Earlier this month, I attended 2018 conference in Bengaluru, KA, India. It was sort of culmination of a cohesive team play that began for me at DevConf.czΒ 2018 in Brno, CZ. I say sort of because the team is already gearingΒ  up for 2019. πŸ™‚ In Brno, while conversing withΒ Chris Ward, he asked me if I knew when was happening in summer and if we could announce the dates?Β had announced dates and opened their CFP. I had not a slightest clue about happening, let alone making an announcement. From experience of organising FUDCon, my first reaction was, in summer(ie. May)? NO! Three months is way short time for organisers to go from opening CFP to hosting an international conference. I started talking to other delegates who had come from India to see if they knew anything and finally pinged Rupali. She confirmed it was to be in Aug 2018, not May.

DevConf, Developer’s Conference, offers a platform for open source and free software developers and contributors to come together, share ideas and plan future course of development of upstream projects.

Once back from, organising team started taking shape, quite dispersed, majority were new faces(to me) and a few were old friends. We quickly swung into action; Some reached out to potential venues and some began discussions about CFP process and various tracks for the conference. Few others helped to set-up infrastructure like conference website, setting up recurring status meetings along with various communication channels like mailing list and Telegram groups.Β  It is important to note, when the team is spread across multiple cities and 1000 km away from one another, communication becomes the bedrock of your efforts; It is the strongest glue that holds the team together. Actually communication is key even if team is in the same office and on the same floor. More often we see two people sit across from each-other,Β  but fail to connect as they fail to communicate. Better the communication, better the connection.

Soon the dates & venue was finalised, tracks were decided and CFP was announced. As the talk proposals started pouring in, track captains were selected to curate the content for each track. I became captain for the Security track and was also assigned responsibility to scout for the keynote speakers. I went through my list of usual suspects for the keynote speaker and sent out emails to them. My list includes Linus Torvalds, Greg Kroah-Hartman, Jonathan Corbet(LWN), Jon Masters, Rick Wheeler, Sarah Sharp, Kees Cook et. al. Apart from their tall stature in the community, I think they are all excellent speakers. And local community here would certainly benefit from meeting and interacting with them. There’s also a personal motive of me wanting to meet them. πŸ˜‰ Similarly others had their own wish list of keynote speakers. It is a time consuming task. Not so much in terms of work, but the whole process of reaching out and confirming their availability takes long. You can not send invites to all at the same time, you’ve to do it in batches. There is always a risk of speakers not responding in time and/or many of them saying yes, which would be tricky, because you don’t want to say no to anyone. Also, at times for various reasons, speakers have preferences for a keynote slot, which adds to the complexity. In short, the sooner you start this process, the better it is.

As days progressed and attendee registrations swelled, there came usual hysteria around logistics. It includes chasing speakers to book tickets, apply for visa & invitation letters in case of international speakers, their hotel accommodation, checking arrangements at the venue, Wi-Fi and audio-visual set-up, registration process, managing on ground volunteers, etc. thousand different things crop up simultaneously. But the respective captains handled it all with grace,Β big kudos to them all! Meanwhile, I got occupied with preparing swag for the Fedora booth at the venue. We made Fedora stickers, pens and some sipper bottles. Sadly I couldn’t spend much time at the booth and interact with the audience. As on the first day I did a session on “Introduction to SystemTap” and on the second day, I was at the Security track which had quite an interesting lineup of talks and discussion.

  • BlueBorne: Beware of Bluetooth!
  • Security Compliance with OpenSCAP
  • Certificate Generation & Checks
  • SSH with short lived keys
  • The dark side of internet of things
  • Understanding Hardware Vulnerabilities
Looking back, I see a few areas wherein we need to improve processes, ex. to make session videos and slides available without delays, etc. Overall I enjoyed being part of the organising team and happy that I could contribute despite being placed remotely. Team
I’d love to hear about your experience and/or any inputs you may have. Thank you. πŸ™‚

Fedora APAC budget FAD

Hello, Last week I attended the Fedora APAC budget planning FAD for FY’18. Ie. planning for Fedora activities that we expect to conduct between Mar 2017 – Feb 2018 and requisite budget for the same. Last year with reforms, we adopted a new approach to regional budget planning with an aim to increase transparency […]

FAD Singapore 2015

Hello, Last weekend I participated in the FAD Singapore 2015. Apart from the annual review of the last year’s expenses and budget planning for the coming year, the most important agenda for this meeting was – To develop a strategy for the Fedora community growth across APAC region. Fedora Ambassadors came from various countries(Singapore, India, […]

GNU Pem: an amazing tool

Dear PEM developer,

First of all, thank you for this amazing tool!
I use it every day for my personal income/expense tracking, and it is
really easy to use. I really like it: a simple tool for a simple task.

Thank you again for this amazing tool!

I received this yesterday via GNU Pem mailing list. It is always encouraging to receive acknowledgement for your work; But it is truly inspiring when they go all the way to learn a new language(Perl), just to write a patch for your program.

Thank you so much Matthieu! I appreciate it!!

GNU Pem is a handy tool to help you keep track of your personal income and expenses. It is portable across all platforms GNU Linux, MS Windows, Apple OS X, FreeBSD, you name it. On Fedora it’s

        # dnf install pem

Give it a try if you want to know your monthly expenses. πŸ™‚

FUDCon APAC 2015 – a Memoir


This post has been long overdue. In fact a post here has been long overdue. Much has happened since the last time I wrote here. There are new DNS patches to be merged, the Docker & DNSSEC resolver interconnect, kernel & Qemu issues I’ve been analysing, Fedora Security Team(FST), huh..each would need a separate post. Anyway, it’s good to be back here.

It was this time last year that we began to have lunch table discussions about hosting FUDCon in India. The last time we did was in 2011. A lot had changed since 2011; Old-timers had moved on, new ones had joined hands, many of them with a distant view of the open source, Fedora and FUDCon. But what was still same was the excitement to participate and to host FUDCon. What started as a fond activity for me, had quite a thrilling climax wherein I ended up calling the India’s Ambassador to China in Beijing. πŸ™‚

We began with scouting for a venue, as the bidding process required us to have confirmed venue & budget arrangements in place. Though FUDCon is a get-together for Fedora contributors, we wanted local community to benefit from this gathering. So a college or university campus was our preferred choice for the venue. All of the campuses we visited were more than welcoming; In fact they wanted us to setup ongoing programs for their students and teachers alike. My observation is, people are convinced of the power of Open Source principles and methodology, but they have no idea about how to participate and take advantage of it. After much deliberations we settled on the MIT College of Engineering for our venue and the bid was proposed.

Shortly after the bid was accepted, I left the city of Pune – the ground zero of FUDCon APAC 2015. And thus began the spell of weekly calls, meetings and updates. As soon as the bid was accepted, we sent out a call for volunteers. We broadly defined the tasks(travel, talks selection & scheduling, marketing, video recording, catering, FUDPub et. al.) and volunteers assumed their responsibilities. I picked to help the delegates with their travel requirements, amongst various other things. When I moved out, I half expected to have diminishing responsibilities towards FUDCon. But in retrospect, it’s intriguing how actively I was involved. I think the first step towards active participation in open source communities is to connect, to join the call, say hello and listen. In my case it was conference calls, but one could just as easily connect over email/IRC/twitter/hangout, either means of communication.

Through these weekly calls and meetings we assessed overall progress on each task, discussed and devised alternative solutions for issues, listened to individual inputs, argued and fought over it, pulled each-other’s legs and had fun all the way. Of course a huge team of volunteers were working relentlessly on ground zero to ensure that all the needed pieces(banners, recording gear, transport, accommodation, vendor billing,…) are put together at the right time. Before I knew, five months had passed and I was on my way to attend ‘FUDCon APAC 2015’. πŸ™‚ Excited to meet old friends, colleagues, and everybody that I’d been communicating with for the past few months. Meanwhile it had almost slipped my mind that I was to present a talk about – Local DNSSEC resolver: F23 Feature.

At FUDCon surroundings were brimming with a familiar energy. It started right at the hotel as delegates arrived from around the world. The peculiar excitement in the hotel lobby when delegates bump into each other is uniquely rewarding. On day one, I was to attend the registration desk and distribute swags. After the first half of doing that, I moved about different sessions catching glimpses at each. Day two was little easier, there was no mad rush of day one. I hitched a ride with a friend to the venue, found a corner in the speaker’s lounge and resorted to prepare for my talk. As the day concluded, it was time for the super electric FUDPub. πŸ™‚ Day three was of workshops, I jumped through couple of sessions and talks and was back again at the front desk to work with the volunteers as they were preparing to wrap-up. Three days went by so fast, before I knew, it was time for the concluding keynote and the vote of thanks. As the delegates bid their good byes, they made plans to catch-up again at the next conference. πŸ™‚

FUDCon APAC 2015 album:

Going to FUDCon APAC 2015

It’s less than 72 hours to go for the much awaited FUDCon APAC 2015 kick off. International delegates are boarding flights as we speak, while others are packing bags and preparing for the take off. The organising team on ground zero is running full throttle and leaving no stones unturned to ensure smooth sailing. πŸ™‚

I’m packing my bags and gearing up for my talk “Introduction to DNSSEC – F22 feature“. Do drop in and join the conversation.

See you there…!!! πŸ™‚

Report – FAD 1 Nov 2014 – theme security


Last weekend I participated in a Fedora Activity Day(FAD) aimed at introducing participants to the Fedora Security Team, its mission and activities. This post is a retrospective review of the day and lessons learned.

Day began with me introducing the participants to the Fedora Security Team, the current security features offered by Fedora and why we need to do much more to make sure that Fedora users are secure by default.

    See ->

This introductory talk was followed by triaging of open security bugs; There are more than 500 of them. Security bugs are marked by Keywords: Security. It means the said bug might have security implications and could facilitate unauthorised/undue access to users. I started triaging with the oldest bugs to figure out why were they open. This in turn leads us to see possible lapses which allow such bugs to remain unattended for longer than they should be.

Why do security bugs stay open and unattended…?

  • Appropriate fixes are unavailable, ie. patches do not exist at all. BZ#864897
  • Appropriate fixes are available, but the maintainer does not know. BZ#782620, BZ#851773, BZ#887451
  • Appropriate fixes are available, but the package is due its retirement, thus ignored BZ#838162. The package is _not_ retired.

These bugs were unattended for more than 2 years and have severe implications like Man in The Middle (MiTM) attack, Arbitrary Code Execution(ACE) and Denial of Service(DoS).

How do we address these lapses…?

The 2’nd and 3’rd case above, wherein the due patches are available, I think we can address them by hounding the maintainers with periodic ‘[NEEDINFO]’ pings till the time they push an update. It won’t be as easy as it sounds, but is an option nonetheless.

It is the 1st case, wherein the due patches are not available, that intrigues and interests me more. So, why aren’t these patches made available? One of the comment BZ#864897#c12 says the fix requires a functionality from OpenSSL 1.1 to be back ported to currently used versions – OpenSSL 1.0.1i. I opened a bug against OpenSSL BZ#1160172, but it was closed(deferred) saying it is not likely to happen any time soon. So the only option is for application to do the TLS certificate validation by itself, which the package maintainer is unable to do. This leads me to an another _grave_ concern that has been cropping up in recent times ie. – dwindling contributor base for some of the widely used & deployed FOSS projects.

This was discussed at Linuxcon last year or the year before; As the average age of subsystem maintainers is rising towards late 30s. At this stage they are likely to be occupied with families and other things in life and hence are unable to spend as much time on their projects. Siddhesh recently mentioned that becoming a parent could drop your productive time by as much as 30%. In yet another conversation I heard this applies to OpenSSL too. Upstream OpenSSL maintainers are well in their 40s and are a close-knit group, which is not welcoming enough to the new entrants(reminds me of Mr drepper and glibc few years ago).

It is high time that we(Fedora) start taking measures towards grooming new contributors and package maintainers. In corporate parlance it is known as succession planning. It should be done by each individual project leader. As for the bugs and tasks that I come across, I have started posting them to the dgplug students list

    See ->

It has a lesser hit ratio, but I hope it improves going forward. If not, we’ll keep dousing the same fire again and again.

    See -> Cybersecurity experts discover lapses in Heartbleed bug fix.

Fedora Activity Day – 1 Nov 2014 – theme Security


    See ->

On 1’st Nov 2014, we plan to host a Fedora Activity Day(FAD) focused at assessing the state of Security in Fedora distribution. The day would start with a brief introduction to Fedora security and progress towards collective security bug triage and other activities. If you are in Pune(India) or plan to be here on 1st Nov, please feel free to drop in and join the action. Note:- we have limited capacity(=~25) for participants, please do register on the wiki page above.

Not too long ago, the Fedora Security Team came to be with the sole intention to improve the state of security in Fedora distribution. Primary goal was to help triage the security bugs and spread awareness.

    See ->

But in the light of the recent upheavals caused by the deadly and the viral security dynamite of the Heartbleed, the Shellshock, and the POODLE[1] flaws, it is only logical to brace ourselves and work towards greater efforts to make Fedora _secure_ by default. Many distributions have taken focused efforts towards this end for decades now,

    Ex ->

Idea is to increase the number of eye balls looking at the Fedora security so that the flaws become shallow. And your poodle’s hearts are saved from bleeding caused by the shocks that are still hidden in the future.

Hope to see you there. πŸ™‚


Tools update


Recently I pushed these packages to various Fedora repositories. Some of them were not in EPEL, some were missing from EPEL-7, one was not built since long time.

  • GNU Pem:- GNU Personal Expenses Manager
  • Is an extremely simple, yet powerful tool to help you track your income and expenses for next 100 years.

  • LZ4:- Extremely fast compression algorithm
  • Is a widely used fast compression algorithm providing compression speed at 400 MB/s per core and is scalable with multi-cores CPU.

  • PDFCrack:- PDF password recovery tool
  • Is a lightweight tool to recover password and content from PDF files. It comes with no dependencies.

  • Ptrash:- move file(s) to ~/.trash directory
  • Is a handy and competent replacement for ‘rm(1)’ command. I wrote it after accidentally deleting few important files.

  • Python-Unidecode:- ASCII transliterations of Unicode text
  • Is a simple Python module used to transliterate Unicode characters to their ASCII representation.

  • Whereami:- display work location
  • Is a handy tool to know your current work location like host name, working directory, IP address etc.

Please let me know if you face any difficulties. Hope you find them useful. πŸ™‚