cvs, svn, and git -- a tangential revisit


A long-ish article about a talk that Michael Meeks gave about Libre Office, in which you find this gem (the emphasis is mine, not in the original):

OpenOffice.org has a somewhat checkered history when it comes to revision control. CVS was used for some years, resulting in a fair amount of pain; simply tagging a release would take about two hours to run. Still, they lived with CVS for some time until OpenOffice.org launched into a study to determine which alternative revision control system would be best to move to. The study came back recommending Git, but that wasn't what the managers wanted to hear, so they moved to Subversion instead - losing most of the project's history in the process. Later, a move to Mercurial was done, losing history again. The result is a code base littered with commented-out code; nobody ever felt confident actually deleting anything because they never knew if they would be able to get it back. Many code changes are essentially changelogged within the code itself as well. Now LibreOffice is using Git and a determined effort is being made to clean that stuff up.

This brings me back to my major beef with most "corporate" IT (even if the end product is open source): the people who have the knowledge don't have the power, and the people who have the power don't have the knowledge and won't listen.


the insecurity of religious people

Well, yesterday I attended my first ever Christian wedding. I guess it wasn't a true Christian wedding; the bride (Indian) and groom (Canadian, or Quebecois, as he would remind me) were members of a church called "the international church of christ".

Anyway, I took an instant dislike to the person who was officiating in the wedding. He talked patronisingly of India traditionally having many barriers against inter-caste, inter-language, and inter-state weddings, etc., and patted himself and his church on the back that this wedding was therefore unique or at least very special.

Of course, he conveniently left out "inter-religion". Probably because his church expressly prohibits it ;-)

Anyway, I'd say http://carm.org/what-international-church-christ (esp the last 2 paras) is more accurate than Wikipedia's wimpy "it is difficult to make any generalizations about the organization collectively". Google around for more if you're curious. Add the word "banned" to see even more interesting results.


Which brings me to my subject line. Why do most ultra-religious people feel the need to convince *you* of it? Or at least to praise it/themselves? Are they trying to justify their choice, maybe? Convince themselves, more than you?

I'm not against religion. I'm against the public display of religion. With few exceptions, my experience has been that people who feel compelled to *show* their religious affiliations overtly are, to put it delicately, very "imperfect".

There are two very good reasons I'm putting it "delicately" :-)

And oh... "against the public display of religion" also means "I won't tell you whether I believe in God or not" :-)

switching from Mandriva to Fedora

Well... all good things must come to an end, and so -- very regretfully, I should add -- I parted ways with Mandriva. I'd been a Mandrake user since '99 or so, and a die hard fan and evangelist since not long after.

Today I switched my work(horse) desktop from MDV to Fedora. The upgrade went amazingly smoothly, partly because ever since I started using git, almost everything I have except "documents" is in git; all I really did was restore my repos, my mail, and a "workdata" directory that contained all the ODT/ODP/ODS junk. A few commands here and there and it's all set. Pidgin, FF, TB, all set up exactly as they were before.

So.... why?

Well, it's not just that Fedora is using gitolite, it's also that Linux itself has come far enough in the usability department (much more thanks to Fedora than people realise due to Ubuntu's machinations of the press) that a "developer's" distro can probably be used by the neophyte now.

My focus has always been to help completely non-techie users switch to Linux, and Mandriva was just perfect. For a looooong time. But some issues linger...

(1) Every time I install MDV, I have to go to urpmi.zarb.org and set up the repos for plf to get libdvdcss and other goodies. With Fedora and livecd-creator, I just create a custom spin that already contains all of that and I carry that around. Done.

(2) MDV's repos for India suck. Actually, I take that back -- something that doesn't exist can't suck :-) And I hate the bloody Chinese mirror that MDV always ends up picking from geolocation.

[And I'd hate it even if the Chinese weren't trying to hack everyone on the planet. Fedora people: please give us a choice to exclude certain locations if we wish to. Or make gpg-signature checking mandatory if the packages are coming from certain locations. (And yes, I know "locations" is hard to pin down easily)]

(3) Curiously, 2 of my "non-technical" users have the Tata Photon or equivalent USB modem. And MDV's network control center just does *not* like that card. wvdial works fine, so it wouldn't be so bad if MDV supplied wvdial on the liveCD, but they don't. Catch-22, in the worst case.

stay off my master branch, off-shore dude!

Someone on #git posted a link to a neat little website with a bunch of git tips. One of them was http://ryanflorence.com/git-hosting-solutions/ , which uses the phrase "stay off my master branch, off-shore dude!" as an example of gitolite's main feature (per branch permissions).

I'm sure he didn't know that gitolite is *written* by an "offshore dude" ;-)


with all due respect ;-)


What's with this fad of putting "open" in front of everything to do with the FOSS world? Openssl, openssh -- fine. Openoffice I can understand.

Openrespect? Is there also closed respect somewhere then?

And whatever the hell it means, I find the concept totally hilarious, and I can't see *any* possible use for such a fruitless exercise. It almost sounds like a Government project of some kind -- like Tom Lehrer's "National Brotherhood Week".

Anyway, for the record, I've been increasingly getting pissed off by Mark Shuttleworth and his gang. Installing mono by default is a big no-no for me. That's almost black-list worthy in itself -- wilfully enabling Microsoft's future lawsuits. [And if you have kept up with news in the FOSS world in general for the past few years and still believe MS will not -- ever -- sue the open source community, or a major player, over Mono, well... I *respect*fully call you a moron. A blind, deaf, and illiterate moron, actually. I think that was respectful enough ;-)]

And then there is their copyright policy for contributions -- horrible; it's like MySQL all over again...

So... with great *respect*, Mark: let me say you're a freeloader off of other FOSS projects. Or, in Hindi (English cannot convey respect the way Indian languages can): Mark-ji, aap chor hain. Choron key badshah hain. Aapki chori ki jitni taareef ke jaye, utni kam hai!

Let me break the respectful words down to explain. A "-ji" suffix is loosely like "-san" in Japanese, for those who know that. It denotes respect -- taking the name without a "-ji" attached (or equivalent in other languages) is... not disrespectful, but a sign of familiarity. The "aap" is the respectful version of "tum", which is "you". All Indian languages have respectful variants of the second and third person pronouns.

Chor is thief. Hain means "are", but again, the respectful variety. Without respect, that sentence would be "tum chor ho".

Choron key badshah is "king of thieves". The next sentence basically says "however much praise I heap on your thievery, it falls short" or something like that.

Phew... I think that's enough respect for one day.


best rant against C++ I've ever seen


I don't even know enough to summarise!

[edited to add a link to an excellent rant by Linus on C++ :-)]


(job) security

context: some features of gitolite, and in this case of git itself -- the fact that in git, every developer has the entire repo on his machine.

<someone> wrote:

> In fact, our security team worries about having the full
> development history on "everyone's machine".  

At least in a corp. env., I think this is somewhat specious.  Even if you were using SVN or similar, it is trivial for a dev to just collect daily snapshots anyway.  Actually, in terms of IP, even one snapshot has all of it, if it's the latest (it's rare that only old versions have IP and new ones don't).


That's what I replied to him.  But if I could, I would add this to my response above:

I've always maintained that most "security" is about the job security of the person responsible for security :-)  Security people are a lucky lot, by and large.  They get to make a lot of noise, cry wolf far more than 3 times and get budget, so when nothing happens, they get an attaboy for "doing so much to protect us".

And if something happens, ironically enough, the fact that they cried wolf so many times and spent so much money works in their favour -- the logic being "he did far more than you could have expected him to do, and if something happened even after all that, who can blame him?".

The secret to this brilliant escape from the consequences of attacking the wrong problem (forcing passengers to take off their shoes *after* Richard Reid, for instance!) is that no one else actually feels he is qualified to do the job properly anyway.  Everyone is too busy thinking "<phew> there but for the grace of God go I" and so they cut him a lot of slack!


consultant-speak for "crap"

'This model is showing signs of extreme organic growth,' I said, which is consultant-speak for 'This model is a heap of @#$%! '


from http://blogs.computerworld.com/17138/oh_right?source=rss_sharkey


The Economist on the fallibility of biometrics

http://www.economist.com/blogs/babbage/2010/10/biometrics -- fairly short article, but packed with good stuff.  Anyone who has any interest in this field should read it.

Specifically, people involved in the UID project in India should read this.  Yes, this article is aimed more at terrorism prevention than mass-scale UID, but many of the points mentioned still apply.  And if you take the problems described in that article, and add in collusion by the operator, which is very, *VERY* likely in India UID, you have the potential for massive fraud and systematic abuse by whoever is in power.

Some quotes:

  - But in its rush to judgment, the FBI did more than anything, before or since, to discredit the use of fingerprints as a reliable means of identification.

  - What the Mayfield case teaches about biometrics in general is that, no matter how accurate the technology used for screening, it is only as good as the system of administrative procedures in which it is embedded.

  - The panel of scientists, engineers and legal experts who carried out the study concludes that biometric recognition is not only "inherently fallible", but also in dire need of some fundamental research on the biological underpinnings of human distinctiveness.

  - The body of case law on the use of biometric technology is growing, with some recent cases asking serious questions about the admissibility of biometric evidence in court.


someone bites back at HTC

Kudos to Matt, author of Hg, for this: http://lwn.net/Articles/409864/

full text (it's small enough anyway):

On Wed, 2010-10-13 at 11:32 +0800, martin_liu@htc.com wrote:
> Dear Matt:
> Recently, I got an oops at pagemap_read(). I've tried to
> search some patches and found a patch as below link.
> http://kerneltrap.org/mailarchive/git-commits-head/2010/4...

Dear Martin,

Are you from the same HTC mentioned here?


If so, please ask again in 90-120 days. Until then, you're on your own.

HTC in my personal bl again

IIRC the first time was for entering into a patent deal with MS.

Now it's for this:

HTC Willfully Violates the GPL in T-Mobile's New G2 Android Phone
(Freedom to Tinker) -- http://lwn.net/Articles/409548/


it's not rocket science!


Very crisp.  I didn't know it propagated through USB sticks -- those bozos deserve it if it did.

And screw you, ISRO, if India's INSAT 4B died due to stuxnet -- you guys deserve more like this before you'll come to your senses and stop using Windows.

Honestly, is Linux that hard that ROCKET SCIENTISTS can't use it?


Meanwhile, some funny stuff from the first link, since I like their sense of humour so much:


Q: Which factory is it looking for?
A: We don't know.

Q: Has it found the factory it's looking for?
A: We don't know.


Q: What's the relation between Realtek and Jmicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan. Which is weird.


Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

Q: When was it discovered?
A: A year later, in June 2010.

Q: How is that possible?
A: Good question.

Q: Was Stuxnet written by a government?
A: That's what it would look like, yes.

Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.

Q: Was it Israel?
A: We don't know.

Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.

Q: Was the target Iran?
A: We don't know.


Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.


Gosling: Oracle is ethically challenged, micro-managed, and creepy

Why I Quit "Creepy" Oracle: The Father Of Java James Gosling Speaks Out -- http://www.eweekeurope.co.uk/interview/why-i-quit-oracle-the-father-of-java-james-gosling-speaks-out-9995/print

Quite a few hard hitting comments on the new villain for the open source crowd (as if we needed another!).

Well at least he did it after leaving, unlike my old boss, who ranted against his (then) employer (and my current employer) to a reporter even *before* he had left -- talk about ethically challenged!

But while it's perfectly fine to talk about Oracle being "ethically challenged" and "micro-managed", it just doesn't seem proper for a senior person to talk about salary etc., or to say that the CEO "gives me the creeps" to the press.

A friend of mine who reads a lot more than I do mentioned that this was in line with any of Gosling's past writings that he had read -- nothing to learn, nothing to take away -- unlike people like Larry Wall or Guido van Rossum, where you almost always learn something new or get a new perspective on something old, etc. (We're talking about "learn" in the academic sense here, not "I learned that Ellison is a creep, so isn't that learning?")

And finally, I have to say this. I'm not a big fan of Gosling anyway. I hate Java -- I call it the "COBOL of the internet", and I think it has done a lot to remove any fun that programming could have had for lots and lots of people, and made it a bloody chore. Comments like this would have had a lot more weight for me if they had come from Larry or Guido, but they're not the kind to stoop to this, I suspect, even if they were in that situation.

And even if he felt compelled to, I bet Larry would say it with a heck of a lot more humour and panache :-)


hacking embedded systems


One of the scariest articles I have seen recently.

The linked PDF is nice too, but the article about it just flows better.


found on a random list of funnies somewhere...

"I think part of a best friend's job should be to immediately clear your computer history if you die"



bikeshedding the twittube!


Lovely humour from a lady I'm starting to admire as much as JR (that's Joanna Rutkowska, not the zero-EQ JKR of Harry Potter fame).

There's no need to click the link unless you're a file systems maven though... the funny parts are right here:

----- quote -----

This series is the core mount and lookup infrastructure from union mounts, split up into small, easily digestible, bikeshed-friendly pieces.  All of the (non-documentation, non-whitespace) patches in this series are less than 140 lines long.  It's like Twitter for kernel patches.

VFS developers should be able to review each of these patches in 3 minutes or less.  If it takes you longer, email me and I'll post a video on YouTube making fun of you.


Fwd: Consumerization and Corporate IT Security

I can't recall when was the last time Bruce Schneier said something I did not quite agree with.  The last paragraph could have at least hedged a little, instead of making it sound so unequivocal.  Oh well...

-------- Original Message -------- 



via Schneier on Security by schneier on 9/7/10

If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available.

So why can't work keep up? Why are you forced to use an unfamiliar, and sometimes outdated, operating system? Why do you need a second laptop, maybe an older and clunkier one? Why do you need a second cell phone with a new interface, or a BlackBerry, when your phone already does e-mail? Or a second BlackBerry tied to corporate e-mail? Why can't you use the cool stuff you already have?

More and more companies are letting you. They're giving you an allowance and allowing you to buy whatever laptop you want, and to connect into the corporate network with whatever device you choose. They're allowing you to use whatever cell phone you have, whatever portable e-mail device you have, whatever you personally need to get your job done. And the security office is freaking.

You can't blame them, really. Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof. How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say "no."

But security is on the losing end of this argument, and the sooner it realizes that, the better.

The meta-trend here is consumerization: cool technologies show up for the consumer market before they're available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren't going to stand for using last year's stuff, and they're not going to carry around a second laptop. They're either going to figure out ways around the corporate security rules, or they're going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. It might even be the CEO, who wants to get to the company's databases from his brand new iPad, driving the change. Either way, it's going to be harder and harder to say no.

At the same time, cloud computing makes this easier. More and more, employee computing devices are nothing more than dumb terminals with a browser interface. When corporate e-mail is all webmail, corporate documents are all on GoogleDocs, and when all the specialized applications have a web interface, it's easier to allow employees to use any up-to-date browser. It's what companies are already doing with their partners, suppliers, and customers.

Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions. Like everything else, it's a mixed bag: some of them will work and some of them won't, most of them will need careful configuration to work well, and few of them will get it right. The result is that we'll muddle through, as usual.

Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.

This essay first appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security Magazine. You can read Marcus's half here.

the effect of snake oil security


It's just a coincidence that the author's nickname is "rsnake" :-)

He makes a valid point, but as the comments show, not everyone agrees.  The most useful comment is the one that says "aah but this will apply equally to non-snake oil remedies" or some such...  worth thinking about.


apple bashing...

...is always fun.  Even more so when it happens on otherwise staid and sedate sites like LWN:


Broadcom releases an open-source driver for its wireless chipsets
Posted Sep 9, 2010 16:09 UTC (Thu) by djcapelis (subscriber, #53964)
Parent article: Broadcom releases an open-source driver for its wireless chipsets

Oh my!

This is an amazing development. One of the last problems with a macbook I was having was a broadcom chip.


Posted Sep 9, 2010 16:39 UTC (Thu) by lkundrak (subscriber, #43452)
The last one is being a macbook I presume ;)


Hg easy to use?


If Bram, author of vim, cannot do some simple version cutovers in Hg, is it really that easy to use?

The other thread at http://groups.google.com/group/vim_dev/browse_thread/thread/1ce709f61e5424e5/f70ea0132796c96a?hide_quotes=no#msg_f70ea0132796c96a is even more illustrative (and, as a friend on #git said, too fatiguing to read).

Branching, it seems, is still a mess in Hg...


fixups on an existing commit using tig and the new autosquash option on rebase

This shows how to use tig and the new option in rebase to do fixups very quickly.

What you need first is this alias in your ~/.gitconfig (it goes in the [alias] section):

[alias]
    # fixup, from http://permalink.gmane.org/gmane.comp.version-control.git/154460
    fixup = "!f() { git commit -m\"fixup! $(git log -1 --pretty=%s $1)\"; }; f"

and these lines in your ~/.tigrc:

bind main = !git fixup %(commit)
bind main R !git rebase --autosquash -i %(commit)
bind generic s view-status

We need to make a quick change in conf/example.gitolite.rc. We first make the change, then start tig.

type 's' for status view, then cursor down to the file that you just changed

type 'u' to stage that file

type 'q' to quit status view and go back to main view; cursor down to the commit you want to "fixup"

hit enter to make sure it is the right one; it is... the filelist confirms it

hit 'q' to get rid of the commit details, then '=' to invoke the "git fixup"

Notice the commit message?

hit enter to get past that commit confirmation message, then arrow down 1 line

hit "R" to rebase with respect to the selected commit

save and exit the editor

hit enter to see the new commits
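The same keystroke sequence run end-to-end without tig, as an added example that is not from the original post: the repository, the commit messages and the conf/example.rc contents are constructed, the "fixup" alias is written as a shell function, and it assumes a git with --autosquash (1.7.4 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the "fixup! + autosquash"
# workflow that the tig keystrokes above drive, run non-interactively in a
# throwaway repository so you can see exactly what it does to the history.

# Shell-function version of the ~/.gitconfig "fixup" alias: commit what is
# staged with the subject "fixup! <subject of commit $1>".  That exact
# prefix is what "git rebase --autosquash" keys on.
git_fixup() {
    git commit -q -m "fixup! $(git log -1 --pretty=%s "$1")"
}

# Builds a 3-commit repo, fixes up the middle commit, rebases with
# --autosquash, and prints one line:
#   <fixup commit subject>|<commit count>|<subjects, oldest first>|<flag>
# where <flag> is 1 if the fixed-up "add example rc" commit now contains the
# corrected config line, 0 otherwise.
demo_autosquash() {
    repo=$(mktemp -d) || return 1
    cd "$repo" || return 1

    # identity for a clean environment, and editors that accept the todo
    # list autosquash generates instead of opening an interactive editor
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    export GIT_SEQUENCE_EDITOR=true GIT_EDITOR=true

    git init -q . 2>/dev/null
    printf 'initial\n' > README
    git add README
    git commit -q -m "initial"
    base=$(git rev-parse HEAD)

    # the commit we will fix up later: a config with the wrong value
    mkdir conf
    printf '$UMASK = 0077;\n$GL_WILDREPOS = 0;\n' > conf/example.rc
    git add conf
    git commit -q -m "add example rc"
    target=$(git rev-parse HEAD)

    # an unrelated later commit; it must come through the rebase untouched
    printf 'docs\n' > README
    git commit -q -am "update docs"

    # the "quick change": edit, stage ('u' in tig's status view), then '='
    printf '$UMASK = 0077;\n$GL_WILDREPOS = 1;\n' > conf/example.rc
    git add conf/example.rc
    git_fixup "$target"
    fixup_subject=$(git log -1 --pretty=%s)   # "fixup! add example rc"

    # 'R' in tig: the fixup! commit is moved next to its target and melded
    # into it; the target keeps its own message
    git rebase -i --autosquash "$base" >/dev/null 2>&1 || return 1

    count=$(git rev-list --count HEAD)
    subjects=$(git log --reverse --pretty=%s | paste -sd, -)
    flag=$(git show HEAD~1:conf/example.rc | grep -c 'GL_WILDREPOS = 1;')
    printf '%s|%s|%s|%s\n' "$fixup_subject" "$count" "$subjects" "$flag"
}

demo_autosquash
```

Run it and you get one line showing the fixup commit's subject, three commits (the fixup has disappeared into its target), the original order of subjects, and the corrected config in the middle commit.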


long time Mandriva user tries Fedora

I have switched my laptop over to Fedora 13 LXDE to check things out properly in normal use; here are my findings so far.  (Remember I have > 10 years of history as a Mandriva user!)

Plus points

  • recognises the Tata Photon+ CDMA data stick out of the box.  The GUI is identical, except for color, to the one in Linux Mint; now why can't Mandriva also use that same software, whatever it is?  In Mandriva, you have to use wvdial (which means you have to install it first!).  The normal drakconf-spawned config screen asks you for a "PIN number" (huh?) and regardless of what you type or not, it responds saying "have you inserted your SIM card" or some such message I can't recall.
  • the ability to create a custom live CD with everything I want on it.  Thanks to my friend Raj, I now have a nice live CD (actually USB stick) that contains more than 200 packages of my choice.  This means I truly don't have to take my laptop around to many places, while still getting a LOT of work done.
  • having a sane set of package repos automatically configured even if you live in India!  Mandriva would always select some mirror in China that, consistently across the last 2-3 releases of Mandriva, has been dead or unresponsive or overloaded any time I try it.  I'd gotten to the point that I'd pretend to be in some US time zone, then change it to India after the install is all done.  Or go to easyurpmi.zarb.org and do a manual mirror selection.
Minus points
  • missing or outdated packages.  (For example, "recoll" -- if I ever have to switch my work desktop this would be a show stopper!  And "atop" is unmaintained.  And unison is apparently deprecated... in favour of what, I wonder?)

    However, the saving grace is that the Fedora ecosystem is just too big for anyone to ignore, so either the upstream themselves will have an RPM available (as in the case of recoll and atop), or someone else (like Dag) might, or -- worst case -- my PFE (personal Fedora expert/evangelist, a person who shall remain nameless in his own interest, lest he be swamped by others' requests for help!) will find me a link from somewhere!
  • keychain doesn't work.  I had to add these 3 magic lines into my own .bash_profile because the one in /etc/profile.d didn't seem to work.  I should probably dig deeper and report it if needed.
        keychain ~/.ssh/id_rsa
        . ~/.keychain/$HOSTNAME-sh
        . ~/.keychain/$HOSTNAME-sh-gpg

  • There is no way to have the screen lock before suspend/hibernate.  This is not secure.  I finally had to put "xscreensaver-command -lock; sleep 2" somewhere inside a file called "pm-action".  There is just no other way as far as I know.  From a non-techie user perspective this is horrible, horrible, horrible.  (I realise this may be only the LXDE spin and perhaps the KDE or GNOME versions do it ok).
  • The touchpad doesn't let you click.  You have to run gnome-mouse-properties and change the settings, which would be fine, but they don't persist across a logout/login.  Each time you login you have to run that command again.  (Weirdly enough, you don't have to touch the settings; they're all there.  But the GUI has to come up once...)
Still, all in all it was a pleasant experience, especially because my friend Raj showed me how to make my own live image with whatever packages I want in it.  In the end that might be a bigger point than all the rest :-)


making a multi-boot USB (and mandriva troubles)

So today my young colleague Vignesh and I spent some time figuring out how to put more than one live CD onto a USB stick. Without using any external tools (except "unetbootin").

In brief:

  • make ext2/3 partitions for each live CD you want to install; make sure you add about 10-20% extra space (moving from iso9660 to ext2 seems to do that!)
  • run unetbootin for each live CD in turn, to its respective partition
  • on the first partition, edit extlinux.conf to remove any cruft, and then tack on to the end of it just the one or two relevant paragraphs from the same file of the other partitions (i.e., the other live CDs that you unetbootin-ed). Make the identifiers sequential (not sure it works if they repeat; by default they all start with 0)
  • make sure all the vmlinuz files and initrd files mentioned in these extract are all copied to the first partition. Watch for name duplication, extra components in the pathnames in the conf file paras that you didn't create (you just dumped 'em all into the first partition's top level directory!) etc., and change the conf lines to fit the filenames
  • make one final "extlinux -i /dev/first-partition"
  • make sure this is the one marked "bootable" in fdisk

and you're done.
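The "tack on the relevant paragraphs, make the identifiers sequential, watch for name duplication" steps above done with a script, as an added example that is not from the original post. It assumes the extlinux.conf layout unetbootin writes (label / menu label / kernel / append initrd=...); the sample configs are constructed, and the "entryN" label names and "/p<N>-" filename prefix are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post.  Reads one extlinux.conf per
# unetbootin-ed partition (in partition order) and prints a merged config for
# the first partition in which:
#   - every "label" is renumbered sequentially (entry1, entry2, ...), and the
#     "default" line is pointed at entry1;
#   - each kernel/initrd path becomes /p<N>-<basename>, so two live CDs that
#     both ship "vmlinuz0" no longer collide when dumped into the first
#     partition's top directory;
#   - global lines (default, prompt, timeout, ...) are kept from the first
#     file only, and a "# copy" comment records which file to copy where.
# All of this is one awk pass; the sample configs below are constructed.

# merge_extlinux CONF1 CONF2 ...  -> merged config on stdout
merge_extlinux() {
    awk '
    FNR == 1 { fi++; inlabel = 0 }               # fi = index of current file
    $1 == "label" { inlabel = 1; print "label entry" ++n; next }
    fi > 1 && !inlabel { next }                   # drop cruft of later files
    $1 == "default" { print "default entry1"; next }
    $1 == "kernel" {
        src = $2; sub(/.*\//, "", src)
        print "# copy partition " fi ":" $2 " -> /p" fi "-" src
        print "  kernel /p" fi "-" src
        next
    }
    $1 == "append" && match($0, /initrd=[^ \t]+/) {
        path = substr($0, RSTART + 7, RLENGTH - 7)
        src = path; sub(/.*\//, "", src)
        print "# copy partition " fi ":" path " -> /p" fi "-" src
        $0 = substr($0, 1, RSTART - 1) "initrd=/p" fi "-" src substr($0, RSTART + RLENGTH)
    }
    { print }
    ' "$@"
}

# Constructed sample: what two unetbootin-ed partitions might have left
# behind.  Note both use the same vmlinuz0/initrd0.img names.
write_samples() {
    cat > "$1/p1.conf" <<'EOF'
default ubnentry0
prompt 0
timeout 50
label ubnentry0
  menu label Live CD A
  kernel /vmlinuz0
  append initrd=/initrd0.img root=UUID=1111-2222 ro liveimg
label ubnentry1
  menu label Live CD A (text mode)
  kernel /vmlinuz0
  append initrd=/initrd0.img root=UUID=1111-2222 ro liveimg 3
EOF
    cat > "$1/p2.conf" <<'EOF'
default ubnentry0
prompt 0
label ubnentry0
  menu label Live CD B
  kernel /vmlinuz0
  append initrd=/initrd0.img boot=casper quiet splash
EOF
}

# Writes the samples to a temp dir and prints the merged config.
demo_merge() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    merge_extlinux "$d/p1.conf" "$d/p2.conf"
}

demo_merge
```

The "# copy" lines double as the to-do list for copying kernels and initrds into the first partition before the final "extlinux -i".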


Unless one of the live CDs you want is Mandriva :-(

God what a pain. First of all, without initrd tweaking it cannot be "unetbootin"-ed. This is because the extlinux.conf entries don't come with UUID= options, so unless it's the first partition it won't get past that. Worse, the "linuxrc" file inside the initrd.gz hardcodes "-t iso9660". Come on.... why? The mount command should be able to figure out the partition type dammit!

What Vignesh finally did to make it work was

  • add a root=UUID= parameter to the "kernel" lines in the config (2 of them; one for live, one for install)
  • patch linuxrc to comment out all the stuff to do with labels and add this line in their place:
    sh -c 'root=`grep -o "UUID=[a-zA-Z0-9\-]*" /proc/cmdline`; mount -o ro $root /live/media'

And that seemed to work for me too.


After that it never worked again (back to squashfs errors). And after a couple more attempts I just gave up... Mandriva is not really worth it as a quick-check-your-email-on-a-borrowed-laptop live CD anyway so there's no point:

  • it's too slow (an *installed* Mandriva boots slower than mint or F13 running off a USB stick)
  • it doesn't support my Tata Photon+ USB thingie (what do they use, WiMax? not sure) out of the box -- you have to install wvdial, which it doesn't come with!
  • and most important, it's the only one that needs 5 clicks before it gets to the desktop. It's like they didn't intend to make it a real "live CD", but only as an installer


Looks like my MDV days may be numbered, and not just because I promised a friend of mine (who favours Fedora) that I'd switch to Fedora if they started using gitolite. Sad... The future looks Fedora-ish blue for my machines and minty-green for the ones I manage for my non-tech f&f.


(gitolite) a non-techie explanation of "distributions"...

(...and why a couple of recent announcements have me sporting a 70-mm smile these days!)

When you install Windows, you're used to doing this:

  • install Windows from one CD
  • install drivers for all your hardware, one from each CD
  • install MS-Office from another CD
  • install CD-burning software from yet another CD
  • install PowerDVD or some other DVD player (maybe you don't like Windows Media Player or maybe someone told you WMP reports to MS on all movies you watch!)
  • install Yahoo messenger or Gmail chat or Skype from the websites
When people install Linux, (especially if it's from a DVD) most of these things come with it.  And most of them have more than one choice:
  • various web browsers (Firefox, Konqueror, Epiphany, ...)
  • word processors (OpenOffice, KOffice, AbiWord, ...)
  • chat clients (pidgin, empathy, ... -- by the way you can use one chat client for both Yahoo and Gmail chat!)
  • music and video players (mplayer, xine, vlc, ...)
  • common tools like cd-writers (k3b, xcdroast, gnome-burner, ...)
  • not to mention games (I like tuxracer, my wife and mom love kshisen, my kids and nephews/nieces like tuxkart or something.  And for Solitaire fans, the "kpat" game contains 12 variations of Solitaire, and if that's not enough, "pysol" contains 50 or so!)
Great.  So who writes all this stuff?

If you guessed "Linus Torvalds", you'd be wrong.  Of course, he created Linux, but he's only interested in the core of the operating system itself (called the "kernel").  Which is great because he's damn good at it, and really, if that doesn't work well, none of the others will.  When you hear people talk of Linux machines running for months together without a reboot, you can thank Linus and the hundreds of people all around the world that help him maintain the kernel.

So once again, who writes all the stuff you see, and how does it get to you?

Well there are people.  Lots of them.  Or, in some cases, there are organisations (like the Mozilla Foundation, which produces the Firefox browser and Thunderbird email client, etc.)

Just for fun, let's refer to all this software as upstream software and to their authors as upstream authors.

The problem is, each of them puts his software on their own website.  And most of the time they only give source code -- you're expected to compile and install it yourself.

Now how would someone who just installed Linux for the first time be expected to:
  • know that he needs to do this
  • figure out what software he needs (for example, who would ever guess that the best "photoshop"-like program on Linux is called "gimp"?  Or the best dvd/cd-writer software is called k3b?)
  • figure out where to go for each item on his list (what is the "upstream website"?)
  • be able to "compile" and "install" anything?
In fact, how would he solve the chicken-and-egg problem of not having the tools to build the tools?

What you want is to just pop in a CD, click Yes a few times, and have a brand new, working, Linux machine on your table.

That's where distributions come in.  Red Hat is one such company (perhaps the most famous), Mandriva is another, and recently Canonical (who make Ubuntu) is also becoming well-known.  There are many community-driven ones too, which are often better, depending on your special circumstances.  [Why there are so many distributions is a whole other story, but the short answer is that "one size does not fit all".  Some people want ease of use, some want raw power and a simple GUI, some want all sorts of whizz-bang, some want a rock solid system that they can use as a server and put in a backroom, while some people want one that can fit within a 52-MB "business card CD" (see http://en.wikipedia.org/wiki/Bootable_business_card ) and so on and on...]

But whatever the size, scope, or goals, what a distribution does is:
  • take all the various pieces of software that a user might want
  • compile them all
  • put them all together in one CD
  • put a nice graphical "installer" tool to make things as painless as possible
  • take all the additional software they couldn't fit on the CD/DVD and put it on a series of websites/ftp servers
  • give you a nice graphical "package manager" to search for and grab stuff from those servers
All this is a lot of hard work.  Plus they have to:
  • keep track of all the upstream software
  • when a new version of the upstream software comes out, get it, compile it, make sure it works OK, etc.
  • make any simple fixes if needed
  • make sure it works well with all the other software they're putting on the same CD
  • keep track of bug reports submitted by their users, determine the cause of the bug, and either fix it themselves or send it to "upstream" so that the upstream knows and has a chance to fix it.  (And once upstream fixes it, they have to bring those changes in, compile, test... the whole cycle repeats)
(In addition, they also have to look for security issues that get reported by the upstream author or by third parties, and if something comes up they have to do all this on an emergency basis).

[For those of you who know how the newspaper business works, I'd say this is not far from what goes into creating a newspaper or a weekly newsmagazine.  Each section has its own editor, they have to get stories from their sources, write them up, edit them, put pictures on them, and send it to someone who will put all of them together]

Now Fedora is one of the more popular distributions.  They have 10,000 repositories, and over 1000 "package maintainers".  Each of these maintainers is constantly working on one or more of the activities listed above, and, as the deadline for a major release comes closer, things get hectic.

Fedora needs a central server to manage all this hectic activity, one that each of these package maintainers can log onto, and where each can change only the packages they volunteered to maintain.

Which means that server needs what is called "access control" -- prevent one person from changing stuff belonging to another, really.

And so we come to what gitolite does: it provides access control to a server hosting several thousand source projects with several hundred developers.  It wasn't originally designed for that -- I just wrote it for myself to use at work here.  It just turned out to be good enough (with lots of help from others, of course, since that is how open source works) for something as ambitious as this!
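To make "access control" concrete, here is an added example (my illustration, not gitolite's own code or its actual rule engine): a constructed config in gitolite.conf style for a few package maintainers, and a small Python checker that evaluates it top to bottom, first match wins. The package names, maintainer names and groups are made up, and the evaluator is a deliberately simplified model of the real semantics.

```python
"""Simplified model of gitolite-style per-repo access control.

Constructed illustration (not gitolite's code): package maintainers may
only push to the packages they volunteered for, while anyone can read
everything.  Rules are evaluated top to bottom and the first matching rule
wins; a leading '-' denies.  This mirrors gitolite's conf *style*, but the
evaluator is a simplified model, not the real implementation.
"""
from dataclasses import dataclass

# Constructed sample config in gitolite.conf style.  All names are made up.
SAMPLE_CONF = """
@admins        = alice
@httpd-team    = bob carol
@kernel-team   = dave

repo httpd
    RW+  = @httpd-team
    RW+  = @admins
    R    = @all

repo kernel
    R    = @all
    -    = carol          # carol may read, but never push, to kernel
    RW   = @kernel-team   # push yes, but no rewind/force-push

repo @all
    RW+  = @admins        # admins can do anything, anywhere
"""

PERM_LEVEL = {"R": 1, "RW": 2, "RW+": 3}   # what each rule grants
OP_LEVEL = {"R": 1, "W": 2, "+": 3}         # read, push, force-push/rewind


@dataclass
class Rule:
    repo: str     # repo name, or "@all" for every repo
    perm: str     # "R", "RW", "RW+" or "-" (deny)
    who: str      # user name, @group, or @all


def parse_conf(text):
    """Parse the subset used above: group definitions and repo rule blocks."""
    groups, rules, current_repo = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("@") and "=" in line:
            name, members = (s.strip() for s in line.split("=", 1))
            groups[name] = members.split()
        elif line.startswith("repo "):
            current_repo = line.split(None, 1)[1].strip()
        else:
            perm, members = (s.strip() for s in line.split("=", 1))
            if current_repo is None or perm not in ("R", "RW", "RW+", "-"):
                raise ValueError(f"bad rule: {raw!r}")
            for who in members.split():
                rules.append(Rule(current_repo, perm, who))
    return groups, rules


def _matches_user(who, user, groups):
    if who == "@all":
        return True
    if who.startswith("@"):
        return user in groups.get(who, [])
    return who == user


def check_access(groups, rules, user, repo, op):
    """Return True if `user` may perform `op` ("R", "W" or "+") on `repo`.

    First matching rule wins: a deny rule stops immediately; a grant rule
    only counts if it grants at least the level the operation needs, so an
    earlier "R = @all" does not stop a later "RW = @team" from being found.
    Nothing matching means default deny.
    """
    need = OP_LEVEL[op]
    for rule in rules:
        if rule.repo not in (repo, "@all"):
            continue
        if not _matches_user(rule.who, user, groups):
            continue
        if rule.perm == "-":
            return False
        if PERM_LEVEL[rule.perm] >= need:
            return True
    return False


def writable_repos(groups, rules, user):
    """Names of repos (excluding the '@all' wildcard) the user may push to."""
    repos = sorted({r.repo for r in rules if r.repo != "@all"})
    return [r for r in repos if check_access(groups, rules, user, r, "W")]


if __name__ == "__main__":
    g, r = parse_conf(SAMPLE_CONF)
    for u in ("alice", "bob", "carol", "dave", "eve"):
        print(f"{u:6} can push to: {writable_repos(g, r, u)}")
```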


Hope that helped.

And finally, the announcements themselves:
Fedora is one of the most popular distributions of Linux.

KDE is one of the 2 most popular/powerful "desktop environments" available for Linux.  See http://en.wikipedia.org/wiki/Kde for more on this.


Absolutely. The. Funniest. CFP. Ever.


CFP == call for papers, in case you're wondering, and this is a hacker conf in NZ called, (what else?) "Kiwicon"


(apple) 5 ways iPhone users get ripped off

"Using an iPhone is like taking a holiday to some corrupt country: It may be beautiful and offer simple pleasures, but you're going to pay bribes to people who shamelessly charge you for what's free elsewhere."

 -- http://www.computerworld.com/s/article/9178836/5_ways_iPhone_users_get_ripped_off?source=CTWNLE_nlt_wktop10_2010-07-09


Fwd: [gitolite] Anybody knows a gitolite ready AMI

is it a good sign if people are looking around for AMIs with your software already installed?


/me is tickled pink!

-------- Original Message --------

Subject: [gitolite] Anybody knows a gitolite ready AMI
Date: Mon, 5 Jul 2010 06:33:00 -0700 (PDT)
From: [elided]
To: gitolite <gitolite@googlegroups.com>

Anybody knows a gitolite ready AWS' AMI ?  Tks. 


after a few days, the core starts stinking

An old friend of mine asked me about buying an iPad.  My first response to him was this:

---------- (1) ----------

iDon'tknow.  iDon'tEvenCare.  iHateApple.  iThinkJobsStinks


jokes apart, I don't mind recommending apple to my technically challenged (but financially non-challenged) friends, but I would never use one.  Ever.

I have several reasons.

The vaunted "intuitiveness" was lost on me during my first experience with an Apple in 1996, where I had to finally be told by someone that ejecting a floppy (yeah, those days!) required moving the floppy icon to the trashcan.  How that is intuitive I have never understood.

My real reason is that I hate control freaks like Jobs, who will not let you do what you want with your machine, in general.  That might be OK for a lot of people, but not for me.

I have, when in a facetious mood, said the following: "more money than brains?  use Apple.  more brains than money?  use Linux.  neither money nor brains?  use (pirated) Windows".  clearly applicable mainly in India (and China I guess).

There's a backhanded compliment to Apple in there, if you look hard enough ;-)

---------- (end 1) ----------

He responded with something about innovation and consumer products and marketing and so on.  Here's my reply:

---------- (2) ----------

My whole point is that a computer (and even an iPad is one, perhaps even an iPhone, arguably) never was, and never will be, a consumer product like a DVD player or a stereo system.  Those things have only one (or a few well-known-in-advance) functions, and no one expects a toaster to even become a microwave via software upgrade.

Looks don't matter to me, so now it's just an expensive piece of hardware you cannot customise or do what you want with.  For the "sheeple" who just take what they've been given, that's fine.  You know me better than that, but I also thought I knew *you* better than that :-)

The bottom line is that if you love the word freedom in *any* sense, you need to think about supporting this joker.  Probably the best comment (though not the funniest) is at http://apple.slashdot.org/comments.pl?sid=963229&cid=24996553 -- which I quote in its entirety because it's short:

I was exclusively a Mac user from 1990 through 1997. From 1997 through 2000 I was a three platform user. Windows for games, Mac for art and linux for servers. Steve Jobs' return to Apple crushed the core of the spirit that made me a loyal user. My computer is not a status symbol. It's not a lifestyle choice. It's not a part of my image. It's a tool. When Apple shifted back to the current "Image above all else" mode, I went to Win/Lin PCs. I don't have the time or the money to stroke Steve Jobs' ego.

Some more links are below.  Two things I will ask: (1) don't let the tone of the first one fool you into ignoring the others; it was just too funny to let go, and (2) do follow the first level links within those links (one level only) also, even the ones that didn't turn into hyperlinks -- just copy-paste them into your browser.  Some of the comments are really insightful, despite the language used.

http://sitaramc.blogspot.com/2008/09/apple-idiocy.html (the Adithya in the comments is a young, NON-techie, nephew of mine who has -- independently it seems, seen the light)

---------- (end 2) ----------

But the main point I forgot to address was this.  He said, "The business user is not really interested in the gory details of coding".

The correct response is "sure, but shouldn't he care that if his son, or his friend, or his IT dept, can code it up for him, he still cannot use it unless Jobs allows him to?"


LinkedIn going the facebook way?

I got a LinkedIn invite from someone whose name was vaguely familiar,
but did not really recognise. So I asked her "who are you and how do
you know me"?

Her reply:

> sorry sir we dont know each other....i think i have got u from my gmail
> where i usually forward my resume for jobs.

Is this how networks are built up now? Is Linkedin becoming like bloody

Is this how some people have hundreds of contacts?


fake job acceptance letters

I just heard of a spate of fake job acceptance letters being sent out in the name of TCS, as well as many other large and small IT companies in India.  Typical phishing-type mails, all sorts of promises, bad spelling and grammar, and a "fee" for the "process" (not exact words; but then do the exact words matter?)

I spoke to a few guys here and there, turns out it's happening to many companies, and quite a few people are getting duped, then filing police complaints.

A friend and I were talking, and he says: "I can understand if a blue-collar worker gets duped looking for a job in Dubai.  But these guys are supposed to have bachelors or masters degrees, often in some branch of Engineering or Science!"

I agree.  My question to anyone who got duped by these guys is: were you *so* desperate for a job that you stopped thinking?

an agnostic's delight


read the whole thing, but the following was really nice:

Seriously though, species who hold on to religion past its sell-by date tend to be most likely to self destruct. They spend so much energy arguing about my true nature, and invest so much emotion in their wildly erroneous imagery that they end up killing each other over differences in definitions of something they clearly haven't got a clue about. Ludicrous behaviour, but it does weed out the weaklings.
And even though he speaks of "killing each other", I'm not just thinking about the terrorists here. You'll find such people, albeit with far less damage potential, much closer to home than you think. In your family. At work. They're bloody everywhere. All religions seem to be subject to such stupidity, although only a few carry it to extremes.

The next couple of paras after this are very funny, though I can't help feeling the author either caved in to the PC brigade or got scared of a fatwa ;-)

All in all, a very fun read...


a couple of funny ones...

First, on facebook:

via Comedy Central's Jokes.com: Joke of the Day by Comedy Central on 4/2/10

Now every idiot from high school's like, 'I'm back!' We weren't supposed to meet again. Stop poking me and inviting me to your weird vampire parties. No, I don't want to follow you on Twatter. Like, nobody's interested in you. I don't want to see you in real life, why would I want to follow you in the imaginary one?


Next, on MTV (and book stores these days!)

via Comedy Central's Jokes.com: Joke of the Day by Comedy Central on 10/29/08

The worst television is MTV. 'Music Television' -- they call it that, they don't even play music. How's that legal? What if everybody did that? 'Hey, thanks for calling New York Pizza.' 'Yeah, give me two large pepperoni pizzas.' 'Oh, we don't sell pizza.' 'What?' 'No, we just have raccoon hats and eye patches. Call a book store if you're hungry.'


why should anyone trust this b*st*rd now?


Apparently facebook CEO Mark Zuckerberg is promising to improve fb's privacy record.

I don't see why anyone should trust him anymore. I've seen and read enough about his opinions on his users' privacy to NEVER trust him.

Here's a sample, from that article (and this was something I had not known till now, by the way, so it just makes things worse): "Recently unearthed IM transcripts from the early days of Facebook showing Zuckerberg describing early adopters at Harvard "dumb fucks" for trusting him with their data have hardly helped Facebook's cause."

wow... calling your users "dumb fucks". Even Microsoft and Apple can't beat that; they at least don't come right out and *say* so ;-)


The article itself, and the comments on that article are all equally sceptical. In particular, take a look at http://forums.theregister.co.uk/post/771675 followed by http://forums.theregister.co.uk/post/771757 -- at the same time Zuckerberg was making these statements, people were being forced to either delete their "interests" data or make it public.


Re: Take a look at my photos on Facebook

someone sent me an invitation from facebook, with about 15 names and pictures (of which I recognised four).  This was my reply, and now that this post has been made I intend to just reply with this link from now on :-)


sorry, do I know you?

even if I do, please don't send me this stuff.

I predict facebook (and others like it) will be the single biggest problem in individual security over the next couple of years.  I think it will surpass all the so-called phishing and pharming attacks in impact, because unlike them, facebook attacks can move beyond e-security into physical and personal security.


on 04/05/10 22:38 <deleted> wrote:

<deleted invitation text/pictures>


(funny) VBA

"It was at this point that Jason decided Skynet wasn't a rogue military AI, but a mail merge macro trying to recover from a badly formatted postal code"

-- http://thedailywtf.com/Articles/Poke-a-Dot.aspx

or this:

"You see, the dots weren't dots. The original author wanted a place to store some variables, and couldn't think of a better place than the body of the document, "hidden" in a 1pt font. And then, in the four places those variables were used, a 22-line version of "Selection.Find" was used to retrieve them."



a refreshingly frank article about cloud security...

...focusing on the audit aspect.


The basic thrust is that cloud computing security claims rely on SAS70 type audits, which have an inherent conflict of interest of the kind that was at the heart of the recent financial meltdown.  Jay Heiser, a Gartner analyst who specializes in security, [says] "I found more parallels between what happened in the financial services and cloud computing than I anticipated."

The second point, which is probably even more important in my personal opinion, is that SAS70 is an auditing standard for financial statements, and never had anything to do with IT in the first place.  And the people who conduct them are, more often than not, accountants.  The kind of questions I asked Raghavan when we were discussing the TQMS cloud setup are probably not even asked in a SAS 70 audit ;-)

We Have Met the Enemy and He Is PowerPoint

a GREAT article in the NY Times.  The best line goes to Gen. Stanley A. McChrystal.  Referring to this slide, he said: "When we understand that slide, we'll have won the war".

More quotes:

"PowerPoint makes us stupid," Gen. James N. Mattis of the Marine Corps, the Joint Forces commander, said this month at a military conference in North Carolina. (He spoke without PowerPoint.) Brig. Gen. H. R. McMaster, who banned PowerPoint presentations when he led the successful effort to secure the northern Iraqi city of Tal Afar in 2005, followed up at the same conference by likening PowerPoint to an internal threat.

"It's dangerous because it can create the illusion of understanding and the illusion of control," General McMaster said in a telephone interview afterward. "Some problems in the world are not bullet-izable."


Commanders say that behind all the PowerPoint jokes are serious concerns that the program stifles discussion, critical thinking and thoughtful decision-making. Not least, it ties up junior officers  -- referred to as PowerPoint Rangers -- in the daily preparation of slides, be it for a Joint Staff meeting in Washington or for a platoon leader's pre-mission combat briefing in a remote pocket of Afghanistan.


Senior officers say the program does come in handy when the goal is not imparting information, as in briefings for reporters.

The news media sessions often last 25 minutes, with 5 minutes left at the end for questions from anyone still awake. Those types of PowerPoint presentations, Dr. Hammes said, are known as "hypnotizing chickens."


I don't fit in this group anymore

...or what I see of it anyway.

They're so much more affluent and powerful and just plain money-smart,
politics-smart, and street-smart than I ever will be or want to be.
Are we really all products of the same college?

Someone said something praising Pratap Reddy for bringing Apollo to
its supposed greatness, professionalism, and whatnot from supposedly
corrupt beginnings. I had already had 2 drinks by then, but that
would not have mattered anyway:

"I wouldn't go to Apollo even if I were dying". Not my drink
speaking. Stone cold sober I'd just say it louder and include my
family and loved ones also in the statement. I've had personal
experience of Apollo's "professionalism".

"That's your problem, not theirs. They're making money" [or words to
that effect; can't quite recall now].

It's amazing how big a disconnect there is between me and the guy(s)
who said/endorsed this. None of these guys will ever be "middle
class" like I am. They'll never feel "the system" is getting them
down because they *are* part of the system, or help to sustain it.
One guy is an entrepreneur whose turnover has doubled in the last year
(we're talking more than a few millions of USD). One is a very senior
person in the state bureaucracy -- pretty close to the top. The other
are all construction and real-estate czars, or at least mini-czars, in
their own right. One is a CEO of a small part of one of India's
largest (and IMNSHO most corrupt) industrial houses. One of the
absentees is a guy who's already made so much money he's on a 1-year
sabbatical to play golf. What a life...

And what a contrast to a guy whose most expensive possession is a flat
that cost about 32 lakhs (about 70,000 USD) and still has 11 years of
the mortgage to go.

That doesn't mean all 160+ of the batch are like this -- not at all.
But the group that tends to meet often... They'll never be able to
explain to me how they can idolise someone who essentially made his
millions the way I firmly believe he did (and they aren't even
contesting it; they seem to agree it is true but it is just not

And I'll never be able to explain to them how much fun I'm having,
say, building and supporting gitolite, or any of the other things that
drive me (all, sadly, to do with computers... maybe it is true I don't
have a life!)

I definitely don't fit. Too bad... they're really nice guys inside,
every single one of them. But sometimes that's just not enough.


I'm so proud...


The Music And Film Industry Associations are trying to get India to toe the line.  India says "sure" but it's actually "nice try, buddy!".


  - I can still watch DVDs on my Linux box.  Since I refuse to install any proprietary software on any computer that I own, and don't have a TV or consumer DVD player, the only way I watch movies is either at the theater (often enough, actually) or by buying a DVD.  The Music And Film Industry Associations and their friends would try to ban DeCSS, which is of course critical to watch DVDs on Linux.

  - these b*st*rds [ you know when Sitaram brings out the swear words that someone is threatening open source or some other freedom dear to his heart ;-) ] apparently want to add India's borderline friendliness to open source as a matter of concern.

I couldn't care less if I never got to watch another movie for the rest of my life (and the music I like best is stuff like Tchaikovsky so that doesn't matter either).  If DeCSS was made illegal I would have been slightly inconvenienced, but may have considered buying a personal DVD player to use occasionally.

But this... this means war!

With that one sentence thrown into the end of their PDF, they've lost the moral high ground.  It's very clear that copyright infringement is NOT their main priority -- if it were, they should be applauding the move toward open source for its impact in reducing software piracy.

If you take this to its logical conclusion, is it really that different (in its **attempted** scope, even if not achieved) from the salt issue?  I thought this "forcing people to buy imported stuff they can't afford even if they have local, cheaper, stuff" went out with the British Raj!


bureaucracy gone crazy


Google won't allow the co-inventor of Unix and the C language to check-in code, because he won't take the mandatory language test.

Obama outdoing Kalam? Nice...


it's a short article, so:

The White House - the seat of the US presidency - has announced that it is releasing some of its improvements to the Drupal content management system. "By releasing some of our code, we get the benefit of more people reviewing and improving it. In fact, the majority of the code for WhiteHouse.gov is already open source as part of the Drupal project. The code we're releasing today adds to Drupal's functionality in three key ways." It is nice to see that the president's office cares about such things.


facebook's privacy issues

Let me make this point clear with an example. I met a teen whose abusive father was recently released from jail. Recognizing that a restraining order would not be enough protection, the teen and her mother moved thousands of miles away. As the teen began making friends in her new school, she begged for a Facebook account. Her mother caved and both the daughter and mother worked to make the account as private as possible; neither of them wanted to face the consequences of being found. In December, when Facebook changed its privacy settings, this teen and her mother didn't realize what the change in privacy settings meant until someone else pointed them out after the fact. Is putting her at risk an acceptable by-product of Facebook's changes?

-- http://www.danah.org/papers/talks/2010/SXSW2010.html


Matt Blaze and the afterword

[...] but basically, not much has changed in 15 years. If I had it to do over again, I wouldn't really need to change a word. If I had to tweak it, I might add something about human factors in security, a poorly understood and hugely important subject if ever there was one.

-- http://www.crypto.com/blog/afterword

Since about 2005 or so, the "brief profile" I send out whenever I have a speaking engagement of any kind, has had this line in it: He also has a good breadth of knowledge on e-security and related issues, ranging from technology aspects to the human factor aspects that are so important in implementations.

Looks like I'm in good company!

Not that claiming it means I can do it, or do it well, but I just wanted to reinforce the importance of this -- it's not just the algorithms that are important, it's how the algorithms fit into your big picture that counts.

PS: Matt Blaze is a well known crypto and security guru; currently he's at UPenn.  He's not just an eSecurity guru -- he's also an expert safe-cracker and lock picker, as far as I can remember :)  He runs http://www.crypto.com/ and his blog and articles are always interesting...


Matt Blaze on SSL certificates

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.

-- http://www.crypto.com/blog/spycerts/


(git) first time Jon said something I didn't agree with :)

[background: I have a lot of admiration for Jon Corbet, kernel hacker and editor of LWN.  His writing skill, sense of humour, and clarity of thought are legendary in the Linux community]

But in http://lwn.net/Articles/382090 , Jon tried to draw a parallel between two recent heated discussions on LWN -- one in response to SVN's grandiose, disingenuous, borderline-FUDding (against DVCS), "vision" statement (hah!), and one about some UI change that Ubuntu had made.  Jon seemed to be trying to get people to calm down and be a little more mature in their reactions -- a sort of admonishment of their responses perhaps.  Considering that the last such debate I am aware of (Monty trying to steal MySQL back) did not get such a response from Jon, this was interesting.

I don't use or recommend Ubuntu anymore due to its installing Mono by default, so that discussion is out of my radar.  Reading the comments from the perspective of an all-out git fan, however, a few interesting comments stand out:

http://lwn.net/Articles/382459/ -- [...] another difference, is that the complaints about SVN are from people who want it to die and the complaints about Ubuntu are from people who want it be to be great.

http://lwn.net/Articles/382138/ -- Subversion, on the other hand, probably annoyed most people by a vision statement that implied it had a legitimate claim to be superior in those areas, which it doesn't - note that the latter found arguments (large binary blobs, among others) weren't in that statement, but that the claims it did make were at the expense of the "competition". It read like "DVCS: not simple to use, not controlled, don't support centralized work-flows". Of course that annoyed the hell out of DVCS users.  There's more good stuff in that comment, by the way.

http://lwn.net/Articles/382142/ -- The community has always responded rapidly to incorrect information. With the amount of FUD thrown our way from the outside, the responses have gotten faster and stronger. This is a good thing when the people making the false statements are companies like SCO, it's not as good when it's something like the Subversion vision statement. However I don't think that you can get one without the other.

The rest of the comments were details of how to do something or other in DVCSs and so on.  For the record, I have always suggested that folks whose main work product is binary formats like doc/xls/ppt should stick to a VCS that allows mandatory locking, such as VSS.  This holds true for OOo files also, even if they are XML underneath, so the key point is they are difficult to merge if parallel development happens.

I also know that extremely large files do cause a problem for git, and checking out a partial tree is complicated by the SHA calculations being thrown out of gear (although in theory this *is* solvable).


...too late

OK, I'm ready.  Let's go.

No.  You forgot something.


Your smile :)


She was almost always in a temper at her brothers and parents.  I was 16 or 17, the same age as her younger brothers.  But I had two things going for me: I was sane enough to have a conversation with, and I was a cousin who just visited once in a while.

So I could risk her wrath, and say something cheeky or funny.  I could make her smile :)


I never did try and catch up with that smile in later years, even after I moved back to India and to the same city where she lived.  I just never bothered.  I can't explain why.

And now it's too late.


And I realised something today.  I tear up too easily.


99% approval rating for git

according to Martin Fowler anyway: http://martinfowler.com/bliki/VcsSurvey.html

The accompanying subjective article at http://martinfowler.com/bliki/VersionControlTools.html has more nuggets.

  - for all you VSS fans out there: "Before I finish with those behind the threshold, I just want to say a few things about a particularly awful tool: Visual Source Safe, or as I call it: Visual Source Shredder. We see this less often now, thank goodness, but if you are using it we'd strongly suggest you get off it. Now. Not just is it a pain to use, I've heard too many tales of repository corruption to trust it with anything more valuable than foo.txt."

  - the indictment of proprietary tools like clearcase and TFS: "I will, at least for the moment, leave it with the fact that developers I respect have worked extensively with, and do not recommend, these products."

  - on git: "Git certainly seems to be liked for its power. Folks go ga-ga over its near-magical ability to do textual merges automatically and correctly, even in the face of file renames. I haven't seen any objective tests comparing merge capabilities, but the subjective opinion favors git."

  - and the best one: "Our view now is that msysgit is good enough to make comparison with Mercurial a non-issue for Windows."  Amen to that, buddy!


"scripts don't automate well"

enterprisestorageforum, its columnist Drew Robb, and "Mike Karp, an analyst with Ptak Noel and Associates" are now on my blacklist.

Not the one I reserve for arrogant media giants who install rootkits on your computer because you dared to buy an audio CD from them, no...

This is the one reserved for terminally clueless morons :-)

I am only thankful that the offending sentence was in the very first item on that list, saving me the time to read the rest of it.

If you're in a masochist mood, however, you can hit http://www.enterprisestorageforum.com/management/features/article.php/3867506/Top-10-Data-Storage-Technologies-That-Coul

Fwd: Fwd: Bhopal

Dear friends,

Some of you know I've always been against the nuclear deal as well as questioning the motivations, even patriotism (as if bloody politicians ever had any in the first place) of the people at the centre.

There has been an uproar about the way in which a future Bhopal is being almost legitimised, favouring American business over even the safety, leave alone financial security, of Indians.

Whether you go to the Greenpeace link below and add your signature to the petition or not, and how much you are willing to spread the word, is up to you.  But please do not ignore the issue.



top few paras of http://www.deccanchronicle.com/op-ed/liability-bill-nuclear-hara-kiri-610 :

The United Progressive Alliance government deferred the introduction of the controversial Civil Liability for Nuclear Damage Bill, 2010, (CLNDB) in the Lok Sabha on Monday. The aim of this bill is to meet specific American concerns which have arisen post Bhopal gas tragedy, by providing immunity to American nuclear plant suppliers from any victim-related litigation in the event of a major nuclear disaster. The bill transfers the liability, or compensation, to the Indian taxpayer instead. This proposal is risky for several reasons, including the fact that it provides the nuclear reactor manufacturers the option to maximise profits by reducing building and safety standards without fear of prosecution. 

Since Russia and France will supply reactors to India from their government-owned companies, this bill is really meant to cater to the United States where nuclear plants are not only owned and maintained by private companies like Westinghouse and General Electric, but it is the private "operator" and not the private "reactor supplier" who is held accountable for payment (through insurance) in case of a nuclear accident. No American "reactor supplier" would be willing to build nuclear plants in India unless the CLNDB is passed.

The bill is crucial to the operationalisation of the Indo-US nuclear deal, but India is under no international obligation to pass this bill which, in reality, attempts to convert the liability of a foreign reactor supplier (FRS) into a rather pathetic compensation, to be paid by the Indian taxpayer.

Though the bill is America-centric, if passed it will apply equally to reactors supplied by France and Russia for which presumably different, and as yet unpublicised, conditions would have been put in the contracts.

---------- Forwarded message ----------
From: Karuna Raina, Greenpeace India <Greenpeace.india@mailing.greenpeace.org>
Date: Wed, Mar 17, 2010 at 11:41 AM
Subject: Bhopal
To: sitaramc@gmail.com

Click here to sign this petition: "India must hold a public consultation before changing the liability rules for any nuclear accidents caused by U.S. corporations."
Dear Sitaram,

Last week, Prime Minister Singh was ready to introduce the nuclear liability bill, which would let U.S. corporations off the hook for any nuclear accidents in India. But over 50,000 of us signed a petition asking him to hold this bill. Now he's not introducing the bill in this session of parliament after all!

In case of an accident at Indian nuclear plants, U.S. companies would get away by paying a small amount, and Indian tax payers would bear the bulk of the expenses involved. Imagine if this law passes, then we face a disaster even worse than Bhopal.

The bill has only been deferred until the next parliamentary session in a few weeks. Now's the time to increase pressure on the PM to drop this bill.

Can you sign our petition right away?


The petition says: "India must hold a public consultation before changing the liability rules for any nuclear accidents caused by U.S. corporations."

Your signature will be faxed to Dr. Manmohan Singh's office.

As The Times of India reports:

"Isolated over the civil nuclear liability bill, the government was forced to back off in the Lok Sabha on Monday when it decided to defer introducing the legislation in the face of spirited opposition..." [1]

The victims of the Bhopal gas tragedy are still struggling to get their due 25 years later. In spite of this, the government is pushing for this ridiculous bill which violates our right to life.

We cannot allow American companies to reap benefits without any responsibility. Sign the petition now to tell the PM what you want:


Thanks a billion!

Karuna Raina
Nuclear Campaigner
Greenpeace India

1. "Govt backs off on nuclear liability Bill," The Times of India, 15 March 2010



(malware) malware see, malware do

You may have noticed I always classify Microsoft stories as "malware" (not using blogspot's tagging system, but -- when I remember -- in the subject line itself, like in this post).

This is because I consider Microsoft to be the biggest piece of malware floating around.  Mostly legal (although some posts are tagged "criminal" as well; what can I say, a spade is a fscking shovel!).

Now there is proof that the 800-lb legal malware company is inspiring the really illegal malware authors.  Here's an excerpt from http://www.theregister.co.uk/2010/03/12/new_zeus_features/ :

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.


The hardware-based licensing system isn't the only page Zeus creators have borrowed from Microsoft. They've also pushed out multiple flavors of the package that vary in price depending on the capabilities it offers. Just as Windows users can choose between the lower-priced Windows 7 Starter or the more costly Windows 7 Business, bot masters have multiple options for Zeus.


(funny) Rick Moen on forking... an excerpt

The version numbers were a minor problem: The GNU/Linux guys had already reached 5.4.47, while FSF was just hitting 2.0. They probably pondered for about a millisecond asking Stallman to make his next version 6.0 for their benefit. Then they laughed, said "This is Stallman we're talking about, right?", and decided out-stubborning Richard was not a wise idea. So, the convention is that Linux libc version 6.0 is the same as glibc 2.0.


(geek stuff) starving in an elevator

I've always read that an "elevator scheduler has obvious starvation issues", but somehow it was never obvious to me.  I know how an elevator works, and the only time an elevator keeps you waiting is if it's stuck on some floor because someone held the door open or too many people were getting on/off.

I just naturally assumed that the analogy breaks down there; after all, if the disk head stops on a sector, it's a hardware fault so this cannot happen.  Hence the puzzlement about the "obvious" starvation.

Well, duh!  The analogy actually breaks down *much* earlier.  Your average elevator has at most 20 stops.  The largest ones maybe a hundred.  So as long as you keep moving and take short (occasionally longer) stops, you're bound to reach any floor soon enough, relatively speaking.

A 500GB disk effectively has a billion "floors" (a sector is 512 bytes, for now anyway).  If someone decides to do a streaming IO before the head gets to your sector, you're effectively starved until that whole stream is done.  And if that's a multi-gigabyte movie or whatever, you'll be waiting a loooong time!

Oh well, at least now I understand the "long distance bus with an enormous number of request stops" scheduler :)
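To make the "floors" argument concrete, here is a small simulation of an elevator (SCAN) disk scheduler. It is an added example, not code from the original post. It assumes a simplified model: every request costs one time unit to service, seek time is ignored, and the "streaming" reader issues its next sequential sector as soon as the previous one completes, so its requests are always the nearest ones in the head's direction of travel. The optional `deadline` rule is a hypothetical, simplified version of what a deadline-style scheduler does (serve the oldest request once it has waited too long); it is not a model of any particular kernel's implementation.

```python
"""SCAN ("elevator") disk scheduling: why a tiny elevator cannot starve you
for long, but a disk with a billion sectors can."""


def simulate_scan(total_sectors, head, target, stream_start, stream_len,
                  deadline=None):
    """Return how many requests are serviced before the request at `target`.

    - `total_sectors`: size of the "building" (20 floors, or a billion sectors).
    - `head`: where the head/elevator starts, moving upwards.
    - `target`: the sector your single request is waiting on (issued at time 0).
    - `stream_start`, `stream_len`: a sequential streaming reader that issues
      sector n+1 as soon as sector n is serviced (constructed workload).
    - `deadline`: if set, the oldest pending request is serviced once it has
      waited this many time units (a simplified deadline rule, an assumption).
    """
    # pending request -> time it arrived; keys are (owner, sector) so that the
    # stream reading the same sector as you does not merge with your request
    pending = {("you", target): 0}
    stream_end = min(stream_start + stream_len, total_sectors)  # top floor
    nxt = stream_start
    direction, t, served = 1, 0, 0

    def issue_stream():
        nonlocal nxt
        if nxt < stream_end:
            pending[("stream", nxt)] = t
            nxt += 1

    issue_stream()
    while True:
        chosen = None
        if deadline is not None:
            oldest = min(pending, key=pending.get)
            if t - pending[oldest] >= deadline:
                chosen = oldest
        if chosen is None:
            # SCAN: nearest request in the current direction; reverse only when
            # nothing is left ahead of the head
            ahead = [r for r in pending if (r[1] - head) * direction >= 0]
            if not ahead:
                direction = -direction
                ahead = [r for r in pending if (r[1] - head) * direction >= 0]
            chosen = min(ahead, key=lambda r: abs(r[1] - head))
        head = chosen[1]
        t += 1
        del pending[chosen]
        if chosen[0] == "you":
            return served
        served += 1
        issue_stream()


if __name__ == "__main__":
    # Elevator with 20 floors: the stream runs out of floors, you wait at most ~20.
    print("20 floors :", simulate_scan(20, 0, 17, 1, 100))
    # Disk with a million sectors and a 400,000-sector stream between the head
    # and your sector: you wait for the entire stream.
    print("disk      :", simulate_scan(1_000_000, 0, 500_000, 1, 400_000))
    # Same disk, but a deadline rule caps how long the oldest request waits.
    print("w/deadline:", simulate_scan(1_000_000, 0, 500_000, 1, 400_000,
                                       deadline=1000))
```

The two plain SCAN runs show the point of the post: the elevator is bounded by the number of floors, the disk is bounded only by the length of whatever stream happens to sit between the head and your sector. The deadline variant shows the usual mitigation, trading a little throughput for a bound on latency.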


they should, however, see this:



It's no news that the iPhone, the iPod touch, and the forthcoming iPad are closed systems. Reading the Agreement, however, reveals just how closed those systems are, and just how committed Apple is to reversing decades of developers' abilities to publish and market apps as they see fit - not to mention the user's right to load whatever software they want onto devices they have purchased.


[...] even if you follow Apple's directives to the letter, Apple may, in the words of the Agreement, "reject Your Application for distribution for any reason, even if Your Application meets the Documentation and Program Requirements."


The reasoning behind Apple's seeming arbitrariness and demonstrable capriciousness was explained over 30 years ago by comedienne Lily Tomlin when she lampooned "the Phone Company" with a mocking summary of their attitude to customer service: "We don't care. We don't have to."



designing/certifying an encryption algorithm

[sometimes I write emails that are pedagogic enough that I like to blog the main points of them for my future quick reference].

Dear [elided],

Designing a crypto algorithm is not easy.  There's a saying in the crypto world: "anyone can create an algorithm that he himself cannot break".  The point is to design it so that no one else can break it.

Which brings us to certifying someone else's algorithm...  Certifying an encryption algorithm is not easy either.  In fact, it is never done by a single individual, but by a large, public, peer review process.  NIST spent more than 3 years from initial proposal to final selection of AES (see http://csrc.nist.gov/archive/aes/index2.html#overview ).

An honest cryptographer or a conscientious security analyst will refuse to design or certify any crypto algorithm on his personal say-so.  That's just not the way things work in the crypto world.  If you want to know how many facets there are to actual cryptanalysis, and how much deep mathematics is involved in doing a good job of analysing a cipher, skim through section 6 of http://www.schneier.com/paper-self-study.pdf .  Once that has suitably scared you, read section 7 ("Conclusion", page 15) properly.  It's just 2 paras :-)

A better-known page, for someone wanting to become a cryptographer, is http://www.schneier.com/crypto-gram-9910.html#SoYouWanttobeaCryptographer

And finally, I just love this one: http://www.schneier.com/crypto-gram-9902.html#snakeoil!

Now, I realise that all 3 of my referenced links come from the same guy, but that's Bruce Schneier -- he writes well, and is willing to descend to the level of mere mortals like you and me to say what he needs to say in a way that we can understand it!

To come back to your problem, therefore, I'd be more comfortable trying my damnedest to fit TEA (or XTEA, or XXTEA) into the platform you're constrained to use, than try to design a new algorithm that is smaller than those *and* is secure enough for me (or TCS) to stand behind it.
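Since the email's conclusion is "fit XTEA rather than invent something smaller", here is XTEA itself, as an added example that is not part of the original email. It follows the published Wheeler/Needham description (64-bit block, 128-bit key, 32 cycles of two Feistel rounds each) in plain Python, with the 32-bit wraparound of the reference C code done by masking. The byte order used to load words (big-endian) and the helper names are my choices. What the listing also shows is how little code a vetted cipher costs: the part that is hard is not the size, it is the public analysis behind it, and note the caveat in the comments that a raw block cipher still needs a mode of operation and an authentication tag before it is a usable scheme.

```python
"""XTEA block cipher (Wheeler & Needham), as a pure-Python reference.

This is the raw 64-bit block primitive only.  Encrypting real data also needs
a mode of operation (e.g. CTR) and a MAC; using the block function directly on
each 8-byte chunk (ECB) leaks equal-block patterns and is not a secure scheme.
"""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9          # the golden-ratio constant used by TEA/XTEA
ROUNDS = 32                 # 32 cycles = 64 Feistel rounds, the standard choice


def _key_words(key):
    if len(key) != 16:
        raise ValueError("XTEA needs a 128-bit (16-byte) key")
    return struct.unpack(">4I", key)   # big-endian word order is our choice


def xtea_encrypt_block(key, block, rounds=ROUNDS):
    """Encrypt one 8-byte block; returns 8 bytes."""
    if len(block) != 8:
        raise ValueError("XTEA block is 8 bytes")
    k = _key_words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        # masking at the end reproduces uint32 wraparound of the C reference
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key, block, rounds=ROUNDS):
    """Inverse of xtea_encrypt_block: run the same rounds backwards."""
    if len(block) != 8:
        raise ValueError("XTEA block is 8 bytes")
    k = _key_words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def roundtrip_ok(key, block):
    """True if decrypt(encrypt(block)) gives the block back (sanity check)."""
    return xtea_decrypt_block(key, xtea_encrypt_block(key, block)) == block


if __name__ == "__main__":
    # constructed sample key and block, not secrets from anywhere
    key = bytes(range(16))
    block = b"TEA-test"
    ct = xtea_encrypt_block(key, block)
    print("ciphertext:", ct.hex())
    print("roundtrip :", roundtrip_ok(key, block))
    # flipping one key bit changes the whole block (avalanche)
    key2 = bytes([key[0] ^ 1]) + key[1:]
    print("1-bit key change ->", xtea_encrypt_block(key2, block).hex())
```

The usual sanity check when fitting a cipher onto a constrained platform is the all-zero key and all-zero plaintext vector (ciphertext words 0xDEE9D4D8 0xF7131ED9 for 32 cycles), plus a roundtrip on random blocks; an implementation that passes those but uses the block function in ECB mode is still not something anyone should stand behind.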