On hardy after the latest round of updates:


matt@krypton:~$ dpkg -s flashplugin-nonfree | grep Version
Version: 10.0.1.218+10.0.0.525ubuntu1~hardy1+really9.0.124.0ubuntu2


Granted this package is in hardy-backports not hardy proper, but still, what on earth?!?!

I highly recommend making some time to read the The Australian Open Source Industry & Community Report. Based on a census of the Australian Open Source community conducted at the end of last year, it presents a range statistics about the state of the Open Source community and industry in Australia.

The report seems to be aimed at demonstrating to Government and Businesses that Open Source has become a very viable business strategy in Australia and in particular how increased adoption of Open Source would reduce the Australian trade deficit. You don’t need to worry about being put to sleep. The report is relatively casual in tone and easy to read with lots of bright graphs to present the key statistics and findings. Including:

• The Australian Open Source industry generates around AUD$500M in annual revenue. A small proportion of the AUD$54.4B total revenue for the Australian ICT Industry in 2004-2005. Lots of growth potential!
• 70-80% of the industry is based on the traditional development, customisation, support and maintenance business model.
• Most of the individuals making up the Australian Open Source community are working professionals, over half the community are in a relationship and a third of the community have children.

It would be fascinating to see a similar study of the New Zealand industry. I suspect that we would find that Open Source businesses are spread across the country similar to Australia. Obviously our community and financial figures would be smaller in absolute terms but would our proportion of Open Source based businesses be similar?

Maybe a good task for the current NZOSS committee would be to round up some of the larger Open Source businesses in New Zealand, along with the Ministry of Economic Development to sponsor a similar study for New Zealand!

I (as root) have a directory hierarchy that I want a particular group to always have write access to. The files and folders inside the hierarchy are owned and manipulated by a wide variety of diffrent users.

Essentially I want to delegate ‘root’ access for a portion of the filesystem to a particular group.

My first attempt at implementing this was to use the standard POSIX ACLs that are available for almost every filesystem Linux supports.

I recursively set an ACL on the top-level directory to give the group write access to all files and directories that currently exist and then I recursively set a default ACL to give the group write access on all the directories. This default ACL should be inherited by any new files that are created ensuring that the group keeps write access to everything.

Problem solved? Unfortunately not.

The intricacies of complying with POSIX means that ACLs are implemented as an ACL plus a mask. To gain access to a particular file or directory the user or group must match an appropriate ACL granting the access and the mask for that file or directory must also allow the requested permission to be granted.

When you add an ACL to a file or directory, the ‘group’ bits of the standard Unix permissions magically switch from controlling group access to controlling the mask portion of the ACL, effectively providing an upper bound on the permissions that an ACL entry can grant. This prevents legacy POSIX applications that do not understand ACLs from unintentionally granting excessive permissions - arguably a good thing.

Unfortunately this also makes it very hard to preserve the ACL granting write access to the ‘root’ group which I legitimately intended to have in place on this portion of the filesystem.

Newly created files under the hierarchy generally inherit the ACL as intended, as most applications attempt to create files with as many permissions as possible, leaving it up to the umask to remove undesired permissions.

However any file that is copied into the hierarchy without the ‘group’ write bit set, or any file that has the ‘group’ write bit removed via chmod will actually remove the write bit from the ACL mask invalidating the ACL and leaving me back at square one!

After a bit of Googling I thought that NFSv4 ACLs might be the answer to this problem, as they are marketed as “very similar to Windows ACLs” and I’m sure that I vaugely recall Windows being able to properly inherit ACLs from parent directories. Unfortunately after downloading the NFSv4 ACL patches and trying all the various mount options I cannot find any combination that will offer the functionality I need. The implementation conforms to POSIX, so it still has a mask parameter and the same problems as the standard POSIX ACLs. The only benefit from using NFSv4 ACLs that I can see is that you have more permissions to grant.

So once again, I’m back to square one. I’m hoping that there is some fundamental point that I’m missing as this seems like a very common use-case that I would have thought would be well supported.

If a command-line example is clearer to you look at:
http://www.mattb.net.nz/blog/dump/acl-inheritance-problems.txt

My current solution is to run a cronjob every X minutes to recursively ‘chmod -R g+w /dir’, however that’s far from optimal as it exposes all sorts of race conditions and just seems ugly!

Any suggestions or solutions will be gratefully received.

Now that we’ve settled into our new apartment in Dublin, the ADSL has been connected and I’m back on the net!

Obviously I’ve had Internet access at work during this time, but there has been so much new information to take in that I haven’t really had time to do any Debian or WLUG work.

I’m still waiting for the shipping company to deliver my computers, so it will be another week or two before I have a development environment that can build and test package. Once that’s setup again I have updates queued for the following:

• PHPwiki - Upgrade to 1.3.13p1
• libtrace - Upgrade to 3.0.2

Unfortunately I’m not going to make it to Debconf this year, despite being the closest geographically that I’ve ever been.

In just a few hours, I’m hopping on Emirates flight EK433 from Auckland to Singpore, to start the first leg of my trip to Dublin. I’ll be travelling for pretty much the next month, so if you’re trying to get hold of me please don’t be offended if I take several days to reply.

Kat and I have setup another blog to detail our travels, and I’ll try and keep this blog free of too much personal stuff so as to not clutter the various planets that it is syndicated to. If you’re interested in our travels and what we are up to then head over to http://www.mattandkatbrown.com.

There is also a calendar at mattandkatbrown.com if you’re wanting to try and meet up with me for keysigning, etc.


- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
e0acebd2-71f1-4df8-ae4d-50355ad7aa81
[ 6 ] Choice 1: Wouter Verhelst
[ 6 ] Choice 2: Aigars Mahinovs
[ 3 ] Choice 3: Gustavo Franco
[ 3 ] Choice 4: Sam Hocevar
[ 2 ] Choice 5: Steve McIntyre
[ 4 ] Choice 6: Raphaël Hertzog
[ 1 ] Choice 7: Anthony Towns
[ 6 ] Choice 8: Simon Richter
[ 5 ] Choice 9: None Of The Above
- - -=-=-=-=-=- Don’t Delete Anything Between These Lines =-=-=-=-=-=-=-=-


*yawn* It’s made me tired writing all of that out. Maybe sometime soon I should explain in more detail exactly what parts of Debian’s governance model I think need changing or maybe I need to wait until I’ve achieved a few more technical things and gained enough respect before anyone will listen to my opinions…

I’ve accepted a job with Google and we’re shifting to Dublin!

Back in January, Kat and I decided that it was about time we put thoughts into action, and booked some one-way plane tickets to get ourselves to Europe. Our plan is to spend at least a couple of years (more if I have my way) exploring the other side of the world and generally broadening our horizons.

We leave NZ on the 31st of March flying on Emirates to Singapore. We plan to spend a couple of weeks in Malaysia visiting some of Kat’s extended family (who I’ve never met), followed by 3 nights in Singapore, a night in Dubai, finally ending up in London at Heathrow Airport on the 17th of April.

Soon after we booked the flights I started applying for Jobs in Europe, as the prospect of converting NZD to EUR or GBP to live on is not at all attractive. I was immediately rejected by the first place I applied to (Data Connection) because I didn’t have straight A-grades in high school! (The recruiter said they didn’t even bother to look at my University Degree!). Luckily that wasn’t the only job that I had applied for!

A day or two after hearing back from Data Connection, I received a call from one of the Google recruiters in Dublin, following up on the CV that I’d sent through via their website a week or two earlier. The rest, as they say, is history. I had a couple of phone interviews, followed by a whistle stop trip to Dublin (photos here) for 4 hours of onsite interviews, a week or two of waiting and finally an offer.

I’ve just accepted the offer, and sometime after the 17th of April, I’ll be starting as a Linux/Unix Systems Administrator for Google in Dublin, Ireland! Moving to Dublin to work for Google seems to be somewhat of a trend these days, and I’m looking forward to catching up with all the other Debian people who have recently posted similar news.

The realities of shifting across the world in less than a month are starting to sink in now! We left our apartment this weekend just gone, and we’re staying with my parents for a few weeks while we get all our household stuff into storage and sort out what we’re taking to Dublin with us. It’s a big job packing up a house and it’s scary looking at the amount of stuff we’ve accumulated over just two short years! Luckily we have some exciting opportunities to look forward and keep us motivated!

About a month ago Dell announced with great fan-fare that they were the first computer company that offered their customers the chance to be carbon neutral, by planting trees to offset the carbon dioxide generated in producing a years worth of electricity for the computer. Nice idea.

They’re lucky that they specifically didn’t mention packaging, and saving the forests. I was down in Hamilton today for work, and a box from Dell arrived with two sticks of RAM for a new Dell server. We’re talking standard 1GB ECC sticks of ram. The packaging for these two unremarkable sticks of memory amounted to no less than seven boxes of increasing size (think japanese dolls), 8 peices of packaging foam, and one long strip of “air bubbles”. Two of the boxes contained absolutely nothing except for packaging foam, and were just used to pad out the medium size boxes, so that the boxes containing the actual ram didn’t bounce around. The two sticks could easily have fit in just one of the smaller boxes! The waste is unbelievable, see the picture below with your own eyes.

click for fullsize image

With the number of trees that died to support this packaging effort, I sure hope that the $6 I pay to make my desktop carbon neutral plants a lot more trees than is strictly necessary!

Taiwanese phone manufacturer FIC, recently announced the timeline for the release of the FIC Neo1973 smart phone. It’s shaping up to be a very cool device. The phone is nice to look at, has a completely open software stack via the OpenMoko project and at US$350 it’s actually relatively cheap!

Feature wise the Neo1973 is relatively similar to the iPhone, right down to using a touchscreen for the user interface. It will be interesting to see how many of the people who have been complaining about the restrictive and walled-garden iPhone model migrate over to the OpenMoko platform. The Neo1973 will work with any GSM cellular network in the world (as opposed to only Cingular in the states, and other apple partners elsewhere) and will allow you to run essentially any application that you want on the phone itself. The contrast in approach between Apple and FIC is stark, and I hope that FIC wins out in the end, although it will no doubt be an uphill battle for them to get anywhere near the mindshare that Apple receives.

The one feature that really drew my eye to the Neo1973 is the built-in GPS chipset. For a while now I’ve been looking for a device that would allow me to reveal my current location (possibly obfuscated to a certain radius) to selected family and friends. Once the source code is released in a week or two I imagine that it won’t be long before someone (maybe me…) whips up an application to make this possible.

Here’s hoping that the phone lives up to the expectations set for it and that I can come up with a suitable excuse to purchase one when they become available in early March!

Update: Found a linuxdevices.com post with some good technical detail on the hardware

There has been a lot of interest recently in the VFX VoIP service launched by WorldXchange (WXC), no doubt partly driven by the fact that there is no monthly charge until April 2007. I had a spare Linksys PAP2T so I thought I would try the service out to see how it performed.

The signup process didn’t go anywhere near as smoothly as it did when I signed up for my WXC DSL connection. The online signup form tried to force me to select a new WXC DSL Plan (I don’t want to do that, I want to keep my old plan with free National traffic). Despite trying several times and making sure that the only checkbox ticked was VFX each time, it refused to let me go any further.

Giving up on the web form, I rang the WXC helpdesk who answered promptly. It is easy to see why WXC won the 2006 award for best call centre. Every time I deal with them over the phone it is a pleasant experience. This time was no exception. The CSR I was talking to explained that the webform was dying because I tried to use a VFX username that differed from my WXC DSL username. There was no mention of this restriction on the website! Anyway, 15 minutes later, with my MAC address taken down and my voice recording completed, I was told we were all done and that I would receive my welcome email and account details with 2 working days!

24 hours later I received the email with the details, followed promptly by a phone call from WXC CSR who was ready to talk me through the process of setting up my PAP2. Configuring the PAP2 was a simple procedure, I had to copy and paste a URL into the Provisioning Rule field of the web interface and reboot the device. It then downloads configuration information directly from WXC (based off the device MAC adddress) and configures itself. I was up and running with dial-tone about 2 minutes after receiving the email. Very smooth. I understand that the process is even easier if you purchase a pre-configured PAP2.

The downside to the whole scheme is that in trying to make the process as simple as possible WXC has locked the entire system down very tightly and remove a lot of the flexibility that I would desire. In particular my PAP is now completely locked, I can’t access any of the web interfaces, and even the dial-in prompt on the PAP2 replies with a curt “cancelled” before hanging up. There is no way for me to configure the second line of the device to talk to a second SIP provider. Apparently WXC will create a custom configuration for me so that I can still use the second line, but I imagine this requires giving them all my account details for my second SIP provider, which I’m not sure I’m comfortable doing.

It also appears that WXC has an arrangement with Linksys such that every PAP2 now sold in New Zealand comes pre-configured to be used with WXC. I haven’t had a chance to look at one of these PAP2s yet, but if it were to turn out that I had to contact WXC to remove the locking on my PAP2 before I was able to use it with another VoIP provider I would be fairly annoyed.

The MyVFX portal is very underwhelming. It insists on opening itself in a new browser window, and isn’t integrated with the rest of the WXC/VFX website. From what I can make out it’s just a branded frontend on to the management system that WXC has purchased. The user interface is reminiscent of the design of the 1990s. I think there is a lot of potential for WXC to improve the experience in this area and I doubt that the average user would be comfortable updating settings via MyVFX in its present state.

On the technical side of things the VFX service seems to be fairly well designed and secured. The devices are provisioned and configured using the Linksys/Sipura provisioning tools, which appear to encrypt all conversations with the device. The setup process downloaded two configuration files and a firmware file (v 3.1.10) to my PAP2. Both of the configuration files were binary and appear to be encrypted. Interestingly it appears that WXC downgraded the firmware from 5.1.1 to 3.1.1 during the provisioning process. The MyVFX portal and SIP server appear to be using some sort of BroadWorks device.

The device fetches it’s configuration file from the WXC server every time it is powered on, so it will be easy for WXC to push out updates and configuration changes as they desire. The VoIP side of things is performed using SIP, which appears to be using standard HTTP Digest authentication. The username and passsword for this being hidden inside the encrypted configuration files which are downloaded to the device. The voice data uses the G.729 codec inside an RTP stream, and from a few short calls seems to be relatively good quality.

Conclusion
Overall, VFX seems like a very easy to use and simple service. Simple being the keyword. By locking down the devices so securely and preventing people from using softphones and devices other than Linksys equipment I imagine many people like myself are excluded from the potential market. I can’t see myself keeping the service after I have to start paying money for it. But I would definitely recommend it to friends and family who are looking for a simple, easy to use VoIP system.