Two policy issues have been brewing in debian and I ve been mostly quiet about them because I ve been busy with TTLLP work. One is the Lenny release GR which I m still trying to make sense of. I mean: yikes! I ve been reading debian-legal and -vote for years and this ballot confuses me. I think I ll vote 5324671 but I m really not sure what that means. The other big issue is that Manoj has resigned as secretary. I think this is a good thing, if for no other reason than he s been secretary for 7 years and I feel it s not healthy for one person to hold that post too long in a thousand-strong group. I ve disagreed with Manoj about some tasks, but I didn t see any point in making this difficult job even less fun, so I stopped criticising him a while ago. Since then, my comments on the secretary s work have usually been limited to small review comments on ballots (which are then apparently ignored anyway, but at least I offer help). I m apprehensive about who will replace Manoj. In the short term, Bdale Garbee acts as secretary, but surely Bdale is busy enough already? Given his increased vote-taking activity, Neil McGovern seems a likely choice, but the work left undone after his term as SPI secretary may count against him. More generally, I think there s a problem with Debian s secretary, so anyone who would be a good secretary would probably refuse to do it as currently defined. There s an email about bundled votes and the secretary by Steve Langasek which touches on this major problem:

the secretary is the *only* line of defense against gaming of the GR process by a small group of developers who propose an uncontroversial but orthogonal amendment that will always win over the alternatives, in the process preventing the will of the project from being formally enacted

In other words, in Debian, the secretary is both secretary (usually an appointed or consensual post in most organisations, in my experience) and chairman (usually an elected post) - both doing the hard administrative leg-work and actually ruling on contentious issues, rather than just giving an opinion to the chairman. Manoj commented that he would be happy if the constitution was changed, to clarify the issue, or to explicitly add another entity to handle intepretations . Is it time to split the secretary s role?

I went on IRC to ask a simple technical question earlier today. I wasn't going to ask it in the #debian-devel channel, since it was a samba question rather than a debian-related one; but since my IRC client was still running, and had that channel active, I couldn't help but notice some discussion about "what-ifs" when there isn't a secretary, and who gets to do what then. Surely this was idle speculation, I thought? But that can sometimes be fun, so let's look at the backlog, and see... That's when I found out that this wasn't, in fact, idle speculation. Oh dear. Well, that's the end of an era, I guess. Not that it wasn't totally unexpected; when I learned that Neil McGovern had become "assistant secretary", I already suspected that Manoj was going to resign eventually, and he does confirm that suspicion in his resignation email. However, the suddenness of it certainly was unexpected. Here's a tip of the hat for everything Manoj has done for Debian so far. I can only wish to be at your level. What does distress me, however, is a part of Manoj's email, in which he mentions some people had been trying to get him kicked from the project:

As to the people who emailed me that they are putting together a petition for the DAM to have me removed from the project, I hear you too. I am going to spend the next few days evaluating how important the project is to me, and whether I should save you the bother or an expulsion process.

Well, Manoj, if my voice means anything to you: ignore those people, and stay a happy Debian Developer. You became project secretary not too long after I became Debian Developer, and over the years I've learned to respect you as a person with great integrity for your work, who would always do what you considered to be "the right thing". Even when I disagreed with you on what "the right thing" is (and there have been cases of this happening, including this particular vote, although I wasn't very active in the discussions), I have never been able to pinpoint our disagreement on you abusing your position as secretary in order to win the argument, or some such. You have been consistent and (where necessary) predictable in performing your duties as project secretary, and that is a great compliment. I can only hope we'll see those same virtues in our next secretary. As for that expulsion process, please do not tell us who those people were, for I do not like seeing people made utter fools of in public.

This should act as a reminder to anyone who gets accomodation with the Debian UK lot that I need to know by the 14th if you want somewhere to stay. Wiki page is advertised in the usual places, or catch me on IRC if you've forgotton!

A few days ago I was awarded official Debian Developer status. Many thanks to:

• Thomas Viehmann
• Ana Beatriz Guerrero L pez
• Daniel Baumann
• Christoph Berg
• Thomas Bushnell, BSG
• Stephen Gran
• Steve McIntye
• Neil McGovern
• Cyril Brulebois
• Matthew Johnson
• Sune Vuorela
• Peter Palfrader
• Jonathan McDowell
• Tim Retout

For posterity, my first experience with the Debian development process was with #400550. Never underestimate the importance of giving credit in changelog entries.

I'm currently sat in the formal dinner for DebConf8 in Argentina. As part of the presentations, our glorious leader, the forever DPL Sledge announced that we'd recently won an award for... wait for it... MOST EPIC FAIL!

In recognition of this, I present to you the following:

Another point release for Etch has been done; now it's the time for the CD team to roll out new images after the next mirror pulse. The official announcements (prepared by Alexander Reichle-Schmehl, thanks!) will follow shortly afterwards. FTP master of the day was Joerg Jaspert, who did his first point release since Woody, as he told us on IRC. We appreciate your work and you spending your time that shortly before going to Argentina. This point release includes the etchnhalf update introducing a new kernel image (based on 2.6.24) and some driver updates. Additionally the infamous openssl hole will be fixed for good, even for new installs. Again I want to present you a list of people who contributed to this release. It cannot be complete as I got the information out of the Changed-by fields of the uploads.

• akira yamada
• Alexander Sack
• Alexander Schmehl
• A Mennucc1
• Andrea De Iacovo
• Andres Salomon
• Aurelien Jarno
• Charles Plessy
• Christian Perrier
• Christian Welzel
• Colin Watson
• dann frazier (indefatigable kernel worker, most sourceful uploads)
• Darren Salt
• Devin Carraway (3rd place of sourceful uploads, due to security work)
• Emmanuel Lacour
• Eric Dorland
• Fabio Tranchitella
• Faidon Liambotis
• Fathi Boudra
• Florian Weimer
• Francesco Paolo Lovergine
• Francois Marier
• Frank Lichtenheld
• Frans Pop (thanks for your d-i work!)
• Frederic Peters
• Gregory Colpart
• Holger Levsen
• Jan Wagner
• Jay Berkenbilt
• J r my Bobbio
• Joey Hess
• Joey Schulze
• Josselin Mouette
• Julien Cristau
• Kai Hendry
• Kurt Roeckx
• LaMont Jones
• Laszlo Boszormenyi
• Martin Pitt
• maximilian attems
• Michael Biebl
• Michael Koch
• Mike Hommey
• Moritz Muehlenhoff
• Noah Meyerhans
• Ola Lundqvist
• Otavio Salvador
• Patrick Matth i
• Petter Reinholdtsen
• Philipp Kern
• Pierre Habouzit
• Raphael Hertzog
• Rene Engelhard
• Robert Millan
• Roberto Lumbreras
• Roland Mas
• Romain Beauxis
• Russ Allbery
• Sean Finney
• Stefan Fritsch
• Steffen Joeris
• Stephen Gran
• Steve Kemp
• Sune Vuorela
• Thijs Kinkhorst (2nd place of sourceful uploads, due to security work)
• Thomas Viehmann
• Toni Mueller
• Tzafrir Cohen

From the Release Team we had dann frazier (who drove the important kernel part of etchnhalf), Luk Claes, Neil McGovern, Andreas Barth, Martin Zobel-Helas and me working on it. ;-)

I'm currently sat at the Debian stand at LRL08 with Wolverhampton, and have finally got around to signing up and becoming a supporter of the Open Rights Group, paying them £10 per month (although you can pay less). It's been something I've been meaning to do for a while, but haven't got around to it.

For those who haven't heard of ORG, they protect 'digital rights', and actually make a difference. Go sign up if you haven't already.

For info, as I've been asked by a couple of people, I've been elected as a city councillor for King's Hedges in Cambridge

Full results:

Candidate	Votes
Neil McGovern (Liberal Democrat)	762
Geri Bird (Labour)	560
Cyril Weinman (Conservative)	419
James Youd (Green)	129

This gave me a majority of 198, a massive improvement of last year's majority of just 18. Huge thank you to everyone who supported me and helped during the campaign period, I'm really grateful.

In follow-up to my previous post, in which the phrase "google for gerri bird cambridge" (which turned up a rather poor lack of reply to a survey) was printed on some campain leaflets, I've come across a slightly different example of how traditional PR ideas may not work online if the people who are doing it don't understand the technology.

The Cambridgeshire County Council have placed on their transport page a link inviting people to view some videos of their new mis^WGuided Busway on YouTube. They've even gone so far as to create a YouTube account for the purpose. Unfortunately, the comments on their first video aren't too favourable, with the vast majority of people hating the idea. Not content with this, a second video was also posted, with exactly the same effect. In retaliation, it seems that their PR department has tried to fake some good reviews, but have been caught out.

So, some simple lessons:

1. Don't trust user generated content to do your job for you
2. Don't trust sites you have little control over
3. Don't try and stuff the ballot by writing like a PR person

We escorted Sarge to its last home. 3.1r8 is done, thanks to all the people who made it possible. A big thanks goes to James Troup, our ftpmaster of the day doing all the grunt work of getting a new point release out of the door. To bring in a more personal feeling of who makes this all possible, here is a list of people contributing uploads to 3.1r8 (mostly people from our fabulous Security Team):

• Alberto Gonzalez Iniesta
• dann frazier
• Darren Salt
• Devin Carraway
• Florian Weimer
• Gregory Colpart
• Julien Cristau (who is glad that he finally got rid of xfree86)
• Luk Claes
• Martin Pitt
• Michael Koch
• Moritz Muehlenhoff
• Noah Meyerhans
• Patrick Schoenfeld
• Roland Mas
• Russ Allbery
• Sean Finney
• Steffen Joeris
• Thijs Kinkhorst

I would also like to thank dann frazier, Luk Claes, Martin Zobel-Helas and Neil McGovern for helping with the preparation of the point release.

For those that don't know, I'm running for local government as the Liberal Democrat candidate for King's Hedges City Councillor in Cambridge.
Part of this involves seeing what the other parties do. I had a leaflet come through the door for the potential Labour candidate, Gerri Bird. It contained the usual bumpf, and a suggestion at the end; "google for gerri bird cambridge".
This could present a problem for Gerri. You're not asking someone to go to a site, where the information you have is constant and of a known quality. In this case, Gerri not replying to a survey from the local cycling organisation is the top hit on Google. As these leaflets are already out in the wild, the instructions can't be changed.

Something to be careful of.

As some people may know, I'm a member of the Debian testing security team. As well as tracking all CVE IDs with which packages they affect, we also keep a list of known embedded code copies. Embedded code copies are a bad thing, as they cause no end of problems for the security teams.

One of the problems we've had to find a solution for is: How do we know what statically compiles against a library, or even worse, ships it's own copy?
So, we're looking for something that looks a particular set of bytes in arbitary executeables; a signature of the library if you will. And we do have a rather good tool that can be used to scanning for binary signatures: clamav :)

Step 1Create a clamav signature Clamav have a nice guide on how to create signatures on their site. The method I use is fairly simple: find a unique binary string and pass it to sigtool --hex-dump and place it in a nbd file. Step 2Scan the archive

for I in  find /mirror/debian/pool/ -name *all.deb ; do 
	clamscan -i -d smarty.ndb --deb --tempdir=/home/maulkin --no-summary \
	--max-space=1024m --stdout $I >> /home/maulkin/smarty.log; 
done;

Step 3??? Step 4PROFIT!!!

While I'm talking about testing security, we're all rather busy at the moment in the team, so we could do with some help! If you fancy helping, have a quick read of the intro and come onto #debian-security on irc.debian.org and say hi!

Sweden	UK
Victory for topless bathers Court gives thumbs up to anal massage technique Postcard arrives 25 years late Swedish prostitution: gone or just hidden? Ninety pythons left to die in Swedish cottage	Parted-at-birth twins 'married' Pound at record low against euro Vomiting bug 'hits three million' Mr Potato Head makes octopus pal Ngugi laments Kenya violence

An interesting discussion appeared on #debian on OFTC regarding TOR. One person was of the view that "many intelligence and other agencies are probably heavily involved in tor". As the discussion continued (yes, I should have pointed out it was OT for the channel...) it appeared that privicy and anonymity were getting confused.

Now, I'm not a huge TOR fan (being an oper on OFTC), but I seriously doubt that government agencies are 'heavily involved'. I was pointed at an article to back this claim up, but the article doesn't. Instead, it (and the original claim) raises a couple of interesting issues.

Firstly, there is a difference between privacy and anonymity, although closely related. Privacy allows you to keep information about yourself secret, and anonymity allows you to keep you yourself secret. In the case linked, although the people browsing were anonymous, and maintained privacy, this was broken when they revealed information about themselves. Breaking this privacy broke their anonymity. TOR doesn't even grantee complete anonymity:

Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy while web browsing to block cookies and withhold information about your browser type. Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms.

[http://www.torproject.org/overview.html.en]

Used properly, TOR can be a very powerful tool to help, but certainly isn't a silver bullet. It needs to be used properly to prevent your identity being known (anonymity). However, without privacy, this is nothing.
Even without these safeguards, it would require significant resources (and may not be possible) to reliably retrieve useful information about one particular person. This leads to the Greater Internet Fuckwad Theory, which is the main issue I have with TOR, but that's a different post.

So, the question is: do you want privacy or anonymity when using the internet? You need to know what you want before you use a tool, as nothing can beat user education on how to keep your browsing details out of the 'wrong hands'.

Providing a lot of information in a bug report is useful. It helps the developer work out what's wrong. However, you should be careful not to reveal too much information as one submitter did to Gnome in their bug report. Have a look (if you're not in work) at the .xsession-errors at the end of their report to see what movies they were playing.

Update: mind you, at least they were vaguely covert, compared to the brutal honesty of this report. Thanks to Florent Bayle for that link.

Neil McGovern recently blogged about the SPI election results - namely the outcomes using different election systems. While it is an interesting exersise, a point to note is that people know the rules for the elction and vote tactically. So to make the assumption that if SPI used a given system, then the outcome would be Neil's results is wrong. This point also applies to discussions of the use of secret ballots - changing this will change the election result.

MJ Ray posted a couple of short summaries as to how the election would have turned out if alternate voting systems had been used. A couple of people asked about others, so here's a nice long list:

Borda,
Borda Elimination,
Minmax,
Nanson,
Ranked Pairs,
Condorcet (SPI),
Condorcet (Debian):

• Bdale Garbee
• David Graham
• Luk Claes
• Joshua D. Drake
• Martin Zobel-Helas
• Joerg Jaspert

Bucklin:

• Bdale Garbee
• David Graham
• Joshua D. Drake
• Luk Claes
• Joerg Jaspert
• Ian Jackson

IRV,
Pluralty:

• Bdale Garbee
• David Graham
• Joshua D. Drake
• Martin 'Joey' Schulze
• Luk Claes
• MJ Ray

Most of these seem to come out in favour of the result we achieved with Condorcet. Plurality (aka: First past the post) and IRV put heavy emphisis on the voters first choice. It doesn't really make sense to compare results from a condorcet ballot with either of these methods. Bucklin is rather meaningless in a multi-winner election.

In answer to "is this type of Condorcet ever likely to elect someone who polarises views", it's possible, but unlikely. IRV and Pluralty are the ones to go for if you want the majority of people unhappy, unlike the others, which produce the majority of people happy.

I wasn't elected to SPI's board. I didn't think I would be once I saw all the other candidates (I nominated before all declared), but it looks like I would have been elected with those votes under some other common systems. I think both first-past-the-post and alternative vote (also known as instant run-off voting, reportedly recommended by Robert's Rules for election-by-mail) would have resulted in this same board:

1. Bdale Garbee
2. David Graham
3. Joshua D. Drake
4. Martin 'Joey' Schulze
5. Luk Claes
6. MJ Ray

Instead, the results were:

1. Bdale Garbee
2. David Graham
3. Luk Claes
4. Joshua D. Drake
5. Joerg Jaspert
6. Martin Zobel-Helas

Nevertheless, well done to the new members. On one hand, I'm happier, because there's still two of my top four there and now I've less required work. On the other hand, I would have liked a crack at it myself and both boards are disappointing because there's no Ian Jackson. An interesting thing is how many times I appear in each position in voting lists: (5, 1, 2, 1, 9, 6, 6, 3, 3, 4, 2, 9, 37), or as a bar chart:

1. st
2. nd
3. rd
4. th
5. th
6. th
7. th
8. th
9. th
10. th
11. th
12. th
13. th

A fairly acceptable middle-of-road candidate for most of it, but then a huge spike at the low end. Note that a majority of voters put me in positions 11-13. There wasn't much warning of that one coming during hustings. WTF? There seem to be some 30 or 40 voters who really dislike me, but didn't tell me that straight, preferring to be silent then vote me down. Are you cowards, or what? More generally, is this type of Condorcet ever likely to elect someone who polarises views, or who many inexplicably dislike? What does this say for any plan to use a Condorcet for debian's social committee? Could majorities always prevent minority reps? Update: Neil McGovern posted a few comparisons of more complex systems (I only did the easy ones) and AJ posted STV results which completes the main systems, I think. It seems Condorcet-SPI wasn't as unusual as I first thought. Finally, as I understand it, turn-out was 25% of voting members (not the 25% of SPI members that some press reported). Why was turn-out so low? (2007-08-08: 1 pingback, 3 comments)

As a load of the UK seems partially under water:

Well, my colo box lives again. Ish. It's now running under a Xen instance until the new hardware arrives that'll fix it's blown up PSU. So I can now be contacted via the usual methods again :)

In other news, it seems that the new 2012 logo has been announced. It's really quite foul. Fortunately, others have come up with alternate designs. See image 5. If it gets pulled (very likely) see my mirror.