May was the first month I started to contribute to Debian LTS under the Freexian umbrella. In total I spent six hours working on:

• dulwich: research on CVE-2015-0838, CVE-2014-9706. This resulted in DLA-231-1.
• mercurial: research on CVE-2014-9462, CVE-2014-9390 with Javi Merino. This resulted in DLA-237-1.
• mongodb: research on CVE-2015-1609. It turned out that we're not affected, the code did the check correctly in earlier versions but lost it then.

My current work flow looks like

• Find a package to work on via https://security-tracker.debian.org/tracker/status/release/oldoldstable
• Look at the details, via the security tracker, e.g. https://security-tracker.debian.org/tracker/source-package/mercurial
• Get the sources

  #!/bin/sh -e
  PKG="$1"
  gbp import-dscs --debsnap "$ PKG "
  cd "$ PKG "
  git checkout -b debian/squeeze-lts debian/$(rmadison -s squeeze -a amd64 "$ PKG "   awk '/squeeze/   print $3  '    sed -s -e 's/:/%/' -e 's/~/_/')
  gbp pq import
  

Now I have an already patched source tree to add the backported patches to. Especially in cases where the Jessie version is already fixed this makes it rather quick to get an idea what the affected versions are and to see how the code evolved over time. In order for this to work properly I made (on non LTS time) some improvements to gbp:

• git-pbuilder now knows about LTS so it can create chroots like:

  DIST=squeeze-lts git-pbuilder create
  

• gbp buildpackage is now clever enough to figure out the distribution to build for from the current branch name if you adhere to DEP14. So in case you're building from a git branch named debian/squeeze-lts it will automatically pass DIST=squeeze-lts to git-pbuilder. This needs

  [buildpackge]
  dist=DEP14
  

  in gbp.conf.
• gbp pq now tries harder to preserve patch names. While having patch names adhere to what git am writes out is nice but renaming patches just leads to too much noise when importing and exporting from existing packages (#761161). gbp pq still needs to improve in preserving DEP-3 header information though (#785274).

I have released whatmaps 0.0.9 a tool to check which processes map shared objects of a certain package. It can integrate into apt to automatically restart services after a security upgrade. This release fixes the integration with recent systemd (as in Debian Jessie), makes logging more consistent and eases integration into downstream distributions. It's available in Debian Sid and Jessie and will show up in Wheezy-backports soon. This blog is flattr enabled.

To keep up with GNOMEs schedule I've released krb5-auth-dialog 3.15.4. The changes of 3.15.1 and 3.15.4 include among updated translations, the replacement of deprecated GTK+ widgets, minor UI cleanups and bug fixes a header bar fix that makes us only use header bar buttons iff the desktop environment has them enabled: This makes krb5-auth-dialog better ingtegrated into other desktops again thanks to mclasen's awesome work. This blog is flattr enabled.

Testing the password dialog of a NetworkManager VPN plugin is as simple as:

echo -e 'DATA_KEY=foo\nDATA_VAL=bar\nDONE\nQUIT\n'   ./auth-dialog/nm-iodine-auth-dialog -n test -u $(uuid) -i

The above is for the iodine plugin when run from the built source tree. This allows one to test these dialogs although one didn't see them since ages since GNOME shell uses the external UI mode to query for the password. This blog is flattr enabled.

The seventh Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. We had one remote hacker from NYC which brings the number of attendants up to 9. This is a short summary of what happened during the weekend:

• We decided to abandon Iceowl (based on the standalone calendar sunbird) since Mozilla started to actively remove the code. Unfortunately this leaves us without a proper GUI stand alone calendar client with GSSAPI support.
• The icedove package got a major cleanup including the switch from CDBS to dh and the removal of the rebranding logic. This will hopefully allow us to better keep in sync with upstream. Carsten's git repo usually carries the most up to date version and a automated build of these version is in the works.
• The sogo connector extension for icedove got uploaded and tested including a wiki page
• The Groupware Page got updated
• We discussed the possibility of caldav/carddav servers in Debian using autopkgtest. This resulted in caldav-tester being packaged. It's currently waiting for an updated dependency before it can be uploaded.
• Based on that we added minimal autopkg tests to calypso. The later also gained GSSAPI support.
• OpenChange got updated in experimental (now moved to sid) and got a debug package. There were also some upstream improvements to ease provisioning.
• Dovecot's installation of the Sieve ext_programs was fixed
• SOPE and SOGo got updated to the latest upstream versions
• The SOGo-OpenChange plugin got build against the OpenChange package in experimental
• Giraffe (aka Zarafa packaging) made nice progress including the switch to free artwork and further renaming of the services. For Details on the current state check the wiki page.
• Due to the warm spring we had two nice barbecues for lunch.

Since we had a nice mix of first time Debian contributors, Debian Maintainers and Debian Developers we had lots of room for discussion and co-working which made this an exciting weekend.

When starting to work on a new project I start from an empty git repository right away so I can try out different ideas, revert easily, can diff against old versions (to check if I missed something) and have a commit history to record fixmes and todos. However when making the repo public these things are not of much interest anymore so I truncate the history. To be on the save side I want to keep that history locally though. Assuming the repo is on master, I do:

# 1.) Move the old master out of the way
git branch -m branch master oldmaster
# 2.) Get the current tree at HEAD
tree=$(git rev-parse HEAD^ tree )
# 3.) Create a new commit without ancestry
commit=$(git commit-tree -m "Initial commit" $tree)
# 4.) Make this the new master
git branch master $commit
# 5.) Switch to the new branch
git checkout master

Done. One can now add a remote and push the master branch. The old history is still there locally on the completely detached commit history ending at oldmaster:

$ git log --pretty=short --graph --decorate master oldmster
* commit d5cf3371eaefbaa8efac10c0fb9e7597da17b423 (HEAD, master)
  Author: Guido G nther <agx@sigxcpu.org>
      Initial commit
* commit 64103ff72bde13d7ec4cf0489ad2a80f3ac249d3 (oldmster)
  Author: Guido G nther <agx@sigxcpu.org>
 
      Another uninteresting commit message
 
* commit bd7332a79380bb217eca09cbd7f6ff0e5174deb8
  Author: Guido G nther <agx@sigxcpu.org>
 
      Uninteresting commit message
 
... <more old history>

Update: Uli Heller pointed out that this is the same as using git checkout's --orphan option.

Following up on my port of the crystalhd plugin to the gstreamer 1.0 api I realized that the CrystalHD repo is pretty dormant. After reading slomo's nice article about GStreamer and hardware integration and a short off list mail exchange I decided to split the GStreamer part out of the CrystalHD repo and to try to get the plugin into gst-plugins-bad. Since the kernel part is already in linux kernel's staging area there would not be much left in the repo except for the libcrystalhd library itself and the firmware blobs. So I split them out as well and started to clean them up a bit by moving it to autoconf/automake, dropping the need for a C++ compiler and adding symbol versioning among other things. So up to know video is still smooth with:

gst-launch-1.0 filesrc location=sample.mp4 ! decodebin ! xvimagesink

after jhbuilding up to gst-plugins-bad. There are #ifdefs for macosx and windows but I doubt they're functional but in case anybody is building libcrystalhd on these these platforms it'd be great to know if it still works. Should these efforts lead to the crystalhd plugin being merged into GStreamer getting the kernel driver out of staging would be a great next step. This blog is flattr enabled.

One of the replies to the post about Debian's last groupware meeting was from Patrick Ohly of syncevolution fame pointing out that syncevolution already implements calendar autodetection for CalDAV calendars as described in draft-daboo-srv-caldav-10. While looking at the code I noticed that there's a backend for the N900s calendar by Ove K ven as well. When I tried Ove's latest package on my N900 it lead to an immediate crash when doing a:

syncevolution --print-items target-config@webdav calendar

According to Patrick the bug was supposed to be fixed in recent versions so I set up scratchbox and built a newer git snapshot for maemo (sources). This wouldn't crash but didn't show up any items either. It turned out to be a minor bug in calypso returning no content type for REPORT queries which resulted in libneon discarding the whole reply (now already fixed in calypso upstream). With this out of the way setting up synchronisation is quiet simple:

# Configuration
CALDAV_SERVER=192.168.0.10
syncevolution --configure username=<username> password=<password> \
              calendar/backend=caldav calendar/database=https://$ CALDAV_SERVER :5233/private/my_calendar \
              target-config@webdav calendar
syncevolution --configure --template SyncEvolution_Client sync=none syncURL=local://@webdav username= password= webdav
syncevolution --configure sync=two-way backend=calendar webdav calendar

You should then be able to print the items on the local (N900) and from the remote (CalDAV server) end:

# This lists the current calendar items on the server
syncevolution --print-items target-config@webdav calendar
# This lists the current calendar items on the N900
syncevolution --print-items @default calendar

And from there on sync away:

# initial slow sync
syncevolution --sync slow webdav
# from there on
syncevolution webdav

The syncevolution source code has great documentation about debugging problems (e.g. src/backends/webdav/README). So check that in case you run into problems. The tl;dr version is

SYNCEVOLUTION_DEBUG=1 src/syncevolution loglevel=10 --print-items target-config@webdav calendar

to debug CalDAV related problems. In case you need to run syncevoluton from source be sure to set these beforehand:

export SYNCEVOLUTION_TEMPLATE_DIR=$PWD/src/templates/
export SYNCEVOLUTION_XML_CONFIG_DIR=$PWD/src/syncevo/configs/

On the CalDAV side I used current Calypso git which (with some additional minor fixes) now also interoperates nicely with Iceowl/Icowl-Extension aka Sunbird/Lightning on the desktop side. There's also an ITP for it. So it'll hopefully end up in Debian soon.

The sixth Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. We had one remote hacker from NYC which brings the number of attendants up to nine - an all time high! This is a short summary of what happened during the weekend:

• Sogo 2.0.5 got uploaded to unstable and work on OpenChange support is advancing.
• D-push (the rebranded version of z-push) got split and restructured to better handle different backends. An update in experimental is pending.
• Giraffe's git (the rebranded version of zaraffa) got updated to 7.1. There's some more work needed to get this into the archive though.
• There's been progress on getting Kolab3 into Debian starting with libkolabxml 0.8.4 and libkolab 0.4.2 (also needed by kde-pim).
• mozilla-devscripts now handles Iceowl as well so packaging calendaring extensions like this one becomes even more useful.
• Icedove and Iceowl bugsquashing. New versions were uploaded to unstable and experimental. The bug count trends look quiet promising but we really need help for #658664.
• We did some davmail <-> iceowl/icedove interop testing.
• The Groupware Page got updated
• We had some discussions about calendar and addressbook detection and autoconfiguration. For CalDAV/CardDAV there's a specification available already but there seems to be no client implementation in Debian so we started13 to work on it.
• We had a nice barbecue enjoying the first warm days.

Following up on using Debian on the WeTab with GNOME Shell I figured accelerated video using the built in CrystalHD to save battery power and CPU cycles would be nice to have. There's even a Debian package available but not for gstreamer 1.0 (which is used by GNOME 3.6) so I had a look at gstreamer's plugin writers guide and porting guide and updated the driver. Packages are here until there's a new upstream version or Debian package release. This blog is flattr enabled.

Following up on using Debian on the WeTab with GNOME Shell I had a look at automatically adjusting the screen orientation when rotating the device. The accelerometer is handled in the asus_laptop module since kernel 3.2, so this shows up in /proc/bus/input/devices:

I: Bus=0019 Vendor=0000 Product=0000 Version=0000
N: Name="Pegatron Lucid Tablet Accelerometer"
P: Phys=pega_accel/input0
S: Sysfs=/devices/platform/asus_laptop/input/input4
U: Uniq=
H: Handlers=event4 js0 
B: PROP=0
B: EV=9
B: ABS=7

Whenever the screen orientation changes the driver emits a udev event. The helper in /lib/udev/accelerometer processes it thanks to /lib/udev/rules.d/61-accelerometer.rules, determines the orientation and adds the ID_INPUT_ACCELEROMETER_ORIENTATION property to the event which can be checked with udevadm monitor --property:

UDEV  [5778.534171] change   /devices/platform/asus_laptop/input/input4 (input)
ABS=7
ACTION=change
DEVPATH=/devices/platform/asus_laptop/input/input4
EV=9
ID_FOR_SEAT=input-platform-asus_laptop
ID_INPUT=1
ID_INPUT_ACCELEROMETER=1
ID_INPUT_ACCELEROMETER_ORIENTATION=right-up
ID_PATH=platform-asus_laptop
ID_PATH_TAG=platform-asus_laptop
MODALIAS=input:b0019v0000p0000e0000-e0,3,kra0,1,2,mlsfw
NAME="Pegatron Lucid Tablet Accelerometer"
PHYS="pega_accel/input0"
PRODUCT=19/0/0/0
PROP=0
SEQNUM=1550
SUBSYSTEM=input
TAGS=:seat:
UDEV_LOG=3
USEC_INITIALIZED=6154288

This is captured by gnome-settings-daemon (>=3.2) that adjusts the screen rotation using xrandr2 accordingly. This can be checked by running gnome-settings-daemon with --debug. The old way of using xinput events is no longer supported. Unfortunately Debian's udev has a minor bug that misdetects the input device so this patch is needed to have the screen orientation changed automatically on the WeTab. This blog is flattr enabled.

Following up on using Debian on the WeTab with GNOME Shell I've put together a bit of GTK+3 CSS to make it more touch friendly. It's in the same git repo as the OSK extension. If you put the gtk.css into ~/.config/gtk-3.0/gtk.css scrollbars will be a bit larger and the padding between widgets will be increased over the default theme: This will need more work since some of the sliders look a bit a awkward now so any enhancements will be greatly appreciated. The docs for GTK3's CSS are here. This blog is flattr enabled.

Running Debian on the WeTab with GNOME Shell without an external keyboard works pretty nicely. The on screen keyboard - if enabled via the accessibility menu - folds out automatically in the shell itself within text input fields. To have this within GTK+3/GTK+2 applications you need libcaribou-gtk3-module and libcaribou-gtk-module installed. For other cases I stitched together a small extension that puts a keyboard "Button" prominently into the middle of the panel. Clicking/touching it will fold it out, clicking again will hide it again. You can fetch it from

git clone git://honk.sigxcpu.org/git/gnome-shell-oskb-extension.git ~/.local/share/gnome-shell/extensions/OnScreenKeyboardButton@sigxcpu.org

and activate it via

 gsettings set org.gnome.shell enabled-extensions "['OnScreenKeyboardButton@sigxcpu.org']"

For kinetic scrolling in Iceweasel I'm currently using Grab and Drag which is not yet packaged for Debian. Thanks to the Debian's GNOME packaging team gnome-shell 3.6 is already available in experimental. This blog is flattr enabled.

Interactively installing Debian virtual machines with virt-install without having to download anything in advance can already be done by pointing it to a Debian mirror via --location. But you can also add files to the initrd after downloading using --initrd-inject. Upstreams intended use is for kickstart files but we can also feed it a preseed.cfg to automate the whole installation:

virt-install --connect=qemu:///system \
             --location=http://ftp.us.debian.org/debian/dists/stable/main/installer\-i386 \
             --initrd-inject=/path/to/preseed.cfg \
             --extra-args="auto" \
             --name d-i --ram=512 \
             --disk=pool=default,size=5,format=qcow2,bus=virtio

preseed.cfg is a regular preseed file (as described in the Debian Wiki) in your local filesystem. I'm using this one for Squeeze and Wheezy VMs. It must be named preseed.cfg in order for d-i to pick it up from the initrd. This also works for URLs like qemu+ssh://<remotehost>/system/ since virt-install uses libvirt's streaming API to upload the kernel and modified initrd to the remote host. In case you're running this on an i386 you'll need this fix which already sits in experimental. This blog is flattr enabled.

This went out to d-d-a already but I figured that this might be of interest here too: The fifth Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. Eight persons attended which is an all time high! This is a short summary of what happened during the weekend:

• We pushed a ESR (extended support release) version of icedove including l10n and the calendaring extension to unstable. By cherry-picking lots of build-fixes from iceweasel we made the testing transition getting rid of the old 3.X version.
• Since iceowl (the standalone calendar) is not maintained upstream anymore we're keeping it in experimental only for now. A new version got uploaded including updated l10n.
• A new upstream version of evolution-mapi was upload to sid fixing an FTBFS.
• d-push 1.5.8 (the rebranded version of z-push) got uploaded to unstable including translation updates and adaption to php 5.4.0.
• Lots of progress was made on packaging SOGo and related components and it's now quiet close to an upload to sid.
• Work on OpenChange included looking into using the version in Debian for SOGo packaging as well as fixing Samba4 issues that broke (among other things) the OpenChange build.
• Progress was made on packaging Zarafa ZCP for Debian (rebranded as giraffe). The packages are working but rebranding is not yet complete.
• About 60 evolution bugs where either closed or commented on.
• As usual the Groupware page got updated.
• The meetings 5th anniversary was celebrated with a barbecue.

During FOSDEM I finally got around to hack on a iodine plugin for network manager. Given a suitably prepared server on the other end this allows you to tunnel connections over DNS when all other traffic is firewalled. The basic configuration only needs the domain name set: You can grab the sources from git.gnome.org, a Debian package is also available. This blog is flattr enabled.

I've started uploading snapshots of git-buildpackage to experimental recently. Here's a short list of what changed over the version in wheezy and sid:

• git-buildpackage now has a --git-pristine-tar-commit option that commits a tarball right back to the pristine-tar branch if it's not already there. This makes tracking upstream git and dfsg-clean source handling easier.
• git-buildpackage's --git-upstream-tree now accepts a tree directly without the need to use --git-upstream-branch.
• git-buildpackage's --git-export now parses the exported changelog instead of the working copy. This way we automatically pick up the correct tarballs, branches, etc. reducing the number of options needed.
• Jan apek added a --git-postexport hook to allow to mangle the source after exporting it.
• gbp-pull and gbp-fetch now support shallow clones thanks to Markus Lehtonen.
• gbp-pull got a speed up by skipping the checkout for fast-forward. This makes updating large source trees less time consuming.
• git-import-orig and git-import-dsc can now import into bare repositories.
• Russ Allbery updated git-pbuilder to 1.27.
• gbp-pq should be easier to use thanks to the --force and --switch options. It also handles patches without descriptions more robustly.
• The test coverage of the internal test suite increased quiet a bit. We're now generating coverage information during the build in build/cover.
• We're now generating apidocs which also serves as usage examples.

This blog is flattr enabled.

A recent trip to Switzerland made me dig out my prepaid card for UMTS usage again. This resulted in some minor enhancements for Prepaid Manager. The new release handles disabled and missing modems more reliably. It also has some visual feedback if we know the length of the top up code: This blog is flattr enabled.

Debian's libvirt in unstable finally passes the Technology Compatibility Kit (libvirt-tck) for qemu:///system:

Files=59, Tests=1579, 315 wallclock secs ( 0.77 usr  1.02 sys + 31.40 cusr 10.14 csys = 43.33 CPU)
Result: PASS

We're running libvirt's internal test suite since 0.9.0 but this doesn't launch any real virtual machines to check things like suspend, resume, snapshotting, migration and it doesn't create storage pools and volumes or networks. This means a lot of testing was done manually with each release. libvirt-tck provides a framework to perform these kinds of integration testing between libvirt and it's drivers, comes with hundreds of testcases already and it's easy to set up since it's available in experimental:

apt-get install -t experimental libvirt-tck

Edit /etc/libvirt-tck/default.cfg if you don't want to use the default connection URI. Then just run libvirt-tck:

libvirt-tck

Since this is supposed to stress libvirtd and the hypervisor and since it creates and deletes storage pools, networks and virtual machines it's recommended to run this on a dedicated system to make sure the tests don't blow away any precious config. If a test fails one can debug that single test using:

LIBVIRT_TCK_CONFIG=/etc/libvirt-tck/default.cfg prove --verbose /usr/share/libvirt-tck/tests/hooks/051-daemon-hook.t

This already revealed errors in our package like a missing parted build dependency breaking the creation of disk based storage pools, bugs in libvirt, crashes in QEMU and minor errors in the test suite itself. We're currently cheating a bit since the tests for hooks and nwfilter are currently disabled due to license problems with the used Perl modules. libvirt-tck can easily be integrated into Jenkins since it can now use libtap-formatter-junit-perl to generate JUnit XML. To do so simply configure a free-style software project to execute these commands:

rm -f libvirt-tck.xml
sudo libvirt-tck --timer --format junit --force > libvirt-tck.xml

allow Jenkins to run libvirt-tck as root

jenkins ALL=(ALL) NOPASSWD: /usr/bin/libvirt-tck --timer --format junit --force

and configure it to publish a JUnit test result report. Currently I'm only running the tests for qemu:///system so any help running and debugging this for LXC, VirtualBox or XEN is very welcome. Many thanks go to Salvatore Bonaccorso for packaging the missing Perl modules needed by libvirt-tck.

The new release switches to GDBus and adds an application icon. Together with the recently released Modem Manager 0.5 it's now able to fetch the balance information via USSD on Huawei and ZTE modems as well. This blog is flattr enabled.