Older blog entries for RyanMuldoon (starting at number 34)

apw: It seems like you are oversimplifying the problem space to an enormous degree. For instance, if I present you with a valid cert, how do you know that it is actually mine? If we have no pre-defined trust relationship, you can't know. But then let's say we do have a pre-defined trust relationship, and someone identifying themselves as me with my cert tries to make some kind of transaction with you. This requires you to trust me in two very important (but distinct) ways: first, you need to trust that I am technically competent enough to keep my private keys to myself. And second, you need to trust that I am reliable enough a person that I am not going to give someone else my private key. It's not as simple as saying "let's all get smart cards and make browser plugins" - it is a rich and complicated area of research. If it were an easy problem, it would be solved by now. People have been working on this for a couple decades. It's good to think about, but please realize that there is a lot of hard work still to be done. And it isn't all just technological. If you're aiming to have a solution to counter Passport, there are a number of existing projects to look into. I'm involved in the Internet2 web-iso and Shibboleth projects, for example. I know that there are many others. Just some food for thought.

Negative Certs: I have mixed feelings about negative certs. They may not be appropriate for Advogato, but in terms of a trust metric, they do make a lot of sense. Trust is not just measured in positive amounts. There should be a difference between ambivalence (Observer) and active distrust. If I have had a dealing with someone, and they acted in a dishonorable manner somehow, I should be able to publish that fact, to help others judge whether or not that person can be trusted.

As I've said, this probably does not make sense for Advogato. Ambivalence is adequate. Unless you think that someone stole code and published it as their own, and is a no-talent hack that has convinced everyone of their greatness, there is no need for negative certification. But I think that negative certs are extremely useful when transactions come into play. Any time someone actively violates a trust relationship, that should be noted. In the coming future of peer to peer transactions, I want to make sure that I'm only dealing with trustworthy people.

I had a kind of cool thought - combining UDDI with a trust graph, so I always find the best service provider. For that to work, though, negative certs need to be taken into consideration. Once you get to something like this, trust becomes more complicated. You have to consider *how* you trust someone. Trust is not all-encompassing. How we represent that is going to be an interesting policy issue. I could go on, but this is a rant for another day. ;-)

jamesh: The free software CA idea is interesting. I have been thinking about issues surrounding Certificate Authorities a good deal recently. Pretty much all of the projects I am working on at work end up requiring certificates all over the place. Servers need them, but people also need some form of them. Since these are all higher education projects, it seems like a lot of people will be using this stuff once it is finished. The licenses on the projects are all Free, but I'm worried about the tens of thousands of needed certificates. It doesn't seem like that aspect of things scales very well. But I do think that absolute certificates are needed, rather than an advogato-style trust metric, since in this case trust is a binary issue. Trust is a hard problem....you have to implement a system where you can be sure that no untrustworthy people get trust, but it can't be overly hard to use, or cost too much, and ideally no trustworthy person should be denied trust.

School is all done with now, and has been for a few weeks. I am now working for my school's IT department, in the Architecture group. It is turning out to be a pretty cool job. I am working on several Internet2 projects, like MACE-dir, eduPerson, and Shibboleth. The work is really interesting, and I am enjoying the opportunity to do design analysis and such. Also, a very nice aspect of doing work for higher education is that everything I write is Free Software. So it is a pleasant work environment.

I have also just started my DVD collection. I bought Almost Famous, High Fidelity, American Beauty, and Fight Club. Now I am in the process of deciding what other movies I should get, and what versions of those movies are the good ones to get. Beyond the annoyance with CSS and Region Encoding, DVD consumers are really taken for a ride in terms of releasing multiple versions of the same movie. Some movies have a normal version, a collectors edition, and an ultimate edition. I can understand a movie-only cheap version, and a special/collector's edition, but having multiple enhanced versions is frustrating. And then you also have to consider quality of transfers, etc. I love the higher quality of DVDs though, and I certainly can't go back to VHS. I intentionally held off on buying movies until I started collecting with DVDs. To make myself feel better about buying DVDs, I am buying used copies off of half.com, so I don't support the MPAA's DVD policies. The flip side is that I am also not supporting the actors or writers, but they get so little anyway, it doesn't make a difference. Too bad I can't decide where my money goes in terms of royalties.

Phoon: Be careful with the line of reasoning that you are using. While, yes, there are some instances where someone is accused of rape without having actually raped someone, I promise you that this is a very, very small percentage of the cases reported - let alone the uncounted numbers of rapes that are never reported. You have to realize that the victim of rape suffers a great deal from just reporting the rape - they don't really want other people to know about it. Bringing charges is not a simple matter, and decisions to do so are not made flippantly. And, as someone else has said, rape is not about sex. Rape is flat-out violence. Rape is violating someone in the worst way possible. That has nothing at all to do with sex, which is a mutual exchange. I am sure (or, at least I hope) that you are a decent person - just please, I urge you, to carefully think about such things. Hopefully you will come to the conclusion that some things are simply beyond reproach.

Until today, I've stuck to writing diary entries solely about computer-related topics and fairly light conversation. But, I really can't let myself ignore comments like this. I wouldn't feel very good about myself if I did. So, for those of you reading this that find this discussion off-topic, sorry. But, just like RMS says that economics is something to worry about once freedom is assured, the world of computers is something we can worry about once our basic human rights have been assured. I worry that some very smart-seeming people in various online communities are so involved with computers that they fail to see the world around them, and all of the very serious problems that need to be addressed. It is great to have strong ethics with software, but unless you also have strong ethics in the real world, it doesn't matter much.

Phoon: I really hope that you don't believe what you wrote. 90% of rape claims being false? That really disturbed me to read such a thing. If anything, the much more likely scenario is a large percentage of rapes go unreported, because the victim feels that they are somehow responsible, or that they were "asking for it." I'm sure that there are a few reported rape cases that are not true, but that goes for any crime out there. Innocent people are accused sometimes. BUT, I beg of you, don't trivialize something as serious as a rape charge. If anything, we should be working towards creating an environment where it is more ok for a victim to bring charges against a rapist. Rape is pretty much the worst thing that you can do to someone. Even comparing it to something like intellectual property rights is disturbing. If someone takes source code that I license with a less restrictive free software license, like BSD, they are in no way stealing. It was my choice to offer my code that way, and not be in a position to demand contributions. But claiming that this is somehow remotely similar to the trauma one goes through with being raped is just horribly wrong. Computers, and even intellectual property, are a really small part of life. There are many more serious problems in the world. I see too many people in forums like this or slashdot forget that while it is great to notice injustice in the world of intellectual property, we can only do that out of extreme luxury of circumstance. Have some perspective on life.

It's been a long time since I've written. Oops. I have been pretty busy with school, and my life in general, to do much computer type stuff. I have been trying to go on MonkeyTalk every day and help out a little bit - it's nice because I can help a bunch of people with minimal effort, as most of their questions are pretty easy. MonkeyTalk is a great idea, as simple as the implementation may be.

I'm writing here to basically vent my frustration. Slashdot has an article slamming Ximian, Eazel, the FSF, and GNOME. These are among the few organizations that I have any amount of respect for in the whole linux "community." And it bothers me to see them slammed so unfairly. What makes it worse is that I can imagine how shitty it must be to be those individuals that such slams are directed at. Working really hard on something, and being proud of your work, then watching everyone rip it to pieces for no good reason can't be a very rewarding experience. As I posted on slashdot, I am becoming increasingly saddened by all of this. People care less and less about Freedom, and more and more in entitlement and things being no cost and convenient. It is becoming rather self-destructive. I wonder if it is people that have been (at least peripherally) involved in the Free Software world for a while getting somehow disillusioned, or if it is a new batch of people that never took the time to understand the tenets of Free Software so they don't understand how the dynamic is supposed to work. I think it is the latter. Ah well. I'm just going to try and let it not bother me so much.

Iain: Have you listened to any Grandaddy? They are kind of Radiohead-esque, and are pretty good. An excellent song by them is "So you'll aim toward the sky." But, as for Amnesiac, I must say that I enjoy "Knives out" quite a bit. But The Bends is still their best album in my opinion. Amnesiac has a little more of the vintage Radiohead feel when compared to Kid A, which is kind of nice. And I enjoy the more tame horn accompaniments this time around....kind of a cool jazz feel.

As for my little Nautilus patch, I am having a hard time actually compiling Nautilus. It's complaining about me not having gtk and glib headers, even though I do. Hopefully I'll figure out what the problem is. It's annoying to not be able to do run-time testing now that I have my patch "complete" and without compiler errors. Once I have time I'll figure it out, and submit the patch. Then, hopefully I'll take on another little task that isn't too time-critical. At some point I'll have to write down a list of little things that annoy me about the software I use, and actively try and fix the problems.

I've been reading the available material on the Reef project - it sounds damn cool. I'm glad that it is clearly intended as a community project. It is great to see the ideals of the free software community, and their potential benefits, well-represented in web-enabled services. Once the semester is over I'm going to see if I can play with it a bit, and perhaps contribute some. My goal is to be a reasonably regular contributor to the GNOME project by the time GNOME 2 rolls around. We'll see how it goes.

I've been working on my first patch for Nautilus.....a right-click menu for the "Up" button in the toolbar. I am really enjoying the quality of the code in Nautilus - at least what I've looked at. It is all really easy to read and understand. Hopefully my changes follow suit. I'm pretty much done with the first pass at the patch, except I need to figure out how I can get a NautilusScalableIcon for a given uri. Once I have that, I'm pretty much set I think. So hopefully on Monday or Tuesday I'll have completed my patch, assuming I find some coding time. It should be a nice little feature though. And hopefully something of a jumping off point for other small little fixes/features in Nautilus. We'll see how it goes.

jaq: I'm glad to read that you're working on a GNOME version of Gnutella. I'd suggest that you *not* use the same UI as gtk_gnutella. It is pretty hideous. I was thinking about spending some time reworking the UI for gnapster and gtk_gnutella, as I don't really like either too much. One big improvement in both would be to use the shortcut bar that is in evolution for switching between sections. And in gtk_gnutella's case, actually having preferences in a preference dialog would be better. Also, some means to auto-grab active gnutella servers would be useful.....similar to how gnapster has a listing of OpenNap servers. Anyway, if you're interested in more ideas (and maybe a little code) email me.
