dkg's bloghttps://dkg.fifthhorseman.net/blog/2023-12-07T00:00:00-05:00New OpenPGP certificate for dkg, December 20232023-12-07T00:00:00-05:002023-12-07T00:00:00-05:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2023-12-07:/blog/2023-dkg-openpgp-transition.html<h1 id="dkgs-new-openpgp-certificate-in-december-2023">dkg's New OpenPGP certificate in December 2023</h1>
<p>In December of 2023, I'm moving to a new OpenPGP certificate.</p>
<p>You might know my old OpenPGP certificate, which had an fingerprint of
C29F8A0C01F35E34D816AA5CE092EB3A5CA10DBA.</p>
<p>My new OpenPGP certificate has a fingerprint of:
D477040C70C2156A5C298549BB7E9101495E6BF7.</p>
<p>Both certificates have the same set of User IDs:</p>
<ul>
<li><code>Daniel …</code></li></ul><h1 id="dkgs-new-openpgp-certificate-in-december-2023">dkg's New OpenPGP certificate in December 2023</h1>
<p>In December of 2023, I'm moving to a new OpenPGP certificate.</p>
<p>You might know my old OpenPGP certificate, which had an fingerprint of
C29F8A0C01F35E34D816AA5CE092EB3A5CA10DBA.</p>
<p>My new OpenPGP certificate has a fingerprint of:
D477040C70C2156A5C298549BB7E9101495E6BF7.</p>
<p>Both certificates have the same set of User IDs:</p>
<ul>
<li><code>Daniel Kahn Gillmor</code></li>
<li><code><dkg@debian.org></code></li>
<li><code><dkg@fifthhorseman.net></code></li>
</ul>
<p>You can find a version of this transition statement signed by both the
old and new certificates at:</p>
<p><a href="https://dkg.fifthhorseman.net/2023-dkg-openpgp-transition.txt">https://dkg.fifthhorseman.net/2023-dkg-openpgp-transition.txt</a></p>
<p>The new OpenPGP certificate is:</p>
<div class="highlight"><pre><span></span><code><span class="gh">-----BEGIN PGP PUBLIC KEY BLOCK-----</span>
<span class="s">xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/Y</span>
<span class="s">O+5Zi7HCwAsEHxYKAH0FgmVxCcsDCwkHCRC7fpEBSV5r90cUAAAAAAAeACBzYWx0</span>
<span class="s">QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfUAgfN9tyTSxpxhmHA1r63GiI4v6NQ</span>
<span class="s">mrrWVLOBRJYuhQMVCggCmwECHgEWIQTUdwQMcMIValwphUm7fpEBSV5r9wAAmaEA</span>
<span class="s">/3MvYJMxQdLhIG4UDNMVd2bsovwdcTrReJhLYyFulBrwAQD/j/RS+AXQIVtkcO9b</span>
<span class="s">l6zZTAO9x6yfkOZbv0g3eNyrAs0QPGRrZ0BkZWJpYW4ub3JnPsLACwQTFgoAfQWC</span>
<span class="s">ZXEJywMLCQcJELt+kQFJXmv3RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVv</span>
<span class="s">aWEtcGdwLm9yZ4l+Z3i19Uwjw3CfTNFCDjRsoufMoPOM7vM8HoOEdn/vAxUKCAKb</span>
<span class="s">AQIeARYhBNR3BAxwwhVqXCmFSbt+kQFJXmv3AAALZQEAhJsgouepQVV98BHUH6Sv</span>
<span class="s">WvcKrb8dQEZOvHFbZQQPNWgA/A/DHkjYKnUkCg8Zc+FonqOS/35sHhNA8CwqSQFr</span>
<span class="s">tN4KzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLACgQTFgoAfQWCZXEJywMLCQcJ</span>
<span class="s">ELt+kQFJXmv3RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y</span>
<span class="s">ZxLvwkgnslsAuo+IoSa9rv8+nXpbBdab2Ft7n4H9S+d/AxUKCAKbAQIeARYhBNR3</span>
<span class="s">BAxwwhVqXCmFSbt+kQFJXmv3AAAtFgD4wqcUfQl7nGLQOcAEHhx8V0Bg8v9ov8Gs</span>
<span class="s">Y1ei1BEFwAD/cxmxmDSO0/tA+x4pd5yIvzgfGYHSTxKS0Ww3hzjuZA7NE0Rhbmll</span>
<span class="s">bCBLYWhuIEdpbGxtb3LCwA4EExYKAIAFgmVxCcsDCwkHCRC7fpEBSV5r90cUAAAA</span>
<span class="s">AAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd7X4TgiINwnzh4jar0</span>
<span class="s">Pf/b5hgxFPngCFxJSmtr/f0YiQMVCggCmQECmwECHgEWIQTUdwQMcMIValwphUm7</span>
<span class="s">fpEBSV5r9wAAMuwBAPtMonKbhGOhOy+8miAb/knJ1cIPBjLupJbjM+NUE1WyAQD1</span>
<span class="s">nyGW+XwwMrprMwc320mdJH9B0jdokJZBiN7++0NoBM4zBGVxCcsWCSsGAQQB2kcP</span>
<span class="s">AQEHQI19uRatkPSFBXh8usgciEDwZxTnnRZYrhIgiFMybBDQwsC/BBgWCgExBYJl</span>
<span class="s">cQnLCRC7fpEBSV5r90cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBn</span>
<span class="s">cC5vcmfCopazDnq6hZUsgVyztl5wmDCmxI169YLNu+IpDzJEtQKbAr6gBBkWCgBv</span>
<span class="s">BYJlcQnLCRB3LRYeNc1LgUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh</span>
<span class="s">LXBncC5vcmcQglI7G7DbL9QmaDkzcEuk3QliM4NmleIRUW7VvIBHMxYhBHS8BMQ9</span>
<span class="s">hghL6GcsBnctFh41zUuBAACwfwEAqDULksr8PulKRcIP6N9NI/4KoznyIcuOHi8q</span>
<span class="s">Gk4qxMkBAIeV20SPEnWSw9MWAb0eKEcfupzr/C+8vDvsRMynCWsDFiEE1HcEDHDC</span>
<span class="s">FWpcKYVJu36RAUlea/cAAFD1AP0YsE3Eeig1tkWaeyrvvMf5Kl1tt2LekTNWDnB+</span>
<span class="s">FUG9SgD+Ka8vfPR8wuV8D3y5Y9Qq9xGO+QkEBCW0U1qNypg65QHOOARlcQnLEgor</span>
<span class="s">BgEEAZdVAQUBAQdAWTLEa0WmnhUmDBdWXX0ZlYAa4g1CK/fXg0NPOQSteA4DAQgH</span>
<span class="s">wsAABBgWCgByBYJlcQnLCRC7fpEBSV5r90cUAAAAAAAeACBzYWx0QG5vdGF0aW9u</span>
<span class="s">cy5zZXF1b2lhLXBncC5vcmexrMBZe0QdQ+ZJOZxFkAiwCw2I7yTSF2Ox9GVFWKmA</span>
<span class="s">mAKbDBYhBNR3BAxwwhVqXCmFSbt+kQFJXmv3AABcJQD/f4ltpSvLBOBEh/C2dIYa</span>
<span class="s">dgSuqkCqq0B4WOhFRkWJZlcA/AxqLWG4o8UrrmwrmM42FhgxKtEXwCSHE00u8wR4</span>
<span class="s">Up8G</span>
<span class="s">=9Yc8</span>
<span class="gh">-----END PGP PUBLIC KEY BLOCK-----</span>
</code></pre></div>
<p>When I have some reasonable number of certifications, i'll update the
certificate associated with my e-mail addresses on
https://keys.openpgp.org, in DANE, and in WKD. Until then, those
lookups should continue to provide the old certificate.</p>2022 Digital Rights Job Fair2022-05-10T20:39:00+00:002022-05-10T20:39:00+00:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2022-05-10:/blog/2022-digital-rights-job-fair.html<p>I'm lucky enough to <a href="https://www.aclu.org/bio/daniel-kahn-gillmor">work</a> at the intersection between information communications technology and civil rights/civil liberties.
I get to combine technical interests and social/political interests.</p>
<p>I've talked with many folks over the years who are interested in doing similar work.
Some come from a technical background, and some …</p><p>I'm lucky enough to <a href="https://www.aclu.org/bio/daniel-kahn-gillmor">work</a> at the intersection between information communications technology and civil rights/civil liberties.
I get to combine technical interests and social/political interests.</p>
<p>I've talked with many folks over the years who are interested in doing similar work.
Some come from a technical background, and some from an activist background (and some from both).
Are you one of them?
Are you someone who works as an activist or in a technical field who wants to look into different ways of meging these interests?</p>
<p>Some great organizers maintain a <a href="https://www.digitalrights.community/job-board">job board for Digital Rights</a>.
Next month they'll host a Digital Rights Job Fair, which offers an opportunity to talk with good people at organizations that fight in different ways for a better world.
You need to <a href="https://digitalrights.formstack.com/forms/jobfair">RSVP to attend</a>.</p>
<p><img alt="Digital Rights Job Fair" src="images/DigitalRightsJobFair.png"></p>Bitstream Vera Must Die2022-04-14T00:00:00-04:002022-04-14T00:00:00-04:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2022-04-14:/blog/bitstream-vera-must-die.html<p><a href="https://dkg.fifthhorseman.net/bitstream-vera-must-die.html">Bitstream Vera must die</a>.</p>New OpenPGP certificate for dkg, 20212020-12-31T00:00:00-05:002020-12-31T00:00:00-05:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2020-12-31:/blog/2021-dkg-openpgp-transition.html<h1 id="dkgs-2021-openpgp-transition">dkg's 2021 OpenPGP transition</h1>
<p>As 2021 begins, I'm changing to a new OpenPGP certificate.</p>
<p>I did a similar transition <a href="2019-dkg-openpgp-transition.html">two years ago</a>, and a fair amount has changed since then.</p>
<p>You might know my old OpenPGP certificate as:</p>
<div class="highlight"><pre><span></span><code><span class="n">pub</span><span class="w"> </span><span class="n">ed25519</span><span class="w"> </span><span class="mi">2019</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">19</span><span class="w"> </span><span class="o">[</span><span class="n">C</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">expires: 2021-01-18</span><span class="o">]</span>
<span class="w"> </span><span class="n">C4BC2DDB38CCE96485EBE9C2F20691179038E5C6</span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn …</span></code></pre></div><h1 id="dkgs-2021-openpgp-transition">dkg's 2021 OpenPGP transition</h1>
<p>As 2021 begins, I'm changing to a new OpenPGP certificate.</p>
<p>I did a similar transition <a href="2019-dkg-openpgp-transition.html">two years ago</a>, and a fair amount has changed since then.</p>
<p>You might know my old OpenPGP certificate as:</p>
<div class="highlight"><pre><span></span><code><span class="n">pub</span><span class="w"> </span><span class="n">ed25519</span><span class="w"> </span><span class="mi">2019</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">19</span><span class="w"> </span><span class="o">[</span><span class="n">C</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">expires: 2021-01-18</span><span class="o">]</span>
<span class="w"> </span><span class="n">C4BC2DDB38CCE96485EBE9C2F20691179038E5C6</span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@fifthhorseman</span><span class="p">.</span><span class="n">net</span><span class="o">></span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@debian</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>My new OpenPGP certificate is:</p>
<div class="highlight"><pre><span></span><code><span class="n">pub</span><span class="w"> </span><span class="n">ed25519</span><span class="w"> </span><span class="mi">2020</span><span class="o">-</span><span class="mi">12</span><span class="o">-</span><span class="mi">27</span><span class="w"> </span><span class="o">[</span><span class="n">C</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">expires: 2023-12-24</span><span class="o">]</span>
<span class="w"> </span><span class="n">C29F8A0C01F35E34D816AA5CE092EB3A5CA10DBA</span>
<span class="n">uid</span><span class="w"> </span><span class="o">[</span><span class="n"> unknown</span><span class="o">]</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span>
<span class="n">uid</span><span class="w"> </span><span class="o">[</span><span class="n"> unknown</span><span class="o">]</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@debian</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
<span class="n">uid</span><span class="w"> </span><span class="o">[</span><span class="n"> unknown</span><span class="o">]</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@fifthhorseman</span><span class="p">.</span><span class="n">net</span><span class="o">></span>
</code></pre></div>
<p>You can find a <a href="https://dkg.fifthhorseman.net/2021-dkg-openpgp-transition.txt">signed transition statement</a> if you're into that sort of thing.</p>
<p>If you're interested in the rationale for why I'm making this transition, read on.</p>
<h2 id="dangers-of-offline-primary-secret-keys">Dangers of Offline Primary Secret Keys</h2>
<p>There are several reasons for transitioning, but one i simply couldn't argue with was my own technical failure.
I put the primary secret key into offline storage some time ago for "safety", and used <a href="https://manpages.debian.org/buster/e2fsprogs/e4crypt.8.en.html">ext4's filesystem-level encryption</a> layered on top of <a href="https://gitlab.com/cryptsetup/cryptsetup/">dm-crypt</a> for additional security.</p>
<p>But either the tools changed out from under me, or there were failures on the storage medium, or I've failed to remember my passphrase correctly, because I am unable to regain access to the cleartext of the secret key.
In particular, I find myself unable to use <code>e4crypt add_key</code> with the passphrase I know to get a usable working directory.</p>
<p>I confess I still find <code>e4crypt</code> pretty difficult to use and I don't use it often, so the problem may entirely be user error (either now, or two years ago when I did the initial setup).</p>
<p>Anyway, lesson learned: don't use cryptosystems that you're not comfortable with to encrypt data that you care about recovering.
This is a lesson I'm pretty sure I've learned before, sigh, but it's a good reminder.</p>
<h2 id="split-user-ids">Split User IDs</h2>
<p>I'm trying to split out my User IDs again -- this way if you know me by e-mail address, you don't have to think/worry about certifying my name, and if you know me by name, you don't have to think/worry about certifying my e-mail address.
I think that's simpler and more sensible.</p>
<p>It's also nice because e-mail address-only User IDs can be used effectively in contexts like <a href="https://autocrypt.org">Autocrypt</a>, which I think are increasingly important if we want to have usable encrypted e-mail.</p>
<p>Last time around I initially tried <a href="2019-dkg-openpgp-transition.html">split User IDs but rolled them back</a> and I think most of the bugs I discovered then have been fixed.</p>
<h2 id="certificate-flooding">Certificate Flooding</h2>
<p>Another reason for making a transition to a new certificate is that my older certificate is one of the ones that was "<a href="openpgp-certificate-flooding.html">flooded</a>" on the <a href="https://sks-keyservers.net">SKS keyserver network</a> last year, which was one of the final straws for that teetering project.
Transitioning to a new certificate lets that old flooded cert expire and people can just simply move on from it, ideally deleting it from their local keyrings.</p>
<p>Hopefully as a community we can move on from SKS to key distribution mechanisms like <a href="https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/">WKD</a>, <a href="https://autocrypt.org">Autocrypt</a>, <a href="https://tools.ietf.org/html/rfc7929">DANE</a>, and <a href="https://keys.openpgp.org">keys.openpgp.org</a>, all of which address some of the <a href="https://datatracker.ietf.org/doc/draft-dkg-openpgp-abuse-resistant-keystore/">known problems with keyserver abuse</a>.</p>
<h2 id="trying-new-tools">Trying New Tools</h2>
<p>Finally, I'm also interested in thinking about how key and certificate management might be handled in different ways.
While I'm reasonably competent in handling <a href="https://www.gnupg.org">GnuPG</a>, the larger OpenPGP community (which I'm a part of) has done a lot of thinking and a lot of work about how people can use OpenPGP.</p>
<p>I'm particularly happy with the collaborative work that has gone into the <a href="https://gitlab.com/dkg/openpgp-stateless-cli">Stateless OpenPGP CLI</a> (aka <code>sop</code>), which helps to generate a powerful <a href="https://tests.sequoia-pgp.org/">interoperability test suite</a>.
While <code>sop</code> doesn't offer the level of certificate management I'd need to use it to manage this new certificate in full, I wish something like it would!
Starting from a fresh certificate and actually using it helps me to think through what I might actually need from a tool that is roughly as straightforward and opinionated as <code>sop</code> is.</p>
<p>If you're a software developer who might use or implement OpenPGP, or a protocol designer, and you haven't played around with <a href="https://git.savannah.nongnu.org/cgit/dkgpg.git/tree/tools/dkg-sop.cc">any</a> <a href="https://gitlab.com/sequoia-pgp/sop-openpgp-js">of</a> <a href="https://salsa.debian.org/clint/hopenpgp-tools/-/blob/master/hop.hs">the</a> <a href="https://pypi.org/project/sop/">various</a> <a href="https://crates.io/crates/sequoia-sop">implementations</a> <a href="https://github.com/ProtonMail/gosop">of</a> <code>sop</code> yet, I recommend taking a look.
And feedback on the specification is always welcome, too, including ideas for new functionality (maybe even like certificate management).</p>
<h2 id="next-steps">Next Steps</h2>
<p>If you're the kind of person who's into making OpenPGP certifications, feel free to check in with me via whatever channels you're used to using to verify that this transition is legit.
If you think it is, and you're comfortable, please send me (e-mail is probably best) your certifications over the new certficate.</p>
<p>I'll keep on working to make OpenPGP more usable and acceptable.
Hopefully, 2021 will be a better year ahead for all of us.</p>Tech-assisted Contact-Tracing against the COVID-19 pandemic2020-04-16T20:51:00-04:002020-04-16T20:51:00-04:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2020-04-16:/blog/tech-assisted-contact-tracing-against-the-covid-19-pandemic.html<p>What are the risks and potential benefits of contact-tracing?</p><p>Today at the ACLU, we <a href="https://www.aclu.org/report/aclu-white-paper-principles-technology-assisted-contact-tracing">released a
whitepaper</a>
discussing how to evaluate some novel cryptographic schemes that are
being considered to provide technology-assisted contact-tracing in the
face of the COVID-19 pandemic.</p>
<p>The document offers guidelines for thinking about potential schemes
like this, and what kinds of safeguards we need to expect and demand
from these systems so that we might try to address the (hopefully
temporary) crisis of the pandemic without also creating a permanent
crisis for civil liberties.</p>
<p>The proposals that we're seeing (including <a href="https://pact.mit.edu">PACT</a>,
<a href="https://github.com/DP-3T">DP^3T</a>, <a href="https://tcn-coalition.org">TCN</a>,
and the <a href="https://www.apple.com/covid19/contacttracing">Apple/Google
proposal</a>) work in pretty
similar ways, and the challenges and tradeoffs there are remarkably
similar to <a href="https://ietf.org">Internet protocol</a> design decisions.
Only now in addition to bytes and packets and questions of efficiency,
privacy, and control, we're also dealing directly with risk of
physical harm (who gets sick?), society-wide allocation of scarce and
critical resources (who gets tested? who gets treatment?), and
potentially serious means of exercising powerful social control (who
gets forced into quarantine?).</p>
<p>My ACLU colleague <a href="https://twitter.com/joncallas">Jon Callas</a> and i
will be doing a Reddit
<a href="https://dkg.fifthhorseman.net/reddit-ama-2020-04-17.jpg">AMA</a> in
<a href="https://reddit.com/r/Coronavirus">r/Coronavirus</a> tomorrow starting at
2020-04-17T19:00:00Z (that's 3pm Friday in <code>TZ=America/New_York</code>)
about this very topic, if that's the kind of thing you're into.</p>DANE OPENPGPKEY for debian.org2019-07-09T00:00:00-04:002019-07-09T00:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2019-07-09:/blog/dane-openpgpkey-for-debian.org.html<h1 id="dane-openpgpkey-for-debianorg">DANE OPENPGPKEY for debian.org</h1>
<p>I recently announced <a href="wkd-for-debian.org.html">the publication of Web Key Directory for
<code>@debian.org</code> e-mail addresses</a>. This blog post
announces another way to fetch OpenPGP certificates for <code>@debian.org</code>
e-mail addresses, this time using only the DNS. These two mechanisms
are complementary, not in competition. We want …</p><h1 id="dane-openpgpkey-for-debianorg">DANE OPENPGPKEY for debian.org</h1>
<p>I recently announced <a href="wkd-for-debian.org.html">the publication of Web Key Directory for
<code>@debian.org</code> e-mail addresses</a>. This blog post
announces another way to fetch OpenPGP certificates for <code>@debian.org</code>
e-mail addresses, this time using only the DNS. These two mechanisms
are complementary, not in competition. We want to make sure that
whatever certificate lookup scheme your OpenPGP client supports, you
will be able to find the appropriate certificate.</p>
<p>The additional mechanism we're now supporting (since a few days ago)
is DANE OPENPGPKEY, specified in <a href="https://tools.ietf.org/html/rfc7929">RFC
7929</a>.</p>
<h1 id="how-does-it-work">How does it work?</h1>
<p>DANE OPENPGPKEY works by storing a minimized OpenPGP certificate in
the DNS, ideally in a subdomain at label based on a hashed version of
the local part of the e-mail address.</p>
<p>With modern GnuPG, if you're interested in retrieving the OpenPGP
certificate for <code>dkg</code> as served by the DNS, you can do:</p>
<div class="highlight"><pre><span></span><code><span class="n">gpg</span><span class="w"> </span><span class="c1">--auto-key-locate clear,nodefault,dane --locate-keys dkg@debian.org</span>
</code></pre></div>
<p>If you're interested in how this DNS zone is populated, take a look
<a href="https://salsa.debian.org/debian-keyring/keyring/commits/publish-dane">at can the code that handles
it</a>.
Please <a href="https://salsa.debian.org/debian-keyring/keyring/merge_requests">request
improvements</a>
if you see ways that this could be improved.</p>
<p>Unfortunately, <a href="https://dev.gnupg.org/T4618">GnuPG does not currently do DNSSEC validation on these
records</a>, so the cryptographic
protections offered by this client are not as strong as those provided
by WKD (which at least checks the X.509 certificate for a given domain
name against the list of trusted root CAs).</p>
<h1 id="why-offer-both-dane-openpgpkey-and-wkd">Why offer both DANE OPENPGPKEY and WKD?</h1>
<p>I'm hoping that the Debian project can ensure that no matter whatever
sensible mechanism any OpenPGP client implements for certificate
lookup, it will be able to find the appropriate OpenPGP certificate
for contacting someone within the <code>@debian.org</code> domain.</p>
<p>A clever OpenPGP client might even consider these two mechanisms --
DANE OPENPGPKEY and WKD -- as corroborative mechanisms, since an
attacker who happens to compromise one of them may find it more
difficult to compromise both simultaneously.</p>
<h1 id="how-to-update">How to update?</h1>
<p>If you are a Debian developer and you want your OpenPGP certificate
updated in the DNS, please follow <a href="https://keyring.debian.org/">the normal procedures for Debian
keyring maintenance</a> like you always
have. When a new debian-keyring package is released, we will update
these DNS records at the same time.</p>
<h1 id="thanks">Thanks</h1>
<p>Setting this up would not have been possible without help from
<code>weasel</code> on the Debian System Administration team, and <code>Noodles</code> from
the keyring-maint team providing guidance.</p>
<p>DANE OPENPGPKEY was documented and shepherded through the IETF by Paul
Wouters.</p>
<p>Thanks to all of these people for making it possible.</p>WKD for debian.org2019-07-04T00:00:00-04:002019-07-04T00:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2019-07-04:/blog/wkd-for-debian.org.html<h2 id="wkd-for-debianorg">WKD for debian.org</h2>
<p>You can now fetch the OpenPGP certificate for any Debian developer who
uses an <code>@debian.org</code> e-mail address using <a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service">Web Key
Directory</a>
(WKD).</p>
<h1 id="how">How?</h1>
<p>With modern GnuPG, if you're interested in the OpenPGP certificate for
<code>dkg</code> just do:</p>
<div class="highlight"><pre><span></span><code><span class="n">gpg</span><span class="w"> </span><span class="c1">--locate-keys dkg@debian.org</span>
</code></pre></div>
<p>By default, this …</p><h2 id="wkd-for-debianorg">WKD for debian.org</h2>
<p>You can now fetch the OpenPGP certificate for any Debian developer who
uses an <code>@debian.org</code> e-mail address using <a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service">Web Key
Directory</a>
(WKD).</p>
<h1 id="how">How?</h1>
<p>With modern GnuPG, if you're interested in the OpenPGP certificate for
<code>dkg</code> just do:</p>
<div class="highlight"><pre><span></span><code><span class="n">gpg</span><span class="w"> </span><span class="c1">--locate-keys dkg@debian.org</span>
</code></pre></div>
<p>By default, this will show you any matching certificate that you
already have in your GnuPG local keyring. But if you don't have a
matching certificate already, it will fall back to using WKD.</p>
<p>These certificates are extracted from the debian keyring and published
at <code>https://openpgpkey.debian.org/.well-known/openpgpkey/debian.org/</code>, as defined
in <a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service">the
WKD spec</a>. We intend to keep them up-to-date when ever the
keyring-maint team publishes a new batch of certificates. Our tooling
uses <a href="https://salsa.debian.org/debian-keyring/keyring/merge_requests/2">some repeated invocations of
<code>gpg</code></a>
to extract and build the published tree of files.</p>
<p>Debian is current <em>not</em> implementing the <a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08#section-4">Web Key Directory Update
Protocol</a>
(and we have no plans to do so). If you are a Debian developer and
you want your OpenPGP certificate updated in WKD, please follow <a href="https://keyring.debian.org/">the
normal procedures for Debian keyring
maintenance</a> like you always have.</p>
<h1 id="what-about-other-domains">What about other domains?</h1>
<p>Our update here works great for e-mail addresses in the <code>@debian.org</code>
domain, but it has no direct effect for other e-mail addresses.</p>
<p>However, if you have an e-mail address in a domain you control, you
can publish your own WKD. If you would rather use an e-mail service
in a domain managed by other people, you might also be interested in
GnuPG's list of <a href="https://wiki.gnupg.org/WKD#Mail_Service_Providers_offering_WKD">e-mail service providers that offer
WKD</a>.</p>
<h1 id="why">Why?</h1>
<p>The SKS keyserver network has been <a href="https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore">vulnerable to
abuse</a>
for years. The <a href="community-impact-openpgp-cert-flooding.html">recent certificate flooding
attacks</a> make fetching an
OpenPGP certificate from that pool a risky operation: potentially
causing a <a href="https://dev.gnupg.org/T4592">denial of service against
GnuPG</a>. In particular, <a href="https://access.redhat.com/articles/4264021"><em>anyone</em> can
flood any certificate in
SKS</a> (or other common
keyservers that are not resistant to abuse).</p>
<p>WKD avoids the problem of certificate flooding by arbitrary third
parties. It's not a guaranteed defense against flooding though: the
domain controller (and whoever they authorize to update the WKD) is
still capable of offering a flooded certificate via WKD. On the plus
side, at least some WKD clients do <a href="https://dev.gnupg.org/T4607#127792">aggressive filtering on
certificates found via WKD</a>, which
should limit the ability of an adversary to flood a certificate in
your local keyring.</p>
<h1 id="thanks">Thanks</h1>
<p>Setting this up would not have been possible without help from
<code>weasel</code> and <code>jcristau</code> from the Debian System Administration team,
and <code>Noodles</code> from the keyring-maint team.</p>
<p>WKD was designed and implemented by Werner Koch and the GnuPG team, in
anticipation of this specific need.</p>
<p>Thanks to all of these people for making it possible.</p>
<h1 id="what-next">What next?</h1>
<p>There's some talk about publishing similar OpenPGP certificates in the
DNS as well, using <a href="https://tools.ietf.org/html/rfc7929">RFC 7929
(OPENPGPKEY) records</a>, but we haven't set that up yet.</p>Community Impact of OpenPGP Certificate Flooding2019-06-28T15:00:00-04:002019-06-28T15:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2019-06-28:/blog/community-impact-openpgp-cert-flooding.html<h2 id="community-impact-of-openpgp-certificate-flooding">Community Impact of OpenPGP Certificate Flooding</h2>
<p>I wrote yesterday about <a href="openpgp-certificate-flooding.html">a recent OpenPGP certificate flooding
attack</a>, what I think it means for
the ecosystem, and how it impacted me. This is a brief followup,
trying to zoom out a bit and think about why it affected me
emotionally the way …</p><h2 id="community-impact-of-openpgp-certificate-flooding">Community Impact of OpenPGP Certificate Flooding</h2>
<p>I wrote yesterday about <a href="openpgp-certificate-flooding.html">a recent OpenPGP certificate flooding
attack</a>, what I think it means for
the ecosystem, and how it impacted me. This is a brief followup,
trying to zoom out a bit and think about why it affected me
emotionally the way that it did.</p>
<p>One of the reasons this situation makes me sad is not just that it's
more breakage that needs cleaning up, or even that my personal
identity certificate was on the receiving end. It's that it has
impacted (and will continue impacting at least in the short term) many
different people -- friends and colleagues -- who I know and care
about. It's not just that they may be the next targets of such a
flooding attack if we don't fix things, although that's certainly
possible. What gets me is that they were affected <em>because</em> they know
me and communicate with me. They had my certificate in their keyring,
or in some mutually-maintained system, and as a result of what we know
to be good practice -- regular keyring refresh -- they got burned.</p>
<p>Of course, they didn't get actually, physically burned. But from
several conversations i've had over the last 24 hours, i know
personally at least a half-dozen different people who i personally
know have lost hours of work, being stymied by the failing tools, some
of that time spent confused and anxious and frustrated. Some of them
thought they might have lost access to their encrypted e-mail messages
entirely. Others were struggling to wrestle a suddenly non-responsive
machine back into order. These are all good people doing other
interesting work that I want to succeed, and I can't give them those
hours back, or relieve them of that stress retroactively.</p>
<p>One of the points I've been driving at for years is that the goals of
much of the work I care about (confidentiality; privacy; information
security and data sovereignty; healthy communications systems) are not
individual goods. They are interdependent, communally-constructed and
communally-defended social properties.</p>
<p>As an engineering community, we failed -- and as an engineer, I
contributed to that failure -- at protecting these folks in this
instance about because we left things sloppy and broken and supposedly
"good enough".</p>
<p>Fortunately, this failure isn't the worst situation. There's no
arbitrary code execution, no permanent data loss (unless people get
panicked and delete everything), no accidental broadcast of secrets
that shouldn't be leaked.</p>
<p>And as much as this is a community failure, there are also communities
of people who have recognized these problems and have been working to
solve them. So I'm pretty happy that good people have been working on
infrastructure that saw this coming, and were preparing for it, even
if their tools haven't been as fully implemented (or as widely
adopted) as they should be yet. Those projects include:</p>
<ul>
<li>
<p><a href="https://autocrypt.org">Autocrypt</a> -- which avoids any interaction
with the keyserver network in favor of in-band key discovery.</p>
</li>
<li>
<p><a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service">Web Key
Directory</a>
or WKD, which maps e-mail addresses to a user-controlled
publication space for their OpenPGP Keys.</p>
</li>
<li>
<p><a href="https://tools.ietf.org/html/rfc7929">DANE OPENPGPKEY</a> which lets a
domain owner publish their user's minimal OpenPGP certificates in
the DNS directly.</p>
</li>
<li>
<p><a href="https://gitlab.com/hagrid-keyserver/">Hagrid</a>, the implementation
behind the <a href="https://keys.openpgp.org">keys.openpgp.org</a> keyserver,
which presents the opportunity for a <a href="https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00041.html">updates-only
interface</a>
as well as a place for people to publish their certificates if
their domain controller doesn't support WKD or DANE OPENPGPKEY.
Hagrid is also an excellent first public showing for the <a href="https://sequoia-pgp.org/">Sequoia
project</a>, a Rust-based implementation of
the OpenPGP standards that hopefully we can build more tooling on
top of in the years to come.</p>
</li>
</ul>
<p>Let's keep pushing these community-driven approaches forward and get
the ecosystem to a healthier place.</p>OpenPGP Certificate Flooding2019-06-28T00:00:00-04:002019-06-28T00:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2019-06-28:/blog/openpgp-certificate-flooding.html<h2 id="openpgp-certificate-flooding">OpenPGP Certificate Flooding</h2>
<p>My public cryptographic identity has been spammed to the point where
it is unusable in standard workflows. This blogpost talks about what
happened, what I'm doing about it, and what it means for the broader
ecosystem.</p>
<p>If you work with me and you use OpenPGP certificates to …</p><h2 id="openpgp-certificate-flooding">OpenPGP Certificate Flooding</h2>
<p>My public cryptographic identity has been spammed to the point where
it is unusable in standard workflows. This blogpost talks about what
happened, what I'm doing about it, and what it means for the broader
ecosystem.</p>
<p>If you work with me and you use OpenPGP certificates to do so, the
crucial things you should know are:</p>
<ul>
<li>
<p>Do not refresh my OpenPGP certificate from the SKS keyserver
network.</p>
</li>
<li>
<p>Use a constrained keyserver like
<a href="https://keys.openpgp.org">keys.openpgp.org</a> if you want to check
my certificate for updates like revocation, expiration, or subkey
rollover.</p>
</li>
<li>
<p>Use an <a href="https://autocrypt.org">Autocrypt</a>-capable e-mail client,
<a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08">WKD</a>,
or <a href="https://dkg.fifthhorseman.net/dkg-openpgp.key">direct download from my
server</a> to find my
certificate in the first place.</p>
</li>
<li>
<p>If you have already fetched my certificate in the last week, and it
is bloated, or your GnuPG instance is horribly slow as a result,
you probably want to delete it and then recover it via one of the
channels described above.</p>
</li>
</ul>
<h2 id="what-happened">What Happened?</h2>
<p>Some time in the last few weeks, <a href="https://dkg.fifthhorseman.net/dkg-openpgp.key">my OpenPGP certificate,
0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6</a>
was flooded with bogus certifications which were uploaded to the <a href="https://sks-keyservers.net/">SKS
keyserver network</a>.</p>
<p>SKS is known to be vulnerable to this kind of <a href="https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1">Certificate
Flooding</a>,
and is difficult to address due to the synchronization mechanism of
the SKS pool. (SKS's synchronization assumes that all keyservers have
the same set of filters). You can see <a href="https://bitbucket.org/skskeyserver/sks-keyserver/issues/57/anyone-can-make-any-pgp-key-unimportable">discussion about this
problem</a>
from a year ago along with earlier proposals for how to <a href="https://lists.gnupg.org/pipermail/gnupg-users/2018-January/059799.html">mitigate
it</a>.
But none of those proposals have quite come to fruition, and people
are still reliant on the SKS network.</p>
<h2 id="previous-instances-of-certificate-flooding">Previous Instances of Certificate Flooding</h2>
<p>We've seen various forms of certificate flooding before, including
<a href="https://lists.gnupg.org/pipermail/gnupg-users/2018-January/059753.html">spam on Werner Koch's
key</a>
over a year ago, and abuse tools made available years ago under the
name <a href="https://github.com/micahflee/trollwot">"trollwot"</a>. There's a
<a href="https://github.com/yakamok/keyserver-fs">keyserver-backed filesystem</a>
proposed as a proof of concept to point out the abuse.</p>
<p>There was even a discussion a few months ago about how <a href="https://lists.riseup.net/www/arc/monkeysphere/2019-04/msg00000.html">the SKS
keyserver network is
dying</a>.</p>
<p>So none of this is a novel or surprising problem. However, the scale
of spam attached to certificates recently appears to be unprecedented.
It's not just mine: <a href="https://dev.gnupg.org/T3972#127338">Robert J, Hansen's certificate has also been
spammed into oblivion</a> as
well. The older certification spam on Werner's certificate, for
example is "only" about 5K certifications (a total of < 1MiB), whereas the
certification spam attached to mine is more like 55K certifications for a
total of 17MiB, and rjh's is more than double that.</p>
<h2 id="what-problems-does-certificate-flooding-cause">What Problems does Certificate Flooding Cause?</h2>
<p>The fact that my certificate is flooded quite this badly provides an
opportunity to see what breaks. I've been filing bug reports and
profiling problems over the last day.</p>
<p>GnuPG <a href="https://dev.gnupg.org/T4591">can't even import my certificate</a>
from the keyservers any more in the common case. This also has
implications for ensuring that revocations are discovered, or new
subkeys rotated, as described in that ticket.</p>
<p>In the situations where it's possible to have imported the large
certificate, gpg exhibits <a href="https://dev.gnupg.org/T4592">severe performance problems for even basic
operations over the keyring</a>.</p>
<p>This causes <a href="https://dev.gnupg.org/T3972">Enigmail to become unusable</a>
if it encounters a flooded certificate.</p>
<p>It also causes problems for <a href="https://bugs.debian.org/931204">monkeysphere-authentication if it
encounters a flooded certificate</a>.</p>
<p>If this spammed certificate is in the GnuPG keyring, just verifying an
OpenPGP-signed tag in the <a href="https://git-scm.com">git</a> revision control
system made by this certificate is now extremely expensive. <code>git tag
-v $tagname</code>, for a tag that is signed with the signing-capable subkey
of this certificate consumes 145 seconds of CPU time (tag signature
verification often happens as part of an automated process, and
typically takes much less than 1 second of CPU time).</p>
<p>There are probably more! If you find other problems for tools that
deal with these sort of flooded certs, please report bugs
appropriately.</p>
<h2 id="dealing-with-certificate-flooding">Dealing with Certificate Flooding</h2>
<p>What can we do about this? Months ago, i wrote <a href="https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03">a draft about
abuse-resistant
keystores</a>
that outlined these problems and what we need from a keyserver.</p>
<h3 id="use-abuse-resistant-keystores-to-refresh-certificates">Use Abuse-Resistant Keystores to Refresh Certificates</h3>
<p>If the purpose of refreshing your certificate is to find key material
updates and revocations, we need to use an abuse-resistant keyserver
or network of keyservers for that.</p>
<p>Fortunately, <a href="https://keys.openpgp.org">keys.openpgp.org</a> is just such
a service, and it was recently launched. It seems to work! It can
distribute revocations and subkey rollovers automatically, even if you
don't have a user ID for the certificate. You can do this by putting
the following line in <code>~/.gnupg/dirmngr.conf</code> </p>
<div class="highlight"><pre><span></span><code>keyserver hkps://keys.openpgp.org
</code></pre></div>
<p>and ensure that there is no <code>keyserver</code> entry at all in
<code>~/.gnupg/gpg.conf</code>.</p>
<p>This keyserver doesn't distribute third-party certifications at all,
though. And if the owner of the e-mail address hasn't confirmed with
the operators of <code>keys.openpgp.org</code> that they want that keyserver to
distribute their certificate, it <a href="https://keys.openpgp.org/about">won't even distribute the
certificate's user IDs</a>.</p>
<p>This keyserver also doesn't have the same keys as the SKS pool. It was
seeded with the keys on the pool on setup, but is <a href="https://gitlab.com/hagrid-keyserver/hagrid/issues/113">not pulling new
updates in nor sending updates back</a>.</p>
<h3 id="fix-gnupg-to-import-certificate-updates-even-without-user-ids">Fix GnuPG to Import certificate updates even without User IDs</h3>
<p>Unfortunately, <a href="https://dev.gnupg.org/T4393">GnuPG doesn't cope well with importing minimalist
certificates</a>. I've applied patches for
this in debian experimental (and they're documented in debian as
<a href="https://bugs.debian.org/930665">#930665</a>), but those fixes are not yet
adopted upstream, or widely deployed elsewhere.</p>
<h3 id="in-band-certificate-discovery">In-band Certificate Discovery</h3>
<p>Refreshing certificates is only part of the role that keyserver
networks play. Another is just finding OpenPGP certificates in the
first place.</p>
<p>The best way to find a certificate is if someone just gives it to you
in the context that it makes sense.</p>
<p>The <a href="https://autocrypt.org">Autocrypt project</a> is an example of this
pattern for e-mail messages. If you can adopt an Autocrypt-capable
e-mail client, you should, since that will avoid needing to search for
keys at all when dealing with e-mail. Unfortunately, those
implementations are also not widely available yet.</p>
<h3 id="certificate-lookup-via-wkd-or-dane">Certificate Lookup via WKD or DANE</h3>
<p>If you're looking up an OpenPGP certificate by e-mail address, you
should try looking it up via some mechanism where the address owner
(or at least the domain owner) can publish the record. The current
best examples of this are
<a href="https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-08">WKD</a>
and <a href="https://tools.ietf.org/html/rfc7929">DANE's OPENPGPKEY DNS
records</a>. Modern versions of
GnuPG support both of these methods. See the <code>auto-key-locate</code>
documentation in <code>gpg(1)</code>.</p>
<h2 id="conclusion">Conclusion</h2>
<p>This is a mess, and it's a mess a long time coming. The parts of the
OpenPGP ecosystem that rely on the naive assumptions of the SKS
keyserver can no longer be relied on, because people are deliberately
abusing those keyservers. We need significantly more defensive
programming, and a better set of protocols for thinking about how and
when to retrieve OpenPGP certificates.</p>
<h2 id="a-personal-postscript">A Personal Postscript</h2>
<p>I've spent a significant amount of time over the years trying to push
the ecosystem into a more responsible posture with respect to OpenPGP
certificates, and have clearly not been as successful at it or as fast
as I wanted to be. Complex ecosystems can take time to move.</p>
<p>To have my own certificate directly spammed in this way felt
surprisingly personal, as though someone was trying to attack or
punish me, specifically. I can't know whether that's actually the
case, of course, nor do I really want to. And the fact that Robert
J. Hansen's certificate was also spammed makes me feel a little less
like a singular or unique target, but I also don't feel particularly
proud of feeling relieved that someone else is also being "punished"
in addition to me.</p>
<p>But this report wouldn't be complete if I didn't mention that I've
felt disheartened and demotivated by this situation. I'm a stubborn
person, and I'm trying to make the best of the situation by being
constructive about at least documenting the places that are most
severely broken by this. But I've also found myself tempted to walk
away from this ecosystem entirely because of this incident. I don't
want to be too dramatic about this, but whoever did this basically
experimented on me (and Robert) directly, and it's a pretty shitty
thing to do.</p>
<p>If you're reading this, and you set this off, and you selected me
specifically because of my role in the OpenPGP ecosystem, or because I
wrote <a href="https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore">the abuse-resistant-keystore
draft</a>,
or because I'm part of the Autocrypt project, then you should know
that I care about making this stuff work for people. If you'd reached
out to me to describe what you were planning to do, we could have done
all of the above bug reporting and triage using demonstration
certificates, and worked on it together. I would have happily helped.
I still might! But because of the way this was done, I'm not feeling
particularly happy right now. I hope that someone is, somewhere.</p>New OpenPGP certificate for dkg, 20192019-01-19T02:49:53-05:002019-01-19T02:49:53-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2019-01-19:/blog/2019-dkg-openpgp-transition.html<h2 id="update">Update</h2>
<p>I've scrapped my first try at a new OpenPGP certificate for 2019 (the
one I published yesterday). See the history discussion at the bottom
of this post for details. This blogpost has been updated to reflect
my revised attempt.</p>
<h2 id="2019-openpgp-transition-try-2">2019 OpenPGP transition (try 2)</h2>
<p>My old OpenPGP certificate will …</p><h2 id="update">Update</h2>
<p>I've scrapped my first try at a new OpenPGP certificate for 2019 (the
one I published yesterday). See the history discussion at the bottom
of this post for details. This blogpost has been updated to reflect
my revised attempt.</p>
<h2 id="2019-openpgp-transition-try-2">2019 OpenPGP transition (try 2)</h2>
<p>My old OpenPGP certificate will be 12 years old later this year. I'm
transitioning to a new OpenPGP certificate.</p>
<p>You might know my old OpenPGP certificate as:</p>
<div class="highlight"><pre><span></span><code><span class="n">pub</span><span class="w"> </span><span class="n">rsa4096</span><span class="w"> </span><span class="mi">2007</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mi">02</span><span class="w"> </span><span class="o">[</span><span class="n">SC</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">expires: 2019-06-29</span><span class="o">]</span>
<span class="w"> </span><span class="mi">0</span><span class="n">EE5BE979282D80B9F7540F1CCD2ED94D21739E9</span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@fifthhorseman</span><span class="p">.</span><span class="n">net</span><span class="o">></span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@debian</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>My new OpenPGP certificate is:</p>
<div class="highlight"><pre><span></span><code><span class="n">pub</span><span class="w"> </span><span class="n">ed25519</span><span class="w"> </span><span class="mi">2019</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">19</span><span class="w"> </span><span class="o">[</span><span class="n">C</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">expires: 2021-01-18</span><span class="o">]</span>
<span class="w"> </span><span class="n">C4BC2DDB38CCE96485EBE9C2F20691179038E5C6</span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@fifthhorseman</span><span class="p">.</span><span class="n">net</span><span class="o">></span>
<span class="n">uid</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@debian</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>If you've certified my old certificate, I'd appreciate your certifying
my new one. Please do confirm by contacting me via whatever channels
you think are most appropriate (including in-person if you want to
share food or drink with me!) before you re-certify, of course.</p>
<p>I've published the new certificate to the SKS keyserver network, as
well as to <a href="https://dkg.fifthhorseman.net/dkg-openpgp.key">my personal
website</a> -- you can
fetch it like this:</p>
<div class="highlight"><pre><span></span><code>wget -O- https://dkg.fifthhorseman.net/dkg-openpgp.key | gpg --import
</code></pre></div>
<p>A copy of this transition statement signed by both the old and new
certificates is available <a href="https://dkg.fifthhorseman.net/2019-dkg-openpgp-transition.txt">on my
website</a>,
and you can also find <a href="https://dkg.fifthhorseman.net/blog/2019-dkg-openpgp-transition.html">further explanation about technical details,
choices, and rationale on my
blog</a>.</p>
<h2 id="technical-details">Technical details</h2>
<p>I've made a few decisions differently about this certificate:</p>
<h3 id="ed25519-and-curve25519-for-public-key-material">Ed25519 and Curve25519 for Public Key Material</h3>
<p>I've moved from 4096-bit RSA public keys to the <a href="https://cr.yp.to/ecdh.html">Bernstein elliptic
curve 25519</a> for all my public key
material (<a href="https://en.wikipedia.org/wiki/EdDSA">EdDSA</a> for signing,
certification, and authentication, and
<a href="https://en.wikipedia.org/wiki/Curve25519">Curve25519</a> for
encryption). 25519 appears to be significantly stronger than any
cryptanalytic attack known to the public. (4096-bit RSA may be
marginally stronger cryptographically than curve 25519, but both of
them are well beyond the threshhold of what we know how to break with
today's machinery)</p>
<p>Additionally, elliptic curve keys and the signatures associated with
them are tiny compared to 4096-bit RSA. I certified my new cert with
my old one, and well over half of the new certificate is just
certifications from the old key because they are so large.</p>
<p>This size advantage makes it easier for me ship the public key
material (and signatures from it) in places that would be more awkward
otherwise. See the discussion about Autocrypt below.</p>
<h3 id="split-out-aclu-identity">Split out ACLU identity</h3>
<p>Note that my old certificate included some additional identities,
including job-specific e-mail addresses. I've split out my
job-specific cryptographic credentials to a different OpenPGP
certificate entirely. If you want to mail me at <a href="mailto:dkg@aclu.org">dkg@aclu.org</a>, you
can use the certificate with fingerprint
<code>888E6BEAC41959269EAA177F138F5AB68615C560</code> (which is also published on
<a href="https://www.aclu.org/bio/daniel-kahn-gillmor">my work bio page</a>).</p>
<p>This is in part because the folks who communicate with me at my ACLU
address are more likely to have old or poorly-maintained e-mail
systems than other people I communicate with, and they might not be
able to handle curve 25519. So the ACLU keys use 3072-bit RSA, which
is universally supported by any plausible OpenPGP implementation.</p>
<p>This way I can experiment with being more forward-looking in my free
software and engineering community work, and shake out any bugs that I
might find there, before cutting over the e-mails that come in from
more legal- and policy-focused colleagues.</p>
<h3 id="isolated-subkey-capabilities">Isolated Subkey Capabilities</h3>
<p>In my new certificate, the primary key is designated
certification-only. There are three subkeys, one each for
authentication, encryption, and signing. The primary key also has a
longer expiration time (2 years as of this writing), while the subkeys
have 1 year expiration dates.</p>
<p>Isolating this functionality helps a little bit with security (I can
take the certification key entirely offline while still being able to
sign non-identity data), and it also offers a pathway toward having a
more robust subkey rotation schedule. As I build out my tooling for
subkey rotation, i'll probably make a few more blog posts about that.</p>
<h3 id="autocrypt-friendly">Autocrypt-friendly</h3>
<p>Finally, several of these changes are related to <a href="https://www.autocrypt.org/">the Autocrypt
project</a>, a really great collaboration of
a group of mail user agent developers, designers, UX experts,
trainers, and users, who are providing guidance to make encrypted
e-mail something that normal humans can use without having to think
too much about it.</p>
<p>Autocrypt treats the OpenPGP certificate User IDs as merely
decorative, but its <a href="https://autocrypt.org/level1.html#openpgp-based-key-data">recommended form of the User
ID</a> for an
OpenPGP certificate is just the e-mail address wrapped in angle
brackets. Unfortunately, I didn't manage to get that particular form
of User ID into this certificate at this time (see discussion of split
User IDs below).</p>
<p>Autocrypt is also <a href="https://github.com/autocrypt/autocrypt/pull/393">moving toward 25519 elliptic curve
keys</a>, so this gives
me a chance to exercise that choice.</p>
<p>I'm proud to be associated with the Autocrypt project, and have been
helping to shepherd some of the Autocrypt functionality into different
clients (my work on my own MUA of choice,
<a href="https://notmuchmail.org">notmuch</a> is currently stalled, but I hope to
pick it back up again soon). Having an OpenPGP certificate that works
well with Autocrypt, and that I can stuff into messages even from
clients that aren't fully-Autocrypt compliant yet is useful to me for
getting things tested.</p>
<h3 id="documenting-workflow-vs-tooling">Documenting workflow vs. tooling</h3>
<p>Some people may want to know "how did you make your OpenPGP cert like
this?" For those folks, i'm sorry but this is not a step-by-step
technical howto. I've read far too many "One True Way To Set Up Your
OpenPGP Certificate" blog posts that haven't aged well, and i'm not
confident enough to tell people to run the weird arbitrary commands
that I ran to get things working this way.</p>
<p>Furthermore, I don't <em>want</em> people to have to run those commands.</p>
<p>If I think there are sensible ways to set up OpenPGP certificates, I
want those patterns built into standard tooling for normal people to
use, without a lot of command-line hackery.</p>
<p>So if i'm going to publish a "how to", it would be in the form of
software that I think can be sensibly maintained and provides a sane
user interface for normal humans. I haven't written that tooling yet,
but I need to change certs first, so for now you just get this blog
post in English. But feel free to tell me what you think I could do
better!</p>
<h2 id="history">History</h2>
<p>This is my second attempt at an OpenPGP certificate transition in
2019. My earlier attempt uncovered a bunch of tooling issues with
split-out User IDs. The original rationale for trying the split, and
the problems I found are detailed below.</p>
<h3 id="what-were-separated-user-ids">What were Separated User IDs?</h3>
<p>My earlier attempt at a new OpenPGP certificate for 2019 tried to do
an unusual thing with the certificate User IDs. Rather than two User
IDs:</p>
<ul>
<li><code>Daniel Kahn Gillmor <dkg@fifthhorseman.net></code></li>
<li><code>Daniel Kahn Gillmor <dkg@debian.org></code></li>
</ul>
<p>the (now revoked) earlier certificate had the name separate from the
e-mail addresses, making three User IDs:</p>
<ul>
<li><code>Daniel Kahn Gillmor</code></li>
<li><code>dkg@fifthhorseman.net</code></li>
<li><code>dkg@debian.org</code></li>
</ul>
<p>There are a couple reasons I tried this.</p>
<p>One reason is to simplify the certification process. Traditional
OpenPGP User ID certification is an all-or-nothing process: the
certifier is asserting that both the name and e-mail address belong to
the identified party. But this can be tough to reason about. Maybe
you know my name, but not my e-mail address. Or maybe you know my
over e-mail, but aren't really sure what my "real" name is (i'll leave
questions about what counts as a real name to a more philosophical
blog post). You ought to be able to certify them independently. Now
you can, since it's possible to certify one User ID independently of
another.</p>
<p>Another reason is because I planned to use this certificate for
e-mail, among other purposes. In e-mail systems, the human name is a
confusing distraction, as the real underlying correspondent is the
e-mail address. E-mail programs should definitely allow their users
to couple a memorable name with an e-mail address, but it should be
more like a <a href="https://en.wikipedia.org/wiki/Petname">petname</a>. The
bundling of a human "real" name with the e-mail address by the User ID
itself just provides more points of confusion for the mail client.</p>
<p>If the user communicates with a certain person by e-mail address, the
certificate should be bound to the e-mail protocol address on its own.
Then the user themselves can decide what other monikers they want to
use for the person; the User ID shouldn't force them to look at a
"real" name just because it's been bundled together.</p>
<p>Alas, putting this attempt into public practice uncovered several gaps
in the OpenPGP ecosystem.</p>
<p>User IDs without an e-mail address are often ignored, mishandled, or
induce crashes:</p>
<ul>
<li>
<p><a href="https://www.gnu.org/software/emacs/">emacs</a> <a href="https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34121">chokes when
contemplating a User ID without an e-mail
address</a></p>
</li>
<li>
<p><a href="https://www.phildev.net/pius/">pius</a> <a href="https://github.com/jaymzh/pius/issues/109">fails to certify User IDs
without an e-mail
address</a></p>
</li>
<li>
<p><a href="https://0xacab.org/monkeysphere/monkeysign">monkeysign</a> <a href="https://0xacab.org/monkeysphere/monkeysign/issues/65">certifies
User IDs without an e-mail address, but sends them into the
void</a>.</p>
</li>
<li>
<p><a href="https://wiki.gnome.org/Apps/Keysign">gnome-keysign-sign-key</a>
<a href="https://github.com/gnome-keysign/gnome-keysign/issues/71">discards certifications over User IDs that have no e-mail
address</a></p>
</li>
<li>
<p><a href="https://schleuder.org/">schleuder</a> <a href="https://0xacab.org/schleuder/schleuder/issues/396">dis-associates a certificate
from all e-mail addresses if the primary User ID lacks an e-mail
adddress</a></p>
</li>
</ul>
<p>And User IDs that are a raw e-mail address (without enclosing
angle-brackets) tickle additional problems.</p>
<ul>
<li>
<p><a href="https://www.phildev.net/pius/">pius</a> <a href="https://github.com/jaymzh/pius/issues/111">fails to certify User IDs
that are just a raw e-mail
address</a></p>
</li>
<li>
<p><a href="https://schleuder.org/">schleuder</a> <a href="https://0xacab.org/schleuder/schleuder/issues/395">fails to process User IDs
which are bare e-mail
addresses</a></p>
</li>
</ul>
<p>Finally, <a href="https://web.monkeysphere.info">Monkeysphere</a>'s ssh user
authentication mechanism typically works on a single User ID at a
time. There's no way in Monkeysphere to say "authorize access to
account foo by any OpenPGP certificate that has a valid User ID <code>Alice
Jones</code> <em>and</em> a valid User ID <code><alice@example.org></code>. I'd like to keep
the <code>~/.monkeysphere/authorized_user_ids</code> that I already have in place
working OK. I have enough technical debt to deal with for
Monkeysphere (including that it only handles RSA currently) that I
don't need the additional headache of reasoning about split/joint User
IDs too.</p>
<p>Because of all of these issues, in particular the schleuder bugs, i'm
not ready to use a split User ID OpenPGP certificate on today's
Internet, alas. I have revoked the OpenPGP certificate that had split
User IDs and started over with a new certificate with a more standard
User ID layout, as described above. Better to rip off the band-aid
quickly!</p>Protecting Software Updates2018-06-28T11:57:00-04:002018-06-28T11:57:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2018-06-28:/blog/protecting-software-updates.html<p>In my work at the <a href="https://www.aclu.org">ACLU</a>, we fight for civil
rights and civil liberties. This includes the ability to communicate
privately, free from surveillance or censorship, and to control your
own information. These are principles that I think most free software
developers would agree with. In that vein, we <a href="https://www.aclu.org/blog/privacy-technology/surveillance-technologies/big-brother-getting-more-tech-savvy-heres-how">just …</a></p><p>In my work at the <a href="https://www.aclu.org">ACLU</a>, we fight for civil
rights and civil liberties. This includes the ability to communicate
privately, free from surveillance or censorship, and to control your
own information. These are principles that I think most free software
developers would agree with. In that vein, we <a href="https://www.aclu.org/blog/privacy-technology/surveillance-technologies/big-brother-getting-more-tech-savvy-heres-how">just released a guide
to securing software update
channels</a>
in collaboration with students from <a href="http://www.law.nyu.edu/academics/clinics/semester/technologylawandpolicy">NYU Law
School</a>.</p>
<p>The guide focuses specifically on what people and organizations that
distribute software can do to ensure that their software update
processes and mechanisms are actually things that their users can
reliably trust. The goal is to make these channels trustworthy, even
in the face of attempts by government agencies to force software
vendors to ship malware to their users.</p>
<p>Why software updates specifically? Every well-engineered system on
today's Internet will have a software update mechanism, since there
are inevitably bugs that need fixing, or new features added to improve
the system for the users. But update channels also represent a risk:
they are an unclosable hole that enables installation of arbitrary
software, often at the deepest, most-privileged level of the machine.
This makes them a tempting target for anyone who wants to force the
user to run malware, whether that's a criminal organization, a
corporate or political rival, or a government surveillance agency.</p>
<p>I'm pleased to say that Debian has already implemented many of the
technical recommendations we describe, including leading the way on
<a href="https://reproducible-builds.org">reproducible builds</a>. But as
individual developers we might also be targeted, as <a href="https://media.libreplanet.org/u/libreplanet/m/you-think-you-re-not-a-target-a-tale-of-three-developers/">lamby points
out</a>,
and it's worth thinking about how you'd defend your users from such a
situation.</p>
<p>As an organization, it would be great to see Debian continue to expand
its protections for its users by holding ourselves even more
accountable in our software update mechanisms than we already do. In
particular, I'd love to see work on binary transparency, similar to
<a href="https://wiki.mozilla.org/Security/Binary_Transparency">what Mozilla has been
doing</a>, but
that ensures that the archive signing keys (which our users trust)
can't be abused/misused/compromised without public exposure, and that
allows for easy monitoring and investigation of what binaries we are
actually publishing.</p>
<p>In addition to technical measures, if you think you might ever get a
government request to compromise your users, please make sure you are
in touch with a lawyer who has your back, who knows how to challenge
requests in court, and who understands why software update channels
should not be used for deliberately shipping malware. If you're
facing such a situation, and you're in the USA and you don't have a
lawyer yet yourself, you can <a href="mailto:SPTIntake@aclu.org?subject=Software+updates">reach out to the lawyers my workplace,
the ACLU's Speech, Privacy, and Technology Project for
help</a>.</p>
<p>Protecting software update channels is the right thing for our users,
and for free software -- Debian's priorities. So please take a look
at <a href="https://www.aclu.org/issues/privacy-technology/consumer-privacy/how-malicious-software-updates-endanger-everyone">the
guidance</a>,
think about how it might affect you or the people that you work with,
and start a conversation about what you can do to defend these systems
that everyone is obliged to trust on today's communications.</p>E-mail Cryptography2018-05-11T12:04:00-04:002018-05-11T12:04:00-04:00Daniel Kahn Gillmortag:dkg.fifthhorseman.net,2018-05-11:/blog/e-mail-cryptography.html<p>Analysis of usability and mechanics of cryptographic protection in e-mail</p><p>I've been working on cryptographic e-mail software for many years now,
and i want to set down some of my observations of what i think some of
the challenges are. I'm involved in
<a href="https://autocrypt.org">Autocrypt</a>, which is making great strides in
sensible key management (see the last section below, which is short
not because i think it's easy, but because i think Autocrypt has
covered this area quite well), but there are additional nuances to the
mechanics and user experience of e-mail encryption that i need to get
off my chest.</p>
<p>Feedback welcome!</p>
<div class="toc"><span class="toctitle">Table of contents:</span><ul>
<li><a href="#cryptography-and-e-mail-messages">Cryptography and E-mail Messages</a><ul>
<li><a href="#why-expose-cryptographic-protections-to-the-user-at-all">Why expose cryptographic protections to the user at all?</a></li>
<li><a href="#simplicity">Simplicity</a></li>
<li><a href="#combinations">Combinations</a></li>
<li><a href="#partial-protections">Partial protections</a></li>
</ul>
</li>
<li><a href="#cryptographic-mechanism">Cryptographic Mechanism</a><ul>
<li><a href="#inline-pgp">Inline PGP</a></li>
<li><a href="#pgpmime-and-smime">PGP/MIME and S/MIME</a></li>
<li><a href="#cryptographic-envelope">Cryptographic Envelope</a></li>
<li><a href="#cryptographic-payload">Cryptographic Payload</a></li>
<li><a href="#layering-within-the-envelope">Layering within the Envelope</a><ul>
<li><a href="#signedencrypted-vs-encryptedsigned">signed+encrypted vs encrypted+signed</a></li>
<li><a href="#multiple-layers-of-signatures-or-encryption">Multiple layers of signatures or encryption</a></li>
</ul>
</li>
<li><a href="#signed-messages-should-indicate-the-intended-recipient">Signed messages should indicate the intended recipient</a></li>
<li><a href="#protected-headers">Protected Headers</a><ul>
<li><a href="#message-id-and-threading-headers">Message-ID and threading headers</a></li>
<li><a href="#protecting-headers-during-e-mail-generation">Protecting Headers during e-mail generation</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#key-management">Key management</a><ul>
<li><a href="#key-changes-over-time">Key changes over time</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="cryptography-and-e-mail-messages">Cryptography and E-mail Messages</h1>
<p>Cryptographic protection (i.e., digital signatures, encryption) of
e-mail messages has a complex history. There are several different
ways that various parts of an e-mail message can be protected (or
not), and those mechanisms can be combined in a huge number of ways.</p>
<p>In contrast to the technical complexity, users of e-mail tend to
expect a fairly straightforward experience. They also have little to
no expectation of explicit cryptographic protections for their
messages, whether for authenticity, for confidentiality, or for
integrity.</p>
<p>If we want to change this -- if we want users to be able to rely on
cryptographic protections for some e-mail messages in their existing
e-mail accounts -- we need to be able to explain those protections
without getting in the user's way.</p>
<h2 id="why-expose-cryptographic-protections-to-the-user-at-all">Why expose cryptographic protections to the user at all?</h2>
<p>For a new messaging service, the service itself can simply enumerate
the set of properties that all messages exchanged through the service
must have, design the system to bundle those properties with message
deliverability, and then users don't need to see any of the details
for any given message. The presence of the message in that messaging
service is enough to communicate its security properties to the extent
that the users care about those properties.</p>
<p>However, e-mail is a widely deployed, heterogenous, legacy system, and
even the most sophisticated users will always interact with some
messages that lack cryptographic protections.</p>
<p>So if we think those protections are meaningful, and we want users to
be able to respond to a protected message at all differently from how
they respond to an unprotected message (or if they want to know
whether the message they're sending will be protected, so they can
decide how much to reveal in it), we're faced with the challenge of
explaining those protections to users at some level.</p>
<h2 id="simplicity">Simplicity</h2>
<p>The best level to display cryptographic protects for a typical e-mail
user is on a per-message basis.</p>
<p>Wider than per-message (e.g., describing protections on a
per-correspondent or a per-thread basis) is likely to stumble on mixed
statuses, particularly when other users switch e-mail clients that
don't provide the same cryptographic protections, or when people are
added to or removed from a thread.</p>
<p>Narrower than per-message (e.g., describing protections on a
per-MIME-part basis, or even within a MIME part) is too confusing:
most users do not understand the structure of an e-mail message at a
technical level, and are unlikely to be able to (or want to) spend any
time learning about it. And a message with some cryptographic
protection and other tamperable user-facing parts is a tempting vector
for attack.</p>
<p>So at most, an e-mail should have one cryptographic state that covers
the entire message.</p>
<p>At most, the user probably wants to know:</p>
<ul>
<li>
<p>Is the content of this message known only to me and the sender (and
the other people in Cc)? (Confidentiality)</p>
</li>
<li>
<p>Did this message come from the person I think it came from, as they
wrote it? (Integrity and Authenticity)</p>
</li>
</ul>
<p>Any more detail than this is potentially confusing or distracting.</p>
<h2 id="combinations">Combinations</h2>
<p>Is it possible to combine the two aspects described above into
something even simpler? That would be nice, because it would allow us
to categorize a message as either "protected" or "not protected". But
there are four possible combinations:</p>
<ul>
<li>
<p>unsigned cleartext messages: these are clearly "not protected"</p>
</li>
<li>
<p>signed encrypted messages: these are clearly "protected" (though
see further sections below for more troubling caveats)</p>
</li>
<li>
<p>signed cleartext messages: these are useful in cases where
confidentiality is irrelevant -- posts to a publicly-archived
mailing list, for example, or announcement e-mails about a new
version of some piece of software. It's hard to see how we can get
away with ignoring this category.</p>
</li>
<li>
<p>unsigned encrypted messages: There are people who send encrypted
messages who don't want to sign those messages, for a number of
reasons (e.g., concern over the reuse/misuse of their signing key,
and wanting to be able to send anonymous messages). Whether you
think those reasons are valid or not, some signed messages cannot
be validated. For example:</p>
<ul>
<li>the signature was made improperly,</li>
<li>the signature was made with an unknown key,</li>
<li>the signature was made using an algorithm the message recipient doesn't know how to interpret</li>
<li>the signature was made with a key that the recipient believes is broken/bad</li>
</ul>
<p>We have to handle receipt of signed+encrypted messages with any of
these signature failures, so we should probably deal with unsigned
encrypted messages in the same way.</p>
</li>
</ul>
<p>My conclusion is that we need to be able to represent these states
separately to the user (or at least to the MUA, so it can plan
sensible actions), even though i would prefer a simpler
representation.</p>
<p>Note that some other message encryption schemes (such as those based
on shared symmetric keying material, where message signatures are not
used for authenticity) may not actually need these distinctions, and
can therefore get away with the simpler "protected/not protected"
message state. I am unaware of any such scheme being used for e-mail
today.</p>
<h2 id="partial-protections">Partial protections</h2>
<p>Sadly, the current encrypted e-mail mechanisms are likely to make even
these proposed two indicators blurry if we try to represent them in
detail. To avoid adding to user confusion, we need to draw some
bright lines.</p>
<ul>
<li>
<p>For integrity and authenticity, either the entire message is signed
and integrity-checked, or it isn't. We must not report messages as
being signed when only a part of the message is signed, or when the
signature comes from someone not in the From: field. We should
probably also not present "broken signature" status any differently
that we present unsigned mail. See <a href="https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2017-November/004683.html">discussion on the enigmail
mailing
list</a>
about some of these tradeoffs.</p>
</li>
<li>
<p>For confidentiality, the user likely cares that the entire message
was confidential. But there are some circumstances (e.g., when
replying to an e-mail, and deciding whether to encrypt or not) when
they likely care if <em>any part</em> of the message was confidential
(e.g. if an encrypted part is placed next to a cleartext part).</p>
</li>
</ul>
<p>It's interesting (and frustrating!) to note that these are scoped
slightly differently -- that we might care about partial
confidentiality but not about partial integrity and authenticity.</p>
<p>Note that while we might care about partial confidentiality, actually
representing <em>which parts</em> of a message were confidential represents a
signficant UI challenge in most MUAs.</p>
<p>To the extent that a MUA decides it wants to display details of a
partially-protected message, i recommend that MUA strip/remove <em>all</em>
non-protected parts of the message, and just show the user the
(remaining) protected parts. In the event that a message has partial
protections like this, the MUA may need to offer the user a choice of
seeing the entire partially-protected message, or the stripped down
message that has complete protections.</p>
<p>To the extent that we expect to see partially-protected messages in
the real world, further UI/UX exploration would be welcome. It would
be great to imagine a world where those messages simply don't exist
though :)</p>
<h1 id="cryptographic-mechanism">Cryptographic Mechanism</h1>
<p>There are three major categories of cryptographic protection for
e-mail in use today: Inline PGP, PGP/MIME, and S/MIME.</p>
<h2 id="inline-pgp">Inline PGP</h2>
<p>I've argued elsewhere (and it remains true) that <a href="https://debian-administration.org/users/dkg/weblog/108">Inline PGP
signatures are
terrible</a>.
Inline PGP encryption is also terrible, but in different ways:</p>
<ul>
<li>
<p>it doesn't protect the structure of the message (e.g., the number
and size of attachments is visible)</p>
</li>
<li>
<p>it has no way of protecting confidential message headers (see the
Protected Headers section below)</p>
</li>
<li>
<p>it is very difficult to safely represent to the user what has been
encrypted and what has not, particularly if the message body
extends beyond the encrypted block.</p>
</li>
</ul>
<p>No MUA should ever emit messages using inline PGP, either for
signatures or for encryption. And no MUA should ever display an
inline-PGP-signed block as though it was signed. Don't even bother to
validate such a signature.</p>
<p>However, some e-mails will arrive using inline PGP encryption, and
responsible MUAs probably need to figure out what to show to the user
in that case, because the user wants to know what's there. :/</p>
<h2 id="pgpmime-and-smime">PGP/MIME and S/MIME</h2>
<p>PGP/MIME and S/MIME are roughly equivalent to one another, with the
largest difference being their certificate format. PGP/MIME messages
are signed/encrypted with certificates that follow the OpenPGP
specification, while S/MIME messages rely on certificates that follow
the X.509 specification.</p>
<p>The cryptographic protections of both PGP/MIME and S/MIME work at the
MIME layer, providing particular forms of cryptographic protection
around a subtree of other MIME parts.</p>
<p>Both standards have very similar existing flaws that must be remedied
or worked around in order to have sensible user experience for
encrypted mail.</p>
<p>This document has no preference of one message format over the other,
but acknowledges that it's likely that both will continue to exist for
quite some time. To the extent possible, a sensible MUA that wants to
provide the largest coverage will be able to support both message
formats and both certificate formats, hopefully with the same fixes to
the underlying problems.</p>
<h2 id="cryptographic-envelope">Cryptographic Envelope</h2>
<p>Given that the plausible standards (PGP/MIME and S/MIME) both work at
the MIME layer, it's worth thinking about the MIME structure of a
cryptographically-protected e-mail messages. I introduce here two
terms related to an e-mail message: the "Cryptographic Envelope" and
the "Cryptographic Payload".</p>
<p>Consider the MIME structure of a simple cleartext PGP/MIME signed
message:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">signed</span>
<span class="mf">0</span><span class="n">B</span><span class="w"> </span><span class="err">├─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
<span class="mf">0</span><span class="n">C</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">signature</span>
</code></pre></div>
<p>Consider also the simplest PGP/MIME encrypted message:</p>
<div class="highlight"><pre><span></span><code><span class="mf">1</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">encrypted</span>
<span class="mf">1</span><span class="n">B</span><span class="w"> </span><span class="err">├─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">encrypted</span>
<span class="mf">1</span><span class="n">C</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">octet</span><span class="o">-</span><span class="n">stream</span>
<span class="mf">1</span><span class="n">D</span><span class="w"> </span><span class="err">╤</span><span class="w"> </span><span class="o"><<</span><span class="n">decryption</span><span class="o">>></span>
<span class="mf">1</span><span class="n">E</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
</code></pre></div>
<p>Or, an S/MIME encrypted message:</p>
<div class="highlight"><pre><span></span><code><span class="mf">2</span><span class="n">A</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pkcs7</span><span class="o">-</span><span class="n">mime</span><span class="p">;</span><span class="w"> </span><span class="n">smime</span><span class="o">-</span><span class="n">type</span><span class="o">=</span><span class="n">enveloped</span><span class="o">-</span><span class="kd">data</span>
<span class="mf">2</span><span class="n">B</span><span class="w"> </span><span class="err">╤</span><span class="w"> </span><span class="o"><<</span><span class="n">decryption</span><span class="o">>></span>
<span class="mf">2</span><span class="n">C</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
</code></pre></div>
<p>Note that the PGP/MIME decryption step (denoted "1D" above) may also
include a cryptographic signature that can be verified, as a part of
that decryption. This is not the case with S/MIME, where the signing
layer is always separated from the encryption layer.</p>
<p>Also note that any of these layers of protection may be nested, like
so:</p>
<div class="highlight"><pre><span></span><code><span class="mf">3</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">encrypted</span>
<span class="mf">3</span><span class="n">B</span><span class="w"> </span><span class="err">├─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">encrypted</span>
<span class="mf">3</span><span class="n">C</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">octet</span><span class="o">-</span><span class="n">stream</span>
<span class="mf">3</span><span class="n">D</span><span class="w"> </span><span class="err">╤</span><span class="w"> </span><span class="o"><<</span><span class="n">decryption</span><span class="o">>></span>
<span class="mf">3</span><span class="n">E</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">signed</span>
<span class="mf">3</span><span class="n">F</span><span class="w"> </span><span class="err">├─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
<span class="mf">3</span><span class="n">G</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">signature</span>
</code></pre></div>
<p>For an e-mail message that has some set of these layers, we define the
"Cryptographic Envelope" as the layers of cryptographic protection
that start at the root of the message and extend until the first
non-cryptographic MIME part is encountered.</p>
<h2 id="cryptographic-payload">Cryptographic Payload</h2>
<p>We can call the first non-cryptographic MIME part we encounter (via
depth-first search) the "Cryptographic Payload". In the examples
above, the Cryptographic Payload parts are labeled 0B, 1E, 2C, and 3F.
Note that the Cryptographic Payload itself could be a multipart MIME
object, like 4E below:</p>
<div class="highlight"><pre><span></span><code><span class="mf">4</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">encrypted</span>
<span class="mf">4</span><span class="n">B</span><span class="w"> </span><span class="err">├─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">encrypted</span>
<span class="mf">4</span><span class="n">C</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">octet</span><span class="o">-</span><span class="n">stream</span>
<span class="mf">4</span><span class="n">D</span><span class="w"> </span><span class="err">╤</span><span class="w"> </span><span class="o"><<</span><span class="n">decryption</span><span class="o">>></span>
<span class="mf">4</span><span class="n">E</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">alternative</span>
<span class="mf">4</span><span class="n">F</span><span class="w"> </span><span class="err">├─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
<span class="mf">4</span><span class="n">G</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">html</span>
</code></pre></div>
<p>In this case, the full subtree rooted at 4E is the "Cryptographic
Payload".</p>
<p>The cryptographic properties of the message should be derived from the
layers in the Cryptographic Envelope, and nothing else, in particular:</p>
<ul>
<li>the cryptographic signature associated with the message, and</li>
<li>whether the message is "fully" encrypted or not.</li>
</ul>
<p>Note that if some subpart of the message is protected, but the
cryptographic protections don't start at the root of the MIME
structure, there is <em>no</em> message-wide cryptographic envelope, and
therefore there either is no Cryptographic Payload, or (equivalently)
the whole message (5A here) is the Cryptographic Payload, but with a
null Cryptographic Envelope:</p>
<div class="highlight"><pre><span></span><code><span class="mf">5</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">mixed</span>
<span class="mf">5</span><span class="n">B</span><span class="w"> </span><span class="err">├┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">signed</span>
<span class="mf">5</span><span class="n">C</span><span class="w"> </span><span class="err">│├─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
<span class="mf">5</span><span class="n">D</span><span class="w"> </span><span class="err">│└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">signature</span>
<span class="mf">5</span><span class="n">E</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
</code></pre></div>
<p>Note also that if there are any nested encrypted parts, they do not
count toward the Cryptographic Envelope, but may mean that the message
is "partially encrypted", albeit with a null Cryptographic Envelope:</p>
<div class="highlight"><pre><span></span><code><span class="mf">6</span><span class="n">A</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">mixed</span>
<span class="mf">6</span><span class="n">B</span><span class="w"> </span><span class="err">├┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">encrypted</span>
<span class="mf">6</span><span class="n">C</span><span class="w"> </span><span class="err">│├─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">encrypted</span>
<span class="mf">6</span><span class="n">D</span><span class="w"> </span><span class="err">│└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">octet</span><span class="o">-</span><span class="n">stream</span>
<span class="mf">6</span><span class="n">E</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="err">╤</span><span class="w"> </span><span class="o"><<</span><span class="n">decryption</span><span class="o">>></span>
<span class="mf">6</span><span class="n">F</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
<span class="mf">6</span><span class="n">G</span><span class="w"> </span><span class="err">└─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span>
</code></pre></div>
<h2 id="layering-within-the-envelope">Layering within the Envelope</h2>
<p>The order and number of the layers in the Cryptographic Envelope might
make a difference in how the message's cryptographic properties should
be considered.</p>
<h3 id="signedencrypted-vs-encryptedsigned">signed+encrypted vs encrypted+signed</h3>
<p>One difference is whether the signature is made over the encrypted
data, or whether the encryption is done over the signature.
Encryption around a signature means that the signature was hidden from
an adversary. And a signature around the encryption indicates that
sender may not know the actual contents of what was signed.</p>
<p>The common expectation is that the signature will be inside the
encryption. This means that the signer likely had access to the
cleartext, and it is likely that the existence of the signature is
hidden from an adversary, both of which are sensible properties to
want.</p>
<h3 id="multiple-layers-of-signatures-or-encryption">Multiple layers of signatures or encryption</h3>
<p>Some specifications define
<a href="https://tools.ietf.org/html/rfc2634#section-1.1">triple-layering</a>:
signatures around encryption around signatures. It's not clear that
this is in wide use, or how any particular MUA should present such a
message to the user.</p>
<p>In the event that there are multiple layers of protection of a given
kind in the Cryptographic Envelope, the message should be marked based
on the properties of the inner-most layer of encryption, and the
inner-most layer of signing. The main reason for this is simplicity
-- it is unclear how to indicate arbitrary (and
potentially-interleaved) layers of signatures and encryption.</p>
<p>(FIXME: what should be done if the inner-most layer of signing can't
be validated for some reason, but one of the outer layers of signing
<em>does</em> validate? ugh MIME is too complex…)</p>
<h2 id="signed-messages-should-indicate-the-intended-recipient">Signed messages should indicate the intended recipient</h2>
<p>Ideally, all signed messages would indicate their intended recipient
as a way of defending against some forms of replay attack. For
example, Alice signs a signed message to Bob that says "please perform
task X"; Bob reformats and forwards the message to Charlie as though
it was directly from Alice. Charlie might now believes that Alice is
asking him to do task X, instead of Bob.</p>
<p>Of course, this concern also includes encrypted messages that are also
signed. However, there is no clear standard for how to include this
information in either an encrypted message or a signed message.</p>
<p>An e-mail specific mechanism is to ensure that the To: and Cc: headers
are signed appropriately (see the "Protected Headers") below.</p>
<p>See also Vincent Breitmoser's <a href="https://mailarchive.ietf.org/arch/msg/openpgp/urog4K_2FG6_mcvoqQmjO6pZvKY">proposal of Intended Recipient
Fingerprint</a>
for OpenPGP as a possible OpenPGP-specific implementation.</p>
<p>However: what should the MUA do if a message is encrypted but no
intended recipients are listed? Or what if a signature clearly
indicates the intended recipients, but does not include the current
reader? Should the MUA render the message differently somehow?</p>
<h2 id="protected-headers">Protected Headers</h2>
<p>Sadly, e-mail cryptographic protections have traditionally only
covered the body of the e-mail, and not the headers. Most users do
not (and should not have to) understand the difference. There are two
not-quite-standards for protecting the headers:</p>
<ul>
<li>
<p><a href="https://tools.ietf.org/html/draft-melnikov-smime-header-signing">message
wrapping</a>,
which puts an entire e-mail message (<code>message/rfc822</code> MIME part)
"inside" the cryptographic protections. This is also discussed in
<a href="https://tools.ietf.org/html/rfc5751#section-3.1">RFC 5751 §3.1</a>.
I don't know of any MUAs that implement this.</p>
</li>
<li>
<p><a href="https://github.com/autocrypt/memoryhole">memory hole</a>, which puts
headers on the top-level MIME part directly. This is implemented
in Enigmail and K-9 mail.</p>
</li>
</ul>
<p>These two different mechanisms are roughly equivalent, with slight
differences in how they behave for clients who can handle
cryptographic mail but have not implemented them. If a MUA is capable
of interpreting one form successfully, it probably is also capable of
interpreting the other.</p>
<p>Note that in particular, the cryptographic headers for a given message
ought to be derived directly from the headers present (in one of the
above two ways) in the root element of the Cryptographic Payload MIME
subtree itself. If headers are stored anywhere else (e.g. in one of
the leaf nodes of a complex Payload), they should not propagate to the
outside of the message.</p>
<p>If the headers the user sees are not protected, that lack of
protection may need to be clearly explained and visible to the user.
This is unfortunate because it is potentially extremely complex for
the UI.</p>
<p>The types of cryptographic protections can differ per header. For
example, it's relatively straightforward to pack all of the headers
inside the Cryptographic Payload. For a signed message, this would
mean that all headers are signed. This is the recommended approach
when generating an encrypted message. In this case, the "outside"
headers simply match the protected headers. And in the case that the
outsider headers differ, they can simply be replaced with their
protected versions when displayed to the user. This defeats the
replay attack described above.</p>
<p>But for an encrypted message, some of those protected headers will be
stripped from the outside of the message, and others will be placed in
the outer header in cleartext for the sake of deliverability. In
particular, From: and To: and Date: are placed in the clear on the
outside of the message.</p>
<p>So, consider a MUA that receives an encrypted, signed message, with
all headers present in the Cryptographic Payload (so all headers are
signed), but From: and To: and Date: in the clear on the outside.
Assume that the external Subject: reads simply "Encrypted Message",
but the internal (protected) Subject: is actually "Thursday's
Meeting".</p>
<p>When displaying this message, how should the MUA distinguish between
the Subject: and the From: and To: and Date: headers? All headers are
signed, but only Subject: has been hidden. Should the MUA assume that
the user understands that e-mail metadata like this leaks to the MTA?
This is unfortuately true today, but not something we want in the long
term.</p>
<h3 id="message-id-and-threading-headers">Message-ID and threading headers</h3>
<p>Messages that are part of an e-mail thread should ensure that
Message-Id: and References: and In-Reply-To: are signed, because those
markers provide contextual considerations for the signed content.
(e.g., a signed message saying "I like this plan!" means something
different depending on which plan is under discussion).</p>
<p>That said, given the state of the e-mail system, it's not clear what a
MUA should do if it receives a cryptographically-signed e-mail message
where these threading headers are <em>not</em> signed. That is the default
today, and we do not want to incur warning fatigue for the user.
Furthermore, unlike Date: and Subject: and From: and To: and Cc:, the
threading headers are not usually shown directly to the user, but
instead affect the location and display of messages.</p>
<p>Perhaps there is room here for some indicator at the thread level,
that all messages in a given thread are contextually well-bound? Ugh,
more UI complexity.</p>
<h3 id="protecting-headers-during-e-mail-generation">Protecting Headers during e-mail generation</h3>
<p>When generating a cryptographically-protected e-mail (either signed or
encrypted or both), the sending MUA should copy all of the headers it
knows about into the Cryptographic Payload using one of the two
techniques referenced above. For signed-only messages, that is all
that needs doing.</p>
<p>The challenging question is for encrypted messages: what headers on
the outside of the message (outside the Cryptographic Envelope) can be
to be stripped (removed completely) or stubbed (replaced with a
generic or randomized value)?</p>
<p>Subject: should obviously be stubbed -- for most users, the subject is
directly associated with the body of the message (it is not thought of
as metadata), and the Subject is not needed for deliverability. Since
some MTAs might treat a message without a Subject: poorly, and
arbitrary Subject lines are a nuisance, it is recommended to use the
exact string below for all external Subjects:</p>
<div class="highlight"><pre><span></span><code><span class="n">Subject</span><span class="o">:</span><span class="w"> </span><span class="n">Encrypted</span><span class="w"> </span><span class="n">Message</span>
</code></pre></div>
<p>However, stripping or stubbing other headers is more complex.</p>
<p>The date header can likely be stripped from the outside of an
encrypted message, or can have it its temporal resolution made much
more coarse. However, this doesn't protect much information from the
MTAs that touch the message, since they are likely to see the message
when it is in transit. It may protect the message from some metadata
analysis as it sits on disk, though.</p>
<p>The To: and Cc: headers could be stripped entirely in some cases,
though that may make the e-mail more prone to being flagged as spam.
However, some e-mail messages sent to Bcc groups are still
deliverable, with a header of</p>
<div class="highlight"><pre><span></span><code><span class="n">To</span><span class="o">:</span><span class="w"> </span><span class="n">undisclosed</span><span class="o">-</span><span class="n">recipients</span><span class="o">:;</span>
</code></pre></div>
<p>Note that the Cryptographic Envelope itself may leak metadata about
the recipient (or recipients), so stripping this information from the
external header may not be useful unless the Cryptographic Envelope is
also stripped of metadata appropriately.</p>
<p>The From: header could also be stripped or stubbed. It's not clear
whether such a message would be deliverable, particularly given DKIM
and DMARC rules for incoming domains. Note that the MTA will still
see the SMTP MAIL FROM: verb before the message body is sent, and will
use the address there to route bounces or DSNs. However, once the
message is delivered, a stripped From: header is an improvement in the
metadata available on-disk. Perhaps this is something that a
friendly/cooperative MTA could do for the user?</p>
<p>Even worse is the Message-Id: header and the associated In-Reply-To:
and References: headers. Some MUAs (like
<a href="https://notmuchmail.org">notmuch</a>) rely heavily on the Message-Id:.
A message with a stubbed-out Message-Id would effectively change its
Message-Id: when it is decrypted. This may not be a straightforward
or safe process for MUAs that are Message-ID-centric. That said, a
randomized external Message-ID: header could help to avoid leaking the
fact that the same message was sent to multiple people, so long as the
message encryption to each person was also made distinct.</p>
<p>Stripped In-Reply-To: and References: headers are also a clear
metadata win -- the MTA can no longer tell which messages are
associated with each other. However, this means that an incoming
message cannot be associated with a relevant thread without decrypting
it, something that some MUAs may not be in a position to do.</p>
<p>Recommendation for encrypted message generation in 2018: copy all
headers during message generation; stub out only the Subject for now.</p>
<p>Bold MUAs may choose to experiment with stripping or stubbing other
fields beyond Subject:, possibly in response to some sort of signal
from the recipient that they believe that stripping or stubbing some
headers is acceptable. Where should such a signal live? Perhaps a
notation in the recipient's certificate would be useful.</p>
<h1 id="key-management">Key management</h1>
<p>Key management bedevils every cryptographic scheme, e-mail or
otherwise. The simplest solution for users is to automate key
management as much as possible, making reasonable decisions for them.
The <a href="https://autocrypt.org/">Autocrypt project</a> outlines a sensible
approach here, so i'll leave most of this section short and hope that
it's covered by Autocrypt. While fully-automated key management is
likely to be susceptible either to MITM attacks or trusted third
parties (depending on the design), as a community we need to
experiment with ways to provide straightforward (possibly gamified?)
user experience that enables and encourages people to do key
verification in a fun and simple way. This should probably be done
without ever mentioning the word "key", if possible. Serious UI/UX
work is needed. I'm hoping future versions of Autocrypt will cover
that territory.</p>
<p>But however key management is done, the result for the e-mail user
experience is that that the MUA will have some sense of the "validity"
of a key being used for any particular correspondent. If it is
expressed at all, it should be done as simply as possible by default.
In particular, MUAs should avoid confusing the user with distinct
(nearly orthogonal) notions of "trust" and "validity" while reading
messages, and should not necessarily associate the validity of a
correspondent's key with the validity of a message cryptographically
associated with that correspondent's key. Identity not the same thing
as message integrity, and trustworthiness is not the same thing as
identity either.</p>
<h2 id="key-changes-over-time">Key changes over time</h2>
<p>Key management is hard enough in the moment. With a store-and-forward
system like e-mail, evaluating the validity of a signed message a year
after it was received is tough. Your concept of the correspondent's
correct key may have changed, for example. I think our understanding
of what to do in this context is not currently clear.</p>Changes for GnuPG in Debian2016-08-03T21:55:00-04:002016-08-03T21:55:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2016-08-03:/blog/changes-for-gnupg-in-debian.html<p>The <a href="https://www.gnupg.org/">GNU Privacy Guard (GnuPG)</a> upstream team
maintains three branches of development: 1.4 ("classic"), 2.0
("stable"), and 2.1 ("modern").</p>
<p>They differ in various ways: software architecture, supported
algorithms, network transport mechanisms, protocol versions, development
activity, co-installability, etc.</p>
<p>Debian currently ships two versions of GnuPG in every maintained …</p><p>The <a href="https://www.gnupg.org/">GNU Privacy Guard (GnuPG)</a> upstream team
maintains three branches of development: 1.4 ("classic"), 2.0
("stable"), and 2.1 ("modern").</p>
<p>They differ in various ways: software architecture, supported
algorithms, network transport mechanisms, protocol versions, development
activity, co-installability, etc.</p>
<p>Debian currently ships two versions of GnuPG in every maintained suite
-- in particular, <code>/usr/bin/gpg</code> has historically always been provided
by the "classic" branch.</p>
<p>That's going to change!</p>
<p>Debian unstable will soon be moving to the "modern" branch for providing
<code>/usr/bin/gpg</code>. This will give several advantages for Debian and its
users in the future, but it will require a transition. Hopefully we can
make it a smooth one.</p>
<h2 id="what-are-the-benefits">What are the benefits?</h2>
<p>Compared to "classic", The "modern" branch has:</p>
<ul>
<li>updated crypto (including elliptic curves)</li>
<li>componentized architecture (e.g. libraries, some daemonized
processes)</li>
<li>improved key storage</li>
<li>better network access (including talking to keyservers over
<a href="https://www.torproject.org">tor</a>)</li>
<li>stronger defaults</li>
<li>more active upstream development</li>
<li>safer info representation (e.g. no more key IDs, fingerprints easier
to copy-and-paste)</li>
</ul>
<p>If you want to try this out, the changes are already made in
experimental. Please experiment!</p>
<h2 id="what-does-this-mean-for-end-users">What does this mean for end users?</h2>
<p>If you're an end user and you don't use GnuPG directly, you shouldn't
notice much of a change once the packages start to move through the rest
of the archive.</p>
<p>Even if you do use GnuPG regularly, you shouldn't notice too much of a
difference. One of the main differences is that all access to your
secret key will be handled through gpg-agent, which should be
automatically launched as needed. This means that operations like
signing and decryption will cause gpg-agent to prompt the the user to
unlock any locked keys directly, rather than gpg itself prompting the
user.</p>
<p>If you have an existing keyring, you may also notice a difference based
on a change of how your public keys are managed, though again this
transition should ideally be smooth enough that you won't notice unless
you care to investigate more deeply.</p>
<p>If you use GnuPG regularly, you might want to read the NEWS file that
ships with GnuPG and related packages for updates that should help you
through the transition.</p>
<p>If you use GnuPG in a language other than English, please install the
<code>gnupg-l10n</code> package, which contains the localization/translation files.
For versions where those files are split out of the main package,
<code>gnupg</code> explicitly <code>Recommends: gnupg-l10n</code> already, so it should be
brought in for new installations by default.</p>
<p>If you have an archive of old data that depends on known-broken
algorithms, PGP3 keys, or other deprecated material, you'll need to have
"classic" GnuPG around to access it. That will be provided in the
<code>gnupg1</code> package</p>
<h2 id="what-does-this-mean-for-package-maintainers">What does this mean for package maintainers?</h2>
<p>If you maintain a package that depends on <code>gnupg</code>: be aware that the
<code>gnupg</code> package in debian is going through this transition.</p>
<p>A few general thoughts:</p>
<ul>
<li><p>
If your package <code>Depends: gnupg</code> for signature verification only,
you might prefer to have it <code>Depends: gpgv</code> instead. <code>gpgv</code> is a
much simpler tool that the full-blown GnuPG suite, and should be
easier to manage. I'm happy to help with such a transition (we've
made it recently with <code>apt</code> already)</li>
<li><p>
If your package <code>Depends: gnupg</code> and expects <code>~/.gnupg/</code> to be laid
out in a certain way, that's almost certainly going to break at some
point. <code>~/.gnupg/</code> is GnuPG's internal storage, and it's not
recommended to rely on any specific data structures there, as they
may change. <code>gpg</code> offers commands like <code>--export</code>, <code>--import</code>, and
<code>--delete</code> for manipulating its persistent storage. please use them
instead!</li>
<li><p>
If your package depends on parsing or displaying <code>gpg</code>'s output for
the user, please make sure you use its special machine-readable form
(<code>--with-colons</code>). Parsing the human-readable text is not advised
and may change from version to version.</li>
</ul>
<p>If you maintain a package that depends on <code>gnupg2</code> and tries to use
<code>gpg2</code> instead of <code>gpg</code>, that should stay ok. However, at some point
it'd be nice to get rid of <code>/usr/bin/gpg2</code> and just have one expected
binary (<code>gpg</code>). So you can help with that:</p>
<ul>
<li><p>
Look for places where your package expects <code>gpg2</code> and make it try
<code>gpg</code> instead. If you can make your code fall back cleanly</li>
<li><p>
Change your dependencies to indicate <code>gnupg (>= 2)</code></li>
<li><p>
Patch <code>lintian</code> to encourage other people to make this switch ;)</li>
</ul>
<h2 id="what-specifically-needs-to-happen">What specifically needs to happen?</h2>
<p>The last major step for this transition was renaming the source package
for "classic" GnuPG to be <code>gnupg1</code>. This transition is currently in the
ftp-master's NEW queue. Once it makes it through that queue, and both
<code>gnupg1</code> and <code>gnupg2</code> have been in experimental for a few days without
reports of dangerous breakage, we'll upload both <code>gnupg1</code> and <code>gnupg2</code>
to unstable.</p>
<p>We'll also need to do some triage on the BTS, reassigning some reports
which are really only relevant for the "classic" branch.</p>
<p>Please report bugs via the BTS as usual! You're also welcome to ask
questions and make suggestions on #debian-gnupg on irc.oftc.net, or to
mail the Debian GnuPG packaging team at
<a href="https://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gnupg-maint">pkg-gnupg-maint@lists.alioth.debian.org</a>.</p>
<p>Happy hacking!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/gnupg">gnupg</a></p>
</p>Challenge: one reproducible package a week2015-06-04T02:31:00-04:002015-06-04T02:31:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2015-06-04:/blog/challenge-one-reproducible-package-a-week.html<p>I encourage anyone interested in debian development to get involved with
<a href="https://wiki.debian.org/ReproducibleBuilds">the Reproducible Builds
project</a>. My own project is
to try to diagnose (and hopefully provide patches for) two
unreproducible packages a week. Maybe you can do one package a week?</p>
<p>Reproducible Builds is another example of the kind of …</p><p>I encourage anyone interested in debian development to get involved with
<a href="https://wiki.debian.org/ReproducibleBuilds">the Reproducible Builds
project</a>. My own project is
to try to diagnose (and hopefully provide patches for) two
unreproducible packages a week. Maybe you can do one package a week?</p>
<p>Reproducible Builds is another example of the kind of audacious project
that I celebrated in <a href="https://www.debian-administration.org/users/dkg/weblog/114">my last blog
post</a>.</p>
<p>It's a fun way to learn a little bit about different parts of the
archive, and to help on an incrementally-improving process. My workflow
below is meant to encourage folks to join in. The documentation <a href="https://wiki.debian.org/ReproducibleBuilds">on the
wiki</a> is certainly more
authoritative (and will be more up-to-date in the future).</p>
<p>My usual workflow is this:</p>
<ul>
<li>Visit <a href="https://reproducible.debian.net/unstable/amd64/index_no_notes.html">the list of unreproducible packages "with no
notes"</a>
-- these are packages that are known to not build reproducibly, but
no one else has diagnosed.</li>
<li>Click on a package basically at random (but if you notice one that
you are familiar with in that list, go ahead and pick it!)</li>
<li>That will take you to a page showing the <a href="https://tracker.debian.org/pkg/debbindiff">debbindiff (difference
between binary packages)</a>
of the two builds. Sometimes, this shows an obvious difference, like
<a href="https://reproducible.debian.net/dbd/unstable/amd64/cloc_1.60-1.debbindiff.html">the difference for cloc, which shows that the man page embeds the
build
time</a>.<ul>
<li>If you have a guess about what's wrong, but don't feel sure, pop
over to the <code>#debian-reproducible</code> IRC channel on <code>irc.oftc.net</code>
-- usually there are friendly people there who will discuss it
with you.</li>
<li>If you find a debbindiff that is completely indecipherable, go
back and pick another package</li>
</ul>
</li>
<li>
<p>Fetch the package source. I like to use <code>debcheckout</code> from the
<a href="https://tracker.debian.org/pkg/devscript">devscripts</a> package, so
that i can work with the maintainer's revision control system of
choice. With <code>cloc</code> above, i'd do:</p>
<div class="highlight"><pre><span></span><code>debcheckout cloc
</code></pre></div>
<p>If that failed for some reason, I would use:</p>
<div class="highlight"><pre><span></span><code>apt-get source cloc
</code></pre></div>
</li>
<li>
<p>Change into the source directory you just unpacked and use your
preferred tools (i like good old <code>grep</code> and <code>find</code>) to figure out
where the affected file is created, and how it derives its variance.
You might want to look through <a href="https://reproducible.debian.net/index_issues.html">the list of known causes of
unreproducibility</a>
to see if there are any similar suggestions there.</p>
</li>
<li>If you can fix the variance, make a patch!</li>
<li>
<p>File a bug report with your diagnosis (and with your patch if you
have one). I write my bug reports as a simple e-mail, with the
subject line describing what i found, and with a header referring it
to the r-b project, like this:</p>
<div class="highlight"><pre><span></span><code><span class="n">Source</span><span class="o">:</span><span class="w"> </span><span class="n">packagenameVersion</span><span class="o">:</span><span class="w"> </span><span class="n">packageversionTags</span><span class="o">:</span><span class="w"> </span><span class="n">patchSeverity</span><span class="o">:</span><span class="w"> </span><span class="n">wishlistUser</span><span class="o">:</span><span class="w"> </span><span class="n">reproducible</span><span class="o">-</span><span class="n">builds</span><span class="err">@</span><span class="n">lists</span><span class="o">.</span><span class="na">alioth</span><span class="o">.</span><span class="na">debian</span><span class="o">.</span><span class="na">orgUsertags</span><span class="o">:</span><span class="w"> </span><span class="n">closest</span><span class="o">-</span><span class="n">usertagX</span><span class="o">-</span><span class="n">Debbugs</span><span class="o">-</span><span class="n">CC</span><span class="o">:</span><span class="w"> </span><span class="n">reproducible</span><span class="o">-</span><span class="n">builds</span><span class="err">@</span><span class="n">lists</span><span class="o">.</span><span class="na">alioth</span><span class="o">.</span><span class="na">debian</span><span class="o">.</span><span class="na">org</span>
</code></pre></div>
<p>When choosing the “closest usertag”, i look at the <a href="https://reproducible.debian.net/reproducible.html#usertagged-bugs">"Usertagged
bugs" block on the R-B continuous integration
dashboard</a>
or <a href="https://wiki.debian.org/ReproducibleBuilds/Contribute#How_to_report_bugs">the wiki
documentation</a>
to see what makes sense.</p>
</li>
<li>
<p>If you find that this is an example of one of the <a href="https://reproducible.debian.net/index_issues.html">known
issues</a>, you can
also note it in <a href="https://anonscm.debian.org/cgit/reproducible/notes.git">the notes.git
repository</a>,
or just mailing a description of what you found to <a href="https://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds">the
reproducible-builds mailing
list</a>.</p>
</li>
</ul>
<p>The information at <a href="https://wiki.debian.org/ReproducibleBuilds">the R-B wiki
page</a> is quite detailed if
you want more info.</p>
<p>Finally, many many thanks to all of the people involved in the project,
and particularly to <code>h01ger</code> and <code>Lunar^</code>, who have both contributed a
ton of work, and have also made it easy to plug in and help as a
less-involved contributor. The nice automatically-updated statistics
provided by <a href="https://reproducible.debian.net/">the team's continuous integration
work</a> makes it a fun game to help out.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/challenge">challenge</a>,
<a href="https://debian-administration.org/tag/reproducible%20builds">reproducible
builds</a></p>
</p>Cheers to audacity!2015-05-08T18:43:00-04:002015-05-08T18:43:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2015-05-08:/blog/cheers-to-audacity.html<p>When <a href="https://lists.debian.org/debian-devel-announce/2015/04/msg00005.html">paultag recently announced a project to try to move debian
infrastructure to
python3</a>,
my first thought was how large that undertaking would likely be. It
seems like a classic engineering task, full of work and nit-picky
details to get right, useful/necessary in the long-term, painful in the
short-term …</p><p>When <a href="https://lists.debian.org/debian-devel-announce/2015/04/msg00005.html">paultag recently announced a project to try to move debian
infrastructure to
python3</a>,
my first thought was how large that undertaking would likely be. It
seems like a classic engineering task, full of work and nit-picky
details to get right, useful/necessary in the long-term, painful in the
short-term, and if you manage to pull it off successfully, the best you
can usually hope for is that no one will notice that it was done at all.</p>
<p>I always find that kind of task a little off-putting and difficult to
tackle, but I was happy to see someone driving the project, since it
does need to get done. Debian is potentially also in a position to help
the upstream python community, because we have a pretty good view of
what things are being used, at least within our own ecosystem.</p>
<p>I'm happy to say that i also missed one of the other great benefits of
paultag's audacious proposal, which is how it has engaged people who
already knew about debian but who aren't yet involved. Evidence of this
engagement is already visible on <a href="https://lists.alioth.debian.org/mailman/listinfo/py3porters-devel">the py3porters-devel mailing
list</a>.
But if that wasn't enough, I ran into a friend recently who told me,
"Hey, I found a way to contribute to debian finally!" and pointed me to
the py3-porters project. People want to contribute to the project, and
are looking for ways in.</p>
<p>So cheers to the people who propose audacious projects and make them
inviting to everyone, newcomers included. And cheers to the people who
step up to potentially daunting work, stake out a task, roll up their
sleeves, and pitch in. Even if the py3porters project doesn't move all
of debian's python infrastructure to pyt3 as fast as paultag wants it
to, i think it's already a win for the project as a whole. I am looking
forward to seeing what comes out of it (and it's reminding me i need to
port some of my own python work, too!)</p>
<p>The next time you stumble over something big that needs doing in debian,
even something that might seem impossible, please make it inviting, and
dive in. The rest of the project will grow and improve from the attempt.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/py3-porters">py3-porters</a></p>
</p>Preferred Packaging Practices2015-05-01T19:41:00-04:002015-05-01T19:41:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2015-05-01:/blog/preferred-packaging-practices.html<p>I just took a few minutes to write up <a href="https://wiki.debian.org/DanielKahnGillmor/preferred_packaging">my preferred Debian packaging
practices</a>.</p>
<p>The basic gist is that i like to use <code>git-buildpackage</code> (<code>gbp</code>) with the
upstream source included in the repo, both as tarballs (with
<code>pristine-tar</code> branches) and including upstream's native VCS history
(<a href="http://joeyh.name/blog/entry/upstream_git_repositories/">Joey's arguments about syncing with …</a></p><p>I just took a few minutes to write up <a href="https://wiki.debian.org/DanielKahnGillmor/preferred_packaging">my preferred Debian packaging
practices</a>.</p>
<p>The basic gist is that i like to use <code>git-buildpackage</code> (<code>gbp</code>) with the
upstream source included in the repo, both as tarballs (with
<code>pristine-tar</code> branches) and including upstream's native VCS history
(<a href="http://joeyh.name/blog/entry/upstream_git_repositories/">Joey's arguments about syncing with upstream
git</a> are worth
reading if you're not already convinced this is a good idea).</p>
<p>I also started using <code>gbp-pq</code> recently -- the <code>patch-queue</code> feature is
really useful for at least three things:</p>
<ul>
<li>rebasing your <code>debian/patches/</code> files when a new version comes out
upstream -- you can use all your normal git rebase habits! and</li>
<li>facilitating sending patches upstream, hopefully reducing the
divergence, and</li>
<li>cherry-picking new as-yet-unreleased upstream bugfix patches into a
debian release.</li>
</ul>
<p>My preferred packaging practices document is a work in progress. I'd
love to improve it. If you have suggestions, please let me know.</p>
<p>Also, if you've written up your own preferred packaging practices, send
me a link! I'm hoping to share and learn tips and tricks around this
kind of workflow <a href="https://summit.debconf.org/debconf15/meeting/194/git-buildpackage-skillshare/">at debconf 15 this
year</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/git">git</a>,
<a href="https://debian-administration.org/tag/git-buildpackage">git-buildpackage</a>,
<a href="https://debian-administration.org/tag/packaging">packaging</a></p>
</p>Bootable grub USB stick (EFI and BIOS for Intel)2015-03-16T23:12:00-04:002015-03-16T23:12:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2015-03-16:/blog/bootable-grub-usb-stick-efi-and-bios-for-intel.html<p>I'm using <a href="https://www.gnu.org/software/grub/">grub</a> version
2.02\~beta2-2.</p>
<p>I want to make a USB stick that's capable of booting Intel architecture
EFI machines, both 64-bit (x86_64) and 32-bit (ia32). I'm starting from
a USB stick which is attached to a running debian system as <code>/dev/sdX</code>.
I have nothing that i …</p><p>I'm using <a href="https://www.gnu.org/software/grub/">grub</a> version
2.02\~beta2-2.</p>
<p>I want to make a USB stick that's capable of booting Intel architecture
EFI machines, both 64-bit (x86_64) and 32-bit (ia32). I'm starting from
a USB stick which is attached to a running debian system as <code>/dev/sdX</code>.
I have nothing that i care about on that USB stick, and <strong>all data on it
will be destroyed by this process</strong>.</p>
<p>I'm also going to try to make it bootable for traditional Intel BIOS
machines, since that seems handy.</p>
<p>I'm documenting what I did here, in case it's useful to other people.</p>
<p>Set up the USB stick's partition table:</p>
<div class="highlight"><pre><span></span><code>parted /dev/sdX -- mktable gpt
parted /dev/sdX -- mkpart biosgrub fat32 1MiB 4MiB
parted /dev/sdX -- mkpart efi fat32 4MiB -1
parted /dev/sdX -- set 1 bios_grub on
parted /dev/sdX -- set 2 esp on
</code></pre></div>
<p>After this, my 1GiB USB stick looks like:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">foo</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">parted</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sdX</span><span class="w"> </span><span class="o">--</span><span class="w"> </span><span class="kr">print</span>
<span class="n">Model</span><span class="p">:</span><span class="w"> </span><span class="n">USB</span><span class="w"> </span><span class="n">FLASH</span><span class="w"> </span><span class="n">DRIVE</span><span class="w"> </span><span class="p">(</span><span class="n">scsi</span><span class="p">)</span>
<span class="n">Disk</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sdX</span><span class="p">:</span><span class="w"> </span><span class="mf">1032</span><span class="n">MB</span>
<span class="n">Sector</span><span class="w"> </span><span class="n">size</span><span class="w"> </span><span class="p">(</span><span class="nb">log</span><span class="n">ical</span><span class="o">/</span><span class="n">physical</span><span class="p">):</span><span class="w"> </span><span class="mf">512</span><span class="n">B</span><span class="o">/</span><span class="mf">512</span><span class="n">B</span>
<span class="n">Partition</span><span class="w"> </span><span class="nb">Tab</span><span class="n">le</span><span class="p">:</span><span class="w"> </span><span class="n">gpt</span>
<span class="n">Disk</span><span class="w"> </span><span class="n">Flags</span><span class="p">:</span><span class="w"> </span>
<span class="n">Number</span><span class="w"> </span><span class="n">Start</span><span class="w"> </span><span class="kr">End</span><span class="w"> </span><span class="n">Size</span><span class="w"> </span><span class="n">File</span><span class="w"> </span><span class="kr">sys</span><span class="n">tem</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">Flags</span>
<span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="mf">1049</span><span class="n">kB</span><span class="w"> </span><span class="mf">4194</span><span class="n">kB</span><span class="w"> </span><span class="mf">3146</span><span class="n">kB</span><span class="w"> </span><span class="n">fat32</span><span class="w"> </span><span class="n">biosgrub</span><span class="w"> </span><span class="n">bios_grub</span>
<span class="w"> </span><span class="mf">2</span><span class="w"> </span><span class="mf">4194</span><span class="n">kB</span><span class="w"> </span><span class="mf">1031</span><span class="n">MB</span><span class="w"> </span><span class="mf">1027</span><span class="n">MB</span><span class="w"> </span><span class="n">efi</span><span class="w"> </span><span class="n">boot</span><span class="p">,</span><span class="w"> </span><span class="n">esp</span>
<span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">foo</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span>
</code></pre></div>
<p>make a filesystem and mount it temporarily at <code>/mnt</code>:</p>
<div class="highlight"><pre><span></span><code>mkfs -t vfat -n GRUB /dev/sdX2
mount /dev/sdX2 /mnt
</code></pre></div>
<p>ensure we have the binaries needed, and add three grub targets for the
different platforms:</p>
<div class="highlight"><pre><span></span><code>apt install grub-efi-ia32-bin grub-efi-amd64-bin grub-pc-bin grub2-common
grub-install --removable --no-nvram --no-uefi-secure-boot \
--efi-directory=/mnt --boot-directory=/mnt \
--target=i386-efi
grub-install --removable --no-nvram --no-uefi-secure-boot \
--efi-directory=/mnt --boot-directory=/mnt \
--target=x86_64-efi
grub-install --removable --boot-directory=/mnt \
--target=i386-pc /dev/sdX
</code></pre></div>
<p>At this point, you should add anything else you want to <code>/mnt</code> here! For
example:</p>
<ul>
<li>a kernel and initramfs from your own computer</li>
<li><a href="https://www.debian.org/devel/debian-installer/">debian-installer ISOs</a></li>
<li>firmware blobs for that annoying proprietary device</li>
<li>BIOS updates</li>
<li><a href="http://debirf.cmrg.net/autobuilds/">debirf images</a></li>
<li><a href="https://tracker.debian.org/pkg/invaders">grub-invaders</a></li>
<li>...</li>
</ul>
<p>And don't forget to cleanup:</p>
<div class="highlight"><pre><span></span><code>umount /mnt
sync
</code></pre></div>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/bios">bios</a>,
<a href="https://debian-administration.org/tag/efi">efi</a>,
<a href="https://debian-administration.org/tag/grub">grub</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>a10n for l10n2014-12-12T23:00:00-05:002014-12-12T23:00:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2014-12-12:/blog/a10n-for-l10n.html<p>The abbreviated title above means "Appreciation for Localization" :)</p>
<p>I wanted to say a word of thanks for the awesome work done by <a href="https://wiki.debian.org/L10n">debian
localization teams</a>. I speak English, and
my other language skills are weak. I'm lucky: most software I use is
written by default in a language that I …</p><p>The abbreviated title above means "Appreciation for Localization" :)</p>
<p>I wanted to say a word of thanks for the awesome work done by <a href="https://wiki.debian.org/L10n">debian
localization teams</a>. I speak English, and
my other language skills are weak. I'm lucky: most software I use is
written by default in a language that I can already understand.</p>
<p>The debian localization teams do great work in making sure that packages
in debian gets translated into many other languages, so that many more
people around the world can take advantage of free software.</p>
<p>I was reminded of this work recently (again) with the great patches
submitted to <a href="https://wiki.debian.org/Teams/GnuPG">GnuPG and related
packages</a>. The changes were made by
many different people, and coordinated with the debian GnuPG packaging
team by David Prévot.</p>
<p>This work doesn't just help debian and its users. These localizations
make their way back upstream to the original projects, which in turn are
available to many other people.</p>
<p>If you use debian, and you speak a language other than english, and you
want to give back to the community, please consider <a href="https://wiki.debian.org/L10n">joining one of the
localization teams</a>. They are a great way
to help out our project's top <a href="https://www.debian.org/social_contract">priorities: our users and free
software</a>.</p>
<p>Thank you to all the localizers!</p>
<p>(this post was inspired by <a href="http://info.comodo.priv.at/blog/archive/2014/12/">gregoa's debian advent
calendar</a>. i won't be
posting public words of thanks as frequently or as diligently as he
does, any more than i'll be fixing the number of RC bugs that he fixes.
This are just two of the ways that gregoa consistently leads the
community by example. He's an inspiration, even if living up to his
example is a daunting challenge.)</p>GnuPG 2.1.0 in debian experimental2014-11-06T23:27:00-05:002014-11-06T23:27:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2014-11-06:/blog/gnupg-210-in-debian-experimental.html<p>Today, i uploaded GnuPG 2.1.0 into debian's experimental suite. It's
built for <code>amd64</code> and <code>i386</code> and <code>powerpc</code> already. You can <a href="https://buildd.debian.org/status/package.php?p=gnupg2&suite=experimental">monitor its
progress on the
buildds</a>
to see when it's available for your architecture.</p>
<h3 id="changes">Changes</h3>
<p><a href="https://gnupg.org/faq/whats-new-in-2.1.html">GnuPG 2.1 offers many new and interesting
features</a>, but one of the …</p><p>Today, i uploaded GnuPG 2.1.0 into debian's experimental suite. It's
built for <code>amd64</code> and <code>i386</code> and <code>powerpc</code> already. You can <a href="https://buildd.debian.org/status/package.php?p=gnupg2&suite=experimental">monitor its
progress on the
buildds</a>
to see when it's available for your architecture.</p>
<h3 id="changes">Changes</h3>
<p><a href="https://gnupg.org/faq/whats-new-in-2.1.html">GnuPG 2.1 offers many new and interesting
features</a>, but one of the
most important changes is the introduction of elliptic curve crypto
(ECC). While GnuPG 2.1 discourages the creation of ECC keys by default,
it's important that we have the ability to verify ECC signatures and to
encrypt to ECC keys if other people are using this tech. It seems
likely, for example, that <a href="https://code.google.com/p/end-to-end/">Google's End-To-End Chrome OpenPGP
extension</a> will use ECC. GnuPG
users who don't have this capability available won't be able to
communicate with End-To-End users.</p>
<p>There are many other architectural changes, including a move to more
daemonized interactions with the outside world, including using
<code>dirmngr</code> to talk to the keyservers, and relying more heavily on
<code>gpg-agent</code> for secret key access. The <code>gpg-agent</code> change is a welcome
one -- the agent now holds the secret key material entirely and never
releases it -- as of 2.1 <code>gpg2</code> never has any asymmetric secret key
material in its process space at all.</p>
<p>One other nice change for those of us with large keyrings is the new
keybox format for public key material. This provides much faster indexed
access to the public keyring.</p>
<p>I've been using GnuPG 2.1.0 betas regularly for the last month, and i
think that for the most part, they're ready for regular use.</p>
<h3 id="timing-for-debian">Timing for debian</h3>
<p>The timing between the debian freeze and the GnuPG upstream is
unfortunate, but i don't think i'm prepared to push for this as a jessie
transition yet, without more backup. I'm talking to other members of the
GnuPG packaging team to see if they think this is worth even bringing to
the attention of the release team, but i'm not pursuing it at the
moment.</p>
<p>If you really want to see this in debian jessie, please install the
experimental package and let me know how it works for you.</p>
<h3 id="long-term-migration-concerns">Long term migration concerns</h3>
<p>GnuPG upstream is now maintaining three branches concurrently: modern
(2.1.x), stable (2.0.x), and classic (1.4.x). I think this is stretches
the GnuPG upstream development team too thin, and we should do what we
can to help them transition to supporting fewer releases concurrently.</p>
<p>In the long-term, I'd ultimately like to see gnupg 2.1.x to replace all
use of gpg 1.4.x and gpg 2.0.x in debian, but unlikely to to happen
right now.</p>
<p>In particular, the following two bugs make it impossible to use my
current, common monkeysphere workflow:</p>
<ul>
<li><a href="https://bugs.g10code.com/gnupg/issue1753"><code>export-reset-subkey-passwd</code> doesn't
work</a>, which breaks
<code>monkeysphere subkey-to-ssh-agent</code>.</li>
<li><a href="https://bugs.g10code.com/gnupg/issue1754">pluggable keyserver transports no longer
work</a>, which means that i
can't use <code>hkpms://</code> access to keyservers.</li>
</ul>
<p>And GnuPG 2.1.0 drops support for the older, known-weak OpenPGPv3 key
formats. This is an important step for simplification, but there are a
few people who probably <a href="http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029054.html">still need to use v3 keys for obscure/janky
reasons</a>,
or have data encrypted to a v3 key that they need to be able to decrypt.
Those people will want to have GnuPG 1.4 around.</p>
<h3 id="call-for-testing">Call for testing</h3>
<p>Anyway, if you use debian testing or unstable, and you are interested in
these features, i invite you to install `gnupg2` and its friends from
<code>experimental</code>. If you want to be sensibly conservative, i recommend
backing up `\~/.gnupg` before trying to use it:</p>
<div class="highlight"><pre><span></span><code>cp -aT .gnupg .gnupg.baksudo apt install -t experimental gnupg2 gnupg-agent dirmngr gpgsm gpgv2 scdaemon
</code></pre></div>
<p>If you find issues, please file them via the debian BTS as usual. I (or
other members of the pkg-gnupg team) will help you triage them to
upstream as needed.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/ecc">ecc</a>,
<a href="https://debian-administration.org/tag/experimental">experimental</a>,
<a href="https://debian-administration.org/tag/gnupg">gnupg</a></p>
</p>OTR key replacement (heartbleed)2014-04-14T18:43:00-04:002014-04-14T18:43:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2014-04-14:/blog/otr-key-replacement-heartbleed.html<p>I'm replacing my OTR key for XMPP because of heartbleed (see below).</p>
<p>If the plain ASCII text below is mangled beyond verification, you can
retrieve a copy of it <a href="https://dkg.fifthhorseman.net/dkg-xmpp-otr-key-2014.txt">from my web
site</a> that
should be able to be verified.</p>
<div class="highlight"><pre><span></span><code><span class="c1">-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512OTR Key Replacement for XMPP dkg …</span></code></pre></div><p>I'm replacing my OTR key for XMPP because of heartbleed (see below).</p>
<p>If the plain ASCII text below is mangled beyond verification, you can
retrieve a copy of it <a href="https://dkg.fifthhorseman.net/dkg-xmpp-otr-key-2014.txt">from my web
site</a> that
should be able to be verified.</p>
<div class="highlight"><pre><span></span><code><span class="c1">-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512OTR Key Replacement for XMPP dkg@jabber.org===========================================Date: 2014-04-14My main XMPP account is dkg@jabber.org.I prefer OTR [0] conversations when using XMPP for privatediscussions.I was using irssi to connect to XMPP servers, and irssi relies onOpenSSL for the TLS connections. I was using it with versions ofOpenSSL that were vulnerable to the "Heartbleed" attack [1]. It'spossible that my OTR long-term secret key was leaked via this attack.As a result, I'm changing my OTR key for this account.The new, correct OTR fingerprint for the XMPP account at dkg@jabber.org is: F8953C5D 48ABABA2 F48EE99C D6550A78 A91EF63DThanks for taking the time to verify your peers' fingerprints. Securecommunication is important not only to protect yourself, but also toprotect your friends, their friends and so on.Happy Hacking, --dkg (Daniel Kahn Gillmor)Notes:[0] OTR: https://otr.cypherpunks.ca/[1] Heartbleed: http://heartbleed.com/-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQJ8BAEBCgBmBQJTTBF+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVBNTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcYwkQAKLzEnTV1lrK6YrhdvRnuYnhBh9Ad2ZY44RQmN+STMEnCJ4OWbn5qx/NrziNVUZN6JddrEvYUOxME6K0mGHdY2KRyjLYudsBuSMZQ+5crZkE8rjBL8vDj8Dbn3mHyT8bAbB9cmASESeQMu96vni15ePd2sB7iBofee9YAoiewI+xRvjo2aRX8nbFSykoIusgnYG2qwo2qPaBVOjmoBPB5YRIPkN0/hAh11Ky0qQ/GUROytp/BMJXZx2rea2xHs0mplZLqJrX400u1Bawllgz3gfVqQKKNc3st6iHf3F6p6Z0db9NRq+AJ24fTJNcQ+t07vMZHCWM+hTelofvDyBhqG/rl8e4gdSh/zWTR/7TR3ZYLCiZzU0uYNd0rE3CcxDbnGTUS1ZxooykWBNIPJMl1DUEzzcrQleLS5tna1b9la3rJWtFIATyO4dvUXXa9wU3c3+Wr60cSXbsK5OCct2KmiWYfJme0bpM5m1j7B8QwLzKqy/+YgOOJ05QDVbBZwJn1B7rvUYmb968yLQUqO5Q87L4GvPB1yY+2bLLF2oFMJJzFmhKuAflslRXyKcAhTmtKZY+hUpxoWuVa1qLU3bQCUSEMlC4Hv6vaq14BEYLeopoSb7THsIcUdRjho+WEKPkryj6aVZM5WnIGIS/4QtYvWpk3UsXFdVZGfE9rfCOLf0F=BGa1-----END PGP SIGNATURE-----</span>
</code></pre></div>
</p>Inline-PGP considered harmful2014-02-24T02:09:00-05:002014-02-24T02:09:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2014-02-24:/blog/inline-pgp-considered-harmful.html<p>We changed the default PGP signatures generated by enigmail in debian
from Inline PGP to PGP/MIME <a href="http://packages.qa.debian.org/e/enigmail/news/20130125T183232Z.html">last
year</a>,
and the experiment has gone well enough that we're now using it in
jessie and wheezy (where it arrived as part of a security update to make
the extension work with …</p><p>We changed the default PGP signatures generated by enigmail in debian
from Inline PGP to PGP/MIME <a href="http://packages.qa.debian.org/e/enigmail/news/20130125T183232Z.html">last
year</a>,
and the experiment has gone well enough that we're now using it in
jessie and wheezy (where it arrived as part of a security update to make
the extension work with the security-updated icedove package).</p>
<p>After having several people poke me in different contexts about why
inline cleartext PGP signatures are a bad idea, i got sufficiently tired
of repeating myself, and finally <a href="https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/">documented some of the problems
explicitly</a>.</p>
<p>The report includes a demonstration of a content-tampering attack that
changes the meaning of a signed inline-PGP message without breaking the
signature, which i first worked out <a href="http://thread.gmane.org/gmane.mail.notmuch.general/15643/focus=15744">on the notmuch mailing
list</a>,
but hadn't gotten around to demonstrating until recently.</p>
<p>The attack is demonstrated against clearsigned messages, but also works
against inline encrypted messages (but is harder to demonstrate since a
demonstration would require sharing secret key material for the
decryption step).</p>
<p>Please don't generate Inline-PGP messages. And if you must parse and
accept them, please consider carefully the risks you expose your users
to and think about ways to mitigate the problems.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/charset">charset</a>,
<a href="https://debian-administration.org/tag/inline-pgp">inline-pgp</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/security">security</a></p>
</p>Kevin M. Igoe should step down from CFRG Co-chair2013-12-21T22:55:00-05:002013-12-21T22:55:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-12-21:/blog/kevin-m-igoe-should-step-down-from-cfrg-co-chair.html<p>I've <a href="https://www.debian-administration.org/users/dkg/weblog/102">said
recently</a>
that pervasive surveillance is wrong. I don't think anyone from the NSA
should have a leadership position in the development or deployment of
Internet communications, because their interests are at odds with the
interest of the rest of the Internet. But someone at the NSA is in …</p><p>I've <a href="https://www.debian-administration.org/users/dkg/weblog/102">said
recently</a>
that pervasive surveillance is wrong. I don't think anyone from the NSA
should have a leadership position in the development or deployment of
Internet communications, because their interests are at odds with the
interest of the rest of the Internet. But someone at the NSA is in
exactly such a position. They ought to step down.</p>
<p>Here's the background:</p>
<p>The <a href="https://www.irtf.org">Internet Research Task Force (IRTF)</a> is a
body tasked with research into underlying concepts, themes, and
technologies related to the Internet as a whole. They act as a research
organization that cooperates and complements the engineering and
standards-setting activities of the <a href="https://www.ietf.org">Internet Engineering Task Force
(IETF)</a>.</p>
<p>The IRTF is divided into issue-specific research groups, each of which
has a Chair or Co-Chairs who have "<a href="http://wiki.tools.ietf.org/html/rfc2014#section-5.3">wide discretion in the conduct of
Research Group
business</a>", and are
tasked with organizing the research and discussion, ensuring that the
group makes progress on the relevant issues, and communicating the
general sense of the results back to the rest of the IRTF and the IETF.</p>
<p>One of the IRTF's research groups specializes in cryptography: the
<a href="https://www.irtf.org/cfrg">Crypto Forum Research Group (CFRG)</a>. There
are two current chairs of the CFRG: David McGrew <code><mcgrew@cisco.com></code>
and Kevin M. Igoe <code><kmigoe@nsa.gov></code>. As you can see from his e-mail
address, Kevin M. Igoe is affiliated with the <a href="https://en.wikipedia.org/wiki/National_Security_Agency">National Security Agency
(NSA)</a>. The NSA
itself actively tries to weaken cryptography on the Internet so that
they can improve their surveillance, and one of the ways they try to do
so is to "<a href="http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0">influence policies, standards, and
specifications</a>".</p>
<p>On the CFRG list yesterday, <a href="http://trevp.net/">Trevor Perrin</a>
<a href="https://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html">requested the removal of Kevin M. Igoe from his position as Co-chair of
the
CFRG</a>.
Trevor's specific arguments rest heavily on the technical merits of a
proposed cryptographic mechanism called <a href="https://tools.ietf.org/html/draft-irtf-cfrg-dragonfly">Dragonfly key
exchange</a>, but I
think the focus on Dragonfly itself is the least of the concerns for the
IRTF.</p>
<p>I've <a href="https://www.ietf.org/mail-archive/web/cfrg/current/msg03570.html">seconded Trevor's
proposal</a>,
and asked
<a href="https://debian-administration.org/weblog/feeds/kmigoe@nsa.gov">Kevin</a>
directly to step down and to provide us with information about any
attempts by the NSA to interfere with or subvert recommendations coming
from these standards bodies.</p>
<p>Below is my letter in full:</p>
<blockquote>
<div class="highlight"><pre><span></span><code><span class="k">From</span><span class="err">:</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="nv">@fifthhorseman</span><span class="p">.</span><span class="n">net</span><span class="o">></span><span class="k">To</span><span class="err">:</span><span class="w"> </span><span class="n">cfrg</span><span class="nv">@ietf</span><span class="p">.</span><span class="n">org</span><span class="p">,</span><span class="w"> </span><span class="n">Kevin</span><span class="w"> </span><span class="n">M</span><span class="p">.</span><span class="w"> </span><span class="n">Igoe</span><span class="w"> </span><span class="o"><</span><span class="n">kmigoe</span><span class="nv">@nsa</span><span class="p">.</span><span class="n">gov</span><span class="o">></span><span class="nc">Date</span><span class="err">:</span><span class="w"> </span><span class="n">Sat</span><span class="p">,</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="k">Dec</span><span class="w"> </span><span class="mi">2013</span><span class="w"> </span><span class="mi">16</span><span class="err">:</span><span class="mi">29</span><span class="err">:</span><span class="mi">13</span><span class="w"> </span><span class="o">-</span><span class="mi">0500</span><span class="nl">Subject</span><span class="p">:</span><span class="w"> </span><span class="nl">Re</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n">Cfrg</span><span class="o">]</span><span class="w"> </span><span class="n">Requesting</span><span class="w"> </span><span class="n">removal</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">CFRG</span><span class="w"> </span><span class="n">co</span><span class="o">-</span><span class="n">chairOn</span><span class="w"> </span><span class="mi">12</span><span class="o">/</span><span class="mi">20</span><span class="o">/</span><span class="mi">2013</span><span class="w"> </span><span class="mi">11</span><span class="err">:</span><span class="mi">01</span><span class="w"> </span><span class="n">AM</span><span class="p">,</span><span class="w"> </span><span class="n">Trevor</span><span class="w"> </span><span class="n">Perrin</span><span class="w"> </span><span class="nl">wrote</span><span class="p">:</span><span class="o">></span><span class="w"> </span><span class="n">I</span><span class="s1">'d like to request the removal of Kevin Igoe from CFRG co-chair.Regardless of the conclusions that anyone comes to about Dragonflyitself, I agree with Trevor that Kevin M. Igoe, as an employee of theNSA, should not remain in the role of CFRG co-chair.While the NSA clearly has a wealth of cryptographic knowledge andexperience that would be useful for the CFRG, the NSA is apparentlyengaged in a series of attempts to weaken cryptographic standards andtools in ways that would facilitate pervasive surveillance ofcommunication on the Internet.The IETF'</span><span class="n">s</span><span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">position</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">favor</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">privacy</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">rightlyidentifies</span><span class="w"> </span><span class="n">pervasive</span><span class="w"> </span><span class="n">surveillance</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Internet</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">serious</span><span class="w"> </span><span class="nl">problem</span><span class="p">:</span><span class="nl">https</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">ietf</span><span class="p">.</span><span class="n">org</span><span class="o">/</span><span class="n">media</span><span class="o">/</span><span class="mi">2013</span><span class="o">-</span><span class="mi">11</span><span class="o">-</span><span class="mi">07</span><span class="o">-</span><span class="n">internet</span><span class="o">-</span><span class="n">privacy</span><span class="o">-</span><span class="ow">and</span><span class="o">-</span><span class="n">security</span><span class="p">.</span><span class="n">htmlThe</span><span class="w"> </span><span class="n">documents</span><span class="w"> </span><span class="n">Trevor</span><span class="w"> </span><span class="n">points</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="p">(</span><span class="ow">and</span><span class="w"> </span><span class="n">others</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="k">similar</span><span class="w"> </span><span class="n">stories</span><span class="p">)</span><span class="n">indicate</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">NSA</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">organization</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">odds</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">goals</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">IETF</span><span class="p">.</span><span class="k">While</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">IETF</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">continue</span><span class="w"> </span><span class="n">welcoming</span><span class="w"> </span><span class="n">technical</span><span class="w"> </span><span class="n">insight</span><span class="w"> </span><span class="n">anddiscussion</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">everyone</span><span class="p">,</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">think</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">appropriate</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">anyonefrom</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">NSA</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">position</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">coordination</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">leadership</span><span class="p">.</span><span class="c1">----Kevin, the responsible action for anyone in your position is toacknowledge the conflict of interest, and step down promptly from theposition of Co-Chair of the CFRG.If you happen to also subscribe to the broad consensus described in theIETF's recent announcement -- that is, if you care about privacy andsecurity on the Internet -- then you should also reveal any NSA activityyou know about that attempts to subvert or weaken the cryptographicunderpinnings of IETF protocols.Regards, --dkg</span>
</code></pre></div>
</blockquote>
<p>I'm aware that an abdication by Kevin (or his removal by the IETF chair)
would probably not end the NSA's attempts to subvert standards bodies or
weaken encryption. They could continue to do so by subterfuge, for
example, or by private influence on other public members. We may not be
able to stop them from doing this in secret, and the knowledge that they
may do so seems likely to cast a pall of suspicion over any IETF and
IRTF proceedings in the future. This social damage is serious and
troubling, and it marks yet another cost to the NSA's reckless
institutional disregard for civil liberties and free communication.</p>
<p>But even if we cannot rule out private NSA influence over standards
bodies and discussion, we can certainly explicitly reject any public
influence over these critical communications standards by members of an
institution so at odds with the core principles of a free society.</p>
<p>Kevin M. Igoe, please step down from the CFRG Co-chair position.</p>
<p>And to anyone (including Kevin) who knows about specific attempts by the
NSA to undermine the communications standards we all rely on: please
blow the whistle on this kind of activity. Alert a friend, a colleague,
or a journalist. Pervasive surveillance is an attack on all of us, and
those who resist it are heroes.</p>automatically have uscan check signatures2013-12-18T03:15:00-05:002013-12-18T03:15:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-12-18:/blog/automatically-have-uscan-check-signatures.html<p>If you maintain software in debian, one of your regular maintenance
tasks is checking for new upstream versions, reviewing them, and
preparing them for debian if appropriate. One of those steps is often to
verify the cryptographic signature on the upstream source archive.</p>
<p>At the moment, most maintainers do the …</p><p>If you maintain software in debian, one of your regular maintenance
tasks is checking for new upstream versions, reviewing them, and
preparing them for debian if appropriate. One of those steps is often to
verify the cryptographic signature on the upstream source archive.</p>
<p>At the moment, most maintainers do the cryptographic check manually, or
maybe even don't bother to do it at all. For the common case of detached
OpenPGP signatures, though,
<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=uscan">uscan</a> can now
do it for you automatically (as of
<a href="http://packages.debian.org/devscripts">devscripts</a> version 2.13.3). You
just need to tell uscan what keys you expect upstream to be signing
with, and how to find the detached signature.</p>
<p>So, for example, <a href="https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031897.html">Damien Miller recently announced his new key that he
will be using to sign OpenSSH
releases</a>
(his new key has OpenPGP fingerprint
<code>59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30</code> -- you can verify it
has been cross-signed by his older key, and his older key has been
revoked with the indication that it was superceded by this one). Having
done a reasonable verification of Damien's key, if i was the <code>openssh</code>
package maintainer, i'd do the following:</p>
<div class="highlight"><pre><span></span><code><span class="n">cd</span><span class="w"> </span><span class="o">~/</span><span class="n">src</span><span class="o">/</span><span class="n">openssh</span><span class="o">/</span><span class="n">mkdir</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="n">debian</span><span class="o">/</span><span class="n">upstreamgpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="o">-</span><span class="n">options</span><span class="w"> </span><span class="k">export</span><span class="o">-</span><span class="n">minimal</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="s1">'59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30'</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="n">debian</span><span class="o">/</span><span class="n">upstream</span><span class="o">/</span><span class="n">signing</span><span class="o">-</span><span class="n">key</span><span class="o">.</span><span class="n">asc</span>
</code></pre></div>
<p>And then upon noticing that the signature files are named with a simple
<code>.asc</code> suffix on <a href="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/">the upstream distribution
site</a>, we can use
the following <code>pgpsigurlmangle</code> option in <code>debian/watch</code>:</p>
<div class="highlight"><pre><span></span><code>version=3opts=pgpsigurlmangle=s/$/.asc/ ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-(.*)\.tar\.gz
</code></pre></div>
<p>I've filed this specific example as <a href="http://bugs.debian.org/732441">debian bug
#732441</a>. If you notice a package with
upstream signatures that aren't currently being checked by uscan (or if
you are upstream, you sign your packages, and you want your debian
maintainer to verify them), you can file similar bugs. Or, if you
maintain a package for debian, you can just fix up your package so that
this check is there on the next upload.</p>
<p>If you maintain a package whose upstream doesn't sign their releases,
ask them why not -- wouldn't upstream prefer that their downstream users
can verify that each release wasn't tampered with?</p>
<p>Of course, none of these checks take the the place of the real work of a
debian package maintainer: reviewing the code and the changelogs,
thinking about what changes have happened, and how they fit into the
broader distribution. But it helps to automate one of the basic
safeguards we should all be using. Let's eliminate the possibility that
the file was tampered with at the upstream distribution mirror or while
in transit over the network. That way, the maintainer's time and energy
can be spent where they're more needed.</p>
<p>UPDATED 2015-05-03: use the currently-preferred location for the signing
key.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/crypto">crypto</a>,
<a href="https://debian-administration.org/tag/devscripts">devscripts</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>, <a href="https://debian-administration.org/tag/package%20maintenance">package
maintenance</a>,
<a href="https://debian-administration.org/tag/signatures">signatures</a>,
<a href="https://debian-administration.org/tag/uscan">uscan</a></p>
</p>OpenPGP Key IDs are not useful2013-12-13T20:04:00-05:002013-12-13T20:04:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-12-13:/blog/openpgp-key-ids-are-not-useful.html<h3 id="fingerprints-and-key-ids">Fingerprints and Key IDs</h3>
<p><a href="https://tools.ietf.org/html/rfc4880#section-12.2">OpenPGPv4
fingerprints</a> are made
from an SHA-1 digest over the key's public key material, creation date,
and some boilerplate. SHA-1 digests are 160 bits in length. The "long
key ID" of a key is the last 64 bits of the key's fingerprint. The
"short key ID …</p><h3 id="fingerprints-and-key-ids">Fingerprints and Key IDs</h3>
<p><a href="https://tools.ietf.org/html/rfc4880#section-12.2">OpenPGPv4
fingerprints</a> are made
from an SHA-1 digest over the key's public key material, creation date,
and some boilerplate. SHA-1 digests are 160 bits in length. The "long
key ID" of a key is the last 64 bits of the key's fingerprint. The
"short key ID" of a key is the last 32 bits of the key's fingerprint.
You can see both of the key IDs as a hash in and of themselves, as
"32-bit truncated SHA-1" is a sort of hash (albeit not a
cryptographically secure one).</p>
<p>I'm arguing here that short Key IDs and long Key IDs are actually
useless, and we should stop using them entirely where we can do so. We
certainly should not be exposing normal human users to them.</p>
<p><em>(Note that I am not arguing that OpenPGP v4 fingerprints themselves are
cryptographically insecure. I do not believe that there are any serious
cryptographic risks currently associated with OpenPGP v4 fingerprints.
This post is about Key IDs specifically, not fingerprints.)</em></p>
<h3 id="key-ids-have-serious-problems">Key IDs have serious problems</h3>
<p><a href="http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html">Asheesh pointed out two years
ago</a>
that OpenPGP short key IDs are bad because they are trivial to
replicate. This is called a <a href="https://en.wikipedia.org/wiki/Preimage_attack">preimage
attack</a> against the short
key ID (which is just a truncated fingerprint).</p>
<p>Today, <a href="https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html">David Leon Gil demonstrated that a collision attack against the
long key ID is also
trivial</a>.
A <a href="https://en.wikipedia.org/wiki/Collision_resistance">collision attack</a>
differs from a preimage attack in that the attacker gets to generate two
different things that both have the same digest. Collision attacks are
easier than preimage attacks because of <a href="https://en.wikipedia.org/wiki/Birthday_problem">the birthday
paradox</a>. dlg's
colliding keys are not a surprise, but hopefully the explicit
demonstration can serve as a wakeup call to help us improve our
infrastructure.</p>
<p>So this is <em>not</em> a way to spoof a specific target's long key ID on its
own. But it indicates that it's more of a worry than most people tend to
think about or plan for. And remember that for a search space as small
as 64-bits (the long key ID), if you want to find a pre-image against
<em>any one of</em> <code>2k</code> keys, your search is actually only in a <code>(64-k)</code>-bit
space to find a single pre-image.</p>
<p>The particularly bad news: gpg doesn't cope well with the two keys that
have the same long key ID:</p>
<div class="highlight"><pre><span></span><code><span class="mi">0</span> <span class="n">dkg</span><span class="nd">@alice</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">gpg</span> <span class="o">--</span><span class="kn">import</span> <span class="nn">xgpg</span><span class="p">:</span> <span class="n">key</span> <span class="n">B8EBE1AF</span><span class="p">:</span> <span class="n">public</span> <span class="n">key</span> <span class="s2">"9E669861368BCA0BE42DAF7DDDA252EBB8EBE1AF"</span> <span class="n">importedgpg</span><span class="p">:</span> <span class="n">Total</span> <span class="n">number</span> <span class="n">processed</span><span class="p">:</span> <span class="mi">1</span><span class="n">gpg</span><span class="p">:</span> <span class="n">imported</span><span class="p">:</span> <span class="mi">1</span> <span class="p">(</span><span class="n">RSA</span><span class="p">:</span> <span class="mi">1</span><span class="p">)</span><span class="mi">0</span> <span class="n">dkg</span><span class="nd">@alice</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">gpg</span> <span class="o">--</span><span class="kn">import</span> <span class="nn">ygpg</span><span class="p">:</span> <span class="n">key</span> <span class="n">B8EBE1AF</span><span class="p">:</span> <span class="n">doesn</span><span class="s1">'t match our copygpg: Total number processed: 12 dkg@alice:~$ </span>
</code></pre></div>
<p>This probably also means that <code>caff</code> (from the <a href="http://packages.qa.debian.org/signing-party"><code>signing-party</code>
package</a>) will also choke
when trying to deal with these two keys.</p>
<p>I'm sure there are other OpenPGP-related tools that will fail in the
face of two keys with matching 64-bit key IDs.</p>
<h3 id="we-should-not-use-key-ids">We should not use Key IDs</h3>
<p>I am more convinced than ever that key IDs (both short and long) are
actively problematic to real-world use of OpenPGP. We want two things
from a key management framework: unforgability, and human-intelligible
handles. Key IDs fail at both.</p>
<ul>
<li>Fingerprints are unforgable (as much as SHA-1's preimage resistance,
anyway -- that's a separate discussion), but they aren't
human-intelligible.</li>
<li>User IDs are human-intelligible, and they are unforgable if we can
rely on a robust keysigning network.</li>
<li>Key IDs (both short and long) are neither human-intelligible nor
unforgable (regardless of existence of a keysigning network), so
they are the worst of all possible worlds.</li>
</ul>
<p>So reasonable tools should not expose either short or long key IDs to
users, or use them internally if they can avoid them. They do not have
any properties we want, and in the worst case, they actively mislead
people or lead them into harm. What reasonable tool should do that?</p>
<h3 id="how-to-replace-key-ids">How to replace Key IDs</h3>
<p>If we're not going to use Key IDs, what should we do instead?</p>
<p>For anything human-facing, we should be using human-intelligible things
like user IDs and creation dates. These are trivial to forge, but people
can relate to them. This is better than offering the user something that
is <em>also</em> trivial to forge, but that people cannot relate to. The job of
any key management UI should be to interpret the cryptographic
assurances provided by the certifications and present that to the user
in a comprehensible way.</p>
<p>For anything not human-facing (e.g. key management data storage, etc),
we should be using the full key itself. We'll also want to store the
full fingerprint as an index, since that is used for communication and
key exchange (e.g. on calling cards).</p>
<p>There remain parts of the spec (e.g.
<a href="https://tools.ietf.org/html/rfc4880#section-5.1">PK-ESK</a>, <a href="https://tools.ietf.org/html/rfc4880#section-5.2.3.5">Issuer
subpackets</a>) that
make some use of the long key ID in ways that provide some measure of
convenience but no real cryptographic security. We should fix the spec
to stop using those, and either remove them entirely, or replace them
with the full fingerprints. These fixes are not as urgent as the
user-facing changes or the critical internal indexing fixes, though.</p>
<p>Key IDs are not useful. We should stop using them.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/collision">collision</a>,
<a href="https://debian-administration.org/tag/crypto">crypto</a>,
<a href="https://debian-administration.org/tag/gpg">gpg</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/pgp">pgp</a>,
<a href="https://debian-administration.org/tag/security">security</a></p>
</p>The legal utility of deniability in secure chat2013-12-05T23:14:00-05:002013-12-05T23:14:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-12-05:/blog/the-legal-utility-of-deniability-in-secure-chat.html<p>This Monday, I attended <a href="https://www.calyxinstitute.org/events/multiparty-otr-and-deniability">a workshop on Multi-party Off the Record
Messaging and
Deniability</a>
hosted by the Calyx Institute. The discussion was a combination of legal
and technical people, looking at how the characteristics of this
particular technology affect (or do not affect) the law.</p>
<p>This is a report-back, since …</p><p>This Monday, I attended <a href="https://www.calyxinstitute.org/events/multiparty-otr-and-deniability">a workshop on Multi-party Off the Record
Messaging and
Deniability</a>
hosted by the Calyx Institute. The discussion was a combination of legal
and technical people, looking at how the characteristics of this
particular technology affect (or do not affect) the law.</p>
<p>This is a report-back, since I know other people wanted to attend. I'm
not a lawyer, but I develop software to improve communications security,
I care about these questions, and I want other people to be aware of the
discussion. I hope I did not misrepresent anything below. I'd be happy
if anyone wants to offer corrections.</p>
<h2 id="background">Background</h2>
<p><a href="https://otr.cypherpunks.ca/">Off the Record Messaging (OTR)</a> is a way
to secure instant messaging (e.g. jabber/XMPP, gChat, AIM).</p>
<p>The two most common characteristics people want from a secure instant
messaging program are:</p>
<dl>
<dt>Authentication</dt>
<dd>Each participant should be able to know specifically who the other
parties are on the chat.</dd>
<dt>Confidentiality</dt>
<dd>The content of the messages should only be intelligible to the
parties involved with the chat; it should appear opaque or encrypted
to anyone else listening in. Note that confidentiality effectively
depends on authentication -- if you don't know who you're talking
to, you can't make sensible assertions about confidentiality.</dd>
</dl>
<p>As with many other modern networked encryption schemes, OTR relies on
each user maintaining a long-lived "secret key", and publishing a
corresponding "public key" for their peers to examine. These keys are
critical for providing authentication (and by extension, for
confidentiality).</p>
<p>But OTR offers several interesting characteristics beyond the common
two. Its most commonly cited characteristics are "forward secrecy" and
"deniability".</p>
<dl>
<dt>Forward secrecy</dt>
<dd>Assuming the parties communicating are operating in good faith,
forward secrecy offers protection against a special kind of
adversary: one who logs the encrypted chat, and subsequently steals
either party's long-term secret key. Without forward secrecy, such
an adversary would be able to discover the content of the messages,
violating the confidentiality characteristic. With forward secrecy,
this adversary is be stymied and the messages remain confidential.</dd>
<dt>Deniability</dt>
<dd>Deniability only comes into play when one of the parties is no
longer operating in good faith (e.g. their computer is compromised,
or they are collaborating with an adversary). In this context, if
Alice is chatting with Bob, she does not want Bob to be able to
cryptographically prove to anyone else that she made any of the
specific statements in the conversation. This is the focus of
Monday's discussion.
<p>
To be clear, this kind of deniability means Alice can correctly say
"you have no cryptographic proof I said <em>X</em>", but it does not let
her assert "here is cryptographic proof that I <em>did not</em> say <em>X</em>" (I
can't think of any protocol that offers the latter assertion). The
opposite of deniability is a cryptographic proof of origin, which
usually runs something like "only someone with access to Alice's
secret key could have said <em>X</em>."</dd>
</dl>
<p>The traditional two-party OTR protocol has offered both forward secrecy
and deniability for years. But deniability in particular is a
challenging characteristic to provide for group chat which is the domain
of Multi-Party OTR (mpOTR). You can read <a href="http://thread.gmane.org/gmane.comp.security.otr.user/1453">some past discussion about the
challenges of deniability in mpOTR (and why it's harder when there are
more than two people
chatting)</a>
from <a href="http://lists.cypherpunks.ca/mailman/listinfo/otr-users">the otr-users mailing
list</a>.</p>
<h2 id="if-youre-not-doing-anything-wrong">If you're not doing anything wrong...</h2>
<p>The discussion was well-anchored by a comment from another participant
who cheekily asked "If you're not doing anything wrong, why do you need
to hide your chat at all, let alone be able to deny it?"</p>
<p>The general sense of the room was that we'd all heard this question many
times, from many people. There are lots of problems with the ideas
behind the question from many perspectives. But just from a legal
perspective, there are at least two problems with the way this question
is posed:</p>
<ul>
<li>laws themselves are not always just (e.g. consider chat
communications between an interracial couple in the USA <a href="https://en.wikipedia.org/wiki/Loving_v._Virginia">before
1967</a>, if instant
messaging had existed at the time), and</li>
<li>law enforcement (or a legal adversary in civil litigation) may have
a different understanding or interpretation of the law than you do
(e.g. consider chat communications between a corporate or government
whistleblower and a journalist).</li>
</ul>
<p>In these situations, people confront real risk from the law. If we care
about these people, we need to figure out if we can build systems to
help them reduce that legal risk (of course we also need to fix broken
laws, and the legal environment in general, but those approaches were
out of scope for this discussion).</p>
<h2 id="the-legal-utility-of-deniability">The Legal Utility of Deniability</h2>
<p>Monday's meeting was called specifically because it wasn't clear how
much real-world usefulness there is in the "deniability" characteristic,
and whether this feature is worth the development effort and
implementation tradeoffs required. In particular, the group was
interested in deniability's utility in legal contexts; many (most?)
people in the room were lawyers, and it's also not clear that
deniability has much utility outside of a formal legal setting. If your
adversary isn't constrained by some rule of law, they probably won't
care at all whether there is a cryptographic proof or not that you wrote
a particular message (In retrospect, one possible exception is exposure
in the media, but we did not discuss that scenario).</p>
<h3 id="places-of-possible-usefulness">Places of possible usefulness</h3>
<p>So where might deniability come in handy during civil litigation or a
criminal trial? Presumably the circumstance is that a piece of a chat
log is offered as incriminating evidence, and the defendant is trying to
deny something that they appear to have said in the log.</p>
<p>This denial could take place in two rather different contexts: during
rules over admissibility of evidence, or (once admitted) in front of a
jury.</p>
<p>In legal wrangling over admissibility, apparently a lot of horse-trading
can go on -- each side concedes some things in exchange for the other
side conceding other things. It appears that cryptographic proof of
origin (that is, a <em>lack</em> of deniability) on the chat logs themselves
might reduce the amount of leverage a defense lawyer can get from
conceding or arguing strongly over that piece of evidence. For example,
if the chain of custody of a chat transcript is fuzzy (i.e. the
transcript could have been mishandled or modified somehow before
reaching trial), then a cryptographic proof of origin would make it much
harder for the defense to contest the chat transcript on the grounds of
tampering. Deniability would give the defense more bargaining power.</p>
<p>In arguing about already-admitted evidence before a jury, deniability in
this sense seems like a job for expert witnesses, who would need to
convince the jury of their interpretation of the data. There was a lot
of skepticism in the room over this, both around the possibility of most
jurors really understanding what OTR's claim of deniability actually
means, and on jurors' ability to distinguish this argument from a bogus
argument presented by an opposing expert witness who is willing to lie
about the nature of the protocol (or who misunderstands it and passes on
their misunderstanding to the jury).</p>
<p>The complexity of the tech systems involved in a data-heavy prosecution
or civil litigation are themselves opportunities for lawyers to argue
(and experts to weigh in) on the general reliability of these systems.
Sifting through the quantities of data available and ensuring that the
appropriate evidence is actually findable, relevant, and suitably
preserved for the jury's inspection is a hard and complicated job, with
room for error. OTR's deniability might be one more element in a
multi-pronged attack on these data systems.</p>
<p>These are the most compelling arguments for the legal utility of
deniability that I took away from the discussion. I confess that they
don't seem particularly strong to me, though some level of "avoiding a
weaker position when horse-trading" resonates with me.</p>
<p>What about the arguments against its utility?</p>
<h3 id="limitations">Limitations</h3>
<p>The most basic argument against OTR's deniability is that courts don't
care about cryptographic proof for digital evidence. People are
convicted or lose civil cases based on unsigned electronic
communications (e.g. normal e-mail, plain chat logs) all the time. OTR's
deniability doesn't provide any legal cover stronger than trying to
claim you didn't write a given e-mail that appears to have originated
from your account. As someone who understands the forgeability of
e-mail, i find this overall situation troubling, but it seems to be
where we are.</p>
<p>Worse, OTR's deniability doesn't cover <em>whether</em> you had a conversation,
just <em>what you said</em> in that conversation. That is, Bob can still
cryptographically prove to an adversary (or before a judge or jury) that
he had a communication with someone controlling Alice's secret key
(which is probably Alice); he just can't prove that Alice herself said
any particular part of the conversation he produces.</p>
<p>Additionally, there are runtime tradeoffs depending on how the protocol
manages to achieve these features. For example, forward secrecy itself
requires an additional round trip or two when compared to authenticated,
encrypted communications without forward secrecy (a "round trip" is a
message from Alice to Bob followed by a message back from Bob to Alice).</p>
<p>Getting proper deniability into the mpOTR spec might incur extra latency
(imagine having to wait 60 seconds after everyone joins before starting
a group chat, or a pause in the chat of 15 seconds when a new member
joins) or extra computational power (meaning that they might not work
well on slower/older devices) or an order of magnitude more bandwidth
(meaning that chat might not work at all on a weak connection). There
could also simply be complexity that makes it harder to correctly
implement a protocol with deniability than an alternate protocol without
deniability. Incorrectly-implemented software can put its users at risk.</p>
<p>I don't know enough about the current state of mpOTR to know what the
specific tradeoffs are for the deniability feature, but it's clear there
will be some. Who decides whether the tradeoffs are worth the feature?</p>
<h3 id="other-kinds-of-deniability">Other kinds of deniability</h3>
<p>Further weakening the case for the legal utility of OTR's deniability,
there seem to be other ways to get deniability in a legal context over a
chat transcript.</p>
<p>There are deniability arguments that can be made from outside the
protocol. For example, you can always claim someone else took control of
your computer while you were asleep or using the bathroom or eating
dinner, or you can claim that your computer had a virus that exported
your secret key and it must have been used by someone else.</p>
<p>If you're desperate enough to sacrifice your digital identity, you could
arrange to have your secret key published, at which point anyone can
make signed statements with it. Having forward secrecy makes it possible
to expose your secret key without exposing the content of your past
communications to any listener who happened to log them.</p>
<h3 id="conclusion">Conclusion</h3>
<p>My takeaway from the discussion is that the legal utility of OTR's
deniability is non-zero, but quite low; and that development energy
focused on deniability is probably only justified if there are very few
costs associated with it.</p>
<p>Several folks pointed out that most communications-security tools are
too complicated or inconvenient to use for normal people. If we have
limited development energy to spend on securing instant messaging,
usability and ubiquity would be a better focus than this form of
deniability.</p>
<p>Secure chat systems that take too long to make, that are too complex, or
that are too cumbersome are not going to be adopted. But this doesn't
mean people won't chat at all -- they'll just use cleartext chat, or
maybe they'll use supposedly "secure" protocols with even worse
properties: for example, without proper end-to-end authentication
(permitting spoofing or impersonation by the server operator or
potentially by anyone else); with encryption that is reversible by the
chatroom operator or flawed enough to be reversed by any listener with a
powerful computer; without forward secrecy; or so on.</p>
<p>As a demonstration of this, we heard some lawyers in the room admit to
using Skype to talk with their clients <em>even though they know it's not a
safe communications channel because their clients' adversaries might
have access to the skype messaging system itself</em>.</p>
<p>My conclusion from the meeting is that there are a few particular
situations where deniability could be useful legally, but that overall,
it is not where we as a community should be spending our development
energy. Perhaps in some future world where all communications are
already authenticated, encrypted, and forward-secret by default, we can
look into improving our protocols to provide this characteristic, but
for now, we really need to work on usability, popularization, and wide
deployment.</p>
<h3 id="thanks">Thanks</h3>
<p>Many thanks to <a href="https://www.calyxinstitute.org/about/board/nicholas-merrill">Nick
Merrill</a>
for organizing the discussion, to <a href="http://ccrjustice.org/about-us/staff-board/kadidal,-shayana">Shayana
Kadidal</a>
and <a href="http://istanleycohen.org/">Stanley Cohen</a> for providing a wealth of
legal insight and legal experience, to <a href="http://ritter.vg/">Tom Ritter</a>
for an excellent presentation of the technical details, and to everyone
in the group who participated in the interesting and lively discussion.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/chat">chat</a>,
<a href="https://debian-administration.org/tag/deniability">deniability</a>,
<a href="https://debian-administration.org/tag/otr">otr</a>,
<a href="https://debian-administration.org/tag/security">security</a></p>
</p>getting to TLS (STARTTLS HOWTO)2013-10-30T17:00:00-04:002013-10-30T17:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-10-30:/blog/getting-to-tls-starttls-howto.html<p>Many protocols today allow you to upgrade to TLS from within a cleartext
version of the protocol. This often falls under the rubric of
"STARTTLS", though different protocols have different ways of doing it.</p>
<p>I often forget the exact steps, and when i'm debugging a TLS connection
(e.g. with …</p><p>Many protocols today allow you to upgrade to TLS from within a cleartext
version of the protocol. This often falls under the rubric of
"STARTTLS", though different protocols have different ways of doing it.</p>
<p>I often forget the exact steps, and when i'm debugging a TLS connection
(e.g. with tools like <code>gnutls-cli</code>) i need to poke a remote peer into
being ready for a TLS handshake. So i'm noting the different mechanisms
here. lines starting with <code>C:</code> are from the client, lines starting with
<code>S:</code> are from the server.</p>
<p>many of these are (roughly) built into <code>openssl s_client</code>, using the
<code>-starttls</code> option. Sometimes this doesn't work because the handshake
needs tuning for a given server; other times you want to do this with a
different TLS library. To use the techniques below with <code>gnutls-cli</code>
from the <code>gnutls-bin</code> package, just provide the <code>--starttls</code> argument
(and the appropriate <code>--port XXX</code> argument), and then hit Ctrl+D when
you think it's ok to start the TLS negotiation.</p>
<h3 id="smtp">SMTP</h3>
<p>The polite SMTP handshake (on port 25 or port 587) that negotiates a TLS
upgrade looks like:</p>
<div class="highlight"><pre><span></span><code><span class="nl">C</span><span class="p">:</span><span class="w"> </span><span class="n">EHLO</span><span class="w"> </span><span class="n">myhostname</span><span class="p">.</span><span class="nl">exampleS</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n">...</span><span class="o">]</span><span class="nl">S</span><span class="p">:</span><span class="w"> </span><span class="mi">250</span><span class="o">-</span><span class="nl">STARTTLSS</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n">...</span><span class="o">]</span><span class="nl">S</span><span class="p">:</span><span class="w"> </span><span class="mi">250</span><span class="w"> </span><span class="o">[</span><span class="n">somefeature</span><span class="o">]</span><span class="nl">C</span><span class="p">:</span><span class="w"> </span><span class="nl">STARTTLSS</span><span class="p">:</span><span class="w"> </span><span class="mi">220</span><span class="w"> </span><span class="mf">2.0.0</span><span class="w"> </span><span class="n">Ready</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">start</span><span class="w"> </span><span class="n">TLS</span><span class="o"><</span><span class="n">Client</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="k">begin</span><span class="w"> </span><span class="n">TLS</span><span class="w"> </span><span class="n">handshake</span><span class="o">></span>
</code></pre></div>
<h3 id="imap">IMAP</h3>
<p>The polite IMAP handshake (on port 143) that negotiates a TLS upgrade
looks like:</p>
<div class="highlight"><pre><span></span><code><span class="n">S</span><span class="o">:</span><span class="w"> </span><span class="n">OK</span><span class="w"> </span><span class="o">[</span><span class="n">CAPABILITY</span><span class="w"> </span><span class="n">IMAP4rev1</span><span class="w"> </span><span class="o">[...]</span><span class="w"> </span><span class="n">STARTTLS</span><span class="w"> </span><span class="o">[...]]</span><span class="w"> </span><span class="o">[...]</span><span class="n">C</span><span class="o">:</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">STARTTLSS</span><span class="o">:</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">OK</span><span class="w"> </span><span class="n">Begin</span><span class="w"> </span><span class="n">TLS</span><span class="w"> </span><span class="n">negotiation</span><span class="w"> </span><span class="n">now</span><span class="o"><</span><span class="n">Client</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">begin</span><span class="w"> </span><span class="n">TLS</span><span class="w"> </span><span class="n">handshake</span><span class="o">></span>
</code></pre></div>
<h3 id="pop">POP</h3>
<p>The polite POP handshake (on port 110) that negotiates a TLS upgrade
looks like:</p>
<div class="highlight"><pre><span></span><code>S: +OK POP3 readyC: STLSS: +OK Begin TLS <Client can begin TLS handshake>
</code></pre></div>
<h3 id="xmpp">XMPP</h3>
<p>The polite XMPP handshake (on port 5222 for client-to-server, or port
5269 for server-to-server) that negiotiates a TLS upgrade looks
something like (note that the domain requested needs to be the right
one):</p>
<div class="highlight"><pre><span></span><code>C:<span class="w"> </span><span class="cp"><?xml version="1.0"?></span><span class="nt"><stream:stream</span><span class="w"> </span><span class="na">to=</span><span class="s">"example.net"</span><span class="err">C:</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">"jabber:client"</span><span class="w"> </span><span class="na">xmlns:stream=</span><span class="s">"http://etherx.jabber.org/streams"</span><span class="w"> </span><span class="na">version=</span><span class="s">"1.0"</span><span class="nt">></span>S:<span class="w"> </span><span class="cp"><?xml version='1.0'?></span>S:<span class="w"> </span><span class="nt"><stream:streamS:</span><span class="w"> </span><span class="na">xmlns:db=</span><span class="s">'jabber:server:dialback'</span><span class="err">S:</span><span class="w"> </span><span class="na">xmlns:stream=</span><span class="s">'http://etherx.jabber.org/streams'</span><span class="err">S:</span><span class="w"> </span><span class="na">version=</span><span class="s">'1.0'</span><span class="err">S:</span><span class="w"> </span><span class="na">from=</span><span class="s">'example.net'</span><span class="err">S:</span><span class="w"> </span><span class="na">id=</span><span class="s">'d34edc7c-22bd-44b3-9dba-8162da5b5e72'</span><span class="err">S:</span><span class="w"> </span><span class="na">xml:lang=</span><span class="s">'en'</span><span class="err">S:</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">'jabber:server'</span><span class="nt">></span>S:<span class="w"> </span><span class="nt"><stream:features></span>S:<span class="w"> </span><span class="nt"><dialback</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">'urn:xmpp:features:dialback'</span><span class="nt">/></span>S:<span class="w"> </span><span class="nt"><starttls</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">'urn:ietf:params:xml:ns:xmpp-tls'</span><span class="nt">/></span>S:<span class="w"> </span><span class="nt"></stream:features></span>C:<span class="w"> </span><span class="nt"><starttls</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">"urn:ietf:params:xml:ns:xmpp-tls"</span><span class="w"> </span><span class="na">id=</span><span class="s">"1"</span><span class="nt">/></span>S:<span class="w"> </span><span class="nt"><proceed</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">'urn:ietf:params:xml:ns:xmpp-tls'</span><span class="nt">/><Client</span><span class="w"> </span><span class="err">can</span><span class="w"> </span><span class="err">begin</span><span class="w"> </span><span class="err">TLS</span><span class="w"> </span><span class="err">handshake</span><span class="nt">></span>
</code></pre></div>
<h3 id="nntp">NNTP</h3>
<p>RogerBW (in the comments below) points out that <a href="https://tools.ietf.org/html/rfc4642">NNTP has TLS
support</a>:</p>
<div class="highlight"><pre><span></span><code><span class="n">C</span><span class="o">:</span><span class="w"> </span><span class="n">CAPABILITIESS</span><span class="o">:</span><span class="w"> </span><span class="o">[...]</span><span class="n">S</span><span class="o">:</span><span class="w"> </span><span class="n">STARTTLSS</span><span class="o">:</span><span class="w"> </span><span class="o">[...]</span><span class="n">S</span><span class="o">:</span><span class="w"> </span><span class="o">.</span><span class="na">C</span><span class="o">:</span><span class="w"> </span><span class="n">STARTTLSS</span><span class="o">:</span><span class="w"> </span><span class="mi">382</span><span class="w"> </span><span class="n">Continue</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">TLS</span><span class="w"> </span><span class="n">negotiation</span><span class="o"><</span><span class="n">Client</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">begin</span><span class="w"> </span><span class="n">TLS</span><span class="w"> </span><span class="n">handshake</span><span class="o">></span>
</code></pre></div>
<h3 id="postgresql">PostgreSQL</h3>
<p>I got mail from James Cloos suggesting how to negotiate an upgrade to
TLS over <a href="http://www.postgresql.org/">the PostgreSQL RDBMS</a>. He points
to <a href="http://www.postgresql.org/docs/9.3/static/protocol.html">the protocol
docs</a>, and in
particular, to
<a href="http://www.postgresql.org/docs/9.3/static/protocol-flow.html#AEN98759">multiple</a>
<a href="http://www.postgresql.org/docs/9.3/static/protocol-flow.html#AEN99048">protocol</a>
<a href="http://www.postgresql.org/docs/9.3/static/protocol-message-types.html">flow</a>
documents, and <a href="http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html">SSLRequest and StartupMessage chunks of the protocol
spec</a>
(and clarification that <a href="http://www.postgresql.org/docs/9.3/static/protocol-overview.html#PROTOCOL-FORMAT-CODES">data is sent in network byte
order</a>).
It won't work in a text-mode communication, but it's worth noting here
anyway:</p>
<p>The client starts by sending these eight octets:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="n">x00</span><span class="w"> </span><span class="mf">0</span><span class="n">x00</span><span class="w"> </span><span class="mf">0</span><span class="n">x00</span><span class="w"> </span><span class="mf">0</span><span class="n">x08</span><span class="w"> </span><span class="mf">0</span><span class="n">x04</span><span class="w"> </span><span class="mf">0</span><span class="n">xD2</span><span class="w"> </span><span class="mf">0</span><span class="n">x16</span><span class="w"> </span><span class="mf">0</span><span class="n">x2F</span>
</code></pre></div>
<p>and the server replies with '<code>S</code>' for secure or '<code>N</code>' for not. If the
reply is <code>S</code>, TLS negotiation follows.</p>
<p>The message represents <code>int32(8)</code> specifying that there are 8 octets and
<code>int16(1234)</code>,<code>int16(5678)</code>. All sent in network order.</p>
<p>(The non-TLS case starts with a similar message with
<code>int16(3)</code>,<code>int16(0)</code> for protocol version 3.0. Starttls is essentially
pg protocol version 1234.5678.)</p>
<h3 id="what-else">what else?</h3>
<p>I don't know (but would like to) how to do:</p>
<ul>
<li><code>mysql</code> TLS negotiation</li>
<li>STARTTLS for LDAP</li>
<li>other reasonable network protocols capable of upgrade</li>
<li>other free TLS wrapping tools like <code>openssl s_client</code> or
<code>gnutls-cli</code> that can start off in the clear and negotiate to TLS. I
am trying <a href="http://bugs.debian.org/701141">to get libNSS's <code>tstclnt</code> into the <code>libnss3-tools</code>
package</a>, but that hasn't happened
yet.</li>
</ul>
<p>If you know other mechanisms, or see bugs with the simple handshakes
i've posted above, please let me know either by e-mail or on the
comments here.</p>
<p>Other interesting notes: <a href="https://tools.ietf.org/html/rfc2817">RFC
2817</a>, a not-widely-supported
mechanism for upgrading to TLS in the middle of a normal HTTP session.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/gnutls">gnutls</a>,
<a href="https://debian-administration.org/tag/imap">imap</a>,
<a href="https://debian-administration.org/tag/pop">pop</a>,
<a href="https://debian-administration.org/tag/postgresql">postgresql</a>,
<a href="https://debian-administration.org/tag/smtp">smtp</a>,
<a href="https://debian-administration.org/tag/starttls">starttls</a>,
<a href="https://debian-administration.org/tag/tls">tls</a>,
<a href="https://debian-administration.org/tag/xmpp">xmpp</a></p>
</p>Unaccountable surveillance is wrong2013-10-08T20:12:00-04:002013-10-08T20:12:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-10-08:/blog/unaccountable-surveillance-is-wrong.html<p>As <a href="https://debian-administration.org/users/dkg/weblog/99">I mentioned
earlier</a>, the
information in the documents released by Edward Snowden show a clear
pattern of corporate and government abuse of the information networks
that are now deeply intertwined with the lives of many people all over
the world.</p>
<p>Surveillance is a power dynamic where the party doing …</p><p>As <a href="https://debian-administration.org/users/dkg/weblog/99">I mentioned
earlier</a>, the
information in the documents released by Edward Snowden show a clear
pattern of corporate and government abuse of the information networks
that are now deeply intertwined with the lives of many people all over
the world.</p>
<p>Surveillance is a power dynamic where the party doing the spying has
power over the party being surveilled. The surveillance state that
results when one party has "<a href="http://www.nsa.gov/about/values/index.shtml">Global Cryptologic
Dominance</a>" is a seriously
bad outcome. The old saw goes "power corrupts, and absolute power
corrupts absolutely". In this case, the stated goal of my government
appears to be absolute power in this domain, with no constraint on the
inevitable corruption. If you are a supporter of any sort of a just
social contract (e.g. <a href="https://necessaryandproportionate.org/">International Principles on the Application of
Human Rights to Communications
Surveillance</a>), the situation
should be deeply disturbing.</p>
<p>One of the major sub-threads in this discussion is how the NSA and their
allies have actively tampered with and weakened the cryptographic
infrastructure that everyone relies on for authenticated and
confidential communications on the 'net. This kind of malicious work
puts everyone's communication at risk, not only those people who the NSA
counts among their "targets" (and the NSA's "target" selection methods
are themselves fraught with serious problems).</p>
<p>The US government is supposed to take pride in the checks and balances
that keep absolute power out of any one particular branch. One of the
latest attempts to simulate "checks and balances" was <a href="http://www.whitehouse.gov/the-press-office/2013/08/12/presidential-memorandum-reviewing-our-global-signals-intelligence-collec">the President's
creation</a>
of <a href="http://www.whitehouse.gov/the-press-office/2013/08/27/statement-press-secretary-review-group-intelligence-and-communications-t">a "Review
Group"</a>
to oversee the current malefactors. <a href="http://icontherecord.tumblr.com/post/60323228143/review-group-on-global-signals-intelligence">The review group then asked for
public
comment</a>.
A group of technologists (including myself) <a href="https://www.cdt.org/files/pdfs/nsa-review-panel-tech-comment.pdf">submitted a
comment</a>
demanding that the review group provide concrete technical details to
independent technologists.</p>
<p>Without knowing the specifics of how the various surveillance mechanisms
operate, the public in general can't make informed assessments about
what they should consider to be personally safe. And lack of detailed
technical knowledge also makes it much harder to mount an effective
political or legal opposition to the global surveillance state (e.g.
consider the terrible <a href="http://www.supremecourt.gov/opinions/12pdf/11-1025_ihdj.pdf">Clapper v. Amnesty
International</a>
decision, where plaintiffs were denied standing to sue the Director of
National Intelligence because they could not demonstrate that they were
being surveilled).</p>
<p>It's also worth noting that the advocates for global surveillance do not
themselves want to be surveilled, and that (for example) the NSA has
tried to obscure as much of their operations as possible, by
over-classifying documents, and making spurious claims of "national
security". This is where the surveillance power dynamic is most baldly
in play, and many parts of the US government intelligence and military
apparatus has <a href="https://en.wikipedia.org/wiki/Pentagon_Papers">a long
history</a> <a href="https://en.wikipedia.org/wiki/COINTELPRO">of
acting</a> <a href="https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_%282001%E2%80%9307%29">in bad
faith</a>
to obscure its activities.</p>
<p>The people who have been operating these surveillance systems should be
ashamed of their work, and those who have been overseeing the operation
of these systems should be ashamed of themselves. We need to better
understand the scope of the damage done to our global infrastructure so
we can repair it if we have any hope of avoiding a complete surveillance
state in the future. Getting the technical details of these compromises
in the hands of the public is one step on the path toward a healthier
society.</p>
<h3 id="postscript">Postscript</h3>
<p>Lest I be accused of optimism, let me make clear that fixing the
technical harms is necessary, but not sufficient; even if our technical
infrastructure had not been deliberately damaged, or if we manage to
repair it and stop people from damaging it again, far too many people
still regularly accept ubiquitous private (corporate) surveillance.
Private surveillance organizations (like Facebook and Google) are too
often in a position where their business interests are at odds with
their users' interests, and powerful adversaries can use a surveillance
organization as a lever against weaker parties.</p>
<p>But helping people to improve their own data sovereignty and to avoid
subjecting their friends and allies to private surveillance is a
discussion for a separate post, i think.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/cryptography">cryptography</a>,
<a href="https://debian-administration.org/tag/nsa">nsa</a></p>
</p>RIP Cookiepuss2013-09-28T04:28:00-04:002013-09-28T04:28:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-09-28:/blog/rip-cookiepuss.html<p>Yesterday, i said a sad goodbye to an old friend at <a href="http://abcnorio.org">ABC No
Rio</a>. Cookiepuss was a steadfast companion in my
volunteer shifts at the No Rio computer center, a cranky yet gregarious
presence. I met her soon after moving to New York, and have hung out
with her nearly …</p><p>Yesterday, i said a sad goodbye to an old friend at <a href="http://abcnorio.org">ABC No
Rio</a>. Cookiepuss was a steadfast companion in my
volunteer shifts at the No Rio computer center, a cranky yet gregarious
presence. I met her soon after moving to New York, and have hung out
with her nearly every week for years.</p>
<p><img alt="[Cookiepuss -- No Dogs No
Masters]" src="https://dkg.fifthhorseman.net/personal/cookie.jpg"></p>
<p>She had the run of the building at ABC No Rio, and was friends with all
sorts of people. She was known and loved by punks and fine artists, by
experimental musicians and bike mechanics, computer geeks and
librarians, travelers and homebodies, photographers, screenprinters,
anarchists, community organizers, zinesters, activists, performers, and
weirdos of all stripes.</p>
<p>For years, she received postcards from all over the world, including
several from people who had never even met her in person. In her younger
days, she was a ferocious mouser, and even as she shrank with age and
lost some of her teeth she remained excited about food.</p>
<p>She was an inveterate complainer; a pants-shredder; a cat remarkably
comfortable with dirt; a welcoming presence to newcomers and a friendly
old curmudgeon who never seemed to really hold a grudge even when i had
to do horrible things like help her trim her nails.</p>
<p>After a long life, she died having said her goodbyes, and surrounded by
people who loved her. I couldn't have asked for better, but I miss her
fiercely.</p>half a minute for science!2013-09-25T21:41:00-04:002013-09-25T21:41:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-09-25:/blog/half-a-minute-for-science.html<p>A friend is teaching a class on data analysis. She is building a simple
and rough data set for the class to examine, and to spur discussion. You
can contribute in half a minute! Here's how:</p>
<ol>
<li>get a stopwatch or other sort of timer (whatever device you're
reading this on …</li></ol><p>A friend is teaching a class on data analysis. She is building a simple
and rough data set for the class to examine, and to spur discussion. You
can contribute in half a minute! Here's how:</p>
<ol>
<li>get a stopwatch or other sort of timer (whatever device you're
reading this on probably has such a thing).</li>
<li>start the timer, but don't look at it.</li>
<li>wait for what you think is 30 seconds, and then look at the timer</li>
<li>how many actual seconds elapsed?</li>
</ol>
<p>The data doesn't need to be particularly high-precision (whole second
values are fine). The other data points my friend is looking for are age
(in years, again, whole numbers are fine) and gender.</p>
<p>You can send me your results by e-mail, (i suspect you can find my
address if you're reading this blog). Please put "half a minute for
science" in the subject line, and make sure you include:</p>
<ul>
<li>actual seconds elapsed</li>
<li>age in years</li>
<li>gender</li>
</ul>
<p>Science thanks you!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/science">science</a></p>
</p>Support privacy-respecting network services!2013-09-10T06:07:00-04:002013-09-10T06:07:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-09-10:/blog/support-privacy-respecting-network-services.html<p><a href="http://www.indiegogo.com/projects/fight-the-nsa-save-privacy-help-riseup/x/4408849">Support privacy-respecting network services! Donate to
Riseup.net!</a></p>
<p>There's a
<a href="http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security">lot</a>
of
<a href="https://www.nytimes.com/2013/09/10/business/the-border-is-a-back-door-for-us-device-searches.html?hp&_r=0&pagewanted=all">news</a>
recently about some downright <a href="https://www.propublica.org/special/no-warrant-no-problem-how-the-government-can-still-get-your-digital-data">orwellian
surveillance</a>
executed
<a href="http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras">across</a>
the
<a href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">globe</a>
by <a href="http://www.nsa.gov/">my own government</a> with the <a href="http://www.masslive.com/politics/index.ssf/2013/06/codename_prism_secret_program_data_mining.html">assistance of
major American
corporations</a>.
The scope is huge, and the implications are depressing. It's scary and
frustrating for anyone who …</p><p><a href="http://www.indiegogo.com/projects/fight-the-nsa-save-privacy-help-riseup/x/4408849">Support privacy-respecting network services! Donate to
Riseup.net!</a></p>
<p>There's a
<a href="http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security">lot</a>
of
<a href="https://www.nytimes.com/2013/09/10/business/the-border-is-a-back-door-for-us-device-searches.html?hp&_r=0&pagewanted=all">news</a>
recently about some downright <a href="https://www.propublica.org/special/no-warrant-no-problem-how-the-government-can-still-get-your-digital-data">orwellian
surveillance</a>
executed
<a href="http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras">across</a>
the
<a href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">globe</a>
by <a href="http://www.nsa.gov/">my own government</a> with the <a href="http://www.masslive.com/politics/index.ssf/2013/06/codename_prism_secret_program_data_mining.html">assistance of
major American
corporations</a>.
The scope is huge, and the implications are depressing. It's scary and
frustrating for anyone who cares about civil society, freedom of speech,
cultural autonomy, or data sovereignty.</p>
<p>As bad as the situation is, though, there are groups like
<a href="https://riseup.net">Riseup</a> and <a href="https://mayfirst.org">May First/People
Link</a> who actively resist the data dragnet.</p>
<p>The good birds at <a href="https://riseup.net/">Riseup</a> have been tireless
advocates for information autonomy for people and groups working for
liberatory social change for years. They have provided (and continue to
provide) impressive, well-administered infrastructure using free
software to help further these goals, and they have a <a href="https://www.riseup.net/riseup-and-government-faq">strong political
committment</a> to making
a better world for all of us and to resisting strongarm attempts to turn
over sensitive data. And they provide all this expertise and
infrastructure and support on a crazy shoestring of a budget.</p>
<p>So if the news has got you down, or frustrated, or upset, and you want
to do something to help improve the situation, you could do a lot worse
than <a href="http://www.indiegogo.com/projects/fight-the-nsa-save-privacy-help-riseup/x/4408849">sending some much-needed funds to help Riseup maintain an
expanding
infrastructure</a>.
This fundraising campaign will only last a few more days, so give now if
you can!</p>
<p>(note: i have worked with some of the riseup birds in the past, and hope
to continue to do so in the future. I consider it critically important
to have them as active allies in our collective work toward a better
world, which is why i'm doing the unusual thing of asking for donations
for them on my blog.)</p>gpg --ask-cert-level considered harmful2013-05-20T07:21:00-04:002013-05-20T07:21:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-05-20:/blog/gpg-ask-cert-level-considered-harmful.html<p>Occasionally, someone asks me whether we should encourage use of the
<code>--ask-cert-level</code> option when certifying OpenPGP keys with <code>gpg</code>. I see
no good reason to use this option, and i think we should discourage
people from trying to use it. I don't think there is a satisfactory
answer to the …</p><p>Occasionally, someone asks me whether we should encourage use of the
<code>--ask-cert-level</code> option when certifying OpenPGP keys with <code>gpg</code>. I see
no good reason to use this option, and i think we should discourage
people from trying to use it. I don't think there is a satisfactory
answer to the question "how will specifying the level of identity
certification concretely benefit anyone involved?", and i don't see why
we should want one.</p>
<p><code>gpg</code> gets it absolutely right by not asking users this question by
default. People should not be enabling this option.</p>
<p>Some background: <code>gpg</code>'s <code>--ask-cert-level</code> option allows the user who
is making an OpenPGP identity certification to indicate just how sure
they are of the identity they are certifying. The user's choice is then
mapped into four levels of OpenPGP certification of a User ID and
Public-Key packet, which i'll refer to by <a href="https://tools.ietf.org/html/rfc4880#page-20">their signature type
identifiers in the OpenPGP
spec</a>:</p>
<blockquote>
<dl>
<dt>0x10: Generic certification</dt>
<dd>The issuer of this certification does not make any particular
assertion as to how well the certifier has checked that the owner
of the key is in fact the person described by the User ID.</dd>
<dt>0x11: Persona certification</dt>
<dd>The issuer of this certification has not done any verification of
the claim that the owner of this key is the User ID specified.</dd>
<dt>0x12: Casual certification</dt>
<dd>The issuer of this certification has done some casual verification
of the claim of identity.</dd>
<dt>0x13: Positive certification</dt>
<dd>The issuer of this certification has done substantial verification
of the claim of identity.</dd>
</dl>
<p><p>
Most OpenPGP implementations make their "key signatures" as 0x10
certifications. Some implementations can issue 0x11-0x13
certifications, but <em>few differentiate between the types</em>.</p>
</blockquote>
<p>By default (if <code>--ask-cert-level</code> is not supplied), <code>gpg</code> issues
certificates ("signs keys") using 0x10 (generic) certifications, with
the exception of self-sigs, which are made as type 0x13 (positive).</p>
<p>When interpreting certifications, <code>gpg</code> does distinguish between
different certifications in one particular way: 0x11 (persona)
certifications are ignored; other certifications are not. (users can
change this cutoff with the <code>--min-cert-level</code> option, but it's not
clear why they would want to do so).</p>
<p>So there is no functional gain in declaring the difference between a
"normal" certification and a "positive" one, even if there were a
well-defined standard by which to assess the difference between the
"generic" and "casual" or "positive" levels; and if you're going to make
a "persona" certification, you might as well not make one at all.</p>
<p>And it gets worse: the problem is not just that such an indication is
functionally useless; encouraging people to make these kind of
assertions actively encourages leaks of a more-detailed social graph
than just encouraging everyone to use the default blanket
0x13-for-self-sigs, 0x10-for-everyone-else policy.</p>
<p>A richer public social graph means more data that can feed the ravenous
and growing appetite of the advertising-and-surveillance regimes. i find
these regimes troubling. I admit that people often leak much more
information than this indication of "how well do you know X" via tools
like Facebook, but that's no excuse to encourage them to leak still more
or to acclimatize people to the idea that the details of their personal
relationships should by default be public knowledge.</p>
<p>Lastly, the more we keep the OpenPGP network of identity certifications
(a.k.a. the "web of trust") simple, the easier it is to make sensible
and comprehensible and predictable inferences from the network about
whether a key really does belong to a given user. Minimizing the
complexity and difficulty of deciding to make a certification helps
people streamline their signing processes and reduces the amount of
cognitive overhead people spend just building the network in the first
place.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/openpgp">openpgp</a></p>
</p>OpenPGP User ID Comments considered harmful2013-05-15T02:40:00-04:002013-05-15T02:40:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-05-15:/blog/openpgp-user-id-comments-considered-harmful.html<p>Most OpenPGP User IDs look like this:</p>
<div class="highlight"><pre><span></span><code><span class="n">Jane</span><span class="w"> </span><span class="n">Q</span><span class="p">.</span><span class="w"> </span><span class="k">Public</span><span class="w"> </span><span class="o"><</span><span class="n">jane</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>This is clean, clear, and unambiguous.</p>
<p>However, some tools (<code>gpg</code>, <code>enigmail</code> among others) ask the user to
provide a "Comment:" field when they are choosing a new User ID (e.g.
when making a new key). <strong><em>These …</em></strong></p><p>Most OpenPGP User IDs look like this:</p>
<div class="highlight"><pre><span></span><code><span class="n">Jane</span><span class="w"> </span><span class="n">Q</span><span class="p">.</span><span class="w"> </span><span class="k">Public</span><span class="w"> </span><span class="o"><</span><span class="n">jane</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>This is clean, clear, and unambiguous.</p>
<p>However, some tools (<code>gpg</code>, <code>enigmail</code> among others) ask the user to
provide a "Comment:" field when they are choosing a new User ID (e.g.
when making a new key). <strong><em>These UI prompts are evil</em></strong>. The savvy user
knows to avoid entering anything in this field, so that they can end up
with a User ID like the one above. The user who provides something here
(perhaps even something inconsequential like "I like strawberries", due
to not being sure what should go in this little box) will instead end up
with a User ID like:</p>
<div class="highlight"><pre><span></span><code><span class="n">Jane</span><span class="w"> </span><span class="n">Q</span><span class="p">.</span><span class="w"> </span><span class="k">Public</span><span class="w"> </span><span class="p">(</span><span class="n">I</span><span class="w"> </span><span class="ow">like</span><span class="w"> </span><span class="n">strawberries</span><span class="p">)</span><span class="w"> </span><span class="o"><</span><span class="n">jane</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">></span>
</code></pre></div>
<p>This is bad. This means that Jane is asking the people who certify her
key+userid to certify whether she actually likes strawberries (how could
they know? what if she changes her mind? should they revoke their
certifications?) and anywhere that she is referred to by name will
include this mention of strawberries. This is not Jane's identity, and
it doesn't belong in <a href="https://tools.ietf.org/html/rfc4880#section-5.11">an OpenPGP User ID
packet</a>.</p>
<p>Furthermore, since User IDs are atomic, if Jane wants to change the
comment field (but leave her name and e-mail address the same), she will
instead need to create a new User ID, publish it, get everyone who has
certified her old key+userid to certify the key+newuserid, and then
revoke the old one.</p>
<p>It is difficult already to help people understand and participate in the
certification network that forms that backbone of OpenPGP's so-called
"web of trust". These bogus comment fields make an already-difficult
task harder. And all because of strawberries!</p>
<p>Tools like <code>enigmail</code> and <code>gpg</code> <strong><em>should not expose the "Comment:"
field to users who are generating keys or choosing new User IDs</em></strong>. If
they feel it absolutely must be present for some weird corner case that
0.1% of their users will have, they could require that the user enters
some sort of "expert mode" before prompting the user to do something
that is likely to be a mistake.</p>
<p>There is almost no legitimate reason for anyone to use this field. Let's
go through some examples of this people use, taken from some examples i
have lying around (identifying marks have been changed to protect the
innocent who were duped by this bad UI choice, but you can probably find
them on <a href="http://pool.sks-keyservers.net/">the public keyserver network</a>
if you want to hunt around):</p>
<dl>
<dt>domain repetition</dt>
<dd>
<p><code>John Q. Public (Debian) <johnqpublic@debian.org></code></p>
<p>We know you're with debian already from the <code>@debian.org</code> address.
If this is in contrast to your other address
(<code>johnqpublic@example.org</code>) so that people know where to send you
debian-related e-mail, this is still not necessary.</p>
<p><p>
Lest you think i'm just calling out debian developers, people with
<code>@ubuntu.com</code> addresses and <code>(Ubuntu)</code> comments (as well as
<code>@example.edu</code> addresses and <code>(Example University)</code> comments and
<code>@example.com</code> addresses and <code>(Example Corp)</code> comments) are out
there too.</p>
</dd>
<dt>nicknames already evident</dt>
<dd>
<p><code>John Q. Public (Johnny) <johnqpublic@example.net></code><br>
<code>John Q. Public (wackydude) <wackydude@example.net></code></p>
<p>Again, the information these comments are providing offers no clear
disambiguation from the info already contained in the name and
e-mail address, and just muddies the water about what the people who
certify this identity should actually be trying to verify before
they make their certification.</p>
</dd>
<dt>"Work"</dt>
<dd>
<p><code>John Q. Public (Work) <johnqpublic@example.com></code></p>
<p>if John's correspondents know that he works for Example Corp, then
"Work" isn't helpful to them, because they already know this as the
address that they're writing to him with. If they don't know that,
then they probably aren't writing to him at work, so they don't need
this comment either. The same problem appears (for example) with
literal comments of <code>(School)</code> next to their <code>@example.edu</code> address.</p>
</dd>
<dt>This is my nth try at this crazy system!</dt>
<dd>
<p><code>John Q. Public (This is my second key) <johnqpublic@example.com></code><br>
<code>John Q. Public (This is my primary key) <johnqpublic@example.com></code><br>
<code>John Q. Public (No wait really use this one) <johnqpublic@example.com></code></p>
<p>OpenPGP is confusing, and it can be tricky to get it right. We all
know :) This is still not part of John's identity. If you want to
designate a key as your preferred key, keep it up-to-date, get
people to certify it, and revoke or expire your old keys. People who
care can look at the timestamps on your keys and tell which ones are
the most recent ones. You do have a revocation certificate for your
key handy just in case you lose it, right?</p>
</dd>
<dt>Don't use this key</dt>
<dd>
<p><code>John Q. Public (Old key, do not use) <johnqpublic@example.com></code><br>
<code>John Q. Public (Please only use this through September 2004) <johnqpublic@example.com></code></p>
<p>This kind of sentiment is better expressed by <a href="https://tools.ietf.org/html/rfc4880#page-21">revoking the key in
question</a> or setting an
expiration time <a href="https://tools.ietf.org/html/rfc4880#section-5.2.3.6">on the
key</a> or <a href="https://tools.ietf.org/html/rfc4880#section-5.2.3.10">User
ID self-sig</a>
directly. This sentiment is not part of John's identity, and
shouldn't be included as though it were.</p>
</dd>
<dt>"none"</dt>
<dd>
<p><code>John Q. Public (none) <johnqpublic@example.com></code></p>
<p>sigh. This is clearly someone getting mixed up by the UI.</p>
</dd>
<dt>I use strong crypto!</dt>
<dd>
<p><code>John Q. Public (3092 bits of RSA) <johnqpublic@example.com></code></p>
<p>This comment refers to the strength of the key material, or the
algorithms preferred by the user. Since the User ID is associated
with the key material already, people who care about this
information can get it from the key directly. This is also not part
of the user's actual identity.</p>
</dd>
<dt>"no comment"</dt>
<dd>
<p><code>John Q. Public (no comment) <johnqpublic@example.com></code></p>
<p>This is actually not uncommon (some keyservers reply "too many
matches!"). It shows that the user is witty and can think on their
feet (at least once), but it is still not part of the user's
identity.</p>
</dd>
<dt>"offline long-term identity key"</dt>
<dd>
<p>This particular comment shows up in alarming numbers on the
keyservers:</p>
<div class="highlight"><pre><span></span><code><span class="err">`</span><span class="n">John</span><span class="w"> </span><span class="n">Q</span><span class="p">.</span><span class="w"> </span><span class="k">Public</span><span class="w"> </span><span class="p">(</span><span class="n">offline</span><span class="w"> </span><span class="n">long</span><span class="o">-</span><span class="n">term</span><span class="w"> </span><span class="k">identity</span><span class="w"> </span><span class="k">key</span><span class="p">)</span><span class="w"> </span><span class="o"><</span><span class="n">johnqpublic</span><span class="nv">@example</span><span class="p">.</span><span class="n">com</span><span class="o">></span><span class="err">`</span>
</code></pre></div>
<p>Again, this is not a part of the user's identity -- it's a statement
about how the user manages their key. If a third party wants to
certify this, presumably they need to verify it. How would they
decide whether this is true or not? It seems like it would make it
more difficult to get certifications from people who are intent on
actually verifying the User ID.</p>
<p>It's also (potentially) wrong: An OpenPGP User ID is bound directly
to the primary key, but it is implicitly also bound to any subkeys
that are associated with the primary key. if the subkeys are online,
but the primary key is offline, is this comment correct? What if the
primary key later adds a subkey that is <em>not</em> offline or long-term
(e.g. they want to do frequent key rollover for an online subkey)?
Do they need to revoke their User ID for this?</p>
<p>And where it's not wrong, it's redundant. An OpenPGP certificate is
by definition a statement about long-term identity that is bound to
a key in the first place. Why include any of this extra verbiage,
which is only likely to add to the confusion?</p>
</dd>
</dl>
<p>But wait (i hear you say)! I have a special case that actually is a
legitimate use of the comment field that cannot be expressed in OpenPGP
in any other way!</p>
<p>I'm sure that such cases exist. I've even seen one or two of them. The
fact that one or two cases exist does not excuse the fact that that
overwhelming majority of these comments in OpenPGP User IDs are a
mistake, caused only by bad UI design that prompts people to put
something (anything!) in the empty box (or on the command prompt,
depending on your preference).</p>
<p>And this mistake is one of the thousand papercuts that inhibits the
robust growth of the OpenPGP certification network that some people call
the "web of trust". Let's avoid them so we can focus on the other 999
papercuts.</p>
<p>Please don't use comments in your OpenPGP User ID. And if you make a
user interface for OpenPGP that prompts the user to decide on a new User
ID, please <em>don't</em> include a prompt for "Comment" unless the user has
already certified that they are really and truly a special special
snowflake.</p>
<p>Thanks!</p>
<p><strong>UPDATED 2015-02-11:</strong> added "descriptions of key use" example, since
that appears to be more common.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/ui">ui</a></p>
</p>It's Advertising all the way down2013-05-03T17:21:00-04:002013-05-03T17:21:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-05-03:/blog/its-advertising-all-the-way-down.html<p>Today i saw a billboard on the side of a bus. It was from a cable TV
channel, bragging about how well-connected their viewers are (presumably
on the internet, social media, blogs, etc).</p>
<p>It shows a smiling, attractive man, with text next to him saying
something like "I told 9000 …</p><p>Today i saw a billboard on the side of a bus. It was from a cable TV
channel, bragging about how well-connected their viewers are (presumably
on the internet, social media, blogs, etc).</p>
<p>It shows a smiling, attractive man, with text next to him saying
something like "I told 9000 people what smartphone to buy".</p>
<p>What happened here?</p>
<ul>
<li>A TV channel bought an ad on the side of a bus</li>
<li>trying to demonstrate to other advertisers</li>
<li>about how good their viewers are at providing advertising-by-proxy</li>
<li>on services that themselves are mostly advertising platforms</li>
<li>to sell devices that are themselves often used for advertising
delivery.</li>
</ul>
<p>And almost all of these steps count as positive economic activity when
we try to measure whether the US economy is healthy.</p>
<p>I am depressed by this tremendous waste of time and effort.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/advertising">advertising</a></p>
</p>Make a Woolly Mammoth (thanks, inkscape!)2013-02-28T00:15:00-05:002013-02-28T00:15:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-02-28:/blog/make-a-woolly-mammoth-thanks-inkscape.html<p>I feel like i've done a lot of blogging recently about failing to do
things with proprietary software. That's annoying.</p>
<p>This post is about something i made successfully with free software (and
some non-software crafting): I made a Woolly Mammoth for my
nephew!<img></img></p>
<p>I documented <a href="https://dkg.fifthhorseman.net/woolly/">the pattern (with pictures!) that …</a></p><p>I feel like i've done a lot of blogging recently about failing to do
things with proprietary software. That's annoying.</p>
<p>This post is about something i made successfully with free software (and
some non-software crafting): I made a Woolly Mammoth for my
nephew!<img></img></p>
<p>I documented <a href="https://dkg.fifthhorseman.net/woolly/">the pattern (with pictures!) that i came up
with</a> using
<a href="http://inkscape.org/">Inkscape</a> (and used markdown, pandoc, emacs,
pdftk, and other free software in the process). i've also published the
source for the pattern via git if you want to modify it:</p>
<div class="highlight"><pre><span></span><code>git clone git://lair.fifthhorseman.net/~dkg/woolly
</code></pre></div>
<p>Writing up the documentation makes me realize that i don't know of any
software tools designed specifically for facilitating fabric/craft
construction. Some interesting software ideas:</p>
<ul>
<li>Make 3-D models showing the partly assembled pieces, derived from
the flat pattern. Maybe something like
<a href="http://blender.org/">blender</a> would be good for this?</li>
<li>Take a 3D-modeled form and produce some candidate patterns for
cutting and sewing? This seems like it is an interesting theoretical
problem: given a set of (marked?) 3D surfaces and a set of
approximation constraints, have the tool come up with a reasonable
set of 2D patterns that could be cut and assembled using a set of
standard operations into something close to the 3D shape.</li>
<li>a "pattern lint checker" (maybe an inkscape extension?) that would
let you mark certain segments of an SVG as related to other segments
(i.e. the two sides of a seam), and could give you warnings when one
side was longer than the other (within some level of tolerance)</li>
</ul>
<p>Anyone have any ideas?</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/brainstorming">brainstorming</a>,
<a href="https://debian-administration.org/tag/crafting">crafting</a>,
<a href="https://debian-administration.org/tag/inkscape">inkscape</a></p>
</p>proprietary software activation fail2013-02-01T16:25:00-05:002013-02-01T16:25:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-02-01:/blog/proprietary-software-activation-fail.html<p>i have a colleague who is forced by work situations to use Windows.
Somehow, I'm the idiot\^W\^W\^W\^W\^Wfriendly guy who gets tapped to fix
it when things break.</p>
<p>Well, this time, the power supply broke. As in, dead, no lights, no fan,
no nothing. No problem …</p><p>i have a colleague who is forced by work situations to use Windows.
Somehow, I'm the idiot\^W\^W\^W\^W\^Wfriendly guy who gets tapped to fix
it when things break.</p>
<p>Well, this time, the power supply broke. As in, dead, no lights, no fan,
no nothing. No problem, though, the disk is still good, and i've got a
spare machine lying around; and the spare is actually superior hardware
to the old machine so it'll be an upgrade in addition to a fix. Nice! So
i transplant the disk and fire up the new chassis.</p>
<p>But WinXP fails to boot with a lovely "0x0000007b" BSOD. The <a href="http://support.microsoft.com/kb/324103">internet
tells me</a> that this might mean
it can't find its own disk. OK, pop into the new chassis' BIOS, tell it
to run the SATA ports in "legacy IDE" mode, and try again.</p>
<p>Now we get a "0x0000007e" BSOD. Some <a href="http://support.microsoft.com/kb/330182">digging on the
'net</a> makes me think it's now
complaining now about the graphics driver. Hmm. Well, i figure i can
probably work around that by installing new drivers from Safe Mode. So i
reboot into Safe Mode.</p>
<p>Success! It boots to the login screen in Safe Mode. And, mirabile dictu,
i happen to know the Administrator password. I put it in, and get a
message that this Windows installation isn't "activated" yet --
presumably because the hardware has changed out from under it. And by
the way, i'm not allowed to log in via safe mode until it's activated.
So please reboot to "normal" Windows and activate it first.</p>
<p>Except, of course, the whole reason i'm booting into safe mode was
because normal Windows gives a BSOD. Grrrr. Who thought up this
particular lovely catch-22?</p>
<p>OK, change tactics. Scavenging the scrap bin turns up a machine with a
failed mainboard, but a power supply with all the right leads. It's
rated for about 80W less than the old machine's failed supply, but i
figure if i rip out the DVD-burner and the floppy drive maybe it will
hold. Oh, and the replacement power supply doesn't physically fit the
old chassis, but it hangs halfway out the back and sort of rattles
around a bit. I sacrifice the rest of the scrap machine, rip out its
power supply, stuff the power supply into the old chassis, swap the
original disk back in, and ... it boots successfully, finally.</p>
<p>That was the shorter version of the story :P</p>
<p>So now my colleague has a horrible mess of a frankencomputer which is
more likely to fail again in the future, instead of a nice shiny
upgrade. Why? Because Microsoft's need to control the flow of software
takes priority over the needs of their users.</p>
<p>This is what you get when you let Marketing and BizDev drive your
technical decisions.</p>
<p>Do i still need to explain why i prefer free software?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/griping">griping</a>,
<a href="https://debian-administration.org/tag/windows">windows</a></p>
</p>visualizing MIME structure2013-01-29T16:16:00-05:002013-01-29T16:16:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-01-29:/blog/visualizing-mime-structure.html<p>Better debugging tools can help us understand what's going on with MIME
messages. A python scrap i wrote a couple years ago named
<code>printmimestructure</code> has been very useful to me, so i thought i'd share
it.</p>
<p>It reads a message from stdin, and prints a visualisation of its
structure, like …</p><p>Better debugging tools can help us understand what's going on with MIME
messages. A python scrap i wrote a couple years ago named
<code>printmimestructure</code> has been very useful to me, so i thought i'd share
it.</p>
<p>It reads a message from stdin, and prints a visualisation of its
structure, like this:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">alice</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="kr">print</span><span class="n">mimestructure</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="err">'</span><span class="n">Maildir</span><span class="o">/</span><span class="n">cur</span><span class="o">/</span><span class="mf">1269025522.</span><span class="n">M338697P12023</span><span class="mf">.</span><span class="n">monkey</span><span class="p">,</span><span class="n">S</span><span class="o">=</span><span class="mf">6459</span><span class="p">,</span><span class="n">W</span><span class="o">=</span><span class="mf">6963</span><span class="p">:</span><span class="mf">2</span><span class="p">,</span><span class="n">Sa</span><span class="err">'</span><span class="w"> </span><span class="err">└┬╴</span><span class="n">multipart</span><span class="o">/</span><span class="n">signed</span><span class="w"> </span><span class="mf">6546</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="err">├─╴</span><span class="n">text</span><span class="o">/</span><span class="n">plain</span><span class="w"> </span><span class="n">inline</span><span class="w"> </span><span class="mf">895</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="err">└─╴</span><span class="n">application</span><span class="o">/</span><span class="n">pgp</span><span class="o">-</span><span class="n">signature</span><span class="w"> </span><span class="n">inline</span><span class="w"> </span><span class="err">[</span><span class="n">signature</span><span class="mf">.</span><span class="nb">asc</span><span class="err">]</span><span class="w"> </span><span class="mf">836</span><span class="w"> </span><span class="n">bytes0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">alice</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<p>It is being published in the <a href="http://notmuchmail.org/">notmuch</a>
repository, under <code>devel/</code></p>
<div class="highlight"><pre><span></span><code>git clone git://notmuchmail.org/git/notmuchls -l notmuch/devel/printmimestructure
</code></pre></div>
<p>It feels silly to treat this \~30 line script as its own project, but i
don't know of another simple tool that does this. If you know of one, or
of something similar, i'd love to hear about it in the comments (or by
sending me e-mail if you prefer).</p>
<p>If it's useful for others, I'd be happy to contribute
<code>printmimestructure</code> to a project of like-minded tools. Does such a
project exist? Or if people think it would be handy to have in debian, i
can also package it up, though that feels like it might be overkill.</p>
<p>and oh yeah, as always: bug reports, suggestions, complaints, and
patches are welcome :)</p>
<p>(2013-10-09: updated to note change of location of the script, thanks to
the notmuch team for adopting it)</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/debugging">debugging</a>,
<a href="https://debian-administration.org/tag/mime">mime</a>,
<a href="https://debian-administration.org/tag/python">python</a></p>
</p>in memory of Aaron Swartz2013-01-15T08:35:00-05:002013-01-15T08:35:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-01-15:/blog/in-memory-of-aaron-swartz.html<p>I was upset to learn about <a href="http://aaronsw.com/">Aaron Swartz</a>'s <a href="http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully">death
last
week</a>. I
continue to be upset about his loss, and about our loss. He didn't just
show promise of great things to come in the future -- he had already
done more work for the public good than many of …</p><p>I was upset to learn about <a href="http://aaronsw.com/">Aaron Swartz</a>'s <a href="http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully">death
last
week</a>. I
continue to be upset about his loss, and about our loss. He didn't just
show promise of great things to come in the future -- he had already
done more work for the public good than many of us will ever do. I'd
only met him IRL a couple times, but (like many others) i had
encountered him on the 'net in many places. He was a good person,
someone i didn't need to always agree with to respect.</p>
<p>I read Russ Allbery's <a href="http://www.eyrie.org/~eagle/journal/2013-01/013.html">posts
about</a> <a href="http://www.eyrie.org/~eagle/journal/2013-01/014.html">Aaron and
"slacktivism"</a>
with much appreciation. I had been ambivalent about signing <a href="https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck">the
whitehouse.gov petition asking for the removal of the prosecutor for
overreach</a>,
because I generally distrust the effectiveness of online petitions (and
offline petitions, for that matter). But Russ's analysis convinced me to
go ahead and sign it. The petition is concrete, clear (despite wanting a
grammatical proofread), and actionable.</p>
<p>For people willing to go beyond petition signing to civil disobedience,
<a href="http://aaronsw.archiveteam.org/">The Aaron Swartz Memorial JSTOR
Liberator</a> is an option. It makes it
straightforward to potentially violate the onerous JSTOR terms of
service by re-publishing a public-domain article from
<a href="http://jstor.org">JSTOR</a> to <a href="http://archive.org/">archive.org</a>, where
it will be accessible to anyone directly.</p>
<p>As someone who builds and maintains information/communications
infrastructure, i have very mixed feelings about most online civil
disobedience, since it often takes the form of a Distributed Denial of
Service (DDoS) attack of some sort. DDoS attacks of public services are
notoriously difficult to defend against without having huge resources to
throw at the problem, so encouraging participation in a DDoS often feels
a little bit like handing out cans of gasoline when you know that
<em>everyone</em> is living in a house of straw.</p>
<p>However, the JSTOR Liberator is not a DDoS at all -- it's simply a
facilitation of people breaking the JSTOR Terms of Service (ToS), some
of the same terms that Aaron was facing charges for violating. So it is
a well-targeted way to demonstrate that the prosecutions were
overreaching.</p>
<p>I wanted to take issue with one of Russ' statements, though. In <a href="http://www.eyrie.org/~eagle/journal/2013-01/014.html">his
second post about the
situation</a>, Russ
wrote:</p>
<blockquote>
<p>Social activism and political disobedience are important and often
valuable things, but performing your social activism using other
people's stuff is just rude. I think it can be a forgivable rudeness;
people can get caught up in the moment and not realize what they're
doing. But it's still rude, and it's still not the way to go about
civil disobedience.</p>
</blockquote>
<p>While i generally agree with Russ' thoughtful consideration of consent,
I have to take issue with this elevation of some sort of hyper-extended
property right over the moral agency that drives civil disobedience.</p>
<p>To use someone else's property for the sake of a just cause without
damaging the property or depriving the owner of its use is not
"forgivable rudeness" -- it's forgivable, laudable even, because it is
just. And the person using the property doesn't need to be "caught up in
the moment and not realize what they're doing" for it to be acceptable.</p>
<p>Civil disobedience often involves putting some level of inconvenience or
discomfort on other people, including innocent people. It might be the
friends and family of the activist who have to deal with the jail time;
it might be the drivers stuck in a traffic jam caused by a
demonstration; it might be the people forced to shop elsewhere because
the store's doors are barricaded by protestors.</p>
<p>All of these people could be troubled by the civil disobedience more
than MIT's network users and admins were troubled by Aaron's protest,
and that doesn't make the protests described worse or "not the way to go
about civil disobedience." The trouble highlights a more significant
injustice, and in its troubling way does what it can to help right it.</p>
<p>Aaron was a troublemaker, and a good one. He will be missed.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/aaronsw">aaronsw</a></p>
</p>universally accessible storage for the wary user2013-01-09T01:12:00-05:002013-01-09T01:12:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2013-01-09:/blog/universally-accessible-storage-for-the-wary-user.html<p>A friend wrote me a simple question today. My response turned out to be
longer than i expected, but i hope it's useful (and maybe other people
will have better suggestions) so i thought i'd share it here too:</p>
<p>Angela Starita wrote:</p>
<blockquote>
<p>I'd like to save my work in a …</p></blockquote><p>A friend wrote me a simple question today. My response turned out to be
longer than i expected, but i hope it's useful (and maybe other people
will have better suggestions) so i thought i'd share it here too:</p>
<p>Angela Starita wrote:</p>
<blockquote>
<p>I'd like to save my work in a location where I can access it from any
computer. I'm wary of using the mechanisms provided by Google and
Apple. Can you suggest another service?</p>
</blockquote>
<p>Here's my reply:</p>
<p>I think you're right to be wary of the big cloud providers, who have a
tendency to inspect your data to profile you, to participate in
arbitrary surveillance regimes, and to try to sell your eyeballs to
advertisers.</p>
<h3 id="caveat-you-have-to-trust-the-client-machine-too">Caveat: You have to trust the client machine too</h3>
<p>But it's also worth remembering that the network service provider is not
the only source of risk. If you really mean "accessing your data from
any computer", that means the computer you're using to access the data
can do whatever it wants with it. That is, you need to trust both the
operator of these "cloud" services, *and* the administrator/operating
system of the client computer you're using to access your data. For
example, if you log into any "secure" account from a terminal in a web
café, that leaves you vulnerable to the admins of the web café (and, in
the rather-common case of sloppily-administered web terminals,
vulnerable to the previous user(s) of the terminal as well).</p>
<h3 id="option-0-portable-physical-storage">Option 0: Portable physical storage</h3>
<p>One way to have your data so that you can access it from "any computer"
is to not rely on the network at all, but rather to carry a
high-capacity MicroSD card (and USB adapter) around with you (you'll
probably want to format the card with a widely-understood filesystem
like FAT32 instead of NTFS or HFS+ or ext4, which are only understood by
some of the major operating systems, but not all).</p>
<p>Here is some example hardware:</p>
<ul>
<li><a href="https://www.adafruit.com/products/939">MicroSD USB adapter (\$5)</a></li>
<li><a href="http://www.jr.com/pny/pe/PNY_PSDU16G10/">16GB class 10 MicroSD card
(\$20)</a></li>
</ul>
<p>Almost every computer these days has either a microSD slot or a USB
port, while some computers are not connected to the network. This also
means that you don't have to rely on someone else to manage servers that
keep your data available all the time.</p>
<p>Note that going the microSD route doesn't remove the caveat about
needing to trust the client workstation you're using, and it has another
consideration:</p>
<p>You'd be responsible for your own backup in the case of hardware
failure. You're responsible for your own backup in the case of online
storage too, of course -- but the better online companies are probably
better equipped than most of us to deal with hardware failure. OTOH,
they're also susceptible to some data loss scenarios that we aren't as
individual humans (e.g. the company might go bankrupt, or get bought by
a competitor who wants to terminate the service, or have a malicious
employee who decides to take revenge). Backup of a MicroSD card isn't
particularly hard, though: just get a USB stick that's the same size,
and regularly duplicate the contents of the MicroSD card to the USB
stick.</p>
<p>One last consideration is storage size -- MicroSD cards are currently
limited to 32GB or 64GB. If you have significantly more data than that,
this approach might not be possible, or you might need to switch to a
USB hard disk, which would limit your ability to use the data on
computers that don't have a USB port (such as some smartphones).</p>
<h3 id="option-1-proprietary-service-providers">Option 1: Proprietary service providers</h3>
<p>If you don't think this portable physical storage option is the right
choice for you, here are a couple proprietary service providers who
offer some flavor of "cloud" storage while claiming to not look at the
contents of your data:</p>
<ul>
<li><a href="https://wuala.com/">wuala</a></li>
<li><a href="https://spideroak.com/">spideroak</a></li>
</ul>
<p>I'm not particularly happy with either of those, though, in part because
the local client software they want you to run is proprietary, so
there's no way to verify that they are actually unable to access the
contents of your data. But i'd be a lot happier with either wuala or
spideroak than i would be with google drive, dropbox, or iCloud.</p>
<h3 id="option-2-what-i-really-want">Option 2: What i really want</h3>
<p>I'm much more excited about the network-accessible, free-software,
privacy-sensitive network-based storage tool known as <a href="http://git-annex.branchable.com/assistant/">git-annex
assistant</a>. The project is
spearheaded by Joey Hess, who is one of the most skilled and thoughtful
software developers i know of.</p>
<p>"assistant" (and git-annex, from which it derives) has the advantage of
being pretty agnostic about the backend service (many plugins for many
different cloud providers) and allows you to encrypt your data locally
before sending it to the remote provider. This also means you can put
your encrypted data in more than one provider, so that if one of the
providers fails for some reason, you can be relatively sure that you
have another copy available.</p>
<p>But "assistant" won't be ready for Windows or Android for several months
(builds are available for Linux and Mac OS X now), so i don't know if it
meets the criterion for "accessible from any computer". And, of course,
even with the encryption capabilities, the old caveat about needing to
trust the local client machine still applies.</p>libasound2-plugins is a resource hog!2012-12-21T01:50:00-05:002012-12-21T01:50:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-12-21:/blog/libasound2-plugins-is-a-resource-hog.html<p>I run <a href="http://packages.debian.org/mpd">mpd</a> on debian on "igor", an
NSLU2 -- a very low-power \~266MHz armel machine, with no FPU and a
scanty 32MiB of RAM. This serves nicely to feed my stereo with music
that is controllable from anywhere on my LAN. When playing music and
talking to a single mpd …</p><p>I run <a href="http://packages.debian.org/mpd">mpd</a> on debian on "igor", an
NSLU2 -- a very low-power \~266MHz armel machine, with no FPU and a
scanty 32MiB of RAM. This serves nicely to feed my stereo with music
that is controllable from anywhere on my LAN. When playing music and
talking to a single mpd client, the machine is about 50% idle.</p>
<p>However, during a recent upgrade, something wanted to pull in
<a href="http://packages.debian.org/pulseaudio">pulseaudio</a>, which in turn
wanted to pull in
<a href="http://packages.debian.org/libasound2-plugins">libasound2-plugins</a>, and
i distractedly (foolishly) let it. With that package installed, after an
mpd restart, the CPU was completely thrashed (100% utilization) and
music only played in stutters of 1 second interrupted by a couple
seconds of silence. igor was unusable for its intended purpose.</p>
<p>Getting rid of pulseaudio was my first attempt to fix the stuttering,
but the problem remained even after pulse was all gone and mpd was
restarted.</p>
<p>Then i did a little search of which packages had been freshly installed
in the recent run:</p>
<div class="highlight"><pre><span></span><code><span class="n">grep</span><span class="w"> </span><span class="s1">' install .* <none> '</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">dpkg</span><span class="o">.</span><span class="n">log</span>
</code></pre></div>
<p>and used that to pick out the offending package.</p>
<p>After purging libasound2-plugins and restarting mpd, the igor is back in
action.</p>
<p>Lesson learned: on low-overhead machines, don't allow apt to install
recommends!</p>
<div class="highlight"><pre><span></span><code><span class="nt">echo</span><span class="w"> </span><span class="s1">'APT::Install-Recommends "0";'</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="o">/</span><span class="nt">etc</span><span class="o">/</span><span class="nt">apt</span><span class="o">/</span><span class="nt">apt</span><span class="p">.</span><span class="nc">conf</span>
</code></pre></div>
<p>And it should go without saying, but sometimes i get sloppy: i need to
pay closer attention during an "apt-get dist-upgrade"</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/alsa">alsa</a>,
<a href="https://debian-administration.org/tag/apt">apt</a>,
<a href="https://debian-administration.org/tag/low-power">low-power</a>,
<a href="https://debian-administration.org/tag/mpd">mpd</a></p>
</p>set default margins for OpenOffice as a sysadmin?2012-12-06T17:30:00-05:002012-12-06T17:30:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-12-06:/blog/set-default-margins-for-openoffice-as-a-sysadmin.html<p>I'm maintaining a lab of debian squeeze machines that run OpenOffice.org
(i'm considering upgrading to LibreOffice from squeeze-backports). I'd
like to adjust the default page margins for all users of Writer. Most
instructions i've found <a href="http://wiki.openoffice.org/wiki/Documentation/FAQ/Writer/FormattingPagesAndDocuments/How_can_I_change_the_default_Page_Style_margins,_so_that_when_I_start_a_new_document_the_margins_will_be_1_inch%3F">suggest ways to do this as a single
user</a>,
but not how to make …</p><p>I'm maintaining a lab of debian squeeze machines that run OpenOffice.org
(i'm considering upgrading to LibreOffice from squeeze-backports). I'd
like to adjust the default page margins for all users of Writer. Most
instructions i've found <a href="http://wiki.openoffice.org/wiki/Documentation/FAQ/Writer/FormattingPagesAndDocuments/How_can_I_change_the_default_Page_Style_margins,_so_that_when_I_start_a_new_document_the_margins_will_be_1_inch%3F">suggest ways to do this as a single
user</a>,
but not how to make the change system-wide. I don't want to ask every
user of these machines to do this (and i also don't want to tamper with
each home directory directly -- that's not something i can maintain
reliably).</p>
<p>Alas, i can find no documentation about how to change the default page
margins system-wide for either Oo.o or LibreOffice. Surely this is
something that can be done without a recompile. What am i missing?</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/configuration">configuration</a>,
<a href="https://debian-administration.org/tag/libreoffice">libreoffice</a>,
<a href="https://debian-administration.org/tag/margins">margins</a>,
<a href="https://debian-administration.org/tag/openoffice.org">openoffice.org</a>,
<a href="https://debian-administration.org/tag/sysadmin">sysadmin</a>,
<a href="https://debian-administration.org/tag/templates">templates</a></p>
</p>Error messages are your friend (postgres is good)2012-12-04T20:32:00-05:002012-12-04T20:32:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-12-04:/blog/error-messages-are-your-friend-postgres-is-good.html<p>Here is a bit of simple (yet subtly-flawed) sql, which produces
different answers on different database engines:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="n">test</span><span class="mf">.</span><span class="n">sqldrop</span><span class="w"> </span><span class="nb">tab</span><span class="n">le</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="n">exists</span><span class="w"> </span><span class="n">foo</span><span class="p">;</span><span class="n">create</span><span class="w"> </span><span class="nb">tab</span><span class="n">le</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="p">(</span><span class="n">x</span><span class="w"> </span><span class="nb">int</span><span class="p">,</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="nb">int</span><span class="p">);</span><span class="n">insert</span><span class="w"> </span><span class="nb">int</span><span class="n">o</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="nb">VAL</span><span class="n">UES</span><span class="w"> </span><span class="p">(</span><span class="mf">1</span><span class="p">,</span><span class="mf">3</span><span class="p">);</span><span class="n">insert</span><span class="w"> </span><span class="nb">int</span><span class="n">o</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="nb">VAL</span><span class="n">UES …</span></code></pre></div><p>Here is a bit of simple (yet subtly-flawed) sql, which produces
different answers on different database engines:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="n">test</span><span class="mf">.</span><span class="n">sqldrop</span><span class="w"> </span><span class="nb">tab</span><span class="n">le</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="n">exists</span><span class="w"> </span><span class="n">foo</span><span class="p">;</span><span class="n">create</span><span class="w"> </span><span class="nb">tab</span><span class="n">le</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="p">(</span><span class="n">x</span><span class="w"> </span><span class="nb">int</span><span class="p">,</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="nb">int</span><span class="p">);</span><span class="n">insert</span><span class="w"> </span><span class="nb">int</span><span class="n">o</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="nb">VAL</span><span class="n">UES</span><span class="w"> </span><span class="p">(</span><span class="mf">1</span><span class="p">,</span><span class="mf">3</span><span class="p">);</span><span class="n">insert</span><span class="w"> </span><span class="nb">int</span><span class="n">o</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="nb">VAL</span><span class="n">UES</span><span class="w"> </span><span class="p">(</span><span class="mf">1</span><span class="p">,</span><span class="mf">5</span><span class="p">);</span><span class="n">select</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="n">group</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">x</span><span class="p">;</span><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">sqlite3</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">test</span><span class="mf">.</span><span class="n">sql50</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">mysql</span><span class="w"> </span><span class="o">-</span><span class="n">N</span><span class="w"> </span><span class="n">dkg</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">test</span><span class="mf">.</span><span class="n">sql30</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">psql</span><span class="w"> </span><span class="o">-</span><span class="n">qtA</span><span class="w"> </span><span class="n">dkg</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">test</span><span class="mf">.</span><span class="n">sqlERROR</span><span class="p">:</span><span class="w"> </span><span class="n">column</span><span class="w"> </span><span class="s">"foo.y"</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">appear</span><span class="w"> </span><span class="n">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">GROUP</span><span class="w"> </span><span class="n">BY</span><span class="w"> </span><span class="n">clause</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="n">in</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">aggregate</span><span class="w"> </span><span class="n">functionLINE</span><span class="w"> </span><span class="mf">1</span><span class="p">:</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="n">group</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">x</span><span class="p">;</span><span class="w"> </span><span class="o">^</span><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<ul>
<li>Clear error reporting and</li>
<li>an insistence on explicit disambiguation</li>
</ul>
<p>are two of the many reasons postgresql is my database engine of choice.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/errors">errors</a>,
<a href="https://debian-administration.org/tag/postgresql">postgresql</a>,
<a href="https://debian-administration.org/tag/sql">sql</a></p>
</p>more proprietary workarounds, sigh2012-11-27T08:39:00-05:002012-11-27T08:39:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-11-27:/blog/more-proprietary-workarounds-sigh.html<p>In supporting a labful of Debian GNU/Linux machines with NFS-mounted
home directories, i find some of my users demand a few proprietary
programs. <a href="http://wiki.debian.org/FlashPlayer">Adobe Flash</a> is one of
the most demanded, in particular because some popular streaming video
services (like <a href="http://amazon.com/prime">Amazon Prime</a> and
<a href="http://hulu.com">Hulu</a>) seem to require it.</p>
<p>I'm …</p><p>In supporting a labful of Debian GNU/Linux machines with NFS-mounted
home directories, i find some of my users demand a few proprietary
programs. <a href="http://wiki.debian.org/FlashPlayer">Adobe Flash</a> is one of
the most demanded, in particular because some popular streaming video
services (like <a href="http://amazon.com/prime">Amazon Prime</a> and
<a href="http://hulu.com">Hulu</a>) seem to require it.</p>
<p>I'm not a fan of proprietary network services, but i'm happy to see that
<a href="http://www.amazon.com/gp/help/customer/display.html/ref=atv_drm_flash_help?nodeId=200256920#playbackerror">Amazon Prime takes Linux support seriously
enough</a>
to direct users to <a href="http://helpx.adobe.com/x-productkb/multi/flash-player-11-problems-playing.html">Adobe's Linux Flash "Protected Content"
troubleshooting
page</a>
(Amazon Prime's rival NetFlix, by comparison, has an abysmal record on
this platform). Of course, none of this will work on any platform but
i386, since the flash player is proprietary software and its proprietors
have shown no interest in porting it or letting others port it :(</p>
<p>One of the main issues with proprietary network services is their
inclination to view their customer as their adversary, as evidenced by
various DRM schemes. In two examples, the Flash Player's DRM module
<a href="http://forums.adobe.com/thread/1105464">appears to arbitrarily break when you use one home directory across
multiple machines</a>. Also, the
DRM module appears to <a href="http://forums.adobe.com/message/4594136">depend on
HAL</a>, which is being deprecated
by most of the common distributions.</p>
<p>Why bother with this kind of gratuitous breakage? We know that video
streaming can and does work fine without DRM. With modern browsers,
freely-formatted video, and HTML5 video tags, video just works, and it
works under the control of the user, on any platform. But Flash appears
to throw up unnecessary hurdles, requiring not only proprietary code,
but deprecated subsystems and fiddly workarounds to get it functional.</p>
<p>I'm reminded of <a href="http://wiki.mako.cc/Antifeatures">Mako's concept of
"antifeatures"</a> -- how much
engineering time and effort went into making this system actually be
<em>less</em> stable and reliable than it would have otherwise been? How could
that work have been better-directed?</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/antifeatures">antifeatures</a>,
<a href="https://debian-administration.org/tag/flash">flash</a>,
<a href="https://debian-administration.org/tag/hal">hal</a>,
<a href="https://debian-administration.org/tag/proprietary">proprietary</a>,
<a href="https://debian-administration.org/tag/streaming">streaming</a></p>
</p>KVM, Windows XP, and Stop Error Code 0x0000007B2012-05-29T23:49:00-04:002012-05-29T23:49:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-05-29:/blog/kvm-windows-xp-and-stop-error-code-0x0000007b.html<p>i dislike having to run Windows as much as the next free software
developer, but like many sysadmins, i am occasionally asked to maintain
some legacy systems.</p>
<p>A nice way to keep these systems available (while not having to
physically maintain them) is to put them in a virtual sandbox …</p><p>i dislike having to run Windows as much as the next free software
developer, but like many sysadmins, i am occasionally asked to maintain
some legacy systems.</p>
<p>A nice way to keep these systems available (while not having to
physically maintain them) is to put them in a virtual sandbox using a
tool like kvm. While kvm makes it relatively straightforward to install
WinXP from a CD (as long as you have the proper licensing key), it is
more challenging to transition a pre-existing hardware windows XP
installation into a virtual instance, due to Windows only wanting to
boot to ide chipsets that it remembers being installed to.</p>
<p>In particular, booting a disk image pulled from a soon-to-be-discarded
physical disk can produce a Blue Screen of Death (BSOD) with the
message:</p>
<div class="highlight"><pre><span></span><code>Stop error code 0x0000007B
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code>(INACCESSABLE_BOOT_DEVICE)
</code></pre></div>
<p>This seems like it's roughly the equivalent (in a standard debian
GNU/Linux environment) of specifying <code>MODULES=dep</code> in
<code>/etc/initramfs-tools/initramfs.conf</code>, and then trying to swap out all
the hardware.</p>
<p>At first blush, Microsoft's knowledge base <a href="http://support.microsoft.com/kb/316401">suggests doing an in-place
upgrade or full repartition and
reinstall</a>, which are both
fairly drastic measures -- you might as well just start from scratch,
which is exactly what you <em>don't</em> want to have to do for a nursed-along
legacy system which no one who originally set it up is even with the
organization any more.</p>
<p>Fortunately, a bit more digging in the Knowledge Base turned up <a href="http://support.microsoft.com/kb/314082">an
unsupported set of steps</a> that
appears to be the equivalent of setting <code>MODULES=most</code> (at least for the
IDE chipsets). Running this on the old hardware before imaging the disk
worked for me, though i did need to re-validate Windows XP after the
reboot by typing in the long magic code again. i guess they're keying it
to the hardware, which clearly changed in this instance.</p>
<p>Such silliness to spend time working around, really, when i'd rather be
spending my time working on free software. :/</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/bugs">bugs</a>,
<a href="https://debian-administration.org/tag/windows">windows</a></p>
</p>Compromising webapps: a case study2012-03-16T01:42:00-04:002012-03-16T01:42:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2012-03-16:/blog/compromising-webapps-a-case-study.html<p><a href="https://jhalderm.com/pub/papers/dcvoting-fc12.pdf">This paper</a> should
be required reading for anyone developing, deploying, or administering
web applications.</p>
<p>It's also interesting to read <a href="http://www.dcboee.org/popup.asp?url=/pdf_files/nr_687.pdf">the perspective of the folks operating
the compromised
webapp</a>
(details are in the section titled "Digital Vote-By-Mail" on pages 34 to
38).</p>Adobe leaves Linux AIR users vulnerable2011-11-21T17:41:00-05:002011-11-21T17:41:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-11-21:/blog/adobe-leaves-linux-air-users-vulnerable.html<p>A few months ago, <a href="https://www.adobe.com/support/security/bulletins/apsb11-12.html">Adobe announced a slew of vulnerabilities in its
Flash
Player</a>,
which is a critical component of Adobe AIR:</p>
<blockquote>
<p>Adobe recommends users of Adobe AIR 2.6.19140 and earlier versions for
Windows, Macintosh and Linux update to Adobe AIR 2.7.0.1948.</p>
<p>[...]</p>
<p><p>
June 14, 2011 …</p></p></blockquote><p>A few months ago, <a href="https://www.adobe.com/support/security/bulletins/apsb11-12.html">Adobe announced a slew of vulnerabilities in its
Flash
Player</a>,
which is a critical component of Adobe AIR:</p>
<blockquote>
<p>Adobe recommends users of Adobe AIR 2.6.19140 and earlier versions for
Windows, Macintosh and Linux update to Adobe AIR 2.7.0.1948.</p>
<p>[...]</p>
<p><p>
June 14, 2011 - Bulletin updated with information on Adobe AIR</p>
</blockquote>
<p>However, looking at <a href="http://kb2.adobe.com/cps/408/kb408084.html">Adobe's instructions for installing AIR on "Linux"
systems</a>, we see that it is
impossible for people running a free desktop OS to follow Adobe's own
recommendations:</p>
<blockquote>
<p>Beginning June 14 2011, Adobe AIR is no longer supported for desktop
Linux distributions. Users can install and run AIR 2.6 and earlier
applications but can't install or update to AIR 2.7. The last version
to support desktop Linux distributions is AIR 2.6.</p>
</blockquote>
<p>So on the exact same day, Adobe said "we recommend you upgrade, as the
version you are using is vulnerable" and "we offer you no way to
upgrade".</p>
<p>I'm left with the conclusion that Adobe's aggregate corporate message is
"users of desktops based on free software should immediately uninstall
AIR and stop using it".</p>
<p>If Adobe's software was free, and they had a community around it, they
could turn over support to the community if they found it too
burdensome. Instead, once again, users of proprietary tools on free
systems get screwed by the proprietary vendor.</p>
<p>And they wonder why we tend to be less likely to install their tools?</p>
<p>Application developers should avoid targeting AIR as a platform if they
want to reach everyone.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/adobe">adobe</a>,
<a href="https://debian-administration.org/tag/proprietary%20software">proprietary
software</a>,
<a href="https://debian-administration.org/tag/security">security</a></p>
</p>unreproducible buildd test suite failures2011-06-21T15:05:00-04:002011-06-21T15:05:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-06-21:/blog/unreproducible-buildd-test-suite-failures.html<p>I've been getting <a href="https://buildd.debian.org/xdotool">strange failures on some architectures for
xdotool</a>. xdotool is a library and a
command-line tool to allow you to inject events into an existing X11
session. I'm trying to understand (or even to reproduce) these errors so
i can fix them.</p>
<p>The upstream project ships an extensive …</p><p>I've been getting <a href="https://buildd.debian.org/xdotool">strange failures on some architectures for
xdotool</a>. xdotool is a library and a
command-line tool to allow you to inject events into an existing X11
session. I'm trying to understand (or even to reproduce) these errors so
i can fix them.</p>
<p>The upstream project ships an extensive test suite; this test suite is
failing on three architectures: ia64, armel, and mipsel; it passes fine
on the other architectures (the hurd-i386 failure is unrelated, and i
know how to fix it). The suite is failing on some "typing" tests -- some
symbols "typed" are getting dropped on the failing architectures -- but
it is not failing in a repeatable fashion. You can see <a href="https://buildd.debian.org/status/logs.php?pkg=xdotool&arch=armel&ver=1%3A2.20110530.1-3">two attempted
armel builds
failing</a>
with different outputs:</p>
<p>The first failure shows <code>[</code> and occasionally <code><</code> failing under a <code>us,se</code>
keymap (that is, after the test-suite's invocation of
<code>setxkbmap -option grp:switch,grp:shifts_toggle us,se</code>):</p>
<div class="highlight"><pre><span></span><code><span class="n">Running</span><span class="w"> </span><span class="n">test_typing</span><span class="o">.</span><span class="n">rbSetting</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">keymap</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">usLoaded</span><span class="w"> </span><span class="n">suite</span><span class="w"> </span><span class="n">test_typingStarted</span><span class="o">...........</span><span class="n">F</span><span class="o">..</span><span class="n">Finished</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="mf">19.554214</span><span class="w"> </span><span class="n">seconds</span><span class="o">.</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">Failure</span><span class="p">:</span><span class="n">test_us_se_symbol_typing</span><span class="p">(</span><span class="n">XdotoolTypingTests</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">test_typing</span><span class="o">.</span><span class="n">rb</span><span class="p">:</span><span class="mi">58</span><span class="p">:</span><span class="ow">in</span><span class="w"> </span><span class="err">`</span><span class="n">_test_typing</span><span class="s1">' test_typing.rb:78:in `test_us_se_symbol_typing'</span><span class="p">]:</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+[]{}|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">></span><span class="w"> </span><span class="n">expected</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">was</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+]{}|;:</span><span class="se">\"</span><span class="s2">,./>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">>.</span><span class="mi">14</span><span class="w"> </span><span class="n">tests</span><span class="p">,</span><span class="w"> </span><span class="mi">14</span><span class="w"> </span><span class="n">assertions</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">failures</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span>
</code></pre></div>
<p>The second failure, on the same buildd, a day later, shows no failures
under <code>us,se</code>, but several failures under other keymaps:</p>
<div class="highlight"><pre><span></span><code><span class="n">Running</span><span class="w"> </span><span class="n">test_typing</span><span class="o">.</span><span class="n">rbSetting</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">keymap</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">usLoaded</span><span class="w"> </span><span class="n">suite</span><span class="w"> </span><span class="n">test_typingStarted</span><span class="o">..</span><span class="n">F</span><span class="o">.</span><span class="n">F</span><span class="o">.</span><span class="n">F</span><span class="o">.......</span><span class="n">Finished</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="mf">16.784192</span><span class="w"> </span><span class="n">seconds</span><span class="o">.</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">Failure</span><span class="p">:</span><span class="n">test_de_symbol_typing</span><span class="p">(</span><span class="n">XdotoolTypingTests</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">test_typing</span><span class="o">.</span><span class="n">rb</span><span class="p">:</span><span class="mi">58</span><span class="p">:</span><span class="ow">in</span><span class="w"> </span><span class="err">`</span><span class="n">_test_typing</span><span class="s1">' test_typing.rb:118:in `test_de_symbol_typing'</span><span class="p">]:</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+[]{}|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">></span><span class="w"> </span><span class="n">expected</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">was</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+]{}|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">>.</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="n">Failure</span><span class="p">:</span><span class="n">test_se_symbol_typing</span><span class="p">(</span><span class="n">XdotoolTypingTests</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">test_typing</span><span class="o">.</span><span class="n">rb</span><span class="p">:</span><span class="mi">58</span><span class="p">:</span><span class="ow">in</span><span class="w"> </span><span class="err">`</span><span class="n">_test_typing</span><span class="s1">' test_typing.rb:108:in `test_se_symbol_typing'</span><span class="p">]:</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+[]{}|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">></span><span class="w"> </span><span class="n">expected</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">was</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+[]{|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">>.</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="n">Failure</span><span class="p">:</span><span class="n">test_se_us_symbol_typing</span><span class="p">(</span><span class="n">XdotoolTypingTests</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">test_typing</span><span class="o">.</span><span class="n">rb</span><span class="p">:</span><span class="mi">58</span><span class="p">:</span><span class="ow">in</span><span class="w"> </span><span class="err">`</span><span class="n">_test_typing</span><span class="s1">' test_typing.rb:88:in `test_se_us_symbol_typing'</span><span class="p">]:</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+[]{}|;:</span><span class="se">\"</span><span class="s2">,./<>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">></span><span class="w"> </span><span class="n">expected</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">was</span><span class="o"><</span><span class="s2">"`12345678990-=~ !@\#$%^&*()_+{}|;:</span><span class="se">\"</span><span class="s2">,./>?:</span><span class="se">\"</span><span class="s2">,./<>?"</span><span class="o">>.</span><span class="mi">14</span><span class="w"> </span><span class="n">tests</span><span class="p">,</span><span class="w"> </span><span class="mi">14</span><span class="w"> </span><span class="n">assertions</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">failures</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span>
</code></pre></div>
<p>I've tried to reproduce on a cowbuilder instance on my own armel
machine; I could not reproduce the problem -- the test suites pass for
me.</p>
<p>I've asked for help on the various buildd lists, and from upstream; no
one resolutions have been proposed yet. I'd be grateful for any
suggestions or hints of things i might want to look for. It would be a
win if i could just reproduce the errors.</p>
<p>Of course, one approach would be to disable the test suite as part of
the build process, but it has already helped catch a number of other
issues with the upstream source. It would be a shame to lose those
benefits.</p>
<p>Any thoughts?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/buildd">buildd</a>,
<a href="https://debian-administration.org/tag/packaging">packaging</a>,
<a href="https://debian-administration.org/tag/xdotool">xdotool</a></p>
</p>the bleeding edge: btrfs (poor performance, alas)2011-05-10T18:17:00-04:002011-05-10T18:17:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-05-10:/blog/the-bleeding-edge-btrfs-poor-performance-alas.html<p>I'm playing with btrfs to get a feel for what's coming up in linux
filesystems. To be daring, i've configured a test machine using only
btrfs for its on-disk filesystems. I really like some of the ideas put
forward in the btrfs design. (i'm aware that btrfs is considered
experimental-only …</p><p>I'm playing with btrfs to get a feel for what's coming up in linux
filesystems. To be daring, i've configured a test machine using only
btrfs for its on-disk filesystems. I really like some of the ideas put
forward in the btrfs design. (i'm aware that btrfs is considered
experimental-only at this point).</p>
<p>I'm happy to report that despite several weeks of regular upgrade/churn
from unstable and experimental, i have yet to see any data loss or other
serious forms of failure.</p>
<p>Unfortunately, i'm not impressed with the performance. The machine feels
sluggish in this configuratiyon, compared to how i remember it running
with previous non-btrfs installations. So i ran some benchmarks. The
results don't look good for btrfs in its present incarnation.</p>
<p><strong>UPDATE: see the comments section for revised statistics from a quieter
system, with the filesystems over the same partition (btrfs is still
much slower).</strong></p>
<p>The simplified test system i'm running has Linux kernel
2.6.39-rc6-686-pae (from experimental), 1GiB of RAM (no swap), and a
single 2GHz P4 CPU. It has one parallel ATA hard disk
(<code>WDC WD400EB-00CPF0</code>), with two primary partitions (one btrfs and one
ext3). The root filesystem is btrfs. The ext3 filesystem is mounted at
<code>/mnt</code></p>
<p>I used <a href="http://packages.debian.org/bonnie++">bonnie++</a> to benchmark the
ext3 filesystem against the btrfs filesystem as a non-privileged user.</p>
<p>Here are the results on the test ext3 filesystem:</p>
<div class="highlight"><pre><span></span><code><span class="n">consoleuser</span><span class="nv">@loki</span><span class="err">:</span><span class="o">~</span><span class="err">$</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="n">bonnie</span><span class="o">-</span><span class="n">stats</span><span class="p">.</span><span class="n">ext3</span><span class="w"> </span><span class="n">Reading</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="nc">time</span><span class="p">...</span><span class="n">doneReading</span><span class="w"> </span><span class="n">intelligently</span><span class="p">...</span><span class="n">donestart</span><span class="w"> </span><span class="err">'</span><span class="n">em</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="k">Create</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Stat</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Delete</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Create</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Stat</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Delete</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Version</span><span class="w"> </span><span class="mf">1.96</span><span class="w"> </span><span class="c1">------Sequential Output------ --Sequential Input- --Random-Concurrency 1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CPloki 2264M 331 98 23464 11 10988 4 1174 85 39629 6 130.4 5Latency 92041us 1128ms 1835ms 166ms 308ms 6549msVersion 1.96 ------Sequential Create------ --------Random Create--------loki -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete-- files /sec %CP /sec %CP /sec %CP /sec %CP /sec %CP /sec %CP 16 9964 26 +++++ +++ 13035 26 11089 27 +++++ +++ 11888 24Latency 17882us 1418us 1929us 489us 51us 650us1.96,1.96,loki,1,1305039600,2264M,,331,98,23464,11,10988,4,1174,85,39629,6,130.4,5,16,,,,,9964,26,+++++,+++,13035,26,11089,27,+++++,+++,11888,24,92041us,1128ms,1835ms,166ms,308ms,6549ms,17882us,1418us,1929us,489us,51us,650usconsoleuser@loki:~$</span>
</code></pre></div>
<p>And here are the results for btrfs (on the main filesystem):</p>
<div class="highlight"><pre><span></span><code><span class="n">consoleuser</span><span class="nv">@loki</span><span class="err">:</span><span class="o">~</span><span class="err">$</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="n">bonnie</span><span class="o">-</span><span class="n">stats</span><span class="p">.</span><span class="n">btrfs</span><span class="w"> </span><span class="n">Reading</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="nc">time</span><span class="p">...</span><span class="n">doneReading</span><span class="w"> </span><span class="n">intelligently</span><span class="p">...</span><span class="n">donestart</span><span class="w"> </span><span class="err">'</span><span class="n">em</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="n">done</span><span class="p">...</span><span class="k">Create</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Stat</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Delete</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">sequential</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Create</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Stat</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="k">Delete</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="k">order</span><span class="p">...</span><span class="n">done</span><span class="p">.</span><span class="n">Version</span><span class="w"> </span><span class="mf">1.96</span><span class="w"> </span><span class="c1">------Sequential Output------ --Sequential Input- --Random-Concurrency 1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CPloki 2264M 43 99 22682 17 10356 6 1038 79 28796 6 86.8 99Latency 293ms 727ms 1222ms 46541us 504ms 13094msVersion 1.96 ------Sequential Create------ --------Random Create--------loki -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete-- files /sec %CP /sec %CP /sec %CP /sec %CP /sec %CP /sec %CP 16 1623 33 +++++ +++ 2182 57 1974 27 +++++ +++ 1907 44Latency 78474us 6839us 8791us 1746us 66us 64034us1.96,1.96,loki,1,1305040411,2264M,,43,99,22682,17,10356,6,1038,79,28796,6,86.8,99,16,,,,,1623,33,+++++,+++,2182,57,1974,27,+++++,+++,1907,44,293ms,727ms,1222ms,46541us,504ms,13094ms,78474us,6839us,8791us,1746us,66us,64034usconsoleuser@loki:~$</span>
</code></pre></div>
<p>As you can see, btrfs is significantly slower in several categories:</p>
<ul>
<li>writing character-at-a-time is *much* slower: 43K/sec vs. 331K/sec</li>
<li>reading block-at-a-time is slower: 28796K/sec vs. 39629K/sec</li>
<li>all forms of file creation and deletion are nearly an order of
magnitude slower</li>
<li>Random seeks are almost as fast, but they swamp the CPU</li>
</ul>
<p>I'm hoping that i just configured the test wrong somehow, or that i've
done something grossly unfair in the system setup and configuration. (or
maybe i'm mis-reading the <code>bonnie++</code> output?) Maybe someone can point
out my mistake, or give me pointers for what to do to try to speed up
btrfs.</p>
<p>I like the sound of the features we will eventually get from btrfs, but
these performance figures seem like a pretty rough tradeoff.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/benchmarks">benchmarks</a>,
<a href="https://debian-administration.org/tag/bonnie">bonnie</a>,
<a href="https://debian-administration.org/tag/btrfs">btrfs</a>,
<a href="https://debian-administration.org/tag/ext3">ext3</a></p>
</p>Please use unambiguous tag names in your DVCS2011-05-06T21:05:00-04:002011-05-06T21:05:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-05-06:/blog/please-use-unambiguous-tag-names-in-your-dvcs.html<p>One of the nice features of a distributed version control system (DVCS)
like <code>git</code> is the ability to tag specific states of your project, and to
cryptographically sign your tags.</p>
<p>Many projects use simple tag names with the version string like
"<code>0.35</code>". This is a plea to ensure that …</p><p>One of the nice features of a distributed version control system (DVCS)
like <code>git</code> is the ability to tag specific states of your project, and to
cryptographically sign your tags.</p>
<p>Many projects use simple tag names with the version string like
"<code>0.35</code>". This is a plea to ensure that the tags you make explicitly
reference the project you're working on. For example, if you are
releasing version 0.35 of project Foo, please make your tag "<code>foo_0.35</code>"
for security and for future disambiguation.</p>
<p>There is more than one reason to care about unambiguous tags. I'll give
two reasons below, but they come from the same fundamental observation:
<em>All git repositories are, in some sense, the same git repository; some
just store different commits than others</em>.</p>
<p>it's entirely possible to merge two disjoint git repositories, and to
have two unassociated threads of development in the same repo. you can
also merge threads of developement later if the projects converge.</p>
<dl>
<dt>Avoid tag replay attacks</dt>
<dd>
<p>Let's assume Alice works on two projects, Foo and Bar. She wraps up
work on a new version of Foo, and creates and signs a simple tag
"<code>0.32</code>". She publishes this tag to the Foo project's public git
repo.</p>
<p>Bob is trying to attack the Bar project, which is currently at
version 0.31. Bob can actually merge Alice's work on Foo into the
Bar repository, including Alice's new tag.</p>
<p>Now looks like there is a tag for version 0.32 of project Bar, and
it has been cryptographically-signed by Alice, a known active
developer!</p>
<p><p>
If she had named her tag "<code>foo_0.32</code>" (and if all Bar tags were of
the form "<code>bar_X.XX</code>"), it would be clear that this tag did not
belong to the Bar project.</p>
</dd>
<dt>Be able to merge projects and keep full history</dt>
<dd>Consider two related projects with separate development histories
that later decide to merge (e.g. a library and its most important
downstream application). If they merge their git repos, but both
projects have a tag "<code>0.1</code>", then one tag must be removed to make
room for the other.
<p>
If all tags were unambiguously named, the two repos could be merged
cleanly without discarding or rewriting history.</dd>
</dl>
<p>I noticed this because of a general principle i try to keep in mind:
<em>when making a cryptographic signature, ensure that the thing you are
signing is context-independent -- that is, that it cannot be easily
misinterpreted when placed in a different context</em>. For example, do not
sign e-mails that just say "I approve" -- say specifically what you are
approving of in the body of the signed mail. Otherwise, someone could
re-send your "I approve" e-mail In-Reply-To a topic that you do not
really approve of.</p>
<p>By extension, signing a simple tag is like saying "the source tree in
this specific state (and with this specific history) is version 0.3". A
close inspection of the state and the history by a sensitive/intelligent
human skilled in the art of looking at source code can probably figure
out what the project is from its contents. But it's much less ambiguous
to say "the source tree in this specific state (and with this specific
history) is version 0.3 <em>of project Foo</em>".</p>
<p>Once you start using unambiguous tag names, you make it safe for people
to set up simple tools that do automated scans of your repository and
can take action when a new signed tag appears. And you respect (and help
preserve) the history of any future project that gets merged with yours.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/git">git</a>,
<a href="https://debian-administration.org/tag/security">security</a></p>
</p>test-driven development: refactoring, difficulties2011-05-04T23:11:00-04:002011-05-04T23:11:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-05-04:/blog/test-driven-development-refactoring-difficulties.html<p>liw recently <a href="http://blog.liw.fi/posts/debian-tdd/">wrote about test-driven
development</a>:</p>
<blockquote>
<p><em>This all sounds like a lot of bureaucratic nonsense, but what I get
out of this is this: once all tests pass, I have a strong confidence
that the software works. As soon as I've added all the features I want
to have for …</em></p></blockquote><p>liw recently <a href="http://blog.liw.fi/posts/debian-tdd/">wrote about test-driven
development</a>:</p>
<blockquote>
<p><em>This all sounds like a lot of bureaucratic nonsense, but what I get
out of this is this: once all tests pass, I have a strong confidence
that the software works. As soon as I've added all the features I want
to have for a release, I can push a button to push it out</em></p>
</blockquote>
<p>To my mind, this is only one of the benefits. He doesn't describe
another major benefit, which is the confidence with which you can take
on re-factoring in projects with well-developed test infrastructure.</p>
<p>If your project has no test infrastructure at all, and you make a deep
and/or potentially invasive change, you might well produce something
that is heinously broken for users who have a different pattern of using
the tool than you do.</p>
<p>But if you have a well-developed, reasonable test suite with fairly wide
coverage, you can make a deep or invasive change, and be confident that
-- if the tests all pass -- the stuff you release isn't going to be too
horrific. And if you do break something with a change which the test
suite didn't cover, that's an indication that the test suite is lacking.
Hopefully, you can factor out a problem report into its own test, so
that future changes will ensure that the behavior doesn't regress too.</p>
<p>The upshot of more-confident re-factoring is that your development can
be much bolder, you can roll out new features more quickly, and you can
spend less time agonizing about whether you've got the various
abstraction layers exactly right the first time through. These are all
good things (though i do think the agony of abstraction perfectionism is
well-warranted in some contexts, like API definitions, and wouldn't want
test-driven development to make people give up on that necessary task).</p>
<h3 id="when-testing-cant-cover-everything">when testing can't cover everything</h3>
<p>Some things are just hard to test well. for example, if you have 20
different boolean options to a command-line tool, you can't
realistically test them in all combinations and permutations; that would
be over a million tests.</p>
<p>User experience is also notoriously difficult to test, as are tools that
rely heavily on network interaction, which can be flakey and
unpredictable.</p>
<h3 id="other-downsides">other downsides</h3>
<p>Test suites themselves require maintenance, as the components they rely
on can change over time. More than once, i've had a test suite failure
that was really a failure of the test infrastructure, not the code
itself. But in those same projects, that's usually followed or preceded
by a test suite failure that picks out a particularly nasty or subtle
bug in the tested code that might have persisted for quite a while
unnoticed. So the test suite does in some sense create more work all
around.</p>
<h3 id="more-and-better-testing-is-good-for-debian">more and better testing is good for Debian</h3>
<p>Even when we know that coverage isn't perfect, and even with its
additional overhead, well-integrated tests (at the unit level and more
generally) are worth the tradeoffs. It's worth doing because of the
robustness and guarantees that we can give each other with
regularly-tested code. It's a more stable foundation which surprisingly
also gives us more flexibility going forward. This is good for free
software in general. It also helps us find our bugs before our users do,
so it's better for our users. So more and better testing directly
supports the two main priorities outlined in the Debian Social Contract.</p>
</p>USAA Deposit@Home: bad engineering and terrible UX2011-04-28T06:59:00-04:002011-04-28T06:59:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-04-28:/blog/usaa-deposithome-bad-engineering-and-terrible-ux.html<p>I use <a href="https://www.usaa.com">USAA</a> for some of my finances. They
specialize in remote banking (i've never been in a physical branch).
Sadly, they can still be pretty clueless about how to use the web
properly. My latest frustration with them was trying to use their
<a href="https://www.usaa.com/inet/pages/bank_deposit">Deposit@Home</a> service,
where you scan …</p><p>I use <a href="https://www.usaa.com">USAA</a> for some of my finances. They
specialize in remote banking (i've never been in a physical branch).
Sadly, they can still be pretty clueless about how to use the web
properly. My latest frustration with them was trying to use their
<a href="https://www.usaa.com/inet/pages/bank_deposit">Deposit@Home</a> service,
where you scan your checks and upload them.</p>
<p>No problem, right? I've got a scanner and a web browser and i know how
to use them both. Ha ha. Upon first connecting, i'm rejected, and i find
the absurd <a href="https://www.usaa.com/inet/pages/help_deposit_system_requirements">System
Requirements</a>
-- only Windows and Mac, and only certain versions of certain browsers.
You also need Sun's Java plugin, apparently.</p>
<p>Deliberately naïve, i call their helpdesk and ask them if they could
just give me a link to let me upload my scanned checks. They tell me
that they want 200dpi images, and then give an absurd runaround that
includes references to <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Gramm-Leach-Bliley_Act">the Gramm-Leach-Bliley
Act</a>
as the reason they need to limit the system to Windows or Mac, and that
security is the reason they need to control the scanner directly
(apparently your browser can control your local scanner on Windows?
yikes). But they let slip that Mac users don't have the scanner
controlled directly, and can just upload images (apparently the federal
law doesn't cover them or something). Preposterous silliness.</p>
<h3 id="the-workaround">The Workaround</h3>
<p>Of course, it turns out you can get it working on Debian GNU/Linux,
mainly by telling them what they want to hear ("yes sir, i'm running Mac
OS"), but you'll also have to run Sun's Java (non-free software) to do
it, since their Java uploader fails with <a href="http://lair.fifthhorseman.net/~dkg/personal/usaa.java.err.txt">nasty errors when using
icedtea6-plugin</a>.</p>
<p>I set up a dedicated system user for this goofiness, since i'm going to
be running apparently untrustworthy applets on top of non-free software.
I run a separate instance of iceweasel as that user; all configuration
described is for that user's homedir. If you do this yourself, You'll
need to decide if you want the same level of isolation for yourself.</p>
<p>So i have the choice of installing
<a href="http://packages.debian.org/sun-java6-plugin">sun-java6-plugin</a> from
<code>non-free</code> and having the plugin installed for all web browsers, or just
doing a per-user install of java for my dedicated user (and avoiding the
plugin for my normal user). I opted for the latter. As the dedicated
user, I fetched the self-extracting variant from
<a href="https://www.java.com/en/download/manual.jsp">java.com</a>, unpacked it,
and added it to the iceweasel plugins:</p>
<div class="highlight"><pre><span></span><code><span class="n">chmod</span><span class="w"> </span><span class="n">a</span><span class="o">+</span><span class="n">x</span><span class="w"> </span><span class="o">~/</span><span class="n">Download</span><span class="o">/</span><span class="n">jre</span><span class="o">-</span><span class="mi">6</span><span class="n">u25</span><span class="o">-</span><span class="n">linux</span><span class="o">-</span><span class="n">i586</span><span class="o">.</span><span class="n">binmkdir</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="o">~/</span><span class="n">lib</span><span class="w"> </span><span class="o">~/.</span><span class="n">mozilla</span><span class="o">/</span><span class="n">pluginscd</span><span class="w"> </span><span class="o">~/</span><span class="n">lib</span><span class="o">~/</span><span class="n">Download</span><span class="o">/</span><span class="n">jre</span><span class="o">-</span><span class="mi">6</span><span class="n">u25</span><span class="o">-</span><span class="n">linux</span><span class="o">-</span><span class="n">i586</span><span class="o">.</span><span class="n">binln</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">~/</span><span class="n">lib</span><span class="o">/</span><span class="n">jre</span><span class="o">*/</span><span class="n">lib</span><span class="o">/*/</span><span class="n">libnpjp2</span><span class="o">.</span><span class="n">so</span><span class="w"> </span><span class="o">~/.</span><span class="n">mozilla</span><span class="o">/</span><span class="n">plugins</span><span class="o">/</span>
</code></pre></div>
<p>Then i closed iceweasel and restarted it. In the relaunched iceweasel
sesson, I told Iceweasel 4 to pretend that it was actually Firefox 3.6
on a Mac. I did this by going to <code>about:config</code> (checking the box that
says i know what i'm doing), right-clicking, and choosing "new >>
string". The new variable name is
<a href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries#General."><code>general.useragent.override</code></a>
and i found that setting it to the following (insane, false) value
worked for me:</p>
<div class="highlight"><pre><span></span><code>Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9.2.3) Gecko/20060426 Firefox/3.5.18
</code></pre></div>
<p>Note that this configuration might make <a href="https://debian-administration.org/users/dkg/weblog/63">hotmail think that you are a
mobile device</a>.
:P If you try to use this browser profile for anything other than
visiting USAA, you might want to remove this setting, or install
<a href="http://packages.debian.org/xul-ext-useragentswitcher"><code>xul-ext-useragentswitcher</code></a>
to be able to set it more easily than using <code>about:config</code>.</p>
<p>Once these changes were made, I was able to log into USAA, use the
Deposit@Home service to upload my 200dpi grayscale scans. I guess they
think i'm a Mac user now.</p>
<h3 id="the-followup">The Followup</h3>
<p>After completing the upload, I wrote them this review (i doubt they'll
post it):</p>
<blockquote>
<p>The Deposit@Home service has great potential. Unfortunately, it
currently appears to be overengineered and unnecessarily restrictive.</p>
<p>The service requires two scans (front and back) of the deposited
check, at 200dpi, in grayscale or black-and-white, in jpeg format,
reasonably-cropped. The simplest way to do this would be to show some
examples of good scans and bad scans, and provide two file upload
forms.</p>
<p>Once the user uploaded their images, the web site could run its own
verification, and display them back for the user to confirm,
optionally using a simple javascript-based image-cropper if any image
seems wrong-sized. This would work fine with any reasonable browser on
any OS.</p>
<p>Instead, Deposit@Home requires the user to present a User-Agent header
claiming to be from specific versions of Mac or Windows, running
certain (older) versions of certain browsers, and requires the use of
Sun's Java plugin.</p>
<p><p>
Entirely unnecessary system requirements to do a simple task.
Disappointing. :(</p>
</blockquote>
<h3 id="acknowledgements">Acknowledgements</h3>
<p>I found <a href="http://ubuntuforums.org/showthread.php?t=1454931">good background for this approach on the ubuntu
forums</a>.</p>
<h3 id="the-takeaway">The Takeaway</h3>
<p>I continue to be frustrated and annoyed by organizations that haven't
yet embraced the benefits of the open web. Clearly, USAA has spent a lot
of money engineering what they think is a certain experience for their
users. However, they didn't design with standard web browsers in mind,
so they appear to have boxed themselves into a corner where they think
they have to test and approve of the entire software stack running on
the end-user's machine.</p>
<p>This is not only foolish -- it's impossible. When you're designing a
web-based application, just design it for the web. Keep it simple. If
you want to offer some snazzy java-hooked-into-your-scanner insanity, i
will only have a mild objection: it seems like a waste of time and
engineering effort. My objection is much stronger if your
snazzy/incompatible absurdity <em>is the only way to use your service</em>. A
simple, web-based, browser-agnostic interface should be available to all
your clients.</p>
<p>Even more aggravating is the claim that they don't think they should
engineer for everyone. I was told during the runaround that they would
only support Linux if 4% of their users were using Linux (which they
don't think is the case at the moment -- if you are a USAA customer, and
you use something other than Mac and Windows, please tell them so). I
tried to tell them that I wasn't asking for Linux support; i was asking
for <em>everyone</em> support. If you just use generic engineering in the first
place, there's no extra expense for special-casing other users. But they
couldn't understand.</p>
<p>And now, since i'll need to lie to them in my User Agent string every
time i want to deposit a check online, those visits won't even show up
in their logs to be counted. "Our web site deliberately disables itself
for \$foo users; we haven't written it for them; but that's OK, we don't
have any \$foo users anyway" is a nasty self-fulfilling prophecy. Why
would you do that?</p>The bleeding edge: systemd2011-04-27T08:07:00-04:002011-04-27T08:07:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-04-27:/blog/the-bleeding-edge-systemd.html<p>Curious about these shiny new things i keep hearing about, i set up a
test desktop system using using
<a href="http://www.freedesktop.org/wiki/Software/systemd">systemd</a> as the init
system (yes, that means using
<a href="http://packages.debian.org/systemd-sysv">systemd-sysv</a> in place of
<a href="http://packages.debian.org/sysvinit">sysvinit</a> -- so i had to remove an
essential package for this to work).</p>
<p><a href="http://bugs.debian.org/624276">A system-crippling bug</a> was naturally …</p><p>Curious about these shiny new things i keep hearing about, i set up a
test desktop system using using
<a href="http://www.freedesktop.org/wiki/Software/systemd">systemd</a> as the init
system (yes, that means using
<a href="http://packages.debian.org/systemd-sysv">systemd-sysv</a> in place of
<a href="http://packages.debian.org/sysvinit">sysvinit</a> -- so i had to remove an
essential package for this to work).</p>
<p><a href="http://bugs.debian.org/624276">A system-crippling bug</a> was naturally
the result of living on the bleeding edge, but fortunately it was
resolved with a trivial patch.</p>
<p>In all, i'm pretty happy with some of the things that systemd seems to
get right. For example, native supervision of daemon processes, clean
process states, elimination of initscript copy-paste-isms, and
socket-based service initiation are all obvious, marked improvements
over the existing sysvinit legacy cruft.</p>
<p>But i'm a bit concerned about other parts. For example, all the
above-mentioned features fit really well within a tightly-tuned,
well-managed server. But systemd also appears to rely heavily on complex
userland systems like dbus and policykit that would be much more at home
on a typical desktop machine. I've never seen a well-managed server
installation that warranted either policykit or dbus. Also, given the
bug i ran into -- when PID 1 aborts due to a silly assertion, your
system is well-and-truly horked. Shouldn't a <em>lot</em> more attention to
detail be happening? I'd think that a "recover gracefully from failed
assertions" approach would be the first thing to target for a would-be
PID 1.</p>
<p>I'm also concerned about the Linux-centricism of systemd. I understand
that features like cgroups and reliance on the spiffiness of inotify are
part of the appeal, but i also really don't want to see us stuck with
only One Single Kernel as an option. The kFreeBSD folks (and the HURD
folks) have done a lot of work to get us close to having some level of
choice at this critical layer of infrastructure. It'd be good to see
that possibility realized, to help us avoid the creeping monoculture. I
worry that systemd's over-reliance on Linux-specific features is heading
in the wrong direction.</p>
<p>So my question is: why is this all being presented as a package deal?
I'd be pretty happy if i could get just the "server-side" features
without incurring the dbus/policykit/etc bloat. I already run servers
with <a href="http://smarden.org/runit">runit</a> as pid 1 -- they're lean and
quite nice, but runit doesn't have systemd's socket-based initiation (or
the level of heavyweight backing that systemd seems to have picked up,
for that matter).</p>
<p>I understand that Lennart is resistant to UNIX's traditional "do one
thing; do it well" philosophy. I can understand some of his reasoning,
but i think he might be doing his work and his tools a disservice by
taking it this far. Wouldn't systemd be better if it was clearer how to
take advantage of parts of it without having to subscribe to the entire
thing?</p>
<p>Of course, i might be missing some nice ways that systemd can be
effectively tuned and pared down. But i've read <a href="http://0pointer.de/blog/projects/">his blog posts about
systemd</a> and i haven't seen how to
get some of the nice features without the parts i don't want. I'd love
to be pointed to some explanations that show me how i'm wrong :)</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/systemd">systemd</a></p>
</p>EDAC i5000 non-fatal errors2011-04-09T00:00:00-04:002011-04-09T00:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-04-09:/blog/edac-i5000-non-fatal-errors.html<p>I've got a Debian GNU/Linux lenny installation (2.6.26-2-vserver-amd64
kernel) running on a Dell Poweredge 2950 with BIOS 2.0.1 (2007-10-27).</p>
<p>It has two <code>Intel(R) Xeon(R) CPU 5160 @ 3.00GHz</code> processors (according
to <code>/proc/cpuinfo</code>, 8 1GiB 667MHz DDR2 ECC modules (part number
<code>HYMP512F72CP8N3-Y5</code>), according …</p><p>I've got a Debian GNU/Linux lenny installation (2.6.26-2-vserver-amd64
kernel) running on a Dell Poweredge 2950 with BIOS 2.0.1 (2007-10-27).</p>
<p>It has two <code>Intel(R) Xeon(R) CPU 5160 @ 3.00GHz</code> processors (according
to <code>/proc/cpuinfo</code>, 8 1GiB 667MHz DDR2 ECC modules (part number
<code>HYMP512F72CP8N3-Y5</code>), according to <code>dmidecode</code>, and an
<code>Intel Corporation 5000X Chipset Memory Controller Hub (rev 12)</code>
according to <code>lspci</code>.</p>
<p>The machine has been running stably for many months.</p>
<p>On the morning of March 31st, i started getting the following messages
from the kernel, on the order of one pair of lines every 3 seconds:</p>
<div class="highlight"><pre><span></span><code>Mar 31 07:04:38 zamboni kernel: [16883514.141275] EDAC i5000 MC0: NON-FATAL ERRORS Found!!! 1st NON-FATAL Err Reg= 0x800Mar 31 07:04:38 zamboni kernel: [16883514.141278] EDAC i5000: NON-Retry Errors, bits= 0x800
</code></pre></div>
<p>A bit of digging turned up <a href="https://bugzilla.redhat.com/show_bug.cgi?id=471933">a redhat bug
report</a> that seems
to suggest that these warnings are just noise, and should be ignorable.
<a href="http://faq.aslab.com/index.php?sid=17883&lang=en&action=artikel&cat=93&id=154&artlang=en">Another link thinks it's a conflict with
IPMI</a>,
though i don't think this model actually has an IPMI subsystem
<strong>correction:</strong> this machine does have IPMI, though i am not making use
of it.</p>
<p>However, i also notice from munin logs that at the same time the error
messages started, the machine exhibited a marked change in CPU activity
(including in-kernel activity) and local timer interrupts:
<img alt="[Individual interrupts - by
month]" src="http://dkg.fifthhorseman.net/blog/i5000_edac/irqstats-month.png"></p>
<p><img alt="[CPU Usage - by
month]" src="http://dkg.fifthhorseman.net/blog/i5000_edac/cpu-month.png"></p>
<p>I also note that more rescheduling interrupts started happening, and
fewer megasas interrupts at about the same time. I'm not sure what this
means.</p>
<p>A review of other logs and graphs on the system turns up no other
evidence of interaction that might cause this kind of elevated activity.</p>
<p>One thought was that the elevated activity was just due to writing out a
bunch more logs. So i tried removing the <code>i5000_edac</code> module just to
keep <code>dmesg</code> and <code>/var/log/kern.log</code> cleaner. Leaving that turned off
doesn't lower the CPU utilization or change the interrupts, though.</p>
<p>Any suggestions on what might be going on, or further diagnostics i
should run? The machine is in production, and I'd really rather not take
down the machine for an extended period of time to do a lengthy memory
test. But i also don't want to see this kind of extra CPU usage (more
than double the machine's baseline).</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/i5000_edac">i5000_edac</a>,
<a href="https://debian-administration.org/tag/troubleshooting">troubleshooting</a></p>
</p>Debian on Thecus N8800Pro2011-04-05T20:07:00-04:002011-04-05T20:07:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-04-05:/blog/debian-on-thecus-n8800pro.html<p>I recently set up debian on a <a href="http://www.thecus.com/product.php?PROD_ID=28">Thecus
N8800Pro</a>. It seems to be
a decent rackmount 2U chassis with 8 3.5" hot-swap SATA drives, dual
gigabit NICs, a standard DB9 RS-232 serial port, one eSATA port, a bunch
of USB 2.0 connectors, and dual power supplies. I'm happy …</p><p>I recently set up debian on a <a href="http://www.thecus.com/product.php?PROD_ID=28">Thecus
N8800Pro</a>. It seems to be
a decent rackmount 2U chassis with 8 3.5" hot-swap SATA drives, dual
gigabit NICs, a standard DB9 RS-232 serial port, one eSATA port, a bunch
of USB 2.0 connectors, and dual power supplies. I'm happy to be able to
report that Thecus appears to be attempting to fulfill their obligations
under the GPL with this model (i'm fetching <a href="http://www.thecus.com/Downloads/GPL/n4200series_n7700pseries_n8800pseries_5.00.04_GPL.tar.bz2">their latest source
tarball</a>
now to have a look).</p>
<p>Internally, it's an Intel Core 2 Duo processor, two DIMMS of DDR RAM,
and a PCIe slot for extensions if you like. It has two
internally-attached 128MiB SSDs that it wants to boot off of.</p>
<p>The downsides as i see them:</p>
<dl>
<dt>BIOS</dt>
<dd>
<p>The BIOS only runs over VGA, which is not easy to access. I wish it
ran over the serial port. It's also not clear how one would find an
upgrade to the BIOS. <code>dmidecode</code> reports the BIOS as:</p>
<div class="highlight"><pre><span></span><code> Vendor: Phoenix Technologies, LTD Version: 6.00 PG Release Date: 02/24/2009
</code></pre></div>
</dd>
<dt>RAM</dt>
<dd>The mainboard has only two DIMM sockets. It came pre-populated with
two 2GiB DDR DIMMs. memtest86+ reports those DIMMs clearly, but sees
only 3070MiB in aggregate. The linux kernel also sees \~3GiB of RAM,
despite dmidecode and lshw reporting that the two DIMM modules each
are only 1GiB in size. I'm assuming this is a bios problem. Anyone
know how to get access to the full 4GiB? Should i be reporting bugs
on any of these packages?</dd>
<dt>SSDs</dt>
<dd>The internal SSDs are absurdly small and very slow for both reading
and writing. This isn't a big deal because i'm basically only using
them for the bootloader, kernel, and initramfs. But i'm surprised
that they could even find 128MiB devices in these days of \$10 1GiB
flash units.</dd>
<dt>processor</dt>
<dd><code>/proc/cpuinfo</code> reports two cores of a
<code>Intel(R) Core(TM)2 Duo CPU T5500 @ 1.66GHz</code>, each with \~3333
bogomips, and apparently without <a href="http://www.linux-kvm.org/page/FAQ#How_can_I_tell_if_I_have_Intel_VT_or_AMD-V.3F">hardware virtualization
support</a>.
It's not clear to me whether the lack of virtualization support is
something that could be fixed with a BIOS upgrade.</dd>
</dl>
<p>I used <a href="http://www.andymillar.co.uk/blog/2010/04/11/installing-linux-on-a-thecus-n8800pro/">Andy Millar's nice
description</a>
of how to get access to the BIOS -- I found i didn't need a hacksaw to
modify the VGA cable i had. just pliers to remove the outer metal shield
on the side of the connector i plugged into the open socket.</p>
<p><code>lshw</code> sees four <code>SiI 3132 Serial ATA Raid II Controller</code> PCI devices,
each of which appears to support two SATA ports. I'm currently using
only four of the 8 SATA bays, so i've tried to distribute the disks so
that each of them is attached to an independent PCI device (instead of
having two disks on one PCI device, and another PCI device idle). I
don't know if this makes a difference, though, in the RAID10
configuration i'm using.</p>
<p>There's also a neat 2-line character-based LCD display on the front
panel which apparently <a href="http://thecususergroup.proboards.com/index.cgi?board=n5500modifications&action=display&thread=4089">can be driven by talking to a serial
port</a>,
though i haven't tried. Apparently there are also LEDs that might be
controllable directly from the kernel via ICH7 and GPIO, but i haven't
tried that yet either.</p>
<p>Any suggestions on how to think about or proceed with a BIOS upgrade to
get access to the full 4GiB of RAM, BIOS-over-serial, and/or enable
hardware virtualization?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/n8800pro">n8800pro</a>,
<a href="https://debian-administration.org/tag/thecus">thecus</a></p>
</p>auto-built debirf images2011-03-29T08:00:00-04:002011-03-29T08:00:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-03-29:/blog/auto-built-debirf-images.html<p><code>jrollins</code> and i recently did a bunch of cleanup work on
<a href="http://cmrg.fifthhorseman.net/wiki/debirf">debirf</a>, with the result
that debirf 0.30 can now build all the shipped example profiles without
error (well, as long as <code>debootstrap --variant=fakechroot</code> is working
properly -- apprently that's not the case for fakechroot 2.9 in squeeze …</p><p><code>jrollins</code> and i recently did a bunch of cleanup work on
<a href="http://cmrg.fifthhorseman.net/wiki/debirf">debirf</a>, with the result
that debirf 0.30 can now build all the shipped example profiles without
error (well, as long as <code>debootstrap --variant=fakechroot</code> is working
properly -- apprently that's not the case for fakechroot 2.9 in squeeze
right now, which is why i've uploaded a backport of 2.14).</p>
<p>To try to avoid getting into a broken state again, we set up an
autobuilder to create the images from the three example profiles
(minimal, rescue, and xkiosk) for amd64 systems. The logs for these
builds are published (with changes) nightly at:</p>
<div class="highlight"><pre><span></span><code>git://debirf.cmrg.net/debirf-autobuilder-logs
</code></pre></div>
<p>But even better, we are also publishing <a href="http://debirf.cmrg.net/autobuilds/">the auto-generated debirf
images themselves</a>. So, for example,
if you've got an amd64-capable machine with a decent amount of RAM
(512MiB is easily enough), you can download a rescue kernel and image
into <code>/boot/debirf/</code>, add a stanza to your bootloader, and be able to
reboot to it cleanly, without having to sort out the debirf image
creation process yourself.</p>
<p>We're also providing ISOs so people who still use optical media don't
have to format their own.</p>
<p>Please be sure to verify the checksums of the files you download. The
checksums themselves are signed by the OpenPGP key for
<code>Debirf Autobuilder <debirf@cmrg.net></code>, which i've certified and
published to the keyserver network.</p>
<p>What's next? It would be nice to have auto-built images for i386 and
other architectures. And if someone has a good idea for a new example
profile that we should also be auto-building, please submit a bug to the
BTS so we can try to sort it out.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/debirf">debirf</a></p>
</p>CryptLib and the OpenSSL License2011-03-16T04:40:00-04:002011-03-16T04:40:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-03-16:/blog/cryptlib-and-the-openssl-license.html<p>I spent part of today looking at packaging <a href="http://www.cs.auckland.ac.nz/~pgut001/cryptlib/">Peter Gutmann's
CryptLib</a> for
<a href="http://debian.org/">debian</a>. My conclusion: it may not be worth my
time.</p>
<p>One of the main reasons i wanted to package it for debian is because i
would like to see more
<a href="https://tools.ietf.org/html/rfc4880">OpenPGP</a>-compliant free software
available to debian users …</p><p>I spent part of today looking at packaging <a href="http://www.cs.auckland.ac.nz/~pgut001/cryptlib/">Peter Gutmann's
CryptLib</a> for
<a href="http://debian.org/">debian</a>. My conclusion: it may not be worth my
time.</p>
<p>One of the main reasons i wanted to package it for debian is because i
would like to see more
<a href="https://tools.ietf.org/html/rfc4880">OpenPGP</a>-compliant free software
available to debian users and developers, particularly if the code is
GPL-compatible.</p>
<p>Cryptlib makes it quite clear that <a href="http://www.cs.auckland.ac.nz/~pgut001/cryptlib/download.html">it intends to be
GPL-compatible</a>:</p>
<blockquote>
<p>cryptlib is distributed under a dual license that allows free,
open-source use under a GPL-compatible license and closed-source use
under a standard commercial license.</p>
</blockquote>
<p>However, a significant portion of the cryptlib codebase (particularly
within the <code>bn/</code> and <code>crypt/</code> directories) appears to derive directly
from OpenSSL, and it retains Eric Young's copyright and licensing. This
licensing retains the so-called "advertising clause" that <a href="http://people.gnome.org/~markmc/openssl-and-the-gpl.html">is generally
acknowledged to be deliberately incompatible with the
GPL</a>. (A
common counterargument for this incompatibility is that OpenSSL should
be considered a "System Library" for
<a href="http://www.gnu.org/licenses/gpl.html">GPL</a>'ed tools that link against
it; whether or not you believe this for tools linked against OpenSSL,
this counterargument clearly does not hold for a project that embeds and
ships OpenSSL code directly, as CryptLib does)</p>
<p>This does not mean that CryptLib is not free software (it is!), nor does
it mean that you cannot link it against GPL'ed code (you can!). However,
you probably can't <em>distribute</em> the results of linking CryptLib against
any GPL'ed code, because the GPL is incompatible with the OpenSSL
license.</p>
<p>The un-distributability of derived GPL-covered works makes the CryptLib
package much less appealing to me, since i want to be able to write
distributable code that links against useful libraries, and many of the
libaries i care about happen to be under the GPL.</p>
<p>I also note that Peter Gutmann and <a href="http://cryptlib.com">CryptLib Security
Software</a> (apparently some sort of company set up
to distribute CryptLib) may be in violation of Eric Young's License,
which states:</p>
<blockquote>
<div class="highlight"><pre><span></span><code> <span class="o">*</span> <span class="mf">3.</span> <span class="nv">All</span> <span class="s s-Atom">advertising</span> <span class="s s-Atom">materials</span> <span class="s s-Atom">mentioning</span> <span class="s s-Atom">features</span> <span class="s s-Atom">or</span> <span class="s s-Atom">use</span> <span class="s s-Atom">of</span> <span class="s s-Atom">this</span> <span class="s s-Atom">software</span> <span class="o">*</span> <span class="s s-Atom">must</span> <span class="s s-Atom">display</span> <span class="s s-Atom">the</span> <span class="s s-Atom">following</span> <span class="s s-Atom">acknowledgement</span><span class="p">:</span> <span class="o">*</span> <span class="s2">"This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)"</span> <span class="o">*</span> <span class="nv">The</span> <span class="s s-Atom">word</span> <span class="s s-Atom">'cryptographic'</span> <span class="s s-Atom">can</span> <span class="s s-Atom">be</span> <span class="s s-Atom">left</span> <span class="s s-Atom">out</span> <span class="s s-Atom">if</span> <span class="s s-Atom">the</span> <span class="s s-Atom">rouines</span> <span class="s s-Atom">from</span> <span class="s s-Atom">the</span> <span class="s s-Atom">library</span> <span class="o">*</span> <span class="s s-Atom">being</span> <span class="s s-Atom">used</span> <span class="s s-Atom">are</span> <span class="o">not</span> <span class="s s-Atom">cryptographic</span> <span class="nf">related</span> <span class="o">:-</span><span class="p">).</span>
</code></pre></div>
</blockquote>
<p>A <a href="https://encrypted.google.com/search?q=site%3Acryptlib.com%20%27eric%20young%27">Google search for Eric Young's name on
cryptlib.com</a>
yields no hits. I do find his name on page 340 of <a href="http://www.cryptlib.com/downloads/manual.pdf">the Cryptlib
manual</a>, but that hardly
seems like it covers "All advertising materials mentioning features or
use of this software". I suppose it's also possible that CryptLib has
negotiated an alternate license with Eric Young that I simply don't know
about.</p>
<p>In summary: i think CryptLib could go into debian, but its incorporation
of OpenSSL-licensed code makes it less useful than i was hoping it would
be.</p>
<p>I have a few other concerns about the package after looking it over in
more detail. I suspect these are fixable one way or another, but i
haven't sorted them out yet. I'm not sure i'll spend the time to do so
based on the licensing issues i sorted out above.</p>
<p>But in case anyone feels inspired, the other concerns i see are:</p>
<dl>
<dt>embedded code copies</dt>
<dd>In addition to embedded (and slightly-modified) copies of <code>bn/</code> and
<code>crypt/</code> from OpenSSL, CryptLib contains an embedded copy of zlib.
<a href="http://bugs.debian.org/392362">Debian has good reasons</a> for wanting
<a href="http://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles">to avoid embedded code
copies</a>.
I've got it CryptLib building against the system copy of zlib, but
the bits copied from OpenSSL seem to be more heavily patched, which
might complicate relying on the system version.</dd>
<dt>executable stack</dt>
<dd>
<p>lintian reports
<a href="http://lintian.debian.org/tags/shlib-with-executable-stack.html">shlib-with-executable-stack</a>
for the library after it is built. I don't fully understand what
this means or how to fix it, but i suspect it derives from the
following set of object files that also have an executable stack:</p>
<p><code>{.terminal}
0 dkg@pip:~/src/cryptlib/cryptlib$ for foo in $(find . -iname '*.o'); do> if ! readelf -S "$foo" | grep -q .note.GNU-stack ; then> echo "$foo"> fi> done./shared-obj/desenc.o./shared-obj/rc5enc.o./shared-obj/md5asm.o./shared-obj/castenc.o./shared-obj/bfenc.o./shared-obj/rmdasm.o./shared-obj/sha1asm.o./shared-obj/bn_asm.o./shared-obj/rc4enc.o0 dkg@pip:~/src/cryptlib/cryptlib$</code></p>
<p>They probably all need to <a href="http://www.gentoo.org/proj/en/hardened/gnu-stack.xml">be
fixed</a>, unless
there's a good reason for them to be that way (in which case they
need to be documented).</p>
</dd>
<dt>non-PIC code</dt>
<dd>lintian reports
<a href="http://lintian.debian.org/tags/shlib-with-non-pic-code.html">shlib-with-non-pic-code</a>
on the library after it is built. I don't fully understand what this
means, or how to resolve it cleanly, but i imagine this is just a
question of sorting out the details.</dd>
</dl>
<p>Anyone interested in using my packaging attempts as a jumping off point
can start with:</p>
<div class="highlight"><pre><span></span><code>git clone git://lair.fifthhorseman.net/~dkg/cryptlib
</code></pre></div>
<p>Oh, and please correct me about anything in this post; I'd be especially
happy to hear that my analysis of the licensing issues above is wrong :)</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/cryptlib">cryptlib</a>,
<a href="https://debian-administration.org/tag/gpl">gpl</a>,
<a href="https://debian-administration.org/tag/licensing">licensing</a>,
<a href="https://debian-administration.org/tag/openssl">openssl</a></p>
</p>PHP, MySQL, and SSL?2011-03-07T06:02:00-05:002011-03-07T06:02:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-03-07:/blog/php-mysql-and-ssl.html<p>Is there a way to access a MySQL database over the network from PHP and
be confident that</p>
<ul>
<li>the connection is actually using SSL, and</li>
<li>the server's X.509 certificate was successfully verified?</li>
</ul>
<p>As far as i can tell, when using <a href="http://www.php.net/manual/en/book.mysql.php">the stock MySQL
bindings</a>, setting
<a href="http://www.php.net/manual/en/mysql.constants.php#mysql.constants">MYSQL_CLIENT_SSL</a>
is purely advisory …</p><p>Is there a way to access a MySQL database over the network from PHP and
be confident that</p>
<ul>
<li>the connection is actually using SSL, and</li>
<li>the server's X.509 certificate was successfully verified?</li>
</ul>
<p>As far as i can tell, when using <a href="http://www.php.net/manual/en/book.mysql.php">the stock MySQL
bindings</a>, setting
<a href="http://www.php.net/manual/en/mysql.constants.php#mysql.constants">MYSQL_CLIENT_SSL</a>
is purely advisory (i.e. it won't fail if the server doesn't advertise
SSL support). This means it won't defend against an active network
attacker performing the equivalent of
<a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a>.</p>
<p>Even if <code>MYSQL_CLIENT_SSL</code> was stronger than an advisory flag, i can't
seem to come up with a way to tell PHP's basic MySQL bindings the
equivalent of <a href="http://dev.mysql.com/doc/refman/5.0/en/ssl-options.html#option_general_ssl-ca">the <code>--ssl-ca</code>
flag</a>
to the <code>mysql</code> client binary. Without being able to configure this, a
"man-in-the-middle" should be able to intercept the connection by
offering their own certificate on their endpoint, and otherwise relaying
the traffic. A client that does not verify the server's identity would
be none the wiser.</p>
<p>One option to avoid a MITM attack would be for the server to require
client-side certs via the <a href="http://dev.mysql.com/doc/refman/5.0/en/grant.html#id822905"><code>REQUIRE</code> option for a <code>GRANT</code>
statement</a>,
but the basic MySQL bindings for php don't seem to support that either.</p>
<p>PHP's <a href="http://www.php.net/manual/en/book.mysqli.php">mysqli bindings</a>
(MySQL <em>I</em>mproved, i think) feature a command called
<a href="http://php.net/manual/en/mysqli.ssl-set.php"><code>ssl_set()</code></a> which appears
to allow client-side certificate support. But its documentation isn't
clear on how it handles an invalid/expired/revoked server certificate
(let alone a server that announces that it doesn't support SSL), and it
also mentions:</p>
<blockquote>
<p>This function does nothing unless OpenSSL support is enabled.</p>
</blockquote>
<p>Given that debian MySQL packages don't use OpenSSL because of <a href="http://people.gnome.org/~markmc/openssl-and-the-gpl.html">licensing
incompatibilities with the
GPL</a>, i'm left
wondering if packages built against yaSSL support this feature. And i'm
more than a little bit leery that i have no way of telling whether my
configuration request succeeded, or whether this function just happily
did nothing because the interpreter got re-built with the wrong flags.
Shouldn't the function fail explicitly if it cannot meet the user's
request?</p>
<p>Meanwhile, the <a href="http://www.php.net/manual/en/ref.pdo-mysql.php">PDO bindings for
MySQL</a> apparently <a href="http://bugs.php.net/bug.php?id=48587">don't
support SSL connections at all</a>.</p>
<p>What's going on here? Does no one use MySQL over the network via PHP?
Given the number of LAMP-driven data centers, this seems pretty
unlikely. Do PHP+MySQL users just not care about privacy or integrity of
their data?</p>
<p>Or (please let this be the case) have i just somehow missed the obvious
documentation?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/mysql">mysql</a>,
<a href="https://debian-administration.org/tag/php">php</a>,
<a href="https://debian-administration.org/tag/question">question</a>,
<a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/ssl">ssl</a>,
<a href="https://debian-administration.org/tag/tls">tls</a></p>
</p>Turning my back on the IEEE2011-03-01T18:32:00-05:002011-03-01T18:32:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-03-01:/blog/turning-my-back-on-the-ieee.html<p>I used to maintain a membership with <a href="http://ieee.org/">IEEE</a>. I no
longer do.</p>
<p>The latest nonsense to come from them is <a href="http://www.crypto.com/blog/copywrongs/">a change for the worse in
their copyright assignment
policy</a>, which i thought was
<a href="http://cr.yp.to/writing/ieee.html">already problematic</a>.</p>
<p>Other engineering societies (IETF, USENIX, etc) continue to do socially
relevant, useful work without …</p><p>I used to maintain a membership with <a href="http://ieee.org/">IEEE</a>. I no
longer do.</p>
<p>The latest nonsense to come from them is <a href="http://www.crypto.com/blog/copywrongs/">a change for the worse in
their copyright assignment
policy</a>, which i thought was
<a href="http://cr.yp.to/writing/ieee.html">already problematic</a>.</p>
<p>Other engineering societies (IETF, USENIX, etc) continue to do socially
relevant, useful work without attempting to control copyright of work
contributed to them. This just makes IEEE look like a power- and
money-hungry organization, rather than a force for positive advancement
of technology.</p>
<p>For shame, IEEE.</p>
<p>I will not consider reinstating my membership unless the organization
changes their copyright assignment and publication policy to better
reflect the spirit of scientific inquiry and technological advancement
they should stand for.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/freedom">freedom</a>,
<a href="https://debian-administration.org/tag/ieee">ieee</a>,
<a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>resetting passphrases for mapped LUKS volumes2011-01-16T19:57:00-05:002011-01-16T19:57:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-01-16:/blog/resetting-passphrases-for-mapped-luks-volumes.html<p>Let's say you set up a machine using an encrypted disk with LUKS
(debian-installer's partman makes this wonderfully easy!). You choose an
initial passphrase, get the machine working, and it's working great.
Then, you need to restart it, and realize that (for whatever reason)
you've forgotten or lost the passphrase …</p><p>Let's say you set up a machine using an encrypted disk with LUKS
(debian-installer's partman makes this wonderfully easy!). You choose an
initial passphrase, get the machine working, and it's working great.
Then, you need to restart it, and realize that (for whatever reason)
you've forgotten or lost the passphrase for the volume. oops! (i'm sure
this has never happened to you -- let's just pretend it's your
less-fortunate friend).</p>
<p>If your system is still running, and you have superuser access to it,
you can actually set a new passphrase for the LUKS volume using
information that the dm-crypt kernel module has about the in-use
mapping. In my examples, i'll imagine that the source volume is
<code>/dev/XXX2</code> and the exported cleartext volume is known by the
device-mapper as <code>XXX2_crypt</code></p>
<p>In the bigger picture, this should serve as a reminder that even though
your disk is encrypted, if someone gets live access to the superuser
account on a system with the encryption keys loaded, your data is no
longer secret.</p>
<p>Before you do any tweaking, you might want to back up your LUKS header,
just in case:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">umask</span><span class="w"> </span><span class="mf">0770</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cryptsetup</span><span class="w"> </span><span class="n">luksHeaderBackup</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">XXX2</span><span class="w"> </span><span class="o">--</span><span class="n">header</span><span class="o">-</span><span class="n">backup</span><span class="o">-</span><span class="n">file</span><span class="w"> </span><span class="n">XXX2</span><span class="mf">.</span><span class="n">luksheader</span><span class="mf">.</span><span class="n">backup0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span>
</code></pre></div>
<p>Maybe also copy that off the machine, since a copy of the LUKS header
stored within its own volume isn't terribly useful for a backup-recovery
situation.</p>
<p>You might also be interested in looking at the contents of the LUKS
header:</p>
<div class="highlight"><pre><span></span><code><span class="mi">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="o">~</span><span class="c1"># cryptsetup luksDump /dev/XXX2LUKS header information for /dev/XXX2Version: 1Cipher name: aesCipher mode: cbc-essiv:sha256Hash spec: sha1Payload offset: 2056MK bits: 256MK digest: 93 51 6c 66 ec ce 32 54 6f 6b 52 d1 27 9b 5a 62 6f 6b 52 d1MK salt: b2 ca 20 49 9f 78 49 c2 fe 15 b4 0f 74 11 23 49 64 9e 61 bb f2 82 60 47 a5 76 fa a4 24 0e 5a 7eMK iterations: 10UUID: 052f1da0-21a1-11e0-ac64-0800200c9a66Key Slot 0: ENABLED Iterations: 218733 Salt: f2 ae 8c 53 48 a5 f0 bf e1 2c 06 5f 5a bd ff d9 9a 2e d1 49 3a 63 f8 49 82 ed ae 86 7b 7b 7e 76 Key material offset: 8 AF stripes: 4000Key Slot 1: DISABLEDKey Slot 2: DISABLEDKey Slot 3: DISABLEDKey Slot 4: DISABLEDKey Slot 5: DISABLEDKey Slot 6: DISABLEDKey Slot 7: DISABLED0 root@example:~# </span>
</code></pre></div>
<p>Now, the fix: We pull the live "master key" from the running device map,
and fill a new luksKeySlot from it (this example uses bash's <code><()</code>
syntax for process substitution -- if you use a different shell, i'm
sure you can find a different way to do it):</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cryptsetup</span><span class="w"> </span><span class="o">--</span><span class="n">master</span><span class="o">-</span><span class="n">key</span><span class="o">-</span><span class="n">file</span><span class="w"> </span><span class="o"><</span><span class="p">(</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">dmsetup</span><span class="w"> </span><span class="o">--</span><span class="n">showkeys</span><span class="w"> </span><span class="nb">tab</span><span class="n">le</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="err">'</span><span class="o">/^</span><span class="n">XXX2_crypt</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="err">{</span><span class="w"> </span><span class="kr">print</span><span class="w"> </span><span class="err">$</span><span class="mf">6</span><span class="w"> </span><span class="err">}'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="n">tr</span><span class="w"> </span><span class="o">-</span><span class="n">d</span><span class="w"> </span><span class="err">'\</span><span class="n">n</span><span class="err">'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="n">perl</span><span class="w"> </span><span class="o">-</span><span class="n">e</span><span class="w"> </span><span class="err">'</span><span class="kr">print</span><span class="w"> </span><span class="n">pack</span><span class="p">(</span><span class="s">"H*"</span><span class="p">,</span><span class="w"> </span><span class="o"><</span><span class="n">STDIN</span><span class="o">></span><span class="p">);</span><span class="err">'</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="n">luksAddKey</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">XXX2Enter</span><span class="w"> </span><span class="kr">new</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">slot</span><span class="p">:</span><span class="w"> </span><span class="n">abc123Verify</span><span class="w"> </span><span class="n">passphrase</span><span class="p">:</span><span class="w"> </span><span class="n">abc1232</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span>
</code></pre></div>
<p>(note that the <code>luksAddKey</code> invocation above returned an error code of 2
even though it succeeded. I think this is <a href="http://bugs.debian.org/610258">a bug in cryptsetup's return
code</a>, not a bug in the password
resetting -- it should have returned 0 instead of 2).</p>
<p>You can check to see that a new key slot was enabled by re-running
<code>cryptsetup luksDump</code></p>
<p>And if you really want to double-check before you reboot, you can try
enabling a third keyslot using the passphrase you just added, since this
would not succeed if your new passphrase failed to unlock any of the
existing keyslots:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cryptsetup</span><span class="w"> </span><span class="n">luksAddKey</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">XXX2Enter</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">passphrase</span><span class="p">:</span><span class="w"> </span><span class="n">abc123Enter</span><span class="w"> </span><span class="kr">new</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">slot</span><span class="p">:</span><span class="w"> </span><span class="n">anotherpassphraseVerify</span><span class="w"> </span><span class="n">passphrase</span><span class="p">:</span><span class="w"> </span><span class="n">anotherpassphrase0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span>
</code></pre></div>
<p>You can also get rid of the original keyslot (which you don't know the
passphrase to) like this:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">root</span><span class="err">@</span><span class="n">example</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cryptsetup</span><span class="w"> </span><span class="n">luksKillSlot</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">XXX2</span><span class="w"> </span><span class="mf">0</span><span class="n">Enter</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="c1">remaining LUKS passphrase: abc1230 root@example:~# </span>
</code></pre></div>
<p>(the above commands were all demonstrated using debian testing, with
cryptsetup 2:1.1.3-4 and dmsetup 2:1.02.48-4)</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/cryptsetup">cryptsetup</a>,
<a href="https://debian-administration.org/tag/dmsetup">dmsetup</a>,
<a href="https://debian-administration.org/tag/luks">luks</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>Liberating Knowledge: A Librarian's Manifesto2011-01-06T05:52:00-05:002011-01-06T05:52:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2011-01-06:/blog/liberating-knowledge-a-librarians-manifesto.html<p><a href="http://alycia.brokenja.ws/">A friend</a> just pointed me to <a href="http://www.nea.org/assets/img/PubThoughtAndAction/A10Fister1.pdf">Liberating
Knowledge: A Librarian's Manifesto for
Change</a>
by <a href="https://barbarafister.wordpress.com/">Barbara Fister</a>, an <a href="http://homepages.gac.edu/~fister/vita.html">academic
librarian</a> who also happens
to <a href="http://barbarafister.com/">write mystery novels</a>.</p>
<p>She has an excellent perspective on the meaning of libraries, and the
tradeoffs involved with the current societal trend toward privatizing
knowledge through so-called …</p><p><a href="http://alycia.brokenja.ws/">A friend</a> just pointed me to <a href="http://www.nea.org/assets/img/PubThoughtAndAction/A10Fister1.pdf">Liberating
Knowledge: A Librarian's Manifesto for
Change</a>
by <a href="https://barbarafister.wordpress.com/">Barbara Fister</a>, an <a href="http://homepages.gac.edu/~fister/vita.html">academic
librarian</a> who also happens
to <a href="http://barbarafister.com/">write mystery novels</a>.</p>
<p>She has an excellent perspective on the meaning of libraries, and the
tradeoffs involved with the current societal trend toward privatizing
knowledge through so-called "intellectual property" regulations. In a
great critique of the passivity of academia and libraries in the face of
attempts at intellectual
<a href="https://secure.wikimedia.org/wikipedia/en/wiki/Enclosure">enclosure</a> by
private corporations, she writes:</p>
<blockquote>
<p>This uninformed indifference is laying the groundwork for a new
tragedy of the commons: a world in which knowledge is turned into
intellectual property, monetizied, and made artificially scarce.</p>
</blockquote>
<p>She closes with a six-point manifesto that begins:</p>
<blockquote>
<p>Liberation bibliography arises out of outrage at the injustice of the
current system. It’s not about saving money, it’s about the empowering
nature of knowledge and the belief that it shouldn’t be a luxury good
for the few.</p>
</blockquote>
<p>The article abounds in examples of heinous arrangements in the current
system that seem to be accepted as standard procedure, and clear
thinking about what the actual tradeoffs are (and how we, as a society,
are making them poorly).</p>
<p>If i had one objection, it would be that she neglects to mention
increased surveillance as one of the problems that come with
privatization of knowledge. Our abilities to read privately and
anonymously, and to correspond confidentially are at risk because of
these systems of control.</p>
<p>Anyway, I'd love to see more open allegiances between librarians and
free software folks; the ideals and struggles are very much in parallel.
Go talk to your librarian friends about this stuff today!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/academia">academia</a>,
<a href="https://debian-administration.org/tag/freedom">freedom</a>, <a href="https://debian-administration.org/tag/intellectual%20property">intellectual
property</a>,
<a href="https://debian-administration.org/tag/libraries">libraries</a></p>
</p>converting eviews models to gretl?2010-12-13T00:17:00-05:002010-12-13T00:17:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-12-13:/blog/converting-eviews-models-to-gretl.html<p>Someone recently pointed me to <a href="http://gennaro.zezza.it/software/eviews/v6/gl03sim_a.prg">some economic/statistical
models</a> that
were designed for <a href="http://www.eviews.com/">eviews (a proprietary tool)</a>.</p>
<p>They were looking for help converting the model into a format that could
work with <a href="http://gretl.sourceforge.net/">gretl (the Gnu Regression, Econometrics and Time-series
Library)</a>. I'm afraid i'm an economics
dunce, and i have no …</p><p>Someone recently pointed me to <a href="http://gennaro.zezza.it/software/eviews/v6/gl03sim_a.prg">some economic/statistical
models</a> that
were designed for <a href="http://www.eviews.com/">eviews (a proprietary tool)</a>.</p>
<p>They were looking for help converting the model into a format that could
work with <a href="http://gretl.sourceforge.net/">gretl (the Gnu Regression, Econometrics and Time-series
Library)</a>. I'm afraid i'm an economics
dunce, and i have no experience with this stuff. Any pointers?</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/conversion">conversion</a>,
<a href="https://debian-administration.org/tag/economics">economics</a>,
<a href="https://debian-administration.org/tag/gretl">gretl</a></p>
</p>forwarding unix domain sockets with ssh and socat2010-12-02T09:41:00-05:002010-12-02T09:41:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-12-02:/blog/forwarding-unix-domain-sockets-with-ssh-and-socat.html<p>i suspect a lot of people are used to forwarding TCP sockets with SSH --
for example, to connect locally to a mysql daemon that runs only on the
loopback interface of a remote machine (this is debian's default
<code>mysql-server</code> configuration):</p>
<div class="highlight"><pre><span></span><code><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">N</span><span class="w"> </span><span class="o">-</span><span class="n">T</span><span class="w"> </span><span class="o">-</span><span class="n">oExitOnForwardFailure</span><span class="o">=</span><span class="n">yes</span><span class="w"> </span><span class="o">-</span><span class="n">L</span><span class="w"> </span><span class="mi">3306</span><span class="err">:</span><span class="nl">localhost</span><span class="p">:</span><span class="mi">3306</span><span class="w"> </span><span class="n">remoteuser …</span></code></pre></div><p>i suspect a lot of people are used to forwarding TCP sockets with SSH --
for example, to connect locally to a mysql daemon that runs only on the
loopback interface of a remote machine (this is debian's default
<code>mysql-server</code> configuration):</p>
<div class="highlight"><pre><span></span><code><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">N</span><span class="w"> </span><span class="o">-</span><span class="n">T</span><span class="w"> </span><span class="o">-</span><span class="n">oExitOnForwardFailure</span><span class="o">=</span><span class="n">yes</span><span class="w"> </span><span class="o">-</span><span class="n">L</span><span class="w"> </span><span class="mi">3306</span><span class="err">:</span><span class="nl">localhost</span><span class="p">:</span><span class="mi">3306</span><span class="w"> </span><span class="n">remoteuser</span><span class="nv">@mysqlserver</span><span class="p">.</span><span class="n">example</span>
</code></pre></div>
<p>But sometimes, the remote service runs on a UNIX-domain socket, not on a
TCP socket -- for example, debian's default configuration for
<code>postgresql</code> is to have it listen only on a UNIX domain socket in
<code>/var/run/postgresql</code>, and use <code>SO_PEERCRED</code> with a simple system
account == psql account mapping scheme to authenticate users without
needing any extra credentials. This is not quite as simple to forward
over ssh, but it's doable as long as <code>socat</code> is installed on both your
local host and on the remote postgres server.</p>
<p>Here's one way to do it if <code>$SOCKET_DIR</code> points to the full path of a
directory under the user's control (this is all one command, split
across lines for easier reading):</p>
<div class="highlight"><pre><span></span><code><span class="n">socat</span><span class="w"> </span><span class="s2">"UNIX-LISTEN:$SOCKET_DIR/.s.PGSQL.5432,reuseaddr,fork"</span><span class="w"> </span>\<span class="w"> </span><span class="n">EXEC</span><span class="p">:</span><span class="s1">'ssh remoteuser@psqlserver.example socat STDIO UNIX-CONNECT\:/var/run/postgresql/.s.PGSQL.5432'</span>
</code></pre></div>
<p>Then, you'd connect with something like:</p>
<div class="highlight"><pre><span></span><code>psql "user=remoteuser host=$SOCKET_DIR"
</code></pre></div>
<p>Each such <code>psql</code> connection will trigger an <code>ssh</code> connection to be made.
Of course, this won't work well if ssh has to prompt for passwords, but
<a href="https://debian-administration.org/users/dkg/weblog/64">you should be using <code>ssh-agent</code>
anyway</a>, right?</p>
<p>There are at least a couple nice features of being able to use
postgresql from a local client like this:</p>
<ul>
<li>your psql client can load files from your local machine, and can
dump/export files to the local machine.</li>
<li>your <code>~/.psql_history</code> stays local, so you can review what you did
even when you're offline</li>
<li>you can run local RDBMS administrative GUIs like <code>pgadmin3</code> with
minimal network traffic and no extra packages installed on the
server.</li>
<li>unlike forwarding TCP ports (where any other user account on the
machine can hop onto your connection), you can control access to
your local UNIX-domain socket with standard filesystem permissions
on <code>$SOCKET_DIR</code>.</li>
</ul>
<p>Of course, <code>postgresql</code> itself already comes with a nice range of
high-quality network-capable authentication mechanisms you could use.
But many of them (like GSSAPI or X.509 mutual key-based authentication
over TLS) require additional infrastructure setup; and you probably
already have <code>sshd</code> up and running on that machine -- so why not make
use of it?</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/postgresql">postgresql</a>,
<a href="https://debian-administration.org/tag/socat">socat</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a>,
<a href="https://debian-administration.org/tag/tip">tip</a>, <a href="https://debian-administration.org/tag/unix-domain%20socket">unix-domain
socket</a></p>
</p>registrars and AAAA glue records2010-11-17T23:43:00-05:002010-11-17T23:43:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-11-17:/blog/registrars-and-aaaa-glue-records.html<p>i've been on an IPv6 kick recently, getting dual-stack systems up and
working for a bunch of folks.</p>
<p>I'd like to make some of these services reachable by IPv6-only clients.
this suggests that i need a range of details sorted out, but i think the
one piece left for me …</p><p>i've been on an IPv6 kick recently, getting dual-stack systems up and
working for a bunch of folks.</p>
<p>I'd like to make some of these services reachable by IPv6-only clients.
this suggests that i need a range of details sorted out, but i think the
one piece left for me is the glue records for the nameservice. i use
in-bailiwick nameservers for DNS where possible, which means i want
mandatory glue records. that is, the primary namserver for <code>example.org</code>
is probably something like <code>ns0.example.org</code>, which means that the <code>org</code>
nameservers themselves need to store not only the <code>NS</code> record, but an
<code>A</code> record that corresponds to the name pointed to by the <code>NS</code>.</p>
<p>But for IPv6-only clients that do their own name resolution, i need
<code>AAAA</code> glue records, and i haven't yet found a registrar that will push
<code>AAAA</code> glue records <em>for the same names as the existing <code>A</code> glue</em> into
the <code>org</code> zone.</p>
<p>Do you know of a registrar that will do this?</p>
<p>I've tried:</p>
<dl>
<dt><a href="https://dotster.com/">dotster</a></dt>
<dd>Dotster seems to only allow IPv4 glue to be entered on their
<a href="https://secure.dotster.com/account/nameserver/registerns.php">Register Nameserver config
page</a>
(needs a dotster login to see it). They haven't yet yet responded to
my query through <a href="https://secure.dotster.com/help/csupport.php">their support web
form</a> about submitting
<code>AAAA</code> glue</dd>
<dt><a href="https://www.gandi.net">gandi</a></dt>
<dd>gandi at least offers the opportunity to enter <code>AAAA</code> glue, but
apparently can't let me have both <code>AAAA</code> and <code>A</code> glue for the same
name. A note to their support team got me a response that this is
planned “for Q1 or Q2 of 2011”.</dd>
</dl>
<p>Any suggestions for reasonable registrars that offer this today?</p>
<p>Am i being silly in wanting <code>AAAA</code> and <code>A</code> glue for the same names? i
note that the root zone and the <code>org</code> zone both offer <code>A</code> and <code>AAAA</code>
records for each of their dual-stack nameservers. You can check for
yourself:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">dig</span><span class="w"> </span><span class="nv">@a</span><span class="p">.</span><span class="n">root</span><span class="o">-</span><span class="n">servers</span><span class="p">.</span><span class="n">net</span><span class="w"> </span><span class="n">ns</span><span class="w"> </span><span class="n">org</span><span class="w"> </span><span class="n">dig</span><span class="w"> </span><span class="nv">@a</span><span class="p">.</span><span class="n">root</span><span class="o">-</span><span class="n">servers</span><span class="p">.</span><span class="n">net</span><span class="w"> </span><span class="n">ns</span><span class="w"> </span><span class="p">.</span>
</code></pre></div>
<p>if i don't go for dual records, i could instead use gandi and go with
distinct names for the v6 and v4 servers, like this:</p>
<div class="highlight"><pre><span></span><code><span class="o">;;</span><span class="w"> </span><span class="nt">QUESTION</span><span class="w"> </span><span class="nt">SECTION</span><span class="o">:;</span><span class="nt">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="o">;;</span><span class="w"> </span><span class="nt">AUTHORITY</span><span class="w"> </span><span class="nt">SECTION</span><span class="p">:</span><span class="nd">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">a</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">b</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">c</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">d</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.;;</span><span class="w"> </span><span class="nt">ADDITIONAL</span><span class="w"> </span><span class="nt">SECTION</span><span class="p">:</span><span class="nd">a</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">A</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">2</span><span class="p">.</span><span class="nc">3b</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">A</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">2</span><span class="p">.</span><span class="nc">4c</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">AAAAA</span><span class="w"> </span><span class="nt">2001</span><span class="p">:</span><span class="nd">db8</span><span class="p">::</span><span class="nd">3d</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">AAAAA</span><span class="w"> </span><span class="nt">2001</span><span class="p">:</span><span class="nd">db8</span><span class="p">::</span><span class="nd">4</span>
</code></pre></div>
<p>But of course what i really want is this:</p>
<div class="highlight"><pre><span></span><code><span class="o">;;</span><span class="w"> </span><span class="nt">QUESTION</span><span class="w"> </span><span class="nt">SECTION</span><span class="o">:;</span><span class="nt">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="o">;;</span><span class="w"> </span><span class="nt">AUTHORITY</span><span class="w"> </span><span class="nt">SECTION</span><span class="p">:</span><span class="nd">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">a</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">NS</span><span class="w"> </span><span class="nt">b</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.;;</span><span class="w"> </span><span class="nt">ADDITIONAL</span><span class="w"> </span><span class="nt">SECTION</span><span class="p">:</span><span class="nd">a</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">A</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">2</span><span class="p">.</span><span class="nc">3a</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">AAAAA</span><span class="w"> </span><span class="nt">2001</span><span class="p">:</span><span class="nd">db8</span><span class="p">::</span><span class="nd">3b</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">A</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">2</span><span class="p">.</span><span class="nc">4b</span><span class="p">.</span><span class="nc">ns</span><span class="p">.</span><span class="nc">example</span><span class="p">.</span><span class="nc">org</span><span class="o">.</span><span class="w"> </span><span class="nt">172800</span><span class="w"> </span><span class="nt">IN</span><span class="w"> </span><span class="nt">AAAAA</span><span class="w"> </span><span class="nt">2001</span><span class="p">:</span><span class="nd">db8</span><span class="p">::</span><span class="nd">4</span>
</code></pre></div>
<p>My concern about this is if some IPv4-only system gets a list like the
first one, and decides to use <code>c.ns.example.org</code> or <code>d.ns.example.org</code>,
which doesn't have an <code>A</code> record at all. That would be a silly
implementation, of course. but uh, we have a lot of silly
implementations of things out there.</p>
<p>Feedback welcome!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/dns">dns</a>,
<a href="https://debian-administration.org/tag/ipv6">ipv6</a></p>
</p>Debian NYC Workshop: What's in a Package?2010-10-20T21:31:00-04:002010-10-20T21:31:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-10-20:/blog/debian-nyc-workshop-whats-in-a-package.html<p>Debian NYC will be holding a workshop next week: <a href="https://wiki.debian.org/DebianNYC/Workshops/WhatsInAPackage">What's in a
Package?</a>
will happen at 7:00pm New York time on October 27, 2010. If you're in
the New York area, interested in packaging things for debian and related
systems, or just want to understand the packages in your …</p><p>Debian NYC will be holding a workshop next week: <a href="https://wiki.debian.org/DebianNYC/Workshops/WhatsInAPackage">What's in a
Package?</a>
will happen at 7:00pm New York time on October 27, 2010. If you're in
the New York area, interested in packaging things for debian and related
systems, or just want to understand the packages in your system better,
you should RSVP and come on out!</p>
<p>This workshop will provide advanced theory useful for people modifying
or creating packages. For people modifying packages, you'll learn many
typical motifs and about various build systems. For creating packages,
you'll be much better prepared to read and understand guides a deep
level. However, this is still not a step-by-step guide in "how to build
packages", but will get you very close to there.</p>
<p>See you there!</p>monkeysphere and distributed naming2010-10-06T23:19:00-04:002010-10-06T23:19:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-10-06:/blog/monkeysphere-and-distributed-naming.html<p>Roland Mas writes <a href="http://roland.entierement.nu/blog/2010/10/02/for-a-truly-acentric-internet.html">an interesting article about decentralized
naming</a>,
in which he says:</p>
<blockquote>
<p><a href="http://web.monkeysphere.info/">Monkeysphere</a> aims at adding a web of
trust to the SSL certificates system, but the CA chain problem seems
to persist (although I must admit I'm not up to speed with the actual
details).</p>
</blockquote>
<p>Since i'm one …</p><p>Roland Mas writes <a href="http://roland.entierement.nu/blog/2010/10/02/for-a-truly-acentric-internet.html">an interesting article about decentralized
naming</a>,
in which he says:</p>
<blockquote>
<p><a href="http://web.monkeysphere.info/">Monkeysphere</a> aims at adding a web of
trust to the SSL certificates system, but the CA chain problem seems
to persist (although I must admit I'm not up to speed with the actual
details).</p>
</blockquote>
<p>Since i'm one of the Monkeysphere developers, i figure i should respond!</p>
<p>Let me clarify that Monkeysphere doesn't just work in places where X.509
(the SSL certificate system) works. It works in other places too (like
SSH connections). And I don't think that the CA chain problem that
remains in Monkeysphere is anything like the dangerous <a href="http://lair.fifthhorseman.net/~dkg/tls-centralization">mess that common
X.509 usage has given
us</a>. I do think
that at some level, people need to think about who is introducing them
to other people -- visual or human-comprehensible representations of
public key material are notoriously difficult to make unspoofable.</p>
<p>On the subject of distributed naming: OpenPGP already allows distributed
naming: every participant in the WoT is allowed to assert that any given
key maps to any given identity. Duplicates and disagreements can exist
just fine. How an entity decides to certify another entity's ID without
a consensus global namespace is a tough one, though. If i've always been
known as "John Smith" to my friends, and someone else has also been
known as "John Smith" to his friends, our friends aren't actually
disagreeing or in conflict -- it's just that neither of us has a unique
name. The trouble comes when someone new wants to find "John Smith" --
which of us should they treat as the "correct" one?</p>
<p>I think the right answer probably has to do with who they're actually
looking for, which has to do with <em>why</em> they're looking for someone
named "John Smith". If they're looking for John Smith because the word
on the street is that John Smith is a good knitter and they need a pair
of socks, they can just examine what information we each publish about
ourselves, and decide on a sock-by-sock basis which of us best suits
their needs.</p>
<p>But if they're looking for "John Smith" because their cousin said "hey,
i know this guy John Smith. I think you would like to argue politics
over a beer with him", then what matters is the <em>introduction</em>. And
OpenPGP handles that just fine -- if their cousin has only ever met a
single John Smith, that's the right one. If their cousin has met several
John Smiths, then the searcher would do well to ask their cousin some
variant of "hey, do you mean John Smith or John Smith ", or even "do you
mean the John Smith who Molly has met, or the one who Charles has met?"
(assuming that Molly and Charles have each only certified one John Smith
in common with the cousin, and not the same one as each other), or to
get a real-time introduction to a particular John Smith, where his
specific key is somehow recordable by the searcher for future
conversations (or beer drinking). This is what we do in the real world
anyway. We currently lack good UIs for doing this over the network, but
the certification infrastructure is in place already.</p>
<p>What we're lacking in infrastructure, though, is a way to have a
distributed <em>addressing</em>. Roland's proposal was to publish addresses
corresponding to cryptographic identities within some DNS zone, or in
freenet or gnutella. Another approach (piggybacking on existing
infrastructure) would be to include IP address information in the
OpenPGP self-certification, so the holder of the name could claim
exactly their own IP address. This could be distributed through the
keyserver network, just like other updates are today, and it could be
done simply and immediately with a well-defined <a href="http://tools.ietf.org/html/rfc4880#section-5.2.3.16">OpenPGP
notation</a>. I'd be
happy to talk to interested people about how to specify such a notation,
and what possible corner cases we might run into. Drop a note here, or
mail <a href="http://web.monkeysphere.info/community/">the Monkeysphere mailing
list</a> or hop onto
<a href="irc://irc.oftc.net#monkeysphere"><code>#monkeysphere</code> on irc.oftc.net</a></p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/authentication">authentication</a>,
<a href="https://debian-administration.org/tag/distributed%20naming">distributed
naming</a>,
<a href="https://debian-administration.org/tag/identity">identity</a>,
<a href="https://debian-administration.org/tag/monkeysphere">monkeysphere</a></p>
</p>You should be using ssh-agent2010-09-27T20:18:00-04:002010-09-27T20:18:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-09-27:/blog/you-should-be-using-ssh-agent.html<p>If you're not using <code>ssh-agent</code> to authenticate yourself to SSH servers,
you should be. (i'm assuming you're already using
<code>PubkeyAuthentication</code>; if you're still using <code>PasswordAuthentication</code>,
<code>ChallengeResponseAuthentication</code> or <code>KbdInteractiveAuthentication</code>, fix
that please).</p>
<p>You should use <code>ssh-agent</code> for a number of reasons, actually, but the
simplest is this: when you authenticate to …</p><p>If you're not using <code>ssh-agent</code> to authenticate yourself to SSH servers,
you should be. (i'm assuming you're already using
<code>PubkeyAuthentication</code>; if you're still using <code>PasswordAuthentication</code>,
<code>ChallengeResponseAuthentication</code> or <code>KbdInteractiveAuthentication</code>, fix
that please).</p>
<p>You should use <code>ssh-agent</code> for a number of reasons, actually, but the
simplest is this: when you authenticate to a text-based channel on a
remote server, you should <em>never</em> have to type anything about that
authentication into the channel that will eventually be controlled by
the remote server.</p>
<p>That's because a malicious server could simply accept your connection as
an anonymous connection and print out the exact prompt you're expecting.
Then, whatever you're typing goes into the remote server instead of into
your authentication scheme. and congrats, you just gave away the
passphrase for your key.</p>
<p>With ssh-agent, you talk first to your agent. Then, you talk to the
server and your ssh client talks to the agent. Your keys and your
passphrase are never exposed.</p>
<p>the second reason is that the agent is a much smaller piece of code than
the ssh client, and it doesn't talk to the network at all (unless you
force it to). It holds your key and never releases it to querying
processes; It even runs in a protected memory space so other processes
can't peek at it.</p>
<p>So if this protected, isolated agent is what holds your key, you're in
much better shape than if a non-protected, larger, network-active
process (the ssh client) has direct access to your secret key material.</p>
<p>The third reason is that it's just more convenient -- you can put a key
in your agent, and ask it to prompt you when its use is requested. you
don't actually need to re-type your passphrase each time. you can just
hit enter or type "yes".</p>
<p>And if that scares you security-wise then you can put the key in for a
limited period of time, as well.</p>
<p>(btw, you should be using the <code>ssh-agent</code> that ships with OpenSSH,
probably not the implementation offered by gnome, which <a href="https://bugzilla.gnome.org/show_bug.cgi?id=525574">doesn't offer a
confirmation prompt</a>,
doesn't run in protected memory space, and links in a ton more
libraries)</p>
<p>So how do you use the agent? It's probably already installed and running
on your computer if you run a desktop with debian or another reasonable
free operating system.</p>
<p>Query what keys are in your agent:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">-</span><span class="n">lThe</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="n">identities</span><span class="mf">.1</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<p>Add a standard OpenSSH secret key to your agent, prompting for
confirmation before each use:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="err">~</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsaEnter</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="p">:</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">nice</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="n">hereIdentity</span><span class="w"> </span><span class="n">added</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="w"> </span><span class="p">(</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="p">)</span><span class="n">The</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">confirm</span><span class="w"> </span><span class="n">each</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">key0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<p>(if you drop the <code>-c</code>, you will not be prompted at each use)</p>
<p>Add a standard OpenSSH secret key to your agent, with a lifespan of one
hour (3600 seconds)</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="mf">3600</span><span class="w"> </span><span class="err">~</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsaEnter</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="p">:</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">nice</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="n">hereIdentity</span><span class="w"> </span><span class="n">added</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="w"> </span><span class="p">(</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">dkg</span><span class="o">/</span><span class="mf">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_rsa</span><span class="p">)</span><span class="n">Lifetime</span><span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="kr">to</span><span class="w"> </span><span class="mf">3600</span><span class="w"> </span><span class="n">seconds0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<p>(note that you can combine the <code>-t $SECONDS</code> and <code>-c</code> flags to get key
that is time-constrained and requires a confirmation prompt at each use)</p>
<p>Add a <a href="http://web.monkeysphere.info">monkeysphere</a>-style key (an
authentication-capable subkey from your GnuPG secret keyring) to the
ssh-agent (this will prompt you for your GnuPG passphrase with a
graphical <code>ssh-askpass</code> program during this keyload, if such a program
is available), for one hour:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">monkeysphere</span><span class="w"> </span><span class="n">subkey</span><span class="o">-</span><span class="kr">to</span><span class="o">-</span><span class="n">ssh</span><span class="o">-</span><span class="n">agent</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="mf">3600</span><span class="n">Identity</span><span class="w"> </span><span class="n">added</span><span class="p">:</span><span class="w"> </span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="err">@</span><span class="n">fifthhorseman</span><span class="mf">.</span><span class="n">net</span><span class="o">></span><span class="w"> </span><span class="p">(</span><span class="n">Daniel</span><span class="w"> </span><span class="n">Kahn</span><span class="w"> </span><span class="n">Gillmor</span><span class="w"> </span><span class="o"><</span><span class="n">dkg</span><span class="err">@</span><span class="n">fifthhorseman</span><span class="mf">.</span><span class="n">net</span><span class="o">></span><span class="p">)</span><span class="n">Lifetime</span><span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="kr">to</span><span class="w"> </span><span class="mf">3600</span><span class="w"> </span><span class="n">seconds0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span>
</code></pre></div>
<p>If you don't already have such a subkey, but you want to use the
monkeysphere, you'll need to run <code>monkeysphere gen-subkey</code> to create one
first.</p>
<p>Note also that you can use both <code>-c</code> and <code>-t $SECONDS</code> with
<code>monkeysphere subkey-to-ssh-agent</code>, just like they are used with
<code>ssh-add</code>.</p>
<p>Remove all keys from your running agent:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dkg</span><span class="err">@</span><span class="n">pip</span><span class="p">:</span><span class="err">~$</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o">-</span><span class="n">DAll</span><span class="w"> </span><span class="n">identities</span><span class="w"> </span><span class="c1">removed.0 dkg@pip:~$ </span>
</code></pre></div>
<p>I hope this is helpful to people!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a>,
<a href="https://debian-administration.org/tag/ssh-agent">ssh-agent</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>hotmail thinks powerpc means mobile2010-09-21T19:55:00-04:002010-09-21T19:55:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-09-21:/blog/hotmail-thinks-powerpc-means-mobile.html<p>Apparently, live.com thinks that any browser coming from a ppc
architecture is a mobile device. This sucks for the users of the
hundreds of thousands of powerpc desktops still in service.</p>
<p>I don't use hotmail myself, but i do support people who use it. I set
one of my …</p><p>Apparently, live.com thinks that any browser coming from a ppc
architecture is a mobile device. This sucks for the users of the
hundreds of thousands of powerpc desktops still in service.</p>
<p>I don't use hotmail myself, but i do support people who use it. I set
one of my clients up with debian squeeze on their PPC machine because
all the proprietary vendors have basically given up on that architecture
-- debian represents the best way to get modern tools on these machines
(and other machines too, but that's a different argument).</p>
<p>However, this client couldn't get to their hotmail account, despite
using the latest version of iceweasel (3.5.12). They were directed to a
crippled interface that didn't include the ability to attach files, and
was a gross waste of the desktop screen space. It appears to be the
"mobile" version of live.com's services.</p>
<p>However, the same version of iceweasel on an i686 test machine could
access the standard version of hotmail with no trouble. My friend
jeremyb helpfully suggested fiddling with the User Agent string exported
by the browser. Some experimentation shows that the presence of the
string "ppc" within any parenthetical expression in the UA makes
live.com show the crappy interface. You can try it yourself (if you have
a hotmail account) on your x86 or amd64 machine by adding <code>(ppc)</code> to the
default valule of <code>general.useragent.extra.firefoxComment</code> in
<code>about:config</code>. Stupid stupid stupid.</p>
<p>I'd like to have fixed this by overriding the browser's reported
architecture (or simply by removing it -- why does a web server need to
know the hardware architecture of my client?). But there doesn't appear
to be a way to do that with <a href="http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#719">the way that mozilla constructs the
UA</a>.
Instead, i needed to add a new string key <a href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries#General.">named
<code>general.useragent.override</code></a>
which is not exposed by default in <code>about:config</code>.</p>
<p>This raises some questions:</p>
<ul>
<li>Why are we publishing our hardware architectures from our browsers
anyway? This seems like unncessary leakage, and not all browsers do
it. For example, <a href="http://code.google.com/p/arora">Arora</a> doesn't
leak this info (despite <a href="http://code.google.com/p/arora/issues/detail?id=876">a poorly-argued request to do
so</a>). <a href="http://panopticlick.eff.org/">Browsers
are already too identifiable by
servers</a>. This information should not
be leaked by default.</li>
<li>Why does live.com insist on sending ppc users to the crappy "mobile"
version? Are they trying to encourage the treadmill of hardware
upgrades that proprietary vendors benefit from? Is there some less
insidious explanation? Are there actually more powerpc-based mobile
devices than desktops?</li>
<li>why is there no simple way to tell Firefox/Iceweasel to override or
suppress the architecture information? Having to override the
useragent string entirely means that when iceweasel does eventually
get upgraded, it's going to report the wrong version unless i can
remember to update the override myself (i can't reasonably expect a
non-techie client who never heard of user agents before today to
remember how to do this correctly).</li>
</ul>
<p>Any ideas?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/browser">browser</a>,
<a href="https://debian-administration.org/tag/hotmail">hotmail</a>,
<a href="https://debian-administration.org/tag/powerpc">powerpc</a>,
<a href="https://debian-administration.org/tag/ppc">ppc</a>,
<a href="https://debian-administration.org/tag/useragent">useragent</a>,
<a href="https://debian-administration.org/tag/wtf">wtf</a></p>
</p>NYC SYEP still requires Microsoft Software2010-05-19T19:44:00-04:002010-05-19T19:44:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-05-19:/blog/nyc-syep-still-requires-microsoft-software.html<p><a href="https://debian-administration.org/users/dkg/weblog/47">A year ago, i wrote
about</a> how <a href="https://application.nycsyep.com/">New
York City's Summer Youth Employment Program
(SYEP)</a> requires the use of Internet
Explorer to apply online (and it even appears to require IE just to
download the PDF of the application!)</p>
<p>Sadly, the situation has not changed, a year later. Today, I'm …</p><p><a href="https://debian-administration.org/users/dkg/weblog/47">A year ago, i wrote
about</a> how <a href="https://application.nycsyep.com/">New
York City's Summer Youth Employment Program
(SYEP)</a> requires the use of Internet
Explorer to apply online (and it even appears to require IE just to
download the PDF of the application!)</p>
<p>Sadly, the situation has not changed, a year later. Today, I'm writing
to <a href="mailto:garodnick@council.nyc.gov?subject=Summer%20Youth%20Employment%20Program%20only%20accessible%20in%20Internet%20Explorer">Dan
Garodnick</a>,
Chair of <a href="http://legistar.council.nyc.gov/DepartmentDetail.aspx?ID=8866&GUID=72EEA817-E6FF-4051-B853-BC1DAD04E8CC&Search=">The City Council's Committee on
Technology</a>
(and the rest of the committee members), <a href="mailto:cpost@doitt.nyc.gov?subject=Summer%20Youth%20Employment%20Program%20only%20accessible%20in%20Internet%20Explorer">Carole
Post</a>,
Commissioner of <a href="http://nyc.gov/html/doitt">DoITT</a> (the city's
Department of Information Technology and Telecommunications), and
<a href="mailto:jmullgrav@dycd.nyc.gov?subject=Summer%20Youth%20Employment%20Program%20only%20accessible%20in%20Internet%20Explorer">Jeanne B.
Mullgrav</a>,
Commissioner of <a href="http://nyc.gov/html/dycd">DYCD</a> (the Department of
Youth and Community Development, which runs SYEP).</p>
<p>Here's what i wrote:</p>
<div class="highlight"><pre><span></span><code><span class="nx">For</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">last</span><span class="w"> </span><span class="nx">two</span><span class="w"> </span><span class="nx">years</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">least</span><span class="p">,</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">DYCD</span><span class="err">'</span><span class="nx">s</span><span class="w"> </span><span class="nx">Summer</span><span class="w"> </span><span class="nx">Youth</span><span class="w"> </span><span class="nx">Employment</span><span class="w"> </span><span class="nx">Program</span><span class="p">(</span><span class="nx">SYEP</span><span class="p">)</span><span class="w"> </span><span class="nx">has</span><span class="w"> </span><span class="nx">been</span><span class="w"> </span><span class="nx">only</span><span class="w"> </span><span class="nx">available</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">users</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">Internet</span><span class="w"> </span><span class="nx">Explorer</span><span class="p">:</span><span class="w"> </span><span class="nx">https</span><span class="p">:</span><span class="c1">//application.nycsyep.com/Internet Explorer (IE) is only made by Microsoft, and is only available forpeople running Microsoft operating systems. Users of other operating systems,such as GNU/Linux, Macintosh, or others cannot access the SYEP applicationprocess. Even users of Windows who care about their online security or simplydesire a different web browsing experience might prefer to avoid InternetExplorer.Not only is the online form inaccessible from browsers other than IE, evenretrieving a copy of the PDF to print out and fill in manually is unavailablefor web browsers other than IE.What is the city's policy is on access to government sites? Is it city policyto mandate a single vendor's software for access to city resources? Should NYCyouth be required to purchase software from Microsoft to be able to applyfor the Summer Youth Employment Program?The sort of data collection needed by such an application is a mainstay of thestandards-based web, and has been so for over 15 years now. There is no reasonto require particular client on an open platform. I can point you towardresources who would be happy to help you make the system functional for usersof *any* web browser, if you like.I raised this issue over a year ago (see nyc.gov correspondence #1-1-473378926,and a public weblog posted around the same time [0]), and got no effectiveremedy. It's worrisome to see that this is still a problem.Please let me know what you plan to do to address the situation.Regards, --dkg[0] https://www.debian-administration.org/users/dkg/weblog/47</span>
</code></pre></div>
<p>Feel free to send your own message to the folks above (especially helps
if you live in or near NYC)</p>
<p>Finally, Carole Post, the head of DoITT will also be <a href="http://personaldemocracy.com/user-blog/pdf-evening-series-what-our-cities-are-telling-us-may-19th">present at a panel
tonight in
Soho</a>,
which i'm unfortunately be unable to attend. If you go there, you might
ask her about the situation.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>Talks and tracks at debconf 102010-04-25T22:29:00-04:002010-04-25T22:29:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-04-25:/blog/talks-and-tracks-at-debconf-10.html<p>I'm helping out on the talks committee for debconf 10 this summer in NYC
(so yes, i'm going to be here for it, even though i don't have that
little badge thingy). This is a call for interested folks to let us know
what you want to see at debconf …</p><p>I'm helping out on the talks committee for debconf 10 this summer in NYC
(so yes, i'm going to be here for it, even though i don't have that
little badge thingy). This is a call for interested folks to let us know
what you want to see at debconf!</p>
<h2 id="talks">Talks</h2>
<p>If you haven't already, <a href="https://penta.debconf.org/penta/submission/dc10/">submit your proposal for a talk, performance,
debate, panel, BoF session,
etc</a>! We know you've
got good ideas, and <a href="http://lists.debian.org/debian-devel-announce/2010/04/msg00014.html">the final call for
contributions</a>
went out yesterday, due in less than a week. Please propose your event
soon!</p>
<h2 id="tracks">Tracks</h2>
<p>Also, we want to introduce
<a href="http://wiki.debconf.org/wiki/DebConf10/TalkGlossary">Tracks</a> as a new
idea for debconf this summer. A good track would thematically group a
consecutive set of debconf events (talks, panels, debates, performances,
etc) to encourage a better understanding of a broader theme. For this to
work, we need a few good people to act as track coordinators for the
areas where they are knowledgeable and engaged.</p>
<p>A track coordinator would have a chance to set the tone and scope for
their track, schedule events, assemble panels or debates, introduce
speakers, and report back at the end of debconf to the larger gathering.
We also hope that a coordinator could identify potential good work being
done in their area, encourage people to submit relevant events for
debconf, and shepherd proposals in their track through the submission
process.</p>
<p>Are you interested in coordinating a track on some topic? Or do you have
a suggestion for someone else who might do a good job on a topic you
want to see well-represented at debconf? You can contact the talk
committee privately if you have questions at <a href="mailto:talks@debconf.org">talks@debconf.org</a>, or you
can contact the whole team publicly at
<a href="https://debian-administration.org/cgi-bin/mailto=">debconf-team@lists.debconf.org</a>.</p>
<p>Some ideas about possible tracks:</p>
<ul>
<li>Science and Mathematics in Debian</li>
<li>Debian Integration into the Enterprise</li>
<li>Media and Arts and Debian</li>
<li>Trends and Tools in Debian Packaging</li>
<li>Debian Systems and Infrastructure</li>
<li>Debian Community Outreach</li>
<li><em>...your topic here...</em></li>
</ul>
<p>We can't guarantee that any particular track <em>will</em> happen at dc10, but
we can guarantee that it <em>won't</em> happen if no one proposes it or
wrangles the relevant events together. Help us make this the best
debconf ever and make sure that your own topical itch gets scratched!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/debconf">debconf</a>,
<a href="https://debian-administration.org/tag/debconf10">debconf10</a></p>
</p>Avoiding erroneous OpenPGP certifications2010-03-23T02:44:00-04:002010-03-23T02:44:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-03-23:/blog/avoiding-erroneous-openpgp-certifications.html<p>i'm aware that people don't always take proper measures during mass
OpenPGP keysignings. Apparently, some keys even get signed with no one
at the keysigning present speaking for that key (for example, if the key
was submitted to the keysigning via online mechanisms beforehand, but
the keyholder failed to show …</p><p>i'm aware that people don't always take proper measures during mass
OpenPGP keysignings. Apparently, some keys even get signed with no one
at the keysigning present speaking for that key (for example, if the key
was submitted to the keysigning via online mechanisms beforehand, but
the keyholder failed to show up).</p>
<p>Unverified certifications are potentially erroneous, and erroneous
certifications are bad for the OpenPGP web of trust. Debian and other
projects rely on the OpenPGP web of trust being reasonable and healthy.
People should make a habit of doing proper verifications at keysignings.
People who make unverified certifications should probably be made aware
of better practices.</p>
<p>So for future keysignings, i may introduce a key to the set under
consideration and see what sort of OpenPGP certifications that key
receives. I won't pretend to hold that key in person, won't speak for
it, and it won't have my name attached to it. But it may be on the list.</p>
<p>Depending on the certifications received on that key (and the feedback i
get on this blog post), i'll either publish the list of wayward
certifiers, or contact the certifiers privately. Wayward certifiers
should review their keysigning practices and revoke any certifications
they did not adequately verify.</p>
<p>Remember, at a keysigning party, for each key:</p>
<ul>
<li>Check that the fingerprint on your copy <em>exactly</em> matches the one
claimed by the person in question</li>
<li>Check that the person in question is actually who they say they are
(e.g. gov't ID, with a photo that looks like them, with their name
matching the name in the key's User ID)</li>
<li>If the fingerprints don't match, or you don't have confidence in the
name or their identity, or no one stands up to claim the key,
there's no harm done in simply choosing to not certify the user IDs
associated with that key. You don't even need to tell the person
you've decided to do so.</li>
<li>Take notes in hard copy. It will help you later.</li>
</ul>
<p>After the keysigning, when you go to actually make your OpenPGP
certifications:</p>
<ul>
<li>Make sure you have the same physical document(s) that you had during
the keysigning (no, downloading a file from the same URL is <em>not</em>
the same thing)</li>
<li>Use your notes to decide which keys you actually want to make
certifications over.</li>
<li>Explicitly check the fingerprints of the fetched key before you make
any certification over any of its User IDs. If the fingerprint
doesn't match, discard it and move on (you might want to also
contact the person whose key it is to let them know).</li>
<li>If a key has several user IDs on it, and some of them do not match
the person's name, simply don't certify the non-matching user IDs.
You should certify only the user IDs you have verified.</li>
<li>If a key has a user ID with an e-mail address on it that you aren't
absolutely sure belongs to the person in question, mail an encrypted
copy of your certification for that User ID to the e-mail address in
question. If they don't control that e-mail address, they won't get
the certification, and it will never become public. <code>caff</code> (from the
<a href="http://packages.debian.org/signing-party">signing-party</a> package)
should help you to do that.</li>
</ul>
<p>Feedback welcome!</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/keysigning">keysigning</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>TCP weirdness, IMAP, wireshark, and perdition2010-01-21T19:37:00-05:002010-01-21T19:37:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2010-01-21:/blog/tcp-weirdness-imap-wireshark-and-perdition.html<p>This is the story of a weirdly unfriendly/non-compliant IMAP server, and
some nice interactions that arose from a debugging session around it.</p>
<p>Over the holidays, i got to do some computer/network debugging for
friends and family. One old friend (I'll call him “Fred”) had a series
of problems …</p><p>This is the story of a weirdly unfriendly/non-compliant IMAP server, and
some nice interactions that arose from a debugging session around it.</p>
<p>Over the holidays, i got to do some computer/network debugging for
friends and family. One old friend (I'll call him “Fred”) had a series
of problems i managed to help work through, but was ultimately basically
stumped based on the weird behavior of an IMAP server. Here's the
details (names of the innocent and guilty have been changed), just in
case it helps other folks in at least diagnosing similar situations.</p>
<h3 id="the-diagnosis">the diagnosis</h3>
<p>The initial symptom was that Fred's computer was "very slow". Sadly,
this was a Windows™ machine, so <a href="http://cmrg.fifthhorseman.net/wiki/DiagnosingSluggishness/Windows">my list of tricks for diagnosing
sluggishness</a>
is limited. I went through a series of questions, uninstalling things,
etc, until we figured it would be better to just have him do his usual
work while i watched, kibitzing on what seemed acceptable and what
seemed slow. Quite soon, we hit a very specific failure: Fred's
<a href="http://mozillamessaging.com">Thunderbird</a> installation (version 2,
FWIW) was sometimes hanging for a very long period of time during
message retrieval. This was not exhaustion of the CPU, disk, RAM, or
other local resource. It was pure network delay, and it was a frequent
(if unpredictable) frustrating hiccup in his workflow.</p>
<p>One thought i had was <a href="http://kb.mozillazine.org/IMAP:_advanced_account_configuration#May_help_prevent_problems">Thunderbird's per-server max_cached_connections
setting</a>,
which can sometimes cause a TB instance to hang if a remote server
thinks Thunderbird is being too aggressive. After <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=168186">sorting out why
Thunderbird was resetting the values after we'd set them to
0</a> (grr, thanks for
the confusing UI, folks!), we set it to 1, but still had the same
occasional, lengthy (about 2 minutes) hang when transfering messages
between folders (including the trash folder!), or when reading new
messages. Sending mail was quite fast, except for occasional (similarly
lengthy) hangs writing the copy to the sent folder. So IMAP was the
problem (not SMTP), and the 2-minute timeouts smelled like an issue with
the networking layer to me.</p>
<p>At this point, i busted out <a href="http://www.wireshark.org/"><code>wireshark</code>, the trusty packet
sniffer</a>, which fortunately works as well on
Windows as it does on GNU/Linux. Since Fred was doing his IMAP traffic
in the clear, i could actually see when and where in the IMAP session
the hang was happening. (BTW, Fred's IMAP traffic is no longer in the
clear: after all this happened, i switched him to IMAPS (IMAP wrapped in
a TLS session), because although the IMAP server in question actually
supports the STARTTLS directive, it fails to advertise it in response to
the CAPABILITIES query, so Thunderbird refuses to try it. arrgh.)</p>
<p>The basic sequence of Thunderbird's side of an initial IMAP conversation
(using plain authentication, anyway) looks something like this:</p>
<div class="highlight"><pre><span></span><code><span class="mf">1</span><span class="w"> </span><span class="n">capability2</span><span class="w"> </span><span class="nb">log</span><span class="n">in</span><span class="w"> </span><span class="s">"user"</span><span class="w"> </span><span class="s">"pass"</span><span class="mf">3</span><span class="w"> </span><span class="n">lsub</span><span class="w"> </span><span class="s">""</span><span class="w"> </span><span class="s">"*"</span><span class="mf">4</span><span class="w"> </span><span class="kr">list</span><span class="w"> </span><span class="s">""</span><span class="w"> </span><span class="s">"INBOX"</span><span class="mf">5</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="s">"INBOX"</span><span class="mf">6</span><span class="w"> </span><span class="n">UID</span><span class="w"> </span><span class="n">fetch</span><span class="w"> </span><span class="mf">1</span><span class="p">:</span><span class="o">*</span><span class="w"> </span><span class="p">(</span><span class="n">FLAGS</span><span class="p">)</span>
</code></pre></div>
<p>What i found with this server was that if i issued commands 1 through 5,
and then left the connection idle for over 5 minutes, then the next
command (even if it was just a <code>6 NOOP</code> or <code>6 LOGOUT</code>) would cause the
IMAP server to issue a TCP reset. No IMAP error message or anything,
just a failure at the TCP level. But a nice, fast, responsive failure --
any IMAP client could recover nicely from that by just immediately
opening a new connection. I don't mind busy servers killing inactive
connections after a reasonable timeout. If it was just this, though,
Thunderbird should have continued to be responsive.</p>
<h3 id="the-deep-weirdness">the deep weirdness</h3>
<p>But if i issued commands 1 through <strong>6</strong> in rapid succession (the only
difference is that extra <code>6 UID fetch 1:* (FLAGS)</code> command), and then
let the connection idle for 5 minutes, then sent the next command: no
response of any kind would come from the remote server (not even a TCP
ACK or TCP RST). In this circumstance, my client OS's TCP stack would
re-send the data repeatedly (staggered at appropriate intervals), until
finally the client-side TCP timeout would trigger, and the OS would
report the failure to the app, which could turn around and do a simple
connection restart to finish up the desired operation. This was the
underlying situation causing Fred's Thunderbird client to hang.</p>
<p>In both cases above (with or without the 6th command), the magic window
for the idle cutoff was a little more than 300 seconds (5 minutes) of
idleness. If the client issued a NOOP at 4 minutes, 45 seconds from the
last NOOP, it could keep a connection active indefinitely.</p>
<p>Furthermore, i could replicate the exact same behavior when i used IMAPS
-- the state of the IMAP session itself was somehow modifying the TCP
session behavior characteristics, whether it was wrapped in a TLS tunnel
or not.</p>
<p>One interesting thing about this set of data is that it rules out most
common problems in the network connectivity between the two machines.
Since none of the hops between the two endpoints know anything about the
IMAP state (especially under TLS), and some of the failures <em>are</em>
reported properly (e.g. the TCP RST in the 5-command scenario), it's
probably safe to say that the various routers, NAT devices, and such
were not themselves responsible for the failures.</p>
<p>So what's going on on that IMAP server? The service itself does not
announce the flavor of IMAP server, though it does respond to a
successful login with “<code>You are so in</code>”, and to a logout with
“<code>IMAP server logging out, mate</code>”. A bit of digging on the 'net suggests
that they are running a <a href="http://www.vergenet.net/linux/perdition/"><code>perdition</code> IMAP
proxy</a>. (clearly written by an
Aussie, mate!) But why does it not advertise its STARTTLS capability,
even though it is capable? And why do some idle connections end up
timing out without so much as an RST, when other idle connections give
at least a clean break at the TCP level?</p>
<p>Is there something about issuing the UID command that causes <code>perdition</code>
to hand off the connection to some other service, which in turn doesn't
do proper TCP error handling? I don't really know anything about the
internals of <code>perdition</code>, so i'm just guessing here.</p>
<h3 id="the-workaround">the workaround</h3>
<p>I ultimately recommended to Fred to reduce the number of cached
connections to 1, and to set Thunderbird's interval to check for new
mail down to 4 minutes. Hopefully, this will keep his one connection
active enough that nothing will timeout, and will keep the interference
to his workflow to a minimum.</p>
<p>It's an unsatisfactory solution to me, because the behavior of the
remote server still seems so non-standard. However, i don't have any
sort of control over the remote server, so there's not too much i can do
to provide a real fix (other than point the server admins (and perdition
developers?) at this writeup).</p>
<p>I don't even know the types of backend server that their perdition proxy
is balancing between, so i'm pretty lost for better diagnostics even,
let alone a real resolution.</p>
<h3 id="some-notes">some notes</h3>
<p>I couldn't have figured out the exact details listed above just using
Thunderbird on Windows. Fortunately, i had a machine with a decent OS
available, and was able to cobble together a fake IMAP client from a
couple files (<code>imapstart</code> contained the lines above, and <code>imapfinish</code>
contained <code>8 LOGOUT</code>), <a href="http://www.gnu.org/software/bash/"><code>bash</code></a>, and
<a href="http://www.dest-unreach.org/socat/">socat</a>.</p>
<p>Here's the bash snippet i used as a fake IMAP client:</p>
<div class="highlight"><pre><span></span><code><span class="nv">spoolout</span><span class="ss">()</span><span class="w"> </span>{<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nv">read</span><span class="w"> </span><span class="nv">foo</span><span class="c1">; do sleep 1 && printf "%s\r\n" "$foo" ; done }( sleep 2 && spoolout < imapstart && sleep 4 && spoolout < imapfinish && sleep 500 ) | socat STDIO TCP4:imap.fubar.example.net:143</span>
</code></pre></div>
<p>To do the test under IMAPS, i just replaced
<code>TCP4:imap.fubar.example.net:143</code> with
<code>OPENSSL:imap.fubar.example.net:993</code>.</p>
<p>And of course, i had <code>wireshark</code> handy on the GNU/Linux machine as well,
so i could analyze the generated packets over there.</p>
<p>One thing to note about user empowerment: Fred isn't a tech geek, but he
can be curious about the technology he relies on if the situation is
right. He was with me through the whole process, didn't get antsy, and
never tried to get me to "just fix it" while he did something else. I
like that, and wish i got to have that kind of interaction more (though
i certainly don't begrudge people the time if they do need to get other
things done). I was nervous about breaking out wireshark and scaring him
off with it, but it turned out it actually was a good conversation
starter about what was actually happening on the network, and how IP and
TCP traffic worked.</p>
<p>Giving a crash course like that in a quarter of an hour, i can't expect
him to retain any concrete specifics, of course. But i think the process
was useful in de-mystifying how computers talk to each other somewhat.
It's not magic, there are just a lot of finicky pieces that need to fit
together a certain way. And Wireshark turned out to be a really nice
window into that process, especially when it displays packets during a
real-time capture. I usually prefer to do packet captures with
<a href="http://www.tcpdump.org"><code>tcpdump</code></a> and analyze them as a non-privileged
user afterward for <a href="http://www.wireshark.org/security/">security
reasons</a>. But in this case, i felt
the positives of user engagement (how often do you get to show someone
how their machine actually works?) far outweighed the risks.</p>
<p>As an added bonus, it also helped Fred really understand what i meant
when i said that it was a bad idea to use IMAP in the clear. He could
actually see his username and password in the network traffic!</p>
<p>This might be worth keeping in mind as an idea for a demonstration for
workshops or hacklabs for folks who are curious about networking -- do a
live packet capture of the local network, project it, and just start
asking questions about it. Wireshark contains such a wealth of obscure
packet dissectors (and today's heterogenous public/open networks are so
remarkably chatty and filled with weird stuff) that you're bound to run
into things that most (or all!) people in the room don't know about, so
it could be a good learning activity for groups of all skill levels.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/debugging">debugging</a>,
<a href="https://debian-administration.org/tag/imap">imap</a>,
<a href="https://debian-administration.org/tag/perdition">perdition</a>,
<a href="https://debian-administration.org/tag/wireshark">wireshark</a></p>
</p>January 2010 Bug-Squashing Party NYC2009-12-21T20:54:00-05:002009-12-21T20:54:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-12-21:/blog/january-2010-bug-squashing-party-nyc.html<p>We're going to have a <a href="http://wiki.debian.org/BSP2010/NewYorkCity">Bug-Squashing Party at the end of January 2010 in
New York City</a>. If you live
in or around the tri-state area (or want to visit), are interested in
learning about the process, meeting other debian folk, or just squashing
some bugs in good company, you …</p><p>We're going to have a <a href="http://wiki.debian.org/BSP2010/NewYorkCity">Bug-Squashing Party at the end of January 2010 in
New York City</a>. If you live
in or around the tri-state area (or want to visit), are interested in
learning about the process, meeting other debian folk, or just squashing
some bugs in good company, you should come out and join us!</p>
<dl>
<dt>Where:</dt>
<dd>Brooklyn, New York, USA</dd>
<dt>When:</dt>
<dd>January 29th, 30th, and maybe 31st of 2010</dd>
<dt>Why:</dt>
<dd>Because them bugs need squashing!</dd>
</dl>
<p>If you plan on coming, please either sign up on <a href="http://wiki.debian.org/BSP2010/NewYorkCity">the wiki
page</a>, or at least mail one
of the good folks listed there, or pop into <a href="irc://irc.oftc.net/#debian-nyc"><code>#debian-nyc</code> on
<code>irc.oftc.net</code>'s IRC network</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/bsp">bsp</a></p>
</p>dd, netcat, and disk throughput2009-12-21T06:21:00-05:002009-12-21T06:21:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-12-21:/blog/dd-netcat-and-disk-throughput.html<p>I was trying to dump a large Logical Volume (LV) over ethernet from one
machine to another. I found some behavior which surprised me.</p>
<h3 id="fun-constraints">fun constraints</h3>
<ul>
<li>I have only a fairly minimal debian installation on each machine
(which fortunately includes <code>netcat-traditional</code>)</li>
<li>The two machines are connected directly by a single …</li></ul><p>I was trying to dump a large Logical Volume (LV) over ethernet from one
machine to another. I found some behavior which surprised me.</p>
<h3 id="fun-constraints">fun constraints</h3>
<ul>
<li>I have only a fairly minimal debian installation on each machine
(which fortunately includes <code>netcat-traditional</code>)</li>
<li>The two machines are connected directly by a single (gigabit)
ethernet cable, with no other network connection. So no pulling in
extra packages.</li>
<li>I have serial console access to both machines, but no physical
access.</li>
<li>The LV being transfered is 973GB in size according to <code>lvs</code> (fairly
large, that is), and contains a LUKS volume, which itself contains a
basically-full filesystem -- transferring just the "used" bytes is
not going to save space/time.</li>
<li>I want to be able to check on how the transfer is doing while it's
happening.</li>
<li>I want the LV to show up as an LV on the target system, and don't
have tons of extra room on the target to play around with (so no
dumping it to the filesystem as a disk image first).</li>
</ul>
<p>(how do i get myself into these messes?)</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/57">read the full
entry</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/lvm">lvm</a>,
<a href="https://debian-administration.org/tag/netcat">netcat</a></p>
</p>dealing with entropy on a virtual machine2009-12-12T18:42:00-05:002009-12-12T18:42:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-12-12:/blog/dealing-with-entropy-on-a-virtual-machine.html<p>I've been using virtual machines (KVM, these days) as isolated
environments to do things like build packages as root. Unfortunately,
some of these activities require decent-sized chunks of random data
(pulled from <code>/dev/random</code>). But <code>/dev/random</code> pulls from the kernel's
entropy pool, which in turn is replenished from "hardware …</p><p>I've been using virtual machines (KVM, these days) as isolated
environments to do things like build packages as root. Unfortunately,
some of these activities require decent-sized chunks of random data
(pulled from <code>/dev/random</code>). But <code>/dev/random</code> pulls from the kernel's
entropy pool, which in turn is replenished from "hardware" events. But a
virtual machine has no actual hardware, and if it is only doing isolated
package builds, there is very little activity to feed the kernel's
entropy pool. So the builds and test suites that rely on this randomness
all hang for a long long time. :(</p>
<p>My current way to get around this is to replace <code>/dev/random</code> with the
<code>/dev/urandom</code> device, which does not block if the entropy pool is
depleted:</p>
<div class="highlight"><pre><span></span><code><span class="nv">mknod</span><span class="w"> </span><span class="o">/</span><span class="nv">dev</span><span class="o">/</span><span class="nv">newrandom</span><span class="w"> </span><span class="nv">c</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">9</span><span class="nv">chmod</span><span class="w"> </span><span class="o">--</span><span class="nv">reference</span><span class="o">=/</span><span class="nv">dev</span><span class="o">/</span><span class="k">random</span><span class="w"> </span><span class="o">/</span><span class="nv">dev</span><span class="o">/</span><span class="nv">newrandommv</span><span class="w"> </span><span class="o">-</span><span class="nv">f</span><span class="w"> </span><span class="o">/</span><span class="nv">dev</span><span class="o">/</span><span class="nv">newrandom</span><span class="w"> </span><span class="o">/</span><span class="nv">dev</span><span class="o">/</span><span class="k">random</span>
</code></pre></div>
<p>This has the consequence that the "randomness" these commands use
doesn't have as much "real" entropy, though some operating systems (like
FreeBSD) have a non-blocking <code>/dev/random</code> by default (and it's also
questionable what "real" entropy means for a virtual machine in the
first place).</p>
<p>I'm also using <a href="http://packages.debian.org/cowbuilder">cowbuilder</a>
within these VMs to do package builds. But cowbuilder has its own <code>/dev</code>
tree, with its own device nodes, so this needs to be fixed too. So after
you have successfully done <code>cowbuilder --create</code>, you need to modify the
<code>random</code> device within the cowbuilder chroot:</p>
<div class="highlight"><pre><span></span><code><span class="n">mknod</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">pbuilder</span><span class="o">/</span><span class="n">base</span><span class="o">.</span><span class="n">cow</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">newrandom</span><span class="w"> </span><span class="n">c</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">9</span><span class="n">chmod</span><span class="w"> </span><span class="o">--</span><span class="n">reference</span><span class="o">=/</span><span class="k">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">pbuilder</span><span class="o">/</span><span class="n">base</span><span class="o">.</span><span class="n">cow</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">random</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">pbuilder</span><span class="o">/</span><span class="n">base</span><span class="o">.</span><span class="n">cow</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">newrandommv</span><span class="w"> </span><span class="o">-</span><span class="n">f</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">pbuilder</span><span class="o">/</span><span class="n">base</span><span class="o">.</span><span class="n">cow</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">newrandom</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">pbuilder</span><span class="o">/</span><span class="n">base</span><span class="o">.</span><span class="n">cow</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">random</span>
</code></pre></div>
<p>Hopefully this will be useful for other people using cowbuilder (or
other build strategies) on isolated virtual machines. If you've worked
around this problem in other ways (or if there's a security concern
about this approach), i'd be happy to hear about the details.</p>
</p>Revoking the Ubuntu Community Code of Conduct2009-10-20T18:24:00-04:002009-10-20T18:24:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-10-20:/blog/revoking-the-ubuntu-community-code-of-conduct.html<p>I've just <a href="http://fifthhorseman.net/ubuntu/coc/coc-revoked.txt">revoked my signature over the Ubuntu Code of Conduct
1.0.1</a>. I did this
because Ubuntu's CoC (perhaps jokingly?) singles out Mark Shuttleworth
as someone who should be held to a super-human standard (as <a href="http://rhonda.deb.at/blog/debian/coc-joke.en.html">pointed out
recently by Rhonda</a>,
as well as earlier in <a href="https://launchpad.net/bugs/53843">ubuntu bug
53848 …</a></p><p>I've just <a href="http://fifthhorseman.net/ubuntu/coc/coc-revoked.txt">revoked my signature over the Ubuntu Code of Conduct
1.0.1</a>. I did this
because Ubuntu's CoC (perhaps jokingly?) singles out Mark Shuttleworth
as someone who should be held to a super-human standard (as <a href="http://rhonda.deb.at/blog/debian/coc-joke.en.html">pointed out
recently by Rhonda</a>,
as well as earlier in <a href="https://launchpad.net/bugs/53843">ubuntu bug
53848</a>).</p>
<p>I think that the CoC is a good document, and good guidelines in general
for reasonable participation in online communities. When i originally
signed the document, i thought the Shuttleworth-exceptionalism was odd,
but decided i'd be willing to hold him to a higher standard than the
rest of the community, if he wanted me to. That is, i figured his
position as project leader meant that he could have made the CoC
different than it is, thus he was (perhaps indirectly) asking me to hold
him to a higher standard.</p>
<p>Why does this matter to me now? Shuttleworth has <a href="https://launchpad.net/~sabdfl#ubuntu-coc">apparently signed the
Ubuntu Code of Conduct</a>, but
<a href="https://debian-administration.org/users/dkg/weblog/54">as i wrote about
earlier</a>, his
<a href="http://blog.linuxtoday.com/blog/2009/09/mark-shuttlewor-1.html">recent sexist comments at
LinuxCon</a>
were a Bad Thing for the community, and his apparent lack of an apology
or open discussion with the community concerned about it was even worse.</p>
<p>So i'm asking Mark Shuttleworth to abide by the following points in the
Code of Conduct that he has signed:</p>
<ul>
<li>Be considerate</li>
<li>Be respectful [...] It's important to remember that a community
where people feel uncomfortable or threatened is not a productive
one.</li>
<li>The important goal is not to avoid disagreements or differing views
but to resolve them constructively. You should turn to the community
and to the community process to seek advice and to resolve
disagreements.</li>
<li>When you are unsure, ask for help. Nobody knows everything, and
nobody is expected to be perfect in the Ubuntu community</li>
</ul>
<p>I've <a href="http://fifthhorseman.net/ubuntu/coc/coc-revised.txt">signed a revised version of the Ubuntu Code of Conduct
1.01</a> (with the
Shuttleworth-exceptionalism clause removed), to reaffirm my commitment
to these principles, and to acknowledge that, yes, the SABDFL can make a
mistake, and to encourage him to address his mistakes in a fashion
befitting a mature participant in this community we both care about.</p>
<p><strong>UPDATE:</strong> It seems that <a href="http://mako.cc/">Mako</a> and <a href="http://daniel.holba.ch/">Daniel
Holbach</a> have recently revised the CoC
resulting in <a href="http://mako.cc/copyrighteous/20091020-00.comment">a new version (1.1) which has just been approved by the
the Ubuntu Community
Council</a>. The [new
version 1.1]{} looks good to me (i like its broadening of scope beyond
developers, and its lack of superhuman claims for Shuttleworth) and when
it is available on Launchpad, i'll most likely sign it there. Thanks to
the two of them for their work! I hope Shuttleworth will consider
abiding by this new version.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/code%20of%20conduct">code of
conduct</a>,
<a href="https://debian-administration.org/tag/sexism">sexism</a>,
<a href="https://debian-administration.org/tag/ubuntu">ubuntu</a></p>
</p>sexist behavior in the free software community2009-10-01T20:32:00-04:002009-10-01T20:32:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-10-01:/blog/sexist-behavior-in-the-free-software-community.html<p>So not even 3 months out from <a href="http://opensourcetogo.blogspot.com/2009/07/emailing-richard-stallman.html">RMS's sexist Gran Canaria “virgins”
remarks</a>,
we have another powerful leader in the Free Software Community <a href="http://blog.linuxtoday.com/blog/2009/09/mark-shuttlewor-1.html">making
sexist remarks in a talk to developers (this time, it's Mark
Shuttleworth)</a>.
It's a shame that these two people have said stupid things that hurt
their …</p><p>So not even 3 months out from <a href="http://opensourcetogo.blogspot.com/2009/07/emailing-richard-stallman.html">RMS's sexist Gran Canaria “virgins”
remarks</a>,
we have another powerful leader in the Free Software Community <a href="http://blog.linuxtoday.com/blog/2009/09/mark-shuttlewor-1.html">making
sexist remarks in a talk to developers (this time, it's Mark
Shuttleworth)</a>.
It's a shame that these two people have said stupid things that hurt
their causes and their communities by perpetuating an unfriendly
environment for women. And it's a bigger shame that neither leader
appears to care enough about their community to issue a sincere public
apology for their screwup (if i'm wrong about this, please point me to
the apology — i've looked).</p>
<p>These guys are in a situation which is nowhere near as hard as writing
good software or managing complex technical projects: if you make a
stupid mistake, own up to it, apologize, and try not to make similar
mistakes in the future.</p>
<p>Perhaps worst of all, are the remarkable number of unreasonably
fucked-up comments on the blog posts discussing these unfortunate
events. If you're in the habit of defending remarks like those made by
RMS and Shuttleworth on the 'net, please take a minute and ask yourself
a few questions:</p>
<ul>
<li>Do you think that the Free Software community today is
overwhelmingly male (even by the standards of the male-dominated IT
industry)? If not, thanks for playing. You are living in a fantasy
world. Try some basic research.</li>
<li>
<p>Do you think that the significant under-representation of women is a
problem? Let's say there are about three answers here:</p>
<dl>
<dt>Gender disparity in Free Software is a Good Thing</dt>
<dd>If this is your position, please announce it explicitly so we
all know. Just so you know: I don't want to be part of your
all-boys club. You can stop these questions now, sorry to have
bothered you.</dd>
<dt>I don't really care about gender disparity in Free Software one way or the other</dt>
<dd>You may not care; but a significant subset of the Free Software
community thinks that it's a problem and would like to address
it. Please keep this in mind as you go to the next question.
Also, have you thought much about the idea of privilege and how
it might apply to your situation?</dd>
<dt>I think gender disparity in Free Software is probably a Bad Thing</dt>
<dd>Great, glad we agree on that.</dd>
</dl>
</li>
<li>
<p>People in our community have a problem with the current state of
affairs, and point out some specific behavior that makes the bad
situation worse. What should you do?
<dl>
<dd>
<dt>
Shout them down or attack them
<dd>
Gee, it sure is upsetting to hear people talk about problems in the
community. It's almost as upsetting as getting bug reports about
problems in our software. Shall we shout them down too? Maybe we
should attack them! Condescension is also great. Those silly bug
reporters!
<dt>
Argue them out of having a problem
<dd>
This just doesn't work very well. Someone has already volunteered to
tell you about a problem that you hadn't noticed. You are unlikely
to convince them that they were imagining things.
<dt>
Take them seriously
<dd>
Yes! It seems to be surprising to some commentators that this is not
a witch hunt or a lynch mob (interesting that these terms often-used
in defense of white men connote specific historical traditions of
the exercise of male privilege and white privilege, respectively).
Well-meaning people have respectfully raised good-faith concerns
about the state of our community, and made very simple suggestions
about what to do to make the community more welcoming to women: lay
off the sexist remarks at conferences, apologize when some nonsense
does slip through — we're all struggling with various kinds of
internalized oppression, you won't be perfect — and try not to do it
again. Why not listen to these people? Why not support them?
</dl></p>
</li>
</ul>
<p>Please read <a href="http://geekfeminism.wikia.com/wiki/Geek_Feminism_Wiki">the Geek Feminism
wiki</a> and
<a href="http://geekfeminism.org/">blog</a>. Even if you don't agree with
everything on those sites (hey, it's a wiki! and a blog! you don't have
to agree with everything!), people are at least trying to address the
problem of sexism in our community there. Engage constructively and
don't hide or ignore problems!</p>
<p><strong>UPDATE:</strong> I've asked the site admin to remove some trollish comments.
If you want to use the comments on this blog to announce something like
"i'd like for free software to be a boys-only club", that's fine, i'd
like to know who you are so i can adjust my perception of you
accordingly. Anything advocating or excusing rape and/or murder is way
over the line and is not welcome here. i'm sure you can find some other
place to troll.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/community">community</a>,
<a href="https://debian-administration.org/tag/conduct">conduct</a>,
<a href="https://debian-administration.org/tag/feminism">feminism</a>, <a href="https://debian-administration.org/tag/free%20software">free
software</a>,
<a href="https://debian-administration.org/tag/sexism">sexism</a></p>
</p>Tools should be distinct from Services2009-09-18T18:47:00-04:002009-09-18T18:47:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-09-18:/blog/tools-should-be-distinct-from-services.html<p>Modern daemon implementations can be run in a variety of ways, in a
range of contexts. The daemon software itself can be a useful tool in
environments where the associated traditional system service is neither
needed nor desired. Unfortunately, common debian packaging practice has
a tendency to conflate the two …</p><p>Modern daemon implementations can be run in a variety of ways, in a
range of contexts. The daemon software itself can be a useful tool in
environments where the associated traditional system service is neither
needed nor desired. Unfortunately, common debian packaging practice has
a tendency to conflate the two ideas, leading to some potentially nasty
problems where only the tool itself is needed, but the system service is
set up anyway.</p>
<p>How would i fix it? i'd suggest that we make a distinction between
packages that provide <em>tools</em> and packages that provide <em>system
services</em>. A package that provides the <em>system service</em> <code>foo</code> would need
to depend on a package that provides the <em>tool</em> <code>foo</code>. But the tool
<code>foo</code> should be available through the package manager without setting up
a system service automatically.</p>
<h2 id="bad-examples">Bad Examples</h2>
<p>Here are some examples of this class of problem i've seen recently:</p>
<dl>
<dt><code>akonadi-server</code> depends on <code>mysql-server</code></dt>
<dd>
<p><a href="http://pim.kde.org/akonadi/">akonadi</a> is a project to provide
extensible, cross-desktop storage for PIM data. It is a dependency
of many pieces of the modern KDE4 desktop. Its current
implementation relies on a private instantiation of
<a href="http://en.wikipedia.org/wiki/MySQL"><code>mysqld</code></a>, executed directly by
the end user whose desktop is running.</p>
<p>This means that a sysadmin who installs <a href="http://packages.debian.org/korganizer">a graphical calendar
application</a> suddenly now has
(in addition to the user-instantiated local <code>mysqld</code> running as the
akonadi backend) a full-blown system RDBMS service running and
potentially consuming resources on her machine.</p>
<p><p>
Wouldn't it be better if <a href="http://bugs.debian.org/513382">the <code>/usr/sbin/mysqld</code> tool itself was
distinct from the system service</a>?</p>
</dd>
<dt><code>puppetmaster</code> depends on <code>puppet</code></dt>
<dd>
<p><a href="http://reductivelabs.com/trac/puppet">Puppet</a> is a powerful
framework for configuration management. A managed host installs the
<a href="http://packages.debian.org/puppet"><code>puppet</code></a> package, which invokes
a <code>puppetd</code> service to reconfigure the managed host by talking to a
centralized server on the network. The central host installs the the
<a href="http://packages.debian.org/puppetmaster"><code>puppetmaster</code></a> package,
which sets up a system <code>puppetmasterd</code> service. <code>puppetmaster</code>
depends on <code>puppet</code> to make use of some of the functionality
available in the package.</p>
<p>But this means that the central host now has <code>puppetd</code> running, and
is being configured through the system itself! While some people may
prefer to configure their all-powerful central host through the same
configuration management system, this presents a nasty potential
failure mode: if the configuration management goes awry and makes
the managed nodes inaccessible, it could potentially take itself out
too.</p>
<p>Shouldn't the <code>puppet</code> tools be distinct from the <code>puppetd</code> system
service?</p>
<p><p>
<strong>Update:</strong> <a href="http://packages.qa.debian.org/p/puppet/news/20100205T111744Z.html">puppet 0.25.4-1 resolves this problem with a package
re-factoring</a>;
the tools are in <code>puppet-common</code>, and the <code>puppet</code> package retains
its old semantics of running the system service. Looks good to me!</p>
</dd>
<dt><code>monkeysphere</code> <code>Build-Depends: openssh-server</code></dt>
<dd>
<p><a href="http://web.monkeysphere.info/">The Monkeysphere</a> is a framework for
managing SSH authentication through the OpenPGP Web-of-Trust (i'm
one of the authors). To ensure that the package interacts properly
with the OpenSSH implementation, the <code>monkeysphere</code> source ships
with a series of test suites that exercise both <code>sshd</code> and <code>ssh</code>.</p>
<p>This means that anyone trying to build the
<a href="http://packages.debian.org/monkeysphere"><code>monkeysphere</code></a> package
must pull in
<a href="http://packages.debian.org/openssh-server"><code>openssh-server</code></a> to
satisfy the build-depends, thereby inadvertently starting up a
potentially powerful network service on their build machine and
maybe exposing it to remote access that they didn't intend.</p>
<p><p>
Wouldn't it be better if the <code>/usr/sbin/sshd</code> tool was available
without starting up the <code>ssh</code> system service?</p>
</dd>
</dl>
<h2 id="good-examples">Good Examples</h2>
<p>Here are some examples of debian packaging that already understand and
implement this distinction in some way:</p>
<dl>
<dt><code>apache2.2-bin</code> is distinct from <code>apache2-mpm-foo</code></dt>
<dd>Debian's <a href="http://packages.debian.org/apache2">apache</a> packaging
<a href="http://packages.debian.org/changelogs/pool/main/a/apache2/current/changelog#versionversion2.2.11-5">recently
transitioned</a>
to split the apache tool into a separate package (<code>apache2.2-bin</code>)
from the packages that provide an apache system service
(<code>apache2-mpm-foo</code>). So apache can now be run by a regular user, for
example as part of
<a href="http://packages.debian.org/gnome-user-share"><code>gnome-user-share</code></a>.</dd>
<dt><code>git-core</code> is distinct from <code>git-daemon-run</code></dt>
<dd><a href="http://packages.debian.org/git-core"><code>git-core</code></a> provides the
<code>git daemon</code> subcommand, which is a tool capable of providing
network access to a git repo. However, it does not set up a system
service by default. The <code>git-daemon-run</code> package provides a way for
an admin to quickly set up a "typical" system service to offer
networked git access.</dd>
<dt><code>vblade</code> is distinct from <code>vblade-persist</code></dt>
<dd><a href="http://packages.debian.org/vblade"><code>vblade</code></a> offers a simple,
powerful utility to export a single file or block device as an
<a href="http://wikipedia.org/wiki/ATA_over_Ethernet">AoE</a> device.
<a href="http://packages.debian.org/vblade-persist"><code>vblade-persist</code></a>
(disclosure: i wrote <code>vblade-persist</code>) provides a system service to
configure exported devices, supervise them, keep them in service
across system reboots, etc.</dd>
</dl>
<h2 id="tools-are-not-services-a-proposal">Tools are not Services: a Proposal</h2>
<p>Let's consider an existing <code>foo</code> package which currently provides:</p>
<ul>
<li>the tool itself (say, <code>/usr/sbin/foo</code>) and</li>
<li>sets up a system service running <code>foo</code>, including stock <code>foo</code> daemon
configuration in <code>/etc/foo/*</code>, startup scripts at <code>/etc/init.d/foo</code>,
service configs at <code>/etc/default/foo</code>, etc.</li>
</ul>
<p>I suggest that this should be split into two packages. <code>foo-bin</code> would
contain the tool itself, and <code>foo</code> (which <code>Depends: foo-bin</code>) would
contain the service configuration information, postinst scripts to set
it up and start it, etc. This would mean that every instance of
<code>apt-get install foo</code> in someone's notes would retain identical
semantics to the past, but packages which need the <em>tool</em> (but not the
<em>service</em>) can now depend on <code>foo-bin</code> instead, leaving the system with
fewer resources consumed, and fewer unmanaged services running.</p>
<p>For brand new packages (which don't have to account for a legacy of
documentation which says <code>apt-get install foo</code>), i prefer the naming
convention that the <code>foo</code> package includes the tool itself (after all,
it does provide <code>/usr/sbin/foo</code>), and <code>foo-service</code> sets up a standard
system service configured and running (and depends on <code>foo</code>).</p>
<h2 id="side-effects">Side Effects</h2>
<p>This proposal would fix the problems noted above, but it would also
offer some nice additional benefits. For example, it would make it
easier to introduce an alternate system initialization process by
creating alternate service packages (while leaving the tool package
alone). Things like
<a href="http://packages.debian.org/runit-services"><code>runit-services</code></a> could
become actual contenders for managing the running services, without
colliding with the "stock" services installed by the bundled
tool+service package.</p>
<p>The ability to create alternate service packages would also mean that
maintainers who prefer radically different configuration defaults could
offer their service instantiations as distinct packages. For example,
one system-wide <code>foo</code> daemon (<code>foo-service</code>) versus a separate instance
of the <code>foo</code> daemon per user (<code>foo-peruser-service</code>) or triggering a
daemon via <code>inetd</code> (<code>foo-inetd-service</code>).</p>
<p>One negative side effect is that it adds some level of increased load on
the package maintainers — if the service package and the tool package
both come from the same source package, then some work needs to be done
to figure out how to split them. If the tool and service packages have
separate sources (like <code>vblade</code> and <code>vblade-persist</code>) then some
coordinating footwork needs to be done between the two packages when any
incompatible changes happen.</p>
<h2 id="questions-disagreements-next-steps">Questions? Disagreements? Next Steps?</h2>
<p>Do you disagree with this proposal? If so, why? Unfortunately (to my
mind), Debian has a long history of packages which conflate tools with
services. <a href="http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.3.2">Policy section
9.3.2</a>
can even be read as deliberately blurring the line (though i'd argue
that a cautious reading suggests that my proposal is not in opposition
to policy):</p>
<blockquote>
<p>Packages that include daemons for system services should place scripts
in <code>/etc/init.d</code> to start or stop services at boot time or during a
change of runlevel.</p>
</blockquote>
<p>I feel like this particular conflict must have been hashed out before at
some level — are there links to definitive discussion that i'm missing?
Is there any reason we shouldn't push in general for this kind of
distinction in debian daemon packages?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/daemons">daemons</a>,
<a href="https://debian-administration.org/tag/packaging">packaging</a>,
<a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>xen etch to lenny upgrade serial console2009-09-13T23:33:00-04:002009-09-13T23:33:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-09-13:/blog/xen-etch-to-lenny-upgrade-serial-console.html<p>I maintain several xen machines. Most servers that i maintain use serial
consoles (i should probably write another post in more detail about why
serial consoles are the One True Way to manage a server).</p>
<p>Trouble is, the way that xen works with the serial console has changed
between etch …</p><p>I maintain several xen machines. Most servers that i maintain use serial
consoles (i should probably write another post in more detail about why
serial consoles are the One True Way to manage a server).</p>
<p>Trouble is, the way that xen works with the serial console has changed
between etch and lenny. So what's changed? From what i can tell:</p>
<ul>
<li>The way that the dom0 Linux kernel interacts with the hypervisor's
console has changed between Linux 2.6.18 (etch) and 2.6.26 (lenny),
and</li>
<li>the Xen hypervisor's method of specifying the console itself has
changed between Xen 3.0.3 (etch) and 3.2.1 (lenny)</li>
</ul>
<p>In etch systems, i had a standard GRUB specification like this (as
<a href="https://www.debian-administration.org/users/dkg/weblog/17">noted
earlier</a>):</p>
<div class="highlight"><pre><span></span><code>title Xen 3.0.3-1-i386-pae / Debian GNU/Linux, kernel 2.6.18-4-xen-686root (hd0,0)kernel /xen-3.0.3-1-i386-pae.gz dom0_mem=131072 com1=115200,8n1module /vmlinuz-2.6.18-4-xen-686 root=/dev/mapper/vg_monkey0-dom0 ro console=ttyS0,115200n8 module /initrd.img-2.6.18-4-xen-686savedefault
</code></pre></div>
<p>but in lenny, i find it necessary to do this:</p>
<div class="highlight"><pre><span></span><code>title Xen 3.2-1-i386 / Debian GNU/Linux, kernel 2.6.26-2-xen-686root (hd0,0)kernel /xen-3.2-1-i386.gz dom0_mem=131072 com1=115200,8n1 console=com1module /vmlinuz-2.6.26-2-xen-686 root=/dev/mapper/vg_monkey0-dom0 ro console=hvc0module /initrd.img-2.6.26-2-xen-686
</code></pre></div>
<p>In particular, the hypervisor itself needs an additional <code>console=com1</code>
argument to make sure that it uses the serial console (i suppose the
<code>com1=...</code> argument simply specifies <em>how</em> to use the serial console
should you need it, instead of a requirement <em>to</em> use the console).</p>
<p>And the Linux kernel itself for the dom0 needs to adopt <code>hvc0</code> as its
<code>console</code>, which i believe is an acronym for something like the
"hypervisor virtual console" -- this way, the dom0 kernel will come out
multiplexed over the hypervisor's console, no matter where that
hypervisor's console is directed (you might not even need to specify
this explicitly -- it might be set up by default).</p>
<p>When i tried to use the etch settings for the console with the lenny
hypervisor and kernel, i saw the hypervisor try to come out on the video
card, and a dom0 crash!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/serial">serial</a>,
<a href="https://debian-administration.org/tag/serial%20console">serial
console</a>,
<a href="https://debian-administration.org/tag/xen">xen</a></p>
</p>Wanted: Empowered, Active, Activist Users2009-08-27T16:34:00-04:002009-08-27T16:34:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-08-27:/blog/wanted-empowered-active-activist-users.html<p>The <a href="http://dangillmor.com/">other, better-known and wiser Dan Gillmor</a>
(disclosure: we don't just share names, we're related) has started a new
project called <a href="http://mediactive.com/">Mediactive</a>. His older project,
<a href="http://wethemedia.oreilly.com/">We the Media</a> was about the power and
coming growth of grassroots journalism. The new project focuses on media
"consumers", instead of media "producers". Economic …</p><p>The <a href="http://dangillmor.com/">other, better-known and wiser Dan Gillmor</a>
(disclosure: we don't just share names, we're related) has started a new
project called <a href="http://mediactive.com/">Mediactive</a>. His older project,
<a href="http://wethemedia.oreilly.com/">We the Media</a> was about the power and
coming growth of grassroots journalism. The new project focuses on media
"consumers", instead of media "producers". Economic metaphors usually
leave me cold, but it resonates with me when <a href="http://mediactive.com/2009/08/24/moving-along-mediactive/">he
says</a>:</p>
<blockquote>
<p>So I’m declaring victory, albeit early, on the supply side of the
equation. [...]</p>
<p>But that doesn’t solve what may be a bigger issue: crappy demand.</p>
<p><p>
We have raised several generations of passive consumers of news and
information. That’s not good enough anymore.</p>
</blockquote>
<p>The directional shift he's taking is an important one, and not just one
for an independent, grassroots media. It seems parallel in many ways to
the situation i see around free software.</p>
<p>The free software community has clearly demonstrated that we can build
quality, liberated tools for the public in and from the commons (though
there are admittedly tons of crap tools in the commons as well). But the
society-altering political goals of free software (that everyone should
have the right and the ability to freely use good tools fully under
their own control, a corollary of freedom 0 from <a href="http://www.gnu.org/philosophy/free-sw.html">the FSF's four
freedoms</a>) are still going
to fail if the majority of the tool users shrug their shoulders and
either:</p>
<ul>
<li>aren't active participants in the communities around their tools, or</li>
<li>concede to be pushed into proprietary tool use by people who are
more interested in being proprietors than in enabling the freedom of
their users.</li>
</ul>
<p>Software <em>needs</em> an active and engaged userbase if it is going to become
Good Software. Your software works for you? Fine. But if you can make it
work for a dozen people who are engaged enough to say “Wouldn't it be
great if...?” or “How come it acts like...?”, you can build a tool
capable of solving problems you couldn't have imagined on your own. And
those users can help and engage each other (and still more users) too;
the community makes the tool more powerful. More powerful free tools
provide more freedom to their community of users.</p>
<p>Dan's new project seems to acknowledge that not everyone is going to
become a grassroots journalist themselves. And great as the dream of
free software is, we <em>cannot</em> realistically insist that everyone become
a software developer either. For either grassroots journalism or free
software to live up to their promise, we need active and engaged (or
even activist) users.</p>
<p>This is a tough project. i'm an active and engaged software user -- i
have to be if i want to be a decent software developer, protocol
designer, system administrator, or participant in
<a href="http://debian.org/">debian</a>. But it takes work and mental energy just
to be a user like that, let alone the other responsibilities. But
frankly (sorry, Dan!), i'm a terribly passive media consumer. I know
Dan's right, that i can contribute to the cause of grassroots and
distributed media (a cause i believe in, without seeing myself as a
grassroots journalist) by being a more engaged and activist user of the
media. But i don't do it currently. Why? While i'm not sure exactly
<em>how</em> to be an active or engaged user of the media, i have no doubt that
if i threw myself at the task, i could figure it out. But this kind of
learning takes time and is real work, and even if i had it all figured
out, i'm sure that being active and engaged would take more time and
work than being passive. And i already feel swamped by other obligations
and plans.</p>
<p>Most software users must feel the same way about their tools. How can we
reduce those barriers? How can we not only help people see that their
contributions <em>as users</em> are vitally important, but help make those
contributions and that participation easy? As far as i know, Dan (who
understands the goals, tech issues, and social concerns around software
freedom as well as any non-programmer i know) doesn't run a free
operating system himself. And i don't participate in any significant way
as an engaged user of distributed, grassroots media. That sucks.</p>
<p>So:</p>
<ul>
<li>How do you make room for one more goal you believe in?</li>
<li>How do you make it so your own goals are appealing and easy enough
that natural allies can participate without feeling overwhelmed?</li>
<li>What do we need to do as participants in a free software culture to
encourage and engage active (and even activist) users?</li>
<li>What projects are there out there (by analogy with
<a href="http://mediactive.com/">Mediactive</a>) to encourage users of free
software to be active or activist? How are they doing?</li>
</ul>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/free%20software">free
software</a>,
<a href="https://debian-administration.org/tag/politics">politics</a>,
<a href="https://debian-administration.org/tag/users">users</a></p>
</p>Canon camera lens faiure (E18) -- resolved!2009-08-03T16:57:00-04:002009-08-03T16:57:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-08-03:/blog/canon-camera-lens-faiure-e18-resolved.html<p>I have a little old Canon SD200 point-and-shoot, which is a decent
camera. unfortunately, i've (ab)used it quite a bit, lugging it
everywhere in my pocket or in a bag and even <a href="http://gallery.fifthhorseman.net/v/dkg/kite/">sending it up in a
kite</a> (and, uh, bouncing
it off the ground on the way back …</p><p>I have a little old Canon SD200 point-and-shoot, which is a decent
camera. unfortunately, i've (ab)used it quite a bit, lugging it
everywhere in my pocket or in a bag and even <a href="http://gallery.fifthhorseman.net/v/dkg/kite/">sending it up in a
kite</a> (and, uh, bouncing
it off the ground on the way back down sometimes).</p>
<p>Unsurprisingly, things occasionally fail when you subject them to harsh
conditions, and for a couple months now, the lens has failed to retract,
showing a message "<code>E18</code>" on the screen and refusing to take pictures.</p>
<p>It turns out i'm <a href="http://www.e18error.com/repair.html">not the only one with this
problem</a>, and there is actually a
<a href="http://members.shaw.ca/gregs_space/Canon_E18_repair_guide_for_SD300.pdf">really nice guide with good
photos</a>
for the SD300, which is a very similar problem. I'd been putting off
fixing it until i had time to really focus, out of fear that it would
take forever, but it turned out to be a really quick fix (i did
"Procedure 1" in <a href="http://members.shaw.ca/gregs_space/Canon_E18_repair_guide_for_SD300.pdf">the step-by-step
guide</a>
and it worked after about a minute of fiddling with the position
sensor), and now i have my camera back!</p>
<p>So thank you, Greg Toews, for your excellent documentation!</p>keeping ssh host keys up-to-date with monkeysphere2009-07-23T23:04:00-04:002009-07-23T23:04:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-07-23:/blog/keeping-ssh-host-keys-up-to-date-with-monkeysphere.html<p><a href="http://www.enricozini.org/">Enrico</a> posted <a href="http://www.enricozini.org/2009/debian/known-hosts/">a neat trick to track the
SSH host keys of debian
machines</a>, thanks to
<a href="http://blog.zobel.ftbfs.de/">Zobel</a>. I wanted to mention
<a href="http://web.monkeysphere.info/">monkeysphere</a>, a project i'm involved
with which provides a more generalized structure for doing this kind of
update by taking advantage of the OpenPGP Web of Trust to distribute …</p><p><a href="http://www.enricozini.org/">Enrico</a> posted <a href="http://www.enricozini.org/2009/debian/known-hosts/">a neat trick to track the
SSH host keys of debian
machines</a>, thanks to
<a href="http://blog.zobel.ftbfs.de/">Zobel</a>. I wanted to mention
<a href="http://web.monkeysphere.info/">monkeysphere</a>, a project i'm involved
with which provides a more generalized structure for doing this kind of
update by taking advantage of the OpenPGP Web of Trust to distribute and
authenticate SSH keys.</p>
<p>Enrico's <code>known_hosts</code> update strategy is nice, but:</p>
<ul>
<li>it's centralized,</li>
<li>it's useful only for debian developers (and only when connecting to
debian machines),</li>
<li>it relies on users regularly running an update they wouldn't need to
do otherwise (re-fetching the file from <code>master.debian.org</code> via
<code>scp</code>) and</li>
<li>it relies on the maintainers of
<a href="https://db.debian.org/machines.cgi?host=master">master.debian.org</a>:<ul>
<li>to avoid compromise (there are a ton of other problems if
<code>master</code> was compromised, of course),</li>
<li>to keep <code>/etc/ssh/ssh_known_hosts</code> up-to-date, and</li>
<li>not to change the host key for <code>master</code> itself (or the user's
regular <code>scp</code> updates would fail).</li>
</ul>
</li>
</ul>
<p>These are relatively small flaws, and as a project debian is able to
work around them because we have infrastructure in place like <a href="https://db.debian.org/machines.cgi">the
machines database</a> (though checking
the machines db manually is tedious and therefore error-prone). But most
other projects don't have that level of organization, and the process
doesn't scale to other projects we (or our users) might be involved in.
And other projects (including debian, i'd think) might prefer to have a
less centralized process, to minimize bottlenecks and single points of
failure.</p>
<p>Check out Monkeysphere's <a href="http://web.monkeysphere.info/getting-started-admin/">documentation for a server
administrator</a> for
a quick rundown about how to easily publish your SSH host keys via the
Web of Trust (it's not mutually-exclusive with the technique Enrico
describes).</p>
<p>And this is just part of what the monkeysphere can do: using the same
web of trust, monkeysphere is capable of helping a host authenticate
<code>ssh</code> users based on their OpenPGP identities, which gives full
re-keying and revocation functionality for these accounts. But that's a
separate discussion!</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/monkeysphere">monkeysphere</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a></p>
</p>HOWTO prep for migration off of SHA-1 in OpenPGP2009-05-06T06:15:00-04:002009-05-06T06:15:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-05-06:/blog/howto-prep-for-migration-off-of-sha-1-in-openpgp.html<p>Last week at eurocrypt, a small group of researchers announced a fairly
serious <a href="http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf">attack against the SHA-1 digest
algorithm</a>,
which is used in many cryptosystems, including OpenPGP. The general
consensus is that we should be “moving in an orderly fashion toward the
theater exits,” deprecating SHA-1 where possible with an …</p><p>Last week at eurocrypt, a small group of researchers announced a fairly
serious <a href="http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf">attack against the SHA-1 digest
algorithm</a>,
which is used in many cryptosystems, including OpenPGP. The general
consensus is that we should be “moving in an orderly fashion toward the
theater exits,” deprecating SHA-1 where possible with an eye toward
abandoning it soon (one point of reference: <a href="http://csrc.nist.gov/groups/ST/hash/statement.html">US gov't federal agencies
have been directed to cease all reliance on SHA-1 by the end of
2010</a>, and this
directive was issued <em>before</em> the latest results).</p>
<p>Since Debian relies heavily on OpenPGP and other cryptographic
infrastructure, i'll be blogging about how Debian users can responsibly
and carefully migrate toward better digests. This post focuses on some
first steps for users of <code>gpg</code>, and for Debian Developers and Debian
Maintainers in particular.</p>
<p>The good news is that <code>gpg</code> and <code>gpg2</code> both support digest algorithms
from the stronger SHA-2 family: SHA512, SHA384, SHA256, and SHA224.</p>
<p>By using these stronger digest algorithms some of your signatures may be
un-readable by users of older software. However, <code>gpg</code> and PGP (a
proprietary implementation) have both had support for at least SHA256
for well over 5 years. Debian's
<a href="http://packages.debian.org/gnupg">gnupg</a> packages have supported the
full SHA-2 family since sarge.</p>
<p>However, most existing signatures in today's Web of Trust were made over
the SHA-1 digest algorithm, which means that abandoning it immediately
would cause the Web of Trust as we know it to evaporate. So we need to
rely on SHA-1-based signatures until a reasonably-fleshed-out Web of
Trust based on stronger digests is in place. Since we don't want to have
to rely on SHA-1 for too much longer, we need to collectively start the
transition now.</p>
<p>So what can you do to help facilitate the move away from SHA-1? I'll
outline three steps that current <code>gpg</code> users can do today, and then i'll
walk through how to do each one:</p>
<ul>
<li>start making data signatures and web-of-trust certifications using
stronger digests,</li>
<li>explicitly state your preferences for stronger digests when
receiving private communications, and</li>
<li>If you are currently using a 1024-bit DSA primary key (which relies
for signatures on a 160-bit hash, traditionally SHA-1), transition
to a new 2048-bit RSA key.</li>
</ul>
<p>The first two are simple, quick, and painless actions. You'll be done
with them in minutes! The third is tougher, and while you can start it
today, key transitions take a little bit of time to complete. Read on
for a HOWTO!</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/48">read the full
entry</a>.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/cryptography">cryptography</a>,
<a href="https://debian-administration.org/tag/gpg">gpg</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/sha1">sha1</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>NYC public services require Microsoft software2009-05-04T23:46:00-04:002009-05-04T23:46:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-05-04:/blog/nyc-public-services-require-microsoft-software.html<p>Providing city services only to users of specific proprietary software
is bad public policy.</p>
<p>I just discovered that New York City's <a href="https://application.nycsyep.com/">2009 Summer Youth Employment
Program</a> requires Internet Explorer in
order to apply online.</p>
<p>Even downloading the pdf version of the application to print out from
the site is impossible …</p><p>Providing city services only to users of specific proprietary software
is bad public policy.</p>
<p>I just discovered that New York City's <a href="https://application.nycsyep.com/">2009 Summer Youth Employment
Program</a> requires Internet Explorer in
order to apply online.</p>
<p>Even downloading the pdf version of the application to print out from
the site is impossible under non-IE browsers because <a href="https://application.nycsyep.com/Documents/SYEP_2009_Participant_Application.pdf">the actual pdf
link</a>
is wrapped in some IE-only javascript. And even if you could download
the PDF directly, any additional "online information to help you select
a SYEP provider" is inaccessible for the same reason.</p>
<p>I just called <a href="http://www.nyc.gov/311">311</a> and filed an official
complaint against the <a href="http://www.nyc.gov/html/dycd">NYC Dept. of Youth and Community
Development</a> (DYCD), who sponsor the
program.</p>
<p>I also called the number on the application page (1-800-246-4646), and
spoke with "Karen" from the DYCD, who explained that the site was a New
York City web site, and that it had been created by <a href="http://www.nyc.gov/html/doitt">DoITT (the
Department of Information Technology and
Telecommunications)</a> at the request of
the DYCD, but that the DYCD didn't program it directly. She seemed to
misunderstand the tech behind the situation, saying "we can't bring it
to a higher level (like Firefox) because then it wouldn't work for
everyone". I was happy that she understood that Firefox was a concern
here, but the point is not to build the site "higher" to Firefox, but to
use standard technology that all browsers can access for a public site.</p>
<p>Karen also seemed to think the situation was acceptable because the city
youth "can always use IE on local public library computers" to access
the site. Note that the applications involve submitting very detailed
information (SSN, health insurance, family income, criminal record,
selective service registration #, etc), which are things that i would
personally be unwilling to submit over a shared public computer if i had
any other choice. Furthermore, this crappy implementation decision
encourages the <a href="http://nypl.org/">NYPL</a> to continue to spend limited
resources on proprietary software to an out-of-state monopolist to run
their computer labs, which is money that could be better spent locally
(or even spent on books or something similarly quaint and library-like).</p>
<p>I'm frustrated. This is 2009. The application process for public
services here should not require any proprietary technology, but it uses
it gratuitously. This excludes legitimate citizens, and encourages
Microsoft in its ongoing pursuit of monopoly status. Both of these are
bad things.</p>
<p>I submitted feedback on <a href="http://www.nyc.gov/html/dycd/html/contact/customer_survey.shtml">the DYCD customer survey web
site</a>,
and submitted two 150-word-limited(!) complaints to <a href="http://www.nyc.gov/html/mail/html/maildycd.html">Commissioner
Mulgrav of the DYCD</a>
and <a href="http://www.nyc.gov/html/mail/html/maildoitt.html">Commissioner Cosgrave of
DoITT</a>.</p>
<p>I'm sure they'd be interested in hearing from other people about this.
Is this kind of proprietary lock-in what we should expect from <a href="http://www.nytimes.com/2002/05/28/nyregion/the-mouse-as-sacred-cow-mayor-s-cuts-spare-technology.html">a Mayor
who cuts budgets city-wide <em>except</em> for
IT</a>?
Where is all that money going? What is the city getting out of it?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>multiple USB serial adapters on a SheevaPlug2009-04-25T02:48:00-04:002009-04-25T02:48:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-04-25:/blog/multiple-usb-serial-adapters-on-a-sheevaplug.html<p>I just noticed Matthew Palmer's <a href="http://www.hezmatt.org/~mpalmer/blog/general/insane_brilliant_idea_of_the_day.html">Insane/Brilliant idea of the
day</a>:
he proposes to use large sets of USB serial adapters with a
<a href="http://www.cyrius.com/debian/kirkwood/sheevaplug/index.html">sheevaplug</a>
as a cheap serial console server.</p>
<p>As part of upstream on <a href="http://packages.debian.org/cereal">cereal</a>, i
feel obliged to mention that package as a tool for managing serial
console …</p><p>I just noticed Matthew Palmer's <a href="http://www.hezmatt.org/~mpalmer/blog/general/insane_brilliant_idea_of_the_day.html">Insane/Brilliant idea of the
day</a>:
he proposes to use large sets of USB serial adapters with a
<a href="http://www.cyrius.com/debian/kirkwood/sheevaplug/index.html">sheevaplug</a>
as a cheap serial console server.</p>
<p>As part of upstream on <a href="http://packages.debian.org/cereal">cereal</a>, i
feel obliged to mention that package as a tool for managing serial
console farms like this. It's designed to run in a small footprint,
stores timestamped logs for the consoles, supports concurrent remote
access, and uses standard unix accounts (usually via ssh) to permit read
and/or write access to each port. It has saved me exactly the headaches
Matt describes many times.</p>
<p>However, i've had trouble getting multiple identical USB serial adapters
to persist at standard device file locations across reboot. That is, if
you have four pl2303 devices from the same manufacturer, it seems to be
a crapshoot which one will be <code>/dev/ttyUSB0</code> after you restart your
system. I could find no distinguishing data in the sysfs to get udev to
persistently key off of, anyway. if you know a way to do it, i'd be
happy to see it!</p>
<p>Depending on how many ports you need, another alternative would be to
use a sheevaplug with a <a href="http://www.serialgear.com/8-Port-Serial-Adapter-USBG-8X-RS232.html">multiport USB-to-serial
adapter</a>.
While i haven't tried this specific hardware, it would remove the need
for the hub, and potentially would mean you didn't need any extra power.
I'm assuming that this device would give you persistent port naming, but
i haven't tried it. Pricewise, it seems to be a win, too: \$100 for the
SheevaPlug and \$100 for the 8-port adapter.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/cereal">cereal</a>,
<a href="https://debian-administration.org/tag/sheevaplug">sheevaplug</a></p>
</p>Leslie Pack Kaelbling for Ada Lovelace Day2009-03-25T06:27:00-04:002009-03-25T06:27:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-03-25:/blog/leslie-pack-kaelbling-for-ada-lovelace-day.html<p>So i'm a couple hours late for <a href="http://findingada.com/">Ada Lovelace
Day</a> (in my time zone at least), but i wanted to
mention <a href="http://people.csail.mit.edu/lpk/">Leslie Pack Kaelbling</a>, an
excellent technologist who has also had a significant impact on my life.</p>
<p>Her extremely <a href="http://people.csail.mit.edu/lpk/bio.html">short
biography</a> says (in full):</p>
<blockquote>
<p>Leslie Pack Kaelbling is Professor of …</p></blockquote><p>So i'm a couple hours late for <a href="http://findingada.com/">Ada Lovelace
Day</a> (in my time zone at least), but i wanted to
mention <a href="http://people.csail.mit.edu/lpk/">Leslie Pack Kaelbling</a>, an
excellent technologist who has also had a significant impact on my life.</p>
<p>Her extremely <a href="http://people.csail.mit.edu/lpk/bio.html">short
biography</a> says (in full):</p>
<blockquote>
<p>Leslie Pack Kaelbling is Professor of Computer Science and Engineering
at the Computer Science and Artificial Intelligence Laboratory (CSAIL)
at the Massachusetts Institute of Technology. Her research focuses on
decision-making under uncertainty, learning, and sensing with
applications to robotics.</p>
</blockquote>
<p>She is also the founder and co-editor-in-chief of the <a href="http://jmlr.csail.mit.edu/">Journal of
Machine Learning Research</a>, an active
open-access academic collection which encourages the development of
<a href="http://jmlr.csail.mit.edu/mloss/">open source software for the field of machine
learning</a>. Cool stuff!</p>
<p><code>lpk</code> was my professor when i was an undergraduate (before she went to
MIT), and she opened my mind to a lot of great ideas about artificial
intelligence, machine learning, robotics, and computation in general.
Beyond the specifics that she taught, though, she also demonstrated what
it means to be a spirited and engaged academic, both in research and in
teaching. I think i first read <a href="http://wikipedia.org/Stanislaw_Lem">Stanslaw
Lem</a> in one of her robotics classes
(it was one of the stories from <a href="http://english.lem.pl/index.php/works/novels/the-cyberiad/57-a-look-inside-the-cyberiad">The
Cyberiad</a>),
where she encouraged us to think not just about the technical
possibilities of machinery, but also about the social possibilities. And
it wasn't just theorizing: I also had the chance to do significant work
with robotics hardware (both real and emulated) in a lab under her
friendly and open supervision.</p>
<p>She developed a new introductory series of
<a href="http://www.cs.brown.edu/courses/csci0170.html">two</a>
<a href="http://www.cs.brown.edu/courses/csci0180.html">classes</a> for the
school's Computer Science department, which i was unfortunately too late
to take. They're designed to reach students who were discouraged by the
traditional programming-heavy approach, and focus instead on the issues
of theory, abstraction, and collaboration, with programming taking a
subordinate place to understanding the nature of computation itself.
Later in my scholastic career, I had the privilege of helping her out as
a teaching assistant, working with her on various robotics projects,
advising a handful of younger students with her, and having her advise
my final-year project, where i tested and evaluated variants of the
<a href="http://en.wikipedia.org/wiki/Boosting">boosting machine-learning
algorithm</a>. Throughout all of
this, and despite my typical collegiate distractions, Leslie helped me
understand technical details and nuance about the possibilities that we
have with these incredible machines, and how they might be made to
interact with the real world with all of its contradictory input and
uncertainty.</p>
<p>So here's to Leslie Pack Kaelbling: thank you for all your amazing
contributions to our field, and for the things you taught me and the
opportunities you shared!</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/adalovelaceday09">adalovelaceday09</a></p>
</p>Publicly-funded knowledge should be public2009-03-17T18:18:00-04:002009-03-17T18:18:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-03-17:/blog/publicly-funded-knowledge-should-be-public.html<p>I live in the USA. Our government issues many grants to scientists for
research via the <a href="http://nih.gov">National Institute of Health</a>. I
recently found out about the NIH's recent requirement that
<a href="http://publicaccess.nih.gov/">publicly-funded research must be published freely online within 12
months</a>. As you can imagine, i think this
is a remarkably …</p><p>I live in the USA. Our government issues many grants to scientists for
research via the <a href="http://nih.gov">National Institute of Health</a>. I
recently found out about the NIH's recent requirement that
<a href="http://publicaccess.nih.gov/">publicly-funded research must be published freely online within 12
months</a>. As you can imagine, i think this
is a remarkably Good Thing (though 12 months seems a little bit long for
fast-moving fields).</p>
<p>Apparently, <a href="http://conyers.house.gov/">John Conyers</a> and several
<a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR00801:@@@P">co-sponsors</a>
have introduced <a href="http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.801:">HR
801</a>, which appears
intended to overturn this remarkable policy, primarily for the benefit
of the companies that publish scientific journals.</p>
<p>This bill is a shame, and i had hoped for better from Rep. Conyers, who
otherwise has a
<a href="http://en.wikipedia.org/wiki/United_States_National_Health_Insurance_Act">remarkably</a>
<a href="http://en.wikipedia.org/wiki/Downing_Street_memo">positive</a>
<a href="http://en.wikipedia.org/wiki/Nixon%27s_Enemies_List#Verbatim_text_of_Colson.27s_original_memo_.28with_his_comments.29">record</a>
as a legislator advocating for government transparency and the public
good. Sadly, his stance on so-called "Intellectual Property" seems
characterized by <a href="http://en.wikipedia.org/wiki/PRO-IP_Act">heavy-handed
legislation</a> designed to
benefit the parties already heavily favored by the current <a href="http://citesandinsights.info/v6i8e.htm">imbalanced
copyright</a> situation.</p>
<p>If you live in the US (and especially if you live in Conyers' district
in Michigan), please <a href="mailto:john.conyers@mail.house.gov?subject=Please+Abandon+HR+801">send him
e-mail</a>
or <a href="http://conyers.house.gov/index.cfm?FuseAction=Contact.ContactInformation">get in touch by
phone</a>
and tell him to drop the bill. You might also check the <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR00801:@@@P">list of
cosponsors</a>
to see if one of them is more local to you.</p>
<p>If you want to read more, <a href="http://lessig.org/">Lawrence Lessig</a> has
written about this issue, <a href="http://www.huffingtonpost.com/lawrence-lessig/a-reply-to-congressman-co_b_173030.html">addressing Congressman Conyers
directly</a>
in the Huffington Post. Curiously, Rep. Conyers' web site contains <a href="http://conyers.house.gov/index.cfm?FuseAction=Search.Results&Keywords=801">no
mention of HR
801</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>redundant DHCP service for a sprawling LAN?2009-02-27T19:44:00-05:002009-02-27T19:44:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-02-27:/blog/redundant-dhcp-service-for-a-sprawling-lan.html<p>I'm supporting a medium-sized (\~70 regular clients and a half-dozen
servers) LAN. It's a single logical ethernet segment, but it's built as
a tree of cascaded switches. DHCP service is provided by a single host
running ISC's DHCPD (via
<a href="http://packages.debian.org/dhcp3-server">dhcp3-server</a>).</p>
<p>DHCP itself is one of the single points of failure …</p><p>I'm supporting a medium-sized (\~70 regular clients and a half-dozen
servers) LAN. It's a single logical ethernet segment, but it's built as
a tree of cascaded switches. DHCP service is provided by a single host
running ISC's DHCPD (via
<a href="http://packages.debian.org/dhcp3-server">dhcp3-server</a>).</p>
<p>DHCP itself is one of the single points of failure in the network
layout. i'd really like to make this DHCP server redundant (so that i
can take that host down for service if needed and leave the rest of the
network intact). However, reading
<a href="http://linux.die.net/man/5/dhcpd.conf">dhcpd.conf(5)</a> makes me pretty
worried that the failover stuff is not well-tested or widely deployed.</p>
<p>I've read <a href="http://www.madboa.com/geek/dhcp-failover/">Paul Heinlein's <em>Failover with ISC
DHCP</em></a>, which makes it look
not unreasonable, but i was wondering if people have other preferred
mechanisms for providing DHCP redundancy. Do you have failover DHCP set
up for any LAN that you manage? If so, what do you use? Are there any
gotchas to watch out for?</p>
<p>I'm also concerned about the security implications. On a network that's
not using IPSEC, i don't see any mechanism for the two DHCP servers to
properly mutually authenticate. Is it really just by IP address? Could
someone spoofing the IP address of one host corrupt the state of the
other DHCP server? (i'm less concerned about them keeping network
traffic private, since most of what they communicate is likely to go out
in the clear on the wire anyway). Am i missing some clever
authentication technique?</p>
<p>From a security point of view, i understand that there are more severe
security problems with DHCP itself, of course (the protocol requires
that the client trust the (unauthenticated) server), but that doesn't
seem likes a good reason to introduce an opportunity to compromise any
given server directly.</p>
<p>Your thoughts on DHCP redundancy?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/dhcp">dhcp</a>,
<a href="https://debian-administration.org/tag/failover">failover</a>,
<a href="https://debian-administration.org/tag/redundancy">redundancy</a></p>
</p>Stricter GnuTLS rejects outmoded X.509 certs2009-02-15T17:20:00-05:002009-02-15T17:20:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-02-15:/blog/stricter-gnutls-rejects-outmoded-x509-certs.html<p>Recently, several people noticed that GnuTLS behavior did not match its
documentation with respect to two significant security concerns, both
regarding X.509 certificate validation:</p>
<ul>
<li><a href="http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332">Certificates with MD5 digests were considered acceptable for
validation</a>.
They should not be, because of <a href="http://www.win.tue.nl/hashclash/rogue-ca/">known weaknesses in that digest
algorithm</a>.</li>
<li><a href="http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351/focus=3365">Version 1 X.509 …</a></li></ul><p>Recently, several people noticed that GnuTLS behavior did not match its
documentation with respect to two significant security concerns, both
regarding X.509 certificate validation:</p>
<ul>
<li><a href="http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332">Certificates with MD5 digests were considered acceptable for
validation</a>.
They should not be, because of <a href="http://www.win.tue.nl/hashclash/rogue-ca/">known weaknesses in that digest
algorithm</a>.</li>
<li><a href="http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351/focus=3365">Version 1 X.509 certificates were being accepted as Certificate
Authorities if placed in the list of trusted
certificates</a>.
It is impossible to distinguish between a V1 Authority certificate
and a V1 End Entity certificate. This makes placement of such a cert
in the trusted certificates list dangerously ambiguous, because you
don't want holders of an end entity certificate to be able to act as
certificate authorities)</li>
</ul>
<p>GnuTLS has been fixed upstream, and <a href="http://www.debian.org/security/2009/dsa-1719">a fix to at least the latter
problem has already propagated into etch via a security
upload</a>. The lenny
packages should already behave as documented (no MD5 digests accepted in
cert validation, v1 certificates not explicitly acceptable as
authorities).</p>
<p><em>However</em>, this means that if you use GnuTLS-linked tools to connect to
systems whose certificate chains rely on either MD5 digests (in anything
but the root certificate) or on v1 certificates for any of the
certificate authorities, your connections may fail due to this stricter
validation.</p>
<p>There are already several bug reports about <a href="http://bugs.debian.org/514807">broken LDAP
connections</a> and <a href="http://bugs.debian.org/514578">broken mail
connections</a> due to these problems, and
there have been <a href="http://lists.debian.org/debian-release/2009/02/msg00390.html">reasonable concerns raised on
debian-release</a>
about this.</p>
<p>So what can you do to make sure that the infrastructure you rely on or
maintain does not depend on these outmoded and insecure features of
X.509? Read on for concrete steps for administrators,
developers/maintainers, and end users...</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/42">read the full
entry</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/gnutls">gnutls</a>,
<a href="https://debian-administration.org/tag/ldap">ldap</a>,
<a href="https://debian-administration.org/tag/openldap">openldap</a>,
<a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/tip">tip</a>,
<a href="https://debian-administration.org/tag/x.509">x.509</a></p>
</p>Python editor/IDE for new (high school) coders?2009-02-04T19:56:00-05:002009-02-04T19:56:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-02-04:/blog/python-editoride-for-new-high-school-coders.html<p>I'm supporting a class of high school students who are new to
programming, and will be learning some python. Most of these students
are comfortable with computers, but not hacker types, and few if any of
them have written code before.</p>
<p>I'm looking for an editor or an Integrated Development …</p><p>I'm supporting a class of high school students who are new to
programming, and will be learning some python. Most of these students
are comfortable with computers, but not hacker types, and few if any of
them have written code before.</p>
<p>I'm looking for an editor or an Integrated Development Environment (IDE)
that won't be too scary for them, and will help them get used to the
novel idea of writing code without simultaneously having to get used to
the novel idea of an unfamiliar user interface.</p>
<p>So i can't expect them to pick up my beloved emacs, for example. But on
the other end of the spectrum, i'd hate for them to try to write python
in an word processor (i've seen people do it!). Here's what i think i'm
looking for:</p>
<ul>
<li>comfortable graphical interface -- these students have not used the
command line before, and while they'll be introduced to the python
shell, they should be able to write code and browse for files, etc.
in the "normal" (sigh) way. This means, for instance, that tk-based
interfaces are less good because they don't integrate with the
common GTK-based UI.</li>
<li>syntax highlighting -- the students will need to figure out what's a
variable, what's a function name, what's an operator, what's a
reserved word, etc. Visual indications like font-lock-mode from
emacs would be really useful.</li>
<li>whitespace management -- since python has syntactic whitespace, it
would be great if there were convenient/intuitive ways for students
to adjust the whitespace in their programs. Of course, it's hard to
say what's going to be intuitive for other people. I like
tab-cycling whitespace myself; are there other approaches i should
be proposing?</li>
</ul>
<p>Do you have suggestions for tools that work well for the above needs?
Favorites? Are there features other than the "top three" i listed above
that you think i should pay attention to?</p>
<p>FWIW, they'll be working in a labful of machines running Ubuntu Hardy
for the most part, but i'm willing to port and deploy programs
(particularly ones that feel like a perfect fit) if they're not
available in hardy.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/ide">ide</a>,
<a href="https://debian-administration.org/tag/python">python</a>,
<a href="https://debian-administration.org/tag/recommendations">recommendations</a>,
<a href="https://debian-administration.org/tag/student">student</a></p>
</p>target disk mode (sbp-2 mass storage host mode?)2009-01-23T19:24:00-05:002009-01-23T19:24:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-01-23:/blog/target-disk-mode-sbp-2-mass-storage-host-mode.html<p>One very convenient feature of Apple's hardware is the ability for their
workstations to enter <a href="http://en.wikipedia.org/wiki/Target_Disk_Mode">target disk
mode</a>. This effectively
transforms the machine into a glorified
<a href="http://en.wikipedia.org/wiki/IEEE_1394_interface">ieee1394</a> (firewire)
block device, which can then be manipulated from outside the machine
using the standard <a href="http://en.wikipedia.org/wiki/SBP-2">SBP-2</a> protocol.</p>
<p>Is there a way to provide …</p><p>One very convenient feature of Apple's hardware is the ability for their
workstations to enter <a href="http://en.wikipedia.org/wiki/Target_Disk_Mode">target disk
mode</a>. This effectively
transforms the machine into a glorified
<a href="http://en.wikipedia.org/wiki/IEEE_1394_interface">ieee1394</a> (firewire)
block device, which can then be manipulated from outside the machine
using the standard <a href="http://en.wikipedia.org/wiki/SBP-2">SBP-2</a> protocol.</p>
<p>Is there a way to provide this same functionality from a running
GNU/Linux machine? For example, i have a GNU/Linux system with a block
device attached to it. I would prefer if the block device was available
to a neighboring machine, but (for whatever reason) i'm unable to
physically move it. However, i'm able to link the two machines via a
simple ieee1394 connection. A "virtual target disk mode" server (or
would it be better to say "an SBP-2 mass storage target service over an
ieee1394 link"?) would be really useful.</p>
<p>One thing that occurs to me is that i could do some sort of networking
abstraction over the link (using
<a href="http://www.linux1394.org/eth1394.php">eth1394</a>?), and then use
something like <a href="http://packages.debian.org/vblade">vblade</a> (an
<a href="http://en.wikipedia.org/wiki/ATA_over_Ethernet">ATA-over-Ethernet</a>
target service) to provide a virtual block device to the remote host.
However, this requires the remote host to run an operating system
capable of dealing with these (more obscure) protocols, and i'd like
this to work for any remote machine that knows how to deal with generic
SBP-2 ieee1394 mass storage.</p>
<p>I know that in general GNU/Linux is at least as powerful and capable as
the firmware that Apple ships ;) But it's possible that our community
just hasn't gotten around to implementing something like this. Is this
the case? My attempts to search for it haven't turned up anything, but
it's entirely possible that i'm reading the wrong docs (or reading the
docs wrong). Any pointers?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/firewire">firewire</a>,
<a href="https://debian-administration.org/tag/ieee1394">ieee1394</a>,
<a href="https://debian-administration.org/tag/sbp2">sbp2</a>,
<a href="https://debian-administration.org/tag/vblade">vblade</a></p>
</p>Trancendental Nonsense and the Functional Approach2009-01-22T05:32:00-05:002009-01-22T05:32:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2009-01-22:/blog/trancendental-nonsense-and-the-functional-approach.html<p>Poking around <a href="http://emoglen.law.columbia.edu/twiki/bin/view/LawContempSoc/WebHome">the web site for Law in Contemporary
Society</a>,
a class taught this semester by <a href="http://emoglen.law.columbia.edu/">Eben
Moglen</a>, (who is counsel for the <a href="http://fsf.org/">Free
Software Foundation</a> and founder of the <a href="http://softwarefreedom.org">Software
Freedom Law Center</a>), i found <a href="http://en.wikipedia.org/wiki/Felix_S._Cohen">Felix
Cohen</a>'s <a href="http://moglen.law.columbia.edu/LCS/cohen-transcendental.pdf">Trancendental
Nonsense and the Functional
Approach</a>,
which (according to wikipedia) is …</p><p>Poking around <a href="http://emoglen.law.columbia.edu/twiki/bin/view/LawContempSoc/WebHome">the web site for Law in Contemporary
Society</a>,
a class taught this semester by <a href="http://emoglen.law.columbia.edu/">Eben
Moglen</a>, (who is counsel for the <a href="http://fsf.org/">Free
Software Foundation</a> and founder of the <a href="http://softwarefreedom.org">Software
Freedom Law Center</a>), i found <a href="http://en.wikipedia.org/wiki/Felix_S._Cohen">Felix
Cohen</a>'s <a href="http://moglen.law.columbia.edu/LCS/cohen-transcendental.pdf">Trancendental
Nonsense and the Functional
Approach</a>,
which (according to wikipedia) is one of "the most-cited law review
articles ever written".</p>
<p>I haven't read the whole thing yet (and i'm neither a lawyer nor a
philosopher) but it's fascinating reading. And from what i've read so
far, it's a strong push toward directly addressing the <em>values</em> that lie
hidden beneath our technical or mechanical decisions, and to avoid
mistaking technical success or skill with a worthwhile outcome and clear
goals at a societal level. This is something we software developers and
system administrators struggle with as well (or at least i think we
should). It's neat to get my head around these concepts from a different
intellectual sphere, and a different era (74 years ago!) when the
technical and mechanical tools i work with didn't exist in anything like
their present form.</p>
<p>This kind of reading makes me wonder what works from Computer Science or
Systems Engineering or Information Technology will have this kind of
exhortative power and social relevance so far into the future. Do you
have a favorite (or abhorred?) text from your field that offers the kind
of moral and technical challenges that Cohen's work does?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/law">law</a>,
<a href="https://debian-administration.org/tag/moglen">moglen</a>,
<a href="https://debian-administration.org/tag/philosophy">philosophy</a></p>
</p>sysadvent -- 25 days of systems administration2008-12-31T23:56:00-05:002008-12-31T23:56:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-12-31:/blog/sysadvent-25-days-of-systems-administration.html<p>I just ran across Jordan Sissel's <a href="http://sysadvent.blogspot.com/">sysadvent
project</a>, where he posted one article
about systems administration each day from the 1st of December to the
25th.</p>
<p>Jordan has been a great communicator when we've exchanged mail (he's the
author of <a href="http://packages.qa.debian.org/xdotool">xdotool</a>, which i
maintain for debian). Unsurprisingly, his posts in …</p><p>I just ran across Jordan Sissel's <a href="http://sysadvent.blogspot.com/">sysadvent
project</a>, where he posted one article
about systems administration each day from the 1st of December to the
25th.</p>
<p>Jordan has been a great communicator when we've exchanged mail (he's the
author of <a href="http://packages.qa.debian.org/xdotool">xdotool</a>, which i
maintain for debian). Unsurprisingly, his posts in sysadvent are also
excellent. He has a broad knowledge of what tools are available, clever
insights in how to connect them together, an engaging and clear writing
style, and sharp sense of what really should matter to a systems
administrator. Definitely worth reading!</p>wireless hardware switches (pciehp is your friend)2008-10-16T17:43:00-04:002008-10-16T17:43:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-10-16:/blog/wireless-hardware-switches-pciehp-is-your-friend.html<p>I've been playing around with an eeePC 900, which is <a href="http://wiki.debian.org/DebianEeePC">very
well-supported by debian</a>. Kudos to
the eeepc team!</p>
<p>I had one problem with it, after upgrading
<a href="http://packages.qa.debian.org/eeepc-acpi-scripts"><code>eeepc-acpi-scripts</code></a>
from version 1.0.4 to 1.0.9: with 1.0.4, i was able to use an ACPI
hotkey to …</p><p>I've been playing around with an eeePC 900, which is <a href="http://wiki.debian.org/DebianEeePC">very
well-supported by debian</a>. Kudos to
the eeepc team!</p>
<p>I had one problem with it, after upgrading
<a href="http://packages.qa.debian.org/eeepc-acpi-scripts"><code>eeepc-acpi-scripts</code></a>
from version 1.0.4 to 1.0.9: with 1.0.4, i was able to use an ACPI
hotkey to disable and re-enable the wireless. With 1.0.9, the device did
not come back up for me after a toggle. The problem was resolved for me
with:</p>
<div class="highlight"><pre><span></span><code>echo pciehp >> /etc/modules
</code></pre></div>
<p>which i figured out from reading <a href="http://lists.alioth.debian.org/pipermail/debian-eeepc-devel/2008-October/001300.html">a brief
post</a>
on the very-informative <a href="http://lists.alioth.debian.org/mailman/listinfo/debian-eeepc-devel"><code>debian-eeepc-devel</code> mailing
list</a>.
The rest of this post explores why that was the answer for me.</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/37">read the full
entry</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/eeepc">eeepc</a>,
<a href="https://debian-administration.org/tag/wlan">wlan</a></p>
</p>Monkeysphere: an OpenPGP-based PKI for SSH2008-09-04T07:13:00-04:002008-09-04T07:13:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-09-04:/blog/monkeysphere-an-openpgp-based-pki-for-ssh.html<p>Ever thought that there should be an automated way to handle ssh keys?
Do you know the administrators of your servers, and wish that SSH could
verify new host keys from them automatically, based on your personal
connections to the web-of-trust? Do you wish you could revoke and/or
rotate …</p><p>Ever thought that there should be an automated way to handle ssh keys?
Do you know the administrators of your servers, and wish that SSH could
verify new host keys from them automatically, based on your personal
connections to the web-of-trust? Do you wish you could revoke and/or
rotate your old SSH authentication keys without having to log into every
single machine you have an account on?</p>
<p>Do you administer servers, and wish you could re-key them without sowing
massive confusion among your users (or worse, encouraging bad security
habits among them)? Do you wish you could grant access to your users by
name, instead of by opaque string? Do you wish you could rapidly revoke
access to a user (or compromised key) across a group of machines by
disabling authentication for that user?</p>
<p>A group of us have been working on a public key infrastructure for SSH.
<a href="http://web.monkeysphere.info">Monkeysphere</a> makes use of the existing
OpenPGP web-of-trust to fetch and cryptographically validate (and
revoke!) keys. This works in both direction: <code>authorized_keys</code> <em>and</em>
<code>known_hosts</code> are handled. Monkeysphere gives users and admins tools to
deal with SSH keys by thinking about the people and machines to whom the
keys belong, instead of requiring humans to do tedious (and error-prone)
manual key verification.</p>
<p>We have <a href="http://web.monkeysphere.info/download">debian packages
available</a> which should install
against lenny (for i386, amd64, powerpc, and arm architectures at the
moment), <a href="https://lists.riseup.net/www/info/monkeysphere">a mailing
list</a>, and open ears for
good questions, suggestions and criticism.</p>
<p>If you have a chance to give it a try (<a href="http://web.monkeysphere.info/getting-started-user/">as a
user</a> or <a href="http://web.monkeysphere.info/getting-started-admin/">as an
admin</a>), it would
be great to <a href="https://lists.riseup.net/www/info/monkeysphere">get
feedback</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/gpg">gpg</a>,
<a href="https://debian-administration.org/tag/monkeysphere">monkeysphere</a>,
<a href="https://debian-administration.org/tag/openpgp">openpgp</a>,
<a href="https://debian-administration.org/tag/openssh">openssh</a>,
<a href="https://debian-administration.org/tag/pgp">pgp</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a></p>
</p>transient "obsolete packages" with apt2008-06-18T20:43:00-04:002008-06-18T20:43:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-06-18:/blog/transient-obsolete-packages-with-apt.html<p>On the testing and unstable systems that i run, i occasionally get a
disturbing "there are <em>N</em> newly obsolete packages" message. For example</p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="mi">0</span><span class="w"> </span><span class="nx">root</span><span class="err">@</span><span class="nx">squeak</span><span class="w"> </span><span class="o">~</span><span class="p">]</span><span class="err">#</span><span class="w"> </span><span class="nx">aptitude</span><span class="w"> </span><span class="nx">updateHit</span><span class="w"> </span><span class="nx">http</span><span class="p">:</span><span class="c1">//cmrg.fifthhorseman.net unstable Release.gpg [...]Get:42 http://ftp.us.debian.org unstable/main [2077kB] Fetched 15.2MB in 57s …</span></code></pre></div><p>On the testing and unstable systems that i run, i occasionally get a
disturbing "there are <em>N</em> newly obsolete packages" message. For example</p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="mi">0</span><span class="w"> </span><span class="nx">root</span><span class="err">@</span><span class="nx">squeak</span><span class="w"> </span><span class="o">~</span><span class="p">]</span><span class="err">#</span><span class="w"> </span><span class="nx">aptitude</span><span class="w"> </span><span class="nx">updateHit</span><span class="w"> </span><span class="nx">http</span><span class="p">:</span><span class="c1">//cmrg.fifthhorseman.net unstable Release.gpg [...]Get:42 http://ftp.us.debian.org unstable/main [2077kB] Fetched 15.2MB in 57s (262kB/s) Reading package lists... DoneUpdating debtags database...... DoneCurrent status: 3 updates [+3], 1136 new [-21212].There are 1804 newly obsolete packages.[255 root@squeak ~]# </span>
</code></pre></div>
<p>Usually, i can fix this with another <code>aptitude update</code>. Does this mean
i've hit a mirror at an inopportune time? Or do i have apt
mis-configured somehow?</p>
<p><a href="http://www.debianhelp.org/node/7602#comment-42130">Other people have
documented</a> this
before, and casual conversation with friends lets me know it's not just
me.</p>
<p>If this is due to some inconsistency at the mirrors (particularly for
suites with rolling updates?), is there some way to engineer the mirror
transfers so that this doesn't happen? For example (i have no idea how
this stuff is done, so i'm just making this up):</p>
<ol>
<li>rsync the <code>pool/</code> without <code>--delete</code> to all mirrors,</li>
<li>rsync the <code>Packages</code> and <code>Release</code>, and <code>DiffIndex</code> files to all
mirrors,</li>
<li>rsync the <code>pool/</code> <em>with</em> <code>--delete</code></li>
</ol>
<p>Or should apt itself deal with these circumstances differently? It seems
like signed apt ought to be able to detect when something like this is
amiss.</p>
<p>I'm reluctant to consider the situation acceptable, because i'd like to
be able to trust apt in general. In particular, i can imagine apt
eventually becoming more assertive about suggesting removal of newly
obsolete and unsupported packages. If it is wrong about what's obsolete
and unsupported, this could be dangerous.</p>Can you mirror-read?2008-06-03T17:39:00-04:002008-06-03T17:39:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-06-03:/blog/can-you-mirror-read.html<p>A high school student i work with is trying to gather data on the
prevalence of mirror-reading (the ability to easily read text that is
reversed left-to-right).</p>
<p>He's posted a simple webapp to gather data points for his experiment. It
should take only a couple of minutes to <a href="http://leo.urbanacademy.org/">try it …</a></p><p>A high school student i work with is trying to gather data on the
prevalence of mirror-reading (the ability to easily read text that is
reversed left-to-right).</p>
<p>He's posted a simple webapp to gather data points for his experiment. It
should take only a couple of minutes to <a href="http://leo.urbanacademy.org/">try it out and give him some
data</a>. If he gets enough data to write
something up, i'll try to encourage him to publish his results as well.</p>New York State Electronic Records Report2008-05-22T07:26:00-04:002008-05-22T07:26:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-05-22:/blog/new-york-state-electronic-records-report.html<p>The CIO and <a href="http://www.oft.state.ny.us/">the Office For Technology of New York State
(USA)</a> just released a new <a href="http://www.oft.state.ny.us/policy/esra/erecords-study.htm">report on
electronic records strategy, titled <cite>A Strategy for Openness:
Enhancing E-Records Access in New York
State</cite></a>.</p>
<p>I submitted <a href="http://cmrg.fifthhorseman.net/wiki/NYSRFPC122807">my own
comments</a> during the
call for public comments earlier this year -- apparently there were …</p><p>The CIO and <a href="http://www.oft.state.ny.us/">the Office For Technology of New York State
(USA)</a> just released a new <a href="http://www.oft.state.ny.us/policy/esra/erecords-study.htm">report on
electronic records strategy, titled <cite>A Strategy for Openness:
Enhancing E-Records Access in New York
State</cite></a>.</p>
<p>I submitted <a href="http://cmrg.fifthhorseman.net/wiki/NYSRFPC122807">my own
comments</a> during the
call for public comments earlier this year -- apparently there were only
114 comments submitted by the public (you can see <a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIIerecordsStudy.pdf">the call for comments
and an overview/analysis of the
responses</a>).
I wish there'd been more, since it looks like the 59 <a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIII-BerecordsStudy.pdf">individual
commenters</a>
were <em>overwhelmingly</em> supportive of a requirement for the Gov't to use
ODF. The rest of the comments were from
<a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIII-CerecordsStudy.pdf">governments</a>,
<a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIII-DerecordsStudy.pdf">NGOs</a>,
and
<a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIII-EerecordsStudy.pdf">businesses</a>,
and they don't seem as unanimous as the individual commenters.</p>
<p>Looking at the metadata for the <a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIerecordsStudy.pdf">executive
summary</a>
shows just how far we have to go:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">0 dkg@squeak doc</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">pdfinfo</span><span class="w"> </span><span class="n">PartIerecordsStudy</span><span class="p">.</span><span class="n">pdf</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">egrep</span><span class="w"> </span><span class="s1">'^Title|Producer|Creator'</span><span class="nl">Title</span><span class="p">:</span><span class="w"> </span><span class="n">Microsoft</span><span class="w"> </span><span class="n">Word</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">PartIerecordsStudy</span><span class="p">.</span><span class="nl">docCreator</span><span class="p">:</span><span class="w"> </span><span class="n">PScript5</span><span class="p">.</span><span class="n">dll</span><span class="w"> </span><span class="n">Version</span><span class="w"> </span><span class="mf">5.2.2</span><span class="nl">Producer</span><span class="p">:</span><span class="w"> </span><span class="n">Acrobat</span><span class="w"> </span><span class="n">Distiller</span><span class="w"> </span><span class="mf">8.1.0</span><span class="w"> </span><span class="p">(</span><span class="n">Windows</span><span class="p">)</span><span class="o">[</span><span class="n">0 dkg@squeak doc</span><span class="o">]</span><span class="err">$</span><span class="w"> </span>
</code></pre></div>
<p>And in a message sent to commenters announcing the report, they seem to
be aware that they're not quite doing their best at interoperability:</p>
<blockquote>
<p>(Please note this is the first time any of NYS government's agencies
has ever published a document in ODF format. We ran into problems this
morning not caused by the format, but rather with some controls on our
systems which were not prepared to encounter such documents. So the
website links to ODF versions are not working at the moment, but will
be repaired soon).</p>
</blockquote>
<p>What web server are they running that is having trouble "encountering"
ODF? No surprise:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">0 dkg@squeak doc</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">wget</span><span class="w"> </span><span class="o">-</span><span class="n">S</span><span class="w"> </span><span class="o">-</span><span class="n">O</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="k">null</span><span class="w"> </span><span class="s1">'http://www.oft.state.ny.us/policy/esra/erecords-study.htm'</span><span class="w"> </span><span class="mi">2</span><span class="o">>&</span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="nl">Server</span><span class="p">:</span><span class="w"> </span><span class="n">Microsoft</span><span class="o">-</span><span class="n">IIS</span><span class="o">/</span><span class="mf">6.0</span><span class="o">[</span><span class="n">0 dkg@squeak doc</span><span class="o">]</span><span class="err">$</span><span class="w"> </span>
</code></pre></div>
<p>Sigh. My initial reaction to the report (i've only read the <a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIerecordsStudy.pdf">executive
summary</a>,
not the <a href="http://www.oft.state.ny.us/policy/esra/erecords/PartIIerecordsStudy.pdf">supporting
documentation</a>)
is disappointment. While they claim that "openness" is an important
feature, they fall far short of taking a strong stand for free and open
formats. The main thrust of the executive summary seems to be
(paraphrasing here, i welcome corrections):</p>
<ul>
<li>it's a bad idea to mandate a single particular technology because
technologies will change faster than law.</li>
<li>we need an Electronic Records Committee (ERC) to provide regular,
executive guidance on electronic record storage and maintenance</li>
<li>"openness" is good, but needs to be weighed against (ill-specified,
at least in the executive summary) "other features"</li>
<li>we're not going to make any concrete recommendations about what to
do next</li>
</ul>
<p>While these are unsurprising conclusions, they don't take the strong
stand i'd like them to take. They seem aware of the "chicken and egg"
problem of wide adoption and vendor support, and aware of the
anti-democratic effects of proprietary formats. But they don't seem to
be willing to act as a catalyst to push free formats explicitly. If they
did, they could break the chicken/egg vendor lock-in cycle and
facilitate better open government practices while simultaneously
encouraging a healthy information ecosystem.</p>
<p>At this point, i suppose my biggest hope from the process is that the
proposed ERC forms pilot groups with long-term goals modeled after
<a href="http://www.muenchen.de/Rathaus/dir/limux/english/147197/">Munich</a>, but
i'm not holding my breath. If there are any advocates or participants in
the Munich process who want to share what's been working for you (and
what hasn't), i'd be interested in hearing about it.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/government">government</a>,
<a href="https://debian-administration.org/tag/odf">odf</a>,
<a href="https://debian-administration.org/tag/policy">policy</a></p>
</p>on limiting damage from a compromised ssh host2008-05-20T20:06:00-04:002008-05-20T20:06:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-05-20:/blog/on-limiting-damage-from-a-compromised-ssh-host.html<p><a href="http://marc.info/?t=121067154000001&r=1&w=2">An interesting thread on
<code>openssh-unix-dev</code></a> points
out a way that a compromised remote ssh account or host could
potentially trick users into divulging the passphrase for their local
secret key. Given that we're all dealing with the potential for
compromised ssh hosts lately, i think this is an important
consideration …</p><p><a href="http://marc.info/?t=121067154000001&r=1&w=2">An interesting thread on
<code>openssh-unix-dev</code></a> points
out a way that a compromised remote ssh account or host could
potentially trick users into divulging the passphrase for their local
secret key. Given that we're all dealing with the potential for
compromised ssh hosts lately, i think this is an important
consideration. (this has apparently been raised on <code>openssh-unix-dev</code> as
far back as <a href="http://marc.info/?t=95066120400001&r=1&w=2">8 years ago</a>).</p>
<p>Unfortunately, a couple messages with mangled headers seem to have
broken the thread into
<a href="http://marc.info/?t=121067154000001&r=1&w=2">two</a>
<a href="http://marc.info/?t=121070538900003&r=1&w=2">chunks</a> in the archive,
severing the start of the thread from the part where it starts getting
really good: In particular, <a href="http://marc.info/?l=openssh-unix-dev&m=121124814818346&w=2">Damien Miller's suggestion is to forbid
in-terminal key-based authentication entirely, and rely instead on
<code>ssh-agent</code></a>.
My impression of this strategy is that it's analogous to forcing an
out-of-band verification process -- since the in-channel communication
is happening in the tty, and the remote host will have some level of
control over the tty once authentication succeeds, it's important that
any locally-divulged secrets (e.g. the passphrase for the local secret
key) <em>are not</em> transmitted over the tty in question.</p>
<p>Of course, disabling in-terminal key-based authentication creates
something of a usability problem for users who aren't using X11 (and who
don't have some other method for an out-of-band <code>ssh-askpass</code>). And it
also points out the additional problems with X11 forwarding (e.g. a
compromised host allowed to forward X connections could trigger a
mimicry of a standard <code>ssh-askpass</code> password prompt). This is something
that debian might want to consider, as we've diverged from upstream on
the default settings for <code>ForwardX11Trusted</code>.</p>
<p>I'm uncomfortable with how Damien's suggestion raises the bar to
key-based authentication in general, since users will now have to
understand both keys and agents in order to effectively authenticate
this way. But maybe that's what's needed, since we desperately need to
phase out password-based authentication (and all the security pitfalls
associated with it) in this brave new networked world.</p>
<p>At any rate, i've adopted the suggestion for now:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">0 dkg@squeak ~</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="n">n1</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">configIdentityFile</span><span class="w"> </span><span class="k">none</span><span class="o">[</span><span class="n">0 dkg@squeak ~</span><span class="o">]</span><span class="err">$</span>
</code></pre></div>
<p>I'm curious to know if other people have adopted this strategy, or have
other mitigating techniques.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a></p>
</p>debhelper 7 and lintian disagree2008-05-20T16:46:00-04:002008-05-20T16:46:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-05-20:/blog/debhelper-7-and-lintian-disagree.html<p>I'm excited by <a href="http://joey.kitenet.net/blog/entry/dh_implementation/">version 7 of
debhelper</a>, in
particular the opportunity for <code>debian/rules</code> minimization. I suspect
this will lower the barrier for rapid, reasonable packaging of simple
software tools in a way that should be easy to audit and maintain.</p>
<p>The most-minimized <code>debian/rules</code> possible with it is just …</p><p>I'm excited by <a href="http://joey.kitenet.net/blog/entry/dh_implementation/">version 7 of
debhelper</a>, in
particular the opportunity for <code>debian/rules</code> minimization. I suspect
this will lower the barrier for rapid, reasonable packaging of simple
software tools in a way that should be easy to audit and maintain.</p>
<p>The most-minimized <code>debian/rules</code> possible with it is just (from
<code>dh(1)</code>):</p>
<div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><code>#!/usr/bin/make -f%: dh $@
</code></pre></div></td></tr></table></div>
<p>And all of the project-specific interesting bits go into nice, clean,
well-named files under <code>debian/</code>.</p>
<p>However, lintian (at least as of 1.23.48) complains loudly about the
minimized <code>debian/rules</code>:</p>
<div class="highlight"><pre><span></span><code><span class="n">E</span><span class="o">:</span><span class="w"> </span><span class="n">xdotool</span><span class="w"> </span><span class="n">source</span><span class="o">:</span><span class="w"> </span><span class="n">debian</span><span class="o">-</span><span class="n">rules</span><span class="o">-</span><span class="n">missing</span><span class="o">-</span><span class="n">required</span><span class="o">-</span><span class="n">target</span><span class="w"> </span><span class="n">binaryE</span><span class="o">:</span><span class="w"> </span><span class="n">xdotool</span><span class="w"> </span><span class="n">source</span><span class="o">:</span><span class="w"> </span><span class="n">debian</span><span class="o">-</span><span class="n">rules</span><span class="o">-</span><span class="n">missing</span><span class="o">-</span><span class="n">required</span><span class="o">-</span><span class="n">target</span><span class="w"> </span><span class="n">binary</span><span class="o">-</span><span class="n">archE</span><span class="o">:</span><span class="w"> </span><span class="n">xdotool</span><span class="w"> </span><span class="n">source</span><span class="o">:</span><span class="w"> </span><span class="n">debian</span><span class="o">-</span><span class="n">rules</span><span class="o">-</span><span class="n">missing</span><span class="o">-</span><span class="n">required</span><span class="o">-</span><span class="n">target</span><span class="w"> </span><span class="n">binary</span><span class="o">-</span><span class="n">indepE</span><span class="o">:</span><span class="w"> </span><span class="n">xdotool</span><span class="w"> </span><span class="n">source</span><span class="o">:</span><span class="w"> </span><span class="n">debian</span><span class="o">-</span><span class="n">rules</span><span class="o">-</span><span class="n">missing</span><span class="o">-</span><span class="n">required</span><span class="o">-</span><span class="n">target</span><span class="w"> </span><span class="n">buildE</span><span class="o">:</span><span class="w"> </span><span class="n">xdotool</span><span class="w"> </span><span class="n">source</span><span class="o">:</span><span class="w"> </span><span class="n">debian</span><span class="o">-</span><span class="n">rules</span><span class="o">-</span><span class="n">missing</span><span class="o">-</span><span class="n">required</span><span class="o">-</span><span class="n">target</span><span class="w"> </span><span class="n">clean</span>
</code></pre></div>
<p>I'm not sure the right way to proceed: should i try to manually add
overrides for each package that uses a minimized <code>debian/rules</code>? Should
lintian recognize debhelper-specific minimized <code>rules</code> files and accept
them? Should debhelper assuage lintian somehow? Or is this rules file
minimization actually not as good an idea as I think it is?</p>
<p>I notice that <a href="http://packages.qa.debian.org/mr">mr</a>, which is Joey
Hess's first example package using the minimized <code>rules</code> also <a href="http://lintian.debian.org/reports/maintainer/joeyh@debian.org.html#mr">reports
the same
errors</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/debhelper">debhelper</a>,
<a href="https://debian-administration.org/tag/lintian">lintian</a>,
<a href="https://debian-administration.org/tag/packaging">packaging</a></p>
</p>GNOME and libpam-mount2008-05-10T00:49:00-04:002008-05-10T00:49:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-05-10:/blog/gnome-and-libpam-mount.html<p>So i've been struggling with an Ubuntu 8.04 networked workstation. It
uses <a href="http://packages.qa.debian.org/libpam-mount"><code>libpam-mount</code></a> to
mount the user's homedir (actually, the mountpoint is one level up from
the homedir) automatically at login over CIFS.</p>
<p>One of the problems i ran into with this arrangement happened because i
was following the …</p><p>So i've been struggling with an Ubuntu 8.04 networked workstation. It
uses <a href="http://packages.qa.debian.org/libpam-mount"><code>libpam-mount</code></a> to
mount the user's homedir (actually, the mountpoint is one level up from
the homedir) automatically at login over CIFS.</p>
<p>One of the problems i ran into with this arrangement happened because i
was following the <code>pam_mount</code> configuration instructions too literally.
In particular, <code>README.Debian.gz</code> says:</p>
<blockquote>
<p>For every application used for logging in, there is a file of the form
<code>/etc/pam.d/xyz</code>, add the following line at the end of the file:<br>
<code>@include common-pammount</code></p>
</blockquote>
<p>In particular, ubuntu's <code>/etc/pam.d/gdm</code> defaults to:</p>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="o">%</span><span class="n">PAM</span><span class="o">-</span><span class="mf">1.0</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">requisite</span><span class="w"> </span><span class="n">pam_nologin</span><span class="p">.</span><span class="n">soauth</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_env</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">readenv</span><span class="o">=</span><span class="mi">1</span><span class="n">auth</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_env</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">readenv</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">envfile</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">locale</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">authauth</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">pam_gnome_keyring</span><span class="p">.</span><span class="n">so</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">accountsession</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_limits</span><span class="p">.</span><span class="n">so</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">sessionsession</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">pam_gnome_keyring</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">auto_start</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">password</span>
</code></pre></div>
<p>When i added the <code>@include common-pammount</code> directive to the bottom of
this file when using pam_mount, new GNOME sessions failed badly: the
gnome-panel didn't appear (which means that the user couldn't log out
conveniently), and two error messages popped up at each login with nasty
details like:</p>
<blockquote>
<p>No database available to save your configuration: Unable to store a
value at [...], as the configuration server has no writable
databases.</p>
</blockquote>
<p>The problem seems to be that <code>libpam-gnome-keyring</code> actually kicks off
<code>gconfd-2</code> during its PAM session invocation. If that comes before
<code>libpam-mount</code>'s PAM session invocation, then the home directory isn't
mounted for the keyring, and <code>gconfd-2</code> decides that it is unable to
save any settings. Since <code>gconfd</code> then persists for the rest of the
session, further GNOME session components try to talk to it and it
refuses, even though the gconf db is now available (via the mounted
homedir).</p>
<p>Since the order of the lines in a <code>/etc/pam.d/*</code> are semantically
relevant, i'm usually very reluctant to tamper with the defaults.
However, i think the correct <code>/etc/pam.d/gdm</code> for this scenario (or any
<code>pam-mount</code> scenario using GNOME where the homedir might not be present
at all before the session) is actually:</p>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="o">%</span><span class="n">PAM</span><span class="o">-</span><span class="mf">1.0</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">requisite</span><span class="w"> </span><span class="n">pam_nologin</span><span class="p">.</span><span class="n">soauth</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_env</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">readenv</span><span class="o">=</span><span class="mi">1</span><span class="n">auth</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_env</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">readenv</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">envfile</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">locale</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">auth</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">accountsession</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">pam_limits</span><span class="p">.</span><span class="n">so</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="k">session</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">password</span><span class="nv">@include</span><span class="w"> </span><span class="n">common</span><span class="o">-</span><span class="n">pammountauth</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">pam_gnome_keyring</span><span class="p">.</span><span class="n">sosession</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">pam_gnome_keyring</span><span class="p">.</span><span class="n">so</span><span class="w"> </span><span class="n">auto_start</span>
</code></pre></div>
<p>With this configuration in place, i can successfully log in with a test
user, anyway (and move on to the next problem, which appears to be
SQLite over CIFS, ugh).</p>
<p>These sorts of problems are tough to nail down:</p>
<ul>
<li>Is this overall problem due to a bug in the documentation for
<code>libpam-mount</code>?</li>
<li>In <code>gdm</code> for its default weirdly-ordered PAM config?</li>
<li>In <code>libpam-gnome-keyring</code> for launching <code>gconf-d-2</code> in the first
place?</li>
<li>In <code>libgconf2-4</code> for <code>gconfd-2</code> not being able to notice when the
directories it wants become available?</li>
</ul>
<p>Or maybe it's just a configuration detail that i should have known about
and expected to deal with in the first place. Ah, well.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/gnome">gnome</a>,
<a href="https://debian-administration.org/tag/pam">pam</a></p>
</p>success with goodbye-microsoft.com2008-01-31T18:12:00-05:002008-01-31T18:12:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-01-31:/blog/success-with-goodbye-microsoftcom.html<p>I finally got to try out
<a href="http://goodbye-microsoft.com/">goodbye-microsoft.com</a> this past
weekend. It uses similar principles as UNetbootin, which <a href="https://debian-administration.org/users/Utumno/weblog/34">Utumno
recently wrote
about</a>. I had
a donated machine in a computer lab i volunteer at with a flakey CD-ROM
which i couldn't get to netboot. Since it had Windows already on …</p><p>I finally got to try out
<a href="http://goodbye-microsoft.com/">goodbye-microsoft.com</a> this past
weekend. It uses similar principles as UNetbootin, which <a href="https://debian-administration.org/users/Utumno/weblog/34">Utumno
recently wrote
about</a>. I had
a donated machine in a computer lab i volunteer at with a flakey CD-ROM
which i couldn't get to netboot. Since it had Windows already on it, i
booted to Windows, hooked into the network, downloaded <a href="http://goodbye-microsoft.com/pub/debian.exe">a debian
installer for Windows</a>, ran
it, and was on my way.</p>
<p>The project is clean, simply done, and provides a good interface in the
leadup to rebooting into a debian installer. I highly recommend it for
folks who need to switch a 'doze machine to the One True OS.</p>
<p>My one concern with this approach is if the debian install fails midway
through, (and you haven't done any gymnastics to preserve a dual-boot
scenario) you could be left with an unbootable machine. But the debian
installer is pretty much rock solid these days, especially with common
commodity hardware, so you'd probably have to trip over the power cord
to get caught out like that.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/windows">windows</a></p>
</p>looking at contents of virtual terminal remotely?2008-01-10T15:50:00-05:002008-01-10T15:50:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2008-01-10:/blog/looking-at-contents-of-virtual-terminal-remotely.html<p>There is a machine i have remote superuser access to which i know has
some interesting info on one of the VTs (<code>/dev/tty2</code> in particular in
this case). I can try to scare up someone physically on-site to plug in
a monitor, and painfully transcribe the text there by …</p><p>There is a machine i have remote superuser access to which i know has
some interesting info on one of the VTs (<code>/dev/tty2</code> in particular in
this case). I can try to scare up someone physically on-site to plug in
a monitor, and painfully transcribe the text there by hand, but i'd
prefer the simpler, politer (and less error-prone) option of getting the
data digitally myself via ssh.</p>
<p>Any ideas how i could find the text that is already displayed on that
VT? The machine is running a stripped-down debian etch, but i could add
packages if i need to.</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/28">read the full
entry</a>.</p>
<p><strong>Tags</strong>:
<a href="https://debian-administration.org/tag/screendump">screendump</a>,
<a href="https://debian-administration.org/tag/tip">tip</a>,
<a href="https://debian-administration.org/tag/tips">tips</a></p>
</p>xen NAT routing issues2007-12-17T19:52:00-05:002007-12-17T19:52:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-12-17:/blog/xen-nat-routing-issues.html<p>I have the unfortunate circumstance of a xen machine with a single
static, public IP address that needs to host multiple virtual servers
internally. I don't want to bridge the main physical NIC to the virtual
hosts, so i've created a bridge over a <code>dummy</code> NIC, and am trying to …</p><p>I have the unfortunate circumstance of a xen machine with a single
static, public IP address that needs to host multiple virtual servers
internally. I don't want to bridge the main physical NIC to the virtual
hosts, so i've created a bridge over a <code>dummy</code> NIC, and am trying to do
<code>iptables</code> filtering with NAT to pass specific ports through to specific
virtualized servers. I have one virtual server which should be granted
full outbound 'net connectivity, masqueraded as though it is coming from
the public IP address. But the source address in the packets from that
virtual host aren't being rewritten.</p>
<p>The dom0, <code>simian</code>, runs a stock debian etch xen-linux-system. It has
one public-facing ethernet interface, <code>eth0</code>. It has one dummy interface
(<code>dummy0</code>, using the <code>dummy.ko</code> kernel module).
<code>simian:/etc/xen/xend-config.sxp</code> contains:</p>
<div class="highlight"><pre><span></span><code>(network-script 'network-bridge netdev=dummy0')
</code></pre></div>
<p>The Public IP address for <code>simian</code> is 1.2.3.4, but it has an IP address
on <code>dummy0</code> of 10.10.10.1/24. The domU in question has a virtual
ethernet device bridged with <code>dummy0</code> with IP address 10.10.10.2/24
(gateway 10.10.10.1). I want all outbound requests from the domU to pass
(SNAT'ed) through the public IP address on <code>eth0</code>. To do this, i've
enabled forwarding and set up SNAT on <code>simian</code>:</p>
<div class="highlight"><pre><span></span><code>echo 1 > /proc/sys/net/ipv4/conf/dummy0/forwardingecho 1 > /proc/sys/net/ipv4/conf/eth0/forwardingiptables -t nat -A POSTROUTING -o eth0 -p tcp --src 10.10.10.2 -j SNAT --to 1.2.3.4
</code></pre></div>
<p>But when i capture traffic with:</p>
<div class="highlight"><pre><span></span><code>tcpdump -w /tmp/traffic.pcap -i eth0
</code></pre></div>
<p>i see packets heading out on <code>eth0</code> with a 10.10.10.2 source IP address.
Needless to say, TCP sessions from these RFC-1918 reserved addresses
never even get an ACK from a public internet server.</p>
<p>To verify, I just tried capturing packets seen by the next hop upstream
(using the same kind of <code>tcpdump</code>, but on the next router down the
line., and the captured packets indeed still have the 10.10.10.2 IP
addresses in them, which means that outbound traffic from the domU will
never be reciprocated.</p>
<p>So why isn't the SNAT rule triggering for these packets? What part of
the netfilter documentation should i re-read with a closer eye to
understand the situation? It seems buggy to me now, but i'm also aware
that i've only skimmed the surface of what's possible.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/nat">nat</a>,
<a href="https://debian-administration.org/tag/routing">routing</a>,
<a href="https://debian-administration.org/tag/xen">xen</a></p>
</p>Re-enabling Disabled IRQs?2007-12-13T16:40:00-05:002007-12-13T16:40:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-12-13:/blog/re-enabling-disabled-irqs.html<p>I'm seeing more instances with hardware recently where the linux kernel
gets an interrupt that it doesn't like or recognize, and it disables the
IRQ entirely. Is there a way to get that IRQ re-enabled without
restarting? My web searches haven't turned up anything fruitful.</p>
<p>To be clear, the error …</p><p>I'm seeing more instances with hardware recently where the linux kernel
gets an interrupt that it doesn't like or recognize, and it disables the
IRQ entirely. Is there a way to get that IRQ re-enabled without
restarting? My web searches haven't turned up anything fruitful.</p>
<p>To be clear, the error messages from the kernel look like this:</p>
<div class="highlight"><pre><span></span><code>irq 9: nobody cared (try booting with the "irqpoll" option) [<c01402e3>] __report_bad_irq+0x2b/0x69 [<c01404d0>] note_interrupt+0x1af/0x1e7 [<c01d60b5>] acpi_irq+0xb/0x14 [<c013fae7>] handle_IRQ_event+0x23/0x49 [<c013fbc0>] __do_IRQ+0xb3/0xe8 [<c01050e5>] do_IRQ+0x43/0x52 [<c01036b6>] common_interrupt+0x1a/0x20 [<c012182f>] __do_softirq+0x51/0xbb [<c01218cf>] do_softirq+0x36/0x3a [<c01050ea>] do_IRQ+0x48/0x52 [<c01036b6>] common_interrupt+0x1a/0x20 [<c0101a5a>] default_idle+0x0/0x59 [<c0101a8b>] default_idle+0x31/0x59 [<c0101b52>] cpu_idle+0x9f/0xb9 [<c03176fd>] start_kernel+0x379/0x380handlers:[<c01d60aa>] (acpi_irq+0x0/0x14)Disabling IRQ #9
</code></pre></div>
<p>booting with <code>irqpoll</code> has its own problems (on at least one machine
i've tried that kernel parameter on, it resulted in unrecoverable
lockups -- even ACPI signals didn't get through), so i'd rather not go
there. But it would be nice to be able to get the IRQ back without a
reboot, especially if it's shared across multiple devices.</p>
<p>Any suggestions?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/irq">irq</a></p>
</p>USB Infrared recommendations for debian?2007-12-12T05:08:00-05:002007-12-12T05:08:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-12-12:/blog/usb-infrared-recommendations-for-debian.html<p>I just noticed that one of the bodegas in my neighborhood sells
"universal remotes" for a few USD. These are designed to work with
arbitrary televisions, and can be switched/programmed to emit various IR
signals. I've got an <a href="http://www.cyrius.com/debian/nslu2/">NSLU2 running
sid</a>, which feeds audio to my
stereo using <a href="http://packages.debian.org/mpd">mpd …</a></p><p>I just noticed that one of the bodegas in my neighborhood sells
"universal remotes" for a few USD. These are designed to work with
arbitrary televisions, and can be switched/programmed to emit various IR
signals. I've got an <a href="http://www.cyrius.com/debian/nslu2/">NSLU2 running
sid</a>, which feeds audio to my
stereo using <a href="http://packages.debian.org/mpd">mpd</a>. I'd like to use one
of the cheap-o remotes to at least start/stop the audio and adjust the
volume.</p>
<p>I suspect that the way to do that is with
<a href="http://www.lirc.org/faq.html">LIRC</a> (as <a href="https://debian-administration.org/comment/onweblog/880">Utumno
mentioned</a>), but
i'm not sure what kind of USB infrared devices will be compatible. The
NSLU2 only has USB ports -- no RS-232 or anything else. Anyone with more
experience in this area care to suggest a USB IR receiver that works
well with a TV remote?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/ir">ir</a>,
<a href="https://debian-administration.org/tag/mouse">mouse</a>,
<a href="https://debian-administration.org/tag/mpd">mpd</a></p>
</p>interrupt (IRQ) prioritization under debian?2007-11-05T07:59:00-05:002007-11-05T07:59:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-11-05:/blog/interrupt-irq-prioritization-under-debian.html<p>Does anyone have pointers for how to ask a modern debian system to
prioritize certain interrupts (IRQs) ahead of others?</p>
<p><code>irqtune</code> is the historical option, but it hasn't been updated for 10
years, and looks <a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=hwtools">like a serious mess in
debian</a> at the
moment (it's not in etch or lenny …</p><p>Does anyone have pointers for how to ask a modern debian system to
prioritize certain interrupts (IRQs) ahead of others?</p>
<p><code>irqtune</code> is the historical option, but it hasn't been updated for 10
years, and looks <a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=hwtools">like a serious mess in
debian</a> at the
moment (it's not in etch or lenny, orphaned, and has many serious bugs
open).</p>
<p>Any thoughts or suggestions for what might be a better way to prioritize
interrupts on a modern system?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/hardware">hardware</a>,
<a href="https://debian-administration.org/tag/interrupt">interrupt</a>,
<a href="https://debian-administration.org/tag/irq">irq</a>,
<a href="https://debian-administration.org/tag/prioritization">prioritization</a></p>
</p>You should restart apache2 after DSA-1379 (libssl)2007-10-03T16:14:00-04:002007-10-03T16:14:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-10-03:/blog/you-should-restart-apache2-after-dsa-1379-libssl.html<p>The recently announced <a href="http://www.debian.org/security/2007/dsa-1379" title="DSA-1379">patch for
openssl</a> does a
good thing: it looks for services known to use <code>libssl</code> and offers to
restart them for you.</p>
<p>However, it doesn't seem to notice <code>apache2</code>, which relies heavily on
<code>libssl</code> when <code>mod_ssl</code> is enabled. You can check to see what services
still use …</p><p>The recently announced <a href="http://www.debian.org/security/2007/dsa-1379" title="DSA-1379">patch for
openssl</a> does a
good thing: it looks for services known to use <code>libssl</code> and offers to
restart them for you.</p>
<p>However, it doesn't seem to notice <code>apache2</code>, which relies heavily on
<code>libssl</code> when <code>mod_ssl</code> is enabled. You can check to see what services
still use the old libraries (as discussed <a href="https://debian-administration.org/users/dkg/weblog/8">earlier in my weblog
here</a>). If you see
<code>apache2</code> among that list, you should almost certainly do:</p>
<div class="highlight"><pre><span></span><code>/etc/init.d/apache2 restart
</code></pre></div>
<p>Alternately, if you already know that you're using <code>mod_ssl</code>, you'll
have an opportunity to add <code>apache2</code> to the list of services to be
restarted during the upgrade of <code>libssl</code>.</p>
<p>Many thanks to the debian security team for publishing this fix and
making it so straightforward to restart most of the affected services.
Your work is much appreciated!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/security">security</a>,
<a href="https://debian-administration.org/tag/tip">tip</a>, <a href="https://debian-administration.org/tag/tip%20security%20upgrade">tip security
upgrade</a>,
<a href="https://debian-administration.org/tag/upgrade">upgrade</a></p>
</p>using debian system-created user accounts?2007-09-14T21:47:00-04:002007-09-14T21:47:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-09-14:/blog/using-debian-system-created-user-accounts.html<p>Does anyone use the <code>backup</code> user for doing local system backups? or do
you create a new user specifically for that?</p>
<p>I ask because <code>backup</code> is debian-specific uid 34, provided by the
<code>base-passwd</code> package. But reading
<code>/usr/share/doc/base-passwd/users-and-groups.txt.gz</code>, i find only this:</p>
<div class="highlight"><pre><span></span><code>backup Presumably so …</code></pre></div><p>Does anyone use the <code>backup</code> user for doing local system backups? or do
you create a new user specifically for that?</p>
<p>I ask because <code>backup</code> is debian-specific uid 34, provided by the
<code>base-passwd</code> package. But reading
<code>/usr/share/doc/base-passwd/users-and-groups.txt.gz</code>, i find only this:</p>
<div class="highlight"><pre><span></span><code>backup Presumably so backup/restore responsibilities can be locally delegated to someone without full root permissions? HELP: Is that right? Amanda reportedly uses this, details?
</code></pre></div>
<p>So fellow admins: do you use debian-allocated accounts (<a href="http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-users.html">i.e., with uid
<
100</a>)
(other than root) for any local (non-distro) purpose? If so, when do you
do so? if not, why not?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/backup">backup</a>,
<a href="https://debian-administration.org/tag/systemuser">systemuser</a></p>
</p>debian etch updated to 4.0r12007-08-17T01:53:00-04:002007-08-17T01:53:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-08-17:/blog/debian-etch-updated-to-40r1.html<p>It looks like <a href="http://times.debian.net/1161-etch-r1">debian etch just received its first point
release</a>, updating many useful
packages with little nagging details that didn't make it into the first
release.</p>
<p>Aside from the security fixes, one update i'm particularly happy to see
is the fix of the <code>libneon26</code> kerberos/GSSAPI authentication mechanism,
which …</p><p>It looks like <a href="http://times.debian.net/1161-etch-r1">debian etch just received its first point
release</a>, updating many useful
packages with little nagging details that didn't make it into the first
release.</p>
<p>Aside from the security fixes, one update i'm particularly happy to see
is the fix of the <code>libneon26</code> kerberos/GSSAPI authentication mechanism,
which caused me a lot of pain.</p>
<p>What's your favorite update in the batch here? what update do you think
is highest priority for the next point release?</p>
<p>As always, thanks to everyone who does this work.</p>tzconfig failing on xen instances2007-08-09T02:31:00-04:002007-08-09T02:31:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-08-09:/blog/tzconfig-failing-on-xen-instances.html<p>I had trouble recently with a few xen etch instances built off the
typical etch xen packages. The problem was that the domUs all reported
time natively in UTC, despite my having used <code>tzconfig</code> to set it to my
local timezone (i'm not in UTC).</p>
<p>Within the domU, while i …</p><p>I had trouble recently with a few xen etch instances built off the
typical etch xen packages. The problem was that the domUs all reported
time natively in UTC, despite my having used <code>tzconfig</code> to set it to my
local timezone (i'm not in UTC).</p>
<p>Within the domU, while i could <code>cat /etc/timezone</code> and it would show the
correct zone, doing a
<code>cmp /etc/localtime /usr/share/zoneinfo/my/time/zone</code> indicated that
they were in fact different. and tools like `date` would report in UTC
if the TZ variable wasn't set.</p>
<p>` running <code>dpkg-reconfigure tzdata</code> did the proper thing, though, and
updated <code>/etc/localtime</code>. Had that failed, i would have just copied (or
linked, if <code>/usr</code> shared a partition with <code>/</code>) in the proper file to
<code>/etc/localtime</code>. given that <code>tzconfig</code> seems to have been removed from
lenny, i'm not sure where/how to report this problem, or if it's worth
it. It may be due to a weird interaction between tzconfig and xen's
default clock weirdnesses, too (the domU's inherit their clock from the
dom0 unless you deliberately detach them).</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/clock">clock</a>,
<a href="https://debian-administration.org/tag/timezones">timezones</a>,
<a href="https://debian-administration.org/tag/tzconfig">tzconfig</a>,
<a href="https://debian-administration.org/tag/xen">xen</a></p>
</p>Xen: how do i alert a domU to an lvresize on dom0?2007-06-19T22:36:00-04:002007-06-19T22:36:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-06-19:/blog/xen-how-do-i-alert-a-domu-to-an-lvresize-on-dom0.html<p>I have a simple Xen setup with two domains, a <code>dom0</code> and a <code>domU</code>. The
physical disks are handled by LVM in the <code>dom0</code>, and certain logical
volumes from the <code>dom0</code> are exported to the <code>domU</code> as <code>/dev/sda1</code>, etc.</p>
<p>If i resize one of the logical volumes from the …</p><p>I have a simple Xen setup with two domains, a <code>dom0</code> and a <code>domU</code>. The
physical disks are handled by LVM in the <code>dom0</code>, and certain logical
volumes from the <code>dom0</code> are exported to the <code>domU</code> as <code>/dev/sda1</code>, etc.</p>
<p>If i resize one of the logical volumes from the <code>dom0</code>, how can i
convince the <code>domU</code> to learn of the change in the underlying size? Is it
possible to do this without restarting the <code>domU</code>? I haven't had any
luck searching the 'net.</p>
<p>On the <code>domU</code>,i saw that the block device in question is 10G:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="o">/</span><span class="n">proc</span><span class="o">/</span><span class="n">partitions</span><span class="w"> </span><span class="n">major</span><span class="w"> </span><span class="n">minor</span><span class="w"> </span><span class="err">#</span><span class="n">blocks</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="mf">10485760</span><span class="w"> </span><span class="n">sda1</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">2</span><span class="w"> </span><span class="mf">524288</span><span class="w"> </span><span class="n">sda2</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">3</span><span class="w"> </span><span class="mf">10485760</span><span class="w"> </span><span class="n">sda3</span><span class="w"> </span><span class="mf">253</span><span class="w"> </span><span class="mf">0</span><span class="w"> </span><span class="mf">10485244</span><span class="w"> </span><span class="n">dm</span><span class="o">-</span><span class="mf">00</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span>
</code></pre></div>
<p>and on the <code>dom0</code>, i check that it looks right, and then <code>lvresize</code> it:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">dom0</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">lvs</span><span class="w"> </span><span class="n">LV</span><span class="w"> </span><span class="n">VG</span><span class="w"> </span><span class="n">Attr</span><span class="w"> </span><span class="n">LSize</span><span class="w"> </span><span class="ow">Or</span><span class="n">igin</span><span class="w"> </span><span class="n">Snap%</span><span class="w"> </span><span class="n">Move</span><span class="w"> </span><span class="nb">Log</span><span class="w"> </span><span class="n">Copy%</span><span class="w"> </span><span class="n">domU</span><span class="o">-</span><span class="n">disk</span><span class="w"> </span><span class="n">vg0</span><span class="w"> </span><span class="o">-</span><span class="n">wi</span><span class="o">-</span><span class="n">ao</span><span class="w"> </span><span class="mf">10.00</span><span class="n">G</span><span class="w"> </span><span class="n">domU</span><span class="o">-</span><span class="n">srv</span><span class="w"> </span><span class="n">vg0</span><span class="w"> </span><span class="o">-</span><span class="n">wi</span><span class="o">-</span><span class="n">ao</span><span class="w"> </span><span class="mf">10.00</span><span class="n">G</span><span class="w"> </span><span class="n">domU</span><span class="o">-</span><span class="n">swap</span><span class="w"> </span><span class="n">vg0</span><span class="w"> </span><span class="o">-</span><span class="n">wi</span><span class="o">-</span><span class="n">ao</span><span class="w"> </span><span class="mf">512.00</span><span class="n">M</span><span class="w"> </span><span class="n">dom0</span><span class="w"> </span><span class="n">vg0</span><span class="w"> </span><span class="o">-</span><span class="n">wi</span><span class="o">-</span><span class="n">ao</span><span class="w"> </span><span class="mf">1.00</span><span class="n">G</span><span class="w"> </span><span class="mf">0</span><span class="w"> </span><span class="n">dom0</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">lvresize</span><span class="w"> </span><span class="o">--</span><span class="n">size</span><span class="w"> </span><span class="o">+</span><span class="mf">2</span><span class="n">G</span><span class="w"> </span><span class="n">vg0</span><span class="o">/</span><span class="n">domU</span><span class="o">-</span><span class="n">srv</span><span class="w"> </span><span class="n">Extending</span><span class="w"> </span><span class="nb">log</span><span class="n">ical</span><span class="w"> </span><span class="n">volume</span><span class="w"> </span><span class="n">domU</span><span class="o">-</span><span class="n">srv</span><span class="w"> </span><span class="kr">to</span><span class="w"> </span><span class="mf">12.00</span><span class="w"> </span><span class="n">GB</span><span class="w"> </span><span class="nb">Log</span><span class="n">ical</span><span class="w"> </span><span class="n">volume</span><span class="w"> </span><span class="n">domU</span><span class="o">-</span><span class="n">srv</span><span class="w"> </span><span class="n">successfully</span><span class="w"> </span><span class="n">resized0</span><span class="w"> </span><span class="n">dom0</span><span class="p">:</span><span class="err">~#</span>
</code></pre></div>
<p>but <code>domU:/proc/partitions</code> still looks the same. I've tried installing
<code>hdparm</code> on the <code>domU</code> and creating a fake <code>/dev/sda</code> for it to "re-read
the partition table from", but that didn't work:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">mknod</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sda</span><span class="w"> </span><span class="n">b</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">10</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">hdparm</span><span class="w"> </span><span class="o">-</span><span class="n">z</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sda</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sda</span><span class="p">:</span><span class="w"> </span><span class="n">BLKRRPART</span><span class="w"> </span><span class="n">failed</span><span class="p">:</span><span class="w"> </span><span class="n">Invalid</span><span class="w"> </span><span class="n">argument0</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">cat</span><span class="w"> </span><span class="o">/</span><span class="n">proc</span><span class="o">/</span><span class="n">partitions</span><span class="w"> </span><span class="n">major</span><span class="w"> </span><span class="n">minor</span><span class="w"> </span><span class="err">#</span><span class="n">blocks</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="mf">10485760</span><span class="w"> </span><span class="n">sda1</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">2</span><span class="w"> </span><span class="mf">524288</span><span class="w"> </span><span class="n">sda2</span><span class="w"> </span><span class="mf">8</span><span class="w"> </span><span class="mf">3</span><span class="w"> </span><span class="mf">10485760</span><span class="w"> </span><span class="n">sda3</span><span class="w"> </span><span class="mf">253</span><span class="w"> </span><span class="mf">0</span><span class="w"> </span><span class="mf">10485244</span><span class="w"> </span><span class="n">dm</span><span class="o">-</span><span class="mf">00</span><span class="w"> </span><span class="n">domU</span><span class="p">:</span><span class="err">~#</span>
</code></pre></div>
<p>any suggestions for what else i should try? Is there a xen-specific
command to alert the <code>domU</code> of such a change?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/lvm">lvm</a>,
<a href="https://debian-administration.org/tag/xen">xen</a></p>
</p>modify /etc/skel to ease admin of key-based SSH2007-06-13T03:54:00-04:002007-06-13T03:54:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-06-13:/blog/modify-etcskel-to-ease-admin-of-key-based-ssh.html<p>When i set up a new machine these days, I often disable password-based
ssh access by setting <code>PasswordAuthentication</code> and
<code>ChallengeResponseAuthentication</code> to <code>no</code> in <code>/etc/ssh/sshd_config</code>.</p>
<p>This protects my users (and the machine) from dictionary attacks based
on the crappy passwords that humans seem to traditionally prefer.
However, <code>/usr/sbin …</code></p><p>When i set up a new machine these days, I often disable password-based
ssh access by setting <code>PasswordAuthentication</code> and
<code>ChallengeResponseAuthentication</code> to <code>no</code> in <code>/etc/ssh/sshd_config</code>.</p>
<p>This protects my users (and the machine) from dictionary attacks based
on the crappy passwords that humans seem to traditionally prefer.
However, <code>/usr/sbin/sshd</code> is justifiably picky about whether to trust
the contents of the user's key file, which is (by default) stored in
<code>~/.ssh/authorized_keys</code>. In particular, the file must be writable only
by the user or <code>root</code>, and the directory it is stored in should have the
same restrictions (so that an altered file can't be moved into place
maliciously).</p>
<p>so i set up the machine to automatically create a blank
<code>authorized_keys</code> file for the user upon account creation, with the
appropriate permissions and ownership. This is easy to do:</p>
<div class="highlight"><pre><span></span><code>mkdir /etc/skel/.sshtouch /etc/skel/.ssh/authorized_keys
</code></pre></div>
<p>Now, when i get a public key i want to use to authorize <code>fred</code>, i can
drop it into the appropriate file simply by doing:</p>
<div class="highlight"><pre><span></span><code>cat >> ~fred/.ssh/authorized_keys
</code></pre></div>
<p>followed by pasting the key into the buffer, and then <code>ctrl-D</code> (to
signify end-of-file). <code>fred</code> can now log in, and i don't have to worry
about tuning permissions or building out the directory if it's not
already there.</p>
<p>Note: i'm aware that there are problems with key-based authentication as
well, but given that the majority of these boxes are on the public
internet, it's a pretty good protection against the most common class of
attack out there: the brute-force password scanning attack. It also
tends to protect against the "I use a good password, but it's the same
password on every system i contact" class of foible, since a compromised
machine which knows a user's public key for authentication can't use it
to compromise another system which trusts the same pubkey. So at the
moment, it seems to me like the authentication option which sucks less
than all the others.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/public%20key%20authentication">public key
authentication</a>,
<a href="https://debian-administration.org/tag/ssh">ssh</a>,
<a href="https://debian-administration.org/tag/tip">tip</a></p>
</p>Magic SysRq to xen's dom0 on a serial console2007-05-11T02:34:00-04:002007-05-11T02:34:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-05-11:/blog/magic-sysrq-to-xens-dom0-on-a-serial-console.html<p>For a normal server running with the kernel console over a serial line,
you can get Magic SysRq behavior by sending a "break" signal, followed
by the character of the command you want triggered. How does that work
for dom0 of a Xen install?</p>
<p>I've just set up a xen …</p><p>For a normal server running with the kernel console over a serial line,
you can get Magic SysRq behavior by sending a "break" signal, followed
by the character of the command you want triggered. How does that work
for dom0 of a Xen install?</p>
<p>I've just set up a xen server which is running the hypervisor and dom0
over the serial line, using debian etch xen support. I'm finding that i
can't use my typical break-character sequence to get the SysRq effect on
dom0. If i boot the machine without the xen hypervisor (standard 686
kernel) the break-character sequence works fine.</p>
<p>I'm having a hard time searching for this, because a lot of posts have
been made about sending Magic SysRq signals to domUs, and what i'm
looking for seems to be lost in the noise.</p>
<p>I confess i'm also not sure who should handle the Magic SysRq: should
the hypervisor handle it and pass it off to the dom0 kernel? Or does the
dom0 kernel handle it and hand it off to the hypervisor? confusing...</p>
<p>Here's my grub stanza for the machine:</p>
<div class="highlight"><pre><span></span><code>title Xen 3.0.3-1-i386-pae / Debian GNU/Linux, kernel 2.6.18-4-xen-686root (hd0,0)kernel /xen-3.0.3-1-i386-pae.gz dom0_mem=131072 com1=115200,8n1module /vmlinuz-2.6.18-4-xen-686 root=/dev/mapper/vg_monkey0-dom0 ro console=ttyS0,115200n8 module /initrd.img-2.6.18-4-xen-686savedefault
</code></pre></div>
<p>and <code>/proc/sys/kernel/sysrq</code> is already set to <code>1</code>. Anyone have any
ideas what i should do to be able to re-enable this life-saving feature?
I know if my dom0 needs this kind of thing, i'm in bad shape already.
But that's exactly the time when i'll want it!</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/serial%20console">serial
console</a>,
<a href="https://debian-administration.org/tag/sysrq">sysrq</a>,
<a href="https://debian-administration.org/tag/xen">xen</a></p>
</p>trouble with umn.edu (ftp.us.debian.org) mirror?2007-03-26T16:41:00-04:002007-03-26T16:41:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-03-26:/blog/trouble-with-umnedu-ftpusdebianorg-mirror.html<p>is anyone else having trouble accessing the debian mirror at
<code>debian-mirror.mirror.umn.edu</code>?</p>
<p>I'm in the US, and <code>ftp.debian.org</code> is resolving to this host for me,
but the host itself is not responding (since last night, if my
<code>cron-apt</code> logs are accurate).</p>
<p>I haven't been able to …</p><p>is anyone else having trouble accessing the debian mirror at
<code>debian-mirror.mirror.umn.edu</code>?</p>
<p>I'm in the US, and <code>ftp.debian.org</code> is resolving to this host for me,
but the host itself is not responding (since last night, if my
<code>cron-apt</code> logs are accurate).</p>
<p>I haven't been able to find any contact info about that mirror in a
brief couple searches. Is there someone i should contact (either at
debian, to repoint the DNS, or at UMN, to fix the server)?</p>Interpreting vmstat's wait stats on linux 2.62007-02-09T17:19:00-05:002007-02-09T17:19:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-02-09:/blog/interpreting-vmstats-wait-stats-on-linux-26.html<p>I'm trying to figure out if the linux 2.6 kernel's “wait” cycles include
cycles waiting on network I/O or specifically just waiting on disk
access.</p>
<p>If network I/O is included, it would change my interpretation of a
system with spiking “wait” percentages. Maybe the disk controllers
aren't …</p><p>I'm trying to figure out if the linux 2.6 kernel's “wait” cycles include
cycles waiting on network I/O or specifically just waiting on disk
access.</p>
<p>If network I/O is included, it would change my interpretation of a
system with spiking “wait” percentages. Maybe the disk controllers
aren't saturated; instead, it could be that processes are connecting to
remote hosts which not responding, or delaying their responses.</p>
<p>Does anyone know? What would be the best way to go about finding the
answer to this? I can imagine a handful of different meanings: Time CPU
is idle while at least one process is:</p>
<ul>
<li>waiting on <em>any</em> I/O, regardless of subsystem (including
stdin/stdout for interactive processes?)</li>
<li>waiting on I/O that is eventually served by the disks (i.e. no
network)</li>
<li>waiting on I/O from the filesystem (this might be different from the
above: more in the case of NFS, tmpfs, sshfs, etc, or less in the
case of swap or other non-filesystem disk use)</li>
</ul>
<p>I'm sure there are other possible meanings too. Some <a href="http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.prftungd/doc/prftungd/vmstat_command.htm">AIX <code>vmstat</code>
notes</a>
seem to imply it is most like the third option above, but AIX and linux
are different enough (and this question is probably kernel-specific
enough) that i want to be sure about my particular O/S.</p>
<p>Background for folks who aren't clear what i'm asking about: <code>vmstat</code>
(and other tools) report CPU time broken out into <code>us</code>, <code>sy</code>, <code>id</code>, and
<code>wa</code>. The <code>wa</code> (wait) percentage is described in <code>man vmstat</code> this way:</p>
<blockquote>
<p><code>wa: Time spent waiting for IO. Prior to Linux 2.5.41, included in idle.</code></p>
</blockquote>
<p>Unfortunately, this doesn't go into enough detail for me, hence this
post...</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/vmstat">vmstat</a></p>
</p>Insane clock skew on amd64 host running etch/i3862007-02-02T02:07:00-05:002007-02-02T02:07:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-02-02:/blog/insane-clock-skew-on-amd64-host-running-etchi386.html<p>My impression was that the i386 debian distribution could run fine on an
amd64 processor (though i recognize that it wouldn't get the full
benefit of the 64-bit platform).</p>
<p>I have a machine which i'm trying to do this on, though, and while it's
up and running, i'm getting serious …</p><p>My impression was that the i386 debian distribution could run fine on an
amd64 processor (though i recognize that it wouldn't get the full
benefit of the 64-bit platform).</p>
<p>I have a machine which i'm trying to do this on, though, and while it's
up and running, i'm getting serious clock skew: something like 10x real
time. The machine is running stock debian etch, as up-to-date as you can
get it, with a 2.6.18-3-686 kernel.</p>
<p>Interestingly, the hardware clock is stable, and very close to real
time. I think i might just be getting way too many timer interrupts or
something. Any suggestions about what to do? Somehow, i don't think ntp
was designed to handle a skew of 10 seconds per second.</p>
<p>Here's a debugging attempt where you can see the skew:</p>
<div class="highlight"><pre><span></span><code><span class="mf">0</span><span class="w"> </span><span class="ow">or</span><span class="n">angutan</span><span class="p">:</span><span class="err">~#</span><span class="w"> </span><span class="n">hwclock</span><span class="w"> </span><span class="o">--</span><span class="n">hctosys</span><span class="p">;</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">foo</span><span class="w"> </span><span class="n">in</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="mf">2</span><span class="w"> </span><span class="mf">3</span><span class="w"> </span><span class="mf">4</span><span class="p">;</span><span class="w"> </span><span class="n">do</span><span class="o">></span><span class="w"> </span><span class="n">date</span><span class="w"> </span><span class="o">+</span><span class="err">%</span><span class="n">c</span><span class="o">></span><span class="w"> </span><span class="n">hwclock</span><span class="w"> </span><span class="o">--</span><span class="n">show</span><span class="o">></span><span class="w"> </span><span class="n">ntpdate</span><span class="w"> </span><span class="o">-</span><span class="n">q</span><span class="w"> </span><span class="o">-</span><span class="n">u</span><span class="w"> </span><span class="n">sundial</span><span class="mf">.</span><span class="n">columbia</span><span class="mf">.</span><span class="n">edu</span><span class="o">></span><span class="w"> </span><span class="n">sleep</span><span class="w"> </span><span class="mf">10</span><span class="o">></span><span class="w"> </span><span class="n">doneThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">53</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">ESTThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">54</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">EST</span><span class="w"> </span><span class="o">-</span><span class="mf">0.997837</span><span class="w"> </span><span class="n">secondsserver</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="p">,</span><span class="w"> </span><span class="n">stratum</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">2.570964</span><span class="p">,</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="mf">0.40991</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">21</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">55</span><span class="w"> </span><span class="n">ntpdate</span><span class="err">[</span><span class="mf">6909</span><span class="err">]</span><span class="p">:</span><span class="w"> </span><span class="kr">step</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">2.570964</span><span class="w"> </span><span class="n">secThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">05</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">ESTThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">55</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">EST</span><span class="w"> </span><span class="o">-</span><span class="mf">0.256843</span><span class="w"> </span><span class="n">secondsserver</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="p">,</span><span class="w"> </span><span class="n">stratum</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">13.593056</span><span class="p">,</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="mf">0.41589</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">21</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">07</span><span class="w"> </span><span class="n">ntpdate</span><span class="err">[</span><span class="mf">6913</span><span class="err">]</span><span class="p">:</span><span class="w"> </span><span class="kr">step</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">13.593056</span><span class="w"> </span><span class="n">secThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">17</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">ESTThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">56</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">EST</span><span class="w"> </span><span class="o">-</span><span class="mf">0.252818</span><span class="w"> </span><span class="n">secondsserver</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="p">,</span><span class="w"> </span><span class="n">stratum</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">24.668502</span><span class="p">,</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="mf">0.41322</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">21</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">19</span><span class="w"> </span><span class="n">ntpdate</span><span class="err">[</span><span class="mf">6917</span><span class="err">]</span><span class="p">:</span><span class="w"> </span><span class="kr">step</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">24.668502</span><span class="w"> </span><span class="n">secThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">29</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">ESTThu</span><span class="w"> </span><span class="mf">01</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">2007</span><span class="w"> </span><span class="mf">09</span><span class="p">:</span><span class="mf">05</span><span class="p">:</span><span class="mf">57</span><span class="w"> </span><span class="n">PM</span><span class="w"> </span><span class="n">EST</span><span class="w"> </span><span class="o">-</span><span class="mf">0.256849</span><span class="w"> </span><span class="n">secondsserver</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="p">,</span><span class="w"> </span><span class="n">stratum</span><span class="w"> </span><span class="mf">2</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">35.685214</span><span class="p">,</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="mf">0.41321</span><span class="w"> </span><span class="mf">1</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">21</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">31</span><span class="w"> </span><span class="n">ntpdate</span><span class="err">[</span><span class="mf">6921</span><span class="err">]</span><span class="p">:</span><span class="w"> </span><span class="kr">step</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="mf">128.59.59.177</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="o">-</span><span class="mf">35.685214</span><span class="w"> </span><span class="n">sec0</span><span class="w"> </span><span class="ow">or</span><span class="n">angutan</span><span class="p">:</span><span class="err">~#</span>
</code></pre></div>
<p>Any suggestions? What should i be looking for?</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/clock">clock</a></p>
</p>good OCR tools under debian?2007-01-26T18:39:00-05:002007-01-26T18:39:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2007-01-26:/blog/good-ocr-tools-under-debian.html<p>I have never needed to do Optical Character Recognition (turning scanned
documents back into text form), but it appears i may soon need to (in
english, FWIW).</p>
<p>Does anyone have a preferred tool/suite that is packaged for debian?</p>
<p>A scan of the archive turns up</p>
<ul>
<li><code>gocr</code></li>
<li><code>ocrad</code></li>
<li><code>unpaper</code></li>
<li><code>clara …</code></li></ul><p>I have never needed to do Optical Character Recognition (turning scanned
documents back into text form), but it appears i may soon need to (in
english, FWIW).</p>
<p>Does anyone have a preferred tool/suite that is packaged for debian?</p>
<p>A scan of the archive turns up</p>
<ul>
<li><code>gocr</code></li>
<li><code>ocrad</code></li>
<li><code>unpaper</code></li>
<li><code>clara</code></li>
</ul>
<p>none of which i've ever used, and some of which seem stale (<code>clara</code>'s
version number is <code>20031214-2</code>. Suggestions? Things to avoid? Have i
missed something important?</p>
</p>TLS Infrastructure frustrations (part 1)2006-11-25T00:57:00-05:002006-11-25T00:57:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-11-25:/blog/tls-infrastructure-frustrations-part-1.html<p>Prompted by <a href="https://debian-administration.org/articles/465">Steve's request for an SSL
cert</a>, i'm going to air
some grievances i have with the X.509 PKI that tends to go along with
SSL and TLS. The current real-world X.509/TLS infrastructure gets in the
way of real trusted, secure communication. It favors the creation …</p><p>Prompted by <a href="https://debian-administration.org/articles/465">Steve's request for an SSL
cert</a>, i'm going to air
some grievances i have with the X.509 PKI that tends to go along with
SSL and TLS. The current real-world X.509/TLS infrastructure gets in the
way of real trusted, secure communication. It favors the creation of
opaque, commercialized certificate authorities which are answerable to
no one and have incentives to behave in un-trustworthy ways.</p>
<p>A <a href="http://www.ietf.org/internet-drafts/draft-ietf-tls-openpgp-keys-11.txt">small change in
infrastructure</a>
to allow multiple signatures in each certificate could move us in the
direction of more trustworthy, reliable digital communication. User
education about digital trust would help too, of course, but i'm not
naive enough to think that'll happen soon.</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/12">read the full
entry</a>.</p>apt warnings about missing public keys2006-11-21T17:56:00-05:002006-11-21T17:56:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-11-21:/blog/apt-warnings-about-missing-public-keys.html<p>After running <code>apt-get update</code> on a typically-stable mixed etch/sid
machine (which also has experimental in the sources list), i'm getting
the following warnings from apt:</p>
<div class="highlight"><pre><span></span><code><span class="n">W</span><span class="o">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">IDs</span><span class="o">:</span><span class="n">A70DAF536070D3A1W</span><span class="o">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">IDs …</span></code></pre></div><p>After running <code>apt-get update</code> on a typically-stable mixed etch/sid
machine (which also has experimental in the sources list), i'm getting
the following warnings from apt:</p>
<div class="highlight"><pre><span></span><code><span class="n">W</span><span class="o">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">IDs</span><span class="o">:</span><span class="n">A70DAF536070D3A1W</span><span class="o">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">IDs</span><span class="o">:</span><span class="n">A70DAF536070D3A1W</span><span class="o">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="kd">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">IDs</span><span class="o">:</span><span class="n">A70DAF536070D3A1W</span><span class="o">:</span><span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">may</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">apt</span><span class="o">-</span><span class="kd">get</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">correct</span><span class="w"> </span><span class="n">these</span><span class="w"> </span><span class="n">problems</span>
</code></pre></div>
<p>Is anyone else seeing this? a quick glance at google makes me think it's
not very important, but i'd like some confirmation on this. Also, the
identical repeated error messages look odd. If it's one from each
upstream source, shouldn't apt include the message about which source is
generating the error? otherwise, why bother printing the same thing 3
times?</p>
</p>tremor-based alsaplayer?2006-11-14T20:30:00-05:002006-11-14T20:30:00-05:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-11-14:/blog/tremor-based-alsaplayer.html<p>Does anyone know of a simple, clean, ALSA-output ogg-vorbis audio player
that links (statically or otherwise) against the tremor integer-only
vorbis decoder? Here's why i want it:</p>
<p>I recently got a <a href="http://www.cyrius.com/debian/nslu2/">Linksys NSLU2</a>
which i'm happily running debian etch on (with the sid kernel, thanks a
million to the debian …</p><p>Does anyone know of a simple, clean, ALSA-output ogg-vorbis audio player
that links (statically or otherwise) against the tremor integer-only
vorbis decoder? Here's why i want it:</p>
<p>I recently got a <a href="http://www.cyrius.com/debian/nslu2/">Linksys NSLU2</a>
which i'm happily running debian etch on (with the sid kernel, thanks a
million to the debian arm team!). “<code>igor</code>” is tiny, slow, fanless,
silent, low-power ARM-based NIC/USB platform. It's plugged into a USB
disk, and hooked into my network, NFS-mounting my music from a different
server.</p>
<p>I recently added a <a href="http://www.newegg.com/Product/Product.asp?Item=N82E16829126101">USB audio
adapter</a>,
which is working for basic stereo output. (getting the other 4 audo
channels and the buttons on the USB device to work hasn't happened yet,
but that's another weblog post, probably).</p>
<p>I can easily and simply play back the mp3s that i have stored, but i
found i couldn't play back my ogg vorbis-formatted audio. Watching the
state of the system with</p>
<div class="highlight"><pre><span></span><code>vmstat 1
</code></pre></div>
<p>showed that playing mp3s (via <code>alsaplayer</code>, via <code>libmad</code>), \~25% of the
CPU is spent in userland, and \~25% is spent in the kernel, leaving
\~50% free for whatever else i want to do with <code>igor</code>. Not too bad for a
wimpy 266Mhz machine with 32 MB of RAM.</p>
<p>However, when i try to play ogg vorbis files, the <code>vmstat</code> output is
nasty: \~97% kernel, and the rest in userland. only the choppiest audio
comes out. It's unacceptable, basically. On further review, i'm pretty
sure that the problem is that <code>libvorbis</code> is using floating-point math,
while <code>libmad</code> uses integer math. i think the NSLU2 lacks a hardware
FPU, and does floating-point emulation in the kernel, which would
account for the stats i've been seeing.</p>
<p>Enter <a href="http://en.wikipedia.org/wiki/Tremor_(software)">Tremor</a>, the
integer-math-only ogg vorbis decoder. It appears that tremor isn't
packaged for debian yet, though i could get <a href="http://svn.xiph.org/trunk/Tremor">the
source</a> to build pretty easily on
<code>igor</code>. I'm willing to take a crack at packaging tremor for debian
(though i don't know anything about library packaging), but i want to
test it out first! i don't have any example players that link against
it. My preferred simple CLI audio player these days is <code>alsaplayer</code>, but
it links directly against <code>libvorbis</code>, and doesn't appear to know
anything about tremor in the code.</p>
<p>Should i try to modify <code>alsaplayer</code>? Is there a simple tremor demo app
that plays via alsa? Is there an <code>alsaplayer</code> patchset that i just
missed in my web searches? I'll probably try to dig into this in the
next couple of weeks, but if anyone has any suggestions, i'd appreciate
hearing about them.</p>Pros and Cons of secondary MX records2006-10-21T19:10:00-04:002006-10-21T19:10:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-10-21:/blog/pros-and-cons-of-secondary-mx-records.html<p>Many sites use multiple MX records in DNS. But i feel like i'm seeing
more and more which just have a single MX record. Why choose the one
strategy over the other?</p>
<p>Given that MTAs are increasingly complicated these days (with various
spam filtering techniques), what are some good arguments …</p><p>Many sites use multiple MX records in DNS. But i feel like i'm seeing
more and more which just have a single MX record. Why choose the one
strategy over the other?</p>
<p>Given that MTAs are increasingly complicated these days (with various
spam filtering techniques), what are some good arguments for (or
against) having multiple MX records for a relatively small domain
(<1000 users)? Here's a couple notes of my own (which i'm not wedded
to: please tell me if you disagree!):</p>
<p>For:</p>
<ul>
<li>more control over mail delivery: if your primary MTA is down or
unreachable, you still have a machine you control who will accept
mail deliveries on your behalf, rather than trusting the remote
mailer to retry properly.</li>
<li>it's "the standard" way to do things.</li>
<li>redundancy is good.</li>
</ul>
<p>Against:</p>
<ul>
<li>synchronizing settings between primary and secondary MTAs is
complicated and potentially error-prone. If settings are not
synchronized, the secondary MX could end up accepting messages for
delivery that the primary would not have accepted.</li>
<li>simplicity is good.</li>
<li>queues on the secondary MX provide yet another place for mail to be
lost or mangled in an already-complicated protocol</li>
<li>i've heard many reports of spammers preferring the secondary mail
exchangers over the primaries, though i'm not clear why that is.</li>
</ul>
<p>Your thoughts?</p>
</p>Ensuring system updates are actually in use2006-09-10T15:30:00-04:002006-09-10T15:30:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-09-10:/blog/ensuring-system-updates-are-actually-in-use.html<p>I keep my machines all patched with the latest updates from
security.debian.org. But sometimes, a simple
<code>apt-get update && apt-get dist-upgrade</code> is not enough, particularly
when system libraries are being upgraded (e.g. the latest openssl
vulnerability, DSA 1173). In this situation, running processes could
have loaded copies of …</p><p>I keep my machines all patched with the latest updates from
security.debian.org. But sometimes, a simple
<code>apt-get update && apt-get dist-upgrade</code> is not enough, particularly
when system libraries are being upgraded (e.g. the latest openssl
vulnerability, DSA 1173). In this situation, running processes could
have loaded copies of the old libraries, so they wouldn't get the
benefits of the old version. as DSA 1173 says:</p>
<blockquote>
<p>Note that services linking against the openssl shared libraries will
need to be restarted. Common examples of such services include most
Mail Transport Agents, SSH servers, and web servers.</p>
</blockquote>
<p></i></p>
<p>So after an upgrade, it's important to check that the affected services
are really restarted. The best way i've found so far is to check what
deleted files are currently being held open by any process. I use lsof
to look at this:</p>
<div class="highlight"><pre><span></span><code><span class="n">root</span><span class="nv">@serverX</span><span class="err">:</span><span class="o">~</span><span class="err">#</span><span class="w"> </span><span class="n">lsof</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="s1">'path inode'</span><span class="n">apache2</span><span class="w"> </span><span class="mi">9255</span><span class="w"> </span><span class="n">www</span><span class="o">-</span><span class="k">data</span><span class="w"> </span><span class="n">mem</span><span class="w"> </span><span class="n">REG</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="mi">3</span><span class="w"> </span><span class="mi">725883</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">i686</span><span class="o">/</span><span class="n">cmov</span><span class="o">/</span><span class="n">libssl</span><span class="p">.</span><span class="n">so</span><span class="mf">.0.9.7</span><span class="w"> </span><span class="p">(</span><span class="k">path</span><span class="w"> </span><span class="n">inode</span><span class="o">=</span><span class="mi">725841</span><span class="p">)</span><span class="n">apache2</span><span class="w"> </span><span class="mi">9255</span><span class="w"> </span><span class="n">www</span><span class="o">-</span><span class="k">data</span><span class="w"> </span><span class="n">mem</span><span class="w"> </span><span class="n">REG</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="mi">3</span><span class="w"> </span><span class="mi">725770</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">i686</span><span class="o">/</span><span class="n">cmov</span><span class="o">/</span><span class="n">libcrypto</span><span class="p">.</span><span class="n">so</span><span class="mf">.0.9.7</span><span class="w"> </span><span class="p">(</span><span class="k">path</span><span class="w"> </span><span class="n">inode</span><span class="o">=</span><span class="mi">725839</span><span class="p">)</span><span class="n">root</span><span class="nv">@serverX</span><span class="err">:</span><span class="o">~</span><span class="err">#</span>
</code></pre></div>
<p><em>(note: i've excised some lines of the actual output for brevity)</em></p>
<p>I think the files that lsof lists with the (path inode=NNNN) designation
are files being held open by the system after having been removed or
replaced. So seeing the above output lets me know that i need to restart
<code>apache2</code> on this particular server. Otherwise, apache2 is still
vulnerable to the openssl vulnerability, despite having the updated
version installed on the system.</p>
<p>Try running this on one of your own systems. You might be surprised at
the services in want of an upgrade, especially if you tracked the latest
r3 of sarge, with its glibc upgrade.</p>
<p>i'm not convinced that my lsof|grep filter is the best way to look up
this information, but it seems to work for me. I'd be interested to know
if other people have better ways to check on the same situation.</p>Where does one report bugs in backports?2006-09-05T06:05:00-04:002006-09-05T06:05:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-09-05:/blog/where-does-one-report-bugs-in-backports.html<p>initramfs-tools 0.77b\~bpo.1 arrived in sarge-backports recently. It
appears to Depend: on klibc-utils (>= 1.4.19-2), but should probably
depend on klibc-utils (>= 1.4.19-2\~bpo.1) instead, since it's
otherwise uninstallable on a sarge/sarge-backports system. </p>
<p>Who should i report this problem to? it seems like filing …</p><p>initramfs-tools 0.77b\~bpo.1 arrived in sarge-backports recently. It
appears to Depend: on klibc-utils (>= 1.4.19-2), but should probably
depend on klibc-utils (>= 1.4.19-2\~bpo.1) instead, since it's
otherwise uninstallable on a sarge/sarge-backports system. </p>
<p>Who should i report this problem to? it seems like filing it as a
regular debian bug would amount to clutter on the BTS, but i can't find
a comparable system for bpo. </p>
<p>i just asked on #debian-backports, but i've gotten no response there in
my (admittedly short) attention span. the Maintainers: field is just the
kernel team, who i doubt deserves to be nagged about sarge-backports,
busy as they are. </p>Methods for testing Linux Software RAID?2006-07-17T21:31:00-04:002006-07-17T21:31:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-07-17:/blog/methods-for-testing-linux-software-raid.html<p>I have several machines with software RAID (both RAID1 and RAID5
configurations), with fairly modern kernels. I want to test the RAID
before anything bad happens to the machines for real. What methods do
you use to test software RAID on your servers? How do you verify that
the kernel …</p><p>I have several machines with software RAID (both RAID1 and RAID5
configurations), with fairly modern kernels. I want to test the RAID
before anything bad happens to the machines for real. What methods do
you use to test software RAID on your servers? How do you verify that
the kernel will detect device failures and deal with them properly? I
present some ideas below, but want to hear what other people do for
verification/peace of mind.</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/6">read the full
entry</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/raid">raid</a></p>
</p>debian testing security Release.gpg broken?2006-06-30T19:01:00-04:002006-06-30T19:01:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-06-30:/blog/debian-testing-security-releasegpg-broken.html<p>When i did an <code>apt-get update</code> on a mixed etch/sid system last night
(and again this morning), i got a couple errors:</p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="mi">0</span><span class="w"> </span><span class="nx">root</span><span class="err">@</span><span class="nx">squeak</span><span class="w"> </span><span class="o">~</span><span class="p">]</span><span class="err">#</span><span class="w"> </span><span class="nx">apt</span><span class="o">-</span><span class="nx">get</span><span class="w"> </span><span class="nx">update</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">Get</span><span class="p">:</span><span class="mi">3</span><span class="w"> </span><span class="nx">http</span><span class="p">:</span><span class="c1">//security.debian.org testing/updates Release.gpg ...Hit http://security.debian.org testing/updates Release Err http://security …</span></code></pre></div><p>When i did an <code>apt-get update</code> on a mixed etch/sid system last night
(and again this morning), i got a couple errors:</p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="mi">0</span><span class="w"> </span><span class="nx">root</span><span class="err">@</span><span class="nx">squeak</span><span class="w"> </span><span class="o">~</span><span class="p">]</span><span class="err">#</span><span class="w"> </span><span class="nx">apt</span><span class="o">-</span><span class="nx">get</span><span class="w"> </span><span class="nx">update</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">Get</span><span class="p">:</span><span class="mi">3</span><span class="w"> </span><span class="nx">http</span><span class="p">:</span><span class="c1">//security.debian.org testing/updates Release.gpg ...Hit http://security.debian.org testing/updates Release Err http://security.debian.org testing/updates Release Get:4 http://security.debian.org testing/updates Release [24.3kB] ...Hit http://security.debian.org testing/updates/main Sources Fetched 24.3kB in 3s (7830B/s) Reading package lists... DoneW: GPG error: http://security.debian.org testing/updates Release: Unknown error executing gpgvW: You may want to run apt-get update to correct these problems[0 root@squeak ~]#</span>
</code></pre></div>
<p>Fetching the files by hand shows the problem. Release.gpg appears to be
empty for the testing security archive at the moment!</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">0 dkg@squeak tmp.rwonk22339</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">wget</span><span class="w"> </span><span class="o">-</span><span class="n">q</span><span class="w"> </span><span class="nl">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="p">.</span><span class="n">debian</span><span class="p">.</span><span class="n">org</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">testing</span><span class="o">/</span><span class="n">updates</span><span class="o">/</span><span class="k">Release</span><span class="p">.</span><span class="n">gpg</span><span class="o">[</span><span class="n">0 dkg@squeak tmp.rwonk22339</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">wget</span><span class="w"> </span><span class="o">-</span><span class="n">q</span><span class="w"> </span><span class="nl">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="p">.</span><span class="n">debian</span><span class="p">.</span><span class="n">org</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">testing</span><span class="o">/</span><span class="n">updates</span><span class="o">/</span><span class="k">Release</span><span class="o">[</span><span class="n">0 dkg@squeak tmp.rwonk22339</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">ls</span><span class="w"> </span><span class="o">-</span><span class="n">ltotal</span><span class="w"> </span><span class="mi">24</span><span class="o">-</span><span class="n">rw</span><span class="o">-</span><span class="n">r</span><span class="c1">--r-- 1 dkg dkg 24305 2006-06-29 23:38 Release-rw-r--r-- 1 dkg dkg 0 2006-06-29 23:38 Release.gpg[0 dkg@squeak tmp.rwonk22339]$</span>
</code></pre></div>
<p>Does anyone know why this is? Is there anything i can do to help sort
things out?</p>
</p>looking for a STARTTLS-capable MANAGESIEVE client2006-06-28T05:17:00-04:002006-06-28T05:17:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-06-28:/blog/looking-for-a-starttls-capable-managesieve-client.html<p>I've got a mailserver running a lightly-patched cyrus21, based on debian
sarge.</p>
<p>The mailserver runs (among other things) <code>timsieved</code>, and all
connections are STARTTLS-capable (and enforced). But i'm having trouble
finding a useful client that can talk to it properly.</p>
<p>This entry has been truncated <a href="https://debian-administration.org/users/dkg/weblog/4">read the full
entry</a>.</p>looking at process activity on servers2006-05-12T17:46:00-04:002006-05-12T17:46:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2006-05-12:/blog/looking-at-process-activity-on-servers.html<p>The following is just a simple combination of tools that is probably
fairly unremarkable. However, i hope some people will find it useful.</p>
<p><code>top</code> is good at what it does (showing active processes), but the way
the processes jump around in the listings and the way that the process
lineage …</p><p>The following is just a simple combination of tools that is probably
fairly unremarkable. However, i hope some people will find it useful.</p>
<p><code>top</code> is good at what it does (showing active processes), but the way
the processes jump around in the listings and the way that the process
lineage is displayed makes it less useful for some purposes. For
example, it is difficult to catch relatively short-lived, respawning
processes and understand where they're coming from.</p>
<p>(of course, <code>top</code> is insanely featureful (<code>man top | wc -l</code> is <code>1073</code>!),
so maybe a <code>top</code> guru can come along and explain how to make it behave
better for these purposes.)</p>
<p>In the meantime, though, i wanted a command that gives a system-wide
overview of all processes and their lineage, and makes it easy to spot
things which are rapidly respawning on an otherwise stable system. I
want it to work without X11 on the monitored machine, and i'd prefer to
avoid opening up any additional network services where possible. I came
up with this (which can be run over an ssh connection):</p>
<div class="highlight"><pre><span></span><code>watch -d pstree -Apn
</code></pre></div>
<p>The only drawback is that <code>watch</code> will only show you the top screenful
of output, which is not good if your monitor is modestly-sized and the
machine you are monitoring is under fairly heavy load.</p>
<p>A simple workaround for this if you are working from an X11-based
desktop is simply to resize your terminal to be much larger than the
viewport of your monitor. Most X11 setups will let you alt-drag on a
window to move it around so you can see the regions that would otherwise
be cut off. i use <code>rxvt</code> for my terminal, so an example would be:</p>
<div class="highlight"><pre><span></span><code>rxvt -geometry 200x1000 -e ssh -t machine.to.monitor watch -d pstree -Apn
</code></pre></div>
<p>This is why i love unix. Each tool does its part of the job, and i can
put them together to do exactly what i want.</p>
</p>HFS+ recovery under linux?2005-10-20T04:57:00-04:002005-10-20T04:57:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2005-10-20:/blog/hfs-recovery-under-linux.html<p>I don't only administer debian (or even debian-based) systems,
unfortunately. i'm trying to deal with an HFS+ volume that Mac OSX
(10.3) appears to have trashed. I'd appreciate any suggestions or advice
people might have. It looks like the table of contents (or something
similar) have been scribbled over …</p><p>I don't only administer debian (or even debian-based) systems,
unfortunately. i'm trying to deal with an HFS+ volume that Mac OSX
(10.3) appears to have trashed. I'd appreciate any suggestions or advice
people might have. It looks like the table of contents (or something
similar) have been scribbled over. The disk is a 250GB disk, with \~80GB
of data on it. mac's Disk Utility and hditool, (i think hditool is the
underlying tool that the GUI Disk Utility uses) both choke on the disk
with the following output:</p>
<div class="highlight"><pre><span></span><code><span class="nv">ted</span><span class="o">:</span>~<span class="w"> </span><span class="nv">admin</span><span class="p">$</span><span class="w"> </span><span class="nv">sudo</span><span class="w"> </span><span class="nv">diskutil</span><span class="w"> </span><span class="nv">verifyDisk</span><span class="w"> </span><span class="nv">disk1s3Password</span><span class="o">:</span><span class="nv">Started</span><span class="w"> </span><span class="nv">verify</span><span class="o">/</span><span class="nv">repair</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">disk</span><span class="w"> </span><span class="nv">disk1s3</span><span class="w"> </span><span class="nv">Checking</span><span class="w"> </span><span class="nv">HFS</span><span class="w"> </span><span class="nv">Plus</span><span class="w"> </span><span class="nv">volume</span><span class="o">.</span><span class="nv">Invalid</span><span class="w"> </span><span class="nv">B</span><span class="o">-</span><span class="nv">tree</span><span class="w"> </span><span class="nv">node</span><span class="w"> </span><span class="nv">sizeThe</span><span class="w"> </span><span class="nv">volume</span><span class="w"> </span><span class="nv">needs</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">repaired</span><span class="o">.</span><span class="nv">Volume</span><span class="w"> </span><span class="nv">check</span><span class="w"> </span><span class="nv">failed</span><span class="o">.</span><span class="nv">Error</span><span class="w"> </span><span class="nf">detected</span><span class="w"> </span><span class="p">(</span><span class="o">-</span><span class="mi">9972</span><span class="p">)</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nv">verifying</span><span class="o">/</span><span class="nv">repairing</span><span class="w"> </span><span class="nv">disk</span><span class="w"> </span><span class="nv">disk1s3</span><span class="w"> </span><span class="nv">ted</span><span class="o">:</span>~<span class="w"> </span><span class="nv">admin</span><span class="p">$</span><span class="w"> </span><span class="nv">sudo</span><span class="w"> </span><span class="nv">diskutil</span><span class="w"> </span><span class="nv">repairDisk</span><span class="w"> </span><span class="nv">disk1s3Started</span><span class="w"> </span><span class="nv">verify</span><span class="o">/</span><span class="nv">repair</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">disk</span><span class="w"> </span><span class="nv">disk1s3</span><span class="w"> </span><span class="nv">Checking</span><span class="w"> </span><span class="nv">HFS</span><span class="w"> </span><span class="nv">Plus</span><span class="w"> </span><span class="nv">volume</span><span class="o">.</span><span class="nv">Invalid</span><span class="w"> </span><span class="nv">B</span><span class="o">-</span><span class="nv">tree</span><span class="w"> </span><span class="nv">node</span><span class="w"> </span><span class="nv">sizeVolume</span><span class="w"> </span><span class="nv">check</span><span class="w"> </span><span class="nv">failed</span><span class="o">.</span><span class="nv">Error</span><span class="w"> </span><span class="nf">detected</span><span class="w"> </span><span class="p">(</span><span class="o">-</span><span class="mi">9972</span><span class="p">)</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nv">verifying</span><span class="o">/</span><span class="nv">repairing</span><span class="w"> </span><span class="nv">disk</span><span class="w"> </span><span class="nv">disk1s3</span><span class="w"> </span><span class="nv">ted</span><span class="o">:</span>~<span class="w"> </span><span class="nv">admin</span><span class="p">$</span>
</code></pre></div>
<p>when i use Apple's fsck_hfs, i get the following:</p>
<div class="highlight"><pre><span></span><code><span class="nx">ted</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="nx">admin</span><span class="err">$</span><span class="w"> </span><span class="nx">sudo</span><span class="w"> </span><span class="nx">fsck_hfs</span><span class="w"> </span><span class="o">-</span><span class="nx">d</span><span class="w"> </span><span class="o">/</span><span class="nx">dev</span><span class="o">/</span><span class="nx">rdisk1s3</span><span class="o">**</span><span class="w"> </span><span class="o">/</span><span class="nx">dev</span><span class="o">/</span><span class="nx">rdisk1s3</span><span class="w"> </span><span class="nx">Block</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="nx">an</span><span class="w"> </span><span class="nx">MDB</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="nx">Volume</span><span class="w"> </span><span class="nx">Header</span><span class="w"> </span><span class="o">**</span><span class="w"> </span><span class="nx">Checking</span><span class="w"> </span><span class="nx">HFS</span><span class="w"> </span><span class="nx">Plus</span><span class="w"> </span><span class="nx">volume</span><span class="p">.</span><span class="w"> </span><span class="nx">Invalid</span><span class="w"> </span><span class="nx">B</span><span class="o">-</span><span class="nx">tree</span><span class="w"> </span><span class="nx">node</span><span class="w"> </span><span class="nx">size</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="o">**</span><span class="w"> </span><span class="nx">Volume</span><span class="w"> </span><span class="nx">check</span><span class="w"> </span><span class="nx">failed</span><span class="p">.</span><span class="nx">volume</span><span class="w"> </span><span class="nx">check</span><span class="w"> </span><span class="nx">failed</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">error</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="nx">volume</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">pure</span><span class="w"> </span><span class="nx">HFS</span><span class="o">+</span><span class="w"> </span><span class="nx">primary</span><span class="w"> </span><span class="nx">MDB</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">block</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mh">0x0</span><span class="mi">0</span><span class="w"> </span><span class="nx">alternate</span><span class="w"> </span><span class="nx">MDB</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">block</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mh">0x0</span><span class="mi">0</span><span class="w"> </span><span class="nx">primary</span><span class="w"> </span><span class="nx">VHB</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">block</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mh">0x0</span><span class="mi">2</span><span class="w"> </span><span class="nx">alternate</span><span class="w"> </span><span class="nx">VHB</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">block</span><span class="w"> </span><span class="mi">488134942</span><span class="w"> </span><span class="mh">0x1</span><span class="nx">d18591e</span><span class="w"> </span><span class="nx">sector</span><span class="w"> </span><span class="nx">size</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">512</span><span class="w"> </span><span class="mh">0x2</span><span class="mi">00</span><span class="w"> </span><span class="nx">VolumeObject</span><span class="w"> </span><span class="nx">flags</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mh">0x0</span><span class="mi">5</span><span class="w"> </span><span class="nx">total</span><span class="w"> </span><span class="nx">sectors</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">volume</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">488134944</span><span class="w"> </span><span class="mh">0x1</span><span class="nx">d185920</span><span class="w"> </span><span class="nx">total</span><span class="w"> </span><span class="nx">sectors</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">embedded</span><span class="w"> </span><span class="nx">volume</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mh">0x0</span><span class="mi">0</span><span class="w"> </span><span class="nx">ted</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="nx">admin</span><span class="err">$</span>
</code></pre></div>
<p>Seeing as i was getting nowhere with apple's own tools, i figured i'd
try out a debian-based system. i had an ubuntu 5.10 disk lying around
with hfsutils and hfsplus installed on it. hpfsck just chokes as well,
though i don't have the output to paste in right now. i'll put it up as
a comment on this post later. does anyone have any experience with
recovering weirdly garbled HFS+ partitions? any pointers would be most
welcome!</p>
<hr>
<p>Edit: here's the output from hpfsck under linux:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">dkg@squeak ~</span><span class="o">]</span><span class="err">$</span><span class="w"> </span><span class="n">hpfsck</span><span class="w"> </span><span class="o">-</span><span class="n">v</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sda3</span><span class="w"> </span><span class="o">***</span><span class="w"> </span><span class="n">Checking</span><span class="w"> </span><span class="n">Volume</span><span class="w"> </span><span class="nl">Header</span><span class="p">:</span><span class="nl">hpfsck</span><span class="p">:</span><span class="w"> </span><span class="nl">hpfsck</span><span class="p">:</span><span class="w"> </span><span class="n">Neither</span><span class="w"> </span><span class="n">Wrapper</span><span class="w"> </span><span class="n">nor</span><span class="w"> </span><span class="n">native</span><span class="w"> </span><span class="n">HFS</span><span class="o">+</span><span class="w"> </span><span class="n">volume</span><span class="w"> </span><span class="n">header</span><span class="w"> </span><span class="k">found</span><span class="w"> </span><span class="p">(</span><span class="k">Unknown</span><span class="w"> </span><span class="n">error</span><span class="w"> </span><span class="mi">4294967295</span><span class="p">)</span><span class="o">[</span><span class="n">dkg@squeak ~</span><span class="o">]</span><span class="err">$</span>
</code></pre></div>
<p>Any thoughts or pointers? <a href="http://www.opendarwin.org/pipermail/discuss/2003-January/003924.html">this
post</a>
seems to imply that fsck_hfs won't work on little-endian architectures
at all, but i imagine that's changed (or will change) with apple's move
to intel. and <a href="http://people.freebsd.org/~yar/hfs/fsck_hfs.html">these
guys</a> seem to have
done most of the work for the port a couple years ago, so apple would be
foolish to not incorporate it back in. too bad that it's licensed under
the APSL, which is non-DFSG-free...</p>
</p>Font creation2005-09-28T21:23:00-04:002005-09-28T21:23:00-04:00Daniel Kahn Gillmor (dkg)tag:dkg.fifthhorseman.net,2005-09-28:/blog/font-creation.html<p>i just used a set of tools from debian to create a new font based on my
handwriting. i'm providing the font as a ttf file, and as a .deb
package.</p>
<p>links and more details can be found <a href="http://noesis.fifthhorseman.net/node/54">on my
blog</a>.</p>
<p><strong>Tags</strong>: <a href="https://debian-administration.org/tag/font">font</a></p>
</p>