Somalia's chief exports appear to be morally-ambiguous Salon articles about piracy and sophomoric evidence against libertarianism. However, it is the former topic that Captain Phillips concerns itself with, inspired by the hijacking of the Maersk Alabama container ship in 2009. What is truth? In the end, Captain Phillips does not rise above Pontius Pilate in providing an answer, but it certainly tries using more refined instruments than irony or leaden sarcasm. This motif pervades the film. Obviously, it is based on a "true story" and brings aboard that baggage, but it also permeates the plot in a much deeper sense. For example, Phillips and the US Navy lie almost compulsively to the pirates, whilst the pirates only really lie once (where they put Phillips in greater danger). Notice further that Phillips only starts to tell the truth when he thinks all hope is lost. These telling observations become even more fascinating when you realise that they must be based on the testimony of the, well, liars. Clearly, deception is a weapon to be monopolised and there are few limits on what good guys can or should lie about if they believe they can save lives. Futhermore, there is an utterly disarming epilogue where Phillips is being treated for shock by clinical efficient medical staff. Not only will this scuttle any "blanket around the shoulders" clich but is probably a highly accurate portrayal of what actually happens post-trauma. This echoes the kind of truth Werner Herzog aims for in his filmmaking as well his guilt-inducing duality between uncomfortable lingering and compulsive viewing. Lastly, a starter for a meta-discussion: can a film based on real-world events even be "spoilered"? Hearing headlines on the radio before you read your newspaper hardly robs you of a literary journey... Captain Phillips does have some quotidian problems. Firstly, the only tool for ratcheting up tension is for the Somalians to launch verbal broadsides at the Americans, with each compromise somehow escalating the situation. This technique is effective but well before the climatic rescue scene where it is really needed it has been subject to the most extreme diminishing returns. (I cannot be the first to notice the "Africans festooned with guns shouting incomphensively" trope I hope it is based on a Babel-esque mechanism of disorientation from miscommunication rather than anything more unsavoury.) Secondly, the US Navy acts like a teacher with an Ofsted inspector observing quietly from the corner of the classroom; far too well-behaved it suspends belief, with no post-kill gloating or even the tiniest of post-arrest congratulations. Whilst nobody wants to see the Navy overreact badly to other military branches getting all the glory, nobody wants to see a suspiciously bland recruitment vehicle either. Paradoxically, this hermetic treatment made me unduly fascinated by them as if they were part of some military "uncanny valley". Two quick observations:

• All US Somali interactions are recorded by a naval officer. No doubt a value-for-money defense against a USS Abu Ghraib, but knowing the plot is based on factual events, it was perhaps a little too Baudrillardian to ponder how the presence of the Navy's cameras in a scene actually lent weight to the film's version of events, crucially without me even knowing whether the parallel "real-life" footage is verifiable or not.
• The navigational computers not only seem to require lines to drawn repeatedly between points of interest, but the Maersk Alabama's arbitrary relabelling as MOTHERSHIP seems to imply that an officer could humourously rename a radar contact to something unbecoming of a 12A classification.

Finally, despite the title, the film is actually about two captains; the skillful liar Phillips and ... well, that's the real problem. Whilst Captain Muse is certainly no caricatured Hook, we are offered little depth beyond a "You're not just a fisherman" faux-revelation that leads nowhere. I was left inventing reasons for his akrasia so that he made any sense whatsoever. One could charitably argue that the film attempts to stay objective on Muse, but the inability for the film to take any obvious ethical stance actually seems to confuse and then compromise the narrative. What deeper truth is actually being revealed? Is this film or documentary? Worse still, the moral vacuum is invariably filled by the viewer's existing political outlook: are Somali pirates victims of circumstance who are forced into (alas, regrettable) swashbuckling adventures to pacify plank-threatening warlords? Or are they violent and dangerous criminals who habour an irrational resentment against the West, flimsily represented by material goods in shipping containers? Your improvised answer to this Rorschach test will always sit more haphazardly in the film than any pre-constructed treatment ever could. 6/10

Somalia's chief exports appear to be morally-ambiguous Salon articles about piracy and sophomoric evidence against libertarianism. However, it is the former topic that Captain Phillips concerns itself with, inspired by the hijacking of the Maersk Alabama container ship in 2009. What is truth? In the end, Captain Phillips does not rise above Pontius Pilate in providing an answer, but it certainly tries using more refined instruments than irony or leaden sarcasm. This motif pervades the film. Obviously, it is based on a "true story" and brings aboard all that well-travelled baggage, but it also permeates the plot in a much deeper sense. For example, Phillips and the US Navy lie almost compulsively to the pirates, whilst the pirates only really lie once where they put Phillips in greater danger. Notice further that Phillips only starts to tell the truth when he thinks all hope is lost. These telling observations become even more fascinating when you realise that they must be based on the testimony of the, well, liars. Clearly, deception is a weapon to be monopolised and there are few limits on what good guys can or should lie about if they believe they can save lives. Lastly, there is an utterly disarming epilogue where Phillips is being treated for shock by clinical efficient medical staff. Not only will it scuttle any "blanket around the shoulders" clich but is probably a highly accurate portrayal of what actually happens post-trauma. This echoes the kind of truth Werner Herzog often aims for in his filmmaking as well his guilt-inducing duality between uncomfortable lingering and compulsive viewing. Another angle worthy of discussion: can a film based on real-world events even be "spoilered"? Hearing headlines on the before you read the newspaper hardly robs you of a literary journey... Captain Phillips does have some quotidian problems. Firstly, the only tool for ratcheting up tension is for the Somalians to launch verbal broadsides at the Americans, with each compromise somehow escalating the situation further. This technique is genuinely effective but well before the climatic rescue scene where it is really needed it has been subject to the most extreme diminishing returns. (I cannot be the first to notice the "Africans festooned with guns shouting incomphensively" trope I hope it is based on a Babel-esque mechanism of disorientation and miscommunication rather than anything, frankly, unsavoury.) Secondly, the US Navy acts like a teacher with an Ofsted inspector observing quietly from the corner of the classroom; far too well-behaved it suspends belief, with no post-kill gloating or even the tiniest of post-arrest congratulations. Whilst nobody wants to see the Navy overreact badly to other military branches getting all the glory, nobody wants to see a suspiciously bland recruitment vehicle either. Paradoxically, this hermetic treatment made me unduly fascinated by them, as if they were part of some military "uncanny valley". Two quick observations:

• All US Somali interactions are recorded by a naval officer. No doubt a value-for-money defense against a USS Abu Ghraib, but knowing the plot is based on a factual events, it was perhaps a little too Baudrillardian to ponder how the presence of the Navy's cameras in a scene actually lent weight to the film's version of events, crucially without me even knowing whether the parallel "real life" footage is verifiable or not.
• The navigational computers not only seem to require lines to drawn repeatedly between points of interest, but the Maersk Alabama's arbitrary relabelling as MOTHERSHIP seems to imply that an officer could humourously rename a contact to something unbecoming of a 12A classification.

Finally, despite the title, the film is actually about two captains; the skillful liar Phillips and ... well, that's the real problem. Whilst Captain Muse is certainly no caricatured Hook, we are offered little depth beyond a "You're not just a fisherman" faux-revelation that leads nowhere. I was left inventing reasons for his akrasia so that he made any sense whatsoever. One could charitably argue that the film attempts to stay objective on Muse, but the inability for the film to take any obvious ethical stance actually seems to confuse and then compromise the narrative. What deeper truth is actually being revealed? Is this film or documentary? Worse still, the moral vacuum is invariably filled by the viewer's existing political outlook: are Somali pirates victims of circumstance who are forced into (alas, regrettable) swashbuckling adventures to pacify plank-threatening warlords? Or are they violent and dangerous criminals who habour an irrational resentment against the West, flimsily represented by material goods in shipping containers? Your improvised answer to this Rorschach test will always sit more haphazardly in the film than any pre-constructed treatment ever could. 6/10

Matt Palmer wrote an insightful post about the use of the word professional [1]. It s one factor that makes me less inclined to be a member of professional societies. The TED blog has an interesting article about Wikihouse which is a project to create a set of free designs for houses to be cut out of plywood with a CNC milling machine [2]. The article also links to a TED talk by Alastair Parvin of the Wikihouse project which covers many interesting things other than designing houses. An XKCD comic has one of the best explanations of bullying I ve ever seen [3]. If you aren t familiar with XKCD then make sure you hover your mouse over it to read the hidden text. The Fair Phone is a project to develop a smart phone starting with conflict-free resources and with fully free software (not like a typical Android build) [4]. It s an interesting project and the price and specs seem within the normal range so you re not paying a huge premium for a conflict-free phone. Unfortunately they only have one model with a 4.3 display, if they had a competitor for the Galaxy Note then I d be interested. Patrick Stokes wrote an insightful article about why I m entitled to my opinion is a bogus argument [5]. Jim Daly wrote an interesting TED blog post interviewing Rishi Manchanda about Upstream Doctors who look for the root causes of medical problems rather than just treating the symptoms [6]. Brian Krebs wrote an insightful article about the value of a hacked email account [7]. If you are trying to convince your users to use better passwords then this should help. Ron Garrett wrote an insightful series or articles on morality hooked on the premise of whether it s wrong to torture kittens [8]. Part of his conclusion is that people who believe it s wrong to do such things tend to be more capable of working in large groups and forming a productive and efficient society. The TED blog has an interesting post by Karen Eng summarising Andreas Raptopoulos talk about using autonomous drones to deliver parcels in parts of the world that don t have usable roads [9]. Delivering parcels (which would start with medical supplies but would presumably move on to commercial transport) by drone is apparently really cheap. Being cheaper than building roads isn t going to be difficult but it seems that they are going to make it cheaper than paying people to deliver parcels even if the roads were built. The main web site about this project is www.matternet.us, they are hiring electrical engineers. Here is the link for Andreas TED talk [10]. The TOR blog has an interesting article by Emily Asher-Perrin comparing the different houses of Hogwarts [11]. It s an insightful article about personality attributes and gives more information than is available in the movies (I d read the books if I had time).

• [1] http://hezmatt.org/~mpalmer/blog/2013/05/14/a-modest-vocabulary-proposal.html
• [2] http://blog.ted.com/2013/05/23/how-to-print-out-your-own-house/
• [3] http://xkcd.com/1216/
• [4] http://www.fairphone.com/
• [5] http://theconversation.com/no-youre-not-entitled-to-your-opinion-9978
• [6] http://tinyurl.com/n2rvo94
• [7] http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
• [8] http://tinyurl.com/nczyspd
• [9] http://tinyurl.com/kxu8dxp
• [10] http://www.youtube.com/watch?v=eqcX3AM5oh8
• [11] http://tinyurl.com/o4sbt3l

I have attended the SciPy 2013 conference in Austin, Texas. Here are my impressions.

Number one is the fact that the IPython notebook was used by pretty much everyone. I use it a lot myself, but I didn't realize how ubiquitous it has become. It is quickly becoming the standard now. The IPython notebook is using Markdown and in fact it is better than Rest. The way to remember the "[]()" syntax for links is that in regular text you put links into () parentheses, so you do the same in Markdown, and append [] for the text of the link. The other way to remember is that [] feel more serious and thus are used for the text of the link. I stressed several times to +Fernando Perez and +Brian Granger how awesome it would be to have interactive widgets in the notebook. Fortunately that was pretty much preaching to the choir, as that's one of the first things they plan to implement good foundations for and I just can't wait to use that.

It is now clear, that the IPython notebook is the way to store computations that I want to share with other people, or to use it as a "lab notebook" for myself, so that I can remember what exactly I did to obtain the results (for example how exactly I obtained some figures from raw data). In other words --- instead of having sets of scripts and manual bash commands that have to be executed in particular order to do what I want, just use IPython notebook and put everything in there.
Number two is that how big the conference has become since the last time I attended (couple years ago), yet it still has the friendly feeling. Unfortunately, I had to miss a lot of talks, due to scheduling conflicts (there were three parallel sessions), so I look forward to seeing them on video.

+Aaron Meurer and I have done the SymPy tutorial (see the link for videos and other tutorial materials). It's been nice to finally meet +Matthew Rocklin (very active SymPy contributor) in person. He also had an interesting presentation
about symbolic matrices + Lapack code generation. +Jason Moore presented PyDy.
It's been a great pleasure for us to invite +David Li (still a high school student) to attend the conference and give a presentation about his work on sympygamma.com and live.sympy.org.

It was nice to meet the Julia guys, +Jeff Bezanson and +Stefan Karpinski. I contributed the Fortran benchmarks on the Julia's website some time ago, but I had the feeling that a lot of them are quite artificial and not very meaningful. I think Jeff and Stefan confirmed my feeling. Julia seems to have quite interesting type system and multiple dispatch, that SymPy should learn from.

I met the VTK guys +Matthew McCormick and +Pat Marion. One of the keynotes was given by +Will Schroeder from Kitware about publishing. I remember him stressing to manage dependencies well as well as to use BSD like license (as opposed to viral licenses like GPL or LGPL). That opensource has pretty much won (i.e. it is now clear that that is the way to go).

I had great discussions with +Francesc Alted, +Andy Terrel, +Brett Murphy, +Jonathan Rocher, +Eric Jones, +Travis Oliphant, +Mark Wiebe, +Ilan Schnell, +St fan van der Walt, +David Cournapeau, +Anthony Scopatz, +Paul Ivanov, +Michael Droettboom, +Wes McKinney, +Jake Vanderplas, +Kurt Smith, +Aron Ahmadia, +Kyle Mandli, +Benjamin Root and others.


It's also been nice to have a chat with +Jason Vertrees and other guys from Schr dinger.

One other thing that I realized last week at the conference is that pretty much everyone agreed on the fact that NumPy should act as the default way to represent memory (no matter if the array was created in Fortran or other code) and allow manipulations on it. Faster libraries like Blaze or ODIN should then hook themselves up into NumPy using multiple dispatch. Also SymPy would then hook itself up so that it can be used with array operations natively. Currently SymPy does work with NumPy (see our tests for some examples what works), but the solution is a bit fragile (it is not possible to override NumPy behavior, but because NumPy supports general objects, we simply give it SymPy objects and things mostly work).

Similar to this, I would like to create multiple dispatch in SymPy core itself, so that other (faster) libraries for symbolic manipulation can hook themselves up, so that their own (faster) multiplication, expansion or series expansion would get called instead of the SymPy default one implemented in pure Python.

Other blog posts from the conference:

• Aaron's post
• Fernando's post

Cory Doctorow published a letter from a 14yo who had just read his novel Homeland [1]. I haven t had anything insightful to say about Aaron Swartz, so I think that this link will do [2]. Seth Godin gave an interesting TED talk about leading tribes [3]. I think everyone who is active in the FOSS community should watch this talk. Ron Garrett wrote an interesting post about the risk of being hit by a dinosaur killer [4]. We really need to do something about this and the cost of defending against asteroids is almost nothing compared to defence spending. Afra Raymond gave an interesting TED talk about corruption [5]. He focussed on his country Trinidad and Tobago but the lessons apply everywhere. Wikihouse is an interesting project that is based around sharing designs for houses that can be implemented using CNC milling machines [6]. It seems to be at the early stages but it has a lot of potential to change the building industry. Here is a TED blog post summarising Dan Pallotta s TED talk about fundraising for nonprofits [7]. His key point is that moral objections to advertising for charities significantly reduce their ability to raise funds and impacts the charitable mission. I don t entirely agree with his talk which is very positive towards spending on promotion but I think that he makes some good points which people should consider. Here is a TED blog post summarising Peter Singer s TED talk about effective altruism [8]. His focus seems to be on ways of cheaply making a significant difference which doesn t seem to agree with Dan Pallotta s ideas. Patton Oswalt wrote an insightful article about the culture of stand-up comedians which starts with joke stealing and heckling and ends with the issue of rape jokes [9]. Karen Eng wrote an interesting TED blog post about Anthony Vipin s invention of HAPTIC shoes for blind people [10]. The vibration of the shoes tells the person which way to walk and a computer sees obstacles that need to be avoided. David Blaine gave an interesting TED talk about how he prepared for a stunt of holding his breath for 17 minutes [11].

• [1] http://craphound.com/?p=4521
• [2] https://torforge.wordpress.com/2013/02/04/cory-doctorow-on-aaron-swartz/
• [3] http://www.ted.com/talks/seth_godin_on_the_tribes_we_lead.html
• [4] http://blog.rongarret.info/2013/02/its-question-of-when-not-if.html
• [5] http://www.ted.com/talks/afra_raymond_three_myths_about_corruption.html
• [6] http://www.wikihouse.cc/
• [7] http://tinyurl.com/d3jnmqt
• [8] http://blog.ted.com/2013/03/01/effective-altruism-peter-singer-at-ted2013/
• [9] http://tinyurl.com/krxvrnx
• [10] http://tinyurl.com/nlrq5k6
• [11] http://www.ted.com/talks/david_blaine_how_i_held_my_breath_for_17_min.html

This is a quick, test-suite-only release to handle a new warning in Pod::Simple 3.26 that broke the test suite. Pod::Simple now warns if the =item elements seem to mix different types of items (bullets, numbers, and text strings). This triggered a couple of times in the test suite: once where I was explicitly testing the Pod::Man handling of that case (now moved to a separate test suite where I can suppress errors), and in several other places where I was testing item tag widths in formatting and was using =item 1 as the test for a single-column tag. That's now disambiguated with Z<>. There are various other changes pending, but alas I don't have time for a proper release at the moment. (Particularly since I'll probably be tackling coding style changes and a switch to Module::Build in the next release.) You can get the latest version from CPAN or from the podlators distribution page.

Please DO TRY this at home Here's a little tutorial on how to modify a plain t-shirt, inspired by this one. What you'll need:

• a t-shirt: a loosely fit one will do but - as a rule - huge t-shirts are more fun (as you have more room for improvements/changes/customizations);
• fabric shears
• needle and thread (or, if you prefer, a sewing machine)
• pins

Step 1: the neckline Put the t-shirt on a flat surface, then start cutting out the collar, to create a new neckline: cut two slits about 2 cm from the collar (from both sides), then cut out a circle. Flip the tee and do the same on the back side. Step 2: the bottom hem Try your shirt on and mark the desired lenght. I decided to create a curved hem, to make it more feminine: to do it, you'll just need to cut an half-moon shape on the bottom line of the t-shirt. Step 3: the shoulder strap (optional) Just to add a little twist, I decided to sew a ribbon as shoulder strap. You'll just need to measure the required lenght with the tee on, and mark the place to sew the ribbon. After sewing the strap, you can also add a little bow on the front side. Don't throw away the scraps, use them to make a fabric necklace! Some resources on t-shirt surgery:

• projects and moar projects
• pinterest(ing)!
• crafster have lots of tutorial of reconstructed clothes

this week I focussed mostly on bugs where conffiles are modified in maintainer scripts. thanks to the recipe in debconf-devel(7) many cases are not so hard to solve.

• #632604 src:libatomic-ops: "libatomic-ops: FTBFS on i386"
  prepare a patch for testing-proposed-updates, upload after ack from maintainer and release team
• #687858 tasksel-data: "tasksel-data: copyright file missing after upgrade (policy 12.5)"
  add info and tag in BTS
• #687944 mason: "mason: modifies conffiles (policy 10.7.3): /etc/masonrc"
  fix configuration file handling, upload to DELAYED/2
• #688196 mimedefang: "mimedefang: modifies conffiles (policy 10.7.3): /etc/default/mimedefang"
  fix configuration file handling, upload to DELAYED/2, then included in maintainer upload
• #688200 fprobe: "fprobe: modifies conffiles (policy 10.7.3): /etc/default/fprobe"
  fix configuration file handling, upload to DELAYED/2
• #688205 mono-xsp2: "mono-xsp2: modifies conffiles (policy 10.7.3): /etc/default/mono-xsp2"
  fix configuration file handling, upload to DELAYED/2, rescheduled to 0-day with maintainer's permission
• #688375 ntlmaps: "ntlmaps: modifies conffiles (policy 10.7.3): /etc/ntlmaps/server.cfg"
  fix configuration file handling, upload to DELAYED/2
• #688378 gom: "gom: modifies conffiles (policy 10.7.3): /etc/default/gom"
  fix configuration file handling, upload to DELAYED/2
• #688499 netmrg: "netmrg: modifies conffiles (policy 10.7.3): /etc/netmrg/netmrg.xml"
  install only template configuration file, upload to DELAYED/2
• #688565 mono-apache-server2,mono-apache-server4: "mono-apache-server2, mono-apache-server4: modifies conffiles (policy 10.7.3): /etc/default/mono-apache-server[24]"
  fix configuration file handling, upload to DELAYED/2, rescheduled to 0-day with maintainer's permission
• #688736 w3c-linkchecker: "w3c-linkchecker: modifies conffiles (policy 10.7.3): /etc/w3c/checklink.conf"
  remove configuration file on purge (pkg-perl)

ELKI is a data mining software project that I have been working on for the last years as part of my PhD research. It is open source (AGPL-3 licensed) and avilable as both a Debian package and Ubuntu package in the official repositories. So a simple aptitude install elki should get you going and give you a menu entry for ELKI. These packages come with the scripts elki to launch the MiniGUI and elki-cli to run from command line. The key feature that sets ELKI apart from existing open source tools used in data mining (e.g. Weka and R) is that it has support for index structures to speed up algorithms, and a very modular architecture that allows various combinations of data types, distance functions, index structures and algorithms. When looking for performance regressions and optimization potential in ELKI, I recently ran some benchmarks on a data set with 110250 images described by 8 dimensional color histograms. This is a decently sized dataset: it takes long enough (usually in the range of 1-10 minutes) to measure true hotspots. When including Weka and R in the comarison I was quite surprised: our k-means implementation runs at the same speed as Rs implementation in C (and around twice that of the more flexible "flexclus" version). For some of the key agorithms (DBSCAN, OPTICS, LOF) we are an order of magnitude faster than Weka and R, and adding index support speeds up the computation by another factor of 5-10x. In the most extreme case - DBSCAN in Weka vs. DBSCAN with R-tree in ELKI - the speedup was a factor of 330x, or 2 minutes (ELKI) as opposed to 11 hours (Weka).
The reason why I was suprised is that I expected ELKI to perform much worse. It is written in Java (as opposed to R's kmeans, which is in C), uses a very flexible architecture which for example does not assume distances to be of type double and just has a lot of glue code inbetween. However, obviously, the Java Hotspot compiler actually lives up to its expectations and manages to inline the whole distance computations into k-means, and then compiles it at a level comparable to C. R executes vectorized operations quite fast, but on non-native code as in the LOF example it can become quite slow, too. (I would not take Weka as reference, in particular with DBSCAN and OPTICS there seems to be something seriously broken. Judging from a quick look at it, the OPTICS implementation actually is not even complete, and both implementations actually copy all data out of Weka into a custom linear database, process it there, then feed back the result into Weka. They should just drop that "extension" altogether. The much newer and Weka-like LOF module is much more comparable.) Note that we also have a different focus than Weka. Weka is really popular for machine learning, in particular for classification. In ELKI, we do not have a single classification algorithm because there is Weka for that. Instead, ELKI focuses on cluster analysis and outlier detection. And ELKI has a lot of algorithms in this domain, I dare to say the largest collection. In particular, they are all in the same framework, so they can be easily compared. R does of course have an impressive collection in CRAN, but in the end they do not really fit together. Anyway, ELKI is a cool research project. It keeps on growing, we have a number of students writing extensions as part of their thesis. It has been extremely helpful for me in my own research, as I could quickly prototype some algorithms, then try different combinations and use my existing evaluation and benchmarking. You need some time to get started (largely because of the modular architecture, Java generics and such hurdles), but then it is a very powerful research tool. But there are just many more algorithms, published sometime, somewhere, but barely with source code available. We'd love to get all these published algorithms into ELKI, so researchers can try them out. And enhance them. And use them for their actual data. So far, ELKI was mostly used for algorithmic research, but it's starting to move out into the "real" world. More and more people that are not computer scientists start using ELKI to analyze their data. Because it has algorithms that no other tools have. I tried to get ELKI into the "Google Summer of Code", but it was not accepted. But I'd really like to see it gain more traction outside the university world. There are a number of cool projects associated with ELKI that I will not be able to do myself the next years, unfortunately.

• A web browser frontend would be cool. Maybe even connected to Google Refine, using Refine for preprocessing the data, then migrating it into ELKI for analysis. The current visualization engine of ELKI is using SVG - this should be fairly easy to port into the web browser. Likely, the web browers will even be faster than the current Apache Batik renderer.
• Visual programming frontend. Weka, RapidMiner, Orange: they all have visual programming style UIs. This seems to work quite well to model the data flow within the analysis. I'd love to see this for ELKI, too.
• Cluster/Cloud backend. ELKI can already handle fairly large data sets on a big enough system. If someone spends extra effort on the index structures, the data won't even need to fit into main memory anymore. Yet, everybody now wants "big data", and parallel computation probably is the future. I'm currently working on some first Hadoop YARN based experiments with ELKI. But this is a huge field, turning this into true "elk yarn". I will likely only lay some foundations (unless I get funding to continue as a PostDoc on this project. I sure hope to get to do at least a few years of postdoc somewhere, as I really enjoy working with students on this kind of project)
• New visualization engine. The current visualization engine, based on Apache Batik and SVG is quite okay. It does what I need, which is to get a quick glance at the results and the ability to export them for publications in print quality. (in particular, I can easily edit the SVG files with Inkscape) But it is not really something fancy (although we have a lot of cool visualizations). And it is slow. I havn't found a portable and fast graphics toolkit for Java yet that can produce SVG files. There is a lot of hype around processing, for example, but it seems to be too much about art for me. In fact, I'd love to use either something like Clutter or Cairo. But getting them to work for Windows and Mac OSX will likely be a pain.
• Human Computer Interaction (HCI). This is in my opinion the biggest challenge we are facing with all the "big data" stuff. If you really go into big data (and not just run Hadoop and Mahout on a single system; yes - a lot of people seem to do this), you will at some point need to go beyond just crunching the numbers. So far, the challenges that we are tackling are largely data summarization and selection. TeraSort is a cool project, and a challenge. Yet, what do you actually get from sorting this large amount of data? What do you get from running k-means on a terabyte? When doing data mining on a small data set, you quickly learn that the main challenge actually is preprocessing the data and choosing parameters the right way so that your result is not bogus. Unless you are doing simple prediction tasks, you often don't have a clearly defined objective. Sure, when predicting churn rates, you can hope to just throw all the data into a big cloud and hope you get some enlightement out. But when you are doing cluster analysis or outlier detection - unsupervised methods - the actual objective by definition cannot be hardcoded into a computer. The key objective then is learn something new on the data set. But if you want to have your user learn something on the data set, you will have to have the user guide the whole process, and you will have to present results to the user. Which gets immensely more difficult with larger data. Big data just does no longer look like this. And neither are the algorithms as simple as k-means or hierarchical clustering. Hierarchical clustering is good for teaching the basic ideas of clustering. But you will not be using a dendrogram for a huge data set. Plus, it has a naive complexity of O(n^3) and for some special cases O(n^2) - too slow for truly big data.
  For the "big data future" once we get over all the excitement of being able to just somehow crunch these numbers we will need to seriously look into what to do with the results (in particular, how to present them to the user), and how to make the algorithms accessible and usable for non-techies. Right now, you cannot expect a social sciences researcher to be able to use a Hadoop cluster. Yet to make sense of the results. But if you are a smart guy to actually solve this, and open up "big data processing" to the average non-IT user, this will be big.
• Oh, and of course there are just hundreds of algorithms not yet available (accessible) as open source. Not in ELKI, and usually not anywhere else either. Just to name a few from my wishlist (I could probably implement many of them in a few hours in ELKI, but I don't have the time to do so myself, plus they are good student or starter project to get used to ELKI): BIRCH, CLARA, CLARANS, CLINK, COBWEB, CURE, DOC, DUSC, EDSC, INSCY, MAFIA, P3C, SCHISM, STATPC, SURFING, ... just to name a few.

If you are a researcher in cluster analysis or outlier detection, consider contributing your algorithms to ELKI. Spend some time optimizing them, adding some documentation. Because, if ELKI keeps on growing and gaining popularity, it will be the future benchmark platform. And this can give you citations, which are somewhat the currency of science these days. Algorithms available in the major toolkits just do get cited more, because people compare to them. See this list for an overview of work cited by ELKI - scientific work that we reimplemented at least to some extend for ELKI. It is one of the services that we provide with ELKI for researchers: not only the algorithm, but also the appropriate citation.

Fresh from the oven, monthly report of what I've been working on as DPL during January 2012.

---

Dear Developers,
here is another monthly report of what happened in DPL-land, this time for January 2012. There's quite a bit to report about --- including an insane amount of legal-ish stuff --- so please bear with me. Or not. Legal stuff

• Webmaster heroes have decided to tackle the long standing issues of copyright and licensing of the Debian website. I've accepted to help them out in reaching consensus with license choice and I'm happy to report that we've managed to pick a DFSG-free license (BSD-ish) for future contributions. Webmasters will soon contact contributors to re-license old contributions (or get rid of them), so hopefully will have a DFSG-free website RSN. Many thanks go to David Pr vot for successfully tackling such a can of worms.
• I've sought a second legal advice on the constraints that trademarks (might) impose on the work-flow of a distro like Debian. Luckily, it is coherent with one I've sought in the past so I'm now in condition to wrap up the "trademark vs DFSG" thread on -project with the missing legal information. Hopefully, I'll find time to do that sometime next week.
• I've restarted discussions with the Debian France association so that they can become a Debian Trusted Organization (as per Constitution 9.3). Members of the board of the association seem to be interested and I'm positive it could happen fairly soon. The importance of this is that we could use a back-up association in Europe to hold Debian assets, to complement the services that FFIS are already offering us.
• Thanks to the contributions of Benjamin Mako Hill and SPI lawyers, I've now what I consider a final draft of a trademark policy for Debian trademarks. Before proposing it to you, I'm waiting for some feedback from another umbrella organization for Free Software projects, that is working on a trademark policy for all their associated projects. As many Free Software projects are seeking trademark protection these days, I see benefits in having uniform (and sane!) policies. I hope to be able to gather the feedback I still miss this week-end at FOSDEM, and let you know shortly after that. Once this is done, we'll also be able to (finally!) relicense all kinds of Debian logos under a DFSG-free license. On this front, I've also updated http://www.debian.org/trademark with the information needed to contact us about trademark usage; hopefully it'll reduce the burden of answering to such inquiries.
• With the help of Kenshi Muto, Fumitoshi Ukai, Ishikawa Mutsumi, Shuzo Hatta, and Yasuhiro Araki we've started the process to move the Debian trademark in Japan from individuals (who are present or past members of the Debian JP association) to SPI. That would help dealing with these matters, as well as ensure that important Debian assets are held by Debian Trusted Organizations.
• I remind you that we've an ongoing complaint with the current registrant of debian.eu, domain that we believe Debian should legitimately own. Lawyers at SPI has now formally contacted the current owner and hopefully we'll be able to solve the issue amicably in the next months.
• Some of the past legal advice I sought for PPA came handy in a discussion on the legal risks of running a service like mentors.debian.net, hopefully addressing part of the issues in turning that into mentors.debian.org
• Patent policy for the Debian archive is now ready as well and I also have a patch for the website ready to be merged. I'm just waiting for the final blessing from SPI (lawyers) to go ahead and publish it.

Most of the above wouldn't have been possible without the precious help of folks at SFLC working for SPI and Debian. Be sure to thank SFLC for what they're doing for us and many other Free Software projects. Coordination Nobody stepped up to coordinate the artwork collection for Wheezy I've mentioned last month, so I've tried to do a little bit of that myself. The -publicity team is now preparing the call for artwork and hopefully we'll send it out RSN. In case you want to help, there is still a lot of room for that; just show up on the debian-desktop mailing list. Sprints A Debian Med sprint has happened in January, and Andreas Tille has provided a nice and detailed report about it. Some more sprints are forthcoming this spring, how about yours? Money

• We got from SPI a prepaid and rechargeable credit card that we can use for expenses or other kind of guarantees. Many thanks to Michael Schulteiss, SPI treasurer, for his help with that. Using it, we've redeemed 10k$ of credits offered to us by Amazon, that (thanks to ongoing work by Lucas Nussbaum) we're going to use to make our QA rebuilds independent from the underlying computing infrastructure.
• Thanks to the help of Luca Capello, we advanced quite a bit on forming the Debian Event Box kit that should make it easier to set up Debian booth at FOSS events. We bought the machine for it (for about ~755 CHF) and the box to contain it will soon be on its way as well. If you're at FOSDEM, tend to the Debian booth to check it out (and possibly help out with the technical setup).
• We've got quite a bit of donations during the December holidays. I've took the chance to thank donors, discuss what we do with donations and the status of publishing periodic Debian budgets.
• Pinged by Yves-Alexis Perez, I've now properly documented the fact that DDs are welcome to apply for hardware sponsoring, in case the hardware can be used to help/improve their Debian work. As suggested by Yves-Alexis, you can also advocate other DDs for hw sponsoring.
• Given hardware invariably age and that we can afford it, I've prodded DSA to prepare a general hardware replacement plan for our machines. Planning will go on this week-end and FOSDEM (thanks to Martin Zobel-Helas and Faidon Liambotis for their presence here) and I hope to have an approved machine replacement plan well before the end of the current DPL term (although I'm usually optimist...).

Important stuff going on Other important stuff has been going on in various area of the project in January. I'd like to point your attention to a couple of things:

• People active on debian-mentors have proposed an improved work-flow to deal with sponsoring/mentoring requests, based on the usage of a new pseudo package "sponsorship-requests". Thanks to Ansgar Burchardt, Jakub Wilk, Arno T ll, and Gregor Herrmann for working on this.
• Raphael Hertzog has kickstarted work on DEP-2, as a way to rationalize the flow of package-related information that (co-)maintainers get. Discussion about the idea are ongoing on the debian-qa mailing list.

Miscellanea

• Work has further progressed in reaching out to companies with an interest in giving support for, and contributing to Debian. Thanks to Alexander Wirt the technical work is now done and some sort of governance policy has been decided. Further step for me is to announce it properly hoping to reach out to as many interested companies as possible. I hope to finalize that in the next month. (If you're working for such a company and you happen to read this, feel free to reach out to me already.)
• I've completed an old todo item setting up and documenting titanpad.debian.net, service that has been requested for collaborative work during various kinds of online events. Help is welcome to help administering the service (see doc).
• SPI has clarified the role of project representatives and, as a consequence of that, I (as DPL) no longer receive SPI board discussions addressed to board@spi. That is good not only for the sanity of my inbox, but also because it puts all projects affiliated to SPI at the same level of communication within SPI. Thanks to Robert Brockway for his work on this.

In the unlikely case you've read thus far, thanks for your attention! Happy Debian hacking.

---

PS as usual, the boring day-to-day activity log is available at master:/srv/leader/news/bits-from-the-DPL.*

It's about time that Rapha l is interviewed in the "People behind Debian" series he initiated on his blog. Indeed, when he interviews people, Rapha l asks about other people they could suggest for next interviews. So, during mine, I suggested him to be a next "victim". As he couldn't interview himself, I volunteered for this. As you'll see below, Rapha l (who's a friend of mine as I'm a friend of his) likes to speak and that shows in the length of his answers :-) but you always know more about Debian when reading his blog posts, books, mails, etc. I personnally think that he is among the best promoters of the project for years and it was a pleasure for me to conduct this interview. My questions are in bold, the rest is by Rapha l. Who are you? Hi, Rapha l Hertzog, I'm a 32 years old French Debian developer who is married and who has a 2-year old son. I'm running my own company (Freexian) since 2005, I started it 3 years after the end of my computer science studies. I'm also a very proud author of the Cahier de l'Admin Debian, a French book about Debian. You often wrote about your attempts to make your living partly, if not completely, out of your Debian work. Can you describe the way you're trying to do this? My first try has been with Freexian. I always advertised this company as being specialized in Debian GNU/Linux. While Freexian is successful enough to provide me a decent income, I'm not really satisfied with the result because very few of my contracts are about improving Debian. I use Debian daily for the benefit of my customers, writing new customer specific (embedded) software, deploying a service on Debian servers, etc. But except for the occasional bugfix, all this work does not improve Debian (the only exception has been the dpkg multiarch implementation work sponsored by Linaro). The positive side is that I don't need to fill my entire schedule to earn enough money to live. So I'm regularly taking some days off work to be able to contribute to Debian. This is a freedom that I enjoy... My French book has also been a bestseller and depending on the years the royalties represented between 1 and 2 months of supplementary time that I can spend on Debian (that is between 2000 and 4000 EUR of income). Now since last year, I decided to actively work towards my goal of making a living out of my Debian work. I want to build on what has been most successful for me up to now, that is my book. My strategy has been to build an audience around my blog: with a direct contact with my readers I have the opportunity to sell e-books, and without any intermediary taking the biggest part of the price, I don't need a very large audience to be successful. I have also been experiencing micro-donations with Flattr, people who are enjoying my articles on my blog can use it to give a few cents for each article they find useful. With a large enough userbase, this could fund free documentation and would avoid the need for commercial e-books but we're not there currently and I don't know if it will ever reach the critical mass. Last but not least, I'm soliciting donations for my Debian work on the sidebar of my blog, and I have the chance to a have a few (regular) donators. You're a proud father since last year. How do you manage your commitment to the project with your family life? There are few things that I put above Debian in my life, but my family certainly is. I try to handle most of my Debian duties during work hours so that I can spend time with my family on evenings and during week-ends but in truth I never really disconnect from Debian. It happens quite often that I say to my wife I'll come in a few minutes, let me finish this and then I end up responding to a Debian mail, or an IRC query and take 30 minutes instead of the 5 expected ones. I try hard to avoid this but it's difficult. Luckily for me, my wife is very supportive of my Debian involvement and knows me well... By the way my wife is using Debian on her computer, and my son has already played with DoudouLinux (a Debian derivative!). Have you already been accused of self-promotion in your writings? If that would ever happen, what would you answer to that? Yes, more than once. I am proud of what I do for Debian, I enjoy sharing the result of my work. Because of this, some people believe that I'm selfish and egocentric. And this has somewhat increased since I have been soliciting donations: for me it's important to be transparent towards donators so that they see what I really do for Debian. But some people have the feeling that I'm getting undeserved attention and that I bring everything towards my own person. On the other side, as an author, I'm a public figure who is definitely seeking some attention... I don't have any miraculous answer, we are a large and diverse community, it's next to impossible to please everybody. I listen to all the concerns that people bring forward, I take them into account as much as possible, in particular when I believe they are reasonable/well justified, or when they come from people that I highly respect. But sometimes I have to plainly ignore them too... in particular when they are trying to impose their own political view on a topic that's not directly related to the only value that we all share: the social contract. Contributing to Debian is a challenge, we all have to make efforts to put aside our differences and to concentrate on the work that brings us closer to the best free software operating system ever built. You recently launched a campaign to free out the soon-to-be-published "Debian Administrator Handbook", an English version of your well-known book about Debian in French. Can you tell us more about this project? My French book has been very successful at helping people to get started with Debian, and like I already explained, it was also effective to fund a part of my Debian work. So I wanted to make it available world-wide by publishing an English translation of it. I tried to find an English-speaking editor willing to take on the challenge but I found none interested. Not put off by a setback, Roland (my co-author) and I decided to negotiate with our French editor Eyrolles to recuperate the necessary rights to translate the book into English. Handling everything ourselves represents a lot of work, but it also means that we have the freedom required to decide of the license of the resulting book. We would love to see it under a license compatible with the Debian Free Software Guidelines. But at the same time we firmly believe that we deserve a reasonable monetary compensation for the work on the book, so we conditioned its liberation to a predefined amount of money (25 K ) in what we call the "liberation fund". And since we wanted to be sure that we would have the required means to complete the translation, we used a crowfunding platform to seek support of people interested by the book. With such a platform you're only debited if the minimal requested amount is reached. Anyone can participate, pre-order the book and/or put some money in the liberation fund. As of today, we already reached the minimal funding goal (15 K ) so the book translation will happen. But the liberation target has not yet been reached so we don't know yet if the book will be free from the start... you can follow the progress right on the fundraising page or on the website dedicated to the book. PS: If you want to contribute to this project and also make a donation to Debian at the same time, you should check out this page. You're one of the main developers of dpkg, a critical tool for Debian systems. Can you tell us more about the current development challenges it is facing? What will be the new dpkg features for wheezy? The current challenges are not really technical. dpkg is a relatively mature piece of software and it will continue to work for the foreseeable future without needing much maintenance work. The real challenge is trying to setup a healthy developement community around it so that we can keep tackling new interesting problems (there are many listed in the roadmap and in the 225 wishlist bugs). There is a real problem of leadership and communication in the current team. We used to be three, and we're only two nowadays. Guillem is the legitimate leader since he's involved in dpkg's developement since early 2006 while I joined only in late 2007. But in the last 4 years, we did not manage to recruit anyone else on the team. Some persons tried to contribute significant new features (like Sean Finney with a rework of the way we handle configuration files) but they gave up frustrated after a while because we did not manage to review their work (and discuss the design) in any reasonable timeframe. Another famous case is Ian Jackson with his trigger work. His work got merged, but so late that in the mean time he blew up while trying to hijack the maintenance of dpkg. For a long time I was concentrating my work on the Perl part of dpkg (aka dpkg-dev mainly), so I did not feel qualified to review and merge work related to the C part and I was just a worried observator of this situation. I tried to improve it by setting up some basic review infrastructure, it should have brought some lisibility to the status of each change left to be reviewed... but it has not been used and it changed nothing. Over the years, I became much more interested in the C part. My first big contribution in C has been the rewrite of update-alternatives (from Perl to C). I made other small changes in between, but at the start of this year I had this great opportunity to work on the multiarch implementation (FYI, multiarch is the possibility to mix packages from several architectures on a single system). This really forced me to jump into the C codebase and learn a lot about how dpkg is implemented. Thanks to this I have been able to tackle other small projects (like the improved triggers). This would be all great if my multiarch work was already merged, but it's not. It's a large work, I do not mind waiting a bit in particular since Guillem is a highly skilled C programmer. His sharp analysis of new designs are invaluable, when he reviews code he always finds something to improve. I learnt a lot just by reviewing the code he wrote over the years. That said I have been waiting since April without almost no updates from him. With the release team asking us to hurry up, the situation is getting somewhat strained as I really want to see multiarch in Wheezy and I do not really want to short-circuit Guillem. Hum, I may have drifted a bit from your original question... what great new features can people expect? Well multiarch is supposed to be the big new feature, apart from that there aren't many things that matter to the end users. But there are already quite a few changes that are of interest to package maintainers (like hardened build flags, source package improvements, improved triggers, ). What's the biggest problem of Debian? Manicheism and a tendency to quickly polarize the discussions. In reality, there are very few situations where everything is all good or all bad. Ever since I have read The 7 Habits of Highly Effective People I try hard to put into practice the habits of interdependence . Instead of having only my point of view in mind, I try to understand the motivations from the other party ( Seek First to Understand, Then to be Understood ) in order to be able to put forward solutions acceptable to both parties ( Think Win-Win ). I highly recommend this book to anyone. And I invite everybody to at least try to follow those simple advices. Is there someone in Debian you admire for their contributions? There are many and I can't give an exhaustive list... here are some that I would like to highlight (in no particular order):

• Niels Thykier for the work he puts into Lintian, and his recent work on a britney test-suite (the software that creates testing out of unstable);
• Joachim Breitner for his britney reimplementation using a SAT solver;
• Adam D. Barrat for his work on britney2;
• All the release team members who take care of an endless stream of transitions;
• Christoph Berg for his continuous work over the years on various QA infrastructure (DDPO, Mole, );
• Enrico Zini for the way he helped reform the New Member process without any big disruption;
• Russ Allbery for his Debian Policy work and for being a model in terms of how we should interact on Debian mailing lists;
• Stefano Zacchiroli for being the most active leader that I have ever seen, and for the way he tries to steer important discussions to a constructive conclusion.
• etc.

Most of those people are working on improving Debian's infrastructure so that we can all be more effective and do an even better work. This kind of work is not always very visible but it's crucial to Debian's future. Thank you to Rapha l for the time spent answering my questions. I hope you enjoyed reading his answers as I did. And, anyway, it was fun to just play the game "the other way".

Some days ago, a hacker group, THC, released a denial of service tool for SSL web servers. As stated in its description, the problem is not really new: a complete SSL handshake implies costly cryptographic computations. There are two different aspects in the presented attack:

• The computation cost of an handshake is more important on the server side than on the client side. The advisory explains that a server will require 15 times the processing power of a client. This means a single average workstation could challenge a multi-core high-end server.
• The use of SSL renegotiation allows to trigger hundreds of handshakes in the same TCP connection. Even a client behind a DSL connection can therefore bomb a server with a lot of renegotiation requests.

Mitigation techniques There is no definitive solution to this attack but there exists some workarounds. Since the DoS tool from THC relies heavily on renegotiation, the most obvious one is to disable this mechanism on the server side but we will explore other possibilities.

Disabling SSL renegotiation Tackling the second problem seems easy: just disable SSL renegotiation. It is hardly needed: a server can trigger a renegotiation to ask a client to present a certificate but a client usually does not have any reason to trigger one. Because of a past vulnerability in SSL renegotiation, recent version of Apache and nginx just forbid it, even when the non-vulnerable version is available. openssl s_client can be used to test if SSL renegotiation is really disabled. Sending R on an empty line trigger renegotiation. Here is an example where renegotiation is disabled (despite being advertised as supported):

$ openssl s_client -connect www.luffy.cx:443 -tls1
[...]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
[...]
R
RENEGOTIATING
140675659794088:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:

Disabling renegotation is not trivial with OpenSSL. As an example, I have pushed a patch to disable renegotiation in stud, the scalable TLS unwrapping daemon.

Rate limiting SSL handshakes Disabling SSL renegotiation on the client side is not always possible. For example, your web server may be too old to propose such an option. Since those renegotiations should not happen often, a workaround is to limit them. When the flaw was first advertised, F5 Networks provided a way to configure such a limitation with an iRule on their load-balancers. We can do something similar with just Netfilter. We can spot most TCP packets triggering such a renegotiation by looking for encrypted TLS handshake record. They may happen in a regular handshake but in this case, they usually are not at the beginning of the TCP payload. There is no field saying if a TLS record is encrypted or not (TLS is stateful for this purpose). Therefore, we have to use some heuristics. If the handshake type is unknown, we assume that this is an encrypted record. Moreover, renegotiation requests are usually encapsulated in a TCP packet flagged with push .

# Access to TCP payload (if not fragmented)
payload="0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @"
iptables -A LIMIT_RENEGOCIATION \
    -p tcp --dport 443 \
    --tcp-flags SYN,FIN,RST,PSH PSH \
    -m u32 \
    --u32 "$payload 0 >> 8 = 0x160300:0x160303 && $payload 2 & 0xFF = 3:10,17:19,21:255" \
    -m hashlimit \
    --hashlimit-above 5/minute --hashlimit-burst 3 \
    --hashlimit-mode srcip --hashlimit-name ssl-reneg \
    -j DROP

The use of u32 match is a bit difficult to read. The manual page gives some insightful examples. $payload allows to seek for the TCP payload. It only works if there is no fragmentation. Then, we check if we have a handshake (0x16) and if we recognise TLS version (0x0300, 0x0301, 0x0302 or 0x0303). At least, we check if the handshake type is not a known value. There is a risk of false positives but since we use hashlimit, we should be safe. This is not a bullet proof solution: TCP fragmentation would allow an attacker to evade detection. Another equivalent solution would be to use CONNMARK to record the fact the initial handshake has been done and forbid any subsequent handshakes. If you happen to disable SSL renegociation, you can still use some Netfilter rule to limit the number of SSL handshakes by limiting the number of TCP connections from one IP:

iptables -A LIMIT_SSL \
    -p tcp --dport 443 \
    --syn -m state --state NEW \
    -m hashlimit \
    --hashlimit-above 120/minute --hashlimit-burst 20 \
    --hashlimit-mode srcip --hashlimit-name ssl-conn \
    -j DROP

Your servers will still be vulnerable to a large botnet but if there is only a handful of source IP, this rule will work just fine¹. I have made all those solutions available in a single file.

Increasing server-side power processing SSL can easily be scaled up and out. Since SSL performance increases linearly with the number of cores, scaling up can be done by throwing in more CPU or more cores per CPU. Adding expensive SSL accelerators would also do the trick. Scaling out is also relatively easy but you should care about SSL session resume.

Putting more work on the client side In their presentation of the denial of service tool, THC explains:

Establishing a secure SSL connection requires 15 more processing power on the server than on the client.

I don t know where this figure comes from. To check it, I built a small tool to measure CPU time of a client and a server doing 1000 handshakes with various parameters (cipher suites and key sizes). The results are summarized on the following plot: For example, with 2048bit RSA certificates and a cipher suite like AES256-SHA, the server needs 6 times more CPU power than the client. However, if we use DHE-RSA-AES256-SHA instead, the server needs 34% less CPU power. The most efficient cipher suite from the server point of view seems to be something like DHE-DSS-AES256-SHA where the server needs half the power of the client. However, you can t really uses those shiny cipher suites:

1. Some browsers do not support them: they are limited to RSA cipher suites².
2. Using them will increase your regular load a lot. Your servers may collapse with just legitimate traffic.
3. They are expensive for some mobile clients: they need more memory, more processing power and will drain battery faster.

Let s dig a bit more on why the server needs more computational power in the case of RSA. Here is a SSL handshake when using a cipher suite like AES256-SHA: When sending the Client Key Exchange message, the client will encrypt TLS version and 46 random bytes with the public key of the certificate sent by the server in its Certificate message. The server will have to decrypt this message with her private key. Those are the two most expensive operations in the handshake. Encryption and decryption are done with RSA (because of the selected cipher suite). To understand why decryption is more expensive than encryption, let me explain how RSA works. First, the server needs a public and a private key. Here are the main steps to generate them:

1. Pick two random distinct prime numbers p and q , each roughly the same size.
2. Compute n=pq . It is the modulus.
3. Compute \varphi(n)=(p-1)(q-1) .
4. Choose an integer e such that 1<e<\varphi(n) and \gcd(\varphi(n),e) = 1 (i.e. e and \varphi(n) are coprime). It is the public exponent.
5. Compute d=e^ -1 \mod\varphi(n) . It is the private key exponent.

The public key is (n,e) while the private key is (n,d) . A message to be encrypted is first turned into an integer m<n (with some appropriate padding). It is then encrypted to a ciphered message c with the public key and should only be decrypted with the private key:

• c=m^e\mod n (encryption)
• m=c^d\mod n (decryption)

So, why is decryption more expensive? In fact, the key pair is not really generated like I said above. Usually, e is a small fixed prime number with a lot of 0, like 17 (0x11) or 65537 (0x10001) and p and q are choosen such that \varphi(n) is coprime with e . This allows encryption to be fast using exponentiation by squaring. On the other hand, its inverse d is a big number with no special property and therefore, exponentiation is more costly and slow. Instead of computing d from e , it is possible to choose d and compute e . We could choose d to be small and coprime with \varphi(n) and then compute e=d^ -1 \mod\varphi(n) and get blazingly fast decryption. Unfortunately, there are two problems with this:

• Most SSL implementation expects e to be a 32bit integer.
• If d is too small (less than one-quarter as many bits as the modulus n ), it can be computed efficiently from the public key.

Therefore, we cannot use a small private exponent. The best we can do is to choose the public exponent to be e =4294967291 (the biggest prime 32bit number and it contains only one 0). However, there is no change as you can see on our comparative plot. To summarize, no real solution here. You need to allow RSA cipher suites and there is no way to improve the computational ratio between the server and the client with such a cipher suite.

Things get worse Shortly after the release the denial of service tool, Eric Rescorla³ published a good analysis on the impact of such a tool. He asks himself about the efficiency to use renegotiation for such an attack:

What you should be asking at this point is whether a computational DoS attack based on renegotiation is any better for the attacker than a computational DoS attack based on multiple connections. The way we measure this is by the ratio of the work the attacker has to do to the work that the server has to do. I ve never seen any actual measurements here (and the THC guys don t present any), but some back of the envelope calculations suggest that the difference is small. If I want to mount the old, multiple connection attack, I need to incur the following costs:

1. Do the TCP handshake (3 packets)
2. Send the SSL/TLS ClientHello (1 packet). This can be a canned message.
3. Send the SSL/TLS ClientKeyExchange, ChangeCipherSpec, Finished messages (1 packet). These can also be canned.

Note that I don t need to parse any SSL/TLS messages from the server, and I don t need to do any cryptography. I m just going to send the server junk anyway, so I can (for instance) send the same bogus ClientKeyExchange and Finished every time. The server can t find out that they are bogus until it s done the expensive part. So, roughly speaking, this attack consists of sending a bunch of canned packets in order to force the server to do one RSA decryption.

I have written a quick proof of concept of such a tool. To avoid any abuse, it will only work if the server supports NULL-MD5 cipher suite. No sane server in the wild will support such a cipher. You need to configure your web server to support it before using this tool. While Eric explains that there is no need to parse any SSL/TLS messages, I have found that if the key exchange message is sent before the server send the answer, the connection will be aborted. Therefore, I quickly parse the server s answer to check if I can continue. Eric also says a bogus key exchange message can be sent since the server will have to decrypt it before discovering it is bogus. I have choosen to build a valid key exchange message during the first handshake (using the certificate presented by the server) and replay it on subsequent handshakes because I think the server may dismiss the message before the computation is complete (for example, if the size does not match the size of the certificate). With such a tool and 2048bit RSA certificate, a server is using 100 times more processing power than the client. Unfortunately, this means that most solutions, except rate limiting, exposed on this page may just be ineffective.

---

1. However, since this rule relies on source IP to identify the attacker, the risk of false positive is real. You can slow down legitimate proxies, networks NATed behind a single IP, mobile users sharing an IP address or people behind a CGN.
2. Cipher suites supported by all browsers are RC4-MD5, RC4-SHA and 3DES-SHA. Support for DHE-DSS-AES256-SHA requires TLS 1.2 (not supported by any browser).
3. Eric is one of the author of several RFC related to TLS. He knows his stuff.

This weekend, the boys got what they ve been waiting for: another trip on Amtrak. For the last week or so, Jacob has had a morning ritual. He ll look at the calendar, figure out what today is, figure out when we ll get on the train, and then figure out how many days it will be. As the number gets lower, the excitement gets higher, of course. Friday morning, we woke the boys at 2:30AM to get to the train station. The only Amtrak trains through our area are middle of the night departures. Jacob is normally hard to wake up, but when I tell him that I m waking him up to go to the train station, he wakes up faster than I ve ever seen him before. It takes about 3 seconds for him to process that in his groggy state, and then he sits up straight, throws off the covers, and is instantly ready to go. Both boys were excited even in the station waiting room. Oliver has been on an Amtrak train before, but it s been awhile and he probably doesn t remember it. He constantly talked about it, jabbering as much as his vocabulary lets him. Once we were on the train, Terah and I would have liked to get some more sleep. The boys, on the other hand, were now wide awake, and didn t fall back asleep until about 5:30. That means Terah and I didn t, either. Here s what it usually looks like: When it came time for breakfast, we went to the dining car as usual. Jacob had already been telling us for days what he would eat for breakfast on the train: I always have French toast on the train, dad. And so he did. A few minutes later, I heard the waitress telling other people they were out of French toast, so I was glad I didn t have to disappoint Jacob over that! But it was Oliver that really came alive on this trip. I don t think I ve ever seen him so excited. It was almost constant. He happily talked about anything he could see or touch. But he also listened to other conversations, and would frequently pick out one word from a sentence and try to say it. He does that at home too, but not nearly so often as on the train. Both boys wanted to go exploring a lot my word for taking them for a walk in the train and seeing what they might find. We walked up and down the train several times, Jacob excited over opening the doors between the cars, and Oliver excited just to be there. Oliver s excitement kept him from sleeping well. He did eventually get a short nap, but that wasn t quite enough to avert a couple of tantrums later in the day. The reason for the trip was the 80th birthday party for Terah s grandpa. And it so happened that Oliver s 2nd birthday would be over the same time. So, Saturday morning, we all went for breakfast at Das Dutchman Essenhaus, one of the favorite local restaurants in northern Indiana. After that, it was over to a relative s place for some birthday festivities. The children got mini cakes to decorate as rail cars. There was frosting and all sorts of toppings. Great fun was had by all, and it was wise that this activity took place in a garage rather than indoors. Yes, that is a marshmallow stuck to Jacob s nose. Then in the evening, it was off to another relative s place for some more family time. Jacob had a great time all day, and was in high spirits. He asked me to sit by him at dinner, and started one of the longest conversations I ve had with him in some time. We just talked about the things that happened in the day, but it was nice when I told him, I like sitting by you, Jacob, and he said, Dad, me too! The big highlight for the day happened in the evening. We were gathered around a fire with a guitar to do some singing. Jacob was happily perched in his lawn chair, but got very excited when he saw some lightweight airplanes flying overhead. These kept flying at some distance, and he kept pointing them out to us. But that wasn t even the most exciting part. That came when the fireflies came out. Jacob ran around, catching them in his hands, and excitedly showing them to whatever person happened to be closest. He was laughing with joy for such a long time. At one point, someone asked him if the bugs were tickling his hands. He said, evidentally just realizing it, Oh yes, they ARE tickling my hands! He was one very happy boy. Sunday I had to leave to get back home, while Terah and the boys will return a couple of days later. Although I do sort of look forward to a train trip that I can relax without having to manage two young boys, I do miss them already and will be happy to have everyone back home in a few days. (This post written during the trip and posted a week later after arriving home)

For those who are interested in the world of compiz, new development snapshots have been trickling their way into experimental for the past week and are now available for widespread testing. They're being sent to experimental instead of straight to unstable for a few reasons:

• None of us really know how stable / problematic they will be, whether they will build on all arches, or have other RC bugs. So this lets us evaluate the situation and not commit ourselves if we think it's still premature to support them.
• Updating these packages is a major pain and very time consuming, due to how the authors choose to maintain/organize their software. This is really a rant for another day though. Short version is that packages have to be dealt with manually and in a serial manner, and this means they don't all arrive ready to go in one evening's worth of work.
• Since 0.8.x, the upstream authors have moved the locations of some of the repositories, and in some cases rebuilt the repositories from scratch in the process. That meant I had to spend lots of time learning about how to do a few arcane things in git.
• Some of the new packages are using git submodules, which by itself isn't necessarily bad. However, for maintaining debian packages out of git with submodules, this a fairly exotic concept and requires some changes to the typical packaging workflows as well as maybe needing to hack some support into commonly used packaging tools.

So, anyway, the packages are all uploaded now--give them a try!

One of the common complains about Debian packaging is that it s hard to learn because, while there is quite a lot of high-quality documentation, it is often written more as a reference manual than as a tutorial: it s great if you already know everything and want to check some detail, but not so great if you want to learn everything from scratch. I have been volunteered (i.e, someone decided I volunteered) for a Debian packaging tutorial at work, so I decided to give a try at tackling this issue. I also volunteered (voluntarily this time) for a similar talk at RMLL 2011 to make sure I would be forced to do the work and prepare the actual tutorial. I m also considering teaching this next year in Licence Pro ASRALL, but I haven t made up my mind about it yet. The result is a work in progress (hey, I still have a lot of time), but in the release-early-release-often tradition, I m making it public now in the hope that someone will pick up the idea and do all the work for me (you never know). I ve decided to create a set of slides using Latex Beamer. The current version can be found here. The sources are available in a git repository, and all contributions are welcomed (including plain comments or suggestions). The last slide is the current TODO list.

Friday, I wrote about the train trip Jacob and I were planning to take. Here s the story about it. Friday night, Jacob was super excited. He was running around the house, talking about trains. I had him pack his own backpack with toys this time, which were you guessed it trains. Plus train track. His usual bedtime is around 7. He was still awake in his room at about 11, too excited to sleep. The train was an hour late into Newton, so got up, got ready, and then went into Jacob s room at 3:15AM. I put my arm around him and said his name softly. No response. I said, just a little louder, Jacob, it s time to wake up to go to the train station. There was about a 2-second pause and then he sat bolt upright rubbing his eyes. A couple seconds later, in a very tired but clear voice, OK dad, let s go! That is, I believe, a record for waking up speed for Jacob. We went downstairs, got coats, mittens, hats, etc. on, made sure we had the stuffed butterfly he always sleeps with, and went out the door. As usual, Jacob chattered happily during the entire 15-minute drive to the Amtrak station. One of these days I need to remember to record it because it s unique. He described things to me ranging from the difference between freight and passenger trains, to what the dining car is all about, to tractors and how to ride them safely. Newton has some winter lights , and a few places still had Christmas lights, which were of course big hits. We had to wait a few minutes at the Amtrak station, and Jacob hadn t shown any signs of slowing down yet. He wanted to look at every Amtrak poster, picture, logo, or sign in the building. This generally meant me holding him up high while he leaned over to touch it and make out a few words. Then, of course, he would pick out minute details about the trains, such as how many coach cars he thought they had, and we d visit about that for awhile. We got on at about 4:20. We found our seats, and Jacob showed no signs of calming down, despite having had only 4 hours of sleep (instead of his usual 11) so far. We checked out the buttons for lights. And, of course, he excitedly yelled out, Dad, the train is moving! He spent the next while mostly watching out his window, but also still exploring his space. Finally at about 5, I said, Jacob, I am really tired. I am going to sleep now. Will you sleep too? His response: Oh sure dad, I will sleep with my eyes open! As a result, no sleep was had for Jacob, and only a little for me. The dining car opens for breakfast at 6:30, which is normally a rather foreign time for breakfast on the train for us. But we were both awake so I figured might as well go. So Jacob and I went to the dining car. We sat with a woman going from New Mexico to Lawrence for her grandpa s funeral, though it was expected and she was having a good time on the train. Jacob turned completely shy, and refused to say a word, except maybe a few whispered into my ear. He got his favorite railroad French toast, and had me drizzle some syrup on it. I used the word drizzle for syrup the first time he had French toast on the train, and if I fail to use that word in the dining car, I will hear about it in no uncertain terms from Jacob. He loved his dining car breakfast, but we spent about an hour and a half there. He was really slow at eating because his face was pressed up against the window so much. But that was just fine; we had nowhere else to be, the person eating breakfast with us enjoyed visiting (and, apparently, scaring the dining car staff with tales of bears in the New Mexico mountains). This was what the train trip was all about, after all. We played in the lounge car for awhile. The almost floor-to-ceiling wrap-around windows provided a great view for him, and more opportunities to press his face against a window. We talked about freight trains that he saw, noticed the snow on some of them. Then we found the back of the train and he got to look out the back window. Back at our seat, he played with his toys for about 10 minutes, which was all he used them on the entire trip. There was just too much else to enjoy. When we used the restroom on the train, he d comment on how much he liked the Amtrak soap. It smells SO very very good! He wanted to wash his hands on the train. By late morning, he had decided: Dad, I LOVE this Amtrak soap. It smells like peaches! Shall your hands smell like peaches too? And, when we d get back up to our seats, he d put his hands in my face, saying, Dad, smell that! My hands smell like peaches! It was from the AMTRAK SOAP! At some point, he discovered the airline-style safety brochures in the seat back pockets. These were filled with diagrams of the train car, a few photos, and lots of icons with descriptions. I don t know how many times I read the thing to him, or really how many times he then recited it to me from memory. It was a lot. He spent hours with those brochures. Jacob had already told me that he wanted pizza for lunch, so I got him the kid-sized pizza. It wasn t all that big, and he could have devoured at least half of it when hungry. But he was getting really tired and ate only a few bites of pizza and a few chips. Pretty soon he was leaning up against me, the window, and eventually had his head on the table in some tomato sauce. But he didn t quite fall asleep by the time we went back to our seats, and of course was wide awake by that point. Jacob loves spotting the word Amtrak on things. It was very exciting when he noticed his orange juice at breakfast, and milk at lunch, were Amtrak juice and Amtrak milk due to the logo on the cups. At dinner he noticed we had Amtrak plates, and when I pointed out that his metal fork had the Amtrak logo on it, he got very excited and had to check every piece of silverware within reach. Dad, I have an Amtrak fork too! . And dad, YOU also have an Amtrak fork! We ALL have Amtrak forks! *cackling laughter* I finally insisted that Jacob lay down for some quiet time. I closed the curtains, and he finally did fall asleep less than an hour before our arrival into Galesburg. So by 2:15 he was up to 4.75 hours of sleep, I guess. We stopped in the train station briefly, then started our walk to the Discovery Depot Children s Museum, which was right nearby. Although I made no comment about it, Jacob said, Dad, there is a train museum RIGHT HERE! Yes, you re right Jacob. I can see a steam engine and some cars here. Let s go in! I don t think it s open today. It IS open shall we go check? It wasn t, and that was mighty sad though when he spotted another old caboose sitting outside the children s museum, the day suddenly seemed brighter. He complained of how cold he was, although my suggestion that he stop walking through the big piles of snowdrifts was met with a whiny, But dad, I WANT to do that! We went inside the museum (having to walk right buy the locked caboose thankfully the people at the desk promised to unlock it for us when we were ready) and Jacob started to explore. There was some wooden play trains big enough for children to climb in which he enjoyed, but in general he went from one thing to the next every minute or two as he does when he s really tired or overstimulated. Until, that is, he discovered the giant toy train table. It had a multi-level wooden track setup, and many toy trains with magnetic hitches. It was like what we have at home, only much bigger and fancier. He spent a LONG time with that. We then briefly explored the rest of the museum and went out into the caboose. It wasn t the hit it might have been, possibly because there are several at the Great Plains Transportation Museum that he gets to go in on a somewhat regular basis. After that, he was ready to go back into the museum, but I was feeling rather over-stimulated. On a day when the highs were still well below freezing, it seemed just about every family in Galesburg was crowded into the children s museum, making it loud and crowded which I don t enjoy at all. So I suggested maybe it was snack time instead. A moment s thought, then he started to pull me out of the caboose before I could get my gloves back on Yes dad, I think it IS snack time. Let s go. Let s go NOW! We walked over to Uncle Billy s Bakery (Google link or minimal website). Jacob spotted some sugar cookies shaped like mittens. Despite my reluctance to get him more sugar, he was so excited plus I had barely prevented a meltdown at lunch by promising him that he would get dessert later in the day so he picked two red mitten cookies. I got myself a wonderful peach muffin and a croissant and we sat down at one of the tables by the window. I taught Jacob how to hang his coat on his chair and he lit into those cookies. I spotted a guy at the next table over wearing a BNSF jacket, and asked him if he worked for the railroad. He had retired as an engineer a couple of years ago, and had worked various jobs before that. He grew up in Manhattan, KS and so was interested in our trip and very friendly. While we visited, Jacob devoured his cookies and increasing portions of my snack as well. He told us about a new shop The Stray Cat just two stores down that was having a grand opening event today. They make decorations and art out of basically discarded items, and had some really nifty things that I may have bought had I not been wanting for space in our backpack. Then I spotted Sweets Old-Fashioned Ice Cream, Candy, and Soda Shop across the road. I figured he d love it and I was already in for the sugar so might as well. He picked out some birthday cake flavor ice cream for himself. I got huckleberry ice cream, which he insisted on calling purpleberry and managed to get some tastes of as well. After that, we went to the train station. It was about an hour until our train would be there. I wasn t sure if we d find enough to do, but I shouldn t have worried. Earlier, we had made the happy discovery that the station s restroom featured the Amtrak soap, so there was that. Then there was the model Amtrak train in the ticket window, which Jacob kept wanting to look at while I d hold him. And also, the California Zephyr came in. We watched it arrive from the station window, saw people get off and on, and saw it leave maybe the first time Jacob has witnessed all that in person. And, of course, we looked at the pictures in that train station. The ticketmaster gave Jacob a paper conductor s hat with puzzles and mazes on the back side. And then it was time to get onto our train back home. We ate dinner Jacob again ate little and almost fell asleep and got back to our seats. I let Jacob stay awake until about 8, when he was starting to get a bit fragile. It took him awhile to fall asleep, but he finally did at about 8:30. Today he s still been all excited. He will randomly tell us about bits of the trip, that the man at supper called his grilled cheese sandwich piece little when it was really big, what we did at the ice cream store, etc. And I do think that he is now a train safety expert. All in all, I think that is probably the most excitement he s ever had in 24 hours and it was a lot of fun to be with him for it!

Two weeks ago, nekohayo posted a blog entry on Recipe Manager, a (you guessed it) cooking recipe manager for GNOME. Looking good, I fetched the bzr tree from Launchpad and played a bit with it, and soon discovered it had no internationalisation support. I've tried to add i18n properly, but I've not had enough time to do it. Before tackling that, the authors need to give it some bootstrapping love so the app can actually install, look for its files in /usr/share, etc. My fugly, unpostable current patch does allow for a preview of how Recipe Manager will teach the world about the best rice dish ever, arr s a banda. Yum!

Recipe Manager, showing off the zenith of Valencian culture

Recently, Google started changing the web in some interesting ways. A lot by contributing code. It started with projects such as the Chrome web browser, which quickly achieved a market shares over 10%, which is more than Apple Safari and Opera together.And the good side, Chrome did not actually add "yet another incompatible platform", but by being closely related to Safari (or more precisely WebKit), it is not that different.Other stuff that belongs into this category is the Google Web Toolkit and the closure compiler (which essentially is a JavaScript code checker and optimizer).But recently, Google goes a step further. They started tackling internet file formats. First they proposed a new Video codec known as WebM or VP8. Now they extracted an image format out of this codec, known as WebP.There is some serious doubt on the quality, the images do appear to be a bit blurry and lose details. I concur with JPEG even being a bit better, despite the block artefacts. The blurry results of WebP are not really convincing.The h.264 based image looks best to me, but H.264 is patent-encumbered for all I know, so we might not see this new format in wide use until 2028. This already ruled out other image formats such as JBIG or FIF. Or look at audio formats: we're still using MP3 everywhere, because everyone tries to push another patent-encumbered audio format that the others are not going to adopt. So MP3 remains the only thing widely accepted (Ogg Vorbis is nice, but it looks as if companies such as Apple are not going to adopt it, probably because they have interest in other formats. Maybe the Ogg Vorbis support in Chrome will help here on the long run).In particular, why would you pay royalties for a tiny bit of image quality, given the constantly sinking prices of bandwidth? The H.264 patents may make a difference on video data, they probably won't pay of for still images.Given that WebM is sometimes claimed to be a simplified H.264 (minus the patent issues?), WebP probably is as good as we can get to the H.264 based quality without running into the same patent issues?But enough on the image data. There is one thing, I'd really like to see Google change on the web. The worst thing about the web is called JavaScript (or more accurately, ECMAScript). There is just so much wrong with this language that we really need to replace it ASAP.Some things that are wrong with JavaScript:

• The syntax is about as crazy as Perl, anything could be valid code.
• There a lot of syntax quirks and oddities. Try to test for a variable storing an Array ...
• It lacks any reasonable Standard Library - which is a key strength of modern languages such as Java, Python, C# - and which is why everbody is using one of the thousand JavaScript frameworks such as Dojo, Mojikit, Google Closure Library, Prototype, jQuery, MooTools, Yahoo UI Library, ...
• Due to the lack of standard functionality, the JavaScript development cost is a lot higher than needed, development time is bad for the triviality of most JavaScript tasks, and the file size is even worse than JPEG vs. WebP ...

So my biggest wishlist item of Google to contribute to the Web via Chrome and Firefox is a new web scripting language. As much as I love python, the whitespace syntax of Python doesn't work for the web (we need to be able to store complex statements in HTML attributes without newlines), so we'll have to look for something else. Maybe Ruby will work?

There are corners of the Internest where foolish people congregate, and invent stories. These foolish stories are then read as gospel by trusting people, and reposted, until the original made-up source is concealed from view. As an attempt to stem this flow of disinformation, here are some commonly held but incorrect beliefs about the Mono framework, and an explanation of the reality of the situation, as far as I understand it. The next Mono version is co-developed with Microsoft There is a grain of truth behind this one, but it s a gross mischaracterisation. Mono 2.8, when it ships, will bundle, for convenience, a number of Free Software libraries, which are released by Microsoft under a license considered Free Software by the Free Software Foundation, the Ms-PL. These are:

• System.Web.Mvc and System.Web.Mvc2: ASP.NET MVC, a library for writing ASP.NET web pages with a model-view-controller design, similar to Rails for Ruby. This is not news System.Web.Mvc has been bundled in Mono since Mono 2.4.2 (June 25th 2009). System.Web.Mvc2 has been bundled in Mono since Mono 2.6.7 (July 14th 2010).
• System.Numerics: Mono re-uses Microsoft s implementation of BigInteger.cs from the Dynamic Language Runtime (see below). This is indeed new to Mono 2.8, as it is part of .NET 4.0 (Mono 2.8 targets .NET 4.0 compatibility by default).
• System.Data.Services.Client: The OData SDK client library. This is indeed new to Mono 2.8.
• System.ComponentModel.Composition: The Managed Extensibility Framework, a library for writing and using plugins. This is similar in scope to the existing Mono.Addins project. This is indeed new to Mono 2.8, although it was added to Mono Trunk in 2009.
• System.Web.Extensions: Microsoft Ajax, a library for using Ajax inside ASP.NET projects. This is not news MicrosoftAjaxLibrary has been bundled in Mono since Mono 1.2.6 (11th December 2007).
• Microsoft.Scripting.Core and Microsoft.Dynamic: The Dynamic Language Runtime is a framework permitting implementation of dynamic languages (such as Python or Ruby) on top of the core .NET runtime. It is used for IronPython and IronRuby, amongst others. The DLR has very recently changed license from Ms-PL to Apache 2.0, but the version bundled in Mono is still under the older license. This is not news the DLR has been bundled in Mono since Mono 2.6 (14th December 2009).

So, to summarise, there are five Free Software libraries written by Microsoft under the Ms-PL included in Mono 2.8 but only two of those five are new, and none of them were co-developed in any meaningful sense. Mono development is dead There have been reports that Mono development has ended, on the basis that no commits have been made to Novell s Subversion server for a few weeks. However, these reports miss one minor detail Mono has moved to Github.com. There were 35 commits from 9 different people to the main mono.git repository (of dozens of repositories under the main Mono project) in the last 2 days, at time of writing far from dead. Mono lacks features found in Microsoft.NET Mono lacks libraries found in Microsoft.NET, such as the Windows Presentation Framework GUI toolkit. In terms of features, i.e. things implemented at a compiler or runtime level, Mono is typically more advanced. This is helped in no small part by Mono s Free Software development model, allowing experimentation and what if changes to the core runtime which a sluggish corporate behemoth like Microsoft cannot accommodate. To give three real-world examples, Mono allows embedding of its compiler as a service, and provides a REPL shell this is a planned feature for .NET 5.0, but has been available for years in Mono; Mono.Simd provides a number of data structures which will run on any version of Mono or Microsoft.NET, but will use optimized CPU extensions like SSE when run on a sufficiently new version of Mono, on an appropriate architecture as far as I m aware, there is nothing like this available or planned for Microsoft.NET. Mono is able to produce fully compiled, static executables which do not need to JIT anything at runtime this is used for iPhone compilation, for example, where JITters are not permitted. There is no comparable feature in Microsoft.NET. Clearly, Microsoft.NET can only be thought of as more featureful if one defines features in terms of does it have lots of libraries? in terms of functionality, Mono is ahead. Mono can sneak onto your system without your knowledge If you don t have the mono-runtime package installed, you can t run Mono apps. It is possible to install some Mono apps alongside the awful-yet-popular mononono equivs package, since the popular equivs script fails to place Conflicts on the correct packages (F-Spot will be blocked, Tomboy will not). No package in Debian or Ubuntu embeds its own copy of the Mono runtime, and we have no plans to make any changes to packaging which would allow execution of any C# application without mono-runtime installed. If one is using a different OS, then things may be different e.g. The Sims 3 for Mac & PC uses embedded Mono, which you wouldn t know about without looking. Canonical are pursuing a pro-Mono agenda, and are responsible for it being pushed in Debian Mono development has been happening in Debian for longer than Canonical has existed the first upload was made in April 2002. Ubuntu is made primarily from software already available in Debian deemed of sufficient quality, and when F-Spot and Tomboy became parts of the default Ubuntu desktop system in 2006, both pieces of software were already available in Debian and deemed of sufficient quality. Nobody working on Mono in Debian is paid by Canonical actually, that s not entirely true, three packages related to accessibility are officially maintained by someone who was hired by Canonical after doing the initial packaging work when he worked for Novell. But the Mono runtime itself, Canonical have no influence over its direction in Debian. As for a pro-Mono agenda , they ve always taken an extremely pragmatic approach to language choice, never showing any real preference for one language or another when it comes to app selection. They don t exhibit any overt anti-Mono policies, which is not the same thing. The names of people contributing to Mono in Debian are not secret check the pkg-mono team page on Alioth. The System.Windows.Forms namespace is protected by Microsoft patents The truth is, nobody knows for sure if SWF, or any other part of Mono, or any other framework such as Vala or Python, is covered by Microsoft patents. The way the US patent system is contrived, it is actively dangerous to check whether something contains any patents when you write it, as you are liable for triple damages should it later emerge that there WAS a patent, even if your searching missed the fact. You cannot patent an API or namespace only a specific implementation of a software concept, in those countries where software patents are permitted. There has never been any evidence shown that Mono s implementation of SWF, or indeed any part of Mono, infringes any Microsoft-held patents, because if that were the case, then the code would be rewritten to avoid the issue much like the approach taken by Linux kernel developers when a patent becomes apparent. The belief within the Mono community is that the core parts of Mono as defined in ECMA334/335 are safe (they are covered by the Microsoft Community Promise patent grant); any of the Ms-PL libraries mentioned above is definitely safe (Ms-PL includes an explicit patent grant); and the rest of the package is likely safe too (on the basis that it is a named component of the Open Innovation Network s list of protected software and on the basis that there s unlikely to be anything patentable in one of many implementations of basic ideas like database connectors). Nobody knows for sure, because that s how the system works. But, again, nobody knows for sure that Microsoft patents don t apply to other frameworks such as Python there is simply a belief and an assumption that they do not. MonoDevelop contributors removed GPL code from MonoDevelop, in an attack on the GPL This is somewhat disingenuous, given MonoDevelop is LGPL. The MonoDevelop team excised the remaining GPL code (and there wasn t much of it) in order to grant greater Freedom to developers. Previously, the entire MonoDevelop IDE was a GPL combination, meaning any add-ins for the IDE also needed to be GPL, regardless of developer choice. Now, any developer can write an add-in for MonoDevelop, using the license of their choice, whether another Free license like the Mozilla Public License, or a proprietary closed-source add-in. They are still welcome to produce GPL add-ins, if they want to, as well. Mono won t run random Microsoft.NET apps anyway, so isn t really cross-platform Actually, this one is often true. When developers write apps for Windows primarily, they rarely take the time to think is this the correct way to do it? and will often plough on with an assumption about the Windows way of doing things. It might be simple things like filesystem assumptions (assuming a case-insensitive filesystem, or assuming a backslash is used to separate directories, not a forward slash). It might be more involved, such as using P/Invokes into Windows-specific C libraries, when a more cross-platform alternative is possible. So, often, random applications for Microsoft.NET won t run on Mono. The reverse is also true F-Spot or GNOME Do are fairly heavily tied to Linux (or to UNIX-like OSes with X11, at any rate), through the libraries they invoke being fairly platform-specific. You can write platform-specific Java, with one quick piece of JNI, too. It should be noted, however, that Mono makes the chance of .NET applications being ported to Linux (and/or Mac) much more likely, since even in the worst case scenario, a company only needs to fix a portion of their source to make it cross-platform. The Mono team have a tool called MoMA, which will scan an application and its libraries, and give you detailed reports on the app s portability. This info is used at both ends by app vendors who want to become more portable, and by the Mono team who want to fill in the most frequently encountered blanks. And, it should be stressed, writing cross-platform apps is entirely possible if one desires it e.g. the IRC client Smuxi is pure cross-platform C#, and the executables compiled on Mono on Linux will run fine on Microsoft.NET on Windows. Portability in this direction is important too consider how many people have been introduced to Free Software thanks to availability of Free apps on Windows like OpenOffice.org, Firefox, Pidgin or GIMP. You can download Tomboy for Windows, and work is ongoing on fixing Banshee portability issues (which are mostly caused by gStreamer). Mono on Android is a terrible idea which will be super slow There are two efforts to enable developers to write Android applications with Mono a paid proprietary product from Novell called MonoDroid, and an untitled porting effort by big-name Android hacker Koushik Dutta. I have no insight into MonoDroid since it hasn t been released yet, but Koush did some benchmarks of his work which exhibited some remarkable figures compared to Dalvik (and even compared to Sun Java for ARM). Those numbers haven t been updated to reflect the Froyo Dalvik JITter, but Mono on Android is still very exciting from a performance perspective. Mono isn t really Free Software The source code is all available under Free Software licenses. So, um, yes it is. We don t need Mono because we have $LANG By the same logic, we don t need $LANG because we have Mono. By all means, use the language of your choice other developers will use the language of their choice too. If you want to use Vala or Python or Java, then by all means, go ahead. It doesn t mean there s no room for more languages, better suited to other usage patterns. Haskell is great for some types of development, so is Fortran, and so is C#. You might not need Mono because of $LANG, but there are others in the world with different needs. Mono apps are all slow, and crash your computer, and stuff No userland app can crash your Linux system, unless there s a bug in the kernel, or you have some severe problems with your hardware. If you ve ever observed a crash as a result of running a Mono app, then it s really coincidence that Mono is tickling whichever part of your system is busted. As for slow startup time may well be slower than for apps written in C or Vala. There s a delay due to the JITter needing to compile all the libraries used by the application (we may AOT the most common libraries in a future Mono package version, at upstream s recommendation). Once an app is running, it should be fast compared to a Python app, and memory-light compared to a Java app. The new garbage collector in Mono 2.8 should also offer significant improvements to performance, especially under heavy workloads. Ubuntu s default GTK+ themes require Mono This is my favourite recent nonsense to emerge from the Internest. There are reports mostly restricted to IRC and blog comments, that (paraphrasing here) removing Mono removes the Ubuntu themes . Here s the reality: in Ubuntu 10.04, a new visual style was implemented throughout the distro. As part of this, small icons (e.g. notification area icons) were set to be black-and-white by default, and colourised when attention is needed (e.g. the power-off icon turns red when a reboot is needed, the messaging indicator turns green when there s a new message). All of these new monochrome icons are in a package named ubuntu-mono . Removing the ubuntu-mono icon package will also remove the new Ubuntu GTK+ themes, in the light-themes package. So there s your explanation: the themes have a dependence on some monochrome icons, not on the Mono framework.

In a great post a few days ago, Jono asks why you are doing free software and reminds us to remember it. It s quite easy to lose sight of our goals and motivations while working on the day-to-day tasks. This reminds me of an interesting point made in the course I m currently studying on Applying Our Co-operative Values and Principles. As well as our shared values and principles, each co-op should have a statement of its goals. For our co-op, that s to provide computer-related services . For the Co-operative Group, it s currently inspiring young people; tackling global poverty; and combatting climate change it s a big co-op, so it has big goals. But while goals are a shared commitment, your motivation for them is often a personal thing. Often it will be rooted in a negative, a dissatisfaction about how the world was before you started, then making that into an excitement about what you could do, the new possibilities that are opened up. I think you can see this a little in Jono s motivation of how excited they were at exploring their new system and many of the comments there. They re positives and often the silver lining around some cloud. So, please, head over to Jono s page and share your motivations. Then pop back to my site and tell me your goals (or how I ve misinterpreted this ) in a comment.