Linux Users of Victoria, Inc.

While talking about how Mahara uses Gerrit and Gitorious for code reviews, I forgot to include details on how to link bugs in the commit logs to our bug tracker (Launchpad).



Links to Launchpad in the Gerrit review UITurning the bug numbers in git commit messages to links was just a matter of adding this to our etc/gerrit.config file.

[commentlink "launchpad"]

match = "([Bb]ug\\s+#?)(\\d+)"

link = https://bugs.launchpad.net/mahara/+bug/$2All mentions of a bug number like "(bug #1234)" or "bug 5678" in a commit message or Gerrit review will be converted into links to the appropriate page on Launchpad.



Updating Launchpad bugs after Gerrit mergesLinking the original bug reports in Launchpad to committed code (and its review in Gerrit) was a little more complicated. It makes use of the hooks available in Gerrit.



The first step was to create a new Launchpad account for these automated updates and to confirm the email address it will be sending emails from. In our case, the account is MaharaBot.



Then, we wrote a custom hook script (inspired by one for JIRA) which we placed in ~/mahara_reviews/etc/gerrit.config.



For an example of what it sends to the bug tracker, see bug 788457.

What do the following headlines have in common?

'Carbon Cate' Blanchett tells Aussies to pay up over carbon charge

Screams the Daily Telegraph

Will you listen to Carbon Cate?

Asks the Herald Sun

Cate Blanchett under fire for new carbon tax commercial

Declares the Adelaide Advertiser

Yup, thats right:

• they're all noise and smoke
• all of them imply that the "community" is outraged at our Cate (who seems to be too rich to have a valid opinion according to the papers above) daring to front a pro carbon tax ad campaign. Where community apparently == Barnaby Joyce and that well know advocate for Australian Families, the Australian Family Association
• None of them spend any amount of time attacking Michael Caton, the actor who played the lead in the movie the Castle and has been involved with programmes such as Hot Property and Packed To The Rafters. Perhaps he's too close to "average mums and dads" for the attack to be effective.

Someone asked why people were bothering getting worked up over such a cut dried example of newspaper creptitude. We know it's going to happen, it's not going to affect us, so why should we get all het up?

If we don't who will?

 

This is the same sort of crap that we saw during the election where we'd spend days talking about whether Julia Gillard should have worn earrings, or discussing why she doesn't carry a flapping hand bag. We could be having a serious debate about the most effective way to deal with carbon and being able to transition to a post hydrocarbon economy, but instead we're bitching about how much money an actress has, and whether this makes her unsuited to talk about a policy.

To make this round of "attack the person not the policy" even more moronic, Cate Blanchett actually appears to practice what she preaches:

• That mansion everyone is bitching about? It's off the grid. She has spent quite a bit of the money she has earned to ensure that what she uses she makes. She's living the green dream in that respect. 
• She's converted the Sydney Theatre Company digs to Solar.
• She is an active campaigner on environmental issues. This isn't exactly new for her.

So there you have it. The actress who News Ltd has declared to be "out of touch" and "elitist", and have trashed for daring to tell "average australians" (sorry are those the ones earning more than $150,000?) that a carbon tax might actually be a good idea, is actually someone who knows what they're talking about.

And meanwhile the policy debate sinks slowly into the mire, just as was intended in the first place.

• #Help Recommendations for sane pre-paid 3G Internet so I can use skype on Donna's Mac laptop? #
• So it appears the new antibiotic regime will involve being tied to an IV drip for most of the day. Still able to walk tho #
• Thanks all for suggestions on pre-paid 3G broadband; Donna had to go before most responses came in. #
• Several recommendations for @telstra but website doesn't work on #N900 so went @vodafone. #
• They have brought out the big guns in the battle with this infection, now on vancomycine… #
• They have brought out the big guns in the battle with this infection, now on vancomycine… #
• Today's CT scan shows some fluid around liver, likely infection cause. Will be transferred to Box Hill 1st thing Tuesday #
• Nil-oral again, keyhole surgery to clean this up, then will be under observation there. Bugger. #
• Nil-oral again, keyhole surgery to clean this up, then will be under observation there. Bugger. #
• Confirmed I'm off to Box Hill hospital today for second operation to clean up these pools of liquid #
• 2nd op went OK, now have three drain tubes and have been cleaned out inside. Sadly no window by this bed. People are good tho! #
• Survived night OK. #
• Latest update: http://www.csamuel.org/2011/05/12/adventures-in-hospital/comment-page-1#comment-102882 #
• Due for an MRI scan today (MRCP) to try and identify source of bile leak. (@ Box Hill Hospital) http://4sq.com/loUm2e #
• I now have a view after having moved bed at Box Hill hospital! http://flic.kr/p/9MfLp4 #
• Just back from a MRCP (specialist form of MRI) to see if they can pinpoint the bile leak. #
• Infectious diseases doc said I have a serious infection. Am on 3 different antibiotics for a few days now and responding #
• Major victory! I am allowed to eat solid food again! Starting with a biscuit, first non-fluid for at least a week! #
• Procedure this arvo to drain fluid pocket in my back under a local + guided by ultrasound. Now have 4th drainage tube. #
• Still in hospital, nil-oral from tonight in case can do ERCP on Monday to check stent+plumbing (@ Box Hill Hospital) http://4sq.com/iw7R0o #
• Lots of visitors this weekend, been great to see everyone. My favourite though was @donna_williams (but I'm biased) #

Powered by Twitter Tools

This item originally posted here:



Twitter Weekly Updates for 2011-05-29

• Everyone needs to get this book. It's awesome! "What's that?" "It's a book" "Does it tweet, blog?" "No its a book" #geek http://t.co/uR2SQeT #
• And I'm a dog person too RT @wobster: also, even for you cat haters… http://t.co/fem0vjr #kittensstillarecute #asaremums #
• Am writing a multipart blog 1) the geek shall inherit the earth 2) private the new public? & 3) freedom through responsibility. Interested? #
• The whiteboard overview of Richard Gill's talk for those interested #tedxsydney http://t.co/KJio0Hy #
• Just watched an incredible talk by Richard Gill at #tedxsydney about how music, particularly creating music opens up our minds. Incredible! #
• The #tedxsydney rule of no Tweeting/Blogging/tech in the room makes me feel repressed and disconnected from my "extended mind" #
• Watching Much Ado About Nothing at Canberra theatre, it is excellent! Currently in intermission. #
• Gotta run all, going to see "Much Ado About Nothing" at Canberra Theatre, then up to Sydney for TEDxSydney!!! Woot! #
• I will publish the audio this arvo for everyone RT @craigthomler: Allison Hornery now presenting at Gov 2.0 lunch in Canberra #gov2au #
• .@NickHodgeMSFT heh, perhaps I was however going for the Equilibrium look #
• Shiny new helmet for Bumblebee Woot! http://t.co/8c40Ft5 #
• .@certifiedwaif totally, the article was kinda pointing out how stupid the assumptions we put on girls are. #
• Good luck with that RT @citizen_cam: @piawaugh I use it to attract a stalker. I've always wanted one. #
• But it will make it rock! RT @redneckninja: Listening to the Tron soundtrack will not make your bus faster #
• It's funny how we each define our own acceptable privacy to some degree. I'm happy to have public tweets, photos, but find 4square creepy #
• Gar! RT @bourdieu: Doing math is for ugly girls http://t.co/WpsbcBa /via @JotaC #
• It's dark, cold and I'm awake. Obviously time to go out jogging! #madness #
• For tweetmp stuff ask the @tweetmp guys they are pretty cool, so be polite noobs /cc @grmsn @dotnetnoobie #
• Pretty! I miss Sydney RT @TagAlongTess: @piawaugh Damn I forgot! It looked like this for the walk home: http://t.co/FsiDDOE #
• Interesting post, as usual RT @grogsgamut Poll them up, poll them down, poll them round and round http://t.co/qlf2iOR #
• OK, I think it is time to go for lunch. #
• Heh, see http://xkcd.com/644/ for how, "the rest is software" @greatmechanism #meta2011 #
• To #gov2au RT @wsgcanberra Hear @piawaugh on Open data & the importance of visualisation at WSG Canberra 8 June RSVP http://bit.ly/mf1vgG #
• For #meta2011 peeps, info on @katelundy's #publicsphere at http://bit.ly/g5GOct & you can read #gov2au report http://bit.ly/iBANWD #gov2au #
• .@JPBarlow pfft, its in the very attempt to "civilise cyberspace" that they miss the point! #
• Totally! RT @wolfcat: Wait till Alan Jones hears about the data carrying capacity of a homing pigeon with a USB drive attached to its leg #
• .@chieftech We could use embedded chip for encrypted storage of private data, accessible through dna matching, expanding our capabilities #
• .@ChristophHewett I think many ppl look at mindfulness but don't integrate in everyday life. Treat meditation like a short holiday #mindful #
• Nice! New chilled "Sprawl" for your auditory pleasure http://t.co/ckS1WQF Harder version at http://t.co/Qb8wp1S /cc @mideion #music #fb #
• Brilliant! "When Wikipedia is down my apparent IQ drops" http://t.co/UEYWx7W #
• No I didn't thanks! RT @RobbieDashwood Not sure if you saw this today? http://bit.ly/jm9Hd0 <- social media review by Sensis #gov2au #
• Interesting thoughts RT @MrLicharo Gail Dines & 2nd wave feminism […] http://bit.ly/kYDbnE #
• Hi @RobbieDashwood @acmadotgov, the #publicsphere info and prezi is up at http://bit.ly/g5GOct More to come soon. /cc @katelundy #
• YES! What he said RT @grmsn: @chieftech Used for a purpose other than intended = hacking! @piawaugh #
• Nice "Principle two requires agencies engage the community online" RT @AusIT Open public sector info principles launched http://t.co/ZT1cVDO #
• Its worth checking out and engaging with @AUS_Hansard as they are experimenting with tweeting parliament biz /cc @moldor @renailemay #gov2au #
• WOW!!! Competition to map dark matter in the universe with prize being a trip to NASA http://www.kaggle.com/c/mdm Check it out! #gov2au #
• Argh! Belly pains making it hard to concentrate. Have triaged with nurse & likely not serious, but taking twice as long to do anything #
• Aww man! I got steamed vegies from staff cafe & not only got odd looks for my beanie but now I have belly pains! At least my head is warm #
• For anyone using WordPress+FeedBurner and wants ppl to be able to subscribe to Tags. http://bit.ly/lyd2rQ #tech #gov2au #
• Tee hee, can you tell I'm looking at phones atm? RT @jeamland: When's the George Negus S come out again? #
• Haha, I mispelt George Negus as George Nexus, whoops! Need another coffee obviously! /cc @renailemay @mwyres #
• Report worth reading by the Climate Commissioner: "The Critical Decade" http://bit.ly/ijQm1t #climatechange #climate #
• RT @KateLundy New post: Senator Lundy at a Climate Commission Forum http://bit.ly/lubpr4 #climatechange #criticaldecade #climate #
• Awesome! RT @miladyred http://bit.ly/iP9DwB Beanie town! #
• #ClimateChange Commission happening now in Parliament House Theatrette http://www.abc.net.au/news/abcnews24/ (via @katelundy) #
• RT to #gov2au @moblabs AR Dev Camp Sydney - June 11 sponsored by @phmuseum @layar. Come along and play http://bit.ly/l6n14q #AR #ARDevCamp #
• Hi all, thanks and I agree! @willozap @lozz @max_au @damana #
• Just for @lozz, me and my beanie today #dresslikeacatburglarday http://t.co/YhwqLhe #
• Why is it that beanies are so very comfortable, so very very warm, and look so utterly ridiculous! Today, I do not care #
• Very interesting stuff! RT Open Technology Foundation to increase govt interoperability in ANZ - http://bit.ly/mBBeW7 #gov2au #opengov #
• Thanks Seb! It is. RT @sebchan: spirited reply from @auchmill is well worth a read. http://bit.ly/jFPYIH #gov2au @sharingnicely #
• Always enjoy Nat's insights RT Four short links: 18 May 2011 http://t.co/7cJvKwH via @radar #
• "We need librarians more than we ever did", good post! RT @sharingnicely Seth Godin / Future of Library - http://bit.ly/jErBPB #gov2au #
• Anyone done a comparison of the HTC Desire and HTC Incredible S? I've got the Desire but considering going on a plan to get the Incredible #
• Wow, @mideion did another version of "Sever the Sprawl", I love it http://mideion.com/track/sprawl V1 at http://bit.ly/jOqbI0 #music #
• Mwah ha ha! RT @1159 That is some tough lettuce. #iceberg #
• Note to self: do not concentrate on other things when eating lettuce with a fork. I've just chipped my front tooth #
• Having yummy halouni cachetori with salad leftovers for lunch, thanks to the wonderful @jdub #noms #
• RT @dannolan: @piawaugh I actually really love engaging with Depts on social media. It makes me feel like a valued citizen, oddly.#gov2au #
• DIAC getting questions on role of Twitter. Be nice when ppl start accepting social media as valid public communications #estimates #gov2au #

Sitting on #drupal-support on IRC, you see people drop by with update problems from time to time. With Drupal 6.21, 6.22, 7.1 and 7.2 released earlier in the week, today was such a day.

The person in question had attempted a Drupal core update via drush, but ran it in the wrong directory. Drupal had picked up this incorrect location for its core modules, so when the drupal-6.22 directory got deleted, it was unable to load any of the core modules. Oops.

This led me to wondering whether the way I manage my Drupal updates is odd and whether sharing it would be useful. Being an open source person, I am of the opinion that sharing is virtual always useful (except when it comes to cheese) so I'll document the way I manage updates here.

There's a few ways to update Drupal core to a new minor version. I'll not discuss major version upgrades, for which it's best to follow the procedure set out in the UPGRADE.txt file that comes with Drupal anyway.

Unpack tarball or zip

I imagine a lot of people follow that UPGRADE.txt file regardless, so an update means down-time for them whilst they move directories out of the way, unpack the tarball or zip and then copy the files directory back. It's also tedious. if you have a large files directory, you'll spend ages waiting for it to copy. On the plus side, you know you have a backup.

The even more tedious version of this involves a server where all you have is FTP access, so you need to unpack the archive locally and then upload it file by file.

Update via git fetch/rebase1

If you've installed Drupal from git, you can simply fetch the new tag from the Drupal git repository and then rebase your local Drupal version. Certainly anyone who hates kittens is already doing this, as it allows you to  hack core and keep your changes separate and version controlled.

It's also nice and efficient, as git fetch would download only the changes to the code, not the full Drupal source. Admittedly, that's only 1MB (or 2MB for Drupal 7) which isn't that much of a deal these days.

1 ... because we don't git merge, do we? :-)

Make a patch and apply it

The way I handle Drupal updates is by making a patch file that contains the difference between the versions. It's effectively a combination of the tarball and git ways. I like it because by applying a patch I can see if there are any conflicting changes (changing .htaccess is hacking core too!) and manage them sensibly. In addition, I can apply such a patch to any staging sites I manage via git as well as stand-alone production sites.

Make a patch

Making a patch is trivially easy. First I download a copy of the original and new Drupal versions via drush:

drush dl drupal-6.20 drush dl drupal-6.22

Then I create a patch using the diff utility, where the urN options control the patch file format. By default diff outputs to the screen, so I redirect this output to my patch file instead:

diff -urN drupal-6.20 drupal-6.22 > drupal-620-to-622.patch

If you have a look at the patch file, you'll see that the contents list what gets removed (-) and what gets added (+) at which line numbers. Pretty straighforward.

diff -urN drupal-6.20/CHANGELOG.txt drupal-6.22/CHANGELOG.txt --- drupal-6.20/CHANGELOG.txt   2010-12-16 08:11:22.000000000 +1100 +++ drupal-6.22/CHANGELOG.txt   2011-05-26 06:43:55.000000000 +1000 @@ -1,4 +1,14 @@ -// $Id: CHANGELOG.txt,v 1.253.2.43 2010/12/15 21:11:22 goba Exp $ + +Drupal 6.22, 2011-05-25 +---------------------- +- Made Drupal 6 work better with IIS and Internet Explorer. +- Fixed .po file imports to work better with custom textgroups. Apply the patch

Now all that remains is to apply the patch to any Drupal instances that need updating, using the patch utility. It reads data from standard input, so I use a redirect2 again:

cd /path/to/drupal/root patch -p1 --dry-run < /path/to/drupal-620-to-622.patch

When you run that, patch will tell you which files it's patching and whether any errors have occurred. The -p1 option tells patch to remove the top level part of the file path from each file that's listed in the patch. In this example, it would strip off "drupal-6.20/" and "drupal-6.22", leaving it to patch the CHANGELOG.txt file in the current directory, which is what we want.

The --dry-run part means patch is not actually modifying the Drupal files yes, but only telling you what it would do. If there are any errors, you can find out what they are and then decide whether or not to apply the patch. To apply the patch for real, use:

patch -p1 < /path/to/drupal-6.20-to-6.22.patch

If there were errors that you decided to ignore during the dry-run, you'll find that patch has created created two copies of all the files it failed to patch successfully. One with the suffix .orig, which is the original unpatched copy of the file and one with the suffix .rej, which contains a listing of the parts of the patch that failed to apply to the file.

Fixing those up is effectively identical to resolving a failed git rebase or merge.

And there you have it, my reasonably fast, reasonably fool-proof and - above all - reasonably lazy way of updating a Drupal installation.

2 Because I'm an opponent of the needless use of cat, as in cat drupal-6.20-to-6.22.patch | patch -p1

Trackback URL for this post: http://cafuego.net/trackback/402

I’m hoping that someone already has a solution to this, but I couldn’t find one via Google Code Search.

What I want is a GtkCellRenderer that can render markup which contains links, exactly like a modern GtkLabel can. If it can also render small 16px inline images, that would be pretty awesome bonus.

Before I write it myself, does anyone already have one of these (with a GPL-compatible license)?

I have a bunch of notes from the O’Reilly MySQL Conference & Expo 2011, and I figure its about time I started blogging it. These are notes from the panel on the SkySQL Reference Architecture, led by Kaj Arno and Ivan Zoratti. The notes are raw (read their FAQ for more), and I talk a little bit about the SkySQL Configurator at the end (a tool I immediately used, and submitted some bugs/improvements for – 7 at last count, which I hear got fixed in the 0.02 release, which got pushed last night!).

There were 7 panelists. The MySQL world needs:

• technical support
• monitoring & administration tools
• simplified interfaces
• development & user tools
• consulting & training

Services & consulting generally are difficult to scale. The most comprehensive architecture around MySQL, scalable, adaptable and cloud ready Implementation:

• select and test specific components
• integrate components
• provision the components in a simple interface
• simplify monitoring & administration
• technical services & support
• validate solutions
• improvements and new releases can be done
• knowledge sharing related to the reference architecture

Technologies selected from Webyog, Sphinx, Drizzle, Monty Program, Calpont, Tokutek, ScaleDB, Schooner, Linbit, Zimory, Canonical.

SkySQL Provisioning tools:

• SkySQL Manager – control and administer the SkySQL/MySQL environment
• SkySQL Configurator – configure and update SkySQL reference architecture modules
• SkySQL Tuner – analyse the configuration and prepare the packages

I did a test, and it seemed like I got binaries built in under 5 minutes. Custom configurations with a stock build. You get a 70MB binary. Hosted at http://www.enovance.com/. A lot of people never configure their my.cnf, so I think having a GUI on the web might be a good idea to help people have sensible defaults.

lovegood:skysql byte$ ls total 143352 drwxr-xr-x 3 byte staff 102 14 Apr 06:13 ./ drwx------@ 598 byte staff 20332 14 Apr 06:13 ../ -rw-r--r--@ 1 byte staff 73395132 14 Apr 06:12 SkySQL-mariadb-poboffcfrm5bi054559q8iea74.tar.gz lovegood:skysql byte$ tar -zxvpf SkySQL-mariadb-poboffcfrm5bi054559q8iea74.tar.gz x etc/ x etc/my.cnf x install x packages/ x packages/xtrabackup-1.4-74.rhel5.x86_64.rpm x packages/MySQL-client-5.5.10-1.rhel5.x86_64.rpm x packages/MySQL-server-5.5.10-1.rhel5.x86_64.rpm

SkySQL is also going to have a customer advisory board, and they are starting it this week. (I don’t know any further details about this as of yet.)

The SkySQL Configurator can only get better. I expect it will do custom packages including things like Sphinx/SphinxSE, Drizzle, and other things in due time.

Related posts:

1. O’Reilly MySQL Conference & Expo 2011 – register now to save!
2. Services Oriented Architecture with PHP and MySQL
3. Federation at Flickr: A tour of the Flickr Architecture

Today I subscribed to Linux Weekly News for another 11 months at the new Professional Supporter level. Rusty asked for a higher level of subscription to be available a while back, and Jon (with his characteristic gentle, wry humour) implemented it recently.

It took me a little time to actually raise my subscription level - I had spent a bit of money on bike parts and other stuff and, though I could still have afforded it, just didn't feel like watching all my money escape in one go. (I'm still recovering from my somewhat exuberant donation to the flood relief funding at LCA 2011). But finally the stars aligned, the checksums matched and I paid for the shiny stars on my name.

Why? For two reasons. One, as Rusty says, is that Jon and the team at LWN are doing huge, exemplary, and difficult work condensing all the news that's important in the FOSS gamut into one easy-to-read site. If I had to buy a magazine for that I'd be paying at least half that. The second reason is congruent to my decision to support webcomic artists: that I love supporting anyone who is getting to do the thing they love. I love working with computers and I'm lucky enough to have found companies that employ me for my skills. If you want to be a journalist who writes about FOSS, it's much more difficult to find a company that gives you the freedom you need to write about the things you love. Being able to support them in that is a good thing.

Plus, I can write it off as an educational expense on my tax, and I get Jon owing me a beer rather than me owing him one :-). So it's good all round.

I'm not calling it maniacal. It's a perfectly sensible judgement in my opinion. There are lots of people who read LWN who are paid well and could easily afford to support them at that level. Hearing Jon's talk about running LWN for thirteen years was an insight into the trials and obstacles confronting anyone that wants to do as LWN has done. Given that there are well-known but not particularly well-respected IT news websites out there that also send their reporters to LCA - usually, it would seem, to stir up trouble - having LWN around to provide an intelligent, reasonably even-handed report on what goes on in the FOSS community is a great, unsung boon to us all.

Jon's philosophy in setting the prices for subscriptions - and allowing mostly unrestricted access for free - has been that Linux users like things to be free. I would argue that they like their software to be both zero-cost and unencumbered, but I don't think that necessarily extends to them expecting a free ride from other people. I'm sure there are lots of people that can afford to support LWN, even in a small way, for the service it provides. It maybe not at the professional support level, but having this option gives people like myself to support it at an appropriate level for our income.

As part of starting at my new place of employment, I've installed the beta of Fedora 15 (because the real thing comes out tomorrow, curse it). With it comes GNOME 3, the latest update of the GNOME window manager.

So far my experience is pretty good. Yes, it's different, but no, it's not that different that I can't learn how to use it. It's a case of not thinking "why can't I do that the old way" but "I wonder what the new way is", and for the most part it's not that painful. Of course, there were a few things that I did want to make work the same as my previous GNOME setup and the main one was focus following the mouse pointer. After a bit of research on the net, I found the necessary command and will post it here for reference:

gconftool-2 -s /apps/metacity/general/focus_mode -t string mouse (I'll spare my readers my cunning arguments about why focus following the mouse is the obvious, natural and optimal system for interfaces with an explicit focus indicator such as a mouse pointer. Save to say, just use it.)

Another thing that's changed is that Alt-TAB now groups all windows by application - all Firefox windows are treated as one group for the purpose of tabbing around, for example. When one application has multiple windows open, a little down-arrow appears at the bottom of its icon and, by mousing over it, you can then select the sub-window you require. This, however, is inconvenient if, like me, you use the keyboard a fair bit - moving to use the mouse takes time and effort. I discovered, with a bit of experimentation, that you can use the arrow keys for this as well - press Alt-TAB and use either TAB and Shift-TAB or left and right to navigate; when an application with sub-windows is selected, use down to show a list of its sub-windows and left and right to select from there.

Maybe there are other ways of using this; that's what worked for me. But it shows that a bit of experimentation can take less time than grumbling about how everything's changed and it no longer matches what you see.

And I think it's going to be a surpreme bit of irony that there'll be all these Linux experts complaining about how GNOME has broken everything and they want their old GNOME look and feel back - the same people who keep on looking down on their friends for not wanting to move from Windows or OS X to GNOME because "it's a different look and feel". Take it on the chin, people.

The month of May, must be time for a Zombie post. It is good (or hell funny, you choose) to see large organisations or other institutions getting more prepared and scientific about Zombies. Just this month the US Centers for Disease Control released their Zombie Apocalypse Preparedness Guide, I wonder if other countries have their information for citizens prepared.

The other thing to note is there is it seems increasing research happening in various institutions about Zombies. The Smithsonian has a good round up of some of the recent zombie research appearing in the field. That should do me until May next year, unless the Zombies get me (due to my lack of preparedness).

I should of course preface this with the statement that I think it is great to see anyone getting out and exercising and I should not belittle any efforts towards that. Also as always I make no claims to being a runner. (quite the opposite)

I was at a physio the other week trying to get an injury that had appeared better before the north face and overheard something that had me privately grinning. Another physio at the practice asked their client if they did any sport. The client said they were a bit of a runner. When asked what sort of runs they did the client said they would do a 3 to 5 km run occasionally.

This amused me, I had this image of someone like Julie, David, Davo, Gramps, Flan, etc doing a Mick Dundee sort of thing, "That's not a run, this is a run!" with a 6 foot track, TNF100, or 10 hour training run sort of display. The whole problem with the image is that all these people are far too modest (which sort of increased the humour of the image I had in my head I guess).

Yet another example of applying Crocodile Dundee to every day experiences to provide humour.

There’s been a lot going on in the world of Decaf Sucks lately. Let me fill you in:

Big Milestones

Back in February we passed 1000 reviews! Thanks to Jasmin Wong for getting us across the line with her review of Koko Espresso in Surry Hills. Since then, the pace has continued to pick up, and we’re on track to hit our next thousand in much less time.

We’ve also been busy keeping the Dispatch machine running. Just this week we sent out our sixth Dispatch! So far, we’ve taken our coffee subscribers on quite a journey, covering much of South America, and just recently setting foot in Africa. It’s a great feeling packaging and sending out bags of coffee, knowing they’re bringing lasting caffeinated joy around the nation. It’s never too late to join in — there’s plenty more good stuff coming.

In the Press

Decaf Sucks is also starting to garner a bit of attention around the web. This month I wrote a feature article for HerCanberra about Canberra’s best cafes according to Decaf Sucks reviewers (Hint: there’s plenty of good coffee to be had!). The article was also picked up by The RiotACT, and stimulated some hearty discussion in the comments section.

We’ve also been mentioned in the Editor’s Blog for CIO magazine, in a list of “Dirty little app secrets”. CIO editor Georgina Swan had some very flattering things to say:

I simply added the site to my home screen so you could argue that it’s not technically an ‘app’. My response: It’s better than an app, because it looks great, usability is awesome and it’s device agnostic. You can use it with or without location services enabled and you can sign in with either Twitter or Facebook accounts. Very tasty.

We’re glad you like it!

Mobile UI and Site Improvements

Speaking of Decaf Sucks' mobile web interface, we’ve recently updated the interface completely to match our new design for the desktop web version:

This new interface also looks beautiful on the retina display iPhone 4’s and iPod Touches, thanks to Max’s use of scalable SVGs for all the icons.

We’ve also enabled every feature of the site within the mobile interface. Now you can list and edit all your own reviews.

Finally, we’ve reinstated an oft-requested feature for Decaf Sucks: full text search! Now you can search for cafés by their names or any text mentioned in their reviews. Here are some suggestions to get you exploring: single origin, ristretto, chinotto, mocha, and pizza.

I'm running a full day Inkscape workshop for ICT in Education Victoria on Wed 15 June 2011 at the Statewide Resources Centre in Carlton (150 Palmerston Street)

It's aimed at absolute beginners - new to Inkscape and new to vector drawing in general.

It's sub-titled Drawing across the Curriculum because most of the attendees will be school teachers, from primary and secondary schools. We'll be exploring where graphics fit in the curriculum and how a tool like Inkscape might be helpful to teachers themselves, and whether their students might also find it useful.

We'll be exploring the vast resource of wikimedia commons SVG files and openclipart - searching for graphics relevant to classroom practice, and modifying them for specific use.

The day will start with a tour of Inkscape's tools, and an introduction to vector drawing techniques, understanding objects, editing nodes, a look at the magic of the trace bitmap tool.

We'll then shift gears to delve into graphics in the classroom - brainstorm how drawing can be just as useful in maths as it is in art, how an image might illustrate a story, or a diagram might help get the message across in an essay.

We'll finish up by diving deep into wikimedia commons and open clipart - and hopefully we'll be sharing some of our work back to those websites too.

If you're interested in coming along -  register on ICTEV's website 

Member Cost: $159.00

Non-member Cost: $189.00

Includes: Morning tea, lunch and tutorial files

 

Note for Mac Users...

http://inkscape-forum.andreas-s.net/topic/187497

Trackback URL for this post: http://kattekrab.net/trackback/268

03:39: Mikal shared: Before And After of the Day

Wow. Before and after shots of a suburb hit by a tornado.

Tags for this post: blather Comment RSS with no blather

John W. Dean wrote in insightful series of three articles for Findlaw about Authoritarian Conservatives [1]. In summary there are Authoritarian Followers who follow their leader blindly and Authoritarian Leaders who do whatever it takes to gain and maintain power. The Authoritarian mindset lends itself towards right-wing politics.

Mick Ebeling gave an inspiring TED talk about his work developing a system to produce art that is controlled by eye movements [2]. The development work was started to support the quadriplegic graffiti artist TEMPT1. Mick’s most noteworthy point is that all the hardware design and software are free so anyone can implement it without asking an insurance company or hospital (this is one of the few occasions when a TED speaker has received a standing ovation during a talk). The Eyewriter.org site has the designs and source which is licensed under the GPL [3].

Morgan Spurlock (who is famous for “Supersize Me”) gave an amusing TED talk titled “The Greatest TED Talk Ever Sold” [4]. He provides some interesting information about the brand sponsorship process and his new movie “The Greatest Movie Ever Sold”.

Ralph Langner gave an interesting TED talk about reverse-engineering the Stuxnet worm and discovering that it was targetted at the Iranian nuclear program [5]. The fact that the Stuxnet environment could be turned to other uses such as disrupting power plants is a great concern, particularly as it has special code to prevent automatic safety systems from activating.

Angela Belcher gave an interesting TED talk about using nature to grow batteries [6]. She is evolving and engineering viruses to manufacture parts of batteries and assemble them, the aim is to scale up the process to manufacture batteries for the Prius and other large devices at room temperature with no toxic materials. She is also working on biological methods of splitting water into hydrogen and oxygen which has the obvious potential for fuel-cell power and also solar PV cells. As an aside she mentions giving a copy of the Periodic Table to Barack Obama and he told her that he will “look at it periodically”.

Bruce Schnier gave a good overview of the issues related to human perceptions of security in his TED talk about The Security Mirage [7]. There isn’t much new in that for people who have been doing computer work but it’s good to have an overview of lots of issues.

TED has an interesting interview with Gerry Douglas about his work developing touch-screen computer systems for processing medical data in Malawi [8]. This is worth reading by everyone who is involved in software design, many of the things that he has done go against traditional design methods.

Mike Matas gave an interesting demo at TED of the first proper digital book [9]. The book is by Al Gore and is run on the iPad/iPhone platform (hopefully they will have an Android version soon). His company is in the business of licensing software for creating digital books. The demonstration featured a mixture of pictures, video, audio, and maps with the pinch interface to move them around.

Dr Sommers of Tufts University wrote an interesting post for Psychology Today titled “Why it’s Never About Race [10]. It seems that there are lots of patterns of people being treated differently on the basis of race but for every specific case no-one wants to believe that racial bias was involved.

The Register has an amusing article about what might have happened if Kate had left Prince William at the altar [11].

Fiorenzo Omenetto gave an interesting TED talk about synthetic silk [12]. He is working on developing artificial fibers and solids based on the same proteins as silk which can be used for storing information (DVDs and holograms), medical implants (which can be re-absorbed into the body and which don’t trigger an immune response), and cups among other things. Maybe my next tie will have a “no pupae were harmed in the production” notice. ;)

The CDC has released a guide to preparing for a Zombie apocalypse [13], while it’s unlikely that Zombies will attack, the same suggestions will help people prepare for the other medical emergencies that involve the CDC.

Salon has an interesting article by Glenn Greenwald who interviewed Benjamin Ferencz about aggressive warfare [14]. Benjamin was a prosecutor for war crimes at Nuremberg after WW2 and compares the US actions since 9-11 with what was deemed to be illegal by the standards of WW2.

Eli Pariser gave an interesting TED talk about Online Filter Bubbles [15]. He claims that services such as Facebook and Google should give more of a mixture of results rather than targetting for what people want. The problem with this idea is that presenting links that someone doesn’t want to click doesn’t do any good. It’s not as if the filter bubble effect relies on modern media or can be easily solved.

Terry Moore gave a TED talk about how to tie shoelaces [16]. Basically he advocates using a doubly-slipped Reef Knot instead of a doubly-slipped Granny Knot. Now I just need to figure out how to tie a doubly-slipped Reef Knot quickly and reliably. Terry uses this as a mathaphor for other ways in which one might habitually do something in a non-optimal way.

• [1] http://writ.news.findlaw.com/dean/20070925.html
• [2] http://www.ted.com/talks/mick_ebeling_the_invention_that_unlocked_a_locked_in_artist.html
• [3] http://www.eyewriter.org/developer/
• [4] http://www.ted.com/talks/morgan_spurlock_the_greatest_ted_talk_ever_sold.html
• [5] http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
• [6] http://www.ted.com/talks/angela_belcher_using_nature_to_grow_batteries.html
• [7] http://www.ted.com/talks/bruce_schneier.html
• [8] http://blog.ted.com/2011/04/29/fellows-friday-with-gerry-douglas/
• [9] http://www.ted.com/talks/mike_matas.html
• [10] http://www.psychologytoday.com/collections/201104/happy-birth-certificate-mr-president/why-its-never-about-race
• [11] http://www.theregister.co.uk/2011/04/28/operation_pumpkin/
• [12] http://www.ted.com/talks/fiorenzo_omenetto_silk_the_ancient_material_of_the_future.html
• [13] http://emergency.cdc.gov/socialmedia/zombies_blog.asp
• [14] http://www.salon.com/news/osama_bin_laden/index.html?story=/opinion/greenwald/2011/05/13/nuremberg
• [15] http://www.ted.com/talks/lang/eng/eli_pariser_beware_online_filter_bubbles.html
• [16] http://www.ted.com/talks/terry_moore_how_to_tie_your_shoes.html

What do Assholes do?

Rusty just wrote a post titled “If you didn’t run code written by assholes, your machine wouldn’t boot” [1] about some of the anti-social tendencies demonstrated by programmers, including some that are implied to be fairly important. His post seems to imply that there are really great programmers who are anti-social and that we should just put up with it because of their great code.

One of the problems with his post is that he doesn’t define “asshole”. Holocaust deniers and all other Nazi supporters seem to clearly by assholes by any definition. People who have silly ideas about medicine and tell others seem to be merely misguided (although my dictionary gives “stupid or irritating or ridiculous” in the definition of “asshole” so technically they can meet the criteria).

In the comments Rusty states that “nuttiness is relative”. While that is correct it doesn’t seem to have much bearing on whether someone is an asshole. For example I know some very nice people who are utterly convinced by creationism.

Is Anyone Essential to Free Software?

Most projects have one person or several people in leadership positions, usually there seems to be a combination of project management and lead-programmer positions. Such people are obviously quite important to a project. But we have seen examples of people dying, being employed by Microsoft, retiring, relicensing the source in a bad way, and just losing interest without the project ceasing.

It seems clear that in most cases when a project which has a significant amount of use has significant bugs and no maintainer then someone will step in. The cases where no-one takes over the project are often resolved by someone creating a competing project. If no-one takes over an abandoned Free Software project then it’s a strong indication that the project wasn’t particularly important anyway.

I have no doubt that if any bug or missing feature made Linux systems stop booting then someone would fix it quite quickly.

In a more general sense it seems that every time someone takes a position in a project that is of wide interest they are displacing someone else who might have done the job. When you volunteer to do significant work for a project you may be displacing someone who is more skillful than you – this isn’t necessarily a bad thing as there are plenty of other projects to work on, some of which require more skill.

Growing More Programmers

It seems to me that a large part of becoming a great programmer is facing great challenges. People who could be described as “optimistic” or “arrogant” will tend to take on more challenging tasks and therefore learn more. I’m sure that there are a lot of people out there who have the potential to be great programmers apart from not taking on the challenging work, this seems to be an unfortunate waste of talent. Given a large enough population if someone leaves a senior position there should be someone else who can obtain the skills needed to take over. One advantage of this for Free Software development is that even if the best person to take on the challenge isn’t living in the most convenient continent that won’t be an obstacle, while with proprietary software development projects the teams are small and it’s common that no-one else is capable of stepping up to a lead position. Another advantage is that when the lead developer leaves there are generally many candidates to replace them, all of whom can start work and be judged on the work that they do.

I think that the best claims that can be made regarding essential people are not in regard to technical skill alone but to a combination of technical and people skills. Getting a group of programmers to work together is really hard but it’s something that needs to be done for any significant project. Also the larger projects tend not to stand alone, being able to get changes included in other projects requires some skill.

Ben Collins-Sussman and Brian Fitzpatrick gave an insightful talk at Google IO 2008 titled “How to Protect Your Open Source Project From Poisonous People” [2]. The first half of their talk is mostly about people who are misguided or difficult rather than what most people would consider “poisonous” and the second half is more about people who are actively poisonous and need to be removed. They advocate a community based on Politeness, Respect, Trust, and Humility. They describe in detail how the methods they advocate result in the members of their community being more productive, it seems obvious that those principles will lead to better career growth for people within the community and more friendly people wanting to join.

When is being an Asshole OK?

I once worked for a company that apparently had a team consisting solely of assholes. Apparently one asshole got promoted to management and after some internal transfers they ended up with all the assholes in the company on one team. I guess that when someone has negative interactions with everyone they won’t notice the difference if they are put in a team where everyone is difficult. For a corporate environment that lacks a “no jerks” hiring policy this is probably a good way of improving productivity overall. I am not aware of any significant Free Software project that was comprised of mostly jerks – although I have seen a few with dysfunctional environments that encourage the worst behavior from their members.

The smaller Free Software projects have less need for people who can relate to other people. There are many useful Free Software projects which have only one developer, in most cases anyone can take the source code and use it without dealing with the author. But even for a single-developer project an asshole can cause some serious problems. One example I know of concerns a developer who had unclear licenses and started making legal threats in response to a request for a clear license. Another example is of a developer who released code that was designed to not work when one particular user compiled it and redistributed the binaries. Both of them caused some significant amounts of time to be wasted by people who were unfortunate enough to develop systems that interacted with the code in question, and even more time was wasted when some misguided people defended them in the inevitable flame-wars.

Even for a project with only one developer it’s still better for everyone if that developer isn’t an asshole.

One comment I’ve seen related to this issue suggesting that some types of asshole behavior shouldn’t be a problem – an example that was cited is a colleague who cheats on a romantic partner. Jeremy Clyman (who is currently doing a Ph.D in Psychology) has written an interesting article about this for Psychology Today [3]. He reviews the movie “The Dilemma” which deals with someone catching their colleague’s wife cheating. Jeremy analyses the psychological issues involved and how they can (among other things) impact the ability for such people to work. I once worked in an office where two married employees were very open about having an affair and we were all apparently expected to lie on their behalf if necessary, it really affected the quality of the working environment.

Extreme Assholes

There are lots of people involved in Free Software development who are difficult and many who are to some extent assholes. But some of them take being an asshole to the extreme, such as Holocaust deniers (an example which Rusty used). In the comments on his post the Westboro Baptist Church is also mentioned.

It is possible to entirely disagree with someone on a contentious issue such as abortion but still be able to get along with them. But when someone supports a hate-based organisation such as the WBC or supports Nazis in any way then there will be many people who just can’t tolerate them – and no-one should be expected to tolerate such people.

I have seen two instances where Free Software developers advocated pro-Nazi positions (one had an archive of neo-Nazi propaganda and the other claimed that Nazis were not responsible for the Holocaust). Neither of the pro-Nazi programmers was evicted for defending Nazis, but both of them ended up leaving the community in adverse ways – after causing other damage in the mean time.

I don’t think it takes any great ability to predict the future to determine that someone who defends Nazis will eventually end up doing something that requires expulsion and drive away users and developers in the mean-time. There is no possibility that someone can support the Nazi or WBC ideology only when not associated with your project, it will affect all aspects of their life.

When a Holocaust denier is allowed to be a member of a community it also sends out a message that members of the groups which were persecuted by Nazis aren’t particularly welcome in the community.

Helping Minor Assholes

There are a lot of people who don’t have malevolent aims but who unintentionally cause some difficulty (it seems that the truly malicious are a tiny minority). I don’t think that excusing the bad things that they do on the basis of writing good code helps them in the long term. Many of the suggestions that Ben Collins-Sussman and Brian Fitzpatrick make seem likely to help people who don’t want to be assholes and direct them towards positive involvement in the community.

One trend that seems apparent is the non-linear response to certain types of bad behavior. There is often little difference in severity between something that gets almost no attention and something that results in a large and extremely hostile reaction. If someone persists in acting like an asshole for long enough it seems to be inevitable that they will eventually exceed some threshold for what is tolerated and get a very significant negative response. It would be good if things didn’t need to get to that stage.

I think that the most unfortunate aspect of Rusty’s blog post is that most people will probably interpret it as encouragement to write better code as a way of getting a free pass for being an asshole. I know that this isn’t what Rusty intended, but most people on the Internet don’t know Rusty as well as I do.

Conclusion

Ben Collins-Sussman and Brian Fitzpatrick seem to have some of the best ideas for how to deal with these issues when you control a project, but most of us aren’t in that position.

Everyone can advocate better behavior.

Extreme assholes need to be removed quickly and without a great debate about their contributions, freedom of speech, or other issues.

Since considering this issue I’ve been wondering about when one should avoid the lesser assholes and asshole-positive environments. People tend to adapt to their environment, so if you associate with assholes a lot then there’s a good chance you will start to become like them. Is

• [1] http://rusty.ozlabs.org/?p=196
• [2] http://www.youtube.com/watch?v=-F-3E8pyjFo
• [3] http://www.psychologytoday.com/blog/reel-therapy/201105/what-causes-the-dilemma

KDE’s NetworkManager is a nicely integrated plasmoid, however it is missing some features (particularly ones I need to authenticate to University’s network).

It’s easy to swap out KDE’s plasmoid with GNOME’s more fully featured NetworkManager applet. Simply remove the KDE one, install GNOME’s one, tell it to start on login, then just log out and back in!

Remove and install:

sudo yum erase kde-plasma-networkmanagement

sudo yum install NetworkManager-gnome

Then go to System Settings, load Startup and Shutdown module to add the applet to Autostart. Simply click Add program and type:

nm-applet --sm-disable

Log out and back in and you’re away!

We’ve been doing some work where we really needed “direct” machine to machine access between an number of staff and their local file servers. The obvious way to approach this sort of thing is to use a Virtual Private Network technology, but which one?

There are a lot of VPN solutions out there. Quite a number of proprietary ones, and of course the usual contingent of “it’s-free-except-that-then-you-have-to-pay-for-it”. In both cases, why anyone would trust the integrity of code they can’t review is quite beyond me.

We’ve used OpenVPN for some of our enterprise clients, and it’s quite robust. Its model excels at giving remove users access to resources on the corporate network. Technically it is implemented by each user getting a point-to-point connection on an internal network (something along the lines of a 10.0.1.0/30) between the user’s remote machine and a gateway server, and then adding routes to the client’s system to the corporate IP range (ie good old 192.168.1.0/24). That’s fine so long as the assumption is that all the servers on the corporate network have the gateway as their default route, then reply packets to 10.0.1.2 or whatever will just go do default and be sent back down the rabbit hole. Gets messy with things like Postgres if your remote developers need access to the databases; in the configs you do need to add eg 10.0.1.0/24 to the list of networks that the database will accept connections from.

Anyway, that’s all fairly reasonable, and you can set up the client side from NetworkManager (install Debian package network-manager-openvpn-gnome) which is really important too. Makes a good remote access solution.

Peer to Peer

But for our current work, we needed something less centralized. We’re not trying to grant connectivity to a remote corporate network; we’re trying to set up a private network in the old-fashioned frame-relay sense of the word — actually join several remote networks together.

Traditional VPN solutions route all the traffic through the secure central node. If you’ve got one system in NSW and another in Victoria, but the remote access gateway is in California, then despite the fact that the two edges are likely less than 50 ms away direct path, all your traffic is going across the Pacific and back. That’s stupid.

A major complication for all of us was that everyone is (of course) stuck behind NAT. Lots of developers, all working remotely, really don’t need to send all their screen casts, voice conferences, and file transfer traffic into the central corporate network just to come all the way out again.

The 1990s approach to NAT implies a central point that everyone converges to as a means of getting their packets across the port address translation boundary. Things have come a long way since then; the rise of peer-to-peer file sharing and dealing with the challenges of internet telephony has also helped a great deal. Firewalls are more supportive and protocols have evolved in the ongoing attempt to deal with the problem.

Meet tinc

So the landscape is different today, and tinc takes advantage of this. According to their goals page, tinc is a “secure, scalable, stable and reliable, easy to configure, and flexible” peer-to-peer VPN. Uh huh. Because of its peer-to-peer nature, once two edges become aware of each other and have exchanged credentials, they can start sending traffic directly to each other rather than through the intermediary.

$ ping 172.16.50.2 PING 172.16.50.2 (172.16.50.2) 56(84) bytes of data. 64 bytes from 172.16.50.2: icmp_req=1 ttl=64 time=374 ms 64 bytes from 172.16.50.2: icmp_req=2 ttl=64 time=179 ms 64 bytes from 172.16.50.2: icmp_req=3 ttl=64 time=202 ms 64 bytes from 172.16.50.2: icmp_req=4 ttl=64 time=41.6 ms 64 bytes from 172.16.50.2: icmp_req=5 ttl=64 time=45.4 ms 64 bytes from 172.16.50.2: icmp_req=6 ttl=64 time=51.3 ms 64 bytes from 172.16.50.2: icmp_req=7 ttl=64 time=43.3 ms 64 bytes from 172.16.50.2: icmp_req=8 ttl=64 time=42.3 ms 64 bytes from 172.16.50.2: icmp_req=9 ttl=64 time=44.2 ms ... $

This is with the tincd daemons freshly restarted on each endpoint. The first packet clearly initiates edge discovery, key exchange, and setup of the tunnels. It, and the next two packets, are passed across the Pacific to the central node. Ok, fine. But after that, the tunnel setup completes, and both edge nodes have been informed of the peer’s network addresses and start communicating directly. Nice.

See for yourself

Watching the logs under the hood confirms this. If you run tincd in the foreground then you can specify a debug level on the command line; I find “3” a good setting for testing:

# tincd -n private -D -d3 tincd 1.0.13 (May 16 2010 21:09:47) starting, debug level 3 /dev/net/tun is a Linux tun/tap device (tun mode) Executing script tinc-up Listening on 0.0.0.0 port 655 Ready Trying to connect to einstein (1.2.3.4 port 655) Trying to connect to newton (5.6.7.8 port 655) ...

If you give it SIGINT by pressing Ctrl+C then it’ll switch itself up to the exceedingly verbose debug level 5, which is rather cool. SIGQUIT terminates, which you can send with Ctrl+\. If you’re not running in the foreground (which of course you’d only be doing in testing),

# tincd -n private -kINT

does the trick. Quite handy, actually.

Performance is respectable indeed; copying a 2.8 MB file across the Pacific,

$ scp video.mpeg joe@einstein.sfo.example.com:/var/tmp

gave an average of 31.625 seconds over a number of runs. Doing the same copy but sending it over the secure tunnel by addressing the remote machine by its private address,

$ scp video.mpeg joe@172.16.50.1:/var/tmp

came in at an average of 32.525 seconds. Call it 3% overhead; that’s certainly tolerable.

Setup

Despite my talking above about joining remote networks, an important and common subcase is merely joining various remote machines especially when those machines are both behind NAT boundaries. That’s our in-house use case.

The tinc documentation is fairly comprehensive, and there are a few HOWTOs out there. There are a few gotchas, though, so without a whole lot of elaboration I wanted to post some sample config files to make it easier for you to bootstrap if you’re interested in trying this (install Debian package tinc).

tinc has a notion of network names; you can (and should) organize your files under one such. For this post I’ve labelled it the incredibly original “private“. Note that when you specify host names here they are not DNS hostnames; they are just symbolic names for use in control signalling between the tinc deaemons. Flexibility = Complexity. What else is new. Obviously you’d probably use hostnames anyway but administration of the tinc network doesn’t need to be co-ordinated with people naming their laptop my-fluffy-bunny or some damn thing. Anyway, on system labelled hawking I have:

hawking:/etc/tinc/private/tinc.conf Name = hawking AddressFamily = ipv4 ConnectTo = einstein ConnectTo = newton Interface = tun0

Note that I’ve got an Interface statement there, not a Device one. That’s a bit add odds with what the documentation said but what I needed to make it all work. Only one ConnectTo is actually necessary, but I’ve got one server in California that is reliably up and one in Victoria that is not so I just threw both in there. That’s what your tincd is going to (compulsively) try to establish tunnels to.

hawking:/etc/tinc/private/hosts/hawking Subnet = 172.16.50.31/32

Somewhat confusingly, you need a “hosts” entry for yourself. Above is what you start with. Each host also needs a keypair which you can generate with:

# tincd -n private -K4096

with /etc/tinc/private/rsa_key.priv getting the private key and the public key being appended to the hosts/hawking file:

Subnet = 172.16.50.31/32 -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAzSd5V91X6r3NB3Syh2FV8/JC2M7cx6o2OKbVzP6X5SFPI1lEH1AD 7SfIlQF4TE++X8RcpJaBi4KjMS/Ul36Tuk75eKA18aNTBoVqH/ytY0BipQvJ6TUd BEkCjYrOUHFYOQn8MxQzziG6nk9tvhTWS0yKCNbd68e5i9uyKOem3R/pJsd/Kh9V wdVB51Wxs1Sv07OYmGYyRmGWh450wBNEmQfPHmM60Yh6uoQNJ0Ef41k1ZcswWcfO 0jp9EOvbW/ZCdBW6teIYZ3GMuMB/cFj0Dw2fx6dHNHZVZrPcivt0cuOG8L4jNoHj HQUGuzMrpDN8N1ymM/eDlx+kBFYreKiEYGoWWqlZPNoY+bCekMrNf6Sr9bBwbj23 xmY1jf6v1LkxGtOi4wWJfbU4xaMnquIRQe6FtB4LHp29l2SYWcpZnjuLcZ4ZoZLQ WK4bb0bUCAI/eYb19JRnfKEwS9MhYaQhZLWAJ3xyOt9u/Kk9KV7vWApxR1f5e2KT 77A446eQU5aedm8nBDbd+WHqTdklAQ7SdRyYmbD8PoXBd3DGP6dFiURVTy8Wn4gz Bn7PMI3zmhfCMtwq/3A/xfyjQY3qesGCmKUwTno3fhv1DScS0rS9TRxZfyxlaOB1 qjtlU79VhI0UKlha2Fv4XLshQ5dYEutpatpij0NzPYlwiQFphFQKStsCAwEAAQ== -----END RSA PUBLIC KEY-----

These are the public identifiers of your system and indeed the remote system in your ConnectTo statement must have a copy of this in its hosts/ directory. For nets of servers we maintain them in Bazaar and share them around using Puppet. Central distribution brings its own vulnerabilities and hassles; for very small team nets we just share around a tarball :).

You don’t need the /32, it turns out, but I left it in here to show you that tincd is effectively trading around network route advertisements, not host address.

hawking:/etc/tinc/private/tinc-up #!/bin/sh ifconfig $INTERFACE 172.16.50.31 netmask 255.255.255.0

This gets run when the net comes up. You can do all kinds of interesting things here, but the really magic part is assigning a broader /24 network mask than that given the interface in the hosts/hawking file. That means this interface is the route to the network as a whole (not just to a single-attached host on the other side of a point-to-point tunnel, which is what OpenVPN does, leaving the default gateway to sort it all out). Lots of other ways to wire it of course, but one /24 in RFC 1918 land is more than enough. I’ve even heard of some people using Avahi link-local networking to do the addressing.

I could have hard coded tun0 there, I suppose, but they supply some environment variables. Much better.

Now for the California node:

einstein:/etc/tinc/private/tinc.conf Name = einstein AddressFamily = ipv4 Interface = tun0 Device = /dev/net/tun

That one I did need a Device entry. Not sure what’s up there; it’s a server running Stable, so could just be older kernel interfaces. Doesn’t matter.

Note again though that the tinc.conf file doesn’t have a public IP in it or anything. Bit unexpected, but hey. It turns up in the hosts files:

einstein:/etc/tinc/private/hosts/einstein Address = 1.2.3.4 Subnet = 172.16.50.1/32 -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAqh/4Pmxy5fXZh/O7NkvebFK0OP+YD8Ph7JvK8RsUn75FY3DXjCCg VNRR+kRhnVoKVJcIAuvW7Tbs4fovWELOJbbUbKea8G+HANCgOY5F0rkJVtIAcTCL Jg1OelAfhF6yHV4vVgcawafWiMF2CtprveHomCnOwCbGuTDwTBqaUBZ9IOLzU2bx ArVA2No9Ks+xaaeSHejYoii3+WT58HUccntmIYkcdBa0uKZSis1XLUwdT7Evr1Ew K54RyMMEPC0MUziYZhAA0Qqpz79EzLXAGgQeuFxLjPoW/NbAD0PEBmsdmI5odprp t9Tx11v/UuhK2fszYKjM+DF2pYxxrKlOyus58zx5KKJQjjrzazrru5Ny0DNf/E6Y uB2kUtt7TCmoZg2CLAbIkyGJEiK+Wy2x2mabGDgicIs422XVslz2EODSI3qqF+f6 gu+h/vYvjZxglYrL0SxTRV7wkUc+o9OVXMMYPazgPIkwnBeLrEhGL8GS4wDIYu4G E89m9UBE0fhVPJyw4QSfdeJZ4PgpJk6SG/7koVsJqr9EZOLp53K7ipnPylUKaRLD mcarvoDO6ybCuHUVUsLuzZZStSG8JEEe/8jb/Ex7UNBzJ14Nglqtu0aUZ/tzkrdS nPFFhdIwlUctM7sWKVfBugEkWjs3sR+XRVsCjxMrpZX0lXzcw9vhu60CAwEAAQ== -----END RSA PUBLIC KEY-----

This file must be on every system in the net (that has a ConnectTo it) — it’s how the edges know where to call. So the same file is copied to hawking:

hawking:/etc/tinc/private/hosts/einstein Address = 1.2.3.4 Subnet = 172.16.50.1/32 -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAqh/4Pmxy5fXZh/O7NkvebFK0OP+YD8Ph7JvK8RsUn75FY3DXjCCg VNRR+kRhnVoKVJcIAuvW7Tbs4fovWELOJbbUbKea8G+HANCgOY5F0rkJVtIAcTCL Jg1OelAfhF6yHV4vVgcawafWiMF2CtprveHomCnOwCbGuTDwTBqaUBZ9IOLzU2bx ArVA2No9Ks+xaaeSHejYoii3+WT58HUccntmIYkcdBa0uKZSis1XLUwdT7Evr1Ew K54RyMMEPC0MUziYZhAA0Qqpz79EzLXAGgQeuFxLjPoW/NbAD0PEBmsdmI5odprp t9Tx11v/UuhK2fszYKjM+DF2pYxxrKlOyus58zx5KKJQjjrzazrru5Ny0DNf/E6Y uB2kUtt7TCmoZg2CLAbIkyGJEiK+Wy2x2mabGDgicIs422XVslz2EODSI3qqF+f6 gu+h/vYvjZxglYrL0SxTRV7wkUc+o9OVXMMYPazgPIkwnBeLrEhGL8GS4wDIYu4G E89m9UBE0fhVPJyw4QSfdeJZ4PgpJk6SG/7koVsJqr9EZOLp53K7ipnPylUKaRLD mcarvoDO6ybCuHUVUsLuzZZStSG8JEEe/8jb/Ex7UNBzJ14Nglqtu0aUZ/tzkrdS nPFFhdIwlUctM7sWKVfBugEkWjs3sR+XRVsCjxMrpZX0lXzcw9vhu60CAwEAAQ== -----END RSA PUBLIC KEY-----

Ok, you get the idea with the public keys, but I wanted to emphasize the point it’s the same file. This is what you need to share around to establish the trust relationship and to tell E.T. where to phone home.

The Address entry in the hosts/einstein files spread around is what tells edge nodes which have been configured to ConnectTo to einstein where the real public IP address is. You can use DNS names here, and could play dynamic DNS games if you have to (sure, further decentralizing, but). If you have a few machines capable of being full time central supernodes then you’ll have much better resiliency.

You do not, however, need to share a hosts/ file for every other node on the net! If laptop penrose is already connected in to einstein and has been assigned 172.16.50.142 say, and hawking joins einstein and tries to ping .142, the central node einstein will facilitate a key exchange even though neither hawking nor penrose have each others’ keys, and then get out of the way. Awesome.

And finally, this all works over further distributed topologies. When new nodes join the new edges and their subnets are advertised around to the rest of the net. So if central nodes einstein and curie are already talking, and sakharov joins currie, then traffic from our hawking will reach sakharov via eintstein and currie, and in fairly short order they will have handled key exchange, step out of the way, and hawking will be communicating with sakharov direct peer to peer. Brilliant.

Nothing stopping you from share around (or centrally managing out-of-band) the hosts/ files with the Subnet declarations and the public keys, of course; it’ll save a few round trips during initial key exchange. Up to you how you manage the trust relationships and initial key distribution.

For completeness,

einstein:/etc/tinc/private/tinc-up #!/bin/sh ifconfig $INTERFACE 172.16.50.1 netmask 255.255.255.0

No surprises there.

Applications

Using tinc to cross arbitrary NAT boundaries has turned out to be supremely useful. I have successfully used this from within my office, over 3G UTMS mobile broadband, at internet cafes around Australia, in airport lounges in the States, and even from beach-side resorts in Thailand. In all cases I was able to join the private network topology. In fact, I now just leave tincd running as a system daemon on my laptop. When I need to talk to one of the file servers, I ping, and it’s there.

One surprising benefit was in getting voice-over-Jabber running again. We had some horrible regressions with audio quality during the Maverick release series of Ubuntu Linux. At one point in our diagnostics we found that the STUN algorithms for local and remote candidate IP detection were preferentially choosing localhost virtual bridges with lower route metrics than the default gateway resulting in routing loops. We brought up tinc and since both parties were on 172.16.50.x, Empathy and Jingle chose those as the “best” network choice. Packet loss problems vanished and the audio quality really improved (it didn’t finally get resolved until we got a Natty base system, tore out the Unity stuff, and got GNOME 3 and Empathy 3.0 on board via ppa:gnome3-team/gnome3 but that’s a separate issue). And as a side-effect we’ve got some ice on our voice channel. Excellent.

I’ve since read about a number of other interesting applications. A frequent use case is not needing encryption. While most people would interpret the “private” in virtual private network as meaning “secure”, in the old days it just meant a custom routing and network topology layered over whatever the underlying physical transport was. One crew running a large farm of servers on cloud provided infrastructure struggled to enable their various distributed nodes to find and talk to each other. So they disabled the encryption layer but used tinc as a means to facilitate do IP-over-IP tunnelling and giving their sys admins a stable set of (private) addresses with which to talk to the machines. They gave a talk at FOSDEM [their slides here] about it.

Also at FOSDEM was a talk by the “Fair VPN” effort, who are looking at improving efficiency of the network when the number of nodes scales into the thousands. Some nodes are “closer” than others so presumably they should be used preferentially; you don’t really need to discover information about every other node in the network on joining, and so on. The fact that they were able to use tinc as a research platform for this is fascinating and a nice kudo.

Next steps

So I’m pretty pleased with tinc, obviously. We’ve had a very positive experience, and I wanted to put a word in. If you’re involved in network engineering or security hardening, then I’m sure they’d welcome your interest.

It would be outstandingly cool if we could work out a NetworkManager plugin to set this up on demand, but that can wait for tinc version 1.1 or 2.0. I gather they’re working on making the key exchange and configuration easier; what I showed above is obviously well thought out and flexible, but there’s no denying it’s a bit cumbersome; there are a fair number of little knobs that need to be just right. A fire-and-forget daemon cross-product with some form of automatic addressing would be brilliant. But on the other hand, when you put network and security in the same sentence there’s a limit to how much you want to happen without any direct influence over the process. As it stands now tinc strikes a good balance there, and is entirely suitable for an environment managed by properly competent sysadmins.

AfC

Updates

1. Turns out I was wrong about needing the Interface statement. After Dan’s post I tried it without one and tincd worked fine. Then I remembered why I’d done it that way — without an Interface statement the network interface was named for the tinc net label, private in this case. Preferring tun0, I went back to manually forcing it for my own personal aesthetic benefit.

In February Borders went bankrupt [1], since then they have been in the slow process of closing down. Now Borders is trying to clear the last of their stock and offering 80% discounts off the marked price.

I bought a book by Stephen Baxter and one by Peter F. Hamilton and those appeared to be the last two books worth buying (IMHO) on the almost empty sci-fi shelves, the books were a little tattered but at 80% discount I’m not complaining.

It’s been almost four years since I last bought books, and I still haven’t read all the free sci-fi stories and watched all the free sci-fi movies from the net which interest me [2]. So I’m not planning to buy many more books unless I see something better than a 50% discount.

Paul Wayper writes about the difficulty of buying ebooks [3]. It’s ironic that some people have claimed that ebooks were part of the cause of Borders financial troubles given that they really aren’t working well, not even for the most dedicated buyers. In related news Kobo (the company that runs the Borders ebook store) has assured customers that they won’t lose the books that they own [4]. There are very few situations in which a company needs to assure customers that they won’t lose property that they have paid for and received due to a corporate bankruptcy.

As further evidence that Digital Restrictions Management (DRM) is a bad thing, Apple have shut down the iFlow Reader [5] so that they can monopolise ebook sales on the iPhone and iPad. This is a good reason to avoid restricted platforms (such as anything from Apple) and encrypted content.

It seems to me that Cory Doctorow’s scheme for giving copies of his books to libraries is a more effective way of donating in return for a free ebook [6] (which is rather similar to the “buy one get one” scheme that they used to run for OLPC). Hopefully Charles Stross will end up doing something similar to make Paul Wayper happy.

• [1] http://www.smartcompany.com.au/retail/20110217-borders-australia-and-angus-robertson-chains-collapse.html
• [2] http://etbe.coker.com.au/2007/09/23/dmca-and-sci-fi/
• [3] http://www.mabula.net/tbfw/blosxom.cgi/2011/05/23#2011-05-23-dear-charles-stross
• [4] http://www.readwriteweb.com/archives/kobo_reassures_its_e-book_customers_after_borders.php
• [5] https://www.iflowreader.com/Closing.aspx
• [6] http://craphound.com/walh/contribute/give-a-copy

Andrew Hall finishing a lap (fullsize)

If you have a look at the link to my 24 Hour Solo MTB Nationals photos page you can see the photos I took at the 24 Hour MTB Nationals CORC ran in April.