Petter Reinholdtsen

It is days like today I am really happy to be a member of the Norwegian Unix User group, a member association for those of us believing in free software, open standards and unix-like operating systems. NUUG announced today it will try to bring the seizure of the DNS domain popcorn-time.no as unlawful, to stand up for the principle that writing about a controversial topic is not infringing copyrights, and censuring web pages by hijacking DNS domain should be decided by the courts, not the police. The DNS domain was seized by the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime a month ago. I hope this bring more paying members to NUUG to give the association the financial muscle needed to bring this case as far as it must go to stop this kind of DNS hijacking.

I dag tok jeg mot til meg og pakket sammen en ny versjon av den frie norske stavekontrollen, ca. tre og et halvt år etter forrige gang. Resultatet kan lastes ned fra no.speling.org-prosjeksiden, både som kildekodepakke og som "pack"-fil som kanskje fortsatt kan brukes av OpenOffice.org/LibreOffice. Byggesystemet trenger oppussing, men i denne omgang hadde jeg bare tid til å fikse byggefeil forårsaket av endringer i GNU grep. De øvrige endringene var gjort tidligere i påvente av en ny utgave.

Her er det som er nytt (fra NEWS-fila i kildekodepakken):

Release 2.2 (2016-04-15)

• Rewrite how scripts/speling2words handle tripple consonants, to avoid importing duplicate words from no.speling.org, and getting rid of the existing duplicates in norsk.words.
• Remove duplicate entries with tripple consonants from norsk.words.
• Update frequency for entries in norsk.words based on (ran 'make freq-update').
• Correct nn ispell build, avoid crash in munchlist causing lots of words to fall out of the database.
• Use grep -a to convince grep it is working on text files, to work with newer grep versions.
• Remove some words disputed in the no.speling.org review process:
  • apparent (nb)
  • likke (nb)
  • ugjest, ugjesten, ugjestens (nb)

I first got to know I.F. Stone when I came across an article by Jon Schwarz on The Intercept about his extraordinary contribution to investigative journalism in USA. The article is about a new documentary in two parts (part one is 12 minutes and part two is 30 minutes), and I found both truly fascinating. It is amazing what he was able to find by digging up public sources and government papers. He documented lots of government abuse and cover ups, and I find his weekly news letters inspiring to read even today.

All governments are run by liars and nothing they say should be believed.
- I. F. Stone

His starting point was that reporters should not assume governments and corporations are telling the truth, but verify all their claims as much as possible. I wonder how many Norwegian reporters can be said to follow the principles of I. F. Stone. They are definitely in short supply. If you, like me half a year ago, have never heard of him, check him out.

I'm happy to report that the French paperback edition of my project to translate the Free Culture book by Lawrence Lessig is now available for sale on Lulu.com. Once I have formally verified my proof reading copy, which should be in the mail, the paperback edition should be available in book stores like Amazon and Barnes & Noble too.

This French edition, Culture Libre, is the work of the dblatex developer Benoît Guillon, who created the PO file from the initial translation available from the Wikilivres wiki pages and completed and corrected the translation to match the original docbook edition my project is using, as well as coordinated the proof reading of the final result. I believe the end result look great, but I am biased and do not read French. In addition to the paperback edition, the book is available in PDF, EPUB and Mobi format from the github project page linked to above.

When enabling book store distribution on Lulu.com, I had to nearly triple the price to allow the book stores some profit. I also had to accept that I will get some revenue when a book is sold via Lulu.com. But because of the non-commercial clause in the book license (CC-BY-NC), this might be a problem. To bypass the problem I discussed how to handle the revenue with the author, and we agreed that the revenue for these editions go to the Creative Commons non-profit Corporation who handle donations to the Creative Commons project. So far they have earned around USD 70 on sales of the English and Norwegian Bokmål editions, according to Lulu.com. They will get the revenue for the French edition too. Their revenue is higher if you buy the book directly from Lulu.com instead of via a book store, so I recommend you buy directly from Lulu.com.

Perhaps you would like to get the book published in your language? The translation is done using a web based translator service, so the technical bar to enter is fairly low. Get in touch if you would like to make this happen.

During this weekends bug squashing party and developer gathering, we decided to do our part to make sure there are good books about Debian available in Norwegian Bokmål, and got in touch with the people behind the Debian Administrator's Handbook project to get started. If you want to help out, please start contributing using the hosted weblate project page, and get in touch using the translators mailing list. Please also check out the instructions for contributors.

The book is already available on paper in English, French and Japanese, and our goal is to get it available on paper in Norwegian Bokmål too. In addition to the paper edition, there are also EPUB and Mobi versions available. And there are incomplete translations available for many more languages.

Just for fun I had a look at the popcon number of ZFS related packages in Debian, and was quite surprised with what I found. I use ZFS myself at home, but did not really expect many others to do so. But I might be wrong.

According to the popcon results for spl-linux, there are 1019 Debian installations, or 0.53% of the population, with the package installed. As far as I know the only use of the spl-linux package is as a support library for ZFS on Linux, so I use it here as proxy for measuring the number of ZFS installation on Linux in Debian. In the kFreeBSD variant of Debian the ZFS feature is already available, and there the popcon results for zfsutils show 1625 Debian installations or 0.84% of the population. So I guess I am not alone in using ZFS on Debian.

But even though the Debian project leader Lucas Nussbaum announced in April 2015 that the legal obstacles blocking ZFS on Debian were cleared, the package is still not in Debian. The package is again in the NEW queue. Several uploads have been rejected so far because the debian/copyright file was incomplete or wrong, but there is no reason to give up. The current status can be seen on the team status page, and the source code is available on Alioth.

As I want ZFS to be included in next version of Debian to make sure my home server can function in the future using only official Debian packages, and the current blocker is to get the debian/copyright file accepted by the FTP masters in Debian, I decided a while back to try to help out the team. This was the background for my blog post about creating, updating and checking debian/copyright semi-automatically, and I used the techniques I explored there to try to find any errors in the copyright file. It is not very easy to check every one of the around 2000 files in the source package, but I hope we this time got it right. If you want to help out, check out the git source and try to find missing entries in the debian/copyright file.

For litt mer enn et år siden laget jeg litt statistikk for 2013 og 2014 basert på Offentlig elektronisk postjournal (OEP). Tallene finnes i tre bloggposter, en over hvem som er mest hemmelighetsfulle, en annen med hvor mye som mangler og en om hvor stor andel dokumenter som journalføres mer enn 180 dager etter dokumentdato. Jeg synes det er interessant å se hvordan det utvikler seg over tid, så her er tallene for 2015 og 2014. 2014-tallene bør være de samme som sist, men kan ha litt avvik på grunn av endringer/korreksjoner gjort i OEP. Denne gangen har jeg samlet alle tallene i samme bloggpost.

Først kommer statistikken over antall dokumenter som er registrert unntatt offentligheten i OEP. Merk at klassifiseringen i OEP er foreløpig, slik at en kan få innsyn i dokumenter merket unntatt offentlighet når en spør, etter nærmere vurdering. Det er dermed ikke gitt at prosentsatsen representerer hvor mange dokumenter som ville blitt holdt tilbake på forespørsel.

Interessant å se hvordan Utenriksdepartementet tilsynelatende er blitt ekstremt mer hemmelighetsfull på tre år. I 2015 var 99,8% av 71409 dokumenter merket som unntatt offentlighet, mens i 2014 var det 44,3% av 65121 og og i 2013 var det bare 12,1% av 67828. Lurer på hva som har skjedd. (Oppdatering 13:40: Dette er en teknisk feil i databasen, da UD har begynt å legge inn '-' der det ikke er unntak, mens det tidligere var et tomt felt. Skal lage ny statistikk, men det tar noen timer å lage ny tabell. Oppdatering 15:30: Ny tabell på plass, mer forklaring nederst i teksten.)

Dernest kommer statistikken over hvor mange saksnummer og dokumenter som ikke finnes i OEP (dvs. hull i saksnummer- og dokumentnummerserien). Se tidligere omtalte bloggpost for å forstå hvordan slike hull kan oppstå uten at det er noe galt eller mistenkelig med det.

Til sist er statistikken over hvor stor andel av utgående, inngående, og andre dokumenter som blir journalført mer enn 180 dager etter dokumentets dato, dvs. hvor stor andel som blir journalført ekstremt sent for utgående og interne dokumenter, mens det for innkommende like gjerne kan være at det tok lang tid før de ble mottatt.

Jeg lurer virkelig på hvordan så mange i det offentlige klarer å ikke journalføre utgående dokumenter med en gang de gjøres ferdig. Er det manglende opplæring, vanskelige systemer, vond vilje eller noe helt annet som er årsaken? Det hadde vært interessant å finne ut om det var noen fellestrekk for dokumenter som ikke blir journalført før det er gått et halvt år.

Oppdatering 2016-04-07: En nærmere undersøkelse av OEP-oppføringene til Utenriksdepartementet viste at det var en teknisk feil i måten jeg laget statistikken, der alle oppføringer med '-' i unntaksgrunnlagsfeltet ble talt opp som unntatt offentlighet. Det var UD ikke alene om. Det viste seg å gjelde Barne-, likestillings- og inkluderingsdepartementet (4), Helse- og omsorgsdepartementet (3525), Landbruks- og matdepartementet (1753), Nærings- og fiskeridepartementet (11780), Nærings- og handelsdepartementet (7), Nærings- og handelsdepartementet (frem til 31.12.13) (10417) og Utenriksdepartementet (78798) også. Antall påvirkede oppføringer står i parentes. Jeg har fikset problemet og oppdatert tabellen for hemmelighold over. Oppføringene for Nærings- og handelsdepartementet, Landbruks- og matdepartementet, Utenriksdepartementet og Helse- og omsorgsdepartementet fikk ny plassering i lista.

Two years ago, I had a look at trusted timestamping options available, and among other things noted a still open bug in the tsget script included in openssl that made it harder than necessary to use openssl as a trusted timestamping client. A few days ago I was told the Norwegian government office DIFI is close to releasing their own trusted timestamp service, and in the process I was happy to learn about a replacement for the tsget script using only curl:

openssl ts -query -data "/etc/shells" -cert -sha256 -no_nonce \
  | curl -s -H "Content-Type: application/timestamp-query" \
         --data-binary "@-" http://zeitstempel.dfn.de > etc-shells.tsr
openssl ts -reply -text -in etc-shells.tsr

This produces a binary timestamp file (etc-shells.tsr) which can be used to verify that the content of the file /etc/shell with the calculated sha256 hash existed at the point in time when the request was made. The last command extract the content of the etc-shells.tsr in human readable form. The idea behind such timestamp is to be able to prove using cryptography that the content of a file have not changed since the file was stamped.

To verify that the file on disk match the public key signature in the timestamp file, run the following commands. It make sure you have the required certificate for the trusted timestamp service available and use it to compare the file content with the timestamp. In production, one should of course use a better method to verify the service certificate.

wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text

Wikipedia have a lot more information about trusted Timestamping and linked timestamping, and there are several trusted timestamping services around, both as commercial services and as free and public services. Among the latter is the zeitstempel.dfn.de service mentioned above and freetsa.org service linked to from the wikipedia web site. I believe the DIFI service should show up on https://tsa.difi.no, but it is not available to the public at the moment. I hope this will change when it is into production. The RFC 3161 trusted timestamping protocol standard is even implemented in LibreOffice, Microsoft Office and Adobe Acrobat, making it possible to verify when a document was created.

I would find it useful to be able to use such trusted timestamp service to make it possible to verify that my stored syslog files have not been tampered with. This is not a new idea. I found one example implemented on the Endian network appliances where the configuration of such feature was described in 2012.

But I could not find any free implementation of such feature when I searched, so I decided to try to build a prototype named syslog-trusted-timestamp. My idea is to generate a timestamp of the old log files after they are rotated, and store the timestamp in the new log file just after rotation. This will form a chain that would make it possible to see if any old log files are tampered with. But syslog is bad at handling kilobytes of binary data, so I decided to base64 encode the timestamp and add an ID and line sequence numbers to the base64 data to make it possible to reassemble the timestamp file again. To use it, simply run it like this:

syslog-trusted-timestamp /path/to/list-of-log-files

This will send a timestamp from one or more timestamp services (not yet decided nor implemented) for each listed file to the syslog using logger(1). To verify the timestamp, the same program is used with the --verify option:

syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp

The verification step is not yet well designed. The current implementation depend on the file path being unique and unchanging, and this is not a solid assumption. It also uses process number as timestamp ID, and this is bound to create ID collisions. I hope to have time to come up with a better way to handle timestamp IDs and verification later.

Please check out the prototype for syslog-trusted-timestamp on github and send suggestions and improvement, or let me know if there already exist a similar system for timestamping logs already to allow me to join forces with others with the same interest.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.