Planet Exherbo

March 16, 2019

Wulf C. Krueger

Christmas Eve by Jim Butcher

“Christmas Eve?”, I hear you cry. Why that?! Why pick an unimportant short story from the Harry Dresden universe and write about that?

Simply because it lets me make a point: Harry Dresden is a male chauvinist pig; he’s a misogynist arse. And even an impromptu short story is worth reviewing because the stuff is just that good.

I read the first book, “Storm Front”, expecting nothing, getting something weird. I certainly didn’t really like it – generous 3 stars. I was wondering if it would get any better and read book two. More of the same – but people said, “WAIT! It’s going to get better soon-ish!”.

I read on. Same experience with books three, four (yes, the one that’s supposed to have gotten better!), five… All three stars, all… interesting. Somehow… exciting, though… Harry still is all the above and yet, there are redeeming qualities. Not sure what they are but why ever else would I have read on?!

Book 10, lo and behold, actually did get better! People – for ONCE! – were right! Harry Dresden is annoying but I’m sitting here and can’t wait for book – wait for it – 16 of this weird literary junk food that so entices me, that calls out to me, that sounds like a Siren’s song to me!



This story? It’s just nice. The most important people we’ve come to love from Harry’s neck of the Chicago woods are around, the atmosphere is right and, well, it has Harry…



Hello, I’m Wulf and I can’t get enough of Harry Blackstone Copperfield Dresden.




I am and have been working on quite a few F/OSS projects: Exherbo (Nick: Philantrop), Gentoo (Nick: Philantrop), Calibre plugin iOS reader applications, Calibre plugin Marvin XD, chroot-manager, stuff on github, lots of other projects. If you like my work, feel free to donate. 🙂

by Wulf at March 16, 2019 11:02 AM

March 15, 2019

Wulf C. Krueger

When All Is Said by Anne Griffin

An interesting book, falling short of greatness for me.


I started reading this book with high expectations – interesting setting, highly praised on GoodReads. I really expected to love this book but it was not to be, unfortunately.

Maurice Hannigan, 84, sits in an old hotel at the bar and drinks to the people he loved most and who all have passed away before him, telling us about his relationship with them and, consequently, about his life. The son of an Irish farmer, he, too, sets out on this path and soon by far surpasses his parents and becomes a wealthy and well-respected man.

We learn about the Dollards, formerly major land owners and employing Maurice’s mother and himself, whom he loved to hate for his entire life. He toasts to his brother Tony who died as a young man, his first child, Molly, his sister-in-law Noreen, his son, Kevin, a well-known journalist who has emigrated to the USA and, last but not least, his wife Sadie.

Griffin tells her story, Maurice’s life, in long chapters most of which overlap with each other in narrated time. This gives her room to explore each relationship deeply and allows for concentrating on their respective unique aspects. Unfortunately, the overlap does cause some conflicts that are hard to handle gracefully. Let me give you an actual example:


“It was twenty-seven years later that I learned the origin of the coin from Emily at that special dinner she’d arranged. But even then she’d been holding back. And it wasn’t until a year after that again that I found out the real consequence of its theft. And it was all because of Noreen, would you believe.”


I’m calling this, well, clumsy. You might consider it a narrative device, I don’t like it, sorry.


In between each of those toasts we’re getting a small glimpse into the current time and Maurice’s state of mind which is – at the very least – bordering on depression. By his own admission, Maurice is sleeping very badly (“I’ve stopped sleeping, have I told you? Two hours, three if I’m lucky now and then I’m awake.”), feeling bad and guilty as well as being prone to pondering (“Staring at the ceiling, going over it again, this bloody decision”). He’s tired and pretty much hopeless (“I feel tired and, if I’m honest, afraid.”) – all clinical symptoms of a depression.

Maurice even has people worrying about him (e. g. David, a social worker; Emily, the hotel’s owner; Robert, his notary) but none of them seem to recognise that and help him.

Griffin ends the book as anyone past the first chapter will know – “when all is said”, Maurice tries to take his own life. I’m sure Griffin doesn’t want to “promote” suicide as a way out of acute grief but a bestselling book ending like that does make me feel uncomfortable.



Putting that thought aside, I still didn’t really warm to the book. I can’t even put my finger on the exact reasons: Griffin’s language is believable (if restricted to Maurice’s vocabulary) and vivid. The story itself is plausible – everything in Maurice’s life could have happened just like it is told. Maybe that’s in fact part of my problem with the book – I felt myself nodding and registering the narrated facts but I was rarely touched by the story.

There were a few passages that really gripped me, especially since I’m a father and, obviously, a son myself (“fathers have a lot to answer for”), and made me swallow, e. g. this passage:


“But no, I mean, sorry for the father I’ve been. I know, really I do, that I could’ve been better. That I could’ve listened more, that I could’ve accepted you and all you’ve become with a little more grace.”


Boy, can I relate to that…



Unfortunately, this emotional engagement remains the exception for me in this book. Too rare and, in the end, too late.

To be able to really love a book, it needs to strike a chord within myself. I’m not an analytic reader, you won’t catch me scientifically dissecting a book. The books I’ve loved most so far are those that make me enthuse about them to my wife and children till they send me somewhere else (or leave themselves). There are books (you can find them in my “Favourites” shelf on GoodReads) that make my soul thrive and rejoice (or only mentioning their names brings tears to my eyes) and I cannot help but sing their praise.

I fully expected “When All Is Said” to be such a book but it felt too shallow, it never engaged me emotionally and, quite possibly, maybe it’s all me, myself and I who’s to blame for that.

I guess you’ll have to find out yourself.





by Wulf at March 15, 2019 03:13 PM

March 11, 2019

Wulf C. Krueger

Der Trafikant by Robert Seethaler


My rating: 5 of 5 stars


Swept by a whim of fate from the Salzkammergut into the Vienna of 1937 and 1938, Franz meets Otto Trsnjek, the Trafikant (the operator of a tobacconist’s shop / kiosk), finds his great love in Anezka, and in conversations with Sigmund Freud finds out that he, Franz, knows nothing and that the world is crazy (and sometimes rather unfair, even cruel).

Franz is a nice farm lad – respectful, friendly and (seemingly?) a little “simple-minded”. The lake near his home village and its colour changing with the seasons is his greatest interest until Franz sets off for Vienna – he is largely “untroubled” by world politics, and newspapers are used by him for rather “peripheral” purposes:

“Every now and then, before wiping, Franz had read a headline, a few lines or perhaps even half a paragraph, without, however, ever deriving any particular benefit from it.”

From this amusing set piece, however, one should not conclude that the entire book is just pleasant banter: we are in 1937 and thus in the darkest era of German history in the 20th century, and “Der Trafikant” depicts this from the perspective of Franz, who has a fine sense of right, of justice and of respectful coexistence.

Otto Trsnjek, his mentor in ethical questions as well, already senses very clear-sightedly what is yet to happen:

“‘So far, only a tobacconist’s shop has been defiled. But here and now I ask you: what or who is next?’”

A person like Franz can, indeed must, come into conflict with the exclusion, discrimination and persecution that he experiences quite literally at close quarters in his surroundings, on the one hand in Otto Trsnjek’s case but also in Freud’s. Now one might think Franz would withdraw, perhaps into inner emigration, but that is exactly what he does not do.

Franz alone cannot change the world, so he believes, and therefore chooses the path of “civil disobedience”, of resistance without being part of the organised resistance.

Merely having told this story would already be commendable and, especially today, important. But when it is done in the wonderful language that Seethaler knows how to use like few others, reading it becomes an absolute delight for the reader:

“Franz felt a strange pride rising within him, which burst somewhere behind his forehead and trickled into his head like a warm shower.”

When I read this sentence, it was like a warm linguistic shower; it evoked thoughts of fireworks exploding in the sky, their trails sinking down – quite wonderful!

If one then adds Franz’s personal love story – completely free of kitsch, believable and so true in its complicatedness – only then, taken as a whole, does one truly appreciate this wonderful novel.

One suffers along with the young man when his “Bohemian girl”, his “round, Bohemian queen”, suddenly and unexpectedly simply disappears once again:

“After it had happened and he lay on his back beside her like a little heap of happiness, he imagined how the next morning, right after getting up, he would ask for her hand. But when he woke up, she was gone.”

Rarely has it been described so beautifully, and rarely have happiness and unhappiness been so close together.

In many places, however, the inner tension of this person shows itself in the most linguistically moving way: he really wants nothing but to live and let live, wants to love his girl and simply be, yet cannot, because his own humanity and decency do not allow it.

This book cannot end well, but it ends plausibly. Especially in our times one almost has to read this great book, but it is also an incredible experience that nobody should deny themselves.




by Wulf at March 11, 2019 04:15 PM

March 09, 2019

Wulf C. Krueger

Crooked Letter, Crooked Letter by Tom Franklin


Do you like watching glaciers move? Like, in real-time? Are you a German teacher of English? Do you hate someone very much? (You can even combine the last two!) 

Congratulations, this book is especially for you!  

I actually enjoy a good story, lavishly told in good time. Me possibly drinking coffee or wine and enjoying myself, even losing myself inside a story told slowly, delightfully, perhaps playfully. 

The story-telling here is mooooooooostly slooooooooow. Just slow. Not lavish, not delightful, not playful, just plain old slow.  

Now, slow food? Good stuff! Fast food only makes me fat anyway. Slow food doesn’t mean I have to enjoy chewing on a piece of granite – or reading this book. 

‘f slows the only prob, things mighta haven’t look so bleak. Ain’t just that, sirree, naw. The language. South’rn drawl my ass.  Short sentences. Clipped sentences, eh? Yeah, boy, might work. If yall are proper pen pushers, heh?! Franklin, ma boy, you ain’t a one.  

Ok, enough of this. It’s really annoying. I really, really hated those clipped sentences. They read like they hated their literary life for being, well, emaciated. 

Well, all of that could still have been forgiven (I can almost see the small teaching, pupil-hating, glacier-watching demographic from the introduction nod their approval!) but let’s take a look at the story itself: 

Young Larry (40 today) goes on a date, girl goes missing, people start hating Larry, apart from his “special friend” Silas (at this point, the German teachers get glassy eyes, remembering) and even more special Wallace Stringfellow. The former being a sorry excuse for a friend, the latter being worse.  

At the very beginning, poor Larry gets shot and Silas goes up and down memory lane for about 80% of the book, inspecting their miserable, boring lives in the past. Discovering “shocking” truths and a body. (Not two, though. The mystery that all but ruined Larry’s life never gets solved.)

The first words in chapter seven are basically a clue bat I, unfortunately, didn’t fully appreciate: 

“IT WAS 1982.” 

Yes, and we’re at 41% of the book and feeling like we’ve had to wade through decades of boredom but, wait, those guys are about 40 and no point whatsoever has been reached or made so far – we’re not safe yet, with decades before us yet! (Had I realised earlier and not only now, in hindsight, or given in to my instincts about bad books I might have preferred to watch grass grow but, alas, that exciting exercise has to wait for a worse book.) 

Still chapter seven (did I mention those chapters can take an hour or more of a fast reader’s time, not to speak of the poor sod’s life?!): “IT WAS THE slowest week of his life,” man, you’re taking the words right out of my mouth.

Anyway, why did I even finish this turd? Well, truth be told, my daughter has to read this book for school and being the stupid oaf I’m sometimes maligned to be, I mouthed off to her about how good this book must be, having great reviews on Goodreads and how she should just get reading it! Sorry, my dear Schn…, I’m sure to do it again but for this book you have my sympathy.

Drink, have fun with grass, do whatever you want with your life but don’t make people read this book. 

Oh, and if you really are a German teacher of English, I’m presenting you with a list of seven (because I can!) books better suited for your intended purpose which won’t make your pupils hate you (even more, at least): 


by Wulf at March 09, 2019 05:48 PM

March 04, 2019

Wulf C. Krueger

Die ewigen Toten by Simon Beckett

David “Self-Doubt” Hunter is back – unfortunately not in top form

The forensic anthropologist David Hunter, known from Beckett’s earlier novels in this series, is called this time to the discovery of a body in a former hospital, St. Jude. Once he arrives, it very quickly becomes clear that a bigger secret is hidden behind the dark walls of St. Jude, which are ripe for demolition. This sets the scene for a likewise rather gloomy crime novel with occasional “slips” into almost poetic language and a little humour.

I was looking forward to a new crime novel with Hunter, whom I remembered from earlier volumes as likeable and interesting. That remains so in this book as well, but unfortunately it is massively overshadowed by the permanent quarrels between main and supporting characters – a forensic taphonomist annoys Hunter, Hunter annoys his clients at the police, a frustrated building contractor annoys everyone.

As if that were not enough, Hunter, too, lets all the trouble intimidate him and make him doubt himself. Given his experience and his reputation, however, that is only plausible to a very limited degree and bothered me, at least, quite a lot.

So much trouble and self-doubt simply are no fun any more and noticeably dampen the entire reading pleasure. Completely unnecessarily at that, because Beckett writes – as always – well and at times downright poetically…

“The silence that rests on everything has a different texture than during the day, is contemplative and even more muted. It has an almost palpable weight.”

… paired with interjections (directly following the preceding quote) of dry humour…

“Maybe it’s just me.”


The jumps in time also hamper the flow of reading – a dramatic development is narrated and, at its climax, the next chapter leaps into the future, from where the story is then told in the form of a flashback. That takes out pace and – likewise completely unnecessarily – reduces the suspense.

Right at the end, something happens at which I could only inwardly groan quietly, “not again!”. Completely superfluously and annoyingly, a subplot that would better have simply remained in the past is once again moved into the foreground here.


“Die ewigen Toten” thus leaves me a little at a loss: on the one hand it is a thoroughly successful crime novel, on the other hand the atmosphere is excessively tense and oppressive. Beyond that, the book drags on considerably until the middle, only to rush at the end at a “breakneck gallop” to a moderately believable resolution involving “old hat”.

I believe the time has come for me to say goodbye to David Hunter and Simon Beckett.


by Wulf at March 04, 2019 01:58 PM

March 01, 2019

Wulf C. Krueger

The Test by Sylvain Neuvel


My rating: 3 of 5 stars


The Test – an exercise in superfluousness

“The Test” is a short story about an immigrant taking a citizenship test. What he doesn’t know: It’s all simulated. When a group of terrorists takes everyone hostage at the test and they put him into difficult situations, his behaviour is actually being evaluated with respect to suitability for citizenship.

The story isn’t bad at all but nothing here is new and all of it has already been executed a lot better by other authors. There are even a few things intrinsically implausible that are never explained and before you know it, you’ve finished the very short novella.

It’s a bit like Brecht once wrote: “Indeed it is a curious way of coping: To close the play, leaving the issue open…”

Unfortunately, Neuvel isn’t Brecht and can’t really pull this off as successfully but wrote a novella that’s simply superfluous.

Thus, to quote Brecht to the end, “There’s only one solution that we know: That you should now consider as you go What sort of measures you would recommend To help good people to a happy end.”

The measures I would recommend are simple: Find a better book to read.





by Wulf at March 01, 2019 11:25 AM

February 28, 2019

Wulf C. Krueger

Muttertag by Nele Neuhaus

Muttertag (Ein Bodenstein-Kirchhoff-Krimi #9)


My rating: 4 of 5 stars


Nele Neuhaus on the way to the day before yesterday

I was sceptical when I began reading the new crime novel about the investigator duo Bodenstein/Sander (formerly Kirchhoff). The previous book, “Im Wald”, felt all too routine and lovelessly churned out to me.

This seemed to be confirmed: after a brief introduction, “Muttertag” starts slowly and ponderously with the discovery of an old man’s body. Many characters are introduced, the investigations run in various directions and – at times – this feels tough going and awfully laboured.

In addition, the narrative perspective keeps switching between the main plot, a side strand and an inner monologue of the murderer. That doesn’t really help in finding one’s way around the story and becomes long-winded. Until about halfway through the book.

Only after that do the connections begin to become clearer, and investigation and narration alike pick up speed. For after the long dry spell, Neuhaus finds her way back to the old form of the earlier books, the day before yesterday: it becomes exciting, gripping, dramatic, and what was until then a lukewarm fiction breeze becomes a storm that practically tears the pages over.

A conciliatory ending with niceness and charm rounds off “Muttertag” and, while it doesn’t make light crime fare more nourishing, it does make it appetising and tasty!





by Wulf at February 28, 2019 11:27 AM

February 20, 2019

Wulf C. Krueger

Mittagsstunde by Dörte Hansen


My rating: 4 of 5 stars


Another great achievement, reminiscent of its predecessor.

This time it is about the dying of a village over decades. Along with it, however, it is not “only” the village and its inhabitants that die, but an entire “village culture”: with land consolidation and general urbanisation, traditions and sometimes livelihoods perish.

Hansen succeeds, however, in also portraying within this scenario of decline the hopeful beginning of a further development. It is particularly commendable that Hansen, with great care and restraint, consistently and believably manages to portray the development of character, Ingwer’s in particular, as unfolding organically.

Here, too, the “recognition value” of autobiographical experiences is potentially great: many descriptions in the book made me smile or generally made me think of my own childhood “in the village”.

In this respect I very quickly felt at home in “Mittagsstunde” as well (where I come from, incidentally, it is one hour later, from 13:00 to 15:00) and enjoyed page after page at leisure; with Ingwer, Sönke and Ella I feared, ended and began anew.

It doesn’t quite measure up to “Altes Land” after all, but not much is missing, and I am already looking forward to the next novel.




by Wulf at February 20, 2019 11:24 AM

February 17, 2019

Wulf C. Krueger

Altes Land by Dörte Hansen


My rating: 5 of 5 stars


A novel of the century

“Altes Land” is like a mighty river – at times telling calmly and unhurriedly of the Eckhoff family, Heinrich “Hinni” Lührs and other inhabitants of the Altes Land, then again sweeping and full of power.

Dörte Hansen tells of and about her protagonists with the greatest possible respect and great care. None of them is free of faults, free of guilt, and all are given room to set out their point of view. Thus what is hard to understand does not become better, but it does become more comprehensible. One does not have to like these people, but it is almost impossible to escape them.

That is probably also because one almost feels one knows Hansen’s protagonists: the eco “family managers” whose children are tormented into early-childhood programmes for the gifted, the old farmer who knows that nobody will succeed him any more and who still cannot change his ways, the strange (or at least perceived as such) eternal “newcomer” – they all come from the Altes Land or find themselves in it.

But they are all people who are not only to be found there, but who could believably and true to life live in any kind of small place.

My Vera is called Leane and lives – by now over 90 years old – in a small village somewhere in Germany. She, too, had fled, and when someone was in need, she was there, and her door (the back door, of course!) was always open to me (and not only to me).
I “recognised” so much without ever having been to the Altes Land. Over large parts of the novel I had the feeling that Hansen was writing straight from my soul.

For me, “Altes Land” is a novel of the century, a rare and precious stroke of luck in literature that will accompany me as otherwise probably only Thomas Mann’s Buddenbrooks does.




by Wulf at February 17, 2019 11:28 AM

February 14, 2019

Wulf C. Krueger

You go me on the cookie! by Dana Newman


My rating: 2 of 5 stars


Dear Dana,

I’ve watched your videos on YouTube and really enjoyed myself – I like your style, your charming, fresh, delightful and funny presentation. It’s both greatly amusing and relaxing as well as informative and interesting.
I’ll never forget the video in which you explain your opinions on the USA and their current administration as it deeply moved me and showed a side of you rarely seen.

Your book, too, started strong: Indiana Jones of linguistics – I could almost picture you wearing a fedora and whipping the German language; my native language. I feel thoroughly at home in English as well; I’m having a lifelong love affair with it. 😉

Unfortunately, the book becomes annoying pretty early as you start explaining even small things like quotation marks (“Anführungszeichen gewollt”). If you put something in quotation marks that doesn’t need it, your readers will get your meaning. We’re not daft, don’t spell it out.

At times, it looks like you’re forgetting you’re writing a book and not a blog post or something like that and start YELLING AT US.
Please don’t do that. It’s like taking a sledgehammer to crack a nut (Mit Kanonen auf Spatzen schießen 😉 ).

Another example of “blogisms” are the overused interjections like this one: “Haha! Scherz! Die versteht doch kein Mensch, oder?”
Either something is funny or it’s not. As you write yourself later, chances are high it’s not that funny if you have to explain it. Or, as you put it, “manchmal funktioniert der Witz auch nur für mich”. All too often that’s the case here.

At other times you start lecturing us, e. g. when writing about sentence structure and verb placement. Taking an unfunny longish sentence nobody would ever use doesn’t help either.

Really truly jarring are the factual mistakes, though: Starting with the fact that “Bretzel” is not a word but a simple misspelling of “Brezel” (cf. the Duden as the ultimate authority on German).
You don’t have to know that but your translator should have, and your editor, etc.

And don’t listen to Stefan, please, when it comes to German: The genitive might, unfortunately, not be used as it should be but that’s simply part laziness and part ignorance, sorry!
It really is “wegen des Regens”, not “wegen dem Regen”. If you want to read about this, I strongly recommend Bastian Sick’s “Der Dativ ist dem Genitiv sein Tod” (sic).

By the way, wouldn’t you say “Sehnsucht” translates very well to “longing” or “yearning”?

Anyway, in spite of all of my criticism there is a lot of the 😉 Dana in here; if it’s you accidentally expressing your desire to eat all those animals in the park, or the following poetic passage which evoked images of you in some of your videos:

“[…] I can remember that my heart virtually melted away, quickly composed itself again, only to then leap and dance for joy.”

I’m loving that one. 🙂

In short, Dana, please keep making amazing, funny, touching, beautiful videos. That’s where you shine the brightest.

(Oh, and while I certainly respect you deeply, I wouldn’t hesitate a second to Du’z you! 😉 )

Best regards, Wulf





by Wulf at February 14, 2019 11:35 AM

December 31, 2018

Danilo Spinella

Announcing Exherbo subreddit

I am delighted to announce the opening of the unofficial Exherbo subreddit[1]! You can discuss topics relevant to the distro, take up any problem that you have encountered or share your thoughts and setups. Note that Exherbo development takes place on our Gitlab instance[2] and the critical discussions still happen on the #exherbo IRC channel on Freenode[3]. Furthermore, distro documentation[4] is currently under reorganisation, and we encourage you to open an issue (or even better a Merge Request!

December 31, 2018 03:00 PM

August 28, 2018

Wulf C. Krueger

Age of War by Michael J. Sullivan

Age of War (The Legends of the First Empire, #3)


My rating: 5 of 5 stars


Modest underrated genius

TLDR; Legends of the First Empire are magical pieces of art but accessible to everyone, created by an amazing author and you don’t want to miss out on any of his books if you even remotely consider reading fantasy.


I rarely feel compelled to write a review and it’s actually the first time ever I feel an obligation to write one.

Michael J. Sullivan is the creator of Hadrian and Royce, two unlikely heroes, put together by circumstance, fate or whatever you prefer. I enjoyed those novels greatly and can hardly wait for the next installment. They, both the characters and the books, are clever, entertaining and feature very unobtrusive yet important morals.
Those novels have always hinted at what Michael might accomplish and what, to me, seems to rapidly become his magnum opus: The Legends of the First Empire.

Calling the books of the Legends a prequel would be unfair because even though their narration predates Hadrian and Royce by far, they shine on their own. In Legends, Michael narrates slowly and patiently (at first at least!) how humanity rose to power beyond the elves, dwarves and other races around in his world. Is it actually Michael’s world, though?

I would laud his world building as brilliant and hardly ever matched. That would be wrong, though, because Michael didn’t just invent a world and build upon it; instead he cautiously took our world and gave it a living, breathing history. I can imagine how my great-grandparents lived but that’s pretty much it. Everything that came before them is a rather murky affair; I have read about earlier times and while it (sometimes) sated my curiosity, I never really “connected”. In countless museums I’ve seen in great detail how people from pretty much any period lived and that, too, was interesting on an intellectual level but I never felt pieces falling into place.

And then Michael came along: Starting from the day-to-day life in a small settlement to leveling entire mountains using magic, he tells us how we might have come to be. While Michael is certainly most capable of painting said history with broad strokes, he has an immensely human understanding when to apply the small brushes and use tiny strokes to unerringly add details that fit in so neatly that you might not even notice them.

Every little detail has its place and its meaning. Every character is a small world in itself and fits into the big picture or, actually, the piece of art Michael created (did you try burning something with your mind yet, Michael? 😉 ) and you’ll understand them, feel with them, sometimes want to shout at them or grab and shake them.

Speaking of characters: Michael’s characters are far from Aragorn, Gandalf or any other heroic types. Michael’s heroes are you and me, everyone. Most characters actually do what they do because they simply have no viable alternative. They don’t want power, or lord over anyone or even create things – they just can’t help it.

Now, go and read those books – both you and they deserve it!





by Wulf at August 28, 2018 11:42 AM

June 13, 2018

Mike Kelly

Wunderground Datacollection in OpenNMS

I’ve become a fan of OpenNMS as a general purpose monitoring and datacollection platform.

It has a lot of “enterprise” features that I don’t need for most of my personal stuff, but (IMHO) it does a better job of doing basic service monitoring, performance metric collection, etc than things like Nagios (or other hacks I’ve made in the past).

One thing I’ve done with it is start to collect my local weather data, so that I can graph it side-by-side with data pulled from my thermostat, etc.

Unfortunately, the Weather Underground API is no longer free (“as in beer”) and no longer available, but hopefully this serves as an example of the sort of stuff you can do with OpenNMS.


OpenNMS is able to collect data from a number of sources, including SNMP, and basically anything you can fetch over HTTP.

To get data from Wunderground, we’ll use the XmlCollector. Despite its name, it can also work with JSON, though in this case, Wunderground gives us XML anyways.

We need to update collectd-configuration.xml with two new parts:

   <package name="wunderground-conditions" remote="false">
      <filter>IPADDR != '0.0.0.0'</filter>
      <include-range begin="1.1.1.1" end="254.254.254.254"/>
      <include-range begin="::1" end="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"/>
      <service name="Wunderground-Conditions" interval="300000" user-defined="true" status="on">
         <parameter key="collection" value="wunderground_conditions_home"/>
         <parameter key="handler-class" value="org.opennms.protocols.xml.collector.DefaultXmlCollectionHandler"/>
      </service>
   </package>
   <!-- ... -->
   <collector service="Wunderground-Conditions" class-name="org.opennms.protocols.xml.collector.XmlCollector"/>

This tells OpenNMS that, if we have a node configured with the “Wunderground-Conditions” service, it should trigger this datacollection.

Next, we need to add some specific configuration for the XmlCollector, in xml-datacollection-config.xml:

    <xml-collection name="wunderground_conditions_home">
        <rrd step="300">
            <rra>RRA:AVERAGE:0.5:1:2016</rra>
            <rra>RRA:AVERAGE:0.5:12:1488</rra>
            <rra>RRA:AVERAGE:0.5:288:366</rra>
            <rra>RRA:MAX:0.5:288:366</rra>
            <rra>RRA:MIN:0.5:288:366</rra>
        </rrd>
        <xml-source url="http://api.wunderground.com/api/YOURAPIKEY/conditions/q/SOMEWHERE/Outthere.xml">
            <import-groups>xml-datacollection/wunderground.xml</import-groups>
        </xml-source>
    </xml-collection>

Here, the “name” of the collection matches up with the parameter we defined in the Collectd config.

If you’re lucky enough to still have a Wunderground API key, you just need to put it in place of YOURAPIKEY above, and change the rest of the query to be something like /conditions/q/NY/New_York.xml.

That tells OpenNMS where to get the data from, but we still need one more file to tell it how to parse the data, and decide what to store. We put that in xml-datacollection/wunderground.xml (the import-groups entry above):

<xml-groups>
   <xml-group name="wunderground_conditions" resource-type="node" resource-xpath="/response/current_observation">
      <xml-object name="temp_c" type="GAUGE" xpath="temp_c"/>
      <xml-object name="temp_f" type="GAUGE" xpath="temp_f"/>
      <xml-object name="UV" type="GAUGE" xpath="UV"/>
      <xml-object name="dewpoint_c" type="GAUGE" xpath="dewpoint_c"/>
      <xml-object name="dewpoint_f" type="GAUGE" xpath="dewpoint_f"/>
      <xml-object name="feelslike_c" type="GAUGE" xpath="feelslike_c"/>
      <xml-object name="feelslike_f" type="GAUGE" xpath="feelslike_f"/>
      <xml-object name="heat_index_c" type="GAUGE" xpath="heat_index_c"/>
      <xml-object name="heat_index_f" type="GAUGE" xpath="heat_index_f"/>
      <xml-object name="precip_1hr_in" type="GAUGE" xpath="precip_1hr_in"/>
      <xml-object name="precip_1hr_metric" type="GAUGE" xpath="precip_1hr_metric"/>
      <xml-object name="precip_today_in" type="GAUGE" xpath="precip_today_in"/>
      <xml-object name="precip_today_metric" type="GAUGE" xpath="precip_today_metric"/>
      <xml-object name="pressure_in" type="GAUGE" xpath="pressure_in"/>
      <xml-object name="pressure_mb" type="GAUGE" xpath="pressure_mb"/>
      <xml-object name="visibility_km" type="GAUGE" xpath="visibility_km"/>
      <xml-object name="visibility_mi" type="GAUGE" xpath="visibility_mi"/>
      <xml-object name="wind_degrees" type="GAUGE" xpath="wind_degrees"/>
      <xml-object name="wind_gust_kph" type="GAUGE" xpath="wind_gust_kph"/>
      <xml-object name="wind_gust_mph" type="GAUGE" xpath="wind_gust_mph"/>
      <xml-object name="wind_kph" type="GAUGE" xpath="wind_kph"/>
      <xml-object name="wind_mph" type="GAUGE" xpath="wind_mph"/>
      <xml-object name="windchill_c" type="GAUGE" xpath="windchill_c"/>
      <xml-object name="windchill_f" type="GAUGE" xpath="windchill_f"/>

      <xml-object name="display_location" type="String" xpath="display_location/full"/>
   </xml-group>
</xml-groups>

That should “just work” for any Wunderground location, and should tell OpenNMS to hold on to basically all of the numeric values I saw in the results. All of that gets stored in your time series database of choice (JRobin, RRDtool, or Newts).

It also holds onto the “display_location” string (just the latest value), which you can use to help give a more meaningful label to your graphs.

Finally, we’ll want to build a pretty graph to show that our datacollection is working:

reports=wunderground.conditions.temp

report.wunderground.conditions.temp.name=Temperature
report.wunderground.conditions.temp.columns=temp_f,feelslike_f,dewpoint_f
report.wunderground.conditions.temp.type=nodeSnmp
report.wunderground.conditions.temp.command=--title="Temperature" \
  --vertical-label="Degrees F" \
  DEF:temp_f={rrd1}:temp_f:AVERAGE \
  DEF:feelslike_f={rrd2}:feelslike_f:AVERAGE \
  DEF:dewpoint_f={rrd3}:dewpoint_f:AVERAGE \
  LINE2:temp_f#00ff00:"Temperature " \
  GPRINT:temp_f:AVERAGE:"Avg \\: %10.2lf" \
  GPRINT:temp_f:MIN:"Min \\: %10.2lf" \
  GPRINT:temp_f:MAX:"Max \\: %10.2lf\\n" \
  LINE2:feelslike_f#ee42f4:"Feels Like  " \
  GPRINT:feelslike_f:AVERAGE:"Avg \\: %10.2lf" \
  GPRINT:feelslike_f:MIN:"Min \\: %10.2lf" \
  GPRINT:feelslike_f:MAX:"Max \\: %10.2lf\\n" \
  LINE2:dewpoint_f#42e8f4:"Dewpoint    " \
  GPRINT:dewpoint_f:AVERAGE:"Avg \\: %10.2lf" \
  GPRINT:dewpoint_f:MIN:"Min \\: %10.2lf" \
  GPRINT:dewpoint_f:MAX:"Max \\: %10.2lf\\n"

That gets you a pretty little graph, like this:

Sample Weather Graph

Updated 2019-03-06: note that the Wunderground API appears to be really and truly dead.

by pioto at June 13, 2018 12:54 AM
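
A dry run of the xml-group definitions from the OpenNMS post above, added here as an illustration (it is not the author's or OpenNMS's code): it applies the post's resource-xpath and xpaths to a constructed sample response, checks that the graph's columns are actually collected, and flags the cleartext xml-source URL that carries the API key. The sample response and all function names are assumptions; how OpenNMS itself treats a non-numeric GAUGE is not covered by the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Trimmed copy of xml-datacollection/wunderground.xml from the post.
GROUPS_XML = """
<xml-groups>
   <xml-group name="wunderground_conditions" resource-type="node" resource-xpath="/response/current_observation">
      <xml-object name="temp_f" type="GAUGE" xpath="temp_f"/>
      <xml-object name="feelslike_f" type="GAUGE" xpath="feelslike_f"/>
      <xml-object name="dewpoint_f" type="GAUGE" xpath="dewpoint_f"/>
      <xml-object name="heat_index_f" type="GAUGE" xpath="heat_index_f"/>
      <xml-object name="display_location" type="String" xpath="display_location/full"/>
   </xml-group>
</xml-groups>
"""

# Constructed sample response: element names follow the xpaths in the post,
# the values are made up. "NA" stands in for a field with no reading.
SAMPLE_RESPONSE = """
<response>
  <current_observation>
    <display_location><full>New York, NY</full></display_location>
    <temp_f>71.4</temp_f>
    <feelslike_f>71.4</feelslike_f>
    <dewpoint_f>58</dewpoint_f>
    <heat_index_f>NA</heat_index_f>
  </current_observation>
</response>
"""

# Values copied from the post's xml-source and graph definition.
SOURCE_URL = "http://api.wunderground.com/api/YOURAPIKEY/conditions/q/SOMEWHERE/Outthere.xml"
REPORT_COLUMNS = "temp_f,feelslike_f,dewpoint_f"


def find_resources(root, resource_xpath):
    """Resolve an absolute resource-xpath such as /response/current_observation.

    ElementTree only evaluates relative paths, so the leading root step is
    checked by hand and the remainder is evaluated relative to the root.
    """
    steps = resource_xpath.strip("/").split("/")
    if steps[0] != root.tag:
        return []
    rest = "/".join(steps[1:])
    return root.findall(rest) if rest else [root]


def dry_run(groups_xml, response_xml):
    """Return (gauges, strings, skipped) for one response."""
    gauges, strings, skipped = {}, {}, []
    root = ET.fromstring(response_xml)
    for group in ET.fromstring(groups_xml).iter("xml-group"):
        for resource in find_resources(root, group.get("resource-xpath")):
            for obj in group.iter("xml-object"):
                name = obj.get("name")
                text = resource.findtext(obj.get("xpath"))
                if text is None:
                    skipped.append((name, "missing"))
                elif obj.get("type").lower() == "string":
                    strings[name] = text.strip()
                else:
                    try:
                        gauges[name] = float(text)
                    except ValueError:
                        skipped.append((name, "not numeric: %r" % text.strip()))
    return gauges, strings, skipped


def missing_columns(groups_xml, columns):
    """Graph columns that no xml-object defines, so the graph would stay empty."""
    defined = {o.get("name") for o in ET.fromstring(groups_xml).iter("xml-object")}
    return [c.strip() for c in columns.split(",") if c.strip() not in defined]


def source_findings(url):
    """Flag an xml-source whose credential-bearing path travels unencrypted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return ["%s://%s: the API key in the URL path is sent in cleartext"
                % (parts.scheme, parts.hostname)]
    return []


if __name__ == "__main__":
    gauges, strings, skipped = dry_run(GROUPS_XML, SAMPLE_RESPONSE)
    print("gauges :", gauges)
    print("strings:", strings)
    print("skipped:", skipped)
    print("columns missing from the group:", missing_columns(GROUPS_XML, REPORT_COLUMNS))
    print("source findings:", source_findings(SOURCE_URL))
```
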

May 27, 2018

Ali Polatel

alip's exherbo shortlog 20180527

Here is a summary of my recent Exherbo activity:

May 27, 2018 12:00 AM

January 30, 2018

Danilo Spinella

Termish = malloc(255 * size)

This is the preface for a series of posts on terminal apps, called Termish. But why? I love staying in the terminal. A lot of things are faster to do and I don’t have to move my hands away from keyboard every now and then. The problem is: we don’t always have the right tool to use. Plus, a lot of goodies don’t have visibility. We will explore these programs covering a great range of categories, including a usage example for each one.

January 30, 2018 11:07 PM

January 12, 2018

Wulf C. Krueger

Operation Hail Storm by Brett Arquette

Operation Hail Storm (Hail, #1)


My rating: 1 of 5 stars


I was given this ebook for free by the author.

In short: An eccentric rich guy called Hail kills a North Korean bad guy, the US administration notices, sends Hail on a mission to break stuff and sends a female “supermodel” CIA agent, Kara, with him.

The story is lousy and the entire book has tons of useless techno babble in it that should simply have been scrapped. One of the main characters puts it very nicely:

“That meant nothing to Kara. But she did understand that the ship’s big gun was being loaded and brought online. How it worked, she didn’t care.”

Neither do we, especially not after having been treated to pages after pages about steering drones, activating weapons, etc.

The protagonist, Hail, is a highly annoying character:

Hail is sexist…
“It was so damn difficult to register this face, this body, this female package with a hardcore CIA agent.”
“It was just so damn difficult to take this supermodel for real.”

… a macho with nasty attitudes, seeing himself as “the executioner – an exterminator of vermin”, with a blatant disregard for people in general…

“The lieutenant said, “Even if I wanted to, look, there are people down there.” “They’ll move,” Hail argued. “I mean, if you saw a massive helicopter coming down on your head, wouldn’t you move?””

Then there are the typos and the grammar… One example:

“The truck is here,” Kornev said in English. “I have your man opening the warehouse doors.” He nodded sleepily and tried to stand.

/Kornev/ nodded sleepily? I don’t think so – it’s actually the guy he’s talking to but why would an author have to know how to write…

That’s really all you want to know about this book which consists pretty much entirely of sexism, senseless techno babble, copyright violations (multiple verbatim copies from Wikipedia) and not much else.





by Wulf at January 12, 2018 10:27 AM

Test

dsfsdfsfsd


by krueger at January 12, 2018 08:59 AM

January 13, 2017

Ali Polatel

Shell Meditation

Seek your music. As you please.

    while true; do
        (( z = ${RANDOM} % 100 ))
        (( a = $z % 10 ))
        mpc seek $z% &
        sleep $a
        kill $!
        wait
    done

January 13, 2017 12:00 AM

Bright Side of the Moon

Quick Update: I have a flat! My German was barely enough to make it. And oddly so. You get a flat on your birthday. Hard to say how it could get any fucking better than that.

Oh: I found a home, man. Right down there! #direnkigülsünyüzün. Whoever is passing by, come over. Otherwise. It would. Be rude. Mind. You. Manifestolâmin.

The moon is leaving

Last and least. Here is a poem and a song that describes everything so far. Life. is. just. pregnant.

Call out! The conquest of the sun is near! #martılaraselam #petşişeistemezük.


Pregnant

Hayali Ali, Çengelköy

drawing curtains
hiding fetus
behind venus
all Night long
let it flow
into snow
crystals in a row
mothers will bow
and swallow
their unborn babies!

Do the Evolution: https://www.youtube.com/watch?v=aDaOgu2CQtI

January 13, 2017 12:00 AM

January 03, 2017

Ali Polatel

Endgame Tricks

Chess endgames often look deceptively simple. The reduced number of pieces on the board brings reduced alertness to the player. Thus, it is not uncommon for the adversary to come up with sneaky ways to take advantage of this relaxed state. Thinking in terms of psychology, the most important feature of this relaxed state is the reduced feeling of danger, which in turn leads to reluctance to justify moves with concrete variations. Even though schematic thinking is an important feature of endgame technique, it has a psychological danger where the player's reliance upon natural moves rather than logical ones can lead h/er to trouble when there exists a non-obvious nuisance in the position which establishes a significant distinction between the natural and the logical. At the end of the day chess is purely mathematics and the term natural is nothing but pattern recognition. Yet, no pattern is exactly the same.

One form of blunder which is very common to such a frame of mind is quiescence errors, where the player is deceived by the natural aesthetics of a seemingly winning move sequence and fails to spot a trap which is no further than half a move away. The main reason of the blunder is psychological: the sudden change of excitement coupled with the reduced sense of danger literally blinds the player, who could otherwise easily spot the problem with the move sequence at hand. Below is a simple, illustrative example of such an error. This is an online blitz game where I had the white pieces.

January 03, 2017 12:00 AM

December 27, 2016

Ali Polatel

Envtag 0.6

Envtag-0.6 has been released.

  • Fix alt_getopt and envutils for Lua-5.2 and newer.

tarball: envtag-0.6.tar.bz2
sha1sum: e1e1179198cab15717daea986f0a27cbe3a0e963

December 27, 2016 12:00 AM

December 26, 2016

Ali Polatel

Envtag 0.5

Envtag-0.5 has been released.

  • Add support for Lua-5.2 and newer.
  • Fix --delimiter option of get-xiph and set-xiph commands
  • Update alt_getopt to 0.7
  • Follow symlinks when determining filetype information using libmagic

tarball: envtag-0.5.tar.bz2
sha1sum: 04a8fb00cadd452899620bd168d36a6015b6b772

December 26, 2016 12:00 AM

September 16, 2016

Mike Kelly

First Post in Foreverz

It’s been a while since I’ve made any blog posts…

Here’s a quick update since the last time:

  • I've changed jobs twice.
  • I've had a bunch of kids.

I also switched everything (both blog and website) over to a Jekyll site about… 2 years ago.

I don’t have the time to contribute as much to open source as I used to, but here’s a little tidbit.

Deploying a Jekyll Blog to a Traditional Web Host, using GitLab CI

I’ve been using GitLab at work for a while now, and it’s grown on me. I’ve recently managed to get my entire website fully deployed by GitLab, both to a staging area with their Pages tool, and to my ‘ole reliable pair Networks hosting account.

I still have to audit my repo before I can make it fully public, but here’s the .gitlab-ci.yml I’m using:

# This file is a template, and might need editing before it works on your project.
# Full project: https://gitlab.com/pages/jekyll
image: ruby:2.3.1

before_script:
  - bundle install

test:
  stage: test
  script:
  - bundle exec jekyll build -d test
  artifacts:
    paths:
    - test
  except:
  - master

pages:
  stage: deploy
  environment: staging
  script:
  - bundle exec jekyll build -b /pioto-org -d public
  artifacts:
    paths:
    - public
  only:
  - master

production:
  stage: deploy
  environment: production
  when: manual
  variables:
    JEKYLL_ENV: production
  before_script:
  - bundle install
  - apt-get update && apt-get install -y rsync
  - umask 0077 && mkdir -p /root/.ssh
  - umask 0047 && echo "${PROD_KNOWN_HOSTS}" >> /root/.ssh/known_hosts
  - umask 0077 && echo "${PROD_DEPLOY_KEY}" > /root/.ssh/id_rsa
  script:
  - bundle exec jekyll build -d public
  - rsync -crvz --delete-after --delete-excluded public/ "${PROD_USERNAME}@${PROD_HOSTNAME}:"
  artifacts:
    paths:
    - public
  only:
  - master

Here’s basically how this works:

  • There’s a basic “test” job, which just confirms that everything can actually be built.
  • There’s a “pages” job, which is how things get deployed to GitLab Pages. Every commit on the master branch goes there automatically.
  • There’s a “production” job, which is where the magic happens to deploy my site live:
    • Before the build, we make sure we have rsync, and set up the ssh keys needed for the deploy. The contents of the key files are stored as secure variables.
    • We build with the correct baseurl setting.
    • We build with JEKYLL_ENV=production, so that things like Google Analytics get wired in.
    • We use rsync (with rrsync set up on the other end) to deploy the site.

by pioto at September 16, 2016 05:59 AM
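
The production job's before_script in the GitLab CI post above sets a different umask for each file it writes. This added example (not the author's code; the function names and placeholder file contents are assumptions) replays those three steps in a temporary directory to show the modes they produce, then writes the same files with explicit modes that do not depend on the umask.

```python
import os
import stat
import tempfile

# (umask, kind, path) for the three before_script steps as posted.
STEPS = [
    (0o077, "dir", ".ssh"),               # umask 0077 && mkdir -p /root/.ssh
    (0o047, "file", ".ssh/known_hosts"),  # umask 0047 && echo ... >> known_hosts
    (0o077, "file", ".ssh/id_rsa"),       # umask 0077 && echo ... >  id_rsa
]

# Constructed placeholders, not real key material.
KNOWN_HOSTS = "host.example.invalid ssh-ed25519 PLACEHOLDER-HOST-KEY\n"
DEPLOY_KEY = "PLACEHOLDER-PRIVATE-KEY\n"


def _modes(root):
    """Permission bits of every path named in STEPS, relative to root."""
    return {rel: stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)
            for _, _, rel in STEPS}


def replay(root):
    """Create each path under its umask the way the shell would."""
    for mask, kind, rel in STEPS:
        path = os.path.join(root, rel)
        old = os.umask(mask)
        try:
            if kind == "dir":
                # mkdir requests 0777 and lets the umask trim it.
                os.makedirs(path, mode=0o777, exist_ok=True)
            else:
                # A shell redirection requests 0666 and lets the umask trim it.
                flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
                os.close(os.open(path, flags, 0o666))
        finally:
            os.umask(old)
    return _modes(root)


def audit(modes):
    """Report paths that anyone but the owner can modify, or keys they can read."""
    findings = []
    for rel, mode in sorted(modes.items()):
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: writable by group or other (%04o)" % (rel, mode))
        if rel.endswith("id_rsa") and mode & 0o077:
            findings.append("%s: private key accessible beyond owner (%04o)" % (rel, mode))
    return findings


def write_file(path, data, mode):
    """Write data and force the mode, whatever the current umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)  # also corrects a file that already existed
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def hardened(root, known_hosts, deploy_key):
    """Same three files with explicit owner-only modes.

    Unlike the posted job this truncates known_hosts instead of appending,
    which is equivalent in a fresh CI container.
    """
    ssh_dir = os.path.join(root, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    write_file(os.path.join(ssh_dir, "known_hosts"), known_hosts, 0o600)
    write_file(os.path.join(ssh_dir, "id_rsa"), deploy_key, 0o600)
    return _modes(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        posted = replay(tmp)
        print("as posted:", {k: "%04o" % v for k, v in posted.items()})
        print("findings :", audit(posted))
    with tempfile.TemporaryDirectory() as tmp:
        fixed = hardened(tmp, KNOWN_HOSTS, DEPLOY_KEY)
        print("hardened :", {k: "%04o" % v for k, v in fixed.items()})
        print("findings :", audit(fixed))
```
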

April 17, 2016

Wulf C. Krueger

Rise by Jennifer Anne Davis

Rise (Order of the Krigers, #1)


My rating: 4 of 5 stars

I received this book as part of the Early Reviewers program. As I’ve often received sub-par books, I was somewhat sceptical about this book as well. Turns out I was wrong, to some extent at least.


While “Rise” does have quite a few deus-ex-machina moments (a certain rescue comes to mind), even some (more or less) glaring plot holes (what are the “apparitions” during a trial of our heroine, are some of them actually there, etc. etc.?) and some “why did she do *that* now?!” moments, this book was a real page-turner for me. I’ve lost a not-so-small number of hours of sleep over it, actually, which doesn’t happen all that often.


In spite of the shortcomings I mentioned before, our heroine is likeable, smart (sometimes…) and obviously fairly powerful. Her primary adversary is written as a multi-faceted character (but still fairly shrouded in mystery at the end of the book) and due to that, a fairly interesting figure. As are several side-kicks of the heroine (yes, sorry, I’ve forgotten her name as neither her nor the book are ultimately *that* remarkable 🙂 ) who grow (despite formulaically at times) into their respective roles mostly well.


Another gripe of mine with the book is that certain terms (e. g. “Krigers” from the title) rooted in German are used but mutilated, e. g. in German it’s “Krieger” (and has been for centuries!). So if you use foreign words in an attempt to make your book more “exotic” take at least the time to do your homework and “import” those foreign words properly. (After all, we don’t write “computer” as “Komputer” in German either.)


Anyway, ultimately, for any fan of the fantasy genre (who has read all the genre’s classics) willing to suspend their disbelief a bit more than usual this book is recommended (with some reservations). I’m looking forward to the next instalment in this series.





by Wulf at April 17, 2016 11:06 AM

March 13, 2016

Wulf C. Krueger

Gerrit updated to 2.12.2 / Jenkins updated to 1.652

I’ve updated Gerrit from 2.11.5 to the latest release 2.12.2. These are the user-visible highlights:

  • New Submit Whole Topic setting: All changes belonging to the same topic will be submitted at the same time. Currently disabled because it’s still experimental but I will enable this once it’s considered stable.
  • Support for GPG Keys and signed pushes. You can add your GPG key in Gerrit and git push --signed to use this. This should work right now – but doesn’t for me at least. If you have more success, let me know. 🙂
  • New search operators, e. g. author:, committer:, commentby: and a few others.
  • Your preferences for editing and diff presentation can now be configured in your user settings.
  • Gerrit’s in-line editor has now support for Emacs and Vim key maps.
  • There are several new API calls available for those using their own Gerrit clients (yes, I’m looking at you, Kylie McClain! 😉 ).

You can find the complete release notes for the Gerrit versions here:

Gerrit 2.11.6
Gerrit 2.11.7
Gerrit 2.12
Gerrit 2.12.1
Gerrit 2.12.2

As for Jenkins, I’ve updated it to 1.652 as well. Nothing spectacular there but some bug fixes in the backend mostly; including two security fixes.

The full changelog can be found here.

P. S.: If you’re from Germany, specifically from Baden-Württemberg, Rheinland-Pfalz or Sachsen-Anhalt: STOP READING THIS AND GO TO CAST YOUR VOTE. I did.

P. P. S.: If you (want to) vote for the AfD or other fascist parties: Please let me know. I like to know my enemies.


     

    by Wulf at March 13, 2016 03:11 PM

    December 17, 2015

    Wulf C. Krueger

    A Banquet of Consequences by Elizabeth George

    A Banquet of Consequences (Inspector Lynley, #19)


    My rating: 1 of 5 stars


    Sodium azide? Just take it and be done with it, George.

    This book was so extraordinarily bad, I don’t even know where to start criticizing it.

    I’ve read all the Lynley novels and enjoyed them greatly until one of the protagonists was killed off. From then on, not only a life derailed but the entire series and its author.

    It looks like George would much prefer to become known for “serious” books instead of mysteries but doesn’t understand she simply doesn’t have it in herself to ever really succeed at that.

    Instead, she keeps writing horribly bad books that deserve no praise at all because they fail at being mysteries and serious social criticism both.

    Just calling it a Lynley novel doesn’t really make it one and this certainly was the last sham I’ve fallen victim of.




    by Wulf at December 17, 2015 11:01 AM

    October 27, 2015

    Wulf C. Krueger

    “Where have you been?!”

    As many of you will have noticed, I’ve been “gone” for almost two months. To some of you, I’ve explained my absence but I’d like to present a “compact” version here as well.

    As many of you know, I’ve been the head of my department at work last year. Due to problematic circumstances beyond my control, I decided it best for me to formally resign from said position effective December, 31st 2014.

    Fast-forward to mid 2015: A new head of department has been installed. Naturally, I’m her deputy. The “problematic circumstances” mentioned above have gone even more “challenging” by now. Both my new team lead and I do all we can for everyone involved.

    Mid September 2015 – things get rougher for a lot of reasons. The team lead goes on extended holidays and I’m taking over. There are lots of things to do and way too few hours in a day to work on them – even for a highly skilled and systematically working professional like myself.

    I’m working very long each week (I won’t mention how long exactly to avoid all kinds of trouble 🙂 ) and, thus, have to cut down on all other activities and since Exherbo is the most time-consuming one, it’s the first (but not the last) to suffer from that.

    By now, I have a few effective methods (and professional help) to avoid a burn-out, etc. and so, now that my team lead is back at work, things should slowly be going back to normal. Which – as you can see – effectively means: I’m back. 🙂


     

    by krueger at October 27, 2015 01:52 PM

    Into the Decay by Justin K. Arthur

    Into the Decay (Gods of Destruction, #1)


    My rating: 4 of 5 stars

    This was yet another pleasant surprise from LibraryThing’s Early Reviewers program.


    This is a classic example for not judging a book by its cover because – let’s be honest – the cover looks like a failed experiment.


    The book itself, though, is fairly enjoyable. In fact, the story telling, the writing and the overall style (which *is* somewhat rough at the edges) reminds me of an early Brandon Sanderson.


    The story was interesting and fairly well told. 





    by krueger at October 27, 2015 11:11 AM

    September 01, 2015

    Wulf C. Krueger

    Jenkins updated to 1.627

    Another quick news blurb: I’ve updated Jenkins to 1.627. It has a few bugfixes but nothing really spectacular.

    The full changelog can be found here.

     


     

    by krueger at September 01, 2015 12:29 AM

    August 30, 2015

    Wulf C. Krueger

    Gerrit updated to 2.11.3 / Jenkins updated to 1.626

    I’ve just updated Gerrit to the latest release 2.11.3. These are the user-visible highlights:

    • When you choose a user (e. g. to add a reviewer) inactive accounts are not suggested anymore.
    • If you use side-by-side diffs (why ever would you?!), their performance has been improved
    • If your browser supports the JavaScript clipboard API (e. g. Chromium does) that’s preferred over the old Flash widget.
    • Quite a few bug fixes.

    You can find the complete release notes for Gerrit 2.11.3 here.

    As for Jenkins, I’ve updated it from 1.623 to 1.626 as well. Nothing spectacular there but some bug fixes in the backend mostly.

    The full changelog can be found here.


    by krueger at August 30, 2015 02:06 PM

    August 08, 2015

    Wulf C. Krueger

    Jenkins updated to 1.623

    Quick news blurb: I’ve updated Jenkins to 1.623. It has quite a few bugfixes but nothing really spectacular.

    The full changelog can be found here.

     


     

    by krueger at August 08, 2015 09:37 AM

    July 14, 2015

    Wulf C. Krueger

    Gerrit updated to 2.11.2 / Jenkins updated to 1.620

    This morning, I’ve updated Gerrit to the latest release 2.11.2. These are the user-visible highlights:

    • Automatic suggestions in the search box work again.
    • Several issues that could potentially cause data loss have been fixed.
    • Newer jgit version

    You can find the complete release notes for Gerrit 2.11.2 here.

    As for Jenkins, I’ve updated it from 1.617 to 1.620 as well. Lots of bugfixes were implemented, the most interesting of which concerned the console (log) output that could get truncated.

    The full changelog can be found here.


     

    by krueger at July 14, 2015 03:03 PM

    June 13, 2015

    Wulf C. Krueger

    Gerrit updated to 2.11.1

    I’ve just finished updating Gerrit to the latest release 2.11.1. These are the highlights:

    • You can now link accounts to each other (Settings / Identities / Link Another Identity). This means, if you want to be able to use both Github and Google, just use that button.
      Furthermore, if you accidentally create a new account (you’ll know it happened if you can’t +2 changes for your own repository anymore), you can now just link both yourself.
      If things still somehow go wrong, just let me know and I’ll link your accounts manually.
    • Performance improvements for pushing changes to Gerrit and some other areas
    • Newer jgit version
    • Lots of bugfixes

    You can find the complete release notes for Gerrit 2.11 here.

     


     

    by krueger at June 13, 2015 09:15 AM

    May 08, 2015

    Wulf C. Krueger

    Gerrit updated to 2.11 – being in-line, changing change screens and the return of the king!

    I’ve just finished updating Gerrit to the latest release 2.11. This gives us some amazingly cool new features to play with:

    • The Return of The King or: The Empire strikes back! Authentication using Google’s Oauth2 is supported now. When logging in, you can choose between github (the preferred supplier) or Google.
      (This is going to change once more this year and then hopefully never again. User accounts have been preserved now, though, and will be preserved when I’m done with the authentication changes I’m preparing.)
    • Gerrit is now back where it belongs – in Tomcat. That makes it faster and more reliable.

    You can find the complete release notes for Gerrit 2.11 here.

     



    by krueger at May 08, 2015 05:06 PM

    May 07, 2015

    Wulf C. Krueger

    Great Article about Exherbo’s MultiArch is online!

    Here’s a great article about Exherbo’s MultiArch!

    You’ll find it on these sites as well (please up-vote it if you like it!):

    – http://slashdot.org/firehose.pl?op=view&type=submission&id=4410889

    – https://www.reddit.com/r/linux/comments/357rkz/exherbo_the_first_gnulinux_distribution_to_gain/

    – https://news.ycombinator.com/item?id=9508077

    Others will hopefully follow. I’ll update this post accordingly.



    by krueger at May 07, 2015 08:42 PM

    Gerrit update tomorrow

    Just a short heads-up: I’m going to update our Gerrit installation tomorrow so please expect some downtime.

     


    by krueger at May 07, 2015 05:23 PM

    April 04, 2015

    Ciaran McCreesh

    Paludis 2.4.0 Released

    Paludis 2.4.0 has been released:

    • Bug fixes.
    • We now use Ruby 2.2, unless --with-ruby-version is specified.

    by Ciaran McCreesh at April 04, 2015 11:55 AM

    October 01, 2014

    Ciaran McCreesh

    Paludis 2.2.0 Released

    Paludis 2.2.0 has been released:

    • Bug fixes.
    • Compilation fixes for Clang.
    • Added ‘cave resolve --chroot-path’.
    • Removed the “breaks Portage” feature.

    by Ciaran McCreesh at October 01, 2014 06:05 PM

    February 23, 2014

    Bryan Østergaard

    So I was dox'ed yesterday

    and nobody gives a fuck.

    Here's the associated spam:
    14:53 < ~dd0sb0ss> rip
    14:53 < ~dd0sb0ss> PARTY AT Vølundsgade 31, 3. th. 2200 København N
    14:53 < ~zsasz> ur unicode is broken dd0sb0ss
    14:53 < ~dd0sb0ss> fuq
    14:54 < ~dd0sb0ss> THE OFFICIAL FREENODE PARTYLINE IS REACHABLE AT +4533137886
    14:54 -!- dd0sb0ss was kicked from #freenode by kloeri_ [dd0sb0ss]

    Ignoring the broken unicode that's actually the correct information. Well done on finding this information that has been publicly available (by my own choice) for several years.

    It's never been hard to find me and that's not changing in the future just because of some silly kids either. Unlike these kids I'm actually proud of what I do and I'm more than happy to stand by my actions with my real name and even address widely available.

    And for all those sensible people out there just shaking your heads at this silliness - you're welcome to visit, especially if you are interested in open source software or need a consultant on some project :) I'd suggest contacting me by email first though.

    PS. Thanks to GNAA for this obvious advertising opportunity.

    by kloeri at February 23, 2014 08:49 PM

    October 13, 2013

    Ciaran McCreesh

    September 24, 2013

    Ali Polatel

    A Study in Sydbox

    Because sydbox is a low-level tool which inspects system calls, debugging it becomes cumbersome at times. GDB and Valgrind are two valuable tools which come to the rescue.

    I hit this bug when I was investigating Exherbo bug 369. I wrote a small C program to reproduce the problem:

    #include <errno.h>
    #include <string.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <elf.h>
    #include <sys/auxv.h>
    #include <sys/types.h>
    
    int main(void)
    {
        pid_t pid;
        int pfd[2];
        unsigned long val;
        char buf[1024];
        ssize_t n;
        int auxfd;
    
        /* getauxval() only sets errno on failure, so clear it first */
        errno = 0;
        val = getauxval(AT_SECURE);
        fprintf(stderr, "getauxval(%lu) = %lu (errno:%d %s)\n",
            (unsigned long)AT_SECURE, val, errno, strerror(errno));
    
        if (pipe(pfd) < 0)
            return EXIT_FAILURE;
        pid = fork();
        if (pid == 0) {
            /* 23 is AT_SECURE as defined in elf.h */
            char *const argv[] = {"sh", "-c", "od -t u8 | awk '{if ($2 == 23) print }'", NULL};
            close(pfd[1]);
            dup2(pfd[0], STDIN_FILENO);
            execvp(argv[0], argv);
            _exit(127); /* only reached if execvp() failed */
        } else {
            close(pfd[0]);
            auxfd = open("/proc/self/auxv", O_RDONLY);
            /* forward only the bytes that were actually read */
            while ((n = read(auxfd, buf, sizeof(buf))) > 0)
                write(pfd[1], buf, n);
            close(auxfd);
            close(pfd[1]);
        }
        return 0;
    }
    

    I compiled this small program with gcc and when I ran it under sydbox-1 I witnessed an interesting output:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % ./sydbox ./a.out
    getauxval(23) = 0 (errno:0 Success)
    sydbox@1379972151: bash[26306.0:26305] sys:4|stat| PANIC_KILL
    

    Note there is no prompt at the end. sydbox-1 hung right after logging PANIC_KILL. Before firing up a debugger and starting to debug, let’s gather as much information as possible by checking whether verbose logging will tell us something:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % ./sydbox -m log/console_level:511 ./a.out
    ...
    sydbox@1379972294: [wait(-1, 0x857f) = 28848] WIFSTOPPED,sig=133|(null)|
    sydbox@1379972294: [wait(-1, 0x857f) = 28848] WIFSTOPPED,sig=133|(null)|
    sydbox@1379972294: [wait(-1, 0x857f) = 28848] WIFSTOPPED,sig=133|(null)|
    sydbox@1379972294: bash[28848.0:28847] sys:4|stat| entering system call
    sydbox@1379972294: bash[28848.0:28847] sys:4|stat| PANIC_KILL
    sydbox@1379972294: bash[28848.0:28847] sys:4|stat| trace_kill(sig:9) failed (errno:3|ESRCH| No such process)
    sydbox@1379972294: process 28848 ignored
    

    After a couple of wait(2) loops the stat(2) system call handler - which takes magic commands as input - panicked for some reason and called the function panic() which decided to kill the traced process.

    So far so good. Although this looks unrelated to the bug at hand, it is still a good idea to fix it when you have some free time. Let’s fire up the debugger and try to do a reverse debug. I use cgdb which provides a nice curses frontend to gdb.

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % libtool --mode=execute cgdb --args ./sydbox -m log/console_level:511 ./a.out
    GNU gdb (GDB) 7.6.1
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-unknown-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/alip/src/sydbox/sydbox-1/src/.libs/lt-sydbox...done.
    (gdb)
    

    First let’s break on main(), run the program and when the breakpoint is hit set another breakpoint on sys_stat (the stat(2) system call handler function) and start recording the program instructions and continue.

    (gdb) break main
    Breakpoint 1 at 0x419d98: file sydbox.c, line 1255.
    (gdb) run
    Starting program: /home/alip/src/sydbox/sydbox-1/src/.libs/lt-sydbox -m log/console_level:511 ./a.out
    warning: no loadable sections found in added symbol-file system-supplied DSO at
    0x7ffff7ffa000
    warning: Could not load shared library symbols for linux-vdso.so.1.
    Do you need "set solib-search-path" or "set sysroot"?
    
    Breakpoint 1, main (argc=4, argv=0x7fffffffd428) at sydbox.c:1255
    (gdb) record
    (gdb) break sys_stat
    Breakpoint 2 at 0x411d58: file syscall-special.c, line 150.
    (gdb) cont
    Continuing.
    Do you want to auto delete previous execution log entries when record/replay buffer becomes full (record full stop-at-limit)?([y] or n)
    

    This takes some time. When the record/replay buffer is full, gdb kindly asks you whether you want to continue execution and auto-delete previous log entries or stop instantly and investigate further on. We’re not interested in the previous log entries so let’s just hit [enter] and continue.

    Process record and replay target doesn't support syscall number -1
    Process record: failed to record execution log.
    
    [process 8201] #1 stopped.
    

    This is a weird message by gdb which fortunately I have seen before. sydbox-1 makes use of some rather new system calls which gdb does not support. The newest of those are process_vm_readv and process_vm_writev which were added to Linux as of kernel version 3.2. I’ll add a small one-time tweak to the auto-generated pinktrace/system.h file telling sydbox-1 that these system calls are not supported by the system and let it use the good old ptrace(2) way of reading one long at a time:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % cd ../pinktrace
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % sed -i -e '/^#define PINK_HAVE_PROCESS_VM_\(READ\|WRITE\)V/s/1/0/' system.h
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % grep PINK_HAVE_PROCESS system.h
    #define PINK_HAVE_PROCESS_VM_READV      0
    #define PINK_HAVE_PROCESS_VM_WRITEV     0
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % make clean && make -j
    

    Now let’s return to src/ and rebuild sydbox:

    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % cd ../src
    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % make clean && make -j
    

    Let’s re-run sydbox to make sure the bug is still there:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % ./sydbox ./a.out
    getauxval(23) = 0 (errno:0 Success)
    0000340                   23                    0
    

    This is where my luck kicks in! The bug is not there anymore. Now we know the problem is actually in pinktrace, the underlying library providing thin wrappers around the ptrace(2) system call. We have also narrowed the problem down to one of process_vm_readv and process_vm_writev functions. Now let’s go back to turn the #defines on and retry with gdb:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % cd ../pinktrace
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % sed -i -e '/^#define PINK_HAVE_PROCESS_VM_\(READ\|WRITE\)V/s/0/1/' system.h
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % grep PINK_HAVE_PROCESS system.h
    #define PINK_HAVE_PROCESS_VM_READV      1
    #define PINK_HAVE_PROCESS_VM_WRITEV     1
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % make clean && make -j
    alip@hayalet ~/src/sydbox/sydbox-1/pinktrace (git)-[master] % cd ../src
    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % make clean && make -j
    

    Now we will start recording only after we enter the sys_stat() function:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % libtool --mode=execute cgdb --args ./sydbox -m log/console_level:511 ./a.out
    GNU gdb (GDB) 7.6.1
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-unknown-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/alip/src/sydbox/sydbox-1/src/.libs/lt-sydbox...done.
    (gdb) break sys_stat
    Breakpoint 1 at 0x411d58: file syscall-special.c, line 150.
    (gdb) run
    ...
    sydbox@1379974050: [wait(-1, 0x857f) = 31387] WIFSTOPPED,sig=133|(null)|
    sydbox@1379974050: [wait(-1, 0x857f) = 31387] WIFSTOPPED,sig=133|(null)|
    sydbox@1379974050: bash[31387.0:31386] sys:4|stat| entering system call 
    
    Breakpoint 1, sys_stat (current=0x62fa00) at syscall-special.c:150
    (gdb) record
    (gdb) cont
    Continuing.
    Process record and replay target doesn't support syscall number -1
    Process record: failed to record execution log.
    
    [process 31382] #1 stopped.
    0x00007ffff78fa048 in process_vm_readv () from /usr/lib/libc.so.6
    

    Gdb kindly stopped where the bug is actually located. Let’s stop recording and single-step to see what error this function returns.

    (gdb) record stop
    Process record is stopped and all execution logs are deleted.
    (gdb) n
    Single stepping until exit from function process_vm_readv, which has no line number information.
    _pink_process_vm_readv (pid=31387, local_iov=0x7fffffffbe10, liovcnt=1, remote_iov=0x7fffffffbe00, riovcnt=1, flags=0) at vm.c:199
    (gdb) n
    (gdb) p r
    $1 = -1
    

    The function _pink_process_vm_readv is returning -1 which is the negated errno value EPERM. This makes pink_vm_cread_nul fail with -1, which in turn makes pink_read_vm_data_nul return -1, which in turn makes the syd_read_string function call panic(). Now we have detailed information about how the panic happens.

    Another valuable tool to aid in debugging system call inspection is strace. Let’s check with strace what these stat(2) system calls’ arguments are. I have not updated my strace.git tree for a while and trying to compile it I have found a problem due to an inconsistency between glibc and linux kernel headers which keruspe fixed for pinktrace with commit e1aa031 a week ago:

    alip@hayalet ~/src/strace (git)-[master] % make -j1
    ...
    gcc -DHAVE_CONFIG_H -I.  -I./linux/x86_64 -I./linux -I./linux  -Wall -Wwrite-strings -D__ALIP_WAS_HERE -g -ggdb3 -O2 -march=native -D__PINK_IS_BEHIND_THE_WALL -MT process.o -MD -MP -MF .deps/process.Tpo -c -o process.o process.c
    In file included from process.c:66:0:
    /usr/include/linux/ptrace.h:58:8: hata: 'struct ptrace_peeksiginfo_args' yeniden tanımlanmış
     struct ptrace_peeksiginfo_args {
            ^
    In file included from defs.h:169:0,
                     from process.c:37:
    /usr/include/sys/ptrace.h:191:8: bilgi: originally defined here
     struct ptrace_peeksiginfo_args
            ^
    

    struct ptrace_peeksiginfo_args is a recent addition to ptrace.h headers and both sys/ptrace.h of glibc-2.18 and linux/ptrace.h of Linux define it. Thus defining the same struct twice fails. Fortunately we have seen this error before with the IA64 architecture where the same happens with struct pt_all_user_regs and struct ia64_fpreg.

    Having hit another totally unrelated bug, I have prepared a patch and tested it:

    alip@hayalet ~/src/strace (git)-[master] % make
    gcc -Wall -Wwrite-strings -D__ALIP_WAS_HERE -g -ggdb3 -O2 -march=native -D__PINK_IS_BEHIND_THE_WALL   -o strace bjm.o block.o count.o desc.o file.o io.o ioctl.o ipc.o loop.o mem.o mtd.o net.o pathtrace.o process.o quota.o resource.o scsi.o signal.o sock.o strace.o stream.o syscall.o system.o term.o time.o util.o vsprintf.o  
    make[2]: `/home/alip/src/strace' dizininden çıkılıyor
    make[1]: `/home/alip/src/strace' dizininden çıkılıyor
    

    It compiles and runs fine. Time to prepare a git-format-patch and send to strace-devel mailing list. These git tools make it really easy to prepare patches and submit them. Here is the link to the actual mail.

    So far so good. Another bug fixed and submitted upstream. Let’s go ahead and see whether strace can make sense of those stat(2) arguments:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % ~/src/strace/strace -f -e stat ./a.out
    Process 18698 attached
    [pid 18697] +++ exited with 0 +++
    stat(0x9db090, {...}) = 0
    stat(0x485897, {...}) = 0
    stat(0x485897, {...}) = 0
    ...
    

    Note the -f argument. Remember our panic line started with bash[31387.0:31386]: this does not happen in my small program but in bash, which is spawned right after fork(2). The -f argument of strace follows forks.

    Now the question is what those hex values in the first arguments are. strace usually does a good job of decoding strings, so something weird is going on here. Let’s go one step further and try to trace strace using strace itself. One has to be careful here not to use -f with the first strace because only one process may trace a process at a time and we want the first strace to only trace strace, not our small program a.out. We also use the option -e 'signal=!all' so that we filter some of the unwanted output:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % strace -q -e 'process_vm_readv' -e 'signal=!all' -- strace -e 'signal=!all' -f -e stat ./a.out
    getauxval(23) = 0 (errno:0 Success)
    Process 22286 attached
    [pid 22285] +++ exited with 0 +++
    process_vm_readv(22286, 0x7fff71faed40, 1, 0x7fff71faed50, 1, 0) = -1 EPERM (Operation not permitted)
    stat(0x1938070, process_vm_readv(22286, 0x7fff71fafce0, 1, 0x7fff71fafcf0, 1, 0) = -1 EPERM (Operation not permitted)
    {...}) = 0
    

    The output of the two strace processes is mixed but here we can also see that the system call process_vm_readv() returns the error condition EPERM. Consulting the process_vm_readv(2) manual page:

    EPERM  The caller does not have permission to access the address space of the process pid.
    

    Now, why on earth is ptrace() permitted but process_vm_readv() is not? It is clear that they are two different APIs. It is time to dig into the kernel source. Having walked through the kernel code on lxr for a while, I figured this sydbox-1 PANIC was due to the fact that I have the sysctl kernel.yama.ptrace_scope set to 1, which is YAMA restricting ptrace(). After:

    alip@hayalet ~/src/sydbox/sydbox-1/src (git)-[master] % sudo sysctl kernel.yama.ptrace_scope=0
    kernel.yama.ptrace_scope = 0
    

    Everything works OK and now I am aware of the fact that there is another way to restrict ptrace() and I will work on sydbox-1 to make it handle such errors gracefully (without hanging) but that’s for another night.
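
    An added example, not code from sydbox or pinktrace: one way a tracer can handle this failure gracefully is to treat EPERM or ENOSYS from process_vm_readv() as "fast path unavailable" and fall back to PTRACE_PEEKDATA, one long at a time. The function names, the reader callbacks and the two simulated readers are assumptions made for this example, and the sample string is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <unistd.h>

/* A reader returns the number of bytes copied, or -1 with errno set. */
typedef ssize_t (*vm_reader)(pid_t pid, unsigned long addr, void *dst, size_t len);

/* Fast path: a single process_vm_readv(2) call (Linux >= 3.2). */
ssize_t read_fast(pid_t pid, unsigned long addr, void *dst, size_t len)
{
    struct iovec local = { .iov_base = dst, .iov_len = len };
    struct iovec remote = { .iov_base = (void *)addr, .iov_len = len };
    return process_vm_readv(pid, &local, 1, &remote, 1, 0);
}

/* Slow path: PTRACE_PEEKDATA on aligned words, so no word spans two pages. */
ssize_t read_peek(pid_t pid, unsigned long addr, void *dst, size_t len)
{
    size_t done = 0;
    while (done < len) {
        unsigned long at = addr + done;
        unsigned long base = at & ~(unsigned long)(sizeof(long) - 1);
        size_t skip = at - base, n = sizeof(long) - skip;
        if (n > len - done)
            n = len - done;
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)base, NULL);
        if (word == -1 && errno != 0)
            return done ? (ssize_t)done : -1;
        memcpy((char *)dst + done, (char *)&word + skip, n);
        done += n;
    }
    return (ssize_t)done;
}

enum { VM_OK = 0, VM_TRUNCATED = 1, VM_FAILED = -1 };

/* Copy a NUL-terminated string out of a tracee. EPERM or ENOSYS from the fast
 * reader means the API is unusable here, so switch readers once, not panic. */
int read_tracee_string(pid_t pid, unsigned long addr, char *dst, size_t cap,
                       vm_reader fast, vm_reader slow, int *used_fallback)
{
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);
    vm_reader rd = fast;
    size_t off = 0;
    *used_fallback = 0;
    if (cap == 0)
        return VM_FAILED;
    while (off < cap - 1) {
        /* Stop at the page boundary: the next page may be unmapped. */
        size_t want = page - (addr + off) % page;
        if (want > cap - 1 - off)
            want = cap - 1 - off;
        ssize_t n = rd(pid, addr + off, dst + off, want);
        if (n < 0 && rd == fast && (errno == EPERM || errno == ENOSYS)) {
            rd = slow;
            *used_fallback = 1;
            continue;
        }
        if (n <= 0) {
            dst[off] = '\0';
            return VM_FAILED;
        }
        if (memchr(dst + off, '\0', (size_t)n))
            return VM_OK;
        off += (size_t)n;
    }
    dst[off] = '\0';
    return VM_TRUNCATED;
}

/* Constructed stand-ins so the logic runs without a live tracee. */
ssize_t sim_denied(pid_t pid, unsigned long addr, void *dst, size_t len)
{
    (void)pid; (void)addr; (void)dst; (void)len;
    errno = EPERM;              /* process_vm_readv() = -1 EPERM */
    return -1;
}
ssize_t sim_local(pid_t pid, unsigned long addr, void *dst, size_t len)
{
    (void)pid;
    memcpy(dst, (const void *)addr, len);   /* the "tracee" is our own memory */
    return (ssize_t)len;
}

int main(void)
{
    static const char src[128] = "/constructed/path/argument";
    char out[64];
    int fb, rc = read_tracee_string(0, (unsigned long)src, out, sizeof(out),
                                    sim_denied, sim_local, &fb);
    printf("rc=%d fallback=%d string=%s\n", rc, fb, out);
    return rc != VM_OK;
}
```

    With a real tracee, pass read_fast and read_peek as the two readers; a stopped, ptrace-attached pid is required for the slow path.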

    Confession: I started working at Özgür Yazılım A.Ş. as a Linux system administrator and programmer and I have been using Arch Linux for a while which means I have not been configuring/compiling my own kernel. This was a nice message to me that I should stop being a slacker and return to Exherbo now.

    The Exherbo bug 369 is still not fixed, but I am working on it :-)

    September 24, 2013 12:00 AM

    September 21, 2013

    Ali Polatel

    Killing tracees on exit with sydbox-1

    As I’ve written in my blog post “Recent Linux changes to help sandboxing”, Linux has a few new features which may aid in enhancing sydbox-1.

    One of these features is PTRACE_O_EXITKILL. This is a new ptrace option to kill tracees upon tracer exit. Quoting from ptrace(2):

    PTRACE_O_EXITKILL (since Linux 3.8)
    If a tracer sets this flag, a SIGKILL signal will be sent to every
    tracee if the tracer exits.  This option is useful for ptrace
    jailers  that want to ensure that tracees can never escape the
    tracer's control.
    

    This is a simple feature providing a nice enhancement. sydbox-1 had a similar feature to prevent tracees from running upon an abnormal exit. There are two options, namely core/abort/decision and core/panic/decision, which when given the value killall send SIGKILL to all traced processes upon abnormal exit. There is also the option core/trace/exit_wait_all to make sydbox-1 wait for all tracees to exit before exiting.

    However, doing this in user-space is tricky and error-prone. Considering it’s the tracer who is dying unexpectedly, it may not always be possible to kill tracees which will then run in potentially unsafe mode. You can read this lkml thread and many more to dive into the internals of ptrace(2).

    Thus, sydbox-1 learned a new magic command with the name core/trace/exit_kill to turn this functionality on with the two commits I pushed to master today:

    One restriction is the option core/trace/exit_kill is only useful when it is set upon startup. It does not work with the magic stat() system call. ptrace(2) options are inherited from parent to children thus trying to set this on a per-tracee basis requires one to change the value of the option for the parent and all its children. Although this is possible in theory (sydbox-1 keeps track of parent<->children relationships) it would add some complexity to the program which I do not want unless I see a well-founded reason to do so.
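
    An added example, not sydbox-1's implementation: a tracer that sets PTRACE_O_EXITKILL on its tracee and then exits without any cleanup, so the parent can observe that the kernel delivers the SIGKILL. The function names are hypothetical; PR_SET_CHILD_SUBREAPER (Linux 3.4 or later) is used only so the orphaned tracee can be reaped and its exit status inspected.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Tracer: trace one child, arm PTRACE_O_EXITKILL, then die abruptly. */
static void tracer_main(int report_fd)
{
    int status;
    pid_t report = -1;
    pid_t child = fork();

    if (child == 0) {
        /* Tracee: ask to be traced, stop for the tracer, then idle forever. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(2);
        raise(SIGSTOP);
        for (;;)
            pause();
    }
    if (child > 0 && waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
        if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)PTRACE_O_EXITKILL) == 0 &&
            ptrace(PTRACE_CONT, child, NULL, NULL) == 0)
            report = child;
        else
            kill(child, SIGKILL);   /* option unsupported: clean up by hand */
    }
    if (write(report_fd, &report, sizeof(report)) < 0)
        report = -1;
    _exit(0);   /* no kill(), no wait(): the kernel has to do the killing */
}

/*
 * Returns 1 if the tracee was SIGKILLed once its tracer died, 0 if it
 * survived, -1 if ptrace or PTRACE_O_EXITKILL is unavailable here.
 */
int tracee_killed_on_tracer_exit(void)
{
    int pfd[2], status;
    pid_t tracer, tracee = -1;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */

    /* As subreaper we inherit the orphaned tracee and can reap it. */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) < 0 || pipe(pfd) < 0)
        return -1;
    tracer = fork();
    if (tracer < 0)
        return -1;
    if (tracer == 0) {
        close(pfd[0]);
        tracer_main(pfd[1]);
    }
    close(pfd[1]);
    if (read(pfd[0], &tracee, sizeof(tracee)) != (ssize_t)sizeof(tracee))
        tracee = -1;
    close(pfd[0]);
    waitpid(tracer, &status, 0);            /* the tracer is gone now */
    if (tracee < 0)
        return -1;
    for (int i = 0; i < 200; i++) {         /* allow up to about 2 s */
        pid_t r = waitpid(tracee, &status, WNOHANG);
        if (r == tracee)
            return WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL;
        if (r < 0)
            return -1;
        nanosleep(&tick, NULL);
    }
    kill(tracee, SIGKILL);                  /* survived: do not leak it */
    waitpid(tracee, NULL, 0);
    return 0;
}

int main(void)
{
    printf("tracee killed on tracer exit: %d\n", tracee_killed_on_tracer_exit());
    return 0;
}
```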

    September 21, 2013 12:00 AM

    September 14, 2013

    Alexander Færøy

    Enhancing SSL Security for IRC: DANE Support

    September 14, 2013.

    A couple of weeks ago, I had a discussion with some of the Quakenet coders on how to add SSL support to their IRC daemon, but the discussion ended up being about the false sense of security that SSL potentially can give to the user. The Quakenet hackers have an interesting article online about their thoughts on the matter and while I do understand their points, I do not agree with it being a good enough reason to completely avoid SSL on your IRC network.

    We quickly changed the discussion to be about how the IRC clients should be able to verify that the SSL certificate, received from the server, is not a malicious certificate from someone doing MITM attacks. This was not the discussion I had hoped for, but nevertheless, it was an interesting discussion to participate in and made me spend a few days thinking about their concerns.

    Sadly, as it is today, some IRC clients, including Irssi, only do full SSL certificate validation as an opt-in option (via the -ssl_verify option for /connect in Irssi’s case) rather than having it as an opt-out option, which would be ideal. This is simply because people in the IRC community have historically not wanted to spend money on certificates from the so called “trusted” Certificate Authorities like we have seen on the web. Changing this from opt-in to opt-out is something that I would like to see happen, but it is not something that is going to be easy. We saw how many web sites got a “proper” certificate after the Mozilla guys made it slightly harder to actually mark a self-signed certificate as trusted. This was at first a very annoying move, but these days we rarely see self signed certificates when we browse around the web.

    A few days after the discussion on IRC, I was having dinner at Thomas’s place and I mentioned the discussion with the Quakenet hackers. Thomas knows a lot about security, privacy and DNS, and he is an avid Quakenet user, so it appeared more than obvious to take the discussion with him and hear what his take on the problem was. His suggestion was to take a look at DNSSEC and DANE and see if that could be used as a possible solution.

    Luckily for me, it was exactly what I was looking for.

    A few days after the dinner conversation, I pushed a patch to Irssi’s source code repository that enabled support for DANE validation of SSL certificates.

    Let’s have a look at how DANE works. This will hopefully give you enough knowledge to understand the basics of what is going on. I will document how to compile Irssi with DANE support enabled and test whether it works or not.

    What is DANE?

    DANE is an acronym for “DNS-Based Authentication of Named Entities” and comes with a protocol named TLSA. DANE is an internet standard and you can read the full technical specification of DANE in RFC6698, but hopefully, this article will give you an introduction to get started using DANE for your IRC servers right away. The concepts are totally protocol agnostic so this will work for other protocols than IRC as well, but it does require modification to the client software to work.

    DANE is a simple way of storing information about a certificate in the DNS system. Adding DNSSEC on top of the cake, gives you a very powerful way of validating certificates where the client relies on a trusted source (their ISP’s DNS server and DNSSEC) validating the information from the possibly eavesdropped IRC server.

    DANE is implemented as a new DNS resource record named TLSA. You can see an example of such record here from our test IRC server linked to the IRCsource IRC network:

    $ dig TLSA _6697._tcp.ircsource.baconsvin.org
    
    ; <<>> DiG 9.8.3-P1 <<>> TLSA _6697._tcp.ircsource.baconsvin.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38406
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9
    
    ;; QUESTION SECTION:
    ;_6697._tcp.ircsource.baconsvin.org. IN TLSA
    
    ;; ANSWER SECTION:
    _6697._tcp.ircsource.baconsvin.org. 3358 IN TLSA 3 0 1 9B954A014881108A9058DB80020909FFD8B4C44C6F41C8796B3A1EA4 3A444B94
    
    ;; AUTHORITY SECTION:
    baconsvin.org.      50607   IN  NS  ns1.gratisdns.dk.
    baconsvin.org.      50607   IN  NS  ns5.gratisdns.dk.
    baconsvin.org.      50607   IN  NS  ns3.gratisdns.dk.
    baconsvin.org.      50607   IN  NS  ns2.gratisdns.dk.
    baconsvin.org.      50607   IN  NS  ns4.gratisdns.dk.
    
    ;; ADDITIONAL SECTION:
    ns1.gratisdns.dk.   7417    IN  A       109.238.48.13
    ns1.gratisdns.dk.   36319   IN  AAAA    2a02:9d0:3002:1::2
    ns2.gratisdns.dk.   25447   IN  A       185.10.10.53
    ns3.gratisdns.dk.   31182   IN  A       194.0.2.6
    ns3.gratisdns.dk.   28269   IN  AAAA    2001:678:5::6
    ns4.gratisdns.dk.   31182   IN  A       87.73.3.3
    ns4.gratisdns.dk.   28269   IN  AAAA    2a01:558:4000::3
    ns5.gratisdns.dk.   25447   IN  A       85.17.221.46
    ns5.gratisdns.dk.   28269   IN  AAAA    2001:6f8:3ad::1
    
    ;; Query time: 55 msec
    ;; SERVER: 89.233.43.71#53(89.233.43.71)
    ;; WHEN: Sat Aug 10 13:16:23 2013
    ;; MSG SIZE  rcvd: 393

    Note: If your version of dig doesn’t recognize the TLSA type, you can easily replace it with TYPE52 like this: dig _6697._tcp.ircsource.baconsvin.org TYPE52.

    Notice how the port, 6697, and protocol, TCP, is part of the DNS query. This will be familiar for people who have worked with SRV DNS records.

    The interesting part of the output is the answer section where you see the following:

    3 0 1 9B954A014881108A9058DB80020909FFD8B4C44C6F41C8796B3A1EA4 3A444B94

    What does all of this mean?

    Let’s start out by looking at the format. The format for a TLSA reply is as follows:

    <certificate usage> <selector> <matching type> <certificate association data>

    This means that our certificate usage field is 3, our selector is 0 and our matching type is 1. The associated data is the string "9B954A014881108A9058DB80020909FFD8B4C44C6F41C8796B3A1EA4 3A444B94".

    It is important to understand the semantics of these fields, because they will dictate how and if the client is going to do further validation of the certificate once the client has received it from the IRC daemon.

    Using 3 0 1 means that we are using a self-signed certificate and we will rely on DANE for validating the certificate only (3); that we are using the full certificate and not just the SubjectPublicKeyInfo part (0) and we will be using a hexadecimal encoded SHA256 hash of the DER-encoded certificate (1).

    To fully understand the various options available, I suggest you take a look at RFC 6698 section 2.1.

    Enable DANE Support for your IRC Server

    The first step you will have to take is to ensure that whoever runs your DNS servers supports both DNSSEC and TLSA records. In Denmark, a lot of users are using the free DNS hosting provider GratisDNS. GratisDNS supports both DNSSEC and TLSA records which makes setting this up a lot easier.

    Sadly, GratisDNS’ interface is currently only available in Danish, so you might have to look for other solutions available online.

    Once you have a DNS provider that supports DNSSEC and TLSA records, it is fairly easy to create the records. In our example, the following assumptions are made:

    1. You already have an IRC daemon running with SSL enabled on port 6697 and you have verified that it actually works as expected.

    2. Your certificate is self-signed, so you would like to rely on DANE support only for the validation. This means that the user will not see any self-signed certificate errors when connecting with certificate validation enabled.

    3. We will create a record using a SHA-256 hash of the certificate data. Feel free to use something stronger, if you are more crypto paranoid than I am.

    This means that our TLSA record will end up looking something similar to this:

    _6697._tcp.irc.example.org TLSA 3 0 1 <SHA-256 hash of the certificate data>

    This is basically going to be a description of the exact same setup that I am using for ircsource.baconsvin.org.

    To find the SHA-256 value of your certificate, start by logging onto the server running the IRC daemon and find the directory that contains your certificate files. We are then going to find the SHA-256 value of the DER representation of our certificate:

    $ openssl x509 -in ircsource.baconsvin.org.pem -outform DER | sha256sum
    9b954a014881108a9058db80020909ffd8b4c44c6f41c8796b3a1ea43a444b94  -

    This is the value we will be using in our final TLSA record, which now looks like the following:

    _6697._tcp.irc.example.net TLSA 3 0 1 9b954a014881108a9058db80020909ffd8b4c44c6f41c8796b3a1ea43a444b94

    Once you have added this record to your DNS zones, it is now time to actually test whether it works as expected.
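
    An added example, not part of Irssi or dnsval: a parser for TLSA RDATA as dig prints it, which checks the published record against the local sha256sum output before relying on it. The struct and function names are hypothetical; the two input strings are the values shown above, and only the digest matching types (1 and 2) are handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct tlsa {
    unsigned usage, selector, mtype;   /* the three leading fields */
    unsigned char data[64];            /* certificate association data */
    size_t len;
};

/* Decode hex into out, skipping the blanks dig inserts between chunks.
 * Returns the byte count, or -1 on a bad digit, odd length or overflow. */
static int hex_decode(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;

    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isspace(c))
            continue;
        if (!isxdigit(c))
            return -1;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) {
            hi = v;
        } else {
            if (n == cap)
                return -1;
            out[n++] = (unsigned char)(hi << 4 | v);
            hi = -1;
        }
    }
    return hi < 0 ? (int)n : -1;
}

/* Parse "<usage> <selector> <matching type> <hex data>". Matching type 0
 * (full data, no hash) is rejected in this example. Returns 0 or -1. */
int tlsa_parse(const char *rdata, struct tlsa *r)
{
    int used = 0, n;
    size_t want;

    if (sscanf(rdata, "%u %u %u %n", &r->usage, &r->selector, &r->mtype, &used) != 3)
        return -1;
    want = r->mtype == 1 ? 32 : r->mtype == 2 ? 64 : 0;   /* SHA-256 / SHA-512 */
    n = hex_decode(rdata + used, r->data, sizeof(r->data));
    if (r->usage > 3 || r->selector > 1 || want == 0 || n != (int)want)
        return -1;
    r->len = want;
    return 0;
}

/* Usages 0 and 1 also require normal PKIX validation; 2 and 3 do not
 * depend on the public CA set (RFC 6698 section 2.1.1). */
int tlsa_requires_pkix(const struct tlsa *r)
{
    return r->usage <= 1;
}

/* Compare with a sha256sum-style line whose first token is the hex digest. */
int tlsa_matches_digest_line(const struct tlsa *r, const char *line)
{
    char token[129];
    unsigned char d[64];
    unsigned char diff = 0;

    if (sscanf(line, "%128s", token) != 1)
        return 0;
    int n = hex_decode(token, d, sizeof(d));
    if (n < 0 || (size_t)n != r->len)
        return 0;
    for (size_t i = 0; i < r->len; i++)
        diff |= r->data[i] ^ d[i];          /* no early exit on mismatch */
    return diff == 0;
}

int main(void)
{
    /* Values copied from the dig answer and the sha256sum output on this page. */
    const char *rdata = "3 0 1 9B954A014881108A9058DB80020909FFD8B4C44C6F41C8796B3A1EA4 3A444B94";
    const char *local = "9b954a014881108a9058db80020909ffd8b4c44c6f41c8796b3a1ea43a444b94  -";
    struct tlsa r;

    if (tlsa_parse(rdata, &r) != 0) {
        puts("malformed TLSA record");
        return 1;
    }
    printf("usage=%u selector=%u mtype=%u pkix_required=%d match=%d\n", r.usage,
           r.selector, r.mtype, tlsa_requires_pkix(&r), tlsa_matches_digest_line(&r, local));
    return !tlsa_matches_digest_line(&r, local);
}
```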

    Building Irssi with DANE Support

    This part is tested on FreeBSD 9.2-PRERELEASE. Hopefully, it works for other people as well. Feel free to report any issues you may experience.

    1. Download the dnsval tarball from its download page. This is quite new software so I haven’t run into many distributions that have packages available, so we will assume that we have to compile it ourselves.

      $ mkdir dane
      $ cd dane
      $ fetch http://www.dnssec-tools.org/download/dnsval-2.0.tar.gz
      $ tar zxfv dnsval-2.0.tar.gz
      $ cd dnsval-2.0
      $ ./configure --prefix=/usr/local
      $ make
      $ sudo make install
    2. Next we will download the Irssi source code from the Git repository. We start by cloning the repository into our newly created dane directory:

      $ cd dane
      $ git clone git://git.irssi.org/irssi
      $ cd irssi
    3. We bootstrap the build system:

      $ sh autogen.sh
    4. We configure our test Irssi client:

      $ CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --enable-dane --with-perl=no

      Make sure that somewhere near the end of the output of the configure script contains:

      Building with DANE support ....... : yes

      Otherwise you should take a look at the config.log file and look for places where libval is mentioned and figure out why it doesn’t find the library correctly.

    5. Compile Irssi:

      $ make
    6. Fire up your new Irssi client and give it a spin:

      $ ./src/fe-text/irssi -!
    7. Try to connect to our test server, ircsource.baconsvin.org, using DANE:

      /connect -ssl -ssl_verify ircsource.baconsvin.org 6697

      If everything was done correctly, Irssi will now connect to the server, verify the signature of the certificate using TLSA and allow you to connect without seeing any self-signed certificate errors.

    DANE Enabled IRC Servers

    Here’s a list of IRC servers that support DANE. If you are running a public IRC server and would like to see the server added here, feel free to drop me an email at ahf@irc6.net with information about the server.

    IRCsource

    IRCsource is a small network where people with a general interest in IRC hang out together to discuss and test various new concepts and ideas for IRC.

    • ircsource.baconsvin.org (SSL ports: 6697 and 9999)

    I will do my best to maintain this list of servers supporting DANE in the future.

    Next Stop?

    The next step for me is to start securing server-to-server links within the IRC networks with DANE. This will require some modifications to the IRC daemons themselves. I plan on looking into adding support for DANE in a personal feature branch of ircd-ratbox and some of its derivatives.

    Conclusion

    I am unable to say if DANE support is what the IRC community will be adopting. The IRC community is very conservative in general so time will have to tell.

    If you believe you have found a bug in my code or have any troubles setting DANE up for your own IRC server, I will be more than happy to help. Drop me an email and I will take a look at it whenever I have time. Otherwise, feel free to poke me on IRC. My nickname is ahf and I am available on most of the “larger” IRC networks (EFnet, Freenode, IRCnet and Quakenet).

    All of this code will be available in the upcoming Irssi 0.8.16 release, but if you want to test it right away, my suggestion is to follow my guide from above and use Irssi directly from Git.

    Hopefully, we will see other IRC client and server hackers implementing DANE support in the near future. If you like what you have read here, please help me make this happen by spreading the word about the possibilities available for enhancing the SSL support in IRC clients as well as other SSL based online services.

    This is too easily implementable to be ignored.

    Credits

    I would like to thank Thomas Steen Ramussen for being the originator of the idea and setting up the initial DNS server for testing purposes; Peter Larsen for expeditiously implementing TLSA support for GratisDNS; the IRC6.net guys for late night discussions about DANE; Mickey Fischer for testing the Irssi patches on Gentoo Linux with various options enabled and disabled; the DNSSEC-Tools Project for creating the libraries used and finally the rest of the Irssi team for reviewing the patches and coming up with recommendations for my code.

    September 14, 2013 12:00 AM

    September 02, 2013

    Ciaran McCreesh

    Paludis 1.4.1 Released

    Paludis 1.4.1 has been released:

    • Compatibility with newer Boost.
    • Minor bug fixes and UI tweaks.

    by Ciaran McCreesh at September 02, 2013 01:00 PM

    June 27, 2013

    Ali Polatel

    Sandboxing Skype with sydbox-1

    There are various tools to provide enhanced restriction mechanisms under Linux. In case security is the major concern, these mechanisms need to be at the kernel level, which in turn means specific configurations or in some cases modifications (in the form of patches etc.) to the Linux kernel. Some examples are AppArmor, Security Enhanced Linux, Tomoyo Linux, and Grsecurity. User space solutions are either not as flexible or not as secure depending on the use case scenario.

    We, at Exherbo, need a sandbox for misbehaving package builds. One should note that such misbehaviours can sometimes be rather fun (or not safe for work at times). I used the term misbehaving on purpose because this does not mean the sandbox itself can make the build environment totally secure. Linux has good old UNIX goodies like separate permissions for users, chroots and new shiny stuff like per-process namespaces to implement further restrictions.

    Exherbo’s practical solution to this issue is sydbox. With the upcoming version sydbox-1 - which is yet to be released - this solution can easily be adapted to different use cases.

    As I was browsing through the Arch Linux Wiki pages I stumbled upon the Skype page, which describes different approaches to restrict such closed-source applications.

    I am not claiming that using sydbox-1 for this purpose is secure, but it is most certainly practical. Here is my proof-of-concept attempt at sandboxing Skype using sydbox-1. Below is a sample sydbox-1 profile for use with Skype. You can also find it in sydbox-1.git under the examples/ directory.

    # sydbox profile for Skype4
    
    #
    # Sandboxing
    #
    core/sandbox/exec:deny
    core/sandbox/read:deny
    core/sandbox/write:deny
    core/sandbox/network:deny
    
    core/whitelist/per_process_directories:true
    core/whitelist/successful_bind:true
    core/whitelist/unsupported_socket_families:true
    
    core/abort/decision:killall
    core/panic/decision:kill
    core/panic/exit_code:-1
    core/violation/decision:deny
    core/violation/exit_code:-1
    core/violation/raise_fail:false
    core/violation/raise_safe:false
    
    core/trace/follow_fork:true
    core/trace/exit_wait_all:true
    core/trace/magic_lock:off
    core/trace/interrupt:while_wait
    core/trace/use_seccomp:true
    core/trace/use_seize:true
    core/trace/use_toolong_hack:true
    
    core/match/case_sensitive:true
    core/match/no_wildcard:literal
    
    #
    # Logging
    #
    log/file:
    log/level:511
    log/console_fd:2
    log/console_level:3
    
    #
    # /dev
    #
    whitelist/read+/dev
    whitelist/read+/dev/urandom
    whitelist/read+/dev/stdout
    whitelist/read+/dev/stderr
    whitelist/write+/dev/tty*
    whitelist/write+/dev/pts/***
    whitelist/read+/dev/snd/***
    whitelist/write+/dev/snd/***
    whitelist/read+/dev/video*
    whitelist/write+/dev/video*
    
    #
    # /proc & /sys
    #
    whitelist/read+/proc/cpuinfo
    whitelist/read+/proc/meminfo
    whitelist/read+/proc/stat
    whitelist/read+/proc/net
    whitelist/read+/proc/net/arp
    whitelist/read+/proc/net/route
    whitelist/read+/proc/net/unix
    whitelist/read+/proc/sys/vm/overcommit_memory
    whitelist/read+/proc/sys/kernel/osrelease
    whitelist/read+/proc/sys/kernel/ostype
    whitelist/read+/sys/devices/system/cpu/online
    whitelist/read+/sys/devices/system/cpu
    whitelist/read+/sys/devices/system/cpu/cpu?/cpufreq/scaling_cur_freq
    whitelist/read+/sys/devices/system/cpu/cpu?/cpufreq/scaling_max_freq
    whitelist/read+/sys/devices/virtual/dmi/id/board_name
    whitelist/read+/sys/devices/virtual/dmi/id/board_version
    whitelist/read+/sys/devices/virtual/dmi/id/board_vendor
    whitelist/read+/sys/devices/virtual/dmi/id/product_name
    whitelist/read+/sys/devices/virtual/dmi/id/product_version
    whitelist/read+/sys/devices/virtual/dmi/id/sys_vendor
    whitelist/read+/sys/devices/*/*/*/power_supply/ACAD/***
    whitelist/read+/sys/devices/*/*/*/*/*/*/modalias
    whitelist/read+/sys/devices/*/*/*/*/*/*/video4linux/video?/dev
    whitelist/read+/sys/devices/*/*/*/*/*/idProduct
    whitelist/read+/sys/devices/*/*/*/*/*/idVendor
    whitelist/read+/sys/devices/*/*/*/*/*/speed
    
    #
    # nscd (glibc)
    #
    whitelist/network/connect+unix:/var/run/nscd/socket
    whitelist/network/connect+unix:/run/nscd/socket
    
    #
    # /etc
    #
    whitelist/read+/etc/asound.conf
    whitelist/read+/etc/group
    whitelist/read+/etc/hosts
    whitelist/read+/etc/host.conf
    whitelist/read+/etc/ld.so.cache
    whitelist/read+/etc/ld.so.preload
    whitelist/read+/etc/nsswitch.conf
    whitelist/read+/etc/resolv.conf
    whitelist/read+/etc/ssl/certs/***
    whitelist/read+/etc/fonts/***
    whitelist/read+/etc/gtk-2.0/***
    whitelist/read+/etc/pango/***
    
    #
    # Libraries
    #
    whitelist/read+/lib*/***
    whitelist/read+/usr/lib*/***
    
    #
    # Share dirs
    #
    whitelist/read+/usr/share/alsa/***
    whitelist/read+/usr/share/ca-certificates/***
    whitelist/read+/usr/share/locale/***
    whitelist/read+/usr/share/zoneinfo/***
    whitelist/read+/usr/share/fonts/***
    whitelist/read+/usr/share/icons/***
    whitelist/read+/usr/share/pixmaps/***
    whitelist/read+/usr/share/texmf-dist/fonts/***
    whitelist/read+/usr/share/X11/***
    
    #
    # Xorg/X11 & dbus
    #
    whitelist/network/connect+unix-abstract:/tmp/.X11-unix/**
    whitelist/network/connect+unix-abstract:/tmp/.ICE-unix/**
    whitelist/network/connect+unix-abstract:/tmp/dbus-*
    whitelist/network/connect+unix:/run/dbus/system_bus_socket
    whitelist/network/connect+unix:/var/run/dbus/system_bus_socket
    
    #
    # /tmp
    #
    whitelist/read+/tmp/qtsingleapp-*
    whitelist/write+/tmp/qtsingleapp-*
    whitelist/network/bind+unix:/tmp/qtsingleapp-*
    whitelist/network/connect+unix:/tmp/qtsingleapp-*
    
    #
    # Skype
    #
    whitelist/read+/etc/Skype.conf
    whitelist/read+/etc/Skype/***
    whitelist/read+/usr/*bin/skype
    whitelist/exec+/usr/*bin/skype
    whitelist/exec+/usr/lib*/skype/skype
    whitelist/exec+/opt/skype/skype
    whitelist/read+/opt/skype/***
    whitelist/read+/usr/share/skype/***
    
    #
    # Host specific configuration under /home
    #
    whitelist/read+/home/*/.Xauthority
    whitelist/read+/home/*/.ICEauthority
    whitelist/read+/home/*/.gtkrc*
    whitelist/read+/home/*/.config/Trolltech.conf
    whitelist/write+/home/*/.icons/***
    
    #
    # Skype specific configuration
    #
    whitelist/read+/home/*/.asoundrc
    whitelist/read+/home/*/.config/Skype/***
    whitelist/write+/home/*/.config/Skype/***
    whitelist/read+/home/*/.Skype/***
    whitelist/write+/home/*/.Skype/***
    
    #
    # Temporary files & caches
    #
    whitelist/read+/home/*/.cache/fontconfig/***
    whitelist/write+/home/*/.cache/fontconfig/***
    whitelist/read+/home/*/.compose-cache/***
    whitelist/write+/home/*/.compose-cache/***
    
    #
    # Networking
    #
    # note: allow IPv4 and IPv6 by default since Skype operates on a P2P model.
    # You may further restrict access by only allowing access to SKYPENET,
    # Akamai and Microsoft Corporation together with your contact's IP
    # address.
    #
    whitelist/network/bind+LOOPBACK@0
    whitelist/network/connect+inet:0.0.0.0/0@0-65000
    whitelist/network/connect+inet6:::0/0@0-65000
    
    #
    # Allow some external programs
    #
    whitelist/exec+/usr/*bin/xdg-open
    exec/resume_if_match+/usr/*bin/xdg-open
    

    A couple of things to note:

    1. sydbox-1 is still in heavy development and the file format may change.
    2. This approach is not secure. Author claims no responsibility if Skype kills your goats.
    3. Three is the loneliest number since number two which is the loneliest number since the number one.

    Happy hacking!

    June 27, 2013 12:00 AM

    June 13, 2013

    Ali Polatel

    I Can Not Tell

    As the Garip poet Orhan Veli once wrote,

    Can you hear me if I cry,
    In my verses;
    Can you touch,
    My tears, with your hands?
    
    I hadn't known how songs were so lovely,
    And yet the words so inadequate
    Before I had fallen into this suffering.
    
    I know there is somewhere
    To say anything about which is possible;
    I am very close, I can hear;
    I can not tell...
    

    in his poem Anlatamıyorum (I Can Not Tell, translated by myself on 2013-06-13). Sometimes a photo may describe what we can’t describe with a thousand words.

    You know your government has failed, when your grandma starts to riot!

    Long story short, you know your government has failed, when your grandma starts to riot…

    Occupy Gezi! Diren Gezi!

    Update

    • 2013-06-14: Translation of the first quatrain was slightly modified.
    • 2013-06-16: More translation fixes.

    June 13, 2013 12:00 AM

    May 16, 2013

    Ciaran McCreesh

    Paludis 1.4.0 Released

    Paludis 1.4.0 has been released:

    • Tweaked ‘cave resolve’ output to add blank lines.
    • Support for libarchive 3.1.2.
    • Compatibility fixes for GCC 4.8.

    by Ciaran McCreesh at May 16, 2013 01:29 PM

    March 25, 2013

    Ciaran McCreesh

    Paludis 1.2.0 Released

    Paludis 1.2.0 has been released:

    • Bug fixes.
    • Dep specs can now use ‘[.key!=value]’. The behaviour of ‘<’ and ‘>’ has changed: for key types where order comparisons don’t make sense, the match now always fails.
    • Various compiler-compatibility fixes.

    by Ciaran McCreesh at March 25, 2013 06:51 PM

    March 04, 2013

    Bryan Østergaard

    Looking for a few more volunteers

    It's that time of the year.. Only four days left before the big Danish Open Source Days conference starts and we're tying up all the loose ends as quickly as possible.

    Things are looking great from my point of view but one of the things we need to sort out before the conference opens is all the different helper roles. And we're still looking for good people wanting to be an active part of Open Source Days and get to know all the other great people involved.

    If you would like to take part in this you can sign up at Join Us and in return for helping out you get free entrance to the conference including the social event Saturday night.

    by kloeri at March 04, 2013 11:09 PM

    February 22, 2013

    Ali Polatel

    Recent Linux changes to help sandboxing

    Linux kernel 3.8 has been released this week which reminded me to write about recent Linux kernel changes which may help in improving sydbox. Below is a short summary of new, and not so new, features merely to get myself to stop slacking and start coding again.

    Per-process namespace support

    Per-process namespace support is completed with linux-3.8. This feature provides a nice way to separate resources on a per-process basis: for example, a process might see one set of mountpoints, PID numbers, and network stack state, while a process in another namespace might see others. For more information see the Linux-3.8 Changes page on kernelnewbies and the Namespaces in Operation articles on LWN.

    PTRACE_O_EXITKILL

    New in linux-3.8, this ptrace(2) option makes the tracer send SIGKILL to tracees on exit. This is useful for ptrace(2) based sandboxes for which a resumed tracee is a security risk. See the related commit for more information.

    SECCOMP_MODE_FILTER

    This is by far my favourite feature. Introduced with Linux kernel 3.5 and also known as seccomp mode 2 or user filters, this feature lets you add basic system call filters expressed as Berkeley Packet Filter programs. Even though sydbox still has to use ptrace(2) to do more sophisticated argument checking, this feature removes the need to stop the tracee on every system call entry and exit, which is a PITA, especially when tracing multithreaded programs. sydbox-1 takes advantage of this feature using SECCOMP_RET_TRACE, which signals the tracer with the new ptrace(2) event PTRACE_EVENT_SECCOMP.

    PTRACE_SEIZE & PTRACE_INTERRUPT

    Probably even older than seccomp user filters, these ptrace requests allow the tracer to attach to the tracee without trapping it or affecting its job control states. See http://thread.gmane.org/gmane.linux.kernel/1136930 for more information.
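
    The mechanisms described above working together, as an added example that is not taken from the original post or from sydbox: a tracer attaches with PTRACE_SEIZE, sets PTRACE_O_EXITKILL and PTRACE_O_TRACESECCOMP, and is woken only for the one system call the tracee's filter marks with SECCOMP_RET_TRACE. The function names, the pipe handshake, the tag value 0x51 and the choice of getppid(2) as the "sandboxed" call are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
#define TRACE_TAG 0x51u /* constructed value, delivered via SECCOMP_RET_DATA */

/* getppid(2) stands in for a sandboxed call; all else runs without a stop. */
static struct sock_filter FILTER[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | TRACE_TAG),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(FILTER) / sizeof(FILTER[0]))

/* Tracee: wait until the tracer has seized us, install the filter, then call. */
static void run_tracee(int gate, int calls) {
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = FILTER };
    char c;
    if (read(gate, &c, 1) != 0) /* 0 means EOF: the tracer is attached */
        _exit(2);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        _exit(2);
    for (int i = 0; i < calls; i++)
        syscall(SYS_getppid);
    _exit(0);
}

/* Tracer: number of seccomp stops that carried TRACE_TAG, or -1 on failure. */
int count_traced_calls(int calls) {
    int gate[2], status, seen = 0;
    pid_t pid;
    if (pipe(gate) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(gate[1]);
        run_tracee(gate[0], calls);
    }
    close(gate[0]);
    /* SEIZE attaches without stopping; EXITKILL kills the tracee if we die. */
    if (ptrace(PTRACE_SEIZE, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESECCOMP | PTRACE_O_EXITKILL)) < 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        close(gate[1]);
        return -1;
    }
    close(gate[1]); /* EOF on the pipe releases the tracee */
    while (waitpid(pid, &status, 0) == pid) {
        long sig = 0;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? seen : -1;
        if (status >> 8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            unsigned long tag = 0;
            ptrace(PTRACE_GETEVENTMSG, pid, NULL, &tag);
            seen += (tag == TRACE_TAG);
        } else if (status >> 16 == 0) {
            sig = WSTOPSIG(status); /* ordinary signal stop: re-inject it */
        }
        ptrace(PTRACE_CONT, pid, NULL, (void *)sig);
    }
    return -1;
}

int main(void) {
    return count_traced_calls(3) == 3 ? 0 : 1;
}
```

    On x86-64 a real policy also has to handle x32 system call numbers, which report the same AUDIT_ARCH_X86_64 value; this filter lets them fall through to SECCOMP_RET_ALLOW.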

    February 22, 2013 12:00 AM

    February 21, 2013

    Bryan Østergaard

    20.000 minutes

    20.000 minutes sounds like a lot but for sufficiently large projects with sharp deadlines it really isn't.

    Converted to a more manageable time scale it's roughly two weeks or roughly how much time until the Open Source Days conference opens. As some of you might know this is the second year I'm involved in organising this big open source conference.

    And just like last year it's an awesome experience but also very stressful with all the small things needing to fall into place for the conference to run smoothly. And unlike last year I haven't been sick so I'm getting to enjoy the full experience :)

    Having only two weeks left means really long hours every day while we scramble to close all the outstanding issues. But it also means we get to see a huge amount of things fall into place each day.

    Some of the things I'm excited about today:

    • Most of the talks are now announced on the website

    • The keynote talks are all confirmed. More on that later.

    • We've added several more sponsors

    The next two weeks should be very exciting and I'm sure the conference is going to be even better this year.

    See you all at the conference!

    by kloeri at February 21, 2013 11:13 PM

    February 15, 2013

    Ali Polatel

    The Wall

    As I took a sip from my tea, the room felt a bit different. Different in such a way that it enabled me to let my unconscious take over.

    The wall I was leaning against seemed to change. It was turning into a door. A door made of small curved mirrors… All paintings on the wall faded away slowly. There I was, left alone with a door to enter. Was this a question of bravery? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a baby felt giving birth to her first mother. Before I could change my mind, I quickly grabbed my book and opened the door. I was expecting a divine forest, green and huge. Quite the contrary, the door led me to another room with mirrors on all of its walls, ceiling and floor. I could see the reflection of everything in the room but not myself. The door had vanished and my book looked a lot different to me. What was it that I was to do here? What exactly did I leave behind? This thought made me smile, like a mother smiled while giving birth to her own mother…

    Leaving my book in a corner of the room, I observed the mirrors. Why was my reflection not there? In a room like this, how could I see what differences this journey might have made in me? After a couple of minutes, I was surprised to discover that I couldn’t see the reflections of the things that “touched” me. My clothes, my shoes, my earring… All became visible as I took them off. “The book!” I said, “where is it?” turning into the corner where I left it. Its reflection was still there. Looking at me and smiling like my mother smiled, giving birth to my grandmother…

    Somehow, I knew the cure was in this room but where? The endlessness, which the mirrors have formed, gave me an idea. Why was I thinking that the other side of the mirror was inaccessible to me? “Temptation, temptation…” So I heard the voices sing. I must admit, I felt kind of scared. Like a warrior felt, being slain by his new-born baby… Feeling I might have found the cure, I took a step into the mirror. There I saw my “other” self sitting in that room, looking at the wall, writing a truly odd story… I can’t say he was astonished though, seeing me standing against him, naked.

    February 15, 2013 12:00 AM

    February 02, 2013

    Ciaran McCreesh

    Paludis 1.0.0 Released

    Paludis 1.0.0 has been released:

    • EAPI 5 style subslot specs are allowed in user dependency specs.
    • We now support DWARF compression.

    by Ciaran McCreesh at February 02, 2013 03:14 PM

    November 16, 2012

    Ciaran McCreesh

    Paludis 0.82.0 Released

    Paludis 0.82.0 has been released:

    • Various EAPI 5 related fixes.

    by Ciaran McCreesh at November 16, 2012 11:46 PM

    October 23, 2012

    Ali Polatel

    Easy on the Eyes

    Writing with the intention to grow up:

    Rule 1: Stay out of the magical world. This your subconscious speaking.

    Rule 2: Never underestimate the power of goats.

    Rule 3: Pink Floyd after midnight is easy on the eyes.

    Rule ?: Numbers are bad.

    Rule: Actually they have no reason whatsoever to even exist.

    ?: No rule, no pain.

    Love: You are on the right path, Watson.

    Do not define sizeof(void *). Because in what you would call a primitive world you would only need love, pure, endless love.

    Ooomray!

    Now look at the sky, look at the river. Isn’t it good?

    If not, return to rule 3.

    October 23, 2012 12:00 AM

    October 19, 2012

    Ciaran McCreesh

    Paludis 0.80.2 Released

    Paludis 0.80.2 has been released:

    • Bug fixes.
    • Added ‘cave print-unmanaged-files’.

    by Ciaran McCreesh at October 19, 2012 02:17 PM

    October 13, 2012

    Ciaran McCreesh

    September 29, 2012

    Ali Polatel

    sydbox-1 is nearly there

    Nearly two years after I began working on a sydbox replacement[1], she is finally nearing completion. This post is meant both as a preliminary announcement and a help request.

    sydbox-1 has been in ::arbor for some time as sydbox-scm[2] and paludis supports it since version 0.78.1. The git repository is hosted on exherbo.org[3]. Before going on to tell you about her I want to kindly ask you to help me with some tasks:

    • Proofread the manual page[4]. I am still unsure about the configuration file format and the magic command API so now is the time to share your ideas and views to help make sydbox-1 better.

    • For brave souls, unmask it and install it. Especially important is to run its tests. To do that you have to set the environment variable PALUDIS_DO_NOTHING_SANDBOXY[5]. You will notice that it doesn’t depend on pinktrace anymore. This is because sydbox-1 includes a rewrite of pinktrace which will eventually be released as pinktrace-1.

    • Once again for brave souls, use it on your system. I am especially interested in how it performs during the src_test phase of exhereseses so please make sure tests are enabled if you do so and report back any issues (accompanied with a poem of your choosing!). It is always a good idea to have a pbin of the package in question to easily roll back changes in case you hit a severe bug[6].

    If you are bored, you can stop reading now. I will go on to introduce sydbox-1.

    Why?

    I am not a professional programmer. However, I have gained a lot of experience from writing sydbox-0 and watching it perform as the default sandbox of Exherbo. sydbox-0 has many shortcomings and drawbacks which made it rather hard to maintain, such as:

    • sydbox-0 was based on the now unmaintained catbox initially. There are many design issues which didn’t fit with our use cases for Exherbo.
    • Being GPL-2 licensed it was problematic to share code with the well-established ptrace(2) based projects like strace and truss (of FreeBSD). I have partially solved this problem by writing pinktrace - a BSD3 licensed library providing thin wrappers around certain ptrace(2) calls but this was not enough. (See below about pinktrace-easy)
    • Being a crucial part of the system set, dependencies like GLib were obviously a bad idea.
    • Over the years as sydbox-0 codebase grew there were unforeseen code maintenance problems making it difficult to add new features.

    Features of sydbox-1

    Below are main features of sydbox-1. You may consult the manual page³ for more information.

    • No external dependencies. GLib dependency is gone for good along with the ini-format configuration file. sydbox-1 uses JSON format for configuration.
    • Most of the ptrace(2) work is now abstracted by a callback-driven higher-level BSD3 licensed library called pinktrace-easy. This makes both the maintenance easier and code sharing with strace less problematic.
    • Well designed, well documented magic command API which fits in with the configuration file format and provides an easier experience during command line invocation.
    • Process dump can be obtained by sending sydbox-1 the SIGUSR1 signal (or SIGUSR2 for a more verbose dump). This makes it easier to debug sydbox hangs.
    • Better signal handling to make sydbox more immune to interrupts.
    • More powerful and configurable rsync-like pattern matching.
    • Support for secure computing mode aka seccomp[7]. This requires Linux-3.5 or newer and CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y kernel configuration options. sydbox-scm exheres has a seccomp option to pass --enable-seccomp to econf. This is one of the key features which may make sydbox-1 faster compared to sydbox-0 because in this mode sydbox only traces the sandboxed system calls. Tracing other commonly used system calls - think threaded applications calling sched_yield() - is therefore avoided.
    • Logging is easier to filter. This still needs some work though.
    • Port numbers can now be entered as service names which will be queried from the services(5) database.
    • Unsupported socket families can be whitelisted/blacklisted.
    • New magic commands exec/resume_if_match and exec/kill_if_match are added. These commands may be used to resume or kill matching binaries upon successful execution. Paludis has esandbox resume and esandbox kill commands as an interface for exheres-0 (Make sure esandbox api returns 1 before using them). See systemd.exlib as an example on how we can now restart services from within exhereseses without worrying about sandboxing.
    • Read sandboxing to prevent unwanted filesystem reads.
    • Black listing is now also supported in addition to white listing. This may be used to make an “allow by default and black list unwanted accesses” sandboxing policy.
    • Many bugs fixed, some new system calls are sandboxed.

    How can I thank you?

    Send me poems[8]!

    1. She used to be called pandora in the early days.

    2. Not sydbox-0-scm which is the old one.

    3. http://git.exherbo.org/sydbox-1.git/

    4. http://dev.exherbo.org/~alip/sydbox/sydbox.html

    5. Eventually sydbox-1 will install its tests so this phase is going to be more convenient.

    6. sydbox-1 has been tested for some time by kind people and I have heard about only one such issue so far but it is always a good idea to be cautious.

    7. http://lwn.net/Articles/475043/

    8. http://dev.exherbo.org/~alip/sydbox/poems.txt

    September 29, 2012 12:00 AM

    September 22, 2012

    Ciaran McCreesh

    Paludis 0.80.0 Released

    Paludis 0.80.0 has been released:

    • EAPI 5 is supported.

    by Ciaran McCreesh at September 22, 2012 06:50 PM

    September 07, 2012

    Ciaran McCreesh

    Paludis 0.78.2 Released

    Paludis 0.78.2 has been released:

    • Bug fix: || ( ) dependencies under a non-enabled label are now handled sensibly.
    • Bug fix: the resolver no longer attempts to create binaries for accounts.
    • Bug fix: 0-scm is now ordered correctly.

    by Ciaran McCreesh at September 07, 2012 09:02 PM