Public Money, Public Code

Imagine that all publicly funded software were under a free license: Everybody would be able to use, study, share and improve it.

I have been waiting for Free Software Foundation Europe to launch the Public Money, Public Code campaign for almost a year now, since Matthias first told me it was in the works. I have been arguing the same point, although not quite as organized, since back in 2009, when I complained about how the administration of Venice commissioned a GIS application from a company they directly own.

For those who have not seen the campaign yet, the idea is simple: software built with public money (that is, commissioned and paid for by public agencies), should be licensed using a FLOSS license, to make it public code. I like this idea and will support it fully. I even rejoined the Fellowship!

The timing of this campaign ended up resonating with a post on infrastructure projects and their costs, which I find particularly interesting and useful to point out. Unlike the article that is deep-linked there, which lamented the costs associated with the project, this post focuses on pointing out how that money actually needs to be spent, because for the most part off-the-shelf Free Software is not really up to the task of complex infrastructure projects.

You may think the post I linked is overly critical of Free Software, and that it is just a little rough around the edges and everything is okay once you spend some time on it. But that is exactly what the article is saying! Free Software is a great baseline to build complex infrastructure on top of. This is what all the Cloud companies do, this is what even Microsoft has been doing in the past few years, and it is reasonable to expect most for-profit projects to do the same, for a simple reason: you don’t want to spend money reinventing the wheel when you can charge for designing an innovative engine. That is a rather simplistic view of course, as sometimes you can indeed invent a more efficient wheel, but that’s a different topic.

Why am I bringing this topic up together with the FSFE campaign? Because I think this is exactly what we should be asking from our governments and public agencies, and the article I linked shows exactly why!

You can’t take off-the-shelf FLOSS packages and have them run a whole infrastructure, because they are usually unpolished, might not scale, or require significant work to bring them up to what the project requires. You will have to spend money to do that, and in some cases it may be cheaper not to use existing FLOSS projects at all, and build your own new, innovative wheel. So publicly funded projects need money to produce results; we should not complain about the cost¹, but rather demand that the money spent actually produces something that will serve the public in all possible ways: not only through the objective of the project, but also through any byproduct of it, which includes the source code.

Most of the products funded with public money are not particularly useful for individuals, or for most for-profit enterprises, but their byproducts and improvements may very well be. For example, in the (Italian) post I wrote in 2009 I was complaining about a GIS application that was designed to report potholes and other roadwork problems. In the abstract, this is a way to collect and query points of interest (POI), which is the basis of many other current services, from review sites to applications such as Field Trip.

But do we actually care? Sure, by making the code of public projects available, you may now be indirectly funding private companies that can reuse that code, and thus be jumpstarted into having applications that would otherwise cost time or money to build from scratch. On the other hand, this is what Free Software has always been about: indeed, Linux, the GNU libraries and tools, Python, Ruby, and all those tools out there are nothing less than a full kit to quickly start projects that a long time ago would have taken a lot of money or a lot of time to start.

You could actually consider the software byproducts of these projects similar to the public infrastructure that we probably all take for granted: roads, power distribution, communication, and so on. Businesses couldn’t exist without all of this infrastructure, and while it is possible for a private enterprise to set out and build all the infrastructure themselves (roads, power lines, fiber), we don’t expect them to do so. Instead we accept that we want more enterprises, because they bring more jobs and more value, and the public investment is part of that.

I actually fear the reason a number of people may disagree with this campaign is rooted in localism — as I said before, I’m a globalist. Having met many people with such ideas, I can hear them in my mind complaining that, to take again the example of the IRIS system in Venice, the Venetian shouldn’t have to pay for something and then give it away for free to Palermo. It’s a strawman, but just because I replaced the city that they complained about when I talked about my idea those eight years ago.

This argument may make sense if you really care about local money being spent locally and not counting on any higher-order funding. But I think that public money is public, and I don’t really care if the money from Venice is spent to help report potholes in Civitella del Tronto. Actually, I think that cities where the median disposable income is higher have a duty to help provide infrastructure for the smaller, poorer cities, at the very least in their immediate vicinity, but overall too.

Unfortunately “public money” may not always be so, even if it appears like that. So I’m not sure whether, even if a regulation were passed requiring publicly funded software development to be released as FLOSS, we’d get a lot in the form of public transport infrastructure being open sourced. I would love for it to happen though: we’d more easily get federated infrastructure if they shared the same backend, and if you knew how the system worked you could actually build tools around it, for instance integrating Open Street Map directly with the transport system itself. But I fear this is all wishful thinking and it won’t happen in my lifetime.

There is also another interesting point to make here, which I think I may expand upon, for other contexts, later on. As I said above, I’m all for requiring the software developed with public money to be released to the public with a FLOSS-compatible license. Particularly one that allows using other FLOSS components, and the re-use of even part of the released code into bigger projects. This does not mean that everybody should have a say in what’s going on with that code.

While it makes perfect sense to be able to fix bugs and incompatibilities in websites you need to use as part of your life as a citizen (in the case of the Venetian GIS I would probably have liked to fix the way they identified the IP address the request came from), adding new features may actually not be in line with the roadmap of the project itself. Particularly if the public money is already tight rather than lavish, I would surely prefer that they focused on delivering what the project needs and just dropped the sources out under compatible licenses, without trying to create a community around them. While the latter would be nice to have, it should not steal the focus from the important part: a lot of this code is currently one-off and is not engineered to be re-used or extended.

Of course in the long run, if you do have public software already available as open source, there would be more and more situations where solving the same problem again becomes easier, particularly if an option is added, a constant string becomes a configured value, or translations become possible at all. And in that case, why not have them as features of a single repository, rather than have a lot of separate forks?

But all of this should really be secondary, in my opinion. Let’s focus on getting those sources; they are important, they matter and they can make a difference. Building communities around this will take time. And to be honest, even making these secure will take time. I’m fairly sure that in many cases right now, if you do take a look at the software that is running public services, you can find backdoors, intentional or not, and even very simple security issues. While the “many eyes” idea is easily disproved, it’s also true that for the most part those projects cut corners, and are very difficult to make secure to begin with.

I want to believe we can do at least this bit.


  1. Okay, so there are cases of artificially inflated costs due to friends-of-friends. Those are complicated issues, and I’ll leave them to experts. We should still not be complaining that these projects don’t appear for free.

Using the SHA2 hash family with OpenPGPv2 cards and GnuPG

I’m sure I said this before, but I don’t remember when or to whom: most of the time it feels to me like GnuPG only works out of sheer luck, or sometimes fails to work just to my misfortune. Which is why I end up writing things down whenever I actually manage to coerce it into behaving as I wish.

Anyway, let’s start with a bit of background; a while ago the SHA1 algorithm was deemed by most experts to be insecure, which means that relying on it for Really Important Stuff was a bad idea; I still remember reading this entry by dkg that provided a good start for setting up your system to use the SHA2 family (SHA256 in particular).

Unfortunately, when I actually got the FSFe smartcard and created the new key I noticed (and noted in the post) that only SHA1 signatures worked; I set up the card to use SHA1 signatures, and forgot about it, to be honest. Today though, I went to sign an email and … it didn’t work: it reported that the created signature was invalid.

A quick check around and it turns out that for some reason GnuPG started honouring the ~/.gnupg/gpg.conf file rather than the key preferences; maybe it was because I had to reset the PIN on the card after mistyping it on the laptop too many times (I haven’t turned off the backlight since!). The configuration file was already set to use SHA256, so signing failed because the card was set to use SHA1.

A quick googling around brought me to an interesting post from earlier this year. The problem as painted there seemed to exist only with GnuPG 1.4 (so not the 2.0 version I’m using) and was reportedly fixed. But the code in the actual sources of 2.0.16 tells a different story: the bug is the same there as it was in 1.4 back in January. What about 1.4? Well, it’s also not fixed in the last release, but it is on the Subversion branch — I noticed that only afterwards, though, so you’ll see why that solution differs from mine.

Anyway, the problem is the same in the new source file: gpg does not ask the agent (and thus scdaemon) to use any particular digest encoding other than RMD160, which was correct for the old cards but definitely is not for the OpenPGP v2 cards that FSFE is now providing its fellows with. If you want to fix the problem and you’re a Gentoo user, you can simply install gnupg-2.0.16-r1 from my overlay; if you’re not using Gentoo but building it by hand, or you want to forward it to other distributions’ packages, the patch is also available…

And obviously I sent it upstream and I’m now waiting on their response to see if it’s okay to get it applied in Gentoo (with a -r2). Also remember that you have to edit your ~/.gnupg/gpg.conf to have these lines if you want to use the SHA2 family (SHA256 in this particular case):

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
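Once those options are in place, the thing to check is that the signatures you produce actually declare a SHA2 digest, which is the “digest algo” field that gpg --list-packets prints. The following is an added example, not from the original post: a minimal parser for the fixed fields of a v4 OpenPGP signature packet as laid out in RFC 4880 (sections 4.2 and 5.2.3), so the check can be done without gpg installed. The sample packet it inspects is constructed in the block (a made-up issuer key ID and a dummy 8-bit MPI in place of a real RSA signature); only the header and field layout are real.

```python
"""Report which digest algorithm an OpenPGP v4 signature packet declares,
the same information as the "digest algo" field of `gpg --list-packets`.
Layout from RFC 4880: packet headers (4.2), signature packets (5.2.3)."""
import struct

# RFC 4880 section 9.4: hash algorithm identifiers.
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
SHA2_FAMILY = {8, 9, 10, 11}
# RFC 4880 section 9.1: public-key algorithm identifiers (subset).
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign only)", 17: "DSA"}
SIGNATURE_TAG = 2


def read_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header, RFC 4880 4.2.2
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (first >> 2) & 0x0F  # old-format header, RFC 4880 4.2.1
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not supported")


def parse_signature(data):
    """Parse the fixed fields of a v4 signature packet into a dict."""
    tag, off, length = read_packet_header(data)
    if tag != SIGNATURE_TAG:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 signatures handled, got v%d" % body[0])
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len                       # skip hashed subpackets
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + unhashed_len                    # skip unhashed subpackets
    left16 = body[pos:pos + 2]                 # leftmost 16 bits of the hash
    return {
        "sig_type": sig_type,
        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, "algo %d" % pk_algo),
        "hash_algo_id": hash_algo,
        "hash_algo": HASH_ALGOS.get(hash_algo, "algo %d" % hash_algo),
        "hash_left16": left16.hex(),
        "hashed_subpackets": body[6:6 + hashed_len],
    }


def uses_sha2(packet):
    """True when the signature was made with a SHA2-family digest."""
    return parse_signature(packet)["hash_algo_id"] in SHA2_FAMILY


def build_sample_signature(hash_algo_id):
    """Constructed test packet (not a real signature): v4, RSA, one
    creation-time subpacket, one issuer subpacket with a made-up key ID,
    and a dummy 8-bit MPI where the RSA signature value would go."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1289000000)          # type 2: creation time
    unhashed = bytes([9, 16]) + bytes.fromhex("0011223344556677")   # type 16: issuer key ID
    body = (bytes([4, 0x00, 1, hash_algo_id])                       # v4, binary doc, RSA, digest
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                                           # left 16 bits of the hash
            + struct.pack(">H", 8) + b"\x5a")                       # MPI: 8-bit dummy value
    return bytes([0x88, len(body)]) + body                          # old-format header, tag 2


if __name__ == "__main__":
    for algo in (2, 8):
        pkt = build_sample_signature(algo)
        print(parse_signature(pkt)["hash_algo"], "sha2:", uses_sha2(pkt))
```

On a real signature, feed the raw (dearmored) signature packet to parse_signature(); a card set up as described above but still producing “SHA1” here is the situation the patch fixes.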

Smart Cards and Secret Agents

Update, 2016-11: The following information is fairly out of date, six years later, as now GnuPG uses stable socket names, which is good. Please see this newer post which includes some information on setting up agent forwarding.

I’ve been meaning to write about my adventure to properly set up authentication using the Fellowship of FSFe smartcard for quite a while, and since Markos actually brought the subject up earlier tonight I guess today is the right time. Incidentally, earlier in my “morning” I had to fight with getting it working correctly on Yamato so it might be useful after all…

First of all, what is the card and what is needed to use it… the FSFe Fellowship card is a smartcard with the OpenPGP application on it; smartcards can have different applications installed, quite a few are designed to support PKCS#11 and PKCS#15, but those are used by the S/MIME signature and encryption framework; the OpenPGP application instead is designed to work with GnuPG. When I went to FOSDEM, I set up my new key using the card itself.

The card provides three keys: a signing key, an encryption key, and an authentication key; the first two are used for GnuPG, as usual; the third instead is something that you usually don’t handle with GnuPG: SSH authentication. The gpg-agent program can actually serve your standard RSA/DSA keys for SSH too, but that is generally not very useful on its own; combined with the OpenPGP smartcard, it becomes very useful.

So first of all you need a compatible smartcard reader; thankfully the CCID protocol is pretty standard and should work fine; I’ve been lucky, and three out of three smartcard readers I have work fine: one is from an Italian brand (but most likely built in Taiwan or China), the other is a GemAlto PinPad, and the third is the one integrated in my Dell laptop, a Broadcom BCM5880v3. The last one requires an updated firmware and a ccid package capable of recognizing it; the one in Gentoo ~arch is already patched so that it works out of the box. I got mine at Cryptoshop, which seems a decent place to get them in Europe.

Out of experience, at least GnuPG seems to have problems dealing with pinpads, and quite a few pinpad-provided readers seem to have driver problems; so get a cheaper, but just as valid, non-pinpad reader.

On the software side, there isn’t much you need: GnuPG itself could use the CCID readers directly, but my best luck has been with pcsc-lite; just make sure your pcsc-lite does not use HAL but rather has libusb support directly, by setting -hal usb as USE flags for it. GnuPG has to be built with the smartcard USE flag; the pcsc-lite USE flag will pull in the dependency as well, but it does not change the build at all. Update: Matija noted that there is also the need to install app-crypt/ccid (which is the userspace driver for CCID-based smartcard readers); for whatever reason I assumed it was already a dependency of the whole set, but that is not the case.

Make sure the pcscd service is started with the system, you’re gonna need it.

To actually make use of the key properly you’re going to need to replace ssh-agent with gpg-agent. More interesting, GNOME Keyring also replaces ssh-agent, but if you let it do so, it won’t handle your OpenPGP card auth key! So you’re going to have to override that. Since using keyring with this setup seems to be impossible, my solution is a simple wrapper which I now release under a CC-BY license.

You have to source this script in every shell and in your X session as well for this to work as intended (it is needed in the X session so that it works with libvirt over SSH; otherwise virt-manager will still try to get the key from gnome-keyring). To do so I source that script from both my ~/.shrc file and my ~/.xsession file, and make sure the latter is called; for that I have this:

# in both ~/.shrc and ~/.xsession:
. /path/to/gpg-agent-wrapper

# in /etc/X11/xinit/xinitrc.d/01-xsession
[ -f ${HOME}/.xsession ] && . ${HOME}/.xsession

The trick of the script is making sure that gpg-agent is not already running, that it does not collide with the current information, but also that it takes care of overriding gnome-keyring (it could also be done by changing the priority of ~/.xsession to be higher than gnome-keyring), and it ensures that SSH Agent Forwarding works… and yes, it works even if on the client gpg-agent is used for SSH, which means it can forward the card’s authentication credentials over a network connection.
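To confirm that the card’s authentication key is actually the one being served, either locally or at the far end of a forwarded connection, the following is an added example, not part of the original post or of the wrapper script: a minimal client for the SSH agent protocol that sends SSH_AGENTC_REQUEST_IDENTITIES and decodes the SSH_AGENT_IDENTITIES_ANSWER, the same exchange `ssh-add -L` performs. The sample reply it decodes is constructed in the block (a throwaway RSA modulus and a made-up card serial) so it runs offline; list_agent_keys() talks to the socket named by SSH_AUTH_SOCK when one is present. It assumes, as is the case with gpg-agent, that card-backed keys carry a “cardno:<serial>” comment.

```python
"""Query an SSH agent (gpg-agent with enable-ssh-support, or a forwarded
agent) for the identities it serves, speaking the SSH agent protocol
(OpenSSH PROTOCOL.agent / draft-miller-ssh-agent)."""
import base64
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def ssh_string(data):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH 'mpint': big-endian two's complement, extra 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(buf, pos):
    """Decode one SSH string at buf[pos]; return (bytes, next_pos)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:end], end


def build_request_identities():
    """Framed request: uint32 length, then the single message-type byte."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(message):
    """Decode an unframed SSH_AGENT_IDENTITIES_ANSWER into
    [(key_type, base64_blob, comment), ...], the fields `ssh-add -L` prints."""
    if message[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent returned SSH_AGENT_FAILURE")
    if message[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % message[0])
    (count,) = struct.unpack(">I", message[1:5])
    pos, keys = 5, []
    for _ in range(count):
        blob, pos = read_string(message, pos)
        comment, pos = read_string(message, pos)
        key_type, _ = read_string(blob, 0)      # first field of every key blob
        keys.append((key_type.decode(), base64.b64encode(blob).decode(),
                     comment.decode(errors="replace")))
    return keys


def card_keys(keys):
    """Keys gpg-agent labels as smartcard-backed ('cardno:<serial>' comment)."""
    return [k for k in keys if k[2].startswith("cardno:")]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def list_agent_keys(sock_path=None):
    """Ask the agent at sock_path (default: $SSH_AUTH_SOCK) for its identities."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent to query")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(build_request_identities())
        (length,) = struct.unpack(">I", recv_exact(sock, 4))
        return parse_identities_answer(recv_exact(sock, length))


def build_sample_answer():
    """Constructed reply: one ssh-rsa key (tiny throwaway modulus, e=65537)
    with a made-up card serial, plus one ordinary file-backed ed25519 key."""
    rsa_blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
    ed_blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    body = (struct.pack(">I", 2)
            + ssh_string(rsa_blob) + ssh_string(b"cardno:000500000042")
            + ssh_string(ed_blob) + ssh_string(b"user@laptop"))
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body


if __name__ == "__main__":
    try:
        keys = list_agent_keys()
    except (RuntimeError, OSError) as exc:
        print("no live agent (%s); decoding the constructed sample" % exc)
        keys = parse_identities_answer(build_sample_answer())
    for key_type, blob, comment in keys:
        print(key_type, blob[:24] + "...", comment)
    print("card-backed keys:", len(card_keys(keys)))
```

Run it once locally and once inside a forwarded SSH session: if the wrapper did its job, the card’s key shows up in both places and gnome-keyring’s own agent is not the one answering.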

So here it is, should be easy enough to set up for anybody interested.

Why do FLOSS advocates like Adobe so much?

I’m not sure how this happens, but more and more often I see FLOSS advocates supporting Adobe, and in particular Flash, in almost any context out there, mostly because Adobe now looks a lot like an underdog, with Microsoft and Apple picking on them. Rather than welcoming the idea of pushing Flash, a proprietary software product, out of the market, they seem to cheer any time Adobe gains a little more advantage over the competition, and cry foul when someone else tries to ditch them:

  • Microsoft released Silverlight, which is evil – probably because it’s produced by Microsoft, or alternatively because it uses .NET, which is produced by Microsoft – and we have a Free as in Speech implementation of it in Novell’s Moonlight; but FLOSS advocates dismiss that: it’s still evil, because there are patents in .NET and C#; please note that the only implementation of Flash I know of in the FLOSS world is Gnash, which is not exactly up to speed with the kind of Flash applets you find in the wild;
  • Apple’s iPhone and iPad (or rather, all the Apple devices based on iPhone OS, now iOS) don’t support Flash, and Apple pushes content publishers to move to “modern alternatives” starting from the <video> tag; rather than, for once, agreeing with Apple and supporting that idea, FLOSS advocates decide to start name-calling them because they lack support for a ubiquitous technology such as Flash — the fact that Apple’s <video> tag suggestions were tied to the use of H.264 shouldn’t have made any difference at all, since Flash does not support Theora, so with the exclusion of the recently released WebM in the latest 10.1 version of the Flash Player, there wouldn’t be any support for “Free formats” either way;
  • Adobe stirs up a lot of news declaring support for Android; Google announces Android 2.2 Froyo, supporting Flash; rather than declaring Google an enemy of Free Software for helping Adobe spread their invasive and proprietary technology, FLOSS advocates start issuing “take that” comments toward iPhone users as “their phone can see Flash content”;
  • Mozilla refuses to provide any way at all to view H.264 files directly in their browser, leaving users unable to watch Youtube without Flash unless they do a ton of hacky tricks to convert the content into Ogg/Theora files; FLOSS advocates keep on supporting them because they haven’t compromised;

What is up here? Why should people consider Adobe a good friend of Free Software at all? Maybe because they control formats that are usually considered “free enough”: PostScript, TIFF (yes, they do), PDF… or because some of the basic free fonts that TeX implementations and the original X11 used come from them. But none of this sounds relevant to me: they don’t provide a Free Software PDF implementation, rather they have their own PDF reader, while the Free implementations often have to scramble, with mixed results, to keep opening new PDF files. As much as Mike explains the complexity of it all, the Linux Flash player is far from being a nice piece of software, and their recent abandonment of the x86-64 version of the player makes it even more sour.

I’m afraid that the only explanation I can give for this phenomenon is that most “FLOSS advocates” align themselves strictly with, and only with, the Free Software Foundation. And the FSF seems to have a very personal war against Microsoft and Apple; probably because the two of them actually show that in many areas Free Software is still lagging behind (and if you don’t agree with this statement, please have a reality check and come back again — this is not to say that Free Software is not good in many areas, or that it cannot improve to become the best), which goes against their “faith”. Adobe on the other hand, while not really helping Free Software out (sorry, but Flash Player and Adobe Reader are not enough to say that they “support” Linux; and don’t try to sell me that they are not porting Creative Suite to Linux just so people would use better Free alternatives).

Why do I feel like taking a shot at the FSF here? Well, I have already repeated multiple times that I love the PDFreaders.org site from the FSFe; as far as I can see, the FSF only links to it from one lost and forgotten page, just below a note about CoreBoot, which doesn’t make it prominent at all. Also, I couldn’t find any open letter blaming PDF for being a patent-risky format, which instead is present on the PDFreaders site:

While Adobe Systems grants a royalty-free use of any patents to the PDF format, in any application that adheres to the PDF specifications, other companies do hold patents that may limit the openness of the standard if enforced.

As you can see, the first part of the sentence admits that there are patents over the PDF format, but royalty-free use is granted… from Adobe at least; nothing is said about any other parties that might hold them.

At any rate, I feel like there is a huge double-standard issue here: anything that comes out of Microsoft or Apple, even with Free Software licenses or patent pledges is evil; but proprietary software and technologies from Adobe are fine. It’s silly, don’t you think so?

And for those who still would like to complain about websites requiring Silverlight to watch content, I’d like to propose a different solution to ask for: don’t ask them to provide it with Flash, but rather with a standard protocol, one for which we have a number of Free Software implementations and which is supported on the mainstream operating systems for both desktops and mobile phones: RTSP is such a protocol.

Religiosity and Free Software

This is a post which for many might sound inflammatory. I wish to warn anybody interested in commenting on this post that I’ll be deleting comments if they show you only read two paragraphs out of it and ignored the whole rest of it, I’ll also be deleting comments of people who just take on judging my qualities on the pure fact that I’m atheist. This is both to preserve my health and to avoid making the commenters look like idiots.

I am an atheist. I’m proud of it. I am lucky to be one. Most people aren’t as lucky as me, able both to accept that our life on earth is not part of a plan of a higher-level being, and at the same time not to look for comfort in religious organisations and similar institutions.

I’m not the kind of atheist who can’t accept people have different views of the world; I’m neither going to judge the capacity and skills of other people based on their religious beliefs; I am, though, the kind of atheist that preaches for atheism. I don’t intend to force anybody to be an atheist, but I find it important to show why we should be atheists.

Religion (at least in its most common form) is a threat to the development of society: “it’s because God does it” or “that’s the will of God” used to block advances in many sciences, and some people still try to do so. It’s not a simple matter of researching fields with the use of experiments that might be “controversial”; abuses of animals and humans alike are matters of importance for ethics, even when religion is not in the mix. What I find obnoxious is how people still believe that science shouldn’t investigate some matters simply because some book (if it’s a book at all) stated “This is the only truth”.

On this matter, a couple of years ago I became interested in a book, The Universe in a Single Atom, written by the current Dalai Lama, which seeks to address the matter of giving up religious dogmas when they are proven false by science. Unfortunately the Italian translation left a lot to be desired: the translator is a philosopher, which is good in the sense that he knows how to translate the religious and philosophical thoughts in the book, but it’s a book that speaks of science as well, and getting the terms wrong there dilutes the meaningfulness of the book. I was really appalled when they actually gave the wrong meaning to the term fMRI. I could understand those mistakes, though; what I couldn’t understand is the translator adding notes regarding common American cultural knowledge, such as a note on the Larry King show, or on the political landscape of the USA in the first half of the 20th century.

Anyway, back on track with Free Software: ethics, to an extent, applies to software development as well. Draconian terms in licenses, or DRM in content, are recognized as bad things by both the users and developers of Free Software and those of proprietary software. Of course the Free Software people will find them even more draconian, given that they are usually kept out of the loop even if they were willing to accept them (Adobe, where the heck is Digital Editions for Linux, for instance?).

So for sure the Free Software movement is based on ethics: software should be free, there should be no DRM, and people deserve Freedom 0: “The freedom to run the program, for any purpose”. It would all be fine, if it weren’t for the fact that the FSF (with Stallman first) decided to cross the dividing line between ethics and religion by mandating and blaming.

I think most of the problem is already well covered by Jürgen’s blog on the matter, that he posted yesterday, after I wrote mine, but before I could actually post it. Also, as Matija pointed out in the comments, while the original FSF has this obsession with blaming, with “purity” and “evilness”, FSFe is generally better and tries to approach the problem from the positive point of view: Our software is better.

I’m still not sure what the problem is with FSF and those (rare, hopefully) blind supporters who can go as far as attacking a Free Software developer for expressing his technical opinion on the quality of a language – and not even of any particular software implementation, mind you – just because the original idea came from an “evil source”. I guess a lot of the problem has to do with a cultural difference between USA and Europe, but I’m not the kind of sociologist who can understand why that is the case. The same kind of negative approach seem to transpire in electoral campaigns, and other events in the social life of the American people, so maybe it’s not something we can blame them for.

Now, it is true that other groups of “supporters” seem to have a religious nature, such as many “Apple fanboys”, and this actually seems to aggravate the problem further: it rationalises lumping into that category anybody who gives a positive technical opinion about Apple’s software, hardware or strategies. The same goes for Microsoft.

What are the religious aspects that hinder Free Software development? There are a number of taboos, some of which have reasons to exist, but most seem to be there just to nip in the bud any “chance of rebellion”. In this light, you can compare Eric S. Raymond with Martin Luther (the 16th century rebel, mind you); the fact that he’s a religious figure as well is no coincidence.

Some of the taboos in this are:

  • you’re frowned upon if you even use proprietary software for day-to-day activities, and even more so for actual development: operating systems, editors, compilers… of course this doesn’t take into consideration that at some point you have to use something proprietary before you can replace it, nor the fact that you have to learn what the other proprietary (and free as well) software is doing to find out what you can do better, and what you already do best;
  • you’re shunned if you praise the technical qualities of non-free software: it might be a feature that is implemented better in a proprietary program, it might be a better result achieved by a language whose only implementation is proprietary, or whatever else; the bigots will look badly at you if you even admit that Free Software might not be perfect;
  • you’re outright attacked if you concede that the best tool for a job is proprietary, at any given point; it might be software or a format, but even here, you cannot concede the point unless you want to irritate the zealots; you’re also eyed badly if you work on software that has to deal with these formats, especially if they are covered by patents; while the patent issue is very real, and very bad, if you don’t concede that they exist as they are now, you’re basically screwed;
  • you’re straight out accused of heresy if you work even partly on proprietary software, or if you develop Free Software with technologies that are frowned upon. This is mostly what Miguel is attacked for, and what I also get flak about from time to time.

Now instead, my view is that you have to drop the religious taboos, and pay attention to the ethics instead:

  • Prefer free tools even though they are not perfect, but admit it when that’s the case! I’m fine with using F-Spot, but if I were to say iPhoto wasn’t better I would be deluding myself.
  • Use the right format for the job; if it has to be shared with others, make sure you use the best format. It doesn’t matter if the format is not entirely free, but you’ll just be laughed at, and won’t do Free Software any good, if you stubbornly insist that the free format is “better because it’s free”. For audio, Vorbis is acceptable, but Ogg is a PITA; for video, Theora is no competition to H.264 (VP8, to some extent, is); for documents, don’t pretend ODT solves all problems, use PDF instead.
  • Let people live their lives with the tools they want, even when they are proprietary, but keep them on their toes! If your friends start asking for cracks and hacks to be able to use illicit copies of software, refuse to help them; instead point them to (acceptable) Free alternatives. I’ll keep repeating it, but the Free PDF Readers site from the FSFe is one of the best actions I have ever seen as far as Free Software is concerned!
  • Finally, do your best to create new, better Free Software to cover what is not covered yet. This is the most important one. Just talking about how you’re holier than others because you use only Free Software does not make you better, at all. Do your best to improve Free Software, for its users and, if that’s what gets you going, for “saving humanity”.

Free Software is not only GNU

I don’t try to hide the fact that I think the FSF’s continuous stress on “GNU/Linux” is a huge ego stroke toward GNU that tries to deny that there is other Free Software besides GNU. But even considering this I don’t usually take a stance against GNU for the sake of it. I disagree with some of the ways of the Free Software Foundation (the original one), and I have said that I like Free Software Foundation Europe better (because they take a positive approach toward Free Software rather than a negative approach toward proprietary software), yet I don’t think this should make me a bad person as far as Free Software is concerned.

And those who could still doubt my caring for Free Software over proprietary software can take a look at my Ohloh page — keeping in mind that Ohloh only tracks attributed commits, and thus does not count most of the patches sent around the world of Free Software, where DVCS are not used, and which are thus committed without my direct attribution. You only have my word that there are many of those, as well.

With this on the table, would you still believe that I’ve been slandered before as an anti-Free Software activist? Would you believe that when I criticised the quality of GNU’s code somebody went out of their way to say that my approach is “mining it [GNU’s code] to improve your work” (because wanting to use fold’s code and then release a utility based on it as GPL-3 is not giving back, it seems, unless I sell my soul and blood over to the FSF, maybe?).

I know I’m getting boring with quoting Bill Maher, and re-using his own criticism strategies in my blog posts. And I also already used this line but never on this blog so I’ll use it again:

We’ve got to worship principles, not people.

With this I mean that even if I agree with the idea behind FSF and the GNU Project, I don’t have to see either Richard Stallman or Linus Torvalds as my personal God, nor would I have to accept the GNU project as the owner of all good software in this world. There is more to that. The same principles apply to other situations, even situations where GNU is laughed at, even situations where GNU’s code is laughed at but their license is used. Because what makes me dislike some of the GNU project’s applications and in general the FSF (America) approach is not the license, otherwise I wouldn’t be using it extensively for my own projects, both personal and work-related.

When I criticise the over-engineering status of a utility such as fold, I’m not attacking either the idea of Free Software or the GPL license. I’m just stating that the fold.c code is utterly a piece of crap, as it jumps through a ton of hoops, and is unreadable and impossible to re-use, to do something as simple as what fold is supposed to do.

When I say that the groff code is a real mess, it’s because the code itself is messed up if you try to follow it; when I further add that requiring C++ (but not the STL) to do something as simple as what groff does is like shooting oneself in the foot, I’m not saying that Free Software sucks and proprietary software is always better. I’m just trying to find a better Free Software alternative. And I’m not entirely sure Heirloom’s doctools are the way to go, by the way.

When I find FSF’s negative approach excessively bad, I’m criticising their way of supporting Free Software, not detracting from Free Software altogether. Although I start to think this is simply the American way of getting your points through: you don’t show your best side, you try to point people at the others’ bad sides; another thing that I should probably learn from Bill Maher, when he talked about the way political elections and Oscar nominations go in the USA.

But this does not obviously cover all of GNU’s code… although I guess it does cover a lot of it; the fact that the GNU project is now comprised of loosely connected smaller packages doesn’t make it much better. You have projects that are doing very connected work that keep separated (autoconf and automake), others that are developed behind closed doors without a public repository of any kind, and totally different code styles or development practices every two projects.

So GNU’s not perfect; what’s your solution? Keeping your eyes shut and screaming “GNU’s perfect”? I still prefer mine: saying that GNU’s not perfect, when it’s not, and either improve it or make something better. With the best tools available; with the best knowledge available; with the best license available (which, most of the time, will be the GNU General Public License, of some sort, but doesn’t mandate that).

I do support FSFE… it’s positive!

A Free Coffee

I have, before, written about my concerns regarding the way the Free Software Foundation is working nowadays, and the fact that I feel RMS is taking too seriously his role as a “semi-religious” figure (and the whole “Church of Emacs” business). On the other hand, I’m happy to be a supporter of Free Software Foundation Europe. I do find the two taking pretty different stances on a lot of things.

Before leaving for FOSDEM, I read (and re-dented) Lydia’s link to a post by Joe Brockmeier (of OpenSUSE fame — of course there will be a vocal minority that will find his involvement with OpenSUSE, and thus Novell, a bad sign to begin with; I feel happy that I’m not that closed-minded) that summarised quite well my feeling about the way the Free Software Foundation is behaving nowadays. Let me quote Joe:

Update (2017-04-21): Joe’s article is gone from the net and I can’t even find it on the Wayback Machine. Luckily I quoted it here!

It isn’t that the folks at the Free Software Foundation are wrong that DRM is bad for users, it’s that they are taking an entirely negative and counter-productive approach to the problem. Their approach to “marketing” may resonate with some in the FLOSS community, but their efforts are not at all likely to win hearts and minds of users who don’t get out of bed in the morning singing the Free Software Song.

While Defective By Design highlights legitimate problems with the iPad (and other products) where are the alternatives? Stop telling people what they shouldn’t buy, and make it easier for them to get hands on some kit that lets them do what they want to do with free software. In other words, stop groaning about Apple and deliver a DRM [I guess he meant DRM-free here — Flameeyes] device of your own, already.

And I agree with him wholeheartedly (of course as long as my note above is right): we should propose alternatives, and they need to be valid alternatives. When I say that I use an iPod because it has 80GB of storage space on it (well, my current, old version has 80GB, newer versions have 160GB of course), people suggest to me, as an alternative, not to carry around so much music. Well, I do want to carry around that much music! If you can get me a player with an equivalent disk space and feature set I’d be grateful to get rid of Apple’s lock-ins… while that’s not available, I don’t really care about reducing my music library, as long as I can use it with Rhythmbox and other Free Software tools.

On the other hand, I cannot praise enough one in particular of the FSFE projects: PDFreaders.org website. Instead of telling the users how bad Adobe is, the site provides them with valid alternatives, specific to their operating system! This includes even the two biggest proprietary operating systems, Windows and Mac OS X. Through this website I actually was able to get more people used to Free Software, as they are glad to use something that is, in many ways, better than Adobe’s own Reader.

As I keep repeating, to bring Free Software to the masses, we need to be able to reach and improve over the quality of proprietary software. We are able to do that, we did so before, and we keep doing so in many areas (it’s definitely not random chance that FFmpeg is one of the most widely used Free Software projects, sometimes even unbeknownst to its users, on the most varied platforms). When we settle for anything less, we’re going to lose. When we say that something is better and everybody should use it just because it’s Free, then we’re deluding ourselves.

I’m not sure what will happen with OpenOffice now that Oracle ate Sun as a snack, but if this will bring enough change in the project, it might actually make it really go mainstream. Right now, myself, I feel it has so many holes that it’s not even funny… on the other hand, as I wrote, it has some very important strong points, including the graphing capabilities (not charting!), and of course, the fact that it is Free Software.

New OpenPGP key

After seven years of “service”, I finally decided to discard my old OpenPGP key. I was already planning on doing so for a while (especially since it was still a 1024-bit DSA key), but the tipping point was reached today for two reasons: the first is that I received the FSFe Fellowship smartcard (as “Lefty” put it, FSFe seem to be concerned with matters more at hand than those the main FSF is concerned with, so I feel much more at ease to help FSFe rather than FSF itself), the second is that this year I should finally be able to attend FOSDEM (thanks to the fact I can finally board a plane without risking a heart attack; on the other hand I’m not going to board a plane alone so I’m going to take a train to Turin and then move with Luca).

FOSDEM here is a key reason for my switching key: my current key has no web of trust, the only signatures are those from the PGP Directory (automated non-human signatures), so it’s almost impossible to be sure I really exist. Finally being able to meet friends and colleagues is going to be helpful to fix that as well, and at this point starting from a new, clean key (which does not list outdated user IDs, nor my “old” name) sounded like a good plan.

Anyway, I’d like to thank Daniel Kahn Gillmor (dkg from Debian) for his howto on key migration (although it still is signing with SHA1 — I wonder if it’s because of the card not supporting other digests?), and for his template for replacing the old key, in my case it’s available here and is signed with both my old and new keys for verification.

I’m currently uncertain about whether to replace my Gentoo manifest signing key with a sub-key of the new key after I get it signed, so that it also gets to be part of the web of trust.

Anyway, to finish it off, my new key details are these:

pub   2048R/BB592443 2010-01-16
      Key fingerprint = F204 568C 03BD FD49 60EC  2DCC 1A82 AD57 BB59 2443
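The listing above packs three facts into one line: the algorithm and size (2048-bit RSA, gpg’s “R”), the short key ID, and the fingerprint the ID is cut from. As an added example (not code from this post or from GnuPG), the following decodes a minimal OpenPGP v4 public-key packet as RFC 4880 defines it, computes the fingerprint, and flags keys like the retired 1024-bit DSA one; the two sample keys are constructed, not real keys.

```python
# Added example: decode an OpenPGP v4 public-key packet body (RFC 4880 §5.5.2)
# and derive what gpg's "pub   2048R/BB592443 2010-01-16" line summarises.
import hashlib
import struct
import time

ALGO_NAMES = {1: "R", 17: "D"}  # gpg's short listing: RSA -> "R", DSA -> "D"

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_v4_key_body(algo: int, created: int, *mpis: int) -> bytes:
    """Body of a v4 public-key packet: version 4, creation time, algorithm id, key MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def inspect_v4_key(body: bytes) -> dict:
    """Parse the body and compute the fingerprint exactly as RFC 4880 §12.2 prescribes."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled here")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    bits = struct.unpack(">H", body[6:8])[0]  # size of the first MPI: RSA n or DSA p
    # v4 fingerprint = SHA-1 over 0x99, the 2-byte body length, and the body itself.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    reasons = []
    if bits < 2048:
        reasons.append(f"{bits}-bit key is below 2048 bits")
    if algo == 17 and bits <= 1024:
        # A 1024-bit DSA key has a 160-bit subgroup, so every signature is bound to a 160-bit digest (SHA-1).
        reasons.append("DSA-1024 ties signatures to SHA-1")
    return {"algo": ALGO_NAMES.get(algo, str(algo)), "bits": bits, "created": created,
            "fingerprint": fpr, "key_id": fpr[-8:], "weak": bool(reasons), "reasons": reasons}

def gpg_style(info: dict) -> str:
    """Render the same summary line gpg prints for a public key."""
    date = time.strftime("%Y-%m-%d", time.gmtime(info["created"]))
    return f"pub   {info['bits']}{info['algo']}/{info['key_id']} {date}"

# Constructed sample keys (placeholders, not real key material): 2048-bit RSA, 1024-bit DSA.
RSA_BODY = build_v4_key_body(1, 1263600000, (1 << 2047) | 0x1235, 65537)
DSA_BODY = build_v4_key_body(17, 1073000000, (1 << 1023) | 0xAB, (1 << 159) | 1, 2, 3)

if __name__ == "__main__":
    for body in (RSA_BODY, DSA_BODY):
        info = inspect_v4_key(body)
        print(gpg_style(info), "; ".join(info["reasons"]) or "ok")
        print("      Key fingerprint =", " ".join(info["fingerprint"][i:i + 4] for i in range(0, 40, 4)))
```

The short key ID is just the last 32 bits of the fingerprint, which is why it is useful only as a lookup handle and the full fingerprint is what should be compared when signing a key at FOSDEM.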

Hardware signatures

If you read Planet Debian as well as this blog, you probably have noticed the number of Debian developers that changed their keys recently, after the shadows cast over the SHA-1 hash algorithm. It is debatable whether this is an issue now or not, but that’s not what I want to discuss.

There are quite a few reasons why Debian developers are more interested in this than Gentoo developers; while we also sign manifests, there are quite a few things that don’t work that well in our security infrastructure, which we should probably pay more attention to (but I don’t want to digress now), so I don’t blame their consideration of tighter security.

I’m also considering the switch; while I have had my key for quite a while, there are a few issues with it: it’s not signed by any Gentoo developer (I actually don’t think I have met anybody in person to be able to exchange documents and stuff), the Manifest signing key is not a subkey of my actual primary key (which by the way contains lots of data of my previous “personas” that don’t matter any longer), and so on and so forth. Revoking this all and starting anew might be a good solution.

But, before proceeding, I finally want to get this over with and move to hardware cryptography if possible; I already expressed the interest before, but I never dug enough to find the important information; now I’m looking for that kind of information. And I want a solution that works in the broadest range of cases:

  • I want it to work without SHA-1; I guess this already starts to be difficult; while it’s not clear whether SHA-1 is weak enough to be a vulnerability or not, being able to ignore the issue by using a different algorithm is certainly a desirable feature;
  • I want it to work with GnuPG and OpenSSH at least; if there is a way to get it to work with S/MIME it might also be a good idea;
  • I want it to work on both Linux and Mac OS X: I have two computers in my office: Yamato running Gentoo and Merrimac running OSX; I have to use both, and can’t do without either; I don’t care if I don’t have GnuPG working on OSX, I still need it to work with OpenSSH, since I would like to use it for remote access to my boxes;
  • as an extension to the previous point, I guess it has to be USB; not only can I switch it between the two systems (hopefully!), I’m also going to get a USB switch to use a single console between the two;

I guess the obvious solution would be a tabletop smartcard reader with one or more cards (and I could get my ID card to be a smartcard), but there is one extra point: one day I’m going to have a laptop again, what then? I was thinking about all-in-one tokens, but I have even less knowledge about those than I have about smartcards.

Can anybody suggest a solution to me? I understand that the FSFE card only supports 1024 bits for the keys, which seems to be tied to weakness lately; no idea how much of that is true though, to be honest.

So, suggestions, very welcome!