Thanks for the offer, but...

I was due for another Google interview mail it seems. I have to say I wasn’t expecting it, but this week I had a follow up to my polite mail from 6 months ago that said “No thanks, I’m not looking” asking if it was still the case.

Normally I welcome this little bit of ego stroking; it’s always nice to be wanted. Except that’s not really the case, is it? It’s an invitation to interview for something, not any indication that you’ve done more than tick some initial boxes. Google mails inevitably ask me if I’d like to work in SRE. It’s always SRE. No one ever emails and asks if I want to work on self-replicating nanobots that will roam Mars searching for the perfect spot to build a beach house.

And that’s where things fall down. If someone currently has a job, then emailing them out of the blue to ask if they want to come and interview for something vague is hoping that they’re either looking, and just haven’t come to you yet, or not looking but unhappy enough with their current role that all they needed to start was an email asking them to submit a recent CV.

For the former, if you’re Google, do you really think that person doesn’t know where to find you? For the latter, you’re being quite presumptuous, aren’t you? The act of updating my CV may be some effort (actually it’s usually not, because the stuff that’s not on it is the stuff I can’t talk about because it’s not released yet, or stuff that’s specific and thus wouldn’t go on a CV for a vague job spec). Even if it’s not, the act of interviewing is potentially a waste of time for both of us, if the role isn’t clear.

One argument used is that people will be placed according to the skills they show during the interview process. That’s fine from the employer’s point of view, but if you’re actively trying to get some interest from people who are gainfully employed you really need to grab their attention somehow. I can’t remember the last time I had an unsolicited email interview offer that actually wowed me, or indeed even showed more than a passing sign of tailoring a spec to my profile.

When I was running Black Cat I made a point of always replying to unsolicited CVs. How polite I was depended on how the covering emails were worded (a Word document with nothing else was likely to get short shrift, something well targeted in a Linux friendly format would normally get some comment about how we weren’t hiring and were unlikely to be, but if that changed it would be mentioned on the website), but I felt people deserved a reply - I have been disappointed by not receiving responses myself to what I considered well targeted job inquiries.

So far I’ve taken the same approach with mails from corporate recruiters (less so with recruiters that are associated with recruitment firms, rather than directly with the companies they are hiring for), but I’m starting to feel like changing that stance. Candidates are told to tailor CVs to the role being applied for, provide a decent cover letter, and in general make companies want to talk to them. Companies who are sending out recruitment emails should be held to the same standard. Even assuming you do a basic phone screen first, I can probably expect to need to take a day off work assuming that goes well. You need to convince me I can justify that before I’m going to feel like engaging at all.

(And if I’m honest, based on what I’ve seen so far, it’s unlikely to happen. All of the things I’ve considered have come from conversations with people I know directly about companies they own or work for, never some random contact via email. I try hard not to think of recruitment mail as spam, but I can see how that line of thought follows through.)

I should apologize to Google here. They got mentioned as an example, but I don’t think they’re particularly bad. I did interview with them at one point, and made the decision not to continue that process after deciding a different, more certain, path was better for me. So I’ve displayed interest. And in response to my reply today of “I know where to find you, so please assume I’ll do so if I change my mind.” they’ve said they’ll make a note on their records.

Chromium

The thing that finally made me install Chromium? The refusal of Google+ to work with Firefox 3.5 (from Debian/testing). Well played Google. Well played.

Update: Please note I didn’t say “switch to Chromium”, it was just installing it at all. I’ve also pulled in FF 5 from experimental which seems to be working nicely - I hope that it can make its way into unstable and thus to testing soon.

Building a FreeDOS bootable USB stick under Linux

This is for my own reference more than anything else; periodically I find myself needing to boot DOS. Usually because I want to upgrade a BIOS and the upgrade tool only works with Windows or DOS. Yes, I’m aware of flashrom, but the scary messages about toasting laptops means I’m much happier going the DOS route there. So I need a writable medium with a DOS boot image. The easy way to do it is to find a DOS floppy image and write that to a USB stick with dd, but it’s basically a one off and means you can’t fit a whole lot on the image. I wanted to do a native USB boot. The following did the trick for me.

Firstly, this is all on a Debian testing box, in particular with dosfstools (3.0.9-1), mbr (1.1.11-4) and syslinux (2:4.04+dfsg-2). I don’t think I’m using anything particularly new from these tools, so I suspect Debian stable will work just fine.

In the below my USB stick is on /dev/sdb, I’ve got a copy of FreeDOS in ~/FreeDOS/ (I extracted the files from a balder10.img floppy image that’s easy enough to find, but all you need is kernel.sys and command.com), and I wanted things neatly in their own subdirectories so I could try and keep the key for repeated use and know which bits I wanted to keep and which were transient. I also added a copy of the Debian Installer for convenience; it would need a copy of the netinst ISO dropped into the root to actually be useful, as there’s not enough to do a full netboot from the wider Internet using just the HD initrd.

    # Create a single bootable LBA VFAT partition spanning entire stick.
    # (Quoted so the shell cannot glob-expand the '*'.)
    echo '0,,C,*' | sfdisk /dev/sdb
    # Format as VFAT and give it a disk label.
    mkfs.vfat -n 'DOS BOOT' /dev/sdb1
    # Install an MBR
    install-mbr /dev/sdb
    # Mount it and create some directories for our files.
    mkdir -p /media/DOS\ BOOT/
    mount /dev/sdb1 /media/DOS\ BOOT/
    cd /media/DOS\ BOOT/
    mkdir boot
    mkdir boot/syslinux/
    mkdir FreeDOS
    # Copy the chain.c32 syslinux tool over.
    cp /usr/lib/syslinux/chain.c32 boot/syslinux/
    # Copy FreeDOS over and move the important bits to /
    cp ~/FreeDOS/* FreeDOS/
    mv FreeDOS/command.com .
    mv FreeDOS/autoexec.bat .
    mv FreeDOS/fdconfig.sys .

    # Add the Debian Installer
    mkdir boot/d-i/
    cd boot/d-i/
    wget http://cdn.debian.net/debian/dists/squeeze/main/installer-amd64/current/images/hd-media/initrd.gz
    wget http://cdn.debian.net/debian/dists/squeeze/main/installer-amd64/current/images/hd-media/vmlinuz

    # Install syslinux
    syslinux -d boot /dev/sdb1

I made a boot/syslinux.help file containing:

    Available boot options are: FreeDOS d-i

and a boot/syslinux.cfg with:

    prompt 1
    display syslinux.help
    default FreeDOS

    label FreeDOS
    	COM32 /boot/syslinux/chain.c32
    	APPEND freedos=/FreeDOS/kernel.sys

    label d-i
    	KERNEL /boot/d-i/vmlinuz
    	INITRD /boot/d-i/initrd.gz

Initial testing was done using kvm which was a lot easier than constantly rebooting my laptop.

Hopefully this is of help to someone. The only neat bit that I didn’t see elsewhere when I was looking was the use of chain.c32 to load kernel.sys rather than having to use a FreeDOS provided boot sector image.
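The two wget downloads above fetch a kernel and initrd over plain HTTP, so they are worth checking before the stick is booted. The following is an added example, not part of the original post: it compares local files against a SHA256SUMS manifest, assuming the manifest uses `./hd-media/<file>` paths and has itself been authenticated; the function names and the stand-in files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes manifest lines of the
# form "<sha256>  ./hd-media/initrd.gz". Authenticate the manifest itself
# first: its hash is listed in the archive's signed Release file.

# verify_images MANIFEST PREFIX DIR FILE...
# Returns 0 only if every DIR/FILE matches the manifest entry ./PREFIX/FILE.
verify_images() {
    manifest=$1 prefix=$2 dir=$3
    shift 3
    rc=0
    for rel in "$@"; do
        want=$(awk -v p="./$prefix/$rel" '$2 == p { print $1; exit }' "$manifest")
        if [ -z "$want" ]; then
            echo "NOT LISTED: $rel" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$rel" 2>/dev/null | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $rel" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed demo with stand-in files (not real installer images).
demo_verify() {
    tmp=$(mktemp -d)
    printf 'constructed initrd\n' > "$tmp/initrd.gz"
    printf 'constructed kernel\n' > "$tmp/vmlinuz"
    for f in initrd.gz vmlinuz; do
        printf '%s  ./hd-media/%s\n' \
            "$(sha256sum "$tmp/$f" | awk '{ print $1 }')" "$f"
    done > "$tmp/SHA256SUMS"
    verify_images "$tmp/SHA256SUMS" hd-media "$tmp" initrd.gz vmlinuz \
        2>/dev/null && before=ok || before=fail
    printf 'tampered\n' >> "$tmp/vmlinuz"      # simulate a modified download
    verify_images "$tmp/SHA256SUMS" hd-media "$tmp" initrd.gz vmlinuz \
        2>/dev/null && after=ok || after=fail
    rm -rf "$tmp"
    echo "$before $after"
}

demo_verify
```

On the stick built above the call would be `verify_images SHA256SUMS hd-media boot/d-i initrd.gz vmlinuz`, run from the mount point with the manifest saved alongside.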

A minor keyring-maint rant

This should probably be an official FAQ, but a) I wanted to rant a bit more than is probably acceptable for something “official” and b) the sort of person this information is directed at never bloody reads keyring.debian.org, which is the logical place for it.

Who are keyring-maint?

Currently Gunnar Wolf (good cop) and Jonathan McDowell (bad cop). Previous keyring maintainers include Igor Grobman & James Troup.

I’d like to be a DM/DD. Do I send you my key?

No. You go through the DebianMaintainer or NM processes. Then the DM team or DAM tell us to add your key to the appropriate keyring.

I’d like to replace my DM/DD key in the Debian keyring. What should I do?

Read the instructions at http://keyring.debian.org/replacing_keys.html

I have a new key that isn’t signed by anyone else, will you accept it?

No. Did you read http://keyring.debian.org/replacing_keys.html ?

I’ve got a single DD signature on my new key. That’s enough, right?

Not unless your old key has been lost and you’re getting a different DD to request the replacement for you (and if they’re prepared to ask for a key replacement we’ll wonder why they’re not prepared to sign the new key too).

Did you read http://keyring.debian.org/replacing_keys.html ?

I’m still really confused about how I should request a key replacement. Help?

Try reading https://rt.debian.org/Ticket/Display.html?id=3141 (which just happens to be a recent decent example). Clear subject line (I’d have added a real name too, but it’s still fairly clear), full fingerprint of the old and new keys, inline signed so RT doesn’t mangle it. New key signed by old key and 3 other DDs. Request signed by old key.

That RT link needs a login. I don’t have one.

Have you tried reading up on the Debian RT system? There’s a generic read only login that’ll get you access.

That’s too hard. Can’t you just give me the details?

Damnit. It appears the read-only login details are currently disabled due to misuse (one wonders how). Try reading http://wiki.debian.org/rt.debian.org

Why are you using RT? Isn’t bugs.debian.org more appropriate?

We need the ability for people to contact us in a private fashion, for example if they need us to remove a key because it’s been lost or compromised. We could only use RT for that purpose and use bugs.d.o for things that can be public, but this way all the information is in one place and we get to make the call about when it becomes a publicly viewable ticket.

What’s with jetring? Should I send you a jetring changeset?

jetring is a tool written by Joey Hess that used to be used to manage the Debian Maintainers keyring. keyring-maint borrowed a number of good ideas from jetring but don’t use it at all. We ignore jetring changesets.

So you just want key fingerprints, not attached keys?

Yes. Of course you have to make sure your key is actually on a public keyserver so we can get it. the.earth.li is a good choice (because Jonathan runs it and thus pays more attention to it), but subkeys.pgp.net or pool.sks-keyservers.net are also commonly used.

My key has expired and I want to update the key expiry date. I should email RT asking for this to be done, right?

No, you should send the updated key via HKP to keyring.debian.org. You can do this with

    gpg --keyserver keyring.debian.org --send-key <your key ID>

Obviously replace <your key ID> with your own key ID.

I tried to send an entirely new key via HKP to keyring.debian.org, but I can’t see it there. What gives?

keyring.debian.org only accepts updates to keys it already knows about. That means you can send updated expiry dates, new uids and new signatures to your existing key, but not an entirely new key.

I sent my updated key via HKP to keyring.debian.org and can see it’s updated there, but the Debian archive processing tools (eg dak) don’t seem to recognize the update. Why not?

The updates sent via HKP are folded back into the HKP server automatically every 15 minutes or so. They are folded into the live Debian keyrings on a manual basis, at least once a month.

This means if your key has an expiry date then you probably want to update your key at least a month before it expires.

Where can I find these live Debian keyrings?

They’re what’s available via rsync from keyring.debian.org::keyrings/keyrings/

This is the canonical location for the current Debian Developers and Debian Maintainers keyrings.

What about the debian-keyring package?

This is a convenience package of the keyrings. It’s usually the most out of date. We update it sporadically and try to ensure that the version shipped with a stable Debian release is current at the point of release. It is not used by any of the official Debian infrastructure.

Why don’t you automatically update my key in the live keyring when I send an update via HKP?

We think that automatic updates of keys that allow uploads to Debian are a bad thing and that invoking a human eye at some step of the process is a useful sanity check.

Paranoid much?

Never enough.

How are updates to the keyring tracked?

We use bzr to maintain the keyring, with a separate file per key that can then be easily combined into the various keyrings. You can see the repository at:

http://bzr.debian.org/scm/loggerhead/keyring/debian-keyring/changes

Note that this is only updated when a keyring is pushed to live; the working tree may contain details of compromised keys and thus isn’t public.

What’s with the whole replacement of 1024 bit keys?

Two things. Firstly, 1024 bit keys tend to use SHA1 as a hash algorithm, which has been shown to be weaker than expected. While we’re not aware of active exploits against this, updating all of the keys Debian uses is not a trivial process and it’s wiser to get it done /before/ there’s a known issue. Secondly, computing power has moved on and we feel that upgrading to larger key sizes is prudent.
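A key holder can check both the one-month expiry lead time and the 1024 bit concern locally from GnuPG's machine-readable listing. The following is an added example, not keyring-maint's own tooling: the function names, the 30-day threshold, the sample listing and the reference time are all constructed for illustration, and it assumes epoch-second timestamps as GnuPG 2.x prints them.

```shell
#!/bin/sh
# Added example (not keyring-maint tooling). Reads the output of
#   gpg --with-colons --list-keys
# on stdin and flags primary keys that are RSA/DSA of 1024 bits or fewer,
# already expired, or expiring within 30 days (assumed threshold).
# Colon fields used: 1=record type, 3=key length, 4=algorithm (1 RSA,
# 17 DSA), 5=key ID, 7=expiry as epoch seconds (empty = no expiry).

# audit_keys NOW_EPOCH
audit_keys() {
    awk -F: -v now="$1" -v warn_days=30 '
        $1 == "pub" {
            if (($4 == 1 || $4 == 17) && $3 + 0 <= 1024)
                printf "%s weak-size %d\n", $5, $3
            if ($7 != "") {
                if ($7 + 0 < now + 0)
                    printf "%s expired\n", $5
                else {
                    left = int(($7 - now) / 86400)
                    if (left < warn_days)
                        printf "%s expires-in %dd\n", $5, left
                }
            }
        }'
}

# Constructed sample listing; key IDs and dates are made up.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::scESC:
uid:-::::1100000000::0000::Constructed User A <a@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1250000000:1300864000::-:::scESC:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1250000000:1331536000::-:::scESC:
pub:e:2048:1:DDDDDDDDDDDDDDDD:1200000000:1299000000::-:::sc:
EOF
}

# Constructed reference time so the result is reproducible.
sample_listing | audit_keys 1300000000
```

For a real check, pipe `gpg --with-colons --list-keys` into `audit_keys "$(date +%s)"`.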

Elliptic curve cryptography (ECC) keys look like the future. Can I use one for Debian?

No, not at present. When there are tools that are part of a Debian stable release that support them we’ll look into it, after discussion with the major users of the keyring (DSA, ftpmaster, the secretary).

Not going to DebConf11

I’m sad to report that I won’t be attending DebConf11. I’d have loved to go, but unfortunately I couldn’t get the time off work due to various schedule conflicts. I’ll have to find another excuse to make it to Bosnia at some point.
