DebConf23

I attended DebConf24 at Kochi, Kerala, including the DebCamp before it. This is a dump of my notes taken during the conference (mostly on logseq on my phone). Might add more notes here after I catch up on talks that I missed.

There are people's names mentioned in this. Maybe I shouldn't be mentioning names, but I won't be able to remember names if I don't write them down.

  • Day 1 of DebCamp at DebConf23
    • Packaging CryptPad
    • Updated the list of dependencies of CryptPad 5.4.1
    • Retitled RFP to ITP for https://bugs.debian.org/932885
    • Run locally using Docker: docker run -v /path/to/config.js:/cryptpad/config/config.js cryptpad/cryptpad:version-5.4.1 (Debian’s docker.io package seems to be outdated.)
    • See if running using Podman also works
    • Try the yarn-apt plugin to pull half the packages from yarn and the other half from Debian
    • Praveen says (Fasttrack + contrib) might be the winning combo for cryptpad
    • CryptPad currently supports only NGINX and not Apache.
    • npm install on cryptpad repo added 465 packages, and audited 466 packages in 3m
    • CryptPad is (cryptpad + onlyoffice + draw.io) in a trenchcoat.
    • CryptPad needs not just one domain, but a second sandbox domain which can reduce the attack surface in case of something like XSS.
  • Day 2 of DebCamp at DebConf23
    • TIL that CryptPad has teams, calendar and contacts. These features seem to be built-in. Not embedded like OnlyOffice or draw.io
    • CryptPad has version history!
    • Turns out I was analyzing the dependencies of the wrong package. The js_task_wiki page script literally took my package.json and looked up the dependencies of an npm package called package.json.
  • Day 3 of DebCamp at DebConf23
    • Fixed the CryptPad dependencies page to show the correct dependencies of v5.4.1
    • CryptPad depends on CKeditor 4, which isn’t being supported since July 30.
    • 225 packages out of 392 unique packages are available in Debian. 158 packages are available in Debian at the correct version.
    • 167 new packages must be added. 67 packages must be updated to the right version.
    • Trying out golang packaging since I’m impressed by how automated dh-golang-make is. Packaged mCaptcha Go.
    • Try to run CryptPad using Guix tomorrow. A whole alternative packaging system on top of Debian to run applications with a crazy number of packages like in JS and Rust.
  • Day 4 of DebCamp at DebConf23
    • DONE Check the failed pipeline https://salsa.debian.org/go-team/packages/golang-codeberg-gusted-mcaptcha/-/jobs/4660164
      Fixed by re-running the pipeline.
    • Guix SD container as an alternative to docker containers?
    • Guix SD seems like a lot of work too since it also has the same concept of “packages” that need to be uploaded somewhere.
    • To upload a Debian package, use mentors.debian.net. Sign the .changes file using your GPG key before uploading it using dput.
      debsign -k E2B40875B5F75DCEA3F810985398F00A2FA43C35 <filename>.changes
    • Fsck npm!
  • Day 5 of DebCamp at DebConf23
    • I have come to the conclusion that Debian is not great for packaging applications software, but only systems software. Will continue to search for alternatives that work well with the requirements of FreedomBox.

      I like how when packaging my Android app for F-Droid I packaged only the app itself and didn’t have to recursively package every dependency as well. Must find something equivalent to that for applications software in Debian.

      Also have to keep in mind security, privacy and the ability to deliver updates as quickly as possible. It should also be compatible with components like web servers and databases installed as Debian packages.

      https://discuss.freedombox.org/t/evaluation-of-alternative-packaging-systems-to-debian/2724

    • Continuing the Kiwix app for FreedomBox

  • Day 6 of DebCamp at DebConf23
    • Met a Guix developer - Efraim Flashner.
  • Day 7 of DebCamp at DebConf23
    • golang-codeberg-gusted-mcaptcha tasks
      • watch file is missing. Maybe it is unable to generate a watch file for Codeberg, i.e. forgejo or gitea. Raise a feature request upstream?
      • source tarball’s md5sum is a mismatch with the source on Salsa
    • Read the usr-merge stuff in preparation for the BoF session.
  • Actual start day of the DebConf23
    • Met Kunal Mehta at breakfast
    • There’s a job fair after lunch, but I don’t have a resume of sorts. Of the people I’ve talked to so far, nobody’s work seems extremely interesting that I’d switch in an instant.
    • Interesting to know that the Software Heritage Archive uses content addressable storage and Merkle trees. They want to store everything just like the Internet Archive, but they only did FOSS so far. Proprietary software is coming up next.
    • Met a Tails developer called intrigeri
    • Attended a talk about OSTree. Fedora OSTree aka rpm-ostree uses libostree underneath. Nix and Guix. apt install –dir combined with direnv.
    • https://reproducible-builds.org/
    • For HPC on mobile phones https://www.open-mpi.org/
    • golang-codeberg-gusted-mcaptcha has the wrong checksums in the changes file. I can’t figure out why. Also, there’s no discernible watch file format for this repository.
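
One way to narrow down a checksum mismatch like the one noted above, as an added example (not code from these notes or from Debian's tooling): it parses the Checksums-Sha256 field of a .changes file and reports which listed file differs, and whether by size or by digest. The package name pkg and the file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from one multi-line deb822 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # any other field header ends the block
    return entries

def verify_changes(changes_text, directory):
    """Return {filename: problem} for every listed file that fails a check."""
    problems = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            problems[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            problems[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            problems[name] = "sha256 mismatch"
    return problems

def demo():
    """Constructed upload where the tarball was regenerated after the .changes was written."""
    with tempfile.TemporaryDirectory() as d:
        files = {"pkg_1.0.orig.tar.gz": b"original tarball", "pkg_1.0-1.dsc": b"dsc body"}
        lines = ["Format: 1.8", "Source: pkg", "Checksums-Sha256:"]
        for name, body in files.items():
            lines.append(f" {hashlib.sha256(body).hexdigest()} {len(body)} {name}")
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        lines.append("Files:")  # next field, must terminate the checksum block
        with open(os.path.join(d, "pkg_1.0.orig.tar.gz"), "wb") as fh:
            fh.write(b"rebuilt  tarball")  # same length, different bytes
        return verify_changes("\n".join(lines), d)

if __name__ == "__main__":
    print(demo())
```

A digest mismatch with an unchanged size, as in the sample, usually means the tarball was regenerated rather than truncated, which is why size and digest are reported separately.
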
  • Second day of DebConf23
    • TODO See Syncthing’s Golang package as an example to evaluate if Guix packages are easier to create than Debian packages.
      • Maybe a harmless binary such as lazygit can be installed on the local Guix system as an experiment. (Or Miniflux is a better thing to try, since it’s a server.)
      • Most Go packages from GitHub seem to have a vendor folder with the sources of all the dependencies.
    • Netplan unifies config across systemd-networkd and NetworkManager.
      • Used in Ubuntu since 2016.
      • Available on public clouds using cloud-init.
      • It is a unified network configuration renderer.
      • libnetplan.so and a Python CLI are available.
      • ifupdown is also in use in Debian. Very old, mostly in maintenance mode.
      • Netplan 1.0 coming out in 2024
    • ZFS - Zettabyte file system
      • Though started in 2001, OpenZFS was founded in 2013.
      • Self-healing
      • Encrypted but metadata like filenames can be read.
      • Copy-on-write and snapshots, just like in btrfs
      • ZFS can do encryption + compression with great performance.
      • Reads and writes are from memory. Read cache and write cache are possible on the disk as well.
      • Volume management allows virtual drives that can run other filesystems (such as NTFS) on top of ZFS.
      • ZFS Pools to hold data sets. Easy to configure NFS on a ZFS pool.
      • ZFS uses a lot of memory and is better for large storage systems. Usually uses a quarter of the available memory by default. More memory gets faster caching.
    • GNU Network Object Model Environment is GNOME
      • CHAOSS - Community Health Analytics for OSS
      • GNOME seems to be still using some proprietary software such as Slack for CHAOSS and has presence on surveillance capitalist social networks.
    • DPL’s talk
      • Debian needs to be registered as an organization
      • It’s 30 years old already
      • Red Hat’s market share is shrinking
      • Frankenstein kernels are a bad idea compared to stable kernels. But enterprises pay a lot for them.
    • FreedomBox talk about a deployment in Lododdi in Andhra Pradesh. I wasn't aware of this deployment until I came to DebConf.
      • Someone in the audience mentioned Kolibri. Kolibri seems to be an improvement over KALite from Khan Academy. Kiwix also has archives for Khan Academy, but not features like student/teacher logins and progress-saving.
  • Third day of DebConf23
    • The BoF is captured in this etherpad
      • Attending this BoF was a weird feeling. It was people from rich developed countries who already doomed the planet (well, not this crowd in particular) feeling guilty about the negligible amount of carbon emitted during their trips (see ghost flights) to DebConf23 on one hand, while people from the third world country of India were trying to prove that they can provide western standards of living in Kochi, India on the other.
      • We found no good solutions to anything, but I have enough trust in Debian to believe that they won’t take buying carbon offsets seriously.
      • An audience member raised the point of how hard it is to get visas to Europe. This goes against minimizing travel distance for attendees. DebConf must be held in various countries to strengthen the local communities in those countries.
    • unattended upgrades talk
      • Needrestart can automatically restart services based on the configuration
    • Consider adding “build arm” as a stage to the FreedomBox pipeline
      • There is an ARM builder available in Salsa CI (must be added separately). Base images are available for ARM32V5, ARM32V7 and ARM64.
  • Fourth day of DebConf23
    • Went on a houseboat trip. Read 10% of Cory Doctorow’s Red Team Blues on my way there. The houseboat trip was fine. Talked to Abhinav C K on my way back mostly about IT jobs, Kerala etc. It’s surprising how much class consciousness people have in Kerala even at a young age.
  • Fifth day of DebConf23
  • Sixth day of DebConf23
    • FIPS in Java. Required for federal contractors. Certified by NIST. Only FIPS approved algorithms can be used to get FIPS certification. Only binaries get certification, not source code. An application that only uses FIPS certified cryptography modules is said to be FIPS compliant.
      • Java Cryptography Extensions. OpenJDK doesn’t include any FIPS certified provider. The JRE itself needs to be FIPS compliant for the application to be compliant.
      • Java-only code needs certification but a pass-through library to a certified native library doesn’t need certification.
      • Ubuntu is using BouncyCastle as the provider. Or pass-through using OpenSSL.
  • Seventh day of DebConf23
    • SecureDrop needs to be its own distribution. It can’t be run as an app on FreedomBox. Powered by the Tor network.
      • https://demo.securedrop.org/
      • Encrypted in transit by Tor and by GPG after receiving it.
      • Currently replacing GPG with Sequoia PGP (a Rust library)
    • Docker.io in Debian - Docker, containerd and runc. Ubuntu is just providing the upstream packages using an SRU exception. Docker’s snap runs in a sandbox so some features are missing.
    • Chisel is a new tool to build distroless containers on Debian. Deals with Slices of packages. Slice definitions files are in the chisel-definitions repository. Pick and choose what JRE components you want. Can write mutation scripts using Starlark. jlink can shrink JRE11 even further. Chiseled images offer the advantages of both a distroless and distribution images.
  • Eighth day of DebConf23
    • Outreachy talk on yarn
      • node-yarnpkg is the package for yarn in Debian
      • npm is being replaced by corepack as the default package manager in Node.
      • js-team/yarn-plugin-apt on Salsa can install packages preferentially from Debian and the rest from NPM.
    • Debian Social BoF
      • Many services work with a Salsa login. I am currently interested only in PeerTube to start a FreedomBox channel.
      • Some discussion about starting a Discourse instance.
      • Suggested Castopod and Loomio. Also sneaked in CryptPad into the doc later.
    • DebConf23 group photo is out.
    • Lightning talks
      • The website now needs fewer clicks to get to the downloads.
      • Direct links to security announcements on the security information page.
      • FAI.me is a service for non system administrators. Seems like a great tool to make custom Debian images.
      • WKD for Debian
      • Debian External Repositories demo
        • extrepo example with vscodium:
          • sudo apt install extrepo
          • sudo extrepo enable vscodium
          • sudo apt update
          • sudo apt install vscodium
      • https://sxmo.org/ demo
      • Owncast demo with OBS integration and webhooks
      • Prav demo. The sign up process is just as easy as WhatsApp.
    • DebConf BoF
      • DebConf24 is in Haifa, Israel. City overview. Technion university could be the venue, still in talks.
      • Bids
        • Portugal
        • Heidelberg, Germany
        • Japan
        • Busan, South Korea
        • Cluj, Romania