Search Results: "Sam Hartman"

7 June 2009

Sam Hartman: Debconf and Debcamp

I will be attending Debconf 9 in Spain from July 23-30. I will also be attending debcamp the previous week. I'm hoping to build contacts and increase my involvement in the Debian community, and the previous debconf I attended was an interesting window into what was going on in Debian and Linux. I'm still lining up things to do at Debcamp. Jelmer Vernooij will be there; he's interested in working with me on Samba 4 support for MIT Kerberos in Debian. I'm interested in working with him on making the user experience good for people who use both Samba 4 and other Kerberos applications. As I wrote at the bottom of this post, I believe it is critical that the open source community not just follow what Microsoft is doing in the Enterprise space. I also think it is important that we maintain avenues for our own innovation. To that end, I want to look at what we can do to use enterprise infrastructure independent of AD-look-alike projects like Samba as well. So, I'll be looking at making what I can do to help this in Debian. Areas of interest include:
  1. Easy set up of Kerberos to use an LDAP database
  2. Easy configuration of libpam-krb5 and libpam-ldap together using Kerberos for authentication and LDAP for authorization but not authentication.
  3. Support for FAST integrated into Debian systems so we can gain better protection against weak passwords. As I promised, more about this in its own post.
  4. Better support for PKI/smart cards for network authentication.
These are all projects I think I could make headway on myself. However the value of debcamp is the other people there. I've never been to a debcamp before and so I don't know what it will be like. I do know that I will give higher priority to projects that will benefit from close cooperation over a week. So, if you're there and want to try to recruit me to your project, feel free. I'm interested in enterprise infrastructure, VOIP, IPv6, network security and making complex infrastructure easy to use.

4 June 2009

Sam Hartman: Kerberos 1.7

MIT Kerberos 1.7 is released. I think this release really takes MIT Kerberos forward both for end sites and for system integrators. There are a lot of code quality improvements and bug fixes. For sites, this release allows changes to flow from one KDC to another on an ongoing basis rather than waiting for periodic refreshes. In addition, the domain-realm referral project allows information mapping hosts to domains to be configured in one place rather than on each client. I already wrote about Active Directory enhancements. Painless Security was also involved in a project to secure Kerberos against offline dictionary attacks. I'm very happy that this project made the 1.7 release. To be truly useful, it will require integration from OS vendors into PAM modules and the like. I'll discuss my plans for doing that in Debian in a future post. Despite a lot of new features, initial signs are that 1.7 is going to be a relatively stable release. It has been in Debian unstable for over a month and at this point is working quite well.

30 June 2008

Russ Allbery: General update

It's been a while since I've posted anything except reviews and I'm overdue for a general update. With the Kerberos upgrade project finished last month, I'm currently in the wonderful situation of not having any large active projects at work and being given time to generally catch up. With luck, I'll have a couple more months of that before things really heat up. I only have to consult on a few projects and otherwise can deal with all the operational issues that I'd been putting off. A lot of my time lately has been spent on Puppet configuration cleanup and improvements, and there's at least another solid week of that to go, as well as a pile of overdue documentation to write. On the Debian side, Lintian has moved to a new Git repository and Adam D. Barratt has started committing directly. Frank has also had time to do a lot of work, which means that Lintian development is proceeding quite well without a lot of active attention on my part. That's been wonderful and has given me time to focus on other things. Most of my Debian effort of late has gone into the new Shibboleth packaging team and review of Shibboleth 2.0 packages, the last of which was uploaded last week and is sitting in NEW. Thanks to Ferenc Wágner for the fine work! All the packages are now in Git and migrated to Alioth and there's a wiki page for the packaging team. Scott Cantor, the primary upstream developer, has joined the mailing list and has been extremely helpful and responsive. Sam Hartman has also migrated the krb5 packaging repository to Git and Alioth, and last Friday I finally finished migrating the openafs repository. Both are unfortunately rather huge since they contain all the historic upstream tarballs (extracting that would have been hideously complicated to do as part of the migration), but they shouldn't grow nearly as much now that we can use pristine-tar.
This is the heart of the Kerberos and AFS packaging; there's now just kerberos-configs and my two PAM modules to move (more on the complexities of the PAM module Git migration in a later post). On the personal front, I've been travelling a lot lately, but that will now calm down for a while. I have some company next month, though, and hopefully will be up for it by then (right now, I just want to hole up in my apartment and do my own thing and not interact for a bit). I've been reading George Orwell: An Age Like This (1920-1940), the first of a four-volume collection of his letters, essays, and reviews. I was inspired to buy the first volume after reading one of his essays on-line after a Usenet discussion some time back, and I'm delighted I did. It took me a bit to get into it, but now I'm finding it absolutely fascinating. Orwell has a talent for concise and accurate descriptions of life (primarily of the poor) that capture the emotional tone as well as the surface details. That's mixed with interesting book reviews (I love reading book reviews), intriguing tidbits on his writing process and how he viewed being a writer, and snippets of the day-to-day of his life that have survived in letters. It's rather like reading a blog, and Orwell is a good enough writer that even his unparagraphed, abbreviated commentary in letters is full of memorable turns of phrase or observations. If you like that sort of thing, I recommend it highly. I'm going to buy the remaining three volumes and read the whole collection, plus quite likely pick up Orwell's other books besides 1984 and Animal Farm.

6 October 2006

Andree Leidenfrost: Easy Peasy AFS on Debian

Bug #385790 prompted me to set up an AFS client on my sid installation. This is something I hadn't done since I left uni almost nine years ago. Back then it was a bit fiddly to get the Transarc AFS client for Linux to work if I remember correctly.

Things have quite obviously improved since then. The following is all that was required (with some helpful information provided by the submitter - thanks, Kevin!):
  • install packages openafs-modules-source and module-assistant
  • follow the instructions in /usr/share/doc/openafs-modules-source/README.modules, i.e.:
    • module-assistant prepare openafs-modules
    • module-assistant auto-build openafs-modules
    • dpkg -i /usr/src/openafs-modules-.deb
  • install package openafs-client and configure like this:
    • leave AFS cell of workstation at default, i.e. local domain
    • leave cache at 50000 kb
    • leave DB server host for home cell blank
    • answer 'Yes' to 'Run Openafs client now and at boot?'
  • if this doesn't work, run dpkg-reconfigure openafs-client like this:
    • leave AFS cell of workstation at default, i.e. local domain
    • leave cache at 50000 kb
    • answer 'Yes' to 'Run Openafs client now and at boot?'
    • answer 'Yes' to 'Look up AFS cells in DNS?'
    • answer 'Yes' to 'Encrypt authenticated traffic with AFS fileserver?'
    • answer 'Yes' to 'Dynamically generate the contents of /afs?'
    • answer 'Yes' to 'Use fakestat to avoid hangs when listing /afs?'
    • leave DB server host for home cell blank
    • answer 'Yes' to 'Run Openafs client now and at boot?' (again)
  • ...and restart openafs-client afterwards
(The need to reconfigure may be a bug, not sure.)

In summary, OpenAFS and Sam Hartman's packaging effort make AFS a breeze to install on Debian!

Now all I have to do is find the time to fix the bug. ;-)

[Update] Important detail I forgot to mention: Open port 7001 on your firewall for UDP.
[Update] Added what to answer, i.e. 'Yes'. Doh.
