Noodles' Emptiness

I've been talking about replacing my laptop since November. Now I've somewhat forced the issue by giving away my R200, leaving myself with just the EEE 901. I'm not planning to bring a desktop with me to California (well, I might ship bits for a media box, but probably not even a complete machine), so I've been looking more seriously at what my options are.

I like smaller laptops; the R200 is 12", I had a Compaq N200 previous which was 10". There seem to be a number of 13" options that are light, so I'm prepared to look at those.

This is going to be my main machine, so I need something with some grunt. A decent amount of RAM with a reasonable processor. I'm probably prepared to take the price hit in order to get SSD. Also a decent resolution screen along with built in wifi (does anything not have this these days?) + 3G would be nice too.

Of course, it turns out I can't have all of this. In particular the US market seems pretty dire for 3G support (no, something locked or that can't take a GSM SIM doesn't count. I expect to travel.) The UK market is a bit better, but there are still no perfect answers.

Lenovo X201s

(It's really hard for me to think of this as a Lenovo rather than an IBM Thinkpad.)

This comes in a 1440x900 resolution variant, which is nice for 12". I can have a touchpad too. What I can't have is 3G; with the 1440x900 screen there's apparently no space for the 3G antenna. Doh! Also Thinkpads are *ugly*.

Sony Vaio VPCZ12Z9E/X

I want this. Core i7, 1920x1080 screen, SSD, 3G (Gobi), sub 1.5Kg.

But. Sony. Ridiculously expensive. If it was half the price and made by Lenovo or Toshiba I'd have bought one by now. As it is there's no way I can reasonably expect it to last 3 years (and really I'd want 5 given the cost).

Toshiba R700-155

I've been extremely happy with my R200 and spent a long time eying the R500/R600. The -155 is a Core i7, 1366x768 screen, 13", 3G, sub 1.5Kg.

2 problems. One, I'd like a better resolution if I'm going to 13" - both the Lenovo and the Sony manage that. Secondly, and more of an issue, nowhere seems to have them in stock.

HP Elitebook 2540p

This has potential. Seems to be a little heavier than the other options, and it's only a 1280x800 screen (but in 12"). Available with Core i7, SSD & 3G. Oh, except once again stock is a problem.

Have I missed anything else out there? I can probably buy from the UK or US with equal ease.

In a week I'll be in California. I'm not packed, though I've been spending a lot of time trying to figure how exactly what I need to take, what I want to take, and what I really shouldn't take.

One item I've been uncertain about are keyboards. When Simon went to France for a year he took a UK keyboard with him, but then they have AZERTY which is substantially different. There are a number of US keyboards lying around the office so a few weeks ago I switched to one for work to see how it went. I think I'm bringing a stash of UK keyboards with me. Annoyances with the US keyboard:

• Enter is too small. I have this problem on my EEE 901 as well. Usually this manifests as me typing lots of half written lines on IRC.
• The " moving location is actually much more irritating than I expected. Likewise ~
• And, the decider, PERSON RAISING BOTH HANDS IN CELEBRATION simply doesn't flow as easily. On a UK keyboard it's left, middle, right. On a US keyboard it's right, left, right.

On Thursday 19th August I will be leaving Northern Ireland and relocating to California. I'm keeping my current job with 3PAR (who I should point out are actively hiring in Belfast), just moving west by a few thousand miles. I'll be working in the Fremont office, but based on advice from most people I've talked to I plan to live in San Francisco.

I've got a few trips over to England planned between now and then which will give me an opportunity to see people before I go. Also I'll be at DebConf, where I hope to try and meet a least a few other Debian people from the Bay Area and pick their brains for advice about where to live & things to do.

This is something that's taken a lot longer to come together than I originally expected. I'm very glad it finally has, but obviously there's a degree of trepidation about the whole process. If I seem somewhat disconnected from reality for the next few months rest assured I'm sure I'll be back to normal soon enough once I've moved and found somewhere to live.

As SPI secretary I announced that nominations for the SPI board were open at the start of the month. The nomination period closes this Tuesday (13th July) with voting opening up on Thursday 15th. This year over half the board is up for election - 5 seats (currently held by Luk Claes, Joshua D. Drake, Bdale Garbee, Joerg Jaspert & Martin Zobel-Helas). So far I've received only 2 nominations, though I'm aware these things are often left to the last minute, so hopefully more will appear in the next few days. All anyone who wants to stand needs to do is drop secretary@spi-inc.org a (preferably PGP signed) email nominating yourself and providing a position statement (which will all be published once the nomination period is over).

Oh, and if you're a contributing SPI member please do remember to vote once voting is open!

I decided last night to upgrade the firmware on my G1. I've been fairly happy with my lightly hacked Android 1.6 (basically the stock T-Mobile image rooted and with a couple of apps added) but I'm interested in whether Froyo will bring performance improvements and the office is now full of Desire users so I figured I'd install 2.1 to see if it was any good, and prepare for 2.2. I went for CyanogenMod as it seems to be fairly sane ROM put together by someone with some clue.

Of course I decided to ignore some of the instructions; particularly the bit about doing a factory reset first. Most of my data is easily backed up, either to Google or locally, but I wanted to keep my SMS+MMS history. There's nothing really that interesting there, and the SMS stuff is backed up automatically via SMS Backup, but still. It was a challenge. What I ended up finding was that if I didn't do the data deletion then Contacts wouldn't work, but I'd keep the SMS/MMS. And if I did the data deletion everything worked fine but I didn't have the SMS/MMS history.

I fired up adb to have a look around the filesystem, to see if there was something obvious. And there was! I found /data/data/com.android.providers.telephony/databases/mmssms.db, which is actually an SQLite database of received messages. So I booted up with the old data present, logged in, tarred up all of /data, copied it across to my desktop, reset the phone and deleted all data, waited for it to boot, extracted mmssms.db from the tarball and put it back on the phone. Result! My message threads reappeared. Turns out that wasn't enough for MMS, but that was solved by copying the contents of /data/data/com.android.providers.telephony/app_parts/ across as well.

Yes, I accept this is kludgey and most end users aren't going to do it, but a couple of points:

• I'm flashing an unsupported ROM. I expect things to potentially break and not be able to complain to anyone about it. I'm very happy that it's an option, having had issues in the past where an operator wouldn't release an updated Nokia ROM for months after its release even when it fixed major issues.
• This is something I wouldn't have been able to do under WinMo or Symbian. I've had a world of pain in the past moving between phones, even when using Nokia's PC Suite to try and copy stuff from the old one to the new one. Being able to get a full shell on the phone is hugely useful for dealing with this stuff when it goes wrong or you want to do something slightly different.

While the above is Android specific I'm fairly sure WebOS on the Pre or Maemo on the N900 would offer me the same level of power and control. I think I've just convinced myself that alternative smartphone OSes are no longer viable options.

We appear to have a government again, which is always helpful. Let's see how they do. While all the deliberation was going on Dad and I had a ponder about exactly what your chances of voting for a winner were. The Guardian helpfully have the results dataset available, so I nabbed that. They may have updated it since I did; it certainly seemed to be a bit off compared with the BBC. Anyway.

29,577,337 - total votes cast.
13,982,219 - total votes cast for winning MPs.
7,279,220 - total votes cast for winning MPs in the new government (ie Conservative or LibDem).

So there was a 47.27% chance of a vote being for a winning MP, but only 24.61% chance that a vote was not only for a winning MP but also one that ended up being part of the coalition.

Another interesting number; 220 seats were won with 50% or more of the vote, 540 with more than 40%. That's higher than I expected.

Not that I ever thought I wasn't going, but due to some uncertainty about where I needed flights from I've only got round to booking things today - wish I'd gone ahead and done it last week!

Outbound:

2010-07-31 10:55 BHD -> 12:15 LHR BD85
2010-07-31 16:20 LHR -> 19:00 EWR VS001

Inbound:

2010-08-08 18:15 JFK -> 06:35 LHR VS004
2010-08-09 10:55 LHR -> 12:20 BHD BD84

See you all there!

Nearly a year ago people starting worrying about the complexity of SHA-1 being reduced and the potential availability of viable attacks against things such as PGP keys that used SHA-1. Many people (myself included) generated a new key, or updated preferences on keys that were otherwise strong enough. There were worries about what this might mean for Debian. We were getting ahead of ourselves a bit though. Firstly there haven't been any public viable attacks that I'm aware of (though of course this doesn't mean we shouldn't continue to migrate away), but secondly there's a much easier method of attack. PGP v3 keys. To quote RFC4880:

V3 keys are deprecated. They contain three weaknesses. First, it is relatively easy to construct a V3 key that has the same Key ID as any other key because the Key ID is simply the low 64 bits of the public modulus. Secondly, because the fingerprint of a V3 key hashes the key material, but not its length, there is an increased opportunity for fingerprint collisions. Third, there are weaknesses in the MD5 hash algorithm that make developers prefer other algorithms. See below for a fuller discussion of Key IDs and fingerprints.

At the time of writing Debian has 21 remaining v3 keys. This is a significant improvement over a year ago, when we had 200, but it's still 21 more than I'd like. I've been chasing people since last May (starting with those who had v3 + v4 keys, all of whom now only have a v4 key) and we're down to the stragglers. So it's time to name and shame, in the hope of kicking them into action. The following keys are what's left (doesn't match the currently active keyring because we've had a few replacements since the last promote):

0x0D2156BD3D97C149 Michael Stone <mstone>
0x225FD911CD269B31 Carlos Barros <cbf>
0x31E73F14E298966D James R. Van Zandt <jrv>
0x366CD3FEEBC11B01 Chris Waters <xtifr>
0x37A73FE355E8BC4D Frederic Lepied <lepied>
0x3E973117DCC528E9 Ardo van Rangelrooij <ardo>
0x5C7A46637953F711 Rich Sahlender <rsahlen>
0x5D6560F85F30F005 Craig Brozefsky <craig>
0x6B0E322836129171 Jim Westveer <jwest>
0x723724B4A5B6DD31 Christian Meder <meder>
0x7629B22ED71DAABD Adrian Bridgett <bridgett>
0x8FFC405EFD5A67CD Adam Di Carlo <aph>
0xB0D269DE17F3D4D1 Matthew Vernon <matthew>
0xBC151FC8D2A913A1 Peter S Galbraith <psg>
0xC1A0A171C2DCD3B1 Jim Mintha <jmintha>
0xC3168EBA23F5ADDB Ian Jackson <iwj>
0xCE951B1160D74C7D Patrick Cole <ltd>
0xE82A8B0D57137FE5 Paul Seelig <pseelig>
0xF20E242CE77AC835 Brian White <bcwhite>
0xFBAA570C3087194D Alan Bain <afrb2>
0xFFD1B4AC7C19FD19 David Engel <david>

Of these keys only 2 voted in the recent DPL election. 8 have failed to make any response to my mails (3 since last August). Only 9 have uploaded a package since August 2008. And 10 were already known to the MIA database. Some of them have stated they'll sort out a new key, but not yet done so.

If you are one of these people, please either get a new key sorted and signed and reply to the mails I've sent you, or reply and say you no longer wish to be involved in Debian. And if you know any of these people, encourage them to get a new key sorted and offer to sign it for them.

Inspired by a conversation about interview coding tasks from a list I'm on, I present the following - I considered it too long to email there. It took me longer than I expected to write; my x86 assembly is quite rusty. I'm not claiming it's pretty, but it fits in a single sector and most of the overhead is actually ELF structures.

; nasm -f elf fizzbuzz.asm
; ld -melf_i386 -s -o fizzbuzz fizzbuzz.o
; ./fizzbuzz

section .data

fizz	db	" fizz"
fizzlen	equ	$ - fizz
buzz	db	" buzz"
buzzlen	equ	$ - buzz
num	db	"   "
numend	equ	$ - 1
numlen	equ	$ - num
nl	db	0xa
nllen	equ	$ - nl

curnum	db 1

section .text

	global _start

_start:
	mov ax, [curnum]
	call printnum

	mov ax, [curnum]
	mov cx, 3
	xor dx, dx
	div cx
	cmp dx, 0
	jnz notfizz

	mov edx, fizzlen
	mov ecx, fizz
	call printstr

notfizz:
	mov ax, [curnum]
	mov cx, 5
	xor dx, dx
	div cx
	cmp dx, 0
	jnz notbuzz

	mov edx, buzzlen
	mov ecx, buzz
	call printstr

notbuzz:
	mov edx, nllen
	mov ecx, nl
	call printstr

	inc BYTE [curnum]
	cmp BYTE [curnum], 100
	jle _start

	xor ebx, ebx
	mov eax, 1
	int 0x80

printnum:
	mov edi, numend
	mov cx, 10
p1:
	xor edx, edx
	div cx
	add dx, '0'
	mov [edi], dl
	dec edi
	cmp ax, 0
	jne p1

	mov ecx, num
	mov edx, numlen
printstr:
	mov ebx, 1
	mov eax, 4
	int 0x80
	ret

(This has ended up longer than I intended, largely because I felt I should then get into why. I'm aware I haven't got into all the nuances, so I hope readers familiar with the area will appreciate this is the compact version.)

Thorsten had a rant last week about PGP keysigning problems. He apologises for his tone, but that's not the issue I take with his rant.

It starts "Keysigning is useless". And yet his complaints seem to be:

• Dealing with the private half of your GPG key securely involves some faff (in this case booting with a live CD and having to set things up ready to keysign).
• He doesn't get on with caff.
• People reject email from machines with invalid HELOs and perform other anti spam measures on ISP access ranges (I'm not clear if it's just greylisting or outright rejects as that's not made clear).
• PGP/MIME is a protocol violation (yes, but it's much better than inline OpenPGP. Unless you have to deal with RT, which mangles it. *sigh*)

None of these seem to actually be about keysigning being useless. The process of doing it, maybe, though he misses the main valid rant about this I'd have, which is that most mass keysignings don't actually allow you to accurately verify the identity of other participants unless you already know them reasonably well. (The LCA2010 keysigning and DebConf5 in Helsinki spring to mind as 2 good examples of bad keysignings I've attended, but speaking to others suggests it's far from an isolated thing.)

Torsten does say that he'll continue to do keysigning on a per-person basis, so it doesn't sound like he's completely given up. I'm posting this largely so other Debian related people don't get the idea that it's not important to think about keysigning.

Why should we care?

Firstly, let's clarify what I mean when I sign someone else's key. If I sign your key then I think that I believe you hold the private part of a key that has your name and an email address I believe I can use to contact you on it. It means I have seen government issued ID that matches that name. It also means that I have interacted with you (and watched others interact with you) under that persona. In short I am happy that the key is a reasonable digital representation of your identity - something signed by it either comes from you or has involved the key being compromised or you coerced  into using it against your will.

Why is this useful?

It gets useful thanks to the web of trust; ie the idea that there are a bunch of people I trust partially to sign other keys, and if enough of them have signed a key then I can have a reasonable expectation that the key belongs to the person I want to talk to. Which means I might be prepared to send private data to them. Or Debian might be prepared to accept an upload from them. Which, when you're dealing with a community that spans the planet and where most of the contributors haven't met each other, is pretty freakin' useful - I, as part of Debian's keyring team, don't need to personally be able to identify every Debian developer. All I need to do is be able to trust other DDs to be able to do so. (Though maybe I'm missing out on something here - perhaps Debian should be paying for Gunnar and me to travel the world verifying fingerprints. \o/)

(I still do mass keysignings btw. I'm picky about which keys I actually sign - this is in no way intended as a slight against those I don't, but a mass keysigning at least lets me know that the people involved are happy to exchange fingerprints. Though, FWIW, I normally have ID on me and frequently have fingerprint slips, so if you know me and want me to sign your key/want to sign mine then by all means ask me when you see me!)