StumbleUpon is a web service that allows you to share links with other users. Sometimes readers have shared this site and my number of visitors have gone up (cheers for that).

StumbleUpon is commonly used through a toolbar provided as an extension through Firefox or Internet Explorer, and a comment-in-the-last-post reminded me about it.

This made me think, what is the licence of this Firefox extension? If you go to the StumbleUpon-homepage, there is no software licence or terms at all. If you click the "Download now - Free" button, you go through to the download-page, still no licence or terms. I unzipped the extension, looking for a software licence, nothing.

Eventually, after a bit of digging and Googling, I found their Toolbar-License and guess what it is proprietary software, so if you want to run free software/open source, then get it off your system now!

The licence only gives you:

"a non-transferable ... non-sublicensable ... license to reproduce (solely to install and execute) the Toolbar on one of your computers, in executable object code format only, for your personal, non-commercial use only,"

Of course, the "Toolbar" is released as a Firefox extension, in plain-text Javascript and XUL, not in object code format. There is not really object code at all in Javascript, object code is a C term. But the lawyer writing the boilerplate probably didn't know or care about the difference. Anyhow, the licence continues:

"You may not modify, make derivative works of, copy, reproduce, publish, or reverse engineer the Toolbar"

This is in complete opposition to free software/open source, where all users have four freedoms:

• The freedom to run the program, for any purpose (freedom 0)
• The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
• The freedom to redistribute copies so you can help your neighbor (freedom 2).
• The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this.

In the last-post, I went through the most popular Firefox extensions and talked about whether they were good ideas or not. However, it seems that not a lot of people think about another side to this, i.e. what are your Firefox extensions licenced under?

It turns out that a lot of the extensions available through Firefox are not free/open source software at all.

One example is the StumbleUpon Extension. StumbleUpon is a web service that allows you to share links with other users. Sometimes readers have shared this site and my number of visitors have gone up (cheers for that). StumbleUpon is commonly used through a toolbar provided as an extension through Firefox or Internet Explorer, (and a comment-in-the-last-post reminded me about it).

This made me think, what is the licence of this Firefox extension? If you go to the StumbleUpon-homepage, there is no software licence or terms at all. If you click the "Download now - Free" button, you go through to the download-page, still no licence or terms. I unzipped the extension, looking for a software licence, nothing. This made me very suspicious, when people are proud of their licence, they put it right in front of you, what are they hiding?

Eventually, after a bit of digging and Googling, I found their Toolbar-License and guess what? Yes you guessed it, it is proprietary software. So if you want to run free software/open source, then get it off your system now!

Their licence only gives you:

"a non-transferable ... non-sublicensable ... license to reproduce (solely to install and execute) the Toolbar on one of your computers, in executable object code format only, for your personal, non-commercial use only,"

Of course, the "Toolbar" is released as a Firefox extension, in plain-text Javascript and XUL, not in object code format. There is not really object code at all in Javascript, object code is a C term. But the lawyer writing the boilerplate probably didn't know or care about the difference. Anyhow, the licence continues:

"You may not modify, make derivative works of, copy, reproduce, publish, or reverse engineer the Toolbar"

This is in complete opposition to free software/open source, where all users have four freedoms:

• The freedom to run the program, for any purpose (freedom 0)
• The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
• The freedom to redistribute copies so you can help your neighbor (freedom 2).
• The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this.

Don't sell out your freedoms so cheaply! If you want the most free software computer possible, look up the licenses of your extensions.

For example, here are five popular extensions that are free software/open source:

• Firebug: Mozilla Public License 1.1
• Flashblock: Mozilla Triple Licence (MPL 1.1/GPL 2.0/LGPL 2.1)
• AdblockPlus: Mozilla Public License 1.1
• FireGPG: Mozilla Triple Licence (MPL 1.1/GPL 2.0/LGPL 2.1)
• NoScript: GPL

Please do audit your own, and let us know what you find. Knowing which extensions are free and which are not free would be really helpful.

Digg-entry

There are many things that seem reasonable to the average rational person, but then there are some that just seem absurd.

First, a little background. Security is not just a playground for hackers and software companies. It seems that way sometimes, but security has become a rather potent industry in its own right since the days of the first well publicized viruses and Windows exploits. So much so that finding and reporting security exploits is now commonly a job rather than an underground, subculture activity. There is a bunch of people who are employed to do this now, and who effectively drive the standards for security by publishing bugs in various products.

Now, whenever something has value of some kind, simple economic principles naturally imply that it can be used in a trade. Security vulnerabilities indeed have certain value. By discovering a weakness in a product that noone else knows about, you stand to gain something if you decide to use it maliciously. If not, you may still consider selling it to someone who will use it maliciously. And if you’re just not into that kind of evil, you still have a certain leverage over the vendor that sells this product, because you know more about it than they do. So you could easily contact them and say I found a weakness in your product, which allows people to steal your customers’ data. Although I don’t intend to abuse this personally, we both know there are plenty of people out there who do, and who work hard to find these bugs themselves. If this weakness in your software should remain intact, and abused by someone, you’re gonna be in a lot of trouble. So how about you recompense the efforts of my research and I will hand it over?

As a vendor, this isn’t the most pleasant email to get. But after all, this person has found something that is our fault, and we have only ourselves to blame for selling something that has such an obvious weakness in it (or we don’t think it’s serious and we’ll just wing it, hoping noone gets burnt on this). Okay, raw deal for the vendor, but if you’re selling something that your customers bought in good faith, and it turns out it could pose a threat to their data, it’s definitely your fault.

Depending on how successfully this person is able to negotiate with the vendor, the outcome may be various. But if the [let's call him a] researcher isn’t able to come to terms, the next best thing is just to make it public. Like we saw already, a vulnerability has a certain value. If you’re not able to claim this in hard currency, you’ll at least want the recognition for finding this bug so that you can hone your reputation as a security professional and maybe someone will give you a [better] job.

But there is a problem. As we know from every Hollywood corporation-vs-little-guy story, companies always respond to threats the same way: calling their lawyers. The lawyers always try the same thing: hush it up. So they send out lots of scary documents, trying to shut the guy up. And whatever your legal position is, you’ll never win, cause corporations have armies of lawyers (armies of janitors too, actually, armies of everything). So chances are they will successfully silence you and your plan of publishing the vulnerability fails. You don’t get any money, and you don’t get any credit. The vulnerability remains intact, the vendor, even if they know how to fix it, probably won’t do anything about it cause noone is pushing them to.

This is the bizzarre landscape in which an industry, which would otherwise seem absurd, somehow makes sense. These security researchers don’t have much leverage against the legal armies of corporations, so there are actually certain companies now that trade in vulnerabilities. They will buy them from researchers and then try to reclaim a profit from the vendor, or even sort of broker the deal without putting the researcher in jeopardy. This way, the researcher can either get money for it, or if that fails, publish it.

Not surprisingly, vendors make a big stink about what they call “responsible disclosure” (ie. telling them first, hoping they don’t try to silence you I guess), but the truth is they abhor these things being made public, as Jonathan Zdziarski explains at length.

*

Incidentally, if you’re at all interested in security, you should check out some of the fascinating talks on security from various security events. Conferences like DefCon generally publish all the talks online. You’ll be blown away by what’s actually possible (and not just possible, probably being done right now) and your perception of how secure you should feel online will be changed forever. If you want to be both enlightened and entertained, I would pick Dan Kaminsky, cause he likes to showboat.

I recently looked at the forthcoming Epiphany browser based-on-Webkit. However, some people told me that Firefox has so many extensions that it would not be possible for a new browser to compete, even among the target audience of GNOME users. Is this true?

I am not a C hacker and don't want to be at this stage, so I can't really help with the heavy lifting in finishing the new Epiphany. However, the previous Gecko-based version allowed you to write extensions in Python, so if that is true in the new version, I could write an extension or two.

The old gecko version of Epiphany had various extensions, and a dozen or so of the best were bundled in the Epiphany-Extensions package.

Firefox extensions

It is early days because, as far as I know, the new Epiphany extension API is not written yet, however, we can do a little research about Firefox extensions, and seeing which ones are worth replicating on Epiphany. I myself have FireGPG (allows you to use GPG with webmail), Flashblock (blocks Flash movies unless whitelisted) and FireBug (see below).

There are 2353 add-ons and themes in the Firefox add-on database, several are abandoned in that they have not been updated to work with modern versions of Firefox. The bottom 1000 have had very little impact. For example, the "Et Lolcat" extension translates English to 'locat', it has only been downloaded 26 times ever. I doubt the lack of a lolcat extension is going to prevent anyone from using Epiphany.

As you might expect, outside the big hitters, the popularity of extensions tails off pretty fast. The top few add-ons have been download hundreds of thousands of times, the 100th add-on has been downloaded 10,000 times, the 1000th add-on has hardly ever been downloaded by anyone.

So lets ignore all the themes as Epiphany themes according to your desktop theme; lets also ignore all the abandoned extensions and the extensions which have never really been downloaded by anyone. So we can say there are less than 500 extensions that are actually relevant for our purposes. This is still a massive number. I cannot think of another piece of software that has 500 active extensions.

In the rest of this post, I look through the list of the top 100 downloaded-add-ons. This list of course is dynamic, so will change according to when you view it. So where I have included a number, it is the position in the top 100 when I looked at it. Do not worry I don't talk about 100 add-ons, a lot of the top 100 add-ons are themes and dictionaries which I have ignored.

The top three

Video DownloadHelper (1) - This allows people to rip videos out of sites like Youtube, as does UnPlug (37) and a million others. This could be easily replicated by Epiphany but maybe a better approach would be a "save-as" button in Gnash? Likewise Flashblock would not be required if Gnash has an option for "only play when the user agrees to".

Adblock Plus (2) provides advert blocking, as does Adblock and Adblock Filterset.G Updater (38). In the old Epiphany, there already was a decent adblock. This can and no doubt will be easily replicated by an Epiphany extension.

NoScript (3) provides blocking and white-listing of Javascript. This could be easily replicated by an Epiphany extension. Epiphany already gives you the ability to turn Javascript on and off globally, the extension just needs to give the ability to control this behaviour per site.

Not all extensions are priorities

IE Tab (7) allows Windows users of Firefox to open non-standard webpages in IE. This is not available on Firefox for Linux so is irrelevant. People should not write IE only webpages.

Next we have the replacements for Firefox's rubbish download dialog: DownThemAll (4), Download Statusbar (6), PDF Download (10), Fast Video Download (15), ScrapBook (28). Hopefully Epiphany's download dialog will be good enough out of the gate. So these are not a priority.

Foxmarks (9) and Speed Dial (29) are replacements for Firefox's annoying bookmarks dialog. Epiphany's bookmark manager is better, so these extensions are not a high priority.

Greasemonkey (5) is a higher level extension tool, it basically makes it easier to write extensions for Firefox, especially per site extensions. If Epiphany's extensions are easy to write, this will not be needed.

The Fasterfox (17) extension allows you to prefetch pages, as well as make concurrent connections, i.e. download the same page ten times at the same time. I am undecided weather this extension is a good idea for the web. I wouldn't want people using it on my sites.

A web browser is not a desktop environment or package manager

Quite a few of the extensions use Firefox as a convenient way to make and distribute an application, not surprising as Windows does not have a package manager. These extensions may have none or only tangential connection to the fact that Firefox is a web browser. Many of these in Linux would work just as fine or better as a separate application, indeed many equivalent applications already exist and are probably better.

FireFTP (18) is an FTP client, GNOME has GFTP which is perfectly fine. FoxyTunes (27) is a media player frontend, Linux has billions of media players. Forecastfox (12) tells you the weather, the GNOME desktop already tells you the weather, we can even look out a window. Likewise, FoxClocks (30) tells you the time, which the GNOME desktop does by default. After 40, we have RSS Readers such as the "Feed Sidebar" and "Sage", as well the IRC client ChatZilla. GNOME has lots of RSS Readers, e.g. Straw and Liferea, and Linux has lots of IRC Clients. The best way to use IRC is to use a client that can run 24/7 on the server, such as Irssi.

ScribeFire is a Firefox extension that provides a text editor for blogging. There is GNOME-blog available through all the package managers, but I prefer to use a real text editor. FoxSaver is an extension to provide a screensaver and photoviewer, GNOME has the Eye of GNOME image viewer and its own screensaver. ReminderFox (35) provides reminders, as GNOME already does.

PicLens (8) provides desktop effects for Firefox on Windows. It is not available for Linux, but Compiz with Epiphany does a better job. The same applies to "Tab Effect" (21) and FireGestures (24).

The Firebug (13) extension is a fantastic toolkit for web designers that turns your browser into a complete Dreamweaver clone. This would perhaps be better as a webkit based application, the same goes for "Web Developer" (20).

"Better Gmail 2" (14) provides extra options for Gmail, turning Gmail into a rich desktop application. The whole point of web-based email is that you can access it from any computer anywhere without special software. If you want to use installed software, then Gnome has Evolution which is richer than any web application.

I also skimmed through the 100 to 200 most popular add-ons, and it was more of the same. I hate to be a snob, but it seems that the most downloaded extensions are not necessarily the best ones!

Conclusion

There are many hundreds of Firefox extensions, some of them are absolutely fantastic, however many are repetitive, many also replicate things that already exist on a GNOME based system by default or are quickly available in the package manager. A large number of the extensions are old and have not been ported to modern versions, and some of them are just bad ideas.

This survey has convinced me that it is quality not quantity that matters, that with just 20 well chosen extensions, Epiphany could offer the features that 80% of GNOME users want, with 50 well chosen extensions, it could offer the features that 95% of GNOME users want. I am talking about extensions that actually have something to do with web browsing, not turning Firefox into a jukebox, or into a calendar, into a Compiz replacement, or into an operating system of its own.

I made a few small changes to BIOSLEVEL tonight. This is after trying to complete a new review or two this morning, but found myself unable to complete because my camera has decided to go haywire. More on the camera later. Let's look at what I've changed with BIOSLEVEL.

Changes to BIOSLEVEL

The changes aren't too numerous, nor are they complete yet. First off, I've altered how the <title></title> tags are done, so article names are now displayed rather than just "Article & Reviews". Hopefully this improves the site's overall SEO. The second part of the update comes in the form of some buttons for our article & review pages: Digg It, E-Mail Page, and Stumble Upon.

E-mail Page will either open a new window (smaller) or within the same window a page that allows them to e-mail the article's introduction, title, image, and link to someone's e-mail. I obviously won't track e-mail addresses, but should I keep track of how many times the feature is used per article? Obviously, I haven't implemented this feature just yet.

Digg It submits the story to digg. Obviously. Stumble Upon submits the story to Stumble Upon, but I haven't added the link for this just yet. I'd also like to add some icons for Reddit and a few similar services as well. Anything to build up more traffic.

Camera Woes

My aunt bought me a Cannon PowerShot S1 IS a few years ago for Christmas. At $400 at the time, the S1 IS was only a 3.2MP camera, which is really more than I need. I spent some time debating this morning while looking through cameras on NewEgg.com

I almost bought the latest version of my camera, which boasted a whopping 8.1MP and a 12x optical zoom, whereas my camera only has a 10x zoom. I ended up purchasing the Nikon D40, a DSLR camera. It'll be my first DSLR, and I'm really hoping that my older SLR lenses will still work with it.

There's more functionality in this camera than I'll probably ever use, but I'm also up for experimenting with it. The important part, however, is that I'll be able to take shots of products to complete my reviews.

Take a peek at BIOSLEVEL for the said updates, and watch for a new review in a day or so. Also expect another entry here in the near future.

ssh.py provides three common SSH operations, get, put and execute. It is a high-level abstraction upon Paramiko.

I wrote it yesterday for my own needs, so it is still very much in the beta stage. Any improvements or comments gratefully accepted.

In short, it works as follows:

import ssh
s = ssh.Connection('example.com')
s.put('hello.txt')
s.get('goodbye.txt')
s.execute('du -h --max-depth=0')
s.close()

That is it, in the rest of this post, I walk through this line by line.

Installation

First, we need to install paramiko, if you don't have it already.

On Gentoo Linux:

emerge paramiko

On Ubuntu/Debian and so on:

apt-get install python-paramiko

If you want to use Python's easy_install then:

easy_install paramiko

Secondly, you need to grab the ssh.py module, grab it from my code-page, and save it as ssh.py.

Connecting to a remote server

To play with the script interactively, you need to start Python:

python

Now, import the ssh module:

import ssh

Next we need to initiate the connection. If your username is the same on both systems, and you have set up ssh-keys, then all you need to do is:

s = ssh.Connection('example.com')

Connection supports the following options:

The host is essential of course. Port defaults to 22. The username defaults to the username you are currently using on the local machine.

You need to use one of the authentication methods, a private key or a password. If you don't specify anything, then ssh.Connection will attempt to use a private_key at ~/.ssh/id_rsa or ~/.ssh/id_dsa.

So to specify a username and password, you can do it like this:

s = ssh.Connection(host = 'example.com', username = 'warrior', password = 'lennalenna')

Of course, Python also allows you to use the order to specify the arguments, so the last example can be written as:

s = ssh.Connection('example.com', 'warrior', password = 'lennalenna')

Operations

Once you have set up the connection, there are three methods you can use. Firstly, to send a file from the local machine, you can use put:

s.put('hello.txt')

The above example copies a file called hello.txt from the current local working directory to the remote server. We can also be more explicit if we want:

s.put('/home/warrior/hello.txt', '/home/zombie/textfiles/report.txt')

So the above example copies /home/warrior/hello.txt on the local server to /home/zombie/textfiles/report.txt on the remote server.

The second operation works in a similar way but in reverse:

s.get('hello.txt')

get takes the file from the remote server to the local server, again we can be more explicit if we want:

s.get('/var/log/strange.log', '/home/warrior/serverlog.txt')

The above example copies the strange.log from the server and saves it as serverlog.txt.

The last operation is execute, this executes a command on the remote server:

s.execute('ls -l')

This returns the output as a Python list.

Closing the connection

You can do as many operations you like while the connection is open, but when you are finished, you need to close the connection between the local and remote machines. You do this with the close method:

s.close()

There we go, that is all I needed to do with SSH. Please do let me know using the comments below if you have any problems using it.

If you import my module in your program and later find that you need more power or flexibility, you should be able to swap it out for the full paramiko with a minimum of fuss.

<someone> What are you doing in front of your computer all day?
<me> Hmmmmm, I'm working ... kind of.
<someone> All the time?
<me> Not all the time, but well, probably most of it.
<someone> Aren't you chatting or stuff like that?
<me> Yep, but that's not the type of chatting you're used to I guess.
<someone> What are you working on?

<me> Well, there's this Open Source project, called foo I am helping a little bit here and there.
<someone> What is Open Source?
<me> Hmmmm, well ... 
[skipping stuff about available source code, licenses, the M$ example of closed sources and so forth].
<someone> Aaaaaha (I haven't really understood 75% of what you've just said but).
<someone> Are you or the others getting paid for what you do?
<me> Actually, nope, there are exceptions of course.
<me> However, chances are that someone maybe donates a few bucks.
<someone> That doesn't make any sense at all, why are you doing this?

Fun

People

Reward

1. Find a girl
2. Invite her to your appartments
3. Use subject product V (or C)
4. Have fun
5. Take her number
6. Profit?

In your scripts or applications, you might need to copy a file from one server to another. One way to do this is to use SFTP, the secure file transfer program, which uses an encrypted SSH (Secure Shell) transport which in turns runs over TCP/IP.

One of the Python implementations of SSH is called Paramiko (available in package managers as paramiko or python-paramiko).

Paramiko is extremely comprehensive so you can get as complicated as you like, but for me, I just want to be able to copy files from a known remotepath to a known localpath and back again.

In this post I explain how to do this using Paramiko directly, in the next-post, I look at another approach.

So we start by importing the module, and specifying the log file:

import paramiko
paramiko.util.log_to_file('/tmp/paramiko.log')

We open an SSH transport:

host = "example.com"
port = 22
transport = paramiko.Transport((host, port))

Next we want to authenticate. We can do this with a password:

password = "example101"
username = "warrior"
transport.connect(username = username, password = password)

Another way is to use an SSH key:

import os
privatekeyfile = os.path.expanduser('~/.ssh/id_rsa')
mykey = paramiko.RSAKey.from_private_key_file(privatekeyfile)
username = 'warrior'
transport.connect(username = username, pkey = mykey)

Now we can start the SFTP client:

sftp = paramiko.SFTPClient.from_transport(transport)

Now lets pull a file across from the remote to the local system:

filepath = '/home/zeth/lenna.jpg'
localpath = '/home/zeth/lenna.jpg'
sftp.get(filepath, localpath)

Now lets go the other way:

filepath = '/home/zeth/lenna.jpg'
localpath = '/home/zeth/lenna.jpg'
sftp.put(filepath, localpath)

Lastly, we need to close the SFTP connection and the transport:

sftp.close()
transport.close()

In my humble opinion, one should not have to write so many lines or care about the SSH protocol just to send a file from a to b. In the next-post, I will share my own higher level API that runs on top of Paramiko.

I've been very busy the past week, mostly just for the fact that I worked eight days straight. It might have been good money, but tomorrow is a well-earned break. In these past eight days, I fell behind in some of the reviews I've been writing.

I meant to post a review of the OCZ Reaper HPC DDR2 RAM I used in my reviews of the 780G motherboard and Radeon HD3870 Toxic, but fell behind because of all the extra hours spent at work. There're several more reviews to follow the review of this RAM, but my main concern right now is the RAM.

BIOSLEVEL has several fantastic reviews coming up, but what I'm really excited about is a home theater series of articles I'm trying to plan out utilizing MythTV. We have one machine that's able to act as a MythTV box itself, as well as a MythTV server so other units can connect to it. This'll be a great option for some units such as the Asus barebones I recently reviewed for BIOSLEVEL

On the bright side of my time issues, I did manage to get a little done on a new design for this site, as well as business cards for BIOSLEVEL. Once both are completed, I'll post the final designs. Or, that is, change the design of the side and post an entry about the business cards.

1. Edit revoco-0.3.c and change the value of #define MX_REVOLUTION to the value you get for you mouse from `lsusb`. Mine is c525.
2. The auto setting was a bit whacko by default - the solenoid was clicking on and off without even moving the wheel. This worked:
   $ sudo revoco auto=10
3. Setting the manual click change to button "6" (find button) gives you the middle click (button 2) back *woot*
   $ sudo revoco manual=6
   and also gets rid of that annoying "search" keyevent which I have a keyboard for :)
4. But unfortunately, when I set the manual=6 option, the auto scroll feature turns off again :| But that's a small price to pay!
   

I listen to MP3s in the car and it's annoying when the volume isn't normalized. I can't be fumbling around with the tiny buttons on my MP3 player to adjust the volume while I'm driving. I found mp3gain and used it on a bunch of files and it appears to have worked.

If anyone knows of a better program for normalizing volume of lots and lots of MP3s, post now or forever hold your peace.

Here’s my perspective on it. We all have ideas, some good and some bad. Now it’s understandable that people who have invested themselves into a bad idea, especially if they thought it was good, are reluctant to walk away from it. It’s painful to have to realize that. But the flip side is that we have to maintain the myth of Santa Claus because, well, so many kids believe in him that we can’t let them down. Bad ideas deserve to die for the good of everyone.

The first thing a good idea must have is a real problem to solve. OpenID does very well here. The point of OpenID is to solve our common problem of the internet age: many websites, many accounts, many usernames and passwords. This is probably why OpenID still appears to some people as being a good idea.

Here’s how they do it. Instead of keeping track of your accounts on all the sites you’re a member of, just let one site keep all your account records (sound ominous yet? it did to me). Now, whenever you want to login to one of your sites, instead of using your username/password for that site, you use your OpenID login, which looks like this: http://username.myid.net. This url is effectively your OpenID provider, ie. the site you use to keep track of all your accounts. So now the site you’re logging into sends you to your provider, where you login with a username/password belonging to the account on the provider site, and that logs you into the site you were visiting. So in other words, your account on the provider is the gatekeeper to all your accounts. Sounds simple, right?

I remember when I first heard about this idea years ago. The first concern I had was that in order for this to work, I need a provider to keep track of all my accounts. So I asked myself the question: whom do I trust do this for me? The answer came back: myself. I don’t know about you, but the idea of some third party storing all my logins doesn’t make me feel warmy and cuddly. As it happens, the open in OpenID means you can choose any provider you want, including yourself. You just set up some php scritps and voila, you can use http://mysite.com as your provider. So basically, instead of storing your accounts in some “account manager” program on your computer, you do the same thing on your server. This is where the concept of OpenID died for me. I don’t want to have to depend on my own OpenID provider to work in order to use other sites. I don’t want to add a dependency on my ability to login to some other site contingent on the assumption that my own site is available and working properly at all times (which it isn’t, I have a little downtime like everyone else).

If you don’t want the hassle of being your own provider, you can pick a provider from a list. This is not an attractive fallback option, because now your account on the provider is your key to all your other accounts. If I have an account on some site and I forget my credentials, big deal, I only lose that one account. But if I lose my credentials on the provider, I lose everything.

In theory, OpenID tries to improve your overall security. The hassle of keeping track of accounts is known to us all, and we get around the problem by reusing the same (or similar) credentials on a lot of sites. This is obviously bad for security, because if someone gets your password to one site, they can access all your other accounts that use this password. So security people will always recommend that you use distinct credentials for every account. Suppose you do this, and you use OpenID to alleviate record keeping. Now, OpenID actually works against you. Your account on the OpenID provider is the key to everything. With a different password on every site, you’re that much less likely to remember what it was, therefore your account on the provider is proportionally more valuable.

There is a strange irony at play here. Supposedly, the more accounts you manage with OpenID the more useful it is. But on the other hand, the more accounts you manage with it, the more you depend on it, and the more you make it the one gateway to all your online identities for a potential attacker or for abuse by a dishonest or incompetent provider.

Most importantly, however, OpenID’s solution to the login problem isn’t a very clever solution at all. Typing http://username.myid.net is not a big improvement over a username/password form. My browser already gives me the option to login without typing anything.

Those are my reasons why OpenID is a bad idea and should have died years ago. If you want more, Stefan Brands has an exhaustive laundry list of problems with OpenID.

Something is very wrong here. Right after starting a KDE session everything looks normal.

But after running for a day we have a different story. I’m assuming this isn’t the expected behavior (if so I didn’t expect it).

This time I specifically took a screenshot to prove it, but I’ve seen it eat up as much as 1.3gb of my memory, which is rather unnerving.

kwin-kde4        4:4.0.4-0ubuntu1

Bug report.

Emacs has a, well, "unique" undo system. It only has undo, no redo. When you undo something, the act of undoing is added as itself onto a stack of undo actions. When you've un-done enough things, you do "something, like move the cursor, and that breaks the chain. From there if you undo again, you will traverse back over the undo actions you just did.

This is supposedly powerful. It does help with the following situation:

1. Type something.
2. Type something #2.
3. Type something #3.
4. Undo undo undo.
5. Type something #4.

In most programs once you reach step 4, you can redo to get back to the text you just undid But once you reach step 5, the first three things you typed are lost forever. You've gone back in time and changed history, eradicating the old future and replacing it with a new one. You can never get back to the old future. Emacs undo, on the other hand, where undo actions are just like any other actions and pushed onto a stack of actions, does let you undo back first three things you typed.

However in practice this doesn't work so well. This site has a nice quote:

“By [undoing] repeatedly, you can gradually work your way back to a point before your mistake. This is convenient if you’ve made a mistake four or five commands back. It is marginally useful if you’ve made a mistake twenty or thirty characters back. And it is completely useless if your mistake is ancient history.” - Learning GNU Emacs (page 42)

The problem being, supposing you undo 20 times, and break the chain (by moving the cursor for example), if you then decide to undo one step FURTHER back, you have to undo all 20 of your previous undos, undo 20 more times, then undo once more. Eventually you end up feeling like you're going up and down a roller coaster of undos.

If you hate this, which you probably do, you could use redo mode, which gimps up Emacs undo/redo to be like any other program's, i.e. you get the same behavior as Microsoft Notepad. (Although when I tried it, it was buggy as heck, failing to undo my actions properly, mangling text from different lines together and whatnot.)

Vim's undo system on the other hand is far better and equally powerful. You have a standard undo / redo option via u and CTRL-R. You also have a second completely different way to undo: you can "go back in time". In the above example, Vim will create two undo "branches" and you can jump from one to the other even if you undo and "break the chain" by typing something new.

Doing :undol lists the branches, in a somewhat confusing format. But you can just pound g- and g+ to go to older / newer text states, or use :earlier with a human-readable time (say, 10s or 5m) and it will take you to that point. These will get you all the power of Emacs' undo stack, with none of the pain or confusion. See also :h undo-two-ways.

This is one of many instances where Vim wins, hands-down. Vim's undo system isn't as reprogrammable as Emacs, but it's so powerful and so perfectly what you'd want that it doesn't matter. This is beautifully typical of Vim. I don't have a year to figure out all the nooks and crannies and edge cases and idiosyncrasies of Emacs undo system, let alone the time it'd take to write a custom, crusty elisp script to buggily re-implement it.

Being an "extensible text editor" doesn't help much when such basic functionality is so broken. Unless you want to play your undo history back like a movie, in rainbow colors, which I don't. I want undo/redo that works.

Dear Iain

You enquired about the Mio P560 a little while ago and this is to let you know that this model will not be released in Australia.

Sorry we are unable to assist you at this time.

Kind regards
mioEshop

Say you're at a party and the only internet is a wireless router and for whatever reason, no one can plug into it. Wireless internet only. You with your fancy laptop are sitting pretty and this is just fine. They your friend shows up lugging his clunky old desktop that only has an ethernet port for internet connectivity. Is he out of luck? Turns out not, because you an come to the rescue!

It's really easy, especially with Ubuntu.

To start with, you need to be a router, so you need firewall software that can do NAT (network address translation). This is part kernel side (NAT and iptables options enabled and modules loaded) and part user space side, in the form of the program 'iptables', so make sure it is installed, which it is by default on Ubuntu (I think).

Now all you really need to do is add two routing rules, one says anything coming on the ethernet port should go through the NAT procedure, which basically means it's IP headers are tweaked to make it look like they originated from your computer and then you send them along to the internet. The second rule helps facilitate this (I'm a little less sure what it does, but it's needed).

In this case we are assuming the interface eth0 is the wired network and eth1 is the wireless. Change as required.

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Next you just need to tell the kernel port forwarding should be turned on, and you can do this through the wonderful /proc filesystem.

echo 1  > /proc/sys/net/ipv4/ip_forward

Now you're pretty much ready to go. Connect to the wireless, presumably though NetworkManager or your wireless toll of choice. Then enable the wired network manually.

ifconfig eth0 up 192.168.1.1

This turns on eth0 with a local network address of 192.168.1.1. Now plug your friend's computer into the ehternet port with a crossover ethernet cable or into a hub and then the hub into you with regular ethernet cable and have them manually pick an address on 192.168.1.* (or whatever local network you chose, it doesn't matter) and set you (192.168.1.1) as the gateway router.

If this is a little much for them or they are running an OS that makes this non trivial, than its really another easy step for you to set up a DHCP server and do all the configuration for them :).

So install dhcpd, on Ubuntu it's 'dhcp3-server', on Gentoo I think it's just 'dhcpd'.

Now we have to configure it. We have to tell it the gateway router, which is us (192.168.1.1), the nameservers (the servers in /etc/resolv.conf) and the pool of IPs to use and what interface/network to listen on.

Open the config file, on Ubuntu '/etc/dhcp3dhcpd.conf'.

The relevant parts are as follows

...
# servers in /etc/resolv.conf
option domain-name-servers 192.168.0.1;

...

# the local network you created
subnet 192.168.1.0 netmask 255.255.255.0 {
        #IPs free to assign
        range 192.168.1.100 192.168.1.200;
        #your computer, the router
        option routers 192.168.1.1;
}

And that's it. (Re)Start the server

/etc/init.d/dhcp3-server restart

And you are now serving all the information your friend's computer will need to automatically connect properly.

They should now be online once they restart their internet connection.

One annoying thing about Ubuntu vs Gentoo is that on Ubuntu, the init system is a bit more kludgy and old fashioned. Any server software installed is automatically configured to start at boot time, forever, which in this case isn't what you want. You only want the dhcpd server to run very rarely, at parties, the rest of the time it's a waste. So we need to turn it's auto starting off. Apparently the /ubuntu init system barely supports this, we have to force it.

update-rc.d -f dhcp3-server remove

Now just turn it on when you need with its init.d file.

I have a friend and fellow member of the Python West Midlands group. Whenever, someone mentions Django, he asks the person "but is it stable?". This has been repeated so much that is has become a local in-joke. However, lets take the question seriously.

To explore this further, we need to ask what does stable mean? I.e. can we replace the word "stable" with something else to provide some more meaningful questions:

• Can Django handle traffic loads?
• Is Django actively maintained, i.e. are bugs being fixed?
• Will the Django API evolve in the most backwards compatible way possible?

Lets take these one at a time.

Traffic loads

Django's frequently-asked-questions says:

Is Django stable?

Yes. World Online has been using Django for more than three years. Sites built on Django have weathered traffic spikes of over one million hits an hour and a number of Slashdottings. Yes, it's quite stable.

The first sentence is a testimony, useful but not a direct answer. In the second sentence, 'stable' is used as in 'strong table', i.e. Django can handle a heavy load, (i.e traffic rather than physical objects).

It goes on to explain that Django has a "shared-nothing" approach, i.e. you can throw more servers directly at whatever bottleneck you have. If the database is the database, then you can add more hardware to the databases, if it is images the are the problem, you can add more hardware to the media servers, and so on.

Is Django maintained?

The next question is whether Django is actively maintained. One simplistic measure is to look at the bug database and see what is going on. In what follows I use "ticket" in the broadest sense, i.e. not just a confirmed code error, but also enhancement requests, invalid bugs and so on.

At time of writing, Django has 1092 open tickets, out of which, 311 are new and unreviewed, I would guess that half of these are valid problems, and half are not.

Meaning the other 781 open tickets have reviewed by someone at least once. Some have been triaged and are waiting to be worked on, some are