Posts on tag: source
Chaum's Unfug
David Chaum and co-authors Javani, Kate, Krasnova, de Ruiter and Sherman have published a new paper called "cMix: Anonymization by High-Performance Scalable Mixing" proposing a new cryptographic mix protocol called "cMix" which he plans to implement with "PrivaTegrity". The system aims to provide anonymity to users while also providing law enforcement the means to both identify users and decrypt their messages.
The relevant (prose) section of the paper reads:
Independent from cMix, PrivaTegrity addresses potential abuse of anonymity services by establishing a trust model that offers a balance of anonymity and accountability. On the one hand, PrivaTegrity aims to provide privacy at a technical level that is not penetrable by nation states. On the other hand, PrivaTegrity aims to provide integrity, both prior restraint and accountability after the fact, that is inescapably tied to individuals. Only if all of the mixing nodes cooperate, can the senders and receivers of messages be linked or identified.
PrivaTegrity implements a new approach to user identification requiring each user to provide a small but different type of identifying information to each mix node. Some nodes may require photos or answers to personal history questions; others may request mobile phone numbers or email addresses. A user reveals comparatively little to any single node, but collectively the nodes possess significant identifying information. Each node can obligate itself contractually to trace and aggregate identifying information only according to a published policy, resulting in accountability and effective identification of users who violate the policy.
I'd say this scheme is Unfug:
- If some third party is able to identify an "anonymous" user, then the user is not anonymous. It doesn't count how much effort a third party would have to put into this. If it IS possible, it's not anonymous. Calling it as such is just a lie.
- If some third party is able to decrypt a message, then the system is not secure. Whether you operate nodes in nine different countries, 190 different countries or even 1 million different planets - if it IS possible, then it's not secure.
- Also something like "accountability" might score high on government wishlists, it has nothing to do with "anonymous communication". This newspeak is only introduced to justify the scheme.
- The whole concept ignores the problems with multiple jurisdictions. Something may be worth a warrant in one country but not in another. So it will be next to impossible to reach a consensus among all admins in most cases. Of course governments will catch this and demand a simple solution: operate all nodes in friendly jurisdictions (say: only in "five eyes countries").
- And, last but not least: how can a user know which node runs in which country? What if all nodes are operated by a state company in Turkey? Or what if all nodes are running on the very same system?
So this scheme is nothing else than just another surveillance infrastructure, which is something no cryptographer shall ever propose.
Wired article. Hackernews Thread.
Re: The Perl Jam 2 [32c3] ... for the LoLz
Netaniel Rubin continues his crusade to eradicate Perl from the planet, on 32C3 this time. I will not respond to the technical details, as others are already doing so.
During his talk Netaniel complains about the Perl Community, which he assumes is being represented by the people on perlmonks.org, responding to his talk last year aggressively, personally and with trolling. Well, this comment will be personal as well and surely offending.
Let's be clear first: the problems pointed out by Netaniel during his second talk are indeed real in a sense. But they are not new, nor are they perl specific. At least they are well known for years (see the gist linked above for more details). The problem I'm seeing with this talk is the tone.
You see, there's criticism and there's rants. Netaniel's talk is a rant. And it's not justified. Obviously he REALLY hates perl. He makes fun of it, he shouts at it, he even insults it. However, we're talking about a fucking programming language, not a human being, or an organisation or the like. This boy stands on the stage and behaves like a five year old shouting at his non-functioning Lego construction: "You Moron!".
My impression of this talk (and thus Netaniel) is worse than the last one. It's funny if you don't have a clue but insults the intelligence of the initiated.
Dear Netaniel: "Stop using Perl!" is a childish, ridiculous and unrealistic demand. And your "arguments" aren't getting more valid the louder you shout them. Therefore, let me explain to you what the real world looks like:
There are lots of computers running these days (not counting PCs, notebooks, tablets or phones). The majority of them is not connected to the internet. These are headless servers running unattended most of the time (just to make sure you understand what I'm talking about since you're a Windows user: headless in this context means "no GUI", just a console). Such systems are operated by system administrators, labeled as "DevOps" these days.
Administrators are responsible for lots of systems, hundreds or even thousands of servers. Many of such servers are legacy systems running legacy operating systems and legacy software. Sometimes it's not possible to update them, sometimes it's not allowed, sometimes there's no developer for the particular software running on it left in the company. So they keep running. And running, and running, and running.
Administrators are a lazy species. If they ever watch themselves entering the same cascade of commands twice they put them into a shell alias. And if it grows so much that it doesn't fit into an alias, they put it into a shell function. Sometimes such a function grows and grows so much that it doesn't make any sense any more to maintain it as a shell function in .bashrc or something. So, the administrator puts the function into a script.
The script grows further and sometimes reaches a point where it is a pain in the ass to continue to develop it as a shell script. The administrator decides to go to the next level and rewrite the thing with something more powerful and flexible than a shell script. In essence he wants to convert the script from a beast into an elegant lady.
Now, Netaniel, remember what I told you earlier about legacy systems. You cannot install node.js on an AIX system of the past decade. You're not allowed to install Go on a mainframe. There's no modern ruby package for that ancient Sun machine. But there's Perl.
Let me repeat: but there's Perl!
Perl is part of the base installation of most operating systems of relevance (that is: not Windows, Netaniel, sorry) for decades. A well crafted perl script can be deployed over dozens of different platforms doing the same simple thing, stable, portable and maintainable. Sometimes Python can be used instead. If all servers have python. Sometimes even ruby might be used. But the more heterogeneous a network gets and the more legacy systems it contains the higher the probability that you will be stuck with Perl.
The reason is simple: Perl itself is a legacy system. It was born out of system administration, designed by system administrators just to make their lives easier. Not necessarily yours, that is.
Of course, since its inception, people have done things with Perl beyond imagination. They even wrote CGI scripts, replaced them with application servers which they then replaced with content management systems. And all those dirty features built into Perl to make administrators happy are still there, waiting to be exploited by kids like yourself.
That's the reason thousands of developers all over the world implemented better systems like Mojolicious, because we already know of those features. Your demo code will not work if you just put a "use strict" in there. And we have been urging people to do so for years and years. The fact that you don't seem to know it shows how unfamiliar you are with Perl. And the fact that you don't seem to know that flexibility with variables is not in any way specific to Perl shows you never developed anything. Someone in the monk thread (linked above) from last year pointed out that he couldn't find anything you ever developed. This didn't change in 2015: there's still nothing to find made by you. Even your Github account with which you responded to the gist post linked above is fresh and has not a single repository or contribution.
Let me say it bluntly: Don't discuss battle tactics with us unless you bled with us!
MDD, Module Dependency Disorder, the perl plague
There's a problem with more and more perl modules I'd like to call "Module Dependency Disorder", MDD. Many perl modules, especially the newer ones have so many dependencies - it's just a mess. In the old times you could install modules by using "perl Makefile.PL && make && sudo make install", under some OSes like Linux and FreeBSD most modules are packaged. But this is over.
Thank goodness there's Perlbrew so I don't have to mess with my system in order to just test a new module. Today I wanted to play a little with Geo::GPX and GIS::Distance, so I installed them inside my perlbrew environment using 'cpanm'. This is what it looked like:
% cpanm GIS::Distance
--> Working on GIS::Distance
Fetching http://www.cpan.org/authors/id/B/BL/BLUEFEET/GIS-Distance-0.09.tar.gz ... OK
Configuring GIS-Distance-0.09 ... OK
==> Found dependencies: Type::Tiny, Moo, Class::Measure, namespace::clean, strictures
--> Working on Type::Tiny
Fetching http://www.cpan.org/authors/id/T/TO/TOBYINK/Type-Tiny-1.000005.tar.gz ... OK
Configuring Type-Tiny-1.000005 ... OK
Building and testing Type-Tiny-1.000005 ... OK
Successfully installed Type-Tiny-1.000005
--> Working on Moo
Fetching http://www.cpan.org/authors/id/H/HA/HAARG/Moo-2.000002.tar.gz ... OK
Configuring Moo-2.000002 ... OK
==> Found dependencies: Module::Runtime, Role::Tiny, Devel::GlobalDestruction, Class::Method::Modifiers
--> Working on Module::Runtime
Fetching http://www.cpan.org/authors/id/Z/ZE/ZEFRAM/Module-Runtime-0.014.tar.gz ... OK
Configuring Module-Runtime-0.014 ... OK
Building and testing Module-Runtime-0.014 ... OK
Successfully installed Module-Runtime-0.014
--> Working on Role::Tiny
Fetching http://www.cpan.org/authors/id/H/HA/HAARG/Role-Tiny-2.000001.tar.gz ... OK
Configuring Role-Tiny-2.000001 ... OK
Building and testing Role-Tiny-2.000001 ... OK
Successfully installed Role-Tiny-2.000001
--> Working on Devel::GlobalDestruction
Fetching http://www.cpan.org/authors/id/H/HA/HAARG/Devel-GlobalDestruction-0.13.tar.gz ... OK
Configuring Devel-GlobalDestruction-0.13 ... OK
==> Found dependencies: Sub::Exporter::Progressive
--> Working on Sub::Exporter::Progressive
Fetching http://www.cpan.org/authors/id/F/FR/FREW/Sub-Exporter-Progressive-0.001011.tar.gz ... OK
Configuring Sub-Exporter-Progressive-0.001011 ... OK
Building and testing Sub-Exporter-Progressive-0.001011 ... OK
Successfully installed Sub-Exporter-Progressive-0.001011
Building and testing Devel-GlobalDestruction-0.13 ... OK
Successfully installed Devel-GlobalDestruction-0.13
--> Working on Class::Method::Modifiers
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/Class-Method-Modifiers-2.11.tar.gz ... OK
Configuring Class-Method-Modifiers-2.11 ... OK
Building and testing Class-Method-Modifiers-2.11 ... OK
Successfully installed Class-Method-Modifiers-2.11
Building and testing Moo-2.000002 ... OK
Successfully installed Moo-2.000002
--> Working on Class::Measure
Fetching http://www.cpan.org/authors/id/B/BL/BLUEFEET/Class-Measure-0.05.tar.gz ... OK
Configuring Class-Measure-0.05 ... OK
==> Found dependencies: Sub::Exporter
--> Working on Sub::Exporter
Fetching http://www.cpan.org/authors/id/R/RJ/RJBS/Sub-Exporter-0.987.tar.gz ... OK
Configuring Sub-Exporter-0.987 ... OK
==> Found dependencies: Data::OptList, Sub::Install, Params::Util
--> Working on Data::OptList
Fetching http://www.cpan.org/authors/id/R/RJ/RJBS/Data-OptList-0.109.tar.gz ... OK
Configuring Data-OptList-0.109 ... OK
==> Found dependencies: Params::Util, Sub::Install
--> Working on Params::Util
Fetching http://www.cpan.org/authors/id/A/AD/ADAMK/Params-Util-1.07.tar.gz ... OK
Configuring Params-Util-1.07 ... OK
Building and testing Params-Util-1.07 ... OK
Successfully installed Params-Util-1.07
--> Working on Sub::Install
Fetching http://www.cpan.org/authors/id/R/RJ/RJBS/Sub-Install-0.928.tar.gz ... OK
Configuring Sub-Install-0.928 ... OK
Building and testing Sub-Install-0.928 ... OK
Successfully installed Sub-Install-0.928
Building and testing Data-OptList-0.109 ... OK
Successfully installed Data-OptList-0.109
Building and testing Sub-Exporter-0.987 ... OK
Successfully installed Sub-Exporter-0.987
Building and testing Class-Measure-0.05 ... OK
Successfully installed Class-Measure-0.05
--> Working on namespace::clean
Fetching http://www.cpan.org/authors/id/R/RI/RIBASUSHI/namespace-clean-0.26.tar.gz ... OK
Configuring namespace::clean-0.26 ... OK
==> Found dependencies: Package::Stash, B::Hooks::EndOfScope
--> Working on Package::Stash
Fetching http://www.cpan.org/authors/id/D/DO/DOY/Package-Stash-0.37.tar.gz ... OK
==> Found dependencies: Dist::CheckConflicts
--> Working on Dist::CheckConflicts
Fetching http://www.cpan.org/authors/id/D/DO/DOY/Dist-CheckConflicts-0.11.tar.gz ... OK
Configuring Dist-CheckConflicts-0.11 ... OK
Building and testing Dist-CheckConflicts-0.11 ... OK
Successfully installed Dist-CheckConflicts-0.11
Configuring Package-Stash-0.37 ... OK
==> Found dependencies: Package::Stash::XS, Module::Implementation
--> Working on Package::Stash::XS
Fetching http://www.cpan.org/authors/id/D/DO/DOY/Package-Stash-XS-0.28.tar.gz ... OK
Configuring Package-Stash-XS-0.28 ... OK
Building and testing Package-Stash-XS-0.28 ... OK
Successfully installed Package-Stash-XS-0.28
--> Working on Module::Implementation
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/Module-Implementation-0.09.tar.gz ... OK
Configuring Module-Implementation-0.09 ... OK
Building and testing Module-Implementation-0.09 ... OK
Successfully installed Module-Implementation-0.09
Building and testing Package-Stash-0.37 ... OK
Successfully installed Package-Stash-0.37
--> Working on B::Hooks::EndOfScope
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/B-Hooks-EndOfScope-0.15.tar.gz ... OK
Configuring B-Hooks-EndOfScope-0.15 ... OK
==> Found dependencies: Variable::Magic
--> Working on Variable::Magic
Fetching http://www.cpan.org/authors/id/V/VP/VPIT/Variable-Magic-0.59.tar.gz ... OK
Configuring Variable-Magic-0.59 ... OK
Building and testing Variable-Magic-0.59 ... OK
Successfully installed Variable-Magic-0.59
Building and testing B-Hooks-EndOfScope-0.15 ... OK
Successfully installed B-Hooks-EndOfScope-0.15
Building and testing namespace::clean-0.26 ... OK
Successfully installed namespace::clean-0.26
--> Working on strictures
Fetching http://www.cpan.org/authors/id/H/HA/HAARG/strictures-2.000001.tar.gz ... OK
Configuring strictures-2.000001 ... OK
==> Found dependencies: indirect, bareword::filehandles, multidimensional
--> Working on indirect
Fetching http://www.cpan.org/authors/id/V/VP/VPIT/indirect-0.36.tar.gz ... OK
Configuring indirect-0.36 ... OK
Building and testing indirect-0.36 ... OK
Successfully installed indirect-0.36
--> Working on bareword::filehandles
Fetching http://www.cpan.org/authors/id/I/IL/ILMARI/bareword-filehandles-0.003.tar.gz ... OK
==> Found dependencies: B::Hooks::OP::Check, ExtUtils::Depends
--> Working on B::Hooks::OP::Check
Fetching http://www.cpan.org/authors/id/Z/ZE/ZEFRAM/B-Hooks-OP-Check-0.19.tar.gz ... OK
==> Found dependencies: ExtUtils::Depends
--> Working on ExtUtils::Depends
Fetching http://www.cpan.org/authors/id/X/XA/XAOC/ExtUtils-Depends-0.404.tar.gz ... OK
Configuring ExtUtils-Depends-0.404 ... OK
Building and testing ExtUtils-Depends-0.404 ... OK
Successfully installed ExtUtils-Depends-0.404
Configuring B-Hooks-OP-Check-0.19 ... OK
Building and testing B-Hooks-OP-Check-0.19 ... OK
Successfully installed B-Hooks-OP-Check-0.19
Configuring bareword-filehandles-0.003 ... OK
==> Found dependencies: Lexical::SealRequireHints
--> Working on Lexical::SealRequireHints
Fetching http://www.cpan.org/authors/id/Z/ZE/ZEFRAM/Lexical-SealRequireHints-0.009.tar.gz ... OK
Configuring Lexical-SealRequireHints-0.009 ... OK
Building and testing Lexical-SealRequireHints-0.009 ... OK
Successfully installed Lexical-SealRequireHints-0.009
Building and testing bareword-filehandles-0.003 ... OK
Successfully installed bareword-filehandles-0.003
--> Working on multidimensional
Fetching http://www.cpan.org/authors/id/I/IL/ILMARI/multidimensional-0.011.tar.gz ... OK
Configuring multidimensional-0.011 ... OK
Building and testing multidimensional-0.011 ... OK
Successfully installed multidimensional-0.011
Building and testing strictures-2.000001 ... OK
Successfully installed strictures-2.000001
Building and testing GIS-Distance-0.09 ... OK
Successfully installed GIS-Distance-0.09
27 distributions installed
% cpanm Geo::Gpx
--> Working on Geo::Gpx
Fetching http://www.cpan.org/authors/id/A/AN/ANDYA/Geo-Gpx-0.26.tar.gz ... OK
Configuring Geo-Gpx-0.26 ... OK
==> Found dependencies: XML::Descent, DateTime, DateTime::Format::ISO8601
--> Working on XML::Descent
Fetching http://www.cpan.org/authors/id/A/AN/ANDYA/XML-Descent-1.04.tar.gz ... OK
Configuring XML-Descent-1.04 ... OK
==> Found dependencies: XML::TokeParser, Test::Differences
--> Working on XML::TokeParser
Fetching http://www.cpan.org/authors/id/P/PO/PODMASTER/XML-TokeParser-0.05.tar.gz ... OK
Configuring XML-TokeParser-0.05 ... OK
==> Found dependencies: XML::Parser
--> Working on XML::Parser
Fetching http://www.cpan.org/authors/id/T/TO/TODDR/XML-Parser-2.44.tar.gz ... OK
Configuring XML-Parser-2.44 ... OK
==> Found dependencies: LWP::UserAgent
--> Working on LWP::UserAgent
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/libwww-perl-6.13.tar.gz ... OK
Configuring libwww-perl-6.13 ... OK
==> Found dependencies: File::Listing, HTTP::Cookies, HTTP::Request::Common, WWW::RobotRules, HTTP::Request, URI, URI::Escape, HTTP::Daemon, HTTP::Date, LWP::MediaTypes, HTTP::Negotiate, Net::HTTP, HTTP::Status, HTTP::Response
--> Working on File::Listing
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/File-Listing-6.04.tar.gz ... OK
Configuring File-Listing-6.04 ... OK
==> Found dependencies: HTTP::Date
--> Working on HTTP::Date
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/HTTP-Date-6.02.tar.gz ... OK
Configuring HTTP-Date-6.02 ... OK
Building and testing HTTP-Date-6.02 ... OK
Successfully installed HTTP-Date-6.02
Building and testing File-Listing-6.04 ... OK
Successfully installed File-Listing-6.04
--> Working on HTTP::Cookies
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/HTTP-Cookies-6.01.tar.gz ... OK
Configuring HTTP-Cookies-6.01 ... OK
==> Found dependencies: HTTP::Headers::Util
--> Working on HTTP::Headers::Util
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/HTTP-Message-6.11.tar.gz ... OK
Configuring HTTP-Message-6.11 ... OK
==> Found dependencies: URI, IO::HTML, LWP::MediaTypes
--> Working on URI
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/URI-1.69.tar.gz ... OK
Configuring URI-1.69 ... OK
Building and testing URI-1.69 ... OK
Successfully installed URI-1.69
--> Working on IO::HTML
Fetching http://www.cpan.org/authors/id/C/CJ/CJM/IO-HTML-1.001.tar.gz ... OK
Configuring IO-HTML-1.001 ... OK
Building and testing IO-HTML-1.001 ... OK
Successfully installed IO-HTML-1.001
--> Working on LWP::MediaTypes
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/LWP-MediaTypes-6.02.tar.gz ... OK
Configuring LWP-MediaTypes-6.02 ... OK
Building and testing LWP-MediaTypes-6.02 ... OK
Successfully installed LWP-MediaTypes-6.02
Building and testing HTTP-Message-6.11 ... OK
Successfully installed HTTP-Message-6.11
Building and testing HTTP-Cookies-6.01 ... OK
Successfully installed HTTP-Cookies-6.01
--> Working on WWW::RobotRules
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/WWW-RobotRules-6.02.tar.gz ... OK
Configuring WWW-RobotRules-6.02 ... OK
Building and testing WWW-RobotRules-6.02 ... OK
Successfully installed WWW-RobotRules-6.02
--> Working on HTTP::Daemon
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/HTTP-Daemon-6.01.tar.gz ... OK
Configuring HTTP-Daemon-6.01 ... OK
Building and testing HTTP-Daemon-6.01 ... OK
Successfully installed HTTP-Daemon-6.01
--> Working on HTTP::Negotiate
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/HTTP-Negotiate-6.01.tar.gz ... OK
Configuring HTTP-Negotiate-6.01 ... OK
Building and testing HTTP-Negotiate-6.01 ... OK
Successfully installed HTTP-Negotiate-6.01
--> Working on Net::HTTP
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz ... OK
Configuring Net-HTTP-6.09 ... OK
Building and testing Net-HTTP-6.09 ... OK
Successfully installed Net-HTTP-6.09
Building and testing libwww-perl-6.13 ... OK
Successfully installed libwww-perl-6.13
Building and testing XML-Parser-2.44 ... OK
Successfully installed XML-Parser-2.44
Building and testing XML-TokeParser-0.05 ... OK
Successfully installed XML-TokeParser-0.05
--> Working on Test::Differences
Fetching http://www.cpan.org/authors/id/D/DC/DCANTRELL/Test-Differences-0.63.tar.gz ... OK
Configuring Test-Differences-0.63 ... OK
Building and testing Test-Differences-0.63 ... OK
Successfully installed Test-Differences-0.63
Building and testing XML-Descent-1.04 ... OK
Successfully installed XML-Descent-1.04
--> Working on DateTime
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/DateTime-1.21.tar.gz ... OK
Configuring DateTime-1.21 ... OK
==> Found dependencies: Test::Warnings, DateTime::TimeZone, DateTime::Locale, Params::Validate
--> Working on Test::Warnings
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/Test-Warnings-0.021.tar.gz ... OK
Configuring Test-Warnings-0.021 ... OK
==> Found dependencies: CPAN::Meta::Check
--> Working on CPAN::Meta::Check
Fetching http://www.cpan.org/authors/id/L/LE/LEONT/CPAN-Meta-Check-0.012.tar.gz ... OK
Configuring CPAN-Meta-Check-0.012 ... OK
==> Found dependencies: Module::Metadata
--> Working on Module::Metadata
Fetching http://www.cpan.org/authors/id/E/ET/ETHER/Module-Metadata-1.000027.tar.gz ... OK
Configuring Module-Metadata-1.000027 ... OK
Building and testing Module-Metadata-1.000027 ... OK
Successfully installed Module-Metadata-1.000027 (upgraded from 1.000011)
Building and testing CPAN-Meta-Check-0.012 ... OK
Successfully installed CPAN-Meta-Check-0.012
Building and testing Test-Warnings-0.021 ... OK
Successfully installed Test-Warnings-0.021
--> Working on DateTime::TimeZone
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-1.94.tar.gz ... OK
Configuring DateTime-TimeZone-1.94 ... OK
==> Found dependencies: Class::Singleton, Params::Validate, List::Util
--> Working on Class::Singleton
Fetching http://www.cpan.org/authors/id/S/SH/SHAY/Class-Singleton-1.5.tar.gz ... OK
Configuring Class-Singleton-1.5 ... OK
Building and testing Class-Singleton-1.5 ... OK
Successfully installed Class-Singleton-1.5
--> Working on Params::Validate
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/Params-Validate-1.21.tar.gz ... OK
Configuring Params-Validate-1.21 ... OK
Building and testing Params-Validate-1.21 ... OK
Successfully installed Params-Validate-1.21
--> Working on List::Util
Fetching http://www.cpan.org/authors/id/P/PE/PEVANS/Scalar-List-Utils-1.42.tar.gz ... OK
Configuring Scalar-List-Utils-1.42 ... OK
Building and testing Scalar-List-Utils-1.42 ... OK
Successfully installed Scalar-List-Utils-1.42 (upgraded from 1.27)
Building and testing DateTime-TimeZone-1.94 ... OK
Successfully installed DateTime-TimeZone-1.94
--> Working on DateTime::Locale
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/DateTime-Locale-0.92.tar.gz ... OK
Configuring DateTime-Locale-0.92 ... OK
Building and testing DateTime-Locale-0.92 ... OK
Successfully installed DateTime-Locale-0.92
Building and testing DateTime-1.21 ... OK
Successfully installed DateTime-1.21
--> Working on DateTime::Format::ISO8601
Fetching http://www.cpan.org/authors/id/J/JH/JHOBLITT/DateTime-Format-ISO8601-0.08.tar.gz ... OK
Configuring DateTime-Format-ISO8601-0.08 ... OK
==> Found dependencies: DateTime::Format::Builder
--> Working on DateTime::Format::Builder
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/DateTime-Format-Builder-0.81.tar.gz ... OK
Configuring DateTime-Format-Builder-0.81 ... OK
==> Found dependencies: DateTime::Format::Strptime, Class::Factory::Util
--> Working on DateTime::Format::Strptime
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/DateTime-Format-Strptime-1.57.tar.gz ... OK
Configuring DateTime-Format-Strptime-1.57 ... OK
Building and testing DateTime-Format-Strptime-1.57 ... OK
Successfully installed DateTime-Format-Strptime-1.57
--> Working on Class::Factory::Util
Fetching http://www.cpan.org/authors/id/D/DR/DROLSKY/Class-Factory-Util-1.7.tar.gz ... OK
Configuring Class-Factory-Util-1.7 ... OK
Building and testing Class-Factory-Util-1.7 ... OK
Successfully installed Class-Factory-Util-1.7
Building and testing DateTime-Format-Builder-0.81 ... OK
Successfully installed DateTime-Format-Builder-0.81
Building and testing DateTime-Format-ISO8601-0.08 ... OK
Successfully installed DateTime-Format-ISO8601-0.08
Building and testing Geo-Gpx-0.26 ... OK
Successfully installed Geo-Gpx-0.26
30 distributions installed
Yes that's right. 55 Perl modules were installed as dependencies, which doesn't take the ones I already had installed into account. Of course most of them are recursive dependencies. But these days developers don't look at the dependency tree when they decide which module to use.
This is just shit. Fucking shit. Stinking shit. Idiotic shit. No wonder most people think perl is dead. Perl itself might be alive but the founding idea behind it is surely dead. What a nightmare.
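The dependency tree that the post says nobody looks at can be recovered from the cpanm log itself. The following is an added example, not part of the original post: it rebuilds the install nesting from the log and lists dependencies a module declared but that an earlier branch had already pulled in. It assumes a run without failed installs; the function names are hypothetical and the sample is an excerpt of the log above.

```python
import re
from collections import defaultdict

# Excerpt of the cpanm log above: the Class::Measure branch, Fetching lines left out.
SAMPLE_LOG = """\
--> Working on Class::Measure
Configuring Class-Measure-0.05 ... OK
==> Found dependencies: Sub::Exporter
--> Working on Sub::Exporter
Configuring Sub-Exporter-0.987 ... OK
==> Found dependencies: Data::OptList, Sub::Install, Params::Util
--> Working on Data::OptList
Configuring Data-OptList-0.109 ... OK
==> Found dependencies: Params::Util, Sub::Install
--> Working on Params::Util
Configuring Params-Util-1.07 ... OK
Building and testing Params-Util-1.07 ... OK
Successfully installed Params-Util-1.07
--> Working on Sub::Install
Configuring Sub-Install-0.928 ... OK
Building and testing Sub-Install-0.928 ... OK
Successfully installed Sub-Install-0.928
Building and testing Data-OptList-0.109 ... OK
Successfully installed Data-OptList-0.109
Building and testing Sub-Exporter-0.987 ... OK
Successfully installed Sub-Exporter-0.987
Building and testing Class-Measure-0.05 ... OK
Successfully installed Class-Measure-0.05
"""

WORKING = re.compile(r"^-->\s+Working on (\S+)")
FOUND = re.compile(r"^==>\s+Found dependencies: (.+)$")
INSTALLED = re.compile(r"^Successfully installed (\S+)")


def normalise(line):
    """Undo typographic substitutions (en dash, ellipsis) applied to pasted logs."""
    return line.replace("\u2013>", "-->").replace("\u2026", "...").strip()


def parse_cpanm_log(text):
    """Return install order, the module that pulled each module in, nesting
    depth, and the dependency lists each module announced."""
    stack = []                       # modules whose install is in progress
    parent, depth = {}, {}
    declared = defaultdict(list)
    installed = []
    for raw in text.splitlines():
        line = normalise(raw)
        m = WORKING.match(line)
        if m:
            module = m.group(1)
            parent[module] = stack[-1] if stack else None
            depth[module] = len(stack)
            stack.append(module)
            continue
        m = FOUND.match(line)
        if m and stack:
            declared[stack[-1]] += [d.strip() for d in m.group(1).split(",") if d.strip()]
            continue
        m = INSTALLED.match(line)
        if m:
            # Distribution names differ from module names (List::Util arrives as
            # Scalar-List-Utils), so rely on strict nesting and pop the top entry.
            installed.append(m.group(1))
            if stack:
                stack.pop()
    return {"installed": installed, "parent": parent,
            "depth": depth, "declared": dict(declared)}


def chain(module, parent):
    """Path from the requested top-level module down to `module`."""
    path = []
    while module is not None:
        path.append(module)
        module = parent.get(module)
    return path[::-1]


def shared_dependencies(result):
    """(module, dependency, pulled_in_by) for dependencies a module declared
    but that were installed on behalf of a different module."""
    shared = []
    for module, deps in result["declared"].items():
        for dep in deps:
            owner = result["parent"].get(dep)
            if owner is not None and owner != module:
                shared.append((module, dep, owner))
    return shared


if __name__ == "__main__":
    result = parse_cpanm_log(SAMPLE_LOG)
    print(len(result["installed"]), "distributions, max depth",
          max(result["depth"].values()))
    deepest = max(result["depth"], key=result["depth"].get)
    print(" -> ".join(chain(deepest, result["parent"])))
    for module, dep, owner in shared_dependencies(result):
        print(module, "also needs", dep, "(installed for", owner + ")")
```
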
Diceware Password Generator
As I already wrote elsewhere, I'm using separate users, email addresses and passwords for any account I create somewhere. For the passwords I use diceware passwords, which are the most secure ones. Until now I "generated" them myself without really using dice or some kind of dictionary. A somewhat boring process, so I decided to do something about it and wrote a little tool for this: dicepwgen.
It's written in C, licensed under the GPL version 3 and doesn't have any special dependencies, that is, it shall compile on almost any unix platform. The tool uses a dictionary file (there's a built-in default location, but it can be changed via the -f flag). It does a couple of "tricks" to fulfill the diceware process: since a dictionary file has way more entries than reachable via five dice (in fact, a diceware word list contains only 7776 entries), it jumps over a random number of lines when reading in the dictionary file. It indexes each entry with a "dicey" number, that is, a number consisting of 1,2,3,4,5,6.
Then there are two operational modes: in the default mode it generates a couple of dice rolls (by default 4, which can be changed as well), looks up the matching words from the list and prints them. In interactive mode, which can be enabled by setting the -t switch, it asks the user to enter the dice rolls. In that mode the user has to roll physical dice and enter whatever shows up. Passwords generated this way are truly random.
It should be noted that dicepwgen only uses words consisting of plain ASCII characters (a-zA-Z) and ignores all others. So, passwords generated with dicepwgen do not contain UTF8 or latin1 characters or whatever encoding the dictionary file may use. This behavior is intentional, since it is not wise to use UTF8 or other non-ASCII characters for passwords anyway. It also ignores words which are too short or too long, however these parameters can be tweaked (with -l or -m).
Usage example (default mode, the tool "rolls" the dice):
% dicepwgen
granting frightens parrakeet flukes
And here is how it looks if the user rolls the dice:
% dicepwgen -t
dice roll 1 - enter 5 digits, each between 1-6: 34112
dice roll 2 - enter 5 digits, each between 1-6: 62155
dice roll 3 - enter 5 digits, each between 1-6: 33431
dice roll 4 - enter 5 digits, each between 1-6: 16261
Gonzalo armrest Capistrano eaters
Ok, not much to see :) But good tools are simple to use, aren't they?
Update 2016-08-26:
I added a new flag -y which causes whitespaces to be replaced with dashes and adds %8 to the end of the generated passphrase.
Often I stumble upon sites with so called "password policies" and in many cases it's not possible to use unaltered diceware passphrases on such sites. Either they do not support whitespaces or they require numbers and non-letter characters to be present.
So, this is what -y does: satisfy those sites with their horrible policies while still being able to use a diceware passphrase. This is possible because it doesn't matter if the dice words are separated with a dash, a whitespace or even nothing. Entropy is the same. That -y adds a constant %8 to the end doesn't matter either: the security lies in the dice words.
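The lookup this post describes (ASCII and length filtering, "dicey" indexing, validated manual rolls, the -y formatting) can be shown in a short sketch. This is an added example, not dicepwgen's own code, which is written in C. The synthetic dictionary, the length limits of 5 to 10, taking the first 7776 eligible words instead of skipping random lines, and the exact placement of %8 are assumptions.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776 entries reachable with five dice


def sample_dictionary():
    """Constructed stand-in for a dictionary file: entries the filter must
    drop, followed by 8000 synthetic six-letter ASCII 'words'."""
    junk = ["Z\u00fcrich", "na\u00efve", "it's", "ab", "x" * 30, "route66"]
    syllables = [c + v for c in "bdfgklmnst" for v in "ae"]      # 20 syllables
    return junk + ["".join(p) for p in itertools.product(syllables, repeat=3)]


def eligible(word, min_len=5, max_len=10):
    # isascii() matters: str.isalpha() alone also accepts letters such as "ü".
    return min_len <= len(word) <= max_len and word.isascii() and word.isalpha()


def build_index(lines):
    """Keep the first LIST_SIZE distinct eligible words; position i answers roll i."""
    words, seen = [], set()
    for line in lines:
        word = line.strip()
        if eligible(word) and word not in seen:
            seen.add(word)
            words.append(word)
            if len(words) == LIST_SIZE:
                return words
    raise ValueError("dictionary has fewer than %d usable words" % LIST_SIZE)


def roll_to_index(roll):
    """Map a 'dicey' number such as '34112' to 0..7775 (base 6, digits 1-6)."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError("enter %d digits, each between 1-6" % DICE_PER_WORD)
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def random_roll():
    # secrets.randbelow draws from the OS CSPRNG without modulo bias.
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(words, rolls, policy_mode=False):
    """policy_mode mimics -y: dashes instead of spaces and a constant '%8' suffix."""
    picked = [words[roll_to_index(r)] for r in rolls]
    if policy_mode:
        return "-".join(picked) + "%8"
    return " ".join(picked)


def entropy_bits(word_count):
    """Entropy contributed by the rolls; a fixed separator and suffix add none."""
    return word_count * math.log2(LIST_SIZE)


if __name__ == "__main__":
    words = build_index(sample_dictionary())
    rolls = [random_roll() for _ in range(4)]
    print(passphrase(words, rolls))
    print(passphrase(words, rolls, policy_mode=True))
    print("%.1f bits" % entropy_bits(len(rolls)))
```
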
Object to Open Code of Conduct
Github now has an Open Code of Conduct as well. While I support the general idea to have such a code, which makes it possible to hold non behaving community members accountable, I do not agree with everything.
Be welcoming: We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
Just no. If I would be the one to maintain an opensource community, I'd not welcome everyone. For instance, I would not accept contributions by intelligence agency employees, or by members of the military (from whatever country, including my own). I would also not welcome government officers or employees in general, of any government. I would not accept Theo de Raadt (not that he would ever try to join my hypothetical community *g*). Although I accept religious people I would reject religious comments from them or arguments about the software on religious grounds, in fact I would even reject such people if they are not able to hold their religion private. The same applies for political or any other views. If the community is about some piece of software, then we can talk about that software, not about political ideologies or idiocy.
On the other hand the list above excludes a couple of potential members: what about an artificial intelligence? Or an alien being? So, it might be better (more future proof) to state, that All Sentient Beings are welcome as long as they want to contribute to the software in one way or another.
Be careful in the words that you choose: we are a community of professionals, and we conduct ourselves professionally.
Nope. In most cases opensource developers might have a daytime job in the industry, but they are participating in projects in their spare time. This makes them "hobbyists" as they say, although I don't like the term. However, I, working on a project, am not acting as a professional, but as a private citizen exercising my constitutional rights by trying to contribute to a higher matter, i.e. making the lives of others better. And I, like many others, am doing it for free. No one has to pay me for my work on opensource. I'm already fulfilled with satisfaction if 1 user finds a use for my software. But I'm not acting as a professional and I'm not behaving as such. Of course I've got a decent education and try always to be polite and respectful. As long as the peer does so as well. If she doesn't, I'll either tell her or stop communicating. I will always tell the truth, argue based on facts, not on feelz, whether the other person likes it or not.
Diversity Statement
We encourage everyone to participate and are committed to building a community for all. Although we will fail at times, we seek to treat everyone both as fairly and equally as possible. Whenever a participant has made a mistake, we expect them to take responsibility for it. If someone has been harmed or offended, it is our responsibility to listen carefully and respectfully, and do our best to right the wrong.
I'd assume that if some organisation has no such statement about diversity, actual diversity is the default. Why do I have to state the obvious?
And I do not think it is a good idea to "right the wrong". That sounds utterly like Facebook's "Report User" function. User A claims that User B offended her. User B denies. In most cases it might be obvious what counts as offending, like calling someone names, threatening someone with violence or revealing private information to the public. But what about the more subtle cases (as they happen every day on Facebook)? Is it really the role of the community to act as investigator, prosecutor and judge in unison? And who is "WE" anyway? Some unspoken kind of elected governmental body within the community?
Let me digress a little. Once I operated a forum. It was public, subscription was totally anonymous and I had disabled all logging. Even an email address wasn't required to join. And I was the sole dictator. The forum was no democracy, because where I live, in Germany, the site operator might be responsible for what users on that site are doing. And so I told my users a simple rule: if two of them had a problem with each other and if it was not easily recognizable who is right or who is the offender, I deleted them both. Because I am not the one to judge upon the idiocy of others or to decide which one is the idiot. So if in doubt, I dropped them altogether. They knew it very well in advance. And you know what? I never deleted a user because of that rule! They just behaved. Lo and behold!
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an individual engages in unacceptable behavior, the representative may take any action they deem appropriate, up to and including a permanent ban from our community without warning.
This is actually dangerous. We've seen such rules before. A user complains, an admin "reviews" the case and as a result deletes another user. What was not known, is that the complaining user and the reviewing admin had a relationship. Oops.
Now let me digress a little more. I'm a huge fan of democracy. You know why? Because I actually fought for it. In 1989, on the streets of Leipzig in East Germany. I grew up in a dictatorship. One of the fundamental features of a dictatorship is fear. And the easiest way to seed fear among the populace is to let people do it to each other. If you didn't like someone and wanted him to disappear, all you had to do was to report the person to the authorities, telling them the person acts suspiciously. Then they took care of that person. And care they took! People have been incarcerated merely for having ideas. Thinking crimes were a common cause of going to prison in East Germany pre 1989.
The very same happened during the Third Reich. But during those times reported people had a different fate. They've been sent to concentration camps and eventually been killed. Torture was mandatory. All you had to do during those times in order to get someone out of your way was to tell the SS that the person was a Jew or was helping Jews. Bam! Dead!
So, this is a complicated issue. Once you state you take responsibility to solve conflicts between people, you cannot do this anymore in a fair way unless you have a justice system in place like in a democratic state. Everything else is dictatorship and it will definitely be abused sooner or later. In my opinion either you just don't take that responsibility or state that the community is a dictatorship in the first place. Otherwise this is just brainwashing.
Yes, an old fool's rant that is. Sorry.
Update 2015-10-07:
And here we can watch more of this bullshit: Sarah Sharp quits from Linux kernel development because of "verbal abuse" and stuff like this. Actually, this view of hers is not new. In fact she did the same thing in 2013. Linus' answer to this bullshit underlines my argument above:
[..](please read the full post!)
Because if you want me to "act professional", I can tell you that I'm not interested. I'm sitting in my home office wearing a bathrobe. The same way I'm not going to start wearing ties, I'm *also* not going to buy into the fake politeness, the lying, the office politics and backstabbing, the passive aggressiveness, and the buzzwords. Because THAT is what "acting professionally" results in: people resort to all kinds of really nasty things because they are forced to act out their normal urges in unnatural ways.
The same thread contains these two contributions:
One thing you should keep in mind in your discussion is what can happen if people get too polite with each other.
and:
I have seen this happen at two large companies I worked for. Early on, flames are acceptable and expected as response to someone publishing bad code which breaks everything for everyone. Then, at some point, it is not acceptable anymore to flame, and one is expected to be polite and friendly at all times. "Your code breaks the build for every platform. Would you please kindly consider fixing it?" Result is that code quality suffers, to the point where images don't even build anymore.
I hope the Linux kernel never gets into that stage. To avoid that, I am willing to be cursed at by Linus if I am the responsible party.
Didn't Jim Zemlin show some research where there were two groups: One that did a bunch of brain storming where no idea was a bad idea. The other required you to defend your idea while the others bashed it. The results always showed that the second group not only did a better job, but also faster and more efficient. I'm afraid if we worry too much about politeness, we will fall into that first group.
Finally, Fefe has something to say about this as well [German]. So, if you ever come across such demands, there are lots of arguments against them.