nchip

Danske bank fiasco

Wed, 26 Mar 2008 15:45:38 GMT

Approximately one year ago danske bank swallowed the second-largest Finnish bank, Sampopankki. Last weekend, the perfectly fine working web-bank was flushed down the toilet and replaced with Danske Banks infrastructure. So far the results are quite horrific:

People are reporting missing/too much money been shown in their accounts.
Standard ssl/html based frontend has been replaced by a java applet. Worse, it needs a JNI library. Apparently to sniff your PC configuration. Surprisingly they provide a (ia32) Linux JNI lib as well. Compile once, run to the hills...
The new webbank has security holes. url's that show a competing banks login prompt instead of sampo/danske bank are circulating on IRC. Apparently the danish website has the same bug too. The bank representative has (so far) refused to acknowledge there is a security hole.

A surprising number people have dismissed the whole issue as "IT business as usual, why complain?". Sure, we all *know* that most IT projects deliver late, fail to work until the first service pack, fail to import data properly from previous versions or simply fail completely. But is that something we should just accept as part of life? Even for banks that are (were) holding our money?

Tue, 04 Mar 2008 21:56:03 GMT

Texas Instruments (TI) joins Linux foundation. Congrats.

TI will help foster the growth of the Linux platform and collaborate with industry leaders who define both technical and operational best practices around open source software. .... TI will further ensure that its customers have the necessary tools to create innovative and differentiated Linux-based mobile devices that use the OMAP platform and DaVinci technology.

How about starting with

Releasing the OMAPx TRM (Technical Reference Manuals) available to Linux community
Documenting your DSPs and providing a OSS bios for them (compilable with a OSS toolchain)
Release drivers for _all_ parts of OMAP chips, such as the AES accelerator, Jazelle java acceleration, powerVR 3d and so on.

If you continue providing documentation only for "high volume customers", your membership in Linux Foundation is a PR stunt at best.

And so it begins..

Tue, 05 Feb 2008 09:42:59 GMT

accepted: dpkg_1.14.16.6_armel.changes

AKA: ftp-master is now accepting armel packages

Thanks AJ!

current todo item: populating the archive cleanly

Where is debian/armel port

Sat, 03 Nov 2007 18:20:09 GMT

Sune asked where debian/armel is. Inspired by the blog, I posted a status update to debian-arm mailing list.

Other random updates

1) apt-get install recommends has now been enabled by default. This bites sbuild and pbuilder (#448562). In your buildd chroots set APT::Install-Recommends "false"; and be aware that you pbuilder build results might not be as pristine as we all have got used to..

2) I blame the rapidly growing kittens here for distracting me...

Teaser

Tue, 09 Oct 2007 17:47:39 GMT

Sneak preview of Debian/maemo packages running on Debian/Armel port device.

Debian armel status

Sat, 04 Aug 2007 12:07:30 GMT

The debian armel port reached one milestone yesterday: Being able to run debootstrap from DD-signed, upto-date unmodified debian/unstable packages.

Looking backward:

* When watching the buildd's, the worst of Debian is visible. You don't spend much time wondering on successful builds. The time goes into wondering about the crappy code that fails to compile, the maintainers who ignore RC bugs for months, code with dead upstream..
* bootstrapping a Debian port is still painful. Fortunately Lennert did that for us this time.
* Most maintainers are very responsive, and are happy enough apply patches that help even unofficial ports. The few who ignore patches or are else effectively MIA can cause long delays...
* C++ code is evil. or at least the g++ implementation of it. A random game written in C++ can take 5h to build, when even the most complex C apps compile in 2-3 hours (with a few exceptions like glibc and linux-2.6). Worse, g++-4.2 seems to be another 10-20% slower than g++-4.1... Remember God kills a kitten every time you upload a c++ package unnecessarily!.
* Esoteric language bindings suck too.

Looking forward:

There is some 500 (out of 7100) packages that in Dep-Wait state due some missing packages on armel port:
* ~290 packages that would need FORTRAN (!). specifically the old g77 version...
* ~80 packages waiting for objective C / gnustep
* ~70 packages waiting for ghc6 or related Haskell code
* ~40 packages waiting for Java (being worked on)
* ~15 packages waiting for mono (patch in BTS)
* Then there usual crop of esoteric languages, packages failing to build with current unstable on any port, and packages build-depending on stuff removed or to-be-removed packages.

Effectively this means getting armel over 90% built of Debian needs either g77 to armel or getting Debian to migrate from g77 to gfortran (which is available but not throughly tested on armel). I'm working on the second route..

* Start building d-i images. So that Eddyp can have blazingly fast softfloat rrdtool on his nslu-2 without bugs and trouble.

* Request inclusion into Debian ftp archives. I think with the latest milestones, armel should be ready for archive as a "second class citizen". Inclusion for lenny needs still some work.

* Finally: there's tablets and phones waiting to for Debian armel mobile ;)

Official statement of the year

Thu, 12 Jul 2007 17:47:49 GMT

UK military spokesman Major Mike Shearer said: "We can categorically state that we have not released man-eating badgers into the area."

Source: BBC

Fri, 22 Jun 2007 12:50:43 GMT

Since the release team update got the arm architecture names mixed, chances are that others are confused as well.

* arm - This is the current in-Debian, little-endian hard-float old-abi port.

This is somewhat inefficent port, as the hard-float code needs to be emulated
in the kernel. It is also depreciated by upstream.

* armeb - This was a effort to create an big-endian old-abi port.

Since the Linksys NSLU-2 got it's Ethernet driver reverse engineered and thus it became possible to run little-endian Debian on it, interest on this port has been weak. If interest in bigendian arm returns, it will probably be re-ported using EABI and softfloat.

* armel - This the shining new little-endian EABI (and thus soft-float) based architecture.

THIS IS SPARTA^W THE FUTURE.

state of arm port

Fri, 08 Jun 2007 19:57:46 GMT

All doom and gloom? far away from that.

The good:

* Arm port is now third most popular port according to popcon.
* This mostly thanks to the popularity of Linksys NSLU-2, a tiny 80€ computer able to run Debian. Do you have a old pentium sucking up electricity in your closet? Do a service to earth and replace it with a NSLU-2!
* Armel (Arm EABI) is now at "63.41% up-to-date. That's 4515 packages built out of 7121". See the fancy Graph for the progress. Catching up sid has been achieved with just two buildd's (Thecus N2100) in my apartment and Aurelien Jarno building selected packages. Plus of course pioneering work from Lennert Buytenhek and people who created EABI in upstream.
* All core packages except apt (which hasn't seen a upload to sid since etch) have now armel support in official Debian packages.
* the old arm port has started catching up in up-to-dateness again, now that all buildd's have a recent enough kernel for glibc 2.5 (2.6.12+)

The bad:

* We need someone to take responsibility on the toolchain for arm. Java is semi broken on arm, Fortran, Java and objc need work for armel.
* There is still communications problems. It took quite a while to find out why glibc 2.5 doesn't work on some buildd's.
* People have lost interest in Bigendian arm port after nslu-2 started working with the regular Little-Endian arm port. General consensus is that bigendian port would only matter for highend networking gear.

The future:

* More supported devices. Now we support NSLU-2, Thecus N2100 and a few related IOP based devices plus netwinders. Arm boasts their partners shipped 2450 Million units based Arm technology in 2006. Would you like to run Debian on your brand new scsi RAID card? mp3 player? Cellphone? Internet Tablet? Washing machine? Your choice!
* Better recovery options. Many arm devices are headless, and if it crashes or doesn't boot, figuring out what went wrong is tricky. This is not really arm specific, but comes up often enough in debian-arm list.
* Anti-bloat festival. Many arm devices have very little storage and RAM available. To run debian on these, we need to figure out who to get rid of extra FAT. Less bloated software is everyones advantage.

cdbs: empathic maybe

Sat, 18 Nov 2006 11:16:08 GMT

I tried to ask our cats if they felt threatened by CDBS. They didn't seem really worried.

I'm not sure if it is entirely fair to blame CDBS for complex packaging issues. If CDBS was not available, more maintainers would just cook up their own spaghetti packaging scripts. The balance needs to be somewhere between "everyone reinventing the wheel" and "frameworks that are harder to use than the raw stuff". Currently I would recommend only using CDBS for simple packages.

Dear lazyweb..

Tue, 25 Jul 2006 20:16:07 GMT

Relatively simple task - given a pid, find out if it is in the same chroot as you. Until now we simply used the following code, which would error out if the given pid was not in chroot like us:

readlink /proc/$pid/root

All good things end up eventually, this time with the soon to come out 2.6.18 Linux kernel release. A recent commit changes the permissions of symlinks in /proc, (not only /proc/$pid/fd like it would seem from the commit message). Using ptrace as security policy is not a bad idea. If you can access the information via ptrace, hiding it from /proc made little sense. Which leads to the scary observation that one can ptrace any process with same UID outside your chroot sandbox. This is not a security bug, since one can escape chroot anyway. I just hadn't realized *HOW* easy it was.

Back to the topic, using /proc/$pid/root was not a standard or even documented interface, so I can hardly complain. I'm still left without a proper replacement:

So what AM I supposed to use?

about DPL..

Tue, 11 Apr 2006 17:51:39 GMT

AJ, my congrats too. Together with your other positions in Debian you have accumulated, I feel you really need watch for yourself - don't burn out! Delegation time, please. In less serious tone, prepare for the hardest task of your life: [Flash warning] Herding CATS</> :)

planet techsupport

Tue, 11 Apr 2006 17:42:24 GMT

Ross, use


debuild --preserve-env

Now that we are aware of it, we might fix the default for the next release. Of course, if I guess correctly where you need scratchbox, you can't use a new version anyway anytime soon... Crappy Crap..

Speaking of new versions, Scratchbox 1.0.3 AKA Scratchbox Apophis (looks like our new developer is Stargåte fan..) is out. Most important change is:

* easier support for "foreign" toolchains and host binaries.

In older versions toolchains and other host had to be built with scratchbox's own HOST toolchain using a gar-based build system. While making your own toolchain using scratchboxes build system is really not hard, it seems to scare people away. With foreign toolchain support, you can for example take CodeSourcery's excellent prebuild Gcc 3.4 2005q3-2 arm EABI crosscompiling toolchain and just drop it in. OTOH copying, setting up the symlinks, support files etc is a bit tedious, so that particular example is available Prepackaged too ;)

lazyweb answers: gnokii

Wed, 08 Mar 2006 12:58:57 GMT

Ross, What you want is SyncML (WBXML encoded) over OBEX over bluetooth. Complex? Acronym overload? yes. There exists rumours that with an unreleased $REVISIONCONTROL snapshot of opensync syncml plugin it is actually possible with free software.

However you can cheat and just use (nostalogia alert!) AT commands to retrieve and write phonebook entries. gnokii --getphonebook and --writephonebook work perfectly here.

Linux destroys evidence!

Thu, 16 Feb 2006 19:03:56 GMT

Of all the evil things Linux does (promotes communism, is cancer, has higher TCO or destroys jobs, is unamerican..), A new horror has been found: Linux destroys evidence!.

In other news, we now know Linux is used even by Fortune 500 CEOs.

Allnet ALL6500: Next Debian/Arm porting machine?

Thu, 02 Feb 2006 20:57:25 GMT

Finding arm machines is not hard. In fact, everyone of you probably owns some of them. However, finding something suitable for Debian infrastructure usage is harder. For example Buildd load pattern requires not only a decent CPU, but above all good IO performance. Most ARM systems do not have a hard drive, and if they do like on personal media players like Archos pma400, the drives are slow and optimized to minimize power consumption.

Therefor, the logical place to look for machines would the NAS devices, like the already-being-Debianized Linksys nslu-2. NAS machines tend to (relatively) cheap, well available and need good IO performance. The main problem with NAS devices is the lack of RAM (to minimize costs they tend to have 32MB or something soldered to mainboard), so I was more than happy to spot a NAS with 256MB of ram:

Linksys NSLU2	Allnet ALL6500
266Mhz* ixp420	400/600Mhz IOP80219
32MB ram	256MB ram
USB 2.0	2xSATA & USB 2.0
100Mbit ethernet	2x 1000Mbit ethernet
95€	350€

*overclocked

The real shocker came when reading "Manual englisch": (arrows by me)

This bloody thing seems to have a DIMM socket!

GPL sources seem to be well available. Can someone from .de confirm if the memory is really there? (Why does so many cool hardware never end OEM'ed this north?) IOP80219 supports up to 1GB so it really seems quite promising :)

Weather..

Thu, 19 Jan 2006 21:45:30 GMT

...Suddenly I feel like a sissy remembering I thought in the morning that -20 Celsius we have here is bad.

You know you have seen to many personal flamewars when..

Sun, 15 Jan 2006 20:40:15 GMT

When you see


Subject: [mythtv] Problems with Bob Playback

And you wonder who is Bob Playback and what has he done..

Heading for demonstration

Tue, 04 Oct 2005 05:52:00 GMT

Today, a Demonstration against copyright law changes is happening. Never demonstrated before, I think this will turn into a interesting experience.

Debian developers on a google maps widget

Fri, 23 Sep 2005 22:40:20 GMT

And in less serious news, a small google maps hack (Requires fast CPU or LOTS of patience):

Debian developers around the world

This is from the data at http://www.debian.org/devel/developers.loc, which has the same thing rendered with xplanet. I have to wonder, if LDAP has more accurate cordinates, those seem a bit rounded.

The shadow of DMCA creeps to Finland

Fri, 23 Sep 2005 22:33:21 GMT

Tommi Kyyrä, IFPI finland:

“Now, we need to understand that listening to music on your computer is an extra privilege. Normally people listen to music on their car or through their home stereos”, says Kyyrä and continues; “If you are a Linux or Mac user, you should consider purchasing a regular CD player.”

This madness began in 2001, when EU passed EUCD, the European version of DMCA. Next year, Ministry of culture introduced the first proposal for the Finnish implementation of EUCD. After fierce criticism from EFFI and various citizens, the committee studying the proposal rejected it before parliaments vote, demanding that the ministry must consult everyone effected by the change in law. When creating this proposal, practically only Music Industry pressure groups where heard.

Fast forward September 2005, and Ministry of culture and Music Industry pressure groups are pushing the second proposal a lot harder. All the parts from we hate are still there - No interoperability, chilling effects on security research and freedom of speech, and so on. Minister Karpela Claims that she is surprised by the criticism, and complained that people should have criticized properly during the law preparation phase (Not telling that EFFI _WAS_ heard during preparation, and their opinion was ignored).

The Media was alsoquick to to find out, that Jukka Liedes, the bureaucrat who actually wrote the Law Proposal, has a also a position ESEK, a Finnish Music Industry Pressure group. Such corruption is almost unheard in Finland.

On friday, the "Grand Committee" passed the law forward without modifications, for the parliament to vote on later. A requirement was appended that "Ministry of culture must ensure, that all users are able to view/listen to copyprotected content". Several The chairman of Grand Committee, already declared the appended part "Naive". Which it very much is. Entertainment industry is not going to relax copyprotection for say, Linux users in Finland...

The worst part? According to the current proposal,

Downloading music from internet without copyright holders permission is not a punishable offence, but breaking copyprotection of a CD you have bought, is.

Me too!

Fri, 16 Sep 2005 12:01:38 GMT

I'm such a follower..

np: The gathering - strange machines

Tips for daytrip

Tue, 12 Jul 2005 15:54:43 GMT

* Wake up early
* Wear clothes suitable for *hot* weather
* Sun lotion might be a good idea too
* Be in the front of dorm building at 10:15
* Buy some snacks and take cold water with you
* DO NOT LITTER! Thou shall suffer death by one thousand paper cuts and burial in un-blessed soil if you do!
* Enjoy :-)

o_O

Fri, 08 Jul 2005 16:52:47 GMT

Debcamp has been slightly rough, but apparently not rough enough. Of all the things that have not gone perfectly, I heard most complaints when our web cam was down:

Other random notices:

* Foreigners like sauna but not Salmiakki (a kind of Licorice)
* Nobody has complained about missing lamps during nighttime
* April 1st was a while ago, right?

And as last point, I would like to remind debcampers, that from saturday morning breakfast will be available 08.00 -> 09.00 At TF, instead of all day at dorms. Also, for the weekend, the lunch time is limited from 11.00 -> 14.00. For more details, refer to the Food page at debconf site.

software patent directive gone

Wed, 06 Jul 2005 12:42:46 GMT

So software patent directive was shot down at 648-14 votes. Not time to rejoice yet (well, maybe one beer.

The media seems to have picked up examples like "ABS brakes" and "CAT scanners" as examples of rejected patents, which is terribly misleading. They are examples of Inventions having computers, rather than the pure-software patents free software developers and small businesses are against.

We need to start working for a sane patent unification directive, that does what it says, not this Computer-Implement-Invention crap, that in fact legalilizes pure-software patents. The industry lobbiers have probably already started lobbying a new weasel-language directive.

At the other end, we need to stop our local patent offices from issuing swpats on their own.

...