Recent blog entries for vorlon

On foreign policy

When you defend the death of a civilian
and say
he should have known better
he should have left his home
and his life
in the land of your enemy
that is hate.

When you say the boy's death was justified,
for daring to be born in that country
with such people
and such policies
it is because you hate.

When the war comes to your town
and you are caught in the cross fire,
I too will say,
you had it coming.

PGP keys I won't be signing... or trusting

This is the keysigning exchange service at Biglumber.

The owner of key F5538629A12E35418DFBF242FA89FA5556F42D8B has signed your key (DEA27BAA479CCA5876E5DE5628DEAE7F29982E5A). Your key with this signature on it will be emailed to you once you have uploaded a signed copy of their public key to Biglumber.

Log in to and look for the key exchange link.

Ah, the great democratization of PGP. Who needs security when we can just collect signatures like baseball cards and hawk our identities on eBay instead? Should be an easy profit, apparently I don't even have to show that I'm me to get in on the signature exchange market.

This PSA brought to you by the committee for not trusting Ryan Ward. ...whoever that is.


Are you using bind9-host? If so, which version?

If you're using the sarge version of bind9-host, with the sarge version of libssl0.9.7, and running all this on an i686-class system, then you're looking at bug #321721. The issue is that, if a binary includes hand-written assembly, gcc will assume by default that the code requires an executable stack unless you set a .note.GNU-stack section in the assembly file which says otherwise. And the i686 version of libcrypto includes (surprise!) hand-written assembly.

This bug is already fixed for etch, both in and
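The mechanism behind this bug, as an added example that is not part of the original post: the linker records its executable-stack decision in a PT_GNU_STACK program header, which is what `readelf -lW <binary> | grep GNU_STACK` prints as `RW` (fine) or `RWE` (executable stack). When an input object such as hand-written assembly lacks a `.note.GNU-stack` section, ld sets the execute flag on that header for the whole output, and the kernel maps the stack executable. The Python below parses the header from ELF images constructed in memory (the post's case is 32-bit i686, but the header is the same in ELF32) and reports what the loader will do; the constants mirror `<elf.h>`. The assembly-side fix the post alludes to is the directive `.section .note.GNU-stack,"",@progbits` in the .s file.

```python
"""Added example (not from the post): classify an ELF image's stack policy from
its program headers. Images are constructed in memory; constants mirror <elf.h>."""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551       # PT_LOOS + 0x474e551, defined by the GNU toolchain
PF_X, PF_W, PF_R = 1, 2, 4

EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian, 64 bytes
PHDR64 = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def stack_verdict(image: bytes) -> str:
    """Return 'non-executable', 'executable', 'no-gnu-stack-header' or 'malformed'.

    Walks the program header table exactly the way the loader does and looks for
    PT_GNU_STACK; its p_flags decide the stack mapping."""
    if len(image) < EHDR64.size or image[:4] != b"\x7fELF":
        return "malformed"
    if image[4] != 2 or image[5] != 1:          # ELFCLASS64, ELFDATA2LSB only
        return "malformed"
    fields = EHDR64.unpack_from(image)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phentsize != PHDR64.size or e_phoff + e_phnum * e_phentsize > len(image):
        return "malformed"                      # table runs past the end of the file
    for i in range(e_phnum):
        p_type, p_flags = PHDR64.unpack_from(image, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            # This is the bind9-host case: an object without .note.GNU-stack makes
            # ld emit the header with PF_X set, and readelf shows it as RWE.
            return "executable" if p_flags & PF_X else "non-executable"
    # No header at all (pre-GNU_STACK toolchains): the kernel falls back to its
    # per-architecture default, which on i386/x86-64 is an executable stack.
    return "no-gnu-stack-header"


def build_image(gnu_stack_flags=None) -> bytes:
    """Construct a minimal ELF64 x86-64 image: one PT_LOAD header plus, unless
    gnu_stack_flags is None, one PT_GNU_STACK header carrying those flags."""
    phdrs = [PHDR64.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if gnu_stack_flags is not None:
        phdrs.append(PHDR64.pack(PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LSB, EV_CURRENT
    ehdr = EHDR64.pack(ident, 2, 62, 1, 0x400000, EHDR64.size, 0, 0,   # ET_EXEC, EM_X86_64
                       EHDR64.size, PHDR64.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    cases = [
        ("assembly with .note.GNU-stack", PF_R | PF_W),
        ("assembly without the note (the bug #321721 situation)", PF_R | PF_W | PF_X),
        ("binary predating PT_GNU_STACK", None),
    ]
    for label, flags in cases:
        print(f"{label}: {stack_verdict(build_image(flags))}")
```

`stack_verdict` also works on a real file (`stack_verdict(open(path, "rb").read())`), which makes it a cheap build-time check for packages that ship hand-written assembly: any library in the package reporting `executable` will drag every process that loads it back to an executable stack.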

I've watched with growing dismay as Debian's press officer continued to blog prognostications of doom for the future of Debian security, which have done nothing but whet the press's appetite for a story of impending disaster. I find this kind of blogging to be irresponsible in the extreme; not only does it not help fix the problems, it doesn't even help users make informed decisions because it doesn't contain salient facts.

Here are a few facts to go along with Joey's blog entry "Debian Security still broken":

  • Three security advisories had already been issued for sarge on July 1. Binaries for the arm architecture were not included, but most users were covered by the binaries that were made available.
  • The arm autobuilder has since caught up with those advisories, so updated advisories will probably be available soon. In addition, three more security advisories were issued for sarge on July 5 that include binaries for all architectures, and two more have been issued so far today.
  • Security updates for woody were not being built on ia64 and arm because no buildd was configured to do so. (These are the missing builds Joey blogged about.) Once this issue was identified, it was quickly resolved; in any case, it had no impact on the infrastructure for sarge updates.
  • Joey correctly identified in his blog that there was an issue with two packages (one each from woody and sarge) not being picked up for building. Once this issue was identified to the people responsible for the infrastructure, it was quickly resolved.
  • There was one last missing sarge build on m68k, for zlib. This was a case of the package going missing after being built; this is something that happens from time to time with the autobuilders; it doesn't point to a (fixable) software failure, the only thing to be done is to re-try the build. This was done, and the advisory was issued today as DSA 740, before the corresponding advisory from Red Hat...
  • Lest this be seen as a fluke instead of being representative of Debian's security support going forward, it looks like there are six more advisories in the queue for sarge and about a dozen pending for woody.
  • While I agree that there's a need for Debian to expand its security team, following the controversy in June we now have three security team members actively working on security (two full members and a security team secretary), which AIUI is a 50% increase over where we'd been earlier this year.
  • And let's not forget Joey Hess's reminder that quantity isn't everything where security is concerned.

I share Joey Schulze's dissatisfaction with the state of security support for this past month, but his blog smacks of bitterness, not of measured objectivity. So here we are, five days after the first security advisories have been published for sarge, and new stories are still appearing in the press reporting that Debian is OMFG broken.

Is there any hope that the press will give the same coverage of the story that Debian's security infrastructure is not broken?

Dear Jeff Merkey, professional litigious fuck,

It is not a violation of your rights to free speech, free association, privacy, due process, or exercise of your religion to opine that you should commit suicide.

OTOH, it is evident that given how you choose to spend your time, your continued breathing has a chilling effect on freedom of speech and interferes with others' right to due process.

Suicide — the ethical choice.

If you are interested in adding me to the list of defendants in this case, so that I, too, may reap the windfall of your patent portfolio when you are countersued for this frivolous lawsuit, my address and location are believed to be within the State of Oregon, but are unknown at the present time.

Steve Langasek

P.S. — Jeff Merkey, idiot of the year: you do not create patents, you create inventions and are issued patents for them. At least, that's the system that the federal government has set up. Come to think of it, perhaps you actually are creating patents without actual inventions; that would explain a lot about your affinity for wrongful suits, wouldn't it?


The following has just been posted to debian-devel-announce:

A bug has been discovered in the 3.1r0 CD/DVD images: new installs from these images will have a commented-out entry in /etc/apt/sources.list for " testing/updates" rather than an active entry for " stable/updates", and thus will not get security updates by default. This was due to incorrect Release files on the images.

If you have already installed a system using a 3.1r0 CD/DVD image, you do not need to reinstall. Instead, simply edit /etc/apt/sources.list, look for any lines mentioning, change "testing" to "stable", and remove "# " from the start of the line.

If you installed other than from a CD or DVD (for example, netboot, or booting from floppy and installing the base system from the network), you are not affected by this bug.

New 3.1r0a images will be available shortly to correct this flaw. We apologise for the inconvenience.
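The edit described in the announcement, as an added example that is not part of the announcement itself: only the commented-out security entries pointing at testing/updates are rewritten, every other line passes through untouched, and a backup is written before the real file is replaced. It assumes the security archive host is security.debian.org (the host name is missing from the announcement as mirrored above), and the sample sources.list is constructed, not taken from a real install.

```python
"""Added example (not from the announcement): repair the sources.list that the
3.1r0 CD/DVD images produce. Assumption: the security host is security.debian.org."""
import re
import tempfile
from pathlib import Path

# A commented-out "deb" or "deb-src" entry for the security archive that points at
# testing/updates. The leading "# " and the suite name are the two things to fix.
BROKEN = re.compile(
    r"^#\s*(deb(?:-src)?\s+https?://security\.debian\.org/\S*\s+)testing/updates\b"
)
ACTIVE = re.compile(r"^deb\s+https?://security\.debian\.org/\S*\s+stable/updates\b")


def repair_line(line: str) -> str:
    """Uncomment and retarget one broken line; any other line is returned as is."""
    return BROKEN.sub(lambda m: m.group(1) + "stable/updates", line, count=1)


def repair_sources_list(text: str):
    """Return (repaired text, number of lines changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        fixed = repair_line(line)
        changed += fixed != line
        out.append(fixed)
    return "".join(out), changed


def active_security_entries(text: str) -> int:
    """Count binary-package lines apt will actually use for security updates."""
    return sum(1 for line in text.splitlines() if ACTIVE.match(line))


def repair_file(path) -> int:
    """Repair a sources.list in place, keeping a .bak copy; returns lines changed."""
    p = Path(path)
    original = p.read_text()
    repaired, changed = repair_sources_list(original)
    if changed:
        p.with_name(p.name + ".bak").write_text(original)
        p.write_text(repaired)
    return changed


# Constructed sample resembling a fresh 3.1r0 install, not copied from a real system.
SAMPLE = """\
deb http://ftp.debian.org/debian/ sarge main
deb-src http://ftp.debian.org/debian/ sarge main
# deb http://security.debian.org/ testing/updates main contrib
# deb-src http://security.debian.org/ testing/updates main contrib
# deb http://example.invalid/debian/ sarge main
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        sources = Path(work) / "sources.list"
        sources.write_text(SAMPLE)
        print("active security entries before:", active_security_entries(SAMPLE))
        print("lines changed:", repair_file(sources))
        print("active security entries after:", active_security_entries(sources.read_text()))
        print(sources.read_text())
```

The unrelated commented line (`example.invalid`) stays commented, and running the repair a second time changes nothing, so it is safe to run on a system that was already fixed by hand.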

The CD team is already working on making fixed ISOs/jigdos/torrents available; unfortunately, with 11 architectures and multiple media sizes, this process takes a while, so it will probably be a day or two before the fixed 3.1r0a images are available everywhere.

So yeah, don't go pressing those 10,000 copies of sarge just yet.

Let's see how many Planet Debian posts in a row we can get about the fact that sarge is released! Yeah! ;)

I've already been personally congratulated a number of times today on the release, and I know the other members of the release team have also been congratulated. This feels awkward to me, because even though I've certainly put in long hours trying to pull this together (and hold it together), this is a community effort: the release team cannot and does not do this alone. There are many other teams involved in achieving a Debian release, and all the release schedule frustrations and eventual triumphs :) happen in a much larger context than that of "the release team".

So when congratulating the people responsible for the release of this latest iteration of Debian's high-quality, free operating system, don't forget to congratulate and thank the FTP team, for their behind-the-scenes work keeping the system running that makes development possible; the documentation team, for their fine work on the sarge installation manual and the (somewhat hurried :) release notes; the CD team and mirror team, for the long hours they put in this weekend to get our official distribution channels in shape; the installation team, for the flexible new Debian-Installer; the porters, some of whom had to fight last minute buildd outages (naturally ;) to get those last few bugs fixed; and some other teams too that aren't unimportant to the process just because I'm in too much of a daze to acknowledge them here.

And thanks to the many maintainers, bug fixers, translators and documentors who have helped to make sarge a distribution worth releasing.

Sarge is once again proof that communities can do great things — even communities of irritable, cantankerous, grudge-holding, flaming Free Software nuts. ;)

Raphaël writes that Debian's decision to hold everything in the Debian main archive to the same standard of freeness (the DFSG) was a mistake, and that it's necessary to fix this mistake with another general resolution.

While it's fine to disagree with the outcome of the previous changes, please don't start a new GR unless you think there's a real reason to believe the outcome will be different. As you can see from the tally sheet for that vote, with 396 developers voting, we had the participation of a sizable percentage of all developers (though, interestingly, less than in most DPL elections), and came nowhere near the 3:1 supermajority needed to rescind the changes. Since everyone's votes on this issue are public, it should be straightforward to canvass the developers who didn't vote or who voted against reverting the change, to get support for this change before putting everyone through the GR process again.

In contrast, I don't think public pronouncements about how bad of an idea this change was are going to get us anywhere. In fact, we've had almost a year of such public pronouncements, from various people, that haven't gotten us anywhere.

No, jdub, the Ubuntu kernel team don't have real ultimate power; ninjas do.
