Planet Apache

May 15, 2008

Rich Bowen: iDog

Last Christmas, The Girl begged and begged and begged for an iDog, which is a delightful little thing that dances to music either heard on its microphone or received from an audio input cable.

She played with it once or twice, but quickly lost interest. It's pretty stupid, and requires a lot of attention before it does anything interesting.

Earlier this week, The Girl and The Boy were fighting over it, so I brought it to work and plugged it into my desktop speakers. It is very weird. It whimpers occasionally, apparently when it doesn't like my music. It dances to stuff it likes. It blinks its lights in seemingly random patterns. It chirps and flashes green when you pat its head. It growls when you tweak its tail.

Here's the complete documentation, just in case you care.

When I was a kid, toys didn't come with 16-page users manuals. Sheesh.

May 14, 2008

Bruce Snyder: WTF? Swearing at Work Inspires Teamwork



A study last Fall in the UK found that swearing at work can inspire teamwork. According to the study:


"apparent misbehavior can serve an organization well." Taboo language, they said, can manifest itself in solidarity that helps create a much more pleasurable and productive place to work.


I'll need to remember to point this out to the next manager who becomes offended by my recurrent use of the one magical, multipurpose word, fuck.

Lars Trieloff: See something cool, learn something new, win something shiny

I went to one of our customers today to demo our Digital Asset Management System (it seems to be DAM-week, see also my presentation at the Henry Stewart Show) and one of the project managers told me that he had started playing around with Sling, how impressed he was with the power that is hidden in Sling and JCR, and how easy it was to build something interesting. So, if you would like to see something cool, just as he did, download CRX Quickstart Edition, which contains CRX (a commercial grade content repository) and Sling (a web application framework built around the concepts of JCR, REST, AJAX, OSGi and Scripting) and take a look at Michael Marth's screencast first steps with CRX Quickstart. (This was the "see something cool" part.)

Having seen something cool, it is time to learn something new, namely building applications using Sling and JCR, and CRX Quickstart is a great way of doing so. Besides the aforementioned screencast, there is a second one, the serverside.com in 15 minutes, and the rest of the CRX Quickstart documentation we have assembled.

If you now want to win something shiny, namely a brand new MacBook Pro, apply your newly won knowledge and take part in the Day JCR Cup '08, which is one of the reasons we released CRX Quickstart. We want more developers to learn something new, more developers to build something cool and thought that winning something shiny might be a good incentive to do so.

Aidan Skinner: [ANN] Qpid M2.1 has been released

Members of Qpid Nation,

I am exceptionally pleased to announce that Qpid M2.1 is out, loud and
proud. This version features AMQP 0-9 support, Access Control Lists
and Role Based Access Control, loadable exchanges via OSGi plugins and
the usual slew of enhancements, bug fixes and love.

Release notes

Known issues


But most importantly, you can get it from:
http://www.apache.org/dist/incubator/qpid/M2.1-incubating/

and via maven:
http://people.apache.org/repo/m2-incubating-repository

- Aidan

Nick Kew: Lack of Entropy


Much has been said about the Debian/OpenSSL bug by people closer to it than I am. An expert view comes from Ben Laurie, who lays into the Debian packagers for fixing an apparent bug locally, and not sharing it with upstream. In a second post, Ben clarifies some confusing issues, like whether OpenSSL is relying on uninitialised memory for entropy (not quite, but what it’s doing is not good either).

Ben’s wrath is well-deserved, but it seems to me there’s a fundamental reason why the OpenSSL folks must bear a share of the blame. Given the use of uninitialised memory, why wasn’t there a great big comment right there in the code, explaining it? Anything like that is sure to raise alarm bells in anyone reviewing the code, and send a programmer straight into fix-the-bug mode. And that’s an apparent-bug with a fix so simple that a compiler or runtime library could do it automatically. Don’t blame the Debian maintainer for fixing a blunder so trivial it must be a typo!

Why the “fix” went beyond just initialising that memory and broke it is beyond the scope of my (non-) research on the subject, and therefore this post.

UPDATE: Kudos to Michal Čihař for pointing out the upside to this sorry tale.

Henning Schmiedehausen: …why you should never, never, *never* patch code that you do not understand fully…

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c

And that is why you report bugs to upstream and let those that know what they are doing, sort them out. Not someone with a half-wit for a brain.

Random patching and “improvement” of code is evil. End of story.

“Given enough eyeballs, all bugs are shallow”, my ass. Look at all the Debian, and Debian related (hello, Ubuntu people!), users squirrelling around to change every single bit of crypto that they created in the last two years. Repeat after me: TWO YEARS.

Which of those freedom lovers ever bothered to look at the patches that this oh-so-trustworthy distribution provider has put into a package? Speaking of “single vendor lock-in”: how many distributions call themselves “free and open” just because they recompile or just ship the Debian packages verbatim?

That is as good as shipping an OEM Windows, folks! And now you got burned. Bad for you. Good for community health in the long run. Keeps you on your toes.

James Strachan: Apache ActiveMQ 5.1 and Apache ServiceMix Kernel 1.0-m3 Released!

Apache ActiveMQ 5.1.0 is now out. Both Bruce and Hiram cover this nicely - if you use ActiveMQ I'd recommend upgrading, it's got tons of bug fixes.

Also, things are really hotting up in the spiffy new OSGi based ServiceMix Kernel, which has just released 1.0-m3. Both Guillaume and Bruce have the lowdown. Grab it while it's hot!

Hopefully soon ActiveMQ may come built on ServiceMix Kernel by default, which will certainly help make it easy to hot-redeploy Enterprise Integration Patterns routing rules within the broker.

Ortwin Glück: [General] Animation film

Just found this amazing animation film made from graffiti by BLU. Must have taken weeks to make!

Danny Angus: Using Apache2 as a reverse proxy

It had been years since I'd done this, and I'd forgotten everything about it, but niq's article gets it all across nicely and concisely.

Ben Hyde: Tracking the powerless

Here’s another example of the natural progression of Moore’s law and privacy invading systems, wherein the powerless (shipping containers, pets, cattle, prisoners, soldiers, women and children, shoppers, etc.) pay the start-up costs. In this case we are tracking high school students. I think I may need to touch up my model a bit. Clearly the police states are also a fertile source of funding for innovation.

Davanum Srinivas: [Apache] Where did "Karma" come from?

First reference to karma on an Apache mailing list: http://markmail.org/message/jrp2vtljf5ot3phf

Next clue, the following post points to CVS as a possible source: http://markmail.org/message/gieddyl4tmqupezt

Wading through the CVS archives, it looks like we have a person named dprice (Derek Price?) to blame, at the very least for checking a contribution into CVS: http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/contrib/cvs_acls.in?annotate=1.1&hideattic=0 and http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/contrib/cvs_acls.in?hideattic=0&view=log#rev1.1 [...]

Bruce Snyder: Apache ServiceMix 4.0 Kernel Milestone Released



The third milestone release of the Apache ServiceMix 4.0 Kernel was pushed just this week. Check out the release notes to see all the new features that have been added.

ServiceMix 4.0 is a new container architecture for Apache ServiceMix, and it is progressing nicely. The ServiceMix 4.0 runtime is an OSGi based container that supports many core services and the ability to easily add additional services. See the diagram below for a high level view of the architecture:



Based on conversations I had with folks at JavaOne, the interest in ServiceMix 4.0 is really building. If you'd like to ask questions or discuss it, please join the ServiceMix mailing lists.

Sam Ruby: Beta 1.1

B1.1 of Agile Web Development with Rails, 3rd Edition is out. Unless you have a deep interest in the migration function, there isn’t much new content here — the primary focus of this update is addressing the errata and forum comments received to date.

This effort has turned out to be both harder and more rewarding than I would have ever anticipated.  Harder in that Rails has changed so much, there has been so much to learn (in terms of Rails 2.0, SQLite3, and also in terms of working with a different publisher, operating system, and toolset).  But I can’t begin to express how much I like the beta books program — the readers that this book has attracted so far have been great and their comments, questions, and feedback have been most appreciated.

Also, while this book has always had ample source code provided, I’m continuing to look for ways to both expand and automate. Rerunning the code on Rails edge, for example, is now something I can repeatedly do in a matter of minutes.

Geir Magnusson Jr.: MobileTerminal upgrade on iPhone

Just got an update to version "286u-7" via Cydia. Basically, this is a nice terminal for the iPhone that lets me do the usual shell things, and the packages that come via Cydia make it very powerful. Full apt, for example; ssh, svn. (I can set up a tunnel to an internal JIRA server at 10gen so that I can use my iPhone browser...)

The UI is half a screen of keyboard, and half a screen of terminal window. What's interesting is seeing how they are learning to leverage the touch features of the screen. A terminal using the iPhone keyboard is a little challenging, especially with the small screen for those of us for whom glasses are required more and more :) so finding ways of incorporating graphics and touch will make this tool all the more useful.

They are using single-finger touch to bring up a neat "grid" menu, short and long single finger swipes, and two finger swipes. I'm still figuring it out, but what I know is nice. For example, short swipes up and down get you the up/down command history in the shell, just like an up/down arrow would. A short swipe up to the "northeast" is a ctrl-c, to the "southwest" is tab. "West" is backspace, and "east" is space. A two-finger swipe up ("north") is the conf page, down is hide/show keyboard, "west" and "east" flip between the multiple terminal sessions. When you touch and hold, a square "menu" of buttons comes up, and sliding to them either does the function (e.g. "clear"), or changes the "menu" to a set of variants. For example, sliding to the "ls" button - which is darker to indicate that there are options there - switches the rest of the squares to variants: "ls -a", "ls -al", "ls -s" etc.

The results are pretty nice - if you have experience working in a shell, you can go pretty fast. I've only used it for a few things so far - ssh-ing into a server at work, or setting up a tunnel so that I can control a Hudson instance running inside our firewall. The iPhone is an incredibly powerful little computer, and having a good command line makes it more so. I wonder when Android will run on it? :)

Ben Laurie: Debian and OpenSSL: The Aftermath

There have been an astonishing number of comments on my post about the Debian OpenSSL debacle; clearly this is a subject people have strong feelings about. But there are some points raised that need addressing, so here we go.

Firstly, many, many people seem to think that I am opposed to removing the use of uninitialised memory. I am not. As has been pointed out, this leads to undefined behaviour - and whilst that’s probably not a real issue given the current state of compiler technology, I can certainly believe in a future where compilers are clever enough to work out that on some calls the memory is not initialised and take action that might be unfortunate. I would also note in passing that my copy of K&R (second edition) does not discuss this issue, and ISO/IEC 9899, which some have quoted in support, rather post-dates the code in OpenSSL. To be clear, I am now in favour of addressing this issue correctly.

And this leads me to the second point. Many people seem to be confused about what change was actually made. There were, in fact, two changes. The first concerned a function called ssleay_rand_add(). As a developer using OpenSSL you would never call this function directly, but it is usually (unless a custom PRNG has been substituted, as happens in FIPS mode, for example) called indirectly via RAND_add(). This call is the only way entropy can be added to the PRNG’s pool. OpenSSL calls RAND_add() on buffers that may not have been initialised in a couple of places, and this is the cause of the valgrind warnings. However, rather than fix the calls to RAND_add(), the Debian maintainer instead removed the code that added the buffer handed to ssleay_rand_add() to the pool. This meant that the pool ended up with essentially no entropy. Clearly this was a very bad idea.

The second change was in ssleay_rand_bytes(), a function that extracts randomness from the pool into a buffer. Again, applications would access this via RAND_bytes() rather than directly. In this function, the contents of the buffer before it is filled are added to the pool. Once more, this could be uninitialised. The Debian developer also removed this call, and that is fine.

The third point: several people have come to the conclusion that OpenSSL relies on uninitialised memory for entropy. This is not so. OpenSSL gets its entropy from a variety of platform-dependent sources. Uninitialised memory is merely a bonus source of potential entropy, and is not counted as “real” entropy.

Fourthly, I said in my original post that if the Debian maintainer had asked the developers, then we would have advised against such a change. About 50% of the comments on my post point to this conversation on the openssl-dev mailing list. In this thread, the Debian maintainer states his intention to remove for debugging purposes a couple of lines that are “adding an uninitialised buffer to the pool”. In fact, the first line he quotes is the first one I described above, i.e. the only route to adding anything to the pool. Two OpenSSL developers responded, the first saying “use -DPURIFY” and the second saying “if it helps with debugging, I’m in favor of removing them”. Had they been inspired to check carefully what these lines of code actually were, rather than believing the description, then they would, indeed, have noticed the problem and said something, I am sure. But their response can hardly be taken as unconditional endorsement of the change.

Fifthly, I said that openssl-dev was not the way to ensure you had the attention of the OpenSSL team. Many have pointed out that the website says it is the place to discuss the development of OpenSSL, and this is true, it is what it says. But it is wrong. The reality is that the list is used to discuss application development questions and is not reliably read by the development team.

Sixthly, my objection to the fix Debian put in place has been misunderstood. The issue is not that they did not fully reverse their previous patch - as I say above, the second removal is actually fine. My issue is that it was committed to a public repository five days before an advisory was issued. Only a single attacker has to notice that and realise its import in order to start exploiting vulnerable systems - and I will be surprised if that has not happened.

I think that’s about enough clarification. The question is: what should we do to avoid this happening again? Firstly, if package maintainers think they are fixing a bug, then they should try to get it fixed upstream, not fix it locally. Had that been done in this case, there is no doubt none of this would have happened. Secondly, it seems clear that we (the OpenSSL team) need to find a way that people can reliably communicate with us in these kinds of cases.

The problem with the second is that there are a lot of people who think we should assist them, and OpenSSL is spectacularly underfunded compared to most other open source projects of its importance. No-one that I am aware of is paid by their employer to work full-time on it. Despite the widespread use of OpenSSL, almost no-one funds development on it. And, indeed, many commercial companies who absolutely depend on it refuse to even acknowledge publicly that they use it, despite the requirements of the licence, let alone contribute towards it in any way.

I welcome any suggestions to improve this situation.

Incidentally, some of the comments are not exactly what I would consider appropriate, and there’s a lot of repetition. I moderate comments on my blog, but only to remove spam (and the occasional cockup, such as people posting twice, not realising they are being moderated). I do not censor the comments, so don’t blame me for their content!
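Ben's description of the two changes above, as an added toy illustration that is not OpenSSL's code: a pool seeded through an analogue of ssleay_rand_add(), with a switch that drops the mix-in step the way the Debian patch did. Once that step is gone, two pools fed different "platform entropy" produce identical output; the pool layout and the FNV-1a stirring are constructed for the demonstration only and are not cryptographic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the md_rand.c pool, constructed for this illustration:
 * a 32-byte state stirred with FNV-1a, which is NOT a cryptographic hash.
 * It shows the shape of the Debian change, not how to generate randomness. */
#define POOL_LEN 32

typedef struct {
    uint8_t  state[POOL_LEN];
    uint64_t counter;
    int      mix_input; /* 1: seed bytes are mixed in (upstream behaviour);
                           0: the mix-in step is removed (the Debian patch) */
} toy_pool;

static uint64_t fnv1a(uint64_t h, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static void toy_pool_init(toy_pool *p, int mix_input)
{
    memset(p, 0, sizeof *p);
    p->mix_input = mix_input;
}

/* Analogue of ssleay_rand_add(): the only route for entropy into the pool. */
static void toy_rand_add(toy_pool *p, const uint8_t *buf, size_t len)
{
    uint64_t h = fnv1a(14695981039346656037ULL, p->state, POOL_LEN);
    h = fnv1a(h, (const uint8_t *)&p->counter, sizeof p->counter);
    if (p->mix_input) {
        /* This is the step the Debian patch removed: without it the seed
         * material handed to the function never reaches the pool. */
        h = fnv1a(h, buf, len);
    }
    /* Fold the digest back into the state. */
    for (size_t i = 0; i < POOL_LEN; i++) {
        p->state[i] ^= (uint8_t)h;
        h = h * 6364136223846793005ULL + 1442695040888963407ULL;
    }
    p->counter++;
}

/* Analogue of ssleay_rand_bytes(): draw output derived from the pool. */
static void toy_rand_bytes(toy_pool *p, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t h = fnv1a(p->counter ^ 14695981039346656037ULL,
                           p->state, POOL_LEN);
        out[i] = (uint8_t)(h >> 56);
        p->state[i % POOL_LEN] ^= (uint8_t)h; /* stir so output is not replayed */
        p->counter++;
    }
}

/* Seed two pools with different constructed "platform entropy" and draw
 * 16 bytes from each. Returns 1 if both output streams are identical,
 * i.e. the seed material made no difference to what came out. */
int outputs_identical(int mix_input)
{
    static const uint8_t seed_a[] = "constructed entropy sample A";
    static const uint8_t seed_b[] = "constructed entropy sample B";
    toy_pool a, b;
    uint8_t out_a[16], out_b[16];

    toy_pool_init(&a, mix_input);
    toy_pool_init(&b, mix_input);
    toy_rand_add(&a, seed_a, sizeof seed_a - 1);
    toy_rand_add(&b, seed_b, sizeof seed_b - 1);
    toy_rand_bytes(&a, out_a, sizeof out_a);
    toy_rand_bytes(&b, out_b, sizeof out_b);
    return memcmp(out_a, out_b, sizeof out_a) == 0;
}

int main(void)
{
    printf("mix-in removed: outputs identical = %d\n", outputs_identical(0));
    printf("mix-in kept:    outputs identical = %d\n", outputs_identical(1));
    return 0;
}
```

With the mix-in removed, every pool is seeded to the same state regardless of what RAND_add() was given, which is exactly why the only remaining variation in the affected keys was the process id.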

Bertrand Delacretaz: livescribe note-taking smart pen - wow!


I wasn’t impressed at first when looking at the livescribe smart pen hardware specs (although impressive, that’s in a way just another smart pen), but the demos made the coin drop: synchronizing audio with smart paper notes sounds like the killer app for smart pens, and that pen seems to do it right. Can’t wait to try it!

Ted Leung: JavaOne 2008: Part 2

I’ve been to so many conferences and seen so many talks that it’s hard for me to really get excited about conference presentations. I went to talks here and there, but nothing at JavaOne was really reaching out and grabbing me (in fairness, this happens at other conferences also, so it’s not just JavaOne). Or at least that was true until the last day.

Friday opened with a keynote by James Gosling, who served as the MC for a train of presenters on various cool projects.

Cool stuff

First up was Tor Norbye, who has done a lot of good work on support for editing different languages in NetBeans. Tor has been working on JavaScript support for NetBeans 6.1, and he showed off some cool features, like detecting all the exits from a function, semantic highlighting of variables, and integrated debugging between NetBeans and Firefox. All of which was cool. When I was managing the Cosmo group at OSAF, I tried a bunch of JavaScript IDEs and never really liked any of them. I haven’t done a lot with NetBeans 6.1 yet, but I will. Tor showed one feature, which was the killer one for me. NetBeans knows what JavaScript will work in which browser. You can configure the IDE for the browsers that you want to support, and this affects code completion, quick fix checking and so on. Definitely useful. Here are several more references on the JavaScript support in NetBeans 6.1.

The Java Platform

It’s easy for me (and others, I’d bet) to think mostly of JavaEE or perhaps JavaME when thinking about Java. That’s understandable given the world's fixation on web applications, and looking ahead to mobile. But the majority of the talks in Gosling’s keynote session had nothing to do with Java SE, EE, or ME (at least in the phone sense).

Probably the hit (applause meter wise) of the keynote was LiveScribe’s demonstration of their Pulse Smart Pen. This is an interesting pen that records the ink strokes that it makes, and any ambient audio that it records while the writing is happening. The ink and audio can be uploaded to a computer, as long as that computer runs Windows (apparently a Mac version is in the works). Unfortunately, the pen works by sensing marks on a special paper (that would be the razor blades), so there’s a limitation on how useful this can be. The presenter said that a future version of the software would allow people to print their own special paper, but that’s still a future item for now. By reading special marks on the special paper, you get a pretty cool user interface. The pen itself can run Java programs, and there is a developer kit available for it. If they can get by the limitation of special paper, I think that this is going to be pretty interesting.

Sentilla showed off their Mote hardware, which seem like RFID chips that can run Java programs, except that these RFID chips can form mesh networks amongst themselves and can have various kinds of sensors attached. There are lots of applications for these things, going well beyond inventory tracking and such.

Sun Distinguished Engineer Greg Bollella demonstrated Blue Wonder, which is a replacement for the computers used to control factories. Blue Wonder combines off the shelf x86 hardware, Solaris, and real time Java to provide a commodity solution for factory control applications. This is far afield of Web 2.0 applications, but just as cool, in my mind.

By the end of the keynote I was reminded of the long reach of the JVM platform, something that I’d lost sight of. The latest craze in the Web 2.0 space is location data — O’Reilly has an entire conference devoted to the topic. I think that sensor fusion of various kinds (not just location sensors) is going to play a big role in the next generation of really interesting applications. The JVM looks like it’s going to be a part of that. I don’t think than any other virtual machine technology is close in this regard.

Java’s future

I also went to a talk on Maxine, a meta-circular JVM. By the twitter reactions of the JRuby and Jython committers, I’d say that Maxine is going to get some well deserved attention when it is open sourced in June. I’m particularly interested because the PIs for Maxine worked on PJava and MVM. Given the differences between the Erlang VM and the JVM, I think that the ability to experiment with MVM is going to be pretty interesting. Apparently, there’s already some form of MVM support in Maxine - we’ll find out for sure in June.

During the conference I had a meeting with Cay Horstmann, and at the end of the meeting Josh Bloch saw Cay and wanted to talk to him about the BGGA closures proposal for Java. Turns out that Josh has an entire slide deck which consists of a stream of examples where BGGA does the wrong thing, generates really cryptic error messages, or requires an unbelievable amount of code. The fact that BGGA depends on generics, which are already really hard, doesn’t give me much confidence about closures in Java. If you are a statically typed language fan, I think that you ought to be worried about whether Java, the language, has any headroom left.

The last session that I went to was Cliff Click and Brian Goetz’s session on concurrency. Unsurprisingly, the summary of the talk is “abandon all hope, ye who enter here”. I was glad to see a section in the talk about hardware support/changes for concurrency. The problem is that concurrency is going to introduce end-to-end problems, from the hardware all the way up to the application level, and I think that every stop along the way is going to be affected. Unlike sequential programming, where we are still largely reinventing the wheels of the past, there is no real previous history of research results to be mined for concurrency. Hotspot and other VMs are close to implementing most of the tricks learned from Smalltalk and Lisp, but those systems were mostly used in a sequential fashion, and while there were experiments with concurrency, there was much less experience with the concurrent systems than the sequential ones. Big challenges ahead.

Ted Leung: JavaOne 2008: Part 1

JavaOne is a pretty intense experience, simply by virtue of the size. If CommunityOne was twice the size of OSCON, then JavaOne is three times the size of OSCON, and it shows. There was an immediate change in feel and atmosphere once JavaOne got into full swing. You could barely move sometimes, and there were a bunch of people whose job was to corral the crowds into some semblance of order.

JavaOne 2008

As a Sun employee, I was on a restricted badge, which made it hard to get into sessions (you are basically flying standby). On the other hand, I had plenty to do. I participated in a dynamic languages panel for press and analysts (who have their own track), which was pretty fun. The discussion was lively enough that we could have gone for another hour. There was one persistent fellow who really wanted there to be just one language, or wanted us to declare language X better for task Y. When I got started in computing, people learned and worked in several languages. It's only been recently that a language (Java) was popular enough that people could just learn one language, and the growth of web applications pretty much guarantees a multi-language future because of server side and client side differences. In the end, we’re back to finding and using the best tool for the job, or at least the most comfortable tool for the job. This is probably going to cause heartburn for big IT shops, but developers seem to be happy about it.

JavaOne 2008

I took a walk through the Java Pavilion with Tim Bray one afternoon. He got into the AMD booth’s aromatherapy display (and yes, he has a similar shot of me doing the same thing). One of the highlights of that excursion was Tim introducing me to Dan Ingalls, who made a number of very substantial contributions to Smalltalk, including its original VM and the BitBlt graphics operation. I am a great admirer of the work that was done in Smalltalk, and it was an honor to meet Dan and have him explain the Lively Kernel to me. A short (and probably not quite fair) description of the Lively Kernel is to take the lessons learned from Smalltalk/Squeak and implement them in the browser using Javascript, AJAX, and SVG.

JavaOne 2008

Unsurprisingly, I got the most value at JavaOne from the networking. And that means dinners, hallway conversations, and yes, the parties. Usually when I go to conferences, I am just a party attender. This time, I also worked at some of the parties. It was a little different to walk around the SDN party wearing a t-shirt with “SDN Event Staff” painted large on the back. I still had a good time. Between the T-shirt and the camera, I definitely had some good conversations.

JavaOne 2008

Another benefit of being at a huge company is that they can really throw a big party. Like hiring Smash Mouth to play for a private concert:

JavaOne 2008

I’ve uploaded the rest of my photos from the conference to this Flickr set.

I actually do have some technical commentary, but I am going to put that into another post.

Rich Bowen: Framed

Yesterday I drove past that place
I used to live,
on the way home to you.

I cowered behind that very window,
afraid
of the world outside,
afraid
that it wouldn't miss me,
that it wouldn't notice
that I had vanished behind that frame.

I watched, through that frame,
others living the life
I could not live,
because I was
afraid,
I knew not of what,

nor why I had been exiled
to this penitentiary
which I paid good money
to inhabit.

There, framed in that window,
another lonely soul
gazed out at me, wondering
if I saw as I went on my way,
past this refuge of those
too young to have lived,
and those done with it.

Rich Bowen: Write every day

Last year, I tried very hard to write every day, and did a pretty good job of sticking to that. This year, it's been spotty, at best. I wrote a lot while in Amsterdam, and very little since I got back. Trying very hard to write, but, as Bradbury observes in the foreword of Dandelion Wine:

Like every beginner, I thought you could beat, pummel, and thrash an idea into existence. Under such treatment, of course, any decent idea folds up its paws, turns on its back, fixes its eyes on eternity, and dies.

Having met two of my very favorite authors - Douglas Adams and Arthur C Clarke - I cannot think of any author I'd more like to meet than Mr. Bradbury, but I have no idea what I'd ask him, for I feel that I already know him, from what he has written. And the most important thing I've learned from him is simply to write every day, whether I have something to write or not. Of course, very very few can ever hope to rise to his level, but I imagine I have a good story or two hiding away somewhere, waiting for me to write it.

May 13, 2008

Steve Loughran: Tired of Outlook

So the reason for having rich client applications is for a better off-line experience, right? Why then does Outlook suck? Why is it actually less responsive than Gmail on Firefox?

Why, when you have set 'empty deleted items on shutdown', does it try to delete the deleted items folder contents (a directory on the server) one by one, with some animation? Not only does this take so long on OS reboot (it's reboot Tuesday) that the OS gets fed up and kills it, corrupting the database; given that the mailbox is server hosted, surely a quick request to the server (rm "inbox/deleted/*") could do the work. The client - that is meant to be a cache of the server - could do its cleanup in the background, some other time.

Trustin Lee: Changing the default sound card automatically in Linux

Many people including me usually use a USB sound card or a USB speaker to enjoy noise-free high-fidelity sound. I simply don't understand why all the main board manufacturers ship with a built-in sound chipset which just sucks. Laptops are no exception.

In a non-portable system such as a desktop PC, you usually don't need to change your default sound card because your USB sound card is always connected. However, it's a whole different story for a laptop computer. A USB sound card is often disconnected and connected again. For example, I connected my USB speaker to the docking station. The expected behaviour is that the default sound card is chosen automatically - the sound system should be reconfigured so that my USB speaker becomes the default sound card when I dock to the docking station.

Currently, there's no desktop environment that addresses this problem AFAIK, so I wrote a quick and dirty script file that reconfigures the sound system automatically when a new sound card is detected. The script assumes that you are running HAL and DBUS, which are very common in modern Linux distributions.

#!/bin/sh
# Path: /usr/local/bin/alsa-watch

# Make sure only one instance of this watcher is running.
if [ "x`pgrep -of 'alsa-watch'`" != "x$$" ]; then
    exit 1
fi

# Configure the sound system once for the cards present at startup.
/usr/local/bin/alsa-reconfigure

# Then watch HAL over D-Bus for devices being added or removed, and
# reconfigure whenever the device in question is a sound card.
{
    dbus-monitor --system --monitor "type='signal',path='/org/freedesktop/Hal/Manager',interface='org.freedesktop.Hal.Manager'" | while read -r EVT; do
        if echo "$EVT" | egrep -qi '(DeviceAdded|DeviceRemoved)'; then
            # The line following the signal header carries the UDI of the device.
            read -r EVT_VAL
            if echo "$EVT_VAL" | egrep -qi 'sound_card_[0-9]+"'; then
                /usr/local/bin/alsa-reconfigure
            fi
        fi
    done
} &

Another script needed to run alsa-watch is alsa-reconfigure. The following is what I put into the alsa-reconfigure script. You could do something different, such as restarting the PulseAudio daemon and modifying the relevant GConf settings.

#!/bin/sh
# Path: /usr/local/bin/alsa-reconfigure
# Must run as root, since it rewrites /etc/asound.conf.

# Pick the first USB audio card if one is present, otherwise the first card
# listed. Every card line in /proc/asound/cards starts with the card index.
if grep -q USB-Audio /proc/asound/cards; then
    CARD=`grep USB-Audio /proc/asound/cards | head -1 | perl -pe 's/^\s*([0-9]+).*/$1/'`
else
    CARD=`head -1 /proc/asound/cards | perl -pe 's/^\s*([0-9]+).*/$1/'`
fi

# Update /etc/asound.conf so that the chosen card becomes the default
# for both PCM (via dmix, so several applications can share it) and control.
cat > /etc/asound.conf <<EOF
pcm.foo {
    type dmix
    slave.pcm "hw:$CARD"
    ipc_key 1024
}

pcm.!default {
    type plug
    slave.pcm "foo"
}

ctl.!default {
    type hw
    card $CARD
}
EOF

I execute alsa-watch in my /etc/rc.local file and it works perfectly for me. :)

Robert Burrell Donkin: OpenSSL: Debian And Ubuntu Bust The Random Number Generator

Debian have announced that with immense stupidity they decided to remove the entropy from the OpenSSL random number generator. This is not a good idea. Off to change my SSH keys and passwords...

Guillaume NodetApache ServiceMix Kernel 1.0-m3

We've just released the third milestone of ServiceMix Kernel 1.0-m3. This small OSGi based container is really nice, if you haven't had a look at it yet, go and grab it.

It adds a bunch of cool new features. For example you can run:

osgi list | utils grep ServiceMix

or

log d | utils grep WARN


If you want to have a quick run at it, go and look at the quick start guide.

Jim JagielskiUndependable Power Supply

Through the years, I've used lots and lots of UPSs. Lots.

I have never had such troubles as I have had with the Cyber Power units. They are basically worthless. They have a lifetime of maybe 1 year (with basically NO usage at all... Maybe a total of 3 cycles, down to only say 75% capacity) and fail without warning. Power hiccup and they simply die. You plug 'em back in, run the diagnostic tests and "Lordy Lordy All is in perfect operating condition!"... unless, of course, you unplug the unit from the wall at which point it will go belly up and die with nary a whimper.

I can see UPSs failing... it happens, sure. But with every other UPS type I've ever used I've gotten advance notice when the unit is starting to go south. Not with these. You have absolutely no idea if it's good or bad. It will fail at the drop of a hat and with no warning at all.

Avoid 'em.


Steve LoughranUpgrading to Ubuntu 8.04, week 2

DNS is still hosed. Either the network stack is dropping most of the DNS packets or Virgin Media are screwing up. Either hypothesis is currently valid. What is clear is that DNS takes 30s to respond. What is more interesting is what fails. Ivy deserves special mention here. On a machine where DNS is playing up, sorting dependencies takes forever. The only way to get the build to work is to disable the network adapter. I've filed a bug.

OpenOffice is complaining a lot on start up. I'm not the only one. It looks like a recurrence of an old problem -bad migration of settings.

Power management? The SCSI driver won't go into ACPI D3 state, so no Hibernate for me. Same as before.

I have managed to roll back to FireFox 2, by removing my .mozilla directory. Before upgrading to Ubuntu 8.04, take a copy of the .mozilla directory if you ever want to roll back to firefox 2.

I can't say it's been a seamless upgrade. The network is unusable; everything else on the LAN seems happy, DNS is just not working properly. I've turned off IPv6, disabled mDNS, edited resolv.conf, edited /etc/host.conf, edited /etc/nsswitch.conf. No use whatsoever. Next: ethernet packet sniffing time.

Shane Curcuru“Third base!”

Abbott and Costello in typeface. Beautiful. Many versions exist, but I agree they should have explicitly named the last outfielder - Naturally.

Bruce SnyderApache ActiveMQ 5.1 Released



Apache ActiveMQ 5.1 has been released! For more info, check out the changelog and the raw release notes. The stability of ActiveMQ was a high priority in this release so the reliability has been improved quite a lot.

Congratulations to all those involved!

Jon Scott StevensNew way to help homeless: Feed a meter

I kind of like the idea of installing machines that take spare change which is then given to the homeless by the city. I never give anyone change anymore because after my experience with the homeless and owning a night club, I know that all it is used for is drugs. Handing someone money doesn't help them get the help they really need. I really believe that panhandling and homelessness in San Francisco is totally out of control. I've done a fair bit of traveling around Asia and Europe in the last few years and I'd say I haven't seen a homeless problem this bad in any other large cities I've seen. Our Mayor hasn't done nearly enough to fight it. Sadly, I do think that the reality of doing something like this in San Francisco is that the machines will be quickly attacked and disabled.

Justin MasonSerious Debian/Ubuntu openssl/openssh bug found

via Reddit, this Debian Security announcement:

‘Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! –jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.’

and, of course, here’s the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

  • Ubuntu 7.04 (Feisty)
  • Ubuntu 7.10 (Gutsy)
  • Ubuntu 8.04 LTS (Hardy)
  • Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
  • Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect “fix” applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news….

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.

+1!

For what it’s worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that’s one way to reduce the risk of upstream-vs-package fork bugs like this, since we’d have spotted that change going in, and nixed it before it caused this failure.

Here’s a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about uninitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to seed the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I’ve found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here’s a how-to page on wiki.debian.org put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called ‘dowkd.pl’, details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news — SSL keys will need to be regenerated. Add ‘costly’ to the list of downsides.

Looking at ‘dowkd.pl’, it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could only generate 1 of only 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

David N. WeltonRestaurants, immigrants, and the popularity of various cuisines

A little off-topic exercise conducted in the "eye of the storm", when Ilenia and Helen were still in the hospital:

A post on Seth Robert's blog brings up the idea that many Chinese restaurants were opened as a way to go into business without competing with native male workers. The post made the rounds of several other online journals.

That was the push I needed to get up and go collect a few statistics of my own, regarding an idea I've been kicking around for a while. My theory is that the number of restaurants of a given type, divided by the number of immigrants from that country, might be an interesting way of gauging the popularity of the cuisine in question.

In order to simplify things just a bit, I actually used data from Italy, for the following reasons:

  • Most immigration to Italy is pretty recent, so it's not necessary to account for the length of time different immigrant groups have been present, and the effects that may have had on the diffusion of a given cuisine.

  • Immigration statistics were readily available: http://demo.istat.it/str2006/index.html

  • Italian the language almost completely corresponds to Italy the country (outside of a chunk of Switzerland, San Marino, and the Vatican), something that makes things that much easier.

  • I speak Italian, so it was easy to find out all the information I needed

Unfortunately, finding out the number of restaurants of various types is far from an exact measurement, and since this is a quick fun project, I just went for Yahoo search (they deserve credit for keeping their search API open when Google's was closed) results on terms like "Ristorante Turco" (Turkish), "Ristorante Messicano" (Mexican), and so on. This was the most expedient means of gathering information quickly, but this approach does present a number of obvious problems, listed here in the hope that someone without diapers to change and a business to run might come up with some good answers:

  • Some hits likely come from people talking about a restaurant that happens to be in a country, like "ristorante americano". "Nel tipico ristorante americano, ...." or in other words, "In a typical American restaurant", rather than an American-style restaurant in Italy, which is what we were looking for in the first place. This is probably also true of countries close to Italy, where people go on vacation and thus have occasion to write about their experiences in a "ristorante tedesco" (German), rather than going to eat in a German restaurant in Italy. Perhaps the search query could be improved in an attempt to eliminate this sort of false positive.

  • Some restaurants probably are not known as, nor brand themselves with a country name, but instead utilize titles like "Middle Eastern", "Arab", "South American", "African", or others that do not correspond with any one country in particular. It would be possible to group countries together with other adjectives, and get statistics for these clusters as well.

  • Measuring hits is measuring what people are talking about, rather than simply restaurants that exist, so if restaurants from a certain country are more talked about than others, that would muddy the statistics a bit. However, it seems reasonable that people would mostly talk about restaurants in proportion to their popularity, and I don't see a particular reason why there would be more talk of Vietnamese restaurants, say, than Thai restaurants, compared to the actual numbers.

That said, for a quick project, this approach seemed to work out ok, and the results appear credible. Obviously, the results also reflect people discussing certain cuisines, rather than an actual number of restaurants, but since it does reflect interest, we'll use the number in any case.

Since the number of restaurants/interest in a type of restaurant was clearly not correlated directly with the number of immigrants, other factors must come into play. For instance, "ristorante giapponese" turns up 125,000 hits, but the stats say only 6873 Japanese nationals live in Italy. As above, hits don't mean actual restaurants, but clearly Japanese cuisine is not being popularized through immigration.

Here's my guess: these statistics show, to some degree, what people in the host country actually like to eat. Food that tastes good means more restaurants. Things that aren't that popular mean few restaurants, even if there are many immigrants. To pick on one country, there are many Filipino immigrants in Italy, but very few search hits - and anecdotally, I've never seen a Filipino restaurant in Italy either, whereas even smaller towns like Padova have Chinese, Mexican (well, it's called that, even if it's a shadow of the real thing), Japanese, various Arab and middle eastern restaurants, and even a few less common things like Eritrean. And I know that many native and foreign restaurants employ Filipino cooks.

Below is the chart I whipped up showing the number of Yahoo hits per immigrant. The Italian names shouldn't be too hard to figure out. A few tricky ones: Giordano-Jordanian, Giamaicano-Jamaican, Spagnolo-Spanish. If you're interested in numbers or source code, contact me.

Immigrants and Restaurants

Sander TemmeIf You’re in NYC, Check Out Josh Fix Tonight

Tonight, Josh Fix and his band will play the second of four shows at Arlene’s Grocery on 95 Stanton Street in New York. I haven’t been there but we’re great fans of Josh and you should go check it out. And then tell your friends so you can all pack the house next week. Tons of music on Josh’s website.

Rich BowenThe Nairobi-Mombasa Road

The Nairobi-Mombasa Road
For Three Word Wednesday
May 12, 2008

The highway stretches
from here to there,
shimmering with the heat
of a long season of drought.
All that lies between,
in these huge empty spaces --
empty to us, that is -- filled
with the inconsequential,
forgotten, ignored millions,
who we choose to thunder
past on the way
from here to there.
Who eke out their daily
nothing
in this place we would
never have noticed
but for a flat tire
or the call of nature
halfway between
here and there.

They, for their part,
watch us hurry
past on our way to places
they're better off not knowing,
leaving exhaust and empty
Fanta Orange bottles,
and a vague feeling that somewhere
else might be better than here,
wonder what could be so important
there, that we'd want to rush
there, from that other there,
and back again.

Ben LaurieVendors Are Bad For Security

I’ve ranted about this at length before, I’m sure - even in print, in O’Reilly’s Open Sources 2. But now Debian have proved me right (again) beyond my wildest expectations. Two years ago, they “fixed” a “problem” in OpenSSL reported by valgrind[1] by removing any possibility of adding any entropy to OpenSSL’s pool of randomness[2].

The result of this is that for the last two years (from Debian’s “Etch” release until now), anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys.

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.

Secondly, if you are going to fix bugs, then you should install this maxim of mine firmly in your head: never fix a bug you don’t understand. I’m not sure I’ve ever put that in writing before, but anyone who’s worked with me will have heard me say it multiple times.

Incidentally, while I am talking about vendors who are bad for security, it saddens me to have to report that FreeBSD, my favourite open source operating system, are also guilty. Not only do they have local patches in their ports system that should clearly be sent upstream, but they also install packages without running the self-tests. This has bitten me twice by installing broken crypto, most recently in the py-openssl package.

[1] Valgrind is a wonderful tool, I recommend it highly.

[2] Valgrind tracks the use of uninitialised memory. Usually it is bad to have any kind of dependency on uninitialised memory, but OpenSSL happens to include a rare case when it's OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it. It does cause irritating errors from some kinds of debugging tools, though, including valgrind and Purify. For that reason, we do have a flag (PURIFY) that removes the offending code. However, the Debian maintainers, instead of tracking down the source of the uninitialised memory, chose to remove any possibility of adding memory to the pool at all. Clearly they had not understood the bug before fixing it.

P.S. I’d link to the offending patch in Debian’s source repository. If I could find a source repository. But I can’t.

(Update)

Thanks to Cat Okita, I have now found the repo. Here’s the offending patch. But I have to admit to being astonished again by the fix, which was committed five days before the advisory! Do these guys have no clue whatsoever?
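The failure mode that Justin Mason's post above works through (a key space small enough to precompute and match) and that Ben Laurie's footnote [2] explains (the seeding step that was removed), as an added toy model written for this page. It is not OpenSSL's code, Debian's patch or anything from either author: it assumes a hash-based PRNG, a 32768-entry PID range and a 16-byte output as a stand-in for a private key. Real key generation is far more involved; the point is that once the caller's entropy is no longer mixed in, the PID is the only input left, so every key a system can produce lies in a set an attacker enumerates in advance.

```python
"""Added toy model of the CVE-2008-0166 failure mode (not OpenSSL's RNG,
not Debian's patch). With the caller's entropy dropped from seeding, the
PID is the only thing that varies between processes, so the whole key
space is one entry per possible PID and can be precomputed."""
import hashlib

PID_MAX = 32768  # assumed bound for the PID range (the default Linux pid_max)


class ToyPRNG:
    """Hash-chain PRNG standing in for the seeding step.

    mix_entropy=True folds the caller's entropy into the state, as the
    upstream code does; mix_entropy=False models the patched behaviour,
    where the state depends on nothing but the PID.
    """

    def __init__(self, pid: int, entropy: bytes = b"", mix_entropy: bool = True):
        seed = pid.to_bytes(4, "big")
        if mix_entropy:
            seed += entropy          # the contribution Debian's patch removed
        self.state = hashlib.sha256(seed).digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:n]


def toy_keygen(prng: ToyPRNG) -> str:
    """Stand-in for key generation: the first 16 output bytes, hex-encoded."""
    return prng.read(16).hex()


def precompute_keys(pid_max: int = PID_MAX) -> dict:
    """Attacker side: every 'key' the broken RNG can produce, mapped to its PID."""
    return {toy_keygen(ToyPRNG(pid, mix_entropy=False)): pid
            for pid in range(1, pid_max)}


def recover_pid(key: str, table: dict):
    """PID that produced `key` under the broken RNG, or None if it is not in the table."""
    return table.get(key)


def demo() -> dict:
    """Generate one victim key with and without entropy mixing and look both up."""
    table = precompute_keys()
    entropy = b"constructed sample entropy"  # constructed; any bytes would do
    broken = toy_keygen(ToyPRNG(4242, entropy, mix_entropy=False))
    fixed = toy_keygen(ToyPRNG(4242, entropy, mix_entropy=True))
    return {
        "distinct_keys": len(table),                  # one per PID: 32767
        "broken_pid_recovered": recover_pid(broken, table),  # 4242
        "fixed_pid_recovered": recover_pid(fixed, table),    # None
    }


if __name__ == "__main__":
    print(demo())
```

The table is built in well under a second here; the fourteen hours quoted for the real precomputation is the cost of real RSA/DSA key generation per PID and key size, not of the lookup, which is a single dictionary probe either way.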

Jim JagielskiMSB

One of the many very cool things about being involved in Open Source is that you get to meet and become close to many other people who share a very similar world view with yourself regarding volunteerism. Heck, when you think about it, most of the really successful Open Source projects are based on people sharing their time, energy and talents to create code that is then used by numerous entities to impact the world. If that's not a core concept of volunteerism, I don't know what is. I've known, and been humbled by, people who have expanded their involvement in Open Source to other more "traditional" concepts of volunteering, transplanting themselves (and their families) to remote locations to improve literacy, reduce hunger, or increase the usage of technology to improve living conditions.

There is one non-profit which is especially near and dear to my heart: The Maryland State Boychoir. The MSB offers young men the opportunities to grow in their musical ability, but, even more importantly, the opportunity to understand and appreciate the arts (via the boychoir choral tradition) and grow in self-confidence. We have boys and young men from pretty much every social, religious, racial and economic background, and yet despite these "differences", they grow as a team, as a group, as a choir. They create life-long friendships. So more so than the musical training, these incredible young men learn that it's OK to be musical or "artistic" and that you are still masculine, that being "a man" is not just sports (although most of our boys are very successful there as well), and that cultural "differences" aren't divisive at all.

I volunteer quite a bit of my time to the MSB; I use vacation time to attend and proctor camps and tours, I volunteer at events and serve as proctor of the Concert Choir and on the board of the MSB, and help out financially. If you are located in the Maryland region, I encourage you to get to know the MSB and attend a concert. And with the economy the way it is, it is getting harder to find people willing and able to financially help out as well. If you can, then that would certainly be most appreciated!

But even if the MSB isn't your cup of tea, I encourage to find something to volunteer for. It makes a big difference, not only in your life, but also in lives of the people you touch.


Geir Magnusson Jr.Not just the GPL, or no one would use it...

From an article on TSS :

"Most successful open source projects are using GPL," Mårten Mickos, former CEO at MySQL and now of Sun.

While "most" is debatable, I think it's interesting that successful OSS projects either don't use the GPL, or don't just use the GPL alone, but have to modify it in some way to get around the enforcement of Freedom(SM) in GPL so people can use the project.

OpenJDK has the Classpath Exception along with the strict requirement of having Sun have complete copyright (so they can relicense to something commercially useful), MySQL also does the complete copyright thing (how else could they be worth $1B) plus several exceptions including one which I think of as The "We want to use Apache's APR, and we can for our commercial licensees because the Apache License doesn't restrict what we can do, but it's a big problem for those taking MySQL under the GPL" Exception, which I interpret as saying the FSF's opinion on license compatibility should be ignored when it gets in the way. Linux supposedly has some sort of exception for modules (I can't find it), and of course the standard unix library under linux is offered under the LGPL.

So yes, there are a lot of successful open source projects under the GPL, but there are a few others (Apache Httpd (aka "the webserver running the inter-truck" [Apache License], Apache EverythingElse [Apache License], Eclipse [Eclipse Public License], Firefox [Mozilla Public License], etc) that seem to do ok despite their non-GPL handicap :)

Are there actually *any* major, successful open source / free software projects available under a pure GPL?

Sam RubyOpen Standards

Paul Fremantle: For me the core difference between Open Standards and Open Source is this: Open Standards enable companies to compete in a structured way, Open Source projects enable people or companies to collaborate in a structured way

I think Paul may be onto something.  It is rapidly becoming the case that this more than this is becoming the exemplar for open standards.  While it is popular to malign the JCP, it is worth noting that many (most?) JSRs have TCKs which actively promote the idea of multiple, independent, interoperable implementations.

Martijn DashorstOS X: Logitech 250 USB headset works on Leopard

In a previous post, which happens to be high on Google’s search results when looking for OS X drivers and Logitech products, I lamented Logitech’s driver support for not working and mostly keeping quiet about it.

I’ve recently upgraded my MacBook Pro to Leopard and it seems that the freezing problem has been fixed. I haven’t encountered the spinning beach ball of death due to connecting my Logitech headset. But I must confess that I am very cautious currently when attaching the headset, and haven’t used it for a while. I’m slightly optimistic that this problem is solved.

Jeremy QuinnPurple Haze [Flickr]

sharkbait posted a photo:

Purple Haze

An arbour in the walled garden in Brockwell Park, on a stunning Sunday Afternoon.

Jeremy QuinnMay Rose [Flickr]

sharkbait posted a photo:

May Rose

Gather ye rose-buds while ye may,
Old Time is still aflying,
And this same flower that smiles today,
Tomorrow will be dying.
-- Robert Herrick --

Tony Stevensonfreenode-staff -= pctony

As of this morning I have just resigned my position as a freenode staffer.

I just couldn't offer the sort of time that is needed to operate as a staff member for this busy IRC network. I deeply regret not having 32 hour days so I could fit all my daily activities into one day.

So I have had to decide which projects I do have time for, and of those which am I more involved with and/or passionate about.

Steve LoughranEverything has a URL, again

Steve LoughranActually, the test suite is the real spec, and most OSS projects have them

There's an Artima Article on Java TCKs that seems to have been got at by the JCP management

Why?

Because it argues in favour of a strong Test suite (the TCK) and that it needs to be kept a secret for the return on investment of the companies behind it. And it criticises lots of OSS projects -hibernate, Apache HTTPD- for not having a 'specification' or an independent TCK.

I disagree

  1. Unless the specification is a mathematically rigorous one, written in a formal language like Z, it is of limited value. It will get mis-interpreted by all the developers, including those of the test kit
  2. But it's the test kit that is used to sign off 'compliance'.
  3. So really, the test kit is the formal, machine readable specification
  4. Admittedly, often one written procedurally, in languages like Junit+Java, rather than in a higher level declarative syntax (compare with Prolog's PLUnit). It also lacks the ability to enable proofs of correctness or temporal reasoning, which something like PolyML offers.
  5. All OSS projects I've been involved in have excellent test kits. Team Ant wrote AntUnit for its testing, the SmartFrog test framework can be used for functional testing of large distributed apps. Axis run their own tests alongside the TCK. As for Hadoop, they test on 500 nodes before every release.
  6. All these tests are run by machines, many times a day
  7. All the home-grown tests are public, open for maintenance with the cost-sharing benefits of OSS processes
  8. Try doing that with a committee-designed specification.

Deepal JayasingheWSO Registry and SOA

In the upcoming release of the WSO2 Registry we are going to have a number of SOA related features. I spent a considerable amount of time and got the Eclipse WSDL validator working outside of Eclipse as well, so we are going to have that in the next registry version. Some of the SOA features:

- WSDL validation
- Schema validation
- WSDL imports (when a WSDL has imports, the registry automatically imports them into the registry and adds them as resources)
- Schema imports (same as WSDL imports)
- Extracting WSDL meta-data (such as targetNamespace, documentation, etc.)

Martijn DashorstWicket 1.4 M1 New and Noteworthy

Recently the Wicket team released the first milestone release of Wicket 1.4, the new and Java 5 based release that will supplant Wicket 1.3 rather soon. We have adopted the release schema of Eclipse as our M.O. to smooth the process of introducing (amongst others) generics into our code base.

In the same tradition as Eclipse, we now have our very own New and Noteworthy release document for Wicket 1.4-m1.

Now I hear you ask… How can I help out? Well, you can! By using this milestone release and providing us feedback on how this release suits you.

Enjoy!

Jon Scott StevensUnsubscribeMe Storm

Today was rather interesting. For the first time in many years, I fell victim to an UnsubscribeMe Storm. First a little back story. Years ago, I was added to an email mailing list for a hair salon a friend of mine once worked at. Puddin gave me a really fun haircut and color that day. Pictures of the cut are even still online. Every 6 months or so, I get one email from the owner of the Blow Salon talking about a new fashion show they are having. No big deal. Hit delete and move on.

Well, for the first time, someone decided to hit reply-to-all with an unsubscribe message. I don't know who set up their mailing list, but they did it wrong (should have done it as an announcement only list) and the message went out to everyone on the list. Hello instant shit storm! Did I also mention that the salon happened to be closed today and it was clear the owner was off relaxing somewhere nice?

Therefore, this storm lasted longer and sent more messages than any other storm I've seen before. The best part is how aggressive many of the people got. Name calling ensued. Threats of action were tossed out. People continued to not read all the replies telling people to stop replying. More name calling. And then the jokes started and I can't say I stayed out of it, way too much fun to have.

First someone created a MySpace account using the address so of course the 'confirm your email address' message went to the list. Nice. So, I created a LinkedIn account figuring that everyone was already stuck together and there was no way out of this mess. Sadly, I wasn't able to read the confirmation emails quickly enough and someone hijacked the account before I could (they probably guessed I made the password 'unsubscribe'). Next up, I sent an email detailing in a very nice language how stupid people are (I got a lot of replies saying how funny it was). Someone else started sending Chuck Norris messages. Classics such as "Chuck Norris destroyed the periodic table, because he only recognizes the element of surprise."

Sadly, here we are at 10pm and this epic journey seems to have ended. Luckily, one of the final emails to the list was mine: Subject: Free haircuts for everyone. Body: If you act fast and respond to the email with 'unsubscribe' in the subject, you get a free mohawk. Everyone else who can't follow the directions gets a mullet. Of course, color costs extra.

Chris PepperMy favorite Mac OS X command: open

For years I’ve been hearing complaints about the Finder, chiefly from John Siracusa and John Gruber. They have mostly gone in one ear and out the other, because of a little secret I have.

See, back in the day of Mac OS X Public Beta (pre-1.0), the Finder was really bad. Dog slow (much worse than now), highly crash-prone, and very limited (compared to both the Mac OS 9 Finder and the Leopard Finder).

When I was still working at The Shooting Gallery, fixing Macs, learning UNIX, and trying to jettison hacked Windows servers (unsuccessfully), the Mac OS X Public Beta was a very big deal. Its Terminal application and command-line environment were much more stable than the still-very-beta Finder, so I used them as much as possible. Over the years, as I have read ongoing complaints about the Finder, I have continued to use Terminal and the command line, and been largely insulated from the Finder’s failings.

I would like to mention three Apple tricks for mixing the GUI and CLI worlds — not that there couldn’t be others I don’t know. One is that you can drag files into Terminal, and it