November 2009 Archives

In order to produce a highly relevant feed for the OLPC planet, I wanted to provide an RSS/Atom feed of just that category in my blog, something that MT (annoyingly) doesn't do automagically by default (which I think it should).

No worries, though - MT is bar none the most customizable and extensible blogging platform that I've worked with (which is not many - just Blogger, some Wordpress, and MT).  So knowing that, I figured that I'd try and figure out how to do it. I came up with Google searches that were less than helpful, telling me to go places that simply don't exist (they must be referring to older versions of the software).

So I took the general concept from those posts, and assumed that it would apply to the new version. It does, sort of - but the convoluted process that they point you at is much easier in 4.32. Without further ado, here's what I did:

• In the blog dashboard, go to Design/Templates
• Select the "Feed - Recent Entries" template
• In the "More Actions" up at the top, choose "Clone Template(s)"
• Click the little arrow at the bottom for Template Options
• Change the output file to something else (I used olpc.xml for instance)
• In the actual body of the template, where you see '<mt:Entries lastn="15">' just change it to <mt:Entries lastn="15" category="OLPC> for instance.
• Save and publish the template, and everything should be good!
  

If Fedora is sponsoring your hotel room for FUDCon, and I don't have your checkin/checkout information here, drop me an email and let me know. I've already sent mail to everyone, but figure that asking in another forum people might see would be good too :)

Well, I migrated this blog here with Movable Type a few weeks ago, and I'm getting a reasonable amount of traffic to it - about what normally comes to my blog from sources other than search engines (according to Google Analytics anyways). 

My old blog is also getting a lot of traffic (more than this one), 66% of it coming from search engines (and most of that obviously Google). A minuscule amount of traffic from search engines comes here, by comparison.

The question that I guess this leaves me with is "how do I tell Google that the same content that's over there is over here as well"? I know that this for example is one of my most popular posts from my old blog (and probably could stand some updating), but Google has no idea it's here (at least a search for site:blog.jds2001.org kickstart didn't find it, but it did find the archive page it was linked from)

I guess there's no harm in leaving up the old site, but I feel that I should make one final entry in there to say that everything is over here now.....

I just saw this over on failblog and couldn't resist:


see more Epic Fails

But I really am looking forward to FUDCon and the FUDBus Experience(TM). I forgot to mention also earlier on this blog that $1 Bolt Bus tickets *do* exist and I'm the proud holder of one (for my return from Boston, getting to Boston is costing me $10.)  $11.50 travel costs to FUDCon can't be beat :D

First, prior to the meat of this post, I'm going to give some background since not all readers of the planet are packagers :)

For those that might not be familiar with our packaging environment in Fedora, our spec files, patches, and other small type things are stored in CVS. Since CVS is not suited to storing large binary blobs (read: source tarballs), there is something that sits alongside CVS called the lookaside cache, which is used to store these things. When they are required by koji, the buildsystem, it goes to get the source from the lookaside cache, all the applicable patches and spec files from CVS, and builds a SRPM which finally gets built into binary RPM's.

Up until yesterday, this lookaside cache was a big black box to Fedora packagers. There was no notification provided that a file was uploaded to it. This presented a minor, but plausible, security issue for our packaging process whereby a rogue individual could upload a doctored tarball of the next upstream release of a package, with an identical md5sum to the upstream version, and no one would ever know (if an identically named file with an identical md5sum exists in the lookaside cache, no upload is done). With this new enhancement, the package owner will be notified, and can take corrective action if he finds it necessary.

As promised, I've got the event report for the OLPC meetup that happened today.  It started at about 1PM in the meeting room of a church (apparently the same meeting room that AA meetings are held in - are they trying to tell me something? :) ). People from OLPC in Boston, the OLPC Learning Club DC, and virtually, people from San Francisco were there. All in all in the room in NYC we had about 30 people show up, who represented a very broad cross-section of the constituents of OLPC - teachers, marketing people, and techies such as myself. After an update on some deployments, the XO 1.5 (which will have both the Sugar interface as well as a more traditional GNOME desktop, will have 1GB of RAM so a lot of the memory constraints that came with attempting to run a normal desktop on the XO platform are gone), and learning about the people down in DC for about an hour, we split off into three groups - marketing/communication/community development, teachers and educators, and technology people. I obviously went to the technical side of the room :).

We had an interesting conversation on getting involved in Sugar development, and more importantly, the lack of a closed feedback loop from deployments, and the understanding of pain points that real teachers in the field were having. Adam Holt from OLPC mentioned that the Sugar Labs folks had attempted such a thing in the past, and the results of the feedback, while useful and valuable, were not exactly immediately actionable by Sugar Labs (or anyone else really - things like "battery life is too short").

However, we did find something that is immediately actionable for the techies in the crowd, and Adam will be reaching out for help revising and updating the Sugar Almanac and the Activity Handbook which are both currently out of date for current versions of the operating system, and making developer documentation more accessible. I also met and exchanged contact information with George Hunt, who is also a local techie who is heavily involved with OLPC and we're going to get together and work on the documentation side of things.

Adam also mentioned that the support FAQ needs some work, and that's an area that I could really help in.  I also met Kevin Mark, who from what I understand is the one man support army on IRC for the XO and Sugar, and I could help there as well.
\
All in all I think it was a good use of a Saturday afternoon (even though it was absolutely beautiful outside today, and that showed in having to get through the hoards of people in Times Square on the way to the meeting.... :) ) 

Just figured that I'd drop a quick note here that I'm going to the charter meeting of OLPC NYC. It happens tomorrow, conveniently located a few blocks from my apartment. Apparently we've got people from Boston, DC and San Francisco coming for this event.

This is an NYC local grassroots effort, and I'll be pimping Fedora obviously :) More to come after the event actually happens.

In the meantime, enjoy a picture of an OLPC deployment in Thailand :)

So I figured that I'd write about the whole current "non-root users can install stuff" fiasco. Here's my take on it, drawing heavily from my $DAYJOB experience of being a sysadmin of many systems.

First, in order for this to work, as I understand it (I don't have a convenient F12 machine at the moment), you have to be sitting at the console of the machine. As much as I despise Microsoft, they wrote a great paper some time ago, the 10 Immutable Laws of Security. And it's one of these laws that I'll refer to here (and it's sort of obvious):

If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Think about that for a minute - once someone has physical access to your machine, game over. This is true no matter if you're running Windows, Linux, z/OS, whatever. For a typical Fedora workstation, all that someone with physical access needs to do is intercept the grub prompt, boot into single user and not be prompted for a password to do so, and proceed to wreak whatever havoc he sees fit on your system.

When analyzed from this perspective, allowing a locally authenticated user to installed signed content from a signed repository isn't all that bad. Furthermore, when you look at Fedora's target audience, I don't see servers or large deployments anywhere in there. That obviously doesn't preclude people from using it in this way, but it's more fit to be a single-user desktop, where the user and administrator are the same person, and that user is physically situated at the console of that machine.

Note that the preceding paragraph is not intended to say that Fedora shouldn't be run on servers or that it has no place there, nor that we shouldn't cater to the needs of that user type. However, when considering the default settings, we should probably go with ones that are conducive to the use case of a single user desktop. If you wish to use Fedora in other ways, that's why we have spins, which can defaults of their own (which for a server spin, would likely not include PackageKit, include more sane (to that use case) PolicyKit defaults, etc.

Also, if you're using Fedora in some sort of large enterprise deployment where centralized control over what gets installed on the end-nodes is desirable, then you should be deploying custom policy in order to restrict this and likely many other aspects of the default desktop configuration (enforcing screen locking, strong passwords, account lockout, and any number of other things).

I did, however, like the idea that was floated on fedora-devel-list about having multiple policies for varying levels of control over the system.

I will concede that this should have been documented better, but with the threads o' doom on this topic, I do believe that there's plenty of documentation and awareness by this point :) 

While Clint Savage and I were testing Fedora Talk's conference streaming and recording capabilities, we both ran into the same very annoying issue - after exactly 6 minutes, our call would for some reason be disconnected. Well, with the NFR planning meeting happening tomorrow (OK, well today), Jeff Ollie and I finally found some time to figure it out (with Jeff doing the hard work and me being the guinea pig :D)

As it turns out, the problem was that with the upgrade to Asterisk 1.6, we had enabled a feature of SIP timeouts - periodically, the Asterisk server will send a SIP packet to you asking if you're still there. If you are, all is good. If not, Asterisk drops the call like a bad habit :). As it turns out, as I'm sure most of our users are, I'm both behind NAT (through an OpenWRT router) and am running iptables on my system.  The default UDP timeouts were simply too short, and the keepalive interval too long, for a default installation recognize the SIP re-invites as valid related traffic, therefore the calls were getting dropped. We lowered timeouts, and now calls aren't getting dropped, which I consider to be a Good Thing(TM).

Hopefully Fedora Talk is now the best platform that it can be.

In order to avoid any feelings of a lack of transparency of what transpired with me  and the FESCo elections, I'll just announce it here real quick :)

As most people know, I'm a current member of FESCo - so it should come as no surprise that I would be seeking re-election. However, due to various $REAL_LIFE obligations and (gasp!) Fedora system issues getting in the way (which highlights the need for update discipline that I had mentioned in my nomination, as my workstation that I normally use is still running F11) , I was unable to complete the self-nomination process until this evening. However, while it was timely as measured by my local time (US/Eastern), by UTC time, it was slightly late.

Therefore, I've withdrawn my nomination, so as to avoid any appearances of favoritism, and to show that everyone must abide by the same rules. I fail :D

OK, so this one is a tad late. I went up to Harrisburg, PA at Harrisburg University downtown for CPOSC 2009 a few weeks back, and had a great time. I only attended two talks, the rest of the time was spent manning the Fedora booth.  The first talk that I went to was ostensibly a talk about licensing, however, the presenter didn't have his facts straight on basic licensing issues (not surprising, they're fairly complex. and only a masochist could know everything there is to know). For instance, he posited that all GPL'ed software may automatically be utilized under any version of the GPL, regardless of if the copyright holder expressed that right or not, which is obviously incorrect. He then got into a talk about how to monetize open source, not the type of talk that I was wanting to attend at all. Oh well, at least he tried, which is more than me :D

The next talk that I went to was about how to get involved in open source. One of my friends here in NYC could have actually benefited from this talk, but it's coaching that I've been giving him off and on anyways. It's a problem that I see far too often - people actually WANT to get involved, but there is no clear, hospitable point of entry for them. Most project websites have no clear path to entry for becoming a contributor, for example. This is an area that I think that Fedora has done an excellent job, our front page contains not only a prominent link for joinig the project, but clear and concise steps on what to do - sign up for a FAS account first off, and several suggestions for what you might want to do based on various types of people.

As for the booth itself, it was a smash - manning the booth was myself, Todd Zullinger, and Ben Boeckel. The vertical banners that we had thanks to Clint Savage were one of the hits of the show - the Ubuntu people really liked em. I got to talking with them about how things work with regard to brand outreach in Ubuntu, and I learned some things that were surprising and disturbing to me. First, this isn't a slight on the Pennsylvania LoCo, but rather on the entire state of affairs of Ubuntu brand outreach efforts. They had no professional looking banners, etc, and seemed generally ill-prepared. When I asked them about this, and told them that I had seen pretty impressive Ubuntu booths (this is in parituclar reference to our veritcal banners), he told me that "yeah, those are the shows that Canonical cares about. If it's a small show such as CPOSC, then they just leave it to the LoCo teams and give them basically no support". I found this pretty appalling, for a small investment, Ubuntu could also have a professional presence at shows around the country - it just requires them to do what we do, have a set of reusable infrastructure for a show, and ship it from place to place as is required.

Well, I'm happy to be able to say that I've migrated this blog from the free Blogger hosting service over to Movable Type running on a VPS of mine successfully. MT is fairly easy to setup and run, and from the time I decided that I was going to migrate to writing this was just about 5-6 hours, most of it battling with the Blogger export and making Movable Type import it successfully.