X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/f7c22ab984131ca652c0260c76ffff22398a2bae..aa49fa65d96f7ceb8c72c638b31e07f435ad5a79:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 4541e6eaad..9dbe2035b3 100644 --- a/blog/index.rss +++ b/blog/index.rss @@ -7,993 +7,683 @@ - Testing if a file system can be used for home directories... - http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html - http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html - Sun, 8 Aug 2010 21:20:00 +0200 + Debian in 3D + http://people.skolelinux.org/pere/blog/Debian_in_3D.html + http://people.skolelinux.org/pere/blog/Debian_in_3D.html + Tue, 9 Nov 2010 16:10:00 +0100 -<p>A few years ago, I was involved in a project planning to use -Windows file servers as home directory servers for Debian -Edu/Skolelinux machines. This was thought to be no problem, as the -access would be through the SMB network file system protocol, and we -knew other sites used SMB with unix and samba as the file server to -mount home directories without any problems. But, after months of -struggling, we had to conclude that our goal was impossible.</p> - -<p>The reason is simply that while SMB can be used for home -directories when the file server is Samba running on Unix, this only -work because of Samba have some extensions and the fact that the -underlying file system is a unix file system. When using a Windows -file server, the underlying file system do not have POSIX semantics, -and several programs will fail if the users home directory where they -want to store their configuration lack POSIX semantics.</p> - -<p>As part of this work, I wrote a small C program I want to share -with you all, to replicate a few of the problematic applications (like -OpenOffice.org and GCompris) and see if the file system was working as -it should. If you find yourself in spooky file system land, it might -help you find your way out again. This is the fs-test.c source:</p> - -<pre> -/* - * Some tests to check the file system sematics. Used to verify that - * CIFS from a windows server do not work properly as a linux home - * directory. - * License: GPL v2 or later - * - * needs libsqlite3-dev and build-essential installed - * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test -*/ - -#define _FILE_OFFSET_BITS 64 -#define _LARGEFILE_SOURCE 1 -#define _LARGEFILE64_SOURCE 1 - -#define _GNU_SOURCE /* for asprintf() */ - -#include <errno.h> -#include <fcntl.h> -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <sys/file.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#ifdef TEST_SQLITE -/* - * Test sqlite open, as done by gcompris require the libsqlite3-dev - * package and linking with -lsqlite3. A more low level test is - * below. - * See also <URL: http://www.sqlite.org./faq.html#q5 >. - */ -#include <sqlite3.h> -#define CREATE_TABLE_USERS \ - "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT ); " -int test_sqlite_open(void) { - char *zErrMsg; - char *name = "testsqlite.db"; - sqlite3 *db=NULL; - unlink(name); - int rc = sqlite3_open(name, &db); - if( rc ){ - printf("error: sqlite open of %s failed: %s\n", name, sqlite3_errmsg(db)); - sqlite3_close(db); - return -1; - } - - /* create tables */ - rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL, 0, &zErrMsg); - if( rc != SQLITE_OK ){ - printf("error: sqlite table create failed: %s\n", zErrMsg); - sqlite3_close(db); - return -1; - } - printf("info: sqlite worked\n"); - sqlite3_close(db); - return 0; -} -#endif /* TEST_SQLITE */ - -/* - * Demonstrate locking issue found in gcompris using sqlite3. This - * work with ext3, but not with cifs server on Windows 2003. This is - * done in the sqlite3 library. - * See also - * <URL:http://www.cygwin.com/ml/cygwin/2001-08/msg00854.html> and the - * POSIX specification - * <URL:http://www.opengroup.org/onlinepubs/009695399/functions/fcntl.html>. - */ -int test_gcompris_locking(void) { - struct flock fl; - char *name = "testsqlite.db"; - unlink(name); - int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, 0644); - printf("info: testing fcntl locking\n"); - - fl.l_whence = SEEK_SET; - fl.l_pid = getpid(); - printf(" Read-locking 1 byte from 1073741824"); - fl.l_start = 1073741824; - fl.l_len = 1; - fl.l_type = F_RDLCK; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - printf(" Read-locking 510 byte from 1073741826"); - fl.l_start = 1073741826; - fl.l_len = 510; - fl.l_type = F_RDLCK; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - printf(" Unlocking 1 byte from 1073741824"); - fl.l_start = 1073741824; - fl.l_len = 1; - fl.l_type = F_UNLCK; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - printf(" Write-locking 1 byte from 1073741824"); - fl.l_start = 1073741824; - fl.l_len = 1; - fl.l_type = F_WRLCK; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - printf(" Write-locking 510 byte from 1073741826"); - fl.l_start = 1073741826; - fl.l_len = 510; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - printf(" Unlocking 2 byte from 1073741824"); - fl.l_start = 1073741824; - fl.l_len = 2; - fl.l_type = F_UNLCK; - if (0 != fcntl(fd, F_SETLK, &fl) ) printf(" - error!\n"); else printf("\n"); - - close(fd); - return 0; -} - -/* - * Test if permissions of freshly created directories allow entries - * below them. This was a problem with OpenOffice.org and gcompris. - * Mounting with option 'sync' seem to solve this problem while - * slowing down file operations. - */ -int test_subdirectory_creation(void) { -#define LEVELS 5 - char *path = strdup("test"); - char *dirs[LEVELS]; - int level; - printf("info: testing subdirectory creation\n"); - for (level = 0; level < LEVELS; level++) { - char *newpath = NULL; - if (-1 == mkdir(path, 0777)) { - printf(" error: Unable to create directory '%s': %s\n", - path, strerror(errno)); - break; - } - asprintf(&newpath, "%s/%s", path, "test"); - free(path); - path = newpath; - } - return 0; -} - -/* - * Test if symlinks can be created. This was a problem detected with - * KDE. - */ -int test_symlinks(void) { - printf("info: testing symlink creation\n"); - unlink("symlink"); - if (-1 == symlink("file", "symlink")) - printf(" error: Unable to create symlink\n"); - return 0; -} - -int main(int argc, char **argv) { - printf("Testing POSIX/Unix sematics on file system\n"); - test_symlinks(); - test_subdirectory_creation(); -#ifdef TEST_SQLITE - test_sqlite_open(); -#endif /* TEST_SQLITE */ - test_gcompris_locking(); - return 0; -} -</pre> - -<p>When everything is working, it should print something like -this:</p> - -<pre> -Testing POSIX/Unix sematics on file system -info: testing symlink creation -info: testing subdirectory creation -info: sqlite worked -info: testing fcntl locking - Read-locking 1 byte from 1073741824 - Read-locking 510 byte from 1073741826 - Unlocking 1 byte from 1073741824 - Write-locking 1 byte from 1073741824 - Write-locking 510 byte from 1073741826 - Unlocking 2 byte from 1073741824 -</pre> - -<p>I do not remember the exact details of the problems we saw, but one -of them was with locking, where if I remember correctly, POSIX allow a -read-only lock to be upgraded to a read-write lock without unlocking -the read-only lock (while Windows do not). Another was a bug in the -CIFS/SMB client implementation in the Linux kernel where directory -meta information would be wrong for a fraction of a second, making -OpenOffice.org fail to create its deep directory tree because it was -not allowed to create files in its freshly created directory.</p> - -<p>Anyway, here is a nice tool for your tool box, might you never need -it. :)</p> +<p><img src="http://thingiverse-production.s3.amazonaws.com/renders/23/e0/c4/f9/2b/debswagtdose_preview_medium.jpg"></p> + +<p>3D printing is just great. I just came across this Debian logo in +3D linked in from +<a href="http://blog.thingiverse.com/2010/11/09/participatory-branding/">the +thingiverse blog</a>.</p> - Autodetecting Client setup for roaming workstations in Debian Edu - http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html - http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html - Sat, 7 Aug 2010 14:45:00 +0200 + Datatilsynet mangler verktøyet som trengs for å kontrollere kameraovervåkning + http://people.skolelinux.org/pere/blog/Datatilsynet_mangler_verkt__yet_som_trengs_for____kontrollere_kameraoverv__kning.html + http://people.skolelinux.org/pere/blog/Datatilsynet_mangler_verkt__yet_som_trengs_for____kontrollere_kameraoverv__kning.html + Tue, 9 Nov 2010 14:35:00 +0100 -<p>A few days ago, I -<a href="http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html">tried -to install</a> a Roaming workation profile from Debian Edu/Squeeze -while on the university network here at the University of Oslo, and -noticed how much had to change to get it operational using the -university infrastructure. It was fairly easy, but it occured to me -that Debian Edu would improve a lot if I could get the client to -connect without any changes at all, and thus let the client configure -itself during installation and first boot to use the infrastructure -around it. Now I am a huge step further along that road.</p> - -<p>With our current squeeze-test packages, I can select the roaming -workstation profile and get a working laptop connecting to the -university LDAP server for user and group and our active directory -servers for Kerberos authentication. All this without any -configuration at all during installation. My users home directory got -a bookmark in the KDE menu to mount it via SMB, with the correct URL. -In short, openldap and sssd is correctly configured. In addition to -this, the client look for http://wpad/wpad.dat to configure a web -proxy, and when it fail to find it no proxy settings are stored in -/etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is -configured to look for the same wpad configuration and also do not use -a proxy when at the university network. If the machine is moved to a -network with such wpad setup, it would automatically use it when DHCP -gave it a IP address.</p> - -<p>The LDAP server is located using DNS, by first looking for the DNS -entry ldap.$domain. If this do not exist, it look for the -_ldap._tcp.$domain SRV records and use the first one as the LDAP -server. Next, it connects to the LDAP server and search all -namingContexts entries for posixAccount or posixGroup objects, and -pick the first one as the LDAP base. For Kerberos, a similar -algorithm is used to locate the LDAP server, and the realm is the -uppercase version of $domain.</p> - -<p>So, what is not working, you might ask. SMB mounting my home -directory do not work. No idea why, but suspected the incorrect -Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be -the cause. These are not properly configured during installation, and -had to be hand-edited to get the correct Kerberos realm and server, -but SMB mounting still do not work. :(</p> - -<p>With this automatic configuration in place, I expect a Debian Edu -roaming profile installation would be able to automatically detect and -connect to any site using LDAP and Kerberos for NSS directory and PAM -authentication. It should also work out of the box in a Active -Directory environment providing posixAccount and posixGroup objects -with UID and GID values.</p> - -<p>If you want to help out with implementing these things for Debian -Edu, please contact us on debian-edu@lists.debian.org.</p> +<p>En stund tilbake ble jeg oppmerksom på at Datatilsynets verktøy for +å holde rede på overvåkningskamera i Norge ikke var egnet til annet +enn å lage statistikk, og ikke kunne brukes for å kontrollere om et +overvåkningskamera i det offentlige rom er lovlig satt opp og +registrert. For å teste hypotesen sendte jeg for noen dager siden +følgende spørsmål til datatilsynet. Det omtalte kameraet står litt +merkelig plassert i veigrøften ved gangstien langs Sandakerveien, og +jeg lurer oppriktig på om det er lovlig plassert og registrert.</p> + +<p><blockquote> +<p>Date: Tue, 2 Nov 2010 16:08:20 +0100 +<br>From: Petter Reinholdtsen &lt;pere (at) hungry.com&gt; +<br>To: postkasse (at) datatilsynet.no +<br>Subject: Er overvåkningskameraet korrekt registrert?</p> + +<p>Hei.</p> + +<p>I Nydalen i Oslo er det mange overvåkningskamera, og et av dem er +spesielt merkelig plassert like over et kumlokk. Jeg lurer på om +dette kameraet er korrekt registrert og i henhold til lovverket.</p> + +<p>Finner ingen eierinformasjon på kameraet, og dermed heller ingenting å +søke på i &lt;URL: +<a href="http://hetti.datatilsynet.no/melding/report_search.pl">http://hetti.datatilsynet.no/melding/report_search.pl</a> &gt;. +Kartreferanse for kameraet er tilgjengelig fra +&lt;URL: +<a href="http://people.skolelinux.no/pere/surveillance-norway/?zoom=17&lat=59.94918&lon=10.76962&layers=B0T">http://people.skolelinux.no/pere/surveillance-norway/?zoom=17&lat=59.94918&lon=10.76962&layers=B0T</a> &gt;. + +<p>Kan dere fortelle meg om dette kameraet er registrert hos +Datatilsynet som det skal være i henhold til lovverket?</p> + +<p>Det hadde forresten vært fint om rådata fra kameraregisteret var +tilgjengelig på web og regelmessig oppdatert, for å kunne søke på +andre ting enn organisasjonsnavn og -nummer ved å laste det ned og +gjøre egne søk.</p> + +<p>Vennlig hilsen, +<br>-- +<br>Petter Reinholdtsen +</blockquote></p> + +<p>Her er svaret som kom dagen etter:</p> + +<p><blockquote> +<p>Date: Wed, 3 Nov 2010 14:44:09 +0100 +<br>From: "juridisk" &lt;juridisk (at) Datatilsynet.no&gt; +<br>To: Petter Reinholdtsen +<br>Subject: VS: Er overvåkningskameraet korrekt registrert? + +<p>Viser til e-post av 2. november. + +<p>Datatilsynet er det forvaltningsorganet som skal kontrollere at +personopplysningsloven blir fulgt. Formålet med loven er å verne +enkeltpersoner mot krenking av personvernet gjennom behandling av +personopplysninger.</p> + +<p>Juridisk veiledningstjeneste hos Datatilsynet gir råd og veiledning +omkring personopplysningslovens regler på generelt grunnlag.</p> + +<p>Datatilsynet har dessverre ikke en fullstendig oversikt over alle +kameraer, den oversikten som finner er i vår meldingsdatabase som du +finner her: +<a href="http://www.datatilsynet.no/templates/article____211.aspx">http://www.datatilsynet.no/templates/article____211.aspx</a></p> + +<p>Denne databasen gir en oversikt over virksomheter som har meldt inn +kameraovervåkning. Dersom man ikek vet hvilken virksomhet som er +ansvarlig, er det heller ikke mulig for Datatilsynet å søke dette +opp.</p> + +<p>Webkameraer som har så dårlig oppløsning at man ikke kan gjenkjenne +enkeltpersoner er ikke meldepliktige, da dette ikke anses som +kameraovervåkning i personopplysningslovens forstand. Dersom kameraet +du sikter til er et slikt webkamera, vil det kanskje ikke finnes i +meldingsdatabasen på grunn av dette. Også dersom et kamera med god +oppløsning ikke filmer mennesker, faller det utenfor loven.</p> + +<p>Datatilsynet har laget en veileder som gjennomgår når det er lov å +overvåke med kamera, se lenke: +<a href="http://www.datatilsynet.no/templates/article____401.aspx">http://www.datatilsynet.no/templates/article____401.aspx</a></p> + +<p>Dersom det ikke er klart hvem som er ansvarlig for kameraet, er det +vanskelig for Datatilsynet å ta kontakt med den ansvarlige for å få +avklart om kameraet er satt opp i tråd med tilsynets regelverk. Dersom +du mener at kameraet ikke er lovlig ut fra informasjonen ovenfor, kan +kameraet anmeldes til politiet.</p> + +<p>Med vennlig hilsen</p> + +<p>Maria Bakke +<br>Juridisk veiledningstjeneste +<br>Datatilsynet</p> +</blockquote></p> + +<p>Personlig synes jeg det bør være krav om å registrere hvert eneste +overvåkningskamera i det offentlige rom hos Datatilsynet, med +kartreferanse og begrunnelse om hvorfor det er satt opp, slik at +enhver borger enkelt kan hente ut kart over områder vi er interessert +i og sjekke om det er overvåkningskamera der som er satt opp uten å +være registert. Slike registreringer skal jo i dag fornyes +regelmessing, noe jeg mistenker ikke blir gjort. Dermed kan kamera +som en gang var korrekt registrert nå være ulovlig satt opp. Det +burde også være bøter for å ha kamera som ikke er korrekt registrert, +slik at en ikke kan ignorere registrering uten at det får +konsekvenser.</p> + +<p>En ide fra England som jeg har sans (lite annet jeg har sans for +når det gjelder overvåkningskamera i England) for er at enhver borger +kan be om å få kopi av det som er tatt opp med et overvåkningskamera i +det offentlige rom, noe som gjør at det kan komme løpende utgifter ved +å sette overvåkningskamera. Jeg tror alt som gjør det mindre +attraktivt å ha overvåkningskamera i det offentlige rom er en god +ting, så et slikt lovverk i Norge tror jeg hadde vært nyttig.</p> - Debian Edu roaming workstation - at the university of Oslo - http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html - http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html - Tue, 3 Aug 2010 23:30:00 +0200 + Making room on the Debian Edu/Sqeeze DVD + http://people.skolelinux.org/pere/blog/Making_room_on_the_Debian_Edu_Sqeeze_DVD.html + http://people.skolelinux.org/pere/blog/Making_room_on_the_Debian_Edu_Sqeeze_DVD.html + Sun, 7 Nov 2010 11:45:00 +0100 -<p>The new roaming workstation profile in Debian Edu/Squeeze is fairly -similar to the laptop setup am I working on using Ubuntu for the -University of Oslo, and just for the heck of it, I tested today how -hard it would be to integrate that profile into the university -infrastructure. In this case, it is the university LDAP server, -Active Directory Kerberos server and SMB mounting from the Netapp file -servers.</p> - -<p>I was pleasantly surprised that the only three files needed to be -changed (/etc/sssd/sssd.conf, /etc/ldap.conf and -/etc/mklocaluser.d/20-debian-edu-config) and one file had to be added -(/usr/share/perl5/Debian/Edu_Local.pm), to get the client working. -Most of the changes were to get the client to use the university LDAP -for NSS and Kerberos server for PAM, but one was to change a hard -coded DNS domain name in the mklocaluser hook from .intern to -.uio.no.</p> - -<p>This testing was so encouraging, that I went ahead and adjusted the -Debian Edu scripts and setup in subversion to centralise the roaming -workstation setup a bit more and avoid the hardcoded DNS domain name, -so that when I test this tomorrow, I expect to get away with modifying -only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the -university servers.</p> - -<p>My goal is to get the clients to have no hardcoded settings and -fetch all their initial setup during installation and first boot, to -allow them to be inserted also into environments where the default -setup in Debian Edu has been changed or as with the university, where -the environment is different but provides the protocols Debian Edu -uses.</p> +<p>Prioritising packages for the Debian Edu / +<a href="http://www.skolelinux.org/">Skolelinux</a> DVD, which is +supposed provide a school with all the services and user applications +needed on the pupils computer network has always been hard. Even +schools without Internet connections should be able to get Debian Edu +working using this DVD.</p> + +<p>The job became a lot harder when apt and aptitude started +installing recommended packages by default. We want the same set of +packages to be installed when using the DVD and the netinst CD, and +that means all recommended packages need to be on the DVD. I created +a patch for debian-cd in <a href="http://bugs.debian.org/601203">BTS +report #601203</a> to do this, and since this change was applied to +the Debian Edu DVD build, we have been seriously short on space.</p> + +<p>A few days ago we decided to drop blender, wxmaxima and kicad from +the default installation to save space on the DVD, believing that +those needing these applications are few and can get them from the +Debian archive.</p> + +<p>Yesterday, I had a look what source packages to see which packages +were using most space. A few large packages are well know; +openoffice.org, openclipart and fluid-soundfont. But I also +discovered that lilypond used 106 MiB and fglrx-driver used 53 MiB. +The lilypond package is pulled in as a dependency for rosegarden, and +when looking a bit closer I discovered that 99 MiB of the 106 MiB were +the documentation package, which is recommended by the binary package. +I decided to drop this documentation package from our DVD, as most of +our users will use the GUI front-ends and do not need the lilypond +documentation. Similarly, I dropped the non-free fglrx-driver package +which might be installed by d-i when its hardware is detected, as the +free X driver should work.</p> + +<p>With this change, we finally got space for the LXDE and Gnome +desktop packages as well as the language specific packages making the +DVD more useful again.</p> - Circular package dependencies harms apt recovery - http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html - http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html - Tue, 27 Jul 2010 23:50:00 +0200 + Norgeskartet på mange vis - via OpenStreetmap.org + http://people.skolelinux.org/pere/blog/Norgeskartet_p___mange_vis___via_OpenStreetmap_org.html + http://people.skolelinux.org/pere/blog/Norgeskartet_p___mange_vis___via_OpenStreetmap_org.html + Mon, 1 Nov 2010 11:15:00 +0100 -<p>I discovered this while doing -<a href="http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html">automated -testing of upgrades from Debian Lenny to Squeeze</a>. A few packages -in Debian still got circular dependencies, and it is often claimed -that apt and aptitude should be able to handle this just fine, but -some times these dependency loops causes apt to fail.</p> - -<p>An example is from todays -<a href="http://people.skolelinux.org/~pere/debian-upgrade-testing//test-20100727-lenny-squeeze-kde-aptitude.txt">upgrade -of KDE using aptitude</a>. In it, a bug in kdebase-workspace-data -causes perl-modules to fail to upgrade. The cause is simple. If a -package fail to unpack, then only part of packages with the circular -dependency might end up being unpacked when unpacking aborts, and the -ones already unpacked will fail to configure in the recovery phase -because its dependencies are unavailable.</p> - -<p>In this log, the problem manifest itself with this error:</p> - -<blockquote><pre> -dpkg: dependency problems prevent configuration of perl-modules: - perl-modules depends on perl (>= 5.10.1-1); however: - Version of perl on system is 5.10.0-19lenny2. -dpkg: error processing perl-modules (--configure): - dependency problems - leaving unconfigured -</pre></blockquote> - -<p>The perl/perl-modules circular dependency is already -<a href="http://bugs.debian.org/527917">reported as a bug</a>, and will -hopefully be solved as soon as possible, but it is not the only one, -and each one of these loops in the dependency tree can cause similar -failures. Of course, they only occur when there are bugs in other -packages causing the unpacking to fail, but it is rather nasty when -the failure of one package causes the problem to become worse because -of dependency loops.</p> - -<p>Thanks to -<a href="http://lists.debian.org/debian-devel/2010/06/msg00116.html">the -tireless effort by Bill Allombert</a>, the number of circular -dependencies -<a href="http://debian.semistable.com/debgraph.out.html">left in Debian -is dropping</a>, and perhaps it will reach zero one day. :)</p> - -<p>Todays testing also exposed a bug in -<a href="http://bugs.debian.org/590605">update-notifier</a> and -<a href="http://bugs.debian.org/590604">different behaviour</a> between -apt-get and aptitude, the latter possibly caused by some circular -dependency. Reported both to BTS to try to get someone to look at -it.</p> +<p>Har oppdaget at mange ikke er klar over at OpenStreetmap.org er +tilgjengelig i en rekke forskjellige formater. Her er en liste med +eksporter jeg kjenner til for Norge, for de som trenger et +fribrukskart til sine tjenester:</p> + +<p><ul> + +<li>Cloudmade tilbyr OSM XML, Garmin Map Files, Osmosis country +bounding polygon, Shapefile, Navit maps, GPX POI, TomTom POI og OSM +XML feature extracts via +<a href="http://downloads.cloudmade.com/europe/norway">sine +nedlastingssider</a>.</li> + +<li>Geofabric tilbyr +<a href="http://download.geofabrik.de/osm/europe/norway.osm.bz2">OSM +XML</a>, +<a href="http://download.geofabrik.de/osm/europe/norway.osm.pbf">OSM +protobuf binærformat</a> og +<a href="http://download.geofabrik.de/osm/europe/norway.shp.zip">ESRI +Shapefile (EPSG:4326)</a> fra sine nedlastingssider.</li> + +<li>Frikart.no tilbyr +<a href="http://www.frikart.no/garmin/">Garmin-kart</a> i uike +varianter for veibruk og turbruk sommer og vinter.</li> + +</ul></p> + +<p>Kartene oppdateres regelmessig, som oftest hver uke. Det skulle +dermed være noe for enhver smak.</p> - First Debian Edu test release (alpha0) based on Squeeze is released - http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html - http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html - Tue, 27 Jul 2010 17:45:00 +0200 + Best å ikke fortelle noen at streaming er nedlasting... + http://people.skolelinux.org/pere/blog/Best____ikke_fortelle_noen_at_streaming_er_nedlasting___.html + http://people.skolelinux.org/pere/blog/Best____ikke_fortelle_noen_at_streaming_er_nedlasting___.html + Sat, 30 Oct 2010 11:20:00 +0200 -<p>I just posted this announcement culminating several months of work -with the next Debian Edu release. Not nearly done, but one major step -completed.</p> - -<blockquote> -<p>This is the first test release based on Squeeze. The focus of this -release is to test the user application selection. To have a look, -install the standalone profile and let the developers know if the set -of installed packages i.e. applications should be modified. If some -user application is missing, or if there are some applications that no -longer make sense to be included in Debian Edu, please let us know. -Also, if a useful application is missing the translation for your -language of choice, please let us know too.</p> - -<p>In addition, feedback and help to polish the desktop (menus, -artwork, starters, etc.) is appreciated. We would like to ship a nice -and handy KDE4 desktop targeted for schools out of the box.</p> - -<p>The other profiles should be installable, but there is a lot more -work left to be done before they are ready, so do not expect to -much.</p> - -<p>Changes compared to the lenny based version</p> - -<ul> -<li>Everything from Debian Squeeze -<ul> - <li>Desktop environment KDE 4.4 => the new KDE desktop in - combination with some new artwork - <li>Web browser Iceweasel 3.5 - <li>OpenOffice.org 3.2 - <li>Educational toolbox GCompris 9.3 - <li>Music creator Rosegarden 10.04.2 - <li>Image editor Gimp 2.6.10 - <li>Virtual universe Celestia 1.6.0 - <li>Virtual stargazer Stellarium 0.10.4 - <li>3D modeler Blender 2.49.2 (new application) - <li>Video editor Kdenlive 0.7.7 (new application) -</ul></li> -<li>Now using Kerberos for password checking (migration not finished). - Enabled for: -<ul> - <li>PAM - <li>LDAP - <li>IMAP - <li>SMTP (sender verification) -</ul> -</li> -<li>New experimental roaming workstation profile for laptops.</li> -<li>Show welcome page to users when they first log in. The URL is - fetched from LDAP.</li> -<li>New LXDE desktop option, in addition to KDE (default) and Gnome.</li> -<li>General cleanup (not finished)</li> -</ul> -<p>The following features are not working as they should</p> - -<ul> -<li>No web based administration tool for creating users and groups. The - scripts ldap-createuser-krb and ldap-add-user-to-group can be used - for testing.</li> -<li>DVD installs are missing debian-installer images for the PXE boot, - and do not set up the PXE menu on eth0 because of this. LTSP - clients should still boot from eth1 on thin client servers.</li> -<li>The restructured KDE menu is not implemented.</li> -<li>The LDAP server setup need to be reviewed for security.</li> -<li>The LDAP directory structure need to be reworked.</li> -<li>Different sets of packages are installed when using the DVD and the - netinst CD. More packages are installed using the netinst CD.</li> -<li>The jackd package fail to install. This is believed to be caused by - some ongoing transition, and hopefully should be solved soon. The - jackd1 package can be installed manually for those that need it.</li> -<li>Some packages lack translations. See - http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status, - and help out with translations.</li> -</ul> - -<p>To download this multiarch netinstall release you can use</p> - -<ul> -<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li> -<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</a></li> -<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-CD.iso</li> -</ul> -<p>To download this multiarch dvd release you can use</p> - -<ul> -<li><a href="ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li> -<li><a href="http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</a></li> -<li>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-6.0.0+edua0-DVD.iso</li> -</ul> - -<p>There is no source DVD available yet. It will be prepared when we -get closer to the final release.</p> - -<p>The MD5SUM of these images are</p> - -<ul> -<li>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-6.0.0+edua0-CD.iso</li> -<li>22f2cbfce281d1c6e478be452638675d debian-edu-6.0.0+edua0-DVD.iso</li> -</ul> - -<p>The SHA1SUM of these images are</p> -<ul> -<li>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-6.0.0+edua0-CD.iso</li> -<li>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-6.0.0+edua0-DVD.iso</li> -</ul> -<p>How to report bugs: -http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla</p> - -<p>Please direct replies to debian-edu@lists.debian.org</p> -</blockquote> +<p>I dag la jeg inn en kommentar på en sak hos NRKBeta +<a href="http://nrkbeta.no/2010/10/27/bakom-blindpassasjer-del-1/">om +hvordan TV-serien Blindpassasjer ble laget</a> i forbindelse med at +filmene NRK la ut ikke var tilgjengelig i et +<a href="http://www.digistan.org/open-standard:definition">fritt og +åpent format</a>. Dette var det jeg skrev publiserte der 07:39.</p> + +<p><blockquote> +<p>"Vi fikk en kommentar rundt måten streamet innhold er beskyttet fra +nedlasting. Mange av oss som kan mer enn gjennomsnittet om systemer +som dette, vet at det stort sett er mulig å lure ut ting med den +nødvendige forkunnskapen."</p> + +<p>Haha. Å streame innhold er det samme som å laste ned innhold, så å +beskytte en stream mot nedlasting er ikke mulig. Å skrive noe slikt +er å forlede leseren.</p> + +<p>Med den bakgrunn blir forklaringen om at noen rettighetshavere kun +vil tillate streaming men ikke nedlasting meningsløs.</p> + +<p>Anbefaler forresten å lese +<a href="http://blogs.computerworlduk.com/simon-says/2010/10/drm-is-toxic-to-culture/index.htm">http://blogs.computerworlduk.com/simon-says/2010/10/drm-is-toxic-to-culture/index.htm</a> +om hva som ville være konsekvensen hvis digitale avspillingssperrer +(DRM) fungerte. Det gjør de naturligvis ikke teknisk - det er jo +derfor de må ha totalitære juridiske beskyttelsesmekanismer på plass, +men det er skremmende hva samfunnet tillater og NRK er med på å bygge +opp under.</p> +</blockquote></p> + +<p>Ca. 20 minutter senere får jeg følgende epost fra Anders Hofseth i +NRKBeta:</p> + +<p><blockquote> +<p>From: Anders Hofseth &lt;XXX@gmail.com> +<br>To: "pere@hungry.com" &lt;pere@hungry.com> +<br>Cc: Eirik Solheim &lt;XXX@gmail.com>, Jon Ståle Carlsen &lt;XXX@gmail.com>, Henrik Lied &lt;XXX@gmail.com> +<br>Subject: Re: [NRKbeta] Kommentar: "Bakom Blindpassasjer: del 1" +<br>Date: Sat, 30 Oct 2010 07:58:44 +0200</p> + +<p>Hei Petter. +<br>Det du forsøker dra igang er egentlig en interessant diskusjon, +men om vi skal kjøre den i kommentarfeltet her, vil vi kunne bli bedt +om å fjerne blindpassasjer fra nett- tv og det vil heller ikke bli +særlig lett å klarere ut noe annet arkivmateriale på lang tid.</p> + +<p>Dette er en situasjon NRKbeta ikke ønsker, så kommentaren er +fjernet og den delen av diskusjonen er avsluttet på nrkbeta, vi antar +konsekvensene vi beskriver ikke er noe du ønsker heller...</p> + +<p>Med hilsen, +<br>-anders</p> + +<p>Ring meg om noe er uklart: 95XXXXXXX</p> +</blockquote></p> + +<p>Ble så fascinert over denne holdningen, at jeg forfattet og sendte +over følgende svar. I og med at debatten er fjernet fra NRK Betas +kommentarfelt, så velger jeg å publisere her på bloggen min i stedet. +Har fjernet epostadresser og telefonnummer til de involverte, for å +unngå at de tiltrekker seg uønskede direkte kontaktforsøk.</p> + +<p><blockquote> +<p>From: Petter Reinholdtsen &lt;pere@hungry.com> +<br>To: Anders Hofseth &lt;XXX@gmail.com> +<br>Cc: Eirik Solheim &lt;XXX@gmail.com>, +<br> Jon Ståle Carlsen &lt;XXX@gmail.com>, +<br> Henrik Lied &lt;XXX@gmail.com> +<br>Subject: Re: [NRKbeta] Kommentar: "Bakom Blindpassasjer: del 1" +<br>Date: Sat, 30 Oct 2010 08:24:34 +0200</p> + +<p>[Anders Hofseth] +<br>> Hei Petter.</p> + +<p>Hei.</p> + +<p>> Det du forsøker dra igang er egentlig en interessant diskusjon, men +<br>> om vi skal kjøre den i kommentarfeltet her, vil vi kunne bli bedt om +<br>> å fjerne blindpassasjer fra nett- tv og det vil heller ikke bli +<br>> særlig lett å klarere ut noe annet arkivmateriale på lang tid.</p> + +<p>Godt å se at du er enig i at dette er en interessant diskusjon. Den +vil nok fortsette en stund til. :)</p> + +<p>Må innrømme at jeg synes det er merkelig å lese at dere i NRK med +vitende og vilje ønsker å forlede rettighetshaverne for å kunne +fortsette å legge ut arkivmateriale.</p> + +<p>Kommentarer og diskusjoner i bloggene til NRK Beta påvirker jo ikke +faktum, som er at streaming er det samme som nedlasting, og at innhold +som er lagt ut på nett kan lagres lokalt for avspilling når en ønsker +det.</p> + +<p>Det du sier er jo at klarering av arkivmateriale for publisering på +web krever at en holder faktum skjult fra debattfeltet på NRKBeta. +Det er ikke et argument som holder vann. :)</p> + +<p>> Dette er en situasjon NRKbeta ikke ønsker, så kommentaren er fjernet +<br>> og den delen av diskusjonen er avsluttet på nrkbeta, vi antar +<br>> konsekvensene vi beskriver ikke er noe du ønsker heller...</p> + +<p>Personlig ønsker jeg at NRK skal slutte å stikke hodet i sanden og +heller være åpne på hvordan virkeligheten fungerer, samt ta opp kampen +mot de som vil låse kulturen inne. Jeg synes det er en skam at NRK +godtar å forlede publikum. Ville heller at NRK krever at innhold som +skal sendes skal være uten bruksbegresninger og kan publiseres i +formater som heller ikke har bruksbegresninger (bruksbegresningene til +H.264 burde få varselbjellene i NRK til å ringe).</p> + +<p>At NRK er med på DRM-tåkeleggingen og at det kommer feilaktive +påstander om at "streaming beskytter mot nedlasting" som bare er egnet +til å bygge opp om en myte som er skadelig for samfunnet som helhet.</p> + +<p>Anbefaler &lt;URL:<a href="http://webmink.com/2010/09/03/h-264-and-foss/">http://webmink.com/2010/09/03/h-264-and-foss/</a>> og en +titt på +&lt;URL: <a href="http://people.skolelinux.org/pere/blog/Terms_of_use_for_video_produced_by_a_Canon_IXUS_130_digital_camera.html">http://people.skolelinux.org/pere/blog/Terms_of_use_for_video_produced_by_a_Canon_IXUS_130_digital_camera.html</a> >. +for å se hva slags bruksbegresninger H.264 innebærer.</p> + +<p>Hvis dette innebærer at NRK må være åpne med at arkivmaterialet ikke +kan brukes før rettighetshaverene også innser at de er med på å skade +samfunnets kultur og kollektive hukommelse, så får en i hvert fall +synliggjort konsekvensene og antagelig mer flammer på en debatt som er +langt på overtid.</p> + +<p>> Ring meg om noe er uklart: XXX</p> + +<p>Intet uklart, men ikke imponert over måten dere håndterer debatten på. +Hadde du i stedet kommet med et tilsvar i kommentarfeltet der en +gjorde det klart at blindpassasjer-blogpostingen ikke var riktig sted +for videre diskusjon hadde dere i mine øyne kommet fra det med +ryggraden på plass.</p> + +<p>PS: Interessant å se at NRK-ansatte ikke bruker NRK-epostadresser.</p> + +<p>Som en liten avslutning, her er noen litt morsomme innslag om temaet. +&lt;URL: <a href="http://www.archive.org/details/CopyingIsNotTheft">http://www.archive.org/details/CopyingIsNotTheft</a> > og +&lt;URL: <a href="http://patentabsurdity.com/">http://patentabsurdity.com/</a> > hadde vært noe å kringkaste på +NRK1. :)</p> + +<p>Vennlig hilsen, +<br>-- +<br>Petter Reinholdtsen</p> - One step closer to single signon in Debian Edu - http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html - http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html - Sun, 25 Jul 2010 10:00:00 +0200 + Software updates 2010-10-24 + http://people.skolelinux.org/pere/blog/Software_updates_2010_10_24.html + http://people.skolelinux.org/pere/blog/Software_updates_2010_10_24.html + Sun, 24 Oct 2010 22:45:00 +0200 -<p>The last few months me and the other Debian Edu developers have -been working hard to get the Debian/Squeeze based version of Debian -Edu/Skolelinux into shape. This future version will use Kerberos for -authentication, and services are slowly migrated to single signon, -getting rid of password questions one at the time.</p> - -<p>It will also feature a roaming workstation profile with local home -directory, for laptops that are only some times on the Skolelinux -network, and for this profile a shortcut is created in Gnome and KDE -to gain access to the users home directory on the file server. This -shortcut uses SMB at the moment, and yesterday I had time to test if -SMB mounting had started working in KDE after we added the cifs-utils -package. I was pleasantly surprised how well it worked.</p> - -<p>Thanks to the recent changes to our samba configuration to get it -to use Kerberos for authentication, there were no question about user -password when mounting the SMB volume. A simple click on the shortcut -in the KDE menu, and a window with the home directory popped -up. :)</p> - -<p>One step closer to a single signon solution out of the box in -Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now -also Samba. Next step is Cups and hopefully also NFS.</p> - -<p>We had planned a alpha0 release of Debian Edu for today, but thanks -to the autobuilder administrators for some architectures being slow to -sign packages, we are still missing the fixed LTSP package we need for -the release. It was uploaded three days ago with urgency=high, and if -it had entered testing yesterday we would have been able to test it in -time for a alpha0 release today. As the binaries for ia64 and powerpc -still not uploaded to the Debian archive, we need to delay the alpha -release another day.</p> - -<p>If you want to help out with implementing Kerberos for Debian Edu, -please contact us on debian-edu@lists.debian.org.</p> +<p>Some updates.</p> + +<p>My <a href="http://pledgebank.com/gnash-avm2">gnash pledge</a> to +raise money for the project is going well. The lower limit of 10 +signers was reached in 24 hours, and so far 13 people have signed it. +More signers and more funding is most welcome, and I am really curious +how far we can get before the time limit of December 24 is reached. +:)</p> + +<p>On the #gnash IRC channel on irc.freenode.net, I was just tipped +about what appear to be a great code coverage tool capable of +generating code coverage stats without any changes to the source code. +It is called +<a href="http://simonkagstrom.github.com/kcov/index.html">kcov</a>, +and can be used using <tt>kcov &lt;directory&gt; &lt;binary&gt;</tt>. +It is missing in Debian, but the git source built just fine in Squeeze +after I installed libelf-dev, libdwarf-dev, pkg-config and +libglib2.0-dev. Failed to build in Lenny, but suspect that is +solvable. I hope kcov make it into Debian soon.</p> + +<p>Finally found time to wrap up the release notes for <a +href="http://lists.debian.org/debian-edu-announce/2010/10/msg00002.html">a +new alpha release of Debian Edu</a>, and just published the second +alpha test release of the Squeeze based Debian Edu / +<a href="http://www.skolelinux.org/">Skolelinux</a> +release. Give it a try if you need a complete linux solution for your +school, including central infrastructure server, workstations, thin +client servers and diskless workstations. A nice touch added +yesterday is RDP support on the thin client servers, for windows +clients to get a Linux desktop on request.</p> - Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk - http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html - http://people.skolelinux.org/pere/blog/Digitale_restriksjonsmekanismer_fikk_meg_til____slutte____kj__pe_musikk.html - Thu, 22 Jul 2010 23:50:00 +0200 + Pledge for funding to the Gnash project to get AVM2 support + http://people.skolelinux.org/pere/blog/Pledge_for_funding_to_the_Gnash_project_to_get_AVM2_support.html + http://people.skolelinux.org/pere/blog/Pledge_for_funding_to_the_Gnash_project_to_get_AVM2_support.html + Tue, 19 Oct 2010 14:45:00 +0200 -<p>For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at -musikkbransjen var godt i gang med å selge platene sine med DRM som -gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg -hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en -plate om den var ødelagt eller ikke, og jeg hadde jo allerede en -anseelig samling med plater, så jeg bestemme meg for å slutte å gi -penger til en bransje som åpenbart ikke respekterte meg.</p> - -<p>Jeg har mange titalls dager med musikk på CD i dag. Det meste er -lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har -ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer -musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt -fornøyd.</p> - -<p>Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de -setter pris på meg som kunde, og ikke skremme meg bort med DRM og -antydninger om at kundene er kriminelle.</p> - -<p>Filmbransjen er like ille, men mens musikk gjerne varer lenge, er -filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men -holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. -Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene -«Ultraviolet» som be annonsert her om dagen.</p> +<p><a href="http://www.getgnash.org/">The Gnash project</a> is the +most promising solution for a Free Software Flash implementation. It +has done great so far, but there is still far to go, and recently its +funding has dried up. I believe AVM2 support in Gnash is vital to the +continued progress of the project, as more and more sites show up with +AVM2 flash files.</p> + +<p>To try to get funding for developing such support, I have started +<a href="http://www.pledgebank.com/gnash-avm2">a pledge</a> with the +following text:</P> + +<p><blockquote> + + <p>"I will pay 100$ to the Gnash project to develop AVM2 support but + only if 10 other people will do the same."</p> + + <p>- Petter Reinholdtsen, free software developer</p> + + <p>Deadline to sign up by: 24th December 2010</p> + + <p>The Gnash project need to get support for the new Flash file + format AVM2 to work with a lot of sites using Flash on the + web. Gnash already work with a lot of Flash sites using the old AVM1 + format, but more and more sites are using the AVM2 format these + days. The project web page is available from + http://www.getgnash.org/ . Gnash is a free software implementation + of Adobe Flash, allowing those of us that do not accept the terms of + the Adobe Flash license to get access to Flash sites.</p> + + <p>The project need funding to get developers to put aside enough + time to develop the AVM2 support, and this pledge is my way to try + to get this to happen.</p> + + <p>The project accept donations via the OpenMediaNow foundation, + <a href="http://www.openmedianow.org/?q=node/32">http://www.openmedianow.org/?q=node/32</a> .</p> + +</blockquote></p> + +<p>I hope you will support this effort too. I hope more than 10 +people will participate to make this happen. The more money the +project gets, the more features it can develop using these funds. +:)</p> - OpenStreetmap one step closer to having routing on its front page - http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html - http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html - Sun, 18 Jul 2010 16:45:00 +0200 + Standardkrav inn i anbudstekster? + http://people.skolelinux.org/pere/blog/Standardkrav_inn_i_anbudstekster_.html + http://people.skolelinux.org/pere/blog/Standardkrav_inn_i_anbudstekster_.html + Sun, 17 Oct 2010 19:30:00 +0200 -<p>Thanks to -<a href="http://feedproxy.google.com/~r/Opengeodata/~3/wUTCzDZk3lc/project-of-the-week-which-way-home">todays -opengeodata blog entry</a>, I just discovered that the -OpenStreetmap.org site have gotten -<a href="http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT">support -for calculating routes</a>. The support is still experimental and -only available from the development server, until more experience is -gathered on the user interface and any scalability issues.</p> - -<p>Earlier, the routing I knew about using the OpenStreetmap.org data -was provided by <a href="http://maps.cloudmade.com/">Cloudmade</a>, -but having it on the main page is required to make everyone aware of -the issue. I've had people reject Openstreetmap.org as a viable -alternative for them because the front page lacked routing support, -and I hope their needs will be catered for when routing show up on the -www.openstreetmap.org front page.</p> +<p>Hvis det å følge standarder skal ha noen effekt overfor +leverandører, så må slike krav og ønsker komme inn i anbudstekster når +systemer kjøpes inn. Har ikke sett noen slike formuleringer i anbud +så langt, men har tenkt litt på hva som bør inn. Her er noen ideer og +forslag. Min drøm er at en kan sette krav til slik støtte i +anbudstekster, men så langt er det nok mer sannsynlig at en må nøye +seg med å skrive at det er en fordel om slik støtte er tilstede i +leveranser.</p> + +<p>Som systemadministrator på Universitetet er det typisk to områder +som er problematiske for meg. Det ene er admin-grensesnittene på +tjenermaskiner, som vi ønsker å bruke via ssh. Det andre er nettsider +som vi ønsker å bruke via en nettleser. For begge deler er det viktig +at protokollene og formatene som brukes følger standarder våre verktøy +støtter.</p> + +<p>De fleste har nå støtte for SSH som overføringsprotkoll for +admin-grensesnittet, men det er ikke tilstrekkelig for å kunne stille +inn f.eks BIOS og RAID-kontroller via ssh-forbindelsen. Det er flere +aktuelle protokoller for fremvisning av BIOS-oppsett og +oppstartmeldinger, og min anbefaling ville være å kreve +VT100-kompatibel protokoll, for å sikre at flest mulig +terminalemulatorer kan forstå hva som kommer fra admin-grensesnittet +via ssh. Andre aktuelle alternativer er ANSI-terminalemulering og +VT220. Kanskje en formulering ala dette i anbudsutlysninger vil +fungere:</p> + +<p><blockquote> +BIOS og oppstartmeldinger i administrasjonsgrensesnittet til maskinen +bør/skal være tilgjengelig via SSH-protokollen som definert av IETF +(RFC 4251 mfl.) og følge terminalfremvisningprotokollen VT100 (ref?) +når en kobler seg til oppstart via ssh. +</blockquote></p> + +<p>Har ikke lykkes med å finne en god referanse for +VT100-spesifikasjonen.</p> + +<p>Når det gjelder nettsider, så er det det HTML, CSS og +JavaScript-spesifikasjonen til W3C som gjelder.</p> + +<p><blockquote> +Alle systemets nettider bør/skal være i henhold til statens +standardkatalogs krav om nettsider og følge HTML-standarden som +definert av W3C, og validere uten feil hos W3Cs HTML-validator +(http://validator.w3.org). Hvis det brukes CSS så bør/skal denne +validere uten feil hos W3Cs CSS-validator +(http://jigsaw.w3.org/css-validator/). Eventuelle JavaScript skal +være i henhold til EcmaScript-standarden. I tillegg til å følge de +overnevnte standardene skal websidene fungere i nettleserne (fyll inn +relevant liste for organisasjonen) Firefox 3.5, Internet Explorer 8, +Opera 9, etc. +</blockquote></p> + +<p>Vil et slikt avsnitt være konkret nok til å få leverandørene til å +lage nettsider som følger standardene og fungerer i flere +nettlesere?</p> + +<p>Tar svært gjerne imot innspill på dette temaet til aktive (at) +nuug.no, og er spesielt interessert i hva andre skriver i sine anbud +for å oppmuntre leverandører til å følge standardene. Kanskje NUUG +burde lage et dokument med forslag til standardformuleringer å ta med +i anbudsutlysninger?</p> - What are they searching for - PowerDNS and ISC DHCP in LDAP - http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html - http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html - Sat, 17 Jul 2010 21:00:00 +0200 + Datatilsynet svarer om Bilkollektivets ønske om GPS-sporing + http://people.skolelinux.org/pere/blog/Datatilsynet_svarer_om_Bilkollektivets___nske_om_GPS_sporing.html + http://people.skolelinux.org/pere/blog/Datatilsynet_svarer_om_Bilkollektivets___nske_om_GPS_sporing.html + Thu, 14 Oct 2010 15:00:00 +0200 -<p>This is a -<a href="http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html">followup</a> -on my -<a href="http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html">previous -work</a> on -<a href="http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html">merging -all</a> the computer related LDAP objects in Debian Edu.</p> - -<p>As a step to try to see if it possible to merge the DNS and DHCP -LDAP objects, I have had a look at how the packages pdns-backend-ldap -and dhcp3-server-ldap in Debian use the LDAP server. The two -implementations are quite different in how they use LDAP.</p> - -To get this information, I started slapd with debugging enabled and -dumped the debug output to a file to get the LDAP searches performed -on a Debian Edu main-server. Here is a summary. - -<p><strong>powerdns</strong></p> - -<a href="http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend">Clues -on how to</a> set up PowerDNS to use a LDAP backend is available on -the web. - -<p>PowerDNS have two modes of operation using LDAP as its backend. -One "strict" mode where the forward and reverse DNS lookups are done -using the same LDAP objects, and a "tree" mode where the forward and -reverse entries are in two different subtrees in LDAP with a structure -based on the DNS names, as in tjener.intern and -2.2.0.10.in-addr.arpa.</p> - -<p>In tree mode, the server is set up to use a LDAP subtree as its -base, and uses a "base" scoped search for the DNS name by adding -"dc=tjener,dc=intern," to the base with a filter for -"(associateddomain=tjener.intern)" for the forward entry and -"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for -"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For -forward entries, it is looking for attributes named dnsttl, arecord, -nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord, -txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord, -srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord, -ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord, -spfrecord and modifytimestamp. For reverse entries it is looking for -the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord, -ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord, -locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent -ldapsearch commands could look like this:</p> - -<blockquote><pre> -ldapsearch -h ldap \ - -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \ - -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \ - cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \ - rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \ - nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \ - rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp - -ldapsearch -h ldap \ - -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \ - -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)' - dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \ - hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \ - srvrecord naptrrecord modifytimestamp -</pre></blockquote> - -<p>In Debian Edu/Lenny, the PowerDNS tree mode is used with -ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two -example LDAP objects used there. In addition to these objects, the -parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no -also exist.</p> - -<blockquote><pre> -dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no -objectclass: top -objectclass: dnsdomain -objectclass: domainrelatedobject -dc: tjener -arecord: 10.0.2.2 -associateddomain: tjener.intern - -dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no -objectclass: top -objectclass: dnsdomain2 -objectclass: domainrelatedobject -dc: 2 -ptrrecord: tjener.intern -associateddomain: 2.2.0.10.in-addr.arpa -</pre></blockquote> - -<p>In strict mode, the server behaves differently. When looking for -forward DNS entries, it is doing a "subtree" scoped search with the -same base as in the tree mode for a object with filter -"(associateddomain=tjener.intern)" and requests the attributes dnsttl, -arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, -mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord, -naptrrecord and modifytimestamp. For reverse entires it also do a -subtree scoped search but this time the filter is "(arecord=10.0.2.2)" -and the requested attributes are associateddomain, dnsttl and -modifytimestamp. In short, in strict mode the objects with ptrrecord -go away, and the arecord attribute in the forward object is used -instead.</p> - -<p>The forward and reverse searches can be simulated using ldapsearch -like this:</p> - -<blockquote><pre> -ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \ - '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \ - cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \ - rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \ - nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \ - rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp - -ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \ - '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp -</pre></blockquote> - -<p>In addition to the forward and reverse searches , there is also a -search for SOA records, which behave similar to the forward and -reverse lookups.</p> - -<p>A thing to note with the PowerDNS behaviour is that it do not -specify any objectclass names, and instead look for the attributes it -need to generate a DNS reply. This make it able to work with any -objectclass that provide the needed attributes.</p> - -<p>The attributes are normally provided in the cosine (RFC 1274) and -dnsdomain2 schemas. The latter is used for reverse entries like -ptrrecord and recent DNS additions like aaaarecord and srvrecord.</p> - -<p>In Debian Edu, we have created DNS objects using the object classes -dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS -attributes) and domainrelatedobject (for associatedDomain). The use -of structural object classes make it impossible to combine these -classes with the object classes used by DHCP.</p> - -<p>There are other schemas that could be used too, for example the -dnszone structural object class used by Gosa and bind-sdb for the DNS -attributes combined with the domainrelatedobject object class, but in -this case some unused attributes would have to be included as well -(zonename and relativedomainname).</p> - -<p>My proposal for Debian Edu would be to switch PowerDNS to strict -mode and not use any of the existing objectclasses (dnsdomain, -dnsdomain2 and dnszone) when one want to combine the DNS information -with DHCP information, and instead create a auxiliary object class -defined something like this (using the attributes defined for -dnsdomain and dnsdomain2 or dnszone):</p> - -<blockquote><pre> -objectclass ( some-oid NAME 'dnsDomainAux' - SUP top - AUXILIARY - MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ - DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $ - TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $ - NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ - A6Record $ DNAMERecord - )) -</pre></blockquote> - -<p>This will allow any object to become a DNS entry when combined with -the domainrelatedobject object class, and allow any entity to include -all the attributes PowerDNS wants. I've sent an email to the PowerDNS -developers asking for their view on this schema and if they are -interested in providing such schema with PowerDNS, and I hope my -message will be accepted into their mailing list soon.</p> - -<p><strong>ISC dhcp</strong></p> - -<p>The DHCP server searches for specific objectclass and requests all -the object attributes, and then uses the attributes it want. This -make it harder to figure out exactly what attributes are used, but -thanks to the working example in Debian Edu I can at least get an idea -what is needed without having to read the source code.</p> - -<p>In the DHCP server configuration, the LDAP base to use and the -search filter to use to locate the correct dhcpServer entity is -stored. These are the relevant entries from -/etc/dhcp3/dhcpd.conf:</p> - -<blockquote><pre> -ldap-base-dn "dc=skole,dc=skolelinux,dc=no"; -ldap-dhcp-server-cn "dhcp"; -</pre></blockquote> - -<p>The DHCP server uses this information to nest all the DHCP -configuration it need. The cn "dhcp" is located using the given LDAP -base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The -search result is this entry:</p> - -<blockquote><pre> -dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no -cn: dhcp -objectClass: top -objectClass: dhcpServer -dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no -</pre></blockquote> - -<p>The content of the dhcpServiceDN attribute is next used to locate the -subtree with DHCP configuration. The DHCP configuration subtree base -is located using a base scope search with base "cn=DHCP -Config,dc=skole,dc=skolelinux,dc=no" and filter -"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))". -The search result is this entry:</p> - -<blockquote><pre> -dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no -cn: DHCP Config -objectClass: top -objectClass: dhcpService -objectClass: dhcpOptions -dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no -dhcpStatements: ddns-update-style none -dhcpStatements: authoritative -dhcpOption: smtp-server code 69 = array of ip-address -dhcpOption: www-server code 72 = array of ip-address -dhcpOption: wpad-url code 252 = text -</pre></blockquote> - -<p>Next, the entire subtree is processed, one level at the time. When -all the DHCP configuration is loaded, it is ready to receive requests. -The subtree in Debian Edu contain objects with object classes -top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions, -top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options -and information about netmasks, dynamic range etc. Leaving out the -details here because it is not relevant for the focus of my -investigation, which is to see if it is possible to merge dns and dhcp -related computer objects.</p> - -<p>When a DHCP request come in, LDAP is searched for the MAC address -of the client (00:00:00:00:00:00 in this example), using a subtree -scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as -the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet -00:00:00:00:00:00))" as the filter. This is what a host object look -like:</p> - -<blockquote><pre> -dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no -cn: hostname -objectClass: top -objectClass: dhcpHost -dhcpHWAddress: ethernet 00:00:00:00:00:00 -dhcpStatements: fixed-address hostname -</pre></blockquote> - -<p>There is less flexiblity in the way LDAP searches are done here. -The object classes need to have fixed names, and the configuration -need to be stored in a fairly specific LDAP structure. On the -positive side, the invidiual dhcpHost entires can be anywhere without -the DN pointed to by the dhcpServer entries. The latter should make -it possible to group all host entries in a subtree next to the -configuration entries, and this subtree can also be shared with the -DNS server if the schema proposed above is combined with the dhcpHost -structural object class. - -<p><strong>Conclusion</strong></p> - -<p>The PowerDNS implementation seem to be very flexible when it come -to which LDAP schemas to use. While its "tree" mode is rigid when it -come to the the LDAP structure, the "strict" mode is very flexible, -allowing DNS objects to be stored anywhere under the base cn specified -in the configuration.</p> - -<p>The DHCP implementation on the other hand is very inflexible, both -regarding which LDAP schemas to use and which LDAP structure to use. -I guess one could implement ones own schema, as long as the -objectclasses and attributes have the names used, but this do not -really help when the DHCP subtree need to have a fairly fixed -structure.</p> - -<p>Based on the observed behaviour, I suspect a LDAP structure like -this might work for Debian Edu:</p> - -<blockquote><pre> -ou=services - cn=machine-info (dhcpService) - dhcpServiceDN points here - cn=dhcp (dhcpServer) - cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions) - cn=10.0.2.0 (dhcpSubnet) - cn=group1 (dhcpGroup/dhcpOptions) - cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions) - cn=192.168.0.0 (dhcpSubnet) - cn=group1 (dhcpGroup/dhcpOptions) - ou=machines - PowerDNS base points here - cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux) -</pre></blockquote> - -<P>This is not tested yet. If the DHCP server require the dhcpHost -entries to be in the dhcpGroup subtrees, the entries can be stored -there instead of a common machines subtree, and the PowerDNS base -would have to be moved one level up to the machine-info subtree.</p> - -<p>The combined object under the machines subtree would look something -like this:</p> - -<blockquote><pre> -dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no -dc: hostname -objectClass: top -objectClass: dhcpHost -objectclass: domainrelatedobject -objectclass: dnsDomainAux -associateddomain: hostname.intern -arecord: 10.11.12.13 -dhcpHWAddress: ethernet 00:00:00:00:00:00 -dhcpStatements: fixed-address hostname.intern -</pre></blockquote> - -</p>One could even add the LTSP configuration associated with a given -machine, as long as the required attributes are available in a -auxiliary object class.</p> +<p>I forbindelse med Bilkollektivets plan om å skaffe seg mulighet til +å GPS-spore sine medlemmers bevegelser +(<a href="http://people.skolelinux.org/pere/blog/Bilkollektivet_vil_ha_retten_til____se_hvor_jeg_kj__rer___.html">omtalt +tidligere</a>), sendte jeg avgårde et spørsmål til <a +href="http://www.datatilsynet.no/">Datatilsynet</a> for å gjøre dem +oppmerksom på saken og høre hva de hadde å si. Her er korrespondansen +så langt.</p> + +<p><blockquote> +Date: Thu, 23 Sep 2010 13:38:55 +0200 +<br>From: Petter Reinholdtsen +<br>To: postkasse@datatilsynet.no +<br>Subject: GPS-sporing av privatpersoners bruk av bil? + +<p>Hei. Jeg er med i Bilkollektivet[1] her i Oslo, og ble i dag +orientert om at de har tenkt å innføre GPS-sporing av bilene og krever +at en for fremtidig bruk skal godkjenne følgende klausul i +bruksvilkårene[2]:</p> + +<p><blockquote> + Andelseier er med dette gjort kjent med at bilene er utstyrt med + sporingsutstyr, som kan benyttes av Bilkollektivet til å spore biler + som brukes utenfor gyldig reservasjon. +</blockquote></p> + +<p>Er slik sporing meldepliktig til datatilsynet? Har Bilkollektivet +meldt dette til Datatilsynet? Forsøkte å søke på orgnr. 874 538 892 +på søkesiden for meldinger[3], men fant intet der.</p> + +<p>Hva er datatilsynets syn på slik sporing av privatpersoners bruk av +bil?</p> + +<p>Jeg må innrømme at jeg forventer å kunne ferdes anonymt og uten +radiomerking i Norge, og synes GPS-sporing av bilen jeg ønsker å bruke +i så måte er et overgrep mot privatlivets fred. For meg er det et +prinsipielt spørsmål og det er underordnet hvem og med hvilket formål +som i første omgang sies å skulle ha tilgang til +sporingsinformasjonen. Jeg vil ikke ha mulighet til å sjekke eller +kontrollere når bruksområdene utvides, og erfaring viser jo at +bruksområder utvides når informasjon først er samlet inn.<p> + +<p>1 &lt;URL: http://www.bilkollektivet.no/ > +<br>2 &lt;URL: http://www.bilkollektivet.no/bilbruksregler.26256.no.html > +<br>3 &lt;URL: http://hetti.datatilsynet.no/melding/report_search.pl > + +<p>Vennlig hilsen, +<br>-- +<br>Petter Reinholdtsen +</blockquote></p> + +<p>Svaret fra Datatilsynet kom dagen etter:</p> + +<p><blockquote> +Date: Fri, 24 Sep 2010 11:24:17 +0200 +<br>From: Henok Tesfazghi +<br>To: Petter Reinholdtsen +<br>Subject: VS: GPS-sporing av privatpersoners bruk av bil? + +<p>Viser til e-post av 23. september 2010.</p> + +<p>Datatilsynet er det forvaltningsorganet som skal kontrollere at +personopplysningsloven blir fulgt. Formålet med loven er å verne +enkeltpersoner mot krenking av personvernet gjennom behandling av +personopplysninger. Vi gjør oppmerksom på at vår e-post svartjeneste +er ment å være en kortfattet rådgivningstjeneste, slik at vi av den +grunn ikke kan konkludere i din sak, men gi deg innledende råd og +veiledning. Vårt syn er basert på din fremstilling av saksforholdet, +andre opplysninger vi eventuelt ikke kjenner til og som kan være +relevante, vil kunne medføre et annet resultat.</p> + +<p>Det er uklart for Datatilsynet hva slags GPS-sporing Bilkollektivet +her legger opp til. Dette skyldes blant annet manglende informasjon i +forhold til hvilket formål GPS-sporingen har, hvordan det er ment å +fungere, hvilket behandlingsgrunnlag som ligger til grunn, samt om +opplysningene skal lagres eller ikke.</p> + +<p>Behandlingen vil i utgangspunket være meldepliktig etter +personopplysningslovens § 31. Det finnes en rekke unntak fra +meldeplikten som er hjemlet i personopplysningsforskriftens kapittel +7. Da dette er et andelslag, og andelseiere i en utstrekning også kan +karakteriseres som kunder, vil unntak etter +personopplysningsforskriftens § 7-7 kunne komme til anvendelse, se +lenke: <a href="http://lovdata.no/for/sf/fa/ta-20001215-1265-009.html#7-7">http://lovdata.no/for/sf/fa/ta-20001215-1265-009.html#7-7</a></p> + +<p>Datatilsynet har til orientering en rekke artikler som omhandler +henholdsvis sporing og lokalisering, samt trafikanter og passasjerer, +se lenke: +<br><a href="http://www.datatilsynet.no/templates/article____1730.aspx">http://www.datatilsynet.no/templates/article____1730.aspx</a> og +<br><a href="http://www.datatilsynet.no/templates/article____1098.aspx">http://www.datatilsynet.no/templates/article____1098.aspx</a></p> + + +<p>Vennlig hilsen +<br>Henok Tesfazghi +<br>Rådgiver, Datatilsynet +</blockquote></p> + +<p>Vet ennå ikke om jeg har overskudd til å ta opp kampen i +Bilkollektivet, mellom barnepass og alt det andre som spiser opp +dagene, eller om jeg bare finner et annet alternativ.</p> - Combining PowerDNS and ISC DHCP LDAP objects - http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html - http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html - Wed, 14 Jul 2010 23:45:00 +0200 + Links for 2010-10-14 + http://people.skolelinux.org/pere/blog/Links_for_2010_10_14.html + http://people.skolelinux.org/pere/blog/Links_for_2010_10_14.html + Thu, 14 Oct 2010 14:45:00 +0200 -<p>For a while now, I have wanted to find a way to change the DNS and -DHCP services in Debian Edu to use the same LDAP objects for a given -computer, to avoid the possibility of having a inconsistent state for -a computer in LDAP (as in DHCP but no DNS entry or the other way -around) and make it easier to add computers to LDAP.</p> - -<p>I've looked at how powerdns and dhcpd is using LDAP, and using this -information finally found a solution that seem to work.</p> - -<p>The old setup required three LDAP objects for a given computer. -One forward DNS entry, one reverse DNS entry and one DHCP entry. If -we switch powerdns to use its strict LDAP method (ldap-method=strict -in pdns-debian-edu.conf), the forward and reverse DNS entries are -merged into one while making it impossible to transfer the reverse map -to a slave DNS server.</p> - -<p>If we also replace the object class used to get the DNS related -attributes to one allowing these attributes to be combined with the -dhcphost object class, we can merge the DNS and DHCP entries into one. -I've written such object class in the dnsdomainaux.schema file (need -proper OIDs, but that is a minor issue), and tested the setup. It -seem to work.</p> - -<p>With this test setup in place, we can get away with one LDAP object -for both DNS and DHCP, and even the LTSP configuration I suggested in -an earlier email. The combined LDAP object will look something like -this:</p> - -<blockquote><pre> - dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no - cn: hostname - objectClass: dhcphost - objectclass: domainrelatedobject - objectclass: dnsdomainaux - associateddomain: hostname.intern - arecord: 10.11.12.13 - dhcphwaddress: ethernet 00:00:00:00:00:00 - dhcpstatements: fixed-address hostname - ldapconfigsound: Y -</pre></blockquote> - -<p>The DNS server uses the associateddomain and arecord entries, while -the DHCP server uses the dhcphwaddress and dhcpstatements entries -before asking DNS to resolve the fixed-adddress. LTSP will use -dhcphwaddress or associateddomain and the ldapconfig* attributes.</p> - -<p>I am not yet sure if I can get the DHCP server to look for its -dhcphost in a different location, to allow us to put the objects -outside the "DHCP Config" subtree, but hope to figure out a way to do -that. If I can't figure out a way to do that, we can still get rid of -the hosts subtree and move all its content into the DHCP Config tree -(which probably should be renamed to be more related to the new -content. I suspect cn=dnsdhcp,ou=services or something like that -might be a good place to put it.</p> - -<p>If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.</p> +<p>Personvernet et under kontinuerlig og kraftig angrep. Her er noen +stemmer i debatten.</p> + +<p><ul> + +<li><a href="http://efn.no/hemmelig-retthaversk.txt">Hemmelig + "Retthaversk" notat vil amputere person- og rettsvernet</a> - + pressemelding fra EFN etter at de ble kjent med hårreisende + lovforslag fra "Dele, ikke stjele"-kampanjen. + +<li><a href="http://borud2.borud.no/2010/10/verdidebatt.html">Verdidebatt</a> + av Bjørn Borud. Klargjørende omramming av debatten med bakgrunn i + oppdagelsen fra EFN.</li> + +<li><a href="http://www.dagbladet.no/2010/10/14/kultur/data_og_teknologi/tekno/personvern/opphavsrett/13804298/">Må + personvernet vike for opphavsretten?</a> av Jan Omdahl i + Dagbladet</li> + +<li><a href="http://www.archive.org/details/CopyingIsNotTheft">Copying + Is Not Theft</a> - fin jingle om opphavsrett vs. eiendom</li> + +<li><a href="http://cleanternet.org/">Cleanternet</a> - satire om +forslag for et rent og sikkert Internet.</li> + +<li><a href="http://www.dubistterrorist.de/en/">You are a + terrorist!</a> - innspill om den massive overvåkningen som er + gjennomført i Tysland og resten av den vestlige verden de siste + årene.</li> + +<li><a href="http://www.dagbladet.no/2010/10/12/kultur/debatt/debattinnlegg/13787554/">Farlig + hemmelighold</a> - debattinnlegg i Dagbladet fra Thomas Gramstad og + Bjørn Remseth i EFN</li> + +</ul></p>