Feed aggregator

Microsoft To Issue Emergency Fix For Windows .LNK Flaw

Slashdot - 1 hour 10 min ago
Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."

Read more of this story at Slashdot.


UK Government Rejects Calls To Upgrade From IE6

Slashdot - 4 hours 9 min ago
pcardno writes "The UK government has responded to a petition encouraging government departments to move away from IE6 that had over 6,000 signatories. Their response seems to be that a fully patched IE6 is perfectly safe as long as firewalls and malware scanning tools are in place, and that mandating an upgrade away from IE6 will be too expensive. The second part is fair enough in this age of austerity (I'd rather have my taxes spent on schools and hospitals than software upgrade testing at the moment), but the whole reaction will be a disappointment to the petitioners."



The Canadian Who Holds the Key To the Internet

Slashdot - 6 hours 7 min ago
drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."



US Ability To Identify Source of Nuclear Weapons Decays

Slashdot - Fri, 07/30/2010 - 23:19
Hugh Pickens writes "The NY Times covers a report released by the National Research Council, which says the ability of the US to identify the source of a nuclear weapon used in a terrorist attack is fragile and eroding. The goal of the highly specialized detective work, known as nuclear attribution, is to clarify options for retaliation and to deter terrorists by letting them know that nuclear devices have fingerprints that atomic specialists can find and trace. 'Although US nuclear forensics capabilities are substantial and can be improved, right now they are fragile, under-resourced and, in some respects, deteriorating,' the report warns. 'Without strong leadership, careful planning and additional funds, these capabilities will decline.' The report calls on the federal government to take steps to strengthen its forensic capabilities and argues for the necessity of better planning, more robust budgets, clearer lines of authority and more realistic exercises."



New PS3 Firmware Causing HDD Upgrade Problems?

Slashdot - Fri, 07/30/2010 - 22:28
Channard writes "While there have been occasional reports of previous PS3 firmware upgrades causing system crashes and so forth, Sony's new firmware upgrade for the system, 3.41, is apparently stopping PS3 owners from upgrading their hard disks. This problem has been encountered by many users on Sony's forums and occurs when you try to put a new hard disk into a PS3 that already has the firmware upgrade installed. The general course of action for upgrading a PS3's drive is that you download the latest PS3 firmware onto a memory stick and, after swapping the hard drive in the PS3, plug the stick in, allowing the PS3 to properly prepare the disk for use. But as of upgrade 3.41, the PS3 fails to recognize the firmware on the stick, complaining that it can't proceed until you insert the correct firmware. Repeating the process and re-downloading the firmware does not fix the problem, as I can confirm, having encountered the problem myself. Users can put the old hard disk back in, provided they've not reformatted it for some other purpose, so all is not lost. Sony have apparently told gaming website CVG that 'The information available to our Consumer Services Department does not suggest that this is a problem PlayStation owners are likely to experience when upgrading the HDD with 3.41 update.' This seems to fly in the face of the currently available information — although whether or not this statement was issued by Kevin Butler is unclear. Either way, PS3 owners encountering this problem will likely have to wait a few days for a fix and use their old HDDs for now."



FCC Gives Thumbs-Up To First LTE Phone

Slashdot - Fri, 07/30/2010 - 21:25
eagledck tips news that the FCC has "finally approved the first 4G Long Term Evolution (LTE) phone for sale in the US." The Samsung device will use MetroPCS as a carrier, but tech specs, software details and a launch timetable are still uncertain. Meanwhile, Verizon is ramping up testing of their own LTE infrastructure, hoping to launch in 25 to 30 markets by the end of the year. An anonymous reader notes that LTE rollouts could be hampered by a confused and conflicted patent situation. "It is impossible to know where all the patents are but we have identified more than 60 companies holding essential patents. It is a very large landscape and fragmented. If there was one major patent pool and a handful of individual companies to deal with, that would be possible. But signing license deals with 40 plus [entities] is not. A unified patent pool is best," said a representative for one of three patent pool organizations trying to accomplish that.



DefCon Contest Rattles FBI's Nerves

Slashdot - Fri, 07/30/2010 - 20:34
snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.



Aaron Seigo (aseigo): having made our beds, we now lie in them

Planet KDE - Fri, 07/30/2010 - 20:31
Oh my. Poor Dave Neary. He was just trying to offer some insight into how GNOME gets put together, and it ends up serving as an outlet valve for some pent-up frustration towards Canonical, in this case via a blog entry by Greg DeKoenigsberg.

Perhaps Dave's presentation could have been a bit "safer" if it had looked at just more recent times, or covered more than just commit rates, but presentation time is limited and, really, any information on how your community works and is put together is invaluable to its health and improvement. If I were part of the GNOME community, I'd be looking for ways to embrace Dave's hard worked for information in positive ways.

Dave's intentions were undoubtedly good and he put an obvious amount of time and effort into his presentation, but was repaid with a very public and unflattering flame war about something rather tangential to his goals with that presentation. Ouch.

Tribalism

Why does this happen? That's a great question, and I'm not sure we can ever have all the answers with perfect accuracy. Maybe we can summarize and approximate, though, and discover useful things as a result. Mark Shuttleworth offers that the problem is tribalism, and that tribalism in the form of fanboyism is Bad(tm). I think Mark hit the heart of the matter.

Here's an unfortunate part of the truth, though: while Mark rightfully comes out against tribalism, Canonical has, in my experience, been as much a part of fostering tribalism in F/OSS as anyone else. In fact, I'd say they are right there among the leaders in doing so: it's a side effect of their immense drive to build a rabidly loyal community around their brand and their propensity to try to tell other communities how to do things (e.g. how to schedule their releases).

After all, it's pretty meaningless to be a self appointed dictator for life if you don't have a kingdom to dictate, right? (That's said with my tongue placed firmly in my cheek. :)

Those are rather tribalistic concepts, though, and it is reflected in choices such as Canonical's decision to use launchpad rather than upstream repositories that already exist or how we see Ubuntu LoCos displacing more diverse Linux interest groups at the local level. It isn't zero-sum, though: Canonical has their reasons and there are benefits that come along with the challenges. I even believe that Canonical's motivations are not conspiratorial in nature, but are similar to those that drive the rest of us: making F/OSS awesome. I also recognize that mistakes get made, in spite of those good intentions. Most importantly: Canonical isn't alone in this set of interactions. We are all part of this thing.

If you are an Ubuntu or Canonical fan (or Mark :) and you read that, it might sting a bit (or maybe even a lot) and the instinct might be to react quickly, negatively and loudly. After all, who the hell am I to say something like that, right? :) Instead, maybe we can step back for a moment, turn off the flamethrowers for a little while (there's lots of time and opportunity to use them later if we wish to ;) and really think about the root causes of our tribalism. Much of it is going to turn out to be innocent, but all of it will show where we have room for improvement.

On Being Able To Admit Failure

One thing I've learned in my travels as someone who dabbles from time to time in providing leadership is that in doing so your faults will be put on display for everyone to see. We are each imperfect, we all screw up from time to time and being front-and-center means our screw ups get put front-and-center, too. It is humbling. It can be important to recognize when it happens and (even if it takes a while) come back and go "yep, I screwed up, let's see how we can improve on that going forward..." At that point we all grow and become better people for it. If we do that within our Free software communities, our communities will also become better for it. Linus' ability to do that makes up for many other faults he may exhibit from time to time.

Someone asked me the other day on the kde-promo list how KDE people can expect to get the KDE branding terms "right" when even I don't always get it right! I responded with the most honest answer I had: I still, even now, make mistakes when it comes to the branding terms, in large part because I've been doing the "KDE thing" for so long that it's like an old dog with new tricks. I asked them to continue to point out when I get it wrong so I can improve. It's often hard to say things like that without hedging, especially for those of us with hard heads and big hearts.

I've also discovered that, sadly, I'm going to offend or let down those I love dearly from time to time even though I really don't mean to and don't want to. When that happens, it's often more important to just say I'm sorry without worrying about defending what I did, even if I think it was a misunderstanding or justifiable. I have been working for many years on being able to prioritize the well being of those I care about more than I do about being "right". Let me be honest: it doesn't come naturally to me, and I still fail at times. But ... I also do manage to say "I'm sorry", to look for root causes without looking for blame to attach to it, and most importantly to me: to try and work on improvements that address root issues. I keep trying to remind myself: "I am an imperfect man reaching for the unattainable goal of perfection; and I am inching closer to never getting there every day."

Ok, so what's my point, already? Well ...

When Mark wrote about tribalism, Máirín dredged up in the comments section an unfortunate and regrettable public gaffe on Mark's part from the past and asked him if he'd apologized for that yet. Maybe Mark should consider doing just that, even if he doesn't consider what happened to be wrong in his own mind. It could help drain away some of the poison out there that is used to fuel some of those tribal fires. It certainly can't hurt.

In fact, all of those who have pointed fingers or defended themselves loudly, including (but certainly not limited to) Greg, could maybe try to step aside from their own correctness and ask what are the shared root causes that lead to this state of affairs. Can we instead create discussions with ourselves and with each other that reach for understanding but don't include statements of blame or accusation? It is possible to discover the mechanisms of failure in a relationship and come up with new possible solutions to try in blame-neutral ways.

That's just another way of saying that others may be responsible for (a large or small) part of the current dynamic, but we don't need to use that as an excuse to sidestep responsibility for the roles we play in it or as a way to avoid addressing the issues altogether. After all, what's more important: the moral high ground in our own little kingdoms of "Me, Myself and I" or forging a stronger and unstoppable thing together?

On Being Part Of The Problem Solution

The good news is that when we are one of the people caught up in a problem, intentionally or not, we can be part of the solution. Yes, being part of the problem is an opportunity. To illustrate: we may not have invented proprietary software ourselves, but we are/were caught in the midst of the consequences of a world that was dominated by proprietary software; by writing Free software, we are creating part of the solution to the negative effects of that situation.

In the questioning of Canonical's contribution, right now I see a lot of people trying to make the case that they aren't a part of the problem or that others are more a part of the problem than they are. Quite clearly they axiomatically are all shareholders in whatever failure is happening (the flamefest itself is a failure, imho). It is axiomatic because the problem is being driven by how communities are interacting, and the people pointing fingers and making defenses are part of those communities. Some are even responsible for leading the relationship components of those communities. They could be identifying what the challenges are and being part of the solution, regardless of who is contributing what to those challenges in the first place.

If each of the parties (GNOME, Canonical, Red Hat, whoever else) involved took internal stock of the situation they might identify all kinds of things they can each do to improve. How much better than writing witty blog posts that won't alter the status quo that would be! Leadership will be self-evident when people start describing and implementing such improvements, regardless of whether others do so first, later or never.

On Alignment

Starting with the alignment of priorities and agreeing on the context for the conversation would be a reasonable place to start, perhaps. To illustrate what I mean by that: Jono Bacon used the term "upstream" in his response to the issue in a way that is very different from what the people leveling the complaints at Canonical are. Jono used upstream in terms of Canonical's own efforts: their software developers are upstream of their packagers. However, it seems evident to me that Greg and others are using the term in the context of the global F/OSS economy, where in this case GNOME is the upstream of Canonical. It's the difference between looking at the supply chain within one particular company's factory, and looking at the role of that factory in the greater economy in which it operates.

Due to this difference in context, people are engaged in a conversation about upstream contribution in which both are 'right' in terms of the context they have chosen to speak from. This also means, though, that neither party is really addressing the same issue together. As long as those kinds of context and priority differences are not addressed so that a common conversation can be had, it will be a very long, hard, painful and probably unfruitful conversation.

I've been caught in many such conversations in the past with others in F/OSS. It happens; it's also fixable.

Why Care?

I believe it to be important that we care about these things because they are doing large amounts of unintended damage to F/OSS. But as my step-father used to tell me, "When you point a finger at someone else, you are pointing three fingers back at your own self." (Try it: point at something with your index finger, arm extended. :)

So let me address those three-fingers-pointing-at-myself. To be honest: the relationship between KDE and Canonical has not always been fruitful or friendly, ditto for KDE and Red Hat or KDE and GNOME. Even within KDE we have our moments of discord. It's not easy, it's not simple and I do not want to come off like I'm pretending it is or that my or KDE's track record is perfect either. KDE has managed to improve many of these things, some of them immensely though certainly not to perfection, but you know what is really unfortunate and sad when I reflect upon that? The root causes, tribalism and selfish misalignment of priorities relative to each other, were / are the same as those at the heart of today's tempest in a teapot over Canonical's upstream contribution and/or lack thereof. F/OSS has yet to truly learn the lessons we need to. We keep repeating the same unhealthy behaviors, we keep enabling each other in doing so.

I have to say that it was really tempting to delve into an analysis of what, in my opinion, the specific behaviors are that led to this particular blog storm, but when I thought about it I realized that it's not really my place to do so. After all, I'm not a direct stakeholder in this particular scenario and have not been invited to enter into the middle of what amounts to other people's relationship. So instead, let me get a little philosophical about what it might take to step away from our feudalistic ways:

We ought to be looking for F/OSS communities who can lead in demonstrating positive and useful ways of dealing with these somewhat inevitable moments of conflict. We need to encourage those who aren't leading in this way to improve their game; we need to give each other the opportunity to improve our game by avoiding blame games. We need to support each other in our hard times and our moments of brilliant alignment. For those who insist on tribalism, the rest of us need to move past them and minimize their impact and importance in the F/OSS ecosystem, so as to limit the harm they perpetuate.

We need to learn how to accept that someone is going to be a fan of $DISTRO or $PROJECT without using that against them. We need to learn how to be a fan of $DISTRO or $PROJECT without looking for ways to push for its advantage at the expense of F/OSS in general. We need to learn to recognize each other's strengths, as well as to stop claiming that we're strong where we aren't. We need to learn to disagree without sabotaging each other. We need to learn how to cooperate, even sometimes by making local compromises to achieve a higher level of global win. We should be looking at how to put together what we are each doing well into a larger whole, even when we are also competing elsewhere. We can both compete and cooperate without dragging each other down in the process.

The path beyond tribalism is, in my humble opinion, to realize that despite our love for KDE, GNOME, Ubuntu, Red Hat, Suse and/or fluffy bunnies we must each hold aloft a common goal that trumps all else: F/OSS must succeed. The world is depending on us to do that, because the world needs Freedom, and Free software is an important part of that.

That is the challenge we have before us. Sort of puts things into perspective, doesn't it?

But Before I go ..

Kids are smart. They will learn that when you do something bad you get attention even if it is negative. If they don't get the attention all children need in the course of growing up, they put this together in their head and start to look for ways to break "the rules" to get that attention. To be fair, some adults do that too. :) As an adult who plays a role in the child's life (a parent, especially), that pattern can be prevented by (among other things) paying attention to the things they do that are positive.

In that spirit, I'd like to end this blog post by giving a shout out to a few of the communities out there that are doing good things. Good work deserves attention and recognition, and you shouldn't have to be in the middle of a controversy to get it.

I'm thinking of OpenSuse, for instance: they make hard decisions and are pretty open about how difficult things can be internally at times, but they've consistently been a pleasure to work with, even through difficult times.

I'm thinking of Pardus, a small but hardworking group of people making an awesome distribution aimed primarily at their own region, but who are also doing all kinds of wonderful things technology wise both in their project and upstream.

I'm thinking of Red Flag who, despite other possible negatives, have also been contributing more and more upstream over time.

I'm thinking of Mandriva who, despite their financial bumps over time, have not only never caused grief for us as an upstream project but have contributed significantly.

I'm thinking of the numerous small and medium size businesses who aren't distributions but who are as important as many of the distros in making sure upstream keeps ticking. I'm also thinking about you, reading this blog entry because you care enough about these issues to do so with an open mind.


p.s. I'm concerned, having re-read it (and edited it several times), that this blog entry could come across as preachy. I really hope it doesn't, but I do recognize that my communication skills have limits to them and some may choose to read it that way. It feels rather unsafe to push the "Publish Post" button, and honestly I am hesitant to do so. It seems, however, that these are things that need to be said, and I can only hope that some of it is useful and gets through to those who will make things better than they are now. Deep breath time!

Love and with hope for all the best things in life, Aaron.
Categories: Free Software

Michael Pyne (mpyne): Big update collection

Planet KDE - Fri, 07/30/2010 - 20:05

Unfortunately I haven’t made any blog updates in awhile. I’ve been very busy between work and school (and I will likely spend this weekend working on a 20 page project that I’ve written 0 pages for ;). That doesn’t mean I have nothing to report though…

First off, I have renamed kdesvn-build to kdesrc-build to reflect the fact that it builds from Git-based software repositories. In conjunction I released kdesrc-build 1.12 which has various minor improvements, including a few Git improvements.

I’ve complained about my car breaking down. It’s fixed, although I will be selling it now (my wife and I were debating the merits of getting an improved car for awhile before, this incident sealed the decision).

Just today I’ve committed a new feature to JuK, the sadly neglected KDE Software Compilation music manager. Now you can use the scroll wheel in the track announcement popup to quickly switch tracks without having to use the Next/Prev buttons. It’s probably already in every other media player with a playlist, but it’s at least in JuK now. Note that this is a 4.6 new feature, not 4.5.

I’ve also been “reviewing” a patch to further remove Qt3 support code from JuK, which I will try to clean up and get committed this release cycle. The big thing I still need to do is to finally convert from K3ListView to a real Model/View architecture to finally be rid of Qt3Support. Help is always appreciated btw =D

Burkhard Lück, the documentation super-hero, has been improving JuK documentation for me, but I still need to make some changes that he’s requested to bring the docs closer to 2008-era (let alone 2010) :(

That’s another good “intro to KDE Platform” kind of job by the way, it’s how I got introduced to coding for JuK myself. ;)

Categories: Free Software

How Should a Non-Techie Learn Programming?

Slashdot - Fri, 07/30/2010 - 19:45
CurtMonash writes "Nontechnical people — for example marketers or small business owners — increasingly get the feeling they should know more about technology. And they're right. If you can throw up a small website or do some real number-crunching, chances are those skills will help you feed your family. But how should they get started? I started a thread with the question on DBMS2, and some consistent themes emerged, including: Learn HTML + CSS early on; Learn a bit of SQL, but you needn't make that your focus; Have your first real programming language be one of the modern ones, such as PHP or Python; MySQL is a good vehicle to learn SQL; It's a great idea to start with a project you actually want to accomplish, and that can be done by modifying a starter set of sample code (e.g., a WordPress blog); Microsoft's technology stack is an interesting alternative to some of the other technology ideas. A variety of books and websites were suggested, most notably MIT's Scratch. But, frankly, it would really help to get more suggestions for sites and books that help one get started with HTML/CSS, or with MySQL, or with PHP. And so, techie studs and studdettes, I ask you — how should a non-techie go about learning some basic technological skills?"



KMyMoney :: Re: Kmymoney Crashes When Opening Data File

KMyMoney Forum - Fri, 07/30/2010 - 19:16
Thank you for your reply!

I unset the homepage options and the program opened my file!!! Thank YOU!!! I ran a consistency check. The problem was, as my research showed, with a scheduled transaction. Deleted that, and the software works very well now.

Have a great weekend!

Nathan
Categories: Free Software

Justice Department Joins Fraud Lawsuit Against Oracle

Slashdot - Fri, 07/30/2010 - 19:03
suraj.sun writes with news that the US Department of Justice has joined a lawsuit accusing Oracle of overcharging the federal government for its software products. Quoting: "In a nutshell, the lawsuit argues that Oracle's government customers — a wide array of agencies, including the State Department, the Energy Department, and the Justice Department itself — got deals 'far inferior' to those the enterprise software giant gave to its commercial clients. The allegations stem from a software deal between Oracle and the federal General Services Administration that the Justice Department says involved 'hundreds of millions of dollars in sales' and that ran from 1998 to 2006. Under the contract, Oracle was required to inform the GSA when commercial discounts improved and to offer those same discounts to government buyers. Oracle misrepresented its true commercial sales practices and thus defrauded the US, the lawsuit contends."



A. L. Spehr (blauzahl): A new BugDay! this Sunday

Planet KDE - Fri, 07/30/2010 - 18:22

Looking for a good way to contribute and got some spare time this weekend? KDE BugSquad is holding a Bug Day revival this Sunday 1st of August and still looking for people who'd like to help out with getting Dolphin bugs under control.

We'll be gathering in our IRC channel (#kde-bugs) starting around 10:00 AM European time zone. As always, no coding skills required. All you need is a recent version of our beloved KDE Software Compilation. Senior bug triagers will be around to help you get started.

More info on: http://techbase.kde.org/Contribute/Bugsquad/BugDays/DolphinDay1 (available soon)

See you there! :-)

Can't make it then? That's ok, we'll have another. Promise.

But feel free to drop by anytime, bug reports always come in, and somebody has to look at all those duplicates!

Then the big question: do we hold our Bof in the back of a bus next year too? It makes it hard to take a group photo!

Categories: Free Software

ISC Offers Response Policy Zones For DNS

Slashdot - Fri, 07/30/2010 - 18:22
penciling_in writes "ISC has made the announcement that they have developed a technology that will allow 'cooperating good guys' to provide and consume reputation information about domain names. The release of the technology, called Response Policy Zones (DNS RPZ), was announced at DEFCON. Paul Vixie explains: 'Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. ... If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider. ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.'"



Jason A. Donenfeld (zx2c4/jdonenfeld): Interfacing CGit and Gitolite

Planet KDE - Fri, 07/30/2010 - 17:50

As many of you know, the KDE Project is transitioning to using Git with Gitolite and CGit. As such, I thought I’d update my aging Gitweb/posix-permissions installation of git to use CGit and Gitolite, and now my public git repository is kicking away. (If you’d like commit access any place or would like to host your own repo on my server, drop me a line.)

Since Gitolite manages git repositories, it has the option of generating the necessary information for Git’s shipped gitweb. This includes making a static list of repository names that should be included in gitweb as well as optionally adding the gitweb.owner entry inside .git/config and the description file at .git/description. The static list of repository names is boring and standard and easy. The owner and description specifications are standards set by the Git project for this kind of information. Hence, Gitolite supports interfacing with them.

Meanwhile, CGit uses its own configuration format for determining the owner and description and repository path. For interfacing with Gitolite, in the past I have created a hook that writes out a CGit-formatted configuration file, which is then included in the main cgitrc with the include directive. Essentially I had to do this:

    gitcode@starfox ~ $ cat web/cgit/generaterepos.sh
    #!/bin/sh

    cd "$(dirname "$0")"
    rm -f repos.tmp

    # One CGit repo stanza per repository listed in Gitolite's projects.list.
    cat ~/projects.list | while read -r gitname; do
        name=${gitname%.*}
        fullpath=/home/gitcode/repositories/$gitname
        owner=$(git --git-dir="$fullpath" config --get gitweb.owner)
        desc=$(cat "$fullpath/description")
        (
            echo "repo.url=$name"
            echo "repo.name=$name"
            echo "repo.path=$fullpath"
            echo "repo.desc=$desc"
            echo "repo.owner=$owner"
            echo "repo.enable-log-filecount=1"
            echo "repo.enable-log-linecount=1"
        ) >> repos.tmp
    done

    mv repos.tmp repos

    gitcode@starfox ~ $ tail -n 1 web/cgit/cgitrc
    include=/home/gitcode/web/cgit/repos

    gitcode@starfox ~ $ cat repositories/gitolite-admin.git/hooks/post-update.secondary
    #!/bin/sh
    exec /home/gitcode/web/cgit/generaterepos.sh

This worked decently, but it was cumbersome and ugly, and was likely not to scale as features in both Gitolite and CGit are added and changed. Luckily, CGit supports the scan-path option, which builds an internal list of repositories automatically by scanning a directory for git folders. One such solution for integrating with Gitolite would be to simply point scan-path at Gitolite’s repository directory. This works fine, but it has three main shortcomings, which I’ve addressed in a generic non-Gitolite-specific way in three patches. Let’s walk through them one by one.

projects-list

We don’t want all Gitolite repositories showing up on CGit, and Gitolite provides a generic mechanism for controlling this: it writes a list of all the repositories selected for Gitweb to a file called projects.list. It’s just a flat file with each repository’s name written on a new line:

    CheeseWhiz.git
    Geoemail.git
    MyCoolThangs.git

So, what about augmenting CGit’s scan-path feature with another setting called “project-list” that points to this file? That’s what this patch does. If project-list is set before scan-path is set, then scan-path only scans the git folders at project-list/${a line in the project-list file}. Problem solved, and this is a pretty generic way of doing it too.

git-suffix

Most people store git repositories on disk at MyGitRepository.git. Notice the .git ending. However, most people prefer to see it listed as just “MyGitRepository” and they especially would like to clone it at gituser@domain.com:MyGitRepository, without needing the .git ending. Usually, CGit’s scan-path infers the repository name directly from the folder name. This patch adds a setting called “remove-suffix” that, if set to 1 (default is 0) before scan-path is set, will remove the .git suffix from the repository name and url while still pointing to the correct physical path. This as well is fairly generic and not specific to Gitolite or Gitweb, but rather Git’s usual conventions.

config-owner

CGit’s scan-path infers the owner of the repository from the posix owner’s UID name. But there is an additional Git standard for overriding this for any interface: the “gitweb.owner” configuration key in .git/config, which Gitolite understands and respects, as well as Gitweb. This patch simply calls Git’s internal C functions for fetching this information from the current repository’s config, and prefers this as the owner to the posix owner’s UID name. If gitweb.owner is not set in the configuration, it falls back to the posix owner’s UID name. This is a standard Git behavior. This occurs only for scan-path — cgitrc specified owners are preferred over these former two, obviously. Again, this configuration standard has been determined by the Git project, and both Gitolite and Gitweb respect it. So, this patch adds support inside CGit for it.

it works

Now instead of the include and the ugly set of scripts and hooks, I can just place this at the bottom of my cgitrc:

    remove-suffix=1
    project-list=/home/gitcode/projects.list
    scan-path=/home/gitcode/repositories

and this integrates perfectly with Gitolite. All is harmonious in the Git universe.

On top of all this, I’ve cooked up a wicked good .htaccess file for CGit that allows me to have anonymous http pull at the same time as it rewrites the CGit urls to be pretty. Check it out:

    Options FollowSymlinks ExecCGI

    DirectoryIndex cgit.cgi
    Allow from all
    Order allow,deny

    RewriteEngine on

    # SetEnv takes the variable name and its value as separate arguments.
    SetEnv GIT_PROJECT_ROOT /home/gitcode/repositories

    # Git smart/dumb HTTP requests go to git-http-backend.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule "^(.*)/(.*)/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$" /git-http-backend.cgi/$1.git/$2 [NS,L,QSA]

    # Everything else is handed to CGit.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.* /cgit.cgi/$0 [L,PT,NS]

A strange combination of stopping internal redirects and partial rewritings and odd stop conditions has made it so that the request gets forwarded and reformatted to git-http-backend if and only if it is first valid with cgit.cgi. Is this crackable? Can anyone figure out a backdoor to grab a repository that isn’t in projects.list?
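One way to approach that question from the admin's side is to enumerate what sits on disk but is absent from projects.list, since those are the repositories the rewrite rules must never serve. The following is an added example, not part of the original post or of CGit; the function names and the demo layout are assumptions, and it treats each projects.list entry as a path relative to scan-path, as in the configuration above.

```shell
#!/bin/sh
# Added example: mirrors the project-list + remove-suffix behaviour described
# above so an admin can audit what is published. Hypothetical helper names.

# listed_repos LIST SCANPATH: names that would be shown (.git stripped),
# only for entries that exist as directories under SCANPATH.
listed_repos() {
    list=$1 scanpath=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            # This sketch skips blanks and entries that would leave SCANPATH.
            ''|/*|..|../*|*/..|*/../*) continue ;;
        esac
        [ -d "$scanpath/$entry" ] || continue
        printf '%s\n' "${entry%.git}"
    done < "$list"
}

# unlisted_repos LIST SCANPATH: top-level *.git directories on disk that are
# NOT in LIST, i.e. what a bare scan-path would show but project-list hides.
unlisted_repos() {
    list=$1 scanpath=$2
    for dir in "$scanpath"/*.git; do
        [ -d "$dir" ] || continue
        base=${dir##*/}
        grep -Fxq -- "$base" "$list" || printf '%s\n' "${base%.git}"
    done
}

# Constructed demo layout (not the author's server).
demo=$(mktemp -d)
mkdir -p "$demo/repos/CheeseWhiz.git" "$demo/repos/Private.git"
printf 'CheeseWhiz.git\n../outside.git\n' > "$demo/projects.list"
echo "published:"; listed_repos "$demo/projects.list" "$demo/repos"
echo "hidden:";    unlisted_repos "$demo/projects.list" "$demo/repos"
rm -rf "$demo"
```

Every name reported by unlisted_repos is a candidate for a negative test: request it through the web server and confirm that neither cgit.cgi nor git-http-backend answers for it.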

I’ve also written a super generic script for uploading new repositories to my gitolite/cgit installation. From a git working directory, I run ~/Projects/uploadNewGit.sh "This is a description of my new git repo.", and wham-shabam, all the permissions get set and everything is uploaded just fine. Here is uploadNewGit, the latest version of which you can always find in my GitTools repository:

    #!/bin/bash
    # bash rather than sh: pushd and popd are bash builtins.

    GITOLITE_ADMIN="$HOME/Projects/gitolite-admin"

    gitdir=$(readlink -f "$(pwd)")
    name=`basename "$gitdir" | cut -d / -f 2 | cut -d ' ' -f 1`
    description="$1"

    if [ ! -d "$gitdir/.git" ]; then
        echo Not a git repo.
        exit 1
    fi
    if [ -z "$description" ]; then
        echo You need to specify a description argument.
        exit 1
    fi

    # Append the new repo stanza to the Gitolite config and push it.
    pushd "$GITOLITE_ADMIN/conf" > /dev/null
    echo "Writing config..."
    (echo
    echo " repo $name"
    echo " RW+CD = $(whoami)"
    echo " R = @all"
    echo " $name \"$(git config --get user.name)\" = \"$description\"") >> gitolite.conf
    git commit -a -m "Adding $name to repository."
    git push
    popd > /dev/null

    # Derive the new repo's push URL from the gitolite-admin remote.
    url=`git --git-dir="$GITOLITE_ADMIN/.git" remote -v | grep push | cut -f 2 | cut -d ' ' -f 1 | sed "s/$(basename $GITOLITE_ADMIN)/$name/"`
    git remote add origin "$url"
    git push origin master
    git push --all
    git push --tags

(As a side note, I’m not really sure the best way to quote commands inside of commands with variables that have spaces. something=$(command $(othercommand $argument)) has issues if argument has a space or if othercommand produces something with a space or if command produces something with a space (not totally certain about the latter two — I should check). But I can’t do this: something="$(command "$(othercommand "$argument")")" because of obvious quoting problems. What’s the common solution to this? I’ve been using an awkward combination of the backtick operator `…` and the $(…) syntax but the backtick has some weird rules too. What’s the deal? Can somebody point me to a good place to read about this?)
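On the nesting question: in POSIX sh each $(...) opens its own quoting context, so double quotes inside a substitution do not close the quotes around it. The following is an added example, not from the original post; the function names and the path with spaces are constructed for illustration.

```shell
#!/bin/sh
# Added example: nested command substitution with and without quoting.
# Hypothetical helpers; the sample path is constructed.

# Name of the directory that contains PATH, with every expansion quoted.
# The quotes inside each $(...) belong to that substitution only.
parent_name_quoted() {
    basename "$(dirname "$1")"
}

# Same pipeline, expansions left unquoted on purpose: the path is split on
# whitespace before dirname and basename see it, so the result is wrong
# (or empty, when basename rejects the extra operands).
parent_name_unquoted() {
    basename $(dirname $1) 2>/dev/null || true
}

sample="/srv/git/My  Cool Repo/.git"

# The fully quoted nested form, assigned to a variable.
something="$(parent_name_quoted "$sample")"
printf 'quoted:   [%s]\n' "$something"
printf 'unquoted: [%s]\n' "$(parent_name_unquoted "$sample")"
```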

Anyway, most of what I’ve written about in this post is new to me. Or at the very least, I’m a bit uneasy. So if you have any suggestions, by all means please tell me. I’m looking forward to seeing what the KDE sysadmins do in the end. Hopefully the CGit authors accept my patches.

Update: After some back and forth with Lars, the CGit maintainer, I’ve added a few more patches, including putting the gitweb.owner functionality behind a configuration setting and also caching the scan, among various other improvements. You can check out all the commits I’ve made on this at the cgit for my cgit clone.

Categories: Free Software

KMyMoney :: Re: Kmymoney Crashes When Opening Data File

KMyMoney Forum - Fri, 07/30/2010 - 17:40
As has been mentioned before, start KMyMoney using the option -n. That prevents opening the file. Next turn off all options available for the homepage. Then try to open the file. Does it still crash? If not, run Tools/Consistency check.

There's a reference to an account which does not exist (anymore) and that is causing the problem. We've had these reports before and they all were related to a reporting issue.

Hope that helps.
____________________
ipwizard, proud to be a member of the KMyMoney forum since its beginning.
openSuSE 11.1 32 bit, KDE 4.3.5 and openSuSE 11.0 64bit KDE 3.5.10, kubuntu 8.10 32bit KDE 4.3.2 via LTS
Categories: Free Software

Google Adds Licensing Server DRM To Android Market

Slashdot - Fri, 07/30/2010 - 17:39
eldavojohn writes "According to AfterDawn, Google has given app makers the option to use a license server as DRM to ensure the user has paid for an app before they can download it. Reportedly, the Market app will communicate with a Google license server using RSA encryption. It is important to note this is only available for non-free apps (built with SDK 1.5 and later), and it was instituted to provide a better solution to the old and widely criticized copy protection scheme that was susceptible to Android app piracy (like sideloading). For better or for worse, Android's Marketplace appears to now have an optional, phone-home form of DRM." Following news of the new licensing service, Hexage Ltd, makers of a popular Android game called Radiant, released the data they had collected on piracy of Radiant over a 10-month period beginning last October. A series of charts shows total users, paid users and the piracy rate, by region.



KMyMoney :: Re: Kmymoney Crashes When Opening Data File

KMyMoney Forum - Fri, 07/30/2010 - 17:22
Thank you for your response! I'll clarify a bit. The crash happens when I attempt to open the data file. The progress bar at the bottom moves over until the readout says "reports," then the crash happens with the pop up window. I have moved the data file to other computers and have had the same result!

Nathan
Categories: Free Software

Tribalism Is the Enemy Within, Says Shuttleworth

Slashdot - Fri, 07/30/2010 - 16:57
climenole points out a post from Canonical founder Mark Shuttleworth about internal strife in the free software community. He wrote, "Tribalism is when one group of people start to think people from another group are 'wrong by default.' It's the great-granddaddy of racism and sexism. And the most dangerous kind of tribalism is completely invisible: it has nothing to do with someone's 'birth tribe' and everything to do with their affiliations: where they work, which sports team they support, which Linux distribution they love. ... Right now, for a number of reasons, there is a fever pitch of tribalism in plain sight in the free software world. It's sad. It's not constructive. It's ultimately going to be embarrassing for the people involved, because the Internet doesn't forget. It's certainly not helping us lift free software to the forefront of public expectations of what software can be."


