The first sentence was taken from his platform. Information about this post.

Suppposedly, card number five in the Tarot is the Hierophant, described as “someone who interprets secret knowledge” and representing concepts such as “conformity” and “group identification”. Not that any of that is related to this “five things you don’t know about me” meme, for which I’ve apparently been tagged by both Pia and Tony. And since I wouldn’t want to be accused of being either cool or vanity lacking here’s some from me.

• I used to be a regular bit-part actor in school plays and musicals; I was in the school choir for four years in high school too. I tried getting back into it once during uni, but didn’t really have the time or interest, so I’m just left with going to the occassional show and watching these days. Of course, when they’re as spectacular as Woman in White that’s not much of a problem…
• For quite a while, my favourite food was lamb’s brains, crumbed and fried with a white sauce. I’m quite fond of offal, also known as “variety meats” apparently, in general really – I’m not really persuaded by the “it’s morally wrong to eat animals” thing, but I figure if you’re going to anyway, it makes sense to not be wasteful about it. Kidneys are pretty awesome too; though liver seems to get boring before you’ve finished eating it. I’ve never tried haggis; but I suspect that’ll change before the next DebConf is over…
• Prior to getting an 486sx33 that eventually ran Linux, I used to be an Amiga geek. As an Aussie Amigoid, that meant reading the Australian Commodore and Amiga Review (edited by Andy Farrell), and eventually when I became really elite, subscribing to Megadisc, a monthly magazine on floppy disk, which included useful programs, reviews, letters, and all sorts of interesting things. My first published C progream was included on one of the issues – it was a teensy little app for people with hard disks that would see if you had a Megadisc in the drive, then open up a dialog box so you could choose a directory to copy the disk too, and not have to worry about seek times and such. Unfortunately I was new enough at the whole “C” thing that I wasn’t sure how to make a new directory myself, and decided to just expect the user to use the “New Dir” button in the standard Amiga dialog box for that. Which would have been fine if I hadn’t also gone to the trouble of helpfully emptying the selected directory so the user wouldn’t end up with two Megadiscs in the same place. Put the two together, and evidently you end up with Megadisc’s editor, Tim Strachan, calling you at 9am the morning after publication and telling you how someone had tried it out and it had started deleting all the files on the hard drive. Ooops. With the Amiga dying out and the rise of the internet, it looks like Tim’s now more into alternative health products than computers.
• On the Friday before flying down to Canberra to be Rusty’s wingman for a meeting with the Attorney-General’s department I had my first motorbike accident – not making a turn on a wet road at night just near home, hitting the asphalt and the gutter. I came out of it with some torn jeans and a grazed knee, a banged hand that needed icing, a nice bruise on my side, and a bike that ended up taking aaaages to get fixed and ridable again. Happily it’s gotten another couple of thousand k’s on the odometer since then.
• In the couple of days before I head to Sydney for the 2007 edition of the fantabulous linux.conf.au I’ll be moving from my unit in Toowong to a house in Highgate Hill. Clinton and I will be sharing the upstairs, while the downstairs will be turned into a granny-flat for my parents for when they decide to stay in the city. The theory is it’ll be an investment over the longer term, with the idea being to try building some townhouses in the rather large backyard and sub-dividing. Should be fun!

Let’s see, I’ll tag: vocalist extraordinaire James, companionable carnivore Pat, sometime C hacker David, fellow motorcyclist Sez, and future housemate Clinton.

Sometimes doing a Google News search for debian turns up some fascinating little gems. Today’s was this article:

Einfeldt says that the project also plans to sell copies of the film, or at least one of the versions of the film. Taking a cue from the Debian project, Einfeldt says that there will be several versions, starting with the edit codenamed “Buzz.” He says that there will be another version codenamed “Rex” that will be sold on DVD and through other avenues like Lulu.com that cater to self-distribution.

Some interesting quotes in the article from Postgresql hacker and SPI treasurer Josh Berkus, along with a link to the Digital Tipping Point wiki.

Following Joey’s lead, here’s some DWN-style comments on some of the stuff I’ve been involved in or heard of over the past week… A future for m68k has been planned on the release list, after being officially dropped as a release architecture in September. The conclusion of the discussion seems to be that we’ll move the existing m68k binaries from etch into a new “testing-m68k” suite that will be primarily managed by m68k porters Wouter Verhelst and Michael Schmitz, and aim to track the real testing as closely as can be managed. In addition the m68k will aim to make installable snapshots from this, with the aim of getting something as close as possible to the etch release on other architectures. A new trademark policy for Debian is finally in development, inspired by the Mozilla folks rightly pointing out that, contrary to what we recommend for Firefox, our own logos aren’t DFSG-free. Branden Robinson has started a wiki page to develop the policy. The current proposal is to retain two trademark policies – an open use policy for the swirl logo, that can be used by anyone to refer to Debian, with the logo released under an MIT-style copyright license, and left as an unregistered trademark; and an official use license for the bottle-and-swirl logo, with the logo being a registered trademark, but still licensed under a DFSG-free copyright license. The hope is that we can come up with at least one example, and hopefully more, of how to have an effective trademark without getting in the way of people who want to build on your work down the line. Keynote address at OpenFest. Though obviously too modest to blog about this himself, Branden Robinson is currently off in Bulgaria, headlining the fourth annual OpenFest, speaking on the topics of Debian Democracy and the Debian Package Management System. New Policy Team. After a few days of controversy following the withdrawal of the policy team delegation, a new policy team has formed consisting of Manoj Srivastava, Russ Allbery, Junichi Uekawa, Andreas Barth and Margarita Manterola. Point release of sarge, 3.1r4. A minor update to Debian stable was released on the 28th October, incorporating a number of previously released security updates. Updated sarge CD images have not been prepared at this time and may not be created until 3.1r5 is released, which is expected in another two months, or simultaneously with the etch release. Debian miniconf at linux.conf.au 2007. While it may technically not be supposed to be announced yet, there’s now a website for the the Debian miniconf at linux.conf.au 2007, to be held in Sydney on January 15th and 16th (with the rest of the conference continuing until the 20th). This year derived distributions are being explicitly encouraged to participate, so competition is likely to be high, and it’s probably a good idea to get your talk ideas sorted out pretty quickly if you want them to be considered!

After visiting Google for the Summer of Code Summit the other week, I thought I might actually try out some of the web services they’ve come up with, rather than just sticking with search and maps, and see if they did anything for me. To my surprise – as a certified hater of webapps generally – a couple did. Writely, the web-based word processor, was kind-of interesting, but in the end didn’t work for me. The potential killer feature for me would’ve been SubEthaEdit or Gobby -like interactive collaboration, which seems like something Google ought to be able to do with their whacky AJAX techniques. Unfortunately, it seems to just be some sort of automated merge-on-commit, which does nothing for me. What I’d really like as far as online document editing goes, is actually to be able to do Gobby-like editing of (moinmoin) wikis, rather than having to deal with advisory locking. I poked a bit further at that, and I suspect it ought to be possible to hack something up by using a tool like editmoin to edit wikipages with an editor rather than a webbrowser, and using gobby to do the editing, via a sobby server hosted on the same site as the wiki. It ought to be possible to automate all that complexity using an application/gobbymoin mime type; but I didn’t get anywhere because sobby seems to require IPv6 support. Oh well, maybe some other time. I’ve played with GMail and Google Talk before, with minimal impact. GMail is kind-of nice, but I like to be able to read my mail offline, so whatever. It is useful as a backup email address if my regular one goes down though. Google Talk doesn’t seem to handle voice/video under Linux, so it’s just a Jabber server. Which is fine, since I hadn’t ever actually gotten any of these whizbang IM things setup. What’s less brilliant is that Gaim is a bit of a pain when it loses connectivity, which happens everytime I suspend my laptop, which is everytime I stop using it. But I need GMail in order to even try some of the interesting Google services these days, so whatever. Google Calendar isn’t really something I expected much of. Sure, it’s a calendar app, but I’ve never gotten much use out of appointment diaries or planners or whatever anyway. Having it be web-based actually changes that a bit though, since it makes it trivial to publish to other people, and that even makes a calendar a little bit useful for me too. Having it be able to send reminder SMSes is also neat, at least now I’ve worked out how to default that behaviour to off… Oddly, though, I’ve found I’m getting more value out of it in listing things I’ve done rather than things I’ve got coming up. I guess it’s nicer to have a list of things you’ve actually done, rather than a list of things you should have done (but often didn’t), or a list of things you’ve got to do… But the real winner is definitely Google Reader even if it’s still in Google Labs, rather than even being “beta”. While I’ve tried some aggregators in the past, none have remotely grabbed me, and I’ve been tending to just remember the URLs for the blogs and webcomics I like, and type them in when I’m feeling bored. That has the benefit that it limits the number of each I read, but the drawback that I waste time typing URLs and waiting for pages to load even when there haven’t been any updates. The keyboard interface to Reader is pretty pleasant, with the only drawback I’ve found a slight lag in loading entries at the start of the day. Having it be in my web browser is perfect, since I generally want to follow a few links from blog posts anyway. It’s also made it easy enough that I’ve added a few feeds from real newspapers (or news channels), which is probably a good thing as far as balancing my take on what’s going on in the world. There’s a couple of downsides. One is that a lot of webcomics don’t have RSS feeds, or, if they do, don’t seem to include the actual comic, just a link to it. I don’t think there’s much of a reason for that – there are a few blogs I read that include ads in their RSS, so that doesn’t seem difficult to handle, and I can’t see any other potential objections. Also annoying is that posts that get aggregated on multiple planets (such as Planet Debian and Planet Linux Australia) show up multiple times, though admittedly I pretty much expected that. Probably the major downside is that it’s so easy to read stuff that I keep adding feeds to it, though…

First, my position: I'm in favour of paying people to work on debian, but I think the one-person job markets, lack of openness and trading on debian's goodwill makes the current configuration of Dunc-Tank unacceptable. This should not be a surprise: I questioned the one-person-time contracts right near the start, but - like so many questions - it went unanswered. Secondly, I think this is wrong for the project. Damage was forseeable and maybe could have been mitigated, but Debian Project Leader Anthony Towns chose to raise the stakes, taking the funding outside the project, leaving no control for the developers except a recall vote, as far as I can see. The DPL wasn't recalled, but is still partly to blame for the damage, no matter whether more than half of DDs support him or not. Finally, I'm unconvinced by Wouter Verhelst's arguments that USD 6000 is a fair price. The one-person market is nothing like a free market and that particular rationale seems wrong because:

1. VAT is a Tax on Value Added, so the payment of 21% or whatever would be reduced by the VAT paid on any supplies, which reduces the effective total rate. Also, small businesses are VAT-exempt in some states. Finally, Stephen R. Langasek seems to be in Oregon and Oregon has no state sales tax [Oregon Department of Revenue] - does that mean no VAT either? So, still 6000 left;
2. Suburban office space in Oregon looks like it costs USD 13.50/sf/yr fully-serviced (source), so a month for one person (175sf) would be about USD 200. Even downtown Portland is only about USD 300. (Where did 500 come from?) So, 5700 left;
3. Utilities: it's GBP 40 for phone+internet here and the rest are included in fully-serviced, as far as I know, so let's say USD 100, even though USA is reputedly cheaper? 5600 left;
4. Accountant fees are pretty much constant if you have a working business, but USD 3600 for a year? I'd expect closer to USD2000 (so about 200 per month) for a one-person business. SPI seems to pay USD1000 for bookkeeping, but I can't find a direct comparable - anyone know? 5400 left;
5. Social and other insurances tend to be related to income, working out around to a third or so in the UK IIRC, so USD2000? What's the current US rate? 3400 left;
6. Double-taxation seems like something a good accountant should help to avoid - not heard of it being a significant problem often; 3400 left.

So, that leaves USD 3400, less some % for VAT maybe. Not well-paid IMO, but much more than living cost for many DDs. If any of the above figures are too high or low, please tell me and I'll update this. Of course, the actual payment rate is minor to me, compared to the problem of dunc-tank being designed as a market for lemons and being driven through by brinkmanship.

Julien: ask and ye shall receive . I took the liberty of preempting Jaldhar’s GIMPing of a piece of headwear on the photo (no, contrary to popular belief, it’s not a wasps’ nest) ;-) Original found in this LWN article.

Or Dunc-tank in sorted order. I never wrote about this until now. But today, when I woke up, I had this strange feeling saying "jd, you gotta do something about DT today.". Actually, that was just my f**** alarm clock. And here I am, and I'm gonna talk to you about the dunc-tank experiment. First it's important to know what a real dunk tank is, because personally I've got no idea until I looked up on Google. So, you see? A dunk tank is a funny game finally. I must admit, if Anthony Towns was seated above the dunk, I would have vote in favor of DT!
Maybe I'm trying to give you some idea for the next DebConf, who knows More seriously, after the co-signed mail that Joerg Jaspert just sent, I wanted to say something more.
Some weeks ago, when our DPL (amen) asked us our opinion about that idea, I said "yeah, go ahead". Of course, that was my opinion at this time, and it changed a little. I still don't have objections about people getting paid, because I'm not jealous.
What does that mean? This means that if Debian was only composed of me, Anthony, and two release managers, I wouldn't have any problem. But that's not the case here, I discovered that there is a lots of people in Debian. Maybe should I tell DT people about that, don't you think? Reality is obviously different, and DT has been launched without a real consensus. We lost valuable people, and I dislike this project for that. We lost time. And we lost money, because time is money (don't beat me). That's an organised foutage de gueule ^[1] . But please, remember this is an experiment, so kids: don't do this at home.

While I do blog under the title “indolence log” for a reason, I’ve been a bit unhappy with how little I’ve managed to blog since April – barely managing one post a month. That drop-off coincided pretty sharply with getting elected DPL, and my best guess at the reasoning is that I’ve associated blogging with getting aggregated by Planet Debian, and the implication that I need to be careful about anything I might say. And that’s pretty much in conflict with how I prefer to blog, so I’ve been thinking over the last few days about whether I should deaggregate myself from Planet Debian to help avoid that tendency. So far it seems like just remembering what my blog’s about is enough, but we’ll see. Of course, it’s hard to blog like no one’s watching when you do a quick post about todo lists, and get half a dozen replies in your inbox and elsewhere. Anyway, I stumbled upon gtodo (a simple gtk based todo app) after posting, probably not for the first time, and found it actually had all the field I wanted, and nothing else. I’ve tweaked the source a little (to include the weekday name in the date field, and only include the comments in the tooltips), and so far it looks like exactly what I specced out. We’ll see if that works for me over the next few weeks…

Thanks to Don Armstrong's improvements to the performance of version-tracking in the BTS and Anthony Towns's tweaks to dak, as of the middle of last week, all NMUs uploaded to Debian unstable will cause the bugs mentioned in their changelogs to be marked as closed in that version, instead of just being marked as fixed. This is a great benefit to the release process, since previously, bugfixes in NMUs were still falling off the radar as soon as they were uploaded, with no automatable way to check whether a given update stuck in unstable fixed release-critical bugs that we needed to have in testing for the release. So these guys get a big thank you from me for helping to ensure etch only ships with the bugs we want it to ship with. ;) The new setup also has the advantage that bug submitters finally get the same, real email for bugs closed in NMU as they do for bugs closed in MU, instead of being left in the dark as they were before. But that only takes care of bugs closed in NMUs that happen between now and the release -- it does nothing for the roughly 1200 RC bugs that were already fixed in prior NMUs that haven't been acknowledged by the maintainer. Who knows if any (or how many) of those are still open in etch right now? Rather hard to tell when we don't know what version closed them, isn't it? So with a lot of help from Adam Barratt this weekend, we've marked about 800 (egads) of these RC bugs as closed in the corresponding NMU versions, with a brief note to the submitters. In the next couple of days, we should find our way to the end of the list, at which point we can think about ignoring the 'fixed' tag over on turmzimmer.net. Also fixed now is bug #388431, so people should be able to stop worrying now about their users chewing up the CPU with real-time scheduling. Nothing like a maintainer upload of a base package one year in the making, being uploaded after it's been frozen. So make that... 801 bugs closed?

A while ago I read Steve Yegge’s rant about Agile development, though I’ve forgotten who linked to it. The thing that struck me as interesting was the bit about “work queues”:

With a priority queue, you have a dumping-ground for any and all ideas (and bugs) that people suggest as the project unfolds. No engineer is ever idle, unless the queue is empty, which by definition means the project has launched. Tasks can be suspended and resumed simply by putting them back in the queue with appropriate notes or documentation. You always know how much work is left, and if you like, you can make time estimates based on the remaining tasks. You can examine closed work items to infer anything from bug regression rates to (if you like) individual productivity. You can see which tasks are often passed over, which can help you discover root causes of pain in the organization. A work queue is completely transparent, so there is minimal risk of accidental duplication of work.

Sadly, googling for “work queue” doesn’t come up with any sort of todo list stuff, but rather a multiprocessing scheduling tool which is cool, but not immediately relevant for me. As far as I can see, whatever was actually being talked about either isn’t public, or is more of a concept than an actual tool. The only Google Todo thing I could find was an applet thing for the personalised google homepage, which just lets you make todo items and set them as high/medium/low priority. And while that might be all that Steve Yegge was talking about, it doesn’t really feel terribly inspiring to me. I guess what I’d really like is to have todo items get assigned to a project (so that I can ignore all the todos for projects I don’t want to worry about atm), and also to be able to give them a deadline (so I can treat them with a bit more urgency when necessary) and a priority (so that I can easily spot things I’m willing to defer or ignore completely when I find I don’t have time to do everything I’d like). I suspect I’ll probably just stick with writing notes in vi to keep track of things, though, same as I have been for years.

I'm glad to see that Debian vote 2006-06, to reaffirm support for the Debian project leader, has passed, and that associated counter-proposals to recall the DPL have been defeated. The central issue has been Dunc Tank, a project to raise money to support certain Debian developers with the goal of getting Debian's next release, etch, out on time. There's been more heat than light on this issue over the last few weeks in various Debian- and Linux-related venues (mailing lists to media), and I'm happy to see that we've come to a conclusive resolution and can hopefully put the issue behind us. I've been impressed with Anthony Towns's aplomb in dealing with this issue, and I'm glad that he'll be staying in the DPL seat. We have one of the best, if not the best, Linux-based Operating Systems available. But Debian's late releases have become a laughingstock, and our users have to resort to backports and workarounds to keep running a stable release version of our software. With luck, putting extra resources into getting out a release will serve our users better and restore our reputation for delivering software in a timely fashion. tags: debian dpl anthony towns dunc tank gr

Daisy, Daisy, give me your answer, do The wp:2001: A Space Odyssey (film) jokes are probably a little too thick on the ground, but I'm glad to see the launch of the HAL Project at le Sans Fil. HAL is a distribution system for getting locally-produced digital art, music and video out on a community wireless project like le Sans Fil. Kinda puts the "community" back into "community wireless"... a great idea. The HAL Project software is of course available for download as an Open Source project, which is good news for other community wireless projects out there. tags: ilesansfil isf hal wireless local

Directed by jd & adn Genre: Action / Adventure / Sci-Fi / Thriller / Horror / Drama / Humor
Runtime: several weeks
Country: A lot
Language: English
Color: Color (Technicolor, QT, GTK and ncurses) Tagline: They stole their project, now they want it back. Plot Outline: In September 2006, a group of developpers from the Debian planet rise against the corruption leading the government.
User Comments: Great action, great suspense, great cultural satire, and a great mind-bender. Awards: Waiting for nomination. Quotes:

• Bah, if you don't want to read me, just don't , Sven Luther
• Oh my. , Clint Adams
• Or maybe I'm withdrawing my support because I'm busy with my chainsaw. , Josselin Mouette
• "I'm withdrawing my support because the developers might agree with AJ rather than me"? Come on. , Matthew Garett
• OH NO YOU DON'T. This thread is _not_ about you, it is _not_ about Frans Pop, and it is _not_ about debian-installer. , Peter Samuelson

Cast overview

	Anthony Towns (aj), as the Debian Project Leader		Denis Barbier (bouz), as The Recaller
	Aurelien Jarno (aurel32), as one Seconder		Clint Adams (schizo), as one Seconder
	MJ Ray (mjr), as one Seconder		Pierre Habouzit (madcoder), as one Seconder
	Martin Schulze (joey), as one Seconder		Marc Dequ nes (duck), as one Seconder

A couple of comments on the ongoing votes. The DFSG/firmware issue is a complicated one. For the votes that we’ve currently got open, I’m voting for futher discussion in favour of the DFSG#2 clarification – not because I disagree with requiring source code for all works in principle, but because I think we should be making sure we can make Debian work with full source for everything first, before issuing position statements about it; and I’m voting for “release etch even with kernel firmware issues” above further discussion and “special exception to DFSG#2 for firmware” below further discussion, because I don’t think we can handle the broader issue before etch, and I don’t think it’s a good idea to try to tie the exception to the non-existance of technical measures directly. I’m not really sure that’s a good enough reason to vote that option below further discussion, so I might change my vote on that yet. There have been quite a few other proposals on the topic, including one from me that didn’t get sufficient seconds to be voted on, another from Frans Pop that was withdrawn due to procedural issues, a couple more from Sven Luther, and a new proposal from Sven and supported by the kernel team that’s a further refinement on the “release etch even with firmware issues” resolution currently being voted on. I personally think we should spend some time after etch thinking a bit more deeply about this stuff. Personally, I think we should insist on source for everything, but that also means we need to have a clear explanation on why it’s good – even for firmware and font files and music and artwork – and it means we’re going to need to make sure we have a reasonable way of distributing it, and it means we’re going to have to make sure that we have a good way of distributing stuff that doesn’t meet our standards but that users still need or want; whether that’s drivers they need to do installation or get good graphics performance, documentation for their software, or whatever else. There’s a lot of real improvements we could make there – both in making the core of Debian more free and more useful, and making it easier for users who want to make compromises to choose what they want to compromise on and what they don’t want to compromise on. I really hope that once etch is done and dusted quite a few of those sorts of improvements will get done, both in technical improvements in Debian, and in good advocacy from Debian and other groups towards people who aren’t already making things as free as they potentially could be. One the recall issue, I would have preferred to vote “re-affirm”, then “recall”, then “further discussion”, to say “I don’t think this creates a conflict of interest that can’t be handled, but I’ve no objection if other people think it does”. But since that isn’t what the ballot(s) turned out to be, I’ve voted “re-affirm” above further discussion on that ballot, and “recall” below further discussion on the other ballot. I’ve voted the “wish success” option above “don’t endorse/support” option for two reasons – first, because the “wish success” resolution actually refers to “projects funding Debian or helping towards the release of Etch” in general, while the “don’t endorse/support” proposal specifically talks about projects I’m involved in (including non-Dunc-Tank projects) which seems kind of personal. There’s also the fact that I’d rather see more success and mutual support in the Debian community, even for projects I don’t personally like, than less. I originally voted the “don’t endorse/support” option below further discussion for those reasons, but then decided that that was silly – just as I would have been happy to vote for the recall above further discussion, it’s not really that big a deal either way, and fundamentally I think both options are essentially the same anyway: that any potential conflict of interest can be dealt with, and Debian and Dunc-Tank are fundamentally different projects. I was probably influenced in that a fair bit by the “not endorse/support” option being proposed and seconded mostly by people who actively oppose the idea, including Josselin Mouette, Samuel Hocevar, Pierre Habouzit and Aurélien Jarno. But in the end, the outcome’s fine any which way – some people will continue disagreeing with the concept, others will agree with it, and everyone can keep contributing to Debian in whatever way they think’s best whatever the outcome. And like I said when running for DPL this year, while you are a lot more visible as DPL, it’s not actually that necessary to be DPL to get things done in Debian.

Today actually two mailing lists made my day: First Theo de Raadt’s mail to the FreeBSD security mailing list:

Date:       Mon, 02 Oct 2006 14:00:11 -0600
From:       Theo de Raadt <deraadt@cvs.openbsd.org>
To:         freebsd-security@freebsd.org
Subject:    Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh 
Message-ID: <200610022000.k92K0B5P009759@cvs.openbsd.org>
> The OpenSSH project believe that the race condition can lead to a Denial
> of Service or potentially remote code execution
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Bullshit.  Where did anyone say this?
Why don't you put people in charge who can READ CODE, and SEE THAT
THIS IS ABSOLUTE BULLSHIT.

and Colin Percival’s dry reply pointing out who made the “ABSOLUTE BULLSHIT”:

Date:       Mon, 02 Oct 2006 14:25:05 -0700
From:       Colin Percival <cperciva@freebsd.org>
To:         Theo de Raadt <deraadt@cvs.openbsd.org>
Cc:         freebsd-security@freebsd.org
Subject:    Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
Message-ID: <452183B1.7000306@freebsd.org>
Theo de Raadt wrote:
>> The OpenSSH project believe that the race condition can lead to a Denial
>> of Service or potentially remote code execution
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Bullshit.  Where did anyone say this?
The OpenSSH 4.4 release announcement says that, actually:
 * Fix an unsafe signal hander reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   pre-authentication remote code execution if GSSAPI authentication
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   is enabled, but the likelihood of successful exploitation appears
   remote.
Colin Percival

Well, looks like an exquisite own goal. (Found by Squeeeez.) Then, _rene_ cited a mail from the current Debian Project Leader Anthony Towns on debian-devel in #debian.de, who thought that Switzerland was some foreign word meaning “snowy place” :

Date:       Tue, 3 Oct 2006 15:52:38 +1000
Subject:    Re: Bits from the DPL: Looking forward
From:	    Anthony Towns <aj@azure.humbug.org.au>
Message-ID: <20061003055238.GA4841@azure.humbug.org.au>
On Tue, Oct 03, 2006 at 03:39:20PM +1000, Anthony Towns wrote:
> BSPs in Vienna (Switzerland) [3], 
I was assuming, of course, that "Switzerland" was some foreign word
meaning "snowy place", but apparently it's actually a country all of
its own, entirely separate to Austria...
On Tue, Oct 03, 2006 at 03:43:52PM +1000, Anthony Towns wrote:
> (b) Firmware vote
> proposal, as amended by Manon Srivastava (Message-id:
And while _Manon des sources_ might've been a neat French film, I don't
think it's actually got all that much to do with Manoj...
Cheers,
aj

And contrary to the usual biases, this geographic unawareness comes from Australia (which is unequal to Austria ;-) and not from the US. :-) Guys, you all made my day. Kind regards from a currently not so snowy snowy place. :-)

After a lot of discussion on -private, and a fair bit more discussion off list, a bunch of Debian developers, including myself, have launched dunc-tank.org. The idea is that we think getting etch out on time is important enough to be worth paying the release managers to work on it full time, so in the free software spirit, we’ve gone ahead and done something about it. We’ve already put up some of our own money, as have some other developers, and if you’d like to join us, there are more details at the website. We’re currently hoping that SPI will agree to accept funds on our behalf, and thus provide a good level of accountability. The board meeting later today will hopefully shed some light on whether that’s feasible. There’s also some information in press release form, and some interesting background detail for people who don’t follow the Debian release process as closely as some of us do. The first article on the topic’s already been published; with one somewhat inaccuracy – this is not a Debian project, and is being specifically handled outside of Debian to both ensure that any conflict of interest that might occur can be decided by Debian in Debian’s favour, and to allow other groups that have different ideas about what priorities are important to encourage contributions to those areas. A question that has been raised is whether the organisation can be sufficiently “outside” of Debian when the DPL is intimately involved. I don’t have the answer to that – in my opinion it can be, but whether this one is will be up to Debian to decide.

Anthony Towns will be Debian’s next project leader. I am not happy with that outcome at all. With just a tiny margin, aj has won over Steve. Steve was not my favorite candidate as well, but he’d be better than aj, who in my opinion stands for the cabal that is running Debian from their positions of power for years now. Only 421 DDs have cast their vote, which is 43.3128% of all possible votes. Voter participation has thus been lower than the historic low Germany’s state Sachsen-Anhalt recently had in its Landtag election. More than half of the DDs do not seem to be interested in who makes Debian’s external policy and who represents the project to the outside. On the other hand, debian-vote sees a number of people who are not currently allowed to vote, but regularly contribute to Debian. It looks like the people who could vote don’t, while people who do good things to Debian are not allowed to vote. Bad. But, IMNSHO, the really bad thing is the new DPL itself. I think he has won the election with saying that he will increase Debian’s speed. On the other hand, he is member of ftpmaster, the team that might be one of the biggest causes for Debian’s slow speed. He is generally regarded to be close to the “Cabal”, which of course does not exist. I don’t see how the speed increase is can be accomplished giving this background. However, the vote can easily be interpreted as a vote of confidence in the Cabal, which in itself is a good thing. It shows that even the voting DD’s are comfortable to be ruled by the secret club of most senior DDs. I don’t have to like it, but I’ll have to live with it. aj is also one of the founders of #debian-tech, an IRC channel which has been created as a “nice” channel for technical discussions. The channel has a very strict code of conduct, and people are being removed from the channel if they do not comply. I am really really really afraid of this “be nice or else” attitude being extended to other Debian communications media during aj’s term. Being robbed of the right to speak one’s mind might adversely affect many people’s motivation to spend time with Debian in the future. In a nutshell: This is a sad day for Debian. But, otoh, every project gets the leadership it deserves. And it looks like Debian didn’t deserve any of the better candidates. jftr, I voted 63571824 Be warned: I have a bad history of mis-judging new DPLs just after their election. A year ago, I was quite happy about Branden being elected, and was convinced that things would change during his first term of DPLship. I really believed that he could remove the Cabal from the power, and that Debian would change to a more co-operative environment. I surely hope that I am as wrong this time as I was a year ago. It’ll be more positive this time.

It’s time for LinuxWorld SFO, which means it’s time for lots of interesting announcements. A major one today is from Hewlett-Packard, announcing that they’re ready to support Debian GNU/Linux officially on their Proliant and BladeSystem servers, and as a side note that their revenues from sales of Linux servers has now hit six billion dollars a year over the past eight years. An interesting note from the IDG article above is IBM’s response:

“IBM works well with Debian in the Linux community and will, and does, support the Debian distribution for our customers,” the company said in a prepared statement. “It’s not a standard offering, but we do it under special bid.”

It’s interesting that vendors are seeing enough interest in Debian from their customers to be specifically supporting it, whether on an specially negotiated basis as IBM does, or now on a standard basis for entire product ranges as HP is. Personally, I find it really pleasing that companies are doing support for Debian not because we’ve negotiated with them, but because customers are asking for it. I’m also pretty pleased that HP’s commitment to Debian support doesn’t come at a cost to the support they’re offering for their other “tier-1” distributions: Red Hat and Novell’s Suse. To me, that’s what free software’s all about, friendly competition that’s focussed on making people’s computers work, not exclusive deals and promotional rights. Debian’s also been mentioned in a ZDNet story about Movidis MIPS servers, which have a nifty 16-core processor and seem to be aimed at video streaming and other tasks that are a mixture of storage and processor intensive. Interestingly, while the story mentions the use of a mildly customised version of Debian as their OS basis, there doesn’t seem to be similar mentions on either the Movidis or Cavium Networks sites, let alone any juicy technical details. Also interesting is this mention in a story about Zimbra groupware:

ZCS supports Microsoft’s Outlook messaging software and runs on the two leading flavors of Linux – Red Hat and Suse – and Apple Computer Inc.’s Mac OS X. Although ZCS also runs on Windows on the client side, Zimbra isn’t seeing interest from its customers in supporting Microsoft’s operating systems on the server side, Dietzen said. The start-up has a list of other operating systems it plans to support, notably the Debian distribution of Linux and Sun Microsystems Inc.’s Solaris flavor of Unix, he added.

Looks like the first efforts at Debian packaging are happening on the Zimbra forums already. And then, of course, there’s the announcements from last week, such as the Creative Commons 3.0 discussion draft, that’s trying to solve some of the conflicts between the expectations we have of free “software” licenses, and that others have of free “content” licenses. A lot of work’s been put into that already, and hopefully it’ll pay off for everyone. Or the recent betrayal of the Debian spirit by Linspire, encapsulated in this ComputerWorld headline: Linspire releases Freespire 1.0 early. Ah well, traditions have to end sometime I guess. Or there was OSDL’s announcement that they’ve signed up Debian deriver Xandros for their desktop working group, with the little side note dropped in that IDC estimate desktop Linux will be worth ten billion dollars in annual revenue beginning the year after next. Or there was OpenVZ’s announcement at being included in unstable recently (it’s also available in etch, and they’ve announced today a build for RHEL 4). Of course, I’ve also neglected to mention some much bigger Debian news, which is that as of Friday, etch beta3 is out, which is an excellent sign that we’re on track for release, even ignoring all of the nifty new features it includes. And heck, Debian’s birthday is still a couple of days off. In the meantime, I’m going to go to sleep, so I can make it to Novell’s launch event for Suse Linux Enterprise 10 in Brisbane tomorrow, and see what they’re up to.