Gunnar Wolf

Last week (July 7-13) was basically hell on Earth, for me and for the group that somehow got the name Cabras locas, of which I am part since I joined the National Pedagogical University, where I worked full-time 2003-2005.
It was, yes, the first of my officially three weeks of Summer holiday at IIEc-UNAM, so no problems here. So, why hell on Earth? Because we were in charge basically of anything related with information flow, retrieval and manipulation at the 11th International Congress on Mathematical Education, in Monterrey.
What we thought would basically be one or two days of hard work followed by six days of relaxed vacations (we had even planned to have an internal seminar, showing off the shiny stuff each of us is working on) became... A mind-boggling eight day experience where we worked over 12 hours a day on being human replacements for Google, SQL engines, full-text parsers, report generators, printer watchdogs, and in general lines, just a bunch of unhappy firemen, ready to be called off for whatever task was necessary.
We did have, of course, several calm periods every now and then. We even had to learn how to look busy while doing something compeltely unrelated (that would explain, for example, a couple of low-hanging bugs I fixed for Debian, or some dozens of lines of code I could get off my head).
But my advice for whoever reads this: Don't trust people with long database-handling experience. Specially when they insist that hand-capturing a thousand registers is preferrable (i.e. less error-prone) than parsing three separate databases and discarding duplicates. And, of course, specially when this person is your boss, which is enough of an argument to have it his way.

I think I should follow up on Victor's lament. Yes, we have a Rails application which works fine most of the time... But quite often, throws out a segmentation fault I just have been unable to pin-point. It might be related to rmagick, the only non-pure-Ruby component I am using (and I'm tempted to try minimagick instead, even if I prefer in-memory operations than on-disk, piping an image and slurping it again).
Victor came up with an easy script to check the server - but to reduce the impact it has (I was running a single Mongrel instance, which meant, whenever it dies the whole system becomes inaccessible for everybody; I replaced it with a mongrel_cluster of five processes, plus pound as a easy-to-use balancer which looks quite nice), the very simplistic and to-the-point script did no longer work.
Anyway... Ruby rocks ;-) I'm sharing this with you mostly because I am sure some readers will find more than one useful construct, not because it is precisely beautiful code. And besides, we should work on fixing the cause, not the consequence, of the bug! :)

#!/usr/bin/ruby
require 'yaml'
confdir = '/etc/mongrel-cluster/sites-enabled'
restart_cmd = '/etc/init.d/mongrel-cluster restart'
needs_restart = false
 
(Dir.open(confdir).entries - ['.', '..']).each do |site|
  conf = YAML.load_file "#{confdir}/#{site}"
  pid_location = [conf['cwd'], conf['pid_file']].join('/').gsub(/\.pid$/, '*.pid')
  pid_files = Dir.glob(pid_location)
 
  pid_files.each do |pidf|
    pid = File.read(pidf)
    begin
      Process.getpgid(pid.to_i)
    rescue Errno::ESRCH
      warn "Process #{pid} (cluster #{site}) is dead!"
      File.unlink pidf
      needs_restart = true
    end
  end
end
 
system(restart_cmd) if needs_restart

I usually don't like me too comments... But this is something that really disappoints me of my otherwise-favorite development framework. I must echo Matt Palmer's comment on Luke Kanies' entry:
Ruby. Has. A. Distribution. Problem.
Nice, good read. Sadly, many Rails pushers see distributability as something very minor, something that should not worry Rails developers right now, as there is too much other serious work to be done - Better UTF8, a clearer language, better performance... And besides, any programmer can live well with gems. (yes, that's all taken from a rant I had with a very convinced person)
My gripe is that... Rails is no longer a small, fringe project. Rails is an enterprise-grade development framework, with thousands of deployed production systems. And if they don't start to act responsably, if the Rails developers keep pushing said problems as low-priority, the Rails developers' (that is, their users) culture will become rigid - and will constitute a serious harm to Rails' future.
Distributability and packageability is not only for OS distributors. Not only we Debian zealots care about software being easily packageable. By using Ruby Gems, you dramatically increase entropy and harm your systems' security.
Read Luke's text for more details. It is quite worth the time.

I'm about to leave for Monterrey, Nuevo León, some 700Km North. Why? Because I was invited to be at the Monterrey FLISOL. And what exactly is a FLISOL? A very nice and interesting idea: Festival Latinoamericano de Instalación de Software Libre, Latin American Free Software Install Festival.

So far, I have stayed away from install-fests. I don't like them. And I will keep what I have always said: I am going because I was invited to talk about network security (of course, giving more than a little bit of relevance to Free Software as the IMHO only way to get to a decent level of security). But I do want to be part of this. It is large. Very large. So large, you don't want to miss out.
According to Beatriz Busaniche, FLISOL will be simultaneously held in 210 cities all over Latin America, in Argentina, Bolivia, Brasil, Chile, Colombia, Costa Rica, Cuba, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Paraguay, Peru, Uruguay and Venezuela. In short: everywhere.
Spread the word. Spread the love. Spread the fun!

One week ago, I went to a branch office of Servicio de Administración Tributaria, the government office in charge of processing taxes. This year, I plan on doing something quite bold, as my Mexican friends will acknowledge: I will prepare my (quite simple, I hope) tax declaration by myself. I do not want to be held hostage of the accountant guild - So I might end doing some fuckup which in the end costs me money or time. I hope it is not the case.
Anyway... Last week I went to this office, as I needed either a CIECF (Clave de Identificación Electrónica Confidencial Fortalecida - Strengthened Confidential Electronic Identification Key) or a FIEL (Firma Electrónica Avanzada - Advanced Electronic Signature). No, please don't believe it is a security token, a card with printed numbers, a one-time-pad or the sort - The CIECF is... A password. Why is it strengthened? Because it has the feature of including a question, in case you forget the key, to allow you to change it. I guess the FIEL is a more reliable device, but I prefer not to even request it.
And as far as the questions go, the emergency questions for CIECF suck. First, I was not even asked the meta-question - I was not told why this information was needed. So imagine the clerk saying: Full name? ... Date of birth? ... RFC (Tax ID)? ... Favorite color? I was there just... Stunned. Why do you need it? Oh, just in case you forget your password. Ok... Don't you have any other questions which I am not prone to answer a different thing, and that are not dead obvious for a casual passer-by? (I guess that at least 1/4 of the public will say blue. Feel like brute-forcing SAT to its knees?) Other questions include your fathers' second family name, your favorite soccer team, your pet's name... It seems they took the first "security dos and don'ts" book off the wall, and started reading backwards.
But anyway, that's the system, and I must play nice with it. So I get back home, and decide to start hacking up my declaration. No, Mr. Policeman, I'm not saying I would try to break into the SAT - I just say it is a complex and non-obvious task to do. Now please release me. Thanks.
And I enter the system. Of course, I tried first with Iceweasel, knowing it would fail (it is documented: MSIE 5.5 recommended). I tried again with Konqueror. I tried, sigh, with MSIE from inside Wine. No luck. Well, even from within qemu's Windows 2000. Wrong password. WTF?! Stranger: It worked with SAT's My portal, although it didn't with the declaration, which is what matters now.
I cannot take the time every day to come to the SAT and move my data - It was a full week until I came back again. I insisted on fully logging in to the system, to be sure the password I entered this time was right. As well as my über-secret safety question, of course.
And it failed.
Twice.
Until the clerk noticed something strange in the way I typed...
Sir, excuse me..., he muttered, why are you typing such a long password? Well, basically because I value my tax declaration, and I know brute force is a powerful force. (explain it, of course, in simple terms) Oh... No, the password must be eight characters long.
No wonder.
So I entered the first eight characters of my password, which was a true work of prose for their standards, at around 20 characters. And it worked.
Now, for bonus points: What do we gather from the fact that the long password works fine in one system, but in another system it only the short version? Why, but of course! I guess the passwords for every economically active Mexican is stored in their master database in plain text. Isn't it just beautiful?
Anyway, it seems I have a lot of work to do. If all goes as planned, maybe next year I will be for hire as a public accountant? Hmh, does not sound too much like fun, does it?

Wouter, you seem to enjoy using huge filesystem volumes. So, dear lazyweb...
I have a 500GB disk for my users' home partitions - they mainly use it to back up their desktop data, but I do expect them to give it more usage. Anyway - I am currently using around 350GB of it, leaving the rest still unpartitioned. I have switched over to ReiserFS, as online resizing it is way faster than online resizing ext3 - it's basically instantaneous.
It seems I do belong to the old sysadmin school, and I value highly the reliability that comes from not having filesystems too large for their own good - After all, recovering from failure in 10GB is way more probable than doing the same in 100 or 1000, isn't it? But then again, it's just impractical to create /home/samba/{1,2,3,4,5,6,7,8,9}/ and randomly split users' directories inside them. Most users won't use more than a couple MB, but some users (legitimately!) back up tens of GB... It's hard for me to anticipate their needs.
Does any of you have scary stories regarding huge volumes? Or any data supporting the idea that I'm just too old fashioned and that half a TB is a good partition size?
Note that I _am_ holding full backups :)
[update]: So I'm undoubtley an old fart? Everybody seems to have partitions larger than me. Ok, I will stop crying...

Like many people interested in bringing computer security awareness to the public at large, some eight years ago I was thrilled to get acquinted with sudo. A great tool for giving specific admin rights to specific users in a very granular way, with great semantics... And allowing for a degree of flexibility much higher than my needs, honestly.
I think it was the Canonical crew who first thougt of using it backwards, "solving" (for some definition of solution, of course) the long-known problem that desktop users cannot be bothered to understand they are using a normal account which is, for their own personal security, completely separated from the priviledged account.
So, in short, Ubuntu uses a passwordless sudo to grant users (at least I understand it is limited to the first system user, am I right?) access to whatever and whatnot... And most users seem to like this.
Yes, the same way they like Windows: Because it is the no-brainer solution. Now, give a person with no brains some choices... Guess which choice they will pick.
Now, it's assumed by most semi-newbie Linux users that sudo basically means "go ahead". I have tried to get this point across to people complaining that Debian ships a b0rken sudo because it is not basically a ALL ALL = NOPASSWD: ALL
So, as it is currently used... I do feel sadness: Unix systems tend to Windowsification, where real administrator privileges are just a matter of asking whether you are sure. Assuming single, local users for local machines.
[update] Oops! lots of comments explaining my world-view is somewhat flawed... Anyway, I'll reply to the comments themselves.

I have been maintaining several minor sites hosted at Dreamhost for about a year. And since over one month ago, my personal website is with them as well. And I must say, I am very pleased with them. No, not (well, not only) because they run Debian on their servers, nor because they are probably the cheapest game in town (I paid something like US$200 for a basically unlimited package , for three years), but because of their degree of responsability and personal service.
Responsability? Aren't they well-known for their network outages? Why, yes, of course - Today's example is paramount: Somebody edited the wrong firewall entry, and all of Dreamhost became unavailable. In general terms, Dreamhost has a great blog-like structured page where they inform customers of every network or server problem they have - No, you don't have to dig in to understand why your site is down: They bring it up to you. Upfront. And in a familiar, very non-formal style.
Whenever I have submitted an issue to their request tracker, I get prompt reply. Does it always solve the situation? no, by far. I'm often told to, basically, go screw myself if I really need such feature... But they are straightforward with that, they are good, nice BOFHs (if such thing ever existed), and they don't present you with corporate-minded studies backing up their solution. Yes, I know that in their servers, it's plainly their way or the highway. But hey, that's what I paid for, right?
That is what wins my heart. Yes, Dreamhost is no good for many, many tasks - including, for example, anything that requires a real RDBMS (forgodssake, they offer MySQL but not PostgreSQL, damnit! WTF!?), nor any legendary five-nines reliability. But they are great for the vast majority of the Internet sites' needs. They even exceed what a simple person like me would ever dream of.
So, my hat off to you guys. Again.
(No, and I'm not getting paid or discounted on services because of this blog post. Although maybe I should! ;-) )

I just spent the productive part of the last couple of days going over several alternatives, as I didn't want to do the most obvious thing.
But I ended up doing it.
I think I did it carefully... And in a restricted system.
Still, having a Web-facing script that executes a password-changing script running with Sudo-granted privileges... No matter how much correctness and sanity checking it involves...
Makes me feel dirty.

As of late, I've shifted quite dramatically my sysadmining/development activities. On the development front, although Perl is still my mother tongue and I maintain many systems I wrote with it (and my main involvement in Debian is through the pkg-perl group, of course), I've been largely switching over to Ruby - both under the Rails framework and doing standalone stuff.

But somehthing that's new to me (well, relatively - it has been observed I have been playing with the idea in and out for some more time) is entering this maze of twisty little passages, all alike called Drupal. What can I say? I'm quite surprised by it. It is such a reach CMS, and so twistable for almost-anything, that it still defeats me.

I've been asked (ordered? pushed?) to propose a complete plan to replace my Institute's current static-and-butt-ugly-HTML site with something dynamic and manageable, so, of course, this last week has been an intensive Drupal crash-course for me.

Drupal itself is quite complex, yes, and I thought I had it mostly mastered for the trivial tasks. But then, I started looking for some I-thought-quite-simple extra thingies - And I started discovering its user-contributed modules. I've been having quite a bit of fun with them, and as I hate messing up my clean and nice installation, I've even set up a Drupal5 modules APT repository for Etch, where I'm putting the modules as I process them.

As I'm really not into PHP, and I still lack enough of the Drupal framework understanding to really step forward and become responsable for them, I'm not yet even suggesting packaging them for Debian - but a time might come where I upload them as well ;-)

BTW, in case somebody is wandering about this Jaws-to-Drupal scripty I mentioned that other time: It basically works for blog entries (as you can see in my test site - barring some trivial latin1-UTF discrepancies). I have not yet migrated because I'm also trying to migrate my Phoo photo galleries to Acidfree albums... And it's quite a more challenging task than just migrating blog+comments. But soon, I hope - I have a bit more time than in the last weeks to be able to play with it. Anyway, here it is as it is.

One solution of modern programming is to move database abstraction from the code to the infrastructure using a ORM (Object-Relational Mapper) or Data Mapper. A ORM and Data Mapper abstracts the database for you so you no longer have to do tie db abstraction to each app. Not only does it let you code once for multiple databases it lets your users migrate their data from one database to another. This blog runs Typo which is based on Ruby on Rails and ActiveRecord. I've been contemplating migrating Typo from MySQL to PostgreSQL and I've been told that it would be as simple as exporting the data with YAML, updating the database.yml file and importing the data.

ActiveRecord is a data mapper and isn't as flexible as a full blown ORM but it gets the job done for the most part. For a full-blown ORM, I think of Perl's DBIx::Class which provides a full OO interface to the RDBMS allowing you to code just once for multiple DBs without limiting you when you want to use some esoteric database-specific SQL

There are PHP frameworks out there like Symfony and Cake but do any of them have stand-alone ORMs? If so, could Drupal move to something like that and solve their maintainership problems once and for all? Drupal is part of the Go PHP5 effort so there should be no issue using PHP 5 OO. Something to think about for the Drupal folks if a PHP ORM is available