X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/6cb61f7923a69400792c8d6a7f9b73445ad342d3..8988e891075fcfb7c3c36b99a9bc41e725cd6dcd:/blog/archive/2014/03/03.rss diff --git a/blog/archive/2014/03/03.rss b/blog/archive/2014/03/03.rss index 516b9222b5..9ab9ccdd4a 100644 --- a/blog/archive/2014/03/03.rss +++ b/blog/archive/2014/03/03.rss 
@@ -6,6 +6,266 @@ http://people.skolelinux.org/pere/blog/ + + Public Trusted Timestamping services for everyone + http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html + http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html + Tue, 25 Mar 2014 12:50:00 +0100 + <p>Did you ever need to store logs or other files in a way that would +allow it to be used as evidence in court, and needed a way to +demonstrate without reasonable doubt that the file had not been +changed since it was created? Or, did you ever need to document that +a given document was received at some point in time, like some +archived document or the answer to an exam, and not changed after it +was received? The problem in these settings is to remove the need to +trust yourself and your computers, while still being able to prove +that a file is the same as it was at some given time in the past.</p> + +<p>A solution to these problems is to have a trusted third party +"stamp" the document and verify that at some given time the document +looked a given way. Such +<a href="https://en.wikipedia.org/wiki/Notarius">notarius</a> service +have been around for thousands of years, and its digital equivalent is +called a +<a href="http://en.wikipedia.org/wiki/Trusted_timestamping">trusted +timestamping service</a>. <a href="http://www.ietf.org/">The Internet +Engineering Task Force</a> standardised how such service could work a +few years ago as <a href="http://tools.ietf.org/html/rfc3161">RFC +3161</a>. The mechanism is simple. Create a hash of the file in +question, send it to a trusted third party which add a time stamp to +the hash and sign the result with its private key, and send back the +signed hash + timestamp. Both email, FTP and HTTP can be used to +request such signature, depending on what is provided by the service +used. 
Anyone with the document and the signature can then verify that +the document matches the signature by creating their own hash and +checking the signature using the trusted third party public key. +There are several commercial services around providing such +timestamping. A quick search for +"<a href="https://duckduckgo.com/?q=rfc+3161+service">rfc 3161 +service</a>" pointed me to at least +<a href="https://www.digistamp.com/technical/how-a-digital-time-stamp-works/">DigiStamp</a>, +<a href="http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx">Quo +Vadis</a>, +<a href="https://www.globalsign.com/timestamp-service/">Global Sign</a> +and <a href="http://www.globaltrustfinder.com/TSADefault.aspx">Global +Trust Finder</a>. The system work as long as the private key of the +trusted third party is not compromised.</p> + +<p>But as far as I can tell, there are very few public trusted +timestamp services available for everyone. I've been looking for one +for a while now. But yesterday I found one over at +<a href="https://www.pki.dfn.de/zeitstempeldienst/">Deutches +Forschungsnetz</a> mentioned in +<a href="http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/">a +blog by David Müller</a>. I then found +<a href="http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html">a +good recipe on how to use the service</a> over at the University of +Greifswald.</p> + +<p><a href="http://www.openssl.org/">The OpenSSL library</a> contain +both server and tools to use and set up your own signing service. See +the ts(1SSL), tsget(1SSL) manual pages for more details. 
The +following shell script demonstrate how to extract a signed timestamp +for any file on the disk in a Debian environment:</p> + +<p><blockquote><pre> +#!/bin/sh +set -e +url="http://zeitstempel.dfn.de" +caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt" +reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq) +resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr) +cafile=chain.txt +if [ ! -f $cafile ] ; then + wget -O $cafile "$caurl" +fi +openssl ts -query -data "$1" -cert | tee "$reqfile" \ + | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile" +openssl ts -reply -in "$resfile" -text 1>&2 +openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2 +base64 < "$resfile" +rm "$reqfile" "$resfile" +</pre></blockquote></p> + +<p>The argument to the script is the file to timestamp, and the output +is a base64 encoded version of the signature to STDOUT and details +about the signature to STDERR. Note that due to +<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553">a bug +in the tsget script</a>, you might need to modify the included script +and remove the last line. Or just write your own HTTP uploader using +curl. :) Now you too can prove and verify that files have not been +changed.</p> + +<p>But the Internet need more public trusted timestamp services. +Perhaps something for <a href="http://www.uninett.no/">Uninett</a> or +my work place the <a href="http://www.uio.no/">University of Oslo</a> +to set up?</p> + + + + + Video DVD reader library / python-dvdvideo - nice free software + http://people.skolelinux.org/pere/blog/Video_DVD_reader_library___python_dvdvideo___nice_free_software.html + http://people.skolelinux.org/pere/blog/Video_DVD_reader_library___python_dvdvideo___nice_free_software.html + Fri, 21 Mar 2014 15:25:00 +0100 + <p>Keeping your DVD collection safe from scratches and curious +children fingers while still having it available when you want to see a +movie is not straight forward. 
My preferred method at the moment is +to store a full copy of the ISO on a hard drive, and use VLC, Popcorn +Hour or other useful players to view the resulting file. This way the +subtitles and bonus material are still available and using the ISO is +just like inserting the original DVD record in the DVD player.</p> + +<p>Earlier I used dd for taking security copies, but it do not handle +DVDs giving read errors (which are quite a few of them). I've also +tried using +<a href="http://people.skolelinux.org/pere/blog/Ripping_problematic_DVDs_using_dvdbackup_and_genisoimage.html">dvdbackup +and genisoimage</a>, but these days I use the marvellous python library +and program +<a href="http://bblank.thinkmo.de/blog/new-software-python-dvdvideo">python-dvdvideo</a> +written by Bastian Blank. It is +<a href="http://packages.qa.debian.org/p/python-dvdvideo.html">in Debian +already</a> and the binary package name is python3-dvdvideo. Instead +of trying to read every block from the DVD, it parses the file +structure and figure out which block on the DVD is actually in used, +and only read those blocks from the DVD. This work surprisingly well, +and I have been able to almost backup my entire DVD collection using +this method.</p> So far, python-dvdvideo have failed on between 10 and +20 DVDs, which is a small fraction of my collection. The most common +problem is +<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720831">DVDs +using UTF-16 instead of UTF-8 characters</a>, which according to +Bastian is against the DVD specification (and seem to cause some +players to fail too). A rarer problem is what seem to be inconsistent +DVD structures, as the python library +<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723079">claim +there is a overlap between objects</a>. An equally rare problem claim +<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741878">some +value is out of range</a>. No idea what is going on there. 
I wish I +knew enough about the DVD format to fix these, to ensure my movie +collection will stay with me in the future.</p> + +<p>So, if you need to keep your DVDs safe, back them up using +python-dvdvideo. :)</p> + + + + + Norsk utgave av Alaveteli / WhatDoTheyKnow på trappene + http://people.skolelinux.org/pere/blog/Norsk_utgave_av_Alaveteli___WhatDoTheyKnow_p__trappene.html + http://people.skolelinux.org/pere/blog/Norsk_utgave_av_Alaveteli___WhatDoTheyKnow_p__trappene.html + Sun, 16 Mar 2014 09:30:00 +0100 + <p>Det offentlige Norge har mye kunnskap og informasjon. Men hvordan +kan en få tilgang til den på en enkel måte? Takket være et lite +knippe lover og tilhørende forskrifter, blant annet +<a href="http://lovdata.no/dokument/NL/lov/2006-05-19-16">offentlighetsloven</a>, +<a href="http://lovdata.no/dokument/NL/lov/2003-05-09-31">miljøinformasjonsloven</a> +og +<a href="http://lovdata.no/dokument/NL/lov/1967-02-10/">forvaltningsloven</a> +har en rett til å spørre det offentlige og få svar. Men det finnes +intet offentlig arkiv over hva andre har spurt om, og dermed risikerer en +å måtte forstyrre myndighetene gang på gang for å få tak i samme +informasjonen på nytt. <a href="http://www.mysociety.org/">Britiske +mySociety</a> har laget tjenesten +<a href="http://www.whatdotheyknow.com/">WhatDoTheyKnow</a> som gjør +noe med dette. I Storbritannia blir WhatdoTheyKnow brukt i +<a href="http://www.mysociety.org/2011/07/01/whatdotheyknows-share-of-central-government-foi-requests-q2-2011/">ca +15% av alle innsynsforespørsler mot sentraladministrasjonen</a>. +Prosjektet heter <a href="http://www.alaveteli.org/">Alaveteli</A>, og +er takk i bruk en rekke steder etter at løsningen ble generalisert og +gjort mulig å oversette. Den hjelper borgerne med å be om innsyn, +rådgir ved purringer og klager og lar alle se hvilke henvendelser som +er sendt til det offentlige og hvilke svar som er kommet inn, i et +søkpart arkiv. 
Her i Norge holder vi i foreningen NUUG på å få opp en +norsk utgave av Alaveteli, og her trenger vi din hjelp med +oversettelsen.</p> + +<p>Så langt er 76 % av Alaveteli oversatt til norsk bokmål, men vi +skulle gjerne vært oppe i 100 % før lansering. Oversettelsen gjøres +på <a href="https://www.transifex.com/projects/p/alaveteli/">Transifex, +der enhver som registrerer seg</a> og ber om tilgang til +bokmålsoversettelsen får bidra. Vi har satt opp en test av tjenesten +(som ikke sender epost til det offentlige, kun til oss som holder på å +sette opp tjenesten) på maskinen +<a href="http://alaveteli-dev.nuug.no/">alaveteli-dev.nuug.no</a>, der +en kan se hvordan de oversatte meldingen blir seende ut på nettsiden. +Når tjenesten lanseres vil den hete +<a href="https://www.mimesbrønn.no/">Mimes brønn</a>, etter +visdomskilden som Odin måtte gi øyet sitt for å få drikke i. Den +nettsiden er er ennå ikke klar til bruk.</p> + +<p>Hvis noen vil oversette til nynorsk også, så skal vi finne ut +hvordan vi lager en flerspråklig tjeneste. Men i første omgang er +fokus på bokmålsoversettelsen, der vi selv har nok peiling til å ha +fått oversatt 76%, men trenger hjelp for å komme helt i mål. :)</p> + + + + + Freedombox on Dreamplug, Raspberry Pi and virtual x86 machine + http://people.skolelinux.org/pere/blog/Freedombox_on_Dreamplug__Raspberry_Pi_and_virtual_x86_machine.html + http://people.skolelinux.org/pere/blog/Freedombox_on_Dreamplug__Raspberry_Pi_and_virtual_x86_machine.html + Fri, 14 Mar 2014 11:00:00 +0100 + <p>The <a href="https://wiki.debian.org/FreedomBox">Freedombox +project</a> is working on providing the software and hardware for +making it easy for non-technical people to host their data and +communication at home, and being able to communicate with their +friends and family encrypted and away from prying eyes. 
It has been +going on for a while, and is slowly progressing towards a new test +release (0.2).</p> + +<p>And what day could be better than the Pi day to announce that the +new version will provide "hard drive" / SD card / USB stick images for +Dreamplug, Raspberry Pi and VirtualBox (or any other virtualization +system), and can also be installed using a Debian installer preseed +file. The Debian based Freedombox is now based on Debian Jessie, +where most of the needed packages used are already present. Only one, +the freedombox-setup package, is missing. To try to build your own +boot image to test the current status, fetch the freedom-maker scripts +and build using +<a href="http://packages.qa.debian.org/vmdebootstrap">vmdebootstrap</a> +with a user with sudo access to become root: + +<pre> +git clone http://anonscm.debian.org/git/freedombox/freedom-maker.git \ + freedom-maker +sudo apt-get install git vmdebootstrap mercurial python-docutils \ + mktorrent extlinux virtualbox qemu-user-static binfmt-support \ + u-boot-tools +make -C freedom-maker dreamplug-image raspberry-image virtualbox-image +</pre> + +<p>Root access is needed to run debootstrap and mount loopback +devices. See the README for more details on the build. If you do not +want all three images, trim the make line. But note that thanks to <a +href="https://bugs.debian.org/741407">a race condition in +vmdebootstrap</a>, the build might fail without the patch to the +kpartx call.</p> + +<p>If you instead want to install using a Debian CD and the preseed +method, boot a Debian Wheezy ISO and use this boot argument to load +the preseed values:</p> + +<pre> +url=<a href="http://www.reinholdtsen.name/freedombox/preseed-jessie.dat">http://www.reinholdtsen.name/freedombox/preseed-jessie.dat</a> +</pre> + +<p>But note that due to <a href="https://bugs.debian.org/740673">a +recently introduced bug in apt in Jessie</a>, the installer will +currently hang while setting up APT sources. 
Killing the +'<tt>apt-cdrom ident</tt>' process when it hang a few times during the +installation will get the installation going. This affect all +installations in Jessie, and I expect it will be fixed soon.</p> + +Give it a go and let us know how it goes on the mailing list, and help +us get the new release published. :) Please join us on +<a href="irc://irc.debian.org:6667/%23freedombox">IRC (#freedombox on +irc.debian.org)</a> and +<a href="http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss">the +mailing list</a> if you want to help make this vision come true.</p> + + + How to add extra storage servers in Debian Edu / Skolelinux http://people.skolelinux.org/pere/blog/How_to_add_extra_storage_servers_in_Debian_Edu___Skolelinux.html
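Review bot: In the shell script of the first added item (the timestamping post), the `if [ ! -f $cafile ]` guard only tests that chain.txt exists. With `set -e`, a wget run that fails after creating the output file leaves an empty or partial chain.txt in the working directory, and every later run skips the download and hands that file to `openssl ts -verify -CAfile`. Suggest downloading to a temporary name and moving it into place only on success, or testing with `-s` and removing the file on error. The same `set -e` means a failed tsget or a failed verify exits before `rm "$reqfile" "$resfile"`, so the temporary request and response files stay behind; a `trap` on EXIT would cover that. Separately, the embedded HTML in this hunk is unbalanced. In the python-dvdvideo item, the text starting "So far, python-dvdvideo have failed" follows a `</p>` and ends in a second `</p>` with no opening `<p>`. In the Freedombox item, the paragraph ending "to become root:" is never closed before `<pre>`, and the "Give it a go" text closes with `</p>` without an opening tag. Feed readers will render these inconsistently, so the tags should be balanced before the item is published.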