Planet Debian

Joachim Breitner: Nonce sense paper online

Thu, 10/01/2019 - 9:04 AM

Nadia Heninger and I have just put the preprint version of our paper “Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies”, to be presented at Financial Crypto 2019, online. In this work, we look at how many private keys used on the Bitcoin, Ethereum and Ripple blockchains, as well as in HTTPS and SSH, were used in an unsafe way and hence can be compromised. The resulting numbers are not large – 300 Bitcoin keys, with a balance of around $54 – but it shows (again and again) that it can be tricky to get crypto right, and that if you don’t get it right, you can lose your money.

Brief summary

When you create a cryptographic signature using ECDSA (the elliptic curve digital signature algorithm), you need to come up with a nonce, a 256-bit random number (for a curve like secp256k1). It is really important to use a different nonce every time, and to keep it secret: if you reuse a nonce, it is easy for someone else to take two of your signatures (which might be stored for everyone to read on the Bitcoin blockchain) and calculate your private key using relatively simple math, and anyone who learns a single nonce can compute the key from that one signature alone. With your private key they can spend all your Bitcoins. In fact, there is evidence that people out there continuously monitor the blockchains for signatures with such repeated nonces and immediately extract the money from compromised keys.

Less well known, but still nothing new to the crypto (as in cryptography) community, is that an attacker can calculate the key from signatures that use different but similar nonces: for example if they are close to each other (only the low bits differ), or if they differ by a multiple of a large power of two (only the high bits differ). This uses a fancy and powerful technique based on lattices. Our main contribution here is to bridge crypto (as in cryptography) and crypto (as in cryptocurrency) and see if such vulnerabilities actually exist out there.

And indeed, there are some. Not many (which is good), but they do exist, and clearly due to more than one source. Unfortunately, it is really hard to find out who made these signatures, and with which code, so we can only guess about the causes of these bugs. A large number of affected signatures are related to multisig transactions, so we believe that maybe hardware tokens could be the cause here.

Observing programming bugs

Even though we could not identify the concrete implementations that caused these problems, we could still observe some interesting details about them. The most curious is certainly this one:

One set of signatures, which incidentally had been created by an attacker who emptied out accounts with compromised keys (e.g. those that were created from a weak password, or otherwise leaked onto the internet), was using nonces that shared the low 128 bits, and hence revealed the (already compromised) private key of the account they emptied out. Curiously, these low 128 bits are precisely the upper 128 bits of the private key.

So it very much looks like the attacker hacked up a program that monitors the blockchain and empties out accounts, probably in a memory-unsafe language like C, and got the sizes of the buffers for nonce and key wrong: maybe they did properly fill the nonce with good random data, but when they wrote the secret key the memory locations overlapped, and they overwrote part of their randomness with the very non-random secret key. Oh well.

Do I need to worry?

Probably not. The official blockchain clients get their crypto right (at least this part) and use properly random nonces, so as a user you don’t have to worry. In fact, since 2016 the Bitcoin client uses deterministic signatures (RFC 6979), which completely removes the need for randomness in the signing process.

If you are using non-standard libraries, or if you write your own crypto routines (which you should only ever do if you have a really, really good reason for it), you should make sure that these use RFC 6979. This is even more important on embedded devices or hardware tokens, where a good source of randomness might be hard to come by. One caveat: a deterministic nonce is still a secret. It has to be derived and used without leaking through timing or other side channels, and a faulted signing run on a message that was also signed correctly hands the attacker exactly the repeated-nonce pair described above.

Discrete logarithm in secp256k1 with lookup table

In the course of this work I wanted to find out if small nonces (< 2^64) were used even when the key created only one signature – the lattice-based attacks need at least two signatures to work. So I wrote code that calculates the discrete log in the secp256k1 curve for exponents up to 2^64. This is made feasible using a lookup table for smaller exponents (< 2^39 in our case – the largest table that still fits into 2.2 TB of RAM).

This exercise turned out to be not very useful; we did not find any additional keys, but I had fun writing the program, implemented in C and working very close to the raw data, juggling big binary files mmap’ed into memory and implementing custom lookup indices and such. In the hope that this might be useful to someone, I share the code at
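
The three techniques this post touches on, as one added example in Python (this is not code from the paper, from the author, or from any Bitcoin client): the repeated-nonce key recovery from the “Brief summary” section, the recovery of a key from a single signature whose nonce is small via a lookup table as in this section, and the RFC 6979 nonce derivation recommended under “Do I need to worry?”. The curve arithmetic is a plain affine implementation of secp256k1 for illustration only; it is neither constant time nor fast. The baby-step/giant-step split here is balanced (a table of 2^(b/2) entries for a b-bit bound), whereas the post describes an unbalanced split with a 2^39-entry table and 2^25 giant steps; the principle is the same. Keys, message hashes and nonces used with it are constructed, not taken from the blockchain.

```python
"""Added example, not code from the paper or the post: textbook ECDSA over
secp256k1, key recovery from a reused nonce, key recovery from one signature
with a small nonce (baby-step/giant-step lookup table), and RFC 6979 nonces."""
import hashlib
import hmac

# secp256k1 domain parameters (SEC 2): field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, p=G):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def sign(d, h, k):
    """ECDSA with an explicit nonce k: r = (kG).x mod n, s = k^-1 (h + r d) mod n."""
    r = ec_mul(k)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N


def key_from_reused_nonce(h1, sig1, h2, sig2):
    """Same k in both signatures gives the same r; subtracting the two s equations
    eliminates d and yields k, after which d follows from either signature."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r values differ, so the nonce was not reused")
    k = (h1 - h2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - h1) * pow(r1, -1, N) % N


def small_nonce_from_signature(h, sig, bits):
    """One signature whose nonce is known to be < 2**bits: rebuild R = kG from r
    (up to sign; the r >= n wrap-around is ignored), find k by baby-step/giant-step,
    then d = (s k - h) r^-1 mod n."""
    r, s = sig
    y = pow((r ** 3 + 7) % P, (P + 1) // 4, P)   # sqrt, valid since P % 4 == 3
    m = 1 << ((bits + 1) // 2)                    # balanced split: m baby, m giant
    table, pt = {}, None                          # lookup table: j*G -> j
    for j in range(m):
        table[pt] = j
        pt = ec_add(pt, G)
    step = ec_mul(m)
    neg_step = (step[0], P - step[1])
    for big_r in ((r, y), (r, P - y)):             # r fixes R only up to sign
        q = big_r
        for i in range(m):                         # q = R - i*m*G
            if q in table:
                k = i * m + table[q]
                return (s * k - h) * pow(r, -1, N) % N
            q = ec_add(q, neg_step)
    return None                                    # nonce was not that small


def rfc6979_nonce(d, h):
    """RFC 6979 section 3.2 with HMAC-SHA256 for a 256-bit order: bits2int is the
    identity, so bits2octets(h) reduces to h mod n written as 32 bytes."""
    x = d.to_bytes(32, "big")
    h1 = (h % N).to_bytes(32, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    key = hmac.new(key, v + b"\x00" + x + h1, hashlib.sha256).digest()
    v = hmac.new(key, v, hashlib.sha256).digest()
    key = hmac.new(key, v + b"\x01" + x + h1, hashlib.sha256).digest()
    v = hmac.new(key, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(key, v, hashlib.sha256).digest()   # T = V (one block)
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k
        key = hmac.new(key, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(key, v, hashlib.sha256).digest()
```

Signing two different hashes with the same k and feeding both signatures to key_from_reused_nonce returns the private key; signing one hash with k = 0xC0FFEE and calling small_nonce_from_signature(h, sig, 24) returns it from that single signature in well under a second, while a 64-bit bound as in the post needs a 2^32-entry table, which is where the mmap’ed files come in. RFC 6979 Appendix A.2 lists test vectors for the NIST curves that any production implementation should be checked against; rfc6979_nonce hard-codes qlen = hlen = 256, so it is only correct for 256-bit orders with SHA-256.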

Russ Allbery: Review: Bright Earth

Thu, 10/01/2019 - 5:26 AM

Review: Bright Earth, by Philip Ball

Publisher: University of Chicago
Copyright: 2001
Printing: 2003
ISBN: 0-226-03628-6
Format: Trade paperback
Pages: 337

The subtitle Art and the Invention of Color does a good job advertising the topic of Bright Earth: a history of the creation of color pigments for art (specifically European painting; more on that in a moment). It starts with a brief linguistic and scientific introduction to color, sketches what's known about use and creation of color pigments in antiquity, and then settles down for serious historical study starting in the Middle Ages. Ball catalogs pigment choices, discusses manufacturing methods, and briefly surveys the opinions of various schools of art on color from before the Renaissance through to the modern art of today. He also takes two fascinating (albeit too brief) side trips to discuss aging of pigments and the problem of reproducing color art.

This is one of those non-fiction books whose primary joy for me was to introduce me to problems and constraints that were obvious in retrospect but that I'd never thought about. If someone had asked me whether painters were limited in their subject matter and methods by the colors available to them, I probably would have said "huh" and agreed, but I never thought to ask the question. Like a lot of people of my age in the US, I grew up watching Bob Ross's The Joy of Painting and its familiar list of oil paints: phthalo green, alizarin crimson, and so forth. But of course that rich palette is a product of modern chemistry. Early Renaissance painters had to make do with fewer options, many of them requiring painstaking preparation that painters or their assistants did themselves before the popularity of art and the rise of professional color makers. They knew, and were shaped by, their materials in a way that one cannot be when one buys tubes of paint from an art store.

Similarly, I was familiar with additive color mixing from physics and from computer graphics projects, and had assumed that a few reasonable primaries would provide access to the entire palette. I had never considered the now-obvious problem of subtractive mixing with impure primaries: since the pigments are removing colors from white light, mixing together multiple pigments quickly gets you a muddy brown, not a brilliant secondary color. The resulting deep distrust of mixing pigments that dates back to antiquity further limits the options available to painters.

Ball's primary topic is the complicated interplay between painting and science. Many of the new colors of the Renaissance were byproducts or accidents of alchemy, and were deeply entangled in the obsession with the transmutation of metals into gold. Most of the rest were repurposed dyes from the much more lucrative textile business. Enlightenment chemistry gave rise to a whole new palette, but the chemistry of colors is complex and fickle. Going into this book, I had a superficial impression that particular elements or compounds had particular colors, and finding pigments would be a matter of finding substances that happened to have that color. Ball debunks that idea quickly: small variations in chemical structure, and thus small variations in preparation, can produce wildly different colors. Better chemistry led to more and better colors, but mostly by accident or trial and error until surprisingly recently. The process to make a color almost always came first; understanding of why it worked might be delayed centuries.

In school, I was an indifferent art student at best, so a lot of my enjoyment of Bright Earth came from its whirlwind tour of art history through the specific lens of color. I hadn't understood why medieval European paintings seem so artificial and flat before reading this book, or why, to my modern eye, Renaissance work suddenly became more beautiful and interesting. I had also never thought about the crisis that photography caused for painting, or how much that explains of the modern move away from representational art. And I had seriously underestimated the degree to which colors are historically symbolic rather than representational. This material may be old news for those who paid attention in art history courses (or, *cough*, took them in the first place), but I enjoyed the introduction. (I often find topics more approachable when presented through an idiosyncratic lens like this.)

Ball is clear, straightforward, and keeps the overall picture coherent throughout, which probably means that he's simplifying dramatically given that the scope of this book is nothing less than the entire history of European and American painting. But I'm a nearly complete newcomer to this topic, and he kept me afloat despite the flood of references to paintings that I've never seen or thought about, always providing enough detail for me to follow his points about color. You definitely do not have to already know art history to get a lot out of this book.

I do have one caveat and one grumble. The caveat is that, despite the subtitle, this book is not about art in general. It's specifically about painting, and more specifically focused on the subset of painting that qualifies as "fine art." Ball writes just enough about textiles to hint that the vast world of dyes may be even more interesting, and were certainly more important to more people, but textiles are largely omitted from this story. More notably, one would not be able to tell from this book that eastern Asia or Africa or pre-colonial America exist, let alone have their own artistic conventions and history. Ball's topic is relentlessly limited to Europe, and then the United States, except for a few quick trips to India or Afghanistan for raw materials. There's nothing inherently wrong with this — Ball already has more history than he can fully cover in only Europe and the United States — but it would have been nice to read a more explicit acknowledgment and at least a few passing mentions of how other cultures approached this problem.

The grumble is just a minor mismatch of interests between Ball and myself, namely that the one brief chapter on art reproduction was nowhere near enough for me, and I would have loved to read three or four chapters (or a whole book) on that topic. I suspect my lack of appreciation of paintings has a lot to do with the challenges of reproducing works of art in books or on a computer screen, and would have loved more technical detail on what succeeds and what fails and how one can tell whether a reproduction is "correct" or not. I would have traded off a few alchemical recipes for more on that modern problem. Maybe I'll have to find another book.

As mentioned above, I'm not a good person to recommend books about art to anyone who knows something about art. But with that disclaimer, and the warning that the whirlwind tour of art history mixed with the maddening ambiguity of color words can be a bit overwhelming in spots, I enjoyed reading this more than I expected and will gladly recommend it.

Bright Earth does not appear to be available as an ebook, and I think that may be a wise choice. The 66 included color plates help a great deal, and I wouldn't want to read this book without them. Unless any future ebook comes with very good digital reproductions, you may want to read this book in dead tree form.

Rating: 7 out of 10

Gunnar Wolf: Finally, a sensible increase in participation for Tor in Mexico!

Thu, 10/01/2019 - 1:23 AM

Known fact: Latin America's share of participation in different aspects of the free software movement is very low.

There are many hypotheses for this, but all in all, it's mainly economics related: only a tiny minority of us in this geographic region can spare the time, energy and money needed to donate part of our work and life to a project, no matter how much we agree with it. Of course, this cannot explain it wholly; there are many issues that further contribute to this low participation. Free software development is mostly carried out in English (much more so even than programming in general, although basically any programming language "reeks" of English).

In mid-2017, the Tor project acknowledged this and created the Global South Initiative. At first, I heard about it when the mailing list was started, and started interacting there right away. Roughly a month later, we started to plan for what is now our research/documentation project. We even managed to somehow attract the Tor community at large for the Tor Meeting last September/October in Mexico City (which was a *great* opportunity!)

One of the issues we have been pushing for, with marginal success rate until very recently, is to get more people involved running Tor relays or, if possible, exit nodes. Of course, when I asked officially for permission to set up an exit node at the university (I want to do things the right way), I was right away slammed and denied.

But... Patience, time, hardware donation by Derechos Digitales, and some determination have led us to the fact that... 18 months ago, we only had one or two active Tor relays. Now, the reality is finally changing!

Thanks to many individuals willing to donate their time and resources, we currently have eleven relays (eight of which I can recognize by name, and I thank their respective owners; the linked page will probably give different results, as it varies over time).

As for the diversity this brings to the network, it's well summed up by the aggregated search:

Four autonomous systems; the only ISP that's usable for home users we have been able to identify is Axtel, with which we have five relays currently running; three at UNAM, the biggest university in the country; one in CINVESTAV, an important research facility; finally, one in Mega Cable, which surprises me, as Mega Cable does not provide a reachable IP for any of the subscribers we have probed! (Maybe it's run by corporate users or something like that?)

And, very notably: I have to recognize and thank our friends at Red en Defensa de los Derechos Digitales (R3D), as they have set up our –so far– only exit node (via the Axtel ISP). Wow!

Ten relays, mind you, is still a tiny contribution. Due to the bandwidth we are currently able to offer (and many many many other factors I cannot go into details, as I don't even know them all), Mexico as a country is currently providing approximately 0.05% (that is, one out of each 2000) Tor connections as a guard (entry) node, a slightly higher amount as a middle node, and a slightly lower amount as an exit node. But it is steadily increasing, and that's great!


Markus Koschany: My Free Software Activities in December 2018

Wed, 09/01/2019 - 8:43 PM

Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games
  • I used this month to polish some of my team-maintained packages and to slightly improve the Debian packaging in openyahtzee, monopd, opencity, pangzero, powermanga, ri-li, tecnoballz, whichwayisup, atanks, ufoai and dreamchess.
  • I fixed RC bug #915453 in supertuxkart.
  • I released a new version of debian-games, a collection of metapackages to ease the installation of games in Debian. I plan to do another update in January. This one will then almost be the final state for Buster, but there is usually another last minor update during deep freeze to include even the latest changes.
  • I also packaged a new upstream version of enemylines3, which was merely a bug fix release though. Nevertheless I could drop two Debian patches. Yeah.
Debian Java Misc
  • I updated osmo, tofrodos and iftop and applied a patch by Andreas Henriksson for wbar to  fix a reproducibility issue on merged-usr systems.
  • The browser extension privacybadger was updated to version 2018.12.17.
  • I prepared a security update of libarchive for Stretch released as DSA-4360-1.
  • I reported a FTBFS that got recently fixed in moria. (#916030)
NMU Debian LTS

This was my thirty-fourth month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 17.12.2018 until 06.01.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVEs in graphicsmagick, sqlite3, libvncserver, pspp, yara, terminology, sssd, libarchive, freecol, rabbitmq-server, hoteldruid, libraw, nagios3, gnupg2, igraph, python3.4, radare2, imagemagick, tar, poppler, tcpreplay, libcaca, binutils, liblas, mxml, jasper, aria2, systemd, libpff, libsixel, libspring-security-2.0-java, nasm, yaml-cpp and yaml-cpp0.3.
  • DLA-1630-1. I triaged and investigated 39 CVEs in libav. Later I issued a security update for libav fixing 14 of them.
  • DLA-1612-1. Issued a security update for libarchive fixing 2 CVEs.
  • DLA-1615-1. Issued a security update for nagios3 fixing 5 CVEs.
  • DLA-1616-1. Issued a security update for libextractor fixing 2 CVEs.
  • DLA-1628-1. Issued a security update for jasper fixing 8 CVEs (9 were announced). It turned out that CVE-2018-19139 has not been fixed yet.

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my seventh month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 17.12.2018 until 06.01.2019 and I triaged CVEs in libarchive, gnutls26, rabbitmq-server, binutils, wget, tar, krb5, jasper and systemd.
  • ELA-72-1. Issued a security update for jasper fixing 5 CVEs. I analyzed the remaining open issues, prepared patches myself and forwarded them upstream.
  • ELA-73-1. Issued a security update for libcaca fixing 4 CVEs.
  • ELA-74-1. Issued a security update for sqlite3 fixing 3 CVEs.

Thanks for reading and see you next time.

Gergely Nagy: One hat less

Wed, 09/01/2019 - 12:45 PM

Almost a week ago, on a snowy night of January 3, I hung up my Debian Developer hat, and sent my retirement letter in. This has been a long time coming, and I contemplated doing this many times over the past year or two, but never got the courage and the willpower to retire. It wasn't easy. Debian has been part of my life for the past two decades, and I've been a developer for about eighteen years. I considered - and to some extent, still do - Debian my second family. There have been times when Debian was my escape hatch, something I could focus on to help me pass the days by. I've made friends, I've met people, I learned humility, I learned empathy. If it weren't for Debian, I wouldn't be the person I am today. Retiring felt like admitting defeat for a long time. But it isn't.

It's not defeat when you admit that your circumstances changed. It's not defeat when you let others take better care of the stuff you've been neglecting for way too long. It's not defeat when you're taking a break. It's not defeat when you're reducing the amount of stress that keeps you awake at night. It's not defeat when you do the right thing. It's not defeat when you gracefully retire: rather, it is a start of something new.

I originally joined Debian for two reasons: I had been a Debian user for a while by then, and felt that I should be giving back, as I had received so much from Debian. The second reason wasn't this noble, but after eighteen years, I guess I can admit it: the other reason I applied was vanity. Having an email address was something.

At the time, I was... a different person. I was full of myself at times, I was angry, perhaps a tad too elitist at times too. I'm not proud of old me, but it's part of me. I grew, and became a better person, there's no shame in being able to grow - quite the contrary. And Debian helped immensely. I've had role models in the project, who I look up to even to this day, who helped shape me one way or the other.

There are two people I need to mention specifically: Martin Michlmayr and Rhonda D'Vine.

Martin was my Application Manager when I applied; I considered him a mentor, a friend. The example he set was instrumental in shaping me too. Rhonda helped me get to my first ever conference: I got on a train to Vienna, and she took me to LinuxTag in her car from there, and then back again. That first LinuxTag, the path that led there, the conference itself, was formative, and both Martin and Rhonda had a big part in it being so. Thank you again: so many years later, I still smile when I think back. Those years we were in touch meant a lot to me.

I often feel nostalgic about the times way back then, when I was active on IRC. I miss the old bunch (oh, so many people I haven't talked to in years!). I miss being active in Debian. I miss talking to fellow developers. But life took me elsewhere, and there's only so many hours in a day. Over the years Debian and me, we grew apart. There was always something more important, so my Debian contributions dropped (though, I had some ups too, while I was ftp-master assistant for example). By 2018, I barely did anything, and one of my resolutions for the new year was that I'll be taking better care of my health, mental and physical alike. Part of this is reducing my workload, reducing the stress levels, and things I feel guilty about.

It's a strange feeling. A mix of sadness and relief. On the flip side, as Lars put it, I'm now part of the retired DD club, and that's one illustrious club to be part of. First I joined the Debian Parents Club, now the Retired Debian Developers Club. This is a good start of a new chapter.

At some point though, I will be back. Debian is part of my life, and always will be. One way or the other, there will be a way back. It may take years, or a decade, but I'll put on that swirly hat again.

Daniel Lange: Apple Time Machine backups on Debian 9 (Stretch)

Wed, 09/01/2019 - 11:29 AM

Netatalk 3.1.12 has been released, which fixes an 18-year-old RCE bug. The Medium write-up on CVE-2018-1160 by Jacob Baines is quite an entertaining read.

The full release notes for 3.1.12 are unfortunately not even half as interesting.

Be sure to read the original blog post if you are new to Netatalk3 on Debian Jessie or Stretch!
You'll get nowhere if you install the .debs below and don't know about the upgrade path from 2.2.x which is still in the Debian archive. So RTFA.

For Debian Buster (Debian 10) we'll have Samba 4.9, which has learnt (from Samba 4.8.0 onwards) how to emulate an SMB Time Machine share. I'll write up how to install this once Buster stabilizes. This luckily means there will be no need to continue supporting Netatalk in normal production environments. So I guess bug #690227 won't see a proper fix anymore. Waiting out problems helps at times, too :/.
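
As an added example, and not the write-up promised above, here is the shape of an smb.conf share definition that Samba 4.8 or later accepts as a Time Machine target. The share name, path and user name are placeholders:

```ini
[timemachine]
    comment = Time Machine backups
    ; placeholder path and account; keep guest access off for backup data
    path = /srv/timemachine
    valid users = backupuser
    read only = no
    browseable = yes
    ; vfs_fruit supplies the Apple SMB extensions; keep this module order
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes
    ; cap the sparse bundle so one client cannot fill the whole disk
    fruit:time machine max size = 500G
```

macOS only accepts a share as a backup destination when the server advertises the Time Machine capability, which is what fruit:time machine = yes switches on; clients discover such shares over mDNS (_adisk._tcp), which Samba registers itself when it is built with Avahi support. smb.conf does not support comments at the end of a value line, so the comments above are on lines of their own.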

Update instructions and downloads are in the full post.

Chris Lamb: Favourite books of 2018

Sat, 05/01/2019 - 9:50 AM

I managed to read 53 books in 2018 (up from fifty in 2017), but here follow eleven of my favourites, in no particular order.

Disappointments this year included Attack of the 50 Foot Blockchain: I am finding snark and sarcasm to be subject to severe diminishing returns these days, so whilst entertaining at first it got a little too much too fast. I was not altogether surprised that the author is "a proud editor of RationalWiki" too.

In addition, whilst I really enjoyed The Martian back in 2016 I didn't find Weir's Artemis nearly as compelling. Whilst it was a good enough yarn, everything about the protagonist felt somewhat forced and ultimately hollow. Yuval Noah Harari's 21 Lessons for the 21st Century also did not match up with his previous two but still warrants the investment if you enjoyed them.

The worst book I finished this year was probably Nassim Nicholas Taleb's Fooled by Randomness. I admit this was a guilty pleasure to some degree; a car crash of arrogance at its finest but ironically quite a compelling read if you can stomach it. However, How to Own the World "bests" it in that whilst it delivers some fairly sensible financial advice at first, the book finally reveals itself as a tedious encomium to gold about halfway through.

Countdown to Zero Day (2014)

Kim Zetter

A genuine thriller or cyberpunk "novel", this book tells the true story behind the virus that sabotaged Iran's nuclear efforts. Not content to focus on Stuxnet itself, it discusses the wider issues with regards to the market for exploits, cyberwarfare and geopolitics.

Although at times it goes into somewhat-unnecessary technical detail on the exploits themselves (".lnk" files, anyone?) this should absolutely not deter recommending it to non-technical folks as these asides are not essential to appreciating this fine book. Indeed, this is absolutely riveting and eye-opening, even for someone who is reasonably up-to-date with security issues.

Highly recommended; I ended up gifting this book as a number of Christmas presents.

A Year in Provence (1989)

Peter Mayle

Whilst waxing lyrical to a friend about Kate Fox's Watching the English from my 2017 highlights, they immediately enquired whether I had read any of Peter Mayle's Provence series. Answering in the negative, they explained that it uses the author's renovation of a house in a small village in France as a way of hanging an amusing socio-anthropological yarn. I ended up binge-reading this in a number of wine bars and bistros in the XVIIIe arrondissement, guessing that was as good a set and setting as I was going to achieve, especially as that would avoid the dreaded Mistral that is personified as a human actor throughout the tale.

Singularly impressed by the quality of the writing ("… by nine o'clock it was already too hot to wear a watch…") and the author's ability to find «le mot juste», it is an unalloyed joy to read, primarily due to the interactions with the natives:

"What’s your best price?" she asked the dealer. "My best price, Madame, is a hundred francs. However, this now seems unlikely and lunch approaches. You can have it for fifty."

The immediate sequel, Toujours Provence, is already high on my queue for January. Mayle tragically passed away in January 2018, but not before quipping "I've often thought the best time to die would be after a long lunch — just before the bill arrives."

Confessions of a Conjuror (2009)

Derren Brown

Until recently, Derren was somewhat of a UK-centric celebrity magician who essentially redefined the public perception of the genre to modern audiences by foregrounding psychological manipulation and spectacle over mere "tricks".

An autobiography of sorts, Confessions is structured around a single performance from the days when Brown was an unknown magician working the tables in a middlebrow Bristol restaurant, and uses this narrative conceit as a springboard to break into rambling yet highly-revealing tangents into parts of his world and mind.

Clearly highly tuned to social dynamics, Derren offers a fair amount of observational humour too:

The Parmesan Moment: when the most animated chatter enters, sometimes mid-word, a cryogenic phase equal in length to the time it takes the waiter to shave hard cheese on to the plates of the erstwhile vivacious diners. No conversation is too mundane, no babble too banal for it to be suddenly classified as anything less than entirely confidential once the rotary grater invades the periphery.

As you might be able to surmise, one hurdle to really enjoying this book is Brown's use of unnecessarily fancy prose which, like Russell Brand's similar pretentious affectations, serves only to keep the reader at a distance. It is refreshing that Brown's later works don't appear to have this trait, however, and his Happy is very much on my to-read list for 2019.

Nevertheless, this is a bizarre, intriguing and (almost entirely…) brilliant insight into the mind of a remarkable artist.

On Tyranny: Lessons from the Twentieth Century (2017)

Timothy Snyder

I first discovered Snyder many years ago through his harrowing Bloodlands, which describes the Nazi and Soviet killing fields of the Black Sea and the Baltic Republics, where both parties were complicit in atrocities so huge and so awful that grief could almost grow numb. However, this year he popped up on an episode of the Sam Harris podcast to promote his Lessons from the Twentieth Century.

This book comprises a number of short chapters with titles like "Remember Professional Ethics" and "Beware the One-Party State", each purporting to illustrate some angle of the 20th century to readers in the 21st. At only 128 pages, this slender and easy-to-read volume was engaging enough to be enjoyed over the course of a single beverage.

I am now straining to elucidate exactly why I liked this as a whole, but in hindsight it seemed to hit home at the right time and was motivational in terms of re-affirming confidence in one's established beliefs. It certainly makes some mordant criticisms of our approaches to current world events, including remarking that whilst our generic cynicism makes us feel alternative, given this is what everyone else is doing we are actually part of a morass of indifference. The positive (but "adolescent") connotations of the doctrine of disruption are also given a knock with the observation that:

The man who runs naked across a football field disrupts, but he does not change the rules of the game.

… and for those with more of a penchant for privacy-related topics, Snyder reminds us that totalitarianism is not necessarily the clichéd all-powerful state but rather the erasure of the difference between private and public life: we are free only insofar as we exercise control over what people know about us and in what circumstances they come to know it.

Why We Sleep: The New Science of Sleep and Dreams (2017)

Matthew Walker

We remain shockingly ignorant of how we spend at least a third of our lives and how much it affects the other two-thirds. But perhaps more worrying are the severe physical and mental health considerations of foregoing sleep as well as the degree a deficiency prevents us from perceiving said negative effects in a kind of bizarre "Dunning—Morpheus" effect.

Sleep (or rather; the "science of sleep") was definitely a meme of 2018 popular science and garnered a lot of attention in the podcast world — so what stood out about this particular contribution?

Indeed, in terms of specific advice there is nothing here you haven't come across before (regular schedule, no screens, cooler room, avoid sleeping pills…), but this book rises above the rest in that it isn't a step-by-step manual (isn't "advice is what we ask for when we already know the answer but wish we didn't…" anyway?). In contrast, Walker foregrounds explanations about dreams, REM & NREM sleep, the evolution of sleep, jetlag, the history of sleep as well as the ever-changing relationship between society and the act of sleeping. There is unfortunately not enough causal data on a population level at the moment to make definitive statements, but enough highly correlative stuff, and thus it is ironically ripe for the pop science treatment.

Zen and the Art of Motorcycle Maintenance (1974)

Robert Pirsig

After at least a decade, I finally got around to reading this. I am not sure why I had avoided it up until now, perhaps worrying such a "hypercanonical" book in this space would come across as highly-derivative given that I've read so many books that occupy the same space or have otherwise taken it as inspiration.

However, it was probably the acquisition of an actual motorbike this year that prompted an ironic purchase (along with the associated Haynes manual) and was quickly rewarded by its take on the philosophy of science and other prosaic or romantic thoughts.

Reviewing such a book in any detail in late-2018 seems a little odd (do we need another "review" of GEB on Hacker News?) so I will only add that I found myself associating my thoughts on maintenance closer to the Sutherlands than our protagonist and my copy is now irredeemably littered with highlighted quotations for which it is impossible to find a favourite. However, here's one, perhaps, suitable for the upcoming year:

You are never dedicated to something you have complete confidence in. When people are fanatically dedicated to political or religious faiths or any other kinds of dogmas or goals, it's always because these dogmas or goals are in doubt.

The Dig (2007)

John Preston

This novel dramatises the events behind the discovery of the Sutton Hoo treasure in 1939 which included a "ship burial" and a wealth of undisturbed Anglo-Saxon artefacts. Eerily similar to when I was reading the author's A Very English Scandal, I started out not aware it was based on a true story but some very slightly incongruous or unnecessary facts encouraged me to look up the background online.

A quick, short and enjoyable read, recommended to anyone interested in history or a portrait of antebellum England.

The Long Way to a Small, Angry Planet (2014)

Becky Chambers

This is one of those books whose appeal and interest is curiously in its flaws. Or: if this was a better book it would be curiously less compelling to recommend. To get it out of the way up-front, Chambers clearly has a particular target audience in mind and this regrettably means a certain amount of pandering, wish-fulfillment and compromises on behalf of the art of the novel.

For example, one discovers that the Android is actually black and it seemed clear to me you weren't really meant to notice, and thus raise an eyebrow at one's own prejudice when it is faux-casually revealed to you. There is, of course, nothing really wrong with these sorts of games — or perhaps the book's overt use of non-standard pronouns — but this sort of oft-laboured detail ends up simply tripping up the (good!) core narrative rather than offering delightful background colour, at the least violating the principle of Chekhov's Gun and getting in the way of the plot; these social elements are invariably not "world-building" in the way it is in, say, episodic and early Star Trek or Stargate.

Despite all of the above, I would still highly recommend this to anyone remotely-interested in modern sci-fi; indeed I found its loosely-associated followup almost as compelling and the third installment on my 2019 list once I can stomach the cheeky "get 'em hooked" drug dealer pricing strategy of the trilogy.

The Road to Wigan Pier (1937)

George Orwell

Defying strict classification, this book is split into two quite distinct parts; the first discusses the living conditions among the working class in Yorkshire whilst the second half is a long and rambling essay on a myriad of subjects including socialism, politics and his middle-class upbringing.

A huge fan of Orwell, I also read his Burmese Days (1934) too, finally finishing my entire journey through his oeuvre. However, unlike his other works, Orwell uncharacteristically comes across a bit cuckoo in this second part:

It would help enormously if the smell of crankishness which still clings to the socialist movement could be dispelled. If only the sandals and the pistachio-coloured shirts could be put in a pile and burnt, and every vegetarian, teetotaller, and creeping Jesus sent home to Welwyn Garden City to do his yoga exercises quietly!

Curiously, this second part was almost entirely cut by an original editor. It is not, however, without a bit of humour or even entirely unrelatable:

I am a degenerate modern semi-intellectual who would die if I did not get my early morning cup of tea and my "New Statesman" every Friday.

For fans of 1984 or Animal Farm I could not unreservedly recommend this but if you have enjoyed any of his splendid essays then it is definitely worth checking out.

How to Change Your Mind: The New Science of Psychedelics (2018)

It appears that widespread adoption of psychedelic drugs, at least for therapeutic purposes, always appears to be just another year away, but 2018 definitely represented a convergence of literature on the topic.

Pollan's work stands above the rest with its compelling explanation of the substances' storied histories, the author's own personal experiences with it whilst weaving in the neuroscience without putting the reader at distance.

As somewhat of a paean to such "cures", I would find myself unable to recommend this unreservedly to all and sundry, but most will find the combination of science, spirituality (from the perspective of a skeptic) and narrative adds up to something far more than the sum of its parts.

American Kingpin (2017)

Nick Bilton

Subtitled "Catching the Billion-Dollar Baron of the Dark Web", this gripping tale tells the story of Ross Ulbricht, better known as the owner/operator of the Silk Road online black market. It describes the background of the creation of the site, the fascinating and at-times completely immoral & illegal activities of the law enforcement sent after him, all the way through to his arrest and subsequent trial.

Like Countdown to Zero Day reviewed above, you probably couldn't make a believable film about this episode in our history without requiring something on the scope and quality of 2010's The Social Network. Eerily reminiscent or suggestive of the film itself, this book is perhaps at its best when critically dissecting Ross's personality, describing the bizarre antics happening and getting somewhat weaker as it moves into the more-humdrum court proceedings.

Regardless, neither fans nor detractors of cryptocurrencies or the ethics of online black markets should be deterred from checking out this superb work.

Niels Thykier: “debhelper-compat (= 12)” is now released

Pre, 04/01/2019 - 11:03pd

A few days ago, we released debhelper/12 and yesterday uploaded it to stretch-backports (as debhelper/12~bpo9+1). We deliberately released debhelper/12 so it would be included in buster for the people who backport their packages to older releases via stable-backports. That said, we would like to remind people to please be careful with bumping the debhelper compat level at this point of the release cycle. We generally recommend you defer migrating to compat 12 until bullseye (to avoid having to revert that change in case you need an unblock for the buster release).

Upgrading to compat 12

If/when you upgrade the compat level, please consider using the recently added debhelper-compat (= 12) build-dependency form.  It reduces redundancy, centralizes your debhelper relations to debian/control (replacing debian/compat) and avoids having you remember that you need a ~ in your build-dependency to support backports.

As usual, you can read about which behavioural changes are introduced by compat 12 in the debhelper(7) manpage.  About one third of the changes are removing deprecated features and the rest are mostly about tweaking “minor” defaults.  Though, please be careful around systemd unit files for two reasons:

  1. debhelper cleanly separates the handling of systemd unit files, so dh_installsystemd now 100% manages these while dh_installinit takes care of the sysvinit scripts. In particular, if you have something like dh_installinit --no-start then you almost certainly also want a dh_installsystemd --no-start if you have a systemd unit shadowing the sysvinit file.
  2. Caveat for stretch-backports support: due to the above, we need a versioned Pre-Depends on init-system-helpers. That version is unfortunately not available in stretch nor stretch-backports and therefore packages relying on this cannot be safely backported to stretch (but they will be backportable to buster).

If you target stretch-backports and ship services, we recommend you to stay with compat 11 for now.
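As an added illustration of the two points above (this is not code from debhelper or the Debian project), the following POSIX shell script audits a source tree's debian/ directory: it reports the effective compat level (the debhelper-compat (= N) build-dependency taking precedence over a debian/compat file), flags a debian/compat file left behind after switching to the build-dependency form, and flags a debian/rules that passes --no-start to dh_installinit without doing the same for dh_installsystemd. The function names and the two sample trees it builds under mktemp are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of debhelper: audit a source tree's debian/
# directory for the compat-12 migration pitfalls discussed above.
# Assumes the standard layout debian/control, debian/compat, debian/rules.

# Effective compat level: debhelper-compat (= N) in Build-Depends wins,
# otherwise the number in debian/compat, otherwise an empty string.
effective_compat() {
    tree=$1
    level=$(sed -n 's/.*debhelper-compat (= \([0-9][0-9]*\)).*/\1/p' \
        "$tree/debian/control" 2>/dev/null | head -n 1)
    if [ -z "$level" ] && [ -f "$tree/debian/compat" ]; then
        level=$(tr -d '[:space:]' < "$tree/debian/compat")
    fi
    printf '%s\n' "$level"
}

# Succeeds when the tree still carries debian/compat alongside the
# debhelper-compat build-dependency, i.e. the old file was not removed.
stale_compat_file() {
    tree=$1
    grep -q 'debhelper-compat (= ' "$tree/debian/control" 2>/dev/null \
        && [ -f "$tree/debian/compat" ]
}

# Succeeds when debian/rules passes --no-start to dh_installinit but never
# to dh_installsystemd: under compat 12 the unit would still be started on
# install even though the sysvinit script is not.
missing_systemd_no_start() {
    rules=$1/debian/rules
    [ -f "$rules" ] || return 1
    grep -q 'dh_installinit.*--no-start' "$rules" || return 1
    ! grep -q 'dh_installsystemd.*--no-start' "$rules"
}

# Build a constructed sample tree: $1 = Build-Depends, $2 = debian/compat
# content (empty means no file), $3 = extra debian/rules lines.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian"
    printf 'Source: demo\nBuild-Depends: %s\n' "$1" > "$dir/debian/control"
    [ -n "$2" ] && printf '%s\n' "$2" > "$dir/debian/compat"
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n%s\n' "$3" > "$dir/debian/rules"
    printf '%s\n' "$dir"
}

# Old style: debian/compat says 11, --no-start only on dh_installinit.
OLD_RULES=$(printf 'override_dh_installinit:\n\tdh_installinit --no-start\n')
OLD_TREE=$(make_sample 'debhelper (>= 11~)' 11 "$OLD_RULES")

# Migrated: debhelper-compat (= 12), debian/compat gone, both --no-start.
NEW_RULES=$(printf 'override_dh_installinit:\n\tdh_installinit --no-start\n')
NEW_RULES="$NEW_RULES
$(printf 'override_dh_installsystemd:\n\tdh_installsystemd --no-start\n')"
NEW_TREE=$(make_sample 'debhelper-compat (= 12)' '' "$NEW_RULES")

# Print the findings for one tree.
audit() {
    tree=$1
    echo "$tree: compat $(effective_compat "$tree")"
    stale_compat_file "$tree" && echo "  remove debian/compat (debhelper-compat is set)"
    missing_systemd_no_start "$tree" && echo "  add dh_installsystemd --no-start"
    return 0
}

audit "$OLD_TREE"
audit "$NEW_TREE"
```

The checks are deliberately textual (sed and grep over the three files) so the script runs without debhelper installed; it does not try to parse make or Build-Depends fully, so treat a finding as a prompt to look at the file rather than a verdict.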

General changes since stretch (i.e. 10.2.5 to 12):

The following are some of the changes that have been introduced in debhelper since the stretch release (available via stretch-backports):

  • dh_missing was added to take over dh_install --list-missing/--fail-missing while reducing some of the issues that dh_install had with those options.
  • debhelper now supports the meson+ninja and cmake+ninja build system.
  • Improved or added cross-compilation support (via the dh_auto_* tools) for:
    • meson build system
    • cmake build system
    • (“plain”) makefile system (parts only in compat 11+)
    • qmake build system (qt5)
  • Experimental support for cross-building for TARGET rather than HOST (for the fewer than 5 source packages in total that might find this useful).
  • Improved bulk performance in various parts of debhelper.
  • Support for “nodoc” profile/build option plus the “terse” build option.
  • Correctly handle systemd units with \x2d (escaped “-“) in their name.
  • Rules-Requires-Root support when the field is set and dpkg-dev notifies debhelper that it supports the feature (requires dpkg-dev from Debian buster).  Besides removing the need for (fake)root it can also remove about 3 invocations of debian/rules.
  • Reduced dbgsym files via dh_dwz (use either manually, with dh --with dwz or dh + compat 12).
  • Enable dh to skip more no-op commands including dh_auto_*, and to a minor extent even when dh is passed arguments that it should pass on to the underlying tools.
  • Support for setting debhelper compat level via debhelper-compat (= X) build-dependency and load dh add-on sequences via dh-sequence-foo build-dependency (as an alternative to the original methods).
  • Support for derivatives and custom/local builds using DH_EXTRA_ADDONS to enable derivative or custom add-ons for debhelper. Note: Packagers should keep using --with foo or the new dh-sequence-foo build-dependency – this interface is intended to enable a particular add-on without changing the package.
  • Improved maintscript snippet ordering to ensure that service enable + start related snippets always run last in postinst (and first in prerm etc.) in the code inserted via the #DEBHELPER# token.  This ensures that all other scripts (e.g. configuration file management via dh_ucf or the debian/maintscript file) is complete by the time the service (re)starts.
  • Improved “rollback” handling of maintscripts generated by debhelper. Among others, debhelper autoscripts now handle cases like abort-deconfigure and abort-upgrade. In general, they are handled like configure and replay the setup to ensure that services are correctly running as expected.
  • The autoscript snippet for loading systemd tmpfiles now simply uses the basename of the tmpfiles configuration, which enables the administrator to override the package provided tmpfiles configuration by placing their own in /etc/tmpfiles.d.
  • The new dh_installinitramfs tool now installs maintainer provided initramfs hooks and generates autosnippets for all hooks installed in /usr/share/initramfs-tools/hooks. Enable via dh --with installinitramfs or dh + compat 12 or call it manually.
  • The new dh_installsystemduser which manages system units per user rather than for the system.  Enable via dh + compat 12 or call it manually.

The above is by no means complete and, among other things, excludes many things that are introduced in compat 11 or compat 12.


Many thanks to the following people, who contributed to debhelper since stretch release with one or more patches (based on git log debian/10.2.5..debian/12 | git shortlog):

Adam Conrad, Américo Monteiro, Axel Beckert, Baptiste Jammet, Chris Lamb, Chris Leick, Christoph Biedl, Clément Hermann, Colin Watson, Daniele Nicolodi, Dmitry Shachnev, Fabian Grünbichler, Fabian Wolff, Felipe Sateler, Geoffrey Thomas, Helmut Grohne, Hideki Yamane, Iain Lane, Isaac Jurado, Jakub Wilk, Johannes Schauer, Josh Triplett, Juhani Numminen, Lisandro Damián Nicanor Pérez Meyer, Luca Boccassi, Mattia Rizzolo, Michael Biebl, Michael Stapelberg, Nicholas Guriev, Nicolas Boulenguez, Niels Thykier, Olly Betts, Paul Tagliamonte, Peter Pentchev, Roberto C. Sánchez, Steven Chamberlain, Sven Joachim, Ville Skyttä, gregor herrmann

Also, many thanks to the people reporting bugs, regressions and feature suggestions via the Debian BTS.

Shirish Agarwal: Debutsav Kochi 2018

Pre, 04/01/2019 - 7:36pd

This year we, the members of FSCI, had been trying to have a mini-debconf or a Debutsav down in South India for some time now. First, preparations were made for August 2018 to have Debutsav in Kochi, Kerala, but then the Kerala floods happened and the organizers were forced to push it back to the end of November.

So somewhere around end-October a CFP was announced with two tracks, one on general FOSS technologies and one for the Debian track. I submitted a few topics and 2 of my talks were accepted, and the final schedule was known about one to one and a half weeks before the event.

Before venturing ahead, I would like to thank Balasankar, Kiran and the whole team of volunteers at CUSAT for taking such good care of all the speakers.

If you look at the schedule you would see that at least on Day 1 there were quite a few parallel sessions, so it was not possible to cover all the sessions as they were happening at the same time. I am covering only those which I was able to attend or for which I was able to take time from the presenter to learn about her or his presentation.

Day 1

Aruna Sankarnaryan talks of her journey into free software

She shared how she first connected with FSMK , then entered into Outreachy , shared her contributions in Gcompris, her contributions of adding recordings of Carnatic Music in Wikipedia mostly by adding public domain Carnatic Music so people could have some understanding of the various Ragas that Carnatic Music has.

I *think* she also shared how at times she had to clean musical recordings which also takes a lot of time. She had to leave the project half-way as Carnatic Music has lots of history and she was finding it difficult to give more time to her passion. It is still a project close to her heart.

Then somehow she found herself in mapping, contributing to Gender map, Chennai Flood Map, some analysis of Bangalore Metropolitan Transport Corporation and so on and so forth. Most of these projects are part of the Humanitarian OSM project. I guess one thing led to another and she joined Mapbox to continue to contribute to such initiatives. She also shared a few of the initiatives which I had covered about a year back. She ended her presentation after sharing the many ways people can contribute to FOSS and implored students to take up challenges.

Introduction to Debian and Debutsav by Shruti

A bit of background about Shruti before I share about her presentation. She was a librarian who married Praveen, a Debian Developer. They met and post marriage she learnt Debian packaging and best practices from him and is now a Debian Maintainer of 200+ Ruby packages in Debian Main.

Shruti’s presentation started with how Debian is named after Ian Murdock’s girlfriend at the time, Debby, in conjunction with his own name to become ‘Debian’. Then the naming of Toy Story characters within Debian, bits about what packaging is and why it is necessary, how new releases are churned out every two years or so and why Debian is termed ‘stable’ or ‘rock-solid’ by people who run Debian.

It was a brief introduction, the idea behind the presentation was that at least students should know some of the history, the terminology used and also how free software development works. She didn’t get into Git as that was to be taken in the Packaging workshop which would be a hands-on session. This was the third or fourth time I have heard her and she has improved quite a bit from her first presentations.

Prashant Sugathan talks about licensing

Before going ahead, if you look at the schedule you would see that two talks were happening simultaneously. Because I had knowledge of what Raju was going to talk about or at least had a fair idea I chose to attend Prashant’s talk as I have always enjoyed talking, sharing and learning about FOSS licensing.

While Prashant didn’t share much of his background, he did share that he is a lawyer and has been with SFLC since the very beginning probably 2011 or even earlier.

As this was more attuned towards students, he started with the basics of what a license is and what it actually means, and what EULA stands for. He shared how the GPL is superior and fairer to both the users and creators of software. He shared about the Busybox case, Tivoization, bits of background on the AGPL, the importance of having a copyright file in your package/work, and the difficulties which can arise when you combine two or more works which may have incompatible licenses.

One interesting case study/case-law was between Cokinetic vs Panasonic which was ultimately settled in January 2018.

Prashant also shared that one of the ways that sflc works with foss communities and vendors is advising them on licensing issues to make sure that no costly mistakes are made. It is easy to have two or more third-party licenses which do not sit or work well with whatever license you want to put it under.

One of the simplest examples I can share is: let’s say you have some GPL library and you want to license your work under BSD. Because of the nature of and difference between the two licenses, it is possible you will run afoul of the terms of the GPL license. Things can get more hairy if you have a few more licenses in the mix, each of which may or may not have the same interpretation in copyright law.

There are also various software tools which SFLC uses to help automate verification of a client’s software, to see what is required for distributing the software in the wild and any probable issues that a client may run into if they put out the software as it is. This becomes more important if the final software/release would be closed-source, i.e. just binaries and no source code, or incomplete or wrong source code, all of which companies have tried and paid the price for.

The rest of his presentation is and was devoted to mid-management and process oriented people hence he stopped the presentation there itself. It anyways wouldn’t have made sense to students who are just starting to think of software development.

Shirish Agarwal shares about Debian teams and how to be part of them.

After lunch it was time to share and build on whatever Shruti had shared in the morning. I first shared the Debian-dug-in mailing list homepage

I shared some of the early mails of the mailing list, i.e. from 2010, and then jumped to the mails of November 2018 where Abhijit A became a DD. I shared how we started this community with the help of Alexander Wirt in 2010 and how we use it to communicate if and when we want to have events or discuss any major or minor issues regarding the community as a whole. The concept of a mailing list was new for many of the students, hence I had to use analogies of instant messaging clients such as WhatsApp, Telegram etc. We did share that the main difference between instant messaging and a mailing list is that the archives are public, remain for a long time and are topic-based, and one has to be careful when sharing anything as you would on any public stage.

I hadn’t got my laptop, hence borrowed a friend’s laptop, installed riot on it and then showed it to people. I wouldn’t go into details of what riot is and how it can be set up as have already covered that part in a previous article . I can share a snapshot of one of the channels where I hang out often as shared below. I could have shared some more resources for e.g. the debian-mentors mailing list and IRC channel but knew that would be covered in the next day’s workshop hence stopped there itself.

Vipin George talks about using Debian as a forensic Workstation

You can see Vipin on the right. He is the gentleman to the right in the off-white t-shirt. He shared about quite a few forensic tools, almost all of which can be found under either forensics-all or forensics-extra. I am not going to go into specifics of any of the tools as each tool in the list is curated for a specific purpose and each tool would probably require its own article to share why such a tool is needed and how it can help. I can however share that almost all of the tools could be used either for defensive or offensive purposes. These tools are used mainly by sys-admins, forensic experts and pen-testers.

At one point during the presentation there was a flame-war where it was contended by a self-admitted MS-Windows fanboy that MS-Windows has better or more tools for such purposes. That argument took the remainder of the day and hence I was not able to share about gaming, although a few people were curious to know about that. Sorry people.

Impromptu Evening session

In the evening, after dinner, it was impromptu decided to have an evening session to talk about free software as many new and old people who had a stake in the future of free software were present. Around 30-35 of us were there, some of whom can be seen in the photograph below and some not due to the angle from which the photo was taken. There were a lot of discussions and sharing of personal lessons learnt. One of the conclusions was to have more mini-debconfs and debutsavs in order to make the movement larger, especially if we want to have a Debconf in India.

Some left-over sessions from Day 1

Introduction to Ansible by Ompgragash

While I didn’t attend his session, from the slides it seems it was a very basic introduction to Ansible, which basically deals with provisioning and automating in the cloud. As the presentation shared seems to be pretty basic, there doesn’t seem much to comment upon.

Raju talks about becoming a Debian Developer

While I didn’t attend Raju’s talk, he most probably must have talked about:
a. How to become a Debian Developer either an uploading or a non-uploading one.
b. Benefits of becoming a Debian Developer
c. The tasks one has to complete to become a DD
d. Typical life-cycle of a Debian Developer.

Ram talks about Project Vidyalaya

Unfortunately, before coming Ram had a crash and hence had to send his hdd for data recovery, so he didn’t bring a demo. The easiest way to describe Project Vidyalaya is as Debian-Edu, but with many innovations yet to be done for the way Indian educational institutions are run and managed. The distribution will default to Indian language settings (probably based on Debian sid) and would have more or less an overlay of buttons and dialog boxes which are scripted to perform functionality which is present in Debian itself. The trick would probably be in how error reporting, exception handling etc. works in the real world, as no program is bug-free. There are and would be a lot of infrastructure issues which would need to be fixed for that. There are two or three players in the Indian scene who are trying to do the same thing with their own vision. I am happy to see competition come up in this area.

Amoghavarsha talks about reverse-engineering

It was a very basic talk about reverse-engineering. From what conversations I had with Amogh, there was only a person or two who knew what it was about. Instead of sharing what reverse-engineering is and why it’s needed I would like to point out the movement for having high quality libre drivers for all kinds of hardware. It has lots of content where somebody who has interest in doing clean-room implementations for drivers and why it’s needed could learn from. While we hope that a day will come that open hardware is the norm, as of now it isn’t so these efforts are also needed.

Subin talks about Different Desktop environments

Subin is part of the Student Developer Community, one of the volunteers and organizers of the event and also a member of FSCI. He is also the lead at FOSSersvast , a foss club in Vidyaacademy, Thissur. He shared a bit about history of Unix and shared about the different desktops in use today and why they are needed. The FOSS Club seems to have some nice activities.

Simran shares about Apache Hadoop Sqoop.

The simplest way to talk about Apache Sqoop is that it serves as an interconnect between raw data, Hadoop and databases such as MySQL, Postgres or Oracle. From the interactions I had with her: while one can use Hadoop MapReduce itself to get interesting data, Apache Sqoop could be and is used in conjunction both for transferring data and even for getting more fine-tuned data out of the map-reduced data. While she was sharing about ACID databases, the simplest example which came to my mind is the apt database, which checks all the pertinent points.

Day 2

Todd Weaver shares about

Day 2 started with a remote presentation by Todd Weaver. Abhishek had covered Librem in May this year, and as can be seen in the comments to Abhishek’s article there is a lot of anticipation as people are becoming more and more aware of the dangers of a more or less monopolistic big tech ecosystem.

Todd divided the presentation into three parts: the past, the present and the future. One of the interesting bits of news that Todd shared in the first part was that the company is incorporated as a Social Purpose Corporation. The nomenclature and the legal framework behind it are pretty recent, although it does show a way in which people could ethically make money as well, which is a cause of concern especially to those who are thinking of entering into free software.

The second part of his presentation dealt with the current state of things as they are. Most people, though aware of the dangers of what big tech offers and what it takes, can’t seem to do anything about it. Todd shared how big tech distorts facts to suit their convenience.

The last part, i.e. the future, had some of the more interesting questions and answers. While Todd hopes that they would be able to launch the phones in India sometime next year provided the logistics and partnerships work out, he also shared a possible plan to not just assemble but maybe manufacture some of the parts in India itself. While Pune has a couple of fabless design companies that I know of and people have done small production runs of small transistors or ICs for specific purposes, having a full-fledged fab similar to TSMC could go a long way in not only lowering India’s foreign exchange bill, but may go a long way in terms of making chips for Indian defence and other places where it might make sense to have our own chips. But this is far into the future and depends on many a thing. At the very least, if they are able to get the price-point right, get some sort of migration tools and give a competitive phone in terms of design and specs, it is possible they may make a dent in the market. I am cautiously optimistic and would be waiting till the Librem 5 phone hits Indian shores.

Biswas Tharakath shares his experience while driving Kerala Rescue project.

Hearing Biswas was a very humbling experience. Here was a person who probably was in his mid 20’s and already had to face a full-blown crisis. Nobody expected the Kerala floods to happen, although the Chennai floods had happened just some time back.

As usually happens, the Government was either in denial or in a state of shock, as probably most people were, hence Biswas had the idea to put up a form where people could state their needs and wants, and some volunteers from each village (3 per village) could fill in the forms on their behalf and the site could be used to have real-life information. The floods struck on 9th August and he shared the form live on 11th August after coding it in a couple of hours. He also shared the source-code of the form on so people could suggest improvements to the form.

Interestingly, the site took on a life of its own as it started to get publicity due to Kerala Police and many reel-life actors supporting the site. He shared some info on the stack used: they used Heroku as their cloud hosting provider, Cloudflare for DNS management, gunicorn as the application server and Python Django as the web framework for scalability of the web application.

Due to big stars and Kerala Police both promoting the site, the volunteer registration site took something like 10k entries, thus exhausting the free database tier limit on Heroku. They tried moving the database to another service provider but failed, then jumped to AWS and then jumped back to Heroku as they got more free credits from Heroku. While Biswas shared some of the requests and was trying to be on top of the situation, it was barely manageable. Somebody shared a message on the web about the site and the need for open source contributors. Unlike many volunteer-led projects where people are usually looking for people with the same/similar passion, Biswas started getting drowned in pull requests. There were something like 150+ merge requests and about 450 issues which people brought up. At that time, I guess Biswas realized he needed more hands and, talking to people known by repute or otherwise, he shared commit access as he knew that time was important.

If memory serves right, he along with the help of remote maintainers and developers also came out with a style guide for the request form so it’s easier to understand how the logic and things flow. I also remember either him or Aruna sharing some issues they had with the OSM map as many people were trying to fork OSM map while if memory serves me right, Aruna shared that OSM supports concurrency protocols which I knew although for understanding, it means everybody could work on different parts of the map at the same time. The only ‘locking’ feature would be the point where a person would be updating that particular point or area. For e.g. a Refugee point or an area to show where water level is high, things like that.

He also commented a bit about the help given by the administration, the police, relief agencies which coordinated on the OSM slippy map and added markers wherever needed. The great thing about the Kerala rescue website was that you could get accurate information on the number of refugee camps where people were, information of places where information is missing, number of type of materials which were required. Apart from food grains, cooking oil, utensils, clothing the site even had information as to how many pairs of footwear were needed according to gender and approximate ages. I even remember seeing requests for spectacles. Unfortunately the site seems to be down due to running out of free credits. It apparently will be back up on 1st January 2019. I did see few people also made android clients but dunno if there was an official Android client for volunteers or not.

Professor Abhijit talks about rise of permissive licensing

While I didn’t attend his talk as have attended the talk n number of times i.e. whenever we do have a free software presentation or talk in Pune, Professor Abhijit’s talk is a staple diet hence didn’t attend that. In brief though, his talk was about why permissive licensing is winning over copyleft licenses. I won’t go into details as a simple search of ‘permissive licensing versus copyleft licensing’ would give more than enough content. There are lots of factors associated and would need an article of its own to make some sense.

Ashish Kurian Thomas shares Unix kungfu for web developers

Ashish's talk had a cheeky title. It basically talked or shared about zsh, oh-my-zsh, how to add a git prompt (which IIRC oh-my-zsh enables by default), shared some of the fun and funky commands that most command-line users use all the time and a bunch of aliases. While I didn't attend his session, I do wish it was more of a hands-on workshop, but then that would have required people to install Debian, although from the discussions on the Debutsav matrix/irc channel there was supposed to be a docker image having non-free drivers for installation.

The docker image though was for Praveen and Shruti's packaging workshop, where a bunch of people were helping them by taking different parts of the full-day packaging workshop. I didn't attend the workshop as I had been busy socializing and seeing presentations which I had missed on the first day. But more on this later.

Panel discussion on Debian India, Road ahead

Just to start with, this was the last session of the day. This was a panel discussion with Anusree being the anchor on the extreme left, then Raju, Kannan, Abraham Raji, Subin, and rounding out with Sruthi. Again, a lot of learnings were shared, along with a strong statement that FSCI would never register, at least in the short and medium term, due to the impersonality that organisations create, and that they have more than enough organizations who are willing to hold money or do any sort of legal work or otherwise that FSCI needs, if need be. There were also some queries about how people can start contributing and I shared some of the simplest examples of how people could get started. The problem with most students is they look for mentors, while Debian is more like 'scratch your own itch' more often than not. There are lots of fields like bioinformatics, medicine, engineering, architecture, animation etc. where Debian has all the tools and is being used by people, but that's a story for another day.

Some notable mentions

There is still a lot I have left out. I left out Shruti and Praveen's packaging workshop as it's a long drawn-out process having its own fun and challenges. There was also Kasim from IIT Mumbai who was showing a sub-10k laptop for educational purposes, made in China, sporting a KDE desktop. I didn't have enough time to look through it, although the best way would have been to open it and look at the innards as to what makes it tick and how things are placed, but that may be for another day altogether. There was also a gentleman whom I met who was using the Bangalore OSM to make an app where people could add reports of either crowding, accidents, materials strewn on the path etc. He showed us both the back-end and the front-end, which needed lots of polish. Also, before finishing, I need to call out Bilal for all the beautiful photos that he clicked, without which this blog post would have been more forlorn. If you are seeing any digital artefacts, that's simply because I resampled the images so it's easier to load and doesn't take much bandwidth. Last but not the least, no Debutsav is complete without the full group photograph.

Molly de Blanc: Free software activities (December, 2018)

Enj, 03/01/2019 - 7:30md

December was a fairly quiet month for my free software activities (and my life in general). There was a lot of continued discussion around the Server Side Public License and the Commons Clause. People around me debated the relationship between open source and software freedom and the role of open source to support corporate activities. We’ve had some turnover at work (and are hiring!).

December activities (personal)

  • The Debian Anti-harassment team covered several incidents, sharing a summary of them in Bits from the Debian Anti-harassment Team.
  • I wrote about the Open Source Definition and User Freedom.
  • I served on the papers committee for CopyLeft Conf, which you all should attend.
  • I became a Debian Developer.
  • I had my fourth and fifth experiences of being the target of internet vitriol (in relation to my free software work), though neither was a big deal.

December activities (professional)

A few other quick notes.

  • In February I’ll be speaking at FOSDEM, in the Legal & Policy devroom. I hope to see you there!
  • I’ve been trying to increase my blogging. So far so good.
  • I hear I’m supposed to be adding photos to my posts, so that’s my cat Bash at the top.

Mike Gabriel: My Work on Debian LTS/ELTS (December 2018)

Enj, 03/01/2019 - 4:31md

In December 2018, I have worked on the Debian LTS project for 21 hours and on the Debian ELTS project for 5 hours as a paid contributor. The originally planned 11 LTS hours (one hour carried over from November) had been extended to 21 hours. Of the originally planned 6 ELTS hours I carry over one hour to January 2019.

LTS Work
  • Fix several CVE issues in libav (DLA-1611-1 [1a] and DLA-1611-2 [1b]).
  • Fix the Magellan vulnerability in sqlite3 (DLA-1631-1 [2]).
  • Regression fix of poppler (DLA-1562-3 [3])
  • Involve FreeRDP upstream in fixing FreeRDP v1.1 in Debian jessie (esp. big thanks to Bernhard Miklautz for giving feedback).
  • Port FreeRDP CVE fixes over from Ubuntu [4].
  • Backport RDP v6 proto code and CredSSP v3 code from FreeRDP upstream commits to Debian jessie's (and stretch's) FreeRDP v1.1 [5].
  • An upload of a fixed FreeRDP v1.1 (both jessie and stretch) can be expected for January 2019. This work will be co-ordinated with the Debian stable release team [6] (feedback is still pending).
  • Setup test and build environment for Debian wheezy ELTS.
  • Give feedback on problems when installing Debian wheezy from scratch (although this rarely makes sense for most scenarios, it might help future ELTS developers).
  • Research on the Magellan vulnerability in Debian wheezy's sqlite3 [7] and request a second pair of eyes to look at sqlite3 in Debian wheezy (it might not be affected by it). The sqlite3 fix for Debian jessie (DLA-1613-1 [2]) was a zero-extra-effort outcome of this research.

Thanks to all LTS/ELTS sponsors for making these projects possible.

Louis-Philippe Véronneau: Fixing stability issues with 1st generation Ryzen chips on Debian

Enj, 03/01/2019 - 5:30pd

I was an early adopter when Ryzen - AMD's latest CPU line - came out. The prices were very good, the chips had a lot of cores and they ran pretty fast. At the time I thought the Ryzen 1600 CPU with its 6 core and 12 threads all running at 3.4 GHz with a TDP of 65W (with support for ECC RAM) made the perfect homeserver chip.

Fast forward two years: I've finally got around the stability issues I was having that hung my server at random intervals. Sometimes, everything was fine for months, but I also experienced random system freezes twice in a week. Since I'm using full disk encryption on all the drives in my server, a whole system freeze meant I had to go back home and reboot the server manually.

I first thought I was affected by a "rare" bug that touched the first batch of Ryzen CPUs so I RMAed mine and had to handle nearly a month of downtime. Sadly, it didn't solve my problem. Two weeks ago I decided I was tired of this whole reboot cycle and tried to see if upgrading to a more recent kernel (4.9 -> 4.18) did the trick. The problem only got worse and my server ended up freezing each and every night. As always, no errors showed up anywhere in the logs.

With the 4.18 kernel, the timing of the system freezes got me thinking and I found this bug report in Launchpad. Turns out the problem is caused by bad low-power handling. When the CPU idles for a long time, it eventually freezes and hangs the whole system. This is corroborated by this AMD report that states:

1109 MWAIT Instruction May Hang a Thread

Description: Under a highly specific and detailed set of internal timing conditions, the MWAIT instruction may cause a thread to hang in SMT (Simultaneous Multithreading) Mode.

Potential Effect on System: The system may hang or reset.

Suggested Workaround: System software may contain the workaround for this erratum.

Fix Planned: No fix planned

To fix the problem I've:

  • disabled SMT in the BIOS
  • disabled "Cool 'n Quiet" in the BIOS
  • disabled "Global C-states" in the BIOS
  • set "Power Supply Idle Control" to "Common current idle" in the BIOS
  • set idle=nomwait in the kernel
  • set processor.max_cstate=5 in the kernel

Disabling C-States means that the CPU cores always run at 3.4 GHz and the chip consumes 50W at idle instead of 30W, but that's a price I'm willing to pay to have a stable server.
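As an added example (not part of the original post), here is a small POSIX shell audit that checks whether the kernel-side half of the workaround above is actually in effect on a booted machine: it parses the live kernel command line for idle=nomwait and processor.max_cstate, and reads the SMT state from sysfs. The sysfs and procfs paths are standard Linux interfaces assumed here, and the SYSROOT argument lets the same checks run against a staged copy of those files.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether the MWAIT/C-state
# workaround is active. Assumed standard Linux interfaces:
#   /proc/cmdline                        - live kernel command line
#   /sys/devices/system/cpu/smt/control  - "on", "off", "forceoff" or "notsupported"
# SYSROOT may point at a staged tree containing copies of these files.

# has_param CMDLINE WANT: succeed if the kernel command line contains WANT.
# WANT is either "name=value" (exact match) or just "name" (any value).
has_param() {
    cmdline=$1
    want=$2
    for tok in $cmdline; do
        case $want in
            *=*) [ "$tok" = "$want" ] && return 0 ;;
            *)   [ "${tok%%=*}" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# param_value CMDLINE NAME: print the value of NAME=value; fail if NAME is absent.
param_value() {
    name=$2
    for tok in $1; do
        case $tok in
            $name=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# audit_live SYSROOT: run every check against SYSROOT ("" for the real system).
# Prints one line per finding; returns 0 only when all checks pass.
audit_live() {
    root=$1
    status=0
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null) || {
        echo "cannot read $root/proc/cmdline"; return 2; }

    # idle=nomwait keeps the kernel away from the MWAIT instruction named in the erratum.
    if has_param "$cmdline" idle=nomwait; then
        echo "ok: idle=nomwait"
    else
        echo "MISSING: idle=nomwait"; status=1
    fi

    # processor.max_cstate caps how deep the ACPI idle states may go.
    if cstate=$(param_value "$cmdline" processor.max_cstate); then
        echo "ok: processor.max_cstate=$cstate"
    else
        echo "MISSING: processor.max_cstate"; status=1
    fi

    # SMT was disabled in the BIOS; kernels that expose smt/control let us confirm it.
    smt=$(cat "$root/sys/devices/system/cpu/smt/control" 2>/dev/null || echo unknown)
    case $smt in
        off|forceoff|notsupported) echo "ok: SMT is $smt" ;;
        unknown) echo "WARN: SMT state unknown (smt/control not present on this kernel)" ;;
        *) echo "MISSING: SMT is '$smt', expected off"; status=1 ;;
    esac
    return $status
}

# Set RYZEN_AUDIT_LIVE=1 to check the machine this script runs on.
if [ "${RYZEN_AUDIT_LIVE:-0}" = 1 ]; then
    audit_live "${SYSROOT:-}"
fi
```

Note that the BIOS-only settings ("Cool 'n Quiet", "Global C-states", "Power Supply Idle Control") leave no direct trace in these files, so the script can only confirm the kernel parameters and the SMT state.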

Note that from what I've read online, the Ryzen 2 chips aren't affected by this. Don't take my word for it though. I guess I've learnt the hard way that trying to build a stable system out of a bleeding edge platform is a bad idea.

Jonathan Wiltshire: Behind the scenes

Mër, 02/01/2019 - 10:51md

“Paradoxically, government is more open when it is less open. Open Government is rather like the live theatre: the audience gets a performance. And it gives a response. But, like the theatre, in order to have something to show openly there must first be much hidden activity. And all sorts of things have to be cut or altered in rehearsals, and not shown to the public until you have got them right.”

The Rt Hon James Hacker MP (from The Complete Yes Minister, ch. 5, Jonathan Lynn and Anthony Jay)

Andrej Shadura: wpa-supplicant and hostapd 2.7 in Debian

Mër, 02/01/2019 - 1:29md

Hostapd and wpa-supplicant 2.7 have been in Debian experimental for some time already, with snapshots available since May 2018, and the official release since 3 December 2018. I’ve been using those 2.7 snapshots myself since May, but I do realise my x250 with an Intel Wi-Fi card is probably not the most representative example of hardware wpa-supplicant would often run on, so before I upload 2.7 to unstable, it would be great if more people tested it. So please try to install it from experimental and see if it works for your use cases. In the latest upload, I have enabled a bunch of new upstream features which previously didn’t exist or were still experimental, so it would be great to give them a go.

Andrej Shadura: Bye-bye binary vconfig(1)

Mër, 02/01/2019 - 1:01md

This morning I decided that this is the time. The time to finally remove the binary vconfig utility (which used to help people configure VLANs) from Debian. But fear not, the command isn't going anywhere (yet), since almost six years ago I wrote a shell script that replaces it, using ip(8) instead of the old and deprecated API.

If you’re still using vconfig, please give it a test and consider moving to better, newer ways of configuring your VLANs.

If you're not sure whether you're using it or not, most likely not only aren't you, but it's quite possible that you may not even need the vlan package that ships vconfig, since the most important functionality of it has since been implemented in ifupdown, networkd and NetworkManager.
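To make the migration concrete, here is an added example (not the vlan package's own replacement script) that translates the common vconfig invocations into the equivalent ip(8) commands and prints them rather than running them, so the mapping can be reviewed before any interface is touched. It assumes iproute2's "ip link ... type vlan" syntax and vconfig's default DEV_PLUS_VID_NO_PAD naming (eth0.100), and validates the VLAN ID the way the original binary did not.

```shell
#!/bin/sh
# Added example, not from the vlan package: map vconfig(8) command lines to ip(8).
# Assumptions: iproute2 "ip link ... type vlan" syntax; vconfig set_flag flag 1 is
# reorder_hdr; default interface naming is DEV.VID (e.g. eth0.100).

# vlan_id_ok ID: succeed only for a decimal VLAN ID in the usable 1..4094 range
# (0 is priority-tagged traffic, 4095 is reserved by 802.1Q).
vlan_id_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vconfig_to_ip CMD ARGS...: print the ip(8) equivalent of one vconfig command.
# Returns 1 and prints nothing for unsupported commands or invalid arguments.
vconfig_to_ip() {
    cmd=$1; shift
    case $cmd in
        add)
            # vconfig add IFACE VID  ->  a new 802.1Q child device IFACE.VID
            [ $# -eq 2 ] || return 1
            vlan_id_ok "$2" || return 1
            printf 'ip link add link %s name %s.%s type vlan id %s\n' "$1" "$1" "$2" "$2"
            ;;
        rem)
            # vconfig rem VLANDEV  ->  delete the child device
            [ $# -eq 1 ] || return 1
            printf 'ip link delete %s\n' "$1"
            ;;
        set_flag)
            # vconfig set_flag VLANDEV 1 {0|1} toggles VLAN header reordering
            [ $# -eq 3 ] && [ "$2" = 1 ] || return 1
            case $3 in
                0) printf 'ip link set dev %s type vlan reorder_hdr off\n' "$1" ;;
                1) printf 'ip link set dev %s type vlan reorder_hdr on\n' "$1" ;;
                *) return 1 ;;
            esac
            ;;
        *)
            return 1
            ;;
    esac
}

# Usage: vconfig_to_ip add eth0 100   (pipe the output to sh to apply it)
```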

Jonathan Dowland: Maker Faire UK RIP

Mër, 02/01/2019 - 12:41md

I'm sad to belatedly witness the apparent demise of Maker Faire UK: an annual event for (mostly) amateur makers of all skill-levels that ran from the Centre for Life in Newcastle.

The Centre was always packed out for the Maker Faire, which attracted a huge range of people from all over the UK, and beyond. I was proud that this was taking place in my city. I always enjoyed attending the Faire, although it was often bitter-sweet: none of my own Making was of the kind of that you could show off at an exhibition like this. I often found myself wondering if I should try my hand at more physical hobbies.

The Centre for Life is remodelling itself this January, and as part of that project or planning, they seem to have decided that the Maker Faire was not a good fit for their new direction. They talk about opening a new space for "crafting, tinkering and creativity" within the Centre in the Spring, but I very much doubt it will attract the breadth and depth of talent that the Maker Faire did.

The decision was announced back in September, but they've already pulled the plug on the website hosting the announcement (, which was up so briefly it was not captured by either or Their defunct twitter account points cryptically at this dead website with a final tweet of "We have posted important news about Maker Faire UK on the homepage of the website:".

At the last event in April, 2018, a friend from the Paper Jam Comics Collective demonstrated an incredible Lego Mindstorms-powered Comics drawing robot:

Other things that stuck out to me at the last Faire were some of the non-computer, non white-male-dominated crafts, such as creative stitching, knitting, crocheting and similar. Some of the exhibitors there seemed to feel like they were outsiders, but I felt they were as deserving to be there as anyone else (and more so than some of the purely vendor tables); some of them proudly exclaimed as such, and their work was a refreshing change of pace from the more dominant themes.

I recall enjoying music-related stalls in years gone by. There was usually a table of synthesizers which was fun to noodle with. I'm not sure what making they were exhibiting, perhaps the intention was their own music: there was no sign of DIY synth building. But it was fun. Various other stalls tended to have DIY synths or novel musical input devices wired up to Arduinos, or Raspberry Pis. The Centre itself has a permanently installed reactive table set up as a synthesizer which my daughter and I both enjoy playing with when we visit. One year a company was demonstrating reactive lighting boxes that I'm fairly sure were designed with (or in collaboration with) Brian Eno.

I was also impressed to see a stand demonstrating a mini replica of a PDP-8 minicomputer (it might have been this one), which reminded me of the Newcastle University Computing History Committee, and made me ponder whether any of our activities in that committee would be worthy of a stall at the next Maker Faire. For the last couple of years I've also weighed up whether or not my daughter was old enough to enjoy attending. I was fairly sure that 2019 would have been the first year that she might be, but alas, it will not come to pass.

Reproducible builds folks: Reproducible Builds: Weekly report #192

Mar, 01/01/2019 - 8:44md

Here’s what happened in the Reproducible Builds effort between Sunday December 23 and Saturday December 29 2018:

Packages reviewed and fixed, and bugs filed

In addition, Mattia Rizzolo filed a build failure bug.

website development

Chris Lamb made a huge number of updates to our project website this week:

  • Set a temporary logo for Christmas.

  • Move our homepage to the new visual style.

  • Split, tidy and expand the footer, and link the main heading element of blog posts "back" to themselves.

  • Move the tools, resources and events pages to the new visual style.

  • Update the support mechanisms for the weekly reports, such as dropping the migrate-blog-posts script as well as fixing some title handling.

  • Improve a number of styles, such as blockquotes, linked headings (which should not have "link" styling), unpublished blog post drafts, etc.

  • Tidy and highlight the display of our sponsors.

  • Add the ability to override the entire <head> title and improve spacing etc. on mobile browsers.

In addition, Arnout Engelen and Hervé Boutemy made an initial stab at documenting the JVM "buildinfo" format.

Test framework development

There were a number of updates to our Jenkins-based testing framework that powers this week, including:

  • Holger Levsen updated the Coreboot support to point to the new URI of the Git repositories.

  • Mattia Rizzolo updated the "wrong future" check for 2019 (part of our many build variations), as well as doing various bits of node maintenance.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Russ Allbery: 2018 Book Reading in Review

Mar, 01/01/2019 - 8:38md

Despite the best of intentions to spread my reading out more evenly across the year, much of 2018's reading happened in concentrated bursts during vacation (particularly my fall vacation, during which I read eleven books in a little over two weeks). Politics and other online reading continued to be an irritating distraction, although I made some forward progress at picking up a book instead of Twitter.

My reading goal for last year was to make time and energy for deeper, more demanding, and more rewarding books. I think the verdict is mixed, but I didn't do too poorly. I finished Jemisin's Broken Earth trilogy (more on that below), which certainly qualifies and which was one of the year's highlights, and dug deep into a few other rewarding books. For 2019, my goal is to maintain my current reading pace (hopefully including the gradual improvement year over year) and focus on catching up on award winners and nominees to broaden my reading beyond favorite authors.

Two books, both fiction, received 10 out of 10 ratings from me this year: My Grandmother Asked Me to Tell You She's Sorry, by Fredrik Backman, and Record of a Spaceborn Few, by Becky Chambers. Backman's novel is a delightful character story — funny, open-hearted, and gracious — with a wonderful seven-year-old protagonist (and that's something you'll rarely hear me say). It was the best book I read this year. Record of a Spaceborn Few was the most emotionally affecting book I read in 2018 (by far): a deeply moving story about community and belonging and not belonging, and about culture and why it's important. The narrative structure is unusual and the writing is less evenly high quality than Backman's, but it was exactly the book I needed to read when I read it. I think it's Chambers's best work to date, and that's saying a lot.

The novels that received 9 out of 10 ratings from me in 2018 were The Obelisk Gate and The Stone Sky, the second and third books in N.K. Jemisin's Broken Earth trilogy. Given Jemisin's three Hugo awards for this series and the wealth of online reviews, you probably don't need me to tell you how good they are. I found the series hard to read, since it's full of strong negative emotions and takes a very sharp look at pain, loss, and oppression, but I also thought it was worth the emotional effort. This trilogy is something very special in SFF and fully deserves the attention that it's gotten.

There was one more fiction 9 out of 10 rating this year, which also came as a complete surprise to me: walkingnorth's online graphic novel Always Human. This was one of the year's pure delights: gentle, kind, thoughtful, empathetic, and sweet. I am very grateful to James Nicoll for reviewing it; I never would have discovered it otherwise, and was able to share it with several other people.

The sole non-fiction 9 out of 10 this year was Zeynep Tufekci's excellent Twitter and Tear Gas, a thoughtful, critical, and deep look at the intersection of politics and online social networks that avoids facile moralizing and embraces the complex interactions we have with for-profit web sites that have far outgrown the understanding of the corporations that run them. I think (or at least hope) there's more awareness now, at the end of 2018, of the way that totalitarian regimes undermine political engagement not via suppression but via flooding networks with garbage news, fake personas, heated opinions, and made-up stories. Tufekci was studying this before it was widely talked about, and Twitter and Tear Gas is still a reliable guide to how political engagement works in online spaces.

The full analysis includes some additional personal reading statistics, probably only of interest to me.

Rhonda D'Vine: Political Correct Communication

Mar, 01/01/2019 - 4:33md

It seems almost as if being politically correct is something people do not want to be. As a matter of fact, to move forward as humanity, we do need it very much, though. Let's take a look at the why and what it actually means, shall we?

I think we all have heard of the Golden Rule: "The Golden Rule is the principle of treating others as one's self would wish to be treated." I hope that we can agree on that. The idea behind is to envision oneself in the other person's shoes, figuratively, and see what it would do to yourself. If you don't like it, don't do it. Sounds easy?

Well, it isn't. When it comes to discrimination, which is something systematic, that doesn't work. There is also a power difference involved in discrimination, and here it starts: it's not possible to envision what some words might do unto others. Most of the people within the Debian community are most probably white, able-bodied, cis (identifying with the gender assigned at birth), hetero, and male, just to name a few of the most prominent categories. So even if we try to envision ourselves in the place of the other person, we haven't experienced systematic discrimination like racial profiling, not being able to enter a restaurant, being looked at strangely at whatever toilet we go to, having heads turned on us and people whispering when walking down the street hand-in-hand with our partners, or being cat-called. And while we might envision that being called "fag" isn't the nicest thing, people forget one thing: there is a huge power difference, especially also in language.

How many discriminatory words can you come up with for black people? Disabled people? Non-hetero people? Trans people? Women? And then take a step back ... and try to think about how many discriminatory words you can come up with for white, able-bodied, hetero, cis and male people. And then try to realize how even language plays into that power imbalance. Especially on the internet, where the only thing you get from others is written language. So the one way to work with that is to actually listen to those facing discrimination and acknowledge that some words are off limits.

So next time you tell someone they are just a special snowflake, or that they should just swallow it down because that's the way things work ... think about this. And think about what you actually are transporting when you oppose a politically correct approach: when you consider political correctness something awful to strive for because it seemingly limits how you speak to and about others. Because honey, no, it doesn't. Anytime you belittle a politically correct approach you are just showing one thing: that you are unwilling to be a safe space for the people around you, and simply don't care.

Oh, and one more thing: Free Software, and Debian in particular, has always been political. Don't tell me that's news to you. Working on Free Software is an extremely strong political statement. It is to improve the world for everyone through making software available to everyone. And yes, that everyone includes non-white, non-cis, non-able-bodied, non-hetero and non-male people too, surprisingly to some it seems.

Enjoy, and happy new year!

P.S.: Part of this content is inspired by the German language book: Eine Frage der Moral from Anatol Stefanowitsch. If you understand German I urge you to read it. It gives a good insight.


Paul Wise: FLOSS Activities December 2018

Mar, 01/01/2019 - 1:29md
Changes

Issues

Review

Administration

  • Debian: answer query about LDAP signing
  • Debian wiki: unblacklist IP addresses, fix login issue, whitelist email addresses

Communication

Sponsors

The purple-discord work was sponsored by my employer. All other work was done on a volunteer basis.