I do not like it when people tell Web 2.0 sites to send me invitation e-mail. I won’t enumerate the reasons here. But there is one reason for why I don’t like you passing on my address to those sites, which is subject of this article:

Unlike popular belief, the Web 2.0 is not a money-printing machine. It’s a long road until you can actually generate real money with user content. Therefore, some shadey sites are probably selling contact details to advertisers to make ends meet while hoping for the big cashflow.

I don’t have any data to back this up, and I want to change that:

Please tell all your Web 2.0 sites to send me an invitation! Please use an address in the signmeup.madduck.net domain for that, and make sure to include the domain name of the service to which you sign me up before the @ symbol. Also append a hyphen/dash and a random, short string. More on that in just a sec.

For instance, if you are one of those people that believes that letting people know where you are (and have been) at any point in time, tell Foursquare to send an invitation to:

foursquare.com-ponies@signmeup.madduck.net

The reason for the random, short string (“ponies”) is simply so that I can later cross-check that a message receiving spam actually went through a social networking site — I intend to catalog the invitation messages.

Thank you for your time. Keep in mind: the more, the merrier. I’ll make sure to report back on the outcome of this little experiment right here, so watch this space.

NP: Billy Joel: Cold Spring Harbor

I had previously sought alternative, innovative search engines, but none of the proposed options made me particularly happy. About a year ago, I came across DuckDuckGo, and today, I’ve been using DDG as my primary search provider for exactly 10 months.

The reasons why I switched included

• my dislike of the Google information monopoly and the potential that a single, corporate entity with financial interests, gets to censor the information I see. I am sceptical of their “Do-no-evil” promise because there’s nothing binding about it, and if it gets in the way of money-making, I am sure it’ll be discarded at a whim — if it even still exists.

• the awareness that my usage augments their database (although I am probably too far away from mainstream to provide useful data), which translates into more funds available to them to further strengthen their market position.

• my belief that the days of index-based searches are over, given how 95% (or more) of user-generated content is bogus. Google undoubtedly optimises the results with obscure, secret algorithms, but that’s just not enough for me.

• Of course the name — DuckDuckGo — was perhaps the strongest reason to switch. :)

I am aware that DuckDuckGo is index-based itself, using the Yahoo API, which, in turns means that DuckDuckGo may already be using Bing data. Sounds a bit like out of the frying pan into the fire, unfortunately.

I am still investigating better search solutions, sticking with DuckDuckGo meanwhile.

Unfortunately, DuckDuckGo doesn’t quite cut the mustard at all times, forcing me to go to Google instead. For this reason I am glad to find that the CustomizeGoogle Firefox extension has not been discontinued, but simply renamed to OptimizeGoogle.

This extension allows me to anonymise my identity towards Google, remove click tracking (which Google doesn’t want you to know about and hence hide with JavaScript), hide ads, and customise a slew of other aspects of the giant’s search engine. It alleviates some of the aforementioned concerns, but not all.

Maybe it’s time to rethink the way I use the web and lower my search needs.

If you are using Firefox, try it out! If you’re still using Internet Exploder, you should not, and instead upgrade to Firefox. Users of other browsers might find similar functionality for their application, or might want to switch as well.

NP: Tunng: Comments from the Inner Chorus

I got involved with open-source software before I learnt about software development in a university course. Naturally, when my profs tried to teach the waterfall model to me, I couldn’t take them too seriously back then. After all, requirements specification → design → implementation → verification → maintenance is not really in line with the principle to release early, release often. Furthermore, since water cannot flow uphill, the waterfall model fails to represent development cycles, as they naturally appear, even in behemoth, ancient software nightmares.

And yet, when embarking on a new project, I do tend to find myself first thinking about the big picture, instead of churning out the code. I am certainly not the best coder out there, and it might well be that I could benefit from learning to break down problems to get an earlier start on the implementation of components.

However, I maintain that avoiding the waterfalls and engaging directly in extreme programming, agile software development, or pair-based approaches right away is not the answer.

Rather, the best approach should probably involve a certain level of conceptualisation before code is produced. I am a big fan of test-driven development, and I like the scrum method for the very reason that it involves talking and challenging ideas (although I wouldn’t follow the method down to the book).

I like to think about trickles in the mountains where water droplets joyfully jump around.

* * *

When Glyn Moody spoke in his LCA2010 keynote about challenges we (as in society) face, and how open-source seems to have many answers, he dropped the following gem, which spoke right to my heart:

Twitter is the “release early, release often” principle applied to thinking.

By this simile, journal articles are produced according to the waterfall model. This may well be why they are usually outdated at the time of publication. Microblogging (like Twitter), on the other hand, is primarily used to publish stuff before it’s ready, and which would never be published otherwise.

With journals on one end, and microblogging on the other, I think the epiphany is found in between — as with software development: web logs — web applications that allow for easy publishing by anyone (which is a different problem not to be discussed here).

Since articles on those platforms usually have at least a title and a body, they require just a little bit more thought than 140 characters of contracted brain farts, spilled into the world faster than it takes one to stand up, stretch, and sit down again.

* * *

Microblogging seems to be in line with where we’re heading: more information, more self-promotion, more access to more people, and all that with lower barriers of entry. It’s hard to argue against a trend, but I think we’ve taken a wrong turn somewhere.

The one specific instance of content is no longer relevant, and there is no more time in the day to read elaborate treatments of subject matters. Instead, what seems to prevail is a constant flow. This flow threatens to replace actual thinking and discourse, both of which require reflection and time — a scarce resource used up by ever new, fast-flowing media.

It seems to me that those who immersed in this flow are unable to get out, as if sucked in by a maelstrom. I’ve seen people enter serious withdrawal within hours of not knowing what’s going on in the world. One could miss out on something.

If you’re “following” people on one of those microblogging platforms, I challenge you to spend the weekend offline and when the urge hits, ask yourself what you are actually missing. I mean what you are really missing, and by that I mean anything other than the cozy buzz and hum of entertainment washed upon you, preventing you from having to think about what you could be (actively) doing instead.

I hope it’s not a lot. For else, I fear that this means that future generations will be stuck with this communication culture, just like water droplets can’t ever play in the mountain trickle again.

NP: Sola Rosa: Get It Together

Tollef forced me to take over libpam-passwdqc after I had reported bug #517967.

passwdqc is a toolset that can be used to enforce password strength policies at exactly the right place: there’s a PAM module, and with the next version, you can also use a library and command-line tools — read on below. The toolset gives administrators flexibility in defining the minimum password length based on the number of character classes a user tries to use. It also includes libpam-cracklib functionality and prevents the use of trivial passwords.

I appreciate this functionality, so I had little choice but to make the best out of it:

• I uploaded libpam-passwdqc 1.0.5-1 to unstable, fixing a few bugs on the way, and bringing the packaging up to speed.

• I wrote a message to upstream introducing myself and was happy when I got an almost immediate response from two developers, suggesting that development was thriving. Yay!

• Having been pointed to the upstream CVS-Git clone, I based the packaging off the repository, rather than the tarballs. This required me to juggle directories a bit, as well as to repack the tarballs. Oh well.

• Next, I fixed the bug I reported, and now libpam-passwdqc can be installed and configured in a jiffy, thanks to Steve Langasek’s impressive work on pam-auth-update. Someone also reported this feature request as LP#314775, but I don’t use Launchpad, so someone else will have to triage it there.

• Finally, I imported the latest upstream work into the repository, which had me change the source package name. The benefit of version 1.1.4 — in addition to improvements and bugs fixed — is that the functionality is now also available through client programs in the passwdqc package, as well as in an independent C library. Due to the new packages, the upload is currently waiting in the Debian NEW queue, so hold your horses for a few days.

Debhelper 7 is really nice. Thanks, Joey.

Linux.conf.au 2010 has come to an end and I am looking back at an intense week of conferencing. A big shout out to the organisers for their excellent work. I think LCA (as well as DebConf) just keeps getting better every year. This does not at all discredit previous organisers, because they were the best at their times and then passed on the wisdom and experience to help make it even better in the following year.

The week started off with the DistroSummit, which Fabio and I organised. Slides are forthcoming, as I failed to get them off the speakers right after their talks — it’s interesting how stress levels and adrenaline can cause one to forget the most obvious things. This is where experience comes in. I’ll be there again next year, I hope, to do things better.

The theme of the day was cross-distro collaboration, and we started the day a little bit on the Debian-side with Lucas Nussbaum telling us about quality assurance in Debian, alongside an overview of available resources. We hoped to give people from other distros pointers, and solicit feedback that would enable us to tie quality assurance closer together.

Next up was Bdale Garbee who talked about the status of the Linux Standard Base. While I am really interested in such standardisation efforts, I realised during his talks that I had considerable difficulties paying attention because as organiser of the conference, I had all sorts of other things occupying my thoughts.

I proceeded to tell the audience — the room was mostly filled throughout the day with an estimated 40–50 folks, and I’d say about half of them stayed throughout, while the other half came in and left the room between talks. I could not get the projector to work with my laptop after the upgrade to Kernel Mode Setting, and thus used the whiteboard to give a brief introduction to vcs-pkg.org, talk about the current state of affairs, summarise the trends in discussions around patch management and collaboration, give an outlook of what’s up next, and solicit some discussion.

Sadly, just like during Bdale’s talk, I found myself worrying over the organisation of the day, rather than actually taking in most of the discussion. Fortunately, others have written about the most important points, so I defer to them.

Michael Homer then told us about GoboLinux’s Aliens system, which is a way to integrate domain-specific packages with distro-specific package maintenance — e.g. how to get APT to handle CPAN directly, or how to let YUM manage Python packages. The ensuing discussion was interesting, and we carried it over to the next slot, because Scott, the next speaker, was stuck in traffic. To summarise briefly: scripting languages have a lot of NIH-style solutions because it works for them, but these are a nightmare to distro packagers. One symptom of the status quo is that complex software packages like Zimbra are forced to distribute all required components in their installation packages, which make distro packaging, quality assurance, and security support even harder. I don’t think we found a solution, other than the need for further standardisation (like the LSB), but the road seems to be a long and windy one.

Laszlo Peter introduced the audience to SourceJuicer, a new build system used by OpenSolaris. The idea is that contributors submit packages via a web interface, kicking off a workflow incorporating discussion and vetting, and only after changes have been signed-off are packages forwarded to auto-builders and eventually end up in the package repository. This is very similar to upload ideas I’ve had a while ago, which I’ve started to (finally) implement. Unfortunately, SourceJuicer seems very specific to OpenSolaris, as well as non-modular, so that I probably won’t be able to reuse e.g. the web interface on top of a Debian-specific package builder.

After the break, Dustin Kirkland stepped up to tell us about his user experience of Launchpad. Unfortunately, I found his talk a bit too enthusiastic. Launchpad undoubtedly has some very cool features and ideas, but it’s just one of the available solutions.

The dicussion of Launchpad also dominated the next talk, in which Lucas Nussbaum told us about the Debian-Ubuntu relationship. While his presentation showed that the relationship was improving (Matt Zimmerman made the point that there are rather many relationships, rather than one relationship), I was a bit disturbed by the comments of Launchpad developers in the room, ranging from “Debian is declining anyway” to “Just use Launchpad if you want to collaborate with others and not go down”. There was a slight aura of arrogance in their comments which tainted my experience of the otherwise constructive discussions of the day.

Overall I had a great time. Debian and Ubuntu made up the vast majority of attendants, with only a handful of representatives from other distros present. I wonder why that would be. One reason might be that around 70% of LCA attendants declared themselves Debian or Ubuntu users, and so there weren’t many other distros around. Another might be that I still haven’t spread the word enough. Let’s hope to do better next year!

Thanks to all the speakers. We may have organised the day, but you made it happen and interesting!

Slides and recordings of the talks will be linked from the archived website when they become available (yes, the archive page does not exist yet either).

Update: Jelmer informed me that the people who spoke up against Debian during and after the Launchpad talk were not officially affiliated with Launchpad. It’s a shame that this negatively reflected upon Launchpad for some of the attendees (not just myself).

Coming to New Zealand for an extended period of time, I figured it would make sense to purchase a prepay mobile plan to make it easier to mix with locals. Not knowing better, I went with Vodafone, which I whole-heartedly regret: their website is a massive pain in the ass, their price plans completely over the top, and their customer service representative incompetent and unfriendly.

My latest experience eclipsed all previous encounters, and makes me want to tell you about it:

Between all the obscure add-ons Vodafone threw at me when I bought this SIM card, two weeks ago I couldn’t figure out how my balance had decreased from $30 to $0 when I rarely ever made calls.

I wrote an e-mail to their customer service hotline, and it took them a week to get back to me, with the following text:

Due to being a Prepay Customer, unfortunately usage details are not available as per terms and conditions. I have although checked your usage and can confirm that all charges are correct.

Obviously, I wasn’t going to accept this claim of omniscience, so when last weekend, $20 disappeared over the course of a day, that was the catalyst for me to reopen the ticket and reply along the lines of:

Only I know when I used my phone and thus only I can determine whether the charges are correct. Please show the full records to me, or else …

This seemed to convince the representative, and 8 messages and 11 days after my initial request, I was told I could request the records at $5/30 records. Yes, you read that right: they wanted to charge me to view the records. I thus replied:

I am NOT willing to pay for that. If you are unable to comply with my desire for transparency, then I shall terminate the contract and make sure to inform the media as well as the consumer institute of this conduct. As stated previously, I shall also consult with a lawyer. Charging consumers to view data that is obviously available is a strong indication that you do not want me to see it. I can’t imaging why this would be the case other than the data being inconsistent with reality.

That worked, and I finally got an Excel sheet with my usage data, which allowed me to track down the depletion of my account: to lure customers in, they promise free calls to other Vodafone numbers for the first four weekends. There are three problems with that though:

1. Having purchased my card on Saturday afternoon, I was annoyed to find out that the remaining 34 hours of that weekend would be counted as a whole weekend.

2. They don’t provide a way by which to find out whether a given number actually belongs to Vodafone or not. The 021 prefix is not enough of an indication.

3. They don’t actually tell you anywhere but the aforementioned horrific website that the addon has expired.

So thanks, Vodafone. You’ve lost a customer, who should have gone with 2degrees in the first place, who have much lower rates, even though their data coverage doesn’t seem as good. I don’t need data anyway.

I’ll still insist on Vodafone providing the data in a Free format.

You can find more information about NZ mobile phone providers on the LCA2010 wiki page.

NP: Age Pryor: Shank’s Pony

After several months of not-too-intensive searching for a KVM-hoster with native IPv6 connectivity, Steve hooked me up with a VPS at Bytemark, and I am very pleased. In addition to a properly virtualised KVM instance, I got access to a console server, which allows me to reset the machine, switch kernels, and log in “locally”. It’s exactly what I wanted, but it was hard to find, as everyone else seems to offer only Xen or Vservers, both of which are nearing end-of-life.

Thanks Steve, and Bytemark.

NP: Porcupine Tree: Up the Downstair

It took us a bit longer than planned, but we are happy to announce the schedule for the Distro Summit at the upcoming LCA2010 conference. We focused on cross-distro aspects, and we hope that you are as excited as we are about the result.

The schedule is displayed on the Distro Summit homepage and I best refrain from duplicating it here.

Dear lazyweb: I am in a dreadful situation! I need to secure e-mail communication between five types of users:

• Outlook 2003 users who receive their mail by POP3 from Exchange,

• Thunderbird users downloading mail with POP3,

• Apple Mail users downloading mail with POP3,

• Webmail users (Squirrelmail and Roundcube),

• and a bunch of Unix folks using proper clients.

To make matters worse: there is no common provider or server infrastructure, so the solution must work across providers and mailboxes.

Requirements

• Human error should be anticipated and prevented.

• Mail between all parties must be encrypted (and signed) automatically. If encryption is not possible, the mail must not be sent. This includes the situation where not all mail recipients’ keys are known;

• Ideally, one can define rules (using wildcards or regular expressions) to enforce certain policies.

• Mail to other parties may be signed, and it would be good to be able to turn this on and off by default;

• The MIME standard should be employed so that the mail body is not altered, and attachments can be seamlessly encrypted too. Existing MIME parts should be encapsulated as children of a new multipart tree;

• Incoming mail should be automatically and seamlessly decrypted/verified, and the user must be alerted if the verification fails.

Ideally, the solution will be open-source. However, if proprietary software performs better, then we will gladly use that where required.

Previous attempts

So far, we’ve tried (and were let down by)

• GpgOL, which has very irky and brittle integration with Outlook and can only do inline signing/encryption.

• S/MIME, which seems supported by all involved clients, but Outlook does not really allow you to specify policies. Encryption seems to be opportunistic at best, which is not enough.

• GPGrelay, which is promising because transparent, but apparently messes with MIME, and I am unsure whether it can fit between Outlook and Exchange. I have yet to run real tests though. If you are a GPGrelay user, or you’d like to try it (it’s Windows-only), please get in touch.

• WinGEAM, but that apparently no longer exists, and neither is the underlying GEAM.

Help!

Does anyone have proper suggestions over what to use?

In fact, if you are interested in devising a solution, or even deploying it, there’s money to pay you for those services. Write in if you are interested.

I accompanied Penny to Prague, from where she embarked into the mountains today for a week-long Moodle developer meeting. We froliced in the city a bit, tried to avoid the hordes of anonymous tourists that flooded the city, steered clear of the Christmas kitsch that was all over, sampled Czech food wherever we could, and enjoyed the local beer.

On Friday, Petr Baudis took us out to The Pub, an ingenious concept by the Czech brewery Pilsner Urquell: every table has taps from where one can draw beers without waiting or having to get up, guests accumulate a tab measured in litres, and a huge screen shows which “The Pub” instance has the best beer throughput. Add to that an automated ordering system for salty snacks, and the brewery ensures a ready beer flow with need for no more than two staff members.

Penny and I had already decided that Pilsner Urquell was our favourite Czech beer, mostly due to its bitterness. We also sampled the local Staropramen, and the well-known Budvar, and found our preference reinstated.

At street prices of 50 CZK per half-litre of Pilsner, it was thus a punch in the face when the bartender at the airport bar asked for 145 CZK for the carelessly tapped beer, offering crap music and uncomfortable seating for the price.

I refused the beer, because I prefered to keep only the good memories of the brew.

NP: OSI: Blood