Rise of the machines

Last week I was in a crowd of 256 people watching and cheering Compressorhead, some were stage-diving. Truely awesome.

Posted Fri Jul 6 14:12:14 2018

My LTS work in May 2018

Organizing the MiniDebConf 2018 in Hamburg definitly took more time than planned, and then some things didnt work out as I had imagined so I could only start working on LTS at the end of May, and then there was this Alioth2Salsa migration too… But at least I managed to get started working on LTS gain \o/

I managed to spend 6.5h working on:

  • reviewing the list of open CVEs against tiff and tiff3 in wheezy
  • prepare tiff 4.0.2-6+debu21, test and upload to wheezy-security, fixing CVE-2017-11613 and CVE-2018-5784.

  • review procps 1:3.3.3-3+deb7u1 by Abhijith PA, spot an error, re-review, quick test and upload to wheeze-security, then re-upload after building with -sa :) This upload fixes CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 and CVE-2018-1126.

  • write and release DLA-1390-1 and DLA-1301 for those two uploads.

I still need to mark CVE-2017-9815 as fixed in wheezy, as the fix for CVE-2017-9403 also fixes this issue.

Posted Sat Jun 2 19:55:23 2018

So, the MiniDebConf Hamburg 2018 is about to end, it's sunny, no clouds are visible and people seem to be happy.

And, I have time to write this blog post! So, just as a teaser for now, I'll present to you the content of some slides of our "Reproducible Buster" talk today. Watch the video!

Debian is wrong

93% is a lie. We need infrastructure, processes and policies. (And testing. Currently we only have testing and a vague goal.)

With the upcoming list of bugs (skipped here) we don't want to fingerpoint at individual teams, instead I think we can only solve this if we as Debian decide we want to solve it for buster.

I think this is not happening because people believe things have been sorted out and we take care of them. But we are not, we can't do this alone.

Debian stretch

the 'reproducibly in theory but not in practice' release

Debian buster

the 'we should be reproducible but we are not' release?

Debian bullseye

the 'we are almost there but still haven't sorted out...' release???


I rather hope for:

Debian buster

the release is still far away and we haven't frozen yet! ;-)

Posted Sun May 20 18:00:36 2018

Trouble in techno hippie paradise

So I'm in some 'jungle' in Brasil, enjoying a good time with some friends which another friend jokingly labeled as cryptohippies, enjoying the silence, nature, good food, some cats & dogs and 3g internet. Life is good here.

And then we decided to watch "Stare into the lights my pretties" and while it is a very good and insightful movie, it's also disturbing to see just how much we, as human societies, have changed ourselves mindlessly (or rather, out of our own minds) in very recent history.

Even though not a smartphone user myself and while seemingly aware and critical of many changes happening in the last two decades, the movie was still eyeopening to me. Now if there only werent 100 distractions per day I would maybe be able to build up on this. Or maybe I need to watch it every week, though this wouldn't work neither, as the movie explains so well...

The movie also reminded me why I dislike being cc:ed on email so much (unless urgent and when I'm subscribed to the list being posted to). Because usually during the day I (try to) ignore list mails, but I do check my personal inboxes. And if someone cc:s me, this breaks my lines of thoughts. So it seems I still need to get better at ignoring stuff, even if something is pushed to me. Maybe especially then. (And hints for good .procmail rules for this much appreciated.)

Another interesting point: while the number of people addicted to nicotine has been going down globally lately, the number of network addicts has outnumbered those by far now. And yet the long term effects of being online almost 24/365 have not yet been researched at all. The cigarette companies claimed that most doctors smoke. The IT industry claims it's normal to be online. What's your wakeup2smartphone time? Do you check email every day?

This movie also made me wonder what Debian's role will, can and should be in this future. (And where of course I don't only mean Debian, but free software, free societies, in general.)

So, this movie brings up many questions. (And nicely explains why people rather don't like that.) So go watch this movie! You will be touched, think and check your email/smartphone afterwards.

(Least, of course it's ironic that the movie is on youtube. I learned that to download subtitles you need to tell youtube-dl to do so, and it's easiest by using --all-subs. And btw, youtube-dl-gui needs help with running with python3 and thus with getting into Debian.)

Update: it's on archive.org as well.

Posted Tue Apr 24 02:25:06 2018

My LTS work in March

So in March I resumed contributing to LTS again, after 2 years of taking a break, due to being overwhelmed with work on Reproducible Builds... Reproducible Builds is still eating a lot of my time, but as we currently are unfunded I had to pick up some other sources of funding.

And then, due to Reproducible Builds still requiring a lot of my attention (both actual work as well as work on getting funded again) and other stuff happening in my life, I was also mostly unable to find time to really dive into LTS again, so while I managed to renew my knowledge of the procedures etc, I only managed to find 1.5h work to be done :/ Which in turn made me feel quite bad, so that I also postponed writing about this until now.

So, in March I only managed to mark libcdio as no-DSA and upload samba to fix CVE-2018-1050.

On the plus side and despite the above, I'm very happy to be able to work on LTS again, because a.) I consider it interesting (to fix bugs in old packages, yes!) and b.) because I use LTS myself and c.) because the LTS crowd is actually a nice and helpful one.

And now let's see how much LTS work I'll manage in April...!

Posted Mon Apr 16 15:01:05 2018

Some problems with Code of Conducts

shiromarieke took her time and wrote an IMHO very good text about problems with Code of Conducts, which I wholeheartly recommend to read.

I'll just quote two sentences which I think are essential:

Quote 1: "This is not a rant - it is a call for action: Let's gather, let's build the structures we need to make all people feel safe and respected in our communities." - in that sense, if you have feedback, please share it with shiromarieke as suggested by her. I'm very thankful she is taking the time to discuss her critism and work on possible improvements! (I'll likely not discuss this online though I'll be happy to discuss offline.) I just wanted to share this link with the Debian communities, as I agree with many of shiromarieke's points and because I want to support effords to improve this, as I believe those efforts will benefit everyone (as diversity and a welcoming athmospehre benefits everyone).

Quote 2: "Although I don't believe CoC are a good solution to help fix problems I have and will always do my best to respect existing CoC of workplaces, events or other groups I am involved with and I am thankful for your attempt to make our places and communities safer." - me too.

Posted Tue Mar 20 13:26:27 2018

Everything about the Mini-DebConf in Hamburg in May 2018

Moin!

With great joy we are finally offically announcing the Debian MiniDebConf which will take place in Hamburg (Germany) from May 16 to 20, with three days of Debcamp style hacking, followed by two days of talks, workshops and more hacking. And then, Monday the 21st is also a holiday in Germany, so you might choose to extend your stay by a day! (Though there will not be an official schedule for the 21st.)

;tl;dr: We're having a MiniDebConf in Hamburg on May 16-20. It's going to be awesome. You should all come! Register now!

the longer version:

Registration

Please register now, registration is free and now open until May 1st.

In order to register, add your name and details to the registration page in the Debian wiki.

There's space for approximately 150 people due to limited space in the main auditorium.

Please register ASAP, as we need this information for planning food and hacking space size calculations.

Talks wanted (CfP)

We have assembled a content team (consisting of Margarita Manterola, Michael Banck and Lee Garrett), who soon will publish an extra post for the CfP. Though you don't need to wait for that and can already send your proposals to

    cfp@minidebconfhamburg.debian.net

We will have talks on Saturday and Sunday, the exact slots are yet to be determined by the content team.

We expect submissions and talks to be held in English, as this is the working language in Debian and at this event.

Debian Sprints

The miniDebcamp from Wednesday to Friday is a perfect opportunity to host Debian sprints. We would welcome if teams assemble and work together on their projects.

Location

The event will be hosted in the former Victoria Kaserne, now called Fux (or Frappant), which is a collective art space located in a historical monument. It is located between S-Altona and S-Holstenstraße, so there is a direct subway connection to/from the Hamburg Airport (HAM) and Altona is also a long distance train station.

There's a Gigabit-Fiber uplink connection and wireless coverage (almost) everywhere in the venue and in the outside areas. (And then, we can also fix locations without wireless coverage.)

Within the venue, there are three main areas we will use, plus the garden and corridors:

dock europe

dock europe is an international educational centre with a meeting space within the venue which offers three rooms which can be combined into one big one. During the Mini-DebCamp from Wednesday to Friday we will probably use the rooms in the split configuration, while on Saturday and Sunday it will be one big room hosting presentations and such stuff. There are also two small rooms we can use as small hacklabs for 4-6 people.

dock europe also provides accomodation for some us, see further below.

CCCHH hackerspace

Just down two corridors in the same floor and building as dock europe there is the CCC Hamburg Hackerspace which will be open for us on all five days and which can be used for "regular Debian hacking" or, if you find some nice CCCHH members to help you, you might also be able to use the lasercutter, 3d printer, regular printer and many other tools and devices. It's definitly also suitable for smaller ad-hoc workshops but beware, it will also somewhat be the noisy hacklab, as it will also be open to regular CCC folks when we are there.

fux und ganz

The Fux also has a cantina called "fux und ganz" which will serve us (and other visitors of the venue) with lunch and dinner. Please register until May 1st to ease their planning as well!

Accommodation

The Mini-DebConf will take place in the center of Hamburg, so there are many accomodation options available. Some suggestions for housing options are given in the wiki and you might want to share your findings there too.

There is also limited on-site accomodation available, dock europe provides 36 beds in double-rooms in the venue. The rooms are nice, small, clean, have a locker, wireless and are just one floor away from our main spaces. There's also a sufficient amount of showers and toilets and breakfast is available (for those 36 people) as well.

Thankfully nattie has agreed to be in charge of distributing these 36 beds, so please mail her if you want a bed. The beds will be distributed from two buckets on a first come, first serve base:

  • 24 beds for anyone, first come, first serve, costs 27e/night.
  • 12 beds for video team, frontdesk desk, talk meisters, etc, also by first come, first served and nattie decides, whether you qualify indeed. Those also costs 27e/night.

Sponsors wanted

Making a Mini DebConf happen costs money, we need to rent the venue, video gear, hopefully can pay hard working volunteers lunch and dinner and maybe also sponsor some travel. So we really appreciate companies willing to support this meeting!

We have three sponsor categories:

  • 1000€ = sponsor, listed as such in all material.

  • 2500€ = gold sponsor, listed as such in all material, logo featured in the videos.

  • 5000€ = platinum sponsor, listed as such prominently in all material, logo featured prominently in the videos

Plus, there's corporate registration as an option too, where we will charge you 250€ for the registration. Please contact us if you are interested in that!

More volunteers wanted

Some things still need more helping hands:

So far we thankfully have Nattie volunteering for frontdesk duties. In turn, she'd be very thankful if some people join her staffing frontdesk, because shared work is more joyful!

The same goes for the video team. So far, we know the gear will arrive, and probably a person knowing how to operate it, but that's it. Please consider making sure we'll have videos released! ;) (And streams hopefully too.)

Also, please consider submitting a talk or holding a workshop! cfp@minidebconfhamburg.debian.net is waiting for you!

Finally, we would also very much welcome a nice logo and t-shirts with it being printed. Can you come up with a logo? Print shirts?

Contact

If you want to help, need help, have comments or want to contact us for other reasons, there are several ways:

Looking forward to see you in Hamburg!

Holger, for the 2018 Mini DebConf Hamburg team

Posted Thu Feb 15 17:16:59 2018

On using QubesOS MirageOS firewall

So I'm lucky to attend the 4th MirageOS hack retreat in Marrakesh this week, where I learned to build and use qubes-mirage-firewall, which is a MirageOS based (system) firewall for Qubes OS. The main visible effect is that this unikernel only needs 32 megabytes of memory, while a Debian (or Fedora) based firewall systems needs half a gigabyte. It's also said to be more secure, but I have not verified that myself ;-)

In the spirit of avoiding overhead I decided not to build with docker as the qubes-mirage-firewall's README.md suggests, but rather use a base Debian stretch system. Here's how to build natively:

sudo apt install git opam aspcud curl debianutils m4 ncurses-dev perl pkg-config time

git clone https://github.com/talex5/qubes-mirage-firewall
cd qubes-mirage-firewall/
opam init
# the next line is super useful if there is bad internet connectivity but you happen to have access to a local mirror
# opam repo add local http://10.0.0.2:8080
opam switch 4.04.2
eval `opam config env`
## in there:
opam install -y vchan xen-gnt mirage-xen-ocaml mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes netchannel
mirage configure -t xen
make depend
make tar

Then follow the instructions in the README.md and switch some AppVMs to it, and then make it the default and shutdown the old firewall, if you are happy with the results, which currently I'm not sure I am because it doesn't allow updating template VMs...

Update: qubes-mirage-firewall allows this. Just the crashed qubes-updates-proxy service in sys-net prevented it, but that's another bug elsewhere.

I also learned that it builds reproducibly given the same build path and ignoring the issue of timestamps in the generated tarball, IOW, the unikernel (and the 3 other files) inside the tarball is reproducible. And I still need to compare a docker build with a build done the above way & and I really don't like having to edit the firewalls rules.ml file and then rebuilding it. More on this in another post later, hopefully.

Oh, I didn't mention it and won't say more here, but this hack retreat and it's organisation is marvellous! Many thanks to everyone here!

Posted Mon Dec 4 15:37:14 2017

Reproducible Builds Summit 3 next week in Berlin

Next week from Tuesday, the 31st of October until Thursday, November 2nd, we'll have the 3rd Reproducible Builds summit in Berlin, to improve collaboration both between and inside projects, expand the scope and reach of reproducible builds to more projects and to brainstorm designs on tools enabling users to get the most benefits from reproducible builds.

We're again expecting contributors from around twenty projects and we're still having some free seats available. If you want to join this meeting, please register by sending us a short mail briefly describing why (eg. by stating you involvement in some project). We also have some funding available to further rextend the diversity of our community, so please also contact us if you think you cannot make it for financial reasons!

Personally I'm much looking forward to this event. The reproducible builds crowd is really a lovely bunch of people and thus I expect us to have some great discussions, some cool ideas and also some concrete actionable plans as a result of it. Totally worth it!

Talk about Reproducible Builds at OSSE in Prague tomorrow

Tomorrow, Wednesday, October 25th I'll be giving a talk at OSSE in Prague about the current status of Reproducible Builds and why we are not 'there' yet. I'd be glad to have a chat with you if you are there!

Posted Tue Oct 24 12:18:52 2017

"Qubes OS from the POV of a Debian developer" and "Qubes OS user meetup at Bornhack"

I wrote the following while on my way home from Bornhack which was an awesome hacking camp on the Danish island of Bornholm, where about 200 people gathered for a week, with a nice beach in walking distance (and a not too cold Baltic Sea) and vegan and not so vegan grills, to give some hints why it was awesome. (Actually it was mostly awesome due to the people there, not the things, but anyway…)

And there were of course also talks and workshops, and one was a Qubes OS users meetup, which amazingly was attended by 20 Qubes OS users (and some Qubes OS users present were even missing), so in other words: Qubes OS had a >10% user base at this event! And I even found one heads user! ;-)

At DebConf17 I gave a talk titled "Qubes OS from the POV of a Debian developer" and while the video was immediatly available (thanks to the DebConf videoteam!) I've also now put my slides for it online.

Since then, I learned a few things:

  • I should have mentioned Standalone-VM (=non-template based VMs) in the talk, as those are also possible, and sometimes handy.
  • IPv6 works with manual fiddling… (but this is undocumented)
  • I've given Salt (for configuation management) a short try (with the help of an experienced Salt users, thanks nodens!) and I must say I'm not impressed yet. But Qubes 4.0 will bring huge changes to this area (including introducing an AdminVM), so while I will not use Salt for the time I'll still be using Qubes 3.2, I will come back and look at this later.
  • after adding a single line containing "iwldvm iwlwifi" to /rw/config/suspend-module-blacklist in the NetVM the wireless comes back nicely (on my X230) after Suspend/Resume.

I'm looking forward to more Qubes OS user meetups in future!

Posted Wed Aug 30 00:46:51 2017