Elena ``of Valhalla'' valhalla@identi.ca

  • End Summer Camp videos published

    2016-09-24T20:30:07Z via social.gl-como.it To: Public

    The End Summer Camp videos have been published: https://www.youtube.com/user/endsummercamp/videos

    @Gruppo Linux Como I warmly recommend watching ESC1605 PANDA A New Development Attitude (on the couch, but please no popcorn, unless you have someone next to you to save you if it goes down the wrong way)
  • 2016-09-22T07:37:34Z via social.gl-como.it To: Public

    mjg59 | Microsoft aren't forcing Lenovo to block free operating systems
    There's a story going round that Lenovo have signed an agreement with Microsoft that prevents installing free operating systems. This is sensationalist, untrue and distracts from a genuine problem.
    @Gruppo Linux Como yet another reason why we may have problems installing linux on computers.

    Douglas Perkins likes this.

    Douglas Perkins shared this.

  • 2016-09-20T20:12:45Z via social.gl-como.it To: Public

    Horrible Facebook Algorithm Accident Results In Exposure To New Ideas
    MENLO PARK, CA—Assuring users that the company’s entire team of engineers was working hard to make sure a glitch like this never happens again, Facebook executives confirmed during a press conference Tuesday that a horrible accident last night involving the website’s algorithm had resulted in thousands of users being exposed to new concepts.

    Jason Self likes this.

  • Candy from Strangers

    2016-09-06T18:46:55Z via social.gl-como.it To: Public

    A few days ago I gave a talk at ESC about some reasons why I think that using software, and especially libraries, from the packages of a community-managed distribution is important and much better than alternatives such as PyPI, npm etc. This article is a translation of what I planned to say before forgetting bits of it and luckily adding it back as an answer to a question :)

    When I was young, my parents taught me not to accept candy from strangers, unless they were present and approved of it, because there was a small risk of very bad things happening. It was of course a simplistic rule, but it had to be easy enough to follow for somebody who wasn't proficient (yet) in the subtleties of social interactions.

    One of the reasons why it worked well was that following it wasn't a big burden: at home candy was plenty and actual offers were rare: I only remember missing one piece of candy because of it, and while it may have been a great one, the ones I could have at home were also good.

    Contrary to candy, offers of gratis software from random strangers are quite common: from suspicious looking websites to legit and professional looking ones, to platforms that are explicitly designed to allow developers to publish their own software with little or no checks.

    Just like with candy, there is also a source of trusted software: the Linux distributions, especially those led by a community. I mention mostly Debian because it's the one I know best, but the same principles apply to Fedora and, to some measure, to most of the other distributions. Like good parents, distributions can be wrong, and they do leave room for older children (and proficient users) to make their own choices, but they still provide a safe default.

    Among the unsafe sources there are many different cases, and while they do share some of the risks, they have different targets with different issues; for brevity the scope of this article is limited to the ones that mostly concern software developers: language-specific package managers and software distribution platforms like PyPI, npm, rubygems etc.

    These platforms are extremely convenient both for the writers of libraries, who are enabled to publish their work with minor hassle, and for the people who use such libraries, because they provide an easy way to install and use a huge amount of code. They are of course also an excellent place for distributions to find new libraries to package and distribute, and this I agree is a good thing.

    What I however believe is that getting code from such sources and using it without carefully checking it is even more risky than accepting candy from a random stranger on the street in an unfamiliar neighbourhood.

    The risks aren't trivial: while you probably won't be taken hostage for ransom, your data could be, or your devices and those of the people who run your programs could be used in some criminal act, causing at least some monetary damage both to yourself and to society at large.

    If you're writing code that should be maintained over time there are also other risks even when no malice is involved, because each package on these platforms has a different policy with regard to updates, their backwards compatibility and what can be expected in case an old version is found to have security issues.

    The very fact that everybody can publish anything on such platforms is both their biggest strength and their main source of vulnerability: while most of the people who publish their libraries do so with good intentions, attacks have been described and publicly tested, such as the fun typo-squatting one (http://incolumitas.com/2016/06/08/typosquatting-package-managers/, archived URL) that published harmless proof-of-concept code under common typos of the names of famous libraries.

    Contrast this with Debian, where everybody can contribute, but before they are allowed full unsupervised access to the archive they have to establish a relationship with the rest of the community, which includes meeting other developers in real life, at the very least to get their gpg keys signed.

    This doesn't prevent malicious people from introducing software, but it significantly raises the effort required to do so, and once caught, people can be prevented from repeating it much more effectively than a simple ban on an online-only account would allow.

    It is true that not every Debian maintainer actually does a full code review of everything that they allow into the archive, and in some cases it would be unreasonable to expect it, but in most cases they are at least familiar enough with the code to do bug triage, and most importantly they are in an excellent position to establish a relationship of mutual trust with the upstream authors.

    Additionally, package maintainers don't work in isolation: a growing number of packages are being maintained by a team of people, and most importantly there are aspects that involve potentially the whole community, from the fact that new packages entering the distribution are publicly announced on a mailing list to the various distribution-wide QA efforts.

    Going back to the language-specific distribution platforms, sometimes even the people who manage the platform themselves can't be fully trusted to do the right thing: I believe everybody in the field remembers the npm fiasco where a lawyer's letter requesting the removal of a package started a series of events that resulted in potentially breaking a huge number of automated build systems.

    Here some of the problems were caused by technical policies that made the whole ecosystem especially vulnerable, but one big issue was the fact that the managers of the npm platform are a private entity with no oversight from the user community.

    Here not all distributions are equal, but contrast this with Debian, where the distribution is managed by a community that is based on a social contract and is governed via democratic procedures established in its constitution.

    Additionally, the long history of the distribution model means that many issues have already been met, the errors have already been done, and there are established technical procedures to deal with them in a better way.

    So, shouldn't we use language-specific distribution platforms at all? No! As developers we aren't children, we are adults who have the skills to distinguish between safe and unsafe libraries just as well as the average distribution maintainer can. What I believe we should do is stop treating them as a safe source that can be used blindly and reserve that status for actually trustworthy sources like Debian, falling back to the language-specific platforms only when strictly needed, and in that case:

    * actually check carefully what we are using, both by reading the code and by analysing the development and community practices of the authors;
    * if possible, share that work by becoming maintainers of that library ourselves in our favourite distribution, to prevent duplication of effort and to give back to the community whose work we benefit from.

    der.hans , sazius , Sarah Elkins , j1mc and 5 others like this.

    der.hans , Sarah Elkins , S.M. Oliva , Laura Arjona and 1 others shared this.
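The two practical checks a developer can automate before pulling a dependency from a language-specific index, as an added example that is not part of the original post: a screen for names that sit within a small edit distance of a well-known package (the typo-squatting attack the article refers to) and a screen for unpinned requirements, which silently take whatever the index serves next time (the update-policy risk the article mentions). The list of "well-known" names and the sample requirements file are constructed for the example; a real run would use a much larger list, for instance the names of the Python modules a distribution already packages.

```python
"""Heuristic pre-install screen for a Python requirements.txt.

Added example, not code from the original post. Flags:
  * names within a small Levenshtein distance of a well-known package
    that are not that package (possible typosquat);
  * requirements not pinned with ==, which will drift on the next install.
"""
import re

# Constructed sample of "famous" package names (not a real ranking).
WELL_KNOWN = {"requests", "numpy", "django", "flask", "urllib3",
              "setuptools", "pyyaml", "cryptography"}

# Constructed requirements.txt used by demo() and by the tests.
SAMPLE = """\
# constructed requirements.txt
requests==2.20.0
numpy>=1.15
reqeusts==2.20.0
Django
-r base.txt
"""

# name, optional [extras], optional version operator
REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -, _ and . to '-'.
    'python_DateUtil' and 'python-dateutil' are the same project on PyPI."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement(line: str):
    """Return (name, is_pinned) or None for blank, comment and option lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):   # '-r other.txt', '--index-url', ...
        return None
    m = REQ_LINE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2) == "=="


def check_requirements(text: str, well_known=WELL_KNOWN, max_distance: int = 2):
    """Return a list of (requested name, problem) findings, in file order."""
    findings = []
    known = {normalize(n) for n in well_known}
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, pinned = parsed
        norm = normalize(name)
        if norm not in known:
            # A near miss of a famous name that is not the famous name itself.
            for candidate in sorted(known):
                if edit_distance(norm, candidate) <= max_distance:
                    findings.append((name, f"possible typosquat of {candidate}"))
                    break
        if not pinned:
            findings.append((name, "not pinned with =="))
    return findings


def demo():
    """Run the screen over the constructed sample file."""
    return check_requirements(SAMPLE)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

The distance threshold is a heuristic: legitimate short names can sit two edits from a famous one, so a hit means "look at this package" rather than "this is malicious". Combining it with a pinned version (and, where the distribution packages the library, with the distribution's own package) is what turns the screen into the "check carefully" step the article asks for.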

  • 2016-08-31T15:42:42Z via social.gl-como.it To: Public

    Bd Sn , jrobertson like this.

    EricxDu , EricxDu , Bd Sn , der.hans and 1 others shared this.

    This is a terrific example of the unintended consequences (from the end users' points of view) of sharing contact information (and so much more) with these entities. I try not to beat people over the head on these issues, but I've definitely been sharing this story with loved ones to try to raise awareness of the fact that while they think "they have nothing to hide" that they actually do, and we need to protect each other from corporate surveillance.

    Charles ☕ Stanhope at 2016-08-31T15:51:56Z

    der.hans , Christopher Allan Webber , Elena ``of Valhalla'' like this.

  • Regenerating my laptop from scratch

    2016-08-28T12:54:23Z via social.gl-como.it To: Public

    * Old laptop.
    * New, empty hard disk.
    * One Debian basic installation (no gui, just ssh server and basics)
    * (one dist-upgrade to stretch, because of course)
    * One ansible command (and some waiting)
    * One mr command (and even more waiting)

    The result: a new shiny installation with almost¹ everything I need on a laptop, including the programs I usually use, my configuration files, my data and my projects.

    No proper backup involved, no wasted storage on backing up OS files.

    I will properly document what I've done (including how ansible is used to get the starting mr configuration, solving my bootstrapping issues), but right now I'm just celebrating the result.

    ¹ I still haven't completed the list of packages², and in some cases apt installing at need works probably best.

    ² but the essential ones are there, including vim, screen, wesnoth and widelands :D

    Claes Wallin (韋嘉誠) , Blaise Alleyne , Bd Sn , jrobertson and 1 others like this.

  • 2016-08-26T13:26:32Z via social.gl-como.it To: Public

    Pepper & Carrot comic goes animated! | Krita
    Freelance artist Nikolai Mamashev has launched an initiative to create an animated version of the open source webcomic “Pepper & Carrot” by David Revoy.
    Head to indiegogo to pledge for the campaign.

    Matteo Bechini likes this.

  • 2016-08-26T13:15:23Z via social.gl-como.it To: Public

    mjg59 | Priorities in security
    "Can a state-level actor break this" may be something we can legitimately write off. "Can a security expert continue reading their ex-partner's email" shouldn't be.
  • 2016-08-23T11:51:28Z via social.gl-como.it To: Public

    With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive
    Microsoft had an ambitious goal with the launch of Windows 10: a billion devices running the software by the end of 2018. In its quest to reach that goal, the company aggressively pushed Windows 10 on its users and went so far as to offer free upgrades for a whole year. However, the company’s strategy for user adoption has trampled on essential aspects of modern computing: user choice and privacy. We think that’s wrong.

    Bd Sn , Ben Sturmfels like this.

    Benjamin Cook , Benjamin Cook shared this.

  • 2016-08-21T19:45:33Z via social.gl-como.it To: Public

    OpenStreetMap | mvexel's diary | Introducing OpenStreetView
    After almost a year of thinking, development and testing, the OSM team at Telenav is ready to present OpenStreetView to all OSM mappers! OpenStreetview (OSV) is the free and open street level imagery platform designed 100% with OSM and mappers in mind.

    Charles ☕ Stanhope , David "Judah's Shadow" Blue , lnxwalt@microca.st , Jorge like this.

    Matteo Bechini , Benjamin Cook , Benjamin Cook shared this.

  • 2016-08-14T21:35:07Z via social.gl-como.it To: Public

    Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People - Bradley M. Kuhn ( Brad ) ( bkuhn )
    At least one person has already been killed in a crash while using a proprietary software auto-control system. Volkswagen decided to take a different route; they decided to kill us all slowly (rather than quickly) by using proprietary software to lie about their emissions and illegally polluting our air.

    Enrico Rossi likes this.

    Enrico Rossi shared this.

  • 2016-08-12T07:50:47Z via social.gl-como.it To: Public

    FSFE 15th Anniversary - FSFE
    The FSFE is celebrating its 15th anniversary this year and we would like you to be part of it.
  • 2016-08-10T07:55:05Z via social.gl-como.it To: Public

    Debian Day in Varese
    As every year, 16 August is Debian Day, the birthday of the Universal Operating System.

    Since many people are on holiday at this time of year, we haven't organised any particular events, but we are meeting for dinner at the Vecchia Varese in via Ravasi.

    For information or to join the booking, contact @Elena ``of Valhalla'' as soon as possible or drop by #lifo@FreeNode.

    @Gruppo Linux Como

  • 2016-08-09T14:08:03Z via social.gl-como.it To: Public

    Hellwig Announces He Will Appeal VMware Ruling After Evidentiary Set Back in Lower Court - Software Freedom Conservancy
    In a statement on his website, Christoph Hellwig announced today that he will appeal the ruling of the Hamburg District Court, which recently dismissed his case against VMware. As Christoph underscores in his statement, the ruling concerned German evidence law and the Court did not rule on the merits of the case.

    gregor herrmann shared this.

  • 2016-08-08T07:11:09Z via social.gl-como.it To: Public

    Call for Speakers
    Take a leading role at the next Linux Day! Apply here to make yourself known to the Linux Day organisers and take part as a speaker at one of the events being set up. By indicating your province of residence you will, where needed, be contacted by one of the local groups and invited to talk about your experience, show your project, hold your workshop or propose your idea on Saturday 22 October.
    The organisers are starting to prepare the programmes: for some cities only a few days remain to apply, so hurry up!
  • Personal git hosting, under https

    2016-08-07T19:37:48Z via social.gl-como.it To: Public

    I've finally found the time to finish configuring:

    * various stuff, including gitolite
    * a cgit server
    * letsencrypt

    on https://git.trueelena.org/ to host my public git repositories; I now only have to push the missing ones ("only"…).

    All of the configuration, especially the one related to letsencrypt, is under ansible, and thus as soon as the relevant people are home from the holidays we can work on configuring it on the @Gruppo Linux Como websites.

    jasonriedy@fmrl.me , Timo Kankare , Lars Wirzenius , lnxwalt@microca.st and 4 others like this.

    Jason Self , Claes Wallin (韋嘉誠) shared this.

  • 2016-08-07T13:03:14Z via social.gl-como.it To: Public

    History Jokes | rainbow-squirrels-7: So I learned my new...
    “ So I learned my new favorite history fact in my AP US class today. It’s hilarious and goes a bit like this
    In 1989, President Bush sent troops to Panama to capture the dictator...
    Uhm, no, this is not "ah, ah, funny, they really don't like our music", it's called torture (probably of the sleep deprivation variety, possibly something more) and not just of the target, but also of other people in the embassy who didn't commit any crime and possibly also of a number of innocent neighbors.
  • 2016-08-05T07:50:29Z via social.gl-como.it To: Public

    Why You Should Speak At & Attend LinuxConf Australia - Bradley M. Kuhn ( Brad ) ( bkuhn )
    Monday 1 February 2016 was the longest day of my life, but I don't mean that in the canonical, figurative, and usually negative sense of that phrase. I mean it literally and in a positive way.
  • 2016-08-04T11:16:59Z via social.gl-como.it To: Public

    Weblog for dkg - Changes for GnuPG in Debian
    Debian currently ships two versions of GnuPG in every maintained suite -- in particular, /usr/bin/gpg has historically always been provided by the "classic" branch.

    That's going to change!

    Debian unstable will soon be moving to the "modern" branch for providing /usr/bin/gpg. This will give several advantages for Debian and its users in the future, but it will require a transition. Hopefully we can make it a smooth one.
  • 2016-08-04T09:44:31Z via social.gl-como.it To: Public

    Feminism and Equality

    Here once again, following the idea of @(: aNNa :) blume. :-)

    Tags: #feminismus #feminism #egalitarism #gleichheit #emanzipation #comic #comicstrip #ravenbird #2016-07-26

    B. Ross Ashley , Paco Vila , sazius , Freemor and 2 others like this.

    Freemor shared this.