Monday, October 15. 2007
Today I found a note about the movie The Codebreakers. It's a freely licensed (cc-by-sa) documentary about free software in developing countries.
It brings up various examples of the successful use of free software in different parts of the world. Worth watching.
Saturday, September 15. 2007
A good day, then, for all my blog readers to think once more about which software they use and whom they are actually trusting with it. I guess one or the other will feel addressed.
For everyone around Backnang it should also be said that the LUG is inviting people to the bar »Das Wohnzimmer« this evening and will present its activities there.
Saturday, August 25. 2007
Today is the first day of FrOSCon (Free and Open Source Conference), a local free software event near Bonn (Siegburg for those who know the area). The talk programme is extensive and interesting.
I'll be giving a short talk about OpenStreetMap at 19:00. A recording will be attempted, but I can't promise anything yet.
Sunday, June 17. 2007
I recently wrote that I'm sometimes a bit unhappy with how security issues are handled in free software projects.
Now, for some contrast, today I'll talk about an example of how to do it right. Serendipity, the software I use to host this blog, had an SQL injection vulnerability. On the same day, they announced it and provided updated packages. The finder of the vulnerability is also credited. Now, the flaw only allows retrieving password hashes; many other projects would probably have treated this vulnerability as »low-impact« or something like that.
But besides that, they also provide some tips on how to check whether the vulnerability has already been exploited, and they suggest changing user passwords.
A while back, another vulnerability was reported in Serendipity. The authors said they don't think it's really a vulnerability and that it probably can't be used for anything evil. But an update was released and announced anyway, just to be sure.
Now, that's good security work. The fact that Serendipity has very few vulnerabilities at all is already very good. The fact that they treat the few ones properly is even better. Some other projects should have a look at that.
Wednesday, May 30. 2007
It's an often-told story that the free software community cares more about security, that it's much better because everyone can look at the code. While this may sometimes be true, and I know many free software projects really care about security issues, often enough it's the exact opposite.
On 26.04., some guy called Marsu released an advisory about the GIMP. Loading files in the sunras format can lead to a buffer overflow. Now, while it was silently fixed in svn, for a month they didn't put an advisory on their page and they didn't provide an update. Even with the release of new versions (2.2.15, 2.3.17), they somehow »forgot« to mention that it was a security update.
Now, looking into the NEWS file (which is their changelog), for 2.2.15 there's this little line:
- guard against a possible stack overflow in the Sunras loader (bug #433902)
They didn't mention the word »security«, they didn't give credit to Marsu, they didn't provide a reference to the advisory or the CVE ID. Now, even worse, for 2.3.17 they forgot to mention that bug at all (it's probably part of the mentioned »lots of bug fixes«).
Now, one might say this isn't that critical, because who uses sunras (I had also never heard of that format before)? But think about this: I could mail someone a crafted sunras file, saying it's an old image I found on some backup HD, together with the note that the GIMP can open it. I think it's not unlikely that someone might open it, especially with some intelligent social engineering. Besides that, EVERY SINGLE security bug should be taken seriously.
Now, don't get me wrong. I love the GIMP, it's a great application. I also think that free software is an important precondition for secure software. But it's not the only thing. And as long as many people in the free software community treat security bugs like this, it's no better than those in the proprietary world.
Friday, March 9. 2007
A thing people often ask in the free software world: I can't program, but I want to help out somewhere.
There's one thing that's very simple to do for everyone using Linux. We have two tools called lspci and lsusb that look on the PCI/USB bus for installed devices. Each device has an ID, consisting of a vendor ID and a product ID. Everyone can check their own hardware to see whether everything is detected. For lspci, first run update-pciids, then lspci -v. Each »Unknown« represents some ID that's not in pci.ids. Report the exact device model name to the interface on http://pciids.sourceforge.net/.
For lsusb, run update-usbids and attach all USB devices you can find. lsusb doesn't show »Unknown«; if after a device number there's only a vendor name, then the ID is unknown. The usb.ids database is much more incomplete than the PCI database. They don't have such a fancy interface as pciids, so just send it to the current maintainer (listed in the file, usually at /usr/share/misc/usb.ids or /usr/share/usb.ids).
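As an added example (not from the original post), here is a small script that turns the two checks above into something repeatable: instead of spotting »Unknown« entries by eye, it reads the numeric vendor:device IDs printed by lspci -n or lsusb and looks each one up in a pci.ids / usb.ids file, which both use the same line format. The database paths, the use of lspci -n (numeric output) and the sample database and device lines are my assumptions and constructed data, not anything from the post.

```sh
#!/bin/sh
# Added example (not from the original post): check the vendor:device IDs
# reported by `lspci -n` or `lsusb` against a pci.ids / usb.ids file, so the
# IDs worth reporting upstream are listed instead of being spotted by eye.
# Both database files share one format: a vendor line "vvvv  Vendor name",
# followed by device lines "<tab>dddd  Device name" (and subsystem lines
# starting with two tabs, which are ignored here).

# ids_known FILE VENDOR DEVICE
# exit status 0: vendor and device listed, 1: only the vendor listed, 2: vendor not listed
ids_known() {
    awk -v v="$2" -v d="$3" '
        BEGIN { v = tolower(v); d = tolower(d) }
        /^#/ || /^[[:space:]]*$/ { next }                  # comments and blank lines
        /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]/ {   # vendor line
            invendor = (tolower($1) == v)
            if (invendor) vfound = 1
            next
        }
        /^\t[0-9a-fA-F]/ {                                   # device line (exactly one tab)
            if (invendor && tolower($1) == d) { dfound = 1; exit }
            next
        }
        END { if (dfound) exit 0; if (vfound) exit 1; exit 2 }
    ' "$1"
}

# ids_status FILE VENDOR DEVICE: same check, but prints the status (0/1/2)
ids_status() {
    ids_known "$@" && echo 0 || echo $?
}

# report_unknown FILE  < output of `lspci -n` or `lsusb`
# Takes the first "vvvv:dddd" token of each line ("00:02.0 0300: 8086:2a02 ..."
# or "Bus 001 Device 002: ID 8087:0024 ...") and prints one line per ID that
# is missing, in whole or in part, from FILE.
report_unknown() {
    while read -r line; do
        for tok in $line; do
            case $tok in
                [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F])
                    case $(ids_status "$1" "${tok%%:*}" "${tok##*:}") in
                        1) echo "$tok: vendor listed, device missing" ;;
                        2) echo "$tok: vendor missing" ;;
                    esac
                    break ;;
            esac
        done
    done
}

# Constructed sample database in pci.ids/usb.ids format (not the real file;
# on a real system use /usr/share/misc/pci.ids, /usr/share/misc/usb.ids or
# /usr/share/usb.ids after running update-pciids / update-usbids).
SAMPLE_IDS=$(mktemp)
printf '# constructed sample\n1002  ATI Technologies Inc\n\t5b60  RV370 [Radeon X300]\n\t\t1002 0008  Subsystem example\n10de  nVidia Corporation\n\t0140  NV43 [GeForce 6600 GT]\n8086  Intel Corporation\n\t2a02  Mobile GM965/GL960 Integrated Graphics Controller\n' > "$SAMPLE_IDS"

# sample_report: constructed lspci -n / lsusb lines run through report_unknown
sample_report() {
    printf '%s\n' \
        '00:02.0 0300: 8086:2a02 (rev 03)' \
        '01:00.0 0300: 10de:0140 (rev a2)' \
        '02:00.0 0200: 10de:beef' \
        'Bus 001 Device 002: ID 1234:abcd' \
    | report_unknown "$SAMPLE_IDS"
}

# On a real machine: lspci -n | report_unknown /usr/share/misc/pci.ids
sample_report
```

The script distinguishes »vendor listed, device missing« (report the product name to the vendor's section) from »vendor missing« (the vendor itself has to be added first), which is the same distinction the post makes for lsusb output where only a vendor name follows the ID.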
Sunday, March 4. 2007
So, the pictures are online (there are a few from Fabian as well).
I found the talk »Linux und Freie Software richtig bewerben« (promoting Linux and free software properly) by Meike Reichle very nice today. Some remarks on typical mistakes that are actually self-evident but still worth spelling out, à la »I don't need umlauts« (which arrives at the user as »Linux has no umlauts«).
The Linux-Nacht, still running right now, stood out somewhat unpleasantly because of a strange »whoever wants to use the toilet has to deposit 5 EUR and may only take 15 minutes« rule, due to a party taking place in the same building. In the exhibition hall, one was greeted by a book stand with a Windows system on the projector in the background.
Otherwise it's a successful event, though. This evening I also gave a spontaneous short demonstration of OpenStreetMap.
Thursday, March 1. 2007
Binary drivers are imho a huge problem for free software. Nvidia, a leading graphics company, has produced binary Linux drivers for a long time, and there was no way to get free software 3D support on their cards.
A group of people is currently working on a free nvidia driver; the project is called nouveau. I now had a chance to test the nouveau driver on an nvidia card (nv43). It doesn't do much at the moment, but at least it runs glxgears almost smoothly.
It's nice to see development on that front. We made a small video of glxgears running on nouveau. Oh, for all those who can't play Theora, I put it up on YouTube (but seriously, I was just curious how YouTube works and whether it accepts Theora).
Some experimental nouveau-ebuilds, maintained by pq from the nouveau-project, are here:
svn co https://svn.hboeck.de/nouveau-overlay
Thursday, December 28. 2006
Still here at the 23C3, I'll try to summarize some things about the talks I visited yesterday.
First was a presentation about the trust model of GPG/PGP and an alternative approach. I wasn't so impressed, because I think the main shortcoming of the web-of-trust infrastructure is that it's too complex for the masses to understand.
The Lightning Talks were quite nice; some guy presented some live hacks against a poorly designed travel agency, which was very funny. I personally presented compiz and said a few short things about the situation of 3D graphics and desktops.
I saw about the last 10 minutes of a talk about drones, small camera-equipped devices flying around, and thoughts on what these devices could mean for society. A group is working on creating such devices at quite low cost. I'll have to view that fully on video after the congress.
Another very interesting talk: »The gift of sharing«; the speaker presented thoughts on what kind of »economy structure« free software development should be called. It was a bit difficult to follow the talk, as it was in English and I'm not a native English speaker. There's a paper by the guy which is probably worth reading.
The last talk was about wiki knowledge and citing it in science. The speakers plan to create an RFC for citing URLs in wikis.
What irritated me was a computer science professor saying that she wouldn't allow her students to cite wikis, with the stupid argument that they should cite their sources from books, completely ignoring that science can happen in wikis and that they may be the original source of the knowledge, not just something that has been explored elsewhere. Ruediger Weiss gave good arguments against that and mentioned that he thinks the wiki is really a new way of doing science and should be handled as such.
Friday, December 22. 2006
Meanwhile even Pro-Linux is reporting on it: we (LUG Backnang) recently had the idea of releasing a DVD full of free software and free films for Christmas.
I think the mix turned out quite well; the range of music goes from classical to electronic, and besides the well-known CC films Route66 and ch7 we also packed in something like the classic Nosferatu (copyright expired).
While researching for the DVD, I noticed again that there are always large amounts of interesting free cultural works to discover. In all likelihood the project will be continued; suggestions for that are welcome.
The DVD is available at http://tuxmas.lug-bk.de/
I'll be spending the Christmas and New Year's days at two events, which I'd like to promote a bit here.
Firstly, the Jugendumweltkongress (JUKSS), which I have followed for a very long time and am helping to shape somewhat more actively this time; imho one of the most interesting events of the left/ecological movement at the moment. The JUKSS is strongly focused on self-organization and low-hierarchy structures.
Traditionally, the JUKSS also very often covers broader ideas outside the ecological spectrum; Linux workshops and the like, for instance, have been quasi-standard programme for years. This time this is to be intensified within a (for lack of better ideas temporarily so named) »Digital-Freedom-Plattform«, where everything in the area of free software, questions of »intellectual property«, projects like OLPC, ecological consequences of technology production, data protection etc. should have a place. Participation is welcome; in particular, perhaps one or another visitor of the other congress will get the idea of dropping by the JUKSS temporarily and offering a workshop or talk.
The JUKSS takes place in Königs Wusterhausen near Berlin.
Secondly, between Christmas and New Year there is of course always the Chaos Communication Congress, this time the 23C3. Probably unique in this form, it offers a concentrated load of socially relevant or simply creative technology talks. Despite other plans, I once again didn't manage to apply for a talk myself this time, but maybe it'll work out next year.
»The gift of sharing«, »Kollaboratives Wissensmanagement im Bildungsbereich«, »Chaos und Kritische Theorie« and »Culture Jamming & Discordianism« already sound exciting.
Sunday, November 26. 2006
Google has the reputation of being free-software-friendly. Without doubt they did a lot in the past, especially many Summer of Code projects that developed essential features for free software projects.
That Google is also willing to put legal pressure on free software projects if they compete in their area, they recently showed against the project gaia. It was a project to have a replacement client for Google Earth (Google's own client is proprietary). It was done by pure reverse engineering. The author took the project down after he received a letter from Google.
It's quite questionable whether gaia is doing anything illegal. They didn't use any data from Google, they just provided another client for the service. In my opinion it's very important to fight for the right to reverse engineer. Many essential free software projects wouldn't exist if we couldn't reverse engineer. Just think of many hardware drivers, filesystem support, Samba, many multimedia codecs, support for proprietary document formats (e.g. doc in OOo) and lots more.
By the way, I took the liberty of hosting a copy of the latest gaia version (and, as requested in some comments, the win32 patch for gaia). It's GPL, so everyone is free to continue the development.
Monday, September 18. 2006
This weekend I was at the Wizards of OS conference in Berlin. I was so busy that I didn't find time to blog from there (and the »freifunk« wasn't very stable, but they told me it's the fault of the Deutsche Telekom).
It was a very interesting conference; I met a lot of cool people. I spent most of the time with the people of the Free Software Foundation at their booth.
I met people from the »Bayerischer Rundfunk« (German public television station) and discussed abolishing the GEZ and free content licensing of public television material. I talked to a free radio activist about historical copyright issues and we ended up discussing the Kyoto protocol and uranium mining in Congo. Had some discussions about politics in Latin America with a guy from Argentina. That may give you a short impression of the variety of interesting people I met there.
On the conference topics: its theme was »Free Software, free culture, free infrastructure«. An interesting panel I want to mention was the discussion about open frequencies. The gist was that only a small part of the frequency spectrum is available to the public at the moment, but wireless LAN is already creating some interesting things (freifunk), so the conclusion was that more open frequencies might lead to much more interesting technology. There was a guy from COLT Telecom talking about the political issues of this subject and the old telecommunication lobby (for example the ITU). Another guy was from Indonesia and talked about projects they did with public wireless technology and their efforts to build their own antennas.
Lawrence Lessig held the keynote; he is definitely a good speaker, while it was far too »popstar«-like for me (book-signing session afterwards). His topic was the »Read-Write Society«, and on one thing I can fully agree with him: it's time to fight DRM.
Sunday, August 27. 2006
This Friday, there were two driver releases for Linux graphics hardware: a new proprietary driver from nvidia and a new free driver for ATI cards.
The release of the new nvidia driver was spread over all major news pages. Its main new feature was support for Xorg 7.1, just three months after its release and about five months after the first release candidate. It still doesn't support the main new feature of Xorg 7.1, which is AIGLX. I couldn't find the release of the new free ATI driver mentioned anywhere (even on Linux news pages) and probably wouldn't even have noticed if I didn't read the xorg mailing list. The new ATI driver has much improved support for r300 and above chips, which is very important for the future development of 3D desktops like compiz.
Now, the reason this happens is probably that nvidia puts out a colorful press release when they update their drivers. One could say that it's bad journalism from those news pages (especially if they are Linux related) that when they get press releases from companies they always post news, but they don't do so for rarely announced free releases. But news writers are lazy; if they get some ready-to-publish press release, they'll more likely take it than grab some announcement from some developers' mailing list. The problem with many free software projects is that their publicity sucks.
The work done by the xorg developers on the ATI drivers is great. But I still meet people who don't even know the free drivers support anything above the 9200. I never read big announcements on news pages about »free ATI driver now supporting new card xy«. Now, if you have a look at the xorg page, it doesn't even have release announcements. It looks boring. We know that xorg is cool, that it has wobbly windows and such, that development is happening. But looking at the webpage, it looks much more like XFree86.
This problem is not just related to xorg; it's just that I noticed this fact in the last days (two driver releases, only one noted). The same thing happened e.g. with ffmpeg supporting h264 for a long time, and then I read that some »I-forgot-their-name« company said they'll bring a commercial h264 codec to Linux. Or that about a week after ffmpeg supported wmv9 (also rarely noted by the public), real software said they want to bring wmv support to Linux. There's so much great stuff going on in free software development that would deserve more publicity.
Oh, and as a last note, Lars also has a nice example of how not to do it.
Saturday, July 8. 2006
The last hours at the RMLL, booths are being shut down. It was quite interesting to see how the French free software movement is organized.
The event was very French-oriented, not many talks in English, so there wasn't much for me to visit. I noticed that it was much more political than similar events in Germany: many booths about issues like the DADVSI law, DRM/TCPA, voting machines, filesharing, free music, the ecological footprint of computer hardware, software patents and things like that.
I took the chance to stay one more day to see some more of the city.