
... is pretty bad. So far, only four applications (i.e. much less than 1% of all packages) have been renamed to ice* (i.e. frozen!):
Iceweasel, Icedove, Iceape and Icedax. Or did I miss something?
P.S. All your freeze are belong to us.
P.P.S. Stupid SUV drivers delaying our freeze. Your CO2 production causes the climate to change, which makes freezing much harder!
Congrats to Felipe C. for the Bug-not-found bug (aka: the bug with the magic number 404 404) :-)
And thanks for the Spanish translation.
Here's my contribution to the next DWN:
Some developers continue to whine in inappropriate places [1] about others being paid by Dunc-Tank for their work on Debian.
[1] http://www.debian.org/News/weekly/2006/42/
Would you please cut down your childish behaviour a bit more? Can someone else maybe step up and do DWN instead? I'm sooo getting tired of this (and you).
(Granted: at least you didn't claim that everybody is demotivated because of this, or that it delayed the etch release. That's why I added the "more" in the previous paragraph; also what you wrote is likely correct - I can't judge your true motivations, if you are actually demotivated or if you just don't like AJ's hair color.)
It's a very subjective point of view, and while somewhat marked as such ("because its editor can't ignore other duties while the Debian project is indirectly paying some developers"; however there are six editors listed at the end!) I find it inappropriate to put this into DWN (which should try to be objective). To me, it's just another lame attempt of you to voice your disagreement with Dunc-Tank (again, note that you have been heard by the whole community, there is no censoring being done) in an unfair way (because I couldn't voice my opinion in the same place).
Did you at least talk about this paragraph with the other "editors"?
(Note: I'm not directly pro dunc-tank, and I find the way AJ introduced it not too appropriate; my suggestion would have been to ask him kindly to step down from having a position in the dunc-tank board. However I'm certainly not demotivated by it, but I find it both good that key people of Debian are being paid without having additional responsibilities to some company, and that there is now a way to donate to Debian that won't just eventually maybe be used for something, but where I can clearly mark it for.)
[Yes, I am aware that others are just as annoyed by my responses to Joey&co. Especially when they happen to agree with him. Nevertheless he maybe shouldn't be abusing DWN!]
Merry Christmas!
I'm catching up with some RSS feeds, including the Linux Weekly News (LWN). This is a high-quality news site for Linux, and being issued just weekly is a nice feature for all those suffering from information overload.
They had an interesting article some weeks ago on Virtual Machines and Memory Protection. If you are interested in system and application security, this is an interesting read.
SELinux has permissions called "execmem" and "execstack". Basically these allow applications to map some memory as executable, or to execute their own stack. Back in the assembler days, some techniques relied on this, but it has lately become frowned upon: most buffer overflow and other attacks used by viruses and worms relied on an executable stack or memory. Recently, Intel and AMD added support for "non-executable" bits for memory maps, i.e. hardware support to enforce these permissions; this was sold as an achievement in application security.
Though this is mostly true - tons of attacks rely on this permission - it's not that easy. Modern programming languages such as Java and C# rely on so-called Just-In-Time compilation for fast execution. (And future versions of Perl and Python will probably do that, too.) And JIT requires executable memory, because it basically compiles the VM's bytecode into (optimized) machine code, and executes it.
Now you could say: okay, let's just grant mono and java the execmem permission (which is also what SELinux does) - and this will probably be okay unless there is some grave error in the mono or java runtime. Or any other native library they use. And this is where the problems start: both Mono and Java rely to a certain extent on native libraries. For example the GTK libraries for the UI. Mono applications can also use gstreamer, gnome-vfs, zlib, libpng, libjpeg, ...
That means security issues in these libraries whose exploitation needs execmem, and which would therefore not work against native applications, can suddenly be exploitable in Mono and Java apps.
Since we can't do without execmem for Java and Mono: the executable bit for memory does add some extra layers, but doesn't give you full protection from this kind of attack, sorry. No magic "my computer is no longer hackable because I have the NX bit".
With an NX Bit capable operating system such as Windows XP SP2, harmful viruses are stopped before it can cause any damage to the system.... unless you're using .NET or Java applications.
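To see which of your own processes fall into this category, the following added example (not part of the original post) reads the text of /proc/<pid>/maps and reports each executable mapping together with the SELinux permission (execmem, execstack or execheap) it implies. The sample maps content and the function names are constructed for illustration; the classification follows the SELinux kernel checks, where any executable anonymous mapping, or a writable private file mapping made executable, needs execmem.

```python
import re

# One line of /proc/<pid>/maps: range perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)


def needed_permission(perms, path):
    """Return the SELinux process permission an executable mapping implies,
    or None when ordinary file execute permission is sufficient."""
    if perms[2] != "x":
        return None                      # not executable: NX does its job
    if path == "[stack]":
        return "execstack"
    if path == "[heap]":
        return "execheap"
    if path.startswith("["):
        return None                      # [vdso], [vsyscall]: set up by the kernel
    anonymous = path == ""               # no backing file, e.g. a JIT code cache
    private_writable = perms[3] == "p" and perms[1] == "w"
    if anonymous or private_writable:
        return "execmem"
    return None                          # normal read-only library or program text


def audit(maps_text):
    """Return (permission, size_in_bytes, perms, pathname) per flagged mapping."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perm = needed_permission(m["perms"], m["path"])
        if perm:
            size = int(m["end"], 16) - int(m["start"], 16)
            findings.append((perm, size, m["perms"], m["path"] or "<anonymous>"))
    return findings


# Constructed sample: what the maps file of a JIT-based runtime that also
# loads native GUI libraries might look like. Not taken from a real process.
SAMPLE_MAPS = """
00400000-00401000 r-xp 00000000 08:01 131 /usr/bin/java
00601000-00602000 rw-p 00001000 08:01 131 /usr/bin/java
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10270000 rwxp 00000000 00:00 0
7f3a14000000-7f3a14010000 r-xp 00000000 00:00 0
7f3a2c1f0000-7f3a2c3a0000 r-xp 00000000 08:01 2048 /usr/lib/libgtk-x11-2.0.so.0
7f3a2c5a0000-7f3a2c5a8000 rw-p 001b0000 08:01 2048 /usr/lib/libgtk-x11-2.0.so.0
7ffd4be00000-7ffd4be21000 rwxp 00000000 00:00 0 [stack]
7ffd4bffe000-7ffd4c000000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for perm, size, perms, path in audit(SAMPLE_MAPS):
        print(f"{perm:10} {size:>9} bytes  {perms}  {path}")
```

Run against the maps file of a real process, a native program normally produces no findings, while a JIT runtime shows its code cache; every native library loaded into that same process shares the relaxed policy.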
Check out the first web 2.0 Christmas card (and hopefully the last, ever!).
Sorry, I just could not resist doing that... mocking web2.0 on Christmas.
Merry Christmas to everybody!
A few days ago, I blogged on the popularity of Debian, using Alexa ranking graphs. They showed Debian ahead of the other distributions in terms of web page accesses. Ubuntu definitely was the top growing domain there, but it didn't reach Debian yet, and there was no drop to suggest that Debian was actually losing users to Ubuntu.
Here is another chart for you: (Note that it has a referrer block, if you are reading my blog via some planet I'm not aware of, I can add you to the whitelist that is allowed to refer to the image. I added this because some images from my photoblog were heavily linked from myspace and similar sites.)

This is a chart from the Debian popularity contest statistics. Submitting data here is entirely voluntary; the data is used to determine which packages to put on which CDs in the CD set.
The chart contains four lines, the top line is for bash; pretty much every system has bash, so this is very close to the number of submissions to the popularity contest database. Note that this number has doubled within one year.
Sarge was released in June 2005, and that's where the graph changes significantly. Up to then, popularity contest was a rather uncommon package, but sarge promoted its use somewhat IIRC. So let's look only at the post-sarge part of the graph. Ubuntu Dapper was released in June 2006. Any effect? No.
The other lines are gnome-session (green), kwin from KDE (blue) and openoffice.org-base (red). KDE is at about 25%, Gnome at about 50% and Openoffice goes up to 50%. This suggests that a significant amount of Debian installations are actually desktop machines (I remove popcon on all my servers, where I'm more concerned with not having too much software on it). For KDE and Gnome, these values have been quite constant. When only counting "active" users, Gnome drops to about 25% (same for OO.o), and KDE to around 10%. VIM would be at 35%, same for apache.
I don't claim these numbers are accurate; it's probably more interesting to compare Gnome vs. KDE and similar things. The total number of submissions (represented by bash in this graph) shows that Debian is quite healthy.
Oh, and of course I'd like to invite you to install popularity-contest and contribute your software choice to optimizing the CD layout for etch.
Zack asked for website meta languages for redoing his homepage.
Well, I redid my homepage last February, using XML and XSLT. A monster XSLT stylesheet, because I wanted to keep my template outside of the stylesheet.
I can not recommend XSLT. Using it for templating is quite messy. XSLT is okay if you want to transform one representation of the data to another; it's not if you want to add a lot of surrounding markup and things like a sitemap and similar navigation tools. This is next to impossible in pure XSLT, it gets better once you have some extensions (dubbed EXSLT, and supported by pretty much any xslt processor) or maybe with XSLT2. String manipulation is also a pain (at least with XSLT1); I gave up on generating a nice "last modified" date from my subversion tag. Supposedly XSLT2 has some functions that could make this easier (i.e. for parsing and printing datetime information), but the common approach with XSLT is to only supply the required minimum of function you need, and I'm not aware of an easy way to add custom functions, not to mention any large standard library that can efficiently be used (which is the true strength of Java, Python and C#, that they bring a huge collection of pre-written ready-to-use code with them). Of course there are some efforts to write XSLT libraries (especially for XSLT2), and this aforementioned EXSLT is some kind of standard library that even might be efficiently implemented in some interpreters - you can't rely on it to be there and to just work. XSLT isn't useless, but when it comes to presenting data to humans or writing clean, compact code it's not satisfactory at all.
I'd give you my Makefile and XSLT file, if they weren't that messy... too many features; I'm generating two languages, a partially expanded navigation menu, etc. - my XSLT is 10k, my sitemap currently 4.5k, the template file is 5k.
Anyway. Half a year ago, my favourite templating language was KID templating. I used it for some small projects such as my DNSoupdate tool to edit DNS zones via the DNS protocol (requires a nameserver such as bind which has support for DNS update, uses encryption). It was a perfect match for such tiny pages, but I'm no longer that convinced I still like it for larger projects.
What's good about Kid: XML templating language, Python based, easy to use in whichever way you want by writing a few lines of python (i.e. easy to write a Makefile to generate a static version of your homepage)
What's not good about Kid: only works with a Python interpreter. I'd prefer to have a templating language that can be used from multiple languages. However the Kid syntax relies on Python, which is really bad. Also I'd prefer to have some component-render model for more complex websites. The current setup is IMHO okay if you have one default layout and one content layout; but if you have multiple components that could be combined differently on the pages, it gets too messy. With my turbogears experiments, Kid was also not very performant (but that might as well be Turbogears' fault).
Right now, I'd probably still go with Kid. But I've been having a look at JSP 2.1, and JSF / Facelets in particular. There are some things about facelets that I really like (for example, that they use a proper XML syntax, instead of this bastardized almost-XML that JSP usually (ab-)uses). There is also some stuff that I don't like (e.g. the massive overengineering of everything surrounding it), and I have no idea how easy it will be to generate static pages in a scripted fashion, i.e. using it without a real webserver. Or I might just write it all in python, which is a nice language for manipulating XML, usually.
Please don't just send me an email with your favourite templating engine. Like zack, I'm only interested in XML-based templating engines, which does not apply to most templating solutions out there. Clearsilver for example is another bastardization of XML. I'm aware of TAL/METAL, and find them quite interesting, but they were also not having this kind of componentization that I'm usually thinking in.
[Update: some people have pointed me to Genshi, which is mostly Kid compatible. However, it still has mostly the same problems, e.g. the templates being not reusable in other languages than python, and that certain constructs are a pain to do (e.g. the page_specific_css recipe with more than one css file). Others have pointed me to smarty, but it's string-based and doesn't ensure valid XML output. (Which is very useful for e.g. generating atom or rss output) For example this is probably valid in smarty: {if 0}<b>{/if}</b> - allowing errors is bad. Oh, and smarty is PHP, which is broken by design, a no-go. The best match to my ideas so far is XML::Template (for Perl, Python, Ruby, PHP) which is pretty close to what I've been doing manually when not using a templating solution. I don't know yet how well it handles recursion - I need recursive templates for the navigation menu on my homepage.]
Sergey raised the issue of restricting use of software to non-military use, and Alan pointed out how much they've given back to the FLOSS community.
However, I'd like to point out that any such restriction violates rules for opensource used by both the FSF and Debian.
Debian is pretty clear about it in the social contract:
No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
And in the GNU Free Software Definition:
The freedom to run the program, for any purpose (freedom 0).
So any such restriction would mean your software is no longer free software.
It's not that I'm in any way pro military, but allowing usage restrictions will cause a huge mess. Next we'll have some application which may not be used by religious zealots (of any kind), paedophiles, and at some point end up with a huge licensing mess (maybe even full of discrimination). ("No, I can't sell you a web server, because your brother-in-law is in the military."?)
Actually disallowing any military use is some kind of discrimination, too. Military is not only used to kill someone, but it can serve humanitarian purposes, too. Rescue people in flooded New Orleans etc. - if you are unhappy with what your government is using your military for, vote accordingly and do politics.
It's fine if you as the author point out that you disapprove of any use of it to harm anybody, or commit crimes; but don't put up restrictions you couldn't verify anyway. (As if the military would care much for any such restriction, anyway.)
Always remember: it's only the good guys playing by the rules. There is no use in disallowing use of some software for cracking, is there?
Joey and Josselin, I'm calling you childish, not because you "stand" your principles, but because of the way you try to convince others that your principles are better.
What you are using is:
Actually, I'm by now convinced that it would have been better for Debian, if you would just have really left. Your behaviour in the last months makes you qualify as "poisonous people" (except these usually aren't big contributors). In my opinion, your infighting has harmed the project, it gives people the impression that being involved in Debian means mostly having to deal with such things. While it's not - Debian is still fun to me, although I have little time, and didn't manage to go to the last few Debian meetings here in Munich - all these fights are a nuisance to me. Even though I'm not actually affected by them (neither Dunc-Tank, because it doesn't demotivate me, nor the powerpc fights, nor some other fights on -private), the way they are discussed on the Debian lists does annoy me.
Again: if anything is cutting on my motivation, it's your behaviour (this btw. includes the powerpc issue and fighters, too, especially Sven Luther who has probably sent as many mails as all others together, just reiterating the same things again and again). So if you are planning to become a Debian contributor, learn to use the "delete" button in your email clients, and don't be afraid to just delete whole threads. Certain threads are just a waste of time and bring negative emotions.
So: Joey, Josselin: grow up, and accept that people sometimes have a different opinion, and you can achieve more by accepting that your opinions differ and just try to make the most of it anyway. Reminding them of your differences won't make them change their mind, nor will it make them like you any better.
Fortunately, most people in the project (well, everybody except me?) seem to obey above "poisoned people" recommendations, and just ignored your posts on this issue. I didn't, and one of the reasons is that I feared Joey's first post could grab some media attention, and I felt there should be at least one post saying that, well, the debian-installer and some other RC bugs are probably also a cause of the delay, and it's probably not worth rehashing the dunc-bank issue. So far, I've only seen one news article citing aba that the delay was caused by the debian installer among others, no "the delay is due to dunc-bank demotivating all developers" FUD.
Joey and Josselin are trying to bring dunc wars back. Please ignore the trolls.
They're talking more FUD than ever. And yes, I consider this behaviour childish, too.
Basically they claim that dunc tank is to blame for the etch release delay.
Sure, blame AJ for the attr breakage. And the libpng disaster. And the FransPop and others vs. Sven Luther issue. And the installer delays.
Especially the latter. The installer has never ever before delayed a Debian release, so obviously AJ and his dunc tank are to blame.
(Well, actually I think that it's this kind of infighting, done wrt Sven Luther's access to the debian-installer repository or by the anti-dunc-tank-evangelists, that really harms the project: this can really take a lot of fun out of Debian, more than dunc-tank ever could. But pointing at the installer is more fun, you know...)
So Joey, Josselin: please, grow up. Stop trying to harm the project just because you disagree with a decision some months ago.
Thank you, aba, for working e.g. on helping sorting out the libpng issues and doing a quick NMU for the attr breakage. And all the other release work you've been doing before, during and after dunc-tank funding. Your work is heavily appreciated because it's constructive.
Especially since Ubuntu was first released, some people claim that Debian's popularity is declining. I doubt so, Debian is as healthy as ever.
Here's a chart to back my claims:
(Ignore mid-april to mid-june, looks like the alexa data was somewhat biased during that time. And this is a "ranking" graph. A lower ranking means more popular, #1 is the most popular website.)
This is the alexa traffic ranking for some popular Linux distribution domains.
Debian is doing just fine, more visitors than ever before. We're just lacking the release peaks in our graph. :-)
At the main train station in Munich, at the subway level there is a big screen showing ads and miscellaneous information to capture the attention of the waiting passengers.
These screens are pretty nice, they show some comics, random facts, some headlines, weather forecast and similar things. In their "bits & more" computer tips section they today showed the URI for some linux application finder. (That is not at all specific to Germany, so I doubt they paid for being mentioned)
I was really surprised to see a Linux software page mentioned on such a high visibility place; stuff there is usually targeted at the total computer newbies. Now if this isn't a sign that Linux is becoming mainstream...
That would solve so many problems.
LaTeX is still unbeaten in terms of print quality. It's really powerful. Since I've been using it, I've started to really despise Writer and Impress. latex-beamer slides look just so much better than any PowerPoint presentation I've ever seen.
However, it's far from easy to use. The syntax is a pain, and I don't think it's a feature that you can actually program in this language. Similar things hold for BibTeX - there are so many things to do wrong there that will go a long way unnoticed.
I've recently helped a friend to fix some BibTeX files. It was a pain, there was so much wrong in there... for example URLs. People noticed that they can't just always copy URLs in there, because some characters are special to LaTeX. But instead of using the \url macro, which would also have solved the line-wrap problem, they started doing the most obscure things (and of course they did not read the FAQ we wrote for them or ask how to do it right), for example adding whitespace to enforce line wraps, replacing _ and & with whitespace etc., wrapping uppercase chars in {} - an awful mess.
The same thing with the author values. They just wrote "First author, second author" without considering that this might be interpreted according to the common "Last Name, First Name" scheme: e.g. "van Damme, Jean-Claude". (The correct syntax is "First Author and Second Author and Author, Third" - use "and" for separating even when you have more than two authors.)
XML is better here. Its rules of escaping are generic and application-independent, and thus you'll have much more tools that know how to do it right, and you only have to learn it once, not for each application. The structuring also comes in handy:
<authors>
<author firstname="Foo" lastname="Bar" />
<author firstname="Gnarf" lastname="Quux" />
</authors>
is a bit more to write, but it avoids parsing errors. And with good utilities it's not particularly hard to write.
Now don't point me to XML-FO. I know about formatting objects, the paper I submitted to the eXtreme Markup Languages conferences was done with FO. It's just that they don't come anywhere close to LaTeX in terms of print quality, the only OpenSource implementation I'm aware of didn't make much progress (but they seem to have released a rewrite in the meantime) and was lacking important features, and MathML has a horrible syntax mess (apart from Apache FOP not having MathML support).
XSLT also has an annoying syntax. Too verbose and totally unreadable once you do things that are a bit more complex than the simplest examples.
I wish we had something that gives a similar print quality to LaTeX, that uses some XML format (or something similar structured and easy to parse, like Xcerpt data terms, but that's basically equivalent to XML, just a bit more compact; Lisp S-expressions and OEM are other examples) that allows the easy creation of third party utilities and does away with all the black magic involved...
Yeah, IMHO it's really time for a rewrite of LaTeX with a modern language design. And a large, unified standard library; plain LaTeX sucks, you can barely use it without extras such as url, hyperref, latex-beamer.
[Update: yes, I'm aware of bibtexML, but it's just as bad, you still need hacks such as "the {C} language" or using "and" to separate multiple authors. I'm also aware of docbook and docbook to latex converters; that definitely is a workaround, but doesn't solve the real problems]
(Comments in my blog are intentionally disabled. So if you want to voice your general dislike of anything with XML, abuse your own blog!)
A few weeks ago, some spammer sent out a spam wave abusing one of my domains (fortunately one I haven't been using much). I quickly reacted by rejecting all mail to this domain.
However, I'm still seeing frequent mail delivery attempts. Apparently spammers have "discovered" the email address one of them invented, and are now spamming these addresses. Great... that's like... spammer masturbation? making up your own email addresses to spam to...
And worse: apparently they're now trying to bypass greylisting. Looks like we've now hit the point where greylisting will lose much of its effectiveness we all love it for. :-( that's really bad news.
Here's an excerpt from my logs (addresses removed to protect the invented):
Dec 10 14:58:54 postfix/smtpd[25738]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random@random.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mail.001sm.com>
Dec 10 15:00:25 postfix/smtpd[15969]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random2@random2.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mx1.cnm.cn>
Dec 10 15:02:35 postfix/smtpd[15139]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random3@random3.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mx2.fr.clara.net>
Dec 10 15:04:40 postfix/smtpd[10646]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random4@random4.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<mail.1-shops.com>
Dec 10 15:06:46 postfix/smtpd[20414]: NOQUEUE: reject: RCPT from unknown[89.129.198.153]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random5@random5.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<aspmx2.googlemail.com>
Dec 10 15:09:48 postfix/smtpd[20608]: NOQUEUE: reject: RCPT from efi235.internetdsl.tpnet.pl[83.14.242.235]: 550 <agricolaapocalyptic@mydomain.tld>: Recipient address rejected: Spammers invented this address, it does not exist.; from=<random6@random6.tld> to=<agricolaapocalyptic@mydomain.tld> proto=ESMTP helo=<efi235.internetdsl.tpnet.pl>
Yes, that is one host retrying for 8 minutes (usually enough to bypass a greylist), another one a few minutes later, and a third one 5 days later (not included in the log); hosts that didn't make it past the RBL are not included. All in all I count 148 email delivery attempts to this address.
And all on a random email in my domain that never existed, and is not a dictionary address like sales@domain.tld; but this probably means I won't be able to enable a catchall for this domain ever again or face loads of spam. OTOH, my spam filter can probably learn that "agricolaapocalyptic" is a sure indicator for spam and just discard all of it.
P.S. this effect makes it more plausible that spammers are grabbing the Outlook address books of Windows users to use for spam; it's plausible the spam-address was auto-collected by outlook and then in turn collected by the next spammer. Maybe we really need to create random addresses until they give up on having sane databases sometime? Or at least blacklist our domains for their email collectors...
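The retry pattern in the log excerpt can be measured rather than eyeballed. The following added example (not part of the original post) parses Postfix smtpd reject lines of the format shown above, groups them by client IP and recipient, and reports how long each client kept retrying and how many different HELO names it used. The sample log lines use documentation addresses and are constructed; the 300 second greylist delay and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

GREYLIST_DELAY = 300   # assumed greylist delay in seconds
LOG_YEAR = 2006        # syslog timestamps carry no year; assumed

# Matches Postfix "NOQUEUE: reject: RCPT from host[ip]" lines, with or
# without a syslog hostname between the timestamp and the program name.
REJECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def summarize(log_text, delay=GREYLIST_DELAY, year=LOG_YEAR):
    """Group rejects by (client IP, recipient) and describe the retry pattern."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            groups[(m["ip"], m["rcpt"])].append((when, m["sender"], m["helo"]))
    report = []
    for (ip, rcpt), hits in groups.items():
        times = [h[0] for h in hits]
        span = int((max(times) - min(times)).total_seconds())
        helos = {h[2] for h in hits}
        report.append({
            "ip": ip,
            "recipient": rcpt,
            "attempts": len(hits),
            "span_seconds": span,
            "senders": len({h[1] for h in hits}),
            "helo_names": len(helos),
            # kept retrying for longer than the greylist delay
            "outlasts_greylist": span >= delay,
            # one IP announcing itself under several names
            "rotating_helo": len(helos) > 1,
        })
    return sorted(report, key=lambda r: (-r["attempts"], r["ip"]))


# Constructed sample lines in the same format as the excerpt above.
_LINE = ("Dec 10 {t} postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from "
         "unknown[{ip}]: 550 <invented@example.org>: Recipient address "
         "rejected: no such user; from=<{s}> to=<invented@example.org> "
         "proto=ESMTP helo=<{h}>")
SAMPLE_LOG = "\n".join(
    _LINE.format(t=t, pid=pid, ip=ip, s=s, h=h)
    for t, pid, ip, s, h in [
        ("14:58:54", 25738, "192.0.2.153", "a@one.example", "mail.one.example"),
        ("15:00:25", 15969, "192.0.2.153", "b@two.example", "mx1.two.example"),
        ("15:02:35", 15139, "192.0.2.153", "c@three.example", "mx2.three.example"),
        ("15:04:40", 10646, "192.0.2.153", "d@four.example", "mail.four.example"),
        ("15:06:46", 20414, "192.0.2.153", "e@five.example", "mx.five.example"),
        ("15:09:48", 20608, "198.51.100.235", "f@six.example", "dsl.six.example"),
    ]
)

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A client that outlasts the delay and changes its HELO name on every attempt is worth a dedicated rule, since a legitimate mail server retries with one stable identity.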
An important PHP security developer retires, with some rather harsh words on the project and PHP security.
While I agree that PHP by itself isn't really insecure (actual security bugs excluded), the one thing I really blame PHP for is that it does not assist the developer at all in writing secure applications. On the contrary, give a novice PHP developer some non-trivial task involving a database and some extra files and you'll have at least two security issues.
I stopped using PHP some years ago for a few reasons, including above "security issues by default" (which IMHO are due to a badly designed language) and because PHP is heavily encouraging the user to mix design and application (which is a pain from a maintenance point of view). Of course you could do model-view-controller in PHP, but it doesn't make it easy to do so (another thing why I consider the language to be badly designed). And don't get me started on "register_globals"...
OTOH, some years ago I maintained a PHP extension, ming, which has recently found its way back into Debian. Back then, I had the impression that PHP itself is also a pain to package. Building an extension worked okay, but it seemed as if getting PHP to build and work reliably on all architectures with all extensions is a pain. (That maybe is why the php packages have many open bugs; and why it took e.g. four years to add packages for the pspell extension)
It's out - and barely missed the etch freeze, so we'll still ship the previous version. But the 1.00 version is sitting in the Debian NEW queue (I moved the manual to its own package, so this needs ftp-master intervention); a recent beta is already in unstable for you to begin playing.
Enigma is a game with a great mixture of mouse skill and puzzle elements. Some levels rely on precise mouse movements, others on speed, and others are pure puzzle levels. And of course everything in between. Sometimes you have to use items in a clever way, sometimes control several marbles at once, or switch control between two marbles as needed (some of these levels will be playable in a multiplayer mode sometime). It's the smooth mouse control (which varies from floor type, too bad we don't have force feedback...) and this unique mixture that makes it so great.
If you've ever played Oxyd on Atari ST or Mac (later versions were also available on MS DOS) - then you'll definitely want to get enigma - it's a clone of that classic, and it can load levels from your Oxyd data files, if you want to play the original levels.
Russell Coker has posted a SELinux on Debian etch in 5 Minutes guide.
Some small things to note:
Check out this patent, and read claim #9.
So much for patents being seriously checked before being granted.
I wonder if I could get a patent on filing patents that get granted without ever being read, because they're so full of legalese and templates you'll go crazy if you actually try reading it.
(via: Daniel Silverstone)
CSSzengarden has reached 200 CSS files. It's an impressive site full of CSS tricks to learn.
Go there, and just click through a few designs. There are many impressive designs there. And while most are very different in their visual experience, they all have the exact same HTML code.
So please avoid using HTML for layouting purposes. That's what CSS is for. CSS is much more powerful and does a better job for this, so use it!
From time to time, I use technorati to monitor for links to my blog. I intentionally do not allow comments or trackbacks, but often people send me replies in their own blogs.
In technorati, I noticed a link to my blog that was quite surprising. Spammers that take part of your blog posting and add their random shite to it have been around for some time. This was somewhat different.
This spammer quoted an old version of a blog posting. When I wrote that blog posting, I noticed like 10-20 minutes later that I had a fact wrong, so I changed that, even renaming the blog posting's title. This spammer still had the old title, that only lived for some 20 minutes at most.
So either this spammer was very lucky in crawling my blog exactly at that time - or they've received a ping for it. I'm usually pinging different services using the ping-o-matic.
I'm convinced at least one of these services allows you to subscribe to all blog posts that contain certain keywords (I've seen political web sites linking to posts favourable for their candidate within minutes!), and I have the impression some spammers are doing this. They're probably sending trackbacks to my site then, hoping that I'll add a link back to them automatically, or that they'll at least go up in the Google rankings.
Update: I've found out that Google blog search still has that incorrect version of my blog posting; the spammer's site heavily links back to Google blog search; the search terms were "computer science"... so apparently they are not indirectly subscribed to my pings, but they're just polling Google blogsearch every five minutes.
Ajax, when used properly, can be a great user experience.
Badly written ajax however can be a pain. Often huge javascript libraries are loaded, it makes your browser and system slow and sometimes you just end up staring at a spinning animated gif for "Loading ...".
Good Ajax makes the application snappy, responsive, fast, and avoids screen flicker. But with your traditional "get new HTML page" model, error handling is done by your browser. DNS issue? Your browser will say server not found. Connectivity issues? Browser will inform you of the timeout. Slow connection? Your browser's throbber [wikipedia] gives you an indication something is happening.
With AJAX, it's up to the authors of the Ajax application to do proper error handling. And many AJAX applications have serious issues here.
User proofing Ajax application [A list apart] is a good article on some basics on how to improve your Ajax applications.
Ajax is in need of some software engineering for QA. Right now, it's so much low level hacking there, it makes you expect 90% of Ajax applications have serious usability and reliability issues.
The AVM Fritz!Box has an annoying bug in its DHCP server. Unfortunately AVM believes it knows better how a DHCP server has to work, instead of relying on proven standard software...
If you boot a computer alternately under Linux and under Windows (as my mother does, since videos have broken sound under Windows), it can happen that under one of the two systems it suddenly no longer gets an IP via DHCP.
Windows sends a "client identifier" along with its DHCP requests. Actually completely worthless, since it consists of nothing but the MAC address, which is already in the packet anyway. Linux doesn't do that by default. And since the requests don't match in this optional part, the Fritz!Box apparently recognizes the computer at first, but then doesn't find the previous address after all and doesn't send it one...
The workaround is to explicitly specify a client identifier under Linux, via /etc/dhcp3/dhclient.conf
send dhcp-client-identifier 01:<mac-addresse>;
(enter the MAC address of the network card in use!)
If it was Windows that just stopped getting an IP from the Fritz!Box, it gets ugly though - then you also have to log in to the Fritz!Box via telnet (and first enable telnet at all) and clear the DHCP cache there. More on the Fritzbox problems page
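The mismatch described above, as an added example in Python (not from the original post and not AVM's firmware logic): it encodes DHCP option 61 the way the post describes it, hardware type 01 followed by the MAC, and applies the RFC 2131 rule that a server identifies a client by its client identifier if one is sent and by the hardware address otherwise. The MAC address and all function names are constructed for illustration.

```python
OPT_PAD = 0
OPT_CLIENT_ID = 61   # DHCP option 61: client identifier
OPT_END = 255
HTYPE_ETHERNET = 1   # the leading "01" in the dhclient.conf line


def build_options(mac, send_client_id):
    """Encode a DHCP options field, optionally with option 61."""
    out = b""
    if send_client_id:
        value = bytes([HTYPE_ETHERNET]) + mac
        out += bytes([OPT_CLIENT_ID, len(value)]) + value
    return out + bytes([OPT_END])


def parse_options(raw):
    """Parse code/length/value options; reject truncated input."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option without length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def lease_key(chaddr, raw_options):
    """RFC 2131: identify by client identifier if present, else by chaddr."""
    opts = parse_options(raw_options)
    if OPT_CLIENT_ID in opts:
        return ("client-id", opts[OPT_CLIENT_ID])
    return ("chaddr", chaddr)


# Constructed sample: one network card, booted under three configurations.
MAC = bytes.fromhex("02005e100001")
windows = lease_key(MAC, build_options(MAC, True))
linux_default = lease_key(MAC, build_options(MAC, False))
linux_fixed = lease_key(MAC, build_options(MAC, True))   # with the dhclient.conf line
```

Under the RFC rule, Windows and a default Linux boot present two different keys for the same card; with the dhclient.conf line both systems present the same one.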
Either this "Dr James Anderson, from the University of Reading's computer science department" is a crappy computer scientist (not to speak of his mathematical skills), or this is a case of really bad journalism.
Apart from having some facts wrong (infinity and -infinity aren't numbers, they're symbols outside of the numbers), he basically defines "0/0 = Nullity".
Well, some of us might prefer the name "NaN" for this. "Not a Number". In floating point calculations, 0/0 may (if you've disabled exceptions) return NaN.
So it is nothing new. And it's not particularly useful either, because all it solves is not having to raise an exception, but being able to continue your calculations (which will continue to return NaN) and handle the error at the end. With modern languages designed around exception handling, this of course is rarely ever used anymore.
Some simple calculations you might find convincing:
2 * Nullity = 2 * (0/0) = (2*0)/0 = 0/0 = Nullity
Nullity + 1 = (0/0) + (1/1) = (0*1 + 1*0)/(0*1) = 0/0 = Nullity
Nullity / Nullity = (0/0) / (0/0) = (0/0) * (0/0) = (0*0)/(0*0) = (0/0) = Nullity
So if you ever have Nullity anywhere in your equation the whole equation equals nullity. There is no way to remove Nullity from your results, since even Nullity/Nullity is Nullity.
So you could just call it "I divided by zero, so the result is invalid". That's probably not as pretty as "Nullity", but as useful.
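The calculations above and their floating point counterpart, as an added Python example (not code from the article or from Anderson's papers): the first half applies the fraction rules used above to unnormalised (numerator, denominator) pairs and checks that 0/0 absorbs every operation; the second half shows the same propagation with an IEEE 754 NaN and what "handle the error at the end" has to look like, since NaN fails every comparison. The helpers ieee_div, weighted_mean and classify and the sample readings are hypothetical.

```python
import math

# --- The fraction rules used above, on unnormalised (numerator, denominator) pairs
NULLITY = (0, 0)

def mul(x, y):
    return (x[0] * y[0], x[1] * y[1])

def add(x, y):
    return (x[0] * y[1] + y[0] * x[1], x[1] * y[1])

def div(x, y):
    return mul(x, (y[1], y[0]))          # multiply by the reciprocal

def absorbs(samples):
    """True if every operation involving 0/0 yields 0/0 again."""
    return all(op(a, b) == NULLITY
               for op in (mul, add, div)
               for s in samples
               for a, b in ((s, NULLITY), (NULLITY, s)))

# --- The same behaviour with IEEE 754 floats
def ieee_div(a, b):
    """Division with exceptions disabled; Python itself raises on b == 0."""
    if b == 0.0:
        if a == 0.0 or math.isnan(a):
            return math.nan
        return math.copysign(math.inf, a) * math.copysign(1.0, b)
    return a / b

def weighted_mean(values, weights):
    total = sum(v * w for v, w in zip(values, weights))
    return ieee_div(total, sum(weights))

def classify(height, floor=100.0):
    """Check at the end: NaN fails every comparison, so test for it first."""
    if math.isnan(height):
        return "invalid"
    return "low" if height < floor else "ok"

# Constructed readings: all weights zero gives 0/0, which survives later arithmetic.
bad = weighted_mean([120.0, 118.0], [0.0, 0.0]) * 0.3048 + 5.0
good = weighted_mean([120.0, 118.0], [1.0, 1.0])
```

A check written as "height < floor" alone would treat the NaN reading as fine, because both "bad < 100.0" and "bad >= 100.0" are false.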
A simple calculation showing why you must not be allowed to divide by zero (independently of any nullity or whatever):
1*0 = 0 = 2*0 (This equation is right, isn't it?)
1 = 2 (I divided by 0 on both sides, removing the *0 factor)
This works for any number, not only for 1 or 2. So: if you divide by zero, all your numbers are equal (if you keep standard calculus rules such as associativity, distributivity etc. used in the above equations). If that is okay for you, then you can divide by zero. I do prefer having 1 life to 0 life. And if 1 = 1000000, can you give me $1000000, I'll give you $1 back tomorrow...
But: Maybe it's just a bad piece of journalism.
He's a computer science guy. Maybe he knows about NaN. Maybe he's just trying to teach kids to use NaN when calculating, instead of teaching them to never divide by zero. There might be didactic benefits from this approach.
The 1200 year old problem (Pythagoras, cited in the article, lived 2500 years ago; I have no idea how they made up this number) IS easy to solve, if the result is called "invalid" instead of just having no valid result...
That won't make your airplane land better, if it notices its current height is Nullity... and what if his heart pacemaker obtains a result of "nullity", what is it supposed to do (as opposed to noticing it miscalculated?)
[Update: he has published papers on this, too. Unbelievable... So the above theory that it maybe is good for educational purposes is incorrect. Anyway, journalists shouldn't have reported on this without talking to some serious mathematicians...]
[Update: Zoy, that's why I wrote "if you keep standard calculus rules such as associativity, distributivity, etc." - and I find these exceptionally useful. The last example is not using his rules, but standard math, but treats zero like all other numbers, to show that a canonical extension will just not give useful results. My whole point is NOT that you can't define 0/0=Nullity, but that it's not compatible with the standard calculus we're used to and relying on.]
Yesterday I put my laptop to sleep (on AC power) while I went to the Christmas party of a company I worked for.
After returning, I couldn't read my email any more; dovecot would segfault after login. Restarting dovecot didn't help, but a reboot helped.
Sounds to me as if during sleep, some kernel cache of the dovecot application was corrupted (read only memory; cached by the kernel, which is why it survived the restart of dovecot).
Whoa, this is like Windows. Rebooting the computer actually fixed something!
The "high definition audio" in my laptop is rather minimal. Apart from the mic not yet working, it has a line out and a single volume control. That's it.
However, I'd like to have multiple applications use the sound card, for example my music player, eventually some video player or flash, and some system events.
ALSA to the rescue. It's not easy to configure, but really powerful:

Yes, that is a separate volume slider in my regular mixer for MPD, my music player. Here's how to do that:
First we'll need to create a huge /etc/asound.conf:
# the real device
pcm.realdev {
    type hw
    card 0
    device 0
}
# software mixing
pcm.dmixer {
    type dmix
    ipc_key 3129397
    ipc_key_add_uid false
    ipc_perm 0666
    slave.pcm "realdev"
    slave {
        period_time 0
        period_size 1024
        buffer_size 8192
        # we're enforcing 44100, since that's what most apps use
        rate 44100
    }
    bindings {
        0 0
        1 1
    }
}
# software volume
pcm.softvol {
    type softvol
    slave.pcm "dmixer"
    control {
        name "Software"
        card 0
    }
}
pcm.mpdvol {
    type softvol
    slave.pcm "dmixer"
    control {
        name "MPD"
        card 0
    }
}
# input
pcm.input {
    type dsnoop
    ipc_key 3129398
    ipc_key_add_uid false
    ipc_perm 0660
    slave.pcm "realdev"
}
# duplex device
pcm.duplex {
    type asym
    playback.pcm "softvol"
    capture.pcm "input"
}
# default devices
pcm.!default {
    type plug
    slave.pcm "duplex"
}
pcm.dsp0 {
    type plug
    slave.pcm "duplex"
}
I won't go into all the details (I don't know all of them either), but the basic idea is that I set up the dmixer plugin for software mixing, and attach two software volume controls to it. I'm keeping the permissions at 0666, since my MPD is running as a different user, and I didn't find a way to say I'd like to have the permission set to group "audio".
The default device is the regular microphone jack (untested, since there are driver issues with my chipset and recording) and the "Software" volume control.
If you have an ~/.asoundrc you might want to move it out of the way.
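An added configuration example, not part of the original post: alsa-lib's dmix and dsnoop plugins also accept an "ipc_gid" option, which sets the group owner of the shared IPC objects so that ipc_perm can be 0660 instead of the world-accessible 0666. It assumes an alsa-lib version that supports ipc_gid and that both the desktop user and the MPD user are members of group "audio"; only these two definitions change, the rest of the file stays as shown.

```conf
# software mixing, shared between members of group "audio" only
pcm.dmixer {
    type dmix
    ipc_key 3129397
    ipc_key_add_uid false    # one shared mixer for all users, as before
    ipc_gid audio            # group owner of the shared memory and semaphore
    ipc_perm 0660            # owner and group only (was 0666: any local user)
    slave.pcm "realdev"
    slave {
        period_time 0
        period_size 1024
        buffer_size 8192
        rate 44100
    }
    bindings {
        0 0
        1 1
    }
}
# input, same restriction
pcm.input {
    type dsnoop
    ipc_key 3129398
    ipc_key_add_uid false
    ipc_gid audio
    ipc_perm 0660
    slave.pcm "realdev"
}
```

IPC objects created under the old settings keep their old owner and mode until every application using them has exited, so restart the audio applications after changing this.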
Next I need to configure MPD to use its own volume control via /etc/mpd.conf:
audio_output {
    type "alsa"
    name "my ALSA device"
    # 'mpdvol' is the device name I used in asound.conf
    device "mpdvol"
}
You'll probably need to restart all applications currently accessing your audio devices to have them pick up the new config. The new volume control will also only appear after you've started an application using it AFAICT. Sometimes you need to restart them twice for the new volume control to be effective. When alsa-utils restores the volume controls after reboot it should work right away.
The "Software" volume control is optional, but that way I can tune down the default applications' volumes below the MPD volume if ever needed. Oh, and I think you can safely keep one or all of the software volume controls at maximum without distortion happening (this doesn't hold for all sound cards, where it's often best to keep the sliders at ~75% max to avoid distortion).
... is rather annoying these days. Apparently this known hacker group with their powerful Windows trojans is behind the latest spam wave: they use image obfuscation that makes the average Captchas look easy.
In fact it took me a couple of seconds to understand what they're spamming about this time - the image just contained a highly unreadable stock symbol.
I wonder if the big financial web sites (for non-experts) like Google Finance, Yahoo Finance or whatever you use for occasionally checking your stock quotes couldn't just add a warning if a penny stock is being spamvertised.
Preventing naive users from falling for these frauds would certainly be a good service for their visitors, wouldn't it?
And there are already websites listing spamvertised penny stocks. So dear big-financial-websites, start protecting your customers now (and reduce the amount of spam for all of us that way, since that will hopefully make penny stocks a lot less lucrative).
I have previously posted a list of (presumably; I've heard that the public prosecutor's office is investigating dozens of cases) fraudulent websites here in my blog.
The list is intended for use in the "competitive ad filter" of Google AdSense; after all, you do want to protect your visitors somehow. This list was also gratefully picked up.
There is an escalated version: just now a spam sneaked into my "suspected spam" folder (not "definite spam") that points to such a "life prognosis" via a detour through "wundervoll.net".
Apparently even fraudsters have affiliate programs by now...
So far I have signed up neither for StudiVZ nor for Facebook, luckily. I have already regretted signing up for OpenBC - so far only a few spam calls (no, I'm not currently looking for a job, and my OpenBC page says so quite clearly), so I have since removed my phone number (which actually wasn't supposed to be displayed anyway) again. Since then it's been quiet again.
Well, now it has hit StudiVZ. Until now I had only noticed them because of a rather aggressive marketing campaign aimed at the student councils or something like that. But as it looks, they have serious problems keeping the data confidential. Of course a data set like StudiVZ's is interesting for spammers, phishers and other online crooks.
I didn't give them mine. Why would I, where is the added value?
I've started playing around with DBus a little. It's somewhat cute, I was able to quickly write a script that monitors my wireless network connection going up and down, and after some searching for useful documentation, I'm now able to tell gaim to disconnect when my wireless goes down and reconnect when it comes back. All with just a few lines of Python.
While searching for some docs on the Gaim API, I stumbled upon the Skype DBus API. But it's crap. Evil stuff. (And not working, from what I can tell; I read somewhere they're using a totally outdated DBus version, and to use it you have to downgrade and break lots of other stuff).
They've totally bastardized DBus. First of all, the trace of a DBus API I've found is on a system level, not a user/session level. It should be per-session; you especially don't want others to mess with your Skype.
Instead of offering an API with sane methods to invoke, they offer a single method, called "Invoke", and a single callback called "Notify". Ouch. With these methods you're expected to do an ASCII protocol, something like this:
-> NAME UltimateProgram
<- OK
-> PROTOCOL 5
<- PROTOCOL 5
Note that the name choice is up to the connecting application; so you can cloak yourself as a different application; it will be displayed to the user when asking for confirmation, apparently.
Another example of how crappy Skype dbus is: their "dbus example in C" links to the Python example and the other way round. The C example consists of a 2.4 MB precompiled example and about 100k of source code (the example of course is a graphical client).
For comparison, this is a complete example on how to reconnect all your Gaim accounts via python-dbus:
import gobject, time, dbus, dbus.glib
# get DBus interface
sesbus = dbus.SessionBus()
gaim_obj = sesbus.get_object("net.sf.gaim.GaimService", "/net/sf/gaim/GaimObject")
gaim = dbus.Interface(gaim_obj, "net.sf.gaim.GaimInterface")
# disconnect all active accounts, wait, then connect them again
for account in gaim.GaimAccountsGetAllActive():
    gaim.GaimAccountDisconnect(account)
time.sleep(5)
for account in gaim.GaimAccountsGetAllActive():
    gaim.GaimAccountConnect(account)
Debtags made quite some progress the last months. Many thanks to Enrico Zini, who did most of the work.
We now have a new database (on alioth), a new editing frontend (using Ajax, and accessing this database) and a couple of nice utils around it.
Go Tagging is a page listing untagged packages - by popularity contest score.
Just go there, click a package you are somewhat familiar with (sorry, the really popular ones are already gone :-) but there are still some well-known ones in there such as "rails") and edit the tags. Enrico also did some kind of AI to suggest tags. This is not based on the Google Summer of Code project, but something Enrico did using the Xapian search engine index he's been using for the main search function.
A couple of good features have been proposed, but are not yet implemented. For example, a "similar packages" overview, so that when you've been tagging one package you could easily switch over to another similar package.
Or a per-maintainer view. It was suggested that it should be added to the packages.qa.debian.org per-maintainer view page; this would be great, but will require some more work to be done.
On a related note, it would be interesting to make a tag cloud (like this Debian package cloud) of one maintainer's packages only. This would then be a view of one maintainer's interests in Debian...
Anyway, thanks to everybody who has been tagging packages and helping with the backend databases and applications.