UPDATE: the bug is already fixed after a few hours, and only affected a minority of users (of a now deprecated, experimental option in the 'unstable' distribution, and only users that rebooted with the affected version).

The sysvinit version that hit unstable today has a grave bug if you have been running "startpar" or maybe "shell" style parallel booting. Read this bug report, if you have been using these (they were not enabled by default, so unless you've been giving parallel boot a try before, you should be ok.)

How to check if you are affected:

grep CONCURRENCY /etc/default/rcS

The workaround is as simple: just put either "none" or "makefile" in there, these are the only two values that are still distinct.

How to recover a broken system:

1. Boot recovery mode aka "single-user". At some point you should be asked for the root password. Login.
2. Run mount -o remount,rw / to enable write mode on your disk.
3. $EDITOR /etc/default/rcS and change the value of "CUNCURRENCY"
4. reboot

I can only confirm that changing "startpar" to "none" helped me. I havn't tried "makefile" yet, and "none" seemed more likely to fix things.

Unless someone drops in as new maintainer, I'll file for removal of ModLogAn from Debian soon.

The software has been abandoned upstream for, well, a couple of years. It still works okayish (just the patterns need refreshing), and in fact I'm still running it. But there is plenty of software to replace it, and it seems as if many people go the Google Analytics way today.

Please speak up quickly if you care about ModLogAn, otherwise it's gone from Debian soon.

It seems that Sun doesn't care much about getting bugs fixed in Java.

This bug for example causes rendering artifacts in Apache Batik, and is very visible with many SVG files. It causes circles to be rendered as approximated diamonds. It has been reported 9 years ago (the first time, there duplicates).

I understand that there are both more important bugs, and that one must avoid introducing new bugs when fixing bugs. But there should be little dependencies on a broken circle rendering routine, so please just fix this cosmetic bug, too. One of the reports is even staged "Fix understood" ...

A more important issue with Sun Java (known since 2005) is this bug, which effectively breaks Java IPv4 networking on Debian unstable now (which recently changed the IPv6-to-IPv4 fallback behaviour). So far, Sun has rated this as "request for enhancement". WTF?

Sure, you can work around the bug easily - change /etc/sysctl.d/bindv6only.conf to use the value of 0 instead to re-enable IPv4 fallback - but after all, IPv4 networking is pretty much an essential Java feature.

Enigma is a great game, with a unique mixture of puzzles with mouse skills and action. If you know the discontinued game Oxyd originally on the Atari ST in the 90s (also on Amiga and one version on DOS), then you know the principle of Enigma. Except that it has tons of more levels and is Open Source.

Some weeks ago, I uploaded a 1.10 pre-release (approximately milestone 5) to Debian experimental. This is the soon-to-be-released new version, using a new level file format (with a much extended API to make level development even easier, ~50% less code per level now), new levels (of course), updated graphics (including support for new graphics modes), ...

Unstable still contains version 1.01; the reason is simple that I knew there would be another 1.01 maintainance release coming. However I believe it doesn't offer much against the current unstable version; it largely marks an upstream release containing patches already in the Debian package (since communication with upstream is really good).

So I have now two choices: refreshing the Debian unstable package to the "probably last" 1.01 release upstream, or going straight for the 1.10 milestones to give enigma some extra testing.

Somehow, I'm still lacking the optimal media player application. Many popular ones are totally overloaded (e.g. amarok). Others like totem seems to be just a minimalistic frontend for a particular backend.

My current choice:

• Single-shot playback: to view a random song or video I usually open them with Totem (the GNOME default) and that works okay
• Library: I use MPD as player because it just seems to be rock stable. As UI I currently use Sonata, but I don't use it for much more than choosing a song from the currentl playlist.
• Editing: ExFalso seems to have the best ID3v4 support, in particular it also allows multiple genre fields. (Note that Vorbis even suggests you should use multiple artist fields instead of the common "Arist A & Artist B" way of filling the fields)

However, there is one thing I'm really not satisfied with: when putting together a CD compilation for friends (say, as Christmas present), they are quite useless. A key issue here is the total playlist length. Guess what, I want to make sure it fits on a single CD. So I really need to know the total playlist length. Why do so many media players (e.g. totem, alsa-player-gtk, xfmedia4, vlc, mplayer, ...) not show you the total playlist length? They did read all the files to get artist and title. Many even have the individual song lengths, just not the total sum.

In the past I've been using old XMMS1 to check for the total length, or a CD burning application like K3B by repeatedly importing my current folder.

Right now, I'm using Quod Libet (since I like the tag-editing component exfalso a lot) to arrange the playlist. It also gives me the total length, albeit I belive I've had incorrect song lengths in it before (broken VBR files?), and it's not perfect, too: being database-driven it has really long startup times for occasional users (because of updating the database) and is much more heavyweight. I also believe I've lost some playlists because I had moved my files around once ... so I'm a bit sceptical.

Anyway, there are still hundreds of media players I havn't looked at. Don't bother me to send me an email about one I havn't mentioned!

But if you are developing a media player, please consider the use case of putting together a music CD for your friends. In particular, for users that do not use your player all day.

I'd like to make pyroman IPv6 capable. That is actually the one big thing before calling it a version "1.0".

I must admit that I havn't been very active on Pyroman (or Debian in general) the last years. This goes even so far as that "pyroman" was considered "abandoned" by Fedora or so. It is not; I use it on all my servers. It's still in use at the network I developed it for (after all there is not that much benefit for a workstation setup, where a 10 line iptables script will do the job just perfectly.).

Anyway, I'd like to get IPv6 support into pyroman, but there is one big issue here: I don't have any machine using IPv6, so I havn't used ip6tables myself yet, so I don't know about all the magic involved ...

So if you use IPv6, it would be very cool if someone would jump in to get full IPv6 support into pyroman. Madduck had already done some preliminary stuff, but I didn't get around to have a look at the integration or completeness yet.

The '--no-act' and '--print' modes of pyroman should even allow development without any IPv6 support or root permissions in the system.

Other things remaining on my pyroman wishlist:

• Fully automatic iptables firewall visualization
• Keeping traffic counters over firewall reloads
• Configuration UI
• A fancy 'arsonist' icon and a web page design

These days, something happened to one of my external USB drives that I so far only knew from ReiserFS (which I since called ReisswolFS, German word play on "shredder" ...). But, it's not ext3 which I blame.

Short story what happened:

• Resumed the system from 'suspend'.
• I copied some files onto the first file system.
• I copied the same files to a second external disk (dual backup...)
• I copied some files from the first disk, which caused an access-beyond-end-of-disk, mounting the filesystem read only
• Unmounted the filesystem, started e2fsck
• Started copying the files from the secondary filesystem
• Got the same error on the second disk.
• Cancelled e2fsck doing more damage to the first disk.
• Shutdown and reboot
• Memcheck, three iterations. Nothing.
• Checked second disk, no errors in filesystem (!), copied the files I had issues accessing just fine.
• Filesystem on disk #1 seriously trashed.
• Had ext2fsck try to recover filesystem on disk #1
• Pretty much all data on disk #1 is now in lost+found, it seems as if all major folders were corrupted. Lots of corrupted file entries (character devices with random permissions and numbers) there, too.

• Reformat disk #1, and restore it from the other backup (Extra backup for teh win! I also have a 3rd copy of about 2 months ago off-site)

As you can see, something was wrong with the system, not with the file system.

I have a strong suspect to have caused this. In case you wondered why I included "resumed from suspend" above: I've been having system stability issues with resume ever since upgrading to the Intel driver 2.9.0 and KMS (Debian unstable+testing) with kernels up to 2.6.31. In about 1 out of 5 resumes, I get a Xorg or system lockup after anything from 1 to 60 minutes. Sometimes I also experience video corruption after a few minutes, trashing some terminal emulation until the next redraw. Just before writing this email I had a typical lockup: when scrolling the terminal emulator. This has been a typical trigger for lockups. On contrast I havn't seen any such crashes (or screen corruption) on a fresh boot.

Freedesktop bug reporting the same issue closed as "not our bug, blame it on the kernel".

Note that 2.6.32 release candidate Changelog contain many changes for the intel DRI kernel driver. So the bug might already be fixed in the RC kernels.

Same report in Kernel Bugzilla is still 'NEW' though.

Related bug report in Debian, blaming it on KMS.

[Update: I've disabled KMS and upgraded to 2.6.32-rc8 and not had such a crash since. But I can't pinpoint it to one or the other yet.]

[Update: just tried another external harddisk ...

[305032.148616] EXT3-fs: mounted filesystem with ordered data mode.
[305066.061708] usb 1-8.3.3: reset high speed USB device using ehci_hcd and address 27
[305081.132471] usb 1-8.3.3: device descriptor read/64, error -110
...
[305147.468857] sd 4:0:0:0: Device offlined - not ready after error recovery
[305147.468880] sd 4:0:0:0: [sdb] Unhandled error code
[305147.468886] sd 4:0:0:0: [sdb] Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
...
[305147.473500] WARNING: at /build/buildd-linux-2.6_2.6.32~rc8-1~experimental.1-i386-g1b8iG/linux-2.6-2.6.32~rc8/debian/build/source_i386_none/fs/buffer.c:1159 mark_buffer_dirty+0x20/0x7a()

Just a short reminder that the application phase for the Google Summer of Code 2009 is running.

So far, we have quite few applications. Deadline is April 3rd, 19:00 UTC. Usually applications arrive rather late, but still I have the impression that we have much less than the previous years. But less copy & paste, too.

If you are interested in doing a GSoC project at Debian:

• Check the Debian Wiki which has all kind of relevant information.
• Talk to Debian people
• Make sure it's related to Debian (and not just "runs on Linux")
• Talk to Debian people
• Make sure your application shows your genuine interest and has some original ideas, copy & paste will not be sufficient
• Talk to Debian people

P.S. as far as I can tell, current Debian Developers can be eligible as well, although it has also always been a goal of the project to get new contributors involved.

Congratulations to all developers (DDs or not, we have sponsored uploads, Debian contributors and such, too!) who contributed to the release of Debian GNU/Linux "lenny" 5.0. I must admit that I've been largely inactive recently, I just managed to keep the bugs on my remaining packages low. Funnily, just the day lenny was released I learned about a bug in Enigma on AMD64 that is probably worth fixing through proposed updates ...

... is almost as bad as ever before.

On my Core 1 Duo system (32 bit), official Adobe Flash crashes my browser when I close a tab which had a Flash plugin running. Going to a blank page then closing the tab usually helps, but it seems that sometimes Flash continues to run in the background (sound doesn't stop either) and then will still crash.

On my AMD64 system, the official Adobe plugin crashes my browser. There are reports at Adobe that link it to Gmail. So here, the Adobe flash is unusable. The 32 bit version via nspluginwrapper did not have sound for me, probably some issue with Pulseaudio.

So I'm now trying out Gnash. First thing I noticed: it has FlashBlock built in, all those stupid Flash things won't auto-run but I'll always have the nice play button to enable them when I want them to run. And while Gnash is working pretty well on most sites, every now and then something just does not work. Like some YouTube movies not playing (usually very short ones - maybe it will only start playing a video when the buffer was completely filled, and a video which is smaller than the buffer will thus not play?) etc.

Some wishlist items:

• Add a 'auto run whitelist' to Gnash, when I go to YouTube I usually want to actually run the video.
• Provide some 'fall through' option, so if the Flash doesn't work right in Gnash I can pass it on to the Adobe plugin if I really need to.

Since it took me more than one hour to figure out (and the documentation wasn't too helpful), here's how to enumerate audio devices in GStreamer:

import gst
sink=gst.element_factory_make("pulsesink","mysink")
sink.probe_property_name("device")
devs = sink.probe_get_values_name("device")

Can anybody point me to a beginners tutorial for running PyGTK on OS X?

I've written this little BPM tap program in PyGTK, that gives you a speed plot and confidence interval, works well for me.

A friend of mine would like to use it, but is running OS X, and doesn't know much about computers. I know next to nothing about OS X. I know it already has Python2.5 installed, and that's about it.

So anyone got a tutorial that doesn't require previous knowlege about using fink, ports or whatever? Something that I can point a real novice user to?

Via email please, my blog intentionally doesn't have comments. Erich AT Debian DOT org.

[Update: so far, I've only had requests about my bpm toy and about the same kind of instructions, but no links to refer people to...]

Due to their implementation by erasure, they face certain limitations.

For example, the following constructor for a class with both compile time and runtime type checking:

class BagOf<T> {
  BagOf(Class<T> restrictionClass);
}

class BagOf<T> {
  BagOf(Class<?> restrictionClass);
}

The cost is low (obviously no difference at runtime) - you just don't assert that the developer using your class specifies a restriction class derived from the class T used in the generics. That won't prevent certain programming errors such as this anymore

BagOf<Integer> bar = BagOf<Integer>(Double.class)

Before submitting too clever suggestions, please make sure you've tested them. For example "if (obj instanceof T)" is not valid java code: since generics are implemented by erasure, T cannot be referenced in runtime statements.

P.S. It would obviously be nice if the Java syntax would allow Foo<Bar>.class (which at runtime would be the same as Foo.class, and at complie time would have the result type Class<Foo<Bar>>), but currently it does not for all I know.

P.P.S. I'm not looking for "Class<? extends T>", that is a different situation. The difficult case is when T is a Generic itself, not a subclass.

Update: JM Ibanez pointed me to Neal Gafter's Super Type Tokens, which apparently are the same as TypeLiteral in Google Guice. Thanks!

... might be due to a bug in Sun Java 6. Try upgrading to Java 6 Update 10 release candidate (also known as 'beta') or using a different Java VM such as IBMs or GNU. Worked for me.

Bug reported in Feb 2008 and Bug reported in Oct 2008 at Sun (note: they are marked as 'fix delivered' but that includes beta releases such as the 6u10RC linked above.

From Roderich Schupp I received the following instructions:

cp /usr/share/doc/hal/examples/10-x11-input.fdi /etc/hal/fdi/policy/

And in order to set a default keymap:

<deviceinfo version="0.2">
  <device>
    <match key="input.xkb.rules" contains="base">
      <merge key="input.xkb.layout" type="string">de</merge>
      <merge key="input.xkb.variant" type="string">nodeadkeys</merge>
    </match>
  </device>
</deviceinfo>

Thank you, I'm going to try that on my next reboot (which may take a week).

Xorg 1.4 in experimental is supposed to have input device hotplugging.

Does anyone have a Howto for Debian? I tried it, but I couldn't get it to hot-plug my USB mouse, so I'm back to using the regular mouse driver for it again, using the /dev/input/mice in-kernel-hack for hotplugging.

P.S. on a recent kernel, you might want to add

blacklist snd_pcsp

P.S. No, my blog doesn't have comments. Just send me an email (you know, 'legacy' email) via erich AT debian org.

As mentioned earlier, I've uploaded a new Pyroman release to Debian. I've also updated the download at the download page on alioth for the non-Debian users.

There is just one single user-visible change (under the hood I switched some Python API so you need python 2.4+ now, which was available in sarge already):

This version has a new command line option, "--verification-cmd". This can be used to point to a script file to verify network connectivity. For example, you could try to send a ping to the next router, or you could ssh to another host, have it ssh back and touch a flag file in /tmp to signal success.

Similar to the --safe option, it is meant as a safety feature to avoid locking yourself out of your system. But while --safe needs to be used interactively, this new command could be used when automatically activating new firewall rules, e.g. triggered by cfengine or some other configuration management. If the verification command does not succeed, the firewall rules will automatically be rolled back to the previous state.

Note that I didn't get around to add IPv6 support yet. It would definitely be desirable to add ip6tables support, but I currently do not have any experience with IPv6, so I'm not sure I'd know how to do things right. Of course I'd welcome any patches.

(In case you havn't read about pyroman yet - it's yet another tool to configure iptables firewalls. It puts a thin abstraction layer on top of iptables, but the main benefit is that it uses "iptables-restore" to quickly mass-set all the firewall rules - other tools tend to invoke several hundred iptables processes to achieve the same - and if any error occurs it will both give you a clear indication of which rule caused the error and rolling back your firewall to the previous state.)

Today, I uploaded a new version of my firewall configuration tool, pyroman, to Debian unstable.

About 4 hours later I googled for "Pyroman Debian" and was surprised to find the upload notification in the top results. The first hour of this was probably spent with me doing some package function tests (I don't want to upload broken packages, after all), then the announcement was distributed to the -changes mailing list at Debian, which in turn was picked up by Google Groups.

However that might be due to groups.google.com getting special treatment, though. For this resource, Google can actually trigger an update instead of having to have a spider frequently re-crawl all the contents.

Still I find it pretty impressive to have such new data already in their main index. I was used to this e.g. for blog and news search, but not for regular web search.

Since development kernels 2.6.26-rc*, the iwlwifi drivers (iwl3945, iwl4965) have LED support. While LED support is nice to have (making it easy to see when the wireless connection is available), the blinking of the LED whenever there is data transmitted is annoying.

In most networks, there is a constant chatter on the net. Windows server browsing and announcing, Zeroconf/Bonjour announcements, Printer discovery. When you're using some instant messaging or chat such as IRC there is some data transmitted all the time. Your email program might be polling for new emails, and your weather applet might be fecthing the latest forecasts. So basically, there always is ome network traffic. Often in the range of less than 1k/s, but there is.

The new iwlwifi drivers don't flicker the LED with each packet received, but apparently will just set the LED to a blink mode when they received or transmitted some data, which if find rather irritating.

Fortunately, this can easily be configured in Linux, just save this script in /etc/network/if-up.d/iwl-no-blink and make it executable:

#!/bin/sh
if [ "$IFACE" = "wlan0" ]; then
	for dir in /sys/class/leds/iwl-phy*X; do
		echo none > $dir/trigger
	done
fi

This is a quick hack, but it does the job well for me - when the device is connected it will stop blinking on data. It will still blink when connecting (leds:iwl-phy*:assoc) and indicate if the connection is available (leds:iwl-phy*:radio).

GNOME has reacted and removed all blacklisted SSH keys from their authorized_keys, which is the minimum you should do to ensure safety.

For all I know, sourceforge.net has not yet done so (I didn't check if I could have logged in with my old key, though - maybe they installed the blacklist in the SSH server, not touching the users' keys; there is no blacklist in /etc/ssh though). authorized_keys files are world-readable, so I can login at sourceforge and read other users' authorized_keys. With this approach I believe you could hack dozens of SSH accounts on Sourceforge within a few hours, without having to employ brute-force.

These keys could then be used in turn to inject backdoors and/or trojans into other OpenSource projects (where at least one developer with write access did use a vulnerable key).

If you were affected by the Debian OpenSSL bug, please replace your SourceForge key as soon as possible. Please verify any commits made on SourceForge until they've taken appropriate measures to block bad keys.

SourceForge and other operators of such platforms should install blacklists NOW, and remove any vulnerable keys from their databases.

Let me just point out, that the consequences affect all users of SSH. Therefore IMHO all other Linux and BSD distributions need to release a security update to OpenSSH as well, to prevent the use of insecure (too common) keys, because it threatens the security of their systems as well!

Apparently, there are only about 2^15 different keys generated by the SSH versions shipped with Debian for 2 years. It's really surprising that noone noticed this earler. This is just about 32767 different keys. (For each type, size and endianess, but that still makes this number much much much too low) The weakness is caused by a bad random number generator in the Debian package.

Hackers have already generated all these 32767 different keys, for two key lengths and types. In a few hours, they'll also have generated all the 4096 bit keys that could have been generated. Other key lengths are uncommon and sometimes might even be unsupported. Most people use keys with length 1024 or 2048.

So we now have about 32767 keys which are used by lots of Debian and Ubuntu users. That's not very much. Now you have to realize how the keys are used:

The key is used to log into a system without a password. Sometimes a key is protected with a passphrase (you really should do that), but this doesn't help here, because an unencrypted clone of the key was already generated.

Sometimes (or let me even claim 'often') one such key is also used to login as root into a server. This is equivalent to just 32767 different passwords being used as root passwords. So with about this number of tries, an attacker might be able to log into your server as 'root'!

Now the weakness is 'distributed' by the users, it's not just a server-side vulnerability. If your server is running e.g. RedHat, it doesn't mean it is secure!.

In fact, if your server is running Debian and you installed the Debian security update for openssh, it will be much more secure than the RedHat server. Because the Debian server has a blacklist of keys that are too common. The other-Linux server who doesn't have this blacklist doesn't know that a certain 'weak' key is not trustworthy.

Fixing the bad key-generation is just half of the deal. "Recalling" all the keys in use out there is the big challenge, that affects all systems using SSH (and to a different extend, SSL). The most reliable way is if all other distributions would release a security update as well, which refuses to accept the keys that were generated by vulnerable Debian systems.

Let me just repeat it in other words: Any Linux/Unix/*BSD system is vulnerable that grants access to a key that was generated on an affected Debian or Ubuntu system. (Until the system has a reliable detection method of such weak keys.) Keys are usually generated on the users workstation, so if any of your users is or was potentially running Debian or Ubuntu ... you get the idea.

Note that if you are not careful, you might lock yourself out from your server. If you don't have or remember the password, installing the security update might disable your login key. So if your key is bad, make sure to generate a new, secure key and distribute it ASAP. Also remove any vulnerable key ASAP; remember that hackers now have a list of all possible keys and could use that to brute-force login.

P.S. Since some people still don't seem to get the consequences in full: The bigger problem is to remove are the weak keys, not to fix the broken library. The weak keys (especially in the form of public keys!) can live on tons of other systems, not just on Debian and Ubuntu. This is why TOR also released a security update and e.g. CACert urges non-Debian distributors to also ship and use the blacklists of known weak keys. Also note that not all keys that can be considered compromised can be detected this easily. If you've been using a DSA key on an affected system - even when it was created on a different system - it is to be considered compromised.

I've read some more about this and especially had a look at some of the source code, so I've completely revised this blog post.

There is no doubt that the Debian Maintainer who added this patch screwed up, seriously. But he's not the only one to blame:

• OpenSSL isn't valgrind-clean. It should be made, since valgrind is a very important debugging tool; the bad patch was introduced to make OpenSSL better in this respect due to the request by the users.
• The OpenSSL source code could be better documented in these places.
• There are two instances of this line in OpenSSL which can both generate the 'using uninitialized data' warning. One is safe to remove (it's supposed to fill the buffer with random data, and just uses the existing contents as additional source of randomness), the other is not (it's used to feed randomness coming from e.g. /dev/random into the pool).
• The Debian maintainer received the reply "if it helps with debugging, I'm in favour of removing them" by one of the current OpenSSL devs on the openssl-dev mailing list. Probably just referring to the 'safe one' of the two locations where this occurs, though?
• Nobody noticed the severity of this change for more than 2 years. We're all to blame.

I'm really sick of hearing comments like "Still, whoever took out the entire initialization should not be trusted with security intensive code." (guest comment on LWN). Yes, he screwed up there. But you bet he's going to be a lot more careful with any change in the future: he has learned his lesson. Better than having someone else screw up in a similar way again. And actually he didn't do this change half as easy-hearted as many people suggest, if you look at the discussions on the bug report and mailing lists. He was trying to fix the valgrind bug, and he talked to several people on how to do it properly.

The best way the bug could have been avoided was if the OpenSSL upstream developers had cared more about the valgrind issue themselves. (E.g. by teaching valgrind to ignore the issue, documenting in the source code why this is intentional and not an issue, ...)

P.S. in the previous version of this blog post I had asked why OpenSSL apparently relies on uninitialized data for security. It doesn't; the same lines exist in two places, and it's the other change that caused the problems. One place will 'usually' generate the warning, and it's not important (that's the place where you could just remove the line). The other place will generate the same warning when someone passes uninitialized data into the RNG. As long as the RNG is sufficiently seeded with other random data that isn't much of a problem. So if you take a buffer of 1024 bytes and fill it with 1000 bytes of good random data (e.g. from a hardware randomness source) and feed the whole buffer to the RNG, it will be seeded quite well, but the warning will be generated. The 24 uninitizialized bytes won't take the entropy away.

(This blog does intentionally not have a comment function. Sorry.)

Since I didn't find a similar tool for Linux, I've hacked together a tiny tool to do BPM counting. The usual stuff: tap any key with the music to get a BPM estimation. There is no music analysis done.

To achieve better results, my tool uses an exponentially weighted average. It also computes a confidence interval. So if the song changes tempo (and quite some jazz songs do) or doesn't keep the tempo constantly (live music with human drummers often shows some tempo drift. It's just the drum computers that keep their speed very well...) - the tool can handle that quite well, while also not being overly sensitive to tapping errors (as you can see in the image).

I figure there might be even better estimation tricks (e.g. doing some error detection and removing them), but this one was just very simple to implement. And by looking at the graph and the error interval it's quite easy to check that you didn't any recent mistakes and the result is okay.

The Python code is about 158 lines SLOC, and a small UI description generated with Glade. It's built with PyGTK and uses Cairo for the plots, so it should be very platform independant and even run on Windows.

Download will be available sometime when I get around to clean it up a little. There is for example still the code in there to compute plain averages, which can't handle songs with multiple tempos at all.

[Update: it now also has a tiny 'flasher' icon that will show you the current tempo estimation. This is great for checking the quality of the result - if it keeps on flashing in sync with the music after you've stopped tapping, it's good. I was also pointed to GNU GTick which is a full featured metronome application and also has a tap button.]

Any ALSA experts around that can help me with the following setup?

I want to create a virtual device that does the following: - send the audio data to my regular onboard sound devices - when I plug in some USB audio device, send it there as well OR just there

The difficult part is the plugging part. There is an example in the Wiki how to use two cards as one. This works, but only if the USB audio device was plugged in before starting the audio application and it is not unplugged either.

Obviously, switching the configuration files on plug events is another possibility, but again this requires applications to be restarted. :-(

What I want to achieve is simple: when I plug in the USB device, I want to switch my music playback there (since it will be connected to my stereo). System events, voice calls etc. however should remain on the system audio.

If you have any solution, please send me an email at erich AT debian DOT org.

(And yes, I know about PulseAudio, and I use it. But only on top of ALSA)

The Summer of Code wiki page in the Debian Wiki has been updated with an overview of the projects that made the race for the 13 slots we have.

A separate press release (containing a short paragraph on what each project is about) is in preparation and will be out soonish.

We've received another of the last minute slots (thanks to those organizations which returned some of their assigned slots) to a total of 13 this year.

We have received some very good application, and we'll be able to fill these 13 slots easily with very good applications working on a variety of topics.

The results will be published on Monday, since there may still be minor changes in which students are accepted or who didn't make it to the top slots.

Google Summer of Code 2008

If you are writing free software, choose your license appropriately. This can make a big difference with respect to adoption of your software.

I'll just show you an excerpt from a Debian changelog:

* DFSG version of Mono 1.9
  + Deleted the mcs/class/System.Web.Extensions/ directory as
    mcs/class/System.Web.Extensions/System.Web.Script.Serialization/JSON/*.cs
    is licensed under Creative Commons Attribution 2.5 which is not
    DFSG-free.

Debian policy doesn't allow us to include Creative Commons Attribution 2.5 in the main Debian archive, since that license doesn't meet the Debian Free Software Guidelines, which are part of our social contract. Therefore we must and will remove such code.

debian-legal summary for "main" Creative Commons licenses

Creative Commons is aware of these issues:

Creative Commons recommends and uses free and open source licenses for software.

Creative Commons even includes "wrappers" for common licenses: CC GPL, CC LGPL, CC BSD

So if you like Creative Commons because of this pretty "commons deed" human-understandable version of the license they offer, just use these wrappers. The "legal code" links will actually take you to the GNU or Opensource.org license pages.

I'm not aware of a good reason to use an opensource license other than GPL, LGPL or 3-clause BSD, depending on how you want to allow your opensource code to be used in combination with non-free software. If you are contributing to a bigger project, choosing the same license as the main project is although a very good idea.

[Yes, this post was written on April 1st and is not to be taken serious.]

The usability experts of Ubuntu have finally started to handle the single most mentioned usability issue with Linux: the top level directory names.

Quoting Finn C. Tional from the Ubuntu Usability Group:

It's one of the mysteries of Unix that the directory named "usr" is not for user data, and the directory named "etc" while looking like random stuff thrown together stores all the important config files. [...] This is probably the single most confusing hurdle for new Unix users. [...] We need to finally tackle this, before people are too used to these odd directory names.

Therefore, they propose the following renaming scheme:

/bin      /system/executables
/boot     /system/boot
/dev      /system/devices
/etc      /system/config
/lib      /system/libraries
/home     /users
/media    /storage
/mnt      /storage
/proc     /system/processes
/root     /users/Administrator
/sbin     /system/executables/admin
/tmp      /system/temporary
/usr      /system/applications

They'll include a patch for the GNU C library as well as for AppArmor to redirect the old path names to the new ones. Given the existing filename matching already done by AppArmor the overhead is expected to be neglible at least for AppArmor enabled systems. SELinux enabled systems will remain unchanged, since the user won't be allowed to see anything potentially irritating in the root directory anyway, but will be confined to his user directory.

Since there are a dozen applications that will need changes to accomodate the new naming scheme, expect these changes only to be included with Ubuntu 10.4 (also lovingly named Ubuntu X) scheduled for April 2010.

Other distributions are expected to follow up with these changes in 2011.

P.S. Yeah, the Ubuntu folks really need to think this throuh some more. Russel pointed out that "My System" is even easier to understand; after all this is not about someone elses system or some systematic error or whatever. I figure he's right. How about "My Computer" than this lowercase (pessimistic?) "system" directory they're proposing there!

As blogged before, Debian is in the Google Summer of Code 2008.

So far, we have rather few applications - much less than last year. This doesn't seem specific to Debian, other organizations have also been reporting fewer applications, and Google is considering a deadline extension. Maybe the low number is related to Easter holidays. Also at least at my university the summer term will start only on April 1st, just past the deadline. So many students probably are still away in holiday.

Anyway: if you are interested in participating in the Google Summer of Code, chances are still pretty good. We don't have too many applications yet; not even all of the projects on the Wiki Ideas page have received a submission yet, only a few have received more than one; and even with those a well-written submission standas a good chance. Also some new ideas have been added in the meantime.

In particular missing from our submissions list are:

• MergeMaster port
• debexpo
• CDD webtools
• security policy

Especially the lack of a submission for the MergeMaster port is surprising. Many people would love to see a good configuration file merging tool in Debian. I can only guess that people are thinking "awh, everybody is going to submit an application for this one, I don't have a chance here". You currenlty DO have a chance, because there is no single proposal in for this one yet!

If you have any questions, IRC channel #debian-soc in OFTC is pretty useful.

Do you know why so many (mostly PHP) developers have problems porting their applications to PostgreSQL?

Because PostgreSQL actually enforces constraints on the data.

MySQL, which can even have values that are NULL and NOT NULL at the same time (yes, this is not a joke, Details are found here), is not particularly good at that. And people get used to all kind of stuff they can throw at MySQL and it will try to make the best out of it, instead of forcing the programmer to correctly specify what he intends to do.

That's the reason why I so far have been avoiding any application which only support MySQL: If it only supports MySQL, it probably means they can't get it to work with anything else. And that is a really bad sign.

I was looking for some cheap WebCMS. The big names are Typo3, Joomla, Drupal. Joomla is MySQL only. Plus it doesn't support iCalendar. Typo3, I've had had a look on that one before, it was ugly, used things like line numbers for layouting. And Drupal was pretty much the only one I heard not just negative things about (I was mostly talking to tech guys, not "web designers"). So I thought I'd give it a try. With PostgreSQL, since I want a consistent database.

Drupal (6.1) installation with PostgreSQL worked fine. Then I tried installing the add-on modules I was most interested in: Date and Event; since the web site I'm considering it for will be mostly around organizing events, so I do need some solid calendaring functions.

Apparently, the Date module of Drupal currently does not support PostgreSQL, it failed creating or filling it's timezone table in the database.

How come that pretty much all PHP stuff is broken on so many levels? I figure the Drupal people have spent a lot of time in getting their core working well, and I also believe that the cores of the other systems might all be okay. But when it comes to extension modules, it seems to be as bad as ever before with PHP...

Some people might just say "well, run MySQL, and it would be working".

If a module isn't capable of storing timezone information in other SQL databases, how can it be of good code quality?

(Yes, I know that I'm not being entirely fair. Picking on Drupal or even on the not yet finished Date extension is probably not really fair. But you have to admit that an application which can work with multiple databases probably has received more attention to doing database things the proper way, right?

The Date module is not yet "released". I'm not saying it's worthless, it just does not work for me yet. And it actually backs my first claim: working support for other SQL databases is a sign of code maturity.

And in most (if not all) PHP web applications, extension modules with their varying code quality are known for introducing security issues again and again.)

Debian is part of the Google Summer Of Code again this year (2008).

Last year was quite successful, so we hopefully will get at least as many slots as last year.

Applications will be possible March 24th to March 31st. This means, you should already starting writing your project proposals and get feedback by possible mentors. Ideas can be found in the Debian Wiki, but notice these are just ideas. You are by no means limited to what we're proposing there.

As for writing an application, here are some general notes:

• Start writing early, submit early. The early ones get best exposal to mentors. When we read the nth proposal for the same project, we're usually quite bored already. Especially with respect to feedback this IS a benefit for the early proposals
• Don't just copy & paste. We're not stupid. We want to know if you understand the subject and have good ideas, so show that. We're not interested in your ability to access the Wiki, we trust you on that one.
• Communicate. Open Source is about communication and collaboration. So get feedback from people who work on the related subjects and possible mentors. Don't keep your application secret. You don't have to be afraid someone could steal your application (remember, we read the applications, and we can tell who has just been using copy & paste and who is able to answer our questions!) - but you DO need the feedback to improve your application.
• Use all communication media. The GSoC web application has it's limits (e.g. by not being open yet). So make use of the IRC channels (#debian-soc in OFTC) and the mailing lists for your project. We'll also use these to judge your application, not just the web interface. "Has been asking good questions on the mailing list" is one of the best verdicts you can get.
• Bring in your own ideas. We're looking for talented, interested people, not "stupid work horses". So show what you've got.
• Don't be afraid of challenges. This is all about stepping up to a challenge. We'll help you succeed. If you e.g. aren't experienced in Python yet, but the proposal says "Required skills: Python", just be honest. Mention that you're a good Ruby coder, and we'll trust you on being able to pick up Python in a short timeframe. And maybe even just start already in filling such a gap.

In turn, we (= the mentors and admins) will try to (again - we did that last year) have at least three mentors read through your application, provide feedback on it and judge it. We don't draw lots for the slots, but we'll rank the applications based on the scoring by the mentors. We'll also try to assign you a fallback mentor in case your mentor has to step back for whatever reason and to give you additional people to talk to.

Watch the youtube video of the n810 with a tilt device.

It's pretty cool to see Enigma running on the n810. The tilt device seems to be suprisingly good for playing Enigma, I wouldn't have expected that - Enigma is heavily designed to be played with a mouse.

Congrats to the tilt stick makers and the Enigma porters for the n810.

There will be a new release of Enigma in a few months, with serious engine improvements (several algorithms have been replaced with more efficient ones, leading to serious speed improvements in certain levels!). The code got a pretty big overhaul by the main developers, and the level API was also redesigned, so this will really be a major thing.

If you are doing websites, you might want to test them with Safari as well.

Sure, konqueror and midori (which uses GTK webkit) already provide a pretty good approximation on Safari rendering, but there might still be differences.

Here's how to run Safari on Linux:

• run winecfg, set Windows version to WinXP.
• copy the core windows fonts:

  cp /usr/share/fonts/truetype/msttcorefonts/{Arial,Times_New_Roman}*.ttf ~/.wine/drive_c/windows/fonts/
  

• Download Safari for Windows from the Apple homepage
• Run the Safari installer with Wine. Do not install Bonjour or the Apple updater.
• Run Safari

The biggest 'trick' for me was to install the Microsoft fonts. Without them, Safari would segfault when rendering the URL bar the first time.

Step 2 assumes you have the Microsoft fonts already installed on your system in the place typical for Debian and Ubuntu users. If you don't find out how to get the required ttf files yourself. You maybe also can just symlink them.

Wine can indeed run most Windows applications by now...

P.S. ies4linux claims to have a way of installing and running MS IE 7 on Linux. I didn't test this. But that would give you the full array of major browsers on Linux: IE6, IE7, Safari, Iceweasel (Firefox), Opera. And tons of more usable and better integrated browsers such as Epiphany. :-)

Some people will have come across this: They've started some long-running process, e.g. some computation for their thesis, and want to be notified when it's done. Depending on the setup, they can't just background it and run wait in the shell.

Or you might want to run some expensive process somewhere, but there is some larger thing going on right now, so you want to wait for that to finish (you know, it's often better when people don't fight for memory and put all the load on the swap drive...).

Or you need to monitor some process that might crash, and want to schedule a notification or restart.

Here's how I'm doing that now:

busywaitpid command-of-process && notify-send "Computation is finished!"

Here's the script:

#!/bin/sh
mypid=$$
pid=`pgrep -of $@ | grep -vE "^$mypid$"`
if [ -z "$pid" ]; then
  echo "No pid found." >&2
  exit 2
fi
echo "Waiting for pid $pid."
while test -d "/proc/$pid"; do
  sleep .1
done
# Make sure it's gone...
test -d "/proc/$pid" || exit 1
exit 1

Note that it will wait for the oldest (-o) process where the full command line (-f) matches the given parameter.

Bugs: it doesn't handle when there are multiple processes matching the query - it will use the oldest (as given my pgrep).

[Update: Specto, aptitude install specto, is a GNOME GUI application that you should be able to use for this purpose (amongst others such as website change monitoring)]

I've switched back to the Debian stock kernel 2.6.23 from a self-compiled 2.6.23.9. The reason: I wanted to give the iwlwifi driver for my Intel 3945 wireless a try.

I think the 'iwlwifi' driver will be included upstream in 2.6.24, I guess the Debian people have added it to the 2.6.23 package themselves. At least I didn't come across it when configuring my 2.6.23.9, and I've seen it in the 2.6.24rc changelogs.

So far, the iwlwifi driver has been clearly superios, except it still lacks support for the LED. There seems to be a patch around for that though. So maybe my wireless is still disconnecting from time to time and I'm just not noticing it because I don't see the LED flashing. :-)

Spamassassin supposedly can precompile rules to allow faster operation. It compiles an optimized matching automaton that will process all the regular expressions in parallel.

Anyway, in order to use it, you need to manuall install some dependencies. They probably can't be introduced as real dependencies to not enforce them upon people who don't want to use this feature. So far, I've identified

aptitude install re2c gcc libc6-dev make

I'm aware that many people will have the libc6-dev and gcc stuff already installed, and the re2c dependency is well-documented. But I actually had removed the C compiler from my mail server.

Linux has already been the main OS here at the computer sciences for some time. The computer pool was just switched to Ubuntu, after having been on SuSE and OpenSuSE for the last 6 years or more. With the latest hardware upgrades, our computer lab is nicer than ever: dual-core AMD64 systems with 2.6 GHz, a couple of them with two LCD screens connected (which is great for developing, having the editor on one screen and documentation on the other). I wonder if the machines spend more than 1% of their time at full CPU speed - I havn't seen any running at more than the minimum 1 GHz.

But one thing I've noticed, which has changed: even those people I can see in the lab having their own laptop with them have Linux running.

A few years ago, most people bringing their laptops were doing so to have Windows around. Now with the nice dual-screen setups here, bringing along a laptop to have Linux is less attractive than ever. Still more people bringing their laptops run Linux anyway.

I figure this means that they've noticed that the DEs a Linux system offers is very useful (granted, and more to what they have at the university when they don't have their laptop around. However the main part - Java and Eclipse - actually wouldn't differ). They still dual-boot (I overheard something about 'on Windows, this and that and foo) - and even accept the effort of dual-booting to get the Linux benefits.

In a few years, will there still be Windows developers you can hire, when everybody studying computer science is being taught Linux? (Granted, not all universities have made the full switch to Linux for their computer sciences)

P.S. I'm not involved with the computer admin group; for detailed inquiries you should talk to them directly. Especially for e.g. software distribution questions and such. Oh, and I heard that the servers were running Debian for some time already, while the clients were OpenSuSE. So maybe they still are Debian.

... was a lot easier than expected. Just not very well documented.

First of all, you need the appropriate utilities. Debian users can aptitude install libsmbios-bin

Next identify your system. It will look something like this

$ sudo modprobe dcdbas
$ sudo getSystemId
Libsmbios:    0.13.10
System ID:    0x01D8
Service Tag:  ...REMOVED...
Express Service Code: ...although my warrany is over...
Product Name: MXC061
BIOS Version: A10
Vendor:       Dell Inc.
Is Dell:      1

The information you need is the "System ID".

Now you need to get the so-called HDR file for your bios. This can either be extracted from their EXE file using wine (with -dump-hdr or so), or you can find it on the linux.dell.com server. This page contains a huge list, and there are tons of dirs like system_bios_ven_0x1028_dev_0x01d8_version_a10. 0x1028 apparently is "Dell". The second hex number is your System ID. The last number (A10 here) is the BIOS revision. Pick the appropriate directory. There should be a bios.hdr file in there.

You can verify if the file is appropriate for your system:

$ sudo dellBiosUpdate -f bios.hdr -t

$ sudo modprobe dell_rbu
$ sudo dellBiosUpdate -f bios.hdr -u

When rebooting the next time, your screen might be garbled for a few seconds. At least it was for me. I was scared I might have trashed my system, but then it rebooted and had the new BIOS. So just give it some time (Fortunately I've done enough BIOS updates to know to just wait. I've even done a 'blind' video BIOS update on a Nvidia TNT. The first update had trashed the card, but I was able to redo the flash process without seeing anything on the screen, and guess what, the card worked again!)

In case you're wondering how this works: as I understand it, the dell_rbu driver will reserve memory for the BIOS update. Being a kernel module, it can just lock the memory in place until the next reboot. It will store that address in CMOS for the Bios and set the update flag. On reboot, the current Bios will check if that the stored image is still intact (I bet they do some checksumming here!) and then load that into the BIOS flash. That way, you don't need to boot into a low-level system such as Dos or Dos-Mode anymore to do an update.

My domains DNS is still hosted with the company I registered it at. I'm planning to move it to a different company early next year. So when a friend asked me for secondary nameserver exchange, I already set up the new DNS.

So my current setup is like this:

Primary and secondary nameserver are at my old provider, serving their copy of the DNS zone (which obviously lists their nameservers as NS)

The A and MX records point to my server, which will sometime also be the new master NS. This host has an own copy of the zone file, which agrees on the 'regular' entries, but lists my server as well as the friends two servers as NS. This is the only link from the domain to the friends servers. Let me emphasize this: neither my server nor my friends servers are currently listed in the .tld database. Their NS entries still point to the old providers server. I'm planning to change that in January.

Now my friend told me, that he had about 10 email delivery attempts to my domain in his logs, obviously coming from some spammers.

WTF? In order to link my domain to his server, you'd need to

• find the official NS for my domain
• lookup my A or MX record (not the NS record!)
• use this record as new NS
• lookup an NS record, using my new NS
• use this NS record as MX

What is the reason to jump through all those hoops? Do many admins configure a secondary NS to be an unlisted, unprotected relay for incoming email?

Is it common for secondary NS to receive random emails from spammers?

It's now far over a year that the ipw3945 driver doesn't work reliably for me on stock Debian kernels. From other blogs I figured it only occurs in SMP situation, and even then not on all systems.

On my laptop, I can reproduce it rather reliably: connect to the WPA2 encrypted network at my parents and transfer a file to one of the other computers on the network. An IO rate of a couple hundred kb/s will make the wireless card disconnect frequently. Often I end up having to flip the kill switch twice to get it working again.

I have however found a workaround: use a kernel with preemption enabled.

So it seems that there is something in that driver which will in certain situations trigger a big lock. Actually you can even hear that - sound will also be interrupted shortly when the wireless dies. Without preemption enabled, this will make the wireless card run into a timeout and reset itself.

I don't know yet if this completely fixes it. But other comments in the bug report at bughost suggest that it's at least much more stable. bug 1085 seems another instance of this bug and is open since june 2006. As good as their OSS record is, it seems that Intel has given up on fixing this bug.

There are other drivers causing similar problems. For example the dcdbas driver for the Dell Bios used to check for the wireless kill switch, display brightness and such functionality. When I load that driver, hal or NetworkManager will interrupt my sound every few seconds when polling the kill switch. Maybe they would just need to get hold of a system affected so they can diagnose it properly themselves. There have been at least 20 people reporting this bug by now, most of them on Dell systems.