Planet Debian

Mozilla recently dropped support for Firefox XUL extensions.

The initial threat of this prompted me to discover how to re-enable XUL extensions by modifying Firefox's omni.ja file. That clearly is not going to last very long since Mozilla is also deleting XPCOM interfaces but I note the Tor Browser is temporarily still using XUL extensions.

Since I have some extensions I wrote for myself, I will need to rewrite them as WebExtension add-ons.

The first thing to do is check how to install WebExtension add-ons. My local XUL extensions are run from the corresponding git trees. Using an example extension I discovered that this no longer works. The normal way to install add-ons is to use the web-ext tool, upload to the Mozilla app store and then install from there. This seems like overkill for an unpolished local add-on. One way to workaround this is to disable signing but that seems suboptimal if one has installed Mozilla-signed add-ons, which I will probably have to do until Debian packages more add-ons. Luckily Mozilla offers alternative "sideloading" distribution mechanisms and Debian enables these by default for the Debian webext-* packages. Installing a symlink to the git repository into the extensions directory and adding a gecko identifier to the add-on manifest.json file works.

Then I started looking at how to rewrite XUL extensions and discovered the user-interface options are limited compared to XUL. So the Galeon-style smart-bookmarks workaround plugin I use a lot is not even possible to implement as a WebExtension add-on and will require some changes to search, bookmarks or WebExtensions user-interface APIs or a solution external to Firefox like a floating toolbar.

Another plugin I wrote adds a few buttons to the toolbar but WebExtension add-ons are only allowed to add one button to the toolbar. The plugin is more logical as an address bar button but again WebExtension add-ons are only allowed to add one button to the address bar. Each of these allow popups for additional user-interface. So the options are to split this into multiple plugins, one per button or to reqire a second click in the popups.

The remaining task is to migrate from each of the xul-ext-* Debian packages. Some folks have already completed their transition and documented it.

Some packages simply got updated to the corresponding webext-* packages. Some packages were updated upstream but aren't yet in webext-* packages.

Some packages were no longer developed upstream but were updated in forks or reimplementations:

• Firebug: reimplemented as a whitelisted Firefox internal XUL extension
• Autofill Forms: the author released a renamed version
• Open in Browser: reimplemented by another developer
• RefControl: reimplemented as Referer Modifier by another developer
• User Agent Switcher: reimplemented by another developer in a very different way

Some packages are no longer useful upstream but alternatives are available:

• Adblock Plus: acquired by the untrustworthy advertising industry, replaced by uBlock Origin
• Stylish: acquired by the untrustworthy advertising industry, replaced by Stylus
• Cookie Monster: cookie-autodelete or uMatrix are possible alternatives
• DOM Inspector: the native web developer tools are almost the same
• HTTPS Finder: smart-https, https-by-default are alternatives and https-everywhere is kind of an alternative
• livehttpheaders: the native web developer tools are mostly an alternative but headers are missing from the page info dialog

Some packages are blocked by missing APIs because they are not yet permitted to replace the Certificate Authorities with alternate trust models such as DNSSEC+DANE, Certificate Patrol, Perspectives, Monkeysphere or Communism.

Like many technology transitions, this one was done for good reasons but is extremely disruptive and a time sink for users and developers. I still have floppy disks that could contain viruses or poetry but I will never find out their content.

So, I hope this will help me go back to being more productive!

I ended up buying a Lenovo Thinkpad SK-8845 keyboard. As it was mentioned by Martin, jelly and Marcos on my previous blog post (hey! This is one of the rare ocasions where I must say Thanks Lazyweb!), it is not a new model, but it seems to be in mint shape... Plus, I got it for only MX$745 (that is, ≈US$37), shipped to my office and all!

My experiences so far? Mostly positive. Yes, I would prefer the trackpad to be a bit larger (it is approx 6×4cm). Most noticeably, I spent some time getting my setup working, as I had to remap my keys — I rely quite a bit on the Super and Multi keys (oh, are you not a Unix person? Super is Mod4, usually located at the Windows keys; I reconfigured the Menu key to be Multi or Compose, to be able to input §ṫℝ∀ℕĠ̣∃ symbols, even some useful ones from time to time). This keyboard has no Windows or Menu keys, so I was playing a bit with how my fingers accept Super being at CapsLock and Multi being and ScrollLock... Lets see!

Also, I am super-happy with my laptop's keyboard (Thinkpad as well, X230), and I thought not having different mental models for laptop and office keyboards would be a win... But this is the seven-row Thinkpad model, and the X230 has the six-row one. Not much changes to the finger memory, but I've found myself missing the Esc key (one row higher) and PgUp/PgDn (in the upper corner instead of around the cursor keys). Strangest, I initially thought I would be able to remap Super and Multi to the two keys where I expected PgUp and PgDn to be (what are their names?), but... Looking at the keycodes they send, it is just not possible — They are hardwired to send Alt + → or Alt + ←. Will come handy, I guess, and I will get used to them. But they are quite odd, I think. With all the people that complained loudly when Lenovo abandoned the seven-row in favor of the six-row layout... I guess I'm about to discover something good..?

this was from before I ran

After biking and biking this summer (and not making much progress), this past weekend was on a different tune. For my second time (ever), went for a kayaking weekend, this time on Lake Geneva. Basically, this:

which is very different from my usual “outdoor” environment.

My previous time kayaking was a basic course, so lots of introduction and explanations (on land), plus a tiny bit of paddling, plus lots of rescue stuff (self and others). Definitely useful, but didn’t feel like actually “going kayaking”.

This weekend however, it was the next step - going a bit further distance, more paddling, more “on the way” learning. And while the weather wasn’t very nice on the first day (see above), the second day’s morning was awesome (the afternoon was again just drab):

Well, for one, water is awesome. And then the question is, what kind of water activity? Not swimming since I suck at that.

It all started with an ad, I think on digitec’s web site, about a certain brand of inflatable catamarans. I did not know these things existed at all (for people living in an apartment instead of castle), so it opened my interest into accessible water sports for city dwellers.

One thing led to another and to yet another and in the end I reached the conclusion that learning kayaking is most interesting from a couple points of view:

1. It is self-powered, and kind of an endurance activity. This is important for me. While sailing is definitely on my long term radar for the skill itself, paddling is much more basic and involved (from my point of view), so it possibly answers my search for a sport to counterbalance my biking (upper/core vs. core/lower).

2. You can paddle on a river (which seems a bit strange to me), on a lake, on a big lake, and even on the sea. I mean here along the shore, not crossing a sea—only crazy people would do that. So there is place to grow one’s skills.

3. In a proper sea kayak, you are “in” the water. On a SUP board (which I also did a few times), you’re “on” the water. But a kayak seems a very, hmm, intimate way of travelling on the water. And because you sit much lower, it’s not so much a fight for survival, err, balance as on a SUP board. You can actually take time to take a picture, drink water, etc.

4. It is a symmetrical sport. Very important for me, and again bonus points over stand-up paddling, since you have a symmetrical paddle (feathering aside, see the wikipedia article on paddles).

So after all thinking done, and after finding good course options, I was eager to learn basic kayaking.

The most funny thing is how slow moving on the water is. After my second kayaking weekend, it looks like with neutral wind and no waves, my personal sustained speed is somewhere around 6km/h (3.2 knots) for around 10 minutes, 5.2km/h (2.8 knots) for half an hour. The exact value is not important, the point is, it’s definitely less than 10km/h. I can run faster, I can bike significantly faster, I can even bike uphill (up to a certain inclination) at this speed or faster even.

And yet, this is a speed that still makes you feel that you’re “going”, despite being just a bit faster than walking. And if you get wind or some waves, it feels fast even! A bit funny, but true. And because you can go straight for your target, over minutes the distance does add up. Just not fast enough :)

Another fun thing about kayaking is how much fun shallow water is. On a sunny day, you can actually see lots of things in the water if it is shallow. I didn’t know for example how underwater plants look like :)

One downside however is that I can’t yet make this an aerobic activity. Since I’m mostly cycling and in some odd years running, my upper body is not strong enough to be able to paddle strongly beyond some very short distances, so I get tired (muscles) before I can actually get my heart rate up. On these two weekend days, max HR as recorded with a chest strap (so should be accurate) was 107, respectively 115 bpm. Which is a far far away cry from my biking/running steady state, not even speaking of max. I guess this will get fixed with more experience and training?

The other very curious thing I learned is that water is much, much more complex than I thought. Started to read some books and it’s definitely complex on paper, but even on a lake, it reacts to wind in oh so interesting ways! A bit of wind and the surface changes immediately, some real wind and in 10 minutes you have waves (on a lake! I didn’t know this is possible…) that become a real impediment to easy, straight paddling.

As an example, it went from this:

to this in less than five minutes (and the picture doesn’t do it justice):

and to even a bit more, in a very short time span. From an easy paddle, to struggling against waves and the wind (which is trying to both push the kayak back and also turn it). And then, ten minutes later, all good again. I was like “huh?”…

And then, the next day started with again what I call “normal” water (just small ripples), but by the afternoon it became this:

Which again confused me greatly. How can a large body of water be this still? Even ships passing were only generating large waves, but the waves themselves had a smooth surface.

I bought last year an Olympus Tough camera (a TG-5), with family beach vacations in mind. That got some use out of it, but it’s actually perfect for kayaking! I shot a large number of pictures this weekend with it—which is why I was so slow, maybe. But it was fun, to not fear water, or even better, to just put the camera in the water:

However, I also learned that being in a kayak even in nice weather gives a very unstable platform, so even with optical stabilisation (which the TG-5 does have), pictures will many times get tilted or even miss the framing significantly. So my new modus operandi is to set the camera on sequential low (that means with mechanical shutter), and fire 4-6 frames of every picture. This way, it’s somewhat guaranteed that each burst will have a usable picture (as usable as can be from this small sensor).

Even with a small sensor, in nice sunny weather, pictures do look nice, as you can see in the “on the water” pictures in this post, and at a stretch, it can even pretend to be good for regular photography, still from the water of course:

And because it’s small and easy to easy, you don’t scare the wildlife, for example:

So overall I’m very happy with this camera, for its intended purpose.

One funny thing regarding taking pictures on the water was that, as ships were passing nearby—which is a good thing, because big ship means many large waves, which are awesome fun!—I kept taking photos. And at one point, I got a very funny sensation, and a feeling first of “I’ve been doing this before” and then “good angle, launch all torpedoes!”. When I realised what was happening—flashbacks from computers games from ages ago—I started laughing out-loud. Funny how the brain works and how it makes connections… So here’s one such picture:

Kayaking is fun, but it’s much less accessible sport than biking. I still don’t know if I can actually pursue this long term beyond “relaxation” level, because the time overhead to getting on the water is prohibitive, for all solutions I’ve investigated so far. It seems what you can do while living in an apartment is one of inflatable, foldable, or modular kayaks, and all come with their downsides.

A “real” sea kayak is a beautiful thing, and makes one dream of expeditions; dangerous, beautiful, real expeditions out on the ocean (coast). But that’s out of the reach of normal people living in a land-locked country…

Well, we’ll see what the future brings. At least, getting out on the water once in a while is a nice thing, and one that I’m looking forward to when I’ll be able to.

While the weekend was mostly around kayaking, the nice location did lend itself to other “normal” activities, like enjoying the local food, a bit of walk around, and taking regular land-based photos. Not the first time, and likely not the last time we’ll visit this area.

And with that, a last picture (but you can see more here):

Our university, among the largest in the world and among the most important in Latin America, had an unexpected and traumatic event last September 3rd: A group of students from one of the high schools our university operates, peacefully protesting, demanding mostly proper study conditions and better security for their area, were violently attacked by a large, organized group. Things are still very much in flux, and we have yet to see what this really meant, and what are its consequences.

But in the meantime, I cannot but take as mine the following words, by Comité Cerezo. I am sorry for not translating into English, interested people will be able to do so using automated services or human talent.

Original here: Carta al Rector de la UNAM por los hechos sucedidos el 3 de septiembre: la omisión, complicidad e impunidad también son violencia

Ciudad Universitaria 4 de septiembre de 2018

Enrique Luis Graue Wiechers
Rector de la Universidad Nacional Autónoma de México

Ante los hechos suscitados el día 3 de septiembre en la explanada de Rectoría de la UNAM y sus alrdedores, el Comité Cerezo México, cuyos integrantes en su mayoría formamos parte de la comunidad universitaria como egresados, estudiantes en activo, académicos y trabajadores, nos dirigimos a usted con el objetivo de manifestar que, como la gran mayoría de quienes se han pronunciado, repudiamos los hechos de violencia por medio de los cuales un grupo de sujetos atacaron violentamente a estudiantes que se manifestaban pacíficamente ejerciendo su derecho humano a la protesta. Sin embargo, consideramos que el repudio a la violencia y la promesa de investigación queda corta ante los hechos ocurridos. Por ello, maniestamos que:

1. Repudiamos con la misma fuerza la actitud omisa e indolente que en los distintos videos e imágenes se observa por parte del cuerpo Auxilio UNAM ante los hechos de violencia. Incluso nos preguntamos por qué elementos de esta corporación de seguridad se acercaron a los grupos de jóvenes que atacaban a los manifestantes e incluso los saludaron de mano en lugar de impedir que agredieran a los estudiantes.

2. Repudiamos el hecho de que, a priori, en algunos comunicados de las autoridades se afirmara que los agresores eran personas ajenas a la comunidad académica. De acuerdo a informaciones que circulan en redes sociales (y que por supuesto deben ser verificadas) algunos de los agresores forman parte de la comunidad estudiantil y de grupos que operan, al menos en CCH Azcapotzalco, CCH Naucalpan y CCH Vallejo. La condena a la violencia y la afirmación pronta de que los agresores no son integrantes de la comunidad es un acto incongruente con la promesa de investigar los hechos. En el mismo sentido afirmar que los hechos que se vivieron buscan enturbiar el ambiente sin tener una investigación clara de qué grupo operó, sin tener claridad en la cadena de mando y en la implicación de algunas autoridades no abona en nada a la resolución del conflicto.

3. Manifestamos nuestro extrañamiento por el hecho de que pese a que en los pronunciamientos de las autoridades se afirma que están abiertas al diálogo, no se haya mencionado que las demandas por las que los estudiantes se manifestaban en Rectoría serán atendidas y de qué modo.
Ante esto, exigimos a las autoridades responsables que a la brevedad:

a) Expliquen a la comunidad universitaria por qué el cuerpo de Auxilio UNAM, como en otros casos ya públicos, no detuvo a los agresores ni intentó contenerlos. Es necesario también que expliquen a la comunidad por qué un integrante de Auxilio UNAM afirmó ante un medio de comunicación en un video que “tenían órdenes de arriba de no actuar”. La comunidad universitaria exige claridad en la rendición de cuentas de cómo y por qué se operó de ese modo. Asimismo, deben aclarar quiénes eran los funcionarios que en los distintos videos están cerca o saludan al grupo de agresores y por qué en lugar de impedir los hechos se limitaron a mirar y en algunos casos a interactuar con estos grupos.

b) Que la investigación de los hechos así como sus avances se hagan públicos. Esa investigación implica una gran exhaustividad y claridad. Las autoridades deben explicar a todos ¿Quiénes eran los jóvenes, y muchos no tan jóvenes, agresores? ¿A qué grupo o grupos pertenecen? ¿Cómo se trasladaron a la Rectoría? Pero no basta con la aclaración de los hechos que componen el ataque, es necesario también que se investigue quién ordenó u orquestó tal ataque, la cadena de omisiones que lo hicieron posible así como la investigación de las autoridades involucradas o no en tales hechos, de tal manera que no sólo se investigue a los ejecutores de las agresiones sino a la cadena completa de mando que las planeó u ordenó.

c) Que se atienda y brinde todo el apoyo necesario para los alumnos atacados, sus familiares y amigos de manera integral y apoyándolos en todas las acciones que ellos necesiten no sólo en su atención médica y psicológica, sino en el acompañamiento jurídico en caso de que quieran proceder contra los agresores.

d) Que de inmediato se nombre un representante de Rectoría que se haga responsable de recibir a una comisión que presente el pliego petitorio o las demandas de los estudiantes y que de inmediato rinda cuentas de la manera en que se atenderán esas demandas. De lo contrario decir que el diálogo y la apertura es la solución sin establecer mecanismos concretos y claros de cómo se atenderán las demandas de los estudiantes es sólo una declaración que no alcanza a resolver el problema.

e) Vigilar que bajo ninguna circunstancia, los estudiantes que han decidido parar actividades y aquellos que están marchando y/o concentrándose en la explanada de Rectoría, como ejercicios del derecho humano a la protesta por los graves hechos ocurridos el 3 de septiembre en la Rectoría, sean intimidados, molestados, amenazados o agredidos por grupos porriles (ajenos o no a la comunidad universitaria) ni por autoridades o integrantes de la misma comunidad.

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

• Really good news this month as Yavor Doganov provided patches for  gamazons (#885735), gnomekiss (#885740) and teg (#885751) which all depended on obsolete GNOME 2 libraries. He succeeded in porting them to GooCanvas and GNOME 3. We are currently aware of some issues in Teg (#907834) and would appreciate more feedback from game testers. In any case this was a non-trivial feat and many thanks go to Yavor who prevented the removal of three games from Debian.
• I applied a patch from Adrian Bunk which made FreeOrion (#906746) more portable and packaged the latest and greatest release 0.4.8 later.
• I fixed a broken start script in FreeCol due to OpenJDK 10 changes. (#907661)
• The Spring RTS engine was affected by a GCC-8 RC bug. (#906409)
• I backported FreeCiv 2.6.0 to Stretch.
• I updated some games to the latest standards in Debian, made some minor changes and applied patches to fix FTCBFS bugs or build failures due to a missing libm library. Those issues were solved in tenmado, supertransball2 (#902537), seahorse-adventures, empire (#900197), phlipple (#907207) and ace-of-penguins (#900200).
• I sponsored mupen64plus-qt for Dan Hastings.

• I made some minor updates for the Java Packaging guide and announced its existence here on this blog.
• I packaged new upstream releases and fixed some serious issues in libmiglayout-java, wildfly-client-config, h2database (#902787), jackson-dataformat-xml (#906368), libcommons-compress-java (#906301), xmlgraphics-commons (#906523) and tomcat8 (#906447).
• We still have about 100 RC bugs to fix at the moment. As usual there are still Java 9 and Java 10 issues (and soon I’m sure Java 11). This month I triaged and fixed RC bugs in spatial4j-0.4 (#902789), plexus-archiver (#906396), zookeeper (#897892 prepared by tony mancill), simple-xml (#888547), axis (#902861), asm (#902570), jnr-posix (#901044), mina2 (#907001), disruptor (#906347), libreadline-java (#898380), gnome-split (#893201) and lucene-solr (#906384, #904063).
• I applied a patch from Bdale Garbee and lowered the minimum required source/target level to 1.6 in Ant again since we know that OpenJDK 11 will support that. However we will have to revert to 1.7 again because OpenJDK 12 will drop support for Java 6 in the future.
• I completed a security update for Tomcat 8. It was issued by the security team as DSA 4281-1.
• I packaged a new build-dependency for mediathekview, libmbassador-java. The update also requires a working JavaFX package and probably one or two additional packages. I intend to work on JavaFX in September.

• I NMUed ruby-zip to fix RC bug (#902720) and libcgroup (#906308) and uploaded the fix for the latter to Stretch as well. (#907386)
• I updated byzanz and pyblosxom and moved them to salsa.debian.org.
• I packaged a new upstream release of the https-everywhere browser extension.

This was my thirtieth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 13.08.2018 until 19.08.2018 and from 27.08.2018 until 02.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in intel-microcode, bind9, confuse, libykneomgr, mp4v2, gdm3, wesnoth-1.10, ruby-zip, otrs2, mathjax, mono, tcpflow, bluez, openssh, mariadb-10.0, tomcat-native, wordpress, thunderbird, spice, spice-gtk, libextractor, postgresql-9.1, libcgroup, zutils, soundtouch, squirrelmail, git-annex, ghostscript, libpgjava, elfutils, libpodofo, libtirpc, libxkbcommon, libtasn1-6, cinder, 389-ds-base, wireshark, php5, libzypp, imagemagick, kfreebsd-10, tiff, discount and polarssl.
• DLA-1467-1.  Issued a security update for ruby-zip fixing 1 CVE.
• I worked on gdm3 to fix CVE-2018-14424.  I backported the patch to Jessie but could still trigger a session restart with the POC. Since there is no crash and the session is completely restored, we believe now that this is the intended behavior.  I also tried to contact Chris Coulson, the original bug reporter, for further advice but have not received a reply yet. If we don’t discover another issue we will release a DLA for gdm3 in September.
• DLA-1472-1. Issued a security update for libcgroup fixing 1 CVE.
• DLA-1473-1. Issued a security update for otrs2 fixing 1 CVE.
• DLA-1482-1. Issued a security update for libx11 fixing 3 CVE.
• DLA-1475-1. Issued a security update for tomcat-native fixing 2 CVE.
• I am still working on a security update for ghostscript. I have already backported the majority of patches to Jessie to fix a serious sandboxing issue with the -dSAFER mode.  More patches are required to fix the problem and only yesterday more CVE were assigned to them.

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my third month and I have been paid to work 12  hours on ELTS.

• I was in charge of our ELTS frontdesk from 13.08.2018 until 19.08.2018 and I triaged CVE in intel-microcode, azureus, gdm3, couchdb, lxc, squirrelmail, wordpress, wpa, xen, tomcat7, firmware-nonfree, postgresql-9.1, apache2, bluez, dojo, libcommons-compress-java, spice, spice-gtk, tomcat-native, libcgroup, libx11 and samba.
• ELA-21-1. Issued a security update for openssl fixing 1 CVE.
• ELA-27-1. Issued a security update for tomcat7 fixing 1 CVE.
• ELA-28-1. Issued a security update for tomcat-native fixing 2 CVE.
• ELA-20-2. Issued a regression update for busybox.
• ELA-29-1. Issued a security update for postgresql-9.1 fixing 1 CVE.
• ELA-30-1. Issued a security update for libx11 fixing 3 CVE.

Thanks for reading and see you next time.