blog

Firefox[edit]

Firefox is our choice of web-browser here at Organic Design, and this article lists the extensions and configurations we like to include with it. Note that browsers are inherently risky by the fact that any site you may visit can contain malicious code, and you are also trusting all your installed extensions. For this reason it's a very good idea to install FireJail which gives you super easy sandboxing capability. See below for more detail.

Mumble[edit]

This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles. See Wiki workflow and Wikipedia:Stub for more details on this process. See all the stubs in Category:Stubs

Mumble is a VOIP system composed of a client package and a server package that provides channels for groups to do voice communications together. It's designed to work very clearly with very low latency and can also work in very low bandwidth conditions if necessary. I've installed this on our server so we have a means of doing voice chat together without needing Skype which is not private and has also degraded a lot in quality having very high latency and breaks up a lot.

Installation[edit]

Installation was very simple on Debian involving an installation of the mumble-server package on the server side and the mumble package on the client side (on Ubuntu you'll need to add-apt-repository ppa:mumble/release and update before installing the mumble package). The server required practically no configuration (I pointed it to our web-server SSL certificates and kept everything else as default), and the client required only minimal configuration to calibrate the microphone and bandwidth conditions and to add our server to the list of available connections.

See also[edit]

• Mumble wiki on Sourceforge

Bitmessage[edit]

Legacy: This article describes a concept that has been superseded in the course of ongoing development on the Organic Design wiki. Please do not develop this any further or base work on this concept, this is only useful for a historic record of work done. You may find a link to the currently used concept or function in this article, if not you can contact the author to find out what has taken the place of this legacy item.

Bitmessage is a peer-to-peer communications protocol based on the Bitcoin crypto-currency used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. If Bitmessage is completely new to you, you may wish to start by reading Setting up and using Bitmessage by CryptoJunky, or you could go straight to the whitepaper.

Installation[edit]

Installation is very simple on modern GNU/Linux based operating systems. You may need to install python-qt4 first, then simply git clone it as shown here. And create a desktop launcher for it as shown in our GNOME article.

Using Bitmessage from the command line[edit]

For use on servers or for testing local applications that use the Bitmessage via its API you can install the PyBitmessage-Daemon which can just be unpacked into the same location as PyBitmessage. When the PyBitmessage-Daemon/daemon.py script is run it will connect to the local Bitmessage service using the API use and password found in the key.dat file of the Bitmessage's configuration. Note that the key file is found by checking the home directory's .config/PyBitmessage location so if you run Bitmessage under an unprivileged user you'll need to use the sudo command to run the script first. Also for some reason they've used "python-2.7.x" in the shebang statement at the start of the script so you can't run the script directly, you need to call it via python2.7. For example if we're running as the unprivileged user bmuser we would run it as follows:

sudo -u bmuser python2.7 /home/bmuser/PyBitmessage-Daemon/daemon.py

You can then type the command apiTest to see if the connection to the local Bitmessage is working properly, and if so, do help to see a list of available commands you can issue.

Use your mail client as the UI with bmwrapper[edit]

Brilliant little script that sets up a basic POP3 and SMTP server on localhost to give Bitmessage an email interface for example that Thunderbird can connect to. This means the messages can be organised in a local folder structure or easily coped to your IMAP structure.

• First enable the Bitmessage API in your local keys.dat configuration file.
• Install the PyBitmessage-Daemon script into your home folder (I used git clone for easy update) and run it with python daemon.py.
• Install the bmwrapper into your home (I used git clone again)
• Set up an account on your mail client to localhost, POP3 on 12344 and SMTP on 12345 as shown here.
• Create a .desktop file that runs a launcher shell script
• Create your launcher script that runs another separate launch script for each of the three e.g.

#!/bin/sh
cd ~/PyBitmessage
./bm1.sh & ./bm2.sh & ./bm3.sh

• Create each of the three launchers one to run each of the scripts with python2.7, for example the first of mine is:

python2.7 ~/PyBitmessage/src/bitmessagemain.py

• Ensure all the launchers have executable permission. This complicated procedure is required because each one is a daemon that doesn't return and won't run in the background using the ampersand.
• You can check if they're running with netstat -nlp and check you have apps listening on 8442, 12344 and 12345, e.g.

tcp   0   0   127.0.0.1:12344   0.0.0.0:*   LISTEN   3575/python2.7  
tcp   0   0   127.0.0.1:12345   0.0.0.0:*   LISTEN   3575/python2.7  
tcp   0   0   127.0.0.1:8442    0.0.0.0:*   LISTEN   3577/python2.7  
tcp   0   0   0.0.0.0:8444      0.0.0.0:*   LISTEN   3577/python2.7

Bitmessage + Open Transactions[edit]

A very interesting thread started in BitcoinTalk here about joining Bitmessage with Open Transactions to produce a completely p2p anonymous transaction system far superior to Bitcoin or Ripple in terms of security, anonymity and the power of financial instruments it provides. See more on the Open Transactions article.

Bitmessage gateway[edit]

I've been finding Bitmessage difficult to run especially as our net connection can be very low bandwidth, so often I won't run it for days at a time and then miss out on messages. When I do run it I have to wait a long time before messages will arrive. So I've decided to run it on the server as a daemon (using these settings to start it automatically as a service), and then integrate it with Exim so that I can receive the messages in my usual inbox. This is quite secure because both sending and receiving is done over encrypted channel to our own server.

I've made a couple of Python scripts, bm-gateway/in.py and bm-gateway/out.py which utilise the functionality of bmwrapper on hosts that already have a running mail server and acts as a gateway between the local Bitmessage instance and the mail server without starting up an additional SMTP and POP server.

Incoming Bitmessage messages are now sent to a local email address, actually any email address would do, but if it's not local, then the security of using Bitmessage would be compromised. The email address that correspond to each Bitmessage address in the "addresses" section of the gateway configuration file in the form foo@bar.baz = BM-xxxxxxx. If an incoming Bitmessage's address does not match any of the email addresses then the first is used as a "catch all".

Outgoing messages are sent to a local user account that is configured to forward the messages to Bitmessage. The email address of this account is defined in the "settings" section of the configuration. For example using Exim a filter can be set up in the local user's .forward file that uses the pipe command to send the message to this script for forwarding to Bitmessage. This user account is also the user under which Bitmessage should be running, and all them (PyBitmessage, PyBitmessage-Daemon, bmwrapper and bm-gateway) should be located in this account's home directory.

Installation[edit]

First set up an unprivileged user account to run Bitmessage and all the scripts under. Install Bitmessage, Bitmessage-Daemon, bmwrapper and bm-gateway into this user's home directory. Ensure that daemon and API are enabled in your .config/PyBitmessage/keys.dat configuration file for Bitmessage. Set up a .config file in the bm-gateway directory containing a "settings" and a "addresses" section. The first section contains a "gateway" value with the email address of the user running the scripts, and the second section contains mappings of each of your email addresses to Bitmessage addresses, including the address of the account through which all outgoing messages will be sent, e.g.

[settings]
gateway = bitmessage@foo.com

[addresses]
bar@foo.com = BM-2D8WUhjPbRABrRdZqQeYZUAJdpvxDfjej4
baz@foo.com = BM-2D7F9ILxyeVXqrMsfyRcPZuhzhDXjMtkbQ

Set up an email account for this gateway user which will be the generic account through which all outgoing Bitmessage messages will sent, in the example configuration above, this email address is assumed to be "bitmessage@foo.com". You'll need to set up a way for the emails to be sent to the bm-gateway/out.py script instead of to standard delivery. For Exim this can be done by using a filter in a .forward file in the user's home directory that uses the pipe command. Here's an example filter which uses a condition to check that it's a Bitmessage recipient incase the user also has normal mail delivered too.

# Exim filter
if
   $header_to matches "^BM-"
then
   pipe "$home/bm-gateway/out.py"
endif

The bm-gateway/in.py script will need to be called on a regular basis to check for new incoming Bitmessage messages and forward them to the appropriate local email account. You can add something similar to the following to your crontab to achieve this:

*/5 * * * * bitmessage /home/bitmessage/bm-gateway/in.py > /dev/null

Usage[edit]

Nothing needs to be done to receive or reply to messages, they just arrive in the inbox and can be replied to in to in the normal way. Sending messages to Bitmessage addresses that isn't a reply is done by using the following format for the To field:

BM-2D7F9ILxyeABCD1234xyzfPZuhzhD <bitmessage&#64;foo.com>

where the name portion is the recipient Bitmessage address, and the email address portion is the address of the account that was set up to receive all the messages for the gateway to forward to Bitmessage - in our example above, bitmessage@foo.com

Note that users on the same gateway cannot sent messages to each other via the Bitmessage network, because Bitmessage doesn't allow a user to send to one of their own addresses, and in the case of the gateway, all the local user's addresses are on the same Bitmessage instance. If this is attempted, the script will raise an exception, and in the case of Exim the message and the exception details will be returned to the sender.

See also[edit]

• Bitmessage home page
• Namecoin and Bitmessage project proposal - using Namecoin to make Bitmessage addresses human-readable
• Bitmessage merges with Namecoin
• Bitcoin
• Bitgroup
• Privacy
• Peer-to-peer

Debian[edit]

In June 2013 we decided to change from Ubuntu to Debian for our workstations as well since Ubuntu is increasingly becoming the "microsoft of the free software world" with pay software and services at every corner and compulsory spyware riddled throughout system, see Debian legacy issues for notes about various issues and solutions encountered back then. But then in early 2014 we changed to Linux Mint for our workstation machines, mainly due to the fact that they're very up to date with their choice of Linux kernel version which allowed me to use my touch-screen on my Samsung ATIV Smart PC Pro (XE700T1C) and fixed a long-standing bug on Beth's Lenovo Ideapad S10-3 which prevented it from resuming from standby. As of mid 2019 we've moved back to Debian again because Mint's Cinnamon desktop is stuck on an insecure path through its dependence on Xorg whereas most desktop managers are now moving to the more secure and slim Wayland display server. With the recent release of Debian 10, I decided to move back and give it a try!

Gnome3 extensions and addons[edit]

• install the gnome icon color packages via apt
• install the following Gnome extensions:
  • Dash to Panel - makes a proper panel with favourite and loaded apps
  • Gno Menu - adds a good menu to the panel
  • KStatusNotifierItem/AppIndicator Support - adds the familar background app status icons to the panel
  • Remove Dropdown Arrows - removes ugly dropdown menu arrows from the panel
  • Status Horizonal Spacing - removes excessive spacing between icons in the panel
  • Screenshot Tool - adds screenshot tool to panel
• gTile - a good window tiling extension
• use the Tweaks utility to change icon colours, add an applications menu and window buttons and configure extensions, remove extensions here.

Keyboard shortcuts[edit]

I like to add some keyboard shortcuts for simple window management. The gTile extension is required and must be set to simple 2x2 grid. This will allow the super with left or right keys to move the currently focused window to occupy the left or right half of the screen, and then using super with up or down will move it to the top of bottom half vertically.

• View split on left: Super+Left
• View split on right: Super+Right
• Global move window up (in gTile prefs): Super+Up
• Global move window down (in gTile prefs): Super+Down
• Move window one monitor to the left: Shift+Super+Left
• Move window one monitor to the right: Shift+Super+Right

Packages[edit]

apt install python3-pip gnupg2 git openvpn network-manager-openvpn network-manager-openvpn-gnome flatpak gnome-software-plugin-flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
pip install youtube-dl

Issues & gotchas I've had before[edit]

• root's default paths are missing, so either add e.g. export PATH=$PATH:/usr/sbin to root's .bashrc, or /usr/sbin/usermod -a -G sudo user and use sudo instead of su
• I need to restart and enter my drive-unlock password twice for every damn update! Don't know if this is Debian or Gnome3, but it's discussed here and here. GNOME software comes with Software & Updates. Software & Updates can be removed and replaced with GNOME Package Updater.
• Gnome3 has changed the touchpad default behaviour, now to do a right-click you tap with two fingers, you can revert to the old area-based behaviour using Tweaks
• My internal Atheros bluetooth device suddenly disappeared, it came back after I enable non-free contribs in the software manager and then installed firmware-atheros
• Possible missing firmware /lib/firmware/i915

See also[edit]

• Debian legacy issues
• Install a new desktop - our procedure for what to install and configure on a local workstation after the bare OS is installed
• Gnome page on Debian wiki
• Etch release delayed by financial arguments
• Tails - Debian with onion, takeaway style!
• Permissions problems mounting NTFS devices
• ZDnet on Debian Buster
• Top 20 Gnome extensions

Linux kernel[edit]

The name "Linux" comes from the Linux kernel, originally written in 1991 by Linus Torvalds. The system's utilities and libraries usually come from the GNU Operating System, announced in 1983 by Richard Stallman. The GNU contribution is the basis for the alternative (and more correct) name GNU/Linux.

At Organic Design, we use two different GNU/Linux distributions, Debian on our servers and Ubuntu on our workstations.

See also[edit]

• Linux kernel home page
• Excellent article on why people use Linux

GNewSense[edit]

Free software is software that respects your freedom. You can use it without restrictive licenses, make copies for your friends, school or business. To use free software is to make a political and ethical choice asserting your rights to learn and to share what you learn with others. It is built by people across the globe who work together as a community and sponsored by the Free software foundation (FSF).

We've decided to test out if gNewSense is going to work well on our laptops as a replacement for Ubuntu after the made the awful decision to begin disrespecting their user's freedom and rights by including spyware and corporate DRM software in their distribution.

See also[edit]

• Install a new desktop - post installation checklist
• Linux migration checklist
• GNOMEWarning: Display title "blog" overrides earlier display title "Libre software (blog)".

MariaDB[edit]

It's fair to say that MySQL creator Michael "Monty" Widenius is not a fan of Oracle. When the company announced in April 2009 that it was purchasing Sun, Widenius saw a bleak future ahead for the (still) wildly popular open source database, which Sun had snapped up in 2008.

The day the Sun purchase was announced, Widenius responded in the tried and true open source fashion — he forked MySQL, launching MariaDB, and took a swathe of MySQL developers with him.

By Widenius' estimates there are now 1 million MariaDB installations, and the decision by RedHat's Fedora and SUSE's Open SUSE Linux distributions to include the newer database by default will bring this install base close to 10 million by the end of the year. Slackware announced on 23 March that it was ditching MySQL in favour of MariaDB.

	Many of the original MySQL core developers, including me, didn't believe that Oracle would be a good owner of MySQL and we wanted to ensure that the MySQL code base would be free forever
	— Michael "Monty" Widenius

Organic Design move to MariaDB[edit]

We moved to MariaDB on 4 April 2013 when we upgraded to the new German server. Our 2GB of MySQL 5.1 database export imported into Maria without a hitch and has been running smoothly for a couple of weeks at the time of writing this.

Note: you should now you php5-mysqlnd instead of the usual php5-mysql package since the latter uses the old Oracle license and is hard-coded for older MySQL headers which can produce warning messages in some cases.

Documentation[edit]

• Server system variables

See also[edit]

• Interview with "Monty" about the creation of MariaDB
• Oracle's nemesis MariaDB releases sleekest seal yet to beta
• MySQL
• HeidiSQL - see and edit data and structures from MariaDB, MySQL, Microsoft SQL or PostgreSQL databases
• Adminer - web based database management in a single PHP file

Nginx[edit]

Nginx uses an asynchronous event-driven approach to handling requests, instead of the Apache model that defaults to a threaded or process-oriented approach. Nginx's event-driven approach can provide more predictable performance under high loads.

Another reason we're moving over to Nginx is due to the recent interest in Perfect forward secrecy (PFS) coming from articles such as this. PFS is an obscure feature of SSL/TLS and requires at least OpenSSL version 1 and Apache version 2.3.3, but Nginx has supported it for quite some time now.

	Apache is like Microsoft Word, it has a million options but you only need six. Nginx does those six things, and it does five of them 50 times faster than Apache.
	— Chris Lea

Installation[edit]

All our local installation documentation is in the install a new server procedure. The selecting a good set of ciphers section covers more detail about the perfect forward secrecy issues and installation. Note that the cgi.fix_pathinfo directive which used to be a critical security patch for Nginx has been redundant since about PHP version 5.3.

Our URL rewriting rules[edit]

The OD server uses a rather complicated URL-rewriting system that allows all the wikis under all domains to run from a singe "catch-all" server block - or actually two, one for plain and one for SSL. This was quite difficult to replicate on Nginx such that it could work in exactly the same way and thereby be "web server agnostic".

The catch-all wiki rewrite rules apply if no other domain-based patterns have matched such as requests with an svn or webmail sub-domain prefix. Our configuration is rather "if" heavy which is strongly discouraged by Nginx gurus, but they're ok as long as they're not inside location context or contain only rewrite last directives or other non-content-handling operations such as set. Our ones here that are inside location context contain only set directives which should be safe. See this article for more detail about how the "if" directive works and why it can be so tricky to use in practice.

This first block sets variable called $wiki which will be used by other following conditions and location blocks (note that even if the .php block is included prior to these settings in the file, they are actually evaluated after them as these blocks are all outside of location scope. $wiki is the directory in which the wiki's file structure resides, i.e. one of the symlinks in /var/www/domains which are named to match the domain of the request. It is used in the following rules in the main scope and also by the nginx.php.conf include for setting the fastcgi_params. Note that this condition always applies and sets $wiki.

if ($host ~* ^(www\.|wiki\.)?(.+)$) {
     set $wiki /$2;
}

Then our first rewrite rule matches the root request with no path or file specified which gets rewritten to the wiki Main Page.

rewrite ^/$ $wiki/wiki/index.php?title=Main_Page&redirect=no last;

Next we need to check if the request is for an image thumbnail with dynamic sizing and if so, route the requests to the thumb.php script. This is simpler than on Apache because Nginx doesn't have the ampersand bug that requires an extra rule for dealing with thumbnails for filenames containing the ampersand symbol.

rewrite ^/files/thumb/./../(.+?)/(\d+)px- $wiki/wiki/thumb.php?w=$2&f=$1 last;

Otherwise if the uri points to an existing file we use that, or as an overall default we treat the request as a friendly URL by rewriting to the script with the URI in the title query-string item. (we used to use the PATH_INFO form, but this fails for article that end in .php).

try_files $wiki$uri $wiki$uri $wiki/wiki/index.php$request_uri;

Stand-alone and local wikis[edit]

For wikis that have their own code-base directory instead of using the shared code-bases of the wiki farm can use a block similar to the following example to do their friendly URL's.

server {
    listen 80;
    server_name foo.bar;
    include /var/www/conf/nginx.php.conf;
    root /var/www/foo
    rewrite ^/$ /wiki/index.php?title=Main_Page&redirect=no last;
    rewrite ^/wiki/images/thumb/./../(.+?)/(\d+)px- /wiki/thumb.php?w=$2&f=$1 last;
    try_files $uri $uri /wiki/index.php$request_uri;
}

Block processing order[edit]

• try_files only does a redirect for the last parameter so others cannot be *.php as the php location won't be processed
• Only one location block will match and be processed
• The first exact match (using =) will return immediately
• Next strings will be matched, the most specific match being chosen
• Then regex matches will be chosen the first match overriding any string matches (strings can use ^~ to block the regex tests after a match)
• Rewrites at server level are evaluated before the location directives are evaluated
• Rewrites within location blocks are then evaluated
• If rewrites within a location block change the URI, then the location directives are evaluated again

See also[edit]

• 1 July 2013 - our move over to Nginx
• SSL - setting up SSL on Nginx, including generating a self-signed certificate and enabling perfect-forward-secrecy
• Enabling math markup#Nginx - there can be some difficulty getting math to render, a workable solution is here
• Nginx best practices
• Nginx pitfalls
• Configuring Nginx HTTPS servers
• More Nginx SSL advice
• Directive index
• Nginx variables
• The "location" directive
• Conditions and their operators
• Nginx rewrite module
• Nginx's "if" directive explained in detail
• StartSSL & Nginx
• Dealing with 400 Bad Request errors
• About 502 Bad Gateway errors
• How to set up PFS for Nginx
• Russian Police Raided NGINX Moscow Office, Detained Co-Founders

Byzantium[edit]

See also[edit]

• Mesh
• Project Byzantium
• ad-hoc wireless
• mesh network
• Platform
• Project 2.0

Video[edit]

• Project Byzantium: Zero To Ad-Hoc Mesh Network In 60 Seconds

Fossil[edit]

This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles. See Wiki workflow and Wikipedia:Stub for more details on this process. See all the stubs in Category:Stubs

Migrating a repository from Subversion to Fossil[edit]

Fossil is able to import and export from Git so first we migrate our subversion repository to Git.

svn2git is a tiny utility for migrating projects from Subversion to Git while keeping the trunk, branches and tags where they should be. It uses git-svn to clone an svn repository and does some clean-up to make sure branches and tags are imported in a meaningful way, and that the code checked into master ends up being what's currently in your svn trunk rather than whichever svn branch your last commit was in.

First we install svn2git as follows:

apt-get install git-core git-svn ruby rubygems

gem install svn2git

Next migrate the repos - ours at OD are not standard layout as they have no trunk, branches, or tags at the root level of the repo, the root level of the OD repos are equivalent to the trunk and there are no tags or branches. So we use the --rootistrunk switch in our Git import command as follows:

svn2git svn+ssh://svn.organicdesign.co.nz/svn/tools --rootistrunk

Then import the Git repository into Fossil,

git fast-export --all | fossil import --git tools.fossil