Talking at FOSSASIA 2016 in Singapore

This year I was able to attend this year’s FOSSASIA in Singapore. It’s quite a decently sized event with more than 150 speakers and more than 1000 people attending. Given the number of speakers you can infer that there was an insane number of talks in the two and a half day of the conference. I’ve seen recordings being made so I would expect those to show up at some stage, but I don’t have any details. The atmosphere was very friendly and the venue a-maze-ing. By that I mean that it was a fantastic and huge maze. We were hosted in Singapore’s Science Museum which exhibits various things around biology, physics, chemistry, and much more. It is a rather large building in which it was easy to get lost. But it was great being among those sciency exhibits and to exchange ideas and thoughts. Sometimes, we could see an experiment being made as a show to the kids visiting the museum. These shows included a Tesla coil or a fire tornado. Quite impressive.

One of the first things I could see was Cat Altmann talking about her position being in the field of marketing which, she says, engineers tend to not like. But as opposed to making people like things they don’t need or want, she is rather concerned with reaching out to people to open source code. The Making and Science team within Google exists to work on things like sending kids from under resourced schools to field trips. Science also plays a role in this year’s Summer of Code. 43+ out of 180 projects are related to science, she said.

Nikolai talked about the Nefertiti hack. In case you missed it, the Nefertiti was “cloned”. The bust is a 3000 years old artefact which is housed in Berlin and is publicly available (for people who can travel to Berlin…). The high resolution data of the scanned object is, however, not available, along with many many other data that the museums have about their objects. He compared that behaviour to colonisation; I couldn’t really follow why, though. Anyway, they managed to scan the bust themselves by sneaking into the museum and now they’ve released the data. Their aim, as far as I could follow, was to empower people to decide about what culture is and what not. Currently, it is the administration which decides, he said. With the data (and I think with a printed copy of the bust) they travelled to Egypt to make an exhibition. But beforehand, they had produced a video which substantiates the claim of having found a second bust while digging for artefacts. The talk itself was interesting, but the presentation was bad. the speaker was lost a few times and didn’t know how to handle the technical side of the presentation. Anyway, I like it when such guerrilla art makes it into the news.

Lenny talked about systemd which uncovered some news that you may have missed if you’re not following its development too closely. He said that systemd has moved to github and while it’s attracting new contributors it still has major issues which he didn’t mention though. A component named networkd is now the default on both Fedora and Ubuntu. It’s a rather underwhelming piece of software though, because it has no runtime interface. The nspawn tool is used by CoreOS’ rkt docker alternative. He also mentioned sd-bus which he claims is a replacement for the reference DBus implementation. Another interesting thing he mentioned is that systemd can not only do socket activation but also USB Function FS activation. So whenever you are in the need to start your USB gadget only when the USB cable has been plugged in, systemd may be for you.

In another session, Lenny continued talking about systemd with regards to its container capabilities. Containers are all the rage, right..? He said that all the systemd tools work on containers, too, with the -M switch. systemd also just works inside a container, with the exception of Docker, he said. It is also possible to make systemd download and verify images to run full system images. Funnily enough, he said, Ubuntu images are properly signed but Fedora images are not.

I also had a talk and a workshop to give. The workshop was titled “Functionality, Security, Usability: Choose any two. Or GNOME.” which is a bit sensational, I admit. I’m not experienced with holding workshops and it was unclear to me what to expect. Workshop sounds to me like people come and they want to hack on something. The venue, however, was not necessarily equipped with a reliable Internet connection for the attendees. Also, the time was set to one hour. I don’t think you can do a meaningful workshop within one hour. so I didn’t really know how to prepare. I ended up ranting about OpenPGP, GnuPG, and SKS. Then I invited people to hack on GNOME Keysign which was a bit difficult. given the time constraints we had. Well, that I mainly had, because I was meant to give a proper talk shortly after.

During my talk, I gave a glimpse on what to expect from GNOME 3.20 codename Delhi. It was a day before the release, so it was the perfect timing for getting people excited. And I think it worked reasonably well. I would have loved to be able to show the release video, but it wasn’t finished until then. So I mainly showed screenshots of the changes and discussed on a high level what GNOME is and what it is not. People were quite engaged and still believe GNOME 3 was designed for tablets.

FOSSASIA used to be in Vietnam and it was actually co-hosted with GNOME.Asia Summit once. It smells like we could see such a double event in the future, but probably in Singapore. I think that’d be great, because FOSSASIA is a well organised event, albeit a little chaos here and there. But who doesn’t have that… In fact, I nearly couldn’t make it to the conference, because GNOME did not react for two weeks so the conference removed me from the schedule. Eventually, things worked out, so all is good and I would like to thank the GNOME Foundation for contributing to the coverage of the costs.

Sponsored by GNOME!

FOSDEM 2016

It the beginning of the year and, surprise, FOSDEM happened :-) This year I even managed to get to see some talks and to meet people! Still not as many as I would have liked, but I’m getting there…

Lenny talked about systemd and what is going to be added in the near future. Among many things, he made DNSSEC stand out. I not sure yet whether I like it or not. One the one hand, you might get more confidence in your DNS results. Although, as he said, the benefits are small as authentication of your bank happens on a different layer.

Giovanni talked about the importance of FOSS in the surveillance era. He began by mentioning that France declared the state of emergency after the Paris attacks. That, however, is not in line with democratic thinking, he said. It’s a tool from a few dozens of years ago, he said. With that emergency state, the government tries to weaken encryption and to ban any technology that may be used by so called terrorists. That may very well include black Seat cars like the ones used by the Paris attackers. But you cannot ban simple tools like that, he said. He said that we should make our tools much more accessible by using standard FLOSS licenses. He alluded to OpenSSL’s weird license being the culprit that caused Heartbleed not to have been found earlier. He also urged the audience to develop simpler and better tools. He complained about GnuPG being too cumbersome to use. I think the talk was a mixed bag of topics and got lost over the many topics at hand. Anyway, he concluded with an interesting interpretation of Franklin’s quote: If you sacrifice software freedom for security you deserve neither. I fully agree.

In a terrible Frenglish, Ludovic presented on Python’s async and await keywords. He said you must not confuse asynchronous and parallel execution. With asynchronous execution, all tasks are started but only one task finishes at a time. With parallel execution, however, tasks can also finish at the same time. I don’t know yet whether that description convinces me. Anyway, you should use async, he said, when dealing with sending or receiving data over a (mobile) network. Compared to (p)threads, you work cooperatively on the scheduling as opposed to preemptive scheduling (compare time.sleep vs. asyncio.sleep).

Aleksander was talking on the Tizen security model. I knew that they were using SMACK, but they also use a classic DAC system by simply separating users. Cynara is the new kid on the block. It is a userspace privilege checker. A service, like GPS, if accessed via some form of RPC, sends the credentials it received from the client to Cynara which then makes a decision as to whether access is allowed or not. So it seems to be an “inside out” broker. Instead of having something like a reference monitor which dispatches requests to a server only if you are allowed to, the server needs to check itself. He went on talking about how applications integrate with Cynara, like where to store files and how to label them. The credentials which are passed around are a SMACK label to identify the application. The user id which runs the application and privilege which represents the requested privilege. I suppose that the Cynara system only makes sense once you can safely identify an application which, I think, you can only do properly when you are using something like SMACK to assign label during installation.

Daniel was then talking about his USBGuard project. It’s basically a firewall for USB devices. I found that particularly interesting, because I have a history with USB security and I do know that random USB devices pose a problem. We are also working on integrating USB blocking capabilities with GNOME, so I was keen on meeting Daniel. He presented his program, what it does, and how to use it. I think it’s a good initiative and we should certainly continue exploring the realm of blocking USB devices. It’s unfortunate, though, that he has made some weird technological choices like using C++ or a weird IPC system. If it was using D-Bus then we could make use of it easily :-/ The talk was actually followed by Krzyzstof who I reported on last time, who built USB devices in software. As I always wanted to do that, I approached him and complained about my problems doing so ;-)

Chris from wolfSSL explained how they do testing for their TLS implementation. wolfSSL is 10 years old and secures over 1 billion endpoints, he said. Most interestingly, they have interoperability testing with other TLS implementations. He said they want to be the most well tested TLS library available which I think is a very good goal! He was a very good speaker and I really enjoyed learning about their different testing strategies.

I didn’t really follow what Pam was talking about implicit trademark and patent licenses. But it seems to be an open question whether patents and trademarks are treated similarly when it comes to granting someone the right to use “the software”. But I didn’t really understand why it would be a question, because I haven’t heard about a case in which it was argued that the right on the name of the software had also been transferred. But then again, I am not a lawyer and I don’t want to become one…

Jeremiah referred on safety-critical FOSS. Safety critical, he said, was functional safety which means that your device must limp back home at a lower gear if anything goes wrong. He mentioned several standards like IEC 61508, ISO 26262, and others. Some of these standards define “Safety Integrity Levels” which define how likely risks are. Some GNU/Linux systems have gone through that certification process, he said. But I didn’t really understand what copylefted software has to do with it. The automotive industry seems to be an entirely different animal…

If you’ve missed this year’s FOSDEM, you may want to have a look at the recordings. It’s not VoCCC type quality like with the CCCongress, but still good. Also, you can look forward to next year’s FOSDEM! Brussels is nice, although they could improve the weather ;-) See you next year!

Using NetworkManager to export your WiFi settings as a barcode

With my new phone, I needed to migrate all the WiFi settings. For some reason, it seems to be hard to export WiFi configuration from Android and import it in another. The same holds true for GNOME, I guess.

The only way of getting WiFi configuration into your Android phone (when not being able to write the wpa_supplicant file) seems to be barcodes! When using the barcode reader application, you can scan a code in a certain format and the application would then create a wifi configuration for you.

I quickly cooked up something that allows me to “export” my laptop’s NetworkManager WiFis via a QR code. You can run create_barcode_from_wifi.py and it creates a barcode of your currently active configuration, if any. You will also see a list of known configurations which you can then select via the index. The excellent examples in the NetworkManager’s git repository helped me to get my things done quickly. There’s really good stuff in there.

I found out that I needed to explicitely render the QR code black on white, otherwise the scanning app wouldn’t work nicely. Also, I needed to make the terminal’s font smaller or go into fullscreen with F11 in order for the barcode to be printed fully on my screen. If you have a smaller screen than, say, 1360×768, I guess you will have a problem using that. In that case, you can simply let PyQRCode render a PNG, EPS, or SVG. Funnily enough, I found it extremely hard to print either of those formats on an A4 sheet. The generated EPS looks empty:

Printing that anyway through Evince makes either CUPS or my printer die. Converting with ImageMagick, using convert /tmp/barcode.eps -resize 1240x1753 -extent 1240x1753 -gravity center -units PixelsPerInch -density 150x150 /tmp/barcode.eps.pdf
makes everything very blurry.

Using the PNG version with Eye of GNOME does not allow to scale the image up to my desired size, although I do want to print the code as big as possible on my A4 sheet:

Now you could argue that, well, just render your PNG bigger. But I can’t. It seems to be a limitation of the PyQRCode library. But there is the SVG, right? Turns out, that eog still doesn’t allow me to print the image any bigger. Needless to say that I didn’t have inkscape installed to make it work… So I went ahead and used LaTeX instead

Anyway, you can get the code on github and gitlab. I guess it might make sense to push it down to NetworkManager, but as I am more productive in writing Python, I went ahead with it without thinking much about proper integration.

After being able to produce Android compatible WiFi QR codes, I also wanted to be able to scan those with my GNOME Laptop to not having to enter passwords manually. The ingredients for a solution to this problem is parsing the string encoded as a barcode and creating a connection via the excellent NetworkManager API. Creating the connection is comparatively easy, given that an example already exists. Parsing the string, however, is a bit more complex than I initially thought. The grammar of that WiFi encoding language is a bit insane in the sense that it allows multiple encodings for the same thing and that it is not clear to encode (or decode) certain networks. For example, imagine your password is 12345678. The encoding format now wants to know whether that is ASCII characters or the hex encoded passphrase (i.e. the hex encoded bytes 0x12,0x34,0x56,0x78). In the former case, the encoded passphrase must be quoted with double quotes, e.g. P:"12345678";. Fair enough. Now, let’s imagine the password is "12345678" (yes, with the quotes). Then you need to hex encode that ASCII string to P:22313233343536373822. But, as it turns out, that’s not what people have done, so I have seen quite a few weird QR codes for Wifis out there :(

Long story short, the scan_wifi_code.py program should also scan your barcode and create a new WiFi connection for you.

Do you have any other ideas how to migrate wifi settings from one device to another?

On GNOME Governance

On 2015-10-04 it was announced that the governing body of the GNOME Foundation, the Board, has a vacant seat. That body was elected about 15 weeks earlier. The elections are very democratic, they use an STV system to make as many votes as possible count. So far, no replacement has been officially announced. The question of what strategy to use in order to find the replacement has been left unanswered. Let me summarise the facts and comment on the strategy I wish the GNOME project to follow.

The STV system used can be a bit hard to comprehend, at first, so let me show you the effects of an STV system based on the last GNOME elections. With STV systems, the electorate can vote for more than one candidate. An algorithm then determines how to split up the votes, if necessary. Let’s have a look at the last election’s first votes:

elections-initial-votes

We see the initial votes, that is, the number of ballots in which a candidate was chosen first. If a candidate gets eliminated, either because the number of votes is sufficient to get elected or because the candidate has the least votes and cannot be elected anymore, the vote of the ballot is being transferred onto the next candidate.

In the chart we see that the electorate chose to place 19 or more votes onto two candidates who got directly elected. Overall, six candidates have received 13 or more votes. Other candidates have at least 30% less votes than that. If we had a “simple” voting mechanism, the result would be the seven candidates with the most votes. I would have been one of them.

But that’s not how our voting system works, because, as we can see below, the picture of accumulated votes looks differently just before eliminating the last candidate (i.e. me):

elections-final-votes

If you compare the top seven now, you observe that one candidate received votes from other candidates who got eliminated and managed to get in.

We can also see from the result that the final seat was given to 17.12 votes and that the first runner-up had 16.44 votes. So this is quite close. The second runner-up received 10.39 votes, or 63% of the votes of the first runner-up (so the first runner-up received 158% of the votes of the second runner-up).

We can also visually identify this effect by observing a group of eight which accumulated the lion’s share of the votes. It is followed by a group of five.

Now one out of the seven elected candidates needed to drop out, creating a vacancy. The Foundation has a set of rules, the bylaws, which regulate vacancies. They are pretty much geared towards maintaining an operational state even with a few directors left and do not mandate any particular behaviour, especially not to follow the latest election results.

But.

Of course this is not about what is legally possible, because that’s the baseline, the bare minimum we expect to see. The GNOME Foundation’s Board is one of the few democratically elected bodies. It is a well respected entity in industry as well as other Free Software communities. I want it to stay that way. Most things in Free Software are not very democratic; and that’s perfectly fine. But we chose to have a very democratic system around the governing body and I think that it would leave a bad taste if the GNOME Foundation chooses to not follow these rather young election results. I believe that its reputation can be damaged if the impression of forming a cabal, of not listening to its own membership, prevails. I interpret the results as a strong statement of its membership for those eight candidates. GNOME already has to struggle with accusations of it not listening to its users. I’d rather want to get rid of it, not fueling it by extending it to its electorate. We’re in the process of acquiring sponsors for our events and I don’t think it’s received well if the body ignores its own processes. I’d also rather value the membership more rather than producing arguments for those members who chose to not vote at all and try to increase the number of members who actually vote.

GUADEC 2015 in Gothenburg, Sweden

This summer, GUADEC, the GNOME Users and Developers Conference took place in Gothenburg, Sweden. It’s a lovely city, especially in summer, with nice people, excellent beers, and good infrastructure. Fun fact: Unisex toilet seem to be very popular in Gothenburg. The conference was hosted in sort of a convention centre and was well equipped to serve our needs. I guess we’ve been around 150 people to come together in order to discuss and celebrate our favourite Free Software project: GNOME.

One of the remarkable talks I attended was given by Matthias Kirschner from the FSFE presented on software freedom and how is concerned about the computer as a general purpose machine. So his talk was title “The computer as a Universal Machine”. He was afraid that the computing machines we are using become more and more special purpose devices rather than a general purpose machine. He gave examples of how he thinks that has happened, like corporations hiding the source code or otherwise limit access to change the behaviour of the computing machines we are using. Other examples were media with Digital Restrictions Management. Essentially it is about removing features instead of widening the functionality. As such, SIM locks also served an example. With SIM locks, you cannot change your SIM card when, say, you are on holidays. More examples he gave were the region code of DVDs or copy restrictions on CD-ROMs. He was also referring to the Sony CD story from a couple of years ago when they infected buyers of their CD-ROMs or the Amazon fiasco where they deleted books on their reader devices. Essentially, these companies are trying to put the user into the back-seat when it comes to take control over your devices.

While protecting the owner of the computer sounds useful in a few scenarios, like with ATMs, it can be used against the owner easily, if the owner cannot exercise control over what the machine considers trusted. A way to counter this, he said, is to first simply not accept the fact that someone else is trying to limit the amount of control you can exercise over your machines. Another thing to do, according to him, is to ask for Free Software when you go shopping, like asking for computers with a pre-installed GNU/Linux system. I liked most parts of the talk, especially because of the focus on Free Software. Although I also think that for most parts he was preaching to the choir. But I still think that it’s important to remind ourselves of our Free Software mission.

Impressively enough, you can already watch most of the Videos! It’s quite amazing that they have already been cut and post-process so that we can watch all the things that we missed. I am especially looking forward to Christian’s talk on Builder and the Design session.

I really like going to GUADEC, because it is so much easier and more pleasant to communicate with people in-person rather than on low bandwidth channels such as IRC or eMail. I could connect my students with all these smart people who know much more about the GNOME stack than I do. And I was able to ask so many things I hadn’t understood. Let’s hope there will be GUADEC next year! If you are interested in hosting next year’s edition, you should consider submitting a bid!

On my travel back I realised that the Frankfurt Airport is running Ubuntu:

I want to thank the GNOME Foundation for sponsoring my travel to GUADEC 2015.
Sponsored by GNOME!

Open Source Hong Kong 2015

Recently, I’ve been to Hong Kong for Open Source Hong Kong 2015, which is the heritage of the GNOME.Asia Summit 2012 we’ve had in Hong Kong. The organisers apparently liked their experience when organising GNOME.Asia Summit in 2012 and continued to organise Free Software events. When talking to organisers, they said that more than 1000 people registered for the gratis event. While those 1000 were not present, half of them are more realistic.

Olivier from Amazon Web Services Klein was opening the conference with his keynote on Big Data and Open Source. He began with a quote from RMS: about the “Free” in Free Software referring to freedom, not price. He followed with the question of how does Big Data fit into the spirit of Free Software. He answered shortly afterwards by saying that technologies like Hadoop allow you to mess around with large data sets on commodity hardware rather than requiring you to build a heavy data center first. The talk then, although he said it would not, went into a subtle sales pitch for AWS. So we learned about AWS’ Global Infrastructure, like how well located the AWS servers are, how the AWS architecture helps you to perform your tasks, how everything in AWS is an API, etc. I wasn’t all too impressed, but then he demoed how he uses various Amazon services to analyse Twitter for certain keywords. Of course, analysing Twitter is not that impressive, but being able to do that within a few second with relatively few lines of code impressed me. I was also impressed by his demoing skills. Of course, one part of his demo failed, but he was reacting very professionally, e.g. he quickly opened a WiFi hotspot on his phone to use that as an alternative uplink. Also, he quickly grasped what was going on on his remote Amazon machine by quickly glancing over netstat and ps output.

The next talk I attended was on trans-compiling given by Andi Li. He was talking about Haxe and how it compiles to various other languages. Think Closure, Scala, and Groovy which all compile to Java bytecode. But on steroids. Haxe apparently compiles to code in another language. So Haxe is a in a sense like Emcripten or Vala, but a much more generic source-to-source compiler. He referred about the advantages and disadvantages of Haxe, but he lost me when he was saying that more abstraction is better. The examples he gave were quite impressive. I still don’t think trans-compiling is particularly useful outside the realm of academic experiments, but I’m still intrigued by the fact that you can make use of Haxe’s own language features to conveniently write programs in languages that don’t provide those features. That seems to be the origin of the tool: Flash. So unless you have a proper language with a proper stdlib, you don’t need Haxe…

From the six parallel tracks, I chose to attend the one on BDD in Mediawiki by Baochuan Lu. He started out by providing his motivation for his work. He loves Free/Libre and Open Source software, because it provides a life-long learning environment as well as a very supportive community. He is also a teacher and makes his students contribute to Free Software projects in order to get real-life experience with software development. As a professor, he said, one of his fears when starting these projects was being considered as the expert™ although he doesn’t know much about Free Software development. This, he said, is shared by many professors which is why they would not consider entering the public realm of contributing to Free Software projects. But he reached out to the (Mediawiki) community and got amazing responses and an awful lot of help.
He continued by introducing to Mediawiki, which, he said, is a platform which powers many Wikimedia Foundation projects such as the Wikipedia, Wikibooks, Wikiversity, and others. One of the strategies for testing the Mediawiki is to use Selenium and Cucumber for automated tests. He introduced the basic concepts of Behaviour Driven Development (BDD), such as being short and concise in your test cases or being iterative in the test design phase. Afterwards, he showed us how his tests look like and how they run.

The after-lunch talk titled Data Transformation in Camel Style was given by Red Hat’s Roger Hui and was concerned with Apache Camel, an “Enterprise Integration” software. I had never heard of that and I am not much smarter know. From what I understood, Camel allows you to program message workflows. So depending on the content of a message, you can make it go certain ways, i.e. to a file or to an ActiveMQ queue. The second important part is data transformation. For example, if you want to change the data format from XML to JSON, you can use their tooling with a nice clicky pointy GUI to drag your messages around and route them through various translators.

From the next talk by Thomas Kuiper I learned a lot about Gandi, the domain registrar. But they do much more than that. And you can do that with a command line interface! So they are very tech savvy and enjoy having such customers, too. They really seem to be a cool company with an appropriate attitude.

The next day began with Jon’s Kernel Report. If you’re reading LWN then you haven’t missed anything. He said that the kernel grows and grows. The upcoming 4.2 kernel, probably going to be released on August 23rd. might very well be the busiest we’ve seen with the most changesets so far. The trend seems to be unstoppable. The length of the development cycle is getting shorter and shorter, currently being at around 63 days. The only thing that can delay a kernel release is Linus’ vacation… The rate of volunteer contribution is dropping from 20% as seen for 2.6.26 to about 12% in 3.10. That trend is also continuing. Another analysis he did was to look at the patches and their timezone. He found that that a third of the code comes from the Americas, that Europe contributes another third, and so does Australasia. As for Linux itself, he explained new system calls and other features of the kernel that have been added over the last year. While many things go well and probably will continue to do so, he worries about the real time Linux project. Real time, he said, was the system reacting to an external event within a bounded time. No company is supporting the real time Linux currently, he said. According to him, being a real time general purpose kernel makes Linux very attractive and if we should leverage that potential. Security is another area of concern. 2014 was the year of high profile security incidents, like various Bash and OpenSSL bugs. He expects that 2015 will be no less interesting. Also because the Kernel carries lots of old and unmaintained code. Three million lines of code haven’t been touch in at least ten years. Shellshock, he said, was in code more than 20 years old code. Also, we have a long list of motivated attackers while not having people working on making the Kernel more secure although “our users are relying on us to keep them safe in a world full of threats”

The next presentation was given by Microsoft on .NET going Open Source. She presented the .NET stack which Microsoft has open sourced at the end of last year as well as on Visual Studio. Their vision, she said, is that Visual Studio is a general purpose IDE for every app and every developer. So they have good Python and Android support, she said. A “free cross platform code editor” named Visual Studio Code exists now which is a bit more than an editor. So it does understand some languages and can help you while debugging. I tried to get more information on that Patent Grant, but she couldn’t help me much.

There was also a talk on Luwrain by Michael Pozhidaev which is GPLv3 software for blind people. It is not a screen reader but more of a framework for writing software for blind people. They provide an API that guarantees that your program will be accessible without the application programmer needing to have knowledge of accessibility technology. They haven’t had a stable release just yet, but it is expected for the end of 2015. The demo unveiled some a text oriented desktop which reads out text on the screen. Several applications already exist, including a file editor and a Twitter client. The user is able to scroll through the text by word or character which reminded of ChorusText I’ve seen at GNOME.Asia Summit earlier this year.

I had the keynote slot which allowed me to throw out my ideas for the future of the Free Software movement. I presented on GNOME and how I see that security and privacy can make a distinguishing feature of Free Software. We had an interesting discussion afterwards as to how to enable users to make security decisions without prompts. I conclude that people do care about creating usable secure software which I found very refreshing.

Both the conference and Hong Kong were great. The local team did their job pretty well and I am proud that the GNOME.Asia Summit in Hong Kong inspired them to continue doing Free Software events. I hope I can be back soon :-)

GNOME.Asia Summit 2015 in Depok, Indonesia

I have just returned from the GNOME.Asia Summit 2015 in Depok, Indonesia.

Out of the talks, the most interesting talk I have seen, I think, was the one from Iwan S. Tahari, the manager of a local shoe producer who also sponsored GNOME shoes!

Open Source Software in Shoes Industry” was the title and he talked about how his company, FANS Shoes, est 2001, would use “Open Source”. They are also a BlankOn Linux partner which seems to be a rather big thing in Indonesia. In fact, the keynote presentation earlier was on that distribution and mentioned how they try to make it easier for people of their culture to contribute to Free Software.
Anyway, the speaker went on to claim that in Indonesia, they have 82 million Internet users out of which 69 million use Facebook. But few use “Open Source”, he asserted. The machines sold ship with either Windows or DOS, he said. He said that FANS preferred FOSS because it increased their productivity, not only because of viruses (he mentioned BRONTOK.A as a pretty annoying example), but also because of the re-installation time. To re-install Windows costs about 90 minutes, he said. The average time to install Blank On (on an SSD), was 15 minutes. According to him, the install time is especially annoying for them, because they don’t have IT people on staff. He liked Blank On Linux because it comes with “all the apps” and that there is not much to install afterwards. Another advantage he mentioned is the costs. He estimated the costs of their IT landscape going Windows to be 136,57 million Rupees (12000 USD). With Blank On, it comes down to 0, he said. That money, he can now spend on a Van and a transporter scooter instead. Another feature of his GNU/Linux based system, he said, was the ability to cut the power at will without stuff breaking. Indonesia, he said, is known for frequent power cuts. He explicitly mentioned printer support to be a major pain point for them.

When they bootstrapped their Free Software usage, they first tried to do Dual Boot for their 5 employees. But it was not worth their efforts, because everybody selected Windows on boot, anyway. They then migrated the accounting manager to a GNU/Linux based operating system. And that laptop still runs the LinuxMint version 13 they installed… He mentioned that you have to migrate top down, never from bottom to top, so senior management needs to go first. Later Q&A revealed that this is because of cultural issues. The leaders need to set an example and the workers will not change unless their superiors do. Only their RnD department was hard to migrate, he said, because they need to be compatible to Corel Draw. With the help of an Indonesian Inkscape book, though, they managed to run Inkscape. The areas where they lack support is CAD (think AutoCAD), Statistics (think SPSS), Kanban information system (like iceScrum), and integration with “Computer Aided Machinery”. He also identified the lack of documentation to be a problem not only for them, but for the general uptake of Free Software in Indonesia. In order to amend the situation, they provide gifts for people writing documentation or books!

All in all, it was quite interesting to see an actual (non-computer) business running exclusively on Free Software. I had a chat with Iwan afterwards and maybe we can get GNOME shaped flip-flops in the future :-)

The next talk was given by Ahmad Haris with GNOME on an Android TV Dongle. He brought GNOME to those 30 USD TV sticks that can turn your TV into a “smart” device. He showed various commands and parameters which enable you to run Linux on these devices. For the reasons as to why put GNOME on those devices, he said, that it has a comparatively small memory footprint. I didn’t really understand the motivation, but I blame mostly myself, because I don’t even have a TV… Anyway, bringing GNOME to more platforms is good, of course, and I was happy to see that people are actively working on bringing GNOME to various hardware.

Similarly, Running GNOME on a Nexus 7 by Bin Li was presenting how he tried to make his Android tabled run GNOME. There is previous work done by VadimRutkovsky:

He gave instructions as to how to create a custom kernel for the Nexus 7 device. He also encountered some problems, such as compilations errors, and showed how he fixed them. After building the kernel, he installed Arch-Linux with the help of some scripts. This, however, turned out to not be successful, so he couldn’t run his custom Arch Linux with GNOME.
He wanted to have a tool like “ubuntu-device-flash” such that hacking on this device is much easier. Also, downloading and flashing a working image is too hard for casually hacking on it, he said.

A presentation I was not impressed by was “In-memory computing on GNU/Linux”. More and more companies, he said, would be using in-memory computing on a general operating system. Examples of products which use in-memory computing were GridGain, SAP HANA, IBM DB2, and Oracle 12c. These products, he said, allow you to make better and faster decision making and to avoid risks. He also pointed out that you won’t have breaking down hard-drives and less energy consumption. While in-memory is blazingly fast, all your data is lost when you have a power failure. The users of big data, according to him, are businesses, academics, government, or software developers. The last one surprised me, but he didn’t go into detail as to why it is useful for an ordinary developer. The benchmarks he showed were impressive. Up to hundred-fold improvements for various tests were recorded in the in-memory setting compared to the traditional on-disk setting. The methodology wasn’t comprehensive, so I am yet not convinced that the convoluted charts show anything useful. But the speaker is an academic, so I guess he’s got at least compelling arguments for his test setup. In order to build a Linux suitable for in-memory computation, they installed a regular GNU/Linux on a drive and modify the boot scripts such that the disk will be copied into a tmpfs. I am wondering though, wouldn’t it be enough to set up a very aggressive disk cache…?

I was impressed by David’s work on ChorusText. I couldn’t follow the talk, because my Indonesian wasn’t good enough. But I talked to him privately and he showed me his device which, as far as I understand, is an assistive screen reader. It has various sliders with tactile feedback to help you navigating through text with the screen reader. Apparently, he has low vision himself so he’s way better suited to tell whether this device is useful. For now, I think it’s great and I hope that it helps more people and that we can integrate it nicely into GNOME.

My own keynote went fairly well. I spent my time with explaining what I think GNOME is, why it’s good, and what it should become in the future. If you know GNOME, me, and my interests, then it doesn’t come as a surprise that I talked about the history of GNOME, how it tries to bring Free computing to everyone, and how I think security and privacy will going to matter in the future. I tried to set the tone for the conference, hoping that discussions about GNOME’s future would spark in the coffee breaks. I had some people discussing with afterwards, so I think it was successful enough.

When I went home, I saw that the Jakarta airport runs GNOME 3, but probably haven’t done that for too long, because the airport’s UX is terrible. In fact, it is one of the worst ones I’ve seen so far. I arrived at the domestic terminal, but I didn’t know which one it was, i.e. its number. There were no signs or indications that tell you in which terminal you are in. Let alone where you need to go to in order to catch your international flight. Their self-information computer system couldn’t deliver. The information desk was able to help, though. The transfer to the international terminal requires you to take a bus (fair enough), but whatever the drivers yell when they stop is not comprehensible. When you were lucky enough to get out at the right terminal, you needed to have a printed version of your ticket. I think the last time I’ve seen this was about ten years ago in Mumbai. The airport itself is big and bulky with no clear indications as to where to go. Worst of all, it doesn’t have any air conditioning. I was not sure whether I had to pay the 150000 Rupees departure tax, but again, the guy at the information desk was able to help. Although I was disappointed to learn that they won’t take a credit card, but cash only. So I drew the money out of the next ATM that wasn’t broken (I only needed three attempts). But it was good to find the non-broken ATM, because the shops wouldn’t take my credit card, either, so I already knew where to get cash from. The WiFi’s performance matches the other airport’s infrastructure well: It’s quite dirty. Because it turned out that the information the guy gave me was wrong, I invested my spare hundred somewhat thousands rupees in dough-nuts in order to help me waiting for my 2.5 hours delayed flight. But I couldn’t really enjoy the food, because the moment I sat on any bench, cockroaches began to invade the place. I think the airport hosts the dirtiest benches of all Indonesia. The good thing is, that they have toilets. With no drinkable water, but at least you can wash your hands. Fortunately, my flight was only two hours late, so I could escape relatively quickly. I’m looking forward to going back, but maybe not via CGK ;-)

All in all, many kudos to the organisers. I think this year’s edition was quite successful.

Sponsored by GNOME!

FOSDEM 2015

It’s winter again and it was clear that FOSDEM was coming. However, preparation fell through the cracks, at least for me, mainly because my personal life is fast-paced at the moment. We had a table again, and our EventsBox, which is filled with goodness to demo GNOME, made its way from Gothenburg, where I actually carried it to a couple of months ago.

Unfortunately though, we didn’t have t-shirts to sell. We do have boxes of t-shirts left, but they didn’t make it to FOSDEM :-\ So this FOSDEM didn’t generate nearly as much revenue as the last years. It’s a pity that this year’s preparation was suboptimal. I hope we can improve next year. Were able to get rid of other people’s things, though ;-) Like last year, the SuSE people brought beer, but it was different this time. Better, even ;-)

The fact that there wasn’t as much action at our booth as last years, I could actually attend talks. I was able to see Sri and Pam talking on the Groupon incident that shook us up a couple of months ago. It was really nice to see her, because I wanted to shake hands and say thanks. She did an amazing job. Interestingly enough, she praised us, the GNOME Foundation’s Board of Directors, for working very professionally. Much better than any client she has worked with. I am surprised, because I didn’t really have the feeling we were acting as promptly as we could. You know, we’re volunteers, after all. Also, we didn’t really prepare as much as we could have which led to some things being done rather spontaneously. Anyway, I take that as a compliment and I guess that our work can’t be all too bad. The talk itself showed our side of things and, if you ask me, was painting things in a too bright light. Sure, we were successful, but I attribute much of that success to network effects and a bit of luck. I don’t think we could replicate that success easily.

GNOME’s presence at FOSDEM was not too bad though, despite the lack of shirts. We had a packed beer event and more talks by GNOMEy people. The list includes Karen‘s keynote, Benzo‘s talk on SDAPDS, and Sri‘s talk on GNOME’s impact on the Free Software ecosystem. You can find more here.

A talk that I did see was on improving the keysigning situation. I really mean to write about this some more. For now, let me just say that I am pleased to see people working on solutions. Solutions to a problem I’m not sure many people see and that I want to devote some time for explaining it, i.e. in s separate post. The gist is, that contemporary “keysigning parties” come with non-negligible costs for both, the organiser and the participant. KeySigningPartyTools were presented which intend to improve they way things are currently done. That’s already quite good as it’ll reduce the number of errors people typically make when attending such a party.

However, I think that we need to rethink keysigning. Mostly, because the state of the art is a massive SecOps fail. There is about a gazillion traps to be avoided and many things don’t actually make so much sense. For example, I am unable to comprehend why we are muttering a base16 encoded version of your 160 bit fingerprint to ourselves. Or why we must queue outside in the cold without being able to jump the queue if a single person is a bit slow, because then everybody will be terribly confused and the whole thing taking even longer. Or why we need to do everything on paper (well, I know the arguments: Your computer can be hacked, be social, yadda yadda). I did actually give a talk on rethinking the keysigning problem (slides). It’s about a project that I have only briefly mentioned here and which I should really write about in the near future. GNOME Keysign intends to be less of a SecOps fail by letting the scan a barcode and click “next”. The rest will be operations known to the user such as sending an email. No more manually comparing fingerprints. No more leaking data to the Internet about who you want to contact. No more MITM attacks against your OpenPGP installation. No more short key ids that you accidentally use or because you mistyped a letter of the fingerprint. No more editing raw Perl in order to configure your keysigning tool. The talk went surprisingly well. I actually expected the people in the security devroom to be mad when someone like me is taking their perl and their command line away. I received good questions and interesting feedback. I’ll follow up here with another post once real-life lets me get to it.

Brussels itself is a very nice city. We were lucky, I guess, because we had some sunshine when we were walking around the city. I love the plethora of restaurants. And I like that Brussels is very open and cultural. Unfortunately, the makerspace was deserted when we arrived, but it is was somewhat expected as it was daytime… I hope to return again and check it out during the night ;-)

On GNOME and Groupon

You may have noticed that we ran a campaign calling for support regarding the Groupon trademark issue. Fortunately, everything was over much quicker than everybody expected.

It is fair to say that we were surprised by our campaign and the amount of support we had. And so were they (GroupOn). As Bradley said, the campaign could have failed miserably. It was a pure gamble. And I was everything but excited and full of expectations when we launched the campaign. We didn’t know how it would go and our preparation was.. simple, at best. I don’t mean to discredit any of the great work the volunteers around us (and we, ourselves) did. But it’s true that we’re not experts and that we didn’t have all the things in place you could have expected us to have. For example, we didn’t really have a bar of the money raised on the web page. In fact, that information was only available to a limited extent. It’s mainly my fault, but I also blame the fact that we only had mockups of the page, and not real code just until hours before the launch. Personally, my thinking was that we’d have days, if not weeks, to slowly fix things up.

Fortunately, things went differently. The coverage was amazing. I didn’t expect that our very simple page generated so much traffic. It’s hard to come up with an exact timeline of events as everything happened quickly and, in fairness, a bit chaotically. It may have been OMGUbuntu or Reddit who have reported first on our fundraiser. Other sites, such as Phoronix or Hackernews followed quickly. I was told that the latter was exceptional, because it ranked very high for rather long time.

We also had International coverage, i.e. on Heise (with somewhat interesting discussions), Golem (with two more articles!), Computerbase, and others… The usual suspects such as Slashdot, or, of course, LWN had an article as well. Even Arstechnica and Reuters covered our case. And that although we missed sending press releases to most of those sites. Sorry for that :-/

By quickly checking Google News, I know I haven’t found all the articles on the subject, but so far I’ve only found this article which was not in favour of our move. I think this was surprising to most, if not all of us.

Over the course of the day, this image was floating around, showing Brian’s LinkedIn profile which some people found hilarious. Some other pictures were floating around and comments were made. Some of them not in a not acceptable language but most of them were just expressing their concerns regarding Groupon’s behaviour. Some people cancelled all their accounts with Groupon while others started a petition.

We had close to one retweet per second and money was pouring in. The average amount donated was about 20 USD and the rate at which people donated was about 75 USD per minute. Every single minute. This can indeed be considered success. I think I noticed that this is going to be big when Freenode sent a message to all its 80000 connected users asking for supporting our case. “This is bigger than GNOME“, they said. Very correctly so. And it’s a shame, too. Not only for Groupon, because they needed to use the emergency break here, but for the system at large. It shouldn’t be the case that you need money in order to defend yourself against someone misusing your name.

timeline

Dear Internet, thanks. I am overwhelmed. We did not expect that amount of feedback to our recent trademark campaign, let alone the financial contributions. Our campaign was very successful. It was too successful, at least from a technical point of view. We are using a self made, very rudimentary Makefile for the business logic. We are still busy verifying the incoming transactions with Paypal… During the campaign, our servers were very busy handling the incoming requests.

I didn’t expect Groupon to be that cooperative given the behaviour I have observed over the last few months. It might have been Engagdet which were the first to report that Groupon backed up. Other news sites followed suit. All of that happened so quickly, that some news sites couldn’t even report on the case and could only report on Groupon abandoning their marks. That was probably Groupon’s strategy and, I guess, it was a wise choice. They retired their marks, but the app and their page are still online. They also still have a Gnome job posted. But I have no doubt that this will cease to exist.

Again: Thanks to everyone involved. This could as well have been the end to the GNOME Foundation, given that defending the GNOME marks is one of their main reasons for existing. A special thanks to all of you who have spread the word and made this campaign successful. Let’s hope we do not need such a campaign in the future.

For those of you who are interested in some pretty graphs (thanks benzo!), here is another one showing the transaction sizes and their volume. You can see, that we had many many small contributions. This is so amazing. I am very grateful and happy to see our community standing together so closely.

hist_10

GNOME at FSCONS14 in Gothenburg, Sweden

I was glad to be invited to FSONCS 2014 in Gothenburg, Sweden. Remember that this is also the place for next year’s GUADEC! This year’s FSCONS was attended by around 150 people or so. I guess it was a bit less. That might not sound like a lot, but it’s a very cool event with many interesting people and talks.

We, GNOME, had a presence at the event due to me bringing the EventsBox and T-Shirts to Gothenburg. It was quite a trip, especially with those heavy boxes…

The first keynote of the conference was given by Karl Fogel. He declared the end of copyright in 1993. He imagined copyright as a tree whose bottom has been chopped off, but the, the top hasn’t noticed that just yet. He put copyright on a timeline and drew a strong relation to the printing press. He claimed that in the United Kingdom, a monopoly used to control who prints and distributes books and it then transferred to a differently shaped monopoly which involved the actual authors. These could then transfer their rights to printers. He went on with ranting about the fact that nowadays you cannot tip the author for their (free) work. He appealed to the authors of f-droid or the firefox mobile app market to integrate such a functionality. Overall it was an interesting talk with many aspects. He is a talented speaker.

The second keynote was given by Leigh Honeywell. She talked about communities and community building. She said that she got most of the ideas presented in her talk from Sumana Harihareswara‘s “Models we use to change the world”. During her talk she referred to her experiences when founded the HackLabTO Hackerspace after having attended the CCCamp 2007. She basically shared models of understanding the community and their behaviour. The Q&A session was inspiring and informative. Many questions about managing a community were asked and answered.

Another interesting talk was given by Guilhem Moulin who went on to talk about Fripost. It is a democratic email service provider from Sweden. He gave a bit of an insight regarding the current Email usage on today’s Internet. He claimed that we have 2.7 billion internet users and that the top three email service providers accumulate roughly a third of this population. His numbers were 425 million for GMail, 420 million for Hotmail, and 280 million for Yahoo. All these companies are part of PRISM, he said, which worried him enough to engage with Fripost. In fact, he became a board member after having been a user and a sysadmin. As someone who operates a mail server for oneself and others with similar needs, I was quite interested in seeing concentrated efforts like this. Fripost’s governance seems to be interesting. It’s a democratic body and I wonder how to thwart malicious subversion. Anyway, the talk was about technical details as to how to create your own fripost.org. So I can only encourage to run your own infrastructure and found structures that care about running ecosystem. A memorable quote he provided to underpin this appeal is attributed to Schneier: “We were safer when our email was at 10,000 ISPs than it was at 10“.

My talk went sufficiently well. I guess I preached to the choir regarding Free Software. I don’t think I needed to convince the people that Free Software is a good thing. As for convincing the audience that GNOME is a good thing, I think I faced a big challenge. Some of the attendees didn’t seem to be very enthusiastic about their desktop which is great. But some others were more in the, what I would call, old school category using lynx, xautoscreenlock, and all that stuff from the 90s. Anyway, we had a great session with many questions from the audience such that I couldn’t even go through my slides.

I had a lightning talk about signing OpenPGP keys using GNOME Keysign. I probably need to write up a separate blog post for that. In short, I mentioned that short key IDs are evil, but that long key IDs are also problematic. Actually, using keyservers is inherently problematic and should be avoided. To do so, I showed how I transfer a key securely and sign it following best practices (thanks to Andrei for an initial version!). Bastian was nice enough to do the demo with me. We needed to cheat a little though, as currently, they key is transferred using the WiFi network you are on. The WiFi, however, didn’t allow us to create a TCP connection to each other. We thus opened a WiFi hotspot and used that. I think this would be a useful feature.

The last talk of the conference was given by Hans Lysglimt from Norway. He is, among other things, a politician, an activist, and an entrepreneur who founded an email service. His runbox has around 1000000 accounts and 30000 paid subscriptions, so it’s fairly big, compared to Fripost at least. Again, running email services myself, I found it interesting to listen to the stories he had to tell. His story was that he received a gag order for running his commercial email service provider. It remained unclear whether it was send because of his interview with Julian Assange or not.

Interestingly, he didn’t seem to have received many correct subpoenas in the sense that they were Norwegian court orders. However, in one case the American authorities went through the Norwegian legal system which he found funny in itself because the two legal system were not very similar. He eventually mentioned that every email service provider has at least one gag order, either an implicit or and explicit one. Ultimately, he concluded that you cannot trust a corporation.

FSCONS is an interesting event. Their manifesto is certainly impressive. I am glad to have visited and I am looking forward to visiting again. It is very atmospheric, very relaxed, and friendly. A very nice place to be.