Michael's musings


This is a blog of
mcr at sandelman.ca

Thu, 25 May 2006

Peace Tower clock killed by DMCA?

Well, not literally, but Howard Knopf jokes about this in his blog at:

http://excesscopyright.blogspot.com/2006/05/knopf-v-speaker-of-house-of-commons.html

The original point of the article: http://www.canada.com/components/print.aspx?id=891da412-8d83-418b-8617-c12c0533acdc&k=53721



posted at: 15:47 | path: /legal | permanent link to this entry

Wed, 24 May 2006

git rebase

I just moved some patches to the Linux kernel from a 2.6.15 base to a 2.6.16.18 base.

This is how I did it:

- I started by going to my copy of the Linus Torvalds tree, and updating it.

% cd /mara1/git/torvalds
% cg-branch-ls
origin  http://www.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
% cg-update
to get the latest code down, just in case.

- I then cloned the tree.

% cd /mara1/git
% cg-clone torvalds stable2.6.16.y
Cloning it like this lets it use hard links!

- I then added the 2.6.16 branches:

% cd stable2.6.16.y
% cg-branch-add stable2.6.16.y http://www.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.16.y.git
% cg-update stable2.6.16.y

- I then added the stable 2.6.16 tree to my working tree. I prefer to have separate trees like this so that I can poke around. I could have added the stable branch to my torvalds tree, btw.

% cd /mara1/git/klips-ocf
% cg-branch-add stable  /mara1/git/stable2.6.16.y
% cg-fetch stable

- Then I ran git rebase.

% cg-tag ocf_v2.6.15
% git rebase stable ocf
% cg-branch-chg origin git+ssh://git.openswan.org/public/scm/klips.git#ocf_v2.6.16

I made sure to leave a tag, because "git rebase" changes the branch, and you might not be able to get it back.
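
The same procedure redone with plain git commands, as an added example that is not part of the original post (the cg-* commands are Cogito wrappers that no longer ship). It builds two throwaway repositories standing in for the Torvalds tree (with a linux-2.6.16.y branch) and the klips-ocf working tree, tags the topic branch, fetches the stable branch as a remote, rebases onto it, and then checks that the tag still points at the old tip, which is the whole reason for tagging first. Paths, branch and tag names are assumptions.

```python
"""Move a topic branch from one base to another, keeping a tag on the old
tip.  Added example, not the original post's commands; needs a git binary."""
import os
import subprocess
import tempfile

# Fixed identity so commit and rebase work on a machine with no git config.
GIT_ENV = dict(os.environ,
               GIT_AUTHOR_NAME="mcr", GIT_AUTHOR_EMAIL="mcr@example.invalid",
               GIT_COMMITTER_NAME="mcr", GIT_COMMITTER_EMAIL="mcr@example.invalid")


def git(*args, cwd):
    """Run one git command, return its stdout stripped, raise on failure."""
    r = subprocess.run(["git", *args], cwd=cwd, env=GIT_ENV,
                       check=True, capture_output=True, text=True)
    return r.stdout.strip()


def commit_file(repo, name, text, message):
    with open(os.path.join(repo, name), "w") as f:
        f.write(text)
    git("add", name, cwd=repo)
    git("commit", "-q", "-m", message, cwd=repo)
    return git("rev-parse", "HEAD", cwd=repo)


def rebase_patches(work, stable_url, stable_branch, topic, tag):
    """cg-tag / cg-branch-add / cg-fetch / git rebase, in that order.
    Returns (old_tip, new_tip) of the topic branch."""
    old_tip = git("rev-parse", topic, cwd=work)
    git("tag", tag, topic, cwd=work)                          # cg-tag: keep a handle on the old tip
    git("remote", "add", "stable", stable_url, cwd=work)      # cg-branch-add stable <url>
    git("fetch", "-q", "stable", cwd=work)                    # cg-fetch stable
    git("checkout", "-q", topic, cwd=work)
    git("rebase", "-q", "stable/" + stable_branch, cwd=work)  # git rebase stable ocf
    return old_tip, git("rev-parse", topic, cwd=work)


def demo():
    base = tempfile.mkdtemp(prefix="rebase-demo-")
    torvalds = os.path.join(base, "torvalds")          # stand-in for the Torvalds tree
    os.mkdir(torvalds)
    git("init", "-q", cwd=torvalds)
    git("symbolic-ref", "HEAD", "refs/heads/master", cwd=torvalds)
    commit_file(torvalds, "Makefile", "VERSION = 2.6.15\n", "Linux 2.6.15")
    git("checkout", "-q", "-b", "linux-2.6.16.y", cwd=torvalds)
    stable_tip = commit_file(torvalds, "Makefile", "VERSION = 2.6.16.18\n", "Linux 2.6.16.18")
    git("checkout", "-q", "master", cwd=torvalds)

    work = os.path.join(base, "klips-ocf")             # stand-in for the working tree
    git("clone", "-q", "-b", "master", torvalds, work, cwd=base)   # local clone: hard links
    git("checkout", "-q", "-b", "ocf", cwd=work)
    commit_file(work, "crypto_ocf.c", "/* OCF glue for KLIPS */\n", "klips: OCF glue")

    old_tip, new_tip = rebase_patches(work, torvalds, "linux-2.6.16.y", "ocf", "ocf_v2.6.15")
    return {
        "old_tip": old_tip,
        "new_tip": new_tip,
        "tag_kept_old_tip": git("rev-parse", "ocf_v2.6.15^{commit}", cwd=work) == old_tip,
        "rebased_onto_stable": git("rev-parse", "ocf~1", cwd=work) == stable_tip,
        "patch_still_applied": os.path.exists(os.path.join(work, "crypto_ocf.c")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

After the rebase the topic branch has a new tip whose parent is the stable commit, and the tag still resolves to the pre-rebase commit, so the old history can be recovered with a plain checkout of the tag.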



posted at: 20:17 | path: /howto | permanent link to this entry

How to unscrew your LVM

I had a system with a single 40GB PATA drive in it. It had two 160GB SATA drives in it too, but the SATA controller on the motherboard was not supported yet by Fedora Core 5. (It's a VIA controller. VIA has drivers, but they aren't stable yet.)

I got a 2-port Adaptec SATA controller, hooked it up while moving the machine to a 3U case, and booted. Great, everything works.

I then added the two new volumes to my "VolGroup00", and took the system down to the colo. Oh. shit. It won't boot.

Why? Because the initrd for the system didn't have the Adaptec controller, so the system couldn't see the extra physical volumes, so it couldn't construct the logical volume group, so it couldn't find the "root" disk.

DAMN.

I booted a Fedora Core 5 rescue CD. (I am, btw, looking for a 30-50MB image that I can stick on /boot, and invoke from grub, which would be a serial-console happy rescue image. It should have sshd, and be able to dhcp an address ideally.... I was going to take apart some CD-based .iso, but I haven't done that yet.)

I then fixed this by running mkinitrd properly, and the system found the right disks, and booted.

I thought: I don't want all my disks in the same volume group if a screw up will prevent the system from booting.

I came across the command "pvremove", which I proceeded to run on /dev/sda1 and /dev/sdb1. OOPS. System won't boot again, because I actually destroyed the physical volumes (from LVM's point of view, by wiping their labels), not removed them from the volume group. Detaching a PV from a VG is vgreduce's job (after pvmove, if the PV holds any extents); pvremove comes last, once the PV belongs to no VG.

Another run through with the rescue CD. Need to figure out what to do. The command "lvm" is nice: as a wrapper around all the LVM commands, its shell also tells you quickly which names are actual commands and which are not.

The solution:

lvm> vgreduce VolGroup00 --removemissing
  Couldn't find device with uuid 'nwprFB-HWF3-GRL7-ow4P-JUXO-Zp2J-ckZ8fe'.
  Couldn't find all physical volumes for volume group VolGroup00.
  Couldn't find device with uuid 'nwprFB-HWF3-GRL7-ow4P-JUXO-Zp2J-ckZ8fe'.
  Couldn't find all physical volumes for volume group VolGroup00.
  Couldn't find device with uuid 'nwprFB-HWF3-GRL7-ow4P-JUXO-Zp2J-ckZ8fe'.
  Couldn't find device with uuid 'tLpEoy-X3jh-7QgU-oWTY-dmrh-4dKx-jCOLVm'.
  Wrote out consistent volume group VolGroup00

Now, I have:

trout-[~] root 1 #lvs
  LV         VG           Attr   LSize  Origin Snap%  Move Log Copy%
  FlorinRoot GuestGroup00 -wi-a-  5.00G
  LogVol00   VolGroup00   -wi-ao 35.19G
  LogVol01   VolGroup00   -wi-ao  1.94G
trout-[~] root 2 #pvs
  PV         VG           Fmt  Attr PSize   PFree
  /dev/hdb2  VolGroup00   lvm2 a-    37.16G  32.00M
  /dev/sda1  GuestGroup00 lvm2 a-   149.05G 144.05G
  /dev/sdb1  GuestGroup00 lvm2 a-   149.05G 149.05G
trout-[~] root 3 #vgs
  VG           #PV #LV #SN Attr   VSize   VFree
  GuestGroup00   2   1   0 wz--n- 298.09G 293.09G
  VolGroup00     1   2   0 wz--n-  37.16G  32.00M
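
The ordering lesson from above, as an added example that is not part of the original post: a small planner that reads pvs output and emits the detach commands in the only order that works (pvmove if the PV holds extents, then vgreduce, and only then pvremove), refusing when the rest of the VG cannot absorb the extents. It never runs lvm itself. The pvs options named in the docstring are real; the sample output is constructed to resemble the machine above before the mistake.

```python
"""Plan the safe way to take a physical volume out of a volume group.
Added example (not from the original post).  Input is the output of

    pvs --noheadings --nosuffix --units m --separator , -o pv_name,vg_name,pv_size,pv_free

The sample below is constructed."""


def parse_pvs(text):
    """Return {pv_name: {"vg": name-or-None, "size_mb": float, "free_mb": float}}."""
    pvs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, vg, size, free = [f.strip() for f in line.split(",")]
        pvs[name] = {"vg": vg or None, "size_mb": float(size), "free_mb": float(free)}
    return pvs


def plan_detach(pvs, pv):
    """Commands to detach `pv`, as strings, in the order they must run.
    Raises KeyError for an unknown PV and RuntimeError when the rest of the
    VG cannot absorb the extents pvmove would have to relocate."""
    info = pvs[pv]
    if info["vg"] is None:
        return ["pvremove %s" % pv]           # already orphaned: wiping the label is safe
    vg = info["vg"]
    used_mb = info["size_mb"] - info["free_mb"]
    cmds = []
    if used_mb > 0:
        room_mb = sum(p["free_mb"] for n, p in pvs.items() if p["vg"] == vg and n != pv)
        if room_mb < used_mb:
            raise RuntimeError("%s holds %.0f MB but %s has only %.0f MB free elsewhere"
                               % (pv, used_mb, vg, room_mb))
        cmds.append("pvmove %s" % pv)         # relocate extents onto the other PVs
    cmds.append("vgreduce %s %s" % (vg, pv))  # now empty: drop it from the VG
    cmds.append("pvremove %s" % pv)           # and only now wipe the LVM label
    return cmds


# Constructed pvs output: sda1 carries 5 GB of extents, sdb1 is untouched.
PVS_SAMPLE = """\
  /dev/hdb2,VolGroup00,38048.00,32.00
  /dev/sda1,VolGroup00,152628.00,147508.00
  /dev/sdb1,VolGroup00,152628.00,152628.00
"""

if __name__ == "__main__":
    pvs = parse_pvs(PVS_SAMPLE)
    for pv in ("/dev/sda1", "/dev/sdb1"):
        print("# %s" % pv)
        for c in plan_detach(pvs, pv):
            print(c)
```

If the PV being detached is in the volume group that holds root, the initrd still has to be regenerated so the remaining PVs are visible at boot; the planner does not cover that step.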


posted at: 20:11 | path: /howto | permanent link to this entry

Why you should use SIP

http://www.theregister.co.uk/2006/05/24/skype_vuln/

describes a vulnerability in Skype's clients. Okay, no big deal, bugs happen in programs. Just switch to another program for a while until it gets fixed.

What? You mean the program and the protocol are one? You can't switch without switching networks? Isn't that bad?

Yes, it is.

The reason why we should strive to use standards in our network protocols is so that one can have a competitive marketplace where one can use the best software that there is.

And one should be able to trivially switch from one to another: we do this all the time everywhere. Let's take an example from motoring: we get upset if the vendors of gasoline (petrol) do not compete! We expect all of the gasoline to be essentially interchangeable. Honestly, anything else is communism.



posted at: 19:55 | path: /standards | permanent link to this entry

Liam is 1

One year ago, my son Liam Ronald Morris Richardson was born.

http://www.sandelman.ca/lrmr/

What an amazing year it has been.



posted at: 19:49 | path: /children | permanent link to this entry

Fri, 19 May 2006

RMS Protests ATI

I too am not very happy with what ATI and Nvidia have done with their binary-only drivers.

http://www.fsf.org/blogs/community/rms-ati-protest.html

http://www.zmag.org/content/showarticle.cfm?ItemID=9350

(curiously, ZNet says:

ZNet has begun to explore the possibility of converting to free software. If you would like to help in this effort, please go to the Free ZNet Project forums, register, and introduce yourself.

and give the link: http://znet.2y.net/zbb/index.php )

It seems that the correct approach for companies that want to make pieces of hardware that offload work from the CPU is for them to create open specifications about how to interface to their hardware --- at the system level, and publish these.

DirectX and OpenGL, for instance, are two such specifications. They are unfortunately at the level of C-API, rather than PCI register definitions. As such, they need a driver part for the backend. If the video manufacturers could see their way to making it a higher level interface, there would be many advantages, including an obvious way to run accelerated video over networks.

My company http://www.xelerance.com/ is involved in making a better specification for interfacing to hardware cryptographic accelerators. This is called OpenBSD Cryptographic Framework (OCF), and we are proposing extensions that we call OCF level2. Unfortunately our interface is also at the C-API level, and we have to deal with the question: would we want to permit binary-only drivers?



posted at: 15:40 | path: /legal | permanent link to this entry

Mon, 15 May 2006

Canadian census debacle

http://trends.newsforge.com/trends/06/05/04/233250.shtml?tid=136&tid=2&tid=132 contains a lively debate about the Canadian Census vs open source.

http://www.digital-copyright.ca/node/2425 is another review of the situation.

I too am very frustrated with the situation. As soon as I realized that the Java applet involved was in fact Entrust's TruePass, I realized what had happened.

Once filled out, the Census information is designated "Protected". That is, it is sensitive government information: in the federal scheme the Protected designations sit alongside the Confidential/Secret/Top Secret classifications, each with its own handling and safeguarding requirements.

If you want to collect information of that classification, you have to use systems that have been evaluated for that classification. It turns out that there is only one such system available: the Entrust TruePass system. They wrote it for Java on the theory that it was cross-platform, but the evaluation process requires that it be evaluated on specific pieces of hardware and software.

That means that the version of Safari, IE, Firefox, etc. and the versions of Java involved had to be locked down.

So, actually, they are violating the process - most end-user systems can not be guaranteed to actually be close to the evaluated platform. This should be a show-stopper. (I've been through this process)

Where is the real bug? It's in the evaluation criteria themselves (the Common Criteria), which were basically designed before the Internet, and were first applied in 1995.

We in the open source community are actually fortunate that they even got to doing anything other than IE --- but that's only because the whole ePass system is targeted for widespread use by the Government of Canada.

Frankly, I find the whole ePass system of dubious value. Yes, finally, client side certificates... but how did they get enrolled? Are they being left on my desktop? Can I put them on a USB key? What else is going on? My understanding is that the on-the-wire protocols are actually relatively standard, but the cryptography isn't used to protect me, but to assure Secure Channel that they are in fact talking to a "legitimate" copy of TruePass.

Why are those Performance Specifications not mentioned on the web sites? It's a violation of NAFTA 1007 to use the brand names as they have been used. The web site should go off line for THAT reason alone. This is really a scandal larger than Gomery. The amount of money involved is 10x that of Gomery.

Next problem: the helpdesk people were clearly not briefed or trained, and the Bell people that were contacted were clearly NOT qualified to be doing this work. Sure, Bell did some work. They procured the Entrust Toolkits, and typed "make".

When it comes down to it, this Java applet is another skirmish in the war over who owns my computer. See Bruce Schneier's comments: http://www.wired.com/news/columns/1,70802-0.html

The purpose of the Java Applet is not to make sure that your information is secure. That's easily accomplished with run-of-the-mill SSL. If you wanted more traceability and the ability to communicate multiple times, you'd use client side certificates. The purpose of this Applet is to protect the servers from being abused by network connections. In this case, it's very effective, as it keeps the system from being used as well.

This is the same trick as the barely legible words-in-pictures (such as on gmail.com, or yahoo, or random web logs) that are designed to keep away robots. It's not about covering our asses, or protecting our privacy --- it's about covering theirs.

What can we do about this:

  • make governments realize that saying "Please use product X" is in fact an endorsement of that product.
  • make governments procure products using proper Performance Specifications
  • this isn't about Microsoft vs Linux. It's about interoperability. Interoperability benefits Microsoft too: they are currently fighting against having SAP listed as a "requirement"

In practice, this won't really happen until we have some Linux, BSD and Mac using members of parliament. Ones who refuse to run the junk that the Parliament of Canada (a department with a whole file of procurement violations) provides them. They will have to make a "federal case" of it. So, ask candidates what browser they use on their computer. Expect your MPs to be sufficiently technologically savvy to understand the question. We expect them to understand economics, and it's a lot more complicated.



posted at: 14:32 | path: /oss | permanent link to this entry

Sun, 14 May 2006

Open source weekend

So, I'm here at Open Source Weekend; we have a reasonable turnout given the amount of planning that was done.

http://www.osw.ca/

We are well positioned to have a longer event in the fall.

The location here works well, and seems pleasant enough.



posted at: 16:44 | path: /oss | permanent link to this entry

Fri, 12 May 2006

French plans about DRM

http://www.theregister.co.uk/2006/05/12/french_drm_concessions/ reports on Apple iTunes vs the French government.

It's interesting that the French government gets the concept that computer and network protocols must be open, and must be cross-platform. This is more than the Canadian government does ( http://www.sandelman.ca/mcr/blog/2006/05/03#canadian_online_census_violates_privacy ).

This is really very good news. I don't know much about the bill or the proposals to force DRM to be that way. I'm not clear that one can really have an open source DRM implementation --- if the DRM is actually well designed, then one would need to have some kind of private key embedded in the application, such that it can decrypt things, and the public key part would need to be signed by some industry consortium. So, the source code might be public, but the private key would have to be... private. I'm not sure how this can work, since the private key could trivially be reverse engineered out.

The alternative is that every citizen needs to get online and ask for session keys that permit the citizen to decode the content. That doesn't scale, and more importantly, there is little incentive for the citizen not to share the key.



posted at: 18:47 | path: /legal | permanent link to this entry

Wed, 03 May 2006

TV inventor's wife dies

The story of his life:

http://www.wired.com/wired/archive/10.04/farnsworth.html

and how RCA screwed him over for his patents:

http://righttocreate.blogspot.com/2006/05/invention-of-television.html



posted at: 19:18 | path: /legal | permanent link to this entry

Canadian online census violates privacy

On May 16, 2006, Canadians will do their 5-year census. There is an option to fill it out online.

According to:

http://www50.statcan.ca/census2006/settings_1-0_e.htm#

You need to have one of:

  • Internet Explorer 7.0
  • Internet Explorer 6.0
  • Internet Explorer 5.5
  • Internet Explorer 5.01
  • Netscape Navigator 7.0 or higher
  • Firefox 1.0.4
  • Mozilla 1.7.8
  • Safari 1.2.4 with WebKit 125.5.7

This is because:

Notice: You must have a browser with Java virtual machine (JVM) from Sun
Microsystems Inc. (Version 1.4.2_3 or higher), Microsoft virtual machine (any
version), or Apple JVM (1.4.2_5 or higher) that supports 128-bit encryption.

Now if there is one thing everyone should have learnt --- client-side Java is not a way to deal with private information.

If I were doing an online census, I would require the opposite: that you have Java, Javascript and ActiveX disabled when you fill out the forms. While there is no practical or theoretical way to be sure that there are no key-loggers running as a Windows BackOrifice service, at least one can be sure that there are no trivial ones living in the web browser.

I intend to bring this up with the Chief Statistician.



posted at: 02:40 | path: /oss | permanent link to this entry

Tue, 02 May 2006

log analyzers

A big problem for anything that manages many systems is keeping the systems working. A company recently put out something that I think is basically a GPL'ed syslogd for Windows: http://www.loglogic.com/logforge/ It looks like they are thinking about syslog, and mention "TCP syslog".

(A joke... you can't use the same port number for both: syslog is UDP port 514, while TCP port 514 is rsh, the "shell" service (rlogin is TCP 513)! That was a surprise one day in firewall land, a decade ago.)

TCP syslog is not perfect --- the problem is that you want reliability, but you need to not slow the machines down due to network congestion. That calls, really, for SCTP.

For now, I stick to UDP, and use IPsec to keep it private, if available.

I've long pointed the syslogd on my Unix machines to one machine, usually my desktop, and arranged for my desktop to show them on my screen. Okay, when I'm not plugged in at that IP, I don't see stuff.

It used to be that you could run xconsole or xterm -C, and you'd get the /dev/console stolen to that pty. This doesn't work as well anymore, but one can now use:

xconsole -file /dev/xconsole -geometry 1000x30+0+1 -font 5x7 -fg green -bg black -name Console

along with the default entries in /etc/syslog.conf:

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.crit;news.err;news.notice;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

Note that xconsole's geometry is in pixels, vs xterm's which is in characters.

Don't forget to edit /etc/init.d/sysklogd to set

SYSLOGD="-r"

so that syslogd accepts messages from other hosts (without -r it only reads the local /dev/log). Note that -r listens on UDP 514 for anyone who can reach the machine, and syslog carries no authentication, so firewall that port down to the hosts you expect, or carry it over IPsec as above.

You'd expect to see an /etc/default/syslog file on Debian, but I don't see one.

The challenge now is actually to get a better xconsole program: one with a menu of some kind, a way to interactively set filters, and a way to have it show me logs with a given pattern, from a given host, etc.
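
The selector line from /etc/syslog.conf above and the host/pattern filter wished for here, in one added example that is not part of the original post. It decodes the PRI of raw UDP syslog datagrams, compiles a sysklogd-style selector into a per-facility severity mask (following sysklogd's accumulate-then-clear rules for "=", "!" and "none"), and runs constructed sample messages through it; the hostnames, pids and message texts in the sample are made up.

```python
"""syslog.conf selector matching over raw UDP syslog datagrams.
Added example, not code from the original post; sample datagrams are constructed."""
import re

# RFC 3164 facility and severity numbers; PRI = facility * 8 + severity.
FACILITIES = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
NFACILITIES = 24
SEVERITIES = {n: i for i, n in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEVERITIES.update({"panic": 0, "error": 3, "warn": 4})   # sysklogd aliases

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, severity, rest) for one datagram.
    A missing or out-of-range PRI defaults to user.notice, per RFC 3164."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return pri >> 3, pri & 7, datagram[m.end():]
    return FACILITIES["user"], SEVERITIES["notice"], datagram


def parse_selector(spec):
    """Compile "daemon.*;mail.none;*.=warn" into a per-facility set of enabled
    severities, the way sysklogd's cfline() does:
      fac.level   adds level and everything more severe
      fac.=level  adds exactly that level
      fac.none    clears the facility
      fac.!level / fac.!=level  remove instead of add
    Selectors apply left to right and accumulate."""
    mask = [set() for _ in range(NFACILITIES)]
    for sel in spec.replace("\\\n", "").split(";"):
        sel = sel.strip()
        if not sel:
            continue
        facs, _, level = sel.rpartition(".")
        fac_ids = (range(NFACILITIES) if facs == "*"
                   else [FACILITIES[f.strip()] for f in facs.split(",")])
        remove = level.startswith("!")
        level = level.lstrip("!")
        exact = level.startswith("=")
        level = level.lstrip("=")
        if level == "none":
            bits, remove = set(range(8)), True
        elif level == "*":
            bits = set(range(8))
        else:
            sev = SEVERITIES[level]
            bits = {sev} if exact else set(range(sev + 1))
        for f in fac_ids:
            if remove:
                mask[f] -= bits
            else:
                mask[f] |= bits
    return mask


def matches(mask, datagram):
    fac, sev, _ = parse_pri(datagram)
    return sev in mask[fac]


def filter_messages(spec, datagrams, host=None, pattern=None):
    """Apply a selector, then optionally a hostname and a regex on the text:
    the interactive filter the post wants from xconsole."""
    mask = parse_selector(spec)
    out = []
    for d in datagrams:
        if not matches(mask, d):
            continue
        _, _, rest = parse_pri(d)
        fields = rest.split(None, 4)      # "Mmm dd hh:mm:ss HOST msg": host is field 4
        if host and (len(fields) < 4 or fields[3] != host):
            continue
        if pattern and not re.search(pattern, rest):
            continue
        out.append(d)
    return out


# The /etc/syslog.conf rule above, joined onto one line.
XCONSOLE_SELECTOR = ("daemon.*;mail.*;news.crit;news.err;news.notice;"
                     "*.=debug;*.=info;*.=notice;*.=warn")

# Constructed datagrams, PRI in front as they arrive on UDP 514.
SAMPLE = [
    "<30>May  2 13:42:01 trout sshd[2201]: Accepted publickey for mcr from 192.0.2.10",   # daemon.info
    "<22>May  2 13:42:05 trout postfix/smtpd[2210]: connect from unknown[192.0.2.77]",  # mail.info
    "<59>May  2 13:42:09 trout innd[2300]: cant open active file",                      # news.err
    "<83>May  2 13:42:12 trout sudo: pam_unix(sudo:auth): authentication failure",      # authpriv.err
    "<7>May  2 13:42:20 marajade kernel: eth0: link up",                                 # kern.debug
    "<0>May  2 13:42:30 trout kernel: Kernel panic - not syncing",                       # kern.emerg
]

if __name__ == "__main__":
    for line in filter_messages(XCONSOLE_SELECTOR, SAMPLE, host="trout"):
        print(line)
```

Run as a script it shows which of the sample lines the xconsole rule would display from host trout; note that authpriv.err and kern.emerg are not among them, because that rule lists only the four low severities for facilities it does not name, which is exactly the sort of gap a filter UI should make visible.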



posted at: 13:42 | path: /colo | permanent link to this entry

installing git/cogito on cygwin

go to http://sources.redhat.com/cygwin and install the cygwin system.

It runs a setup program that downloads core pieces that gives you bash, gcc, etc. under Windows. While you won't be compiling the code on your windows desktop/laptop, you may want to browse documents or code.

get and install cygwin (http://www.cygwin.com (http://www.cygwin.com/setup.exe)). When you are asked for the components, make sure you install curl, curl-devel, openssl, make, gcc, openssh, cvs, openssl-devel, wget, zlib. Run the cygwin setup program a second time if you missed something.

wget http://kernel.org/pub/software/scm/cogito/cogito-0.17.2.tar.gz
wget http://kernel.org/pub/software/scm/git/git-1.3.1.tar.gz
zcat git-1.3.1.tar.gz | tar xf -
cd git-1.3.1
make
make install
cd ..

zcat cogito-0.17.2.tar.gz | tar xf -
cd cogito-0.17.2
make
make install
ssh-keygen
cat .ssh/id_rsa.pub

The key that is displayed should be copied into ~/.ssh/authorized_keys on your server.



posted at: 05:13 | path: /howto | permanent link to this entry

Mon, 01 May 2006

various blog things

My blog doesn't work with the additional options. I.e. you can visit it at: http://www.sandelman.ca/mcr/blog/ but, you can't get the RSS feed at: http://www.sandelman.ca/mcr/blog/index.rss. This seems to be a problem with AcceptPathInfo, which I haven't figured out.

http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo

In discussing this, I was told I am to run "vimblog", care of: http://www.jukie.net/~bart/blog/ and http://www.dmo.ca/blog/.

AHA. I had done:

> ScriptAlias /mcr/blog/ "/home/mcr/cgi-bin/blosxom.cgi"
> AcceptPathInfo  on

which doesn't quite work, because with the trailing slash ScriptAlias matches the prefix /mcr/blog/ and appends whatever follows it directly to the script's filename (so /mcr/blog/index.rss looks for /home/mcr/cgi-bin/blosxom.cgiindex.rss), and there is no path part left over to become PATH_INFO. Without the slash:

ScriptAlias /mcr/blog "/home/mcr/cgi-bin/blosxom.cgi"
AcceptPathInfo on

Does the right thing.



posted at: 17:07 | path: /blog | permanent link to this entry

