Drivel 2.0.4 ("Alive again")
============================

* Improvements:
- Add current patches from Debian and Ubuntu
- Add patches from bugzilla that have accumulated since 2.0.3
- New member of upstream team: Neil Williams
- Add tag support for LiveJournal. Closes #307967

* Translation updates:
- Added Italian translation (Vincenzo Campanella)
- Updated Germann translation (Mario Bl ttermann)
- Updated Portuguese translation. (Am rico Monteiro)
- Updated Canadian English translation. (Adam Weinberger)
- Updated Nepali translation. (Basanta shrestha)
- Updated Portuguese translation. (Miguel Figueiredo)
- Updated Russian translation. (Yuri Kozlov)

Drivel 2.0.4-1 has also arrived in Debian unstable - Ubuntu will update in due course but there's an Ubuntu release to get out before then (I assume).

http://incoming.debian.org/drivel_2.0.4-1_amd64.changes

Description:
drivel - Blogging client for the GNOME desktop
Closes: 465805 521452 521903 522335 522661 523425
Changes:
drivel (2.0.4-1) unstable; urgency=low
.
* New upstream release.
* [INTL:ru] Russian program translation update (Closes: #521452)
* [INTL:pt] Updated Portuguese translation (Closes: #521903)
* Update Standards Version (no changes)
* Drop previous patches and dpatch support, patches implemented
upstream.
* Switch to libcurl4-gnutls-dev instead of libcurl4-openssl-dev
to avoid linked against OpenSSL (Closes: #522335)
* Add LiveJournal tags support (Closes: #465805)
* [INTL:ru] Russian program translation update - added string
(Closes: #522661)
* [INTL:it] New Italian translation (Closes: #523425)
* Add gnome-doc-utils to build-depends

So I have been getting used to madduck's workflow for topgit and debian packaging, and one thing that bugged me a bit was all the steps required to to build. I tend to build quite a lot when debugging, so I wrote up a quick and dirty script to

• export a copy of the master branch somewhere
• export the patches from topgit
• invoke debuild

I don't claim this is anywhere ready production quality, but maybe it helps someone. Assumptions (that I remember)

• you use the workflow above
• you use pristine tar for your original tarballs
• you invoke the script (I call it tg-debuild) from somewhere in your work tree

Here is the actual script:

#!/bin/sh
set -x
if [ x$1 = x-k ]; then
    keep=1
else
    keep=0
fi
WORKROOT=/tmp
WORKDIR= mktemp -d $WORKROOT/tg-debuild-XXXX 
# yes, this could be nicer
SOURCEPKG= dpkg-parsechangelog   grep ^Source:   sed 's/^Source:\s*//' 
UPSTREAM= dpkg-parsechangelog   grep ^Version:   sed -e 's/^Version:\s*//' -e s/-[^-]*// 
ORIG=$WORKDIR/$ SOURCEPKG _$ UPSTREAM .orig.tar.gz
pristine-tar checkout $ORIG
WORKTREE=$WORKDIR/$SOURCEPKG-$UPSTREAM
CDUP= git rev-parse --show-cdup 
GDPATH=$PWD/$CDUP/.git
DEST=$PWD/$CDUP/../build-area
git archive --prefix=$WORKTREE/ --format=tar master   tar xfP -
GIT_DIR=$GDPATH make -C $WORKTREE -f debian/rules tg-export
cd $WORKTREE && GIT_DIR=$GDPATH debuild 
if [ $?==0 -a -d $DEST ]; then
    cp $WORKDIR/*.deb $WORKDIR/*.dsc $WORKDIR/*.diff.gz $WORKDIR/*.changes $DEST
fi
if [ $keep = 0 ]; then
    rm -fr $WORKDIR
fi

Packages uploaded in Debconf. I've uploaded qemubuilder new version which supports armel architecture. And I updated dpatch with some necessary patches.

I got a new package to start from scratch (amule-emc, ITP) so I wanted to try debhelper 7. In need of patching upstream source code, I used my old friend dpatch, but then started to have some problems putting things together; so, here below is the minimal debian/rules to use dh7+dpatch:

#!/usr/bin/make -f
include /usr/share/dpatch/dpatch.make

build: build-stamp
build-stamp: patch-stamp
      dh build
      touch $@

clean:
      dh clean

%:
      dh $@

Thanks to jcristau and noshadow from #debian-devel@OFTC for opening my eyes ;)Edited: thanks to Joey's comment, I was able to reduce it again down to:

#!/usr/bin/make -f

include /usr/share/dpatch/dpatch.make

build: patch-stamp
       dh build

clean: unpatch
       dh clean

%:
       dh $@

( I love acronyms :-D )

At this point, all of you should know and see how the H D Moore s toys work. Those toys attack SSH public-key authentication using clone keys and online brute force.

Furthermore, many of you know that there are other effects produced by a biased PRNG besides this one.

Strangely, I could not find more of those toys exploiting these aspects. So, I would like to show you a Wireshark patch which attacks Perfect Forward Secrecy (PFS) provided by Ephemeral Diffie Hellman (EDH).
Introduction to EDHLet s put it in plain words (if you know what we are talking about, ignore this and jump to the next heading):
In an insecure communications channel the parties agree a common key to cipher their dialog. This is what happens in SSL (in most of the cases, depending on the cipher suite):

• The server selects a random prime p and a generator g of the field Z*_p (Let s ignore the mathematical properties of these values). So, the components p and g are public.
  
• The server picks a secret random number X_s and calculates Y_s=g^X_s mod p. Y_s is public and is sent to the client (just like p and g).
  
• The client does something similar, selecting a secret random number X_c and calculating Y_c=g^X_c mod p too. The client makes Y_c public by sending it to the server.
  
• The shared secret s is the public key of the other part to the exponential of the own private number, all in p modulus. That is, for the client s=Y_s^X_cmod p and for the server s=Y_c^X_smod p.
  
• With this shared secret the parties can encrypt all the following messages in a secure way.
  
• In the Ephemeral Diffie Hellman (EDH), the private numbers are ruled out, so s is mathematically secure and nobody can obtain it even having access to one of the parties after the aforementioned handshake.
  

The exploit If an eavesdropper can explore the complete private key space (the all possible numbers for X_c or X_s), he/she will be able to get access to the shared secret. With it all the communication can be deciphered. That s what this patch can do.

A Wireshark with this patch and a list of possible private keys will try to brute force the share secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.

• The patch for Wireshark 1.0.2 can be downloaded from here.
  
• Debian packages with the patch applied can be found here.
  
• This is a list of all 2¹⁵ possible 64 and 128 bit DH private keys in systems vulnerable to the predictable OpenSSL PRNG described by DSA-1571.
  
• An example of a pcap file can be found here (it was built with a vulnerable client and one of the Moore toys, a hacked getpid by running $ MAGICPID=101 LD_PRELOAD= getpid.so ./vulnerable-openssl/apps/openssl s_client -connect db.debian.org:443 )

The patch was submitted in order to be committed on the Wireshark trunk. There you can find the patch against the on-develop source revision 25765.
Issues that can be improvedWe (the other developers and myself) detected few things to be improved. But we will do nothing for them. So, if you want to contribute with some code, start from these items and submit the patches to the Wireshark s bugzilla:

• When the packets are out-of-order the decipher with stop itself.
  
• The brute force attack should run in a background process (and with a progress bar)
  
• Check the length of the keys before trying to brute force them.
  
• The patch also implements the display of public DH parameters in the packet tree. It s incomplete.

CreditsPaolo Abeni <paolo.abeni at email.it>
Luciano Bello <luciano at debian.org>
Maximiliano Bertacchini <mbertacchini at citefa.gov.ar>

This work was partially supported by Si6 Labs at CITEFA, Argentina.

UPDATE Jul. 21st: See more and updated info here, especially this.

( I love acronyms :-D )

At this point, all of you should know and see how the H D Moore s toys work. Those toys attack SSH public-key authentication using clone keys and online brute force.

Furthermore, many of you know that there are other effects produced by a biased PRNG besides this one.

Strangely, I could not find more of those toys exploiting these aspects. So, I would like to show you a Wireshark patch which attacks Perfect Forward Secrecy (PFS) provided by Ephemeral Diffie Hellman (EDH).
Introduction to EDHLet s put it in plain words (if you know what we are talking about, ignore this and jump to the next tittle):
In an insecure communications channel the parties agree a common key to cipher their dialog. This is what happens in SSL (in most of the cases, depending on the cipher suite):

• The server selects a random prime p and a generator g of the field Z*_p (Let s ignore the mathematical properties of these values). So, the components p and g are public.
  
• The server picks a secret random number X_s and calculates Y_s=g^X_s mod p. Y_s is public and is sent to the client (just like p and g).
  
• The client does something similar, selecting a secret random number X_c and calculating Y_c=g^X_c mod p too. The clients makes Y_c public by sending it to the server.
  
• The share secret s is the public key of the other part to the exponential of the own private number, all in p modulus. That is, for the client s=Y_s^X_cmod p and for the server s=Y_c^X_smod p.
  
• With this share secret the parties can encrypt all the following messages in a secure way.
  
• In the Ephemeral Diffie Hellman (EDH), the private numbers are ruled out, so s is mathematicaly secure and nobody can obtain it even having access to one of the parties after the aforementioned handshake.
  

The exploit If an eavesdropper can explore the complete private key space (the all possible numbers for X_c or X_s), he/she will be able to get access to the share secret. With it all the communication can be deciphered. That s what this patch can do.

A Wireshark with this patch and a list of possible private keys will try to brute force the share secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.

• The patch can be downloaded from here.
  
• Debian packages with the patch applied can be found here.
  
• This is a list of all 2¹⁵ possible 64 and 128 bit DH private keys in systems vulnerable to the predictable OpenSSL PRNG described by DSA-1571.
  
• An example of a pcap file can be found here (it was built with a vulnerable client and one of the Moore toys, a hacked getpid by running $ MAGICPID=101 LD_PRELOAD= getpid.so ./vulnerable-openssl/apps/openssl s_client -connect db.debian.org:443 )

The patch was submitted in order to be committed on the Wireshark trunk. There you can find the patch against the on-develop source revision 25765.
Issues that can be improvedWe (the other developers and myself) detected few things to be improved. But we will do nothing for them. So, If you want to contribute with some code, start from these items and submit the patches to the Wireshark s bugzilla:

• When the packets are out-of-order the decypher with stop itselft.
  
• The brute force attack should run in a background process (and with a progression bar)
  
• Check the length of the keys before trying to brute force them.
  
• The patch also implements the display of public DH parameters in the packet tree. It s incomplete.

CreditsPaolo Abeni <paolo.abeni at email.it>
Luciano Bello <luciano at debian.org>
Maximiliano Bertacchini <mbertacchini at citefa.gov.ar>

This work was partially supported by Si6 Labs at CITEFA, Argentina.

The OpenSSL fiasco has started a fresh discussion on Debian source packages and the way we handle changes to upstream software. One of the issues under discussion is that some Debian packages don't use a patch system and ship all their modifications unseparated in the Debian .diff.gz, which makes it harder or impossible to extract patches later on and to understand why some changes were made. The commonly recommended way of doing things is instead to keep the upstream source pristine, storing modifications cleanly separated and documented under debian/patches; several tools such as quilt or dpatch can make this process easy.

Out of curiosity, I did a quick scan of my local mirror to see how many packages ship changes outside debian/ in their .diff.gz, and I was surprised to see that 4803 source packages out of 11853 (40%) do so! This is much more than I expected. Some packages even use a patch system but still have changes in .diff.gz, as shown by this lintian check.

The most commonly patched files in affected packages are:

   1006 config.sub
   1002 config.guess
    823 Makefile
    754 configure
    715 Makefile.in
    484 aclocal.m4

Most of these are caused by autotools updates which are necessary if upstream ships old versions of these files. In many cases there are clean ways to deal with this, for example to always have up-to-date versions of config. guess,sub you can simply make them re-exec their authoritative versions (as shown by this patch) and build-depend on autotools-dev.

If you don't use a patch system, now is a good time to start. The New Maintainers' guide has more information on the topic.

Ubuntu’s audio team has patched my code using a “new approach” to make audacious use Pulse by default! Great right Well, not really, because the way they do it is wrong and won’t work and is prone to breakage with future releases. Here’s the patch:

@DPATCH@
diff -urNad audacious-1.5.0~/src/audacious/main.c audacious-1.5.0/src/audacious/main.c
--- audacious-1.5.0~/src/audacious/main.c       2008-03-13 17:19:27.000000000 -0500
+++ audacious-1.5.0/src/audacious/main.c        2008-03-14 12:38:13.000000000 -0500
@@ -174,7 +174,7 @@
 0.0, 0.0, 0.0, 0.0, 0.0,             /* equalizer bands */
0.0, 0.0, 0.0, 0.0, 0.0 ,
1.2,                        /* GUI scale factor, hardcoded for testing purposes --majeru */
"/usr/share/audacious/Skins/Classic1.3",                       /* skin */
-    NULL,                       /* output plugin */
+    "/usr/lib/audacious/Output/pulse_audio.so (#0)",                       /* output plugin */
NULL,                       /* file selector path */
NULL,                       /* playlist path */

As you can see, this patch is wrong. Why? Because:

• It uses an absolute path, and an absolute plugin UUID.
• The value will probably be ignored on first run for most people anyway, resulting in it using ALSA.
• Obviously we can’t support this change upstream, where all of the Ubuntu users come to ask everything anyway.

I like that, as usual, upstream was not consulted or asked in any way about how to go about making it do what they want. While my first try was wrong, it’s actually wrong due to a bug in audacious; that is the way they should patch it, and they should switch back to my patch in 1.5.1, as the weighted plugin detection is fixed there*. *On my branch only. Which i will be pushing to proposed/audacious-1.5 soon enough. Update: apparently some people took this the wrong way and assumed I was flaming Ubuntu here. Why would I? No, I was ranting about the fact that this guy changed a bug and within minutes uploaded this hideous patch. There wasn’t even realistically time to reply to the bug, nor was the patch posted for any sort of public review before hand. Anyone familiar with audacious’s internals would have immediately recognized that the patch is bogus.

Two or three days ago, there was a discussion on dpatch, quilt and all the other patch management systems on #debian-devel. My opinion still stands: if you change upstream source, then it better be in a way that upstream finds acceptable. But if I expect my changes to be merged quickly, why do I need an elaborate scheme to manage them? Or is a significant percentage of our upstreams unresponsive enough to warrant a fork?

I learned about two bash features I hadn't known about today.

From a colleague, GLOBIGNORE. A colon-separated glob of files to ignore when expanding globs. Helpful behavior when set to "*~" and used with grep.

From the Git FAQ, in a section explaining that it breaks the Git build process, CDPATH. A colon-separated search path to use when you type cd. Possibly useful to refer to subdirs of ~ or other common areas. Seems like it's prone to break a ton of scripts if exported though.

Firstly, I haven't been following debian-devel as closely as in recent months and some things have passed me by. Secondly, I am rather pre-occupied with my own small world of Embedded Debian. One result of this is that I wasn't really paying attention to arguments over the source package format and took longer than I expected to respond to a request to take a look at tslib - a touchscreen library for embedded devices. When I did start work on it I managed to upset Joey Hess by implementing dpatch support which he had recently decried as unhelpful. I also added some extra fuel by getting myself in a two-and-eight over svn-buildpackage and it's broken bias towards native packages.
I happen to disagree with the idea that maintainers should alter upstream files directly, merely relying on the .diff.gz or some weird $RCS runes. Instead, I seek to ensure that the .diff.gz contains no changes outside the debian/ directory. I'm not happy keeping the entire upstream source in yet another RCS (for any reason) and would much rather make updates to my Debian packages by simply copying the debian/ contents into an unpacked pristine upstream source (preferably via uscan). I find it really useful to simply check out the latest CVS/SVN/$RCS, dump debian/ into place and call 'debuild' when testing various upstream development issues. Maybe this is because I have relatively few Debian packages that need debian/patches/* and certainly few that need more than a couple of patch files. It certainly has a lot to do with my embedded work where I need to make changes to the contents of debian/ to make an Emdebian package whilst retaining the same upstream code as is used in existing embedded projects like Open Embedded and Familiar. I don't want to be chasing changes through the upstream source - I want all the changes in a single place so that I can create Emdebian patches against the Debian source. (I'd rather not have patches in the Debian source at all but this is only realistic for either my own packages or those released as part of GPE for various embedded-native compatibility reasons.) I certainly do not want any Debian $RCS to be lumbered with yet another set of upstream sources that will always be out of date compared to the real upstream sources.
I am also a great fan of CDBS - much to the horror of some in Debian - primarily for one very simple reason, it cross builds so easily. Considering my workload, it should not be a surprise that the ability to support cross building without requiring any changes to the Debian package is incredibly persuasive when selecting a build system for a package of my own. debhelper really is woeful at cross building - each package needs customised cross building support painstakingly devised and tested, making script-based mass bug filing impossible. CDBS shows that with a little wrapping, debhelper can support cross building in a clean and completely non-intrusive manner.
This means I can concentrate on those changes that are actually important - the changes that provide the benefits of cross-building and justify the effort of actually cross building the entire dependency chain: the ability to fully control Debian-specifics like "Essential: yes" and to disable, modify or adapt components of any package such that the installed system has a fraction of the dependencies of the Debian version of precisely the same package. TDeb support is good too but that can be implemented against any build, it doesn't need to be a cross build.
Sadly, the end result of all this for tslib is that it will be removed from collab-maint very soon, Joey does not wish to be associated with the new version because although it includes some features which he is happy to see implemented, my use of dpatch and the hacks I had to devise to workaround svn-buildpackage do not fit with his workload patterns. Once tslib is removed from collab-maint, these hacks become redundant and I can use my normal packaging methods. Equally, his methods (in particular the lack of debian/patches/*) do not fit with my workload patterns and although I do not have as many packages as Joey, I have enough (when the 200 Emdebian source packages are also considered) to make the issue into a blocker. The new version of tslib uses the upstream SONAME and adds a -dbg package so it will spend some time in NEW. I am also likely to migrate it to CDBS once removed from collab-maint.
I suspect these issues will be revisited during discussions at Fosdem 2008 where I'll be presenting two talks - one in the Debian developer room and one in the Embedded developer room. Feel free to harangue me if you feel strongly that there is a sane way of cross building that does a better job than CDBS.

Joey has a problem with tools used over dpkg-dev’s core tools to help maintainers maintain their debian packages. I was wondering about the adoption of those tools, so I simply grepped the logs from my last rebuild for “^Setting up $TOOL “, which is more accurate than looking at build-deps, since someteam-pkg-tools could depend on cdbs, and hide cdbs usage. Results, with lists of packages “affected”:

Tool	Packages
debhelper	11434 (95.8%)
cdbs	2665 (22.3%)
dpatch	1714 (14.4%)
quilt	935 (7.8%)
dbs	57 (0.47%)
yada	32 (0.27%)
debmake	2 (0.017%)

(if you want me to check the logs for another tool, just tell me) My personal opinion on this is that tools that make sense are slowly getting adopted (that probably includes debhelper, cdbs, dpatch and quilt). The main difference between debhelper and the other tools is that the other tools don’t try to solve a problem for everybody. cdbs perfectly makes sense for some packages: the simple ones, where you only have to modify 4-5 lines in the output from dh_make to build properly. Patch systems are also a good way to track changes made to upstream source, and probably encourage giving back patches to upstream. Note that my stats don’t include packages using cdbs’ simple-patchsys, so there are probably really close to 1/4 or 1/3 of our packages using some sort of patch system. How course, having simple-patchsys, dpatch and quilt sounds a bit stupid. But last time I checked, nobody took the time to blog a comparison of those tools, saying why quilt,dpatch is better than simple-patchsys,dpatch,quilt . Also, simple-patchsys probably makes a good-enough job for its users, so they don’t see the point in changing. Of course, it’s easier to bury your head in the sand, and ignore the fact that those tools solve real problems for so many people and packages, and make their lives easier. :-)

We have a problem with our tools in Debian, and it's this: Above the core tools in dpkg-dev, and the nearly core tools in debhelper and devscripts, and the many different -- but all slowly converging -- revision control systems, there is the potential for infinite cruft to pollute the source package. Note that one developer's cruft is another developer's use of an excellent tool. If you don't believe that, you haven't read a lot of crufy upstream build systems, because Debian isn't the only project with this problem. The source of this cruft is a near-constant stream of new tools that are each developed in good faith by someone who needs that tool, and then adopted and used in packages of a generally small percentage of developers, who think that tool might be a good fit for their problems. The tool isn't yet suitable for everyone to use, and most of these tools never become suitable for everyone, because

1. making the leap from a special-purpose, poorly-designed hack to a general-purpose tool is hard
2. getting the project to standardise on a tool is hard
3. a tool often doesn't become general purpose until enough people use it, no matter how well designed it is to start out with

So after a while, a better, or at least different, solution to some of the same problems will come along, and some generally small percentage of developers will choose to use it in their source packages. Meanwhile, the developers who chose the old thing will be set in their ways and not want to use the new thing, and generally cannot be budged to stop using the old thing by any amount of argument. Which in a sense is normal, and fine, until you have to collaborate with them. I don't care if someone I'm collaborating with uses emacs to my vim, but I do care if they use cdbs to my debhelper. I care because their tool-choice encrufts the source that I'm supposed to be working on. Once a significant percentage of all the source packages in Debian are encrufted for a wide array of different tools, it will become harder and harder to work with Debian's source packages. We're already seeing this happen. Another way of looking at it is that we've invented dozens of source package formats that all work differently, aside from a small shared core, and we expect our developers to be able to use all of them. At this point I see this as a huge, potentially killer problem, that is making Debian development become worse with every passing year. But I have no real solution. Obviously pointing out that tools are obsoleted or bad doesn't work; we still have dozens of packages using yada, which everyone agrees is horrible. That doesn't bode well, does it? One partial solution is to design a category killer, and get it embedded in acknowledged core tools. That's what I have tried, and so far, failed, to do with an evolutionary change to the Debian source package format, which I'd hope would give people a reason to stop using dpatch, dbs, and their ilk. As noted, this approach is Hard.

---

For now, I have no interest in being on a team that requires I use any of the following things:

• dpatch
• dbs
• quilt
• Any similar system that is used to move all patches to under the debian/ directory.
• Any system that nests the actual original upstream .tar.gz inside an .orig.tar.gz.
• yada
• cdbs
• Any similar system that obfuscates debian/rules.
• Any special script that is required to be used to build a package as a wrapper around dpkg-buildpackage.

This means that I can't be on the security or release teams, and even teams like the perl team are getting sticky to be on.

---

PS, this doesn't mean I dislike quilt. I dislike quilt encrufting Debian source packages, which is entirely different. PPS, In case you're wondering why debhelper gets a pass, it's because it's gone through the three numbered steps above to become a standard, general purpose tool, and has no serious competators. (Though it does have parasites, like cdbs.)

mutt-patched: sidebar keybindings mutt-patched it's really cool, thanks Myon for advertising it. Actually I've tried it only in the hope that it could solve bug #459739 (don't bother trying: it doesn't), but I'm now liking it, especially the sidebar patch. Unfortunately it lacks default keybindings for moving the sidebar cursor (why the heck: since the sidebar is enabled by default, am I supposed only to look at it?). Here are mine, in case someone wants a "plug and play" configuration for her .muttrc:

zack@aquarium:~$ cat .muttrc  tail -n 6
# mutt sidebar settings
bind index,pager \CP sidebar-prev
bind index,pager \CN sidebar-next
bind index,pager \CO sidebar-open
macro index,pager B '<enter-command>toggle sidebar_visible<enter>'
color sidebar_new yellow default

They are basically a subset of those proposed on the homepage, but I did not like changing the default semantics of b. See also bug #459725.

That's the good news. The bad news is, it's still affected by CVE-2007-5925, which allows remote authenticated users to cause a denial of service (database crash). J rg Br he wrote on the packagers mailinglist that's because the sources for 5.0.51 were cloned before the fix got in. I don't know exactly how their release model works, but looks like it needs to be improved.

To make it even worse, bug #32125 which has a patch for the problem, was set to private a few days ago. Because we already have the patch in our MySQL packages since exactly three weeks, it's available in our subversion repository.

From November 28 till December 2, 2007, I attended a Debian QA and release teams work session in Extremadura, which is an autonomous community of western Spain, that managed to install Debian on 90000 computers in every school (technically a Debian based distribution called gnuLinEx) and Junta de Extremadura also sponsored this meeting.

I took photos of all participants, see my first, second and third posts. When I arrived at the Madrid airport where we first met, I set myself a goal to remember all names and faces, so I used my blog to help me and I think I succeeded in the end. :)

See also our wiki page that we used prior and during the meeting.

So what did we do besides throwing candies?


Lucas Nussbaum will send a summary email soon about the meeting, so I'll just speak for myself:


I worked with Gon ri on svnbuildstat, that is a service for building packages and show statistics about lintian/linda/piuparts checks. It for example contains all packages of the Debian Python Modules Team (that I am a member of) and many others. We discussed and started to work on how to create robust buildbots, that can be installed as a regular Debian package with zero (if possible) configuration, so that many people can just install them without pain, thus providing a huge scalability to the project.

We wrote a preliminary patch to pbuilder for killing the build if it exceeds given memory/disk usage. I had to learn the internals of pbuilder and I lost quite some time squashing some stupid bug I caused while writing the patch.

I spent most of my time with svnbuildstat, mostly learning and discussing things. This will be important for the future, but to also have some real results, I also fixed some packages I comaintain:

Together with Kumar Appaiah we fixed the python-numpy package and I had it uploaded, then I learned how to work with quilt instead of dpatch to handle patches in Debian packages, thanks to Holger's webpage, that contains a nice tutorial. Then I switched from dpatch to quilt in python-scipy and backported a patch from upstream svn to fix a segfault bug and had the package uploaded.

Then I finished the Cython package and had it uploaded. Cython is a marvelous package to speed up Python programs and interface C/C++ programs. I greatly recommend to try. If you don't like it, you can try some of at least 10 other ways to wrap C code in Python. I also used quilt in there to backport a patch from the upstream Mercurial repository to implement parsing @classmethods. Quilt is really a pleasure to work with.

Impressions from the meeting

I've been using Debian since 2001 as my only operating system on all of my computers, so I am not a complete beginner. But it never occured to me I could get involved in Debian more than a user and an occasional bug reporter. What a mistake.

I started packaging new things and fixing packages that I need for my work and that didn't work. This got me involved quite a bit in Debian. But in M rida it was the first time I could dring a beer (well, especially wine) with Debian Developers and I found out they are really cool people. They are all very skilled. Also something, that I love about Debian, is that the people involved in it share two common features, that are very important for them - respect to democracy and personal freedom. When I think about it, those are probably the first two items on my presonal list of values.

Of course, everytime there is a group of 1000+ people, there are good and bad people, more and less skilled, but important is the overall atmosphere - and that is as I described. I think Debian is truly unique. There is Gentoo, that has maybe 40 (?) active developers. There is Ubuntu, that has maybe 100 (?) developers, but it's basically a comercial distribution and there is not so many interesting work for non employees of Canonical. There is opensuse and fedora, where I am not sure about the numbers. The atmosphere in Debian can change in the future, one never knows, but as of the end of 2007, I think it's very cool to get involved.

Maybe it's not for everyone, but it's the right place for me.

* Once upon a time, I adopted ‘festival‘ and ‘speech-tools‘ packages. Updated it to my standard style of packaging (learned from different mentors) and fixed long pending bugs. I came to know that there is ‘New Upstream Version’ available from long time. Somehow, .diff.gz was so dirty that didn’t dare to touch it and apply and build the packages. Then, Kumar came and handed over me a nice little script.

#!/usr/bin/awk -f
/^—/
name = $2;
sub(/^[^[\/]+\//, “”, name);
gsub(/\//, “_”, name);
if (name !~ /\.diff$/)
name = name “.diff”;

print $0 >> name;

What it will do? gunzip your dirty .diff.gz and run it over .diff. It will split single .diff in multiple .diff s. You now need to merge or un-merge it manually (ah!). Dpatch can also converts .diff.gz in single patch (then you need to split it yourself! Correct me if I’m wrong!!) We are now able to successfully packaged festival and speech-tools. Thanks a lot to Kumar for help, patient and tweaks! I am now quilt lover! Package will be maintain using ‘collab-maint’ in near future. Ah, learning git for it!

dpatch progress. For the last three months, I've neglected dpatch maintenance. Looking at the mail archive, I found a lot of patches. There is a lot of interest in dpatch, I assume. I think I need some help in dpatch maintenance, I am the only active member at the moment in the dpatch maintainer group. Anyone interested ?

Previously, I demonstrated a Debian packaging workflow using Git and I mentioned the possibility of a follow-up post; well, here it is: you want to use my workflow (or one that's related) for a package that is currently maintained with Subversion on svn.debian.org and you'd like to keep the history during the conversion. Make sure to read the previous post before this one. I am again using the example of mdadm since its Git packaging repository is in a state of shambles and I want to restart to get it right and import the history from the previous Subversion repository. What better way than to write a blog post as I do so? Well, plenty actually. This kind of post isn't really made for a blog, and I have started work on setting up ikiwiki on madduck.net, but it's not yet ready, so I'll stick with the blog for now. I will make sure that links don't break as I move content over, so feel free to bookmark this