English language planet


Marcos Marado The SSH/SSL vulnerability: what you should know
I wasn't going to post about this, but it seems that, for my own sanity, I must. As you might know by now, a Debian Security Advisory came out, talking about a problem that affected the OpenSSL package, not only for Debian but for its derivatives too, like Ubuntu.

My first two remarks, and probably the most important ones for my thoughts about this issue:
  • If what you know about this issue is what you read on Slashdot, YOU'RE WRONG. Even the news itself is wrong, and the comments are clueless, written by people that don't know shit about what they are talking about. Worse than useless, that story on /. is disinformative.
  • If you think that this issue only affects users of Debian and Debian-derivatives, think twice. Any Linux/Unix/*BSD system that grants access to a key generated on an affected Debian or Ubuntu system is vulnerable. Erich has a simple yet good explanation of why.


Now, my stand on the issue: if you really feel the need to mock, criticize or otherwise comment about this issue, do yourself and me a favour, and avoid making a fool of yourself. In other words, find out what really happened, what this is all about, and make your own opinion based on facts, instead of just falling into the absurdity that spread around, saying silly stuff like "Debian does not contribute to upstream" (what a joke, did you ever read the Debian Social Contract?), or "Debian shouldn't make security fixes". As a matter of fact, John Goerzen wrote an interesting article about some of those things and why they are wrong.

So, to help you a little, here's a small list of articles you might want to read about the issue:


Yes, it was an unfortunate thing to happen. So, go fix your stuff and leave me alone.
Posted Thu May 15 15:20:00 2008
Wolfgang Lonien Ok; this IS bad

You may have heard of it: I’m speaking about DSA-1571-1. Read more about it on the pages “Key Rollover”, or “SSLkeys”.

And no, I don’t put it off lightly, like tuxchick did lately, nor do I blame any Debian people or anyone else - we’re only human, after all. But think about the consequences, like Erich did.

For me, that meant for instance that with fixing my setups on my local and remote Etch systems, I had to take care not to lock myself out of my older (and not vulnerable) Sarge servers with just generating new keys. The same applies if you made keys and used them for instance in your OpenWrt (or other) routers. Or for (SSL-) certificates. Or Tor. The possibilities are endless.

It’s even an issue if you set up a new Ubuntu Hardy system with the shiny new CDs which come fresh out of Canonical’s shop - the host keys are generated before you’ll get any updates over the network!

Maybe that is why Steinar explains the maths to us, why Daniel calls it the “Worst Debian day ever”, or why Steve thinks that “Fixing this will take years, probably”. And it affects half of the world, though most end users probably won’t be thinking about the large number of servers which run their services (I bet most people still don’t know that each and every email or chat or whatever runs through Debian servers somewhere out there).

But, like Michal said, “Everything bad is good for something” - so let’s roll up our sleeves and get to work. I’m halfway through already, I hope. Let’s see if I forgot something…

So - for all the sysadmins out there: think twice, and then again. And for the end users who rely on someone else (like an ISP or some “managed hosting”) to run their stuff: ask them if they heard about DSA-1571-1.

Posted Thu May 15 01:24:02 2008
Jean-Christophe Dubacq Openssl bug specific to Debian.

Following the security problem on openssl/openssh specific to Debian (apparently, a lack of randomness in the generation of the keys for the whole OpenSSL library), it is time to renew your SSL certificates and SSH keys (a bit of cleaning). Why not turn it into the occasion to test a new certificate with the capability of answering to different names (with only one certificate and IP), as explained here? It will certainly not help the progression of my patch for OpenSSH (which did not show much progress anyhow since it was submitted upstream...) :-(

I will not give much more info, it runs the blogosphere; however, in one line for openssh-server it is sufficient to do sudo rm /etc/ssh/ssh_host*key*;dpkg-reconfigure -plow openssh-server. But most of all, do not forget to do the upgrade before! (0.9.8g-9 for sid, 0.9.8c-4etch3 for stable).

[Update] A link that I find interesting about the whole thing.

Posted Tue May 13 20:45:12 2008
Evgeni Golov SSH Keys removed Due to a weakness in OpenSSL's random number generator, SSH keys have been removed on Alioth, and SSH logins through public-key authentication have been disabled. The latter will be restored when some safeguards have been set up so that insecure keys are not re-installed. Please upgrade your OpenSSL libraries as per the Debian Security Advisory #1571, then ensure your keys are safe (or, preferably, generate new keys), then install them on your account management page.

Thanks :/
Will go and regenerate my SSH keys NOW.

Well, regenerated, but cannot upload to alioth:
Secure Connection Failed
alioth.debian.org uses an invalid security certificate.
The certificate expired on 11.05.2008 20:43.
...
Posted Tue May 13 13:54:15 2008
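The notice above asks everyone to "ensure your keys are safe" before re-installing them. As an added example (not code from any of the posts above, nor from Alioth or Debian), here is a small Python audit that walks an authorized_keys file, computes each key's OpenSSH-style MD5 fingerprint, and flags entries whose fingerprint is on a blacklist of known-weak keys or whose blob does not even decode. The key blobs, the sample file and the blacklist are all constructed inside the script; in a real deployment the blacklist would be loaded from the data Debian distributed for this advisory (an assumption about deployment, not something the posts describe).

```python
"""Flag OpenSSH public keys whose fingerprint appears in a blacklist of known-weak keys.

Added illustration, not code from any of the posts: the blacklist and the key
blobs below are constructed for the demo.
"""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(data)) + data


def make_rsa_blob(modulus: bytes, exponent: bytes = b"\x01\x00\x01") -> str:
    """Build a base64 ssh-rsa public key blob from raw mpint bytes.

    Constructed test data: only the wire layout is correct, the numbers are not a real key.
    """
    raw = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return base64.b64encode(raw).decode("ascii")


def fingerprint_md5(b64_blob: str) -> str:
    """OpenSSH-style MD5 fingerprint: md5 of the decoded blob as colon-separated hex
    (the format `ssh-keygen -l` printed in 2008)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys(text: str):
    """Return (lineno, key_type, blob, comment) for each key line.

    Blank lines and comments are skipped. An options field such as
    from="10.0.0.0/8",no-pty may precede the key type, so the key type is
    located by scanning tokens rather than assumed to be the first one.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for idx, tok in enumerate(fields):
            if tok in KEY_TYPES and idx + 1 < len(fields):
                entries.append((lineno, tok, fields[idx + 1], " ".join(fields[idx + 2:])))
                break
    return entries


def audit(text: str, blacklist) -> list:
    """Return [(lineno, fingerprint_or_reason, comment)] for entries that must not stay installed:
    blacklisted fingerprints, plus blobs that do not decode (an operator should look at both)."""
    flagged = []
    for lineno, _ktype, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint_md5(blob)
        except (binascii.Error, ValueError):
            flagged.append((lineno, "undecodable-blob", comment))
            continue
        if fp in blacklist:
            flagged.append((lineno, fp, comment))
    return flagged


# --- constructed sample data -------------------------------------------------
GOOD_BLOB = make_rsa_blob(b"\x00" + bytes(range(1, 65)))      # stands in for a sound key
WEAK_BLOB = make_rsa_blob(b"\x00" + bytes(range(64, 0, -1)))  # stands in for a key from the broken PRNG

# A real blacklist would come from the advisory's published data; here it is
# seeded with the constructed "weak" key so the demo has something to catch.
BLACKLIST = frozenset([fingerprint_md5(WEAK_BLOB)])

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-rsa " + GOOD_BLOB + " alice@laptop",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + WEAK_BLOB + " bob@etch-box",
    "ssh-rsa not-base64!! dave@typo",
    "",
])

if __name__ == "__main__":
    for lineno, what, who in audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: {what} ({who})")
```

The same `fingerprint_md5` works on the contents of a host key's `.pub` file, so the check can be run over `/etc/ssh/ssh_host_*_key.pub` as well as over user keys. Matching on the fingerprint rather than on the key bytes keeps the blacklist small and lets it be compared against what `ssh-keygen -l` prints by hand.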
Andrew Donnellan The Budget

Swannie’s done well for his first budget. There’s really not much I can say. All the decisions seem pretty sensible. The investment funds also seem to be a good idea, expanding on HEEF, the Telecom Fund and so on.

Now to see how Nelson and Turnbull respond. Oh, he’s on now. Oh, he’s spending more is he? Please explain. Spending on Howard-era programs being cut? How very unexpected. Increasing taxes that mostly affect the rich? Well, to me, that’s a good idea, when he’s cutting income taxes that affect the less wealthy.

The only real criticism I can make is the lack of funds for climate change. $2.3bn isn’t very much, unfortunately. I would have also thought a Climate Change Fund would be useful, and means-testing the solar rebate probably isn’t worth the savings.

Posted Tue May 13 10:28:03 2008
Martin F. Krafft America does not exist, they never found it

From Berne, the Swiss capital, hails a band I really like by the name of Züri West. The name itself is a pun: the folks from Berne love their city (rightfully so!) and join the rest of Switzerland in looking down a bit upon Zurich, which is “metropolitan” and “hip” and has often been considered the real capital of Switzerland. Located west of Zurich, Berne is thus “Züri West”, and by using this name, the Bernese band ridicules the Zurich folks a bit. Well, that’s my interpretation anyway and I make no claim over its correctness, and I surely don’t want to get mixed up in local politics!

Where was I? Oh yeah: Züri West (Flash-using homepage) make rock music, and they’re good with their instruments. The result are groovy and melodic sounds, which everyone in Switzerland knows.

What I find particularly amazing about this band are their lyrics. Kuno, the singer, sings almost all songs in the Bernese dialect, which I’ve learnt to the point of understanding it, though I can’t speak it yet. It’s a beautiful dialect, and Kuno displays magnificent control over it.

When I say beautiful, I do not only mean its sound, but also the way it allows one to express thoughts, situations, feelings, etc. It’s very lyrical, often poetic, but always very much to the point. It sounds natural, yet not at all blunt.

In addition, Züri West’s songs display no haste. Again, this is a bit ironic since the Bernese are said to be slow, but what I mean is that the band is unafraid to take their time to recount what they have to say. Forget 4/4 beats and verse-chorus-bridge-verse-chorus, it’s a lot more as if the band shaped the music around the story they’re telling.

(Of course I have no reason to claim that the Bernese are actually slow. According to my dear (Bernese) friend Isabel, they are just considerate to give the rest of the world enough time to parse and understand their sophisticated verbal and non-verbal output).

I won’t be able to convey all of the lyrical beauties of their music to you, but what I want to do is translate my favourite of their songs, which is based on a story by Peter Bichsel and it’s called “America does not exist”.

Keep in mind that their version rhymes, which I won’t be able to achieve in the translation. I’ll try to keep the flow though. Imagine a jazzy, slightly Latin groove to it. And it’s sung, not spoken.

This is the story of Colombo
not the one from the TV show
but of a guy who once lived in Spain
and who was a bit of a freak
capable of nothing
and always telling weird stuff
without giving it much thought
until one day someone told him: you’ve got to learn a trade
you have to live your life
nobody takes you for real like this
and most just laugh about you
what are the options
he asked - what do you do
I’m an explorer - the other guy said
I sail my ship out to the sea
through the various parts of the globe
that sounds very interesting - I’d like that too
and so Colombo said - I’ll become a famous explorer

And he told it to everyone
and everyone just started laughing
and he said: just wait and see
and the people didn’t believe him
and he got sulky
and the people almost died laughing
and he left the town
and hid somewhere in the forest
where he remained for 13 weeks - 13 weeks in the shrubs
and the people searched and felt ashamed
and no one knew where he might be
and no one laughed anymore when suddenly on a wonderful morning he was back
then everyone rejoiced
and when he said: I told you so
I discovered a new land
it’s out there somewhere in the sea
then everyone listened
and was kind to him
and tried hard to make some dreadfully serious faces

The explorer from the first verse
Amerigo Vespucci is his name
just happened to be in town
and said: good for you, but I won’t believe you until I see it myself
and went off to set sail immediately
and after exactly 13 weeks and a day and a night he was finally back
and the people all went down to the port
and Colombo was nervous, almost ill because he had lied
and he was horribly frightened
and pale
and looked no one in the eyes

But Vespucci smiled and stood in front of the people
and blinked at Colombo and told that he had found it
and Colombo was so glad that he didn’t tell on him
and called out Amerigo Amerigo and the people joined in

And Colombo became famous and until the end of his days
he was never actually sure and never dared to ask
whether America really existed
over time, more people went there and when they came back
they told stories and they tell the same stories until today
and no one knows anything more than he knew before
and everyone saw exactly the same
and that sounds very dodgy
and tastes a bit like screenplay and Hollywood

America doesn’t exist
they never found it
America doesn’t exist
it’s all just a tale
America doesn’t exist
it’s all lies and made up
America doesn’t exist
America is just a rumour

NP: Züri West: Züri West

Posted Sat May 10 10:30:47 2008
Martin F. Krafft Adding VCS information to the Zsh prompt

I was excited by Pierre’s idea to add Git branch information to the Zsh prompt and even more so when I saw Mike implement support for multiple VCSs.

Unfortunately, Mike’s a Bash user, and so I took it upon myself to port the idea to Zsh. The file 60vcsprompt is sourced from my .zshrc, which sets psvar[1] through psvar[3]. Those are then used in 80prompt (also sourced from .zshrc) when setting $PS1.

My prompt follows the same principle as Mike’s and puts the branch name at the repository root location in the repository path. In the following example, ~, ~/code, and ~/code/netconf/netconf are three separate Git repositories, while ~/code/unionfs-fuse and ~/code/unperish are maintained with Mercurial and Bazaar respectively:

lapse:~|master|% cd code
lapse:~/code|master|% cd netconf 
lapse:~/code|master|netconf% cd netconf
lapse:..e/netconf/netconf|master|% cd src
lapse:..etconf/netconf|master|src% git checkout no-threads
Switched to branch "no-threads"
lapse:..nf/netconf|no-threads|src% cd ../../../unionfs-fuse 
lapse:../unionfs-fuse|hg:default|% cd ../unperish
lapse:..unperish|bzr:unperish@159|%

You’ll notice that unlike Mike’s prompt, mine’s limited to a maximum length of 25 characters. However, the repository root path is kept at least 10 characters long, so the prompt might get longer than 25 characters if you descend deep into a repository’s subdirectories.

I couldn’t easily figure out how to add support for other version control systems, so if you do, please feed back the patches! And the same goes for suggestions and improvements.

One of the next things I am planning to implement is an indicator for when your working tree contains uncommitted changes, e.g.:

lapse:..etconf/netconf|master|src% touch foo
lapse:..tconf/netconf|master*|src%

So watch those files.

NP: Gazpacho: Bravo

Posted Tue May 6 23:18:47 2008
Martin F. Krafft How launchpad got it wrong

A common rant against Launchpad is that it’s closed: the code is proprietary, and Canonical doesn’t give raw access to the data they collect via the interface. Anyway, other people have taken up this issue, and it’s not the point of this post to do so.

I’ve heard two arguments why Launchpad is closed: first, it’s a test bed for a product, which Canonical hopes to market to commercial entities to manage their own release cycles. And second: it’s purposely cross-project and tries to integrate and link between them. Thus, lots of instances of Launchpad would defeat the point.

I’ll address these points in turn, starting from the back:

I won’t deny a “pre-trend” towards (back to) “mainframe-like” computing, with Google, Amazon, and others providing rent-a-computer-cycle services. In addition, environmental concerns cast clouds over the 400W heating appliance under your desk, which happens to run your word processor and browser when it doesn’t lose track of its countless spare cycles. Yet, I maintain that centralised services, such as Launchpad, are a thing of the past.

If you ask me, Launchpad got it wrong, even though it’s light years further than its predecessors. It features pleasant graphics and obviously has had lots of smart thinking and experience shoved into it, but it’s still centralised. It might be a business case, but it’s not what the world needs.

We’ve seen massive growth of decentralised approaches to classic services, from file sharing to version control, from number crunching to simple web browsing, and yet, there’s Launchpad, single point of entry (and failure) to the world of data surrounding Free software (at least if you follow their vision).

What we need is something as slick as Launchpad, and thousands of instances thereof, which all peer with each other, automatically. The information would automatically be mirrored wherever it’s referenced, so the entire cloud would be highly-available and failure-proof.

Obviously, this wouldn’t render itself well to the (traditional) software business model Canonical seems to strive for, so they’re unlikely to go down this route.

But we could. It would be a non-competitor.

Update: thanks for the copious feedback I’ve received. Among them was a comment by Elliot Murphy (http://launchpad.net/~statik), who speaks of “us” and thus leads me to believe that he’s part of the Launchpad team:

We’re definitely listening, and we still have lots more improvements we want to make. Our goal is collaboration, not centralization: that's why we build bazaar, are working busily on doing two-way integration with other bug tracker systems, and are building the best API we can. Our goal in the team is to make it trivially easy for you to get all the data that you put into launchpad back out through the API, data portability is very important. There is no big evil business model, but it would be socially irresponsible if we did not work toward making launchpad self-sustaining. It has been a long road, but the launchpad team is steadily working toward a distributed model, one step at a time.

While it’s definitely nice to hear that data portability is a concern to them, I don’t see Debian using Launchpad without the ability to run it on our own servers. I’m definitely curious to hear more about the distributed model the team is pursuing.

I certainly don’t have a problem with self-sustainability, but in the Free software world, I do wonder what that is supposed to achieve. Release early, release often, anyone?

Update: Philip Newborough took up the issue and has received a number of noteworthy replies. It made me very happy that he sees my post as “a rant about Launchpad which is not lambasting Canonical for their proprietary Launchpad software;” I wasn’t aiming for any lambasting.

NP: Nine Inch Nails: Further Down the Spiral

Posted Tue May 6 18:01:34 2008
Marcos Marado Debian Barcamp-style event to happen in Portugal DDPT08
On the 16th of August 2008, in Aveiro (Portugal), an event called DebianDayPT 2008 will happen, in commemoration of the 15th Anniversary of the Debian Distribution.

This meeting aims to gather all those interested in the Debian GNU/Linux distribution or in the Debian Project. Yet, it is a meeting open to all, including those not familiar with Debian or Linux.

It aims to:
  • create awareness of Linux, and Debian in particular
  • celebrate Debian's 15th Anniversary
  • exchange knowledge, thoughts and ideas about Debian GNU/Linux
There will be presentations, workshops and networking opportunities. It will start at 10am and end by 17:45.

Know more about this event at http://www.debianpt.org/debiandaypt.
Posted Tue May 6 15:35:00 2008
Wolfgang Lonien Cacti on Etch broken fixed

This morning's upgrade of Cacti on Etch wasn’t a very good one - it only displays

Invalid PHP_SELF Path

Get back the old one with:

sudo aptitude install cacti=0.8.6i-3.2

Then things should be back to normal. See also: Bug #479618 with the severity grave.

Update (only one(!) day later…):

As usual, Debian developers are super-fast. Now Cacti 0.8.6i-3.4 is available, and it just works. Thanks, Sean (or whoever uploaded this)! You rock.

Posted Tue May 6 08:15:49 2008
Wolfgang Lonien 3D with Open Source Drivers - ATI is coming on strong

Seems like ATI/AMD did the absolute right thing with opening up their drivers and/or hardware specs, following the good example of Intel. The good news of the day is:

If you have an IGP (integrated graphics chip set) like the RS480, or the RS690, then with the patch to a bug in MESA, the open source driver named “xf86-video-ati” now provides 3D, and you can expect that for example Compiz will finally run on your hardware. Non-proprietary.

Read David Airlie’s Blog for more info. Found on Phoronix.

The short version: packages for Fedora 8 and 9 are underway; I’ve read nothing so far within the Debian pages I’m following, but once that patch arrives in Sid, we all know it will take some 10 days or so to make it into Lenny as well.

This is great news indeed. Finally, we can start thinking about actually buying ATI graphics. And choice is what it’s all about, right?

Posted Mon May 5 21:04:37 2008
Holger Levsen Backports as an official Debian service

backports.org currently lacks a security team and infrastructure, like testing has. Currently it's possible that someone uploads a package and stops caring and nobody notices. I guess the people running backports.org are aware of this and do their best to prevent it (and afaik don't really want backports.org to become official) but for an official backports service I think this issue needs to be tackled. What do you think?

I would also like backports to become officially endorsed and supported, as I would like stable to continue to have no new features introduced. EtchAndAHalf and LennyAndAHalf being the exceptions to this rule, though I see some (currently only potential) problems in the way it's handled now.

Posted Sun May 4 14:49:15 2008
Holger Levsen Are changelog entries a thing of the past or not?

Do you write your changelog entries in the past or the present tense? Policy 4.4 doesn't recommend anything.

Posted Sun May 4 11:33:34 2008
Holger Levsen friendly fire

Sune, I have begun to think that it might actually be useful if many people replied to this kind of backscatter and make sure that the mail system works as intended. Mail gets delivered. (Or not, as it's recognized as spam. Something which is possible in 2008.)

Posted Sat May 3 23:52:47 2008
Martin Albisetti IDE Integration in Bazaar

I’ve just kicked off a wiki page to follow up on the state of Integration into IDEs, so, if you want a specific IDE worked on, or are currently working on an integration, please feel free (or encouraged even) to add it to the wiki page: http://bazaar-vcs.org/IDEIntegration

I hope that page eventually harbours enough information for any random person to land on it and find out if their favourite IDE currently works with bazaar, or enough information to start working on one.

Posted Sat May 3 02:24:53 2008
Jean-Christophe Dubacq Taxes declaration under Debian: utter failure

Every year, I have to declare my income to the tax services. In the preceding years, I managed it with mostly no problems. This year, my computer being in the amd64 architecture, I feared I would have some troubles and I was right: one hour later, I could not yet do my declaration, and I used only about three minutes under MacOS X.

I did at least start with a head start: I already had a certificate valid until 2010, which was recognised automatically. I was thus able to fill in my tax return (PKCS 12 format, which I was able to export and put on my Mac to finish the declaration). But when it comes to signing the declaration, a Java applet has to be run, which performed the actual signing (in the cryptographic sense of the term). And there, no way.

  • Sun has not published an amd64-compatible plugin and does not plan to do so before early 2009...
  • openjdk-6 is not built for Debian
  • The IcedTea plugin does not work for the tax site (empty grey window).
  • Blackdown Java is nowhere to be found... and before that, I had an old copy of it that worked in some places but segfaulted systematically on this particular applet.
  • Setting up a chroot for iceweasel doesn't seem to work within the time available (even with an xhost + it cannot open graphical windows)...

Anyway, in short, conclusion: I did it on a Mac, and this crap pisses me off.

Posted Fri May 2 10:45:03 2008
Martin F. Krafft Müesli is not a liquid

Readers of my blog may recall that I don’t take it well when someone takes my breakfast from me, especially something as good as Bircher Müesli.

Today, on my way to Limerick for some intensive Ph.D. work, I decided to try again and put a container with 300g of this beloved food into my hand luggage.

No one noticed. And now I am happily fed and enjoying the increased sense of security on this airplane.

NP: Pulp: We Love Life

Posted Wed Apr 30 11:44:00 2008
Martin F. Krafft Welcoming fans

This morning, at Zurich airport, I was greeted by massive banners saying:

We welcome the fans of the future European champion

Does this mean that Switzerland won’t be champion, or that Swiss fans generally arrive by plane?

Bloody football championships! I still have 6 days in which I don’t have plans outside of the country. Help!

NP: Gazpacho: Firebird

Posted Tue Apr 29 05:33:45 2008
Martin F. Krafft Not interested in networking

Dear all: I am not interested in social networking sites. Please don’t give them my email address for their invitation letters and email address database.

In general, don’t give them anyone’s address without the person’s consent. You never know what kind of abuse might happen with the addresses they collect.

NP: Gazpacho: Bravo

Posted Tue Apr 29 05:21:25 2008
Holger Levsen working firewire kernels for sid updated

Just a quick note: I've updated my sid kernel repository (the one whose only change is enabling the old firewire stack along with the new one) to 2.6.24-6, the old instructions still apply.

Unfortunately my pegasos2 died after building that package in March, so from now on I will only provide packages for amd64 and i386. But you can use my sources and trivially rebuild them :-)

Posted Mon Apr 28 08:33:15 2008