There s been a lot of discussion regarding whether or not Nokia is Doomed or not. The people who say Nokia are doomed basically point out that Nokia doesn t have any attractive products at the high end, and at the low end the margins are extremely thin. The high end products suffer from the Symbian being essentially dead (even Nokia is recommending that developers not develop native applications for Symbian, but to use Qt instead), and Nokia doesn t have much of a development community following it, and it certainly does have much in the way of 3rd party applications, either targetting Symbian or Qt at the moment. So what do I think of the whole debate between Tomi and Scoble? First of all, I think there is a huge difference in American and European assumptions and perspectives, and a big question is whether the rest of the world will end up looking more like Europe or America vis-a-vis two key areas: cost of data plans, and whether phones become much more application centric. Tomi took Apple to task in the comments section of his 2nd article for not having an SD card slot (how else would people share photos with their friends?) and for not supporting MMS in its earlier phones. My first reaction to that was: Um, isn t that what photo-sharing sites are for? Is it really that hard to attach a photo to an e-mail? And then it hit me. In Europe, data is still like MMS a few years ago a place for rapacious carriers to make way too much money. Many European telco s don t have unlimited data plans, and charge by the megabyte and even if you re lucky enough to live in a country which does have an American-like data plan, the cost of data roaming is still incredibly expensive. In contrast, in the US, I can pay $30/month for an unlimited data plan, and I can travel 2000 miles south or west and it will still be valid. Try doing that in Europe! The US had consumer-friendly data plans much earlier than Europe did, and so perhaps it s not surprising that Nokia has engineered phones that were far more optimized for the limitations caused by the Europe s Wireless carriers. The second area of debate where I think Scoble and Tomi are far apart is whether phones of the future are fundamentally about applications or well, making phone calls. Here I don t have proof that this is a fundamentally European vs. US difference, but I have my suspicions that it might be. Tomi spent a lot of time dwelling on how Nokia was much better at making phone calls (i.e., better microphones, better radios, etc). And my reaction to that was, Who cares? I rarely use my phone for making phone calls these days! And that was certainly one of the reasons why I gave up on Nokia after the E70 its contacts database was garbage! It was OK as a phone directory, but as a place for storing multiple addresses and e-mail addresses, it didn t hold a candle to the Palm PDA. And that s perhaps the key question how much is a smart phone and about being a phone , versus being a PDA (and these days I want a cloud-synchronized PDA, for my calendar, contacts, and todo lists), and how much is it about applications? This is getting long, so I think I ll save my comments about whether I think Meego will be an adequate savior for Nokia for another post. But it s worthwhile to talk here about Tomi s comments about most smartphones being much cheaper than the luxury iPhone, and so it doesn t matter that Nokia s attempt in the higher end smart phones has been a continuous history of fail. First of all, it s worth noting that there are much cheaper Android phones available on the market today, which are price-competitive with Nokia s low-end smartphones (i.e., available for free from T-Mobile in the States with a two year commitment). Secondly, the history in the computer market over the last twenty years is that features inevitably waterfall into the cheaper models, and prices will tend to drop over time as well. Apple started only with the iPod, but over time they added the iPod Nano and the iPod Shuffle. And it would not surprise me if they introduce a lower-end iPhone as well in time as well. It would shock me if they aren t experimenting with such models even as we speak, and have simply chosen not to push one out to the market yet. So even if you buy Tomi s argument that the high-end smartphones don t matter, and you only care about volume, and not about profit margins (talk to the people at Nokia that will need to be laid off to make their expenses match with their lowered revenue run rates; I bet they will care), the question is really about whether Nokia has time to execute on the Meego vision before it s too late and the current application-centric smartphone ecosystems (Android and iPhone) start eating into the lower-end smartphone segment. More on that in my next post. No related posts.

For my birthday back in October, my wonderful wife gave me a Kindle 3 from Amazon. I d been considering other e-book readers for quite some time, but I had mostly ignored the Kindle due to the lack of EPUB support and a general dislike of Amazon s DRM enforcement. In the end, the superior hardware and ecosystem of the Kindle overpowered those concerns and overall I m very pleased with the purchase. The screen is amazing, literally just like reading off a piece of paper and the selection of books is OK. I ve been buying almost all my books from Amazon to date since it s so easy (the Whispernet is amazingly quick!) but it s not terribly difficult to get EPUBs from elsewhere onto the device after a quick run through Calibre to turn them into a MOBI file, so I keep telling myself I ve still got some flexibility. Almost as much fun as reading on the device has been learning about how it works. The Mobile Read forums have lots of step by step posts on how to do specific tasks like replacing the screensaver image, but they don t give much background detail on how the Kindle is actually operating which is what really interests me. Luckily among all the step by step posts I also found a usbnetwork package which also adds an SSH server to the Kindle, so after installing that and then SSHing in to my Kindle I ve been poking around. Under the cover the Kindle reveals a fairly standard Linux installation. While the hardware and IO devices are obviously unique, compared to something like an Android phone, the Kindle is refreshingly normal . Hardware

• Freescale MX35 ARMv6 based CPU with Java specific instruction support.
• 256MB RAM
• 4GB of internal flash presented as an SDHC device with four partitions. A ~700MB root partition, a ~30MB /var/local partition, another roughly 30MB kernel partition and then the rest (~3.1G) as the writeable user partition where your books and other content are stored. The root and /var/local partitions are ext3! (not jffs or some other more traditional flash based file system) while the user partition is vfat for easy use with Windows, etc.
• The board is code-named luigi and there are lots of references to mario and fiona scattered around the device, and even in some URLs on Amazon s website. Someone was obviously a Super Mario fan.
• The wireless chipset is Atheros based using the ar6000 drivers.
• The WAN (3G) modem presents itself as a USB serial device and is controlled via a custom daemon named wand which uses the standard Linux pppd package to establish IP connections over a private APN Amazon (provided by Vodafone here in Ireland).
• The EInk display shows up as some special files under /proc rather than as a device. With a bit of digging I found some simple constants that when written to the proc files cause the screen to display the standard boot/progress/upgrading images. I haven t deciphered how to make more complex updates to the display yet.

Software

• The kernel is based on Linux 2.6.26, with a bunch of hardware specific patches and drivers from lab126.com, an Amazon subsidiary who appear to be responsible for much of the low-level driver and device development.
• Lots of familiar open source projects are present, e.g. syslog-ng, DBus, busybox, pppd, wpa_supplicant, gstreamer, pango, openssl and the list goes on. You can download all the sources from Amazon s website. I haven t spent any time to see what if anything has been modified.
• There were a few unexpected finds as well such as GDB and powertop! No doubt useful for the developers, but highly unlikely to actually be used on a shipping Kindle.
• Boot-up is controlled by a set of sysv style init scripts which setup the filesystems and then start a handful of daemons to look after the low-level subsystems (network, power, sound) as well as the standard syslog and cron daemons you d expect to see on any Linux box.
• Once the basic system is up and running the init scripts kick off the framework which lives under /opt/amazon/ebook and consists of lots of Java classes. The system uses the cvm Java environment from Sun/Oracle which is specialised for embedded low-memory devices like this. The framework appears to take over most of the co-ordination, management and interaction tasks once it has started up.

The application/framework code is heavily obfuscated apparently using the Allatori Java Obfuscator. The jrename and jd-gui utilities have proven very handy in helping to untangle the puzzle, although they still only leave you with a pile of Java source code with mostly single letter alphabetic variable and class names! I ve been using IntelliJ s support for refactoring/renaming Java code to slowly work through it (thanks in large part to error/log messages and string constants found through the code which can t be obfuscated easily and help to explain what is going on), and I m slowly beginning to piece together how the book reading functionality works. I ll maybe write more on this in a future post. In one of my initial tweets about the Kindle I mentioned that it seemed to be regularly uploading syslog data to Amazon based on some sendlogs scripts I d noticed and a few syslog lines containing GPS co-ordinates that had been pasted on the Mobile Read forums. I can t find any trace of GPS co-ordinates in any syslog messages I ve seen on my device, but there is definitely information about the cell sites that my Kindle can see, the books that I m opening and where I m up to in them:

101206:235431 wand[2515]: I dtp:diag: t=4cfd77b7,MCC MNC=272 01,Channel=10762,Band=WCDMA I IMT 2000,Cell ID=1362209,LAC=3021,RAC=1
,Network Time=0000/00/00 00.00.00,Local Time Offset=Not provided,Selection Mode=Automatic,Test Mode=0,Bars=4,Roaming=1,RSSI=-88,Tx
Power=6,System Mode=WCDMA,Data Service Mode=HSDPA,Service Status=Service,Reg Status=Success,Call Status=Conversation,MM Attach St
ate=Attach accept,MM LU State=LU update,GMM Attach State=Attach accept,GMM State=Registered,GMM RAU State=Not available,PDP State=
Active,Network Mode=CS PS separate attach mode,PMM Mode=Connected,SIM Status=Valid; PIN okay; R3,MM Attach Error=No error,MM LU Er
ror=No error,GMM Attach Error=No error,GMM RAU Error=Not available,PDP Rej Reason=No error,Active/Monitored Sets=0;39;-11 1;180;-1
5,RSCP=-111,DRX=64,HSDPA Status=Active,HSDPA Indication=HSDPA HSUPA unsupp,Neighbor Cells=,Best 6 Cells=,Pathloss=,MFRM=,EGPRS Ind
ication=,HPLMN=,RPLMN=272;01 ,FPLMN=234;33 234;30 234;20 272;05 ,n=1: 101206:235758 cvm[3426]: I Reader:BOOK INFO:book asin=B003IWZZ3Y,file size=233168,file last mod date=2010-11-27 19.18.22 +0000,con
tent type=ebook,length=MobiPosition_ 465747,access=2010-12-06 09.44.32 +0000,last read position=MobiPosition_ 464387,isEncrypted=f
alse,isSample=false,isNew=false,isTTSMetdataPresent=false,isTTSMetadataAllowed=true,fileExtn=azw: 101206:233416 udhcpc[5639]: Offer from server xxx.xxx.2.254 received
101206:233416 udhcpc[5639]: Sending select for xxx.xxx.2.10...
Interestingly you can see from the last two lines, that Amazon has taken some care to preserve privacy by not including the full IP address given to the device by my local Wifi network, so in light of that I find it interesting that they decided not to obfuscate the Cell and Book IDs in those respective log messages too. Seems rather inconsistent. As to how and when these logs are sent to Amazon, the picture is a little bit murky. Every 15 minutes tinyrot runs out of cron and rotates /var/log/messages if it is greater than 256k in size. Rotated logs are stored into /var/local/log under filenames like messages_00000044_20101207000006.gz and alongside the log files are a set of state files named nexttosendfile, messages_oldest, messages_youngest. Something regularly sweeps through this directory to update the state and remove the old logs (after sending them up to Amazon I assume). I suspect that something is buried in the Java application code mentioned above. On the whole the Kindle is a fascinating piece of technology. It delivers a wonderful reading experience on top of a familiar Linux system and is going to provide me with many more hours of entertainment as I unpack all the tricks and techniques that have gone into this device. I would recommended it as a present for geeks everywhere.

I was fortunate to get to take a ride on the airship that has in recent times taken up residence in our back yard. It was a 90 minute flight around the South Bay Area (south over CA-85, then north to Stanford over I-280), over the bay itself to Fremont, over the salt evaporation ponds, and then back to Moffett Field. Visibility was fairly good, but there was a bit of smog around. The airship itself was really cool. It only seats 12 people, and it wasn't quite full. I didn't count the passengers, but there were about 3 or 4 empty seats. Once the airship stopped its initial climb, we were free to leave our seats and roam the gondola. There was an openable window at the front and rear of the gondola, and it was big enough to stick your head out, which made for some good photos. At the back, was a bench seat, and an inclined window, so you could lean right out the back. Even the lavatory had a window. The cockpit was literally just at the end of the gondola, so you could inspect all the controls and instruments, and have a chat with the pilot. Disembarking was a delicate counter-balancing affair. Two people off, two people on. We were the first load of passengers for the day, so they jettisoned a heap of water once we were all on board. Overall, it was a lot of fun, and a very smooth ride. I'm not sure that it's worth $495, though. Photos from the flight are here

I have always liked learning and understanding history. Since I discovered him, for a couple of years already I always try to catch Javier Garciadiego's program Conversaciones sobre historia, Saturday 9AM in the Horizonte 108 radio station (can be listened to online). This program started by going over the events just before the beginning of the 1910 revolution in Mexico - and along slightly over five years, one hour per week and following different threads, the program has reached the end of the Cristiada, in the early 1930s. Garciadiego has a very nice, followable, amenable way of telling history, and I have recommended his program to many friends. This last June, I spent some days in Guatemala City, for DrupalCamp Centroam rica. I stayed with my good Colombian friend, Dilson, and at his house he had framed a poster of the History of the Civilizations. Of course, I got my nose close to it, guessing as many faces as possible in the lot. And he showed me his last Christmas present: Two books, each of them with 6 CDs. One is Historia de las Civilizaciones, the second one is Historia de las independencias. They are made by Colombia's very well known and well regarded historian Diana Uribe. I copied the CDs in order to listen to them later And wow, was I impressed! Diana Uribe makes a great narrative about topics that to some people would seem boring and dry. As I said, I have always found passion in understanding the human processes that have shaped civilization and brought us all the way to where we stand now. Well, Diana Uribe manages to bring more "normal" people to this passion. While looking for information on her to share in this blog post, I found so many places offering download of her disks, with apparently young people talking about how she has got them all so excited and interested in history... That's, I think, the best "thank you" any academician can get: having non-specialists say how her work has opened up the passion of one of the world's least sexy professions to them. And yes there are so many "thank you" and "I want" commentaries, so much of what I would call "fan mail", that it took me a bit to find an online library carrying both works. And yes, at ~US$50 each, I do intend to buy them. Now, why am I writing this today? Well, yes, because I finished listening to the series today, but besides During this year, most of Latin American countries conmemorate their 200 years of existence. Most of the independentist struggles in the continent started in 1809-1810. And today is the "partying" day in Mexico Says the legend that in the night between September 15 and 16, 1810, a priest who is always painted as old and charismatic called on his small town urging the people to rise and fight for independence, and as a result of that, only 11 years later Mexico was a fully independent country, spanning from Costa Rica to California, and... well, a nice and very idealized myth. A century later, in 1910, after a very long stability and growth period (attained mostly through repression, the same abstract thing named as "the people" rose against the dictator Porfirio D az, who had been Mexico's president for 30 years. The revolution deeply changed the social face of the country, but politically... After ~15 years of fighting, the result was that a 30 year long dictatorship was replaced by a 70 year long one... And our political system still has not evolved beyond that model. Now, comparing what has not improved nor even stayed the same but went backwards... A century ago, the festivities of the hundred years of independence were a time for showing pride, for showing to the guests from more "civilized" countries how ours was by then a modern, thriving country worth believing in, worth investing in: Besides the important, majestic and well built monuments that were erected and still stand today (i.e. the Column of the Independence or Hemiciclo a Ju rez, many institutions that would socially shape the next century even after D az's death, even after he had been declared not the role model we wanted after all were born: The National University (nowadays the most important university in Latin America), the National School for Professors, the Railroad Technical School and many others (see Javier Aranda's note for some more details)... The celebration was well-thought and planned. Of course, it didn't go into some darker corners, the country was as uneven and unfair as it can be for the poorer indigenous population (which back then was a majority), and what not. But this year? Well, we are expecting an impressive show tonight (which I won't see, even though I'd like to, as I no longer have a TV and even if I had wanted to go downtown for the celebration, different government branches are insisting we should just sit and watch it by TV at home as it can be too crowded... so not even that was well thought out Of course not every Mexican can go to the same square and see the same de-facto president do the ritual, but some more redundancy could be thought, spreading acts through all of the city instead of concentrating the festivities all along Reforma. But anyway Leaving aside our current de-facto ruler's inabilities to do anything worthy, which are already well known and documented... I took this opportunity to listen to a great work, and am most happy to do it, and to be able to share it with you.

As reported earlier, the last few days I have looked at how Debian Edu clients are configured, and tried to get rid of all hardcoded configuration settings on the clients. I believe the work to be mostly done, and the clients seem to work just fine with dynamically generated configuration. What is the point, you might ask? The point is to allow a Debian Edu desktop to integrate into an existing network infrastructure without any manual configuration. This is what happens when installing a Debian Edu client here at the University of Oslo using PXE. With the PXE installation, I am asked for language (Norwegian Bokm l), locality (Norway) and keyboard layout (no-latin1), Debian Edu profile (Roaming Workstation), if I accept to reformat the hard drive (yes), if I want to submit info to popcon.debian.org (no) and root password (secret). After answering these questions, the installer goes ahead and does its thing, and after around 50 minutes it is done. I press enter to finish the installation, and the machine reboots into KDE. When the machine is ready and kdm asks for login information, I enter my university username and password, am told by kdm that a local home directory has been created and that I must log in again, and finally log in with the same username and password to the KDE 4.4 desktop. At no point during this process did it ask for university specific settings, and all the required configuration was dynamically detected using information fetched via DHCP and DNS. The roaming workstation is now ready for use. How was this done, you might wonder? First of all, here is the list of things that need to be configured on the client to get it working properly out of the box:

• IP address/netmask and DNS server.
• Web proxy URL.
• LDAP server for NSS directory information (user, group, etc).
• Kerberos server for PAM password checking.
• SMB mount point to access the network home directory. (*)
• Central syslog server to send syslog messages to. (*)
• Sitesummary collector URL to submit info to central server. (*)

(Hm, did I forget anything? Let me knew if I did.) The points marked (*) are not required to be able to use the machine, but needed to provide central storage and allowing system administrators to track their machines. Since yesterday, everything but the sitesummary collector URL is dynamically discovered at boot and installation time in the svn version of Debian Edu. The IP and DNS setup is fetched during boot using DHCP as usual. When a DHCP update arrives, the proxy setup is updated by looking for http://wpat/wpad.dat and using the content of this WPAD file to configure the http and ftp proxy in /etc/environment and /etc/apt/apt.conf. I decided to update the proxy setup using a DHCP hook to ensure that the client stops using the Debian Edu proxy when it is moved outside the Debian Edu network, and instead uses any local proxy present on the new network when it moves around. The DNS names of the LDAP, Kerberos and syslog server and related configuration are generated using DNS information at boot. First the installer looks for a host named ldap in the current DNS domain. If not found, it looks for _ldap._tcp SRV records in DNS instead. If an LDAP server is found, its root DSE entry is requested and the attributes namingContexts and defaultNamingContext are used to determine which LDAP base to use for NSS. If there are several namingContexts attibutes and the defaultNamingContext is present, that LDAP subtree is used as the base. If defaultNamingContext is missing, the subtrees listed as namingContexts are searched in sequence for any object with class posixAccount or posixGroup, and the first one with such an object is used as the LDAP base. For Kerberos, a similar search is done by first looking for a host named kerberos, and then for the _kerberos._tcp SRV record. I've been unable to find a way to look up the Kerberos realm, so for this the upper case string of the current DNS domain is used. For the syslog server, the hosts syslog and loghost are searched for, and the _syslog._udp SRV record is consulted if no such host is found. This algorithm works for both Debian Edu and the University of Oslo. A similar strategy would work for locating the sitesummary server, but have not been implemented yet. I decided to fetch and save these settings during installation, to make sure moving to a different network does not change the set of users being allowed to log in nor the passwords required to log in. Usernames and passwords will be cached by sssd when the user logs in on the Debian Edu network, and will not change as the laptop move around. For a non-roaming machine, there is no caching, but given that it is supposed to stay in place it should not matter much. Perhaps we should switch those to use sssd too? The user's SMB mount point for the network home directory is located when the user logs in for the first time. The LDAP server is consulted to look for the user's LDAP object and the sambaHomePath attribute is used if found. If it isn't found, the home directory path fetched from NSS is used instead. Assuming the path is of the form /site/server/directory/username, the second part is looked up in DNS and used to generate a SMB URL of the form smb://server.domain/username. This algorithm works for both Debian edu and the University of Oslo. Perhaps there are better attributes to use or a better algorithm that works for more sites, but this will do for now. :) This work should make it easier to integrate the Debian Edu clients into any LDAP/Kerberos infrastructure, and make the current setup even more flexible than before. I suspect it will also work for thin client servers, allowing one to easily set up LTSP and hook it into a existing network infrastructure, but I have not had time to test this yet. If you want to help out with implementing these things for Debian Edu, please contact us on debian-edu@lists.debian.org. Update 2010-08-09: Simon Farnsworth gave me a heads-up on how to detect Kerberos realm from DNS, by looking for _kerberos TXT entries before falling back to the upper case DNS domain name. Will have to implement it for Debian Edu. :)

A few days ago, I tried to install a Roaming workation profile from Debian Edu/Squeeze while on the university network here at the University of Oslo, and noticed how much had to change to get it operational using the university infrastructure. It was fairly easy, but it occured to me that Debian Edu would improve a lot if I could get the client to connect without any changes at all, and thus let the client configure itself during installation and first boot to use the infrastructure around it. Now I am a huge step further along that road. With our current squeeze-test packages, I can select the roaming workstation profile and get a working laptop connecting to the university LDAP server for user and group and our active directory servers for Kerberos authentication. All this without any configuration at all during installation. My users home directory got a bookmark in the KDE menu to mount it via SMB, with the correct URL. In short, openldap and sssd is correctly configured. In addition to this, the client look for http://wpad/wpad.dat to configure a web proxy, and when it fail to find it no proxy settings are stored in /etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is configured to look for the same wpad configuration and also do not use a proxy when at the university network. If the machine is moved to a network with such wpad setup, it would automatically use it when DHCP gave it a IP address. The LDAP server is located using DNS, by first looking for the DNS entry ldap.$domain. If this do not exist, it look for the _ldap._tcp.$domain SRV records and use the first one as the LDAP server. Next, it connects to the LDAP server and search all namingContexts entries for posixAccount or posixGroup objects, and pick the first one as the LDAP base. For Kerberos, a similar algorithm is used to locate the LDAP server, and the realm is the uppercase version of $domain. So, what is not working, you might ask. SMB mounting my home directory do not work. No idea why, but suspected the incorrect Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be the cause. These are not properly configured during installation, and had to be hand-edited to get the correct Kerberos realm and server, but SMB mounting still do not work. :( With this automatic configuration in place, I expect a Debian Edu roaming profile installation would be able to automatically detect and connect to any site using LDAP and Kerberos for NSS directory and PAM authentication. It should also work out of the box in a Active Directory environment providing posixAccount and posixGroup objects with UID and GID values. If you want to help out with implementing these things for Debian Edu, please contact us on debian-edu@lists.debian.org.

The new roaming workstation profile in Debian Edu/Squeeze is fairly similar to the laptop setup am I working on using Ubuntu for the University of Oslo, and just for the heck of it, I tested today how hard it would be to integrate that profile into the university infrastructure. In this case, it is the university LDAP server, Active Directory Kerberos server and SMB mounting from the Netapp file servers. I was pleasantly surprised that the only three files needed to be changed (/etc/sssd/sssd.conf, /etc/ldap.conf and /etc/mklocaluser.d/20-debian-edu-config) and one file had to be added (/usr/share/perl5/Debian/Edu_Local.pm), to get the client working. Most of the changes were to get the client to use the university LDAP for NSS and Kerberos server for PAM, but one was to change a hard coded DNS domain name in the mklocaluser hook from .intern to .uio.no. This testing was so encouraging, that I went ahead and adjusted the Debian Edu scripts and setup in subversion to centralise the roaming workstation setup a bit more and avoid the hardcoded DNS domain name, so that when I test this tomorrow, I expect to get away with modifying only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the university servers. My goal is to get the clients to have no hardcoded settings and fetch all their initial setup during installation and first boot, to allow them to be inserted also into environments where the default setup in Debian Edu has been changed or as with the university, where the environment is different but provides the protocols Debian Edu uses.

I just posted this announcement culminating several months of work with the next Debian Edu release. Not nearly done, but one major step completed.

This is the first test release based on Squeeze. The focus of this release is to test the user application selection. To have a look, install the standalone profile and let the developers know if the set of installed packages i.e. applications should be modified. If some user application is missing, or if there are some applications that no longer make sense to be included in Debian Edu, please let us know. Also, if a useful application is missing the translation for your language of choice, please let us know too. In addition, feedback and help to polish the desktop (menus, artwork, starters, etc.) is appreciated. We would like to ship a nice and handy KDE4 desktop targeted for schools out of the box. The other profiles should be installable, but there is a lot more work left to be done before they are ready, so do not expect to much. Changes compared to the lenny based version

• Everything from Debian Squeeze
  • Desktop environment KDE 4.4 => the new KDE desktop in combination with some new artwork
  • Web browser Iceweasel 3.5
  • OpenOffice.org 3.2
  • Educational toolbox GCompris 9.3
  • Music creator Rosegarden 10.04.2
  • Image editor Gimp 2.6.10
  • Virtual universe Celestia 1.6.0
  • Virtual stargazer Stellarium 0.10.4
  • 3D modeler Blender 2.49.2 (new application)
  • Video editor Kdenlive 0.7.7 (new application)
• Now using Kerberos for password checking (migration not finished). Enabled for:
  • PAM
  • LDAP
  • IMAP
  • SMTP (sender verification)
• New experimental roaming workstation profile for laptops.
• Show welcome page to users when they first log in. The URL is fetched from LDAP.
• New LXDE desktop option, in addition to KDE (default) and Gnome.
• General cleanup (not finished)

The following features are not working as they should

• No web based administration tool for creating users and groups. The scripts ldap-createuser-krb and ldap-add-user-to-group can be used for testing.
• DVD installs are missing debian-installer images for the PXE boot, and do not set up the PXE menu on eth0 because of this. LTSP clients should still boot from eth1 on thin client servers.
• The restructured KDE menu is not implemented.
• The LDAP server setup need to be reviewed for security.
• The LDAP directory structure need to be reworked.
• Different sets of packages are installed when using the DVD and the netinst CD. More packages are installed using the netinst CD.
• The jackd package fail to install. This is believed to be caused by some ongoing transition, and hopefully should be solved soon. The jackd1 package can be installed manually for those that need it.
• Some packages lack translations. See http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, and help out with translations.

To download this multiarch netinstall release you can use

• ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso
• http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso
• rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso

To download this multiarch dvd release you can use

• ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso
• http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso
• rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso

There is no source DVD available yet. It will be prepared when we get closer to the final release. The MD5SUM of these images are

• 3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso
• 22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso

The SHA1SUM of these images are

• c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso
• 2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso

How to report bugs: http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla Please direct replies to debian-edu@lists.debian.org

The last few months me and the other Debian Edu developers have been working hard to get the Debian/Squeeze based version of Debian Edu/Skolelinux into shape. This future version will use Kerberos for authentication, and services are slowly migrated to single signon, getting rid of password questions one at the time. It will also feature a roaming workstation profile with local home directory, for laptops that are only some times on the Skolelinux network, and for this profile a shortcut is created in Gnome and KDE to gain access to the users home directory on the file server. This shortcut uses SMB at the moment, and yesterday I had time to test if SMB mounting had started working in KDE after we added the cifs-utils package. I was pleasantly surprised how well it worked. Thanks to the recent changes to our samba configuration to get it to use Kerberos for authentication, there were no question about user password when mounting the SMB volume. A simple click on the shortcut in the KDE menu, and a window with the home directory popped up. :) One step closer to a single signon solution out of the box in Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now also Samba. Next step is Cups and hopefully also NFS. We had planned a alpha0 release of Debian Edu for today, but thanks to the autobuilder administrators for some architectures being slow to sign packages, we are still missing the fixed LTSP package we need for the release. It was uploaded three days ago with urgency=high, and if it had entered testing yesterday we would have been able to test it in time for a alpha0 release today. As the binaries for ia64 and powerpc still not uploaded to the Debian archive, we need to delay the alpha release another day. If you want to help out with implementing Kerberos for Debian Edu, please contact us on debian-edu@lists.debian.org.

For a laptop, centralized user directories and password checking is a bit troubling. Laptops are typically used also when not connected to the network, and it is vital for a user to be able to log in or unlock the screen saver also when a central server is unavailable. This is possible by caching passwords and directory information (user and group attributes) locally, and the packages to do so are available in Debian. Here follow two recipes to set this up in Debian/Squeeze. It is also possible to set up in Debian/Lenny, but require more manual setup there because pam-auth-update is missing in Lenny. LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir This is the traditional method with a twist. The password caching is provided by libpam-ccreds (version 10-4 or later is needed on Squeeze), and the directory caching is done by nscd. The directory lookup and password checking is done using LDAP. If one want to use Kerberos for password checking the libpam-ldapd package can be replaced with libpam-krb5 or libpam-heimdal. If one is happy having a local home directory with the path listed in LDAP, one can use the pam_mkhomedir module from pam-modules to make this happen instead of using libpam-mklocaluser. A setup for pam-auth-update to enable pam_mkhomedir will have to be written until a fix for bug #568577 is in the archive. Because I believe it is a bad idea to have local home directories using misleading paths like /site/server/partition/, I prefer to create a local user with the home directory in /home/. This is done using the libpam-mklocaluser package. These packages need to be installed and configured

libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser

The ldapd packages will ask for LDAP connection information, and one have to fill in the values that fits ones own site. Make sure the PAM part uses encrypted connections, to make sure the password is not sent in clear text to the LDAP server. I've been unable to get TLS certificate checking for a self signed certificate working, which make LDAP authentication unsafe for Debian Edu (nslcd is not checking if it is talking to the correct LDAP server), and very much welcome feedback on how to get this working. Because nscd do not have a default configuration fit for offline caching until bug #485282 is fixed, this configuration should be used instead of the one currently in /etc/nscd.conf. The changes are in the fields reload-count and positive-time-to-live, and is based on the instructions I found in the LDAP for Mobile Laptops instructions by Flyn Computing.

	debug-level		0
	reload-count		unlimited
	paranoia		no
	enable-cache		passwd		yes
	positive-time-to-live	passwd		2592000
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes
	enable-cache		group		yes
	positive-time-to-live	group		2592000
	negative-time-to-live	group		20
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes
	enable-cache		hosts		no
	positive-time-to-live	hosts		2592000
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432
	enable-cache		services	yes
	positive-time-to-live	services	2592000
	negative-time-to-live	services	20
	suggested-size		services	211
	check-files		services	yes
	persistent		services	yes
	shared			services	yes
	max-db-size		services	33554432

While we wait for a mechanism to update /etc/nsswitch.conf automatically like the one provided in bug #496915, the file content need to be manually replaced to ensure LDAP is used as the directory service on the machine. /etc/nsswitch.conf should normally look like this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap

The important parts are that ldap is listed last for passwd, group, shadow and netgroup. With these changes in place, any user in LDAP will be able to log in locally on the machine using for example kdm, get a local home directory created and have the password as well as user and group attributes cached. LDAP/Kerberos + nss-updatedb + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir Because nscd have had its share of problems, and seem to have problems doing proper caching, I've seen suggestions and recipes to use nss-updatedb to copy parts of the LDAP database locally when the LDAP database is available. I have not tested such setup, because I discovered sssd. LDAP/Kerberos + sssd + libpam-mklocaluser A more flexible and robust setup than the nscd combination mentioned earlier that has shown up recently, is the sssd package from Redhat. It is part of the FreeIPA project to provide a Active Directory like directory service for Linux machines. The sssd system combines the caching of passwords and user information into one package, and remove the need for nscd and libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version 1.2 do not support netgroups, but it is said that it will support this in version 1.5 expected to show up later in 2010. Because the sssd package was missing in Debian, I ended up co-maintaining it with Werner, and version 1.2 is now in testing. These packages need to be installed and configured to get the roaming setup I want

libpam-sss libnss-sss libpam-mklocaluser

The complete setup of sssd is done by editing/creating /etc/sssd/sssd.conf.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/INTERN]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap
ldap_search_base = dc=skole,dc=skolelinux,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

I got the same problem here with certificate checking. Had to set "ldap_tls_reqcert = never" to get it working. With the libnss-sss package in testing at the moment, the nsswitch.conf file is update automatically, so there is no need to modify it manually. If you want to help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.

Funny how life brings those A-HA moments in the least probable of circumstances. Take my career's development, for instance. I'm currently taking a training to become a government bureaucrat. During this training, each student goes through a thorough skill assessment to help the trainer select an appropriate training place in some government office. Asides from covering the obvious aspects of formal education and employment history, we also reviewed achievements and accumulated skills. My A-HA moment came as a result of our trainer asking me to completely rewrite my CV to match some known template. Additionally, she requested that I emphasize my technology background more. I countered by pointing out that the word "technology" tends to mean "engineer" to the average employer and yet I've have always been in Product Management or Business Development, which are more Sales-oriented roles than anything else, hence why I emphasize the Sales aspect and deflate the technology aspect in my CV. Still, while she conceded that difference in emphasis, she insisted that having worked in technology probably influenced my skills or my preferred workflow in one way or another. At the moment, I simply could not think of how it might have. Boy, was I wrong! Where do I begin? First of all, it dawned onto me that I simply cannot claim to know Microsoft Office anymore. Until recently, my Open Office skills were easily applicable to Microsoft Office, because Open Office borrowed a lot of concepts from its Microsoft counterpart. However, following the recent redesign of Microsoft Office, I found that I cannot navigate my way around Microsoft Word's menus anymore. While this new user interface paradigm indeed removes a lot of clutter, it also hides too many features in less than obvious places, which resulted in me concluding that I simply have to downgrade my Microsoft Office skills to medium. Given the progressive conversion of several Finnish agencies and ministries to Open Office, I'm not in such an uncomfortable position but, then again, other agencies and ministries fiercely cling on to their Microsoft licenses and have recently upgraded them. As such, should my practical training take place in one of those offices, I would essentially be unable to perform at my job. Redeeming factor: a friend who only knows Microsoft products faced similar frustrations last year when she got back from her summer vacations, after she realized that their network administrator had upgraded her workstation. It took her the whole autumn before she felt comfortable using Word again. Another aspect of working in Free Software that influences my workflow: telecommuting and teleworking. As anyone working on Free Software projects knows, teams tend to be distributed around the globe, which means that there's always someone somewhere pushing a commit or answering bug reports, at any given time of the day. Simultaneously, work quickly becomes location-independent and flexible schedules are the norm; whatever and wherever works for a given developer, as long as the work gets done. Without anyone really noticing, this work methodology has permeated the whole technology ecosystem, even at fortune-500 companies. Employees come in and out of the office at whichever time suits them, while others choose to work from home and only show up whenever face-to-face meetings are called. Others even adopt a nomad lifestyle, constantly roaming the globe for adventures and connecting to the office network via VPN, from the comfort of their hotel room or from a friend's couch, on the other side of the globe. In my case, having twice worked for Estonian companies while living in Finland, it meant taking the ferry twice a week to visit the office. This brought in more benefits than one might initially think: first of all, the quick walk between the metro station and the harbor in Helsinki meant that I arrived on the ferry with blood pumping adrenaline and fully alert. Being on the ferry gave me 2 hours of quiet time to grab my first coffee and plan my day. Getting out of the ferry in Tallinn meant another quick walk, this time between the harbor and the tramway. By the time I arrived at the office, I had exercised twice and planned all my workday. It's probably the most productive that I've ever been in my whole career. Additionally, I was frequently on the road, meeting customers and following on sales leads, which meant that I got to close many deals using my laptop in my hotel room. As our CEO used to joke, "I have no idea where in the world Martin- ric is today but, just as long as the purchase orders keep on pouring in, it's all the same to me." As a result of this reflexion, I had to explain to our trainer why I am extremely well-suited to government jobs that require a lot of traveling and where Free Software is used on the desktop and, vice-versa, extremely unsuited to back-office jobs where whatever Microsoft products of the day are the norm. I've had to put particular emphasis on what Open Office is all about, because many homeworks were supposed to be submitted in Microsoft Word format. While Writer indeed offers the option to import and export Microsoft formats, it doesn't come with any WYSIWYG guarantee, which is why I took on the habit of sending her PDF documents. Sadly, this did not always work out so well, especially in cases where the intention was to forward selected parts of a document to third-parties. Conclusion: working in the Free Software industry, even in non-engineering roles, indeed has a strong influence on someone's choice of methodology, tools and workflow. In some cases, it can even disqualify someone from making certain career choices. Who would have thought?

Today, the last piece of the puzzle for roaming laptops in Debian Edu finally entered the Debian archive. Today, the new libpam-mklocaluser package was accepted. Two days ago, two other pieces was accepted into unstable. The pam-python package needed by libpam-mklocaluser, and the sssd package passed NEW on Monday. In addition, the libpam-ccreds package we need is in experimental (version 10-4) since Saturday, and hopefully will be moved to unstable soon. This collection of packages allow for two different setups for roaming laptops. The traditional setup would be using libpam-ccreds, nscd and libpam-mklocaluser with LDAP or Kerberos authentication, which should work out of the box if the configuration changes proposed for nscd in BTS report #485282 is implemented. The alternative setup is to use sssd with libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take care of the caching of passwords and group information. I have so far been unable to get sssd to work with the LDAP server at the University, but suspect the issue is some SSL/GnuTLS related problem with the server certificate. I plan to update the Debian package to version 1.2, which is scheduled for next week, and hope to find time to make sure the next release will include both the Debian/Ubuntu specific patches. Upstream is friendly and responsive, and I am sure we will find a good solution. The idea is to set up the roaming laptops to authenticate using LDAP or Kerberos and create a local user with home directory in /home/ when a usre in LDAP logs in via KDM or GDM for the first time, and cache the password for offline checking, as well as caching group memberhips and other relevant LDAP information. The libpam-mklocaluser package was created to make sure the local home directory is in /home/, instead of /site/server/directory/ which would be the home directory if pam_mkhomedir was used. To avoid confusion with support requests and configuration, we do not want local laptops to have users in a path that is used for the same users home directory on the home directory servers. One annoying problem with gdm is that it do not show the PAM message passed to the user from libpam-mklocaluser when the local user is created. Instead gdm simply reject the login with some generic message. The message is shown in kdm, ssh and login, so I guess it is a bug in gdm. Have not investigated if there is some other message type that can be used instead to get gdm to also show the message. If you want to help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.

For some years now, I have wondered how we should handle laptops in Debian Edu. The Debian Edu infrastructure is mostly designed to handle stationary computers, and less suited for computers that come and go. Now I finally believe I have an sensible idea on how to adjust Debian Edu for laptops, by introducing a new profile for them, for example called Roaming Workstations. Here are my thought on this. The setup would consist of the following:

• During installation, the user name of the owner / primary user of the laptop is requested and a local home directory is set up for the user, with uid and gid information fetched from the LDAP server. This allow the user to work also when offline. The central home directory can be available in a subdirectory on request, for example mounted via CIFS. It could be mounted automatically when a user log in while on the Debian Edu network, and unmounted when the machine is taken away (network down, hibernate, etc), it can be set up to do automatic mounting on request (using autofs), or perhaps some GUI button on the desktop can be used to access it when needed. Perhaps it is enough to use the fish protocol in KDE?
• Password checking is set up to use LDAP or Kerberos authentication when the machine is on the Debian Edu network, and to cache the password for offline checking when the machine unable to reach the LDAP or Kerberos server. This can be done using libpam-ccreds or the Fedora developed System Security Services Daemon packages.
• File synchronisation with the central home directory is set up using a shared directory in both the local and the central home directory, using unison.
• Printing should be set up to print to all printers broadcasting their existence on the local network, and should then work out of the box with CUPS. For sites needing accurate printer quotas, some system with Kerberos authentication or printing via ssh could be implemented.
• For users that should have local root access to their laptop, sudo should be used to allow this to the local user.
• It would be nice if user and group information from LDAP is cached on the client, but given that there are entries for the local user and primary group in /etc/, it should not be needed.

I believe all the pieces to implement this are in Debian/testing at the moment. If we work quickly, we should be able to get this ready in time for the Squeeze release to freeze. Some of the pieces need tweaking, like libpam-ccreds should get support for pam-auth-update (#566718) and nslcd (or perhaps debian-edu-config) should get some integration code to stop its daemon when the LDAP server is unavailable to avoid long timeouts when disconnected from the net. If we get Kerberos enabled, we need to make sure we avoid long timeouts there too. If you want to help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.

Several months ago, around the Central American Free Software Encounter (ECSL) in Estel , Nicaragua, I started stirring the waters The Central American regions have vibrant, beautiful Free Software communities, but have mostly (with some very notable examples, of course) shied away from being active participants in major development projects. What was I to do about it? Of course, try to get them to become Debian contributors! During the following weeks, I talked about it with several friends from the region, and the result was an announcement and lots of arguments that followed it. Panam was decided as the host country, and many people have put a lot of work into making the MiniDebConf happen. Mauro Rosero and Anto Recio came up with what appears to be a wonderful local venue and a set of sponsored amenities, and the Debian project is sponsoring what is needed in terms of transportation for people from the whole region (spanning from Mexico to Ecuador and Venezuela IIRC). I am very sorry, however, that I cannot attend this meeting. This very same weekend, I will fly three hours, but in the opposite direction: I will go to Tijuana, where fate decided I will present my first round of CENEVAL equivalence exams (Acuerdo 286 Licenciatura). I expect that to be the topic of another post, to come soon. So, while my friends will be having a good time and talking about Debian and group work, I will sit through three periods of four hours, answering an exam for the first time in a very long time. Fun, hah? Anyway, I will meet Guillermo Amaral (thanks for hosting me! ;-) ), which ensures I will not miss all of the fun ;-)

I have just installed an old Three mobile phone with 3G broadband for my parents home network access for the reasons described in my cheap net access in Australia post [1]. The first problem I had was that the pre-paid Three SIM just wouldn t work at all. I ended up phoning the Three support line and had a guy guess at which version of Windows I was running, after guessing every version of Windows from the last 10 years and Mac OS/X he finally asked what OS I use and then told me that Linux isn t supported. I said I HAVE TWO SIMS FROM THREE, ONE WORKS AND THE OTHER DOESN T, IT S ON THE SAME PC WITH THE SAME 3G ACCESS DEVICE, THE PROBLEM IS WITH THE SIM OR THE SERVER NOT MY OS . When the support guy discovered that one sim was pre-paid he said that there is a configuration difference, instead of an APN of 3netaccess for post-paid (contract) you have to use 3services for pre-paid. There are a bunch of web pages describing how to get Three 3G broadband working on Linux in Australia, some say to use 3netaccess and some say 3services. None of the pages I read stated correctly that 3netaccess is for when you are on a contract and 3services is for pre-paid. I ve submitted a suggestion for the Ross Barkman s GPRS Info Page (which seems to be the best reference for such things) [2]. After getting the pre-paid 3G SIM working for net access from the Huawei E1553 USB 3G modem I was unable to get it working from my LG U890 mobile phone. I never figured out how to solve this problem, I left my parents with the SIM that is connected to my $15 per month contract plan for 3G net access and am now using the pre-paid SIM for my own use. Of course this means that as I m using a SIM registered to my mother and she s using one registered to me I ll surely have some problems getting the support center to help me with problems in future. I found that the 3G net access got better reception when the phone was higher than the computer, so I used a USB extension cable to allow it to be placed on a shelf above the computer. The extension cable also allows it to be easily unplugged and plugged in again I ve already seen one situation where Linux got confused about the state of the USB device and replugging it was necessary to solve the problem. I was using Debian/Lenny. Here is my chatscript for connecting to Three with my 3G modem on a pre-paid SIM which also allows roaming to Telstra (I haven t tested whether pre-paid allows roaming, I ve only tested Telstra roaming with a contract SIM): ABORT 'BUSY'
ABORT 'NO CARRIER'
ABORT 'ERROR'
'' AT
OK ATQ0V1E1S0=0&C1&D2+FCLASS=0
OK 'AT+COPS=0,0,"3TELSTRA",2'
OK AT+CGATT=1
#OK AT+CGDCONT=1,"IP","3netaccess"
OK AT+CGDCONT=1,"IP","3services"
OK ATDT*99**3# Here is the ppp configuration for connecting via the USB 3G modem. For use as a permanent connection you want to also include persist and maxfail 0 :
/dev/ttyUSB0
230400
noauth
defaultroute
logfile /var/log/ppp.log
connect "/usr/sbin/chat -v -f /etc/chatscripts/three" For connecting with an LG U890 mobile phone you need to use ATDT*99***1# as the dial command and the device is /dev/ttyACM0 .

• [1] http://etbe.coker.com.au/2010/01/15/cheap-net-access-australia/
• [2] http://www.taniwha.org.uk/gprs.html

So a few years ago I got stuck with no health insurance as I had a fellowship that had for its history accepted professors (with health insurance) not fresh off the boat PhDs as was the case with me. Since I was at a Large State school it was nearly impossible for me to get insurance and finally I ended up paying 400 a month and getting a whole lot of headache. In many ways my ordeal was a fluke following a change of policy and this fellowship now provides insurance to its postdocs. Increasingly, however, it seems like a number of postdoctoral fellowships shirk from their duties and don t provide a drop of health insurance. Given the academic job market, many academics don t have any choice but to accept these positions and if they don t come with insurance, well then these folks are shelling out thousands upon thousands of dollars for basic, really lousy, coverage. Given that universities for the most part have decent, even in some cases kick ass insurance, with a large pool of people, shutting postdocs out of their pool is.. gross and just plain wrong. One of my fellow friends, currently on the market and currently screwed by her last postdoc wrote up a short document (aka Academic Labor Hall of Shame) and I thought I would post it here as it gets to the heart of the issues and starts shaming some of these shameful universities. If you know of other postdoctoral positions that don t offer insurance, please please leave a comment. We will include it in the hall of shame. Academic Labor Hall of Shame Universities like to promote themselves as bastions of enlightenment, but their treatment of temporary and hidden employees is often anything but enlightened. Or progressive. Or fair. 1. Postdoctoral fellows and researchers: There is a growing trend towards classing postdocs as not employees . I learned this recently when I was laid off from postdoctoral position at the University of Pennsylvania. I planned to extend my health insurance through COBRA, which is currently federally subsidized for workers who lost their jobs during the financial crisis. I was shocked when Penn initially claimed that I was not eligible for the subsidy (made available through the American Recovery and Reinvestment Act of 2009, the so-called stimulus act ). Their reason was that postdocs were not classed by Penn as employees. I appealed this with the Office of General Counsel and after a few weeks was told that I was indeed eligible, as Penn had found an inconsistency in [their] policy for certain categories of post docs between tax treatment and the availability of COBRA/ARRA . This means that while I am in fact eligible for this subsidy, postdocs paid through many other classes of grants are still not. If you want to see an example of this process of sorting some postdocs into not employee status, here is another one:
Postdocs on training grants or on individual fellowships (roughly 25% of VUMC postdocs) receive a stipend and are specifically excluded from the employee classification. They do not pay FICA and do not receive employee benefits. Their health insurance is provided and purchased separately. [by whom?] Even if Vanderbilt does in this case make provisions for these postdocs to receive health insurance, there is abundant evidence that some postdocs are outright excluded, as in this example at Stanford:
Stanford makes no provision for fellows to purchase health insurance, and the Institute will not provide medical insurance or other benefits. External fellows must bring their own medical coverage with them or purchase an individual plan during their stay in California. This is also quite apparent when you look into the outfits that profit from selling health insurance to postdocs (because their universities don t provide them any):
http://www.garnett-powers.com/npa/ Also, take a look at the policy they and you ll note that it stinks: it excludes such luxuries as preventive care, birth control, and chemotherapy. I m not making this up:
http://www.garnett-powers.com/npa/summary.pdf

So a few years ago I got stuck with no health insurance as I had a fellowship that had for its history accepted professors (with health insurance) not fresh off the boat PhDs as was the case with me. Since I was at a Large State school it was nearly impossible for me to get insurance and finally I ended up paying 400 a month and getting a whole lot of headache. In many ways my ordeal was a fluke following a change of policy and this fellowship now provides insurance to its postdocs. Increasingly, however, it seems like a number of postdoctoral fellowships shirk from their duties and don t provide a drop of health insurance. Given the academic job market, many academics don t have any choice but to accept these positions and if they don t come with insurance, well then these folks are shelling out thousands upon thousands of dollars for basic, really lousy, coverage. Given that universities for the most part have decent, even in some cases kick ass insurance, with a large pool of people, shutting postdocs out of their pool is.. gross and just plain wrong. One of my fellow friends, currently on the market and currently screwed by her last postdoc wrote up a short document (aka Academic Labor Hall of Shame) and I thought I would post it here as it gets to the heart of the issues and starts shaming some of these shameful universities. If you know of other postdoctoral positions that don t offer insurance, please please leave a comment. We will include it in the hall of shame. Academic Labor Hall of Shame Universities like to promote themselves as bastions of enlightenment, but their treatment of temporary and hidden employees is often anything but enlightened. Or progressive. Or fair. 1. Postdoctoral fellows and researchers: There is a growing trend towards classing postdocs as not employees . I learned this recently when I was laid off from postdoctoral position at the University of Pennsylvania. I planned to extend my health insurance through COBRA, which is currently federally subsidized for workers who lost their jobs during the financial crisis. I was shocked when Penn initially claimed that I was not eligible for the subsidy (made available through the American Recovery and Reinvestment Act of 2009, the so-called stimulus act ). Their reason was that postdocs were not classed by Penn as employees. I appealed this with the Office of General Counsel and after a few weeks was told that I was indeed eligible, as Penn had found an inconsistency in [their] policy for certain categories of post docs between tax treatment and the availability of COBRA/ARRA . This means that while I am in fact eligible for this subsidy, postdocs paid through many other classes of grants are still not. If you want to see an example of this process of sorting some postdocs into not employee status, here is another one:
Postdocs on training grants or on individual fellowships (roughly 25% of VUMC postdocs) receive a stipend and are specifically excluded from the employee classification. They do not pay FICA and do not receive employee benefits. Their health insurance is provided and purchased separately. [by whom?] Even if Vanderbilt does in this case make provisions for these postdocs to receive health insurance, there is abundant evidence that some postdocs are outright excluded, as in this example at Stanford:
Stanford makes no provision for fellows to purchase health insurance, and the Institute will not provide medical insurance or other benefits. External fellows must bring their own medical coverage with them or purchase an individual plan during their stay in California. This is also quite apparent when you look into the outfits that profit from selling health insurance to postdocs (because their universities don t provide them any):
http://www.garnett-powers.com/npa/ Also, take a look at the policy they and you ll note that it stinks: it excludes such luxuries as preventive care, birth control, and chemotherapy. I m not making this up:
http://www.garnett-powers.com/npa/summary.pdf

Since today for kfreebsd-amd64, and probably tomorrow for kfreebsd-i386 too, the gnome metapackage is installable on Debian GNU/kFreeBSD. In the end, this should hopefully give a fully functional desktop for these brand new architectures (to be included in the Squeeze release), with a few notable exceptions:

• no power management support (DeviceKit-Power needs porting);
• no roaming/wireless support (no support for libiw);
• no Bluetooth support (insufficient support in the FreeBSD kernel);
• no webcam support (no existing kernel API).

Apart from that, everything is supposed to work. So, if you want this to mean something, what we need now is some people to test the whole thing and find out if it actually does. Do you feel like helping? Install Debian GNU/kFreeBSD on your favorite virtual machine, upgrade it to the latest sid version, and apt-get install gnome. For everything that s not as enjoyable as it should be, report bugs.

Sigh I am starting to fill up my annual report for my real-life work. You know, that chore you must do every year where you score little bullets next to each completed project and talk well about yourself. For my workplace, fortunately, I do not have to lie and convince people I am worth rehiring - As this year I achieved definitividad as a T cnico Acad mico Asociado C de Tiempo Completo at my University, I can say for sure I have long-term job safety. UNAM is the best place for me to work, and I am most grateful Even if I do want to advance for the future, even though I would strongly like at some point to start working in a real academic position My job is mostly operative, limited to keeping things running smoothly in our network and servers. I work in a social sciences (Economics) research institute, and even though I have taken on an interesting project that is viewed from the social sciences I do expect to finish with a very interesting product in the near future, my interest lies in computing as a science. Anyway, back on track This is the time of year to start evaluating many things, many factors, from many different sides. And yes, for me that involves measuring how am I faring in my involvement in the projects I most care about Specifically, Debian, but also several other Free Software projects, even if my involvement in them is mostly organizational. I am once again going through a tough period in my personal life, and the impact it carries is obviously deep. However, I am not fond of finding excuses for my underachievement or underperformance. And that's what I feel now. Even more when I see posts such as Zack's and Tim's status updates, and when I see that we continue to be on a history-high streak of RC bugs. Regarding the several teams I am (at least formally) involved with in Debian, I have been away from the pkg-perl group for far too long... It is still my first group when it comes to identifying myself with - Both as on a personal level, as I consider them as good friends and great people to work with, and I do feel the responsability to share the load with them, as maintaining >1300 packages (even if they are so highly regular) is just not an easy task. But for over a year, my involvement has been basically zero. I have been a bit more active on pkg-ruby-extras, maybe paradoxically as it is a smaller team and with less packages (as I know it is much less probable for somebody to keep my packages in adequate shape if I don't do it)... and also because I am working more with Ruby than Perl nowadays. And finally, about Cherokee, I decided during DebConf9 to redo the packaging to fully use DH7 instead of our old-style quasimanual style. I have had several bursts of activity, and am almost-almost-ready to do the first newstyle upload... But so far, have been unable to do so. Of course, keyring-maint: With Jonathan's help, I have come to terms with most of the processes. Both Jonathan and I have been swamped lately, but at least I think I am finally helping speed up the process instead of holding it down. We do, yes, have several pending updates - but are working our way up the queue, and I hope not to leave people waiting for too long. And yes, we have discussed several ways of documenting and automating several of the tasks we currently sustain, and that should come soon I have been also leaving maybe a bit too much responsability aside on EDUSOL, for which today we are entering the second week of activity, and I'm very sorry to see our server is just too overloaded to even reply to even answer to me And even lacking admin powers myself, I should have worked earlier on setting up redundancy on a more automatic way (as we have an off-site backup we can promote to live and redirect to, but I am unable to do this... Given that I am the techie person on board/the only "professional" sysadmin). This year I also quietly finished the bulk of the Comas rewrite. What? Comas? Still alive? Yes, and you can expect me to show it off to more people soon, and get it used for more conferences. I will talk more about it (and its motivation, and its current status) later on But basically, the only two things that Comas shares in common with the mod_perl-based system most of you got to know (mainly at CONSOL 2004-2008 or at Debconf 5 and 6, although I know of several other conferences which used it) and the current incarnation are The (most) basic database structure and the name. The project underwent a full rewrite, and is now a far more flexible, far easier to install, Ruby-on-Rails based application. And most important, it does no longer involve your name being Gunnar Wolf as a prerequisite for successfully setting it up ;-) Regarding DebConf, I have promoted a Central American MiniDebConf, and we are right on track for holding it in late March in Panam City. Everybody's invited, and we will have (surprise, surprise!) the very professional involvement of Mr. Anto Recio as local team, as it seems he didn't have enough with last year's DebConf9 and wants to suffer further. What am I lacking here? Motivation. I have been quite pessimistic, possibly turning some people away, even though we have a good first sampling of interested people's profiles and expectations. If you want to get involved, tomorrow (Tuesday 17-nov) we will have a meeting at Freenode's #sl-centroamerica, 17:00 GMT-6. Please note we do need involvement from the Central American communities, it is more than just a motivational issue. Last meeting it seemed Anto and I were the only people pushing the MiniDebConf - and frankly, that would be a basis for not even holding it. We need motivation from the very people involved in it! Anyway You can see I have (and it seems to be a constant in my life) a series of contradictions going on. However, the excercise of putting it all into writing helps me understand better where I am standing. When I started writing this post I felt much heavier, much more at a loss Right now I feel I want to refocus my energy on the same projects and teams I have been involved with, yes, but feel it at least more plausible. Hope so.

I know I wrote about Android already today, but there is another thing that concerns me right now. I am owner of an Android-based phone (an HTC Dream) and recently switched my mobile network provider. The problem is that my new provider is a virtual provider and as such there is no real network of that provider. Now Android has a feature to turn off broadband connections when in roaming mode, which itself is a great idea and can save you from paying quite a lot of money when the phone connects to 3G abroad, but this feature also turns off broadband connections when roaming locally. All this is being discussed in bug report #3499. After noticing this problem I became curious on how Android detects that it is roaming and I found the GsmServiceStateTracker.isRoamingBetweenOperators method to be responsible for that magic, but soon noticed that the method is not only inefficient, but also doesn t work as intended. This is hardly related to the bug mentioned above, but let s have a look at the code in question:

/**
* Set roaming state when gsmRoaming is true and, if operator mcc is the
* same as sim mcc, ons is different from spn
* @param gsmRoaming TS 27.007 7.2 CREG registered roaming
* @param s ServiceState hold current ons
* @return true for roaming state set
*/
    private
    boolean isRoamingBetweenOperators(boolean gsmRoaming, ServiceState s)  
        String spn = SystemProperties.get(PROPERTY_ICC_OPERATOR_ALPHA, "empty");
        String onsl = s.getOperatorAlphaLong();
        String onss = s.getOperatorAlphaShort();
        boolean equalsOnsl = onsl != null && spn.equals(onsl);
        boolean equalsOnss = onss != null && spn.equals(onss);
        String simNumeric = SystemProperties.get(PROPERTY_ICC_OPERATOR_NUMERIC, "");
        String operatorNumeric = s.getOperatorNumeric();
        boolean equalsMcc = true;
        try  
            equalsMcc = simNumeric.substring(0, 3).
                    equals(operatorNumeric.substring(0, 3));
          catch (Exception e) 
         
        return gsmRoaming && !(equalsMcc && (equalsOnsl   equalsOnss));
     

Okay, let me summarize what this piece of code does wrong, at least from my understanding:

• It takes both the network operator alphanumeric identifier and alphanumeric long identifier and compares both to the alphanumeric identifier coming from the SIM card, whilst
• it could simply use the network and SIM card numeric identifiers and compare those, which should be a lot cheaper than comparing those strings
• Then it takes the first three characters/digits of the numeric identifiers (which indicate the country) and compares those

Now in my case my SIM card doesn t seem to provide the phone with a alphanumeric identifier, so the first two comparisons always fail for obvious reasons and, looking at the inline-if in the last line of that method my phone will always indicate that I am in roaming mode, even when I am not. The problem is not only the logic which seems to be wrong, but I rather see the inefficient comparisons used there to be a major problem in embedded systems like mobile phones. This is the first piece of Android code I have had a look at, but if all other code is as ugly and inefficient as these few lines Android really needs some major fixes. Related to this I have reported bug #4590 and forked the git repository in question over at github, to fix this method, should be a matter of 5 minutes.