For people who are visually differently-abled, the above reads To learn who rules over you, simply find out who you are not allowed to criticize Voltaire wrote this either in late 16th century or early 17th century and those words were as apt in those times, as it is in these turbulent times as well. Update 05/03 According to @bla these words are attributable to a neo-nazi and apparently a child abuser. While I don t know the context in which it was shared, it describes the environment in which we are perfectly. Please see his comment for a link and better understanding. The below topic requires a bit of maturity, so if you are easily offended, feel free not to read further. While this week-end I was supposed to share about the recent Science Day celebrations that we did last week Would explore it probably next week. This week the attempt is to share thoughts which had been simmering at the back of my mind for more than 2 weeks or more and whose answers are not clear to me. My buttons were pressed when Martin f. Kraft shared about a CoC violation and the steps taken therein. While it is easy to say with 20:20 hind-sight to say that the gentleman acted foolishly, I don t really know the circumstances to pass the judgement so quickly. In reality, while I didn t understand the joke in itself, I have to share some background by way of anecdotes as to why it isn t so easy for me to give a judgement call. a. I don t know the topics chosen by stand-up comedians in other countries, in India, most of the stand-up acts are either about dating or sex or somewhere in-between, which is lovingly given the name Leela (dance of life) in Indian mythology. I have been to several such acts over the years at different events, different occasions and 99.99% of the time I would see them dealing with pedophilia, necrophilia and all sorts of deviants in sexuality and people laughing wildly, but couple of times when the comedian shared the term sex with people, educated, probably more than a few world-travelled middle to higher-middle class people were shocked into silence. I had seen this not in once but 2-3 times in different environments and was left wondering just couple of years back Is sex such a bad word that people get easily shocked ? Then how is it that we have 1.25 billion + people in India. There had to be some people having sex. I don t think that all 1.25 billion people are test-tube babies. b. This actually was what lead to my quandary last year when my sharing of My Experience with Debian which I had carefully prepared for newbies, seeing seasoned debian people, I knew my lame observations wouldn t cut ice with them and hence had to share my actual story which involved a bit of porn. I was in two minds whether or not to say it till my eyes caught a t-shirt on which it was said We make porn or something to that effect. That helped me share my point. c. Which brings me to another point, it seems it is becoming increasingly difficult to talk about anything either before apologizing to everyone and not really knowing who will take offence at what and what the repercussions might be. In local sharings, I always start with a blanket apology that if I say something that offends you, please let me know afterwards so I can work on it. As the term goes You can t please everyone and that is what happens. Somebody sooner or later would take offence at something and re-interpret it in ways which I had not thought of. From the little sharings and interactions I have been part of, I find people take offence at the most innocuous things. For instance, one of the easy routes of not offending anyone is to use self-deprecating humour (or so I thought) either of my race, caste, class or even my issues with weight and each of the above would offend somebody. Charlie Chaplin didn t have those problems. If somebody is from my caste, I m portraying the caste in a certain light, a certain slant. If I m talking about weight issues, then anybody who is like me (fat) feels that the world is laughing at them rather than at me or they will be discriminated against. While I find the last point a bit valid, it leaves with me no tools and no humour. I neither have the observational powers or the skills that Kapil Sharma has and have to be me. While I have no clue what to do next, I feel the need to also share why humour is important in any sharing.- a. Break When any speaker uses humour, the idea is to take a break from a serious topic. It helps to break the monotony of the talk especially if the topic is full of jargon talk and new concepts. A small comedic relief brings the attendees attention back to the topic as it tends to wander in a long monotonous talk. b. Bridge Some of the better speakers use one or more humourous anecdote to explain and/or bridge the chasm between two different concepts. Some are able to produce humour on the fly while others like me have to rely on tried and tested methods. There is one another thing as well, humour is seems to be a mixture of social, cultural and political context and its very easy to have it back-fired upon you. For instance, I attempted humour on refugees, probably not the best topic to try humour in the current political climate, and predictably, it didn t go down well. I had to share and explain about Robin Williams slightly dark yet humorous tale in Moscow on the Hudson The film provides comedy and pathos in equal measure. You are left identifying with Vladimir Ivanoff (Robin Williams character) especially in the last scene where he learns of his grand-mother dying and he remembers her and his motherland, Russia and plays a piece on his saxophone as a tribute both to his grand-mother and the motherland. Apparently, in the height of the cold war, if a Russian defected to United States (land of Satan and other such terms used) you couldn t return to Russia. The movie, seen some years back left a deep impact on me. For all the shortcomings and ills that India has, even if I could, would and could I be happy anywhere else ? The answers are not so easy. With most NRI s (Non-Resident Indians) who emigrated for good did it not so much for themselves but for their children. So the children would hopefully have a better upbringing, better facilities, better opportunities than they would have got here. I talked to more than a few NRI s and while most of them give standardized answers, talking awhile and couple of beers or their favourite alcohol later, you come across deeply conflicted human beings whose heart is in India and their job, profession and money interests compel them to be in the country where they are serving. And Indian movies further don t make it easy for the Indian populace when trying to integrate into a new place. Some of the biggest hits of yesteryear s were about having the distinct Indian culture in their new country while the message of most countries is integration. I know of friends who are living in Germany who have to struggle through their German in order to be counted as a citizen, the same I guess is true of other countries as well, not just the language but the customs as well. They also probably struggle with learning more than one language and having an amalgamation of values which somehow they and their children have to make sense of. I was mildly shocked last week to learn that Mishi Choudary had to train people in the U.S. to differentiate between Afghan turban styles of wearing and the Punjabi style of wearing the turban. A simple search on Afghani turban and Punjabi turban reveals that there are a lot of differences between the two cultures. In fact, the way they talk, the way they walk, there are lots that differentiate the two cultures. The second shocking video was of an African-American man racially abusing an Indian-American girl. At first, I didn t believe it till I saw the video on facebook. My point through all that is it seems humour, that clean, simple exercise which brings a smile to you and uplifts the spirit doesn t seem to be as easy as it once was. Comments, suggestions, criticisms all are welcome.
Filed under: Miscellenous Tagged: #Elusive, #Fear, #hind-sight, #Humour, #immigrant, #integration, #Mishi Choudary, #refugee, #Robin Williams, #self-deprecating, #SFLC, #two-minds

It was in my mind to open a new series of articles with topic selfhosting , because I really believe in free software based network services and since long time I want to plug a machine 24 7 at home to host my blog, microblog, MediaGoblin, XMPP server, mail, and, in conclusion, all the services that now I trust to very kind third parties that run them with free software, but I know I could run myself (and offer them to my family and friends). Last September I bought the domain larjona.net (curious, they say buy but it s a rent, for 1,2,3 years never yours. Pending another post about my adventures with the domain name, dynamic DNS, and SSL certs!) and I bought an HP Microserver G7 N54L, with 2 GB RAM. It had a 250GB SATA harddisk and I bought 2 more SATA harddisks, 1 TB each, to setup a RAID 1 (mirror). Total cost (with keyboard and mouse), 300 . A friend gave me a TFT monitor that was too old for him (1024 768) but it serves me well, (it s a server, no graphical interface, and I will connect remotely most of the times). Installing Debian stable (wheezy) I decided to install Debian stable. Jessie was not frozen yet, and since it was my first non-LAMP server install, I wanted to make sure that errors and problems would be my errors, not issues of the non-released-yet distro. I thought to install YunoHost or some other distro prepared for selfhosting, but I ve never tried them, and I have not much free time, so I decided to stick on Debian, my beloved distro, because it s the one that I know best and I m part of its awesome community. And maybe I could contribute back some bug reports or documentation. I wanted to try a crypto setup (just for fun, just for learn, for its benefits, and to be one more freecrypto-tester in the world) so after reading a bit: https://wiki.debian.org/DebianInstaller/SataRaid
https://wiki.archlinux.org/index.php/disk_encryption
http://madduck.net/docs/cryptdisk/
http://linuxgazette.net/140/kapil.html
http://smcv.pseudorandom.co.uk/2008/09/cryptroot/
http://www.linuxquestions.org/questions/linux-security-4/lvm-before-and-after-encryption-871379/ and some other pages, and try some different things, this is the setup that I managed to configure:

• A rescue system with /boot and / partitions, both in the 250 GB disk.
• A RAID 1 system of the two 1TB disks, setup in the BIOS of the machine (so the motherboard handles the RAID and the OS is focused in other things).
• Inside the Debian installer, I went to manual partition, then I put my /boot in the 250GB disk (yes, a 2nd /boot there), and then selected the 1TB disk (since the RAID was already made, it appeared a single 1TB disk) as physical device to be encrypted.
• After that, still in the Debian installer, I setup LVM there: configured a volume group, then, two volumes, one for / and the other one for swap.
• Then I saved the changes and go on installing my system.

Everything went well. Yay! Some doubts and one problem Everything went quite well except some doubts:

• I m still not sure if this BIOS RAID ( Fake RAID ) is better than a software RAID or not. I suppose it s better since I delegate in the motherboard to do it, and leave the OS to care about other things (transcode my videos yeah!). But I don t know how to measure performance and which metrics and results should I expect. The disks (cheap disks) are a bit noisy (just a bit! or maybe it s the fan that it s very quiet! poor Laura, never saw/had a luxury machine like this one :)
• I had to install firmware-linux-nonfree in order to properly use the graphics card (Mobility Radeon HD 4225/4250). I have no graphical environment there, only a console, so I was not sure if installing the firmware or not (without the firmware, the letters of the console were bigger, but I just don t mind since I most of the time I log in remotely from my laptop). Then, two questions arised to my ignorant mind:
  1. Do I need the driver for better performance (aka is the graphics card used for rendering/transcoding/showing images and videos in my MediaGoblin site or just when it s needed to display them in local (and subsequently, never)?
  2. If I leave the system like that, and forget about the firmware warning at boot time, can the hardware be damaged by the default (free) driver? (for example, due to fan controlling malfunction or something like that).

After talking about this issues with friends (and in debian-women IRC channel), I decided to install the non-free driver, just in case, with the same reasoning as with the RAID: let the card do the job, so the CPU can care about other things. Again, I notice that learning a bit about benchmarking (and having some time to do some tests) would be nice And now, the problem:

• I noticed something strange in my setup. Sometimes, after a system reboot, cryptsetup was not accepting the password to unlock the encrypted disk. And believe me, I was typing it carefully. But when I completely shutdown the computer, unplug the cable, replug the cable, and start again, the password was accepted. The keyboard is USB and this machine does not accept other connection for the keyboard. The keyboard configuration, language and so, was all correct. No Non-ASCII symbols in my password. My password would need to press the same keys in a Spanish and an English keyboard.
• I thought that maybe something in my RAID was failing. I tried to disconnect one of the disks, and see if (1) the bug was solved (no) and (2) the RAID was working (yes). I made the same with the other disk. I was happy that I could reconstruct my RAID when plugging the disk again. But still I had the problem of the password.

I left this problem apart and go on installing the software. I would think later what to do. Installing MediaGoblin The most urgent selfhosting service, for me, was GNU MediaGoblin, because I wanted to show my server to my family in Christmas, and upload the pictures of the babies and kids of the family. And it s a project where I contribute translations and I am a big fan, so I would be very proud of hosting my own instance. I followed the documentation to setup 2 instances of GNU MediaGoblin 0.7 (the stable release in the moment), with their corresponding PostgreSQL databases. Why two instances? Well, I want an instance to host and show my videos, images, and replicate videos that I like, and a private one for sharing photos and videos with my family. MediaGoblin has no privacy settings yet, so I installed separate instances, and the private one I put it in a different port, with a self-signed SSL cert, and enabled http-authorization in Nginx, so only authorized Linux users of my machine can accesss the website. Installing MediaGoblin was easier than what I thought. I only had some small doubts about the documentation, and they were solved in the IRC channel. You can access, for example, my user profile in my public instance, and see some different files that I already uploaded. I m very happy!! Face to face with the bug, again I had to solve the problem of the password not accepted in reboots. I began to think that it could be a bug in cryptsetup. Should I upgrade the package to the version in wheezy-backports? Jessie was almost frozen, maybe it was time to upgrade the whole system, to see if the problem was solved (and to see how my MediaGoblin was working or not in Jessie. It should work, it s almost packaged! But who knows). And if it didn t work, maybe it was time to file a bug So I upgraded my system to Debian Jessie. And after upgrade, the system didn t boot. But that s the story of another blog post (that I still need to finish to write don t worry, it has happy end, as you could see accessing my Mediagoblin site!). Comments? You can comment in this pump.io thread.
Filed under: My experiences and opinion Tagged: Debian, encryption, English, libre software, MediaGoblin, Moving into free software, N54L, selfhosting, sysadmin

The Abel prize for 2011 has been awarded to John Willard Milnor.[1] In response to a query from Dr. R. Ramachandran who writes about Science and Science Policy for The Hindu'' newspaper group, I wrote the following short piece which others may find interesting as well. Milnor is well-known for his work on topology and geometry. He has also made significant contributions to algebra and even number theory. In addition, he has written a number of books which are loved by graduate students in Mathematics all over the world. One of the striking early results of Milnor was the example he gave of a seven dimensional space which is topologically a sphere but its geometric (differentiable) structure is different. This was the first example of an "exotic sphere". A nice way to state his main result (due to Ajit Sanzgiri) is that "Groups of homotopy spheres are homotopy groups of spheres". Milnor received the Fields' Medal in 1962. In addition, the work of a number of later Fields' medallists such as Donaldson, Thurston, Mori and Voevodsky can be seen as having roots in the work of Milnor.

---

[1]The last time I wrote about the Abel Prize was to contribute to a guest post to Rahul Basu's science blog: The Far Side. Unfortunately, Rahul is no longer among us. This post is dedicated to the memory of Rahul Basu.

It might seem odd that someone who has come from a research organisation to one which is for education and research should ask a question such as the title! Some explanations are in order. Mathematics is one of the oldest intellectual activities of mankind, so it is not surprising that the amount of mathematics that has already been done is enormous as compared with almost any other discipline. One consequence (that has not escaped notice!) is that people who prove theorems are often much older today than in earlier years. Another important consequence is that for anyone active in mathematical research today, most mathematical learning has happened outside the classroom. Moreover, such non-classroom learning is far from linear. Monuments of mathematical beauty are built on wooden stilts; the latter are only turned into firm pillars when one finally writes down the fruits of one s research. The above paragraph is nothing new to working mathematicians, but each incoming generation must learn it anew. This is because courses and books in mathematics are often structured in a linear way. There are clearly defined prerequisites and everything new is either defined or proved in strict deductive order. This serves the important purpose that each fresh batch of students verifies the grand edifice . However, it also leaves many a student with the false impression that this is how mathematics is done. Even worse, it may leave the impression that classroom and textbook learning is what mathematics is about. One should certainly strive to improve one s classroom skills, to write more readable textbooks and to design better courses. However, one should never lose sight of the wide open spaces where many new mathematicial objects are built.

(This blog has slept since I wrote the previous post. That post had to wait for a year to be made public! Anyway, here I go again ) One of the ways people characterise science and technology is by saying that science is about prediction and technology is about design. This is not wrong but I feel that it misses something. An astrologer too claims to predict the future and claims to tell you how to re-design your future. So the above explanation of science and technology could make it indistinguishable from magic! One thing that does distinguish science is that the prediction and design is done by calculation ; this is not restricted to mathematical calculation but includes recipes like mix so much of this reagent with so much of that solvent . In fact, the notion of calculation can be expanded to anything that I can teach someone else to do even an idiot like a computer. This leads us to the view that science is not only about making predictions and designing things but also about teaching others to do the same. At the very first level, this is done by providing formulas which other people can use to make predictions and design things. However, this is not quite far enough, since it would still make the act of creating these formulas a magical thing! So we must take this a step further and be able to teach others how to create their own formulas. In other words, we want to provide formulas for creating new formulas. It does look as if we could be in infinite regression here, for who will then create formulas to provide formulas for creating new formulas! Luckily, the monadic thinking of Turing helps us here. He realised that formulas for creating new formuals are themselves just (slightly more complicated) formulas. Just as a gift-wrapped box containing a gift can be thought of as just a box containing a gift.

The Abel Prize 2009 has been awarded to Mikhail Gromov. Rahul Basu was kind enough to invite me to write about this on his blog: The Far Side. The write-up is a summary of a longer article; which in turn is based on a talk I gave for STAMATICS which is the Math club of IIT, Kanpur.

Rahul Basu pointed out an article by the eminent scientist Freeman Dyson. In the past Dyson has raised a number of interesting questions and has been thought-provoking, but it is difficult to read him when he writes like this. I have re-phrased what he has said (debunking climatologists) and turned it into an argument against the Large Hadron Collider so that we can see how obnoxious it sounds.¹

My first heresy says that all the fuss about the Higgs particle is grossly exaggerated. Here I am opposing the holy brotherhood of high energy physicists and the crowd of deluded citizens who believe that the world is predicted by the standard model. Of course, they say, I have no degree in physics and I am therefore not qualified to speak. But I have studied the standard model and I know what it can do. The model solves the equations of gauge theory in the simplest cases, and it does a very good job of describing the interactions of the known particles. It does a very poor job of describing how mass arises and the chemistry and the biology of phenomena we see everyday. It does not begin to describe the real world that we live in. The real world is muddy and messy and full of things that we do not yet understand. It is much easier for a scientist to sit in an air-conditioned building and run computer models, than to put on a lab coat and measure what is really happening in the complex phenomena of compounds and materials. That is why the high enery physicists end up believing their own models.

The rest of the article can then be similarly re-phrased but I will just summarise it as:

There is no reason for the rest of the world to believe the high energy physicists and squander billions of dollars into following their proposed unique solution to the questions of physics.

Of course, there is a good chance that Dyson will agree with the above point of view as well! The problem with controversialists'' like Dyson is that they believe that taking extreme positions helps clarify issues. Unfortunately, extremists are a-dime-a-dozen in today's world. I suppose I should clarify that I accept neither the extreme position on climatology nor the one on the LHC!

We managed to watch the multi-award winning "Slumdog Millionaire" this weekend. It is difficult for me to understand why people (in India or PIO's) are so upset about the movie. It is a good movie (I do not know enough about cinema to pronounce it a great movie).

• the narrative style is very nice --- question and answer.
• the editing is tight; the movie doesn't drag at any point.
• there are some very nice sequences and panoramic views.
• none of the actors stands out, but then none bombs out either!

As a Rahman fan since "Kadal Desam" (1993 or so), my opinion on the music is a bit biased. His work on this movie is more than competent though not his best. A. R. Rahman has written better songs than "Jai Ho!" and I didn't notice anything spectacular about the rest of the music. Still, it is worth noting that his best work is in the context of Indian-style films, where there are a lot of songs; the background score of those films only stands out if it is bad! So, I suppose that the criticism of this movie by Indians is largely based on its story-line and setting. This is strange, since poverty in a Mumbai slum (to the extent that I am acquainted with it) is depicted quite accurately here. The plot (like any Dickensian story) drives home the terrible nature of poverty in cities but still manages to inject a note of optimism.

If you are lucky/strong enough to survive with your humanity intact after growing up in a Mumbai slum, then the luck required to win a TV show is nothing in comparison.

The recent issue of Frontline has an interview of Stallman. It is indeed a nice thing to see that nationally circulated news magazines in India are talking about Mukta Software. However, it is disappointing to see the FSF take one more pot-shot at Linus Torvalds.

Torvalds said he rejects GNU GPL Version 3 because he approves of tivoization, because he does not agree that users deserve the freedom to change their own copies of software.

By choosing the GPL for his own code Linus Torvalds gave users the freedom to change their own copies of Linux. This certainly seems at odds with what is quoted. There are many different points of view about how the cause of mukta software and its users can be strengthened. I think we can agree that it is certainly not strengthened by shooting each other in the foot. The GPLv3 bolsters-up one aspect of this cause: use the legal system to make if difficult (if not impossible) to take free software and put it in proprietary bottles. Linus Torvalds and all his "show me the code" buddies are addressing another aspect; to ensure that there are enough people accomplished in the task of reading, improving and writing high quality free software. The West has traditionally had more success with the law. When free programs was written in the 70's and 80's by people who did not care to preserve its freedom with a free license, this code was gobbled up and re-gurgitated as proprietary software. Once free licenses became commonplace in the 90's, the West has had a resurgence of high quality public code and coders. Unfortunately, some of the latter tend to look down on "mere users". Over here, in India, we have little faith in the legal system. (For reasons, see this report and a more recent one). We know that freedom is hard fought even when the law is technically on your side. At the same time, the brahminical approach of knowledge being safe-guarded by the self-proclaimed elite was what rang the death knell for Indian knowledge systems in the past. So it is important that the breed of skeptical people in India who tinker with their computers and software (and everything else) grows.

We have far too many cattle who will follow any flute-playing good-looking young person who is willing to fight their demons for them.

fakechroot, or any similar tool that uses a facility such as LD_PRELOAD, is not suitable for use in a security context. Such tools are way cool, but can be trivially broken out of by the attacker. Kapil Paranjape suggests using fakechroot for locking down ssh authorized keys for unison. The idea being unison will run in a (fake)chroot, set up by a regular, non-root user, and will thus be limited to the files you want it to access. First problem is, any statically linked executable on the system (unison can be used to upload one too) is immune to the fakechroot.

joey@gnu:~>FAKECHROOT_EXCLUDE_PATH=/bin fakeroot fakechroot chroot /tmp/empty /bin/sh
sh-3.2# ls
sh-3.2# ls /
sh-3.2# cd ..
sh-3.2# ls
sh-3.2# sash
Stand-alone shell (version 3.7)
> cd ..
> ls
empty  gconfd-joey  gpg-XhukMB  keyring-ZxSuTB  orbit-joey
> cd ..
> ls
bin    etc         lib     opt   selinux  usr

Getting unison to run a static executable in a setup such as Kapil describes is left as an exercise for the more determined attacker than I. Here, though, is an easier way.

sh-3.2# ls /
sh-3.2# ls /bin/..
bin    etc         lib     opt   selinux  usr

To understand why this works, notice that I left /bin excluded when I ran fakechroot. (Still .. Is this a bug in fakechroot?) Or, you could use unison to upload a symlink:

joey@gnu:~>ln -s / /tmp/empty/root
joey@gnu:~>FAKECHROOT_EXCLUDE_PATH=/bin fakeroot fakechroot chroot /tmp/empty /bin/sh
sh-3.2# ls root
bin    etc         lib     opt   selinux  usr

---

Moral: Taking a program, be it fakechroot or unison, that was never designed with security in mind, and trying to use it as a security barrier, is an open invitation to pain.

There are a number of documents about how to permit ssh access to run rsync or unison for remote synchronisation by an appropriate configuration of the authorized_keys file. Of these the best two are probably those by St phane Kattoor and Christian 'Greek0' Aichinger. Joey Hess also explains some of the pitfalls. The problem is the familiar one: to limit the file-system hierarchy accessible. The humble chroot is a natural way to implement such restrictions which is probably what led "Greek0" to suggest the use of dchroot. This is indeed a fine solution ... except, how does one implement it if one is not root on the server machine? WARNING: The rest of this entry is wrong as was pointed out by Joey Hess. See the update at the bottom. The package fakechroot by Piotr Roszatycki provides a way out. The problem I had was as follows:

• I want to share a certain sub-tree of $HOME using unison.
• I am OK with sharing whatever access I give to /bin, /lib and /usr in the process.
• I do not have root access to the machine.

A recent enough version of fakechroot (version 2.8 worked) allows one to do make use of environment variables as follows:

LD_PRELOAD=libfakechroot.so
LD_LIBRARY_PATH=/usr/lib/fakechroot:/usr/lib64/fakechroot:/usr/lib32/fakechroot:/usr/lib:/lib
FAKECHROOT=true
FAKECHROOT_VERSION=2.8
FAKECHROOT_EXCLUDE_PATH=/bin:/lib:/usr
export LD_LIBRARY_PATH LD_PRELOAD
export FAKECHROOT_EXCLUDE_PATH FAKECHROOT FAKECHROOT_VERSION

After this setup one can run

HOME=/ chroot $HOME/some/dir /usr/bin/unison -server

and the unison server¹ will only be able to view /bin, /lib, /usr and $HOME/some/dir; the latter will be mapped to /. (One needs to set the $HOME variable to something sensible for unison to function.) One should not be tempted to create subdirectories of $HOME/some/dir containing only the "relevant" portions of the system directories for unison. The reason is that those files will be created as me and so could be overwritten by unison. The creation of a suitable entry in authorized_keys to use this is an easy exercise! UPDATE: As Joey Hess has noted:

Taking a program, be it fakechroot or unison, that was never designed with security in mind, and trying to use it as a security barrier, is an open invitation to pain.

I had thought about the problem of uploading static-linked binaries and had imagined that it had been overcome. However, the basic facts in this case are:

• unison -server does not have an option to limit its view of the directory heirarchy. The upstream authors are aware of this but it is not clear whether they perceive it as a bug.
• fakechroot is meant to give a different view of the directory heirarchy to programs that use standard libc calls. It does not block access to part of the tree as the real chroot does; again, this is not necessarily a bug.

I use public-key based access for a number of things and gpg-agent is a useful way to avoid having to repeatedly type the passphrases needed to unlock the private-keys. The agent prompts you for the passphrase and then uses the unlocked keys for a user-determined time-period. For a number of reasons it is a "good thing" if this prompting happens in a different interface from that where the key is being used. In an X window environment this is done by the pinentry-gtk avatar of pinentry which pops up a new window. However, I use screen to multiplex operations within a single terminal session, often without an X session. It used to bother me that I could not get pinentry-curses to pop up in a different window. No more ;). Here is a hack that seems to work.

1. Decide on some location like $HOME/.gnupg/pin-tty and assign it to the variable PINTTY.
2. Use the additional options --ttypath $PINTTY, --ttytype screen and --keep-tty for gpg-agent.
3. Start a screen window with the command screen -M -t pin socat -,raw,echo=0 PTY,link=$PINTTY

Now everytime a program asks gpg-agent to use a secret-key, it will invoke pinentry-curses which will connect to the pin window under screen; the latter will warn you (-M) that something is asking for a passphrase. It would be nice if one did not have to invoke socat and screen could do step (3) directly. Is there any way to integrate the use of gpg-agent with openvpn when the latter uses SSL keys? There may be some security issues with such use! I can't see any at the moment but I may be wrong. :-(

On the 26th of November 2008, there was a double blow. It had been raining almost all night in Chennai and we put on the TV to figure out what the weather was going to be like only to find out that there had been attacks with guns and bombs in multiple areas in Mumbai. The attacks in Mumbai and the rain in Tamil Nadu continued over the next 36 hours or so --- with disastrous effects all around. All this was more than a week ago and so it feels as if one can write about it with a modicum of objectivity. The cyclone that hit Tamil Nadu was not man-made, but many of its consequences were. The attacks in Mumbai were carried out by people who were human beings once upon a time, but they had their humanity stripped by those who run the camps which trained them. So to some extent it feels as if we have suffered from a natural disaster --- but one which could have been mitigated by humans. The Indian state and people seem to be returning back to "normal" and this is said be a sign of our resilience. On the other hand that may only be because we suffer a thousand cuts every day --- self-inflicted. Indeed, each one of us is a minor terrorist carrying out little acts of rebellion against the state; acts that also threaten the well-being of our fellow citizens. Some examples follow:

• we throw plastic bags and paper cups into the canals and drains around our cities.
• we evade taxes and even pride ourselves on reducing government power as a consequence.
• we throw lavish "rave" parties where drugs and alcohol flow freely.
• we destroy public roads and public spaces for our own private needs.

The list could go on and on ... All of these acts weaken our state and our people to the point where we cannot act swiftly in an emergency:

• garbage blocks the canals, which leads to floods during heavy rains.
• the lost taxes means reduced training and equipment for our police and other emergency forces.
• the drugs and alcohol that are distributed at the "rave" parties are bought from the same smugglers who also bring guns and RDX.
• public roads are in no shape to supply things required during emergencies.
• public spaces are not available for relief efforts since they are illegally occupied or damaged beyond use.
• our under-paid police force has its hands full dealing with the thousands of little violations that we commit.
• our police force is so used to looking the other way while our top brass and gold-laden classes are violating the rules that they can be forgiven if they cannot distinguish them from the "real" terrorists.

This is what makes us a "soft target for terror". If the Indian government were to indeed go after all those who are weakening it and terrorizing its people, then a good percentage of our citizenry and an even larger percentage of our well-off citizenry would find itself in the cross-hairs. To paraphrase what an assistant commissioner of police once said: If 100% of our citizens are 2% terrorists then it is very hard to catch the 2% of the citizens who are 100% terrorists.

When a sphere (globe or ball) is turned about its centre a number of times, there is at least one point that starts and ends at the same place. This a consequence of the algebraic statment that a 3x3 orthogonal matrix with determinant has 1 as an eigenvector with eigenvalue 1. One of my students recently asked me for a geometric proof and I came up with the following construction. (Of which I am evidently quite proud!) We begin by making a more precise statement of the above proposition. Let a, b, c, ..., z be a succession of points on the sphere and A, B, C, ..., Z be a sucession of rotations; where A is a rotation about the axis through a, B a rotation about the axis through b and so on. We will show how to find a point on the sphere so that the combined effect of these rotations is a rotation about the axis through that point. It is enough to show how this can be done for two successive rotations since the rest of the argument/construction follows by induction/recursion. So we restrict ourselves to the simpler case of two points a and b on the sphere and two rotations A and B respectively about the axes through these points. Let me introduce some elementary notions and results. The term "great circle" is used for the circle obtained by cutting a sphere with a plane passing through the centre of the sphere; any two points on the sphere lie on a (common) great circle. The term "antipode of a point p" denotes a point q that is diametrically opposite to the given point p; the axis through a point also passes through its antipode. Two points on the sphere that are not antipodal lie on a unique great circle, whereas the antipode of p lies on every great circle through p. Consider the point c which goes to the point b under the rotation A and cb be the great circle containing these two points. Let d denote a point on bc that lies halfway between b and c. There are two such points which are antipodes; pick any one. Let ad be the great circle containing a and d. Similarly, let e be the point which a goes to under the rotation B and ae be the great circle containing these two points. Let f denote a point on ae that lies halfway between a and e; let bf denote the great circle which contains b and f. A point g (and its antipode) where the great circle ad meets the great circle bf is fixed under the combination of the two rotations. In fact, the result of the rotation A followed by the rotation B is a rotation G about the axis through the point g. The proof that this construction works relies on the following description of a rotation X of a sphere about the axis through a point x on the sphere. Let y be any other point and z be its image under the rotation. As above let t be the point halfway between y and z on the great circle containing these two points. The rotation X is obtained as a succession of two reflections; first a reflection in the plane containing the x, t and the centre of the sphere and second a reflection in the plane containing x, z and the centre of the sphere. One can see this by noting that the composite of two reflections is indeed a rotation; moreover, a rotation that fixes x is uniquely determined by what it does to y. We use the above description to write the composite of A and B as succession of four reflections through planes as follows: the plane containing d, a and the centre of the sphere; the plane containing b, a and the centre of the sphere; the plane containing a, b and the centre of the sphere; the plane containing f, b and the centre of the sphere The two reflections in the middle cancel each other out. We are then left with the composite of two reflections. Clearly, the points that lie on the fixed plane of each of these reflections are fixed by this composite rotation. This intersection is an axis of the sphere through the point g.

Kudos to the Debian Xen Team for getting Xen ready for lenny in time. As I wrote earlier, my desktop runs a Xen dom0 under Debian etch. The various domU's run Debian lenny among other things. While doing a (much delayed) upgrade of these domU's I noticed that there was a xen-linux-2.6.26-1-amd64 package available under lenny. This made me exclaim, "Three cheers for the Debian Xen Team! Time to upgrade and test things out." The upgrade to lenny went smoothly --- almost. Here are some sticky points which are at least partly due my own goof-ups and perhaps due to some aspect of the xen package upgrades. Since I am not clear about where the "blame" lies, I haven't yet filed bugs!

• xen-utils-common version 3.2.0-2 needs the newer xen-utils-3.2-1. In particular, /etc/init.d/xend fails to run with xen-utils-3.0.3-1. The newer package is "Recommended" by the Xen 3.2 hypervisor, so I should have installed it but perhaps it should not be possible to avoid installing it.
• xen-utils-3.2-1 depends on a large number of packages since it includes the functionality of xen-ioemu-3.0.3-1. This is why I tried to avoid installing it --- my mistake.
• The xen domU configurations created using xen-tools version 2.8-2 did not (I think!) have a "xencons=tty" parameter appended to the kernel command-line. This does not cause a problem with the 2.6.18 Xen kernels but caused the 2.6.26 kernels to fail to assign a usable device to the domU's tty1. Since some of these domU's did not have a running ssh this made it impossible for me to login to them! :-(

The bottom line is that to upgrade an etch dom0 to a lenny dom0 (on amd64) you should make sure that you install the following packages:

xen-linux-system-2.6.26-1-xen-amd64, linux-image-2.6.26-1-xen-amd64, 
linux-modules-2.6.26-1-xen-amd64, xen-utils-common, xenstore-utils,
xen-hypervisor-3.2-1-amd64, xen-utils-3.2-1

If you install all recommended packages, then just installing the first package above will pull in all the others; however, like me you may be a no-one-recommends-packages-to-me kind of person! :-( Secondly, you should add the "xencons=tty" kernel parameter to those domU's which will boot the lenny 2.6.26 xen kernel. These are minor issues considering that anyone who runs a Xen machine circa 2008 should be knowledgable enough to be able to fix them. However, they could cause unpleasant hiccups for some people so I'm documenting them here. Update: One thing which is required to run the Xserver when your graphics card uses shared memory is to limit the memory used by dom0. To do this you pass an option like "dom0_mem=128M" to the command line for the xen hypervisor in grub's configuration file menu.lst .

The Omelette Post by Atul Chitnis provoked a lot of discussion and Christian Perrier's response explains the objections clearly. I disagree with them both in different ways. Hence this post. Atul Chitnis is not known for his politeness (unfortunately, like many in the FLOSS community). In such cases, it is best to try to understand the (positive) intent behind the words written rather than concentrate on the words themselves --- the current kabab mein haddi seems to be "low-hanging fruit". I agree with Christian that finding, analysing and fixing bugs ranks up there along with writing programs; especially since many of today's programmers continue to be ''bug-generators'' in the sense of (and in spite of) Dijkstra's article. My reading of the Omelette Post is that hacking should take precendence over talking at FOSS.in 2008 --- a sentiment that I find quite palatable and even tasty! So let's see if we can have a Debian Workout at FOSS.in 2008.

Some people troll free software lists with remarks like:

Linux will never be able to displace MacOS/Windows since the latter are much more pretty/user-friendly. You will lose.

Such people assume that hackers write free software because they "hate Microsoft" or "hate capitalism" or have some other pet hates. However, it should be obvious that such a large creative effort cannot be sustained if it is based on such negative emotions.¹ There are a number of positive reasons why one works on free software. The software that I like to work on is software² that I use or want to use. This has some consequences which are worth underlining:

• Contrary to the views expressed in some articles about free software, the theme of usability (by me!) is uppermost in my mind whenever I approach any task pertaining to software.
• Since the software I work on should be usable long after I have forgotten the ideas behind its implementation, the user interface should be one that confirms to "standard" expections. This means that it should be possible to use the software without reading the code.
• When I look at the code after a long time (for example to extend it in some way) I should be able to read and understand it, which requires clean code with adequate documentation.

Giving others the "four freedoms" results in wider critical examination of these aspects. Bugs must be acknowledged and fixed --- or elevated to features! Moreover, there are parts of the task that are "obvious" to me but I would have to ask others for advice on other parts. So I gain a lot by being part of a larger community. There are other reasons to write free software. For example, someone may pay you to do it. However, this is just deferring the same question to your employer. In most cases, your employer already has a use in mind for the software. The employer has the same concerns as I outlined above except that the job of writing the code is being out-sourced. The usability, portability and long-term maintainability are probably even bigger concerns for your employer. "Last but not the least" (as we always wrote in our school-day essays) free software is fun! You share ideas with people from across the globe and to show them your own clever little tricks. Good code and good themes resonate with people who may not even speak the same language as you do. What could be nicer than that!

The IMSc recently installed a desktop machine for me that is powerful enough to run Xen virtualised domU's. (My previous desktop machine was removed at my request; explanations at a later date!) One task was to get Fedora Core running under this Debian Etch machine. Since the information required for this task was rather difficult to find (rant later!), here is a quick 2-paise tip (to borrow a phrase from the linux gazette) on how to get Fedora Core running under a Debian Xen machine. The helpful packages under Debian are xen-tools and rinse.¹ Since the latter is only available with "lenny", this requires an schroot installation about which I have written elsewhere. So let me assume that we have a lenny chroot inside the dom0 in which xen-tools and rinse have been installed. One can either bind mount /etc/xen from the dom0 into the lenny chroot or one can just create this directory to hold the configuration file for the domU to be created. Creating the domU is as simple as:

xen-create-image --ip=192.168.17.71 --hostname=fedora \
  	--arch=amd64 --lvm vg0 --install-method rinse \
  	--dist fedora-core-8

   

with ip address, hostname, lvm volume group and arch chosen appropriately. (Be careful and choose a hostname that does not match a hostname that you have already used in the same Xen system). This will create the logical volumes /dev/vg0/fedora-disk and /dev/vg0/fedora-swap containing the appropriate images for use with the Fedora domU. Before you can boot into this domU there are some minor issues you need to fix; see #499476. The fixes are to create /etc/shadow and /etc/gshadow and set a usable password as follows. Mount /dev/vg0/fedora-disk somewhere and chroot to it. Then run the following commands:

  pwconv
  grpconv
  passwd root

   

Then exit the chroot and unmount /dev/vg0/fedora-disk and then exit the lenny chroot. If necessary, copy the file etc/xen/fedora.cfg from within the lenny chroot to /etc/xen/ in the dom0. You should now be ready to boot your Fedora Core 8 domU with

  xm create fedora.cfg

   

It would be nice if one could install Fedora Core 9 the same way; see #499477.

The FSF is celebrating the birth of the idea that is GNU. There is a video which I have mirrored here for local users. So I plan to sing "Happy Birthday to GNU" on 27th September 2008 as well. It seems like some people are not quite so happy. One correspondent wrote that it was not the 25th birthday of the "GNU Operating System" since that would mean the GNU+HURD which he feels is still not ready. In my opinion the term "GNU Operating System" represents in loose terms "a free alternative to Unix" (free as in mukta). And that idea was born 25 years ago.² I think that the HURD was just the "concept of a notion of an idea" 25 years ago. (The first article about the HURD was on the net about 1990 or so). Moreover, in comparison with Unix of 25 years ago, the GNU+HURD combination could be considered "ready". Thus, there is indeed much to celebrate. For example,

1. There is not one --- there are many free alternatives to Unix. In fact, there are perhaps no non-free Unixes visible anymore! Does this owe a lot to the resolution made by RMS 25 years ago? Absolutely. Of course, it also owes a lot to the resolve of the hackers who followed up on this and took it well beyond what he had in mind.
2. One can run the GNU tools + HURD combination to get an environment as good or better than what was available as Unix 25 years ago. Does a general member of the public really need to do this? No. There are currently a number of far superior solutions. Does the software community need this? Yes. (See below.)

I think that there are a lot of people who disagree with RMS and FSF today on a number of issues --- and these detractors may even be right. Perhaps this makes some people begrudge FSF celebrating the 25th anniversary/birthday of GNU. I offer the following points for their consideration:

1. The vision and resolve RMS and the FSF put behind the vision --- starting 25 years ago --- have got us here.
2. The FSF's astuteness in getting a rather well-known person like Stephen Fry ¹ to celebrate GNU. If any of the distros had managed it, it would have been considered a coup!
3. While Linux may be the dominant player in Unix today, the alternatives like *BSD, Solaris and even the HURD have an important role to play in the development of free software.
4. That chocolate cake looks really delicious. :-)

So here's to (at least) another 25 years for GNU!