Petter Reinholdtsen

Regjerningen forlater prinsippet om ingen royalty-betaling i standardkatalogen versjon 2

Mon, 6 Jul 2009 21:00:00 +0200

Jeg ble glad da regjeringen -annonserte -versjon 2 av -statens -referansekatalog over standarder, men trist da jeg leste hva som -faktisk var vedtatt etter -hÃ¸ringen. -De fleste av de valgte Ã¥pne standardene er gode og vil bidra til at -alle kan delta pÃ¥ like vilkÃ¥r i Ã¥ lage lÃ¸sninger for staten, men -noen av dem blokkerer for de som ikke har anledning til Ã¥ benytte -spesifikasjoner som krever betaling for bruk (sÃ¥kalt -royalty-betaling). Det gjelder spesifikt for H.264 for video og MP3 -for lyd. SÃ¥ lenge bruk av disse var valgfritt mens Ogg Theora og Ogg -Vorbis var pÃ¥krevd, kunne alle som Ã¸nsket Ã¥ spille av video og lyd -fra statens websider gjÃ¸re dette uten Ã¥ mÃ¥tte bruke programmer der -betaling for bruk var nÃ¸dvendig. NÃ¥r det nÃ¥ er gjort valgfritt for -de statlige etatene Ã¥ bruke enten H.264 eller Theora (og MP3 eler -Vorbis), sÃ¥ vil en bli tvunget til Ã¥ forholde seg til -royalty-belastede standarder for Ã¥ fÃ¥ tilgang til videoen og -lyden.

- -

Det gjÃ¸r meg veldig trist at regjeringen har forlatt prinsippet om -at alle standarder som ble valgt til Ã¥ vÃ¦re pÃ¥krevd i katalogen skulle -vÃ¦re uten royalty-betaling. Jeg hÃ¥per det ikke betyr at en har mistet -all forstÃ¥else for hvilke prinsipper som mÃ¥ fÃ¸lges for Ã¥ oppnÃ¥ -likeverdig konkurranse mellom aktÃ¸rene i IT-bransjen. NUUG advarte -mot dette i -sin -hÃ¸ringsuttalelse, men ser ut til Ã¥ ha blitt ignorert.

Today, the last piece of the puzzle for roaming laptops in Debian +Edu finally entered the Debian archive. Today, the new +libpam-mklocaluser +package was accepted. Two days ago, two other pieces was accepted +into unstable. The +pam-python +package needed by libpam-mklocaluser, and the +sssd package +passed NEW on Monday. In addition, the +libpam-ccreds +package we need is in experimental (version 10-4) since Saturday, and +hopefully will be moved to unstable soon.

+ +

This collection of packages allow for two different setups for +roaming laptops. The traditional setup would be using libpam-ccreds, +nscd and libpam-mklocaluser with LDAP or Kerberos authentication, +which should work out of the box if the configuration changes proposed +for nscd in BTS report +#485282 is implemented. The alternative setup is to use sssd with +libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take +care of the caching of passwords and group information.

+ +

I have so far been unable to get sssd to work with the LDAP server +at the University, but suspect the issue is some SSL/GnuTLS related +problem with the server certificate. I plan to update the Debian +package to version 1.2, which is scheduled for next week, and hope to +find time to make sure the next release will include both the +Debian/Ubuntu specific patches. Upstream is friendly and responsive, +and I am sure we will find a good solution.

+ +

The idea is to set up the roaming laptops to authenticate using +LDAP or Kerberos and create a local user with home directory in /home/ +when a usre in LDAP logs in via KDM or GDM for the first time, and +cache the password for offline checking, as well as caching group +memberhips and other relevant LDAP information. The +libpam-mklocaluser package was created to make sure the local home +directory is in /home/, instead of /site/server/directory/ which would +be the home directory if pam_mkhomedir was used. To avoid confusion +with support requests and configuration, we do not want local laptops +to have users in a path that is used for the same users home directory +on the home directory servers.

+ +

One annoying problem with gdm is that it do not show the PAM +message passed to the user from libpam-mklocaluser when the local user +is created. Instead gdm simply reject the login with some generic +message. The message is shown in kdm, ssh and login, so I guess it is +a bug in gdm. Have not investigated if there is some other message +type that can be used instead to get gdm to also show the message.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Microsofts misvisende argumentasjon rundt multimediaformater

Fri, 26 Jun 2009 15:30:00 +0200

I -Microsoft -sin hÃ¸ringsuttalelse til -forslag -til versjon 2 av statens referansekatalog over standarder, lirer -de av seg fÃ¸lgende FUD-perle:

- -

"Vorbis, OGG, Theora og FLAC er alle tekniske - spesifikasjoner overordnet styrt av xiph.org, som er en - ikke-kommersiell organisasjon. Etablerte og anerkjente - standardiseringsorganisasjoner, som Oasis, W3C og Ecma, har en godt - innarbeidet vedlikeholds- og forvaltningsprosess av en standard. - Det er derimot helt opp til hver enkelt organisasjon Ã¥ bestemme - hvordan tekniske spesifikasjoner videreutvikles og endres, og disse - spesifikasjonene bÃ¸r derfor ikke defineres som Ã¥pne - standarder."

- -

De vokter seg vel for Ã¥ nevne den anerkjente -standardiseringsorganisasjonen IETF, som er organisasjonen bak HTTP, -IP og det meste av protokoller pÃ¥ Internet, og RFC-standardene som -IETF stÃ¥r bak. Ogg er spesifisert i -RFC 3533, og er uten -tvil Ã¥ anse som en Ã¥pen standard. Vorbis er -RFC 5215. Theora er - -under standardisering via IETF, med -siste -utkast publisert 2006-07-21 (riktignok er dermed teksten ikke -skrevet i stein ennÃ¥, men det blir neppe endringer som ikke er -bakoverkompatibel). De kan vÃ¦re inne pÃ¥ noe nÃ¥r det gjelder FLAC da -jeg ikke finner tegn til at spesifikasjonen -tilgjengelig pÃ¥ web er pÃ¥ tur via noen -standardiseringsorganisasjon, men i og med at folkene bak Ogg, Theora -og Vorbis ogsÃ¥ har involvert seg i Flac siden 2003, sÃ¥ ser jeg ikke -bort fra at ogsÃ¥ den organiseres via IETF. Jeg kjenner personlig lite -til FLAC.

- -

Uredelig argumentasjon bÃ¸r en holde seg for god til Ã¥ komme med, -spesielt nÃ¥r det er sÃ¥ enkelt i dagens Internet-hverdag Ã¥ gÃ¥ -misvisende pÃ¥stander etter i sÃ¸mmene.

Since this evening, parallel booting is the default in +Debian/unstable for machines using dependency based boot sequencing. +Apparently the testing of concurrent booting has been wider than +expected, if I am to believe the +input +on debian-devel@, and I concluded a few days ago to move forward +with the feature this weekend, to give us some time to detect any +remaining problems before Squeeze is frozen. If serious problems are +detected, it is simple to change the default back to sequential boot. +The upload of the new sysvinit package also activate a new upstream +version.

+ +More information about +dependency +based boot sequencing is available from the Debian wiki. It is +currently possible to disable parallel booting when one run into +problems caused by it, by adding this line to /etc/default/rcS:

+ +

+CONCURRENCY=none
+

+ +

If you report any problems with dependencies in init.d scripts to +the BTS, please usertag the report to get it to show up at +the +list of usertagged bugs related to this.

Debian boots quicker and quicker

Wed, 24 Jun 2009 21:40:00 +0200

I spent Monday and tuesday this week in London with a lot of the -people involved in the boot system on Debian and Ubuntu, to see if we -could find more ways to speed up the boot system. This was an Ubuntu -funded -developer -gathering. It was quite productive. We also discussed the future -of boot systems, and ways to handle the increasing number of boot -issues introduced by the Linux kernel becoming more and more -asynchronous and event base. The Ubuntu approach using udev and -upstart might be a good way forward. Time will show.

- -

Anyway, there are a few ways at the moment to speed up the boot -process in Debian. All of these should be applied to get a quick -boot:

- -

In the recent Debian Edu versions, the +sitesummary +system is used to keep track of the machines in the school +network. Each machine will automatically report its status to the +central server after boot and once per night. The network setup is +also reported, and using this information it is possible to get the +MAC address of all network interfaces in the machines. This is useful +to update the DHCP configuration.

Use dash as /bin/sh.

To give some idea how to use sitesummary, here is a one-liner to +ist all MAC addresses of all machines reporting to sitesummary. Run +this on the collector host:

Disable the init.d/hwclock*.sh scripts and make sure the hardware - clock is in UTC.

+perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+

Install and activate the insserv package to enable - dependency - based boot sequencing, and enable concurrent booting.

This will list all MAC addresses assosiated with all machine, one +line per machine and with space between the MAC addresses.

- -These points are based on the Google summer of code work done by -Carlos -Villegas. - -

Support for makefile-style concurrency during boot was uploaded to -unstable yesterday. When we tested it, we were able to cut 6 seconds -from the boot sequence. It depend on very correct dependency -declaration in all init.d scripts, so I expect us to find edge cases -where the dependences in some scripts are slightly wrong when we start -using this.

- -

On our IRC channel for this effort, #pkg-sysvinit, a new idea was -introduced by Raphael Geissert today, one that could affect the -startup speed as well. Instead of starting some scripts concurrently -from rcS.d/ and another set of scripts from rc2.d/, it would be -possible to run a of them in the same process. A quick way to test -this would be to enable insserv and run 'mv /etc/rc2.d/S* /etc/rcS.d/; -insserv'. Will need to test if that work. :)

To allow system administrators easier job at adding static DHCP +addresses for hosts, it would be possible to extend this to fetch +machine information from sitesummary and update the DHCP and DNS +tables in LDAP using this information. Such tool is unfortunately not +written yet.

Litt om valgfusk og problemet med elektronisk stemmegiving

Wed, 17 Jun 2009 14:20:00 +0200

Aftenposten -melder at det kan se ut til at Iran ikke har lÃ¦rt av USA nÃ¥r det -gjelder valgfusk. En bÃ¸r endre tallene fÃ¸r de publiseres, slik at en -kandidat aldri fÃ¥r fÃ¦rre stemmer under opptellingen, ellers blir det -veldig tydelig at tallene ikke er til Ã¥ stole pÃ¥. I USA er det -derimot rapporter om at -tallene har vÃ¦rt endret pÃ¥ tur mot opptellingen, ikke etter at -tallene er publiserte (i tillegg til en rekke andre irregulariteter). -En ting Iran Ã¥penbart har forstÃ¥tt, er verdien av Ã¥ kunne -kontrolltelle stemmer. Det ligger an til kontrolltelling i hvert fall -i noen omrÃ¥der. Hvorvidt det har verdi, kommer an pÃ¥ hvordan -stemmene har vÃ¦rt oppbevart.

- -

Universitetet -i Oslo derimot, har ikke forstÃ¥tt verdien av Ã¥ kunne -kontrolltelle. Her har en valgt Ã¥ ta i bruk elektronisk stemmegiving -over Internet, med et system som ikke kan kontrolltelles hvis det -kommer anklager om juks med stemmene. Systemet har flere kjente -problemer og er i mine Ã¸yne ikke bedre enn en spÃ¸rreundersÃ¸kelse, og -jeg har derfor latt vÃ¦re Ã¥ stemme ved valg pÃ¥ UiO siden det ble -innfÃ¸rt.

- -

Universitet i Bergen derimot har klart det kunststykket Ã¥ aktivt gÃ¥ -inn for Ã¥ gjÃ¸re det kjent at det elektroniske stemmegivingssystemet -over Internet kan -spore hvem som stemmer hva (det kan en forÃ¸vrig ogsÃ¥ ved UiO), og tatt -kontakt med stemmegivere for Ã¥ spÃ¸rre hvorfor de stemte som de gjorde. -Hemmelige valg stÃ¥r for fall. Mon tro hva stemmesedlenne hadde -inneholdt i Iran hvis de ikke hadde hemmelige valg?

The last few days a new boot system called +systemd +has been +introduced + +to the free software world. I have not yet had time to play around +with it, but it seem to be a very interesting alternative to +upstart, and might prove to be +a good alternative for Debian when we are able to switch to an event +based boot system. Tollef is +in the process of getting +systemd into Debian, and I look forward to seeing how well it work. I +like the fact that systemd handles init.d scripts with dependency +information natively, allowing them to run in parallel where upstart +at the moment do not.

+ +

Unfortunately do systemd have the same problem as upstart regarding +platform support. It only work on recent Linux kernels, and also need +some new kernel features enabled to function properly. This means +kFreeBSD and Hurd ports of Debian will need a port or a different boot +system. Not sure how that will be handled if systemd proves to be the +way forward.

+ +

In the mean time, based on the +input +on debian-devel@ regarding parallel booting in Debian, I have +decided to enable full parallel booting as the default in Debian as +soon as possible (probably this weekend or early next week), to see if +there are any remaining serious bugs in the init.d dependencies. A +new version of the sysvinit package implementing this change is +already in experimental. If all go well, Squeeze will be released +with parallel booting enabled by default.

Standarder fungerer best nÃ¥r en samler seg rundt dem

Tue, 19 May 2009 11:30:00 +0200

En standard er noe man samler seg rundt, ut fra ideen om at en fÃ¥r -fordeler nÃ¥r mange stÃ¥r sammen. Jo flere som stÃ¥r sammen, jo -bedre. NÃ¥r en vet dette, blir det litt merkelig Ã¥ lese noen av -uttalelsene som er kommet inn til -hÃ¸ringen -om versjon 2 av statens referansekatalog over standarder. Blant -annet Abelia, NHO og Microsoft tror det er lurt med flere standarder -innenfor samme omrÃ¥de. Det blir som Ã¥ si at det er fint om Norge -standardiserte bÃ¥de pÃ¥ A4- og Letter-stÃ¸rrelser pÃ¥ arkene, ulik -sporvidde pÃ¥ jernbaneskinnene, meter og fot som lengemÃ¥l, eller -hÃ¸yre- og venstrekjÃ¸ring - slik at en kan konkurrere pÃ¥ hvilken -standard som er best. De fleste forstÃ¥r heldigvis at dette ikke -bidrar positivt.

These days, the init.d script dependencies in Squeeze are quite +complete, so complete that it is actually possible to run all the +init.d scripts in parallell based on these dependencies. If you want +to test your Squeeze system, make sure +dependency +based boot sequencing is enabled, and add this line to +/etc/default/rcS:

+ +

+CONCURRENCY=makefile
+

+ +

That is it. It will cause sysv-rc to use the startpar tool to run +scripts in parallel using the dependency information stored in +/etc/init.d/.depend.boot, /etc/init.d/.depend.start and +/etc/init.d/.depend.stop to order the scripts. Startpar is configured +to try to start the kdm and gdm scripts as early as possible, and will +start the facilities required by kdm or gdm as early as possible to +make this happen.

+ +

Give it a try, and see if you like the result. If some services +fail to start properly, it is most likely because they have incomplete +init.d script dependencies in their startup script (or some of their +dependent scripts have incomplete dependencies). Report bugs and get +the package maintainers to fix it. :)

+ +

Running scripts in parallel could be the default in Debian when we +manage to get the init.d script dependencies complete and correct. I +expect we will get there in Squeeze+1, if we get manage to test and +fix the remaining issues.

+ +

If you report any problems with dependencies in init.d scripts to +the BTS, please usertag the report to get it to show up at +the +list of usertagged bugs related to this.

BSAs pÃ¥stander om piratkopiering mÃ¸ter motstand

Sun, 17 May 2009 23:05:00 +0200

Hvert Ã¥r de siste Ã¥rene har BSA, lobbyfronten til de store -programvareselskapene som Microsoft og Apple, publisert en rapport der -de gjetter pÃ¥ hvor mye piratkopiering pÃ¥fÃ¸rer i tapte inntekter i -ulike land rundt om i verden. Resultatene er tendensiÃ¸se. For noen -dager siden kom -siste -rapport, og det er flere kritiske kommentarer publisert de siste -dagene. Et spesielt interessant kommentar fra Sverige, -BSA -hÃ¶ftade Sverigesiffror, oppsummeres slik:

- -

-I sin senaste rapport slÃ¥r BSA fast att 25 procent av all mjukvara i -Sverige Ã¤r piratkopierad. Det utan att ha pratat med ett enda svenskt -fÃ¶retag. "Man bÃ¶r nog kanske inte se de hÃ¤r siffrorna som helt -exakta", sÃ¤ger BSAs Sverigechef John Hugosson. -

- -

Mon tro om de er like metodiske nÃ¥r de gjetter pÃ¥ andelen piratkopiering i Norge? To andre kommentarer er BSA -piracy figures need a shot of reality og Does The WIPO -Copyright Treaty Work?

- -

Fant lenkene via oppslag -pÃ¥ Slashdot.

One interesting feature in Active Directory, is the ability to +create a new user with an expired password, and thus force the user to +change the password on the first login attempt.

+ +

I'm not quite sure how to do that with the LDAP setup in Debian +Edu, but did some initial testing with a local account. The account +and password aging information is available in /etc/shadow, but +unfortunately, it is not possible to specify an expiration time for +passwords, only a maximum age for passwords.

+ +

A freshly created account (using adduser test) will have these +settings in /etc/shadow:

+ +

+root@tjener:~# chage -l test
+Last password change                                    : May 02, 2010
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 99999
+Number of days of warning before password expires       : 7
+root@tjener:~#
+

+ +

The only way I could come up with to create a user with an expired +account, is to change the date of the last password change to the +lowest value possible (January 1th 1970), and the maximum password age +to the difference in days between that date and today. To make it +simple, I went for 30 years (30 * 365 = 10950) and January 2th (to +avoid testing if 0 is a valid value).

+ +

After using these commands to set it up, it seem to work as +intended:

+ +

+root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change                                    : Jan 02, 1970
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 10950
+Number of days of warning before password expires       : 7
+root@tjener:~#  
+

+ +

So far I have tested this with ssh and console, and kdm (in +Squeeze) login, and all ask for a new password before login in the +user (with ssh, I was thrown out and had to log in again).

+ +

Perhaps we should set up something similar for Debian Edu, to make +sure only the user itself have the account password?

+ +

If you want to comment on or help out with implementing this for +Debian Edu, please contact us on debian-edu@lists.debian.org.

+ +

Update 2010-05-02 17:20: Paul TÃ¶tterman tells me on IRC that the +shadow(8) page in Debian/testing now state that setting the date of +last password change to zero (0) will force the password to be changed +on the first login. This was not mentioned in the manual in Lenny, so +I did not notice this in my initial testing. I have tested it on +Squeeze, and 'chage -d 0 username' do work there. I have not +tested it on Lenny yet.

+ +

Update 2010-05-02-19:05: Jim Paris tells me via email that an +equivalent command to expire a password is 'passwd -e +username', which insert zero into the date of the last password +change.

Webbasert tegneseriearkiv pÃ¥ trappene

Sat, 16 May 2009 19:05:00 +0200

For noen dager siden ble jeg tipset om en ny norsk webtjeneste for -Ã¥ holde styr pÃ¥ ens tegneseriesamling. Har sÃ¥ smÃ¥tt begynt Ã¥ -teste den og lagt inn noen hundre oppfÃ¸ringer, og det ser ut til Ã¥ -fungere fint. Utvikleren, Trond Hallstensen, er selv ivrig samler og -har laget systemet i fÃ¸rste omgang for seg selv, men altsÃ¥ gjort det -mulig ogsÃ¥ for andre Ã¥ bidra. Tjenesten har potensiale til Ã¥ bli -en komplett og verdifull tegneserieindeks over norske serier. Da jeg -oppdaget tjenesten var det endel mangler som gjorde meg skeptisk til -Ã¥ registrere min samling der. Det var nemlig ingen mÃ¥te Ã¥ hente ut -en maskinlesbar oversikt over det jeg registrerte, slik at mine data -ville vÃ¦re innelÃ¥st i tjenesten. Siden den gang har Trond lagt til -en eksportfunksjon til CSV-format, slik at i hvert fall noen av -feltene i databasen kan hentes ut for mine serier. Pr. i dag er det -serie, seriegruppe, Ã¥r, nr og tittel_pÃ¥_forside.

- -

Prinsipielt Ã¸nsker jeg Ã¥ kunne hente ut alle feltene om en -tegneserie, for Ã¥ unngÃ¥ repetisjon av det som skjedde med IMDB og -CDDB pÃ¥ 90-tallet. Begge begynte som fellesskapsprosjekter der -brukerne bidro pÃ¥ like vilkÃ¥r, og ble lukket inne da -initiativtageren og innehaveren av maskinen der tjenesten kjÃ¸rte -hadde fÃ¥tt nok innhold til at de ikke lenger fÃ¸lte at de trengte Ã¥ -behandle brukerne som likemenn. Trond har skrevet til meg at flere -felter vil bli lagt inn i eksporten (blant annet strekkode), men -uttrykt skepsis til Ã¥ gjÃ¸re all informasjonen tilgjengelig (han -Ã¸nsker slik jeg forsto han Ã¥ kontrollere tjenesten og ikke gjÃ¸re -det mulig Ã¥ lage konkurrerende tjeneste). Holdningen gjÃ¸r meg ennÃ¥ -mer skeptisk, men tjenesten fungerer fint, sÃ¥ jeg har bestemt meg for -Ã¥ ta den i bruk, men begrense meg til Ã¥ registrere informasjon som -er tilgjengelig i eksporten.

- -

Har ennÃ¥ ikke begynt masseregistrering, da jeg venter pÃ¥ stÃ¸tte for -strekkoder i tjenesten. Har strekkodeleser, og vil spare litt tid i -registreringen nÃ¥r jeg gÃ¥r lÃ¸s pÃ¥ mine esker. ForelÃ¸big har jeg -registrert litt tilfeldige serier som ligger rundt om i huset, men for -Ã¥ fÃ¥ et komplett arkiv mÃ¥ nok noen tusen tegneserier registreres.

- -

LÃ¸sningen er i fÃ¸lge utvikleren laget med et Oracle-spesifikt -verktÃ¸y for Ã¥ lage webtjenester, og ikke fri programvare. -Utvikleren tar imot innspill men det hÃ¸rtes ikke ut som om utvikling -av systemet var enkelt Ã¥ dele mellom flere, slik at det mÃ¥ via -ham.

- -

HÃ¸res dette interessant ut, besÃ¸k -mineserier.no og ta en -titt.

For some years now, I have wondered how we should handle laptops in +Debian Edu. The Debian Edu infrastructure is mostly designed to +handle stationary computers, and less suited for computers that come +and go.

+ +

Now I finally believe I have an sensible idea on how to adjust +Debian Edu for laptops, by introducing a new profile for them, for +example called Roaming Workstations. Here are my thought on this. +The setup would consist of the following:

+ +

During installation, the user name of the owner / primary user of + the laptop is requested and a local home directory is set up for + the user, with uid and gid information fetched from the LDAP + server. This allow the user to work also when offline. The + central home directory can be available in a subdirectory on + request, for example mounted via CIFS. It could be mounted + automatically when a user log in while on the Debian Edu network, + and unmounted when the machine is taken away (network down, + hibernate, etc), it can be set up to do automatic mounting on + request (using autofs), or perhaps some GUI button on the desktop + can be used to access it when needed. Perhaps it is enough to use + the fish protocol in KDE?
Password checking is set up to use LDAP or Kerberos + authentication when the machine is on the Debian Edu network, and + to cache the password for offline checking when the machine unable + to reach the LDAP or Kerberos server. This can be done using + libpam-ccreds + or the Fedora developed + System + Security Services Daemon packages.
File synchronisation with the central home directory is set up + using a shared directory in both the local and the central home + directory, using unison.
Printing should be set up to print to all printers broadcasting + their existence on the local network, and should then work out of + the box with CUPS. For sites needing accurate printer quotas, some + system with Kerberos authentication or printing via ssh could be + implemented.
For users that should have local root access to their laptop, + sudo should be used to allow this to the local user.
It would be nice if user and group information from LDAP is + cached on the client, but given that there are entries for the + local user and primary group in /etc/, it should not be needed.

+ +

I believe all the pieces to implement this are in Debian/testing at +the moment. If we work quickly, we should be able to get this ready +in time for the Squeeze release to freeze. Some of the pieces need +tweaking, like libpam-ccreds should get support for pam-auth-update +(#566718) and nslcd (or +perhaps debian-edu-config) should get some integration code to stop +its daemon when the LDAP server is unavailable to avoid long timeouts +when disconnected from the net. If we get Kerberos enabled, we need +to make sure we avoid long timeouts there too.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.

Massiv overvÃ¥kning av kollektivtrafikken i Oslo planlegges

Sat, 16 May 2009 09:30:00 +0200

Flere -og -flere -protesterer pÃ¥ den massive overvÃ¥kningen og registrering av -trafikkmÃ¸nster i kollektivtrafikken som planlegges i Oslo. Det er -bra. Jeg mister lysten til Ã¥ bruke kollektivtransport nÃ¥r jeg ser -hvordan trafikkselskapet holder pÃ¥. Jeg forventer og forlanger Ã¥ -ikke bli overvÃ¥ket med mindre jeg mistenkes for Ã¥ ha gjort noe -alvorlig galt. Den massive registreringen av hvor og nÃ¥r -passasjerene reiser med kollektivtrafikk som planegges av Ruter i Oslo -er et grotesk overgrep mot alle som bruker buss, trikk T-bane og tog i -OsloomrÃ¥det.

The last few weeks i have had the pleasure of reading a +thought-provoking collection of essays by Cory Doctorow, on topics +touching copyright, virtual worlds, the future of man when the +conscience mind can be duplicated into a computer and many more. The +book titled "Content: Selected Essays on Technology, Creativity, +Copyright, and the Future of the Future" is available with few +restrictions on the web, for example from +his own site. I read the +epub-version from +feedbooks using +fbreader and my N810. I +strongly recommend this book.

3D-printing brer om seg - fabrikkene bestÃ¥r

Sun, 10 May 2009 16:50:00 +0200

I 2004 fikk jeg med meg en forelesning om 3D-printing under euro foo camp -der jeg lÃ¦rte mye nytt om 3D-printing. Fikk se et lite sjakktÃ¥rn -skrevet ut i plast, med vindeltrapp pÃ¥ innsiden av tÃ¥rnet, og en hul -gummiball som ogsÃ¥ var skrevet ut (med et lite hull for Ã¥ fÃ¥ ut -fyllmassen). Ble fortalt at det amerikanske kavaleriet skriver ut -reservedeler i metall i felt, og at det fantes amerikanske husbyggere -som eksperimenterer med utskrift av hus. De to siste har jeg ikke -funnet noen referanser til i ettertid, og har derfor lurt pÃ¥ om det -stemmer. Teknologisk skulle det ikke vÃ¦re noe i veien for slike -lÃ¸sninger, det er kun et spÃ¸rmÃ¥l om pris pÃ¥ skrivehoder og -skrivere. I dag ble jeg tipset om en lÃ¸sning som -kan -skrive ut hus, med sand og bindemiddel i 25 DPI opplÃ¸sning. Mon -tro om det er fremtidens byggemetode.

- -

Jeg er ikke i tvil om at 3D-utskrift vil fÃ¸re til endringer i -hvordan produksjon gjÃ¸res, og at tilgjengeligheten pÃ¥ en rekke produkter -som i dag er vanskelig eller umulig Ã¥ fÃ¥ tak i vil bedre seg. Men de -som tror at 3D-skrivere vil gjÃ¸re fabrikkene overflÃ¸dige, tror jeg har -forregnet seg. 3D-skrivere er fantastisk bra til Ã¥ lage spesielle -dingser pÃ¥ forespÃ¸rsel, f.eks. etter Ã¥ ha lastet ned et 3D-design fra -tjenester som Thingiverse. -De er derimot ikke spesielt bra til Ã¥ lage mange eksemplarer av samme -dings. Lav pris pr. enhet er fabrikkenes fortrinn. Hvis det skal -lages tusenvis, eller millioner av en dings, sÃ¥ vil fabrikkene -sannsynligvis fortsette Ã¥ slÃ¥ 3D-skriving ned i stÃ¸vlene -Ã¸konomisk, selv om en tar hensyn til transport og logistikk. Hvis -det derimot skal lages en hÃ¥ndfull, sÃ¥ vil 3D-skriving fremstÃ¥ som -et suverent alternativ. 3D-skriving er i sÃ¥ mÃ¥te lÃ¸sning for -den lange -halen, mens fabrikker nok fortsatt vil vÃ¦re lÃ¸sningen for -massemarkedet.

Yesterdays +NUUG presentation about Kerberos was inspiring, and reminded me +about the need to start using Kerberos in Skolelinux. Setting up a +Kerberos server seem to be straight forward, and if we get this in +place a long time before the Squeeze version of Debian freezes, we +have a chance to migrate Skolelinux away from NFSv3 for the home +directories, and over to an architecture where the infrastructure do +not have to trust IP addresses and machines, and instead can trust +users and cryptographic keys instead.

+ +

A challenge will be integration and administration. Is there a +Kerberos implementation for Debian where one can control the +administration access in Kerberos using LDAP groups? With it, the +school administration will have to maintain access control using flat +files on the main server, which give a huge potential for errors.

+ +

A related question I would like to know is how well Kerberos and +pam-ccreds (offline password check) work together. Anyone know?

+ +

Next step will be to use Kerberos for access control in Lwat and +Nagios. I have no idea how much work that will be to implement. We +would also need to document how to integrate with Windows AD, as such +shared network will require two Kerberos realms that need to cooperate +to work properly.

+ +

I believe a good start would be to start using Kerberos on the +skolelinux.no machines, and this way get ourselves experience with +configuration and integration. A natural starting point would be +setting up ldap.skolelinux.no as the Kerberos server, and migrate the +rest of the machines from PAM via LDAP to PAM via Kerberos one at the +time.

+ +

If you would like to contribute to get this working in Skolelinux, +I recommend you to see the video recording from yesterdays NUUG +presentation, and start using Kerberos at home. The video show show +up in a few days.

Lenker samlet 2009-05-09

Sat, 9 May 2009 22:40:00 +0200

Jeg, et offer -
Aage Borchgrevink drodler om offerrollens framvekst i den norske -offentligheten.
Opptak fra Go Open 2009 pÃ¥ web -
Endelig kan jeg fÃ¥ med meg foredragene jeg gikk glipp av.

Aftenposten +melder pÃ¥ forsiden av webavisen sin at de tror Erling Fossen +provoserer nordlendinger med sine uttalelser pÃ¥ +fotballtinget. Jeg er utflyttet nordlending, og mÃ¥ innrÃ¸mme at jeg +ikke kjennet sÃ¥ mye som et snev av provokasjon fra denne litt morsomme +uttalelsen til Hr. Fossen. Lurer pÃ¥ om Aftenposten har noen kilder +utenom redaksjonen for sin pÃ¥stand om at nordledinger er provosert av +Hr. Fossen. MÃ¥ innrÃ¸mme at jeg tviler pÃ¥ det.

MS Excel 2007 hÃ¥ndterer ODF dÃ¥rlig -
Microsoft har lykkes med Ã¥ implementere ODF slik at de ikke -samhandler med noen av de andre som hÃ¥ndterer ODF-regneark.
MS -Word 2007 hÃ¥ndterer ODF dÃ¥rlig -
Fotnoter laget i MS Office blir merkelige i OpenOffice.org.

Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.