Bits from Debian - DebConf16 schedule available

DebConf16 will be held this and next week in Cape Town, South Africa, and we're happy to announce that the schedule is already available. Of course, it is still possible for some minor changes to happen!
As usual, streaming and videos will be available for people who are not able to be there, thanks to the great job of the video team (no link yet, however, afaik).

Stéphane Guillou wrote the following post:

Economists HATE them: constitutional monarchy discovers one WEIRD trick to lose billions of pounds OVERNIGHT!

mjg59 | I've bought some more awful IoT stuff

I bought some awful WiFi lightbulbs a few months ago. The short version: they introduced terrible vulnerabilities on your network, they violated the GPL and they were also just bad at being lightbulbs. Since then I've bought some other Internet of Things devices, and since people seem to have a bizarre level of fascination with figuring out just what kind of fractal of poor design choices these things frequently embody, I thought I'd oblige.
An entertaining read, if you are entertained by knowing that horrible design choices and GPL violations in this device are not your problem. :)

(it is still a shame that as a community we don't have the resources to do GPL enforcing in the myriad of cases like this.)

StickerConstructorSpec compliant swirl

This evening I've played around a bit with the Sticker Constructor Specification and its template, and this is the result:


Now I just have to:

* find somebody in Europe who prints good stickers and doesn't require illustrator (or other proprietary software) to submit files for non-rectangular shapes
* find out which Debian team I should contact to submit the files so that they can be used by everybody interested.

But neither will happen today, nor probably tomorrow, because lazy O:-)

Edit: now that I'm awake I realized I forgot to thank @Enrico Zini Zini and MadameZou for their help in combining my two proposals in a better design.

Source svg
@enrico zini blog

Maintainers Matter: The case against upstream packaging

While most people are talking about the new future of Universal Linux Packages from a technical standpoint, the social perspective isn't getting much attention. Frankly any technical issue can be solved by a better "universal package" but the social changes can't be improved by emailing a patch. So let's examine the relationship between upstream developers, distribution maintainers and end users. With a focus on how we got here and where we might go next.
This. This. This.

BTW, a few years ago I wrote an article on more or less the same topic, but the one above is a much better read, so feel free to ignore mine :)

Verifying gpg keys

Suppose you have a gpg keyid like 9F6C6333 that corresponds to both key 1AE0322EB8F74717BDEABF1D44BB1BA79F6C6333 and 88BB08F633073D7129383EE71EA37A0C9F6C6333, and you don't know which of the two to use. You go to and find out that the site uses short key IDs, so the two keys are indistinguishable. Building on Clint's hopenpgp-t...
#gnupg @Gruppo Linux Como @LIFO

David Benfell wrote the following post:
I wasn't particularly looking for an argument against top-posting. In fact, since very few of my correspondents are technically-oriented, I'm on the verge of giving in. But here's Rhymes with Oranges today:

Typosquatting programming language package managers

In this blog post I will show how:

* 17000 computers were forced to execute arbitrary code by typosquatting programming language packages/libraries
* 50% of these installations were conducted with administrative rights
* Even highly security aware institutions (.gov and .mil hosts) fell victim to this attack
* a typosquatting attack becomes wormable by mining the command history data of hosts
* some good defenses against typosquatting package managers might look like
Yes, my policy "if it's not in debian it does not exist" is paranoid. But it works.

A Raspberry Pi Zero in a Handy Tech Active Star 40 Braille Display

TL;DR: I put a $5 Raspberry Pi Zero, a Bluetooth USB dongle, and the required adapter cable into my new Handy Tech Active Star 40 braille display. An internal USB port provides the power. This has transformed my braille display into an ARM-based, monitorless, Linux laptop that has a keyboard and a braille display...

debacle wrote the following post:

Pyra pre-order countdown: Only ten missing for first batch!

It looks like there are only 10 pre-orders missing to fund the first batch of 1000 Pyra units. Perfect moment to pre-order now, isn't it? #pyra #debian #freesoftware #freehardware #handheld

Pyra Handheld

No more unencrypted emails to gpg contacts · Dhole's blog

But the reason for this post is an issue that I believe happens in every email client (or should I say, MUA, to be more precise). I’ve seen it happening to people using both Thunderbird and mutt, and I bet it has happened in other cases: sending an email to someone for whom you have their GPG key unencrypted unwillingly.
A script (for mutt) to give a better interface to the choice between encrypting and not-encrypting emails. (And there are always reasons not to encrypt a significant number of emails, e.g. when they are to a public mailing list.)

Evil 32: Check Your GPG Fingerprints

It takes 4 seconds to generate a colliding 32bit key id on a GPU (using scallion). Key servers do little verification of uploaded keys and allow keys with colliding 32bit ids. Further, GPG uses 32bit key ids throughout its interface and does not warn you when an operation might apply to multiple keys. Key servers do not use transport encryption (e....
Sadly, one of the main tools used to analyze Web of Trust data, wotsap, is still using 32 bit key ids in its data files, and is mostly abandoned upstream, so there is little real hope of seeing it fixed. Wotsap data is also used by the PGP pathfinder & key statistics website, which is thus vulnerable to a number of attacks.

The workaround is to manually verify the paths shown by wotsap using gpg --check-sigs, which should be done anyway, since wotsap data comes from an untrusted source (cryptographically speaking), but AFAIK is still not done automatically by any tool.

Thanks to @Enrico Zini Zini for the link.

#gnupg @Gruppo Linux Como

Nuand abusing the term "Open Source" for non-free Software

Back in late April, the well-known high-quality SDR hardware company Nuand published a blog post about an Open Source Release of a VHDL ADS-B

I was quite happy at that time about this, and bookmarked it for further investigation at some later point.

Today I actually looked at the source code, and more by coincidence noticed that the LICENSE file contains a license that is anything but Open Source: The license is a "free for evaluation only" license, and it is only valid if you run the code on an actual Nuand board.
I don't know about this specific case, but this is not the first time that somebody claimed that something was Open Source when it wasn't.

From one point of view it isn't a completely bad thing: it means that being Open Source is perceived as having a marketing value, and that at least some markets are voting for it with their wallets, which is a good thing.

Other than that, it's a misleading practice, especially when done with malice. Unluckily IIRC "Open Source" in itself couldn't be trademarked (and there goes one of the supposed advantages over using the term "Free Software"), so there are probably no ways to stop it via legal means, and it's very important that the communities involved take care to spread the word to prevent this tactic from being successful.

Why Privacy is more than Crypto | emergency exit

During the last year hell seems to have frozen over: our corporate overlords neighbours at Apple, Google and Facebook have all pushed for crypto in one way or another. For Facebook (WhatsApp) and Google (Allo) the messenger crypto has even been implemented by none less than the famous, endorsed-by-Edward-Snowden anarchist and hacker Moxie Marlinspi...

Sandro wrote the following post:

Please don’t use Slack for FOSS projects

I’ve noticed that more and more projects are using things like Slack as the chat medium for their open source projects. In the past couple of days alone, I’ve been directed to Slack for Babel and Bootstrap. I’d like to try and curb this phenomenon before it takes off any more.

Bits from Debian - What does it mean that ZFS is included in Debian?

Petter Reinholdtsen recently blogged about ZFS availability in Debian. Many people have worked hard on getting ZFS support available in Debian and we would like to thank everyone involved in getting to this point and explain what ZFS in Debian means. The landing of ZFS in the Debian archiv...