Planet Debian

Planet Debian - http://planet.debian.org/

Matthew Palmer: Moving forward with an SSL Co-op

Wed, 2014-06-25 00:00

Since first posting my idea for an SSL co-op a couple of weeks ago, I’ve gotten some positive feedback from people, and further thinking and research has convinced me that it is feasible to at least attempt it.

As a result, I’d like to announce the public unveiling of The SSL Co-op. It is intended to be a commercial, not-for-profit[1] organisation that issues widely-trusted certificates to members, for their use or for resale. Eventually, I’d like the co-op to be a root CA in its own right, with its certificate trusted by all the browsers and other X.509-using applications out there, but that isn’t something that’s achievable immediately.

At this stage, the co-op hasn’t been formed, and I’m looking for expressions of interest from individuals and organisations who would be interested in becoming members. If you fit that description, I’d really appreciate it if you could fill out a short survey so I can get a better idea of what sort of scale the co-op will be operating at initially.

This is the first step towards an interesting future, where there is more choice of provider for online identity verification. Exciting times.

  1. Despite a lot of misunderstanding to the contrary, “commercial, not-for-profit” is not a contradiction. “Commercial” means “doing things for money”, and “not-for-profit” means “not returning a dividend to investors”. In the case of the SSL co-op, it will be providing services to members on a cost-recovery basis, and any excess funds left over from that will be re-invested in the co-op to improve the services provided to members.

Categories: FLOSS Project Planets

Russell Coker: Fixing Strange Directory Write Access

Tue, 2014-06-24 21:40

type=AVC msg=audit(1403622580.061:96): avc:  denied  { write } for  pid=1331 comm="mysqld_safe" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1403622580.061:96): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=7f5e09bfe798 a2=2 a3=2 items=0 ppid=1109 pid=1331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/dash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

For a long time (probably years) I’ve been seeing messages like the above in the log from auditd (/var/log/audit/audit.log) when starting mysqld. I haven’t fixed it because the amount of work exceeded the benefit; it’s just a couple of lines logged at every system boot. But today I decided to fix it.

The first step was to find out what was going on. I ran a test system in permissive mode and noticed that there were no attempts to create a file (that would have been easy to fix). Then I needed to discover which system call was triggering this. The syscall number is 269; the file linux/x86_64/syscallent.h in the strace source shows that 269 is the system call faccessat. faccessat(2) and access(2) are annoying cases: they do all the permission checks for access but don’t involve doing the operation, so when a program uses those system calls but for some reason doesn’t perform the operation in question (in this case writing to the root directory) then we just get a log entry but nothing happening to examine.

A quick look at the shell script didn’t make the problem obvious. Note that this is probably obvious to people who are more skilled at shell scripting than me – but it’s probably good for me to describe how to solve these problems every step of the way. So the next step was to use gdb. Here is the start of my gdb session:

# gdb /bin/sh
[skipped]
Reading symbols from /bin/dash...(no debugging symbols found)...done.
(gdb) b faccessat
Breakpoint 1 at 0x3960
(gdb) r -x /usr/bin/mysqld_safe
[lots skipped]
+ test -r /usr/my.cnf
Breakpoint 1, 0x00007ffff7b0c7e0 in faccessat ()
from /lib/x86_64-linux-gnu/libc.so.6

After running gdb on /bin/sh (which is a symlink to /bin/dash) I used the “b” command to set a breakpoint on the function faccessat (which is a library call from glibc that calls the system call sys_faccessat()). A breakpoint means that program execution will stop when the function is called. I run the shell script with “-x” as the first parameter to instruct the shell to show me the shell commands that are run so I can match shell commands to system calls. The above output shows the first call to faccessat() which isn’t interesting (it’s testing for read access).

I then ran the “c” command in gdb to continue execution and did so a few times until I found something interesting.

+ test -w / -o root = root
Breakpoint 1, 0x00007ffff7b0c7e0 in faccessat ()
from /lib/x86_64-linux-gnu/libc.so.6

Above is the interesting part of the gdb output. It shows that the offending shell command is “test -w /”.

I filed Debian bug #752593 [1] with a patch to fix this problem.

I also filed a wishlist bug against strace asking for an easier way to discover the name of a syscall [2].
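The triage described in this post, as an added example that is not part of the original post: it pairs each AVC record with the SYSCALL record sharing its audit event id, names the syscall, and marks denials raised by access(2)/faccessat(2), which only probe permissions. The first event is the pair quoted in the post; the second event, the small syscall table and all function names are assumptions made for the illustration.

```python
import re

X86_64 = "c000003e"  # AUDIT_ARCH_X86_64, the arch= value in the post's SYSCALL record
# Small x86_64 subset of the syscall table; extend it from your kernel headers.
SYSCALLS = {2: "open", 21: "access", 83: "mkdir", 87: "unlink",
            257: "openat", 269: "faccessat", 439: "faccessat2"}
# Which a<n> field holds the mode argument of the permission-probe calls.
PROBE_MODE_ARG = {"access": "a1", "faccessat": "a2", "faccessat2": "a2"}
MODE_BITS = ((4, "R_OK"), (2, "W_OK"), (1, "X_OK"))

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{([^}]*)\}")

# Event 96 is copied from the post; event 97 is constructed for contrast.
SAMPLE = r'''
type=AVC msg=audit(1403622580.061:96): avc:  denied  { write } for  pid=1331 comm="mysqld_safe" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1403622580.061:96): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=7f5e09bfe798 a2=2 a3=2 items=0 ppid=1109 pid=1331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/dash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1403622581.100:97): avc:  denied  { write } for  pid=1400 comm="exampled" name="state" dev="dm-0" ino=300 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1403622581.100:97): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f0000000000 a2=241 a3=1b6 items=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exampled" exe="/usr/sbin/exampled" subj=system_u:system_r:example_t:s0 key=(null)
'''


def parse_events(text):
    """Group audit records by event id (the 'timestamp:serial' inside msg=audit())."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault(event_id, {})[rtype] = fields
    return events


def triage(text):
    """Return one summary per event that has both an AVC and a SYSCALL record."""
    results = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or sc is None:
            continue
        number = int(sc["syscall"])
        name = SYSCALLS.get(number) if sc.get("arch") == X86_64 else None
        name = name or f"syscall#{number}"
        probed = []
        if name in PROBE_MODE_ARG:
            mode = int(sc[PROBE_MODE_ARG[name]], 16)  # audit logs a0..a3 in hex
            probed = [label for bit, label in MODE_BITS if mode & bit]
        results.append({
            "event": event_id,
            "exe": sc.get("exe"),
            "syscall": name,
            "denied": avc["perms"],
            "target": avc.get("name"),
            "tclass": avc.get("tclass"),
            "probe_only": name in PROBE_MODE_ARG,  # check without the operation
            "probed_modes": probed,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE):
        kind = "permission probe" if r["probe_only"] else "real operation"
        print(r["event"], r["exe"], r["syscall"], r["denied"], r["target"], kind, r["probed_modes"])
```

For the post's event the decoded mode is W_OK on "/", which is what a shell's "test -w /" asks for.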


Wouter Verhelst: The art of soccer, and ivory towers

Mon, 2014-06-23 18:31

Twenty years ago, I was sixteen and in high school. The school at the time, if memory serves right, was the "Kunsthumaniora voor muziek en woord van het gemeenschapsonderwijs" in Brussels (which translates approximately to "art high school for music and word of the communal educational branch"... that's not entirely right, but it's late and I'm too tired to look for a dictionary). I was taking drama classes there. No, I'm not making this up. Except maybe the sixteen bit—I might be off by one or two years.

Hey, I did a lot of things during high school. Stop looking at me like that.

At one point in time during my stint in drama, a group of educational interns—the sort of people who would be teaching some sort of stuff somewhere after their graduation—cooperated with our school to come up with a whole day of classes around one subject. I'll never forget the title: "Can art rescue the democracy?" If that sounds pompous and silly, that's because it was. However, I was at art school, fer crying out loud, so I drank it up like it was Kool-Aid. Which it wasn't. It was worse.

At the end of the day (literally, that is), the educational interns had booked some hot shot art person for a debate. I've since completely forgotten his name. He must've been not that hot shot after all, since I never even once read anything about him in the next few years. Of course I can't exclude the most recent decade, not remembering him and all, but whatever. I also don't remember whether he was a hot shot art critic, a hot shot artist, or just some random hot shot person who writes about art, but doesn't actually do it himself. Whatever.

One of the main topics during the whole day was the point about how artsy people find it extremely difficult to define what art actually is. I mean, it's all they do all day, but they can't come up with a decent definition of the damn thing.

During the afternoon break, just before the debate with this maybe-sortof-semi hot shot art person, I walk around the playground and think about the whole thing. And come up with some personal definition of art. My definition.

As the time of the debate comes up, the hot shot art person sits in the front of the gym behind some table, and the whole school (literally) is sitting in chairs in the rest of the gym. Some questions are asked. Many of those are just shot down.

At some point, I raise my finger when it's asked if anyone has further questions. I walk up to the microphone. I ask him:

"Could we maybe define art as that thing that, though it might be easy to reproduce, in no case is easy to produce?"

He sits (he never got up, really). He thinks. I stand, and wait. After a few seconds of this, he answers. He seems impressed. His reply is something along the lines of "that's not a perfect definition, but it's pretty good. There's a lot to be said for that, and I urge you to write about art when you grow older".

I never followed his advice. I got a bit more interested in art, but quickly found out that art consists of one group of people who spend their time doing things other people find pretty, and another group of people who spend their time doing things that makes other people "think", whatever that is. They may not have a brain, they may be silly as hell, but they still want to "think". It's not for me, it's never been. Art, that is -- not the think bit. That is something I don't mind doing.

Don't get me wrong. I still like art. I like going to museums from time to time; I like the performing arts. I mean, I play the flute. Not the piano, not the guitar, not the flipping drums, the flute. Which I like, for what it's worth.

But if the intent is to make people think, there are better ways to do that. If I want to make people think, I'm not going to make some obscure object that may or may not have a message, in the hope that a millionaire with no better use for his money would buy it just to make his friends jealous, after which he's going to put it in a safe for a few years so he can sell it at a higher value. Without thinking about it. If I want to make people think, I'm not going to write a play or piece of music that's so obscure it will make people all confused, so they can fill their evening afterwards drinking cocktails at a reception, claiming it was all nice and thought-provoking, quoting little parts of it to people they've never met, just so they can make their social status look more than it actually is.

Good thing I never finished drama school, I suppose.

No, if I want to make people think, I'll try doing so where it actually matters. Like, say, in politics. Not that I have any political ambitions, mind you. But I think the answer to that question of twenty years ago should be a firm "no." Art cannot rescue democracy. Not if they don't have a lot of interesting things to say to anyone but themselves. Maybe the reverse is true, though; maybe democracy can rescue art. Not that I care much.

Why is all this relevant today?

A few days ago, as I was driving somewhere, there was some show on the radio relating to the current exploits of the Belgian national soccer team. There are a lot of them these days. Radio shows about that subject, that is—not Belgian national soccer teams. I suppose having a lot of competition makes it hard to find a new angle to come up with, and still keep things interesting. I also suppose having a lot of stuff going on about that squad gets people annoyed if they're not the least bit interested. I suppose that could be a new angle. Presumably that radio host supposed the same, because he'd been looking for, and asking questions of, people who didn't like soccer and who weren't going to watch the match. Most of them said they weren't interested and added one or two words about what they were going to be doing instead.

One of them said that "they" would be better off spending money on "art and culture", rather than on soccer. No, I don't know who "they" were, he didn't say. Never mind that, let me go on now.

I don't know who this dude was; they—the radio people—didn't say. He sounded like someone between 50 and 65, and had a somewhat tenor-y voice. I suspect he had two kids, and a Mercedes. Yes, I just made that up. The part about the kids. And the car. No, it doesn't matter. But it's still likely. He sounded like that sort of guy.

Whoever this dude was, though, I'd like to just say one thing: Dude, you're an idiot. There's a time and a place for everything.

The time and place for art is "everywhen", and "in any random art gallery, opera house, or theatre, out of the public eye". Not because the rest of us don't want to deal with art, but because artsy people like it that way. They like to feel all pompous and important, and therefore use difficult words. Words that nobody except those along with them in their ivory tower like to use. Words that don't actually mean anything. But in doing so, they make this Art thing uninteresting to look at for people who don't care about their pompous and silly words. And strengthen the walls of their ivory tower. Only to complain later on that nobody ever shows up at art galleries, and that the really good ones keep going out of business.

The time and place for the world championship soccer is "once every four years", and "everywhere". Not because soccer people want to annoy you—although, yes, I'll grant you that the KBVB has gone a little overboard with the merchandising this time around—but rather because it's so simple. You kick the ball, and you hit the goal. There, done. Everyone can do it. Yes, true, there are some pompous people talking about it on TV, too. And yes, true, some people are better at it than others. But nobody claims you can't do soccer unless you're part of the "in" club. There are plenty of people who claim you can't do art unless you are. And if everyone can do it, then everyone can understand it. If you can understand it, it's easier to enjoy it. This is why so few people enjoy cricket or baseball outside of the few countries where it's popular.

That's also why so few people enjoy art: because you make it so difficult. And people just don't care. They want to be entertained.

I'm not saying that soccer is the best sport in the world, or that watching it is the most entertaining thing one can do. It isn't. In fact, beyond the national team, I'm not really following it all that well myself. If through some weird spatial anomaly the world championship would suddenly cease to exist and I would be the only person alive remembering it, I don't think I'd spend a lot of time trying to get it back.

But don't compare it to art. Because, well, in the grand scheme of things, neither of those two really matters all that much.

That is all.


Steve Kemp: So I accidentally ... a service.

Mon, 2014-06-23 14:44

This post is partly introspection, and partly advertising. Skip it if either annoys you.

Back in February I was thinking about what to do with myself. I had two main options: "Get a job", and "Start a service". Because I didn't have any ideas that seemed terribly interesting I asked people what they would pay for.

There were several replies, largely based on "infrastructure hosting" (which was pretty much a 50/50 split between "DNS hosting", and project hosting with something like trac, redmine, or similar).

At the time DNS seemed hard, and later I discovered there were already at least two well-regarded people doing DNS things, with revision control.

So I shelved the idea, after reaching out to both companies to no avail. (This later led to drama, but we'll pretend it didn't.) Ultimately I sought and acquired gainful employment.

Then, during the course of my gainful employment I was exposed to Amazon's Route53 service. It looked like I was going to be doing many things with this, so I wanted to understand it more thoroughly than I did. That led to the creation of a Dynamic-DNS service - which seemed to be about the simplest thing you could do with the ability to programmatically add/edit/delete DNS records via an API.

As this was a random hack put together over the course of a couple of nights I didn't really expect it to be any more popular than anything else I'd deployed, and with the sudden influx of users I wanted to see if I could charge people. Ultimately many people pretended they'd pay, but nobody actually committed. So on that basis I released the source code and decided to ignore the two main missing features - lack of MX records, and lack of sub-sub-domains. (Isn't it amazing how people who claim they want "open source" so frequently mean they want something with zero cost, they can run, and never modify and contribute toward?)

The experience of doing that though, and the reminder of the popularity of the original idea made me think that I could do a useful job with Git + DNS combined. That led to DNS-API - GitHub based DNS hosting.

It is early days, but it looks like I have a few users, and if I can get more then I'll be happy.

So if you want to store your DNS records in a (public) GitHub repository, and get them hosted on geographically diverse anycasted servers .. well you know where to go: Github-based DNS hosting.


Daniel Pocock: Bendigo: a risk of becoming the Australian capital of Islamophobia?

Mon, 2014-06-23 14:25

I spent most of my high-school years in a small town called Bendigo in Australia. These days, I'm living in the centre of Europe, Switzerland.

Oddly enough, a more than trivial number of people in Bendigo are now trying to imitate one of the darkest moments in Switzerland's history, a crusade to prevent the construction of a mosque.

At least in Switzerland, they tried to be slightly diplomatic: the official question on the referendum was about banning minarets rather than a whole religion. The placards in the street were more explicit, with the silhouette of blackened minarets arranged to resemble a field of inter-continental ballistic missiles:

In Bendigo, however, the gloves are off. One councillor has already declared "I wouldn't want to live near a mosque. Would you?"

Will Bendigo ban the internet too?

In Australia and Britain, the press has been fascinated with the recent release of a Jihad video on YouTube created by Brits and Aussies fighting in Syria. Fear-mongering fanatics claim the mosque will bring jihadists to Bendigo. If they genuinely believe that, shouldn't they be pushing to censor or ban the internet too, so that the children of Bendigo won't get their hands on these recruitment videos?

Weeds will grow if nobody plucks them out

The fact is, most of these anti-Islam campaigners are nutcases or opportunists looking for a political career. Hundreds of millions of Muslims worship their God in peace every day. As the referendum in Switzerland demonstrates, if good people do nothing, the nutcases will flourish like weeds. Only 30% of Swiss people voted to ban minarets, but with 47% of people not voting at all, the nutcases won. Citizens of Bendigo who value their human rights (which includes freedom of religion) would be wise to avoid complacency. Even though the mosque may now have council approval, sinister groups from around the whole country are now conspiring to overturn the decision or perhaps just make the town a focal point for their Islamophobia campaigns.


Francesca Ciceri: Adventures in Mozillaland #2

Mon, 2014-06-23 09:15

Time for an update from my internship at Mozilla, as part of the OPW.

The last weeks have been a bit rough: I have my usual migraines to thank for that. It's not easy to work with them: you are either stoned by the meds, or cannot look at a monitor. And while you're trying to sleep your headaches away, the world keeps rolling. Silly world.
As Liz, my mentor, suggested, I tried to stick with the little things and to do a bit of something every day.
"Waiting for the miracle", you know.
So, here's what I've been up to:

Triaging

I probably failed my personal 5-bugs-a-day policy, in the last two weeks, but besides that I'm pretty satisfied with my progress:

  • I learnt how to find regression windows
  • I verified some more bugs (mostly Developer Tools or Theme related) on both Linux and Windows (yeah. Don't.Ask.)
  • I triaged a lot of them. Also botched a couple, and felt like an idiot for that.

All in all, I realized that I really love triaging/verifying bugs: being not a developer nor a simple user, but a bit of both, gives me the right mindset - I think - to mediate between these two worlds.

Community

On the community front, I finally managed to meet - virtually - the Mozilla Italian community. The guys are great and besides running the forum to give user support, they do a whole lot of activities related to localization. They are also trying to encourage participation of Italian users and enthusiasts in Mozilla events: don't miss, for instance, the upcoming Marketplace Day when a couple of us will be available to help other Italian users with the day's activities. Read Daniele's post on the forum for more information in Italian.

Documentation

On the documentation front, I finally managed to get out the Bugdays FAQ, draft a guide on how to run different versions of Firefox and multiple profiles for triaging purposes on Linux and Windows - still have to finish this one, though -, and participate in a very interesting discussion on the current state of QMO - the entry point for QA contributors in Mozilla.
The site, in my opinion, needs some love and I'd very much like to help in that sense.
Check out the discussion, and give us some feedback about the website on the dev-quality mailing list!

Lessons learned
  • when you're not feeling well, stick with the little things and don't feel guilty for that
  • don't try to reproduce a bug when you're tired, you'll end up Doing It Wrong™

Simon Josefsson: Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard

Mon, 2014-06-23 06:18

I have moved to a new OpenPGP key. There are many tutorials and blog posts on GnuPG key generation around, but none of them matched exactly the setup I wanted to have. So I wrote down the steps I took, to remember them if I need to in the future. Briefly my requirements were as follows:

  • The new master GnuPG key is on a USB stick.
  • The USB stick is only ever used on an offline computer.
  • There are subkeys stored on a YubiKey NEO smartcard for daily use.
  • I want to generate the subkeys using GnuPG so I have a backup.
  • Some non-default hash/cipher preferences encoded into the public key.

After writing down the notes below, I posted about how to create a small JPEG image to embed in my OpenPGP key. I was planning to go live with the first key I generated, however as was gently pointed out to me, the JPEG image I generated was not optimal (too low quality and not sufficiently compressed). I have decided to retake the photo so I have a color image as a basis for size optimization. I don’t want to postpone using the new key though, so I stepped through all of these steps again (except adding the photo) to get a new key. This is why the notes below are for a key 1C5C4717 that is now revoked. My new real key is 54265E8C. I will add the photo to my 54265E8C key once I have a JPEG file that I’m happy with.

Offline machine

The offline machine setup I use is a Live CD on a machine that is physically well protected. I’m using the Debian Live CD version 7.5.0 GNOME Desktop. The password for the auto-logged in user is “live” which you need if the screen-saver kicks in. Configure the keyboard layout if you need to. Insert a USB memory stick. I’m using a VFAT filesystem to keep things simple; and for this writeup it happened to be mounted as /media/FA21-BEC7 so you will have to replace that path with something that points to your USB stick. Open a terminal since the rest of this writeup will be done from a terminal window.

GnuPG configuration

Set your GnuPG home directory to point at the USB memory device. You will need to do this in every terminal window you open that you want to use GnuPG in.

user@debian:~$ export GNUPGHOME=/media/FA21-BEC7/gnupghome
user@debian:~$ mkdir $GNUPGHOME
user@debian:~$

GnuPG defaults (as of version 1.4.16) to ranking SHA1 higher than SHA384, SHA512, and SHA224 in the default hash preference list. To be precise, the default hash preference order is SHA256, SHA1, SHA384, SHA512, SHA224. I consider SHA1 broken so I don’t advertise it at all, although I believe that will not prevent some implementations from using SHA1 anyway since it is the mandatory-to-implement hash algorithm. Regarding symmetric ciphers, the default order is AES256, AES192, AES128, CAST5, 3DES. I don’t like ciphers with 64-bit block lengths, so I don’t advertise them but similarly, I believe this will not prevent some implementations from using CAST5 or 3DES anyway. I also advertise support for Twofish and Camellia in case someone wants to use them; they are 128-bit block length and relatively modern ciphers after all. The “default-preference-list” keyword is used to override the default settings, which will be recorded into any newly generated keys.

GnuPG self-signs keys with SHA1 by default, and I prefer to use a member of the SHA2 family, hence the “cert-digest-algo” keyword. Further down below we will use the GnuPG Agent to talk to the smartcard, so configure GnuPG to use it with the “use-agent” keyword. GnuPG prints ugly warning messages about locking (gpg: DBG: locking for `/media/FA21-BEC7/gnupghome/secring.gpg.lock' done via O_EXCL), presumably because of the VFAT filesystem, so I use “lock-never” to silence that.

user@debian:~$ cat > $GNUPGHOME/gpg.conf
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAMELLIA256 CAMELLIA192 CAMELLIA128 TWOFISH
cert-digest-algo SHA512
use-agent
lock-never
user@debian:~$
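A check for the policy just described, added here as an example and not part of the original writeup: it reads a gpg.conf and reports any advertised hash outside the SHA2 family, any advertised cipher with a 64-bit block, and a missing or non-SHA2 cert-digest-algo. The function names and the second sample configuration are assumptions; the S<n>/H<n>/Z<n> numbers are the RFC 4880 algorithm IDs.

```python
import re

# Algorithm names as GnuPG spells them, with their RFC 4880 IDs.
CIPHERS = {"IDEA": 1, "3DES": 2, "CAST5": 3, "BLOWFISH": 4, "AES": 7,
           "AES192": 8, "AES256": 9, "TWOFISH": 10,
           "CAMELLIA128": 11, "CAMELLIA192": 12, "CAMELLIA256": 13}
HASHES = {"MD5": 1, "SHA1": 2, "RIPEMD160": 3, "SHA256": 8,
          "SHA384": 9, "SHA512": 10, "SHA224": 11}
COMPRESSION = {"UNCOMPRESSED": 0, "ZIP": 1, "ZLIB": 2, "BZIP2": 3}
TABLES = {"cipher": ("S", CIPHERS), "hash": ("H", HASHES),
          "compression": ("Z", COMPRESSION)}

BLOCK64 = {"IDEA", "3DES", "CAST5", "BLOWFISH"}   # 64-bit block ciphers
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}

# The configuration from the writeup.
PAGE_CONF = """\
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAMELLIA256 CAMELLIA192 CAMELLIA128 TWOFISH
cert-digest-algo SHA512
use-agent
lock-never
"""

# Constructed counter-example mixing names and numeric IDs.
WEAK_CONF = """\
# constructed sample, not from the writeup
default-preference-list SHA256 H2 AES256 S3 3DES ZLIB
cert-digest-algo SHA1
"""


def resolve(token):
    """Map a preference token (name or S<n>/H<n>/Z<n>) to (kind, canonical name)."""
    t = token.upper()
    for kind, (prefix, table) in TABLES.items():
        if t in table:
            return kind, t
        m = re.fullmatch(prefix + r"(\d+)", t)
        if m:
            for name, num in table.items():
                if num == int(m.group(1)):
                    return kind, name
    return None


def parse_conf(text):
    """Return {option: [arguments]} for a gpg.conf, ignoring comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.split()
    return opts


def audit(text):
    """List deviations from the writeup's policy; an empty list means compliant."""
    opts, findings = parse_conf(text), []
    prefs = opts.get("default-preference-list")
    if prefs is None:
        findings.append("default-preference-list not set: built-in order applies")
    else:
        for tok in prefs:
            resolved = resolve(tok)
            if resolved is None:
                findings.append(f"unrecognised preference token {tok}")
                continue
            kind, name = resolved
            if kind == "hash" and name not in SHA2:
                findings.append(f"hash {name} advertised (not SHA-2)")
            elif kind == "cipher" and name in BLOCK64:
                findings.append(f"cipher {name} advertised (64-bit block)")
    cert = opts.get("cert-digest-algo")
    if not cert:
        findings.append("cert-digest-algo not set: default digest signs the key")
    else:
        resolved = resolve(cert[0])
        if resolved is None or resolved[0] != "hash" or resolved[1] not in SHA2:
            findings.append(f"cert-digest-algo {cert[0]} is not SHA-2")
    return findings


if __name__ == "__main__":
    for label, conf in (("writeup", PAGE_CONF), ("constructed", WEAK_CONF)):
        print(label, audit(conf) or "ok")
```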

Generate master key

Below I will use a 3744 bit RSA key, where the key size is selected based on the assumption that people will focus efforts to crack RSA keys on the usual power-of-two key sizes. I have chosen to not generate an encryption key, since I will use subkeys on a smartcard. With my old B565716F key I noticed that sometimes people will encrypt to my main encryption key even though I have encryption subkeys. Presumably this happens due to implementation flaws or user configuration mistakes. It could happen “intentionally” if someone had a public key from me with expired subkeys but not expired main keys. This could be a reason to use the same expiration day for all your keys. Still, I chose to not generate an encryption key at all at this point. For additional protection, I’m using a passphrase on the key.

user@debian:~$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/media/FA21-BEC7/gnupghome/secring.gpg' created
gpg: keyring `/media/FA21-BEC7/gnupghome/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 3744
Requested keysize is 3744 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 100
Key expires at Fri 26 Sep 2014 10:50:22 PM UTC
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "
Real name: Simon Josefsson
Email address: simon@josefsson.org
Comment:
You selected this USER-ID:
"Simon Josefsson "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
gpg: /media/FA21-BEC7/gnupghome/trustdb.gpg: trustdb created
gpg: key 1C5C4717 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2014-09-26
pub 3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
Key fingerprint = EF0A 1996 7B3B 4BAD 9D5C A97F 1A44 08DD 1C5C 4717
uid Simon Josefsson
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
user@debian:~$

Add photo

I’m in the process of creating a better JPEG photo, so I skipped this step for my new key. However the notes here are correct anyway.

user@debian:~$ gpg --edit-key 1C5C4717
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Simon Josefsson
gpg> addphoto
Pick an image to use for your photo ID. The image must be a JPEG file.
Remember that the image is stored within your public key. If you use a
very large picture, your key will become very large as well!
Keeping the image close to 240x288 is a good size to use.
Enter JPEG filename for photo ID: /media/FA21-BEC7/simon-gpg.jpg
Is this photo correct (y/N/q)? y
You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Simon Josefsson
[ unknown] (2) [jpeg image of size 6048]
gpg> save
user@debian:~$

Add another identity

Most people have multiple email addresses, and this needs to be reflected in the GnuPG key. Use the primary command to specify your main User ID.

user@debian:~$ gpg --edit-key 1C5C4717
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Simon Josefsson
[ultimate] (2) [jpeg image of size 6048]
gpg> adduid
Real name: Simon Josefsson
Email address: simon@yubico.com
Comment:
You selected this USER-ID:
"Simon Josefsson "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Simon Josefsson
[ultimate] (2) [jpeg image of size 6048]
[ unknown] (3). Simon Josefsson
gpg> uid 1
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Simon Josefsson
[ultimate] (2) [jpeg image of size 6048]
[ unknown] (3). Simon Josefsson
gpg> primary
You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18
pub 3744R/1C5C4717 created: 2014-06-18 expires: 2014-09-26 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Simon Josefsson
[ultimate] (2) [jpeg image of size 6048]
[ unknown] (3) Simon Josefsson
gpg> save
user@debian:~$

Create a revocation certificate

It is good practice to generate a revocation certificate in case you lose your key. Store this in a safe place, possibly printed out on paper.

user@debian:~$ gpg --output $GNUPGHOME/../revocation-certificate.txt --gen-revoke 1C5C4717
sec 3744R/1C5C4717 2014-06-18 Simon Josefsson
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Created during key creation, emergency use only.
>
Reason for revocation: Key has been compromised
Created during key creation, emergency use only.
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
user@debian:~$

Make a backup of the master key

To have an easy way to move back and forward in time in GnuPG, I both export the key to a stable data format and keep a backup of the actual GnuPG home directory.

user@debian:~$ gpg -a --export-secret-keys 1C5C4717 > $GNUPGHOME/../masterkey.txt
user@debian:~$ cp -a $GNUPGHOME $GNUPGHOME-backup-masterkey
user@debian:~$

Create subkeys

Now I will generate three keys that will go onto the smartcard. I have chosen to generate these using GnuPG and then move the keys onto the smartcards, instead of generating the keys directly on the card. The difference is that with this approach, I get a backup of the keys and can import them to another key in the future if I need to.

Each key has its own purpose: Signature, Encryption, and Authentication. Smartcards typically have limitations on key sizes, so I select 2048 as a widely supported size. Expert mode is required to generate authentication subkeys.

user@debian:~$ gpg --expert --edit-key 1C5C4717
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). Simon Josefsson
[ultimate] (2)  [jpeg image of size 6048]
[ultimate] (3)  Simon Josefsson

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 100
Key expires at Fri 26 Sep 2014 11:03:16 PM UTC
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
....+++++

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
[ultimate] (1). Simon Josefsson
[ultimate] (2)  [jpeg image of size 6048]
[ultimate] (3)  Simon Josefsson

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 100
Key expires at Fri 26 Sep 2014 11:03:31 PM UTC
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 7 more bytes)
.+++++

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
[ultimate] (1). Simon Josefsson
[ultimate] (2)  [jpeg image of size 6048]
[ultimate] (3)  Simon Josefsson

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 100
Key expires at Fri 26 Sep 2014 11:03:59 PM UTC
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 56 more bytes)
+++++

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
sub  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26  usage: A
[ultimate] (1). Simon Josefsson
[ultimate] (2)  [jpeg image of size 6048]
[ultimate] (3)  Simon Josefsson

gpg> save
user@debian:~$

Export subkeys for backup

This is a good time to save a restore point for your key. Note in the output of --list-secret-keys the keywords sec and ssb, which mean the main key and the subkeys are available. If the secret keyring contained only stubs, it would be sec> and sec#.

user@debian:~$ gpg --list-keys
/media/FA21-BEC7/gnupghome/pubring.gpg
--------------------------------------
pub   3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
uid                  [jpeg image of size 6048]
uid                  Simon Josefsson
sub   2048R/72D5245B 2014-06-18 [expires: 2014-09-26]
sub   2048R/A11F46D2 2014-06-18 [expires: 2014-09-26]
sub   2048R/D6987A02 2014-06-18 [expires: 2014-09-26]

user@debian:~$ gpg --list-secret-keys
/media/FA21-BEC7/gnupghome/secring.gpg
--------------------------------------
sec   3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
uid                  [jpeg image of size 6048]
uid                  Simon Josefsson
ssb   2048R/72D5245B 2014-06-18
ssb   2048R/A11F46D2 2014-06-18
ssb   2048R/D6987A02 2014-06-18

user@debian:~$ gpg -a --export-secret-keys 1C5C4717 > $GNUPGHOME/../mastersubkeys.txt
user@debian:~$ gpg -a --export-secret-subkeys 1C5C4717 > $GNUPGHOME/../subkeys.txt
user@debian:~$ cp -a $GNUPGHOME $GNUPGHOME-backup-mastersubkeys
user@debian:~$

Configure machine for smartcards

The YubiKey NEO requires that RSA keys are imported with some additional parameters, used for CRT speedups. This was fixed in GnuPG 2.0.22. Unfortunately, it is not fixed in GnuPG 1.x. However, GnuPG 1.x can use gpg-agent and scdaemon from GnuPG 2.x to communicate with the smartcard. So let’s work around the limitation in GnuPG 1.x by installing parts from GnuPG 2.x and using those.

You will need to install the following packages: gnupg-agent, libpth20, pinentry-curses, libccid, pcscd, scdaemon, libksba8. Make sure that scdaemon is version 2.0.22 or later (get it from backports). I downloaded these packages and put them on the USB stick.

Unfortunately, libccid in Debian is a bit outdated, and does not contain the USB device vendor/product ID in /etc/libccid_Info.plist. You will need to manually add this, and restart pcscd.

user@debian:~$ sudo gedit /etc/libccid_Info.plist
user@debian:~$ sudo service pcscd restart

Start gnupg-agent and set up the environment variable for this session:

user@debian:~$ gpg-agent --daemon
gpg-agent[22556]: directory `/media/FA21-BEC7/gnupghome/private-keys-v1.d' created
GPG_AGENT_INFO=/tmp/gpg-wGji5C/S.gpg-agent:22557:1; export GPG_AGENT_INFO;
gpg-agent[22557]: gpg-agent (GnuPG) 2.0.22 started
user@debian:~$ GPG_AGENT_INFO=/tmp/gpg-wGji5C/S.gpg-agent:22557:1; export GPG_AGENT_INFO;
user@debian:~$

Prepare YubiKey NEO

Make sure you have a recent firmware version, 3.1.8 or later; use lsusb -v to find out.

Make sure the device is in OTP/CCID or CCID mode; use ykpersonalize -m from the YubiKey Personalization project to switch.

Make sure you have the OpenPGP applet loaded properly, otherwise see the YubiKey NEO OpenPGP applet project on installing it. You may want to set a proper Application ID, see herlo’s ssh-gpg-smartcard-config github repository for some hints.

Configure OpenPGP applet

This also changes the PIN and Admin codes.

user@debian:~$ gpg --card-edit

Application ID ...: D2760001240102000060000000420000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 00000042
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000060000000420000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> name
Cardholder's surname: Josefsson
Cardholder's given name: Simon

gpg/card> lang
Language preferences: sv

gpg/card> url
URL to retrieve public key: https://josefsson.org/1c5c4717.txt

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> login
Login data (account name): jas

gpg/card>

Application ID ...: D2760001240102000060000000420000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 00000042
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Sex ..............: male
URL of public key : https://josefsson.org/1c5c4717.txt
Login data .......: jas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit
user@debian:~$

Move subkeys to YubiKey NEO

Moving subkeys to a NEO is a destructive operation, so make sure you took backups of the subkeys as above. After this step, your GnuPG keyring will contain stubs for the subkeys.

user@debian:~$ gpg --edit-key 1C5C4717
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
sub  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26  usage: A
[ultimate] (1). Simon Josefsson
[ultimate] (2)  [jpeg image of size 6048]
[ultimate] (3)  Simon Josefsson

gpg> toggle

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> key 1

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb* 2048R/72D5245B  created: 2014-06-18  expires: never
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
2048-bit RSA key, ID 72D5245B, created 2014-06-18

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb* 2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> key 1

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> key 2

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb* 2048R/A11F46D2  created: 2014-06-18  expires: never
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> keytocard
Signature key ....: EF34 D1F7 95C0 3392 E52A 54FE DFF1 6372 72D5 245B
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (2) Encryption key
Your selection? 2

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
2048-bit RSA key, ID A11F46D2, created 2014-06-18

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb* 2048R/A11F46D2  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> key 2

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> key 3

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb* 2048R/D6987A02  created: 2014-06-18  expires: never
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> keytocard
Signature key ....: EF34 D1F7 95C0 3392 E52A 54FE DFF1 6372 72D5 245B
Encryption key....: E24D 5135 C2FC 905C 8995 ACD8 EC96 9E77 A11F 46D2
Authentication key: [none]

Please select where to store the key:
   (3) Authentication key
Your selection? 3

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
2048-bit RSA key, ID D6987A02, created 2014-06-18

sec  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb  2048R/72D5245B  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb  2048R/A11F46D2  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
ssb* 2048R/D6987A02  created: 2014-06-18  expires: never
                     card-no: 0060 00000042
(1)  Simon Josefsson
(2)  [jpeg image of size 6048]
(3)  Simon Josefsson

gpg> save
user@debian:~$

Take another backup

Can you tell yet that I like having backup options? Note that the subkeys are now marked ssb> indicating they are stubs for a smartcard key.

user@debian:~$ gpg --list-secret-keys
/media/FA21-BEC7/gnupghome/secring.gpg
--------------------------------------
sec   3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
uid                  [jpeg image of size 6048]
uid                  Simon Josefsson
ssb>  2048R/72D5245B 2014-06-18
ssb>  2048R/A11F46D2 2014-06-18
ssb>  2048R/D6987A02 2014-06-18

user@debian:~$ gpg -a --export-secret-keys 1C5C4717 > $GNUPGHOME/../masterstubs.txt
user@debian:~$ gpg -a --export-secret-subkeys 1C5C4717 > $GNUPGHOME/../subkeysstubs.txt
user@debian:~$ gpg -a --export 1C5C4717 > $GNUPGHOME/../publickey.txt
user@debian:~$ cp -a $GNUPGHOME $GNUPGHOME-backup-masterstubs

Transfer to daily machine

Copy publickey.txt to your day-to-day laptop and import it.

jas@latte:~$ gpg --import < publickey.txt
gpg: key 1C5C4717: public key "Simon Josefsson " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
jas@latte:~$

Insert the YubiKey NEO and generate secret key stubs:

jas@latte:~$ gpg --card-status
Application ID ...: D2760001240102000060000000420000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 00000042
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Sex ..............: male
URL of public key : https://josefsson.org/1c5c4717.txt
Login data .......: jas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: EF34 D1F7 95C0 3392 E52A 54FE DFF1 6372 72D5 245B
      created ....: 2014-06-18 23:03:16
Encryption key....: E24D 5135 C2FC 905C 8995 ACD8 EC96 9E77 A11F 46D2
      created ....: 2014-06-18 23:03:31
Authentication key: 2768 2EF9 415C 19FC F0CC 9CA5 DA81 BA39 D698 7A02
      created ....: 2014-06-18 23:03:59
General key info..: pub  2048R/72D5245B 2014-06-18 Simon Josefsson
sec#  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26
ssb>  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26
                      card-no: 0060 00000042
ssb>  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26
                      card-no: 0060 00000042
ssb>  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26
                      card-no: 0060 00000042
jas@latte:~$

Now you should have an offline master key with subkey stubs. Note that the master key is not available (sec#) and the subkeys are stubs for smartcard keys (ssb>).

jas@latte:~$ gpg --list-secret-keys 1c5c4717
sec#  3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
uid                  [jpeg image of size 6048]
uid                  Simon Josefsson
ssb>  2048R/72D5245B 2014-06-18 [expires: 2014-09-26]
ssb>  2048R/A11F46D2 2014-06-18 [expires: 2014-09-26]
ssb>  2048R/D6987A02 2014-06-18 [expires: 2014-09-26]

jas@latte:~$
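The sec / sec# / ssb / ssb> markers in the listings above are what tell you where secret key material actually lives. The following script is an added example, not part of the original post: it classifies each entry of a GnuPG 1.4 style --list-secret-keys listing and checks the state this walkthrough aims for on the daily machine. The function names are hypothetical; the three sample listings are taken from the sessions on this page.

```shell
#!/bin/sh
# Added example: classify secret-key entries in GnuPG 1.4 style listings.

# Print "<keyid> <role> <state>" for every sec/ssb line read from stdin.
#   no suffix -> secret key material is in the keyring on disk
#   '#'       -> secret key material is not available (kept offline)
#   '>'       -> stub that points at a key held on a smartcard
classify_secret_listing() {
    awk '
        $1 ~ /^(sec|ssb)[#>]?$/ {
            role = (substr($1, 1, 3) == "sec") ? "master" : "subkey"
            mark = substr($1, 4, 1)
            if (mark == "#")      state = "offline"
            else if (mark == ">") state = "on-card"
            else                  state = "on-disk"
            split($2, id, "/")          # "2048R/72D5245B" -> id[2] is the key ID
            print id[2], role, state
        }'
}

# Succeed only when the listing on stdin matches the daily-machine goal:
# the master key is offline and every subkey is a smartcard stub.
daily_keyring_ok() {
    classify_secret_listing | awk '
        BEGIN { masters = 0; subs = 0; bad = 0 }
        $2 == "master" { masters++; if ($3 != "offline") bad++ }
        $2 == "subkey" { subs++;    if ($3 != "on-card") bad++ }
        END { exit !(masters > 0 && subs > 0 && bad == 0) }'
}

# Sample listings from this page: live system before keytocard,
# live system after keytocard, and the daily laptop.
listing_before_move() { cat <<'EOF'
sec   3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
ssb   2048R/72D5245B 2014-06-18
ssb   2048R/A11F46D2 2014-06-18
ssb   2048R/D6987A02 2014-06-18
EOF
}

listing_after_move() { cat <<'EOF'
sec   3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
ssb>  2048R/72D5245B 2014-06-18
ssb>  2048R/A11F46D2 2014-06-18
ssb>  2048R/D6987A02 2014-06-18
EOF
}

listing_daily() { cat <<'EOF'
sec#  3744R/1C5C4717 2014-06-18 [expires: 2014-09-26]
uid                  Simon Josefsson
ssb>  2048R/72D5245B 2014-06-18 [expires: 2014-09-26]
ssb>  2048R/A11F46D2 2014-06-18 [expires: 2014-09-26]
ssb>  2048R/D6987A02 2014-06-18 [expires: 2014-09-26]
EOF
}

for name in listing_before_move listing_after_move listing_daily; do
    if "$name" | daily_keyring_ok; then
        verdict="ok for daily use"
    else
        verdict="NOT ok for daily use"
    fi
    echo "== $name: $verdict"
    "$name" | classify_secret_listing
done
```

On a real machine, pipe `gpg --list-secret-keys 1c5c4717` into `daily_keyring_ok`; a non-zero exit means a master secret key or an on-disk subkey is present where only stubs were expected.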

Mark the key as ultimately trusted.

jas@latte:~$ gpg --edit-key 1c5c4717
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
sub  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26  usage: A
[ unknown] (1). Simon Josefsson
[ unknown] (2)  [jpeg image of size 6048]
[ unknown] (3)  Simon Josefsson

gpg> trust
pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
sub  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26  usage: A
[ unknown] (1). Simon Josefsson
[ unknown] (2)  [jpeg image of size 6048]
[ unknown] (3)  Simon Josefsson

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  3744R/1C5C4717  created: 2014-06-18  expires: 2014-09-26  usage: SC
                     trust: ultimate      validity: unknown
sub  2048R/72D5245B  created: 2014-06-18  expires: 2014-09-26  usage: S
sub  2048R/A11F46D2  created: 2014-06-18  expires: 2014-09-26  usage: E
sub  2048R/D6987A02  created: 2014-06-18  expires: 2014-09-26  usage: A
[ unknown] (1). Simon Josefsson
[ unknown] (2)  [jpeg image of size 6048]
[ unknown] (3)  Simon Josefsson
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
jas@latte:~$

Signing keys

This needs to be done using your master key, since it is your certification key that will be used. So boot the Live CD and make the usual GnuPG configurations. Below I’m signing my own old key (0xB565716F) so the output may look a bit confusing with me signing my own key, but there are really two different keys involved here. The same process applies if you want to sign someone else’s key too.

Before signing the key, you need to put the public key on a USB stick and move it to the “secure” machine. On your laptop:

jas@latte:~$ gpg -a --export b565716f > /media/KINGSTON/b565716f.txt
jas@latte:~$

On the disconnected machine:

user@debian:~$ gpg --import < /media/KINGSTON/b565716f.txt
gpg: key B565716F: public key "Simon Josefsson " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2014-09-26
user@debian:~$ gpg --sign-key b565716f

pub  1280R/B565716F  created: 2002-05-05  expires: 2014-11-10  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/105E722E  created: 2012-03-13  expires: 2014-11-10  usage: S
sub  2048R/728AB82C  created: 2012-03-13  expires: 2014-11-10  usage: E
sub  2048R/9394F626  created: 2012-03-13  expires: 2014-11-10  usage: A
sub  1280R/4D5D40AE  created: 2002-05-05  expires: 2014-11-10  usage: E
sub  1024R/09CC4670  created: 2006-03-18  expired: 2011-05-23  usage: A
sub  1024R/AABB1F7B  created: 2006-03-18  expired: 2011-05-23  usage: S
sub  1024R/A14C401A  created: 2006-03-18  expired: 2011-05-23  usage: E
[ unknown] (1). Simon Josefsson
[ unknown] (2)  Simon Josefsson
[ revoked] (3)  Simon Josefsson

Really sign all user IDs? (y/N) y
User ID "Simon Josefsson " is revoked.  Unable to sign.

pub  1280R/B565716F  created: 2002-05-05  expires: 2014-11-10  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F

     Simon Josefsson
     Simon Josefsson

This key is due to expire on 2014-11-10.
Are you sure that you want to sign this key with your
key "Simon Josefsson " (1C5C4717)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 1C5C4717, created 2014-06-18

user@debian:~$

Then export the newly signed key back to your laptop for further distribution.

user@debian:~$ gpg -a --export b565716f > /media/KINGSTON/signed-b565716f.txt
user@debian:~$

On your laptop, either email it encrypted to the other person, or upload it to keyservers directly depending on your preference. By emailing it encrypted to the other person, they need to prove possession of the key before receiving your signature. In my case, I’m the other person, so I just import the signed key and then send the key:

jas@latte:~$ gpg --import < /media/KINGSTON/signed-b565716f.txt
jas@latte:~$ gpg --send-keys b565716f

Key transition

Since I'm migrating from an old key to a new one, I sign my new key using my old key, and publish that signature on keyservers. This allows people to trust my new key more easily.

To let the world know about your key transition, I created a key transition statement. The transition statement should be signed by both keys. I created a new temporary GnuPG home directory and imported both master keys, and clearsigned the file. Note that I used "54265e8c!" to make GnuPG use the master key for signing rather than a subkey, which it would normally do.

user@debian:~$ export GNUPGHOME=/tmp/kts
user@debian:~$ mkdir $GNUPGHOME
user@debian:~$ gpg --import b565716f.txt
gpg: WARNING: unsafe permissions on homedir `/tmp/kts'
gpg: keyring `/tmp/kts/secring.gpg' created
gpg: keyring `/tmp/kts/pubring.gpg' created
gpg: key B565716F: secret key imported
gpg: /tmp/kts/trustdb.gpg: trustdb created
gpg: key B565716F: public key "Simon Josefsson " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
user@debian:~$ gpg --import /media/FA21-AE97/secret-master-subkeys.txt
gpg: WARNING: unsafe permissions on homedir `/tmp/kts'
gpg: key 54265E8C: secret key imported
gpg: key 54265E8C: public key "Simon Josefsson " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
user@debian:~$ cat key-transition-2014-06-22-unsigned.txt | gpg --clearsign --personal-digest-preferences "SHA512" --local-user b565716f --local-user 54265e8c! > key-transition-2014-06-22.txt
gpg: WARNING: unsafe permissions on homedir `/tmp/kts'

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
3744-bit RSA key, ID 54265E8C, created 2014-06-22

You need a passphrase to unlock the secret key for
user: "Simon Josefsson "
1280-bit RSA key, ID B565716F, created 2002-05-05

user@debian:~$

My statement is available as https://josefsson.org/key-transition-2014-06-22.txt if you want to download the signed text file directly. Feel free to base your own document on it, as I based mine on earlier examples.


Mario Lang: Slashdot did not improve

Mon, 2014-06-23 02:30

I used to read Slashdot, many many years ago. However, when they started to do more and more "Your rights online" articles, I gradually stopped reading them.

Someone just sent me a link to a slashdot article: m.slashdot.org. If I try to open this with Lynx, I get the following error page:

It looks like your browser doesn't support JavaScript or it is disabled. Please use the desktop site instead.

OK FaceBook^WSlashdot, all the geeks formerly employed by you have obviously left. And no, I am not going to read you anytime soon.

BTW, the link to the "desktop site" goes here, which loses the reference to the particular story, if you notice. So your redirection site is totally useless. Thanks for nothing. Hush hush, to the eternal internet graveyard where you belong.


Simon Josefsson: OpenPGP Key Transition Statement

Sun, 2014-06-22 17:29

I have created a new OpenPGP key 54265e8c and will be transitioning away from my old key. If you have signed my old key, I would appreciate signatures on my new key as well. I have created a transition statement that can be downloaded from https://josefsson.org/key-transition-2014-06-22.txt.

Below is the signed statement.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenPGP Key Transition Statement for Simon Josefsson

I have created a new OpenPGP key and will be transitioning away from my old key. The old key has not been compromised and will continue to be valid for some time, but I prefer all future correspondence to be encrypted to the new key, and will be making signatures with the new key going forward.

I would like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition. My new and old keys are signed by each other. If you have signed my old key, I would appreciate signatures on my new key as well, provided that your signing policy permits that without re-authenticating me.

The old key, which I am transitioning away from, is:

pub   1280R/B565716F 2002-05-05
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F

The new key, to which I am transitioning, is:

pub   3744R/54265E8C 2014-06-22
      Key fingerprint = 9AA9 BDB1 1BB1 B99A 2128 5A33 0664 A769 5426 5E8C

The entire key may be downloaded from: https://josefsson.org/54265e8c.txt

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net --recv-key 54265e8c

If you already know my old key, you can now verify that the new key is signed by the old one:

  gpg --check-sigs 54265e8c

If you are satisfied that you've got the right key, and the User IDs match what you expect, I would appreciate it if you would sign my key:

  gpg --sign-key 54265e8c

You can upload your signatures to a public keyserver directly:

  gpg --keyserver keys.gnupg.net --send-key 54265e8c

Or email simon@josefsson.org (possibly encrypted) the output from:

  gpg --armor --export 54265e8c

If you'd like any further verification or have any questions about the transition please contact me directly.
To verify the integrity of this statement:

  wget -q -O- https://josefsson.org/key-transition-2014-06-22.txt|gpg --verify

/Simon
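The statement says it is signed by both keys, so a verifier should confirm that both fingerprints produced a valid signature, not merely that gpg printed one "Good signature" line. The script below is an added example, not part of the original post: it reads the machine-readable output of `gpg --status-fd 1 --verify` and requires a VALIDSIG record for every expected fingerprint. The function names are hypothetical, the fingerprints are the two printed in the statement, and the status lines are constructed samples.

```shell
#!/bin/sh
# Added example: require valid signatures from BOTH transition keys.

# Fingerprints as printed in the transition statement, spaces removed.
OLD_FPR=0424D4EE81A0E3D119C6F835EDA21E94B565716F
NEW_FPR=9AA9BDB11BB1B99A21285A330664A76954265E8C

# Print the primary-key fingerprint of every VALIDSIG record on stdin.
# Field 3 is the fingerprint of the key that made the signature; field 12,
# when present, is the primary key fingerprint (differs if a subkey signed).
signers_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(($12 != "") ? $12 : $3)
         }' | sort -u
}

# Usage: gpg --status-fd 1 --verify FILE 2>/dev/null | statement_signed_by FPR...
# Succeeds only if no signature is bad or uncheckable and every FPR signed.
statement_signed_by() {
    [ "$#" -gt 0 ] || return 2
    status=$(cat)
    # BADSIG: signature does not match. ERRSIG: signature could not be
    # checked at all, for example because the public key is not imported.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG) '; then
        return 1
    fi
    signers=$(printf '%s\n' "$status" | signers_from_status)
    for fpr in "$@"; do
        printf '%s\n' "$signers" | grep -qx "$fpr" || return 1
    done
    return 0
}

# Constructed sample: both keys imported, both signatures valid.
status_both_good() { cat <<EOF
[GNUPG:] GOODSIG EDA21E94B565716F Simon Josefsson
[GNUPG:] VALIDSIG $OLD_FPR 2014-06-22 1403476960 0 4 0 1 10 01 $OLD_FPR
[GNUPG:] GOODSIG 0664A76954265E8C Simon Josefsson
[GNUPG:] VALIDSIG $NEW_FPR 2014-06-22 1403476960 0 4 0 1 10 01 $NEW_FPR
EOF
}

# Constructed sample: only the old key is in the keyring, so the new key's
# signature is reported as ERRSIG (return code 9, public key missing).
status_new_key_unchecked() { cat <<EOF
[GNUPG:] GOODSIG EDA21E94B565716F Simon Josefsson
[GNUPG:] VALIDSIG $OLD_FPR 2014-06-22 1403476960 0 4 0 1 10 01 $OLD_FPR
[GNUPG:] ERRSIG 0664A76954265E8C 1 10 01 1403476960 9
EOF
}

if status_both_good | statement_signed_by "$OLD_FPR" "$NEW_FPR"; then
    echo "both-good sample: accepted"
fi
if ! status_new_key_unchecked | statement_signed_by "$OLD_FPR" "$NEW_FPR"; then
    echo "one-signer sample: rejected"
fi
```

The expected fingerprints should come from a source you already trust, such as an earlier signed copy of the old key, rather than from the statement being verified.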


Asheesh Laroia: Interactive semi-automated package review (by abusing Travis-CI)

Sun, 2014-06-22 17:02

I just did some Debian package review in a somewhat unusual way, and I wanted to share that. I'm hoping other Debian developers (and other free software contributors) that need to review others' contributions can learn something from this, and that I can use this blog post as a way to find out if other people are doing something similar.

It was pretty exciting! At the end of it, I joined #debian-mentors to talk about my cool process. Someone summarized it very accurately:

<sney> it almost sounds like you're working to replace yourself with automation

Context about alpine in Debian

(Skip to "Package review, with automation" if you're familiar with Debian.)

I'm the maintainer of alpine in Debian. There are quite a few problems with the alpine package in Debian right now, the biggest of which are:

  • We're one version behind -- 2.11 is the latest available, but 2.10 is the newest that we have in Debian.
  • The packaging uses a decreasingly-popular packaging helper, cdbs, about which I happen to know less than the dh-style helper (aka dh7).
  • There are lots of bugs filed, and I don't respond in a timely fashion.

This doesn't change my deep love for alpine -- I've had that for about half my life now, and so far, I don't see it going away.

A month or so ago, I got a friendly private message from Unit193, saying he had converted the package to the dh style, and also packaged the newer version. They wanted to know if they should clean this up into something high-enough quality to land in Debian.

(In Debian, we have a common situation where enthusiastic users update or create a new package, and aren't yet Debian Developers, so they don't have permission to upload that directly to the "Debian archive", which is the Debian equivalent of git master. Package "sponsorship" is how we handle that -- a Debian Developer reviews the package, makes sure it is of high quality, and uploads it to the Debian archive along with the Debian Developer's OpenPGP signature, so the archive processing tools know to trust it.)

On Friday evening, I had a spare moment, so I sent a private message to Unit193 apologizing for not getting back to them in a reasonable amount of time. Having another person help maintain is a pretty exciting prospect, and I wanted to treat that enthusiasm with the respect it deserves, or at least apologize when I haven't. I was surprised to see a reply within a few minutes. At that point, I thought: I wasn't planning on doing any package review this weekend, but if they're online and I'm online... might as well!

Package review, with automation

Unit193 and I popped into ##alpine on irc.freenode.net, and I started reading through their packaging changes, asking questions. As I asked questions, I wondered -- how will I know if they are going to fix the issues I'm raising?

Luckily, Unit193 wanted to use git to track the packaging, and we settled on using git-buildpackage, a tool that was fairly new to both of us. I thought, I might as well have some executable documentation so I don't forget how to use it. ("Executable documentation" is Asheesh-speak for a shell script.)

One thing I knew was that I'd have to test the package in a pbuilder, or other pristine build environment. But all I had on me at the moment was my work laptop, which didn't have one set up. Then I had a bright idea: I could use Travis-CI, a public continuous integration service, to check Unit193's packaging. If I had any concerns, I could add them to the shell script and then point at the build log and say, "This needs to be fixed." Then there would be great clarity about the problems.

Some wonderful things about Travis-CI:

  • They give you root access on an Ubuntu Precise (10.04) virtual machine.
  • Their build hosts are well-connected to the Internet, which means fast downloads in e.g. pbuilder.
  • They will let you run a build for up to 50 minutes, for free.
  • Build just means "command" or "set of commands," so you can just write a shell script and they will run it.
  • Travis-CI will watch a github.com repository, if you like. This means you can 'git commit --allow-empty' then 'git push' and ask it to re-run your script.

Since Unit193's packaging was in git (but not on github), I created a git repo containing the same contents, where I would experiment with fixes for packaging problems I found. It'd be up to Unit193 to fix the problems in the Alioth packaging. This way, I would be providing advice, and Unit193 would have an opportunity to ask questions, so it would be more like mentorship and less like me fixing things.

We did a few rounds of feedback this way, and got the packaging to higher and higher quality. Every time Unit193 made a fix and pushed it, I would re-run the auto-build, and see if the problems I spotted had gone away.

While the auto-build runs, I can focus on conversing with my mentee about problems or just generally chatting. Chatting is valuable community-building! It's extremely nice that I can do that while waiting on the build, knowing that I don't have to read it carefully -- I can just wait a few minutes, then see if it's done, and see if it's red or green. Having the mentee around while I'm reviewing it means that I can use the time I'm waiting on builds as fun free software social time. (Contrast this with asynchronous review, where, all alone, I would wait for a build to finish, then write up an email at the end of it all.)

This kind of mentorship + chatting was spread out over Friday night, Saturday night, and Sunday morning. By the end of it, we had a superb package that I'm excited to sign and push into Debian when I'm next near my OpenPGP key.

Implementation details

You can see the final shell script here:

And you can see the various builds here:

The shell script:

  • Alternates between the Alioth packaging vs. my fork of it. (This way, I can test packaging changes/suggestions.)
  • Disables ccache in pbuilder, due to a permissions problem with ccache/pbuilder/travis-ci, and I didn't need ccache anyway.
  • Handles 'git dch' slightly wrong. I need to figure that out.
  • Optionally passes --git-ignore-new to git-buildpackage, which was required initially, but should not be required by the time the package is ready. (This is an example of a thing I might forget to remark upon to my mentee.)
  • Plays games with git branches so that git-buildpackage on Travis-CI can find the pristine-tar branch.
  • Tries to use cdn.debian.net as its mirror, but on Saturday ran into problems with whichever mirror that is, so it falls back to mirror.mit.edu in case that fails.
  • Contains a GPG homedir, and imports the Debian archive key, so that it can get past Ubuntu-Debian pbuilder trust issues.

I also had a local shell script that would run, effectively:

  • git commit --allow-empty -m 'Trigger build'
  • git push

This was needed since I was basically using Travis-CI as a remote shell service -- moreover, the scripts Travis-CI runs are in a different repo (travis-debcheck) than the software I'm actually testing (collab-maint/alpine.git).

Unit193 and I had a technical disagreement at one point, and I realized that rather than discuss it, I could just ask Travis-CI to test which one of us was right. At one point in the revisions, the binary package build failed to build on Precise Pangolin (the Ubuntu release that the Travis-CI worker is running), and Unit193 said that it was probably due to a problem with building on Ubuntu. So I added a configuration option to build just the source package in Ubuntu, keeping the binary package test-build within the Debian sid pbuilder, although I believed that there was actually a problem with the packaging. This way, I could modify the script so that I could demonstrate the problem could be reproduced in a sid pbuilder. Of course, by the time I got that far, Unit193 had figured out that it was indeed a packaging bug.

I also created an option to SKIP_PBUILDER; initially, I wanted to get quick automated feedback on the quality of the source package without waiting for pbuilder to create the chroot and for the test build to happen.

You might notice that the script is not very secure -- Niels Thykier already did! That's fine by me; it's only Travis-CI's machines that could be worsened by that insecurity, and really, they already gave me a root shell with no password. (This might sound dismissive of Travis-CI -- I don't mean it to be! I just mean that their security model already presumably involves throwing away the environment in which my code is executing, and I enjoy taking advantage of that.)

Since the Travis virtual machine is Ubuntu, and we want to run the latest version of lintian (a Debian packaging "lint" checker), we run lintian within the Debian sid pbuilder. To do that, I use the glorious "B90lintian" sample pbuilder hook script, which comes bundled with pbuilder in /usr/share/doc/pbuilder/.

The full build, which includes creating a sid pbuilder from scratch, takes merely 7-10 minutes. I personally find this kind of shockingly speedy -- in 2005, when I first got involved, doing a pbuilder build seemed like it would take forever. Now, a random free shell service on the Internet will create a pbuilder, and do a test build within it, in about 5 minutes.

Package review, without automation

I've done package review for other mentees in the past. I tend to do it in a very bursty fashion -- one weekend day or one weeknight I decide sure, it's a good day to read Debian packages and provide feedback.

Usually we do it asynchronously on the following protocol:

  1. I dig up an email from someone who needed review.
  2. I read through the packaging files, doing a variety of checks as they occur to me.
  3. If I find problems, I write an email about them to the mentee. If not, success! I sign and upload the package.

There are some problems with the above:

  • The burstiness means that if someone fixes the issues, I might not have time to re-review for another month or longer.
  • The absence of an exhaustive list of things to look for means that I could fail to provide that feedback in the first round of review, leading to a longer wait time.
  • The person receiving the email might not understand my comments, which could interact really badly with the burstiness.

I did this for Simon Fondrie-Teitler's python-pypump package recently. We followed the above protocol. I wrote a long email to Simon, where I remarked on various good and bad points of the packaging. It was part commentary, part terminal transcript -- I use the terminal transcripts to explain what I mean. This is part of the email I sent:

I got an error in the man page generation phase -- because at build-time, I don't have requests-oauthlib:

    make[2]: Leaving directory `/tmp/python-pypump-0.5-1+dfsg/docs'
    help2man --no-info \
        -n 'sets up an environment and oauth tokens and allows for interactive testing' \
        --version-string=0.5.1 /tmp/python-pypump-0.5-1+dfsg/pypump-shell > /tmp/python-pypump-0.5-1+dfsg/debian/pypump-shell.1
    help2man: can't get `--help' info from /tmp/python-pypump-0.5-1+dfsg/pypump-shell
    Try `--no-discard-stderr' if option outputs to stderr
    make[1]: *** [override_dh_auto_build] Error 1

This seems to be because:

    ➜ python-pypump-0.5-1+dfsg ./pypump-shell
    Traceback (most recent call last):
      File "./pypump-shell", line 26, in <module>
        from pypump import PyPump, Client
      File "/tmp/python-pypump-0.5-1+dfsg/pypump/__init__.py", line 19, in <module>
        from pypump.pypump import PyPump, WebPump
      File "/tmp/python-pypump-0.5-1+dfsg/pypump/pypump.py", line 28, in <module>
        from six.moves.urllib import parse
    ImportError: No module named urllib

    $ ./pypump-shell
    Traceback (most recent call last):
      File "./pypump-shell", line 26, in <module>
        from pypump import PyPump, Client
      File "/tmp/python-pypump-0.5-1+dfsg/pypump/__init__.py", line 19, in <module>
        from pypump.pypump import PyPump, WebPump
      File "/tmp/python-pypump-0.5-1+dfsg/pypump/pypump.py", line 29, in <module>
        from requests_oauthlib import OAuth1
    ImportError: No module named requests_oauthlib

The deeper problem was a missing build-dependency, and I explained that in my email. But the meta problem is that Simon didn't try building this in a pbuilder, or otherwise clean build environment.

Simon fixed these problems, and submitted a fresh package to Paul Tagliamonte and myself. It happened to have some typos in the names of the new build dependencies. Paul reviewed the fixed package, noticed the typos, fixed them, and uploaded it. Simon had forgotten to do a test build the second time, too, which is an understandable human failure. There was a two-day delay between Simon's fixed resubmission, and Paul signing+uploading the fixed result.

In a pedagogical sense, there's something disappointing about that exchange for me: Paul fixed an error Simon introduced, so we're not teaching Simon to take total responsibility for his packages in Debian, nor to understand the Debian system as well as he could. (Luckily, I think Simon already understands the importance of taking responsibility! In this case, it's just a hypothetical.)

For the future

The next time I review a package, I'm going to try to do something similar to my Travis-CI hack. It would be nice to have the do.sh script be a little more abstract; I imagine that as I try to use it for a different package, I'll discover the right abstractions.

I'd love it if Travis-CI did not require the git repositories to be on GitHub. I'd also like if the .travis.yml file could be in a different path. If so, we could create debian/travis-configuration (or something) and keep the packaging files nice and separate from the upstream source.

I'd also love to hear about other people's feedback. Are you doing something similar? Do you want to be? Would you have done some of this differently? Leave a comment here, or ping me (paulproteus) on #debian-mentors on irc.debian.org (aka irc.oftc.net).

I'll leave you with some conversation from #debian-mentors:

<paulproteus> The automation here, I think, is really interesting.
<paulproteus> What I really want is for mentees to show up to me and say "Here is my package + build log with pbuilder, can you sponsor it please?"
<Unit193> Oooooh!
-*- Unit193 gets ideas.
<paulproteus> Although the irony is that I actually like the community-building and relationship-building nature of having these things be conversations.
<bremner> how will this brave new world cope with licensing issues?
<paulproteus> bremner: It's not a replacement for actual review, just a tool-assist.
<paulproteus> bremner: You might be relieved to know that much of Unit193's and my back and forth related to get-orig-source and licensing. (-:
<bremner> I didn't doubt you ;).
<paulproteus> If necessary I can just be a highly productive reviewer, but I would prefer to figure out some way that I can get other non-paulproteus people to get a similar assist.
<paulproteus> I think the current blocker is "omg travis why are you bound to githubbbbbbbb" which is a reasonable concern.

Paul Tagliamonte: Adventures in AsyncIO: Moxie

Sun, 2014-06-22 12:49

This week, I started work on something I’m calling moxie. Due to wanting to use my aiodocker bindings on the backend, I decided to implement it in 100% AsyncIO Python 3.4.

What pushed me over the edge was finding the aiopg driver (postgres asyncio bindings), with very (let me stress - very) immature SQLAlchemy support.

Unfortunately, no web frameworks support asyncio as a first-class member of the framework, so I was forced into writing a microframework. The resulting “app” looks pretty not bad, and likely easy to switch if Flask ever gets support for asyncio.

One neat side-effect was that the framework can support stuff like websockets as a first-class element of the framework, just like GET requests.

Moxie will be a tool to run periodic long-running jobs in a sane way using docker.io.

More soon!


DebConf team: First set of talks accepted; we are still waiting for yours! (Posted by Ana Guerrero Lopez)

Sun, 2014-06-22 09:40

We’re now in the middle of the talk submission period. Our new web interface doesn’t allow showing all the proposals, and we decided to start accepting some talks in order to inspire you to propose your own talks.

If your talk is not on the list, that doesn’t mean it is not accepted; don’t panic!

And now, we’re calling on you all to bring up your best Debian-related ideas, proposals and stories, to think about what you want to organize a discussion on, and which tracks you would like to coordinate or see populated with interesting talks.

Talks are the main ingredient for a successful, interesting, discussion-sparking DebConf. Don’t be shy, and read how to submit your talk.


Gunnar Wolf: Yo tampoco / #yotampoco / neither do I → A bit of local action

Sun, 2014-06-22 01:06

Only a very short summary in English: I am Mexican. I am Jewish. I am almost completely disconnected from the local Jewish communities. And understanding the local Jewish communities is hard. There is a very interesting and brave campaign, recently started, called Neither do I — The Mexican Jewish gay activist group Guimel, started off with this video (with English subtitles, if you are interested in following along). But how did I learn about this very bold initiative? By getting a hateful spam, inviting people to join a hate campaign. Right, the hate mail is not calling to violence, but it is based on premises as stupid as everybody's right not to include (to begin with).

So, the least I can do about this is to share both said hate mail and publicly denounce my shock on reading this nonsense nowadays. And, also in Spanish (I know many people following me don't understand it — Sorry, it would just take too long, and after all, it's mainly for local "consumption"), this is the reply I sent to them (and to the other recipients). Sorry in advance to the Spanish speakers for my exabrupts :) This was written "as is", without much prior thought, and quite angry about what I had just read.

Ugh... Expressions like this one, which make evident the closed-mindedness of so many people in the Jewish communities, clearly justify why so many of us have been opening up, integrating into the surrounding society. I am ashamed to be associated, as a Jew, with communities where these points of view are defended; while I am not from the Monte Sinai community (as will be obvious from my name), for society as a whole I am indeed a Jew (just like that, plainly: a Jew).

We have collectively complained a great deal over the centuries about discrimination, about being considered the "garbage" of the world, the "plague-ridden". And it is precisely that attitude, above all and at all times, that has led me to distance myself from Judaism. I am one more human being, with a unique personal history, with a shared but also unique cultural history, with some choices and some inherent characteristics that are unique to me.

Does someone dislike some of that? For rational or irrational reasons? I cannot, and do not intend to, prevent it. But for an entire community to be called upon to ignore, humiliate and alienate its children over such an anachronistic stupidity (in the case presented by the video you refer to, and of the people who have bravely formed Guimel) seems to me to simply go beyond all stupidity.

Think carefully before joining this hate campaign. Substitute sexuality with any other respect in which we are a minority. Doesn't it disgust you to live with a cloth merchant? With a stinking Jew?

And yes, here I too am letting those demons loose... the ones that have to be kept under control. Because we are men and women of our century, and because the world and the new generations deserve our best effort to collectively tear down the stupidity of our ancestors.

Let us be more rational. Let us leave hatred behind, let us leave prejudice behind. Let us accept those who are different, because we all want to be accepted. Because we are all different.

Attachment: tambien.txt (8.55 KB)

Matthew Palmer: Key Transition Statements: Worthless?

Sun, 2014-06-22 00:00

Ten days ago, I blogged about (finally) generating a GPG key transition statement. As the title of this post suggests, I have received zero signatures. Have other people had any success with transition statements? Perhaps it’s time to hit up Debian developers I know one-by-one…

To the IRCz!


Andreas Metzler: GnuTLS 3.x transition

Sat, 2014-06-21 09:37

The GnuTLS 3.x transition is slowly starting. If you are maintaining a package (build-)depending on libgnutls-dev please test/consider building against libgnutls28-dev. TIA


Ian Donnelly: Week 4: New Release Work

Fri, 2014-06-20 17:44

Hi All,

Team Elektra recently released version 0.8.6 to download, more information on that here: http://sourceforge.net/p/registry/mailman/message/32418614/

However, since I am working with Debian, and the Debian package isn’t ready yet, I have spent a large chunk of the week working on that. Namely I fixed a few minor lintian errors and worked on packaging the lua and python bindings for Elektra. These two packages, libelektra-python4 and libelektra-lua4, use a tool called SWIG. SWIG allows C and C++ programs to connect to programs written in higher-level languages such as Python. So these two packages use the power of SWIG to bring the features of the Elektra API (which is written in C) to Python and Lua developers. I personally think it is a really neat feature and allows Elektra to be used more widely than ever before. As our project develops Elektra will support more languages and we are even moving to allowing developers to write Elektra plugins using other languages.

Additionally, I worked on improving the MergeTools library for Elektra. This library just contains the necessary functions to allow developers to complete a three-way merge of KeySets. This library also serves as the backbone of the kdb merge command. First, the KeySetMerge command now returns an empty KeySet if it’s unsuccessful. I added operator overloads for == and != to the KeySet.hpp class so developers can tell if the returned keyset is empty. I created a new function that takes in 3 KeySets, their parent keys (for the purposes of merging), and a merge_root key under which the merged keys will be stored. The prototype for this function is KeySet(KeySet base, Key base_root, KeySet ours, Key our_root, KeySet theirs, Key their_root, Key merge_root). A function still exists that just takes in 3 KeySets and a key, merge_root. That function attempts to find each root key and then calls the previously mentioned function. Why?

This week I finalized the kdb merge command (not including options). This command takes in 4 root keys, one for base, one for ours, one for theirs, and one for where the merged keys should be stored. The merge command now uses the new function to be able to handle more complex KeySets and so far it works great! In this case we don’t need to make any assumptions about the KeySet since the user needs to pass in the root keys (this is how the kdb commands typically work) so we make good use of this information. Now the kdb merge command only appends the merge KeySet to the database upon successful merge, otherwise it tells you what went wrong.

Also, looking into the main feature of my GSoC project, automatic conffile merging, it seems that it will require patching dpkg. Originally I thought package maintainers would have to edit their packages to not define their conffiles as such in order to use the automatic merge. However this is obviously a messy workaround. Patching dpkg however would allow very clean integration of this feature. If this project is successful and the patch makes its way upstream, all Debian packages that utilize conffiles (most of them) will basically allow automatic merging practically overnight. dpkg would attempt a merge on the conffiles during an upgrade and if unsuccessful would just prompt the user like it does now. In most situations however, because of the features of Elektra, conffiles should merge fine. This would make Debian much more user-friendly and could save users a lot of time manually merging conffiles.

Oh, and look for a little tutorial and explanation of the kdb mount command in the next few days. I will post it here.

Until Then,
Ian S. Donnelly
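Added example, not Elektra's code: a three-way merge that takes three key sets with their own root keys plus a merge root, mirroring the argument order of the prototype in the post, and returns an empty result on conflict as the post describes. Plain dictionaries stand in for KeySets, the conflict rule is the usual three-way one (assumed here, not taken from Elektra), and the key names are constructed.

```python
"""Three-way merge of key sets that live under different root keys."""


def relative(keyset, root):
    """Strip the root prefix so keys from different roots can be compared.

    Keys outside the root (and the root key itself) are ignored.
    """
    prefix = root.rstrip("/") + "/"
    return {name[len(prefix):]: value
            for name, value in keyset.items() if name.startswith(prefix)}


def merge_keysets(base, base_root, ours, our_root, theirs, their_root, merge_root):
    """Return the merged key set under merge_root, or {} if any key conflicts."""
    b = relative(base, base_root)
    o = relative(ours, our_root)
    t = relative(theirs, their_root)
    out_prefix = merge_root.rstrip("/") + "/"
    merged = {}
    for name in sorted(set(b) | set(o) | set(t)):
        bv, ov, tv = b.get(name), o.get(name), t.get(name)  # None = key absent
        if ov == tv:
            result = ov      # both sides agree (this includes "both deleted")
        elif ov == bv:
            result = tv      # only theirs changed the key
        elif tv == bv:
            result = ov      # only ours changed the key
        else:
            return {}        # both changed it differently: conflict, no merge
        if result is not None:
            merged[out_prefix + name] = result
    return merged


# --- constructed sample: a conffile as shipped (base), as edited locally
# (ours) and as shipped by the new package version (theirs) ---
BASE = {
    "user/base/ssh/port": "22",
    "user/base/ssh/loglevel": "info",
    "user/base/ssh/x11": "yes",
}
OURS = {  # the administrator changed the port
    "user/ours/ssh/port": "2222",
    "user/ours/ssh/loglevel": "info",
    "user/ours/ssh/x11": "yes",
}
THEIRS = {  # the maintainer dropped x11 and added a banner setting
    "user/theirs/ssh/port": "22",
    "user/theirs/ssh/loglevel": "info",
    "user/theirs/ssh/banner": "none",
}
THEIRS_CONFLICT = dict(THEIRS, **{"user/theirs/ssh/port": "2200"})


def demo():
    """Merge the constructed samples: one clean merge, one conflicting one."""
    clean = merge_keysets(BASE, "user/base", OURS, "user/ours",
                          THEIRS, "user/theirs", "user/merged")
    conflict = merge_keysets(BASE, "user/base", OURS, "user/ours",
                             THEIRS_CONFLICT, "user/theirs", "user/merged")
    return clean, conflict


if __name__ == "__main__":
    print(demo())
```

Because an empty result doubles as the failure signal, a merge in which every key was legitimately deleted is indistinguishable from a conflict in this scheme.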


Steve Kemp: The perils of the cloud..

Fri, 2014-06-20 07:18

Recently two companies have suffered problems due to compromised AWS credentials:

  • Code Spaces
    • The company has effectively folded. Their AWS account was compromised, and all their data and backups were deleted.
  • Bonsai
    • Within two minutes all their instances were terminated.
    • This is still live - watch updates of the recovery process.

I'm just about to commit to using Amazon for hosting DNS for paying customers, so this is the kind of thing that makes me paranoid.

I'll be storing DNS-data in Git, and if the zones were nuked on the Amazon-side I could re-upload them, but users would be dead regardless - because they'd need to update the nameservers in whois before the re-uploaded data would be useful.

I suspect I need to upload to two DNS providers, to get more redundancy.

Currently I have a working system which allows me to push DNS records to a Git repository, and that seamlessly triggers a DNS update (i.e. a webhook triggered by github/bitbucket/whatever).

Before I publish anything I need to write more code, more documentation, and agree on pricing details. Then I'll set up a landing-page at http://dns-api.com/.

I've been challenged to find paying customers before launching, and thus far have two, which is positive.

The DHCP.io site has now been freed. I'm no longer going to try to commercialize it, instead I will only offer the Git-based product as a commercial service. On that basis I upped the service so users could manage up to five names per account, more if you mail me privately and beg ;)

(ObRandom: Google does hosted DNS with an API. They're expensive. I'm surprised I'd not heard of them doing this.)


Wouter Verhelst: Supporting the eID

Fri, 2014-06-20 07:12

For about a month now, I've been working for a customer whose customer is FedICT, and am now helping out with maintaining the official software for the Belgian electronic ID card (eID). One of the first things I did was revamp the way in which the official Linux binaries are built and distributed, and also made work of the (somewhat overdue) new release for Linux.

Previously, the website contained downloadable packages for a number of distributions: two .deb files (one for i386 and one for amd64, for all .deb-based distributions), and a number of RPM files (one each for fedora 15, 16, and red hat enterprise 5, also for both architectures).

The builds as well as the supported distributions were somewhat outdated. This was a problem in and of itself, as eID cards issued since March 2014 are signed by the new government CA3 certificate rather than the older CA2 one, which required minor updates for the middleware to work. Since the Linux packages available on the website predated the required change, they wouldn't work for more recent cards.

Moreover, the actual distributions that were supported were also outdated—Fedora 16 hasn't been supported in over a year by the Fedora project, for instance—and there was a major gap in our list of supported distributions, in that openSUSE RPMs were not provided.

If you check out the install on Linux pages now, however, you'll see that the installation instructions have been changed somewhat. Rather than links to packages to install, we now pass you an 'eid-archive' package that you can install; this package adds relevant configuration for your distribution, after which you can install the packages you need—eid-mw for the PKCS#11 library and the firefox and chrome plugins; eid-viewer for the graphical viewer application to view and possibly print data from your id card.

Apart from the fact that there are now repositories rather than just single-file downloads, the repositories (and in case of RPM packages, the RPM files themselves) are now also signed with an OpenPGP key. Actually, they are signed with two OpenPGP keys; the first one is for officially released builds (i.e., builds that have seen some extensive testing before they were deemed "working"), while the second one is for automatic builds that are generated through a continuous integration system after each and every commit. These untested packages are also in a separate repository that is disabled by default. In addition, there's also support for openSUSE now—which required more work than I expected, but wasn't a major problem.

Enjoy!

(for clarity: while I now work at FedICT, there's an obvious reason why I'm publishing this on my blog and not on any .belgium.be website—don't assume this is an official Belgian message or anything...)


Russell Coker: Expectations of Skill and Time

Fri, 2014-06-20 05:30

On many occasions I’ve seen discussions about the background knowledge that people are expected to have to contribute to FOSS projects. Often the background knowledge is quite different from the core skills related to their contributions (EG documentation mark-up skills required for coding work or knowledge of code required for writing documentation). One argument in favor of requiring such skills is of the form “anyone who’s good at one aspect of the project can learn skills for the other areas”. Another is of the form “anyone who has time to contribute in one area has time to learn all the other areas, anyone who doesn’t want to learn is being lazy”.

I think it’s reasonable that someone who is considering donating their time to a project would want to start doing something productive immediately. If someone has to spend many hours learning how things work before contributing anything of value they may decide that it’s not a good use of their time – or just not fun. Also if the project is structured to require a lot of background knowledge then that will increase the amount of time that long-term contributors spend teaching newbies which is another way of sucking productive energy out of a project.

I don’t think it’s lazy to want to avoid learning unusual tools before starting a project. Firstly there is the issue of wanting to make productive use of your time. If you have a day for FOSS contributions and you can choose between spending 6 hours learning an environment for one project or 1 hour for another project then there’s a choice of 2 hours or 7 hours of productive work. Someone who has the luxury of being able to spend several days a month on FOSS projects might think it’s lazy to want to make effective use of 1 day, but there are a lot of people out there who are really busy and can only spend a few days a YEAR contributing, spending half a day learning an obscure development environment or documentation system can take a significant amount of someone’s yearly time for such work. To make things even worse some of the best programmers are the ones who have little free time.

For documentation MediaWiki (the software behind Wikipedia and Wikia.com) has a lot going for it. While it’s arguable that it’s not the best Wiki software out there (many people have wanted to argue this with me even though I don’t care) it’s obvious that MediaWiki is the most widely used Wiki software. If you have documentation stored in MediaWiki then most people who have any exposure to the IT industry, the FOSS community, or the Internet in general will already have experience using it. Also Wikipedia serves as a large example of what can be done with MediaWiki, there have been more than a few occasions when I have looked at Wikipedia for examples of how to lay out text. Some people might think I’m lazy for never reading the MediaWiki documentation, but again I’ve got lots of other things to do and don’t want to spend a lot of time learning about MediaWiki instead of doing more useful things like creating content.

Project source code should be as consistent as possible. While large projects may have lots of modules and dependencies it’s best to try and keep them all in one place. If your project depends on libraries of code from other sources then it’s helpful to distribute copies of those libraries from the same location as the project source – particularly when the project depends on development versions of libraries. Then if there’s any mismatch between versions of libraries it will be a clear unambiguous bug that can be reported or fixed instead of being an issue that requires checks of what versions everyone is using.

One thing we should aim for in FOSS projects is to get the “long tail” of contributions. If someone spends a day fixing bugs in a dozen projects to get their own system working as desired then it would be good if they could submit patches without excessive effort at the same time.

This doesn’t just apply to FOSS development; it also applies to a large extent to any collaborative project on the Internet. For example, if I was to start a Wiki for fans of a sci-fi series, Wikia would be the first option I’d consider because most potential contributors know it.

Proprietary Software Development

I’ve seen all the same problems when developing proprietary software. The difference is that money and morale are wasted instead of contributions. Often in commercial projects managers choose products that have a good feature list without considering whether all their staff need to be retrained. Programmers can usually train themselves, so it’s often a hidden cost: the training is paid for in lost development time (both directly in time spent learning and indirectly when people make mistakes).

One significant advantage of using free software on Windows is that programmers can play with it on their own. For example, I’ve never done a fresh installation of SourceSafe or ClearCase, but if I was going to work on a project that involved Git or Subversion on Windows then I could play with it and learn without risking disruption to the rest of the team. If commercial software is to be used then being common and relatively cheap is a significant advantage. MS SourceSafe offers significant benefits over most version control software on Windows simply because the vast majority of Windows developers have already used it and because it’s cheap and easy to set up a test instance if necessary.

I don’t care about the success or failure of proprietary software projects in general (I only care when I’m paid to care). I also don’t expect that people read my blog with the aim of getting advice on running successful proprietary software development projects. This section is merely to illustrate the general nature of such wasted effort on collaborative projects – and I should put my observations of failing proprietary software development projects to use.

Debian

Some Debian Developers are having a discussion about such things at the moment. That discussion inspired me to write this post. But I’m mostly writing about my experience over the course of 20+ years working in the IT industry and contributing to FOSS projects – not in a direct response to the Debian discussion (most of which I haven’t yet read).
