Bits from Debian

Planet Debian - https://planet.debian.org/

Joey Hess: solar powered waterfall controlled by a GPIO port

Sat, 04/04/2020 - 10:56 PM

This waterfall is beside my yard. When it's running, I know my water tanks are full and the spring is not dry.

Also it's computer controlled, for times when I don't want to hear it. I'll also use the computer control later on to avoid running the pump excessively and wearing it out, and for some safety features like not running when the water is frozen.

This is a whole hillside of pipes, water tanks, pumps, solar panels, all controlled by a GPIO port. Easy enough; the pump controller has a float switch input and the GPIO drives a 4n35 optoisolator to open or close that circuit. The hard part will be burying all the cable to the pump. And then all the landscaping around the waterfall.

There's a bit of lag to turning it on and off. It can take over an hour for it to start flowing, and around half an hour to stop. The water level has to get high enough in the water tanks to overcome some airlocks and complicated hydrodynamic flow stuff. Then when it stops, all that excess water has to drain back down.

Anyway, enjoy my soothing afternoon project and/or massive rube goldberg machine, I certainly am.

Thorsten Alteholz: My Debian Activities in March 2020

Sat, 04/04/2020 - 6:02 PM

FTP master

This month I accepted 156 packages and rejected 26. The overall number of packages that got accepted was 203.

Debian LTS

This was my sixty-ninth month of doing some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my overall workload was 30h. During that time I did LTS uploads of:

  • [DLA 2156-1] e2fsprogs security update for one CVE
  • [DLA 2157-1] weechat security update for three CVEs
  • [DLA 2160-1] php5 security update for two CVEs
  • [DLA 2164-1] gst-plugins-bad0.10 security update for four CVEs
  • [DLA 2165-1] apng2gif security update for one CVE

Also my work on graphicsmagick was accepted which resulted in:

  • [DSA 4640-1] graphicsmagick security update in Buster and Stretch for 16 CVEs

Furthermore, I sent debdiffs of weechat/stretch, weechat/buster, e2fsprogs/stretch to the corresponding maintainers but got no feedback yet.

As there have been lots of no-dsa-CVEs accumulated for wireshark, I started to work on them but could not upload yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty first ELTS month.

During my really allocated time I uploaded:

  • ELA-218-1 for e2fsprogs
  • ELA-220-1 for php5
  • ELA-221-1 for nss

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and the discussions within Debian did not stop. Nonetheless I got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ocf-spec-core
  • … theme-d-gnome

Sorry to all people who also requested sponsoring, but sometimes things happen and your upload might be delayed.

I uploaded new upstream versions of …

On my Go challenge I uploaded:
golang-github-dreamitgetit-statuscake, golang-github-ensighten-udnssdk, golang-github-apparentlymart-go-dump, golang-github-suapapa-go-eddystone, golang-github-joyent-gosdc, golang-github-nrdcg-goinwx, golang-github-bmatcuk-doublestar, golang-github-go-xorm-core, golang-github-svanharmelen-jsonapi, golang-github-goji-httpauth, golang-github-phpdave11-gofpdi

Sean Whitton: Manifest to run Debian pre-upload tests on builds.sr.ht

Fri, 03/04/2020 - 7:47 PM

Before uploading stuff to Debian, I build in a clean chroot, and then run piuparts, autopkgtest and lintian. For some of my packages this can take around an hour on my laptop, which is fairly old. Normally I don’t mind waiting, but sometimes I want to put my laptop away, and then it would be good for things to be faster. It occurred to me that I could make use of my builds.sr.ht account to run these tests on more powerful hardware.

This build manifest seems to work:

    # BEGIN CONFIGURABLE
    sources:
      - https://salsa.debian.org/perl-team/modules/packages/libgit-annex-perl.git
    environment:
      source: libgit-annex-perl
      quilt: auto
    # END CONFIGURABLE
    image: debian/unstable
    packages:
      - autopkgtest
      - devscripts
      - dgit
      - lintian
      - piuparts
      - sbuild
    tasks:
      - setup: |
          cd $source
          source_version=$(dpkg-parsechangelog -SVersion)
          echo "source_version=$source_version" >>~/.buildenv
          git deborig || origtargz
          sudo sbuild-createchroot --command-prefix=eatmydata --include=eatmydata unstable /srv/chroot/unstable-amd64-sbuild
          sudo sbuild-adduser $USER
      - build: |
          cd $source
          dgit --quilt=$quilt sbuild -d unstable --no-run-lintian
      - lintian: |
          lintian ${source}_${source_version}_multi.changes
      - piuparts: |
          sudo piuparts --no-eatmydata --schroot unstable-amd64-sbuild ${source}_${source_version}_multi.changes
      - autopkgtest: |
          autopkgtest ${source}_${source_version}_multi.changes -- schroot unstable-amd64-sbuild

And here’s my script.

Jonathan Dowland: More Switch games

Fri, 03/04/2020 - 5:44 PM

Sonic Mania

Sonic Mania is a really lovely homage to the classic 90s Sonic the Hedgehog platform games. Featuring more or less the classic gameplay, and expanded versions of the original levels, with lots of secrets, surprises and easter eggs for fans of the original. On my recommendation a friend of mine bought it for her daughter's birthday recently but her daughter will now have to prise her mum off it! Currently on sale at 30% off (£11.19). The one complaint I have about it is the lack of females in the roster of 5 playable characters.

Butcher is a very violent side-scrolling shooter/platformer with a Doom-esque aesthetic, currently on sale at 70% off (just £2.69, the price of a coffee). I've played it for about 10 minutes during coffee breaks and it's fun, hard, and pretty intense. The sound track is great, and available to buy separately but only if you own or buy the original game from the same store, which is a strange restriction. It's also on Spotify.

Dirk Eddelbuettel: RcppSimdJson 0.0.4: Even Faster Upstream!

Fri, 03/04/2020 - 5:15 PM

A new (upstream) simdjson release was announced by Daniel Lemire earlier this week, and my Twitter mentions have been running red-hot ever since as he was kind enough to tag me. Do look at that blog post, there is some impressive work in there. We wrapped up the (still very simple) rcppsimdjson around it last night and shipped it this morning.

RcppSimdJson wraps the fantastic and genuinely impressive simdjson library by Daniel Lemire. Via some very clever algorithmic engineering to obtain largely branch-free code, coupled with modern C++ and newer compiler instructions, it parses gigabytes of JSON per second, which is quite mindboggling. For illustration, I highly recommend the video of the recent talk by Daniel Lemire at QCon (which was also voted best talk). The best-case performance is ‘faster than CPU speed’ as use of parallel SIMD instructions and careful branch avoidance can lead to less than one CPU cycle per byte parsed.

This release brings upstream 0.3 (and 0.3.1) plus a minor tweak (also shipped back upstream). Our full NEWS entry follows.

Changes in version 0.0.4 (2020-04-03)
  • Upgraded to new upstream releases 0.3 and 0.3.1 (Dirk in #9 closing #8)

  • Updated example validateJSON to API changes.

But because Daniel is such a fantastic upstream developer to collaborate with, he even filed a full feature-request ‘maybe you can consider upgrading’ as issue #8 at our repo containing the fully detailed list of changes. As it is so impressive I will simply quote the upper half of just the major changes:

Highlights
  • Multi-Document Parsing: Read a bundle of JSON documents (ndjson) 2-4x faster than doing it individually. API docs / Design Details
  • Simplified API: The API has been completely revamped for ease of use, including a new JSON navigation API and fluent support for error code and exception styles of error handling with a single API. Docs
  • Exact Float Parsing: Now simdjson parses floats flawlessly without any performance loss (https://github.com/simdjson/simdjson/pull/558). Blog Post
  • Even Faster: The fastest parser got faster! With a shiny new UTF-8 validator and meticulously refactored SIMD core, simdjson 0.3 is 15% faster than before, running at 2.5 GB/s (where 0.2 ran at 2.2 GB/s).

For questions, suggestions, or issues please use the issue tracker at the GitHub repo.

Courtesy of CRANberries, there is also a diffstat report for this release.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Jonathan Dowland: Opinionated IkiWiki

Fri, 03/04/2020 - 4:10 PM

For various personal projects and things, past and present (including my personal site) I use IkiWiki, which (by modern standards) is a bit of a pain to set up and maintain. For that reason I find it hard to recommend to people. It would be nice to fire up a snapshot of an existing IkiWiki instance to test what the outcome of some changes might be. That's cumbersome enough at the moment that I haven't bothered to do it more than once. Separately, some months ago I did a routine upgrade of Debian for the web server running this site, and my IkiWiki installation broke for the first time in ten years. I've never had issues like this before.

For all of these reasons I've just dusted off an old experiment of mine, now renamed Opinionated IkiWiki. It's IkiWiki in a container, configured to be usable out-of-the-box, with some opinionated configuration decisions made for you. The intention is that you should be able to fire up this container and immediately have a useful IkiWiki instance to work from. It should hopefully be easier to clone an existing wiki—content, configuration and all—for experimentation.

You can check out the source at GitHub, and grab container images from quay.io. Or fire one up immediately at http://127.0.0.1:8080 with something like

    podman run --rm -ti -p 8080:8080 \
        quay.io/jdowland/opinionated-ikiwiki:latest

This was a good excuse to learn about multi-stage container builds and explore quay.io.

Feedback gratefully received: As GitHub issues, comments here, or mail.

Norbert Preining: KDE/Plasma updates for Debian sid/testing

Fri, 03/04/2020 - 2:07 AM

I have written before about getting updated packages for KDE/Plasma on Debian. In the meantime I have moved all package building to the openSUSE Build Service, thus I am able to provide builds for Debian/testing, both i386 and amd64 architectures.

For those in a hurry: new binary packages that can be used on both Debian/testing and Debian/sid can be obtained for both i386 and amd64 archs here:

Debian/testing:

deb http://download.opensuse.org/repositories/home:/npreining:/debian-plasma/Debian_Testing ./

Debian/unstable:

deb http://download.opensuse.org/repositories/home:/npreining:/debian-plasma/Debian_Unstable ./

To make these repositories work out of the box, you need to import my OBS gpg key: obs-npreining.asc, best to download it and put the file into /etc/apt/trusted.gpg.d/obs-npreining.asc.

The sources for the above binaries are available at the OBS site for the debian-plasma sub-project, but I will also try to keep them apt-get-able on my server as before:

deb-src https://www.preining.info/debian unstable kde

I have chosen the openSUSE build service because of how easy it makes pushing new packages, and because of its automatic resolution of package dependencies within the same repository. No need to compile the packages myself, nor search for the correct build order. I have also added a few new packages and updates (dolphin, umbrello, kwalletmanager, kompare,…), at the moment we are at 131 packages that got updated. If you have requests for updates, drop me an email!
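A key dropped into /etc/apt/trusted.gpg.d/ is accepted by apt as a signer for every configured repository, not only for the one it belongs to. As an added example (not from Norbert's post or his packaging), the same two repositories with the key bound to them via apt's signed-by option, plus a small check for sources lines that still rely on the global trust store; the keyring path /usr/share/keyrings/obs-npreining.asc is an assumption.

```python
"""Scope an apt repository signing key to one repository.

Added example, not part of the post. Instead of placing obs-npreining.asc in
/etc/apt/trusted.gpg.d/ (trusted for all repositories), the key is stored
elsewhere and each sources entry names it with signed-by, so it can only
authenticate the repository it was issued for. The keyring path is assumed.
"""
from pathlib import Path

KEYRING = "/usr/share/keyrings/obs-npreining.asc"  # assumed location, not from the post
REPOS = {
    "testing": "http://download.opensuse.org/repositories/home:/npreining:/debian-plasma/Debian_Testing",
    "unstable": "http://download.opensuse.org/repositories/home:/npreining:/debian-plasma/Debian_Unstable",
}


def pinned_source_line(url: str, keyring: str) -> str:
    """Return a sources.list entry whose signature check is bound to one keyring."""
    return f"deb [signed-by={keyring}] {url} ./"


def is_pinned(line: str) -> bool:
    """True when a deb/deb-src line carries a signed-by option.

    Comments and blank lines are not repository lines and count as fine.
    """
    stripped = line.strip()
    if not stripped.startswith("deb"):
        return True
    if "[" not in stripped:
        return False
    options = stripped.split("[", 1)[1].split("]", 1)[0]
    return "signed-by=" in options


def unpinned_sources(text: str) -> list[str]:
    """Repository lines in a sources.list body that rely on the global trust store."""
    lines = (raw.strip() for raw in text.splitlines())
    return [s for s in lines if s.startswith("deb") and not is_pinned(s)]


def globally_trusted_keys(trusted_dir: str = "/etc/apt/trusted.gpg.d") -> list[str]:
    """Key files every repository may be signed with (the exposure signed-by avoids)."""
    path = Path(trusted_dir)
    if not path.is_dir():
        return []
    return sorted(p.name for p in path.iterdir() if p.suffix in {".gpg", ".asc"})


if __name__ == "__main__":
    for suite, url in REPOS.items():
        print(f"# Debian/{suite}")
        print(pinned_source_line(url, KEYRING))
    print("# keys currently trusted for all repositories:", globally_trusted_keys())
```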

Enjoy

Norbert

Dirk Eddelbuettel: RQuantLib 0.4.12: Small QuantLib 1.18 update

Thu, 02/04/2020 - 11:57 PM

A new release 0.4.12 of RQuantLib arrived on CRAN today, and was uploaded to Debian as well.

QuantLib is a very comprehensive free/open-source library for quantitative finance; RQuantLib connects it to the R environment and language.

This version does relatively little. When QuantLib 1.18 came out, I immediately did my usual bit of packaging it for Debian as well as creating binaries via my Ubuntu PPA so that I could test the package against it. And a few calls from RQuantLib are now hitting interface functions marked as ‘deprecated’, leading to compiler nags. So I fixed that in PR #146. And today CRAN sent me email to please fix in the released version—so I rolled this up as 0.4.12. No other changes.

Changes in RQuantLib version 0.4.12 (2020-04-01)
  • Changes in RQuantLib code:

    • Calls deprecated-in-QuantLib 1.18 were updated (Dirk in #146).

Courtesy of CRANberries, there is also a diffstat report for this release. As always, more detailed information is on the RQuantLib page. Questions, comments etc should go to the new rquantlib-devel mailing list. Issue tickets can be filed at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Sven Hoexter: New TLDs and Automatic link detection was a bad idea

Thu, 02/04/2020 - 3:07 PM

Update: Seems this is a Firefox specific bug in the Slack web application, it works in Chrome and the Slack Electron application as it should. Tested with Firefox ESR on Debian/buster and Firefox 74 on OS X.

Ah I like it that we now have so many TLDs and matching on those seems to go bad more often now. The latest occasion is Slack (which I think is a pile of shit written by morons, but that is a different story) which somehow does not properly match on .co domains. Leading to this auto linking:

Now I'm not sure if someone encountered the same issue, or people just registered random domains just because they could. I found registrations for

  • resolv.co
  • pam.co
  • sysctl.co
  • so.co (ld.so.co would've been really cute)

I've a few more .conf files in /etc which could be interesting in an IT environment, but for the sake of playing with it I registered nsswitch.co at godaddy. I do not want to endorse them in any way, but for the first year it's only 13.08EUR right now, which is okay to pay for a stupid demo. So if you feel like it, you can probably register something stupid for yourself to play around with. I do not intend to renew this domain next year, so be aware of what happens then with the next owner.
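The mis-match above, reproduced with a deliberately simplified linkifier (added example, not Slack's code; the TLD list is a constructed sample): the naive pattern accepts a match as soon as a known TLD has been read, so /etc/resolv.conf yields resolv.co and /etc/ld.so.conf yields ld.so.co, while the strict pattern requires the hostname to end at a delimiter and rejects candidates that sit inside a path.

```python
"""Why a TLD-driven auto-linker turns /etc/resolv.conf into a link to resolv.co.

Added example, not Slack's code. Two regexes share the same hostname grammar
and differ only in what they demand around the match. Scheme-prefixed URLs
(https://...) are out of scope; real linkifiers handle those with a separate
pattern.
"""
import re

# Constructed sample; a real linkifier carries the full IANA TLD list.
TLDS = ("com", "net", "org", "co", "so", "de")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST = rf"((?:{LABEL}\.)+(?:{'|'.join(TLDS)}))"

# Bug: nothing after the TLD group stops the match, so "resolv.co" is carved
# out of "resolv.conf" and "ld.so.co" out of "ld.so.conf".
NAIVE = re.compile(rf"(?<![a-z0-9.-]){HOST}", re.I)

# Fix: the TLD must be followed by end-of-text or a character that cannot
# continue a hostname, and a candidate preceded by "/" (a path component)
# is not a bare hostname at all.
STRICT = re.compile(rf"(?<![a-z0-9./-]){HOST}(?![a-z0-9-])", re.I)


def find_hosts(text: str, pattern: re.Pattern = STRICT) -> list[str]:
    """Hostnames the given pattern would auto-link in text."""
    return [m.group(1) for m in pattern.finditer(text)]


def linkify(text: str, pattern: re.Pattern = STRICT) -> str:
    """Wrap each detected hostname as an HTML link, the way a chat client would."""
    return pattern.sub(lambda m: f'<a href="https://{m.group(1)}">{m.group(1)}</a>', text)


if __name__ == "__main__":
    sample = "edit /etc/resolv.conf and /etc/ld.so.conf, then see nsswitch.co"
    print("naive :", find_hosts(sample, NAIVE))   # links into resolv.co and ld.so.co
    print("strict:", find_hosts(sample))          # only the real bare hostname
```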

Ulrike Uhlig: Breaking the chain reaction of reactions to reactions

Thu, 02/04/2020 - 9:00 AM

Sometimes, in our day-to-day-interactions, communication becomes disruptive, resembling a chain of reactions to reactions to reactions. Sometimes we lose the capacity to express our ideas and feelings. Sometimes communication just gets stuck, maybe conflict breaks out. When we see these same patterns over and over again, this might be due to the ever same roles that we adopt and play. Learnt in childhood, these roles are deeply ingrained in our adult selves, and acted out as unconscious scripts. Until we notice and work on them.

This is a post inspired by contents from my mediation training.

In the 1960s, Stephen Karpman devised a model of human communication that maps the destructive interactions which occur between people. This map is known as the drama triangle.

Karpman defined three roles that interact with each other. We can play one role at work, and a different one at home, and another one with our children. Or we can switch from one role to the other in just one conversation. The three roles are:

  • The Persecutor. I'm right. It's all your fault. The Persecutor acts out criticism, accusation, and condemnation. Their behavior is controlling, blaming, shaming, oppressive, hurtful, angry, authoritarian, superior. They know everything better, they laugh about others, bully, shame, or belittle them. The Persecutor discounts others' value, looking down on them. Persecutor's thought: I'm okay, you're not okay.
  • The Victim. I'm blameless. Poor me. The Victim feels not accepted by others, oppressed, helpless, hopeless, powerless, ashamed, inferior. The Victim thinks they are unable or not good enough to solve problems on their own. The Victim discounts themselves. Victim's thought: I'm not okay, you're okay.
  • The Rescuer. I'm good. Let me help you! The Rescuer is a person who has unsolicited and unlimited advice concerning the Victim's problems. They think for the Victim, and comfort them, generally without having been asked to do so. The Rescuer acts seemingly to help the Victim but rescuing mostly helps them to feel better themselves, as it allows them to ignore their own anxieties, worries, or shortcomings. The Rescuer needs a Victim to rescue, effectively keeping the Victim powerless. The Rescuer discounts others' abilities to think and act for themselves, looking down on them. Rescuer's thought: I'm okay, you're not okay.

Does this sound familiar?

"Involvement in an unhealthy drama triangle is not something another person is doing to you. It's something you are doing with another person or persons." Well, to be more precise, it's something that we are all doing to each other: "Drama triangles form when participants who are predispositioned to adopt the roles of a drama triangle come together over an issue." (quoted from: Escaping conflict and the Karpman Drama Triangle.)

People act out these roles to meet personal (often unconscious) needs. But each of these roles is toxic in that it sees others as problems to react to. In not being able to see that we take on these roles, we keep the triangle going, like in a dispute in which one word provokes another until someone leaves, slamming the door. This is drama. When we are stuck in the drama triangle, no one wins because all three roles "cause pain", "perpetuate shame [and] guilt", and "keep people caught in dysfunctional behavior" (quoted from Lynne Namka: The Drama Triangle, Three Roles of Victim-hood).

How to get out of the drama triangle

Awareness. To get out of the triangle, it is foremost suggested to be aware of its existence. I agree, it helps. I see it everywhere now.

Identifying one's role and starting to act differently. While we switch roles, we generally take on a preferred role that we act out most of the time, and that was learnt in childhood. (I found a test to identify one's common primary role — in German.)

But how do we act differently? We need to take another look at that uncanny triangle.

From the drama triangle to the winner triangle

I found it insightful to ask what benefit each role could potentially bring into the interaction.

Acey Choy created the Winner triangle in 1990, as an attempt to transform social interactions away from drama. Her winner triangle shifts our perceptions of the roles: the Victim becomes the Vulnerable, the Rescuer becomes the Caring, the Persecutor becomes the Assertive.

[Diagram: two triangles side by side. Karpman's Dreaded Drama Triangle: Persecutor ("I'm right.") and Rescuer ("I'm good.") at the top corners, Victim ("I'm blameless.") at the bottom. Choy's Winner Triangle: Assertive ("I have needs.") and Caring ("I'm listening.") at the top corners, Vulnerable ("I'm struggling.") at the bottom.]

The Assertive "I have needs." has a calling, aims at change, initiates, and gives feedback. Skills to learn: The Assertive needs to learn to identify their needs, communicate them, and negotiate with others on eye level without shaming, punishing, or belittling them. The Assertive needs to learn to give constructive feedback, without dismissing others. (In the workplace, it could be helpful to have a space for this.) The Assertive could benefit from learning to use I-Statements.

The Caring "I'm listening." shows good will and sensitivity, cares, is empathic and supportive. Skills to learn: The Caring needs to learn to respect the boundaries of others: trusting their abilities to think, problem solve and talk for themselves. Therefore, the Caring could benefit from improving their active listening skills. Furthermore the Caring needs to learn to identify and respect their own boundaries and not to do things only because it makes them feel better about themselves.

The Vulnerable "I'm struggling." has the skill of seeing and naming problems. Skills to learn: The Vulnerable needs to learn to acknowledge their feelings and needs, practice self-awareness, and self-compassion. They need to untie their self-esteem from the validation of other people. They need to learn to take care of themselves, and to strengthen their problem solving and decision making skills.

What has this got to do with autonomy and power structures?

Each of these interactions is embedded in larger society, and, as said above, we learn these roles from childhood. Therefore, we perpetually reproduce power structures, and learnt behavior. I doubt that fixing this on an individual level is sufficient to transform our interactions outside of small groups, families or work places. Although that would be a good start.

We can see that the triangle holds together because the Victim, seemingly devoid of a way to handle their own needs, transfers care of their needs to the Rescuer, thereby giving up on their autonomy. The Rescuer is provided by the Victim with a sense of autonomy, knowledge, and power, that only works while denying the Victim their autonomy. At the same time, the Persecutor denies everyone else's needs and autonomy, and feels powerful by dismissing others. I've recently mentioned the importance of autonomy in order to avoid burnout, and as a means to control one's own life. If the Rescuer can acknowledge being in the triangle, and give the Victim autonomy, by supporting them with compassion, empathy, and guidance, and at the same time respecting their own boundaries, we could find even more ways to escape the drama triangle.

Notes

My description of the roles was heavily inspired by the article Escaping Conflict and the Karpman Drama Triangle that has a lot more detail on how to escape the triangle, and how to recognize when we're moving into one of the roles. While the article is informing families living with a person suffering from a spectrum of Borderline Personality Disorder, the content applies to any dysfunctional interaction.

Mike Gabriel: Q: RoamingProfiles under GN/Linux? What's your Best Practice?

Thu, 02/04/2020 - 8:36 AM

This post is an open question to the wide range of GNU/Linux site admins out there. Possibly some of you have the joy of maintaining GNU/Linux also on user endpoint devices (i.e. user workstations, user notebooks, etc.), not only on corporate servers.

TL;DR: In the context of a customer project, I am researching ways of mimicking (or inventing anew) a feature well known (and sometimes also well hated) from the MS Windows world: Roaming User Profiles. If anyone does have any input on that, please contact me (OFTC/Freenode IRC, Telegram, email). I am curious what your solution may be.

The Use Case Scenario

In my use case, all user machines shall be mobile (notebooks, convertibles, etc). The machines maybe on-site most of the time, but they need offline capabilities so that the users can transparently move off-site and continue their work. At the same time, a copy of the home directory (or the home directory itself) shall be stored on some backend fileservers (for central backups as well as for providing the possibility to the user to login to another machine and be up-and-running +/- out-of-the-box).

The Vision

Initial Login

Ideally, I'd like to have a low level file system feature for this that handles it all. On corporate user logon (which must take place on-site and uses some LDAP database as backend), the user credentials get cached locally (and get re-mapped and re-cached with every on-site login later on), and the home directory gets mounted from a remote server at first.

Shortly after having logged in, everything in the user's home gets synced to a local cache in the background without the user noticing. At the end of the sync a GUI user notification would be nice, e.g. like "All user data has been cached locally, you are good to go and leave off-site now with this machine."

Moving Off-Site

A day later, the user may be travelling or such, the user logs into the machine again, the machine senses being offline or on some alien (not corporate) network, but the user can just continue their work, all in local cache.

Several days later, the same user with the same machine returns back to office, logs into the machine again, and immediately after login, all cached data gets synced back to the user's server filespace.

Possible Conflict Policies

Now there might be cases where the user has been working locally for a while and all the profile data received slight changes. The user might have had the possibility to log into other corporate servers from the alien network he*she is on and with that login, some user profile files probably will have gotten changed.

Regarding client-server sync policies, one could now enforce a client-always-wins policy that leads to changes being dropped server-side once the user's mobile workstation returns back on-site. One could also set up a bi-directional sync policy for normal data files, but a client-always-wins policy for configuration files (.files and .folders). Etc.
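The mixed policy from the previous paragraph as a small per-file resolver (added example, not Mike's code or any existing tool's): data files sync in whichever direction changed and flag a conflict when both sides changed, while anything under a dot-file or dot-directory always takes the client's version, so server-side edits to configuration are dropped. The change flags are assumed to come from a prior scan against the last synced state.

```python
"""Conflict policy for a roaming home directory, per the post's sketch.

Added example, not part of the post. Given per-file change flags from the
laptop's local cache and from the server, decide how the file is reconciled
when the machine returns on-site:
  - configuration (.files and .folders): client-always-wins, server edits dropped
  - data files: bi-directional; both sides changed is a conflict to surface,
    not something to silently overwrite
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import PurePosixPath


class Action(Enum):
    NOOP = "unchanged on both sides"
    PUSH = "client -> server"
    PULL = "server -> client"
    CONFLICT = "both changed: keep client copy, save server copy as *.sync-conflict"


@dataclass(frozen=True)
class FileState:
    path: str             # relative to the home directory
    client_changed: bool  # modified in the local cache since the last sync
    server_changed: bool  # modified on the server since the last sync


def is_config(path: str) -> bool:
    """Configuration per the post: any dot-file or anything below a dot-directory."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def resolve(state: FileState) -> Action:
    """Pick the sync action for one file under the mixed policy."""
    if not state.client_changed and not state.server_changed:
        return Action.NOOP
    if is_config(state.path):
        # client-always-wins: whatever changed, the laptop's version is authoritative
        return Action.PUSH
    if state.client_changed and state.server_changed:
        return Action.CONFLICT
    return Action.PUSH if state.client_changed else Action.PULL


def plan(states: list[FileState]) -> dict[str, Action]:
    """Resolve a whole scan result; conflicts are reported, never auto-merged."""
    return {s.path: resolve(s) for s in states}


if __name__ == "__main__":
    # constructed scan result for a laptop returning to the office
    scan = [
        FileState(".bashrc", False, True),           # edited on the server via another login
        FileState(".config/kderc", True, True),      # edited on both sides
        FileState("docs/report.odt", True, False),   # edited on the road
        FileState("docs/budget.ods", True, True),    # edited on both sides
        FileState("photos/2020.jpg", False, True),   # new on the server
    ]
    for path, action in plan(scan).items():
        print(f"{path:20} {action.value}")
```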

Request for Feedback and Comments

I could go on further and further with making up edges and corner cases of all this. We had a little discussion on this some days ago on the #debian-devel IRC channel already. Thanks to all contributors to that discussion.

And again, if you have solved the above riddle on your site and are corporate-wise allowed to share the concept, I'd be happy about your feedback.

Please get in touch!

light+love
Mike (aka sunweaver on the Fediverse and in Debian)

Ben Hutchings: Debian LTS work, March 2020

Wed, 01/04/2020 - 11:34 PM

I was assigned 20 hours of work by Freexian's Debian LTS initiative, and carried over 0.75 hours from February. I only worked 12.25 hours this month, so I will carry over 8.5 hours to April.

I issued DLA 2114-1 for the update to linux-4.9.

I continued preparing and testing the next update to Linux 3.16. This includes a number of filesystem fixes that require running the "xfstests" test suite.

I also replied to questions from LTS contributors and users, sent to me personally or on the public mailing list.

Joachim Breitner: 30 years of Haskell

Wed, 01/04/2020 - 8:16 PM

Vitaly Bragilevsky, in a mail to the GHC Steering Committee, reminded me that the first version of the Haskell programming language was released exactly 30 years ago. On April 1st. So that raises the question: Was Haskell just an April fool's joke that was never retracted?

The cover of the 1.0 Haskell report

My own first exposure to Haskell was in April 2005; the oldest piece of Haskell I could find on my machine is this part of a university assignment from April:

    > pascal 1 = [1]
    > pascal (n+1) = zipWith (+) (x ++ [0]) (0 : x) where x = pascal n

This means that I now have witnessed half of Haskell's existence. I have never regretted getting into Haskell, and every time I come back from having worked in other languages (which all have their merits too), I greatly enjoy the beauty and elegance of expressing my ideas in a lazy and strictly typed language with a concise syntax.

I am looking forward to witnessing (and, to a very small degree, shaping) the next 15 years of Haskell.

Sylvain Beucler: Debian LTS and ELTS - March 2020

Wed, 01/04/2020 - 4:26 PM

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In March, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 20h for ELTS (out of 20 max; I did 0).

Most contributors claimed vulnerabilities by performing early CVE monitoring/triaging on their own, making me question the relevance of the Front-Desk role. It could be due to a transient combination of higher hours volume and lower open vulnerabilities.

Working as a collective of hourly paid freelancers makes it more likely to work in silos, resulting in little interaction when raising workflow topics on the mailing list. Maybe we're reaching a point where regular team meetings will be beneficial.

As previously mentioned, I structure my work keeping the global Debian security in mind. It can be stressful though, and I believe current communication practices may deter such initiatives.

ELTS - Wheezy

  • No work. ELTS has few sponsors right now and few vulnerabilities to fix, which is why I could not work on it this month. I gave back my hours at the end of the month.

LTS - Jessie

  • lua-cgi: global triage: CVE-2014-10399,CVE-2014-10400/lua-cgi not-affected, CVE-2014-2875/lua-cgi referenced in BTS
  • libpcap: global triage: request CVE-2018-16301 rejection as upstream failed to; got MITRE to reject (not "dispute") a CVE for the first time!
  • nfs-utils: suites harmonization: CVE-2019-3689: ping upstream again, locate upstream'd commit, reference it at BTS and MITRE; close MR which had been ignored and now redone following said referencing
  • slurm-llnl: re-add; create CVE-2019-12838 reproducer, test abhijith's pending upload; reference patches; witness regression in CVE-2019-19728, get denied access to upstream bug, triage as ignored (minor issue + regression); security upload DLA 2143-1
  • xerces-c: global triage progress: investigate ABI-(in)compatibility of hle's patch direction; initiate discussion at upstream and RedHat; mark postponed
  • nethack: jessie triage fix: mark end-of-life
  • tor: global triage fix: CVE-2020-10592,CVE-2020-10593: fix upstream BTS links, fix DSA reference
  • php7.3: embedded copies: removed from unstable (replaced with php7.4); checked whether libonig is still bundled (no, now properly unbundled at upstream level); jessie still not-affected
  • okular: CVE-2020-9359: reference PoC, security upload DLA 2159-1

Documentation/Scripts

  • data/dla-needed.txt: tidy/refresh pending packages status
  • LTS/Development: DLA regression numbering when a past DLA affects a different package
  • LTS/FAQ: document past LTS releases archive location following a user request; trickier than expected, 3 contributors required to find the answer
  • Question aggressive package claims; little feedback
  • embedded-copies: libvncserver: reference various state of embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot; builds on initial research from sunweaver
  • Attempt to progress on libvncserver embedded copies triaging; technical topic not answered, organizational topic ignored
  • phppgadmin: provide feedback on CVE-2019-10784
  • Answer general workflow question about vulnerability severity
  • Answer GPAC CVE information request from a PhD student at CEA, following my large security update

Joey Hess: DIN distractions

Wed, 01/04/2020 - 4:12 PM

My offgrid house has an industrial automation panel.

I started building this in February, before covid-19 was impacting us here, when lots of mail orders were no big problem, and getting an unusual 3D-printed DIN rail bracket for a SSD was just a couple clicks.

I finished a month later, deep into social isolation and quarentine, scrounging around the house for scrap wire, scavenging screws from unused stuff and cutting them to size, and hoping I would not end up in a "need just one more part that I can't get" situation.

It got rather elaborate, and working on it was often a welcome distraction from the news when I couldn't concentrate on my usual work. I'm posting this now because people sometimes tell me they like hearing about my offgrid stuff, and perhaps you could use a distraction too.

The panel has my house's computer on it, as well as both AC and DC power distribution, breakers, and switching. Since the house is offgrid, the panel is designed to let every non-essential power drain be turned off, from my offgrid fridge to the 20 terabytes of offline storage to the inverter and satellite dish, the spring pump for my gravity flow water system, and even the power outlet by the kitchen sink.

Saving power is part of why I'm using old-school relays and stuff and not IOT devices; the other reason is of course: IOT devices are horrible dystopian e-waste. I'm taking the utopian Star Trek approach, where I can command "full power to the vacuum cleaner!"

At the core of the panel, next to the cubietruck arm board, is a custom IO daughterboard. Designed and built by hand to fit into a DIN mount case, it uses every GPIO pin on the cubietruck's main GPIO header. Making this board took 40+ hours, and was about half the project. It got pretty tight in there.

This was my first foray into DIN rail mount, and it really is industrial lego -- a whole universe of parts that all fit together and are immensely flexible. Often priced more than seems reasonable for a little bit of plastic and metal, until you look at the spec sheets and the ratings. (Total cost for my panel was $400.) It's odd that it's not more used outside its niche -- I came of age in the Bay Area, surrounded by rack mount equipment, but no DIN mount equipment. Hacking the hardware in a rack is unusual, but DIN invites hacking.

Admittedly, this is a second system kind of project, replacing some unsightly shelves full of gear and wires everywhere with something kind of overdone. But should be worth it in the long run as new gear gets clipped into place and it evolves for changing needs.

Also, wire gutters, where have you been all my life?

Finally, if you'd like to know what everything on the DIN rail is, from left to right: Ground block, 24v DC disconnect, fridge GFI, spare GFI, USB hub switch, computer switch, +24v block, -24v block, IO daughterboard, 1tb SSD, arm board, modem, 3 USB hubs, 5 relays, AC hot block, AC neutral block, DC-DC power converters, humidity sensor.

Mike Gabriel: My Work on Debian LTS (March 2020)

Wed, 01/04/2020 - 11:41 AM

In March 2020, I have worked on the Debian LTS project for 10.25 hours (of 10.25 hours planned).

LTS Work
  • Frontdesk: CVE Bug Triaging for Debian jessie LTS: libpam-krb5, symfony, edk2 (EOL), icu, twisted, yubikey-val, netkit-telnet(-ssl), libperlspeak-perl (new EOL), and glibc.
  • Upload to jessie-security: tinyproxy (DLA-2163-1 [1], 1 CVE, 1 severe bug [2]).
  • Revisit CVE-2015-9541 in jessie's qtbase-opensource-src and agree with Dmitry Shachnev from Debian's KDE/Qt Team about tagging this CVE '<ignored>' in Debian's security tracker. The proposed upstream patch uses an API not available in jessie's Qt5 version (QStringView API), and the series of patches to be applied would be quite invasive.
  • Prepare upload of libpam-krb5 4.6-3+deb8u1 (1 CVE) (will be uploaded during the day).
  • Look closer into CVE-2019-17177 for FreeRDP v1.1 (and decide to ignore it, as patchwork would have to be applied all over the code).
Other security-related work for Debian
  • Upload to stretch: libvncserver 0.9.11+dfsg-1.3~deb9u4 (1 CVE)
  • Upload to buster: libvncserver 0.9.11+dfsg-1.3+deb10u3 (1 CVE)
  • Upload to stretch: tinyproxy 1.8.4-3~deb9u2 (1 CVE, 1 severe bug [2])
  • Upload to buster: tinyproxy 1.10.0-2+deb10u1 (1 severe bug)
  • Study the code of x11vnc (regarding Debian bug #672435 [3], which currently has a temp-CVE), apply upstream's fix (which did not work) and ping upstream about possible other required patches in x11vnc and/or libVNC.
References

Russ Allbery: Review: A Grand and Bold Thing

Wed, 01/04/2020 - 5:43 AM

Review: A Grand and Bold Thing, by Ann Finkbeiner

Publisher: Free Press
Copyright: August 2010
ISBN: 1-4391-9647-8
Format: Kindle
Pages: 200

With the (somewhat excessively long) subtitle of An Extraordinary New Map of the Universe Ushering In a New Era of Discovery, this is a history of the Sloan Digital Sky Survey. It's structured as a mostly chronological history of the project with background profiles on key project members, particularly James Gunn.

Those who follow my blog will know that I recently started a new job at Vera C. Rubin Observatory (formerly the Large Synoptic Survey Telescope). Our goal is to take a complete survey of the night sky several times a week for ten years. That project is the direct successor of the Sloan Digital Sky Survey, and its project team includes many people who formerly worked on Sloan. This book (and another one, Giant Telescopes) was recommended to me as a way to come up to speed on the history of this branch of astronomy.

Before reading this book, I hadn't understood how deeply the ready availability of the Sloan sky survey data had changed astronomy. Prior to the availability of that survey data, astronomers would develop theories and then try to book telescope time to make observations to test those theories. That telescope time was precious and in high demand, so was not readily available, and was vulnerable to poor weather conditions (like overcast skies) once the allocated time finally arrived.

The Sloan project changed all of that. Its output was a comprehensive sky survey available digitally whenever and wherever an astronomer needed it. One could develop a theory and then search the Sloan Digital Sky Survey for relevant data and, for at least some types of theories, test that theory against the data without needing precious telescope time or new observations. It was a transformational change in astronomy, made possible by the radical decision, early in the project, to release all of the data instead of keeping it private to a specific research project.

The shape of that change is one takeaway from this book. The other is how many problems the project ran into trying to achieve that goal. About a third of the way into this book, I started wondering if the project was cursed. So many things went wrong, from institutional politics through equipment failures to software bugs and manufacturing problems with the telescope mirror. That makes it all the more impressive how much impact the project eventually had. It's also remarkable just how many bad things can happen to a telescope mirror without making the telescope unusable.

Finkbeiner provides the most relevant astronomical background as she tells the story so that the unfamiliar reader can get an idea of what questions the Sloan survey originally set out to answer (particularly about quasars), but this is more of a project history than a popular astronomy book. There's enough astronomy here for context, but not enough to satisfy curiosity. If you're like me, expect to have your curiosity piqued, possibly resulting in buying popular surveys of current astronomy research. (At least one review is coming soon.)

Obviously this book is of special interest to me because of my new field of work, my background at a research university, and because it features some of my co-workers. I'm not sure how interesting it will be to someone without that background and personal connection. But if you've ever been adjacent to or curious about how large-scale science projects are done, this is a fascinating story. Both the failures and problems and the way they were eventually solved are different from how the more common stories of successful or failed companies are told. (It helps, at least for me, that the shared goal was to do science, rather than to make money for a corporation whose fortunes are loosely connected to those of the people doing the work.)

Recommended if this topic sounds at all interesting.

Rating: 7 out of 10

Paul Wise: FLOSS Activities March 2020

Wed, 01/04/2020 - 4:34 AM

Changes

Issues

Review

Administration
  • Debian wiki: approve accounts

Communication

Sponsors

The dh-make-perl feature requests, file bug report, File::Libmagic changes, autoconf-archive change, libpst work and the purple-discord upload were sponsored by my employer. All other work was done on a volunteer basis.

Junichi Uekawa: After the snow cherry blossoms fell.

Wed, 01/04/2020 - 2:52 AM
After the snow cherry blossoms fell. It's already April.

Jonathan Wiltshire: neuraldak

Wed, 01/04/2020 - 2:50 AM

We are proud to announce that dak, the Debian Archive Kit, has been replaced by a neural network for processing package uploads and other archive maintenance. All FTP masters and assistants have been re-deployed to concentrate on managing neuraldak.

neuraldak is an advanced machine learning algorithm which has been taught about appropriate uploads, can write to maintainers about their bugs and can automatically make an evaluation about suitable licenses and code quality. Any uploads which do not meet its standards will be rejected with prejudice.

We anticipate that neuraldak will also monitor social media for discontent about package uploads, and train itself to do better with its decisions.

In terms of licensing, neuraldak has been seeded only with the GPL license. This we consider the gold standard of licenses, and its clauses will be the basis for neuraldak evaluating other licenses as it is exposed to them.

Over the course of the next few weeks, neuraldak will also learn to manage the testing suite. Once it is established, we expect to be able to make a full stable release of Debian approximately every six weeks. We have therefore also re-purposed Janelle Shane’s cat name algorithm to invent suitable release names, since the list of Toy Story names is likely to be exhausted before 2021.

neuraldak is an independent software project. Rumours of it being derived from Skynet are entirely unfounded.

The post neuraldak appeared first on jwiltshire.org.uk.
