Meester, ze beginnen weer!
Gisteravond was er een item op het nieuws dat er een nieuwe editie van het Groene Boekje uitkwam, met weer maar eens een aangepaste spelling. Dit zat er uiteraard al even aan te komen, maar het is nu ietwat officiëel, met de uitgave van een nieuw Groene Boekje. De heren professoren van de Nederlandse Taalunie vonden die aanpassingen blijkbaar nodig.
Wel, ik niet. Persoonlijk kan het me geen ene reet schelen of het nu paardebloem of paardenbloem is; of het nu online dan wel on line is. Wat me wél kan schelen is dat er continuïteit moet zijn. Ik heb in 1984 leren spellen volgens de regels van de naoorlogse spelling, en da's nog altijd de spelling die ik het beste beheers. Dat ging goed.
In 1996 heb ik opnieuw moeten leren spellen, volgens nieuwe regels die uitgegeven werden. Plots was het niet langer pannekoek, maar wel pannenkoek. Plots was er niet langer een progressieve spelling. Op zich had ik wel begrip voor de nieuwe spellingsregels; een hoop onduidelijkheden verdwenen, en in het algemeen werd de spelling wel een stuk makkelijker. Maar het betekende wel dat alles wat ik in 1984 heb geleerd, opnieuw moest evalueren. Dat was niet leuk, maar alla, ik kon er mee leven. Zelfs al duurde het een aantal jaren vooraleer ik het gevoel had dat ik de nieuwe spellingsregels beheerste, en zelfs al kan ik nu nog niet met 100% zekerheid zeggen of iets nu op de één of de andere manier geschreven wordt.
Nu blijkt dat de heren professoren in hun ivoren toren besloten hebben om mij, en met mij alle Nederlandstaligen, hier elke tien jaar aan te onderwerpen. Wat het nut daarvan is, ik begrijp het niet. Het is hen misschien ontgaan, maar er zijn mensen die andere dingen te doen hebben dan elke tien jaar alles wat ze denken te weten over een onderwerp dat ze denken te beheersen, overboord te gooien en geheel en al opnieuw aan te leren. Dat geldt in elk geval voor mij. Spelling is niet iets dat je beheerst door de toepassing van een aantal regels; het is iets dat je beheerst door aanvoelen. Dat wordt grondig verstoord als je aanvoelen elke tien jaar door externe factoren niet meer de juiste manier blijkt te zijn. Ik heb niet de tijd om vijfendertig keer na te denken tijdens het schrijven van een tekst over wat nu de juiste spelling is; ik moet dat aanvoelen.
Ik zou de heren professoren dan ook in de richting van de Franse, Duitse, en Engelse taalunies willen sturen, met de mededeling om een voorbeeld aan hen te nemen.
U zegt dat deze niet bestaan? Klopt. Is dat niet geweldig?
Interesting things to do with an electronic ID card and a cardreader
So, now that I finally feel that belpic in Debian is in working order (in unstable), let's talk about the interesting things one can do with it. You have an eID, run Debian, just bought yourself a cardreader, and feel "now what"? This is the blog post for you
Note that there are still some rough edges; but I still have time to fix those before etch releases, so that's not much of an issue.
First, you need some support packages. If you bought a cardreader
from Zetes or got one from the Government somehow, then you have an
ACR38 reader and you need a hardware support package to be able to use
it; the package in question is called libacr38u
.
Obviously you will also need the belpic packages. For now, just install all of them—there still appears to be a dependency issue which I will need to fix; I'll announce on this blog when that has been done. Just run
aptitude install $(apt-cache showsrc belpic|sed -e '/^Binary/!d;s/^Binary: //;s/,//g')
and you will install them. I uploaded these packages to backports.org, too, where they'll hopefully show up some time soon (the current packages are still at 2.3.13 for some weird reason). This will give you:
- beidgui
- a graphical application that will allow you to view the data on the card, and to change your PIN code (as long as you still know your current PIN code and don't need to unblock it with the PUK; for the latter, you need to go to your local town or city or district hall).
- beid-pkcs11-tool
- a command-line tool that will allow you to change your pin and do some other interesting things. Note that while this is a command-line tool, you still need a GUI environment to be able to run it; there are cases where the libbeidlibopensc2 library will open a dialog window to ask you for your pin, without going through the application.
- beid-tool
- a command-line tool with not much options; it doesn't allow for much more than to test whether your installation works.
- beidcrld
- a daemon that will update the CRLs (Certificate Revocation Lists) when there is a network connection, so that you can verify the validity of the card in your reader. If you have a permanent Internet connection, there is also OCSP (Online Certificate something Protocol) which will verify the validity of your certificates against an online server, and which the preferred way to do this. Future versions of the belpic packages will have a /etc/default/beid which will allow you to disable beidcrld.
- beidpcscd
- a daemon that is used if you need libpcsclite to talk to your cardreader. If you have an ACR38 cardreader, you need this. I personally have a different one, which uses openct, so I don't...
- a whole bunch of libraries
- However, only three are really interesting: libbeidlibopensc2, for low-level operations on the card (such as "read a file", "sign some data"; libbeid2, for high-level operations on the card (such as "read identity data", "read a picture"), and libbeidlibjni (JNI library, if you want to use the eID from Java). Libbeidlibopensc2 and libbeid2 are packaged separately; libbeidlibjni is packaged together with libbeid2 (though that might change in the future, not sure).
- Some files to support mozilla, firefox, and other browsers.
- The most interesting ones from a user point of view are /usr/share/beid/beid-pkcs11-register.html and /usr/share/beid/beid-pkcs11-unregister.html. Note that registering the module isn't enough to be able to use it; you will have to perform some additional steps which are outlined on eid.belgium.be, the government website about the eID.
Additionally, there is also OpenSC which you may want to install. The point there is that things like OpenSC's pkcs15-tool and pkcs15-crypt do not have a counterpart in the eID toolkit, so if you want that, you need to install it.
So, that's the software in the eID toolkit. But what can you do with it? There are a number of things. For starters, of course, there's the beidgui, which allows you to view, save, print out, and do other interesting things with data on a card. If you work on a place where you regularly need to work with eID data, this may just be the appliation for you.
If you have set up your browser to support the eID, you may want to go to mijndossier.rrn.fgov.be, a website set up so that everyone can view their own information in the Rijksregister. I'm sure there is a French version of that URL, but don't ask me—I don't know it.
You probably already know about tax-on-web, where you can do your tax application online.
It is possible to install a signing module into Mozilla Thunderbird, and to sign your emails using S/MIME and the eID card. This will give you a signed email which is legally binding; might be interesting for those of you out there interested in not having to use as much paper signatures. Details, again, on eid.belgium.be. The same is true for signing documents in OpenOffice.org. I haven't tried doing any of this myself yet, though.
Of course, you can sign any text file as well, using pkcs15-crypt from OpenSC, or extract the certificates on the card using pkcs15-tool. Just run them with the --help parameter to find out about their options.
And that's about it, I guess. More interesting links can be found on a a portal maintained by Danny 'godot' Decock on the eID.
Password expiration sucks!
Just a few moments ago, I was trying to commit a minor fix to the NBD subversion repository. However, suddenly the server refused my commit; the password which I knew to be right wasn't working. So I loaded SourceForge.net in my browser and went to the admin link there to find out whether I had perhaps fucked up my own commit rights. I've been known to do that before. Doing so of course required me to log in.
Which revealed the problem that was causing this in the first place: apparently my password had expired. I had been using the very same password since ages, but for some reason unknown to me, sourceforge has now decided that they want to introduce password expiry.
Of course, good password management is very important if you want to avoid issues with people stealing your passwords. For that reason, I usually generate my passwords with pwgen -s 15, which generates passwords that are impossible to guess—one example of an actual password that I have used in the past (but that I do not have in use in any other system anymore today) is qChjZeWIbSDGON/. The hard part is, probably, to memorize that; for that, I have a pretty simple method: I enter 'gpg -o ~/foo' and enter my new password. Then I pick out some random .jpg file somewhere on my hard disk, and concatenate the gpg data to that file. It is usually still possible to view the file in a viewer with that extra data added to it; IME, most image viewers have the ability to view all data in a corrupt JPG-encoded image that occurs before the corruption—which in this case, will be all of the image. As such, if you don't know which file it is, and you don't know my GPG password, chances are low that you'll find it and steal my login data. Additionally, of course the .jpg file is either removed or restored to its original state when I memorized the password, and finally I also update my GPG key and the password of the system that contained the file with the encrypted password to be using the same new password, so chances of stomeone stealing it get even lower.
However, even with this method, it still takes me a few days or weeks to memorize it. Also, synchronizing the new password to all the systems and websites on which I have an account takes a while. For that reason, I prefer not to do it too often.
With that in light, it is slightly problematic to have an account on a system that has a password expiration policy in force, because a) this makes it impossible for me to use the highly secure passwords that I use "everywhere else" on these expiration-using systems, b) because the average expiration policy is 2 months, making it impractical for me to generate secure passwords for these sites as well (by the time I memorized the new password, we're already at least halfway through the two months if I need to use that password fairly regularly—or it might even be too short if I don't use the password regularly.
The result of the above is that password expiration policies, in my case, force me to use less secure passwords of which I'm sure I can remember them—old passwords which I used before I had a GPG key or had learned about pwgen. I still use those on websites that require me to enter a password but which I do not trust to handle my passwords in a secure manner; I don't want to give these sites the password to unlock my gpg key, for example. The problem with these passwords is that they are easy to guess; they're usually not some unintelligible bit of random letters, but are six to eight characters that actually have a meaning.
In fairness, I did have one of those old and insecure passwords in use at sourceforge, because I indeed didn't trust them with my secure passwords. If they base their password expiration policy on the strength of the password, then this whole blog post should be ignored.
But in general, it is my point that password expiration policies do not improve security at all. It forces people to use passwords that they can quickly memorize (otherwise they're trying to memorize all the time), and it does not give people who usually pick easy to guess passwords any incentive to pick better, harder to guess passwords. On the contrary, in fact.
Password expiration policies suck.
Planet.grep.be and broken blogs
Occasionally, some blogs that are aggregated on Planet Grep break. The server may break down, or the blogger may have changed blogging software, or the domain may expire, or any of a number of things may happen that would result in the blog not working anymore.
Since planet sends data to stderr when it receives a 404 or 5xx-style status from a webserver (or when it does not receive a reply at all), and since it's called from cron every thirty minutes, I usually disable blogs that break down like this. As a result, they will not be automatically re-added to Planet Grep when the problem is solved.
This is just so that my mailbox doesn't overflow, and when the issues are fixed, I will be happy to re-add blogs that were previously broken to Planet Grep. If you used to be on Planet Grep, but you are not anymore right now, chances are high that your blog was broken at some point in time and I disabled it. When the issue is fixed, just send me an email (wouter@grep.be), and I'll put it back. I just re-enabled all blogs that were still disabled for some reason; so everyone should be happy for now. Unless I made a mistake somewhere. Do let me know if I did
Occasionally, I've been thinking of a way to add hackergochi's to Planet Grep after all. Stay tuned.
Deploying MIDlets
I've been playing with the mobility suite in Netbeans, writing some application for my cellphone. This seems to be pretty easy, since the mobility suite comes with an emulator in which you can test these MIDlets. Which is great.
Unfortunately, there is one slight problem: I can't seem to find out how I can deploy these MIDlets to my cellphone using bluetooth. Netbeans gives me the option of immediately deploying to a webserver, using a variety of protocols (WebDAV, FTP, or even SSH, just to name a few), and to just put them in a directory if that isn't enough. When I choose the latter, it puts two files in that directory; a .jar and a .jad. However, sending either of these files to my mobile phone doesn't work—it receives them, but does not recognize them properly.
It's probably possible to download them through the Intenet using WAP or similar technologies; but doing that involves connection costs, which is silly considering that I can send files to it through bluetooth. I'd like to do it that way if at all possible.
So, dear Lazyweb, I guess that leaves me with a question: is it possible to send Java MIDlets to my cellphone using bluetooth, and if so, what do I need to do?
Why...
... do all most free modern Linux games with
1993-era graphics and gameplay (which is a feature, not a bug) require
2009-era computers?
Take Freetennis, as an example. A few years back, my brother used to play a game called just "tennis" on my parent's 133Mhz computer. It looked about the same, had a slightly larger number of features, and ran pretty quickly on that system.
Freetennis doesn't work on my laptop, because it hogs the CPU and doesn't appear to be getting enough. Especially not if I try to run it fullscreen.
My laptop is a 1.3Ghz PowerPC G4.
Now if it were just freetennis, I wouldn't care much. But it's a lot, lot more. The only game which I've found that does not make my laptop squirm and die is a little game called "Starfighter". But only barely so, and only if I do not run it fullscreen.
I blame the layers and layers and layers and layers and layers and layers of SDL and X and libpng and libalsaplayer and other utter crap that are between my CPU on the one side, and the output devices on my laptop on the other side.
Especially SDL.
Not Happy.
Re: SDL
I received a number of comments on my previous blog post. I was going to reply to each of them separately, but then decided that this was worthy of a blog post of its own.
Two people posted comments telling me to check whether I had OpenGL acceleration switched on.
In case you guys missed it, Freetennis is a sprite-based and essentially 2D game. It does not use OpenGL, by the looks of it. Neither does starfighter, powermanga, or a number of other 2D games I tried. Yet they all require the full 1.3Ghz of my processor, and some of them, including freetennis, think even that isn't enough.
I received some other claim that SDL by itself performs pretty well. While this may be true, the fact remains that many simple games that should work well on older hardware seem to require a lot of CPU time, and that they all seem to use SDL. If it's not SDL at fault, then it's probably the SDL documentation which doesn't stress the need to KISS enough. Or so.
A final remark compared the situation to Quake2 on his X40. I don't know what you've been doing, but I'd been happily playing Quake2 on my 650Mhz PentiumIII until that one got migrated to become my parent's computer. Without hardware acceleration. And, luckily, without SDL, too.
Darn
As I'm starting this blog post, I'm sitting on the 22:19 train
Breda->Roosendaal, on my way home. I'm coming from the Debian
Birthday Party that happened in café Zeezicht
on the Grote Markt
in Breda, where a number of Dutch Debian people gathered. I'm not Dutch,
but I do speak Dutch, and it's always nice to meet fellow
Debianistas without having to revert to English. I had a fairly
entertaining chat with some people, and eventually Jeroen van Wolffelaar
showed up, with whom I had some interesting talk about the state of m68k
and related dak-matters. I stayed there for two hours, but they were
worth it.
So why did give this post a title of Darn
?
When I got on the train, I broke my wristwatch. When I was taking my backpack off my back, my watch got stuck behind the strap that is supposed to keep the backpack on my back—whatever its name is—and as a result, it fell off my arm. Which isn't supposed to happen under normal conditions.
It doesn't seem to be FUBAR, but it's still going to be have to be repaired before I can wear it again.
I feel naked now.
SMTP-time bayes filtering
- Requiring people to register sucks.
- So does folding your feed
... but I ranted on those two before already on this blog, so won't repeat that. What I wanted to say:
Of course it's possible to do bayesian filtering at SMTP time. If you use the exiscan features of Exim 4 (available in the mainline since exim 4.50, or as a separate patch before that), you can run external programs (virusscanners and/or SpamAssassin's spamd) on the mail data. Read section 40, "Content scanning at ACL time", of the exim4 info file for the documentation.
j2me
A while back, I started developing a little application for my cell phone. It's progressing nicely, although I do have a few issues; the main one is the fact that the java mobility toolkit is written in C rather than Java, and that it is not open source. As a result, I cannot run it on my powerbook, but have to install the thing on an i386 machine to be able to use it. Which sucks, majorly.
I had started to write a blog post to outline how this sucks, and that I didn't think highly of sun, until I stumbled upon this:
Sun plans to open source the entire Java ME (mobile) platform (both CLDC and CDC) and we are targeting to roll this out by the end of 2006.
Well, that would be interesting.
Ikiwiki
It's been interesting to read Joey Hess' progress on developing ikiwiki, a wiki implementation that can, somehow, also be edited through doing a commit in a subversion repository; and apart from that, it has a number of other interesting features that would make my website much better.
Right now, my website has been written using a lot of NIHolism plus some small amount of blosxom for the blog part. It works, except that I'm getting less and less happy about the blosxom bits as time passes. I need a huge and ugly script in my post-commit hook to add stuff to my blog, and even then there is still a bug which I haven't yet had the motivation to fix. The rest of the site is less ugly, but then the way it's written isn't very flexible. I am happy about the way the comments have been implemented (some PHP code plus a postgres database backend), but if I can do something similar with ikiwiki (every comment is moderated, nothing shown by default), I'll be just as happy.
So, I guess I'll be looking at ikiwiki a bit closer during the next few days and/or weeks, and see whether it's going to be easy and/or feasible to migrate my blosxom stuff and my other articles to ikiwiki. Would be cool.
Hackergochi's
When I initially set up Planet Grep, I decided not to do hackergochi's in the layout, because the server that runs it does not have the bandwidth to serve a number of hackergochis, no matter how small.
However, since it makes a planet so much more fun to read if there are hackergochi's, I wasn't very happy with that decision. Also, a while back it occurred to me that in order to show hackergochi's, I do not necessarily have to serve them myselves—it is very possible to show hackergochi's that are served on another system.
So, as of today, it is possible to show a hackergochi on planet grep, but you have to put it on your own webserver. If you're interested and you're already listed on Planet Grep, just let me know; I'll update the configuration ASAP.
Accept to gettext
In 2003, I needed to write a PHP site that would need to be internationalized, and decided to use gettext() for this purpose. While PHP has proper support for gettext, it unfortunately does not have any builtin way to easily convert the data in the Accept-Language and Accept-Charset HTTP headers into something that can be understood by gettext.
So I sat down, and over the course of an afternoon, I wrote 83 lines of PHP code (excluding comments) that would do just that: parse the above two headers, and return a gettext string which represents the best match out of a set of strings specified. It's pretty easy in use, and was written quite generically, so I put a GPL tag on top of it, put it online, added a comment to the documentation of the gettext stuff in the PHP manual advertising the URL, and stopped thinking of it. The project that I wrote this file originally for eventually wasn't even finished; today, I don't even recall what it was.
In early 2005, I received a mail from Matthew Palmer thanking me for the code, and telling me that he'd incorporated it in IRM of which he's part of the development team. Which reminded me of its existance. For a short while.
Today, I was cleaning out my INBOX, and stumbled upon this old email again. Which got me curious, so I started googling for those 83 lines of code that I'd entrusted to the Free Software world three years ago. I must say I'm pleasantly surprised. My file accept-to-gettext.inc seems to be used in a variety of free software projects, including of course IRM, but also the GnuCash website, or in this french educational thing called SLIS. It seems to be quoted in its entirety on some turkish PHP-related forum. It has been adapted to support different translation systems. And so on... the list is rather long.
Can't say I'm not proud. And yet, the code contains a rather silly bug: the assumption that character set encodings are somehow linked to translations. They are not; gettext is perfectly capable of transparently transcribing one character set to another.
Oh well...
CAPS LOCK.
Using a macro to capitalize the names of other macros where used? What crap are you on?
"Who's writing C anymore these days". Err, let's throw out the kernel, the X server, GNOME, perl, and python, shall we? All of those are written in C. As are many other things, but these are just the more popular bits.
If a key sits in your way, allow me to point you to xmodmap, or just the XKB extension. That's what it's for. Personally, on my keyboard I have mapped \ to the (totally useless) key that has ù printed on it.
Finally, a modal keyboard is useful, if only for ergonomics. Having to hold down bucky bit keys for long sequences of characters is very bad for the joints in your fingers...
This post brought to you by an inofficial member of the International Society of Caps Lock Fanciers. 7 lower case characters were hurt in the production of this entry, but no finger joints)
Weekend
This blogpost brought to you by the use of Steve's electricity, network connection, and couch.
And hospitality, of course.
For some reason, I appear to have lost my voice again. I don't know why it is that every time I meet Debian people during a weekend, I lose my voice, but this appears to be what's happening; I lost my voice during the last two FOSDEMs, and again this weekend. Oh well.
We had a nice little barbecue last night, with lots and lots of Debian-UK people attending. And some non-UK people, too. Met some people that I hadn't seen since Helsinki and some others that had been at FOSDEM. Plus, obviously, some new faces. Only need to put names to them, now, which I will probably have forgotten by next time I see them. As usual.
I was planning on harassing someone into helping me to get my Airport Express to work again, but when I tried it just once to get some useful printk output, it suddenly seemed to work. Strange.
Oh well, not as if I care. Watching the F1 race now, let's see what happens after that. Nice start of the race, though, with a spectacular crash of a number of people.
Trains...
I had booked this trip to Cambridge and back well beforehand.
According to my intinerary, I should've been able to get a train from
Cambridge to London King's Cross at 17:28. Unfortunately, today London
King's Cross is closed because of 'engineering', a eufemism for we
need to work on a few things without knowing what the fuck we're
doing
.
I had known that they were going to be closed today, since it was announced yesterday. However, I had (incorrectly) assumed that the train which was assumed to go to King's Cross would go part of the way and that I could take the underground from there, or that at least the train would be diverted to another station. Apparently I was wrong; instead of helping me out, they simply cancelled it. So now I had to figure out another way of making it to King's Cross.
While I was considering forking out an insane amount of money to a cab from London Stansted (at least there was a train that could get me there from Cambridge), Cambridge Station staff suggested me that I could make it to Tottenham Hale from Stansted using a connecting train with Liverpool Street as its final destination, which would get me right next to an underground station. A ticket from there to London Waterloo, where the Eurostar leaves, will cost me slightly more than one from London King's cross, but at least I'll still be on time -- and I won't have to pay a cab.
Lessons learned: next time, ask right away when you see something
about engineering
that might interfere with your travel schedule,
so that you can actually get there in time without issues, and
without unnecessary stress...
...and the fact that engineering
in the UK is not
done sensibly, as opposed to Belgium; this type of insane work should be
done during night hours, when no trains have to be routed to that
station anyway.
Divisivity meter
How to verify whether a discussion is about a divisive subject.
- If everybody cheers: not very divisive.
- If some people grumble: slightly divisive.
- If some people threaten to resign: somewhat divisive.
- If many people threaten to resign: quite divisive.
- If many people threaten to resign, and insist that it's not a threat: very divisive.
This post brought to you by the International Foundation for the Betterment of Flame Wars
"pissing contest"
Thanks for a nice metaphor, Gunnar.
Not very impressive, I know, except if you consider the "City Rail" icon there
I'm also not very sure about the Paris one; it could've been the RER one instead. But hey, it was over six years ago.
Additionally, Helsinki isn't there, even though I've been to that city; but then I haven't been in the metro there.
(occasionally, the logo for the München U-bahn is on that site, all down the bottom)