telenet speeds

Not true, Tom!

In '99 you did not have 10Mbps at all. It is correct that your cable modem imposed no restrictions, and it is also correct that you were supposed to use a 10Base-T network card. Only, 'the cable' did not have the capacity back then to push data through at 10Mbps; at the time that was all 4Mbps. More or less.

It was also around that period that they capped the upstream speed. At that moment, the speed you had was effectively "confirmed" and made official. 4Mbps, that is. Later, when "Telenet Mono" or "Telenet Duo" was replaced by "Telenet Expressnet" (which you explicitly had to ask for -- it took me a little while to figure that out too) it became 5Mbps. And now 10.

In other words, it is indeed the case that they are raising it (just like that, sir) to speeds you did not have before. Even if it seems otherwise.

Posted
bluetooth spam

Bluetooth spam

I have a laptop that supports bluetooth. By using gnome-bluetooth (which unfortunately isn't packaged yet—and no, I don't have the time to start doing more packages), I can accept data transfers over Bluetooth to my laptop, which sometimes is handy.

Some people seem to think it's funny to start sending me unsolicited files while I'm on the train, hacking away on my laptop. I swear, they're spamming me. Of course, it's not something that can't be solved by running killall gnome-obex-server, but it's annoying.

I'm thinking of writing my own obex server (or modifying g-o-s) so that the box that appears when it asks whether I want to accept some file has the option to "spam back", i.e., send the same file to the sending device over and over again. But then, that wouldn't be ethical, would it?

Posted
28

28

As of 20 minutes ago, I've officially reached that age. I don't think that's worth celebrating much. Especially not since I would much rather have celebrated it in .mx rather than in .be.

Grmbl.

In other (and totally unrelated) news, I joined another choir. It's called 'Caljente', it's for everyone between the age of 25 and 45, and it's part of the same choir family as the youth choir 'Cantilene' (16-25) that I was a member of for the better part of a decade.

This is a brand new choir; today was its third ever rehearsal. Things are going rather well there; for interested people, we'll be doing a small concert in a month or two. Nothing big and fancy, but at least something.

Watch this space. Or this space, if you speak Dutch.

Posted
traffic shaping

Traffic shaping and iptables

Someone just asked something on be.comp.os.linux for which I spent quite some time reading the relevant documentation to find a working solution. It's not hard if you know it, but since it's hidden in a lot of documentation, some of which is only partially relevant, I thought it'd be nice to show it here.

The question was about how to do some traffic shaping based on the process which is sending out the data. This is not directly possible; however, it is possible to match packets based on the PID by using iptables' -m owner. The nice thing about this solution is that it doesn't have to be the PID you're selecting on; you can really use anything (yes, anything) in iptables to decide on traffic shaping later on.

The trick is to use the -j MARK stuff from iptables. In our example:

# owner matching only sees locally generated packets, so the rule goes in the OUTPUT chain
iptables -t mangle -A OUTPUT -m owner --pid-owner <some PID> -j MARK --set-mark 1

Now our packets are marked based on what PID is sending them out. Next, we'll have to make sure those packets are given lower priority than other packets:

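# root HTB qdisc; anything that no filter classifies goes to class 1:10
tc qdisc add dev $OUTIF root handle 1: htb default 10

# parent class: the total bandwidth to share out
tc class add dev $OUTIF parent 1: classid 1:1 htb rate 256kbit burst 15k

# 1:10 is the default class, 1:20 the slower class for marked packets
tc class add dev $OUTIF parent 1:1 classid 1:10 htb rate 100kbit burst 15k
tc class add dev $OUTIF parent 1:1 classid 1:20 htb rate 50kbit burst 15k

# SFQ under each class keeps one flow from starving the others in that class
tc qdisc add dev $OUTIF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUTIF parent 1:20 handle 20: sfq perturb 10

# packets carrying mark 1 are sent to class 1:20
tc filter add dev $OUTIF protocol ip parent 1:0 prio 1 u32 match mark 1 0xffff flowid 1:20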

Et voila, you have traffic shaping based on the iptables -j MARK stuff. Nice, huh?

Posted
ross burton dropbox

"Dropbox"

Ross, I don't think something like that exists. But it's not actually hard to make, really.

  • Apache can be configured to redirect any PUT request to a given script. Just write yourself a small PHP or CGI script that will take a file, put it somewhere safe, and send a 200(ish) status code back. PHP has a function for precisely that purpose.
  • Writing something to give you an HTML form back if someone does a GET / isn't exactly hard.

Altogether, it sounds like a bit of tinkering that'll be finished in an hour or so.

Posted
kerberos II

Kerberos II

So about two weeks ago I started playing with Kerberos. And I'm still not finished with it, kerberizing one service after the other. Really fun, that.

Kerberizing a network protocol involves somehow sending the Kerberos ticket in-band with the rest of the conversation. This is not entirely defined by the Kerberos protocol, and indeed, different network protocols have come up with different ways of sending the Kerberos ticket to the service. So far, I've encountered SPNEGO for HTTP, GSSAPI for IMAP and SSH, and SASL for LDAP. It sounds like a complex mess, but it really isn't; in general, kerberizing a service involves three steps:

  1. Installing the Kerberos plugin (if any) for both the server and the client;
  2. Generating the service principal, and adding it to a/the keytab;
  3. Configuring the service so that it knows it can do Kerberos, and so that it knows how to act when a Kerberos request is sent

Yes, in the cases I've seen it's really that simple. Although I'm skipping step 0 here–reading the documentation. But I've done that for you already ;-)

The hardest part is the initial setup. But even that isn't very hard, because the process is very well documented. For starters, install the krb5-doc package, and read the excellent /usr/share/doc/krb5-doc/README.KDC which explains just enough of the system to get you started. The rest will be explained to you through debconf and the like; and if you want more, the krb5-doc package also contains three info files which explain concepts and usage very well. There's an alternative implementation called heimdal, which I presume works similarly; but I haven't tried it, so I don't have many details on that one. The process of installing krb5 is very straightforward; the only thing I'll let you know is that you should ensure that any host you're going to kerberize has reverse name lookups configured and working correctly; otherwise, you're going to run into a bunch of serious problems.

After the initial setup, you'll have a Kerberos realm, usually your domain name in upper case (GREP.BE in my case). You'll now want to set up principals for your users and principals for your hosts. Now, let me show you how to configure Kerberos for LDAP, PAM, HTTP, IMAP, and SSH:

PAM
By installing and using the libpam-krb5 package, you'll log in to kerberos and receive your TGT immediately at login time; the alternative would be having to use kinit (in the krb5-user package) afterwards. pam_krb5.so also takes care of destroying your tickets when you log out, so that you don't have to worry about that. This is very handy, but not really required; you could just use kinit all the time. Of course, using pam_krb5.so also means you have only one password for everything—and that is a very good argument to use it.
Anyway; our three steps:
  1. Installing the plugin

    As you've guessed, libpam-krb5 is the package you'll need. That, or the heimdal implementation.

  2. Generating and installing the service principal

    In the case of any service such as PAM that will give you a shell (thus, as we'll see later on, also SSH), the principal is supposed to be host/<hostname>@<REALM>. For instance, on rock.grep.be, the principal PAM will use is host/rock.grep.be@GREP.BE. We'll create it with kadmin (which can be done on any kerberized host):

    wouter@rock:~$ sudo kadmin
    Password for root/admin@GREP.BE:
    kadmin:  addprinc -randkey host/rock.grep.be@GREP.BE
    WARNING: no policy specified for host/rock.grep.be@GREP.BE; defaulting to no policy
    Principal "host/rock.grep.be@GREP.BE" created.
    kadmin:  ktadd host/rock.grep.be@GREP.BE
    Entry for principal host/rock.grep.be@GREP.BE with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/rock.grep.be@GREP.BE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    kadmin:  q

    Generating the principal can really be done as any /admin user; but as the same isn't true for writing the keytab, I'm using sudo in the above example to become root.

  3. Configuring

    account   required    pam_krb5.so ignore_root
    auth      sufficient  pam_krb5.so ignore_root forwardable
    password  optional    pam_krb5.so ignore_root
    session   optional    pam_krb5.so ignore_root
    

    After adding the above lines to the relevant files in /etc/pam.d, you should log off, then log on again, run 'klist', and marvel.

    If you add the lines to your passwd file as shown above, and don't remove the pam_unix.so lines, then local passwd-based authentication will still work. This can be nice if, for example, the Kerberos server is down, or you're working on a laptop that isn't always within reach of the Kerberos server. It doesn't do any harm; the worst that can happen is that at some point you happen to be on a network where there's a firewall which drops packets on the floor rather than sending you an ICMP port unreachable; in that case, you need to wait for the Kerberos login to time out, which takes half a minute or so (I haven't timed).

SSH
  1. Installation

    If you're running unstable, you don't need to do anything. The OpenSSH packages in unstable are all set to understand Kerberos.

    If, however, you're running stable, you'll want to replace your ssh package by the ssh-krb5 package, which is the regular SSH package plus some patches to enable GSSAPI (read: Kerberos) authentication.

  2. Service principal

    If you've done the PAM setup above, you're all set; SSH, being a service which gives you a shell, also uses the host/ service principal.

  3. Configuration

    Make sure both the server and the client have the GSSAPIAuthentication option enabled. After you've done so, restart the server.

IMAP
I'm using dovecot as my IMAP server, which has builtin support for GSSAPI authentication (at least in unstable; haven't checked stable in this regard).
  1. Installation

    As dovecot comes with everything compiled in, there is no need for installing extra packages.

  2. Service principal

    You'll need the imap/ principal (e.g., imap/rock.grep.be@GREP.BE). Note that the host name which is found by doing a reverse lookup on the IP of the server is what counts, not the name of the server as you're using it (so not, e.g., imap/imap.grep.be@GREP.BE).

  3. Configuration

    Edit your dovecot.conf, and find the line that starts with "mechanisms" in the auth default stanza. Make sure it contains at least the word gssapi. Restart dovecot.

    I haven't found a Free (as in speech) IMAP client that supports GSSAPI authentication. My client of choice, offlineimap, doesn't seem to support it; mutt doesn't either (unless I'm missing something); and while thunderbird in unstable is supposed to support it, I haven't been able to configure it correctly yet. Probably me. I have, however, been able to verify that it works by using a non-free software package. Obviously, this isn't good enough. In addition, I found that horde and imp don't like an IMAP server that has GSSAPI enabled if they don't, while enabling GSSAPI in horde requires a PHP extension that isn't packaged in Debian. So I've disabled it for the time being. Stay tuned.

LDAP
  1. Installation

    LDAP uses SASL for authentication, which doesn't have GSSAPI modules in the default package; for those, you need the libsasl2-modules-gssapi-heimdal package.

    Attentive readers will have noticed that this package contains the string heimdal in it, rather than krb5, and that this is not the same implementation that I've been using previously. Yes, true. But since there's no libsasl2-modules-gssapi-krb5, and since Kerberos is, after all, a well-defined protocol, this is not an issue—except in that you need a bit more disk space for the additional libraries.

    Note that the modules have to be installed on both the client and the server.

  2. Service principal

    You need a service principal that starts with ldap/, obviously followed by the hostname and the realm.

  3. Configuration

    For those people whom you want to allow to authenticate themselves using Kerberos, make sure they have '{SASL}<principal>' in their userPassword attribute set (e.g., I have userPassword: {SASL}wouter@GREP.BE). You can have that in addition to a regular encrypted password; the userPassword attribute is a multi-value attribute. Now if you use ldapsearch or anything similar, it will try to negotiate GSSAPI authentication as the SASL mechanism. If it doesn't do so, you can force it by adding -Y GSSAPI to the command line.

HTTP
  1. Installation

    You need the libapache-mod-auth-kerb or libapache2-mod-auth-kerb modules on the server. For the client, you need a browser which has SPNEGO support; Konqueror and Firefox are two examples of browsers that do.

  2. Service principal

    The prefix here should be HTTP/. That's right, in upper case, contrary to previous examples where this wasn't the case.

    HTTP is also different in that apache usually isn't running as root. This is a good thing; however, it does mean that the kerberos authentication module is unable to read /etc/krb5.keytab. You'll have to write the service principal to a different keytab for apache; I've used the -k option to the ktadd command in kadmin to specify the keytab as /etc/apache2/keytab; I'll assume you do the same.

  3. Configuration

    Something like this, on the server:

    <Location /some/URL>
    	AuthType Kerberos
    	KrbMethodNegotiate on
    	Require valid-user
    	Krb5Keytab /etc/apache2/keytab
    </Location>
    

    This will enable SPNEGO authentication; and if SPNEGO authentication fails for some reason (for example, because the used browser doesn't support SPNEGO, or because the user isn't logged in to Kerberos), it will fall back to Basic Authentication.

    While the latter is usually a good idea, it's less of a good idea if you're not using SSL, since then your password would be sent over the wire in cleartext. Luckily, the basic authentication can be switched off, by using KrbMethodK5Passwd off. If you go to my webserver logs, you'll see that you'll get a 401 right away, while the HTTPS version of the same allows you to try to log in by using basic authentication.

    On the client side, if you're using Firefox, you need to go to about:config, and set the option network.negotiate-auth.trusted-uris to a string that will identify the servers that may do SPNEGO authentication in your realm. In my case, I've set it to grep.be. For konqueror, doing something similar is not required—it'll do SPNEGO authentication out of the box.
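
The password fallback described above is easy to leave enabled by accident. As an added example (not part of the original post), this shell function lists every block in an Apache configuration file that sets AuthType Kerberos without KrbMethodK5Passwd off; the function names and the sample configuration, including /other/URL, are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag Apache blocks that enable
# Kerberos authentication but leave the password (Basic) fallback switched on.
# Only directives that appear in the post are inspected.

# krb_fallback_audit FILE
#   Prints "<file>:<line>: <block header> allows password fallback" for every
#   block with "AuthType Kerberos" and no "KrbMethodK5Passwd off".
#   Exit status: 0 = nothing flagged, 1 = at least one block flagged.
#   Nested blocks are judged one by one; settings inherited from an enclosing
#   block are not modelled.
krb_fallback_audit() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || line ~ /^#/) next
        low = tolower(line)            # Apache directive names are case-insensitive
        if (low ~ /^<\//) {            # closing tag: judge the block being closed
            if (depth > 0) {
                if (kerb[depth] && !pwoff[depth]) {
                    printf "%s:%d: %s allows password fallback\n", FILENAME, start[depth], hdr[depth]
                    bad++
                }
                depth--
            }
            next
        }
        if (low ~ /^</) {              # opening tag: start tracking a new block
            depth++
            hdr[depth] = line; start[depth] = FNR
            kerb[depth] = 0; pwoff[depth] = 0
            next
        }
        if (depth == 0) next           # the directives only matter inside a block
        split(low, f, /[ \t]+/)
        if (f[1] == "authtype" && f[2] == "kerberos") kerb[depth] = 1
        if (f[1] == "krbmethodk5passwd") pwoff[depth] = (f[2] == "off")
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: two locations, only the second one disables the fallback.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server configuration
<Location /some/URL>
    AuthType Kerberos
    KrbMethodNegotiate on
    Require valid-user
    Krb5Keytab /etc/apache2/keytab
</Location>
<Location /other/URL>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Krb5Keytab /etc/apache2/keytab
</Location>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
krb_fallback_audit "$sample" || echo "review: the blocks listed above still accept a password"
rm -f "$sample"
```

A flagged block is only a problem when it can be reached without SSL, so treat the output as a list of locations to check rather than as a verdict.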

So, that's what I've got set up on my network currently. Next on the list: NFS4 kerberos auth (requires updated nfs utilities, which aren't in Debian yet because of issues with NFS2, IIRC), PostgreSQL (it does seem to support it), and finding out if or how I can create principals that can't be used for one authentication scheme or the other.
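
Every service above needs its own principal in a keytab, named after the host name that a reverse lookup returns and, for HTTP, with an upper-case prefix. The following added example (not part of the original post) reads `klist -k` output and reports which expected principals are missing, with a hint when the keytab holds a near miss; the function names and the sample listing are constructed, and it assumes the plain `klist -k` or `klist -ke` column layout.

```shell
#!/bin/sh
# Added example, not from the original post: compare the principals a host's
# services will ask for with what is actually stored in a keytab.

# missing_principals FQDN REALM SERVICE...
#   stdin : output of "klist -k" (or "klist -ke") for one keytab
#   stdout: one "MISSING <principal>" line per expected principal not found,
#           with a hint when the keytab holds the same name in another case
#           or the same service under another host name
#   status: 0 = everything present, 1 = at least one principal missing
missing_principals() {
    fqdn=$1; realm=$2; shift 2
    awk -v fqdn="$fqdn" -v realm="$realm" -v want="$*" '
    # Data rows start with the numeric KVNO; the principal is the second field.
    # A keytab lists one row per encryption type, so remember each name once.
    $1 ~ /^[0-9]+$/ && NF >= 2 {
        if (!($2 in have)) { have[$2] = 1; order[++cnt] = $2 }
    }
    END {
        n = split(want, svc, " ")
        for (i = 1; i <= n; i++) {
            p = svc[i] "/" fqdn "@" realm
            if (p in have) continue
            hint = ""
            # Same principal, different case (for example http/ instead of HTTP/).
            for (k = 1; k <= cnt && hint == ""; k++) {
                if (tolower(order[k]) == tolower(p)) hint = "case differs: " order[k]
            }
            # Same service and realm, but created for another host name.
            for (k = 1; k <= cnt && hint == ""; k++) {
                q = order[k]
                tail = substr(q, length(q) - length(realm))
                if (index(q, svc[i] "/") == 1 && tail == "@" realm) hint = "other host name: " q
            }
            printf "MISSING %s%s\n", p, (hint == "" ? "" : " (" hint ")")
            miss++
        }
        exit (miss > 0)
    }'
}

# Constructed sample in the layout of "klist -k"; not a real keytab listing.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rock.grep.be@GREP.BE
   3 host/rock.grep.be@GREP.BE
   2 imap/imap.grep.be@GREP.BE
   2 http/rock.grep.be@GREP.BE
EOF
}

sample_klist_output | missing_principals rock.grep.be GREP.BE host imap ldap HTTP || true
```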

Phew, that was a long post. I'll stop now.

Posted
how not to handle bugreports

How not to handle bugreports.

David Woodhouse reports on a bug in Evolution he reported ages ago where Evolution wasn't acting RFC-compliant, which meant that it was impossible for it to communicate with some MTAs in their default configuration.

At the time, the evolution (upstream) maintainers claimed it wasn't a bug, and that he should fix his mailservers instead, while the RFC clearly states the contrary. David rightfully called the evolution maintainers idiots in his blog post.

The patch did eventually get applied, however, so all was well. However, then the guy whom he called an idiot took offense at being called so, and started reverting fixes for bugs, and even closing valid ones, just because they were filed by David Woodhouse.

Way to go. Someone use the cluebat, please. And the LART.

Posted
nbd-2.9.0-test2

NBD 2.9.0-test2

A few days ago, I released nbd 2.9.0-test2 to sourceforge.net, and a bit later, to Debian's experimental distribution, too—which, occasionally, means I'll have to skip the 2.9.0 release, because I don't feel like increasing my epoch. The new release contains a few new things, most notably support for a configuration file and, coupled with that, the ability to run multiple nbd exports from one nbd-server instance.

This is an experimental version in that it hasn't been tested much outside my artificial testing environments, and in that the configuration file format is a first proposal, on which I'm hoping to get feedback, so that it can be improved before it's finalized.

Unfortunately, the latter hasn't happened as of yet. I'd love to see that change.

Anyone?

Posted
2.40 bug found

2.40: Bug found.

A long time ago, I reported about how I couldn't compile belpic 2.40 on Debian. At the time, I'd assumed it had something to do with my (mis)understanding of SCons, a make/automake/autoconf/... replacement written in python that upstream had migrated to.

As it turns out, that isn't the case.

Script started on do 11 mei 2006 11:28:01 CEST
wouter@country:~/Desktop/bel-eid-nl-linux/_stap_2/src/pkcs11/src/include/opensc$ ls -l
totaal 4
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 asn1.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 cardctl.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 emv.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 errors.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 log.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 opensc.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 pkcs11.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 pkcs15.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 pkcs15-init.h
drwxr-xr-x 2 wouter wouter 4096 2005-12-01 10:14 rsaref
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 scconf.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 scdl.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 scldap.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 scrandom.h
-rw-r--r-- 1 wouter wouter    0 2005-12-01 10:14 types.h
wouter@country:~/Desktop/bel-eid-nl-linux/_stap_2/src/pkcs11/src/include/opensc$ 

Script done on do 11 mei 2006 11:28:05 CEST

AAAAARGh!

Posted
debconf remote

Joining Debconf by remote

For those of you who don't read my blog through Planet Debian: at this very moment, people are gathering in Oaxtepec, Mexico, for DebConf6, the yearly Debian conference. While I joined it last year (when it was in Helsinki, Finland), for various reasons I was under the impression that I wouldn't be able to join this year (eventually it turned out that I would have been able to, but when I found that out it was too late to go ahead and organize things).

This year they'll be doing something new for the first time: live Internet streaming of the talks that will be held. While it doesn't even remotely compare to actually being there—the talks are only part of the Debconf experience; far more important, at least IMHO, is the ability to meet people whom you otherwise only know as their IRC nick or email From: header— the ability to follow the talks as they are happening is something very nice indeed, and I'm sure going to try to attend some of them.

However, there's one thing. Since Oaxtepec is in the -0500 timezone while I live in +0200, that means some of the talks will be very, very late at night. Since they'll undoubtedly all end up at the Meetings archive afterwards (and probably in much better quality at that), I don't really see any added value in following it live—unless I can actually join in while having a look at the live stream.

So, I guess this is a question: is the network in Oaxtepec good enough to allow for IRC sessions in the rooms where the talks will be held? And if so, is there going to be a way for me to ask questions or provide feedback or anything through IRC? Because that would make it worthwhile to stay up at night for me...

Posted
adam kessel-comcast

On huge ISPs and multi-level support requests.

Adam

They just told you how to get past their front lines: Call their business support on the toll-free phone number she gave you. Here's my take at what happened:

  • You entered a question on a web form which is intended for user support questions.
  • A first-line technical support person called Irene (who, most likely, is not trained as a computer person; since 90% of all calls can be fixed by going with the customer through their connection and email settings, you can train anyone to be a first-line technical support person in one day, with most of the time spent in How do I handle the phone and How do I handle the ticket tracking system) had a look at your request, saw that you had problems with sending email from remote systems, and copied a standard text about mail bounces in her reply to you. Remember that there are many people out there who think they know a lot about computers because they know how to start regedit and know a few buzzwords; the presence of such words in a support request is not necessarily a sign that there's some clue at the other end of the line.
  • You replied that no, this does not apply, and that yes, it's really a problem at your end, because lots of words Irene does not understand. She then decided you're totally out of her league, and redirected you to their second-line support; second-line support lines do consist of people knowledgeable about computers, because at that point it's no longer a trivial problem. Since you happen to be an ISP, which is a company in her book, she referred you to the Business support line; such a Business support line usually consists of people even more knowledgeable about computers in general and the Internet specifically, because companies usually have rather specific needs that go a bit further than I have an ADSL modem and a Windows box.

Really. Call them. You'll find that you will be talking to someone knowledgeable about what SMTP is, and who is able to put a request with SMTP administrators to fix this issue if that is required.

Take it from someone who used to work at one of Belgium's largest ISPs (at least, it was that when I used to work there—they've lost some market share since).

Posted
kerberos III

Kerberos: final note.

Just a little followup to my two previous blog posts about kerberos:

Kerberos needs a few things to be set up correctly before it'll work. If you've set up everything correctly as I explained it previously, and it doesn't work, make sure you have these done right:

  • Parts of the kerberos protocol require your computer's clocks to be in sync (with a slight error margin; I believe 10 minutes is the default). Using NTP is one way of achieving this.
  • Other parts of the MIT implementation rely on forward/reverse name resolving of localhost to work. The details are uninteresting, but in general, if you say ping localhost, then the replies you get should contain your FQDN. If they don't, fiddle with /etc/hosts until they do.

Posted since I just revived newwave, my Quara 700, which hadn't been kerberized yet, bumped against the latter of the above two points, and played with the machine for a few hours until I realized what the problem was... and because this wasn't the first time that it happened and, I guess, not the last time either.

Posted
ShelleyTheRepublican

Linux: a means of circumventing valuable copyrights and patents.

At least according to this clueless republican:

Like all the greatest American engineering, it's an example of innovation that makes a growing group of European and Chinese hackers jealous. They hate our lead in computing technology and will stop at nothing until they have control of all our computers.

Hah. Let me tell you, Shelley, I am not jealous of anything. The only thing I feel about people using Windows is pity; you are giving away your freedom in return for some Pride.

If you see a company using Linux, it may be that they have not paid for this software. Report them to the Business Software Alliance who have the legal authority to inspect any company's computers for illegal programs like Linux.

Rotfl. First, the BSA has the legal authority to do absolutely zilch. Second, using Linux is anything but illegal.

Get a life. No, really.

Update: While I was sleeping, I received no less than 24 comments that the site is not real. I get the picture. Get off my back. :-)

Posted
udev is crap

udev is pure crap.

For some reason, the kernel developers seem to like the "udev" system. For those of you who've been living under a rock for the past few years: udev is a pile of scripts that react to kernel hotplug events and will start setting up device nodes and go mount them, etc. While this is all probably very nice for users not very familiar with the system, it has one fatal flaw:

It removes the perfectly deterministic and reproducible boot characteristics of a Linux system, and replaces them with something that will work when you're there, but break the next time. According to Murphy's law, that "next time" is obviously when you're on vacation, the guy with access to the data center ran under a bus and is in hospital, and the breakage introduced with udev somehow also broke the VPN to your router, so you can't even remotely powercycle the beast. Or so.

I don't like a system that starts playing with my device nodes. I have a static /dev, which does everything I need it to do; when I put a CD-ROM in the drive, I'll mount it myself, thank you. If I change something about my system configuration, I'm perfectly capable of modifying the configuration to match myself. I am perfectly happy with a system that will autoload kernel modules when I plug in some USB device, however, and there's nothing wrong with the ability to create some scripts that will set up stuff the way I want them to be.

Hotplug allows all of that. By using hotplug, a USB mouse Just Works(TM) when I plug it in. There are more things like that, which Just Work. A USB key is not one of them, nor is a CD-ROM. And that's a good thing; I don't want filesystems to be mounted at random just because someone got hold of my laptop for a while.

So don't use udev, I hear you say. And, well, I'm not. But the problem is that the kernel maintainers seem inclined to make it harder and harder to do so. And eventually, the result will be that I'll have to install a system which will break my boot sequence every other day just to be able to have a mouse work two seconds after I plug it in.

Madness.

Posted
nfs4

NFSv4

a.k.a., NFS on crack.

Supposedly NFSv4 is able to support kerberos authentication. I guess that means this post should really be called kerberos_IV, or so. Oh well. Doing NFSv4 involves some magic bits, which isn't something I principally oppose. It also involves a lot of extra daemons, making the thing a lot more complex to set up, which is a pity. Well; at least the procedure is documented.

The crack bit, though, is that, according to that HOWTO, you need to bind mount whatever you want to export before being able to actually export stuff. Anyone care to explain to me why that is?

Posted
jazz oops

Jazz' Oops.

wouter@jazz:~$ ps aux | grep [k]swapd
root         4  0.1  0.0      0     0 ?        Z    Apr26  63:19 [kswapd] <defunct>
wouter@jazz:~$ dmesg | tail -n 23
Warning: kfree_skb passed an skb still on a list (from 000e4416).
Negative d_count (-1) for sparc32/soft-fp
Unable to handle kernel NULL pointer dereference at virtual address 00000000
Oops: 00000000
PC: [<00027c16>]
SR: 2004  SP: 043f9f24  a2: 043f8000
d0: 0000002d    d1: 00000001    d2: 04181f50    d3: fffffbd5
d4: 000001af    d5: 00140d6c    a0: 00000014    a1: 0000003a
Process kswapd (pid: 4, stackpage=043f9000)
Frame format=7 eff addr=043f9f4c ssw=0485 faddr=00000000
wb 1 stat/addr/data: 0005 00027c0e 0010e024
wb 2 stat/addr/data: 0085 00000000 00000000
wb 3 stat/addr/data: 0005 00000000 00000000
push data: 0010e024 ffffffff 01d33ae0 04181fb0
Stack from 043f9f8c:
        01b97300 00000001 00027da8 04181f50 00000001 00000005 00000030 00000005
        00000001 00000002 043f8000 00002000 04371830 00191ff8 00028070 000005d9
        ffffffff 00000020 00019740 00000005 00000030 00000000 00000005 00000000
        000197f6 00000030 00002980 000029b4 00000000
Call Trace:
        [<00027da8>] [<00002000>] [<00028070>] [<00019740>]
        [<000197f6>] [<00002980>] [<000029b4>]
Code: 265f 285f 4e75 2f0c 2f0b 286f 000c 41ec 0018 b1d0 

That's bad, right?

I guess I'll have to reboot it when I get anywhere near it. In the mean time, I've had to shut down its buildd, since not running kswapd is wreaking havoc with the load on jazz. And while I'm at it, might try to install 2.6 on the box, too, see whether that works yet.

Only that has a different set of issues; it doesn't seem to be possible to generate initrd images for 2.6 kernels while you're running 2.2. And I'm not compiling my own kernels; Debian's kernels are just fine. If I can get them to work. Suggestions, anyone?

Posted
incomplete description

Incomplete blog feeds.

I'm considering removing feeds from Planet Grep a few weeks from now that do not contain the entire text of the post in their feed; i.e., those feeds for which it is necessary to go to the blog itself to read it. The reason is that I want Planet Grep to be something which you can read, not just a bunch of links to other people's sites. By having only teasers, or (in some cases) not even that, this breaks.

Thoughts?

Posted
duck with whisky

Duck with whisky

One of the classic recipes that get forwarded by mail over and over again to me is the following. It's usually in Dutch, but I've translated it:

Get yourself a duck of about 1.5 to 2kg, and two large bottles of Scottish whisky, bacon strips and a bottle of olive oil.
Put the bacon around the duck, and treat the inside with pepper and salt.
Preheat the oven for 10 minutes at 180 degrees Celsius.
Fill a large glass with whisky.
Drink the whisky while the oven is preheating.
Put the duck on a fireproof platter and fill out a second glass of whisky.
Drink out the second glass of whisky and put the duck in the oven.
After 20 minutes, put the oven to 200 degrees celsius and vill 2 glazzes of whisky.
Drink out the glazzes and pick ub the piecez of the first glazz
Fill anozzer half glazz and drinkit.
After halven our, open the ovven to cheq the duck.
Fetch the burninjury oindmend in the bathrthroom and pud it on the ubber zide of the lef thand.
Vill anozzer two glazzez of whiskey.
Open the ovven after the first glazz izz embdy and biggub the bladder.
Pud the oindmend on the inner zide o the righdhand.
Biggub the dug.
Biggub the dug again and use a towel to rrremovve the oindmend from the dug.
Degreaze th hand with visky and biggub the oindmend dube whisj is laying onthe ground.
Clean ub the brokan glazz and put the dug bag in the ovven.
Pig ub the dug and open the ovve firs.
Open the segond boddle of bisk and pud id straight ub again.
Get ub from the fllloorr and puz the bagon under ve cabined.
Geddub again and siddown aniwey.
Pud the boddle on the flooj.
Dring fromve boddle since the glazzez are borken or unreadjable.
Switch ovv the ovven, gloze your eyez, and ffffall over.

No, I didn't try it. But it might sound like something nice for a DebConf in Edinburgh...

Posted
icewm rocks

IceWM

I had been an Enlightenment user for a long time—from halfway through the summer of 2000 up to the early fall of 2004—before someone finally decided to pick up the pieces where they were left somewhere around 2000 and restart its development. Unfortunately, that also meant causing #219925, which was irritating me more and more each day. Eventually, in the early fall of 2004 (almost a year after I filed that bug), I gave up and started looking for something else.

The problem, of course, was that I'd grown so accustomed to using Enlightenment and its way of doing things that I felt at a loss. I wanted to be able to move windows above the upper edge of my screen again. I needed focus-follows-mouse. I was having a hard time without edge-flipping. Eventually I found that there was functionality for all of the above, but it wasn't flawless. Especially not the edge flipping—GNOME implements that in a truly horrible way[1]. Not to mention the fact that brightside, the application which implements edge-flipping for GNOME, segfaulted on me an annoyingly high number of times, sometimes even taking away my entire session with it. Even Enlightenment never did that; it would just misbehave instead.

Apart from that, of course GNOME also had some extra annoyances that I didn't get rid of. The fact that it insists on mucking with my keyboard settings, to name just one example. Even so, I used it for about nine months. Then, slightly after DebConf5 in Helsinki, I realized what the true horror of GNOME is: not the fact that they hide away features or try to make the desktop void of superfluous options; the fact that they remove features that are critical to some of its users. I know I was horrified to find out that something I really used a lot had been removed in that new release. I kept using it for three more months before I threw in the towel and tried something totally different.

Ion3.

After coming from the mostly mouse-oriented interfaces that GNOME and Enlightenment were, ion3 was truly different. I liked it at first; it was a welcome change from what I'd previously been doing. Eventually, though, I found that the ion way of doing things just wasn't my way. The fact that, by default, it puts new windows right in front of the window you're working on was rather off-putting. Any serious attempt at configuring the thing involves learning Lua which, though supposedly not hard to do, is not something I ever found the time for. In the end, I discovered that I disliked working with ion, as I often felt that it gave me a fragmented and tunneled view on the world, and that it was working with me instead of the other way around. In short, it was getting the fun out of computing for me. Which wasn't good, at all.

So that's when I started looking for something else again. When I'd made the decision to move away from ion3, I didn't want to keep using that "until I'd found something else"; instead, I quickly installed IceWM—which I still knew from back when I had a Yopy YP3000—and used that until I had found something better.

Little did I know the beauty of IceWM. I've decided, by now, that it does all I need, and more: By default, it tries the best it can to put a window on your screen so that it overlaps with as few other windows as possible. I can have it not focus a new window by default. It does focus-follows-mouse, if enabled. It even does edge-flipping. Of course it's not perfect—the edge-flipping, though not as horrible as the GNOME implementation, can still use some improvement. As if to prove my point, I accidentally closed the window in which I was writing this very post before it had been written to disk, the cause of which could be described as an interface problem in IceWM (though it's more likely an example of PEBMAC (Problem Exists Between Mouse And Chair)). But, all in all, using IceWM feels like finally coming home.

Thanks, Marko and Mathias, for a truly wonderful piece of software.

[1] I know that there are a lot of people who dislike edge-flipping. I am 99% sure that this is because they've never seen it implemented right. Edge-flipping is great, if done right; it's a nightmare if done wrong. GNOME does it horribly wrong. IceWM does it better, though not perfectly. The implementation in Enlightenment is perfect. I'll discuss the details in another post.

Posted
edge flipping

Edge flipping.

So, in my previous blog post, I mentioned that Enlightenment, bug-ridden as it is, is the only application I've seen thus far that implements edge flipping the right way. Since it's been a long time since I last used the only window manager that actually implements it the right way, I've been able to give it quite some thought by now. Here's my take on it:

The central thing to remember is that the edge flipping interface will trigger accidentally. No matter how well you implement your interface, sometimes a user will accidentally move his or her mouse, or he/she will want to click something near the edge of the screen and touch it. Therefore, there are two things an implementer should do:

  1. Make every effort to avoid accidental edge flipping where possible, and
  2. Make it as easy as possible for the user to correct an accidental triggering of the interface.

The best way is to make sure your interface has the following characteristics:

  • The code should not trigger if the mouse button is pressed down. The reason for this is that many people like to maximise their windows, and that many interfaces keep their scrollbars near the edge of the window. Scrolling is often accomplished by moving the mouse over the scrollbar; and since human beings are not machines, it's usually impossible for them to move their mouse in a straight line. It's fair to say that when you're holding your mouse down, you're usually not interested in edge flipping. GNOME's brightside gets this wrong, which makes it a horrible nightmare.
  • The code should not trigger immediately. When you move your mouse, it's fairly common to touch the edge of the screen. Thus, edge flipping should only happen after a delay. However, when it is happening, it should continue to do edge flipping until the mouse has not touched the edge anymore before another delay has passed (otherwise moving two or three workspaces at once takes too much time). While I haven't seen any implementation get this horribly wrong, I've seen implementations get this wrong in their default configuration (again, brightside).

Getting the above two right will ensure that accidental edge flipping is reduced to a minimum. This is the first step, and one that only Enlightenment and IceWM got right. The final step, however, is something that IceWM does not get right; and this is what makes Enlightenment's edge flipping implementation such a natural thing to do:

  • After edge flipping, warp the mouse to the opposite side of the screen, just far enough away from the edge so that it will not immediately flip back again.

Some people will find that last point evil, I'm sure. I'll admit it took me a while to get accustomed to it as well. But it's the only natural thing to do. You should think of your virtual workspaces as one large desktop; if you're using four workspaces next to each other, that means one large desktop four workspaces wide. When you move the mouse one quarter to the left, it's normal that it ends up about the same place on that same desktop. In other words, warp the mouse.

Additionally, the mouse warping will have the effect that it makes recovery from accidental edge flipping easy and fast. If the mouse stays where it was after edge flipping (as in the case of brightside and IceWM), then if I accidentally hit my mouse, by the time I've moved my arm towards the mouse and started moving it back, I've moved away three workspaces from where I was already (because of the second bullet point in this post). If, however, the mouse does warp to the opposite side of the screen (i.e., the side where it was coming from), then going back to where you were is just a matter of moving the mouse a few millimeters in the opposite direction. Very easy to accomplish, that...

Oh, and finally, you also shouldn't segfault at random. Again something that brightside did not get right when I used it—did I mention that brightside is crap? Well, I did now. Hopefully it's changed for the better in the meantime.

Back in my Enlightenment days, I used workspaces a lot, because Enlightenment made it so natural with its excellent edge flipping implementation, and with the help of the pagers which would always, at any time, give me a snapshot of all my workspaces, helping me to remember where this or that application was running. IceWM doesn't replace that, but it sure gets close.
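The three rules from this post (no flip while a button is held, a delay before the first flip with immediate continuation afterwards, and warping the pointer to the opposite side), as an added simulation that is not part of the original post and not taken from any window manager's code. The screen width, the 250 ms delay, the 10-pixel warp margin and all names are assumptions, and the event lists fed to `replay` are constructed.

```python
# Added example: simulates the edge-flipping rules described in the post.
# All names and constants here are assumptions, not window manager code.
from dataclasses import dataclass
from typing import Optional

WIDTH = 1024      # screen width in pixels (assumed)
DELAY_MS = 250    # dwell time before the first flip (assumed)
MARGIN = 10       # distance from the edge after warping (assumed)


@dataclass
class EdgeFlipper:
    workspaces: int = 4                # one row of workspaces, no wrap-around
    current: int = 0
    edge_since: Optional[int] = None   # when the pointer began touching an edge
    last_flip: Optional[int] = None    # time of the most recent flip

    def motion(self, t: int, x: int, button_down: bool = False) -> int:
        """Feed one pointer event; return the (possibly warped) x position."""
        edge = -1 if x <= 0 else 1 if x >= WIDTH - 1 else 0
        # Rule 1: never flip while a button is held (scrollbar drags etc.).
        if button_down or edge == 0:
            self.edge_since = None
            return x
        if self.edge_since is None:
            self.edge_since = t
        # Rule 2: the first flip needs a dwell; touching an edge again soon
        # after a flip continues the run without waiting a second time.
        in_run = self.last_flip is not None and t - self.last_flip <= DELAY_MS
        dwelled = t - self.edge_since >= DELAY_MS
        target = self.current + edge
        if not (in_run or dwelled) or not 0 <= target < self.workspaces:
            return x
        self.current, self.last_flip, self.edge_since = target, t, None
        # Rule 3: warp to the opposite side, just clear of that edge.
        return WIDTH - 1 - MARGIN if edge == -1 else MARGIN


def replay(events):
    """Run constructed (t_ms, x, button_down) events; return (workspace, x)."""
    flipper, x = EdgeFlipper(), 0
    for t, px, down in events:
        x = flipper.motion(t, px, down)
    return flipper.current, x
```

Because the pointer lands 10 pixels from the edge it came from, an accidental flip is undone by a small move back within the delay window; without the warp, the same run rule would keep flipping in the original direction.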

Posted
nmbs travel schedule

The NMBS sucks.

I'm typing this entry in the Antwerp Central Station, after having missed three trains.

When I go from Mechelen (where I work) to Ekeren (where I live), I have a few options: either I take a train at 48 past the hour, in which case I can stay on the train until I'm home; or I can take another train, in which case I have to change trains in Antwerp Central. Unless I take the train at 11 past the hour in Mechelen, which doesn't call in Antwerp Central, so I have an extra stop in Antwerp Berchem in that case.

Today, I just missed the 48' train when I arrived in the Mechelen station (as in, I saw it close its doors and leave), so I had to wait for the next. Which was the 11' train. But it was a bit late.

When I arrived in Berchem, the train was still a bit late, and my connecting train (which leaves at 33') was just leaving (as in, I saw it close its doors and leave).

I took the next, which is only four minutes later. But those four minutes mean a great deal; when that train was coming to a stop in Antwerp Central on track two, I saw a train leaving on track 6. Take one guess which train I had to get.

So right now, I'm waiting for the next train home, which is over an hour later than the previous one. Better not miss it, too, since it's the last one for today.

I wish the NMBS would create some less frustrating timetables.

Posted