Agreguesi i feed

Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko focuses on the role that red teaming plays in a variety of institutions, ranging from the Department of Defense to cybersecurity. It’s an excellent book that describes the thought process behind red teaming, when red teaming is a success and when it can be a failure, and the way a red team can best fit into an organization and provide value. If you’re looking for a book that’s highly technical or focused entirely on information security engineering, this book may disappoint. There’s only a single chapter covering the application of red teaming in the information security space (particularly “vulnerability probes” as Zenko refers to many of the tests), but that doesn’t make the rest of the content any less useful – or interesting – to the Red Team practitioner.

Read more...

Since many of you reached out to me in the past weeks to find out if I was still travelling the world and how things were going, I thought I’d reconnect with the online world and write a blog post again.

After a bit more than a year, my sabbatical is coming to an end now. I had a lot of time to reflect, recharge batteries, be curious again, travel and make new experiences.

In December ’16 I fled the winter in Germany and went to Ecuador. Curiosity was my guidebook, I slowed down, let nature sink in, enjoyed the food and hospitality of the country, met many simply beautiful people along the way, learned some Spanish, went scuba diving with hammerhead sharks and manta rays, sat on top of mountains, hiked, listened to stories from village elders in Kichwa around the fire, went paragliding, camped in the jungle with Shuar people, befriended a macaw in a hippie village and got inspired by many long conversations.

As always when I’m travelling, my list of recommended next destinations grew and I could easily have gone on. After some weeks, I decided to get back to Berlin though and venture new paths there.

When I first got involved in Ubuntu, I was finishing my studies in Computer Sciences. Last March, thirteen years later, I felt the urge to study again. To open myself up to new challenges, learn entirely new skills, exercise different parts of the brain and make way for a possible new career path in the future. I felt quite uncertain, I wasn’t sure if I was crazy to attempt it,  but I was going to try. I went back to square one and started training as a psychotherapist. This was, and still is, an incredibly exciting step for me and has been a very rewarding experience so far.

I wasn’t just looking for a new intellectual exercise – I was also looking for a way to work more closely with people. Although it’s quite different from what I did up until now, this decision still was very consistent with my beliefs, passions and personality in general. Supporting another human being on their path, helping to bring out their potential and working out new perspectives together have always deeply attracted me.

I had the privilege of learning about and witnessing the work of great therapists, counsellors and trainers in seminars, workshops, books, talks and groups, so I had some guidance which supported me and I chose body psychotherapy as the method I wanted to learn. It is part of the humanistic psychotherapy movement and at its core are (among others) the following ideals:

• All people are inherently good.
• People are driven towards self-actualisation: development of creativity, free will, and positive human potential.
• It is based on present-tense experience as the main reference point.
• It encourages self-awareness and mindfulness.
• Wikipedia quotes an article, which describes the benefits as having a "crucial opportunity to lead our troubled culture back to its own healthy path. More than any other therapy, Humanistic-Existential therapy models democracy. It imposes ideologies of others upon the client less than other therapeutic practices. Freedom to choose is maximized."

If you know me just a little bit you can probably tell, that this all very much resonated with me. In a way, it’s what led me to the Ubuntu project in 2004 – there is a lot of “humanity towards others” and “I am what I am because of who we all are” in there.

Body psychotherapy was also specifically interesting to me, as it offers a very rich set of interventions and techniques, all experience-based and relying on the wisdom of our body. Furthermore it seeks to reconcile the body and mind split our culture so heavily promotes.

Since last March I immersed myself in this new world: took classes, read books, attended a congress and workshops and had quite a bit of self-experience. In November I took the required exams and became “Heilpraktiker für Psychotherapie”. The actual training in body psychotherapy I’m going to start this year in March. As this is going to take still several years, I’m not exactly sure when or how I will start working in this field. While it’s still quite some time off and right now only an option for some time in the future, I know that this process will encourage me to become more mindful, patient, empathic and a better listener, colleague, partner and friend.

Does this mean, I’m going to leave the tech world? No, absolutely not. My next steps in this domain I’m going to leave to another blog post though.

I feel very privileged having been able to take the time and embark on this adventure and add a new dimension to my coordinate system. All of this wouldn’t have been possible without close people around me who supported and encouraged me. I’m very grateful for this and feel quite lucky.

This has been a very exciting year, a very important experience and I’m very much looking forward to what’s yet to come.

In musicians circles, the Fractal Audio Systems Axe FX range of products has become one of the most highly regarded product lines. Aside from just being a neat product, what is interesting to me is the relationship they have built with their community and value they have created in the product via sustained software updates.

As a little background, the Axe FX and their other AX8/FX8 floor-board products, are hardware units that replicate in software the characteristics of an analog tube guitar amplifier and speaker cabinets. Now, for years there have been companies (e.g. Line6, IK Multimedia) trying to create a software replication of popular Marshall, Mesa Boogie, Ampeg, Peavey, Fender, and other amp tones, with the idea being that you can spend far less on the software and have a wide range of amps to choose from as well. This not only saves on physical space and dollars, but also simplifies recording these amps as you won’t need to plug in a physical microphone – you just play direct through the software. Sadly, the promise has been largely pretty disappointing. Most generally sound like fizzy, cheap knockoffs.

The Axe FX II

While this may be a little strange to grok for the non-musicians reading this, but there isn’t just a tonality assessment to determine if the amp simulator sounds like the real thing, but there is a feel element. Tube amps feel different to play. They have tonal characteristics that adjust as you dial in different settings, and one of the tricky elements for amp simulators to solve is that analog tubes adjust as you use them; the tone adjusts in subtle ways depending on what you play, how you play it, which power supply you are using, how you dial in the amp, and more.

The Axe FX changed much of this. While many saw it initially as just another amp simulator, it has evolved to a point where in A/B testing it is virtually indistinguishable from the amps it is modelling tonally, and the feel is very much there too. This is why bands such as Metallica, U2, Periphery, Steve Vai, and others carry them on tour with them: they can accomplish the same tonal and feel results without the big, unreliable, and complex-to-maintain tube amps.

Sustained Software Updates

The reason why this has been such a game changer is that Cliff Chase, founder of Fractal Audio Systems, has taken a borderline obsessive approach to detail in building this amp/speaker modelling and creating a small team to deliver it.

Cliff Chase, head honcho at Fractal Audio Systems (middle).

From a technology perspective, this is interesting for a few reasons.

Firstly, Fractal have been fairly open about how their technology has evolved. They published a whitepaper on their MIMIC technology and they have been fairly open about how this modelling technology has evolved. You can see the release notes, some further technical details, and a collection of technical posts by Cliff on the forum.

What I found particularly interesting here was Fractal have consistently delivered these improvements via repeated firmware updates out to existing devices. As an example, the MIMIC technology I mentioned above was a major breakthrough in their technology and really (no pun intended) amped up the simulation quality, but it was delivered as a free firmware update to existing hardware.

Now, many organizations would have seen such a technologically important and significant product iteration software update as an opportunity to either release a new hardware product or sell a new line of firmware at a cost. Fractal didn’t do this and have stuck to their philosophy that when you buy their hardware, it is “future proofed” with firmware updates for years to come.

This is true. As an example, the Axe FX II was released in May 2011 and has received 20+ firmware updates which have significantly improved the quality of the product.

In a technology culture where companies release new-feature software updates for a limited period of time (often 2 – 3 years) and then move firmly into maintenance/security updates for a stated “product life” (often 4 – 7 years), Fractal Audio Systems are bucking this trend significantly.

Community

This regular stream of firmware updates that bring additional value, not just security/compatibility fixes, is notable for a few reasons.

Firstly, it has significantly expanded the lifespan and market impact of these devices. Musicians and producers can be a curmudgeonly bunch, and it can take a while for a product to take hold. This is particularly true in a world where “purism” of the art of creating and producing music, and the purism of the tools you use would ordinarily reject any kind of simulated equipment. The Axe FX has become a staple in touring and production rigs because of it’s constant evolution and improvements.

Tones can be shaped using the Axe Edit desktop client.

Secondly, from a consumer perspective, there is something so satisfying about purchasing a hardware product that consistently improves. Psychologically, we are used to software evolving (in either good or bad directions), but hardware has more of a “cast in stone” psychological impression in many of us. We buy it, it provides a function, and we don’t expect it to change much. In the case of the Fractal Audio Systems hardware, it does change, and this provides that all important goal companies focus on: customer delight.

Thirdly, and most interestingly for me, Fractal Audio Systems have fostered a phenomenally devoted, positive, and supportive community. From a community strategy perspective, they have not done anything particularly special: they have a forum, a wiki, and members of the Fractal Audio Systems team post periodically in the forum. They have the usual social media accounts and they release videos on YouTube. This devotion in the community is not from any community engagement fakery…it is from (a) a solid product, and (b) a company who they feel isn’t bullshitting them.

This latter element, the bullshit factor, is key. When I work with my clients I always emphasize the importance of authenticity in the relationship between a company and their community of users/customers. This doesn’t mean pandering to the community and the critics, it means an honest exchange of ideas and discussion in which the company and the community/users can derive equal levels of value out of the relationship.

In my observation of the Fractal Audio Systems community, they have done just this. Cliff Chase, as the supreme leader at Fractal Audio Systems is revered in the community as a mastermind, a reputation that is rightly earned. He is an active participant with the community, sharing his input both on the musical use of his products as well as the technology that has gone into them. He isn’t a CEO who is propped up on conference stages or bouncing from journalist to journalist merely talking about vision, he is knee-deep, sleeves rolled fully-up, working on improvements that then get rolled out…freely…to an excitable community of users.

This puts the community in a valuable position. They become the logical feedback loop (again, no pun intended) for how well the products and firmware updates are working, and while the community can’t participate in improving the products directly (as they don’t have access to the code or in many cases, the skills to contribute) they get to see the fruits of their feedback in these firmware updates.

This serves two important benefits. Firstly, validation is an enormous force in what we do. Everyone, no matter who you are, needs validation of their input and ideas. When the community share feedback that is then validated by Cliff and co., and then rolled out in a freely available firmware update that benefits everyone, this is a deeply satisfying experience. Secondly, in many communities there is a suspicion about providing value (such as feedback or other technical contributions) to a company if only the company benefits from this (e.g. by selling a new product encompassing that feedback). Given that Fractal Audio Systems pushes out these updates freely, it largely eradicates that issue.

In Conclusion

Everything I have outlined here could be construed as a master plan on behalf of the folks at Fractal Audio Systems. I don’t think this is the case. I don’t believe that when Cliff Chase founded the company he layed all of this out as a grand plan for how to build community and customer engagement.

This goes back to purity. My guess is that Cliff and team just wanted to build a solid product that makes their customers happy and providing this regular stream of updates was the most obvious way to do it. It wouldn’t surprise me if they themselves were surprised by how much goodwill would be generated throughout this process.

This is all paving away to the next iteration of this journey, when the Axe FX III was announced last week. It provides significantly greater horsepower, undoubtedly to usher in the next era of improvements. This is a journey I will be following along with when I get an Axe FX III of my own in March.

The post Case Study: Building Product, Community, and, Sustainability at Fractal Audio Systems appeared first on Jono Bacon.

I think I found a bug in a Henry Dudeney book.

Dudeney was a really famous puzzle creator in Victorian/Edwardian times. For Americans: Sam Loyd was sort of an American knock-off of Dudeney, except that Loyd stole half his puzzles from other people and HD didn’t. Dudeney got so annoyed by this theft that he eventually ended up comparing Loyd to the Devil, which was tough talk in 1910.

Anyway, he wrote a number of puzzle books, and at least some are available on Project Gutenberg, so well done the PG people. If you like puzzles, maths or thinking sorts, then there are a few good collections (and there are nicer to read versions at the Internet Archive too). The Canterbury Puzzles is his most famous work, but I’ve been reading Amusements in Mathematics. In there he presents the following puzzle:

81.—THE NINE COUNTERS. 15879 ×23×46

I have nine counters, each bearing one of the nine digits, 1, 2, 3, 4, 5, 6, 7, 8 and 9. I arranged them on the table in two groups, as shown in the illustration, so as to form two multiplication sums, and found that both sums gave the same product. You will find that 158 multiplied by 23 is 3,634, and that 79 multiplied by 46 is also 3,634. Now, the puzzle I propose is to rearrange the counters so as to get as large a product as possible. What is the best way of placing them? Remember both groups must multiply to the same amount, and there must be three counters multiplied by two in one case, and two multiplied by two counters in the other, just as at present.

81. ANSWER

In this case a certain amount of mere “trial” is unavoidable. But there are two kinds of “trials”—those that are purely haphazard, and those that are methodical. The true puzzle lover is never satisfied with mere haphazard trials. The reader will find that by just reversing the figures in 23 and 46 (making the multipliers 32 and 64) both products will be 5,056. This is an improvement, but it is not the correct answer. We can get as large a product as 5,568 if we multiply 174 by 32 and 96 by 58, but this solution is not to be found without the exercise of some judgment and patience.

But, you know what? I don’t think he’s right. Now, I appreciate that he probably had to spend hours or days trying out possibilities with a piece of paper and a fountain pen, and I just wrote the following 15 lines of Python in five minutes, but hey, he didn’t have to bear with his government trying to ban encryption, so let’s call it even.

from itertools import permutations nums = [1,2,3,4,5,6,7,8,9] values = [] for p in permutations(nums, 9): one = p[0]*100 + p[1]*10 + p[2] two = p[3]*10 + p[4] three = p[5]*10 + p[6] four = p[7]*10 + p[8] if four > three: continue # or we'll see fg*hi and hi*fg as different if one*two == three*four: expression = "%s*%s = %s*%s = %s" % ( one, two, three, four, one*two) values.append((expression, one*two)) values.sort(key=lambda x:x[1]) print("Solution for 1-9") print("\n".join([x[0] for x in values]))

The key point here is this: the little programme above indeed recognises his proposed solutions (158*32 = 79*64 = 5056 and 174*32 = 96*58 = 5568) but it also finds two larger ones: 584*12 = 96*73 = 7008 and 532*14 = 98*76 = 7448. Did I miss something about the puzzle? Or am I actually in the rare position of finding an error in a Dudeney book? And all it took was seventy years of computer technology advancement to put me in that position. Maths, eh? Tch.

It’s an interesting book. There are lots of money puzzles, in which I have to carefully remember that ha’pennies and farthings are a thing (a farthing is a quarter of a penny), there are 12 pennies in a shilling, and twenty shillings in a pound. There’s some rather racist portrayals of comic-opera Chinese characters in a few of the puzzles. And my heart sank when I read a puzzle about husbands and wives crossing a river in a boat, where no man would permit his wife to be in the boat with another man without him, because I assumed that the solution would also say something like “and of course the women cannot be expected to row the boat”, and I was then pleasantly surprised to discover that this was not the case and indeed they were described as probably being capable oarswomen and it was likely their boat to begin with! Writings from another time. But still as good as any puzzle book today, if not better.

From Henry Dudeney's Amusements in Mathematics, published 1917. We did, Henry, mate. Cheers for the puzzle book. https://t.co/tt8JljBXN1 pic.twitter.com/MFamXHxJ05

— Stuart Langridge (@sil) 25 September 2017

I realised that it’s now a decade of KDE releasing its Plasma desktop.  The KDE 4 release event was in January 2008.  Google were kind enough to give us their office space and smoothies and hot tubs to give some talks and plan a way forward.

The KDE 4 release has gained something of a poor reputation, at the time we still shipped Kubuntu with KDE 3 and made a separate unsupported release for Plasma, but I remember it being perfectly useable and notable for being the foundation that would keep KDE software alive.  It had been clear for sometime that Kicker and the other elements of the KDE 3 desktop were functional but unlikely to gain much going forward.  When Qt 4 was announced back in (I’m pretty sure) 2004 Akademy in Ludwigsberg it was seen as a chance to bring KDE’s desktop back up to date and leap forward.  It took 4 long years and to keep community momentum going we had to release even if we did say it would eat your babies.

Kubuntu at KDE 4 release event

Somewhere along the way it felt like KDE’s desktop lost mindshare with major distros going with other desktops and the rise of lightweight desktops.  But KDE’s software always had the best technological underpinnings with Qt and then QtQuick plus the move to modularise kdelibs into many KDE Frameworks.

This week we released Plasma 5.12 LTS and what a fabulous reception we are getting.  The combination of simple and familiar by default but customisable and functional is making many people realise what an offering we now have with Plasma. When we tried Plasma on an ARM laptop recently we realised it used less memory then the “lightweight” Linux desktop that laptop used pre-installed.  Qt being optimised for embedded use means KDE’s offerings are fast whether you’re experimenting with Plasma Mobile or using it on the very latest KDE Slimbook II means it’ll run smooth and fast.

Some quotes from this week:

“Plasma, as tested on KDE neon specifically, is almost perfect” Ask Noah Show

“This is the real deal.. I’m going all in on this.. ” Linux Unplugged

“Become a Plasma Puppy”

Here’s @popey installing @KdeNeon at 30,000 feet. See how excited he looks. How did it turn out? pic.twitter.com/jWVrdR6kPp

— Martin Wimpress (@m_wimpress) February 4, 2018

Elite Ubuntu community spod Alan Pope tired to install KDE neon in aeroplane mode (fails because of a bug which we have since fixed, thanks for the poke).

Anyone up for a Plasma desktop challenge for the next week?

I’m installing @KdeNeon on all my systems for the next week: https://t.co/ya2tGeMQxu

Maybe some of you will try it along with me, and send me your updates as you go? Also here’s my current setup: pic.twitter.com/lVLf3x4l3U

— Chris Fisher (@ChrisLAS) February 4, 2018

Chris Fisher takes the Plasma Desktop Challenge, can’t wait to find out what he says next week.

On Reddit Plasma 5.12 post:

“KDE plasma is literally worlds ahead of anything I’ve ever seen. It’s one project where I felt I had to donate to let them know I loved it!”
“I’ve switched to Plasma a little over a year ago and have loved it ever since. I’m glad they’re working so hard on it!”
“Yay! Good to see Kickass Desktop Environment get an update!”

Or here’s a random IRC conversation I had today in a LUG channel

<yeehi> Riddell – I adore KDE now!
<yeehi> It is gobsmackingly beautiful
<yeehi> I put in the 12.0 LTS updates yesterday, maybe over a hundered packages, and all the time I was thinking, “Man, I just love those KDE developers!
<yeehi> It is such a pleasure to use and see. Also, I have been finding it to be my most stable GNU+Linux experience

So after a decade of hard work I’m definitely feeling the good vibes this week. Take the Plasma Challenge and be a Plasma Puppy! KDE Plasma is lightweight, functional and rocking your laptop.

 

 

by

Used by millions around the world, Slack is an enterprise software platform that allows teams and businesses of all sizes to communicate effectively. Slack works seamlessly with other software tools within a single integrated environment, providing an accessible archive of an organisation’s communications, information and projects. Although Slack has grown at a rapid rate in the 4 years since their inception, their desktop engineering team who work across Windows, MacOS and Linux consists of just 4 people currently. We spoke to Felix Rieseberg, Staff Software Engineer, who works on this team following the release of Slack’s first snap last month to discover more about the company’s attitude to the Linux community and why they decided to build a snap.

Install Slack snap

Can you tell us about the Slack snap which has been published?

We launched our first snap last month as a new way to distribute to our Linux community. In the enterprise space, we find that people tend to adopt new technology at a slower pace than consumers, so we will continue to offer a .deb package.

What level of interest do you see for Slack from the Linux community?

I’m excited that interest for Slack is growing across all platforms, so it is hard for us to say whether the interest coming out of the Linux community is different from the one we’re generally seeing. However, it is important for us to meet users wherever they do their work. We have a dedicated QA engineer focusing entirely on Linux and we really do try hard to deliver the best possible experience.

We generally find it is a little harder to build for Linux, than say Windows, as there is a less predictable base to work from – and this is an area where the Linux community truly shines. We have a fairly large number of users that are quite helpful when it comes to reporting bugs and hunting root causes down.

How did you find out about snaps?

Martin Wimpress at Canonical reached out to me and explained the concept of snaps. Honestly, initially I was hesitant – even though I use Ubuntu – because it seemed like another standard to build and maintain. However, once understanding the benefits I was convinced it was a worthwhile investment.

What was the appeal of snaps that made you decide to invest in them?

Without doubt, the biggest reason we decided to build the snap is the updating feature. We at Slack make heavy use of web technologies, which in turn allows us to offer a wide variety of features – like the integration of YouTube videos or Spotify playlists. Much like a browser, that means that we frequently need to update the application.

On macOS and Windows, we already had a dedicated auto-updater that doesn’t require the user to even think about updates. We have found that any sort of interruption, even for an update, is an annoyance that we’d like to avoid. Therefore, the automatic updates via snaps seemed far more seamless and easy.

How does building snaps compare to other forms of packaging you produce? How easy was it to integrate with your existing infrastructure and process?

As far as Linux is concerned, we have not tried other “new” packaging formats, but we’ll never say never. Snaps were an easy choice given that the majority of our Linux customers do use Ubuntu. The fact that snaps also run on other distributions was a decent bonus. I think it is really neat how Canonical is making snaps cross-distro rather than focusing on just Ubuntu.

Building it was surprisingly easy: We have one unified build process that creates installers and packages – and our snap creation simply takes the .deb package and churns out a snap. For other technologies, we sometimes had to build in-house tools to support our buildchain, but the `snapcraft` tool turned out to be just the right thing. The team at Canonical were incredibly helpful to push it through as we did experience a few problems along the way.

How do you see the store changing the way users find and install your software?

What is really unique about Slack is that people don’t just stumble upon it – they know about it from elsewhere and actively try to find it. Therefore, our levels of awareness are already high but having the snap available in the store, I hope, will make installation a lot easier for our users.

We always try to do the best for our users. The more convinced we become that it is better than other installation options, the more we will recommend the snap to our users.

What are your expectations or already seen savings by using snaps instead of having to package for other distros?

We expect the snap to offer more convenience for our users and ensure they enjoy using Slack more. From our side, the snap will save time on customer support as users won’t be stuck on previous versions which will naturally resolve a lot of issues. Having the snap is an additional bonus for us and something to build on, rather than displacing anything we already have.

What release channels (edge/beta/candidate/stable) in the store are you using or plan to use, if any?

We used the edge channel exclusively in the development to share with the team at Canonical. Slack for Linux as a whole is still in beta, but long-term, having the options for channels is interesting and being able to release versions to interested customers a little earlier will certainly be beneficial.

How do you think packaging your software as a snap helps your users? Did you get any feedback from them?

Installation and updating generally being easier will be the big benefit to our users. Long-term, the question is “Will users that installed the snap experience less problems than other customers?” I have a decent amount of hope that the built-in dependencies in snaps make it likely.

What advice or knowledge would you share with developers who are new to snaps?

I would recommend starting with the Debian package to build your snap – that was shockingly easy. It also starts the scope smaller to avoid being overwhelmed. It is a fairly small time investment and probably worth it. Also if you can, try to find someone at Canonical to work with – they have amazing engineers.

Where do you see the biggest opportunity for development?

We are taking it step by step currently – first get people on the snap, and build from there. People using it will already be more secure as they will benefit from the latest updates.

• To date, we've shaved the Bionic (18.04 LTS) minimal images down by over 53%, since Ubuntu 14.04 LTS, and trimmed nearly 100 packages and thousands of files.
• Feedback welcome here: https://ubu.one/imgSurvey

In last year's AskHN HackerNews post, "Ask HN: What do you want to see in Ubuntu 17.10?", and the subsequent treatment of the data, we noticed a recurring request for "lighter, smaller, more minimal" Ubuntu images.
This is particularly useful for container images (Docker, LXD, Kubernetes, etc.), embedded device environments, and anywhere a developer wants to bootstrap an Ubuntu system from the smallest possible starting point.  Smaller images generally:

• are subject to fewer security vulnerabilities and subsequent updates
• reduce overall network bandwidth consumption
• and require less on disk storage

First, a definition..."The Ubuntu Minimal Image is the smallest base upon which a user can apt install any package in the Ubuntu archive."By design, Ubuntu Minimal Images specifically lack the creature comforts, user interfaces and user design experience that have come to define the Ubuntu Desktop and Ubuntu Cloud images.
To date, we've shaved the Bionic (18.04 LTS) minimal images down by over 53%, since Ubuntu 14.04 LTS, and trimmed nearly 100 packages and thousands of files.

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that Security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.

Read more...

Earlier last year I announced last year that I was partnering up with the Linux Foundation to create the Open Community Conference as part of their Open Source Summit events in North America and Europe.

Well, the events happened, and it was (in my humble opinion) an enormous success. We had 120+ papers submitted to the North American event and 85+ papers submitted to the European event. From there I whittled it down to around 40 sessions for each event which resulted in some fantastic content and incredible discussions/networking.

Not only was I delighted with the eagerness of people to speak, but we also had a tremendously diverse range of people submitting from a range of genders, backgrounds, cultures, experience levels, and beyond. I was proud to see this, and I am similarly proud to see the fantastically diverse attendees we have at the Community Leadership Summit each year (note: CFP is open there too). So, thanks to everyone who submitted, and sorry we couldn’t squeeze you all in to speak.

A Name Change: Open Collaboration Conference

I am delighted to announce we are doing it all again, with one small change: the name.

As the event has evolved, I have wanted it to incorporate as many elements focused on people collaborating together. While one component of this is certainly people building communities, other elements such as governance, remote working, innersource, cultural development, and more fit under the banner of “collaboration”, but don’t necessarily fit under the traditional banner of “community”.

As such, we decided to change the name of the conference to the Open Collaboration Conference. I am confident this will then provide both a home to the community strategy and tactics content, as well as these other related areas. This way the entire event services as a comprehensive capsule for collaboration in technology.

Call For Papers

So, I wanted to let you all know the key details right now of how to get involved in the events. Firstly, when the events are (as part of the Open Source Summit):

• North America in Vancouver from 29th – 31st August 2018 – CFP link
• Europe in Edinburgh from 22nd – 24th October 2018 – CFP link

As usual, there is a deadline for the call for papers and they are:

• North America – 29th April 2018
• Europe – 1st July 2018

In terms of topics, I encourage you all submit papers that relate to:

• Open Source Metrics
• Incentivization and Engagement
• Software Development Methodologies and Platforms
• Building Internal Innersource Communities
• Remote Team Management and Methods
• Bug/Issue Management and Triage
• Communication Platforms and Methods
• Open Source Governance and Models
• Mentoring and Training
• Event Strategy
• Content Management and Social Media
• DevOps Culture
• Community Management
• Advocacy and Evangelism
• Government and Compliance

I look forward to seeing you submissions and seeing you there!

The post Open Collaboration Conference CFP Now Open appeared first on Jono Bacon.

You're on time for submit a conference, workshop, stand or podcast for the next Ubucon!!


Main room. With no edits ;) Just checking things in situ for April
We're working hard for the next Ubucon Europe 2018 and we would like to tell you the current status:

• Official webpage updated. 
• You have especial discounts for your travel in bus, train and hotel. More info here.
• The conferences will be for free. 
• Social event of Saturday: It will be a traditional espicha. If you are coming, you need to pay that dinner in advance as soon as possible, because there are limited places! More info here.
• You can follow the last news here: Telegram, Twitter, Google + & Facebook.
• We'll publish the complete schedule soon.

It has been a while since my last post about stress-ng so I thought it would be useful to provide an update on the changes since V0.08.09.

I have been focusing on making stress-ng more portable so it can build with various versions of clang and gcc as well as run against a wide range of kernels.   The portability shims and config detection added to stress-ng allow it to build and run on a wide range of Linux systems, as well as GNU/HURD, Minix, Debian kFreeBSD, various BSD systems, OpenIndiana and OS X.

Enabling stress-ng to work on a wide range of architectures and kernels with a range of compiler versions has helped me to find and fix various corner case bugs.  Also, static analysis with a various set of tools has helped to drive up the code quality. As ever, I thoroughly recommend using static analysis tools on any project to find bugs.

Since V0.08.09 I've added the following stressors:

• inode-flags  - (using the FS_IOC_GETFLAGS/FS_IOC_SETFLAGS ioctl, see ioctl_iflags(2) for more details.
• sockdiag - exercise the Linux sock_diag netlink socket diagnostics
• branch - exercise branch prediction
• swap - exercise adding and removing variously sized swap partitions
• ioport - exercise I/O port read/writes to try and cause CPU I/O bus delays
• hrtimers - high resolution timer stressor
• physpage - exercise the lookup of a physical page address and page count of a virtual page
• mmapaddr - mmap pages to randomly unused VM addresses and exercise mincore and segfault handling
• funccall - exercise function calling with a range of function arguments types and sizes, for benchmarking stack/CPU/cache and compiler.
• tree - BSD tree (red/black and splay) stressor, good for exercising memory/cache
• rawdev - exercise raw block device I/O reads
• revio - reverse file offset random writes, causes lots of fragmentation and hence many file extents
• mmap-fixed - stress fixed address mmaps, with a wide range of VM addresses
• enosys - exercise a wide range of random system call numbers that are not wired up, hence generating ENOSYS errors
• sigpipe - stress SIGPIPE signal generation and handling
• vm-addr - exercise a wide range of VM addresses for fixed address mmaps with thorough address bit patterns stressing

Stress-ng has nearly 200 stressors and many of these have various stress methods than can be selected to perform specific stress testing.  These are all documented in the manual.  I've also updated the stress-ng project page with various links to academic papers and presentations that have used stress-ng in various ways to stress computer systems.  It is useful to find out how stress-ng is being used so that I can shape this tool in the future.

As ever, patches for fixes and improvements are always appreciated.  Keep on stressing!

This Snapcraft Summit is coming to an end. We had five days full of hard and fun work, together with many friends from many other projects that are part of our ecosystem.

It was amazing to see the kind of collaboration that snapcraft brings to the Linux world. The engineering, advocacy, desktop and design teams of snapcraft spent every day working next to developers from Microsoft, Skype, Slack, Electron, CircleCI, Plex and ROSHub on improving the experience to deliver their applications continuously, in a way that fits perfectly into their release process and that will make their users feel secure and confident. It was great to see the mix of languages, cultures and operating systems, all working together to solve this common delivery problem, now with a tool that is very open and welcoming, and that evolves quickly as new applications bring new requirements.

We are making packaging a problem of the past, so developers can just focus on the exciting part of the job: writing features. This week ended with a lot of improvements to get us there. Sergio was supposed to summarize what happened on Thursday, but has instead been hard at work preparing those improvements to be released in snapcraft 2.39, coming to an automatic update near you early next week. So we’ll excuse him, and I’ll summarize the things that happened on these last two days.

Kyle is in the middle of a deployment provider for Travis, that will make it super simple to release applications to the Snap Store for projects already using Travis for their CI. He also vastly improved the way we generate the snapcraft docker images. He also worked on a super-secret, soon-to-be released snap, more good news coming soon!

Leo started experimenting with a new language: typescript, with a new snap that was a nice proof of concept: tslint. He met with members of other teams at Canonical to make a big improvement on the testing infrastructure for snapcraft itself, focusing on tests that will run on Mac and Windows. Finally, he started a call for testing to get more people from the community exploring the features of 2.39 before the stable release.

Martin and Alan have been non-stop working with all the special guests of this summit, testing the early builds, offering advice on ways to improve the packaging, integrating the release of the snap into their pipelines, and removing unnecessary parts of the snaps to make them smaller. They were also constantly seen using an audio chat to talk to each other, despite being at the same table. Expect a new and shiny release to the mumble snap!

James has been working on the much expected feature to let users give access to individual files/directories, instead of granting the applications full access to your home. He’s also doing an amazing job at reducing the amount of time that it will take snapcraft to generate a fully self-contained application. That is work in progress, so something to look forward for the 2.40 release, later in the month.

Sergio, as mentioned before, worked on the 2.39 release. Get it on Linux with sudo snap install snapcraft –candidate, or on Mac with brew install snapcraft.

And now is time for us to celebrate. Cheers for a bright year full of snaps!

Go is a programming language and is available in most Linux distributions. Sometime Go is preinstalled, other times we need to install ourselves, or we need to update the existing version to a newer version. Go in Ubuntu 16.04 Ubuntu 16.04 comes with Go version 1.6. The package name is golang (same as their website …

Continue reading

Background: LXD is a hypervisor that manages machine containers on Linux distributions. You install LXD on your Linux distribution and then you can launch machine containers into your distribution running all sort of (other) Linux distributions. You have installed the LXD snap and you are happy using it. However, you are developing LXD and you …

Continue reading

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

While I continue to manage the administrative side of Debian LTS, I’m taking a break of the technical work (i.e. preparing and releasing security updates). The hope is that it will help me focus more on my book which (still) needs to be updated for stretch. In truth, this did not happen in January but I hope to do better in the upcoming months.

Salsa and related

The switch to salsa.debian.org is a major event in our community. Last month I started with the QA team and the distro-tracker repository as an experiment. This month I took this opportunity to bring to fruition a merge between the pkg-security team and the forensics team that I already proposed in the past and that we postponed because it was deemed busy work for no gains. Now that both teams had to migrate anyway, it was easier to migrate everything at once under a single project.

All our repositories are now managed under the same team in salsa: https://salsa.debian.org/pkg-security-team/ But for the mailing list we are still waiting for the new list to be created on lists.debian.org (#888136).

As part of this work, I contributed some fixes to the scripts maintained by Mehdi Dogguy. I also filed a wishlist request for a new script to make it easy to share repositories with the Debian group.

With the expected demise of alioth mailing lists, there’s some interest in getting the Debian package tracker to host the official maintainer email. As the central hub for most emails related to packages, it seems natural indeed. We made some progress lately on making it possible to use @packages.debian.org emails (with the downside of receiving duplicate emails currently) but that’s not an really an option when you maintain many packages and want to see them grouped under the same maintainer email. Furthermore it doesn’t allow for automatic association of a package to its maintainer team. So I implemented a team+slug@tracker.debian.org email that works for each team registered on the package tracker and that will automatically associate the package to its team. The email is just a black hole for now (not really a problem as most automatic emails are already received through another email) but I expect to forward non-automatic mails to team members to make it useful as a way to discuss between team members.

The package tracker also learned to recognize commit mails generated by GitLab and it will now forward them to the source package whose name is matching the name of the GitLab project that generated them (see #886114).

Misc Debian stuff

Distro Tracker. I got my two first merge requests which I reviewed and merged. One adds native HTML support to toggle action items (i.e. without javascript on recent browsers) and the other improves some of the messages shown by the vcswatch integration. In #886450, we discussed how to better filter build failure mails sent by the build daemons. New headers have been added.

Bug reports and patches. I forwarded and/or got moving a couple of bugs that we encountered in Kali (glibc: new data brought to #820826, raspi3-firmware: #887062, glibc: tracking down #886506 to a glibc regression affecting busybox, gr-fcdproplus: #888853 new watch file, gjs: upstream bug #33). I also needed a new feature in live-build so I filed #888507 which I implemented almost immediately (but released only in Kali because it’s not documented yet and can possibly be improved a bit further).

While doing my yearly accounting, I opened an issue on tryton and pushed a fix after approval. While running unit tests on distro-tracker, I got an unexpected warning that seems to be caused by virtualenv (see upstream issue #1120).

Debian Packaging. I uploaded zim 0.68~rc1-1 to experimental.

Thanks

See you next month for a new summary of my activities.

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

Below is an email that has been distributed to the FSFE community today. FSFE aims to be an open organization and people are welcome to discuss it through the main discussion group (join, thread and reply) whether you are a member or not.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site. The "No Cloud" stickers and the Public Money Public Code campaign are examples of initiatives started by FSFE - you can request free stickers and posters by filling in this form.

Dear FSFE Community,

I'm writing to you today as one of your elected fellowship representatives rather than to convey my own views, which you may have already encountered in my blog or mailing list discussions.

The recent meeting of the General Assembly (GA) decided that the annual elections will be abolished but this change has not yet been ratified in the constitution.

Personally, I support an overhaul of FSFE's democratic processes and the bulk of the reasons for this change are quite valid. One of the reasons proposed for the change, the suggestion that the election was a popularity contest, is an argument I don't agree with: the same argument could be used to abolish elections anywhere.

One point that came up in discussions about the elections is that people don't need to wait for the elections to be considered for GA membership. Matthias Kirschner, our president, has emphasized this to me personally as well, he looks at each new request with an open mind and forwards it to all of the GA for discussion. According to our constitution, anybody can write to the president at any time and request to join the GA. In practice, the president and the existing GA members will probably need to have seen some of your activities in one of the FSFE teams or local groups before accepting you as a member. I want to encourage people to become familiar with the GA membership process and discuss it within their teams and local groups and think about whether you or anybody you know may be a good candidate.

According to the minutes of the last GA meeting, several new members were already accepted this way in the last year. It is particularly important for the organization to increase diversity in the GA at this time.

The response rate for the last fellowship election was lower than in previous years and there is also concern that emails don't reach everybody thanks to spam filters or the Google Promotions tab (if you use gmail). If you had problems receiving emails about the last election, please consider sharing that feedback on the discussion list.

Understanding where the organization will go beyond the extinction of the fellowship representative is critical. The Identity review process, championed by Jonas Oberg and Kristi Progri, is actively looking at these questions. Please contact Kristi if you wish to participate and look out for updates about this process in emails and Planet FSFE. Kristi will be at FOSDEM this weekend if you want to speak to her personally.

I'll be at FOSDEM this weekend and would welcome the opportunity to meet with you personally. I will be visiting many different parts of FOSDEM at different times, including the FSFE booth, the Debian booth, the real-time lounge (K-building) and the Real-Time Communications (RTC) dev-room on Sunday, where I'm giving a talk. Many other members of the FSFE community will also be present, if you don't know where to start, simply come to the FSFE booth. The next European event I visit after FOSDEM will potentially be OSCAL in Tirana, it is in May and I would highly recommend this event for anybody who doesn't regularly travel to events outside their own region.

Changing the world begins with the change we make ourselves. If you only do one thing for free software this year and you are not sure what it is going to be, then I would recommend this: visit an event that you never visited before, in a city or country you never visited before. It doesn't necessarily have to be a free software or IT event. In 2017 I attended OSCAL in Tirana and the Digital-Born Media Carnival in Kotor for the first time. You can ask FSFE to send you some free stickers and posters (online request with optional donation) to give to the new friends you meet on your travels. Change starts with each of us doing something new or different and I hope our paths may cross in one of these places.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site.

Please feel free to discuss this through the FSFE discussion group (join, thread and reply)

Daniel.Pocock https://danielpocock.com/tags/debian DanielPocock.com - debian

Below is an email that has been distributed to the FSFE community today. FSFE aims to be an open organization and people are welcome to discuss it through the main discussion group (join, thread and reply) whether you are a member or not.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site. The "No Cloud" stickers and the Public Money Public Code campaign are examples of initiatives started by FSFE - you can request free stickers and posters by filling in this form.

Dear FSFE Community,

I'm writing to you today as one of your elected fellowship representatives rather than to convey my own views, which you may have already encountered in my blog or mailing list discussions.

The recent meeting of the General Assembly (GA) decided that the annual elections will be abolished but this change has not yet been ratified in the constitution.

Personally, I support an overhaul of FSFE's democratic processes and the bulk of the reasons for this change are quite valid. One of the reasons proposed for the change, the suggestion that the election was a popularity contest, is an argument I don't agree with: the same argument could be used to abolish elections anywhere.

One point that came up in discussions about the elections is that people don't need to wait for the elections to be considered for GA membership. Matthias Kirschner, our president, has emphasized this to me personally as well, he looks at each new request with an open mind and forwards it to all of the GA for discussion. According to our constitution, anybody can write to the president at any time and request to join the GA. In practice, the president and the existing GA members will probably need to have seen some of your activities in one of the FSFE teams or local groups before accepting you as a member. I want to encourage people to become familiar with the GA membership process and discuss it within their teams and local groups and think about whether you or anybody you know may be a good candidate.

According to the minutes of the last GA meeting, several new members were already accepted this way in the last year. It is particularly important for the organization to increase diversity in the GA at this time.

The response rate for the last fellowship election was lower than in previous years and there is also concern that emails don't reach everybody thanks to spam filters or the Google Promotions tab (if you use gmail). If you had problems receiving emails about the last election, please consider sharing that feedback on the discussion list.

Understanding where the organization will go beyond the extinction of the fellowship representative is critical. The Identity review process, championed by Jonas Oberg and Kristi Progri, is actively looking at these questions. Please contact Kristi if you wish to participate and look out for updates about this process in emails and Planet FSFE. Kristi will be at FOSDEM this weekend if you want to speak to her personally.

I'll be at FOSDEM this weekend and would welcome the opportunity to meet with you personally. I will be visiting many different parts of FOSDEM at different times, including the FSFE booth, the Debian booth, the real-time lounge (K-building) and the Real-Time Communications (RTC) dev-room on Sunday, where I'm giving a talk. Many other members of the FSFE community will also be present, if you don't know where to start, simply come to the FSFE booth. The next European event I visit after FOSDEM will potentially be OSCAL in Tirana, it is in May and I would highly recommend this event for anybody who doesn't regularly travel to events outside their own region.

Changing the world begins with the change we make ourselves. If you only do one thing for free software this year and you are not sure what it is going to be, then I would recommend this: visit an event that you never visited before, in a city or country you never visited before. It doesn't necessarily have to be a free software or IT event. In 2017 I attended OSCAL in Tirana and the Digital-Born Media Carnival in Kotor for the first time. You can ask FSFE to send you some free stickers and posters (online request with optional donation) to give to the new friends you meet on your travels. Change starts with each of us doing something new or different and I hope our paths may cross in one of these places.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site.

Please feel free to discuss this through the FSFE discussion group (join, thread and reply)

Changes

• whohas: related software
• codespell: typos
• foxtrotgps: switch from GConf to GSettings
• spelling dictionaries:
  • codespell: accapt(ed), consifer(ed), defered, timout, unncessary, bumpded, certificat, acount(s), perference(s), temproary, lenghtening, tranport, invalide, ACII
  • lintian: accapt(ed), consifer(ed), unncessary, bumpded, certificat, acount(s), perference(s), temproary, lenghtening, tranport, invalide, ACII
• Debian Planets: update Apertis logo
• Debian fakeupstream: support Python __version__ in files in commits (1, 2)
• Debian derivatives census: git for Planet Debian
• Debian puppet: wafer referrers
• Debian portfolio: add salsa
• Debian security tracker: https, normalise CVE identifiers, redmine RCE, CVE-2017-9801 NFU status, CVE-2018-1294 fixed, CVE-2017-7516 patch
• Debian testing migration: drop dupe excuse
• Debian package uploads: purple-discord, harmony (0.2.2-1 0.2.2-2), librecaptcha (0.2.0-1 0.2.0-2)
• Debian wiki config: salsa
• Debian wiki pages: BIOS, BSP, (2018/03/al/Tirana), DebianDay (2018), DebianEvents/be/2018/FOSDEM, DebianLogo, Derivatives (FrontDesk, Integration), DesktopEnvironment (1 2), DeveloperNews, Firmware (Updates (1 2)), gsoc, GSoC, ia64, InstallingDebianOn (Acer/Spin1, SolidRun (CuBox, CuBox-i)), JigdoOnLive, LTS/Development, PaulWise/InterestingSoftware, PressCoverage (2018), RISC-V, Salsa/FAQ, Sprints, SummerOfCode (2018/Projects/FreedomBoxContainer), Teams (ReleaseTeam/ReleaseCheckList, Treasurer/Organizations, WindowMaker), X32Port, Year
• File Formats wiki pages: Dalvik_Executable
• Wikipedia: List_of_version_control_software (all reverted: 1 2 3)

Issues

• Crashes in apt, evolution, Xwayland, gnome-shell (1 2), GNOME gitlab, nautilus, torbrowser-launcher
• False positives in duck
• Incompatibility in gnome-shell-extension-show-ip
• Incorrect glyph in VL Gothic
• Liberation of the OmniGraffle format
• Features in tracker.debian.org, adequate, lintian (1 2 3 4), debian-dad, needrestart (1 2), harmony (1 2), diffoscope (1 2 3)
• New versions of youtube-dl
• Code issues in ncdu
• Cruft in kytos-utils
• Missing symbols in libsnmp30, libhpmud0, libmpx2, libparted-fs-resize0
• List formatting in mblaze
• Intents to package purple-discord, harmony, librecaptcha

Review

• Spam: reported 2 LWN comments 8 Debian bug reports and 229 Debian mailing list posts
• Debian packages: reviewed urlwatch, minidb and sponsored streamlink (1 2)
• Debian wiki: RecentChanges for the month
• Debian screenshots:
  • approved animals blender breeze-icon-theme ember firefox-locale-hu fontypython formiko geeqie iraf kde-standard klystrack leafnode libreoffice libreoffice-math mate-applet-brisk-menu mricron papirus-icon-theme photofilmstrip psk31lx putty python3-pyraf python-link-grammar qt5ct rma speedpad xtide xtide-coastline
  • rejected tuxpaint (just a dot), cinnamon (probably non-free imagery), tipp10 (not on Debian), xinit/default-jdk (other software), faenza-icon-theme/herculesstudio (upstream screenshots), xtide-data-nonfree (package from non-free)
  • approved deletion of pegsolitaire (wrong package)
  • rejected deletion of gkamus/budgie-keyboard-autoswitch-applet (spam reason), tellico (non-understandable reason)

Administration

• Debian: try to regain OOB access to a host, try to connect with a hoster, restart bacula after db restart, provide some details to a hoster, add debsnap to snapshot host, debug external email issue, redirect users to support channels
• Debian mentors: redirect to sponsors, teach someone about dput .upload files, check why a package disappeared
• Debian wiki: unblacklist IP address, whitelist email addresses, whitelist email domain, investigate DocBook output crash

Communication

• Initiate discussion about ingestion of more security issue feeds
• Invite LinuxCNC to the Debian derivatives census

Sponsors

I renewed my support of Software Freedom Conservancy.

The Discord related uploads (harmony, librecaptcha, purple-discord) and the Debian fakeupstream change were sponsored by my employer. All other work was done on a volunteer basis.

Paul Wise http://bonedaddy.net/pabs3/log/ Log

Here is my monthly update covering what I have been doing in the free software world in January 2018 (previous month):

• Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
  • Only include the output of debc if less than 500 lines to prevent issues with log truncation. [...]
  • Add support for TRAVIS_DEBIAN_LINTIAN. [...]
• Submitted a pull request for the Promise JS framework to make the build reproducible. [...]
• Submitted a number of pull requests to ffs, a set of filesystem API helpers for Python:
  • Initial support for Windows. [...]
  • Pass genuine str instances to os.path.abspath, not our wrapper class. [...]
  • Explicitly pass str instances to shutil methods. [...]
  • Correct a "treat" typo. [...]
  • Correct reference to getwd(). [...]
• Suggested improvements to Turtlecoin, a private and fast cryptocurrency:
  • Prevent potential output truncation issue when formatting. [...]
  • Avoid (eg.) logical 'or' of equal expressions warnings with GCC 7. [...]
  • Be explicit about a conditional with misleading indentation. [...]
  • Add explicit fallthrough statements to silence warnings with GCC 7. [...]
• Updated the Opal web framework for building usable healthcare applications:
  • Fix Windows testsuite and main management comments. [...]
  • Get the testsuite working under Windows. [...]
  • Add ghetto --failfast support to runtests.py. [...]
  • Ensure runtests.py does nott exit with return code of zero if we have a multiple of 256 errors. [...]
• Created a pull request for the RediSearch search engine module for Redis to fix a -Wformat error for the "long unsigned int type. [...]
• Filed a PR against openSUSE's hardware information tool to ensure the CDBISDN_DATE variable ignores timezone in order to make the build reproducible. [...]
• Submitted a pull request to python-stdnum, A Python library to provide functions to handle, parse and validate standard numbers to not rely on stable set ordering to ensure a reproducible build. [...]
• Even more hacking on the Lintian static analysis tool for Debian packages:
  • New features:
    • Check for files under debian/patches that are not mentioned in any series file. (#887817)
    • Check for upstream tarballs that ship examples but none are installed in any binary package. (#539326)
    • Ask maintainers to add a header to debian/copyright if their package is in contrib or non-free. (#773562)
    • Check for override_dh_auto_test targets that do not check DEB_BUILD_OPTIONS. (#712394)
    • Add support for passing .buildinfo files to Lintian. (#853274)
    • Check for inconsistencies between Files and Checksums- sections in .changes files. (#658542)
    • Check for packages that with dependencies on packages such as cdbs or debhelper. (#700953)
    • Warn about packages that specify a Files-Excluded header without a valid Format header. (#745743)
    • Check for .jar files that do not match the Debian Java policy. (#791552)
    • Emit a pedantic warning for packages using dpatch. (#884500)
    • When looking for the source of subdir/foo/bar.min.js, also check src/foo/bar.js etc. (#832027)
    • Check for packages that mention planned features in their description. (#782990)
    • Improve the description-synopsis-might-not-be-phrased-properly tag also detect multiple sentences. (#778427)
    • Warn about Multi-Arch: same packages that ship arch-specific overrides. (#787469)
    • Add a warning for comaintained packages not managed in a revision control system. (#884497)
    • Warn when a "Files: *" DEP-5 paragraph exists but isn't the first paragraph. (#879235)
    • Detect "backports" as an overly generic Python module name. (#888559)
    • Allow debian/missing-sources/foo.js directories to represent the source for foo.js. (#836771)
    • Add a check for packages that specify dh --with quilt whilst not using the 3.0 (quilt) source format. (#886566)
    • Warn about warn packages that use dh_systemd_* overrides whilst using debhelper level 11. (#887899)
    • Emit a warning about documentation packages that end with -docs. (#664520)
    • Emit an error if packages ship files in /etc/skel. (#887120)
    • Detect overly-compressed xz packages. (#829100)
    • Warn about packages that ship Python modules but are missing dependencies on an interpreter. (#887083)
    • Ensure Name Services Switch modules are placed in the admin section. (#886961)
    • Warn about insecure DEP-5 Format: URIs. (#886930)
    • Check for packages that should specify Rules-Require-Root. (#886479)
    • Emit pedantic warnings for packages that refer to a non-Git VCSs hosted in the Debian infrastructure. (#885974)
    • Change ancient-standards-version policy to "a release of Policy from the previous stable release cycle". (#886219)
    • Warn for packages that ship (non-reproducible) Python Hypothesis examples. (#886101)
    • Warn about orphaned packages not maintained in the Debian infrastucture. (#886057)
    • Warn about packages that ship (eg.) test_foo.py files in the global Python module namespace. [...]
  • Bug fixes:
    • Don't emit new-package-should-not-package-python2-module if the maintainer can justify its inclusion. [...]
    • Avoid false positives in spelling-error-in-description where the repetition is part of an acronym expansion. (#883719)
    • Ignore Rust .rs files in extra-license-file. (#887715)
    • Support the latest binutils when parsing ELF files as this was causing a testsuite failure. (#888456)
    • When checking for a Python 3 variant of a Python package, consider any package that declares a binary dependency on ${python3:Depends}. (#886303)
    • Fix issue where bad-section-in-changes-file, file-size-mismatch-in-changes-file and checksum-mismatch-in-changes-file were not being checked. [...]
    • Don't emit license-problem-php-license when the source comes from pecl.php.net. (#810780)
    • Avoid false positives and remove an existing (incorrect) test for apparent brace expansions in config files that do not include a comma. (#888304)
    • Avoid a false positive for spelling-error-in-binary that was causing a FTBFS on armhf. (#888074)
    • Avoid false positives for missing-notice-file-for-apache-license by looking for files with a .txt extension. (#886343)
    • Avoid false-positives when checking Windows PE files. (#886555)
    • Ensure xfonts-foo are recognised as part of the x11 section to match the definition on packages.debian.org. (#878609)
    • Fix Use of uninitialized value in string ne warnings. (#887428)
    • Only run files-multiarch-foreign-files test on amd64. (#886163)
    • Don't warn about unknown template type entropy when a package depends on cdebconf. (#677870)
    • Ignore TeX \section titles when checking for GFDL licenses. (#863384)
    • Only test for packages shipping gschemas.compiled files in specified dirs. (#884142)
    • Fix a programming error in the src-orig-index collection script. (#886586)
    • Ensure bugs-field-does-not-refer-to-debian-infrastructure can be overridden by not emitting them for -dbgsym packages. (#886426)
    • Don't warn about extra license files installed via Sphinx. (#885968)
    • Don't warn about django-package-does-not-depend-on-django for -doc packages, etc. [...]
    • Skip Objective-C libraries for no-symbols-control-file. (#749202)
    • Install files-multiarch-foreign-files tests to a multi-arch directory on all architectures. (#886163)
    • Skip comment lines when matching autotools-pkg-config-macro-not-cross-compilation-safe. (#886297)
    • Identify both python-foo-dbg and python3-foo-dbg as known debug packages. (#886271)
  • Output/reporting improvements:
    • Make previously-hidden package anchor links visible. [...]
    • Include the offending context and line when emitting brace-expansion-in-debhelper-config-file. [...]
    • Include the date the Standards-Version was released in output of ancient-standards-version and out-of-date-standards-version. [...]
    • Include the value in the output of debian-rules-should-not-use-DH_EXTRA_ADDONS. [...]
    • Append the URI in the output of vcs-deprecated-in-debian-infrastructure. [...]
    • Include offending package name in new-package-should-not-package-python2-module output. [...]
    • Include Bugs field value in the output of bugs-field-does-not-refer-to-debian-infrastructure. [...]
    • Add more context to xz-compression-level-too-high output. [...]
  • Severities:
    • Upgrade the severity of missing-debian-source-format from wishlist to normal. (#702671)
    • Downgrade extra-license-file (#740118), dependency-on-python-version-marked-for-end-of-life (#886259), wrong-section-according-to-package-name (#883772) & newer-standards-version (#886210).
  • Documentation:
    • Clarify paragraph ordering matters in the description for unused-file-paragraph-in-dep5-copyright. (#762261)
    • Remark that new-package-should-not-package-python2-module's appearance on lintian.debian.org can be ignored. (#887124)
    • Also mention Recommends and Suggests in the opening paragraph of python-script-but-no-python-dep. (#687141)
    • Add missing initials in debian/copyright. (#831729)
  • Misc:
    • Rename debian-watch-does-not-check-gpg-signature to avoid confusion around "may check". (#735040)
    • Bump arch-dep-package-has-big-usr-share thresholds. (#648755)

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

• Presented at linux.conf.au on diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
• Filed upstream pull requests for python-stdnum, PromiseJS & hwinfo.
• In Debian:
  • Kept isdebianreproducibleyet.com up to date. [...]
  • Added a Lintian check for packages that ship (non-reproducible) Python Hypothesis examples. (#886101)
  • Added another Lintian check to warn about packages that override dh_fixperms without calling dh_fixperms as this makes the build vary depending on the current umask(2). (#885910)
  • I also submitted 21 patches to fix specific reproducibility issues in clanlib, dtkwm, fox1.6, hwinfo, klystrack, kopano-webapp, libmsv, librsvg, mcl, mdds, mstflint, node-deflate-js, node-jquery, node-promise, normaliz, python-hpack, python-pysnmp4, python-stdnum, texlive-extra, todoman & zorp.
• Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
• Worked on publishing our weekly reports. (#140, #142 #143 & #144)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

• New features:
  • Compare JSON files using the jsondiff module. (#888112)
  • Report differences in extended file attributes when comparing files. (#888401)
  • Show extended filesystem metadata when directly comparing two files not just when we specify two directories. (#888402)
  • Do some fuzzy parsing to detect JSON files not named .json. [...]
• Bug fixes:
  • Return unknown if we can't parse the readelf version number for (eg.) FreeBSD. (#886963)
  • If the LLVM disassembler does not work, try the internal one. (#886736)
• Misc:
  • Explicitly depend on e2fsprogs. (#887180)
  • Clarify Unidentified file log message as we did try and lookup via the comparators first. [...]

I also fixed an issue in the "trydiffoscope" command-line client that was preventing installation on non-Debian systems (#888882).

disorderfs

disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.

• Correct "explicitly" typo in disorderfs.1.txt. [...]
• Bump Standards-Version to 4.1.3. [...]
• Drop trailing whitespace in debian/control. [...]

Debian

My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.

In addition to this, I:

• Published whydoesaptnotusehttps.com, an overview of why APT does not rely solely on SSL for validation of downloaded packages as I noticed it was being asked a lot on support forums.
• Reported a number of issues for the mentors.debian.net review service.

Patches contributed

• dput: Suggest --force if package has already been uploaded. (#886829)
• linux: Add link to the Firmware page on the wiki to failed to load log messages. (#888405)
• markdown: Make markdown exit with a non-zero exit code if cannot open input file. (#886032)
• spectre-meltdown-checker: Return a sensible exit code. (#887077)

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

• Initial draft of a script to automatically detect when CVEs should be assigned to multiple source packages in the case of legacy renames, duplicates or embedded code copies.
• Issued DLA 1228-1 for the poppler PDF library to fix an overflow vulnerability.
• Issued DLA 1229-1 for imagemagick correcting two potential denial-of-service attacks.
• Issued DLA 1233-1 for gifsicle — a command-line tool for manipulating GIF images — to fix a use-after-free vulnerability.
• Issued DLA 1234-1 to fix multiple integer overflows in the GTK gdk-pixbuf graphics library.
• Issued DLA 1247-1 for rsync, fixing a command-injection vulnerability.
• Issued DLA 1248-1 for libgd2 to prevent a potential infinite loop caused by signedness confusion.
• Issued DLA 1249-1 for smarty3 fixing an arbitrary code execution vulnerability.
• "Frontdesk" duties, triaging CVEs, etc.

Uploads

• adminer (4.5.0-1) — New upstream release.
• bfs (1.2-1) — New upstream release.
• dbus-cpp (5.0.0+18.04.20171031-1) — Initial upload to Debian.
• installation-birthday (7) — Add e2fsprogfs to Depends so it can drop Essential: yes. (#887275
• process-cpp:
  • 3.0.1-1 — Initial upload to Debian.
  • 3.0.1-2 — Fix FTBFS due to symbol versioning.
• python-django (1:1.11.9-1 & 2:2.0.1-1) — New upstream releases.
• python-gflags (1.5.1-4) — Always use SOURCE_DATE_EPOCH from the environment.
• redis:
  • 5:4.0.6-3 — Use --clients argument to runtest to force single-threaded operation over using taskset.
  • 5:4.0.6-4 — Re-add procps to Build-Depends. (#887075)
  • 5:4.0.6-5 — Fix a dangling symlink (and thus a broken package). (#884321)
  • 5:4.0.7-1 — New upstream release.
• redisearch (1.0.3-1, 1.0.4-1 & 1.0.5-1) — New upstream releases.
• trydiffoscope (67.0.0) — New upstream release.

I also sponsored the following uploads:

• check-manifest (0.36-1)
• dict-devil (1.0-13)
• nose2 (0.7.3-2)
• pytest-httpbin (0.3.0-1)
• python-blessed (1.14.2-3)
• twodict (1.2-1)

Debian bugs filed

• gdebi: Invalid gnome-mime-application-x-deb icon in AppStream metadata. (#887056)
• git-buildpackage: Please make gbp clone not quieten the output by default. (#886992)
• git-buildpackage: Please word-wrap generated changelog lines. (#887055)
• isort: Don't install test_isort.py to global Python namespace. (#887816)
• restrictedpython: Please add Homepage. (#888759)
• xcal: Missing patches due to 00List != 00list. (#888542)

I also filed 4 bugs against packages missing patches due to incomplete quilt conversions against cernlib geant321, mclibs & paw.

RC bugs

• gnome-shell-extension-tilix-shortcut: Invalid date in debian/changelog. (#886950)
• python-qrencode: Missing PIL dependencies due to use of Python 2 substvars in Python 3 package. (#887811)

I also filed 7 FTBFS bugs against lintian, netsniff-ng, node-coveralls, node-macaddress, node-timed-out, python-pyocr & sleepyhead.

FTP Team

As a Debian FTP assistant I ACCEPTed 173 packages: appmenu-gtk-module, atlas-cpp, canid, check-manifest, cider, citation-style-language-locales, citation-style-language-styles, cloudkitty, coreapi, coreschema, cypari2, dablin, dconf, debian-dad, deepin-icon-theme, dh-dlang, django-js-reverse, flask-security, fpylll, gcc-8, gcc-8-cross, gdbm, gitlint, gnome-tweaks, gnupg-pkcs11-scd, gnustep-back, golang-github-juju-ansiterm, golang-github-juju-httprequest, golang-github-juju-schema, golang-github-juju-testing, golang-github-juju-webbrowser, golang-github-posener-complete, golang-gopkg-juju-environschema.v1, golang-gopkg-macaroon-bakery.v2, golang-gopkg-macaroon.v2, harmony, hellfire, hoel, iem-plugin-suite, ignore-me, itypes, json-tricks, jstimezonedetect.js, libcdio, libfuture-asyncawait-perl, libgig, libjs-cssrelpreload, liblxi, libmail-box-imap4-perl, libmail-box-pop3-perl, libmail-message-perl, libmatekbd, libmoosex-traitfor-meta-class-betteranonclassnames-perl, libmoosex-util-perl, libpath-iter-perl, libplacebo, librecaptcha, libsyntax-keyword-try-perl, libt3highlight, libt3key, libt3widget, libtree-r-perl, liburcu, linux, mali-midgard-driver, mate-panel, memleax, movit, mpfr4, mstch, multitime, mwclient, network-manager-fortisslvpn, node-babel-preset-airbnb, node-babel-preset-env, node-boxen, node-browserslist, node-caniuse-lite, node-cli-boxes, node-clone-deep, node-d3-axis, node-d3-brush, node-d3-dsv, node-d3-force, node-d3-hierarchy, node-d3-request, node-d3-scale, node-d3-transition, node-d3-zoom, node-fbjs, node-fetch, node-grunt-webpack, node-gulp-flatten, node-gulp-rename, node-handlebars, node-ip, node-is-npm, node-isomorphic-fetch, node-js-beautify, node-js-cookie, node-jschardet, node-json-buffer, node-json3, node-latest-version, node-npm-bundled, node-plugin-error, node-postcss, node-postcss-value-parser, node-preact, node-prop-types, node-qw, node-sellside-emitter, node-stream-to-observable, node-strict-uri-encode, node-vue-template-compiler, ntl, olivetti-mode, org-mode-doc, otb, othman, papirus-icon-theme, pgq-node, php7.2, piu-piu, prometheus-sql-exporter, py-radix, pyparted, pytest-salt, pytest-tempdir, python-backports.tempfile, python-backports.weakref, python-certbot, python-certbot-apache, python-certbot-nginx, python-cloudkittyclient, python-josepy, python-jsondiff, python-magic, python-nose-random, python-pygerrit2, python-static3, r-cran-broom, r-cran-cli, r-cran-dbplyr, r-cran-devtools, r-cran-dt, r-cran-ggvis, r-cran-git2r, r-cran-pillar, r-cran-plotly, r-cran-psych, r-cran-rhandsontable, r-cran-rlist, r-cran-shinydashboard, r-cran-utf8, r-cran-whisker, r-cran-wordcloud, recoll, restrictedpython, rkt, rtklib, ruby-handlebars-assets, sasmodels, spectre-meltdown-checker, sphinx-gallery, stepic, tilde, togl, ums2net, vala-panel, vprerex, wafw00f & wireguard.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files against: fpylll, gnome-tweaks, org-mode-doc & py-radix.

Chris Lamb https://chris-lamb.co.uk/blog/category/planet-debian lamby: Items or syndication on Planet Debian.