Posts for November 2009

2009-11-01: Coming back

At the fence line

Looking along the fence line south of the Adobe Resort in Yachats, Oregon. This was taken yesterday on a grey, overcast day. The plus of the weather we had in Yachats is that I have tons of great cloud pictures, but the lighting was a touch challenging before the clouds broke up.

I'm still in Oregon and will be off-line for most of tomorrow, but otherwise I'm on my way back from vacation. I've been waking up with ideas about coding or packaging work that I want to do, which is a good sign. I'm not feeling ready for the social interactions of work yet, but I have some more time before I have to deal with that. I'll be working remotely one day before heading back to Stanford.

I've sorted through all of my mail, but not turned it into next actions or updated my to-do list. That's the next step, which I've been poking at a bit tonight and will probably start working on in earnest tomorrow night. I did get my last book review written today, which means that with two yesterday I'm now completely caught up. That's a great feeling. The total reading for vacation, with a few more days and hopefully a couple of books still to add, is nine books read, a tenth finished, and reviews written of two more books that I read before vacation. It's not as many as I've read some years, but it will make the total reading for the year a bit more respectable.

I have a ton of pictures to sort through and annotate, and I still haven't done that for last year's beach trip. The plan is to do that during the evenings for the next few nights as a light task that I can do while working on other things.

2009-11-02: Getting caught up

White driftwood

In Yachats along the 804 trail, there was a bunch of wonderful driftwood with lovely white bark texture. I have a few more pictures like this that I'll probably post later on.

I'm still making my slow way home, but we're driving less distance each day than we normally do, leaving me time in the mornings and evenings to catch up on e-mail. I've now read everything and started responding to some of the things I'd marked as needing attention. I have a lot of tagged stuff yet to get to, but I think I got through about a third of it today. I'm also annotating all of my pictures, and today did one of my largest days (117 pictures).

Tomorrow I'll be somewhere where (once I figure out how to make wireless authentication work without Network Manager) I'll be able to settle in and do some coding and tackle some larger projects. Hopefully I'll also finish getting caught up.

2009-11-03: First day of work

Soft and hard

Another photograph along the 804 trail in Yachats, Oregon during a cloudy, overcast day. I love weather like that, better than sunny and clear weather.

I'm now somewhere where I'm going to stay for a day, since four days in a row travelling would have been a bit much. We only had a two hour drive this morning, and then I got network and was able to get back to work. I've just uploaded new OpenAFS packages to Debian unstable that include a bunch of fixes that have gone into the stable branch, and will be backporting them shortly for Stanford and later for backports.org. I'll finish that off tomorrow.

I still have a fair number of messages marked to act on that I haven't done something useful with, like figured out next actions, but I wanted to accomplish something right off and feel better about being back to work. The tentative plan is to do more organization tomorrow.

2009-11-04: Mail organization

Runoff in red

The last few pictures haven't had much color, so here's something that's a bit brighter. The traces of places where water once was are often fascinating to my eye.

I did okay on catching up and organizing my mail. All the work messages except a couple of reports have now been dealt with and disposed of, and I updated a few scripts that I'd been meaning to update for quite some time. I still have some personal mail and a bunch of Debian mail that hasn't gotten the Getting Things Done treatment and turned into real action items, and I haven't been working from my to-do list at all, but baby steps. It was harder than I expected to focus and work from Roseville, so it's good that I'm headed home tomorrow.

Since I worked a full day on Tuesday, tomorrow will be a vacation day. Mostly it will be travel and reading, and then in the evening it will be life organization. Friday, I'll probably start working on the Debian bits. I have Shibboleth packages to update that will take a while; I was going to start on that today, but ran out of time.

Between other things, I've been finishing the AFS server balancing work I started before I left, since they were badly out of balance. Doing that, I can see the need for a bunch more audit scripts, improvements to the scripts we already have, and merging together some new scripts into features for scripts I'd previously written. But I'm not allowed to spend a lot of time on this right now....

Yes, the break tomorrow and quiet reading on the train will be very good for me.

2009-11-05: Welcome home

Evening storm

I'm finally back home. This was the sight that welcomed me. It hasn't actually rained here, but it was definitely raining around Davis and it's supposed to rain north of I80, with snow above 6000 feet.

I was hoping to start on Shibboleth packaging today, but I wasn't feeling that great for a lot of the trip home and it took a lot out of me. I was worried for a bit this evening that I was coming down with something, but I'm feeling much better now, so it was apparently just one of those things. But it meant fairly low energy; I haven't even started unpacking.

Oh well, part of my new post-vacation equanimity is not to push myself beyond reasonable expenditures of energy. Things can wait until tomorrow.

2009-11-06: Still catching up

Light driftwood

Have a texture picture today.

Today was the first day back in the office, although not a full day of work since I was way ahead on hours today. I caught up on e-mail and talked to my boss about what happened while I was gone, and then started going through the remaining e-mail that I had tagged to work on, and then promptly got distracted by dealing with a pam-krb5 issue. Deciding to stick with the philosophy I took away from vacation of trying to focus and do one thing well, that was four hours of the day. pam-krb5 4.0 is now about ready to go out.

But I did get the laundry done, the car on the charger, and my postal mail picked up, and I suspect that tomorrow will be mostly devoted to unpacking, organizing the house, doing shopping, and otherwise catching up on life stuff.

Lintian needs some attention. Maybe soon. Shibboleth is getting attention right now; the first of the uploads is now in NEW.

2009-11-07: Voting mutual fund proxies

(This information may be very US-specific. I have no idea how this works in other countries.)

If you hold money (such as retirement savings) in a mutual fund, you have probably received, from time to time, mailings asking you to vote on some issue put before the shareholders. They usually involve elections of trustees and sometimes other administrative changes to the funds. These mailings always provide some option to vote the recommendations of the board without any further effort. If you're like I used to be, you probably either ignore these or, if made to feel guilty by the pleas to vote your shares so that they don't have to contact people again, vote the recommendations.

I'd like to encourage you to stop doing that and instead read and really vote.

First, voting, including not voting the recommendations, is very easy and doesn't require filling anything out and mailing it. Every one of these proxy votes that I've seen recently uses proxyweb.com, which is a simple and fairly usable web site. You just go to the web site, enter the number at the top of the proxy card, and click on the Vote button (without selecting the box to vote all the defaults).

Second, apparently in at least some circumstances all the shares held by a particular investment company are voted proportionately based on the people who respond. In other words, the votes that are received are taken as representative of the people who didn't vote. This means that your vote can actually have a substantial effect. (Cynically, I suspect this is the actual reason why they encourage uninterested people to vote to "save resources"; what they're really hoping is that those uninterested people will vote the recommendations because it's easier.)

When I read the literature, I usually end up voting against most of the proposals.

For example, my most recent proxy vote had a proposal to move the fund from Massachusetts to Delaware, which is a tax and regulation dodge to move into a very corporate-friendly legal state from one that cares more about individuals and has more regulation. I voted against.

It also had a bunch of proposals to relax investment requirements "not required by law" to give the fund more "flexibility." If you're like me, more "flexibility" in investing around things like borrowing, creating new senior shares, short-selling, and investing in real estate sounds like a rather bad idea. So does eliminating all restrictions not required by law. I voted against.

There was also a set of proposals that, so far as I could tell, basically allowed the management company of the mutual fund to execute a legal dodge to treat separate funds as separate corporate entities for the purposes of investment law in some countries, allowing it to bypass some limits. I voted against.

Voting for trustees is harder, since the typical investor isn't going to know anything about most of them, but I apply some similar logic to how I vote for judges in local elections. When voting for judges, I vote for all defense attorneys and against all prosecutors, since I think the legal system in California is too skewed towards prosecution and revenge. Similarly, when voting for trustees, I withhold my vote for anyone who holds positions with companies like J.P. Morgan or Citigroup or who works in businesses like corporate strategy, because I think the management of such funds is too biased towards insider Wall Street affiliations. It may not accomplish anything, but I'm fairly sure it's not going to hurt.

Next time you get one of those proxy cards, think twice before tossing it or returning it with the minimum number of checks. If you don't like the way that corporate governance in the US seems to be primarily about dodging taxes and avoiding regulation, you may be able to have more impact than you realize by taking ten minutes to visit the web site and vote against a few things.

2009-11-08: Domestic catchup

Cloudy view

I suspect I've taken some variation of this picture more times than I'm aware of, but I don't think I've posted any of them before, and I do love this picture.

Today was the cleanup and catch-up day. I've now done the grocery shopping and restocked the house, put away all of the clothes, finished unpacking, made my monthly charitable donations, and caught up on all of the paper mail, both the stack from before vacation and the mail that accumulated during vacation. The mail took most of the day, since it's one of those tasks that needs to be done weekly for me to stay on top of it and it had been about five weeks.

But it's all done, the place looks much more clean, and I've been snacking on good food. Which I should do less of, now that I'm back from vacation, but I'm getting a lot of exercise, so I'm not worrying too much about it.

No work on-line today other than a bit of AFS server balancing.

The new charity find this month is Swords to Plowshares, a local Bay Area charity devoted to helping reduce poverty and homelessness in veterans in the Bay Area and heal the lingering wounds of war, with an excellent overhead to service ratio.

I have mixed feelings about supporting military charities. I'm increasingly of the opinion that while there may be just wars, that doesn't describe any of the ones we've been fighting, and the US is abusing its military power in crusades that are at best ineffectual. However, I also believe that the people who are serving in the military are, by and large, doing so for the highest and best of motives and truly believe they're helping the country, and their misuse and abuse by the US government is largely not their fault. And the effect of war on the soldiers is truly horrible, way beyond what I think most had any idea they were signing up for. This organization caught my eye because it's local, because their web site explicitly talks about how war leaves wounds and suffering, and because it's not affiliated with traditional military organizations that support other things that I'm not as comfortable supporting.

2009-11-08: Slow Sunday

Grass hummock

This is the most "doctored" picture I've taken yet, since the day was very misty and the contrast of the original picture was horrible. Tweaking the contrast was more successful than I expected, bringing out the picture that I was seeing. There's also a bit of cropping and sharpening.

I was going to work on on-line things today, but I just didn't have the energy or motivation. I'm mildly annoyed by that, since I should have lots of energy coming off of vacation, but I don't want to fight it. I did do a bit more AFS work and a load of dishes, so it's not like I did nothing, and the two-hour nap in the afternoon indicates that I might have needed a bit more sleep.

I'm also happily eating a bit too much and haven't yet walked today, but I might still fix that before I go to sleep, despite having to get up a bit early tomorrow for a morning meeting.

2009-11-09: Meeting day

Sand on dark rock

Today was also not a day for getting a lot accomplished, mostly because I had three and a half hours of meetings and another hour of meeting prep. One of those meetings was a kick-off meeting for a new monitoring and metrics project, and much of the rest of the day was spent helping brainstorm the technical architecture we want to use to separate the data gathering from the data reporting and put a network protocol in the middle to make it easier to plug and unplug components later.

Maybe this time we'll follow this project through to completion and produce something we'll be able to keep using, unlike several of the previous iterations of this project.

I was going to write a review this evening, but I ran out of steam. I'm also not yet finding energy to work on Debian things. Hopefully tomorrow, with fewer meetings and more time for concentration, will go better on that front. I'm also hoping to get to play some volleyball for the first time in quite a while. I'm also considering writing the review in the morning before heading into work, taking advantage of morning energy.

I'm writing up some bits about authentication and directory systems on a Usenet group, which is reminding me of all the white papers I'd really like to write about how we do things at Stanford. It takes a lot of time to do that, but it feels so good to do it. Not this week; too many other things that are behind. But it's good to be reminded that I should make time for that.

Preliminary goals for tomorrow: finish getting ticked messages out of my mail and into my to-do system, and then finish the Heimdal implementation of password strength checking.

2009-11-12: Lintian 2.2.18

It's been a long time since a release, and we were overdue. And I finally got some time to catch up from having been on vacation.

There are a bunch of bug fixes in this version, and I tried to clean up the lowest-hanging fruit from the BTS, but a lot of the changes came from the discussion around the new rejects from ftp-master if certain Lintian tags are found. The subsequent discussion in debian-devel, and some other threads in debian-mentors, turned up a few problems and short-comings, most of which should now be fixed.

I also went through all of the tags that can result in an automated reject and made sure that nearly all of them were severity: serious. The ones that cannot be overridden are certainty: certain; the rest are mostly certainty: possible, although some of them are reliable enough that they're still certain. While doing that work, I also filed bugs against debian-policy for all of the reject tags that aren't documented in Policy now. These are mostly obvious gaps.

This version removes the flawed check for dh-make boilerplate for the upstream author (the infamous "Author(s)") and replaces it with much more reliable checks for template phrases that are only going to be generated by the helper programs and which don't make sense in the completed copyright file for a package.

2009-11-13: pam-krb5 4.0

When I introduced use_authtok in pam-krb5 2.0, I misunderstood the intention of the option. I thought it was intended to say to always use the stored authentication credentials in the PAM stack for any credential, either the current or the new one for password changes. So I implemented it for both the auth group and the password group, and for the latter it applied to both the current and new password.

use_authtok is actually supposed to only apply to the password group and there only to the new password. Otherwise, you can't stack the module with use_authtok with a module like pam_cracklib, since pam_cracklib will only ever prompt for the new password, not the old one.

This release corrects my mistake and changes the meaning of use_authtok to only apply to the new password in the password group. I introduced a new option, force_first_pass, which does what use_authtok used to do for the old password. It's like use_first_pass but will fail if there's no password already stored instead of prompting. (This may be what use_first_pass is supposed to do, and other modules implement it that way, but I find it nicer to allow use_first_pass to prompt if there's no password at all; it makes it easier to stack modules without fiddling with the options.)

Therefore, on upgrade, if you have use_authtok in the auth group, you should change it to force_first_pass. If you have it in the password group, you should add one of try_first_pass, use_first_pass, or force_first_pass as well, depending on what you want.
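The upgrade rule above can be checked mechanically. The following Python audit is an added example, not code from the pam-krb5 distribution or its author; the function names and the sample configuration are constructed for illustration, and it assumes the one-service-per-file `/etc/pam.d` line format.

```python
import os
import re

MODULE = "pam_krb5.so"
FIRST_PASS = {"try_first_pass", "use_first_pass", "force_first_pass"}
# type, control (plain word or bracketed [value=action ...]), module, args
LINE_RE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def logical_lines(text):
    """Yield (first_lineno, line), joining backslash-continued lines."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def parse_pam_line(line):
    """Return (type, control, module, args) or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    match = LINE_RE.match(line)
    if not match:
        return None  # blank, comment, or a directive such as @include
    ptype, control, module, rest = match.groups()
    return ptype.lower(), control, module, rest.split()


def audit(text):
    """List (lineno, group, advice) for pam_krb5 lines affected by 4.0."""
    findings = []
    for lineno, line in logical_lines(text):
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        ptype, _control, module, args = parsed
        if os.path.basename(module) != MODULE or "use_authtok" not in args:
            continue
        if ptype == "auth":
            # Old meaning in the auth group is now spelled force_first_pass.
            findings.append(
                (lineno, "auth", "replace use_authtok with force_first_pass"))
        elif ptype == "password" and not FIRST_PASS.intersection(args):
            # use_authtok now covers only the new password; the old one
            # needs an explicit *_first_pass choice by the administrator.
            findings.append(
                (lineno, "password",
                 "add try_first_pass, use_first_pass or force_first_pass"))
    return findings


# Constructed sample configuration using the pre-4.0 option semantics.
SAMPLE = """\
# constructed sample: options as used with pam-krb5 before 4.0
auth     sufficient  pam_unix.so
auth     required    pam_krb5.so use_authtok
password requisite   pam_cracklib.so retry=3
password [success=ok default=ignore] /lib/security/pam_krb5.so use_authtok
password sufficient  pam_krb5.so use_authtok use_first_pass
session  optional    pam_krb5.so
"""

if __name__ == "__main__":
    for lineno, group, advice in audit(SAMPLE):
        print(f"line {lineno} ({group}): {advice}")
```

The password-group case is reported rather than rewritten because which of the three options to add depends on the behavior the administrator wants.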

This release also stops ever returning PAM_IGNORE from pam_setcred, since this confused older versions of the Linux PAM libraries, such as the one shipped with RHEL5. In order to do this, I had to significantly refactor the way setcred was handled, so I also fixed the logging for pam_open_session and pam_close_session. It also stops using issetugid on Solaris to determine when to avoid refreshing the ticket cache, since this breaks screen savers.

Finally, since I was going to a 4.0 release anyway due to the incompatible change in the meaning of some options, I went ahead and switched to Automake and Libtool (which is why the size of the distribution doubled). This brings it closer to my other packages and I think will save maintenance work down the road. Hopefully this doesn't break the build on any platforms where it was previously working.

You can get the latest version from the pam-krb5 distribution page.

2009-11-20: pam-krb5 4.1

The 4.0 release, which moved away from using PAM_IGNORE as a return status for pam_setcred, returned an error instead. I had forgotten that I tried to do this once before and discovered that it didn't work with PAM configurations that use jumps, such as the recommended configuration with pam_afs_session. Whoops. Thanks to Ian Ward Comfort for pointing out the problem. pam_setcred now just returns PAM_SUCCESS if there's nothing for it to do.

This version also changes the password change implementation to always prompt for and store the new password even if pam_krb5 is going to ignore the user. This is required to allow the module to be stacked with other modules using use_authtok, which is the default configuration in Debian. Thanks to Steve Langasek for explaining why this is needed.

Finally, I added a bunch of new logging functions and rationalized and improved the logging throughout pam-krb5. It now uses pam_syslog where available, with a fallback for other systems, so that the logging looks like all the other Linux PAM modules. Successful authentications and failed authentications are now logged and should look much closer to what pam_unix does. I also increased the priority of a bunch of errors that were previously only logged at LOG_DEBUG to LOG_ERR so that the system administrator can see them. I suspect I'll need to fine-tune the logging levels a bit more in subsequent releases.

You can get the latest version from the pam-krb5 distribution page.

2009-11-25: pam-krb5 4.2

As feared, there were portability problems in 4.1 on Solaris. A dumb one, too: I forgot to modify Makefile.am to include additional files used only on some platforms in the distribution.

4.2 fixes that problem and also adds a new option to treat expired passwords as equivalent to invalid passwords rather than doing any sort of password change.

You can get the latest version from the pam-krb5 distribution page.

2009-11-25: rra-c-util 2.1

This release of my C utility library includes the modifications to the networking portability layer contributed by Jeffrey Altman to remctl (which will be in the upcoming release). The networking code should now also work on 64-bit Windows.

It also includes a minor addition to the macros for handling lib32 and lib64 paths used to set libdir to an appropriate value. This was required for pam-krb5 (and will also be used for pam-afs-session).

You can get the latest release from the rra-c-util distribution page.

2009-11-29: remctl 2.15

The primary change in this release is improved Windows build and portability support contributed by Jeffrey Altman. The remctl client (although not the server yet) should now build properly on both 32-bit and 64-bit Windows.

Also included in this release is a new special keyword for the remctld configuration file: EMPTY, which matches only the empty subcommand. Previously, configuration for the empty subcommand was only possible using ALL. ALL is now also supported when specifying the command.

The command-line client now matches the capabilities of the libraries by allowing the subcommand to be omitted.

Finally, the build and test system and supporting utility libraries have been updated to the current versions of rra-c-util and C TAP Harness.

You can get the latest version from the remctl distribution page.

2009-11-30: The GOP fails at spamming

Anyone have any bets on how long the US Republican Party will continue spamming postmaster@stanford.edu with their political fundraising attempts, all prefaced with "Dear ,"?

I'm very tempted to write mail back to "Michael Steele" (who is probably neither the author of any of these messages nor will ever go anywhere near any of the responses) saying that we would be delighted to purchase a plush elephant from the GOP Store, except that doing so would be illegal. Perhaps he should consider whether soliciting political contributions from a role address at a non-profit educational institution betrays a certain lack of comprehension of the nuances of the federal tax code.

If you are curious why the Democratic Party enjoys a huge on-line fundraising advantage over the Republican Party, there are at least three examples of obvious incompetence explaining this in every message that postmaster@stanford.edu receives from the RNC (and doesn't from the DNC).

2009-11-30: Vacation haul

I've been lax in posting recently due to a combination of trying to dive back into work after vacation and then having another vacation with company for the whole week of Thanksgiving. The latter was huge fun and a great break. Most years, I've tried to work some at the same time as hosting, but this year I just took the time off and focused on talking and playing video games together. That was exactly the right decision. I took an almost complete break from thinking about work and am now feeling much more focused and refreshed.

In all of that, though, I remembered I'd never posted my haul of books from vacation in October. So, belatedly, here it is.

Daniel Abraham — A Shadow in Summer (sff)
Daniel Abraham — A Betrayal in Winter (sff)
Eric Ambler — The Siege of the Villa Lipp (thriller)
Anne Bishop — Tangled Webs (sff)
Ben Bova — Titan (sff)
Emma Bull — Territory (sff)
C.J. Cherryh — Exile's Gate (sff)
Peter Crowther (ed.) — Cities (sff)
Dave Duncan — Children of Chaos (sff)
Bonnie Henderson — Strand (non-fiction)
George R.R. Martin (ed.) — Wild Cards, Volume One (sff)
L.E. Modesitt, Jr. — The Eternity Artifact (sff)
James Morrow — The Last Witchfinder (sff)
Pat Murphy — Wild Angel (sff)
Linda Nagata — The Bohr Maker (sff)
Larry Niven & Steven Barnes — Dream Park (sff)
Larry Niven & Edward M. Lerner — Fleet of Worlds (sff)
Rebecca Ore — Being Alien (sff)
Tim Powers — Expiration Date (sff)
T.A. Pratt — Blood Engines (sff)
Elizabeth Ann Scarborough — Last Refuge (sff)
Michael Marshall Smith — Spares (sff)
Norman Spinrad — The Void Captain's Tale (sff)
Bruce Sterling — The Zenith Angle (sff)
Rory Stewart — The Places in Between (non-fiction)
Jeffrey Toobin — The Nine (non-fiction)
Gene Wolfe — Pirate Freedom (sff)

As you've probably seen, I've already read and reviewed a few of those. The Places in Between is waiting for me to find time to write a review, but is one of the best books I've read. Highly recommended.

Right now, I have my typical winter head cold (just a head cold, no flu symptoms at all), which thankfully waited until after vacation. I started getting a runny nose Sunday night. So far, I'm actually a bit happy about it, since it's a good excuse to work from home and really focus on getting things done instead of going to meetings and talking to people, and today was wonderfully productive.

Last modified and spun 2017-10-16