# Planet Debian

Planet Debian - http://planet.debian.org/
Updated: 24 min 54 sec ago

### Sylvain Le Gall: Release of OASIS 0.4.0

5 hours 5 min ago

I am happy to announce that OASIS v0.4.0 has just been released.

OASIS is a tool to help OCaml developers to integrate configure, build and install systems in their projects. It should help to create standard entry points in the source code build system, allowing external tools to analyse projects easily.

This tool is freely inspired by Cabal which is the same kind of tool for Haskell.

You can find the new release here and the changelog here. More information about OASIS in general on the OASIS website.

I have recently resumed my work on OASIS and this will be hopefully the new version that will lead to quicker iteration in the development of OASIS. The development process was slowdown by the fact, that I feared introducing new fields in _oasis or regression. This was a pain and I decided to change my development model.

Features

The most important step is the introduction of AlphaFeatures and BetaFeatures fields. They allow to introduce pieces of code that will only be activated if certain features are listed in those fields. It should help to be always ready to release.

The features also cover other aspect like flag_tests and flag_docs which has been introduced in OASIS v0.3.0. In fact the features API is now used to introduce all enhancement while keeping backward compatibility with regard to OASISFormat. Rather than defining a ~since_version:0.3 for fields we use a feature that handle the maturity level of the feature. When I feel a specific feature is ready to ship, I just change the InDev Alpha to InDev Beta and then SinceVersion 0.4. On the long term, when we won't support anymore a version of OASIS that existed before the SinceVersion, the feature will always be true and I will fully integrate it in the code.

The only constraint around features is: if you use AlphaFeatures or BetaFeatures field, you must use the latest OASISFormat...

Features section in the manual.

Example of features available:

• section_object: allow to create object (.cmo/.cmx) in _oasis
• pure_interface: an OCamlbuild feature that allows to handle .mli without a .ml file
Automate

Another topic is automation of testing releases. For OASIS v0.3.0, I ran tests on all platforms manually, late in the development of v0.3.0 and it was painful to fix. So I have decided to setup a Jenkins instance that automate testing on Linux. On the long term, I plan to also setup a Mac OS X builder and start looking at Windows as well. This should help me catch errors early and be able to fix them quickly.

However, for v0.4.0 I have decided to just release what I have and which has mainly be tested on Linux. The point here is to quickly release and iterate, rather than wait for perfection. Hopefully end user testing will allow to quickly discover new bugs.

Time boxed release

In the coming months, I will try to do time boxed releases. I will try to release version of OASIS every 15th of the month. The point here is to try to iterate faster and avoid long delay between release.

See you in 1 month for the next release.

Categories: Elsewhere

### Jonathan McCrohan: Linux Kernel Contributor

5 hours 57 min ago

Having used GNU/Linux systems for some time now, and having submitted patches to a fair number of open source projects, it is nice to finally get a patch accepted into the biggest open source project of them all, the Linux kernel. While I did submit a kernel patch to OpenWrt back in 2011, it is maintained as a rebased patchset, and was never upstreamed to Linus' tree.

That changed today though, when a small patch I (had forgotten I had) sent to the linux-media mailinglist back in October 2013, was just pulled by Linus Torvalds into his tree for the Linux 3.13-rc4 release; so I'm now proud to be able to call myself a contributor to the Linux Kernel.

Categories: Elsewhere

### Daniel Pocock: xWiki: 10 years and a WebRTC success story

7 hours 10 min ago

Six months ago, I wrote to the leaders of several open source web frameworks and asked them about their vision for WebRTC and if they would come to the WebRTC Conference in Paris this week (now finished). The most promising response was from Ludovic Dubost, founder of the xWiki project.

Ludovic successfully demonstrated their shiny new WebRTC capabilities today in front of an audience including many far more experienced telephony operators who are still only getting to terms with this technology.

What is xWiki?

Don't let the wiki name limit your perception of this project. xWiki is a lot more than just another wiki hosting framework. As a bare minimum, you can certainly use it in the same way as other wikis, doing lightweight markup that is easier than HTML. On the other hand, xWiki really shines when it comes to extensibility. The xWiki team are Java developers and so xWiki appeals most to other Java developers who may want to leverage some library code from their web portal from time to time, without even having to compile anything. Here are some examples and here is one of the most trivial ones:

{{velocity}} Your username is $xcontext.getUser(), welcome to the site. {{/velocity}} WebRTC capabilities The xWiki team chose XMPP as a chat protocol (using the Candy XMPP JavaScript chat) as the foundation for real-time communication. They have then extended this by creating a custom signalling mechanism and making it convenient for users of a chat session to upgrade the session to voice/video with a mouseclick. The whole experience works within the browser without any plugins. 10 years of xWiki It was also xWiki's 10th birthday today and this provided the perfect opportunity for a party: cjdns and enigmabox While at the xWiki office, it was interesting to see a lot of innovative work taking place, including this VoIP setup where a Grandstream phone is attached to an Enigmabox operated by Caleb from the cjdns project. Categories: Elsewhere ### Gerfried Fuchs: [dunkelbunt] 7 hours 49 min ago Tuesday was a really nice evening. A few weeks ago I found a poster about the concert of [dunkelbunt], and got my ticket only on monday. I was told by the ticket sellers that they still have plenty left. In the end when I turned up at the event at tuesday though the concert hall was fully packed with people and I was told that it actually was sold out. There wasn't much place inside the hall left, so I mostly stood in the doorway to the bar area and enjoyed the music from there. If you listen to their songs you might get an idea why the music catched me and I started to let the music move my body, literally. It's a great feeling after a tough day, and there were some other nice people around which let the same happen to them so it did feel less awkward for me. Anyway, if you want to find out if their music can do the same to you, here are some songs to listen to: • The Chocolate Butterfly: This was actually the first song that got me interested in them which was playing on a local radio station. • Cinnamon Girl: One of the reasons why [dunkelbunt] is put into the electro swing genre. :) • Schlawiener: The title is a pun, a mix between "Schlawiner" (smooth operator) and "Wiener" (Viennese). Enjoy! /music | permanent link | Comments: 0 | Flattr this Categories: Elsewhere ### Christine Spang: Donate to OpenHatch Thu, 12/12/2013 - 19:27 I just donated$500 to OpenHatch. Here's why you should donate too:

1. Diversity in open source matters. We can't keep making the software the world runs on without involving people of all sorts, from all backgrounds.
2. OpenHatch is run by community members who I've known for years and trust. They care about data-driven effectiveness and are always getting better at what they do.
3. A rising tide floats all boats. More contributors == more awesome.
4. If you donate before December 24th, your donation makes twice the difference.

Diversity and education initiatives are the reason I'm a part of the free and open source software community today. (Thanks, Debian Women.)

You don't have to donate $500 to make a difference.$5, $10,$25— from a hundred people—all adds up.

Please join me in supporting OpenHatch today.

Categories: Elsewhere

Wed, 11/12/2013 - 20:01

... Creating var directory '/usr/src/git/debian/pkg-mariadb/builddir/mysql-test/var'... Checking supported features... MariaDB Version 5.5.32-MariaDB-1 Installing system database... - SSL connections supported Collecting tests... Using server port 42388 ============================================================================== TEST RESULT TIME (ms) or COMMENT -------------------------------------------------------------------------- worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019 oqgraph.basic [ skipped ] No OQGraph oqgraph.binlog [ skipped ] No OQGraph sphinx.sphinx [ skipped ] No Sphinx archive.archive-big [ skipped ] Test needs --big-test binlog.binlog_multi_engine [ skipped ] ndbcluster disabled binlog.binlog_spurious_ddl_errors [ disabled ] BUG#11761680 2013-01-18 astha Fixed on mysql-5.6 and trunk binlog.binlog_truncate_innodb [ disabled ] BUG#11764459 2010-10-20 anitha Originally disabled due to BUG#42643. Product bug fixed, but test changes needed federated.federated_server [ skipped ] Test needs --big-test ...
Categories: Elsewhere

### Daniel Pocock: Get WebRTC going faster

Wed, 11/12/2013 - 18:25

On Saturday, Lumicall began offering free calls from browser to mobile using the free and open WebRTC technology. It should be no surprise that the service has been popular.

Is it really free and open?

The only way to prove this technology is free is to help people implement this for themself.

On Monday, I uploaded reSIProcate v1.9.0 beta7 packages to Debian. The reSIProcate SIP proxy, repro, is one of the core components of the solution behind the free Lumicall service.

Simply install the repro and resiprocate-turn-server packages using apt-get and make the following changes to the configuration (use your own IP addresses of course). I've taken this diff from my own runtime environment, only hiding my passwords, so that you can see exactly how I got it working:

--- repro.config.orig 2013-12-11 17:36:27.179228324 +0100 +++ repro-ws.sip5060.net.config 2013-12-11 17:48:24.159938649 +0100 @@ -143,6 +143,41 @@ # Transport6TlsClientVerification = None # Transport6RecordRouteUri = sip:h1.sipdomain.com;transport=WS +Transport1Interface = 195.8.117.57:80 +Transport1Type = WS +Transport1RecordRouteUri = auto + +Transport2Interface = 2001:67c:1388:1000::57:80 +Transport2Type = WS +Transport2RecordRouteUri = auto + +Transport3Interface = 195.8.117.57:5060 +Transport3Type = TCP +Transport3RecordRouteUri = auto + +Transport4Interface = 2001:67c:1388:1000::57:5060 +Transport4Type = TCP +Transport4RecordRouteUri = auto + +Transport5Interface = 195.8.117.57:443 +Transport5Type = WSS +#Transport5RecordRouteUri = auto +Transport5TlsDomain = ws.sip5060.net +Transport5TlsClientVerification = None +Transport5RecordRouteUri = sip:ws.sip5060.net;transport=WSS +Transport5TlsCertificate = /etc/ssl/ssl.crt/ws.sip5060.net-bundle.crt +Transport5TlsPrivateKey = /etc/ssl/private/ws.sip5060.net-key.pem + +Transport6Interface = 2001:67c:1388:1000::57:443 +Transport6Type = WSS +#Transport6RecordRouteUri = auto +Transport6TlsDomain = ws.sip5060.net +Transport6TlsClientVerification = None +Transport6RecordRouteUri = sip:ws.sip5060.net;transport=WSS +Transport6TlsCertificate = /etc/ssl/ssl.crt/ws.sip5060.net-bundle.crt +Transport6TlsPrivateKey = /etc/ssl/private/ws.sip5060.net-key.pem + + # Comma separated list of DNS servers, overrides default OS detected list (leave blank # for default) DNSServers = @@ -455,7 +490,7 @@ ForceRecordRouting = false # Assume path option -AssumePath = false +AssumePath = true # Disable registrar DisableRegistrar = false @@ -481,7 +516,7 @@ # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri -DisableOutbound = true +DisableOutbound = false # Set the draft version of outbound to support (default: RFC5626) # Other accepted values are the versions of the IETF drafts, before RFC5626 was issued @@ -505,7 +540,7 @@ # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri -EnableFlowTokens = false +EnableFlowTokens = true # Enable use of flow-tokens in non-outbound cases for clients detected to be behind a NAT. # This a more selective flow token hack mode for clients not supporting RFC5626. The

This is a diff against the /etc/repro/repro.config file distributed in the Debian package version 1.9.0~beta7-1.

In the example above, I've included WSS transport defintions for WebSockets over TLS. Use the standard procedure for creating webserver SSL certificates to create certificates for repro and make sure you insert the correct filenames in the TLS parameters above. I've also duplicated every transport for IPv6. If you don't want TLS/WSS or IPv6, just comment those entries out (and renumber the remaining transports).

Web-based SIP proxy setup

Once you have repro running, go to the web admin interface (port 5080, username: admin, password: admin) and finish the setup using the web UI. The following steps are essential:

• Add any routes to external services (optional - in my next blog I'll demonstrate how to route WebRTC calls to Asterisk using the Debian packages and less than 20 lines of configuration)
Set up reTurn, the TURN server

test:notasecret:reTurn:authorized

IMPORTANT: the realm in the users file (reTurn in the example and default config) must be identical to the AuthenticationRealm in the /etc/reTurnServer.config file.

Simply install your own apache server and clone the webrtc.lumicall.org demo site. Modify the file js/custom.js and include the settings for your own server.

# cd /var/www # mkdir webcall # cd webcall # wget -r -nH http://webrtc.lumicall.org # vi js/custom.js

In the custom.js, make sure you use a ws:// URL if you didn't set up SSL certificates and use a wss:// URL if you did. The IP or domain of your repro server must be in the ws:// or wss:// URL.

Now navigate to the URL ending with /webcall on your server.

For RHEL, Fedora and other RPM users

Can somebody please assist with the review of the cajun-jsonapi dependency package so I can upload this new version of reSIProcate to Fedora? I'm also planning to make v1.9.0 available in EPEL6 when it is released in January.

Questions?

Categories: Elsewhere

### Steve Kemp: It's a wonderful life

Wed, 11/12/2013 - 17:41

Today, here in the UK, the date is 11/12/13.

Today, here in Edinburgh, I we became married.

I've already promised I will make no more than two jokes, ever, about "owning a wife". I will save them for suitable occasions.

Categories: Elsewhere

### Gustavo Noronha Silva: WebKitGTK+ hackfest 5.0 (2013)!

Wed, 11/12/2013 - 10:47

For the fifth year in a row the fearless WebKitGTK+ hackers have gathered in A Coruña to bring GNOME and the web closer. Igalia has organized and hosted it as usual, welcoming a record 30 people to its office. The GNOME foundation has sponsored my trip allowing me to fly the cool 18 seats propeller airplane from Lisbon to A Coruña, which is a nice adventure, and have pulpo a feira for dinner, which I simply love! That in addition to enjoying the company of so many great hackers.

Web with wider tabs and the new prefs dialog

The goals for the hackfest have been ambitious, as usual, but we made good headway on them. Web the browser (AKA Epiphany) has seen a ton of little improvements, with Carlos splitting the shell search provider to a separate binary, which allowed us to remove some hacks from the session management code from the browser. It also makes testing changes to Web more convenient again. Jon McCan has been pounding at Web’s UI making it more sleek, with tabs that expand to make better use of available horizontal space in the tab bar, new dialogs for preferences, cookies and password handling. I have made my tiny contribution by making it not keep tabs that were created just for what turned out to be a download around. For this last day of hackfest I plan to also fix an issue with text encoding detection and help track down a hang that happens upon page load.

Martin Robinson and Dan Winship hack

Martin Robinson and myself have as usual dived into the more disgusting and wide-reaching maintainership tasks that we have lots of trouble pushing forward on our day-to-day lives. Porting our build system to CMake has been one of these long-term goals, not because we love CMake (we don’t) or because we hate autotools (we do), but because it should make people’s lives easier when adding new files to the build, and should also make our build less hacky and quicker – it is sad to see how slow our build can be when compared to something like Chromium, and we think a big part of the problem lies on how complex and dumb autotools and make can be. We have picked up a few of our old branches, brought them up-to-date and landed, which now lets us build the main WebKit2GTK+ library through cmake in trunk. This is an important first step, but there’s plenty to do.

Hackers take advantage of the icecream network for faster builds

Under the hood, Dan Winship has been pushing HTTP2 support for libsoup forward, with a dead-tree version of the spec by his side. He is refactoring libsoup internals to accomodate the new code paths. Still on the HTTP front, I have been updating soup’s MIME type sniffing support to match the newest living specification, which includes specification for several new types and a new security feature introduced by Internet Explorer and later adopted by other browsers. The huge task of preparing the ground for a one process per tab (or other kinds of process separation, this will still be topic for discussion for a while) has been pushed forward by several hackers, with Carlos Garcia and Andy Wingo leading the charge.

Jon and Guillaume battling code

Other than that I have been putting in some more work on improving the integration of the new Web Inspector with WebKitGTK+. Carlos has reviewed the patch to allow attaching the inspector to the right side of the window, but we have decided to split it in two, one providing the functionality and one the API that will allow browsers to customize how that is done. There’s a lot of work to be done here, I plan to land at least this first patch durign the hackfest. I have also fought one more battle in the never-ending User-Agent sniffing war, in which we cannot win, it looks like.

Hackers chillin’ at A Coruña

I am very happy to be here for the fifth year in a row, and I hope we will be meeting here for many more years to come! Thanks a lot to Igalia for sponsoring and hosting the hackfest, and to the GNOME foundation for making it possible for me to attend! See you in 2014!

Categories: Elsewhere

### Rogério Brito: Trivial fact: convexity of polyhedra

Wed, 11/12/2013 - 03:27

Just a trivial fact: every polyhedron that is used in linear programming is convex, that is !!mathjaxbegin-i!! QXggXGxlcSBi !!mathjaxend-i!! is convex, for a matrix !!mathjaxbegin-i!! QQ== !!mathjaxend-i!! and a (column) vector !!mathjaxbegin-i!! Yg== !!mathjaxend-i!!.

Proof: Take any !!mathjaxbegin-i!! eCcsIHgnJw== !!mathjaxend-i!! that satisfy the system of inequalities !!mathjaxbegin-i!! QXggXGxlcSBi !!mathjaxend-i!!. Then, for !!mathjaxbegin-i!! MCBcbGVxIFxsYW1iZGEgXGxlcSAx !!mathjaxend-i!!, we have that !!mathjaxbegin-i!! XGxhbWJkYSBBeCcgXGxlcSBcbGFtYmRhIGI= !!mathjaxend-i!!, that is !!mathjaxbegin-i!! QSBcbGFtYmRhIHgnIFxsZXEgXGxhbWJkYSBi !!mathjaxend-i!!. Similarly, for !!mathjaxbegin-i!! eCcn !!mathjaxend-i!!, we have that !!mathjaxbegin-i!! QSAoMS1cbGFtYmRhKSB4JyBcbGVxICgxLVxsYW1iZGEpIGI= !!mathjaxend-i!!. Summing the inequalities, we get: !!mathjaxbegin-d!! CiBBW1xsYW1iZGEgeCcgKyAoMS1cbGFtYmRhKSB4JyddIFxsZXEgW1xsYW1iZGEgKyAoMS1cbGFt YmRhKV0gYiA9IGIsCg== !!mathjaxend-d!! which means that !!mathjaxbegin-i!! XGhhdHt4fSA9IFxsYW1iZGEgeCcgKyAoMS1cbGFtYmRhKSB4Jyc= !!mathjaxend-i!! is again a solution of the original set of inequalities, thus concluding the argument.

Categories: Elsewhere

### Kees Cook: live patching the kernel

Wed, 11/12/2013 - 00:40

A nice set of recent posts have done a great job detailing the remaining ways that a root user can get at kernel memory. Part of this is driven by the ideas behind UEFI Secure Boot, but they come from the same goal: making sure that the root user cannot directly subvert the running kernel. My perspective on this is toward making sure that an attacker who has gained access and then gained root privileges can’t continue to elevate their access and install invisible kernel rootkits.

An outline for possible attack vectors is spelled out by Matthew Gerrett’s continuing “useful kernel lockdown” patch series. The set of attacks was examined by Tyler Borland in “Bypassing modules_disabled security”. His post describes each vector in detail, and he ultimately chooses MSR writing as the way to write kernel memory (and shows an example of how to re-enable module loading). One thing not mentioned is that many distros have MSR access as a module, and it’s rarely loaded. If modules_disabled is already set, an attacker won’t be able to load the MSR module to begin with. However, the other general-purpose vector, kexec, is still available. To prove out this method, Matthew wrote a proof-of-concept for changing kernel memory via kexec.

Chrome OS is several steps ahead here, since it has hibernation disabled, MSR writing disabled, kexec disabled, modules verified, root filesystem read-only and verified, kernel verified, and firmware verified. But since not all my machines are Chrome OS, I wanted to look at some additional protections against kexec on general-purpose distro kernels that have CONFIG_KEXEC enabled, especially those without UEFI Secure Boot and Matthew’s lockdown patch series.

My goal was to disable kexec without needing to rebuild my entire kernel. For future kernels, I have proposed adding /proc/sys/kernel/kexec_disabled, a partner to the existing modules_disabled, that will one-way toggle kexec off. For existing kernels, things got more ugly.

What options do I have for patching a running kernel?

First I looked back at what I’d done in the past with fixing vulnerabilities with systemtap. This ends up being a rather heavy-duty way to go about things, since you need all the distro kernel debug symbols, etc. It does work, but has a significant problem: since it uses kprobes, a root user can just turn off the probes, reverting the changes. So that’s not going to work.

Next I looked at ksplice. The original upstream has gone away, but there is still some work being done by Jiri Slaby. However, even with his updates which fixed various build problems, there were still more, even when building a 3.2 kernel (Ubuntu 12.04 LTS). So that’s out too, which is too bad, since ksplice does exactly what I want: modifies the running kernel’s functions via a module.

So, finally, I decided to just do it by hand, and wrote a friendly kernel rootkit. Instead of dealing with flipping page table permissions on the normally-unwritable kernel code memory, I borrowed from PaX’s KERNEXEC feature, and just turn off write protect checking on the CPU briefly to make the changes. The return values for functions on x86_64 are stored in RAX, so I just need to stuff the kexec_load syscall with “mov -1, %rax; ret” (-1 is EPERM):

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include <linux/init.h> #include <linux/module.h> #include <linux/slab.h> static unsigned long long_target; static char *target; module_param_named(syscall, long_target, ulong, 0644); MODULE_PARM_DESC(syscall, "Address of syscall"); /* mov $-1, %rax; ret */ unsigned const char bytes[] = { 0x48, 0xc7, 0xc0, 0xff, 0xff, 0xff, 0xff, 0xc3 }; unsigned char *orig; /* Borrowed from PaX KERNEXEC */ static inline void disable_wp(void) { unsigned long cr0; preempt_disable(); barrier(); cr0 = read_cr0(); cr0 &= ~X86_CR0_WP; write_cr0(cr0); } static inline void enable_wp(void) { unsigned long cr0; cr0 = read_cr0(); cr0 |= X86_CR0_WP; write_cr0(cr0); barrier(); preempt_enable_no_resched(); } static int __init syscall_eperm_init(void) { int i; target = (char *)long_target; if (target == NULL) return -EINVAL; /* save original */ orig = kmalloc(sizeof(bytes), GFP_KERNEL); if (!orig) return -ENOMEM; for (i = 0; i < sizeof(bytes); i++) { orig[i] = target[i]; } pr_info("writing %lu bytes at %p\n", sizeof(bytes), target); disable_wp(); for (i = 0; i < sizeof(bytes); i++) { target[i] = bytes[i]; } enable_wp(); return 0; } module_init(syscall_eperm_init); static void __exit syscall_eperm_exit(void) { int i; pr_info("restoring %lu bytes at %p\n", sizeof(bytes), target); disable_wp(); for (i = 0; i < sizeof(bytes); i++) { target[i] = orig[i]; } enable_wp(); kfree(orig); } module_exit(syscall_eperm_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Kees Cook <kees@outflux.net>"); MODULE_DESCRIPTION("makes target syscall always return EPERM"); If I didn’t want to leave an obvious indication that the kernel had been manipulated, the module could be changed to: • not announce what it’s doing • remove the exit route to not restore the changes on module unload • error out at the end of the init function instead of staying resident And with this in place, it’s just a matter of loading it with the address of sys_kexec_load (found via /proc/kallsyms) before I disable module loading via modprobe. Here’s my upstart script: # modules-disable - disable modules after rc scripts are done # description "disable loading modules" start on stopped module-init-tools and stopped rc task script cd /root/modules/syscall_eperm make clean make insmod ./syscall_eperm.ko \ syscall=0x$(egrep ' T sys_kexec_load\$' /proc/kallsyms | cut -d" " -f1) modprobe disable end script

And now I’m safe from kexec before I have a kernel that contains /proc/sys/kernel/kexec_disabled.

Categories: Elsewhere

### Dmitrijs Ledkovs: Hi! My name is... (what?) My name is... (who?) My name is... Slim Shady

Tue, 10/12/2013 - 17:55
On the 21st of November I have become a British citizen, and on the 9th of December I have changed my name by signing a statutory declaration with the following clauses:I absolutely and entirely renounce, relinquish and abandon the use of my former name of Dmitrijs Ļedkovs and assume, adopt and determine to take and use from the date hereof the new name of Dimitri John Ledkov in substitution for my former name of Dmitrijs Ļedkovs.I shall at all times hereafter, in all records, deeds, documents and other writings and in all actions and proceedings, as well as in all dealings and transactions and on all occasions whatsoever, use and subscribe my new name of Dimitri John Ledkov in substitution for my former name of Dmitrijs Ļedkovs so relinquished to the intent that I may hereafter be called, known and identified by the new name of Dimitri John Ledkov and not by my former name of Dmitrijs Ļedkovs.I authorise and require all persons, at all times, to identify, describe and address me by my new name of Dimitri John Ledkov. I make this solemn declaration conscientiously, believing the same to be true and by virtue of the provisions of the Statutory Declarations Act 1835.Now I need to get new passport, IDs and change my name pretty much everywhere. I have started the ball rolling and hopefully I'll be known by my new name everywhere soon enough.

Regards,

Dimitri.
Categories: Elsewhere

### Bartosz Fe&#324;ski: another two days of paid work on Debian

Tue, 10/12/2013 - 15:48

Last year I told you that I spent two full-time days working on Debian as a part of initiative sponsored by my current employer.

This year I’ve devoted these two days again for Debian.

Quick summary of what I was able to do during these two days.

11 bugs, 4 lintian errors and 43 warnings were fixed. In addition 3 packages now use new source format (usually that means repackaging software from scratch). 4 uses new copyright format and the newest Standards-Version. 5 packages were updated to the newest upstream version.

Changelog entries:

potrace (1.11-1) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* New upstream version.
* Completely repackaged from scratch (funny experience as usual):
- uses debhelper compatibility level 9 w/hardening options
- fixes 11 lintian warnings and 2 errors
* Fixes typo in manpage. (Closes: #694492)

-- Bartosz Fenski Mon, 9 Dec 2013 11:23:32 +0100

makeself (2.2.0-1) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* New upstream release. (Closes: #690105)
- handles df output in more portable way (Closes: #641804)
* Repackaged from scratch.
- uses new packaging format 3.0 (Closes: #670738)
- uses debhelper compatibility level 9
- fixes 2 lintian errors and 6 warnings

-- Bartosz Fenski Mon, 09 Dec 2013 17:32:45 +0100

dibbler (1.0.0~rc1-1) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* New upstream release candidate 1 version (Closes: #686539)
- doesn't drop dhcp session during pppd restarts (Closes: #641237)
- doesn't hang indefinitely on 'stop' (Closes: #675272)
* Calls dh --with autotools_dev to prevent build failures (Closes: 727356)
* Includes Japanese debconf translation (Closes: #718921)
* Updated Standards-Version (no changes needed)
* Uses debhelper compatibility level 9 w/hardening options
* init scripts now source init functions
* Fixes 20 lintian warnings.

-- Bartosz Fenski Tue, 10 Dec 2013 10:05:56 +0100

calcurse (3.1.4-1) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* New upstream version.
* ACK previous NMU - thanks!
* Bumped Standards-Version (no changes needed)

-- Bartosz Fenski Tue, 10 Dec 2013 12:22:06 +0100

ipcalc (0.41-4) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* Fixes overzealous input checking (Closes: #332468)
* Martin F Krafft removed as co-maintainer (Closes: #719098)
+ package now uses new copyright format
* Bumped Standards-Version (no changes needed)

-- Bartosz Fenski Tue, 10 Dec 2013 13:05:15 +0100

msort (8.53-1) unstable; urgency=low

* The Akamai Technologies paid volunteer days release.
* New upstream release.
* ACK previous NMUs, thanks!
* Switched to new source format.
* Switched to new copyright format.
* Moved patches to new quilt format and described them.
* Bumped Standards-Version (no changes needed)
* Has correct tcl/tk dependencies (Closes: #545135)
* Doesn't segfault with certain input (Closes: #630485)

-- Bartosz Fenski Tue, 10 Dec 2013 16:39:44 +0100

Thank you Akamai

Categories: Elsewhere

Tue, 10/12/2013 - 12:23
A new Armadillo release 3.930 came out a few days ago, with a very nice set of changes (see below). I rolled this into RcppArmadillo 0.3.930.0. However, one of these changes revealed that R shipped only the standard SVD for complex-valued matrices, and not the more performant divide-and-conquer approach. So in R builds using the default built-in Lapack, at least one CRAN package no longer built.

After some back and forth, Conrad put some branching in the library to fall back to the standard SVD, and I added a built-time configuration test for an appropriate preprocessor directive used by the fallback code. This is now on which is now on CRAN and in Debian as RcppArmadillorelease 0.3.930.1, and Conrad will probably update the Armadillo page as well (though the fix is only needed with R's builtin Rlapack). Also of note is that R Core already added the missing Fortran routine zgesdd to R 3.1.0 (aka "R-devel") so this issue goes away with the next release. Also of note, I wrote up a short Rcpp Gallery post illustrating the performance gains available from divide-and-conquer SVD.

The complete list of changes is below.

Changes in RcppArmadillo version 0.3.930.1 (2013-12-09)

• Armadillo falls back to standard complex svd if the more performant divide-and-conquer variant is unavailable

• Added detection for Lapack library and distinguish between R's own version (withhout zgesdd) and system Lapack; a preprocessor define is set accordingly

Changes in RcppArmadillo version 0.3.930.0 (2013-12-06)

• added divide-and-conquer variant of svd_econ(), for faster SVD

• added divide-and-conquer variant of pinv(), for faster pseudo-inverse

• added element-wise variants of min() and max()

• added size() based specifications of submatrix view sizes

• added randi() for generating matrices with random integer values

• added more intuitive specification of sort direction in sort() and sort_index()

• added more intuitive specification of method in det(), .i(), inv() and solve()

• added more precise timer for the wall_clock class when using C++11

• New unit tests for complex matrices and vectors

Courtesy of CRANberries, there is also a diffstat report for the most recent release As always, more detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Categories: Elsewhere

### Russ Allbery: krb5-sync 3.0

Tue, 10/12/2013 - 08:29

krb5-sync is the software we run at Stanford to synchronize principal information from a central Heimdal realm to Active Directory, allowing users to use either a Linux-based Kerberos environment or Active Directory with the same account and password.

The original intent of this release was to add a new feature to allow a subsidiary instance of an account in the MIT or Heimdal realm to be synchronized with the instance-less account in Active Directory. This allows, for example, an rra/windows instance to be used to set and maintain the password for an rra principal in Active Directory.

In the process of implementing that, though, I ended up doing a significant overall of the code, since the plugin architecture was quite awkward and dated. The code now uses the MIT Kerberos data structures in a more natural and native way, since MIT Kerberos has now added direct support for plugins of this sort. Kerberos contexts and Kerberos error codes are used uniformly throughout the plugin, which provides consistent and more robust error handling and reporting. I also significantly enhanced the test suite, although it still needs more work to test the core functionality that has complex external dependencies. This release also drops support for all versions of MIT Kerberos prior to 1.9, which required an external patch; to run krb5-sync 3.0, you should upgrade to a recent version of MIT Kerberos. This allowed me to drop support for the legacy API.

There are a couple of major backward-incompatible changes in this release (and both unfortunately are not handled automatically by the Debian package upgrade, since it's hard to find and safely modify KDC configuration). First, the ad_ldap_base configuration option is now mandatory when synchronizing account status and its meaning has changed. Previously, dc elements for the realm were appended to a provided partial base. Now, the complete DN of the root of the Active Directory tree should be provided. This is more flexible and more useful with a wider variety of Active Directory setups.

Second, I took advantage of the backward-incompatibilities to change the module name to sync.so from krb5_sync.so, since the latter sounded weirdly redundant and verbose when installed in the Kerberos plugin directory. This will require a configuration change to the plugin configuration for the KDC or kadmin server.

Also in this release are a couple of new options: ad_queue_only, which forces all changes to be queued for later processing instead of processed in real time, and syslog, which can be used to turn off the internal syslog logging of non-errors from the module. (This is mostly useful for test suites.)

Now, password changes are queued on any Active Directory failure, not just a few oddly-distinguished ones. The previous behavior was rather specific to Stanford's needs, and queuing all password changes shouldn't pose any problems.

Finally, the krb5-sync-backend utility program for manipulating the queued changes has been completely rewritten and is much cleaner. It now uses the Net::Remctl::Backend Perl module for command and option handling, so that module (provided with remctl 3.4 or later) must be installed. It also requires IPC::Run, which is available from CPAN. It uniformly supports a -d option to specify the queue location, and skips event files during processing that no longer exist.

You can get the latest release from krb5-sync distribution page.

Categories: Elsewhere

### Russ Allbery: rra-c-util 4.12

Tue, 10/12/2013 - 02:13

This release of my collection of shared C, Perl, and Autoconf code fixes a bug in all the Autoconf macros that use the lib-helper framework for optional use of libraries. The --with flag without a path would result in yes/include and yes/lib to be added to the compiler and linker paths. It also adds Autoconf probles for Cyrus SASL libraries, contributed by Julien ÉLIE based on the INN macros.

This release also adds support for KADM5_MISSING_KRB5_CONF_PARAMS to portable/kadmin.h and the test_tmpdir function to Test::RRA::Automake. The latter works the same as it does in the C and shell TAP libraries.

Finally, the shared valgrind suppression file adds a suppression for the memory allocated by dlopen to store error messages for dlerror on Linux, which is apparently never freed.

You can get the latest release from the rra-c-util distribution page.

Categories: Elsewhere

### Pau Garcia i Quiles: Going to FOSDEM 2014

Mon, 09/12/2013 - 23:06

Once more, I’m going to FOSDEM 2014, the largest Free/Libre/Open Source Software event in Europe (5,000 attendants every year).

As usual, I will be in charge of the Desktops DevRoom, together with our friends from Gnome (Christophe Fergeau), Unity (Didier Roche), Enlightenment (Philippe Caseiro) and others.

See you in Brussels 1-2 February 2014!

BTW, have you already submitted your talk proposal for the Desktops DevRoom? The deadline (15th December) is very close! Do not wait any more!!! See the details here: FOSDEM 2014 Desktops DevRoom Call for Talks

Categories: Elsewhere

### John Goerzen: Delicious Holiday Recipes

Mon, 09/12/2013 - 17:17

I’ve come up with some new favorites this season. The boys and Laura were around for all three, and I am happy to report there were many kitchen smiles over these!

From-Scratch Hot Chocolate

There’s something about hot chocolate made from scratch, with chocolate melted into milk, instead of a powder stirred in. It takes quite a bit more time, and probably has more calories, but it is quite delicious.

The key to a delicious result where milk is concerned is to take things slow and keep stirring. You don’t want the chocolate to scorch at the bottom of the pan. Heating up the milk before the chocolate should help things mix in more easily as well.

• Begin with 3 cups milk and 1 cup heavy whipping cream. Heat slowly over moderate to low heat, stirring periodically. Once you see bubbles start to form around the edges, it is plenty hot (or even a bit more hot than it needs to be).
• Add one cup of semisweet chocolate chips, 1 teaspoon sugar, and 1/2 tsp vanilla extract.
• Stir constantly until all the chocolate is melted and well mixed. There will still be some small bits of chocolate within, but if it is all done slowly like this, the chocolate should be pretty well melted.

The basis for this recipe was here, and it called for 2 cups milk and 2 cups half-and-half. I trust my heavy whipping cream was fine! <grin> There are also some other variations on that site.

This nearly made my little cast iron kettle overflow, so next time I made a 3/4 recipe.

Hot Spiced Cider

We put up a Christmas tree yesterday, so I thought hot spiced cider would be perfect for the occasion. I went searching for recipes, and many of them called for cloves (which have to be sifted out later or put in a spice bag). I wasn’t going to have time to delay two boys from setting up a Christmas tree long enough for that, so I found this basic recipe to work well. However, I, as usual, made some modifications ;-)

• Warm 4 cups apple cider (not juice, as the recipe suggests) in a pot.
• Add 1/4 tsp nutmeg or allspice (I used allspice because I was mysteriously out of nutmeg, but will probably use nutmeg next time)
• Add 1 tbsp brown sugar
• Stir constantly until sufficiently dissolved. Pour immediately before drinking, as the contents will tend to separate.

Mmmmm…. yum….

Turkey or Chicken Noodle Soup

The annual “what to do with all that leftover turkey” quest strikes again. I like chicken noodle soup, so why not a turkey noodle soup done the same way?

Here’s what I used, roughly, in my large 6-quart cast iron cooking pot (aka “Dutch oven”):

• 9 cups chicken/turkey broth. Your own if you have it, or the canned variety works. Or make your own with boullion if you have it.
• 2 chopped yellow onions. (I added half a chopped red onion as well because I had it sitting around. Nobody complained, but 2.5 onions was a little much.)
• 4 tsp fresh basil or 1 tsp dried basil
• 4 tsp fresh oregano or 1 tsp dried oregano
• 1/2 tsp pepper
• 1/2 tsp salt
• 1 tsp beef bouillon
• 2 bay leaves
• 20 oz frozen mixed vegetables (I’d probably add more than that next year; this wasn’t quite enough)
• Plenty of wide egg noodles. The recipe I used called for 1 cup, which was laughably inadequate. I just dumped until it looked right, and then the package was almost empty so I dumped the rest in too.
• 4 cups cooked turkey or chicken, cubed (a kitchen scissors makes quick work of that)
• Two 14.5-oz cans diced tomatoes (do not drain)

Start with the broth, onion, basil, oregano, pepper, and bay leaf. Heat up the mixture and add the vegetables. Bring it to boiling, then add the uncooked noodles. Return to boiling, then reduce heat, cover, and simmer for 8 minutes. Add the turkey or chicken and diced tomatoes, and simmer until hot enough to serve.

The nice thing about soups is that they freeze well and make great winter leftovers. This recipe makes quite a lot of soup; you may wish to halve it.

This recipe was adapted from one in a Better Homes & Gardens cookbook.

Categories: Elsewhere

### MJ Ray: About Co-ops & Governance

Mon, 09/12/2013 - 14:53

There have been some dark days for UK coops recently – the crystal Methodist and all that – and I have not been able to talk about it much because of the amount of work that I want to do before the end of the year.

Happily good colleagues have been writing about it and here’s another good article from Kate Whittle that links to Ed Mayo and Ian Snaith who are the other two that I’d suggest.  http://www.cooperantics.coop/2013/12/09/co-ops-governance/

I should be back in a few days to summarise the event I attended last week.

Categories: Elsewhere

### Christoph Berg: TF101 flickering and a loose cable

Sun, 08/12/2013 - 20:36

My ASUS Transformer TF101 had suddenly started flickering in all sorts of funny colors some weeks ago. As tapping it gently on the table in the right angle made the problem go away temporarily, it was clear the problem was about a loose cable, or some other hardware connection issue.

As I needed to go on a business trip the other day, I didn't look up the warranty expiration day until later that week. Then, Murphy struck: the tablet was now 2 years + 1 day old! Calling ASUS, some friendly guy there suggested I still tried to get ASUS to accept it for warranty, because the tablet had been with them last year for 5 days, so if they added that, it would still be within the warranty period. I filled out the RMA form, but one hour later the reply was they rejected it because it was out of warranty. Another guy on the phone then said they would probably only do the adding if it had been with them for maybe 10 days, or actually really 30 days, or whatever.

Some googling suggested that the loose cable theory was indeed worth a try, so I took it apart. Thanks to a forum post I could then locate the display connector and fix it.

Putting the case back together was actually harder than disassembling it because some plastic bits got stuck, but now everything is back to normal.

Categories: Elsewhere