<h1>The Wilfox Blogs On</h1>
<code>for thought in head:
    blog(thought)</code>
<h1>Ridiculous unusable download URLs for open source projects</h1>
<p>awilfox, 2018-09-08</p>
<p>I told myself (and everyone I know) that I wouldn't write another blog post until I moved the blog off Google Blogger, but I can't stay silent on this issue.</p>
<p><a href="https://upower.freedesktop.org/">UPower</a>, the open source power management software used on Linux (and I believe the *BSD family), has recently changed their download URLs. As the lead of Adélie Linux, I personally maintain a significant chunk of "core" desktop experience packages. We consider UPower to be one of those, because it is important to conserve energy whenever possible.</p>
<p>Today I was notified by <a href="https://repology.org/">Repology</a> that UPower was out of date in Adélie. No big deal, I'll just bump it:</p>
<code>
>>> upower: Fetching https://upower.freedesktop.org/releases/upower-0.99.8.tar.xz
curl: (22) The requested URL returned error: 404 Not Found
</code>
<p>"Hmm", I wondered to myself, "maybe this is a git snapshot package someone uploaded". It turns out it wasn't; Debian, Arch, and Fedora are all shipping 0.99.8 now. What gives?</p>
<p>I looked at <a href="https://salsa.debian.org/utopia-team/upower/commit/922fe64597f1236761ca38f5b22a5c907f7e1c7a">Debian's packaging first</a>, since they typically have a good hold on stability. I didn't even understand the change, though, so I looked up <a href="https://git.exherbo.org/summer/packages/sys-apps/upower/index.html">Exherbo's packaging</a> and was horrified.</p>
<p>Instead of a simple URL, they are now using a GitLab Upload URL which contains an SHA-1 hash <strong><em>in the URL</em></strong>. That means all of our bump scripts can't work any more. Instead of simply typing a single <code>abump</code> command, for every release of UPower I will now have to:</p>
<ol>
<li>Open their GitLab instance in a Web browser, which isn't even installed on any of the staging computers to minimise security hazards;</li>
<li>Wait for all the JavaScript and miscellaneous crap to load;</li>
<li>Context-click the link for the UPower tarball;</li>
<li>Copy the link;</li>
<li>Connect to our staging system remotely from a computer with a Web browser installed;</li>
<li>Open vim on the APKBUILD file for UPower;</li>
<li>Paste the link into the source= line, replacing what is already there;</li>
<li>And then run <code>abuild checksum</code> manually to update the sha512sum in the file.</li>
</ol>
<p>WHY!? fd.o people, <strong>please</strong>, out of respect for us packagers that want to give your software to the people who need it, <em>please use your /releases/ directory again</em>!</p>
<h1>Poorly-worded codes of conduct</h1>
<p>awilfox, 2018-02-19</p>
<p>Below is the actual text (minus personally identifying information) that I have sent to the FreeBSD team for consideration.</p>
<pre>
To: conduct@freebsd.org
From: A. Wilcox
Subject: Violation
Date: Mon, 19 Feb 2018 22:20:21 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
Hello FreeBSD team,
My name:
A. Wilcox
[alt emails redacted]
Names of those involved:
A. Wilcox
IRC nicks: [redacted]
When and where the incident occurred:
2014-2016 on IRC, possibly 2017 in email traffic
Your account of what occurred:
I hugged a great many people. Some were group hugs of celebration (we
fixed a bug! *hugs*). Some were hugs of consolation, like the loss of
a loved one. Some were hugs to and from those I had not communicated
with in a great number of years.
There may have been some on mailing lists as well. I am not very sure,
as that is not typically something I do on mailing lists (it is more of
a live / chat thing), but it is possible. Likely, even, if you include
private traffic between me and some of the regulars that used to hang
out together all the time.
Any extra context:
This CoC is demeaning and insensitive to people like me who have
emotional disabilities and need to give and receive hugs (at least
virtually) to feel better, and has a chilling effect on discussion due
to poorly defined word choices.
For instance: why does it only ban "gratuitous" sexual images, but
typing a hug is an immediate violation?
Are truthful comments between two people that care that maybe they
should live a healthier lifestyle "unwelcome"? I had a very long and
blunt talk with someone on IRC about their drug use, and they are now
years sober partially due to that "unwelcome" discussion.
In addition, making so many explicit bullet-points invites rule
lawyering, trolling about what is and is not a rule violation, and
leaves so many things up to interpretation as to be unhelpful.
I wish to be banned from this community so I am not tempted to
contribute to it again, as the CoC is <em>almost</em> as toxic as the behaviour
it is trying to prevent.
Is the incident ongoing:
Until the CoC is rewritten; yes.
Any other information you should have:
Yes, better CoCs that are not offensive, insensitive, demoralising, or
demeaning:
* <a href="https://www.djangoproject.com/conduct/">https://www.djangoproject.com/conduct/</a>
* <a href="https://www.alpinelinux.org/community/code-of-conduct.html">https://www.alpinelinux.org/community/code-of-conduct.html</a>
Sincerely,
--arw
--
A. Wilcox (awilfox)
</pre>
<h1>Identity, shame, stigma, and intolerance</h1>
<p>awilfox, 2017-10-28</p>
<p>I have seen a great number of people in the past few years disavow being a part of a culture or community that they once enjoyed or identified with due to an influx of sexism, nationalism, or other intolerance. I feel like this is a mistake and will only serve to strengthen intolerance amongst the masses, and this is what I'd like to write about and discuss today.</p>
<p>Virtually every person alive on Earth has at least <i>some</i> groups with which they identify. This could be a certain interest or hobby, ranging from music to photography to hiking and beyond. This could be their gender, male, female, or <a href="http://science.sciencemag.org/content/304/5673/965" title="The Wide Spectrum of Sex and Gender [Jolly, 2004]">other</a>. This could be a favourite pastime, whether that is sports, video games, or visiting museums. This list could go on for paragraphs and paragraphs. There are the fanatical and obsessive – just search your favourite social media platform for "Game of Thrones" for some decent examples. There are the truly interested and passionate – one of my favourite examples of this is <a href="https://www.youtube.com/user/phreakindee" title="LGR on YouTube">Lazy Game Reviews</a>, a channel on YouTube with enjoyably thorough reviews of old games and computer systems. There are all kinds of people and all kinds of ways to enjoy being part of a group or having an identity that is shared with others. This is typically a very healthy and normal thing for us social creatures.</p>
<p>In the past few years, political discourse <a href="http://www.people-press.org/2017/10/24/political-typology-reveals-deep-fissures-on-the-right-and-left" title="Beyond Red and Blue: 2017 Political Typology Report">has moved towards the more extreme</a>. This has pervaded everyday communication in a way that had not yet been seen in the Millennial generation. The Millennials, in my experience, are generally some of the most open-minded people; however, this leads to a darker side. Just as most Millennials are open-minded towards acceptance of so-called "non-traditional" lifestyles and viewpoints ranging from economics to sex to religion and beyond, some Millennials are open-minded towards violent rhetoric, nationalism, anarchy, and intolerance.</p>
<p>This has sent a great number of the first sort of Millennials running scared from groups and identities that they would otherwise enjoy, because they do not want to be seen as supportive of these views that they feel are regressive. Unfortunately, this may indeed backfire on the ones that want to see the regression stop; when the tolerant leave, the intolerant remain. Let us look at <a href="https://www.splcenter.org/20170118/google-and-miseducation-dylann-roof" title="Google and the Miseducation of Dylann Roof">the Southern Poverty Law Center's report</a> on the horrific 2015 church massacre in Charleston, S.C. for an example. The summary: a young man who was raised to respect all people found a series of blogs and Web sites condemning a race, and was so moved by it that he committed a mass murder of that race. How did these blogs and Web sites, written specifically to influence young minds to become hateful and enraged to the point of violence, end up so highly ranked by a search engine?</p>
<p>One answer is that there are so many communities today overrun with people who legitimately believe in the hate and intolerance spread in such writings. This is in part due to the mass exodus of more tolerant people from those communities. As more people put shame and stigma on something as simple as <a href="https://www.cnet.com/news/gamergate-to-trump-how-video-game-culture-blew-everything-up/" title="GamerGate to Trump: How Video Game Culture Blew Everything Up">playing video games</a> – the media claims that video games somehow led sick and twisted Internet trolls to threaten rape and murder to women – less people want to admit to being gamers. This causes a vicious cycle, as the ones left stating they are gamers are the ones who are intolerant. This leads to a form of normalisation of the idea of intolerance amongst gamers; it's no longer out of the ordinary to think that anyone who enjoys video games might also enjoy threatening or committing violence towards other groups in real life. Couple this with the fact that teenagers have loved, do love, and will continue to love playing video games. Teenagers also want desperately to fit in with groups, to feel a part of something bigger. If they feel that people who enjoy video games should also hate women, that is what they will begin to do.</p>
<p>This could apply to any number of groups. Many secular people in the United States look down at religious people as being "backwards" or "traditionalist", when the truth of the matter is well over 60% of Catholics and Protestants <a href="http://www.pewforum.org/fact-sheet/changing-attitudes-on-gay-marriage/">support gay marriage and homosexuality</a>. Many people view country music as regressive while <a href="http://www.metrolyrics.com/drunk-americans-lyrics-toby-keith.html" title="Drunk Americans by Toby Keith [Universal, 2014]">attitudes, they are a-shifting</a>. The stigma of being a gamer, or religious, or listening to country music comes not from any endemic intolerance, but from the tolerant people from these groups being too ashamed to admit their membership.</p>
<p>The most powerful statement that tolerant people can make in the groups they identify with is the very statement that they are tolerant and identify with said group. Don't erase your group identities to avoid being identified as intolerant. Show your group identity and tolerance; say out loud that you respect all your fellow humans <i>and</i> enjoy what you enjoy. This is the true path towards acceptance and togetherness.</p>
<h1>Fixing the laptop I broke</h1>
<p>awilfox, 2017-10-07</p>
<p>Sometimes things happen that you don't expect. It can be anything: a power failure during a system upgrade, or maybe a careless <code>chmod 644 /usr/lib/libc.so</code> — in my case, it was the latter (tab completion failure).</p>
<p>Training yourself on the proper way to respond to unexpected failures is the key to recovering from them without pain or further data loss. When I realised my gaffe, the first thing I thought was: How do I <code>chmod</code> it back without the ability to run <code>chmod</code>?</p>
<h2>Static-linked rescue binaries are a must-have</h2>
<p>The first thing I learned from this experience is that having a set of static-linked rescue binaries somewhere on your system can help in a lot of unexpected situations. We're going to be adding a <kbd>busybox-static</kbd> package to Adélie Linux just for such an occasion, and we may put it in the base system depending on community feedback. If I had a static busybox in, say, <kbd>/var/recovery</kbd> or such a path, this would have been a ten second fix rather than a few hour fix.</p>
<h2>Embrace the system</h2>
<p>After a few other attempts, I realised I could drop to assembler. Long ago, I spent my days writing assembler for system-level code. Since assembler is by design writing "below" C, you are not using the C runtime. Theoretically, you should be able to perform the same tasks as any utility on the system as long as there's a matching system call for it. And by luck, there is a single syscall: SYS_chmod. The following is x86_64 assembler for Linux to chmod /usr/lib/libc.so back to 755 (executable for all users):</p>
<code>
.globl _start
_start:
    mov $90,%rax    /* SYS_chmod */
    mov $str,%rdi   /* const char *filename */
    mov $493,%rsi   /* mode_t mode: 0755 in decimal */
    syscall         /* do it! */
    mov $60,%rax    /* SYS_exit */
    syscall         /* bye */
str: .ascii "/usr/lib/libc.so\0"
</code>
<p>Then it was a matter of <code>as -o fixit.o fixit.S; ld -o fixit fixit.o; strip fixit</code> to generate a 440-byte binary file that would solve my issue. The next issue was transferring it to the laptop. I tried to use bash's /dev/tcp; unfortunately, it does not support binary file transfer without something like <code>cat</code> or <code>dd</code>. Since I could only use the shell, I did what I had not done in over a decade: <code>echo -n</code> followed by the escape codes. Since a lot of the binary was still padding, I omitted the last 200 or so bytes. The output of the echo command needed to be redirected to a binary that was already executable (otherwise the file created would not have execute permission!), so I chose one I probably wouldn't need urgently: <kbd>neon-config</kbd>, a configuration utility for a library I installed for tinkering. The full shell transcript is <a href="http://foxkit.us/linux/literally-magic.txt">in my misc Linux directory</a>. This worked! And my laptop ran again...</p>
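<p>The escape-code transfer described above can be generated instead of typed by hand. The following is an added example, not part of the original post or its transcript: it turns a binary into commands for the shell's <code>printf</code> builtin using octal escapes. The function name <code>emit_printf_script</code> and the choice of <code>printf</code> rather than <code>echo -n</code> are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example (not from the original post).
# Run emit_printf_script on a healthy machine, then paste its output into the
# shell that is still open on the broken one. The pasted commands use only the
# printf builtin and redirection, so they work while cat, dd and chmod cannot
# be started.

# emit_printf_script SRC DEST
#   SRC  - binary to transfer (for example the 440-byte fixit from the post)
#   DEST - path on the broken machine. Choose a file that is ALREADY
#          executable: ">" truncates an existing file but keeps its mode bits.
#          DEST must not contain a single quote.
emit_printf_script() {
    src=$1
    dest=$2
    op='>'                      # first chunk truncates, later chunks append
    # -An  : no offset column
    # -v   : never collapse repeated lines into "*" (padding would be lost)
    # -to1 : one 3-digit octal number per byte; the fixed width keeps a
    #        following digit from being read as part of the escape
    od -An -v -to1 "$src" | while read -r octets; do
        [ -n "$octets" ] || continue
        esc=''
        for o in $octets; do
            esc="$esc\\$o"      # 177 -> \177
        done
        # %s does not interpret the backslashes, so they reach the output
        # script intact and are decoded by printf on the broken machine.
        printf "printf '%s' %s '%s'\n" "$esc" "$op" "$dest"
        op='>>'
    done
}

# Stand-alone use: ./emit.sh fixit /usr/bin/neon-config > paste-me.txt
if [ "$#" -eq 2 ]; then
    emit_printf_script "$1" "$2"
fi
```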
<p>As I said in the opening of this little musing: I could have made things a lot worse and lost all my open unsaved data by turning off the computer and trying to recover using media. Additionally, that computer is very picky about booting off external media, so that would have wasted even more time. Sometimes all you need is ingenuity and experience, and the only way to acquire either one is by messing about and poking at stuff! Happy hacking.</p>
<h1>Configuring a more secure password hash for OpenLDAP</h1>
<p>awilfox, 2017-01-12</p>
<p>While working on the Galapagos infrastructure, we ran into an interesting issue: using passwd(1) as an LDAP user would cause it to add another password instead of modifying it. Setting up the slapo-ppolicy(5) overlay then caused passwd(1) to fail with:</p>
<pre>
password change failed: Password policy only allows one password value
passwd: Authentication token manipulation error
passwd: password unchanged
</pre>
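<p>An added check (not from the original post) for the misconfiguration behind this error, which the paragraph below explains: it reads an LDIF dump of <code>cn=config</code> and reports which entry carries <code>olcPasswordHash</code> and <code>olcPasswordCryptSaltFormat</code>. The function names, the sample LDIF and the <code>{CRYPT}</code> / <code>$6$%.16s</code> values are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Sample entries are constructed.

# check_password_hash_placement [FILE]
# Reads an LDIF dump of the config database (for example from `slapcat -n 0`)
# from FILE or stdin. Exit status is 0 only if olcPasswordHash is set on the
# frontend database and neither attribute sits on the wrong entry.
check_password_hash_placement() {
    awk '
    function flush(    low) {
        if (buf == "") return
        low = tolower(buf)              # attribute names are case-insensitive
        if (low ~ /^dn:/) {
            dn = low
            sub(/^dn:[ \t]*/, "", dn)
            gsub(/[ \t]*,[ \t]*/, ",", dn)
        } else if (low ~ /^olcpasswordhash:/) {
            if (dn == frontend) { ok = 1; print "ok: " buf " under " dn }
            else { bad = 1; print "misplaced: olcPasswordHash under " dn ", move to " frontend }
        } else if (low ~ /^olcpasswordcryptsaltformat:/) {
            if (dn == "cn=config") print "ok: " buf " under " dn
            else { bad = 1; print "misplaced: olcPasswordCryptSaltFormat under " dn ", move to cn=config" }
        }
        buf = ""
    }
    BEGIN { frontend = "olcdatabase={-1}frontend,cn=config" }
    /^#/  { next }                                      # LDIF comment
    /^ /  { buf = buf substr($0, 2); next }             # folded continuation
          { flush(); buf = $0; if ($0 == "") dn = "" }  # blank line ends entry
    END   {
        flush()
        if (!ok) { bad = 1; print "missing: olcPasswordHash is not set under " frontend }
        exit (bad ? 1 : 0)
    }
    ' "${1:--}"
}

# Constructed sample: hash scheme set on the root entry, where the post found
# it is accepted but does not take effect.
sample_bad_ldif() {
    cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%.16s

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
EOF
}

# Constructed sample: corrected layout. The folded dn line and the lower-case
# attribute name exercise the LDIF handling in the checker.
sample_good_ldif() {
    cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordCryptSaltFormat: $6$%.16s

dn: olcDatabase={-1}frontend,
 cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcpasswordhash: {CRYPT}
EOF
}

echo "== root-entry layout =="
sample_bad_ldif | check_password_hash_placement || echo "=> needs fixing"
echo "== frontend layout =="
sample_good_ldif | check_password_hash_placement && echo "=> placement is correct"
```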
<p>After consulting the #openldap channel on Freenode, the problem turned out to be that although OpenLDAP allows you to set <code>olcPasswordHash</code> on the root <code>cn=config</code> node, it does not work correctly when set there; it must be set under <code>olcDatabase={-1}frontend,cn=config</code>. Note, however, that <code>olcPasswordCryptSaltFormat</code> <em>does</em> belong in <code>cn=config</code> directly.</p>
<h1>Configuring Apache 2.4 to serve GitLab over TLS / HTTPS</h1>
<p>awilfox, 2017-01-08</p>
<p>As part of my work assisting in the set up of the infrastructure for <a href="https://glpgs.io/">Galapagos Linux</a>, I volunteered to install and configure GitLab. My colleagues had attempted to use the Debian Omnibus package, but that failed in spectacular ways, including references to directories in the configuration that did not exist after package installation.</p>
<p>The most important piece of advice I can give is that you <b>absolutely must use Bundler v1.10.6</b> or older<sup><a href="http://stackoverflow.com/a/34281354/640296">[1]</a></sup> to ensure that you do not receive Gemfile.lock errors. You will also need to <a href="https://code.foxkit.us/snippets/15">make a small modification to the Gemfile and Gemfile.lock file</a> to ensure that libv8 is present if you wish to precompile the assets.</p>
<p>Now, for the Apache configuration. Note that I assume you have enabled <code>https</code> in GitLab's <code>config/gitlab.yml</code> and set <code>port: 443</code>. You will need to set a forwarding request header<sup><a href="http://stackoverflow.com/a/31593406/640296">[2]</a></sup> to ensure that GitLab does not throw CSRF authentication errors. Also, if you want to use the recommended Unix sockets of Unicorn, you will need to configure the ProxyPass and ProxyPassReverse to use unix:/path/to/socket|http://HOSTNAME (thanks, Xayto!) - the full VirtualHost for GitLab goes something like this:</p>
<pre>
<VirtualHost *:443>
    ServerName git.glpgs.io
    ServerAlias code.glpgs.io
    ProxyPass / unix:/home/git/gitlab/tmp/sockets/gitlab.socket|http://git.glpgs.io/
    ProxyPassReverse / unix:/home/git/gitlab/tmp/sockets/gitlab.socket|http://git.glpgs.io/
    SSLEngine on
    SSLCertificateFile /path-to-certificate.crt
    SSLCertificateKeyFile /path-to-key.key
    SSLCertificateChainFile /path-to-ca-chain.crt
    Header always set Strict-Transport-Security "max-age=15768000"
    RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>

<VirtualHost *:80>
    ServerName git.glpgs.io
    Redirect permanent / https://git.glpgs.io/
</VirtualHost>
</pre>
<p>Additionally, I recommend that you follow <a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Mozilla MozWiki's great TLS advice</a> or use their <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/">super handy, easy config generator</a> as a global configuration that applies to all of your VirtualHosts. On Debian, you can pop that in to <code>/etc/apache2/mods-available/ssl.conf</code>, replacing the parameters they already specify.</p>
<p>Happy hacking!</p>
<h1>Ah, wonderful health hazards</h1>
<p>awilfox, 2016-12-21</p>
<p>I can't tell what has been overall worse for my health in the past few weeks. The bathroom connected to my home office directly sits over the complex's "laundromat station". This did not use to bother me. In fact, I was quite okay with this, because it means I have the closest walking distance of any of my neighbours to it. However, for the past two or three weeks, I can smell — from the office, mind — a very strong odour of laundry detergent every time someone does a load. Turns out a lot of people do loads in the 18:00 to 21:00 time slot on weekdays, which happens to be when I am at my most productive in my office. I cannot imagine this is at all healthy for me.</p>
<p>But then I remember I've spent every day since Saturday spending multiple hours trying to set up OpenLDAP for a <a href="https://glpgs.io/">new project</a>. I've always just used Active Directory on the server-side, so my only experience thus far with OpenLDAP has been client-side. It's a great client library with easy configuration and a great debug mode that will tell you exactly what is happening and what is going wrong. Unfortunately, the server part, at least on Debian, uses "dynamic configuration" which means everything is in LDAP.</p>
<p>Now, look, LDIF and LDAP are fine and great for phone book-style records. It makes perfect sense. That is what it was designed to do. <a href="http://www.openldap.org/lists/openldap-technical/201306/msg00068.html">Storing regexp in ASN.1 BER is pushing it</a>. But the way they do HDB/MDB grouping feels to me like trying to fit in with all those cool kids with their NoSQL and their MapReduce and their <strike>terrible</strike> terribly-great performance by using "shards" everywhere. And our leader wants replication so that it's fault tolerant. Now I get to convert <a href="http://www.openldap.org/doc/admin24/replication.html">decades-old documentation</a> about an "enterprise" feature to this "dynamic configuration" thing. I cannot imagine this is at all healthy for me.</p>
<h1>Configuring OpenLDAP to authenticate using X.509 client certificates</h1>
<p>awilfox, 2016-12-21</p>
<p>This is not meant to be a comprehensive guide by any means, but information on the Web for configuring OpenLDAP to authenticate using X.509 client certificates is lacking. And in some cases, over a decade old! It took me hours to find the documentation I needed, but only minutes to see it working once I had the correct "recipe".</p>
<p>You should probably be running your own Certificate Authority for the purpose of generating client certificates, especially since you need one per user. You can lock it up tightly and only use it for the purposes of LDAP if you like. You can also use a certificate vendor like Thawte or GeoTrust or Comodo. Make sure you pick just one, though, because you will configure OpenLDAP to trust only that single CA to sign all the relevant client certificates. (This ensures that nobody can come in with a forged certificate signed by another vendor, or a self-signed one.)</p>
<p>The <a href="https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls" title="OpenLDAP Server: TLS">Ubuntu guide on making a CA</a> is pretty decent, though unfortunately it uses the inferior GnuTLS package. That's okay, because we are only using it for OpenLDAP. And actually, you can't use OpenSSL generated certificates on Debian's OpenLDAP because they patched it in such a way that the certificates cannot be read. (There are conflicting reports on whether this bug was <a href="https://wiki.debian.org/LDAP/OpenLDAPSetup#Configuring_LDAPS">fixed or not</a> upstream.) Note that you definitely want to set a higher <code>expiration_days</code> than the default 365! 10 or even 15 years isn't unheard of, which is 5475 days if you were wondering.</p>
<p>Once you have either created your CA, or decided on a vendor, you may begin configuring OpenLDAP. Replace <code>authority.pem</code> with the file name for your CA's root certificate, and <code>ldap_cert.pem</code> and <code>ldap_key.pem</code> for the server certificate and its private key. Note that the server certificate must have the FQDN of the LDAP server as its only CN. It may have a wildcard as a subjectAltName (or SAN) but the FQDN (normally something like ldap01.myproject.org) must be the CN.</p>
<h2>With <code>slapd.conf</code></h2>
<pre>
TLSCACertificateFile /etc/ssl/certs/authority.pem
TLSCertificateFile /etc/ssl/certs/ldap_cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap_key.pem
TLSVerifyCert try
</pre>
<h2>With Dynamic Configuration, aka <code>cn=config</code>, aka "OLC"/on-line configuration, aka ...</h2>
<pre>
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/authority.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_key.pem
-
add: olcTLSVerifyCert
olcTLSVerifyCert: try
</pre>
<p>Note that if you receive an error such as:</p>
<pre>ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: </pre>
<p>then you most likely forgot the <code>olcTLSVerifyCert</code> like I did the first time :) Note that there is nothing printed after "no mechanism available: ". That was the hardest part to debug! Hopefully this can help a few people out.</p>
<p>Also note that for client certificates to work correctly, the DN of the X.509 certificate must exactly match the DN of the LDAP object. If you cannot meet that requirement, you will need to look at authz-regexp: for cn=config, see <a href="http://www.openldap.org/lists/openldap-technical/201306/msg00070.html" title="Re: olcAuthzRegexp and SASL">this mailing list posting</a>, and for standard configuration see <a href="http://www.openldap.org/doc/admin24/sasl.html">the documentation</a>. Note that I was unsuccessful in making this seemingly-useful feature work, but you may have better luck than I did.</p>
<h2>References</h2>
<ul>
<li><a href="https://networknerd.wordpress.com/2008/10/26/configuring-openldap-for-client-certificate-authentication/">Configuring OpenLDAP for Client Certificate Authentication, The Moose and Squirrel Files</a></li>
<li><a href="http://www.zytrax.com/books/ldap/ch6/slapd-config.html">OpenLDAP using OLC (cn=config), Zytrax LDAP</a></li>
<li><a href="http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml">Kerberos, GSSAPI, and SASL Authentication using LDAP</a>: useful tips on ACLs for root DSE</li>
<li><a href="https://linux.die.net/man/5/ldif">ldif(5) man page</a>: always useful to have for cn=config</li>
<li><a href="http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=summary">The Source Code</a>: sometimes you just have to see what's going on inside</li>
<li><a href="http://www.gnutls.org/manual/html_node/certtool-Invocation.html">GnuTLS certtool man page</a>: for template format to make the CA cert much better than the Ubuntu guide suggested</li>
</ul>
<h1>Let's Encrypt and why I still pay for TLS certificates</h1>
<p>awilfox, 2016-12-14</p>
<p>I am asked with alarming regularity why I am not using Let's Encrypt for my personal Web sites, and for <a href="http://blog.adelielinux.org/">Adélie</a>'s site, and for my <a href="https://tambrastudios.com/">mother's art gallery</a> site, and so on. "Why do you pay money for something you could have for free? And then you aren't giving money to those evil CAs!"</p>
<p>TLS certificates are still very much "you get what you pay for". Let's Encrypt is free, and on paper it seems to be a great solution with roots in freedom and socialism. However, it has a number of large issues in practice that prevent me from being able to adopt it.</p>
<p>The first, and most evident, is the failure of the community to provide a single ACME client that is well-supported and provides configuration options. As of this writing, there are <b>49 different client implementations</b> on the <a href="https://letsencrypt.org/docs/client-options/">official site</a>. The problems with them are as numerous as the offerings; my main complaint is that most of them require themselves to run as the root user to automatically write to sensitive certificate files that are owned by the Web server user and are chmod 400.</p>
<p>The second large issue I've seen is that most of these 'automatic updates' break. This can be due to administrator error - and since there is not one single option, there cannot be a single repository of knowledge. This can also be due to APIs or endpoints changing. I have seen an official Mozilla blog and Void Linux's repository broken in the last week alone, all by botched ACME cron jobs. This solution is sold as "set and forget", but it requires <i>more</i> effort than simply going to a site every year and inputting a CSR and privkey.</p>
<p>Other issues with Let's Encrypt include: Let's Encrypt lacks a "site seal" which is very important on e-commerce sites to foster user trust. Let's Encrypt does not provide OV (let alone EV), which also compromises trust in people who know what to look for.</p>
<p>All in all, I think going forward Let's Encrypt may be suitable for power users and people who run TLS servers off their home servers. It may even be suitable for some personal sites and blogs. But I don't think it is a long-term solution for people who need trust, or those who have a complicated infrastructure (such as a distro, like Adélie).</p>
<h1>Trump and change</h1>
<p>awilfox, 2016-11-09</p>
<p>The ball is in your court now, American Republicans.</p>
<p>I normally avoid politics and other controversial topics on my blog, because I have always felt it is important to keep my audience focused on the technical. Our common ground is unifying and allows us to look past our differences and learn from one another. I feared that if I started talking about politics, people would look at me differently, and I'd lose some of that audience. They wouldn't trust me and I wouldn't be able to enrich their lives.</p>
<p>I feel like that part of life in America is over now. President-Elect Donald Trump talks outlandishly, without filter or censor. People love him, people hate him, people think he's a joke, people think he's the best non-politician the political world has ever seen. As for myself, I'm somewhere between; but if I have learned a single thing from Mr Trump, it is that the world will not end if you speak up and say what is really on your mind. And perhaps this is a good kind of change. Without open discussion, we can't ever heal the divisiveness that permeates the entire country's political landscape, and indeed, the entire world's. There is a not-too-distant past where the words 'conservative' and 'liberal' were words that describe someone's political views, and were not used as slurs or to denigrate someone. Perhaps now that the precedent has been set, we can have open and honest discussions with one another. I'm not sure if that is where we are headed or not. I can only hope that we can learn to be respectful of each other's differences.</p>
<p>Mr Trump has said some things I agree with; per <a href="https://isidewith.com/">I Side With</a>, I agree with almost 40% of his policies. It's not perfect, but it isn't exactly a disaster either. (For full disclosure, I only had just over 70% of agreement with Clinton.) He has also said a great deal of very offensive things. He has said things that have made some of my friends sick, depressed, and suicidal now that he has become President Elect of the United States. I urge these people especially to remember that first and foremost, Mr Trump is a showman. He knows how to pull in ratings, and was a reality television star. He may think less of Muslims than he should, but I don't think he will actually have every last one deported back to their homelands — especially since some of them were born and raised in the United States. He may think far less of women than he should, but that thinking is common in men from his generation. His objectification of women and misogyny is of course never acceptable, but women have had much worse oppressors than he ever could be.</p>
<p>I have friends of many classes. I have friends who are very well off — the typical Silicon Valley millionaire. I have friends who are destitute and live pay stub to pay stub, and would likely go homeless if they had even a small hiccup in work. I have friends who are in minority classes: African-American people, transgendered people, people with disabilities. We are all Americans. We all deserve a place in general society. Our society is built on the <b>fact</b>, not opinion, that everyone is created equal. There is room in the United States for the rich and poor, and the different races and religions that comprise this great country. No matter who won the United States election this year, our society has been broken, is broken, and will remain broken until it is healed.</p>
<p>Republicans, Democrats, Libertarians, Greens, other party members, independents, and even those disillusioned with the political system as a whole: society will only begin to be fully inclusive when we all learn to love each other. We have to work together. We have to stand up for what we believe in. Conflicting interests only break people into hate when they do not bend to compromise. I plan on writing letters to my state Senator, who is a Republican, and telling him my concerns going forward. I will have my voice heard. My Senator will, of course, have to balance my voice with others in our great state of Oklahoma. But together, I feel that we can find common ground and be able to find peace and happiness no matter what our political views.</p>
<p>Mr Trump. You promised to make America great again. If you can set an example with moderation and fairness, balancing differing viewpoints to create a clear path forward, you just may be able to succeed. I did not vote for you, but I still wish to work with you to create a common good for all of the United States.</p>
<p>Posted by awilfox. Location: Tulsa, OK, USA.</p>
<h1>Blogging in general, and a new project</h1>
<p>Published 2016-08-06T04:02:00.000-07:00; updated 2016-08-06T04:02:13.988-07:00.</p>
<p>It's been a long time since I wrote here. In the past few months, I have moved across the country, and helped four other people do the same. It is exhausting and tiring but so rewarding to improve not only my own life but the lives of others by sharing in new experiences.</p>
<p>Enough of that, though. I am starting up a new <a href="http://adelielinux.org/">Linux distribution</a>, titled Adélie Linux, aimed at being very fast, very small, and fully POSIX® compliant. It's almost meeting those three goals! Going forward, I think I will be starting a new blog specifically about my adventures with Adélie, which will probably take up a considerable amount of my writing time. This blog will stay around, though, not only for memories past but for non-Adélie related things in my life. I am still interested in Python, writing emulators, music, and other general geekiness; I just now have a new project that is taking up a large amount of my free time.</p>
<p>Posted by awilfox.</p>
<h1>Going IPv6 native without IPv4</h1>
<p>Published 2016-05-26T17:16:00.000-07:00; updated 2016-05-26T17:21:40.208-07:00.</p>
<p>Now that I have finally moved in to my new apartment (which requires a long blog of its own), I have new routing equipment and a new network infrastructure. The native IPv6 on Cox Communications seems to be a bit better than the native IPv6 offered by Comcast Business; namely, Cox seems to be peered more widely and therefore ping times are much lower. Of course, this could be specific to the market I'm in - eastern Oklahoma - so YMMV.</p>
<p>However, because DHCP is a terrible protocol, it is constantly flaking, leaving me with IPv6-only access to the Internet. That is, no access to IPv4 whatsoever. Surprisingly, it's nearly usable. However, I am <i>highly</i> disappointed in a few surprises I've found that do <u>not</u> work over IPv6:</p>
<ul>
<li><b><a href="https://github.com">EVERY</a> <a href="https://bitbucket.org">SINGLE</a> <a href="https://sourceforge.net">CODE</a> <a href="https://gitlab.com">HOSTING</a> <a href="https://savannah.nongnu.org/">SERVICE</a> <a href="https://code.launchpad.net/">ON</a> <a href="https://www.codeplex.com/">THE</a> <a href="https://alioth.debian.org/">INTERNET</a></b>. This really, really, really, <b>really</b> upsets me. Luckily, I don't have to care any more, because <a href="https://code.foxkit.us/">I run my own</a> now.</li>
<li>DuckDuckGo. I am incredulous that a modern search engine is not accessible over IPv6.</li>
<li>eBay and PayPal. This isn't really surprising, I suppose, since eBay were running Windows NT 4 as recently as 2006... they always have been a decade off of the current technologies.</li>
<li>Any news Web site I tried: Bloomberg, BBC, New York Times, Washington Post.</li>
<li>The <a href="https://meta.stackexchange.com/questions/21592/would-it-be-possible-for-stack-overflow-to-be-accessible-over-ipv6">entire StackExchange family of properties, five YEARS after being asked for even a trial of IPv6 access</a>. This is entirely unacceptable. I expect news organisations and e-commerce conglomerates to be woefully behind the times, but a company designed from the ground up for computer scientists by computer scientists? I can't believe this is real.</li>
<li>Weather.gov. The US government actually has an IPv6 project with <a href="http://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov">real time online completion progress</a>, even available itself via IPv6; however, while NOAA's flashy Web 3.0 marketing pages are available over IPv6, the important research, life-saving data, and forecast information made by the National Weather Service are entirely IPv4-only. I understand that internally, their infrastructure is not entirely ready for IPv6, but they should be able to run the main radar and warning information over IPv6 at least. Americans need not feel singled out, though; the UK's Met Office is also unavailable over IPv6.</li>
</ul>
<p>At least Wikipedia and the Google properties are usable, so I have music, videos, and a reference library.</p>
<p>Posted by awilfox.</p>
<h1>How trans-people are really people, like all of us</h1>
<p>Published 2016-01-20T22:15:00.000-08:00; updated 2016-01-20T22:15:41.901-08:00.</p>
<p>Having spent a considerable and unfortunate amount of time around bigoted
people, I came to a rather interesting train of thought that I want to
share widely.</p>
<p>Let me start by asking you a simple question: would you treat a woman
differently based on whether or not she had an appendectomy performed?
What about a man who was born with six toes; would it change your opinion
of him whether or not he had it removed? For the vast majority of people,
and even the bigoted crowd that inspired this train of thought, the answer
would be a resounding no: who are we to judge someone based on a corrective
procedure they had to repair a defect with their body?</p>
<p>Okay, now here's a similar and still simple question: would you treat a
woman differently based on whether or not she had her penis removed?</p>
<p>"Stop," I hear some of you calling. "That is a completely separate subject,"
you ration. Why?</p>
<p>What makes the correction of a birth defect involving sex organs any different
from correcting birth defects or ailments with any <i>other</i> organ?
Are we, as a culture and society, so hyperfocused on sexuality that we can't
accept some people have congenital genital defects?</p>
<p>I have begun to wonder why trans equality and trans rights are even being
discussed or even exist; that is like stating we need kidney failure equality
or diabetic rights. They are all life-long conditions, involve a part of
the body being defective, and often require surgery. What is so offensive,
so different, so awful about a person having incorrect sex organs? The fault
lies with those people who 'other' people who suffer from transsexuality,
labelling them and saying they are different or somehow less of a person
due to a birth defect.</p>
<p>There have been numerous studies that have proven beyond a reasonable doubt
that the brain can develop independently of primary sex organs, and that the
brain can and does sometimes end up with the wiring of the gender opposite
that with which a person is born. It is not a "mental disorder" in that
there is no psychological problem; the brain is that of a man or woman,
in a woman or man's body. Why should it matter what organs they have?</p>
<p>You can argue that reproduction is a factor, and you may even be right
for a few years; but there are numerous research programmes being done as
you read this to find a way to reproduction for people with all manner of
reproductive organ troubles. Transsexuality is a subset of that; but some
women are born without ovaries, some men are born with undescended testes,
and so on. Why should we treat people who were born with the wrong set of
organs any different from people born with any other problem?</p>
<p>The way I see it, the labelling itself - the fact that people who have
this condition are considered a different kind of person - is the problem.
It is a medical disorder akin to spina bifida or cleft palate, not a
label or category of people. I would be hard-pressed to find anyone who
would discriminate against a person for having cleft palate; after all,
it isn't their fault, they were <i>born</i> that way. Why should we treat
transsexuals any differently?</p>
<p>To a final point, some may also claim that you must have the surgery
performed to count as a "true" transsexual. This belief is wrong for a
number of reasons. In the same way some people cannot have cleft palate
corrected - their body may not be capable of undergoing surgery; they may be
allergic to anaesthesia; they may not be able to afford the cost of surgery;
and in some communities where healthcare is not readily accessible, they
may not even know that a treatment even exists. The same factors can apply
to a man with a vagina or a woman with a penis. Some of these people are
still able to use hormonal therapy (also known as HRT) to correct at least
some of their attributes to more correctly fit with their gender and feel
better, while others are unable to obtain even that small amount of help.
Instead of ostracising them, we should be embracing them. We must begin
to acknowledge that we as a society should be caring for those who have real,
physical ailments instead of antagonising them.</p>
<p>After all, wouldn't you want compassion if you had a birth defect? What about
a birth defect that perhaps even persisted in to adulthood or even beyond?
Open your heart and mind, and show your fellow people dignity and respect.</p>
<p>Posted by awilfox.</p>
<h1>Time moves too quickly</h1>
<p>Published 2015-12-19T19:17:00.003-08:00; updated 2015-12-19T19:17:26.872-08:00.</p>
<p>I have many things to blog about and ideas in my queue - a few half-written drafts and one almost finished final copy. But none of that is important right now.</p>
<p>I'm incredibly late in finding this out, perhaps a side-effect of spending the last two months of my life packing to move to a much better, happier place than where I live now. It was reason enough to drop off of some of the places I frequent, I thought, because it's not like the same people won't be there when I have finished my move.</p>
<p>But I've just learned that <a href="http://puzzling.org/life/2015/11/remembering-telsa-gwynne/" title="Remembering Telsa Gwynne">Telsa Gwynne has died</a>. Possibly not a whole lot of people who read my blog will know her, but she was quite active in the open-source community when I was growing up. I loved to read her "<a href="http://zeniv.linux.org.uk/~telsa/Diary/diary.html">diary entries</a>", what today we would call a blog. It was during a re-read of her diary last year that I became inspired to create this blog, and indeed, my musing posts are basically my own version of it. It is directly as a result of her writing that this blog exists, and that I have been able to help others whether it be in FreeBSD, Gentoo, Python, or elsewhere. I am grateful to her and I am quite sorry that I never was able to tell her about it. I had considered it, at one time, but felt it would be silly, especially since I am not very well known yet outside of some FreeBSD circles. Who am I to bother someone whom I greatly respect, with a silly story of a small blog? Regret does not begin to express the emotions I feel from not telling her anyway.</p>
<p>Fare thee well, Telsa. I did not know you personally, but your writing style would betray that in my heart and mind, and those of many like me. You may have been removed from the open source communities you were once a large part of, but your legacy lives on, and will always live on. Your perseverance inspired me. And I give all of my deepest condolences to your family and friends, who will surely miss you more than I ever could.</p>
<p>Posted by awilfox.</p>
<h1>Web browsers, music players, workarounds, and PulseAudio</h1>
<p>Published 2015-11-28T14:00:00.000-08:00; updated 2015-11-28T14:00:32.038-08:00.</p>
<p>As security researchers have discovered <a href="http://www.postandcourier.com/article/20151122/PC05/151129883" title="Chrome's V8 JavaScript engine has major security flaw">yet another horrible security bug in Chrome</a>, and Google <a href="http://www.zdnet.com/article/chrome-zero-day-flaw-places-millions-of-smartphone-users-at-risk/" title="Chrome 0day places millions of users at risk">yet again decides to put off fixing it</a>, I decided to finally give up Chrome entirely. I had dwindled down my usage of it from primary browser in 2009; to secondary browser for Flash and videos in 2013; and finally using it solely for streaming Google Play Music and Spotify, along with the occasional site compatibility test for my work, in 2015. Firefox's inspector tools and Firebug are good enough, and I have a Mac running Safari if I need a WebKit test, so I decided it was no longer important to test on Chrome. That left the issue of music streaming.</p>
<h2><a href="https://www.youtube.com/watch?v=FB6x9auLX3Q" title="Scandalous - Cobra Starship">Can't handle it, can't handle it</a></h2>
<p>Google Play Music, however, has a fatal flaw. It is a mess of terrible "one page" JavaScript. After only a few hours of music streaming, it had already leaked 150 MB(!) worth of orphan DOM nodes, and 282 MB(!!!!) worth of uncollectable JavaScript objects. This basically means it created buttons, links, and so on, and didn't properly remove them when it was done, so that memory is leaked out and I would have to restart Firefox to get that memory back. Restarting Firefox multiple times a day is not an option for me.</p>
<p>What's worse is that one of Firefox's best and most unknown features was also making my life worse. Every 10 seconds, it scans its memory to see if any of it can be reclaimed, to make sure that it does not use too much memory. Since Google Play Music's interface had leaked <b>so much</b> memory, the scan was taking about 2 seconds - during which the browser became completely unresponsive. That means that for about 20% of the entire time it was open, it was unresponsive (frozen, locked, etc), all because Google has no idea how to write JavaScript.</p>
<p>My mother (bless her soul, she's openly embraced Debian) suggested I try Rekonq, but it could not even load Google Play Music's user interface. I also tried Opera Classic (pre-Blink), and it too could not load Google Play Music. At this point I am very upset at Google; why did you write such a cluster#*$@ of terrible code instead of writing a simple multi-page player like YouTube? YouTube does not suffer from <i>any</i> of these issues, and is a Google product!* Anyway, my next goal was to see what I could do for streaming music that did not require a Web browser.</p>
<p><small>* I am aware that YouTube <i>has</i> a single-page mode, but I found a way to disable it except while using playlists. It works great and does not leak half a gigabyte of memory.</small></p>
<h2><a href="https://www.youtube.com/watch?v=gnVEG_waiqg" title="All My Life - Foo Fighters">Done, done, and I'm on to the next one</a></h2>
<p>It turns out that Google Play Music has no official API and no non-browser clients. Even Spotify has unofficial ones that are of questionable quality and legality, but Google has done a very good job of making their API so hard to use that nobody bothers to even try with them. (Future project idea.)</p>
<p>Then I realised their Android app is pretty reliable and certainly better than having my browser locked for 20% of the time it's open. However, I still need to be able to hear other things on my computer (if someone links me to a video or presentation, for instance), and I don't want to have to keep flipping back and forth between my phone and desktop.</p>
<p>My work-provided desktop did not come with a sound card (even though we use sound a lot internally...), so I am using a USB <a href="http://alsa.opensrc.org/Griffin_iMic">Griffin iMic</a> as my sound "card". It works fantastically in Linux/ALSA, but one thing I could not figure out was how to make it play line in as a monitor (i.e. playthrough, listening to line in/mic with headphones/out, whatever you like to call it). Thankfully, I found a very helpful <a href="https://thelinuxexperiment.com/pulseaudio-monitoring-your-line-in-interface/" title="PulseAudio: Monitoring your line in interface">blog post about this very issue</a>, and a solution involving PulseAudio: <code>pactl load-module module-loopback</code> was all it took to listen to crystal-clear, low-latency, glorious Nexus audio on my desktop!</p>
<h2>Final thoughts</h2>
<ul>
<li>While it certainly is great that PulseAudio offers the same great passthrough functionality that OS X had since Jaguar (and lost in Mavericks), they really need to document PulseAudio modules better.</li>
<li>Google needs to rethink making their music player in one page JavaScript. A native app would be amazing and make me a much happier catfox.</li>
<li>It just feels like... if Google hadn't royally screwed up Chrome, and they hadn't royally screwed up their music player, then hours of my life would have been saved because then I would not have <i>had</i> to learn how to monitor line in within Linux. It was interesting learning all this, but I still have this feeling that it should be entirely unnecessary, and like this is a very unclean workaround for what amounts to "Google is terrible at writing code".</li>
</ul>
<p>Oh well, at least Android 6.0 is good. (For now.)</p>
<p>Posted by awilfox.</p>
<h1>The Joys of Unix Programming: MAP_ANON(YMOUS)</h1>
<p>Published 2015-09-04T16:31:00.000-07:00; updated 2015-09-04T16:45:45.828-07:00.</p>
<p>I was trying to do a little late-night hacking last night on <a href="https://code.foxkit.us/emulators/supergameherm/">SuperGameHerm</a>, the Game Boy emulator my friends and I are writing, and I hit an error in the memory mapper. Specifically, certain OSes that used to be named after cats don't like calling mmap on /dev/zero (neither does Android). I thought it was odd that it was falling back to that code in the first place, though, because Apple's Mac OS X — I mean, certain cat themed OS — has always supported <code>MAP_ANON</code>, and I confirmed that by going to <code>man mmap</code> on a Mac.</p>
<p>What was going on? I dug deeper and saw <code>MAP_ANON</code> was guarded in sys/mman.h, so CMake wasn't finding it and it was instead compiling our fallback code. And so I started digging up other issues related to big endian machines and realised that I had only tested OS X and FreeBSD on big endian, and <i>never</i> tested OS X or FreeBSD on little endian. Such was my big mistake.</p>
<p>This is a comprehensive guide to How to Make <code>MAP_ANON</code>(YMOUS) Visible, for every OS I could find information on:</p>
<h2>Mac OS X</h2>
<p><strong>On 10.3 and below</strong>, this is easy; it's always there! It is not guarded by any #ifdef.</p>
<p><strong>On 10.5 and above</strong>, it is slightly harder; you must define <code>_DARWIN_C_SOURCE</code> to cause <code>MAP_ANON</code> to be visible in a public scope.</p>
<p><strong>On 10.4 only</strong>, it's much harder! It is only protected by <code>#ifndef _POSIX_C_SOURCE</code>, so to use <code>MAP_ANON</code> against the 10.4 SDK, you must <strong>completely undefine</strong> <code>_POSIX_C_SOURCE</code>. You don't have any other choice.</p>
<p>I suppose that means my overall advice then is to use the 10.5 SDK no matter what, if you have a Leopard computer handy, because it can target as low as 10.0. Otherwise, use the Panther SDK included with Tiger's Xcode Tools. Don't ever use Tiger's SDK if you want <code>MAP_ANON</code>.</p>
<h2>FreeBSD</h2>
<p>Before 5.0, it's always visible, just as in OS X 10.3. There are no preprocessor options to show or hide <code>MAP_ANON</code>.</p>
<p>On 5.0 or above, the <strong>only</strong> way to cause <code>MAP_ANON</code> to be visible is to define <code>__BSD_VISIBLE</code> somewhere. Undefining <code>_POSIX_C_SOURCE</code> won't save you here.</p>
<h2>Other BSDs (NetBSD, OpenBSD, DragonFly BSD)</h2>
<p>It's never guarded. <code>MAP_ANON</code> is always available.</p>
<h2>Solaris</h2>
<p>I could only get my hands on OpenSolaris, but considering the header having a copyright date of 1989 (by AT&T), I can't imagine it's any different on Real Solaris (or Oracle Solaris). There are no guards here, either; that's to be expected since they invented the damn thing.</p>
<h2>Linux</h2>
<p>glibc: <strong>I don't understand /usr/include/bits in the slightest.</strong> It seems to be always available no matter what options I toss to <code>clang</code>, but it is guarded by... <code>__USE_MISC</code>? I presume this is some sort of feature macro buried deep in glibc that I don't care about or understand.</p>
<p>musl: It's always available, at least on 1.1.11 which is what I have on my test box.</p>
<p>Android: After searching through their spaghetti of includes to get to the actual file that defines constants, it appears they are all <a href="https://android.googlesource.com/platform/bionic/+/master/libc/kernel/uapi/asm-generic/mman-common.h">completely unguarded</a>, though that isn't surprising since it is Linux and embedded.</p>
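<p>The per-OS rules above, collected into one translation unit as an added example (this is not SuperGameHerm's code). It defines the visibility macros the post names before any system header, plus <code>_DEFAULT_SOURCE</code>, which is what turns on <code>__USE_MISC</code> in glibc 2.19 and later, and it keeps a <code>/dev/zero</code> fallback for builds where the flag still is not visible. The names <code>anon_map</code>, <code>anon_map_check</code> and <code>enum anon_method</code> are hypothetical.</p>

```c
/* Added example, not from the original post or from SuperGameHerm.
 * Feature-test macros only work if defined before the first system header. */
#ifndef _DARWIN_C_SOURCE
#define _DARWIN_C_SOURCE 1 /* Mac OS X 10.5 and above, per the post */
#endif
#ifndef __BSD_VISIBLE
#define __BSD_VISIBLE 1    /* FreeBSD 5.0 and above, per the post */
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1  /* glibc 2.19+: enables __USE_MISC */
#endif

#include <stddef.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* Some headers only provide the long spelling. */
#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Hypothetical names: which path produced the mapping. */
enum anon_method { ANON_NONE = 0, ANON_FLAG = 1, ANON_DEV_ZERO = 2 };

/* Returns zero-filled private read/write memory, or NULL on failure. */
void *anon_map(size_t len, enum anon_method *how)
{
    void *p;
    int fd;

    *how = ANON_NONE;
    if (len == 0)
        return NULL;
#ifdef MAP_ANON
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p != MAP_FAILED) { /* mmap signals failure with MAP_FAILED, not NULL */
        *how = ANON_FLAG;
        return p;
    }
#endif
    /* Fallback for headers that hide the flag; the post notes this path
     * fails on Mac OS X and Android, so callers must handle NULL. */
    fd = open("/dev/zero", O_RDWR);
    if (fd < 0)
        return NULL;
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd); /* the mapping stays valid after the descriptor is closed */
    if (p == MAP_FAILED)
        return NULL;
    *how = ANON_DEV_ZERO;
    return p;
}

/* Maps len bytes, verifies they are zero-filled and writable, unmaps.
 * Returns the method used, or ANON_NONE if any step failed. */
int anon_map_check(size_t len)
{
    enum anon_method how;
    unsigned char *p;
    size_t i;
    int ok = 1;

    p = anon_map(len, &how);
    if (p == NULL)
        return ANON_NONE;
    for (i = 0; i < len; i++)
        if (p[i] != 0)
            ok = 0;
    p[0] = 0xA5;
    p[len - 1] = 0x5A;
    if (p[0] != 0xA5 || p[len - 1] != 0x5A)
        ok = 0;
    if (munmap(p, len) != 0)
        ok = 0;
    return ok ? (int)how : ANON_NONE;
}

int main(void)
{
    int how = anon_map_check(65536);
    printf("anonymous mapping via %s\n",
           how == ANON_FLAG ? "MAP_ANON" :
           how == ANON_DEV_ZERO ? "/dev/zero" : "nothing (failed)");
    return how == ANON_NONE;
}
```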
<h2>In conclusion</h2>
<p>Perhaps it's best to avoid anonymous <code>mmap(2)</code> in applications that you want to actually be portable.</p>
<p>Posted by awilfox.</p>
<h1>Musings: More Python 3 compat, Project Sunrise, InspIRCd modules and Portage</h1>
<p>Published 2015-07-28T06:01:00.000-07:00; updated 2015-07-28T06:01:05.721-07:00.</p>
<p>Some good news: as I eix-sync'd this morning, I noticed that <code>dev-python/ndg-httpsclient</code> and <code>dev-python/ipaddress</code> now have Python 3 compatibility. That means two of the packages I had thought had no chance of being upgraded actually have been. As for my own efforts, I have been very busy with work and musl support patches lately, but I have been looking at fixing up the htop package next.</p>
<p>I've found <a href="https://wiki.gentoo.org/wiki/Project:Sunrise">Project Sunrise</a>, a way for me to be able to contribute ebuilds to Gentoo in hopes of someday getting them in the master Portage repository. I'm hoping to add a few Python libraries first, then moving up to packaging <a href="https://github.com/supergameherm/supergameherm">SuperGameHerm</a> and <a href="https://github.com/Elizafox/PyIRC">PyIRC</a> once they've matured enough to be useable by external users.</p>
<p>While testing PyIRC, I needed to be able to use a few modules that are not a part of InspIRCd's main package. Since Portage didn't allow any way of including them in the installed package, I simply checked out the source code package, ran modulemanager to add the modules, then built only those modules. I copied them to the <code>/usr/lib64/inspircd/modules</code> directory and added them to modules.conf, and voila! Now I can do more IRCv3.2 testing.</p>
<p>Posted by awilfox.</p>
<h1>Foxtoo: Gentoo + musl C library on 100MHz Pentium laptop</h1>
<p>Published 2015-07-14T19:23:00.000-07:00; updated 2015-07-14T19:23:04.236-07:00.</p>
<p>I haven't yet finished up writing all the content I want to write about the process needed to get this working, but I do have a little teaser picture to share:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjGBzDsZWq_xz90m-BnPI_O92GdShpQpuMYGsbhyphenhyphenOREX2X6KVYlUd2PhSOvx26JFZvXTK59G9wIUmLisLHeVln8Rlcr1_K9rjjCKPjUCAzKLVLSGaIcLI5qX1lcAqBgZiR7ul_RCNRUGBZ/s1600/IMAG2009.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjGBzDsZWq_xz90m-BnPI_O92GdShpQpuMYGsbhyphenhyphenOREX2X6KVYlUd2PhSOvx26JFZvXTK59G9wIUmLisLHeVln8Rlcr1_K9rjjCKPjUCAzKLVLSGaIcLI5qX1lcAqBgZiR7ul_RCNRUGBZ/s400/IMAG2009.jpg" /></a></div>
<p>That is a Compaq LTE 5150 with a 100MHz Pentium CPU and 40 MB EDO RAM running Gentoo Linux! The kernel version is 4.2-rc1 (because I'm an incorrigible ricer), it was all built with GCC 4.9.3 and it is using the venerable musl C library instead of glibc. Boot up takes only about 15 seconds off the 5400 RPM laptop IDE disk, and once booted, the minimal kernel I have + bash use only about 3 MB of the 40 MB total.</p>
<p>It may not seem like a very useful thing to have done, but I had a lot of fun building it up, and I've ended up finding and closing various bugs in everything from procps to the kernel itself. So I feel that not only has this been a fun personal project across two weekends, but it has been productive for the entire community :)</p>
<p>Posted by awilfox.</p>
<h1>Python 2 -> 3 upgrade: status update</h1>
<p>Published 2015-07-05T12:55:00.000-07:00; updated 2015-07-05T12:55:27.721-07:00.</p>
<p>This is a small update on my <a href="http://blog.foxkit.us/2015/06/removing-python-27-from-gentoo-one-port.html">bringing packages in Gentoo to Python 3</a>.</p>
<p>I haven't had time to contribute as much to this effort as I had hoped, but I have successfully finished with two packages and the patches are now in the hands of upstream maintainers. I've been toying with the <a href="http://www.musl-libc.org/">musl C library</a> as an alternative to glibc (and I'll be posting about my experiences with that later), which has distracted me a bit from Python 3 work.</p>
<dl>
<dt>app-misc/ca-certificates</dt>
<dd>Required a bit of effort. <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789753">Debian #789753</a> filed. Maintainer seems happy enough with it, but it's not in master yet.</dd>
<dt>dev-libs/evdev</dt>
<dd>This was simple enough; libevdev has had upstream support for Python 3 since 2013. <a href="https://bugs.gentoo.org/show_bug.cgi?id=553110">Gentoo #553110</a> filed with a patch to update the ebuild accordingly. No response as of post time.</dd>
</dl>
<p>Posted by awilfox.</p>
<h1>Musings: SSH key types, PayPal API documentation, and more</h1>
<p>Published 2015-06-23T21:48:00.001-07:00; updated 2015-06-23T22:03:00.801-07:00.</p>
<p>I have a few random musings to arf about today.</p>
<p>Sleep is miserable. I don't know why I even bother pretending to have a schedule to myself. Between work demands, personal issues, and the fact that I tend to favour going to sleep around the 05:00 hour naturally, it's impossible. Sure, I can hold a "normal person" schedule indefinitely... if I have no external factors. But my life is <b>full</b> of external factors that make it impossible. And there are some people in my life that try and make me feel guilty for not being able to hold a schedule. It feels miserable.</p>
<p>In other news, PayPal's API documentation for their SetExpressCheckout call lies. They say the xsi:type for the SolutionType is "ebl:SolutionTypeType", but I found out the hard way that passing that as the type causes a SOAP Fault (and leaks the API password and signature out in the error message)! The only way I can find to do it properly is to set xmlns="urn:ebay:apis:eBLBaseComponents" on the SolutionType node and then set xsi:type="SolutionTypeType" (no ebl: namespace). Then the API accepts it fine. Who knows why their systems do what they do.</p>
<p>I investigated making a new SSH key that would be stronger than my current one. Unfortunately, it doesn't seem I really have a choice in the matter. The only common denominator is RSA, as shown in this matrix:</p>
<style type="text/css">
td.keytype { font-weight: bolder; }
td.yes { background: darkgreen; color: white; }
td.no { background: darkred; color: white; }
</style>
<table>
<thead>
<tr><td>Key Type</td><td>Mac OS X</td><td>NetBSD</td><td>Debian</td></tr>
</thead>
<tbody>
<tr>
<td class="keytype">RSA</td>
<td class="yes">Yes</td>
<td class="yes">Yes</td>
<td class="yes">Yes</td>
</tr>
<tr>
<td class="keytype">DSA</td>
<td class="yes">Yes</td>
<td class="yes">Yes</td>
<td class="yes">Yes</td>
</tr>
<tr>
<td class="keytype">ed25519</td>
<td class="no">No</td>
<td class="no">No</td>
<td class="no">No</td>
</tr>
<tr>
<td class="keytype">ECDSA</td>
<td class="no">No</td>
<td class="yes">Yes</td>
<td class="yes">Yes</td>
</tr>
</tbody>
<tfoot>
<tr>
<td>SSH Version / OS Version</td>
<td>5.6 / 10.8.5</td>
<td>5.9 / 6.1.5/i386</td>
<td>6.0 / 8.0 "Jessie"</td>
</tr>
</tfoot>
</table>
<p>Note that the following systems supported <i>all</i> listed key types:</p>
<ul>
<li>Gentoo 20150623</li>
<li>FreeBSD 10.1</li>
<li>OpenBSD 5.6</li>
<li>Alpine Linux 3.2</li>
<li>Windows 2000</li>
</ul>
<p>Truly a sad day when a 16 year old Windows OS has more SSH key types available (via mingw) than Mac OS X, NetBSD, and Debian <i>combined</i>. Looks like I'm sticking with RSA keys for the foreseeable future.</p>
<p>Posted by awilfox.</p>
<h1>Removing Python 2.7 from Gentoo, one port at a time.</h1>
<p>Published 2015-06-21T03:09:00.002-07:00; updated 2015-06-21T03:09:27.575-07:00.</p>
<p>I'm highly motivated, as a Pythonista who loves Python 3 and all of the new features, syntax, and improvements, to help the rest of the community upgrade to Python 3 and enjoy all of its benefits.</p>
<p>To that end, I would like to end the dependence of Python 2 in the general community. Since I feel I am a fairly average power user of Gentoo, I figured I would start with the packages on my own system, and this is what I found:</p>
<pre>
dev-lang/python-2.7.10 pulled in by:
app-emulation/qemu-2.3.0-r2
app-emulation/virtualbox-4.3.28
app-misc/ca-certificates-20141019.3.19
app-text/gnome-doc-utils-0.20.10-r1
dev-lang/spidermonkey-1.8.5-r4
dev-lang/spidermonkey-17.0.0-r3
dev-lang/spidermonkey-24.2.0-r2
dev-lang/yasm-1.3.0
dev-libs/glib-2.44.1
dev-libs/gobject-introspection-1.44.0
dev-libs/libevdev-1.4
dev-libs/libgamin-0.1.10-r5
dev-libs/libnatspec-0.2.6-r1
dev-libs/libxslt-1.1.28-r4
dev-libs/protobuf-2.6.1-r3
dev-libs/zziplib-0.13.62
dev-python/google-apputils-0.4.0
dev-python/ipaddress-1.0.7
dev-python/librsvg-python-2.32.0-r1
dev-python/m2crypto-0.22.3-r3
dev-python/ndg-httpsclient-0.3.2
dev-python/pygobject-2.28.6-r55
dev-python/pygoocanvas-0.14.1-r1
dev-python/python-gflags-2.0
dev-python/twisted-core-15.2.1
dev-python/wxpython-3.0.2.0
dev-util/boost-build-1.56.0
dev-util/scons-2.3.4
dev-vcs/git-2.4.3
dev-vcs/mercurial-3.4.1
games-emulation/m64py-0.2.1-r1
gnome-base/gconf-3.2.6-r3
gnome-base/libglade-2.6.4-r2
kde-apps/kajongg-4.14.3
kde-base/krosspython-4.14.3
kde-base/plasma-workspace-4.11.20
media-gfx/gimp-2.8.14
media-libs/alsa-lib-1.0.29
media-libs/avidemux-plugins-2.6.8
media-libs/libcaca-0.99_beta19
media-libs/libgpod-0.8.3
media-video/openshot-1.4.3
net-analyzer/nmap-6.49_beta1
net-dns/avahi-0.6.31-r7
net-libs/farstream-0.1.2-r2
net-libs/gupnp-0.20.14
net-libs/libproxy-0.4.11-r2
net-print/cups-2.0.2-r2
net-wireless/crda-3.18
sys-apps/usbutils-008-r1
sys-devel/llvm-3.5.2
sys-process/audit-2.4.1-r1
sys-process/htop-1.0.3
www-client/firefox-38.0.1
x11-libs/xpyb-1.3.1-r3
x11-plugins/purple-plugin_pack-2.7.0-r1
</pre>
<p>Not terrible for a world that has 1,277 packages. Now, we can wipe some of those off:</p>
<dl>
<dt>dev-lang/spidermonkey, www-client/firefox</dt>
<dd>The Mozilla build system...</dd>
<dt>dev-libs/protobuf, dev-python/google-apputils, dev-python/ipaddress, dev-python/python-gflags-2.0</dt>
<dd>I can't make Google care about Python 3. I'm just a lone fox.</dd>
<dt>dev-python/ndg-httpsclient</dt>
<dd>This is apparently only pulled in because I have 2.7 compatibility enabled on other packages, and it also appears abandoned upstream.</dd>
<dt>dev-python/m2crypto</dt>
<dd>All but deprecated upstream. dev-python/cryptography pretty cleanly replaces it. I simply need to change dependencies to use that instead.</dd>
<dt>dev-python/twisted-*</dt>
<dd>The Twisted project is large, and already has a Python 3 objective. No need to worry about that until later, since they have others working on it.</dd>
<dt>dev-python/wxpython</dt>
<dd>They, too, are working on an official Python 3 port already. I've even used it; though it is ridiculously unstable, there has been a lot of progress made.</dd>
<dt>dev-util/scons</dt>
<dd>As of August 2014, they are officially porting to Python 3. Same as Twisted, then.</dd>
<dt>dev-vcs/mercurial</dt>
<dd>This is a very large codebase with a lot of issues related to 2->3. Not something one fox can help with either, I'm afraid.</dd>
<dt>any gnome package</dt>
<dd>Not really interested in contributing to the ever-dying and unmaintained GTK 2, and <i>definitely</i> not interested in contributing to the abomination of GTK 3.</dd>
<dt>KDE 4</dt>
<dd>As KDE 5 nears stability, this will become less and less maintained, so it probably isn't worth it either.</dd>
<dt>net-print/cups, sys-devel/llvm</dt>
<dd>I doubt there is any hope of getting Python 3 code into Apple projects, since they seem to enjoy clinging to <a href="http://stackoverflow.com/q/12902220/640296">1990-era development tech</a> :(</dd>
</dl>
<p>After doing some sorting to show the order I'd like to work on these, this leaves us with:</p>
<pre>
app-misc/ca-certificates-20141019.3.19
app-emulation/virtualbox-4.3.28
dev-libs/libevdev-1.4
media-libs/libcaca-0.99_beta19
media-libs/libgpod-0.8.3
media-libs/alsa-lib-1.0.29
dev-libs/libxslt-1.1.28-r4
net-wireless/crda-3.18
dev-vcs/git-2.4.3
sys-apps/usbutils-008-r1
dev-lang/yasm-1.3.0
x11-plugins/purple-plugin_pack-2.7.0-r1
sys-process/audit-2.4.1-r1
net-dns/avahi-0.6.31-r7
sys-process/htop-1.0.3
games-emulation/m64py-0.2.1-r1
net-libs/libproxy-0.4.11-r2
dev-libs/zziplib-0.13.62
dev-libs/libnatspec-0.2.6-r1
app-emulation/qemu-2.3.0-r2
net-analyzer/nmap-6.49_beta1
dev-util/boost-build-1.56.0
media-video/openshot-1.4.3
media-libs/avidemux-plugins-2.6.8
x11-libs/xpyb-1.3.1-r3
</pre>
<p>I would really like to do at least one per week, but there are no guarantees of course. Wish me luck!</p>
<h1>Linux 4.1 kernel: Finally, a movement in the upwards direction</h1>
<p>awilfox, published 2015-06-16T20:31:00.004-07:00, updated 2015-06-21T03:10:20.395-07:00</p>
<p>No musings yesterday because I was having quite a time getting Linux to play well. I spent yesterday configuring the rest of the kernel until around 21:00, when I started searching for and applying all the patches I wanted. Found a small bug in <a href="https://gitweb.gentoo.org/proj/linux-patches.git/tree/5000_enable-additional-cpu-optimizations-for-gcc.patch?h=4.0">the CPU optimisation patch that Gentoo uses</a> (via <a href="https://www.grsecurity.net/~spender/cpuopt.patch">grsecurity</a>); namely, it doesn't enable P6_NOP for anything higher than a Core 2. I manually edited the patch and applied it.</p>
<p>I built the kernel, ran <code># emerge @module-rebuild</code>, signed the newly built modules, and rebooted into my new system... Or I would have, if it had been able to read the init RAM disk. Doing the Apple EFI dance to switch between 3.18 to rebuild and 4.1 to test was not my idea of a good time, but after a while, I found the issue. There's something broken somewhere and it would not read XZ-compressed ones. I used my fallback algorithm, LZO (chosen because it's free and very fast), and it booted right up. Only now, I couldn't start KDE.</p>
<p>Typically, I start KDE by using <code>$ X_SESSION=KDE-4 startx</code>; I don't use KDM or XDM because I regularly test breaking changes to i915 that may cause X to hardlock, rendering my laptop useless. This time, however, it complained 'xterm: command not found'. Unsure why it was trying to load xterm, I checked around and I found no answer. I still haven't figured this out. The workaround I'm using is <code>$ XINITRC=/etc/X11/Sessions/KDE-4 xinit</code> which acts the same as the old command, only it's longer and less readable.</p>
<p>Then I had a world of i915 bugs that I will omit from my blog mainly because they were mostly configuration errors and the ones that weren't were resolved by re-merging <code>media-libs/mesa</code>.</p>
<p>After all of that was over, I checked on my wireless chip. Lo and behold, for the first time since I've started using draft-n wireless networking on Linux in 2009, it was actually associating successfully to a 5GHz 802.11n AP! The speed is only 150mbit/s; the chip supports 300mbit, so I am not sure why that is, but I am still happy to be finally untethered from my Ethernet cord!</p>
<h2>Some benchmarks.</h2>
<p><strong>Running <code>emerge -1 openssl</code></strong></p>
<table>
<thead>
<tr><td>Kernel / Sched</td><td>Wall Time</td><td>System Time</td></tr>
</thead>
<tbody>
<tr><td>3.18 / CFQ</td><td>5m 3s</td><td>59s</td></tr>
<tr><td>4.1 / CFQ</td><td>4m 57s</td><td>55s</td></tr>
<tr><td>4.1 / BFQ</td><td>4m 53s</td><td>52s</td></tr>
</tbody>
</table>
<p>That's a pretty nice win for BFQ, and a huge improvement over 3.18. Note this is all on the same hardware, on a fresh boot, with nothing in fscache.</p>
<p><strong>Playing 720p MPEG-4 video in VLC</strong></p>
<table>
<thead>
<tr><td>Kernel</td><td>On-Die Temperature</td><td>CPU % used</td></tr>
</thead>
<tbody>
<tr><td>3.18</td><td>71° C</td><td>31.2%</td></tr>
<tr><td>4.1</td><td>63° C</td><td>46.3%</td></tr>
</tbody>
</table>
<p>Each measurement was taken at 2 minutes into playing the video. Not sure why the CPU's a bit more active, but wow, that temperature reduction is serious!</p>
<p>Overall, I am very, very happy with this upgrade. The Linux 4 series seems to be all about making things smoother, faster, and more battery-friendly. I'll update later with a benchmark of battery life.</p>
<p>If you have a MacBook Pro from the 2011 era (or you're just curious), you can <a href="http://foxkit.us/linux-4.1-rc8-config.txt">view my config file online</a>. Special thanks to <a href="http://elizabethmyers.me.uk">Elly</a> and <a href="http://mc.680x0.com/">Horst</a> for guidance, patchsets, and keeping me company while I was going insane with menuconfig. :)</p>
<h1>Musings: Just another lazy Sunday.</h1>
<p>awilfox, published 2015-06-15T00:12:00.000-07:00, updated 2015-06-21T03:10:11.541-07:00</p>
<p>Okay, I guess I'm doing this daily. Sundays are usually pretty lazy for me, so this will be short.</p>
<p>Found more interesting tidbits, still configuring the 4.1 kernel for my laptop. RC8 came out before I even finished, so now I have some oldconfiging to do.</p>
<p>Still felt dizzy from yesterday, so spent 20 minutes on the treadmill. Blew all the cobwebs out of my blood, I suppose. Almost completely better afterwards, so that's a good thing.</p>
<p>Found a really intricate resource pack for Minecraft, <a href="http://resourcepack.net/sk-photo-realism-resource-pack/">S&K Photo Realism</a>. I'll have to try it out the next time I'm on the desktop with the Radeon 5700HD. My laptop can't handle resource packs; the poor little Sandy Bridge HD Graphics is too overwhelmed.</p>
<p>Helped Horst debug an i915_drm driver issue on 4.0.5. Not sure of the root cause, will have to probe further tomorrow.</p>
<p>Started planning how to install Foxtoo, my own little brand of Gentoo, on to my Pentium-100 laptop. I think I have a way and it's going to make for quite an article if I manage to make it happen.</p>
<p>Actually excited for work tomorrow. Lots of cool things in the works there.</p>
<h1>Musings: libxo, Python code quality, and Linux kernel shenanigans</h1>
<p>awilfox, published 2015-06-14T00:18:00.000-07:00, updated 2015-06-21T03:09:59.958-07:00</p>
<p>I've been inspired to actually make this into an actual bloggy journal thing instead of just writing occasional long-winded well thought out articles. I still want to <b>do</b> long-winded well thought out articles, but the entire reason I got this thing in the first place is to share my knowledge and experiences with the world. Might as well.</p>
<p>Caught up on the backlog of <a href="https://lists.freebsd.org/pipermail/freebsd-current/2015-March/054898.html">happenings</a> on the freebsd-current mailing list. Lots of people are upset about libxo, including myself. May mean a Linux migration in my professional future. Disappointing, especially since there is a lot of opposition, but it's understandable that it's going forward anyway. Juniper pays to keep the lights on at the FreeBSD Foundation, so they have a lot of pull. Sad to see they don't really care about the community or what we have to say.</p>
<p>Looked harder at GCC 5.1 code output. Then looked harder at switching default compiler from GCC to Clang on Gentoo. ;) It's not all there yet but it seems to be improving every day. Looking forward to trying out a Clang-compiled kernel if that patchset advances.</p>
<p>Played with <a href="http://www.pylint.org/">Pylint</a> and <a href="https://pypi.python.org/pypi/pyflakes">Pyflakes</a>. Ran it on a few of the projects I work on and a few of the ones I write with Elly. <a href="https://github.com/Elizafox/PyIRC">PyIRC 3</a> got a rating of 8.5 out of 10. Really impressive. I hope to show Pylint to the people at work in the coming week and improve the quality and process there too.</p>
<p>Tried playing Minecraft. Already felt a bit dizzy before playing, so that was a mistake. Logged off after about 20 minutes from the ill feeling. Perhaps tomorrow.</p>
<p>Found out about a <a href="https://security-tracker.debian.org/tracker/TEMP-0000000-1CBA65">lovely years-old DoS vulnerability</a> in the Linux kernel's UDP stack. Ran netstat on my servers to make sure they had no UDP listeners. Not sure what to do about the Minecraft server, perhaps the DDoS protection we already have on it is good enough.</p>
<p>Read a hilarious <a href="http://www.phoronix.com/scan.php?page=article&item=intel-478-retro&num=4">article comparing the Pentium 4 Northwood to various new CPUs</a>, where the AMD "accelerated" notebook CPUs performed worse. I can't believe AMD has gone so downhill that a Pentium 4 from 2002 can spank its brand new designs.</p>
<p>Decided to start configuring a 4.1-rc7 kernel for my laptop. 3.18 is so old (by my own standards) and I really want to get off of this line since my checkout is still affected by <a href="https://lkml.org/lkml/2015/1/14/226">that stupid exit race bug</a> which sometimes causes Firefox to die. Found an interesting knob, CONFIG_EXT4_ENCRYPTION, which is apparently <a href="http://thread.gmane.org/gmane.comp.file-systems.ext4/48206">the same encryption stuff Android "M" will be using</a>. Pretty neat but seems useless for my needs. Might try it on the Pentium II for the hilarity.</p>
<p>Tried to tinker with the internals of <a href="https://developer.apple.com/osx/pre-release/">OS X Server 5.0 beta 1</a> before bed, but it's compressed with a weird algorithm (ADC?) that none of my Linux utilities can break open. I'll need to investigate that more tomorrow.</p>
<h1>FreeBSD on Apple MacBook Pro 8,2: Epilogue.</h1>
<p>awilfox, published 2015-05-12T11:46:00.001-07:00, updated 2015-06-21T03:09:47.254-07:00</p>
<p>It is with a fairly heavy heart that I write I am no longer running FreeBSD on my MacBook Pro.</p>
<h2>What happened to improving?</h2>
<p>Part of the problem is that I finally received gainful employment in March, and that work is almost impossible to do on FreeBSD. A lot of it involves Chrome (which I still have been unable to run on FreeBSD), Qt5-based applications (which crash due to known bugs in libv8 that Google do not care to resolve), and some Python libraries that have truly terrible performance on FreeBSD.</p>
<h2>Why not run Linux in a VM for work?</h2>
<p>Sure, I could have, if VirtualBox ever worked...</p>
<h2>Weren't you excited to fix up FreeBSD?</h2>
<p>I was. I still am, but something just feels different. For over a decade, FreeBSD has for me been the go-to operating system for any use case: servers, embedded projects, desktop systems, and more. But the current heading of development seems to strongly suggest this is no longer encouraged or desired.</p>
<p>When I first started out with Gentoo nine years ago, they were pretty much bent on making it for newer hardware only. Back then, Pentium computers were like the Pentium 4s of now - something you give your grandma or little sister for web browsing, but nothing too serious. And Gentoo developers did not really care if they broke compatibility with these older systems. I can understand that, given that compiling the entire system by hand is something that is pretty taxing for older hardware.</p>
<p>The nice thing about FreeBSD was their community never looked down on you for using these older machines, and realised they still have use. My first interactions with #FreeBSDHelp on EFnet were in 2006 and related to getting SLIP support working in sysinstall so I could remotely install FreeBSD 6 on my Pentium 90 laptop. They were happy to help.</p>
<p>The roles have largely reversed now. Running into issues with older hardware gets me looks of disdain and "great, upgrade your hardware and try again" from the FreeBSD community. Meanwhile, the Gentoo team was happy to help me with an issue regarding my retro <b>Intel486</b> box, in 2015. This computer has no business still functioning, and they were still willing to help me configure a kernel that would boot on it with its <i>anaemic</i> 20 MB RAM.</p>
<p>The other thing I have noticed is that even now, months later, none of my Ports bugs have been handled. In the same amount of time, I have filed three bugs against Portage packages... and <i>all of them were closed within one week of being opened</i>. I feel like my contributions <i>matter</i> to the Gentoo Linux team.</p>
<h2>What have you learned?</h2>
<p>FreeBSD is more fun to hack on than Gentoo. FreeBSD is harder to get things done on than Gentoo.</p>
<p>FreeBSD is lighter on resources than Gentoo. FreeBSD is heavier on bug backlog than Gentoo.</p>