Planet Debian

Planet Debian - https://planet.debian.org/
Updated: 8 months 1 day ago

Molly de Blanc: Free software activities (November, 2018)

Thu, 29/11/2018 - 11:54pm

Welcome to what is the first and may or may not be the last monthly summary of my free software activities.

November was a good month for me, heavily laden with travel. Conferences and meetings took me to Seattle, WA (USA) and Milano and Bolzano in Italy. I think of my activities as generally focusing on “my” projects — that is to say, representing my own thoughts and ideas, rather than those of my employer or associated projects.

In addition to using my free time to work on free and open source software and related issues, my day job is at the Free Software Foundation. I included highlights from my past month at the FSF. This feels a little bit like cheating.

November Activities (personal)
  • I keynoted the Seattle GNU/Linux festival (SeaGL), delivering a talk entitled “Insecure connections: Love and mental health in our digital lives.” Slides are available on GitLab.
  • Attended an Open Source Initiative board meeting in Milan, Italy.
  • Spoke at SFScon in Bolzano, Italy, giving a talk entitled “User freedom: A love Story.” Slides forthcoming. For this talk, I created a few original slides, but largely repurposed images from “Insecure connections.”
  • I made my first quantitative Debian contribution, in which I added the Open Source Initiative to the list of organizations to which Debian is a member.
  • Submitted sessions to the Community and the Legal and Policy devrooms at FOSDEM. #speakerlife
  • Reviewed session proposals for CopyLeft Conf, for which I am on the paper’s committee.
  • I helped organize a $15,000 match donation for the Software Freedom Conservancy.
Some highlights from my day job

Daniel Pocock: Connecting software freedom and human rights

Thu, 29/11/2018 - 11:04pm

2018 is the 70th anniversary of the Universal Declaration of Human Rights.

Over the last few days, while attending the UN Forum on Business and Human Rights, I've had various discussions with people about the relationship between software freedom, business and human rights.

In the information age, control of the software, source code and data translates into power and may contribute to inequality. Free software principles are not simply about the cost of the software, they lead to transparency and give people infinitely more choices.

Many people in the free software community have taken a particular interest in privacy, which is Article 12 in the declaration. The modern Internet challenges this right, while projects like TAILS and Tor Browser help to protect it. The UN's 70th anniversary slogan Stand up 4 human rights is a call to help those around us understand these problems and make effective use of the solutions.

We live in a time when human rights face serious challenges. Consider censorship: Saudi Arabia is accused of complicity in the disappearance of columnist Jamal Khashoggi and the White House is accused of using fake allegations to try and banish CNN journalist Jim Acosta. Arjen Kamphuis, co-author of Information Security for Journalists, vanished in mysterious circumstances. The last time I saw Arjen was at OSCAL'18 in Tirana.

For many of us, events like these may leave us feeling powerless. Nothing could be further from the truth. Standing up for human rights starts with looking at our own failures, both as individuals and organizations. For example, have we ever taken offense at something, judged somebody or rushed to make accusations without taking time to check facts and consider all sides of the story? Have we seen somebody we know treated unfairly and remained silent? Sometimes it may be desirable to speak out publicly, sometimes a difficult situation can be resolved by speaking to the person directly or having a meeting with them.

Being at the United Nations provided an acute reminder of these principles. In parallel to the event, the UN were hosting a conference on the mine ban treaty and the conference on Afghanistan, the Afghan president arriving as I walked up the corridor. These events reflect a legacy of hostilities and sincere efforts to come back from the brink.

A wide range of discussions and meetings

There were many opportunities to have discussions with people from all the groups present. Several sessions raised issues that made me reflect on the relationship between corporations and the free software community and the risks for volunteers. At the end of the forum I had a brief discussion with Dante Pesce, Chair of the UN's Business and Human Rights working group.

Best free software resources for human rights?

Many people at the forum asked me how to get started with free software and I promised to keep adding to my blog. What would you regard as the best online resources, including videos and guides, for people with an interest in human rights to get started with free software, solving problems with privacy and equality? Please share them on the Libre Planet mailing list.

Let's not forget animal rights too

Are dogs entitled to danger pay when protecting heads of state?

Bits from Debian: Debian welcomes its new Outreachy intern

Thu, 29/11/2018 - 8:15pm

Debian continues participating in Outreachy, and we'd like to welcome our new Outreachy intern for this round, lasting from December 2018 to March 2019.

Anastasia Tsikoza will work on Improving the integration of Debian derivatives with the Debian infrastructure and the community, mentored by Paul Wise and Raju Devidas.

Congratulations, Anastasia, and welcome!

From the official website: Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns work remotely with mentors from Free and Open Source Software (FOSS) communities on projects ranging from programming, user experience, documentation, illustration and graphical design, to data science.

The Outreachy programme is possible in Debian thanks to the efforts of Debian developers and contributors who dedicate their free time to mentor students and outreach tasks, and the Software Freedom Conservancy's administrative support, as well as the continued support of Debian's donors, who provide funding for the internships.

Join us and help extend Debian! You can follow the work of the Outreachy interns reading their blogs (they are syndicated in Planet Debian), and chat with us in the #debian-outreach IRC channel and mailing list.

Russ Allbery: Review: The Blind Side

Thu, 29/11/2018 - 6:25am

Review: The Blind Side, by Michael Lewis

Publisher: W.W. Norton & Company
Copyright: 2006, 2007
Printing: 2007
ISBN: 0-393-33047-8
Format: Trade paperback
Pages: 339

One of the foundations of Michael Lewis's mastery of long-form journalism is that he is an incredible storyteller. Given even dry topics of interest (baseball statistics, bond trading, football offensive lines), he has an uncanny knack for finding memorable characters around which to tell a story, and uses their involvement as the backbone of a clear explanation of complex processes or situations. That's why one of the surprises of The Blind Side is that Lewis loses control of his material.

The story that Lewis wants to tell is the development of the left tackle position in professional football. The left tackle is the player on the outside of the offensive line on the blind side of a right-handed quarterback. The advent of the west-coast offense with its emphasis on passing plays, and the corresponding development of aggressive pass rushers in the era of Lawrence Taylor, transformed that position from just another member of the most anonymous group of people in football into one of the most highly-paid positions on the field. The left tackle is the person most responsible for stopping a pass rush.

Lewis does tell that story in The Blind Side, but every time he diverts into it, the reader is left tapping their foot in frustration and wishing he'd hurry up. That's because the other topic of this book, the biographical through line, is Michael Oher, and Michael Oher the person is so much more interesting than anything Lewis has to say about football that the football parts seem wasted.

I'm not sure how many people will manage to read this book without having the details of Oher's story spoiled for them first, particularly given there's also a movie based on this book, but I managed it and loved the unfolding of the story. I'm therefore going to leave out most of the specifics to avoid spoilers. But the short version is that Oher was a sometimes-homeless, neglected black kid with incredible physical skills but almost no interaction with the public school system who ended up being adopted as a teenager by a wealthy white family. They help him clear the hurdles required to play NCAA football.

That's just the bare outline. It's an amazing story, and Lewis tells it very well. I had a hard time putting this book down, and rushed through the background chapters on the evolution of football to get back to more details about Oher. But, as much as Lewis tries to make this book a biography of Oher himself, it's really not. As Lewis discloses at the end of this edition, he's a personal friend of Sean Tuohy, Oher's adoptive father. Oher was largely unwilling to talk to Lewis about his life before he met the Tuohys. Therefore, this is, more accurately, the story of Oher as seen from the Tuohys' perspective, which is not quite the same thing.

There are so many pitfalls here that it's amazing Lewis navigates them as well as he does, and even he stumbles. There are stereotypes and pieces of American mythology lurking everywhere beneath this story, trying to make the story snap to them like a guiding grid: the wealthy white family welcoming in the poor black kid, the kid with amazing physical talent who is very bad at school, the black kid with an addict mother, the white Christian school who takes him in, the colleges who try to recruit him... you cannot live in this country without strong feelings about all of these things. Nestled next to this story like landmines are numerous lies that white Americans tell themselves to convince themselves that they're not racist. I could feel the mythological drag on this story trying to make Oher something he's not, trying to make him fit into a particular social frame. It's one of the reasons why I doubt I'll ever see the movie: it's difficult to imagine a movie managing to avoid that undertow.

To give Lewis full credit, he fights to keep this story free of its mythology every step of the way, and you can see the struggle in the book. He succeeds best at showing that Oher is not at all dumb, but instead is an extremely intelligent teenager who was essentially never given an opportunity to learn. He also provides a lot of grounding and nuance to Oher's relationship with the Tuohys. They're still in something of a savior role, but it seems partly deserved. And, most importantly, he's very open about the fact that Oher largely didn't talk to anyone about his past, including Lewis, so except for a chapter near the end laying out the information Lewis was able to gather, it's mostly conjecture on the part of the Tuohys and others.

But there is so much buried here, so many fault lines of US society, so many sharp corners of racism and religion and class, that Oher's story just does not fit into Lewis's evolution-of-football narrative. It spills out of the book, surfaces deep social questions that Lewis barely touches on, and leaves so many open questions (including Oher's own voice). One major example: Briarcrest Christian School, the high school Oher played for and the place where he was discovered as a potential NCAA and later professional football player, is a private high school academy formed in 1973 after the desegregation of Memphis schools as a refuge for the children of white supremacists. Lewis describes Oher's treatment as one of only three black children at the school as positive; I can believe that because three kids out of a thousand plays into one kind of narrative. Later, Lewis mentions in passing that the school balked at the applications of other black kids once Oher became famous, and one has to wonder how that might change the narrative for the school's administration and parents. There's a story there that's left untold, and might not be as positive as Oher's reception.

Don't get me wrong: these aren't truly flaws in Lewis's book, because he's not even trying to tell that story. He's telling the story of one exceptional young man who reached college football through a truly unusual set of circumstances, and he tells that story well. I just can't help but look for systems in individual stories, to look for institutions that should have been there for Oher and weren't. Once I started looking, the signs of systemic failures sit largely unremarked beneath nearly every chapter. Maybe this is a Rorschach test of political analysis: do you see an exceptional person rising out of adversity through human charity, or a failure of society that has to be patched around by uncertain chance that, for most people, will fail without ever leaving a trace?

The other somewhat idiosyncratic reaction I had to this book, and the reason why I've put off reading it for so long, is that I now find it hard to read about football. While I've always been happy to watch nearly any sport, football used to be my primary sport as a fan, the one I watched every Sunday and most Saturdays. As a kid, I even kept my own game statistics from time to time, and hand-maintained team regular season standings. But somewhere along the way, the violence, the head injuries, and the basic incompatibility between the game as currently played and any concept of safety for the players got to me. I was never someone who loved the mud and the blood and the aggression; I grew up on the west coast offense and the passing game and watched football for the tactics. But football is an incredibly violent sport, and the story of quarterback sacks, rushing linebackers, and the offensive line is one of the centers of that violence. Lewis's story opens with Joe Theismann's leg injury in 1985, which is one of the most horrific injuries in the history of sport. I guess I don't have it in me to get excited about a sport that does things like that to its players any more.

I think The Blind Side is a bit of a mess as a book, but I'm still very glad that I read it. Oher's story, particularly through Lewis's story-telling lens, is incredibly compelling. I'm just also wary of it, because it sits slightly askew on some of the deepest fault lines in American society, and it's so easy for everyone involved to read things into the story that are coming from that underlying mythology rather than from Oher himself. I think Lewis fought through this whole book to not do that; I think he mostly but did not entirely succeed.

The Tuohys have their own related book (In a Heartbeat), written with Sally Jenkins, that's about their philosophy of giving and charity and looks very, very Christian in a way that makes me doubtful that it will shine a meaningful light on any of the social fault lines that Lewis left unaddressed. But Oher, with Don Yaeger, has written his own autobiography, I Beat the Odds, and that I will read. Given how invested I got in his story through Lewis, I feel an obligation to hear it on his own terms, rather than filtered through well-meaning white people.

I will cautiously recommend this book because it's an amazing story and Lewis tries very hard to do it justice. But I think this is a book worth reading carefully, thinking about who we're hearing from and who we aren't, and looking critically at the things Lewis leaves unsaid.

Rating: 7 out of 10

Norbert Preining: OneDrive and directory junctions sync problems

Thu, 29/11/2018 - 2:07am

With Dropbox’s end of Linux support I have been on the search for alternatives, as I will quit my Dropbox contract and need to move considerable data to a different provider. Since I am also an Office365 subscriber I get 1Tb of free OneDrive space, which should be usable. With recent updates of the onedrive package in Debian I am maintaining, using it instead of Dropbox has become a feasible alternative. I also started to use OneDrive extensively on the Windows side to sync my Desktop, documents, and my GPS and Map data (history of 20 years of GPS tracks and loads of maps). Advertised all over the internet (eg here, here, here) is a method to use directory junctions to link arbitrary folders by creating a junction in the OneDrive folder that links to the original folder.

As it turns out, this does not work as expected: Assume the following setup

  • There is a folder c:\MyFolder
  • A junction in %UserProfile%\OneDrive\MyFolder pointing to c:\MyFolder

and create a file c:\MyFolder\test.txt. This file is kept in a pending synchronization state and is not properly uploaded to the server.

One can trigger the upload by various methods:

  • pause and restart syncing
  • change/create any file in %UserProfile%\OneDrive\

If a sync is triggered by one of the above, also the pending changes in c:\MyFolder are uploaded, but NOT otherwise.

This did hit me several times because I preferred to have the main folders not in the OneDrive directory, but in their original location. Experimentation showed that if you switch the link source and target, so that the actual folder is in the OneDrive directory, and the directory junction wherever you need it, files are correctly synchronized.

For those having the wrong setup already, the following steps allow switching the direction without triggering a full resync:

  • Wait until OneDrive has synced completely, then exit the program from the notification area;
  • remove the junction with rmdir, this will not remove the original directory;
  • move the original directory into the OneDrive folder;
  • recreate the junction with mklink /j c:\MyFolder %UserProfile%\OneDrive\MyFolder;
  • restart OneDrive.

This should bring you back to fully synchronized state in a very short time, and further changes in either the OneDrive folder or the directory junction will immediately trigger a file sync operation.
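The switch described above, written out as a PowerShell script with safety checks before the junction is removed. This is an added example, not part of the original post; the parameter names are hypothetical, the default paths are the post's placeholder folders, and it assumes Windows PowerShell 5 or later (for the LinkType property) and that both paths are on the same volume.

```powershell
# Added example, not from the original post. Default paths are the post's
# placeholder names; adjust both parameters to your own folders.
param(
    [string]$Original   = 'C:\MyFolder',
    [string]$InOneDrive = (Join-Path $env:UserProfile 'OneDrive\MyFolder')
)
$ErrorActionPreference = 'Stop'

# Step 1 is manual: OneDrive must have synced completely and been exited.
if (Get-Process -Name OneDrive -ErrorAction SilentlyContinue) {
    throw 'OneDrive is still running. Wait for the sync to finish and exit it first.'
}

# Refuse to continue unless the layout is exactly the "wrong" one described:
# a junction inside the OneDrive folder and a real directory outside it.
$link = Get-Item -LiteralPath $InOneDrive -Force
if ($link.LinkType -ne 'Junction') {
    throw "$InOneDrive is not a junction; rmdir would target real data."
}
$real = Get-Item -LiteralPath $Original -Force
if (-not $real.PSIsContainer -or $real.LinkType) {
    throw "$Original is not a plain directory."
}

# Assumption of this example: both paths are on one volume, so the move is a
# rename. A cross-volume move is a copy plus delete and is left out here.
if ([IO.Path]::GetPathRoot($real.FullName) -ne [IO.Path]::GetPathRoot($link.FullName)) {
    throw 'The two paths are on different volumes; move the data manually.'
}

# Step 2: rmdir without /s removes only the junction, not the original directory.
# rmdir does not always report failure in its exit code, so also test the path.
cmd /c rmdir $InOneDrive
if ($LASTEXITCODE -ne 0 -or (Test-Path -LiteralPath $InOneDrive)) {
    throw "Could not remove the junction $InOneDrive."
}

# Step 3: move the real directory into the OneDrive folder.
Move-Item -LiteralPath $Original -Destination $InOneDrive

# Step 4: recreate the junction at the old location, pointing into OneDrive.
cmd /c mklink /j $Original $InOneDrive
if ($LASTEXITCODE -ne 0) {
    throw "mklink failed; the data is now in $InOneDrive."
}

# Step 5 is manual again: restart OneDrive.
Write-Host "Switched: $Original is now a junction to $InOneDrive. Restart OneDrive."
```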

Dirk Eddelbuettel: RcppArmadillo 0.9.200.5.0

Wed, 28/11/2018 - 11:50am

A new RcppArmadillo release arrived at CRAN overnight. The version 0.9.200.5.0 is a minor upgrade and based on the new Armadillo bugfix release 9.200.5 from yesterday. I also just uploaded the Debian version.

Armadillo is a powerful and expressive C++ template library for linear algebra aiming towards a good balance between speed and ease of use with a syntax deliberately close to Matlab. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 539 other packages on CRAN.

This release just brings one upstream bug fix, see below for details.

Changes in RcppArmadillo version 0.9.200.5.0 (2018-11-09)
  • Upgraded to Armadillo release 9.200.5 (Carpe Noctem)

Courtesy of CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Daniel Lange: Security is hard, open source security unnecessarily harder

Wed, 28/11/2018 - 11:23am

Now it is a commonplace that security is hard. It involves advanced mathematics and a single, tiny mistake or omission in implementation can spoil everything.

And the only sane IT security can be open source security. Because you need to assess the algorithms and their implementation and you need to be able to completely verify the implementation. You simply can't if you don't have the code and can compile it yourself to produce a trusted (ideally reproducible) build. A no-brainer for everybody in the field.

But we make it unbelievably hard for people to use security tools. Because these have grown over decades fostered by highly intelligent people with no interest in UX.
"It was hard to write, so it should be hard to use as well."
And then complain about adoption.

PGP / gpg has received quite some fire this year and the good news is this has resulted in funding for the sole gpg developer. Which will obviously not solve the UX problem.

But the much worse offender is OpenSSL. It is so hard to use that even experienced hackers fail.

Now, securely encrypting a mass communication media like IRC is not possible at all. Read Trust is not transitive: or why IRC over SSL is pointless[1].
Still it makes wiretapping harder and that may be a good thing these days.

LibreSSL has forked the OpenSSL code base "with goals of modernizing the codebase, improving security, and applying best practice development processes". No UX improvement. A cleaner code for the chosen few. Duh.

I predict the re-implementations and gradual improvement scenarios will fail. The nearly-impossible-to-use-right situation with both gpg and (much more importantly) OpenSSL cannot be fixed by gradual improvements and however thorough code reviews.

Now the "there's an App for this" security movement won't work out on a grand scale either:

  1. Most often not open source. Notable exceptions: ChatSecure, TextSecure.
  2. No reference implementations with excellent test servers and well documented test suites but products. "Use my App.", "No, use MY App!!!".
  3. Only secures chat or email. So the VC-powered ("next WhatsApp") mass-adoption markets but not the really interesting things to improve upon (CA, code signing, FDE, ...).
  4. While everybody is focusing on mobile adoption the heavy lifting is still on servers. We need sane libraries and APIs. No App for that.

So we need a new development, a new code, a new open source product. Sadly so the Core Infrastructure Initiative so far only funds existing open source projects in dire needs and people bug hunting.

It basically makes the bad solutions of today a bit more secure and ensures maintenance of decade old crufty code bases. That way it extends the suffering of everybody using the inadequate solutions of today.

That's inevitable until we have a better stack but we need to look into getting rid of gpg and OpenSSL and replacing it with something new. Something designed well from the ground up, technically and from a user experience perspective.

Now who's in for a five year funding plan? $2m annually. ROCE 0. But a very good chance to get the OBE awarded.

Updates:

28.11.18: Changed the Quakenet link on why encrypting IRC is useless to an archive.org one as they have removed the original content.

13.03.17: Chris Wellons writes about why GPG is a failure and created a small portable application Enchive to replace it for asymmetric encryption.

24.02.17: Stefan Marsiske has written a blog article: On PGP. He argues about adversary models and when gpg is "probably"[2] still good enough to use. To me a security tool can never be a sane choice if the UI is so convoluted that only a chosen few stand at least a chance of using it correctly. Doesn't matter who or what your adversary is.
Stefan concludes his blog article:

PGP for encryption as in RFC 4880 should be retired, some sunk-cost-biases to be coped with, but we all should rejoice that the last 3-4 years had so much innovation in this field, that RFC 4880 is being rewritten[Citation needed] with many of the above in mind and that hopefully there'll be more and better tools. [..]

He gives an extensive list of tools he considers worth watching in his article. Go and check whether something in there looks like a possible replacement for gpg to you. Stefan also gave a talk on the OpenPGP conference 2016 with similar content, slides.

14.02.17: James Stanley has written up a nice account of his two hour venture to get encrypted email set up. The process is speckled with bugs and inconsistent nomenclature capable of confusing even a technically inclined person. There has been no progress in the last ~two years since I wrote this piece. We're all still riding dead horses. James summarizes:

Encrypted email is nothing new (PGP was initially released in 1991 - 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it.

04.09.16: Greg Kroah-Hartman ends an analysis of the Evil32 PGP keyid collisions with:

gpg really is horrible to use and almost impossible to use correctly.

14.11.15:
Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons of BYU, Utah, have analysed the usability [local mirror, 173kB] of Mailvelope, a webmail PGP/GPG add-on based on a Javascript PGP implementation. They describe the results as "disheartening":

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. Even though a decade has passed since the last formal study of PGP, our results show that Johnny has still not gotten any closer to encrypt his email using PGP.
  1. Quakenet has removed that article citing "near constant misrepresentation of the presented argument" sometime in 2018. The contents (not misrepresented) are still valid so I have added an archive.org Wayback machine link instead.

  2. Stefan says "probably" five times in one paragraph. Probably needs an editor. The person not the application. 

Reproducible builds folks: Reproducible Builds: Weekly report #187

Tue, 27/11/2018 - 1:40pm

Here’s what happened in the Reproducible Builds effort between Sunday November 18 and Saturday November 24 2018:

Packages reviewed and fixed, and bugs filed

Test framework development

There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org this week, including:

  • Chris Lamb:
    • Add support for calculating a PureOS package set.
  • Eli Schwartz:
    • Provide an even-better explanation for a sed(1) command in the Archlinux support.
  • Jelle van der Waa:
    • Set LANG/LC_ALL in build 1 in the Archlinux support.
  • Niko Tyni:
  • Simon McVittie:
  • Holger Levsen:
    • Explicitly also install GnuPG.
    • Perform some node maintenance.
    • reviewed, merged and deployed the above commits.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Norbert Preining: Onyx Boox Firmware 2.0

Tue, 27/11/2018 - 5:19am

Onyx Boox Note is a great device for reading, writing, note taking. I have written about my first impressions with this device here, and since then I have used the device heavily. I don’t even remember when I last took my Kobo GloHD in hand since I got the Boox. Onyx has announced a new firmware version (2.0) with a flashy video. The firmware is not generally available, but a hint in the forums tells that switching to Chinese will get you the latest firmware.

Well, I have tried it, and after installation of the latest version switched back to English. Here are my experiences with the new firmware.

The new library page (front page) has changed considerably. Instead of the big cover of the last read book and much smaller covers of the recently read books, all are arranged in the same size. Further information like the format of the book and the progress are overlaid on top of the cover. The icons on the top right allow for filtering, searching, creation of sub-libraries (folders). The bottom shows the total number of books and libraries. I prefer this layout a lot over the previous as it gives me immediate access to most of the recently read books.

There is a new shop available, but for now it seems most books are in Chinese only, which doesn’t help me a lot. I haven’t really checked out and searched books there for now, but I guess over time and with the general availability of the firmware in the next months better support for (at least) English books is to be expected. There is also a new AppStore (link to image) but again, most of the apps are in Chinese so not very helpful. I hope that in the similar vein with the above, a global release will improve this situation.

The storage page is quite bare, a simple file manager. I don’t think anything has changed from the previous firmware. One can explore the content of the device, copy/move/delete files etc. All very much in usual Android style.

The application page (not shown here, link to image) hasn’t changed a lot, but allows now for per-app optimization as shown on the left. There is an Onyx-specific app store with applications optimized for the Boox devices, but most apps installed via Google Play (or any other method) aren’t optimized. This screen seems to allow for various tweaks to optimize appearance of apps that are not made for grey-scale screens. I haven’t used many of the non-native apps by now, though.

The settings screen got a complete renewal with several new items appearing there.

Most of the items are no new functionality, but there is one new seriously nice feature – synchronization of notes taken. There are several providers, most importantly Dropbox and some Chinese typical services. And with Wifi on the notes are saved nicely into my Dropbox account, which makes the tedious connecting to computer and copying a thing of the past. Thanks!

Let us finally go to the Notes application, which got the biggest update in this round. The entry page of the application hasn’t changed a lot, allowing for sorting of notes, creation of folders etc.

What is interesting is the ability to edit hand-written notes: select, copy, paste, resize, transform. It allows also to type text everywhere (see the teaser video linked at the top for details). Another feature that is presented in the teaser video is the text recognition and search in the content of hand-written notes. I have tried this a few times, but it seems my hand-writing is so bad that it wasn’t recognized.

The Notes application got a lot of new settings, most prominently the AI recognition settings which allows selecting the main language of hand-writing recognition. The language support seems to be impressive, including Japanese, but as I said, I didn’t manage by now to actually get it to find one of my notes. Another item is that search takes quite some time to go through all notes. Maybe only the first time, though.

One last new feature I found while digging through the menus is a Wifi Hotspot to allow for up/download of files from mobiles or other Wifi client devices. Not sure whether I will have use for it, but it might be a nice way to share books to friends without using a computer.

All in all I think after some polishing (the English translations are currently horrible at times) and bug fixing, this firmware is a great addition and step forward for the Onyx devices. There is only one really strange thing I experienced during the upgrade to version 2.0, namely that some of my books got corrupted during the process, and the NeoReader couldn’t open them anymore. I have no idea why some books were affected and some not, but it is not a matter of format I found. Removing them from the device and reloading them from Calibre fixed these problems.

Last comment for today: during writing this blog I switched to Chinese again and got a new version via OTA update (2018-11-22_10-36_2.0.3dcbcf5). Not sure what has changed, though.

Daniel Pocock: UN Forum on Business and Human Rights

Mon, 26/11/2018 - 12:42pm

This week I'm at the UN Forum on Business and Human Rights in Geneva.

What is the level of influence that businesses exert in the free software community? Do we need to be more transparent about it? Does it pose a risk to our volunteers and contributors?

Norbert Preining: On Lars Wirzenius, Fun, and Debian

Mon, 26/11/2018 - 3:20am

Some time ago I got flamed by Lars Wirzenius, because I dared to write on my blog

The last point by Linus is what I criticize most on Debian nowadays, it has become a sterilized over-governed entity, where most fun is gone.

One of the things he said was

I do feel it is important to make it clear to the people reading Planet Debian, where both Preining’s and my blogs are published, that his opinions are not mainstream in the Debian project, and that despite what he says, Debian development continues to be fun.
– Lars Wirzenius, On Norbert Preining, Sarah Sharp, and Debian

Well, as it turned out he got tired of Debian and doesn’t consider it fun anymore:

I’ve had a rough year, and Debian has also stopped being fun for me.
– Lars Wirzenius, Retiring from Debian

Times are a changin’! Despite the difference of our opinions, thanks for your hard work on Debian!

Dirk Eddelbuettel: RQuantLib 0.4.6: Updated upstream, and calls for help

Mon, 26/11/2018 - 12:42am

The new 0.4.6 release of RQuantLib arrived on CRAN and Debian earlier today. It is a two-fold update: catching up with QuantLib 1.14 while also updating to Boost 1.67 (and newer).

A special thanks goes to Josh for updating to the binary windows library in the rwinlib repository allowing us a seamless CRAN update.

The package needs some help, though. There are two open issues. First, while it builds on Windows, many functions currently throw errors. This may be related to upstream switching to a choice of C++11 or Boost smart pointers though this throws no spanners on Linux. So it may simply be that some of the old curve-building code shows its age. It could also be something completely different—but we need someone with a bit of time, debugging stamina, at least a little C++ knowledge and a working Windows setup for testing. I have a few of the former attributes and can help, but no suitable Windows (or Mac, see below) machine. If you are, or can be, the person to help on Windows, please get in touch at this issue ticket.

Second, we simply have no macOS build. Simon has a similar binary repo but no time himself to work on building QuantLib for macOS with the required R-compatible toolchains. If you are on macOS, care about RQuantLib, and know how to build R packages (and how to deal with compilers etc in general) please consider helping. A little more is at this issue ticket.

Otherwise, this release was mostly about internal plus a little helper for holidays. The complete set of changes is listed below:

Changes in RQuantLib version 0.4.6 (2018-11-25)
  • Changes in RQuantLib code:

    • The code was updated for release 1.14 of QuantLib.

    • The code was updated for Boost 1.67 or later (#120 fixing #119).

    • Fewer examples and tests are running on Windows.

    • Several bond pricing examples corrected to use dayCounter.

    • Two new functions were added to add and remove (custom) holidays (#115).

    • The continuous integration setup was rewritten for containers.

Courtesy of CRANberries, there is also a diffstat report for this release. As always, more detailed information is on the RQuantLib page. Questions, comments etc should go to the rquantlib-devel mailing list off the R-Forge page. Issue tickets can be filed at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Bálint Réczey: Migrating from Bazaar to Git on Launchpad just got easier!

Sat, 24/11/2018 - 11:48pm

Debian recently switched from Alioth to Salsa offering only Git hosting from now on and that simplifies the work of existing contributors and also helps newcomers who are most likely already familiar with Git if they know at least one version control system. (Thanks to everyone involved in the transition!)

On Ubuntu’s side, most Ubuntu-specific packages and a big part of Ubuntu’s infrastructure used to be maintained in Bazaar repositories in the past. Since then Git became the most widely used version control system but the Bazaar repositories did not fully disappear.

There are still hundreds of packages maintained in Bazaar in Ubuntu (packaging repositories in Bazaar by team) and Debian (lintian report) and maintaining them in Git instead could be easier in the long term.

Launchpad already supports Git and there are guidelines for converting Bazaar repositories to Git (1,2), but if you would like to make the switch I suggest taking a look at bzr-git-mass-convert based on bzr fast-export (verifying the result with git-remote-bzr). It is a simple tool for merging multiple Bazaar branches to a single git repository set up for pushing it back to Launchpad.

We (at the Foundations Team) use it for migrating our repositories and there is also a wiki page for tracking the migration schedule of popular repositories.

Dirk Eddelbuettel: RcppEigen 0.3.3.5.0

Sat, 24/11/2018 - 11:39pm

Another minor release 0.3.3.5.0 of RcppEigen arrived on CRAN today (and just went to Debian too) bringing support for Eigen 3.3.5 to R.

As we now carry our small set of patches to Eigen as diff in our repo, it was fairly straightforward to bring these few changes to the new upstream version. I added one trivial fix of changing a return value to void as this is also already in the upstream repo. Other than that, we were fortunate to get two nice and focussed PRs since the last release. Ralf allowed us to use larger index values by using R_xlen_t, and Michael corrected use of RcppArmadillo in a benchmarking example script.

Next, it bears repeating what we said in February when we released 0.3.3.4.0:

One additional and recent change was the accommodation of a recent CRAN Policy change to not allow gcc or clang to mess with diagnostic messages. A word of caution: this may make your compilation of packages using RcppEigen very noisy so consider adding -Wno-ignored-attributes to the compiler flags added in your ~/.R/Makevars.

It’s still super-noise, but hey, CRAN made us do it …

The complete NEWS file entry follows.

Changes in RcppEigen version 0.3.3.5.0 (2018-11-24)
  • Updated to version 3.3.5 of Eigen (Dirk in #65)

  • Long vectors are now supported via R_xlen_t (Ralf Stubner in #55 fixing #54).

  • The benchmarking example was updated in its use of RcppArmadillo (Michael Weylandt in #56).

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Molly de Blanc: Conservancy Match

Sat, 24/11/2018 - 4:02pm

In January I was at Linux Conf Australia and had the idea of forming a group match campaign for the Software Freedom Conservancy. The Conservancy is one of my favorite nonprofits, and I had been interested in trying to level up my giving while not putting myself into dangerous financial straits.

A match campaign is when an organization, a person, or persons offer/s to give a nonprofit a large(r) sum in the event they can raise an equal amount during their fundraising activities. For example, Private Internet Access has pledged $50,000 to the Conservancy as part of the Conservancy’s matching donation efforts.

I wanted to participate in the fun of running a match donation, but recognized that the amount I could offer was paltry in comparison to most matches, as well as being not actually enough to inspire participation from potential donors. I realized that instead I could work with others to help reach a number — I picked $10,000 somewhat randomly — and began asking around. With the help of Karen Sandler, Conservancy Executive Director, we surpassed that $10,000 and found ourselves with a $15,000 match.

The Conservancy seemed like a natural choice as a recipient of a somewhat scrappy attempt at a match — they consider themselves to be a scrappy organization, doing a lot with very little. They support free and open source software projects — and unless we have good projects, we don’t have anything to offer people looking to be more freedom respecting in their own lives and their works. They do copyleft compliance work, without which copyleft (and licensing in general) would be meaningless — the licenses need to have teeth in order for any companies to actually follow them and the promise of copyleft to be followed through. They work every day to spread the message and value of software freedom around the world, reaching people who need to be made aware of the way their rights extend to digital spaces and technologies. In the spirit of full disclosure, I also consider the staff of the Conservancy to be among my friends, and I enjoy seeing them at conferences.

I’m really excited (these words don’t capture how excited I am) that I get to participate in something so cool and inspiring as a group of people who want to encourage others to give. I hope you’ll consider making our match successful by supporting the Conservancy.

Russ Allbery: Review: Skeen's Leap

Wed, 21/11/2018 - 5:30am

Review: Skeen's Leap, by Jo Clayton

Series: Skeen #1
Publisher: Open Road
Copyright: 1986
Printing: 2016
ISBN: 1-5040-3845-2
Format: Kindle
Pages: 320

Skeen is a Rooner: a treasure hunter who finds (or steals) artifacts from prior civilizations and sells them to collectors. She's been doing it for decades and she's very good at her job. Good enough to own her own ship. Not good enough to keep from being betrayed by her lover, who stole her ship and abandoned her on a miserable planet with a long history of being temporarily part of various alien empires until its sun flares and wipes out all life for another round.

At the start, Skeen's Leap feels like a gritty space opera, something from Traveller or a similar universe in which the characters try to make a living in the interstices of sprawling and squabbling alien civilizations. But, shortly into the book, Skeen hears rumors of an ancient teleportation gate and is drawn through it into an entirely different world. A world inhabited by the remnants of every civilization that has fled Kildun Aalda during one of its solar flares, alongside native (and hostile) shape-changers. A world in which each of those civilizations have slowly lost their technology from breakdowns and time, leaving a quasi-medieval and diverse world with some odd technological spikes. And, of course, the gate won't let Skeen back through.

This turns out not to be space opera at all. Skeen's Leap is pure sword and sorcery, with technology substituted (mostly) in for the sorcery.

It's not just the setting: the structure of the book would be comfortably at home in a Conan story. Skeen uses her darter pistol and streetwise smarts to stumble into endless short encounters, most of them adding another member to her growing party. She rescues a shapeshifter who doesn't want to be rescued, befriends an adventuring scholar seeking to map the world, steals from an alien mob boss, attaches herself to four surplus brothers looking for something to do in the world, and continues in that vein across the world by horse and ship, searching for the first and near-extinct race of alien refugees who are rumored to have the key to the gate. Along the way, she and her companions occasionally tell stories. Hers are similar to her current adventures, just with spaceships and seedy space stations instead of ships and seedy ports.

Skeen's Leap is told in third person, but most of it is a very tight third-person that barely distinguishes Skeen's rambling and sarcastic thoughts from the narration. It's so very much in Skeen's own voice that I had to check when writing this review whether it was grammatically in first or third. The narrator does wander to other characters occasionally, but Skeen is at the center of this book: practical, avaricious, competent, life-hardened, observant, and always a survivor. The voice takes a bit to get used to (although the lengthy chapter titles in Skeen's voice are a delight from the very start), but it grew on me. I suspect one's feeling about Skeen's voice will make or break one's enjoyment of this book. I do wish she'd stop complaining about her lost ship and the lover who betrayed her, though; an entire book of that got a bit tiresome.

One subtle thing about this book that I found fascinating once I noticed it is its embrace of the female gaze. In most novels, even with female protagonists, descriptions of other characters use a default male gaze, or at best a neutral one. Women are pretty or beautiful or cute; men are described in more functional terms. Skeen's Leap is one of the few SFF novels I've seen with a female gaze that lingers on the attractiveness and shape of male bodies throughout, and occasionally stands gender roles on their head. (The one person in the book who might be Skeen's equal is a female ship captain with a similar background.) It's an entertaining variation.

Despite the voice and the unapologetic female perspective, though, this wasn't quite my thing. I picked up this book looking for a space opera, so the episodic sword-and-sorcery plot structure didn't fit my mood. I wanted deeper revelations and more complex world-building, but that's not on the agenda for this book (although it might be in later books in the series). This is pure adventure story, and by the end of the book the episodes were blending together and it all felt too much the same. It doesn't help that the book ends somewhat abruptly, at a milestone in Skeen's quest but quite far from any conclusion.

If you're looking for sword and sorcery with some SF trappings and a confident female protagonist, this isn't bad, but be warned that it doesn't end so much as stop, and you'll need (at least) the next book for the full story.

Followed by Skeen's Return.

Rating: 6 out of 10

Reproducible builds folks: Reproducible Builds: Weekly report #186

Tue, 20/11/2018 - 2:16pm

Here’s what happened in the Reproducible Builds effort between Sunday November 11 and Saturday November 17 2018:

  • Code review for the LLVM compiler to support the -fmacro-prefix-map argument is currently in progress. Like the -fdebug-prefix-map flag, this argument replaces a string prefix for the __FILE__ pre-processor macro.

  • Kyle Rankin, the Chief Security Officer of Puri.sm authored a blog post entitled “Protecting the Digital Supply Chain” which describes how with Reproducible Builds you can show that no malicious code was injected in software supply chains:

    Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

  • Chris Lamb gave a presentation at the SFScon conference in Bozen, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.

  • Holger Levsen updated our website to add the Tor project as a participant at our upcoming Paris Summit. In addition, Bernhard M. Wiedemann applied a sitewide change to use consistent capitalisation for openSUSE.

  • 38 Debian package reviews were added, 4 were updated and 19 were removed in this week, adding to our knowledge about identified issues. The nondeterminstic_output_in_pkgconfig_files_generated_by_meson was removed as a fix was applied upstream, and the note for the randomness_in_binaries_generated_by_golang issue was updated.

  • diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Marius Gedminas provided a patch to add a python_requires field to diffoscope’s setup.py and Mattia Rizzolo sorted the list of recommended Python modules in debian/tests/control.

  • Chris Lamb’s previously-authored patches for GNU mtools to ensure the Debian Installer images could become reproducible which were sent upstream last week (1 & 2) are now available in upstream’s 4.0.20 release.

  • Upstream chromium-70 now builds reproducibly in openSUSE (with an admittedly-normalised build environment) since it uses the Git commit date.

  • Chris Lamb uploaded strip-nondeterminism (our tool to post-process files to remove known non-deterministic output) version 0.45.0-1 to Debian unstable in order to catch invalid ZIP “local” field lengths — we were previously blindly trusting the value supplied in the ZIP file (#803503). As part of this upload he moved the utility to the SemVer versioning scheme.

  • We have received more than 45 registrations for the upcoming Reproducible Builds summit in Paris between 11th—13th December 2018 and have now closed registrations. Very much looking forward to seeing you there!

Packages reviewed and fixed, and bugs filed

Test framework development

There were a large number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org by Holger Levsen this week, including:

  • Arch Linux-specific changes:

    • Make sed(1) calls for modifying pacman.conf more robust, fixing building in the future as well as using proxies for downloading package dependencies.
    • Improve the documentation of a multi-line sed(1) statement.
    • Perform some administration on the package blacklists.
    • Move to using sudo(8) for cleaning old /tmp files left by package builds.
  • Debian-specific changes:

  • Misc/generic changes:

    • Ensure all ProfitBricks (amd64 and i386) nodes in Karlsruhe use pb1 as a proxy and all nodes in Frankfurt use pb10. This might have produced some build failures but fixed issues with Squid running in the future. This complements previous work for the arm64 architecture.
    • Filed #913658: (“Broken links on packages pages”)
    • Document that the proxy setting for chroot installs are actually correct.

In addition, Alexander Couzens provided a workaround for an OpenWrt build system bug, Eli Schwartz refactored our Arch Linux support and Mattia Rizzolo performed some node maintenance.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
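The failure mode named in the strip-nondeterminism item above, a ZIP length field taken on trust, shown as an added example; this is not strip-nondeterminism's code. It assumes that “local” field lengths refers to the extra-field records of a ZIP local file header, and the sample headers and all function names are constructed for illustration.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"
# Fixed 30-byte part of a ZIP local file header (little-endian).
LOCAL_FIXED = struct.Struct("<4sHHHHHIIIHH")


class ZipFormatError(ValueError):
    """A declared length does not fit the bytes actually present."""


def naive_extra_fields(extra):
    """Trusts each declared size; a short record is silently truncated."""
    records, pos = [], 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        records.append((header_id, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return records


def checked_extra_fields(extra):
    """Same walk, but every declared size is checked against what remains."""
    records, pos = [], 0
    while pos < len(extra):
        if len(extra) - pos < 4:
            raise ZipFormatError(f"truncated extra-field header at {pos}")
        header_id, size = struct.unpack_from("<HH", extra, pos)
        pos += 4
        if size > len(extra) - pos:
            raise ZipFormatError(
                f"field 0x{header_id:04x} declares {size} bytes, "
                f"{len(extra) - pos} remain")
        records.append((header_id, extra[pos:pos + size]))
        pos += size
    return records


def parse_local_header(buf, offset=0):
    """Return (file name, extra-field records) or raise ZipFormatError."""
    if len(buf) - offset < LOCAL_FIXED.size:
        raise ZipFormatError("truncated local file header")
    fields = LOCAL_FIXED.unpack_from(buf, offset)
    sig, name_len, extra_len = fields[0], fields[9], fields[10]
    if sig != LOCAL_SIG:
        raise ZipFormatError("bad local file header signature")
    start = offset + LOCAL_FIXED.size
    if name_len + extra_len > len(buf) - start:
        raise ZipFormatError("name/extra lengths exceed available data")
    name = buf[start:start + name_len]
    extra = buf[start + name_len:start + name_len + extra_len]
    return name, checked_extra_fields(extra)


def build_local_header(name, extra):
    """Constructed sample input: a local header with zeroed metadata."""
    fixed = LOCAL_FIXED.pack(LOCAL_SIG, 20, 0, 0, 0, 0, 0, 0, 0,
                             len(name), len(extra))
    return fixed + name + extra


# Constructed samples: a well-formed extended-timestamp record (id 0x5455,
# 1 flag byte + 4-byte mtime) and one whose size field claims 500 bytes.
GOOD_EXTRA = struct.pack("<HHBI", 0x5455, 5, 0x01, 0)
BAD_EXTRA = struct.pack("<HH", 0x5455, 500) + b"\x01"
```
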

Rodrigo Siqueira: An attempt to create a local Kernel community

Mon, 19/11/2018 - 3:00am

Since the day I had my first class of Operating Systems (OS) in my engineering course, I got passionate about it; for me, OS represents one of the greatest achievements of mankind. As a result of my delight for OS, I always tried to gravitate around this field, but my school environment did not provide me with many opportunities to get into the area. To summarize this long journey, I will jump directly into the main point: on November 15 of 2017, I joined a conference named Linuxdev-br [1] which brought together some of the best Brazilian Kernel developers. I took this opportunity to learn everything that I could by asking lots of questions to developers. Additionally, I was lucky to meet Gustavo Padovan. He helped me a lot during my first steps in the Linux Kernel.

From November 2017 until now, I did the best I could to become a Kernel developer, and I have to admit that the path was very complicated. I paid the price to work from 8 AM to 11 PM, from Sunday to Sunday, to maintain my efforts in my master and the Linux Kernel at the same time; unfortunately, I could not stay focused only in the Kernel. However, all of these efforts paid off along the year; I had many patches accepted in the Kernel, I joined the Google Summer of Code (GSoC), I traveled to conferences, I returned to Linuxdev-br 2018 as a speaker, I joined XDC2018 [2], and many other good things happened.

Now I am close to complete one year of Linux Kernel, and one question still bugs me: why does it have to be so hard for someone in a similar condition to become part of this world? I realized that I had great support from many people (especially from my sweet and calm wife) and I also pushed myself very hard. Now, I feel that it is time to start giving back something to society; as a result, I began to promote some small events about free software in the university and the city I live in. However, my main project related to this started around two months ago with six undergraduate students at the University of Sao Paulo, IME [3]. My plan is simple: train all of these six students to contribute to the Linux Kernel with the intention to help them to create a local group of Kernel developers. I am excited about this project! I noticed that within a few weeks of mentoring the students they already learned lots of things, and in a few days, they will send out their contributions to the Kernel. I want to write a new post about that in December 2018, reporting the results of this new tiny project and the summary of this one year of Linux Kernel. See you soon :)

Reference
  1. linuxdev-br
  2. XDC 2018
  3. IME USP

Another ActivityPub quirk

Sat, 17/11/2018 - 11:44pm

I’m wondering now if the problem with the activitypub is because the user object was already in the remote site and somehow the two were not being linked up properly.

Removing the user information off the Mastodon instance may help, or not.

Craig https://dropbear.xyz Small Dropbear

activitypub 4

Sat, 17/11/2018 - 11:13pm

4th attempt at getting the linking working, works ok on the test site now!

Craig https://dropbear.xyz Small Dropbear
