mdlbear: (technonerdmonster)
2025-02-19 04:03 pm

Public Service Announcement: Back up your e-books!

TL;DR: After February 26th, you will no longer be able to download books to your computer from that bookseller named after a river in Brazil. That means that you will not be able to back up your library to, say, a hard drive, or convert your books to a format you can read somewhere else.

Either of those would be a non-problem for people -- like me, until yesterday -- who only read books on their kindle, or the kindle app on their phone, and are comfortable with trusting $A to keep their books safely stored in the cloud. BUT, as pointed out in this article on Good E-Reader, they can no longer be trusted. They have been known to remove books from their store, and from the libraries of everyone who "bought" them, without notice, recourse, or recompense. They have also silently replaced books with modified (censored) versions.

You have until Tuesday the 25th to download your books.

After that you'll be able to sideload them onto a Kindle via USB, or use Calibre to remove the DRM and convert them to more portable ebook formats.

You can download books up to 25 at a time by putting them in collections. Not fun, if you have lots of books. Colleen and I had over 1000 between us. There is a bulk downloader: bellisk/BulkKindleUSBDownloader: Quick script to download all your Kindle ebooks. It's in Python and should be portable; the requirements can be installed with pip. It also needs Chromium. (Or Chrome, but you really don't want that.)

Good luck and happy hacking.

ETA: Claim Your Free COVID-19 Tests Now in Case the USPS Program Gets Shut Down - CNET

mdlbear: blue fractal bear with text "since 2002" (Default)
2024-06-26 01:00 pm

Public Service Announcement: Stop Using polyfill dot io

If you happen to be developing websites using the polyfill.io javascript library, drop everything and DELETE IT NOW! The domain was purchased by what's said to be a Chinese malware organization, which is using the library to redirect users to sports betting websites. More at

solarbird | if you use polyfill dot io, stop RIGHT NOW and read this
Renaud Chaput: "polyfill.io malware injection" - Oisaur
Remove Polyfill.io code from your website immediately • The Register
Polyfill.io JavaScript supply chain attack impacts over 100K sites

... and a tip of the hat to solarbird, who put me on to this.

If you develop websites using a framework or javascript library but you're not sure what a polyfill is, search your codebase for the string "polyfill.io". Then look it up and either eliminate it as a dependency, or find a different place to fetch it from.
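The search the paragraph above recommends, as an added example (not code from the original post): it finds script and link tags that load from polyfill.io or any of its subdomains, including protocol-relative URLs, and also catches the bare string inside inline or bundled JavaScript. The sample page is constructed, not a real site.

```python
"""Scan an HTML or JS file for references to the polyfill.io domain.

Added example, not code from the original post. It finds <script src> and
<link href> tags whose host is polyfill.io or a subdomain of it (such as
cdn.polyfill.io), including protocol-relative "//host/..." URLs, and also
reports the bare string in inline scripts or bundled JavaScript.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_DOMAIN = "polyfill.io"


def host_of(url: str) -> str:
    """Lowercase host of a URL; scheme-relative URLs get a scheme so urlsplit parses them."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_flagged_host(host: str) -> bool:
    """True for the flagged domain itself and any subdomain, but not for look-alikes."""
    return host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN)


class _RefCollector(HTMLParser):
    """Collects (line, tag, url) for script/link tags that load from the flagged domain."""

    def __init__(self) -> None:
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        url_attr = {"script": "src", "link": "href"}.get(tag)
        if url_attr is None:
            return
        for name, value in attrs:
            if name == url_attr and value and is_flagged_host(host_of(value)):
                self.hits.append((self.getpos()[0], tag, value))


def find_polyfill_refs(source: str):
    """Return sorted (line, kind, text) hits; kind is 'script', 'link' or 'text'."""
    collector = _RefCollector()
    collector.feed(source)
    collector.close()
    hits = list(collector.hits)
    tagged_lines = {line for line, _, _ in hits}
    # Text pass: catch the domain inside inline code that the tag pass cannot see.
    for lineno, line in enumerate(source.splitlines(), start=1):
        if FLAGGED_DOMAIN in line.lower() and lineno not in tagged_lines:
            hits.append((lineno, "text", line.strip()))
    return sorted(hits)


# Constructed sample page (not a real site); exercises each form of reference.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://cdn.example.com/app.js"></script>
<link rel="preconnect" href="https://polyfill.io">
</head><body>
<script>var base = "https://cdn.polyfill.io/v3/"; /* inline reference */</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, text in find_polyfill_refs(SAMPLE_HTML):
        print(f"line {line:2d} [{kind:6s}] {text}")
```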

This, BTW, is one more reason to like Chris Ferdinandi's Daily Developer Tips | Go Make Things.

mdlbear: (hacker glider)
2022-12-03 09:55 pm

Down the Rabbit Hole

1: The Turing Machine

So, Wednesday I looked at Wikipedia's front page and saw, under the "On this day" heading:

1936 – English mathematician Alan Turing published the first details of the Turing machine (model pictured), an abstract device that can simulate the logic of any computer algorithm by manipulating symbols.

It was the "model pictured" that grabbed me. The caption was/is "A physical Turing machine model. A true Turing machine would have unlimited tape on both sides, however, physical models can only have a finite amount of tape."

I knew that -- everyone who studies computer science knows that, and a few have dreamed, as I had, of building a physical model. I even figured out how to build one out of wood, minus a few details. But there it was.

(If you're not interested in the details, you can skip this and the other indented blocks. But I digress...)

A Turing Machine is a remarkably simple device. It has a read head, a write head, a strip of tape that they operate on, and a controller with a finite number of states. It can read what's on the tape -- the classic machine uses blank, "0", and "1". (Some versions use "X" instead of "1", and some dispense with "0" and just have 1 and blank. That makes programming them a little more complicated, but not by much. Some have more symbols. It doesn't matter -- you can program around it.) The machine can move the tape backward and forward. Numbers are usually represented in Unary, so you count "1", "11", "111", ..., although with both 1 and 0 you could use binary, and some versions do.

The machine has a "state", which selects a line in the machine's program that tells it what to write, which direction to move the tape, and which state to go to next, depending on what symbol the read head is looking at. (Think of the table as a drum with pegs on it, like a music box.)

That's it. That's all you need to compute any function that can be computed by any kind of mechanical or digital computer. Of course you may need a lot of tape -- so you need to attach it to a tape factory -- and a lot of time.

The critical thing is that it's possible to design a universal Turing machine: it takes a tape, and the state table of a Turing machine (in 1's, 0's and blanks), and it uses that description to do exactly what that machine is programmed to do. Turing's big accomplishment was using the universal Turing machine to prove that there are some things that a computer can't do, no matter how much time and tape you give it.
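The state table described above, run by a small simulator, as an added example (not code from the original post). Each row is keyed by (state, symbol read) and gives (symbol to write, head move, next state) over the alphabet blank/0/1; the sample program adds two unary numbers separated by a single 0, so "11011" becomes "1111". The state names and the step limit are my own choices.

```python
"""A tiny Turing machine simulator with the kind of state table the post describes.

Added example, not code from the original post. The tape is unbounded in both
directions; numbers are unary runs of 1s, and a single 0 separates two of them.
"""
from collections import defaultdict

BLANK = " "
LEFT, RIGHT = -1, 1

# (state, symbol read) -> (symbol to write, head move, next state). 'halt' has no rows.
# Plan: walk right over the first number, overwrite the separating 0 with a 1 so the
# two runs join, walk to the end of the second run, step back and erase one surplus 1.
UNARY_ADD = {
    ("scan1", "1"): ("1", RIGHT, "scan1"),
    ("scan1", "0"): ("1", RIGHT, "scan2"),      # join the two runs
    ("scan2", "1"): ("1", RIGHT, "scan2"),
    ("scan2", BLANK): (BLANK, LEFT, "erase"),   # past the end of the second run
    ("erase", "1"): (BLANK, LEFT, "rewind"),    # drop the surplus 1
    ("rewind", "1"): ("1", LEFT, "rewind"),
    ("rewind", BLANK): (BLANK, RIGHT, "halt"),  # head back on the first cell
}


class TuringMachine:
    def __init__(self, table, start, halt="halt", max_steps=10_000):
        self.table = table
        self.start = start
        self.halt = halt
        self.max_steps = max_steps  # guard for programs that never halt

    def run(self, tape_input: str) -> tuple[str, int]:
        """Run until the halt state; return (non-blank tape contents, steps taken).

        A (state, symbol) pair with no row in the table means the input was
        malformed for this program; the machine rejects it rather than guessing.
        """
        tape = defaultdict(lambda: BLANK, enumerate(tape_input))
        head, state, steps = 0, self.start, 0
        while state != self.halt:
            if steps >= self.max_steps:
                raise RuntimeError(f"no halt after {steps} steps")
            key = (state, tape[head])
            if key not in self.table:
                raise ValueError(f"no rule for state {state!r} reading {tape[head]!r}")
            write, move, state = self.table[key]
            tape[head] = write
            head += move
            steps += 1
        return self._render(tape), steps

    @staticmethod
    def _render(tape) -> str:
        cells = [pos for pos, sym in tape.items() if sym != BLANK]
        if not cells:
            return ""
        lo, hi = min(cells), max(cells)
        return "".join(tape[p] for p in range(lo, hi + 1))


def unary_add(a: int, b: int) -> int:
    """Add two non-negative integers by running the UNARY_ADD machine."""
    out, _ = TuringMachine(UNARY_ADD, "scan1").run("1" * a + "0" + "1" * b)
    return len(out)


if __name__ == "__main__":
    tape, steps = TuringMachine(UNARY_ADD, "scan1").run("11011")
    print(f"'11011' -> {tape!r} in {steps} steps")
```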

But of course I was much more fascinated by the machines, starting at the website of the model that first grabbed my attention, and proceeding to a Turing machine made of legos. I spent some time in the Turing machine gallery. But the rabbit hole went deeper than that.

2: The Universal Constructor

At about that point it occurred to me to look at the Wikipedia page for the Von Neumann universal constructor. Because once you have a kind of machine that can simulate itself, the natural question is whether you can have a machine that can build a copy of itself.

The trivial answer to this question is "Yes, of course. Cells have been reproducing themselves for billions of years." But in the 1940s when von Neumann was thinking about this, the structure of DNA had not yet been determined -- that was 1953 -- and although it had been known since the late 1920s that DNA had something to do with heredity, nobody knew how it worked. So his insight into the machinery of reproduction was pretty remarkable.

Like Turing's insight into the machinery of computation, von Neumann's insight into the machinery of reproduction was to separate the machine -- the Universal Constructor -- from the description of what it was to construct, stored on something simple -- a tape.

Von Neumann's machine was/is a cellular automaton; it "lived" (if you can call it that) on a grid of squares, where each square can be in one of 29 different states, with rules that tell it what to do depending on the states of its neighbors. A completely working machine wasn't simulated until 1995. Its constructor had 6329 32-state cells, and a tape with a length of 145,315. It took it over 63 billion timesteps to copy itself. (Smaller and faster versions have been constructed since then).

At, say, 1000 steps/second, that would have taken over two years. It wasn't until 2008 that a program, Golly, became able to simulate it using the hashlife algorithm; it now takes only a few minutes.

Which led me even further down the rabbit hole. Because no discussion of cellular automata would be complete without Conway's Game of Life.

3: The Game of Life

It's not really a game, of course, it's a cellular automaton. Each cell in the square grid is either dead or alive. You start with an arrangement of live cells, and turn them loose according to four simple rules:

  1. If a live cell has fewer than two live neighbors (out of the 8 cells surrounding it), it dies of loneliness.
  2. A live cell with two or three live neighbors, stays alive.
  3. A live cell with more than three live neighbors dies of overpopulation.
  4. A dead cell with exactly three live neighbors becomes live.

I first encountered the game in the October 1970 issue of Scientific American, in Martin Gardner's "Mathematical Games" column. The Wikipedia article gives a good introduction.

Patterns in Life evolve in a bewildering variety of ways. Many of them die out quickly -- an isolated cell, for example. Some patterns sit there and do nothing -- they're called "still lifes". A 2x2 block of cells, for example. Some blow up unpredictably, and may or may not leave a pile of random still lifes behind. Some patterns oscillate: a horizontal row of three cells will become a vertical row in the next turn, and vice versa -- it's called a "blinker".

And some patterns move. The simplest, called a "glider", appears in this post's icon. You can crash gliders into blocks or gliders into gliders, and depending on the timing they will do different interesting things. It didn't take people long to figure out that you can build computers, including a universal Turing machine. Or a machine that prints out the digits of Pi.
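The four rules and the three patterns named above (block, blinker, glider), as an added example (not code from the original post). Live cells are kept as a set of coordinates on an unbounded grid, so the glider keeps travelling instead of hitting an edge; the test of motion compares the pattern's shape and bounding-box origin four generations apart.

```python
"""Conway's Life with the four rules from the post, on a sparse, unbounded grid.

Added example, not code from the original post. A pattern is a frozenset of
(row, col) live cells; everything not in the set is dead.
"""
from collections import Counter

NEIGHBORS = [(dr, dc) for dr in (-1, 0, 1) for dc in (-1, 0, 1) if (dr, dc) != (0, 0)]


def step(live: frozenset) -> frozenset:
    """One generation.

    Count live neighbors for every cell that has at least one, then keep a cell
    if it has exactly 3 (rule 4, birth) or has 2 and was already alive (rule 2).
    Cells with fewer than 2 or more than 3 are simply not kept (rules 1 and 3).
    """
    counts = Counter((r + dr, c + dc) for r, c in live for dr, dc in NEIGHBORS)
    return frozenset(cell for cell, n in counts.items() if n == 3 or (n == 2 and cell in live))


def run(live: frozenset, generations: int) -> frozenset:
    for _ in range(generations):
        live = step(live)
    return live


def normalize(live: frozenset):
    """Return (shape shifted so its top-left bounding corner is (0, 0), that corner).

    Two snapshots with the same shape and different corners are the same
    pattern that has moved; that is how the glider's motion is checked below.
    """
    if not live:
        return frozenset(), (0, 0)
    r0 = min(r for r, _ in live)
    c0 = min(c for _, c in live)
    return frozenset((r - r0, c - c0) for r, c in live), (r0, c0)


def render(live: frozenset, rows: int, cols: int) -> str:
    return "\n".join("".join("#" if (r, c) in live else "." for c in range(cols)) for r in range(rows))


BLOCK = frozenset({(0, 0), (0, 1), (1, 0), (1, 1)})          # still life
BLINKER = frozenset({(1, 0), (1, 1), (1, 2)})                 # period-2 oscillator
GLIDER = frozenset({(0, 1), (1, 2), (2, 0), (2, 1), (2, 2)})  # moves one cell down-right every 4 generations

if __name__ == "__main__":
    for gen in range(3):
        print(f"blinker, generation {gen}:\n{render(run(BLINKER, gen), 3, 3)}\n")
    for gen in (0, 4, 8):
        print(f"glider, generation {gen}:\n{render(run(GLIDER, gen), 6, 6)}\n")
```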

Or a universal constructor.

4: The universal constructor

While I was falling into this rabbit hole, I happened to remember a passing mention of a universal constructor that can build anything at all out of exactly 15 gliders. (Strictly speaking, anything that can be constructed by crashing gliders together. Some patterns can't be made that way. But almost all the complicated and interesting ones that people are building these days can.) If this intrigues you, go read the article. Or wait until the next section, where I finally get to the bottom of the rabbit hole.

On the way down I encountered lots of weird things -- the aforementioned universal Turing machine and Pi printer, and a variety of "spaceships" that travel by, in effect, repeatedly constructing a new copy of themselves, then cleaning up the old copy. It took a while for me to get my head around that.

Then, sometime Wednesday evening, I found the book.

5: The Book of Life

It's not called "The Book of Life", of course, it's called Conway's Game of Life: Mathematics and Construction. But you get the idea. You can download the PDF.

The book ends with a pattern that simulates a Life cell. There are several different versions of this; this is the latest. It works by making copies of itself in any neighboring cells that are coming alive, then destroying itself if it's about to die. Wild.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (wtf)
2022-09-10 07:23 pm

What Were You Thinking, Patreon?

So, a couple of days ago (September 8th, to be exact) Patreon laid off their entire five-person security team. WTF? The linked article goes on to say,

The firm, which is still doing business in Russia, simply calls it “a strategic shift” (which seems to be corporate mumbo-jumbo for “cheaper outsourcing”). But infosec experts call it a “nightmare” caused by an “untrustworthy” company that’s “just put a massive target on its back.”

You can see links to more articles below in the resources.

The minimum reasonable response to this would be to change your password. Done that. It's not unreasonable to delete your account. I'm still supporting a few sites, so I'll leave my account in place until I see what's going to happen. And laying in a supply of popcorn.

Resources


mdlbear: (technonerdmonster)
2022-08-16 11:25 am

Update Zoom on Mac ASAP

According to this article posted yesterday on Ars Technica, there is a major security hole in Zoom for the Mac. Zoom issued a security bulletin on Saturday. The article suggests that you should download the update directly from Zoom or click on your menu bar options to "Check for updates" rather than waiting for the auto-update, although if you've already updated since Saturday you're probably ok.

The article goes into more detail; tl;dr is that Zoom's installer is owned by and runs as root, and has a major bug that allows unsigned updates to be installed.

Resources


mdlbear: (technonerdmonster)
2022-01-18 06:55 pm

Which tax software platform should I use this year?

I've been using the same software for doing my taxes for somewhere around 30 years. It was called TaxCut back then; the company that made it was bought by H&R Block in 1993, though they didn't rename the software until 2008. For much, if not all, of that time I've been doing it on a Mac of some sort.

Last year I looked at the system requirements and discovered that it would no longer run on my ageing Mac Mini. It also wouldn't run on Windows 7. It needed either macOS High Sierra or Windows 8.1. So I used their web version, which I remember as rather slow, and enough different from the offline version of previous years to be annoying.

So for this year (which is to say tax year 2021), my options would appear to be:

  1. Use the web version again. Ugh, but at least it would import 2020 without trouble. Maybe. It didn't let me upload a 2019 data file; I had to feed it a PDF and do a lot of fixing up.
  2. Run it on the laptop that has Win 8.1, or put the Win 10 disk that came with (new) Sable back in and use that. Ugh.
  3. Buy a newer Mac Mini. I could get a minimal one for about $100-150, or a more recent one (running Mojave) for around $200-250. (Those are eBay prices, of course.)

(Note that cost of the software is the same for all three options.)

I'm really leaning toward #3. But really that would just be an excuse to buy another computer, and would leave me with two Mac Minis that I'd hardly ever use. More likely I'll dither about it until the end of March and then break down and go use the web version again.


mdlbear: (technonerdmonster)
2021-11-02 09:04 pm

Trojan Source

This post in Krebs on Security describes an unusual and potentially very dangerous attack technique that can be used to sneak evil code past code reviews and into the supply chain. Briefly, it allows evildoers to write code that looks very different to a human and a compiler. It should probably come as no surprise that it involves Unicode, the same coding standard that lets you make blog posts that include inline emoji, or mix text in English and Arabic.

In particular, it's the latter ability that the vulnerability targets, specifically Unicode's "Bidi" algorithm for presenting a mix of left-to-right and right-to-left text. (Read the Bidi article for details and examples -- I'm not going to try plopping random text in languages I don't know into the middle of a blog post.)

Now go read the "Trojan Source Attacks" website, and the associated paper [PDF] and GitHub repo. Observe, in particular, the Warning about bidirectional Unicode text that GitHub now attaches to files like this one in C++. Observe also that GitHub does not flag files that, for example, mix homoglyphs like "H" (the usual ASCII version) and "Н" (the similar-looking Cyrillic letter that sounds like "N"; how similar it looks depends on what font your browser is using). If you're unlucky, you might have clicked on a URL containing one or more of these, that took you someplace unexpected and almost certainly malicious.

The Trojan Source attack works by making use of the control characters U+202B RIGHT-TO-LEFT EMBEDDING (RLE) and U+202A LEFT-TO-RIGHT EMBEDDING (LRE), which change the base direction explicitly.
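A detector for the two things the post contrasts, as an added example (not code from the Trojan Source paper or repo): the Bidi control characters that GitHub warns about, and the mixed-script identifiers (Latin "H" next to Cyrillic "Н") that it does not. The sample source is constructed; the script classification by Unicode character name is a deliberate simplification covering Latin, Cyrillic and Greek only.

```python
"""Flag Bidi control characters and mixed-script tokens in source text.

Added example, not code from the Trojan Source paper or repo. Control characters
are reported by Unicode abbreviation; tokens that mix Latin with Cyrillic or Greek
letters are reported as homoglyph candidates. Pure single-script tokens (a
Russian string literal, say) are not flagged.
"""
import re
import unicodedata

# Unicode's explicit directional formatting characters (the Bidi_Control set).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

TOKEN = re.compile(r"\w+")  # identifier-like runs; Bidi controls are not \w


def script_of(ch: str) -> str:
    """Crude script classification from the character name: 'LATIN', 'CYRILLIC', 'GREEK' or ''."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return ""


def find_bidi_controls(source: str):
    """Return (line, column, abbreviation) for every Bidi control character; both 1-based."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def find_mixed_script_tokens(source: str):
    """Return (line, token, scripts) for tokens that mix more than one letter script."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for tok in TOKEN.findall(line):
            scripts = {s for s in map(script_of, tok) if s}
            if len(scripts) > 1:
                hits.append((lineno, tok, tuple(sorted(scripts))))
    return hits


# Constructed sample. Line 2 carries RLO and LRI inside a comment; line 3 has a
# Cyrillic capital En where a Latin H would be expected; line 4 is single-script.
SAMPLE = (
    "x = 1\n"
    "    # note: \u202e reversed \u2066 text\n"
    "print(\"\u041dello\")\n"
    "msg = \"\u041f\u0440\u0438\u0432\u0435\u0442\"\n"
)

if __name__ == "__main__":
    for line, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line} col {col}: Bidi control {name}")
    for line, tok, scripts in find_mixed_script_tokens(SAMPLE):
        print(f"line {line}: token {tok!r} mixes {' + '.join(scripts)}")
```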

And remember: ШYSINAШYG - What You See Is Not Always What You've Got!

Resources


mdlbear: (technonerdmonster)
2021-10-06 04:06 pm

What happened to facebook yesterday?

If you're sensible enough not to use Facebook, WhatsApp, or Instagram, or to have set up "log in with Facebook" on any site you use regularly, you might not have noticed that they all disappeared from the internet for about six hours yesterday. Or if you noticed, you might not have cared. But you might have read some of the news about it, and wondered what the heck BGP and DNS are, and what they had to do with it all.

And if not, I'm going to tell you anyway.

You're more likely to have heard of DNS: that's the Internet's phone book. Your web browser, and every other program that connects to anything over the Internet, uses the Domain Name System to look up a "domain name" like, say, "www.facebook.com", and find the numerical IP address that it refers to. DNS works by splitting the name into parts, and looking them up in a series of "name servers". First it looks in a "root server" to find the address of the Top-Level Domain (TLD) server that holds the lookup table for the last part of the name, e.g., "com". From the TLD server it gets the address of the "authoritative name server" that holds the lookup table for the next part of the name, e.g., facebook, and looks there for any subdomains (e.g. "www").

(When you buy a "domain name", what you're actually buying is a line in the TLD servers that points to the DNS server for your domain. You also have to get somebody to "host" that server; that's usually also the company that hosts your website, but it doesn't have to be.)

All this takes a while, so the network stack on your computer passes the whole process off to a "caching name server" which remembers every domain name it looks up, for a time which is called the name's "time to live" (TTL). Your ISP has a caching name server they would like you to use, but I'd recommend telling your router (if you have full control over it) to use Cloudflare's or Google's nameserver, at the IP address 1.1.1.1 or 8.8.8.8 respectively. Your router will also keep track of the names of the computers attached to your local network.

Finally, we get to the Border Gateway Protocol (BGP). If DNS is the phone book where you look up street addresses, BGP is the road map that tells your packets how to get there from your house, and in particular what route to take.

The Internet is a network of networks, and it's split up into "autonomous systems" (AS), each of which is a large pool of routers belonging to a single organization. Each AS exchanges messages with its neighbors, using BGP to determine the "best" route between itself and every other AS in the Internet. (The best route isn't always the shortest; the protocol can also take things like the cost of messages into account.) BGP isn't entirely automatic -- there's some manual configuration involved.

What happened yesterday was that somebody at Facebook accidentally gave a command that resulted in all the routes leading to Facebook's data centers being withdrawn. In less than a minute Facebook's DNS servers noticed that their network was "unhealthy", and took themselves offline. At that point Facebook had basically shot themselves in the foot with a cannon.

Normally, engineers can fix server configuration problems like this by connecting to the servers over the internet. But Facebook's servers weren't connected to the internet anymore. To make matters worse, the computers that control access to Facebook's buildings -- offices as well as data centers -- weren't able to connect to the database that told them whose badges were valid.

Meanwhile, computers that wanted to look up Facebook or any of its other domains (like WhatsApp and Instagram), kept getting DNS failures. There isn't a good way for an app or a computer to determine whether a DNS lookup failure is temporary or permanent, so they keep re-trying, sometimes (as Cloudflare's blog post puts it) "aggressively". Users don't usually take an error for an answer either, so they keep reloading pages, restarting their browsers, and so on. "Sometimes also aggressively." Traffic to Facebook's DNS servers increased to 30 times normal, and traffic to alternatives like Signal, Twitter, Telegram, and Tiktok nearly doubled.

Altogether a nice demonstration of Facebook's monopoly power, and great fun to read about if you weren't relying on it.

Resources


mdlbear: blue fractal bear with text "since 2002" (Default)
2021-10-06 01:02 pm

Public Service Announcement: Recent leaks and other news

1. The entirety of Twitch has reportedly been leaked: source code, user payouts, hashed passwords. Change your password RIGHT NOW.

2. Company That Routes Billions of Text Messages Quietly Says It Was Hacked; Criminals were inside Syniverse for 5 years before anyone noticed - Malwarebytes; Syniverse responds to data breach. Good reason to switch to Signal, if you haven't already. Won't help with ordinary SMS text messages, though. Don't send secrets via SMS.

... and in other news,

3. Facebook whistleblower Frances Haugen details company's misleading efforts on 60 Min. Facebook, over and over again, has shown it chooses profit over safety. It is subsidizing, it is paying for its profits with our safety. But you knew that already, right?

4. This morning I got an email from my mobile provider, AT&T, offering me a pair of free security apps collectively called AT&T ActiveArmor (details). I'd quote the email, but it was nothing but a pretty image. I went to the Google and Apple app stores and read the reviews. Apparently, it's just like all the other AT&T bloatware I've deleted over the years: flaky, a memory and bandwidth hog, and not worth the price you pay for it. And when I can say that about something free, well...

5. ...and speaking of free, Windows 11 drops Oct. 5: Mark your calendars - TechRepublic. That would be today. Also, Windows 11 upgrade: Five questions to ask first | ZDNet. Fortunately it won't run on any of my machines, so I don't have to care.

P.S. In case you're trying to understand yesterday's Facebook et al. outage, that's what I'll be writing about next.

mdlbear: (technonerdmonster)
2021-06-05 05:59 pm

Finding ELIZA

Note: Despite being posted on a Saturday and a title that includes the name of a character from a well-known musical, this is not a Songs for Saturday post. It doesn't have anything to do with fish, either.

Remarkably, Joseph Weizenbaum's original source code for ELIZA has been rediscovered, after having been missing and believed lost for over half a century, and was made public on May 23rd of this year. ELIZA is probably the oldest and almost certainly the best-known implementation of what is now known as a chatbot.

If you decide to look at the code, start by reading the web page it's embedded in before you dive into the listing. The "Notes on reading the code" section, which comes after the listing, will prevent a lot of confusion. The listing itself is a scan of a 132-column listing, and definitely benefits from being viewed full-screen on a large monitor.

The first thing you see in the listing is the script -- the set of rules that tells the ELIZA program how to respond to input. The program itself starts on page 6. You might be misled by the rules, which are in the form of parenthesized lists, into thinking that the program would be written in LISP. It's not; it's written in MAD, an Algol-like language, with Weizenbaum's SLIP (Symmetric List Processing) primitives embedded in it.

SLIP uses circular, bidirectionally-linked lists. Each list has a header with pointers to the first and last list element; the header of an empty list points to itself. I've lost track of how many times I've implemented doubly-linked lists, in everything from assembly language to Java.

ELIZA is the name of the program, but "Eliza" usually refers to the combination of an Eliza-like program with the Doctor script. The most common script is a (rather poor) simulation of a Rogerian psychotherapist called "Doctor". According to the note at the bottom of the Original Eliza page, actual Rogerian therapists have pronounced it a perfect example of how not to do Rogerian therapy. Nevertheless, many people are said to have been helped by ELIZA, and it's possible to have a surprisingly intimate conversation with her as long as you suspend your disbelief and respect her limits.

If you have Emacs installed on your computer, you can access a version of Doctor with M-x doctor. Otherwise, browse to Eliza, Computer Therapist if you don't mind having a potentially intimate conversation with something hosted on a public website. (Or simply download the page -- it's written in Javascript.)

Resources


mdlbear: (technonerdmonster)
2021-03-05 10:45 pm

Operation Exchange Marauder

If you happen to be the administrator of a Microsoft Exchange Server that can be accessed from the internet, you need to immediately

  1. Apply the patches that Microsoft released on Tuesday: Multiple Security Updates Released for Exchange Server – updated March 5, 2021 – Microsoft Security Response Center
  2. Use this script (on GitHub) to scan your logs, as described in HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security to determine whether you are one of the at least 30,000 organizations that have been hacked via the holes you just patched (see Step 1). (You did patch them, right?) If you are,...
  3. Figure out what it means to your organization that all of your organization's internal email is now sitting on a disk somewhere in China. If that sounds like A Very Bad Thing,...
  4. Panic.

Resources


mdlbear: (technonerdmonster)
2021-02-24 01:18 pm

RIP Fry's Electronics -- the end of an era

Today I was shocked to read that Fry's Electronics has gone out of business, as of midnight last night (February 24th). Their web page has the announcement:

After nearly 36 years in business as the one-stop-shop and online resource for high-tech professionals across nine states and 31 stores, Fry’s Electronics, Inc. (“Fry’s” or “Company”), has made the difficult decision to shut down its operations and close its business permanently as a result of changes in the retail industry and the challenges posed by the Covid-19 pandemic. The Company will implement the shut down through an orderly wind down process that it believes will be in the best interests of the Company, its creditors, and other stakeholders.

It's a sad, sad day. Their first ad, a full page in the San Jose Mercury-News, was like nothing seen before (or since), listing computer chips and potato chips on the same page. (Its relationship to Fry's Food and Drug, which had recently been sold by the founders' father, was obvious.) As time went by the groceries largely disappeared, but soft drinks and munchies remained, and some of the larger stores included a café.

I (snail) mailed a copy of that first ad to my father, and that first Sunnyvale store was one of the tourist attractions we visited on his next visit to the West Coast. I have no idea how much money I spent there over the years.

After I moved to Washington in 2012 my visits to Fry's became much less frequent, and more of my electronics started coming from Amazon. It's been years since I saw the inside of a Fry's store.

I'll miss it.


mdlbear: (technonerdmonster)
2021-02-16 06:56 pm

Dependency Confusion

I've always been a little uncomfortable about build systems and languages that start the build by going out to a package repository and pulling down the most recent (minor or patch) version of every one of the package's dependencies. Followed by all of their dependencies. The best-known of these are probably Python's pip package manager, Javascript's npm (node package manager), and Ruby's gems. They're quite impressive to watch, as they fetch package after package from their repository and include it in the program or web page being built. What could possibly go wrong?

Plenty, as it turns out.

The best-known technique for taking advantage of a package manager is typosquatting -- picking a name for a malware package that's a plausible misspelling of a real one, and waiting for someone to make a typo. (It's an adaptation of the same technique from DNS - picking a domain name close to that of some popular site in hopes of siphoning off some of the legitimate site's traffic. These days it's common for companies to typosquat their own domains before somebody else does -- facbook.com redirects to FB, for example.)

A few days ago, Alex Birsan published "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies", describing a new attack that relies on the way package managers like npm resolve dependencies, by looking for and fetching the most recent compatible version (i.e. with the same major version) of every package, and the fact that they can be made to look in more than one repository.

Fetching the most recent minor version of a package is usually perfectly safe; packages have owners, and only the owner can upload a new version to the repository. (There have been a few cases where somebody has gotten tired of maintaining a popular package, and transferred ownership to someone who turned out to be, shall we say, less than reliable.)

The problem comes if, like most large companies and many small ones, you have a private repository that some of your packages come from. The package manager looks in both places, public and private, for the most recent version. If an attacker somehow gets the name and version number of a private package that doesn't exist in the public repository, they can upload a bogus package with the same name and a later version.

It turns out that the names and versions of private packages can be leaked in a wide variety of ways. The simplest turns out to be looking in your target's web apps -- apparently it's not uncommon to find a copy of a `package.json` left in the app's JavaScript by the build process. Birsan goes into detail on this and other sources of information.

Microsoft has published 3 Ways to Mitigate Risk When Using Private Package Feeds, so that's a good place to look if you have this problem and want to fix it. (Hint: you really want to fix it.) Tl;dr: by far the simplest fix is to have one private repo that includes both your private packages, and all of the public packages your software depends on. Point your package manager at that. Updating the repo to get the most recent public versions is left as an exercise for the reader; if I was doing it I'd just make a set of dummy packages that depend on them.
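The resolution logic behind the attack and behind the single-feed fix, as an added example (not code from Birsan's write-up, Microsoft's guidance, or any real package manager). Two toy feeds are constructed: a private one holding an internal package at 1.4.2, and a public one where someone has published the same name at 1.99.0. A resolver that pools both feeds and takes the newest compatible version picks the public upload; a resolver that consults only one curated feed (private packages plus mirrored public ones) does not, and fails closed for names it has never seen. The package names, versions and "same major, at least this version" range rule are my own simplifications.

```python
"""Dependency confusion in miniature: merged feeds versus a single curated feed.

Added example, not code from the original post or from any real package manager.
Versions are (major, minor, patch) tuples; a range means "same major version,
not older than this", the caret-style range the post refers to.
"""

Version = tuple[int, int, int]


def parse(v: str) -> Version:
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def compatible(candidate: Version, minimum: Version) -> bool:
    """Same major version and not older than the requested minimum."""
    return candidate[0] == minimum[0] and candidate >= minimum


# Constructed feeds: name -> {version: publisher}. 'acme-internal-utils' is a
# private package; its name has leaked and a stranger published 1.99.0 publicly.
PRIVATE_FEED = {
    "acme-internal-utils": {"1.4.0": "acme (private)", "1.4.2": "acme (private)"},
}
PUBLIC_FEED = {
    "acme-internal-utils": {"1.99.0": "unknown public publisher"},
    "left-pad": {"1.3.0": "npm", "1.3.5": "npm"},
}
# The fix from the post: one curated feed with private packages and mirrored public ones.
CURATED_FEED = {
    "acme-internal-utils": {"1.4.0": "acme (private)", "1.4.2": "acme (private)"},
    "left-pad": {"1.3.5": "mirrored from npm"},
}


def resolve_merged(name: str, minimum: str, *feeds):
    """Vulnerable: pool every feed and take the newest compatible version, whoever published it."""
    pool = {}
    for feed in feeds:
        pool.update(feed.get(name, {}))
    minimum_v = parse(minimum)
    candidates = [v for v in pool if compatible(parse(v), minimum_v)]
    if not candidates:
        raise LookupError(f"{name}: no version compatible with {minimum}")
    best = max(candidates, key=parse)
    return best, pool[best]


def resolve_curated(name: str, minimum: str, curated):
    """Hardened: consult only the curated feed; an unknown name fails closed instead of
    falling through to a public registry where anyone could have claimed it."""
    if name not in curated:
        raise LookupError(f"{name}: not in the curated feed; add it deliberately")
    return resolve_merged(name, minimum, curated)


if __name__ == "__main__":
    print("merged :", resolve_merged("acme-internal-utils", "1.4.0", PRIVATE_FEED, PUBLIC_FEED))
    print("curated:", resolve_curated("acme-internal-utils", "1.4.0", CURATED_FEED))
```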

Happy hacking!

Resources


mdlbear: (technonerdmonster)
2020-11-27 08:38 pm

More on branch name changes

You may remember this post about renaming the default branch in Git repositories. Since then I've done some script writing -- they say you don't really understand a process until you can write a program that does it, and this was no exception. (There are lots of exceptions, actually, but that's rather beside the point of this post...)

Anyway, here's what I think is the best way to rename master to main in a clone of a repository where that rename has already been done. (That's a common case anywhere you have multiple developers, each with their own clone, or one developer like me who works on a different laptop depending on the time of day and where the cats are sitting.)

     git fetch
     git branch -m master main
     git branch -u origin/main main
     git remote set-head origin main
     git remote prune origin

The interesting part is why this is the best way I've found of doing it:

  1. It works even if master isn't the current branch, or if it's out of date or diverged from upstream.
  2. It doesn't print extraneous warnings or fail with an error.

Neither of those is a problem if you're doing everything manually, but it can be annoying or fatal in a script. So here it is again, with commentary:

git fetch -- you have to do this first, or the git branch -u ... line will fail because git will think you're setting upstream to a branch that doesn't exist on the origin.

git branch -m master main -- note that the renamed branch will still be tracking master. We fix that with...

git branch -u origin/main main -- many of the pages I've seen use git push -u..., but the push isn't necessary and has several different ways it can fail, for example if the current branch isn't main or if it isn't up to date.

git remote set-head origin main -- This sets main as the default branch, so things like git push will work without naming the branch. You can use -a for "automatic" instead of the branch name, but why make git do extra work? Many of the posts I've seen use the following low-level command, which works but isn't very clear and relies on implementation details you shouldn't have to bother with:

    git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main

git remote prune origin -- I've seen people suggesting git fetch --prune, but we already did the fetch way back in step 1. Alternatively, we could use --prune on that first fetch, but then git will complain about master tracking a branch that doesn't exist. It still works, but it's annoying in a script.

Just as an aside because I think it's amusing: my former employer (a large online retailer) used and probably still uses "mainline" for the default branch, and I've seen people suggesting it as an alternative to "main". It is, if anything, more jarring than "master" for someone who has previously encountered "mainlining" only in the context of self-administered street drugs.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (technonerdmonster)
2020-11-10 08:30 pm

How to Git out of trouble (part 1)

Hopefully, this post will become the first of a series about solving various common problems with Git. Note that the grouping in that phrase is intentionally ambiguous – it could be either “(solving various common problems) with Git”, or “solving (various common problems with Git)”, and I expect to cover both meanings. Often there are aspects of both: Git got you into trouble, and you need to use Git to get yourself out of it.

“It is easy to shoot your foot off with git, but also easy to revert to a previous foot and merge it with your current leg.” —Jack William Bell

In many cases, though, this will involve git rebase rather than merge, and I think “rebase it onto your current leg” reads better.

Overcoming your fear of git rebase

Many introductions to Git leave out rebase, either because the author considers it an “advanced technique”, or because “it changes history” and the author thinks that it’s undesirable to do so. The latter is undermined by the fact that they usually do talk about git commit --amend. But, like amend, rebase lets you correct mistakes that you would otherwise simply have to live with, and avoid some situations that you would have a lot of trouble backing out of.

In order to rebase fearlessly, you only need to follow these simple rules:

  • Always commit your changes before you pull, merge, rebase, or check out another branch! If you have your changes committed, you can always back out with git reset if something goes wrong. Stashing also works, because git stash commits your work in progress before resetting back to the last commit.
  • Never rebase or amend a commit that’s already been pushed to a shared branch! You can undo changes that were pushed by mistake with git revert. (There are a few cases where you really have to force-push changes, for example if you foolishly commit a configuration file that has passwords in it. It’s a huge hassle, and everyone else on your team will be annoyed at you. If you’re working on a personal project, you’ll be annoyed at yourself, which might be even worse.)
  • If you’re collaborating, do your work on a feature branch. You can use amend and rebase to clean it up before you merge it. You can even share it with a teammate (although it might be simpler to email a patch set).

That last rule is a lot less important if you’re working by yourself, but it’s still a good idea if you want to keep your history clean and understandable – see Why and How To Keep Your Master Happy. And remember that you’re effectively collaborating if your project is on GitHub or GitLab, even if nobody’s forked it yet.

Push rejected (not fast forward)

One common situation where you may want to rebase is when you try to push a commit and it gets rejected because there’s another commit on the remote repo. You can detect this situation without actually trying to push – just use git fetch followed by git status.

I get into this situation all the time with my to-do file, because I make my updates on the master branch and I have one laptop on my desk and a different one in my bedroom, and sometimes I make and commit some changes without pulling first to sync up. This usually happens before I’ve had my first cup of coffee.

The quick fix is git pull --rebase. Now all of the changes you made are sitting on top of the commit you just pulled, and it’s safe for you to push. If you’re developing software, be sure to run all your tests first, and take a close look at the files that were merged. Just because Git is happy with your rebase or merge, that doesn’t mean that something didn’t go subtly wrong.
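An added example (mine, not the Curmudgeon's scripts) that runs two of this journal's recipes against throwaway repositories: the five-step master-to-main rename from "More on branch name changes" above, and the fetch-then-check divergence test from this section, followed by git pull --rebase. It assumes git is on the PATH; the repositories, file names and commit identity are all constructed.

```shell
#!/bin/sh
# Added example, not code from the original posts. Builds throwaway repos
# under mktemp -d and exercises two recipes: the master -> main rename of
# a clone whose origin was already renamed, and the "fetch, then look
# before you push" check that a non-fast-forward push would be rejected.
set -eu

# Throwaway identity so commits work on a machine with no git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Commit file $2 with contents $3 in the repository at $1.
commit_file() {
  echo "$3" > "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" commit -q -m "add $2"
}

# A bare origin that still calls its default branch master, plus a clone
# of it. Prints the work directory: $work/origin.git and $work/clone.
make_fixture() {
  work=$(mktemp -d)
  git -C "$work" init -q seed
  git -C "$work/seed" symbolic-ref HEAD refs/heads/master   # force the old name
  commit_file "$work/seed" README "hello"
  git clone -q --bare "$work/seed" "$work/origin.git"
  git clone -q "$work/origin.git" "$work/clone"
  echo "$work"
}

# The recipe from "More on branch name changes", applied to the clone at $1.
rename_clone() {
  git -C "$1" fetch
  git -C "$1" branch -m master main
  git -C "$1" branch -u origin/main main
  git -C "$1" remote set-head origin main
  git -C "$1" remote prune origin
}

# Report "current-branch upstream origin/HEAD stale-origin/master?".
describe_clone() {
  cur=$(git -C "$1" symbolic-ref --short HEAD)
  up=$(git -C "$1" rev-parse --abbrev-ref 'main@{u}')
  ohead=$(git -C "$1" symbolic-ref --short refs/remotes/origin/HEAD)
  stale=no
  git -C "$1" show-ref --verify -q refs/remotes/origin/master && stale=yes
  echo "$cur $up $ohead $stale"
}

# "git fetch followed by git status" in script form: prints "behind ahead",
# the commits upstream has that we lack and the ones we have that it lacks.
# A push is rejected as non-fast-forward whenever behind is non-zero.
behind_ahead() {
  git -C "$1" fetch -q
  git -C "$1" rev-list --left-right --count '@{u}...HEAD' | tr '\t' ' '
}

demo_rename() {
  work=$(make_fixture)
  git -C "$work/origin.git" branch -m master main      # upstream renamed first
  git -C "$work/origin.git" symbolic-ref HEAD refs/heads/main
  rename_clone "$work/clone" >/dev/null 2>&1
  describe_clone "$work/clone"                         # main origin/main origin/main no
}

demo_rebase() {
  work=$(make_fixture)
  git clone -q "$work/origin.git" "$work/bedroom"      # the other laptop
  commit_file "$work/bedroom" todo.txt "late-night edit"
  git -C "$work/bedroom" push -q origin master
  commit_file "$work/clone" todo2.txt "morning edit"   # committed before pulling
  before=$(behind_ahead "$work/clone")                 # 1 1: diverged
  git -C "$work/clone" pull -q --rebase
  after=$(behind_ahead "$work/clone")                  # 0 1: safe to push
  echo "$before / $after"
}

demo_rename
demo_rebase
```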

Pull before pushing changes

I get into a similar situation at bedtime if I try to pull the day's updates and discover that I hadn't pushed the changes I made the previous night, resulting in either a merge commit that I didn't want, or merge conflicts that I really didn't want. You can avoid this problem by always using git pull --rebase (and you can set the config variable pull.rebase to true to make that the default, but it's a little risky). But you can also fix the problem.

If you have a conflict, you can back out of it with git merge --abort. (Remember that pull is just shorthand for fetch followed by merge.) If the merge succeeded and made an unwanted merge commit, you can use git reset --hard HEAD^.

Another possibility in this situation is that you have some uncommitted changes. In most cases Git will either go ahead with the merge, or warn you that a locally-modified file will be overwritten by the merge. In the first case, you may have merge conflicts to resolve. In the second, you can stash your changes with git stash, and after the pull has finished, merge them back in with git stash pop. (This combination is almost exactly the same as committing your changes and then rebasing on top of the pulled commit – stash actually makes two hidden commits, one to preserve the working tree, and the other to preserve the index. You can see it in action with gitk --all.)

… and I’m going to stop here, because this has been sitting in my drafts folder, almost completely finished, since the middle of January.

Resources

NaBloPoMo stats:
   5524 words in 11 posts this month (average 502/post)
    967 words in 1 post today

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (technonerdmonster)
2020-11-03 10:48 pm

Renaming master to main in Git

If you've been paying attention to the software-development world, you may have noticed a movement to [remove] racist terms in tech contexts. The most obvious such terms are "master" and "slave", and there are plenty of good alternatives: primary/secondary, main/replica, leader/follower, etc. The one that almost every software developer sees every day is Git's "master" default branch. This issue on GitLab includes some good discussion of what makes "main" the best choice for git. (I've also seen "mainline" used.)

Renaming your master branch is easy. If the repo has no remotes, for example if it's purely local or a shared repo on a server you have an ssh account on, it's a one-liner:

   git branch -m master main

It's a little more complicated for a clone, but not much:

   git branch -m master main
   git push -u origin main
   git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main
   git pull

What you need to do at this point depends on where your origin repo is located. If you've already renamed its default branch, you're done. If you haven't, the git push -u created it. At this point, if your origin repo is on GitHub, you need to log in and change its default branch from master to main, because it won't let you delete its default branch.

Then, delete the old master branch with

   git push --delete master

This works for simple cases. It gets a little more complicated on GitHub because you might have web hooks, pull requests, and so on that still refer to master. GitHub says that renaming master will be a one-step process later in the year, so you may want to wait until then. For less complicated situations, any URLs that reference master will get automatically redirected to main. See this page for details.

I had a slightly different problem: my shared repositories are on my web host, and there are hook scripts that pull from the shared repo into the web directory. My version of the post-update only looks for changes in the master branch. Fortunately that's a one-liner, too:

   ssh HOST sed -i -e s/master/main/g REPO/hooks/post-update
The next problem is creating a new repo with main as the default branch. GitHub already does this, so if you are starting your project there you're good to go. Otherwise, read on:

The Git project has also added a configuration variable, init.defaultBranch, to specify the default branch for new repositories, but it's probably not in many distributions yet. Fortunately, there's a workaround, so if you don't want to wait for your distribution to catch up, you can take advantage of the way git init works, as described in this article by Leigh Brenecki:

  1. Find out where Git keeps the template that git init copies to initialize a new repo. On Ubuntu, that's /usr/share/git-core/templates, but if it isn't there look at the man page for git-init.
  2. Copy it to someplace under your control; I used .config/git/init-template.
  3. cd to the (new) template and create a file called HEAD, containing ref: refs/heads/main.
  4. Set the init.templateDir config variable to point to the new template.

Now when git wants to create a new repo, it will use HEAD to tell it which branch to create. Putting all that together, it looks like:

   cp -a /usr/share/git-core/templates/ ~/.config/git/init-template
   echo ref: refs/heads/main > ~/.config/git/init-template/HEAD
   git config --global init.templateDir ~/.config/git/init-template

You can actually replace that initial copy with mkdir; git is able to fill in the missing pieces. Alternatively, you can add things like a default config file, hooks, and so on.
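The same workaround as an added example (not the post's own commands), done with mkdir only and verified by making a first commit: the template holds nothing but HEAD, and init.templateDir is passed for a single command with git -c so no global config changes. It assumes git on the PATH; paths and the commit identity are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the HEAD-only template trick,
# built with mkdir instead of copying /usr/share/git-core/templates, and
# checked by committing. Everything lives under mktemp -d.
set -eu

# Throwaway identity so the commit works on a machine with no git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# A template directory containing nothing but HEAD; prints its path.
make_template() {
  tpl=$(mktemp -d)/init-template
  mkdir -p "$tpl"
  echo 'ref: refs/heads/main' > "$tpl/HEAD"
  echo "$tpl"
}

# Initialise a repo from template $1, make a first commit, and print the
# branch it landed on. Because HEAD already exists once the template has
# been copied, git init treats the repo as re-initialised and keeps our ref.
first_branch_with_template() {
  repo=$(mktemp -d)/newproject
  git -c init.templateDir="$1" init -q "$repo"
  git -C "$repo" commit -q --allow-empty -m "initial commit"
  git -C "$repo" symbolic-ref --short HEAD   # → main
}

first_branch_with_template "$(make_template)"
```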

(I've already updated my configuration repository, Honu, to set up the modified template along with all the other config files it creates. But that probably doesn't help anyone but me.)

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

NaBloPoMo stats:
   2146 words in 4 posts this month (average 536/post)
    814 words in 1 post today

mdlbear: (technonerdmonster)
2020-10-23 10:22 am

Keeping backups

It's been a while since I described the way I do backups -- in fact, the only public document I could find on the subject was written in 2006, and things have changed a great deal since then. I believe there have been a few mentions in Dreamwidth and elsewhere, but in this calamitous year it seems prudent to do it again. Especially since I'm starting to feel mortal, and starting to think that some day one of my kids is going to have to grovel through the whole mess and try to make sense of it. (Whether they'll find anything worth keeping or even worth the trouble of looking is, of course, an open question.)

My home file server, a small Linux box called Nova, is backed up by simply copying (almost -- see below) its entire disk to an external hard drive every night. (It's done using rsync, which is efficient because it skips over everything that hasn't been changed since the last copy.) When the disk crashes (it's almost always the internal disk, because the external mirror is idle most of the time) I can (and have, several times) swap in the external drive, make it bootable, order a new drive for the mirror, and I'm done. Or, more likely, buy a new pair of drives that are twice as big for half the price, copy everything, and archive the better of the old drives. Update it occasionally.

That's not very interesting, but it's not the whole story. I used to make incremental backups -- instead of the mirror drive being an exact copy of the main one, it was a sequence of snapshots (like Apple's Time Machine, for example). There were some problems with that, including the fact that, because of the way the snapshots were made (using cp -l to copy directories but leave hard links to the files that haven't changed), it takes more space than it needs to, and makes the backup disk very difficult -- not to mention slow -- to copy if it starts flaking out. There are ways of getting around those problems now, but I don't need them.

The classic solution is to keep copies offsite. But I can do better than that because I already have a web host, and I have Git. I need to back up a little.

I noticed that almost everything I was backing up fell into one of three categories:

  1. Files I keep under version control.
  2. Files (mostly large ones, like audio recordings) that never change after they've been created -- recordings of past concerts, my collection of ripped CDs, the masters for my CD, and so on. I accumulate more of them as time goes by, but most of the old ones stick around.
  3. Files I can reconstruct, or that are purely ephemeral -- my browser cache, build products like PDFs, executable code, downloaded install CDs, and of course the entire OS, which I can re-install any time I need to in under an hour.

Git's biggest advantage for both version control and backups is that it's distributed -- each working directory has its own repository, and you can have shared repositories as well. In effect, every repository is a backup. In my case the shared repositories are in the cloud on Dreamhost, my web host. There are working trees on Nova (the file server) and on one or more laptops. A few of the more interesting ones have public copies on GitLab and/or GitHub as well. So that takes care of Group 1.

The main reason for using incremental backup or version control is so that you can go back to earlier versions of something if it gets messed up. But the files in Group 2 don't change, they just accumulate. So I put all of the files in Group 2 -- the big ones -- into the same directory tree as the Git working trees; the only difference is that they don't have an associated Git repo. I keep thinking I should set up git-annex to manage them, but it doesn't seem necessary. The workflow is very similar to the Git workflow: add something (typically on a laptop), then push it to a shared server. The Rsync commands are in a Makefile, so I don't have to remember them: I just run make rsync. (Rsync doesn't copy anything that is already at the destination and hasn't changed since the previous run, and by default it ignores files on the destination that don't have corresponding source files. So I don't have to have a complete copy of my concert recordings (for example) on my laptop, just the one I just made.)

That leaves Group 3 -- the files that don't have to be backed up because they can be reconstructed from version-controlled sources. All of my working trees include a Makefile -- in most cases it's a link to MakeStuff/Makefile -- that builds and installs whatever that tree needs. Programs, web pages, songbooks, what have you. Initial setup of a new machine is done by a package called Honu (Hawaiian for the green sea turtle), which I described a little over a year ago in Sable and the turtles: laptop configuration made easy.

The end result is that "backups" are basically a side-effect of the way I normally work, with frequent small commits that are pushed almost immediately to a shared repo on Dreamhost. The workflow for large files, especially recording projects, is similar, working on my laptop and backing up with Rsync to the file server as I go along. When things are ready, they go up to the web host. Make targets push and rsync simplify the process. Going in the opposite direction, the pull-all command updates everything from the shared repos.

Your mileage may vary.

Resources and references

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (technonerdmonster)
2020-09-25 08:15 pm

Review: the Lenovo ThinkPad TrackPoint Keyboard II

For some time now I've been eyeing Lenovo's ThinkPad Compact Bluetooth Keyboard with TrackPoint with a mixture of gadget lust and skepticism -- most of the reviews I saw said that the Bluetooth connection had a tendency to be laggy. Combined with the amount of trouble I've been having with Bluetooth on Linux Mint lately, and the lack of a USB connection, and the high price, it's been pretty far down on my list of things to buy.

Anyone who knows my fondness for addiction to Thinkpad keyboards can figure out what was going to happen when Lenovo came out with the ThinkPad TrackPoint Keyboard II, featuring both Bluetooth and a wireless USB dongle, but otherwise looking almost exactly like my wired KU-1255 keyboard and the keyboards on most of my Thinkpad laptops. I discussed that in "The Curmudgeon Contemplates Keyboards", a couple of weeks ago.

It arrived yesterday, much sooner than I'd expected. It's lovely, and just about what I expected. It's hard to go wrong with a Thinkpad keyboard.

Being nearly icon-blind it took me a while to puzzle out the switches, because the quick-start sheet had nothing but a few pictures to explain them. It didn't say anything at all about the "Android/Windows" switch. So I went looking on their tech support website and found nothing but a PDF of the quick-start. Not helpful. (After a day and a half I found a review that explained that it gives F9-F12 Android-specific functions, and indeed I was eventually able to make out the tiny markings above them on the beveled edge of the bezel.)

The website -- and most of the reviews -- also mentioned its support for "6-point entry for the visually impaired", but DDG and Google found nothing except references to this keyboard. Braille, maybe? Whatever. There's nothing about it on the tech-support site.

There are some things I really appreciate as a cat's minion. It's exactly the right size to sit on top of my laptop (Sable is a Thinkpad X230; the keyboards are almost identical) with the lid closed and an external monitor plugged in. If a cat shows signs of wanting to sit on it, I can set it aside (or close the lid), and pick it up later. (I broke the micro-USB connector on one of my wired Thinkpad keyboards, because I often flip it up behind the laptop with the keys away from me -- and the cat.) If a cat does sit on it, the on-off switch is easily reachable on the right-hand side. Much easier than unplugging the cable.

So let's sum up. On the positive side: the wireless USB, Bluetooth, the classic ThinkPad feel and layout, the TrackPoint nub, and two of the three buttons are exactly as I would expect. (The middle button is in the same plane as the two side buttons, and the raised dots are much lower and are no longer blue.) The charging connector is USB-C. I haven't used it long enough to evaluate battery life, but it's been on since yesterday and claims to be at 99%; Lenovo claims two months, so that's believable. It's just the right size to sit on an ultrabook like a Thinkpad X230 with the lid closed.

I'm not sure whether to count the low-contrast markings on the function keys as positive or negative. I've pretty much abandoned my old emacs key-bindings for them, and some of the functions indicated by the icons are actually useful. I'll get out my label-maker, or label them with white-out.

On the negative side: the USB cable is just for charging. For goodness' sake, how much circuitry would it have taken for it to make that a third connection mode? The documentation is sketchy -- the QuickStart page is nothing but icons and arrows, and for an icon-impaired curmudgeon that's a bit of a problem. Nowhere in the documentation does it explain what the Android/Windows switch is for. There's nothing on Lenovo's tech support website, either. There's no backlight, and the function keys are labeled with low-contrast tiny letters. The dongle is, of course, incompatible with Logitech's, so it uses another USB port. (This is a minor quibble, because I had the slot I unplugged the old keyboard from.)

Some people would count the position of the Fn key, to the left of Ctrl, as a problem. They might also complain about the Page Up and Page Down keys' flanking the Up-Arrow in the inverted T arrangement. Since I've been using Thinkpads since sometime in the last Millennium, and the new page-up/page-down positions for 95% of the last decade, I don't have a problem with either of those -- they're exactly what I want. Some people would miss the trackpad and palm rest; I've been using a wired but otherwise identical keyboard for years, and don't miss them. Your mileage may vary.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (technonerdmonster)
2020-09-17 09:38 pm

Setting Up Sable

Setting up a computer so that it can boot into one of several different Linux distributions is something of a challenge; I haven't done it in quite a long time, and of course things have changed. You may remember the previous post in this series, in which I discuss the proposed partitioning scheme for Sable's new terabyte SSD. So if that didn't interest you, this probably won't either.

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

mdlbear: (technonerdmonster)
2020-09-04 10:07 pm

The Curmudgeon Thinks Out Loud

...about disk partitioning. Content warning: rather specialized geekness. If that's not something you're into, you might want to skip this.

Dreamwidth makes an excellent rubber duck -- thanks for listening.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.