robbat2: (Default)

For the mutt users with GnuPG, depending on your configuration, you might notice that mutt's handling of GnuPG mail stopped working with GnuPG. There were a few specific cases that would have caused this, which I'll detail, but if you just want it to work again, put the below into your Muttrc, and make the tweak to gpg-agent.conf. The underlying cause for most if it is that secret key operations have moved to the agent, and many Mutt users used the agent-less mode, because Mutt handled the passphrase nicely on it's own.

  • -u must now come BEFORE --cleansign
  • Add allow-loopback-pinentry to gpg-agent.conf, and restart the agent
  • The below config adds --pinentry-mode loopback before --passphrase-fd 0, so that GnuPG (and the agent) will accept it from Mutt still.
  • --verbose is optional, depending what you're doing, you might find --no-verbose cleaner.
  • --trust-model always is a personal preference for my Mutt mail usage, because I do try and curate my keyring
set pgp_autosign = yes
set pgp_use_gpg_agent = no
set pgp_timeout = 600
set pgp_sign_as="(your key here)"
set pgp_ignore_subkeys = no

set pgp_decode_command="gpg %?p?--pinentry-mode loopback  --passphrase-fd 0? --verbose --no-auto-check-trustdb --batch --output - %f"
set pgp_verify_command="gpg --pinentry-mode loopback --verbose --batch --output - --no-auto-check-trustdb --verify %s %f"
set pgp_decrypt_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - %f"
set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f"
set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f"
set pgp_encrypt_sign_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --textmode --trust-model always --output - %?a?-u %a? --armor --encrypt --sign --armor -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --trust-model always --output --output - --encrypt --textmode --armor -- -r %r -- %f"
set pgp_import_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --import -v %f"
set pgp_export_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --export --armor %r"
set pgp_verify_key_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-secret-keys %r"

robbat2: (ubercoder)

This is a slightly edited copy of an email I send to the mailing lists for my local hackspace, VHS. I run their mailing lists presently for historical reasons, but we're working on migrating them slowly.

Hi all,

Speaking as your email list administrator here. I've tried to keep the logs below as intact as possible, I've censored only one user's domain as being identifying information explicitly, and then two other recipient addresses.

There have been a lot of reports lately of bounce notices from the list, and users have correctly contacted me, wondering what's going on. The bounce messages are seen primarily by users on Gmail and hosted Google Apps, but the problems do ultimately affect everybody.

67.6% of the vhs-general list uses either gmail or google apps (347 subs of 513). For the vhs-members list it's 68.3% (both of these stats created by checking if the MX record for the user's domain points to Google).

Google deciding that a certain list message is too much like spam, because of two things:

  • because of content
  • because of DMARC policy


We CAN do something about the content.

Please don't send email that has one or twos, containing a URL and a short line of text. It's really suspicious and spam-like.

Include a better description (two or three lines) with the URL.

This gets an entry in the mailserver logs like:

delivery 47198: failure:

That was triggered by this email earlier in the month:

> Subject: Kano OS for RasPi
> Apparently it's faster than Rasbian

DMARC policy:

TL;DR: If you work on an open-source mailing list app, please implement DMARC support ASAP!

Google and other big mail hosters have been working on an anti-spam measure called DMARC [1].

Unlike many prior attempts, it latches onto the From header as well as the SMTP envelope sender, and this unfortunately interferes with mailing lists [2], [3].

I do applaud the concept behind DMARC, but the rollout seems to be hurting lots of the small guys.

At least person (Eric Sachs) at Google is aware of this [4]. There is no useful workaround that I can enact as a list admin right now, other than asking the one present user to tweak his mailserver if possible.

There is also no completed open source support I can find for DMARC. Per the Google post above, the Mailman project is working on it [5], [6], but it's not yet available as of the last release. Our lists run on ezmlm-idx, and I run some other very large lists using mlmmj ( and sympa; none of them have DMARC support.

The problem is only triggering with a few conditions so far:

  • Recpient is on a mail service that implements DMARC (and DKIM and SPF)
  • Sender is on a domain that has a DMARC policy of reject

Of the 115 unique domains used by subscribers on this list, here are all the DMARC policies:       600  IN TXT "v=DMARC1\; p=none\;"   7200 IN TXT "v=DMARC1\; p=reject\;\;\; adkim=s\; aspf=s"      3600 IN TXT "v=DMARC1\; p=none\;,\;,\;rf=afrf\;pct=100"         3600 IN TXT "v=DMARC1\; p=none\;\;\;"          3600 IN TXT "v=DMARC1\; p=none\;\;\;"        7200 IN TXT "v=DMARC1\; p=none\; pct=100\;\;"       1800 IN TXT "v=DMARC1\; p=none\; pct=100\;\;"     1800 IN TXT "v=DMARC1\; p=none\; pct=100\;\;"

Only one of those includes a reject policy, but I suspect it's a matter of time until more of them will include it. I'm going to use here as the rest of the example, and that user is indirectly responsible for lots of the rejects we are seeing.

Step 1.

User sends this email.

From: A User <>

Delivered to list server via SMTP (these two addresses form the SMTP envelope)


Step 2.

If the MAIL-FROM envelope address is on the list of list subscribers, your message is accepted.

Step 3.0.

The list adjusts the mail to outgoing, and uses SMTP VERP [7] to get the mail server to send the new message. This means it hands off a single copy of the email, as well as a list of all recipients for the mail. Envelope from address in this case will encode the name of the list and the number of the mail in the archive.

If it was delivering to me (, the outgoing SMTP connection would look roughly like:


And the mail itself still looks like:

From: A User <>

Step 3.1.

I got this email, and if I open it I see this telling me about the SMTP details:

Return-Path: <>

I don't implement DMARC on my domain. If my system bounced the email, it would have gone to that address, and the list app would know that message 18094 on list vhs-general bounced to user

Step 3.2.

Google DOES implement DMARC, so lets run through that.

The key part of DMARC is that it takes the domain from the From header.   7200 IN TXT "v=DMARC1\; p=reject\;\;\; adkim=s\; aspf=s"

The relevant parts to us are:

p=reject, aspf=s

The ASPF section applies strict mode, and says the mail with a From header of, must have an exact match of the MAIL FROM transaction of

It doesn't match, as the list changed the MAIL FROM address. The p=reject says to reject the mail if this happens.

This runs counter to the design principles of mailing lists, so DMARC has a bunch of options, all of which require changing the mail in some way.

Here's the logs from the above failure:

> 2014-03-19 11:19:50.783996500 new msg 98907
> 2014-03-19 11:19:50.783998500 info msg 98907: bytes 8864 from <[]> qp 32511 uid 89
> 2014-03-19 11:19:50.785359500 starting delivery 211352: msg 98907 to remote
> 2014-03-19 11:19:50.785385500 status: local 1/10 remote 1/40
> 2014-03-19 11:19:50.785450500 starting delivery 211353: msg 98907 to remote
> ...
> 2014-03-19 11:19:58.713558500 delivery 211352: failure:
> 2014-03-19 11:19:59.053816500 delivery 211353: failure:


robbat2: (ubercoder)

Munin is commonly used to graph lots of systems stuff, however it lacks a common piece of functionality: 95th percentile.

The Munin bug tracker has ticket #443 sitting open for 7 years now, asking for this, and proving a not-great patch for it.

I really wanted to add 95th percentile to one of my complicated graphs (4 base variables, and 3 derived variables deep), but I didn't like the above patch either. Reading the Munin source to consider implementing VDEF properly, I noticed an undocumented setting: graph_args_after. It was introduced by ticket #1032, as a way of passing things directly to rrdtool-graph.

Clever use of this variable can pass in ANYTHING else to rrdtool-graph, including VDEF! So without further ado, here's how to put 95th percentile into individual Munin graphs, relatively easily.

# GRAPHNAME is the name of the graph you want to render on.
# VARNAME is the name of the new variable to call the Percentile line.
# DEF_VAR is the name of the CDEF or DEF variable from earlier in your graph definition.
# LEGEND is whatever legend you want to display on the graph for the line.
#   FYI Normal rrdtool escaping rules apply for legend (spaces, pound, slash).
${GRAPHNAME}.graph_args_after \
  LINE1:${VARNAME}\#999999:${LEGEND}:dashes \
# Example of the above I'm using
bandwidth1.graph_args_after \
  VDEF:totalperc=gcdeftotal,95,PERCENT \
  LINE1:totalperc\#999999:95th\ Percentile\ (billable\):dashes \
robbat2: (ubercoder)

Running into another system today with the fun python-exec block, I realise that while it has been discussed on the Gentoo mailing lists, and the forums slightly, there's been hardly any posts about it in the blog stream.

I'm not going to go into what caused it, but rather solutions for package conflicts in the short term, and also the long-term. The TL;DR general solution is running "emerge -1 dev-python/python-exec"

Here's the latest conflict I got on it; I wanted to install mirrorselect to compare some hosts

hostname / # emerge -pv mirrorselect

These are the packages that would be merged, in order:
[ebuild  N     ] net-analyzer/netselect-0.3-r3  22 kB
[ebuild     U  ] dev-lang/python-2.7.5-r3:2.7 [2.7.3-r2:2.7] USE="gdbm hardened%* ipv6 ncurses readline ssl threads (wide-unicode) xml -berkdb -build -doc -examples -sqlite -tk -wininst" 10,026 kB
[ebuild     U  ] dev-lang/python-3.2.5-r3:3.2 [3.2.3:3.2] USE="gdbm hardened%* ipv6 ncurses readline ssl threads (wide-unicode) xml -build -doc -examples -sqlite -tk -wininst" 9,020 kB
[ebuild  N     ] dev-lang/python-exec-2.0:2  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 79 kB
[ebuild  N     ] dev-util/dialog-1.2.20121230  USE="nls unicode -examples -minimal -static-libs" 422 kB
[ebuild  N     ] app-portage/mirrorselect-  PYTHON_TARGETS="python2_7 python3_2 -python2_6 (-python3_3)" 13 kB
[blocks B      ] <dev-python/python-exec-10000 ("<dev-python/python-exec-10000" is blocking dev-lang/python-exec-2.0)

Total: 6 packages (2 upgrades, 4 new), Size of downloads: 19,580 kB
Conflict: 1 block (1 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (dev-python/python-exec-0.2::gentoo, installed) pulled in by
    dev-python/python-exec[python_targets_python2_7(-),-python_single_target_python2_5(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-)] required by (dev-libs/libxml2-2.9.0-r2::gentoo, installed)

  (dev-lang/python-exec-2.0::gentoo, ebuild scheduled for merge) pulled in by
    dev-lang/python-exec:=[python_targets_python2_6(-)?,python_targets_python2_7(-)?,python_targets_python3_2(-)?,-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-)] (dev-lang/python-exec:=[python_targets_python2_7(-),python_targets_python3_2(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-)]) required by (dev-python/setuptools-0.6.30-r1::gentoo, installed)
    dev-lang/python-exec:=[python_targets_python2_6(-)?,python_targets_python2_7(-)?,python_targets_python3_2(-)?,python_targets_python3_3(-)?,-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-)] (dev-lang/python-exec:=[python_targets_python2_7(-),python_targets_python3_2(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-)]) required by (app-portage/mirrorselect-, ebuild scheduled for merge)
    dev-lang/python-exec:=[python_targets_python2_6(-)?,python_targets_python2_7(-)?,python_targets_python3_2(-)?,python_targets_python3_3(-)?,python_targets_pypy2_0(-)?,-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-),-python_single_target_pypy2_0(-)] (dev-lang/python-exec:=[python_targets_python2_7(-),python_targets_python3_2(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-),-python_single_target_pypy2_0(-)]) required by (virtual/python-argparse-1::gentoo, installed)

For more information about Blocked Packages, please refer to the following
section of the Gentoo Linux x86 Handbook (architecture is irrelevant):

This system has just dev-lang/python-exec-2.0 presently. We can reduce the conflict down to a minimal version as follows:

HOST / # emerge -pv  dev-lang/python-exec

These are the packages that would be merged, in order:
[ebuild  N     ] dev-lang/python-exec-2.0:2  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 79 kB
[blocks B      ] <dev-python/python-exec-10000 ("<dev-python/python-exec-10000" is blocking dev-lang/python-exec-2.0)

Total: 1 package (1 new), Size of downloads: 79 kB
Conflict: 1 block (1 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (dev-python/python-exec-0.2::gentoo, installed) pulled in by
    dev-python/python-exec[python_targets_python2_7(-),-python_single_target_python2_5(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-)] required by (dev-libs/libxml2-2.9.0-r2::gentoo, installed)

  (dev-lang/python-exec-2.0::gentoo, ebuild scheduled for merge) pulled in by
    dev-lang/python-exec:=[python_targets_python2_6(-)?,python_targets_python2_7(-)?,python_targets_python3_2(-)?,-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-)] (dev-lang/python-exec:=[python_targets_python2_7(-),python_targets_python3_2(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-)]) required by (dev-python/setuptools-0.6.30-r1::gentoo, installed)
    dev-lang/python-exec:=[python_targets_python2_6(-)?,python_targets_python2_7(-)?,python_targets_python3_2(-)?,python_targets_python3_3(-)?,python_targets_pypy2_0(-)?,-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-),-python_single_target_pypy2_0(-)] (dev-lang/python-exec:=[python_targets_python2_7(-),python_targets_python3_2(-),-python_single_target_python2_6(-),-python_single_target_python2_7(-),-python_single_target_python3_2(-),-python_single_target_python3_3(-),-python_single_target_pypy2_0(-)]) required by (virtual/python-argparse-1::gentoo, installed)

For more information about Blocked Packages, please refer to the following
section of the Gentoo Linux x86 Handbook (architecture is irrelevant):

So what do we know?

  1. We have dev-python/python-exec-0.2 installed, it has the default SLOT=0.
  2. Here's what the packages in the tree right now look like:

$ egrep '^R?DEPEND|^SLOT' dev-{python,lang}/python-exec/*ebuild
  • If we try to bring in dev-lang/python-exec directly, it will trigger the block, because our version of dev-python/python-exec is too old.
  • This entire problem happens because the python*r1 eclasses bring in dev-lang/python-exec.
  • This leads to a simple user-actionable solution of "emerge -1 dev-python/python-exec", which will work as follows (notice that portage uninstalls the old version for us):

    HOST / # emerge -pv  dev-python/python-exec
    These are the packages that would be merged, in order:
    [ebuild  N     ] dev-lang/python-exec-0.3.1  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 73 kB
    [ebuild  N     ] dev-lang/python-exec-2.0:2  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 79 kB
    [uninstall     ] dev-python/python-exec-0.2  PYTHON_TARGETS="(jython2_5) (jython2_7) python2_5 (python2_6) (python2_7) python3_1 (python3_2) -pypy1_9 (-pypy2_0) (-python3_3)" 
    [blocks b      ] <dev-python/python-exec-10000 ("<dev-python/python-exec-10000" is blocking dev-lang/python-exec-2.0, dev-lang/python-exec-0.3.1)
    [ebuild  NS    ] dev-python/python-exec-10000.2:2 [0.2:0] PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 0 kB
    Total: 3 packages (2 new, 1 in new slot, 1 uninstall), Size of downloads: 152 kB
    Conflict: 1 block

    The above is not actually the minimal solution, but it is the best general solution. The minimal solution is to include the slot on the package, but in future if the slots change further and the default slot is removed, this won't work anymore.

    HOST / # emerge -pv dev-python/python-exec:0
    These are the packages that would be merged, in order:
    [ebuild  N     ] dev-lang/python-exec-0.3.1  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 73 kB
    [ebuild     U  ] dev-python/python-exec-10000.1 [0.2] PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3) (-pypy1_9%) (-python2_5%*) (-python3_1%*)" 0 kB
    [blocks b      ] <dev-python/python-exec-10000 ("<dev-python/python-exec-10000" is blocking dev-lang/python-exec-0.3.1)
    Total: 2 packages (1 upgrade, 1 new), Size of downloads: 73 kB
    Conflict: 1 block

    But now the better question, is as developers, can we help users prevent this, and at what cost? If we don't mind new users having an extra placeholder package, then yes, we CAN actually solve it for the users. In all of the dev-lang/python-exec ebuilds we need to make this simple change:


    This provides a nice solution as follows:

    # emerge -pv dev-lang/python-exec
    These are the packages that would be merged, in order:
    [ebuild  N     ] dev-lang/python-exec-0.3.1  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 73 kB
    [ebuild     U  ] dev-python/python-exec-10000.1 [0.2] PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3) (-pypy1_9%) (-python2_5%*) (-python3_1%*)" 0 kB
    [blocks b      ] <dev-python/python-exec-10000 ("<dev-python/python-exec-10000" is blocking dev-lang/python-exec-2.0, dev-lang/python-exec-0.3.1)
    [ebuild  N     ] dev-lang/python-exec-2.0:2  PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 79 kB
    [ebuild  NS    ] dev-python/python-exec-10000.2:2 [0.2:0] PYTHON_TARGETS="(jython2_5) (jython2_7) (python2_6) (python2_7) (python3_2) (-pypy2_0) (-python3_3)" 0 kB
    Total: 4 packages (1 upgrade, 2 new, 1 in new slot), Size of downloads: 152 kB
    Conflict: 1 block

    All that remains is convincing the Python team to accept this solution for users...

    robbat2: (ubercoder)

    For the many other open-source contributors and developers out there, I'm wondering if anybody has a complete list of all works they have created. It came up recently that such a list would be useful in asserting my own prior copyrights in any future employment, and avoiding claims that I'd taken any code [1].

    For version control systems are still accessible, this isn't too much of a problem, but for past historical creations, this is a lot harder. Has anybody else done it? To what level of detail did your listing go?

    Here's my initial broad listing(I'm going to come back often to fill it in more)

    I realized that this does form a sort of portfolio of work that I've done, and it shows just how flexible I am, esp. if I went and wrote this up better including a blurb about some of the larger or more standalone projects I've done.

    Additional sources to look up this stuff are:

    (list last updated 2015/06/20, partially)

    And I'm sure that I'm missing many more.

    Flattr this
    robbat2: (ubercoder)

    So I'm hunting for a new graphics card, and my set of requirements make this a difficult quest. I welcome all suggestions, either as comments, or as email.

    I haven't seen any passive cards in the new R7/R9 lines from ATI, not sure if those will come out later only


    • MUST be supported by the open-source Radeon or Noveau drivers.
    • MUST support at least 3 digital displays (DVI/HDMI/DP etc, not VGA)
    • SHOULD be cost less than $300
    • SHOULD occupy only one PCI-e slot (trying to avoid double-height cards)
    • SHOULD be passively cooled, or after-market water-cooled
    • NICE TO HAVE: good 3D performance

    Options so far (for further review)

    Name & Link Outputs Passive Card height Price
    ATI FirePro 2460 4x MiniDP Yes 1 slot $256 NCIX (no PP)
    VISIONTEK Radeon HD 7750, 2GB GDDR5, PCIe x16, 6x Mini-DP, Retail 6x MiniDP No 1 slot $273 NCIX (no PP)
    Radeon HD 7750 Low Profile - Eyefinity 4 CGAX-7758LM4 - PCI Express 3.0 - 2048 - GDDR5 - 128 BIT 4x MiniDP No 1 slot 136GBP AmazonUK, no NCIX listing
    SAPPHIRE FleX 100322FLEX Radeon HD 6450 1GB 64-bit DDR3 PCI Express 2.1 x16 HDCP Ready Low Profile Ready Video Card 1x DVI-D, 1x DVI-S, 1x HDMI Yes 2 slots LP $60 Newegg, $75 NCIX no-PP
    PowerColor HD7750 2GB GDDR5 Eyefinity 4 LP Edition (UEFI) AX7750 2GBD5-4DL 4x MiniDP No 1 slot $190 Ebay, no NCIX listing
    NVIDIA Quadro NVS 450 by PNY 512MB GDDR3 PCI Express Gen 2 x16 Quad DisplayPort or DVI-D SL Profesional Business Graphics Board, VCQ450NVS-X16-DVI-PB 4x MiniDP Yes 1 slot $295 AmazonUS, $495 NCIX non-PP
    FirePro W600 6x MiniDp No 1 slot $570 NCIX non-PP, $480 AmazonUS
    HIS 7750 iSilence 5 1GB GDDR5 PCI-E DP/DVI/HDMI DVI, HDMI, DP Yes 2 slot internally, 1 slot physically $100 AmazonUS


    I have tried the following cards already without success:

    • Galaxy MDT X4 GeForce210
      This card implements 4 DVI in a design like a pair of inline Matrox DualHead2Go units, it mucked badly with the EDID and crashed Noveau.
    • Matrox ??? older 3 or 4-head card: only first output supported on open-source driver
    • Gigabyte Radeon HD 7970 OC Edition: radeon driver very buggy when DP used and other outputs

    For reference, my monitors are 2x Dell U2410, 1x Dell U2413. So I have DVI/HDMI/DP on all displays, and the U2413 has DP1.2 MST as well.

    robbat2: (Default)

    In light of World IPv6 day, the Gentoo Linux Infrastructure team would like to announce new IPv6-availability of several services, and list the existing IPv6 services. Every service listed below is running a dual-stack native IPv4/IPv6 service, no tunnels.

    The new services available via IPv6 are:

    The existing services available via IPv6 are:

    • CVS/SVN/Git services for developers
    • rsync:// - our primary rsync rotation
    • rsync://${CC} - our regional community rsync rotations
    • A number of our mirrors

    All of our IPv6 services will remain online after today, unless serious IPv6 problems (esp. regarding routing) are encountered.

    Gentoo would like to extend thanks to all our sponsors & mirrors who have provided IPv6 service, and the servers to make use of it!

    robbat2: (Default)

    Working on my conference travel plans and wishes for the year. I am downgrading OLS to a maybe, the cost is becoming more of a factor. Likewise, while I had incredible fun at FOSDEM last year, and OSCON in 2006, I cannot justify the airfare/hotel expenses for them. I would like to attend SCALE at some point as well, but uncertain for the same cost reason.

    • February 25-27, SCALE 9x @ Los Angeles, CA, USA. [SCALE9x].
    • April 11-14, MySQL UC @ Santa Clara, CA, USA [MySQLconf].
    • April 13, Embedded Linux Conference @ San Francisco, CA [ELC].
    • April 27-30, STS-134 launch @ Kennedy Space Centre, FL, USA [STS134].
    • May 26-29, Bowen Island, BC, Canada.
    • June 25-26, Mini Maker Faire Vancouver @ Vancouver, BC, Canada.
    • August 17-19, LinuxCon 2011 @ Vancouver, BC, Canada [LinuxCon].
    • August 25-28, PAX Prime 2011 @ Seattle, WA, USA.
    • July 25-29, OSCON @ Portland, OR, USA.
    • August 7-11, SIGGRAPH 2011 @ Vancouver, BC, Canada.
    • October 19-22, Access 2011, @ Vancouver, BC, Canada.
    • October 22-23, Google Summer of Code 2011 Mentor Summit @ Mountain View, CA, USA.
    Would like to go, but out of my financial reach:
    • February 5-6, FOSDEM @ Brussels, Belgium.
    • June 13-15, Linux Symposium @ Ottawa, ON, Canada.
    • September 7-9, Linux Plumbers @ Santa Rosa, CA, USA.
    Arriving on the 24th actually
    I will be manning the phpMyAdmin booth, like past 5 years.
    Dropped in for just one day for hallway track
    KSC grandstand seats to see the penultimate launch :-)
    Local this year, so no travel costs :-)
    Page History
    Added GSoC, Access 2011, Bowen Island, STS-134
    robbat2: (Default)

    Those that have followed me for a while might have seen me previously complain at journalism that's misleading, wrong, or outright fictitious. Now I've got another case...
    This article by Ed Bott at ZDNet:
    Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated]

    The article was first published 2010/06/12 20:37 UTC.
    It claims to be "worse" when updated at 2010/06/14 19:30 UTC.

    Gentoo had a revision bump to a known good copy of the tarball at 2010/06/12 16:34 UTC (using a different filename, and verified against the GPG signature provided by upstream), so it was ALREADY fixed when the article was published. The old revision was explicitly removed at 2010/06/12 21:18 UTC.
    Commit data for fixes:
    Changes for unrealircd-
    Changes for unrealircd-

    The trojaned tarball was then removed from the Gentoo master mirror at 2010/06/13 08:00 UTC, about 11 hours after the article was published. It would have been sooner, but it was a matter of bad timing.

    Gentoo bug 323691.

    The article also claims: "There’s a great deal of comment in the Talkback section of this post about how official repositories can be trusted. It appears that system broke down thoroughly in this case."
    This claim is bogus. The developer that updated the package made perhaps a mistake in trusting that the upstream had not been tampered with. However, in lacking anything to verify against (the upstream apparently did not sign releases at that point), he couldn't have detected the backdoor except by manual inspection of all the code. He downloaded the package AFTER it had been tampered with (2009/11/11 I believe), so he never saw the tamper-free version either.

    The entire point of the Gentoo Manifests are to ensure that OUR mirrors are not the point where a compromise is introduced. We can detect upstream changes by this same mechanism, but they mostly tend to be upstream deciding to 'fix' something without bumping the version number. In this regard, they functioned perfectly.

    P.S. I'm not saying the existing Gentoo mirroring is perfect either, see my prior writings on tree-signing, and the "Attacks on Package Manager" papers by Cappos et al., which are blocked only with the full tree-signing system.

    robbat2: (Default)

    (This post inspired by Petteri Räty (betelgeuse)'s similar post

    For this year's Gentoo GSoC projects, I'm a mentor on two of our suggested ideas (but also interested in totally new ideas that fit my fields):

    • upstart on Gentoo
    • Distfile Fetcher Intelligence
    Do you actually understand the project idea?
    This is actually a gap that I didn't expect to exist, but I have seen in previous years. This is mainly a difference of expectations between the proposal and what the potential student sees as what the idea really entails.
    Using Upstart as an example, it supports an existing init.d compatibility mode, but we're not interested in that. Instead we want our init.d scripts to be treated just like upstart jobs (located in /etc/init/). The init.5 manpage shipped with upstart gives a good start...
    Code maintainability
    betelgeuse spoke about long-term maintenance, but you should think about it long ahead of that. Some degrees of abstraction, and avoiding difficult to understand logic should be prevalent here. betelgeuse mentioned spaghetti code, but it's important to realize that even well formatted code can impose a much larger mental workload if not well thought out.
    Timezones, Timezones!
    Most of your project should not be blocking on asking for mentor advice, as timezones and real world pressures often conspire to prevent easy real world communication. I may live in UTC-7, but my hours drift as needed by work but I tend to be online anywhere between 17h00 UTC and 10h00 UTC. If you're trying to communicate with me on a regular basis, this can be tough, so being able work on a problem independently, ask highly directed questions via email can go a long way.
    robbat2: (Default)

    Good advice for any prospective GSoC student, regardless of gender

    I'm also a mentor for Gentoo again this year, after taking a break last year.
    You can find our list of potential ideas here: Google Summer of Code 2010 ideas for Gentoo
    But don't limit yourself to them! Creative ideas can get you very far too :-)

    I'll also be the infrastructure contact for the accepted SoC students, for any issues you have with the source code repositories (we'll be offering Git again), your shell accounts, and a sounding board on deploying your successful project (for those that hosting or larger resources).

    robbat2: (Default)

    In the early hours of this morning, a spammer managed to get the IP of the Gentoo list server on the NiX Spam RBL... simply by spamming the subscribe address :-(. This caused approximately 2000 deliveries of normal list mail to be rejected while the server was present on the RBL.

    Log details )

    Why did this happen? I do agree on the importance of spamtrap accounts, but they MUST check the content of their messages. A list confirmation message MUST NOT be considered as spam.

    The original subscribe request came from what seems to be a compromised server in Secunderabad, India. So it wouldn't have been detected by RBL focused on modem/dialup addresses.

    Short of raising the bar to subscribe (with a specific token that needs to be included, and then it's only a matter of time till spammers include it too), there isn't much we can do to block stuff like this at the list-server level. There is no way to detect than an address is a spamtrap. There cannot be by definition, as the spammers would avoid it themselves otherwise.

    robbat2: (Default)

    I've been prodding at the concept of the new network script in OpenRC-0.5, and I'm at a loss to try and see why Roy has decided to toss the old network config system away. The new system doesn't have a lot of capabilities, and most significantly totally loses the ability to restart a single interface without affecting the rest of the system. If it's just for a rewrite, then I'm not too worried, but unless all the functionality is still there, I'm worried we are going to move backwards with it.

    At the same time, I don't think many people are aware of how powerful the "old" network configuration mechanism is. The net.examples file is only the start, once you start mixing in the pre/post calls, there's a lot of power. It's capable of some feats that I don't see used even in certain parts of the Gentoo documentation[1]. I've put together some of my gems of conf.d/net, and if you have some, I'd love to hear them. Leave a comment or email me the scripts, along with a description.

    Configurations available
    • Easy to maintain (Hurricane Electric) IPv6 tunnels - Download
    • Running two ISPs at home (basic multi-homing) - Download
    • "Enterprise" multi-homing setup, with 4 paths to the Internet - Download

    I've also started a bit of storage in my Gentoo webspace for these collected works of network configuration, with a bit more documentation.

    1. The Gentoo docs have this for IPv6: Gentoo IPv6 Router Guide, Tunnel Configuration. You could bring it up manually, or you could just take the IPv6 config above and use it straight with your variables filled in. Volunteers welcome to help merge that config into the Gentoo IPv6 documentation.
    robbat2: (Default)

    solar was asking about release statistics, so I grabbed the current data from Bouncer. The nearly 34k releases for 10.0 is just in the 5 days that it's been out. I included the various architetures that were part of each released 'product', to make some degree of comparision possible.

    installcd-minimum 228561alpha,amd64,hppa,ia64,ppc,ppc64,sparc64,x86
    installcd-universal 374388alpha,amd64,hppa,ppc,sparc64,x86
    packagecd 162537alpha,amd64,ppc,ppc64,sparc64,x86

    livecd 242422x86
    minimal 287496alpha,amd64,hppa,ia64,ppc,ppc64,sparc64,x86
    packagecd 42572amd64,ppc-g4,ppc-ppc,sparc64
    packagecd-32ul 10909ppc64
    packagecd-64ul 2981ppc64
    universal 111359alpha,amd64,hppa,ppc,ppc64,sparc64

    livecd 307481amd64,x86
    minimal 330505alpha,amd64,hppa,ia64,ppc,ppc64,sparc64,x86
    packagecd 39118ppc,ppc-g3,ppc-g4,ppc64,ppc64-g5
    universal 122280alpha,hppa,ppc,ppc64,sparc64

    bt-http-seed 72980ALL
    livecd 411958amd64,x86
    minimal 496943alpha,amd64,hppa,ia64,ppc,ppc64,sparc64,x86
    packagecd 27593ppc-g4,sparc64
    universal 137554hppa,ppc,ppc64,sparc64

    livecd 19426amd64,ppc64,x86
    livedvd 4amd64,x86
    minimal 14069alpha,amd64,hppa,ia64,ppc64,sparc64,x86
    universal 1745ppc64,sparc64

    livecd 37771amd64,x86
    livedvd 17842amd64,x86
    minimal 55745alpha,amd64,hppa,ia64,ppc,sparc64,x86
    universal 3142ppc,sparc64

    livecd 477934amd64,x86
    minimal 406531alpha,amd64,hppa,ia64,ppc,sparc64,x86
    packagecd 12308sparc64
    universal 83600hppa,ppc,sparc64

    livedvd 4870amd64,x86

    livedvd 33703amd64,x86

    livedvd 0amd64,x86

    • 2008.* has the LiveDVD's pulled from mirrors due to size complaints.
    • bt-http-seed was an (failed) experiment with a set of mirror URLs for trying to load-balance Bittorrent's HTTP seeding
    • Bouncer really needs replacing, but there's nothing really good to do so that I'm aware of. mod_sentry isn't nice. Other suggestions welcome. Should support products, architectures within products, seperate check/serve URLs, detailed hit recording for analysis.
    robbat2: (Default)

    To add a new USE flag, that's globally enabled for all Linux profiles, what's the minimum set of profiles that need to change? Deprecated profiles must be handled as well, for users that need to migrate still.

    I ran into this today, while working on the USE=modules changes for linux-mod.eclass.

    As an attempt to solve this, I munged up some GraphViz work to show profile inheritance, pictures as the end. Both sets have the trailing profiles "/desktop", "/developer", "/server" turned off for the 2008.0 and 10.0 releases, to cut down on the noise.

    Graphs and script for download.

    Which profiles? )

    Odd observations

    • Several Prefix profiles (linux/{amd64,ia64,x86} link to 2008.0 profiles explicitly instead of the generic architecture)
    • default/linux does not bring in base. Some profiles at a glance neglect this and might not have base brought in at all.
    • "embedded" is all alone in the tree.
    Thumbnail of one graph )

    Question for any skilled GraphViz users:

    If all nodes in a given subgroup/cluster have an edge going to a single destination node, is there any way to get graphviz to replace them with a single fat edge from cluster to destination node?

    robbat2: (Default)

    So for our Vancouver heatwave (I noted 39C away from the water today, in the shade!), it's finally claimed some of my computer hardware. Most annoying, the battery backup unit (BBU) in the newer fileserver, and 1.5 of the disks of the RAID1 array in the old server...

    My website and personal email will be offline for a day or two while I ensure my backups are up to date, and redeploy to the newer fileserver (after I buy a new BBU tomorrow).

    robbat2: (Default)

    I really need to get back to writing in this blog. In the meantime, I scoured my email for the last 2 years of fortune submissions that I hadn't compiled together yet, and make a release. Go forth and amuse yourselves with it.

    robbat2: (Default)

    Now for the second set of statistics. These aren't directly useful to mirrors in estimating their traffic, but instead gives a good overview of how our mirroring setup works internally, and now much traffic is involved in the fan-out stage. Distfiles are the main content moved around by this system, but it is also used for the other directories for releases, experimental and snapshots.

    A very quick overview of the existing setup:

    1. Developer uploads new distfile directly to
    2. The master-distfiles box pulls from hourly.
    3. The master-distfiles box checks every ebuild, and downloads missing distfiles from their primary URI if they do not exist. The daily distfile report is also created at this point.
    4. Every hour, the cluster master of pulls the latest content from master-distfiles. (Averages 240MB/day of traffic).
    5. The OSL FTP cluster master (in Oregon) pushes to it's slave locations in Atlanta and Chicago.
    6. All distfiles mirrors pick up their content from one of the FTP nodes - Internet2-connected hosts are directed via DNS to an Internet2-connected slave for performance.

    Each of the distfiles mirrors has about 140-160MB of upstream traffic every day (including both the new files and the rsync overhead for scanning). If there are no files changed, the rsync traffic for a directory scan is 1-2MB. While this isn't a lot of traffic, it's very spiky, as mirrors tend to be on fast links.

    The new weekly builds from the Release Engineering team will probably be adding another 1.3GB per week, staggered as one arch per day.

    I got a small subset of the logs from the OSU FTP cluster for processing some of these statistics. They cover the 24 hour period of 2008/08/07 UTC. It does not have data of which traffic went via Internet2, and I've grouped the sources by country code (using IP::Country::Fast from CPAN).

    Numbers )

    As a bit of analysis, I think that more than half of our mirrors (Europe, Middle East, RU) would benefit from having a box to sync against in Europe.

    robbat2: (Default)

    I was doing some statistics about Gentoo mirrors to see about future plans, and thought that the indirect crowd that read my blog via the various aggregators might be interested in numbers.

    These are the traffic for, which is a newer box in the official box directly maintained by the Infrastructure team. Hardware specs are 2x Xeon 3050 @2.13Ghz, 4GB RAM. Disk is mostly irrelevant - the rsync workload is served purely from RAM (tail-packing reiserfs, backed via loop device pointing to a file on tmpfs).

    Inbound traffic is spiky, but does not exceed 10Mbit by more than a little bit - we can the inbound rsyncs from the rsync1 master to 10Mbit. Outbound traffic varies between 4Mbit and 9Mbit, with an average around 6-7Mbit.

    Numbers )
    robbat2: (Default)
    Many thanks to [ profile] logik for this work of brilliance. Posted with permission, and slightly reformatted here.

    A stoner, takes a puff of his joint and says, "Hi, I'm a mac!".
    The poorly dressed wannabe bank teller beside him says, "... and I'm a PC."

    The door nearby blows in and a heavily armed tactical team storms the room,
    throwing both of them to the floor, barrels of MP5k's against their skulls.

    Someone yells, "AREA CLEAR!"
    The lieutenant comes in after them, smoking a cigar, surveying the area.
    "I'm Solaris,
    the sergeant over there is BSD (You remember your daddy mac?),
    the pretty boy with the M14, he's Linux,
    and the guy toting the M60... That there is HPUX.
    Now, shut the fuck up, both of you.
    We've had about enough of your 'Bill and Ted Get a Computer' bullshit.
    Keep it up, and we're gonna do the same thing to you that we did to OS2, got it?"

    May 2017

    S M T W T F S
    141516171819 20


    RSS Atom

    Most Popular Tags

    Style Credit

    Expand Cut Tags

    No cut tags