Amarok Blog

Entries from December 2009

Tuesday, December 22. 2009

Happy Hackmas! Posted by Mark Kretschmann in markey at 08:19

Comments (14)
Trackbacks (0)

Happy Hackmas!

Nice holidays and a happy Hackmas to all of our users, developers, and basically to everyone else too

Cookie Image (TM), Made For The Upcoming Amarok 2.2.2 Release

PS:
There are two easter eggs hidden in this xmas blog article. If you can spot them, you deserve one extra "Happy Hackmas" from me

Thursday, December 10. 2009

The Malware Problem (and a solution) Posted by Mark Kretschmann in markey at 19:17

Comments (40)
Trackbacks (0)

The Malware Problem (and a solution)

Some of you might have heard about the Malware incident that recently has hit our friends from gnome-look.org. While some of you might chuckle about it because it hit the competition, there really is nothing to chuckle about, because the next target could easily be us. In fact someone might be uploading a Malware component at this very moment. Noone could tell until it's too late.

So, there have been some discussions about possible solutions for this issue. Some have proposed that we add a review process to all of this, so that anything that gets uploaded gets a security check from some KDE developers. That's a neat idea on paper. But only there. This couldn't possibly work out, for two reasons: 1) Manpower - We simply don't have enough of that. 2) Responsibility - Who wants to be responsible for letting Malware slip through your fingers? This can happen to anyone, and it would be pretty embarrassing. I certainly wouldn't want to be responsible for anything.

Back when we designed the scripting system for Amarok 2 (QtScript, in-process), Ian Monroe and I realized that there isn't really any way to make it secure on a technical level. Sandboxing, automatic malware detection, flying cars - all this works somehow in theory, but in reality it requires some Bruce Schneier to do it, which we don't have (there is only only one Schneier, I guess). So basically we realized that the system would be unsafe, and that we would have to live with it. Amarok is very vulnerable to Malware scripts, because scripts can access most of Amarok, and Qt, and whatnot. Any Joe Schmoe could hack up a two-liner script that deletes your $HOME. So we accepted that reality, and tried to think of some other methods for making it all safer. What we came up with is this:

Mandatory Version Control

Basically our idea was that all Amarok scripts (and the same could help with other download components) would have to be hosted in a public version control system (VCS). This system could for instance be SVN, simply because it's relatively easy to learn, and we could use a central server for it. These are the three advantages that we'd expect from the proposed system:

Malware. With a VCS, it's very easy to tell who inserted Malware, and when this person did this. This fact alone would provide some accountability, and I think it might prevent a good deal of attempts of messing around with the code. And even if it happened anyway, it would be trivial to revert the change, and we would just ban the person who did this from ever committing to this repository again. Another positive effect is the sheer number of developer eyes on this code, which could catch many issues before they become a problem. Currently we have this #kde-commits channel on IRC, and some developers are watching it (if only to kill some time). I think something similar could work with this system.

Abandonware. One of the major issues we had with Amarok 1.x scripts was the sheer amount of forks. Developer A created script A1, then developer B came along, forked the same thing (in other words, copied the code), enhanced it a bit, and released it as B1. This left us with a huge amount of varieties of the same script, and noone could really tell which version was maintained at all. With a VCS, developer B could simply take over maintainership of script A1, if for some reason developer A stopped maintaing it (which happens all the time).

Crapware. Learning the VCS means an extra hurdle for contributors. This can be seen both as a disadvantage, or as an advantage, depending on the point of view. That's because learning something like SVN is pretty simple, and yet it would prevent very unexperienced programmers (who are also missing motivation) from starting the project, in the first place. But it's easy enough that it probably wouldn't prevent someone from doing it who really is motivated, which is probably for the better. So it might just work out in reality.

As an addendum, I should say that this system could only work if we enforce it, making it mandatory for all scripts and any kind of program code that is reachable via GHNS. Making this system optional wouldn't solve anything, because then a Malware person could still merrily go ahead with his/her evil intentions.

To sum it up, I think that this approach could really help us, and all that's missing is a practical implementation. We would have to work together with the kde-apps.org people (mainly Frank Karlitschek), and the GHNS developers, and then set up an official VCS repository (maybe KDE SVN, maybe something else). I'd be interested in hearing your opinions about this proposal, so please leave a comment if you have an opinion on it

Tuesday, December 8. 2009

ColdStorage - A Backup Tool Using ... Posted by Mark Kretschmann in markey at 10:18

Comments (19)
Trackbacks (0)

ColdStorage - A Backup Tool Using Git At Its Core

Short article about a new project we started:

ColdStorage

What is ColdStorage? Well, basically it used to be a Vaporware project, started about two weeks ago, which is now no longer Vaporware. It started out with some of us KDE folks getting fed up with existing solutions for using Git as a backup tool (for backing up $HOME, etc). There are a number of existing projects that try to do the same, but I found none of them working, either not working at all, or not fully working.

So we thought, hey, let's give it a try by doing it ourselves. What we started with was a basic idea, a cool name, a Git repository, an IRC channel (#coldstorage on Freenode), two developers, and a bunch of code stubs. Thanks to Thomas Zander, we now actually have some code. Thomas managed to create some initial code for it basically on a Sunday evening.

Now, the project is still in very early stages, but in the FOSS spirit I wanted to announce it anyway, since my feeling is that the more people know about it, the more contributors we might attract, and the faster we can get it done. After all, what we want is a tool that just works, as quickly as possible.

Here's some more info about ColdStorage:

ColdStorage is a backup tool using Git at its core.

Written in C++, with QtCore.

GPL v3 licensed.

Multi-platform (in so far as Git is multi-platform, not sure how far the Windows support is).

Still in its very early stages of development, but the core functionality is there.

If you are interested in helping out, come join us sometime on IRC

Tuesday, December 8. 2009

spreading some Free Culture love Posted by Lydia Pintscher in Nightrose at 09:29

Comment (1)
Trackbacks (0)

spreading some Free Culture love

Thanks to Sven I stumbled upon a rather cute and very well done Free movie/musical called Sita Sings The Blues. Excellent (greatest?) love and break-up story with great music and cats. Watch it!

Please share links to other great Free (short-)movies in the comments.

(image by Nina Paley)

Monday, December 7. 2009

Let?s take it to the next level! Posted by Lydia Pintscher in Nightrose at 23:20

Comments (0)
Trackbacks (0)

Let?s take it to the next level!

2 weeks ago I asked people to help with getting our Junior Jobs list above 100. That worked out nicely. We’re at 140 right now and reached 148 at some point in the last week \o/ 200 in 2 weeks from now?

Keep adding Junior Jobs. As some people were unsure how to do it, here’s a screenshot:

Interested in getting involved in KDE by writing code? There are 140 bugs waiting for you

Sunday, December 6. 2009

Anecdotes (Or: Meeting Important People) Posted by Mark Kretschmann in markey at 05:37

Comment (1)
Trackbacks (0)

Anecdotes (Or: Meeting Important People)

Today I'd like to write about a topic that has interested me for a while, and at the same time tell an anecdote, about an event that I found fascinating. You might find it interesting, or not, but I guess some might like it.

To make a start, let's make a jump back in time, about one year ago. Back then, I had never met a real "VIP" in person. I had met a few "Internet-famous" people, among them Matthias Ettrich, and Alan Cox, but let's be honest here: While some of us FOSS people are well known in our Free Software circles, ask Joe Sixpack in a bar about them (or really just some guy in the non-FOSS IT area), chances are slim that they'll know them.

At this time I got an interesting offer for a software project, the nature of which is irrelevant to this story, so I won't disclose it. What I can disclose is that it had to do with Gibson Guitar Corporation, and I (along with two co-workers) was invited to a meeting in Berlin, for a presentation of the project, with the the boss himself, Henry Juszkiewicz (on this photo he was meeting Steve Wozniak). You may have never heard of Henry himself, but you sure have heard of Gibson, because it's basically a given that some of the artists you listen to are playing a Gibson guitar. Gibson is one of the biggest musical instrument manufacturers in the world, and if you like guitar music, you'll probably know that most guitarists either play a Fender, or a Gibson, or possibly both (many guitarists use multiple different guitars, depending on the thing they are writing).

Being a big music fan, I realized that I was about to meet the man who made the guitars played by Mike Oldfield, Pink Floyd, U2, you name it. I don't know about you, but this made me very excited (and nervous). I was wondering, how could such a person be in real life? Would he a be a chair-throwing tyrant like Ballmer, or arrogant and preachy, and would he talk to me at all (a lowly FOSS coder)? As it turned out, I didn't have to be nervous at all. Because the man is completely different from what I had expected.

What I met was a calm person, considerate, quiet, and very friendly. Henry knew all our names, he knew exactly what we did (he had used Amarok before), and he talked to us just like you would talk to any other person. It boggled my mind when the guy shook my hand, and said something like "Hey Mark, thank you for coming here! It's nice to meet a developer of Amarok, I really like this software." Bahm. Just like that. After a few seconds of disorientation, I started to talk to him, and realized that there was no need to be nervous at all. I wasn't talking to some VIP (although he is that), but to a normal guy, intelligent, witty and friendly.

Fast forwarding a bit in the meeting, I learned to know another side of Henry, no less fascinating: He was given a presentation of some audio gear, and evaluated the speakers. At the same table, there were three audio experts in speaker technology. Henry listened to the speakers for a few seconds, then went like: "Stop. Ok guys, these speakers here are... something. They aren't good though. What I want, is the best. Get me XY on the phone ASAP, he's the best guy for this job, I've worked with him before." Bahm. You should have seen the faces of the "experts" at the table. It's hard to describe the exact look, it was something like flabbergasted.

To sum it up, I've often found that really important people (not those who pretend to be) have the following qualities:

They are in that position for a reason.

They know exactly what they want.

They don't have to be arrogant, because that gets you nowhere. They prefer getting things done.

Hope you enjoyed this little anecdote