We ll be holding a Keysigning Party at FISL10. This will be a good opportunity to renew my key, given I ve been using it since 2001 and it s an old 1024 DSA key. I have to thank An bal Monsalve Salazar and Alexander Wirt for sharing their expertise in organizing this kind of event. More information on the KSP can be obtained from the announcement.

Just this week I went to the movies to check the latest incarnation of Cap. Kirk, Mr. Spock et al. It really was a great movie I was expecting less, I have to admit. But the movie was not bad at all With all that space and beyond thing in my mind, yesterday I was surprised with a greatly inspiring picture taken from Hubble Florida, before STS-125 reach Hubble (thanks Florian Weimer for the heads-up): How inspiring can that be? You can find the original here, along with the explanation of how and when it was taken.

Months (even years) of activism, over 140 thousand signatures, and finally another small victory: Brazilian Minister of Justice Mr. Tarso Genro sent a letter [pt-BR] stating that Sen. Azeredo s bill is dangerous, and that the Ministry is working in an alternative (among other things). We had already incited a public hearing that were very fruitful [pt-BR] and might have brought the Ministry to the issue. But don t relax just yet, folks! Right now, working in this alternative , are people with every kind of agenda It s safe to assume that some of them are from the same lobby that pushed Sen. Azeredo first version of the thing. So, yes, this was another victory, but nothing really changed The bill is still approved by the Senate and still has to be reviewed by the Chamber-of-Deputies, and the alternative that will be presented by the Ministry is still under construction. What we accomplished is nothing more than making the Minister aware of the issue So, keep the pressure over your representatives, send messages to the Ministry, stating how you feel about the issue! Let s show them what we want them to do After all, that s why we elected them, in the first place, isn t it? [Published also at Trezentos, in portuguese]

Last few months since I got my EeePC have been a lot of fun. Playing and tweaking the little bastard is a joy in the end of a busy day. Besides, since I loaded it with the most useful SysAdmin tools, it became a powerful device in my tool belt . Unfortunately, I ve been stupid enough to drink a glass of orange juice while messing with it. I know, I know! Silly thing to do. I should know better! But life is like that I spilled a few drops over it. Of course, the web is pouring off information on what to do in cases like this, so I ll just summarize what I did:

1. Imediatelly, without thinking or questioning, I turned it upside down and removed the battery. It was a clumsy thing to do I ended up spilling the rest of my orange juice on the floor while worrying about the EeePC. Concearns about filesystem corruption (or whatever) crossed my mind, but I can always deal with that later First things first!
2. I went online in another computer and found out how to disassemble it. For me it was easy, since I got other two computers at home but if I needed to leave it there while looking for information, I would! If it s upside down and has no power whatsoever (the battery was removed), it s safe, I think. The information was easily found. I decided I didn t need to disassemble all of it, but having those information at hand was pretty useful.
3. I began by removing the keyboard. It s tricky but not difficult. The secret relies on the spring-mounted tabs near the screen. I checked for spills under it and cleaned with a cotton swab.
4. I was not very confortable to open the case, but I decided that turning it back on without checking the electronic parts first was too risky. So I said goodbye to my warranty and unscrewed the 6 screws from the bottom and the 9 from the silver casing under the keyboard.
5. There I found some little drops! Good decision to open it up! I dried it using cotton swabs again.
6. Before putting it all together, I decided to leave it open until the next day. I was pretty sure everything was dry again, but better safe than sorry . The next day I successfully assembled it and turned it on. Great! Everything worked fine.

Now that was just what worked for me. My EeePC is back, fully restored but, of course, the warranty is void :-( So I cannot recommend you to do the same. Best advice I can tell you: Keep liquids away your EeePC!

SSH is really the Swiss Army pocket knife of sysadmin tools. When I needed to periodically synchronize log files from an old server (old as in customer-would-never-update-it-or-install-anything-new), I built a simple and secure solution using rsync and ssh. This is what I did: (I will call remote the system where the logs I want to retrieve are, and local system where I want them to be copied to) First I created an account with a restricted shell (ideally this should be a system account, but we ll get there!):

remote# adduser --ingroup nogroup --shell /bin/rbash rlogs

Then locally, I created a new, password-less ssh key pair, copying it to my remote system:

local$ ssh-keygen
>>> When asked where to save it, I chose a different name, like .ssh/rlogs
local$ ssh-copy-id -i .ssh/rlogs.pub rlogs@remote
...
>>> You can delete the password of user rlogs, so it, effectively,
>>> cannot log-in with it (almost like a system user).
remote# passwd -d rlogs

Now you should be able to run password-less rsync already (note that I use -e option to point to a different key):

local$ mkdir logs
local$ rsync -av -e "ssh -i $HOME/.ssh/rlogs" rlogs@remote:"logs/" logs/
receiving file list ... done
./
file1
file2
...
fileN

But even with a restricted shell, I wanted even less possible things to happen. That s what command= directive is for It will only allow that command to be run in a session started by that key. Since rsync translates a lot of its command-line options, I run it again with a dirty ps-in-a-loop in the remote host, just to see what running rsync locally causes remotely:

remote$ while 1; do ps wp $(pgrep rsync); sleep 1; done
...
local$ rsync -av -e "ssh -i $HOME/.ssh/rlogs" rlogs@remote:"logs/" logs/
>>> in the remote loop you should be able to get the command:
  PID TTY      STAT   TIME COMMAND
 6183 ?        Ss     0:00 /usr/bin/rsync --server --sender -vlogDtpre.i . logs/

Here comes the authorized_keys magic. At the remote host I edited .ssh/authorized_keys to add a command= line with what I found out in my dirty loop. Also, I added a couple of directives to restrict it even further (they are pretty self-explanatory):

rlogs@remote$ cat .ssh/authorized_keys
command="rsync --server --sender -vlogDtpre.i . logs/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa (...) myuser@local

Now everything is set. I just added the rsync command to the local crontab and it s done.

One of the largest FLOSS events in the world, FISL (International Free Software Forum in english) subscriptions are already being accepted. They also already called for papers! They re calling this year s a special edition since they expect to reach 10-thousand attendees (last year exceeded 7-thousand)... this is pretty big if you ask me. As usual, it will take place at Porto Alegre, and is scheduled from June 24th to 27th. I think we can expect the usual activities (Programming Arena, Interesting Workshops, FLOSS shows, Great Speakers, Brazilian Government), but I think the special edition is not just due to the number of attendees. What surprises are being cooked by the Organization Committee is just something we ll have to wait and see :-) See you there!

You may have noticed, or not, but WebKit 1.1.3, which has been released a few days ago, is available in experimental. The great news is that we now have a real maintenance team, because I now have a co-maintainer, who actually did most of the work getting the 1.1.x releases in shape for experimental. Now, some JavaScript performance figures, as I have been doing for most WebKit releases I uploaded to the archive, with a recap of previous episodes:

• svn 27674: 3932.0ms
• svn 31842: 2612.2ms
• release 1.0.1: 1658.4ms
• release 1.1.3: 1333.2ms

All there tests have obviously been run on the same machine, under the same conditions. The machine in question is my x86-64 laptop, which means all these test are with a x86-64 binary. This also means the last release, 1.1.3, doesn t take advantage of the Just In Time JavaScript compiler, which is only available on x86 binaries. With the x86 binaries under a x86 personality chroot, I get under one second:

• release 1.1.3, with JIT, x86: 985.4ms

But, in the last few days, I ve been working on getting JIT first to build and then to work on x86-64 linux, and with the help of folks on the webkit-dev list, that just happened. And the result is just wow.

• release 1.1.3, with JIT, x86-64: 623.0ms

(Note that a few tests are actually slower than on x86) That s so many times faster than what we had a year ago that it s almost unbelievable. Expect the next upstream release, planned for some time in the near future, to have my patches applied. In the meanwhile, you can get them here and here.

As I already told you, I am using XMPP4R-Simple in an internal project. For this, I d have to add PubSub capabilities to it, and I did when I decided to get serious with git. Today I committed a version with integration of various patches by other forks I found on GitHub plus a lot of improvements on PubSub functions. With this version it s simple to use PubSub like this:

require 'xmpp4r-simple'
# Simple function just to parse an event
require 'time'
def parse_event(event)
  item = event.children[0]
  node = item.node
  time = nil; item.each_element("//published")    e  time = Time.parse(e.text)  
  text = nil; item.each_element("//body")    e  text = e.text  
  return   :item => item, :node => node, :time => time, :text => text  
end
# Create the clients
im1 = Jabber::Simple.new "im1@example.com", "password" 
im2 = Jabber::Simple.new "im2@example.com", "password" 
# im1 creates a node
im1.create_node("/some/node")
# im2 subscribe to that node
im2.pubsubscribe_to("/some/node")
# We'll start a simple thread to get the events coming from that node to im2
Thread.new   loop  
  sleep 1 while ! im2.received_events?
  im2.received_events    event 
    h = parse_event(event)
    puts ">>> Got an event from node # h[:node]  published at # h[:time]  with text # h[:text] " 
   
 
# Now im1 just publishes anything to that node.
im1.publish_atom_item("/some/node", "This is my node", "This is the content of my node")
# The thread should capture the event and run puts on the hash from parsing.

PubSub is great, isn t it?

I finally took some days off. Those are most needed, since I spent carnival on call at the hospital (argh!)... So Brenda and I decided to spend those days at Maceio, capital of Alagoas state, and a very anticipated vacation. They have a lot of sun and beautiful beaches, enough to fill our week (and get some tan also). This picture was taken at Praia do Gunga (Gunga s Beach), a charming place with a calm shore, almost like a pool, protected by natural reefs. As you can see, I am having a bad time right now :-) Food is excellent, so are the people. But there are some inconveniences (as always). Beaches around downtown are not proper for bathing They re fighting a long fight against pollution (and loosing, if you ask me)... Also, Alagoas is a poor state Our guide said alphabetization covers less than 70% of the people Also, network connection is expensive in hotels. Ours charges BRL 1,00 every 5 minutes! And the speed is not the best. They have one of those systems requiring a web authentication before you go. I ve seem people complaining about this kind of system in Planet Debian before (reference please!) and suggesting Tunneling over DNS as a fix . I ve noticed it would work in our hotel, but I decided to try another approach I ve already written about: just a quick tunnel over an ssh connection. I know I told you I needed an authentication before, but that is for the first connection! Yes, once the connection is established, I could just log out (thus stop the charging). No new connections could be made, but the tunnel was already up, so just put everything through the tunnel and I should be fine right? Wrong. I got bitten by a drawback of the technique already pointed in a comment when I first wrote about it: in an error-prone network, TCP-in-TCP slowly dies of attempting to correct itself over and over and I was using a poorly connected wi-fi (loosing almost 30% of the packets!). So, I was left with the set-up of a not foreseen tunnel using DNS as the only option This would take time (and money)... So I decided for a simpler approach: SOCKS proxy. Yes, everything I would do could be done through a SOCKS! So a simple:

bash$ ssh -D 8888 my.remote.location

was all that I needed. That and setting my Firefox to use a SOCKS proxy on localhost:8888 and all went fine. I paid to set-up the tunnel then, once established, I logged out and kept using my tunnel all this time. Simple and effective, and I got some time left to blog about it. :-)

I ve been using git this last few days and I am still working on a workflow for my projects. Unfortunately, as others have noticed, git violates POLS is so many ways, it ends up being hard to get. Creating a remote repository seems to be the first thing to bite a developer switching to git (mainly if coming from a centralized SCM). I have not decided which is the best way of doing it, but I ve been using git-daemon via inetd and a path in my remote hosting holding all my repositories for public pulling, and ssh for pushing. Here is how to create it:

local$ ssh spectra@remotehost
remotehost$ mkdir /var/git/myproject.git
remotehost$ cd /var/git/myproject.git
remotehost$ git --bare init 
remotehost$ logout
local$ cd myproject
local$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
local$ git push remotehost master
...
otherlocal$ git clone git://remotelocal/myproject.git
otherlocal$ cd myproject
otherlocal$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
(hack hack hack)
otherlocal$ git push remotehost master

Now everybody can pull your repository at git://remotehost/myproject.git and you can push and pull to it via ssh. Note that you have to setup git-daemon, which is pretty straight forward. I am using it as an inetd daemon, but you can use it as a standalone one. Debian has a package which does just that. Now, some people think logging in a remote server just to create an empty repository is too much. Well repositories are just .git directories. It happens that you can push for the first time by rsyncing your .git with a remote host:

local$ cd myproject
local$ rsync -a .git/ spectra@remotehost:/var/git/myproject.git
local$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
(hack hack hack)
local$ git push remotehost master

(Apparently you can push using rsync every time, but it s regarded as wiser to keep your probably crappy local repository commits separated from the public repository otherwise commit messages like Please, don t use this code are likely to pop up everywhere :) ). Now, I don t know if this have side effects, but it works :-) Another thing to notice is that git is more directed at pulling than pushing. This may be because of its designer: the way Linus works is by pulling changes from others repositories and not by letting others push em into his one. And this is another violation of POLS for most of the people, who is used to commit their changes into some remote repository. Rather than that, people using git would expose their own repositories in order to have it pulled by others. I also agree with most of the git critics wrt git commands There s a lot of examples and I am not going deeper in this but I think it was a bad choice calling checkout what git does when told to checkout , for instance. Yes, I know different tools, different ways of seeing it but everyone was already used to what centralized SCMs call their operations, and I think it would only help git adopting same names for the same operations, and inventing new ones for those proper of decentralized operations. Anyway, once you get it (and I have not completely got it yet), it seems all flow as expected. If this adaptation fails, there s still Easy Git to the rescue! One last thing that I think contribute to the git sucks effect: git-svn. This is a great tool, but it was built from git s point of view Given it s intended as a glue for Subversion newcomers, it would benefit more from being built from svn s point of view. This was mentioned by a colleague developer in my company, when he just couldn t understand why one have to git svn rebase instead of a simple update. So git-svn also suffers of the bad command naming habit git do. Of course, that given that you came from this environment (I am sure git and git-svn makes perfect sense for Linus & cia :-) ). I have not tried yet, but yap seems to be targeted on providing an alternative to git-svn.

I was browsing GitHub, getting to know the system and feeling pretty amazed by it (seriously I felt I discovered Orkut for developers)... when some thought just stroke me: how do they save space? Yes, I know git is pretty efficient when it comes to saving space. Yes, I also know that space are becoming cheaper with time, but still, they claim to have +50k developers hooked up their servers if they re not doing something about space, things will go inefficient quite quickly. Rails alone seems to have 464 forks! If all of them represent one bare clone of the canonical repository on GitHub s side, that is a lot of space wasted in duplicated things Git has one amazing feature: hashing the objects it keeps track of. It surely doesn t seem too complicated to design a schema that avoids having two copies of objects with the same hash. So all those forks of Rails, on GitHub s side, would be just hardlinks to the canonical repository Surely people working in GitHub are smart enough to have though about it on their own Who knows? Maybe that s exactly what they re doing already! If so, can I ask them to share their schema, since it can become very useful to the rest of us? If not, can we beat them ;-D?

Everybody seems to be using git these days I am not very found of hypes , as I told you before, but there s been some time I ve been evaluating git. I was happy with svk for quite a long time Lately, though, I ve been developing and extending a lot of ruby libraries, and all of them seem to be hosted at GitHub and using git So, why not give it a serious try? I chose a simple task on my TODO-list: to extend xmpp4r-simple to support XMPP PubSub, so I could use it in an internal project at my company. So I cloned its git repo and started developing. Not a really hard task, since all I had to do was use the underlying library (xmpp4r not surprisingly also in GitHub) and mimic what Blaine s done for the callbacks and it was ready (and working although I still need to put more time on the test suite). I am still exploring It will take some time to migrate my stuff (and maybe a lot will remain in my company s Subversion), but that s what git-svn is for, isn t it? Right now I am looking for ways to work with git-buildpackage and Debian git tools Do you have some advice on that?

I don t know maybe it s because my birthday is coming (Feb 10th)... or maybe because my wife s birthday is around the corner (Jan 26th), but I am feeling too old these days. I know, though, that at least part of it is due to Web 2.0! I feel like being the last geek still using my own mail server (everybody else is using Google Apps) and a console-based MUA (I am using Mutt for as long as I remember everybody else seems to be on Google s Gmail). I still don t have a Twitter or an Identi.ca account. I still use my ICQ account! I never got an OpenID. Just yesterday I was lost in a conversation about Google Reader! I am a lost case Is this how it is to become an old days geek? Now I know what those bearded geeks from the 70s felt

This is just to keep a reference (so I don t have to google it again :-) ): One can create a quick and dirty VPN using pppd and ssh:

bash$ /usr/sbin/pppd noauth 10.0.0.1:10.0.0.2 pty 'ssh -x -t -e none remote_user@remote_server /usr/sbin/pppd passive noauth'

This assumes both users (local and remote) have permissions to run pppd (some sudo trickery may become very handy) and that no password is asked by ssh (password-less key authentication). Quite handy, ain t it?

While googling for something completely different (which I cannot remember right now), I passed by what is probably the best Bash tip I ever read:

bash$ head -10 /etc/apache2/sites-available/default
(...)
bash$ ^10^20^
(...)

What happens in the second command is that the previous one is repeated, replacing 10 by 20 ! How great is that?!

This is the follow-up on my Asus EEE PC configuration. Next on my TODO list was to make the webcam work, and as Ben Armstrong had pointed it worked fairly well, proving to be a non-issue. After that, I decided it would be a good thing if the presence of my bluetooth-enabled cellphone were tested, so that if I walk away from the PC, it called xscreensaver -lock. After some googling, I found a tool that did just that: BlueProximity. It really seemed a good idea, except that my cellphone (a Palm Treo 650) kept warning me about a connection going on, which was quite unpleasant. This happens because BlueProximity tests the RSSI of a bluetooth connection Beautiful, but a little overkill for what I wanted: I just wanted to know if it is there or not. First I tested the bluetooth discovery with hcitool scan, but for that I would have to keep my cellphone Discovery On, which is not a smart thing to do So I tested other things, and found out that hcitool name XX:XX:XX:XX:XX:XX only returned the name of my cellphone if it were around. So that was what I used. This is treo-presence.sh script:

#!/bin/bash
TREO='XX:XX:XX:XX:XX:XX'
NAME='name_of_my_cellphone'
CMD="/usr/bin/hcitool name $TREO" 
if [ " $CMD " = "$NAME" ]; then
  exit 1
fi
exit 0

It returns 0 or 1 if the TREO device is absent or present, respectively. I use it from the following cron script:

#!/bin/bash
/usr/bin/w   /bin/grep $LOGNAME > /dev/null 2>&1
if [ $? -ne 0 ]; then
  # Running user is not logged in
  exit 1
fi
CMD="/usr/local/bin/treo-presence.sh" 
LOCK_CMD="/usr/bin/xscreensaver-command -lock" 
FILE="/tmp/no-treo-lock.txt" 
TMPFILE= /bin/tempfile 
/bin/touch $FILE
/usr/bin/tail -2 $FILE > $TMPFILE
$CMD; echo $? >> $TMPFILE
/bin/mv $TMPFILE $FILE
/bin/rm -f $TMPFILE
for line in  cat $FILE ; do
  if [ "$line" = "1" ]; then
    exit 1
  fi
done
# Got here: all 3 lines are not 1
$LOCK_CMD > /dev/null 2>&1
exit 0

This is run from the user crontab file every minute, recording the last 3 runs in a file in /tmp. If all 3 runs indicates the absence of my cellphone, xscreensaver -lock is called. Simple enough and doesn t give me connection warnings in my Treo. Other approaches are surely possible. Also, I am not sure treo-presence.sh would work for other devices This is just what works for me

Wow! I woke up this morning and, while browsing my usual feeds I got a nice (although odd) surprise: Rails and Merb will merge !!! Should we all wait for the end of days? ;-) Seriously That is really something I d never have expected. Rails 3 will be such an interesting framework! What a nice Christmas gift! Merry Christmas.

Really, now is the day 3 I am just considering this day 2 for I had to do a lot of things again due to my dumbness. Let me explain: I had a desktop environment in place (with fluxbox), wired network, and most of my daily softwares (Iceweasel, X-Chat, Pidgin, GkRellM), then I decided to test the Suspend-to-Disk At first, it seemed to work well: I made a swap file for uswsusp, just as documented what is not documented is that this file must be outside the encrypted partition! So, when I turned it on again, an error telling me about some corruption in the opened luks partition. I though OK, something gone mad, just a matter of running an e2fsck . So I booted with the netinst pendrive, opened the luks partition and ran it with -y. Everything seemed to be corrupted!!! It spend almost 5 minutes fixing bogus inodes and stuff before I decided to interrupt the process this fixed filesystem would never work anyway. So I began from scratch All over again. When I got into a working base-system, some other thought stroke me: what if Brenda were to use rohan (have I mentioned the name is rohan? I name all my machines after places in Middle-earth)? So, a minimal user-friendly desktop is needed After some research, I decided to go for LXDE. This is a minimalist desktop with OpenBox as the window-manager. I ve been using FluxBox for a long time now, so running another BlackBox-based would not be such a problem. LXDE is quite good. So far, everything I expected is working fine . Then I decided it s time to move on to configure the Wi-Fi stuff. I installed the RT2860 modules from Debian/EEEPC Repository and added rt2860sta to /etc/modules. At first I was worried that some reports of it not working with WEP showed up in a Google Search But nothing could be smoother! I installed wicd and it detected our WEP AP like a charm (and a bunch of other APs nearby)... after entering our key it just connected fine and I ve been using it since no glitches so far. I would like to play a little more, but I called the day since I got a lot of work going on Next item planned is the webcam

Following my previous post, today I began to turn my brand new Asus EEE PC 901 into a Debian Machine. At first I wanted to do all in one day, but since work is taking too much out of me (and everything seems to take more time than expected), I ll have to split this in different days So, first things first. I read Debian Wiki on the issue and began by doing the most important: backing it up. So I got a daily netinst iso, put it on a USB Pendrive and followed the tip on backup over the network using netcat. Easy and effective, and took only 8 minutes on the 901 (I think the 35 minutes described on the wiki were for models with slower NICs). From there, I had to decide which version of the installer I d use. I chose Standard, since I want an encrypted disk on my EEE. So I run the installer and, on the partition manager, I deleted /dev/sda1 (where Xandros was installed), turning it into a 300 MB /dev/sda5 (to use as /boot) and a 3 GB /dev/sda6 building a Logical Volume over an LVM Volume Group with it and /dev/sdb1 (where the user directory was), and enciphering it. This took a long time, since, I believe, random data were being written to the device to increase crypto strength. I left /dev/sda 2,3,4 as they were, since they can belong to the Asus EEE Recovering System (and they don t take too much space :-) ) Now base system is installed, and wired network works like a charm Next steps will have to wait until tomorrow.

I got an Asus EEE PC 901 Linux. Unfortunately it arrived just now, at the end of the day. I ll document the process of turning it into a Debian machine as I go, beginning tomorrow. So, stay tuned!