Search Results: "Adrian Bridgett"

12 February 2011

Wouter Verhelst: Ten years of Debian

My first ever Linux installation was done in the late nineties (1998 or thereabouts), but was a RedHat 4.5 installation rather than a Debian one. The reason for that was fairly simple: the Infomagick sixpack CD set that I'd bought contained RedHat, Debian, and Slackware, but the RedHat installation was the only one that could be installed directly from CD; the other two required me to write floppies and boot from those to start the installation, and I wasn't very fond of that idea. It was only a few years and a few broken RedHat upgrades later that I saw the light and considered trying out this Debian thing that some of my classmates were talking about. The fact that I'd just bought my own computer (rather than having to compete for time with my siblings on my parents' computer) was a good reason to do a fresh Linux installation. I'd been planning to install Linux From Scratch, but as what was still known as the LFS HOWTO told me you'd need a working Linux installation to do that, I considered my options. Since I'd developed a strong dislike of RedHat, I wasn't interested in doing another RedHat anymore. So, I downloaded the most recent version of Debian at the time (Potato Test Cycle III), wrote it to a CD, and installed. I've probably still got the CD lying around somewhere.

A few months later, I found these "Linux Gazette" packages in the archive, with the latest packaged issue being 47, but the latest upstream version being much higher. Trying to figure out what was going on, I mailed the maintainer, Adrian Bridgett, who encouraged me to take over maintenance. Thus began my life of actively contributing to Open Source software. In November 2000, I applied to become a Debian Developer. In January 2001, Martin Michlmayr was assigned to be my AM. And in early February 2001, now just over ten years ago, I'd become a Debian Developer. Yes, that was fast, and no, I probably wasn't really ready yet, at the time.
Originally, I only cared much about these Linux Gazette packages. But, as time went on, I started looking around, too. A friend passed me an old Macintosh Centris 610. As I tried to install Debian on it, I found that it didn't actually run very well. This turned out to be due to it having a broken 68LC040 processor, so I bought me another m68k-based mac, one with a full 68040 processor (a Centris 650). Thus I became involved in the m68k port and buildd maintenance.

As these old machines came with 80MB or 250MB SCSI hard disks, of which I had none laying around, and a then-recent Debian installation had minimum requirements of about 200MB, I was in need of network storage to be able to do anything useful with the mac. NFS didn't work as expected; the RTC implementation on m68k mac hardware was reverse engineered and didn't work too well at the time, which meant that the clock would run slower if the machine was under load, and that in turn would mean that make would get confused about timestamps, since they would suddenly appear to originate from the future (in NFS, it's the server that assigns time stamps, not the client). There was a simple solution, however; Pavel Machek had written this neat 'Network Block Device', which would let the client do its own filesystem on network storage. Only it wasn't packaged; but then, that was easy to fix. Thus I started maintaining the single piece of software that I've worked the most on, to date. A few years later, Pavel lost interest in maintaining NBD, and handed over upstream maintenance to me and maintenance of the kernel side to Paul Clements. Thus began my life in upstream work.

And while I originally joined Debian with the intent of using it as a learning experience and stepping stone on my way to more "important" free software, I found that it wasn't as satisfying as was my work for Debian. Over the years, there's been this duality where I've felt like I was doing too much and not enough at the same time.
Too much, because the things I was doing would eat up much of my spare time, leaving little time left for other hobbies. Not enough, because I witnessed other people doing much more for Debian than I did, and I wanted to make a difference.

As the years passed by, many things have changed. Not only in Debian, but also besides it. I became an independent contractor, focusing mostly on supporting people in using Debian (although I support them with other distributions, too). The importance of a port went from 'something which these weird porter people are doing, and that we should probably help them with if it doesn't work, but is their problem really' to 'something that I really really really have to make sure works for my packages', and back for the port that I cared about most. After several years of trying, I finally managed to explain to my parents what this Debian thing is, why it matters, and what my role in the whole thing is. We did a few releases, some taking longer than I would've liked. People joined the project, and left again. Some of my friends died. My fame in the project rose, even though I wasn't aware of it initially; and thus I was rather surprised when someone asked me whether I was "the Wouter Verhelst" at a key signing party.

Recently, I've started looking back, and considered the things which Debian has meant to me. Ten years ago, I was 22, still in college, and had way too much spare time on my hands. I'd recently gotten my first Internet installation, and all these online communities were very new to me. Yes, that was all probably rather late. Debian has changed my life in many ways; it has allowed me to meet various kinds of people, both online and in meatspace. I've been to Helsinki, Edinburgh, Mar del Plata, Cáceres, and New York City, places that I might otherwise not have visited.
Each of these trips was an incredible experience that I have fond memories of; and while the most fond ones originate from Helsinki, I cherish the memories of each of these trips as some of the best trips I've ever done. Working on Debian has forced me to learn about the inner workings of a Linux-based system, which is knowledge that has helped me tremendously professionally, too. And finally, working on Debian has given me a unique perspective on this whole FOSS community, which has helped shape my ethics and my view of the world. While I believe that I would've subscribed to most of that ideology at any rate, I'm not sure that the details of my beliefs and understanding would've been exactly the same. And while I don't agree on every position that the project subscribes to as a whole, I do believe that the philosophies that lie at the core of this project contain just the right mix of pragmatism and ideology that makes it possible for our project to thrive in a changing world of not only a growing group of people who subscribe unconditionally to the free software ideals, but also business people who care mostly about money. Over the years, somehow I moved from "one of the recent batch of new Debian Developers" to "someone who's been with the project longer than most". It still feels weird to see people shut up because you've built up a reputation in some area, and you give your gut opinion on some subject without researching it too much. I try not to let that happen too often. Today, ten years and just over a week ago, my life as a Debian Developer started, and it would change the way I looked at the world, the things I would do in my spare time, and the people I would meet. I wouldn't have it any other way. Thanks, Debian, for what's been a blast; may the next ten years be as inspiring to me and everyone as the past ten!

23 April 2010

Jonathan McDowell: Out, damn'd PGP v3

Nearly a year ago people started worrying about the complexity of SHA-1 being reduced and the potential availability of viable attacks against things such as PGP keys that used SHA-1. Many people (myself included) generated a new key, or updated preferences on keys that were otherwise strong enough. There were worries about what this might mean for Debian. We were getting ahead of ourselves a bit though. Firstly there haven't been any public viable attacks that I'm aware of (though of course this doesn't mean we shouldn't continue to migrate away), but secondly there's a much easier method of attack. PGP v3 keys. To quote RFC 4880:

V3 keys are deprecated. They contain three weaknesses. First, it is relatively easy to construct a V3 key that has the same Key ID as any other key because the Key ID is simply the low 64 bits of the public modulus. Secondly, because the fingerprint of a V3 key hashes the key material, but not its length, there is an increased opportunity for fingerprint collisions. Third, there are weaknesses in the MD5 hash algorithm that make developers prefer other algorithms. See below for a fuller discussion of Key IDs and fingerprints.
At the time of writing Debian has 21 remaining v3 keys. This is a significant improvement over a year ago, when we had 200, but it's still 21 more than I'd like. I've been chasing people since last May (starting with those who had v3 + v4 keys, all of whom now only have a v4 key) and we're down to the stragglers. So it's time to name and shame, in the hope of kicking them into action. The following keys are what's left (doesn't match the currently active keyring because we've had a few replacements since the last promote):

0x0D2156BD3D97C149 Michael Stone <mstone>
0x225FD911CD269B31 Carlos Barros <cbf>
0x31E73F14E298966D James R. Van Zandt <jrv>
0x366CD3FEEBC11B01 Chris Waters <xtifr>
0x37A73FE355E8BC4D Frederic Lepied <lepied>
0x3E973117DCC528E9 Ardo van Rangelrooij <ardo>
0x5C7A46637953F711 Rich Sahlender <rsahlen>
0x5D6560F85F30F005 Craig Brozefsky <craig>
0x6B0E322836129171 Jim Westveer <jwest>
0x723724B4A5B6DD31 Christian Meder <meder>
0x7629B22ED71DAABD Adrian Bridgett <bridgett>
0x8FFC405EFD5A67CD Adam Di Carlo <aph>
0xB0D269DE17F3D4D1 Matthew Vernon <matthew>
0xBC151FC8D2A913A1 Peter S Galbraith <psg>
0xC1A0A171C2DCD3B1 Jim Mintha <jmintha>
0xC3168EBA23F5ADDB Ian Jackson <iwj>
0xCE951B1160D74C7D Patrick Cole <ltd>
0xE82A8B0D57137FE5 Paul Seelig <pseelig>
0xF20E242CE77AC835 Brian White <bcwhite>
0xFBAA570C3087194D Alan Bain <afrb2>
0xFFD1B4AC7C19FD19 David Engel <david>

Of these keys only 2 voted in the recent DPL election. 8 have failed to make any response to my mails (3 since last August). Only 9 have uploaded a package since August 2008. And 10 were already known to the MIA database. Some of them have stated they'll sort out a new key, but not yet done so.

If you are one of these people, please either get a new key sorted and signed and reply to the mails I've sent you, or reply and say you no longer wish to be involved in Debian. And if you know any of these people, encourage them to get a new key sorted and offer to sign it for them.
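The RFC 4880 passage quoted in the post above is easy to check concretely. The following Python is an added illustration, not code from the post or from Debian's keyring tooling: it computes the V3 Key ID (low 64 bits of the modulus) and V3 MD5 fingerprint, and the V4 SHA-1 fingerprint, following the constructions in RFC 4880 section 12.2, on constructed toy numbers. Because the V3 fingerprint omits the MPI lengths, two different (n, e) pairs whose concatenated bytes merely split at a different point hash identically, while the V4 fingerprint covers the bit counts and keeps them apart.

```python
import hashlib
import struct

def mpi_body(value: int) -> bytes:
    """Magnitude bytes of an OpenPGP MPI, without the 2-byte bit-count prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def mpi(value: int) -> bytes:
    """Full RFC 4880 MPI encoding: 2-byte bit count, then the magnitude."""
    return struct.pack(">H", value.bit_length()) + mpi_body(value)

def v3_key_id(n: int) -> str:
    """V3 Key ID is just the low 64 bits of the RSA modulus (RFC 4880 12.2)."""
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"

def v3_fingerprint(n: int, e: int) -> str:
    """V3 fingerprint: MD5 over the MPI bodies of n and e, lengths omitted."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """V4 fingerprint: SHA-1 over 0x99, a 2-byte length, then the key body
    (version 4, creation time, algorithm 1 = RSA, MPIs *with* bit counts)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(packet).hexdigest().upper()

def v4_key_id(n: int, e: int, created: int) -> str:
    """V4 Key ID is the low 64 bits of the SHA-1 fingerprint."""
    return v4_fingerprint(n, e, created)[-16:]

# Constructed toy keys (real moduli are hundreds of bytes long). The bytes of
# n||e are identical for both; only the boundary between n and e moves.
KEY_A = (0x010203, 0x04)
KEY_B = (0x0102, 0x0304)

def boundary_collision() -> dict:
    """Compare the two toy keys under the V3 and V4 identification schemes."""
    return {
        "v3_fp_equal": v3_fingerprint(*KEY_A) == v3_fingerprint(*KEY_B),
        "v4_fp_equal": v4_fingerprint(*KEY_A, 0) == v4_fingerprint(*KEY_B, 0),
        "v3_key_ids": (v3_key_id(KEY_A[0]), v3_key_id(KEY_B[0])),
    }

if __name__ == "__main__":
    print(boundary_collision())
```

The V3 Key IDs of the two toy keys still differ here, because the Key ID is read off the modulus itself; the point is that the fingerprint, the identifier people actually verify at a key signing party, does not tell them apart.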