Tuesday, February 06, 2018

What is the place for one-on-one communication in open-source?

One of Red Hat's mantras is "develop in the open". There is an entire website, opensource.com, with tons of articles about this idea (this article in particular is great).

One aspect of "develop in the open" means keeping conversations as public as possible. Don't email or IM a developer directly; instead, email a development mailing list (possibly using the To: and CC: fields for your intended developer) or ask in a public IRC channel. It's hard to overstate the community benefits of this, and again opensource.com explains the benefits in more detail than you could ever want.

Sometimes people send me direct instant messages seeking information, instead of asking in a public channel. I think there is a fear of "spamming the channel" or fear of looking foolish. I can respect people's desire to avoid looking foolish. I've even done the same, and some wise people called me out on it. I suggest that you will not look nearly as foolish as you expected, though. Let's face it, if this topic was so obvious, you would have found some documentation on it already, right :) Maybe things are just hard to figure out! Maybe many other people would benefit from this probably-under-documented information!

In these conversations, I try to steer back into an IRC channel, replying "That's a great question. Would you be ok if we continued the conversation in #channel-that-relates-to-what-we-are-talking-about?" Then I tab over to that channel and say "so-and-so: we were just discussing <my rephrasing of their question>" to give some context to everyone else in the room. Then I answer the question so everyone can see it.

I've been thinking about a corollary to this concept this week: There is also a time for one-on-one IM conversations, and that is when you have to bring up a sensitive topic and you need to build some relational credibility.

Let's say I've noticed a mistake in some code or process. Let's also imagine I do not have positive relational credibility with the person responsible. Maybe this person is a different personality type than me, and we both drive each other nuts. Maybe it's been a pressure-cooker situation for any number of other reasons. If I bring up this person's mistake in a public IRC channel, we just go deeper on the negative spiral, and my behavior can look threatening. I've found it's more effective to bring up mistakes as privately as possible.

Of course we want to default to open and develop in the open. On the other hand, sometimes there is a greater good, where we trade a bit of openness for relational credibility. Once the relationship is there, maybe we'll get a chance to discuss future problems more openly without fear.

Wednesday, June 28, 2017

Forwarding gpg-agent to a container

I use Fedora on my main laptop, but sometimes I need to GPG-sign something in an Ubuntu environment.

I store my GPG key on my Yubikey and access the device with gpg-agent. Here are instructions for forwarding my gpg-agent connection into a Docker container.

This will only work with a ubuntu:xenial image and newer, because Trusty has GPG 2.0, and this needs 2.1. Earlier versions of GPG 2 failed because they still need access to the data in secring.gpg. See https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring for more information.

On the host, bind-mount the gpg-agent socket when running the container:

docker run --volume /home/kdreyer/.gnupg/S.gpg-agent-extra:/gpg-agent --env GPG_AGENT_INFO=/gpg-agent:0:1 -ti ubuntu:xenial

Within the container: Xenial's gpg2 looks for the socket in ~/.gnupg, ignoring GPG_AGENT_INFO, so we have to link it in:

mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
ln -s /gpg-agent ~/.gnupg/S.gpg-agent

Trust the kdreyer@redhat.com key:

gpg2 --keyserver keys.fedoraproject.org --recv 478A947F782096AC
echo -e "trust\n5\ny\n" | gpg2 --command-fd 0 --edit-key kdreyer@redhat.com

Test a signature operation:

echo hi | gpg2 -as -u kdreyer@redhat.com --use-agent

Now we can use GPG with other tools, for example debsign:

debsign -p gpg2 tambo_0.4.0-0ubuntu0.16.04.1_source.changes

Note that there's a bug in dput: it hardcodes the use of /usr/bin/gpg when verifying signatures, so you'll have to import your key again into the gpg1 key store:

gpg --keyserver keys.fedoraproject.org --recv 478A947F782096AC

And then you can upload to a Launchpad PPA:

dput ppa:kdreyer-redhat/ceph-medic tambo_0.4.0-0ubuntu0.16.04.1_source.changes
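
A preflight check for the container-side setup above, as an added example that is not part of the original post: it confirms that gpg2 is 2.1 or newer and that ~/.gnupg is private and holds a live S.gpg-agent socket before you attempt a signature. The function names and the --run argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Succeeds when a GnuPG version string such as "2.1.11" is 2.1 or newer,
# i.e. new enough to sign through the agent without secring.gpg.
gpg_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Inspects a GnuPG home directory. Return codes:
#   0 = ok, 1 = directory missing, 2 = group/other have access,
#   3 = S.gpg-agent is absent, dangling, or not a socket
check_gnupg_home() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ] || return 2
    # -S follows the symlink, so a link to a missing bind mount fails here.
    [ -S "$dir/S.gpg-agent" ] || return 3
    return 0
}

# Runs both checks against the current user's GnuPG home.
preflight() {
    ver=$(gpg2 --version 2>/dev/null | awk 'NR==1 {print $NF}')
    if [ -z "$ver" ]; then echo "gpg2 not found" >&2; return 1; fi
    if ! gpg_version_ok "$ver"; then
        echo "GnuPG $ver is older than 2.1" >&2; return 1
    fi
    rc=0
    check_gnupg_home "$HOME/.gnupg" || rc=$?
    case $rc in
        0) echo "ok: GnuPG $ver, agent socket linked" ;;
        1) echo "$HOME/.gnupg does not exist" >&2 ;;
        2) echo "$HOME/.gnupg must be mode 700" >&2 ;;
        3) echo "S.gpg-agent is not a socket; was /gpg-agent bind-mounted?" >&2 ;;
    esac
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it inside the container with --run after creating the symlink; a non-zero exit means the test signature would fail for the reason printed.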

Wednesday, October 29, 2014

Sigal packaging and CentOS


My home server was running CentOS 6, and this was getting a bit long in the tooth:

  • The libwww-perl version that ships in CentOS 6 does not handle HTTPS certificates in a secure way. This was only fixed in LWP version 6. There's almost no chance of LWP getting rebased, since that module is part of Perl core, and it's so late in the RHEL 6 lifecycle.
  • The Python version (2.6) is so old that many Python apps no longer support it. The one I was particularly interested in was Sigal to generate my own photo gallery for my family.

I tried using the Python 3.3 software collections, and this worked well to get Sigal running in a Python 3.3 virtualenv.

For Perl, I didn't want to deal with SCLs, because my application has a long dependency chain, and I would need to rebuild a lot of SCL-style RPMs to get my app to work. I could just use the "cpan" tool (similar to virtualenv/pip), but I wanted to avoid the security and stability issues associated with using an essentially random snapshot in time of modules that I grabbed from upstream. I like the fact that Bugzilla is a central place to track CVEs, and I like the waiting period in epel-testing and the possibility for community collaboration there, etc.

The idea of using multiple SCLs and lots of non-packaged upstream modules was what pushed me to just bite the bullet and update to CentOS 7. CentOS base + CentOS extras + EPEL 7 already had all the deps for Sigal, except python-pilkit. I buckled down and learned just enough Python packaging techniques in order to package python-pilkit and python-sigal. And the best part is that the packages actually work on my new EL7 system (knock on wood).

sigal bundles some Javascript bits, and I'm not sure about the JS guidelines for EPEL. But otherwise I think the packages are close to being ready to submit to Fedora.

Wednesday, December 04, 2013

work

"What we want is not more little books about Christianity, but more little books by Christians on other subjects—with their Christianity latent."

- C.S. Lewis

Thursday, April 15, 2010

Typepad Antispam

I've just set up Typepad's open-source Akismet backend, also known as "Serotype". This software internally uses Perlbal for communicating HTTP, Gearman to delegate instructions, and dspam for content-based spam filtering. Other software requirements are MySQL and memcached.

Documentation is pretty scarce; a README file is basically all you get. However, if you're familiar with Perl you should be good to go. I put the pieces together in a CentOS 5 VM. Many of the required Perl modules were already in EPEL, but I did have to get some things directly from CPAN.

Here are my initial thoughts:
  • Thank you TypePad for making this open source, and releasing it to the world!
  • Most of Typepad's software is in Perl, and they are the creators of Perlbal/Gearman, so no surprise that this software is based on that as well. Since it uses Gearman, this Serotype server should be able to scale massively.
  • Once I installed all the required Perl modules, the software essentially worked "out of the box". I did need to adjust the Gearman client timeout to fifteen seconds. I traced this delay to the yuidd daemon. I'm not sure why it can take up to ten seconds to give me a UID.
  • The handling of API keys is very loose; the web service accepts any API key by default. However, only keys that are "blessed" are able to actually train the database.
  • I wish there were an easier way to "prepopulate" the database with spam.

Web forms are the spammers' new battlefields. Good thing the Akismet API even exists.

Tuesday, December 01, 2009

Life After Graduation

Wedding in IL

Honeymoon in VA

Beach Trip with Dreyers in NC

Birthday in Littleton CO

Skillet concert in VA... in the rain

New nephew

Saturday, May 30, 2009

laura-dreyer.com redesign

Laura and I spent the past three days re-designing her website, adding a blog, re-vamping the gallery... it was hectic but fun!

6 days and counting till I'm married :-)

Friday, May 15, 2009

Last View from Moody

I thoroughly enjoyed my time at MBI, and I won't forget the many memories from the school or the city.


Friday, April 17, 2009

new kenandaudrey.com coming up

We're re-designing our wedding website to be more interactive, and it's getting a facelift in the process. Here's a sneak preview :)


Also, I've re-vamped the website for Gingrich Enterprises at www.gei-1.com.

RAID1 on nslu2

Can RAID1 work on the nslu2 for big drives? Yes! I've got two 750 GB SATA drives hooked in, and it's humming along. I had to upgrade to SlugOS5 in order to be able to boot to the md device. Be ready for long RAID sync times though... it's taking about 21 hours to sync a 650 GB partition :)

Sunday, March 29, 2009

Authenticating Wordpress with multiple domains in Active Directory

Recently I've been working on a project involving authenticating Wordpress to Active Directory. There's a great plugin on wordpress.org for doing AD authentication, but I needed it to do a bit more than the author intended. The main thing I needed was support for authenticating users from many different domains.

In the original plugin, there is a single, universal "account suffix", stored in the Wordpress settings database. I'm guessing the intent here is to have a user simply enter their username, like "kdreyer", and have the suffix automatically appended to it ("kdreyer" + "@example.com"). Since we're using multiple domains, this won't work. I could have a "kdreyer@example.com", or a "jsmith@xyz.com", and I need to authenticate both.

So here is my hacked version of the Active Directory Authentication plugin. It pulls out the domain from the user's account using split('@', $username), and uses the user-supplied suffix instead of the universal suffix. This means I can get rid of the global Account Suffix and Default Email Domain settings altogether.

There are one or two other modifications here as well. I'm using SSL in my adLDAP instantiation... and so should you ;-) I've also added a bit to update the user's display_name to be "John Smith", instead of jsmith@xyz.com... the info's already there in AD, so, why not help our user out and put it in there for him :-)

I'm using Wordpress 1.7.1, and the patch is against Active Directory Authentication plugin 1.0.5.

Tuesday, December 30, 2008

Laura's website

Just finished 1.0 of my sister Laura's website, www.laura-dreyer.com. Laura designed the whole thing in Inkscape, I carved it up with GIMP, put it into a custom Wordpress theme, and put the finishing touches with jQuery. It was really fun and I learned a lot along the way. Laura's a great designer (and sister :)

Going to pick Audrey up in a few hours from the airport... our final un-married New Year's :)

Wednesday, December 10, 2008

"trick" interviews

Apparently giving "trick" interviews is as popular as it is unprofessional.

Ethically, is there a difference between what Michael Moore does to Charlton Heston in Bowling for Columbine and what certain creationists have done to Richard Dawkins?

Monday, June 09, 2008

Fedora 9 impressions

I've been running Fedora 9 for a while now. Although some things in F8 felt half-baked to me (I had trouble with PulseAudio + Audacious), F9, like each Fedora release, feels more polished.

Improvements:
  • Yum is much faster - not as fast as apt, but getting there.
  • PackageKit is much more polished than the package manager GUI F8 used (Pirut and Pup).
  • Swfdec works pretty well!

Gripes:
  • Firefox 3 occasionally crashes, and many plugin authors haven't updated their plugins to version 3.
  • Gkrellm: I haven't seen an error window like this in a while :)

Saturday, June 07, 2008

summer internship


I'm interning this summer at Community Bible Church, at Pocono Lake, Pennsylvania. I drove up to the area on May 24, met the pastor that night, and met the church congregation on Sunday the 25th. They are a nice bunch of folks! I was so surprised to see the sign outside the church welcoming me.


So far I've been able to teach Sunday School on Sunday mornings, lead Bible study on Wednesday nights, and redesign the church website: poconolakechurch.org. Tomorrow I preach my first sermon there on the book of Esther.

My fiancée, Audrey, is on a plane to the Philippines for her internship this summer, where she'll be working with the missionaries there and discipling women in the church group.

Wednesday, May 14, 2008

first mac experience

A friend gave me an old G3 to play around with today. It's my first Mac experience... and I promptly managed to hose Safari by installing the latest version from apple.com. Apparently OS X 10.3 doesn't support the newer versions of Safari or WebKit. After struggling around trying to downgrade back to Safari 1.3, I finally found good instructions for what I needed. Apparently I have to go back to Safari 1.2, then to 1.3 :) Also, Pacifist was necessary; simply installing 1.2 the regular way doesn't work.

Monday, May 12, 2008

Sunday, January 13, 2008

hacking the WGR614v7

Netgear often builds a telnet daemon into their routers, but sometimes it can be a little tricky getting in. I was curious to see if my WGR614v7 has any way to access a command line interface, so I fired up nmap:

$ nmap 192.168.1.12

Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-13 17:42 CST
Interesting ports on 192.168.1.12:
Not shown: 1694 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8080/tcp open http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 1.355 seconds

All right! Let's try to log in...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Connection closed by foreign host.

Rats. For some reason we are kicked out as soon as we touch the daemon. A little hunting on the internet provides an explanation. Apparently the telnet daemon is disabled by default, but the Netgear staff have a Windows utility that will send a packet to the router in order to enable the telnet interface. A hacker has somehow reverse-engineered the encryption process and written it into a C program.

$ gcc -o telnetenable md5.c blowfish.c telnetenable.c

Now I use the program to construct the "unlock" packet with the IP and MAC address of my router, and the default username/password "Gearguy/Geardog":

$ ./telnetenable 192.168.1.12 00AABBCCDDEE Gearguy Geardog > modpkt.pkt

Then I send it to the router with netcat:

$ nc 192.168.1.12 23 < modpkt.pkt

Now I try to log in again...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Login: Gearguy
Password: *******
U12H06400>

And we're in! "?" gives a list of commands. I'm most interested in getting the network statistics from this and putting the results into cacti... but I'll save that for another time! :)

--Edit--

Apparently seattlewireless.net, the original website that hosted the files and information, is down. I've put the C files up for grabs here:

http://ktdreyer.googlepages.com/telnetenable.c
http://ktdreyer.googlepages.com/md5.h
http://ktdreyer.googlepages.com/md5.c
http://ktdreyer.googlepages.com/blowfish.h
http://ktdreyer.googlepages.com/blowfish.c

Good luck!

Sunday, September 02, 2007

Junior Year

I'm back in Chicago for the semester. For classes, I've got Systematic Theology I, Communication of Biblical Truth (a preaching class), Greek Exegesis I, Interpersonal Communication, and Ministry and Staff Relationships. My PCM this year is at a nursing home where I'll be leading a Bible Study. It's awesome to be back on Dryer 2 and really great to start another year at Moody.

On the work side of things, I've quit using, or trying to use, Cisco's VPN client on Linux. It was not very well maintained to begin with, and I couldn't even get it to compile against the kernel in Fedora 7. Now I'm using an open-source program for Cisco VPNs called vpnc, and I really like it. It's 100% open, doesn't require a kernel module, runs as a daemon instead of an active program, and certainly feels faster. I had a great summer doing full time work and look forward to continuing part time for the rest of the year.

Speaking of Linux, my laptop has an Intel 3945ABG wireless card inside it, and Fedora 7 shipped with the new iwl3945 driver for this card. It is my understanding that the license is more open than the usual ipw3945 driver, and though the iwl3945 driver was new and kind of buggy, the Fedora devs had to decide to either bundle this one or none at all. I wasn't able to get the original iwl3945 driver on the CD to work, but when I updated to 2.6.22.4-65.fc7 I tried it again and it seems to work well with both open and WPA networks.

Last Friday was the first "Programming Tonight" session I've attended (they started when I was in VA). It was a neat place, I had a good time, and learned something new about OpenLDAP - I didn't realize the registration dates were stored for each user! Pretty useful.