If you happen to know a browser developer...
Do you happen to know a developer of Firefox or Chrome or some other mainstream browser?
If so, can you please talk to them about our experiments with Client Certificate authentication in Debian?
Client Certificate authentication rocks; with just a couple of little tweaks in the interface, it would be pretty close to perfect.
Visiting sites without using a certificate
If I want to browse a site unauthenticated instead of using a certificate, at the moment I can hit "Cancel" on the certificate popup menu, and it works nicely. I feel quite confused when I do that, though, because it's not clear to me if I am canceling use of certificates, or canceling the visit to the site.
Can you please change the wording on the Cancel button to something more descriptive?
See/change current certificate selection
My top wish is, once I choose to use (or not use) a certificate for a site, to be able to see which certificate I'm using and possibly change it.
At the moment I did not find a way to see what certificate I'm using, and the browser will remember the choice until it gets closed and reopened.
At the moment I can use a Private or Incognito window to switch identities or to stop authenticated access and continue anonymously, and that helps me immensely.
I think however that the ultimate solution could be to have the https padlock popup show an indication of what certificate is currently being used, and offer a way to re-trigger certificate selection. That would be so cool.
Also, once the certificate choice can be seen and changed at any time, it could just get remembered so that sites can be visited again without any prompts, even after the browser has been closed and reopened. That would be, to me, the ultimate convenience.
Thank you very much for all the work you have already put into this: I have been told that a few years ago using client certificates was unthinkable, and now it seems to be down to just a couple of papercuts. And SPKAC/keygen seriously rocks!
I have been constantly impressed by how well this all works right now.
My semi serious stand up comedy notes
“Someone has said that it requires less mental effort to condemn than to think.”
(Emma Goldman, on several things including mailing list flamewars)
Look for "dogging etiquette" for more examples of codes of conduct. Just don't take your computer for repair immediately afterwards™.
Every daring attempt to make a great change in existing conditions, every lofty vision of new possibilities for the human race, has been labeled Utopian.
(Emma Goldman, on the Debian Social Contract)
I am going to talk about many topics that we all know have so much in common:
- and Free Software
They are all, after all:
- Doing Things
A person is no less a slave because they are allowed to choose a new master once in a term of years.
(Lysander Spooner about proprietary cloud service providers)
If you thought you've seen it all with recursive acronyms, here's a chain acronym: Bondage Discipline, Dominance Submission, Sado Masochism.
Why I think BDSM is interesting: not (just) because of whips, but for having a lot of awareness about power relationships. Why should one accept from a coworker a level of abuse that would be considered a hard limit when negotiating with a trusted dom?
The BDSM Free Software definition: "I refuse to be bound by software I cannot negotiate with".
YKINMKBYKIOK (Your Kink Is Not My Kink But Your Kink Is Okay) is a nice example of dealing with diversity, and it also definitely solves the emacs vs vi debate.
Comfort zones, safewords, traffic light flow control, safety.
"No means no", and if someone insists after a "no", it becomes harassment.
"No means no" is a precondition for being able to say "yes": http://pervocracy.blogspot.de/2011/03/no-and-no-and-no-and-yes.html
Aftercare! Aftercare! Release parties! High fives! Solidarity after flamewars or votes!
If love does not know how to give and take without restrictions, it is not love, but a transaction that never fails to lay stress on a plus and a minus.
(Emma Goldman, on volunteer projects)
Polyamory is the practice, desire, or acceptance of intimate relationships that are not exclusive with respect to other sexual or intimate relationships, with knowledge and consent of everyone involved.
Compersion, n: the feeling you get when someone else also takes good care of one of your packages.
We currently allow only one value in the Maintainer field:
- takeover is traumatic, because values can only be replaced
- if values could be added instead, and removed when they don't make sense anymore...
What is your definition of love? My current one is: my world is better with you in it.
Relationship anarchy is the practice of forming relationships which are not bound by rules aside from what the people involved mutually agree on. How do you call a relationship that is bound by rules that the people involved do not agree on?
From discussions after the talk
New Relationship Energy, the excitement when you start to maintain a new package, and the risk of being carried away by the excitement and neglecting all the other ones.
Anarchism, to me, means not only the denial of authority, not only a new economy, but a revision of the principles of morality. It means the development of the individual as well as the assertion of the individual. It means self-responsibility, and not leader worship.
(Voltairine de Cleyre about trusting lintian warnings)
You need to know what you are doing, and what situation you're putting yourself into.
You need to know that the person asking a question really is able to accept any answer, and take it seriously.
You need to feel that you have alternatives.
Be selfish when you ask, honest when you reply, and when others reply, take them seriously. If any of this doesn't stand, I find it hard to trust that we are in a consensual situation.
When is one supposed to learn about consent?
- I see little consensuality in standard education.
- I see little consensuality at work.
Anarchism has but one infallible, unchangeable motto, ‘Freedom.’ Freedom to discover any truth, freedom to develop, to live naturally and fully.
(Lucy Parsons about the DFSG)
Relationship advice and work advice have a lot in common:
- Sick systems: How to keep someone with you forever
- What technical recruiters can learn from online dating
Relationship advice from 99 ways to ruin an open source project
Online participation advice from How to Screw Up Your Relationship (and make everyone miserable while you’re at it)
Packaging advice from BDSM Basics: 20 Unsolicited Tips for New Dominants
Advice about joining a new community from Advice to a newbie submissive about dominants
♥ ♥ ♥
Dear Debian, and dear everyone contributing to it: my world is better with you in it.
I love you all :* <3
Expectations and needs
All people ever say is: "thank you" (a celebration of life) and "please" (an opportunity to make life more wonderful). (Marshall Rosenberg)
Sometimes, when I see the word "expectation" I try to read it as "need" and see how things change.
I noticed that this tends to reframe situations in a way that makes me feel more comfortable.
I noticed that I tend to instinctively perceive "expectations" as "do this or there will be consequences", and I tend to instinctively perceive "needs" as "do this if you want to see me happy".
I noticed that my motivation to care for someone's expectations tends to be something close to fear, and my motivation to care for someone's needs tends to be something close to love.
This might give me a bit more hints on The art of asking: I will not expect you to do something for me, I'll just allow myself to be loved, liked or helped by you, and I'll try to be open about what I need.
I smile realising that since a long time, on the professional side of my life, I learnt to lead interaction with my customers along the same lines: "let's talk about what you need, not about what you expect of me".
Be selfish when you ask, honest when you reply, and when others reply, take them seriously.
(me, late at night)
Billing an Italian public administration
Here's a simple guide for how I managed to bill one of my customers as is now mandated by law in Italy.
Create a new virtualbox machine
I would never do any of this to any system I would ever want to use for anything else, so it's virtual machine time.
- I started virtualbox, created a new machine for Ubuntu 32bit, 8Gb disk, 4Gb RAM, and placed the .vdi image in an encrypted partition. The web services of Infocert's fattura-pa require "Java (JRE) a 32bit di versione 1.6 o superiore".
- I installed Ubuntu 12.04 on it: that is what dike declares to support.
- I booted the VM, installed virtualbox-guest-utils, and made sure I also had virtualbox-guest-x11.
- I restarted the VM so that I could resize the virtualbox window and have Ubuntu resize itself as well. Now I could actually read popup error messages in full.
- I changed the desktop background to something that gave me the idea that this is an untrusted machine where I need to be very careful of what I type. I went for bright red.
Install smart card software into it
apt-get install pcscd pcsc-tools opensc
- In virtualbox, I went to Devices/USB devices and enabled the smart card reader in the virtual machine.
- I ran pcsc_scan to see if it could see my smart card.
- I ran Firefox, went to preferences, advanced, security devices, load. Module name is "CRS PKCS#11", module path is
- I went to https://fattura-pa.infocamere.it/fpmi/service and I was able to log in. To log in, I had to type the PIN 4 times into popups that offered little explanations about what was going on, enjoying cold shivers because the smart card would lock itself at the 3rd failed attempt.
- Congratulations to myself! I thought that all was set, but unfortunately, at this stage, I was not able to do anything else except log into the website.
Descent into darkness
Set up things for fattura-pa
- I got the PDF with the setup instructions from here. Get it too, for a reference, a laugh, and in case you do not believe the instructions below.
- I went to https://www.firma.infocert.it/installazione/certificato.php, and saved the two certificates.
- Firefox, preferences, advanced, show certificates, I imported both CA certificates, trusted for everything, all my base are belong to them.
apt-get install icedtea-plugin
- I went to https://fattura-pa.infocamere.it/fpmi/service and tried to sign. I could not: I got an error about invalid UTF8 for something or other in Firefox's standard error. Firefox froze and had to be killed.
Set up things for signing locally with dike
- I removed icedtea so that I could use the site without firefox crashing.
- I installed DiKe For Ubuntu 12.04 32bit
- I ran dikeutil to see if it could talk to my smart card
- When signing with the website, I chose the manual signing options and downloaded the zip file with the xml to be signed.
- I got a zip file, unzipped it.
- I loaded the xml into dike.
- I signed it with dike.
- I got this error message: "nessun certificato di firma presente sul dispositivo di firma" and then this error message: "Impossibile recuperare il certificato dal dispositivo di firma". No luck.
Set up things for signing locally with ArubaSign
- I went to https://www.pec.it/Download.aspx
- I downloaded ArubaSign for Linux 32 bit.
- Oh! People say that it only works with Oracle's version of Java.
sudo add-apt-repository ppa:webupd8team/java
apt-get install oracle-java7-installer
- During the installation process I had to agree to also sell my soul to Oracle.
tar axf ArubaSign*.tar*
java -jar ArubaSign.jar
- I let it download its own updates. Another time I did not. It does not seem to matter: I get asked that question every time I start it anyway.
- I enjoyed the fancy brushed metal theme, and had an interesting time navigating an interface where every label on every icon or input field was truncated.
- I downloaded https://www.pec.it/documenti/Manuale_ArubaSign2_firma%20Remota_V03_02_07_2012.pdf to get screenshots of that interface with all the labels intact
- I signed the xml that I got from the website. I got told that I needed to really view carefully what I was signing, because the signature would be legally binding
- I enjoyed carefully reading a legally binding, raw XML file.
- I told it to go ahead, and there was now a .p7m file ready for me. I rejoiced, as now I might, just might actually get paid for my work.
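Before uploading, the .p7m can be checked from the shell to confirm that the payload it carries is byte-for-byte the XML that was reviewed, and to see which certificate signed it. This is an added example, not part of the original post; it assumes the openssl command is installed, and the invoice text, file names and throwaway self-signed key are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. File names, the invoice text and
# the throwaway signing key are all constructed for the demonstration.

# Write the payload embedded in a DER-encoded .p7m to a file.
# -noverify skips only certificate-chain validation (the demo signer is
# self-signed); the signature over the content is still checked.
p7m_extract() {   # usage: p7m_extract envelope.p7m output-file
    openssl smime -verify -binary -noverify -inform DER \
        -in "$1" -out "$2" 2>/dev/null
}

# Succeed only if the signed payload is byte-identical to the reviewed file.
p7m_matches() {   # usage: p7m_matches envelope.p7m reviewed-file
    _tmp=$(mktemp) || return 2
    if p7m_extract "$1" "$_tmp" && cmp -s "$_tmp" "$2"; then _rc=0; else _rc=1; fi
    rm -f "$_tmp"
    return "$_rc"
}

# Print subject and issuer of every certificate carried in the envelope.
p7m_signers() {   # usage: p7m_signers envelope.p7m
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# Build a constructed invoice and sign it with a throwaway self-signed key,
# standing in for the smart card and the signing tool.
make_demo() {     # usage: make_demo directory
    printf '<invoice><total>100.00</total></invoice>\n' > "$1/invoice.xml"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -in "$1/invoice.xml" -out "$1/invoice.xml.p7m"
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" &&
    p7m_matches "$demo_dir/invoice.xml.p7m" "$demo_dir/invoice.xml" &&
    echo "envelope contains exactly the reviewed invoice"
p7m_signers "$demo_dir/invoice.xml.p7m"
rm -rf "$demo_dir"
```

For a real envelope, drop -noverify and pass the issuing CA with -CAfile so that the certificate chain is validated as well.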
Try fattura-pa again
Maybe fattura-pa would work with Oracle's Java plugin?
- I went to https://fattura-pa.infocamere.it/fpmi/service
- I got asked to verify java at www.java.com. I did it.
- I told Firefox to enable java.
- Suddenly, and while I was still in java.com's tab, I got prompted about allowing Infocert's applet to run: I allowed it to run.
- I also got prompted several times, still while the current tab was not even Infocert's tab, about running components that could compromise the security of my system. I allowed and unblocked all of them.
- I entered my PIN.
- Congratulations! Now I have two ways of generating legally binding signatures with government issued smart cards!
I shut down that virtual machine and I'm making sure I never run anything important on it. Except, of course, generating legally binding signatures as required by the Italian government.
debtags rewritten in python3
In my long quest towards closing #540218, I have uploaded a new libept to experimental. Then I tried to build debtags on a sid+experimental chroot and the result runs but has libc's free() print existential warnings about whatevers.
At a quick glance, there are now things around like a new libapt, gcc 5 with ABI changes, and who knows what else. I figured how much time it'd take me to debug something like that, and I've used that time to rewrite debtags in python3. It took 8 hours, 5 of pleasant programming and the usual tax of another 3 of utter frustration packaging the results. I guess I gained over the risk of spending an unspecified amount of hours of just pure frustration.
So from now on debtags is going to be a pure python3 package, with dependencies on only python3-apt and python3-debian. 700 lines of python instead of several C++ files built on 4 layers of libraries. Hopefully, this is the last of the big headaches I get from hacking on this package. Also, one less package using libept.
Internet references saved for May 2015
Instead of keeping substantial tabs open until I have read all of them, or losing them in the jungle of browser bookmarks, I have written a script that collects them into a file per month, and turns them into markdown files for my blog. This way I sort of know where to find them, and if I do not, some internet search might. And if I wish, I can even choose to share it.
Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.
git-buildpackage-based packaging practices from dkg
Why are there so many more undocumented systems than documented ones out there, and how can we cause more well-documented systems to exist? The answer isn’t “people are lazy”, and the solution is simple – though not easy.
Free German courses
This book is about helping us to focus on good people creating good things, to preserve that spirit of sharing, and to protect against those whose primary contribution is obstruction and disrespect
Collection of vim tips that people actually use
This page describes how to use SSL with a certificate fingerprint to automatically identify your registered nickname with NickServ on connect. You must have an IRC client that supports SSL with a client certificate.
I manage a few servers for myself, friends and family as well as for the Libravatar project. Here is how I customize recent releases of Debian on those servers.
SIP service, also providing test call services for SIP clients
Developers can get better at their craft by learning from the great writers who mastered theirs. Writing software isn’t the same as writing a novel, but there are parallels. Besides, advice from writers is better because writers have been struggling with their craft for many centuries, not just a few decades. It’s better-written as well. This talk shares great writers’ best advice for coders: Stephen King on refactoring, Anne Rice on development hardware, Hemingway on modelling with personas, and Neil Gaiman on everything.