Welcome to the April 2023 report from the Reproducible Builds project! In these reports we outline the most important things that we have been up to over the past month. And, as always, if you are interested in contributing to the project, please visit our Contribute page on our website.

General news Trisquel is a fully-free operating system building on the work of Ubuntu Linux. This month, Simon Josefsson published an article on his blog titled Trisquel is 42% Reproducible!. Simon wrote:

The absolute number may not be impressive, but what I hope is at least a useful contribution is that there actually is a number on how much of Trisquel is reproducible. Hopefully this will inspire others to help improve the actual metric.

Simon wrote another blog post this month on a new tool to ensure that updates to Linux distribution archive metadata (eg. via apt-get update) will only use files that have been recorded in a globally immutable and tamper-resistant ledger. A similar solution exists for Arch Linux (called pacman-bintrans) which was announced in August 2021 where an archive of all issued signatures is publically accessible.
Joachim Breitner wrote an in-depth blog post on a bootstrap-capable GHC, the primary compiler for the Haskell programming language. As a quick background to what this is trying to solve, in order to generate a fully trustworthy compile chain, trustworthy root binaries are needed and a popular approach to address this problem is called bootstrappable builds where the core idea is to address previously-circular build dependencies by creating a new dependency path using simpler prerequisite versions of software. Joachim takes an somewhat recursive approach to the problem for Haskell, leading to the inadvertently humourous question: Can I turn all of GHC into one module, and compile that? Elsewhere in the world of bootstrapping, Janneke Nieuwenhuizen and Ludovic Court s wrote a blog post on the GNU Guix blog announcing The Full-Source Bootstrap, specifically:

[ ] the third reduction of the Guix bootstrap binaries has now been merged in the main branch of Guix! If you run guix pull today, you get a package graph of more than 22,000 nodes rooted in a 357-byte program something that had never been achieved, to our knowledge, since the birth of Unix.

More info about this change is available on the post itself, including:

The full-source bootstrap was once deemed impossible. Yet, here we are, building the foundations of a GNU/Linux distro entirely from source, a long way towards the ideal that the Guix project has been aiming for from the start. There are still some daunting tasks ahead. For example, what about the Linux kernel? The good news is that the bootstrappable community has grown a lot, from two people six years ago there are now around 100 people in the #bootstrappable IRC channel.

Michael Ablassmeier created a script called pypidiff as they were looking for a way to track differences between packages published on PyPI. According to Micahel, pypidiff uses diffoscope to create reports on the published releases and automatically pushes them to a GitHub repository. This can be seen on the pypi-diff GitHub page (example).
Eleuther AI, a non-profit AI research group, recently unveiled Pythia, a collection of 16 Large Language Model (LLMs) trained on public data in the same order designed specifically to facilitate scientific research. According to a post on MarkTechPost:

Pythia is the only publicly available model suite that includes models that were trained on the same data in the same order [and] all the corresponding data and tools to download and replicate the exact training process are publicly released to facilitate further research.

These properties are intended to allow researchers to understand how gender bias (etc.) can affected by training data and model scale.
Back in February s report we reported on a series of changes to the Sphinx documentation generator that was initiated after attempts to get the alembic Debian package to build reproducibly. Although Chris Lamb was able to identify the source problem and provided a potential patch that might fix it, James Addison has taken the issue in hand, leading to a large amount of activity resulting in a proposed pull request that is waiting to be merged.
WireGuard is a popular Virtual Private Network (VPN) service that aims to be faster, simpler and leaner than other solutions to create secure connections between computing devices. According to a post on the WireGuard developer mailing list, the WireGuard Android app can now be built reproducibly so that its contents can be publicly verified. According to the post by Jason A. Donenfeld, the F-Droid project now does this verification by comparing their build of WireGuard to the build that the WireGuard project publishes. When they match, the new version becomes available. This is very positive news.
Author and public speaker, V. M. Brasseur published a sample chapter from her upcoming book on corporate open source strategy which is the topic of Software Bill of Materials (SBOM):

A software bill of materials (SBOM) is defined as a nested inventory for software, a list of ingredients that make up software components. When you receive a physical delivery of some sort, the bill of materials tells you what s inside the box. Similarly, when you use software created outside of your organisation, the SBOM tells you what s inside that software. The SBOM is a file that declares the software supply chain (SSC) for that specific piece of software. [ ]

Several distributions noticed recent versions of the Linux Kernel are no longer reproducible because the BPF Type Format (BTF) metadata is not generated in a deterministic way. This was discussed on the #reproducible-builds IRC channel, but no solution appears to be in sight for now.

---

Community news On our mailing list this month:

• Larry Doolittle shared an interesting puzzle with the group where three bytes in a .zip file were different between two builds.
• Alexis PM wrote a message as they had observed a difference between binaries available in the Debian archive and the ones on tests.reproducible-builds.org. The thread generated a number of replies, including interesting responses from Vagrant Cascadian [ ] and kpcyrd [ ].

Holger Levsen gave a talk at foss-north 2023 in Gothenburg, Sweden on the topic of Reproducible Builds, the first ten years. Lastly, there were a number of updates to our website, including:

• Chris Lamb attempted a number of ways to try and fix literal : .lead appearing in the page [ ][ ][ ], made all the Back to who is involved links italics [ ], and corrected the syntax of the _data/sponsors.yml file [ ].
• Holger Levsen added his recent talk [ ], added Simon Josefsson, Mike Perry and Seth Schoen to the contributors page [ ][ ][ ], reworked the People page a little [ ] [ ], as well as fixed spelling of Arch Linux [ ].

Lastly, Mattia Rizzolo moved some old sponsors to a former section [ ] and Simon Josefsson added Trisquel GNU/Linux. [ ]

---

Debian

• Vagrant Cascadian reported on the Debian s build-essential package set, which was inspired by how close we are to making the Debian build-essential set reproducible and how important that set of packages are in general . Vagrant mentioned that: I have some progress, some hope, and I daresay, some fears . [ ]
• Debian Developer Cyril Brulebois (kibi) filed a bug against snapshot.debian.org after they noticed that there are many missing dinstalls that is to say, the snapshot service is not capturing 100% of all of historical states of the Debian archive. This is relevant to reproducibility because without the availability historical versions, it is becomes impossible to repeat a build at a future date in order to correlate checksums. .
• 20 reviews of Debian packages were added, 21 were updated and 5 were removed this month adding to our knowledge about identified issues. Chris Lamb added a new build_path_in_line_annotations_added_by_ruby_ragel toolchain issue. [ ]
• Mattia Rizzolo announced that the data for the stretch archive on tests.reproducible-builds.org has been archived. This matches the archival of stretch within Debian itself. This is of some historical interest, as stretch was the first Debian release regularly tested by the Reproducible Builds project.

---

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • ghc (workaround a parallelism-related issue)
• Jan Zerebecki:
  • ghc (report a parallelism-related issue)
• Chris Lamb:
  • #1034147 filed against ruby-regexp-parser.
• Vagrant Cascadian:
  • #1033954, #1033955 and #1033957 filed against pike8.0.
  • #1033958 and #1033959 filed against binutils.
  • #1034129 filed against lomiri-action-api.
  • #1034199 and #1034200 filed against lomiri.
  • #1034327 filed against nmodl.
  • #1034423 filed against php8.2.
  • #1034431 filed against qemu.
  • #1034499 filed against twisted.
  • #1034740 filed against boost1.74.
  • #1034892 filed against php8.2.
  • #1035324 filed against shaderc.
  • #1035329 and #1035331 filed against jackd2.

---

diffoscope development diffoscope version 241 was uploaded to Debian unstable by Chris Lamb. It included contributions already covered in previous months as well a change by Chris Lamb to add a missing raise statement that was accidentally dropped in a previous commit. [ ]

---

Testing framework The Reproducible Builds project operates a comprehensive testing framework (available at tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In April, a number of changes were made, including:

• Holger Levsen:
  • Significant work on a new Documented Jenkins Maintenance (djm) script to support logged maintenance of nodes, etc. [ ][ ][ ][ ][ ][ ]
  • Add the new APT repo url for Jenkins itself with a new signing key. [ ][ ]
  • In the Jenkins shell monitor, allow 40 GiB of files for diffoscope for the Debian experimental distribution as Debian is frozen around the release at the moment. [ ]
  • Updated Arch Linux testing to cleanup leftover files left in /tmp/archlinux-ci/ after three days. [ ][ ][ ]
  • Mark a number of nodes hosted by Oregon State University Open Source Lab (OSUOSL) as online and offline. [ ][ ][ ]
  • Update the node health checks to detect failures to end schroot sessions. [ ]
  • Filter out another duplicate contributor from the contributor statistics. [ ]
• Mattia Rizzolo:
  • Code changes to properly archive the stretch Debian distribution. [ ][ ][ ][ ]
  • Introduce the archived suites configuration option. [ ]][ ]
  • Fix the KGB bot configuration to support pyyaml 6.0 as present in Debian bookworm. [ ]

---

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Twitter: @ReproBuilds
• Mailing list: rb-general@lists.reproducible-builds.org

Focus This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• zxing-cpp: use system deps, fix Python tests
• git-remote-hg: gitignore
• hexedit: add test
• libpst: fix header detection
• webdl: fix SBS video params
• libusbgx: fix alignment
• tracegraph: API porting
• pyemd: cleanup code, packaging
• pytest-rerunfailures: cleanup code, build, packaging
• librecaptcha: cleanup Python packaging, links
• check-all-the-things: update MIME types, command verbosity (1 2), TODO items (1 2 3)
• devscripts: multiple packages for grep-excuses --wipnity
• debhelper: typo, cmake ctest argument order
• Debian website: sync langs
• Debian /updates to -security transition: 1 2 3 4 5 6
• Debian release info hardcoding: 1 2
• Debian QA services: cleanup
• Debian package uploads: libpst, foxtrotgps, sptag (1 2 3), pytest-rerunfailures, git-remote-hg (1 2), librecaptcha
• Debian wiki pages: 900000thBugContest, ALSA, AlyssaRosenzweig, BugTriage, DebianDay/2021/India/Online, DebianEdu/Status/Bullseye, FrontPage, Fvwm, HostingControlPanels, InstallingDebianOn (Microsoft/Windows/SubsystemForLinux, Thinkpad/L13 Gen 2/buster), ReleaseParty, SourcesList, Status/Stable, SuitesAndReposExtension, Teams (Apt, ReleaseTeam/ReleaseCheckList), ungoogled-chromium
• FOSSjobs wiki pages: Resources
• Wikipedia: Display_Data_Channel

Issues

• Crash in eog
• Web request mishandling in fossjobs
• AppArmor issues in torbrowser-launcher
• Broken links in Debian backports NEW, GMime
• Missing link in GMime
• Outdated links in crouton, breezy
• Broken pages in GNOME Bugzilla archive
• Features in debiman (1 2), gokart, debhelper, shellcheck (1 2)
• New versions of umatrix, doc8, git-remote-hg
• New repo needed for misspelling research
• Hardcoded Debian release info updates for debiman (1 2)
• Syntax error in freefem++
• Adoption needed for veles
• Underlinking in libuemf0
• Conffile removal needed in wireplumber
• Build issues in SPTAG (1 2), plocate, zxing-cpp
• Git tag conflict in git-remote-hg
• Dependency updates for catfish, education-common, cruft-ng
• Cruft deposited by qgis-providers
• More binary packages needed in zxing-cpp (1 2)
• Malicious Python module on PyPI

Review

• Spam: reported 1 sourceware bug report, 2 Debian bug reports and 86 Debian mailing list posts
• Debian packages: reviewed iotop-c and approved DM upload
• Debian wiki: RecentChanges for the month
• Debian BTS usertags: changes for the month
• Debian screenshots:
  • approved aptitude faenza-icon-theme gnome-icon-theme-yasis gnome-illustrious-icon-theme gnome-power-manager juffed mm3d mystiq shiki-brave-theme
  • rejected unetbootin (random web page), tuxmath (photograph not screenshot)

Administration

• Debian servers: expand LV, fix debbugs config
• Debian wiki: unblock IP addresses, approve accounts
• Debian QA services: deploy changes

Communication

• Initiate discussion about Debian source tarball choices

Sponsors The pyemd, pytest-rerunfailures, libpst, sptag, librecaptcha work was sponsored by my employer. All other work was done on a volunteer basis.

Focus This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• apt-offline: typos
• libusbgx: document need for module, gitignore updates, drop autotools cruft
• gt: option to disable manual page, fix manual page install path
• kms-cmake-utils: packaging cleanup
• kurento-module-creator: packaging cleanup
• Kurento jsoncpp: packaging cleanup
• kms-jsonrpc: packaging cleanup
• kms-core: packaging cleanup
• purple-discord: cleanup code, build, clean
• Debian usertags QA: add single user rename function
• Debian UDD FTBFS CGI: fix encoding, show all FTBFS bugs
• Debian website: templatise security suite
• Debian package uploads: microsoft-authentication-library-for-python, foxtrotgps, purple-discord
• Debian wiki config: reorganise footer
• Debian wiki pages: DebianIRCChannelGuidelines, DebianKernel/UserspaceTools, DebianSoftware, fr/pcmanfm, Hardware/Database, HomepageTemplate, HowtoDebianInAndroid, InstallingDebianOn (ComputerTemplate, Google/PixelbookEve), PrivacyIssues, Teams/Root support
• FOSSjobs wiki pages: Resources

Issues

• Features in gallery-dl
• Typos in moreutils
• Apparmor issues in torbrowser-launcher (upstream, Debian)
• Renaming needed for kms-*
• Obsolete links in libimobiledevice website
• Debian testing migration needed for foxtrotgps
• Removal from Debian needed for bind, pyfeed, xmlelements, tomcat8
• Security issues in a FLOSS project's website (reported privately)

Review

• Spam: reported 2 Debian bug reports and 123 Debian mailing list posts
• Patches: merged libusbgx/gt pull requests
• Debian wiki: RecentChanges for the month
• Debian BTS usertags: changes for the month
• Debian screenshots:
  • approved adequate atool barrier breathe-icon-theme darkcold-gtk-theme darkmint-gtk-theme isenkram-cli licensecheck moka-icon-theme nemo-gtkhash rabbitvcs-cli rabbitvcs-gedit rabbitvcs-thunar sunclock suru-icon-theme ubuntu-kylin-software-center
  • rejected xfce4 (Windows 95 screenshot), thunar-gtkhash (Windows XP screenshot), msmtp-mta (random wallpaper)

Administration

• libusbgx/gt: triage issues
• Debian packages: triaged bugs for reintroduced packages
• Debian servers: debug lists mail issue, debug lists subscription issue
• Debian wiki: unblock IP addresses, approve accounts

Communication

• Respond to queries from Debian users and contributors on the mailing lists and IRC

Sponsors The microsoft-authentication-library-for-python and purple-discord work was sponsored by my employer. All other work was done on a volunteer basis.

Focus This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• git-remote-hg: fix imports, install, test dep/python/umask usage, tmp dir handling and result expectation
• flower: bump, drop dependencies
• duck: phrases indicating deprecated projects
• debbugs: fix default user for usertags
• Debian BTS usertags: move some tags to correct user
• Debian QA services: usertags: fix shell usage (1 2 3 4), add removal support
• Debian website: document usertags for multiple users, document more testing contributions
• Debian BTS: triage bugs for reintroduced packages
• Debian screenshots: deleted simplyhtml (manual page), charactermanaj (macOS)
• Debian wiki pages: accessibility-devel, AppStream/Guidelines, DebianKernel/UserspaceTools, DebianRepository/Format, DebianTaiwan/ocf.tw/TrustedOrganizationCriteria, Derivatives/Census/Ubuntu, DesktopDefaultSettings, DeveloperNews, Hardening/RepoAndImages, InstallingDebianOn/SeeedStudio (OdysseyBlueJ4105), LVM, Mobile, Packaging/Intro, PerlFAQ, peylight, Proposals/EssentialOnDiet, RaspberryPi, ReproducibleInstalls/LiveImages, SaneOverNetwork, Teams (Apache, Debbugs/ArchitectureTags, DebianPerlGroup, DPL/HowTo/DelegationUpdates, ListMaster (FAQ, ListArchiveSpam, Usertags), Outreach, ReleaseTeam (PointReleaseCheckList, ReleaseCheckList/BullseyeCheckList), Treasurer/Organizations, Webmaster/Submissions), UltimateDebianDatabase/udd.debian.org, USB/GadgetSetup, WakeOnLan
• FOSSjobs wiki pages: Resources

Issues

• Proprietary image in librecaptcha
• Crashes in librecaptcha
• AppArmor denials in torbrowser-launcher
• Incorrect name in src:ppmd
• Outdated links in gssproxy, isenkram-cli
• Inconsistency in reportbug
• New versions of samba, mmv, sharness
• Typos in chroma
• Code copies in flower
• Latency in librecaptcha
• Animation freeze in librecaptcha
• New maintainer needed for git-remote-hg

Debugging

• libpst: failing to extract headers
• marco: breaks xfreerdp fullscreen toggle

Review

• Spam: reported 1 Debian bug reports and 139 Debian mailing list posts
• Patches: reviewed patches for libpst, check-all-the-things, foxtrotgps, hexahop
• Debian wiki: RecentChanges for the month
• Debian BTS usertags: changes for the month
• Debian screenshots:
  • approved ansiweather audiofile-tools backup-manager compton conky-std debian-edu-artwork debian-edu-install dragonfly-reverb duff freedombox gliv gocr-tk grub-theme-starfield localepurge okular-extra-backends pdf-presenter-console sed simplyhtml speedtest-cli sqlitebrowser vobcopy xsel
  • rejected browser-plugin-gnash (random photo), pcb-lesstif (copied from elsewhere), jc (macOS)

Administration

• Debian packages: migrate flower git repo from alioth-archive to salsa
• Debian: restart bacula-director after PostgreSQL restart
• Debian wiki: block spammer, clean up spam, approve accounts

Communication

• Initiate discussions about moving SDL_Pango to libsdl-org
• Respond to queries from Debian users and contributors on the mailing lists and IRC

Sponsors The librecaptcha/libpst/flower/marco work was sponsored by my employers. All other work was done on a volunteer basis.

Happy Independence Day to all. I had been looking forward to this day so I can use to share with my brothers and sisters what little I know about TOR . Independence means so many things to many people. For me, it means having freedom, valuing it and using it to benefit not just to ourselves but to people at large. And for that to happen, at least on the web, it has to rise above censorship if we are to get there at all. I am 40 years old, and if I can t read whatever I want to read without asking the state-military-Corporate trinity than be damned with that. Debconf was instrumental as I was able to understand and share many of the privacy concerns that we all have. This blog post is partly a tribute to being part of a community and being part of Debconf16. So, in that search for privacy couple of years ago, I came across TOR . TOR stands for The Onion Router project. Explaining tor is simple. Let us take the standard way in which we approach the website using a browser or any other means. a. We type out a site name, say debian.org in the URL/URI bar .
b. Now the first thing the browser would do is look into its DNS Cache to see if the name/URL has been used before. If it is something like debian.org which has been used before and is *fresh* and there is content already it would serve the content from the cache there itself.
c. In case, if it s not or the content is stale or something, it would generate a DNS lookup through the various routing tables till the DNS IP Address is found and information relayed to the browser.
d. The browser takes the IP Address and opens a TCP connection to the server, you have the handshake happen and after that it s business as usual.
e. In case if it doesn t work, you could get errors like Could not connect to server xyz or some special errors with error codes. This is a much simplified version of what happens or goes through normally with most/all of the browsers. One good way to see how the whole thing happens is to use traceroute and use the whois service. For e.g. [$] traceroute debian.org and then [$] whois 5.153.231.4 grep inetnum
inetnum: 5.153.231.0 - 5.153.231.255 Just using whois IP Address gives much more. I just shared a short version because I find it interesting that Debian has booked all 255 possible IP Addresses but speculating on that would be probably be a job for a different day. Now the difference when using TOR are two things a. The conversation is encrypted (somewhat like using https but encrypted through the relays)
b. The conversation is relayed over 2-3 relays and it will give a somewhat different identification to the DNS server at the other end.
c. It is only at the end-points that the conversation will be in plain text. For e.g. the TOR connection I m using atm is from me France (relay) Switzerland (relay) Germany (relay) WordPress.com . So wordpress thinks that all the connection is happening via Germany while I m here in India. It would also tells that I m running MS-Windows some version and a different browser while I m from somewhere in India, on Debian, using another browser altogether There are various motivations for doing that. For myself, I m just a private person and do not need or want that any other person/s or even the State should be looking over my shoulder as to what I m doing. And the argument that we need to spy on citizens because Terrorists are there doesn t hold water over me. There are many ways in which they can pass messages even without tor or web. The Government-Corporate-Military just get more powerful if and when they know what common people think, do, eat etc. So the question is how does you install tor if you a private sort of person . If you are on a Debian machine, you are one step closer to doing that. So the first thing that you need to do is install the following $ sudo aptitude install ooniprobe python-certifi tor tor-geoipdb torsocks torbrowser-launcher Once the above is done, then run torbrowser-launcher. This is how it would work out the first time it is run [$] torbrowser-launcher Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.6
https://github.com/micahflee/torbrowser-launcher
Creating GnuPG homedir /home/shirish/.local/share/torbrowser/gnupg_homedir
Downloading and installing Tor Browser for the first time.
Downloading https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US
Latest version: 6.0.3
Downloading https://dist.torproject.org/torbrowser/6.0.3/tor-browser-linux64-6.0.3_en-US.tar.xz.asc
Downloading https://dist.torproject.org/torbrowser/6.0.3/tor-browser-linux64-6.0.3_en-US.tar.xz
Verifying signature
Extracting tor-browser-linux64-6.0.3_en-US.tar.xz
Running /home/shirish/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'... As can be seen above, you basically download the tor browser remotely from the website. Obviously, for this port 80 needs to be opened. One of the more interesting things is that it tells you where it installs the browser. /home/shirish/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser and then detaches. The first time the TOR browser actually runs it looks something similar to this Additionally it would give you 4 choices. Depending on your need for safety, security and convenience you make a choice and live with it. Now the only thing remaining to do is have an alias for your torbrowser. So I made [$] alias tor tor=/home/shirish/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser It is suggested that you do not use the same usernames on the onion network. Also apart from the regular URL addresses such as flossexperiences.wordpress.com you will also see sites such as https://www.abc12defgh3ijkl.onion.to (fictional address) Now there would be others who would want to use the same/similar settings say as there are in their Mozilla Firefox installation. To do that do the following steps a. First close down both Torbrowser and Mozilla Firefox .
b. Open your file browser and go to where your mozilla profile details are. In typical Debian installations it is at ~/.mozilla/firefox/5r7t1r92.default In the next tab, navigate to ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default c. Now copy the following files over from your mozilla profile to your tor browser profile and you can resume where you left off.

cert8.db
chromeappsstore.sqlite
content-prefs.sqlite
cookies.sqlite
formhistory.sqlite
key3.db
logins.json (Firefox 32 and above)
mimeTypes.rdf
permissions.sqlite
persdict.dat
places.sqlite
signons3.txt (if exists)
webappsstore.sqlite

and the following folders/directories

bookmarkbackups
chrome (if it exists)
searchplugins (if it exists)

Once the above is done, fire up your torbrowser with the alias shared. This is usually put it in your .bashrc file or depending on whatever terminal interpreter you use, wherever the config file will be. Welcome to the world of TOR. Now, after a time if you benefit from tor and would like to give back to the tor community, you should look up tor bridges and relay. As the blog post has become long enough, I would end it now and hopefully we can talk about tor bridges and relay some other day.
Filed under: Miscellenous Tagged: #anonymity, #Debconf16, #debian, #tor, #torbrowser, GNU, Linux, Privacy

Using Tor helps take back control of what data one decides to share online. It also helps in avoiding surveillance from the local network (think of someone listening to the public Wi-Fi) or the Internet access provider. But it is easy to make mistakes: Tor Browser, the easiest and most common way to use Tor, is just a web browser. Extra special care is required to make other applications use Tor, and it is easy to forget to change settings, let alone actual attackers. That's why using Tails is often recommended as everything is preconfigured and it requires traffic to go through Tor by various means. Qubes or Whonix also have interesting properties, but require reinstalling systems and changing habits. Meanwhile, securing the network on an already installed system can help you feel better. A potential solution to prevent connections from leaking out without going through Tor is simply to prevent all connections from leaving the computer, except the ones going to the Tor network. This can quite easily be implemented by setting up an outgoing firewall. Using the default settings, a Tor client can potentially connect to any of the 2,000 Guard relays. While there are ways to get such a list and turn it into firewall rules, we are going to use an easier solution. Because the list of Tor relays is public, censors have often used it to prevent people from connecting to the Tor network. The Tor project came up with bridges as a work-around. Bridges are entry nodes in the Tor network. For public bridges, users can only get a few bridge addresses at a time, preventing an adversary from easily blocking them at all once. When configured to use a set of bridges, Tor will only connect to their addresses. This will make our firewall much shorter. The instructions that follow should work on Debian Jessie and later versions. Adapting them to other systems should not be too hard either. We assume that Tor Browser is already installed. As we will want other applications to use Tor than just the browser, we also want to install a system-wide instance:

# apt install tor

Next, visit bridges.torproject.org to request a set of bridges: You then need to select the type of bridges. Tor standard protocol is easy to identify as such. The Tor project has developed pluggable transports to easily disguise the traffic, but using them is outside the scope for this documentation. So lets stay with the default type of bridges: After solving a CAPTCHA, you'll get a list of addresses and fingerprints for a couple of bridges like the following one: To tell Tor to use these bridges, edit /etc/tor/torrc, and at the end, add something like:

UseBridges 1
Bridge 109.XXX.XXX.XXX:4XXX 2244XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Bridge 37.XXX.XXX.XXX:1XXXX 9CF0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Bridge 171.XXX.XXX.XXX:4XXX 7705XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Replace the actual addresses and fingerprints by those you got earlier. Now reload the daemon and make sure that it still connects to the network:

# service tor reload
# tail -f /var/log/tor/log

Tor Browser also needs to be told to use these bridges. Open the onion menu close to the location bar, and select Tor Network Settings . In there, tick My Internet Service Provider (ISP) blocks connections to the Tor network and paste the list of bridges below Enter custom bridges: Before we restrict outgoing connections to only use the Tor network, lets configure APT to use Tor as well so we can continue installing and upgrading packages in the future:

# apt install apt-transport-tor

The following command will reconfigure APT to use Tor to access the currently configured package repositories. It basically takes care of replacing every http:// by tor+http://:

# sed -e 's/^[^#]*\(deb\(-src\)\?\W\+\)http/\1tor+http/' -i /etc/apt/sources.list /etc/apt/sources.list.d/*.list

Lets see if it still works:

# apt update

One last thing: sometimes, we still need to bypass our restrictions and access the network directly. Some websites sadly deny access to Tor users, or we might need to login through a captive portal before being able to use a random network. To make it practical, we are going to create a new user account. This will enable us to use the desktop user switching capabilities to start a new browser or sudo for command line applications. In this example, the user is going to be named passthrough:

# adduser passthrough

Make sure to set a proper password! Now lets configure the firewall. Here we are going to use ferm which makes it fairly easy to do low-level firewall rule in a readable manner:

# apt install ferm

We want the firewall to be started at boot time. Now edit its configuration in /etc/ferm/ferm.conf. At the end, add:

# Let's block everything for both IPv4 and IPv6, except to localhost,
# already established connections and the special 'passthrough' user.
domain (ip ip6) chain OUTPUT  
    policy DROP;
    outerface lo ACCEPT;
    proto icmp ACCEPT;
    mod state state (ESTABLISHED RELATED) ACCEPT;
    mod owner uid-owner "passthrough" ACCEPT;
 
# Now for IPv4, we want to restrict output to configured Tor bridges
domain ip chain OUTPUT  
    # Don't break network autoconfiguration
    mod owner uid-owner 0 proto udp dport bootps ACCEPT;
    # Allow bridges defined in torrc by getting them directly
    # from the configuration file.
    @include "sed -n -e 's/^Bridge \([^ ]* \)\?\([0-9.]*\):\([0-9]*\).*/daddr \2 proto tcp dport \3 ACCEPT;/p' /etc/tor/torrc  ";
 
# Let's REJECT everything else so we get notice instead of timeouts
domain (ip ip6) chain OUTPUT REJECT;

Reload the firewall through:

# service ferm reload

Lets do some tests:

# ping check.torproject.org
  ping: unknown host check.torproject.org
# tor-resolve check.torproject.org
  38.229.72.22
# ping 38.229.72.22
  From 192.168.7.234 icmp_seq=1 Destination Port Unreachable
# curl https://check.torproject.org/
  curl: (6) Could not resolve host: check.torproject.org
# curl -I https://38.229.72.22/
  curl: (7) Failed to connect to 38.229.72.22 port 443: Connection refused
# curl --socks5 127.0.0.1:9050 https://check.torproject.org/
  curl: (6) Could not resolve host: check.torproject.org
# curl --silent --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/   grep Congratulations
  Congratulations. This browser is configured to use Tor.
# sudo -u passthrough ping -c 1 check.torproject.org
  64 bytes from sergii.torproject.org (38.229.72.22): icmp_seq=1 ttl=54 time=148 ms
# sudo -u passthrough curl --silent https://check.torproject.org/   grep Sorry
  Sorry. You are not using Tor.

One last thing to complete the setup: for command line applications like SSH, torsocks does wonders. Just prefix your usual commands by torsocks and they should work:

# apt install torsocks
# torsocks curl --silent https://check.torproject.org/   grep Congratulations
  Congratulations. This browser is configured to use Tor.

All set! In case you ever need to turn it all off, just ask ferm to reconfigure the firewall:

# service ferm stop

But don't forget to turn it back on later!

# service ferm start

Ideally, we would have a way to automatically configure a different set of bridges for each network we connect to make it more difficult to trace the computer from network to network. But there's quite some more work to be done on various levels before that can be done in an integrated manner (torshiftchange and tordyguards are promising options). Meanwhile, be aware that you might want to keep a fresh set of bridges handy to configure them after leaving for a trip. Another downside of the setup currently is that it doesn't allow for network time synchronization. That might make the system fingerprintable by using its clock drift. To use obfs4 bridges which helps defeating censored networks, you will need two extra steps. First, install the required software:

# apt install obfs4proxy

Then add the following extra line to /etc/tor/torrc:

ClientTransportPlugin obfs2,obfs3,obfs4,scramblesuit exec /usr/bin/obfs4proxy

You can then request obfs4 bridges from BridgeDB. These changes are only required for the system-wide Tor daemon, as Tor Browser comes with obs4proxy preconfigured. Kudos to Micah for proofreading this article.

In case you're one of those troubled by the sorry state of the apcu release in Ubuntu 14.04 you can now switch to the official backport. Micah Gersten was kind enough to invest some time and got it uploaded.

after the release is before the release. or: long time no RC bug report. after the jessie release I spent most of my Debian time on work in the Debian Perl Group. we tried to get down the list of new upstream releases (from over 500 to currently 379; unfortunately the CPAN never sleeps), we were & still are busy preparing for the Perl 5.22 transition (e.g. we uploaded something between 300 & 400 packages to deal with Module::Build & CGI.pm being removed from perl core; only team-maintained packages so far), & we had a pleasant & productive sprint in Barcelona in May. & I also tried to fix some of the RC bugs in our packages which popped up over the previous months. yesterday & today I finally found some time to help with the GCC 5 transition, mostly by making QA or Non-Maintainer Uploads with patches that already were in the BTS. a big thanks especially to the team at HP which provided a couple dozens patches! & here's the list of RC bugs I've worked on in the last 3 months:

• #752026 libpdl-stats-perl: "libpdl-stats-perl: FTBFS on arm*"
  upload new upstream release (pkg-perl)
• #755961 autounit: "FTBFS with clang instead of gcc"
  apply patch from Alexander <sanek23994@gmail.com>, QA upload
• #755963 clearsilver: "FTBFS with clang instead of gcc"
  apply patch from Alexander <sanek23994@gmail.com>, upload to DELAYED/5
• #777776 src:apron: "apron: ftbfs with GCC-5"
  tag as unreproducible
• #777780 src:asmon: "asmon: ftbfs with GCC-5"
  apply patch from Martin Michlmayr, upload to DELAYED/5
• #777783 src:atftp: "atftp: ftbfs with GCC-5"
  apply patch from Martin Michlmayr, upload to DELAYED/5
• #777797 src:bbrun: "bbrun: ftbfs with GCC-5"
  add patch to build with "-std=gnu89", upload to DELAYED/5
• #777806 src:booth: "booth: ftbfs with GCC-5"
  tag as unreproducible
• #777808 src:bwm-ng: "bwm-ng: ftbfs with GCC-5"
  merge patch from Ubuntu, and build with "-std=gnu89", upload to DELAYED/5
• #777831 src:deborphan: "deborphan: ftbfs with GCC-5"
  apply patch from Jakub Wilk, upload to DELAYED/5, then rescheduled to 0-day with maintainer's permission
• #777835 src:dsbltesters: "dsbltesters: ftbfs with GCC-5"
  tag as unreproducible
• #777853 src:flow-tools: "flow-tools: ftbfs with GCC-5"
  apply patch from Alexander Balderson, upload to DELAYED/5
• #777880 src:gnac: "gnac: ftbfs with GCC-5"
  apply patch from Greg Pearson, upload to DELAYED/5
• #777881 src:gngb: "gngb: ftbfs with GCC-5"
  apply patch from Greg Pearson, upload to DELAYED/5
• #777895 src:haildb: "haildb: ftbfs with GCC-5"
  tag as unreproducible
• #777902 src:hfsplus: "hfsplus: ftbfs with GCC-5"
  merge patch from Ubuntu, QA upload
• #777903 src:hugs98: "hugs98: ftbfs with GCC-5"
  apply patch from Elizabeth J Dall, upload to DELAYED/5
• #777965 src:libpam-chroot: "libpam-chroot: ftbfs with GCC-5"
  apply patch from Linn Crosetto, upload to DELAYED/5
• #777975 src:libssh: "libssh: ftbfs with GCC-5"
  apply patch from Matthias Klose, upload to DELAYED/5
• #778009 src:mknbi: "mknbi: ftbfs with GCC-5"
  apply patch from Matthias Klose, QA upload
• #778020 src:mz: "mz: ftbfs with GCC-5"
  apply patch from Joshua Gadeken, upload to DELAYED/5
• #778051 src:overgod: "overgod: ftbfs with GCC-5"
  apply patch from Nicholas Luedtke, upload to DELAYED/5
• #778056 src:pads: "pads: ftbfs with GCC-5"
  apply patch from Andrew Patterson, upload to DELAYED/5
• #778121 src:sks-ecc: "sks-ecc: ftbfs with GCC-5"
  apply patch from Brett Johnson, QA upload
• #778129 src:squeak-plugins-scratch: "squeak-plugins-scratch: ftbfs with GCC-5"
  apply patch from Brett Johnson, upload to DELAYED/5
• #778137 src:tabble: "tabble: ftbfs with GCC-5"
  apply patch from David S. Roth, QA upload
• #778146 src:tinyscheme: "tinyscheme: ftbfs with GCC-5"
  apply patch from Nicholas Luedtke, upload to DELAYED/5
• #778148 src:trafficserver: "trafficserver: ftbfs with GCC-5"
  lower severity
• #778151 src:tuxonice-userui: "tuxonice-userui: ftbfs with GCC-5"
  apply patch from Nicholas Luedtke, upload to DELAYED/5, later sponsor maintainer upload
• #778152 src:uaputl: "uaputl: ftbfs with GCC-5"
  apply patch from Brett Johnson, upload to DELAYED/5
• #778153 src:udftools: "udftools: ftbfs with GCC-5"
  apply patch from Jakub Wilk, upload to DELAYED/5
• #778159 src:uswsusp: "uswsusp: ftbfs with GCC-5"
  apply patch from Andrew James, upload to DELAYED/5
• #778167 src:weplab: "weplab: ftbfs with GCC-5"
  apply patch from Elizabeth J Dall, QA upload
• #778171 src:wmmon: "wmmon: ftbfs with GCC-5"
  add patch to build with "-std=gnu89", upload to DELAYED/5
• #778173 src:wmressel: "wmressel: ftbfs with GCC-5"
  apply patch from Elizabeth J Dall, upload to DELAYED/5
• #780199 src:redhat-cluster: "redhat-cluster: FTBFS in unstable - error: conflicting types for 'int64_t'"
  apply patch from Michael Tautschnig, upload to DELAYED/2, then rescheduled by maintainer
• #783899 liblog-any-perl: "liblog-any-perl, liblog-any-adapter-perl: File conflict when being installed together"
  add Breaks/Replaces/Provides (pkg-perl)
• #784844 libmousex-getopt-perl: "libmousex-getopt-perl: FTBFS: test failures"
  upload new upstream release (pkg-perl)
• #785020 libmoosex-getopt-perl: "libmoosex-getopt-perl: FTBFS: test failures"
  upload new upstream release (pkg-perl)
• #785158 libnet-ssleay-perl: "libnet-ssleay-perl: FTBFS: Your vendor has not defined SSLeay macro LIBRESSL_VERSION_NUMBER"
  upload new upstream release (pkg-perl)
• #785229 sqitch: "sqitch: FTBFS: new warnings"
  upload new upstream release (pkg-perl)
• #785232 libdist-zilla-plugin-requiresexternal-perl: "libdist-zilla-plugin-requiresexternal-perl: FTBFS: More than one plan found in TAP output"
  make tests non-verbose (pkg-perl)
• #785659 libdist-zilla-perl: "libdist-zilla-perl: FTBFS: t/plugins/testrelease.t failure"
  make tests non-verbose (pkg-perl)
• #786447 libcgi-application-plugin-authentication-perl: "libcgi-application-plugin-authentication-perl FTBFS in unstable"
  add patch from Micah Gersten/Ubuntu (pkg-perl)
• #786591 libtext-quoted-perl: "libtext-quoted-perl: broken by libtext-autoformat-perl changes"
  upload new upstream release (pkg-perl)
• #786667 libcatalyst-plugin-authentication-credential-openid-perl: "libcatalyst-plugin-authentication-credential-openid-perl: FTBFS: Bareword "use_test_base" not allowed"
  patch Makefile.PL (pkg-perl)
• #788350 libhttp-proxy-perl: "FTBFS - proxy tests"
  add patch, improved from CPAN RT (pkg-perl)
• #789141 src:libdancer2-perl: "libdancer2-perl: FTBFS with Plack >= 1.0036: t/classes/Dancer2-Core-Response/new_from.t"
  upload new upstream release (pkg-perl)
• #789669 src:starlet: "starlet: FTBFS with Plack 1.0036"
  add patch for test compatibility with newer Plack (pkg-perl)
• #789838 src:starman: "starman: FTBFS with Plack 1.0036"
  upload new upstream release (pkg-perl)
• #791493 libpadre-plugin-datawalker-perl: "libpadre-plugin-datawalker-perl: missing dependency on padre"
  add missing dependency (pkg-perl)
• #791510 libcatalyst-authentication-credential-authen-simple-perl: "libcatalyst-authentication-credential-authen-simple-perl: FTBFS: Can't locate Test/Exception.pm in @INC"
  add missing build dependency (pkg-perl)
• #791512 libcatalyst-plugin-cache-store-fastmmap-perl: "libcatalyst-plugin-cache-store-fastmmap-perl: FTBFS: Can't locate Test/Exception.pm in @INC"
  add missing build dependency (pkg-perl)
• #791709 libjson-perl: "libjson-perl: FTBFS: Recursive inheritance detected"
  upload new upstream release (pkg-perl)
• #792063 src:libmath-mpfr-perl: "FTBFS: lngamma_bug.t and test1.t fail"
  upload new upstream release (pkg-perl)
• #792844 libatombus-perl: "libatombus-perl: ships usr/share/man/man3/README.3pm.gz"
  don't install README manpage (pkg-perl)
• #792845 libclang-perl: "libclang-perl: ships usr/share/man/man3/README.3pm.gz"
  don't install README POD/manpage (pkg-perl)

PyCon 2014 happened. (Sprints are still happening.) This was my 3rd PyCon, but my first year as a serious contributor to the event, which led to an incredibly different feel. I also came as a person running a company building a complex system in Python, and I loved having the overarching mission of what I'm building driving my approach to what I chose to do. PyCon is one of the few conferences I go to where the feeling of acceptance and at-homeness mitigates the introvert overwhelm at nonstop social interaction. It's truly a special event and community. Here are some highlights:

• I gave a tutorial about search, which was recorded in its entirety... if you watch this video, I highly recommend skipping the hands-on parts where I'm just walking around helping people out.
• I gave a talk! It's called Subprocess to FFI, and you can find the video here. Through three full iterations of dry runs with feedback, I had a ton of fun preparing this talk. I'd like to give more like it in the future as I continue to level up my speaking skills.
• Allen Downey came to my talk and found me later to say hi. Omg amazing, made my day.
• Aux Vivres and Dieu du Ciel, amazing eats and drink with great new and old friends. Special shout out to old Debian friends Micah Anderson, Matt Zimmerman, and Antoine Beaupr for a good time at Dieu du Ciel.
• The Geek Feminism open space was a great place to chill out and always find other women to hang with, much thanks to Liz Henry for organizing it.
• Talking to the community from the Inbox booth on Startup Row in the Expo hall on Friday. Special thanks for Don Sheu and Yannick Gingras for making this happen, it was awesome!
• The PyLadies lunch. Wow, was that amazing. Not only did I get to meet Julia Evans (who also liked meeting me!), but there was an amazing lineup of amazing women telling everyone about what they're doing. This and Noami Ceder's touching talk about openly transitioning while being a member of the Python community really show how the community walks the walk when it comes to diversity and is always improving.
• Catching up with old friends like Biella Coleman, Selena Deckelmann, Deb Nicholson, Paul Tagliamonte, Jessica McKellar, Adam Fletcher, and even friends from the bay area who I don't see often. It was hard to walk places without getting too distracted running into people I knew, I got really good at waving and continuing on my way.

I didn't get to go to a lot of talks in person this year since my personal schedule was so full, but the PyCon video team is amazing as usual, so I'm looking forward to checking out the archive. It really is a gift to get the videos up while energy from the conference is still so high and people want to check out things they missed and share the talks they loved. Thanks to everyone, hugs, peace out, et cetera!

As a followup to my toy over at debtree, I ve taken some suggestions from my buddy Arno and found some time in the hotel during a visit for work up to Canada with the Open North folks hacking on open13. The hack is called debfriends (I need to purge personal details from the source tree before I can push it to VCS, since it uses the nm.d.o dump. Sorry, I should have been better about that.) I ve posted a cute front-end on my staging machine to play with over at graph.lucifer.pault.ag There s also an API, but it has all the data in the NM dump exposed. If you re a DD who will treat this data right, I can add a key (it s not secure, like, at all). I m going to publish the source ASAP so that others can stand up an instance if they d like. It s a cute toy, though! In the tradition of using nhandler for my examples, here s an example path from pabs to Nathan: pabs > nhandler

• nhandler was advocated by paultag
• paultag was advocated by mako
• micah was advocated by mako
• pabs was advocated by micah

Also, we re a shockingly well connected bunch. Well done :) Feel free to play with it!

here's my report about RC bug related activities for the last week. besides working on the bugs mentioned below I've also documented my RCBW work flow for the NMUs, just in case it's interesting for others.

• #615705 dasher: "dasher: ftbfs with gold or ld --no-add-needed"
  add patch from M nica Ram rez Arceda, upload to DELAYED/2
• #628590 siggen: "please make siggen depends on oss-compat"
  add missing dependency, do a QA upload
• #633453 drac: "drac: fails to install due to incorrect dependencies in init.d LSB header"
  add patch from Ubuntu / Daniel T Chen, upload to DELAYED/2
• #634451 src:hwinfo: "hwinfo: FTBFS: /usr/include/dbus-1.0/dbus/dbus.h:29:33: fatal error: dbus/dbus-arch-deps.h: No such file or directory"
  add patch from Simon McVittie, upload to DELAYED/2
• #638379 xine-ui: "xine-ui: fatal error: curl/types.h: No such file or directory"
  add patch from Ubuntu / Daniel T Chen, upload to DELAYED/2
• #639772 src:slrn: "slrn: FTBFS: checking for the slang library and header files ... no"
  point configure to multiarched slang, upload to DELAYED/2
• #639991 guile-1.8-non-dfsg: "guile-1.8-non-dfsg fails to build from source in unstable"
  add patch from Ubuntu / Matthias Klose, upload to DELAYED/2
• #640439 src:gtk-nodoka-engine: "gtk-nodoka-engine: FTBFS: nodoka_style.c:1279: undefined reference to sqrt'"
  add patch from Ubuntu / Micah Gersten, upload to DELAYED/2
• #640883 libnet-ldap-perl: "regression: breaks $ldap->start_tls()"
  add patch from Peter Marschall, taken from upstream's "next" branch (pkg-perl)
• #643339 src:most: "most: build fails on configure-step (couldn't find slang.h)"
  add patch from Ubuntu / Daniel T Chen, upload to DELAYED/2
• #643371 src:dasher: "dasher: FTBFS: game_mode_helper.cpp:327:15: error: format not a string literal and no format arguments [-Werror=format-security]"
  add patch from Eric Alexander, upload the DELAYED/2
• #649066 libmason-perl: "libmason-perl and mason: error when trying to install together"
  upload new upstream release, package prepared by Florian Schlichting (pkg-perl)

after some months of looking only at "my" packages, I'm back in the #RCBW flow. here's my overview of RC bug activities & NMUs in the last week:

• #533812 freehdl: "freehdl: non-standard gcc/g++ used for build (gcc-4.3)"
  fixed by the same changes as #629731
• #564968 bobot++: "bobot++: ftbfs with gcc-4.5"
  add patch from BTS and upload to DELAYED/5
• #598940 src:libkinosearch-perl: "libkinosearch-perl: FTBFS on armel: testfailures"
  add patch from BTS (Ubuntu/cjwatson) (pkg-perl)
• #618510 scribus-ng-doc: "scribus-ng-doc: FTBFS (missing build-depends on cmake)"
  add missing build dependency and upload to DELAYED/5
• #619243 libjs-protoaculous: "libjs-protoaculous: fails to install"
  add "patch" to Depends and upload to DELAYED/5, later rescheduled to DELAYED/0
• #628349 phpunit: "php-gettext: FTBFS: require_once(): Failed opening required 'PHP/CodeCoverage/Filter.php'"
  reassign to phpunit and merge with existing bug + affects
• #628358 phpunit: "libxmpp-php: FTBFS: require_once(): Failed opening required 'PHP/CodeCoverage/Filter.php'"
  reassign to phpunit and merge with existing bug + affects
• #628576 tagcloud: "missing dependencies"
  add missing runtime dependencies and upload to DELAYED/5
• #629731 src:freehdl: "freehdl: FTBFS: build-dependency not installable: g++-4.3"
  use default gcc, upload to DELAYED/5
• #632532 transgui: "transgui: hardcoded Depends on libssl0.9.8"
  take a look and ask about the upload in the bug report
• #634140 src:libgeotiff-dfsg: "libgeotiff-dfsg: Please Build-Depends on libjpeg-dev, not libjpeg62-dev"
  update build dependency and upload to DELAYED/5, later overridden by maintainer upload
• #635489 src:libgd-ruby: "libgd-ruby: FTBFS: Please Build-Depends on libjpeg-dev, not libjpeg62-dev"
  update build dependency and upload to DELAYED/5, later rescheduled to DELAYED/0
• #635687 src:ecore: "ecore: Please Build-Depends on libjpeg-dev, not libjpeg62-dev"
  update build dependency and upload to DELAYED/5
• #636097 pidgin-skype: "pidgin-skype FTBFS with multiarch"
  add patch from BTS (Ubuntu/micahg) and upload to DELAYED/5
• #639064 src:ygraph: "ygraph: FTBFS: please build-depend on libjpeg-dev, not libjpeg62-dev libjpeg-dev"
  update build dependency and upload to DELAYED/5

two short observations:

• now is a good time for fixing RC bugs there are tons (of easy ones) available. just head over to the UDD bugs page.
• quite a few of the bugs with patches contain fixes forwarded from Ubuntu thanks guys!

Tomorrow, at this time, I'll probably be unsuccessfully trying to find a comfortable position on a seat of the Bilmanbus to Irun. Very early on Saturday, as soon as we get off the bus, Maria and I will quickly head to Hondarribia's beach in Cape Higer to symbolically wet our feet in the waters of the Cantabrian Sea. We won't have much time to enjoy the cold waters of the ocean, though. Soon after that, we'll have to take a deep breath, look East, and start walking if we want to achieve our utmost objective: take a bath in the beautiful beaches of the Cap de Creus, in the Mediterranean sea. In between, 30 days and 840 kilometres of thick woods, deep valleys, high peaks and cold waters, all of which shape incredible landscapes.

The Portella de Baiau, during our 2008 trip For a whole month, we'll be mostly disconnected from everything else that isn't our knee ache, our blisters, the Sun over our heads or where to get food. It's the first time I leave on a hiking trip as long and tough as this one, and I feel both uncertainty and eagerness. We've been so busy during the last few months that we've been unable to train at all for this, and I'm probably in the worst physical condition in a decade. It's too late to take care of that now, so we'll try to take good care of our legs and spine. In order to get back home in the Mediterranean, we'll have to be fast, some days joining two stages and skipping a few that we know are not that interesting (sections over asphalt, etc.). It's hard to make it in just one month, but we'll try our best. The plan is going to sleep not long after sunset, getting up at dawn, to be able to walk for a decent time before the heat starts being a handicap and just resting at midday, when the Sun is strongest. Of course, this means that I'm missing, yet again, this year's edition of DebConf in New York City, which is really sad because I was looking forward hanging around with Mako, Mika, Biella, micah, Clint and the rest of the NYC/ Boston gang, but when the idea of doing a long trip this summer popped up around January, it was clear DebConf seemed unlikely this year. I hope all of you have a lot of fun, and see you in a few weeks!

Micah Veith reported the Debian bug #610000 on Friday January 14th, against the util-vserver package. Bug #600000 was reported as of October 12th. That makes 3 months for 10,000 bugs, one of the slowest ratio since I'm tracking these little things. We indeed had the same effect during lenny deep freeze, between bugs #500000 and #510000. So, that seems to be a proof that freezes also slowdown the bug reporting rate (or the prevalence of bugs...). As we're probably about to release, let's meet again in 2 months, to see if the bug rate increased again... See you for bug #620000. And don't forget aboutthe bug prediction contest.

A few months after starting the NM process, I have just been accepted as a Debian Developer. My account name is simply: julien I have been a Debian user for about 10 years now, and have begun contributing to Debian in 2005. I have then been accepted as a Debian Maintainer in 2007. This post is mainly to thank:

• all my sponsors: Christoph Haas (haas) , Lo c Minier (lool), Free Ekanayaka (freee), Maximiliano Curia (maxy) and Micah Anderson (micah),
• my advocate: Matthijs M hlman (matthijs)
• my AM (who actually make it happen in a really short time frame, thanks a lot to him): Xavier Oswald (xoswald)
• all people who helped me during the process, to name a few: Christoph Berg (myon), Enrio Zini (enrico), Peter Palfrader (weasel)

Also thanks to all people who have already sent their congratulations, it makes me very proud!

During my recent trip to Massachusetts for CalConnect XIX I passed back via New York, surfing a few nights on the couch at the Washington Cube Garden¹. This was just enough time for my new Davis VantagePro2 to arrive by UPS ground (phew!) causing me much consternation, as the box was about twice as wide as I expected it to be. On opening it I discovered that the reason for the size was the physical dimensions of the rain gauge, leading me to realise that I had actually bought exactly what I wanted: a high quality weather station. Also leading me to wonder how the hell I was going to get it halfway around the world with me the next day. Unfortunately that extra wide carrying case was in no way going to fit inside my suitcase. Fortunately it came with a handle. And those wonderful people at Air New Zealand gave me a Koru Gold upgrade for a 50th birthday present, so it was time to put it to the test... Travelling on the subway out to JFK was it's own little adventure, but I made it out to terminal 5 and wandered around a bit before concluding I needed to be in terminal 7. Once I was in the right place I found the fancy people's check in counter and the nice lady there was only too happy for me to carry it to New Zealand, though she did aver that perhaps the security scanners would be dubious. Not a hitch there though: I guess they're used to letting everything through that's not specifically denied, so weather stations are fine because nobody would be silly enough to even think of doing that... Being Koru Gold really helped at this point though, because it enabled me to queue jump use the priority boarding line when getting onto the plane, and every airline in the US seems to have gone all-out for this "checked baggage costs more" approach, so the planes all fly with empty baggage holds and totally overstuffed overhead lockers. If this progresses I shouldn't wonder that the planes will get so top-heavy they roll over, but through the miracles of priority boarding I was able to commandeer all the locker space I needed before anyone else had even made it past row 40. I confess that I was a little worried that it wouldn't be quite such plain sailing getting through LAX. I mean we all know what reputation this delightful little exit port has. In the event it was totally anitclimactic. If it has a handle on it, and it's about the same size and shape as a largish carryon then it's fine. There have been no recorded stabbings with wind vanes anyway - at least on aeroplanes - so clearly they are perfectly safe. Finally back in my country of birth, thinking I was home free, I breathed a sigh of relief transferred my bags and nipped off to the Koru lounge for a much needed shower and change of clothes after I snuck the station through another scanner. By now the handle had broken, so it was looking decidedly more 'box' like and less 'carryon' like, and when I eventually rolled up at the gate with my boarding pass the attendant made a valiant attempt to relieve me of it, but she was too slow and I danced around her and swanned up the gangway to take my seat. I was slow, this time, having missed the first boarding call, and all overhead lockers were crammed full. There was no seat in front of me to put the weather station under. Fortunately a nearby cupboard proved fit for purpose and it was secreted there and we were underway. At this point the guy two seats over said "didn't I see that weather station in New York?". Of course being bright yellow does make it a little conspicuous I guess, and I'm not renowned for my own inconspicuousness myself. So that's how I got my new weather station home, and you can see right away that doing things the easy way would never even occur to me. Possibly this is why I run Linux: there just isn't enough challenge when you run a different operating system. On Windows someone has always written a program for your new weather station, and a Mac user wouldn't be seen dead with it because it's black and beige and comes in a bright yellow box! So now I had to find some code to write. I looked around and very rapidly discovered that some software called vproweather was available, which would happily talk to my weather station and download the data from it, write web pages, stuff it into a MySQL database and so forth. All, obviously, far too easy, so I thought aha! I could convert that to PostgreSQL, and then I would be happy and relax with the thought of a job well done. So I downloaded the code in question an impressive several hundred kb of C code, cranked open a text editor and started to crawl through it and see where I could add the magic pixie dust to make it work with PostgreSQL. But it was not to be. My eyes glazed over or scales fell from them or something, and I realised that this particular edifice was beyond my help. Back to square one. I downloaded the Vantage Serial Protocol docs from the Davis Instruments website did some quick googling and decided I should write a module to talk this protocol. And I should write it in Perl (it was a Thursday, and Perl always seems more sensible on a Thursday, and not because of Douglas Adams, either). I beavered away into the night. Rain threatened, so I raced outside and installed the new weather station on the roof in the hopes that it's magnificent rain collector would collect. I raced back inside and was able to count the first (and so far, only) tip of the bucket. And so I now release upon the world Davis::VantagePro my first perl module. Well, the first one I care to share with the world, anyway. I have stressed it with very little testing, lumbered it with no planning or design whatsoever and so I feel it only fair that I should cast it upon the world with very little thought for it's survival or existential goals.

¹ I seem to recall one night we came up with some fantastic names for Micah & Biella's Washington Square apartment, but I couldn't remember any of the good ones and had to slap a new one on there. I should also mention my stay at the Acetarium in Boston, which was a fabulous few days, but it would pad this blog post needlessly, and I've already done that.

At the beginning of DebCamp, Zack started the RCBC the Release Critical Bug squashing Contest. Two weeks later not only DebConf10 is over but we also have results for the RCBC:

In summary: It was a huge success, we managed to fix

• 139 RC bugs in testing/unstable
• 79 RC bugs in stable

And the winners are:

• Stable: Gerfried Fuchs (77 bugs)
• Testing/unstable: 1. Moritz M hlenhoff (32 bugs), 2. Nico Golde (17 bugs), 3. Alexander Reichle-Schmehl (16 bugs)

All details can be found at http://wiki.debconf.org/wiki/DebConf10/RCBC.

The winners who haven't collected their prizes at the closing ceremony will get them be snail mail.

Finally let me thank

• our donors of the prizes
• Micah and Zack for initiating the contest
• Mehdi for being my co-judge
• all participants who hugely improved Debian in the last two weeks

So, DebConf is over and it was a blast. I wanted to blog about my talks for a couple of days, but the conference was so great that I did not get around to it until now. The unique thing about this year's conference were the outstanding contributions by non-Debian FLOSS people from the east coast. I am really glad the organizers decided to reach out to the communi ty and take this opportunity when a lot of great minds were just a couple of hours away. Also, discussing and hanging out with the local team people was so much fun and interesting that it was wor th the visit alone. The venue was just perfect, the dorms were on campus, the cafeteria had an all-you-can-eat buffet, everything was in short walking distance and the Columbia campus is beautiful. I would have liked to go to a couple more places in the evenings, but hanging out in the Carman basement lounge with awesome people was just as good. A big thanks to Richard Darst, Biella, Micah and the rest of the crew. The Debian GNU/Hurd talk went quite well, I was pleasantly surprised so many people made it to the Davis auditorium. I wanted to do the presentation on Debian GNU/Hurd (and I had it working before the talk), but as my notebook has a different resolution than the projector, I decided to play it safe and just show a d-i run in qemu. Nevertheless, Jeremie's wo rk on debian-installer is impressive, I got it installed on my ThinkPad without a problem (using qemu) and it automatically installed and setup grub2. Unfortunately, grub2 seems to be having issues when booting my notebook natively, but I got it to work with grub-legacy, including X and evince. There were quite a few comments and I had interesting conversations afterwards with a couple of people. It is a shame Emilio Pozuelo Monfort (pochu) could not make it to DebConf to give the talk himself, he did lots of great work on porting packages and fixing the Hurd and glibc for various testsuites over the last couple of months. My other talk about GOsa and FAI was a bit rougher, I scrambled to get FAI integration in GOsa to work based on Mark Pavlichuk'sinstallation scripts which I fixed up over the last couple of weeks to the point where one can install a client using the FAI simple demo classes (which I ported to GOsa's FAI LDAP). There were some problems with the demonstration during the talk and I guess it was a tough audience for a web-based admin tool but I hopefully got my point across that we should salvage this work done for the city of Munich. Indeed, I had great discussions with Andreas Mundt from debian-edu afterwards who posted a summary and call for discussion to the debian-edu mailing list.

Recipe for RCBC - Release Critical Bug squashing Contest: It has been a while since my last post in the RCBW tradition. Luckily, the tradition is in very good health of its own, thanks to many others that have picked up the habit of SPAM-ing planet with good news for Debian, encouraging others to do the same. With all that RC-obsessed people around and with the Squeeze release forthcoming, can DebConf10 be devoid of geeky RC-squashing activities? Of course not! Thanks to the orga team we expect the conference to contain a 2-week long RC bug squashing pride with tutorials, BoFs, a permanent bug squashing party, ... and a contest! I won't indulge much on the contest as the wiki page contains all rules and gory details. Obviously, all usual rules and best practices of bug squashing parties will apply; coordination will happen on #debian-bugs. Get involved, it starts today, and it's open to everyone (DebConf10 attendees as well as Debian enthusiasts abroad, regular RC squashers as well as casual bystanders, etc). All this wouldn't have been possible without the help of many people that love Debian, so many thanks to:

• the sponsors of RCBC:
  • Marvell, for offering a GuruPlug
    (of course, the winner of this device is expected to help with Debian support for it *g*)
  • HP, for offering t-shirts
  • Pearson, for offering books
• micah - who dragged me into this (it hasn't been hard)
• gregoa and mehdi - the almighty judges - who have been transitively dragged into this (it hasn't been hard either)

PS a corresponding announcement is in the debconf-announce pipeline already

Tomorrow, at this time, I'll probably be unsuccessfully trying to find a comfortable position on a seat of the Bilmanbus to Irun. Very early on Saturday, as soon as we get off the bus, Maria and I will quickly head to Hondarribia's beach in Cape Higer to symbolically wet our feet in the waters of the Cantabrian Sea. We won't have much time to enjoy the cold waters of the ocean, though. Soon after that, we'll have to take a deep breath, look East, and start walking if we want to achieve our utmost objective: take a bath in the beautiful beaches of the Cap de Creus, in the Mediterranean sea. In between, 30 days and 840 kilometres of thick woods, deep valleys, high peaks and cold waters, all of which shape incredible landscapes.

The Portella de Baiau, during our 2008 trip For a whole month, we'll be mostly disconnected from everything else that isn't our knee ache, our blisters, the Sun over our heads or where to get food. It's the first time I leave on a hiking trip as long and tough as this one, and I feel both uncertainty and eagerness. We've been so busy during the last few months that we've been unable to train at all for this, and I'm probably in the worst physical condition in a decade. It's too late to take care of that now, so we'll try to take good care of our legs and spine. In order to get back home in the Mediterranean, we'll have to be fast, some days joining two stages and skipping a few that we know are not that interesting (sections over asphalt, etc.). It's hard to make it in just one month, but we'll try our best. The plan is going to sleep not long after sunset, getting up at dawn, to be able to walk for a decent time before the heat starts being a handicap and just resting at midday, when the Sun is <strongest.> Of course, this means that I'm missing, yet again, this year's edition of DebConf in New York City, which is really sad because I was looking forward hanging around with Mako, Mika, Biella, micah, Clint and the rest of the NYC/ Boston gang, but when the idea of doing a long trip this summer popped up around January, it was clear DebConf seemed unlikely this year. I hope all of you have a lot of fun, and see you in a few weeks!