Search Results: "morten"

11 November 2020

Reproducible Builds: Reproducible Builds in October 2020

Welcome to the October 2020 report from the Reproducible Builds project. In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure flaws have not been introduced in the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.

General

On Saturday 10th October, Morten Linderud gave a talk at Arch Conf Online 2020 on The State of Reproducible Builds in Arch. The video should be available later this month, but as a teaser:
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.
During the Reproducible Builds summit in Marrakesh in 2019, developers from the GNU Guix, NixOS and Debian distributions were able to produce a bit-for-bit identical GNU Mes binary despite using three different versions of GCC. Since this summit, additional work resulted in a bit-for-bit identical Mes binary using tcc, and last month a fuller update was posted to this effect by the individuals involved. This month, however, David Wheeler updated his extensive page on Fully Countering Trusting Trust through Diverse Double-Compiling, remarking that:
GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it's the first publicly acknowledged use of DDC on a binary
There was a small, followup discussion on our mailing list. In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update. This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (summary & logs), and later on the 26th (logs). As mentioned in previous reports, due to the unprecedented events throughout 2020, there will be no in-person summit event this year. On our mailing list this month, Elías Alejandro posted a request for help with a local configuration.

Software development

This month, we tried to fix a large number of currently-unreproducible packages, including: Bernhard M. Wiedemann also reported three issues against bison, ibus and postgresql12.

Tools

diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it also provides human-readable diffs of all kinds. This month, Chris Lamb uploaded version 161 to Debian (later backported by Mattia Rizzolo), as well as made the following changes:
  • Move test_ocaml to the assert_diff helper.
  • Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
  • Bump minimum version of the Black source code formatter to 20.8b1. (#972518)
In addition, Jean-Romain Garnier temporarily updated the dependency on radare2 to ensure our test pipelines continue to work, and for the GNU Guix distribution Vagrant Cascadian updated diffoscope to version 161. In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:
  • Mark a --help-only test as being a superficial test. (#971506)
  • Add a real, albeit flaky, test that interacts with the try.diffoscope.org service.
  • Bump debhelper compatibility level to 13 and bump Standards-Version to 4.5.0.
Lastly, disorderfs version 0.5.10-2 was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via DEB_BUILD_MAINT_OPTIONS and dropped debian/disorderfs.lintian-overrides.

Website and documentation

This month, a number of updates to the main Reproducible Builds website and related documentation were made by Chris Lamb:
  • Added a citation link to the academic article regarding dettrace, and added yet another supply-chain security attack publication.
  • Reformatted Jekyll's Liquid templating language and CSS formatting to be consistent, as well as expanded a number of tab characters.
  • Used relative_url to fix missing translation icon on various pages.
  • Published two announcement blog posts regarding the restarting of our IRC meetings.
  • Added an explicit note regarding the lack of an in-person summit in 2020 to our events page.

Testing framework

The Reproducible Builds project operates a Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
  • Debian-related changes:
    • Refactor and improve the Debian dashboard.
    • Track bugs which are usertagged as filesystem, fixfilepath, etc.
    • Make a number of changes to package index pages.
  • System health checks:
    • Relax disk space warning levels.
    • Specifically detect build failures reported by dpkg-buildpackage.
    • Fix a regular expression to detect outdated package sets.
    • Detect Lintian issues in diffoscope.
  • Misc:
    • Make a number of updates to reflect that our sponsor Profitbricks has renamed itself to IONOS.
    • Run a F-Droid maintenance routine twice a month to utilise its cleanup features.
    • Fix the target name in OpenWrt builds to ath79 from ath97.
    • Add a missing Postfix configuration for a node.
    • Temporarily disable Arch Linux builds until a core node is back.
    • Make a number of changes to our thanks page.
Build node maintenance was performed by both Holger Levsen and Vagrant Cascadian. Vagrant Cascadian also updated the page listing the variations made when testing to reflect changes in build paths, and Hans-Christoph Steiner made a number of changes for F-Droid, the free software app repository for Android devices, including:
  • Do not fail reproducibility jobs when their cleanup tasks fail.
  • Skip libvirt-related sudo command if we are not actually running libvirt.
  • Use direct URLs in order to eliminate a useless HTTP redirect.

If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. However, you can also get in touch with us via:

5 October 2020

Reproducible Builds: Reproducible Builds in September 2020

Welcome to the September 2020 report from the Reproducible Builds project. In our monthly reports, we attempt to summarise the things that we have been up to over the past month, but if you are interested in contributing to the project, please visit our main website.

This month, the Reproducible Builds project was pleased to announce a donation from Amateur Radio Digital Communications (ARDC) in support of its goals. ARDC's contribution will propel the Reproducible Builds project's efforts in ensuring the future health, security and sustainability of our increasingly digital society. Amateur Radio Digital Communications (ARDC) is a non-profit which was formed to further research and experimentation with digital communications using radio, with a goal of advancing the state of the art of amateur radio and to educate radio operators in these techniques. You can view the full announcement as well as more information about ARDC on their website.

In August's report, we announced that Jennifer Helsby (redshiftzero) launched a new reproduciblewheels.com website to address the lack of reproducibility of Python wheels. This month, Kushal Das posted a brief follow-up to provide an update on reproducible sources as well. The Threema privacy and security-oriented messaging application announced that within the next months, their apps will become fully open source, supporting reproducible builds:
This is to say that anyone will be able to independently review Threema's security and verify that the published source code corresponds to the downloaded app.
You can view the full announcement on Threema's website.

Events

Sadly, due to the unprecedented events in 2020, there will be no in-person Reproducible Builds event this year. However, the Reproducible Builds project intends to resume meeting regularly on IRC, starting on Monday, October 12th at 18:00 UTC (full announcement). The cadence of these meetings will probably be every two weeks, although this will be discussed and decided on at the first meeting. (An editable agenda is available.)

On 18th September, Bernhard M. Wiedemann gave a presentation in German titled Wie reproducible builds Software sicherer machen ("How reproducible builds make software more secure") at the Internet Security Digital Days 2020 conference. (View video.)

On Saturday 10th October, Morten Linderud will give a talk at Arch Conf Online 2020 on The State of Reproducible Builds in the Arch Linux distribution:
The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.
During the Reproducible Builds summit in Marrakesh, GNU Guix, NixOS and Debian were able to produce a bit-for-bit identical binary when building GNU Mes, despite using three different major versions of GCC. Since the summit, additional work resulted in a bit-for-bit identical Mes binary using tcc and this month, a fuller update was posted by the individuals involved.

Development work

In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.

Debian

Chris Lamb uploaded a number of Debian packages to address reproducibility issues that he had previously provided patches for, including cfingerd (#831021), grap (#870573), splint (#924003) & schroot (#902804).

Last month, an issue was identified where a large number of Debian .buildinfo build certificates had been tainted on the official Debian build servers, as these environments had files underneath the /usr/local/sbin directory to prevent the execution of system services during package builds. However, this month, Aurelien Jarno and Wouter Verhelst fixed this issue in varying ways, resulting in a special policy-rcd-declarative-deny-all package.

Building on Chris Lamb's previous work on reproducible builds for Debian .ISO images, Roland Clobus announced his work in progress on making the Debian Live images reproducible.

Lucas Nussbaum performed an archive-wide rebuild of packages to test enabling the reproducible=+fixfilepath Debian build flag by default. Enabling the fixfilepath feature will likely fix reproducibility issues in an estimated 500-700 packages. The test revealed only 33 packages (out of 30,000 in the archive) that fail to build with fixfilepath. Many of those will be fixed when the default LLVM/Clang version is upgraded.

79 reviews of Debian packages were added, 23 were updated and 17 were removed this month, adding to our knowledge about identified issues. Chris Lamb added and categorised a number of new issue types, including packages that capture their build path via quicktest.h and absolute build directories in documentation generated by Doxygen, etc.

Lastly, Lukas Puehringer uploaded a new version of in-toto to Debian, which was sponsored by Holger Levsen.

diffoscope

diffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, but also provide human-readable diffs of all kinds. In September, Chris Lamb made the following changes to diffoscope, including preparing and uploading versions 159 and 160 to Debian:
  • New features:
    • Show ordering differences only in strings(1) output by applying the ordering check to all differences across the codebase.
  • Bug fixes:
    • Mark that some PGP tests require pgpdump, and check that the associated binary is actually installed before attempting to run it. (#969753)
    • Don't raise exceptions when cleaning up after guestfs cleanup failure.
    • Ensure we check FALLBACK_FILE_EXTENSION_SUFFIX, otherwise we run pgpdump against all files that are recognised by file(1) as data.
  • Codebase improvements:
    • Add some documentation for the EXTERNAL_TOOLS dictionary.
    • Abstract out a variable we use a couple of times.
  • diffoscope.org website improvements:
    • Make the (long) demonstration GIF less prominent on the page.
In addition, Paul Spooren added support for automatically deploying Docker images.

Website and documentation

This month, a number of updates were made to the main Reproducible Builds website and related documentation. Chris Lamb made the following changes:

In addition, Holger Levsen re-added the documentation link to the top-level navigation and documented that the jekyll-polyglot package is required. Lastly, diffoscope.org and reproducible-builds.org were transferred to Software Freedom Conservancy. Many thanks to Brett Smith from Conservancy, Jérémy Bobbio (lunar) and Holger Levsen for their help with transferring and to Mattia Rizzolo for initiating this.

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including: Bernhard M. Wiedemann also reported issues in git2-rs, pyftpdlib, python-nbclient, python-pyzmq & python-sidpy.

Testing framework

The Reproducible Builds project operates a Jenkins-based testing framework to power tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
  • Debian:
    • Shorten the subject of "nodes have gone offline" notification emails.
    • Also track bugs that have been usertagged with usrmerge.
    • Drop abort-related codepaths as that functionality has been removed from Jenkins.
    • Update the frequency we update base images and status pages.
  • Status summary view page:
    • Add support for monitoring systemctl status and the number of diffoscope processes.
    • Show the total number of nodes and colourise critical disk space situations.
    • Improve the visuals with respect to vertical space.
  • Debian rebuilder prototype:
    • Resume building random packages again and update the frequency that packages are rebuilt.
    • Use --no-respect-build-path parameter until sbuild 0.81 is available.
    • Treat the inability to locate some packages as a debrebuild problem, and not as an issue with the rebuilder itself.
  • Arch Linux:
    • Update various components to be compatible with Arch Linux's move to the xz compression format.
    • Allow scheduling of old packages to catch up on the backlog.
    • Improve formatting on the summary page.
    • Update HTML pages once every hour, not every 30 minutes.
    • Use the Ubuntu (!) GPG keyserver to validate packages.
  • System health checks:
    • Highlight important bad conditions in colour.
    • Add support for detecting more problems, including Jenkins shutdown issues, failure to upgrade Arch Linux packages, kernels with wrong permissions, etc.
  • Misc:
    • Delete old schroot sessions after 2 days, not 3.
    • Use sudo to cleanup diffoscope schroot sessions.
In addition, stefan0xC fixed a query for unknown results in the handling of Arch Linux packages and Mattia Rizzolo updated the template that notifies maintainers by email of their newly-unreproducible packages to ensure that it did not get caught in junk/spam folders. Finally, build node maintenance was performed by Holger Levsen, Mattia Rizzolo and Vagrant Cascadian.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

9 September 2020

Reproducible Builds: Reproducible Builds in August 2020

Welcome to the August 2020 report from the Reproducible Builds project. In our monthly reports, we summarise the things that we have been up to over the past month. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. If you're interested in contributing to the project, please visit our main website.


This month, Jennifer Helsby launched a new reproduciblewheels.com website to address the lack of reproducibility of Python wheels. To quote Jennifer's accompanying explanatory blog post:
One hiccup we've encountered in SecureDrop development is that not all Python wheels can be built reproducibly. We ship multiple (Python) projects in Debian packages, with Python dependencies included in those packages as wheels. In order for our Debian packages to be reproducible, we need that wheel build process to also be reproducible
Parallel to this, transparencylog.com was also launched, a service that verifies the contents of URLs against a publicly recorded cryptographic log. It keeps an append-only log of the cryptographic digests of all URLs it has seen. (GitHub repo)

On 18th September, Bernhard M. Wiedemann will give a presentation in German, titled Wie reproducible builds Software sicherer machen ("How reproducible builds make software more secure") at the Internet Security Digital Days 2020 conference.

Reproducible builds at DebConf20

There were a number of talks at the recent online-only DebConf20 conference on the topic of reproducible builds. Holger gave a talk titled "Reproducing Bullseye in practice", focusing on independently verifying that the binaries distributed from ftp.debian.org are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The video (145 MB) and slides are available.

There were also a number of other talks that involved Reproducible Builds. For example, the Malayalam language mini-conference had a talk whose title translates as "I want to join Debian, what should I do?", presented by Praveen Arimbrathodiyil, the Clojure Packaging Team BoF session led by Elana Hashman, as well as "Where is Salsa CI right now?" that was on the topic of Salsa, the collaborative development server that Debian uses to provide the necessary tools for package maintainers, packaging teams and so on. Jonathan Bustillos (Jathan) also gave a talk in Spanish titled Un camino verificable desde el origen hasta el binario ("A verifiable path from source to binary"). (Video, 88MB)

Development work

After many years of development work, the compiler for the Rust programming language now generates reproducible binary code. This generated some general discussion on Reddit on the topic of reproducibility in general. Paul Spooren posted a request for comments to OpenWrt's openwrt-devel mailing list asking for clarification on when to raise the PKG_RELEASE identifier of a package. This is needed in order to successfully perform rebuilds in a reproducible builds context. In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update. Chris Lamb provided some comments and pointers on an upstream issue regarding the reproducibility of a Snap / SquashFS archive file.

Debian

Holger Levsen identified that a large number of Debian .buildinfo build certificates have been tainted on the official Debian build servers, as these environments have files underneath the /usr/local/sbin directory. He also filed a bug against debrebuild after spotting that it can fail to download packages from snapshot.debian.org.

This month, several issues were uncovered (or assisted) due to the efforts of reproducible builds. For instance, Debian bug #968710 was filed by Simon McVittie, which describes a problem with detached debug symbol files (required to generate a traceback) that is unlikely to have been discovered without reproducible builds. In addition, Jelmer Vernooij called attention to the fact that the new Debian Janitor tool is using the property of reproducibility (as well as diffoscope) when applying archive-wide changes to Debian:
New merge proposals also include a link to the diffoscope diff between a vanilla build and the build with changes. Unfortunately these can be a bit noisy for packages that are not reproducible yet, due to the difference in build environment between the two builds.
56 reviews of Debian packages were added, 38 were updated and 24 were removed this month, adding to our knowledge about identified issues. Specifically, Chris Lamb added and categorised the nondeterministic_version_generated_by_python_param and the lessc_nondeterministic_keys toolchain issues.

Holger Levsen sponsored Lukas Puehringer's upload of the python-securesystemslib package, which is a dependency of in-toto, a framework to secure the integrity of software supply chains.

Lastly, Chris Lamb further refined his merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds' own testing infrastructure and sent a ping to the team that maintains that code.

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, but also provide human-readable diffs of all kinds. In August, Chris Lamb made the following changes to diffoscope, including preparing and uploading versions 155, 156, 157 and 158 to Debian:
  • New features:
    • Support extracting data of PGP signed data. (#214)
    • Try files named .pgp against pgpdump(1) to determine whether they are Pretty Good Privacy (PGP) files. (#211)
    • Support multiple options for all file extension matching.
  • Bug fixes:
    • Don't raise an exception when we encounter XML files with <!ENTITY> declarations inside the Document Type Definition (DTD), or when a DTD or entity references an external resource. (#212)
    • pgpdump(1) can successfully parse some binary files, so check that the parsed output contains something sensible before accepting it.
    • Temporarily drop gnumeric from the Debian build-dependencies as it has been removed from the testing distribution. (#968742)
    • Correctly use fallback_recognises to prevent matching .xsb binary XML files.
    • Correctly identify signed PGP files, as file(1) returns "data". (#211)
  • Logging improvements:
    • Emit a message when ppudump version does not match our file header.
    • Don't use Python's repr(object) output in "Calling external command" messages.
    • Include the filename in the "not identified by any comparator" message.
  • Codebase improvements:
    • Bump Python requirement from 3.6 to 3.7. Most distributions are either shipping with Python 3.5 or 3.7, so supporting 3.6 is not only somewhat unnecessary but also cumbersome to test locally.
    • Drop some unused imports, drop an unnecessary dictionary comprehension and some unnecessary control flow.
    • Correct typo of "output" in a comment.
  • Release process:
    • Move generation of debian/tests/control to an external script.
    • Add some URLs for the site that will appear on PyPI.org.
    • Update author and author email in setup.py for PyPI.org and similar.
  • Testsuite improvements:
    • Update PPU tests for compatibility with Free Pascal versions 3.2.0 or greater. (#968124)
    • Mark that our identification test for .ppu files requires ppudump version 3.2.0 or higher.
    • Add an assert_diff helper that loads and compares a fixture output.
  • Misc:
In addition, Mattia Rizzolo documented in setup.py that diffoscope works with Python version 3.8 and Frazer Clews applied some Pylint suggestions and removed some deprecated methods.

Website

This month, Chris Lamb updated the main Reproducible Builds website and documentation to:
  • Clarify & fix a few entries on the "who" page and ensure that images do not get too large on some viewports.
  • Clarify use of a pronoun re. Conservancy.
  • Use "View all our monthly reports" over "View all monthly reports".
  • Move an "is a" suffix out of the link target on the SOURCE_DATE_EPOCH page.
In addition, Javier Jardón added the freedesktop-sdk project and Kushal Das added the SecureDrop project to our projects page. Lastly, Michael Pöhn added internationalisation and translation support with help from Hans-Christoph Steiner.

Testing framework

The Reproducible Builds project operates a Jenkins-based testing framework to power tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
  • System health checks:
    • Improve explanation how the status and scores are calculated.
    • Update and condense view of detected issues.
    • Query the canonical configuration file to determine whether a job is disabled instead of duplicating/hardcoding this.
    • Detect several problems when updating the status of reporting-oriented metapackage sets.
    • Detect when diffoscope is not installable and failures in DNS resolution.
  • Debian:
    • Update the URL to the Debian security team bug tracker's Git repository.
    • Reschedule the unstable and bullseye distributions often for the arm64 architecture.
    • Schedule buster less often for armhf.
    • Force the build of certain packages in the work-in-progress package rebuilder.
    • Only update the stretch and buster base build images when necessary.
  • Other distributions:
    • For F-Droid, trigger jobs by commits, not by a timer.
    • Disable the Archlinux HTML page generation job as it has never worked.
    • Disable the alternative OpenWrt rebuilder jobs.
  • Misc:
Many other changes were made too, including:
  • Chris Lamb:
    • Use <pre> HTML tags when dumping fixed-width debugging data in the self-serve package scheduler.
  • Mattia Rizzolo:
  • Vagrant Cascadian:
    • Mark that the u-boot Universal Boot Loader should not build architecture independent packages on the arm64 architecture anymore.
Finally, build node maintenance was performed by Holger Levsen, Mattia Rizzolo and Vagrant Cascadian.

Mailing list

On our mailing list this month, Leo Wandersleb sent a message to the list after he was wondering how to expand his WalletScrutiny.com project (which aims to improve the security of Bitcoin wallets) from Android wallets to monitor Linux wallets as well:
If you think you know how to spread the word about reproducibility in the context of Bitcoin wallets through WalletScrutiny, your contributions are highly welcome on this PR
Julien Lepiller posted to the list linking to a blog post by Tavis Ormandy titled "You don't need reproducible builds". Morten Linderud (foxboron) responded with a clear rebuttal that Tavis was only considering the narrow use-case of proprietary vendors and closed-source software. He additionally noted that the criticism that reproducible builds cannot prevent backdoors being deliberately introduced into the upstream source ("bugdoors") is decidedly (and deliberately) outside the scope of reproducible builds to begin with.

Chris Lamb included the Reproducible Builds mailing list in a wider discussion regarding a tentative proposal to include .buildinfo files in .deb packages, adding his remarks regarding requiring a custom tool in order to determine whether generated build artifacts are identical in a reproducible context.

Jonathan Bustillos (Jathan) posted a quick email to the list asking whether there was a list of "To do" tasks in Reproducible Builds.

Lastly, Chris Lamb responded at length to a query regarding the status of reproducible builds for Debian ISO or installation images. He noted that most of the technical work has been performed but there are at least four issues until they can be generally advertised as such. He pointed out that the privacy-oriented Tails operating system, which is based directly on Debian, has had reproducible builds for a number of years now.

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

30 April 2017

Paul Wise: FLOSS Activities April 2017

Changes

Issues

Review

Administration
  • Debian systems: quiet a logrotate warning, investigate issue with DNSSEC and alioth, deploy fix on our first stretch buildd, restore alioth git repo after history rewrite, investigate iptables segfaults on buildd and investigate time issues on a NAS
  • Debian derivatives census: delete patches over 5 MiB, re-enable the service
  • Debian wiki: investigate some 403 errors, fix alioth KGB config, deploy theme changes, close a bogus bug report, ping 1 user with bouncing email, whitelist 9 email addresses and whitelist 2 domains
  • Debian QA: deploy my changes
  • Debian mentors: security upgrades and service restarts
  • Openmoko: debug mailing list issue, security upgrades and reboots

Communication
  • Invite Wazo to the Debian derivatives census
  • Welcome ubilinux, Wazo and Roopa Prabhu (of Cumulus Linux) to the Debian derivatives census
  • Discuss HP/ProLiant wiki page with HPE folks
  • Inform git history rewriter about the git mailmap feature

Sponsors

The libconfig-crontab-perl backports and pyvmomi issue were sponsored by my employer. All other work was done on a volunteer basis.

3 February 2017

Petter Reinholdtsen: A day in court challenging seizure of popcorn-time.no for #domstolkontroll

On Wednesday, I spent the entire day in court in Follo Tingrett representing the member association NUUG, alongside the member association EFN and the DNS registrar IMC, challenging the seizure of the DNS name popcorn-time.no. It was interesting to sit in a court of law for the first time in my life. Our team can be seen in the picture above: attorney Ola Tellesbø, EFN board member Tom Fredrik Blenning, IMC CEO Morten Emil Eriksen and NUUG board member Petter Reinholdtsen.

The case at hand is that the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (aka Økokrim) decided on their own to seize a DNS domain early last year, without following the official policy of the Norwegian DNS authority, which requires a court decision. The web site in question was a site covering Popcorn Time. And Popcorn Time is the name of a technology with both legal and illegal applications. Popcorn Time is a client combining searching a Bittorrent directory available on the Internet with downloading/distributing content via Bittorrent and playing the downloaded content on screen. It can be used illegally if it is used to distribute content against the will of the right holder, but it can also be used legally to play a lot of content, for example the millions of movies available from the Internet Archive or the collection available from Vodo. We created a video demonstrating legal use of Popcorn Time and played it in Court. It can of course be downloaded using Bittorrent.

I did not quite know what to expect from a day in court. The government held on to their version of the story and we held on to ours, and I hope the judge is able to make sense of it all. We will know in two weeks' time.
Unfortunately I do not have high hopes, as the Government has the upper hand here with more knowledge about the case, better training in handling criminal law and in general higher standing in the courts than a fairly unknown DNS registrar and member associations. It is expensive to be right also in Norway. So far the case has cost more than NOK 70 000,-. To help fund the case, NUUG and EFN have asked for donations, and managed to collect around NOK 25 000,- so far. Given the presentation from the Government, I expect the government to appeal if the case goes our way. And if the case does not go our way, I hope we have enough funding to appeal.

From the other side came two people from Økokrim. On the benches, appearing to be part of the group from the government, were two people from the Simonsen Vogt Wiik lawyer office, and three others I am not quite sure who were. Økokrim had proposed to present two witnesses from The Motion Picture Association, but this was rejected because they did not speak Norwegian and it was a bit late to bring in a translator, but perhaps the two from MPA were present anyway. All seven appeared to know each other. Good to see the case is taken seriously.

If you, like me, believe the courts should be involved before a DNS domain is hijacked by the government, or you believe the Popcorn Time technology has a lot of useful and legal applications, I suggest you too donate to the NUUG defense fund. Both Bitcoin and bank transfer are available. If NUUG gets more than we need for the legal action (very unlikely), the rest will be spent promoting free software, open standards and unix-like operating systems in Norway, so no matter what happens the money will be put to good use. If you want to learn more about the case, I recommend you check out the blog posts from NUUG covering the case. They cover the legal arguments on both sides.

7 July 2013

Paul Tagliamonte: Hy 0.9.10 released

A huge release, the combined 0.9.9 and 0.9.10 releases (I made a mistake releasing) are now tagged and pushed to pypi. It features a number of enhancements and fixes, and is just an absolute thrill to play with. Thanks to the contributors this cycle:
Bob Tolbert, Christopher Allan Webber, Duncan McGreggor, Guillermo Vaya, Joe H. Rahme, Julien Danjou, Konrad Hinsen, Morten Linderud, Nicolas Dandrimont, Ralph Moritz, rogererens, Thomas Ballinger, Tuukka Turto
Outstanding! New features are now being considered for 0.9.11. Thanks!

18 October 2012

Jonas Smedegaard: SOME DESCRIPTIVE TITLE


23 March 2009

Adeodato Simó: Five films (#4)

Wow, long time without one of these posts. I actually have material that will have to wait for the next issue already!