Planet FOSDEM

Philip Paeps: French code

2008-08-20T17:12:00+00:00

An application I've recently inherited is making my eyes bleed. Its authors felt it would be a good idea to write the application in "French C". All the comments are in French, and there are wrapper functions (like boucle) for for "English" C constructions.

I've said it before: localization sucks. French is a very nice language but not for software. Software is written in C and C looks a bit like English.

Live with it.

Philip Paeps: The travel adapted sausage

2008-08-17T11:54:00+00:00

12:54 BST

Our little devsummit in Cambridge is proceeding well. Excellent dinner last night, gracefully paid for by a large FreeBSD-using company. Mark Murray showed up too, it was good to finally meet in person.

King's College is having it's so-called "wedding season". I learned that graduates are allowed to get married there and many seem to take the opportunity. There was quite some drunken ritual chanting going on until very, very late last night and when I checked out this morning, there were a number of very hungover people queueing in front of me (Brits will queue for anything?).

This morning, we went punting on the Cam. The weather was a bit drab earlier, but the skies cleared and it was a very nice trip. After punting, Dag-Erling somehow managed to leave a travel adapter at a sausage place, which gave rise to an interesting wordgame between me and Ollivier.

I'm travelling back to Heathrow and Brussels later today. Pity I'll be missing the piss-up at Mark's place which appears to be scheduled this evening, but that can't be helped. Turns out that David is flying out from Gatwick around the same time as I'm flying from Heathrow, so that should make the train ride a bit less dull.

Quite a lot of vimage work got done at this devsummit and I got a number of interesting things done too. I think I've found a way to unbreak the bridge mayhem I caused, but I'll need a bit more thought. I also volunteered to mentor Ben Laurie for a src commit bit. He'll be working on OpenSSL and with a bit of luck, we can get trick him into taking crypto(9) and crypto(4) duty too. :-)

Philip Paeps: Productive devsummit so far

2008-08-15T23:07:00+00:00

00:07 BST

Our developer summit here in Cambridge started off rather well today. Robert decided that a brisk half hour walk from King's to the computer lab was a good start of the day. I happen to agree.

During the "trying to get organized" phase of the early morning, I sent out a core report which spawned a little discussion and committed a trivial patch adding a hw.ata.ata_dma_check_80pin loader tunable to work around bugs in systems which don't set the "pin 34 is grounded" bit in the ATA config register to indicate that speeds faster than UDMA mode 2 (UDMA33) are okay.

This makes the Soekris net5501 SATA experience a much happier one. I'm told a number of laptops and even blade servers have issues like this too.

Just before committing the patch, I noticed that marck had submitted a virtually identical one as a PR about a year ago. I need to trawl the PR database more often...

In the afternoon, attended a weekly meeting of the "security group". Markus made an interesting case for providers to "sell distributed attacks", which reminded me of why I've always looked upon academia with a certain level of caution. "Warning, the real world may be very different from the one being discussed in this room". Nevertheless, it was good food for thought. Stuff to keep in mind when dealing with ISPs...

Dinner at a very nice Thai place. Dessert was something green of which I didn't quite catch the name. Tasty though. Unfortunately, the King's bar was closed when we returned from dinner, so a subgroup headed off to The Eagle.

England has not yet realized that World War I has been over for a good while, and pubs still close at 23:00 to ensure that factory workers building artillery are in bed in time. Grr...

I liked the "please keep this bar clear for returning glasses" sign. I'm sure the girls at Delirium would love one of those for the next FOSDEM beer event lest they get showered by returning beer glasses again.

Tomorrow, I'll be looking at unbreaking some of the damage my bridge patch from a couple of months ago caused. There seem to be some subtle failure modes in ARP and PFIL(9) which need to be addressed. I've received a patch for the ARP issue, but PFIL needs a bit more thought.

I love developer summits. Empties my laptop of patches!

Philip Paeps: Minding the gap

2008-08-14T21:53:00+00:00

22:53 BST

After a fairly uneventful flight, I found my way from Brussels to Heathrow earlier today. From there, I took the tube and the train to Cambridge where I found King's College. I am trying to decide if this is the oldest building I've stayed in.

On the way here, I learned that there are fourteen treacherous gaps to be minded along the Piccadilly line from LHR terminal 1 to King's Cross, at least another two at King's Cross and curiously not a single one between King's Cross and Cambridge. I have successfully minded each of these gaps.

I also discovered (yet again, gods damn it!) that it is not a good idea to put a train ticket with a magnetic stripe in the same pocket as a mobilephone which is desperately - if unsuccessfully - trying to find a network to talk to. It will be the usual fun trying to get that ticket refunded... Funny that my credit cards do not suffer from these problems.

Anyway: I have arrived at Cambridge. I am minding the gaps. This island must be the most sign-posted one in the world. I don't know why this amuses me. It always has. I will try to take pictures of some of the more amusing signs I find. The best ones so far, are the ones at the airport suggesting various types of abuse you might like to try out on Her Majesty's Customs officers which they will not tolerate. There were quite a few modes of abuse I would never have thought of without those very helpful signs!

English beer hasn't changed.

Philip Paeps: Webcomics

2008-08-14T07:47:00+00:00

Damn and blast webcomics! Especially the ones which are amazingly well-drawn and have a brilliant storyline. Gaaah! I spent until 02:30 this morning reading through the archives of Anders Loves Maria.

The occasional Swedishisms are hopelessly funny. They probably make absolutely no sense to anyone who doesn't know a Scandinavian language, but let this be your excuse to learn one.

I will never be able to say 'bork' with a straight face again. Not that the opportunity to say 'bork' often presents itself, but...

Anyway. Super comic! And one without tshirts! My closet is safe. :-)

Philip Paeps: Making lists

2008-08-11T09:58:00+00:00

The details for my hiking trip in the wilderness of British Columbia are getting sorted out. This weekend I bought a new tent. A tunnel-type, much lighter and quicker to set up than my aging dome-type. I also bought some more wilderness-proof clothing.

Last night a Wanderung moderator sent me map references for the area I'll be visiting and this morning, I ordered nice large laminated copies of the maps from Map Town. Tim also sent me some tips on how to deal with bears (or rather, how to avoid dealing with bears), those should come in handy!

This weekend I'll be in Cambridge for a FreeBSD Developer Summit, so I'll have to do some last minute shopping next weekend.

Still looking for travel companions. I posted a planning callout to the Wanderung list. I hope some people are interested.

Making checklists of stuff not to forget.

Philip Paeps: Committed glxsb

2008-08-09T19:17:00+00:00

Earlier this afternoon, I committed the glxsb driver to FreeBSD-CURRENT. This was ported from OpenBSD by Patrick Lamaizière. This driver deals with the security block in the AMD Geode LX application processors.

I am now cooking up patches to implement rndtest(4) and have been investigating some ways to make it perform (even) better, in particular on parallel loads.

Initial performance tests show some fun results:

[400] (philip@detritus)~% /usr/bin/time -h \
> openssl enc -e -aes-128-cbc -k abcdefghi \
> -nosalt -in ./crypt -out /dev/null
        1m19.48s real           1m9.08s user            3.70s sys

[401] (philip@detritus)~% /usr/bin/time -h \
> openssl enc -e -aes-128-cbc -k abcdefghi \
> -nosalt -in ./crypt -out /dev/null -engine cryptodev
engine "cryptodev" set.
        34.22s real             1.51s user              6.88s sys

Not too shabby. But I'm sure we can do even better than this. :-)

In particular, I'd like to try reducing the load on the kernel. The driver currently busy-loops waiting for the operation to complete because the interrupts are very very slow. For some reason, that feels wrong to me.

We'll see where this goes. :-)

Philip Paeps: One time passwords

2008-08-08T19:34:00+00:00

Because I'm paranoid, I use one time passwords for logging in when I don't have my private key (translated: my laptop) with me. For some reason, people look at me strangely when I log in with a one time password because they think it's difficult to set up or something.

On FreeBSD, at least, it's amazingly easy to set up:

[522] (philip@carrot)~% opiepasswd -c
Adding philip:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:

ID philip OTP key is 499 ca0476
HAW JUDY DUTY GUN SONG MINK

Linux distributions will probably want to make it a bit more difficult, but I can't imagine them making it much more difficult. You'll probably just have to jump through hoops to install OPIE or S/Key or something similar.

Next time you need to log in without having your private key nearby, the password prompt will ask you for a one time password:

otp-md5 498 ca0476 ext
Password:

Note the 498 above. opiepasswd only told us 499, so you'll need to use opiekey to calculate the response to 498. Not too difficult:

[756] (philip@vimes)~% opiekey 498 ca0476
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
AGO SINK ROLL ROWE ENDS WORE

I like to print out a list of twenty or so one time passwords and carry them around with me. Easy!

Pascal Bleser: Thunderbird/Enigmail: fix quoting

2008-08-07T07:53:17+00:00

At some point Thunderbird/Enigmail started quoting using "|" instead of the standard ">".
Finally bothered to find a way to fix this!

When you have the about:config extension, read this thread on the enigmail forum.

When not, do it by directly editing Thunderbird's prefs.js:

for f in ~/.thunderbird/*/prefs.js; do 
echo 'user_pref("mailnews.send_plaintext_flowed", false);' >>"$f";
done

Philip Paeps: Looking for travel companions

2008-08-03T20:04:00+00:00

I have a return ticket to Vancouver leaving 29 August and returning 15 September. I don't have any "real" plans for what to do there yet, but I'm vaguely planning in the direction of exploring the Stein Valley Nlaka'pamux Heritage Park.

As I'm not suicidal, I'm looking for two or three travel companions to go hiking with me.

Suggestions for sites or newsgroups for hooking up hiking geeks would be appreciated.

Philip Paeps: Warning: you cannot fly!

2008-08-03T16:31:00+00:00

Yes, it's that time of the year again. There is nothing newsworthy to report, so other things are being reported. This makes newspapers and their online equivalents all the more interesting to read!

Today, De Morgen reports on the untimely demise of a gentleman who decided to jump out of a window after reacting badly to a paddo dinner. Curiously, the man didn't expire immediately after learning that he couldn't fly. For some reason, the oxygen-supply in the ambulance exploded when the operators tried to use it to keep the man alive.

Interesting case of sensationalist reporting. I bet that if they'd reported on this as "a man who jumped out of a window died after an oxygen bottle intended to revive him exploded in the ambulance", a number of people would make noise about the maintenance of ambulances. Instead, many people will just write this off as "just another confused psilocybinophile" taking one trip too many.

Perhaps it's time to insist on warning labels "you cannot fly" being added to mushroom packaging?

Christophe Vandeplas: ITIL v3 Foundations recommended

2008-08-02T13:23:00+00:00

Last week I followed a course called ITIL v3 Foundations. During three days you get an overview of the ITIL principles and terminology.
If you're busy in the IT services world, I really advise you to follow the course. The things you'll see are usually logic and obvious but putting them all together give a more clear view over the whole process. Another useful extra is that you'll recognize and understand the terminology better. This terminology has become a kind of standard so it's not only 'yet new acronyms to learn' ;-)

Oh, btw, if you subscribe for this course at Dolmen during the summer you'll get the exam for free. More info here. Version 3 is currently given by Tom Segers, next to his daily consultancy for our customers he gives courses regularly and does a great job.

Christophe Vandeplas: Hacking at Random 2009

2008-07-31T20:30:21+00:00

Don't forget to reserve a week in your agenda around August 2009. After WTH and CCC2k7 HAR is coming. To stay updated don't forget to subscribe to their RSS feed.

In 1989 a great tradition started with GHP (Galactic Hacker Party), which continued four years later in 1993 with HEU (Hacking at the End of the Universe), HIP (Hacking In Progress) in 1997, HAL (Hacking At large) in 2001 and finally WTH (What The Hack) in 2005. We want to continue this tradition in 2009 with another great outdoor hacker event.

The name is HAR: Hacking At Random 2009.

Christophe Vandeplas: 5 years after a change in attitude

2008-07-31T19:08:34+00:00

It has been approximately 5 years I finished using stolen or pirated software. I must admit: I love it!
I love the look on the face of others when they hear I have no illegal software on my machine.
I love the feeling of being legit with all that software.
I love to help others do their first steps in this uncommon world.
And no, I love my money and don't spend it when it's not necessary.

It's all about the attitude.

The most difficult part is the attitude that needs to change.
My previous attitude was to look for a well known brand, download the software, crack it and play with it. If it could do what I needed it for I kept using it. But what with all the unused features? What with the price of this software? That's not important, it's "free" says the thief.

Like with everything in this world there are different options you can choose from. But do we have the choice with software?

Sure we have. I usually see two different options: a) use open source software or b) find an alternative that is worth it's price.
Many (almost all) open source software packages are available for free. Many are even of a great quality, but finding the right packet is difficult. There is a great site around called osalt. It's a huge list with well known commercial software and their similar alternatives in the open source world. There is a short description and a list of supported operating systems. Be sure to check out this site and find what you need.

In the rare case it is possible that you can't find what you need, just look around for other software that is less expensive. Dare to try free beta's, usually when pre-ordering you get a reduction.

aether - Mac OS X

On my Mac I have three commercial software packages that need to be payed for. The first one is Mac OS X, but this one I payed for when buying the computer.

The second one is VMWare Fusion. When I was in then need for a hypervisor on my Mac the only open source alternative was Q. Unfortunately it had a huge performance impact on my machine. So I tried Fusion's beta program. The product worked very well and a few months before the final release there was a 50% off from the price of $80 making it $40 or €30 (by then).
Right now you can use VirtualBox as alternative, but that wasn't available yet when I needed it.

The third commercial software is called Bibble. I couldn't find a good open source alternative that ran on Mac and Adobe Lightroom 2 with it's $300 is really to expensive for me. So I bought Bibble that delivers the required features for $130 or €83.

What about the rest? It's fairly simple here's a short list:

Browsing - Mozilla Firefox
Email - Mozilla Thunderbird
Office Suite - OpenOffice.org (or NeoOffice in the past)
Chat - Adium
Launcher - Quicksilver
Notification - Growl
Video - VLC
Burning - Burn
(s)FTP - Cyberduck
Code editor - Smultron
Backup - iBackup (not open source, free for personal use)
...

sws00448 - Microsoft Windows

This is the computer I have from my company. I'm 'forced' to use many commercial software but they do pay for it. So it's not really my problem. Let's skip that boring non-Office or administrative software if you want.

Browsing - Mozilla Firefox
Full-Disk Encryption - TrueCrypt
Secure Erasing - Eraser
Office Suite 2- OpenOffice.org
PortableApps - Portable Apps
Chat - Pidgin
Launcher - Launchy
Video - VLC
Burning - Infrarecorder
(s)FTP - FileZilla
Code editor - Notepad++
Shell - Cygwin
...

neptunus - Linux / Ubuntu

No need to make a list here. For all the software you want just got to the "Add/Remove Software" menu item. In contrary to some other Operating Systems you can really add software in this place.

Conclusion: I changed my attitude

Do I miss something on my machine? No, and I'm really happy with the things I use, and (almost) all for free.

Jump on the bus and try out free software.

FOSDEM news: Kickoff BBQ

2008-07-30T19:17:55+00:00

Last Saturday some fellow FOSDEM organizers joined for the FOSDEM 2009 kickoff BBQ. The meteorological institute predicted a lot of rain, but the Open Source gods were in a good mood and gave us a fantastic weather. Some of us even had a swim as you can see.

Don't forget to subscribe to the RSS feed to stay tuned.

Ralph Meijer: XMPP and Social Networks, part 2: Nodes

2008-07-30T15:25:02+00:00

In part 1 I wrote about what you can subscribe to and how a social network service will send out notifications. I often used node as the thing you subscribe to, a term comes directly from the XMPP Publish Subscribe specification. In other publish-subscribe implementations this is often referred to as topic. Nodes are kept by a publish-subscribe service, and, among other things, this service is responsible for keeping the list of subscribers and sending out notifications.

Publish-subscribe services currently come in two forms: dedicated publish-subscribe services with their own domain (e.g. pubsub.ik.nu) and publish-subscribe services tied to a user account (often mentioned in combination with the Personal Eventing Protocol, also known as PEP). In the latter case, nodes are kept at the bare JID of a user's account (e.g. ralphm@ik.nu. Personal pubsub-nodes have nice properties, like the ability to directly associate a particular node with a person, and the possibility of doing access control on the user's contact list (roster).

Node organization

In the context of federating social networks, a service needs to decide where to put the nodes it wants to allow other entities to subscribe to and send out notifications from. In some cases it makes sense to keep nodes at user accounts, though in some other cases it is better to provide the nodes at the domain of the service itself. This depends on the nature of the social objects and the subscribable unit you provide. Let's explore some use cases.

Jaiku

In Jaiku, social objects (microblog posts and aggregated items like photos, bookmarks, etc), are organized in streams. Streams are tied to either a user, or a channel, and don't change ownership. The social objects themselves are static, once created, they cannot be edited. They can have comments associated with them, but those also cannot be edited. The only thing that can happen to streams, stream items, and comments is deletion.

Here, it makes sense to have a node for each stream, and possibly a stream for the comments to each stream item. Those can be tied to the owner's JID (e.g. ralphm@jaiku.com or #jabber@jaiku.com). Another possible node could be: all comments by a person. Another node an entity might want to subscribe to is: all public microblog posts. Such a node would be associated with the domain of the service rather than any particular user's JID.

anyMeta

The company I work for, Mediamatic Lab has a (proprietary) CMS called anyMeta. Instead of 'content', the C in CMS here stands for Community, to highlight the social network properties it provides. anyMeta is a highly semantic system that deals in things (a person, an article, an event, a blog), and edges (the relations between things, each with a predicate like friend-of, author-of, etc). I mainly work on federating instances of anyMeta.

Things in anyMeta are usually editable, so it makes sense to want to keep informed about changes. For example, an article can have a large number of edits, and a person might move, change employers or have other changes to his profile. Thus, we chose to at least provide each thing as a subscribable unit. Upon creating a thing, a new node is created, and a representation of the thing is published to the node. Editing a thing, results in subsequent publishes. Subscribers will receive notifications as the node gets published to.

We organized the nodes in a flat namespace, tied to a domain, rather than a user. One reason is that the owner of any particular thing might change. Tying a node to the first owner, and then needing to move it when the owner changes, is cumbersome.

Node naming

Each node has an identifier that is unique within the publish-subscribe service holding them. So you could have two nodes named updates tied to two different users. Node identifiers are opaque; one should not derive meaning from how the node identifier looks. Embedded slashes might suggest some hierarchy, for example, but an application should not assume that such a hierarchy actually exists.

That said, it makes perfect sense to use logical, human readable identifiers for nodes. They might even be very similar to the URI layout of the service's web site. Let's check what one could do for the examples given above.

Jaiku

It makes sense to have the node identifier for the regular posts (called presence) be presence and the nodes for the individual posts (with comments) presence/123456, where the number is the same as used in the web page for that post. Those two examples could be tied to a JID representing me at Jaiku: ralphm@jaiku.com.

The node for all public posts could be called explore and located at the JID of the whole service: jaiku.com. This would be similar to the web site, where all public posts can be viewed at http://jaiku.com/explore.

It might also make sense to have a dedicated node for a user's profile information, that can be retrieved and presented at a service or application that consumes the social object updates. At least a (full) name and some icon or headshot would be nice to have there. Obviously, subscribing to such a node would mean that future profile changes will also propagate to the consuming entities. An example identifier would be profile, to be kept at the user's JID.

anyMeta

In anyMeta, each thing has an identifier, that could be used for the node identifier as well. However, in the current implementation, all nodes are held by a loosely coupled, generic publish-subscribe service that caters multiple anyMeta instances. We chose to use unique identifiers as generated by the publish-subscribe service, which don't have any relation with the thing identifier.

As you might have guessed, some of the stuff being discussed here has already been implemented in anyMeta. The publish-subscribe service used is Idavoll. It has grown an HTTP interface that is used (internally) to create new nodes, publish items that represent things, and subscribe to, and receive notifications from, remote publish-subscribe nodes. The thing that holds my Mediamatic profile is represented by the node generic/4efe2253-2242-4e01-bfdf-957cc2a9481d at pubsub.mediamatic.nl. All things in this site, but also the PICNIC site, have nodes like this. In a future post I will explore what we do with these nodes.

In this part, we explored how one could organize the nodes that entities can subscribe to to get updates. Some might be tied to the (virtual) JID of the user's account, or associated with the JID of the service itself. Node identifiers might be human guessable, and like the web URIs, or could be seemingly random opaque strings. Implementations that consume subscribe to, and consume notifications from, the nodes at social networking services, should not assume anything about the organization and naming of the providing service. This presents a challenge for the next episode: how does one know which nodes are there and what they are called? So, up next: discovery. Homework assignment: look carefully at the HTML of my Mediamatic profile page.

Philip Paeps: The price of the bleeding edge

2008-07-30T08:10:00+00:00

Lionel reports that his fancy Ubuntu toy is starting to suck more and more. It won't surprise anyone that the words I told you so are on my lips.

As I've blogged before (at length!) Ubuntu is not a very good operating system. It completely ignores decades of proven Unixy technology (like the command line and the toolbox approach) and presents users with complicated experimental solutions to simple problems which have already been adequately fixed ages ago.

The predictable result is that in an overwhelming number of use-cases Ubuntu simply does not work. The only way to get it to do anything at all, is to forget everything you know about computers and to perform a lot of counterintuitive jumping-through-hoops. Hours of frustrating mouse-clicking and trying to figure out what fuzzy (friendly) messages and prompts actually mean.

Engineers have a very good description for software like this: the bleeding edge.

The price of the bleeding edge is blood. Engineers know this. They also know that if bleeding edge software breaks and extracts blood, they get to keep the pieces and they're on their own for restoring their blood volume.

Not-very-amusingly, Ubuntu targets their bleeding edge software to novice users. Weren't novices in particular best served with tried and trusted technology? Nobody in their right mind would throw bleeding edge software at novices!

I guess this says something about the Ubuntu mindset. Do they realize that the more they diverge from the path of tried and trusted technology, the more blood they will extract? I expect to see many more blogs like Lionel's in the coming months.

Play with fire. Get burnt.

The sad thing, of course, is that innocent novices who have been told that Ubuntu is Linux, will now blame Linux for all the suckage.

Philip Paeps: FOSDEM circus restarted

2008-07-27T12:22:00+00:00

Conferences don't organize themselves. This weekend we kicked off the organization of FOSDEM 2009 with our annual kickoff BBQ at Jan-Frederik's.

We were extremely lucky with the weather. A number of water-loving people even decided to cool off in the swimming pool.

There goes my free time for another six months. Yay. :-)

Ralph Meijer: XMPP and Social Networks, part 1: Notifications

2008-07-26T14:12:11+00:00

The use of XMPP publish-subscribe in federation and third-party applications deviates a bit from the standard use-case. Usually publishing, subscribing and receiving notifications happen through the same protocol on specific (leaf) nodes. Entities subscribe to a node that represents a particular thing they are interested in getting updates for, and when an item is published to that node, these subscribers will receive a notification for that item.

For federating social networks, the focus is on the exchange of updates on social objects or comments between services. For third-party applications, the most important thing is getting updates, preferably as soon as possible. So, for both of those use cases, receiving notifications through XMPP gives it an edge over HTTP: no polling, lower latency, less connections.

How these items are published, does not really matter that much. What you will typically see is that services somehow have a new item available (submission via the web, SMS, e-mail or a web-based API) and want to expose that through XMPP. Posting a new update through XMPP from a third-party client usually does not provide an advantage over existing web-based APIs.

For a service like Jaiku, Twitter or Identi.ca to provide XMPP publish-subscribe support, it is important to define the subscribable unit and provide that as a node. Such a node will usually not be published to directly, but is more of an aggregate node. Examples would be: all updates by a particular user, all updates in particular channel, all updates by a user and his contacts, all public updates. An other example could be: all comments on a particular social object.

Conceptually, all such aggregate nodes are internally subscribed to a particular subset of new and updated social objects and comments. You might even implement it exactly like that. Think of a prospective search that is captured by a node: every time a new item comes into the service, it is determined which of the provided nodes would be a match for this item, based on author, contact lists and permissions. Subsequently, for all of those nodes, a notification will be sent out to its subscribers. Telling items apart in this scenario is then likely not done using the service JID, node identifier of item identifier, but using some identifier in the payload, like Atom's id element, although those other identifiers might provide a context.

For those familiar with the concept of XMPP publish-subscribe collection nodes: those would be a special form of aggregate nodes that make it explicit what their relationship to the nodes they aggregate items for is.

Ralph Meijer: XMPP Summit #5: XMPP and Social Networks

2008-07-26T14:12:05+00:00

The major topics on the 5th XMPP Summit were Jingle, and XMPP as a complementary protocol next to HTTP for building social networking services, as stpeter briefly mentioned. While I think that the consensus on OAuth over XMPP, was very important, I think we also settled on a good set of best practices for federating social networks using XMPP Publish Subscribe.

This particular topic has had my full attention over the last year or so, and it is about time that I start writing about that, explaining the afore mentioned best practices in their context. As this covers a lot of ground, I'd like to make a series out of it, each detailing a particular aspect.

Topics that will come by include: the subscribable unit and how notifications are generated, payload formats, discovery, local representation and implementation strategies.

Philip Paeps: Story of my life

2008-07-25T13:46:00+00:00

After two days of staring at a particularly nasty bug, this feels strangely appropriate...

Of course, I would never write bad comments. Ahem.

Philip Paeps: New CAPTCHAs

2008-07-22T17:55:00+00:00

All credit (and blame!) to Zombie. :-)

I also garbage collected some of the dustier CAPTCHAs whose answers were a bit too ambigious. More suggestions always welcome...

Philip Paeps: More open access points

2008-07-22T06:48:00+00:00

So the trains are messed up again. This has stopped bothering me ages ago. There are so many fun things to get annoyed about in life, the trains are not among them.

There is an open access point (well essid "default") at the station in Haacht. Unfortunately, the connection drops every time a train goes by, so I am guessing that it is on the other side of the tracks.

Would someone near here please set up an access point on this side of the tracks? Thank you. :-)

Pascal Bleser: rtorrent with DHT

2008-07-21T13:50:15+00:00

rtorrent is a lightweight, low-memory footprint BitTorrent client that runs in the console (and teams up nicely with GNU screen).

The latest version is now available for openSUSE 10.1 to 11.0 in the Packman repository and supports DHT.

Philip Paeps: National holiday - pah!

2008-07-21T10:02:00+00:00

I've mentioned it before: I don't like random one-day holidays. So today we are supposed to be celebrating the inauguration of some German (or was he Austrian, I can't remember) as King of the Belgians, many years before I was born.

Instead of giving us these holidays piecemeal, why can't we just settle on "ten free days a year" (-ish). If you want to use these days to celebrate so-called "holy" people taking off like rockets and subsequently remembering about gravity (or being remembered by gravity) and thundering down again, that's your lookout. If you want to celebrate the birth of countries or linguistic genocide, that's entirely your business.

And if you want to take a contiguous ten-day break: why not?

These one-day holidays are a nightmare for planning.

Christophe Vandeplas: Belgium rocks

2008-07-21T08:50:39+00:00

Pascal Bleser: Reattaching to ssh-agent

2008-07-19T12:08:34+00:00

A rather rare situation, hopefully... I happened to clean up /tmp and delete a temporary directory used by ssh-agent, that held the UNIX domain socket that was used to communicate with it. Arguably, that's a pretty stupid thing to do and fixing it is as simple as logging out (of your X session) and in again.
But I didn't want to close running applications and hence, hacked a little bash function to re-attach to a running ssh-agent (which means setting the environment variables SSH_AGENT_PID and SSH_AUTH_SOCK appriopriately) after having started another ssh-agent process.
As it might be useful to others (or just an interesting sample of bash scripting), here it is:

function reattach-ssh-agent {
   local pid
   local line
   local r=$(ps h -o pid -C ssh-agent | while read pid; do
      sudo lsof -a -w -LPn -p "$pid" -U -Fn \
      | grep '^n/tmp/ssh-.*/agent\..*' | while read line; do
         line=${line#?}
         [ -e "$line" ] && {
            echo "FOUND: pid=$pid sock=$line" >/dev/tty;
            echo "export SSH_AGENT_PID=$pid; export export SSH_AUTH_SOCK=\"$line\"";
         }
      done;
   done)
   [ -n "$r" ] && { eval $r; } \
   || { echo "Failed to find running and operational ssh-agent" >&2; }
}

Note that it must be a function, not a script as the latter would be executed as a sub-process of the current shell and, hence, not be able to modify the environment of the current shell (which is the whole idea about it). So if you need that function here and then, make sure to add it to ~/.bashrc

Also note that a major drawback of this function is that it requires executing lsof as root (here using sudo) as the open files of ssh-agent are only visible to root. Another approach would be to implement the above in a separate script that would just output the shell code to execute (export SSH_AGENT_PID ...) and run setuid (using a C wrapper or such) but.. not necessarily easier nor much more secure.

Damien Sandras: Back from GUADEC and RMLL

2008-07-16T19:21:39+00:00

I am now back from the RMLL and from GUADEC.

Both events were fantastic and the talk about Ekiga 3.00 drew much attention from the audience, with interesting questions and general enthousiasm.

I would like to thank the organizers of both events.

You can find both talks hereunder. The GUADEC talk contains more information about the new Ekiga Engine introduced for Ekiga 3.00 :

Philip Paeps: Sigh.

2008-07-15T18:13:00+00:00

So the Belgian government toppled again. What a surprise.

Could the clowns leave now, please? You've had your chance to show off how good you are at making a mess of things. I think it's about time some serious people took over from here.

Nobody -- save some extremist fools -- is interested in "regional issues" and everyone has had it with linguistic racism and kindergarten-level "it's all their fault" whining.

First get some serious people in to clean up the federal level. Then take a large axe to the silly regional and sub-regional levels. Belgium is small enough to be 'regional' in European terms. There is no need for further expensive complexity.

The last year of political idiocy has demonstrated again that complexity kills. Keep it simple. We have too many governments in Belgium. Fix the big one, kill off the small ones. Instead of looking for differences, look for similarities. Think "abstraction".

I would like to thank N-VA in particular for services rendered (unbidden). Always ready with a big stick to insert in the clockwork of a solution being made. If you need to resort to sabotage to prove that something is "broken", perhaps it's time to consider the possibility that it's not.

Get over it. Go on holidays, preferably to a different planet, and let some serious people sort out the mess you've made of things.

Thank you.

Christophe Vandeplas: What politicians should do

2008-07-15T17:16:56+00:00

Instead of showing off to the press and pushing the fault on others backs they should simply stay silent and be ashamed of the situation they created.

And yes, I consider the media also as partially responsible by giving those minority extre mists such a big voice.

Pascal Bleser: lame-3.98

2008-07-13T21:32:11+00:00

Today I've upgraded the package lame (an MP3 encoder that is available in the Packman repository) to the latest version (3.98).

I've taken the opportunity to revamp the package a bit:

split into lame, libmp3lame0, libmp3lame-devel
add -debuginfo support, making the package smaller and enabling debugging/backtracing
build lame-mp3rtp, an MP3 to RTP streamer
build lame-mp3x, an MP3 frame analyzer (uses GTK 1.x)

It does have a drawback though, which cannot be solved automagically by rpm: if you install libmp3lame0, it will conflict with the package lame-3.97 (because libmp3lame.so.0 is now in the package libmp3lame0 instead of lame as with previous versions).
Make sure to also upgrade the package lame to 3.98, which should then work out smoothly.

Philip Paeps: MIT-SCREEN-SAVER

2008-07-13T20:10:00+00:00

Found in vlc (modules/misc/screensaver.c - GPL) after I found gnome-screensaver-command: not found on stderr once too often:

/*****************************************************************************
 * Run: main thread
 *****************************************************************************
 * This part of the module is in a separate thread so that we do not have
 * too much system() overhead.
 *****************************************************************************/
static void Run( intf_thread_t *p_intf )
{
    int i_lastcall = 0;

    while( !p_intf->b_die )
    {
        msleep( 100000 );

        /* Check screensaver every 30 seconds */
        if( ++i_lastcall > 300 )
        {
            vlc_object_t *p_vout;
            p_vout = vlc_object_find( p_intf, VLC_OBJECT_VOUT, FIND_ANYWHERE );
            /* If there is a video output, disable xscreensaver */
            if( p_vout )
            {
                vlc_object_release( p_vout );

                /* http://www.jwz.org/xscreensaver/faq.html#dvd */
                system( "xscreensaver-command -deactivate >&- 2>&- &" );
                system( "gnome-screensaver-command --poke >&- 2>&- &" );

                /* FIXME: add support for other screensavers */
            }

            i_lastcall = 0;
        }
    }
}

My eyes bleed... This is what the MIT-SCREEN-SAVER extension is for, Sam. If I can only figure out how to get at the Display pointer from p_intf, I'll send you a patch.

What do non-geeks do on Sunday evenings? Code-reading is fun.

Philip Paeps: Every library known to man

2008-07-13T18:12:00+00:00

I tried to build vlc today. I'm not unhappy with mplayer. It generally just works. I wanted to test something multicast-y though, and I'm told vlc is simply the path of least pain.

Hah!

For some unfathomable reason, it wants to be linked with every single library known to man. It also feels I should install a number of things which are never going to be on my system (things like gconf, hal, dbus and other crimes against humanity).

Furthermore, my machine doesn't have any kind of optical drive. I couldn't imagine why I would want to waste diskspace on libraries accessing such things (libdvdread, libdvdnav, libcdio, and many more).

More Makefile hacking it is. No problem. I'll be submitting patches. My life would be significantly easier however, if people porting software would be nice enough to take a "default to exclude" rather than a "default to include" stance.

Especially when it comes to criminal software like hal, dbus and gconf.

Patches coming up. :-) I love the way the FreeBSD ports system (and pkgsrc, by extension) lets me fix problems like this. I'm sure binary package management systems make it much more difficult to avoid evil software which destroys your mind (and any kittens nearby too).

Philip Paeps: You can teach an old dog new tricks

2008-07-12T12:01:00+00:00

A couple of days ago, someone pointed me at this Slightly Advanced Introduction to Vim. I spend most of my life in Vim and I like to think I know how to use it fairly effectively. Nevertheless, I did learn a couple of interesting new tricks from this particular "introduction".

Two things in particular I learned are some more things to do with g and the fact that the + register contains the operating system paste buffer. Registers are probably one of the Vim features I use most often (together with marks, csope, split windows and various forms of g), and yet I never knew about the + register.

I don't think it's possible to know everything about Vim.

Pascal Bleser: MPlayer package updates

2008-07-11T14:26:01+00:00

I made a few changes to the MPlayer package in the Packman repository, now version 1.0rc2-4.pm.4:

-debuginfo package to help trace down crashes and such
added libnemesi support for RTSP/RTP streaming (which is also available in the Packman repository)
added the following Provides symbols to the MPlayer package: mplayer, mplayer-gui, MPlayer-gui, gmplayer and mencoder
fixed FAAC support in mencoder

Please test and report success or issues to us, especially if you are using RTSP/RTP streaming.

Pascal Bleser: Reporting Packman package bugs

2008-07-11T01:08:46+00:00

Coincidence or not, recently I ran into several people (on IRC or on openSUSE mailing-lists) who did not know how to report bugs for packages from the Packman repository.

So, once and for all, here is how to do it: just send an email to packman@links2linux.de

It's an open mailing-list you may (but don't have to) subscribe.

Obviously, this also works for package requests, informing us about new upstream releases of your favourite packages (in case we didn't notice, as unfortunately not all projects report releases to sites such as freshmeat), but also for telling us that a package works great for you. Well, feedback in general.

One must always keep in mind that most people in the Packman packager team maintain several hundreds of packages and, obviously, we can only test a fraction of them. Hence, we're interested in any feedback, positive and negative. So if you want to do your part in having high quality packages there, please take a few minutes to send us feedback about them -- remember that this is a collaborative process ;)

Christophe Vandeplas: Belgian eID to login on Mac OS X

2008-07-08T08:11:46+00:00

This short howto explains how to use the Belgian eID to login on your Mac OS X machine. In this document I assume your cardreader is detected/installed and you are administrator of your machine. I am using Mac OS X 10.4.11.

Enable SmartCard authentication (only Mac OS X 10.4)

The happy owners of Leopard, Mac OS X 10.5, shouldn't change anything in their configuration file. Just jump to the part about access permissions.

Probably for performance reasons Apple didn't activate SmartCard login by default. So we will need to change a few configuration files to enable it. This procedure is explained on this page. Here's my own documentation with the examples for the Belgian eID.

The instructions in this part should be exactly the same on your system.

$ sudo -s
Password:
$ cd /etc/
$ cp authorization authorization.20080707.orig
$ cp authorization /tmp/authorization.mod

Now edit the temporary file using your favorite editor or by using the graphical editor if you prefer.

$ vi /tmp/authorization.mod
$ open -a "Property List Editor" /tmp/authorization.mod

Make the following changes to the mechanisms Array inside the system.login.console rights (Line 452):
After the string <string>builtin:auto-login,privileged</string> add the string <string>builtin:smartcard-sniffer,privileged</string>.
After the string <string>builtin:reset-password,privileged</string> remove the string <string>authinternal</string> then add string <string>builtin:authenticate,privileged</string>

Make the following changes to the "mechanisms" Array inside the "authenticate" rules (Line 649):
Add the following string to the beginning of the array <string>builtin:smartcard-sniffer,privileged</string>
After the string <string>builtin:authenticate</string> remove the string <string>authinternal</string> then add the string <string>builtin:authenticate,privileged</string>

Now copy the file to the right place on your system:

$ cp /tmp/authorization.mod /etc/authorization

You can check the differences here or download the original and modified file (Mac OS X 10.4.11)

$ diff -uN /etc/authorization /tmp/authorization.mod 
--- /etc/authorization  2008-03-23 17:53:36.000000000 +0100
+++ /tmp/authorization.mod      2008-07-07 11:19:05.000000000 +0200
@@ -449,9 +449,10 @@
                        <key>mechanisms</key>
                        <array>
                                <string>builtin:auto-login,privileged</string>
+                               <string>builtin:smartcard-sniffer,privileged</string>
                                <string>loginwindow_builtin:login</string>
                                <string>builtin:reset-password,privileged</string>
-                               <string>authinternal</string>
+                               <string>builtin:authenticate,privileged</string>
                                <string>builtin:getuserinfo,privileged</string>
                                <string>builtin:sso,privileged</string>
                                <string>HomeDirMechanism:login,privileged</string>
@@ -645,8 +646,9 @@
                        <string>evaluate-mechanisms</string>
                        <key>mechanisms</key>
                        <array>
+                               <string>builtin:smartcard-sniffer,privileged</string>
                                <string>builtin:authenticate</string>
-                               <string>authinternal</string>
+                               <string>builtin:authenticate,privileged</string>
                        </array>
                </dict>
                <key>authenticate-admin</key>

Access permissions (everyone)

We now enabled SmartCard authentication. The question that remains open is: Who owns what SmartCard?

On the eID card there are two private keys present. One for signing purposes and one for authentication. We will use the authentication key of course.
Go back to your Terminal that was logged in as root and type the following command. This will list the hashes of the keys.

$ sc_auth hash
3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C PrK#2 (authentication)
35BDB8600FA219204D28FAD856380F6E06123B62 PrK#3 (signature)

$ sc_auth accept -u chri -h 3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C

If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).
We can check if it's OK:

$ dscl . -read /Users/chri
...
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>
  ;pubkeyhash;3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
...

Test your configuration

That's it. Save all your open files, log out of the system and connect your SmartCard. You should see the Enter PIN when your card is connected:

Debug info

When entering the cardreader in /var/log/secure.log (open using Console). If you don't see these messages check that your cardreader is configured correctly on the system.

com.apple.SecurityServer: Token reader CCID Smart Card Reader 0 0 inserted into system
com.apple.SecurityServer: token inserted into reader CCID Smart Card Reader 0 0
com.apple.SecurityServer: reader CCID Smart Card Reader 0 0 inserted token
  "BELPIC-534C494E336600296CFF2491AB111E14" (BELPIC-534C494E336600296CFF2491AB111E14) 
  subservice 2 using driver com.apple.tokend.belpic

After a successfull login see these messages:

SecurityAgent[1994]: Showing Login Window
SecurityAgent[1994]: User Authenticated: continue login process
com.apple.SecurityServer: Succeeded authorizing right system.login.console 
  by process /System/Library/CoreServices/loginwindow.app for authorization 
  created by /System/Library/CoreServices/loginwindow.app.
com.apple.SecurityServer: Succeeded authorizing right system.login.done 
  by process /System/Library/CoreServices/loginwindow.app for authorization 
  created by /System/Library/CoreServices/loginwindow.app.

Links

Apple Smart Card Setup Guide
Mac OS X 10.4: Enabling smart card login

Philip Paeps: C rules!

2008-07-07T18:39:00+00:00

I've been fighting with OpenSSL for the last couple of days. OpenSSL is purportedly very easy to use if you happen to have a TCP socket descriptor for it to play with. When you don't have this, you have to drive SSL_connect() yourself. Once you understand how this works, it's quite simple, really.

Left to its own devices, OpenSSL will helpfully malloc() (and presumably free()) any memory it needs. Unfortunately, this is not desirable in a memory-constrained system or a system where heap fragmentation is not welcome.

With a minimum of fuss (though quite a serious amount of cursing and trying to figure out what the damn thing was doing) I made OpenSSL submit to my memory management. All it took were the usual pointer gymnastics and shuffling lengths and offsets.

Again, I wonder how people survive in languages and development environments which try to hide memory from them. How do they get any work done (with any degree of efficiency)?

Yes, C makes it easy to shoot yourself in the foot. Only your foot will be shot though. Unless you ask for it, the rest of your leg won't be blown off. This is a feature, not a bug.

I like simple. Simple is good.

Christophe Vandeplas: TrueCrypt did the impossible again

2008-07-05T19:10:16+00:00

Starting from version 5.0 TrueCrypt has support for Full-Disk Encryption using the pre-boot authentication principle.

TrueCrypt has a history of extreme security by providing the functionality of plausible deniability. The problem with encryption is that people can force you to enter your password, but if they can't prove that you are using encryption they can't force you. It is plausible that you are telling the truth.

But why am I telling this? Well, the problem with the full-disk encryption was that the TrueCrypt bootloader was easily detectable. There was no way to have plausible deniability for the fully encrypted disk.

Starting from version 6 the great guys found a way to include plausible deniability and full-disk encryption.But how are they doing it? Well from what I read you can have two passwords in the bootloader. One password will give access to your 'normal OS' and the other password to your 'private and hidden' OS.

They also added a huge performance increase: Support for parallelized encryption/decryption on multi-core processors (or multi-processor systems). Increase in encryption/decryption speed is directly proportional to the number of cores and/or processors.
For example, if your computer has a quad-core processor, encryption and decryption will be four times faster than on a single-core processor with equivalent specifications (likewise, it will be twice faster on dual-core processors, etc.)

Well done guys. I'll soon upgrade my v5.1 to the latest v6 edition.

Pascal Bleser: Deluge 0.5.9.3

2008-07-04T10:20:56+00:00

Packages of the latest Deluge (a torrent client), 0.5.9.3, are finally available for openSUSE, in the Packman repository.

It took so long to upgrade because the Deluge developers upgraded the in-tree rblibtorrent to a more recent build that, in turn, requires the very latest Boost 1.35. Took me some hours of work to make a boost1_35 package that can be installed aside the (older) boost package that ships with openSUSE.

BTW, if Deluge doesn't start properly, run "deluge" from a shell and if you see the following error message: "deluge.core.DelugeError: 'No such unique_ID.'" then you have to delete your Deluge configuration (rm -rf ~/.config/deluge) and start+configure Deluge again.

Pascal Bleser: openSUSE and Packman mirror in India

2008-07-03T22:29:59+00:00

debayan told me today that he has an 8mbit mirror for openSUSE (and other distros) as well as Packman in India.

Cool stuff, definitely an added value for openSUSE users there :).

Pascal Bleser: Freetype2 packages with subpixel hinting

2008-07-02T20:15:41+00:00

openSUSE packages of the latest freetype2 (2.3.7) are available on opensuse-community.org, with subpixel hinting enabled. See SubpixelHinting for further details.

Philip Paeps: The brain is a stack

2008-07-02T19:01:00+00:00

For the last couple of weeks, I've been fuzz testing some code I wrote. On its own, that sort of thing is mind-numbingly boring, so instead of just handling the problems I found the "simple way" (check for NULL before dereferencing, check if offsets make sense, etc) I decided to refactor where possible so the bugs just couldn't happen. This kept the fuzzing fun too.

Moving error handling upwards nearer to the cause of the errors in an existing code base is sometimes surprisingly tricky. Lots of reshuffling of structures, hiding data from header files and clever encapsulation tricks and pointer gymnastics.

When you're working in ten or twelve files at the same time, you realize how much like a stack the brain is and how good it is at caching information. You push the consumers of a structure on the stack and you roll it up as you change the structure. Sometimes you find yourself branching because you found a way to abstract something and when you get back, the stack is back pretty much as if it had never been gone.

I haven't been able to precisely calculate the depth of my brain stack yet, but it seems to be fairly accomodating. After a couple of hours of shuffling code around, even rough line numbers seem to be getting cached for fast retrieval too. Much fun.

Yet another research opportunity for 'students of the mind'.

Philip Paeps: The brain is a stack

2008-07-02T19:01:00+00:00

Yet another research opportunity for 'students of the mind'.

Pascal Bleser: Miro 1.2.4 for openSUSE 11.0, 10.3 and 10.2

2008-07-02T13:23:57+00:00

The latest Miro (1.2.4) is now available for openSUSE 11.0, 10.3 and 10.2 in the Packman repository.

Pascal Bleser: Miro 1.2.4 for openSUSE 11.0

2008-07-01T07:30:59+00:00

The latest Miro (1.2.4) is now available in the Packman community repository for openSUSE 11.0.

Builds of Miro 1.2.4 for openSUSE 10.3 will follow shortly.

Damien Sandras: GUADEC & RMLL

2008-06-30T21:08:42+00:00

I will be talking at the RMLL on Thursday afternoon.

Right after the RMLL, I will be flying back from Mont-de-Marsan to Belgium on Friday.

On Saturday, I’ll take the plane to Istanbul for GUADEC.

I will present Ekiga 3.00 to both events : what’s new, what’s old, what’s to expect.

I have just committed a large piece of missing code in the Ekiga engine.

See you there !

Philip Paeps: Patches everywhere

2008-06-29T16:54:00+00:00

It is amazing how patches have a tendency to pile up on laptop disks. While MFC'ing a silly change this afternoon, I accidentally typed svn diff in $HOME/projects/freebsd/head/sys and the output was rather interesting.

In addition to random patches that occur to me while I'm sitting on the train, I have a good chunk of syscons changes that I really should put somewhere safely.

Laptops are dangerous. Not only do they burn your lap -- and other sensitive areas -- they allow you to do work which is very easy to forget about (and then lose).

Time to sort through this mess and send out some patches.

Pascal Bleser: Smart on openSUSE 11.0

2008-06-28T22:31:16+00:00

zypper ar -r http://download.opensuse.org/repositories/smart/openSUSE_11.0/smart.repo
zypper ref smart
zypper install smart
smart channel --add http://linux01.gwdg.de/~pbleser/files/smart/opensuse-11.0.txt
smart mirror --add http://linux01.gwdg.de/~pbleser/files/smart/mirrors-eu.txt
smart update

Pascal Bleser: Dad 2.0

2008-06-28T20:59:15+00:00

And here's my son, Thomas, 3.25kg, 50cm, born at 10:45am on Thursday (26th), healthy and (subjectively) cute.

Everything went great (as "great" as giving birth can be, won't argue with women about that), mother is in good shape and feeling well too.

Such a tiny little thing to hold in one's arms, almost forgot how it is, even though our daughter Gaëlle is just (almost) 3.

So don't be surprised if I'm a bit "inactive" and slow to reply to emails and stuff, currently having higher priorities ;)

Mark Van den Borre: U.S. and EU near deal on sharing data

2008-06-28T13:23:47+00:00

U.S. and EU near deal on sharing data

Christophe Vandeplas: See access to disk Mac OS X

2008-06-26T18:47:48+00:00

sudo fs_usage -f filesys

Christophe Vandeplas: eID things

2008-06-26T18:30:17+00:00

Some output from some commands:

Welke slots zijn er ?

$ ./pkcs11-tool --list-slots
Available slots:
Slot 0           CCID Smart Card Reader 0 0
 token label:   BELPIC (Basic PIN)
 token manuf:   (unknown)
 token model:   PKCS #15 SCard
 token flags:   rng, login required, PIN initialized, token initialized
 serial num  :  6CFF2491AB111E14
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)

Hier zijn dus nog 7 vrije slots die we kunnen gebruiken voor alles en nog
wat. Sommigen gebruiken het voor SSL certificaten, anderen voor kun
private PGP/GPG keys

Wat kan de kaart zoal:

 ./pkcs11-tool --list-mechanisms
Supported mechanisms:
 SHA-1, digest
 SHA256, digest
 SHA384, digest
 SHA512, digest
 MD5, digest
 RIPEMD160, digest
 RSA-PKCS, sign, verify, unwrap, decrypt
 SHA1-RSA-PKCS, sign, verify
 MD5-RSA-PKCS, sign, verify
 RIPEMD160-RSA-PKCS, sign, verify
 RSA-PKCS-KEY-PAIR-GEN, keypairgen

De objecten die op de kaart staan (certificaten dus):

$ ./pkcs11-tool --login --list-objects
Please enter User PIN:
Private Key Object; RSA
 label:      Authentication
 ID:         02
 Usage:      sign
.... enzovoort.

Welke certs staan er op :

$ ./pkcs15-tool --list-certificates
X.509 Certificate [Authentication]
       Flags    : 3
       Authority: no
       Path     : 3f00df005038
       ID       : 02

X.509 Certificate [Signature]
       Flags    : 3
       Authority: no
       Path     : 3f00df005039
       ID       : 03

X.509 Certificate [CA]
       Flags    : 3
       Authority: yes
       Path     : 3f00df00503a
       ID       : 04

X.509 Certificate [Root]
       Flags    : 3
       Authority: yes
       Path     : 3f00df00503b
       ID       : 06

En natuurlijk ook expliciet de details over de private keys. We zien dat
de private keys niet extractable zijn:

$ ./pkcs15-tool --list-keys
Private RSA Key [Authentication]
       Com. Flags  : 3
       Usage       : [0x4], sign
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract,
local
       ModLength   : 1024
       Key ref     : 130
       Native      : yes
       Path        : 3f00df00
       Auth ID     : 01
       ID          : 02

Private RSA Key [Signature]
       Com. Flags  : 3
       Usage       : [0x200], nonRepudiation
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract,
local
       ModLength   : 1024
       Key ref     : 131
       Native      : yes
       Path        : 3f00df00
       Auth ID     : 01
       ID          : 03

Pascal Bleser: webpin CLI 1.0.0

2008-06-24T06:40:11+00:00

webpin 1.0.0 is available in the openSUSE:Tools build service repository.

The only change is that it supports searching for openSUSE 11.0 packages (and that there is an openSUSE 11.0 package of webpin).