Tag Archives: Open Source

Open Source

How to get involved in Open Source

I had a fun chat with Anthony Bryan a while ago on the topic of how to get involved with Open Source. What projects generally need, what you can do, how you can help and things like that.

The recording/podcast was originally posted over at knowledgecaps.com, but the 22MB file is also available from my site. I’m not sure why, but when I play this in my audacious I get the chipmunk version (ie far too fast playback). So I haven’t yet listened to it myself!

A related article I wrote ages ago: What Can I do for Rockbox when not Programming?

Open Source

I won it! You guys are the best.

5 Comments

I am happy and very proud to mention that I was just this evening awarded the Nordic Free Software Award 2009 and I share the award with my good friend and hacker extraordinaire Simon Josefsson.

Thank you jury. Thank you mates all over who by your positive feedback makes it a joy to work in the open source and free software community. Thank you to all you fellow hackers and contributors who work hard and tirelessly and therefore enable me to do what I want to do and do these things I today got awarded for.

Getting recognition from actual fellow peers within my own community is just the best.

And you know what? I will continue to work hard and I will continue to do open source and free software intensively and with my strengthened beliefs of what I think is right.

Thank you.

The motivation quoted from the above mentioned site:

The other winner is awarded for his long term contributions to free software.This winner have been developing free software for at least 15 years, and is a prominent contributor to at least 10 different projects.

This winners most spread contribution is the program Curl and the library libCurl which both has an enormous installed base. Libcurl has bindings in more than 40 different languages and they are both deployed all over the world as a key components in software that people and businesses rely on every day. In addition to these projects the winner is also a key developer in Rockbox, c-ares and libssh2.

Open Source

15K commits and counting

Almost two years ago I blogged about me reaching 10K commits as counted by ohloh.net.

Just a few days ago their counter counting my commits surpassed 15K and right now it says: 15005 commits and 46 kudos – ranked #69 of 273705. I think more of my projects have found its way there since then rather than me actually having committed 5000 times since then!

On sourceforge I’m now member of 19 projects (most of them are stalled). The latest addition is pycurl, which I’m basically a member of in order to try to help getting more people involved.

(The image is dynamically generated so when you read the old blog post it looks a little funny since it says the current numbers now…)

Development

First month on my own

1 Comment

Yeah, it’s already been a month since I took off and started working for Haxx full time. Starting a company (even though the company already existed in the legal sense) certainly involves a lot of paperwork and talking to banks, insurance companies and getting arrangements with partners etc. A lot of that of course being just an initial phase, but some of it will be a more integrated part of my day now when I don’t have a well-oiled team of admins hired that deal with such matters.

I’m happy to say that I have had a whole slew of good talks with existing and potentially new customers, and I’m already cooperating with a few companies in very constructive ways – so that I can help others succeed with their undertakings. Several things that happened during this month involved open source (although I’m not able to talk about them in public), and I feel really good when my work and my beliefs can go hand in hand!

This said, I’m always ready for more and new missions. If you’re in need, you know where I am!

Linux, Open Source, Security

null-prefix domino

dominosAt the end of July 2009, Scott Cantor contacted us in the curl project and pointed out a security flaw in libcurl (in code that was using OpenSSL to verify server certificates). Having read his explanation I recalled that I had witnessed the discussion on the NSS list about this problem just a few days earlier (which resulted in their August 1st security advisory). The problem is basically that the cert can at times contain a name with an embedded zero in the middle, while most source code assumes plain C-style strings that ends with a zero. This turns out to be exploitable, and is explained in great detail in this document (PDF).

I started to work on a patch, and in the mean time I talked to Simon Josefsson of the GnuTLS team to see if GnuTLS was fine or not, only to get him confirm that GnuTLS did indeed have the same problem.

So I contacted vendor-sec, and then on the morning of August 5 I thought I’d just make a quick check how the other HTTPS client implementations do their cert checks.

Wget: vulnerable

neon: vulnerable

serf: vulnerable

So, Internet Explorer and Firefox were vulnerable. NSS and GnuTLS were. (OpenSSL wasn’t, but then it doesn’t provide this verifying feature by itself) (lib)curl, wget, neon, serf were all vulnerable. If that isn’t a large amount of the existing HTTPS clients then what is? I also think that this shows that it would be good for all of us if OpenSSL had this functionality, as even if it had been vulnerable we could’ve fixed a busload of different applications by repairing a single library. Now we instead need to hunt down all apps that use OpenSSL and that verify certificate names.

Quite clearly we (as implementers) have all had the same silly assumptions, and quite likely we’ve affected each other into doing these sloppy codes. SSL and certificates are over and over again getting hit by this kind of painful flaws and setbacks. Darn, getting things right really is very very hard…

(Disclaimer: I immediately notified the neon and serf projects but to my knowledge they have not yet released any fixed versions.)

Linux, Open Source

Open Android Alliance

6 Comments

In the past: cyanogenmod made one of the most popular 3rd party Android ROMs for HTC devices. Personally I haven’t yet tried it on my Magic, but friends tell me it’s the ROM to use.Android

On September 24th 2009, Google sets their legal team on the ROM creator, asking him to stop distributing the parts of Android that aren’t open source but in fact are good old traditional closed source apps – made by Google. Cyanogen himself (Steve Kondik) responded something in the spirit that since the ROM only runs on hardware that already runs the apps users already have a license to use them. Google responded, saying they protect the Google Phone Experience.

This C&D act triggered a huge reaction in the Android communities as people suddenly became aware of the fact that A) parts of the Android core OS aren’t at all open (source) and B) Google is not the cuddly Teddy Bear we all want it to be.

In the xda-developers.com front, where a lot of the custom ROMs are being discussed and users of them hang out, they created the Open Android Alliance with the intent of creating a completely open source Android.

In another end and indepedently of the xda-developers it seems, lots of participants in the google group android-platform pretty much decided the same thing but they rather started out discussing exactly what would be needed to do and what code there is and so on.

Currently, both camps have been made aware of each other and there have been expressed intents of joining into a single effort. I don’ t think such subtleties matter much, but we just might see the beginning of a more open more free Android project getting started here. I’ll certainly be interested in seeing where this is going…

Updated: they now have their own domain. Link in article updated.

libssh2, Open Source, Rockbox

My Nordic Free Software Awards 2009 nominees

2 Comments

Hey, it’s really about time to nominate your favourite Free Software persons and projects from the nordic region for the 2009 awards before the time runs out.

This year, I decided to nominate the following “nordic” heroes:

Simon Josefsson

For his excellent work in GnuTLS, libssh2 and a bunch of other projects.

Henrik Nordström

For his work in the Squid project, and his efforts within IETF and its HTTP related struggles and more.

Björn Stenberg

As the primary founder of the Rockbox project. He started somehting special back in 2001 that now is a huge, thriving and succesful Free Software project.

As you might spot, I favor “doers”. I don’t believe in the concept of “nordic projects” when it comes to free or open software – the entire concept of open and free should mean that projects cross borders and regions.

In fact, it feels so out of the ordinary to think about open source people in a geographical context I find it hard to come up with a lot of names. It would be cool if ohloh had some ways to list people and projects based on where people live.

Then again, if a person from a nordic country moves somewhere else, is he or she still a nordic person? Does it depend on where the person lived during the actual act? Is Linus Torvalds a nordic person since he was born, lived many years and started his big project in Finland?

(yeah I already blogged about this subject but hey, it can’t hurt can it?)

cURL and libcurl, Development, Open Source

How much for a bug?

7 Comments

no bugsWarning: blog post with no clear conclusion!

I offer support deals to companies that want to get help with Open Source programs I’ve contributed to. The deals I’ve made so far have primarily involved libcurl, c-ares or libssh2, but that’s basically because those are projects in which I participate a lot in (and maintain) so people find me easily in relation to those projects.

I wouldn’t mind accepting service and support deals for other projects or software products either, as long as they are products I know and am fairly familiar with already and I am not scared of digging in and fixing things under the hood when that is required.

In fact, I could very well consider to offer to fix bugs in any Open Source software. Like a general: if you have a bug in an open source project that you really want fixed and you can’t do it yourself I might be your man. Of course this would be limited to some certain kinds of projects and programs, but it could still include a wide range of software. A lot more than the ones I happen to be involved in at any particular point in time.

But while “a bug” is a fairly easily defined term to a user who can’t make something work in a given program it can be anything from dead simple to downright impossible for a developer to fix. The fact that users many times cannot determine if a “bug” is hard or easy, if it’s a bug or a feature not working on purpose, makes such a business deal very hard to provide.

How to pay to get a bug fixed?

Fixed price per bug? Presumably only tricky bugs would be considered for this so it would require a fairly high fixed price. But then it’ll also never be used for simple bugs either since the fixed price would scare away such use cases. I don’t think a fixed-price scheme works very well for this.One dollar bill

Then we only have a variable price approach left. A common way for a consultant like me is to charge for my time spent on a project: I set an hourly rate, I fix the issue in N hours. I charge hourly rate * N. For smallish projects, this is less attractive to customers. If we have no previous relationship, there’s a trust issue where the customer might not just blindly accept that I worked 10 hours on a task they think sounds easy so they feel overcharged. Also, there’s the risk that I estimate the job to be 2 hours but end up spending 12. My conclusion is that per-hour pricing doesn’t work for this either.

A variable price approach based on something else than number of hours it took for me to fix the problem is therefore needed.

A bug fix is of course worth whatever someone is willing to pay for it. But we don’t know what they are prepared to pay. On the other end, a bug fix can get done by someone for the price he/she is willing to accept to get the job done. So where is the cross section of those two unknown graphs?

I don’t have the answer here. I’m very interested in feedback and suggestions though. If you would pay for a bug fix, how would you like to get the price set?

Linux, Open Source

kernel hacker foodfights

1 Comment

The concept of flame wars and public pie throwing is not new in the open source world, and the open nature of the projects make us – the audience – get to see everything. To read every upset word and get to point back to the mails in retrospect.

I don’t think people in the open source community is any particularly more trigger-happy to start the flame wars than people are outside of the openness, but open it is and then we can see it.

I’ve always disliked the harsh attitude and language that seems to have become popular in some circles, and I believe Linus Torvalds himself is part of that movement as he’s often rude, bad-mouthed and very aggressive in his (leadership) style. I think that easily grows into a hostile and unfriendly atmosphere where little room is left for fun, for jest and for helping out among friends.

So even if that is not the reason for the recent developments, here’s two episodes from August 2009:

A short while ago we got to see well-known kernel hacker Alan Cox step down as tty maintainer after an emotional argument on the lkml. The argument there was basically Linus telling Alan he should’ve admitted his error and acted on it earlier than he did.

Nearby, on the mailing list linux-arm-kernel a long-going argument about the management of the actual mailing list itself again sparkled up a fire. The argument in this case have been a long going discussion whether the mailing list Russell King (the main ARM Linux maintainer) runs should be open to allow non-subscribers to post without them needing moderation or not. It ended today with Russell shutting down his lists.

Right now, it seems the linux-arm-kernel list is being transferred over to infradead.org by David Woodhouse to continue its life there, but I don’t think we’ve seen the end of this yet so things may settle differently. There’s also this patch pending which suggests using the linux-arm list on vger.kernel.org.

(Readers should note that I myself don’t take side in any of these arguments.)

cURL and libcurl, Open Source

libcurl in package management

A few days ago I noticed that the “urlgrabber” project now has switched to using pycurl (the python libcurl binding) in their bleeding edge development. It means that projects using that, such well-known apps like yum and anaconda then use libcurl. Already since ages the Suse installer named YaST is using libcurl and a few months ago I learned that the opensolaris package management (pkg) is also switching to become pycurl based.

According to the lead man on the urlgrabber project, Seth Vidal, there are several reasons to switch from Python’s native urllib for (mostly) HTTP transport and he was friendly enough to mention a few to me. Clearly the two primary reasons are FIPS certification and urllib’s lacking HTTP proxy support. The FIPS certification is something the Fedora project has been pushing for a lot during recent time and thus they’ve worked hard on making libcurl support NSS for SSL/TLS, and the lack of HTTP proxy support is supposedly hard to push into urllib itself due to its stagnant development etc.

In Debian-esque worlds, libcurl and curl are already used by the package system in forms of apt-transport-https and apt-file.

It seems that when you run an open source operating system tomorrow, chances are that libcurl is in the back-end of the package system.