
Planet Debian



Planet Debian - http://planet.debian.org/



 



Norbert Preining: Kobo firmware 4.6.9995 mega update (KSM, nickel patch, ssh, fonts)

Wed, 18 Oct 2017 00:54:15 +0000

It has been ages that I haven’t updated the MegaUpdate package for Kobo. Now that a new and seemingly rather bug-free and quick firmware release (4.6.9995) has been released, I finally took the time to update the whole package to the latest releases of all the included items. The update includes all my favorite patches and features: Kobo Start Menu, koreader, coolreader, pbchess, ssh access, custom dictionaries, and some side-loaded fonts.

So what are all these items:

- firmware (thread): the basic software of the device, shipped by Kobo company
- Metazoa firmware patches (thread): fix some layout options and functionalities, see below for details.
- Kobo Start Menu (V08, update 5b thread): a menu that pops up before the reading software (nickel) starts, which allows to start alternative readers (like koreader) etc.
- KOreader (koreader-nightly-20171004, thread): an alternative document reader that supports epub, azw, pdf, djvu and many more
- pbchess and CoolReader (2017.10.14, thread): a chess program and another alternative reader, bundled together with several other games
- kobohack (web site): I only use the ssh server
- ssh access (old post): makes a full computer from your device by allowing you to log into it via ssh
- custom dictionaries (thread): this fix updates dictionaries from the folder customdicts to the Kobo dictionary folder. For creating your own Japanese-English dictionary, see this blog entry
- side-loaded fonts: GentiumBasic and GentiumBookBasic, Verdana, DroidSerif, and Charter-eInk

Install procedure

Download

Mark6 – Kobo GloHD
- firmware: Kobo 4.6.9995 for GloHD
- Mega update: Kobo-4.6.9995-combined/Mark6/KoboRoot.tgz

Mark5 – Aura
- firmware: Kobo 4.6.9995 for Aura
- Mega update: Kobo-4.6.9995-combined/Mark5/KoboRoot.tgz

Mark4 – Kobo Glo, Aura HD
- firmware: Kobo 4.6.9995 for Glo and AuraHD
- Mega update: Kobo-4.6.9995-combined/Mark4/KoboRoot.tgz

Latest firmware

Warning: Sideloading or crossloading the incorrect firmware can break/brick your device. The link below is for Kobo GloHD ONLY.

The first step is to update the Kobo to the latest firmware. This can easily be done by just getting the latest firmware from the links above and unpacking the zip file into the .kobo directory on your device. Eject and enjoy the updating procedure.

Mega update

Get the combined KoboRoot.tgz for your device from the links above and put it into the .kobo directory, then eject and enjoy the updating procedure again.

After this the device should reboot and you will be kicked into KSM, from where after some time of waiting Nickel will be started. If you consider the fonts too small, select Configure, then the General, and add item, then select kobomenuFontsize=55 and save.

Remarks to some of the items included

The full list of included things is above, here are only some notes about what specific I have done.

Metazoa firmware patches

Included patches from the Metazoa firmware patches:

- Custom left & right margins
- Fix three KePub fullScreenReading bugs
- Change dicthtml strings to micthtml
- Default ePub monospace font (Courier)
- Custom reading footer style
- Dictionary pop-up frame size increase
- Increase The Cover Size In Library
- Increasing The View Details Container
- New home screen increasing cover size
- Reading stats/Author name cut when the series is showing bug fix
- New home screen subtitle custom font
- Custom font to Collection and Authors names

If you need/want different patches, you need to do the patching yourself.

kobohack-h

Kobohack (latest version 20150110) originally provided updated libraries and optimizations, but unfortunately it is now completely outdated and using it is not recommended for the library part. I only include the ssh server (dropbear) so that connections to the Kobo via ssh.

ssh fixes

See the detailed instructions here, the necessary files are already included in the mega upload. It updates the /etc/inittab to run also /etc/init.d/rcS2, and this one again starts the inetd server and run user supplied commands in /mnt/onboard/run.sh which is where your documents are.

Custom dictionaries

The necessary dir[...]



Sune Vuorela: KDE still makes Qt

Tue, 17 Oct 2017 20:21:28 +0000


A couple of years ago, I made a blog post, KDE makes Qt, with data about which percentage of Qt contributions came from people starting in KDE. Basically, how many Qt contributions are made by people who used KDE as a “gateway” drug into it.

I have now updated the graphs with data until the end of September 2017:

(image)

Many of these changes are made by people not directly as a result of their KDE work, but as a result of their paid work. But this doesn’t change the fact that KDE is an important project for attracting contributors to Qt, and a very good place to find experienced Qt developers.




Reproducible builds folks: Reproducible Builds: Weekly report #129

Tue, 17 Oct 2017 19:29:02 +0000

Here's what happened in the Reproducible Builds effort between Sunday October 8 and Saturday October 14 2017:

Upcoming events

- On Saturday 21st October, Holger Levsen will present at All Systems Go! in Berlin, Germany on reproducible builds.
- On Tuesday 24th October, Chris Lamb will present at All Things Open 2017 in Raleigh, NC, USA on reproducible builds.
- On Wednesday 25th October, Holger Levsen will present at the Open Source Summit Europe in Prague, Czech Republic on reproducible builds.
- From October 31st - November 2nd we will be holding the 3rd Reproducible Builds summit in Berlin. If you are working in the field of reproducible builds, you should totally be there. Please contact us if you have any questions! Quoting from the public invitation mail:

    These dates are inclusive, ie. the summit will be 3 full days from "9 to 5".
    Best arrive on Monday October 30th and leave on the evening of Thursday, 3rd
    at the earliest.

    Meeting content
    ===============

    The exact content of the meeting is going to be shaped by the participants,
    but here are the main goals:

    - Update & exchange about the status of reproducible builds in various
      projects.
    - Establish spaces for more strategic and long-term thinking than is possible
      in virtual channels.
    - Improve collaboration both between and inside projects.
    - Expand the scope and reach of reproducible builds to more projects.
    - Brainstorming / Designing several things, eg:
      - designing tools enabling end-users to get the most benefits from
        reproducible builds.
      - design of back-ends needed for that.
    - Work together and hack on solutions.

    There will be a huge variety of topics to be discussed. To give a few
    examples:

    - continuing design and development work on .buildinfo infrastructure
    - build-path issues everywhere
    - future directions for diffoscope, reprotest & strip-nondeterminism
    - reproducing signed artifacts such as RPMs
    - discussing formats and tools we can share
    - sharing proposals for standards and documentation helpful to spreading the
      reproducible effort
    - and many many more.

    Please think about what you want discuss, brainstorm & learn about at this
    meeting!

    Schedule
    ========

    Preliminary schedule for the three days:

     9:00 Welcome and breakfast
     9:30 Meeting starts
    12:30 Lunch
    17:00 End of the official schedule

    Gunner and Beatrice from Aspiration will help running the meeting. We will
    collect your input in subsequent emails to make the best of everyone's time.
    Feel free to start thinking about what you want to achieve there. We will also
    adjust topics as the meeting goes.

    Please note that we are very likely to spend large parts of the meeting away
    from laptops and closer to post-it notes. So make sure you've answered any
    critical emails *before* Tuesday morning! :)

Reproducible work in other projects

Pierre Pronchery reported that he has built the foundations for doing more reproducibility work in NetBSD.

Packages fixed

Upstream bugs and patches:

- Bernhard M. Wiedemann:
  - qutim used RANDOM which is unpredictable and unreproducible.
  - dpdk used locale-dependent sort.

Reproducibility non-maintainer uploads in Debian:

- Chris Lamb:
  - mailfront for bugs #777431 & #847020.
  - plib-doc for bugs #778971 & #557676.
  - ipsvd for bugs #777417 & #846890.
- Holger Levsen
  - keyutils for bug #828681.

QA fixes in Debian:

- Adrian Bunk:
  - #878329 filed against sonic-visualiser.
  - #878333 filed against tree-puzzle.

Reviews of unreproducible packages

6 package reviews have been added, 30 have been updated and 37 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

- Adrian Bunk (40)
- Eric Valette (1)
- Markus Koschany (1)

diffoscope development

- Ximin Luo:
  - Containers: diff the metadata of containers in one central location in the code, so that deep-diff works between all combinations of different container types. This lets us finally clos[...]



Jonathan Dowland: Electric Dreams

Tue, 17 Oct 2017 11:33:56 +0000


No spoilers, for those who have yet to watch it...

Channel 4 have been broadcasting a new 10-part series called Electric Dreams, based on some of the short fiction of Philip K Dick. The series was commissioned after Channel 4 lost Black Mirror to Netflix, perhaps to try and find something tonally similar. Electric Dreams is executive-produced by Bryan Cranston, who also stars in one of the episodes yet to broadcast.

I've read all of PKD's short fiction[1] but it was a long time ago so I have mostly forgotten the stories upon which the series is based. I've quite enjoyed going back and re-reading them after watching the corresponding episodes to see what changes they've made. In some cases the changes are subtle or complementary, in other cases they've whittled the original story right out and installed a new one inside the shell. A companion compilation has been published with just the relevant short stories in it, and from what I've seen browsing it in a book shop it also contains short introductions which might be worth a read.

Things started strong with The Hood Maker, which my wife also enjoyed, although she was disappointed to realise we wouldn't be revisiting those characters in the future. The world-building was strong enough that it seemed like a waste for a single episode.

My favourite episode of those broadcast so far was The Commuter, starring Timothy Spall. The changes made were complementary and immensely expanded the emotional range of the story. In some ways, a key aspect of the original story was completely inverted, which I found quite funny: my original take on Dick's story was Dick implying a particular outcome was horrific, whereas it becomes desirable in the TV episode.

(image)

Episode 4, Crazy Diamond

One of the stories most hollowed-out was Sales Pitch which was the basis for Tony Grisoni’s episode Crazy Diamond, starring Steve Buscemi and Sidse Babett Knudsen. Buscemi was good but Knudsen totally stole every frame she was in. Fans of the cancelled Channel 4 show Utopia should enjoy this one: both were directed by Marc Munden and the directing, photography and colour balance really recall it.

The last episode broadcast was Real Life directed by Ronald D Moore of Battlestar Galactica reboot fame and starring Anna Paquin. Like Sales Pitch it bears very little resemblance to the original story. It played around with similar ideas explored in a lot of Sci-Fi movies and TV shows but left me a little flat; I didn't think it contributed much that I hadn't seen before. I was disappointed that there was a relatively conclusive ending. There was a subversive humour in the Dick short that was completely lost in the retelling. The world design seemed pretty generic.

I'm looking forward to Autofac, which is one of the shorts I can remember particularly enjoying.


  1. as collected in the 5 volumes of The Collected Stories of Philip K Dick, although I don't doubt there are some stragglers that were missed out when that series was compiled.




Russ Allbery: Bundle haul

Tue, 17 Oct 2017 05:38:00 +0000

Confession time: I started making these posts (eons ago) because a close friend did as well, and I enjoyed reading them. But the main reason why I continue is because the primary way I have to keep track of the books I've bought and avoid duplicates is, well, grep on these posts.

I should come up with a non-bullshit way of doing this, but time to do more elegant things is in short supply, and, well, it's my blog. So I'm boring all of you who read this in various places with my internal bookkeeping. I do try to at least add a bit of commentary.

This one will be more tedious than most since it includes five separate Humble Bundles, which increases the volume a lot. (I just realized I'd forgotten to record those purchases from the past several months.)

First, the individual books I bought directly:

- Ilona Andrews — Sweep in Peace (sff)
- Ilona Andrews — One Fell Sweep (sff)
- Steven Brust — Vallista (sff)
- Nicky Drayden — The Prey of Gods (sff)
- Meg Elison — The Book of the Unnamed Midwife (sff)
- Pat Green — Night Moves (nonfiction)
- Ann Leckie — Provenance (sff)
- Seanan McGuire — Once Broken Faith (sff)
- Seanan McGuire — The Brightest Fell (sff)
- K. Arsenault Rivera — The Tiger's Daughter (sff)
- Matthew Walker — Why We Sleep (nonfiction)

Some new books by favorite authors, a few new releases I heard good things about, and two (Night Moves and Why We Sleep) from references in on-line articles that impressed me.

The books from security bundles (this is mostly work reading, assuming I'll get to any of it), including a blockchain bundle:

- Wil Allsop — Unauthorised Access (nonfiction)
- Ross Anderson — Security Engineering (nonfiction)
- Chris Anley, et al. — The Shellcoder's Handbook (nonfiction)
- Conrad Barsky & Chris Wilmer — Bitcoin for the Befuddled (nonfiction)
- Imran Bashir — Mastering Blockchain (nonfiction)
- Richard Bejtlich — The Practice of Network Security (nonfiction)
- Kariappa Bheemaiah — The Blockchain Alternative (nonfiction)
- Violet Blue — Smart Girl's Guide to Privacy (nonfiction)
- Richard Caetano — Learning Bitcoin (nonfiction)
- Nick Cano — Game Hacking (nonfiction)
- Bruce Dang, et al. — Practical Reverse Engineering (nonfiction)
- Chris Dannen — Introducing Ethereum and Solidity (nonfiction)
- Daniel Drescher — Blockchain Basics (nonfiction)
- Chris Eagle — The IDA Pro Book, 2nd Edition (nonfiction)
- Nikolay Elenkov — Android Security Internals (nonfiction)
- Jon Erickson — Hacking, 2nd Edition (nonfiction)
- Pedro Franco — Understanding Bitcoin (nonfiction)
- Christopher Hadnagy — Social Engineering (nonfiction)
- Peter N.M. Hansteen — The Book of PF (nonfiction)
- Brian Kelly — The Bitcoin Big Bang (nonfiction)
- David Kennedy, et al. — Metasploit (nonfiction)
- Manul Laphroaig (ed.) — PoC || GTFO (nonfiction)
- Michael Hale Ligh, et al. — The Art of Memory Forensics (nonfiction)
- Michael Hale Ligh, et al. — Malware Analyst's Cookbook (nonfiction)
- Michael W. Lucas — Absolute OpenBSD, 2nd Edition (nonfiction)
- Bruce Nikkel — Practical Forensic Imaging (nonfiction)
- Sean-Philip Oriyano — CEHv9 (nonfiction)
- Kevin D. Mitnick — The Art of Deception (nonfiction)
- Narayan Prusty — Building Blockchain Projects (nonfiction)
- Prypto — Bitcoin for Dummies (nonfiction)
- Chris Sanders — Practical Packet Analysis, 3rd Edition (nonfiction)
- Bruce Schneier — Applied Cryptography (nonfiction)
- Adam Shostack — Threat Modeling (nonfiction)
- Craig Smith — The Car Hacker's Handbook (nonfiction)
- Dafydd Stuttard & Marcus Pinto — The Web Application Hacker's Handbook (nonfiction)
- Albert Szmigielski — Bitcoin Essentials (nonfiction)
- David Thiel — iOS Application Security (nonfiction)
- Georgia Weidman — Penetration Testing (nonfiction)

Finally, the two SF bundles:

- Buzz Aldrin & John Barnes — Encounter with Tiber (sff)
- Poul Anderson — Orion Shall Rise (sff)
- Greg Bear — The Forge of God (sff)
- Octavia E. Butler — Dawn (sff)
- William C. [...]



Norbert Preining: Japanese TeX User Meeting 2017

Tue, 17 Oct 2017 05:22:48 +0000

Last Saturday the Japanese TeX User Meeting took place in Fujisawa, Kanagawa. For those who have been at the TUG 2013 in Tokyo you will remember that the Japanese TeX community is quite big and vibrant. On Saturday about 50 users and developers gathered for a set of talks on a variety of topics.

The first talk was by Keiichiro Shikano (鹿野 桂一郎) on using Markup text to generate (La)TeX and HTML. He presented a variety of markup formats, including his own tool xml2tex.

The second talk was by Masamichi Hosoda (細田 真道) on reducing the size of PDF files using PDFmark extraction. As a contributor to many projects including Texinfo and LilyPond, Masamichi Hosoda tells us horror stories about multiple font embedding in the manual of LilyPond, the permanent need for adaption to newer Ghostscript versions, and the very recent development in Ghostscript prohibiting the merge of font definitions in PDF files.

Next up was Yusuke Terada (寺田 侑祐) on grading exams using TeX. Working through hundreds and hundreds of exams and do the grading is something many of us are used to and I think nobody really enjoys it. Yusuke Terada has combined various tools, including scans, pdf merging using pdfpages, to generate gradable PDF which were then checked on an iPad. On the way he did hit some limits in dvipdfmx on the number of images, but this was obviously only a small bump on the road. Now if that could be automatized as a nice application, it would be a big hit I guess!

The fourth talk was by Satoshi Yamashita (山下 哲) on the preparation of slides using KETpic. KETpic is a long running project by Setsuo Takato (高遠節夫) for the generation of graphics, in particular using Cinderella. KETpic and KETcindy integrates with lots of algebraic and statistical programs (R, Maxima, SciLab, …) and has a long history of development. Currently there are activities to incorporate it into TeX Live.

The fifth talk was by Takuto Asakura (朝倉 卓人) on programming TeX using expl3, the main building block of the LaTeX3 project and already adopted by many TeX developers. Takuto Asakura came to fame on this year's TUG/BachoTeX 2017 when he won the W. J. Martin Prize for his presentation Implementing bioinformatics algorithms in TeX. I think we can expect great new developments from Takuto!

The last talk was by myself on fmtutil and updmap, two of the main management programs in any TeX installation, presenting the changes introduced over the last year, including the most recent release of TeX Live. Details have been posted on my blog, and a lengthy article in TUGboat 38:2, 2017 is available on this topic, too.

After the conference about half of the participants joined a social dinner in a nearby Izakaya, followed by an after-dinner beer tasting at a local craft beer place. Thanks to Tatsuyoshi Hamada for the organization.

As usual, the Japanese TeX User Meetings are a great opportunity to discuss new features and make new friends. I am always grateful to be part of this very nice community! I am looking forward to the next year’s meeting. [...]



François Marier: Checking Your Passwords Against the Have I Been Pwned List

Tue, 17 Oct 2017 05:10:20 +0000

Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

While the list released by HIBP is hashed, the plaintext passwords are out there and one should assume that password crackers have access to them. So if you use a password on that list, you can be fairly confident that it's very easy to guess or crack your password.

I wanted to check my active passwords against that list to check whether or not any of them are compromised and should be changed immediately. This meant that I needed to download the list and do these lookups locally since it's not a good idea to send your current passwords to this third-party service.

I put my tool up on Launchpad / PyPI and you are more than welcome to give it a go. Install Postgres and Psycopg2 and then follow the README instructions to setup your database.
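
The local lookup described in this post, as an added example that is not the author's tool (which stores the list in Postgres): it binary-searches a hash list on disk so no password or hash leaves the machine. It assumes the downloaded list is a text file of uppercase SHA-1 hex digests, one per line and sorted; the function names, file layout and sample passwords are constructed for illustration.

```python
import hashlib
import os
import tempfile

DIGEST_LEN = 40  # hex characters in one SHA-1 digest


def sha1_hex(password):
    """Uppercase SHA-1 hex digest of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_list(passwords, newline="\n"):
    """Write a constructed, sorted hash list to a temp file; return its path."""
    digests = sorted(sha1_hex(p) for p in passwords)
    fd, path = tempfile.mkstemp(suffix=".txt")
    # newline="" stops Python translating the terminator we write.
    with os.fdopen(fd, "w", newline="") as fh:
        for digest in digests:
            fh.write(digest + newline)
    return path


def is_listed(path, password):
    """Binary-search the sorted, fixed-width hash file for the digest.

    Only a handful of 40-byte reads are needed even for a list with
    hundreds of millions of entries, so nothing is loaded into memory.
    """
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as fh:
        first = fh.readline()
        if not first:
            return False  # empty list
        if len(first.rstrip(b"\r\n")) != DIGEST_LEN:
            raise ValueError("expected one 40-character hex digest per line")
        reclen = len(first)  # digest plus its line terminator (\n or \r\n)
        size = os.fstat(fh.fileno()).st_size
        count = -(-size // reclen)  # ceiling: last line may lack a terminator
        lo, hi = 0, count
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * reclen)
            digest = fh.read(DIGEST_LEN).upper()
            if digest == target:
                return True
            if digest < target:
                lo = mid + 1
            else:
                hi = mid
    return False


def audit(path, credentials):
    """Return the labels (never the passwords) whose password is on the list."""
    return sorted(label for label, pw in credentials.items()
                  if is_listed(path, pw))


if __name__ == "__main__":
    # Constructed sample data: a tiny stand-in for the downloaded list.
    sample = build_sample_list(["password", "123456", "qwerty", "letmein"])
    try:
        mine = {"mail": "letmein", "bank": "g7#Vq!x2-constructed-example"}
        print("change these:", audit(sample, mine))
    finally:
        os.remove(sample)
```
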




Gustavo Noronha Silva: Who knew we still had low-hanging fruits?

Mon, 16 Oct 2017 18:23:45 +0000

Earlier this month I had the pleasure of attending the Web Engines Hackfest, hosted by Igalia at their offices in A Coruña, and also sponsored by my employer, Collabora, Google and Mozilla. It has grown a lot and we had many new people this year.

Fun fact: I am one of the 3 or 4 people who have attended all of the editions of the hackfest since its inception in 2009, when it was called WebKitGTK+ hackfest \o/

It was a great get together where I met many friends and made some new ones. Had plenty of discussions, mainly with Antonio Gomes and Google’s Robert Kroeger, about the way forward for Chromium on Wayland.

We had the opportunity of explaining how we at Collabora cooperated with igalians to implement and optimise a Wayland nested compositor for WebKit2 to share buffers between processes in an efficient way even on broken drivers. Most of the discussions and some of the work that led to this was done in previous hackfests, by the way!

The idea seems to have been mostly welcomed, the only concern being that Wayland’s interfaces would need to be tested for security (fuzzed). So we may end up going that same route with Chromium for allowing process separation between the UI and GPU (being renamed Viz, currently) processes.

On another note, and going back to the title of the post, at Collabora we have recently adopted Mattermost to replace our internal IRC server. Many Collaborans have decided to use Mattermost through an Epiphany Web Application or through a simple Python application that just shows a GTK+ window wrapping a WebKitGTK+ WebView.

Some people noticed that when the connection was lost Mattermost would take a very long time to notice and reconnect – its web sockets were taking a long, long time to timeout, according to our colleague Andrew Shadura.

I did some quick searching on the codebase and noticed WebCore has a NetworkStateNotifier interface that it uses to get notified when connection changes. That was not implemented for WebKitGTK+, so it was likely what caused stuff to linger when a connection hiccup happened. Given we have GNetworkMonitor, implementation of the missing interfaces required only 3 lines of actual code (plus the necessary boilerplate)!

I was surprised to still find such a low-hanging fruit in WebKitGTK+, so I decided to look for more. Turns out WebCore also has a notifier for low power situations, which was implemented only by the iOS port, and causes the engine to throttle some timers and avoid some expensive checks it would do in normal situations. This required a few more lines to implement using upower-glib, but not that many either!

That was the fun I had during the hackfest in terms of coding. Mostly I had fun just lurking in break out sessions discussing the past, present and future of tech such as WebRTC, Servo, Rust, WebKit, Chromium, WebVR, and more. I also beat a few challengers in Street Fighter 2, as usual.

I’d like to say thanks to Collabora, Igalia, Google, and Mozilla for sponsoring and attending the hackfest. Thanks to Igalia for hosting and to Collabora for sponsoring my attendance along with two other Collaborans. It was a great hackfest and I’m looking forward to the next one! See you in 2018 =) [...]



Yves-Alexis Perez: OpenPGP smartcard transition (part 1.5)

Mon, 16 Oct 2017 15:32:01 +0000


Following the news about the ROCA vulnerability (weak key generation in Infineon-based smartcards, more info here and here) I can confirm that the Almex smartcard I mentioned on my last post (which are Infineon based) are indeed vulnerable.

I've contacted Almex to have more details, but if you were interested in buying that smartcard, you might want to refrain for now.

It does *not* affect keys generated off-card and later injected (the process I use myself).

 




Iain R. Learmonth: No more no surprises

Mon, 16 Oct 2017 08:00:00 +0000


Debian has generally always had, as a rule, “sane defaults” and “no surprises”. This was completely shattered for me when Vim decided to hijack the mouse from my terminal and break all copy/paste functionality. This has occurred since the release of Debian 9.

I expect for my terminal to behave consistently, and this is broken every time I log in to a Debian 9 system where I have not configured Vim to disable this functionality. I also see I’m not alone in this frustration.

To fix this, in your .vimrc:

if !has("gui_running")
  set mouse=
endif

(This will check to see if you're using GVim or similar, where it would be reasonable to expect the mouse to work.)

This is perhaps not aggressive enough though. I never want to have console applications trying to use the mouse. I’ve configured rxvt to do things like open URLs in Firefox, etc. that I always want to work, and I always want my local clipboard to be used so I can copy/paste between remote machines.

I’ve found a small patch that would appear to disable mouse reporting for rxvt, but unfortunately I cannot do this through an Xresources option. If someone is looking for something to do for Hacktoberfest, I’d love to see this be an option for rxvt without re-compiling:

diff --git a/src/rxvt.h b/src/rxvt.h
index 5c7cf66..2751ba3 100644
--- a/src/rxvt.h
+++ b/src/rxvt.h
@@ -646,7 +646,7 @@ enum {
 #define PrivMode_ExtMouseRight  (1UL<<24) // xterm pseudo-utf-8, but works in non-utf-8-locales
 #define PrivMode_BlinkingCursor (1UL<<25)
 
-#define PrivMode_mouse_report   (PrivMode_MouseX10|PrivMode_MouseX11|PrivMode_MouseBtnEvent|PrivMode_MouseAnyEvent)
+#define PrivMode_mouse_report   0 /* (PrivMode_MouseX10|PrivMode_MouseX11|PrivMode_MouseBtnEvent|PrivMode_MouseAnyEvent) */
 
 #ifdef ALLOW_132_MODE
 # define PrivMode_Default (PrivMode_Autowrap|PrivMode_ShiftKeys|PrivMode_VisibleCursor|PrivMode_132OK)
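
Review bot: The changed #define PrivMode_mouse_report line hard-codes the mask to 0, so mouse reporting is switched off for every user of the build and the real mask survives only inside a comment. Since the stated goal is an option that works without re-compiling, keep the original mask as the definition and gate its use on a runtime resource, or as a stopgap wrap the zero definition in a compile-time #ifdef in the style of the ALLOW_132_MODE block just below, rather than redefining the macro outright. The new /* ... */ comment also sits beside // comments in the surrounding lines, so pick one style.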



Russ Allbery: Free software log (September 2017)

Mon, 16 Oct 2017 04:47:00 +0000

I said that I was going to start writing these regularly, so I'm going to stick to it, even when the results are rather underwhelming. One of the goals is to make the time for more free software work, and I do better at doing things that I record.

The only piece of free software work for September was that I made rra-c-util compile cleanly with the Clang static analyzer. This was fairly tedious work that mostly involved unconfusing the compiler or converting (semi-intentional) crashes into explicit asserts, but it unblocks using the Clang static analyzer as part of the automated test suite of my other projects that are downstream of rra-c-util.

One of the semantic changes I made was that the vector utilities in rra-c-util (which maintain a resizable array of strings) now always allocate room for at least one string pointer. This wastes a small amount of memory for empty vectors that are never used, but ensures that the strings struct member is always valid. This isn't, strictly speaking, a correctness fix, since all the checks were correct, but after some thought, I decided that humans might have the same problem that the static analyzer had. It's a lot easier to reason about a field that's never NULL. Similarly, the replacement function for a missing reallocarray now does an allocation of size 1 if given a size of 0, just to avoid edge case behavior. (I'm sure the behavior of a realloc with size 0 is defined somewhere in the C standard, but if I have to look it up, I'd rather not make a human reason about it.)

I started on, but didn't finish, making rra-c-util compile without Clang warnings (at least for a chosen set of warnings). By far the hardest problem here are the Clang warnings for comparisons between unsigned and signed integers. In theory, I like this warning, since it's the cause of a lot of very obscure bugs. In practice, gah does C ever do this all over the place, and it's incredibly painful to avoid. (One of the biggest offenders is write, which returns a ssize_t that you almost always want to compare against a size_t.) I did a bunch of mechanical work, but I now have a lot of bits of code like:

    if (status < 0)
        return;
    written = (size_t) status;
    if (written < avail)
        buffer->left += written;

which is ugly and unsatisfying. And I also have a ton of casts, such as with:

    buffer_resize(buffer, (size_t) st.st_size + used);

since st.st_size is an off_t, which may be signed. This is all deeply unsatisfying and ugly, and I think it makes the code moderately harder to read, but I do think the warning will potentially catch bugs and even security issues.

I'm still torn. Maybe I can find some nice macros or programming styles to avoid the worst of this problem. It definitely requires more thought, rather than just committing this huge mechanical change with lots of ugly code.

Mostly, this kind of nonsense makes me want to stop working on C code and go finish learning Rust....

Anyway, apart from work, the biggest thing I managed to do last month that was vaguely related to free software was upgrading my personal servers to stretch (finally). That mostly went okay; only a few things made it unnecessarily exciting.

The first was that one of my systems had a very tiny / partition that was too small to hold the downloaded debs for the upgrade, so I had to resize it (VM disk, partition, and file system), and that was a bit exciting because it has an old-style DOS partition table that isn't aligned (hmmm, which is probably why disk I/O is so slow on those VMs), so I had to use the obsolete fdisk -c=dos mode because I wasn't up for replacing the partition right then.

The second was that my first try at an upgrade died with a segfault during the libc6 postinst and[...]



Norbert Preining: Fixing vim in Debian

Mon, 16 Oct 2017 01:18:39 +0000


I was wondering for quite some time why on my server vim behaves so stupid with respect to the mouse: Jumping around, copy and paste wasn’t possible the usual way. All this despite having

  set mouse=

in my /etc/vim/vimrc.local. Finally I found out why, thanks to bug #864074 and fixed it.


The whole mess comes from the fact that, when there is no ~/.vimrc, vim loads defaults.vim after vimrc.local and thus overwriting several settings put in there.

There is a comment (I didn’t see, though) in /etc/vim/vimrc explaining this:

" Vim will load $VIMRUNTIME/defaults.vim if the user does not have a vimrc.
" This happens after /etc/vim/vimrc(.local) are loaded, so it will override
" any settings in these files.
" If you don't want that to happen, uncomment the below line to prevent
" defaults.vim from being loaded.
" let g:skip_defaults_vim = 1

I agree that this is a good way to setup vim on a normal installation of Vim, but the Debian package could do better. The problem is laid out clearly in the bug report: If there is no ~/.vimrc, settings in /etc/vim/vimrc.local are overwritten.

This is as counterintuitive as it can be in Debian – and I don’t know any other package that does it in a similar way.

Since the settings in defaults.vim are quite reasonable, I want to have them, but only fix a few of the items I disagree with, like the mouse. At the end what I did is the following in my /etc/vim/vimrc.local:

if filereadable("/usr/share/vim/vim80/defaults.vim")
  source /usr/share/vim/vim80/defaults.vim
endif
" now set the line that the defaults file is not reloaded afterwards!
let g:skip_defaults_vim = 1

" turn off mouse
set mouse=
" other override settings go here

There is probably a better way to get a generic load statement that does not depend on the Vim version, but for now I am fine with that.




Iain R. Learmonth: Free Software Efforts (2017W41)

Sun, 15 Oct 2017 22:00:00 +0000

Here’s my weekly report for week 41 of 2017. In this week I have explored some Java 8 features, looked at automatic updates in a few Linux distributions and decided that actually I don’t need swap anymore.

Debian

The issue that was preventing the migration of the Tasktools Packaging Team’s mailing list from Alioth to Savannah has now been resolved.

Ana’s chkservice package that I sponsored last week has been ACCEPTED into unstable and since MIGRATED to testing.

Tor Project

I have produced a patch for the Tor Project website to update links to the Onionoo documentation now this has moved (#23802). I’ve updated the Debian and Ubuntu relay configuration instructions to use systemctl instead of service where appropriate (#23048).

When a Tor relay is less than 2 years old, an alert will now appear on Atlas to link to the new relay lifecycle blog post (#23767). This should hopefully help new relay operators understand why their relay is not immediately fully loaded but instead it takes some time to ramp up.

I have gone through the tickets for Tor Cloud and did not find any tickets that contain any important information that would be useful to someone reviving the project. I have closed out these tickets and the Tor Cloud component no longer has any non-closed tickets (#7763, #8544, #8768, #9064, #9751, #10282, #10637, #11153, #11502, #13391, #14035, #14036, #14073, #15821).

I’ve continued to work on turning the Atlas application into an integrated part of Tor Metrics (#23518) and you can see some progress here.

Finally, I’ve continued hacking on a Twitter bot to tweet factoids about the public Tor network and you can now enjoy some JavaDoc documentation if you’d like to learn a little about its internals. I am still waiting for a git repository to be created (#23799) but will be publishing the sources shortly after that ticket is actioned.

Bugs opened: #23799, #23802, #23809, #23830, #23831

Bugs closed (fixed/wontfix): #7763, #8544, #8768, #9064, #9751, #10282, #10637, #11153, #11502, #13391, #14035, #14036, #14073, #15821, #23048, #23767

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

I have not had any free software related expenses this week. The current funds I have available for equipment, travel and other free software expenses remain £60.52. I do not believe that any hardware I rely on is looking at imminent failure.

I’d like to thank Digital Ocean for providing me with further credit for their platform to support my open source work.

I do not find it likely that I’ll be travelling to Cambridge for the miniDebConf as the train alone would be around £350 and hotel accommodation a further £600 (to include both me and Ana). [...]



Norbert Preining: TeX Live Manager: JSON output

Sun, 15 Oct 2017 01:32:53 +0000

With the development of TLCockpit continuing, I found the need for an easy exchange format between the TeX Live Manager tlmgr and frontend programs like TLCockpit. Thus, I have implemented JSON output for the tlmgr info command.

While the format is not 100% stable – I might change some things – I consider it pretty settled. The output of tlmgr info --data json is a JSON array with JSON objects for each package requested (default is to list all).

  [ TLPackageObj, TLPackageObj, ... ]

The structure of the JSON object TLPackageObj reflects the internal Perl hash. Guaranteed to be present keys are name (String) and available (Boolean). In case the package is available, there are the following further keys sorted by their type:

  • String type: name, shortdesc, longdesc, category, catalogue, containerchecksum, srccontainerchecksum, doccontainerchecksum
  • Number type: revision, runsize, docsize, srcsize, containersize, srccontainersize, doccontainersize
  • Boolean type: available, installed, relocated
  • Array type: runfiles (Strings), docfiles (Strings), srcfiles (Strings), executes (Strings), depends (Strings), postactions (Strings)
  • Object type:
    • binfiles: keys are architecture names, values are arrays of strings (list of binfiles)
    • binsize: keys are architecture names, values are numbers
    • docfiledata: keys are docfile names, values are objects with optional keys details and lang
    • cataloguedata: optional keys are topics, version, license, ctan, date, values are all strings

A rather long example showing the output for the package latex, formatted with json_pp and having the list of files and the long description shortened:

[
   {
      "installed" : true,
      "doccontainerchecksum" : "5bdfea6b85c431a0af2abc8f8df160b297ad73f6a324ca88df990f01f24611c9ae80d2f6d12c7b3767308fbe3de3fca3d11664b923ea4080fb13fd056a1d0c3d",
      "docfiles" : [
         "texmf-dist/doc/latex/base/README.txt",
         ....
         "texmf-dist/doc/latex/base/webcomp.pdf"
      ],
      "containersize" : 163892,
      "depends" : [
         "luatex",
         "pdftex",
         "latexconfig",
         "latex-fonts"
      ],
      "runsize" : 414,
      "relocated" : false,
      "doccontainersize" : 12812184,
      "srcsize" : 752,
      "revision" : 43813,
      "srcfiles" : [
         "texmf-dist/source/latex/base/alltt.dtx",
         ....
         "texmf-dist/source/latex/base/utf8ienc.dtx"
      ],
      "category" : "Package",
      "cataloguedata" : {
         "version" : "2017/01/01 PL1",
         "topics" : "format",
         "license" : "lppl1.3",
         "date" : "2017-01-25 23:33:57 +0100"
      },
      "srccontainerchecksum" : "1d145b567cf48d6ee71582a1f329fe5cf002d6259269a71d2e4a69e6e6bd65abeb92461d31d7137f3803503534282bc0c5546e5d2d1aa2604e896e607c53b041",
      "postactions" : [],
      "binsize" : {},
      "longdesc" : "LaTeX is a widely-used macro package for TeX, [...]",
      "srccontainersize" : 516036,
      "containerchecksum" : "af0ac85f89b7620eb7699c8bca6348f8913352c473af1056b7a90f28567d3f3e21d60be1f44e056107766b1dce8d87d367e7f8a82f777d565a2d4597feb24558",
      "executes" : [],
      "binfiles" : {},
      "name" : "latex",
      "catalogue" : null,
      "docsize" : 3799,
      "available" : true,
      "runfiles" : [
         "texmf-dist/makeindex/latex/gglo.ist",
         ...
         "texmf-dist/tex/latex/base/x2enc.dfu"
      ],
      "shortdesc" : "A TeX macro package that defines LaTeX"
   }
]

What is currently not available via tlmgr info and thus also not via the JSON output is access to virtual TeX Live databases with several member databases (multiple repositories). I am thinking about how to incorporate this information.

These changes are currently available in the tlcr[...]



Lior Kaplan: Debian Installer git repository

Sat, 14 Oct 2017 22:15:50 +0000

While dealing with d-i’s translation last month in FOSScamp, I was kinda surprised it’s still on SVN. While reviewing PO files from others, I couldn’t select specific parts to commit.

Debian does have a git server, and many DDs (Debian Developers) use it for their Debian work, but it’s not as public as I wish it to be. Meaning I lack the pull / merge request abilities as well as the review process.

Recently I got a reminder that the D-I’s Hebrew translation needs some love. I asked my local community for help. Receiving a PO file by mail reminded me of the SVN annoyance. So this time I decided to convert it to git and ask people to send me pull requests. Another benefit would be making the process more transparent as others could see these PRs (and hopefully comment if needed).

For this experiment, I opened a repository on GitHub at https://github.com/kaplanlior/debian-installer. I know they aren’t open source like GitLab, but they are a popular choice, which is a good start for my experiment. If and when it succeeds, we can discuss the platform.


(featured image by Jonathan Carter)

 





Petter Reinholdtsen: A one-way wall on the border?

Sat, 14 Oct 2017 20:10:00 +0000

I find it fascinating how many of the people being locked inside the proposed border wall between USA and Mexico support the idea. The proposal to keep Mexicans out reminds me of the propaganda twist from the East Germany government calling the wall the “Antifascist Bulwark” after erecting the Berlin Wall, claiming that the wall was erected to keep enemies from creeping into East Germany, while it was obvious to the people locked inside it that it was erected to keep the people from escaping.

Do the people in USA supporting this wall really believe it is a one way wall, only keeping people on the outside from getting in, while not keeping people in the inside from getting out?




Norbert Preining: ScalaFX: ListView with CellFactory

Sat, 14 Oct 2017 05:29:18 +0000


I had a bit of a hard time getting ScalaFX to display a list of items in a scrollable space, where each item can be clicked. I use this in TLCockpit to display the list of documentation files in a TeX Live package, and open them directly from the application. Unfortunately there are not many examples using ScalaFX out there on the web, so it took me a bit. My first try was using a VBox with various Labels in there, but this is not scrollable.


In other areas I have used TreeTableView, so in this case using ListView should be fine. What I finally came up with is the following code:

import scalafx.application.JFXApp
import scalafx.application.JFXApp.PrimaryStage
import scalafx.collections.ObservableBuffer
import scalafx.geometry.Orientation
import scalafx.scene.control.{ListCell, ListView}
import scalafx.scene.input.MouseEvent
import scalafx.scene.{Cursor, Scene}
import scalafx.scene.paint.Color
import scalafx.Includes._

object ApplicationMain extends JFXApp {

  val SomeStrings: Seq[String] = Seq("Hello", "World", "Enjoy")

  stage = new PrimaryStage {
    title = "ListViewExample"
    scene = new Scene {
      root = {
        new ListView[String] {
          orientation = Orientation.Vertical
          cellFactory = {
            p => {
              val cell = new ListCell[String]
              cell.textFill = Color.Blue
              cell.cursor = Cursor.Hand
              cell.item.onChange { (_, _, str) => cell.text = str }
              cell.onMouseClicked = { me: MouseEvent => println("Do something with " + cell.text.value) }
              cell
            }
          }
          items = ObservableBuffer(SomeStrings)
        }
      }
    }
  }
}

Some comments on the code, at least as far as I understand it:

  • line 9: Importing scalafx.Includes._ seems to simplify some things, in particular the event handler routines can be written in a more straightforward way.
  • line 20: Many more properties can be set here, for example the preferred height and max height, both of which I am using.
  • line 23: In my case a ListCell was enough for my needs (changing color, cursor, and allowing for mouse clicks), but if one needs something more complicated here it is best to create an arbitrary object and assign it to the graphic field.
  • line 26: The essential part to actually fill the cells is the routine cell.item.onChange, which takes three arguments of which the last is the new value. It is used to update the cell text.
  • line 31: Last but not least one needs to assign some Observable to the items, in this case I use ObservableBuffer around the list of strings.

Once managed, it doesn’t look so complicated, but took me some time.




Alex Muntada: My Free Software Activities in Jul-Sep 2017

Fri, 13 Oct 2017 18:47:36 +0000

If you read Planet Debian often, you’ve probably noticed a trend of Free Software activity reports at the beginning of the month. First, those reports seemed a bit unamusing and lengthy, but since I take the time to read them I’ve learnt a lot of things, and now I’m amazed at the amount of work that people are doing for Free Software. Indeed, I knew already that many people are doing lots of work. But reading those reports gives you an actual view of how much it is.

Then, I decided that I should do the same and write some kind of report since I became a Debian Developer in July. I think it’s a nice way to share your work with others and maybe inspire them as it happened to me. So I asked some of the people that have been inspiring me how they do it. I mean, I was curious to know how they keep track of the work they do and how long it takes to write their reports. It seems that it takes quite some time, it’s mostly manual work and usually starts by the end of the month, reviewing their contributions in mailing lists, bug trackers, e-mail folders, etc.

Here I am now, writing my first report about my Free Software activities since July and until September 2017. I hope you like it:

  • Filed bug #867068 in nm.debian.org: Cannot claim account after former SSO alioth cert expired.
  • Replied to a request in private mail to become the maintainer for the Monero Wallet, which I declined, suggesting to file an RFP.
  • Attended DebConf17 DebCamp but I missed most of Open Day and the rest of the Debian conference in Montreal.
  • Rebuilt libdbd-oracle-perl after being removed from testing to enable the transition to perl 5.26.
  • Filed bug #870872 in tracker.debian.org: Server Error (500) when using a new SSO cert.
  • Filed bug #870876 in tracker.debian.org: make subscription easier to upstreams with many packages.
  • Filed bug #871767 in lintian: [checks/cruft] use substr instead of substring in example.
  • Filed bug #871769 in reportbug: man page mentions -a instead of -A.
  • Suggested to remove libmail-sender-perl in bug #790727, since it’s been deprecated upstream.
  • Mentioned -n option for dpt-takeover in how to adopt pkg-perl manual.
  • Fixed a broken link to HCL in https://wiki.debian.org/Hardware.
  • Adopted libapache-admin-config-perl into pkg-perl team, upgraded to 0.95-1 and closed bug #615457.
  • Fixed bug #875835 in libflickr-api-perl: don’t add quote marks in SYNOPSIS.
  • Removed 50 inactive accounts from pkg-perl team in alioth as part of our annual membership ping.

Happy hacking! [...]



Lisandro Damián Nicanor Pérez Meyer: Qt 4 and 5 and OpenSSL1.0 removal

Fri, 13 Oct 2017 14:29:00 +0000

Today we received updates on the OpenSSL 1.0 removal status:

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828522#206>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859671#19>

So those removal bugs' severities will be raised to RC in approximately a month.

We still don't have any solutions for Qt 4 or 5.

For the Qt 5 case we will probably keep the bug open until Qt 5.10 is in the archive which should bring OpenSSL 1.1 support *or* FTP masters decide to remove OpenSSL1.0. In this last case the fate will be the same as with Qt4, below.

For Qt4 we do not have patches available and there will probably be none in time (remember we do not have upstream support). That, plus the fact that we are actively trying to remove it from the archive, means we will remove openssl support. This might mean that apps using Qt4:

- Might cease to work.
- Might keep working:
  - Informing their users that no SSL support is available → programmer did a good job.
  - Not informing their users that no SSL support is available and establishing connections nonetheless → programmer might have not done a good job.

Trying to inform users as soon as possible,

Lisandro for the Qt/KDE team.



Michal Čihař: Weblate 2.17

Fri, 13 Oct 2017 13:00:19 +0000


Weblate 2.17 has been released today. There are quite some performance improvements, improved search, improved access control settings and various other improvements.

Full list of changes:

  • Weblate by default does shallow Git clones now.
  • Improved performance when updating large translation files.
  • Added support for blocking certain emails from registration.
  • Users can now delete their own comments.
  • Added preview step to search and replace feature.
  • Client side persistence of settings in search and upload forms.
  • Extended search capabilities.
  • More fine grained per project ACL configuration.
  • Default value of BASE_DIR has been changed.
  • Added two step account removal to prevent accidental removal.
  • Project access control settings are now editable.
  • Added optional spam protection for suggestions using Akismet.

Update: The bugfix 2.17.1 is out as well, fixing testsuite errors in some setups:

  • Fixed running testsuite in some specific situations.
  • Locales updates.

If you are upgrading from an older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Turris, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who has helped so far! The roadmap for the next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing a bounty for them.





Shirish Agarwal: I need to speak up now X – Economics

Fri, 13 Oct 2017 11:58:45 +0000

Dear all,

This would be a longish blog post (as most of mine are) compiled over days but as there is so short a time and so much to share. I had previously thought to share beautiful photographs of Ganesh mandals taking out the procession at time of immersion of the idol or the last day of Durga Puja recent events around do not make my mood to share photos at this point in time. I may share some of them in a future blog post or two.

Before going further, I would like to offer my sympathies and condolences to people hurt and dislocated in Hurricane Irma, the 2017 Central Mexico Earthquake and lastly the most recent Las Vegas shooting as well as Hurricane Maria in Puerto Rico. I am somewhat nonplussed as to why Americans always want to name, especially hurricanes which destroy people’s lives and livelihood built over generations and why most of the hurricanes are named after women. A look at weather.com site unveiled the answer to the mystery.

Ironically (or not) I saw some of the best science coverage about Earthquakes or anything scientific reporting and analysis after a long time in mainstream newspapers in India.

On another note, I don’t understand or even expect to understand why the gunman did what he did 2 days back. Country music AFAIK is one of the most chilled-out kind of music, in some ways very similar to classical Indian singing although they are worlds apart in style of singing, renditions, artists, the way they emote etc. I seriously wish that the gunman had not been shot but caught and reasons were sought about what he did, he did. While this is certainly armchair thinking as was not at the scene of crime, but if a Mumbai Police constable could do it around a decade ago armed only with a lathi could do it, why couldn’t the American cops who probably are trained in innumerable ways to subdue people without killing them, did. While investigations are on, I suspect if he were caught just like Ajmal Kasab was caught then lot of revelations might have come up. From what is known, the gentleman was upwardly mobile i.e. he was white, rich and apparently had no reason to have beef with anybody especially a crowd swaying to some nice music, all of which makes absolutely no sense.

Indian Economy ‘Slowdown’

Anyways, back to one of the main reasons of writing this blog post. Few days back, an ex-finance Minister of India Yashwant Sinha wrote what was felt by probably millions of Indians, an Indian Express article called ‘I need to speak up now’. While there have been many, many arguments made since then by various people. A simple search of ‘I need to speak up’ would lead to many a result besides the one I have shared above.

The only exception I have with the article is the line “Forty leading companies of the country are already facing bankruptcy proceedings. Many more are likely to follow suit.” I would not bore you but you ask any entrepreneur trying to set up shop in India i.e. ones who actually go through the processes of getting all the licenses for setting up even a small businesses as to the numerous hurdles they have to overcome and laid-back corrupt bureaucracy which they have to overcome. I could have interviewed some of my friends who had the conviction and the courage to set up shop and spent more than half a decade getting all the necessary licenses and approval to set up but it probably would be too specific for one industry or the other and would lead to the same result.

Co-incidentally, a new restaurant, leaf opened in my vicinity[...]



Michal Čihař: Using Trezor to store cryptocurrencies

Fri, 13 Oct 2017 04:00:19 +0000


For quite some time I have had some cryptocurrencies on hold. These mostly come from times when it was possible to mine Bitcoin on the CPU, but I've got some small payments recently as well.

I've been using the Electrum wallet so far. It worked quite well, but with increasing Bitcoin value, I was considering having some hardware wallet for that. There are a few options which you can use, but I've always preferred Trezor as that device is made by guys I know. Also it's probably the device with the best support out of these (at least I've heard really bad stories about Ledger support).

In the end what decided it is that they are also using Weblate to translate their user interface and offered me the wallet for free in exchange. This is a price you cannot beat :-). Anyway the setup was really smooth and I'm now fully set up. This also made me more open to accepting other cryptocurrencies which are supported by Trezor, so you can now see more options on the Weblate donations page.





Dirk Eddelbuettel: GitHub Streak: Round Four

Fri, 13 Oct 2017 02:45:00 +0000


Three years ago I referenced the Seinfeld Streak used in an earlier post of regular updates to the Rcpp Gallery:

This is sometimes called Jerry Seinfeld's secret to productivity: Just keep at it. Don't break the streak.

and showed the first chart of GitHub streaking

(image)

And two years ago a first follow-up appeared in this post:

(image)

And a year ago we had another follow-up:

(image)

And as it is October 12 again, here is the new one:

(image)

Again, special thanks go to Alessandro Pezzè for the Chrome add-on GithubOriginalStreak.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.




Joachim Breitner: Isabelle functions: Always total, sometimes undefined

Thu, 12 Oct 2017 17:54:20 +0000

Often, when I mention how things work in the interactive theorem prover Isabelle/HOL to people with a strong background in functional programming (whether that means Haskell or Coq or something else), I cause confusion, especially around the issue of what is a function, are functions total and what is the business with undefined. In this blog post, I want to explain some of these issues, aimed at functional programmers or type theoreticians.

Note that this is not meant to be a tutorial; I will not explain how to do these things, and will focus on what they mean.

HOL is a logic of total functions

If I have an Isabelle function f :: a ⇒ b between two types a and b (the function arrow in Isabelle is ⇒, not →), then – by definition of what it means to be a function in HOL – whenever I have a value x :: a, then the expression f x (i.e. f applied to x) is a value of type b. Therefore, and without exception, every Isabelle function is total.

In particular, it cannot be that f x does not exist for some x :: a. This is a first difference from Haskell, which does have partial functions like

  spin :: Maybe Integer -> Bool
  spin (Just n) = spin (Just (n+1))

Here, neither the expression spin Nothing nor the expression spin (Just 42) produce a value of type Bool: The former raises an exception (“incomplete pattern match”), the latter does not terminate. Confusingly, though, both expressions have type Bool.

Because every function is total, this confusion cannot arise in Isabelle: If an expression e has type t, then it is a value of type t. This trait is shared with other total systems, including Coq.

Did you notice the emphasis I put on the word “is” here, and how I deliberately did not write “evaluates to” or “returns”? This is because of another big source for confusion:

Isabelle functions do not compute

We (i.e., functional programmers) stole the word “function” from mathematics and repurposed it. But the word “function”, in the context of Isabelle/HOL, refers to the mathematical concept of a function, and it helps to keep that in mind.

What is the difference?

  • A function a → b in functional programming is an algorithm that, given a value of type a, calculates (returns, evaluates to) a value of type b.
  • A function a ⇒ b in math (or Isabelle/HOL) associates with each value of type a a value of type b.

For example, the following is a perfectly valid function definition in math (and HOL), but could not be a function in the programming sense:

  definition foo :: "(nat ⇒ real) ⇒ real" where
    "foo seq = (if convergent seq then lim seq else 0)"

This assigns a real number to every sequence, but it does not compute it in any useful sense.

From this it follows that

Isabelle functions are specified, not defined

Consider this function definition:

  fun plus :: "nat ⇒ nat ⇒ nat" where
     "plus 0 m = m"
   | "plus (Suc n) m = Suc (plus n m)"

To a functional programmer, this reads

  plus is a function that analyses its first argument. If that is 0, then it returns the second argument. Otherwise, it calls itself with the predecessor of the first argument and increases the result by one.

which is clearly a description of a computation.

But to Isabelle/HOL, the above reads

  plus is a binary function on natural numbers, and it satisfies the following two equations: …

And in fact, it is not so much Isabelle/HOL that reads it this way, but rather the fun command, which is external to t[...]



Dirk Eddelbuettel: RcppArmadillo 0.8.100.1.0

Thu, 12 Oct 2017 02:13:00 +0000

We are thrilled to announce a new big RcppArmadillo release! Conrad recently moved Armadillo to the 8.* series, with significant improvements and speed ups for sparse matrix operations, and more. See below for a brief summary.

This also required some changes at our end which Binxiang Ni provided, and Serguei Sokol improved some instantiations. We now show the new vignette Binxiang Ni wrote for his GSoC contribution, and I converted it (and the other main vignette) to using the pinp package for sleeker pdf vignettes.

This release resumes our bi-monthly CRAN release cycle. I may make interim updates available at GitHub "as needed". And this time I managed to mess up the reverse depends testing, and missed one sync() call on the way back to R---but all that is now taken care of.

Armadillo is a powerful and expressive C++ template library for linear algebra aiming towards a good balance between speed and ease of use with a syntax deliberately close to a Matlab. RcppArmadillo integrates this library with the R environment and language--and is widely used by (currently) 405 other packages on CRAN.

A high-level summary of changes follows.

Changes in RcppArmadillo version 0.8.100.1.0 (2017-10-05)

  • Upgraded to Armadillo release 8.100.1 (Feral Pursuits)
    • faster incremental construction of sparse matrices via element access operators
    • faster diagonal views in sparse matrices
    • expanded SpMat to save/load sparse matrices in coord format
    • expanded .save(), .load() to allow specification of datasets within HDF5 files
    • added affmul() to simplify application of affine transformations
    • warnings and errors are now printed by default to the std::cerr stream
    • added set_cerr_stream() and get_cerr_stream() to replace set_stream_err1(), set_stream_err2(), get_stream_err1(), get_stream_err2()
    • new configuration options ARMA_COUT_STREAM and ARMA_CERR_STREAM
  • Constructors for sparse matrices of types dgt, dtt and dst now use Armadillo code for improved performance (Serguei Sokol in #175 addressing #173)
  • Sparse matrices call .sync() before accessing internal arrays (Binxiang Ni in #171)
  • The sparse matrix vignette has been converted to Rmarkdown using the pinp package, and is now correctly indexed. (#176)

Courtesy of CRANberries, there is a diffstat report. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings. [...]



Steve Kemp: A busy week or two

Wed, 11 Oct 2017 21:00:00 +0000


It feels like the past week or two has been very busy, and so I'm looking forward to my "holiday" next month.

I'm not really having a holiday of course, my wife is slowly returning to work, so I'll be taking a month of paternity leave, taking sole care of Oiva for the month of November. He's still a little angel, and now that he's reached 10 months old he's starting to get much more mobile - he's on the verge of walking, but not quite there yet. Mostly that means he wants you to hold his hands so that he can stand up, swaying back and forth before the inevitable collapse.

Beyond spending most of my evenings taking care of him, from the moment I return from work to his bedtime (around 7:30PM), I've made the Debian Administration website both read-only and much simpler. In the past that site was powered by a lot of servers, I think around 11. Now it has only a small number of machines, which should slowly decrease.

I've ripped out the database host, the redis host, the events-server, the planet-machine, the email-box, etc. Now we have a much simpler setup:

  • Front-end machine
    • Directly serves the code site
    • Directly serves the SSL site which exists solely for Let's Encrypt
    • Runs HAProxy to route the rest of the requests to the cluster.
  • 4 x Apache servers
    • Each one has a (read-only) MySQL database on it for the content.
      • In case of future-compromise I removed all user passwords, and scrambled the email-addresses.
      • I don't think there's a huge risk, but better safe than sorry.
    • Each one runs the web-application.
      • Which now caches each generated page to /tmp/x/x/x/x/$hash if it doesn't exist.
      • If the request is cached it is served from that cache rather than dynamically.

Finally although I'm slowly making progress with "radio stuff" I've knocked up a simple hack which uses an ultrasonic sensor to determine whether I'm sat in front of my (home) PC. If I am everything is good. If I'm absent the music is stopped and the screen locked. Kinda neat.

(Simple ESP8266 device wired to the sensor. When the state changes a message is posted to Mosquitto, where a listener reacts to the change(s).)

Oh, not final. I've also transferred my mobile phone from DNA.fi to MoiMobile. Which should complete soon, right now my phone is in limbo, active on neither service. Oops.




Michal Čihař: New projects on Hosted Weblate

Wed, 11 Oct 2017 16:00:18 +0000


Hosted Weblate also provides free hosting for free software projects. The hosting requests queue has grown too long, so it's time to process it and include new projects.

This time, the newly hosted projects include:

  • Hunspell - famous spell checker
  • Eolie - a web browser for GNOME
  • SkyTube - an open-source YouTube app for Android
  • Eventum - issue tracking system

Additionally there were some notable additions to existing projects:

If you want to support this effort, please donate to Weblate; recurring donations are especially welcome to keep this service alive. You can do that easily on Liberapay or Bountysource.





Carl Chenet: The Slack Threat

Tue, 10 Oct 2017 22:00:40 +0000

For a long time, electronic mail was the main communication tool for enterprises. Slack, which offers public or private group discussion boards and instant messaging between two people, challenges its position, especially in the IT industry. Not only does Slack have features known and used since the launch of IRC in the late ’80s, but it also offers file sending and sharing, code quoting, and indexing of everything that goes through the application for later searches. Slack is also modular, with numerous plug-ins to easily add new features.

Using the Software-As-A-Service (SAAS) model, Slack's basic version is free, and users pay for options. Slack is now considered by the Github generation as the new main enterprise communication tool.

As I did in my previous article on the Github threat, this one won’t promote Slack’s advantages, as many other articles have already covered all these points ad nauseam, but will show the other side and warn the companies using this service about its inherent risks. So far, these risks have been ignored, sometimes voluntarily in the name of the “It works™” ideology. Neglecting all economic and safety considerations, neglecting all threats to privacy and individual freedom. We’ll see about them below.

(image: Github, a software forge as a SAAS, with all the advantages but also all the risks of its economic model)

All your company communication since its creation

When a start-up chooses Slack, all of its internal communication will be stored by Slack. When someone uses this service, the simple fact of chatting through it means that the whole communication is archived.

One may point out that within the basic Slack offer, only the last 10.000 messages can be read and searched. Bad argument. Slack stores every message and every file shared as it pleases. We’ll see below that this application behavior is of capital importance in the Slack threat to enterprises.

And the problem is the same for all other companies which choose Slack at one point or another. If they replace their traditional communication method with it, Slack will have access to capital data, not only in volume, but also because of their value for the company itself… Or anyone interested in this company's life.

Search Your Entire Archive

One of the main arguments to use Slack is its “Search your entire archive” feature. One can search almost anything one can think of. Why? Because everything is indexed. Your team chat archive or the more or less confidential documents exchanged with the accounting department; everything is in it in order to provide the most effective search tool.

(image: The search bar, well-known by Slack users)

We can’t deny it’s a very attractive feature for everyone inside the company. But it is also a very attractive feature for everyone outside of the company who would want to know more about its internal life. Even more if you’re looking for a specific subject.

If Slack is the main communication tool of your company, and if, as I’ve experienced in my professional life, some teams prefer to use it rather than go to the office next door, or even bug you to put the information on the dedicated channel, one can easily deduce that nothing—in this type of company—escapes Slack. The automatic indexation and the search feature efficiency are excellent tools to get all the information needed, in quantity and[...]



Yves-Alexis Perez: OpenPGP smartcard transition (part 1)

Tue, 10 Oct 2017 20:44:37 +0000

A long time ago, I switched my GnuPG setup to a smartcard based one. I kept using the same master key, but:

  • copied the rsa4096 master key to a “master” smartcard, for when I need to sign (certify) other keys;
  • created rsa2048 subkeys (for signature, encryption and authentication) and moved them to an OpenPGP smartcard for daily usage.

I've been working with that setup for a few years now and it is working perfectly fine. The signature counter on the OpenPGP basic card is a bit north of 5000 which is large but not that huge, all considered (and not counting authentication and decryption key usage).

One very nice feature of using a smartcard is that my laptop (or other machines I work on) never manipulates the private key directly but only sends requests to the card, which is a really huge improvement, in my opinion. But it's also not the perfect solution for me: the OpenPGP card uses a proprietary platform from ZeitControl, named BasicCard. We have very little information on the smartcard, besides the fact that Werner Koch trusts ZeitControl to not mess up. One caveat for me is that the card does not use a certified secure microcontroller like you would find in smartcard chips found in debit cards or electronic IDs. That means it's not really been audited by a competent hardware lab, and thus can't be considered secure against physical attacks. The cardOS software and the application implementing the OpenPGP specification are not public either and have not been audited either, to the best of my knowledge.

At one point I was interested in the Yubikey Neo, especially since the architecture Yubico used was common: a (supposedly) certified platform (secure microcontroller, card OS) and a GlobalPlatform / JavaCard virtual machine. The applet used in the Yubikey Neo is open-source, too, so you could take a look at it and identify any issue.

Unfortunately, Yubico transitioned to a less common and more proprietary infrastructure for Yubikey 4: it's no longer Javacard based, and they don't provide the applet source anymore. This was not really seen as a good move by a lot of people, including Konstantin Ryabitsev (kernel.org administrator). Also, it wasn't possible even for the Yubico Neo to actually build the applet yourself and inject it on the card: when the Yubikey leaves the facility, the applet is already installed and the smartcard is locked (for obvious security reasons). I've tried asking about getting naked/empty Yubikeys with developer keys to load the applet myself, but it was apparently not possible or would have required signing an NDA with NXP (the chip maker), which is not really possible as an individual (not that I really want to anyway).

In the meantime, a coworker actually wrote an OpenPGP javacard applet, with the intention to support the latest version of the OpenPGP specification, and especially elliptic curve cryptography. The applet is called SmartPGP and has been released on the ANSSI github repository. I investigated a bit, and found a smartcard with the correct specification: certified (in France or Germany), and supporting Javacard 3.0.4 (required for ECC). The card can do RSA2048 (unfortunately not RSA4096) and EC with NIST (secp256r1, secp384r1, secp521r1) and Brainpool (P256, P384, P512) curves.

I've ordered some cards, and when they arrived start[...]



Michal Čihař: Better access control in Weblate

Tue, 10 Oct 2017 18:45:37 +0000


Upcoming Weblate 2.17 will bring improved access control settings. Previously this could be controlled only by server admins, but now the project visibility and access presets can be configured.

This allows you to better tweak access control for your needs. There is an additional choice of making the project public but restricting translations, which has been requested by several projects.

You can see the possible choices on the UI screenshot:

(image)

On Hosted Weblate this feature is currently available only to commercial hosting customers. Projects hosted for free are limited to public visibility only.





Iain R. Learmonth: Automatic Updates

Tue, 10 Oct 2017 18:00:00 +0000


We have instructions for setting up new Tor relays on Debian. The only time the word “upgrade” is mentioned here is:

Be sure to set your ContactInfo line so we can contact you if you need to upgrade or something goes wrong.

This isn’t great. We should have some decent instructions for keeping your relay up to date too. I’ve been compiling a set of documentation for enabling automatic updates on various Linux distributions, here’s a taste of what I have so far:


Debian

Make sure that unattended-upgrades is installed and then enable the installation of updates (as root):

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Fedora 22 or later

Beginning with Fedora 22, you can enable automatic updates via:

dnf install dnf-automatic

In /etc/dnf/automatic.conf set:

apply_updates = yes

Now enable and start automatic updates via:

systemctl enable dnf-automatic.timer
systemctl start dnf-automatic.timer

(Thanks to Enrico Zini I know all about these timer units in systemd now.)

RHEL or CentOS

For CentOS, RHEL, and older versions of Fedora, the yum-cron package is the preferred approach:

yum install yum-cron

In /etc/yum/yum-cron.conf set:

apply_updates = yes

Enable and start automatic updates via:

systemctl enable yum-cron.service
systemctl start yum-cron.service

I’d like to collect together instructions also for other distributions (and *BSD and Mac OS). Atlas knows which platform a relay is running on, so there could be a link in the future to some platform specific instructions on how to keep your relay up to date.
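The settings in this post can be checked after the fact. The following script is an added example, not part of the original post: it reads the configuration files named above and reports whether updates will actually be applied. It assumes that `dpkg-reconfigure unattended-upgrades` has written /etc/apt/apt.conf.d/20auto-upgrades (a path the post does not mention), and its sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): verify that the automatic-update
# settings described above are really in effect.

# Print the value of an apt.conf line of the form:  Key "value";
apt_conf_value() {            # usage: apt_conf_value FILE KEY
    awk -v key="$2" '
        $1 == key { v = $2; gsub(/[";]/, "", v); val = v }
        END { print val }' "$1"
}

# Print the value of "key = value" from an INI-style file, skipping comments,
# so that a commented-out "# apply_updates = yes" is not mistaken for a setting.
ini_value() {                 # usage: ini_value FILE KEY
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Debian: unattended-upgrades runs when the periodic interval is set and not "0".
debian_auto_upgrades_on() {   # usage: debian_auto_upgrades_on FILE
    v=$(apt_conf_value "$1" 'APT::Periodic::Unattended-Upgrade')
    [ -n "$v" ] && [ "$v" != "0" ]
}

# Fedora / RHEL / CentOS: apply_updates must be true. The accepted spellings
# (yes, true, 1) are an assumption of this example.
rpm_apply_updates_on() {      # usage: rpm_apply_updates_on FILE
    case "$(ini_value "$1" apply_updates | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report one file; returns non-zero when updates are not being applied.
report() {                    # usage: report debian|rpm FILE
    case "$1" in
        debian) debian_auto_upgrades_on "$2" ;;
        rpm)    rpm_apply_updates_on "$2" ;;
        *)      return 2 ;;
    esac && { echo "ENABLED  $2"; return 0; }
    echo "DISABLED $2"
    return 1
}

# Check the real files on this machine, plus the systemd units from the post.
audit_host() {
    rc=0
    if [ -r /etc/apt/apt.conf.d/20auto-upgrades ]; then
        report debian /etc/apt/apt.conf.d/20auto-upgrades || rc=1
    fi
    for pair in /etc/dnf/automatic.conf:dnf-automatic.timer \
                /etc/yum/yum-cron.conf:yum-cron.service; do
        file=${pair%%:*}; unit=${pair#*:}
        [ -r "$file" ] || continue
        report rpm "$file" || rc=1
        if command -v systemctl >/dev/null 2>&1 &&
           ! systemctl is-enabled "$unit" >/dev/null 2>&1; then
            echo "DISABLED $unit (the configuration is never acted on)"
            rc=1
        fi
    done
    return $rc
}

# Run against constructed sample files so the script works anywhere.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    printf '%s\n' '[commands]' 'upgrade_type = default' \
                  '# apply_updates = yes' 'apply_updates = no' > "$d/automatic.conf"
    report debian "$d/20auto-upgrades" || true
    report rpm "$d/automatic.conf" || true
    rm -rf "$d"
}

if [ "${1:-}" = "host" ]; then audit_host; else demo; fi
```

Run it with the argument `host` to audit the machine itself; without arguments it only exercises the constructed samples.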




Jamie McClelland: Docker in Debian

Tue, 10 Oct 2017 16:07:53 +0000

It's not easy getting Docker to work in Debian.

It's not in stable at all:

0 jamie@turkey:~$ rmadison docker.io
docker.io  | 1.6.2~dfsg1-1~bpo8+1 | jessie-backports | source, amd64, armel, armhf, i386
docker.io  | 1.11.2~ds1-5         | unstable         | source, arm64
docker.io  | 1.11.2~ds1-5         | unstable-debug   | source
docker.io  | 1.11.2~ds1-6         | unstable         | source, armel, armhf, i386, ppc64el
docker.io  | 1.11.2~ds1-6         | unstable-debug   | source
docker.io  | 1.13.1~ds1-2         | unstable         | source, amd64
docker.io  | 1.13.1~ds1-2         | unstable-debug   | source
0 jamie@turkey:~$ 

And a problem with runc makes it really hard to get it working on Debian unstable.

These are the steps I took to get it running today (2017-10-10).

Remove runc (allow it to remove containerd and docker.io):

sudo apt-get remove runc

Install docker-runc (now in testing)

sudo apt-get install docker-runc

Fix containerd package to depend on docker-runc instead of runc:

mkdir containerd
cd containerd
apt-get download containerd 
ar x containerd_0.2.3+git20170126.85.aa8187d~ds1-2_amd64.deb
tar -xzf control.tar.gz
sed -i s/runc/docker-runc/g control
tar -c md5sums control | gzip -c > control.tar.gz
ar rcs new-containerd.deb debian-binary control.tar.gz data.tar.xz
sudo dpkg -i new-containerd.deb

Fix docker.io package to depend on docker-runc instead of runc.

mkdir docker
cd docker
apt-get download docker.io
ar x docker.io_1.13.1~ds1-2_amd64.deb
tar -xzf control.tar.gz
sed -i s/runc/docker-runc/g control
tar -c {post,pre}{inst,rm} md5sums control | gzip -c > control.tar.gz
ar rcs new-docker.io.deb debian-binary control.tar.gz data.tar.xz
sudo dpkg -i new-docker.io.deb

Symlink docker-runc => runc

sudo ln -s /usr/sbin/docker-runc /usr/sbin/runc

Keep apt-get from upgrading until this bug is fixed:

printf "# Remove when docker.io and containerd depend on docker-runc
# instead of normal runc
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877329
Package: runc 
Pin: release * 
Pin-Priority: -1 

Package: containerd 
Pin: release * 
Pin-Priority: -1 

Package: docker.io
Pin: release * 
Pin-Priority: -1" | sudo tee /etc/apt/preferences.d/docker.pref

Thanks to coderwall for tips on manipulating deb files.




Lars Wirzenius: Debian and the GDPR

Tue, 10 Oct 2017 15:11:57 +0000


GDPR is a new EU regulation for privacy. The name is short for "General Data Protection Regulation" and it covers all organisations that handle personal data of EU citizens and EU residents. It will become enforceable May 25, 2018 (Towel Day). This will affect Debian. I think it's time for Debian to start working on compliance, mainly because the GDPR requires sensible things.

I'm not an expert on GDPR legislation, but here's my understanding of what we in Debian should do:

  • do a privacy impact assessment, to review and document what data we have, and collect, and what risks that has for the people whose personal data it is if the data leaks

  • only collect personal information for specific purposes, and only use the data for those purposes

  • get explicit consent from each person for all collection and use of their personal information; archive this consent (e.g., list subscription confirmations)

  • allow each person to get a copy of all the personal information we have about them, in a portable manner, and let them correct it if it's wrong

  • allow people to have their personal information erased

  • maybe appoint one or more data protection officers (not sure this is required for Debian)

There's more, but let's start with those.

I think Debian has at least the following systems that will need to be reviewed with regards to the GDPR:

  • db.debian.org - Debian project members, "Debian developers"
  • nm.debian.org
  • contributors.debian.org
  • lists.debian.org - at least membership lists, maybe archives
  • possibly irc servers and log files
  • mail server log files
  • web server log files
  • version control services and repositories

There may be more; these are just off the top of my head.

I expect that mostly Debian will be OK, but we can't just assume that.




Reproducible builds folks: Reproducible Builds: Weekly report #128

Tue, 10 Oct 2017 08:08:10 +0000

Here's what happened in the Reproducible Builds effort between Sunday October 1 and Saturday October 7 2017:

Media coverage

  • Bernhard sent another report about the status of Reproducible openSUSE. Currently they are at 478 unreproducible and 11,111 reproducible packages out of 11,821, so also at 93%!
  • Holger attempted to get a Reproducible Builds devroom at FOSDEM 2018 but sadly this proposal was not accepted.

Documentation updates

  • Christoph Berg created a wiki page about Openjade generated timestamps from DSSSL stylesheets.

Packages reviewed and fixed, and bugs filed

  • Bernhard M. Wiedemann:
    • LiE uninitialized memory (need to find upstream)
    • chrony date (merged)
  • Chris Lamb:
    • #877375 filed against polygen.
    • #877381 filed against plr.
    • #877384 filed against rcs.
    • #877928 filed against cadvisor.
  • jathan:
    • #877470 filed against bsh.

Reviews of unreproducible packages

32 package reviews have been added, 46 have been updated and 62 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (27)

diffoscope development

  • Chris Lamb:
    • Don't crash on malformed md5sums files. (Closes: #877473)
    • Improve names in output of "internal" binwalk members. (Closes: #877525)
  • Mattia Rizzolo:
    • Fix test compatibility with dtb version 1.4.5

strip-nondeterminism development

Rob Browning noticed that strip-nondeterminism was causing serious performance regressions in the Clojure programming language within Debian. After some discussion, Chris Lamb also posted a query to debian-devel in case there were any other programming languages that might be suffering from the same problem.

  • Chris Lamb:
    • jar.pm: Clojure considers the .class file to be stale if it shares the same timestamp of the .clj. We thus adjust the timestamps of the .clj to always be younger. (Closes: #877418)
    • jar.pm, zip.pm: Allow $options{member_normalizer} callback to support specifying the timestamp.
    • zip.pm: Ensure that we don't try and write an old timestamp; Archive::Zip will do this anyway, just noisily.
    • zip.pm: Calculate the target canonical time in just one place.
    • bin/strip-nondeterminism: Print a warning in --verbose mode if no canonical time specified.
    • jar.pm: Update comment to reflect that NTFS/FAT has a 2s timestamp granularity.
    • jar.pm: s/NTFS/FAT/. Thanks to James Ross.

reprotest development

Versions 0.7.1 and 0.7.2 were uploaded to unstable by Ximin Luo:

  • New features:
    • Add a --auto-build option to try to determine which specific variations cause unreproducibility.
    • Add a --source-pattern option to restrict copying of source_root, and set this automatically in our presets.
  • Usability improvements:
    • Improve error messages in some common scenarios.
      • Giving a source_root or build_command that doesn't exist
      • Using reprotest with default settings after not installing Recommends
    • Output hashes after a successful --auto-build.
    • Print a warning message if we reproduced successfully but didn't vary everything.
  • Fix varying both umask and user_group at the same time.
  • Have dpkg-source extract to different build dir [...]



Vincent Fourmond: Define a function with inline Ruby code in QSoas

Mon, 09 Oct 2017 22:31:50 +0000

QSoas can read and execute Ruby code directly, while reading command files, or even at the command prompt. For that, just write plain Ruby code inside a ruby...ruby end block. Probably the most useful possibility is to define elaborate functions directly from within QSoas, or, preferably, from within a script; this is an alternative to defining a function in a completely separate Ruby-only file using ruby-run. For instance, you can define a function for plain Michaelis-Menten kinetics with a file containing:

ruby
def my_func(x, vm, km)
  return vm/(1 + km/x)
end
ruby end

This defines the function my_func with three parameters, , (vm) and (km), with the formula:

You can then test that the function has been correctly defined running for instance:

QSoas> eval my_func(1.0,1.0,1.0)
 => 0.5
QSoas> eval my_func(1e4,1.0,1.0)
 => 0.999900009999

This yields the correct answer: the first command evaluates the function with x = 1.0, vm = 1.0 and km = 1.0. For , the result is (here 0.5). For , the result is almost . You can use the newly defined my_func in any place you would use any ruby code, such as in the optional argument to generate-buffer, or for arbitrary fits:

QSoas> generate-buffer 0 10 my_func(x,3.0,0.6)
QSoas> fit-arb my_func(x,vm,km)

To redefine my_func, just run the ruby code again with a new definition, such as:

ruby
def my_func(x, vm, km)
  return vm/(1 + km/x**2)
end
ruby end

The previous version is just erased, and all new uses of my_func will refer to your new definition.


See for yourself

The code for this example can be found there. Browse the qsoas-goodies github repository for more goodies!

About QSoas

QSoas is a powerful open source data analysis program that focuses on flexibility and powerful fitting capacities. It is released under the GNU General Public License. It is described in Fourmond, Anal. Chem., 2016, 88 (10), pp 5050–5052. Current version is 2.1. You can download its source code or buy precompiled versions for MacOS and Windows there.




Markus Koschany: My Free Software Activities in September 2017

Mon, 09 Oct 2017 22:18:12 +0000

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I sponsored a new release of hexalate for Unit193 and icebreaker for Andreas Gnau. The latter is a reintroduction.
  • New upstream releases this month: freeorion and hyperrogue.
  • I backported freeciv and freeorion to Stretch.

Debian Java

  • New upstream releases and one update: sweethome3d, sweethome3d-furniture, sweethome3d-furniture-editor, sweethome3d-textures-editor (update), libsambox-java, libsejda-java, pdfsam, easymock, jboss-modules, jboss-xnio and undertow.
  • I fixed one RC bug in libsejda-io-java (#874494) and investigated another one (#869266) in commons-httpclient which could be closed.
  • The new build-dependencies of jboss-xnio, wildfly-client-config and wildfly-common, were accepted into the archive this month.
  • I spent some quality time on fixing #874579 in libhibernate-validator-java. This was the last blocking bug for pdfsam which I could finally upload to unstable. It’s a really great JavaFX application. Check it out!
  • I sponsored another update of libimglib2-java for Ghislain Vaillant and simplyhtml, freeplane and knopflerfish-osgi for Felix Natter.
  • I also fixed RC bug #871348 in robocode, a Java programming game and #871347 in tycho.

Debian LTS

This was my nineteenth month as a paid contributor and I have been paid to work 15,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 18. September to 24. September I was in charge of our LTS frontdesk. I triaged bugs in poppler, binutils, kannel, wordpress, libsndfile, libexif, nautilus, libstruts1.2-java, nvidia-graphics-drivers, p3scan, otrs2 and glassfish.
  • DLA-1108-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1116-1. Issued a security update for poppler fixing 3 CVE.
  • DLA-1119-1. Issued a security update for otrs2 fixing 4 CVE.
  • DLA-1122-1. Issued a security update for asterisk fixing 1 CVE. I also investigated CVE-2017-14099 and CVE-2017-14603. I decided against a backport because the fix was too intrusive and the vulnerable option is disabled by default in Wheezy’s version which makes it a minor issue for most users.
  • I submitted a patch for Debian’s reportbug tool. (#878088) During our LTS BoF at DebConf 17 we came to the conclusion that we should implement a feature in reportbug that checks whether the bug reporter wants to report a regression for a recent security update. Usually the LTS and security teams receive word from the maintainer or users who report issues directly to our mailing lists or IRC channels. However in some cases we were not informed about possible regressions and the new feature in reportbug shall ensure that we can respond faster to such reports.
  • I started to investigate the open security issues in wordpress and will complete the work in October.

Misc

  • I packaged a new version of xarchiver. Thanks to the work of Ingo Brückl xarchiver can handle almost all archive formats in Debian now.

QA upload

  • I did a QA upload of xball, an [...]



Ben Hutchings: Debian LTS work, September 2017

Mon, 09 Oct 2017 16:25:52 +0000


I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 6 hours from August. I only worked 12 hours, so I will carry over 9 hours to the next month.

I prepared and released another update on the Linux 3.2 longterm stable branch (3.2.93). I then rebased the Debian linux package onto this version, added further security fixes, and uploaded it (DLA-1099-1).





Antonio Terceiro: pristine-tar updates

Mon, 09 Oct 2017 15:06:22 +0000

Introduction

pristine-tar is a tool that is present in the workflow of a lot of Debian people. I adopted it last year after it had been orphaned by its creator Joey Hess. A little after that Tomasz Buchert joined me and we are now a functional two-person team.

pristine-tar's goals are to import the content of a pristine upstream tarball into a VCS repository, and to be able to later reconstruct that exact same tarball, bit by bit, based on the contents in the VCS, so we don’t have to store a full copy of that tarball. This is done by storing binary delta files which can be used to reconstruct the original tarball from a tarball produced with the contents of the VCS. Ultimately, we want to make sure that the tarball that is uploaded to Debian is exactly the same as the one that has been downloaded from upstream, without having to keep a full copy of it around if all of its contents are already extracted in the VCS anyway.

The current state of the art, and perspectives for the future

pristine-tar solves a wicked problem, because our ability to reconstruct the original tarball is affected by changes in the behavior of tar and of all of the compression tools (gzip, bzip2, xz) and by what exact options were used when creating the original tarballs. Because of this, pristine-tar currently has a few embedded copies of old versions of compressors to be able to reconstruct tarballs produced by them, and also relies on an ever-evolving patch to tar that has been carried in Debian for a while.

So basically keeping pristine-tar working is a game of Whac-A-Mole. Joey provided a good summary of the situation when he orphaned pristine-tar.

Going forward, we may need to rely on other ways of ensuring integrity of upstream source code. That could take the form of signed git tags, signed uncompressed tarballs (so that the compression doesn’t matter), or maybe even a different system for storing actual tarballs. Debian bug #871806 contains an interesting discussion on this topic.

Recent improvements

Even if keeping pristine-tar useful in the long term will be hard, too much of Debian work currently relies on it, so we can’t just abandon it. Instead, we keep figuring out ways to improve. And I have good news: pristine-tar has recently received updates that improve the situation quite a bit.

In order to be able to understand how much better we are getting at it, I created a visualization of the regression test suite results. With the help of data from there, let’s look at the improvements made since pristine-tar 1.38, which was the version included in stretch.

pristine-tar 1.39: xdelta3 by default.

This was the first release made after the stretch release, and made xdelta3 the default delta generator for newly-imported tarballs. Existing tarballs with deltas produced by xdelta are still supported, this only affects new imports.

The support for having multiple delta generators was written by Tomasz, and was already there since 1.35, but we decided to only flip the switch after using xdelta3 was supported in a stable release[...]



Petter Reinholdtsen: Generating 3D prints in Debian using Cura and Slic3r(-prusa)

Mon, 09 Oct 2017 08:50:00 +0000

At my nearby maker space, Sonen, I heard the story that it was easier to generate gcode files for their 3D printers (Ultimaker 2+) on Windows and MacOS X than Linux, because the software involved had to be manually compiled and set up on Linux while premade packages worked out of the box on Windows and MacOS X. I found this annoying, as the software involved, Cura, is free software and should be trivial to get up and running on Linux if someone took the time to package it for the relevant distributions. I even found a request for adding it into Debian from 2013, which had seen some activity over the years but never resulted in the software showing up in Debian. So a few days ago I offered my help to try to improve the situation.

Now I am very happy to see that all the packages required by a working Cura in Debian are uploaded into Debian and waiting in the NEW queue for the ftpmasters to have a look. You can track the progress on the status page for the 3D printer team.

The uploaded packages are a bit behind upstream, and were uploaded now to get slots in the NEW queue while we work on updating the packages to the latest upstream version.

On a related note, two competitors for Cura, which I found harder to use and was unable to configure correctly for Ultimaker 2+ in the short time I spent on it, are already in Debian. If you are looking for 3D printer "slicers" and want something already available in Debian, check out slic3r and slic3r-prusa. The latter is a fork of the former.




Gunnar Wolf: Achievement unlocked - Made with Creative Commons translated to Spanish! (Thanks, @xattack!)

Mon, 09 Oct 2017 04:05:27 +0000

I am very, very, very happy to report this — And I cannot believe we have achieved this so fast:

Back in June, I announced I'd start working on the translation of the Made with Creative Commons book into Spanish.

Over the following few weeks, I worked out the most viable infrastructure, gathered input and commitments for help from a couple of friends, submitted my project for inclusion in the Hosted Weblate translations site (and got it approved!)

Then, we quietly and slowly started working.

Then, as it usually happens in late August, early September... The rush of the semester caught me in full, and I left this translation project for later — For the next semester, perhaps...

Today, I received a mail that surprised me. That stunned me.

99% of translated strings! Of course, it does not look as neat as "100%" would, but there are several strings not to be translated.

So, yay for collaborative work! Oh, and FWIW — Thanks to everybody who helped. And really, really, really, hats off to Luis Enrique Amaya, a friend whom I see way less than I should. A LIDSOL graduate, and a nice guy all around. Why to him specially? Well... This has several wrinkles to iron out, but, by number of translated lines:

  • Andrés Delgado 195
  • scannopolis 626
  • Leo Arias 812
  • Gunnar Wolf 947
  • Luis Enrique Amaya González 3258

...Need I say more? Luis, I hope you enjoyed reading the book :-]

There is still a lot of work to do, and I'm asking the rest of the team some days so I can get my act together. From the mail I just sent, I need to:

  • Review the Pandoc conversion process, to get the strings formatted again into a book; I had got this working somewhere in the process, but last I checked it broke. I expect this not to be too much of a hurdle, and it will help all other translations.
  • Start the editorial process at my Institute. Once the book builds, I'll have to start again the stylistic correction process so the Institute agrees to print it out under its seal. This time, we have the hurdle that our correctors will probably hate us due to part of the work being done before we had actually agreed on some important Spanish language issues... which are different between Mexico, Argentina and Costa Rica (where translators are from).

Anyway — This sets the mood for a great start of the week. Yay! [...]



Iain R. Learmonth: Free Software Efforts (2017W40)

Sun, 08 Oct 2017 22:00:00 +0000

Here’s my weekly report for week 40 of 2017. In this week I have looked at censorship in Catalonia and had my “deleted” Facebook account hacked (which made HN front page). I’ve also been thinking about DRM on the web.

Debian

I have prepared and uploaded fixes for the measurement-kit and hamradio-maintguide packages.

I have also sponsored uploads for gnustep-base (to experimental) and chkservice.

I have given DM upload privileges to Eric Heintzmann for the gnustep-base package as he has shown to care for the GNUstep packages well. In the near future, I think we’re looking at a transition for gnustep-{base,back,gui} as these packages all have updates.

Bugs filed: #877680

Bugs closed (fixed/wontfix): #872202, #877466, #877468

Tor Project

This week I have participated in a discussion around renaming the “Operations” section of the Metrics website.

I have also filed a new ticket on Atlas, which I am planning to implement, to link to the new relay lifecycle post on the Tor Project blog if a relay is less than a week old to help new relay operators understand the bandwidth usage they’ll be seeing.

Finally, I’ve been hacking on a Twitter bot to tweet factoids about the public Tor network. I’ve detailed this in a separate blog post.

Bugs closed (fixed/wontfix): #23683

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

I have not had any free software related expenses this week. The current funds I have available for equipment, travel and other free software expenses remains £60.52. I do not believe that any hardware I rely on is looking at imminent failure. [...]



Michael Stapelberg: Debian stretch on the Raspberry Pi 3 (update)

Sun, 08 Oct 2017 20:45:00 +0000

I previously wrote about my Debian stretch preview image for the Raspberry Pi 3.

Now, I’m publishing an updated version, containing the following changes:

  • SSH host keys are generated on first boot.
  • Old kernel versions are now removed from /boot/firmware when purged.
  • The image is built with vmdb2, the successor to vmdebootstrap. The input files are available at https://github.com/Debian/raspi3-image-spec.
  • The image uses the linux-image-arm64 4.13.4-3 kernel, which provides HDMI output.
  • The image is now compressed using bzip2, reducing its size to 220M.

A couple of issues remain, notably the lack of WiFi and Bluetooth support (see wiki:RaspberryPi3 for details). Any help with fixing these issues is very welcome!

As a preview version (i.e. unofficial, unsupported, etc.) until all the necessary bits and pieces are in place to build images in a proper place in Debian, I built and uploaded the resulting image. Find it at https://people.debian.org/~stapelberg/raspberrypi3/2017-10-08/. To install the image, insert the SD card into your computer (I’m assuming it’s available as /dev/sdb) and copy the image onto it:

$ wget https://people.debian.org/~stapelberg/raspberrypi3/2017-10-08/2017-10-08-raspberry-pi-3-buster-PREVIEW.img.bz2
$ bunzip2 2017-10-08-raspberry-pi-3-buster-PREVIEW.img.bz2
$ sudo dd if=2017-10-08-raspberry-pi-3-buster-PREVIEW.img of=/dev/sdb bs=5M

If resolving client-supplied DHCP hostnames works in your network, you should be able to log into the Raspberry Pi 3 using SSH after booting it:

$ ssh root@rpi3
# Password is “raspberry”



Joachim Breitner: e.g. in TeX

Sun, 08 Oct 2017 19:08:13 +0000

When I learned TeX, I was told to not write e.g. something, because TeX would think the period after the “g” ends a sentence, and introduce a wider, inter-sentence space. Instead, I was to write e.g.\␣.

Years later, I learned from a convincing, but since forgotten source, that in fact e.g.\@ is the proper thing to write. I vaguely remember that e.g.\␣ supposedly affected the inter-word space in some unwanted way. So I did that for many years.

Until I recently was called out for doing it wrong, and that in fact e.g.\␣ is the proper way. This was supported by a StackExchange answer written by a LaTeX authority and backed by a reference to documentation. The same question has, however, another answer by another TeX authority, backed by an analysis of the implementation, which concludes that e.g.\@ is proper.

What now? I guess I just have to find it out myself.

(Figure: The problem and two solutions)

The above image shows three variants: The obviously broken version with e.g., and the two contesting variants to fix it. Looks like they yield equal results!

So maybe the difference lies in how \@ and \␣ react when the line length changes, and the word wrapping requires differences in the inter-word spacing. Will there be differences? Let’s see:

(Figures: Expanding whitespace, take 1; Expanding whitespace, take 2)

I cannot see any difference. But the inter-sentence whitespace ate most of the expansion. Is there a difference visible if we have only inter-word spacing in the line?

(Figures: Expanding whitespace, take 3; Expanding whitespace, take 4)

Again, I see the same behaviour.

Conclusion: It does not matter, but e.g.\␣ is less hassle when using lhs2tex than e.g.\@ (which has to be escaped as e.g.\@@), so the winner is e.g.\␣!

(Unless you put it in a macro, then \@ might be preferable, and it is still needed between a capital letter and a sentence period.) [...]



Daniel Pocock: A step change in managing your calendar, without social media

Sun, 08 Oct 2017 17:36:49 +0000

Have you been to an event recently involving free software or a related topic? How did you find it? Are you organizing an event and don't want to fall into the trap of using Facebook or Meetup or other services that compete for a share of your community's attention?

Are you keen to find events in foreign destinations related to your interest areas to coincide with other travel intentions?

Have you been concerned when your GSoC or Outreachy interns lost a week of their project going through the bureaucracy to get a visa for your community's event? Would you like to make it easier for them to find the best events in the countries that welcome and respect visitors?

In many recent discussions about free software activism, people have struggled to break out of the illusion that social media is the way to cultivate new contacts. Wouldn't it be great to make more meaningful contacts by attending a more diverse range of events rather than losing time on social media?

Making it happen

There are already a number of tools (for example, Drupal plugins and Wordpress plugins) for promoting your events on the web and in iCalendar format. There are also a number of sites like Agenda du Libre and GriCal who aggregate events from multiple communities where people can browse them.

How can we take these concepts further and make a convenient, compelling and global solution?

Can we harvest event data from a wide range of sources and compile it into a large database using something like PostgreSQL or a NoSQL solution or even a distributed solution like OpenDHT?

Can we use big data techniques to mine these datasources and help match people to events without compromising on privacy?

Why not build an automated iCalendar "to-do" list of deadlines for events you want to be reminded about, so you never miss the deadlines for travel sponsorship or submitting a talk proposal?

I've started documenting an architecture for this on the Debian wiki and proposed it as an Outreachy project. It will also be offered as part of GSoC in 2018.

Ways to get involved

If you would like to help this project, please consider introducing yourself on the debian-outreach mailing list and helping to mentor or refer interns for the project. You can also help contribute ideas for the specification through the mailing list or wiki.

Mini DebConf Prishtina 2017

This weekend I've been at the MiniDebConf in Prishtina, Kosovo. It has been hosted by the amazing Prishtina hackerspace community.

Watch out for future events in Prishtina, the pizzas are huge, but that didn't stop them disappearing before we finished the photos: [...]



Ricardo Mones: Cannot enable. Maybe the USB cable is bad?

Sun, 08 Oct 2017 16:17:09 +0000

One of the reasons which made me switch my old 17" BenQ monitor for a Dell U2413 three years ago was it had an integrated SD card reader. I find it very convenient to take the camera's card out, plug the card into the monitor and click on KDE device monitor's option “Open with digiKam” to download the photos or videos.

But last week, reconnecting the USB cable to the new board just didn't work, and the kernel log messages were not very hopeful:

[190231.770349] usb 2-2.3.3: new SuperSpeed USB device number 15 using xhci_hcd
[190231.890439] usb 2-2.3.3: New USB device found, idVendor=0bda, idProduct=0307
[190231.890444] usb 2-2.3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[190231.890446] usb 2-2.3.3: Product: USB3.0 Card Reader
[190231.890449] usb 2-2.3.3: Manufacturer: Realtek
[190231.890451] usb 2-2.3.3: SerialNumber: F141000037E1
[190231.896592] usb-storage 2-2.3.3:1.0: USB Mass Storage device detected
[190231.896764] scsi host8: usb-storage 2-2.3.3:1.0
[190232.931861] scsi 8:0:0:0: Direct-Access Generic- SD/MMC/MS/MSPRO 1.00 PQ: 0 ANSI: 6
[190232.933902] sd 8:0:0:0: Attached scsi generic sg5 type 0
[190232.937989] sd 8:0:0:0: [sde] Attached SCSI removable disk
[190243.069680] hub 2-2.3:1.0: hub_ext_port_status failed (err = -71)
[190243.070037] usb 2-2.3-port3: cannot reset (err = -71)
[190243.070410] usb 2-2.3-port3: cannot reset (err = -71)
[190243.070660] usb 2-2.3-port3: cannot reset (err = -71)
[190243.071035] usb 2-2.3-port3: cannot reset (err = -71)
[190243.071409] usb 2-2.3-port3: cannot reset (err = -71)
[190243.071413] usb 2-2.3-port3: Cannot enable. Maybe the USB cable is bad?
...

I was sure USB 3.0 ports were working, because I've already used them with a USB 3.0 drive, so my first thought was the monitor USB hub had failed. It seemed unlikely that a cable which has not been moved in 3 years was suddenly failing, is that even possible?

But a few moments later the same cable plugged into a USB 2.0 port worked flawlessly and all photos could be downloaded, just noticeably slower.

A bit confused, and thinking that, since everything else was working, maybe the cable had to be replaced, it happened I upgraded the system in the meantime. And luck came to the rescue, because now it works again in the 4.9.30-2+deb9u5 kernel. Looking at the package changelog it seems the fix was this: “usb:xhci:Fix regression when ATI chipsets detected”. So, not a bad cable but a little kernel bug ;-)

Thanks to all involved, especially Ben for the package update! [...]



Iain R. Learmonth: Tor Relays on Twitter

Sun, 08 Oct 2017 14:00:00 +0000

A while ago I played with a Twitter bot that would track radio amateurs using a packet radio position reporting system, tweet their location and a picture from Flickr that was taken near to their location and a link to their packet radio activity on aprs.fi. It’s really not that hard to put these things together and they can be a lot of fun. The tweets looked like this:

VK4CVL is mobile near Chapel Hill, Australia http://t.co/2dqvuqjJxQ http://t.co/q88OhtcPTX #hamradio #hamr pic.twitter.com/5gBVw3ebvq
— HamLocator (@HamLocator) June 12, 2015

This isn’t about building a system that serves any critical purpose, it’s about fun. As the radio stations were chosen essentially at random, there could be some cool things showing up that you wouldn’t otherwise have seen. Maybe you’d spot a callsign of a station you’ve spoken to before on HF or perhaps you’d see stations in areas near you or in cool places.

On Friday evening I took a go at hacking together a bot for Tor relays. The idea being to have regular snippets of information from the Tor network and perhaps you’ll spot something insightful or interesting. Not every tweet is going to be amazing, but it wasn’t running for very long before I spotted a relay very close to its 10th birthday:

esko in Finland started contributing bandwidth to the #Tor network 9 years and 51 weeks ago https://t.co/4K7aj9Jf6C
— Tor Atlas (@TorAtlas) October 7, 2017

The relays are chosen at random, and tweet templates are chosen at random too. So far, tweets about individual relays can be about age or current bandwidth contribution to the Tor network. There are also tweets about how many relays run in a particular autonomous system (again, chosen at random) and tweets about the total number of relays currently running. The total relays tweets come with a map:

There are currently 6638 #Tor relays running. https://t.co/uySyX7AlAH pic.twitter.com/BbgNGpoNtY
— Tor Atlas (@TorAtlas) October 7, 2017

The maps are produced using xplanet. The Earth will rotate to show the current side in daylight at the time the tweet is posted.

Unfortunately, the bot currently cannot tweet as the account has been suspended. You should still be able to follow @TorAtlas though and tweets will begin appearing again once I’ve resolved the suspension.

I plan to rewrite the mess of cron-activated Python scripts into a coherent Python (maybe Java) application and publish the sources soon. There are also a number of new templates for tweets I’d like to explore, including number of relays and bandwidth contributed per family and statistics on operating system diversity.

Update (2017-10-08): The @TorAtlas account should now be unsuspended. [...]



Thomas Lange: FAI 5.4 enters the embedded world

Sun, 08 Oct 2017 13:05:34 +0000


Since DebConf 17 I was working on cross-architecture support for FAI. The new FAI release supports creating cross-architecture disk images, e.g. you can build an image for Arm64 (aarch64) on a host running 64-bit x86 Linux (amd64) in about 6 minutes.

The release announcement has more details, and I also created a video showing the build process for an Arm64 disk image and booting this image using Qemu.

I'm happy to join the Debian cloud sprint in a week, where more FAI related work is waiting.

FAI embedded ARM




Chris Lamb: python-gfshare: Secret sharing in Python

Sat, 07 Oct 2017 10:12:23 +0000

I've just released python-gfshare, a Python library that implements Shamir’s method for secret sharing, a technique to split a "secret" into multiple parts. An arbitrary number of those parts are then needed to recover the original file but any smaller combination of parts is useless to an attacker.

For instance, you might split a GPG key into a “3-of-5” share, putting one share on each of three computers and two shares on a USB memory stick. You can then use the GPG key on any of those three computers using the memory stick. If the memory stick is lost you can ultimately recover the key by bringing the three computers back together again.

For example:

$ pip install gfshare

>>> import gfshare
>>> shares = gfshare.split(3, 5, b"secret")
>>> shares
{104: b'1\x9cQ\xd8\xd3\xaf', 164: b'\x15\xa4\xcf7R\xd2', 171: b'>\xf5*\xce\xa2\xe2', 173: b'd\xd1\xaaR\xa5\x1d', 183: b'\x0c\xb4Y\x8apC'}
>>> gfshare.combine(shares)
b'secret'

After removing two "shares" we can still reconstruct the secret as we have 3 out of the 5 originals:

>>> del shares[104]  # the share numbers are integer keys
>>> del shares[171]
>>> gfshare.combine(shares)
b'secret'

Under the hood it uses Daniel Silverstone’s libgfshare library. The source code is available on GitHub as is the documentation. Patches welcome. [...]
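To show why three shares recover the secret while two reveal nothing, here is an added pure-Python sketch of byte-wise Shamir sharing over GF(2^8); it is not python-gfshare's or libgfshare's code or share format. The reduction polynomial 0x11B, the share numbers 1..n and all function names are assumptions made for this illustration.

```python
import secrets


def gf_mul(a, b):
    """Multiply in GF(2^8), reducing by x^8+x^4+x^3+x+1 (0x11B, an assumption)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse: a^254 equals a^-1 for non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(threshold, count, secret):
    """Return {share_number: share_bytes}; any `threshold` shares suffice."""
    if not 2 <= threshold <= count <= 255:
        raise ValueError("need 2 <= threshold <= count <= 255")
    xs = range(1, count + 1)  # x = 0 is never used: f(0) is the secret itself
    shares = {x: bytearray() for x in xs}
    for byte in secret:
        # A fresh random polynomial of degree threshold-1 for every secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in xs:
            shares[x].append(eval_poly(coeffs, x))
    return {x: bytes(v) for x, v in shares.items()}


def combine(shares):
    """Lagrange-interpolate f(0) byte by byte from the given shares."""
    xs = list(shares)
    out = bytearray(len(shares[xs[0]]))
    for xi in xs:
        weight = 1  # l_i(0) = product over j != i of x_j / (x_j - x_i)
        for xj in xs:
            if xj != xi:
                weight = gf_mul(weight, gf_mul(xj, gf_inv(xj ^ xi)))
        for k, y in enumerate(shares[xi]):
            out[k] ^= gf_mul(weight, y)
    return bytes(out)


def two_share_views(secret_byte, x1=1, x2=2):
    """Every (y1, y2) a holder of two shares of a 3-of-n split could observe."""
    return {
        (eval_poly([secret_byte, a1, a2], x1), eval_poly([secret_byte, a1, a2], x2))
        for a1 in range(256)
        for a2 in range(256)
    }


if __name__ == "__main__":
    shares = split(3, 5, b"secret")
    kept = {x: shares[x] for x in (2, 4, 5)}
    print(combine(kept))                                   # three shares: the secret
    print(combine({x: shares[x] for x in (2, 4)}))         # two shares: unrelated bytes
    print(two_share_views(0x00) == two_share_views(0x73))  # identical views
```

The last check is the security argument in miniature: the set of share pairs an attacker can see is the same for every secret byte, so two shares carry no information about it.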



Scarlett Clark: KDE at #UbuntuRally in New York! KDE Applications snaps!

Fri, 06 Oct 2017 20:50:42 +0000


KDE at #UbuntuRally New York

I was happy to attend Ubuntu Rally last week in New York with Aleix Pol to represent KDE.
We were able to accomplish many things during this week, and that is a result of having direct contact with Snap developers.
So a big thank you out to Canonical for sponsoring me. I now have all of KDE core applications,
and many KDE extragear applications in the edge channel looking for testers.
I have also made a huge dent in making the massive KDE PIM snap!
I hope to have this done by week end.
Most of our issue list made it onto TO-DO lists 🙂
So from KDE perspective, this sprint was a huge success!




Raphaël Hertzog: My Free Software Activities in September 2017

Fri, 06 Oct 2017 08:30:46 +0000

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I was allocated 12h but I only spent 10.5h. During this time, I continued my work on exiv2. I finished reproducing all the issues and then went on doing code reviews to confirm that vulnerabilities were not present when the issue was not reproducible. I found two CVE where the vulnerability was present in the wheezy version and I posted patches in the upstream bug tracker: #57 and #55.

Then another batch of 10 CVE appeared and I started the process over… I’m currently trying to reproduce the issues.

While doing all this work on exiv2, I also uncovered a failure to build on the package in experimental (reported here).

Misc Debian/Kali work

Debian Live. I merged 3 live-build patches prepared by Matthijs Kooijman and added an armel fix to cope with the rename of the orion5x image into the marvell one. I also uploaded a new live-config to fix a bug with the keyboard configuration. Finally, I also released a new live-installer udeb to cope with a recent live-build change that broke the locale selection during the installation process.

Debian Installer. I prepared a few patches on pkgsel to merge a few features that had been added to Ubuntu, most notably the possibility to enable unattended-upgrades by default.

More bug reports. I investigated much further my problem with non-booting qemu images when they are built by vmdebootstrap in a chroot managed by schroot (cf #872999) and while we have much more data, it’s not yet clear why it doesn’t work. But we have a working work-around…

While investigating issues seen in Kali, I opened a bunch of reports on the Debian side:

  • #874657: pcmanfm: should have explicit recommends on lxpolkit | polkit-1-auth-agent
  • #874626: bin-nmu request to complete two transitions and bring back some packages in testing
  • #875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Packaging. I sponsored two uploads (dirb and python-elasticsearch).

Debian Handbook. My work on updating the book mostly stalled. The only thing I did was to review the patch about wireless configuration in #863496. I must really get back to work on the book!

Thanks

See you next month for a new summary of my activities. [...]



Ross Gammon: My FOSS activities for August & September 2017

Thu, 05 Oct 2017 19:35:12 +0000

I am writing this from my hotel room in Bologna, Italy before going out for a pizza. After a successful Factory Acceptance Test today, I might also allow myself to celebrate with a beer. But anyway, here is what I have been up to in the FLOSS world for the last month and a bit.

Debian

  • Uploaded gramps (4.2.6) to stretch-backports & jessie-backports-sloppy.
  • Started working on the latest release of node-tmp. It needs further work due to new documentation being included etc.
  • Started working on packaging the latest goocanvas-2.0 package. Everything is ready except for producing some autopkgtests.
  • Moved node-coffeeify experimental to unstable.
  • Updated the Multimedia Blends Tasks with all the latest ITPs etc.
  • Reviewed doris for Antonio Valentino, and sponsored it for him.
  • Reviewed pyresample for Antonio Valentino, and sponsored it for him.
  • Reviewed a new parlatype package for Gabor Karsay, and sponsored it for him.

Ubuntu

  • Successfully did my first merge using git-ubuntu for the Qjackctl package. Thanks to Nish for patiently answering my questions, reviewing my work, and sponsoring the upload.
  • Refreshed the gramps backport request to 4.2.6. Still no willing sponsor.
  • Tested Len’s rewrite of ubuntustudio-controls, adding a CPU governor option in particular. There are a couple of minor things to tidy up, but we have probably missed the chance to get it finalised for Artful.
  • Tested the First Beta release of Ubuntu Studio 17.10 Artful and wrote the release notes. Also drafted my first release announcement on the Ubuntu Studio website which Eylul reviewed and published.
  • Refreshed the ubuntustudio-meta package and requested sponsorship. This was done by Steve Langasek. Thanks Steve.
  • Tested the Final Beta release of Ubuntu Studio 17.10 Artful and wrote the release notes.
  • Started working on a new Carla package, starting from where Víctor Cuadrado Juan left it (ITP in Debian). [...]



Wouter Verhelst: Patching Firefox

Thu, 05 Oct 2017 14:49:21 +0000

At work, I help maintain a smartcard middleware that is provided to Belgian citizens who want to use their electronic ID card to, e.g., log on to government websites. This middleware is a piece of software that hooks into various browsers and adds a way to access the smartcard in question, through whatever APIs the operating system and the browser in question provide for that purpose. The details of how that is done differ between each browser (and in the case of Google Chrome, for the same browser between different operating systems); but for Firefox (and Google Chrome on free operating systems), this is done by way of a PKCS#11 module.

For Firefox 57, Mozilla decided to overhaul much of their browser. The changes are large and massive, and in some ways revolutionary. It's no surprise, therefore, that some of the changes break compatibility with older things.

One of the areas in which breaking changes were made is in the area of extensions to the browser. Previously, Firefox had various APIs available for extensions; right now, all APIs apart from the WebExtensions API are considered "legacy" and support for them will be removed from Firefox 57 going forward.

Since installing a PKCS#11 module manually is a bit complicated, and since the legacy APIs provided a way to do so automatically provided the user would first install an add-on (or provided the installer of the PKCS#11 module sideloads it), most parties who provide a PKCS#11 module for use with Firefox will provide an add-on to automatically install it. Since the alternative involves entering the right values in a dialog box that's hidden away somewhere deep in the preferences screen, the add-on option is much more user friendly.

I'm sure you can imagine my dismay when I found out that there was no WebExtensions API to provide the same functionality. So, after asking around a bit, I filed bug 1357391 to get a discussion started. While it took some convincing initially to get people to understand the reasons for wanting such an API, eventually the bug was assigned the "P5" priority -- essentially, a "we understand the need and won't block it, but we don't have the time to implement it. Patches welcome, though" statement.

Since having an add-on was something that work really wanted, and since I had the time, I got the go-ahead from management to look into implementing the required code myself. I made it obvious rather quickly that my background in Firefox was fairly limited, though, and so was assigned a mentor to help me through the process.

Having been a Debian Developer for the past fifteen years, I do understand how to develop free software. Yet, the experience[...]



Steve Kemp: Tracking aircraft in real-time, via software-defined-radio

Wed, 04 Oct 2017 21:00:00 +0000

So my last blog-post was about creating a digital-radio, powered by an ESP8266 device, there's a joke there about wireless-control of a wireless. I'm not going to make it.

Sticking with a theme this post is also about radio, software-defined radio. I know almost nothing about SDR, except that it can be used to let your computer "do stuff" with radio. The only application I've ever read about that seemed interesting was tracking aircraft.

This post is about setting up a Debian GNU/Linux system to do exactly that, show aircraft in real-time above your head! This was almost painless to setup.

  • Buy the hardware.
  • Plug in the hardware.
  • Confirm it is detected.
  • Install the appropriate sdr development-package(s).
  • Install the magic software. Written by @antirez, no less, you know it is gonna be good!

So I bought this USB device from AliExpress for the grand total of €8.46. I have no idea if that URL is stable, but I suspect it is probably not. Good luck finding something similar if you're living in the future!

Once I connected the Antenna to the USB stick, and inserted it into a spare slot it showed up in the output of lsusb:

$ lsusb
..
Bus 003 Device 043: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
..

In more detail I see the major/minor numbers:

idVendor 0x0bda Realtek Semiconductor Corp.
idProduct 0x2838 RTL2838 DVB-T

So far, so good. I installed the development headers/library I needed:

# apt-get install librtlsdr-dev libusb-1.0-0-dev

Once that was done I could clone antirez's repository, and build it:

$ git clone https://github.com/antirez/dump1090.git
$ cd dump1090
$ make

And run it:

$ sudo ./dump1090 --interactive --net

This failed initially as a kernel-module had claimed the device, but removing that was trivial:

$ sudo rmmod dvb_usb_rtl28xxu
$ sudo ./dump1090 --interactive --net

Once it was running I'd see live updates on the console, every second:

Hex    Flight   Altitude  Speed   Lat       Lon       Track  Messages Seen .
--------------------------------------------------------------------------------
4601fc          14200     0       0.000     0.000     0      11       1 sec
4601f2          9550      0       0.000     0.000     0      58       0 sec
45ac52 SAS1716  2650      177     60.252    24.770    47     26       1 sec

And opening a browser pointing at http://localhost:8080/ would show that graphically, like so:

NOTE: In this view I'm in Helsinki, and the airport is at Vantaa, just outside the city.

Of course there are tweaks to be made:

With the right udev-rules in place it is[...]



Daniel Silverstone: F/LOSS (in)activity, September 2017

Wed, 04 Oct 2017 12:53:18 +0000


In the interests of keeping myself "honest" regarding F/LOSS activity, here's a report, sadly it's not very good.

Unfortunately, September was a poor month for me in terms of motivation and energy for F/LOSS work. I did some amount of Gitano work, merging a patch from Richard Ipsum for help text of the config command. I also submitted another patch to the STM32F103xx Rust repository, though it wasn't a particularly big thing. Otherwise I've been relatively quiet on the Rust/USB stuff and have otherwise kept away from projects.

Sometimes one needs to take a step away from things in order to recuperate and care for oneself rather than the various demands on one's time. This is something I had been feeling I needed for a while, and with a lack of motivation toward the start of the month I gave myself permission to take a short break.

Next weekend is the next Gitano developer day and I hope to pick up my activity again then, so I should have more to report for October.




Dirk Eddelbuettel: RProtoBuf 0.4.11

Wed, 04 Oct 2017 00:28:00 +0000


RProtoBuf provides R bindings for the Google Protocol Buffers ("ProtoBuf") data encoding and serialization library used and released by Google, and deployed fairly widely in numerous projects as a language and operating-system agnostic protocol.

A new release, RProtoBuf 0.4.11, appeared on CRAN earlier today. Not unlike the other recent releases, it is mostly a maintenance release which switches two of the vignettes over to using the pinp package and its template for vignettes.

Changes in RProtoBuf version 0.4.11 (2017-10-03)

  • The RProtoBuf-intro and RProtoBuf-quickref vignettes were converted to Rmarkdown using the templates and style file from the pinp package.

  • A few minor internal upgrades

CRANberries also provides a diff to the previous release. The RProtoBuf page has copies of the (older) package vignette, the 'quick' overview vignette, a unit test summary vignette, and the pre-print for the JSS paper. Questions, comments etc should go to the GitHub issue tracker off the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.




Christoph Egger: Observations on Catalunya

Tue, 03 Oct 2017 22:17:02 +0000


Some things I don't really understand reading in German media

  • Suddenly the electoral system becomes a legitimacy problem. While it has never been a problem for any of the previous decisions of the Catalunyan regional government suddenly a "only 48% of people voted for the government" results in the decisions being illegitimate? This is also a property of many governments (Greece and the US president being obvious examples but also the German Bundestag can have a majority government without the majority of votes). Is this just the media trying to find something they can blame on "the other side"?

  • How can you ever possibly excuse violence against people peacefully and non-violently doing whatever they're doing. Sure this referendum was considered illegal (and it may be legitimate to ignore the result, or legal prosecution of the initiators) but how can that ever possibly be an excuse for half a population peacefully doing whatever they are about to do? How can you possibly claim that "both sides are to blame" for the violence? "Die Zeit" seems to be the only one with a somewhat convincing argument ("Deciding to press on despite the obviously happening violence") while "Welt", "Spiegel" and "Süddeutsche" are all trying to blame the regional government for the violence with as much of an argument as asking people to do something illegal in a totally peaceful way. Possibly an argument for legal consequences, sure -- but for violence?

Too bad I didn't keep the links / articles from Sunday night.




Reproducible builds folks: Reproducible Builds: Weekly report #127

Tue, 03 Oct 2017 18:15:32 +0000

Here's what happened in the Reproducible Builds effort between Sunday September 24 and Saturday September 30 2017:

Development and fixes in key packages

Kai Harries did an initial packaging of the Nix package manager for Debian. You can track his progress in #877019.

Uploads in Debian:

  • Chris Lamb:
      • shadow/1:4.5-1 fixing #857803.
  • Holger Levsen:
      • font-uralic/0.0.20040829-6 fixing #854362. (NMU)
      • mpack/1.6-8.2 fixing #777376. (NMU)

Packages reviewed and fixed, and bugs filed

Patches sent upstream:

  • Bernhard M. Wiedemann:
      • python-numpy build timestamp; merged
      • python-marshmallow build timestamp; merged
      • python-astropy-helpers build timestamp; merged
      • oprofile build timestamp
      • libheimdal build timestamp, hostname, username; upstream exploring alternative fixes
      • openSUSE/Qt hash table seed
      • libkolabxml/xsd ASLR memory location differences; no patch

Reproducible bugs (with patches) filed in Debian:

  • Chris Lamb:
      • #877375 filed against polygen.
      • #877381 filed against plr.
      • #877384 filed against rcs.
  • Daniel Schepler:
      • #876672 filed against e2fsprogs.
  • Vagrant Cascadian:
      • #876657 filed against device-tree-compiler and uploaded 1.4.4-1 with the patch applied.

QA bugs filed in Debian:

  • Adrian Bunk:
      • #876641 filed against pcb.
      • #876685 filed against mssh.
      • #876776 filed against fityk.
      • #876845 filed against webkit2-sharp.
      • #876870 filed against apertium-en-es.
      • #877021 filed against breathe.
      • #877031 filed against sextractor.
      • #877054 filed against hypre.
      • #877063 filed against libitpp.
      • #877065 filed against alglib.
      • #877211 filed against ipmiutil.

Reviews of unreproducible packages

103 package reviews have been added, 153 have been updated and 78 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (177)
  • Andreas Beckmann (2)
  • Daniel Schepler (1)

diffoscope development

Mattia Rizzolo uploaded version 87 to stretch-backports.

  • Holger Levsen:
      • Bump standards version to 4.1.1, no changes needed.

strip-nondeterminism development

  • Holger Levsen:
      • Bump Standards-Version to 4.1.1, no changes needed.

reprotest development

  • Ximin Luo:
      • New features:
          • Add a --env-build option for testing different env vars. (In-progress, requires the python-rstr package awaiting entry into Debian.)
          • Add a --source-pattern option to restrict copying of source_root.
      • Usability improvements:
          • Improve error messages in some common scenarios.
          • Output hash[...]



Christoph Egger: Another Xor (CSAW 2017)

Tue, 03 Oct 2017 16:40:10 +0000

A short while ago, FAUST participated in this year's CSAW qualification and -- as usual -- I was working on the Crypto challenges again. The first puzzle I worked on was called "Another Xor" -- and, while there are quite some write-ups already, our solution was somewhat different (maybe even the intended solution given how nice things worked out) and certainly interesting.

The challenge provides a cipher-text. It's essentially a stream cipher with the key repeated to generate the key stream. The plain-text was plain + key + checksum.

    p = this is a plaintextThis is the keyfa5d46a2a2dcdeb83e0241ee2c0437f7
    k = This is the keyThis is the keyThis is the keyThis is the keyThis i

Key length

Our first step was figuring out the key length. Let's assume for now the key was This is the key. Notice that the key is also part of the plain-text and we know something about its location -- it ends at 32 characters from the back. If we only take a look at the encrypted key it should have the following structure:

    p' = This is the key
    k' = he keyThis is t

The thing to notice here is that every character in the key appears both in the plain-text and in the key stream sequence. And the cipher-text is the XOR (⊕) of both. Therefore the XOR over the cipher-text sequence encrypting the key should equal 0 (⊕(p') ⊕ ⊕(k') = 0). So remove the last 32 characters and find all suffixes that result in a XOR of 0. Fortunately there is exactly one such suffix (there could be multiple) and therefore we know the key size: 67.

To put it in code, this basically is the function we implemented for this:

    def calculate(ciphertextcandidate):
        # XOR all bytes of the candidate cipher-text fragment together
        accumulator = 0
        for char in ciphertextcandidate:
            accumulator = accumulator ^ char
        return accumulator

Which, for the matching plain-text and key-stream fragments, is equal (due to the XOR encryption) to

    def calculate(plainfragment, keyfragment):
        # each cipher-text byte is plain-text byte XOR key-stream byte
        accumulator = 0
        for i in range(len(plainfragment)):
            accumulator = accumulator ^ (plainfragment[i] ^ keyfragment[i])
        return accumulator

Now XOR lets us nicely reorder this to

    def calculate(plainfragment, keyfragment):
        # pair each plain-text byte with the rotated key-stream position
        accumulator = 0
        for i in range(len(plainfragment)):
            accumulator = accumulator ^ (plainfragment[i] ^ keyfragment[(i + 6) % len(plainfragment)])
        return accumulator

And, as plainfragment[i] and keyfragment[(i + 6) % len(plainfragment)] are equal for the plain-text range encoding the key, this becomes

    def calculate(plainfragment, keyfragment):
        accumulator = 0
        for i in range(len([...]
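The key-length test described above, end to end, as an added example that is not part of the original post. The cipher is rebuilt on the post's sample plain-text and key; the MD5 hex digest used for the 32-character checksum and all function names are assumptions.

```python
import hashlib
from itertools import cycle

CHECKSUM_LEN = 32  # per the post: the key ends 32 characters from the back


def encrypt(plain, key):
    """Constructed stand-in for the challenge cipher:
    (plain + key + checksum) XOR repeated key."""
    # Assumption: an MD5 hex digest plays the 32-character checksum.
    checksum = hashlib.md5(plain + key).hexdigest().encode()
    message = plain + key + checksum
    return bytes(m ^ k for m, k in zip(message, cycle(key)))


def xor_all(data):
    """XOR every byte of data together (the post's calculate())."""
    acc = 0
    for byte in data:
        acc ^= byte
    return acc


def candidate_key_lengths(ciphertext):
    """Return every length L whose L bytes just before the checksum XOR to 0.

    The true key length is always among them: that window holds the key
    XORed with a rotation of the key, so every key byte cancels itself.
    Other lengths can match by chance, hence a list and not a single value.
    """
    body = ciphertext[:-CHECKSUM_LEN]
    candidates = []
    acc = 0
    # Grow the suffix one byte at a time, keeping a running XOR.
    for length in range(1, len(body) + 1):
        acc ^= body[-length]
        if acc == 0:
            candidates.append(length)
    return candidates


# Constructed sample input, taken from the post's illustration.
KEY = b"This is the key"
PLAIN = b"this is a plaintext"
CIPHERTEXT = encrypt(PLAIN, KEY)

if __name__ == "__main__":
    print("candidate key lengths:", candidate_key_lengths(CIPHERTEXT))
```

If more than one candidate comes back, each one has to be checked against the later steps of the attack; the post reports a single match for the real challenge.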



Christoph Egger: Looking for a mail program + desktop environment

Tue, 03 Oct 2017 15:16:34 +0000

Seems it is now almost a decade since I migrated from Thunderbird to GNUS. And GNUS is an awesome mail program that I still rather like. However GNUS is also heavily quirky. It's essentially single-threaded and synchronous which means you either have to wait for the "IMAP check for new mails" to finish or you have to C-g abort it if you want the user interface to work; you have to wait for the "Move mail" to complete (which can take a while -- especially with dovecot-antispam training the filter) before you can continue working. It has its funny way around TLS and certificate validation. And it seems to hang from time to time until it is C-g interrupted.

So when I set up my new desktop machine I decided to try something else. My first try was claws-mail which seems OK but totally fails in the asynchronous area. While the GUI stays reactive, all actions that require IMAP interactions become incredibly slow when a background IMAP refresh is running. I do have quite some mailboxes and waiting the 5+ minutes after opening claws or whenever it decides to do a refresh is just too much.

Now my last try has been Kmail -- also driven by the idea of having a more integrated setup with CalDAV and CardDAV around and similar goodies. And Kmail really compares nicely to claws in many ways. After all, I can use it while it's doing its things in the background. However the KDE folks seem to have dropped all support for the \recent IMAP flag which I heavily rely on. I do -- after all -- keep a GNUS-like workflow where all unread mail (ref \seen) needs to still be acted upon which means there can easily be quite a few unread messages when I'm busy at the moment and just having a quick look at the new (ref \recent) mail to see if there's something super-urgent is essential.
So I'm now looking for useful suggestions for a mail program (ideally with desktop integration) with the following essential features:

- It stays usable at all times -- which means smarter queuing than claws -- so foreground actions are not delayed by any background task the mail program might be up to and tasks like moving mail are handled in the background.
- Decent support for filtering. Apart from some basic stuff I need shortcut filtering for \recent mail.
- Option to hide \seen mail (and ideally hide all folders that only contain \seen mail). Hopefully toggle-able by some hotkey. "Age in days" would be an acceptable approximation, but Kmail doesn't seem to allow that in search (it[...]