Thoughts of the FSFE Community

Friday, 16 March 2018

OSCAL'18, call for speakers, radio hams, hackers & sponsors reminder - fsfe | 08:46, Friday, 16 March 2018

The OSCAL organizers have given a reminder about their call for papers, booths and sponsors (ask questions here). The deadline is imminent but you may not be too late.

OSCAL is the Open Source Conference of Albania. OSCAL attracts visitors from far beyond Albania (OpenStreetmap): as the biggest Free Software conference in the Balkans, it draws people from many neighbouring countries including Kosovo, Montenegro, Macedonia, Greece and Italy. OSCAL has a unique character unlike any other event I've visited in Europe and many international guests keep returning every year.

A bigger ham radio presence in 2018?

My ham radio / SDR demo worked there in 2017 and was very popular. This year I submitted a fresh proposal for a ham radio / SDR booth and sought out local radio hams in the region with an aim of producing an even more elaborate demo for OSCAL'18.

If you are a ham and would like to participate please get in touch using this forum topic or email me personally.

Why go?

There are many reasons to go to OSCAL:

  • We can all learn from their success with diversity. One of the finalists for Red Hat's Women in Open Source Award, Jona Azizaj, is a key part of their team: if she is announced the winner at Red Hat Summit the week before OSCAL, wouldn't you want to be in Tirana when she arrives back home for the party?
  • Warm weather to help people from northern Europe to thaw out.
  • For many young people in the region, their only opportunity to learn from people in the free software community is when we visit them. Many people from the region can't travel to major events like FOSDEM due to the ongoing outbreak of immigration bureaucracy and the travel costs. Many Balkan countries are not EU members and incomes are comparatively low.
  • Due to the low living costs in the region and the proximity to larger European countries, many companies are finding compelling opportunities to work with local developers there and OSCAL is a great place to make contacts informally.

Sponsors sought

Like many free software communities, Open Labs is a registered non-profit organization.

Anybody interested in helping can contact the team and ask them for whatever details you need. The Open Labs Manifesto expresses a strong commitment to transparency which hopefully makes it easy for other organizations to contribute and understand their impact.

Due to the low costs in Albania, even a small sponsorship or donation makes a big impact there.

If you can't make a direct payment to Open Labs, you could also potentially help them with benefits in kind or by contributing money to one of the larger organizations supporting OSCAL.

Getting there without direct service from Ryanair or Easyjet

These notes about budget airline routes might help you plan your journey. It is particularly easy to get there from major airports in Italy. If you will also have a vacation at another location in the region it may be easier and cheaper to fly to that location and then use a bus to Tirana.

Making it a vacation

For people who like to combine conferences with their vacations, the Balkans (WikiTravel) offer many opportunities, including beaches, mountains, cities and even a pyramid (in Tirana itself).

It is very easy to reach neighboring countries like Montenegro and Kosovo by coach in just 3-4 hours. For example, there is the historic city of Prizren in Kosovo and many beach resorts in Montenegro.

If you go to Kosovo, don't miss the Prishtina hackerspace.

Tirana Pyramid: a future hackerspace?

Wednesday, 14 March 2018

Let's Encrypt Wildcard Certificate

Evaggelos Balaskas - System Engineer | 12:49, Wednesday, 14 March 2018

ACME v2 and Wildcard Certificate Support is Live

We have some good news: Let's Encrypt supports wildcard certificates! For more details click here.

The key phrase on the post is this:

Certbot has ACME v2 support since Version 0.22.0.

Unfortunately, at this moment, using certbot on CentOS 6 is not so trivial, so here is an alternative approach using a pure Unix shell script that implements the ACME client protocol:

# curl -LO
# tar xf 2.7.7.tar.gz
# cd

[]# ./ --version


I have my own Authoritative Name Server based on the PowerDNS software.

PowerDNS has an HTTP API for direct control of zones and records, and a built-in web server for statistics.

To enable these features make the appropriate changes to pdns.conf


and restart your pdns service.

Keep in mind that the API key is a credential that lets its holder rewrite your zones (which is exactly what the DNS-01 challenge relies on): restrict the addresses that may reach the web server with webserver-allow-from, and keep the key out of the repository and the shell history.

To read more about these capabilities, click here: Built-in Webserver and HTTP API

testing the API:

# curl -s -H 'X-API-Key: 0123456789ABCDEF' | jq .
{
  "zones_url": "/api/v1/servers/localhost/zones{/zone}",
  "version": "4.1.1",
  "url": "/api/v1/servers/localhost",
  "type": "Server",
  "id": "localhost",
  "daemon_type": "authoritative",
  "config_url": "/api/v1/servers/localhost/config{/config_setting}"
}

export PDNS_Url=""
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60

Prepare Destination

I want to save the certificates under the /etc/letsencrypt directory.
By default the client saves certificate files under /root/.

I use SELinux and I want to keep them under /etc, in the same kind of directory as before, so:

# mkdir -pv /etc/letsencrypt/

Create WildCard Certificate


# ./
  --dns dns_pdns
  --dnssleep 30
  -d *
  --cert-file /etc/letsencrypt/
  --key-file  /etc/letsencrypt/
  --ca-file   /etc/letsencrypt/
  --fullchain-file /etc/letsencrypt/


Remember that a wildcard name such as *.example.com matches exactly one label: it covers www.example.com but not the bare example.com, and not deeper names like a.b.example.com. If the site serves HTTP Strict Transport Security, browsers treat a certificate name mismatch as a hard failure with no click-through, so every name the wildcard does not cover must be added to the certificate as an extra -d argument.

Web Server

Change your VirtualHost

from something like this:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

to something like this:

SSLCertificateFile    /etc/letsencrypt/
SSLCertificateKeyFile /etc/letsencrypt/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/

and restart your web server. (On Apache 2.4.8 and later SSLCertificateChainFile is obsolete; point SSLCertificateFile at the fullchain file instead and drop the chain directive.)




Qualys SSL Server Test



X509v3 Subject Alternative Name

# openssl x509 -text -in /etc/letsencrypt/ | egrep balaskas
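A wildcard name matches exactly one label, so before switching the VirtualHost over it is worth checking which of your hostnames the new certificate actually covers. The script below is an added example and not part of the original post or of the ACME client: cert_sans reads the SAN list with the same "openssl x509 -text" command as above, san_matches applies the RFC 6125 one-label wildcard rule, and uncovered_names prints every hostname that still needs its own -d argument. The certificate path in the usage comment and the example.com names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: list the DNS names in a
# certificate's Subject Alternative Name extension and check which
# hostnames they cover under the RFC 6125 wildcard rule, where "*"
# matches exactly one DNS label. Paths and hostnames are assumptions.

# cert_sans CERT.pem: print the DNS names of the certificate, one per
# line, parsed from the "openssl x509 -text" output used above.
cert_sans() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# san_matches SAN HOST: success if the single SAN entry covers HOST.
# "*.example.com" covers www.example.com but neither example.com nor
# a.b.example.com; names are compared case-insensitively.
san_matches() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            suffix="${san#\*.}"
            rest="${host%.$suffix}"
            # the host must end in ".suffix" ...
            [ "$rest" != "$host" ] || return 1
            # ... and what is left must be exactly one non-empty label
            case "$rest" in ''|*.*) return 1 ;; esac
            return 0
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# covered HOST SAN...: success if any of the SAN entries covers HOST.
covered() {
    host="$1"; shift
    for san in "$@"; do
        san_matches "$san" "$host" && return 0
    done
    return 1
}

# uncovered_names SANLIST HOST...: print each HOST that SANLIST (a
# newline-separated list as produced by cert_sans) does not cover.
# Every name printed here still needs its own -d argument.
uncovered_names() {
    sans="$1"; shift
    for host in "$@"; do
        covered "$host" $sans || printf '%s\n' "$host"
    done
}

# Usage against a real certificate (assumed path and names):
#   uncovered_names "$(cert_sans /etc/letsencrypt/cert.pem)" example.com www.example.com
```

Run it against the issued certificate with the list of names your VirtualHosts answer to; an empty result means the wildcard plus any extra -d names cover everything, and any name that is printed will fail in the browser once HSTS is in effect.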


Sunday, 11 March 2018

The Noble Volunteer (Again)

Paul Boddie's Free Software-related blog » English | 19:23, Sunday, 11 March 2018

I saw that the usual refrain of “we’re all volunteers here” had another outing on a recent LWN article about the Python 2 to 3 transition, specifically referring to who it is that supposedly does all the core development work on CPython (as well as constantly changing what the Python language is meant to be). There are a few different observations to be made here, so let me establish three main topics:

  1. The funding of Python implementation development.
  2. The hiring of various Python core development contributors.
  3. Python and Free Software as a hobby or spare time effort.

I have written about how the Python Software Foundation raises and spends money before. For the most part, nothing has changed since then: the PSF appears to raise and then spend hundreds of thousands of dollars every year (apparently down from over $300000 in 2016 to under $250000 in 2017, though), directing this money mostly towards events and promotion. In fact, the largest contribution to core-related Python software development in 2017 was actually from the Mozilla Open Source Support programme, with a $170000 grant to fix up the Python Package Index infrastructure. So the PSF is clearly comfortable leaving it to others to fund the P in PSF.

Lots of people depend on the Python Package Index, but like with Free Software in general, the people making good money while leaning on these common, volunteer-run resources never seem to pitch in significantly themselves. It is true that the maintainer of this resource was allowed to work on it as his day job, but then got “downsized”, and now works in a role where he can work on it again but only as part of his day job. But I imagine that the people at Mozilla, some of whom have connections to the world of Python packaging, quite possibly relying on the package infrastructure to get their own stuff done, were getting fed up with “volunteers” as being the usual excuse for nothing getting done.

Now there certainly are Python core developers who are employed in work that influences CPython development or that has some connection to Python, perhaps related to other implementations of Python. Notably, Pyston and Pyjion were both developed by core developers working at Dropbox and Microsoft respectively. Famously, Guido van Rossum, Python’s originator, was hired by Google and then Dropbox, seemingly being able to dedicate some of his time on Python topics as part of his day job at both places. After all, it was during Van Rossum’s time at Google, accompanied by other Google-employed Python core contributors, that Python 3 started to take shape.

So it seems that some very large companies recognise the value that Python brings, they even hire influential people in the Python core development community, but maybe this does not translate to proper corporate support for Python core development. It could very well be the case that most of these people really do have to write Python code in their day jobs but cannot direct much or any time towards developing Python – the implementations or the language – in their working hours. They would be volunteers in their own time, albeit volunteers facilitated by their employment, having the stability of a relatively well-paid job and the good fortune of having Python core development as a productive and hopefully rewarding hobby.

Maybe it suits everyone being paid as a result of their reputation in the Python community to indulge in core development as a hobby. But what about everyone else? All those other volunteers who are doing the donkey work of testing and fixing the code when it stops working for them, implementing things that others have deemed a good idea, making Python 3 a reality, or whatever? Well, I suppose they get “pizza and beer soda” paid for by the PSF at their sprints.

In certain circles, it seems that a lot of effort is spent promoting a lifestyle that involves feel-good “volunteerism” and getting your name known through selfless volunteering. If you are one of those “other” volunteers, maybe the ultimate goal is to have the senior hobbyists in the community recommending you to their employers, which would explain how Python core developers seem to cluster in various companies. Maybe this is the new “open source” dream: not actually being paid to work on Free Software but merely pursuing it as a hobby, dependent on an employer for the lifestyle but not influenced by them, at least not conspicuously, retaining the ability to play the volunteer card.

And this leads me to a more general observation that came to mind when reading a remark by someone trying to establish a viable enterprise, all for the benefit of Free Software and open hardware. It was about how he was on the ground, doing all the legwork, opening up new opportunities the hard way while people in their comfortable jobs let him get on with it, throwing pennies his way and waiting for their substantial but cheaply-acquired rewards. Now, in that particular instance my sympathy is muted, for various reasons that hopefully do not need a public airing, but I see the point being made and, once you are aware of it, it is an annoyingly familiar one.

You will often see people inviting others to contribute to their projects, writing things like “how about someone fix this, make this better, implement this, do this?” It sounds so constructive, so worthy, like you can make a difference. In Norwegian, there’s even a word for the spirit of this kind of thing – “dugnad” – which is awkward to translate to English, but it effectively denotes an event or general activity where everyone pitches in collectively to get something done in a way that is relatively painless for each participant. Being a cynic, I would often translate “dugnad” as to be too cheap to pay to get something done properly.

What can be even more galling is that people “howabouting” potential contributors are not only comfortable hobbyists, but some of them also solicit donations for their hobby, not because they need the money but because it might cover a few beers or pizzas, some entertainment, or whatever. And so, a notion is cultivated that everything can be done by voluntary effort, that the value of such work is effectively “beer money”, and with the likes of the PSF not willing to put its own money the way of its own technology, people start to think that if “pizza and beer soda” is enough to improve a Free Software product, why would anyone want to pay people real money to improve it?

And so the notion of the volunteer, so noble and selfless, actually cheapens the value of the work that has to be done. Why bother paying for Free Software or for anyone to work on it when the noble volunteers will get it done? The answer, of course, is that people typically don’t and so the important things typically don’t get done, either. Still, at least the hobbyists get to have some fun.

A Timely Example

In another comment on the referenced article, discussing the general Python 3 strategy and whether anyone who had criticised it might have been worth listening to, it was noted that such critics might be like a “broken clock”: wrong most of the time but coincidentally right on certain occasions. I guess that for those who don’t like to hear criticism of the Python 3 masterplan, I could be one of those broken clocks, having criticised the introduction of Python 3. But if as the saying goes “a broken clock is right twice a day”, maybe some of my other criticisms are also worth taking a look at: one of them is probably good.

Of course, it hardly requires special predictive powers to note that people with large investments in existing code might not like being told that it is “good for them” to have to rewrite it all. And it is hardly a surprise that people have been motivated to look at other languages partly as a consequence of that, partly because of Python’s lack of direction or progress on other fronts, as language evolution dominates over all other concerns.

Spare a thought for Guido van Rossum whose colleagues, no matter where he works, always seem to end up writing software in Go instead of in the language that presumably got him through the door. Perhaps things wouldn’t have played out that way if those benefiting from Python had also properly invested in it, instead of leaving it for the hobbyists or using “we’re all volunteers” as an excuse for not keeping Python competitive with other emerging languages and technologies.

Saturday, 10 March 2018

GitLab CI/CD for building RPM

Evaggelos Balaskas - System Engineer | 23:28, Saturday, 10 March 2018

Continuous Deployment with GitLab: how to build and deploy a RPM Package with GitLab CI

I would like to automate building custom rpm packages with GitLab using their CI/CD functionality. This article documents my personal notes on the matter.


You can find notes on how to install gitlab-community-edition here: Installation methods for GitLab. If you are like me, you don't run a shell script on your machines unless you are absolutely sure what it does. Assuming you have read it and you are on a CentOS 7 machine, you can follow the notes below and install gitlab-ce manually:

Import gitlab PGP keys

# rpm --import 

# rpm --import

Gitlab repo

# curl -s '' \
  -o /etc/yum.repos.d/gitlab-ce.repo 

Install Gitlab

# yum -y install gitlab-ce

Configuration File

The gitlab core configuration file is /etc/gitlab/gitlab.rb
Remember that every time you make a change, you need to reconfigure gitlab:

# gitlab-ctl reconfigure

My VM’s IP is: Update the external_url to use the same IP or add a new entry on your hosts file (eg. /etc/hosts).

external_url ''

Run: gitlab-ctl reconfigure for updates to take effect.


To access the GitLab dashboard from your lan, you have to configure your firewall appropriately.

You can do this in many ways:

  • Accept everything on your http service
    # firewall-cmd --permanent --add-service=http

  • Accept your lan:
    # firewall-cmd --permanent --add-source=

  • Accept only tcp IPv4 traffic from a specific lan
    # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s -j ACCEPT

or you can completely stop firewalld (not recommended)

  • Stop your firewall
    # systemctl stop firewalld

okay, I think you’ve got the idea.

Reload firewalld after every change to its zones/sources/rules.

# firewall-cmd --reload



Point your browser to your gitlab installation:

this is how it looks the first time:


and your first action is to Create a new password by typing a password and hitting the Change your password button.



First Page


New Project

I want to start this journey with a simple-to-build project, so I will try to build libsodium,
a modern, portable, easy to use crypto library.

New project --> Blank project



I will use this libsodium.spec file as the example for the CI/CD.


The idea is to build a custom rpm package of libsodium for CentOS 6, so we want to use docker containers through the GitLab CI/CD. We want clean & ephemeral images, so we will use containers as the build environments for the GitLab CI/CD.

Installing docker is really simple.


# yum -y install docker 

Run Docker

# systemctl restart docker
# systemctl enable  docker

Download image

Download a fresh CentOS v6 image from Docker Hub:

# docker pull centos:6 
Trying to pull repository ...
6: Pulling from
ca9499a209fd: Pull complete
Digest: sha256:551de58ca434f5da1c7fc770c32c6a2897de33eb7fde7508e9149758e07d3fe3

View Docker Images

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
                    6                   609c1f9b5406        7 weeks ago         194.5 MB

Gitlab Runner

Now, it is time to install and setup GitLab Runner.

In a nutshell this program, written in Go, polls the GitLab coordinator for pending jobs of our project and runs every job defined in our .gitlab-ci.yml. But let's start with the installation:

# curl -s '' \
  -o /etc/yum.repos.d/gitlab-runner.repo

# yum -y install gitlab-runner

GitLab Runner Settings

We need to connect our project with the gitlab-runner.

 Project --> Settings --> CI/CD

or in our example:

click on the expand button on Runner’s settings and you should see something like this:


Register GitLab Runner

Type into your terminal:

# gitlab-runner register

following the instructions


[root@centos7 ~]# gitlab-runner register
Running in system-mode.                            

Please enter the gitlab-ci coordinator URL (e.g.

Please enter the gitlab-ci token for this runner:

Please enter the gitlab-ci description for this runner:

Please enter the gitlab-ci tags for this runner (comma separated):

Whether to lock the Runner to current project [true/false]:

Registering runner... succeeded                     runner=s6ASqkR8

Please enter the executor: docker, ssh, virtualbox, docker-ssh+machine, kubernetes, docker-ssh, parallels, shell, docker+machine:

Please enter the default Docker image (e.g. ruby:2.1):

Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
[root@centos7 ~]#

by refreshing the previous page we will see a new active runner on our project.


The Docker executor

We are ready to set up our first executor for our project. That means we are ready to run our first CI/CD example!

In GitLab this is super easy, just add a

New file --> Template --> gitlab-ci.yml --> based on bash

Don't forget to change the image from busybox:latest to centos:6. If you want reproducible builds, pin the image by the digest printed by docker pull above (image: centos@sha256:...) rather than by the moving tag.


that will start a pipeline


GitLab Continuous Integration

Below is the .gitlab-ci.yml that builds the libsodium rpm:


image: centos:6

before_script:
  - echo "Get the libsodium version and name from the rpm spec file"
  - export LIBSODIUM_VERS=$(egrep '^Version:' libsodium.spec | awk '{print $NF}')
  - export LIBSODIUM_NAME=$(egrep '^Name:'    libsodium.spec | awk '{print $NF}')

# The job names build/test/deploy are assumed; the stage names and the
# commands are the original ones. GitLab's default stages are build, test
# and deploy, so no stages: list is needed.
build:
  stage: build
  artifacts:
    untracked: true
  script:
    - echo "Install rpm-build package"
    - yum -y install rpm-build
    - echo "Install BuildRequires"
    - yum -y install gcc
    - echo "Create rpmbuild directories"
    - mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
    - echo "Download source file from github"
    - rpmbuild -D "_topdir `pwd`/rpmbuild" --clean -ba `pwd`/libsodium.spec

test:
  stage: test
  script:
    - echo "Test it, Just test it !"
    - yum -y install rpmbuild/RPMS/x86_64/$LIBSODIUM_NAME-$LIBSODIUM_VERS-*.rpm

deploy:
  stage: deploy
  script:
    - echo "Do your deploy here"


GitLab Artifacts

Before we continue I need to talk about artifacts

Artifacts are a list of files and directories produced by stage jobs that are not part of the git repository. We can pass those artifacts between stages, but remember that GitLab can only collect files that exist under the cloned repository (the job's working directory), not files written elsewhere on the container's root filesystem: a package installed with yum in the build job is gone in the test job, which is why the rpm is built under rpmbuild/ inside the checkout.

GitLab Continuous Delivery

We have successfully built an rpm file! Time to deploy it to another machine. To do that, we need to add the SSH private key to the GitLab secret variables.

Project --> Settings --> CI/CD


stage: deploy

Let's rewrite the deploy stage:


deploy:
  stage: deploy
  script:
    - echo "Create ssh root directory"
    - mkdir -p ~/.ssh/ && chmod 700 ~/.ssh/

    - echo "Append secret variable to the ssh private key file"
    - echo -e "$SSH_PRIVATE_test_KEY" > ~/.ssh/id_rsa
    - chmod 0600 ~/.ssh/id_rsa

    - echo "Install SSH client"
    - yum -y install openssh-clients

    - echo "Secure Copy the libsodium rpm file to the destination server"
    - scp -o StrictHostKeyChecking=no rpmbuild/RPMS/x86_64/$LIBSODIUM_NAME-$LIBSODIUM_VERS-*.rpm  $DESTINATION_SERVER:/tmp/

    - echo "Install libsodium rpm file to the destination server"
    - ssh -o StrictHostKeyChecking=no $DESTINATION_SERVER yum -y install /tmp/$LIBSODIUM_NAME-$LIBSODIUM_VERS-*.rpm

and we can see that our pipeline has passed!


Possible Problems:

This will probably fail!


because our docker containers do not recognise the hostname we gave GitLab.

Disclaimer: if you are using a real FQDN and IP you will probably not face this problem; I mention it only for people who follow this article step by step.

Easy fix:

# export -p EXTERNAL_URL="" && yum -y reinstall gitlab-ce
Tag(s): gitlab, docker, CI/CD

Friday, 09 March 2018

Free Software Events in Europe in 2018

English Planet – Dreierlei | 16:23, Friday, 09 March 2018

Recently, I asked our community to share the upcoming events (conferences, global action days, anything) in 2018 that are, or should be, of interest to the FSFE community. We have now put all these events into the FSFE wiki calendar, to help our community organise activities (like a booth, talks, meet-ups…) around them. As an overview, I publish the list of all these events so far in this blog post.

If you know of a Free Software and Open Source Software related event in Europe, happening in 2018, that is not yet listed here but that you think is of interest to the FSFE community, please leave it in this pad or contact me directly. All valid events will be imported from there into our wiki calendar.

Valid events do not need to be conferences; they can be install fests or other activities. But to be of interest to our community, they have to be open to the general public and happen in Europe.














Bug Squashing and Diversity - fsfe | 00:39, Friday, 09 March 2018

Over the weekend, I was fortunate enough to visit Tirana again for their first Debian Bug Squashing Party.

Every time I go there, female developers (this is a hotspot of diversity) ask me if they can host the next Mini DebConf for Women. There have already been two of these very successful events, in Barcelona and Bucharest. It is not my decision to make though: anybody can host a MiniDebConf of any kind, anywhere, at any time. I've encouraged the women in Tirana to reach out to some of the previous speakers personally to scope potential dates and contact the DPL directly about funding for necessary expenses like travel.

The confession

If you have read Elena's blog post today, you might have seen my name and picture and assumed that I did a lot of the work. As it is International Women's Day, it seems like an opportune time to admit that isn't true and that as in many of the events in the Balkans, the bulk of the work was done by women. In fact, I only bought my ticket to go there at the last minute.

When I arrived, Izabela Bakollari and Anisa Kuci were already at the venue getting everything ready. They looked busy, so I asked them if they would like a bonus responsibility, presenting some slides about bug squashing that they had never seen before while translating them into Albanian in real-time. They delivered the presentation superbly, it was more entertaining than any TED talk I've ever seen.

The bugs that won't let you sleep

The event was boosted by a large contingent of Kosovans, including 15 more women. They had all pried themselves out of bed at 03:00 am to take the first bus to Tirana. It's rare to see such enthusiasm for bugs amongst developers anywhere but it was no surprise to me: most of them had been at the hackathon for girls in Prizren last year, where many of them encountered free software development processes for the first time, working long hours throughout the weekend in the summer heat.

and a celebrity guest

A major highlight of the event was the presence of Jona Azizaj, a Fedora contributor who is very proactive in supporting all the communities who engage with people in the Balkans, including all the recent Debian events there. Jona is one of the finalists for Red Hat's Women in Open Source Award. Jona was a virtual speaker at DebConf17 last year, helping me demonstrate a call from the Fedora community WebRTC service to the Debian equivalent. At Mini DebConf Prishtina, where fifty percent of talks were delivered by women, I invited Jona on stage and challenged her to contemplate being a speaker at Red Hat Summit. Giving a talk there seemed like little more than a pipe dream just a few months ago in Prishtina: as a finalist for this prestigious award, her odds have shortened dramatically. It is so inspiring that a collaboration between free software communities helps build such fantastic leaders.

With results like this in the Balkans, you may think the diversity problem has been solved there. In reality, while the ratio of female participants may be more natural, they still face problems that are familiar to women anywhere.

One of the greatest highlights of my own visits to the region has been listening to some of the challenges these women have faced, things that I never encountered or even imagined as the stereotypical privileged white male. Yet despite enormous social, cultural and economic differences, while I was sitting in the heat of the summer in Prizren last year, it was not unlike my own time as a student in Australia and the enthusiasm and motivation of these young women discovering new technologies was just as familiar to me as the climate.

Hopefully more people will be able to listen to what they have to say if Jona wins the Red Hat award or if a Mini DebConf for Women goes ahead in the Balkans (subscribe before posting).

How we conduct ourselves

Posts - Carmen Bianca Bakker's blog | 00:00, Friday, 09 March 2018

The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.

H. L. Mencken (1880 - 1956)

More and more often, I find myself having to defend my political opponents, or having to argue against those whom I presumably agree with. The above quote pertains to freedom of expression, which is very dear to my heart, and I can empathise very much with it. But freedom of expression is not what I want to write about. Rather, I want to write about the funny thing we humans do when interacting with other people. Instead of giving them a full load of our personal opinions, we censor ourselves and mute our convictions in the interest of co-existing. We call this politeness.

Overall, this self-censorship is a Good Thing™. When interacting with individuals from vastly different cultures, backgrounds or convictions, there are bound to be disagreements or clashes. There is a time and a place for those disagreements, but often times co-existence takes priority, so both parties agree to inhibit their dislike of one another’s peculiarities, and to practise tolerance.

To stimulate this co-existence and tolerance, someone (presumably) invented the Code of Conduct (CoC). Under a code of conduct, we agree to abide by a common set of rules for our mutual advantage and enjoyment. In effect, these rules enforce the self-censorship most people were already exercising anyway.

But what if the Code of Conduct itself does not self-censor?

Geek Feminism & FreeBSD

Recently, FreeBSD adopted a new code of conduct. With very good reason, this attracted more than a little bit of controversy. This article is not very interested in the controversy, though. Rather, I want to establish why this code of conduct is not liked very well.

In delving into this, we are off to a rough start. The FreeBSD CoC is derived from a code that contains the following text:

The Geek Feminism community prioritizes marginalized people’s safety over privileged people’s comfort. The Geek Feminism Anti-Abuse Team will not act on complaints regarding:

  • ‘Reverse’ -isms, including ‘reverse racism,’ ‘reverse sexism,’ and ‘cisphobia’ (because these things don’t exist)

  • Reasonable communication of boundaries, such as “leave me alone,” “go away,” or “I’m not discussing this with you.”

  • Refusal to explain or debate social justice concepts

  • Communicating in a ‘tone’ you don’t find congenial

  • Criticizing racist, sexist, cissexist, or otherwise oppressive behavior or assumptions

Source: Geek Feminism Code of Conduct.

I sincerely hope that I do not need to waste many keystrokes to state how awful this piece of text is. It is actively discriminatory, denies the hardships that some people may face, and censors criticism. It is extremely opinionated in its tone.

Fortunately, the FreeBSD people had the sense to remove this section. Unfortunately, they did not have the sense to find a different code of conduct to adapt and adopt. Thus they ended up with the following list:

Harassment includes but is not limited to:

  • Comments that reinforce systemic oppression related to gender, gender identity and expression, sexual orientation, disability, mental illness, neurodiversity, physical appearance, body size, age, race, or religion.*

  • Unwelcome comments regarding a person’s lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment.*

  • Deliberate misgendering.*

  • Deliberate use of “dead” or rejected names.*

  • Gratuitous or off-topic sexual images or behaviour in spaces where they’re not appropriate.*

  • Physical contact and simulated physical contact (e.g., textual descriptions like “*hug*” or “*backrub*”) without consent or after a request to stop.*

  • Threats of violence.

  • Incitement of violence towards any individual, including encouraging a person to commit suicide or to engage in self-harm.

  • Deliberate intimidation.

  • Stalking or following.

  • Harassing photography or recording, including logging online activity for harassment purposes.

  • Sustained disruption of discussion.

  • Unwelcome sexual attention.*

  • Pattern of inappropriate social contact, such as requesting/assuming inappropriate levels of intimacy with others.*

  • Continued one-on-one communication after requests to cease.

  • Deliberate “outing” of any private aspect of a person’s identity without their consent except as necessary to protect vulnerable people from intentional abuse.*

  • Publication of non-harassing private communication without consent.

  • Publication of non-harassing private communication with consent but in a way that intentionally misrepresents the communication (e.g., removes context that changes the meaning).

  • Knowingly making harmful false claims about a person.

Source: FreeBSD Code of Conduct, asterisks mine.

If you are like me, you are unlikely to ever do any of the above things (barring the absurd line about virtual hugs, but I’m going to ignore that for the purpose of this article). Then surely there is no problem, right? Clearly the above things are despicable and rightfully banned from the FreeBSD project.

But then why don’t the above rules mention anything about making fun of someone’s speech patterns or language skills (or lack thereof)? Surely disallowing those things is extremely relevant in an international community with many non-native speakers of English. As a matter of fact, an even more glaring omission is that it makes no statement on culture, country of origin, or nationality at all.

Why does “misgendering”—an issue which affects a tiny fraction of the contributors—get a spot on that list, but not prejudice based on one’s skill in English, which affects a vast portion of contributors? Surely this can be included as well? But if we are going there, why not include even more? The Holocaust was a pretty bad thing that happened. Surely Holocaust denial should be somewhere on that list, too. Speaking of murder, perhaps we could also make it extra clear that it is not okay to boast about eating meat and other animal products in order to spite a vegan.

I jest, of course. Or rather, I do not jest at all. All of the things I mentioned are valid points, and it would be more than a little impolite to do any of the above things. Some are more severe than others, granted, but I would not expect to come across any of those things during a friendly encounter.

In practice, it is not possible to create an exhaustive list of all the things that are unacceptable/undesirable conduct. You would have to solve ethics, I suppose. But this does make one wonder: Why are the things that are on that list, on that list? Why were those things prioritised over other, equally valid things?

The answer is not very surprising. The code of conduct is biased. It wears its bias on its sleeve: Feminism. Now, whether you are a feminist or not matters little. What matters is that the code of conduct tells you to practise inhibition around others, but practises none of it itself. I have conservatively marked all feminism-related (and LGBT-related) items with an asterisk. I could have been greedy and marked more items, but this seemed sufficient to me. If you start counting, you will see that give-or-take half of the items have an obvious feminist slant.

Why is the bias a problem, though? If you sympathise with feminism or agree that the feminist-slanted items are unacceptable behaviour, this may be a legitimate question. At that point, you have to take a step back and “check your privilege”, to use some feminist lingo. Why does one bias or world view deserve precedence over that of others? It takes a certain kind of chauvinism to be so convinced of one’s own right that you codify your opinions such that others must behave in accordance with your world view.

The bias causes everyone who does not subscribe to this bias to feel othered, utterly destroying the entire point of having a code of conduct in the first place: To welcome people from vastly different backgrounds and convictions, and to get them to get along.

Thus we went from sensible self-censorship, inhibition and tolerance to simply ignoring all of that and making others submit to your world view.

A word on bigotry

Labeling people who have an unpopular view as somehow intrinsically bad or immoral, declaring such views as intolerable even to hold, is now a big part of our culture and is having an impact on our conversations and our politics.


I support same sex marriage, yet am deeply uncomfortable with the assumption that anyone with reservations must be a bigot and a homophobe. That is the level of the debate in Australia, and it is championed by so-called “progressives”, who display with glee the same intolerance they rightly accuse churches as historically holding.

Source: Gay Alcorn. Conservatives love to hate political correctness, but the left should rail against it too. The Guardian.

But Carmen, you may say, why are you protecting bigots? Because they aren’t, is the simple answer. More often than not, they are political opponents or people from a different background, not hateful individuals. A big part of a good code of conduct is to assume good intentions.

I have my own reservations about a lot of topics, which is why I empathise with my political opponents being targeted by these codes of conduct. I am a convinced vegetarian, erring vegan. I would never instigate harassment against meat-eaters, but a CoC entry that specifically protects carnivores from having their choice of food criticised would draw my ire. Not because it inhibits my freedom to be mean against people, but because such an entry would imply to me that this community takes an active stance against my personal beliefs to such an extent that they feel it necessary to protect my political opponents from harassment. The neutrality that is vital to getting varied people to get along is gone.

More importantly, these biased rules are counter-productive. Specifically in the case of misgendering and dead-naming, including the rule is more harmful than it is helpful. The people with reservations against transgenderism see “misgendering” in the same list as “threats of violence”, and rightfully see that their personal beliefs are discredited, disdained and attacked. They are told to tolerate something they firmly disagree with by a code of conduct that is actively intolerant of them. These people view this code of conduct as a law that is unjustly biased against them, rather than a unifying document preaching tolerance.

And what happens when people dislike a law?

Lex iniusta non est lex.

An unjust law is not a law at all.

St. Augustine (354 - 430)

A good code of conduct

Ubuntu is about showing humanity to one another: the word itself captures the spirit of being human.

We want a productive, happy and agile community that can welcome new ideas in a complex field, improve every process every year, and foster collaboration between groups with very different needs, interests and skills.

We gain strength from diversity, and actively seek participation from those who enhance it. This code of conduct exists to ensure that diverse groups collaborate to mutual advantage and enjoyment. We will challenge prejudice that could jeopardise the participation of any person in the project.


Source: Ubuntu Code of Conduct.

We invite and encourage everybody to express their opinions on relevant topics. All participants should at all times feel at ease to do so without fearing any form of attack, reprisal or harassment. We ask everybody to be respectful and considerate towards each other, especially when attempting to provide constructive criticism.

To foster tolerance, respect and hospitality in our community, we agree not to engage in discriminatory, disparaging or offensive speech or actions, including as to (but not limited to) gender, sexuality, race, nationality, religion or profession. We are a community of many different nationalities and backgrounds, and we cherish our strength in diversity.

Source: FSFE Code of Conduct. Disclaimer: I co-authored this code of conduct.

A good code of conduct invites, welcomes and protects everybody. It does not take any active ideological stance and fosters a neutral environment in which people of vastly different backgrounds and convictions are able to collaborate.

A good code of conduct assumes good faith and good intentions. It recognises that it is difficult for some people to get along, and that it is inevitable that some people will clash because of different understandings of appropriate behaviour. Here in the Netherlands it is common to kiss people thrice on the cheek as a greeting. Someone from another culture may not appreciate being kissed on the cheek at all. But instead of banning this perfectly normal custom or assuming bad intentions of cheek-kissers, the onus is on both parties to practise mindfulness and tolerance.

A good code of conduct is agreeable. You want everyone reading the code of conduct to feel better for having read it, and to want to follow it. The only disagreeable thing in that entire document is the obligation of all participants to be respectful and tolerant of one another. Some people are not respectful and tolerant, and you probably do not want these people, anyway. Everyone else is welcome, and it is important that all those readers of the code of conduct feel that this document sufficiently welcomes and protects them.

FreeBSD’s code of conduct fails on all these fronts. It is a codified opinion document that assumes bad faith and elevates the concerns of one political ideology over the concerns of all others. It reads almost like a law book, and I cannot imagine how anybody can feel better after having read it, having to suffer through a miserable list of descriptions of poor behaviour. As a matter of fact, FreeBSD’s CoC counter-intuitively makes me feel less safe. Reading through it, it feels like the moderators have to make an active effort to keep out perpetrators of literal criminal acts. That is not very reassuring.

But if those things are not explicitly forbidden, how can you be sure that the community will take a stance against them if they happen? The short answer is that you can’t, not with complete certainty. This is only fair, however, because nobody gets this explicit certainty. We all depend on our collective commitment to tolerance, rather than a biased list of explicitly forbidden things. This list is always biased, because a list that addresses everybody’s concerns would be infinitely long and contain multiple contradictions.

I can say with certainty, however, that all of the things that FreeBSD’s code of conduct forbids are forbidden in the Ubuntu and FSFE communities, too. Well, except virtual hugs, perhaps. I’ll take some of those.

TL;DR: Cats and dogs

In an ideal community, cats and dogs can get along. A good code of conduct facilitates that. Because dogs are sociable animals, they take the initiative to draft a code of conduct for all to get along. Among other things, it contains:

Unacceptable behaviour includes:

  • Sleeping on other people’s keyboards.

  • Purring too loudly.

  • Hissing.

It is little surprise that the cats are upset upon reading this. They know that doing these things is not good conduct, but they feel that the language unjustly targets them and favours dogs.

The cats are smarter than the dogs, though. Instead of proposing their grievances to also be included in the code of conduct (sniffing butts, barking loudly, licking faces), they create a new code of conduct that does not go into any specifics:

The Animal Software Foundation and the global Animal community welcome and encourage participation by everyone. Our community is based on mutual respect, tolerance, and encouragement, and we are working to help each other live up to these principles. We want our community to be more diverse: whoever you are, and whatever your background, we welcome you.

Source: Python Diversity Statement, slightly altered.

Under this new code of conduct, neither sniffing butts nor sleeping on other people’s keyboards are permitted (or at least, not without their consent), even though they are not specifically mentioned. This means that neither cats nor dogs have their ire drawn by the code of conduct.

And they lived happily ever after.

Thursday, 08 March 2018

An argument against proxies

Inductive Bias | 17:53, Thursday, 08 March 2018

Proxies? In companies getting started with an upstream-first concept, this is what people are called who act as the only interface between their employer and an open source project: all information from any project used internally flows through them. All bug reports and patches intended as upstream contributions also flow through them, hiding the entire teams that produce the actual contributions.

At Apache projects I learnt to dislike this setup of having proxies act in place of the real contributors. Why so?

Apache is built on the premise of individuals working together in the best interest of their projects. Over time, people who prove to commit themselves to a project get added to that project. Work contributed to a project gets rewarded: in the "merit doesn't go away" sense, this merit is attached to the individual making the contributions, not to the entity sponsoring that individual in one way or another. Working on an Apache project is a role independent of other work commitments.

This mechanism does not work anymore if proxy committers act as a gateway between employers and the open source world: while proxied employees are spared the tax that working in public brings by being hidden behind proxies, they will also never be able to accrue the same amount of merit with the project itself. They will not be rewarded by the project for their commitment. Their contributions do not end up being attached to themselves as individuals.

From the perspective of those watching how much people contribute to open source projects the concept of proxy committers often is neither transparent nor clear. For them proxies establish a false sense of hyper productivity: The work done by many sails under the flag of one individual, potentially discouraging others with less time from participating: "I will never be able to devote that much work to that project, so why even start?"

From an employer point of view proxies turn into single point of failure roles: Once that person is gone (on vacation, to take care of a relative, found a new job) they take the bonds they made in the open source project with them - including any street cred they may have gathered.

Last but not least I believe in order to discuss a specific open source contribution the participants need a solid understanding of the project itself. Something only people in the trenches can acquire.

As a result you'll see me try to pull those actually working with a certain project into getting active and involved themselves, to dedicate time to the core technology they rely on every day, and to realise that working on these projects gives you a broader perspective beyond just your day job.

Sunday, 04 March 2018

Encrypted files in Dropbox

Evaggelos Balaskas - System Engineer | 19:18, Sunday, 04 March 2018


As we live in the age of smartphones and mobile access to the cloud, the need to access our files from anywhere grows. We need our files to be available on any computer, ours (private) or others (public). Traveling with your entire tech equipment is not always a good idea, and in the era of the cloud you don't need to bring everything with you.

There are a lot of cloud file hosting providers out there. On Wikipedia there is a good Comparison of file hosting services article you can read.

I've started to use Dropbox for that reason. I use Dropbox as a public digital bucket, to store and share public files. Every digital asset that is online is somehow public, and only when you are using end-to-end encryption can you say that something is more secure than before.

I also want to store some encrypted files on my cloud account, without the need to trust Dropbox (or any cloud file hosting provider, for that matter). As an extra security layer on top of Dropbox, I use encfs, and this blog post is a mini tutorial of a proof of concept.

EncFS - Encrypted Virtual Filesystem

(definition from encfs github account)

EncFS creates a virtual encrypted filesystem which stores encrypted data in the rootdir directory and makes the unencrypted data visible at the mountPoint directory. The user must supply a password which is used to (indirectly) encrypt both filenames and file contents.

That means that you can store your encrypted files somewhere and mount the decrypted files on a folder on your computer.

Disclaimer: I don't know how secure encfs is. It is an extra layer that doesn't need any root access (except for the installation part) for end users, and it is really simple to use. There is a useful answer on stackexchange that you might like to read.

For more information on encfs you can also visit the EncFS Wikipedia page.

Install EncFS

  • archlinux

    $ sudo pacman -S --noconfirm encfs

  • fedora

    $ sudo dnf -y install fuse-encfs

  • ubuntu

    $ sudo apt-get install -y encfs

How does EncFS work?

  • You have two (2) directories: the source and the mount point.
  • You encrypt and store the files in the source directory with a password.
  • You can view/edit your files in cleartext in the mount point.

  1. Create a folder inside Dropbox
    eg. /home/ebal/Dropbox/Boostnote

  2. Create a folder outside of Dropbox
    eg. /home/ebal/Boostnote

Both folders are completely empty.

  3. Choose a long password.
    Just for testing, I am using a SHA256 message digest of an image that I found on the internet!
    eg. sha256sum /home/ebal/secret.png

That means I don't know the password, but I can re-create it whenever I hash the image.

Be careful: this suggestion is an example, only for testing. The proper way is to use a randomly generated long password from your password manager, eg. KeePassX.

How does Dropbox work?

The dropbox-client monitors your /home/ebal/Dropbox/ directory for any changes so that it can sync your files to your account.

You don't need Dropbox running to use encfs.

Running the dropbox-client is the easiest way, but you can always use a sync client, eg. rclone, to sync your encrypted files to Dropbox (or any cloud storage).

I guess it depends on your threat model. For this proof-of-concept article I run the dropbox-client daemon in the background.


Create and Mount

Now is the time to mount the source directory inside dropbox with our mount point:

$ sha256sum /home/ebal/secret.png |
    awk '{print $1}' |
    encfs -S -s -f /home/ebal/Dropbox/Boostnote/ /home/ebal/Boostnote/

Reminder: EncFS works with absolute paths!

Check Mount Point

$ mount | egrep -i encfs
encfs on /home/ebal/Boostnote type fuse.encfs

View Files on Dropbox

Files inside dropbox:


View Files on the Mount Point


Unmount EncFS Mount Point

When you mount the source directory, encfs has an option to auto-unmount the mount point when idle.
Or you can use the command below on demand:

$ fusermount -u /home/ebal/Boostnote

On another PC

The simplicity of this approach shows when you want to access these files on another PC.
The dropbox-client has already synced your encrypted files.
So the only thing you have to do on the new machine is type the exact same command as in the Create and Mount chapter.

$ sha256sum /home/ebal/secret.png |
    awk '{print $1}' |
    encfs -S -s -f /home/ebal/Dropbox/Boostnote/ /home/ebal/Boostnote/
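The Create and Mount, Check Mount Point and Unmount steps above wrapped in one small script, as an added example that is not part of the original post. It assumes encfs and fusermount are installed and that the password lives in the `pass` password manager under a hypothetical entry name (ENCFS_PASS_ENTRY) rather than being derived from an image hash; the paths default to the post's examples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: encfs and
# fusermount are installed; the password is stored in the `pass` password
# manager under ENCFS_PASS_ENTRY (hypothetical entry name) instead of being
# derived from an image hash. SRC is the ciphertext directory that Dropbox
# syncs, MNT the cleartext view outside Dropbox (the post's example paths).

SRC="${SRC:-/home/ebal/Dropbox/Boostnote}"
MNT="${MNT:-/home/ebal/Boostnote}"
ENCFS_PASS_ENTRY="${ENCFS_PASS_ENTRY:-encfs/dropbox-boostnote}"

# EncFS wants absolute paths (the post's reminder): accept only paths that
# start with "/".
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Read the output of `mount` on stdin and succeed only if $1 is mounted as
# a fuse.encfs filesystem. Lines look like:
#   encfs on /home/ebal/Boostnote type fuse.encfs (rw,nosuid,nodev,...)
encfs_mounted_in() {
    awk -v mp="$1" '
        $1 == "encfs" && $3 == mp && $5 == "fuse.encfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Mount the ciphertext directory $1 at the mount point $2.
mount_encfs() {
    src="$1"
    mnt="$2"
    if ! is_abs_path "$src" || ! is_abs_path "$mnt"; then
        echo "error: encfs needs absolute paths: $src $mnt" >&2
        return 2
    fi
    mkdir -p "$src" "$mnt"
    # Files in a non-empty mount point would be hidden under the mount.
    if [ -n "$(ls -A "$mnt")" ]; then
        echo "error: $mnt is not empty, refusing to mount over it" >&2
        return 3
    fi
    if mount | encfs_mounted_in "$mnt"; then
        echo "already mounted: $mnt"
        return 0
    fi
    # -S reads the password from stdin and -s runs single-threaded, as in
    # the post. Without -f encfs detaches and the shell gets its prompt back.
    # On first use encfs writes its .encfs6.xml config into $src, which
    # Dropbox then syncs together with the ciphertext.
    pass show "$ENCFS_PASS_ENTRY" | head -n 1 | encfs -S -s "$src" "$mnt"
    # Verify the mount the same way the post does (mount | grep encfs).
    mount | encfs_mounted_in "$mnt"
}

# Unmount the cleartext view; the ciphertext stays in $SRC for Dropbox.
unmount_encfs() {
    fusermount -u "$1"
}

case "${1:-}" in
    mount)  mount_encfs "$SRC" "$MNT" ;;
    umount) unmount_encfs "$MNT" ;;
    status) if mount | encfs_mounted_in "$MNT"; then
                echo "mounted: $MNT"
            else
                echo "not mounted: $MNT"
            fi ;;
esac
```

Run it as `./encfs-dropbox.sh mount`, `status` or `umount`; the same script with the same password entry works on the other PC once Dropbox has synced the ciphertext directory.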


How about Android ?

You can use Cryptonite.

Cryptonite can use EncFS and TrueCrypt on Android, and you can find the app on Google Play.


Tag(s): encfs, dropbox

Monday, 26 February 2018

The Goal and The DevOps Handbook

Evaggelos Balaskas - System Engineer | 12:44, Monday, 26 February 2018

I've listened to two audiobooks this month, both on DevOps methodology or, more accurately, on the continuous improvement of flow.

I also started using Audible (Amazon) for listening to audiobooks. The Android app is not great but decent enough, although most of the books are DRM-restricted.

The first one is The Goal - A Process of Ongoing Improvement by Eliyahu M. Goldratt and Jeff Cox.

I cannot stress this enough: you have to read this book. This novel has been categorized under business and was written back in 1984. You will find it innovative even for today's business logic. This book is the basis of "The Phoenix Project" and you have to read it before The Phoenix Project. You will understand in detail how lean and agile methodologies lead us to DevOps as a result of ongoing improvement.


The second book is The DevOps Handbook, or How to Create World-Class Agility, Reliability, and Security in Technology Organizations, by Gene Kim, Patrick Debois, John Willis and Jez Humble, narrated by Ron Butler.

I have this book in both hardcopy and audiobook. It is indeed a handbook. If you are just now starting with DevOps you need to read it. It has stories of companies that have applied DevOps practices and it is really well structured. My suggestion is to keep notes when reading/listening to this book. Keep notes and re-read them.


Tag(s): books, devops

Friday, 23 February 2018

Okular gains some more JavaScript support

TSDgeos' blog | 15:53, Friday, 23 February 2018

Andre Heinecke did some patches [1][2][3][4][5] over the last few weeks that finally got landed this week.

With it we support recalculation of some fields based on others. An example that calculates sum, average, product, minimum and maximum of three numbers can be found in this youtube video.


This code will be available for the Okular version that will ship with KDE Applications 18.04

Tuesday, 20 February 2018

Hacking at EPFL Toastmasters, Lausanne, tonight - fsfe | 11:39, Tuesday, 20 February 2018

As mentioned in my earlier blog, I give a talk about Hacking at the Toastmasters club at EPFL tonight. Please feel free to join us and remember to turn off your mobile device or leave it at home, you never know when it might ring or become part of a demonstration.

Sunday, 18 February 2018

SwissPost putting another nail in the coffin of Swiss sovereignty - fsfe | 22:17, Sunday, 18 February 2018

A few people have recently asked me about the SwissID, as SwissPost has just been sending spam emails out to people telling them "Link your Swiss Post user account to SwissID".

This coercive new application of technology demands users' email addresses and mobile phone numbers "for security". A web site coercing people to use text messages "for security" has quickly become a red flag for most people, and many blogs have already covered why it is only an illusion of security, putting your phone account at risk so companies can profit from another vector for snooping on you.

SwissID is not the only digital identity solution in Switzerland but as it is run by SwissPost and has a name similar to another service it is becoming very well known.

In 2010 they began offering a solution which they call SuisseID (notice the difference? They are pronounced the same way.) based on digital certificates and compliant with Swiss legislation. Public discussion focussed on the obscene cost with little comment about the privacy consequences and what this means for Switzerland as a nation.

Digital certificates often embed an email address in the certificate.

With SwissID, however, they have a web site that looks like little more than vaporware, giving no details at all about whether certificates are used. It appears they are basically promoting an app that is designed to harvest the email addresses and phone numbers of any Swiss people who install it, lulling them into that folly by using a name that looks like their original SuisseID. If it looks like phishing, if it feels like phishing and if it smells like phishing to any expert who takes a brief sniff of their FAQ, then what else is it?

The thing is, the original SuisseID runs on a standalone smartcard so it doesn't need to have your mobile phone number, have permissions to all the data in your phone and be limited to working in areas with mobile phone signal.

The emails currently being sent by SwissPost tell people they must "Please use a private e-mail address for this purpose" but they don't give any information about the privacy consequences of creating such an account or what their app will do when it has access to read all the messages and contacts in your phone.

The actions you can take that they didn't tell you about

  • You can post a registered letter to SwissPost and tell them that for privacy reasons, you are immediately retracting the email addresses and mobile phone numbers they currently hold on file and that you are exercising your right not to give an email address or mobile phone number to them in future.
  • If you do decide you want a SwissID, create a unique email address for it and only use that email address with SwissPost so that it can't be cross-referenced with other companies. This email address is also like a canary in a coal mine: if you start receiving spam on that email address then you know SwissPost/SwissID may have been hacked or the data has been leaked or sold.
  • Don't install their app and if you did, remove it and you may want to change your mobile phone number.

Oddly enough, none of these privacy-protecting ideas were suggested in the email from SwissPost. Whose side are they on?

Why should people be concerned?

SwissPost, like every postal agency, has seen traditional revenues drop and so they seek to generate more revenue from direct marketing and they are constantly looking for ways to extract and profit from data about the public. They are also a huge company with many employees: when dealing with vast amounts of data in any computer system, it only takes one employee to compromise everything: just think of how Edward Snowden was able to act alone to extract many of the NSA's most valuable secrets.

SwissPost is going to great lengths to get accurate data on every citizen and resident in Switzerland, including deploying an app to get your mobile phone number and demanding an email address when you use their web site. That also allows them to cross-reference with your IP addresses.

  • Any person or organization who has your email address or mobile number may find it easier to get your home address.
  • Any person or organization who has your home address may be able to get your email address or mobile phone number.
  • When you call a company from your mobile phone and their system recognizes your phone number, it becomes easier for them to match it to your home address.
  • If SwissPost and the SBB successfully convince a lot of people to use a SwissID, some other large web sites may refuse to allow access without getting you to link them to your SwissID and all the data behind it too. Think of how many websites already try to coerce you to give them your mobile phone number and birthday to "secure" your account, but worse.

The Google factor

The creepiest thing is that over seventy percent of people are apparently using Gmail addresses in Switzerland and these will be a dependency of their registration for SwissID.

Given that SwissID is being promoted as a solution compliant with ZertES legislation that can act as an interface between citizens and the state, the intersection with such a powerful foreign actor as Gmail is extraordinary. For example, if people are registering to vote in Switzerland's renowned referendums and their communication is under the surveillance of a foreign power like the US, that is a mockery of democracy and it makes the allegations of Russian election hacking look like child's play.

Switzerland's referendums, decentralized system of Government, part-time army and privacy regime are all features that maintain a balance between citizen and state: by centralizing power in the hands of SwissID and foreign IT companies, doesn't it appear that the very name SwissID is a mockery of the Swiss identity?

Yellow in motion

No canaries were harmed in the production of this blog.

Wednesday, 14 February 2018

I love Free Software Day 2018

Ramblings of a sysadmin (Posts about planet-fsfe) | 22:10, Wednesday, 14 February 2018

Today isn't just Valentine's Day, but also I love Free Software Day! I've been using (and contributing to) Free Software for years now and don't want anything else. Even when I've given non-Free Software another chance, every time I was glad when I returned to Free Software.

A big thank you goes out to all developers, sysadmins, network gurus, translators, bugsquashers and all other contributors.

A small selection of tools/libraries/projects/organizations I'm thankful for this year: debian, ubuntu, terminator, mate, vi(m), firefox, thunderbird, postgresql, apache, kvm, libvirt, bash, openssh, nextcloud, workrave, audacious, vlc, mtp (Media Transfer Protocol), ext2/ext3/ext4/btrfs, mdadm, postfix, the linux kernel, fosdem, fsfe, eff, bitsoffreedom, ccc and kodi.

For the next year, let's make sure we don't squabble amongst ourselves. Let us be even more understanding and help each other out more. Let us agree to disagree and be fine with that. I do not care which window manager, editor, desktop or database you use. Of course I have my own preferences and don't mind a good discussion. As long as we give each other the freedom to choose what we want, it's OK. We're all playing for the Free Software team. And yes, each of us knows that we are right ;-)

At the previous FOSDEM I picked up the following card and gave it to my wife, she liked it a lot (just a tip)


What is the best online dating site and the best way to use it? - fsfe | 17:25, Wednesday, 14 February 2018

Somebody recently shared this with me, this is what happens when you attempt to access Parship, an online dating site, from the anonymous Tor Browser.

Experian is basically a private spy agency. Their website boasts about how they can:

  • Know who your customers are regardless of channel or device
  • Know where and how to reach your customers with optimal messages
  • Create and deliver exceptional experiences every time

Is that third objective, an "exceptional experience", what you were hoping for with their dating site honey trap? You are out of luck: you are not the customer, you are the product.

When the Berlin wall came down, people were horrified at what they found in the archives of the Stasi. Don't companies like Experian and Facebook gather far more data than this?

So can you succeed with online dating?

There are only three strategies that are worth mentioning:

  • Access sites you can't trust (which includes all dating sites, whether free or paid for) using anonymous services like Tor Browser and anonymous email addresses. Use fake photos and fake all other data. Don't send your real phone number through the messaging or chat facility in any of these sites because they can use that to match your anonymous account to a real identity: instead, get an extra SIM card that you pay for and top-up with cash. One person told me they tried this for a month as an experiment, expediently cutting and pasting a message to each contact to arrange a meeting for coffee. At each date they would give the other person a card that apologized for their completely fake profile photos and offering to start over now they could communicate beyond the prying eyes of the corporation.
  • Join online communities that are not primarily about dating and if a relationship comes naturally, it is a bonus.
  • If you really care about your future partner and don't want your photo to be a piece of bait used to exploit and oppress them, why not expand your real-world activities?

How to batch geotag your photos using Free Software and OpenStreetMap

English Planet – Dreierlei | 08:35, Wednesday, 14 February 2018

If you like shooting and collecting pictures, you might be interested in geotagging them. More and more software can use such geospatial metadata to categorize and visualize pictures, for example on an interactive map. Today, on I love Free Software day, I show you how to batch geotag your pictures with OpenStreetMap and Free Software only.

Geospatial metadata, together with time-stamps, seems to me to be the most important meta-information a picture can have. It is extremely helpful for organizing pictures, for example to cluster pictures taken at the same location but at different times. Personally, I always need this data whenever I upload my pictures to Wikimedia Commons, as it asks me about the geolocation of the pictures during the upload process. Before, each time I had to look up the data individually on OpenStreetMap and fill in the information manually. I quickly got bored of this and was looking for a way to write this information into my pictures automatically, even before uploading.

One solution is a GPS recorder built into or attached to the camera. Unfortunately, very few cameras come with a built-in GPS recorder, and additional GPS modules are way too expensive for most hobby enthusiasts. Fortunately, there are software solutions that let you use any other device able to capture GPS tracks and later merge this recorded geo-information with the pictures you took.

For sure, there are multiple ways to do this. In this blogpost, I will show you how to do it with a smartphone, OpenStreetMap and Free Software. All you need is:

Set up your infrastructure

Get Osmand

If you have a phone that is running Android or a more privacy and freedom friendly fork of Android get yourself Osmand, the “Global Mobile Map Viewing and Navigation for Online and Offline OpenStreetMaps”.

You can get it in the usual app stores, but as it is Free Software, you can also get it on F-Droid, the Free Software app repository. For your privacy I recommend the latter, and I wrote a short manual about how to do it in a previous blogpost. If you choose this way, however, please consider donating to finance further development.

Sync your time

It is crucial that you have the time on your devices in sync. If not, there are possibilities to fix that afterwards, but you save yourself a lot of work if you make sure that your GPS-recorder (your smartphone in our case) and your camera are in time sync.

In action: record your track

Once you have downloaded Osmand, there is no need to download additional plugins. However, you have to activate the Trip recording plugin first.

Here is how to do that and use it, step by step (the captions of the original screenshots):

  • In the menu, go for plugins.
  • Click on “Trip recording”.
  • Enable Trip recording here.
  • If you click on settings, you can fine-tune your GPS-recordings, also depending on whether you go by car, on a bicycle or by foot.
  • After enabling, your Plugin page should look like this.
  • As long as the Plugin is enabled, you will see a GPX-symbol in the top-right corner. Click it and you will be prompted with the following record screen.
  • Choose your logging interval and whether you like to see your track while recording. That’s it! From here on your track is being recorded and the only thing you have to do is to stop it once you are finished.

And by the way:

  • Once you have recorded some tracks, you will see a list of previously recorded tracks. You can export them, delete them and visualize them inside the app.
  • This is an example of how you can also visualize individual trips and statistics afterwards.

Afterwards: Geotag your pictures

Get GPS Correlate

There are many ways to get GPS Correlate. You can

  • get it from Github
  • via your terminal with $ apt-get install gpscorrelate
  • or via the Synaptic package manager:

Use GPS Correlate

The interface is pretty simple:

  • Press “add photos” and choose the photos you would like to geotag. It can be a single picture or multiple pictures (e.g. all pictures along one gpx-track).
  • Choose your recorded gpx-track under “GPS Data”.
  • Keep the default ticked options “Interpolate” and “Write DD MM SS.SS”.
  • Choose a maximum gap time for a picture to be matched. I choose 5 minutes (300 seconds) here.
  • Enter your time zone relative to UTC.
  • Go ahead, correlate photos.

Now you should see the interpolated match of your pictures and your gpx-track and you are done:
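What the correlation step does under the hood, as an added Python example that is not gpscorrelate's own code: interpolate between the two track fixes around each photo's timestamp, reject photos whose nearest fix is further away than the maximum gap, apply the camera's UTC offset, and format the result as DD MM SS.SS. The GPX track and the EXIF timestamps are constructed sample data.

```python
"""Time-based correlation of photo timestamps with a GPX track (illustration)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}

# Constructed sample track: three fixes, the last one 28 minutes after the second.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><trkseg>
    <trkpt lat="52.5200" lon="13.4050"><time>2018-02-14T10:00:00Z</time></trkpt>
    <trkpt lat="52.5210" lon="13.4070"><time>2018-02-14T10:02:00Z</time></trkpt>
    <trkpt lat="52.5230" lon="13.4100"><time>2018-02-14T10:30:00Z</time></trkpt>
  </trkseg></trk>
</gpx>"""


def parse_gpx(text):
    """Return the track as a time-sorted list of (utc_datetime, lat, lon)."""
    root = ET.fromstring(text)
    points = []
    for pt in root.iterfind(".//gpx:trkpt", GPX_NS):
        stamp = pt.find("gpx:time", GPX_NS).text
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        points.append((when, float(pt.get("lat")), float(pt.get("lon"))))
    points.sort()
    return points


def correlate(points, exif_datetime_original, utc_offset_hours, max_gap_s=300):
    """Interpolate (lat, lon) for one photo, or return None if no fix is close enough.

    EXIF DateTimeOriginal ("YYYY:MM:DD HH:MM:SS") is the camera's wall-clock time
    and carries no zone, so the user-supplied offset from UTC is applied first.
    This is why camera and GPS recorder clocks must be in sync."""
    local = timezone(timedelta(hours=utc_offset_hours))
    shot = datetime.strptime(exif_datetime_original, "%Y:%m:%d %H:%M:%S")
    shot = shot.replace(tzinfo=local).astimezone(timezone.utc)
    for (t0, lat0, lon0), (t1, lat1, lon1) in zip(points, points[1:]):
        if not (t0 <= shot <= t1):
            continue
        # Reject the match if the nearest surrounding fix is older/newer than the gap.
        nearest = min((shot - t0).total_seconds(), (t1 - shot).total_seconds())
        if nearest > max_gap_s:
            return None
        span = (t1 - t0).total_seconds()
        frac = 0.0 if span == 0 else (shot - t0).total_seconds() / span
        return (lat0 + frac * (lat1 - lat0), lon0 + frac * (lon1 - lon0))
    return None  # photo taken before the first or after the last fix


def to_dms(value, positive_ref, negative_ref):
    """Format decimal degrees as 'DD MM SS.SS X', the "Write DD MM SS.SS" option."""
    ref = positive_ref if value >= 0 else negative_ref
    value = abs(value)
    degrees = int(value)
    minutes_full = (value - degrees) * 60
    minutes = int(minutes_full)
    seconds = round((minutes_full - minutes) * 60, 2)
    if seconds >= 60.0:  # rounding carried the seconds into the next minute
        seconds -= 60.0
        minutes += 1
    if minutes == 60:
        minutes = 0
        degrees += 1
    return f"{degrees} {minutes} {seconds:.2f} {ref}"


if __name__ == "__main__":
    track = parse_gpx(SAMPLE_GPX)
    # Camera clock set to CET (UTC+1): 11:01 local is 10:01Z, midway between fixes 1 and 2.
    hit = correlate(track, "2018:02:14 11:01:00", utc_offset_hours=1)
    print(to_dms(hit[0], "N", "S"), to_dms(hit[1], "E", "W"))
    # 11:20 local is 10:20Z: the nearest fix is 10 minutes away, beyond the 300 s gap.
    print(correlate(track, "2018:02:14 11:20:00", utc_offset_hours=1))
```

A wrong UTC offset silently shifts every photo along the track (or off its ends), which is the failure mode the "Sync your time" step guards against.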

Enjoy your batch processed pictures!

A big hug and thank you to all the people behind OpenStreetMap, behind Osmand, to Daniel Foote and Dan Fandrich for making this possible! Happy I love Free Software Day 2018!

Tuesday, 13 February 2018

FOSDEM 2018 - recap

Inductive Bias | 06:13, Tuesday, 13 February 2018

Too crowded, too many queues, too little space - but also lots of friendly people, Belgian waffles, ice cream, an ASF dinner with grey beards and new people, a busy ASF booth, bumping into friends every few steps, meeting humans you see only online for an entire year or more: For me, that's the gist of this year's FOSDEM.

Note: German version of the article including images appeared in my employer's tech blog.

To my knowledge FOSDEM is the biggest gathering of free software people in Europe at least. It's free of charge, kindly hosted by ULB and organised by a large group of volunteers. Every year in early February the FOSS community meets for one weekend in Brussels to discuss all sorts of aspects of Free and Open Source Software development - including community, legal, business and policy aspects. The event features more than 600 talks as well as several dozen booths by FOSS projects and FOSS friendly companies. There are several FOSDEM fringe events surrounding the event that are not located on campus. If you go to any random bar or restaurant in Brussels that weekend you are bound to bump into FOSDEM people.

Fortunately for those not lucky enough to have made it to the event, video recordings (unfortunately in varying quality) are available online at Some highlights you might want to watch:

One highlight for me personally this year: I cannot help but believe that I met way more faces from The Apache Software Foundation than at any other FOSDEM before. The booth was crowded at all times - Sharan Foga did a great job explaining The ASF to people. Also it's great to hear The ASF mentioned in several talks as one of the initiatives to look at to understand how to run open source projects in a sustainable fashion with an eye on longevity. It was helpful to have at least two current Apache board members (Bertrand Delacretaz as well as Rich Bowen) on site to help answer tricky questions. Last but not least it was lovely meeting several of the Apache Grey Beards (TM) for an Apache Dinner on Saturday evening. Luckily co-located with the FOSDEM HPC speaker dinner - which took a calendar conflict out of the Apache HPC people's calendar :)

Me personally, I hope to see many more ASF people later this year in Berlin for FOSS Backstage - the advertisement sign that was located at the FOSDEM ASF booth last weekend already made it here, will you follow?

Wednesday, 07 February 2018

KDE Applications 18.04 Schedule finalized

TSDgeos' blog | 20:56, Wednesday, 07 February 2018

It is available at the usual place

Dependency freeze is in 5 weeks and Feature Freeze in 6 weeks, so hurry up!

FSFE Assembly at 34C3: Wir taten was

English Planet – Dreierlei | 20:04, Wednesday, 07 February 2018

In December 2017, the Chaos Communication Congress moved for the first time onto the Messegelände Leipzig. The FSFE came along and, as in recent years, our assembly attracted a lot of visitors. Together with EDRi, we set up for the first time a cluster called “Rights & Freedoms” with our own stage for multiple sessions. Although there were some organisational issues, this Cluster was a big success and over three days it was visited by thousands of people.

I am happy to see the FSFE assembly again growing every year and having the possibility to bring our message of Software Freedom to the people at the Chaos Communication Congress. The CCC is Germany’s biggest annual meetup of hackers and political activists and is “considered one of the largest events of this kind, alongside the DEF CON in Las Vegas” (wikipedia).

[Photo: FSFE assembly by day]

[Photo: FSFE assembly by night]

After setting up our own self-created track in the session rooms offered by the CCC in the last two years [2015, 2016], we aligned this year with European Digital Rights (EDRi) and together we formed a Cluster called “Rights & Freedoms” around our own lecture hall, with a stage for a 100-people audience in one half – and room for several friendly organisations to settle their own assemblies in the other half.

[Photo: Polina Malaja and Katharina Nocun give a presentation of FSFE’s Public Money? Public Code! campaign]

[Photo: Hanno Böck explains “Hacking with wget”]

This way, the FSFE’s track became for the first time an official part of the CCC program. Together with like-minded organisations we used our stage to set up a full-time program in our cluster that in sum led thousands of visitors in there, with the FSFE booth prominently located directly at its entrance.

The organisers of the CCC were also very happy with us and our organisation, and we were given hope of getting an even bigger lecture room next year. I see the FSFE’s growing presence at the CCC as a strategically important success because it is not “the usual Free Software conference” but a general technology meet-up. So, a good presence at CCC is not simply stewing in our own soup but extending our outreach into new networks.

As is true for most of our booths and activities, the whole booth would not have been possible to run without our dedicated volunteer booth team! You are the ones empowering FSFE. And I would like to use this occasion to give special thanks to André Klöpfel, Berlin-based volunteer, without whom I would not have been able to organise our booth so smoothly this year and last year already.

[Photo: No Free Software without some love …]

More XEPs for Smack

vanitasvitae's blog » englisch | 14:05, Wednesday, 07 February 2018

I spent the last weekend from Thursday to Sunday in Brussels at the XSF-Summit (here is a very nice post about it by JCBrand) and the FOSDEM. It was really nice to meet all the faces belonging to the JIDs you otherwise only see in the MUCs or on GitHub in real life.

There was a lot of discussion about how to make XMPP more accessible to the masses and one point that came up was to pay more attention to XMPP libraries, as they are often somewhat of a gateway for new developers who discovered the XMPP protocol. A good library with good documentation can help those new developers immensely to get started with XMPP.

During my stay and while on the train, I found some time to work on Smack again and so I added support for 3 more XEPs:

Ge0rG gave a talk about what’s currently wrong with the XMPP protocol. One suggested improvement was to rely more on Stable and Unique Stanza IDs to improve message identification in various use-cases, so I quickly implemented XEP-0359.

XEP-0372: References is one dependency of XEP-0385: Stateless Inline Media Sharing, which I’m planning to implement next, so the boring lengthy train ride was spent adding support for XEP-0372.

A very nice XEP to implement was XEP-0392: Consistent Color Generation, which is used to generate consistent colors for usernames across different clients. I really like the accessibility aspect of that XEP, as it provides methods to generate colors easily distinguishable by users with color vision deficiency.

I hope my contributions will draw one or two developers who seek to implement a chat client themselves to the awesome XMPP protocol :)

Happy Hacking!

Friday, 02 February 2018

Everything you didn't know about FSFE in a picture - fsfe | 09:51, Friday, 02 February 2018

As FSFE's community begins exploring our future, I thought it would be helpful to start with a visual guide to the current structure.

All the information I've gathered here is publicly available but people rarely see it in one place, hence the heading. There is no suggestion that anything has been deliberately hidden.

The drawing at the bottom includes Venn diagrams to show the overlapping relationships clearly and visually. For example, in the circle for the General Assembly, all the numbers add up to 29, the total number of people listed on the "People" page of the web site. In the circle for Council, there are 4 people in total and in the circle for Staff, there are 6 people, 2 of them also in Council and 4 of them in the GA but not council.

The financial figures on this diagram are taken from the 2016 financial summary. The summary published by FSFE is very basic, so the exact amount paid in salaries is not clear; the number in the Staff circle probably pays for a lot more than just salaries, and I feel FSFE gets good value for this money.

Some observations about the numbers:

  • The volunteers don't elect any representatives to the GA, although some GA members are also volunteers
  • From 1,700 fellowship members, only 2 are elected, to 2 of the 29 GA seats, yet they provide over thirty percent of the funding through recurring payments
  • Out of 6 staff, all 6 are members of the GA (6 out of 29) since a decision to accept them at the last GA meeting
  • Only the 29 people in the General Assembly are full (legal) members of the FSFE e.V. association with the right to vote on things like constitutional changes. Those people are all above the dotted line on the page. All the people below the line have been referred to by other names, like fellow, supporter, community, donor and volunteer.

If you ever clicked the "Join the FSFE" button or filled out the "Join the FSFE" form on the FSFE web site and made a payment, did you believe you were becoming a member with an equal vote? If so, one procedure you can follow is to contact the president as described here and ask to be recognized as a full member. I feel it is important for everybody who filled out the "Join" form to clarify their rights and their status before the constitutional change is made.

I have not presented these figures to create conflict between staff and volunteers. Both have an important role to play. Many people who contribute time or money to FSFE are very satisfied with the concept that "somebody else" (the staff) can do difficult and sometimes tedious work for the organization's mission and software freedom in general. As I've been elected as a fellowship representative, I feel a responsibility to ensure the people I represent are adequately informed about the organization and their relationship with it, and I hope these notes and the diagram help to fulfil that responsibility.

Therefore, this diagram is presented to the community not for the purpose of criticizing anybody but for the purpose of helping make sure everybody is on the same page about our current structure before it changes.

If anybody has time to make a better diagram it would be very welcome.

Thursday, 01 February 2018

containers containers containers

Evaggelos Balaskas - System Engineer | 21:08, Thursday, 01 February 2018


Latest systemd version now contains the systemd-importd daemon.

That means that we can use machinectl to import a tar or a raw image from the internet and use it with the systemd-nspawn command.

So here is an example from my archlinux box:

# cat /etc/arch-release

Arch Linux release

CentOS 7

We can download the tar centos7 docker image from the docker hub registry:

# machinectl pull-tar --verify=no

Created new local image 'centos-7-docker'.
Operation completed successfully.

we can verify that:

# ls -la /var/lib/machines/centos-7-docker

total 28
dr-xr-xr-x 1 root root   158 Jan  7 18:59 .
drwx------ 1 root root   488 Feb  1 21:17 ..
-rw-r--r-- 1 root root 11970 Jan  7 18:59 anaconda-post.log
lrwxrwxrwx 1 root root     7 Jan  7 18:58 bin -> usr/bin
drwxr-xr-x 1 root root     0 Jan  7 18:58 dev
drwxr-xr-x 1 root root  1940 Jan  7 18:59 etc
drwxr-xr-x 1 root root     0 Nov  5  2016 home
lrwxrwxrwx 1 root root     7 Jan  7 18:58 lib -> usr/lib
lrwxrwxrwx 1 root root     9 Jan  7 18:58 lib64 -> usr/lib64
drwxr-xr-x 1 root root     0 Nov  5  2016 media
drwxr-xr-x 1 root root     0 Nov  5  2016 mnt
drwxr-xr-x 1 root root     0 Nov  5  2016 opt
drwxr-xr-x 1 root root     0 Jan  7 18:58 proc
dr-xr-x--- 1 root root   120 Jan  7 18:59 root
drwxr-xr-x 1 root root   104 Jan  7 18:59 run
lrwxrwxrwx 1 root root     8 Jan  7 18:58 sbin -> usr/sbin
drwxr-xr-x 1 root root     0 Nov  5  2016 srv
drwxr-xr-x 1 root root     0 Jan  7 18:58 sys
drwxrwxrwt 1 root root   140 Jan  7 18:59 tmp
drwxr-xr-x 1 root root   106 Jan  7 18:58 usr
drwxr-xr-x 1 root root   160 Jan  7 18:58 var


Now we can test it:

[root@myhomepc ~]# systemd-nspawn --machine=centos-7-docker

Spawning container centos-7-docker on /var/lib/machines/centos-7-docker.
Press ^] three times within 1s to kill container.

[root@centos-7-docker ~]#
[root@centos-7-docker ~]#
[root@centos-7-docker ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@centos-7-docker ~]#
[root@centos-7-docker ~]# exit
Container centos-7-docker exited successfully.

and now returning to our system:

[root@myhomepc ~]#
[root@myhomepc ~]#
[root@myhomepc ~]# cat /etc/arch-release
Arch Linux release

Ubuntu 16.04.4 LTS

ubuntu example:

# machinectl pull-tar --verify=no

# systemd-nspawn --machine=ubuntu-xenial-core-cloudimg-amd64-root
Spawning container ubuntu-xenial-core-cloudimg-amd64-root on /var/lib/machines/ubuntu-xenial-core-cloudimg-amd64-root.
Press ^] three times within 1s to kill container.
Timezone Europe/Athens does not exist in container, not updating container timezone.
root@ubuntu-xenial-core-cloudimg-amd64-root:~# cat /etc/os-release 
VERSION="16.04.4 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.4 LTS"
root@ubuntu-xenial-core-cloudimg-amd64-root:~# exit
Container ubuntu-xenial-core-cloudimg-amd64-root exited successfully.
# cat /etc/os-release 
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"

CS3 Workshop 2018 - Global Scale and the future of Federated Cloud Sharing

English on Björn Schießle - I came for the code but stayed for the freedom | 17:00, Thursday, 01 February 2018

At this year's CS3 Workshop in Krakow I presented the current state of Nextcloud’s Global Scale architecture. Probably the most interesting part of the talk was the current development in the area of Federated Cloud Sharing, a central component of Global Scale. Originally, Federated Cloud Sharing was developed by Frank Karlitschek and me in 2014 at ownCloud. These days it enables cloud solutions from ownCloud, Pydio and Nextcloud to exchange files.

As part of Global Scale we will add federated group sharing in the coming months. Further we want to enable apps to provide additional “federated share providers” in order to implement federated calendar sharing, federated contact sharing and more.

The next iteration of Federated Cloud Sharing will be based on the Open Cloud Mesh (OCM) specification. The Open Cloud Mesh initiative by GÉANT aims to turn our original idea of Federated Cloud Sharing into a vendor neutral standard, something I explicitly support. In the process of implementing OCM we will propose some minor changes and additions to the existing specification to meet all our requirements. Directly after my talk I received a lot of positive feedback from different members of the Open Cloud Mesh initiative. I was especially happy to hear that PowerFolder has already started to implement OCM as well and that our friends at Seafile also want to join us. I’m looking forward to working together with the OCM community in the following weeks and months in order to make our changes part of the official specification.

I will write a more detailed article once we have a first prototype of our implementation. For now I want to share my presentation slides with you:

(This blog post contains some presentation slides, you can see them here.)

Tags: #Nextcloud #cs3 #ocm #cloud #federation #slides

Our future relationship with FSFE - fsfe | 13:19, Thursday, 01 February 2018

Below is an email that has been distributed to the FSFE community today. FSFE aims to be an open organization and people are welcome to discuss it through the main discussion group (join, thread and reply) whether you are a member or not.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site. The "No Cloud" stickers and the Public Money Public Code campaign are examples of initiatives started by FSFE - you can request free stickers and posters by filling in this form.

Dear FSFE Community,

I'm writing to you today as one of your elected fellowship representatives rather than to convey my own views, which you may have already encountered in my blog or mailing list discussions.

The recent meeting of the General Assembly (GA) decided that the annual elections will be abolished but this change has not yet been ratified in the constitution.

Personally, I support an overhaul of FSFE's democratic processes and the bulk of the reasons for this change are quite valid. One of the reasons proposed for the change, the suggestion that the election was a popularity contest, is an argument I don't agree with: the same argument could be used to abolish elections anywhere.

One point that came up in discussions about the elections is that people don't need to wait for the elections to be considered for GA membership. Matthias Kirschner, our president, has emphasized this to me personally as well: he looks at each new request with an open mind and forwards it to all of the GA for discussion. According to our constitution, anybody can write to the president at any time and request to join the GA. In practice, the president and the existing GA members will probably need to have seen some of your activities in one of the FSFE teams or local groups before accepting you as a member. I want to encourage people to become familiar with the GA membership process, discuss it within their teams and local groups, and think about whether you or anybody you know may be a good candidate.

According to the minutes of the last GA meeting, several new members were already accepted this way in the last year. It is particularly important for the organization to increase diversity in the GA at this time.

The response rate for the last fellowship election was lower than in previous years and there is also concern that emails don't reach everybody thanks to spam filters or the Google Promotions tab (if you use gmail). If you had problems receiving emails about the last election, please consider sharing that feedback on the discussion list.

Understanding where the organization will go beyond the extinction of the fellowship representative is critical. The Identity review process, championed by Jonas Oberg and Kristi Progri, is actively looking at these questions. Please contact Kristi if you wish to participate and look out for updates about this process in emails and Planet FSFE. Kristi will be at FOSDEM this weekend if you want to speak to her personally.

I'll be at FOSDEM this weekend and would welcome the opportunity to meet with you personally. I will be visiting many different parts of FOSDEM at different times, including the FSFE booth, the Debian booth, the real-time lounge (K-building) and the Real-Time Communications (RTC) dev-room on Sunday, where I'm giving a talk. Many other members of the FSFE community will also be present; if you don't know where to start, simply come to the FSFE booth. The next European event I visit after FOSDEM will potentially be OSCAL in Tirana; it is in May and I would highly recommend this event for anybody who doesn't regularly travel to events outside their own region.

Changing the world begins with the change we make ourselves. If you only do one thing for free software this year and you are not sure what it is going to be, then I would recommend this: visit an event that you never visited before, in a city or country you never visited before. It doesn't necessarily have to be a free software or IT event. In 2017 I attended OSCAL in Tirana and the Digital-Born Media Carnival in Kotor for the first time. You can ask FSFE to send you some free stickers and posters (online request with optional donation) to give to the new friends you meet on your travels. Change starts with each of us doing something new or different and I hope our paths may cross in one of these places.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site.

Please feel free to discuss this through the FSFE discussion group (join, thread and reply).

Wednesday, 31 January 2018

Network-Bound Disk Encryption

Evaggelos Balaskas - System Engineer | 23:25, Wednesday, 31 January 2018

I was reading the redhat release notes on 7.4 and came across: Chapter 15. Security

New packages: tang, clevis, jose, luksmeta

Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring to manually enter password when systems are rebooted.

That means we can now have an encrypted (LUKS) volume that will be decrypted on reboot, without the need to type a passphrase!!!

Really, really useful on a VPS (and in cloud infrastructures in general).

Useful Links

CentOS 7.4 with Encrypted rootfs

(aka client machine)

Below is a test centos 7.4 virtual machine with an encrypted root filesystem:

Tang Server

(aka server machine)

Tang is a server for binding data to network presence. This is a different centos 7.4 virtual machine from the above.


Let’s install the server part:

# yum -y install tang

Start socket service:

# systemctl restart tangd.socket

Enable socket service:

# systemctl enable tangd.socket

TCP Port

Check that the tang server is listening:

# netstat -ntulp | egrep -i systemd

tcp6    0    0 :::80    :::*    LISTEN    1/systemd


Don't forget the firewall:

Firewall Zones

# firewall-cmd --get-active-zones

  interfaces: eth0

Firewall Port

# firewall-cmd --zone=public --add-port=80/tcp --permanent

# firewall-cmd --add-port=80/tcp --permanent

# firewall-cmd --reload

We have finished with the server part!

Client Machine - Encrypted rootfs

Now it is time to configure the client machine, but first let’s check the encrypted partition:


Every encrypted block device is configured in the crypttab file:

[root@centos7 ~]# cat /etc/crypttab

luks-3cc09d38-2f55-42b1-b0c7-b12f6c74200c UUID=3cc09d38-2f55-42b1-b0c7-b12f6c74200c none 


and every filesystem that is statically mounted on boot is configured in fstab:

[root@centos7 ~]# cat /etc/fstab

UUID=c5ffbb05-d8e4-458c-9dc6-97723ccf43bc          /boot  xfs  defaults  0 0

/dev/mapper/luks-3cc09d38-2f55-42b1-b0c7-b12f6c74200c  /  xfs  defaults,x-systemd.device-timeout=0 0 0


Now let’s install the client (clevis) part that will talk with tang:

# yum -y install clevis clevis-luks clevis-dracut


Binding the volume to tang is a very simple command:

# clevis bind luks -d /dev/vda2 tang '{"url":""}'

The advertisement contains the following signing keys:


Do you wish to trust these keys? [ynYN] y

You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vda2? [yn] y

Enter existing LUKS password:

We’ve just configured our encrypted volume against tang!

Luks MetaData

We can verify its LUKS metadata with:

[root@centos7 ~]# luksmeta show -d /dev/vda2

0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty


We must not forget to regenerate the initramfs image, that on boot will try to talk with our tang server:

[root@centos7 ~]# dracut -f


Now it’s time to reboot!


A short message will appear on the screen, but within a few seconds, if the exchange of messages with the tang server succeeds, our server will decrypt the rootfs volume.


Tang messages

To finish this article, I will show you some tang messages via journalctl:


Getting the signing key from the client on setup:

Jan 31 22:43:09 centos7 systemd[1]: Started Tang Server (
Jan 31 22:43:09 centos7 systemd[1]: Starting Tang Server (
Jan 31 22:43:09 centos7 tangd[1219]: GET /adv/ => 200 (src/tangd.c:85)


The client trying to decrypt the encrypted volume on reboot:

Jan 31 22:46:21 centos7 systemd[1]: Started Tang Server (
Jan 31 22:46:21 centos7 systemd[1]: Starting Tang Server (
Jan 31 22:46:22 centos7 tangd[1223]: POST /rec/Shdayp69IdGNzEMnZkJasfGLIjQ => 200 (src/tangd.c:168)
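What happens between `clevis bind` and the boot-time `POST /rec/` seen in the journal above, as an added Python sketch of the McCallum-Relyea exchange that Tang implements. This is my own illustration, not tang or clevis code: the real protocol runs over an elliptic-curve group, while here the same algebra is written in a multiplicative group modulo a small prime, with toy parameters that are constructed for the example and must not be used for anything real.

```python
"""Outline of the Tang/Clevis key binding and recovery exchange (toy group)."""
import secrets

P = 2**127 - 1   # a Mersenne prime, used only as a toy modulus
G = 3            # toy generator


def pow_mod(base, exp):
    return pow(base, exp, P)


def inverse(x):
    return pow_mod(x, P - 2)  # Fermat inverse, valid because P is prime


class TangServer:
    """Holds the long-term secret s and serves the two endpoints seen in the journal."""

    def __init__(self):
        self.s = 1 + secrets.randbelow(P - 2)
        self.S = pow_mod(G, self.s)   # the key published in the advertisement
        self.requests = []

    def adv(self):
        """GET /adv/ : hand out the advertisement (public key only)."""
        self.requests.append("GET /adv/")
        return self.S

    def rec(self, X):
        """POST /rec/<kid> : raise the client's blinded value to the server secret.

        The server only ever sees X; it learns neither C nor the recovered key K."""
        self.requests.append("POST /rec/")
        return pow_mod(X, self.s)


def bind(S):
    """Client side of `clevis bind`: derive K, keep only C in the LUKS header."""
    c = 1 + secrets.randbelow(P - 2)
    C = pow_mod(G, c)     # stored in the clevis metadata slot (luksmeta slot 1 above)
    K = pow_mod(S, c)     # K = g^(s*c) wraps the LUKS key; c and K are then discarded
    return C, K


def recover(server, S, C):
    """Boot-time recovery from the initramfs: rebuild K with the server's help."""
    e = 1 + secrets.randbelow(P - 2)  # fresh blinding factor for every boot
    E = pow_mod(G, e)
    X = (C * E) % P                   # X = g^(c+e), hides C from the server
    Y = server.rec(X)                 # Y = X^s = g^(s*c) * g^(s*e)
    return (Y * inverse(pow_mod(S, e))) % P   # strip g^(s*e), leaving K = g^(s*c)


def demo():
    """Returns (recovery_matches, impostor_matches, request log of the real server)."""
    server = TangServer()
    S = server.adv()                  # fetched once, at bind time
    C, K_bind = bind(S)
    K_boot = recover(server, S, C)    # the POST /rec/ at each reboot
    impostor = TangServer()           # different secret: a rotated or fake server
    K_wrong = recover(impostor, S, C)
    return K_bind == K_boot, K_bind == K_wrong, server.requests


if __name__ == "__main__":
    print(demo())   # (True, False, ['GET /adv/', 'POST /rec/'])
```

The machine can only unlock while the real tang server answers on the network; a server holding a different secret yields an unrelated value, and nothing the client stores on disk (S and C) suffices to rebuild K without it.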

Tag(s): NBDE, luks, centos7

Tuesday, 30 January 2018

Fair communication requires mutual consent - fsfe | 20:33, Tuesday, 30 January 2018

I was pleased to read Shirish Agarwal's blog in reply to the blog I posted last week Do the little things matter?

Given the militaristic theme used in my own post, I was also somewhat amused to see news this week of the Strava app leaking the locations and layouts of secret US military facilities like Area 51. What a way to mark International Data Privacy Day. Maybe, rather than inadvertently leading people to wonder whether I was suggesting that Gmail users don't make their beds, I should have emphasized that Admiral McRaven's boot camp regime for Navy SEALs needs to incorporate some of my suggestions about data privacy?

Strava leaks layouts and locations of secret US bases like Area 51

A highlight of Agarwal's blog is his comment "I usually wait for a day or more when I feel myself getting inflamed/heated" and I wish this had occurred in some of the other places where my ideas were discussed. Even though my ideas are sometimes provocative, I would kindly ask people to keep point 2 of the Debian Code of Conduct in mind, "Assume good faith".

One thing that became clear to me after reading Agarwal's blog is that some people saw my example one-line change to Postfix's configuration as a suggestion that people need to run their own mail server. In fact, I had seen such comments before but I hadn't realized why people were reaching the conclusion that I expect everybody to run a mail server. The purpose of that line was simply to emphasize the content of the proposed bounce message, to help people understand that the receiver of an email may never have agreed to Google's non-privacy policy, but if you do use Gmail and send them a message from a Gmail account, you impose that surveillance regime on them and not just on yourself.

Communication requires mutual agreement about the medium. Think about it another way: if you go to a meeting with your doctor and some stranger in a foreign military uniform is in the room, you might choose to leave and find another doctor rather than communicate under surveillance.

As it turns out, many people are using alternative email services, even if they only want a web interface. There is already a feature request discussion in ProtonMail about letting users choose to opt-out of receiving messages monitored by Google and send back the bounce message suggested in my blog. Would you like to have that choice, even if you didn't use it immediately? You can vote for that issue or leave your own feedback comments in there too.

Imagine the world's biggest Kanban / Scrumboard - fsfe | 18:52, Tuesday, 30 January 2018

Imagine a Kanban board that could aggregate issues from multiple backends, including your CalDAV task list, Bugzilla systems (Fedora, Mozilla, GNOME communities), Github issue lists and the Debian Bug Tracking System, visualize them together and coordinate your upstream fixes and packaging fixes in a single sprint.

It is not so far-fetched: all of those systems already provide read access using iCalendar URLs as described in my earlier blog. There are REST APIs to manipulate most of them too. Why not write a front end to poll them and merge the content into a Kanban board view?

We've added this as a potential GSoC project using Python and PyQt.

If you'd like to see this or any of the other proposed projects go ahead, you don't need to be a Debian Developer to suggest ideas, refer a student or be a co-mentor. Many of our projects have relevance in multiple communities. Feel free to get in touch with us through the debian-outreach mailing list.

Sunday, 28 January 2018

Let's talk about Hacking (EPFL, Lausanne, 20 February 2018) - fsfe | 21:54, Sunday, 28 January 2018

I've been very fortunate to have the support from several free software organizations to travel to events around the world and share what I do with other people. It's an important mission in a world where technology is having an increasing impact on our lives. With that in mind, I'm always looking for ways to improve my presentations and my presentation skills. As part of mentoring programs like GSoC and Outreachy, I'm also looking for ways to help newcomers in our industry to maximize their skills in communicating about the great work they do when they attend their first event.

With that in mind, one of the initiatives I've taken this year is participating in the Toastmasters organization. I've attended several meetings of the Toastmasters group at EPFL and on 20 February 2018, I'll give my first talk there on the subject of Hacking.

If you live in the area, please come along. Entrance is free, there is plenty of parking available in the evening and it is close to the metro too. Please try to arrive early so as not to disrupt the first speaker. Location map, Add to your calendar.

The Toastmasters system encourages participants to deliver a series of ten short (5-7 minute) speeches, practicing a new skill each time.

The first of these, The Ice Breaker, encourages speakers to begin using their existing skills and experience. When I read that in the guide, I couldn't help wondering if that is a cue to unleash some gadget on the audience.

Every group provides a system for positive feedback, support and mentoring for speakers at every level. It is really wonderful to see the impact that this positive environment has for everybody. At the EPFL meetings, I've met a range of people, some with far more speaking experience than me but most of them are working their way through the first ten speeches.

One of the longest running threads on the FSFE discussion list in 2017 saw several people arguing that it is impossible to share ideas without social media. If you have an important topic you want to share with the world, could public speaking be one way to go about it, and does this possibility refute the argument that we "need" social media to share ideas? Is it more valuable to learn how to engage with a small audience for five minutes than to have an audience of hundreds on Twitter who scroll past you in half a second as they search for cat photos? If you are not in Lausanne, you can easily find a Toastmasters club near you anywhere in the world.

Friday, 26 January 2018

Local OsmAnd and Geo URL's

Ramblings of a sysadmin (Posts about planet-fsfe) | 22:50, Friday, 26 January 2018

Earlier this year I went on a long holiday to Japan and China. I have an Android phone and am a very big fan of OpenStreetMap, so I used OsmAnd (which uses OpenStreetMap data) to navigate through those countries. I made a spreadsheet with LibreOffice, which included a few links to certain locations which are hard to find or do not have an address. Then I exported that .ods to a .pdf and was able to click on the links, which then opened perfectly in OsmAnd.

The URL I was able to use in my PDF document was this one (of course you can substitute longitude and latitude):

And then I helped a friend of mine with something similar to use on a website. Of course the link above did not work. After a short look on Wikipedia I found the page about Geo URI scheme. Constructing a URL with the Geo URI scheme will trigger the default navigation application on a mobile device to open the location. And of course, here you can also substitute the longitude and latitude.

<a href="geo:51.4404,4.3294;u=15">Hoogerheide</a>

Which will result in this link (usable on mobile devices) and of course you can still create a "normal one" for non-mobile device such as this one.

Thursday, 25 January 2018

Do the little things matter? - fsfe | 20:44, Thursday, 25 January 2018

In a widely shared video, US Admiral McRaven addressing University of Texas at Austin's Class of 2014 chooses to deliver a simple message: make your bed every day.

A highlight of this talk is the quote "The little things in life matter. If you can't do the little things right, you'll never be able to do the big things right."

In the world of free software engineering, we have lofty goals: the FSF's High Priority Project list identifies goals like private real-time communication, security and diversity in our communities. Those deploying free software in industry have equally high ambitions, ranging from self-driving cars to beating the stock market.

Yet over and over again, we can see people taking little shortcuts and compromises. If Admiral McRaven is right, our failure to take care of little decisions, like how we choose an email provider, may be the reason those big projects, like privacy or diversity, appear to be no more than a pie-in-the-sky.

The IT industry has relatively few regulations compared to other fields such as aviation, medicine or even hospitality. Consider a doctor who re-uses a syringe - how many laws would he be breaking? Would he be violating conditions of his insurance? Yet if an IT worker overlooks the contempt for the privacy of Gmail users and their correspondents that is dripping off the pages of the so-called "privacy" policy, nobody questions them. Many people will applaud their IT staff for choices or recommendations like this, because, of course, "it works". A used syringe "just works" too, but who would want one of those?

Google's CEO Eric Schmidt tells us that if you don't have anything to hide, you don't need to worry.

Compare this to the advice of Sun Tzu, author of the indispensable book on strategy, The Art of War. The very first chapter is dedicated to estimating, calculating and planning: what we might call data science today. Tzu unambiguously advises to deceive your opponent, not to let him know the truth about your strengths and weaknesses.

In the third chapter, Offense, Tzu starts out that "The best policy is to take a state intact ... to subdue the enemy without fighting is the supreme excellence." Surely this is only possible in theory and not in the real world? Yet when I speak to a group of people new to free software and they tell me "everybody uses Windows in our country", Tzu's words take on meaning he never could have imagined 2,500 years ago.

In many tech startups and even some teams in larger organizations, the oft-repeated mantra is "take the shortcut". But the shortcuts and the things you get without paying anything, without satisfying the conditions of genuinely free software, compromises such as Gmail, frequently involve giving up a little bit too much information about yourself: otherwise, why would they leave the bait out for you? As Mr Tzu puts it, you have just been subdued without fighting.

In one community that has taken a prominent role in addressing the challenges of diversity, one of the leaders recently expressed serious concern that their efforts had been subdued in another way: Gmail's Promotions Tab. Essential emails dispatched to people who had committed to their program were routinely being shunted into the Promotions Tab along with all that marketing nonsense that most people never asked for and the recipients never saw them.

I pointed out many people have concerns about Gmail and that I had been having thoughts about simply blocking it at my mail server. It is quite easy to configure a mail server to send an official bounce message, for example, in Postfix, it is just one line in the /etc/postfix/access file:   REJECT  The person you are trying to contact hasn't accepted Gmail's privacy policy.  Please try sending the email from a regular email provider.

(NOTE: some people read this and thought I meant everybody should run their own email server, but the above code is just an example to encourage discussion. There is discussion about adding a similar feature to block messages from Gmail to ProtonMail webmail accounts, so anybody can do this without their own server and take back control over their privacy)

Some communities could go further, refusing to accept Gmail addresses on mailing lists or registration forms: would that be the lesser evil compared to a miserable fate in Promotions Tab limbo?

I was quite astounded at the response: several people complained that this was too much for participants to comply with (the vast majority register with a Gmail address) or that it was even showing all Gmail users contempt (can't they smell the contempt for users in the aforementioned Gmail "privacy" policy?). Nobody seemed to think participants could cope with that and if we hope these people are going to be the future of diversity, that is really, really scary.

Personally, I have far higher hopes for them: just as Admiral McRaven's Navy SEALS are conditioned to make their bed every day at boot camp, people entering IT, especially those from under-represented groups, need to take pride in small victories for privacy and security, like saying "No" each and every time they have the choice to give up some privacy and get something "free", before they will ever hope to accomplish big projects and change the world.

If they don't learn these lessons at the outset, like the survival and success habits drilled into soldiers during boot-camp, will they ever? If programs just concentrate on some "job skills" and gloss over the questions of privacy and survival in the information age, how can they ever deliver the power shift that is necessary for diversity to mean something?

Come and share your thoughts on the FSFE discussion list (join, thread and reply).

Please also see the subsequent blog on this topic, Fair communication requires mutual consent.
