The roads I take...
21 February 2017
The video from the talk is now online at the details page of the talk (including downloadable versions if you want them), my slides are available as well.
The gist of it is that I found out that using a standard authentication protocol in my website/CMS systems instead of storing passwords with the websites is a good idea, but I also didn't want to report who is logging into which website at what point to a third party that I don't completely trust privacy-wise (like Facebook or Google). My way to deal with that was to operate my own OAuth2 login server, preferably with open code that I can understand myself.
As the language I know best is PHP (and I can write pretty clean and good quality code in that language), I looked for existing solutions there but couldn't find a finished one that I could just install, adapt branding-wise and operate.
I found a good library for OAuth2 (and by extension OpenID Connect) in oauth2-server-php, but the management of actual login processes and creating the various endpoints that call the library still had to be added, and so I set out to do just that. For storing passwords, I investigated what solutions would be good and in the end settled for using PHP's builtin password_hash function including its auto-upgrade-on-login functionality; right now that means using bcrypt (which is decent but not fully ideal), and with PHP 7.2, it will move to Argon2 (which is probably the best available option right now). In addition, I wrote some code to add an on-disk random value to the passwords so that hacking the database alone will be insufficient for an offline brute-force attack on the hashes. In general, I tried to use a lot of advice from Mozilla's secure coding guidelines for websites, and also made sure my server passes with an A+ score on Mozilla Observatory as well as SSL Labs. I put the changes needed for that into the code as much as possible, and added example server configurations to the repository otherwise, so that other installations can profit from this as well.
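The password storage scheme described above, written out as an added example (this is not code from the authserver project): a pepper read from a file outside the database, combined with the password via HMAC before it goes into password_hash, and password_needs_rehash at login so older hashes get upgraded transparently. The pepper file path, the HMAC construction and the bcrypt cost are assumptions for this example. One caveat worth knowing: PASSWORD_DEFAULT has stayed bcrypt in PHP 7.2 and later; Argon2 has to be selected explicitly with PASSWORD_ARGON2I (PHP 7.2) or PASSWORD_ARGON2ID (PHP 7.3+), and needs a PHP build with Argon2 support, so the auto-upgrade only moves to Argon2 when HASH_ALGO and HASH_OPTIONS below are changed accordingly.

```php
<?php
// Added example, not authserver's own code: peppered password_hash storage
// with rehash-on-login. PEPPER_FILE, the HMAC pre-hash and the cost value are
// assumptions made for this example.
declare(strict_types=1);

const PEPPER_FILE  = '/etc/authserver/pepper.key';  // assumed path; outside the web root, not in the DB
const HASH_ALGO    = PASSWORD_DEFAULT;              // bcrypt in PHP 5.5 through 8.x
const HASH_OPTIONS = ['cost' => 12];                // bcrypt work factor; tune to ~100 ms on your hardware

// Load the on-disk random value; create it from 32 CSPRNG bytes on first use.
function load_pepper(): string
{
    if (!file_exists(PEPPER_FILE)) {
        $pepper = random_bytes(32);
        if (file_put_contents(PEPPER_FILE, $pepper, LOCK_EX) === false || !chmod(PEPPER_FILE, 0400)) {
            throw new RuntimeException('Cannot create pepper file ' . PEPPER_FILE);
        }
        return $pepper;
    }
    $pepper = file_get_contents(PEPPER_FILE);
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('Pepper file missing or too short');
    }
    return $pepper;
}

// Pre-hash the password with the pepper. The hex HMAC is always 64 ASCII
// characters with no NUL bytes, so it stays under bcrypt's 72-byte input limit
// for any password length, and a dump of the database alone lacks the pepper
// needed to run an offline guessing attack against the stored hashes.
function peppered(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

function hash_password(string $password, string $pepper): string
{
    return password_hash(peppered($password, $pepper), HASH_ALGO, HASH_OPTIONS);
}

// Verify at login. On success, $new_hash receives a replacement hash the caller
// must store if the stored one uses an older algorithm or weaker options
// (auto-upgrade-on-login), or null if the stored hash is still current.
function verify_password(string $password, string $stored_hash, string $pepper, ?string &$new_hash): bool
{
    $new_hash = null;
    if (!password_verify(peppered($password, $pepper), $stored_hash)) {
        return false;
    }
    if (password_needs_rehash($stored_hash, HASH_ALGO, HASH_OPTIONS)) {
        $new_hash = hash_password($password, $pepper);
    }
    return true;
}

// Usage sketch with a constructed in-memory pepper (replace with load_pepper()
// in a real deployment) and a sample password.
$pepper = random_bytes(32);
$pw     = 'correct horse battery staple';

$stored = hash_password($pw, $pepper);
var_dump(verify_password($pw, $stored, $pepper, $upgrade));       // bool(true)
var_dump($upgrade);                                               // NULL: hash already uses current parameters
var_dump(verify_password('wrong password', $stored, $pepper, $u)); // bool(false)

// A legacy row hashed with a lower cost: login succeeds and yields an upgraded hash to store.
$legacy = password_hash(peppered($pw, $pepper), PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(verify_password($pw, $legacy, $pepper, $upgrade));       // bool(true)
var_dump($upgrade !== null && !password_needs_rehash($upgrade, HASH_ALGO, HASH_OPTIONS)); // bool(true)
```

Two things to check when deploying something like this: the pepper file must be readable only by the PHP worker user and excluded from backups that travel with the database dump (otherwise it buys nothing), and rotating the pepper invalidates every stored hash, so it is a one-time secret rather than something to rotate on a schedule.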
For sending emails and building up HTML as DOM documents, I'm using helper classes from my own php-utility-classes, and for some of the database access, esp. schema upgrades, I ended up including doctrine DBAL. Optionally, the code is there to monitor traffic via Piwik.
The code for all this is now available at https://github.com/KaiRo-at/authserver.
It should be relatively easy to install on a Linux system with Apache and MySQL - other web servers and databases should not be hard to add but are untested so far. The main README has some rudimentary documentation, but help is needed to improve on that. Also, all testing is done by trying logins with the two OAuth2 implementations I have done in my own projects, I need help in getting a real test suite set up for the system.
Right now, the system only supports the OAuth2 "Authorization Code" flow; it would be great to extend it to support OIDC as well, which oauth2-server-php can handle, but the support code for it needs to be written.
Branding can easily be adapted for the operator running the service via the skin support (my own branding on my installation builds on that as well), and right now US English and German are supported by the service but more can easily be added if someone contributes them.
And last but not least, it's all under the MPL2 license, which I hope makes it easy for people to contribute - hopefully including yourself!
23 December 2016
That talk is a followup on my earlier post on the login systems question, which I ended up solving by writing my own OAuth2 login server based on oauth2-server-php. While that library provides the actual functionality for OAuth2, I had to build a system around it that handles the actual registration and login and the API for retrieving an email address for the logged in user.
I would like to open up the code for that server to the public at FOSDEM!
For that, I need someone (hopefully multiple people) to review the code to be sane security-wise (an in-depth audit is probably not needed yet, but a review for sanity for sure), as I have it deployed myself and don't want the open code to be a risk for me, and I also want it to be fine for people to deploy it and have their own (small) websites depend on this system for login.
It's basically all PHP code, but it's not too much: the PHP files of the project itself are just about 900 lines long altogether. It uses the document and email classes from my php-utility-classes as well as oauth2-server-php and a bit of doctrine DBAL, but I don't think the latter two need any review for sanity. The JS is minimal and the CSS is no issue for security sanity.
I have one Mozillian who has volunteered and should look into the code soon, but I'd like to have two or three people to take a look, if possible.
If you can help, please let me know with a reply on this post (leave your email, as I'll contact you there), Telegram, Diaspora*, or email and tell me why/how you are qualified to review this code.
Thanks and Happy Holidays!
22 August 2014
That said, one major part of my recent vacation was the Star Trek Las Vegas Convention, which I attended for the second time, after last year's. Since back then, I have wanted to blog about some interesting parallels I found between that event (I can't compare it to other conventions, as I've never been to any of those) and some Free, Libre and Open Source Software (FLOSS) conferences I've been to, most notably FOSDEM, but also the larger Mozilla events.
Of course, there's the big events in the big rooms and the official schedule - on the conferences it's the keynotes and presentations of developers about what's new in their software, what they learned or where we should go, on the convention it's actors and other guests talking about their experiences, what's new in their lives, and entertaining the crowd - both with questions from the audience. Of course, the topics are wildly different. And there's booths at both, also quite a bit different, as it's autograph and sales booths on one side, and mainly info booths on the other, though there are geeky T-shirts sold at both types of events.
The largest parallels I found, though, are about the mass of people that are there:
For one thing, the "hallway track" of talking to and meeting other attendees is definitely a main attraction and a big piece of the life of the events on both "sides". Old friendships are revived, new ones found, and the somewhat geeky commonalities are celebrated and lead to tons of fun and involved conversations - not just the old fun bickering between vi and emacs or Kirk and Picard fans (or different desktop environments / different series and movies).
For the other, I learned that both types of events are in the end more about the "regular" attendees than the speakers, even if the latter end up being featured at both. Especially the recurring attendees go there because they want to meet and interact with all the other people going there, with the official schedule really being the icing on the cake. Not that it would be unimportant or unneeded, but it's not as much the main attraction as people on the outside, and possibly even the organizers, might think. Also, going there means that for a few days you do not have to hide your "geekiness" from your surroundings and can actively show and celebrate it. There's also some amount of a "do good" atmosphere in both those communities.
And both events, esp. the Trek and Mozilla ones, tend to have a very inclusive atmosphere of embracing everyone, no matter their physical appearance, gender or other social components. And actually, given how deeply that inclusive spirit has been anchored into the Star Trek productions by Gene Roddenberry himself, this might even run deeper in the fans there than it does in the FLOSS world. Notably, I saw many more women and people of color at the Star Trek conventions than I see at FLOSS conferences - my guess is that at least a third of the Trek fans in Las Vegas were female, for example. I guess we need some more role models in the style of Nichelle Nichols and others in the FLOSS scene.
All in all, there are a lot of similarities and still quite a few differences, with quite a twist on the alternate universe depicted in Mirror, Mirror and other episodes - here it's a different crowd with a similar spirit, and not the same people with different mindsets and behaviors.
As a very social person, I love attending and immersing myself in both types of events, and I somewhat wonder if and how we should have some more cross-pollination between those communities.
I for sure will be seen on more FLOSS and Mozilla events as well as more Star Trek conventions!
26 January 2010
So, to avoid having to explain it in detail to everyone out there, here is why:
Unfortunately, a good friend's 30th birthday party and the Super Bowl with "my" team (New Orleans Saints) playing in that game for the first time (I somehow felt all along that it would happen this time) are the two reasons I already told publicly, but there's more behind it:
At the time when I needed to make the call whether to go, I felt very tense and knew I needed to get less busy and more rested while still being more productive, and the conference unfortunately does not serve any of that. While meeting all those people and discussing things is surely a positive experience by itself, it usually doesn't make me more relaxed, and I already felt that with the reduced amount of invitations, the SeaMonkey crowd there would significantly decrease and I could get more work for us done when I'm not there.
I'm feeling better right now and can get some things done at the moment, but I still think the decision was for the best, even if it also has its downsides.
I hope there will be other possibilities to meet up with a number of Mozilla people this year (e.g. I heard rumors of another Summit and I'm sure there will be other events in Europe as well), so I hope things work out alright. And next year, I might make it to FOSDEM again as well.
29 April 2009
Originally, I only wanted to get a few photos up fast but that ended up taking me a few hours today, esp. in adding photo descriptions, and then some OpenStreetMap updates regarding the places I've been...
In any case, I finally found the time and made selections of photos of a number of travels and events to put online (I only post selections because I often have hundreds of photos of those travels and it can probably get rather boring to view them all - but then, it takes some time to select and put up photo descriptions).
As most of those events are somehow related to Mozilla, you might be interested in some parts of them, even though the parts about conferences are usually rather small; I tend to chat more there than take photos, after all. Though you might just like all the other pics as well...
Those galleries are newly available now:
- FOSDEM 2007, Brussels
- FOSDEM 2008, Brussels
- Canada/USA - July/August 2008
- MozCamp Barcelona 2008
- FOSDEM 2009, Brussels
- Lift09, Geneva
This list totals 337 photos, all with tags and descriptions.
(Even though this still misses MAOW Berlin 2009, from which I haven't made a selection yet, I hope I come around to that soon.)
10 February 2009
- Build System:
My patch for faster builds got approval and is now in 1.9.1 as well, I hope depend builds are really faster again now.
- Website Work:
I did some work to finally get the download pages on www.mozilla.org to redirect to the project list. This has been a long-running story and it's nice to see it finally resolved.
Most of the time this week was occupied with work for FOSDEM, be it creating the slides for my talk, or traveling to Brussels and actually attending the conference there - including its usual overloaded network.
- SeaMonkey L10n:
Argentinian Spanish could be added as the 23rd language to SeaMonkey trunk.
- Various Discussions:
Tabmail, session (re)store, feed preview, release schedules, FOSDEM, SeaMonkey vision, toolbar customization, Vista theming, etc.
The FOSDEM weekend went well despite the cold I caught right before traveling there, my talk wasn't too well-attended but probably that had to do with the fact that it was at 9am after a Mozilla dinner the night before. There weren't many reactions to the new SeaMonkey vision, which I count as a sign that it's basically what most people expect of us. I got to know a number of new people, met again with a number of folks I've met a few times already, had some fun and some very interesting talks about Mozilla, SeaMonkey and a few other things. I hope the results of those talks will be visible in some way, and I'm looking forward to the next FOSDEM!
7 February 2009
You know, this is just a free and open source developer meeting, not that anyone here would be dependent on the Internet, right?
15 December 2008
As an IRC talk mentioned looking for speakers for a possible Mozilla event in Berlin, I was reminded of my previous post on 2009 talks and figured I shouldn't only contact the travel agency for booking a flight and hotel for FOSDEM (which is early in February this time!), but also make my talk plans more concrete.
I just signed up on the FOSDEM 2009 session proposal with a talk title of "SeaMonkey 2 and the vision beyond", and I'm planning on not only presenting what SeaMonkey 2.0 has to offer, but also where the project is headed in the longer term; I hope to have a public version of the SeaMonkey vision by then.
For Linuxwochen in Vienna (April 2009), I'm planning to go more general and talk about something like "The Open Internet and Mozilla" or so (anyone having a better idea for the title?), presenting mainly what we understand as the open Internet, why it is important, what our goals are, what we are doing ourselves to move all this forward, and what others can do for the open Internet. This includes the Mozilla Manifesto and probably the 2010 goals in some way, as well as some small peeks at our products and some kind of challenge to the audience to be part of the movement. Maybe some ideas from the great Clay Shirky talk at the Web 2.0 Expo in April 2008 could help there as well.
This second talk is quite different from all I've ever done before, as it's not just about the work I've been in all the time, but I think I know all the topics quite well and it's what we really need to get out to the public, to those who are not yet in our community.
Any suggestions, tips, comments?
20 November 2008
Additionally, I have received a first call for papers (CfP) for the "Linuxwochen 2009" event here in Vienna, which will be in April. There's even more time for planning something there, the deadline for that CfP is in February, but I'm thinking hard about possibly giving a talk there this time, which would be my first time doing this at an event around here. The talk could be 45, 20, or 10 minutes, and I'm also wondering what the more general audience there would be most interested in. SeaMonkey 2 functionality? What the SeaMonkey project is? Organizing and coordinating a volunteer open source project? The Mozilla vision? The wonderful choice of different products from Mozilla? Mozilla-based software development?
What I'm pretty sure I won't be doing is Firefox tricks or such, I'll leave that to people using that browser in their daily lives - though it would be really nice to have someone from Mozilla at this event, as we've never been present at an Austrian event before.
Any ideas for those talks from you, dear blog/planet reader, would be highly appreciated!
22 April 2008
(Oh, and yes, I'm back from California, it was a great trip, with some talk about SeaMonkey and a good amount of vacation in between, I'm currently trying to work the backlog of those two weeks and get up to speed with what's going on. You'll hear more from me soon right here.)