home of the madduck/ blog/ feeds/
madduck's Planet LCA2008 posts

The following blog posts appear on Planet LCA2008. Please visit my main blog page for all my posts.

Bravo Greenpeace Switzerland! At Nestlé's annual shareholder meeting 2010 last week, you descended from the ceiling in the middle of the presentations with flyers and a banner asking for the company to take responsibility for their reckless actions in Indonesia.

Thousands of square kilometres of forest are cleared every day so that companies like Nestlé can make vast sums of money off consumers.

[[!img Error: Image::Magick is not installed]]

Meanwhile, Orangutans outside the venue were protesting Nestlé and asking for a break (copying Nestlé's own slogan "Have a Break! Have a …"). The Orang Utans are pushed towards extinction by capitalist interest.

One of my closest friends was part of the act, and he recounts breaking into the ventilation system before sawing through the ceiling, and descending on a rope. The police detained them for more than 24 hours, but the message has been sent.

Bravo!

Read more (and watch videos of the spectacular descent) on the Greenpeace webpage, the Greenpeace press announcement and their blog (all in German), or on 24heures (in French). Planetsave has a decent coverage in English.

NP: Emerson, Lake & Palmer: Brain Salad Surgery

Posted Mon 19 Apr 2010 14:04:59 CEST Tags:

Via internotes.ch:

[[!img Error: Image::Magick is not installed]]

NP: Emerson, Lake & Palmer: Tarkus

Posted Sat 17 Apr 2010 13:14:58 CEST Tags:

My relationship with Puppet is one of love and hate. I am forced to use it simply because there is no better tool around, but I hate it in so many ways that I don't even want to start to enumerate (hint: most have to do with Ruby, actually).

Today I decided to put an end to one thing that has been driving me insane: the fact that puppetd (the client) and puppetmasterd (the server) use the same working directory, /var/lib/puppet. Since I consider and would like to treatthe machine on which puppetmasterd is running just another puppet client, I was running into funky issues related to SSL certificate confusion, obscure errors, and SSL revocation horrors.

The following hence assumes that you have installed or are planning to install puppetd on the machine running your puppetmaster, and that you have two fully-qualified domain names for the machine. For instance, I run puppetmaster on vera.madduck.net, and puppetmaster.madduck.net is an alias for the same machine. I'll use these names in the following as examples.

The following may be Debian-specific, as I am solely using the puppet and puppetmaster packages for my experimentation and verification. Your mileage may vary, but the concept shall be the same.

  1. Stop everything:

    /etc/init.d/puppetmaster stop
    /etc/init.d/puppet stop
    
    

    (also verify that you have not instructed cron to restart these services)

  2. Rename the working directory:

    mv /var/lib/puppet /var/lib/puppetmaster
    
    

    and amend /etc/puppet/puppet.conf accordingly:

    [main]
    # …
    vardir=/var/lib/puppetmaster
    ssldir=$vardir/ssl
    # …
    
    
    [puppetmasterd]
    certname=puppetmaster.madduck.net
    # …
    
    

    I am doing this in [main], planning to override it for puppetd later, because puppetd is the only program which makes sense to be separated from the rest. Since only the puppetmaster needs a special certificate name, that is set specifically in the [puppetmasterd] section.

    If you use apache2 or nginx in front of your puppetmasters, make sure to amend the SSL file locations in the virtual host definition and restart (!) the service.

    You can verify that the configuration has been amended by making sure that there is no output from the following command:

    # puppetmasterd --genconfig | grep -q '/var/lib/puppet/' && echo SOMETHING IS WRONG
    
    
  3. Now restart puppetmaster:

    /etc/init.d/puppetmaster start
    
    

    and verify that it starts.

    If your puppetmaster previously ran under a different name, it will create itself a new certificate and sign it.

    Since the client will get its own working directory (and thus a new SSL certificate), you want to remove all records of the old certificate:

    # puppetca --list --all
    + puppetmaster.madduck.net
    + vera.madduck.net
    # puppetca --clean vera.madduck.net
    
    
  4. Change the configuration file to tell puppetd about its working directory:

    [puppetd]
    server=puppetmaster.madduck.net
    vardir=/var/lib/puppet
    ssldir=$vardir/ssl
    # …
    
    

    This you can verify with the following command, which should not print anything:

    # puppetd --genconfig | grep -q '/var/lib/puppet[^/]' && echo SOMETHING IS WRONG
    
    
  5. Now install puppet, or (re)start it if it's already installed:

    # /etc/init.d/puppet stop
    # puppetd --no-daemonize --onetime --verbose --waitforcert 30 &
    info: Creating a new SSL key for vera.madduck.net
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for vera.madduck.net
    
    
    # puppetca --list
    vera.madduck.net
    # puppetca --sign vera.madduck.net
    notice: Signed certificate request for vera.madduck.net
    notice: Removing file Puppet::SSL::CertificateRequest vera.madduck.net at '/var/lib/puppetmaster/ssl/ca/requests/vera.madduck.net.pem'
    
    
    # fg
    info: Caching certificate for vera.madduck.net
    info: Caching certificate_revocation_list for ca
    […]
    
    
    # puppetca --list --all
    + puppetmaster.madduck.net
    + vera.madduck.net
    
    
    # /etc/init.d/puppet start
    
    

    Do yourself the favour and check that it's all working.

  6. Optionally, you can now clean up the client stuff in the server's working directory, for instance like this (it worked for me, but this is the sledgehammer approach):

    # /etc/init.d/puppetmaster stop
    # cd /var/lib/puppetmaster
    # tar -cf /tmp/puppetmaster.workingdir-backup.tar .
    # find ../puppet -type f -printf '%P\n' | xargs rm
    # /etc/init.d/puppetmaster start
    
    
  7. If you stopped cron before (and your puppet recipes have not since restarted it):

    /etc/init.d/cron start
    
    

All done. I wish puppet, or at least Debian's puppet packages would do this by default. Please let me know if the above conversion works for you. Then I might start working on an automated migration.

NP: Genesis: Selling England by the Pound

Posted Tue 23 Mar 2010 07:24:31 CET Tags:

The most common criticism of the Anti-Counterfeiting Trade Agreement (ACTA) is the lack of transparency. Before the nations disclose the terms of the agreement under negotiation, we are unable to gain an idea of the big picture, let alone voice our opinions and push for changes. Our politicians don't want us to know. We rely on leaked documents for our information. This is backwards in a world where a state should represent its people. This smells foul to me.

There are undoubtedly some good reasons for the treaty, and if we can contain worldwide, large-scale trade of counterfeited goods and medicine, then that would be a net benefit to us all. However, we must not allow certain governments to succomb to the pressure of (commercially-motivated) lobbyists, to extend that pressure onto other nations using trade as a means of pressure, and to slash our freedom as if it were an inconvenient obstacle in their way.

Only if the terms under negotiation become publicly available, and the public is given a voice, then we can help our governments in entering an agreement that is in the interest of its people, rather than a threat to us.

It is hardly surprising that total capitalist nation USA are the strongest opponents of transparency, because the public might delay or even prevent the treaty. I was also not surprised to see South Korea and Germany in the list of supporters of secrecy either. It is interesting to see that the leaders of Singapore, Belgium, Portugal, and Denmark also seem to believe that these negotiations should be withheld from the public. Does anyone know about Switzerland?

I tip my hat to New Zealand, Canada, Australia, Netherlands, Sweden, Finland, Ireland, Hungary, Poland, Estonia, and Austria for their support of transparency.

ISPs fight a raging war over net neutrality because their infrastructure cannot keep up with the increasing demand (or rather supply) of content. Therefore, ISPs want to charge the users premiums if they wish to use certain services on the Net. For instance, since videos are usually large in size, one would have to purchase e.g. the "platinum package" to be able to access video hosting sites. It would be a serious loss of freedom if they won, and the Internet would never be the same.

Let's turn that idea around: since sites that use advertising make money off every visitor, they are really the ones that should pay the ISPs so that they can improve their infrastructure. The same applies to sites that make money off visitors in other ways.

At the moment, users pay to access the network (which is like paying a taxi to get to the market), so that they can visit sites where advertisers make money showing ads to the visitor, which might actually let them to pay a manufacturer for a product — the end user pays twice, and the advertisers take in money, leeching off the ISPs investing into their infrastructure.

I think that the advertiser and not the consumer should pay the ISP to keep the infrastructure afloat — improve it even. The manufacturer should then pay the advertisers for displaying the ad, and the user consumes if s/he chooses to — and everyone only pays once, for services they want. This will help improve competition among providers, which should always be the goal.

If my ISP would start to record the volume of HTTP traffic I produce for each target site, charge the targets appropriately (they could start with a couple at first), and I'd get free connectivity in turn, I'd be quite happy. The ISP wouldn't have to look at the contents at all for that.

I don't yet know what to do if the target sites choose not to pay up. ISPs could block them, or throttle or deprioritise traffic, but either of those might simply lead to an exodus of users, just like "premiums" would.

As usual, this just needs to be done by many ISPs in concert. Are you listening?

Posted Sat 20 Feb 2010 23:02:56 CET Tags:

The coffee place around the corner from where Penny and I lived for the past two months — Caffé Mode — offers to make your food using free-range eggs for NZ$1. Free-range eggs are more expensive than normal ones, but the price difference is not one dollar. Therefore, the cafe makes a profit every time a customer makes the right choice.

I went in this morning to ask them about it, and the guy taking my coffee order admitted stale-mate. When I suggested that the cafe should use free-range eggs exclusively, he agreed. Let's hope that he lets those making that decision know, and that the cafe soon stops making money on ethical choices.

Posted Sat 20 Feb 2010 12:05:32 CET Tags:

Tomorrow, Penny and I head off back home, and two months of living in NZ come to an end. (did you hear that, pleaserobme.com?)

Maybe I'll find the time to write about my impressions of living on this side of the planet, and being immersed in Kiwi culture while going after my daily routine and trying to work as much as I could. But there is one thing that should not wait:

Thank you, Catalyst IT for giving us workspaces! For the better part of 6 weeks, you gave us our own room, monitors, keyboards, mice, and connectivity. And more than that: you welcomed us, let us participate in sessions, invited us to your parties, received our parcels, sent out letters, and generally provided us with a great environment to work. This was certainly well above what we had dreamed of.

At times, I was forced to stay into the middle of the night — 12 hours time difference with Europe is not always easy — and spent waking hours in your building alone. Thank you for your trust!

Catalyst is a fully New Zealand owned company who deliver critical open source business systems to some of NZ's largest organisations, and organisations worldwide. Catalyst was also a major enabler of LCA2010, and a sponsor of Kiwi Foo Camp, both events that I had the privilege to attend.

Let me know when you're in my part of the world. ;)

NP: The Mamaku Project: Karekare

Posted Thu 18 Feb 2010 06:15:58 CET Tags:

Shortly after I wrote my last article about ACTA and the lack of transparency, I was delighted to find out that a report of the recent negotiations in Mexico has been leaked. I find it a bit disconcerting that our politicians, who are theoretically supposed to represent our interests, are writing documents that can "leak" to the public, when they should have been available to the public from the start.

The document and the coverpage are available for direct download.

Michael Geist has a first analysis

A brief report from the European Commission authored by Pedro Velasco Martins (an EU negotiator) on the most recent round of ACTA negotiations in Guadalajara, Mexico has leaked, providing new information on the substance of the talks, how countries are addressing the transparency concerns, and plans for future negotiations. (read more…)

NP: Dimmer: Degrees of Existence

Dear lazyweb: I am in search of a mailing list for discussion on matters related to digital identity and privacy in the information age. Unfortunately, my (limited) searching has not unveiled results, mostly because many mailing lists have "privacy agreements" or somesuch, polluting the results with pointers to those.

If you know such a list, or you don't but you are interested in the topic, don't hesitate to drop me a line. I will then either let you know when my search was successful, or subscribe you when I have created a list to fill the void.

NP: Sola Rosa: Solarized

Posted Wed 17 Feb 2010 02:34:06 CET Tags:

Right now, your government is probably engaged in the discussion of the Anti-Counterfeiting Trade Agreement (ACTA). You are likely not aware of that because your government has been actively keeping these negotiations and details surrounding them secret.

Your government does not want you to know about a treaty that has far-reaching negative effects on your freedom, as well as your basic human rights. If you did know, you might speak up and make it difficult for the drivers of ACTA to smoothly push their interests past you.

The red light should light up in your head right now!

The goals of the "trade agreement" that is being negotiated are multifarious, but essentially seem to centre around challenges related to intellectual property, and copyright in the digital age, even though it is sometimes claimed that the agreement serves primarily to contain trade of fake Prada bags and Rolex watches.

In reality, ACTA is about content producers like movie studios, who try everything to prevent you from copying their work without paying for it — even if you cannot actually purchase the work, because of e.g. technical measures designed to prevent certain people from legally obtaining content, or simply because the media companies are greedy and consider it PR-savvy to delay the release of a given work in certain countries until after people have had a chance to pay a lot of money to the cinemas.

In theory, a creative work goes out of copyright 50 or 75 years after its author died, depending on whether the creativity can be attributed to a person or a corporation, respectively. Therefore, 50 or 75 years after creation, it gets increasingly hard to monetise a work that has not been reinvented in that period of time.

Sounds plausible to you and me, but this sort of stuff frightens companies like Disney, who seem powerful enough to simply have the law changed. That is not how things should work.

The media producers are failing to control the Internet, and hence they want to turn it into something more like cable TV, which they do know how to control.

ACTA aims to make copyright infringement a criminal offence.

ACTA wants to make it possible for a government to cut you off the Internet because someone thinks you did something bad — they don't actually have to prove it though, accusation is enough. Similar efforts have already failed all over the world, e.g. in France and New Zealand. That's a sign, not a reason to try again.

ACTA wants to set in stone that you have absolutely no rights when you cross borders. This is largely already the case — border officials can pretty much do with you whatever they want — now it's supposed to be made official, and legally binding.

ACTA will create a culture of surveillance and suspicion.

ACTA is designed to break the Internet, among other things.

But worst of all: I am just speculating because we are not supposed to know the details.

The best current source of information on ACTA seems to be Canadian law professor Dr. Michael Geist, who has been collecting content and linking to articles consistently since the ACTA negotiations commenced 2–3 years ago. The Electronic Frontier Foundation also has comprehensive resources available.

It's even more important today than before to put an end to this secrecy. Don't let your government enter secret agreements that affect you and your life, refusing to talk to you about it beforehand, and probably refusing all responsibility afterwards. Talk to your politicians and ask questions that cannot be answered with stock replies.

If you have specific contact addresses for politicians, please let me know so I can add them.

Colin Jackson helped me with this article at Kiwi Foo Camp. He also takes an issue with the secrecy around ACTA.