Advogato blog for cdfrey

14 May 2008

Wed, 14 May 2008 05:43:12 GMT

The Unfortunate Case of Debian's SSL Bug

I feel the need to post about this issue in the hope that similar problems can be avoided in the future.

My initial disclaimer is that I'm not a package maintainer for any of the major distros, so I'm not intimately familiar with the stresses or workloads that they may face everyday. I am, though, the lead developer on a project that I hope one day will be included in major distros.

Whenever I get some interest from potential distro maintainers, I try to stress my keen interest in getting any downstream patches. This is to hopefully lighten their workload as well as to improve the software for everyone.

Unfortunately, it appears to me that the patch that caused the trouble in Debian recently was not fed back to the upstream developers, and if it had, it may have been caught much earlier.

What can be done from an upstream developer's point of view to encourage these upstream patches to keep flowing?

And is it not almost a duty for all downstream package maintainers to send patches upstream whenever possible?

Perhaps in some cases, the upstream packages themselves are not actively maintained, in which case being a distro package maintainer is even harder. But OpenSSL is not such a case.

I've run into 3 cases so far where a bad patch to the libtar library has sneaked into various distros and caused trouble for people trying to compile Barry on their systems. Would it not be better for these distro-specific patches to be fed upstream, and get rejected with a proper reason? Would it not be better for all distro maintainers of a particular package to be subscribed to its development mailing list, and see these issues first hand?

Obviously I think so, but I'd like to hear your thoughts on it. I think it is an issue that needs to be discussed, and now's the perfect time.

2 May 2008

Fri, 2 May 2008 08:00:08 GMT

Is That A Herd Of Penguins I Hear?

The planning stage for the 2008 Ontario Linux Fest is well under way. Richard Weait recently posted an announcement on the KWLUG mailing list, which you can read in detail in the archives. I'll summarize briefly here:

When:

Saturday 25 October 2008

Where:

Days Hotel and Conference Centre - Toronto Airport East
1677 Wilson Avenue
Toronto, ON M3L 1A5

The venue is at "The Days". There is a shuttle from the airport, and it is an easy connection to the Wilson subway. If there is enough interest, a shuttle from the subway to the Fest can be arranged, so let us know. Since the venue is both a hotel and conference centre, there are special deals on rooms, and ample parking on-site.

Who:

The call for papers is now open. See the Papers page to submit your topic. There are spots open for formal presentations, for lightning talks, for Birds of a Feather sessions, for Demo room sessions, and for Vendor room sessions.

How:

There are also various levels of sponsorships open as well, for FLOSS-friendly companies and groups. See the Call for Sponsors page if you or someone you know is interested, from multi-nationals to family businesses to Linux oriented groups.

How To:

If you have a suggestion, idea, desire, or criticism, we want to know!

Mark your calendars. I hope to see you there!

17 Oct 2007

Wed, 17 Oct 2007 20:12:12 GMT

salimma,

newmail.cc mbox summary program (see update_mbox_cache()). You can work around it by replacing std::getline() with the normal .getline() member of the io class, and using a non-std::string buffer.

It's still processing things line-by-line, which when compared to something like grep, is inefficient. Grep reads large blocks of the file, I think 16k or more at a time, and does its own very fast processing. But replacing std::string with a char buffer made the performance acceptable for me.

I believe the main cause of performance issues with std::string stem from the way iostreams insert a character at a time, and when using std::string, it is not very smart when growing its buffer.

I also find Boost regex to be rather slow at times, but perhaps I'm not using them correctly.

9 Oct 2007

Tue, 9 Oct 2007 18:40:29 GMT

Ontario Linux Fest Rapidly Approaching

Ontario Linux Fest

It's going to be a day packed full of Linux goodness. I look forward to seeing you there... I'll be the big guy helping out at the sign-in area.

8 Sep 2007

Sat, 8 Sep 2007 20:21:59 GMT

kelly, I pretty much agree with you about PHP. It is useful in some ways, but once I start programming something of any real size, I start to miss simple things like how the compiler is forced to check the syntax of all code, whereas an interpreted language can let you write some invalid code in if statement, and you may miss it until it runs.

As for operator overloading in C++, that's a bit like saying you won't use C because it has some bloated feature like printf() instead of write(). :-) You don't have to use operator overloading, but it sure is handy when it makes sense to use, such as when creating fundamental types like money values or complex numbers.

4 Sep 2007

Tue, 4 Sep 2007 16:12:14 GMT

redi, I did try that. I desperately wanted it to work, but the rating didn't seem to make any difference in the resulting recentlog until I certified them. Perhaps I just didn't try hard enough. I'll have to try again when I have time.

The posting situation isn't really that bad, and I usually read the recentlog without being logged in. Just some days the thought crosses your mind... "there's got to be a better way." :-)

2 Sep 2007

Sun, 2 Sep 2007 18:26:54 GMT

Playing with Advogato ratings

That leaves filtering to bridge the gap between what I want to read, and what what Advogato displays. As usual, it seems quite tightly tied to the trust metric. I am unable to use the rating filter system unless I have certified them. And certification carries with it all the baggage of trust metrics. As the account page says: "Certify this user if you know them."

In addition, the rating system influences what other people see in their diary list, if they haven't performed a rating themselves. It does encourage participation in the certification and rating system, but it starts to carry the same annoyance of a click through license. People might just start certing in order to rate and filter.

I also think the rating spends too much effort maintaining information I don't need. For one, I don't really care to modify the list other people see. I don't want to censor, even indirectly, what others get to read. Plus, I don't need to rate the "interestingness" of a person's diary. I just want a flag so I never have to see their diary again.

26 Jul 2007

Thu, 26 Jul 2007 01:52:38 GMT

Ontario Linux Fest

Ontario Linux Fest which is to be held on October 13 in Toronto. Just returned from a planning meeting and things are moving along nicely.

There are still some slots open for presenters, so if you have a topic you'd like to present, send your proposal via one of the methods on the contact page, for best response. We have some great topics and presenters already lined up, including the likes of Theodore Ts'o and John "Maddog" Hall.

I'm personally looking forward to the OpenMoko presentation. I hadn't heard of this project until recently, but it sounds like everything a cell phone should be.

This Fest is planned in the same spirit as the Ohio Linux Fest: a grassroots knowledge conference instead of a product-based computer show. If you plan to be in the Toronto area in October, do sign up. Registration is cheaper if you do it in advance (only $40, and $20 for students).

Even if you can't make it, you can help by spreading the word to anyone you think would be interested. Help us pack the place.

I hope to see some fellow Advogators there! Drop me an email if you want to meet up.

28 Jan 2007

Sun, 28 Jan 2007 23:36:22 GMT

robogato: Thanks for the explanation of the history of that message. It makes more sense now.

In your context, it likely had to be strongly worded to get people's attention. Here, though, people might take it more seriously than you meant.

28 Jan 2007

Sun, 28 Jan 2007 06:35:31 GMT

I just noticed something new in the advogato pages. When looking at a user, you get the following warning:

Note: By certifying a user you are making a public statment that you know this person and can vouch for their identity.

When did this happen?

I must disagree with this sudden pseudo-gpg keysigning level of certification, especially since this warning is now retroactively applied to people's previous certifications, by mere virtue of being tacked on the bottom of the list.

I've written about the issues surrounding the certification process before. The above warning was never on advogato's pages before, or surely someone would have told me about it in response to earlier rants.

I also disagree that such a strict level certification is even practical. Is it really the goal of advogato to shut out the unknown? If so, this would seem to be a new development.

None of the people who have certified me know me personally. Are they all supposed to delist me?

Like it or not, I think Advogato is a virtual community, and has to live within its means. Not everyone can go to the effort of vouching for another user's identity, especially if said user lives in another country, or another continent. The best way is still to judge by their output as best you can.

I publically state that my certifications are not based on what identity I believe a user has, but on the simple binary decision of whether I believe their output qualifies as worthy to be seen on Advogato. (i.e. not an abuser or a spammer) The Journeyer setting is that binary switch for me.