Some might have read recent news such as Novell SELinux killer rattles Red Hat, or Dan Walsh's critique of Novells AppArmor release, concerned with "unix like fragmentation in the security sector".

While I also do think that SELinux is both more mature in the core system and more powerful than AppArmor (with a big plus being that SELinux is in the vanilla kernel) - I do think that AppArmor can quickly become a true SELinux killer, by just being better documented and easier to use.

SELinux has serious deficiencies in documentation and development community. Almost all the available SELinux documentation is based around the policy as published by the NSA, which is "superseded by the reference policy project". This is the policy currently in Debian and used in the Gentoo SELinux docs - which hasn't received any updates in months now.

The newer "reference policy" is updated every few days, by exporting Tresys' internal SVN into a public CVS on sourceforge.

Dan Walsh claimed "multiple distributions shipping with SELinux including Fedora Core (2,3,4 and soon 5), Red Hat Enterprise Linux 4, Gentoo, Debian, Ubuntu, Suse and Slackware. "

Which is not entirely true. SuSE has AppArmor now, Fedora and RHEL are pretty much the same, and apparently neither Gentoo, Debian, Ubuntu or Slackware are up to date with SELinux. Or actually involved in the current development. So that basically makes 1 distribution using current SELinux and 1 distribution using AppArmor... Looks like a tie to me.

Also with the development it's pretty much down. AppArmor was developed by a small company called Immunix, and is now backed by big Novell, owner of SuSE. Current SELinux is mostly developed by a small company called Tresys, and somewhat backed and used by RedHat. Both have the feeling of "closed door" commercial development, which may be the reason why it reminds some people of the old Unix wars.

Both of course claim to do an open development, with for example the current SELinux Symposium. But if you look closely at the Agenda and the speakers, it's fairly obvious that this is pretty much a business meeting, with some university speakers talking about the security concepts used.

Just one quote from the site:

Developer Summit
An invitation only meeting for the core developers of SELinux to discuss future plans for SELinux and upcoming technologies.

The winner of this "war" between AppArmor and SELinux will be whoever manages to incorporate community development best, and get the other distributions like Debian, Ubuntu and Slackware to support their efforts. Currently neither of them has the air of actively supporting them, which is really bad. Widespread adoption is also where grSecurity has failed before.

I'm trying to put together a SELinux packaging team for Debian and Ubuntu. Current SELinux is still a major pita to get running... so we need to join our efforts in adopting policy to our needs and such.

Upstream development is of an rather "uncooperative" model: both the selinux libraries and the reference policy are updated by a single person each, by exporting an internal VCS to a public CVS on sourceforge. If you want to add patches, you always have to send them through a mailing list, and hope for them to appear in the archive sometime soon. Or not.

While this works okay for the libraries and utilities - which are fairly stable by now - I have doubts that this is appropriate for the policy. Given the amount of fixes/additions we'll need at least for the reference policy, I think more people should have write access to a shared repository. For this I've setup a subversion repository on svn.debian.org, with currently two branches: unmodified upstream and a debian branch. Note that we might also switch to an arch repository, when some big contributors prefer so.

If users of other distributions (Gentoo?) want to join, they are welcome to do so. They can have their own branch, of course, albeit I don't think it's really necessary (maybe I should have named the "debian" branch "alioth-trunk" or so...)

Basically anything is okay with me, that helps the reference policy and SELinux in picking up speed.

If you'd like to get write access, send me an email with your alioth user id. Given the "unmodified upstream" branch, it should be fairly easy to extract patches from our repository to be included upstream, too.

Todays PhD comic is very funny.

Another spam fun I like a lot is Make p*nis fast - combining the usual enlargement stuff with pyramid schemes.

On a completely unrelated note, a german bird flu joke:

Treffen sich ein Bär, ein Löwe und ein Huhn.
Sagt der Bär: "Wenn ich brülle, zittert der ganze Wald." Meint der Löwe: "Das ist garnichts, wenn ich brülle, zittert die ganze Savanne!"
Daraufhin das Huhn: "Wenn ich huste, zittert die ganze Welt."

A bear, a lion and a chicken meet.
The bear says: "When I bellow, the whole forest is afraid.". The lion tops: "When I roar, the whole savannah goes into cover."
The chicken: "When I cough, the whole world panics."

I never thought much of these flashmobs. But admittedly have never seen one in reality, so maybe they are a lot of fun. ;-) Still I'm fine that this hype has pretty much died. I havn't heard of them for years.

I've just come across these pictures of a flashmob in japan in 2003 - where people dressed up as Agent Smith from Matrix.

This one seems pretty cool, albeit many of the pictures are "group shots", and there are way to many people taking photographs on the photographs. The (staged) fights however add a nice note to it. And on overall it's much more of a "collective show", instead of just people doing random stupid things such as rushing all into one shop and going up and down the stairs.

The idea is way cool. People wearing a dark tuxedo, then suddenly pulling out dark sunglasses and an earplug and run off to hunt someone at a special place... that must be so funny to see when you've seen the movie. I wish I were there to give some first-hand impressions.

I've been writing SELinux policy these days. Again. This time for the Reference Policy.

I didn't get any feedback back yet for my policy, which is quite disappointing. Still the number of violations on my systems has gone down a lot, so I might actually be able to run strict some time soon. Which would be a major step. Unfortunately, I still have a couple of things to sort out with the utilities. And every now and then there is a new violation - monthly cronjobs for example are not that easy to observe without playing around. ;-)

The Debian/Ubuntu packaging group is growing, and that means it's bigger than the "pretty much nonexistant" it was just a short time ago.

Recent policy files I've written (which of course still contain bugs): dpkg, apt, tor, amavis, clamav.

I've built new galeon packages from CVS (get them here), that have working typeahead find again, working password prompts (so you can login to websites again) and - working flashblock. This is love!

How to install flashblock with galeon:

• Get flashblock.xpi from flashblock.mozdev.org
• unzip the .xpi file
• put the flashblock.jar file into /usr/share/galeon/chrome
• Create a file /usr/share/galeon/chrome/flashblock.manifest with the contents content flashblock jar:file:///usr/share/galeon/chrome/flashblock.jar!/content/flashblock/ (in one line)
• edit ~/.galeon/mozilla/galeon/chrome/userContent.css and write @import url(chrome://flashblock/content/flashblock.css); there.

Enjoy a world with (next to) no unwanted flash!

Wir haben seit einiger Zeit eine AVM Fritz!Box als DSL-Router. War bei unserem neuen DSL-Anschluss mit dabei, und als kleiner Bonus sind wir so kostenlos über das Internet anrufbar.

Lief auch bisher ganz gut. Nur kam jetzt auf einmal der Windows-Rechner von meiner Mutter nicht mehr ins Internet. Ich hatte zuerst Windows im Verdacht, aus dem einfachen Grund dass der selbe Rechner unter Linux ohne Probleme ins Netz kam. (Meine Mutter hat auch Linux, und nutzt es z.B. zum Filme schauen, weil Windows DVDs nur ohne Ton abspielt, und für LaTeX um ihre Bücher zu layouten)

DHCP war dabei das Problem - Windows bekam einfach keine IP zugewiesen - mit einer statischen IP ging alles wunderbar. Ein einfacher Reboot des Routers brachte auch keine Besserung.

Also das volle Programm an Windows-Fehlerkorrektur. Die zahlreichen im Internet zu findenden Hilfestellungen bei so einem Problem beinhalten mindestens drei Reboots, und dass man auf der Windows-Kommandozeile (Start, Ausführen, cmd) "netsh winsock reset catalog" eingibt (und das soll einfacher sein als bei Linux? Mal davon abgesehen dass es nichts gebracht hat...)

Also hab ich dann doch Linux auf nem Laptop als "bridge" zwischen den Windows-PC und den DSL-Router gehängt. Und siehe da: Windows schickt brav seine DHCP-Anfragen, und bekommt wirklich keine Antwort. Es ist also kein Fehler in der Windows-Firewall der die Antwort verliert (wie sonst), sondern irgendwas stimmt mit dem Router nicht.

Also mal etwas über den Router gegoogled. Da gibts einen kleinen Hack, eine Pseudo-Firmware die man hochladen muss, dann kann man per telnet sich auf dem Router einloggen. Sehr praktisch. Denn da sieht man bessere Fehlermeldungen z.B. folgende: multid[377]: DHCPD: no lease found, for DHCPDISCOVER.

Diese Fehlermeldung kam jedes mal, wenn Windows eine IP anfragte. Also habe ich schnell die Datei gefunden, wo er die DHCP-Zuweisungen ("leases") speichert. Die sah zwar sauber aus, aber ich habe trotzdem mal folgendes gemacht:

killall multid
rm /var/flash/multid.leases
multid&

Und siehe da: auch Windows kommt wieder ins Netz (der Ton bei DVDs fehlt aber immernoch).

Zum Glück kann man sich manchmal in seine AVM-Hardware "reinhacken" und selbst Hand anlegen - genaueres hier: detaillierte Anleitung bei TecChannel.de

Als kleine Seitenbemerkung: Verletzt AVM mit der Fritz!Box die GPL?

Ich bin mit AVM derzeit nicht wirklich glücklich... ihre Treiberunterstützung ist, gelinde gesagt, bescheiden. Statt aber für offene Treiber zu sorgen, drohen sie den Kernel-Entwicklern mit einer kompletten Einstellung ihrer (wie gesagt nur mäßigen) Treiberentwicklung, wenn diese es ihnen nicht erlauben, proprietäre Treiber in den Kernel einzubinden.

Proprietäre Treiber für Linux haben sich bisher aber alles andere als bewährt (sprich: sie taugen nichts, sorgen für ein instabiles System und machen nur Schwierigkeiten bei Upgrades) und sind nach einer aktuellen Studie wohl auch bisher schon eine Rechtsverletzung.

Leider leben wir in einer Welt, in der jedes kleine unsinnige Detail gleich als "Betriebsgeheimnis" bewertet wird. Selbst wenn die Konkurrenz das selbe schon lange auch macht... z.B. zusätzliche Tasten ("play" etc.) an Laptops, wo bei Compaq keine Informationen dazu zu erhalten waren, oder eben ISDN. Oder 3D-Grafik: es gibt OpenSource-Treiber für die meisten Radeon-Grafikkarten, die halt bei jeder neuen Grafikkarten-Generation wieder ein klein wenig angepasst werden müssen. Diese Treiber verfügen über 3D-Beschleunigung. Trotzdem entwickelt ATI lieber eigene (instabile, vielleicht illegale) Treiber, die umständlich zu installieren sind, statt einfach die bestehenden OpenSource-Treiber zu verbessern. Auch PCI-Express ist keine "geheime" Technologie, sondern ein Industriestandard (und wird von den OpenSource-Treibern inzwischen auch voll unterstützt, aber da musste halt wieder jemand ehrenamtlich ran, was ATI wenigstens mit entsprechender Dokumentation hätte unterstützen sollen...) - leider ist Nvidia aber auch nicht besser, deswegen können sie sich das erlauben.

I was about to write a similar script, but then used Google first.

Rodolphe Quiedeville already wrote a OpenVPN plugin for munin. It uses an odd hard-coded statusfile name, but that is easy to adopt to your needs.

Since I already use munin to plot several system parameters, adding the VPN usage in there is a really nice extension.

I have posted the link to this flash before, but it still rocks...

And I especially love this comment on it:

Seven hundred monkeys and seven hundred stolen copies of Flash have turned out a work of copyright-infringin' brilliance.

So, enable proprietary flash, turn up your speakers, prepare to rock and browse here.

Click all the arrows. Heck, I can't even say which one I like best!

I wonder who made that, and whether there will be a version two featuring even more copyright infringements.

The Wikipedia entry on this song mentions a meme... - and it looks like Here is one of the originals. And there are tons more you would not have thought of.

...and explanations.

Debian recently switched from heavyweight mozilla to XULRunner as rendering engine for Epiphany and Galeon. This is nice, because it removes the dependency on Mozilla, which you can uninstall now (well, maybe sometime soon - eclipse still depends on mozilla).

On the other hand, flashblock no longer works for me in Galeon, which drove me crazy the first time I hit Flash ads again. I hate that shit... I really need to find a way to disable them again. Maybe I'll just uninstall Flash entirely...

Oh, and typeahead find is broken in both Epiphany and Galeon, but I don't really know whether to file a bug agains them or aginst xulrunner... ;-)

Oh, and I sometimes can't login to GMail any more with Galeon, sometimes I can... seems like we have some things to do... :-(

KDE apps barely worked for me. For example konqueror crashes on every odd run (I guess it's more like: I need to start it twice). Skype, which also uses QT crashes in the current versions directly after showing it's main window, too (statically linked, so it can't be QT itself...) Sometimes it also crashes and it opens up the non-configured kMail to write an email with the backtrace. I think Gnomes bug-buddy does a better job on that, too, not popping up two overlapping windows...

I was looking for a nice tool to organize my Ogg music collection, and amaroK was recommended to me. While amaroK started fine, it would stop updating it's screen when indexing my collection.

And what I then hate most, is that I can't even type "killall amarok", because KDE applications seem to prefer chaning their name after start... Argh!

I have to admit, that amaroks screen looks pretty. The player that impressed me most (both feature-wise and visually) was quodlibet, though, which suprised me with a nice fading current-track display including cover image. It used way to much memory for my liking though, so I'm back to using mpd with a tiny gnome app to display what is playing and access the playlists.

So what I'd really need is probably a quodlibet-like frontend to mpd. ;-)

Google today launched it's Page Creator, offering you some hundred MB of storage for your webpage, and the service promptly was overloaded some time - Slashdot effect?

It's back now, I just successfully logged in. ;-)

There have been a couple of Microsoft Internet Explorer 7 reviews. They all have one thing in common - they are pretty much dismissive.

A couple of insightful postings:

• I(E7) coulda been a contender ... (Kurt Cagle)
• Stop Stop Stop Hurting The Internet (Jonathan 'Wolf' Rentzsch)
• More people underwhelmed by RSS Support in IE7 (Dare Obasanjo)

Some memorable quotes:

Is it just me, or does this look like a GUI widget test demo? 3 different styles of buttons, in various colors, in seemingly random arrangement. Tabs squished in between other semi-related buttons. - Leslie Michael Orchard

my god, they've made XP's Fisher Price look good

Apparently, IE7 still has only limited support for the current web standards such as RSS (yes, it can display the headlines, but it's totally useless as RSS aggregator), XHTML (you know, this six year old HTML standard which plays nicely with XML) or the SVG vector graphics format you can use with Firefox or an Adobe Plugin to IE6 (which was recently required to see the graphs at Google Webstats, and will likely be used in new versions of Google Maps to further improve speed and display quality - on browsers that support it only, of course).

The UI seems to be a test run for the next office generation - they've remove the menu...

Oh, and it seems rather unlikely that IE will see such a big community with tons of extensions (you name it, someone already did it) like Firefox and Thunderbird do.

Still it likely is an improvement of the current IE versions, which fail to adhere to pretty much any standard. But it won't be the big selling point for users to switch to Vista.

I believe in a better world, he said.
I don't gamble, she replied.
I wouldn't bet on it either, he replied, but it can't get any worse, can it?
We have to chose between bad and bedeviled, she replied.

I'd better go to bed. Tomorrow will be better, the author thought, and off he went into his bedding.

Beep, the alarm clock said.

Gegen Semesterende wird es immer so still: Prüfungszeit. Wenn die letzten Klausuren bevorstehen sind viele nurnoch am Lernen.

Ich hoffe das ist bald vorbei, und die Leute tauchen wieder aus der Versenkung auf... Es ist schade wenn man wochenlang nichts von ihnen hört, da macht man sich richtig Sorgen. :-(

Petition gegen die Vorratsdatenspeicherung - wem die URL (napier.ac.uk) komisch vorkommt: bundestag.de Petitionsausschuss, dann auf öffentliche Petitionen, Übersicht über öffentliche Petitionen, "Strafprozessordnung" (bis 14. März).

Diese Petition ist wichtig:

Unter dem Vorwand der Terrorismusbekämpfung wird uns eingeredet, dass eine Vorratsdatenspeicherung notwendig ist. Das ist aber Unfug: damit kann man nur diejenigen erwischen die unverschlüsselt kommunizieren. Terroristen, die Lernen wie man ein Flugzeug fliegt, lernen auch wie man mit Skype verschlüsselt telefoniert, kryptographie einsetzt und Anonymisierungsdienste wie tor verwendet.

Deswegen ist es utopisch zu glauben, dass Vorratsdatenspeicherung einen nennenswerten Sicherheitsgewinn bringt - den einzigen, denen es etwas nutzt ist die Filmindustrie beim Kampf gegen die Raubkopien.

Die Vorratsdatenspeicherung ist ein nicht akzeptabler Eingriff in unsere Menschenrechte, und zwar in unser Recht auf Selbstbestimmung. Genauer gesagt in das Allgemeine Persönlichkeitsrecht nach Artikel 1 und 2 unseres Grundgesetzes:

Jeder hat das Recht auf die freie Entfaltung seiner Persönlichkeit, soweit er nicht die Rechte anderer verletzt und nicht gegen die verfassungsmäßige Ordnung oder das Sittengesetz verstößt.

* helix wonders if erich ever gets tired of complaining

Customer: I wish to complain about this developer what I purchased not half an hour ago from this very channel.
Vendor: Oh yes, the, uh, the German Blue...What's,uh...What's wrong with it?
Customer: I'll tell you what's wrong with it, my lad. 'E's complaining, that's what's wrong with it!
Vendor: No, no, 'e's uh,...he's discussing
Customer: Look, matey, I know a slasher when I see one, and I'm looking at one right now.
Vendor: No no he's not complaining, he's, he's discussing'! Remarkable dev, the German Blue, idn'it, ay? Beautiful coat!
Customer: The coat don't enter into it. It's bitching.
Vendor: Nononono, no, no! 'E's discussing
Customer: All right then, if he's discussin', I'll debate with him! (shouting at the computer) 'Ello, Mister Perly Python! I've got a lovely fresh babel fish for you if you show...
(owner hits enter) Vendor: There, he replied!
Customer: No, he didn't, that was you spoofing an email!
Vendor: I never!!
Customer: Yes, you did!
Vendor: I never, never did anything...
[...]
Customer: 'E's not chattin'! 'E's vitriolic! This dev is no conversation! He has ceased to design! 'E's obsolete and gone to meet 'is makefile! 'E's a nagger! Bereft of constructivity, 'e breaks in pieces! If you hadn't set an autoresponder 'e'd not be replying to mails! 'Is patches are now 'istory! 'E's off the keyring! 'E's monologing. 'E's bitching, THIS IS AN EX-FLOSSDEV!!

You get the idea. ;-) Apologies to one of the greatest comedians.

No, Erinn, I'm not just complaining all the time. I actually worked quite a lot on OSS these days. But in some projects it feels much like you are the only one working there, probably a bit too much... just don't take my harsh critique too seriously, I'm actually a nice guy, just sometimes too involved with things. (But no, I'm not retiring or so. But facing exams soon.)

On an unrelated note, I today uploaded the selinux-basics package to unstable, it contains some small niceties in setting up a SELinux system on Debian. But it's still far from completed, easy or documented.

Wie man bei einer kurzen Google-Suche schnell feststellt, sind sie kein unbeschriebenes Blatt - Dialer wurden ihnen schon mehrfach von der Regulierungsbehörde stillgelegt.

Über eine Google-Werbung sogar auf meiner eigenen Seite habe ich ihre neueste Masche entdeckt (währe aber nicht drauf reingefallen): Sie locken Besucher - bevorzugt Jugendliche - mit Werbung auf ihre Webseiten, z.B. mit dem Titel "Gedichte Kostenlos" beim Google-Suchbegriff Gedichte, auf gedichte.de und auf hausaufgaben.de (die auch schon zuvor mit Dialer-Angeboten aufgefallen sind), entlocken ihnen dann mit einem Gewinnspiel die Postadresse und über das Kleingedruckte kassieren sie dann erstmal 168 Euro für ein zwei-Jahres-Abo ohne Nutzwert dahinter.

Leider hat auch die Filterfunktion der Google-Werbebanner diese Abzock-Webseiten noch nicht ganz bei mir entfernt. Beschwert habe ich mich bei Google auch schon (oberen Rand des Bannes anklicken!).

Es gibt eine Abwehrmaßnahme, und da müssen möglichst viele mitmachen: wenn ihr eines ihrer Banner findet (gedichte-heute.de, hausaufgaben-heute.com, hausaufgabn.de, referat-24.de z.B. - jede werbung bei Google ein Treffer!), KLICKT drauf. Dafür müssen sie an Google zahlen. Desto häufiger jemand drauf klickt, ohne dass er drauf reinfällt, desto weniger lohnt es sich für die!

Wahrscheinlich findet ihr auf meinem Blog hier auch gleich so eine Werbung...

So I have now installable packages and tools for the mysterious, wondrous SERefPolicy. You can grab them at http://selinux.alioth.debian.org/experimental

Note that I havn't tried using the policy yet. For example, the policy is missing dpkg and apt-get rules. So don't even think of running it on a production system, there is still lots of stuff to do.

But I just, for the first time, managed to use "semodule", and actually add and remove modules from the modular policy. Yay!

Now we just need to rewrite tons of policy in an even cryptier language, using even more M4 macro hell... ;-)

Oh, and then we need to fix that Make bug effecting unstable, so we can actually build the new policy... ;-)

We definitely need more people working on SELinux support in Debian.

After having read a couple of time of it, I decided to give Last.FM a try.

I quickly found out that I can pick a station with "similar" music to a given artist. I've been listening to the lastfm://artist/Gotan%20Project/similarartists stream - aka "Similar music to Gotan Project".

This has largely been a success. A couple of songs came in that made me quickly press the "skip" button (I love this feature) - no, I don't want to hear a christmas song today. But I've heard a couple of songs for the first time that I really like.

Pyroman is now hosted on alioth, and uses Debians subversion server.

I just did a new pyroman release, version 0.1.2. This is just an interim beta release, a version 0.2 will follow soon.

New in this version is:

Detailed error reporting: when a firewall rule is rejected by iptables (e.g. because you specified an invalid port range pyroman didn't detect), it will give you the corresponding filename and line number!

Automatic rollback: Pyroman will undo any changes to the firewall if either any rule is rejected by iptables, an exception in pyroman occurs or the user fails to accept the changes within a configurable time limit (e.g. because he just broke his ssh connection...)

So pyroman is even cooler now! ;-)

On the TODO list: add a no-confirm switch for use at system bootup, code cleanups and a iptables-version test, so you can add rules that need a specific iptables version (such as string matches for bittorrent).

Dear Lazyweb,
I recently noticed that some people e.g. don't know the "mailq" command, which is fairly standard for email servers to print the current mail queue. Which is an essential command if you want to debug your mailserver.

So I was looking for a good tutorial to recommend on "running" an email server, and had a hard time finding one... there is a large list of online books, but as far as I can tell, they don't even teach such basic things such as mailq, do they (I of course only checked those I could read online).

Nor could I find this information easily accessible on the Postfix homepage. But there are a couple of things you should know at least where to find. Including showing whats stuck in your mail queue, why, and how to remove these messages.

I guess this applies to many many things. Everbody assumes the basics to be clear, and just talks about how to pick certain configuration options...

XSLT is an outright ugly language. Thats why I often just hate it. In some (rare) cases it's very elegant, but most often incredibly clumsy.

I've been redoing my homepage completely, and I'm using XSLT to render my data XML files to the XHTML output. That works quite well so far, but I hit more and more special cases.

First I wanted to add a language chooser. This required finding out which lanuages my document supports (read: blocks with that language attribute exist) and check for uniqueness.

Some things where rather easy to solve (with some experience in XSLT), so where extremely ugly.

First of all, I want my template file to be a valid XHTML file, I don't want to have any layout parts in XSLT. Then I have a separate sitemap, needed for generating the menu. So I have to process three documents at the same time in XSLT. Ouch. But doable, using variables.

Basically I have three modes - in one mode, the template is mostly copied over, unless I've specified some special rule, e.g. to insert the page title, meta information or content. A second mode uses the current chunk of the template document as template for the contents a couple of times to iterate over data chunks from the data source file (read: put text blocks from my source files into the output template format). The third mode does the same for the sitemap.

Unfortunately, it started to get even messier...

Big problem number one: Make a list of the available languages for the current page. Make this information reuseable throughout the page transformation. Part one: make a list of available languages by finding unique (!) @lang attributes. (usual approach: grab all nodes with @lang attributes, check if they have the same node id like the first occurence with this @lang value for uniquness, then output. Ugly as hell, but string magic sucks as much.)

Big issue number two: Assume we now have a variable with en in there, access these nodes to transform them. Unfortunately, the generated nodes are "result nodes", and you cannot iterate over them with for-each. Luckily the exslt node-set extension to solve this.

But now came the third big issue along... this is where I give up. I want my pages to have a nice modification date... my data pages are stored in subversion... Subversion has keywords expansion like CVS, which I can use nicely to automatically update the last modification date of the file. Unfortunately, the date will look like this:

$Date: 2006-02-15 21:29:10 +0100 (Mi, 15 Feb 2006) $

Whereas in a web page meta information it's recommended to use ISO8601.

Now if I only had regular expressions and proper date handling functions...

I guess I'll stop writing ugly, hackish XSLT code and chose pretty Python code instead. Maybe use TAL or KID for XMLish templating...

Aargh. Yesterday I spend hours trying to find out why SERefpolicy would not build.

There was a suspicious message in the build process, about a circular dependency being removed, and it was obviously due to this dependency that the build did not work.

But: I couldn't find anything like a circular dependency. The dependencies for this file were trivial, just two input files that are not being modified or generated or anything.

Today I decided to downgrade make to the stable version (which unfortunately conflicts with current kernel-package...) - and now it compiles.

Smells like "make bug" to me...

You can grab the completely untested (last build didn't work, and my test machine is currently down) packages at http://selinux.alioth.debian.org/serefpolicy/ in case you want to try SERefpolicy yourself.

I'd love to have a SELinux policy system which does not involve any such make and m4 black magic. The makefiles are a PITA to read, the whole thing is totally unmanageable IMHO.

Have you seen Shrek 2? Remember when he has to win back his beloved?

"We're gonna need flour. Lots and lots of flour."

Unfortunately, this joke doesn't translate into other languages - "flour" and "flower" rarely sound the same... (e.g. "Mehl" and "Blumen" in German)

My father wanted to try out b2evolution. Oh my god...

He was not able to login. With the help of ethereal we found out that b2evolution uses the following line of code to determine your cookie domain:

$cookie_domain = ($basehost == 'localhost') ? '' : '.'. $basehost;

Changing it to

$cookie_domain = '';

Why is there not a single PHP program that just works? Is it the language that invites you to write crappy code, or is it the users of PHP that have no clue?

zsh: can't write history file /root/.zsh/history

You'll get this error message on logout when your ssh login is to a userid which may not write your home directory (such as staff_t, when logging into root whose files usually are sysadm_home_r).

Here's a simple workaround for you zsh users:

if id | grep -q sysadm_r; then
        export SAVEHIST=1500
        export HISTFILE=~/.zsh/history
        export HISTSIZE=1500
fi

Bash users probably can use

if ! id | grep -q sysadm_r; then
       shopt -u cmdhist
fi

Wednesday, my S-Bahn had obviously been kissed by someone. I coudln't resist and tried to take a picture of it (which is far from easy with an autofocus camera...) - I hope the result is okay.

Die S-Bahn, in der ich am Mittwoch gefahren bin, hat offensichtlich jemand richtig abgeknuscht... nicht einfach zu fotographieren mit Autofokus, aber das Ergebnis ist nicht ganz katastrophal. Nur beim Hintergrund hatte ich leider kaum Auswahl...

Kiss my S-Bahn.

According to the specs I read from IBM/Lenovo and from Microsoft, a current top-notch Thinkpad X60 (with Core Duo CPU, 12" display, 1.3 kg) ultraportable is not "sufficient" for running Windows Vista.

The laptop only has 512 MB RAM, parts of which are used for graphics. Windows Vista requires full 512 MB RAM for the System and a graphics card with at least 64 MB (for the rather low resulution of the 12" display, make it 128 MB for bigger ones, and 256 MB for 1600x1200)

Oh, the current "high end" Thinkpad T43/T43p models are not sufficient either. They both have too little video memory for their display size, too. But the specs say they at least should be fine if you disable the glass UI.

Sometimes I think if that's worth the benefits (?) of Vista...

Hmm... how about an Intel Mac? Can at least an Intel Mac run Vista?

I've recently done a couple of updates to my SELinux backports for Debian stable.

The backports are mostly "No changes" backports; recent improvements include (finally) a SELinux enabled shadow package. Approximately tomorrow I'll also have a new sysvinit package which makes my modifications hopefully obsolete thanks to the maintainers fixing my reported bugs. ;-)

The packages are largely untested, though. I havn't rolled them out on my main SELinux enabled boxes yet. There also is no SeRefPolicy package yet.

My father asked me how to setup an alert to remind him of the evening news. (The serious ones in the public channel, not the sensational in the private channels...)

My first suggestion was to use evolution, but it cluttered his calendar view. I guess you could avoid that by using a separate calendar file, though.

Still, these alerts are of very low priority, so I considered that the new notifications should actually suit better.

Sending notifications from the command line is supposedly easy - if you're in the same session. Otherwise, you have to find out which socket to send it to. (Btw: what happens when the dbus daemon is restarted ungracefully? will notifications be broken until the session is restarted, too?)

Anyway, here's the solution I came up with:

#!/bin/sh
user=`whoami`
pids=`pgrep -u whoami gnome-session`
title="$1"
text="$2"
for pid in $pids; do
        # find DBUS session bus for this session
        DBUS_SESSION_BUS_ADDRESS=`grep -z DBUS_SESSION_BUS_ADDRESS \
           /proc/$pid/environ | sed -e 's/DBUS_SESSION_BUS_ADDRESS=//'`
        # use it
        DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS \
           notify-send -u low -t 30000 "$title" "$text"
done

This will send a notification with a lifetime of 3 minutes to all running gnome-sessions of the current user. Supposedly works fine from cron (not yet tested, though). Error handling isn't perfect yet, either (but again, this is a very low priority notification).

P.S. hint of the day: use a line like

apt-get install libnotify-bin && notify-send 'Yay! Completed!'

Wer bei GMail seine Sprache auf Englisch stellt, hat jetzt Instant Messaging via Web und EMail integriert. Die Oberfläche schaut auf den ersten Blick ganz "benutzbar" aus, und prinzipiell finde ich das ganz cool: IM anywhere... und man braucht nichtmal extra Software starten, insbesondere kein Java.

Oh, als kleinen Bonus gibts auch einen direkt erreichbaren "Löschen"-Knopf.

P.S. Sorry, wem die ganzen Blog-Einträge heute etwas viel werden...

Simple answer: because RSS and Atom are XML formats. So please generate valid output. Adhere to the standards! The RSS feeds of Planet Gnome and Planet Ubuntu, for example, are currently broken. (Planet Gnome due to a bug in Planetplanet AFAICT, Planet Ubuntu due to a broken RSS feed from Wordpress... Yes, you must escape single < characters in XML...)

Templating systems such as the default templating of the Django Framework, or the popular Clearsilver templating engine are unfortunately not suited for XML output. Oh, and please never ever write XML using 'print' commands either. Use a proper XML writer, which can handle charset issues and escaping properly.

Good examples for XML-enabled templating engines include TAL and METAL used by Zope (but available for a variety of languages), and KID (again python, used by the Turbogears Framework).

Closely related is the "HTML fragments" issue, which basically is why I want XML to be used internally, too (you could also store StructuredText only, and convert it to XML just for transformation to the output):

HTML fragments in my blog should be valid slices of an XHTML file, to avoid issues when generating both the web pages as well as when integrating the feed into other pages. With RSS, the HTML code is AFAICT escaped in one big data chunk, so it doesn't matter there. It probably does for Atom.

So what a good blog tool (including a rewrite of planetplanet which has way too many bugs) needs to do is to parse it's input data (plain text, HTML provided by a web browsers WYSIWYG edit component, mail, structured text, XML, ...) and either reject broken entries or try to guess whats intended, but guarantee that the output is valid XML. Then generate proper feeds and output from that.

Thanks to all those who already replied to my previous posting. One thing I was pointed at, and I'll probably look into is Apache Forrest. Although I likely will use KID instead, if I happen to write my own tool after or despite my upcoming final exams.

Dear Lazyweb,

Anyone aware of a nice blog software that

• Uses some kind of proper XML to store all data (and thus always create valid output,
• Allows me to enter stuff using some StructuredText human-writeable markup and copy HTML fragements from other pages in there.
• Does reasonable caching instead of doing XSLT transforms over and over again...
• Allows me to tag posts, and provide customized RSS feeds (e.g. all english, non-personal, XML-related posts
• Doesn't force me to use the web to blog (like WordPress)
• Doesn't use PHP or ASP or JSP and a MySQL database which I consider bloated and potentially insecure - should be nice and clean code, which PHP rarely ever is.
• Doesn't use extensive frameworks such as Ruby on Rails or TurboGears either... I don't want to have to install these.
• Doesn't bring with it another stupid user management (like WordPress and all these fancy php thingys do)
• Preferrably doesn't require CGI at all...
• Doesn't need to have comments, and lets me disable them. It's my blog, I don't want to have to care about spam and you are supposed to read it using a RSS reader (and no UI-hell Internet Exploder 7), actually. :-)
• Is OpenSource, obviously. I will certainly want to remove some things I consider stupid. I've yet to see a commercial software I'm happy with.

And I bet I forgot some additional restrictions... Thanks for any suggestions..

Today I "quit" (formally) my math studies and became a computer science student instead. While my next term will officially be my 6th term in CS, I will be doing my finals and then start writing my thesis (which you usually do somewhere in your 9th-11th term).

I have in fact been studying CS longer than that, but I also wanted to do math (mostly because CS was too boring for me most of the time, and math provided a higher challenge) - and instead of formally doing both (which would have required finding out specific formalities noone knows, and maybe paying some extra money) I went with math for a long time.

Now that I was approaching final exams for both math and computer science, I had to decide: do math, do CS or do both. Being lazy (and wanting to finish as soon as possible now) I decided to pick the easiest - computer science.

My diploma topic will be very mathematical, though - a special logic for reasoning on the web, so it's logic, web 3.0 and theoretical computer science combined. Sweet.

I guess it really doesn't matter that I don't end up with two degrees, given all my other qualifications. :-)

Nicht nur der Transrapid ist ein Unsinn, den uns die Politiker als Toll verkaufen wollen. Zitat Edmund Stoiber:

Wenn Sie vom Flug- äh vom Hauptbahnhof starten Sie steigen in den Hauptbahnhof ein, Sie fahren mit dem Transrapid in zehn Minuten an den Flughafen in an den Flughafen Franz-Josef Strauß dann starten Sie praktisch hier am Hauptbahnhof in München - das bedeutet natürlich daß der Hauptbahnhof im Grunde genommen näher an Bayern an die bayerischen Städte heranwächst

Nein, der zweite SBahn-Tunnel ist genauso ein Unsinn (mit den derzeitigen Plänen). Ich denke wir sind uns alle einig, dass die S-Bahn-Stammstrecke entlastet werden muss, und eine Umgehungsroute entstehen muss. Aber umbedingt in Form einer "Express-Röhre", die die Benutzer dazu zwingt am Ostbahnhof, Hauptbahnhof oder Marienhof umzusteigen - mit erheblichen Entfernungen zu laufen? Für eine große Zahl an Passagieren wird die SBahn-Fahrt dadurch sogar erheblich länger - und gleichzeitig wird der Takt auf manchen Linien - z.B. der S5, die gerade erst in Spitzenzeiten einen 10-Minuten-Takt bekommen hat dann wieder ausgedünnt?

Warum taucht in den Plänen auf einmal eine Express-S5 von Deisenhofen auf, die erst am Ostbahnhof wieder hält (und damit das neugebaute Infineon überspringt!) - obwohl es in Deisenhofen schon die S20 und S27 gibt - damit wäre Deisenhofen nach der Stammstrecke der am besten angebundene Bahnhof! Und gleichzeitig wird behauptet dass eine Express-SBahn zum Flughafen nicht möglich ist, und man statt dessen den Transrapid braucht (damit der Hauptbahnhof näher an die Geminden rückt???)

Nein, was hier fehlt ist ein schlüssiges Gesamtkonzept.

Was uns momentan präsentiert wird ist gar kein Kopnzept um die Probleme zu lösen - es ist ein kostspieliges "herumgedokter" an dem Problem, dass die Stammstrecke manchmal einfach zu ist. Anscheinend hat sich niemand Gedanken gemacht, von wo nach wo die Leute fahren wollen.

Beispielsweise ist der größte Brennpunkt in München der Marienplatz - hier steigen am meisten Leute um, von der SBahn in die überlasteten UBahn-Linien U3 und U6. Deswegen wird dort ja gerade umgebaut. Eine schlüssige Lösung für die SBahn würde aber dieses Umsteigeproblem in Betracht ziehen, und versuchen, stärker zu entlasten als das durch den "Marienhof" geschieht. Denn hier werden die Fahrgäste genauso zur UBahn Marienplatz geleitet, und das Problem besteht nach wie vor. An eine in der Zukunft früher oder später notwendige Entlastung der U3/U6 wurde gar nicht gedacht.

Nehmen wir doch den alten Vorschlag wieder auf, den Bahn-Südring zu verwenden. Es gibt doch bereits eine zweite Bahnstrecke vom Ostbahnhof nach Westen. Die führt durch Giesing, am Kolumbusplatz, Flaucher, Poccistraße und Heimeranplatz vorbei. Das klingt wie das Who-is-Who der Umsteigemöglichkeiten: Kolumbusplatz (U1, U2, U7, U8), Poccistraße (U3, U6), Heimeranplatz (S7, S20, S27, U4, U5) - alles dabei, und der Süden wäre erheblich besser angebunden. Dazu fehlt dann nurnoch eine Querverbindung im Norden, beispielsweise auf der Höhe der Münchner Freiheit.

Allgemein muss auch ein Ausbau des UBahn-Netzes in Betracht gezogen werden (und das mit der S-Bahn koordiniert werden). Der eine oder andere wird sich vielleicht noch an die "Express-U-Bahn" erinnern, die vom Hauptbahnhof zum Fussballstadion fahren soll(te).

Vielleicht wäre es auch gut, sich die Netze anderer Großstädte anzuschauen, und beispielsweise einen echten Ringschluss wie die Circle-Line in London in Betracht zu ziehen. Vergleichen sie die beiden Netze, was fällt ihnen auf? Marienplatz, Odeonsplatz, Sendlinger Tor - diese drei Innenstadt(!)-Haltestellen sind alles, was den Westen mit dem Osten verbindet. Als ob es da eine Mauer gegeben hätte. Versuchen sie mal auf dem Plan von London eine vergleichbare Konstellation zu finden...

Um das "Lieblingsargument" der Politiker aufzugreifen: Für Terroristen wäre München momentan sehr gut angreifbar - eine Bombe am Marienplatz, zwischen SBahn und UBahn, und die Stadt steht wochenlang still. Und der zweite Tunnel würde daran nichts ändern. Auch der Ostbahnhof spielt eine massive Schlüsselrolle, die nur durch einen Ringschluss - wie bei Straßen schon lange üblich - behoben werden kann.

Und München hat inzwischen wirklich genug ÖPNV-Passagiere, tendenz durch die Entwicklung des Ölpreises stark steigend...

Deswegen: Gegen die derzeitige Planung des S-Bahn-Ersatztunnels protestieren und ein schlüssiges Zukunftskonzept fordern!

I wondered where all my diskspace had gone to... Using Baobab, I discovered it was my ~/.thumbnails directory containing 1.1 GB of data. I definitely have way to many pictures... (there were thumbnails of at least of all pictures I shot during my US trip in there)

So when you are running out of diskspace, check your Trash and thumbnails folders... ;-)

Julien Danjou and others replied to my "please don't obfuscate BitTorrent" post, pointing out providers in {France, Canada} that already filter BitTorrent one way or another. I've read similar things about some DSL providers in Germany (Telekom however is proud that they don't do that).

But basically this only shows my point: by having the major p2p filesharing protocols use non-standard ports and non-detectable protocols, more and more providers take measures like doing QoS for non-standard ports or filtering them altogether. And just as you reported, this has bad side effects on the ability of other users to e.g. use VoIP or play online games.

Remember: my point is to make P2P protocols easy to filter/limit by routers, so provider do NOT block/throttle all non-HTTP connections, but can selectively throttle only P2P filesharing when they think they need to. Because otherwise they'll break other stuff such as online games and VoIP.

Now by putting your BitTorrent on ports such as 80 or some VoIP port which isn't throttled, you only cause these providers to e.g. install a transparent proxy for these services. You make it only worse.

I agree that you don't have that much choice in countries where there is some kind of monopoly there. But then this increase in filtering will probably allow new companies to enter the market.

I redecorated my (physical) desktop today. I still need some more posters, too much empty wall. But it's nice to lean back and have some colorful stuff to look at.

But do you know what's best?

My laptop is back from repair. I have backlight again! Though I think they used a too short light tube, it feels somewhat darker on the left and right. But the laptop is old anyway. And the old tubes used to have a reddish tint there...

I love having my 15" 1600x1200 screen back. ;-)

Recently there was a discussion on whether BitTorrent should get some encryption (or obfuscation, more likely) added.

Right now, you can filter out BitTorrent traffic with the following iptables command (note: this needs iptables 1.3.4 and a recent kernel):

iptables -I OUTPUT -j DROP -m string --string "BitTorrent protocol" --algo bm --from 0 --to 100

The nice thing is, that this match is very unlikely to match non-Bittorrent traffic. Linux users can use it to filter out all BitTorrent traffic or mark it for speed restrictions.

Network operators are very interested in filtering this traffic: it slows down more important traffic (and if you are e.g. using stochastic fair queing, the large number of connections for P2P filesharing will make it get a larger share than other apps!) and can cause costs.

If you have mobile users, who e.g. connect their laptop to your network, they will occasionally use BitTorrent at home, and forget to disable it when they connect to your network. That's really bad, it happens and it's not like this is intentional "malbehaviour" or "sabotage"!

So back to the original topic - obfuscating BitTorrent traffic. Let me explain what network operators might do when BitTorrent can't be slowed or filtered any more (Note that this already applies to some services such as Skype or Kazaa as far as I know):

First of all, they might decide to filter all connections to non-standard ports. This effectively eliminates (most of) filesharing - but also e.g. Skype and some IM and chat services. Basically any non-standard service. (Note that "professional" VoIP services using SIP may still be whitelisted).

Secondly, they could decide to slow down all connections to non-standard ports. This would make filesharing, Skype, IM etc. still possible, but for example file transfers via IM will be really slow. No video via Skype, probably, depending on the limits set in traffic shaping.

Thirdly, they could disable all outgoing connections and require you to use proxies for that. Then you need to enable/disable your proxy all the time when switching networks, and you'll only be able to use a limited set of services. Again, Telephony via SIP is still technically possible, using a SIP proxy or by whitelisteing major SIP providers. Skype is no longer possible. IM needs whitelisting, and will likely be blocked, too.

None of these options are very favourable for the users. So please do not support "obfuscated" Protocols such as Kazaa or Skype, or an obfuscated variant of BitTorrent. Stick with stuff administrators can set up policies for - and be nice to your admins. Tunneling via non-standard ports, hiding services will only get you into trouble, and probably even make innocent other users suffer.

After all, filesharing - especially illegal downloading movies and music - is not THAT important, is it? So please make the important services not suffer from it. Thank you.

Oh, and please use SIP, not Skype. Because your admin can whitelist your SIP provider if you tell him you need it for work or setup a proxy for that - and with Skype, he might be afraid that you become a supernode and cause high traffic costs. And then there is a much larger software choice for SIP, including many OpenSource solutions, including PBX software such as Asterisk.

GMail hat inzwischen den lange vermissten "Delete"-Knopf, und jetzt wurde anscheinend auch Google Talk mit GMail integriert...

Beides geht derzeit aber nur, wenn man in GMail als Sprache "English (US)" einstellt. Der "Delete"-Knopf war mir aber schon immer wichtig...

John Williams, of GNOME fame, recently blogged on window placement as part of his "things about gnome that suck" series.

Well, I basically agree with him - but he doesn't propose a solution.

Devil's Pie isn't a solution, because it's not configurable by the average user. Or even by me, I failed to have it tell apart my terminal windows and use a sane placement for them.

Just remembering the last window position doesn't work either - I'm annoyed by this "feature" by nautilus, for example. I tend to have a default position for my windows, by I occasionally have to move them away, and I do not want to have them reappear at this different position ever.

My personal approach basically is to run all windows (except my terminals and popups such as IM windows) fullscreened, on dedicated desktops. Even the IM windows are usually on my "IM & Chat" desktop. This works really well, especially since I keep my terminal windows open all the time, and the default placement to minimize overlap works fairly well.

Still I couldn't specify a general rule how any window manager could learn where to place my windows... so just complaining that Gnome doesn't do this good isn't all - we need to find a way to make this work just fine without the user noticing...

I don't know about OSX - how does this work there? In windows it definitely is horrible. When you watch windows users, you'll often see them stating their Internet Explorer, then clicking on the maximize button. All the time.

Some time ago, I installed Debian on my mothers new laptop (which worked fine once the Xorg drivers supported PCI Express and I did a Bios update).

Since my Laptop is currently being repaired, I'm using hers now (she works 95% of the time on her Desktop anyway). And I noticed a couple of odnesses:

Package: libsdl1.2debian
Depends: libsdl1.2debian-oss (= 1.2.9-0.1) | libsdl1.2debian-all (= 1.2.9-0.1)
| libsdl1.2debian-esd (= 1.2.9-0.1) | libsdl1.2debian-arts (= 1.2.9-0.1)
| libsdl1.2debian-alsa (= 1.2.9-0.1) | libsdl1.2debian-nas (= 1.2.9-0.1)

This makes SDL install OSS support by default, not alsa. IMHO we should now make alsa support default. Maybe even some dmix configuration, since that is what most users will need.

Similarly, lots of stuff depends on libesd0, which is the OSS library. Or to be precise, they all depend on "libesd0 | libesd0-alsa", tons of packages. Each single one preferring to install the OSS version instead of the ALSA version. :-(

Is it just me thinking that OSS is deprecated, while ALSA works like a charm and can do much more than OSS? Sure, you can use ALSA via it's OSS emulation, but then you lose e.g. the ability to use dmix.

"In der gesamten Innenstadt gibt es wegen der Sicherheitskonferenz bis zum 5. Februar um 15 Uhr großräumig Behinderungen. [...] Benutzen Sie die öffentlichen Verkehrsmittel."

Nur leider fahren auch die öffentlichen Verkehrsmittel nicht ganz unbeeinträchtigt, und so steht die Trambahn dann schon mal 5 Minuten bloss weil ein Mr. Wichtig mit Eskorte vorbei muss.

Das ist auch eine Form von Terrorismus, dass diese "Konferenz" mitten in München stattfinden "muss", und nicht z.B. am Flughafen - Terrorismus gegenüber den hunderttausenden Münchnern die da in der einen oder anderen Form bei ihrer Arbeit gestört werden - und gegenüber allen Deutschen, die das ganze Theater auch noch mit ihren Steuern bezahlen müssen.

Wenn ich mit dem Bayerischen Hof etwas zu tun hätte, würde ich das Hotel ja boykottieren dafür, dass er jedes Jahr wieder diesen Auftrag annimmt.

Grrr... gestern war ich bei der Studentenkanzlei, um mich auf Informatik Umzuschreiben für das Diplom. Auf der Webseite stand, dass man den Studentenwerksbeitrag überwiesen haben muss, seinen Studentenausweis und sein Studienbuch mitbringen muss.

Nachdem ich eine halbe Stunde gewartet hatte, hab ich dann in der ersten Minute gleich erfahren dass ich auch noch eine Einstufung brauche, in welches Semester ich kommen soll. Das konnten sie aber wohl nicht auf die (extrem unübersichtliche) Webseite stellen... grr...

Zum Glück ist die Sekretärin vom Prüfungssekretariat (Grundstudium) - und dem Lehrstuhl an dem ich Diplomarbeit machen werde - Gold wert. Schon beim Vordiplom war sie sehr hilfreich, und auf meine Anfrage, was ich da genau brauche und von wem ich es bekommen kann hat sie mir gleich die ganzen Unterlagen inkl. Unterschriften besorgt. Auf Nummer sicher nämlich noch eine Eignungsfeststellung - Informatik ist ja inzwischen lokal zulassungsbeschränkt. (Der Professor, der für die Einstufung zuständig ist, hat mir im Vordiplom eine 1,0 gegeben - ich denke dass damit die Einstufung in das 6te Fachsemester sowie die Eigungsfrage erledigt war ;-))

Morgen werde ich es dann wohl nochmal bei der Studentenkanzlei versuchen...