Stuff I have written/presented
Submitted by gwolf on Thu, 06/05/2014 - 23:20
John states some very important reasons for people everywhere to verify the identities of those parties they sign GPG keys with in a meaningful way, and that means, not just trusting government-issued IDs. As he says, It's not the Web of Amateur ID Checking. And I'll take the opportunity to expand, based on what some of us saw in Debian, on what this means.
I know most people (even most people involved in Free Software development — not everybody needs to join a globally-distributed, thousand-people-strong project such as Debian) are not that much into GPG, trust keyrings, or understand the value of a strong set of cross-signatures. I know many people have never been part of a key-signing party.
I have been to several. And it was a very interesting experience. Fun, at the beginning at least, but quite tiring at the end. I was part of what could very well constitute the largest KSP ever in DebConf5 (Finland, 2005). Quite awe-inspiring — We were over 200 people, all lined up with a printed list on one hand, our passport (or ID card for EU citizens) in the other. Actwally, we stood face to face, in a ribbon-like ring. And, after the basic explanation was given, it was time to check ID documents. And so it began.
The rationale of this ring is that every person who signed up for the KSP would verify each of the others' identities. Were anything fishy to happen, somebody would surely raise a voice of alert. Of course, the interaction between every two people had to be quick — More like a game than like a real check. "Hi, I'm #142 on the list. I checked, my ID is OK and my fingerprint is OK." "OK, I'm #35, I also printed the document and checked both my ID and my fingerprint are OK." The passport changes hands, the person in front of me takes the unique opportunity to look at a Mexican passport while I look at a Somewhere-y one. And all is fine and dandy. The first interactions do include some chatter while we grab up speed, so maybe a minute is spent — Later on, we all get a bit tired, and things speed up a bit. But anyway, we were close to 200 people — That means we surely spent over 120 minutes (2 full hours) checking ID documents. Of course, not all of the time under ideal lighting conditions.
After two hours, nobody was checking anything anymore. But yes, as a group where we trust each other more than most social groups I have ever met, we did trust on others raising the alarm were anything fishy to happen. And we all finished happy and got home with a bucketload of signatures on. Yay!
One year later, DebConf happened in Mexico. My friend Martin Krafft tested the system, perhaps cheerful and playful in his intent — but the flaw in key signing parties such as the one I described he unveiled was huge: People join the KSP just because it's a social ritual, without putting any thought or judgement in it. And, by doing so, we ended up dilluting instead of strengthening our web of trust.
Martin identified himself using an official-looking ID. According to his recount of the facts, he did start presenting a German ID and later switched to this other document. We could say it was a real ID from a fake country, or that it was a fake ID. It is up to each person to judge. But anyway, Martin brought his Transnational Republic ID document, and many tens of people agreed to sign his key based on it — Or rather, based on it plus his outgoing, friendly personality. I did, at least, know perfectly well who he was, after knowing him for three years already. Many among us also did. Until he reached a very dilligent person, Manoj, that got disgusted by this experiment and loudly denounced it. Right, Manoj is known to have strong views, and using fake IDs is (or, at least, was) outside his definition of fair play. Some time after DebConf, a huge thread erupted questioning Martin's actions, as well as questioning what do we trust when we sign an identity document (a GPG key).
So... We continued having traditional key signing parties for a couple of years, although more carefully and with more buzz regarding these issues. Until we finally decided to switch the protocol to a better one: One that ensures we do get some more talk and inter-personal recognition. We don't need everybody to cross-sign with everyone else — A better trust comes from people chatting with each other and being able to actually pin-point who a person is, what do they do. And yes, at KSPs most people still require ID documents in order to cross-sign.
Now... What do I think about this? First of all, if we have not ever talked for at least enough time for me to recognize you, don't be surprised: I won't sign your key or request you to sign mine (and note, I have quite a bad memory when it comes to faces and names). If it's the first conference (or social ocassion) we come together, I will most likely not look for key exchanges either.
My personal way of verifying identities is by knowing the other person. So, no, I won't trust a government-issued ID. I know I will be signing some people based on something other than their name, but hey — I know many people already who live pseudonymously, and if they choose for whatever reason to forgo their original name, their original name should not mean anything to me either. I know them by their pseudonym, and based on that pseudonym I will sign their identities.
But... *sigh*, this post turned out quite long, and I'm not yet getting anywhere ;-)
But what this means in the end is: We must stop and think what do we mean when we exchange signatures. We are not validating a person's worth. We are not validating that a government believes who they claim to be. We are validating we trust them to be identified with the (name,mail,affiliation) they are presenting us. And yes, our signature is much more than just a social rite — It is a binding document. I don't know if a GPG signature is legally binding anywhere (I'm tempted to believe it is, as most jurisdictions do accept digital signatures, and the procedure is mathematically sound and criptographically strong), but it does have a high value for our project, and for many other projects in the Free Software world.
So, wrapping up, I will also invite (just like John did) you to read the E-mail self-defense guide, published by the FSF in honor of today's Reset The Net effort.
Submitted by gwolf on Tue, 05/27/2014 - 10:04
The picture explains it much better than what I ever could.
Submitted by gwolf on Sat, 05/17/2014 - 16:49
Yesterday night, we had the opportunity to have –for the first time– my friend Kaz as a guest in my Operating Systems class. We are about to finish the semester, and he took the opportunity not just to show how the Ext4 filesystem is structured, but how it is implemented in a current Linux release.
Kaz took a very different approach from what I do: He did it really hands-on, starting with the explanation on how a hello world module would be created, and then digging in following the code of the ext4 module in Linux 3.14 (and some bits in the general filesystem-related includes).
Of course, for a ~2hr session, he did not go into the full details, but did show where the main structures of a filesystem are defined, including a general walkthrough on the general kernel coding style.
The class was very enjoyable and clear. We had the bad luck of the projector's lamp burning out at the beginning of the class, but still, you can see in the pictures the students were really into his exposition. I think the exposition did make it through and got the students involved and interested — And that makes it really worth it!
Now... Sadly, due to a (most probably) human factor, I tried to record this talk but lost most of it :-( I have only the first part, but lost most of the second one. I have some bits recorded by a second camera, but have to check if they make sense by themselves, or do need the whole context. Anyway, I'll be reviewing those bits, and will update this post when I get around to cleaning+fixing+integrating them.
Submitted by gwolf on Sat, 05/17/2014 - 15:05
Shame on me... I should have uploaded this video a long time ago. I wanted to edit this video to remove pauses, add some in-band indications on who and what it is, and stuff... But after a month, I have not yet got around to do it.
On April 23, I invited César Yáñez to present a talk on virtual memory management to my students (for the Operating Systems class). As always (this is the third time I invite him — The previous iteration was on process scheduling, and is on my site as well), he gave a great class.
I still have some pending videos to upload from the other guests we had this semester, they should come shortly.
Submitted by gwolf on Mon, 05/05/2014 - 12:37
I was invited to give a talk at a local conference, OS-UPIITA. I have been invited to this conference before, and will gladly be there again. But I was recently pointed at the invitation poster they are distributing (which I reproduce here for your convenience) — And I must make a couple of corrections here:
But anyway, I will be very happy to be there, and believe me, am working to come up with a good talk.
OS-UPIITA friends: Please correct your online banners carrying this wrong data.
[update] OS-UPIITA changed the poster! I'm just keeping this one for the memory ;-)
[update 2] I was there, and gave the talk. And it was even a success, yay! \o/ Care to see it? Here is the presented material.
Submitted by gwolf on Tue, 04/29/2014 - 13:15
I have heard many good things about Docker, and decided to give it a spin on my systems. I think application-level virtualization has a lot to offer to my workflow...
But the process to understand and later adopt it has left me somewhat heart-torn.
Docker is clearly great technology, but its documentation is... Condescending and completely out of line with what I have grown used to in my years using Linux. First, there is so much simplistic self-praise sprinkled throughout it. There is almost no page I landed on that does not mention how user-friendly and user-centric Docker's commandline arguments are — They let you talk in almost plain1 English. What they don't mention is that... Well, that's the way of basically every command-line tool. Of course, as soon as you start specifying details to it, the plain-Englishness starts dilluting into a more realistic English-inspiredness...
Then... Things that go against our historical culture. It is often said that Windows documentation tends to be repetitive because users don't have the patience to read a full document. And our man pages are succint and to the point, because in our culture it is expected that users know how to search for the bit of information they are after. But reading documentation that's so excited with itself and praises again and again the same values and virtues, but never gets to the point I am interested in getting at (be it deployment, interoperation, description of the in-disk images+overlays layout, or anything moderately technical) never gets there... makes me quite unhappy.
Last (for now)... Such a continuous sales pitch, an insistence on the good virtues, makes me wary of something they might be hiding.
Anyway, at least for now, I just wanted to play a bit with it; I will wait at least until there is a backport to the stable Debian version before I consider moving my LXC VMs setup over to Docker (and a backport does not seem trivial to achieve, as Docker has several updated low-level dependencies we are unlikely to see in Wheezy).
But I had to vent this. OK, now go back to your regular work ;-)
Submitted by gwolf on Wed, 04/23/2014 - 09:26
Ok, so the day has come: Today begins the much awaited Drupal Camp Mexico City, yay!
For those that cannot make it to Mexico City, I
As for the talks schedule, here you have it. Yes, today my workmate and I will be giving a simple introduction to having a useful basic Drupal install. Today is the tutorials / workshops / BoF / hackathon day, and Thursday and Friday will be the more traditional talks days. Several of the talks on Thursday are grouped under the SymfonyDay track and will refer to the framework that serves as a base for Drupal 8.
Anyway, for the Tweetheads among the readers of this post, I understand information will flow under the #DrupalCampMX tag.
Submitted by gwolf on Thu, 04/03/2014 - 20:16
I woke up to the news that, after a very short tenure, Brendan Eich steps down as the Mozilla CEO.
Why? Because of the community outcry. Because some years ago, Eich pubilcly supported (and donated funds) the ban of any kind of marriages in California that were not between a man and a woman. The world has advanced enormously in this regard in the last years/decades, and so many individuals and organizations opposed and announced they would boycott Mozilla that either him or Mozilla could not stand the pressure anymore.
So, of course, it's sad the person had to resign. Many people talked about freedom of speech, freedom of harbouring his own personal opinion — But when it comes to the rights of minorities, particularly of minorities that have suffered such hard prejudice and abuse as the gay, lesbian and all the other non-orthodox sexual- and gender- orientations, righting a wrong is much more important than preserving an individual's freedom of opinion. Besides, it's not just thinking or talking about something — The concrete proposition Eich supported (and eventually made him resign) is about bringing the life of thousands of people to a hellish state of uncertainty, and going back to not having a way for the society to legally recognize their way of being, their love, their lifes.
But anyway — What prompts me into writing this is that, once again, the Free Software (and related denominations) community has shown that a set of core values, seemingly shared by a very large amount of our own people with no coordination or correlation with what conforms us as a community (and thus, being emergent traits), are strong enough to create a critical mass, to achieve cohesion. And that ours is not just a technical community of people writing software at all layers of the stack, but –first and foremost– is a group of social activists, committed to making the world better.
I will quote from Matthew Garrett's post on this topic, clearly more contundent and thorough that what I'm trying to come up with:
Submitted by gwolf on Thu, 04/03/2014 - 08:30
We are organizing a DrupalCamp in Mexico City!
As a Drupal user, I have so far attended two DrupalCamps (one in Guadalajara, Mexico, and one in Guatemala, Guatemala). They are –as Free Software conferences usually are– great, informal settings where many like-minded users and developers meet and exchange all kinds of contacts, information, and have a good time.
Torre de Ingeniería
This year, I am a (minor) part of the organizing team. DrupalCamp will be held in Torre de Ingeniería, UNAM — Just by Facultad de Ingeniería, where I teach. A modern, beautiful building in Ciudad Universitaria.
So, who is this for? You can go look at the accepted sessions, you will find there is a lot of ground. Starting from the very introduction to how Drupal is structured and some tips on how to work with it (delivered by yours truly), through workflows for specific needs, to strong development-oriented talks. The talks are structured along four tracks: "Training", "Theming", "Development", "Business" and "SymfonyDay".
Drupal is a fast-evolving Free Software project. Most users are currently using versions 6 and 7, which are as different between each other as day and night... But the upcoming Drupal 8 brings even greater changes. One of the most interesting changes I can see is that Drupal will now be based on a full MVC framework, Symfony. One of the days of our DrupalCamp will be devoted to Symfony (dubbed the Symfony Day).
...And... Again, just look at the list of talks. You will find a great amount of speakers interested in coming here. Not just from Mexico City. Not just from Mexico. Not just from Latin America. I must say I am personally impressed.
Of course, as with any volunteer-run conferences: We are still looking for sponsors. We believe being a DrupalCamp sponsor will greatly increase your brand visibility in the community you want to work with. There are still a lot of expenses to cover to make this into all that we want. And surely, you want to be a part of this great project. There are many sponsor levels — Surely you can be part of it!
Submitted by gwolf on Thu, 03/27/2014 - 12:28
So a good friend of mine talked about something in the debian-private mailing list. And we should not disclose that something outside such a sensible space without his approval.
But Jakub is right. Once the discussion goes over to only messages talking about non-private stuff, the discussion should be moved to a non-private area. After all, we will not hide problems yada yada, right?
So, not knowing where in the Debian lists this should go to, it will land on my blog, reformatting mail to make sense in this media:
Submitted by gwolf on Sat, 03/15/2014 - 22:10
As I posted some weeks ago, I have been playing with my CuBox-i4Pro, a gorgeous little ARM machine by SolidRun, built around an iMX6 system-on-a-chip.
My first stabs at using it resulted in my previous post on how to get a base, almost-clean Debian distribution to run (Almost? Yes, the kernel requires some patches not yet accepted upstream, so I'm still running with a patched 3.0.35-8 kernel). After writing this step by step instructions, I followed them and built images ready to dd to a SD card and start running (available at my people.debian.org space.
Now, what to do with this little machine? My version is by no means a limited box: 4 ARM cores, 2GB RAM make a quite decent box. In my case, this little machine will most likely be a home storage server with little innovation. However, the little guy is a power server, at only 3W consumption. I wanted to test its capabilities to do some number crunching and aid some of my friends — The obvious candidate is building a Blender render farm. Right, the machines might be quite underpowered, but they are cheap (and look gorgeous!), so at least it's worth playing a bit!
Just as a data point, running on an old hard disk (and not on my very slow SD card), the little machine was able to compile the Blender sources into a Debian package in 89m13.537s, that is, 5353 seconds. According to the Debian build logs (yes, for a different version, I tried with the version in Wheezy and in a clean Wheezy system), the time it took to build on some other architectures' build daemons was 1886s on i386, 1098s on PowerPC, 2003s on AMD64, 11513s on MIPS and 27721 on ARMHF. That means, my little machine is quite slower than desktop systems, but not unbearably so.
But sadly, I have hit a wall, and have been unable to do any further progress. Blender segfaults at startup under the Debian armhf architecture. I have submitted bug report #739194 about this, but have got no replies to it yet. I did get the great help from my friends in the OFTC #debian-arm channel, but they could only help up to a given point. It seems the problem lies in the Python interpreter in armhf, not in Blender itself... But I cannot get much further either. I'm sending this as a blog post to try to get more eyeballs on my problem — How selfish, right? :-)
So, slightly going over the bug report, blender just dies at startup:
After being told that strace is of little help when debugging this kind of issues, I went via gdb. A full backtrace pointed to what feels like the right error point:
I'm not pasting here the full bug history (go to the bug report for the full information!), but it does point me to this being a problem in Python-land: It points to something not found at line 59 of Python/errors.c. And what I understand from that line is that some kind of unknown exception is thrown, and the Python interpreter does not now what to do with it. The check done at line 59 is the if (exception != NULL ** ....:
So... Dear lazyweb: Any pointers on where to go on from here?
Submitted by gwolf on Mon, 03/03/2014 - 13:09
I have just pushed our pseudo-monthly batch of keyring updates to Debian. I am happy to inform you that, while the situation described in Clint Adams' interesting assessment of the state of the Debian keyring (and the quite constructive conversation that followed) still holds, and we still have way too many weak (1024D) keys in the Debian keyring, we got a noticeable effect as a result of said thread: 20 key upgrade requests in somewhat over a one week period! (mostly from DDs, with two from DMs IIRC).
So, for any DD or DM reading this and not following the debian-project list where this thread took place:
As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use. 1024D keys should be seen as brute-force vulnerable nowadays. Please do migrate away from them into stronger keys (4096R recommended) as soon as possible.
If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement.
If you do not yet have a 4096R key, create a new one as soon as possible and get some signatures on it. Once ≥2 DDs have signed it, please request us to replace your old key. If you cannot get to meet two DDs in person, please talk to us and we will find out what to do.
Submitted by gwolf on Sat, 02/15/2014 - 11:03
For those of you who didn't yet know it: My mother is a painter. A serious, professional, respected painter. But she sometimes goes to the funny side as well — Of course, with all due professionalism!
So, she gave us this great gift: She took one of our pictures from DebConf12 (from the "Conference Dinner" night), and painted it. Real size even!
So, next time you come to our house, even if we are not around to greet you, we will be glad to welcome you to the Residence!
Submitted by gwolf on Sun, 02/02/2014 - 11:44
Somewhere back in August or September, I pre-ordered a CuBox-i — A nicely finished, completely hackable, and reasonably powerful ARM system, nicely packaged and meant to be used to hack on. A sweet deal!
There are four models (you can see the different models' specs here) — I went for the top one, and bought a CuBox-i4Pro. That means, I have a US$130 nice little box, with 4 ARM7 cores, 2GB RAM, WiFi, and... well, all of its basic goodies and features. For some more details, look at the CuBox-i block diagram.
I got it delivered by early January, and (with no real ARM experience on my side) I finally got to a point where I can, I believe, contribute something to its adoption/usage: How to get a basic Debian system installed and running in it.
The ARM world is quite different to the x86 one: Compatibility is much harder, the computing platform does not self-describe properly, and a kernel must first understand how a specific subarchitecture is before being able to boot on it. Somewhere in the CuBox forums (or was it the IRC channel?) I learnt that the upstream Linux kernel does not yet boot on the i.MX6 chip (although support is rumored to be merged for the 3.14 release), so I am using both a kernel and an uBoot bootloader not built for (or by) Debian people. Besides that, the result I will describe is a kosher Debian install. Yes, I know that my orthodox friends and family will say that 99% kosher is taref... But remember I'm never ever that dogmatic. (yeah, right!)
[update]: Read on if you want to learn the process. If you just want to get the image and start playing with your box, you can go ahead and download it from my people.debian.org space.
Note that there is a prebuilt image you can run if you are so inclined: In the CuBox-i forums and wiki, you will find links to a pre-installed Debian image you can use... But I cannot advise to do so. First, it is IMO quite bloated (you need a 4GB card for a very basic Debian install? Seriously?) Second, it has a whole desktop environment (LXDE, if I recall correctly) and a whole set of packages I will probably not use in this little box. Third, there is a preinstalled user, and that's a no-no (user: debian, password: debian). But, most importantly, fourth: It is a nightly build of the Testing (Jessie) suite... Built back in December. So no, as a Debian Developer, it's not something we should recommend our users to run!
So, in the end and after quite a bit of frustration due to my lack of knowledge, here goes the list of steps I followed:
So, how big is this minimal Debian installed system? I cheated a bit on this, as I had already added emacs and screen to the system, so yours will be a small bit smaller. But anyway — Lets clear our cache of downloaded packages, and see the disk usage information:
So, instead of a 4GB install, we have a 228MB one. Great improvement!
For this first boot, and until you set up a way to automatically (or configure it to be static) determine the network configuration, you can use dhclient eth0 to request an IP address via the wired network port (configuring the wireless network is a bit more involved; I suggest you install the wicd-curses package to help on that regard). With the network working, update the Debian package lists:
# apt-get update Get:1 http://http.debian.net wheezy Release.gpg [1672 B] Get:2 http://http.debian.net wheezy Release [168 kB] Get:3 http://http.debian.net wheezy/main Sources [5956 kB] Get:4 http://http.debian.net wheezy/main armhf Packages [5691 kB] Get:5 http://http.debian.net wheezy/main Translation-en [3849 kB] Fetched 15.7 MB in 1min 27s (180 kB/s) Reading package lists... Done Reading package lists... Done Building dependency tree... Done Calculating upgrade... Done 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Yay, all of Debian is now at your fingertips! Now, lets get it to do something useful, in a most Debianic way!
[note]: I have tried to keep this as true as possible to the real install. I have modified this text every now and then, looking at ways to make it a little bit better. So, excuse me if you find any inconsistencies in the instructions! :)
[update]: I finally followed through the instructions again and produced a downloadable image, where I did all of this work, and you can just download it and play with your CuBox-i! You can download it from my people.debian.org space. You will find there instructions on how to get it installed.
Submitted by gwolf on Thu, 01/23/2014 - 13:34
I am not (yet?) reporting this as a bug as this happened with a several days old session open, and just while I was upgrading my Sid system, after a long time without doing so (probably since before the vacations started... In December 2013). But I cannot avoid sharing this interesting screenshot.
(Hey, and FWIW... Why is the online copy of the Debian policy still in iso-8859-1‽ It's not 1995 anymore...)
[update] Of course, it's the default font, not only the Debian policy. Just as an example, the following text:
Yields the following output:
[update 2] And, of course, after finishing the update process... I got a new version of Iceweasel. Restarted it, and everything is back to normal :-}
Random Acidfree items
Talks, papers and documents by category
Blog posts by category