Did you ever use a tool such as netcat, which has no history and does not allow you to edit the line you are typing?

% nc localhost smtp
220 cocorico.example.com ESMTP Postfix
HELO localhost
250 cocorico.example.com
MAIL FROM: <tanguy@localhost>
250 2.1.0 Ok
RCTP TO: <tanguy@localhost>
502 5.5.2 Error: command not recognized
^[[A Sh*t, line recall does not work!
502 5.5.2 Error: command not recognized

Here comes rlwrap: it is a small and useful tool that wraps any command line-oriented tool using readline to provide you a history allow you to edit each line before you send it:

% rlwrap nc localhost smtp
220 cocorico.example.com ESMTP Postfix
HELO localhost
250 cocorico.example.com
MAIL FROM: <tanguy@localhost>
250 2.1.0 Ok
RCTP TO: <tanguy@localhost>
502 5.5.2 Error: command not recognized
  RCTP TO: <tanguy@localhost>  

rlwrap's effect is hard to describe with a transcript, so here are two screencasts, with and without it. If you often use tools such as netcat, try it!

Installing an operating system When you want to install a new operating system, the first thing to do is to get an installer medium, which usually involves two steps: downloading an image, and writing it to a medium. There are two major types of media usable for that purpose: optical discs and USB sticks. There used to be a third one, floppy disks, but it is no longer used, and it was conceptually very similar to USB sticks.Power-user If you are a power-user, you probably use USB stick, to be able to reuse them and because they are easier to carry. For you, writing an optical disc or an USB drive is almost the same:

$ wodim image.iso
$ dd if=image.img of=/dev/sdc

Regular user But what would you suggest to a normal user? USB stick? You should not: while it is technically much easier to write an USB stick (just copy blocks from the image to the peripheral file, without any need to use any specific function), desktop file manager make it much harder. Indeed, for a desktop user, burning an ISO image to an optical disk is quite simple: right-click on the image file and choose the burn option. But writing an image to an USB stick? There is no similar option, so that will involve calling a power-user friend, which will tell you to open a terminal and type dd if= . Moral

Power-users

Continue using USB sticks as installation media, but tell regular users to use optical discs until desktop file managers adapt.

Regular users

Use optical discs. If your computer does not have an optical reader, either invite a power user friend, or buy an USB optical reader.

Desktop developers

Please, fix that! Writing an image to an USB stick should not be harder than burning it to an optical disc! People are using more and more computers without an optical reader, and that situation is certainly not new, as it is only similar to that of the time when we were using floppy disks.

Floating and tiling window managers In the X Window System, the window manager is that piece of software that places your windows and allows you to move them, resize them, hide them, etc. If your windows have titles on top of them, with buttons to close them or reduce them, it is thanks to the window manager. There are two major types of window managers:

Floating window managers

They are the most usual window managers, that allow you to place an size your windows freely on the screen, in a way where they are independent of each other, possibly overlapping, just as you would be able to place sheets of paper on your desk.

Tiling window managers

They are a more elitist type of window manager, that adjust the size and position of the windows so there is no overlapping and no space lost between windows, thus tiling the screen.

The frontier between these two types is not very tight, because some floating window managers have limited tiling features, and almost all the tiling window manager have floating modes for programs that are not adapted to tiling. For what it is worth, here is a report on my experience with three tiling window managers. Perhaps it may help people that are still hesitating to switch to tiling window management?Using tiling window managers Five years ago I switched to tiling window management, feeling that managing windows was the window manager's job (a quote from larswm). At that time, I started using wmii, then switched to awesome, and now I am trying i3. For people in a hurry, here is a comparative table:

	wmii	awesome	i3
Configuration	Shell script	Lua script	config file
Scriptability	any language, 9P-based	Lua, API-based	any language, socket-based
Layout	simple, column-based	automatic layout-based	flexible, manual tiling-based
Multi-monitor	sucks	OK	OK
Modern stuff		XCB, Xft, notification area, dock windows	XCB, Xft, notification area
Special features	tag-based workspace system	XDG convention to locate the config file real framework for customization	powerful status bar

wmii wmii is a rather minimalist window manager which used to be part of the suckless project, but is now hosted at Google Code and seems to have lost all its documentation during the move (why is it that all the software I have seen hosted at Google Code or worst, at Launchpad, have almost not documentation, and never, ever a single screenshot?). It uses a column-based layout: you place windows in a number of columns, and for each column you can choose either vertical split, stacking or full column mode. This system is very simple to control flexible enough for most situations, but it does not allow for arbitrary tiling. It is fully scriptable in any language, in an interesting way: it exposes all its functions on a 9P virtual filesystem. In fact, wmii itself only implements window management functions, and all the user interaction logic takes place in a distinct script which calls that functions using that 9P filesystem. wmii comes with a default script, written in shell, which makes it a bit hard to extend, and slow if you start calling external programs such as grep, sed and co. You can script it in any language you like however, and there are some already made implementations in Ruby and Python IIRC. A special feature of wmii is that its workspaces are in fact tags, and that you can tag a window so that it will appear in several ones. While this is interesting, in practice I did not find much use for that feature. It is explicitly minimalist, and the developers used to impose themselves a limit on its numbers of lines of codes (not sure if this is still true with the switch to Google Code). While I was using it, it had no notification area, no support for Xft fonts and it sucked with multiple monitors, which is the reason I switched to awesome. awesome awesome is a very flexible window manager that provides advanced automatic layouts. It has become quite popular, and it has a very well documented wiki. It is not officially a tiling window manager but a framework window manager, and to emphasize on that it start in floating mode by default. I think most people use it in tiling mode however. It uses automatic layouts, that place your windows according to rules, for instance the fair layout, which tiles in columns and rows so that each window occupies a similar space. Thanks to that automation, this system is very easy to control and to get used to, and although it certainly does not allow arbitrary tiling, you can cycle between several available layouts which are suitable for most situations (most of them are entirely automatic, but some have parameters you can modify, such as the number and width of columns), and if you miss one, I think you can even code your own. It is fully scriptable using the Lua language. In fact, just as wmii, the user interaction logic is defined in the configuration file, which allows efficient customization. The Lua API is fully documented, and there is a series of useful libraries to extend the basic configuration in any way you like, which is why awesome calls itself a framework window manager . It is not designed to be minimalist, and it implements some modern stuff, such as using XCB rather than Xlib, a notification area, and specific support for dock or utility-type windows such as GIMP's tools. i3 i3 is a window manager inspired by wmii, although they do not have much in common in my opinion. for what I have seen, I think it would be closer the defunct Ion. It uses a layout based on manual splitting: as you open windows you can choose to split an existing window either vertically or horizontally, leading to arbitrarily complex layouts. In addition to that you can tab or stack windows in containers instead of splitting them. This system is very flexible but it requires more user intervention. In its standard mode of operation, i3 is simply configured in a regular way, which allows to customize the user interaction but not to script it in an arbitrary way. It offers an IPC system that can be used for that however, by the mean of a Unix socket, so it can actually be scripted in any language too if needed, although this possibility is probably not as popular and easy as with wmii and awesome. It implements modern features such as XCB, a notification area and a powerful status bar that uses the standard output of a dedicated program that is easy to replace by your own if you need.

My current employer as a benefit offers two days of paid volunteer time every calendar year. In September I decided to devote this time for Debian project. It wasn t easy to convince HR and my manager (hi Gloria ) that such activity can be considered as volunteering but I eventually did it! So last Thursday and Friday were days I could spent working on my packages and other stuff related to Debian Let s talk about effects. 5 packages updated, 16 bugs closed, more than 50 lintian warnings/errors solved. Here goes changelogs from updated packages:
calcurse (3.1.2-1) unstable; urgency=low * The Akamai Technologies paid volunteer days release.
* Package made from scratch (this was funny experience):
- uses new quilt source format
- uses new copyright format
- uses debhelper compatibility level 9 w/hardening options
- uses the newest Standards-Version
* New upstream version:
- supports UTF8 (Closes: #558671)
- hopefully fixes problem with accented characters (Closes: #466010) -- Bartosz Fenski <fenio> Thu, 20 Dec 2012 13:51:08 +0100 httpie (0.3.1-1) unstable; urgency=low * The Akamai Technologies paid volunteer days release.
* Includes manual page (Closes: #673067)
Courtesy of Khalid El Fathi <khalid>. Thanks!
* New upstream version. (Closes: #693810)
- handles binary transfers properly (Closes: #689974) -- Bartosz Fenski <fenio> Thu, 20 Dec 2012 14:27:59 +0100 skipfish (2.10b-1) unstable; urgency=low * The Akamai Technologies paid volunteer days release.
* New upstream version.
* Bumped Standards-Version (no changes needed).
* Various path fixes because of upstream changes.
* Added new libpcre3-dev build dependency.
* Totally rewritten copyright file to comply with new copyright standard. -- Bartosz Fenski <fenio> Thu, 20 Dec 2012 14:59:36 +010 ipcalc (0.41-3) unstable; urgency=low * The Akamai Technologies paid volunteer days release.
* ACK previous NMU, thanks Christopher!
* Documents some missing features in the manpage (Closes: #588143)
Thanks Tanguy Ortolo <tanguy>!
* Fixes other minor problems in manpage (Closes: #688148)
* Description now says it's tool IPv4 only (Closes: #628955)
* Fixes lack of </table> tag when printing supernets (Closes: #600251)
* The following changes are courtesy of Jari Aalto <jari.aalto>:
- Remove deprecated dpatch and upgrade to packaging format "3.0 quilt".
- Update to Standards-Version to 3.9.3 and debhelper to 9.
- Add build-arch and build-indep targets; use dh_prep in rules file.
- Patch 03: update with "quilt refresh" to make it apply cleanly.
Thanks to these changes (Closes: #670737) -- Bartosz Fenski <fenio> Fri, 21 Dec 2012 12:30:11 +0100 netw-ib-ox-ag (5.39.0-1) unstable; urgency=low * The Akamai Technologies paid volunteer days release.
* New upstream version.
* Uses Homepage header. (Closes: #615219, #615294, #615321, #615436, #645522)
* Bumped Standards-Version (no changes needed).
* Switch to dpkg-source 3.0 (quilt) format)
* Fixes FTBFS on s390x and sparc64 (Closes: #639493)
* Fixes 29 (sic!) lintian warnings/errors thus many small changes
in packaging scripts. -- Bartosz Fenski <fenio> Fri, 21 Dec 2012 15:38:29 +0200
Despite this I did something else. I sent end of the world joke-mail to debian-mentors mailing list stating (ignore the fact that my own server marked me as spammer; fixed already ;P) that I m going to review and try to upload every package that will be send to me during end-of-the-world day.
That action was quite successful although no package has been uploaded yet. I reviewed 4 of them and two more are yet to come. So it looks that these two days sponsored by Akamai motivated me enough to spent few more days or even months and help other people to contribute to Debian. Thank you Akamai!

(Apologies for putting this on Planet Debian, but it says the one or other non-English post is okay as long as it s an exception. I feel I need to reach more people with this, but don t feel like translating this into English right now.)
Update: Tanguy asked for a short English summary: it s me ranting against the rioting against muslims and the call for more CCTV surveillance after a possible bomb was found at the train station. In Bonn herrscht immer noch Bombenstimmung , wenn man z.B. auf die Webseite der Lokalzeitung schaut von dem Amoklauf in Connecticut, ber den sich im IRC gewunder wird, ist immer noch nichts zu sehen, daf r wird flei ig wider Islamisten gehetzt. Ich finde das besorgniserregend, mu doch jetzt jeder Angeh rige des Islams f rchten, verfolgt oder benachteiligt zu werden. Das reizt doch erst recht zum Gegenschlag, bei dem dann auch Menschen, die absolut nicht mit der hier vorherrschenden Meinung und Politik bereinstimmen, getroffen werden k nnen. Ich pers nlich habe kein Problem mit Menschen anderen Glaubens oder anderer Weltanschauung, solange wir friedlich miteinander leben k nnen. Ich teile eure Unzufriedenheit mit dem herrschenden Staat, der immer weitergehenden berwachung, Unterdr ckung von Leuten, die nicht dem vorherrschenden Menschenbild entsprechen (egal an welchen Kategori n), und bitte die, die dies lesen, nochmal nachzudenken, bevor sie etwas tun, was hinterher Unschuldige trifft oder gar in friendly fire ausartet. Hat eigentlich wer die in Bad Godesberg ausgegebenen Koran-B cher sich mal angeschaut? Als ich davon las, war ich ja zugegebenerma en neugierig, weil ich vom Koran leider eher wenig kenne, wei aber nicht, wie neutral oder eben nicht die bersetzung gehalten ist. Anhand dessen, was ich bereits mitbekam, sollte das eher friedlicher sein als was durch sp tere Theologen festgelegt wurde wie ja auch zum Beispiel im Christentum, aber ber die Horrorepisoden der christlichen Kirche will ich jetzt auch nicht mich auslassen, in der Hoffnung, da auch diese sich mit den Jahren gebessert hat. (Ist nur halt das Problem mit den Leuten, die die alten Hetzparolen jetzt noch verbreiten. Ist wie im Netz mit den Groupies von Theo de Raadt, die noch asiger zu Leuten sind als er selber.) (Au erdem mu man ja bef rchten, durch Besitz eines Korans schon vorverurteilt zu werden heutzutage *seufz* ich finde das nicht gut!) Update (ich verga ): auch der Ruf nach mehr Video berwachung ist nur Panikmache. Das geht nur zu Lasten des Normalb rgers. Vielleicht lassen sich noch Kleinstdelikte wie Taschendiebstahl damit abschrecken, aber gerade diese Bomben und dergleichen sind doch oft von Leuten, die vor Konsequenzen keine Angst haben, organisiert. Die werden dann maximal M rtyrer. Ich wiederhole nochmal f r die Politiker und die ganz langsamen unter den Lesern: berwachung verhindert keine Straftat.

Mobile devices A number of people are using small mobile devices to read Web pages. These devices have small screens, which make it hard to read pages designed for a large screen width.CSS Media types to the rescue Good news: the W3C thought of that fourteen years ago, when they introduced the concept of media types in CSS 2:

<link rel="stylesheet" type="text/css" media="handheld"/>

Here, the attribute media="handheld" indicates this dedicated style sheet should be loaded by hand-held devices (typically small screen, limited bandwidth) (quoting the CSS 2.1 Specification). Cool stuff, for a specification written in 1998, is it not? or not Well, bad news: mobile browsers do not honour it. Try this test page with a hand-held device: if the browser respects the specification, it should display a section of text which is not shown for regular browsers. It probably wont. So, how do people do to implement a specific style for mobile devices? Well, the W3C seemed to acknowledge the fact that mobile browser authors had no intention of respecting the existing specification, so they extended it with Media Queries:

<link rel="stylesheet" type="text/css" media="screen and (max-device-width: 480px)"/>

Here, this attribute indicates this dedicated style sheet is to be loaded by devices with a screen not too large (in pixels: not sure how this would work with small but high resolution screens). Thank you, mobile browsers, for not implementing a specification that was designed just for you before you even existed, and requiring such a kludge with a new specification instead

Next week end, November 24th and 25th, the mini Debconf will take place at EPITA in Paris. Mehdi Dogguy and I worked hard on the organization and on building a great program for this 2012 conference. This mini debconf will cover many subjects like Gnome (both as upstream and downstream), the Release team, how the Linux is packaged in Debian, etc.
The keynote will be "Free software and Debian, 20 years after" by Roberto Di Cosmo. Also, some merchandising will be proposed during the event by the association Debian France. Here is a quick list: Polos

Long-sleeved polo
40 euros - 10 pieces
Sleeveless polo
25 euros - 100 pieces Thanks to Tanguy Ortolo for taking take of the order. Buff

Buff Debian
18 euros - 75 pieces. It is described as Original Multifunctional Headwear. Real life example in video.
I love them! Finally, we will sell two kinds of Debian branded Sticker Portable:

Sticker Debian
1 euro - 100 pieces. They can be also ordered on the it2l website. Thanks to J r me Lemaire for providing these great products. If these products are successful, we will probably produce more for FOSDEM! For more information about the conference:
The official website
Wiki page for subscription

I am organizing two signing parties in France:

• Saturday, November 17th at 12:15 at the JDLL in Lyon;
• Sunday, November 25th at 11:45 at the Mini-DebConf in Paris.

Lyon, November 17th This will be an informal key signing party: just come with your ID documents and paper strips with your public key fingerprint. The signing party will occur at 2012-11-17 12:15+01:00 in the Maison Pour Tous in Lyon, France.

Paris, November 25th This will be a formally organized key signing party. If you want to participate, you should follow the indications given in the event wiki page. Basically:

1. send me your public key;
2. print some copies of your key fingerprint for people that did not register;
3. print the attendees list I shall send you before the event;
4. come to the signing party with all that, ID documents and a pen.

The signing party will occurr at 2012-11-25 11:45+01:00 in the pita school in Le Kremlin-Bic tre, France.

Tips To print strips with your public key fingerprint, you can use the utility gpg-key2ps from the package signing-party. If you are a user of the CAcert.org SSL certification authority, you can come to these signing parties with some copies of the accreditation form: it will be an opportunity to get or give CAcert.org accreditation.

The title of the next James Bond movie! Or will that be the next OpenBSD release song? ;-)

You certainly know Picasa Albums Web and Flickr, two commercial picture hosting services. You probably know a few free software projects that allow people to keep control of their own pictures, such as Gallery, Piwigo, Zenphoto or PhotoShow. GNU MediaGoblin is a similar project, but with some interesting characteristics and features:

• it has a funny name and mascot;
• it is part of the GNU project;
• it is written in Python;
• it does not need a database servers since can use an SQLite database;
• it is designed with a specific care for free culture, allowing to indicate the license of a picture and to provide its source format as an attachment for instance.
• it supports audio, video and 3D models with HTML5 features rather than the dreadful Flash;
• it is a work in progress and is asking for financial contribution.

If you find GNU MediaGoblin as promising as I do, please consider donating!

As you may know, when Phil Zimmermann published PGP, his goal was to counter the wide spying possibilities the development of electronic communications offered to the authorities, by promoting the general use of encryption so that 1. governments would not be able to restrict it afterwards and 2. it becomes possible to encrypt messages for privacy without drawing suspicion. Now, cryptography has made its way and is widely use, but mostly for commercial website and only sparsely for mail. Indeed, contrary to signing, encrypting a message requires that the recipient has a crypto key and is able and willing to use it to decrypt your message. To alleviate this problem, I thought that it would be useful to have a way, when sending a message, to tell your recipients that you would like that they encrypt their answers, because you are able and willing to get encrypted mail. I think the most relevant way to do that would be by adding a dedicated header field:

Encryption-Desired: PGP

In that header, one would be able to indicate what protocols he accepts. I suggest a comma-separated list, with the following possible values: PGP (or PGP/MIME and PGP/traditional for people that only accept one of these two PGP formats), S/MIME. For instance:

Encryption-Desired: PGP/MIME, S/MIME

It may be useful to be able to indicate that you either always wish your messages to be encrypted, or that it is only for this message's replies. If this is really relevant, it would take two distinct headers: Encryption-Desired and Reply-Encryption-Desired. Any thought about that proposal? Next thing to do, determine how to have that standardized at IANA and how to promote it.

Phishing is a fraud technique that consists in reproducing the content of a targeted website, directing users to it, and recording their credentials when they log into your website. It is like fishing fish with fake food, only you phish humans with fake websites. Well, I have a good news for the phishers: people are using more and more smartphones, and mobile browsers are making your job really easy. In fact, many regular smartphone user simply have no way to tell your fake website apart from the real one.For instance, this is what my bank website looks like in my desktop browser, and what a corresponding phishing website would look like: See the difference? It is not that obvious, but it is easy to detect when you are trained: the page address is not the same, with the fake website it refers to the phisher's server instead of the bank's one. Now, what does it look like on a Firefox Mobile? Well, here is the answer: the same, absolutely the same: The page address is hidden for space reasons, and only shown when touching the address page title bar. Want to browse the Web safely? After each link you follow, click on the page title bar. Good luck if you are using such a mobile Web browser. Fortunately, I am not.

This is my monthly summary of my Debian related activities. If you re among the people who made a donation to support my work (1086.48 , thanks everybody!), then you can learn how I spent your money. Otherwise it s just an interesting status update on my various projects. Dpkg I am subscribed to Launchpad s dpkg bug tracker and I was getting annoyed with the amount of noise I got under the form of bug reports that look like package foo failed to install/upgrade: package foo is already installed and configured . Those reports are a combination of a bug in APT and of random other failures (often hardware related like corrupted .deb files, or I/O errors, but sometimes also real problems in other packages) but they always end up assigned on dpkg (because dpkg is outputting an error message complaining about APT s decision to configure something that doesn t have to be configured). I simply don t have the time required to manually process and inspect all those reports, so I decided to filter them at the apport level with a new Ubuntu bug pattern that indicates that those reports are a duplicate of LP#541595. Thanks to this, the dpkg bug count quickly went down from 130 to about 80. Packaging I sponsored a new upstream version of ledgersmb. I quickly updated WordPress to version 3.4.2 since it contains security relevant fixes. I also pushed a small update of nautilus-dropbox fixing #686863 because upstream renamed the binary package that they hand out on their website from nautilus-dropbox to dropbox. Their dropbox package only conflicts with old versions of nautilus-dropbox and not with the version that Debian is shipping and thus I had to add a Conflicts on our side to forbid co-installation of both packages. Testing wheezy s installation I bought a new laptop (Lenovo Thinkpad X230) and used this as an excuse to test Wheezy s installation process. It worked mostly fine except for two things:

1. First I noticed that it would not accept my passphrase for my encrypted partition during early boot this turned out to be already reported as #619711 but was no longer getting any attention from the package maintainer. After some IRC discussion with Julien Cristau, we prodded Michael Prokop who had apparently already offered to take care of this issue. I tested his updated package and the result got quickly uploaded.
2. I had weird networking problems that turned out to be related to the lack of the loopback network (i.e. on localhost). This was the result of a broken /etc/network/interfaces: it had been incorrectly modified by NetworkManager. I reported this in #688355. This issue affects people with IPv6 enabled networks.

Debian France There s a resurgence of activity in Debian France. Sylvestre Ledru is leading the organization of a mini-debconf in Paris on November 24-25th. And Tanguy Ortolo is now taking care of some merchandising (Polo shirts, to change from the usual T-Shirt). I might give a talk during this mini-debconf, possibly about multi-arch. Misc It s been a few months that I noticed a 2 second lag of gnome-shell everytime that smuxi (my IRC client) sent a notification. It s very annoying, you have the impression that the entire machine freezes. So I contacted Mirco Bauer on #smuxi and we investigated a bit. It turns out that smuxi is using an old version of the notification protocol where the picture is sent as a bytestream leading to huge dbus messages. This is clearly sub-optimal so smuxi will be fixed to be able to send the path of the picture instead of the picture itself. On the other hand, it s really a bug of gnome-shell that it freezes during the time it takes to handle the bigger-than-usual dbus message. So I also filed a bug on GNOME Shell (Bugzilla #683829) to get this fixed. Librement: funding free software work I started a new project with the goal of helping free software developers to fund their free software work. It s still mostly vaporware for now but I have a public code repository, a nice logo and lots of ideas. If the topic is of interest to you, and you d like to be involved, feel free to get in touch. Otherwise stay tuned. Thanks See you next month for a new summary of my activities.

4 comments Liked this article? Click here. My blog is Flattr-enabled.

When you start using Linux' logical volume manager, one of the first question you have to answer is: what name will you give to your volume group? The usual answer is: vg1, vg2, etc. Although it does not bear any specific meaning, this naming convention is simple and seems functional enough. In fact, this is a bad idea, which can have nasty consequences on the long term. Here is why: one day, your computer will eventually give out. To save your precious data, you will remove its drives and plug them into another computer. If you are using LVM with the same naming convention on that second computer, you will then get a name conflict, which will prevent you from seeing the volume group you want to recover. The solution is to name volume groups uniquely across all your computers, and if possible other people's. An elegant way to achieve this is to use your host names as a basis. For instance, on a machine called Pi acolada , you would name a single volume group pinacolada , or two volume groups pinacolada1 and pinacolada2 . Or perhaps vg-pinacolada0 or whatever, you get the idea.

La Quadrature du Net is a European advocacy group that has been created to defend our rights and freedoms on the Internet against the continuous political threats driven by major corporations, such as the recent ACTA. After the recent citizen victories against these monsters, it is time to take the initiative and advocate for a reform of the copyright system which has become inappropriate with the omnipresence of copy-based systems. To this end, la Quadrature will give each Member of the European Parliament a customized USB drive, preloaded with a set of elements for a copyright reform, and with an anthology of free cultural works. To fund that campaign, la Quadrature is asking for everyone's help, by the means of an Ulule campaign (Ulule is a crowd-funding platform similar to Kickstarter). This initiative is noteworthy by at least two aspects:

• after years of being in a defensive position, I think this is the first offensive initiative from the citizen group in the copyright wars;
• the crowd funding will strongly indicate that it is supported by citizens.

If, like me, you are tired of the continuous attacks from the major corporations of mass entertainment, in addition to not helping them by buying their crap, you can now participate in this first counter-attack. This will probably not end the war, so I hope there will be more offensive actions from the citizen group!

XMPPloit is an exploit tool for a so-called flaw in the XMPP protocol. It has been published recently under the GPLv3 license, and has received much comment. However, it does not seem anybody took the time to study this attack and explain it. Goals XMPPloit is designed to serve as a transparent man-in-the-middle between an XMPP client and its XMPP server, in order to force the client not to encrypt its communications, so that it is possible to read them and modify them on-the-fly. That allows to force the client to use a clear text authentication mechanism, to display its login and password, and to modify any message it sends or receives. Mode of operation If you were expecting a tricky, undetectable attack against the XMPP protocol itself, you will be disappointed. This attack could not be simpler:

1. In XMPP, the clients opens a connection to the server as plain text. In this case, with the attacker between them.
2. The server offers the STARTTLS extension. The attacker blocks it, that is, does not transmit this offer to the client, so the connection stays in plain text.
3. The client authenticate over the plain text connection.

Comments

• This is not at all a flaw of the XMPP protocol. It is applicable to POP, IMAP, SMTP, in fact to any protocol that uses clear text connections and upgrades them using a STARTTLS-like mechanism. This includes HTTP with redirection to HTTPS.
• This is not transparent, at least not with XMPP client that respect the RFC recommendation that Clients SHOULD use TLS to secure the streams prior to attempting the completion of SASL negotiation. In Gajim for instance, the user would be informed that the authentication is going to happen without encryption, and asked for a confirmation.

In fact, this is only an exploit against design flaws of some XMPP clients that would not warn the user that they are about to send their credentials on a clear text channel. Actually, the protocol most vulnerable to this type of attack is HTTP. Many websites that identify their users are made available over clear text HTTP, with an automatic redirection to HTTPS. Unless they use HSTS, this redirection can be blocked by an attacker without being noticed by most users. And, contrary to XMPP, not warn the user of an insecure login is not the fact of some broken clients, but of all the available browsers. I repeat: not a single browser will currently tell the user: Hey, you are about to transmit a password in clear, it could be intercepted! . Yes, there are browser that warn their users this way the first time: Hey, you are about to transmit your answers to a form in clear! Do you wish to do that, and do you want me to warn you next time? but this not quite the same, and it is just badly designed and in practice neither useful nor usable so everybody disables that.

I had to play a bit with MySQL, saving and restoring databases with mysqldump and mysql. These two tools have one severe discrepancy, which I would like to comment here because I think it is an excellent example of what not to do when designing tools to be used together.Save mysqldump(1) is a database backup tool, that takes a MySQL database and prints the necessary SQL statements to restore it to a new server. It has one interesting option:

--default-character-set=charset_name Use charset_name as the default character set. See Section 10.5, Character Set Configuration . If no character set is specified, mysqldump uses utf8.

As you can see, it is quite modern in its default choice: if you do not specify which encoding you want to encode your database content into, it uses UTF-8. This way, it can save any database content, whatever characters it may contain. A more sensible choice may have been to use the LC_CTYPE environment variable. Restore mysql(1) is the command-line MySQL client, which can is used to restore such dumps. It has a similar option:

--default-character-set=charset_name Use charset_name as the default character set for the client and connection. A common issue that can occur when the operating system uses utf8 or another multi-byte character set is that output from the mysql client is formatted incorrectly, due to the fact that the MySQL client uses the latin1 character set by default. You can usually fix such issues by using this option to force the client to use the system character set instead.

As you can see, this utility is still has an antique design: if you do not specify a character set, it assumes you are giving it data encoded in latin-1. Discrepancy You can see the obvious discrepancy here: mysqldump encodes your database backups in UTF-8 by default, and mysql restores them as if they were encoded in latin-1. This way, when you have to restore your databases, if you thought you could do it without wondering, congratulations: voil , you have just fucked your databases up! And as an additional present, chances are high that this mistake is discreet enoughto be detected only after a while, when modifications have been done to the restored database and the original backups have been deleted. So, if you are dealing with MySQL databases, remember that you must take care of the encoding of your backups, because MySQL utilities will not by itself, or rather it will do just what should not be done. And if you are designing similar tools, please think, and if you want an example of what not to do, here is one!

This is my monthly summary of my Debian related activities. If you re among the people who made a donation to support my work (168.12 , thanks everybody!), then you can learn how I spent your money. Otherwise it s just an interesting status update on my various projects. Dpkg This month, I resumed my work on dpkg. I concentrated my efforts on some polishing of the 3.0 (quilt) format. With the latest version (1.16.6 which was uploaded to unstable shortly before the freeze), dpkg-source restores the source tree in a clean state after a failed patch application (#652970), doesn t overwrite the patch header from the pre-existing automatic patch, updates automatically debian/source/include-binaries during dpkg-source commit, and supports a new no-unapply-patches option for those who dislike the auto-unapplication at the end of the process when the patches were not applied at the start. I wanted to go further and offer a new feature that could insert the automatic patch at the bottom of the quilt series but I have been short on time to complete this feature. I just managed to factorize all the quilt handling in a dedicated Perl module (Dpkg::Source::Quilt) to have cleaner code in the module handling the source format (Dpkg::Source::Package::V3::quilt). For those who wonder, this feature is meant primarily for the X Strike Force team which maintains packages in Git and are doings lots of upstream cherry-picks (to fix regressions, etc.). But they also use quilt on top of that tree to keep some lasting Debian specific changes. With the 1.0 format, the automatic diff is a bit messy but at least it gets smaller automatically when a new upstream release gets out, there s nothing to clean out. I d like them to be able to use 3.0 (quilt) while keeping their workflow. I m leaning towards allowing --auto-commit=first:cherry-picks that would name the automatic patch cherry-picks and put it in the first position in the quilt series. (Opinions welcome on that feature, BTW) Packaging There s been quite some packaging in this last month before the freeze:

• I packaged CppUTest (a test framework for C/C++), and I wrote an article about it.
• I prepared a stable update of Publican to fix a missing dependency. I also updated the unstable version to include a backport of a fix that some user requested me to include.
• I updated dh-linktree to improve its documentation (following a discussion that happened on debian-devel) and to deal properly with trailing slashes in its input (#673408).
• I sponsored dblatex 0.3.4-1 and ledgersmb 1.3.18-1.
• I updated gnome-shell-timer to a new upstream snapshot that was tagged as compatible with GNOME 3.4 (#6776516).
• I packaged wordpress 3.4 and spent a whole day triaging the old bugs that accumulated. A few days later I developed a new infrastructure to properly manage plugins/themes/language files. The canonical directory where the user is expected to drop his custom plugins/themes is now in /var/lib/wordpress/wp-content/ and the official plugins/themes are installed there with symlinks pointing back to /usr/share/wordpress/wp-content/ where they actually reside.
• I wanted to commit 2 patches for the developers-reference but then I noticed that some translations were complete and were waiting for an upload. So I cleaned the packaging (switch to dh) and I uploaded version 3.4.8 before committing the patches for #678710 and #678712.

While doing all this packaging work, I found 2 possible improvements that I filed as bug reports:

• #676606: debcommit should be able to identify alone that a new release is prepared (when the distribution field of the changelog changes from UNRELEASED to something else).
• #679132: lintian outputs false positives for the tag package-uses-local-diversion when neither local nor package is given on the dpkg-divert command line.

Debian France Booth at Solutions Linux From June 19th to June 21th, I manned the Debian France booth at Solutions Linux together with Carl Chenet, Tanguy Ortolo and other members of the association. We answered lots of questions, sold all t-shirts and umbrellas that Carl imported from Germany and Switzerland (we really need to get our own merchandising stuff produced in France!), got people to join the association. We also presented a printed copy of the Debian Administrator s Handbook and of the corresponding French book. You can see Carl, me and Tanguy on this picture (click on it to see a bigger picture, thanks to S bastien Dubois of Evolix for this one!):
I know lots of people are preparing for Debconf but I decided to not attend this year, the price of the air plane ticket was a bit too hefty for me and it was also in partial conflict with our family vacations. I thought about attending the Libre Software Meeting instead but alas I won t go there either (but Roland Mas will be there!), I have too much work to complete before my own vacation in 2 weeks. Thanks See you next month for a new summary of my activities.

2 comments Liked this article? Click here. My blog is Flattr-enabled.

You already know NTP, the protocol that allows your computers to keep an accurate clock. Thanks to a global pool of time servers, it is available to everyone on the Internet. This public pool is constituted by volunteers' servers and it needs more.So, if you

• have a server with a decent (as in static address) broadband connection;
• want to help the Internets;

you should consider joining the pool. It is actually quite easy:

1. install NTP;
2. configure it to use five good servers from your region;
3. register your server.

Do you remember how Intel used to be the white knight of graphic card manufacturers, the one from which you could buy hardware without looking, being sure that it would be supported by GNU/Linux directly? Do you remember how they broke that by releasing the infamous Poulsbo card? Well, they did it again. The newest Intel Atom D2500, D2550, D2700, N2600 and N2800 processors, codenamed CedarView and Cedar Trail , include a graphic core that is only supported by a proprietary driver only available on Meego (read: unusable on regular GNU/Linux.So, if you plan to buy a netbook, beware! Intel is not a manufacturer you can trust to provide freely usable hardware. Just like other manufacturers, check that the hardware you are planning to buy is supported, by asking on #intel-gfx on Freenode. The most relevant course of action probably consists in buying a previous model or waiting for the next models.