zk-typechecker 0.2.0 Released

February 12, 2009

The zero-knowledge type-checker is a tool for automatically analyzing the security of protocols that use zero-knowledge proofs. The analysis is modular and compositional, and provides security proofs for an unbounded number of protocol executions. The type-checker relies on the SPASS (or E) automated theorem prover to discharge proof obligations. It is released under the terms of the Apache License.

This release of the zero-knowledge type-checker adds support for security despite compromise and fixes many of the issues in the initial release (release notes). You can grab it from the page of the project.


The Debian Patch for OpenSSL

May 16, 2008

A Slashdot comment linked to this very interesting post by a Debian developer on the openssl-dev list:

“What I currently see as best option is to actually comment out those 2 lines of code. But I have no idea what effect this really has on the RNG. The only effect I see is that the pool might receive less entropy. But on the other hand, I’m not even sure how much entropy some uninitialised data has.

What do you people think about removing those 2 lines of code?”

This change made all keys generated over the last 2 years on any machine running Debian (or a derivative) extremely easy to guess. Not only should you regenerate all your keys as soon as possible if affected, but if somebody recorded sensitive traffic of yours in the last two years, then you are in deep, deep trouble.

Why on earth are the Debian developers patching security-critical packages without having absolutely any clue about the implications? How many other vulnerabilities did they actually introduce in this way?
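Why a starved entropy pool makes keys guessable, as an added example that is not part of the original post and is not OpenSSL or Debian code: it assumes, as was reported for this bug, that the process ID was the only value still varying in the seed, and it uses a hypothetical `toy_keygen` in place of real key generation. Because every possible output can be enumerated, a defender can precompute a blacklist and test existing keys against it.

```python
import hashlib
import os

# Assumption: default Linux pid_max, so PIDs run from 1 to 32767.
PID_MAX = 32768


def toy_keygen(pid: int, key_bits: int = 2048) -> bytes:
    """Toy stand-in for key generation whose pool was seeded only with a PID.

    This is not OpenSSL's algorithm. It only reproduces the property that
    matters: the output is fully determined by a seed with ~15 bits of entropy.
    """
    seed = f"pid={pid};bits={key_bits}".encode()
    return hashlib.sha256(seed).digest()


def fingerprint(key_material: bytes) -> str:
    """Short identifier for a key, in the form a blacklist would store."""
    return hashlib.sha1(key_material).hexdigest()[:20]


def build_blacklist(key_bits: int = 2048) -> frozenset:
    """Enumerate every key the toy generator can ever emit for one key size."""
    return frozenset(
        fingerprint(toy_keygen(pid, key_bits)) for pid in range(1, PID_MAX)
    )


def is_weak(key_material: bytes, blacklist: frozenset) -> bool:
    """Defender's check: is this key a member of the enumerable set?"""
    return fingerprint(key_material) in blacklist


if __name__ == "__main__":
    blacklist = build_blacklist()
    weak_key = toy_keygen(pid=4242)   # constructed sample from the weak generator
    good_key = os.urandom(32)         # key material from the OS CSPRNG
    print("possible keys:", len(blacklist))
    print("weak key flagged:", is_weak(weak_key, blacklist))
    print("CSPRNG key flagged:", is_weak(good_key, blacklist))
```

A key that matches the blacklist has to be regenerated on a fixed system, since anyone can rebuild the same list.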


Google Summer of Code 2008

March 27, 2008

Producing Open Source Software

January 31, 2008

If you want to learn how to successfully manage an open source project then you should definitely read Producing Open Source Software, by Karl Fogel. The book is published by O’Reilly and is available under a Creative Commons license.

Producing Open Source


Skype Plugin for Gaim/Pidgin/Adium

December 5, 2007

The URL: http://www.myjobspace.co.nz/images/pidgin/

The good. This is a plugin many people (me included) have been waiting for for years. Most important, it allows you to have all your buddies in one place, and communicate with them in a seamless way (no matter whether they use GTalk, Yahoo!, AIM, ICQ, MSN, IRC, or whatever). This has always been one of the biggest advantages of using Gaim/Pidgin/Adium. But there was still one important protocol which it could not do, because the developers of this protocol tried their very best to make this impractical: Skype. Still, a while ago, in a sudden outbreak of common sense, the Skype developers released a public API, which now made this plugin possible.

The bad. The plugin requires Skype to be running as it uses the Skype public API to communicate with a running copy of Skype. This is needed since reverse-engineering the evil Skype protocol, while not impossible, would be a daunting task (see Silver Needle in the Skype for more details about this).

Many people are using Gaim/Pidgin/Adium because it is Free Software (GPL). It also runs in more or less the same way on any operating system. This is particularly interesting for people using proprietary instant messaging clients on non-Windows machines, because they had to stick with much older versions (while for Windows, Skype is at version 3.6, for Linux it is at 1.4 and for Mac at 2.6), and that is assuming there was a version for their operating system at all. These are problems that the current plugin can unfortunately not fix, since it relies on a running (proprietary and possibly outdated) copy of Skype. Still, the plugin itself is GPL.

The ugly. No voice or video support, but this is a general problem with Gaim/Pidgin/Adium, which will only get solved if someone is willing to invest some time into it. The plugin itself worked fine for me so far with Adium, even though there are some Known Issues (see readme).

Related (good) news: GTalk now interoperates with AIM and ICQ.


FOSS Humor

July 15, 2007

auto-peotomy.jpg

orifice-open.jpg


muCommander is Now Free Software

July 13, 2007

Time to Update

June 29, 2007

GPLv3


XWiki Plugins: Tips & Tricks

March 13, 2007

The ever growing XWiki documentation already explains how to write very simple plugins, so I won’t duplicate any of the information there. Instead I will focus on more advanced aspects, in particular on interfacing with XWiki itself, and using some of the not-very-obvious extension points.



UML Plugin for XWiki

February 19, 2007

Yesterday I got the idea of making a UML plugin for XWiki based on uml2svg. But since there was the need for a new uml2svg release I could put this into practice only today. Developing XWiki plugins is not as easy as it could be (more about this later), however it was as easy as I originally expected. Also things are not yet quite polished so I need to test and document the plugin before I can submit it. However, as you can see it already works:

Entering a UML macro in XWiki

UML diagram in XWiki


uml2svg-0.18 Released

February 18, 2007

After 10 months of silence we are pleased to announce that uml2svg 0.18 was just released. As promised, it is just focused on fixing some annoying bugs. We also updated the documentation and the website, and we fixed the online transformation service — we found another place to host it so that it works once again. However, because of an unexpected and unacceptably long downtime of the Sourceforge.org shell server we are unable to update our website accordingly.

( 2007-02-16 12:34:12 – Project Shell Service ) 2007-02-12: The shell server was taken offline for unscheduled maintenance. Due to a need to replace the old hardware and some unforeseen problems in getting the new hardware setup, we estimate that the shell service may not return until the 21st of February. We apologize for the inconvenience.

[Updated 2007-02-23] The problems on Sourceforge.org were fixed and we could update everything. Enjoy!

[Updated 2007-03-01] Thanks to Stephane Galland we now have Debian/Ubuntu packages of uml2svg 0.18 available for download on Arakhnê.org


Google Summer of Code 2007

February 17, 2007

Google has announced that they are organizing the Summer of Code again this year. And it seems that the impact is becoming visible, as many other programs are springing up to get students involved in open source. As always I’m not quite sure whether I will have enough time for it, still I would definitely love to participate.


FOSDEM 2007

February 3, 2007

Unfortunately this year I won’t make it to FOSDEM, but this doesn’t mean I cannot recommend everybody else to go ;)

FOSDEM, the Free and Open Source Software Developers' European Meeting


GPLv2 or Later

January 6, 2007

If you ever released software under the GNU General Public License you are probably familiar with this formulation:

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

While this is not part of the license itself, the Free Software Foundation recommends the use of this formulation when releasing programs under the GPL. Paragraph 9 of the license explains why the “or later” clause is useful,

The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

and what it precisely means for anybody using a program released using this clause:

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

And while the GPL FAQ gives more detail on the reasons developers would want to follow this recommendation, there is still plenty of confusion surrounding this clause.



Java Free as in Freedom

November 14, 2006

Duke is free too!

The news that made my day yesterday was that Sun is releasing Java (my favorite programming language) under the GPL. This holds for the (Open) JDK and the mobile Java platform, but also for their Glassfish enterprise application server (which was already available under the CDDL open source license). More information on Sun open sourcing Java in this FAQ and all over the web.

There are even speculations that OpenSolaris might follow the same license change from CDDL to GPL. This would also be awesome. Think of a GNU/Solaris enterprise operating system and the possible cross-pollination between Solaris and Linux.