Tag Archives: Open Source

Going Fosdem 2010

Oh what the heck, we plan to bring every single employee of Haxx over to Fosdem 2010. Yes, that means all two of us!

I hope we’ll manage to join up with fellow Rockbox hackers then and it would be great fun to meet other friends from other projects and open source activities too.

I’ve not been to Fosdem before, and I’ve offered to do a talk there but so far I’ve not gotten a response from the responsible guy in the “embedded dev room”. We’ll see how that ends.

FOSS-sthlm

Me and Claes Jakobsson had a talk in #curl the other day about how we rarely meet Open Source people in the Stockholm Sweden area outside of our own little circles and friends.

In that moment we decided we’d try to arrange a meeting. Free Sofware and Open Source people in the area. In one place. Possibly involving beer. And why not some talks by some clueful people? We’re aiming for it to happen already during early spring 2010, but no date has been set yet.

We’ve already sent out a few mails to people, and we’ve posted about this idea at a few places and now I’ve setup a dedicated mailing list for this purpose. The foss-sthlm mailing list.

Do you want to participate at a meeting like this?

Do you want to help arranging the meeting and get the word spread in all the communities that we would like to get the word spread to?

Do you have any experience in arranging a meeting of this sort? We currently have no idea if people are interested enough, or if we get people interested how many we might be able to attract!

Do you by any chance have connections or friends at companies that would be interested in helping out with sponsorships or similar? My company (Haxx) will certainly make a contribution.

Don’t be shy. Join in and help us get some fun going.

Update: we now have web site monitoring our progress.

How to get involved in Open Source

I had a fun chat with Anthony Bryan a while ago on the topic of how to get involved with Open Source. What projects generally need, what you can do, how you can help and things like that.

The recording/podcast was originally posted over at knowledgecaps.com, but the 22MB file is also available from my site. I’m not sure why, but when I play this in my audacious I get the chipmunk version (ie far too fast playback). So I haven’t yet listened to it myself!

A related article I wrote ages ago: What Can I do for Rockbox when not Programming?

I won it! You guys are the best.

I am happy and very proud to mention that I was just this evening awarded the Nordic Free Software Award 2009 and I share the award with my good friend and hacker extraordinaire Simon Josefsson.

Thank you jury. Thank you mates all over who by your positive feedback makes it a joy to work in the open source and free software community. Thank you to all you fellow hackers and contributors who work hard and tirelessly and therefore enable me to do what I want to do and do these things I today got awarded for.

Getting recognition from actual fellow peers within my own community is just the best.

And you know what? I will continue to work hard and I will continue to do open source and free software intensively and with my strengthened beliefs of what I think is right.

Thank you.

The motivation quoted from the above mentioned site:

The other winner is awarded for his long term contributions to free software.This winner have been developing free software for at least 15 years, and is a prominent contributor to at least 10 different projects.

This winners most spread contribution is the program Curl and the library libCurl which both has an enormous installed base. Libcurl has bindings in more than 40 different languages and they are both deployed all over the world as a key components in software that people and businesses rely on every day. In addition to these projects the winner is also a key developer in Rockbox, c-ares and libssh2.

15K commits and counting

Almost two years ago I blogged about me reaching 10K commits as counted by ohloh.net.

Just a few days ago their counter counting my commits surpassed 15K and right now it says: 15005 commits and 46 kudos – ranked #69 of 273705. I think more of my projects have found its way there since then rather than me actually having committed 5000 times since then!

On sourceforge I’m now member of 19 projects (most of them are stalled). The latest addition is pycurl, which I’m basically a member of in order to try to help getting more people involved.

(The image is dynamically generated so when you read the old blog post it looks a little funny since it says the current numbers now…)

First month on my own

Yeah, it’s already been a month since I took off and started working for Haxx full time. Starting a company (even though the company already existed in the legal sense) certainly involves a lot of paperwork and talking to banks, insurance companies and getting arrangements with partners etc. A lot of that of course being just an initial phase, but some of it will be a more integrated part of my day now when I don’t have a well-oiled team of admins hired that deal with such matters.

I’m happy to say that I have had a whole slew of good talks with existing and potentially new customers, and I’m already cooperating with a few companies in very constructive ways – so that I can help others succeed with their undertakings. Several things that happened during this month involved open source (although I’m not able to talk about them in public), and I feel really good when my work and my beliefs can go hand in hand!

This said, I’m always ready for more and new missions. If you’re in need, you know where I am!

null-prefix domino

dominos

At the end of July 2009, Scott Cantor contacted us in the curl project and pointed out a security flaw in libcurl (in code that was using OpenSSL to verify server certificates). Having read his explanation I recalled that I had witnessed the discussion on the NSS list about this problem just a few days earlier (which resulted in their August 1st security advisory). The problem is basically that the cert can at times contain a name with an embedded zero in the middle, while most source code assumes plain C-style strings that ends with a zero. This turns out to be exploitable, and is explained in great detail in this document (PDF).

I started to work on a patch, and in the mean time I talked to Simon Josefsson of the GnuTLS team to see if GnuTLS was fine or not, only to get him confirm that GnuTLS did indeed have the same problem.

So I contacted vendor-sec, and then on the morning of August 5 I thought I’d just make a quick check how the other HTTPS client implementations do their cert checks.

Wget: vulnerable

neon: vulnerable

serf: vulnerable

So, Internet Explorer and Firefox were vulnerable. NSS and GnuTLS were. (OpenSSL wasn’t, but then it doesn’t provide this verifying feature by itself) (lib)curl, wget, neon, serf were all vulnerable. If that isn’t a large amount of the existing HTTPS clients then what is? I also think that this shows that it would be good for all of us if OpenSSL had this functionality, as even if it had been vulnerable we could’ve fixed a busload of different applications by repairing a single library. Now we instead need to hunt down all apps that use OpenSSL and that verify certificate names.

Quite clearly we (as implementers) have all had the same silly assumptions, and quite likely we’ve affected each other into doing these sloppy codes. SSL and certificates are over and over again getting hit by this kind of painful flaws and setbacks. Darn, getting things right really is very very hard…

(Disclaimer: I immediately notified the neon and serf projects but to my knowledge they have not yet released any fixed versions.)

Open Android Alliance

In the past: cyanogenmod made one of the most popular 3rd party Android ROMs for HTC devices. Personally I haven’t yet tried it on my Magic, but friends tell me it’s the ROM to use.Android

On September 24th 2009, Google sets their legal team on the ROM creator, asking him to stop distributing the parts of Android that aren’t open source but in fact are good old traditional closed source apps – made by Google. Cyanogen himself (Steve Kondik) responded something in the spirit that since the ROM only runs on hardware that already runs the apps users already have a license to use them. Google responded, saying they protect the Google Phone Experience.

This C&D act triggered a huge reaction in the Android communities as people suddenly became aware of the fact that A) parts of the Android core OS aren’t at all open (source) and B) Google is not the cuddly Teddy Bear we all want it to be.

In the xda-developers.com front, where a lot of the custom ROMs are being discussed and users of them hang out, they created the Open Android Alliance with the intent of creating a completely open source Android.

In another end and indepedently of the xda-developers it seems, lots of participants in the google group android-platform pretty much decided the same thing but they rather started out discussing exactly what would be needed to do and what code there is and so on.

Currently, both camps have been made aware of each other and there have been expressed intents of joining into a single effort. I don’ t think such subtleties matter much, but we just might see the beginning of a more open more free Android project getting started here. I’ll certainly be interested in seeing where this is going…

Updated: they now have their own domain. Link in article updated.

My Nordic Free Software Awards 2009 nominees

Hey, it’s really about time to nominate your favourite Free Software persons and projects from the nordic region for the 2009 awards before the time runs out.

This year, I decided to nominate the following “nordic” heroes:

Simon Josefsson

For his excellent work in GnuTLS, libssh2 and a bunch of other projects.

Henrik Nordström

For his work in the Squid project, and his efforts within IETF and its HTTP related struggles and more.

Björn Stenberg

As the primary founder of the Rockbox project. He started somehting special back in 2001 that now is a huge, thriving and succesful Free Software project.

As you might spot, I favor “doers”. I don’t believe in the concept of “nordic projects” when it comes to free or open software – the entire concept of open and free should mean that projects cross borders and regions.

In fact, it feels so out of the ordinary to think about open source people in a geographical context I find it hard to come up with a lot of names. It would be cool if ohloh had some ways to list people and projects based on where people live.

Then again, if a person from a nordic country moves somewhere else, is he or she still a nordic person? Does it depend on where the person lived during the actual act? Is Linus Torvalds a nordic person since he was born, lived many years and started his big project in Finland?

(yeah I already blogged about this subject but hey, it can’t hurt can it?)

How much for a bug?

no bugsWarning: blog post with no clear conclusion!

I offer support deals to companies that want to get help with Open Source programs I’ve contributed to. The deals I’ve made so far have primarily involved libcurl, c-ares or libssh2, but that’s basically because those are projects in which I participate a lot in (and maintain) so people find me easily in relation to those projects.

I wouldn’t mind accepting service and support deals for other projects or software products either, as long as they are products I know and am fairly familiar with already and I am not scared of digging in and fixing things under the hood when that is required.

In fact, I could very well consider to offer to fix bugs in any Open Source software. Like a general: if you have a bug in an open source project that you really want fixed and you can’t do it yourself I might be your man. Of course this would be limited to some certain kinds of projects and programs, but it could still include a wide range of software. A lot more than the ones I happen to be involved in at any particular point in time.

But while “a bug” is a fairly easily defined term to a user who can’t make something work in a given program it can be anything from dead simple to downright impossible for a developer to fix. The fact that users many times cannot determine if a “bug” is hard or easy, if it’s a bug or a feature not working on purpose, makes such a business deal very hard to provide.

How to pay to get a bug fixed?

Fixed price per bug? Presumably only tricky bugs would be considered for this so it would require a fairly high fixed price. But then it’ll also never be used for simple bugs either since the fixed price would scare away such use cases. I don’t think a fixed-price scheme works very well for this.One dollar bill

Then we only have a variable price approach left. A common way for a consultant like me is to charge for my time spent on a project: I set an hourly rate, I fix the issue in N hours. I charge hourly rate * N. For smallish projects, this is less attractive to customers. If we have no previous relationship, there’s a trust issue where the customer might not just blindly accept that I worked 10 hours on a task they think sounds easy so they feel overcharged. Also, there’s the risk that I estimate the job to be 2 hours but end up spending 12. My conclusion is that per-hour pricing doesn’t work for this either.

A variable price approach based on something else than number of hours it took for me to fix the problem is therefore needed.

A bug fix is of course worth whatever someone is willing to pay for it. But we don’t know what they are prepared to pay. On the other end, a bug fix can get done by someone for the price he/she is willing to accept to get the job done. So where is the cross section of those two unknown graphs?

I don’t have the answer here. I’m very interested in feedback and suggestions though. If you would pay for a bug fix, how would you like to get the price set?