Planet Debian

Subscribe to Planet Debian feed
Planet Debian -
Updated: 9 min 9 sec ago

Paul Tagliamonte: The Open Source License API

Sat, 16/07/2016 - 21:30

Around a year ago, I started hacking together a machine readable version of the OSI approved licenses list, and casually picking parts up until it was ready to launch. A few weeks ago, we officially announced the osi license api, which is now live at

I also took a whack at writing a few API bindings, in Python, Ruby, and using the models from the API implementation itself in Go. In the following few weeks, Clint wrote one in Haskell, Eriol wrote one in Rust, and Oliver wrote one in R.

The data is sourced from a repo on GitHub, the licenses repo under OpenSourceOrg. Pull Requests against that repo are wildly encouraged! Additional data ideas, cleanup or more hand collected data would be wonderful!

In the meantime, use-cases for using this API range from language package managers pulling OSI approval of a licence programatically to using a license identifier as defined in one dataset (SPDX, for exampele), and using that to find the identifer as it exists in another system (DEP5, Wikipedia, TL;DR Legal).

Patches are hugly welcome, as are bug reports or ideas! I'd also love more API wrappers for other languages!

Categories: Elsewhere

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, June 2016

Sat, 16/07/2016 - 08:31

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In June, 158.25 work hours have been dispatched among 11 paid contributors. Their reports are available:

DebConf 16 Presentation

If you want to know more about how the LTS project is organized, you can watch the presentation I gave during DebConf 16 in Cape Town.

Evolution of the situation

The number of sponsored hours increased a little bit at 135 hours per month thanks to 3 new sponsors (Laboratoire LEGI – UMR 5519 / CNRS, Quarantainenet BV, GNI MEDIA). Our funding goal is getting closer but it’s not there yet.

The security tracker currently lists 40 packages with a known CVE and the dla-needed.txt file lists 38 packages awaiting an update.

Thanks to our sponsors

New sponsors are in bold.

Categories: Elsewhere

Lars Wirzenius: Two-factor auth for local logins in Debian using U2F keys

Fri, 15/07/2016 - 13:19

Warning: This blog post includes instructions for a procedure that can lead you to lock yourself out of your computer. Even if everything goes well, you'll be hunted by dragons. Keep backups, have a rescue system on a USB stick, and wear flameproof clothing. Also, have fun, and tell your loved ones you love them.

I've recently gotten two U2F keys. U2F is a open standard for authentication using hardware tokens. It's probably mostly meant for website logins, but I wanted to have it for local logins on my laptop running Debian. (I also offer a line of stylish aluminium foil hats.)

Having two-factor authentication (2FA) for local logins improves security if you need to log in (or unlock a screen lock) in a public or potentially hostile place, such as a cafe, a train, or a meeting room at a client. If they have video cameras, they can film you typing your password, and get the password that way.

If you set up 2FA using a hardware token, your enemies will also need to lure you into a cave, where a dragon will use a precision flame to incinerate you in a way that leaves the U2F key intact, after which your enemies steal the key, log into your laptop and leak your cat GIF collection.

Looking up information for how to set this up, I found a blog post by Sean Brewer, for Ubuntu 14.04. That got me started. Here's what I understand:

  • PAM is the technology in Debian for handling authentication for logins and similar things. It has a plugin architecture.

  • Yubico (maker of Yubikeys) have written a PAM plugin for U2F. It is packaged in Debian as libpam-u2f. The package includes documentation in /usr/share/doc/libpam-u2f/README.gz.

  • By configuring PAM to use libpam-u2f, you can require both password and the hardware token for logging into your machine.

Here are the detailed steps for Debian stretch, with minute differences from those for Ubuntu 14.04. If you follow these, and lock yourself out of your system, it wasn't my fault, you can't blame me, and look, squirrels! Also not my fault if you don't wear sufficient protection against dragons.

  1. Install pamu2fcfg and libpam-u2f.
  2. As your normal user, mkdir ~/.config/Yubico. The list of allowed U2F keys will be put there.
  3. Insert your U2F key and run pamu2fcfg -u$USER > ~/.config/Yubico/u2f_keys, and press the button on your U2F key when the key is blinking.
  4. Edit /etc/pam.d/common-auth and append the line auth required cue.
  5. Reboot (or at least log out and back in again).
  6. Log in, type in your password, and when prompted and the U2F key is blinking, press its button to complete the login.

pamu2fcfg reads the hardware token and writes out its identifying data in a form that the PAM module understands; see the pam-u2f documentation for details. The data can be stored in the user's home directory (my preference) or in /etc/u2f_mappings.

Once this is set up, anything that uses PAM for local authentication (console login, GUI login, sudo, desktop screen lock) will need to use the U2F key as well. ssh logins won't.

Next, add a second key to your u2f_keys. This is important, because if you lose your first key, or it's damaged, you'll otherwise have no way to log in.

  1. Insert your second U2F key and run pamu2fcfg -n > second, and press the second key's button when prompted.
  2. Edit ~/.config/Yubico/u2f_keys and append the output of second to the line with your username.
  3. Verify that you can log in using your second key as well as the first key. Note that you should have only one of the keys plugged in at the same time when logging in: the PAM module wants the first key it finds so you can't test both keys plugged in at once.

This is not too difficult, but rather fiddly, and it'd be nice if someone wrote at least a way to manage the list of U2F keys in a nicer way.

Categories: Elsewhere

Ritesh Raj Sarraf: Fully SSL for my website

Fri, 15/07/2016 - 12:24

I finally made full switch to SSL for my website. Thanks to this simple howto on Let's Encrypt. I had to use the upstream git repo though. The Debian packaged tool,, did not have enough documentation/pointers in place. And finally, thanks to the Let's Encrypt project as a whole.

PS: http is now redirected to https. I hope nothing really breaks externally.

Categories: Keywords: Like: 
Categories: Elsewhere

Andrew Cater: Who wrote Hello world

Fri, 15/07/2016 - 00:43
Who wrote "Hello, world" ?Rereading Kernighan and Ritchie's classic book on C - - almost the first thing you find is the listing for hello world. The comments make it clear that this is a commonplace - the sort of program that every programmer writes as a first test - the new computer works, the compiler / interpreter produces useful output and so on. It' s the classic, canonical thing to do.
A long time back, I got asked whether programming was an art or a science: it's both, but most of all it's only good insofar as it's shared and built on. I used hello world as an example: you can write hello world. You decide to add different text - a greeting (Hej! / ni hao / Bonjour tout le monde! )for friends. 
You discover at / cron / anacron - now you can schedule reminders "It's midnight - do you know where your code is?" "Go to bed, you have school tomorrow"
You can discover how to code for a graphical environment: how to build a test framework around it to check that it _only_ prints hello world and doesn't corrupt other memory ... the uses are endless if it sparks creativity.
If you feel like it, you can share your version - and learn from others. Write it in different languages - there's the analogous 99 bottles of beer site showing how to count and use different languages at
Not everyone will get it: not everyone will see it but everyone needs the opportunity 
Everyone needs the chance to share and make use of the commons, needs to be able to feel part of this 
Needs to be included: needs to feel that this is part of common heritage. If you work for an employer: get them to contribute code / money / resources - even if it's as a charitable donation or to offset against taxes
If you work for a government: get them to use Free/Libre/Open Source products
If you work for a hosting company / ISP - get them to donate bandwidth for schools/coding clubs.
Give your time, effort, expertise to help: you gained from others, help others gain
If you work for an IT manufacturer - get them to think of FLOSS as the norm, not the exception


Categories: Elsewhere

Sune Vuorela: Leaky lambdas and self referencing shared pointers

Thu, 14/07/2016 - 22:27

After a bit of a debugging session, I ended up looking at some code in a large project

m_foo = std::make_shared<SomeQObject>(); /* plenty of lines and function boundaries left out */ (void)connect(m_foo.get(), &SomeQObject::someSignal, [m_foo]() { /* */ });

The connection gets removed when the pointer inside m_foo gets de-allocated by the shared_ptr.
But the connection target is a lambda that has captured a copy of the shared_ptr…

There is at least a couple of solutions.

  • Keep the connection object (QMetaObject::Connection) around and call disconnect in your destructor. That way the connection gets removed and the lamda object should get removed
  • Capture the shared pointer by (const) reference. Capture the shared pointer as a weak pointer. Or as a raw pointer. All of this is safe because whenever the shared pointer gets a refcount of zero, the connection gets taken down with the object.

I guess the lesson learnt is be careful when capturing shared pointers.

Categories: Elsewhere

Steve Kemp: Adding lua to all the things!

Thu, 14/07/2016 - 20:00

Recently Antirez made a post documenting a simple editor in 1k of pure C, the post was interesting in itself, and the editor is a cute toy because it doesn't use curses - instead using escape sequences.

The github project became very popular and much interesting discussion took place on hacker news.

My interest was piqued because I've obviously spent a few months working on my own console based program, and so I had to read the code, see what I could learn, and generally have some fun.

As expected Salvatore's code is refreshingly simple, neat in some areas, terse in others, but always a pleasure to read.

Also, as expected, a number of forks appeared adding various features. I figured I could do the same, so I did the obvious thing in adding Lua scripting support to the project. In my fork the core of the editor is mostly left alone, instead code was moved out of it into an external lua script.

The highlight of my lua code is this magic:

-- -- Keymap of bound keys -- local keymap = {} -- -- Default bindings -- keymap['^A'] = sol keymap['^D'] = function() insert( ) end keymap['^E'] = eol keymap['^H'] = delete keymap['^L'] = eval keymap['^M'] = function() insert("\n") end

I wrote a function invoked on every key-press, and use that to lookup key-bindings. By adding a bunch of primitives to export/manipulate the core of the editor from Lua I simplified the editor's core logic, and allowed interesting facilities:

  • Interactive evaluation of lua.
  • The ability to remap keys on the fly.
  • The ability to insert command output into the buffer.
  • The implementation of copy/past entirely in Lua_.

All in all I had fun, and I continue to think a Lua-scripted editor would be a neat project - I'm just not sure there's a "market" for another editor.

View my fork here, and see the sample kilo.lua config file.

Categories: Elsewhere

Norbert Preining: Osamu Dazai – No Longer Human

Thu, 14/07/2016 - 06:42

Japanese authors have a tendency to commit suicide, it seems. I have read Ryunosuke Akutagawa (芥川 龍之介, at 35), Yukio Mishima (三島 由紀夫, at 45), and also Osamu Dazai (太宰 治, at 39). Their end often reflects in their writings, and one of these examples is the book I just finished, No Longer Human.

Considered as Dazai’s master piece, and with Soseki’s Kokoro the best selling novels in Japan. The book recounts the life of Oba Yozo, from childhood to the end in a mental hospital. The early years, described in the first chapter (“Memorandum”), are filled with the feeling of differentness, alienation from the rest, and Oba starts his way of living by playing the clown, permanently making jokes. The Second Memorandom spans the time to university, where he drops out, tries to become a painter, indulges in alcohol, smoking and prostitutes, leading to a suicide attempt together with a married woman, but he survived. The first part of the Third Memorandom sees a short recovering due to his relationship with a woman. He stops drinking and works as cartoonist, but in the last part his drinking pal from university times shows up again and they return into an ever increasing vicious drinking. Eventually he is separated from his wife, and confined to a mental hospital.

Very depressing to read, but written in a way that one cannot stop reading. The disturbing thing about this book is that, although the main actor conceives many bad actions, we feel somehow attached to him and feel pity for him. It is somehow a exercise how circumstances and small predispositions can make a huge change in our lives. And it warns us that each one of us can easily come to this brink.

Categories: Elsewhere

Steinar H. Gunderson: Cubemap 1.3.0 released

Thu, 14/07/2016 - 01:15

I just released version 1.3.0 of Cubemap, my high-performance video reflector. For a change, both new features are from (indirect) user requests; someone wanted support for raw TS inputs and it was easy enough to add.

And then I heard a rumor that people had found Cubemap useless because “it was logging so much”. Namely, if you have a stream that's down, Cubemap will connect to it every 200 ms, and log two lines for every failed connection attempt. Now, why people discard software on ~50 MB/day of logs (more like 50 kB/day after compression) on a broken setup (if you have a stream that's not working, why not just remove it from the config file and reload?) instead of just asking the author is beyond me, but hey, eventually it reached my ears, and after a grand half hour of programming, there's rate-limiting of logging failed connection attempts. :-)

The new version hasn't hit Debian unstable yet, but I'm sure it will very soon.

Categories: Elsewhere

Niels Thykier: Selecting key packages via UDD

Wed, 13/07/2016 - 22:36

Thanks to Lucas Nussbaum, we now have a UDD script to filter/select key packages. Some example use cases:

Which key packages used compat 4? # Data file compat-4-packages (one *source* package per line) $ curl --silent --data-binary @compat-4-packages \ alsamixergui apg [...] sgml-base wwwconfig-common

Also useful for things like bug#830997, which was my excuse for requesting this.

Is package foo a key package (yet)? $ is-key-pkg() { RES=$(echo "$1" | curl --silent --data-binary @- \ if [ "$RES" ]; then echo yes else echo no fi } $ is-key-pkg bash yes $ is-key-pkg mscgen no $ is-key-pkg NotAPackage no


Above shell snippets might need tweaking for better error handling, etc.

Once again, thanks to Lucas for the server-side UDD script.

Filed under: Debian
Categories: Elsewhere

Dominique Dumont: A survey for developers about application configuration

Wed, 13/07/2016 - 19:47


Markus Raab, the author of Elektra project, has created a survey to get FLOSS developer’s point of view on the configuration of application.

If you are a developer, please fill this survey to help Markus’ work on improving application configuration management. Feeling this survey should take about 15 mns.

Note that the survey will close on July 18th.

The fact that this blog comes 1 month after the beginning of the survey is entirely my fault. Sorry about that…

All the best

Tagged: configuration, Perl
Categories: Elsewhere

Reproducible builds folks: Reprotest containers are (probably) working, finally

Wed, 13/07/2016 - 17:49

Author: ceridwen

After testing and looking at the code for Plumbum, I decided that it wouldn't work for my purposes. When a command is created by something like remote['ls'], it actually looks up which ls executable will be run and uses in the command object an internal representation of a path like /bin/ls. To make it work with autopkgtest's code would have required writing some kind of middle layer that would take all of the Plumbum code that makes subprocess calls, does path lookups, or uses the Python standard library to access OS functions and convert them into shell scripts. Another similar library, sh, has the same problems. I think there's a strong argument that something like Plumbum's or sh's API would be much easier to work with than adt_testbed, and I may take steps to improve it at some point, but for the moment I've focused on getting reprotest working with the existing autopkgtest/adt_testbed API.

To do this, I created a minimalistic shell AST library in using the POSIX shell grammar. I omitted a lot of functionality that wasn't immediately relevant for reprotest and simplified the AST in some places to make it easier to work. Using this, it generates a shell script and runs it with adt_testbed.Testbed.execute(). With these pieces in place, the tests succeed for both null and schroot! I haven't tested the rest of the containers, but barring further issues with autopkgtest, I expect they should work.

At this point, my goal is to push the next release out by next week, though as usual it will depend on how many snags I hit in the process. I see the following as the remaining blockers:

  • Test chroot and qemu in addition to null and schroot.

  • PyPi still doesn't install the scripts in virt/ properly.

  • While I fixed part of adt_testbed's error handling, some build failures still cause it to hang, and I have to kill the process by hand.

  • Better user documentation. I don't have time to be thorough, but I can provide a few more pointers.

Categories: Elsewhere

Norbert Preining: Jonas Jonasson – The Girl Who Saved the King of Sweden

Wed, 13/07/2016 - 02:59

Just finished my first book of Jonas Jonasson, a Swedish journalist and author. Most famous for his book The Hundred-Year-Old Man Who Climbed Out the Window and Disappeared, but author of two others. The one I read was The Girl Who Saved the King of Sweden, which strange enough became in German Die Analphabetin die rechnen konnte (The analphabet who could compute).

The story recounts the countless turns the life of Nombeko Mayeki, a black girl born in Soweto as latrine cleaner, who manages to save the Swedish king as well as most of the world from an atomic desaster by first getting driven over by a drunkard of South African nuclear bomb engineer, then meeting a clique of three Chinese sisters excelling in faking antiquities, and two Mossad agents. With the (unwilling) help of those agents she escapes to Sweden (including the atomic bomb) where she meets twins of a psychotic father who brought them up as one child so that the spare one can eradicate the Swedish monarchy. After many twists and setbacks, including several meetings with the Chinese premier Hu Jintao, she finally manages to get rid of the atomic bomb, get her “undercover” twin a real identity, and set up a proper life – ah, and not to forget, save the King of Sweden!

A fast paced, surprisingly funny and lovely story about how little things can change our lives completely.

Categories: Elsewhere

Steinar H. Gunderson: Cisco WLC SNMP password reset

Wed, 13/07/2016 - 00:00

If you have a Cisco wireless controller whose admin password you don't know, and you don't have the right serial cable, you can still reset it over SNMP if you forgot to disable the default read/write community:

snmpset -Os -v 2c -c private s foobarbaz

Thought you'd like to know. :-P

(There are other SNMP-based variants out there that rely on the CISCO-CONFIG-COPY-MIB, but older versions of the WLc software doesn't suppport it.)

Categories: Elsewhere

Olivier Grégoire: Seventh week: create a new architecture and send a lot of information

Tue, 12/07/2016 - 18:57

At the begin of this week, I thought my architecture needed to be closer to the call . The goal was to create one class per call to save the different information. With this method, I only need to call the instance who I am interested and I can easly pull the information.
So, I began to rewrite my architecture on the daemon to create an instance of my class link directly with the callID.
After implementing it, I was really disappointed. This class was hardly to call from the upper software layers. Indeed, I didn’t know what is the current call display on my client.
I change my mind and I rewrite the architecture again. I observed the information I want to pull (frame rate, bandwidth, resolution…) and they are all generating in my daemon. Therefore, it will update every time something change in the client. So, I just need to catch it and send it to the upper software layers. My new architecture is simply a singleton because I just need one instance and I need to pull it from everywhere in my program.

Beyond that, I wanted to pull some information about the video (frame rate, resolution, codec for the local and remote computer). So, I looked to understand how the frame generate work. Now I can pull:
-Local and remote video codec
-Local and remote frame rate
-Remote audio codec
-Remote resolution


Next week, I will begin with working on creating an API on the client library. After that, I will continue to retrieve other information.

Categories: Elsewhere

Norbert Preining: Michael Köhlmeier: Zwei Herren am Strand

Tue, 12/07/2016 - 04:30

This recent book of the Austrian author Michael Köhlmeier, Zwei Herren am Strand (Hanser Verlag), spins a story about an imaginative friendship between Charlie Chaplin and Winston Churchill. While there might not as be more different people than these two, in the book they are connected by a common fight – the fight against their own depression, explicitly as well as implicitly by fighting Nazi Germany.

Michael Köhlmeier’s recently released book Zwei Herren am Strand tells the fictive story of Charlie Chaplin and Winston Churchill meeting and becoming friends, helping each other fighting depression and suicide thoughts. Based on a bunch of (fictive) letters of a (fictive) private secretary of Churchill, as well as (fictive) book on Chaplin, the first person narrator dives into the interesting time of the mid-20ies to about the Second World War.

Chaplin is having a hard time after the divorce from his wife Rita, paired with the difficulties at the production of The Circus, and is contemplating suicide. He is conveying this fact to Churchill during a walk on the beach. Churchill is reminded of his own depressions he suffers from early age on. The two of them agree to make a pact fighting the “Black Dog” inside.

Later Churchill asks Chaplin about his method to overcome the phases of depression, and Chaplin explains him the “Method of the Clown”: Put a huge page of paper on the floor, lie yourself facing down onto the paper and start writing a letter to yourself while rotating clockwise and creating a spiral inward.

According to Chaplin, he took this method from Buster Keaton and Harold Lloyd (hard to verify), and it works by making oneself ridiculous, so that one part of oneself can laugh about the other part.

The story continues into the early stages of the world war, with both sides fighting Hitler, one politically, one by comedy. The story finishes somewhere in the middle when the two meet while Chaplin is in a deep depression during cutting his movie
The great dictator, and together to manage once more to overcome the “black dog”.

The book is pure fiction, and Köhlmeier dives into a debaucherous story telling, jumping back and forth between several strands of narration lines. An entertaining and very enjoyable book if you are the type of reader that enjoys story telling. For me this book is in best tradition of Michael Köhlmeier, whom I consider an excellent story teller. I loved his (unfinished trilogy of) books on Greek mythology (Telemach and Calypso), but found that after these books he got lost too much in radio programs of story telling. While in itself good, I preferred his novels. Thus, I have to admit that I have forgotten about Köhlmeier for some years, until recently I found this little book, which reminded me of him and his excellent stories.

A book that is – if you are versed in German – well worth enjoying, especially if one likes funny and a bit queer stories.

Categories: Elsewhere

Dirk Eddelbuettel: RProtoBuf 0.4.4, and new JSS paper

Tue, 12/07/2016 - 03:43

A new release 0.4.4 of RProtoBuf is now on CRAN, and corresponds to the source archive for the Journal of Statistical Software paper about RProtoBuf as JSS vol71 issue 02. The paper is also included as a pre-print in the updated package.

RProtoBuf provides R bindings for the Google Protocol Buffers ("Protobuf") data encoding library used and released by Google, and deployed as a language and operating-system agnostic protocol by numerous projects.

This release brings small cleanups as well as build-system updates for the updated R 3.3.0 infrastructure based on g++ 4.9.*.

Changes in RProtoBuf version 0.4.4 (2016-07-10)
  • New vignette based on our brand-new JSS publication (v71 i02)

  • Some documentation enhancements were made, as well as other minor cleanups to file modes and operations

  • Unit-test vignette no longer writes to /tmp per CRAN request

  • The new Windows toolchain (based on g++ 4.9.*) is supported

CRANberries also provides a diff to the previous release. The RProtoBuf page has an older package vignette, a 'quick' overview vignette, a unit test summary vignette, and the pre-print for the JSS paper. Questions, comments etc should go to the GitHub issue tracker off the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Categories: Elsewhere

Mateus Bellomo: Get presence from buddy’s

Tue, 12/07/2016 - 03:19


Now it’s also implemented the functionality that allows a user to see his contacts presence. At first week I’ve implemented only the Telepathy part of this methods and back then I didn’t comprehend that this information would come in the form of a NOTIFY SIP message. I also needed to use the SUBSCRIPTION mechanism properly so the presence server could send me the NOTIFY message.

To be able to create those messages was necessary a better understanding of resip/stack, resip/recon and resip/dum API’s.  Not that I master this libraries now, but at least I’m not totally lost anymore =)

Looking into this libraries I could see how much work was done by all of resiprocate contributors (and I imagine I don’t even saw the tip of the iceberg). There is so many features ready for use that now I think twice before start implementing something.

Since I didn’t find any reference explicitly showing the contact’s status in RFC3863 [1], I got this information by changing a contact presence (in a different machine logged in Jitsi [2]) and looking into the NOTIFY message received at resiprocate.

Follow some images about contact’s presence at Empathy:


Online status



Offline status Busy – DND status Away status In a meeting status Unknow status



Categories: Elsewhere