Feeds

nano @ Savannah: GNU nano 2.8.0 was released

GNU Planet! - Sun, 2017-04-02 06:54

This version of nano changes the way softwrap works: the <Up> and <Down> cursor keys now move through visual rows instead of jumping between logical lines. And nano now makes use of gnulib, to get rid of some custom shims and to avoid the need for new ones. The use of gnulib has increased the size of nano's tarball by some thirty percent, but... in lines of code this is the smallest nano since 2.2.0.

Categories: FLOSS Project Planets

freedink @ Savannah: New FreeDink game data release

GNU Planet! - Sun, 2017-04-02 04:34

Here's a new release of freedink-data :)
http://ftp.gnu.org/gnu/freedink/freedink-data-1.08.20170401.tar.xz

It adds 2 new sounds, a new Swedish translation and updates the
Catalan, Spanish and German ones.

As a side note all the (simple) build process is now reproducible.

About GNU FreeDink:

Dink Smallwood is an adventure/role-playing game, similar to Zelda, made by RTsoft. Besides twisted humor, it includes the actual game editor, allowing players to create hundreds of new adventures called Dink Modules or D-Mods for short.

GNU FreeDink is a new and portable version of the game engine, which runs the original game as well as its D-Mods, with close
compatibility, under multiple platforms.

freedink-data contains the original game story, along with free sound and music replacements.
Your help is welcome to fill the gap!
https://www.gnu.org/software/freedink/doc/sounds/


FSF Blogs: Friday Free Software Directory IRC meetup: March 31st starting at 12 p.m. EDT/16:00 UTC

GNU Planet! - Thu, 2017-03-30 14:35

Participate in supporting the FSD by adding new entries and updating existing ones. We will be on IRC in the #fsf channel on irc.freenode.org.

Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the FSD contains a wealth of useful information, from basic category and descriptions, to providing detailed info about version control, IRC channels, documentation, and licensing info that has been carefully checked by FSF staff and trained volunteers.

While the FSD has been and continues to be a great resource to the world over the past decade, it has the potential of being a resource of even greater value. But it needs your help!

This week we hope to be welcoming back some of the new friends we made at LibrePlanet 2017, and continue on with the process of adding new entries to the FSD. We hope we'll be joined by our regular volunteers as well, as there will still be a need to help train up new volunteers.

If you are eager to help and you can't wait or are simply unable to make it onto IRC on Friday, our participation guide will provide you with all the information you need to get started on helping the FSD today! There are also weekly FSD Meetings pages that everyone is welcome to contribute to before, during, and after each meeting.


FSF Blogs: Free Software Directory meeting recap for March 26th, 2017

GNU Planet! - Thu, 2017-03-30 14:20

Every week free software activists from around the world come together in #fsf on irc.freenode.org to help improve the Free Software Directory. This recaps the work we accomplished at the Sunday, March 26th, 2017 meeting at LibrePlanet.

This week featured a special in-person meetup at the LibrePlanet conference in Cambridge, Massachusetts. Joined by our usual crew in IRC, we welcomed some new friends to the Directory. Many stopped by just to get some training and ask questions about the Directory, but a few were able to stick around and start hacking. This was the second time we were able to have an in-person meetup, and we hope to do more in the future. For now, we're getting back to our regularly scheduled Friday meetings via IRC.

If you would like to help update the directory, meet with us every Friday in #fsf on irc.freenode.org from 12 p.m. to 3 p.m. EDT (16:00 to 19:00 UTC).


FSF Events: Richard Stallman - "Free Software and Your Freedom" (Philadelphia, PA)

GNU Planet! - Wed, 2017-03-29 17:09

The Free Software Movement campaigns for computer users' freedom to cooperate and control their own computing. The Free Software Movement developed the GNU operating system, typically used together with the kernel Linux, specifically to make these freedoms possible.

Richard Stallman's speech will be nontechnical, admission is gratis, and the public is encouraged to attend.

Location: Fitts Auditorium, Law School, 3501 Sansom St., Philadelphia, PA 19104

Please fill out our contact form, so that we can contact you about future events in and around Philadelphia.


Sylvain Beucler: Practical basics of reproducible builds 2

GNU Planet! - Tue, 2017-03-28 15:46

Let's review what we learned so far:

  • compiler version needs to be identical and recorded
  • build options and their order need to be identical and recorded
  • build path needs to be identical and recorded
    (otherwise debug symbols - and BuildIDs - change)
  • diffoscope helps checking for differences in build output

We stopped when compiling a PE .exe produced a varying output.
It turns out that PE carries a build date timestamp.

The spec says that bound DLLs timestamps are referred to in the "Delay-Load Directory Table". Maybe that's also the date Windows displays when a system-wide DLL is about to be replaced, too.
Build timestamps look unused in .exe files though.

Anyway, Stephen Kitt pointed out (thanks!) that Debian's MinGW linker binutils-mingw-w64 has an upstream-pending patch that sets the timestamp to SOURCE_DATE_EPOCH if set.

Alternatively, one can pass -Wl,--no-insert-timestamp to set it to 0 (though see caveats below):

$ i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe
$ md5sum hello.exe
298f98d74e6e913628a8b74514eddcb2 hello.exe
$ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc -Wl,--no-insert-timestamp hello.c -o hello.exe
$ md5sum hello.exe
298f98d74e6e913628a8b74514eddcb2 hello.exe

If we don't care about debug symbols, unlike with ELF, stripped PE binaries look stable too!

$ cd repro/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe
6e07736bf8a59e5397c16e799699168d hello.exe
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe
6e07736bf8a59e5397c16e799699168d hello.exe
$ cd ..
$ cp -a repro repro2/
$ cd repro2/
$ i686-w64-mingw32.static-gcc hello.c -o hello.exe && i686-w64-mingw32.static-strip hello.exe
$ md5sum hello.exe
6e07736bf8a59e5397c16e799699168d hello.exe

Now that we have the main executable covered, what about the dependencies?
Let's see how well MXE compiles SDL2:

$ cd /opt/mxe/
$ cp -a ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp
$ rm -rf * && git checkout .
$ make sdl2
$ md5sum ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a
68909ab13181b1283bd1970a56d41482 ./usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482 /tmp/libSDL2.a

Neat - what about another build directory?

$ cd /usr/srx/mxe
$ make sdl2
$ md5sum usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a
c6c368323927e2ae7adab7ee2a7223e9 usr/i686-w64-mingw32.static/lib/libSDL2.a
68909ab13181b1283bd1970a56d41482 /tmp/libSDL2.a
$ ls -l ./usr/i686-w64-mingw32.static/lib/libSDL2.a /tmp/libSDL2.a
-rw-r--r-- 1 me me 5861536 mars 23 21:04 /tmp/libSDL2.a
-rw-r--r-- 1 me me 5862488 mars 25 19:46 ./usr/i686-w64-mingw32.static/lib/libSDL2.a

Well that was expected.
But what about the filesystem order?
With such an automated build, could potential variations in the order of files go undetected?
Would the output be different on another filesystem format (ext4 vs. btrfs...)?

It was a good opportunity to test the disorderfs fuse-based tool.
And while I'm at it, check if reprotest is easy enough to use (the manpage is scary).
Let's redo our basic tests with it - basic usage is actually very simple:

$ apt-get install reprotest disorderfs faketime
$ reprotest 'make hello' 'hello'
...
will vary: environment
will vary: fileordering
will vary: home
will vary: kernel
will vary: locales
will vary: exec_path
will vary: time
will vary: timezone
will vary: umask
...
--- /tmp/tmpk5uipdle/control_artifact/
+++ /tmp/tmpk5uipdle/experiment_artifact/
│   --- /tmp/tmpk5uipdle/control_artifact/hello
├── +++ /tmp/tmpk5uipdle/experiment_artifact/hello
├── stat {}
│ │ @@ -1,8 +1,8 @@
│ │
│ │  Size: 8632 Blocks: 24 IO Block: 4096 regular file
│ │  Links: 1
│ │ -Access: (0755/-rwxr-xr-x) Uid: ( 1000/ me) Gid: ( 1000/ me)
│ │ +Access: (0775/-rwxrwxr-x) Uid: ( 1000/ me) Gid: ( 1000/ me)
│ │
│ │  Modify: 1970-01-01 00:00:00.000000000 +0000
│ │
│ │  Birth: -
# => OK except for permissions
$ reprotest 'make hello && chmod 755 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
c8f63b73265e69ab3b9d44dcee0ef1d2815cdf71df3c59635a2770e21cf462ec hello
$ reprotest 'make hello CFLAGS="-g -O2"' 'hello'
# => lots of differences, as expected

Now let's apply to the MXE build.
We keep the same build path, and also avoid using linux32 (because MXE would then recompile all the host compiler tools for 32-bit):

$ reprotest --dont-vary build_path,kernel 'touch src/sdl2.mk && make sdl2 && cp -a usr/i686-w64-mingw32.static/lib/libSDL2.a .' 'libSDL2.a'
=======================
Reproduction successful
=======================
No differences in libSDL2.a
d9a39785fbeee5a3ac278be489ac7bf3b99b5f1f7f3e27ebf3f8c60fe25086b5 libSDL2.a

That checks!
What about a full MXE environment?

$ reprotest --dont-vary build_path,kernel 'make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf libzip gettext nsis' 'usr'
# => changes in installation dates
# => timestamps in .exe files (dbus, ...)
# => libicu doesn't look reproducible (derb.exe, genbrk.exe, genccode.exe...)
# => apparently ar timestamp variations in libaclui

Most libraries look reproducible enough.
ar differences may go away at FreeDink link time since I'm aiming at a static build. Let's try!

First let's see how FreeDink behaves with stable dependencies.
We can compile with -Wl,--no-insert-timestamp and strip the binaries in a first step.
There are various issues (timestamps, permissions) but first let's check the executables themselves:

$ cd freedink/
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
# => executables are identical!
# Same again, just to make sure
$ reprotest --dont-vary build_path 'mkdir cross-woe-32/ && cd cross-woe-32/ && export PATH=/opt/mxe/usr/bin:$PATH && LDFLAGS='-Wl,--no-insert-timestamp' ../configure --host=i686-w64-mingw32.static --enable-static && make -j$(nproc) && make install-strip DESTDIR=$(pwd)/destdir' 'cross-woe-32/destdir/usr/local/bin'
│   --- /tmp/tmp2yw0sn4_/control_artifact/bin/freedink.exe
├── +++ /tmp/tmp2yw0sn4_/experiment_artifact/bin/freedink.exe
│ │ @@ -2,20 +2,20 @@
│ │  00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
│ │  00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
│ │  00000030: 0000 0000 0000 0000 0000 0000 8000 0000 ................
│ │  00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
│ │  00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
│ │  00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
│ │  00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......
│ │ -00000080: 5045 0000 4c01 0a00 e534 0735 0000 0000 PE..L....4.5....
│ │ +00000080: 5045 0000 4c01 0a00 0000 0000 0000 0000 PE..L...........
│ │  00000090: 0000 0000 e000 0e03 0b01 0219 00f2 3400 ..............4.
│ │  000000a0: 0022 4e00 0050 3b00 c014 0000 0010 0000 ."N..P;.........
│ │  000000b0: 0010 3500 0000 4000 0010 0000 0002 0000 ..5...@.........
│ │  000000c0: 0400 0000 0100 0000 0400 0000 0000 0000 ................
│ │ -000000d0: 00e0 8900 0004 0000 7662 4e00 0200 0000 ........vbN.....
│ │ +000000d0: 00e0 8900 0004 0000 89f8 4e00 0200 0000 ..........N.....
│ │  000000e0: 0000 2000 0010 0000 0000 1000 0010 0000 .. .............
│ │  000000f0: 0000 0000 1000 0000 00a0 8700 b552 0000 .............R..
│ │  00000100: 0000 8800 d02d 0000 0050 8800 5006 0000 .....-...P..P...
│ │  00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
│ │  00000120: 0060 8800 4477 0100 0000 0000 0000 0000 .`..Dw..........
│ │  00000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
│ │  00000140: 0440 8800 1800 0000 0000 0000 0000 0000 .@..............
├── stat {}
│ │ │ @@ -1,8 +1,8 @@
│ │ │
│ │ │  Size: 5121536 Blocks: 10008 IO Block: 4096 regular file
│ │ │  Links: 1
│ │ │  Access: (0755/-rwxr-xr-x) Uid: ( 1000/ me) Gid: ( 1000/ me)
│ │ │
│ │ │ -Modify: 2017-03-26 01:26:35.233841833 +0000
│ │ │ +Modify: 2017-03-26 01:27:01.829592505 +0000
│ │ │
│ │ │  Birth: -

Gah...
AFAIU there is something random in the linking phase, and sometimes the timestamp is removed, sometimes it's not.
Not very easy to track but I believe I reproduced it with the "hello" example:

# With MXE:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
# => different
# => maybe because it imports the build timestamp from -lSDL2main

# With Debian's MinGW (but without SOURCE_DATE_EPOCH):
$ reprotest 'i686-w64-mingw32-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -Dmain=SDL_main -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
0b2d99dc51e2ad68ad040d90405ed953a006c6e58599beb304f0c2164c7b83a2 hello

# Let's remove -Dmain=SDL_main and let our main() have precedence over the one in -lSDL2main:
$ reprotest 'i686-w64-mingw32.static-gcc hello.c -I /opt/mxe/usr/i686-w64-mingw32.static/include -I/opt/mxe/usr/i686-w64-mingw32.static/include/SDL2 -L/opt/mxe/usr/i686-w64-mingw32.static/lib -lmingw32 -lSDL2main -lSDL2 -lSDL2main -Wl,--no-insert-timestamp -luser32 -lgdi32 -lwinmm -limm32 -lole32 -loleaut32 -lshell32 -lversion -o hello && chmod 700 hello' 'hello'
=======================
Reproduction successful
=======================
No differences in hello
6c05f75eec1904d58be222cc83055d078b4c3be8b7f185c7d3a08b9a83a2ef8d hello

$ LANG=C i686-w64-mingw32.static-ld --version # MXE
GNU ld (GNU Binutils) 2.25.1
Copyright (C) 2014 Free Software Foundation, Inc.
$ LANG=C i686-w64-mingw32-ld --version # Debian
GNU ld (GNU Binutils) 2.27.90.20161231
Copyright (C) 2016 Free Software Foundation, Inc.

It looks like there is a random behavior in binutils 2.25, coupled with SDL2's wrapping of my main().

So FreeDink is nearly reproducible, except for this build timestamp issue that pops up in all kinds of situations. In the worst case I can zero it out, or patch MXE's binutils until they upgrade.
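
The two rows that differ in the freedink.exe hexdump above are the PE header's TimeDateStamp (file offset 0x88) and CheckSum (0xd8) fields. As an added example (not code from the original post), the Python below locates both fields and compares two images modulo them; the sample images are constructed here from the header bytes visible in that diff, and every function name is an assumption of this example.

```python
import struct

def volatile_fields(image):
    """Return {name: (file_offset, value)} for TimeDateStamp and CheckSum."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4              # COFF file header, 20 bytes
    opt = coff + 20                  # optional header follows it
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    ts_off = coff + 4                # after Machine and NumberOfSections
    ck_off = opt + 64                # same offset in PE32 and PE32+
    return {
        "TimeDateStamp": (ts_off, struct.unpack_from("<I", image, ts_off)[0]),
        "CheckSum": (ck_off, struct.unpack_from("<I", image, ck_off)[0]),
    }

def masked(image):
    """Copy of the image with both fields zeroed, for comparison only."""
    out = bytearray(image)
    for offset, _value in volatile_fields(image).values():
        out[offset:offset + 4] = b"\0\0\0\0"
    return bytes(out)

def compare(a, b):
    """Classify two builds: identical, timestamp-only, or different."""
    if a == b:
        return "identical"
    # CheckSum is computed over the file contents, so it changes whenever
    # TimeDateStamp does; both have to be masked together.
    if masked(a) == masked(b):
        return "timestamp-only"
    return "different"

def sample_image(timestamp, checksum):
    """Constructed 512-byte image carrying only the header fields parsed above."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", img, 0x84, 0x014C, 10, timestamp)  # i386, 10 sections
    struct.pack_into("<H", img, 0x98, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, 0xD8, checksum)
    return bytes(img)

# Values taken from the "-" and "+" rows of the diff (little-endian on disk).
CONTROL = sample_image(0x350734E5, 0x004E6276)
EXPERIMENT = sample_image(0x00000000, 0x004EF889)

if __name__ == "__main__":
    for name, (offset, value) in volatile_fields(CONTROL).items():
        print(f"{name}: offset {offset:#x}, value {value:#010x}")
    print(compare(CONTROL, EXPERIMENT))
```

Only these two header fields are masked; any other difference between the two files still counts as a real difference.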

More importantly, what if I recompile FreeDink and the dependencies twice?

$ (cd /opt/mxe/ && make clean && make sdl2 sdl2_gfx sdl2_image sdl2_mixer sdl2_ttf glm libzip gettext nsis)
$ (mkdir cross-woe-32/ && cd cross-woe-32/ \
  && export PATH=/opt/mxe/usr/bin:$PATH \
  && LDFLAGS="-Wl,--no-insert-timestamp" ../configure --host=i686-w64-mingw32.static --enable-static \
  && make V=1 -j$(nproc) \
  && make install-strip DESTDIR=$(pwd)/destdir)
$ mv cross-woe-32/ cross-woe-32-1/
# Same again...
$ mv cross-woe-32/ cross-woe-32-2/
$ diff -ru cross-woe-32-1/destdir/ cross-woe-32-2/destdir/
[nothing]

Yay!
I could not reproduce the build timestamp issue in the stripped binaries, though it was still varying in the unstripped src/freedinkedit.exe.

I mentioned there were other changes noticed by diffoscope.

  • Changes in file timestamps.

That one is interesting.
Could be ignored, but we want to generate an identical binary package/archive too, right?
That's where archive meta-data matters.
make INSTALL="$(which install) install -p" could help for static files, but not generated ones.
The doc suggests clamping all files to SOURCE_DATE_EPOCH - i.e. all generated files will have their date set at that timestamp:

$ export SOURCE_DATE_EPOCH=$(date +%s) \
  && reprotest --dont-vary build_path \
  'make ... && find destdir/ -newermt "@${SOURCE_DATE_EPOCH}" -print0 | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"' 'cross-woe-32/destdir/'

  • Changes in directory permissions

Caused by varying umask.
I attempted to mitigate the issue by playing with make install MKDIR_P="mkdir -p -m 755" (1).
However even mkdir -p -m ... does not set permissions for intermediate directories.
Maybe it's better to set and record the umask...

So, aside from minor issues such as BuildIDs and build timestamps, the toolchain is pretty stable as of now.
The issue is more about fixing and recording the build environment.
Which is probably the next challenge.
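
The file-timestamp and directory-permission differences discussed above can also be neutralised when the archive is written rather than in the install tree. The following Python is an added example, not part of the original post: it packs a tree with sorted entries, mtimes clamped to SOURCE_DATE_EPOCH, fixed ownership and fixed modes, and compares that with a plain archive of the same tree. The function names, the sample tree and the epoch value are all constructed for this example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def pack(root, source_date_epoch, normalize=True):
    """Return the bytes of an uncompressed tar of `root`."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            entries.append((os.path.relpath(path, root), path))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for arcname, path in sorted(entries):    # do not depend on readdir order
            ti = tar.gettarinfo(path, arcname=arcname)
            if normalize:
                # Clamp, as the find/touch command does: older files keep their date.
                ti.mtime = min(int(ti.mtime), source_date_epoch)
                ti.uid = ti.gid = 0
                ti.uname = ti.gname = ""
                # Fixed modes, so the builder's umask cannot leak into the archive.
                ti.mode = 0o755 if ti.isdir() or ti.mode & 0o100 else 0o644
            if ti.isreg():
                with open(path, "rb") as fh:
                    tar.addfile(ti, fh)
            else:
                tar.addfile(ti)
    return buf.getvalue()

def demo():
    """Build the same content twice with different metadata; return digests."""
    epoch = 1490000000                           # constructed SOURCE_DATE_EPOCH
    files = ["bin/freedink.exe", "share/README.txt"]
    runs = (("control", 0o755, 1490000100, files),
            ("experiment", 0o775, 1490000200, files[::-1]))
    digests = {}
    with tempfile.TemporaryDirectory() as tmp:
        for tag, dir_mode, mtime, order in runs:
            root = os.path.join(tmp, tag)
            for rel in order:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(b"constructed sample: " + rel.encode())
            for dirpath, _dirs, names in os.walk(root):
                os.chmod(dirpath, dir_mode)      # stands in for a different umask
                os.utime(dirpath, (mtime, mtime))
                for name in names:
                    os.utime(os.path.join(dirpath, name), (mtime, mtime))
            digests[tag] = (
                hashlib.sha256(pack(root, epoch)).hexdigest(),
                hashlib.sha256(pack(root, epoch, normalize=False)).hexdigest(),
            )
    return digests

if __name__ == "__main__":
    for tag, (normalized, plain) in demo().items():
        print(tag, "normalized", normalized[:16], "plain", plain[:16])
```

The archive is left uncompressed so that the comparison covers only the tar metadata.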


FSF Blogs: LibrePlanet Day 2, DRM, contributing, and advice

GNU Planet! - Tue, 2017-03-28 14:13

Doctorow presented "Beyond unfree: The software you can go to jail for talking about." Related to his current anti-Digital Restrictions Management (DRM) work, he addressed the wide range of risks threatened by copyright, trademark, and patent laws, as well as the use and institutionalization of DRM. But he did not just paint a bleak image, instead reminding the audience that the fight against DRM and similar restrictions is ongoing. "My software freedom," Doctorow said, "is intersectional."

The day also saw LibrePlanet's first birds of a feather (BoF) sessions. BoFs are self-organized sessions that gather people around a shared interest. Sessions this year included:

  • Liberating the education system
  • Free and open source geospatial technology
  • Peer-to-peer crypto-social networking
  • Collective action for political change
  • A look at Snowdrift.coop
  • and a cryptoparty

Over the course of the weekend, there were two raffle drawings and door prizes courtesy of free software/open hardware companies including Aleph Objects, Technoethical, and ThinkPenguin, as well as DRM-free publisher No Starch Press and local brewery Aeronaut.

The conference closed with Sumana Harihareswara's discussion of things she wishes she had known in 1998, when she first got involved in free software. Drawing inspiration from the work of the theater company the Neo-Futurists, she invited the audience to help her choose from a list of 35 topics by calling out by number the item they wanted to hear about next--until a timer set for 35 minutes ran out. Her topics ranged from technical to personal to the importance of welcoming communities, and she closed by discussing the value of harm reduction in free software. Video of her talk is available now.

Nearly 400 people participated in LibrePlanet 2017, which was powered by 41 amazing volunteers, who did everything from hanging signs, stacking chairs, and sweeping floors to introducing speakers, fielding questions, and running the video streaming system.

Between Saturday and Sunday, there were more than fifty speakers, and almost as many sessions. Some videos of this year's talks are available now and the rest will be added in the next few days.


FSF News: SecureDrop and Alexandre Oliva are 2016 Free Software Awards winners

GNU Planet! - Sat, 2017-03-25 19:15

The Award for Projects of Social Benefit is presented to a project or team responsible for applying free software, or the ideas of the free software movement, to intentionally and significantly benefit society. This award stresses the use of free software in service to humanity.

This year, SecureDrop received the award, which was accepted by Conor Schaefer, Senior DevOps engineer for Freedom of the Press Foundation.

SecureDrop is an anonymous whistleblowing platform used by major news organizations and maintained by Freedom of the Press Foundation. Originally written by the late Aaron Swartz with assistance from Kevin Poulsen and James Dolan, the free software platform was designed to facilitate private and anonymous conversations and secure document transfer between journalists and sensitive sources. It has been used in newsrooms across the world, including the Intercept, Associated Press, the Washington Post, the Guardian, ProPublica, and the New Yorker.

In his speech, Stallman emphasized the importance of whistleblowers in the maintenance of a free society. "[SecureDrop] provides a necessary channel for whistleblowers to communicate through."

"At Freedom of the Press Foundation, we believe strongly that an obstinate and cantankerous press is fundamental to keeping populations informed and empowered," Schaefer said when accepting the award. "Secure and anonymous communication is more important today than ever before, and is vital for protecting high-risk individuals such as investigative journalists and their confidential sources.

"SecureDrop is one way we try to tackle that problem, by defending the right of the press to inform the public. The project is the result of hard work by security engineers and contributors in the free software community. Under the hood, it's a medley of free software tools, and could not exist without the vibrant free software movement to depend on.

"On behalf of Freedom of the Press Foundation, thank you, to everyone in the free software community, to those brave enough to fight to inform the public, and to the Free Software Foundation in particular. It's a privilege to work with you all. Keep fighting the good fight, we're right there with you."

The Award for the Advancement of Free Software goes to an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software.

This year, it was presented to Alexandre Oliva. An advocate of free software and the GNU Project, Oliva's impact has been felt far beyond his home in Brazil, from giving talks about free software to his role as maintainer of linux-libre, the fully free version of the kernel Linux. A leader in the robust Latin American free software community, he started a project to reverse engineer the proprietary software used by Brazilian citizens to submit their taxes to the government, giving people there the opportunity to complete this interaction almost entirely with free software, and offering inspiration (and free code) for those wanting to tackle this common issue elsewhere.

Stallman said that he is "especially impressed with [Oliva's] project Softwares Impostos. His project provides a free replacement for proprietary software required by the [Brazilian] government to submit taxes." Stallman praised the efficacy of Oliva's work and the dedication it showed to creating and maintaining software that has significant impact while respecting user freedoms. "In many years, he had his updates ready before the official software came out."

"I first met Richard 21 years ago," Oliva said. "That defined the rest of my life. I've shared his message—our message—since then and now I think I know that I've been doing it right."

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software—particularly the GNU operating system and its GNU/Linux variants—and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at and , are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

Media Contacts

John Sullivan
Executive Director
Free Software Foundation
+1 (617) 542 5942
campaigns@fsf.org


health @ Savannah: GNU Health 3.0.8 patchset released

GNU Planet! - Sat, 2017-03-25 16:36

Dear community

GNU Health 3.0.8 patchset has been released!

Priority: High

Table of Contents
  • About GNU Health Patchsets
  • Updating your system with the GNU Health control Center
  • Installation notes
  • List of issues related to this patchset

About GNU Health Patchsets

We provide "patchsets" to stable releases. Patchsets allow applying bug fixes and updates on production systems. Always try to keep your production system up-to-date with the latest patches.

Patches and Patchsets maximize uptime for production systems, and keep your system updated, without the need to do a whole installation.

For more information about GNU Health patches and patchsets you can visit https://en.wikibooks.org/wiki/GNU_Health/Patches_and_Patchsets

NOTE: Patchsets are applied on previously installed systems only. For new, fresh installations, download and install the whole tarball (ie, gnuhealth-3.0.8.tar.gz)

Updating your system with the GNU Health control Center

Starting GNU Health 3.x series, you can do automatic updates on the GNU Health and Tryton kernel and modules using the GNU Health control center program.

Please refer to the administration manual section ( https://en.wikibooks.org/wiki/GNU_Health/Control_Center )

The GNU Health control center works on standard installations (those done following the installation manual on wikibooks). Don't use it if you use an alternative method or if your distribution does not follow the GNU Health packaging guidelines.

Summary of this patchset
  • Fix missing view declaration on module health_disability in pypi based installers (eg, SuSE, Debian). This issue does not affect installations that used the vanilla installation method (gnuhealth-setup install)

Refer to the List of issues related to this patchset for a comprehensive list of fixed bugs.

Installation Notes

You must apply previous patchsets before installing this patchset. If your patchset level is 3.0.7, then just follow the general instructions. You can find the patchsets at GNU Health FTP site (ftp://ftp.gnu.org/gnu/health/)

Follow the general instructions at

List of issues and tasks related to this patchset
  • bug #50635: Missing declaration of view directory on setup.py on health_disability module

For detailed information about each issue, you can visit https://savannah.gnu.org/bugs/?group=health
For detailed information about each task, you can visit https://savannah.gnu.org/task/?group=health


Sylvain Beucler: Practical basics of reproducible builds

GNU Planet! - Fri, 2017-03-24 04:40

As GNU FreeDink upstream, I'd very much like to offer pre-built binaries: one (1) official, tested, current, distro-agnostic version of the game with its dependencies.
I'm actually already doing that for the Windows version.
One issue though: people have to trust me -- and my computer's integrity.
Reproducible builds could address that.
My release process is tightly controlled, but is my project reproducible? If not, what do I need? Let's check!

I quickly see that documentation is getting better, namely https://reproducible-builds.org/ :)
(The first docs I read on reproducibility looked more like a crazed date-o-phobic rant than actual solution - plus now we have SOURCE_DATE_EPOCH implemented in gcc ;))

However I was left unsatisfied by the very high-level viewpoint and the lack of concrete examples.
The document points to various issues but is very vague about what tools are impacted.

So let's do some tests!

Let's start with a trivial program:

$ cat > hello.c
#include <stdio.h>

int main(void) {
    printf("Hello, world!\n");
}

OK, first does GCC compile this reproducibly?
I'm not sure because I heard of randomness in identifiers and such in the compilation process...

$ gcc-5 hello.c -o hello-5
$ md5sum hello-5
a00416d7392442321bad4afc5a461321 hello-5
$ gcc-5 hello.c -o hello-5
$ md5sum hello-5
a00416d7392442321bad4afc5a461321 hello-5

Cool, ELF compiler output is stable through time!
Now do 2 versions of GCC compile a hello world identically?

$ gcc-6 hello.c -o hello-6
$ md5sum hello-6
f7f52c2f5f82fe2a95061a771a6c5acd hello-6
$ hexcompare hello-5 hello-6
[lots of red]
...

Well let's not get our hopes too high ;)
Trivial build options change?

$ gcc-6 hello.c -lc -o hello-6
$ gcc-6 -lc hello.c -o hello-6b
$ md5sum hello-6 hello-6b
f7f52c2f5f82fe2a95061a771a6c5acd hello-6
f73ee6d8c3789fd8f899f5762025420e hello-6b
$ hexcompare hello-6 hello-6b
[lots of red]
...

OK, let's be very careful with build options then. What about 2 different build paths?

$ cd ..
$ cp -a repro/ repro2/
$ cd repro2/
$ gcc-6 hello.c -o hello-6
$ md5sum hello-6
f7f52c2f5f82fe2a95061a771a6c5acd hello-6

Basic compilation is stable across directories.
Now I tried recompiling identically FreeDink on 2 different git clones.
Disappointment:

$ md5sum freedink/native/src/freedink freedink2/native/src/freedink
839ccd9180c72343e23e5d9e2e65e237 freedink/native/src/freedink
6d5dc6aab321fab01b424ac44c568dcf freedink2/native/src/freedink
$ hexcompare freedink2/native/src/freedink freedink/native/src/freedink
[lots of red]

Hmm, what about stripped versions?

$ strip freedink/native/src/freedink freedink2/native/src/freedink
$ md5sum freedink/native/src/freedink freedink2/native/src/freedink
415e96bb54456f3f2a759f404f18c711 freedink/native/src/freedink
e0702d798807c83d21f728106c9261ad freedink2/native/src/freedink
$ hexcompare freedink/native/src/freedink freedink2/native/src/freedink
[1 single red spot]

OK, what's happening? diffoscope to the rescue:

$ diffoscope freedink/native/src/freedink freedink2/native/src/freedink
--- freedink/native/src/freedink
+++ freedink2/native/src/freedink
├── readelf --wide --notes {}
│ @@ -3,8 +3,8 @@
│  Owner Data size Description
│  GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
│  OS: Linux, ABI: 2.6.32
│
│  Displaying notes found in: .note.gnu.build-id
│  Owner Data size Description
│  GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
│ - Build ID: a689574d69072bb64b28ffb82547e126284713fa
│ + Build ID: d7be191a61e84648a58c18e9c108b3f3ce500302

What on earth is Build ID and how is it computed?
After much digging, I find it's a 2008 plan with application in selecting matching detached debugging symbols.
https://fedoraproject.org/wiki/RolandMcGrath/BuildID is the most detailed overview/rationale I found.
It is supposed to be computed from parts of the binary. It's actually pretty resistant to changes, e.g. I could add the missing "return 0;" in my hello source and get the exact same Build ID!
On the other hand my FreeDink binaries do match except for the Build ID so there must be a catch.

Let's try our basic example with default ./configure CFLAGS:

$ (cd repro/ && gcc -g -O2 hello.c -o hello)
$ (cd repro/ && gcc -g -O2 hello.c -o hello-b)
$ md5sum repro/hello repro/hello-b
6b2cd79947d7c5ed2e505ddfce167116 repro/hello
6b2cd79947d7c5ed2e505ddfce167116 repro/hello-b
# => OK for now

$ (cd repro2/ && gcc -g -O2 hello.c -o hello)
$ md5sum repro2/hello
20b4d09d94de5840400be05bc76e4172 repro2/hello
$ strip repro/hello repro2/hello
$ diffoscope repro/hello repro2/hello
--- repro/hello
+++ repro2/hello2
├── readelf --wide --notes {}
│ @@ -3,8 +3,8 @@
│  Owner Data size Description
│  GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
│  OS: Linux, ABI: 2.6.32
│
│  Displaying notes found in: .note.gnu.build-id
│  Owner Data size Description
│  GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
│ - Build ID: 462a3c613537bb57f20bd3ccbe6b7f6d2bdc72ba
│ + Build ID: b4b448cf93e7b541ad995075d2b688ef296bd88b
# => issue reproduced with -g -O2 and different build directories

$ (cd repro/ && gcc -O2 hello.c -o hello)
$ (cd repro2/ && gcc -O2 hello.c -o hello)
$ md5sum repro/hello repro2/hello
1571d45eb5807f7a074210be17caa87b repro/hello
1571d45eb5807f7a074210be17caa87b repro2/hello
# => culprit is not -O2, so culprit is -g

Bummer. So the build ID must be computed also from the debug symbols, even if I strip them afterwards :(
OK, so when https://reproducible-builds.org/docs/build-path/ says "Some tools will record the path of the source files in their output", that means the compiler, and more importantly the stripped executable.

Conclusion: apparently to achieve reproducible builds I need identical full build paths and to keep track of them.

What about Windows/MinGW btw?

    $ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc hello.c -o hello.exe
    $ md5sum hello.exe
    e0fa685f6866029b8e03f9f2837dc263 hello.exe
    $ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc hello.c -o hello.exe
    $ md5sum hello.exe
    df7566c0ac93ea4a0b53f4af83d7fbc9 hello.exe
    $ /opt/mxe/usr/bin/i686-w64-mingw32.static-gcc hello.c -o hello.exe
    $ md5sum hello.exe
    bbf4ab22cbe2df1ddc21d6203e506eb5 hello.exe

PE compiler output is not stable through time.
(any clue?)

OK, there's still a long road ahead of us...

There are lots of other questions.
Is autoconf output reproducible?
Does it actually matter if autoconf is reproducible if upstream is providing a pre-generated ./configure?
If not what about all the documentation on making tarballs reproducible, along with the strip-nondeterminism tool?
Where do we draw the line between build and build environment?
What are the legal issues of distributing a docker-based build environment without every single matching distro source packages?

That was my modest contribution to practical reproducible builds documentation for developers, I'd very much like to hear about more of it.
Who knows, maybe in the near future we'll get reproducible official builds for Eclipse, ZAP, JetBrains, Krita, Android SDK/NDK...

Categories: FLOSS Project Planets
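
The NT_GNU_BUILD_ID note that readelf prints in the FreeDink post above can also be read straight from the file, which lets a script confirm that two builds differ in nothing but the Build ID. This is an added example, not part of the original post: it handles ELF64 little-endian only, the function names and the constructed sample binary are assumptions, and the two Build IDs are the ones from the post's hello example.

```python
import struct

PT_NOTE = 4              # program header type of a note segment
NT_GNU_ABI_TAG = 1
NT_GNU_BUILD_ID = 3

def iter_notes(seg):
    """Yield (owner, type, desc_offset, desc_size); name and desc are 4-byte padded."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        off += 12
        owner = seg[off:off + namesz].rstrip(b"\0")
        desc_off = off + ((namesz + 3) & ~3)
        if desc_off + descsz > len(seg):
            raise ValueError("truncated note")
        yield owner, ntype, desc_off, descsz
        off = desc_off + ((descsz + 3) & ~3)

def find_build_id(elf):
    """Return the file range (a slice) holding the Build ID bytes, or None."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, ph)
        if p_type != PT_NOTE:
            continue
        (p_offset,) = struct.unpack_from("<Q", elf, ph + 8)
        (p_filesz,) = struct.unpack_from("<Q", elf, ph + 32)
        seg = elf[p_offset:p_offset + p_filesz]
        for owner, ntype, desc_off, descsz in iter_notes(seg):
            if owner == b"GNU" and ntype == NT_GNU_BUILD_ID:
                start = p_offset + desc_off
                return slice(start, start + descsz)
    return None

def build_id(elf):
    """Build ID as a hex string, as readelf --notes prints it, or None."""
    loc = find_build_id(elf)
    return elf[loc].hex() if loc else None

def differs_only_in_build_id(a, b):
    """True when two images are byte-identical apart from the Build ID bytes."""
    la, lb = find_build_id(a), find_build_id(b)
    if la is None or la != lb or len(a) != len(b) or a == b:
        return False
    return a[:la.start] == b[:la.start] and a[la.stop:] == b[la.stop:]

def _note(owner, ntype, desc):
    pad = lambda data: data + b"\0" * (-len(data) % 4)
    name = owner + b"\0"
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)

def make_sample_elf(build_id_hex):
    """Constructed sample: ELF header, one PT_NOTE header and two GNU notes."""
    notes = (_note(b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 2, 6, 32))
             + _note(b"GNU", NT_GNU_BUILD_ID, bytes.fromhex(build_id_hex)))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 64 + 56, 0, 0,
                       len(notes), len(notes), 4)
    return ehdr + phdr + notes

if __name__ == "__main__":
    a = make_sample_elf("462a3c613537bb57f20bd3ccbe6b7f6d2bdc72ba")
    b = make_sample_elf("b4b448cf93e7b541ad995075d2b688ef296bd88b")
    print(build_id(a), build_id(b), differs_only_in_build_id(a, b))
```

On real binaries, pass the contents of the two stripped executables (read in binary mode) to differs_only_in_build_id.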

denemo @ Savannah: Version 2.1 is released

GNU Planet! - Thu, 2017-03-23 12:50

GTK Upgrade

UI manager dropped

All deprecations to version 3.22 fixed

New Features

Gregorian Chant Support

Easier Mirrored Dynamics

Lyrics verses can be mirrored to other staffs

Easy selection of staffs to typeset

Improved Playback Controls

Less Cluttered Dynamics Line

Cross Voice Arpeggios

Baritone Clef support

Invoke Command Center on commands from Object Editor

Tear-off Menus

Now tear off as palettes

Keep them around, dock them, edit the tooltips…

Clearer Display

Object Position indicators only where needed

Bug Fixes

Setting playback start via button is now reliable

Playback View sometimes playing from wrong point fixed

Instability on Undo after delete of staff with lyrics

Ledger lines in display for staffs of less than 5 lines fixed

Fix display of Drum Clef

Fix positioning of graphics in display for windows

Fix Playback View for certain locales

Improved Lyrics display

Fix Lyric alignment syntax

Fix for wrong note names after octave up/down

Categories: FLOSS Project Planets

FSF Blogs: Meet the LibrePlanet 2017 Speakers: Christian Fernandez

GNU Planet! - Thu, 2017-03-23 12:07

His session, Pentesting loves free software, takes place on Saturday, March 25th in session block 5A (15:40 - 16:25).

Could you tell us a bit about yourself?

I moved to the US in 1997. Since then I have been traveling around and moving to different cities. I've been into social justice movements in the past. I started into hacking in the late 80s with BBS’ FidoNet, exploring and trying to sniff out all the information I could.

At the same time I got into hacking, I got into free software after that. Most people I knew online were also involved in both since they go hand in hand.

How did you first get interested in penetration testing with free software?

I've seen a lot of newcomers to the security field from academia. As with any other tech field, they learn commercial, proprietary, non-free tools.

I like to point out and show people that you can get the job done even better using free tools. I'm very passionate about this as a free software activist.

Have you been to LibrePlanet before?

Yes, I am a longtime Free Software Foundation member and have been to a number of LibrePlanets.

How can we follow you on social media?

I have A LOT of handles...some nobody knows. :) I use @rek2fernandez on Twitter. B1naryFreed0m is the one I use for politics.

What is a skill or talent you have that you wish more people knew about?

In order to make things better first you have to break them apart and study them. Learning is not about reading a book and going to school, it is about passion and practice, and a lot of frustration sometimes. :D

Categories: FLOSS Project Planets

FSF Blogs: Meet the LibrePlanet 2017 Speakers: Denver Gingerich

GNU Planet! - Wed, 2017-03-22 15:55

Would you tell us a bit about yourself?

I was born and raised in British Columbia, Canada, and although I currently live in the New York City area, I am undeniably a West Coast boy at heart. I was always an extremely quiet and shy kid, but had no problem making friends with computers. So naturally, my high school socializing involved a lot of LAN parties, which is where I discovered that installing Apache on GNU/Linux was MUCH easier than on Windows. That was where my interest in free software really began, and it has been a big part of my life ever since. When I'm not sitting at a computer, I love traveling, and generally being outdoors as much as possible—hiking and skiing are favourite pastimes, as well as exploring new places I have never been before. I am also a transit enthusiast; I love learning about the history of subway systems, transit networks and infrastructure, and trains of all kinds. I generally find it fascinating to learn about how things work, and how things came to be the way they are, and because of that, I often fall down Wikipedia rabbit holes. I will also eat just about anything, and never turn down a free conference T-shirt, no matter how hideous the colour.

How did you first become interested in having your cell phone be fully free?

I first got a cell phone number in mid-2009, but I didn't have a cell phone—the number was hosted by Google Voice. I was mostly able to use the number with free software (using email for SMS and SIP for calls) so I didn't think a lot about the freedom implications of cell phones then.

I purchased a Nokia N900 and used it when I wasn't near a computer. It still ran a lot of non-free software. Later I learned that the most significant piece of this non-free software was the baseband firmware.

A few years ago I started my transition away from all Google services. I wanted my computer to remain my primary device for SMS and calls, so I needed a Google Voice replacement. I tried to find an equivalent service, but could not find one. So I decided to write my own.

That led to the first version of Soprani.ca, which I use to this day. I've recently created a newer version of the software, called JMP, which is easier to use for the average person. Both allow a person to use phone features like SMS and calling without a cell phone (and thus without baseband firmware). And both are free software, licensed under the GNU Affero General Public License, version 3 or later.

I'm still interested in this topic because people still use phone numbers and cell phones, even though they have certain "reprehensible" features, as RMS puts it. I hope by showing people ways to communicate with cell phone users that do not require a baseband firmware that we can take back control of our communication from the cellular companies and proprietary firmware makers.

Is this your first LibrePlanet?

No, this will actually be my fifth LibrePlanet in a row! I'm looking forward to chatting with all the wonderful people that I know I'll find there, and hearing some great ideas for how we can advance the free software movement.

In particular, it is becoming increasingly difficult to buy a computer that will function with only free software. I've met people at past LibrePlanet conferences who are building their own hardware so they can continue to run exclusively free software (such as the EOMA68 CPU card). These efforts are critically important, since existing computer manufacturers will no longer create the hardware we need. I hope to learn more about these efforts and ways I can contribute to them so that we'll still be able to run free software even after the last ThinkPad without a Management Engine stops working.

How can we follow you on social media?

I'm @ossguy on many social media sites, including Pump.io and Twitter.

What is a skill or talent you have that you wish more people knew about?

My wife says that if stubbornness and perfectionism could be counted as Olympic sports, I would win all the gold medals... She is smarter and much better looking than me, so she is probably right.

Want to hear Denver and the other amazing speakers? Join us March 25-26th for LibrePlanet 2017!

Edited for content and grammar.

Categories: FLOSS Project Planets

parallel @ Savannah: GNU Parallel 20170322 ('TRAPPIST-1') released

GNU Planet! - Tue, 2017-03-21 18:36

GNU Parallel 20170322 ('TRAPPIST-1') has been released. It is available for download at: http://ftpmirror.gnu.org/parallel/

Haiku of the month:

--rpl
used to be a static string
Now it can take args
--ole-tange

New in this release:

  • --rpl can now take arguments by adding '(regexp)' in the replacement string.
  • Bug fixes and man page updates.

GNU Parallel - For people who live life in the parallel lane.

About GNU Parallel

GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

You can find more about GNU Parallel at: http://www.gnu.org/s/parallel/

You can install GNU Parallel in just 10 seconds with: (wget -O - pi.dk/3 || curl pi.dk/3/) | bash

Watch the intro video on http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your commandline will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2011): GNU Parallel - The Command-Line Power Tool, ;login: The USENIX Magazine, February 2011:42-47.

If you like GNU Parallel:

  • Give a demo at your local user group/team/colleagues
  • Post the intro videos on Reddit/Diaspora*/forums/blogs/Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
  • Get the merchandise https://www.gnu.org/s/parallel/merchandise.html
  • Request or write a review for your favourite blog or magazine
  • Request or build a package for your favourite distribution (if it is not already there)
  • Invite me for your next conference

If you use programs that use GNU Parallel for research:

  • Please cite GNU Parallel in your publications (use --citation)

If GNU Parallel saves you money:

About GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:

O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.

About GNU Niceload

GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.

Categories: FLOSS Project Planets

FSF News: LibrePlanet free software conference returns to MIT this weekend, March 25-26

GNU Planet! - Tue, 2017-03-21 15:45

LibrePlanet is an annual conference for people who care about their digital freedoms, bringing together software developers, policy experts, activists, and computer users to learn skills, share accomplishments, and tackle challenges facing the free software movement. LibrePlanet 2017 will feature sessions for all ages and experience levels.

In accordance with the theme "The Roots of Freedom," the conference's sessions will examine the roots of the free software movement, including the Four Freedoms, the GNU General Public License and copyleft, and the community's focus on security and privacy protections. Other sessions will explore new ideas and current work that has arisen from those roots, reaching into activism, the arts, business, and education.

Keynote speakers include Kade Crockford, Director of the Technology for Liberty Program at the American Civil Liberties Union of Massachusetts, special consultant to the Electronic Frontier Foundation and author Cory Doctorow, Changeset Consulting founder Sumana Harihareswara, and Free Software Foundation founder and president Richard Stallman.

This year's LibrePlanet conference will feature over 50 sessions, such as The secret life of the bitcoin blockchain, SecureDrop: Leaking safely to modern news organizations, and Accessibility, free software and the rights of people with disabilities, as well as workshops covering digital security for beginners, an introduction to the Ansible tool for system administrators, and an in-depth look at how to create reproducible software packages.

"The LibrePlanet conference has expanded over the years, from a relatively small meeting of Free Software Foundation members to a two-day conference with social gatherings, the contributions of dozens of speakers and volunteers, and hundreds of people exploring free software," said Georgia Young, program manager at the Free Software Foundation. "This year, people have the opportunity to do lots of hands-on learning, self-organize conversations about free software topics they're interested in, and even give an impromptu lightning talk. Whether grappling with worldwide concerns or using free software tools for the first time, there are lots of different ways to explore the roots of software freedom here."

Due to high demand, advance registration is closed, but attendees may register in person at the event. For those who cannot attend, this year's sessions will be streamed at https://libreplanet.org/2017/live/ and recordings will be available after the event at https://media.libreplanet.org/.

About LibrePlanet

LibrePlanet is the annual conference of the Free Software Foundation, and is co-produced by MIT's Student Information Processing Board. What was once a small gathering of FSF members has grown into a larger event for anyone with an interest in the values of software freedom. LibrePlanet is always gratis for associate members of the FSF and students. Sign up for announcements about the LibrePlanet conference.

LibrePlanet 2016 was held at MIT from March 19-20, 2016. About 400 attendees from all over the world came together for conversations, demonstrations, and keynotes centered around the theme of "Fork the System." You can watch videos from past conferences at https://media.libreplanet.org, including the opening keynote, a conversation with NSA whistleblower Edward Snowden.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software -- particularly the GNU operating system and its GNU/Linux variants -- and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

Media Contact

Georgia Young
Program Manager
Free Software Foundation
+1 (617) 542 5942
campaigns@fsf.org

Categories: FLOSS Project Planets

FSF Events: Richard Stallman - "Ethical Principles for Service-Oriented Computing" (Potsdam, Germany)

GNU Planet! - Tue, 2017-03-21 09:00

Richard Stallman will be speaking at the 12th annual symposium on Future Trends in Service-Oriented Computing (2017-04-26–28).

His speech will be in English, without any translation. It will be nontechnical, admission is gratis, and the public is encouraged to attend.

Location: Lecture Hall Building, Hasso Plattner Institute, University of Potsdam, Campus Griebnitzsee, Prof.-Dr.-Helmert-Straße 2-3, 14482 Potsdam, Germany (directions, campus map)

Registration for the conference is required; registration for Stallman's speech alone, which can be done anonymously, while not required, is appreciated, as it will help us ensure we can accommodate all the people who wish to attend.

Please fill out our contact form, so that we can contact you about future events in and around Potsdam.

Categories: FLOSS Project Planets

GNUtls: Improving the GnuTLS PRNG

GNU Planet! - Mon, 2017-03-20 20:00

Our blog post on improving the GnuTLS PRNG.

Categories: FLOSS Project Planets

FSF Blogs: Your guide to LibrePlanet 2017, wherever you are, March 25-26

GNU Planet! - Mon, 2017-03-20 17:14

If you are planning to attend LibrePlanet in Cambridge, we encourage you to register in advance through Tuesday morning at 10:00 EST (14:00 UTC) -- advance registration helps us plan a better event. Walk ups are also welcome. Students and FSF members receive gratis admission.

The LibrePlanet program offers something for everyone in the free software movement, from newcomers concerned about preserving their digital privacy to longtime free software developers.

Keynote speakers will include Kade Crockford, Director of the Technology for Liberty Program, ACLU of Massachusetts; Cory Doctorow, Special Advisor to the Electronic Frontier Foundation; Sumana Harihareswara, Founder of Changeset Consulting; and Free Software Foundation Founder Richard Stallman.

On Sunday, the FSF Licensing and Compliance team will host a special edition of the weekly Free Software Directory meetup in person at LibrePlanet. Whether you're attending at MIT or participating from afar, this is your opportunity to contribute to a valuable free software resource.

Each year, we livestream and record LibrePlanet proceedings in order to make the event accessible to all. This requires significant staff time and equipment purchases: please make a $25 donation at https://donate.fsf.org to support this effort.

Another way to participate if you can't make it to Cambridge is to join the conversation around the conference on the libreplanet-discuss mailing list. Subscribe now and start a conversation.

Finally, we'd like to express our excitement about working with the Massachusetts Institute of Technology's Student Information Processing Board, our organizing partner for LibrePlanet 2017.

We hope to see you at LibrePlanet 2017 this weekend, whether in Cambridge or on the Web.

Categories: FLOSS Project Planets

FSF Blogs: LibrePlanet Free Software Directory Sprint & IRC meetup: Sunday March 26th starting at 2 p.m. EDT/18:00 UTC

GNU Planet! - Mon, 2017-03-20 15:32

Participate in supporting the FSD by adding new entries and updating existing ones. We will be in room 26-142 at LibrePlanet and on IRC in the #fsf channel on irc.freenode.org.

Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the FSD contains a wealth of useful information, from basic category and descriptions, to providing detailed info about version control, IRC channels, documentation, and licensing info that has been carefully checked by FSF staff and trained volunteers.

While the FSD has been and continues to be a great resource to the world over the past decade, it has the potential of being a resource of even greater value. But it needs your help!

LibrePlanet is finally here, and that means we get to have an in-person Directory sprint. If you are attending LibrePlanet, please join us to help train new volunteers and help get them up and running on the Directory. Make sure to bring your laptop so you can edit and improve the Directory. Both Donald and Ted will be there to guide the session so please come by and join the fun in room 26-142. If you can't be there in person, then make sure to join us on IRC to help welcome all the new friends.

If you are eager to help and you can't wait or are simply unable to make it on Sunday, our participation guide will provide you with all the information you need to get started on helping the FSD today! There are also weekly FSD Meetings pages that everyone is welcome to contribute to before, during, and after each meeting.

Categories: FLOSS Project Planets

Andy Wingo: it's probably spam

GNU Planet! - Mon, 2017-03-06 10:16

Greetings, peoples. As you probably know, these words are served to you by Tekuti, a blog engine written in Scheme that uses Git as its database.

Part of the reason I wrote this blog software was that from the time when I was using Wordpress, I actually appreciated the comments that I would get. Sometimes nice folks visit this blog and comment with information that I find really interesting, and I thought it would be a shame if I had to disable those entirely.

But allowing users to add things to your site is tricky. There are all kinds of potential security vulnerabilities. I thought about the ones that were important to me, back in 2008 when I wrote Tekuti, and I thought I did a pretty OK job on preventing XSS and designing-out code execution possibilities. When it came to bogus comments though, things worked well enough for the time. Tekuti uses Git as a log-structured database, and so to delete a comment, you just revert the change that added the comment. I added a little security question ("what's your favorite number?"; any number worked) to prevent wordpress spammers from hitting me, and I was good to go.

Sadly, what was good enough in 2008 isn't good enough in 2017. In 2017 alone, some 2000 bogus comments made it through. So I took comments offline and painstakingly went through and separated the wheat from the chaff while pondering what to do next.

an aside

I really wondered why spammers bothered though. I mean, I added the rel="external nofollow" attribute on links, which should prevent search engines from granting relevancy to the spammer's links, so what gives? Could be that all the advice from the mid-2000s regarding nofollow is bogus. But it was definitely the case that while I was adding the attribute to commenter's home page links, I wasn't adding it to links in the comment. Doh! With this fixed, perhaps I will just have to deal with the spammers I have and not even more spammers in the future.

i digress

I started by simply changing my security question to require a number in a certain range. No dice; bogus comments still got through. I changed the range; could it be the numbers they were using were already in range? Again the bogosity continued undaunted.

So I decided to break down and write a bogus comment filter. Luckily, Git gives me a handy corpus of legit and bogus comments: all the comments that remain live are legit, and all that were ever added but are no longer live are bogus. I wrote a simple tokenizer across the comments, extracted feature counts, and fed that into a naive Bayesian classifier. I finally turned it on this morning; fingers crossed!

My trials at home show that if you train the classifier on half the data set (around 5300 bogus comments and 1900 legit comments) and then run it against the other half, I get about 6% false negatives and 1% false positives. The feature extractor interns sequences of 1, 2, and 3 tokens, and doesn't have a lower limit for number of features extracted -- a feature seen only once in bogus comments and never in legit comments is a fairly strong bogosity signal; as you have to make up the denominator in that case, I set it to indicate that such a feature is 99.9% bogus. A corresponding single feature in the legit set without appearance in the bogus set is 99% legit.

Of course with this strong of a bias towards precise features of the training set, if you run the classifier against its own training set, it produces no false positives and only 0.3% false negatives, some of which were simply reverted duplicate comments.

It wasn't straightforward to get these results out of a Bayesian classifier. The "smoothing" factor that you add to both numerator and denominator was tricky, as I mentioned above. Getting a useful tokenization was tricky. And the final trick was even trickier: limiting the significant-feature count when determining bogosity. I hate to cite Paul Graham but I have to do so here -- choosing the N most significant features in the document made the classification much less sensitive to the varying lengths of legit and bogus comments, and less sensitive to inclusions of verbatim texts from other comments.

We'll see I guess. If your comment gets caught by my filters, let me know -- over email or Twitter I guess, since you might not be able to comment! I hope to be able to keep comments open; I've learned a lot from yall over the years.

Categories: FLOSS Project Planets
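
The filter described in Andy Wingo's post above, sketched as an added Python example (Tekuti itself is written in Scheme; this is not its code). The 1-to-3-token features, the 99.9% and 99% bounds and the cut to the N most significant features come from the post; the tokenizer, the per-comment counting, the formula for features seen in both classes, the default N and the constructed sample comments are assumptions.

```python
import math
import re
from collections import Counter

def features(text):
    """Return the set of 1-, 2- and 3-token sequences in a comment."""
    toks = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(toks[i:i + n])
            for n in (1, 2, 3) for i in range(len(toks) - n + 1)}

class BogusFilter:
    def __init__(self, n_significant=15):
        self.n = n_significant
        self.counts = {True: Counter(), False: Counter()}   # bogus / legit
        self.docs = {True: 0, False: 0}

    def train(self, text, bogus):
        self.docs[bogus] += 1
        self.counts[bogus].update(features(text))   # one count per comment

    def feature_prob(self, feat):
        """P(bogus | feature), or None for a feature never seen in training."""
        b, l = self.counts[True][feat], self.counts[False][feat]
        if b == 0 and l == 0:
            return None
        if l == 0:
            return 0.999      # seen only in bogus comments: 99.9% bogus
        if b == 0:
            return 0.01       # seen only in legit comments: 99% legit
        rb, rl = b / self.docs[True], l / self.docs[False]
        return min(0.999, max(0.01, rb / (rb + rl)))

    def score(self, text):
        """Probability that a comment is bogus, from its N strongest features."""
        probs = [p for p in map(self.feature_prob, features(text)) if p is not None]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:self.n]
        z = sum(math.log(p) - math.log(1 - p) for p in top)   # log-odds
        if z >= 0:
            return 1 / (1 + math.exp(-z))
        return math.exp(z) / (1 + math.exp(z))

# Constructed training comments, standing in for the corpus the post gets from Git.
BOGUS = ["cheap watches buy now best price visit my site",
         "buy cheap pills online best price",
         "great post visit my site for cheap watches"]
LEGIT = ["great post, the guile compiler notes were helpful",
         "thanks for the post, I tried this with guile and it works",
         "interesting, how does the classifier handle short comments"]

def trained(n_significant):
    f = BogusFilter(n_significant)
    for text in BOGUS:
        f.train(text, True)
    for text in LEGIT:
        f.train(text, False)
    return f

# Constructed test comment: spam followed by text copied from a legit comment.
PADDED = "buy cheap watches online. the guile compiler notes were helpful"

if __name__ == "__main__":
    print("N=6:       ", trained(6).score(PADDED))
    print("unlimited: ", trained(10**6).score(PADDED))
```

With N limited to 6, the copied legit text does not dilute the six bogus-only features; with no limit, the fifteen legit-only features outvote them and the padded spam scores as legit.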