Yutaka Niibe gniibe@identi.ca

Maebashi, Japan

GNU wannabee ['gnu:be], FSIJ chairman, Debian Developer

  • MicroPython on ESP32

    2017-10-17T04:57:08Z via Pumpa To: Public CC: Followers

    I bought ESP32 thing and installed MicroPython.

    While the chip is only 5mm x 5mm, quite easily, I can write a script of simple web service for GPIO control through WiFi.

    I wonder if it were "MicroGNU"... Possibly, the scripting would be done by Scheme.

  • A Solution for the Emulation (of USB device)

    2017-10-05T23:38:20Z via Pumpa To: Public CC: Followers

    I decided to introduce a feature specifying VID:PID at runtime, like:

    $ /usr/local/libexec/gnuk --vidpid=VVVV:PPPP
    

    That is, it is the end user who will specify the VID:PID. The distributed binary won't have any VID:PID, thus, no violation (of the USB-IF member agreement) will occur when someone will distribute Gnuk binary for emulation.

    And when an end user does specify VID:PID of existing one, with her knowledge of emulation, I don't think it is violation of anything, either.

    Correct?

    Claes Wallin (韋嘉誠) likes this.

    As long as VID:PID cannot be copyrighted, or registered as a trademark.

    Yutaka Niibe at 2017-10-05T23:41:19Z

  • USB vendor ID for emulation

    2017-10-05T03:18:26Z via Pumpa To: Public CC: Followers

    In the USB Implementers Forum's member agreement, it says:

    Vendor ID (VID) Number. Company hereby applies for a USB Vendor ID Number and agrees to the following: The USB Implementers Forum is the authority which assigns and maintains all USB Vendor ID Numbers. Each Vendor ID Number is assigned to one company for its sole and exclusive use, along with associated Product ID Numbers. They may not be sold, transferred, or used by others, directly or indirectly, except in special circumstances and then only upon prior written approval by USB-IF. Unauthorized use of assigned or unassigned USB Vendor ID Numbers and associated Product ID Numbers are strictly prohibited.

    That's reasonable for hardware product.

    FSIJ owns a Vendor ID (234B) and uses it for Gnuk and NeuG.

    Now, I have a problem, because I'm now working for the emulation for those devices on GNU/Linux.

    The idea is to allow those who don't have hardware use "virtual" product by a program on GNU/Linux using USBIP. The problem is that we need to use some vendor ID and product ID within the program, which is not the one of hardware product.

    It is best if the program can use FSIJ's vendor ID, but it would violate the member agreement if FSIJ allows everyone to use its vendor ID for such a program.

    Claes Wallin (韋嘉誠) likes this.

    Now it works!

    $ /usr/local/bin/gnuk-emulation-setup # To generate flash image
    

    From terminal A:

    $ /usr/local/libexec/gnuk
    

    From terminal B:

    # usbip attach -r 127.0.0.1 -b 1-1
    

    From terminal C:

    $ gpg --card-status
    Reader ...........: 234B:0000:FSIJ-1.2.5-EMULATED:0
    Application ID ...: D276000124010200FFFEF1420A7A0000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: F1420A7A
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]
    $
    

    Yutaka Niibe at 2017-10-05T05:05:44Z

  • Bug fix for Amelia Mary Earhart?

    2017-09-08T02:31:42Z via Pumpa To: Public CC: Followers

    It found GnuPG "make check" fails with "UTC-12":
    https://dev.gnupg.org/T3393

    So far, no developers from this timezone.
    But I think that it's worth to fix for the aviation pioneer.

    Ben Sturmfels, Claes Wallin (韋嘉誠) likes this.

    Scorpio, Scorpio shared this.

  • Curve25519

    2017-09-06T23:39:52Z via Pumpa To: Public CC: Followers

    Probably, I was the worst implementer of Curve25519 ECDH (see CVE-2017-0379).

    Given the situation of libgcrypt structure, I had to use general purpose MPI routines, which was far from "constant-time".
    I had known that it killed the important point of Curve25519, which is designed to be "constant-time".

    I thought that "Still, it's better than nothing". Perhaps, this kind of attitude would not be good.

    Well, along with quick fix of the vulnerability, I also do real improvement: https://dev.gnupg.org/T3358; While this becomes better implementation, it has not yet had field specific representation. The representation is still MPI. (Original implementation of Curve25519 uses limb of 2^51 to avoid carry between limbs.)

    And... during this CVE handling, I realized that libgcrypt from Fedora/RedHat doesn't support Curve25519, because of ECC patent fear. It only enabled in the development version recently.

    George Standish, Christopher Allan Webber likes this.

    Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠) shared this.

    I didn't know you worked on libgcrypt... thank you for the work! What an important project!

    Christopher Allan Webber at 2017-09-07T00:03:06Z

    George Standish, Yutaka Niibe likes this.

    The bonus for the library developer is that I can learn its usage; I learn git-crypt and pidgin-openpgp can use Curve25519 encryption (along with gpg+enigmail) by the paper of the attack:
    https://eprint.iacr.org/2017/806

    Yutaka Niibe at 2017-09-07T02:17:28Z

    ... in the development version recently.

    I wrote this based on this comment:

    https://bugzilla.redhat.com/show_bug.cgi?id=1413618#c3

    But it seems that Curve25519 is already available in F26, with libgcrypt-1.7. If so, security fix by libgcrypt-1.7.9 should be used.

    Yutaka Niibe at 2017-09-07T11:26:42Z

  • 1984 and 2017

    2017-09-05T06:41:27Z via Pumpa To: Public CC: Followers

    I remember that the Soviet Union was considered to be a threat for Japanese. I was afraid of their (nuclear) weapons.

    On the other hand, it seems that nobody is serious against North Korea, these days.

    I wonder why.

    Maybe because their leader is seen as a clown (which he is). But it's a very dangerous clown nonetheless.


    And now this clown is playing the threat game with another particularly orange, and also dangerous clown.


    I think there are plenty of reasons to be afraid.

    JanKusanagi at 2017-09-05T13:38:01Z

    Claes Wallin (韋嘉誠), Yutaka Niibe likes this.

    "Clowns to the left of me, Jokers to the right, Here I am, stuck in the middle with you..." :-/

    Charles Stanhope at 2017-09-05T14:41:19Z

    Yutaka Niibe likes this.

    North Korea is super scary *because* he is a clown and because the other clown is doing nothing but egging him on.

    Claes Wallin (韋嘉誠) at 2017-09-08T07:05:54Z

  • libgcrypt 1.8.1 released on Sunday

    2017-08-27T09:42:53Z via Pumpa To: Public CC: Followers

    That's because to fix CVE-2017-0379.

    These days, the title of papers are too good.

  • Stuffed penguin with egg

    2017-08-16T07:29:23Z via Pumpa To: Public CC: Followers

    My daughter lost her stuffed penguin (with egg) around E77 at YYZ or the flight AC005.

    I wrote to aircanada.com.

    Like this one

    She said that she bought it at biodome, Montreal.

    I got reply from aircanada, which suggested to contact lost+found by thier "web chat" system.  Thus, I told that it didn't work, that's the reason why I wrote by email.

    Their web pages has been fixed to remove links to the "web chat" system.  That's the improvement.  But I don't know they accepted my request to forward my message to lost+found.

    Yutaka Niibe at 2017-08-24T01:54:03Z

  • Demonstration by family

    2017-08-11T20:13:31Z via Pumpa To: Public CC: Followers

    We had a talk in Debconf17: Link

    George Standish likes this.

  • For Cat Babe

    2017-08-03T00:26:47Z via Pumpa To: Public CC: Followers

    Someone found that my fingerprint of PGP (RSA) can be read as: For Cat Babe (0x4ca7babe)

    It is not intentional, but it's good when it is easy to remember. It's sad that 32-bit is not enough to distinguish a key these days, though.

    Here, we have a dog, but no cat. Since she became older, she has tendency to stay inside. We accept the exception (it is unusual for our culture. You know, we take off our shoes when we enter inside).

    Claes Wallin (韋嘉誠) likes this.

    easy to remember

    McClane at 2017-08-06T10:53:03Z

  • /bin -> /usr/bin

    2017-07-18T04:49:45Z via Pumpa To: Public CC: Followers

    Yeah, this has been brewing for years in Fedora. Overall the page is informative and correct and in particular it explains well why they chose to symlink /bin -> /usr/bin rather than the other way around. The only thing that annoyed me was:
    The biggest part of Linux software is built with GNU autoconf/automake (i.e. GNU autotools), which are unaware of the Linux-specific /usr split. Maintaining the /usr split requires non-trivial project-specific handling in the upstream build system, and in your distribution's packages.
    Well. You call ./configure --prefix=/ instead of ./configure --prefix=/usr. But maybe that's instead a bit of an oversimplification, and anyway I do buy the argument that higher uniformity among packages reduces the maintenance burden.

    Claes Wallin (韋嘉誠) at 2017-07-18T08:18:26Z

    Yutaka Niibe likes this.

    Oh, Mageia did this years ago. So did Archlinux =)

    JanKusanagi at 2017-07-18T11:57:05Z

    Yutaka Niibe likes this.

  • Libgcrypt 1.7.8 released to fix CVE-2017-7526

    2017-06-30T01:44:02Z via Pumpa To: Public CC: Followers

    New vulnerability was found, and we introduced exponent blinding.

    Announcement

  • Like season's gift exchange

    2017-06-26T08:13:00Z via Pumpa To: Public CC: Followers

    From friends (whom I haven't met), we got new paper (about software vulnerability), for this season.

    These years, it's something like regular greetings. :-)

  • Itadakimasu (Now, I get your soul)

    2017-06-23T10:19:07Z via Pumpa To: Public CC: Followers

    In Japan, it is common practice for everyone to say "itadakimasu" for each meal. Without saying that, we can't start eating.

    The direct translation would be: "Now, I get your soul". It's a very short version of prayer before meals. We recognize "soul" for each food.

    I was explained that it's because of Buddhism, but I don't see such a practice in China, Thailand, or India.

    McClane, Claes Wallin (韋嘉誠) likes this.

    Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠), Claes Wallin (韋嘉誠) and 2 others shared this.

    Show all 5 replies
    Or.. it would be: thanks creatures.

    The philosophy behind is:

    草木国土悉皆成仏

    Everything is Buddha.  Those who eat or be eaten.

    Yutaka Niibe at 2017-06-24T12:15:44Z

    In China, it's just "EAT RICE". :-)

    Claes Wallin (韋嘉誠) at 2017-06-25T23:24:36Z

    Yutaka Niibe likes this.

    The practice is basically between those who eat and those being eaten.
    For example, I say "itadakimasu" even if I eat alone.

    Yutaka Niibe at 2017-06-26T07:35:06Z

  • Greetings

    2017-06-21T23:22:12Z via Pumpa To: Public CC: Followers

    In Japan, we say good morning, ohayou!, each other in the morning (usually among family, neighbers,and colleagues).

    I thought that it is a common practice around the world.

    In Chinese language program, I learned that there is no such practice in China.

    It reminds me that in Mainland, they called my name "Xin Bu Yu!" (in Chinese), or asked "Have you eaten?". Well, it might be better than mere greeting, since it can express we can recognize each other explicitly, or can get most important information.

    Ben Sturmfels likes this.

    At least in our family we tend to say "good morning" to family, friends and colleagues, though maybe it should be "have you had coffee?"

    Ben Sturmfels at 2017-06-22T00:52:18Z

    Yutaka Niibe, George Standish likes this.

  • GnuPG Fundraising Banner

    2017-06-09T00:36:06Z via Pumpa To: Public CC: Followers

    I put it on my own website.
    And if you are lucky, you can see it on the web page of SKS keyserver.

    https://dev.gnupg.org/w/artwork/
  • GnuPG Fundraising Rally

    2017-06-06T02:04:19Z via Pumpa To: Public CC: Followers

    Ben Sturmfels, George Standish, Claes Wallin (韋嘉誠) likes this.

    Claes Wallin (韋嘉誠) shared this.

    Let's gooooooo!!

    JanKusanagi at 2017-06-06T06:05:14Z

    Yutaka Niibe likes this.

  • GnuPG 2.1.21 released!

    2017-05-15T23:19:41Z via Pumpa To: Public CC: Followers

    I did many clean up; where I saw a compiler warning, I reviewed the code around to see a problem. Most warnings were no problem, but I could find and fix a bug or two. :-)

    https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000405.html

    Ben Sturmfels likes this.

    To satisfy dependencies, the following package is going to be installed:
      Package                        Version      Release       Arch    
    (medium "Core Release")
      gnupg2                         2.1.21       1.mga6        x86_64  



    Already on Mageia's updates xD

    JanKusanagi at 2017-05-16T00:08:11Z

    Yutaka Niibe likes this.

    Sorry, I was confused. I wrongly assumed that Mageia were based on Arch.

    It seems it's using RPM.

    Yutaka Niibe at 2017-05-16T00:25:18Z

  • GnuPG develpment with Phabricator

    2017-04-05T00:35:34Z via Pumpa To: Public CC: Followers

    We now have a site: https://dev.gnupg.org/
  • GnuPG e.V. Founded

    2017-03-30T07:48:21Z via Pumpa To: Public CC: Followers

    in March, 2017.

    What was your motivation for that step after all those years?

    mray INACTIVE at 2017-03-30T10:44:55Z

    If I understand correctly, non-profit status is needed to manage donation effectively.

    Yutaka Niibe at 2017-03-30T22:41:07Z