Thoughts of the FSFE Community

Monday, 23 October 2017

A REUSE compliant Curl

free software - Bits of Freedom | 08:47, Monday, 23 October 2017

The REUSE initiative is aiming to make free and open source software licenses computer readable. We do this by the introduction of our three REUSE best practices, all of which seek to make it possible for a computer program to read which licenses apply to a specific software package.

In this post, I'll be introducing you to the steps I took to make cURL REUSE compliant. The work is based on a branch made about three weeks ago from the main curl Git repository. The intent here is to show the work involved in making a mid-sized software project compliant. You can read this post, and reference the Git repository (GitHub mirror) with its reuse-compliant branch to see what this looks like in practice.

The reason we decided to work on the curl code base for this demonstration is that it's a reasonably homogenous code base, has a good size for this demonstration, and has an award winning maintainer!

The first two practices in the REUSE practices, which are often the only ones relevant, introduce some clarity around the licenses applicable to each file in a repository. They ensure that for each file, regardless of what kind of file it is, there's a definite and unambiguous license statement. This statement is either in the file itself or, if that's not possible, in a standardised location where it's easy to find.

If the practices are implemented, it's possible to create utilities which easily retrieve the license applicable to a particular source code file, assemble a list of all licenses used in a source code repository, create a list of all attributions which need to go into a binary distribution, or similarly.

Here are the practices, one by one:

1. Provide the exact text of each license used

The curl repository includes code licensed under a variety of licenses, including several BSD variants. The primary license of the software is a permissive license inspired by the MIT license. REUSE practices mandate that when a software includes multiple licenses, these are all included in a directory called LICENSES/.

This practice intends to make sure each license is included in the source code, such that it can be referenced from the individual source code files. In the current curl repository, only the principal license for curl is included as a separate file. All other licenses are included in individual copyright headers.

However, the intent of the REUSE practices here is to make sure a computer can understand what the license snippet is. Merely leaving the license information in the headers doesn't really suffice. We still need a way to identify which text constitutes the license.

Adding them explicitly in the LICENSES/ folder would work for this, as we would then use the License-Filename tag (see later) to reference the explicit license relevant for a file. Another way, which is easier and cleaner in this case, is to copy over the relevant license statement to a DEP5/copyright file. The DEP5/copyright format is designed to be computer readable, and can include custom license texts, which we copy from the individual files.

So for curl, we will leave the curl license where it is, but add ancillary licenses in a computer readable way later on.

REUSE practices give the filename for the license file as LICENSE, and not COPYING. This has been amended in the next release version of the REUSE practices to allow for both common variants, and so we opt here to not change the name of the file but to leave it as COPYING.

2. Include a copyright notice and license in each file

curl is exemplary in that almost all files have a consistent header, which looks like this:

Copyright (C) 1998 - 2017, Daniel Stenberg, daniel@haxx.se, et al.

This software is licensed as described in the file COPYING, which you should have received as part of this distribution. The terms are also available at https://curl.haxx.se/docs/copyright.html.

You may opt to use, copy, modify, merge, publish, distribute and/or sell copies of the Software, and permit persons to whom the Software is furnished to do so, under the terms of the COPYING file.

This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.

The REUSE practices are explicit in that we should not change the header, but we can (and in this case should) add information to it: a reference to the license file, and an SPDX license identifier.

SPDX license identifiers aren't new, but they're starting to make inroads into larger code bases (such as the Linux kernel) for one important reason: it's far easier to parse and understand what a well-known tag with a well-known content means, than to parse a license file.

For the SPDX license identifier, curl is a special case. While the license is MIT inspired, it is not an exact copy of the MIT license. It's a free and open source software license, but we can not use the default MIT license identifier. Had the curl license not been included in the SPDX license list, we would have opted to not include an SPDX license identifier.

However, the curl license has been explicitly included in the SPDX license list with the name curl. So we use this reference in our identifier:

SPDX-License-Identifier: curl

The REUSE practices also give that we should include a reference to the license file. The reference is already there, but it doesn't make use of the REUSE practices License-Filename tag, and as such, it's not computer readable. Adding the License-Filename tag with the name of the license file will ensure tools supporting REUSE compliant source code can understand the reference to the license filename without previously having encountered the format of the curl headers.

License-Filename: COPYING

This makes the license, and the reference to the license file, very clear, and making these two additions to the copyright headers resolves the situation for the majority of included files in the repository.

It's worth noting that adding both is relevant. The License-Filename tag is more specific than the SPDX-License-Identifier and doesn't depend on an external repository to convey information, but including the SPDX-License-Identifier tag also means generic tools working with SPDX can parse the source code, regardless of whether they support the full REUSE practices or not.

We fix up the headers with the following two sed scripts (improvements welcome!):

/^# This software is distributed/,/^# KIND, either express or implied./c\
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY\
# KIND, either express or implied.\
#\
# License-Filename: COPYING\
# SPDX-License-Identifier: curl

and

/^ \* This software is distributed/,/^ \* KIND, either express or implied./c\
@*@ This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY\
@*@ KIND, either express or implied.\
@*@\
@*@ License-Filename: COPYING\
@*@ SPDX-License-Identifier: curl

We run these with:

$ find . -type f -exec sed -i -f sed-hash.script {} \;
$ find . -type f -exec sed -i -f sed-star.script {} \;
$ find . -type f -exec sed -i 's/^@\*@/ */' {} \;

(The trick with @*@ is to preserve proper formatting since sed has a tendency to want to strip spaces. Unfortunately for us, there are plenty of files with other types of comments, some starting with .\" * for man pages, others with # * and yet others with rem *, so some manual work is needed for this.)

A good way to find problems is to do a git diff and look for lines removed. Since we never intend to remove any information, but only add to it, anytime a git diff flags a line as having been removed, there's a fair chance we've done something wrong.

The curl repo includes 2783 files. Adding the SPDX license identifier and license filename to the headers leaves us with 1693 files remaining.

A lot of the remaining files concern test cases (files in tests/data) and documentation which can not include copyright headers.

The REUSE practices offer two ways of resolving this. Either add one supplementary file for each file which can not include a copyright header. Name this supplementary file FILENAME.license and include in it the standard copyright header. We don't want to do this, as it would add some 1693 additional files to the repository!

The other way is to make a single file, in this case in the DEP5/copyright file format, which documents the license of each file which can not in itself include a license header.

In a debian/copyright file, we can include license information such as:

Files: tests/data/*  
Copyright: Copyright (c) 1996 - 2017, Daniel Stenberg, <daniel@haxx.se>  
License: curl  

This allows us to get rid of a large chunk of files which can not have a header. This gets us down to about 289 files remaining, which do in one way or another require some manual processing.

For many, they can include headers, but for various reasons, this has been forgotten. This is the case for winbuild/Makefile.vc which was committed at the same time as winbuild/MakefileBuild.vc. I didn't look deeper at the commit history, but the latter includes a proper header; the former does not.

For most files which can include a copyright header, we've added the SPDX-License-Identifier and License-Filename tags to the header, but we did not add the full curl header. It would be up to the curl developers to determine whether a file should have a curl header, and if so, what to include in the header in terms of copyright information.

The case of Public Domain

lib/md4.c is in the public domain, or in the absence of this under a very simplified BSD license. There are excellent reasons for why public domain doesn't have an SPDX license identifier, so this file is left untouched. Debian has opted, in their repository, to explicitly mark the file as in the public domain. We do the same. But as the public domain is a concept which differs by jurisdiction, it is up to the final recipient to make the judgement about whether the file can be used.

Important lesson: do pick a license, even if it's a simple one, which does the same thing as dedicating a file to the public domain. Don't just slap "public domain" on a file and hope all is well.

Why we need source-level information

tests/python_dependencies/impacket/smbserver.py and related files serve a good example of why our principles ask for as much information as possible to be included in the source code files themselves. These files have the following copyright header:

# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.

Unfortunately of course, as often happens, these files have been copied without being accompanied by the corresponding LICENSE file. In fact, the curl repository contains no file at all called LICENSE, which can leave one to wonder: what does the "slightly modified" version look like?

The answer can be found by looking up the original repository from where these files were taken. It's mainly an Apache 1.1 license with "Apache" replaced by "CORE Security Technologies".

This is one situation where it is warranted to add this obviously missing license information to the repository, and update the header with a License-Filename indicating the right license file. We can not add an SPDX license identifier as there are modifications to the original license (even if they are minor).

Do note that for consistency with the header, I add the license file from the original repository in the impacket directory, and not in the top level LICENSES/ directory which the REUSE practices recommend. The location of the licenses is a SHOULD requirement, however, so we can violate it here, as long as we follow the MUST requirement of actually including all license files.

The original repository is somehow inconsistent in its licensing though. Two files, smb.py and nmb.py are indicated in the LICENSE file as being licensed under a custom license, and not the modified Apache license.

However, the individual files have headers which indicate the license is the modified Apache license, with a reference to the LICENSE file. This would ideally be clarified upstream, but since the LICENSE file includes both licenses and an explanation of the situation, referencing it from the copyright header at least ensures the recipient receives as much information as is available upstream.

OpenEvidence licensed files

curl contains a small number of files licensed by the OpenEvidence Project, using a license inspired by the OpenSSL license, but using different advertisement clauses. Specifically, in one of the files docs/examples/curlx.c (which, admittedly, is not included in the builds), the license advertisement clause is given as:

 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgments:
 *    "This product includes software developed by the OpenEvidence Project
 *    for use in the OpenEvidence Toolkit (http://www.openevidence.org/)
 *    This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (https://www.openssl.org/)"
 *    This product includes cryptographic software written by Eric Young
 *    (eay@cryptsoft.com).  This product includes software written by Tim
 *    Hudson (tjh@cryptsoft.com)."

While the license is very similar to the OpenSSL license, we can not use the OpenSSL SPDX identifier in this case, since the obligations are different. While the same can happen with the BSD licenses as well, SPDX deals with the two differently.

In BSD-4-Clause, as one example, the text representation of the license included in SPDX has a variable for the attribution requirement:

This product includes software developed by the <<var;name=organizationClause3;original=the organization;match=.+>>.  

This should then, in theory, enable the license to be matched regardless of what organisation is specified in the license, and license scanners would know to expect an organisation name in this place. The same isn't true of the OpenSSL entry in SPDX which means that OpenSSL means precisely that; OpenSSL, without any variables or deviations in the text. So it would not match against the OpenEvidence license.

For this file, we'll use, as Debian does, the convention of specifying the license "other" in the DEP5/copyright file and including the license header license text in full.

Finding the copyright holder

It's worth noting some files in curl have no author or copyright information given. Such is the case of packages/vms/curl_release_note_start.txt and related files. We can infer from the Git log who the author might be, but the REUSE practices should not be interpreted as an archaeological expedition! You have to decide for yourself the length you go to in this.

From a project perspective, it might sometimes be useful to document this, but for a project like curl, whose list of contributors is upwards of 1600 people, untangling this becomes a project as a whole, and might not even be relevant.

So the priority becomes identifying the right license for the files included. If some files are under a different license from the one covering most of the other distribution, this would be important to note. But do solve one problem at a time. Digging through to identify every single copyright holder would be time consuming, prone to errors, and in most cases not answer a problem anyone has.

3. Provide an inventory for included software, but only if you can generate it automatically.

For curl, we will deal with this practice in an easy way: we simply won't do it. Ideally, we should ship, together with curl, or generated at build time, a bill of material of included software with their copyrights and licenses marked. There are some initiatives and tooling which would be helpful in this, but currently, providing a complete inventory would be more trouble than it's worth.

If we did provide an inventory, the likelihood of it not being updated and maintained is significant. So since we can't do it automatically right now, we will not.

Parsing a REUSE compliant repository

Having passed through the REUSE practices, added the appropriate license headers and the DEP5/copyright file, where does this leave us? It leaves us in a state where finding the license of a source file included in curl is easy and can be automated.

  1. If the file includes the SPDX-License-Identifier tag, then the tag value corresponds to the license from the SPDX license list.
  2. If the file includes the License-Filename tag, then the tag value corresponds to the file containing the actual license text in the repository. This tag takes precedence over the SPDX license identifier.
  3. If there are no SPDX or License-Filename tags, look for a file with the same name with the suffix .license. If it exists and contains the tags in (1) and (2), parse them the same way as if they were included in the file itself.
  4. If there's a debian/copyright file, match the filename against it, and if found, extract the license indicated.
  5. If neither of the above works, the repository is not REUSE compliant.
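The lookup order above, written out as an added example (not code from the post or from the REUSE project). The tree it builds is constructed, and resolving a License-Filename value against the file's own directory or the repository root is an assumption based on the two layouts the post describes; DEP5 patterns are approximated with fnmatch.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Tags can follow any comment leader (" * ", "# ", ".\" * ", "rem * ").
TAG_RE = re.compile(r"(SPDX-License-Identifier|License-Filename):[ \t]*(\S[^\r\n]*)")


def read_tags(path):
    """Return {tag: value} for the REUSE tags in one file (first hit wins)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return {}
    tags = {}
    for name, value in TAG_RE.findall(text):
        tags.setdefault(name, value.strip())
    return tags


def parse_dep5(text):
    """Parse DEP5 text into [(file_patterns, license_short_name), ...]."""
    stanzas = []
    for para in re.split(r"\n[ \t]*\n", text.strip()):
        fields, key = {}, None
        for line in para.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()
                fields[key] = value.strip()
        if "files" in fields and "license" in fields:
            short_name = (fields["license"].splitlines() or [""])[0]
            stanzas.append((fields["files"].split(), short_name))
    return stanzas


def resolve_license(repo, relpath):
    """Apply the lookup order from the post; None means not REUSE compliant."""
    repo = Path(repo)
    target = repo / relpath
    sidecar = target.with_name(target.name + ".license")
    # Steps 1-3: tags in the file itself, else in FILENAME.license.
    for source, candidate in (("header", target), ("sidecar", sidecar)):
        tags = read_tags(candidate)
        if not tags:
            continue
        name = tags.get("License-Filename")
        found = None
        if name:
            # Assumption: the name is relative to the file's directory or to
            # the repository root. False flags a header whose license file
            # was never copied along (the impacket case in the post).
            found = any((base / name).is_file() for base in (target.parent, repo))
        return {"source": source, "license": tags.get("SPDX-License-Identifier"),
                "license_file": name, "license_file_found": found}
    # Step 4: debian/copyright; the last matching Files stanza applies.
    dep5 = repo / "debian" / "copyright"
    if dep5.is_file():
        matched = None
        for patterns, short_name in parse_dep5(dep5.read_text(encoding="utf-8")):
            if any(fnmatch.fnmatchcase(relpath, p) for p in patterns):
                matched = short_name
        if matched is not None:
            return {"source": "dep5", "license": matched,
                    "license_file": None, "license_file_found": None}
    return None  # Step 5: no machine-readable license information


def build_sample_repo(root):
    """Write a small constructed tree (not curl's real files) for the demo."""
    files = {
        "COPYING": "constructed stand-in for the curl license text\n",
        "lib/url.c": "/*\n * License-Filename: COPYING\n"
                     " * SPDX-License-Identifier: curl\n */\n",
        "tests/data/test1": "<testcase>no header possible</testcase>\n",
        "docs/notes.txt": "plain text without a header\n",
        "docs/notes.txt.license": "SPDX-License-Identifier: curl\n",
        "vendor/smbserver.py": "# License-Filename: LICENSE\n",
        "packages/orphan.txt": "no licensing information anywhere\n",
        "debian/copyright": "Files: tests/data/*\n"
                            "Copyright: Copyright (c) 1996 - 2017, Daniel Stenberg\n"
                            "License: curl\n",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for rel in ("lib/url.c", "tests/data/test1", "docs/notes.txt",
                    "vendor/smbserver.py", "packages/orphan.txt"):
            print(rel, "->", resolve_license(tmp, rel))
```
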

Where to next?

This has been an example and demonstration of the work involved in making a repository REUSE compliant. We will continue to review the REUSE practices and release further guidance in the future, but more importantly: we hope others will pick up this work and include support for REUSE compliant repositories in tools which serve to understand software licensing.

We're also looking forward to seeing more tools being built in general. One of our interns, Carmen, is currently working on a tool which would lead to the generation of a lint checker for REUSE compliance. That's one of many tools needed to help us on the way towards making copyrights and licenses computer readable. And computer understandable.

Sunday, 22 October 2017

Free Software Efforts (2017W42)

Planet FSFE on Iain R. Learmonth | 22:00, Sunday, 22 October 2017

Here’s my weekly report for week 42 of 2017. In this week I have replaced my spacebar, failed to replace a HDD and begun the process to replace my YubiKey.

Debian

Earlier in the week I blogged about powerline-taskwarrior. There is a new upstream version available that includes the patches I had produced for Python 2 support and I have filed #879225 to remind me to package this.

The state of emscripten is still not great, and as I don’t have the time to chase this up and I certainly don’t have the time to fix it myself, I’ve converted the ITP for csdr to an RFP.

As I no longer have the time to maintain map.debian.net, I have released this domain name and published the sources behind the service.

Tor Project

There was a request to remove the $ from family fingerprint on Atlas. These actually come from Onionoo and we have decided to fix this in Onionoo, but I did push a small fix for Atlas this week that makes sure that Atlas doesn’t care if there are $ prefixes or not.

I requested that a Trac component be created for metrics-bot. I wrote a separate post about metrics-bot.

I also attended the weekly metrics team meeting.

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

I have not had any free software related expenses this week. The current funds I have available for equipment, travel and other free software expenses remains £60.52. I do not believe that any hardware I rely on is looking at imminent failure.

I do not find it likely that I’ll be travelling to Cambridge for the miniDebConf as the train alone would be around £350 and hotel accommodation a further £600 (to include both me and Ana).

Call for sessions at the FSFE assembly during 34C3

English Planet – Dreierlei | 12:35, Sunday, 22 October 2017

From December 27 to 30, there will be the 34th Chaos Communication Congress happening in Leipzig. As in recent years, the FSFE is happy to host an assembly that includes an information booth, self-organised sessions and a meeting point for all friends of Free Software to come together, share or simply relax. This is our call for participation.

<figure class="wp-caption alignright" id="attachment_1936" style="width: 300px"><figcaption class="wp-caption-text">Free Software song sing-along at the FSFE-assembly during 33C3</figcaption></figure>

With the CCC moving from Hamburg to Leipzig, there are not only logistic changes to be done but also some organisational changes. We are still figuring out the details, but in the context of this call, one of the major changes will be the loss of free available rooms to book for self-organised sessions. Instead, assemblies that match with each other are asked to cluster around 1 of several stages and use that as a common stage for self-organized sessions together. To make the most of this situation, the FSFE will for the first time not join the Noisy Square this year but form a new neighbourhood with other freedom fighting NGOs – in particular with our friends from European Digital Rights. However, at this point of time, we do not yet have more information about the concrete or final arrangements.

Call for session

Regardless of those details that still need to be sorted out, this is our call for participation. Sessions can be inspiring talks, hands-on workshops, community/developer/strategy meetings or any other public, informative or collaborative activity.

Topics can be anything that is about or related to Free Software. We welcome technical sessions but we also encourage to give non-technical talks that address philosophical, economical or other aspects of/about Free Software. We also like sessions about related subjects that have a clear connection to Free Software for example privacy, data protection, sustainability and similar related topics. Finally, we welcome all backgrounds – from your private project to global community projects.

You have something different in mind? For our friends, it is also possible to have informal meetings, announcements or other activities at our assembly. In this case, get in contact with me (OpenPGP) and we figure it out.

<figure class="wp-caption aligncenter" id="attachment_1940" style="width: 580px"><figcaption class="wp-caption-text">Crowded room during What makes a secure mobile messenger? by Hannes Hauswedell, one of our sessions during 33C3.</figcaption></figure>

Formalities

If you are interested in hosting a session at the FSFE assembly, please apply no later than

* Sunday, November 19, 18:00 UTC *

by sending an email to Erik Albers (OpenPGP) with the subject “Session at 34C3” and use the following template:

Title: name of your session
Description: description of your session
Type: talk / discussion / meeting / workshop …
Tags: put useful tags here
Link: (if there is a helpful link)
Expected number of participants: 20 or less / up to 40 / up to 100
About yourself: some words about you/your biography

You will be informed latest on Monday, November 27, if your session is accepted.

Good to know

  • If your session is accepted we happily take care of its proper organisation, publicity and everything else that needs to be done. You are welcome to simply come and give/host your session : )
    But this is neither a guarantee for a ticket nor do we take care of your ticket! Check the CCC-announcements and get yourself a ticket in time!
  • You do not need to be a supporter of the FSFE to host a session. On the contrary, we welcome external guests.
  • Please share this call with your friends or your favorite mailing list.

Related information:

For your inspiration:

The Catalan experience

agger's Free Software blog | 09:28, Sunday, 22 October 2017

Yesterday, I went to the protest in Barcelona against the incarceration of the leaders of Omnium and ANC, two important separatist movements.

The Catalan question is complex, and there are lots of opinions on all sides. However, after speaking with a lot of people down here and witnessing a quite large demonstration – as shown in these photos – it seems clear that Catalan nationalism is *not* about excluding anyone the way Danish racism and British UKIP-ism is.

After all, Catalonia has been an immigration destination for years, and people are used to living together with two or more languages, with family members from all over Spain. The all-too-familiar right-wing obsession with Islam and the “terror threat” is conspicuously absent from Catalan politics.

And it’s not all about language or regional identity, as many Spanish-speaking people with origins in other parts of Spain wholeheartedly support Catalan independence.

Rather, it’s about a rejection of and rebellion against the Spanish state which is seen as oppressive and riddled by remnants of Francoism. The slogans were radical: “Fora les forces d’ocupació”, “out with the occupation forces!” and “the streets will always be ours!”

Indeed, for many of the young people it seems to be about getting rid of the Spanish state in order to implement a much more leftist policy on all levels of society – as one sign had it, “we’re seditious, we want to rebel and declare independence and have a revolution!” First independence, afterwards people will take charge themselves, seems to be the sentiment.

“The people rules and the government obeys!” – is another slogan. The conservative forces behind Puigdemont (the current president) may have other ideas, but for now these are the people they have allied themselves with – people who actually believe in the direct rule of the people themselves. Looking at the people present in the demo, it’s clear that it’s a really broad section of society – old and young, but everybody very peaceful and friendly. There were so many people in the streets that it was getting too much, some especially old people had to be escorted out through the completely filled streets.

The European Union may have decided that Catalans should forget all about independence for the sake of the peace of mind of everyone, but these people honestly don’t seem to give a damn.

Saturday, 21 October 2017

Using Gitea and/or Github to host blog comments

Posts on Hannes Hauswedell's homepage | 16:00, Saturday, 21 October 2017

After having moved from FSFE’s wordpress instance I thought long about whether I still want to have comments on the new blog. And how I would be able to do it with a statically generated site. I think I have found/created a pretty good solution that I document below.

How it was before

To be honest, Wordpress was a spam nightmare! I ended up excluding all non-(FSFE-)members, because it was just too difficult to get right. On the other hand I value feedback to posts so what to do?

This blog is now statically generated so it is not designed for comments anyway. The most common solution seems to be Disqus which seems to work well, but be a privacy nightmare. It hosts your comments on their server and integrates with all sorts of authentication services, of course sharing data with them et cetera. Not exposing my site visitors to tracking is very important to me and I also don’t want to advertise using your Facebook login or some such nonsense.

A good idea

However, I had vague memories of having read this article a while ago so I read up on it again:

http://donw.io/post/github-comments/

The idea is to host your comments in a GitHub bug tracker and load them dynamically via Javascript and the GitHub-API. It integrates with GoHugo, the site-generator I am also using, so I thought I’d give it a try. Please read the linked article to get a clearer picture of the idea.

Privacy improvements and other changes

It all worked rather well, but there were a few things I was unhappy with so I changed the following:

  • In addition to GitHub, it now works with Gitea, a Free Software alternative, too; this includes dynamically generating Markdown from the comments via ShowdownJS, because Gitea’s API is less powerful than GitHub’s.
  • The comments are not loaded automatically, but on-demand (so visitors don’t automatically make requests to other servers).
  • It is possible to have multiple instances of the script running, with different server types, target domains and/or repos.
  • Gracefully degrade and offer external links if no Javascript is available.
  • Some visual changes to fit with my custom theme.

You can see the results below. I am quite happy with the solution as many of my previous readers from FSFE can still use FSFE’s infrastructure to reply (in this case FSFE’s gitea instance). I expect many other visitors to have a GitHub account so they don’t need to sign up for another service. I am aware this still relies on third parties and that GitHub may at some point commodify the use of its API, but right now it is much better than to store and share the data with a company whose business model this already is. And it is optional.

And of course the blog itself will remain entirely free of Javascript!

The important files are available in this blog’s repo:

What do you think? Feel free to adapt this for your blog and thanks to Don Williamson for the original implementation!

Friday, 20 October 2017

Presenting Baobáxia at the 2017 Plone conference

agger's Free Software blog | 13:28, Friday, 20 October 2017

Today, I presented the Baobáxia project at the 2017 Plone Conference in Barcelona. Check out the slides for the talk for more information.

Thursday, 19 October 2017

KDE Edu sprint 2017 in Berlin

TSDgeos' blog | 21:29, Thursday, 19 October 2017

I had the privilege to attend the KDE Edu sprint in Berlin that happened from the 6th to the 9th of October.

There I mostly worked on the KTuberling port to Android. If you have children (or maybe if you want to feel like one for a few minutes) and an Android device please try it and give some constructive feedback ;)



Though of course that's not all we did, we also had important discussions about "What is kde edu", about how we should be involved in the "Making KDE software the #1 choice for research and academia" KDE goal and other organization stuff like whether we want a phabricator rule to send email to the kdeedu mailing list for a set of projects, etc.



Thanks go to all the people that donate to KDE e.V. that made sponsoring the trip possible, and to Endocode for hosting us and sponsoring all kind of interesting drinks and pizza on Sunday :)

FOSDEM 2018 Real-Time Communications Call for Participation

DanielPocock.com - fsfe | 08:33, Thursday, 19 October 2017

FOSDEM is one of the world's premier meetings of free software developers, with over five thousand people attending each year. FOSDEM 2018 takes place 3-4 February 2018 in Brussels, Belgium.

This email contains information about:

  • Real-Time communications dev-room and lounge,
  • speaking opportunities,
  • volunteering in the dev-room and lounge,
  • related events around FOSDEM, including the XMPP summit,
  • social events (the legendary FOSDEM Beer Night and Saturday night dinners provide endless networking opportunities),
  • the Planet aggregation sites for RTC blogs

Call for participation - Real Time Communications (RTC)

The Real-Time dev-room and Real-Time lounge is about all things involving real-time communication, including: XMPP, SIP, WebRTC, telephony, mobile VoIP, codecs, peer-to-peer, privacy and encryption. The dev-room is a successor to the previous XMPP and telephony dev-rooms. We are looking for speakers for the dev-room and volunteers and participants for the tables in the Real-Time lounge.

The dev-room is only on Sunday, 4 February 2018. The lounge will be present for both days.

To discuss the dev-room and lounge, please join the FSFE-sponsored Free RTC mailing list.

To be kept aware of major developments in Free RTC, without being on the discussion list, please join the Free-RTC Announce list.

Speaking opportunities

Note: if you used FOSDEM Pentabarf before, please use the same account/username

Real-Time Communications dev-room: deadline 23:59 UTC on 30 November. Please use the Pentabarf system to submit a talk proposal for the dev-room. On the "General" tab, please look for the "Track" option and choose "Real Time Communications devroom". Link to talk submission.

Other dev-rooms and lightning talks: some speakers may find their topic is in the scope of more than one dev-room. It is encouraged to apply to more than one dev-room and also consider proposing a lightning talk, but please be kind enough to tell us if you do this by filling out the notes in the form.

You can find the full list of dev-rooms on this page and apply for a lightning talk at https://fosdem.org/submit

Main track: the deadline for main track presentations is 23:59 UTC 3 November. Leading developers in the Real-Time Communications field are encouraged to consider submitting a presentation to the main track.

First-time speaking?

FOSDEM dev-rooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the dev-room administrators personally if you would like to ask any questions about it.

Submission guidelines

The Pentabarf system will ask for many of the essential details. Please remember to re-use your account from previous years if you have one.

In the "Submission notes", please tell us about:

  • the purpose of your talk
  • any other talk applications (dev-rooms, lightning talks, main track)
  • availability constraints and special needs

You can use HTML and links in your bio, abstract and description.

If you maintain a blog, please consider providing us with the URL of a feed with posts tagged for your RTC-related work.

We will be looking for relevance to the conference and dev-room themes, presentations aimed at developers of free and open source software about RTC-related topics.

Please feel free to suggest a duration between 20 minutes and 55 minutes but note that the final decision on talk durations will be made by the dev-room administrators based on the received proposals. As the two previous dev-rooms have been combined into one, we may decide to give shorter slots than in previous years so that more speakers can participate.

Please note FOSDEM aims to record and live-stream all talks. The CC-BY license is used.

Volunteers needed

To make the dev-room and lounge run successfully, we are looking for volunteers:

  • FOSDEM provides video recording equipment and live streaming, volunteers are needed to assist in this
  • organizing one or more restaurant bookings (depending upon number of participants) for the evening of Saturday, 4 February
  • participation in the Real-Time lounge
  • helping attract sponsorship funds for the dev-room to pay for the Saturday night dinner and any other expenses
  • circulating this Call for Participation (text version) to other mailing lists

Related events - XMPP and RTC summits

The XMPP Standards Foundation (XSF) has traditionally held a summit in the days before FOSDEM. There is discussion about a similar summit taking place on 2 February 2018. XMPP Summit web site - please join the mailing list for details.

Social events and dinners

The traditional FOSDEM beer night occurs on Friday, 2 February.

On Saturday night, there are usually dinners associated with each of the dev-rooms. Most restaurants in Brussels are not so large so these dinners have space constraints and reservations are essential. Please subscribe to the Free-RTC mailing list for further details about the Saturday night dinner options and how you can register for a seat.

Spread the word and discuss

If you know of any mailing lists where this CfP would be relevant, please forward this email (text version). If this dev-room excites you, please blog or microblog about it, especially if you are submitting a talk.

If you regularly blog about RTC topics, please send details about your blog to the planet site administrators:

  • All projects: Free-RTC Planet (http://planet.freertc.org), admin contact planet@freertc.org
  • XMPP: Planet Jabber (http://planet.jabber.org), admin contact ralphm@ik.nu
  • SIP: Planet SIP (http://planet.sip5060.net), admin contact planet@sip5060.net
  • SIP (Español): Planet SIP-es (http://planet.sip5060.net/es/), admin contact planet@sip5060.net

Please also link to the Planet sites from your own blog or web site as this helps everybody in the free real-time communications community.

Contact

For any private queries, contact us directly using the address fosdem-rtc-admin@freertc.org and for any other queries please ask on the Free-RTC mailing list.

The dev-room administration team:

Tuesday, 17 October 2017

How to feel happy using your Apple MacBook (again)

Blog – Think. Innovation. | 19:44, Tuesday, 17 October 2017

In short: wipe Mac OS and install Elementary OS. In some more words: read on.

If you are thinking: “I am feeling happy using my MacBook, what is he talking about?”, then open your calendar and make an entry for in 2 years to come back to this post. See you then!

Yes, in time your MacBook gets slow, right? Using it just does not feel as swift and smooth anymore as it once did. Everything you do is becoming a bit sluggish. Up to a point where it even becomes almost unusable. High time to go buy that new model!

But wait a minute. Your computer does not become slow at all. In fact, it is exactly as fast as it was when you bought it. Unless you have one of those MacBook’s that is still upgradeable (like I do) and you upgraded the RAM and/or HDD to SSD. Then it is even faster! Let me say it again: your MacBook does not become slow!

Then why does it feel like it is? That is because Apple is making you install updates and new versions again and again that take up ever more resources from your laptop. And you do not have a choice. Of course in the name of security, a better user experience, more features or a nicer look. But that is just what Apple tells you: in fact the company has every interest to make you feel that your ‘old’ laptop is slow, unfashionable, too heavy and in time even unusable.

And it is not just Apple that is doing this (it is always easy to pick on the famous kid), the same happens with laptops that run Windows, with tablet computers and smartphones, regardless if they are made by Apple, Samsung or pretty much any other company (FairPhone is hopefully here to stay as an enlightening counter example).

It makes perfect sense. At least, for them. Their primary responsibility is to grow profits, or more accurately, to infinitely grow shareholder value. And they use any means at their disposal to do so, as long as it has a ‘positive business case’. At one time that sounded pretty good, and we benefited from this model a long time, but at the moment it simply is not good enough anymore.

But enough with the rant already! Back to the question, how to feel happy about using your MacBook again?

It started as an experiment a few months ago. I was growing a bit bored with using my ThinkPenguin Korora laptop. A fine laptop, do not get me wrong, but not a spectacular piece of hardware. The keyboard is a bit spongy, the screen is so-so and given its all plastic dark gray and black casing, not all that eye-catching. And to be honest, even though I have deep respect for what the people at ThinkPenguin have accomplished, it did not provoke any responses from people like my FairPhone does, which is a nice conversation starter about things that matter.

So I was considering maybe going for that pretty nice looking Slimbook KDE laptop. But I found the price a bit steep, and buying a new laptop while I still have a perfectly working one, is not that environmentally conscious. In fact, I have several laptops lying around which I do not use (shame on me; want one?).

And then I saw my annoyingly ‘slow’ 2012 Apple MacBook Pro lying around and thought: would that run GNU/Linux in any acceptable way? Oh, for anyone not familiar with GNU/Linux: it is a so-called “Operating System” like Mac OS and Windows. It comes in over 500 versions (called distributions) instead of the handful that Apple and Microsoft produce. And you can find a GNU/Linux version for pretty much any computer, no matter how old it is. It is also used for servers (90% of the internet runs on it) and is even used in industrial machines.

How is the GNU/Linux company making this possible? Well, it is not, because there is no such company. GNU/Linux is so-called Open Source, which gives anyone the freedom to use, study, change and share the software. And so many people (and companies) do, resulting in a huge ecosystem that creates value for everyone involved. Needless to say the Open Source is by far the superior way to innovate and its principles are vital in the survival of humankind and this planet (perhaps you guessed it, I am a bit of a fan of Open Source).

So, I talked my wife out of continuing to use ‘my’ MacBook (it suddenly became ‘mine’ again) and convinced her that another laptop was just as good and I started the experiment (in fact: by the time I am writing this she is using ‘her’ 2009 MacBook White running GNU/Linux as well).

Coincidentally (or?) I stumbled on a fairly new distribution (version) of GNU/Linux called Elementary OS. The team of Elementary OS intends to create an elegant, stylish, yet superfast version that is perfectly suited for people familiar with Mac OS. What a coincidence indeed!

To keep things simple, I swapped the hard disk (HDD) with a new solid state drive (SSD), so it would be easy to go back to Mac OS if the experiment failed. And as a side benefit, the laptop would even be faster than it was.

Installing Elementary OS was super simple and went very smoothly. Since Elementary OS is so new, I expected it to be somewhat unstable, buggy and not actually suited for everyday use. But in fact I have been using my 2012 Apple MacBook Pro running Elementary OS for 2 months now and the system is very stable and I have been using it every day, mostly for work! And I love it! There are some small nuisances, but I found that these are smoothed out as the Elementary OS team keeps publishing updates which can be easily installed. And which do not result in a slower laptop! 😉

The transition of going from Mac OS and the familiar programs (sorry, I mean apps) you have there is perhaps an entirely new story. As I have been using Linux Mint for quite some time, I did that transition years ago. At first it was not easy, but in the end it is well worth it. Perhaps material for another blogpost? Anyone?

So, if you also want to feel happy about using your MacBook again, give Elementary OS a try! Hopefully you are fortunate enough to also still be able to swap the drives, that makes the experiment a lot easier. Otherwise, you should be a bit more careful not to mess up your Mac OS partition if you ever decide to go back.

I created a wiki page on the technical details of running Elementary OS on a 2012 MacBook Pro, you can start from there. Or if you have another model MacBook then the Arch wiki and Ubuntu forums are a great way to start. And of course you can drop me a line as well.

You can also run the beautiful Elementary OS when you are still feeling happy about your MacBook, but would like to add that warm fuzzy feeling to it that comes with using a great piece of free (as in freedom) software that was made with love by an awesome world-wide community! Sorry you had to wait 2 years for this great piece of advice.

Oh, not to forget: once you are running GNU/Linux on your laptop, putting a bunch of stickers is mandatory!

– Diderik

P.S.: If you like using Elementary OS, then consider donating. That keeps up the good work, as the volunteers making this incredible software also need food on the table. I donated EUR 25 recently. Perhaps that should become a standard yearly recurring thing?

Fiduciary License Agreement 2.0

Hook’s Humble Homepage | 19:00, Tuesday, 17 October 2017

After many years of working on it, it is with immense pleasure to see the FLA-2.0 – the full rewrite of the Fiduciary License Agreement – officially launch.

What is the FLA?

In short, the FLA is a well-balanced contributor agreement, which gives the trustee responsible for managing the rights within a FOSS project, power and responsibility to make sure the contributed software always remains free and open. This way the project, together with all the respective contributors, is protected against misuse of power by a new holder of exclusive rights.

If you are more of an audio-visual type, you can see my 15' intro at Akademy 2013 or my 5' intro at Akademy 2015 to understand the basics of the FLA. The talks are about FLA-1.2, but the basic gist of it is the same.

Reasons for update and changes

In the decade since the last update of the FLA (version 1.2, back in 2007), the world of IT has changed quite a bit and, apart from copyright, patents and trade marks have become a serious concern for FOSS projects.

For my LL.M. thesis I analysed the FLA-1.2 within its historic context and use in practice. The following topics that should be improved have been identified in the thesis:

  • include patents;
  • better compatibility with other jurisdictions (e.g. Belgium and India);
  • more practical selection of outbound licensing options;
  • usability and readability of the text itself.

Trade marks were also identified as an important issue, but not a topic a CA could fix. For that a project might want to look at the FOSSmarks website instead.

To implement the changes, there were two possibilities – either modernise the text of the FLA-1.x to meet modern needs or tweak a more modern CA to include all checks and balances of the FLA.

In the true spirit of FOSS, I decided to re-base the FLA-2.0 on the best researched CA I could find – the ContributorAgreements.org templates. Luckily, Catharina Maracke was not only merely OK with it, but very supportive as well. In fact, several of the changes that FLA brought with it trickled down into the new versions of (the rest of) the ContributorAgreements.org templates as well.

Changes inherited from ContributorAgreements.org

With simply re-basing the FLA-2.0 on the ContributorAgreements.org templates, we inherited some very cool features:

  • improved compatibility with more jurisdictions – thanks to the academic research invested already into it;
  • changed to an exclusive CLA (previously: a full-on copyright assignment, with an exclusive CLA as a fall-back) – which is both easier to manage as well as less scary to the contributors;
  • added a patent license (based on Apache CLA) – so the project itself can be protected from a potential patent troll contributing to it.

Further changes to FLA-2.0

But we did not stop there! With the combined enthusiasm of both Catharina and yours truly, as well as ample support of a number of very smart people[1], we pushed onward and introduced fixes and new features both for the FLA and the ContributorAgreements.org.

Below is a list of only the biggest ones:

  • improved both the legibility of the wording and the usability of the CA chooser;
  • compatibility with even more jurisdictions – we improved the wording even further, so it should work as expected also in countries like India and Belgium;
  • narrower list of allowed outbound licenses – i.e. intersection between Free Software and Open Source licenses (instead of Free Software OR Open Source licenses as is more common);
  • introduced more outbound licensing options:
    • any FOSS license;
    • specific FOSS license(s);
    • separate (re)licensing policy – this is particularly useful for larger and longer-standing projects such as KDE, who have (to have) their own (re)licensing policies in place.

Future plans

While the 2.0 is a huge leap forward, we do not plan to leave it at rest. We are already gathering ideas for a 2.1 update, which we plan to launch much faster than in a decade. Of course, the changes in the minor update will not be as huge either, but more fine-tuning. Still, for a legal document such as a license it is in general not a good idea to release soon and release often, so if you are in need of a well-balanced CLA, the FLA-2.0 is here and ready to be used.

hook out → blog is back online, and I’m in Prague for OSSEU. Woot²! \o/


  1. At this point I would like to humbly apologise if I left anyone out. I tried my best to list everyone. 

Monday, 16 October 2017

MiniDebConf Prishtina 2017

English – Kristi Progri | 09:18, Monday, 16 October 2017

On the 7th of October, the first mini deb conference was hosted in Prishtina, Kosova’s capital.
The MiniDebConf Prishtina was an event open to everyone, regardless of their level of knowledge about Debian or other free and open source projects. At MiniDebConf Prishtina there were organized a range of topics incidental to Debian and free software, including any free software project, Outreachy internship, privacy, security, digital rights and diversity in IT.

I was happy to be the first speaker and open the presentations with my talk: “Outreachy”

It was the first MiniDeb conf where naturally 50% of talks were held by women (without having any goals for that number) and it feels always so good when diversity in Free Software events are diverse in any perspective and happens by default.
Part of the event were also a group of women from Prizren (codergals.com). In August they successfully organized a hackathon with more than 25 women involved. The Mini DebConf was a great environment and opportunity to spread the word for Outreachy and other internships opportunities for women and people from underrepresented groups.
I was not the only one Outreachy alumni in the audience, Renata Gega was also part of the audience and speaker.
We both shared our experience and gave tips on how to make a successful application and how to explore which project was best for them and fit their level of knowledge.
I presented also the work that I did with my mentors and other Mozilla interns in my round, working for the “Diversity and Inclusion” team, how our work was structured and the product we came out with after 3 months and how it is going now.
Personally, I thought that a presentation with this topic would be with a high interest since the call for applications in Outreachy are still open and giving a hand in this moment would be helpful for everyone who aspired to have a spot.

It is definitely one of the talks that I have enjoyed the most, talking about something for which you have been working to improve and empower for the last 4 years is always a wonderful experience, where words can hardly describe the feelings I have when I see women inspired after watching examples that WOMEN CAN DO IT TOO!

See you in the next “Outreachy” experiences (hopefully next time as a mentor)

#FreeasinFreeSoftware.

Sunday, 15 October 2017

Free Software Efforts (2017W41)

Planet FSFE on Iain R. Learmonth | 22:00, Sunday, 15 October 2017

Here’s my weekly report for week 41 of 2017. In this week I have explored some Java 8 features, looked at automatic updates in a few Linux distributions and decided that actually I don’t need swap anymore.

Debian

The issue that was preventing the migration of the Tasktools Packaging Team’s mailing list from Alioth to Savannah has now been resolved.

Ana’s chkservice package that I sponsored last week has been ACCEPTED into unstable and since MIGRATED to testing.

Tor Project

I have produced a patch for the Tor Project website to update links to the Onionoo documentation now this has moved (#23802). I’ve updated the Debian and Ubuntu relay configuration instructions to use systemctl instead of service where appropriate (#23048).

When a Tor relay is less than 2 years old, an alert will now appear on Atlas to link to the new relay lifecycle blog post (#23767). This should hopefully help new relay operators understand why their relay is not immediately fully loaded but instead it takes some time to ramp up.

I have gone through the tickets for Tor Cloud and did not find any tickets that contain any important information that would be useful to someone reviving the project. I have closed out these tickets and the Tor Cloud component no longer has any non-closed tickets (#7763, #8544, #8768, #9064, #9751, #10282, #10637, #11153, #11502, #13391, #14035, #14036, #14073, #15821).

I’ve continued to work on turning the Atlas application into an integrated part of Tor Metrics (#23518) and you can see some progress here.

Finally, I’ve continued hacking on a Twitter bot to tweet factoids about the public Tor network and you can now enjoy some JavaDoc documentation if you’d like to learn a little about its internals. I am still waiting for a git repository to be created (#23799) but will be publishing the sources shortly after that ticket is actioned.

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

I have not had any free software related expenses this week. The current funds I have available for equipment, travel and other free software expenses remains £60.52. I do not believe that any hardware I rely on is looking at imminent failure.

I’d like to thank Digital Ocean for providing me with further credit for their platform to support my open source work.

I do not find it likely that I’ll be travelling to Cambridge for the miniDebConf as the train alone would be around £350 and hotel accommodation a further £600 (to include both me and Ana).

Secure and flexible backup server with dm-crypt and btrfs

Seravo | 17:29, Sunday, 15 October 2017

In our previous article we described an ideal setup for a modern server with btrfs for flexibility and redundancy. In this article we describe another kind of setup that is ideal only for a backup server. For a backup server redundancy and high availability are not important, but instead maximal disk space capacity and the […]

Tuesday, 10 October 2017

Automatic Updates

Planet FSFE on Iain R. Learmonth | 18:00, Tuesday, 10 October 2017


We have instructions for setting up new Tor relays on Debian. The only time the word “upgrade” is mentioned here is:

Be sure to set your ContactInfo line so we can contact you if you need to upgrade or something goes wrong.

This isn’t great. We should have some decent instructions for keeping your relay up to date too. I’ve been compiling a set of documentation for enabling automatic updates on various Linux distributions, here’s a taste of what I have so far:


Debian

Make sure that unattended-upgrades is installed and then enable the installation of updates (as root):

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Fedora 22 or later

Beginning with Fedora 22, you can enable automatic updates via:

dnf install dnf-automatic

In /etc/dnf/automatic.conf set:

apply_updates = yes

Now enable and start automatic updates via:

systemctl enable dnf-automatic.timer
systemctl start dnf-automatic.timer

(Thanks to Enrico Zini I know all about these timer units in systemd now.)

RHEL or CentOS

For CentOS, RHEL, and older versions of Fedora, the yum-cron package is the preferred approach:

yum install yum-cron

In /etc/yum/yum-cron.conf set:

apply_updates = yes

Enable and start automatic updates via:

systemctl enable yum-cron.service
systemctl start yum-cron.service

I’d like to collect together instructions also for other distributions (and *BSD and Mac OS). Atlas knows which platform a relay is running on, so there could be a link in the future to some platform specific instructions on how to keep your relay up to date.
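As an added example (not part of the original post or of the Tor Project's instructions), the script below checks whether the settings from the three sections above are actually in effect, including the case where the configuration says yes but the systemd unit was never enabled. The ROOT variable, the function names and the status words are assumptions of this example, and only the flat APT::Periodic form is parsed.

```shell
#!/bin/sh
# Added example: audit the automatic-update settings described above.
# ROOT (an assumption of this example) lets the audit run against a mounted
# image or a copy of /etc instead of the live system.
ROOT="${ROOT:-/}"

# Print the last value assigned to KEY ($2) in an INI-style FILE ($1),
# skipping commented-out lines and trailing comments.
ini_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Boolean spellings accepted as "true" in dnf-style configuration files.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the last APT::Periodic::<KEY> value found in apt.conf.d.
# Files are read in lexical order, so a later file overrides an earlier one.
# Only the flat 'APT::Periodic::Key "value";' form is recognised.
apt_periodic() {
    cat "$ROOT"/etc/apt/apt.conf.d/* 2>/dev/null |
        sed -n "s/^[[:space:]]*APT::Periodic::$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# Is the systemd unit enabled, i.e. will it come back after a reboot?
unit_enabled() {
    if [ "$ROOT" = "/" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl is-enabled --quiet "$1" 2>/dev/null
        return $?
    fi
    # Offline tree: "systemctl enable" leaves a link under <target>.wants/.
    for link in "$ROOT"/etc/systemd/system/*.wants/"$1"; do
        [ -e "$link" ] || [ -L "$link" ] && return 0
    done
    return 1
}

# Debian: both the package-list refresh and the unattended upgrade must be on.
check_debian() {
    [ -d "$ROOT/etc/apt/apt.conf.d" ] || { echo absent; return 0; }
    lists=$(apt_periodic Update-Package-Lists)
    upgrade=$(apt_periodic Unattended-Upgrade)
    case "$lists:$upgrade" in
        :*|*:|0:*|*:0) echo config-off ;;
        *) echo enabled ;;
    esac
}

# Fedora / RHEL / CentOS: $1 = config file, $2 = systemd unit.
check_unit_config() {
    [ -e "$ROOT$1" ] || { echo absent; return 0; }
    if ! is_yes "$(ini_value "$ROOT$1" apply_updates)"; then
        echo config-off      # updates are at most downloaded, never applied
    elif ! unit_enabled "$2"; then
        echo unit-off        # configured, but nothing will run it after a reboot
    else
        echo enabled
    fi
}

audit_updates() {
    echo "unattended-upgrades: $(check_debian)"
    echo "dnf-automatic: $(check_unit_config /etc/dnf/automatic.conf dnf-automatic.timer)"
    echo "yum-cron: $(check_unit_config /etc/yum/yum-cron.conf yum-cron.service)"
}

audit_updates
```

On a live Debian system, apt-config dump shows the effective APT::Periodic values, including any set in the nested block form that this script does not parse.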

Sunday, 08 October 2017

Free Software Efforts (2017W40)

Planet FSFE on Iain R. Learmonth | 22:00, Sunday, 08 October 2017

Here’s my weekly report for week 40 of 2017. In this week I have looked at censorship in Catalonia and had my “deleted” Facebook account hacked (which made HN front page). I’ve also been thinking about DRM on the web.

Debian

I have prepared and uploaded fixes for the measurement-kit and hamradio-maintguide packages.

I have also sponsored uploads for gnustep-base (to experimental) and chkservice.

I have given DM upload privileges to Eric Heintzmann for the gnustep-base package as he has shown to care for the GNUstep packages well. In the near future, I think we’re looking at a transition for gnustep-{base,back,gui} as these packages all have updates.

Bugs filed: #877680

Bugs closed (fixed/wontfix): #872202, #877466, #877468

Tor Project

This week I have participated in a discussion around renaming the “Operations” section of the Metrics website.

I have also filed a new ticket on Atlas, which I am planning to implement, to link to the new relay lifecycle post on the Tor Project blog if a relay is less than a week old to help new relay operators understand the bandwidth usage they’ll be seeing.

Finally, I’ve been hacking on a Twitter bot to tweet factoids about the public Tor network. I’ve detailed this in a separate blog post.

Bugs closed (fixed/wontfix): #23683

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

I have not had any free software related expenses this week. The current funds I have available for equipment, travel and other free software expenses remains £60.52. I do not believe that any hardware I rely on is looking at imminent failure.

A step change in managing your calendar, without social media

DanielPocock.com - fsfe | 17:36, Sunday, 08 October 2017

Have you been to an event recently involving free software or a related topic? How did you find it? Are you organizing an event and don't want to fall into the trap of using Facebook or Meetup or other services that compete for a share of your community's attention?

Are you keen to find events in foreign destinations related to your interest areas to coincide with other travel intentions?

Have you been concerned when your GSoC or Outreachy interns lost a week of their project going through the bureaucracy to get a visa for your community's event? Would you like to make it easier for them to find the best events in the countries that welcome and respect visitors?

In many recent discussions about free software activism, people have struggled to break out of the illusion that social media is the way to cultivate new contacts. Wouldn't it be great to make more meaningful contacts by attending a more diverse range of events rather than losing time on social media?

Making it happen

There are already a number of tools (for example, Drupal plugins and Wordpress plugins) for promoting your events on the web and in iCalendar format. There are also a number of sites like Agenda du Libre and GriCal who aggregate events from multiple communities where people can browse them.

How can we take these concepts further and make a convenient, compelling and global solution?

Can we harvest event data from a wide range of sources and compile it into a large database using something like PostgreSQL or a NoSQL solution or even a distributed solution like OpenDHT?

Can we use big data techniques to mine these datasources and help match people to events without compromising on privacy?

Why not build an automated iCalendar "to-do" list of deadlines for events you want to be reminded about, so you never miss the deadlines for travel sponsorship or submitting a talk proposal?

I've started documenting an architecture for this on the Debian wiki and proposed it as an Outreachy project. It will also be offered as part of GSoC in 2018.

Ways to get involved

If you would like to help this project, please consider introducing yourself on the debian-outreach mailing list and helping to mentor or refer interns for the project. You can also help contribute ideas for the specification through the mailing list or wiki.

Mini DebConf Prishtina 2017

This weekend I've been at the MiniDebConf in Prishtina, Kosovo. It has been hosted by the amazing Prishtina hackerspace community.

Watch out for future events in Prishtina, the pizzas are huge, but that didn't stop them disappearing before we finished the photos:

Tor Relays on Twitter

Planet FSFE on Iain R. Learmonth | 14:00, Sunday, 08 October 2017

A while ago I played with a Twitter bot that would track radio amateurs using a packet radio position reporting system, tweet their location and a picture from Flickr that was taken near to their location and a link to their packet radio activity on aprs.fi. It’s really not that hard to put these things together and they can be a lot of fun. The tweets looked like this:


This isn’t about building a system that serves any critical purpose, it’s about fun. As the radio stations were chosen essentially at random, there could be some cool things showing up that you wouldn’t otherwise have seen. Maybe you’d spot a callsign of a station you’ve spoken to before on HF or perhaps you’d see stations in areas near you or in cool places.

On Friday evening I took a go at hacking together a bot for Tor relays. The idea being to have regular snippets of information from the Tor network and perhaps you’ll spot something insightful or interesting. Not every tweet is going to be amazing, but it wasn’t running for very long before I spotted a relay very close to its 10th birthday:


The relays are chosen at random, and tweet templates are chosen at random too. So far, tweets about individual relays can be about age or current bandwidth contribution to the Tor network. There are also tweets about how many relays run in a particular autonomous system (again, chosen at random) and tweets about the total number of relays currently running. The total relays tweets come with a map:


The maps are produced using xplanet. The Earth will rotate to show the current side in daylight at the time the tweet is posted.

Unfortunately, the bot currently cannot tweet as the account has been suspended. You should still be able to though and tweets will begin appearing again once I’ve resolved the suspension.

I plan to rewrite the mess of cron-activated Python scripts into a coherent Python (maybe Java) application and publish the sources soon. There are also a number of new templates for tweets I’d like to explore, including number of relays and bandwidth contributed per family and statistics on operating system diversity.

Update (2017-10-08): The @TorAtlas account should now be unsuspended.

Saturday, 07 October 2017

Twitter for Websites

Planet FSFE on Iain R. Learmonth | 14:00, Saturday, 07 October 2017

In yesterday’s post, I tried out the Hugo shortcode for embedding tweets from Twitter.

After having gone to some effort to remove external assets from my website, it’s not great that this shortcode will automatically include JavaScript from the Twitter website. The way that Twitter for Websites seems to work is that the JavaScript provides enhancement but the JavaScript is not required for the content to work. This is great, as it means that content still works when syndicated on planets or viewed in an RSS reader or through a text-only browser.

I haven’t looked at the JavaScript in detail yet, but I did see that there is an option for websites to opt-out of tracking for all users loading the JavaScript as a result of visiting that website. All you need to do is include the following <meta> tag on any page that uses the Twitter widgets.js:

<meta name="twitter:dnt" content="on">

To be safe, I’m including this on every page generated as part of my Hugo site.

In the past, Twitter used to honour the Do Not Track setting in browsers but have now replaced this with granular controls which make it more difficult to generally opt-out of tracking. While I think I trust that the twitter:dnt value will be honoured for now, I don’t believe it will be forever.

I’m thinking about writing a cut-down widgets.js that maybe isn’t as functional but could be self-hosted. This would also allow for it to be fetched via an Onion service. If this already exists, you’ve found another solution, or would like to collaborate on a solution then please let me know.

Thursday, 05 October 2017

Building an IoT dashboard with NASA Open MCT

Henri Bergius | 00:00, Thursday, 05 October 2017

One important aspect of any Internet of Things setup is being able to collect and visualize data for analysis. Seeing trends in sensor readings over time can be useful for identifying problems, and for coming up with new ways to use the data.

We wanted an easy solution for this for the c-base IoT setup. Since the c-base backstory is that of a crashed space station, using space technology for this made sense.

OpenMCT view on c-base

NASA Open MCT is a framework for building web-based mission control tools and dashboards that they’ve released as open source. It is intended for bringing together tools and both historical and real-time data, as can be seen in their Mars Science Laboratory dashboard demo.

c-beam telemetry server

As a dashboard framework, Open MCT doesn’t really come with batteries included. You get a bunch of widgets and library functionality, but out of the box there is no integration with data sources.

However, they do provide a tutorial project for integrating data sources. We started with that, and built the cbeam-telemetry-server project which gives a very easy way to integrate Open MCT with an existing IoT setup.

With the c-beam telemetry server we combine Open MCT with the InfluxDB timeseries database and the MQTT messaging bus. This gives a “turnkey” setup for persisting and visualizing IoT information.

Getting started

The first step is to install the c-beam telemetry server. If you want to do a manual setup, first install a MQTT broker, InfluxDB and Node.js. Optionally you can also install CouchDB for sharing custom dashboard layouts between users.

Then just clone the c-beam telemetry server repo:

$ git clone https://github.com/c-base/cbeam-telemetry-server.git

Install the dependencies and build Open MCT with:

$ npm install

Now you should be able to start the service with:

$ npm start

Running with Docker

There is also an easier way to get going: we provide pre-built Docker images of the c-beam telemetry server for both x86 and ARM.

There are also docker-compose configuration files for both environments. To install and start the whole service with all its dependencies, grab the docker-compose.yml file (or the Raspberry Pi 3 version) and start with:

$ docker-compose up -d

We’re building these images as part of our continuous integration pipeline (ARM build with this recipe), so they should always be reasonably up-to-date.

Configuring your data

The next step is to create a JavaScript configuration file for your Open MCT. This is where you need to provide a “dictionary” listing all data you want your dashboard to track.

Data sets are configured like the following (configuring a temperature reading tracked for the 2nd floor):

var floor2 = new app.Dictionary('2nd floor', 'floor2');
floor2.addMeasurement('temperature', 'floor2_temperature', [
  {
    units: 'degrees',
    format: 'float'
  }
], {
  topic: 'bitraf/temperature/1'
});

You can have multiple dictionaries in the same Open MCT installation, allowing you to group related data sets. Each measurement needs to have a name and a unit.

Getting data in

In the example above we also supply a MQTT topic to read the measurement from. Now sending data to the dashboard is as easy as writing numbers to that MQTT topic. On command-line that would be done with:

$ mosquitto_pub -t bitraf/temperature/1 -m 27.3

If you were running the telemetry server when you sent that message, you should’ve seen it appear in the appropriate dashboard.

Bitraf temperature graph with Open MCT

There are MQTT libraries available for most programming languages, making it easy to connect existing systems with this dashboard.

The telemetry server is also compatible with our MsgFlo framework, meaning that you can also configure the connections between your data sources and Open MCT visually in Flowhub.

This makes it possible to utilize the existing MsgFlo libraries for implementing data sources. For example, with msgflo-arduino you can transmit sensor data from Tiva-C or NodeMcu microcontrollers to the dashboard.

Status and how you can help

The c-beam telemetry server is currently in production use in a couple of hackerspaces, and seems to run quite happily.

We’d love to get feedback from other deployments!

If you’d like to help with the project, here are couple of areas that would be great:

  • Adding tests to the project
  • Implementing downsampling of historical data
  • Figuring out ways to control IoT devices via the dashboard (so, to write to MQTT instead of just reading)

Please file issues or make pull requests to the repository.

Wednesday, 04 October 2017

MAC Catching

Planet FSFE on Iain R. Learmonth | 08:00, Wednesday, 04 October 2017

As we walk around with mobile phones in our pockets, there are multiple radios each with identifiers that can be captured and recorded just through their normal operation. Bluetooth and Wifi devices have MAC addresses and can advertise their presence to other devices merely by sending traffic, or by probing for devices to connect to if they’re not connected.

I found a simple tool, probemon that allows for anyone with a wifi card to track who is at which location at any given time. You could deploy a few of these with Raspberry Pis or even go even cheaper with a number of ESP8266.

In the news recently was a report from TfL about their WiFi data collection. Sky News reported that TfL “plans to make £322m by collecting data from passengers’ mobiles”. TfL have later denied this but the fact remains that collecting this data is trivial.

I’ve been thinking about ideas for spoofing mass amounts of wireless devices making the collected data useless. I’ve found that people have had success in using Scapy to forge WiFi frames. When I have some free time I plan to look into some kind of proof-of-concept for this.

On the underground, this is the way to do this, but above ground I’ve also heard of systems that use the TMSI from 3G/4G, not WiFi data, to identify mobile phones. You’ll have to be a bit more brave if you want to forge these (please do not, unless using alternative licensed frequencies, you may interfere with mobile service and prevent 999 calls).

If you wanted to spy on mobile phones near to you, you can do this with the gr-gsm package now available in Debian.

Tuesday, 03 October 2017

Facebook Lies

Planet FSFE on Iain R. Learmonth | 12:00, Tuesday, 03 October 2017

In the past, I had a Facebook account. Long ago I “deleted” this account through the procedure outlined on their help pages. In theory, 14 days after I used this process my account would be irrevocably gone. This was all lies.

My account was not deleted and yesterday I received an email:

[Screenshot of the email I received from Facebook]

It took me a moment to figure it out, but what had happened here is someone had logged into my Facebook account using my email address and password. Facebook simply reactivated the account, which had not had its data deleted, as if I had logged in.

This was possible because:

  1. Facebook was clinging to the hope that I would like to return
  2. The last time I used Facebook I didn’t know what a password manager was and was using the same password for basically everything

When I logged back in, all I needed to provide to prove I was me was my date of birth. Given that old Facebook passwords are readily available from dumps (people think their accounts are gone, so why should they be changing their passwords?) and my date of birth is not secret either, this is not great.

I followed the deletion procedure again and in 2 weeks (you can’t immediately request deletion apparently) I’ll check to see if the account is really gone. I’ve updated the password so at least the deletion process can’t be interrupted by whoever has that password (probably lots of people - it’ll be in a ton of dumps where databases have been hacked).

If it’s still not gone, I hear you can just post obscene and offensive material until Facebook deletes you. I’d rather not have to take that route though.

If you’re interested to see if you’ve turned up in a hacked database dump yourself, I would recommend hibp.

Update (2017-10-04): Thanks for all the comments. Sorry I haven’t been able to reply to all of them. Discussion around this post occurred at Hacker News if you would like to read more there. You can also read about a similar, and more frustrating, case that came up in the HN discussion.

Monday, 02 October 2017

CopyCamp: Public Money, Public Code

Posts - Carmen Bianca Bakker | 00:00, Monday, 02 October 2017

This weekend, I attended CopyCamp in Warsaw. I arrived in a hurry and on a whim, because I was substituting for someone who could not attend last-minute.

Erik Da Silva and I together held a talk on the FSFE’s latest campaign, «Public Money, Public Code». It is a campaign that postulates that software used or created by public institutions ought to become Free Software and available to the public that paid for it.

As part of the campaign, we compiled an open letter that will be sent to representatives in the European Parliament and in national parliaments. You can sign the open letter to add your support:

Click

I have uploaded the talk here ☺:

https://www.carmenbianca.eu/videos/copycamp-pmpc.webm

Sunday, 01 October 2017

Free Software Efforts (2017W39)

Planet FSFE on Iain R. Learmonth | 22:00, Sunday, 01 October 2017

Here’s my weekly report for week 39 of 2017. In this week I have travelled to Berlin and caught up on some podcasts in doing so. I’ve also had some trouble with the RSS feeds on my blog but hopefully this is all fixed now.

Thanks to Martin Milbret I now have a replacement for my dead workstation, an HP Z600, and there will be a blog post about this new set up to come next week. Thanks also to Sýlvan and a number of others that made donations towards getting me up and running again. A breakdown of the donations and expenses can be found at the end of this post.

Debian

Two of my packages, measurement-kit from OONI and python-azure-devtools (used to build the Azure Python SDK, packaged as python-azure), have been accepted by ftp-master into Debian’s unstable suite.

I have also sponsored uploads for comptext, comptty, fllog, flnet and gnustep-make.

I had previously encouraged Eric Heintzmann to become a DM and I have given him DM upload privileges for the gnustep-make package as he has shown to care for the GNUstep packages well.

Bugs closed (fixed/wontfix): #875125 [1], #875126 [1], #861753, #873083

Tor Project

My Tor Project contributions this week were primarily attending the Tor Metrics meeting which I have reported on in a separate blog post.

Sustainability

I believe it is important to be clear not only about the work I have already completed but also about the sustainability of this work into the future. I plan to include a short report on the current sustainability of my work in each weekly report.

The replacement workstation arrived on Friday and is now up and running. In total I received £308.73 in donations and spent £36.89 on video adapters and £141.94 on replacement hard drives for my NAS (which includes my local Debian mirror and backups).

For the Tor Metrics meeting in Berlin, Tor Project paid my flights and accommodation and I paid only for ground transport and food myself. The total cost for ground transport during the trip was £45.92 (taxi to airport, 1 Tageskarte) and total cost for food was £23.46.

The current funds I have available for equipment, travel and other free software expenses is now £60.52. I do not believe that any hardware I rely on is looking at imminent failure.


  1. Fixed by a sponsored upload, not by my changes

Sorry for Spain

TSDgeos' blog | 21:17, Sunday, 01 October 2017

Today the Spanish police has committed in Catalonia what can only be described as barbarism.

Beware of the videos, they may hurt your feelings.

They have hit people on the street and fought Catalan police over it https://twitter.com/jaumeclotet/status/914484855450333184
They have hit people sitting on stairs https://twitter.com/LaVanguardia/status/914447807754448896
They have hit old ladies https://twitter.com/asiercorc/status/914395993193504768
They have hit people standing on the street https://twitter.com/julia_otero/status/914466508570595329
Did I mention they hit people on the street? https://twitter.com/isaacfcorrales/status/914508531654676480
They also hit someone that was already injured and walking away https://twitter.com/Ulldebou1/status/914497525033390080
They have broken (on purpose) all the fingers of a woman that was already on the floor https://twitter.com/hectorjuanatey/status/914538706299707392
They have hit some more people https://twitter.com/QuicoSalles/status/914504909508218880
They have hit firefighters https://twitter.com/Jorfs_/status/914482953954177024

Currently we're officially speaking of more than 800 injured people https://twitter.com/emergenciescat/status/914584719060275200 but I wouldn't be surprised if the count was much higher.

Meanwhile a dude voting wrapped in a spanish+bull flag gets a round of clapping https://twitter.com/JoseJPriego/status/914485977158209536

And I'm saying sorry for Spain, because it's obvious that after today Catalonia will leave Spain, sooner or later but it's going to happen, but the rest of Spain will have to live with these beasts ingrained in their police and politics.

Sorry and good luck.

Saturday, 30 September 2017

HTML presentations as OER from Org mode with Emacs

Jens Lechtenbörger » English | 13:04, Saturday, 30 September 2017

This post has an exceptional topic given the main theme of my blog, but I’d like to advertise and share what I created during summer term 2017, supported by a fellowship for innovation in digital university teaching funded by the Ministry of Innovation, Science and Research of the State of North Rhine-Westphalia, Germany, and Stifterverband.

I switched my course on Operating Systems from more traditional lectures to Just-in-Time Teaching (JiTT; see here for the Wikipedia entry) as teaching and learning strategy, where students prepare class meetings at home. In a nutshell, students work through educational resources (texts, presentations, videos, etc.) on their own and submit solutions to pre-class assignments. Students’ solutions are corrected prior to class meetings to identify misunderstandings and incorrect prior beliefs. Based on those findings, class meetings are adjusted just-in-time to create a feedback loop with increased students’ learning.

As part of the course preparations, I adopted a different textbook, namely “Operating Systems and Middleware: Supporting Controlled Interaction” by Max Hailperin, whose LaTeX sources are available under a Creative Commons license on GitHub, and I decided to publish my teaching and learning material as Open Educational Resources (OER).

I briefly experimented with LaTeX with the Beamer package and LibreOffice Impress to create slides with embedded audio, but eventually I decided to go for the HTML presentation framework reveal.js. To simplify creation of such presentations, I developed my own infrastructure, whose main part, emacs-reveal, is available as free software on GitLab and satisfies the following requirements:

  • Self-contained presentations embedding audio, usable on lots of (including mobile and offline) devices with free software
  • Separation of layout and content for ease of creation and collaboration
  • Text format for diff and merge for ease of collaboration

Technically, presentations are written down in Org mode. The recommended editor to do so is, of course, GNU Emacs. In theory, you could use other editors because HTML presentations are generated from Org files, and you are free to use my infrastructure on GitLab (which, under the hood, is based on a Docker image containing Emacs and other necessary software).

You can find the source files for my presentations on Operating Systems on GitLab. The resulting presentations on Operating Systems as OER are published as GitLab Pages.

I created a Howto on GitLab explaining the use of emacs-reveal based on a simple presentation. The Org file of that Howto is translated by a so-called CI runner into an HTML presentation whenever changes are committed. The resulting presentation is then published as Howto on emacs-reveal as GitLab Page.

I hope this to be useful for somebody else’s talks or teaching as well.

Breaking RSS Change in Hugo

Planet FSFE on Iain R. Learmonth | 12:00, Saturday, 30 September 2017

My website and blog are managed by the static site generator Hugo. I’ve found this to be a stable and flexible system, but at the last upgrade a breaking change has occurred that broke the syndication of my blog on various planets.

At first I thought perhaps with my increased posting rate the planets were truncating my posts but this was not the case. The problem was in Hugo pull request #3129 where for some reason they have changed the RSS feed to contain only a “lead” instead of the full article.

I’ve seen other content management systems offer a similar option but at least they point out that it’s truncated and offer a “read more” link. Here it just looks like I’m publishing truncated unfinished really short posts.

If you take a look at the post above, you’ll see that the change is in an embedded template and it took a little reading the docs to work out how to revert the change. The steps are actually not that difficult, but it’s still annoying that the change occurred.

In a Hugo site, you will have a layouts directory that will contain your overrides from your theme. Create a new file in the path layouts/_default/rss.xml (you may need to create the _default directory) with the following content:

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>{{ if eq  .Title  .Site.Title }}{{ .Site.Title }}{{ else }}{{ with .Title }}{{.}} on {{ end }}{{ .Site.Title }}{{ end }}</title>
    <link>{{ .Permalink }}</link>
    <description>Recent content {{ if ne  .Title  .Site.Title }}{{ with .Title }}in {{.}} {{ end }}{{ end }}on {{ .Site.Title }}</description>
    <generator>Hugo -- gohugo.io</generator>{{ with .Site.LanguageCode }}
    <language>{{.}}</language>{{end}}{{ with .Site.Author.email }}
    <managingEditor>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</managingEditor>{{end}}{{ with .Site.Author.email }}
    <webMaster>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</webMaster>{{end}}{{ with .Site.Copyright }}
    <copyright>{{.}}</copyright>{{end}}{{ if not .Date.IsZero }}
    <lastBuildDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</lastBuildDate>{{ end }}
    {{ with .OutputFormats.Get "RSS" }}
        {{ printf "<atom:link href=%q rel=\"self\" type=%q />" .Permalink .MediaType | safeHTML }}
    {{ end }}
    {{ range .Data.Pages }}
    <item>
      <title>{{ .Title }}</title>
      <link>{{ .Permalink }}</link>
      <pubDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</pubDate>
      {{ with .Site.Author.email }}<author>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</author>{{end}}
      <guid>{{ .Permalink }}</guid>
      <description>{{ .Content | html }}</description>
    </item>
    {{ end }}
  </channel>
</rss>

If you like my new Hugo theme, please let me know and I’ll bump tidying it up and publishing it further up my todo list.

Friday, 29 September 2017

Tor Metrics Team Meeting in Berlin

Planet FSFE on Iain R. Learmonth | 14:00, Friday, 29 September 2017

We had a meeting of the Metrics Team in Berlin yesterday to organise a roadmap for the next 12 months. This roadmap isn’t yet finalised as it will now be taken to the main Tor developers meeting in Montreal where perhaps there are things we thought were needed but aren’t, or things that we had forgotten. Still we have a pretty good draft and we were all quite happy with it.

We have updated tickets in the Metrics component on the Tor trac to include either “metrics-2017” or “metrics-2018” in the keywords field to identify tickets that we expect to be able to resolve either by the end of this year or by the end of next year (again, not yet finalised but should give a good idea). In some cases this may mean closing the ticket without fixing it, but only if we believe that either the ticket is out of scope for the metrics team or that it’s an old ticket and no one else has had the same issue since.

Having an in-person meeting has allowed us to have easy discussion around some of the more complex tickets that have been sitting around. In many cases these are tickets where we need input from other teams, or perhaps even just reassigning the ticket to another team, but without a clear plan we couldn’t do this.

My work for the remainder of the year will be primarily on Atlas where we have a clear plan for integrating with the Tor Metrics website, and may include some other small things relating to the website.

I will also be triaging the current Compass tickets as we look to shut down compass and integrate the functionality into Atlas. Compass specific tickets will be closed but some tickets relating to desirable functionality may be moved to Atlas with the fix implemented there instead.

Wednesday, 27 September 2017

REUSE templates and examples

free software - Bits of Freedom | 14:01, Wednesday, 27 September 2017

The FSFE's REUSE initiative, in which we're encouraging the uptake of practices which enable computer-readable licensing and copyright information is progressing well. In the next couple of days, I'll be working on implementing these practices for a few different projects I know of, to make some examples for what a project needs to do to adhere to the REUSE practices and get a nice REUSE compliant badge!

What we've already done is to create three different Git repositories, each of which is REUSE compliant, and which demonstrate different parts of the REUSE practices. You can already have a look at them here, here and here. Here's more information about each one:

Simple Hello

https://git.fsfe.org/reuse/simple-hello/

This repository contains perhaps the simplest example of a REUSE compliant program. It has a single source code file, a single license and copyright holder. As you can see if you browse it, it has a single LICENSE file, which contains a copy of the license, the GPLv3 in this case.

The LICENSE file is unchanged and used in verbatim format, which makes it possible to get an MD5/SHA1 hash of it to verify it has not been changed from the original.

There's no way to include a reasonable comment in a Markdown file, so rather than placing the license header in the README.md file, we place it separately, in README.md.license. The format of the header follows a standard format and is the same also in the src/server.js source code file.

What's important to keep in mind is that aside from having a consistent style, each header also includes the SPDX-License-Identifier tag which signals which license the file is covered by, and the License-Filename tag which gives a reference to the exact license file in use (relative to the project root).

And that's pretty much it! This is a simple, REUSE compliant, project. It may not look like much, but this is now a project which any software tool supporting the REUSE practices can understand.

Included Hello

https://git.fsfe.org/reuse/included-hello/

Building on the simple version before it, this repository looks much the same. The difference is that there are two different licenses involved. The src/index.js file is licensed under an MIT license, and the README.md under GPLv3. Since two license files are involved, we put both of them in the LICENSES/ directory and make sure to explicitly refer to them from the source files.

SPDX Hello

https://git.fsfe.org/reuse/spdx-hello/

The final practice recommended by the REUSE project is to use the best available information in a repository and automatically create an SPDX file with license and copyright information. You should never try to do this manually: the SPDX file gets very difficult to update if you do it manually, and generating it automatically is the only sensible way to make sure it's continuously updated.

The SPDX Hello example is a repository which does exactly this. It's extraordinarily hack-ish and will break on anything which doesn't look exactly like the example, but it may serve as inspiration for further work.

The repository uses two hooks, a pre-commit and a post-commit, which anyone with commit access to the repository must make sure to enable. On each commit, the post-commit hook uses the lint-bom program from https://git.fsfe.org/reuse/lint/ (this is the very hackish part), which goes through all included files, picks out the license headers, looks at the SPDX-License-Identifier and License-Filename tags and assembles what is meant to be a complete SPDX file.

Since this is run automatically on each commit, it should always be accurate. In practice, you would want to do more than this repository does. You may want to verify the SPDX file after creation, look into adding concluded license information, and adding more metadata to the SPDX file than what I currently have.

But this is still a functional example of what we hope REUSE will lead to: repositories, big and small, with copyrights and licenses which can be read not only by humans, but by computers too!
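
The header scan described in this post (read each file's SPDX-License-Identifier and License-Filename tags, fall back to a .license sidecar, and check the referenced license text by hash), sketched as an added example; it is not the lint-bom code. It uses SHA-256 rather than MD5/SHA1, and the status names, sample tree and reference license texts are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The two tags the post describes; each value is assumed to be one whitespace-free token.
TAG_RE = re.compile(r"\b(SPDX-License-Identifier|License-Filename):[ \t]*(\S+)")
HEADER_BYTES = 4096  # assumption: headers sit near the top of the file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_header_tags(path: Path) -> dict:
    """Collect tags from '<name>.license' (if present), then from the file itself."""
    tags = {}
    for source in (path.with_name(path.name + ".license"), path):
        if source.is_file():
            text = source.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
            tags.update(TAG_RE.findall(text))
    return tags


def resolve_license(root: Path, rel: str):
    """Resolve License-Filename against the project root; refuse paths that leave it."""
    root = root.resolve()
    target = (root / rel).resolve()
    if root not in target.parents or not target.is_file():
        return None
    return target


def scan(root: Path, reference_hashes: dict) -> dict:
    """Map each source file (POSIX path relative to root) to a compliance status."""
    statuses = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # License texts and sidecar headers are not themselves checked.
        if rel == "LICENSE" or rel.startswith("LICENSES/") or rel.endswith(".license"):
            continue
        tags = read_header_tags(path)
        spdx = tags.get("SPDX-License-Identifier")
        lic_rel = tags.get("License-Filename")
        if not spdx or not lic_rel:
            statuses[rel] = "missing-tag"
            continue
        lic = resolve_license(root, lic_rel)
        if lic is None:
            statuses[rel] = "bad-license-path"
        elif spdx not in reference_hashes:
            statuses[rel] = "no-reference-hash"
        elif sha256_hex(lic.read_bytes()) != reference_hashes[spdx]:
            statuses[rel] = "license-text-modified"
        else:
            statuses[rel] = "ok"
    return statuses


# Constructed stand-ins for the real license texts, so the example runs offline.
MIT_TEXT = b"Constructed stand-in for the MIT license text.\n"
GPL_TEXT = b"Constructed stand-in for the GPL-3.0 license text.\n"


def run_demo() -> dict:
    """Build a small constructed repository and scan it."""
    files = {
        "LICENSES/MIT.txt": MIT_TEXT,
        "LICENSES/GPL-3.0.txt": GPL_TEXT + b"Locally added clause.\n",  # edited copy
        "src/index.js": b"// SPDX-License-Identifier: MIT\n"
                        b"// License-Filename: LICENSES/MIT.txt\nconsole.log('hi');\n",
        "README.md": b"# Hello\n",
        "README.md.license": b"SPDX-License-Identifier: GPL-3.0\n"
                             b"License-Filename: LICENSES/GPL-3.0.txt\n",
        "src/vendored.js": b"// SPDX-License-Identifier: MIT\n"
                           b"// License-Filename: ../outside.txt\n",
        "src/util.js": b"module.exports = {};\n",  # no header at all
    }
    reference = {"MIT": sha256_hex(MIT_TEXT), "GPL-3.0": sha256_hex(GPL_TEXT)}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(root, reference)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:22} {name}")
```

A License-Filename that points outside the project root is reported rather than followed, so a header in a vendored file cannot make the scanner hash an arbitrary path.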

"Security Scanners" Again

Planet FSFE on Iain R. Learmonth | 14:00, Wednesday, 27 September 2017

Early this morning I was flying from Aberdeen Airport to Berlin for the Tor Metrics Team meeting. I noticed that they have finally put up some signage before the security area and writing this blog post I really wish I’d taken a picture of it just to show how ridiculous it was.

It didn’t have much information on it, but the information it had was almost laughable. For example: “The scanner is lower than a mobile phone”. As someone who understands radio, I assume they mean field strength, but they don’t specify this so they could mean height or long distance call prices.

There is also a notice explaining that you are allowed to opt-out from use of the scanner. This is welcome, but the wording of the alternative “enhanced private search” is not great. In practice, this routine involves waiting around for someone to become available as they are understaffed (I’ve waited up to 20 minutes before for someone to become available) and then being taken off into a side room where someone will pat you down and go over you with a handheld metal detector.

Given that every other country I’ve visited in Europe seems to be able to not be dreadful at this, I have no idea how the UK can be so dreadful. If you’re interested in this area, I have previously written up some research at the Open Rights Group wiki.

Nextcloud gets End to End Encryption

Free Software – Frank Karlitschek_ | 12:45, Wednesday, 27 September 2017

Today is a special day for Nextcloud and me because Nextcloud gets a cool and important new capability. This is end to end encryption for file sync and share. Nextcloud has supported server side encryption for a long time and all file transfer over the internet is encrypted with TLS/SSL of course. But there is still the need for full end to end encryption to make sure that the data is secure in all scenarios. One example is that the current server side encryption doesn’t protect the data against an evil server admin or if the server is hacked. The new end to end solution does that.

This feature is more important than ever in the light of Trump and other governments including western ones like the UK who want to have access to the private data of users.

Please read this blog post about the upcoming dangers in the next few months. European datacenter is no solution, recent developments show

Most requested feature

End to end encryption is our most ever requested feature. Users and customers have been asking for this for many many years so I am super happy that we finally do this now. So you might ask “what took you so long?” There are many reasons.

The first is that it is hard. This needs to be done without compromising the user experience. Then we wanted to support as many core Nextcloud features as possible, for example sharing. And we wanted to do this in a way that doesn’t compromise performance. Obviously security is the highest priority and that is hard in itself. But another must have requirement is to make the feature truly enterprise ready. So real key management is necessary and it has to be designed with the assumption that users make mistakes. We don’t need another solution that is aimed at technical users, losing their data when they forget their password for example… Our solution doesn’t even let users pick their own password, taking away the risk of passwords that are easy to hack due to reuse or shortness! We also wanted to implement this feature fully transparent and native in all clients and fully open source instead of integrating a third party tool. It was hard to find a solution that balanced all these requirements. But I’m happy to say that Björn, who already designed and developed the server side architecture and Lukas our security lead, found a good architecture, with a lot of feedback from a number of other team members of course. This has been a real collaborative effort, building on our years of experience and a good understanding of the needs of our users and customers.

How does it work?

The feature consists of several components. There is the actual encryption and decryption code which is implemented in the Nextcloud iOS and Android apps and in the Mac, Windows and Linux clients. And then there is a server component which is implemented as a Nextcloud app to do the key management. This is useful to make it easy for the users to distribute private and public keys to all clients and share with each other. Obviously the private keys are encrypted with very strong auto generated passwords which are only known by the users and clients and are never accessible by the server. The key server also supports an optional recovery key which can be activated to make it possible to recover lost passwords/keys. This feature can be activated or deactivated to balance user convenience and security. The clients will warn users when the feature is or gets enabled.

End to end encryption can be activated by the users on a folder by folder basis. Once a user decides to encrypt a folder, everything inside the folder will be encrypted, including the content of the files and folders and the metadata like filenames. From now on the folder is no longer accessible from the Nextcloud web interface and WebDAV. But it is still fully readable and writable from iOS, Android and Mac, Windows, Linux. Sharing still works via public keys of other users. The full design is explained here and the architecture is further documented here.
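The key handling described in this section, sketched as an added example (not Nextcloud's code or its actual protocol): the client generates the key pair and a random passphrase, uploads only the wrapped private key, and shares a folder key by encrypting it to the recipient's public key. The algorithms and parameters (RSA-2048 with OAEP, PBKDF2-SHA256, AES-256-GCM) and all function names are assumptions chosen for illustration.

```javascript
// Added illustration, not Nextcloud's code; algorithms and parameters are assumptions.
const nodeCrypto = require('crypto');
const KDF_ROUNDS = 200000; // assumed PBKDF2 iteration count

// Client: generate the key pair and a random passphrase the user never picks.
function createIdentity() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const passphrase = nodeCrypto.randomBytes(24).toString('hex'); // 192 bits
  return { publicKey, privateKey, passphrase };
}

// Client: wrap the private key before upload. The returned blob is all the
// key server stores; the passphrase and derived key never leave the client.
function wrapPrivateKey(privateKeyPem, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ROUNDS, 32, 'sha256');
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Another client of the same user: download the blob and unwrap it.
// A wrong passphrase or a tampered blob fails the GCM tag check and throws.
function unwrapPrivateKey(blob, passphrase) {
  const key = nodeCrypto.pbkdf2Sync(passphrase, blob.salt, KDF_ROUNDS, 32, 'sha256');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}

// Sharing: encrypt a folder's symmetric key to the recipient's public key.
function shareFolderKey(folderKey, recipientPublicKeyPem) {
  return nodeCrypto.publicEncrypt({ key: recipientPublicKeyPem, oaepHash: 'sha256' }, folderKey);
}

// Recipient: recover the folder key with the unwrapped private key.
function openFolderKey(wrappedKey, privateKeyPem) {
  return nodeCrypto.privateDecrypt({ key: privateKeyPem, oaepHash: 'sha256' }, wrappedKey);
}
```

Because the passphrase is random rather than user-chosen, the wrapped blob held by the server gives an attacker no short or reused password to guess.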

Enterprise ready

It was a key requirement to implement this feature in a way that it is not only useful for home users who want to protect their data on home servers or at service providers. It had to be done in a way that it is useful for companies and other large organisations. We had conversations with some of our bigger customers over the last few months to make sure that this integrates nicely into the enterprise infrastructure and is compliant with existing policies. One example is that we will try to integrate this into desktops like KDE, GNOME, Mac and Windows and will support Hardware Security Modules.

Where are we today?

This feature will be fully production ready and included in Nextcloud 13, which will be out later this year. But we didn’t want to wait until then; we wanted to announce and release something as soon as possible so we can get feedback from encryption experts and the wider infosec community. So today we have our architecture document ready here. The server component is fully implemented and can be found on our GitHub. There is a preview version of the Android app available which is fully working. The desktop client and the iOS app are in the middle of development. You can expect preview builds in the next few days. You can see the development and give feedback in the repositories on GitHub.

More information can be found here:

The software can be found here:

So please give feedback about the architecture and the code if you want to get involved. This is a big step forward to protect the data of users and companies against hackers and organisations who want to abuse it in various ways!

 

 
