Update 2: Richard and especially Moray debunked my statistics and given that they're actually on the DebConf team, they simply know it better what to look at and which numbers cannot be trusted. So look over to Moray's post for some numbers about DC11 and DC12.

Oops. At least the average count of days per person seems slightly higher. (But then the stats may likely be off, given that any part of the day counts as full.)
This year's DebConf will have remote participation through video streams and IRC chat, as usual. But they will be late at night for Europeans. Despite those hurdles, let's make this conference a success! The same procedure as every year. ;-)

Update: I don't have any privileged access to Pentabarf and hence I was just working on the exported data at the link above. When perusing the "Statistics for ONLY people who have both dates in Penta" I get this:
That's because this year seems to have a much higher percentage of people filling out both fields (~58% for DC10/DC11 and 85% for DC12). I'm still unsure if Penta was set to filter out those who did not reconfirm. But after all the others would not be very meaningful for room planning.

Yay, so we made it: s390x got added as a release architecture. What this means:

• If the package already exists on that architecture and fails to build, that issue is deemed RC. You can debug the issue on the porterbox (zelenka), chroot sid_s390x. Build dependencies are installed by a team, just follow the request guidelines.
• If your package is not installable on s390x, it will not migrate to testing anymore. So if a package does not exist on s390x, you need to make sure not to generate a dependency on it or prevent your package from building on s390x (by e.g. build-depending on a package that's not available on s390x or by getting it into Packages-arch-specific).

This will also help other 64bit big-endian ports (like powerpc64 and sparc64) to enter the archive more easily, as most issues left are indeed related to endianness, not to specialities of the System z hardware.

Many thanks go to Aur lien Jarno, without whom this would not have been possible. I also want to take this opportunity to thank all our s390(x) machine sponsors: ZIVIT, IIC@KIT and Marist College. There are not many mainframe owners who let free software projects work on their machines.

If you want to add System z zFCP drives to a Debian GNU/Linux system, you first need to make the HBA known to the system. For this you add an (initially empty) file with the (lowercase) device ID of the zFCP HBA to /etc/sysconfig/hardware. There should already be files for the ECKD/FBA disks and the network adapters.

Then you need to list the drives to initialize by placing the following array in it with a list of WWPN:LUN, seperated by spaces within the parentheses:

ZFCP_DEVICES=(0x1234567890abcdef:0x4000400000000000)

Please keep in mind that the WWPN and LUN need to be specified in hex and again entirely in lower case. This will cause hwup ccw 0.0.4000 (with 4000 being the CHPID) to instruct the HBA to add the drive after setting it online. Then you should regenerate your initrd, so that it happens on-boot, by running update-initramfs -u -k all.

With current kernels the available WWPNs should be probed and listed in /sys/bus/ccw/devices/0.0.4000 without further intervention after the HBA is initialized.

Sadly there's no way to set up a zFCP disk in debian-installer.

Dear Lazyweb,

is there a simple way to block some users who login with SSH to read /proc/<pid>/cmdline of processes they don't own? Or better yet: don't see these pids at all?

I know that there are PID namespaces, but they seem to require a special PID 1. Seems hard to get for a simple SSH login. (I wouldn't mind changing a user's shell. But brittle shell startup scripts wouldn't cut it.) systemd-nspawn wants to boot a full Linux distribution in a container and even then I'd be unsure how to wire it up so that it cannot be skipped. I wouldn't mind a read-only bind mount of the outermost Linux installation into a chroot environment, as long as the parent SSH process can get the user jailed into it securely. (No need for someone to be root in the chroot.)

I know that there are RBAC frameworks, but they're cumbersome to use. I don't need file labelling or path-based access control, as I do trust the Linux file permissions for this. I think SMACK wouldn't help here, AppArmor isn't really useable in Debian testing and TOMOYO is a tad crazy to use with its domain transitions through process invocations.

I bet that grsecurity would have something for me up its sleeve. But it's not in a Debian kernel. Even though I know how to compile my own kernel I'd only do that if everything else fails.

Thanks in advance for your help.

UPDATE: That was quick, thanks to everyone who participated! Vasiliy Kulikov came up with a kernel patch to my problem (a hidepid mount option for procfs) that landed in 3.3. I tested it with the kernel in experimental and it works just fine and as expected. With hidepid set to 1, it will still leak the process count and their euids and egids. With hidepid set to 2, you only see your own processes, unless you're root. For ps there's no visible distinction between the two. So to test it you can just invoke this as root on a host running 3.3+:

mount -o remount,hidepid=1 /proc

There's even a backport request in the Debian BTS to get the feature into the wheezy kernel (3.2).

When we added s390x to the main archive, coming from Debian Ports, we were unlucky. A new glib release had assumptions that weren't true on 64bit big endian architectures and it entered the archive just a few days before we made the initial import. This weekend we finally got a new major release into Debian unstable that fixed these issues. So we're almost on par with s390 now. It all untangled quite nicely after glib-networking was able to complete its testsuite. Only one build-dependency loop between nautilus and tracker had to be broken manually.

So what's left? There's a bunch of usertagged bugs (with both general FTBFSes and arch-specific issues; kudos to Aur lien Jarno providing a lot of patches) and we still need to file some, like iceweasel segfaulting during its build. That's important because another bunch of packages needs it to build (well, mozjs and/or xulrunner, or some package that needs those).

Thanks to klibc being fixed, rootskel finally built in the archive and hence we've now finally enabled the daily builds of debian-installer for s390x. They're still untested, though, and I hope to come around to that in the near future.

In other news I've spent some more time chasing weird 64bit big endian issues in glib. Newer versions have regressed in their support and again assume that certain fields are either 32bit/64bit little endian or 32bit big endian, which is unhelpful. Sadly the testsuite is guilty as well, which doesn't make debugging any easier. I still suspect a bug in either gio or GClosure's interface to libffi, let's hope that when that one's found that the remainder of the archive is building just fine (Currently a lot is blocking on glib-networking which fails in its testsuite. And of course there are still usertagged bugs that need to be fixed.)

It would be cool if we could run more testsuites during package building and find the bugs in them. glib does have one, but its failures are non-fatal for the build (also because there are so many failures). That would make porting to future architectures a tad easier.

TL;DR: Since a few months Debian also hosts a Gobby server. You can find it at gobby.debian.org. To use it, install gobby-0.5.

Gobby is a realtime collaborative editor, much like Etherpad, but as a standalone desktop application. (It's also open source since the beginning.) It resembles gedit somewhat. In retrospect plugging into gedit would've made more sense than to develop yet another editor.

Sadly there's a catch: Gobby had multiple iterations at getting its protocol right. So there are two incompatible versions: Gobby 0.4 and Gobby 0.5. But to confuse you, Gobby 0.4.9x is currently called Gobby 0.5. The lead developer wants to get self-hosting (i.e. the one-click creation of a server) back into the application before he calls it stable.

So to use the aforementioned server you need to apt-get install gobby-0.5, invoke gobby-0.5 and type gobby.debian.org into the "direct connection" field in the lower left bottom. This will give you a document tree on the left, where you can create new documents and folders. Please don't be destructive.

If you have a problem, if no one else can help, and if you can find them, you might contact the admins at admin@$service.

Adam sent a new call for testing for the next point release of Debian Squeeze. Please test the packages in squeeze-proposed-updates on some machines running squeeze if possible, so that we don't screw up your production machines with bad updates in a week. The point release is scheduled for January 28th, i.e. next Saturday. Don't forget to copy the debian-release mailing list when you encounter regressions. Thanks for your efforts.

If you want to receive these notices by mail, please subscribe to the debian-stable-announce mailing list.

It took quite a lot of effort to persuade all decision makers to make this happen, but here it is: A new Debian buildd is being hosted at Karlsruhe Institute of Technology, to support the s390(x) ports. Its name is zemlinsky. So we've got some redundancy now and despite them being some sort of fringe architectures, they're looking pretty good. s390x is currently bootstrapped in the archive and it's progressing pretty quick. This new fast builder is one of the reasons why the slope is so steep.

Pointing people at the Debian Machine Usage Policies (DMUP) is pretty helpful to get a consent, with relation to network usage and acceptable use of the machines themselves. In this case the hardest part was drafting a user agreement that allows other non-university persons to log into the box, which is crucial to have it maintained by the Debian System Administrators.

Thanks to all the people at IPD Reussner, Steinbuch Centre for Computing and BelW who helped me getting this done.

If you want to copy debian-installer for System z onto a z/VM user's CMS disk, you don't need access to FTP (and hence the host's TCP/IP stack). You can just use x3270 and transfer files with it. For odd reasons I forgot about this, so let's document it here:

• Figure out which CMS disk is actually writeable for you (most likely the A disk) by issuing Q DISK and looking for "R/W" in the STAT column.
• Select File, File Transfer.
• Tick "Send to host" and "Host is VM/CMS".
• Download the four installer files to your local machine: debian.exec (a startup script that punches the kernel, boot parameters and initrd onto cards and executes the card deck), kernel.debian, parmfile.debian (the boot parameters) and initrd.debian.
• Transfer debian.exec and parmfile.debian with "Transfer ASCII file" ticked and Record Format set to "Variable" ("Add/remove CR at end of line" and "Remap ASCII characters" should both be ticked by default; LRECL and BLKSIZE should both be empty.) The host filename is the CMS filename, so something like "DEBIAN EXEC A" (with the spaces, and A replaces with the letter of the writeable disk of your choice). Both files must be prefectly readable in XEDIT (i.e. properly converted to EBCDIC).
• Then transfer kernel.debian and initrd.debian with "Transfer binary file" ticked and Record Format set to "Fixed" with LRECL = 80. This may take a while.
• Boot up the installer by issuing DEBIAN to z/VM, starting the script. If you needed to rename the files above (the drive letter doesn't matter), you need to adjust DEBIAN EXEC first.
• You should see Linux kernel messages now. Profit.

Since my last post about Firefox extensions I've enabled two other addons:

Through the comments I got pointed to Fox to Phone which enables you to send links from your browser directly to your Android phone with Chrome to Phone installed. Thanks for that.

Another useful extension that was recommended to me is LeechBlock. You give it a list of news sites you regularly frequent and it will make sure that you only spend a given time budget on them per day or that you only browse them in the evenings (or even a combination of both).

As I expected I did deactivate RequestPolicy again. That said, Facebook recently switched its certificates, so Certificate Patrol was unhappy. It's impressive and sad how many pages actually do cross-site requests to embed Facebook's buttons. If somebody would invent something less annoying to stop this mess, that would be great.

There are various presentations that state the goodness of PAV on Linux. Most revolve around using multipath-tools to assemble a volume if you don't have HyperPAV. But it turns out that the DASD device driver does multipathing for them internally in current kernels (which includes the squeeze kernel).

So all you need to do is setting those alias devices online. When you do that the kernel will log that it detected a new device, but you'll find that it won't create any dasd* device nodes for them, nor will it list partitions. lsdasd will only show you "alias" without mentioning the base volume, but you can fetch that information easily from the uid sysfs entry.

Many people around me switched to Chrome or Chromium. I also used it for a bit, but I was a bit disappointed about the extensions available. To show why, here's a list of the extensions I've currently installed:

• Adblock Plus: I guess everyone knows this. It sits quitely in the background and removes quite a bunch of eye-distracting stuff from web pages. You see the web differently and are always confused when viewing pages on your smartphone.
• British English Dictionary: Pretty self-explaining. Firefox has an integrated spell checker and that one needs a dictionary.
• BugMeNot: You can right-click on a login field and let it insert BugMeNot data automatically. I don't use it often enough to remember that it's there.
• Certificate Patrol: SSL's X.509 trust model is weak, to say the least. This extension implements the "save on first visit" trust model and warns you if the certificate or the CA of a URL changes.
• Download Statusbar: If you're used from, say, Chromium to see your download progress above the status bar, this extension will give you that. I don't like the separate window, especially with Awesome as my window manager.
• Firebug: Most people know this, too. Very useful when you do web development. You can see the effects of CSS as you type, for instance.
• Flashblock: YouTube has its HTML5 trial, so you don't need Flash for it. Sadly I had to give in recently (for live streaming sites like the German Parliament, go figure) and have it installed for "emergency" cases. But really nobody needs Flash advertisements or other silly Flash animations, so Flashblock will conveniently refuse to load the Flash plugin unless you tell it to.
• German Dictionary: As above.
• Google Translator for Firefox: Translates marked sections on a web page in place. It lets Google guess the source language, so you really only mark the area, click the button and be done.
• Greasemonkey: Modifies web pages in place to make them more sane, using little scripts. I use two currently:
• Better Outlook Web Access (OWA): For odd reasons I'm forced to use OWA 2007 at a company of Windows and Mac users. This makes it a little bit more bearable, by allowing you to save your password and by adding a message preview pane. You really don't want to use OWA Light 2007 without this.
• Tagesschau.de - video tag: A simple script that lets you watch videos on tagesschau.de without resorting to Flash. They ship Theora videos alongside H.264, which is supported by Firefox out of the box.
• Lazarus: Form Recovery: This already saved me many, many times. Sometimes I hit the stupid Thinkpad page back/page forward keys, or the browser crashes or I'm torn away from a page in another way. This extension keeps your form content mostly save, so that you don't need to start from scratch. A must have.
• Live HTTP headers: curl -D usually works. But sometimes you need authentication and cookies and stuff, hence doing it in the browser makes sort of sense.
• Modify Headers: I don't really use it anymore. There was this legend that YouTube lets you watch videos that are blocked in your country (Hello, GEMA, I'm looking at you!) if you provide a X-Forwarded-For header with an IP from another country. Never worked for me.
• Mozilla Archive Format: If you need to archive a web page or want to collect a bunch of pages for offline reading, this is the way to go. You can conveniently select either single pages or several tabs to be stored.
• Perspectives: I'm paranoid, so here's the second SSL certificate check. Perspectives uses a bunch of network notaries hosted on PlanetLab to check if everyone sees the same certificate. Together with Certificate Patrol that means if that you save a self-signed certificate on first visit if the notaries all agree that it's the currently installed one.
• PwdHash: Password re-use on different web sites is bad. There are sites where I'm not very concerned about the strength of my password, but where I don't want to leak my main ones. PwdHash uses the domain name and the password I give as components to a hash function. So if I'm at a computer without access to my saved passwords, I can easily reconstruct the hash. If need be, I can use the JavaScript on the developer's web site to do that.
• RequestPolicy: It's currently installed but I don't think it will stick around much longer. Too many sites are using embedded cross-site requests, which this extension will allow you to review. As an example every Blogger site that's on a custom domain (like my blog) will trigger it. Instead half of your web will have red flags everywhere full of blocked requests. Not that helpful. Interestingly enough it also polices Flash's outgoing web requests. Which breaks even more often than normal web pages.
• Secure Login: This gives you a button (or a keyboard shortcut) that allows you to choose from several logins and then goes on and posts those credentials securely to the page in question, bypassing any JavaScript that might want to see them. You also get auto-login bookmarks for those sites which don't allow you to remain logged-in across browser sessions. (Like OWA.)

If Firefox on Android were quicker to start and faster overall, I might even use it there. But as-is it's not very useful. Sadly this also means that I can't use Firefox Sync on my phone and as I don't use Chrome on my desktop I also can't use Chrome to Phone. So I usually go and build a QR code on my laptop and read that with Android's Barcode Scanner.

Of course I'm actually using Iceweasel and I'm very grateful for Mike Hommey's efforts to track the release channel on mozilla.debian.net.

There's a new call for testing for the next point release of Debian Squeeze. Please test the packages in squeeze-proposed-updates on some stable machines if possible, so that we don't screw up your production machines with bad updates in a week. The point release is scheduled for October 8th, i.e. next Saturday. Don't forget to copy the debian-release mailing list when you encounter regressions. Thanks for your efforts.

If you want to receive these notices by mail, please subscribe to the debian-stable-announce mailing list.

Two tiny bits:

• Thanks to Micha Lenk and after a fruitful discussion with Andrew Ruthven, you can finally find the Python bindings for Gnucash in the archive.
• If you want to check how your favourite package evolved over time: All historic build times and disk space information available in the Debian build logs are now imported into our database and are hence visible on log overview pages such as the insighttoolkit one.

If you still want to grab documents that used to be on gobby.debian.net:

• A Gobby server is back at that address. However its SSL certificate is issued on the name of gobby.0x539.de, which is upstream's public Gobby server. So you can just accept the certificate and then access the documents in the "debconf11" folder.
• I put up a tarball of all resulting plain-text documents. If you miss some content in one of them, please don't hesitate to contact me. I might be able to restore it from the records that dkg sent me before shredding the server.

Three things I learned about Debian s390 today:

• The kernel expects hexadecimal channel numbers in lower case. Trying uppercase digits is futile.
• To get a getty in the HMC's Operating System Messages window of an LPAR, just uncomment the dumb console entry in /etc/inittab.
• For the integrated ASCII console to work on LPAR, you need to put up a getty onto ttysclp0. You can reuse the same parameters as for ttyS0 (the device that just works with z/VM). Unlike the 3270 interface of z/VM the integrated ASCII console is actually pretty nice and usable. You can even run vim in it without getting completely crazy.

So there are two things I stumbled upon with caff:

• If you have two keys, you want to set $CONFIG 'local-user' to the content of $CONFIG 'keyid' . For some reason unbeknownst to me this option is not even listed in the configuration file template. keyid does something different that you'd expect
• More importantly it uses its own gpg.conf for whatever reason (probably because it sets its own GnuPG homedir and does not override the configuration file location). So if you, like me, put the right settings for strong signatures into ~/.gnupg/gpg.conf, you need to replicate them into ~/.caff/gnupghome/gpg.conf.

Thanks to Tom Marble for the hint. I'm still sad that I'd basically need to re-do yesterday's keysigning (which was about 100 e-mails), just to switch from the default SHA1 to SHA256

In the aftermath of the World IPv6 Day YouTube seems to be serving its content over IPv6 now. Interestingly the frontpage is still served via IPv4 (if you're not in a Google IPv6 whitelisted network). But all the Flash and HTML5 video content is served through IPv6 if available, as the cache servers return proper AAAA DNS records. Apparently that's the case unless your network is blacklisted because of bad IPv6 support and even if Google has some caches at your provider's site (which is the case for Alice DSL in Germany, at least).

I think that's quite some motivation for the providers to at least fix IPv6 connectivity if available and to suppress rogue IPv6 router advertisements in their networks. I had to ensure the former today and the latter is a constant source of grief with the bulk of L2 switches and Wi-Fi access points not being IPv6 ready.

Last week I tried switching a library to Gtk3. The needed changes to the code are available through --with-gtk3. However this is generally not enough. Even if your symbol list doesn't change, the ABI changes implicitly. The library in question had a .symbols file, but that's not enough because the resulting GUI application will bail out at runtime if symbols of both Gtk2 and Gtk3 are found in the same address space. That's mostly because C symbols don't contain any signatures with return types and parameters.

So if your library upstream did not change the soname for the Gtk3 build, please encourage them to do so. Also keep in mind that this most likely means new pkg-config files specific to the Gtk3 build, too. At least if you want your reverse-depends to be able to build against either Gtk2 or Gtk3 in a predictable way.

An example is this change to gtk-vnc, which uses gtk-vnc-2.0 as the new API/pkg-config name for the Gtk3 build, gtk-vnc-1.0 remains the old Gtk2 one. The soname changes from libgtk-vnc-1.0.so.0 to libgtk-vnc-2.0.so.0.

(Thanks to Michael Biebl and Julien Cristau for pointing out the obvious to me.)