Re: [Debconf-discuss] US laptop ban and DebConf
martin f krafft writes:

> … at least not while we're flying in airplanes where toys with bluetooth
> are taken off children (just happened…). Since the aircraft can be
> disturbed with Bluetooth, I think we have a slew of other issues anyway,
> so it's hard to see the tree in all that forest.

Note that the second sentence doesn't really follow from the first. The idea that this stuff interferes with airplane navigation equipment is mostly nonsense. (I only say mostly because there have been some *remarkable* security flaws in airplane software.)

Unfortunately, air transportation safety in the last thirty years or so has entered some bizarre zero-fact zone where the public statements from the people responsible for safety protocols are completely unbelievable nonsense, like the idea that a cell phone might interfere with airplane navigation, or like the idea that 95% of the stuff confiscated at checkpoints has anything whatsoever to do with aircraft safety.

In some cases, these policies may be hiding real security threat models. I suspect there are more legitimate threat models underlying this crap than we're giving them credit for. But because nearly all of the public statements are such total absurdity, and because at least in the US the screeners are so manifestly incompetent given even their own internal testing, they've burned their credibility so completely that it almost doesn't matter any more. We're in this weird state where actual legitimate policy may or may not be buried under a layer of unjustified ass-covering, but all one can actually see is the ass-covering and blame-shifting.

Airline safety has been a completely bipartisan failure in the United States. The last three administrations have been equally bad, regardless of political affiliation. The FAA and the TSA just pile new rule on top of new rule with no defensible public justification other than furious flag-waving and vicious attacks on anyone who questions them.

It's sad; the TSA was never any better than marginal, but I used to have real respect for the FAA as a fact-based, thoughtful, methodical investigative body grounded in real science.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
___
Debconf-discuss mailing list
Debconf-discuss@lists.debconf.org
http://lists.debconf.org/mailman/listinfo/debconf-discuss
Re: [Debconf-discuss] US laptop ban and DebConf
martin f krafft writes:

> Here's an alternative thought about this laptop ban:
> http://m.nzherald.co.nz/world/news/article.cfm?c_id=2&objectid=11823052
> Basically it says this is retaliation against Gulf airlines, because
> apparently, US airlines are exempt from the laptop ban. If that's the
> case — I did not verify — then an obvious solution (which may not be the
> cheapest again) is to fly on US carriers.

No US carriers fly to the affected airports, which is why US carriers aren't affected. The UK appears to also be going along with and instituting the same ban, with a slightly different selection of airports, so whatever is going on here, it doesn't seem to be a purely US thing.

That said, I concur with the advice to just avoid flying through the US right now when that isn't your destination. It's probably not worth the uncertainty and risk.

FWIW, it's being met with a great deal of dubiousness; the travel expert the local news radio station interviewed this morning actually came right out and said the ban was bullshit that does nothing to improve airline safety, which is remarkable -- usually the experts are more measured in their disapproval of stuff like this.

It's very difficult to figure out the threat model under which moving electronics, containing lithium-ion batteries no less, from the passenger cabin to the cargo hold makes the plane safer. And of course no one who knows is saying anything at all useful.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Do not photograph" checkbox in registration
Avi writes:

> It is common practice that the presenter should repeat any question
> before answering it. As long as this speaking protocol is followed, I
> don't see any understanding issues arising from only recording the
> presenter.

This is fine for presentations and questions, but multiple sessions that I attended at DebConf turned into general discussion at the end, with people in the audience speaking at some length and not just asking questions of the presenter. There really isn't a viable way for that sort of a discussion to be handled by expecting the presenter to repeat all of it.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Do not photograph" checkbox in registration
Steve Langasek writes:

> On Fri, Sep 12, 2014 at 01:23:29PM +0200, Gaudenz Steinlin wrote:
>> I might be wrong on this, but I expect those that don't mind to be
>> filmed to vastly outnumber those that oppose to it. So to me it seems
>> enough to make it clear that talk rooms are filmed and to have a space
>> for those that don't want to be filmed but still want to attend the
>> talk.
> The registration data supports this conclusion. Only a handful of
> people checked the box to say they didn't want their picture taken
> without permission. The rest either don't have a problem with it, or it
> wasn't important enough to them to find this information on the
> registration form (arguably, the same thing).

Just data-pointing here, but when I went to my first DebConf in Edinburgh, I remember being really taken aback and a little spooked at the amount that I was photographed, and at people running around the conference taking tons of photographs of everything without so much as a by-your-leave. At the time, I'd been attending technical conferences regularly for a while, mostly LISA, and I'd never encountered that aggressive of photography before.

I thought about it and made the conscious choice that I didn't particularly care if my image was available on-line, in part because I'm rather privileged in various ways that mean there's no risk for me in that. And while I personally am mostly uninterested in pictures of events I've attended, I know people in the community care a lot, and since I have no strong opinion, I feel like it's a gift that I can give them. Also, I'm very impressed at how well DebConf does for remote attendees, and I think that's important. So I've never checked the "don't photograph me" checkbox.

But I have to admit that I've thought about it a few times, just because the constant photography is so disconcerting and still weirds me out a little. And I have a lot of sympathy for the folks who are more sensitive to it than I am. I do think DebConf is a significant outlier here compared to other professional conferences, in a way that's likely to make at least some people quite uncomfortable.

I'm not sure how much this is a generational thing. I don't have a Facebook profile either, and didn't grow up with digital cameras, and maybe I have a different relationship with photos than people who are twenty years younger than I am.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Do not photograph" checkbox in registration
Clint Adams writes:

> What would be better is to have a small "film" area up near the speaker,
> and allow those who wish to be filmed show their explicit consent by
> moving into it to ask their questions on camera, and to not force anyone
> to be in that area if they do not want to be.

I've actually often wondered why DebConf doesn't do what was routine at Usenix, LISA, etc., which was to have a mike for questions and a camera dedicated to that and have people queue to ask questions. Although I suspect it's just lack of space, given that a lot of the rooms we tend to use are rather small and that requires a real aisle. We did that for the Linus Q&A, and I thought that worked much better.

And then people who don't want to be filmed will have a clearer idea of what part of the audience will be filmed and can avoid sitting close to the mike, and we could potentially formalize that.

I don't know if we can be sure we'll have large enough rooms, and a structure (some teams really like having "sit in a circle" meetings, but still want them filmed) that would let that work.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] DebConf conference policy on profanity
alberto fuentes writes:

> [...]
> [0] Do not use foul language; besides, some people receive the lists
> via packet radio, where swearing is illegal.
> [...]
> Please refrain from using those words in here. Use poo and m'kay instead[1]
> [0] https://www.debian.org/MailingLists/#codeofconduct
> [1] nsfw?: https://www.youtube.com/watch?v=DWkiWtqgOWc

This provision has been ignored on our mailing lists for as long as I've been a member of the project. There was some recent discussion of the packet radio reference that concluded that this justification was rather dubious.

I wonder if we should take it out of that document as well, although this is not the right place to talk about that.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
[Debconf-discuss] DebConf conference policy on profanity
I should preface this by saying that I personally don't feel that strongly about this one way or the other. But it came up in another forum that isn't the right place to talk about it, and I've been trying to make a point of doing my part to move some of those conversations to a better location.

I was mildly surprised during registration by the inclusion of expletives as something that was ruled out by the conference code of conduct. My (not particularly well-researched) impression is that use of non-gendered expletives in English is something that's become somewhat generational. Using four-letter words was considered very impolite and unacceptable in professional public venues in my parents' generation, but appears to hardly be noticeable in the generation in college now, with a change point somewhere around my generation.

To be specific about what words I'm talking about, I have seen people use both "shit" and "fuck" in a professional HR presentation context with basically no reaction (although the latter is much less common).

Several speakers used those or similar words during various presentations; often they were immediately apologetic, but the audience appeared not to take this part of the code of conduct particularly seriously.

Now, it's quite possible that I'm rather privileged here and am just unaware of the issues. I am *not* asking for this to be changed, at least at this point. However, I am curious as to what was the intent for including that rule in the code of conduct. Specifically, I'm wondering if this posed a concern for any of the attendees, or if it was just something that seemed like it would be appropriate to have in the code of conduct.

I should be clear here that I'm only talking about words that either never had or that are used outside of any sexual meaning, and are not used in a way that implies any sexual meaning. I am specifically *not* talking about gendered expletives or sexual innuendo, and would support continuing to rule out such things in the code of conduct.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] Code of Conduct violations handling process
Zenaan Harkness writes:

> More facts trickle out. Thank you for stepping up to the plate.
> Any chance someone could crush an egg shell already and just post a link
> to the brouhaha? Or summarise the events?
> Are we that timid, that dominated by the almighty COC, that facts are no
> longer politically correct?
> I happen to think facts are a useful foundation to a conversation.

I don't think the conversation about the specific event that happened is a useful conversation to have here, and I think it has a very high chance of creating huge amounts of heat and smoke to no constructive effect. I realize that the curiosity of bystanders has been piqued (and it would have been nice if we'd been able to have a conversation without doing that, although that's a lot to ask), but honestly I think it would be more rubbernecking than any foundation for constructive debate.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] So long, and thanks for all the fish
Sam Hartman writes:

> And so did this debconf! I love the new schedule, and it was great to
> be there with everyone.

+1

Thank you very much for the new schedule. Usually conferences for me are an exercise in social energy management, and I was expecting this year to be spectacularly bad because I came into the conference with a deficit. But having a relaxed schedule and large-sized chunks without talks let me retreat and recover and meant that I'm going to be leaving the conference more relaxed than I came. And it looks like people are finding plenty of social things to do during those hours if they don't have my limitations around continuous social interaction. :)

It's a great setup. I approve.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
[Debconf-discuss] Travel backgammon board
I won't be able to make it to the day trip tomorrow (a friend is coming down from Seattle and we're going to spend the day at Powell's), but I brought a travel backgammon board with me and I know there was some interest from folks in playing backgammon. I left the board with the front desk, and anyone who would like to bring it along on the day trip tomorrow can pick it up from there.

The front desk will be closing this evening at about 20:00 or 20:30, and will not be open tomorrow, so please stop by and pick it up before then if you're interested in bringing it with you tomorrow, or at least reply to this message and see if someone can bring it to you tomorrow.

Feel free to hang on to it as long as you're using it, and just drop it off at the front desk and send me a note when you're done with it (or give it to me in person if you see me, but doing this through the front desk is less hit or miss).

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Anonymous donation" to Debconf 13
Ian Jackson writes:

> Russ Allbery writes:
>> That seems to be exactly what happened.
> No. My reading of Moray's message is that some members of the Debconf
> teams used the existence of the donation as an argument in favour of
> selecting Le Camp as the site.

At least for some period of time, assuming that the 46K refers to this donation, I can see where you're seeing that. However, Holger has already said directly that this was not conclusive and has stated a number of other reasons for favoring Le Camp, which seems like the important part.

> Moray writes:
> Certainly at the time many people within the DebConf team were
> uncomfortable that this "anonymous donation" was used to argue
> that we didn't need to worry about the high prices at Le Camp, and
> to argue that we should definitely choose Le Camp since this money
> was only available if we went there.
> I read Moray's "used to argue" as referring to arguments from people
> within Debian or Debconf. Obviously it would be entirely inappropriate
> for anyone within Debian or Debconf's decisionmaking structures to argue
> that we should make a particular decision because an anonymous donor
> makes it a condition that we do so.

Which is why, when the situation became clear, everyone stopped, no?

What remedy or action are you looking for here? I don't think breaking the anonymity of a donation that never happened really makes sense. Are you looking for site selection to be re-opened? Further reassurance that the selection of the site was not influenced by the donation that didn't happen?

I guess I'm still not seeing the correctable impropriety. I understand that you're unhappy that this donation was ever used as an argument, but to me that seems like a solved problem going forward, and we've already had some reassurance that the site selection decision was not influenced by that donation even though it temporarily surfaced as an argument in favor of Le Camp. Do you want more reassurance on that score? Given the fallout and the understanding shared among the DebConf committee expressed here, it seems very likely to me that people will be even more sensitive about this sort of donation in the future.

I guess the other possibility is that people might be concerned someone involved in governance arranged this whole thing in a deliberately manipulative way and has not been uncovered, and therefore may continue to do so in the future. Certainly, that would prompt a high level of concern. But I'm not really seeing signs of that in the discussion so far. Also, at least from the outside, that strikes me as much less plausible than most alternative explanations. It would require assuming a lot of malice in a situation that can be adequately explained by well-intentioned but misguided offers by excited people.

I guess where I'm coming from here is that at some point one has to trust the process. I've been in governance situations with conflicts of interest before, and they're very hard to avoid entirely. That's *why* there's a process so that there are lots of checks and balances along the way.

Please note: as difficult as this sort of discussion is, I actually agree with Ian that this sort of discussion is valuable and helps keep a volunteer organization healthy. Ethics are hard. They're tricky and complicated, and they can always, *always*, be handled better. There's no perfect way of handling situations, and always possible improvements, and the way that one works out those improvements is through public discussion. Having this sort of public discussion of one's decisions is really painful, since it can feel personal and feel like an attack on one's honor, but I really don't think it is. Rather, it's an acknowledgement that this stuff is really hard, and lots of brains together are sometimes required to find the best ways of handling various situations, particularly unprecedented ones.

That said, the flipside of that observation is that it's almost impossible to achieve a perfect decision-making process. Every process is going to have some flaws in retrospect, but that doesn't mean the process is invalid. That's exactly why it's so important to have a process with a variety of steps that tend to fail independently.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Anonymous donation" to Debconf 13
raordinary evidence in order to entertain it.

> As a substitute, if the sponsor is a private individual who wants to
> remain private, I would personally be happy for this to be documented by
> some independent third party who will then answer Ian's question for the
> public benefit.

Asking that rejected donations be monitored to this degree is highly unusual. I don't know of any organization that would perform that kind of scrutiny on something that *never happened*.

> The answers to these questions don't prevent a DebConf at Le Camp. In
> fact, if DebConf goes ahead at Le Camp, then transparency about this
> issue is more important than ever. Just imagine if there is a deficit
> for Debian or some bigger disaster in 6 months - do we want people to be
> speculating about the role this "sponsor" played in bringing Debian to
> Le Camp?

This argument seems circular. I'm unimpressed by attempts to raise concerns and then simultaneously using that raising of concerns as an argument that the concerns are important.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] "Anonymous donation" to Debconf 13
Ian Jackson writes:

> According to Moray this proposed strings-attached donation was used as
> an argument by some members of the Debconf team in favour of making the
> decision favoured by the donor. That is wholly unacceptable. It
> amounts exactly to the donors buying influence.
> The fact that the money didn't change hands in the end doesn't help very
> much if at all (and indeed in some ways it makes it worse - if we're
> going to be bribed we should at least get to keep the money!)

The part that I'm missing here is what you felt should have been done differently.

Let's assume that Debian has no control over the offering of the donation (or loan) in the first place. I think that's a reasonable assumption. What I would then expect is for the team to discuss the offer (since no decision is ever going to be made out of hand), and then reject the offer as being insufficiently transparent and posing other problems with oversight and possible undue influence.

That seems to be exactly what happened. So unless I'm missing something, the reaction indicated seems to be "well done, thank you for handling this ethically and professionally."

I'm not inclined to blame people for temporarily discussing something, or even temporarily using it as an argument, before thinking it through further. Asking people to not do that seems to be an impossibly high standard to which to hold people. One of the ways that high-functioning groups develop and maintain ethical standards is to discuss ethical quandaries in public.

I'm not seeing any evidence on this thread (and, indeed, directly contrary assertions from people I think we all have reason to trust) that the withdrawn offer had any material effect on the choice of venue.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] [Debconf-announce] Proceedings from the 11th Debian Developers Conference are out!
Holger Levsen writes:

> On Sonntag, 15. August 2010, Yaroslav Halchenko wrote:
>> Those seems needing some TLC to look proper at many places
> Gee... I don't know what TLC means...

"Tender loving care." In this sort of context, usually used to mean manual tweaking and polishing. In a Debian packaging context, for example, TLC would be fixing Lintian warnings, updating Standards-Version, writing man pages for rarely-used binaries, etc.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] Virtualization?
John Goerzen writes:

> One topic of interest to me is virtualization. We've been using Xen for
> awhile, and have had some issues with its state in squeeze, and are
> looking at KVM. There was a big discussion on -devel about this a few
> months back. I'd be interested in hearing what others are doing with
> virtualization and where we see it heading in Debian. Is anyone
> knowledgeable about these things here, and willing to share?

I'm definitely interested in talking about it, although about the only information I have to share is our (not great) experience with VMware ESXi.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] double rooms with two network plugs
Holger Levsen writes:

> if you happen to be in a double room and one of the two network plugs
> doesn't work, search for a second outlet in the wall. It seems to be
> normal here that while the outlet has two plugs, one will not work,
> instead there is a second outlet with two plugs, where also only one
> works...

Ah, standard US university network wiring. :)

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] More questions regarding what to bring for DebConf10 (and other stuff)
David Smith writes:

> No, not really.. Though I'll admit my knowledge of NYC is limited, I
> have been tricked into giving people money in the streets before.. Some
> guy convinced me he was a Taxi driver on a smoke (pointed down the
> street to a Taxi waiting) and said I could buy a Metro Card off of him
> and take me wherever I needed to go... I had just come out of Penn
> Station with a backpack and pulling my luggage.. Plenty of people around
> and they didn't seem to pay any attention to him or me so it seemed
> pretty normal.. So yea, he took my money for a Metro card, walked over
> to where the Taxi was but then I saw he wasn't the driver.. He then
> hopped in and took the ride out of there himself and waved from the
> window.. Kind of funny in retrospect, but yea, I tend to be more
> cautious because things like that tend to find me pretty easily...

This kind of scam is common everywhere I've travelled, enough so that airports often have announcements about it. In general: don't accept transportation from someone who approaches you offering transportation. Go to the dedicated taxi area if there is one to catch a taxi, or approach a clearly labelled and licensed taxi (the license is generally in the window) if you're on the street. (Or call the taxi company and request a cab.) And taxi drivers will not ask to be paid in advance.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] More questions regarding what to bring for DebConf10 (and other stuff)
John Goerzen writes:

> More laptops have B plugs these days, FWIW.

True. All of my chargers for things like portable music players or cell phones still have A plugs, though, even for things I've bought in the past year.

> Incidentally I would be shocked if any visitor to the USA encounters an
> A socket. Yes some old A sockets exist, but are exceptionally rare due
> to the number of devices that require a B socket. I'd be certain that
> all the outlets in the Columbia dorms are B sockets; after all, Columbia
> students are probably bringing PCs or monitors, both of which usually
> require a B socket.

The only reason why I would be cautious here is that universities are notorious for having older buildings. Most of the places where I still see A sockets are in old university buildings or old apartment complexes. I agree that it's basically certain the dorms will have B sockets, but there's some minor chance that if you're in one of the venue buildings or some other university building and just want to sit down in the hall and plug in, you'll only have an A socket available there.

This is all from someone who's never actually been at Columbia, though, so locals can of course provide much better information.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] More questions regarding what to bring for DebConf10 (and other stuff)
David Smith writes:

> Just about all computers here in the USA with the exception of (some)
> battery chargers use B-Plugs.. You can plug A-Plugs into B Sockets..
> It's a safe bet that all the dorm rooms will have at least one B-Plug,
> but it would be good to get a confirmation and whether or not there are
> any guarantees in regards to that...

The additional prong on a B plug is ground, which is mostly unnecessary with US wiring for most devices. It's common for US laptop power supplies to have an A plug. You can't be absolutely guaranteed to have a B plug available, so if you have the choice and you're talking about a laptop and not something like a hair drier, I would go with an A plug.

That being said, any building whose electrical wiring has been built or renovated in about the last forty years probably has B sockets.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] Yet Another Cheese Party
Jimmy Kaplowitz writes:

> On Fri, Jul 09, 2010 at 05:23:56PM -0700, Russ Allbery wrote:
>> I don't know whether this is reflected in the import regulations, but
>> the US FDA (Food and Drug Administration) requirement for cheese is
>> that any cheese aged for less than six months must be made from
>> pasteurized milk.
> My understanding of the rule you're referring to is that the threshold
> is 60 days, not 6 months.

That sounds a lot more plausible. I bet I'm misremembering.

> (It's also possible to circumvent in both legal and illegal ways, though
> the legal ones require not crossing US state or international borders,
> so can't be done before arrival.)

Yes.

> And, as Christian suggested, I couldn't find a trace of it in the import
> regulations, though I don't claim to be an expert in those.

Yeah, me either. I've never looked at all at the import side of things. I just happen to know about the FDA regulation since I have some passing interest in cooking and like cheese.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] Yet Another Cheese Party
Christian PERRIER writes:

> From investigations we made up to now, importation of cheese in USA is
> not strictly forbidden but sometimes restricted for some varieties of
> cheese. The most accurate indication we could find was about cured and
> half cured cheese being allowed while non cured cheese (such as cottage
> cheese) being prohibited.
> Apparently, in en_US, "half-cured" means something along the line of
> French camembert and cured is meant for about any cheese that's
> "hard". So, it's not really about age, but about "hardness".
> Official documents we found (thanks to Jimmy Kaplowitz who did some
> investigation) didn't mention whether "pasteurized/unpasteurized" status
> is important or not. Of course, pasteurized cheese is a sin but I'd
> recommend having the word printed on the cheese box, in order to be
> sure.

I don't know whether this is reflected in the import regulations, but the US FDA (Food and Drug Administration) requirement for cheese is that any cheese aged for less than six months must be made from pasteurized milk. It sounds like the import restrictions are a bit different given that you mentioned above that it's about hardness rather than age, but that may help on at least drawing a line around which cheeses might cause problems in customs.

-- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] GPG keysigning?
Giacomo Catenazzi writes:

> A naive question: why does not FSF check identity of contributors?
> They must sign a copyright assignment (or disclaimer), send this
> document to FSF, but I see no identity check on FSF side.
>
> They do this for legal reasons!
>
> For FSF copyright assignment is more important than identity check.
> For us seems the contrary, but AFAIK FSF work closely with lawyer than
> us!

This may appear counterintuitive, but I believe the FSF is at significantly less legal risk for the sorts of problems we're discussing than Debian is. This is because the FSF doesn't distribute binaries and doesn't provide automated updates to systems.

You could potentially do a lot of damage by sneaking a back door into FSF-provided code, but it would take a long time for that to make its way into running computer systems. It's a possible attack, but it's an attack that's easier to discover in some respects and much slower to take effect than a Debian Developer uploading a package with a back door (which in most cases would also be automatically synchronized to Ubuntu).

This would not necessarily apply to the FSF-sponsored distributions, but I believe none of those are anywhere near as widely used as Debian.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] GPG keysigning?
martin f krafft writes:

> also sprach Steve Langasek [2009.06.25.0703 +0200]:
>> The government IDs are relevant because when we're collaborating on
>> an OS where there's minimal code review of the work done by
>> maintainers and a well-chosen malicious package could cause millions
>> or billions of dollars in damage to our users, we[1] want to be able
>> to hold someone accountable in the real world. Not an "identity",
>> but a physical person that we can prosecute and send to jail.
> I challenged this and have not heard anything else. How exactly do you
> think Debian would sue me, assuming I am in Switzerland, or let's say
> Russia, Korea, or Senegal?

Debian isn't going to sue you itself. Debian has no legal existence to sue anyone.

Debian would hold the hypothetical malicious you accountable, by which I mean that when the police come to a Debian delegate wanting to know how a Trojan horse was introduced into thousands of computers around the world, that delegate would point to the physical person who did the upload and say "go talk to them about it," after which point the normal legal processes for criminal activity that crosses national borders would work their way out.

There have been successful prosecutions and multi-government sting operations on some rings of computer criminals. Not a lot, because it's a hard problem, but it does happen.

And, almost equally importantly, if Debian can identify a specific responsible person, that means that Debian can identify a thousand people who *aren't* responsible, namely all the rest of us.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices
martin f krafft writes:

> I will always challenge the "government-issued ID" due to the vastly
> differing standards across the globe, but "travel document" is
> actually a term that someone uttered earlier, which raises the bar a
> lot higher.

For example, I think US drivers' licenses are only verifiable by someone who's lived in that state or otherwise seen drivers' licenses from that state. I really dislike seeing people use them at key signings and would rather see people use passports. I suspect you're going to see a ton of them in the 2010 Debconf key signing, though, since a lot of people in the US simply never bother to get a passport.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] GPG keysigning?
Manoj Srivastava writes:

> On Mon, Jun 22 2009, Russ Allbery wrote:
>> Going back to the previous discussion in debian-devel about signing a
>> key for which the only IDs are pseudonyms, I personally would do
>> that, but only if I knew the person personally and knew they were the
>> person who used that pseudonym. Which means that in the event of
>> smiting being necessary, I would personally be able to trace that key
>> to a person.
> The key signing then works for you to keep a marker that you
> know the person behind the key, but it does not help the Debian project
> at large, since you know where to deliver the smite, the current or
> future officers of the project may not (especially if you have lost
> interest and moved on to better things, as happens to people).

For me, there are different levels of reproducibility required in signing a PGP key and in welcoming that person as a Debian Developer. I'm comfortable signing a key for a pseudonym under some circumstances, but I would be a lot more leery of accepting a Debian Developer only known to the project under a pseudonym, even if I knew who the person was personally. I could see it, but the circumstances would have to be fairly exceptional.

> The thing is, your identification scheme fails the
> reproducibility test; there is no way that the person with the pseudo
> (i.e. lie [0]) name can't reproduce the identification challenge
> with, say, me, or any wider test authority that does not belong to
> the small subset of the people who know the person behind the key
> well enough to make the smiting a viable deterrent,

Right, this is something that I don't think is necessary for signing a key but which I would be more concerned with in adding someone as a Debian Developer. I sign role keys as well, which to me is a similar situation, but I wouldn't want someone to be able to upload to the repository using a role key.

> The set of people familiar with the travel documents is likely
> to be larger, and there are back channels to the authoritative
> distributors which can be used to deliver the smite to, independent of
> personal shared history with the aforementioned individual.

For many Debian developers, I have no idea what country they're even from, and some names are quite common and not particularly useful as unique identifiers. I'm unlikely to remember the details of the government-issued ID that I saw when signing their key. I'm much more likely to be able to track down someone who would meet my standard for signing a key under a pseudonym than someone who I met at a key-signing party and checked via government ID.

It is, however, a lot harder to write simple and straightforward rules around how one would do that sort of verification than it is to write the rules for a key-signing party using government ID.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] GPG keysigning?
Manoj Srivastava writes:

> However, if you want to tie that key owner to a real person, to
> somehow (my speculation) bring down the wrath on the community on
> someone who does something nasty or subverts the DMUP or causes the FSM
> to weep, well, you need the meet and greet and key signing
> stuff. Smiting evil doers seems to be the major cause that justifies
> this exercise, since otherwise the person can just dump their key,
> change their email, and get away scot free. Hard to smite them then.

I think this is the key point, plus just a general sort of raising the effort required for someone to subvert the system as Manoj also mentions.

> So while signing keys is not about governments, as Russ said, it
> is about establishing identity, and government issued identity
> documents are better proxies for establishing that than I can be
> bothered to do myself.

Particularly given that if one does need to smite, the process of smiting is likely to be done via a government, presumably the one that issued the identity papers in the first place. So there is a reasonable connection.

Security is always a tradeoff -- it's just about where you want to put the tradeoff between verification work and convenience. There are a lot of things that we could do that other organizations do, like hire private investigators to do background checks (which seems to be becoming routine for employment in the US, at least in a cursory way). Or we could sign keys based on e-mail interactions. Meeting in person and exchanging government ID or something that looks good enough to fool people is a compromise position, but I do think there's a general feeling that it's close to a sweet spot in that tradeoff for what we want out of our web of trust.

Going back to the previous discussion in debian-devel about signing a key for which the only IDs are pseudonyms, I personally would do that, but only if I knew the person personally and knew they were the person who used that pseudonym. Which means that in the event of smiting being necessary, I would personally be able to trace that key to a person.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] Regarding vaccinations and stuff like that
Margarita Manterola <[EMAIL PROTECTED]> writes:

> What the page says about vaccinations, basically is:
>
> "The health service of the Foreign Office recommends a vaccinated
> against tetanus, diphtheria and hepatitis A, long-term stay of 4 weeks
> or special exposure also hepatitis B, rabies and typhoid."
>
> None of these are endemic in Argentina. They are just the list of some
> vaccinations that people usually take around here. You don't need to
> take any of these in order to come and return from Argentina healthy.
> Hepatitis vaccination might be a good idea in any country, anyway.

Tetanus and diphtheria are part of the standard set of vaccinations strongly recommended for everyone in the United States as well; if you're coming from the US and you've had a recent Tdap vaccine, you're covered for tetanus and diphtheria. If you haven't, it's recommended anyway.

The US recommends Hep A vaccines for travel to Argentina, as well as almost the entire rest of the world except for Canada, western Europe, and Australia. Argentina isn't considered a risk for Hep B. See:

http://wwwn.cdc.gov/travel/yellowBookCh4-HepA.aspx
http://wwwn.cdc.gov/travel/yellowBookCh4-HepB.aspx

For the US recommended immunization schedule for adults, see:

http://www.cdc.gov/vaccines/recs/schedules/adult-schedule.htm

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
Re: [Debconf-discuss] lintian BOF?
Russ Allbery <[EMAIL PROTECTED]> writes:

> Colin, Jeroen, and I talked briefly this morning about the idea of a
> lintian BOF. If you'd be interested in attending, drop me a note, and
> if it seems like we have enough interest, I'll try to figure out how to
> get something scheduled.

> If you have any preferences on times, feel free to include that
> information, although no guarantees as the schedule is already rather
> full.

The lintian BOF is now scheduled for Saturday, 14:00, in the lower BOF room. Thank you to Neil McGovern for the quick scheduling!

Hope to see people there. I don't have a prepared talk, but I can go over the current state of lintian and talk about future development that I'd like to see happen, including the multi-dimensional tag classification mentioned in a few of the Debian mailing lists. We may also have things to discuss around the interaction between lintian and the new Policy team.

Bring your wishes, annoyances, and feelings about lintian!

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
[Debconf-discuss] lintian BOF?
Colin, Jeroen, and I talked briefly this morning about the idea of a lintian BOF. If you'd be interested in attending, drop me a note, and if it seems like we have enough interest, I'll try to figure out how to get something scheduled.

If you have any preferences on times, feel free to include that information, although no guarantees as the schedule is already rather full.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>