Planet Debian

Now it is a commonplace that security is hard. It involves advanced mathematics and a single, tiny mistake or omission in implementation can spoil everything.

And the only sane IT security can be open source security. Because you need to assess the algorithms and their implementation and you need to be able to completely verify the implementation. You simply can't if you don't have the code and can compile it yourself to produce a trusted (ideally reproducible) build. A no-brainer for everybody in the field.

But we make it unbelievably hard for people to use security tools. Because these have grown over decades fostered by highly intelligent people with no interest in UX.
"It was hard to write, so it should be hard to use as well."
And then complain about adoption.

PGP / gpg has received quite some fire this year and the good news is this has resulted in funding for the sole gpg developer. Which will obviously not solve the UX problem.

But the much worse offender is OpenSSL. It is so hard to use that even experienced hackers fail.

Now, securely encrypting a mass communication media like IRC is not possible at all. Read Trust is not transitive: or why IRC over SSL is pointless1.
Still it makes wiretapping harder and that may be a good thing these days.

LibreSSL has forked the OpenSSL code base "with goals of modernizing the codebase, improving security, and applying best practice development processes". No UX improvement. A cleaner code for the chosen few. Duh.

I predict the re-implementations and gradual improvement scenarios will fail. The nearly-impossible-to-use-right situation with both gpg and (much more importantly) OpenSSL cannot be fixed by gradual improvements and however thorough code reviews.

Now the "there's an App for this" security movement won't work out on a grand scale either:

1. Most often not open source. Notable exceptions: ChatSecure, TextSecure.
2. No reference implementations with excellent test servers and well documented test suites but products. "Use my App.", "No, use MY App!!!".
3. Only secures chat or email. So the VC-powered ("next WhatsApp") mass-adoption markets but not the really interesting things to improve upon (CA, code signing, FDE, ...).
4. While everybody is focusing on mobile adoption the heavy lifting is still on servers. We need sane libraries and APIs. No App for that.

So we need a new development, a new code, a new open source product. Sadly so the Core Infrastructure Initiative so far only funds existing open source projects in dire needs and people bug hunting.

It basically makes the bad solutions of today a bit more secure and ensures maintenance of decade old crufty code bases. That way it extends the suffering of everybody using the inadequate solutions of today.

That's inevitable until we have a better stack but we need to look into getting rid of gpg and OpenSSL and replacing it with something new. Something designed well from the ground up, technically and from a user experience perspective.

Now who's in for a five year funding plan? $2m annually. ROCE 0. But a very good chance to get the OBE awarded.

Updates:

28.11.18: Changed the Quakenet link on why encrypting IRC is useless to an archive.org one as they have removed the original content.

13.03.17: Chris Wellons writes about why GPG is a failure and created a small portable application Enchive to replace it for asymmetric encryption.

24.02.17: Stefan Marsiske has written a blog article: On PGP. He argues about adversary models and when gpg is "probably" 2 still good enough to use. To me a security tool can never be a sane choice if the UI is so convoluted that only a chosen few stand at least a chance of using it correctly. Doesn't matter who or what your adversary is.
Stefan concludes his blog article:

PGP for encryption as in RFC 4880 should be retired, some sunk-cost-biases to be coped with, but we all should rejoice that the last 3-4 years had so much innovation in this field, that RFC 4880 is being rewritten[Citation needed] with many of the above in mind and that hopefully there'll be more and better tools. [..]

He gives an extensive list of tools he considers worth watching in his article. Go and check whether something in there looks like a possible replacement for gpg to you. Stefan also gave a talk on the OpenPGP conference 2016 with similar content, slides.

14.02.17: James Stanley has written up a nice account of his two hour venture to get encrypted email set up. The process is speckled with bugs and inconsistent nomenclature capable of confusing even a technically inclined person. There has been no progress in the last ~two years since I wrote this piece. We're all still riding dead horses. James summarizes:

Encrypted email is nothing new (PGP was initially released in 1991 - 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it.

04.09.16: Greg Kroah-Hartman ends an analysis of the Evil32 PGP keyid collisions with:

gpg really is horrible to use and almost impossible to use correctly.

14.11.15:
Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons of BYU, Utah, have analysed the usability [local mirror, 173kB] of Mailvelope, a webmail PGP/GPG add-on based on a Javascript PGP implementation. They describe the results as "disheartening":

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. Even though a decade has passed since the last formal study of PGP, our results show that Johnny has still not gotten any closer to encrypt his email using PGP.

1. Quakenet has removed that article citing "near constant misrepresentation of the presented argument" sometime in 2018. The contents (not misrepresented) are still valid so I have added and archive.org Wayback machine link instead. ↩

2. Stefan says "probably" five times in one paragraph. Probably needs an editor. The person not the application. ↩

Here’s what happened in the Reproducible Builds effort between Sunday November 18 and Saturday November 24 2018:

• Reproducible Builds were mentioned on the latest episode of the Late Night Linux podcast starting at 18:03 (direct link).

• Apache Maven are continuing their work on reproducible builds, documenting their progress on their corresponding Confluence page.

• Vagrant Cascadian automated uploading .buildinfo files from the Debian archive to the experimental buildinfo.debian.net service. Over 1,000 .buildinfo files are typically uploaded each day.

• Bernhard M. Wiedemann posted the montly openSUSE reproducible builds status with details on the remaining 58 major issues in 2565 openSUSE DVD packages with GCC, Python and OpenJDK being the most irksome cases.

• Holger Levsen posted to our mailing list that Reproducible Builds t-shirts are available to contributors. Please see the corresponding thread for more information.

• Chris Lamb requested that the “Deterministic compilation” Wikipedia page be renamed to Reproducible builds (via the “Technical move requests” mechanism) given that this is overwhelmingly the generally accepted term for this concept.

• 17 Debian package reviews were added, 5 were updated and 14 were removed in this week, adding to our knowledge about identified issues. Two new issue types were added this week by Chris Lamb (timestamp_added_by_gnuradio_grcc and paths_vary_due_to_usrmerge) and he also updated a number of others, including as well as adding references to various existing notes (1 & 2), merging a duplicate issue […], and adding a bug reference for a patch […].

• Holger Levsen updated our website project to add IPFS as a participant at our upcoming Paris Summit […] and replaced an instance of “Tor” with “Tor Project” […]. In addition, Chris Lamb added a number of missing dates to the Talks & Resources page […].

• diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, version 106 was uploaded to Debian unstable by Mattia Rizzolo. He included contributions already covered in previous weeks as well as overriding the new Lintian’s public-upstream-key-in-native-package tag […] and temporarily disabling Depends: on Gnumeric and Procyon as they are RC buggy […].

• We have received more than 50 registrations for the upcoming Reproducible Builds summit in Paris between 11th—13th December 2018 and registrations are now closed. Again, very much looking forward to seeing you there.

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • lirc (date, sort, uname -r, also submitted upstream)
  • tigervnc (use CMake timestamp)
  • plasma5-desktop (parallelism)
  • python-textX (drop non-deterministic files)
• Chris Lamb:
  • #914091 filed against googletest.
  • #914176 filed against cfitsio.
  • #914252 filed against gnuradio.
• Emmanuel Bourg:
  • #914278 filed against openjdk-11.

Test framework development

There were a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org this week, including:

• Chris Lamb:
  • Add support for calculating a PureOS package set. […]
• Eli Schwartz:
  • Provide an even-better explanation for a sed(1) command in the Archlinux support. […]
• Jelle van der Waa:
  • Set LANG/LC_ALL in build 1 in the Archlinux support. […]
• Niko Tyni:
  • Fix the umask information on the “Variations tested” page. […]
• Simon McVittie:
  • Disable the merged /usr functionality in the base Debian tarball. […]
• Holger Levsen:
  • Explicitly also install GnuPG. […]
  • Perform some node maintenance. […]
  • reviewed, merged and deployed the above commits.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Onyx Boox Note is a great device for reading, writing, note taking. I have written about my first impressions with this device here, and since then I have used the device heavily. I don’t even remember when I last took my Kobo GloHD in hand since I got the Boox. Onyx has announced a new firmware version (2.0) with a flashy video. The firmware is not generally available, but a hint in the forums tells that switching to Chinese will get you the latest firmware.

Well, I have tried it, and after installation of the latest version switched back to English. Here are my experiences with the new firmware.

The new library page (front page) has changed considerably. Instead of the big cover of the last read book and much smaller covers of the recently read books, all are arranged in the same size. Further information like the format of the book and the progress are overlaid on top of the cover. The icons on the top right allow for filtering, searching, creation of sub-libraries (folders). The bottom shows the total number of books and libraries. I prefer this layout a lot over the previous as it gives me immediate access to most of the recently read books.

There is a new shop available, but for now it seems most books are in Chinese only, which doesn’t help me a lot. I haven’t really checked out and searched books there for now, but I guess over time and with the general availability of the firmware in the next months better support for (at least) English books is to be expected. There is also a new AppStore (link to image) but again, most of the apps are in Chinese so not very helpful. I hope that in the similar vein with the above, a global release will improve this situation.

The storage page is quite bare, a simple file manager. I don’t think anything has changed from the previous firmware. One can explore the content of the device, copy/move/delete files etc. All very much in usual Android style.

The application page (not shown here, link to image) hasn’t changed a lot, but allows now for per-app optimization as shown on the left. There is an Onyx-specific app store with applications optimized for the Boox devices, but most apps installed via Google Play (or any other method) aren’t optimized. This screen seems to allow for various tweaks to optimize appearance of apps that are not made for grey-scale screens. I haven’t used many of the non-native apps by now, though.

The settings screen got a complete renewal with several new items appearing there.

Most of the items are no new functionality, but there is one new seriously niWell, I have tried it, and after installation of the latest version switched back to English. Here are my experiences with the new firmware.ce feature – synchronization of notes taken. There are several providers, most importantly Dropbox and some Chinese typical services. And with Wifi on the notes are saved nicely into my Dropbox account, which makes the tedious connecting to computer and copying a thing of the past. Thanks!

Let us finally go to the Notes application, which got the biggest update in this round. The entry page of the application hasn’t changed a lot, allowing for sorting of notes, creation of folders etc.

What is interesting is the ability to edit hand-written notes: select, copy, paste, resize, transform. It allows also to type text everywhere (see the teaser video linked at the top for details). Another feature that is presented in the teaser video is the text recognition and search in the content of hand-written notes. I have tried this a few times, but it seems my hand-writing is so bad that it wasn’t recognized.

The Notes application got a lot of new settings, most prominently the AI recognition settings which allows selecting the main language of hand-writing recognition. The language support seems to be impressive, including Japanese, but as I said, I didn’t manage by now to actually get it to find one of my notes. Another item is that search takes quite some time to go through all notes. Maybe only the first time, though.

One last new feature I found while digging through the menus is a Wifi Hotspot to allow for up/download of files from mobiles or other Wifi client devices. Not sure whether I will have use for it, but it might be a nice way to share books to friends without using a computer.

All in all I think after some polishing (the English translations are currently horrible at times) and bug fixing, this firmware is a great addition and step forward for the Onyx devices. There is only one really strange thing I experienced during the upgrade to version 2.0, namely that some of my books got corrupted during the process, and the NeoReader couldn’t open them anymore. I have no idea why some books were affected and some not, but it is not a matter of format I found. Removing them from the device and reloading them from Calibre fixed these problems.

Last comment for today: during writing this blog I switched to Chinese again and got a new version via OTA update (2018-11-22_10-36_2.0.3dcbcf5). Not sure what has changed, though.

This week I'm at the UN Forum on Business and Human Rights in Geneva.

What is the level of influence that businesses exert in the free software community? Do we need to be more transparent about it? Does it pose a risk to our volunteers and contributors?

Some time ago I got flamed by Lars Wirzenius, because I dared to write on my blog

The last point by Linus is what I criticize most on Debian nowdays, it has become a sterilized over-governed entity, where most fun is gone.

One of the things he said was

I do feel it is important to make it clear to the people reading Planet Debian, where both Preining’s and my blogs are published, that his opinions are not mainstream in the Debian project, and that despite what he says, Debian development continues to be fun.
– Lars Wirzenius, On Norbert Preining, Sarah Sharp, and Debian

Well, as it turned out he got tired of Debian and doesn’t consider it fun anymore:

I’ve had a rough year, and Debian has also stopped being fun for me.
– Lars Wirzenius, Retiring from Debian

Times are a changin‘! Despite the difference of our opinions, thanks for your hard work on Debian!

The new 0.4.6 release of RQuantLib arrived on CRAN and Debian earlier today. It is two-fold update: catching up QuantLib 1.14 while also updating to Boost 1.67 (and newer).

A special thanks goes to Josh for updating to the binary windows library in the rwinlib repository allowing us a seamless CRAN update.

The package needs some help, though. There are two open issues. First, while it builds on Windows, many functions currently throw errors. This may be related to upstream switching to a choice of C++11 or Boost smart pointers though this throws no spanners on Linux. So it may simply be that some of the old curve-building code shows its age. It could also be something completely different—but we need something with a bit of time, debugging stamina, at least a little C++ knowledge and a working Windows setup for testing. I have a few of the former attributes and can help, but no suitable windows (or mac, see below) machine. If you are, or can be, the person to help on Windows, please get in touch at this issue ticket.

Second, we simply have no macOS build. Simon has a similar binary repo but no time himself to work on building QuantLib for macOS with the required R-compatible toolchains. If you are on macOS, care about RQuantLib, and know how to build R packages (and how to deal with compilers etc in general) please consider helping. A little more is at this issue ticket.

Otherwise, this release was mostly about internal plus a little helper for holidays. The complete set of changes is listed below:

Changes in RQuantLib version 0.4.6 (2018-11-25)

• Changes in RQuantLib code:

  • The code was updated for release 1.14 of QuantLib.

  • The code was updated for Boost 1.67 or later (#120 fixing #119).

  • Fewer examples and tests are running on Windows.

  • Several bond prixing examples corrected to use dayCounter.

  • Two new functions were added to add and remove (custom) holidays (#115).

  • The continuous integration setup was rewritten for containers.

Courtesy of CRANberries, there is also a diffstat report for the this release. As always, more detailed information is on the RQuantLib page. Questions, comments etc should go to the rquantlib-devel mailing list off the R-Forge page. Issue tickets can be filed at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Debian recently switched from Alioth to Salsa offering only Git hosting from now on and that simplifies the work of exiting contributors and also helps newcomers who are most likely already familiar with Git if they know at least one version control system. (Thanks to everyone involved in the transition!)

On Ubuntu’s side, most Ubuntu-specific packages and big part of Ubuntu’s infrastructure used to be maintained in Bazaar repositories in the past. Since then Git became the most widely used version control system but the Bazaar repositories did not fully disappear.

There are still hundreds of packages maintained in Bazaar in Ubuntu (packaging repositories in Bazaar by team) and Debian (lintian report) and maintaining them in Git instead could be easier in the long term.

Launchpad already supports Git and there are guidelines for converting Bazaar repositories to Git (1,2),  but if you would like to make the switch I suggest taking a look at bzr-git-mass-convert based on bzr fast-export (verifying the result with git-remote-bzr). It is a simple tool for merging multiple Bazaar branches to a single git repository set up for pushing it back to Launchpad.

We (at the Foundations Team) use it for migrating our repositories and there is also a wiki page for tracking the migration schedule of popular repositories.

Another minor release 0.3.3.5.0 of RcppEigen arrived on CRAN today (and just went to Debian too) bringing support for Eigen 3.3.5 to R.

As we now carry our small set of patches to Eigen as diff in our repo, it was fairly straightforward to bring these few changes to the new upstream version. I added one trivial fix of changing a return value to void as this is also already in the upstream repo. Other than that, we were fortunate to get two nice and focussed PRs since the last release. Ralf allowed us to use larger index values by using R_xlen_t, and Michael corrected use of RcppArmadillo in a benchmarking example script.

Next, it bears repeating what we said in February when we release 0.3.3.4.0:

One additional and recent change was the accomodation of a recent CRAN Policy change to not allow gcc or clang to mess with diagnostic messages. A word of caution: this may make your compilation of packages uses RcppEigen very noisy so consider adding -Wno-ignored-attributes to the compiler flags added in your ~/.R/Makevars.

It’s still super-noise, but hey, CRAN made us do it …

The complete NEWS file entry follows.

Changes in RcppEigen version 0.3.3.5.0 (2018-11-24)

• Updated to version 3.3.5 of Eigen (Dirk in #65)

• Long vectors are now supported via R_xlen_t (Ralf Stubner in #55 fixing #54).

• The benchmarking example was updated in its use of RcppArmadillo (Michael Weylandt in #56).

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

In January I was at Linux Conf Australia and had the idea of forming a group match campaign for the Software Freedom Conservancy. The Conservancy is one of my favorite nonprofits, and I had been interested in trying to level up my giving while not putting myself into dangerous financial straits.

A match campaign is when an organization, a person, or persons offer/s to give a nonprofit a large(er) sum in the event they can raise an equal amount during their fundraising activities. For example, Private Internet Access has pledged $50,000 to the Conservancy as part of the Conservancy’s matching donation efforts.

I wanted to participate in the fun of running a match donation, but recognized that the amount I could offer was paltry in comparison to most matches, as well as being not actually enough to inspire participation from potential donors. I realized that instead I could work with others others to help reach a number — I picked $10,000 somewhat randomly — and began asking around. With the help of Karen Sandler, Conservancy Executive Director, we surpassed that $10,000 and found ourselves with a $15,000 match.

The Conservancy seemed like a natural choice as a recipient of a somewhat scrappy attempt at a match — they consider themselves to be a scrappy organization, doing a lot with very little. They support free and open source software projects — and unless we have good projects, we don’t have anything to offer people looking to be more freedom respecting in their own lives and their works. They do copyleft compliance work, without which copyleft (and licensing in general) would be meaningless — the licenses need to have teeth in order for any companies to actually follow them and the promise of copyleft to be followed through. They work every day to spread the message and value of software freedom around the world, reaching people who need to be made aware of the way their rights extend to digital spaces and technologies. In the spirit of full disclosure, I also consider the staff of the Conservancy to be among my friends, and I enjoy seeing them at conferences.

I’m really excited (these words don’t capture how excited I am) that I get to participate in something so cool and inspiring as a group of people who want to encourage others to give. I hope you’ll consider making our match successful by supporting the Conservancy.

Review: Skeen's Leap, by Jo Clayton

Series: Skeen #1 Publisher: Open Road Copyright: 1986 Printing: 2016 ISBN: 1-5040-3845-2 Format: Kindle Pages: 320

Skeen is a Rooner: a treasure hunter who finds (or steals) artifacts from prior civilizations and sells them to collectors. She's been doing it for decades and she's very good at her job. Good enough to own her own ship. Not good enough to keep from being betrayed by her lover, who stole her ship and abandoned her on a miserable planet with a long history of being temporarily part of various alien empires until its sun flares and wipes out all life for another round.

At the start, Skeen's Leap feels like a gritty space opera, something from Traveller or a similar universe in which the characters try to make a living in the interstices of sprawling and squabbling alien civilizations. But, shortly into the book, Skeen hears rumors of an ancient teleportation gate and is drawn through it into an entirely different world. A world inhabited by the remnants of every civilization that has fled Kildun Aalda during one of its solar flares, alongside native (and hostile) shape-changers. A world in which each of those civilizations have slowly lost their technology from breakdowns and time, leaving a quasi-medieval and diverse world with some odd technological spikes. And, of course, the gate won't let Skeen back through.

This turns out not to be space opera at all. Skeen's Leap is pure sword and sorcery, with technology substituted (mostly) in for the sorcery.

It's not just the setting: the structure of the book would be comfortably at home in a Conan story. Skeen uses her darter pistol and streetwise smarts to stumble into endless short encounters, most of them adding another member to her growing party. She rescues a shapeshifter who doesn't want to be rescued, befriends an adventuring scholar seeking to map the world, steals from an alien mob boss, attaches herself to four surplus brothers looking for something to do in the world, and continues in that vein across the world by horse and ship, searching for the first and near-extinct race of alien refugees who are rumored to have the key to the gate. Along the way, she and her companions occasionally tell stories. Hers are similar to her current adventures, just with spaceships and seedy space stations instead of ships and seedy ports.

Skeen's Leap is told in third person, but most of it is a very tight third-person that barely distinguishes Skeen's rambling and sarcastic thoughts from the narration. It's so very much in Skeen's own voice that I had to check when writing this review whether it was grammatically in first or third. The narrator does wander to other characters occasionally, but Skeen is at the center of this book: practical, avaricious, competent, life-hardened, observant, and always a survivor. The voice takes a bit to get used to (although the lengthy chapter titles in Skeen's voice are a delight from the very start), but it grew on me. I suspect one's feeling about Skeen's voice will make or break one's enjoyment of this book. I do wish she'd stop complaining about her lost ship and the lover who betrayed her, though; an entire book of that got a bit tiresome.

One subtle thing about this book that I found fascinating once I noticed it is its embrace of the female gaze. In most novels, even with female protagonists, descriptions of other characters use a default male gaze, or at best a neutral one. Women are pretty or beautiful or cute; men are described in more functional terms. Skeen's Leap is one of the few SFF novels I've seen with a female gaze that lingers on the attractiveness and shape of male bodies throughout, and occasionally stands gender roles on their head. (The one person in the book who might be Skeen's equal is a female ship captain with a similar background.) It's an entertaining variation.

Despite the voice and the unapologetic female perspective, though, this wasn't quite my thing. I picked up this book looking for a space opera, so the episodic sword-and-sorcery plot structure didn't fit my mood. I wanted deeper revelations and more complex world-building, but that's not on the agenda for this book (although it might be in later books in the series). This is pure adventure story, and by the end of the book the episodes were blending together and it all felt too much the same. It doesn't help that the book ends somewhat abruptly, at a milestone in Skeen's quest but quite far from any conclusion.

If you're looking for sword and sorcery with some SF trappings and a confident female protagonist, this isn't bad, but be warned that it doesn't end so much as stop, and you'll need (at least) the next book for the full story.

Followed by Skeen's Return.

Rating: 6 out of 10

Here’s what happened in the Reproducible Builds effort between Sunday November 11 and Saturday November 17 2018:

• Code review for the LLVM compiler to support the -fmacro-prefix-map argument is currently in progress. Like the -fdebug-prefix-map flag, this argument replaces a string prefix for the FILE pre-processor macro.

• Kyle Rankin, the Chief Security Officer of Puri.sm authored a blog post entitled “Protecting the Digital Supply Chain” which describes how with Reproducible Builds you can show that no malicious code was injected in software supply chains:

  Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

• Chris Lamb gave a presentation at the SFScon conference in Bozen, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.

• Holger Levsen updated our website to add the Tor project as a participant at our upcoming Paris Summit. In addition, Bernhard M. Wiedemann applied a sitewide change to use consistent capitalisation for openSUSE […].

• 38 Debian package reviews were added, 4 were updated and 19 were removed in this week, adding to our knowledge about identified issues. The nondeterminstic_output_in_pkgconfig_files_generated_by_meson was removed as a fix was applied upstream […], and the note for the randomness_in_binaries_generated_by_golang issue was updated. (1, 2)

• diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Marius Gedminas provided a patch to add a python_requires field to diffoscope’s setup.py […] and Mattia Rizzolo sorted the list of recommended Python modules in debian/tests/control […].

• Chris Lamb’s previously-authored patches for GNU mtools to ensure the Debian Installer images could become reproducible which were sent upstream last week (1 & 2) are now available in upstream’s 4.0.20 release.

• Upstream chromium-70 now builds reproducibly in openSUSE (with a admittedly-normalised build environment) since it uses the Git commit date.

• Chris Lamb uploaded strip-nondeterminism (our tool to post-process files to remove known non-deterministic output) version 0.45.0-1 to Debian unstable in order that catch invalid ZIP “local” field lengths — we were previously blindly trusting the value supplied in the ZIP file (#803503). As part of this upload he moved the utility to the SemVer versioning scheme.

• We have received more than 45 registrations for the upcoming Reproducible Builds summit in Paris between 11th—13th December 2018 and have now closed registrations. Very much looking forward to seeing you there!

Packages reviewed and fixed, and bugs filed

• Bernhard M. Wiedemann:
  • kvirc (drop uname -r), Also submitted to openSUSE (…)
  • libpt2 (drop uname -r)
• Christoph Berg posted some work-in-progress patches for postgresql-hll (a PostgreSQL extension adding HyperLogLog data structures as a native data type) to make their build reproducible to the upstream mailing list.

Test framework development

There were a large number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org by Holger Levsen this week, including:

• Arch Linux-specific changes:

  • Make sed(1) calls for modifying pacman.conf more robust, fixing building in the future as well as using proxies for downloading package dependencies. (1
  • Improve the documentation of a multi-line sed(1) statement. […]
  • Perform some administration on the package blacklists. (1, 2)
  • Move to using sudo(8) for cleaning old /tmp files left by package builds. […]

• Debian-specific changes:

  • Add two new cloud-image and cloud-image_build-depends package sets.
  • Perform some node maintenance. (1, 2, 3)
  • Install munin from the “Backports repositories. (1, 2)
  • Strip architecture from packages in the grml package sets. […]

• Misc/generic changes:

  • Ensure all ProfitBricks (amd64 and i386) nodes in Karlsruhe use pb1 as a proxy and all nodes in Frankfurt use pb10. This might have produced some build failures but fixed issues with Squid running in the future. This complements previous work for the arm64 architecture.
  • Filed #913658: (“Broken links on packages pages”)
  • Document that the proxy setting for chroot installs are actually correct. […]

In addition, Alexander Couzens provided workaround for an OpenWrt build system bug […], Eli Schwartz refactored our Arch Linux support […] and Mattia Rizzolo performed some node maintenance.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Since the day I had my first class of Operating Systems (OS) in my engineering course, I got passionate about it; for me, OS represents one of the greatest achievements of mankind. As a result of my delight for OS, I always tried to gravitate around this field, but my school environment did not provide me with many opportunities to get into the area. To summarize this long journey, I will jump directly into the main point, on November 15 of 2017, I joined to a conference named Linuxdev-br [1] which brought together some of the best Brazilians Kernel developers. I took this opportunity to learn everything that I could by asking lots of questions to developers. Additionally, I was lucky to meet Gustavo Padovan. He helped me a lot during my first steps in the Linux Kernel.

From November 2017 until now, I did the best I could to become a Kernel developer, and I have to admit that the path was very complicated. I paid the price to work from 8 AM to 11 PM, from Sunday to Sunday, to maintain my efforts in my master and the Linux Kernel at the same time; unfortunately, I could not stay focused only in the Kernel. However, all of these efforts were paid off along the year; I had many patches accepted in the Kernel, I joined the Google Summer of Code (GSoC), I traveled to conferences, I returned to Linuxdev-br 2018 as a speaker, I joined XDC2018 [2], and many other good things happened.

Now I am close to complete one year of Linux Kernel, and one question still bugs me: why does it have to be so hard for someone in a similar condition to become part of this world? I realized that I had great support from many people (especially from my sweet and calm wife) and I also pushed myself very hard. Now, I feel that it is time to start giving back something to society; as a result, I began to promote some small events about free software in the university and the city I live. However, my main project related to this started around two months ago with six undergraduate students at the University of Sao Paulo, IME [3]. My plan is simple: train all of these six students to contribute to the Linux Kernel with the intention to help them to create a local group of Kernel developers. I am excited about this project! I noticed that within a few weeks of mentoring the students they already learned lots of things, and in a few days, they will send out their contributions to the Kernel. I want to write a new post about that in December 2018, reporting the results of this new tiny project and the summary of this one year of Linux Kernel. See you soon :)

Reference

1. linuxdev-br
2. XDC 2018
3. IME USP

I’m wondering now if the problem with the activitypub is because the user object was already in the remote site and somehow the two were not being linked up properly.

Removing the user information off the mastodn instance may help, or not.

Craig https://dropbear.xyz Small Dropbear

4th attempt at getitng the linking working, works ok on the test site now!

Craig https://dropbear.xyz Small Dropbear

I was in need of creating a Qt application using current Debian stable (Stretch) and gpsd. I could have used libQgpsmm which creates a QTcpSocket for stablishing the connection to the gpsd daemon. But then I hit an issue: libQgpsmm was switched to Qt 5 after the Strech release, namely in gpsd 3.17-4. And I'm using Qt 5.

So the next thing to do is to use libgps itself, which is written in C. In this case one needs to call gps_open() to open a connection, gps_stream() to ask for the needed stream... and use gps_waiting() to poll the socket for data.

gps_waiting() checks for data for a maximum of time specified in it's parameters. That means I would need to create a QTimer and poll it to get the data. Poll it fast enough for the application to be responsive, but not too excessively to avoid useless CPU cycles.

I did not like this idea, so I started digging gpsd's code until I found that it exposes the socket it uses in it's base struct, struct gps_data_t's gps_fd. So the next step was to set up a QSocketNotifier around it, and use it's activated() signal.

So (very) basically:

// Class private:
struct gps_data_t mGpsData;
QSocketNotifier * mNotifier;

// In the implementation:
result = gps_open("localhost", DEFAULT_GPSD_PORT, &mGpsData);
// [...check result status...]

result = gps_stream(&mGPSData,WATCH_ENABLE|WATCH_JSON, NULL);
// [...check result status...]

//  Set up the QSocketNotifier instance.
mNotifier = new QSocketNotifier(mGpsData.gps_fd, QSocketNotifier::Read, this); 

connect(mNotifier, &QSocketNotifier::activated, this, &MyGps::readData);

And of course, calling gps_read(&mGpsData) in MyGps::readData(). With this every time there is activity on the socket readData() will be called, an no need to set up a timer anymore. Lisandro Damián Nicanor Pérez Meyer noreply@blogger.com Solo sé que sé querer, que tengo Dios y tengo fe.

A second and minor update for the RcppGetconf package for reading system configuration — not unlike getconf from the libc library — is now on CRAN.

Changes are minor. We avoid an error on a long-dead operating system cherished in one particular corner of the CRAN world. In doing so some files were updated so that dynamically loaded routines are now registered too.

The short list of changes in this release follows:

Changes in inline version 0.0.3 (2018-11-16)

• Examples no longer run on Solaris where they appear to fail.

Courtesy of CRANberries, there is a diffstat report. More about the package is at the local RcppGetconf page and the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Dirk Eddelbuettel http://dirk.eddelbuettel.com/blog Thinking inside the box

I have been having a series of strange dreams for few days now. I had seen a bollywood movie called Sui-Dhaaga few days back .

The story is an improbable, semi-plausible story of a person, couple, no a community’s search for self-respect and dignity in labor. While the clothes shown in the movie at the fashion show were shown to be made by them, the styles seemed pretty much reminiscent of the materials and styles used by National Institute of Design.

One of the first dreams I had were of being in some sort of bare foot Design school which is/was interdisciplinary in nature. I am the bored guy who is there because he has no other skills and have been pressured by parents and well-wishers to do the course and even failed in that. I have been observing a guy who is always cleaner than the rest of us, always has a smile on his face and is content and enjoys working with cloth, whether it is tailoring or anything and everything to do with cloth. The material used is organic handspun Khadi which is mixed with silk to lose the coarseness and harshness that handspun Khadi has but using the least of chemicals and additives and is being sold at very low prices so that even a poor person can afford it.

This in reality is still a distant dream.

Anyways, with that as a backgrounder to the story, one day there is a class picnic/short travel. Because the picnic is ‘free’ i.e. paid by the Institute , almost everybody else except the gentleman who is always smiling and content agrees and wants to go to the picnic. The gentleman asks that he would prefer to be there in the classroom, studying and working with the cloth.

The lone teacher/management is in a fix. While he knows the student and doesn’t question his sincerity he is in a fix because the whole class/school is going for the picnic and there are expensive machines, material lying around. Even the watchmen want to be on the picnic and the teacher/management doesn’t have the heart to say no to them.

He asks in a sort of dejected voice if somebody wants to stay behind with him. A part of me wants to go to the picnic, a part of me wants to stay behind and if possible learn about the person’s mystery of his smile and contentedness.

After awaiting appropriate time and teacher asking couple of times, I take on a bored, resigned tone and volunteer to stay behind, provided I get some of the sweets and any clothes or whatever is distributed.

The next day, I wear one of my lesser shabbier clothes and go to school and find him near the gates of the school, at a nearby chai shop/tapri. He asks me how I am and asks if I would like to eat and drink something. I quickly order 3-4 items and after a fullish breakfast ended by a sweet masala chai we go to the school.

The ‘school’ is nothing but a two rooms with two adjacent toilets, one for men, one for women. The school is probably 500 meters squarish spaced with one corner for embroidery works, one corner for dyeing works, one corner for handspunning khadi and one corner which has tailoring machines. Just last year we had painted the walls of the school using organic colors and the year before we had some students come in who helped us in having more natural light and air to the school.

We also had a new/old water pump which after a long fight with the local councillor we had been able to get and got running water of sorts. We went to the loo, washed our hands, faces, cracked a few jokes and then using the heavy iron key chain which had multiple keys, opened the front door and we went in. He going to his seat, while I going to mine. As always, he’s fully absorbed, immersed in his work.

After waiting for half an hour to an hour, I announced that I’m going to take a leak and have water. He agreed to join me and we had a short break. After coming back, I sat a little across him and asked if I could ask him a few questions. Without missing a beat, he said sure. I asked him a few probing questions as to who he was, who else was in his family, what he used to do before enrolling here.

Slowly but surely, he teased out the answers sharing that while he had been a successful person and had money (he actually said ‘entrepreneur’ but my dream self couldn’t make out what it was) and while he had money saved, his wife was supporting him in this venture as she was good at Maths (a ‘statistician’ which again my dream self was oblivious was all about) and apart from learning about clothes, how they are made etc. something which he always enjoyed but which was discouraged in his house. They were working on a book about ‘learning outcomes’ (which again my dream self knew nothing about, but when he said he would be sharing stories about me and my class-mates I was excited and apprehensive at the same time.) He assured it would be nothing bad.

I asked him in my innocence as to why such a book was necessary because in my world-view we were doing nothing exciting about a school where most of us were learning in the hopes that with the skills we would somehow be able to eke out a living. Looking at the bleakness of the background of the people around me, I didn’t think there was anything worth writing about. I had learnt about writers who were given money to write about fairy tales and even had got a comic book or two with bright colors and pictures. When I asked him if it was going to be something similar to that book, he replied in the negative . He shared that they were in-fact were going to self-publish the book as the book was going to be ‘controversial’ in nature. While my dream self didn’t understand what ‘controversial was all about but was concerned when he explained that they would be putting up their own money to bring out the book. I felt this was foolishness as nobody I knew would spent money to print a book which didn’t have pictures and it was not also a fantasy like about a hero battling dragons and such.

At this moment, my dream ended. For those who had been working in the education sector I’m sure they would be having a laugh on almost all the aspects of the dream/story. ‘Learning outcomes’ has never been a serious consideration by either the Government of the day or previous Governments. Teachers are the most lowly paid staff in the Government machinery. Most of them who enter the profession, do it out of not being able to get a job any other way and are also not obsessed by the subject/s they teach. They somehow want to make ends meet. The less said of the ‘no detention’ policy of the Government, the better. Even the Government doesn’t believe the stats trouted by its own people but instead on ASER made by Pratham although the present Government has reversed it as it wants to show they have been doing the best job in field of education.

shirishag75 https://flossexperiences.wordpress.com #planet-debian – Experiences in the community

Sometimes tiny things make my day at 9am already.

That spammer got frustrated because none of his bots would get comments pasted to my blog:

Greetings to Cambodia.

BTW: Mikrotik RouterOS 6.41, CVE-2018-7445. RCE unpatched for 9+ months.

Daniel Lange https://daniel-lange.com/ Daniel Lange's blog

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In October, about 209 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 1 hour (out of 10 hours allocated + 4 extra hours, thus keeping 13 extra hours for November).
• Antoine Beaupré did 24 hours (out of 24 hours allocated).
• Ben Hutchings did 19 hours (out of 15 hours allocated + 4 extra hours).
• Chris Lamb did 18 hours (out of 18 hours allocated).
• Emilio Pozuelo Monfort did 12 hours (out of 30 hours allocated + 29.25 extra hours, thus keeping 47.25 extra hours for November).
• Holger Levsen did 1 hour (out of 8 hours allocated + 19.5 extra hours, but he gave back the remaining hours due to his new role, see below).
• Hugo Lefeuvre did 10 hours (out of 10 hours allocated).
• Markus Koschany did 30 hours (out of 30 hours allocated).
• Mike Gabriel did 4 hours (out of 8 hours allocated, thus keeping 4 extra hours for November).
• Ola Lundqvist did 4 hours (out of 8 hours allocated + 8 extra hours, but gave back 4 hours, thus keeping 8 extra hours for November).
• Roberto C. Sanchez did 15.5 hours (out of 18 hours allocated, thus keeping 2.5 extra hours for November).
• Santiago Ruano Rincón did 10 hours (out of 28 extra hours, thus keeping 18 extra hours for November).
• Thorsten Alteholz did 30 hours (out of 30 hours allocated).

Evolution of the situation

In November we are welcoming Brian May and Lucas Kanashiro back as contributors after they took some break from this work.

Holger Levsen is stepping down as LTS contributor but is taking over the role of LTS coordinator that was solely under the responsibility of Raphaël Hertzog up to now. Raphaël continues to handle the administrative side, but Holger will coordinate the LTS contributors ensuring that the work is done and that it is well done.

The number of sponsored hours increased to 212 hours per month, we gained a new sponsor (that shall not be named since they don’t want to be publicly listed).

The security tracker currently lists 27 packages with a known CVE and the dla-needed.txt file has 27 packages needing an update.

Thanks to our sponsors

New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 37 months)
• GitHub (for 28 months)
• Civil Infrastructure Platform (CIP) (for 5 months)
• Gold sponsors:
• The Positive Internet (for 53 months)
• Blablacar (for 52 months)
• Linode (for 42 months)
• Babiel GmbH (for 31 months)
• Plat’Home (for 31 months)
• Silver sponsors:
• Domeneshop AS (for 53 months)
• Nantes Métropole (for 47 months)
• Dalenys (for 43 months)
• Univention GmbH (for 38 months)
• Université Jean Monnet de St Etienne (for 38 months)
• Ribbon Communications, Inc. (for 32 months)
• maxcluster GmbH (for 26 months)
• Exonet B.V. (for 22 months)
• Leibniz Rechenzentrum (for 16 months)
• Vente-privee.com (for 13 months)
• CINECA (for 5 months)
• Bronze sponsors:
• David Ayers – IntarS Austria (for 53 months)
• Evolix (for 53 months)
• Seznam.cz, a.s. (for 53 months)
• MyTux (for 52 months)
• Intevation GmbH (for 50 months)
• Linuxhotel GmbH (for 50 months)
• Daevel SARL (for 49 months)
• Bitfolk LTD (for 47 months)
• Megaspace Internet Services GmbH (for 47 months)
• NUMLOG (for 47 months)
• Greenbone Networks GmbH (for 46 months)
• WinGo AG (for 46 months)
• Ecole Centrale de Nantes – LHEEA (for 42 months)
• Sig-I/O (for 40 months)
• Entr’ouvert (for 37 months)
• Adfinis SyGroup AG (for 35 months)
• GNI MEDIA (for 29 months)
• Laboratoire LEGI – UMR 5519 / CNRS (for 29 months)
• Quarantainenet BV (for 29 months)
• Bearstech (for 21 months)
• LiHAS (for 20 months)
• People Doc (for 17 months)
• Catalyst IT Ltd (for 15 months)
• Supagro (for 10 months)
• Demarcq SAS (for 9 months)
• TrapX Security (for 6 months)
• NCC Group (for 3 months)

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

Raphaël Hertzog https://raphaelhertzog.com apt-get install debian-wizard

# docker version|grep Version Version: 18.03.1-ce Version: 18.03.1-ce # cat Dockerfile FROM alpine RUN addgroup service && adduser -S service -G service COPY --chown=root:root debug.sh /opt/debug.sh RUN chmod 544 /opt/debug.sh USER service ENTRYPOINT ["/opt/debug.sh"] # cat debug.sh #!/bin/sh ls -l /opt/debug.sh whoami # docker build -t foobar:latest .; docker run foobar Sending build context to Docker daemon 5.12kB [...] Sucessfully built 41c8b99a6371 Successfully tagged foobar:latest -r-xr--r-- 1 root root 37 Nov 14 22:42 /opt/debug.sh service # docker version|grep Version Version: 18.09.0 Version: 18.09.0 # docker run foobar standard_init_linux.go:190: exec user process caused "permission denied"

That changed with 18.06 and just uncovered some issues. I was, well let's say "surprised", that this ever worked at all. Other sets of perms like 0700 or 644 already failed with different error message on docker 18.03.1.

Sven Hoexter http://sven.stormbind.net/blog/ a blog