Review: The Space Between Worlds, by Micaiah Johnson

Publisher:	Del Rey
Copyright:	2020
ISBN:	0-593-13506-7
Format:	Kindle
Pages:	327

Cara is valuable because, in most places, she's dead. In the world of Earth Zero, as the employees of the Eldridge Institute call it, a scientific genius named Adam Bosch developed the ability to travel between parallel worlds. This ability is not limitless, however. One restriction is that the parallel world has to be very close; large divergences of history render them unreachable. The other restriction is that anyone who attempts to travel to a world in which the local version of themselves is still alive is rejected: physically mangled in ways that result in a very short remaining lifespan. Earth Zero has not found a way to send information between worlds without sending people there physically to collect it. Those people are traversers, and their value lies in how many of their parallel selves have died. Each death in one of the 380 worlds Earth Zero can reach means another world that person can traverse to. They are the transportation system for a network of information-gathering nodes, whose collected contents are mined for stock tips, political cautions, and other information of value. Cara is dead on 372 worlds, and thus provides valuable savings on employee salaries. These related worlds are not so much post-apocalyptic as a continuation of current wealth disparity trends, although it's also clear that the climate has gotten worse. The Eldridge Institute, which controls traversing, is based in Wiley City, a walled, climate-controlled arcology of skyscrapers with a dome that filters out the dangerous sun. Its citizens are rich, with the best social support that money can buy. They are not interested in immigrants, unless they are extremely valuable. Cara is not from Wiley City. She is from Ashtown, the encampment in the desert outside of Wiley City's walls. That's part of the explanation for her death rate; in Ashtown, there are only a few ways to survive, particularly if one is not from the stiflingly religious Rurals, and most of them are dependent on being in the good graces of the local warlord and his Mad-Max-style enforcers. Being a traverser gets Cara out of Ashtown and into Wiley City, but not as a citizen, although that's dangled vaguely as a possible future prize. She's simply an employee, on a work permit, who enjoys the comforts of Wiley City for exactly as long as she's useful. Meanwhile, she juggles the demands of her job, her attraction to her watcher Dell, and her family in Ashtown. She is profoundly, aggressively cynical. Cara is also not precisely who people think she is. The Space Between Worlds pulls off a beautifully elegant combination of two science fiction subgenres: parallel universes and time travel. Both have been part of science fiction for decades, but normally parallel universes are substantially different from each other. Major historical events go differently, Nazis win World War II, Spock has a goatee, etc. Minor deviations are more often the subject of time travel stories, as travelers attempt to tweak the past and influence the future. Johnson instead provides the minor variations and small divergences of time travel stories in a parallel world framework, with no actual time travel involved or possible. The resulting story shows the same ripple effect of small differences, but the future remains unwritten and unconstrained, which avoids the stiflingly closed feeling of most time travel plots. Against that backdrop is set a story of corporate and personal intrigue, but one with a far deeper understanding of class and place than almost all of science fiction. Cara is not from Ashtown in the normal sense of science fiction novels written by comfortably middle-class white authors about protagonists from the wrong side of the tracks, who show their merit and then never look back. Cara is from Ashtown in a way that means she misses the taste of its dirt and understands its people and feels seen there. Wiley City knows very well that she's from Ashtown, and doesn't let her forget it. This type of ambiguous relationship with place and wealth, and deep connection to where one comes from, is so rare in science fiction, and it's beautifully written here. Cara wants to be in Wiley City over the alternative; the potential loss of her job is a real threat. But at the same time she is not at home there, because she is not visible there. Everything is slightly off, she has no one she can really talk to, and her reactions don't quite fit. No one understands her the way that her family in Ashtown does. And yet, by living in Wiley City, she is becoming less at home in Ashtown as well. She is becoming an outsider. It takes about 70 pages for the story in The Space Between Worlds to really get started. Those first 70 pages is very important background information that the rest of the story builds on, but they weren't that engrossing. Once the story kicks into gear, though, it's a tense, complicated story that I had a hard time predicting and an even harder time putting down. It's not perfect (more on that in a moment), but Johnson weaves together Cara's sense of place, her family connections, her sense of self, and her internal moral compass to create a memorable protagonist in a page-turning plot with a satisfying payoff. She uses our ability to look in on several versions of each character to give them additional satisfying heft and depth. Esther, Cara's highly religious sister, is the most delightful character in this book, and that's saying a lot coming from someone who usually doesn't like highly religious characters. I do have some world-building quibbles, and came up with more when I mulled over the book after finishing it, so you may need to strengthen your suspension of disbelief. The passive information gathering via traversing made a lot of sense; the bulk import of raw materials via the industrial hatch makes less sense given the constraints of the world. (Who is loading those materials into the other side? Or are they somehow traversing them directly out of the ground? Wouldn't someone notice?) The plot also partly hinges on a bit of lost technology that is extremely difficult to square with the rest of the setting, and felt like a transparent justification for introducing Mad Max elements into the setting. The quibble I noticed the most may be unavoidable given the setting: alternate worlds with slightly different versions of the same characters creates a potential explosion in cast size, which Johnson deals with by focusing on the cross-world variations of a small number of characters. I like all of those characters, but it does give the story a bit of an incestuous feel. The politics of every world revolve around the same ten people, and no one else seems to matter (or usually even has a name). That said, a small cast is a better problem to have than a confusing cast. Johnson does a great job helping the reader keep all the characters and relationships straight across their alternate world variations. I didn't realize until after I finished the book how difficult that probably was, which is the sign of a job well done. I do also have to complain about how completely dense Cara is when it comes to Dell, but I won't say any more than that to avoid spoilers. There are some things I figured out way before Cara did, though, and that made her behavior rather frustrating. This is an extremely impressive first novel that does some lovely things with genre and even more impressive things with social class and mobility. It's a little rough in places, you have to bear with the first 70 pages, and the ending, while a fitting conclusion to the emotional arc, seemed wildly unbelievable to me given the events of the plot. But it's very much worth reading despite those flaws. Johnson respects her characters and their culture and their world, and it shows. This was one of the best science fiction novels I read in 2021. (Content warning for physical and emotional partner abuse.) Rating: 8 out of 10

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you re interested in Android, Java, Games and LTS topics, this might be interesting for you. Debian Android

• I sponsored and reviewed android-platform-external-libunwind and android-platform-frameworks-base for Kai-Chung. Two more packages, android-framework-23 and android-platform-tools-swt, are currently waiting in the NEW queue and hopefully they become available soon. Kai-Chung also became Debian Maintainer this month and I granted him upload permissions for android-platform-tools-base for a start. Congratulations.
• I packaged a new upstream release of apktool (2.2.1).

Debian Games

• I fixed RC bugs in lordsawar (#839323) and doomsday (#839338).
• I packaged new upstream releases of atanks, lordsawar, blockattack and peg-e.
• I completed the Bullet transition (#839243). Bullet 2.85 has also been released this month but it is now too late for Stretch because the transition freeze is already on the 5th of November. I expect more point releases a la 2.85.x during the coming weeks and I intend to provide an updated package in experimental soon.
• I did some cleanups, package upgrades and bug fixes for box2d and redeclipse (apparently redeclipse-server requires the -data package to be present now).
• I uploaded Redeclipse 1.5.6 to jessie-backports in the hope that more players will be able to connect to the multiplayer servers. Unfortunately network compatibility breaks rather frequently.
• I applied a patch from Gianfranco Costamagna to address an Multiarch installation issue (#841824) in FreeOrion.

Debian Java

• This month I tended to upgrade more Java packages including new upstream releases of libjide-oss-java, activemq, easymock, libapache-mod-jk, svnkit, sweethome3d-furniture-editor, sweethome3d-textures-editor, sweethome3d-furniture, sweethome3d, sweethome3d-furniture-nonfree, maven-enforcer, bsaf, libjcommon-java, libjfreechart-java, libcsv-java, jansi, jansi-native, jboss-xnio and undertow.
• The update of maven-enforcer caused a regression in its reverse-dependencies (#841197) and required a patch and upload of another revision. The Jfreechart library upgrade also required a compatibility patch for statcvs.
• I updated stegosuite and fixed an incorrect Section field in debian/control.
• I updated the Debian packaging of libjgraph-java and libjemmy2-java.
• I decided to work on getting Eclipse into shape again. The current version is outdated and affected by several bugs at the moment and I really think it should not be released with Stretch. The new version though requires a major package update because the build system is Maven based now. Luca Vercelli already worked on sat4j and Tycho, two preconditions for packaging Eclipse. I reviewed sat4j and uploaded an NMU (#815911) later. I m still working on Tycho (#816604) and I hope to finish it soon.
• Netbeans 8.2 was released. I have already completed the work on libnb-platform18-java (updated package is available in Git) but I haven t started yet with netbeans itself. I intend to continue the fun in November.

Debian LTS This was my eight month as a paid contributor and I have been paid to work 13 hours on Debian LTS, a project started by Rapha l Hertzog. In that time I did the following:

• From 10. October until 17. October I was in charge of our LTS frontdesk. I triaged bugs in libgd2, graphicsmagick, libxrender, mupdf, libxfixes, guile-2.0, glance, inspircd, libxi, libxv, libxst, spip, libxml2, libarchive and jasper.
• DLA-648-1. Issued a security update for c-ares fixing 1 CVE.
• DLA-664-1. Issued a security update for libxrender fixing 2 CVE.
• DLA-666-1. Issued a security update for guile-2.0 fixing 2 CVE.
• DLA-667-1. Issued a security update for libxv fixing 1 CVE.
• DLA-668-1. Issued a security update for libass fixing 2 CVE. I triaged CVE-2016-7970 and marked the version in Wheezy as not affected.
• DLA-673-1. Issued a security update for kdepimlibs fixing 1 CVE.

Non-maintainer uploads

• I fixed various RC bugs in gnudoq and xsok which are not maintained by the Games Team. The following games are available in Stretch again: gnudoq (#817296, #817484), xsok (#817738) and I also worked on four more bug fixes to improve the game s desktop integration and internationalization support.
• I fixed another RC bug in trackballs (#831119) but while I was working on the update I discovered that the game frequently segfaults which makes it kind of unplayable (#839788). I haven t found a solution yet but I suspect the switch to guile-2.0 and related patches introduced this behavior.

QA

• I uploaded a new revision of criticalmass and applied a patch from Adrian Bunk to fix #811816, a FTBFS.
• I triaged an RC bug for raptor2 (#824735) and the issue could be closed after the bug reporter confirmed that raptor2 built fine again.

What happened about the reproducible builds effort for this week: Presentations On May 26th,Holger Levsen presented reproducible builds in Debian at CCC Berlin for the Datengarten 52. The presentation was in German and the slides in English. Audio and video recordings are available. Toolchain fixes

• Dmitry Shachnev uploaded pyqt5/5.4.1+dfsg-3 which makes pyuic output imports in stable order. Original patch by Reiner Herrmann.
• Lunar uploaded mozilla-devscripts/0.41 which uses the UTC timezone when calling zip or unzip.

Niels Thykier fixed the experimental support for the automatic creation of debug packages in debhelper that being tested as part of the reproducible toolchain. Lunar added to the reproducible build version of dpkg the normalization of permissions for files in control.tar. The patch has also been submitted based on the main branch. Daniel Kahn Gillmor proposed a patch to add support for externally-supplying build date to help2man. This sparkled a discussion about agreeing on a common name for an environment variable to hold the date that should be used. It seems opinions are converging on using SOURCE_DATE_UTC which would hold a ISO-8601 formatted date in UTC) (e.g. 2015-06-05T01:08:20Z). Kudos to Daniel, Brendan O'Dea, Ximin Luo for pushing this forward. Lunar proposed a patch to Tar upstream adding a --clamp-mtime option as a generic solution for timestamp variations in tarballs which might also be useful for dpkg. The option changes the behavior of --mtime to only use the time specified if the file mtime is newer than the given time. So far, upstream is not convinced that it would make a worthwhile addition to Tar, though. Daniel Kahn Gillmor reached out to the libburnia project to ask for help on how to make ISO created with xorriso reproducible. We should reward Thomas Schmitt with a model upstream trophy as he went through a thorough analysis of possible sources of variations and ways to improve the situation. Most of what is missing with the current version in Debian is available in the latest upstream version, but libisoburn in Debian needs help. Daniel backported the missing option for version 1.3.2-1.1. akira submitted a new issue to Doxygen upstream regarding the timestamps added to the generated manpages. Packages fixed The following 49 packages became reproducible due to changes in their build dependencies: activemq-protobuf, bnfc, bridge-method-injector, commons-exec, console-data, djinn, github-backup, haskell-authenticate-oauth, haskell-authenticate, haskell-blaze-builder, haskell-blaze-textual, haskell-bloomfilter, haskell-brainfuck, haskell-hspec-discover, haskell-pretty-show, haskell-unlambda, haskell-x509-util, haskelldb-hdbc-odbc, haskelldb-hdbc-postgresql, haskelldb-hdbc-sqlite3, hasktags, hedgewars, hscolour, https-everywhere, java-comment-preprocessor, jffi, jgit, jnr-ffi, jnr-netdb, jsoup, lhs2tex, libcolor-calc-perl, libfile-changenotify-perl, libpdl-io-hdf5-perl, libsvn-notify-mirror-perl, localizer, maven-enforcer, pyotherside, python-xlrd, python-xstatic-angular-bootstrap, rt-extension-calendar, ruby-builder, ruby-em-hiredis, ruby-redcloth, shellcheck, sisu-plexus, tomcat-maven-plugin, v4l2loopback, vim-latexsuite. The following packages became reproducible after getting fixed:

• afterstep/2.2.12-6 uploaded by Robert Luberda, original patch by Juan Picca.
• birdfont/2.8.0-2 by Hideki Yamane.
• bzr/2.6.0+bzr6602-1 by Jelmer Vernooij.
• cassiopee/1.0.3+dfsg-2 uploaded by Olivier Sallou, original patch by akira.
• dhcp-helper/1.1-3 by Simon Kelley.
• elog/3.1.0-2-1 by Roger Kalt.
• flashcache/3.1.3+git20150513-1 uploaded by Liang Guo, original patch by Reiner Herrmann.
• fonts-kiloji/1:2.1.0-21 by Hideki Yamane.
• inspircd/2.0.20-2 by Guillaume Delacour.
• jd/1:2.8.9-150226-3 by Hideki Yamane.
• jruby-joni/2.1.6-2 by Hideki Yamane.
• libaqbanking/5.6.0beta-1 by Micha Lenk.
• libencode-hanextra-perl/0.23-4 fixed and uploaded by Niko Tyni.
• libencode-jis2k-perl/0.02-3 by Niko Tyni.
• libjide-oss-java/3.6.9+dfsg-1 by Markus Koschany.
• librpc-xml-perl/0.78-3 upload by Niko Tyni, original patch by Reiner Herrmann.
• libterm-readkey-perl/2.32-2 by Niko Tyni.
• mkgmap-splitter/0.0.0+svn421-1 by Bas Couwenberg.
• mod-authn-webid/0~20110301-3 by Clint Adams, original patch by Chris Lamb.
• ossim/1.8.16-4 uploaded by Bas Couwenberg, original patch by Juan Picca.
• psfex/3.17.1+dfsg-2 by Ole Streicher.
• socket-wrapper/1.1.3-2 uploaded by Laszlo Boszormenyi, original patch by Jelmer Vernooij.
• stiff/2.4.0-2 by Ole Streicher.
• testng/6.9.4-2 by Eugene Zhukov.
• wcwidth/0.1.4-2 by Sebastian Ramacher.

Some uploads fixed some reproducibility issues but not all of them:

• ant/1.9.5-1 by Emmanuel Bourg.
• gcin/2.8.3+dfsg1-2 by ChangZhuo Chen.
• grcompiler/4.2-5 by Hideki Yamane.
• python2.7/2.7.10-2 uploaded by Matthias Klose, based on a patch by Lunar.
• python3.4/3.4.3-7 uploaded by Matthias Klose, based on a patch by Lunar.
• python3.5/3.5.0~b2-1 uploaded by Matthias Klose, based on a patch by Lunar.
• wml/2.0.12ds1-9 by Axel Beckert.

Patches submitted which did not make their way to the archive yet:

• #787327 on vim by Reiner Herrmann: set a constant user and set modified-by option.
• #787650 on lush by Daniel Kahn Gillmor: remove __DATE__ and __TIME__ macros from source.
• #787669 on cloc by Daniel Kahn Gillmor: use time of latest debian/changelog entry in manpage.
• #787675 on ricochet by Daniel Kahn Gillmor: patch configure to allow an external build date and set it to the time of latest debian/changelog entry.
• #787804 on clipper by akira: set HTML_TIMESTAMP to NO in Doxygen configuration.
• #787829 on colobot by akira: set HTML_TIMESTAMP to NO in Doxygen configuration.
• #787865 on fastjet by akira: call Doxygen with HTML_TIMESTAMP set to NO.
• #787916 on cal3d by akira: remove $datetime from the file api_footer.html.
• #787918 on dime by akira: remove $datetime from the file footer.html.

Daniel Kahn Gilmor also started discussions for emacs24 and the unsorted lists in generated .el files, the recording of a PID number in lush, and the reproducibility of ISO images in grub2. reproducible.debian.net Notifications are now sent when the build environment for a package has changed between two builds. This is a first step before automatically building the package once more. (Holger Levsen) jenkins.debian.net was upgraded to Debian Jessie. (Holger Levsen) A new variation is now being tested: $PATH. The second build will be done with a /i/capture/the/path added. (Holger Levsen) Holger Levsen with the help of Alexander Couzens wrote extra job to test the reproducibility of coreboot. Thanks James McCoy for helping with certificate issues. Mattia Rizollo made some more internal improvements. strip-nondeterminism development Andrew Ayer released strip-nondeterminism/0.008-1. This new version fixes the gzip handler so that it now skip adding a predetermined timestamp when there was none. Holger Levsen sponsored the upload. Documentation update The pages about timestamps in manpages generated by Doxygen, GHC .hi files, and Jar files have been updated to reflect their status in upstream. Markus Koschany documented an easy way to prevent Doxygen to write timestamps in HTML output. Package reviews 83 obsolete reviews have been removed, 71 added and 48 updated this week. Meetings A meeting was held on 2015-06-03. Minutes and full logs are available. It was agreed to hold such a meeting every two weeks for the time being. The time of the next meeting should be announced soon.

Review: Cry Wolf, by Patricia Briggs

Series:	Alpha and Omega #2
Publisher:	Ace
Copyright:	August 2008
ISBN:	0-441-01615-4
Format:	Mass market
Pages:	310

Cry Wolf is a sequel to the novella Alpha and Omega. This was originally included in the anthology On the Prowl, which I had no particular interest in, but it's now available as a standalone novella if you have an ebook reader. I recommend reading it first if you have any interest in this series; it's not particularly expensive, and piecing together what happened in it while reading the beginning of Cry Wolf is not particularly enjoyable. There are some mild spoilers for Alpha and Omega here, so if you're planning on reading the novella first, you may want to do that before reading on. Anna is an Omega, an extremely rare form of werewolf who does not fall into the normal pack hierarchy. With normal werewolves, either the wolf is dominant or is submissive, and the most dominant wolf leads the pack and can force their will on the other pack members. Omegas are strange. Normal pack dominance doesn't really work on them, but neither are they dominant themselves. At the start of Cry Wolf, Anna has very little idea what any of this means. She's been rescued from a horribly abusive situation and is being brought to Montana by Charles, the enforcer and son of the leader of all North American werewolves. And, apparently, her mate, according to both of their wolf natures, but she's not entirely sure what that means either. She doesn't have a lot of time to find out, since the local pack is immediately threatened by a rogue werewolf and she's pulled into both pack politics and that hunt. Cry Wolf, despite being the first full book of the Alpha and Omega series, is set in the same world as Briggs's Mercy Thompson series. (At a guess, somewhere around Iron Kissed.) This is not just a vague link within the universe, unfortunately. The characters here refer frequently to Mercy and previous events in her series in that way that implies the reader should have read them, without explaining fully what happened. If, like me, you're more interested in this series than the Mercy Thompson series (I preferred it because there are no vampires and I'm sick of vampires), be aware that starting here will feel like starting in the middle of a series. This will be even worse if you don't read Alpha and Omega first, making the first section of the book feel like constant namedropping when you don't know any of the references. The story, otherwise, is basically hurt/comfort with a side of coming of age. Whether you will enjoy this will depend on whether you're in the mood for a fairly predictable story that hits those buttons. Anna is a mess, thrown into survival mode after years of abuse and hating what she's become. (She is, actually, somewhat less of a mess than I think she should be given what happened to her, although Briggs has both her Omega nature and her wolf as outs there.) Charles wants to comfort her and isn't sure how. She misreads things, he misreads things, there's lots of missed communication... you've probably read this story before and have a pretty good idea how it will go. They are somewhat less stupid about their communication problems than the typical novel of this type, but they still don't use words very well. The rest of the plot felt like mostly an excuse to throw Anna and Charles together doing something external to their relationship and to give Anna a chance to use her unique talents. It takes a bit to get going, since most of the early book is introductions and setting up all the connections to the Mercy Thompson stories, but there is some meat to it, including fleshing out the mythology of werewolves in Briggs's world. (And some passable descriptions of Montana wilds.) I'm not a big fan of how power struggles and combat seem binary and very hierarchical, but that seems to be the way that Briggs differentiates her werewolves, and it does form a sharp contrast with Anna's ability. I think Omegas could have been even more subtle than they are here, but the interplay between the conflict-driven approach of everyone else and Anna's inherent calm can be fun. The biggest problem I had with Cry Wolf, apart from the general predictability of the story and relationships, is that the hurt/comfort angle never felt adequately resolved. Hurting a character very badly and then having others offer comfort is a very common story technique that brings with it some reader expectations in terms of emotional payoff. The point at which the comfort finally works can be very empowering and very affecting. I don't think Briggs hit the payoff as well as she could have. Anna recovers, but she does so rather more easily than felt correct, and without the emotional punch that I was waiting for. It seems odd to complain about this sort of urban fantasy novel having too little angst, and maybe I was just hoping for a story other than the one I was reading, but I wanted a story that dug a bit deeper into Anna's psyche. I think the best word for Cry Wolf is okay. If this is the story you're in the mood for, it delivers that story. Briggs's werewolves are mildly interesting, and the Omega concept is a good one, although not as thoroughly or convincingly explored as I would have liked. I would have preferred more intensity in the hurt/comfort plot and a more difficult healing, but I still enjoyed the book. Followed by Hunting Ground. Rating: 6 out of 10

Review: Alpha and Omega, by Patricia Briggs

Series:	Alpha and Omega #1
Publisher:	Berkley
Copyright:	2007
ISBN:	1-101-41379-4
Format:	Kindle
Pages:	112

Alpha and Omega is a novella set in Briggs's Mercy Thompson universe, an urban fantasy world that started with Moon Called. There's a limited edition hardcover version which is, at this point, ridiculously expensive, but it's available relatively inexpensively on the Kindle. (The page count in the sidebar may be high, since that's from the hardcover version; the Kindle version doesn't have page numbers.) It's the prequel novella to the novel Cry Wolf. You don't have to have read any of the Mercy Thompson novels to follow the story; it stands alone fairly well. I actually read Cry Wolf first, but (as I was warned) that proved to be a mistake, so I'm publishing my reviews in the "correct" reading order. Unusually for a niche novella leading into a regular series, Cry Wolf leans heavily on Alpha and Omega and works best if you've read it first. Anna is a werewolf, but not a very happy one. She's been a werewolf for three years, cutting herself off from everything before at the insistance of her pack, and she's at the bottom of the pecking order: abused, mistreated, and ordered about (although some of the abuse has gotten mildly better). That makes it startling that, when she sees a photograph in the paper of a missing teenager that she recognizes, she's willing to call the Marrok, the ruler of all wolves in North America, to report her pack's possible involvement. The Marrok sends his enforcer, Charles, to investigate. As soon as he arrives, he can tell that far more is wrong than anyone had realized. Anna's pack is completely dysfunctional, and Anna herself... well, that's the point of the story. Alpha and Omega has one of the more appealing qualities of novellas: a clear narrative drive that goes from point A to point B without many sidetracks or digressions. It's told in alternating tight third person perspectives, a traditional choice for this sort of story. Very little here will surprise an urban fantasy reader. It's the hurt/comfort story that one expects from the early going, but it's one that moves right along and hits most of the right notes. The biggest drawback for me was that I'm not horribly fond of Briggs's werewolf mythology. There are some parts that I like, such as Anna herself and the role that she discovers, but there's rather a lot of characters wrestling with their instinctive reactions or finding pack hierarchy enforced via means that appear to be magic. Given that the sort of absolute dominance hierarchy portrayed here is now considered dubious or refuted even in wild wolves, and given that I have a knee-jerk dislike of simplified, absolute structures, that part of Briggs's world-building makes my teeth itch. But, if you can get past that, and if you're not looking for any complex plotting (it is just a novella, after all), this isn't a bad way to spend an afternoon. It's comfort reading: things go roughly as you would expect them to go, and you can have the emotional satisfaction of seeing Anna's growth with very little risk. Followed by Cry Wolf. Rating: 7 out of 10

Content Security Policy is a proposed HTTP extension which allows websites to restrict the external content that can be displayed by visiting web browsers. By expressing a set of rules to be enforced by the browser, a website is able to prevent the injection of outside resources by malicious users.

While adding support for the March 2011 draft in Libravatar, I looked at three different approaches.

Controlling the headers in the applicationThe first approach I considered was to have the Django application output all of the headers, which is what the django-csp module does. Unfortunately, I need to be able to vary the policy between pages (the views in Libravatar have different requirements) and that's one of the things that hasn't been implemented yet in that module.

Producing the same headers by hand is fairly simple:

response = render_to_response('app/view.html')
response['X-Content-Security-Policy'] = "allow 'self'"
return response

but it would mean adding a bit of code to every view and/or writing a custom wrapper for render_to_response().

Setting a default header in ApacheIdeally, I'd like to be able to set a default header in Apache using mod_headers and then override it as needed inside the application.

The first problem with this solution is that it's not possible (as far I can tell) for a Django application to override a header set by Apache:

• mod_headers adds its response header after mod_wsgi has returned (unless early processing is used).
• Django's response objects cannot see the early headers set by Apache.

The second problem is that mod_headers doesn't have an action that adds/sets a header only if it didn't already exist. It does have append and merge actions which could in theory be used to add extra terms to the policy but it unfortunately uses a different separator (the comma) from the CSP spec (which uses semi-colons).

Always set headers in ApacheWhile I would have liked to get the second approach working, in the end, I included all of the CSP directives within the main Apache config file:

Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' data:"

<Location /account/confirm_email>
  Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src *"
</Location>

<Location /tools/check>
  Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src *"
</Location>

The first Header call sets a default policy which is later overriden based on the path to the Django view that's being used.

Related technologiesIf you are interested in Content Security Policy, you may also want to look into Application Boundaries Enforcer (part of the NoScript Firefox extension) for more security rules that can be supplied by the server and enforced client-side.

It's also worth mentioning the excellent Request Policy extension which solves the same problem by letting users whitelist the cross-site requests they want to allow.

My relationship with Puppet is one of love and hate. I am forced to use it simply because there is no better tool around, but I hate it in so many ways that I don t even want to start to enumerate (hint: most have to do with Ruby, actually). Today I decided to put an end to one thing that has been driving me insane: the fact that puppetd (the client) and puppetmasterd (the server) use the same working directory, /var/lib/puppet. Since I consider and would like to treatthe machine on which puppetmasterd is running just another puppet client, I was running into funky issues related to SSL certificate confusion, obscure errors, and SSL revocation horrors. The following hence assumes that you have installed or are planning to install puppetd on the machine running your puppetmaster, and that you have two fully-qualified domain names for the machine. For instance, I run puppetmaster on vera.madduck.net, and puppetmaster.madduck.net is an alias for the same machine. I ll use these names in the following as examples. The following may be Debian-specific, as I am solely using the puppet and puppetmaster packages for my experimentation and verification. Your mileage may vary, but the concept shall be the same.

1. Stop everything:

   /etc/init.d/puppetmaster stop
   /etc/init.d/puppet stop
   
   

   (also verify that you have not instructed cron to restart these services)
2. Rename the working directory:

   mv /var/lib/puppet /var/lib/puppetmaster
   
   

   and amend /etc/puppet/puppet.conf accordingly:

   [main]
   #  
   vardir=/var/lib/puppetmaster
   ssldir=$vardir/ssl
   #  
   [puppetmasterd]
   certname=puppetmaster.madduck.net
   #  
   
   

   I am doing this in [main], planning to override it for puppetd later, because puppetd is the only program which makes sense to be separated from the rest. Since only the puppetmaster needs a special certificate name, that is set specifically in the [puppetmasterd] section. If you use apache2 or nginx in front of your puppetmasters, make sure to amend the SSL file locations in the virtual host definition and restart (!) the service. You can verify that the configuration has been amended by making sure that there is no output from the following command:

   # puppetmasterd --genconfig   grep -q '/var/lib/puppet/' && echo SOMETHING IS WRONG
   
   

3. Now restart puppetmaster:

   /etc/init.d/puppetmaster start
   
   

   and verify that it starts. If your puppetmaster previously ran under a different name, it will create itself a new certificate and sign it. Since the client will get its own working directory (and thus a new SSL certificate), you want to remove all records of the old certificate:

   # puppetca --list --all
   + puppetmaster.madduck.net
   + vera.madduck.net
   # puppetca --clean vera.madduck.net
   
   

4. Change the configuration file to tell puppetd about its working directory:

   [puppetd]
   server=puppetmaster.madduck.net
   vardir=/var/lib/puppetmaster
   ssldir=$vardir/ssl
   #  
   
   

   This you can verify with the following command, which should not print anything:

   # puppetd --genconfig   grep -q '/var/lib/puppet[^/]' && echo SOMETHING IS WRONG
   
   

5. Now install puppet, or (re)start it if it s already installed:

   # /etc/init.d/puppet stop
   # puppetd --no-daemonize --onetime --verbose --waitforcert 30 &
   info: Creating a new SSL key for vera.madduck.net
   warning: peer certificate won't be verified in this SSL session
   info: Caching certificate for ca
   info: Creating a new SSL certificate request for vera.madduck.net
   # puppetca --list
   vera.madduck.net
   # puppetca --sign vera.madduck.net
   notice: Signed certificate request for vera.madduck.net
   notice: Removing file Puppet::SSL::CertificateRequest vera.madduck.net at '/var/lib/puppetmaster/ssl/ca/requests/vera.madduck.net.pem'
   # fg
   info: Caching certificate for vera.madduck.net
   info: Caching certificate_revocation_list for ca
   [ ]
   # puppetca --list --all
   + puppetmaster.madduck.net
   + vera.madduck.net
   # /etc/init.d/puppet start
   
   

   Do yourself the favour and check that it s all working.
6. Optionally, you can now clean up the client stuff in the server s working directory, for instance like this (it worked for me, but this is the sledgehammer approach):

   # /etc/init.d/puppetmaster stop
   # cd /var/lib/puppetmaster
   # tar -cf /tmp/puppetmaster.workingdir-backup.tar .
   # find ../puppet -type f -printf '%P\n'   xargs rm
   # /etc/init.d/puppetmaster start
   
   

7. If you stopped cron before (and your puppet recipes have not since restarted it):

   /etc/init.d/cron start
   
   

All done. I wish puppet, or at least Debian s puppet packages would do this by default. Please let me know if the above conversion works for you. Then I might start working on an automated migration. NP: Genesis: Selling England by the Pound

Alright, Debian GNU/Linux 5.0 AKA as Lenny has been released. Time for a Debian unstable unfreeze party! What does the new stable release bring for system administrators? I ll give an overview what news you might expect when upgrading from Debian GNU/Linux 4.0, codename Etch (released on 8th April 2007) to the current version Debian GNU/Linux 5.0, codename Lenny (released on 14th February 2009). I try to avoid duplicated information so make sure to read the release announcement and the official release notes for Lenny beforehand. Noteworthy Changes

• initrd-tools got replaced by initramfs-tools
• netkit-inetd got replaced by openbsd-inetd
• the default syslog daemon sysklogd got replaced by rsyslog
• new defaults when creating ext2/ext3 file systems: dir_index and resize_inode feature enabled by default and use blocksize = 4096, inode_size = 256 and inode_ratio = 16384 (see /etc/mke2fs.conf)
• improved IPv6 support
• init.d-scripts for dependency-based init systems
• Debian-Volatile (hosting packages providing data that needs to be regularly updated over time, such as timezones definitions, anti-virus signature files, ) is an official service
• EVMS (Enterprise Volume Management System) was removed
• compatibility with the FHS v2.3
• software developed for version 3.2 of the LSB
• official Debian Lenny live systems for the amd64 and i386 architectures
• several new d-i features

Virtualisation

• kvm: works out-of-the-box with Lenny
• OpenVZ: deploying OpenVZ systems works out-of-the-box now thanks to new OpenVZ kernel image flavors (no need for any further, external repositories)
• vserver: the according kernel images are available
• Xen: works (dom0 as well as domU support), see Xen @ Debian-Wiki

Virtualisation related new tools:

• ganeti: Cluster-based virtualization management software
• libvirt-bin: Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The library aims at providing a long term stable C API for different virtualization mechanisms.
• virtinst: Programs to create and clone virtual machines
• virt-manager: desktop application for managing virtual machines
• xen-shell: Console based Xen administration utility
• xenstore-utils: Xenstore utilities for Xen
• xenwatch: Virtualization utilities, mostly for Xen

Desktop oriented packages like virtualbox and qemu are available as well of course. Noteworthy Updates This is a (selective) list of some noteworthy updates:

• apache2: upgrade from 2.2.3-4+etch6 to 2.2.9-10+lenny2
• apt: upgrade from version 0.6.46.4-0.1 to 0.7.20.1, bringing apt-get autoremove
• aptitude: upgrade from version 0.4.4-4 to 0.4.11.11-1~lenny1, bringing aptitude safe-upgrade which replaces aptitude upgrade and aptitude full-upgrade replacing aptitude dist-upgrade
• bash: upgrade from 3.1dfsg-8 to 3.2-4
• bind: upgrade from 1:8.4.7-1 / 1:9.3.4-2etch4 to 1:9.5.0.dfsg.P2-5.1
• cfengine: upgrade from 2.1.20-1 to 2.2.8-1
• courier: upgrade from 0.53.3-5 to 0.60.0-2
• dpkg: upgrade from 1.13.26 to 1.14.24, bringing dpkg triggers
• drbd: upgrade from 0.7.21-4 to 2:8.0.14-2
• dstat: upgrade from 0.6.3-2 to 0.6.7-1, the new version for example provides the topcpu and topmem modules so you can run dstat -c -M topcpu -dng -M topmem to identify cpu and memory intensive jobs
• fai: upgrade from 3.1.8 to version 3.2.16, see NEWS
• gcc/g++: upgrade from 4:4.1.1-15 to 4.3.2-1.1
• git: upgrade from 1:1.4.4.4-4+etch1 to 1:1.5.6.5-2
• initramfs-tools: upgrade from 0.85i to 0.92o, see new Lenny features
• iproute: upgrade from 20061002-3 to 20080725-2
• iptables: upgrade from 1.3.6.0debian1-5 to 1.4.2-5
• gnu libc: upgrade from 2.3.6.ds1-13etch9+b1 to 2.7-18
• lighttpd: upgrade from 1.4.13-4etch11 to 1.4.19-5
• linux-kernel: upgrade from kernel 2.6.18 to 2.6.26, see wiki.debian.org/KernelFAQ#new-features-in-lenny
• lvm2: upgrade from 2.02.06-4etch1 to 2.02.39-6
• mdadm: upgrade from 2.5.6-9 to 2.6.7.1-1, see README.upgrading-2.5.3
• mercurial: upgrade from 0.9.1-1+etch1 to 1.0.1-5.1
• mount: upgrade from 2.12r-19etch1 to 2.13.1.1-1, bringing read-only binds, make-shared, make-slave, make-private, make-unbindable
• mysql: upgrade from 5.0.32-7etch8 to 5.0.51a-23
• nagios: upgrade from 2.6-2+etch1 to 3.0.6-3, see Upgrading From Nagios 2.x and What s New in Nagios 3 for details
• openldap: upgrade from 2.3.30-5+etch2 to 2.4.11-1
• openssh: upgrade from 1:4.3p2-9etch3 to 1:5.1p1-5
• postgresql: upgrade from 7.5.22 / 8.1.15-0etch1 to 8.3.5-1
• perl: upgrade from 5.8.8-7etch6 to 5.10.0-19
• php: upgrade from 5.2.0-8+etch13 to 5.2.6.dfsg.1-1+lenny2
• postfix: upgrade from 2.3.8-2+etch1 to 2.5.5-1.1
• puppet: upgrade from 0.20.1-1 to 0.24.5-3
• python: upgrade from 2.4.4-2 to 2.5.2-3
• ruby: upgrade from 1.8.5-4etch4 to 1.8.7.72-3
• samba: upgrade from 3.0.24-6etch10 to 2:3.2.5-4
• subversion: upgrade from 1.4.2dfsg1-2 to 1.5.1dfsg1-2
• tcl/tk: upgrade from 8.4.12-1etch2 to 8.5.3-4
• utilx-linux: upgrade from 2.12r-19etch1 to 2.13.1.1-1, brings new utilities like:
  • chrt: manipulate real-time attributes of a process
  • ionice: get/set program io scheduling class and priority
  • rename.ul: rename the specified files by replacing the first occurrence of from in their name by to
  • taskset: retrieve or set a process s CPU affinity
• zsh: upgrade from 4.3.2-25 to 4.3.6-6

New packages Lenny ships over 7000 new packages. Lists of new/removed/replaced packages are available online. I ll name 238 sysadmin related packages that might be worth a look. (Note: I don t list addon stuff like optional server-modules, docs-only and kernel-source related packages. I plan to present some of the following packages in more detail in separate blog entries.)

• ack-grep: A grep-like program specifically for large source trees
• acpitail: Show ACPI information in a tail-like style
• adns-tools: Asynchronous-capable DNS client library and utilities
• aggregate: ipv4 cidr prefix aggregator
• aosd-cat: an on screen display tool which uses libaosd
• apt-cacher-ng: Caching proxy for distribution of software packages
• apt-cross: retrieve, build and install libraries for cross-compiling
• aptfs: FUSE filesystem for APT source repositories
• apt-p2p: apt helper for peer-to-peer downloads of Debian packages
• apt-transport-https: APT https transport, use deb https://foo distro main lines in the sources.list
• arp-scan: arp scanning and fingerprinting tool
• array-info: command line tool reporting RAID status for several RAID types
• balance: Load balancing solution and generic tcp proxy
• bash-completion: programmable completion for the bash shell
• blktrace: utilities for block layer IO tracing
• daemonlogger: simple network packet logger and soft tap daemon
• daemontools: a collection of tools for managing UNIX services
• dbndns: Debian fork of djbdns, a collection of Domain Name System tools
• dcfldd: enhanced version of dd for forensics and security
• dctrl2xml: Debian control data to XML converter
• debomatic: automatic build machine for Debian source packages
• desproxy: tunnel TCP traffic through a HTTP proxy
• detox: utility to replace problematic characters in filenames
• di-netboot-assistant: Debian-Installer netboot assistant
• dish: the diligence/distributed shell for parallel sysadmin
• djbdns: a collection of Domain Name System tools
• dns2tcp: TCP over DNS tunnel client and server
• dnscache-run: djbdns dnscache service
• dnshistory: Translating and storing of IP addresses from log files
• dnsproxy: proxy for DNS queries
• dsyslog: advanced modular syslog daemon
• etckeeper: store /etc in git, mercurial, or bzr
• ext3grep: Tool to help recover deleted files on ext3 filesystems
• fair: high availability load balancer for TCP connections
• fatresize: FAT16/FAT32 filesystem resizer
• flog: dump STDIN to file and reopen on SIGHUP
• freeradius-utils: FreeRadius client utilities
• ganeti: Cluster-based virtualization management software
• gfs2-tools: Red Hat cluster suite - global file system 2 tools
• gitosis: git repository hosting application
• gptsync: GPT and MBR partition tables synchronisation tool
• grokevt: scripts for reading Microsoft Windows event log files
• grub2: GRand Unified Bootloader, version 2
• gt5: shell program to display visual disk usage with navigation
• haproxy: fast and reliable load balancing reverse proxy
• havp: HTTP Anti Virus Proxy
• heirloom-mailx: feature-rich BSD mail(1)
• hfsprogs: mkfs and fsck for HFS and HFS+ file systems
• hinfo: Check address ownership and DNSBL listings for spam reporting
• hlbr: IPS that runs over layer 2 (no TCP/IP stack required)
• hobbit: monitoring system for systems, networks and applications - server
• hotwire: Extensible graphical command execution shell
• hunchentoot: the Common Lisp web server formerly known as TBNL
• ifupdown-extra: Network scripts for ifupdown
• ike: Shrew Soft VPN client - Daemon and libraries
• incron: cron-like daemon which handles filesystem events
• inoticoming: trigger actions when files hit an incoming directory
• iodine: tool for tunneling IPv4 data through a DNS server
• iotop: simple top-like I/O monitor
• ipplan: web-based IP address manager and tracker
• ips: Intelligent process status
• iscsitarget: iSCSI Enterprise Target userland tools
• isns: Internet Storage Naming Service
• itop: simple top-like interrupt load monitor
• iwatch: realtime filesystem monitoring program using inotify
• jetring: gpg keyring mantainance using changesets
• john: active password cracking tool
• kanif: cluster management and administration swiss army knife
• keepassx: Cross Platform Password Manager
• keysafe: A safe to put your passwords in
• killer: Background job killer
• kpartx: create device mappings for partitions
• kvm: Full virtualization on x86 hardware
• latencytop: A tool for developers to visualize system latencies
• lbcd: Return system load via UDP for remote load balancers
• ldb-tools: LDAP-like embedded database - tools
• ldnsutils: ldns library for DNS programming
• lfhex: large file hex editor
• live-helper: Debian Live build scripts
• live-magic: GUI frontend to create Debian LiveCDs, netboot images, etc.
• logapp: supervise execution of applications producing heavy output
• lsat: Security auditor tool
• lustre-utils: Userspace utilities for the Lustre filesystem
• lwat: LDAP Web-based Administration Tool
• maatkit: Command-line utilities for MySQL
• mantis: web-based bug tracking system
• memdump: memory dumper
• memlockd: daemon to lock files into RAM
• metainit: Generates init scripts
• mirmon: monitor the state of mirrors
• mkelfimage: utility to create ELF boot images from Linux kernel images
• mongrel: A small fast HTTP library and server for Ruby
• monkey: fast, efficient, small and easy to configure web server
• monkeytail: tail variant designed for web developers monitoring logfiles
• mpy-svn-stats: Simple and easy to use svn statistics generator
• mr: a Multiple Repository management tool
• msr-tools: Utilities for modifying MSRs from userspace
• mtd-utils: Memory Technology Device Utilities
• munge: authentication service to create and validate credentials
• mxallowd: Anti-Spam-Daemon using nolisting/iptables
• mylvmbackup: quickly creating backups of MySQL server s data files
• myrescue: rescue data from damaged harddisks
• mysql-proxy: high availability, load balancing and query modification for mysql
• mysqltuner: high-performance MySQL tuning script
• nagvis: Visualization addon for Nagios
• ncdu: ncurses disk usage viewer
• netrw: netcat like tool with nice features to transport files over network
• netsend: a speedy filetransfer and network diagnostic program
• network-config: Simple network configuration tool
• nfdump: netflow capture daemon
• ngetty: getty replacement - one single daemon for all consoles
• nilfs2-tools: Continuous Snapshotting Log-structured Filesystem
• ninja: Privilege escalation detection system for GNU\Linux
• noip2: client for dynamic DNS service
• nsd3: authoritative domain name server (3.x series)
• ntfs-3g: read-write NTFS driver for FUSE
• nulog: Graphical firewall log analysis interface
• nuttcp: network performance measurement tool
• ocsinventory-server: Hardware and software inventory tool (Communication Server)
• odt2txt: simple converter from OpenDocument Text to plain text
• olsrd: optimized link-state routing daemon (unik-olsrd)
• onesixtyone: fast and simple SNMP scanner
• openais: Standards-based cluster framework (daemon and modules)
• opencryptoki: PKCS#11 implementation for Linux (daemon)
• openvas-client: Remote network security auditor, the client
• ophcrack: Microsoft Windows password cracker using rainbow tables
• op: sudo like controlled privilege escalation
• otpw-bin: OTPW programs for generating OTPW lists
• packeth: Ethernet packet generator
• paperkey: extract just the secret information out ouf OpenPGP secret key
• paris-traceroute: New version of well known tool traceroute
• password-gorilla: a cross-platform password manager
• pathfinderd: Daemon for X.509 Path Discovery and Validation
• pathfinder-utils: Utilities to use with the Pathfinder Daemon
• pcaputils: specialized libpcap utilities
• pcp: System level performance monitoring and performance management
• perlconsole: small program that lets you evaluate Perl code interactively
• pgloader: loads flat data files into PostgreSQL
• pgpool2: connection pool server and replication proxy for PostgreSQL
• pgsnap: PostgreSQL report tool
• pmailq: postfix mail queue manager
• pnputils: Plug and Play BIOS utilities
• policykit: framework for managing administrative policies and privileges
• postfwd: Postfix policyd to combine complex restrictions in a ruleset
• postpone: schedules commands to be executed later
• powertop: Linux tool to find out what is using power on a laptop
• prayer: standalone IMAP-based webmail server
• prelude-correlator: Hybrid Intrusion Detection System [ Correlator ]
• privbind: Allow unprivileged apps to bind to a privileged port
• pssh: Parallel versions of SSH-based tools
• ptop: PostgreSQL performance monitoring tool akin to top
• pyftpd: ftp daemon with advanced features
• rancid-core: rancid Really Awesome New Cisco confIg Differ
• rancid-util: Utilities for rancid
• rdnssd: IPv6 recursive DNS server discovery daemon
• rdup: utility to create a file list suitable for making backups
• reglookup: utility to read and query Windows NT/2000/XP registry
• rgmanager: Red Hat cluster suite - clustered resource group manager
• rinse: RPM installation environment
• rofs: Read-Only Filesystem for FUSE
• rsyslog: enhanced multi-threaded syslogd
• safe-rm: wrapper around the rm command to prevent accidental deletions
• samba-tools: tools provided by the Samba suite
• samdump2: Dump Windows 2k/NT/XP password hashes
• scalpel: A Frugal, High Performance File Carver
• scamper: advanced traceroute and network measurement utility
• scanmem: Locate and modify a variable in a running process
• schedtool: Queries/alters process scheduling policy and CPU affinity
• screenie: a small and lightweight GNU screen(1) wrapper
• scrounge-ntfs: Data recovery program for NTFS filesystems
• ser: Sip Express Router, very fast and configurable SIP proxy
• serverstats: a simple tool for creating graphs using rrdtool
• shutdown-at-night: System to shut down clients at night, and wake them in the morning
• sipcrack: SIP login dumper/cracker
• sks: Synchronizing OpenPGP Key Server
• slack: configuration management program for lazy admin
• sma: Sendmail log analyser
• smbind: PHP-based tool for managing DNS zones for BIND
• smbnetfs: User-space filesystem for SMB/NMB (Windows) network servers and shares
• softflowd: Flow-based network traffic analyser
• speedometer: measure and display the rate of data across a network connection
• spf-milter-python: RFC 4408 compliant Python SPF Milter for Sendmail and Postfix
• spf-tools-perl: SPF tools (spfquery, spfd) based on the Mail::SPF Perl module
• spf-tools-python: sender policy framework (SPF) tools for Python
• sqlgrey: Postfix Greylisting Policy Server
• ssdeep: Recursive piecewise hashing tool
• sshfp: DNS SSHFP records generator
• sshm: A command-line tool to manage your ssh servers
• sshproxy: ssh gateway to apply ACLs on ssh connections
• sslscan: Fast SSL scanner
• strace64: A system call tracer for 64bit binaries
• sucrack: multithreaded su bruteforcer
• supercat: program that colorizes text for terminals and HTML
• superiotool: Super I/O detection tool
• system-config-lvm: A utility for graphically configuring Logical Volumes
• system-config-printer: graphical interface to configure the printing system
• tack: terminfo action checker
• taktuk: efficient, large scale, parallel remote execution of commands
• tcpwatch-httpproxy: TCP monitoring and logging tool with support for HTTP 1.1
• terminator: Multiple GNOME terminals in one window
• timelimit: Simple utility to limit a process s absolute execution time
• tipcutils: TIPC utilities
• tor: anonymizing overlay network for TCP
• tpm-tools: Management tools for the TPM hardware (tools)
• tracker-utils: metadata database, indexer and search tool - commandline tools
• tumgreyspf: external policy checker for the postfix mail server
• ucspi-tcp: command-line tools for building TCP client-server applications
• unbound: validating, recursive, caching DNS resolver
• unhide: Forensic tool to find hidden processes and ports
• uniutils: Tools for finding out what is in a Unicode file
• unsort: reorders lines in a file in semirandom ways
• uphpmvault: upload recovery images to HP MediaVault2 via Ethernet
• usermode: Graphical tools for certain user account management tasks
• utf8-migration-tool: Debian UTF-8 migration wizard
• uuid-runtime: universally unique id library
• vblade-persist: create/manage supervised AoE exports
• vde2: Virtual Distributed Ethernet
• vdmfec: recover lost blocks using Forward Error Correction
• virtinst: Programs to create and clone virtual machines
• virt-manager: desktop application for managing virtual machines
• virtualbox-ose: x86 virtualization solution - binaries
• virt-viewer: Displaying the graphical console of a virtual machine
• watchupstream: Look for newer upstream releases
• whirlpool: Implementation of the whirlpool hash algorithm
• win32-loader: Debian-Installer loader for win32
• xavante: Lua HTTP 1.1 Web server
• xdelta3: A diff utility which works with binary files
• xen-shell: Console based Xen administration utility
• xenstore-utils: Xenstore utilities for Xen
• xenwatch: Virtualization utilities, mostly for Xen
• xfingerd: BSD-like finger daemon with qmail support
• xl2tpd: a layer 2 tunneling protocol implementation
• xrdp: Remote Desktop Protocol (RDP) server
• yersinia: Network vulnerabilities check software
• zerofree: zero free blocks from ext2/3 file-systems
• zipcmp: compare contents of zip archives
• zipmerge: merge zip archives
• ziproxy: compressing HTTP proxy server

Further Ressources

• Debian GNU/Linux 5.0 released - Release Announcement
• Debian GNU/Linux 5.0 - Release Notes
• Etch2Lenny Upgrade @ Debian-Wiki
• New in Lenny @ Debian-Wiki

At first glance, the Gowers report could be very good, especially the EUCD (European Copyright Directive, also known as European-DMCA, or "that TPM/DRM crap") changes for 'orphan works' and the fence-sitting on punishment adjustments, but could also be bad with increased numbers of state copyright enforcers and increased use of the confused "IP" jargon (then again, UK Patent Office handles Copyright at the moment, which is confused anyway).

History

• Alex Hudson's advice to fsfe-uk
• ORG's prep
• Official site at HM-Treasury

Discussion

• FSFE-UK, started by Alex Hudson
• FC-UK-Discuss, started by Rob Myers and David Berry
• FSFE-UK crossover
• Tom Chance's website

Heh, its been more than a day now since I got back from Manila after the Ubuntu AsiaBusinessTour, and even then I have some stuff to do here (both IRL and IOL work) before I could find some time to blog Here are the highlights of my trip:

• Feb 1 - Arrived in Manila around 6 in the evening; spent the early part of the evening looking for an internet cafe to check on mail. libmemcache got ACCEPTED, but it FTBFS on powerpc $DEITY, I sure wish I had my desktop with me! (or at least some access to a ppc Looked for someone on #debianPPC to help me solve it (and indeed got the hint by the next day Slept late.
• Feb 2 - Woke up late, checked mail only to be told by Jerome to GO HERE NOW to the Peninsula Manila for the ABT breakfast meeting. After a short tirade with some Ayala traffic enforcers about crossing pedestrian lanes, I was able to arrive (already late) to Garcia Villa, seeing Jerome, Charo, Clair, and Dom, providing a nice representation for both PLUG and Ubuntu-PH. The Inceptions folks (who I met last time at LinuxWorld) were there as well. Mark was already talking when I arrived, while Hande and Malcolm from Canonical were at the back with the local media; and after that, I got to talk with the SABDFL, of all things, about my Debian packaging adventure last night :/ After lunch, we then transferred to the National Computer Center at UP Diliman (Canonical in the chopper, Ubuntu-PH and PLUG in Jerome’s Picanto) to continue the Tour for government representatives and CIOs (which didn’t go quite well in my opinion; imagine crickets signing in the night), NGOs, and academe (which was much better, especially since Doc Pablo Manalastas asked the last question regarding backports.) Mark and company had to leave early, which left us PLUG/Ubuntu-PH people going to the UP Shopping Center for snacks, some talk, and an early wrapup. I however still slept late. Photos by Charo are visible.
• Feb 3 - After doing some errands in the morning, I went to Makati to meet up with Shelley, Markku, and Rommel of Inceptions. I will be doing a project with them

I’ve adopted opendchub, rccp, and xshisen from Grzegorz Prokopski too Heh, I’ll be quite busy this coming week…