Nardol

Today I finally went to attend some lectures. I decided that since I was to give one and Arena was over, I was allowed to just sit there and pretend I was just attending FISL10 and not organizing it.

Well, first things first. My lecture was on my fork to implement PubSub in XMPP4R-Simple. Nothing really fancy, just describing what we’re doing in Propus with that fork. I can upload the slides if somebody asks to, but everything there’s to know about it is in the code.

After having had lunch with some friends and talking with others I haven’t seen since last year (and that I still hadn’t seen in FISL), I went to the Key Signing Party we organized. That went fine. We had 114 different keys sent, but just 42 showed up for the party (including my 2). I don’t know what is the average in other parties, but I think it was enough given we had the competition of other 12 other activities, and it was a first-time experience.

Later I attended to High-Speed Cryptography and DNSCurve lecture by DJB, which was a really amazing talk. I was moderator for a panel between him and Frederico Neves on Wednesday (as I told you before), and I was present when they debated about NSEC3 and how prone to enumeration attacks it is. Frederico challenged DJB to enumerate NIC.br’s NSEC3 testing network under sec3.br. In this talk he told the audience that he enumerated 23 of the 26 hosts in that network just using desktop-level computers (and not some fancy Gigaflop crypto-breaker station)... that is until he had to prepare the last talk. (I am guessing, but he described the technique here)...

After I just learned how to Fail Faster and Succeed Sooner with Michael Tiemann, another good lecture in which Tiemann told how Fedora is coming from failure to failure until the successful last releases (and how did that tied up with RHEL strategy).

Then I went to the Panel on Electronic Frontier, one I was most curious to go. Really interesting panel talking about freedom in the Internet and how we, as citizens, have to oppose anything that takes away this freedom. One of the many good ideas I learned from that panel was how to fight against traffic shaping (one of the many things almost all ISP does in Brazil and don’t say a word about): building our own Community ISP. I found it an interesting idea, but have to research on how it fits in Brazilian legislation (it may even be unlawful).

My initial intent was to escape before the end of that panel in order to attend the session were DJB would announce this year’s Programming Arena winner group. But before I could get out, Marcelo Branco called me to join the panel in his place, since he had to take care of the proceedings to FISL10 final session. So that was it. I still have to ask Organization Committee who own the Arena…

The final session was kind of crazy. The usual announcements of numbers and a presentation of a piece of President Lula speech. Jon ‘maddog’ Hall recorded a video of the audience inviting Linus to come. It were also announced that FISL11 will be in Usina do Gasômetro. I am not too excited about this place, and I still doubt it’ll be ready to hold an event such as FISL… I’ll just play “wait and see” ;)

As usual, FISL10 most lasting “side-effect” was to see old friends. I am already missing people I am sure I’ll just see again next FISL…

I’d like to thank all the people that came to FISL10. Hope you enjoyed and come back for FISL11.

I am a little behind on the reports on FISL, but so much has got my attention during it that blogging was just put in second. I will catch up today, hopefully.

So, during the night of day 2, all those measures I mentioned had to be put in place. That was when I learned that I was suppose to be one of the selected lecturers to meet President Lula in private, representing small free software companies (how awesome!). Others include Peter Sunde, Bdale Garbee, Jon ‘maddog’ Hall, Richard Stallman, Marcelo Tosatti, Pau Garcia-Milá, Sérgio Amadeu, Marcos Mazoni, Ana Amorin, Bruno Souza, Marcelo Branco, Sady Jacques and Mário Teza.

I was told to dress accordingly… I asked what “accordingly” meant (we were in a free software event: jeans and t-shirt seemed “accordingly” to me)... but no reasoning was taken: I had to wear a tie.

Next day I went to PUCRS early, in order to prepare some lines and gather some data I could mention to the President. Something like Free Software adoption rate, which is around 26% per year, or the 134 million USD that this market moved just last year. I would also ask the President to enforce the Free Software priority in training programs sponsored by the Federal Government. I knew I would not have time for a speech or the like, and that this would be more an informal meeting… This, though, was even more difficult to prepare (I would prefer a speech!).

So, I got my pin and went to the Arena to wait for the scheduled evacuation, after which, I was told to wait in the private room, for the President arrival. I was there with the rest of the selected lecturers, so I couldn’t see when he arrived. People told me that he went all around the exposition area, and the user group area, shaking hands and being photographed with everybody there. He even entered the Programming Arena and told the contenders they were “genius” (after all, the Programming Arena was his idea, 3 years ago). People in Debian booth told me he entered the booth and wore a Debian hat…

When he finally entered the private room, everybody had about 2-3 minutes with him in the middle of a circle. Presidential photographer took lots of pictures we were told will be sent to us later this week, but of course some of us also took our own pictures. Some of those are below, taken from Sergio Amadeu’s camera:

Jon ‘maddog’ Hall gave him a Tux pin and a DVD with a animation produced only with Free Software (I cannot recall the title). Richard Stallman gave him a printed version of his book. Marcos Mazoni gave him a small totem with the stamp celebrating 10 years of FISL (the stamp was an idea I had two years ago but that we couldn’t do by ourselves – Mazoni’s SERPRO had the same idea and actually did it), and all others (including myself) just told him what we where there for. For me, in particular, he asked where I was born and how I went from being a doctor to own a free software company. I had the impression somebody already told him about me beforehand (Mário or Marcelo, for sure). I told him I was doing both right now… he smiled, hugged me and went on to the next of us.

After that, we were told to take our places in the audience room (FISL3 room in the map), where we heard Marcelo Branco, FISL10 coordinator, Dilma Rousseff, minister of Civil House (and appointed to succeed Lula), and President Lula. It’s easy to find this audience in youtube. Most interesting part of Lula speech, IMHO, can be loosely translated into English as:

I remember the first meeting we had at Granja do Torto [which is the presidential country residence – similar to Camp David, but less aristocratic], in which I understood absolutely nothing about what these people were discussing, and there was an enormous tension between those defending the adoption of Free Software by Brazil and those defending we should just do what we always did – remain the same, buying and paying for others’ intelligence. Thanks God, in our country, the decision to adopt Free Software prevailed.

He also said many things that pleased the audience. People raised a banner asking him to block Azeredo’s bill, and he said the bill was equivalent to censorship and that in Brazil it is “forbidden to forbid”.

After those speeches, he went to some other appointments, and the day 3 of FISL10 was over. I just wish that, if any President comes to FISL again, we’d be warned in advance, so we can prepare the map accordingly, and not have to run last-minute preparations. All in all, a great participation. I think all the hassle we had because of his coming were hugely compensated by what he said.

Today was a busy day for the Organization Committee. As faw told me: some people from Debian haven’t even see me yet… But all this have a reason: President Lula confirmed his coming and all his security personnel flooded FISL and asked a lot of things from the Committee.

We had to “partition” FISL. They draw a red area in our map:

and demanded that only 700 people (less than 10% of the people!!!) could access that area. We had to work all day, organizing a list of 400 people that had to work in there (people from booths, user groups, programming arena, robotics festival, etc). Those will receive a special pin. The other 300 spots, will be served in a counter that goes up and down (after 300 has entered, the only way of another person get in is someone getting out).

By noon, federal police will evacuate the red area, and will screen it (I believe looking for bombs or something like that). At 13h only those wearing the pin and the circulating 300 will be allowed back.

President will arrive by 15h. He’s scheduled to visit the red area (including the programming arena – Yeah!), then he should go into a private meeting with selected lecturers and people in Brazilian Free Software Community. Afterwards he should, himself, give a lecture in Room FISL3 (also marked in red). President will leave for other appointments and, hopefully, FISL will go back to normality.

So, all the demands from Federal Police and from the community took all day long to settle. I couldn’t attend to the sessions I wanted, nor hang out with people from Debian… Hopefully, I will not be dragged by the Organization tomorrow so I can give my lecture and attend the key signing party on Saturday… Don’t get me wrong: this is a great day for FISL (and Free Software in general) – a President of a large and democratic nation is acknowledging our existence and labour. But having to restrict access in a part of FISL is not something that pleases me (and I am sure doesn’t please the rest of the Committee). Anyways… on to day 3.

FISL10 began, as usual, with lots of people from lots of places packing PUCRS’ event center in Porto Alegre. This is indeed a special edition! The official numbers are not yet computed; as I write the counter reached 7168 attendees… But since the database has been running locally yesterday on, people that registered at PUCRS are not yet counted… Registration team will merge the databases eventually, but that’s not their top priority right now.

So, this year I am not helping TVSL, which is being taken care of by Luis Felipe instead. He’s been doing a good work and there could be nobody else better than him. My quality of life increased dramatically by letting TVSL in Felipe’s hands… Maybe this year I manage to actually attend to some sessions, and to hang out with Debian guys.

This year I will partially take care of the Programming Arena. The challenge was revealed today and 11 “heroes” are, right now, trying to respond to it. It has been requested that they implement DNSCurve. They could have no better coach at this than D. J. Bernstein, who has been helping them both at the Arena and through the Arena private mailing-list.

Earlier, DJB also were in DNSCurve x DNSSEC panel, one of the most interesting technical sessions so far (bias warning: I was moderator for it). DJB and Frederico Neves (from NIC.br) exchanged arguments exposing interesting details of both secure DNS alternatives.

Also, today we got the confirmation from Brazilian Presidency that the President will attend our event. It will be on Friday, and I am too excited to hear what he has to say about free software government policies. (Apparently, apart from Linus, we managed to get everybody to show up in FISL ;) ).

I am also taking care of the Key Signing Party. This has been a rather good experience, since it requires almost nothing from me (except preparing the keylist and showing up at the scheduled time and place) :-).

See you tomorrow, at FISL!

We’ll be holding a Keysigning Party at FISL10. This will be a good opportunity to renew my key, given I’ve been using it since 2001 and it’s an old 1024 DSA key.

I have to thank Aníbal Monsalve Salazar and Alexander Wirt for sharing their expertise in organizing this kind of event. More information on the KSP can be obtained from the announcement.

Just this week I went to the movies to check the latest incarnation of Cap. Kirk, Mr. Spock et al. It really was a great movie… I was expecting less, I have to admit. But the movie was not bad at all…

With all that “space and beyond” thing in my mind, yesterday I was surprised with a greatly inspiring picture taken from Hubble Florida, before STS-125 reach Hubble (thanks Florian Weimer for the heads-up):

How inspiring can that be?

You can find the original here, along with the explanation of how and when it was taken.

Months (even years) of activism, over 140 thousand signatures, and finally another small victory: Brazilian Minister of Justice – Mr. Tarso Genro – sent a letter [pt-BR] stating that Sen. Azeredo’ s bill is dangerous, and that the Ministry is working in an alternative (among other things). We had already incited a public hearing that were very fruitful [pt-BR] and might have brought the Ministry to the issue.

But don’t relax just yet, folks! Right now, working in this “alternative”, are people with every kind of agenda… It’s safe to assume that some of them are from the same lobby that pushed Sen. Azeredo first version of the thing. So, yes, this was another victory, but nothing really changed… The bill is still approved by the Senate and still has to be reviewed by the Chamber-of-Deputies, and the alternative that will be presented by the Ministry is still under construction. What we accomplished is nothing more than making the Minister aware of the issue…

So, keep the pressure over your representatives, send messages to the Ministry, stating how you feel about the issue! Let’s show them what we want them to do… After all, that’s why we elected them, in the first place, isn’t it?

[Published also at Trezentos, in portuguese]

Last few months since I got my EeePC have been a lot of fun. Playing and tweaking the little bastard is a joy in the end of a busy day. Besides, since I loaded it with the most useful SysAdmin tools, it became a powerful device in my “tool belt”.

Unfortunately, I’ve been stupid enough to drink a glass of orange juice while messing with it. I know, I know! Silly thing to do. I should know better! But life is like that… I spilled a few drops over it. Of course, the web is pouring off information on what to do in cases like this, so I’ll just summarize what I did:

1. Imediatelly, without thinking or questioning, I turned it upside down and removed the battery. It was a clumsy thing to do… I ended up spilling the rest of my orange juice on the floor while worrying about the EeePC. Concearns about filesystem corruption (or whatever) crossed my mind, but I can always deal with that later… First things first!
2. I went online in another computer and found out how to disassemble it. For me it was easy, since I got other two computers at home… but if I needed to leave it there while looking for information, I would! If it’s upside down and has no power whatsoever (the battery was removed), it’s safe, I think. The information was easily found. I decided I didn’t need to disassemble all of it, but having those information at hand was pretty useful.
3. I began by removing the keyboard. It’s tricky but not difficult. The secret relies on the spring-mounted tabs near the screen. I checked for spills under it and cleaned with a cotton swab.
4. I was not very confortable to open the case, but I decided that turning it back on without checking the electronic parts first was too risky. So I said “goodbye” to my warranty and unscrewed the 6 screws from the bottom and the 9 from the silver casing under the keyboard.
5. There I found some little drops! Good decision to open it up! I dried it using cotton swabs again.
6. Before putting it all together, I decided to leave it open until the next day. I was pretty sure everything was dry again, but “better safe than sorry”. The next day I successfully assembled it and turned it on. Great! Everything worked fine.

Now… that was just what worked for me. My EeePC is back, fully restored but, of course, the warranty is void :-( So I cannot recommend you to do the same. Best advice I can tell you: Keep liquids away your EeePC!

SSH is really the Swiss Army pocket knife of sysadmin tools. When I needed to periodically synchronize log files from an old server (old as in customer-would-never-update-it-or-install-anything-new), I built a simple and secure solution using rsync and ssh. This is what I did:

(I will call “remote” the system where the logs I want to retrieve are, and “local” system where I want them to be copied to) First I created an account with a restricted shell (ideally this should be a system account, but we’ll get there!):

remote# adduser --ingroup nogroup --shell /bin/rbash rlogs

Then locally, I created a new, password-less ssh key pair, copying it to my remote system:

local$ ssh-keygen
>>> When asked where to save it, I chose a different name, like .ssh/rlogs
local$ ssh-copy-id -i .ssh/rlogs.pub rlogs@remote
...
>>> You can delete the password of user rlogs, so it, effectively,
>>> cannot log-in with it (almost like a system user).
remote# passwd -d rlogs

Now you should be able to run password-less rsync already (note that I use -e option to point to a different key):

local$ mkdir logs
local$ rsync -av -e "ssh -i $HOME/.ssh/rlogs" rlogs@remote:"logs/" logs/
receiving file list ... done
./
file1
file2
...
fileN

But even with a restricted shell, I wanted even less possible things to happen. That’s what command= directive is for… It will only allow that command to be run in a session started by that key. Since rsync translates a lot of its command-line options, I run it again with a dirty ps-in-a-loop in the remote host, just to see what running rsync locally causes remotely:

remote$ while 1; do ps wp $(pgrep rsync); sleep 1; done
...
local$ rsync -av -e "ssh -i $HOME/.ssh/rlogs" rlogs@remote:"logs/" logs/
>>> in the remote loop you should be able to get the command:
  PID TTY      STAT   TIME COMMAND
 6183 ?        Ss     0:00 /usr/bin/rsync --server --sender -vlogDtpre.i . logs/

Here comes the authorized_keys magic. At the remote host I edited .ssh/authorized_keys to add a command= line with what I found out in my dirty loop. Also, I added a couple of directives to restrict it even further (they are pretty self-explanatory):

rlogs@remote$ cat .ssh/authorized_keys
command="rsync --server --sender -vlogDtpre.i . logs/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa (...) myuser@local

Now everything is set. I just added the rsync command to the local crontab and it’s done.

One of the largest FLOSS events in the world, FISL (International Free Software Forum – in english) subscriptions are already being accepted. They also already called for papers! They’re calling this year’s a “special edition” since they expect to reach 10-thousand attendees (last year exceeded 7-thousand)... this is pretty big if you ask me.

As usual, it will take place at Porto Alegre, and is scheduled from June 24th to 27th. I think we can expect the usual activities (Programming Arena, Interesting Workshops, FLOSS shows, Great Speakers, Brazilian Government), but I think the “special edition” is not just due to the number of attendees. What surprises are being cooked by the Organization Committee is just something we’ll have to wait and see :-)

See you there!

As I already told you, I am using XMPP4R-Simple in an internal project. For this, I’d have to add PubSub capabilities to it, and I did when I decided to get serious with git. Today I committed a version with integration of various patches by other forks I found on GitHub plus a lot of improvements on PubSub functions.

With this version it’s simple to use PubSub like this:

require 'xmpp4r-simple'

# Simple function just to parse an event
require 'time'
def parse_event(event)
  item = event.children[0]
  node = item.node
  time = nil; item.each_element("//published") { |e| time = Time.parse(e.text) }
  text = nil; item.each_element("//body") { |e| text = e.text }
  return { :item => item, :node => node, :time => time, :text => text }
end

# Create the clients
im1 = Jabber::Simple.new "im1@example.com", "password" 
im2 = Jabber::Simple.new "im2@example.com", "password" 

# im1 creates a node
im1.create_node("/some/node")

# im2 subscribe to that node
im2.pubsubscribe_to("/some/node")

# We'll start a simple thread to get the events coming from that node to im2
Thread.new { loop {
  sleep 1 while ! im2.received_events?
  im2.received_events { |event|
    h = parse_event(event)
    puts ">>> Got an event from node #{h[:node]} published at #{h[:time]} with text #{h[:text]}" 
  }
}}

# Now im1 just publishes anything to that node.
im1.publish_atom_item("/some/node", "This is my node", "This is the content of my node")

# The thread should capture the event and run puts on the hash from parsing.

PubSub is great, isn’t it?

I finally took some days off. Those are most needed, since I spent carnival on call at the hospital (argh!)... So Brenda and I decided to spend those days at Maceio, capital of Alagoas state, and a very anticipated vacation. They have a lot of sun and beautiful beaches, enough to fill our week (and get some tan also).

This picture was taken at “Praia do Gunga” (Gunga’s Beach), a charming place with a calm shore, almost like a pool, protected by natural reefs. As you can see, I am having a bad time right now :-)

Food is excellent, so are the people. But there are some inconveniences (as always). Beaches around downtown are not proper for bathing… They’re fighting a long fight against pollution (and loosing, if you ask me)... Also, Alagoas is a poor state… Our guide said alphabetization covers less than 70% of the people…

Also, network connection is expensive in hotels. Ours charges BRL 1,00 every 5 minutes! And the speed is not the best. They have one of those systems requiring a web authentication before you go. I’ve seem people complaining about this kind of system in Planet Debian before (reference please!) and suggesting Tunneling over DNS as a “fix”. I’ve noticed it would work in our hotel, but I decided to try another approach I’ve already written about: just a quick tunnel over an ssh connection.

I know I told you I needed an authentication before, but that is for the first connection! Yes, once the connection is established, I could just log out (thus stop the charging). No new connections could be made, but the tunnel was already up, so just put everything through the tunnel and I should be fine right? Wrong. I got bitten by a drawback of the technique already pointed in a comment when I first wrote about it: in an error-prone network, TCP-in-TCP slowly dies of attempting to correct itself over and over… and I was using a poorly connected wi-fi (loosing almost 30% of the packets!).

So, I was left with the set-up of a not foreseen tunnel using DNS as the only option… This would take time (and money)... So I decided for a simpler approach: SOCKS proxy. Yes, everything I would do could be done through a SOCKS! So a simple:

bash$ ssh -D 8888 my.remote.location

was all that I needed. That and setting my Firefox to use a SOCKS proxy on localhost:8888 and all went fine. I paid to set-up the tunnel then, once established, I logged out and kept using my tunnel all this time. Simple and effective, and I got some time left to blog about it. :-)

I’ve been using git this last few days and I am still working on a workflow for my projects. Unfortunately, as others have noticed, git violates POLS is so many ways, it ends up being hard to get.

Creating a remote repository seems to be the first thing to bite a developer switching to git (mainly if coming from a centralized SCM). I have not decided which is the best way of doing it, but I’ve been using git-daemon via inetd and a path in my remote hosting holding all my repositories for public pulling, and ssh for pushing. Here is how to create it:

local$ ssh spectra@remotehost
remotehost$ mkdir /var/git/myproject.git
remotehost$ cd /var/git/myproject.git
remotehost$ git --bare init 
remotehost$ logout
local$ cd myproject
local$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
local$ git push remotehost master
...
otherlocal$ git clone git://remotelocal/myproject.git
otherlocal$ cd myproject
otherlocal$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
(hack hack hack)
otherlocal$ git push remotehost master

Now everybody can pull your repository at git://remotehost/myproject.git and you can push and pull to it via ssh. Note that you have to setup git-daemon, which is pretty straight forward. I am using it as an inetd daemon, but you can use it as a standalone one. Debian has a package which does just that.

Now, some people think logging in a remote server just to create an empty repository is too much. Well… repositories are just .git directories. It happens that you can “push” for the first time by rsyncing your .git with a remote host:

local$ cd myproject
local$ rsync -a .git/ spectra@remotehost:/var/git/myproject.git
local$ git remote add remotehost spectra@remotehost:/var/git/myproject.git
(hack hack hack)
local$ git push remotehost master

(Apparently you can “push” using rsync every time, but it’s regarded as wiser to keep your – probably – crappy local repository commits separated from the public repository… otherwise commit messages like “Please, don’t use this code” are likely to pop up everywhere :) ). Now, I don’t know if this have side effects, but it works :-)

Another thing to notice is that git is more directed at pulling than pushing. This may be because of its designer: the way Linus works is by pulling changes from others’ repositories and not by letting others push’em into his one. And this is another violation of POLS for most of the people, who is used to “commit” their changes into some remote repository. Rather than that, people using git would expose their own repositories in order to have it pulled by others.

I also agree with most of the git critics wrt git commands… There’s a lot of examples – and I am not going deeper in this – but I think it was a bad choice calling “checkout” what git does when told to “checkout”, for instance. Yes, I know… different tools, different ways of seeing it… but everyone was already used to what centralized SCMs call their operations, and I think it would only help git adopting same names for the same operations, and inventing new ones for those proper of decentralized operations. Anyway, once you get it (and I have not completely got it yet), it seems all flow as expected. If this adaptation fails, there’s still Easy Git to the rescue!

One last thing that I think contribute to the “git sucks” effect: git-svn. This is a great tool, but it was built from git’s point of view… Given it’s intended as a glue for Subversion newcomers, it would benefit more from being built from svn’s point of view. This was mentioned by a colleague developer in my company, when he just couldn’t understand why one have to git svn rebase instead of a simple update. So git-svn also suffers of the “bad command naming habit” git do. Of course, that given that you came from this environment (I am sure git and git-svn makes perfect sense for Linus & cia :-) ). I have not tried yet, but yap seems to be targeted on providing an alternative to git-svn.

I was browsing GitHub, getting to know the system and feeling pretty amazed by it (seriously… I felt I discovered Orkut for developers)... when some thought just stroke me: how do they save space?

Yes, I know git is pretty efficient when it comes to saving space. Yes, I also know that space are becoming cheaper with time, but still, they claim to have +50k developers hooked up their servers… if they’re not doing something about space, things will go inefficient quite quickly. Rails alone seems to have 464 forks! If all of them represent one bare clone of the ‘canonical’ repository on GitHub’s side, that is a lot of space wasted in duplicated things…

Git has one amazing feature: hashing the objects it keeps track of. It surely doesn’t seem too complicated to design a schema that avoids having two copies of objects with the same hash. So all those forks of Rails, on GitHub’s side, would be just hardlinks to the ‘canonical’ repository…

Surely people working in GitHub are smart enough to have though about it on their own… Who knows? Maybe that’s exactly what they’re doing already! If so, can I ask them to share their schema, since it can become very useful to the rest of us? If not, can we beat them ;-D?

Everybody seems to be using git these days… I am not very found of “hypes”, as I told you before, but there’s been some time I’ve been evaluating git. I was happy with svk for quite a long time… Lately, though, I’ve been developing and extending a lot of ruby libraries, and all of them seem to be hosted at GitHub and using git… So, why not give it a serious try?

I chose a simple task on my TODO-list: to extend xmpp4r-simple to support XMPP PubSub, so I could use it in an internal project at my company. So I “cloned” its git repo and started developing. Not a really hard task, since all I had to do was use the underlying library (xmpp4r – not surprisingly also in GitHub) and mimic what Blaine’s done for the callbacks and it was ready (and working… although I still need to put more time on the test suite).

I am still exploring… It will take some time to migrate my stuff (and maybe a lot will remain in my company’s Subversion), but that’s what git-svn is for, isn’t it? Right now I am looking for ways to work with git-buildpackage and Debian git tools… Do you have some advice on that?