Dear Lazyweb, I was asked if I could easily setup a system with the following characteristics for a sport club:

• A server in the office room (= locked) hosts the music library
• Two clients (for the two training rooms) are connected to the server
• Each rooms' client can select it's own music (preferrably using a touch screen), pause, play and pitch.
• Trainers can create, save and recall playlists for their class
• It should be possible to associate additional metadata to the music, such as measures-per-minute speed information.
• If possible trainers should be able to generate playlists remotely using a VPN connection; however it needs to be ensured that they cannot download the music this way (the sport club has a license for music use in training classes, but obviously not for anything else)

Two setups I was considering:

• NSLU2 and some USB disks as storage
• DAAP on the NSLU2 for music serving
• Rythmbox, Banshee or maybe even iTunes as client

• Full linux server, maybe NSLU2 would be fast enough?
• Two MPD instances running there, streaming the audio to the clients
• Clients with a small GTK or Web UI to control MPD instances on server

Maybe some solution using XMMS2 or VLC would also be possible. And the ideal solution would allow some pitching.

Do you have any recommendations for me? Please send them via EMail to erich AT debian DOT org.

IMHO, the key factor will actually be the UI for the trainers. It should allow them to easily locate a song when needed, or put a couple of songs into a playlist to use during their class.

Carzy DJ mixing capabilities aren't needed; party evens will likely have a real DJ around. This setup is solely meant to help the trainers getting their music ready in no time. Right now there are always issues with cables gone missing, CDs in the wrong covers, CD readers not reading certain CDs, etc. pp. And after all CDs have a pretty bad usability; you can't reorder songs easily according to your needs, and you'll often have to switch CDs. Having the music on a harddisk and using playlists can offer some good improvements here.

So instead the UI should allow easy searching of tracks, easy access to a large number of playlists and such key functionality.

Note that this is just an idea floating around so far; I don't know if it will become reality sometime. Adding some PCs to the rooms, eventually even with a touch screen, is some expenditure; that money might be better spent differently.

The search functionality of YouTube always sucked. Ever since Google acquired them, I was looking forward for them to add a better search.

Well, this apparently has happened now; searching at youtube now allows queries like "paris -hilton". At the same time, searching at Google Video now returns results at YouTube.

In this particular case however, I'd prefer it to not return YouTube results, because videos at Google are usually of a better quality...

(Title stolen from Holger Levsen)

Whenever I see this image [mozilla open Standards], I want to make a spoof of it titled:

Every time you make an Ajax app, god kills a firefox.

But I would certainly be violating Mozilla trademarks by doing so (their artwork, logos and trademarks such as "firefox" are not OpenSource).

Anyway: AJAX is a hackaround, in particular it is not an open standard. Please use it only where it's really needed. Granted, there is worse (e.g. Flash; prepare for incompability hell now that the first opensource plugin can playback youtube videos - as you might be aware, many Linux distributions can not ship Adobe Flash, so they'll likely start shipping this plugin as soon as it's somewhat working sufficiently; or ActiveX which only works with MSIE...), but that's not really a good excuse for this abuse of Javascript that is called AJAX.

On a side note, since I already mentioned flash - I can really recommend the Flashblock mozilla extension. A must have: you can view any flash if you need to by just clicking on it, but they won't be loaded automatically anymore. So you can easily access youtube (just one extra click!), but won't be bothered by flash ads and such stuff.

Oh, and Adobe. They're probably the biggest blocker for a widespread Linux adoption judging by this article [computerworld.com], which is already very positive on Linux ("Unlike many of the applications included on new Windows systems, these don't seem to come with annoying self-launching advertisements, such as the irony-challenged Trend Micro Anti-Spyware pop-up upgrade pleas that plagued my HP system at home."): maybe his biggest issue is that he couldn't just run his Adobe Photoshop Elements on Linux.

Of course there are application trying to offer the same functionality; starting with Gimp, digiKam and Krita (and I'm not sure he tried Krita and digiKam as well; they are probably more similar to Adobes product), but I can understand his wish to be able to continue using the same applications.

(My personal recommendation: start using Opensource applications on Windows, e.g. Firefox, Thunderbird, Inkscape (great vector graphics program!) (and it's using open standards: SVG), Gaim (multi-protocol instant messenger and tons of others. They're free, so even if you don't use them every day, you didn't waste money on them... and if you happen to like them: you can be sure that they'll be working the same if you do the switch to Linux at some point in the future. Be prepared for when Microsoft says you PC is too old.

Applications are still open until March 26th.

Note: the following is my personal opinion; I'm not the coordinator of the Debian GSoC project, and others might disagree.

Debian has received a couple of applications, but there were rather few among them I found really convincing. :-(

What I usually dislike in applications:

• doesn't state an actual project (yes, this happens, we nuke them pretty quickly. "Debian for my life" is not a real project, you know...)
• isn't related to Debian. For example "face recognition PAM module" certainly is an interesting topic, but I don't think Debian is the appropriate organization to mentor this. We aren't an organization of image recognition experts, but our key strength is distribution infrastructure.
• doesn't say much more than the suggested topic already did (note that for such 'popular' topics from the Wiki we usually receive more than one application; so adding some good ideas yourself or at least writing a good plan is key to being accepted!)
• doesn't give the impression of having done some basic background research, such as having searched in the Debian packages repository with "apt-cache search"

So if your application is really Debian-related, invest a few hours in writing the application and your chances are pretty good at being accepted!

Of course Debian could be an Umbrella for e.g. another network configuration GUI, a tool to configure traffic shaping etc.; however I don't think that should be our focus. In fact, Google itself could mentor these topics maybe as good as we can. So please don't just submit a proposal to us because you happen to be a Debian user, or submit it to all mentoring organizations. Instead try to find an appropriate mentoring organization. (On a side note, the mentoring organization is supposed to provide you with a mentor which can actually help you on the topic). Debian is a good choice when it comes to integrating software, software management, system administration and such. Thats what we do: collect existing software and try to make it work together as good as possible. And build infrastructure and tools to make this task easier. This of course touches e.g. porting to different architectures and writing new administration frontends, however we try to avoid reinventing the wheel.

One of the suggested topics, where I'm really surprised to not having seen a proposal yet is CRMI; which matches what I sometimes call a "per package wiki for metadata". Or a Debtags related project. Or a SELinux project. These are both pretty interesting technologies, which offer substantial benefits when actually used. When properly integrated in the distribution.

Ich muss meine frühere Ablehnung gegen einen Bundeswehreinsatz im Inneren wohl doch noch einmal revidieren.

Schuld daran ist die Schlagzeile der Bild: Bundeswehr jagt Tokio Hotel.

Das ist der beste Vorschlag, den ich seit langer Zeit gehöhrt habe!

Und es ist nicht einmal grundgesetzwidrig (im Gegensatz zu den Plänen von Schäuble, Schily, Beckstein und ähnlichen Befürwortern eines totalitären Systems): bei "Naturkatastrophen" und "schweren Unglücksfällen" darf die Bundeswehr ja schon eingesetzt werden. Und richtige Waffen brauchen sie auch nicht gegen die Krischperl von Tokio Hotel, genauso wenig brauchen sie dafür eine passende Ausbildung (eine Ausbildung zum Thema Sicherheit würde Schäuble und Beckstein auch mal gut tun, damit sie nicht mehr mit solchen Vorschlägen kommen. Soldaten sind keine ausgebildeten "Ordnungshüter", im Gegenteil!): einfach hinterherlaufen, den kreischenden Fans ausweichen wie auf dem Truppenübungsplatz, unter dem Zahnspangenzaun durchkriechen und dann die Band so anschreien, dass sie sich zu Tode erschrecken. Problem gelöst.

SCNR, die Steilvorlage von der Bild war einfach zu gut. Mir ist's ja letztlich egal was Tokio Hotel macht, da ich sie zum Glück nie höre - das einzige was ich von ihnen weiss ist das sie ein Lied "Monsun" oder so mal gemacht haben (oder war das "Katrina"?). Und diese Schlagzeile der Bild, die ich von der Trambahn aus hier in München gesehen habe.

P.S. Können wir die Bundeswehr nicht auch noch gegen Raucher in Gaststätten und anderen geschlossenen Räumen einsetzen?

Using Sun Java 1.5.0_11:

final SimpleDateFormat almostXsDateTime=new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
System.out.println("One: "+almostXsDateTime.format(c));
c.set(GregorianCalendar.HOUR_OF_DAY, copy.get(GregorianCalendar.HOUR_OF_DAY));
System.out.println("Two: "+almostXsDateTime.format(c));

IMHO, the get/set combo shouldn't be changing the date... but:

One: 2007-05-17T00:00:00.000+0200
Two: 2007-05-17T02:00:00.000+0200

(I'm not yet sure under which exact cirumstances this happens; it doesn't happen always...)

P.S. the format is called "almost XSDateTime", because it's just almost XML Schemas DateTime format. Unfortunately, the Java date parsing and writing classes can't handle XML Schema DateTime (or ISO 8601) because of a tiny little detail: they use a colon in their timezone offset. How annoying is that, that java can just almost handle this ISO date format?

P.P.S. so apparently Java is adding the ZONE_OFFSET to the date in this situation; it likely is related to locales and timezones.

I'm now a Gnome contributor; not a foundation member, but I have an account and a SVN Repository for Dbus-inspector at Gnome now. Thanks go to Riccardo for following up on the SVN and account creation!

I've just committed my current version of dbus-inspector. It doesn't differ from my previous blog post on dbus-inspector; it does include the hotfix for working around python-dbus vs. tracker incompabilities (by just skipping tracker if the python-dbus version is known to crash).

There is still a lot of things I need to find out (e.g. how to setup a proper project web page, how to properly offer tarballs for downloading); and I don't know when I'll find time to search for the appropriate documentation on everything.

A repository for my "dbus-hook" project was also created, however I don't have any code (except the dbus-inspector stuff) that is ready to be shown yet. It's mostly an idea of mine so far, and I'll need to sit down and properly plan it's implementation.

Microsofts view of Linux users, and how to convince them of Windows.

I don't like linking to Microsoft stuff, and especially not to Microsoft FUD (the flash presentation of theirs will in turn try to bring you to their "get the facts" wrong site...)

However, for Linux evangelists it's a good opportunity to see Microsofts strategy at attacking Linux, and where we should improve to counter their claims (e.g. with respect to mangeability).

It's also nice to see that they actually feel oblieged to counter SAMBA and other Linux technology, and that especially in the networking part they have little to claim to be superior. And also for Samba all they claim is "higher value because of better integration and manageability".

And I definitely have to agree that management of a larger Linux network isn't easy, and we could do with some better tools. (And especially tools to do tools for network management; we have different requirements, and there are good tools, but they are either hard to roll out and customize - cfengine -, or too primitive to be of use to many - webmin etc.)

Still the average Linux administrator does manage a significantly higher number of servers than a Windows admin, so their claim actually is incorrect.

And it's totally absurd they claim to be better in security with Exchange. Maybe better than their older crap, but I still would never ever trust a Microsoft system for Email... just remember all those bad email vacation notices etc. Microsoft delivers...

So: know your "enemy"s tactics.

Uwe and Gunnar have been talking about using flash aka. solid state disks.

So far, every USB memory stick I had has died after a fairly low number of write cycles... sometimes doing a low level format helped, but the errors resurfaced again later on. Interestingly enough, I never had such problems with digial camera media, just with USB thumb drives.

The wikipedia article on Flash RAM is also rather vague:

Another limitation is that flash memory has a finite number of erase-write cycles (most commercially available flash products are guaranteed to withstand 1 million programming cycles). This effect is partially offset by some chip firmware or file system drivers by counting the writes and dynamically remapping the blocks in order to spread the write operations between the sectors.

(Note: you can do some simple counting with programming cycles only, i.e. by doing only NOR/NAND operations and no resets)

Note that there are also filesystems designed for flash, e.g. JFFS2, that have built-in wear leveling at the filesystem level. It might also make sense to not use a media with wear leveling, but instead do it yourself in software. However you most likely won't have a choice here unless you build your own hardware and want to skip the extra controller.

You should however try to keep the number of writes low, so e.g. disable atime for ext2/3 (I guess JFFS2 doesn't support atime by design), reduce the frequency of flushing buffers to disk ('laptop mode') and use RAM filesystems where possible (e.g. /tmp).

Anyway, go and read above Wikipedia article, it has some good information on it. And in half a year, many laptops will sell with hybrid drives, because of Microsoft pushing that technology. (I remember having read that in fall, having a hybrid drive will be a requirement for Vista gold compability or so?)

It would be interesting to work out how Linux can benefit most from such a hybrid system. I can imagine using a USB thumb drive with my laptop both as access key and for rapid boot (my harddisk is encrypted anyway, and it would make sense to not have an unencrypted bootloader on the disk, but only on the flash drive. The flash drive would not contain the key, but the kernel, decryption software, i.e. cryptsetup etc., and maybe some services to be loaded on boot for fast startup)...

Rumor: the B in "blog" actually means beta.

Original text of this post:

You know you've been exposed to too many Web 2.0 applications when you start to think the B in the blogger.com logo is for "beta". I was like WTF, are they making "beta" to be all of their logo now?

And yes, I know about it being a shortened version of "weblog", likely coming from the pun "we blog".

Tja, manchmal sind die Wörterbücher nicht komplett:

Geschrieben hatte ich "Freundschaften".

Korrekturvorschläge: "Freundschaft", "Feindschaften", "Vormundschaften".

Will mir mein Computer damit etwas sagen?

Wie Roger Cicero singt: "Freunde kommen und gehen, Feinde sammeln sich an."

"Es kann nur einen geben!"

Oder "Du sollst keinen anderen Freund neben mir haben." (Und nein, ich bezeichne meinen Computer nicht als meinen Freund; aber ich schriebe meinem Computer auch keine EMail, sondern einem echten, lebendigen Freund...)

... oder zumindest die Vorausscheidung zum Eurovision Song Contest.

Ich war die letzte Zeit so viel Swing-Tanzen, dass ich erst heute mitbekommen habe, dass Roger Cicero gewonnen hat und für Deutschland zum Eurovision Grand Prix fährt. :-)

Auch wenn IMHO "Frauen regier'n die Welt" nicht sein bester Song ist (ich finde "Zieh die Schuh aus" und "Murphys Gesetz" besser), so freut es mich, dass er es geschafft hat, und die Retortenband in ihre Schranken gewiesen hat. :-)

Morgen abend bin ich dann wieder Swing tanzen. :-)

P.S. Dienstag geht der Lindy Hop Kurs bei den Boogie-Bären neu los, wenn ihr also Swing lernen wollt, so kann ich euch Montag abend das Cord in der Sonnenstr. und Dienstag die Boogie-Bären oder den Kurs von Swing and the City (aka: Chris und Cat) empfehlen. Oder nächstes Wochenende den gemeinsamen Workshop von Chris&Cat und (ehem. Weltmeister) Markus&Bärbel für Anfänger und etwas fortgeschrittene Anfänger.

P.P.S. Ich würd ja gerne mal Roger Cicero mit ein paar richtig guten Swing-Tänzern als 'support' auftreten sehen. Aber das aktuelle Lied ist nicht so toll zum tanzen.

Roger Cicero will be going for germany to the Eurovision song contest.

With his song "Frauen regier'n die Welt" ("Women rule the world"), which he sings with the impression of being able to himself rule any woman. :-)

His mix is very uncommon: it's swing, but with german lyrics, about love and life, flirting and with a well-dosed amount of macho in it, but not serious but always joking and cool.

YouTube has some video clips with his music. Note that I don't think "Frauen regier'n die Welt" is his best song. Scroll down at least to "Murphys Gesetz" ("Murphys Law", and congrats for not incorrectly adding an apostrophe, it's correct this way...) Last.FM has some excerpts from songs I like better.

I don't know if 'we' have any chance with him (last years' winner was Lordi, some 'schocker' hard-rock-heavy-metal band dressing up like halloween monsters), but he won't come out last for sure. Demographics of the Eurovision contest aren't too favourable for germany, nor are are European relations.

But being a swing dancer, this is just really cool, because it gives my hobby a wider audience. :-)

P.S. If you want to learn Swing dancing in Munich: the Lindy Hop course at Boogie-Bären starts again this tuesday, and I can also recommend the classes of Swing and the city (thats Cat and Chris); there is a beginners and intermediate workshop next weekend with world champions Markus & Bärbel together with Cat and Chris. And of course every monday there is a teaser class at Cord.

P.P.S. I'd really love to see Roger Cicero perform together with some good Lindy dancers as show act. Probably a different song then, though.

So far, all network monitoring solutions I've tested suck.

• Nagios, the dinosaur of network monitoring is a pain to configure, and somewhat half of it's features feel incomplete to me. It also spawns a lot of processes, which probably isn't very efficient. I find the UI pretty much useless, thats why I rely mostly on "naglite" (a dirty PHP script) to provide a status screen. I don't think it has any "numerical" monitoring for things like e.g. diskspace, you can only configure alerts when it hits a certain trigger value. I have to admit that Nagios is very powerful when it comes to alerting people based on schedules etc. That probably us why it's #1 for monitoring, it can be setup to send an alert to exactly the right person on duty... Another good feature is the scheduling of downtimes.
• Munin, formerly known as LRRD, is a general purpose graphing tool. It's especially useful in combination to nagios, since it provides some features nagios is missing and duplicates little. Nagios is nice for doing e.g. a usage analysis of you VPN or graphing network load etc. However it doesn't do trend or some more complex analysis.
• Zabbix is written in PHP, and suffers apparently from the same problems as most PHP programs: looks like it's great, but lots of stuff isn't working right or correctly. To me it felt like it was developed without a master plan or any kind of software engineering in the background, but by randomly adding and changing features. I found configuring it a pain, I was tempted to write my own configuration tool for it. But maybe they've changed their configuration again, they had been doing that pretty much every version back then (one of the reasons why I felt it was developed without much of a plan). I also had the impression that it's monitoring is quite inefficient and not capable of handling irregularities in scheduling well. So as long as your network is working great, it will probably work as well, but if you have some serious network problems, it will maybe get totally messed up.
• NetMRG can plot you all kinds of graphs you do not need.
• Tons of other monitoring tools I tested which had random problems, from just being able to graph data, but not to assign a meaning to them to being a Java GUI app...

What I'm looking for is a network monitoring solutions, which

• Allows me to setup monitoring with the host, service model I use for my tasks, ideally even allowing me to easily move a service from one host to another. Should be class based, and allow multiple classes per system.
• Understands that some services are important (e.g. firewall), and others are not (paper availability in the printers)
• Doesn't waste my time with millions of configuration settings, network mapping, SNMP digits, listing every single SNMP value...
• Doesn't bother me with all the thousands of values it could collect
• Handles dependencies, and doesn't alert me separately for obvious consequences
• Has a good alerting system, with little to setup
• Has a good monitoring scheduler, that will adjust it's monitoring interval to the current monitoring load (e.g. reduce scheduling density when all services are timing out, do multithreaded pinging / querying of hosts, avoid busy polling, use push instead of poll where possible.
• Has a very minimalistic status screen, as long as everything is okay it should just say so; if something is down, it should show some report on what is wrong, but never ever fill the screen. The main monitoring screen doesn't have a mousewheel or any other input device! (Test: should be useful even without colors!)
• Multi-host monitoring with synchronization, so I can e.g. have a monitoring service in the internal network and one in the DMZ. If they are disconnected, they monitor independenctly and merge data afterwards.
• Does real trend analysis on numeric values, with some prediction model, for e.g. diskspace. Diskspace often follows daily, weekly and monthly patterns. Especially log file partitions. The monitoring tool should alert me if it looks like the disk is going to be full "anytime soon", not just when it's too late!
• Not written in a bad language such as PHP, efficient, not spawning thousands of processes...

Pretty much every monitoring solution I've seen so far is great at collecting tons of data, but doesn't help me with actually handling this amount of data.

Anyone has a recommendation for a good network monitoring tool?

I'd be really interested in doing the last point - a real statistical analysis for network monitoring. This would be so useful... predicting peaks in network usage, predicting when a system will be overloaded or a disk full... but I'm phasing out of network administration; so my interest here is mostly in being able to give advice to others.

[Update: no, you don't need to point me to Cacti. It's just another grapher and data collector that doesn't actually do what I would call 'monitoring'. It also seems to not have a smart scheduler, and is written in PHP (which is bad!) I was also told a non-success story with OpenNMS which just crashed when adding a host to be monitored with a totally unhelpful stack trace. I had a look at their online demo, but it felt very complex and not very useful to me...]

Debian is participating in the Google Summer of Code again.

Russell Coker offers to mentor SELinux projects, and so do I. I'm available for mentoring SELinux and Debtags related projects in particular.

This years idea pool in the Debian Wiki. Make sure to also check last years idea pool (some of which will no longer be open, though). And of course your idea doesn't need to be on these pages already; we're of course interested in anything that goes beyond that.

One thing with SELinux I'm particularly interested in is install scripts. That is quite some work to do, and you might want to automate it somewhat.

Debian install scripts can be quite complex. Some things are obvious such as restarting services on upgrade. But some scripts do much more.

SELinux uses a deny by default approach (which is the only sane security approach, btw.); in particular this means that many Debian install scripts will be failing.

Right now, package postinst scripts are being run with the full permissions of the apt-get domain. It would be good to reduce that to a "postinst" domain. It would be a possible GSoC project to analyze which permissions package postinst scripts need, and if we can e.g. add a "postinst extended" domain for just a few postinst scripts that really need extended permissions.

An example for extended postinst tasks in Debian (I don't think Redhat, Fedora or Gentoo does that yet): precompiling all python modules for all installed python versions (and to avoid having programs try to precompile them on demand, which will result in audit errors and such). I wrote a module for that called python-support. It adds a restricted domain which can exactly do this task of precompiling Python. But there is other such stuff, such as updating the menus, managing alternatives etc.

But feel free to suggest your own ideas.

Brain Handles did a test to see if Google indexes Javascript-generated content (for simple scripts).

It doesn't. So if you are doing a heavily Ajax-based web page, you are (still) risking to prevent Google from indexing your contents.

(Note that for two prime Ajax examples this doesn't matter: GMail and Google Maps. One doesn't have any public content anyway, the other no text.)

Please use Ajax only sparingly. It's a dirty workaround for shortcomings in interaction capabilities of HTML and web browsers, not the ultimate solution to all our web problems.

Two consequences:

1. For now you can hide content from being indexed by Google by putting it into Javascript code. Note that it will be missing for non-Javascript-enabled browsers then, too.
2. There might be a business opportunity in running Javascript in a Crawler to obtain additional text to index. This is best when integrated with the Javascript interpreter, to e.g. index text changes as they are generated. And this could also be used to detect e.g. sites with annoying commercials (popups), fraud sites or sites which try to run browser exploits or that try to cheat on search engines by e.g. doing a Javascript redirection.

... write an email to "area-muc", the list for the Debian Munich user group and propose to do a link exchange for "Toronto Restaurants".

May I point out that Munich and Toronto are separated by a larger ocean? And the Debian Munich user group doesn't have a real homepage they could do a link exchange on?

No, this is not a joke. Since my upgrade to Xorg 7.2, I can't run tomcat from eclipse anymore. It fails with

java: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.

The workaround is simple: start tomcat with

DISPLAY= tomcat5.5/bin/startup.sh

Yes, if you 'hide' the graphical interface from tomcat, it works...

WTF is it with Java? (And yes, this is a bug in Java, not in libx11)

Interesting side note: Eclipse still works. And in contrast to tomcat, it actually is supposed to use X11. But it probably always goes through GTK.

P.S. setting LIBXCB_ALLOW_SLOPPY_LOCK=true doesn't help.

The intel video driver in Debian 'experimental' didn't work for my laptop. All I got was a black screen. This apparently is related to modesetting on 1400x900 screens, and is in upstream BTS as bug #9076.

Anyway, if you are facing this issue, you can either downgrade to the intel driver from Debian unstable, or download the source code and apply this diff:

--- xserver-xorg-video-intel-1.9.92.orig/src/i830_display.c
+++ xserver-xorg-video-intel-1.9.92/src/i830_display.c
@@ -121,1 +121,1 @@
-#define I9XX_P2_LVDS_SLOW_LIMIT         112000
+#define I9XX_P2_LVDS_SLOW_LIMIT         90000

Then recompile and you should have a working intel video driver again.

The Google Summer of Code is in preparation again. I'll be available as mentor for the Debian project again in 2007.

If you are interested in the summer of code, hurry up:

• March 14: List of accepted mentoring organizations published on code.google.com; student application period opens
• March 24: Student application deadline

Yes, about one week left to write and send in your proposal!

I'm interested in SELinux and Debtags related projects mostly. Maybe some init stuff or infrastructure, too. But there might be better mentors available for that. Just make a good proposal!

SummerOfCode2007 in the Debian wiki, where some ideas are posted. But it'll probably give you higher scores if you come up with something on your own. You might also want to read Planet Debian or the DPL vote platforms for some ideas on things to work on. And of course you can discuss them in our IRC channel or on the mailing lists, there is nothing to be kept secret!

Anyway, make sure you write a good proposal. We don't like copy&paste jobs. We want students who are serious about contributing to Debian, the opensource world and about learning how development on this scale works. That want to become an important member of the community. It's about you and the community, not so much about the project or the donation to Debian (we aren't good at spending money anyway, being a volunteer project).

Call me picky, but I'd actually like to be able to see my window contents.

I just tried Beryl from the official beryl repositories for Debian; and while it started fine, the window contents weren't redrawn. Also memory usage skyrocketed. It was totally unusable, I couldn't get Beryl to draw the window contents properly (and yes, I also tried a clean login into Beryl right away.)

I'll try tweaking it some more, but so far it's just not working at all.

[Update: after an upgrade to Xorg 7.2, beryl displays window contents. I'll give it another try. However my experience with compiz and beryl so far was rather disappointing: not worth the hassle. I also clarified above paragraph: it's beryl for Debian from the repos as beryl-project.org]

[Update: I can stand Beryl for at most 5 minutes... it has rendering artefacts with window shadows (so they are very common), and I consider most of the animations just to be pointless. Configurartion of Beryl is hell... I'm back to my trusty openbox which just totall gets out of my way and lets me do my work.]

Via Russel Coker.

A. Copy the list below to your own journal and

Bold the actions you are already taking
Underline the actions you plan to start taking
Italicize the actions that don't apply to you

B. Add one (or more) suggested action(s) of your own

C. Leave a comment here, so that she can track the meme to your journal, and copy your suggested action(s) back to my master list.

1. Replace standard incandescent light bulbs with compact fluorescent light bulbs - my room has a 12 W bulb. How much watts do you need for lighting?
2. Choose energy efficient appliances
3. Wash clothes in cold(er) water
4. Turn the thermostat of your hot water tank down to 50°C (125 °F)
5. Install a programmable thermostat (or turn the heat down over night and when you're out of the house) - it is often sufficient to have the heater go on at like 7 at night and 5 in the morning for an hour each
6. Register with the [Canadian Marketing Association's] Do Not Contact Service to reduce the amount of junk mail delivered to your house. - Substitute MPS.
7. Eat less meat (particularly feedlot beef) - it's a lot healthier anyway. I enjoy the occasional steak, but you actually enjoy any taste more if you have more variance
8. Walk, bike, carpool or take public transit as often as possible - I don't have a car. If I need to transport something big, I borrow one. I do my regular shopping via bicycle or public transit, which saves me looking for a parking space etc. anyway. Also note that when using public transit, you can work a bit, read a book, enjoy some music, ... and you arrive less stressed out than when driving a car.
9. Make sure you know what can be recycled in your area, and try to recycle as much household waste as possible
10. Compost using an outdoor compost bin or an indoor vermicomposter - at my parents
11. Clean or replace filters on your furnace and air conditioner
12. Buy local, organic or fair trade food where possible - tastes much better anyway
13. Reduce air travel - pity that long-distance trains suck in Australia
14. Wrap your water heater in an insulation blanket
15. Use a clothesline instead of a dryer whenever possible - don't own a clothes dryer, hanging up clothes inside near a heater works on cold days - you often can do without ironing, too, by hanging them on a clothes hanger for drying they'll often be reasonably straight. My washing mashine has a program helping at that, too. It uses 40 C and takes just about .8 kWh and is called "easy iron".
16. Plant a tree - pity my trees are dying because of the drought / climate change
17. Buy fresh foods instead of frozen - especially with meat I do really notice a better taste
18. Keep your car tuned up and your tires inflated to their optimal pressure - I don't have or need a car
19. Use biodegradable dishwashing liquid, laundry soap powder, etc. - causes less allergies
20. Drink tap water (filtered if necessary) rather than buying bottled water - our tap water here in Munich is better than bottled water anyway, and it saves you from carrying it, too.
21. Turn the tap off while brushing your teeth
22. Unplug seldom-used appliances and chargers for phones, cameras, etc., when you're not using them - consider to use a master switch for them
23. Plug air leeks and drafts around doors and windows with weatherstripping
24. Switch from disposable to reusable products: food and beverage containers, cups, plates, writing pens, razors, diapers, towels, shopping bags, etc. - especially shopping bags and beverage containers is easy
25. Consider garage sales, Freecycle, eBay, or borrowing from friends/family before buying a new tool or appliance - saves energy and money
26. Reuse bathwater, maybe to flush the loo, water the garden, etc.
27. Make sure your roof is well-insulated.
28. Always wear a jumper/sweater and socks indoors unless it's warm enough outdoors to go without both. - and turn down the heater a bit, it saves a lot of energy and money. Sweater and socks are quite comfortable...
29. Run your vehicle on biofuel/sustainable fuels
30. Set up a grey water barrel to use when clean water isn't necessary
31. Put grey water on your garden immediately without storing it.
32. Install tanks to collect rain-water from your roof for watering the garden, washing your car, etc. (at my parents; we also installed an overflow valve which will automatically redirect overflow water to plants that can always use more water)
33. Don't keep windows open when your heater is on - especially don't keep them half-open. If you want better air, turn off the heater and open the windows for a few minutes completely. This will quickly refersh the air in the room. Then close the window and turn the heater on again.
34. Turn off light that you don't need
35. Stop your engine when waiting more than 10 seconds - for example at train crossings; maybe doesn't apply to Diesel as much because it relies on a operating temperatrue, but I doubt it cools down that quickly
36. Install a solar panel on your roof for water heating - especially in summer or in sunny regions, this will allow you to completely turn off the heater during summer or even most of the year. A solar water heater will easily heat your water to 60 C (on hot days we reach 70 or 80 C), while even keeping your house a bit cooler). It can be installed yourself. At the same time, maybe add insulation to your pipes. If you minimize temperature loss over night, you'll even have warm water left in the morning.
37. Use air circulation for cooling - much cooling can be achieved by having a good air flow, wearing appropriate clothing and avoiding heavy work during the hot hours. Consider doing a siesta and work in the morning and evening
38. Ask your bank for an online-only account - some banks even offer lower fees if you don't use paper-based banking
39. Try to make more use of daylight - that's like free light, you know.
40. Walk and run more - it's healthy, saves you fitness club costs and it saves some energy if you are not using the lift. Walk to the supermarket or fitness club!
41. Use your local recreational facilities - there are probably nice parks nearby where you can go running, maybe some place to go climbing nearby, some pool, ...; this can be an interesting alternative to watching a movie, too
42. Use the refridgerator smartly - don't leave it open when not necessary, and keep the temperature only as low as you need it. Bring all your shopping into the house, sort it, and then open the refridgerator and put it all in in one go, for example.
43. Learn how to cook energy efficient - for example, if you plan ahead you can put frozen foods into the refridgerator to defrost at virtually no power cost. It's also better for the food. Use lids when boiling water; you can also use it often for cooking if you turn down the heat. For rice, I usually put on the lid, and when the water is boiling I can turn the heat off again. With the lid on, the rice will end up cooked just fine. Also pick an appropriate applicance. A real water cooker will be more power efficient for making your tea than putting a small pot on a large flame.

I've made a tiny update to DBus inspector, which works around the Tracker issue causing a segfault for many users (especially Ubuntu users, where Tracker seems to be part of a default install now?)

Anyway, it should be working with the Python DBus bindings from GIT, but since they aren't released yet (or in Debian), I've added a workaround. If any service containes "Tracker" and your python dbus version is at most 0.80.2, it will just skip this service.

I don't know if it's also Trackers fault that dbus-python segfaults.

Download DBus Inspector

Sorry, no homepage yet. Still waiting for repository and account creation on Gnome.org, which seems like a good home for it.

... ist jedenfalls die Forderung des "Ltd. Regierungsdirektor" an die Angestellten der Universität München:

Ich darf Sie bitten, verdächtig erscheinende Wahrnehmungen, die Rückschlüsse auf eine islamisch-fundamentalistische Haltung zulassen, unverzüglich hierher mitzuteilen.

Hallo? Gehts noch?

Artikel dazu bei der TAZ:

"Deswegen muss man sich anschauen, wenn jemand von T-Shirt und Jeans plötzlich zu Bart und Kaftan wechselt", so Riedl. Das könnte äßere Anzeichen einer inneren Radikalisierung" sein.

Das könnte aber auch ein ziemlich banaler Satz gewesen sein...

Sorry, aber jedes Jahr sterben mehr Menschen in Deutschland an den Folgen des Passivrauchens als Weltweit an Anschlägen von Islamisten.

Das größere Problem für unsere Freiheit und innere Sicherheit sind vielleicht unsere Innenminister wie Beckstein und andere Panikmacher, die derzeit auf einen Überwachungsstaat wie die DDR zusteuern.

Dell is doing a survey on their upcoming Linux offers. But "Debian" isn't on their shortlist of preinstalled Linux versions. There is an "other" option though we can use.

Please tell Dell that Debian is nice on the Desktop, too. It's not a server-only distribution...

P.S. Let me point out, that I'm running Debian on a Dell Inspiron.

I was the maintainer of minit for some time, and spent some time adding some runit-like functionality to minit I then called "enitdir". It worked similar to runit (IIRC, maybe it was a different init).

Basically you had a directory for each runlevel, which contained symlinks to all services supposed to be running. There is a symlink called "current" or something pointing to the current runlevel. enitdir monitored this symlink and the directories contents via dnotify, so it supposedly was both very fast and efficient at noticing changes there.

Switching runlevels was as easy as "ln -snf current foobar"; starting and stopping services worked by removing the symlinks in the current runlevel or manually calling minit (for non-persistent changes, restarts, etc.)

(I think I never uploaded a package with any of this, the minit packages remained really close to upstream. I intended to do a fork/rewrite named enit, but never got around to it. Many of my ideas are addressed by upstart.)

However this didn't solve some integration issues.

First of all, not all packages back then were using invoke-rc.d; this should be a lot better nowadays.

But the major issues lie within handling multiple inits on one system.

There is a hook that applications could use to prevent init scripts from running (which might be the answer to Wouters iniscripts post). It's called "policy-rc.d".

However there are some things wrong with this approach: it doesn't really support the installation of multiple inits or handles the problems of switching between inits in any way.

Basically, the moment we need to switch inits (and thus service startup/stopping behaviour!) is during reboot. While the old init is still running, any start/stop operations MUST still use the method appropriate for the current init system. Otherwise, major bugs can occur, especially with smarter init systems that respawn services.

E.g. the user runs "apt-get install sysvinit mysql-server". Lets assume sysvinit has a debconf prompt 'make me the default init' and the user says yes. Next mysql-server is upgraded, during which it calls the sysvinit way of stopping the service (i.e. /etc/init.d/mysql-sever stop), then does some dangerous things to the database, then restarts the server. However, a smart init such as minit (when equipped with appropriate service files) will notice the mysql-server process dying and immediately restart it (notified by kernel, efficient and fast) while the upgrade script is still messing with the database files. Boom, there goes your database.

I guess you got the point.

So we probably need a smarter invoke-rc.d script. It should support

• init detection - figure out which init is running, e.g. by comparing the inode of /proc/1/exe to the inode of /sbin/init.* (current init doesn't need to be named /sbin/init, but note that this magic might break on upgrades. Fallback to readlink(/proc/1/exe) maybe?)
• different init behaviours. The current policy-rc.d hook is pretty much a yes/no hook. Instead it should call the appropriate init-specific invoke tool.

Such an invoke tool could then for example look like this:

if [ -e "/etc/enit/service/$1" ]; then
    enitctl start $1
else
    /etc/init.d/$1 start
fi

You get the idea, having the policy script figure handle compability for services that don't have an appropriate service description for this init system yet. (Yes, s/start/$2/ or something, above is pretty dumb, but helps bringing my idea over).

There was just a mail to debian-devel-announce with the new release schedule.

Here's an excerpt:

N    =  1 Apr 2007:
       -1 RC bugs.  Release etch with an off-by-one bug.

Nah, just kidding. Damn. I should probably have saved that one for April 1st.

Actual N is:

N    =  2 Apr 2007:
        0 RC bugs.  Barring any problems that would cause us to need to
        re-roll the installer <knock on wood>, we should be ready to
        release.

In a short mail exchange with Kevin Mark, he coined the term "contribute.debian.net" (or .org). I really like this name, and the idea behind it:

Similar to packages.qa.debian.org/packagename, we create a platform trying to encourage people to contribute to Debian.

Stuff that should be listed here includes:

• Pending and missing translations
• Missing metadata (Homepage, Screenshots, support groups, alternatives, Debtags, ...)
• Open bug reports that 'need help' or are unhandled
• ...

Other views include the canonical translation views (DDTP/DDTSS) or the current TODO page (which is not very widely known, I think, and probably not updated very often either) and such tools, of course. Again, similar to packages.qa.debian.org, but with a focus on non-DD-contributors.

My favourite browser, epiphany, is installable in a new version from experimental. One of my biggest wishes was added:

By middle clicking on the "new tab" button, you can open the URL in your pastebuffer in a new tab. Much nicer than making a new tab, killing the location bar contents without losing the copy buffer and pasting the new URL, isn't it? And actual a very canonical behaviour.

[Update: I don't want to have my browser load an URL in the current window when I middle click on the text body. Because if I click on a link, it will instead open that link. If I click on a text field it will paste the link into the text field. Why the heck should it leave a page when I click on it? Adding a "new tab" button (there is plenty of space), and using it to open a new tab (with the context from the clipboards URL) is the sanest behaviour.

Of course there are still some things not perfect with Epiphany, but I don't miss Galeon anymore. And I had been using it since 1.0 or so, I even was the maintainer for it some time and added some functionality to it.

I like SmartBookmarks in Epiphany a lot, btw.]

Screenshot from liferea (experimental):

This is a search folder, searching for "erich" and removing a few common false positives (mostly "Bericht" = "report" and "Gericht" = "court").

So how did I über-read these three messages? :-)

Debian used to be the cool kid among Linux distributions. Because our stuff worked much better, was easy to install and especially to upgrade. Dependencies would be automatically resolved while others were fighting dependency chaos, and our menus would have all the apps in it, where others had to fill their menus on their own. And at the same time, Debian was very flexible and could be customized to become e.g. Knoppix. Our bugtracking was great and we were openly discussing bugs and all this stuff.

Many of these Debian achievements are now common among distributions. Especially among Debian-derived distributions. Debian however has become a reliable 'stable' distribution often even called 'stale', while others stand in the spotlight of innovation. Other distributions have come up with maybe more advanced bugtrackers (I'm not talking bugzilla, which IMHO is overengineered) and other tools.

Technically, this isn't completely true. There are still many fields where Debian is technically leading. But our focus has recently been a lot about individual packages or components (e.g. the installer). Maybe we should try focusing more on infrastructure again.

In fact, Debian still has some very good infrastructure components others might be lacking. Our QA tools (including bug counters, tracking which versions are affected by which bugs, all kinds of graphs, wotomae) are great. All our update-* commands are missing in many other distributions, also things like invoke-rc.d. We have a solid Python policy to support multiple Python versions and precompilation (judging from the SELinux policy, none of the other distributions has that yet). We're able to use dash as a minimal shell instead of bash in most places (which does make a speed and memory difference). We have Debtags.

But these projects don't play a key role in Debian anymore AFAICT. Trying to start a major infrastructure thing requires a LOT of engagement, maybe too much. I'd love to see better SELinux support in Debian, but I can't do it on my own, it's just too much. And I find it very hard to find people to help me with that effort. If Enrico hadn't been pushing Debtags again and again (and with a lot of code), it would also have gone stale. Despite being IMHO something that can take Debian on top again (making it a lot easier to find appropriate software). One of the reasons why Debian is still living pretty much outside is that it would be a huge effort to get maintainers to add the corresponding Tag information to their packages and so on. I've always balked at even trying that, fortunately Enrico got some tag information added via overrides to the Packages file already. Another thing that should have been happening within Debian (but happened at Ubuntu) is 'upstart'. There have been a couple of packages dealing with new init systems, but none ever managed to get support into other packages (nor is there any package in Debian with upstart support that I'm aware of).

Getting SELinux strict support into init ramdisks is another big thing I'm too scared of to even attempt... i.e. I doubt that I'll be able to do that on my own, yet even to get it into the actual packages...

DPL candidates: any ideas on how to be come more agile in such points (e.g. adding support to sysvinit+upstart+initng+runit to all packages with init scripts)? It took us already ages to get LSB headers added to many init scripts. Or on any of the other transitions we should do (SELinux support, Debtags, ...), or even why we've lost this flexibility?

The one idea I have for that is to try to do some hackfests. Like an init transition day, where a group of people tries to NMU most of the packages that have init scripts. Or adds "Homepage:" to most packages, which some important package metadata we only have on some packages. Or adding 'watch' files.

Some of these would be easier if we had a common way of packaging and a central SVN repository. That would make it both easier to prepare the transition (e.g. committing init scripts beforehand) or especially for adding Homepage metadata and watch files without actually interfering with the maintainers work by not doing an upload immedeately, but just adding them to SVN so the maintainer includes them on his next upload.

(Sorry, no comments enabled in my blog.)

P.S. another thing I'd really love to see is a (semantic) PackageWiki for Debian, that has a Wiki-like structure with a page for each (Source-) package. Including things like e.g. Screenshots, Homepage link, Link to the Freshmeat page of the package, support lists/groups ... Kind of like the QA pages, but for the actual users, and editable by visitors.

With the help of the great qa.debian.org developer overview pages (great tool, thank you Igor and all others who contributed. It keeps on getting better!), I found out that a NMU I did during a Munich BSP for sarge still lives (it was a simple 'recommends' removal NMU): html2wml was not changed since then. Popcon lists a few installations for this, there are no bugs open, but I wonder if the package is actually still working or useful. Or if we should keep it in the repository (it has not been orphaned; but it doesn't look like the maintainer has been active since 2003, I didn't check the MIA tools though).

I have a Debian wish for lenny:

• define and deploy a standard way of packaging software, that can be used for like 90% of packages. (It doesn't 'have' to be CDBS, it can be something 'better' for a reasonable definition of better. CDBS is the closest of the packaging tools I've tried so far, I've had single line package scripts with CDBS for many packages)
• Put the maintainer scripts into version control, it should be something with a central repository, but that of course allows maintainers to easily do a local branch. Especially for backports. Maybe SVN with SVK is okay.
• Use a standardized patch system along with a toolchain, quilt-like
• Link this patch management to upstream watching, so that patches applied upstream can automatically 'disappear'

Why do we really have to make a distinction between NMUs and maintainer uploads? I agree that we need to have someone (which can be a group) be responsible for packages and need to keep track of that to detect unmaintained packages (as well as to have someone track bug reports).

With this central repository, we could have NMUs committed to the packages directly, and make contribution easier in general.

For example, right now transations are usually added to a package via a bug report. The maintainer then needs to go through these bug reports (and some packages have so many open bugs I doubt the maintainer has a real overview over them; so he might easily miss some easy to fix ones), extract the patch and apply it to his package after review. With this central patch tracking system, the translators could just commit the translation change to the package directly, and it will end up in the next upload automatically.

(Note that I'm not trying to force all packages to be maintained this way. I agree that for some packages it's not really appropriate. In general it should be left to the maintainers discretion. However I guess many team-maintained packages are handled in a similar way already, and I'd like to use that for my packages as well, even when not having Co-Maintainers. I'm also aware that when fixing security issues, you might not want to make your changes world visible immediately. This can however be done using SVK if we end up using SVN, for example.)

Some rationale for this suggestion:

• Promotes team maintainance
• Offers another easy way of contribution (especially for sponsorees)
• Better change and version tracking
• Standard way of packaging makes NMUs and adoption easier
• Makes it easier to work on many packages when needed (e.g. new GCC version fixes, porters, translations, upstart support, SELinux support, Python, all kinds of transitions)

In fact I think that other distributions (e.g. *BSD ports, Gentoo?) are ahead of us in this respect, having a standard way of packaging and building things and keeping track of changes.

Anyway, just my € 0.02

[Yes, I'm aware that this was covered in the DPL debate, but IMHO the point of different packaging preferences falls a bit short, and probably needs to be addressed first, before being able to have a central VCS for all packages. Also I think we should be able to find a common VCS we can all live with, or at least 90% of packages.]

[And yes, I'm aware that this is a controversial topic that can easily start yet another flameware. But we need to find a way of keeping flamewars down anyway...]

München (Munich!) has a great swing scene - alive and kicking.

Lindy Hop [wikipedia], Balboa [wikipedia], Boogie Woogie [wikipedia] (~ East Coast Swing) and Rock'n'Roll [wikipedia] (the acrobatic version) all over the place.

Since starting dancing (RnR some years ago, Lindy a year ago, all just socially until about half a year where I took on the others as well and started going to some real trainings), they've become an essential part of my life that I wouldn't want to miss.

If you happen to come to Munich, here are some links for you:

• Swing and the City, the homepage of Christine von Scheidt, a world class dancer and trainer as well as judge in some contests gives Lindy Hop classes that are excellent.
• The Cord (Sonnenstraße, very central location in Munich) has a great metropolitan flair and a swing night every monday thursday, often with live music (which may or may not be great for dancing). Cat and Chris of 'Swing and the City' give teaser classes there, too.
• Salon Erna at Optimolwerke (near Ostbahnhof, also quite central, at the big party areal in Munich) is the home of Swing on Sunday. There is a beginners class as 19:30 with changing trainers and topic (usually Lindy Hop). While a bar like Cord, there are mostly dancers here.
• Swing it! is organizing social dancing events with livebands about once a month. Unfortunately, the previous location closed down (not due to Swing It, which got the place really crowded), but they'll hopefully find a new home soon. [Update: they're in Brickhouse now]
• Boogie-Bären is the dancing club I'm in. They have four Lindy Hop classes on Tuesday, two Balboa classes on thursday and Boogie Woogie classes on most days.
• Near Fürstenfeldbruck (north-west of Munich) there is the Tanzfabrik Überacker where Fabi and Gino will take good care of you; I learned a lot from them in their classes at Salon Erna. They got me addicted to Lindy Hop. :-)
• Keep on Swinging, is the home of Fabi and Chrissi. They are giving occasional workshops at the Tanzfabrik
• If you are at the university for some time, got to the University Sports Programm. It's exceptionally cheap (like 7.50 EUR for a term for a regular student), and that includes lots of sport offers, such as a Rock'n'Roll and Boogie Woogie class. Thats where I started dancing before going to Berkeley, discovering Lindy Hop there and continuing it in Munich later on.
• And of course World of Swing: Markus and Bärbel are very well known dancers and trainers. If you are into swing, you probably have seen or met them already. They are giving Balboa and Boogie Woogie-Classes and organizing large dance events such as Rock that Swing or the "Munich Balboa Weekend".
• In summer, there will hopefully be a weekly dance event in Hofgarten park again, at the Diana temple.

P.S. My personal favourites / recommendations: Go to Cord or Salon Erna to see how much fun the community is, then take classes with Swing and the City or Keep on Swinging.

[Update: this blog article is quite outdated. Please visit my Swing information site or Swing and the City for up to date information.]

Romain Francoise mentions Yahoo Pipes.

Well, I played with Yahoo pipes like one or two weeks ago; and while I was impressed with their Visio-Like UI, I was lacking pretty much all functionality I wanted to try...

My goal was simple: run a query on Google Blog Search (which will have the result available in RSS), and then grab all URLs out of that stream.

But I didn't find any 'filter' in Yahoo Pipes which allowed me to extract the URLs (or any part of the text, actually) from the blog entries. I don't want to remove whole result entries, but I just want to extract certain text chunks from their body... (there might be multiple, so the regexp module isn't an option either).

I could do that with Python in a few lines, actually.

Russel Coker explained how to generate a local policy module from the error log.

Note that this approach (audit2allow) suffers from the same problems that automatic policy learning suffers from (at least when not done very smartly). The generated policy will exactly cover the behaviour you had during logging; functionality that you didn't use is not covered, but misbehaviour that occured during this time is.

Thats basically why SELinux doesn't use this autolearning approach considered a "benefit" of AppArmor by some (as you've just seen, you can do that with SELinux, too).

So let me show you an alternate way: First of all, install the refpolicy-*-dev (from my experimental repository on alioth) or selinux-policy-refpolicy-dev (unstable) packages.

Next you'll need an audit error to fix, e.g.:

audit(1173577161.426:3436296): avc:  denied  { search } for  pid=23862 comm="amavisd-new" name="lib" dev=md2 ino=63745 scontext=system_u:system_r:amavis_t tcontext=system_u:object_r:var_lib_t tclass=dir

So that obviously is amavis trying to access /var/lib (you can verify this by checking that ino= is the inode number of this directory). Looking at /var/lib/amavis reveals that these files are labeled amavis_var_lib_t, so the amavis policy is lacking just this simple tweak.

While Russel's approach would work fine, I'll try to show how this would be fixed in the actual policy. The approach I use is documented somewhat in the README.Debian at least in my packages.

I'll create a file named amavisfix.te:

policy_module(amavisfix,1.0.0);
require {
        type amavis_t;
}
files_list_var_lib( amavis_t )

The name "files_list_var_lib" was looked up in the Refpolicy API documentation. Granted, it takes some time to get used to their naming scheme, but it's actually quite consistent.

Now I run

make -f /usr/share/selinux/refpolicy-strict/include/Makefile

Note that "files_list_var_lib" has an actual semantic meaning what the process is being granted; audit2allow lines are just technical representations of the access violations seen.

Some of the more advanced SELinux IDEs might be able to suggest you appropriate interfaces by looking at the audit errors; I havn't tried them yet.

Lindy Hop [wikipedia.de] ist ein cooler Swing-Tanz, einer der Vorläufer von Jive, Boogie und Rock'n'Roll. Seit ich Lindy Hop und Balboa entdeckt habe, sind sie zu einem wichtigen Bestandteil meines Lebens geworden...

In München gibt es eine recht aktive Szene im Swing-Bereich (also insbesondere Lindy Hop und Balboa [wikipedia.de]), hier ein paar Links für euch:

• Swing and the City bietet regelmäßig Lindy-Hop-Kurse an, die sehr empfehlenswert sind
• Das Cord in der Sonnenstraße hat ein cooles Großstadt-Flair und jeden Montag wird hier Swing gespielt. Regelmäßig mit Livemusik (die leider nicht immer optimal zum Tanzen ist :-) aber es sind ja auch viele nicht-tanzende Gäste da). Cat und Chris (von Swing and the City) geben dort um 20 Uhr einen Schnupperkurs in Swing/Lindy Hop
• Salon Erna in den Optimolwerken ist das Zuhause des Swing on Sunday. Auch hier gibt es um 19:30 einen Schnupperkurs mit wechselnden Trainern und Themen (Neubeginn/Trainerwechsel immer am ersten Sonntag im Monat; derzeit wird Lindy Hop gemacht). Obwohl das genauso eine Bar ist wie das Cord, ist hier vor allem tanzendes Publikum anwesend.
• Swing it! versucht regelmäßig Abende mit guten Livebands zu organisieren. Früher im Lotterleben, dann im C-Club, und sicher bald wieder irgendwo.
• Die Boogie-Bären, mein ehemaliger Verein, bieten Dienstags vier Lindy Hop-Kurse an, Donnerstags Balboa und natürlich Boogie Woogie (Anfänger: Teens+Twens: Mi bzw. GK1: Fr)
• Bei Fürstenfeldbruck werdet ihr in der Tanzfabrik Überacker von Fabi und Gino bestens betreut; von ihnen hab ich (im Salon Erna) sehr viel gelernt, sie waren meine ersten regelmäßigen Trainer
• Im Hochschulsport-Programm findet ihr einen Rock'n'Roll und Boogie Woogie Kurs. (Kostenlos, wenn ihr die normale ZHS-Marke habt, Donnerstags). Damit ging es damals bei mir los, bevor ich in den USA Lindy kennen lernte und diesen dann im Salon Erna weiterführte.
• Und natürlich nicht zuletzt: World of Swing: Markus und Bärbel sind weltweit bekannte Trainer und Tänzer. Sie geben regelmäßig Balboa und Boogie Woogie-Unterricht und organisieren Großveranstaltungen (Lindy/Boogie/Balboa) hier in München.

Nicht zu vergessen natürlich die ganzen Tanz-Camps in der ganzen Welt.

Meine persönlichen Favoriten (momentan): Schnupperkurs Montag abend im Cord oder im Salon Erna und dann einen Kurs bei Swing and the city oder den Workshop bei Keep on Swinging.

P.S. T-Shirts für Lindy & Bablboa-Tänzer.

[Update: Link zu Fabi&Chrissi eingebaut und zu ihrem Workshop]

[Update: alte Links entfernt.]

Fortunately, I rarely use my Google GMail account.

Because for about a month or so, I can't write replies in my preferred browser anymore. I can only guess it's due to some broken browser detection done by Google - my preferred browser is Epiphany, and uses XulRunner. So it's the same engine as my Firefox, and I can write replies with Firefox (but the Firefox UI is not as nice as Epiphanys, and it uses more memory).

(Well, almost. Epiphany is Gecko/20070209, whereas Firefox is Gecko/20070208. So either some change in this one day breaks GMail, or Google broke it themselves with some stupid browser detection; many people still think it's sufficient to check for 'Firefox' to detect all non-IE users. Please use the engine ID, that is Gecko.)

Anyway: if I'd be a heavy Google Mail user, that would be a desaster for me. Broken for a month now and counting!

Fortunately, I don't rely on that friggin' Ajax stuff; I can either use the standard HTML version of GMail or use Firefox. I'd just like to emphasize that Ajax apps break much easier, and your users might be unhappy about that. Ajax is far from perfect, but an ugly hack.

Don't overuse it.

[Update: I fixed my GMail issues by switching the language to German and back to English. Weird, huh?]

I have not been active with SELinux recently. I was seriously lacking motivation, and recently the old server I was using to test my SELinux stuff died because of a hardware failure.

But these days I installed vmware, and in order to try it out, I decided to install a SELinux Debian etch system. Then I also updated my policy packages.

I actually did quite some progress on the packages; I not only merged the latest upstream SVN version, I also fixed a couple of Debian policy issues (or worked around them), and added some new functionality.

First of all, I extended the update tool (now called update-selinux-policy). It will not only install the current version of each module, but also rerun autodetection and install additional modules if you added software in the meantime (it won't do the relabeling for you, though). This should make system administration a lot easier.

The packages now come with a -dev companion, which includes the interface files. The README.Debian file details how you can use this to build a custom policy module, and the policygentool included will actually generate a template for you. This should make the development of policy modules a lot easier.

Grab the policy packages from my experimental refpolicy directory.

Note: while they share the "refpolicy" source name with the packages in Debian main, they are packaged independently. Manoj is maintaining the official packages, and I never learned how his Makefiles work, so I'm sticking to my own packaging for my development stuff.

Oh, and for me they don't work in enforcing strict mode at boot yet. Policy is still incomplete for Debian (but down to ~25 audit errors). Targeted mode works in enforcing at boot time. The main issue seems to be the way Debians init ramdisk is working and the /dev directory is populated.

But maybe I can host a SELinux-enabled basic vmware image somewhere you could use for cloning yourself SELinux servers as needed.

I don't think I'll keep the packages updated frequently, sorry, and I don't think I'll have time to get enforcing working for strict, either. :-(

Now that VMWare is actually working for me, I tried the GUI installer of Debian 'etch'; not that the installation in VMWare hasn't been tested often enough...

I intend to use the VM for some SELinux tests; the server I was running SELinux on has died recently (likely a bad power supply), so I currently don't have any current SELinux system left. (I can probably still use rjc's SELinux test box, though).

Anyway, I must say that I'm quite impressed with the GUI installer. It looks serious (not this wannabe-cool look that Vista has), but still welcoming and features the Debian colors. I like it.

Fonts are good, smooth but crisp. Unlike the fonts of Vista, which were heavily blurred (did they stop using hinting?)

Now we just need to get 'etch' released...

I tried to setup VMWare today, to be able to have some virtual machines to test random stuff.

My laptop only has a small HD, so I want to have all the VM stuff on my huge external USB drive. Also I only use them occasionally, so that pretty much rules out Xen. So I decided to give VMWare a try.

VMWare has always been a desaster installation-wise. It took me like 5 runs to get it installed properly; you need to apply some patches or it won't work with current kernels etc. After these tries it had installed without any further error messages and the GUI also came up easily.

However none of the VMs I created did anything; apparently they're supposed to at least show some BIOS like screen. Instead I only get the error message "Unable to change virtual machine power state: The process exited with an error: End of error message."

And of course it doesn't tell me which process or anything else that could help debugging it.

Shutdown also doesn't work properly - stopping vmware leaves a vmware-serverd process running that needs to be killed with -9.

As usual, commercial software is totally disappointing.

[Update: so neither the vmmon shipped with VMWare nor the one from vmware-any-any-update108 worked; keep your eyes open for update109. I managed to patch vmmon myself, in include/compat_kernel.h move the if/else part up to the front, as it is in update108.]

I just uploaded a minor update of Pyroman to unstable and the pyroman download page on alioth. I added support for a complete interface wildcard, and added example configuration files for a single-host setup.

Pyroman is a firewall configuration tool I wrote for managing the firewall of a small network consisting of four zones and servers with a dozen different tasks. It plays very well in setups with DMZ, wireless networks, intranet etc. and all kinds of different services.

Key benefits are the very simple syntax, safeguards (extensive syntax checks, rollback on failure, safety timeout option for remote administration), scriptability in python and high performance, since it does not run dozens of iptables commands, but generates a script file for iptables-restore.

For more benefits, see the pyroman homepage.

The next version will probably feature an XML syntax additionally; while the current Python syntax is very powerful and readable, it's pretty much impossible to write a GUI for editing the policy when written this way.

That's why I'd like to add an XML syntax (that can be intermixed with Python statements, but only the XML-defined parts will be editable in the GUI) that supports the key parts of configuration (if you want the rules to be generated on the fly from some database or whatever, you'll still be able to do that in Python!): making it easier to write a GUI for it.