After reading a lot about interesting stuff happening at this years FOSDEM, I decided very short term to go there. The FOSDEM in Brussels is probably one of the biggest (if not the biggest at all) meetings of free software developers. Unlike similar events (like several Linuxtag-events in Germany), it's focus is mainly on developers, so the talks are more high level.

My impressions from FOSDEM so far: There are much more people compared when I was here a few years ago, so it seems the number of free software developers is inceasing (which is great). The interest focus seems to be to extend free software to other areas. Embedded devices, the BIOS, open hardware (lot's of interest in 3D-printers).

Yesterday morning, there was a quite interesting talk by Richard Clayton about Phishing, Scam etc. with lots of statistics and info about the supposed business models behind it. Afterwards I had a nice chat with some developers from OpenInkpot. There was a big interest in the Coreboot-talk, so I (and many others) just didn't get in because it was full.

Later Gentoo-developer Petteri Räty gave a talk about "How to be a good upstream" and I'd suggest every free software developer to have a look on that (I'll put the link here later).

I've just attended a rather interesting talk about 3D-printers like RepRap and MakerBot.

At least since 2005 it's well known that the cryptographic hash function SHA1 is seriously flawed and it's only a matter of time until it will be broken. However, it's still widely used and it can be expected that it'll be used long enough to allow real world attacks (as it happened with MD5 before). The NIST (the US National Institute of Standards and Technology) suggests not to use SHA1 after 2010, the german BSI (Bundesamt für Sicherheit in der Informationstechnik) says they should've been fadet out by the end of 2009.

The probably most widely used encryption protocol is SSL. It is a protocol that can operate on top of many other internet protocols and is for example widely used for banking accounts.

As SSL is a pretty complex protocol, it needs hash functions at various places, here I'm just looking at one of them. The signatures created by the certificate authorities. Every SSL certificate is signed by a CA, even if you generate SSL certificates yourself, they are self-signed, meaning that the certificate itself is it's own CA. From what I know, despite the suggestions mentioned above no big CA will give you certificates signed with anything better than SHA1. You can check this with:
openssl x509 -text -in [your ssl certificate]
Look for "Signature Algorithm". It'll most likely say sha1WithRSAEncryption. If your CA is good, it'll show sha256WithRSAEncryption. If your CA is really bad, it may show md5WithRSAEncryption.

When asking for SHA256 support, you often get the answer that the software still has problems, it's not ready yet. When asking for more information I never got answers. So I tried it myself. On an up-to-date apache webserver with mod_ssl, it was no problem to install a SHA256 signed certificate based on a SHA256 signed test CA. All browsers I've tried (Firefox 3.6, Konqueror 4.3.5, Opera 10.10, IE8 and even IE6) had no problem with it. You can check it out at https://sha2.hboeck.de/. You will get a certificate warning (obviously, as it's signed by my own test CA), but you'll be able to view the page. If you want to test it without warnings, you can also import the CA certificate.

I'd be interested if this causes any problems (on server or on client side), so please leave a comment if you are aware of any incompatibilities.

Update: By request in the comments, I've also created a SHA512 testcase.

Update 2: StartSSL wrote me that they tried providing SHA256-certificates about a year ago and had too many problems - it wasn't very specific but they mentioned that earlier Windows XP and Windows 2003 Server versions may have problems.

Today I faced an interesting Linux problem that made me learn a couple of things I'd like to share. At first, we found an issue on a Thinkpad X301 notebook that was fixed in a newer BIOS version. So we wanted to do a BIOS update. Lenovo provides BIOS updates either for Windows or as bootable ISO CD-images. But the device had no CD-drive and only Linux installed. First we tried unetbootin, a tool to create bootable USB sticks out of ISO-Images. That didn't work.
So I had a deeper look at the ISO. What puzzled me was that when mounting it as a loopback device, there were no files on it. After some research I learned that there are different ways to create bootable CDs and one of them is the El Torito extension. It places an image of a harddisk on the CD, when booting, the image is loaded into memory and an OS can be executed (this probably only works for quite simple OSes like DOS, the Lenovo BIOS Upgrade disk is based on PC-DOS). There's a small PERL-script called geteltorito that is able to extract such images from ISO files.
It's possible to boot such harddisk images with grub and memdisk (part of syslinux). Install syslinux, place the file memdisk into /boot (found in /usr/lib/syslinux/ or /usr/share/syslinux/) and add something like this to your grub config:

Or for grub2:

Now you can select bios update in your boot menu and it should boot the BIOS upgrade utility.

(Note that this does not work for all Lenovo BIOS updates, only for those using an El Torito harddisk image - you can mount your iso with mount -o loop [path_to_iso] [mount_path] to check, if there are any files, this method is not for you)

Tobias Scherbaum already blogged this, but only in german, so I'm writing this again for the Planet Gentoo readers.

A german webpage called jugendschutzprogramm.de provides filters for webpages potentially dangerous for children. Now some people noticed that this page considers quite a lot dangerous.

Both gentoo.de and gentoo.org are considered only suitable for people over 14. So if you ever thought about installing Gentoo on the PC of a kid, think again what you might do to that kid.

Beside, my blog is even more dangerous: It's blocked by default.

The page is supported by a couple of companies providing pornographic content. Interesting enough, it's also supported by a big german Newspaper (BILD) that regularly has pornographic images on their frontpage. However, their page is considered harmless.

But what's really frightening is that jugendschutzprogramm.de is part of ICRA, an international system by big content and internet providers. It's even supported by the european union.

Update: Page has XSS, maybe someone wants to play with it?

<form action="http://jugendschutzprogramm.de/webmaster/label-generator.php" method="post">
<input name="URL" value='"><script>alert(1)</script>' type="text">
<input name="submit" type="submit">
</form>

A common way to check the health state of a hard disk is SMART. It gives various informations about occuring errors. In Linux, there's the smartmontools package containing tools to read SMART data of hard drives (smartctl -a /dev/[hddevice] gives you a bunch of information).

I found it always frustrating that SMART didn't work with USB drives. It's a standard bound to IDE/ATA. Although common USB-drives are internally IDE/SATA, sending the SMART commands to the drive requires proprietary extensions. But now, the smartmontools-developers have included support for some USB drives. It worked with the USB HDs I had available for testing.

There's no release yet containing the USB-support. If you're on Gentoo, you can fetch a live-CVS ebuild here.

The free software projects for media playing did a good job in the past on supporting a wide variety of formats. From the common to many very obscure formats, current versions of the free software mediaplayers were usually able to play them. Today it's even common to suggest vlc for Windows users if they can't play unusual media formats.

Though there were a few exceptions, the most notable probably the long-time missing support for many of the Real formats. While these are rarely used today, many archived videos in the Internet still rely on it. For example, many german television stations provide real video files on their webpages.

Recently and without much public notion, ffmpeg first got support for RV40, some weeks later also for RV30. This fills a long time gap in free software support for video formats. ffmpeg is used by all major free software video players (vlc, xine, mplayer), so you should get the support within some time in all of them. For now, it's quite easy to checkout mplayer from subversion and build it on your own.

Want something to try out? Here's a video from Desert Planet in real format.

The only gap I know of a format that really got usage in the wild and that is not yet supported by free software is WMA3.

As an FSFE fellow, I got interviewed for their webpage.

You can read it here.

Recently there were some News that Lenovo does not like Linux any more. This was supported by comments like this at Lenovoblogs (by a Lenovo engineer):

»Again, what’s the incentive for us to start providing all of this intellectual property for free to the Linux community? You may say it drives support for Linux on ThinkPads and people would buy more ThinkPads as a result. I think that’s a dubious assertion at best.«
(the subject was driver support for switchable graphics on modern thinkpads and brings up some common urban legends about linux and driver support)

Sadly, I experienced one more place where Lenovo seems to shift away from a Linux friendly viewpoint: I tried to return the windows license of my new Thinkpad with a pre-made form by Lenovo itself (I got this from someone else by eMail, not from Lenovo directly). In the net, you can find tons of reports that it was easy for people to get money back for their windows licenses by Lenovo.

Though what I got was this:
»Leider können wir Ihrem Wunsch nach Rückerstattung der Kosten für das auf Ihrem Lenovo Produkt vorinstallierte Microsoft-Betriebssystem nicht entsprechen, da das Betriebssystem aus unserer Sicht einen integralen Bestandteil des jeweiligen Lenovo Produkts darstellt.«
(rough translation: We won't refund your windows-license, because we think it's an integral part of the product)

I find it hard to understand why Lenovo makes this shift. When running around on linux conferences in recent months, the number of thinkpads is hughe. While many other vendors shift to a much more free software friendly behaviour (think of AMD/ATI), Lenovo seems to go the different direction. It's especially strange because Lenovo is probably one of the few vendors that has a notable market share in the linux community.

By the way, I welcome any hints how I should continue with the windows refunding. I'd prefer not to capitulate yet (like I did with my last laptop by Samsung), and I assume the law is clearly on my side.

Update: As some of you asked, here is the form by Lenovo, though you'll probably just get the same reply I got.

Probably interesting, here you can find all EULAs from Microsoft. They are quite clear on the subject and say that you MUST return the windows license to the vendor if you don't agree to the EULA.

In the meantime, I wrote several messages about the issue to various people and instutitions. The FSFE is also working on the subject.

Today my new IBM/Lenovo Thinkpad T61 8895WFJ laptop arrived. While my P30 did a good job, it really was time to replace it.

I'm currently in the phase of installing Gentoo and getting used to the device, but I think it was a very good choice.

Beside the fact that Lenovos are probably popular for a reason, the 1400x1050-resolution, the well Linux-supported Intel-graphics and a quite acceptable weight (2,4 kg) were reasons for this model. I'm still in favour of 4:3 screens, because if you wanna have a 16:10 one with a decent resolution (e. g. > 1000 pixels height) they become either very expensive or very heavy. I still wonder why no vendor seems to produce 4:3 screens any more (from my research, not a single Montevina laptop has 4:3).

Some time soon you'll probably find some documentation about Linux on the T61 8895WFJ at http://www.int21.de/t61/.

Recently I was asked by a friend for a linux tool to extract ressources from windows exe files, especially icons. He used a windows tool in wine till then.

I said that this shouldn't be so hard and already started writing my own parser (I came to the point where I could extract headers and content separately), when I found that there already is an appropriate tool called wrestool. It's part of the icoutils package.

wrestool -o . -x filename.exe
will extract all ressources (icons, cursors etc.) to the current directory.

Seems with the latest versions of webkit-gtk and midori, a long-standing crasher-bug got fixed and it now allows you to run the browser-test ACID3.

I just bumped the webkit-gtk ebuild in Gentoo to the latest snapshot.

ACID3 is a test for the standards compliance of modern web browsers. I wrote about ACID2 some years ago.

There are two tools out there for Linux to put Garmin maps (which you can convert from OpenStreetMap Data) on devices, sendmap (proprietary) and qlandkarte (free). Sadly, both don't support my device (Garmin Quest), so I had to find an alternative solution. This should also work with other garmin devices.

After some playing around, I managed to get it running with MapSource on wine. I've used wine 1.1.0 on Gentoo, if you have problems, be sure to get a recent wine version.

Steps to do:

• Download MapSource_6137.exe from the Garmin webpage.
• Use 7-Zip to unpack the exe to some directory: 7z x MapSource_6137.exe
• Install MAIN.msi: wine start MAIN.msi
• Install MapSource: wine Setup.exe
• Get one of the MapSource Installers from here and install it: wine Setup_OSM-Germany-2008-06-11.exe
• wine doesn't support usb, so you need the garmin_gps module. If it's installed on your system, it should load automatically after attaching your device and switching it on.
• You should now have a device ttyUSB0, which you need to symlink as com1 for wine: ln -s /dev/ttyUSB0 ~/.wine/dosdevices/com1
• Run MapSource: wine ~/.wine/drive_c/MapSource/MapSource.exe
• Go to Settings -> Transfer, there you can select a serial port. Select COM1.
• Click the map selection tool from the buttons and select an area.
• Select Transfer -> Transfer to device. If everything went fine, it'll detect your garmin device attached to the serial port and you can start your upload.

I couldn't believe it, but afterwards I had routable OpenStreetMap maps on my garmin.

Today I played around a bit with the stuff done by the Wii homebrew/hacking community, which is far more advanced than I had expected.

I had the game Twilight Princess borrowed by a friend. For those who don't know, using this game you can run homebrew software on the Wii without the need of a modchip.

The way this works is that first you install a modified savegame for Twilight Princess, afterwards you can install the Homebrew Channel. The Homebrew Channel will stay in the main Wii Menu and you'll be able to run various stuff from there. While looking around the various webpages covering the topic, I found that wiibrew.org is a good place to find documentation and links to the appropriate projects. So look there for the details.

The gc-linux project (originally porting linux to the gamecube) has a simple Linux image available.

A warning: Nintendo released a new firmware that stops this method to work, so if you wanna have fun, don't update your Wii. And the obvious warning: Everything you do is at your own risk.

Update: Seems the Firmware update is no longer a problem.

Phoronix has just published an article about the development of xorg and they have a statistics of contributors from Distributions.

I'm listed there on the Gentoo part with 0.01 % contributions to Xorg. Yay!

Sometimes in the past I had the wish to produce some simple videos, e. g. from political actions. Though I was looking for some free software solutions for video editing.

I asked around but it seemed that most people didn't use free solutions. I never did any video editing before, so I had no comparison on what proprietary tools are able to do. My requirements where not that advanced, basically I wanted to be able to cut some videos together, fade them in and out, add some text over them. Beside, I wanted to be able to display images for some seconds.

I knew of three free video editing tools for linux, Kino, PiTiVi and Cinelerra. Kino and PiTiVi are quite simple to use, they have an intuitive interface. But I soon came to the conclusion that they are far too limited in features. So Cinelerra is left.

Cinelerra is not a simple tool, it's interface is not intuitive. So this was keeping me away from using it for a long time. But the good news is, Cinelerra has all the features I wanted and can do much more. As I said above, I don't have any experience with commercial tools, but I think Cinelerra can do pretty much everything one will need when doing professional video editing.

To learn how to use Cinelerra, there are some great video tutorials at the_source. It's a (CC-by licensed) video show about free software and video stuff and they did four Cinelerra tutorials in their show. You should at least watch the first three and try the stuff out between the tutorials, but that will give you the basic knowledge to get started with Cinelerra.

So, the first Cinelerra-produced video by me should be available here within the next days.

Beside, I just bumped the Cinelerra package in Gentoo, so emerge it and have fun.