xenoterracide's blog

OpenWRT static DHCP

2009-07-06T02:47:00.005-04:00

I use OpenWRT on my Linksys WRT54GL, all shell, no web interface. My basic problem is that both me and my roomate need ports forwarded from the internet to our systems. This means NAT, for nat you need to know the IP address that you're forwarding too. I could just 'static' the IP on our boxes and then set up the NAT. This is not the correct way to do things, as it would be much more difficult to keep track of who uses what IP and make sure that dnsmasq doesn't give out our static-ed IP's. Also when you static an IP on the client side that usually means setting dns, and remembering to unstatic it when you move. So we really want our dhcp server to give out the same IP address to a given mac address. to do this in OpenWRT you need to edit /etc/ethers.local the syntax of that file is basically


mac ip
mac ip

mine currently looks like this.

00:1e:8c:09:e7:13 192.168.1.2
00:21:9b:06:4c:c9 192.168.1.3

These 2 computers will always get the same IP address while any other computer on the network may get a random IP address. After editing this file you need to run /etc/init.d/luci_ethers start which will then generate /etc/ethers which is what is actually used. You could also reboot the router but that is unnecessary.

To pointer, or not to pointer: That is the question

2009-06-27T17:53:00.005-04:00

For a very long time now I've been looking for good explanations of pointers, and how the varying kinds differ.I've finally found a book that does a good job of explaining what they are and how they differ. The book is by Bjarne Stroustrup (the creator of C++) it's called Programming -- Principles and Practice Using C++
The book is supposed to teach you how to program (become a good programmer) using C++ not teach the C++ language. The question that Stroustrup poses is How do we choose between using a reference argument and using a pointer argument? his answer to the question is quite in depth, however I'll reiterate his summary here in the hopes that it's useful for someone.

So, the real answer is: "The choice depends on the nature of the the function":
For tiny objects prefer pass-by-value.
For functions where "no object" (represented by a 0) is a valid argument use a pointer parameter (and remember to test for 0).
Otherwise, use a reference parameter.

Ok, that alone seems a little confusing. I'm just going to use function declarations to denote the differences in code.

According to him, pass by value is the least error prone, but it copies memory and is therefore more expensive. To do this you'd declare a function like int func_name(int x);.

"No object" in my quote is another term for "Null pointer" which he defined previous to this but wasn't in my quote. If no argument to the function is valid you'd use that. It's declared like int func_name(int* x);

The last option is to use a reference pointer. these are declared as int func_name(int& x).

I still have some trouble with the what/why/when to use pointers, but I'll probably just go back through this a few times. Stroustrup's explanation is still the best I've seen. I'd suggest his book to any novice programmer. I'm not sure if it's the best for someone who's never seen any code as it goes quite fast. It doesn't spend hardly any time at all on language constructs, which most books do. I don't think so fast that you couldn't use it as a 'first programming book' but it might be good to have a book that covers the constructs (like for loop) in depth.

iptables browsing samba shares

2009-05-16T00:37:00.004-04:00

NOTE: this assumes that you've read my previous post on basic iptables setup on the desktop

So I just spent the longest time trying to determine what ports I needed to browse and use samba shares. The sad answer is it's just one.


iptables -A INPUT -p udp --sport 137 -j ACCEPT

the catch with all the information I found with google was that most of it was for samba servers. I didn't want that. I just want to be able to browse my roommates network shares, and download from them. None of the information google provided suggested I need to allow the source port on the other end.

Git Presentation

2009-05-11T16:27:00.005-04:00

I'm doing a git presentation and the Lansing Coldfusion User Group tomorrow night. Anyone who wants to is welcome to come Below are the slides for the presentation.

EDIT: I don't know why but google doesn't show all slides formatted right in mini mode. It's cut off some of the text and overlapped some things.

Jeff Atwood fails at password security

2009-05-06T19:10:00.010-04:00

This was originally written for a class assignment and as that has not been modified (much) for the web.

Jeff Atwood's password was compromised, the following includes a summary of how it happened, and how better security policies could have avoided it. This was written for Advanced Report Writing at Baker College.

Summary of Article

On May 3, 2009, Jeff Atwood reports that his Stack Overflow password was compromised an that he received an email explaining the details. The following is an excerpt of that email, that was posted in his blog post.

How? Well, there were two pieces of the puzzle, the password and the openid provider. I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out. The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow. I don't want to go into any more detail than that, but man - dictionary password! -A friend of the site (Atwood, 2009)

Jeff confirmed that the authentication logs for Stack Overflow did include a valid login from an unrecognized IP address. Although Jeff defends that his password was not a dictionary password. He also states that this particular OpenID account is for low security transactions online, and not particularly valuable. He digresses that because this account is a Stack Overflow moderation account, with special privileges, that he should have used a more secure login.

Jeff goes on to explain, the various ways which the account could have been compromised. The first method he describes is the "educated guess". An educated guess basically uses what you know about someone to guess there password. The second is "Brute force dictionary attack". Jeff describes this as an attack vulnerable to non-rate limited logins where the password is a word out of the dictionary. The third method described is "interception". This method is basically where the password was captured at some point between the user and its destination, this could be kelogger, packet sniffing, and/or simple lack of encryption. The final method was "Impersonation" where a site pretends to be a different site, and prompts you for credentials, this is also known as phishing.

Jeff presents that none of these methods were used to compromise his account.

I guess I can tell you, so you don't fall into this trap again. There's a site I help out with that doesn't salt their passwords. They're MD5 encrypted, but if you've got a dictionary password, it's very easy to use a reverse-MD5 site to get the original. I was able to figure out you were a user on the site some time back, and realized I could do this, if only I knew your openid provider... (Atwood, 2009)

Jeff then re-iterates that he is to blame, and this is a problem with programmers at large. He then suggests that programmers should get out of the business of storing credentials, if they don't want to take responsibility for it.

Evaluation of the Article

Jeff Atwood, is a fairly famous ~~full time blogger~~ entrepreneur, software developer and blogger, and often seen as an authority in the community. He is self admittedly not an expert and these articles truly show this. Jeff's articles will undoubtedly lead many programmers to be confused and ignorant about the types of attacks possible and the type of attack that actually took place. One good thing does come from these articles however. It increases developer awareness (and hopefully user) awareness of just how easy it is to compromise a password and how inadequate there own authentication systems may be.

Jeff seems to not understand the basics of all the attacks he's described so I will elaborate on what they really are.

1. Educated Guess: Jeff mostly has this right, however, in the article he calls this in with social engineering. It is in no way shape or form social engineering. Social Engineering generally requires convincing someone to give you information. An educated guess requires that you use information you already have to break the password. In a sense this was used to gain the login name, although it was not a guess, it was known. I once used an educated guess to break into the account of someone based on there age, gender, race, and password hint, none of which I had to gain any additional information on. note: my cracking of this account was 100% legal as it was authorized by the computer owner.

2. Brute Force: This is combined with 'dictionary attack' and although the two are often combined they are separate attacks. A brute force attack is simply generating account credentials (username password typically) with an automated computer program and sending them to the system you are attacking until it lets you in, until you are permanently blocked, or until you give up. A brute force attack is 100% successful unless somehow stopped as it will eventually try all combinations. The exception to this is when the password could be changed to a password already tried during the attack. This only works on a live system however, if the attacker manages to gain a copy of the password db they can attack at their leisure and may instead get a stale password. It can mostly be prevented by locking users out after a certain number of failed attempts.

3. Dictionary Attack: A Dictionary attack, although it does reference words from an actual dictionary, such as Webster's, it is not limited to just those words or even words. Dictionary attacks consist of lists of words which may come from any language, including fictional ones like Star Trek's Klingon, slang, names and pop culture references. Because of modern security standards they will often append, and prepend numbers to the words, and even change case around. Dictionary attacks may also include coded words such as 1337 also know as leet or l337 or l33t, etc. 1337 is a substitution cipher popularized online which substitutes letters for numbers that slightly resemble letters. A dictionary attack is usually run before a brute force as it is much faster, and has a high probability of success compared to time used. It can be mostly prevented by forcing users passwords to be compared against known dictionaries (such as cracklib) and making sure their password isn't in them, and forcing them to pick something else if it is.

4. Interception: Interception is another name for "the Man in the Middle" attack, which is
what it more commonly goes by. Jeff seems to be under the assumption that "Man in the Middle" requires the attacker to get the credentials verbatim. "Man in the Middle" basically means getting the data after the user enters it and before it reaches it's destination, this include keyloggers, screen scrapers, and packet sniffers. it may include other methods I'm forgetting. "Man in the Middle" is easily prevented by user strong 'stream encryption' in which all data sent between the client and the host is encrypted, SSL is commonly used for this on websites, note the 'lock' icon, in your browser. This is different from hash encryption which is how the password is (should be) stored as it encrypts all data being transferred including the username and password hash.

5. Impersonation: Or Phishing is a form of social engineering in which you pretend to be something you aren't and attempt to get people to give you sensitive data such as account credentials. It is most commonly done by creating a website which closely resembles the site for which you are trying to get credentials for, and then sending out emails to try to get people to log in.

6. Social Engineering: Social Engineering is simply misrepresenting yourself to get information. It can go as far as full blown fraud, or as simply as talking a person into giving me what they may not even believe is sensitive data. One could for example talk to someone, get there name, mention that they knew a woman who married a man with that last name and ask for a mother maiden name, pretending like they knew her. A mothers maiden name is a highly common question to prove identity in account verification and password resets online. People have also dressed up and walked into nuclear power plants with clipboards making themselves look like they belonged there, and were never stopped. An IT guy asking for your password may also be social engineering, as you think you should trust him. Social Engineering may be used to get account credentials or to formulate an educated guess.

7. Rainbow Tables: Rainbow Tables are databases of all possible straight password hashes up to a certain number of characters, and there corresponding passwords, these hashes may or may not be included with a dictionary attack, they typically include the full contents of a brute force. The largest Rainbow tables includes all possible combinations up to 8 characters for md5 hashes. These make reversing a hash from a password instant and easy. It still requires the attacker get the hash in the first place, this is usually done by "man in the middle", SQL Injection, or compromising the database server. This can generally be avoided by salt-ing the hash making it more difficult for the attacker to get the original password.

Jeff's Password was lost due to a combination of attacks. Firstly was public information, his 'user' credentials (OpenID) were publicly available (this isn't actually an attack), the second was "Man in the Middle", as obviously no one published the hash, so it had to be gotten somehow enroute (unless the db was cracked). The third was "Rainbow Tables" which allowed the attacker to reverse the hash into a real password. I don't believe that Atwood truly understands the attack vector's, and I don't think that people should read these articles for learning purposes. It is good though that he accepts some responsibility for lack of proper security practices on a sensitive account.

In my opinion this is what's wrong with programmers, they think they know better and instead of learning how to do it correctly and all the things that could go wrong, they just go ahead and do.

Atwood, J. (2009). I Just Logged In As You. Retrieved
May 6 2009, from Coding Horror
Web site: www.codinghorror.com/blog/archives/001262.html

Atwood, J. (2009). I Just Logged In As You: How it happened. Retrieved
May 6 2009, from Coding Horror
Web site: www.codinghorror.com/blog/archives/001263.html

EDIT: Sincerest apologies for originally spelling Atwood as Attwood and spreading misinformation about about his profession. Thanks to Stu for pointing this out. For some reason I thought those were both true, and did not check them, since I've been reading Coding Horror for at least a year.

@Grade I'll post it next week when I get it

@Spelling errors, I had reinstalled my system the morning of writing and apparently had forgotten to configure it. They should be corrected now.

@Assignment the assignment was not an essay but the evaluation of an article, and its content. It didn't require me to cite any sources for why I agree or disagree with the article.

Regen2. don't care anymore

2009-05-05T01:53:00.002-04:00

Yep, I don't really care anymore. So much work needs to be done, I can't do it alone, but neither Gentoo, Funtoo, Sabayon, or Exherbo, are going down the right path to the salvation of the 'gentoo way'. Without help or regular feedback I lost the will to work on it. Will regen2 ever be revived? I don't know.

if you want go to Funtoo, it should be easy enough to do


git remote add funtoo git://github.com/funtoo/portage.git
git remote update
git checkout funtoo/funtoo.org
emerge -avuDN world

at this time I'm not actually using gentoo*, I'm using arch, I may also check out debian sid, or maybe some other rolling distro.

Arch, Funtoo, and Regen2's future

2009-04-30T11:52:00.003-04:00

as I've been saying here recently I'm burned out, on so many angles it's not funny. I'm apathetic, I'm not really sure I care anymore. I'm actually playing with arch at the moment to see if it's a better fit. I also here debian sid might work. I don't want to maintain the tree 7 days a week anymore, and I'd like an up to date system.

I've been talking w/ drobbins lately about the possibility of a common tree with funtoo, I'm not sure he wants to do it the same way I do, which is unfortunate. doing this might take the load off me that I don't want, but it's entirely possible that it's too late for it to matter.

I'm going to take a few days and see what happens, it's entirely possible that I'm just going to give up at this point. I'll let people know in a few days what I've decided.

Regen2 0.9.1.0 Released

2009-04-22T00:45:00.004-04:00

_Release Highlights_

vanilla-sources-2.6.28.9
gcc-4.3.3
glibc-2.9_20081201-r2
openrc-0.4.3-r1
baselayout-2.0.0-r2
git-1.6.2.3
perl-5.10.0
bash-4.0_p17

app-sh/dash is now included in the tarball, in the next major release I hope to make it /bin/sh please test and report any bugs with doing this. apache2 and mysql are known to have issues. openrc works fine, the average desktop system should work.

_Known Issues_

emerge --sync will not clone the tree if it does not exist in portage 2.1

so for now you'll have to work around that issue. by manually doing the git clone.

_Download_

torrents are here http://www.mininova.org/user/xenoterracide and here http://code.google.com/p/regen2/downloads/list?q=label:0.9.1.0 actual tracker is TPB

http downloads are here http://regen2.devangels.org/release/ thanks to is_null for the mirror. If you're interested in mirroring them let me know. I'll put up a proper mirror list at some point.

EDIT: Thanks to theappleman for more hosting

HTTP (Europe):
http://g.applehq.eu/files/regen2/0.9.1.0/amd64/stage3-amd64-2009.04.18.tar.bz2
http://g.applehq.eu/files/regen2/0.9.1.0/x86/stage3-x86-2009.04.18.tar.bz2

FSP (just for fun ^^, it'd take about 8-9hrs to download the x86):
fsp://fsp.applehq.eu:2009/regen2/0.9.1.0/amd64/stage3-amd64-2009.04.18.tar.bz2
fsp://fsp.applehq.eu:2009/regen2/0.9.1.0/x86/stage3-x86-2009.04.18.tar.bz2

--
Caleb Cushing

http://regen2.org

Looking for tree maintainers

2009-04-21T20:01:00.002-04:00

I'd like to see multiple people merging the tree, with best case scenario being that it happens more than once a day. worst case status quo. I'm willing to write the scripts and teach anyone how to do it. I just ask that you can read an ebuild (to some degree) and have good judgement, or at least not too embarrassed to ask. Most ebuild merges are IUSE, KEYWORDS, and cvs line. the rest is really almost automated, merge (del package.mask) merge (fix ebuilds), repoman manifest, gen_metadata, commit, push. This will allow me to focus on other things hopefully, and make the distro better quality.

email the dev list if you're interested.

Regen2 0.9.1.0

2009-04-14T23:54:00.003-04:00

I haven't forgotten about it. I seem to lack all motivation on Spring Break. Nothing to procrastinate on. Now that school has started I'm working in full swing, I've been learning metro the past few days. I should have the tarballs ready by the end of the week. I'm not sure on mirrors right now. Have at least one volunteer mirror, and I will be torrent-ing them. I've been seriously procrastinating on finding out how to get on the Uni mirror ring.

~arch will be testing again not stable

2009-03-24T05:29:00.005-04:00

I think the idea of a meta distro on top of a stable base is the way to go, let people choose just what they want on bleeding edge. I like my kernel, gcc, and perl solid, sometimes I want firefox's beta's but that doesn't mean I want the rest of the system like that. At some point gentoo's ~arch became more stable that stable, this needs to end. Even if it means making stable a bit more unstable. I'd like to see more people running stable systems.

~arch is going to be aimed more at things that are stable enough, and pending stable. It's going to become more unstable than it is in a sense because I'm not afraid to hardmask stuff that was ~arch and is found to be broken. I'm also not afraid to release slightly broken stuff into ~arch, for example I'll release a new git into ~arch without an update noperl patch which means using -perl won't work. I won't release completely broken or overtly buggy things into ~arch though, I'm just not afraid to release with a missing patch (set) as long as it'll build and work in most cases and update later.

I've decided on a policy for stabilizing the kernel, first of regen2's kernel is vanilla-sources, if you're running another sources this doesn't apply. I will stabilize the previous kernel when the new major version is released so I will stabilize 2.6.28.x when 2.6.29 comes out, after that I will stabilize each new kernel a few days after it hits the tree (actually I may not wait), since the kernel's development model makes it highly unlikely that regressions will be introduced that late in the cycle. I may use a similar update scheme for other packages but it will be a package by package basis. But likely once a major version moves to stable it will be trivial to move new minor versions to stable.

I want to know what people use? what should be stable in regen2. 2 things I won't stabilize right now are qt-4.5 and kde-4.2. They work well enough but have too many bugs upstream, imho (should a kde developer look at this feel free to look at my buglist on your bug tracker, prtscrn must work before I'll mark kde stable, but hey at least dpms works with screensaver now). Anything else goes what do you use/need that's in ~arch and has been there for a long time. feel free to mention in comments, the dev list or the Bug tracker

Regen2 0.9.1.0 soon

2009-03-23T02:44:00.004-04:00

Last night I decided I'd be rolling out the first release of Regen2 in the first week of April.

So as I'm sure everyone knows version are arbitrary they mean nothing... well ours are going to mean something. The first 2 numbers are the year, so 20(0.9).1.0. the Third number is the quarter, we are going to be mass stabilizing system once per quarter. I'm not sure that this will include new profiles. 4rth number is kinda arbitrary at this point, I'm not sure how/if I want to use it, opinions welcome. since releases will be 'stable' I could use 0 as kind of an alpha, first release. 1 as beta, 2 as rc, and 3 as final. I could also do a 0-alpha1, 0-beta1, etc. and when stage4's and other stuff are rolled out use the version number to denote updated non-system software. In other words I could do releases each month of say kde in stage4's but I wouldn't change system more than once a quarter.

So far my list of packages that'll be marked stable include.

gcc-4.3.3(maybe r1)
glibc-2.9_20081201-r2
openrc-0.4.3-r1
baselayout-2.0.0-r2
git-1.6.2.1
perl-5.10.0

I'll have to spend the next few days figuring out the rest.

I'm debating also on whether I'm locking down major or minor versions. meaning I might consider stabilizing gcc-4.3.4 in the middle of this quarter but not gcc-4.4.

I'm open to opinions on anything. This may be a dictatorship, but I still don't mind hearing from people not me, as with enough eyes all bugs are shallow.

postgresql initial setup (users and databases)

2009-03-18T05:22:00.006-04:00

This guide assumes that you've managed to install and start the postgres server. I'm ignoring these because they are well documented in several places, probably including your distribution, however, what to do next isn't.

first you need to connect to the postgres database with psql as postgres, on gentoo* distributions you must be in the postgres group to do this. In the event this doesn't work you may have to su to the postgres unix user account somehow and run psql from there.

psql postgres postgres

you now have connected to what is essentially the 'root' user for postgres. as with all 'super user' accounts be careful and know what you are doing. also, as with all 'super user' accounts you don't normally want to run as them, so we need to create another user. I recommend creating the user with the same name as whatever shell account you may be connecting to it from (if applicable) because then you don't have to specify the username when typing psql.

CREATE USER xenoterracide WITH PASSWORD 'YeahLikeIdTellYou';

next you need to give the user a database. like the user account if you make it the same name as the shell account you won't have to pass it to psql.

CREATE DATABASE xenoterracide WITH OWNER xenoterracide;

now you're done with the setting up your users account so quit psql by tying \q at the prompt. now you can simply log in from your users shell by typing psql and SQL-ing away.

Tree hasn't been updated - why

2009-03-12T12:54:00.002-04:00

So 2 days ago, when I went to sync to gentoo I didn't get any updates. I'm not really sure why as the process seemed to go alright. It could have something to do with the next bit.

My System appeared to have been compromised. Syslog-ng was disabled and all logs post dec 30 2008 were removed. So i've spent the better part of yesterday/today reinstalling my system. Tree should be synced and merged tonight.

SYNC_METHOD

2009-03-07T20:18:00.003-05:00

I'm going to be pushing out an new feature to portage today, since testing has gone well.

SYNC_METHOD is a new portage variable, I've also gone to the trouble of defining it in make.globals. The default for Regen2. is git, however, rsync and cvs have also been defined although not tested.

the main benefit of SYNC_METHOD is to use one way of detecting the program you should use to detect the tree. previous variations were problematic, as rsync does not have a directory like .git and .git supports the rsync:// protocol.

I've added these defaults to make.globals

# Default sync method
SYNC_METHOD="git"

# Default sync mirror
SYNC="git://github.com/regen2/portage.git"

# default git method specific settings
PORTAGE_GIT_METHOD="checkout"
PORTAGE_GIT_REMOTE="origin/regen2.org"

you may of course override them with make.conf.

changes will officially be in portage-2.2_rc23-r3.

to Gentoo dev or not to Gentoo dev

2009-03-04T18:15:00.002-05:00

So after a little post about Regen2 on the Gentoo-dev mailing list. I've been offered mentoring to become an official gentoo dev. I'm conflicted, my main reason for saying yes would be to learn stuff that I can't learn on my own. But I'm not sure I really want to be a gentoo-dev this means doing these other time consuming things, and I wouldn't be able to do nearly enough from the inside. I still have to proceed with regen2... as I don't believe gentoo (in spirit) can be saved from within. So should I work to become an offical gentoo dev?

regen2 maintaining it's own openrc

2009-02-22T20:50:00.002-05:00

So openrc was updated recently, and I noticed it, I decided it was time to find out why drobbins had created his own version. so I viewed them, ultimately I decided that drobbins had made too many changes but the gentoo ebuild had its own issues. So I modified the Gentoo ebuild to use EAPI 2, removed all of the live ebuild code that shouldn't be in it, updated the branding, and we're ready to rock.

split package.mask

2009-02-21T23:30:00.002-05:00

There's been a problem with ${PORTDIR}/profiles/package.mask since I added sunrise, I didn't realize at the time the problem wouldn't be adding atoms, it would be keeping track of when they should be removed. I've decided that the best way to do it is to use portages 'directory concatenation' feature, I turned package.mask into a directory, it now contains a file for each overlay that has a package.mask, and one for gentoo.org and regen2.org. This will make it much easier to keep track of removals. They originals are being merged in from a package.mask 'overlay' on regen2's github account. Let me know if anything is now masked that shouldn't be or unmasked that shouldn't be.

merged java-overlay

2009-02-21T23:24:00.003-05:00

Java in Gentoo is horribly out of date, and from what I've seen of the java overlay, it doesn't improve the situation much, but it's still better than without it. I've merged it into regen2.org, since this was I think the most painful merge since the first I ever did, I may have made mistakes on some ebuilds, let me know if you experience problems.

USE="experimental-git" sys-apps/portage

2009-02-19T23:14:00.003-05:00

drobbins recent tip made me think, that maybe I should point out that his solution to the problem is an annoying work around. I had this problem for a while, it was caused by my having autocrlf = input in my .gitconfig settings. Several people have told me that they have this problem without changing their crlf settings for git. After a while I decided that Funtoo/Gentoo's git handling patches were incomplete at best and unfriendly at worst. So I wrote a patch that brings complete git handling to portage.

Why is it experimental? well it hasn't been officially accepted into portage, and as far as I know I'm the only one using it. One of the reason's it's not officially accepted is I haven't documented it.

WARNING: enabling it will cause auto git detection to fail, so if you don't finish setting it up portage will default to rsync.

So first you need to be using my regen2 tree, or get the ebuild and the patch from my tree, and enable the experimental-git flag for sys-apps/portage.

Now, like all the other protocols portage supports you need to set the SYNC variable in /etc/make.conf.

SYNC="git://github.com/regen2/portage.git"

the first 6 characters need to be git:// for git to work.

if you don't already have a git repository then sync will clone the repository at this url, in fact you may need to delete your portage and do a fresh clone for things to work in certain situations. I never discerned the reason for this.

now you need to set your method the most reliable, yet slowest is checkout.

PORTAGE_GIT_METHOD="checkout"

I believe this method will never experience the problem that drobbins was referring to.

for checkout you also need to set the remote branch you want to run off.

PORTAGE_GIT_REMOTE="origin/regen2.org" changing this variable and resyncing will allow you to change branches. checkout is even immune to upstreams forced updates, which is why I prefer to use it myself as sometimes I force updates on my development branch.

PORTAGE_GIT_LOCAL="regen2.org" is also a valid variable, however checkout doesn't use it. It's used by the methods rebase, which will run the git rebase command, this is recommended for people who don't run their own remote repo yet have there own custom git patches.

The final method available is merge, it works similar to the current pull behavior of portage, except it will actually merge from whatever remote you have specified into whatever local you have specified.

all methods use git remote update to avoid problems figuring out where to get updates from. I had problems with git knowing what to do with pull, when my origin was my personal repo on github and where I really needed to be updating from was funtoo not origin.

WARNING: git-experimental will probably be where I merge patches such as the upcoming manifest patch.

Heritage Paper - Cultural Diversity

2009-02-19T14:34:00.002-05:00

This blog entry is a test of Google Docs blog publish feature. I thought some might be interested in this paper I wrote for my Cultural Diversity class that I'm currently attending at Baker College of Auburn Hills, MI.

    My name is Caleb William Cushing, born Caleb Lee Rogers. I was born on October 21, 1984 in Lansing, Michigan, USA. I'm German / Norwegian by birth and German / English by law. I consider myself a full blooded American, and pay little heed to my lineage. Due in part to the fact of my culture, and in part to the fact that I am adopted and am not truly able to associate with either my biological family or my adopted one, as far as lineage goes.

   I consider myself a part of the 'Hacker Culture'. A Hacker is commonly defined as “A malicious meddler who tries to discover sensitive information by poking around. Hence password hacker, network hacker. The correct term for this sense is cracker.”¹ . Our definition, however, is a bit different, an acceptable version is “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.”². I myself have never broken into a system illegally, nor have I have ever maliciously attacked another system. We hackers are a sort of counter culture. We tend to exist on the fringe of what society expects, and we explicitly seek not to conform to society, but to make up our own minds. This means that we conform to society only when societies view are the same as ours.

   The hacker culture is generally a meritocracy, meaning the person with the most skill, talent, or experience leads, although often there are other concerns as well, but this is quite common. If a person ceases to satisfy with leadership, Hackers tend to just move on. I myself have gone from the very bottom ranks of knowing almost nothing, to my own little peak in the mountain range of leaders and followings we have. Even though I myself am becoming a respected member of my community, I still look up to those who have much more knowledge than me. This is not to say I agree with them unconditionally. The merit of ones claims, like in science, is only good so long as no one can disprove it. It is the duty of all to attempt to debunk a claim. Some claims are not debunk-able as they are based entirely on opinion and there is no scientifically correct answer for all cases. This is why there are so many 'similar mountains' in the community, no correct answer was realized and so both parties went their own way. This is the reason why I now have my own mountain.

   "Hackers dress for comfort, function, and minimal maintenance hassles rather than for appearance (some, perhaps unfortunately, take this to extremes and neglect personal hygiene). They have a very low tolerance of suits and other ‘business’ attire; in fact, it is not uncommon for hackers to quit a job rather than conform to a dress code."3 I find that I generally fit this stereotype, I can be found where my pajamas and a t-shirt or jeans and a t-shirt more often than anything else. I only dress up when it's required, although counter to many of my hacker comrades I do not completely abhor dressing up, I simply prefer not to.

    "Many (perhaps even most) hackers don't follow or do sports at all and are determinedly anti-physical. Among those who do, interest in spectator sports is low to non-existent; sports are something one does, not something one watches on TV."⁴ I whole-heartily agree with this sentiment, and although I've tried sports in the past I've never stuck with them. Many members of my family enjoy watching varying sporting events such as football, I've never understood this. The major exception in sports with hackers is martial arts, I've partaken in them and enjoyed them when I did, I hope to start practicing again soon.

    "Nearly all hackers past their teens are either college-degreed or self-educated to an equivalent level. The self-taught hacker is often considered (at least by other hackers) to be better-motivated, and may be more respected, than his school-shaped counterpart."5 I personally work towards a college degree only because it is required by many employers. I tend to avoid working on my school work as much as possible to focus on more important things such as practical education through doing. Academia has become a largely commercialized institution that seeks not to teach but to make a profit, and in my opinion it charges more for its product than it is worth.

    Hackers tend to detest "All the works of Microsoft. Smurfs, Ewoks, and other forms of offensive cuteness. Bureaucracies. Stupid people. Easy listening music. Television (with occasional exceptions for cartoons, movies, and good SF like Star Trek classic or Babylon 5). Business suits. Dishonesty. Incompetence. Boredom. COBOL. BASIC. Character-based menu interfaces."_⁶Although some of these dislikes are harmless, such as Ewoks, others are not. I have found that many times my culture clashes with that of the rest of the world, because of my contempt for things like bureaucracy, incompetence, and dishonesty. The rest of society seems to find these ineffective behaviors acceptable to the point of expected. I do not like the idea that I am expected to lie, so that other people may feel good about there own incompetence rather than improving themselves.

    "For those all-night hacks, pizza and microwaved burritos are big. Interestingly, though the mainstream culture has tended to think of hackers as incorrigible junk-food junkies, many have at least mildly health-foodist attitudes and are fairly discriminating about what they eat. This may be generational; anecdotal evidence suggests that the stereotype was more on the mark before the early 1980s."⁷ We hackers actually tend to be slight gourmets, preferring the finer, and more exotic foods in life. I myself enjoy going out for sushi on a regular basis. It is not uncommon for hackers to enjoy strongly ethnic foods of other cultures. We are very discriminating and many of us can probably tell the difference between good ethnic food, and cheap knockoffs almost as well as people who are native to that ethnicity. I have a strict policy of "don't knock it 'till you try it", this applies to many things including food.

    "Hackerdom is still predominantly male. However, the percentage of women is clearly higher than the low-single-digit range typical for technical professions, and female hackers are generally respected and dealt with as equals."8 I generally concur with this, we tend to be quite blind to gender, although this may have something to do with the fact that rarely we know the gender of who we are working with. On the note of 'equals' I should clarify in saying that a male would be treated the same as a female in the same scenario. Remember, we are a meritocracy, and a moron is still that.

    "In the U.S., Hackerdom is predominantly Caucasian with strong minorities of Jews (East Coast) and Orientals (West Coast)."9 "The ethnic distribution of hackers is understood by them to be a function of which ethnic groups tend to seek and value education. Racial and ethnic prejudice is notably uncommon and tends to be met with freezing contempt."¹⁰ I personally recall that my High School seemed to have a fairly high number of racists in it, and I suspect that St. Johns, MI is quite racist, which is why there is a very low number of non-whites in the community. I find this behavior beyond contempt. I admit to having some personal contempt for the Indians (India) this is caused not so much by any true racism and more of a contempt for Help Desks being outsourced to their country. There incompetence and inability to be an effective tool at what they've been tasked is the source of my disdain. I also disdain the US Companies that have made this unpatriotic, greedy, and unquality decision.

    Religiously Hackers tend to be "Agnostic. Atheist. Non-observant Jewish. Neo-pagan. Very commonly, three or more of these are combined in the same person. Conventional faith-holding Christianity is rare though not unknown."1 I was raised to be a Protestant Christian, and sometimes it comes through as it was very much ingrained as a child. I am actually an agnostic, wit slight leanings towards Buddhism and the occult, neither of which are uncommon in the hacker community.

    I was not raised a Hacker, at least not in my opinion, although there were things that were slightly Hackish in my upbringing. My adoptive mother makes all her food from scratch, and for a "home cooked" meal it is by far the best I have ever had, restaurants such as Bob Evans can't hold a candle to what she makes. My adoptive father could be described as a wood turning hacker. He turns wood on a lathe to make things such as bowls and vases, his work is unique, and among some of the best, he has even created his own tools and methods for doing so, this is definitely of the hacker nature. They are both conservative Christians, and a bit less open to new things than most hackers, they have a profound inability to learn new things, or try new things, I've found that in recent years I have been able to somewhat broaden there horizons, but this is quite limited.

    Both of my adopted parents were born in 1936 around Lansing, Michigan, Grand Ledge and Dewitt, respectively. They grew up at the end of the depression, and in fact my mothers earliest memory is that of getting electricity. She summarized her childhood as, "If you didn't need it, you didn't buy it". This was a 50/50 way in my childhood years, as I was a bit spoiled because she was unable to bear children herself. At the same time I didn't really get my first computer until I was 16, even though I'd been clamoring for something for years. I believe this was a two-fold cheapness they carried from the depression and a fear of new technology given there age. I had trouble acquiring things like cd players as well in the 90s. I've brought some of this with me into my adult years, although I prefer to be called frugal, as I don't buy what I don't need, but if I do need something I'm not cheap, you get what you pay for in my opinion. This was demonstrated by a cheap Apex dvd player they bought for me on my b-day, it died a year later, 2 weeks before it's warranty was up, circuit city replaced it with a newer Sony (I picked it) plus 3 year warranty and money back. These days I do my research on what I'm buying before I buy it, but I never pick the cheapest and rarely the most expensive, as neither end of the spectrum is a wise purchase.

    I find that my current mindset is one much more that of genetics than upbringing. Two of my three half sisters were straight A students in school and although I wouldn't call them Hackers they obviously have a high IQ, although they seem to be quite good at not putting there brains to use. I'm sure that they share a mutual opinion of me though.

   I share many of the same attributes as my biological parents, including my intelligence and stubbornness. Both of which I believe are considered 'German' traits. I lack many of there negative traits, except for the fact that I'm not the most pleasant person and I may get some of that from them. I feel as if I have actually picked the best attributes from both my upbringing and my genes and combined them.

    My grandparents on my adopted side were born around the turn of the century between 1897 and 1908. They'd gone from horse and buggy to men on the moon, color tv, and personal computers; I'm not entirely sure they actually had experience with the latter. All of them had passed before I was born. They were all natives to this country all though my Mothers Grandmother came from germany to flee the war, one that predated world war 1.

    The celebration of Christmas, Thanksgiving and Easter has been in our family 3, or more, generations although I do not truly celebrate them as holidays, I merely attend to be with family. The commercialization of these holidays is perverse, and the religious meaning holds no weight for me.

    My biological family seems to celebrate these holidays as well. However, my biological family is not close, to me or each other, the family on both sides is highly segmented into clicks even among immediate family. My biological grandparents are still alive but truthfully I don't know how to reach one of them at all, another I might have an email for, yet another I'm not on good terms with, and the last I do talk to occasionally but they are very sick.
    In general I now associate less with my family, and heritage than I do with the Hacker Culture.

Jargon File http://catb.org/jargon/html/H/hacker.html
Jargon File http://catb.org/jargon/html/H/hacker.html
Jargon File http://catb.org/jargon/html/dress.html
Jargon File http://catb.org/jargon/html/physical.html
Jargon File http://catb.org/jargon/html/education.html
Jargon File http://catb.org/jargon/html/hates.html
Jargon File http://catb.org/jargon/html/food.html
Jargon File http://catb.org/jargon/html/demographics.html
Jargon File http://catb.org/jargon/html/demographics.html
Jargon File http://catb.org/jargon/html/demographics.html

Banned from #funtoo

2009-02-16T09:25:00.006-05:00

After significant time, consideration, and consultation with others in #funtoo, there is a consensus that the discussion in #funtoo should focus on Funtoo. Therefore, I have decided to ban you from #funtoo and encourage you to set up your own channel(s) for your personal efforts.
Please utilize Daniel Cordero (TheAppleMan) as your liaison for submitting patches and discussing technical issues.

I like how all of this was done behind the scenes... oh and I was never asked to leave. I just woke up this morning banned. I find it interesting that Gentoo and Sabayon are considered ok topics of discussion, and I probably wouldn't have gotten banned for saying use one of those. But Regen2 seems to be a sore spot. I would have left if asked... I find the ban unnecessary. Or maybe I would have just idled watching for bug reports, I've unfortunately ended up laughing at most of them, as there have been quite a few on qt, and I preemptively masked the new qt, knowing that upstream wouldn't have it all sorted yet. Anyways... I'd like to state that I personally disagree with all the private discussions that go on in Funtoo. In gentoo the problems are public and distracting, when I was part of Funtoo, they were made private, this does not appear to be different now. It's possible this was discussed in #funtoo-dev as I stopped hanging out in that room when I stopped being a funtoo-dev. I think in general it's a bit hypocritical. I suppose you could say, "you were asked to not talk about regen2 what did you expect?", I didn't actually expect not to get banned, I did expect to be asked to leave, or shut up, with the threat of being banned first.

Daniel Cordero (TheAppleMan) has offered to grab patches from the regen2-dev mailing list. no solution for overlays for funtoo was ever decided. I have left it up to them to figure it out, since I refuse to maintain both my tree and apply patches to theirs... (and remove them when they don't want them). I can't actually guarantee either my individual patches or the overlays will be merged.

I'll be continuing to import patches from funtoo, although recently I realized it will be most likely impossible to get them all as drobbins commits quite a few patches during his merges. I recently found out that udev had been updated and had some house cleaning done (there is no stable udev in funtoo now (I think I didn't actually check keywords)) all versions before 135 are gone. So I checked to see if I missed a patch... I didn't which means it was changed in a merge... those are the only commits affecting those directories.

Best of luck to Funtooers.

NOTE: ah... I apologize for the formatting issue in the blockquote, seems to be a problem with blogger. I've fixed it best I can.

open letter to Dan Robbins - merge regen2

2009-02-11T06:15:00.004-05:00

I had an interesting conversation with thewtex on #funtoo yesterday. My conclusion is, this divergence of tree's is stupid. We should be working on a common base, at least common enough that users could relatively easily merge our tree's. My tree is currently ahead of yours in content by 3 sunrise merges, 1 mpd, and the 2 merges of the python overlay. Your users can't easily get these updates.

Due to the fact that we have irreconcilable views on what patches we allow, the fork must remain. However, users don't have to suffer for it. The solution is to base funtoo.org on regen2.org. I can't base regen2.org on funtoo.org because I have stricter QA policies, however those policies shouldn't negatively affect funtoo, I can continue to cherry-pick patches that you wish to put into funtoo, so they end up in regen2 as well.

This will require that you, trust me enough to merge the tree. I will be handling the gentoo and overlay merges. You will simply merge my tree daily.

In order to resolve the differences of the tree as they stand I suggest creating a funtoo.org2 branch that's based on regen2.org and discontinuing the maintenance of funtoo.org. cherry-pick any patches I haven't applied to regen2 (I can point out which ones) and apply any other changes you need to. The other option is to merge my tree, this will be painful and arduous for you, but require no work on the part of your users.

This resolves many problems. 1 you won't have to deal with the main tree or overlays, 2 you won't have to run your patches by me and can do what you want, 3 users get the best of both worlds, 4 developers can choose to email you inline patches, or send me pull requests. Everyone should go home happy from this.

what say you?

P.S. I will not have it said that I want a rift in the community, I want whats best for all kinds of users and the status quo is not.

EDIT: in short the answer is no. drobbins doesn't want to merge my tree, as it's supposedly untrusted, he also doesn't want to cherry-pick patches out of my tree. I don't want to spend time merging the overlays just for Funtoo, on top of merging them for Regen2. Apparently my bug fixes, and version bumps aren't good enough for Funtoo.

tag builds

2009-02-08T01:18:00.002-05:00

This is just a feature concept. May or may not ever happen. Live builds for portage usually run off the trunk/master branch of a scm tool. This is a great idea, but why couldn't we take this a step further, usually people who use scm's 'tag' there releases, so why couldn't the same 'live' build have an option for using a tag instead of trunk. This would allow releases to roll out much faster too. The downside of this is hard drive space for keeping repository checkouts.

a snake in regen2

2009-01-30T07:01:00.002-05:00

I'm sure you're thinking I'm talking about me ;) nope first order of business, add more stuff which should be in gentoo.

I'm pleased to announce that I've added py3k also know as Python 3.0 to Regen2. It will remain hardmasked as unmasking could create stability issues on a gentoo based system given it's reliance on python.