Skip to main content.

Tue, 10 Aug 2010

"Debian for Shy People": What's next

What do you do when you have a technical question that you're embarrassed to ask?

The first Sunday of Debconf, I led a birds of a feather (BoF) session called Debian for Shy People. The conference team scheduled it on "Debian Day," a pre-conference day that was open to the public and still had plenty of Debian Developers in attendance. I just uploaded the slides to the "Penta" page for the talk.

I led it because of my own experience. In 2004 or so, I saw Debian as the cool kids' club, that awesome project that I wished I could be a part of. By 2006, I managed to get over myself, read the New Maintainer's Guide, and find a way to get involved. As of mid 2009, I am a full-blown Debian Developer. I have real ultimate power. But I sometimes do still feel hesitation akin to "Imposter Syndrome".

(A bunch of people at Debconf didn't really believe I'm "shy," since I asked a lot of questions at the conference. At core, I don't naturally believe that the things I say are worth hearing, but I patch over this hesitation. Sometimes I speak too much, and then I feel ashamed of burdening everyone. But anyway, this is about Debconf not, me -- so moving on....)

In the past year of being a Developer, one thing I've seen is that other contributors ask me privately for help. Rather than blast the public lists like debian-mentors, they email or IRC private-message me, or SMS me, or find me at a Linux Users Group event. I'm lucky to know these people, and they're lucky to have me as a safe person to ask questions of. Moreover, Debian is better because these people could move past their confusion to make a technical contribution.

I began the BoF session by talking about when someone asked me for help. Then I asked, "How many of you have someone you can ask embarrassing questions of?" Of the forty people crammed into Schapiro 414, two people' raised their hands. One person put it plainly, "I don't know anyone else who does Debian." It reminded me of a fact that Karen discovered when she was doing market research for us at OpenHatch: the vast majority of free software programmers know zero other people who do free software. I had seen the figure; we even used it in a talk to try and convince venture capitalists to fund OpenHatch last year. But I didn't really feel it until I heard it from a room full of Debian contributors.

I structured the BoF in two parts: First, I talked in front of some slides to set the tone properly, and then we enjoyed open discussion. As I was preparing thoes slides, Daniel Morais asked me, "What's the point of having the session? Why not just come up with some ideas, implement them, and not bother also talking about it at the conference?" I had considered this; I decided I wasn't self-confident enough to start implementing ideas without talking to people to make sure I wasn't the only one who saw a problem. But I discovered another benefit of giving the talk: people who want to make Debian more welcoming knew to reach out to me.

So here are some thoughts that came from our discussion (and later discussions during the conference):

I set up an Etherpad document on cjb's OpenEtherpad.org. This is what we learned together:

One idea I had before the BoF was to create a discussion area that was safe for all questions, even if they seem silly. We talked for a while about what name that would take, if it were to become a new IRC channel. We reached something of a conclusion, but in the conference that followed Emmet Hickory offered to help make the debian-mentors IRC channel friendlyer. I think that's the best direction to take things, so the next step is for him and me to write up what we want and send a note to the debian-mentors email list explaining our vision.

In the Etherpad document, people discussed the idea of doing Debian discussion over XMPP (also known as Google Talk, also known as Jabber). We weren't sure how such a place would get critical mass; someone briefly mentioned the idea of an IRC/XMPP gateway. I actually think this discussion is along a very reeasonable path, namely discovering what discussion method(s) Debian contributors want to use. (That might explain why I'm now an admin on forums.debian.net.)

We also briefly discussed the idea of an anonymous question-answering service. I realize now that I'm not going to be able to have time to run that, but I still think it'd be a really cool idea.

Biella would remind me that Debian is already successful at bringing in new contributors. I agree! As a free software project, we have an enormous number of participants. This is a really good thing, and we're clearly doing something right. The purpose of this talk was to figure out how to make contributing to Debian less stressful for those who participate.

Truly, a "Debian for Shy People" effort isn't about shy people. It's about the moments of self-doubt we all have in which we don't know what to do and are too embarrassed to ask. I think that if the project more friendly, we can find more participants, make better use of our current ones, and see improvements to our diversity.

Whew, that was long. What do you think of all this?

[] permanent link and comments

Sun, 23 May 2010

Kat and Asheesh, on identity

Six months ago, I was talking with Kat. We were talking about talking.

On imperfection

Kat wrote:

<mindspillage> I think I have to be very very comfortable around someone to be able to be imperfect around them.
<mindspillage> (at least, without feeling horribly embarrassed about it)
<mindspillage> More so if what I'm doing is part of my identity.

It's safe to be bad at dancing, she explained; she doesn't consider herself a good dancer, so nothing's at risk.

On flames

I had recently written about diversity in free software. Kat showed me a piece she had written, but not yet published, on a similar topic. I thought she should simply publish the piece as-is. Instead, she worried:

<mindspillage> I feel like I have a hard time getting across what I think without coming across as antagonistic.

I've felt the same way. Years ago, I told my friend Venkatesh that had sent a flame to a mailing list we're both on. He retorted that my flames lack flame.

So then I thought about why I might feel I've written a flame, even when no one else felt that way. I wrote to Kat:

<paulproteus> Expressing oneself is a frustrating experience.
<paulproteus> It may seem like you're taking this out on other people.
<paulproteus> In fact, you're just frustrated.
<paulproteus> And fighting (successfully) your own urges to just be quiet.
<paulproteus> So at the end you'll feel like you fought a battle, and that seems like you wrote something that others would feel is antagonistic.

Maybe for Kat's writing and my "flames", there was some sort of antagonistic process in which we fought ourselves. That fight doesn't have a lot to do with the resulting text, so it's invisible to the reader.

I think this process might leave us vulnerable in another way: if our urges to stay quiet come from a sense of isolation, and we manage to stay quiet about that feeling, no one will sympathize with us. We'll appear to be healthy, active participants in a conversation where we express ourselves. Other people with a similar "process" for self-expression won't get a chance to empathize.

(This is why I'm interested in putting together a Debian for Shy People caucus. I hope my Debconf proposal for a Birds of a Feather session is accepted!)

On finding a way out

We concluded on a happy note:

<mindspillage> I haven't been answering Wikimedia mail for a while. Then I figured out that I don't have to use my real name, so I don't have to answer as someone with responsibility, I can just be some random volunteer.
<mindspillage> Most of it is silly and trivial. But sometimes I am really able to address someone's concern or change someone's mind, and I forget how good that feels.
<mindspillage> (There are some real jerks too.)
<mindspillage> I got someone who was being snarky to apologize for being so rude. That was kind of awesome. Sometimes it doesn't take very much to make me happy.

P.S. A note from the archives

Apparently, for me, speaking French is exempt from the above restrictions.

[] permanent link and comments

Fri, 30 Apr 2010

Mailing lists can wait

Most of my email comes to me via mailing lists. When someone asks a question or starts a discussion, I used to jump at the chance to be the first to reply with an answer. I don't want to unsubscribe; often, I know something that can move the conversation forward or help someone out. But I'm trying to allocate more time for myself away from computing these days.

So now I let these discussions mature a little before I see them. All mailing list messages are delivered to a folder called OneDayDelayed. Every night, my server moves those messages to my INBOX. If someone else has already contributed what I would have, perfect! If not, I still have a chance to participate.

Sometimes, if I have a long backlog of email, I disable that cron job, sometimes for up to two weeks.

Being able to turn the cron job on and off really helps; when I have time to deal with mailing lists, I do. Otherwise, I know the messages will be there when I do have time. Since this OneDayDelayed change, I've gained have a sense of calmness and distance from them. I like that.

(Note that if you add me to the CC: line of a mailing list thread, I will see your message immediately, for better or for worse.)

[] permanent link and comments

Mon, 12 Apr 2010

Let people help your project: Give them a button to click

This note goes out to the maintainers and contributors of Free and open source projects. (Cross-posted at the OpenHatch blog.)

I recently had the chance to look at Mozilla Quality Assurance's research into the people who help out with testing versions of Firefox. I saw numbers that really spoke to my experience as a volunteer.

On one hand, the vast majority of people put in three or fewer hours a week, most of whom put in one hour or fewer (such as zero).

On the other hand, a huge number wish they could put in a lot more:

Now imagine you're that one-hour-a-week contributor. You have all these other bits of your life tugging at your time. You want to make sure that when you sit down to work on free software, you're doing something that really helps out. Otherwise, not only will you feel bad that you aren't giving free software as much time as you wish, you'll feel bad that you're not even making a difference.

In my experience, even reading the project mailing list counts toward that time you're putting into the project. But that doesn't feel productive.

So fellow contributors, I have a request for you: Would you be willing to make it super easy for someone to stand waiting, on guard, for instructions from you? Imagine if all they had to do is click a button on your website, write a little bit of info about what they could do, and you would suggest something for them to work on. Maybe you can offer them a bitesize bug to fix, or maybe you need someone to download and test the latest version before you release it. If you're handing out assignments, then part-time contributors don't have to spend their time figuring out what they should do.

I want to tell you that I can give you such a button. It would look like this:

To get it, you just have to add a little snippet of HTML to your project website.

Just go to the OpenHatch project list. and find your project. If it's not there yet, search for it, and click the link to create it. Then find the box labeled "Have your own website?" and click.

Ta-da! HTML source code you can copy-paste. Since OpenHatch itself is an open source project, we added the button to our own "source code, etc." page.

When people click it, they appear in a list of "People willing to help" on your project's OpenHatch page. Like all the friendly faces on the Gwibber page.

Would you try it, too?

[] permanent link and comments

Thu, 01 Apr 2010

Cosmetic Carbon Copy on Slashdot

Two months ago, I explained how cosmetic carbon copy could allow you to list recipients in a message who never receive a copy.

Today, thanks to John Stumpo's writing talent and Wes Filardo's IETF-NG, an Internet-Draft informational document has been published.

IETF didn't like it enough to accept it as an April 1 RFC. (I do actually hope that one day someone will submit a modified version to IETF as a rest-of-the-year RFC.)

Slashdot took note!

In first visible comment, an Anonymous Coward writes:

Although it is an April Fool's...this would actually be useful.

Other highlights from the Slashdot discussion:

[] permanent link and comments

Sun, 21 Mar 2010

Speaking at Free Culture NYU: Come see me! 8 PM Monday 3/22

Dear New Yorkers,

I'm going to speak at Free Culture NYU about my current project, OpenHatch.

Please come out! To get there:

If you need help finding the place, call my cell phone. (Visit the freeculture.org contact page for that.)

[] permanent link and comments

Fri, 05 Mar 2010

What are you avoiding working on?

(Cross-posted from the OpenHatch blog.)

I remember working on my first big group programming project back in college. The project involved some web scraping work; I enthusiastically took charge of that part. But a few weeks in, my code just wasn’t working. I felt frustrated and helpless — I’m supposed to be the scraping expert, so why couldn’t I fix the problems? I retreated into hiding and didn’t want to think about the group of people or the project.

A week later, I feebly ran svn update to see how the project had progressed. “Oh!” I exclaimed to myself. “Someone made the data importer work!” I felt a rush of relief. (While writing this paragraph, I sighed again remembering it.)

When I talked to my teammate George, he mentioned off-handedly that he had fixed it. He didn’t feel any of the anguish I felt or assign me the blame I thought I deserved. I guess if I had just asked for help earlier, I could have skipped the feelings of inadequacy entirely and George would have just fixed the bug.

Half a decade later, I feel the same dread about the lack of Maildir support in Alpine. The bug is three years old! Ugh.

This time, I’m going to ask for help. So I listed the issue on the Alpine project page on OpenHatch. To put it there, here’s what I did:

  • Go to the OpenHatch projects list and enter your project’s name. That will take to your project page.
  • Answer the last question, “What is a bug or issue that you’ve been putting off, neglecting, or just plain avoiding?”
  • Hit submit! We’ll help you sign in with your Google account or other OpenID.

For those of you who work on Free Software projects, what are the issues that drain you the same way?

No bug tracker I’ve seen has a field that says, “I’m avoiding working on this, and that sucks.” To say that, list the issue on your project’s OpenHatch page.

So join in! What are the issues you don’t want to think about? Once you share them, maybe a fellow developer or a new contributor will come by and help you out.

Head to OpenHatch and let the world know.

P.S. Do you have any ideas about how we can make these project pages more useful? Let us know!

P.P.S. Dear Joey Hess and everyone else, sorry that Alpine still doesn’t have Maildir support.

[] permanent link and comments

Thu, 11 Feb 2010

Google and University email

Should universities switch away from hosting their own email and join the Google bandwagon?

Adi Kamdar wrote to the Students for Free Culture discussion mailing list linking us to a Yale Daily News article discussing an "almost-definite" switch for Yale to Google Apps for Education.

Adi asked for thoughts, so here are mine.

Privacy

One interesting thing about the Gmail option is that, when deployed for all students, students have no choice but to let Google read their official email.

Some students might take part in activism that they want to shield from Google, a corporation with its own interests, or the attackers that attempt to break into Google's systems (see the recent attacks from crafty pro-Chinese-government hacktivists). Before a switch to Gmail, each student could choose if Google was the kind of company they wanted to share their email with. After a switch to Google Apps, the choice is made for them.

But this highlights a different issue: Before a switch to Google, students have no choice but to let university administrators read their official email. That's not necessarily optimal, either. Others have pointed out in this thread that this option comes with legal advantages with regard to privacy law. At least that's some consolation.

It's still true that students can encrypt their email and make it difficult for any eavesdropper to figure out the bodies of their emails. But that's no use for hiding the identities of the people with whom they communicate -- no email crypto I know hides email addresses.

Software freedom and open standards

This is juxtaposed against another difficult situation: Matt Senate wrote about the sucky Squirrelmail system that Berkeley uses (used?) for webmail. The fact that SquirrelMail is Free Software is small consolation for Matt. From his perspective, because it's a hosted web application, he has no more freedom than he would have with Gmail.

At least Berkeley's IMAP server followed standards! That's more than we can say for the Gmail IMAP server, which is famous for basically supporting just enough IMAP for Microsoft Outlook to work.

But standards compliance is small consolation. If the university email server "properly" supports IMAP, but isn't fast or doesn't provide the new extensions that make threading or search speedy, it's not much relief to know that you can use any client you want to slowly read your email.

Internet history

Truth be told, University-hosted Internet services are based on what you might call the original Internet perspective. The Internet began as a network of networks. A University was a network island unto itself, running its own email, news, and Ethernet services. When inter-network connection was available, you can email people at other institutions. When it wasn't, well -- the Internet is a useful tool, but it's down right now. "Don't worry," the admins might tell you, "you can still read your email with PINE."

It used to be that inter-network connectivity was icing on top of the "real" network a person used.

Today, inter-network connectivity is the whole point of a network connection. How embarrassing for each individual network! To test if our connections are working, we skip right over the local content and point our web browsers at a search engine.

Users today aren't satisfied to read their email from imap.institution.edu and read USENET news-- they thirst for real-time access resources available beyond the university. Students weren't interested in the J-Stream service I helped set up at Johns Hopkins; instead they mostly posted and watched videos at YouTube. They don't really care if the the student-oriented wiki is based on campus or instead halfway across the globe (say, in Japan).

The original Internet was based on autonomous networks and opt-in routing. But eventually, all the networks opted in. Users drive everything, and when they don't get what they want, they vote with their feet. Companies like Facebook and Google stand ready and armed to provide shockingly-efficient services to millions of users who choose them. You could say that with today's network, the autonomy shifted from the network to the users.

The nice thing about University-run services is that students can organize and ask for changes, as Fred pointed out. And for people like me, there's something nice about knowing the person who runs your email system.

But if your busy university staff doesn't have time to investigate an email server with fast full-text indexing, you might wish for change. Having the university tear down its internal services is a progression toward seeing its network as simply transit.

Imagine the loss of pride. It used to be that the university personally ran a system for helping users get what they wanted. As it becomes simply transit, the staff are just greasing the cogs of a larger, invisible machine that's easy for users take for granted.

Some netizens like me hold email as sacred, a beautiful institution based on standards and a decision to interoperate. When your university switches to Gmail, I'll be sadder, but maybe what you'll get is professors who can spend more time with students and less time configuring desktop software.

Trade offs

Every university has a choice: Pay hundreds of thousands to millions of dollars a year for dedicated staff to run an in-house email system, or let Google do it. Think for a moment of what good could come from those dollars when put to use in other ways for students.

Your school could start a switch to all-organic food. It could start paying more of its employees a living wage. Imagine the travel funding for student activities that can come from hundreds of thousands a year well-spent. It could run a massive used textbook clearinghouse to help students avoid pouring their dollars into the textbook industry.

And now cry with me. What I've asked you do is to consider sacrificing institutional autonomy for cold, hard cash. That's to say nothing of the ecological benefits or the productivity increases possible from having Google's paid experts run this part of the computing system.

Conclusion

Is an official Google email system much different than the reality most students I know live, which is configuring their student email address to forward to gmail.com?

For those of us who would be sadder with one more push toward centralizing email with Google -- for those who see it as the behemoth whose size threatens the decentralization that used to be the core of the Internet -- I ask you to think positive. "See the profit from your loss."

I have no conclusions for you, just niggling questions.

[] permanent link and comments

Sun, 07 Feb 2010

Cosmetic carbon copy: The opposite of blind carbon copy

I propose a new feature for email software: Cosmetic carbon copy. CCC works very similarly to today's carbon copy feature: If you put an address in the CCC: list, when the recipients open the message, they can see the address. The one difference is that with "cosmetic" carbon copy, the CCC:d address never recieves the message.

An example might illustrate the situation. Let's say someone (Alice) wants to invite Bob to a movie but doesn't want Charlie to come. She might send this email: 

From: alice@example.com
To: bob@example.com
CCC: charlie@example.com
Subject: MOOOVIEEE!

Hey all my friends, join me for a movie tonight!

When Alice sends the email, Bob recives a copy. Bob thinks that Charlie received a copy, as he will be in the CC list. But Alice's mail software never sent Charlie a copy. So Alice can relax, knowing that Bob won't forward a copy to Charlie, since Bob thinks he already received it.

Alice and Bob will meet up without Charlie, and Alice will quietly sigh in relief.

How can this work?

Cosmetic carbon copy works on the same principle as blind carbon copy: the contents of the message are fundamentally independent from the recipients.

Saavy email users have used the "blind carbon copy" feature for years. When you place an address in the BCC list, that address will receive a copy of the email even though other recipients won't see the address listed. This allows for a form of privacy between the sender of the email and that hidden recipient.

This works because, like postal mail, email messages are delivered using an "envelope" that contains the actual recipients. When you compose a message in Alpine, Gmail, or Thunderbird, you are writing the contents of the envelope. When you hit send, the mail software looks for email addresses that should receive a copy. It creates one envelope per address, stuffs the letter inside, and sends the whole thing on its way through the Internet using a protocol called SMTP. When the recipient (Bob)'s email system receives it, the letter is pulled out of the envelope and placed in an inbox.

Which means the envelope is entirely invisible to Bob, the recipient. Most mail software puts information about the envelope in email headers. Since each email recipient gets a separate envelope, In the case of cosmetic carbon copy, Alice's letter claims that Charlie was on the CC: list. But Bob can never learn that Charlie's copy was never sent.

So to implement cosmetic carbon copy, Alice's mail program must understand this rule:

  • For each address in the CCC list, copy the message to the CC: list in the email message.
  • Create no new envelopes when sending the message.

Because of the last bullet point, this "carbon copying" is purely cosmetic rather than functional.

A possible privacy problem

You might wonder, what happens when Bob hits reply-all to say "Yes, I'm coming"? Then (oh no!) Charlie might see the invitation.

Not a problem: Most of my friends use Gmail, and Gmail users almost always hit Reply instead of Reply-All. Gmail used to have an experimental option called "Reply All by Default", but thankfully they removed that option.

A future version of this specification might suggest mangling the last "." in the BCC:d email addresses with the ONE DOT LEADER character, which looks like "." but isn't one. That way, even if Bob clicks "Reply all," Charlie's email address is subtly incorrect and will bounce.

Future work

The story I've told here is marginally simplified so it's understandable to a less-technical audience. Those who want a more technical version can request I submit an RFC. Perhaps in two months?

(File under "games to play with email.")


[] permanent link and comments

Fri, 01 Jan 2010

Detecting stale versions of WordPress

I run a personal server that hosts web space for a few friends. Probably the most popular thing to do with the space is to install WordPress and run a personal blog.

A few days ago, I discovered some attackers were abusing one of the sites. Once we upgraded the site to the latest version of WordPress, the attack went away. So I wrote a tool that, every night, emails me a report of the locations of old versions of WordPress. A sample email:

Current version of WordPress: 2.9

oldroommate has WordPress 2.5 in /home/oldroommate/web/oldroommate.com/

Eek! WordPress 2.5 is old!

How it works

Each time it runs, it looks at wordpress.org to see what the current version is. The code to do that is written in Python and uses lxml.html. It prints the current version in the report, and it uses it when analyzing WordPress installs.

To analyze WordPress installs, it executes locate readme.html, looking for WordPress's tell-tale documentation file. For every such readme.html, if it matches a simple regular expression suggesting it's a WordPress readme file, it performs the following analysis:

  • It does some simple seding and greping looking for the version of WordPress described by that file.
  • If the version detected is older (as calculated by dpkg --compare-versions), it creates a one-line report like the one above about oldroommate.

If it found any installs of old WordPress, it prints a report like the one blockquoted above to stdout.

How to use it

To get emails, I run it with cron. You can add a stanza like this to your crontab (edit it with crontab -e):

@daily cd find-out-of-date-wordpress; ./look.sh

Ta-da, nightly reports.

To get a copy

Do a git clone: 

git clone git://git.asheesh.org/find-out-of-date-wordpress.git

or browse its gitweb.

Feedback

I'm quite interested to hear what others do to avoid old web apps being attacked. If there's another bit of software that monitors web apps for needing upgrades, I'd love to hear about it! Obviously if you have feedback on this tidbit I wrote, let me know.

(To me, apt-get doesn't seem to be the answer. Web apps (especially PHP ones) don't usually seem to support keeping the code in one place with multiple different configuration files. And users get excited about the latest and greatest and don't want to wait for me to upgrade, and I can't blame them.)

If some of you don't like the Python dependency or anything else, I do welcome patches!

[] permanent link and comments