October 31, 2014

FUDCon Managua

The FUDCon is a special event to me, because I have the opportunity to meet the guys that I interact with almost every day online, and to meet new mates from the Fedora community and the local people attending the event. This year FUDCon LATAM was held in the pleasant city of Managua in Nicaragua.

This year the trip did not begin so nicely for me. I had to rebook the flight at the airport because my passport had only 172 days left before expiring; the minimum to go to Nicaragua is 180 days and I did not know it. Because of this I had to ask Neville for an invitation letter in order to get an emergency passport, which is issued on the same day. After this trouble I landed on time in Managua and everything else went well.

After landing in Managua, I went to a university where the guys were promoting the event to the students. At the end of the afternoon, Neville took me and Luis Bazan to a hotel near the Mansion Teodolinda (the hotel that hosted us) to meet Efren and Oscar, two guys from Mexico who traveled 4 days by bus to attend the FUDCon. They told us about their experiences in Mexico and the work that they did unofficially. Now they have joined the Fedora Community.

The first day of FUDCon started with a formal presentation by the directors of Universidad de Ciencias Comerciales, the university that hosted the event, and by Neville, who spoke about the FUDCon and about the Fedora Project. After this, Robert Mayr (robyduck) gave a talk about the impact of Fedora.Next on the Fedora websites, followed by Dennis Gilmore, who spoke about Fedora.Next. After lunch the normal schedule of the event started; I gave a talk about Apache Libcloud (a Python library that I maintain in Fedora), and there were some interesting activities like the robotics session by Valentin Basel and the talk about Flask by Eduardo Echeverria.

Neville speaking at the opening ceremony.

On the second day of FUDCon we had a full day of activities, with talks, workshops and interaction with people between the sessions. On this day I gave a talk about the Cloud and Big Data SIGs and a workshop on deploying a pseudo-distributed Hadoop environment.

At the end of the day we had a nice hacking session at the hotel, which was useful for some people to practice what they had learned at the event. A very nice fact about this hacking session was the involvement of Lili, a girl from the local staff, in the Fedora website: she started to work on it after attending a workshop about Fedora Websites by Robert Mayr, and guided by him she made her first commit.

Hacking session on the second day.

The third and last day was full of talks and hands-on activities like Arduino hacking by Kiara. I had a free day, and it was very nice, because I had the opportunity to interact better with the people who came to the event, who asked questions about what I said in my talks, mainly about OpenStack and Hadoop, and questions about Fedora in general.


The last FUDCon day

At night we had the long-awaited FudPub, where we had a tasty dinner of traditional food from the region. After the dinner a very fun football match was held.

Dinner at FudPub.


A very positive thing about this FUDCon was the talks with Alejandro, Luis Bazan, Abdel Potty, Itamar, Kiara, Valentin, Rino and all the other guys from LATAM, to discuss what we did in the last year and align our ideas to improve our community. It was really good to see people getting involved with the Fedora Project, and I hope I helped with this. I want to thank Neville, Eduardo Mayorga, Lilli, Fernando and all the guys from the local community who worked to make it happen.

Introducing project SCAPtimony
How do I archive all the SCAP results coming from my infrastructure? For how long? What kind of SCAP result post-processing would help me retain control over the environment? How do I ensure that all the nodes in a given perimeter have been audited against a given policy in the last week? What are the good practices for operating SCAP audits of multiple nodes? It is a heck of a lot of XML files and there has to be a better way!

These are common questions amongst operational guys, and there needs to be a piece of software to help answer them. Let me introduce project SCAPtimony, its motives and mission statements.

The SCAPtimony project gives full testimony about the compliance of your infrastructure. SCAPtimony is an open source compliance center built on top of SCAP, the U.S. Government standard. SCAPtimony is a collection (database) of auditable assets, SCAP policies, audit schedules, SCAP results, and waivers. SCAPtimony is a modern, RESTful, highly efficient, robust, and cloud-class scalable solution to the common problem of SCAP document storage. Going forward, SCAPtimony pushes the envelope by leveraging OpenSCAP to empower administrators in a sustainable way! ... Bingo!

Planned Features
+ Define security/compliance policies
    + Archive distinct versions of the policy
    + Upload SCAP content and assign it with the policy
    + Set-up a periodical schedule of audits for the policy
    + Organization defined targeting (Assign a set of nodes with the policy)
    + Define known-issues and waivers (Assign waivers with a set of nodes and the policy)
    + Set-up rules for automated deletion of SCAP results
+ Archive SCAP audit results from your infrastructure
    + Provide API for tools to upload collected SCAP results
+ Result post-processing
    + Search SCAP results
    + Search for non-compliant systems
    + Search for not audited systems
    + Comparison of audit results
    + Waive known issues

Let me know if your feature is missing. In the meantime, the source code is brewing at https://github.com/OpenSCAP/scaptimony.

And by the way, project SCAPtimony would never have been possible without the oscap_source redesign in OpenSCAP. That redesign significantly improved the post-processing capabilities of OpenSCAP that are needed especially for SCAPtimony's waivers.
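The post-processing questions listed above ("search for non-compliant systems", "search for not audited systems", "waive known issues") can be answered from the result files alone. The following is an added example, not SCAPtimony code: it reads XCCDF 1.2 `TestResult` documents and reports failed rules per node and nodes with no audit inside a time window. Host names, rule IDs, timestamps and the sample documents are constructed.

```python
"""Added example (not SCAPtimony code): triage a pile of XCCDF 1.2 results."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# Rule results that count as a compliance finding.
NON_COMPLIANT = {"fail", "error", "unknown"}


def parse_test_result(xml_text):
    """Return (target, end_time, {rule_id: result}) for one XCCDF document."""
    # For results uploaded by nodes you do not fully trust, a hardened
    # parser (for example defusedxml) is the safer choice.
    root = ET.fromstring(xml_text)
    tag = "{%s}TestResult" % XCCDF_NS["x"]
    # TestResult is either the root or nested inside a Benchmark.
    tr = root if root.tag == tag else root.find(".//x:TestResult", XCCDF_NS)
    if tr is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    target = tr.findtext("x:target", default="", namespaces=XCCDF_NS).strip()
    # Assumption: timestamps carry no UTC offset, as in the samples below.
    end_time = datetime.fromisoformat(tr.get("end-time"))
    results = {}
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        results[rr.get("idref")] = outcome.strip()
    return target, end_time, results


def audit_report(documents, perimeter, now, max_age=timedelta(days=7),
                 waivers=frozenset()):
    """Summarise the newest result of every node in the perimeter.

    perimeter: node names that must have been audited within max_age.
    waivers:   (node, rule_id) pairs for known, accepted issues.
    """
    latest = {}
    for doc in documents:
        target, end_time, results = parse_test_result(doc)
        if target not in latest or end_time > latest[target][0]:
            latest[target] = (end_time, results)

    report = {"non_compliant": {}, "not_audited": []}
    for node in sorted(perimeter):
        if node not in latest or now - latest[node][0] > max_age:
            report["not_audited"].append(node)  # missing or stale audit
            continue
        failed = sorted(rule for rule, res in latest[node][1].items()
                        if res in NON_COMPLIANT and (node, rule) not in waivers)
        if failed:
            report["non_compliant"][node] = failed
    return report


def _sample(target, end_time, rules):
    """Build a minimal, constructed TestResult document."""
    body = "".join('<rule-result idref="%s"><result>%s</result></rule-result>' % r
                   for r in rules)
    return ('<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" '
            'id="xccdf_org.example_testresult_default" end-time="%s">'
            '<target>%s</target>%s</TestResult>' % (end_time, target, body))


SSH = "xccdf_org.example_rule_sshd_no_root_login"   # constructed rule IDs
FW = "xccdf_org.example_rule_firewall_enabled"
SAMPLE_DOCS = [
    _sample("web01", "2014-10-20T02:00:00", [(SSH, "pass"), (FW, "pass")]),
    _sample("web01", "2014-10-29T02:00:00", [(SSH, "fail"), (FW, "pass")]),
    _sample("db01", "2014-10-15T02:00:00", [(SSH, "pass"), (FW, "pass")]),
    _sample("app01", "2014-10-30T02:00:00", [(SSH, "fail"), (FW, "pass")]),
]
PERIMETER = {"web01", "db01", "app01", "mail01"}
WAIVERS = frozenset({("app01", SSH)})
NOW = datetime(2014, 10, 31, 12, 0, 0)

if __name__ == "__main__":
    print(audit_report(SAMPLE_DOCS, PERIMETER, NOW, waivers=WAIVERS))
```

Only the newest result per node is evaluated, so a node that regressed after an earlier passing audit (web01 in the sample) is still reported.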

FUDCon is a great opportunity to share with other people who also love working and helping the Fedora Project keep growing. The main goal of the Latin American conference is not only to motivate new people to join the project; it also brings us together as a family, so that we can be beside the people we esteem or appreciate, since a great barrier of distances and borders separates us. We can only get to know each other through mailing lists, IRC chat and, if we are lucky, social networks and video calls, but nothing compares to the excitement and happiness of being close, talking face to face, and being able to pass on and share knowledge to help us grow as professionals and improve our performance within the Fedora Project.

Fedora is an international family, and wherever we are we will always keep innovating and making friends.    :)

October 30, 2014

Condor’s Book Report on Information and the Modern Corporation
Information and the Modern Corporation
by James W. Cortada

Taylor Swift has been invading Manhattan for the past few days and doing a great job of it. The video is of Times Square and her stage set in the middle of the street the morning of October 30, 2014. A few words of encouragement to Taylor Swift, Manhattan is an island, like most other islands, and the folks living on Manhattan island are typical of island folk elsewhere.

<iframe class="youtube-player" frameborder="0" height="382" src="http://www.youtube.com/embed/Zt3jCsxV-rY?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent" type="text/html" width="625"></iframe>

“People collect, analyze, and use information to do their work, to gain insights, to make more informed decisions, and even to share those roles and decision-making capabilities with machines, some of which are computers and some of which have computers built into them.” Quote from Information and the Modern Corporation

The first time your opinion is accepted as valid, meaningful, and of value on a topic after having been scrutinized by accepted authorities of that topic you may attempt to guard against further airings of your opinion in front of casual audiences until you’ve thought through things completely for some time after that initial success.  The author is an IBM evangelist with experience presenting before exacting audiences.  His book is of value to anyone in a contemporary organization and worth purchasing for your bookshelf. IBM evangelist seems a difficult gig from whatever angle the stage is viewed.

While working for the New York City Department of Parks and Recreation several years ago, I was introduced to the Parks version of, “Coworkers Are Customers Too.”  Parks was a fun gig and the best job I’ve had this century! Was “01-110” code for an ignition system? Was “01-120” code for an ignition system and “01-110” the code for a suspension system? I can’t remember. I do remember to say nice things about my Parks coworkers and supervisors whenever I can though. I breathed inventory control and good customer service while working at Parks.  I lived on Throggs Neck pizza, Spanish Harlem bodega leftovers, and those meat pies made in Chinatown.

The biography in this book states, “James W.Cortada has worked at IBM for more than 35 years in various sales, consulting, and managerial positions. He currently works in IBM’s core business research center, The Institute for Business Value.” The Institute sounds like a nice venue. I’ve been to some cool venues. I’ve seen some hot stages. Dr. Cortada has a cool, hot stage.

IBM has tens of thousands of employees. Fedora is comprised predominantly of volunteers. How can the musing of an IBM evangelist be of value to the Fedora Community?

I’ll poke my finger into chapter 3, “The Informed Supply Chain.” The Fedora Project as a supply chain. The analogy could work without tilting anyone’s belief system too far off plumb. I follow QA activity. Everybody who submits or reads a bug report is a QA customer. What QA does is a product. Perhaps Fedora already operates as a supply chain and I didn’t notice it till reading this book. Food for thought – what’s the next step in the process?

Cover of Information and the Modern Corporation.

The cover of the book that is Condor’s subject this month.

I’m thinking of changing the batting order in honor of “Women In Technology,”

perhaps the next book report will be on:

The Lenovo Way
by Gina Qiao and Yolanda Conyers

By the way, I am a terrible volunteer. I volunteer for stuff and forget to introduce myself. Then I forget to offer my services to the group I volunteered for. The truth be known, I didn’t forget, I was waiting till after beta.

FUDCon (Fedora Users and Developers Conference) – Managua, Nicaragua. Logbook 1.
From Thursday 23 to 25 October, one of the biggest events of the Fedora community at the regional level took place in Managua, Nicaragua: the Fedora Users and Developers Conference, better known as FUDCon. It is a pleasure for me to start writing these lines, which will form part of one of the three logbooks that will narrate, or at least try to describe in words, from my point of view, what happened in the days before and during FUDCon.

<figure class="wp-caption aligncenter" id="attachment_6380" style="width: 300px;"><figcaption class="wp-caption-text">Fedora Users and Developers Conference.</figcaption></figure>

Before the event began, a group of us contributors had arrived a few days early to help in certain areas of the organization. Some of these colleagues were Valentín, Luis, Rino, Eduardo and Abdel; together with the Nicaraguan community we promoted the event at different universities in Managua, and also made the necessary information available on the FUDCon website for anyone who wanted to come to the event.

<figure class="wp-caption aligncenter" id="attachment_6362" style="width: 300px;"><figcaption class="wp-caption-text">Panama, Nicaragua and Brazil represented, from left to right: Abdel Martínez, Lila Gutierrez, Valentin Basel, Daniel Bruno.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6366" style="width: 300px;"><figcaption class="wp-caption-text">Rino inviting the audience.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6365" style="width: 300px;"><figcaption class="wp-caption-text">Luis invites the kids to FUDCon.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6364" style="width: 300px;"><figcaption class="wp-caption-text">The audience looking on.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6363" style="width: 300px;"><figcaption class="wp-caption-text">Eduardo talking to the kids about why it is important to attend this great event.</figcaption></figure>

Besides promoting the event, it was Luis's birthday in those days, so we took the opportunity to celebrate it with a small cake =) and some time together. While we were celebrating Luis's birthday I had the chance to talk with other contributors about various topics, most notably the use of oVirt for managing virtual machines; Rino was able to help me create my first virtual machine on this powerful platform created by Red Hat.

<figure class="wp-caption aligncenter" id="attachment_6400" style="width: 199px;"><figcaption class="wp-caption-text">Luis and the caaaaaaaaaake.</figcaption></figure>

Meanwhile, the days of FUDCon were approaching, and so was the arrival of other contributors from different regions of the world, such as Italy in Europe, with the participation of Robert Mayr, who is part of the fedora-websites group. Besides Robert there was Dennis Gilmore, Red Hat's Release Engineer for Fedora, who had taken a flight directly from Australia. We were also expecting Jared to take part in the days before the event; unfortunately that was impossible because of problems with his flight =(.

Another point worth highlighting is what is new in the Icaro project. I was able to talk with Valentín about the upcoming features the platform will offer, such as the integration of Pilas, a project written in Python and created by the Argentine Hugo Ruscitti, a platform that makes it easy to create two-dimensional video games. The idea of the integration with Icaro is to be able to control the Pilas actors from the real world through a potentiometer using the board.

<figure class="wp-caption aligncenter" id="attachment_6401" style="width: 300px;"><figcaption class="wp-caption-text">Kiara and Valentin.</figcaption></figure>

Valentín showed me this very, very interesting video in which he uses a potentiometer on the board, and the Pilas actor, in this case a spaceship, moves according to its position. Phenomenal! On top of that, the next version of the Icaro board is about to come out, with improvements in the use of voltage regulators as well as some corrections to the previous board.

With all that said, I present to you the robot that Valentín made with a 3D printer, which turned out spectacular for official presentations of the project.

<figure class="wp-caption aligncenter" id="attachment_6375" style="width: 300px;"><figcaption class="wp-caption-text">The FUDCon robot using the Icaro board.</figcaption></figure>

And so the days passed and we reached the first day of FUDCon, when the whole Fedora community headed to the venue of the event, the Universidad de Ciencias Comerciales, located in the municipality of León in Nicaragua. It was there that I spent all the hours of the day meeting people, learning, sharing and of course enjoying everything FUDCon has to offer.

<figure class="wp-caption aligncenter" id="attachment_6368" style="width: 300px;"><figcaption class="wp-caption-text">We have arrived at the UCC.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6367" style="width: 300px;"><figcaption class="wp-caption-text">Universidad de Ciencias del Comercio.</figcaption></figure>

For this first day we had talks focused on different areas. Dennis spoke about Fedora.Next, and Robert talked about how the fedora-websites team works and what upcoming changes are being made, for example the complete change of the graphic design; afterwards there were simultaneous presentations in different rooms of the University. Since my area is electronics, I decided to attend Valentín's presentation on Free Hardware, where the audience was shown the tools they can use in Fedora to start a free hardware project from scratch.


<figure class="wp-caption aligncenter" id="attachment_6369" style="width: 300px;"><figcaption class="wp-caption-text">A photo with the girls, please!!!</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6373" style="width: 300px;"><figcaption class="wp-caption-text">Italy, Panama, Australia and Argentina. The power of the foundation: FRIENDSHIP.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6374" style="width: 300px;"><figcaption class="wp-caption-text">Fedora Argentina, Nicaragua and Panama. From left to right: Fernando Espinoza, Eduardo Echeverria, Robert Mayr and Rino Rondán.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6378" style="width: 300px;"><figcaption class="wp-caption-text">The proyectofedora.org</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6371" style="width: 300px;"><figcaption class="wp-caption-text">Abdel and Luis, quite the characters.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6376" style="width: 300px;"><figcaption class="wp-caption-text">Fedora Argentina, Nicaragua and Panama. From left to right: Rino Rondán, Kiara Navarro, Luis Bazán and Lila Gutiérrez.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6372" style="width: 199px;"><figcaption class="wp-caption-text">Dennis and Lila.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6379" style="width: 300px;"><figcaption class="wp-caption-text">Robert Mayr giving the presentation on Fedora Websites.</figcaption></figure> <figure class="wp-caption aligncenter" id="attachment_6370" style="width: 199px;"><figcaption class="wp-caption-text">This is what Fedora offers as a community: the four most important foundations.</figcaption></figure>

Valentín presented how to use tools available in the Fedora Electronic spin, such as KiCad and PCBnew, to create a PCB from scratch. He showed the process of creating the circuit, which includes connecting the components through tracks and exporting the circuit for printing, and finally he showed how to use a copper board and a clothes iron to transfer the printed circuit onto the copper board. A unique experience for everyone who attended and had not seen the PCB manufacturing process before.

<figure class="wp-caption aligncenter" id="attachment_6377" style="width: 300px;"><figcaption class="wp-caption-text">Valentín explaining PCBs in KiCad</figcaption></figure>

To finish this article, I would like to say that perhaps one of the most important points of having projects like Icaro in the community is that they serve as a gateway between Fedora and users who specialize in areas of electronics, or who at least would like to learn about it. Therefore, finding new ways to integrate this area into the Fedora Project awakens the interest of users who may become contributors to the project in the near future.

And so as not to go on too long, I leave you with the link to the photos I was able to take of all the moments described here, which have definitely become unforgettable moments.

And there are still two more logbooks to come, stay tuned!

The post FUDCon (Fedora Users and Developers Conference) – Managua, Nicaragua. Bitácora 1. appeared first on Panama Hitek.

Ease your kernel tracing struggle with LTTng Addons

If you are new to Linux tracing and/or LTTng, go no further. Head on to the new and awesome LTTng Docs to learn what this stuff is all about. I wrote an article on the basics of LTTng and then followed it up with some more stuff a few months back too.

Ok, so now for those who have been using LTTng for some time, and especially the kernel tracer: I am pretty sure you have faced a moment when you asked yourself, what if I could just modify those default tracepoints provided by LTTng and maybe add some more functionality to them? As an example, here is an interesting use-case I recently encountered -

Consider the netif_receive_skb event. A tracepoint is present in a function of the same name in the kernel. This function notifies the kernel whenever data is received in the socket buffer for any of the net devices, and when this event is enabled, the tracepoint is hit and skbaddr, data length and device name are recorded by default. For more info on how this works, refer to the TRACE_EVENT macro in the kernel. There are a few articles on LWN explaining how this all works. The LTTng tracepoint definitions are not alien to this mechanism. They basically act as probes that hook onto these tracepoints in the kernel, and they are provided in the form of kernel modules. Refer to the internals of the lttng-modules package and do have a look at what the LTTng Docs have to say about this. Coming back to our use-case, now consider that I want to record a netif_receive_skb event only when it's a localhost device (skb->dev->name == "lo"). Hmm, interesting.

Now, instead of forcing you to understand the deep internals of how LTTng’s macros magically work behind the scenes, Francis Giraldeau did a little sorcery and churned out…*drum roll*… lttng-addons! Check out the addons branch in the repo. Apart from being a massive help in running research experiments rapidly, it can be used for some practical scenarios too. Do have a look at the modules currently available in it. I have added a new netif_receive_skb_filter event (provided in addons/lttng-skb-recv.c) to illustrate the use-case we discussed previously. It can also act as a mini template for adding your own addon modules. Basically the flow is – create your module C file, make an entry in the Makefile, add the custom TRACE_EVENT entry in instrumentation/events/lttng-module/addons.h for your module, build and install the modules, modprobe your new module, fire up lttng-sessiond as root and then enable your custom event. Such happiness, much wow!

Once you have built the modules and installed them, restart lttng-sessiond as root and try to see if your newly created events are available:

$ lttng list -k | grep netif
netif_receive_skb (loglevel: TRACE_EMERG (0)) (type: tracepoint)
netif_rx (loglevel: TRACE_EMERG (0)) (type: tracepoint)
netif_receive_skb_filter (loglevel: TRACE_EMERG (0)) (type: tracepoint)

Do the usual stuff next and have a look at the trace:

$ lttng create
$ lttng enable-event -k netif_receive_skb_filter
$ lttng start
$ ping -c2 localhost
$ ping -c2 suchakra.in
$ lttng stop
$ lttng view
[22:51:28.120319188] (+?.?????????) isengard netif_receive_skb_filter: { cpu_id = 3 }, { skbaddr = 18446612135363067648, len = 84, name = "lo" }
[22:51:28.120347949] (+0.000028761) isengard netif_receive_skb_filter: { cpu_id = 3 }, { skbaddr = 18446612137085857024, len = 84, name = "lo" }
[22:51:29.120071966] (+0.999724017) isengard netif_receive_skb_filter: { cpu_id = 3 }, { skbaddr = 18446612137085856768, len = 84, name = "lo" }
[22:51:29.120102320] (+0.000030354) isengard netif_receive_skb_filter: { cpu_id = 3 }, { skbaddr = 18446612137085857280, len = 84, name = "lo" }

And there you have it, your first filtered kernel trace with your first custom addon module. Happy tracing!

USB on Mustang

When I got the APM Mustang at home I knew that one day I would use it to test desktop environments. Lack of graphics and USB kept me away from it. And I am closer now…

Yesterday Mark Langsdorf wrote two patches which allow the USB3 ports on Mustang’s backplate to be used. I applied the first version of them, altered the DeviceTree blob a bit, and after a reboot I got this:

16:36 hrw@pinkiepie-rawhide:~$ lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 1234:2088 Brain Actuated Technologies 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

All with a slightly modified 3.18-rc2 kernel from Fedora rawhide.

Now I need to sort out graphics… But first I need to buy yet another card…

All rights reserved © Marcin Juszkiewicz
USB on Mustang was originally posted on Marcin Juszkiewicz website

Ability to remove TLS 1.0 from httpd in CentOS 6

Due to a bug in mod_ssl, the ability to remove TLS 1.0 (and only support TLS 1.1 and/or TLS 1.2) has not been available.  The fix has now made it to CentOS 6 and you can now fine-tune your cryptographic protocols with ease.

Before the fix my /etc/httpd/conf.d/ssl.conf file had this line:

SSLProtocol all -SSLv2 -SSLv3

This allows all SSL protocols except SSLv2 and SSLv3 to be used with httpd.  This isn’t a bad solution but there are a couple of sites that I’d prefer to further lock down by removing TLS 1.0 and TLS 1.1.  With the fix now in mod_ssl my settings can now look like this:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

…and I’ll only support TLS 1.2 and beyond.  Of course doing this will significantly reduce the number of clients that can connect to my server.  According to SSLLabs I’m blocking all IE users before IE 11, Android before 4.4.2, Java 7, and Firefox 24.2.0 ESR.  But luckily I really don’t have a problem with any of these browsers for a couple of things I do so I’ll likely tighten up security there and leave my more public sites alone.
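A small audit for the directive discussed above, as an added example that is not from the original post: it evaluates each `SSLProtocol` line the way mod_ssl processes its arguments (a bare name replaces the set, `+` and `-` modify it) and lists which protocols older than TLS 1.2 remain enabled. It assumes `all` expands to SSLv2 through TLSv1.2, as documented for mod_ssl 2.2 built against OpenSSL 1.0.1 or later; the sample configuration and host names are constructed.

```python
"""Added example: report legacy protocols left enabled by SSLProtocol lines."""
import re

# Assumption: what "all" expands to (mod_ssl 2.2 with OpenSSL >= 1.0.1).
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
_CANON = {p.lower(): p for p in ALL}   # protocol names are case-insensitive
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Return the set of protocols enabled by one SSLProtocol argument list."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = (word[1:] if action else word).lower()
        if name == "all":
            selected = set(ALL)
        elif name in _CANON:
            selected = {_CANON[name]}
        else:
            raise ValueError("unknown protocol %r" % word)
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected        # bare name: replaces everything so far
    return enabled


def audit_ssl_conf(text):
    """Return [(line_number, arguments, [legacy protocols still enabled])]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _DIRECTIVE.match(line)   # commented-out lines do not match
        if not match:
            continue
        enabled = effective_protocols(match.group(1))
        findings.append((lineno, match.group(1),
                         [p for p in LEGACY if p in enabled]))
    return findings


# Constructed sample: three virtual hosts with different settings.
SAMPLE_CONF = """\
# constructed sample configuration
<VirtualHost *:443>
    ServerName public.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    ServerName admin.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.com
    # the bare name resets the set, so only TLSv1 ends up enabled
    SSLProtocol -SSLv3 TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, args, legacy in audit_ssl_conf(SAMPLE_CONF):
        status = "legacy enabled: " + ", ".join(legacy) if legacy else "TLS 1.2 only"
        print("line %d: SSLProtocol %s -> %s" % (lineno, args, status))
```

The third virtual host shows a common mistake: a bare protocol name after the minus terms overrides them instead of adding to them.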

Security Specifications

There are many potential sources for security specifications. Some of them are government standards. For example, in the United States, HIPAA, the Health Insurance Portability and Accountability Act of 1996, specifies requirements for administrative safeguards, physical safeguards, and technical safeguards of medical records and personally identifiable information. Anyone dealing with Protected Health Information must comply with HIPAA.

The credit card industry has the Payment Card Industry Data Security Standard or PCI DSS, which must be followed by anyone who is handling credit card information.

The SANS Institute offers a wide range of security training and resources, including a set of Information Security Policy Templates that provide examples of best practices that can be customized for your organization. For example, the Server Security Policy specifies things like “all internal servers deployed at <company name> must be owned by an operational group that is responsible for system administration” – in other words, no zombie servers that no-one is responsible for!

The United States Department of Defense has prepared Security Technical Implementation Guides which specify how government computers will be configured and managed.

Of course there are numerous books on computer security, many including guidelines and checklists.

Finally, each organization must prepare their own security guide which lays out the security rules that they choose to follow. This is critical because each organization has their own set of requirements, needs, and threats. You can’t simply say “all computer systems must be completely secure” – first, this is impossible. There is a famous observation that the only truly secure computer system is one that is melted into slag, ground into dust, cast into a block of concrete, and dumped into the deepest part of the ocean. Second, implementing the highest levels of security for all systems is expensive and makes the systems very difficult to use.

As we have discussed before, computer security in the real world is a risk management exercise. Risk can’t be eliminated, it can’t be ignored, and it should be managed intelligently.

An organization's security guide should be based on applicable government and industry requirements, accepted best practices, and the specific requirements of the organization.

Hacker News metrics (first rough approach)
I'm not a huge fan of Hacker News[1]. My impression continues to be that it ends up promoting stories that align with the Silicon Valley narrative of meritocracy, technology will fix everything, regulation is the cancer killing agile startups, and discouraging stories that suggest that the world of technology is, broadly speaking, awful and we should all be ashamed of ourselves.

But as a good data-driven person[2], wouldn't it be nice to have numbers rather than just handwaving? In the absence of a good public dataset, I scraped Hacker Slide to get just over two months of data in the form of hourly snapshots of stories, their age, their score and their position. I then applied a trivial test:
  1. If the story is younger than any other story
  2. and the story has a higher score than that other story
  3. and the story has a worse ranking than that other story
  4. and at least one of these two stories is on the front page
then the story is considered to have been penalised.

(note: "penalised" can have several meanings. It may be due to explicit flagging, or it may be due to an automated system deciding that the story is controversial or appears to be supported by a voting ring. There may be other reasons. I haven't attempted to separate them, because for my purposes it doesn't matter. The algorithm is discussed here.)

Now, ideally I'd classify my dataset based on manual analysis and classification of stories, but I'm lazy (see [2]) and so just tried some keyword analysis:

A few things to note:
  1. Lots of stories are penalised. Of the front page stories in my dataset, I count 3240 stories that have some kind of penalty applied, against 2848 that don't. The default seems to be that some kind of detection will kick in.
  2. Stories containing keywords that suggest they refer to issues around social justice appear more likely to be penalised than stories that refer to technical matters
  3. There are other topics that are also disproportionately likely to be penalised. That's interesting, but not really relevant - I'm not necessarily arguing that social issues are penalised out of an active desire to make them go away, merely that the existing ranking system tends to result in it happening anyway.

This clearly isn't an especially rigorous analysis, and in future I hope to do a better job. But for now the evidence appears consistent with my innate prejudice - the Hacker News ranking algorithm tends to penalise stories that address social issues. An interesting next step would be to attempt to infer whether the reasons for the penalties are similar between different categories of penalised stories[3], but I'm not sure how practical that is with the publicly available data.

(Raw data is here, penalised stories are here, unpenalised stories are here)

[1] Moving to San Francisco has resulted in it making more sense, but really that just makes me even more depressed.
[2] Ha ha like fuck my PhD's in biology
[3] Perhaps stories about startups tend to get penalised because of voter ring detection from people trying to promote their startup, while stories about social issues tend to get penalised because of controversy detection?

appdata-tools is dead

PSA: If you’re using appdata-validate, please switch to appstream-util validate from the appstream-glib project. If you’re also using the M4 macro, just replace APPDATA_XML with APPSTREAM_XML. I’ll ship both the old binary and the old m4 file in appstream-glib for a little bit, but I’ll probably remove them again the next time we bump ABI. That is all. :)

FUDCon Managua day 0

FUDCon is a really great event and permits to get in contact not only with many other contributors, but also to speak to new users and often these people are very interested in learning how to contribute to the Fedora Project. Therefore my day 0 started weeks before the event itself and I decided to do a talk about websites and also a working session where to show how things work in the websites group.

My expectations were high and I wanted to gather as much interest as possible within the LATAM people.

I started from Milan on Tuesday, October 21st, in order to have at least one day to get used to the new timezone (it’s 8 hours earlier than in Europe) and my 20-hour trip went through Paris and Atlanta to Managua, where Neville Cross and Dennis Gilmore, who arrived at the same time, were waiting for me. Although very long, the flight was much better than expected and after a short drive we finally reached Mansion Teodolinda, a nice hotel with a pool and comfortable rooms. Some of the other people were already there and we started immediately to talk about FUDCon and had some beers before jumping into bed.

Ready for FUDCon Managua

The next day Neville, who was the main organizer and cared very much about us, introduced us to the local habits and then left to the University to set the last things for the next day. Me and Dennis decided to go to the near Shopping Mall to lunch and then returned to the Hotel, where in the meanwhile all the others, except Jared Smith, who unfortunately missed his flight connection, arrived.

Lunch with Dennis

After a jump into the swimming pool we hung around discussing many topics and started some hacking with Luis Bazan, Kiara Navarro, Alejandro Perez, Eduardo Echeverria, Daniel Bruno, Valentin Basel and many many others. Luis very soon became our FUDCon mascot and we had a lot of fun together.

All of us were ready for the first FUDCon day, and it promised to be very interesting.


Backup Server – Samba | Debian | Fedora/Centos

I wanted a server I could use to backup all my data, I’ve been toying with the idea of Windows server, it’s easy enough to install it and create a share so that I can use it to backup my laptops.  But then I stopped being silly and just installed debian.  I then had to setup samba.  This is how I did it on Debian 7, but as it’s samba, it’ll probably work on Fedora or any linux distro.

The end result is a network share that you can mount and then back up your machines/data to, using whatever method you like.

  • Install the server OS
  • Install samba – on Debian I used apt-get install samba; on Fedora/CentOS it’s more than likely yum install samba
  • Edit the samba conf – vi /etc/samba/smb.conf
  • Search for the [global] section and update your workgroup
  • Search for the [homes] section
  • Enable read/write for the homes by setting read only = no
  • Create your own share

[paulsfiles]
; the section name is the share name clients connect to; "paulsfiles" is only an example taken from the path
read only = no
path = /home/paulsfiles
guest ok = no

  • Make sure you’ve set the smb password for the user or they won’t be able to connect.  The user must exist on the server.  smbpasswd -a username
  • Restart samba – /etc/init.d/samba restart or service samba restart

You should then be able to map your drive on your own pc/laptop

That’s it in a nutshell.  There are more options you can use, if you use man samba you’ll be able to see them all.

Have fun.
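
A quick check worth running after editing smb.conf as described above: list every share with its effective write and guest settings, so a writable share that also allows guests stands out. This is an added example, not part of the original post; the function names and the sample smb.conf (including the [paulsfiles] and [scratch] share names and the valid users line) are constructed for illustration.

```shell
#!/bin/sh
# Constructed smb.conf: the share from the post plus a deliberately loose one for contrast.
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = HOME

[homes]
   read only = no

[paulsfiles]
   path = /home/paulsfiles
   read only = no
   guest ok = no
   valid users = paul

[scratch]
   path = /srv/scratch
   writable = yes
   guest ok = yes
EOF
}

# Read an smb.conf on stdin and print one tab-separated line per share:
#   name, writable=yes|no, guest=yes|no, valid_users=set|unset
# Samba defaults are applied when a share does not set a value
# (read only = yes, guest ok = no, no valid users restriction).
audit_shares() {
    awk '
    function emit() {
        if (name != "" && name != "global")
            printf "%s\twritable=%s\tguest=%s\tvalid_users=%s\n", name, rw, guest, vu
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # start of a new section
        emit()
        name = $0
        sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        rw = "no"; guest = "no"; vu = "unset"
        next
    }
    /=/ {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        v   = tolower(val)
        yes = (v == "yes" || v == "true" || v == "1")
        if (key == "read only")
            rw = yes ? "no" : "yes"
        else if (key == "writable" || key == "writeable" || key == "write ok")
            rw = yes ? "yes" : "no"             # inverted synonyms of read only
        else if (key == "guest ok" || key == "public")
            guest = yes ? "yes" : "no"
        else if (key == "valid users")
            vu = (val == "") ? "unset" : "set"
    }
    END { emit() }
    '
}

# Names of shares that are both writable and open to guests.
risky_shares() {
    audit_shares | awk -F'\t' '$2 == "writable=yes" && $3 == "guest=yes" { print $1 }'
}

# Usage on a real server:  audit_shares < /etc/samba/smb.conf
#                          risky_shares < /etc/samba/smb.conf
```

On a real server, testparm -s prints the configuration as Samba itself parses it and is the authoritative check; the script above only summarises the settings this post touches.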

The post Backup Server – Samba | Debian | Fedora/Centos appeared first on Paul Mellors [DOT] NET.


Ohio Linux Fest 2014 — Observations from the Fedora Booth

Ohio Linux Festival, Columbus Ohio Oct 24-26, Greater Columbus Convention Center Main Venue section D.

Fedora Ambassadors report for Andrew Ward (award3535) and Julie Ward (jward78)

We arrived at the Drury Friday afternoon and got settled into the room. We then checked on the event and got our registration stuff all taken care of that afternoon. I checked out where we needed to set up. We had the table right next to the Red Hat table. We were in a good location at the end of the aisle for easy access for everyone to get to. This weekend the weather was good and there was not a cloud in the sky. We were hoping for a busy day on Saturday.


Booth almost ready to go

We got down to the venue at 0730 a.m. to get started on setting up. We were shortly joined by the Red Hat folks and we were all set up by 815 a.m. We noticed that while we were getting set up there were already a lot of people walking around waiting on the first talk session. There was almost no one there yet except us, Red Hat, and the BSD people. This proved to be a great advantage to get their attention. We didn’t have anything that flashed, nor did we have any big presentation boards, we only had the product and a few simple items. That was more than enough for us, between the presentation and questions that got answered we did more than was needed to make some hard core Debian users at least try Fedora. That was a 100 percent success to us. The first talk was scheduled for 9 a.m. and we were all set and ready to go, and to say, we did. From 9 a.m. until 4 p.m. the two of us were extremely busy. A special thanks goes to Ricky Elrod (from the Dayton Ohio area) for helping out at the booth with us, an unexpected positive surprise. I had not checked the event wiki page a few days prior to the event. We left on Thursday morning to head up to Ohio, and Ricky had updated and volunteered. A great many thanks to him.

By 930 a. m. the Fedora booth was about 4 deep waiting to get a look at our table. There was many questions posed to us about why should I switch from my current O/S, Ubuntu and Debian seemed to be the hard pressed distributions. Some individuals were very hard to discuss anything concerning Fedora, but if I got through to even one of them, I felt successful. What I found interesting was even though those few individuals who were hard to convince to a change to Fedora, they still picked up the free media anyway. There were other individuals (some of them those hard pressed Debian individuals) were also asking questions about Fedora were unaware of the other media available to them as well.


The Southeast Linux Fest Coordinators

The focus seemed to be on GNOME with the default was not what they were looking for, I then explained that there are many others available to them on the DVD or for down load that included KDE, LXDE, and XFCE. That surely got their attention, so I presented that they should try it before making a judgment call on Fedora. That was enough to get those individuals to pick up the multimedia DVD. Again success in getting the word out to others about the diversity of the product we offer.

The morning was going by so fast, we both felt exhausted by 1030 a.m. I had 300 multimedia DVDs that came with me and by 1030 a.m. they were all gone. Luckily, Nick Bebout had mailed two boxes to us that arrived at 1145 a.m. In the meantime, the Linux Pro Magazine that featured Fedora to replace the old Windows XP came in quite handy. The magazine included an in-depth look at Fedora, and an installation guide for novice users. This was a wonderful tool for us to use, made great advantage with novice and mid range users, and in turn we also handed out all of the magazines that we had. I believe that we had over 200 of the magazines and every one of them went. The last one left the table at 4 p.m. I also had approximately 40 USB Keys from the last two events, since I had no multimedia DVDs at the time I handed those out, and they also turned out to be a hit at the table. I would ask a question along the nature of what they were currently using and why, I would then ask what would make it easier for them to at least try Fedora, I got a wide variety of answers but when they found that I would hand them a USB key, their attitude changed quite quickly. Even though they were happy with what they had, a simple USB Key turned things around.


Once the resupply arrived, we went through another entire box that contained approximately 150.

Some of the other vendors in attendance were Chef, HP, Linode, POGO and the local Ohio Python Group, just to name a few.

Since the day began we were ready for anything that could be thrown at us, I believe the attendance was approximately 850 if not more. Since before the booth opened we began to see a steady inflow of people. I can only speculate but here is what we believe that was given out, about 450 Multimedia DVD’s, 60 pens, over 500 stickers, 300 case badges, 200 small Fedora pin on buttons, 40 USB Keys, 60 t shirts, all of the LinuxPro Magazines (about 280 or so, maybe more) 2 ball caps, 50 tattoos, and the last of the Beefy Miracles. For some reason our booth again seemed to be the most popular in-site. Julie noted that the more items that were on your table for presentation or the more SWAG definitely attracted more people to the tables. In this case she kept a stocked table ensuring that the attraction to the Fedora table continued.


This Magazine gave us the advantage on promoting Fedora. There is some really good information inside for beginners to get started with Fedora

Julie also noted that the facility did not provide enough trash receptacles throughout the venue. To get to a trash can we either had to leave the area or go to the other side where there was one trash can, half of which was dedicated to recycling materials.

Some of the questions that were asked about Fedora were quite common and some were not so obvious. For some people changing from what they are already using is not an easy task, but for others seamless. There were a few questions that concerned me but I believe they were answered. The most difficult question to answer came about the back support of previous releases. They did not want to be tied to a 12 month or so required upgrade. I pointed them out to our website and towards fedup. The biggest concern was the moving of data back and forth to satisfy new loads of the O/S. That seems to be the main concern of the faithful users of Fedora I spoke with. They were for the most part unaware that they did not need to keep moving data off the machine, but of course I recommended a back up prior to executing just to be safe. There were more than the fair share of “why should I change from my current O/S (Debian,Ubuntu) to Fedora”? We did our best to answer everyone of those why should I use Fedora questions, but even those hardcore other distribution people still picked up one of our Multimedia Dvd’s, funny how that works.

One person during this event stood out with a few questions. A man from the western part of Kentucky wanted to know if we could give him a few multimedia DVDs so that he could bring them home to his part of the state. He was a local television broadcaster (media personality) with the local TV station in his area. He also asked that if he contacted us would we be willing to send him more of the DVDs. He proceeded to tell me why. This person was trying to get his community involved with some new ideas in computing. There has been a lot of job loss in his area and a lot of really down people trying to get out of and try some new ideas for jobs, hobbies, and skills. I was more than happy to aid him in his request. He also asked if there were to be an event scheduled in his area would we as Fedora be willing to attend (invited). I let him know that we could surely ask when the time came to make the invite for Fedora through the website or get a hold of an Ambassador to get the request on the schedule. This may turn into a good opportunity to distribute more and help others learn about Linux.


All that was left at the end of a great Fedora Day

We had a lot more than usual stop by and tell us how much they loved Fedora. We kept getting compliments all day long about how Fedora has been such a great Operating System for them. That was quite pleasing to hear. This was a very successful event for Fedora. I am looking forward to going again next year to Ohio Linux Fest.

yarn: change configuration and restart resource manager on a live cluster

This procedure is to change Yarn configuration on a live cluster, propagate the changes to all the nodes and restart Yarn resource manager.

Both commands list all the nodes on the cluster and then filter out the DNS names in order to execute a remote command via SSH. You can customize the sed filter depending on your own needs. This one filters DNS names in the Elastic MapReduce format (ip-xx-xx-xx-xx.eu-west-1.compute.internal).

1. Upload the private key (.pem) file you are using to access the master node on the cluster. Restrict the private key permissions to 600 or stricter (i.e. chmod 600 MyKeyName.pem)

2. Change ~/conf/yarn-site.xml and use a command like this to propagate the change across the cluster.

yarn node -list|sed -n "s/^\(ip[^:]*\):.*/\1/p" | xargs -t -I{} -P10 scp -o StrictHostKeyChecking=no -i ~/MyKeyName.pem ~/conf/yarn-site.xml hadoop@{}:/home/hadoop/conf/

3. This command will restart Yarn Resource manager on all the nodes.

 yarn node -list|sed -n "s/^\(ip[^:]*\):.*/\1/p" | xargs -t -I{} -P10 ssh -o StrictHostKeyChecking=no -i ~/MyKeyName.pem hadoop@{} "yarn resourcemanager stop"
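
The commands above switch off SSH host key checking and accept any line that starts with "ip" as a hostname. The following added example (not from the original post) does the same fan-out with the filter tightened to the full Elastic MapReduce name format and with host keys pinned in a dedicated known_hosts file. The function names, the KNOWN_HOSTS path, the DRY_RUN switch and the sample node list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Paths are assumptions; override them from the environment.
KEY="${KEY:-$HOME/MyKeyName.pem}"
CONF="${CONF:-$HOME/conf/yarn-site.xml}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts_cluster}"

# Constructed sample of `yarn node -list` output (spaces instead of tabs).
# The last line has the ip- prefix but is not an internal cluster name.
sample_node_list() {
cat <<'EOF'
Total Nodes:3
         Node-Id      Node-State Node-Http-Address Number-of-Running-Containers
ip-10-0-1-11.eu-west-1.compute.internal:9103   RUNNING ip-10-0-1-11.eu-west-1.compute.internal:9035   0
ip-10-0-1-12.eu-west-1.compute.internal:9103   RUNNING ip-10-0-1-12.eu-west-1.compute.internal:9035   2
ip-10-0-1-13.example.org:9103   RUNNING ip-10-0-1-13.example.org:9035   0
EOF
}

# Keep only Node-Ids of the form ip-a-b-c-d.<region>.compute.internal:<port>
# and print the hostname part. Anything else is dropped, so unexpected text
# in the listing never reaches the scp/ssh command line.
emr_nodes() {
    sed -n 's/^\(ip-[0-9]\{1,3\}-[0-9]\{1,3\}-[0-9]\{1,3\}-[0-9]\{1,3\}\.[a-z0-9-]*\.compute\.internal\):[0-9]*[[:space:]].*/\1/p'
}

# Copy yarn-site.xml to one node. accept-new (OpenSSH 7.6 or later) records a
# host key on first contact and refuses the connection if it later changes,
# unlike StrictHostKeyChecking=no, which accepts a changed key silently.
push_conf() {
    node="$1"
    set -- scp -o StrictHostKeyChecking=accept-new \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -i "$KEY" "$CONF" "hadoop@${node}:/home/hadoop/conf/"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Run the remote command from step 3 on one node, with the same SSH options.
stop_rm() {
    node="$1"
    set -- ssh -o StrictHostKeyChecking=accept-new \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -i "$KEY" "hadoop@${node}" "yarn resourcemanager stop"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Read a node listing on stdin and apply one of the functions above to each
# validated node, reporting failures instead of stopping at the first one.
for_each_node() {
    action="$1"
    emr_nodes | while read -r n; do
        "$action" "$n" < /dev/null || echo "FAILED: $n" >&2
    done
}

# Usage (prints the commands; set DRY_RUN=0 to execute them):
#   yarn node -list | for_each_node push_conf
#   yarn node -list | for_each_node stop_rm
```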




During FUDCon 2014, held in Managua, Nicaragua, my esteemed colleague Luis Segundo (luis@blackfile.net), originally from Panama, developed an application for the new Firefox OS operating system. I originally proposed the idea and helped a little with the design, but Luis was the one who put all his ingenuity into developing the whole application in the space of 2 days.

Tuc app is a balance-checking system for the public transport cards we use in Nicaragua. The application was built using AngularJS, which is a scripting programming language based on JavaScript. AngularJS is an open-source JavaScript framework, maintained by Google, that helps with managing what are known as single-page applications. Its goal is to augment browser-based applications with Model-View-Controller (MVC) capability, in an effort to make development and testing easier. Tuc app will be available in the Firefox Marketplace very soon.

On joining the FSF board
I joined the board of directors of the Free Software Foundation a couple of weeks ago. I've been travelling a bunch since then, so haven't really had time to write about it. But since I'm currently waiting for a test job to finish, why not?

It's impossible to overstate how important free software is. A movement that began with a quest to work around a faulty printer is now our greatest defence against a world full of hostile actors. Without the ability to examine software, we can have no real faith that we haven't been put at risk by backdoors introduced through incompetence or malice. Without the freedom to modify software, we have no chance of updating it to deal with the new challenges that we face on a daily basis. Without the freedom to pass that modified software on to others, we are unable to help people who don't have the technical skills to protect themselves.

Free software isn't sufficient for building a trustworthy computing environment, one that not merely protects the user but respects the user. But it is necessary for that, and that's why I continue to evangelise on its behalf at every opportunity.


Free software has a problem. It's natural to write software to satisfy our own needs, but in doing so we write software that doesn't provide as much benefit to people who have different needs. We need to listen to others, improve our knowledge of their requirements and ensure that they are in a position to benefit from the freedoms we espouse. And that means building diverse communities, communities that are inclusive regardless of people's race, gender, sexuality or economic background. Free software that ends up designed primarily to meet the needs of well-off white men is a failure. We do not improve the world by ignoring the majority of people in it. To do that, we need to listen to others. And to do that, we need to ensure that our community is accessible to everybody.

That's not the case right now. We are a community that is disproportionately male, disproportionately white, disproportionately rich. This is made strikingly obvious by looking at the composition of the FSF board, a body made up entirely of white men. In joining the board, I have perpetuated this. I do not bring new experiences. I do not bring an understanding of an entirely different set of problems. I do not serve as an inspiration to groups currently under-represented in our communities. I am, in short, a hypocrite.

So why did I do it? Why have I joined an organisation whose founder I publicly criticised for making sexist jokes in a conference presentation? I'm afraid that my answer may not seem convincing, but in the end it boils down to feeling that I can make more of a difference from within than from outside. I am now in a position to ensure that the board never forgets to consider diversity when making decisions. I am in a position to advocate for programs that build us stronger, more representative communities. I am in a position to take responsibility for our failings and try to do better in future.

People can justifiably conclude that I'm making excuses, and I can make no argument against that other than to be asked to be judged by my actions. I hope to be able to look back at my time with the FSF and believe that I helped make a positive difference. But maybe this is hubris. Maybe I am just perpetuating the status quo. If so, I absolutely deserve criticism for my choices. We'll find out in a few years.

Fudcon Managua 2014

Before the event:

In the days before the event, several visits were made to universities in the area to invite the students and explain to them what the event was about and what they would find there. This initiative was very important, since it served to publicize the event and also to get closer to the students: we could tell them in a more personal way what the event is about and talk to them a little about what a community is. We visited 3 different universities in Managua.

In the days before the event, the participants from each country arrived in batches…

The event itself was very exciting, both for everything we were able to exchange among the different experiences within the group and for the outreach to new people who were interested in becoming part of Fedora.

We gained an interesting number of ambassadors and packagers, including people from Mexico who came exclusively for FUDCon and can thus be a link for the community within that country.

The organization and logistics of the event were excellent: very orderly and always providing support to both the speakers and the participants. A bit hot for some, a bit cool for others; a matter of climate for each person in particular.

The robotics and ARM sessions drew a large audience, and so did the packaging workshops. A range of topics was covered: QA, virtualization, documentation, development, big data, etc. Very varied, with speakers from the community and guests from the area. My first FUDCon showed me in a very different way how the community works: roles, tasks and ways of organizing that do not come across on IRC as much as when you talk in person with each individual in a different role. I take away a more specific idea of each role and of how each piece fits into the community; the sum of all of them makes what we have.

The robotics, Arduino and ARM talks were the best attended.

A couple of interesting talks that had to go through a metamorphosis.

And for the memories, we could leave Fedora's great participation in the Aikido dojo!!











October 29, 2014

knotification, kde connect and what we can do to make future connected

So, i was “politely” annoying people on kde channels last days because i found some interconnected pieces of KDE software that is not really integrated, but are screaming to do that.

All started when i questioned on our older knotify dialog, which for years we blamed to not be extensible, and mck182,  our own Martin Klapetek, give me a class about the wonders of knotification on Frameworks 5. What lead me to this, is the desire of have several devices ( and possibly machines ) interconnecting their notifications, in both ways. and mostly KDE Connect is one of the middle guys to do that.

At same time, not expected but welcome, Albert Vaca  blogged about the other side of my idea, the goals for KDE Connect. He clearly asked of usable plugins to do exchange of information on devices, like Android, iOS, etc..

Where we as KDE are not seeing is that this, like all of our frameworks, should be transparent, in a way that ANY frameworks application that uses knotification could directly access ANY device registered, in both ways.

Simple example:

We work daily on computers, mostly on the time want to be not bothered. We receive a message coming from some person on mobile, then suddenly, unless we muted, the notification appears on your screen, even far from your mobile. KDE Connect ALREADY do that.  But, if is other way ? I have konversation irc opened, but i marked away, then someone from work ping me about some important thing. Konversation could pick this message and forward to my mobile. Or ANY device i choose to do that. This KDE Connect not do, and probably not designed to do.

And what could be done to aiming for this kind of future. ?

First of all, i think i should be got to VDG group to create a feasible knotification extended dialog where we can register multiple endpoints ,like, one mobile android, one mobile iOS, one tablet Windows, one desktop, and then we can simple connect our software notifications to hits on that. And receive from this or that mobile.

This conceptually is easy to imagine if we are using a diagram representing the devices and the notification sources, but i hardly imagine how this could be put the the desktop ground, that’s why VDG is my bet.

Second, we need make some unification on the KDE Connect plugins idea and our knotification system, so talking talk as one framework, this i would love to discuss with Albert and Martin, and everyone that can buy this idea, if someone on the deep grounds of KDE labs already not started.

Hope someone buy this idea and push forward, because this is kind of thing is impossible to do it alone, and thanks our beloved KDE project is specialized to work as a family, and make things happens.



Left 4 Dead Bundle + More – Linux games cheap

If you haven’t bought Left 4 dead 1 or Left 4 dead 2, then it’s time you do it. Green man gaming has a bundle for them very cheap this week.

Left 4 Dead Bundle

You can find the bundle on the right side in the list Top Seller.
This pack contains:

Left 4 Dead, Left 4 Dead 2


Was £22.99, Now £5.74

From Valve (the creators of Counter-Strike, Half-Life and more) comes Left 4 Dead, a co-op action horror game for the PC and Xbox 360 that casts up to four players in an epic struggle for survival against swarming zombie hordes and terrifying mutant monsters.

Set in the zombie apocalypse, Left 4 Dead 2 (L4D2) is the highly anticipated sequel to the award-winning Left 4 Dead, the #1 co-op game of 2008.


If you already own Left 4 dead 1 or Left 4 dead 2 only, you can buy one of them very cheap.

Left 4 dead 1: £3.24

Located under Trick or Treat, first pumpkin.

Left 4 dead 2:  £3.74

Located under Trick or Treat, second pumpkin.


Left 4 dead 1 doesn’t work native on Linux, need to use Wine though. But Left 4 dead 2 works perfectly.


Valve Complete Pack

Deal of the day, ends 30 oct.

This pack contains:


Team Fortress Classic

Day of Defeat

Deathmatch Classic

Half-Life: Opposing Force



Counter-Strike: Condition Zero

Half-Life: Blue Shift

Half-Life 2

Counter-Strike: Source

Half-Life: Source

Day of Defeat: Source

Half-Life 2: Deathmatch

Half-Life 2: Lost Coast

Half-Life 2: Episode One

Half-Life Deathmatch: Source

Left 4 Dead

Half-Life 2: Episode Two

Team Fortress 2


Left 4 Dead 2

Portal 2

Counter-Strike: Global Offensive


Price: £12.49

Only Left 4 dead 1 doesn’t work native on Linux.

FUDCon Managua

From Thursday 23 to Saturday 25 October, the Universidad de Ciencias Comerciales (UCC) hosted the Fedora Users and Developers Conference in Latin America (FUDCon LATAM). This is the first premier community event I have attended, with the advantage, of course, of being local to the event.

Photo: Alejandro Pérez

First of all, thanks to Neville, Aura Lila, Fernando, Eduardo and Samuel for their work organizing the event; in truth I contributed very little to the organization of the conference.

There were three days of talks, lectures, workshops and working sessions, and it is difficult to summarize in one post everything that happened at the event. Some notable points were:

Educational Robotics:
Without a doubt the work of Valentin Basel with Icaro is more than remarkable; together with Kiara Navarro's work tables, these were among the best-attended events.

Photo: Eleazar Muñoz

Photo: Luis Bazan

Cloud Computing:
There is much talk about cloud computing these days, but it is hard to find anyone who can explain how cloud computing works better than someone who works with it every day. Thanks to Abdel from Panama and Eduardo from Venezuela we got to see some cloud computing topics such as Docker, OpenShift and OpenStack. We also had the participation of Rino Rondan from Argentina, who shared with the audience his experience with virtualization in Fedora.

Photo: Rino Rondan

RPM Packaging:
A topic that cannot be missing from an event of this kind: how to contribute to Fedora by creating RPM packages that can be included in the distribution. On this front, my first package was reviewed, corrected and approved. It is worth mentioning that Nicaragua has one of the youngest packagers in the Fedora Project: Eduardo Mayorga, an active contributor who is about to finish high school. Four more contributors are working on being approved as packagers, so we hope the packager community in Nicaragua grows even more after FUDCon Managua.

Photo: Rino Rondan

Local talent:
At an event full of foreign contributors, it is important that several members of the local community stepped forward to share what they are currently doing in the local community, among them Leandro Gómez, Yader V, Marconi Poveda and others.

Photo: Luis Bazan
The guys from Mexico:
Part of the FUDCon experience is meeting people, and the whole Fedora LATAM community was pleasantly surprised to meet two Mexican contributors: Efren Robledo and Oscar Gonzales traveled for two days by bus to attend the event. They have been promoting the use of Fedora on their own in Mexico for some time and had the opportunity to get to know the Latin American community better at FUDCon. It should also be mentioned that the conference had a relatively low turnout, so their effort to be part of this event deserves mention.

Photo: Robert Mayr

Jared Smith (Jared Smith):

Para quienes no conozcan a Jared Smith fue líder del Proyecto Fedora, desarrollador de Asterix y coautor del libro La Guía Definitiva a Asterix, tuvimos la suerte de tenerlo en  FUDCon Managua compartiendo sus conocimientos sobre Publican y Asterix, deben saber que él se tomo el tiempo de venir a Managua en su apretada agenda que implica viajar de Australia a Managua y se ahí salir al día siguiente a Estados Unidos.

For those unfamiliar with Jaden Smith was leader of the Fedora Project developer of Asterix and co-author of The Definitive Guide to Asterix, we were lucky to have him in FUDCon Managua sharing their knowledge in Publican and Asterix, should know that he took the time coming to Managua in his busy schedule involving travel from Australia to Managua and then leave the next day to the United States.

Foto: Fernando Ezpinoza

Fedora Next:

A topic important to the global Fedora community was in the hands of Robert Mayr and Dennis Gilmore. We consider it very important that FUDCon Managua was attended not only by ambassadors and packagers, but that other teams within the Fedora community were present as well.

Conclusions:

In conclusion, our event was not small, although few people from outside the local community came; they unfortunately missed what was surely the most important free software event in Nicaragua in all of 2014.

How to build updated Fedora Live.iso for yourself

I have been in one way or another producing respins of the media ISOs for over 8 years, and I am constantly asked how to do them.

With a computer that has Fedora installed and an internet connection it is easy to do.


Fedora installed on your computer and arch of choice

selinux set to permissive


sudo yum install livecd-tools fedora-kickstarts

and as an example:

sudo livecd-creator -c /usr/share/spin-kickstarts/fedora-livecd-xfce.ks --fslabel=F20-x86_64-LIVE-XFCE-20141028

as long as you have a good internet connection come back in about an hour and you should have a new updated iso in the location you ran that command

** No, you cannot create i686 isos on an x86_64 box or otherwise.

*** All of the Fedora kickstarts are installed to /usr/share/spin-kickstarts/; you can type in any of the fedora-livecd-{Desktop Environment of your choice}.ks files and they will build.



I am happy to announce the availability of F20-20141027 updated Live isos

These Isos have the updates as of time of creation (including Heartbleed and Shellshock fixes).

and as always they can be found at http://tinyurl.com/Live-respins


resolv_wrapper 1.0.0 – the new cwrap tool

I’ve released a new preloadable wrapper named resolv_wrapper which can be used for nameserver redirection or DNS response faking. It can be used in a testing environment to route DNS queries to a real nameserver separate from resolv.conf, or to a fake one with a simple config file. We tested it on Linux, FreeBSD and Solaris. It should work on other UNIX flavors too.


You can download resolv_wrapper here.


ownCloud updates for Fedora 19 and EPEL 6

Hi, folks. Instead of relval (for a change) I spent some of my non-work time today working on ownCloud packaging (I’m the owner/’primary contact’/whatever for the ownCloud package, these days).

I’ve been in touch with ownCloud’s awesome security folk, Lukas Reschke, recently, and he confirmed that the ownCloud version currently in Fedora 19 and EPEL 6 – 4.5.13 – is known to have some security vulnerabilities. It’s also unmaintained and is very unlikely to be upgradable directly to ownCloud 7, so I really needed to Do Something for folks on those releases.

So I did! There’s now an ownCloud 5.0.17 update candidate for Fedora 19 and an ownCloud 6.0.5 update candidate for EPEL 6. Well, the ownCloud 6 update for EPEL 6 has been around for a while, but it never actually installed before, it had all sorts of dep issues.

There is also an ownCloud 5 build for EPEL 6 in my oc5 side repository – you can grab https://www.happyassassin.net/temp/oc5_repo/oc5.repo and put it in /etc/yum.repos.d to enable that. This is intended for upgrading: ownCloud only officially supports upgrading one major version at a time, so if you have an existing EPEL 6 ownCloud 4.5.13 deployment it is probably best to upgrade from 4.5.13 to 5.0.17 via the side repo, then from 5.0.17 to 6.0.5. 4.5 to 6.x upgrade may work, I have no idea – I haven’t tested it – but AFAIK it’s not supported and can’t be relied upon.

I’ve actually done some testing on these: I’ve tested upgrade of an F19 4.5.13 MySQL deployment to 5.0.17 and clean 5.0.17 install, and both worked fine. On EPEL 6 (on a CentOS 6.6 install) I tested upgrade from 4.5.13 to 5.0.17 via the side repo, then upgrade to 6.0.4-3, then upgrade to 6.0.5-1; it survived the whole process without obvious problems. I didn’t test fresh deployment of OC 5 or OC 6 on EPEL 6, yet.

ownCloud 5 is still in maintenance upstream for a few months, and ownCloud 6 should be maintained for a while. I plan to send ownCloud 6 to Fedora 19 just before it goes EOL, the hope being people have a few weeks to upgrade from 4.5 to 5 now, then they can upgrade from 5 to 6, before upgrading to Fedora 20 or 21 where they’ll get 7. I wanted to take roughly the same approach for EPEL 6, but Remi sent a 6.0.2 update to testing some time ago and I don’t think I can ‘rewind’ to 5.x now that’s happened.

I intend to keep the oc5 and oc6 repos available with both F19 and EPEL 6 builds of the latest 5 and 6 builds as long as I can (notwithstanding the /temp in the path – I really shouldn’t have put ‘em in that directory…), so there’s at least some way to do a staged upgrade of old installations if you miss any boats.

I’ll try and look at EPEL 7 later this week; I’ll probably aim to start it out on 6.x then see if we can get it to 7.x. I think some dependent packages do not yet have EPEL 7 branches, though, so I may have to wait on other maintainers before I can possibly do an EPEL 7 build.

Fedora 21 Hangout Release Party

Not everyone can attend a release party, so I thought I’d try and have a virtual one.  So if you’re free or are near a computer, then come along and say hello :)


Sat, 13 Dec, 20:00

The post Fedora 21 Hangout Release Party appeared first on Paul Mellors [DOT] NET.


People driven people show.

Well the title doesn’t make that much sense but I’ve had an idea, and I’m going to roll with it.  This post is just my thoughts, and I’m sure all the people that read this are going to make suggestions or just mock me :D

I’m a people [ish] kinda person, I like knowing what makes them tick, why they like working on something, what they like to do in their spare time, ok so you might call me nosey, and yes you’d be right, but it’s something I am.  One of the things I like watching are videos or reading posts where someone has interviewed someone, in this case I’m really referring to the Fedora community at large, which would probably include all the Red Hatters out there.  So I’ve had an idea.   I’m currently living in England, so it would be impossible, unless someone loved me loads and wants to pay me to travel the world, for me to travel the globe just to interview Fedora/Redhat users and developers.  The planet feed, does provide insight, and you can find information about people on various social media platforms, but there is nothing where all information is stored.  Here’s where my idea comes in.

I call it “The Deck Chair Show”, silly name but let me explain.

I know various members of the Fedora community, they are living here in the UK and are quite near me.  The plan is to get two of my deck chairs, go visit them and interview them on camera, uploading the video to YouTube after.  Your task, if you choose to accept it, is to grab two of your chairs, doesn’t have to be a deck chair, in fact it doesn’t have to be your chairs at all, it could be a park bench, field, your living room, corporate headquarters, anything.  The point is to find a Fedora/Red Hat user or developer and give them a quick interview.  Let the people of the world know who is doing what.  I’m probably going to put myself on cam soon.  All I suggest you do is that when you’ve uploaded it, or put a link on Twitter, you include the hashtag #deckchairshow so we can get them all together.

Interview questions can be what ever you choose, who are you? what do you do?  What you like to do in spare time , stuff like that.

It would be nice to see who is who, when all you see on IRC is a handle.

Any one interested?

The post People driven people show. appeared first on Paul Mellors [DOT] NET.


Fedora Join workshop at Nha Trang IT Day 2014
On Sunday, October 26th, 2014, Nha Trang IT Day 2014 took place at Nha Trang University, Nha Trang, Vietnam. During that day, the Fedora Join workshop was held to introduce the Fedora Project to professors, teachers and students who work and study at NTU and nearby universities and to help them to join in. […]

October 28, 2014

Put LXQt to work on Fedora 21 and epel 7

After I joined Red Hat some time ago, I slowly started to be involved more and more in Qt and KDE matters, even becoming more active by joining the Fedora KDE SIG, as a newbie :-).

One of the recent internal discussions led to the need to bring a lightweight desktop, at least one, into a polished state.

Since LXQt finally came to Qt5 with 0.8.0, and we’re actively working on Fedora 21, Qt5 builds and KDE Frameworks, and there was a need to jump in and get the project to at least a first usable state, I jumped on the wagon.

Eugene Pivnev was already working on initial packaging for Fedora, but I was already well advanced in the work when the lead KDE packager for Fedora, Rex Dieter, told me; at least I could use part of his work on the sysstat and qtxdg packages. I borrowed his full packages.

It was only two days of work and is still in baby steps, which is why I packaged everything on the Fedora copr build system until we have a proper review. We still have no group to install the whole desktop, so packages need to be installed by hand, and there’s an explicit dependency on openbox as window manager, but that was a quick decision to make things work fast.

I’m still deciding how to deal with the lxqt-admin package due to some dependencies, but it is the only one missing from the 0.8.0 series on http://www.lxqt.org

So, if you want to try it, recompile, help me, complain to me, you can find the work here:


For the repository on copr:

  • Fedora 21 – dnf copr enable heliocastro/lxqt or yum copr enable heliocastro/lxqt
  • Epel 7 – yum copr enable heliocastro/lxqt 

P.S. I do not intend to compile/enable Qt 4 builds, only Qt 5 builds, because this is the direct goal.

ing3: a small radio for Latin America


Hi everyone :), this time I bring you “ing3”, a small application I wrote in Ruby and GTK+3 with which you can listen to various online radio stations. For now it only tunes in to stations from Chile, but I hope to add stations from the other countries over the next few days.
More info on my GitHub: https://github.com/n0oir/ing3

Installation on Fedora

Installation on Ubuntu (and derivatives)


Preview
Video: http://www.youtube.com/embed/NXb8Wm6dH64



Let’s talk about Fedora Project objectives — why, how, and eventually what. Featuring thrilling ASCII diagrams!

Fedora Magazine is written for a general Fedora audience and typically focuses on content for users rather than for contributors. This article is aimed primarily at contributors, but covers an important topic which ultimately affects everyone: the practical goals we aim for as a project, and how (and why) we select them.

One of the crucial duties of the new Fedora Council will be the selection of two to four 18-month objectives (and then finding people to own and drive each of them). Although the new body is not yet in place, this is to be a community conversation, so there’s no need to wait to start talking about what we want. (If this is new to you, you might want to read the Fedora Council charter and about upcoming community elections.)

A few months ago, the Fedora Board Discuss mailing list (which is for everyone including the board to discuss high-level policies, not just the board talking amongst ourselves) had a good discussion about “winning”… that is, what success means for Fedora. Here, I’m presenting a structure intended to bring that to a more concrete level, so we have some things we can plan around and act on.

Presenting the Logic Model

Please bear with me for a minute while I bust out an ASCII diagram:

 |            |            |             ||             |             |
 | Resources  | Activities |  Outputs    || Outcomes    |   Impact    |
 |            |            |             ||             |             |
 |What we     |What we do  |The direct   ||The specific | Mission and |
 |have: time, |with our    |products of  ||change in the| vision; our |
 |money, code,|resources   |our          ||world due to | long term   |
 |hardware... |            |activities   ||those outputs| effect      |
 | Things we can affect directly         || Out of our direct control |
 |           <----- planning flows right to left ---------<           |
 |           >------ effort flows left to right ---------->           |
Of course, in a largely volunteer organization like Fedora, we don’t just declare goals at the top and expect people to line up at the bottom. The goals have to align with what the community actually wants to do. But, that doesn’t mean that we shouldn’t — or don’t! — have goals, and it’s the role of the council to help discern and articulate those, and to inspire more people to join in work on them. Having a framework for this might even be more important than in a “command and control” organization.

Beautiful! This is what’s called an organizational logic model. I like it a lot, because it draws a meaningful connection from what we’re doing to what we want to achieve — and from what we want to achieve to what we’re doing. When we need resources for something, we can show stakeholders (sponsors for funding, volunteers for time, donors for hardware) the clear line to the expected big-picture result.

Mission and Vision

A lot of times, organizations draw up beautiful mission and vision statements, put them on the wall, and then do whatever makes tactical sense based on the feeling in the moment. Fedora may be guilty of that to some degree — I think we tend to focus on our outputs — the Fedora distribution, documentation, websites, etc., and skip the connecting step. If we don’t skip it, though, we’ll be able to accomplish even more with our limited resources.

Over on the right hand side, we have our long-term impact: the project mission and vision. These are defined on the project wiki: Mission and Vision Statement. The Fedora Project’s mission is to lead the advancement of free and open source software and content as a collaborative community, while the vision asks us to create a world where free culture is welcoming and widespread, collaboration is commonplace, and people control their content and devices.

Of course, we can revisit these whenever we like, but I think they’re basically sound and I don’t think we need to overdo the fundamental soul-searching.

That said, there are few updates to the current objectives which we might consider. For example, the create-a-distro objective could include description of new Fedora.next ideas, and I think that we should focus on building one Fedora community rather than on building communities in general. And I’m not sure that “developing the science and practice of building communities” is something we’ve been concerned with much lately — maybe that too should be folded into building our own community; or alternatively, something we need to expand work on. But, anyway, this is really a tangent. Like the mission and vision, I don’t think we need to mess with this much.

Objectives and Outcomes

We do have an existing list of project Objectives, which are further to the left (that is, the more concrete side of the chart) in the model. There are about three dozen specifics, falling under three high-level categories:

  • Creating a Free (as in Freedom) distribution
  • Building open source software communities
  • Developing the science and practice of building communities

These are pretty decent, but none have a timeframe attached — they are things we want to do continuously, and guidelines for how we want to do them, rather than things we want to accomplish. There’s nothing wrong with that, but we also need targets for “how much of what will be achieved by when“.

So, in the logic model framework, when we talk about our 18 month goals, we’re talking about Outcomes. Sometimes people break that box down into short-, medium-, and long-term goals, and we could do some of that if we want. For this conversation, the target is medium scale, and I think it’s fine to not overburden our own model with too many boxes.

Let’s zoom in on the top-right corner of the (did I mention, gorgeously-drawn?) ASCII diagram from above and fill in what we have:

 ... |              Outcomes             |            Impact          |
 ... | 18 Month Goals:                   | Mission: to lead the       |
     |                                   |   advancement of free and  |
 ... |    1. _________________________   |   open source software and |
     |                                   |   content as a             |
 ... |    2. _________________________   |   collaborative community. |
     |                                   |. . . . . . . . . . . . . . |
 ... |    3. _________________________   | Vision: the Fedora Project |
     |                                   |   creates a world where:   |
 ... |. . . . . . . . . . . . . . . . . .|  * free culture is         |
     |Ongoing Objectives:                |   welcoming and widespread,|
 ... | * Creating a Free (as in Freedom) |  * collaboration is        |
     |   distribution                    |   commonplace, and         |
 ... | * Building a open source software |  * people control their    |
     |   community                       |   content and devices.     |
 ... |                ...                |           ...              | 

Filling in those blanks is what this is all about. As explained in the Council charter, these will be refreshed on a continuous basis. Typically, we will make Flock, our annual planning conference, the “centerpiece” of this discussion (but always being mindful that final decisions can’t be made in a conference limited by time and space). However, with Flock just past, we don’t want this to drift in limbo until next year.

Next: Community Discussion

As I’ve mentioned previously, I have some ideas in mind for where to start (none of them surprising). I’ll post about those in individual threads on the Board Discuss mailing list over the next few days (and, given busyness with getting the F21 beta out the door, weeks). I encourage you to do the same, and comment and help improve everyone’s ideas. That way, by the time we have the initial Council in place, we’ll have a good collective idea of where to start and can seat a few of the Objective Leads quickly.



Making a bootable CD-ROM/ISO from virt-builder

virt-builder can throw out new virtual machines with existing operating systems in a few seconds, and you can also write these directly to a USB key or hard disk:

# virt-builder fedora-20 -o /dev/sdX

What you’ve not been able to do is create a bootable CD-ROM or ISO image.

For that I was using the awful livecd-creator program. This needs root and is incredibly fragile. You can have a kickstart that works one day, but not the next, and requires massive hacks to get working … which is the exact reason why I set off to find out how to make virt-builder create ISOs.


The background as to why this is difficult: CDs are not writable.

You can take all the files from a Fedora guest built by virt-builder and turn them into an ISO, and put ISOLINUX on it but such a guest would not be able to boot, or at least, it would fail the first time it tried to write to the disk. One day overlayfs (which just went upstream a few days ago) will solve this, but until that is widely available in upstream kernels, we’re going to need something that creates a writable overlay at boot time.

Boot Time

I have chosen dracut (another tool I have a love/hate, mainly hate, relationship with), which has a useful module called dmsquash-live. This implements the boot side of making a live CD writable, for Fedora and RHEL. It’s what livecd-creator uses.

dmsquash-live demands a very particular ISO layout, but it wasn’t hard to reverse engineer it by reading the code carefully and a lot of trial and error.

It requires that we have a filesystem containing a squashfs in a particular location on the CD:

/LiveOS/squashfs.img

That squashfs has to contain inside it a disk image with this precise name:

/LiveOS/rootfs.img

and the disk image is the root filesystem.

The Script

The script below creates all of this, and effectively replaces livecd-creator with something manageable that doesn’t require root, and is only 100 lines of shell (take that OO/Python!)

Update: Kashyap notes that the script will fail if you’re using tmp-on-tmpfs, so you might need to disable that or modify the script to use /var/tmp instead.

Once you’ve run the script you can try booting the image using:

$ qemu-kvm -m 2048 -cdrom boot.iso -boot d

The Future

One improvement to this script would be to remove the dependency on dmsquash-live. We don’t need the baroque complexity of this script, and could write a custom dracut module (perhaps even, a tiny self-contained initramfs) which would do what we need. It could even use overlayfs to simplify things greatly.

#!/bin/bash -

set -e

# Make bootable ISO from virt-builder
# image.
# This requires the Fedora
# squashfs/rootfs machinery.  See:
# /lib/dracut/modules.d/90dmsquash-live/dmsquash-live-root.sh

cd /tmp

# Build the regular disk image, but also
# build a special initramfs which has
# the dmsquash-live & pollcdrom modules
# enabled.  We also need to kill SELinux
# relabelling, and hence SELinux.
# The postinstall script written here is
# run inside the guest by virt-builder --run.
cat > postinstall <<'EOF'
#!/bin/bash -
version=` rpm -q kernel | sort -rV | head -1 | sed 's/kernel-//' `
echo installed kernel version: $version
dracut --no-hostonly --add "dmsquash-live pollcdrom" /boot/initrd0 $version
EOF

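# Note: the image gets a fixed root password
# (123456) and SELinux disabled; change the
# password for anything beyond local testing.
virt-builder fedora-20 \
    --install kernel \
    --root-password password:123456 \
    --edit '/etc/selinux/config:
        s/SELINUX=enforcing/SELINUX=disabled/' \
    --delete /.autorelabel \
    --run postinstall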

# Extract the root filesystem (as an ext3/4 disk image).
guestfish --progress-bars --ro -a fedora-20.img -i \
    download /dev/sda3 rootfs.img

# Update /etc/fstab in the rootfs (but NOT in the original guest)
# so it works for the CD
virt-customize -a rootfs.img \
  --write '/etc/fstab:/dev/root / ext4 defaults 1 1'

# Turn the rootfs.img into a squashfs
# which must contain the layout
# /LiveOS/rootfs.img
rm -rf CDroot
rm -f squashfs.img
mkdir -p CDroot/LiveOS
mv rootfs.img CDroot/LiveOS
mksquashfs CDroot squashfs.img

# Create the CD layout.
rm -rf CDroot
mkdir -p CDroot/LiveOS

cp squashfs.img CDroot/LiveOS/

mkdir CDroot/isolinux

# Get the kernel (only) from the disk
# image.
pushd CDroot/isolinux
virt-builder --get-kernel ../../fedora-20.img
mv vmlinuz* vmlinuz0
rm init*
# Back to /tmp: the paths below are relative to it.
popd

# Get the special initrd that we built
# above.
guestfish --ro -a fedora-20.img -i \
    download /boot/initrd0 CDroot/isolinux/initrd0

# ISOLINUX configuration.
cat > CDroot/isolinux/isolinux.cfg <<EOF
prompt 1
default 1
label 1
    kernel vmlinuz0
    append initrd=initrd0 rd.live.image root=CDLABEL=boot rootfstype=auto rd.live.debug console=tty0 rd_NO_PLYMOUTH
EOF

# Rest of ISOLINUX installation.
cp /usr/share/syslinux/isolinux.bin CDroot/isolinux/
cp /usr/share/syslinux/ldlinux.c32 CDroot/isolinux/
cp /usr/share/syslinux/libcom32.c32 CDroot/isolinux/
cp /usr/share/syslinux/libutil.c32 CDroot/isolinux/
cp /usr/share/syslinux/vesamenu.c32 CDroot/isolinux/

# Create the ISO.  The volume label (-V boot)
# must match root=CDLABEL=boot in isolinux.cfg.
rm -f boot.iso
mkisofs -o boot.iso \
    -J -r \
    -V boot \
   -b isolinux/isolinux.bin -c isolinux/boot.cat \
   -no-emul-boot -boot-load-size 4 -boot-info-table \
   CDroot
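
A preflight check for the layout described in this post, as an added example that is not part of the original script: it inspects the staging directory handed to mkisofs (CDroot) and the volume label (boot) before the ISO is written. The function names check_live_tree and append_value are made up for this example, and the magic-byte test assumes a squashfs 4 image as written by mksquashfs.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: check_live_tree CDroot boot
# Prints one line per problem; returns non-zero if any were found.
# Only the first kernel/append pair in isolinux.cfg is examined.

# Value of the first KEY=value token on the "append" line of an isolinux.cfg.
append_value() {    # append_value CFG KEY
    awk -v key="$2" '
        tolower($1) == "append" {
            for (i = 2; i <= NF; i++)
                if (index($i, key "=") == 1) {
                    print substr($i, length(key) + 2)
                    exit
                }
        }' "$1"
}

# check_live_tree DIR LABEL
#   DIR   - staging directory handed to mkisofs (CDroot in the script)
#   LABEL - volume label handed to mkisofs -V   (boot in the script)
# The body runs in a subshell, so its variables do not leak to the caller.
check_live_tree() (
    root=$1 label=$2
    cfg=$root/isolinux/isolinux.cfg
    problems=0
    problem() { echo "$*"; problems=$((problems + 1)); }

    # dmsquash-live looks for the squashfs at this fixed path on the CD.
    sq=$root/LiveOS/squashfs.img
    if [ ! -s "$sq" ]; then
        problem "missing or empty LiveOS/squashfs.img"
    elif [ "$(head -c 4 "$sq")" != "hsqs" ]; then
        # squashfs 4 images start with the magic bytes "hsqs"
        problem "LiveOS/squashfs.img does not start with squashfs magic"
    fi

    [ -s "$root/isolinux/isolinux.bin" ] ||
        problem "missing isolinux/isolinux.bin"

    if [ ! -f "$cfg" ]; then
        problem "missing isolinux/isolinux.cfg"
    else
        kernel=$(awk 'tolower($1) == "kernel" { print $2; exit }' "$cfg")
        initrd=$(append_value "$cfg" initrd)
        rootarg=$(append_value "$cfg" root)

        # Files named in the config are looked up next to isolinux.bin.
        [ -n "$kernel" ] && [ -s "$root/isolinux/$kernel" ] ||
            problem "kernel '$kernel' named in isolinux.cfg not in isolinux/"
        [ -n "$initrd" ] && [ -s "$root/isolinux/$initrd" ] ||
            problem "initrd '$initrd' named in isolinux.cfg not in isolinux/"

        # rd.live.image marks root= as a live image for dracut.
        grep -Eq '(^|[[:space:]])rd\.live\.image([[:space:]]|$)' "$cfg" ||
            problem "isolinux.cfg lacks rd.live.image"

        # root=CDLABEL=<x> must name the volume label given to mkisofs -V.
        case $rootarg in
            CDLABEL="$label") ;;
            CDLABEL=*) problem "root=$rootarg does not match volume label '$label'" ;;
            *) problem "append line has no root=CDLABEL=..." ;;
        esac
    fi

    # ISO 9660 volume identifiers are at most 32 characters.
    [ "${#label}" -le 32 ] || problem "volume label longer than 32 characters"

    [ "$problems" -eq 0 ]
)
```

Run it from /tmp just before the mkisofs step; a label mismatch between isolinux.cfg and -V is reported here instead of showing up as a boot failure.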

Server Working Group Weekly Meeting Minutes (2014-10-28)

<html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-type"/>


#fedora-meeting-1: Server Working Group Weekly Meeting (2014-10-28)

Meeting started by sgallagh at 15:01:34 UTC(full logs).

Meeting summary

  1. roll call (sgallagh, 15:01:34)
  2. Agenda (sgallagh, 15:05:07)
    1. Agenda Item: Beta RC Validation Testing (sgallagh, 15:05:11)
    2. Agenda Item: Test Day Planning (sgallagh, 15:05:15)

  3. Beta RC Validation Testing (sgallagh, 15:06:38)
    1. https://lists.fedoraproject.org/pipermail/server/2014-October/001536.html (sgallagh, 15:06:39)
    2. ACTION: nirik and pwhalen to perform ARM validation (sgallagh, 15:14:12)
    3. ACTION: sgallagh to handle Active Directory-related validation (sgallagh, 15:14:28)
    4. ACTION: danofsatx to validate Cockpit and firewall test cases. (sgallagh, 15:16:41)
    5. https://www.happyassassin.net/wikitcms/ (sgallagh, 15:19:11)
    6. For anyone who hates editing wiki pages to enter results but loves 1980s-style ‘please select a number’ TUIs, try relval (sgallagh, 15:19:27)
    7. Anyone who wants to test should do so. Do not feel limited to your committed tests either. (sgallagh, 15:21:09)
    8. https://dl.fedoraproject.org/pub/alt/stage/21_Beta_RC2/Server (sgallagh, 15:21:38)
    9. Disregard the Database Role test, as that was always a “nice-to-have” and it didn’t get implemented. (sgallagh, 15:22:46)
    10. ACTION: sgallagh to make sure that non-functional Roles don’t show up in rolekit for Final. (sgallagh, 15:24:01)
    11. ACTION: simo to try to handle the FreeIPA-based validation. May have a conflict. (sgallagh, 15:26:35)

  4. Test Day Planning (sgallagh, 15:27:19)
    1. https://fedoraproject.org/wiki/Category:FreeIPA_Test_Cases and https://fedoraproject.org/wiki/Category:Realmd_Test_Cases (adamw, 15:32:14)
    2. https://fedoraproject.org/wiki/Category:FreeIPA_Test_Cases (sgallagh, 15:32:26)
    3. https://fedoraproject.org/wiki/Category:Realmd_Test_Cases (sgallagh, 15:32:26)
    4. Test with stable packages where possible, please (sgallagh, 15:35:12)
    5. https://apps.fedoraproject.org/calendar/list/QA/?subject=Test+Day (sgallagh, 15:40:03)
    6. Fedora Server Test Day on November 7, 2014 (sgallagh, 15:44:00)
    7. ACTION: junland to set it up (sgallagh, 15:44:10)

  5. Open Floor (sgallagh, 15:44:50)

Meeting ended at 15:48:42 UTC(full logs).

Action items

  1. nirik and pwhalen to perform ARM validation
  2. sgallagh to handle Active Directory-related validation
  3. danofsatx to validate Cockpit and firewall test cases.
  4. sgallagh to make sure that non-functional Roles don’t show up in rolekit for Final.
  5. simo to try to handle the FreeIPA-based validation. May have a conflict.
  6. junland to set it up

Action items, by person

  1. danofsatx
    1. danofsatx to validate Cockpit and firewall test cases.
  2. junland
    1. junland to set it up
  3. nirik
    1. nirik and pwhalen to perform ARM validation
  4. sgallagh
    1. sgallagh to handle Active Directory-related validation
    2. sgallagh to make sure that non-functional Roles don’t show up in rolekit for Final.
  5. simo
    1. simo to try to handle the FreeIPA-based validation. May have a conflict.

People present (lines said)

  1. sgallagh (98)
  2. junland (33)
  3. adamw (26)
  4. simo (25)
  5. zodbot (13)
  6. danofsatx (11)
  7. nirik (7)
  8. stefw (3)
  9. tuanta (1)
  10. andreasn (1)
  11. mitr (0)
  12. davidstrauss (0)
  13. mizmo (0)

Generated by MeetBot 0.1.4.</body></html>

Create a chat speechbubble icon using inkscape

Here is a neat tutorial on creating a simple chat icon using inkscape by . It uses a lot of the essential basics of using inkscape, so some basic knowledge of Inkscape features is required, but


[GNU IceCat] 31.2.0

GNU Icecat is now available on Fedora repositories.

We’ve packaged the latest release, 31.2.0, based on Firefox 31 ESR. It was announced on 21 October by IceCat’s new maintainer, Rubén Rodríguez:

After many small changes and improvements I managed to produce a new
release for IceCat, available (by now) here:

Some notes:

- It is based on Firefox 31 ESR. I decided to stick to the ESR upstream
releases (https://www.mozilla.org/en-US/firefox/organizations/faq/)
because they provide security updates over a stable base. This way we
won't have to fight with changes in the APIs we base our features on.
That will also eventually allow to port privacy features from
TorBrowser, which is being upgraded to follow v31 ESR too.

- To filter privacy trackers I modified Adblock Plus to allow filter
subscriptions to be optionally enabled during Private Browsing mode. I
did some other small changes, along with removing the "acceptable ads"
pseudofeature. Because of all this I decided to rebrand the extension to
"Spyblock", to avoid confusion with the upstream project.
I also set custom lists at http://gnuzilla.gnu.org/filters/ and I made a
point of preserving self-served advertisement, as the goal is not to
block ads but to preserve privacy. That's another reason for rebranding.

- I compiled binary packages for GNU/Linux using Trisquel 6, both for 32
and 64 bit. Those binaries should work in most recent distros. These are
the ones I'm more certain that should work: Trisquel 6 and 7, Ubuntu
Precise or newer, Debian Wheezy, testing and sid. Please test in other
distros and send reports of success and any bugs you find.

- Video in h264 format (youtube, vimeo...) only shows a black screen in
my machines, but so do the precompiled Firefox bundles, so I guess they
need to be compiled in a less "portable" way for that feature to work.
It seems to work when packaged for Trisquel.

== Changes since v24 ==

 * Javascript can be disabled through the configuration interface.
 * Third party cookies are disabled.
 * Referrers are spoofed (to the same server where the file lives).
 * The user is not asked to install plugins (such as flash or java).
 * Only free software gets offered by IceCat.
 * Installed plugins (flash, java) require per-site activation.
 * DuckDuckGO as default search engine, through https and without JS.
 * DoNotTrack header enabled.
 * Reporting features disabled (Avoids send data to mozilla's partners 
   about crashes or security related events).
 * Disabled "Social API" that brings integration with Facebook.
 * Disabled "Safe browsing", which asks Google if websites are safe 
   before browsing them.
 * Disabled access to the clipboard from JS.
 * Don't recommend online services for IRC.

Preinstalled add-ons:

 * LibreJS 6.0.1 checks for the freedom of the javascript you run
 * Spyblock, custom made and based on AdblockPlus, provides:
   - A blacklist of trackers that is used in any browsing mode.
     Self-served, privacy-friendly advertising is preserved.
   - A filter for all third-party requests while in private browsing.
   - A filter for javascript data retrieval while in private browsing.
   - Autoupdate for filter lists is optional.
 * A custom homepage lists this and other features with links to 
   documentation and the possibility to disable them quickly if needed.


 * Spoofing the useragent to:
   - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
 * Fonts can be listed with these methods:
   - Plugins like java or flash: these are disabled by default in
   IceCat, requiring the user to enable them on a per-site basis. Also
   Gnash doesn't work for fingerprinting.
   - JS probing: the custom homepage allows disabling custom fonts.
 * Plugins: IceCat no longer discloses the list of installed plugins.
 * Extra spoofing: appname, appversion, buildID, oscpu and platform.
 * Request pages in English by default.

HTTPS-Everywhere is already packaged in Fedora. Request Policy is NOT included in IceCat but is packaged separately.
I don’t exclude the packaging of additional free addons in the future.


If you have previously enabled the Icecat copr project, disable it before installing IceCat from the Fedora repositories:

# dnf copr disable sagitter/Icecat
# yum install icecat --enablerepo=updates-testing


If you’re interested, please install IceCat using yum or dnf from the Fedora updates-testing repositories and leave positive/negative karma or open a bug report if something is wrong.

Weekend hack, updated

After a bit more debugging, and with some help from Jasper, here is the inspector debugging an X11 application while displaying under Wayland:

[Screenshot: Wayland inspection]

It also turns out that the GTK_INSPECTOR_DISPLAY environment variable is sufficient to make this work. I started this demo with

GTK_DEBUG=interactive GDK_BACKEND=x11,wayland \
GTK_INSPECTOR_DISPLAY=wayland-0 ./gtk3-demo

The reverse (application displaying under Wayland, inspector on X) also works:

[Screenshot: Reverse inspection]



RPM Packaging Workshop (Fedora)

A mainly technical workshop for beginners and people with intermediate knowledge who would like to build an RPM package from their own software or from software they like and use. It also covers the basics, gives useful hints for avoiding common mistakes, and adds recommendations about optimized build environments for reproducible results. Additionally, there will be a live RPM packaging demonstration for a small piece of software, including the possibility for participants to do a practical exercise by packaging another small piece of software as an RPM.

Robert Scheck is a long-time Fedora volunteer and Open Source contributor living and working near Stuttgart in Germany.

In his free time, Robert maintains various software packages in Fedora, a leading Linux distribution, and promotes the Fedora Project as an ambassador at conferences and trade fairs. Furthermore, he’s an official Fedora Mentor and supports different teams and individuals wherever needed.

The workshop will be conducted remotely from Germany on November 15, 2014 from 2pm to 8pm at Development Innovations. Use this link to register your name there, because there are only 20 seats available. Refreshments, coffee and soft drinks will be provided at the venue.

FudCon Managua 2014

There is nothing like FudCon: the opportunity to share with old friends and meet new ones, but above all to share with old and new Fedora users. Some of them will become Fedora contributors and some will not, but we always give our best to them.

This year it was the Managua, Nicaragua Fedora group, led by Neville Cross, who had the opportunity to host the event. The one-hour flight from Panama was easy, and we met Dennis Gilmore, Jared Smith and Robert Mayr, who had long flight hours to be there. But this year's travel heroes are the guys from Mexico. We had actually never heard of them before and were not aware they were coming, so it was a nice and interesting surprise to have them there. They traveled about 53 hours by bus from Mexico City to Nicaragua, across Guatemala, El Salvador, Honduras and almost half of Nicaragua, to reach Managua. Thinking about them while writing this from the comfort of my home, I hope they are well on their adventure back home.

It needs to be mentioned that these two guys have been working on events and teaching Fedora in Mexico City for over 3 years now, though they were not Fedora Ambassadors and had no relation with Fedora, and together Oscar and Efren have created a user community in Mexico City. It is a great job, and really nice to hear that when you want to do something you do not need more than motivation to do it. Congrats Efren and Oscar, hope we have you as members of the Fedora Community now.

This FudCon had the interesting attendance of Robert Mayr, who works on the Fedora websites. He showed us how the Fedora websites work and how we can help. On the last day of the FudCon, Aura Lila (a member of the Nicaragua community) joined the Websites team as she did her first commit.

Others worked on their packages, as we had Eduardo and others to teach packaging.

There were many talks, and we developed bonds with Nicaragua students and people who joined the event.

It was pretty nice to meet Eduardo Mayorga, the kid from Nicaragua who has been working in the community as a packager and more.

The Mozilla community was there, and Luis Manuel from Panama showed how to develop a small app for Firefox OS.

Hacking nights thanks to the people at Mansion Teodolinda Hotel

While Valentin Basel was giving talks and workshops about the Icaro Project, Yader Velazques started the migration of Icaro from GTK 2 to GTK 3 so it can be included in Sugar; it was almost completed.

While there are other details that may slip my mind, it was a great FudCon, as many things were accomplished. Many of them were led by the Nicaragua community, and we were there only to guide and help.

Thanks to you all for hosting us and supporting us. We will be speaking great things of you.

October 27, 2014

Computer Security Audits

In conversations with large companies and small companies, literature review and looking at best practices for security, one of the most common tools that essentially everyone uses is a security audit. In most cases the security audit is performed regularly – it isn’t just a one time event. OK, this sounds good, but what is it?

Dictionary.com definitions of audit include “an official examination and verification of accounts and records”, “the inspection or examination of a building or other facility to evaluate or improve its appropriateness, safety, efficiency or the like” as well as “to examine and verify an account by references to vouchers”.

A computer security audit means verifying that the system complies with specifications for computer security.

So far we haven’t really said anything – we’ve just laid the foundation for the three big questions:

  • What are these magical specifications for computer security? And where do they come from?
  • How is compliance against the security specifications measured?
  • How is the computer security audit performed?

Missing from this list is the huge question of what is done about lack of compliance against the security specifications. Is fixing any security issues identified in the audit considered part of the audit, or is it a separate exercise?

The oscap_source API Redesign
This blog post concerns the API redesign in libopenscap, its motives, and its implications. It is a rather significant change coming in OpenSCAP 1.2.0, though it is expected to go unnoticed by OpenSCAP users. Let me start with some historical background.

Prior to the introduction of the DataStream file format in SCAP version 1.2, there was a jungle of distinct file formats in the SCAP world. OpenSCAP implemented most of them; however, a common bond between them was utterly missing.

Hence, we ended up with a dozen independent file parsers. Each parser carried its own structures and its own ways of approaching things. Any generic routines that existed took a path to a file. Processing SCAP content meant opening files multiple times and initializing DOM or xmlReader parsers multiple times.

When the DataStream file format was introduced to the standard, OpenSCAP followed the easiest path to implement it. That is, we created a very thin layer that just decomposed a DataStream file into multiple other SCAP files. We spun up DataStream support in OpenSCAP quickly, and the easiest use cases were covered. Remember that nobody was using DataStreams at that time, so we didn't know whether DataStreams would be adopted, nor could we anticipate what the more advanced use cases would be. OpenSCAP split the DataStream internally into a temporary directory, and then we used the old file-opening parsers to parse the content of the DataStream. Later, we became unhappy with this approach: it was hard to add new functionality, such as the advanced functions for DataStream handling.

This September we reworked the whole file handling. We introduced the oscap_source structure as the abstract handle to any SCAP content. The oscap_source abstracts all the parsers from the medium, be it a file, an HTTP response or a part of another SCAP content (DataStream).

The oscap_source also abstracts the common operations one may want to call on the content. The oscap_source can tell the document type and schema version, or validate the document. Overall, the code is a bit cleaner, more efficient, and more flexible.

We have also introduced the source DataStream session and the result DataStream session. These structures hold internal information about the opened DataStream, and they can return parts of the DataStream in the form of another oscap_source.

The change involved more than 300 commits. During the work we modified each parser to bind well with oscap_source, and the old routines were deprecated. While OpenSCAP may keep the deprecated routines working for a while, library users are advised to upgrade to the new API. Each deprecated function points to the new, preferred function.

OpenSCAP is now able to work with DataStreams natively and efficiently without creating temporary files. And as a bonus, we have introduced native support for bzipped files. If the filename is *.xml.bz2, OpenSCAP will recognize the file and process it as plain XML. That is pretty cool, because it will allow us to build efficient SCAP results storage, the project SCAPtimony.
How to add a BUCS printer at the University of Bath on a Lubuntu Linux machine
You may follow the official instructions here. But the content is a bit out-dated.

If you have Lubuntu 14.04 like I do, you may try the following steps.
  1. Go to System Tools -> Printers, and click "add printer"
  2. In the text-box of "Enter URI", enter the following text (replace BUCSUSERNAME with your university username):
  3. Choose Generic driver
  4. Choose Generic Postscript Printer (Foomatic/Postscript) ....
  5. And... done! You may print a test page then.
Changing the Behaviour of Eclipse’s Update Manager

If you’ve developed plugins for the Eclipse environment, you’re moderately aware that Eclipse’s update manager can behave in strange ways from a user perspective. Things have gotten better with the p2 Remediation Support in Kepler (4.3.0) but what about dependency resolution done by Maven plugins, like Tycho, at build-time ? You get to specify a list of repositories, their content is aggregated, and if your request is satisfiable, it will be satisfied. Of course there’s some criteria p2 will attempt to optimize. For example, preferring highest version with fewest dependencies (minimize transitive closure) from a set of identically named units.

However with the increasing usage of things like software collections, I’m starting to care much more about where and how dependencies are being resolved during a build.

To understand how to even go about changing p2’s behaviour, we first need to know what is actually happening when you request to have some unit installed.  There’s a few different things happening :

  1. Installable Units are collected from the user input (units to install, and repositories provided)
  2. Installable Units are made part of a Profile Change Request
  3. Planner takes the Profile Change Request and delegates solution finding to the Projector
  4. Projector transforms request into a boolean satisfiability problem and delegates to SAT4J library
  5. If solution is found, Projector passes result back to Planner, which creates a plan (set of operations on the profile) to achieve the new state
  6. The plan is then executed on the profile by the Engine

For more information on some of the finer details of (4) I would recommend reading http://www.cril.univ-artois.fr/spip/publications/lash2010.pdf .

As a demonstration we can define an OSGi bundle org.foo.root versioned 1.0.0 which has a Require-Bundle on org.foo.bar (unversioned). We then provide org.foo.bar at various versions (eg. 1.0.0, 5.0.0, 10.0.0, 20.0.0, 50.0.0, 99.0.0). Performing the installation of org.foo.root 10 times yields the following results :

$ for i in {1..10}; do eclipse -nosplash -application org.eclipse.equinox.p2.director -repository fedora:/tmp -installIU org.foo.root -destination $(pwd)/install_$i ; done;
Installing org.foo.root 1.0.0.
Operation completed in 742 ms.
$ (for f in `find ./install_*/plugins/ -type f`; do basename $f ; done;) | sort | uniq -c
     10 org.foo.bar_99.0.0.jar
     10 org.foo.root_1.0.0.jar

So in every case that we attempted to install org.foo.root, p2 decided to satisfy the version-less requirement org.foo.bar using the latest version available (99.0.0).

Note that the p2 Director will always use the latest version of a root, so to truly test the Projector and SAT4J it is necessary to define some root and see how its dependencies are satisfied, as we did above. Also, if that “fedora:” repository scheme seemed a little strange to you, it’s because we ship a special plugin in Fedora that allows treating filesystem locations as p2 repositories , without needing all that metadata/artifact repository data on disk.

To make p2 prefer certain installable units over others, we need to hook into the component that sets the constraints for the SAT4J Solver. The Projector seems like the place for this and a quick look reveals createOptimizationFunction is probably a good starting point. We’ll want to define our own optimization (instead of StandardOptimizationFunction) function.

To favour certain locations over others, we could look at sets of units that have the same ID, and are not installed, or roots, and assign them weights based on their location. Since SAT4J will attempt to satisfy the constraints while minimizing the objective function, we can assume that lower weighted units will be preferred over higher weighted ones. In fact, installed/root units have a weight of 1. All we need to do is subclass OptimizationFunction, override createOptimizationFunction to call its parent, and then just modify the weight for the units we care about as per the repository precedence before returning the final list of weighted units.

Once we’re done adding the necessary code, and rebuilding our modifications, we’re ready to test things out.

We now change the structure of our repository as follows :

  • /tmp/repo_priority/low_priority contains org.foo.bar versions 5.0.0, 20.0.0 and 50.0.0
  • /tmp/repo_priority/high_priority contains org.foo.bar version 10.0.0.
  • /tmp/repo_priority/ contains org.foo.bar versions 1.0.0 and 99.0.0
$ export JAVACONFDIRS='/tmp/repo_priority:/tmp/repo_priority/high_priority:/tmp/repo_priority/low_priority'
$ for i in {1..10}; do eclipse -nosplash -application org.eclipse.equinox.p2.director -repository fedora:/tmp -installIU org.foo.root -destination $(pwd)/install_$i -vmargs -Dfedora.p2.scl.order=/tmp/repo_priority/high_priority,/tmp/repo_priority,/tmp/repo_priority/low_priority ; done;
Installing org.foo.root 1.0.0.
Operation completed in 550 ms.
$ (for f in `find ./install_*/plugins/ -type f`; do basename $f ; done;) | sort | uniq -c
     10 org.foo.bar_10.0.0.jar
     10 org.foo.root_1.0.0.jar

So clearly we’ve made p2 favour units within /tmp/repo_priority/high_priority over others. This was a very basic example, and I didn’t really define what should happen when multiple units are in the same “preferred” repository but hopefully even a modification as basic as this shows the kind of things possible.

Fedora 21 Beta slips by one week

The Fedora 21 Beta release, originally slated for 28 October, has slipped by one week. It is now targeted for the first week of November.

The decision was made at the last go/no-go meeting, due to several accepted blockers against the beta release. You can see the buglist with proposed and accepted blockers for the beta.

The next go/no-go meeting is scheduled for 30 October at 17:00 UTC in the #fedora-meeting-2 channel on Freenode.

All milestones and tasks are pushed back by one week, including the final release. The schedule is available on the Fedora wiki. If the schedule does not slip farther, the final freeze will be on 25 November, with the final release scheduled for 9 December.

Live Tutorial: Draw a Halloween pumpkin lantern in Inkscape!

Today István Szép of Pesto Design is holding another live tutorial event on Google Hangouts. The event is now done, but you can watch the video here. This will be a Halloween-themed event, so he will be showing us all how to draw a pumpkin jack-o-lantern in Inkscape! Don’t stress if you cannot view it live, as the videos are always available afterwards to view as well!

This is part of a series of Live Drawing Events that István has been conducting over the last few months, and they are pretty awesome! Jump over to his Google+ page to find all the videos of past events.

version module is missing from SRPM build root
Fedora 21 Release Party Phnom Penh


Currently, Fedora is at version 20. Every year, Fedora releases a new version, and this year it is Fedora 21. We are happy to host a Fedora 21 Release Party this November 14, 2014 from 5:00pm to 9pm. This event is free and open for everyone to attend.

By participating in this event, you will explore and learn more about Fedora. There will be local and international speakers who are Fedora Ambassadors from Germany and Vietnam. You will be able to interact with other Ambassadors from China, India and Sri Lanka.

You can find the detailed agenda below:

  • 5:00pm-5:30pm: Registration
  • 5:30pm-6:00pm: Fedora 21 Cake
  • 6:00pm-6:30pm: Introduction to Fedora, by Somvannda Kong (Fedora Ambassador)
  • 6:30pm-7:00pm: Fedora.Next, by Troung Anh Tuan (Member of FAmSCo & Fedora Ambassador)
  • 7:00pm-7:30pm: Fedora 21 Feature, by Ban Nisa (Fedora Lead Translation Team & Ambassador)
  • 7:30pm-8:00pm: How can you contribute to Fedora, by Sirko Kemter (Fedora Design Team & Ambassador)
  • 8:00pm-9:00pm: Party Time (networking), Everyone

Please use this link to register your seats and join with us the Release Party. We hope to see you there!!!

Authenticated Key Exchange with SPEKE or DH-EKE

I’ve been researching PAKE algorithms recently and there doesn’t seem to be a good explanation of Encrypted Key Exchange with Diffie Hellman (DH-EKE) out there. The best way to learn something is to teach it. So in that spirit, here follows my explanation of SPEKE and DH-EKE.

The Problem

Alice and Bob want to exchange data. This data is sensitive, so it needs to be encrypted and authenticated. Traditionally, there are two methods that can be used to solve this problem.

The first method is to use public-key cryptography; most commonly x509 certificates. This can provide very strong cryptography. However, it also has some weaknesses. The biggest weakness is how to trust the remote certificate. PKI is the traditional solution. But this involves trusting a third party (or, more usually, many third parties). In the current climate of espionage, this is likely to be unacceptable to Alice and Bob. Additionally, in many x509 setups, the user authentication actually happens within the encrypted channel; often by sending a password over the wire. Ewww.

The second method is to use symmetric cryptography; most commonly a shared password. The problem here is that the strength of the cryptography is inversely related to the usability of the cryptography: no easy to remember password can have the same entropy as a randomly generated 4096-bit number.

The Solution

Enter PAKE. Password Authenticated Key Exchange allows Alice and Bob to establish an ad hoc session key used to encrypt all their data with strong cryptography while establishing mutual trust through a shared password. Furthermore, when using PAKE, an attacker who is able to listen in on the conversation or modify the packets sent will learn nothing about the password used to authenticate the exchange nor about the strong session key itself. Nor is any trust in a third party required.

The basic principle of PAKE is to use a weak shared password to authenticate an exchange of strong, randomly generated public keys. Once completed, these keys can be used to derive session keys. Even though weak passwords are used, they are (hopefully) used in such a way so as not to jeopardize the creation of a strong session key.

While there are a variety of PAKE algorithms, in this article I will be focusing on two very similar algorithms: SPEKE and DH-EKE. These two algorithms are well defined and tested. That is not to say that they are perfectly secure. Both algorithms have various weaknesses. Some newer algorithms promise to solve some of these problems. It is, however, outside the scope of this article to evaluate all of these. So I’ll stick with two of the more traditional algorithms.

Diffie-Hellman Key Exchange

[Table: Diffie-Hellman Key Exchange]

In order to understand DH-EKE or SPEKE, we must first understand the underlying Diffie-Hellman Key exchange (DHKE). DHKE allows two parties to create a key used for exchanging encrypted data from the exchange of two public keys from a set of public/private key pairs.

In the table above, uppercase values are private (they need to be secret) and lowercase values are public.

Here is how it works (these numbers correspond to the steps in the above table):

  1. Both parties agree on parameters of the exchange. These parameters are public and this agreement can happen over the network. The variable p is a large safe prime. Similarly, g is a generator for a finite cyclic group.
  2. Alice generates a random private key (A) and a corresponding public key (a). Bob does the same (B and b, respectively).
  3. Both parties exchange their public keys over the network.
  4. Alice calculates the encryption key (K) by raising Bob’s public key (b) to the power of her own secret key (A) modulo p. Similarly, Bob calculates the same encryption key (K) by raising Alice’s public key (a) to the power of his own secret key (B) modulo p.
  5. All network data is encrypted using the calculated key. Data can be decrypted by either party, because each can compute K from its own secret key. Since the secret keys are never transmitted over the network and it is not possible to determine the private key from the public key or the parameters, an eavesdropper cannot decrypt the data.

A few caveats are necessary at this point.

First, K is almost never used as the encryption key directly, since it may have some weak bits. Usually, a derived key (K’) is calculated using hashing to eliminate this weakness.

Second, while it is true that K (or K’) is secret and anything it encrypts can be decrypted only by the two parties who performed this exchange, this is completely vulnerable to a man-in-the-middle (MitM) attack. This is because neither side of the exchange is authenticated. Hence the need for an authenticated key exchange.

Simple Password Exponential Key Exchange (SPEKE)

[Table: Simple Password Exponential Key Exchange]

SPEKE makes only one small change to the Diffie-Hellman Key Exchange. Rather than agreeing on a shared generator, each party will compute a generator (G; Step 2) by squaring the hash of some shared password. Because the generator (G) is now derived from a password, it is private.

Note that in Step 5, Alice’s computation of K will be the same as Bob’s computation of K if and only if the shared passwords used in Step 2 are the same. Hence, if only Alice and Bob know the shared password, then this algorithm is safe from a MitM attack. And since the generator (G) is private, no offline dictionary attack is possible.

Note well, however, that no validation of K has occurred. So while Alice knows that data encrypted with K cannot be read by anyone but Bob, she still doesn’t know whether the person on the other end of the exchange is, in fact, Bob. If it isn’t Bob on the other end, K will contain a nonsensical value and any data encrypted by it will be irretrievable (assuming the security of the underlying cryptography system).

SPEKE has two major weaknesses, however.

First, because the hash of the password is squared to create the generator (G), there is a guaranteed collision of an inverse hash. That is, both the hash of the password and the inverse of the hash of the password will output the same generator (G). This means that a clever attacker could, with some advanced planning, attempt at least two password guesses at once; halving the time required to successfully execute a dictionary attack.

Second, because the square of the hash of the password cannot efficiently generate a point on an elliptic curve, SPEKE is entirely incompatible with elliptic curve cryptography. It is possible to work around this by using an admissible encoding formula to ensure that all potential password hash values can be permuted to fall as a point on an elliptic curve.

Diffie-Hellman Encrypted Key Exchange

[Table: Diffie-Hellman Encrypted Key Exchange]

Like SPEKE, DH-EKE presumes that each side knows a shared secret. This is typically a hash of a password (Step 1). However, instead of changing the generator (g), DH-EKE encrypts one or both of the public keys during transmission (Step 4a, 4b, and 4c list the traditional variants; all of equal strength). This leads to two outcomes.

First, because this encryption is unauthenticated, so long as the public keys (a or b) are indistinguishable from random, it will be impossible to tell whether decryption of these values was successful, making offline dictionary attacks impossible.

Second, if Alice’s password is different from Bob’s, then Alice’s K will be different than Bob’s K. This implies that a MitM attack is also impossible. Note well, again, that no validation of K has occurred. Hence, if Alice encrypts something for Bob using K, it will be decryptable if and only if Bob is on the other side of the connection and he knows the password. Otherwise, the resulting encrypted data will be undecryptable.

Like SPEKE, DH-EKE has two weaknesses. Both of these weaknesses are caused by the presumption that the public keys are indistinguishable from random.

First, when using standard discrete log problems, at least some of the bits of the public keys are predictable. This is by definition since the value of the public key is between 1 and p-1 and the buffer it is sent in is a multiple of 8-bits. Thus, there will always be some zero bits. While this is not likely to enable an offline dictionary attack, it may be sufficient to allow offline elimination of some passwords. There may be some way to mitigate these weak bits, but there is no such mitigation standardized so any attempted mitigation is of unknown value.

Second, the same problem exists for elliptic curves, only much worse. This weakness at least has a workaround where admissible encodings can be used to hash the elliptic curve points before being encrypted. This has been well defined in the EC-DH-EKE with an admissible encoding variant; along with several other derivatives of this approach. It is beyond the scope of this article to enumerate all of these.

Key Validation

[Table: Key Validation]

I have elected to omit key validation from the descriptions of SPEKE and DH-EKE above. However, key validation is necessary in most cases to establish trust. There are a variety of methods for implementing key validation. I have listed two commonly used validation techniques in the above table. Both of them use some undefined key derivation technique to derive K’ from K.

In validation Option 1, Alice and Bob independently create a random value. After exchanging the random values using the specified schema, each side can test that the returned random value matches the one that was sent. This proves that both sides have the same K.

In validation Option 2, Alice and Bob simply exchange hashed values of K’. Since either side can compute these values independently, each side can verify the other value. Again, this proves that both sides have the same K.
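
The exchanges this article walks through (plain DHKE, SPEKE, DH-EKE with both public keys encrypted, and validation Option 2), written out in Python as an added example that is not part of the original post. Assumptions not taken from the article: a constructed 29-bit toy safe prime, SHA-256 for the password hash and for deriving K', an XOR pad standing in for the unauthenticated cipher, role labels inside the confirmation hashes, a range check on received public values, and all function names.

```python
import hashlib
import hmac
import math
import secrets

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def toy_safe_prime(start):
    """Largest safe prime p = 2q + 1 not above the odd number `start`."""
    p = start
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p -= 2
    return p

# Constructed toy parameters: a 29-bit group is far too small for real use.
P = toy_safe_prime(2**29 - 1)   # public safe prime p
Q = (P - 1) // 2                # prime order of the subgroup of squares
G_PUBLIC = 4                    # public generator g (a square, so order q)
NBYTES = 4                      # wire size of a public key: 32 bits > 29

def h(*parts):
    """SHA-256 over length-prefixed parts."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def keypair(g):
    priv = secrets.randbelow(Q - 1) + 1        # private key in 1..q-1
    return priv, pow(g, priv, P)               # (uppercase, lowercase)

def shared(peer_pub, priv):
    """K = peer_pub^priv mod p; None if the peer value is outside 2..p-2."""
    if not 2 <= peer_pub <= P - 2:
        return None
    return pow(peer_pub, priv, P)

def exchange(g_alice, g_bob):
    """Steps 2-4 of DHKE; each side uses the generator it believes in."""
    A, a = keypair(g_alice)
    B, b = keypair(g_bob)
    return shared(b, A), shared(a, B)          # (Alice's K, Bob's K)

def speke(pw_alice, pw_bob):
    """SPEKE: the same exchange with G = H(password)^2 mod p kept private."""
    gen = lambda pw: pow(int.from_bytes(h(b"speke", pw), "big"), 2, P)
    return exchange(gen(pw_alice), gen(pw_bob))

def pw_crypt(password, nonce, data):
    """Unauthenticated XOR pad from the password: stand-in for a real cipher."""
    pad = h(b"eke", password, nonce)[:NBYTES]
    return bytes(x ^ y for x, y in zip(data, pad))

def eke_send(password, pub):
    nonce = secrets.token_bytes(16)            # public, fresh per message
    return nonce, pw_crypt(password, nonce, pub.to_bytes(NBYTES, "big"))

def eke_recv(password, msg):
    nonce, ciphertext = msg
    return int.from_bytes(pw_crypt(password, nonce, ciphertext), "big")

def dh_eke(pw_alice, pw_bob):
    """DH-EKE variant that encrypts both public keys with the password."""
    A, a = keypair(G_PUBLIC)
    B, b = keypair(G_PUBLIC)
    msg_a, msg_b = eke_send(pw_alice, a), eke_send(pw_bob, b)
    k_alice = shared(eke_recv(pw_alice, msg_b), A)
    k_bob = shared(eke_recv(pw_bob, msg_a), B)
    return k_alice, k_bob, msg_a               # msg_a is what a listener sees

def still_possible(candidate, msg):
    """Weak-bits check: does this password decrypt msg to a value in 2..p-2?"""
    return 2 <= eke_recv(candidate, msg) <= P - 2

def confirm_tag(role, k):
    k_prime = h(b"kdf", k.to_bytes(NBYTES, "big"))   # K' derived from K
    return h(b"confirm", role, k_prime)

def validate(k_alice, k_bob):
    """Option 2: each side sends a hash of K' and checks the one it receives."""
    if k_alice is None or k_bob is None:
        return False                           # a side already aborted
    bob_accepts = hmac.compare_digest(
        confirm_tag(b"alice", k_alice), confirm_tag(b"alice", k_bob))
    alice_accepts = hmac.compare_digest(
        confirm_tag(b"bob", k_bob), confirm_tag(b"bob", k_alice))
    return alice_accepts and bob_accepts
```

With this 29-bit prime carried in a 32-bit field, the top three bits of every public key are zero, so still_possible rules out roughly seven of every eight wrong passwords per observed message. That is the weak-bits problem described for DH-EKE above, and it is why the encoded public key has to be indistinguishable from random.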








October 26, 2014

How I got a laptop

In May, I started a Pledgie campaign and wrote an email to the Fedora Drupal Development list, where I described my plan. But a few weeks later my EEE PC died, so I had to look for a used/new laptop. I could use my mother's computer and the old desktop PC of my bride's father for a while; nevertheless, I could not package anything since August.
However, Jared Smith sent an email and offered his help: he had an old Thinkpad that he could bring with him to Flock. I thought this was a very generous offer, but I did not want this to be a burden to him. Since I could not go to Flock, he did not give it to me, but he was persistent. :)

In the middle of September I got some email from Jared, he said...

Are you (or someone else from Hungary) going to be at DrupalCon Amsterdam? I have a laptop for you that I'd like to get to you. If not, I can try to ship it from Amsterdam.

I just talked to Gábor Hojtsy, and he said he'd be happy to take the laptop back to Hungary. Now we just have to figure out how to get it from him to you back in Hungary.

Almost a week before, I went to Gábor to get that laptop. Later, I learned that Jared's employer, Bluehost, donated this laptop, so I would like to thank Bluehost as well!

Jared, Gábor, I really appreciate your help and support!

How to automatically crop an exported pdf diagram produced by LibreOffice Draw?
A cropped PDF diagram is particularly useful when you need a diagram for a LaTeX document. I have not found a neat and direct way to solve this by using Draw alone. Here is a handy method I arrived at to handle this automatically.

  1. Export the diagram as a pdf file as normal. It is unnecessary to change the size of the page.
  2. Use pdfcrop to automatically crop the exported pdf file. For example, you may use the following command:
pdfcrop original.pdf cropped.pdf

More usages are found at: http://manpages.ubuntu.com/manpages/gutsy/man1/pdfcrop.1.html

You may also add some margins. There are options available.

pdfcrop depends on some TeX tools and is included in the package texlive-extra-utils. To install it on Ubuntu (or its derivatives), you may use the following command:
sudo apt-get install texlive-extra-utils

October 25, 2014

Latinoware 2014
The Latin American Free Software Conference (Latinoware) was held from October 15 to 17, 2014, on the grounds of the ITAIPU Technological Park (PTI) in the city of Foz do Iguaçu, PR.

Photo 1 - Area where the stands are located.

The Fedora Project was present at one more major event, with the goal of showing participants the value of free software in society, in business, and in public and private bodies. It also sought to add value to the Fedora Project, such as new contributors. The Fedora Project had the participation of Ambassadors from various places in Brazil and Latin America.

Photo 2 - Ambassadors.

At this edition the Fedora Project gave several talks, among which we highlight:

  • Digital Inclusion with Fedora (Eduardo Sena);
  • ARM on Fedora (Marcelo Barbosa);
  • Barcula server with Fedora + success case (Daniel Lara);
  • Fedora QA (Wolnei Junior);
  • Fedora: Beyond the Project: the Fedora Electronic Labs Spin - FEL (Davi Souza);

We also had several activities at our stand, including a short packaging course with Ambassador Rino, as well as raffles and games with the participants.

Photo 3 - Davi's talk.

Photo 4 - Fedora stand.

Photo 5 - Fedora stand.

Photo 6 - Fedora giveaways.

Photo 7 - Short packaging course with Rino.

The Fedora Project also handed out media, pens, buttons and stickers. At the end of the event I can say that we planted many seeds, which will certainly bear us much fruit. I thank the Fedora Project for the support, and for believing in our work in the community.

Other photos