Short Tip: Mount directories via SSH

Other computers are often accessed via ssh. That is very easy and comes along with a lot of possibilities. However, working on files which are saved on the server is not that simple all the time. KDE offers the fish:// KIO for these cases, but this just works for KDE apps, and has to be called for each app individually.

In such cases it makes more sense to actually mount the server directories locally: sshfs lets you mount any given server directory locally. And since it works on top of FUSE it does not require root interaction at all (given that the local user is a member of the fuse group).

All you have to do is:

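sshfs -o idmap=user user@server:/remote/dir ~/sshDir

Here user@server:/remote/dir is a placeholder for the remote account, host and directory to mount. The idmap=user option translates the server side uid to the client side uid and is therefore an often used and also needed option to avoid permission problems.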

Of course the given directories have to exist on the used machines. Also, as already mentioned, make sure that the user who tries to use sshfs is a member of the fuse group! Last but not least the server must have a running ssh server, and the program sshfs has to be installed on the client machine. On Fedora, the package is called fuse-sshfs and is part of the main repositories. I guess it is similar on the other, bigger distributions as well.

Since every sshfs directory is a regular fuse directory, unmounting is done via:

fusermount -u ~/sshDir

An sshfs mount can even be entered in /etc/fstab, and sshfs also understands typical ssh configuration options such as other ports or the very handy key-based authentication.


NetworkManager enterprise encryption (Eduroam style) works again

NetworkManager was recently updated in Fedora 8. The newest version now works well again with a specific but widely used enterprise encryption method.

One of the major regressions in Fedora 8 was that the new NetworkManager was not working with a specific encryption method used by the European Eduroam (wlan) project. This network uses a certificate based TKIP-TTLS-PAP encryption system to allow or deny access to wireless university networks across Europe and is therefore at home at almost all larger universities in Europe (and Australia, btw.).

The proper solution to handle that situation was to configure wpa_supplicant manually or to run other tools or home-made scripts.

Two days ago, after more than two months, an update of libnl required a rebuild of NetworkManager and libdhcp as well. And with these updates, the login works again without any further problem.

It is not entirely clear why the bug is now fixed but it looks like the libnl package had some serious problems which might have caused the problem. I hope that NetworkManager soon reaches a state where all promised 0.7-features are available – and where I have a KDE GUI to configure them 🙂

While the issue is solved, the bug itself raises some valid questions: If the bug hit all Eduroam users, who are mostly students or academic people with a high percentage of Linux users among them, why did so few people care? Is it because most European users don’t use Fedora but Opensuse, Mandriva or Ubuntu, which all did not ship that specific NetworkManager version?
Or did the system work for most people and fail only for some odd reason for me and a couple of others? Strange in any case.

[Howto] Using newest flash in Konqueror in Fedora

Recent flash plugins didn’t work with newer Konqueror versions. But now the Fedora-KDE team released new KDE packages with support for the newest flash in Konqueror.

For quite some time now the newer flash plugins didn’t work with Konqueror: they required direct Xembed support which was not provided by Konqueror. As a result most Konqueror users stuck with the latest flash plugin that still supported the old-style Window passing. Some newer features were missing, but the rest worked.

However, recently several problems and vulnerabilities were found in the old flash plugin versions – some of them quite serious. As a result the flash plugin had to be updated or deactivated in Konqueror.

In the meantime the KDE project reacted and updated the nspluginviewer library to support direct Xembed. The support is not perfect yet but works. And now the KDE-Fedora team took that code and patched the current kdebase and kdelibs: Konqueror can now use the newest flash plugins.

The updates are still in testing and therefore must be installed via

yum --enablerepo=updates-testing update kdebase kdelibs

But: keep in mind that this is still non-perfect code! There are reports that x86_64 could run into trouble of some kind. But you can help improve the packages by simply testing them and reporting all problems in the corresponding bug report.

Wuala: store data online, and share them if you want

Wuala is a mixture of a classical online storage solution and a file sharing application: you can share your data with logged in users or entire groups while all your data are uploaded to a p2p net – even when you’re not connected. The program was now released as a Linux version.

Technical Background

The interesting advantage of Wuala compared to usual file sharing applications is the fact that every user can first define which user or group is allowed to see which content, and that you don’t have to be connected to the net to offer your friends the option to download your stuff. When you mark your data for upload they are split into small parts, encrypted and afterwards uploaded to the other clients of the network (including some big servers of the company behind the project). All data is saved redundantly so that you most likely always have the possibility to download your data from everywhere else as long as the Wuala network has no major breakdown.

Currently the amount of data you are allowed to upload is 1 GB. However, if you provide some space for other people’s files on your hard disk you also get more space on the network – given that your network connection allows incoming connections and that your computer is online most of the day. In this regard the approach reminds me a bit of Freenet which also defines your upload space by the space you provide to the network afaik. You can also “earn” additional space by inviting other users, and I guess in future you might be able to buy additional storage.

According to the web page, your data are encrypted locally and therefore cannot be viewed by other clients as long as you don’t allow it:

All files you store are encrypted such that only you and those authorized by you can access them. All encryption and decryption is performed locally and your password is never sent to us – so not even we can access your files.

Unfortunately, the program is closed source (also see below) and there are no further details on that matter. Therefore it is hard to say how strong the encryption really is. I would really prefer especially such a program to be open source, or at least open source in all important bits like encryption.

The graphical interface

Wuala itself comes along with a graphical Java client interface for Linux, MacOS and Windows. The Linux client is provided as a package and at the moment still has to be copied to a local folder. There is no package or installation routine, but the Linux client is in an Alpha stage anyway.

The main window shows all shared files and directories and marks them with different colours for different restrictions: yellow ones are the folders which are not shared with anyone, red are the ones shared with friends and/or groups and blue ones are accessible by everyone of the network.

[Screenshot: Wuala - Main screen]

The folders themselves can be removed, downloaded, recommended, marked as favourite, etc.:

[Screenshot: Wuala - Right Click]

You can of course also alter the access rights at any time. And the rights are quite fine grained: they allow you to choose specific users and/or groups to see content and therefore remind me even a bit of ACLs.

[Screenshot: Wuala - Access Rights]

As mentioned above there is also the option to make content available for everyone. As a user of Wuala you can of course also allow others to search that content:

[Screenshot: Wuala - Search]

Of course it is debatable how useful it is to provide data on Wuala which are readable by everyone – there are similar services on the web where you don’t need the extra client, and Wuala is not the place to provide illegal content worldwide. But some people indeed seem to use the function, and I could imagine that CC content could find a place there.
Anyway, if you pay closer attention to the bottom right you see “Related Products”. This is a link to Amazon products. I guess this helps Wuala to keep the business running. In the current version you can turn off that function, the question remains if that option will still be there in the future.

Besides the main window and the world/search window there are also windows for your groups and users. There you can also start a chat with other users – however, that failed for me due to a Java error. I’m not sure if that is a problem of the Linux client, IcedTea or something else. On the other hand, the project is still in Alpha/Beta testing and maybe the function is not tested enough yet or simply not implemented right now.

Another feature I didn’t test at all yet is the possibility to use portmap to have a look at, for example, video files while they are still not fully downloaded:

Wuala creates a network drive to which your operating system can connect. […] Wuala has a built-in NFS server and tries to mount a NFS share in the folder named ‘direct’. For this to succeed, portmap and nfs-common must be installed.

Besides the graphical interface there is also a command line application which can be used to set up storage nodes. Since Wuala depends on computers which are online most of the time such a command line client makes a lot of sense for example for 24/7 servers without X.

Closing thoughts

Wuala is an interesting approach to provide online storage for everyone. It offers nothing revolutionary but combines several known techniques into an interesting, nice-looking and working product. Still, as already said, I would feel much, much better if at least the encryption part were Open Source and documented so that users could verify that their content is really safe. In this regard the FAQ has an interesting point:

Do you plan to open the source code?
We are considering to open the source code in future. However, this is a decision that has to be thought out well as it cannot be undone. It also takes some effort to successfully implement a good open-source strategy.

I’m looking forward to the future development of Wuala – especially plans like Web access and of course to Open Source the code are very interesting.

As a last note: currently Wuala is in an early stage and does not allow new users. However, existing users have a set of invitations, so in case you would like to have an invitation, send me a short private note.

Fedora 8 RC 3

Fedora 8 RC 3 was released three days ago. This RC shows what users can expect from the upcoming Fedora 8. It comes along with a huge list of new features and bug fixes. Among them are KDE 3.5.8, a new NetworkManager core, PolicyKit, PulseAudio and RandR 1.2 support for the open ATI drivers.

The Fedora 8 Feature List was already known for several months, therefore this release does not come along with any surprising additions. Also, many of the features are more or less designed for GNOME and do not directly apply to KDE users. Well, Fedora is a GNOME distribution through and through.
Nevertheless some of the features are cross-desktop features and are therefore usable for me as well.


First of all Fedora 8 ships with KDE 3.5.8. For me this means that I can again use Konqueror to edit my WordPress posts because a really annoying bug was finally fixed. Btw., it says a lot about Fedora and KDE when a bug report with patch isn’t even answered in 5 months.
And, of course, because this is real life, I cannot really enjoy WordPress at the moment because my personal bug #1 hits me hard right now. :/ I really, really hope that this bug will be fixed with KDE 4. I would also be willing to offer solid money if that means the bug gets fixed.
Fedora’s KDE version now also ships with the Enterprise branch of the KDE PIM suite which is said to be more stable.

Konqueror now also works again with the newest Flash player. The bug was automatically resolved by the update of the GTK packages since this was a GTK bug.
It doesn’t, I mixed it up.


Fedora 8 ships with a pre-release of NetworkManager 0.7 which introduces a wealth of new features. However, it also introduces new APIs so that client tools have to be rewritten. KNetworkManager isn’t available yet so even the KDE version of Fedora 8 ships with the GNOME applet. As soon as knetworkmanager works with the new NetworkManager again it will be shipped through an update.
But for me the GNOME applet didn’t work either, it is still beta software after all.


PolicyKit is described as “a framework for defining policy for system-wide components and for desktop pieces to configure it. It is used by HAL.”. Fedora’s feature page has a list of use cases for PolicyKit which might give a better impression:

  1. David wants to format his USB stick. When he activates the corresponding item from the context menu, the system presents a dialog asking him for the root password.
  2. Matt needs to adjust the clock of his computer. The context menu of the panel clock lets him do this without asking for passwords. (Or, depending on the policy, allows him to authenticate with his own password like sudo or Mac OS X.)
  3. When Ray shuts down his system, gdm asks him if he really wants to shut down while his girlfriend has a session running on the system. When he is the only user on the system, gdm shuts down without further questions.
  4. David administrates his family's desktop system. He wants to allow every family member to format removable media without giving them the root password. He achieves this by editing the xml file that defines the policy for PolicyKit.

In short, PolicyKit helps to set and establish certain rights in the time of HAL and other system-wide services and possibilities used on a multi-user computer. Currently there is work done to integrate PolicyKit with GNOME. I haven’t heard of any work currently done to integrate PolicyKit with KDE, but this might come in the future. There is also work underway to create a KDE GUI for PolicyKit.


PulseAudio is a sound server which is shipped with Fedora 8 by default and will be shipped with other distributions in the future. It is supposed to be a drop-in replacement for GNOME’s ESD but is at the moment still desktop neutral (so could be used by KDE as well).

The role PulseAudio plays in comparison for example to GStreamer is best explained with X and GUI toolkits like GTK and Qt: PulseAudio is X, GStreamer or Xine are GTK or Qt. PulseAudio therefore won’t replace current existing solutions like Gstreamer or Xine but will sit between these and ALSA to improve the handling of sound streams at that point.

PulseAudio will pave the way for intelligent audio hotplugging functionality—making it possible for the system to automatically redirect VoIP program audio streams when users plug in or remove USB headsets, for instance. PulseAudio’s support for network transparency will also facilitate some impressive functionality.
PulseAudio would make it possible for a VoIP program to automatically reduce the volume of music programs when a call starts. The software could also be used to automatically reduce the audio volume of all windows that aren’t in the foreground so that if you are playing two movies simultaneously, for instance, the movie in the active window would have higher volume

This however reminds me of some feature KDE’s Phonon is supposed to offer. I wonder how well it will work when two Audio related programs/layers will try to reduce the music audio output because a VoIP call is coming in.

But in case of KDE the discussion isn’t that interesting anyway: Phonon clears the way for every development which might come up. Even if PulseAudio suddenly is extended and tries to replace Gstreamer one day (which is unlikely) KDE 4 could still use it. Thanks, Phonon.

Nevertheless I still have problems with the word “Sound Server”. KDE once had a sound server and while it was a masterpiece at its time it was the source for multiple problems at the end of its lifetime. While there are lengthy mails about all possible problems of PulseAudio I’m still not convinced that the introduced latency will not have any impact on my experience watching Flash movies or talking via Skype. I would like to see some benchmarks or tests or something on standard hardware (!) in that regard.

RandR 1.2 and free ATI drivers

Fedora 8 finally ships with free ATI drivers which support RandR 1.2. And it works indeed: the resolution and the output of the screens can be altered on the fly. A simple

xrandr --output LVDS --off --output VGA-0 --mode 1680x1050

turns off the laptop screen and sets the external monitor to 1680×1050. There is no restart or additional xorg.conf configuration necessary. There is still a GUI missing though, but I’m pretty sure that one will be shipped with Fedora 9.

So, finally I can use hotplug with my external monitor.

Other improvements

Fedora 8 comes along with various other improvements. There is for example a new firewall configuration application which is simple but covers the important parts. Also, the bootup is notably faster, and there is of course a new Kernel.

For KDE enthusiasts the next version of Fedora might be more interesting though because that one will most likely ship with KDE 4. Currently there are just the development libraries available in Fedora 8.

RandR 1.3 and other future X.Org development

A month ago the X Developer Summit took place. Now notes about most of the talks are available and show where X development heads to. Among the information are a feature list for RandR 1.3, for the Intel driver and for X.Org 7.4/7.5.

The X Developer Summit took place from 10th to 12th September and got quite some attention when AMD used the Summit to announce their release of hardware SPECS without any NDA. But there were of course other talks dealing with other, not less interesting topics and the notes about these talks are now available.

RandR 1.3

RandR 1.2 is nowadays shipped with all recent distributions and is supported by most of the current drivers (it is really a twist of fate that my hardware is not yet supported…). It makes life much easier if you have a mobile system or need device hotplugging elsewhere.

The next version however will feature GPU object support. According to a discussion about that topic, the GPU object support will enable RandR to combine a set of X screens with a different number of hardware GPUs:

Right now, with RandR 1.2, you get multiple X screens, one per-GPU, each of which can have multiple monitors connected.

With this feature several GPUs could be merged into one X screen similar to the classical Xinerama setup.

Intel driver

Keith Packard reported about the Intel driver development. Intel graphics hardware still has the best graphics drivers for Linux, but that might change soon due to AMD’s new efforts.
Anyway, the Intel driver itself is in a pretty good state: all current X.Org features like RandR 1.2 and even TV out are fully supported. The next version will feature OpenGL 2.1 support, MPEG hardware decoding, HDMI, improved power savings and output scaling. The driver can be expected around January 2008.

Also, it is interesting to know that the Intel driver developers have a test environment containing at least one of each chipset – this should be normal for every hardware driver development group, but unfortunately isn’t yet for Linux driver developers. The support of hardware vendors still isn’t in such a state (yet) and sometimes the developers depend on donated hardware.

X.Org 7.4/7.5

The X Access Control Extension (XACE) will be ready for SELinux and Solaris Trusted Extensions with X.Org 7.4. This will improve the security model of the X.Org server.
Also, the Distributed Multihead X (DMX) feature which can combine several different backend X servers (think of separated hardware here) into a single virtual X server will be able to use Device Independent X (DIX) as an input module (but to be honest I’m not sure which direct effect this will have for average users).
The notes also say that we can expect Glucose in 7.4 or 7.5: it would fill the gap between Xgl (rendering everything but with a second X server) and AIGLX (rendering without a second server, but not rendering everything).

But there is also a feature delay: it looks like the multi-pointer support for X, MPX, will not be ready for X.Org 7.4. Instead it will be shipped with X.Org 7.5.

Other news

In other news Vedran Rodic made clear that OpenGL performance on Linux sucks and has to be improved – and he is right! He mentioned that regular tests should be done and should be compared to Windows results to determine what and where the problems are.
I hope that one day there will be entire test labs dedicated to just testing drivers and driver performance on different machines and setups for Linux. But we might have to wait years for that to come true…

Also Michael Dales introduced the new driver “nivo”: network in, video out. The idea is to push VGA and input data through the network thus creating ultra thin clients. While this can be done already via Xvnc Dales is developing an extra driver for better performance. This driver is unique in the X.Org driver collection: all drivers are for output OR input, but “nivo” is for both. 🙂
While I do not have any personal need for nivo it could push the Linux adoption even further since it makes it even cheaper (and more power saving) to create thin clients. Nice.

Thoughts about Captchas: Today animated GIFs, tomorrow Flash videos?

Today I came across a new type of captcha: animated gifs. The animation makes it more difficult to read the characters, however this is just another level of spam-prevention. The next level could be flash-video streams.

Rant about today’s solutions

I hate captchas – I really do. On the one hand they only hinder spammers, but they don’t block them totally. It is simply a war of steadily evolving technologies against each other. And the side which loses in the end is average humans, because at some point the captcha will be too difficult to read for humans while the spam bots will still be able to read them. Btw., on average I need two attempts already to get a captcha right.

On the other hand this technology is something I never really got. Why use captchas? Why not use standard spam prevention software? It should be pretty easy to change spamassassin to work together with WordPress. Or Dspam or one of the other available spam filters. I mean the rules should be pretty easy: if it includes a URL it gets some minus points, if it has more than one URL and even clusters them it gets even more minus points. Akismet uses such filters and these filters are pretty good. Also, such a way of filtering comments would make it possible again for blind people to post comments to blogs.
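
The URL rule sketched above, written out as an added example (it is not part of the original post and not how spamassassin, Dspam or Akismet actually score). The point values, the threshold, the "fewer than three words between two URLs" definition of a cluster and the sample comments are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Point values and threshold are assumptions chosen for this illustration.
FIRST_URL_POINTS = -1.0   # the comment contains at least one URL
EXTRA_URL_POINTS = -1.5   # every URL after the first
CLUSTER_POINTS = -2.0     # a URL following another with almost no prose between
SPAM_THRESHOLD = -5.0     # at or below this score the comment is held back
MIN_WORDS_BETWEEN = 3     # fewer words than this between two URLs = clustered

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WORD_RE = re.compile(r"\w+")


@dataclass(frozen=True)
class Verdict:
    score: float
    url_count: int
    clustered: int
    is_spam: bool


def score_comment(text: str) -> Verdict:
    """Score a plain-text comment using only the URL rules from the post."""
    urls = list(URL_RE.finditer(text))
    score = 0.0
    if urls:
        score += FIRST_URL_POINTS + EXTRA_URL_POINTS * (len(urls) - 1)

    # A URL counts as clustered when hardly any words separate it from
    # the URL before it, which is typical for link dumps.
    clustered = 0
    for prev, cur in zip(urls, urls[1:]):
        gap = text[prev.end():cur.start()]
        if len(WORD_RE.findall(gap)) < MIN_WORDS_BETWEEN:
            clustered += 1
    score += CLUSTER_POINTS * clustered
    return Verdict(score, len(urls), clustered, score <= SPAM_THRESHOLD)


# Constructed sample comments (not real data); *.example hosts are reserved.
SAMPLES = [
    "Thanks, the idmap=user hint fixed my permission problem.",
    "The wiki page at http://wiki.example/sshfs explains the fstab syntax.",
    "I compared http://a.example/review with what the other site at "
    "http://b.example/test says about it.",
    "cheap pills http://a.example http://b.example http://c.example",
]

if __name__ == "__main__":
    for comment in SAMPLES:
        v = score_comment(comment)
        print(f"{v.score:6.1f} urls={v.url_count} clustered={v.clustered} "
              f"spam={v.is_spam}  {comment[:40]!r}")
```

Two links embedded in ordinary prose stay well above the threshold, while the same number of links pasted back to back is penalised twice, once for the count and once for the clustering.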

Tomorrow’s solution (which will be crap as well)

Anyway, enough rant about current captchas, forward to the future. I’d like to predict that we will see pretty soon the first video-stream captchas. These flash-embedded videos will make it even harder for bots to read the captchas but are still quite easy to generate and read for humans. The trick would be to have an animation which would show floating objects which would transform into other objects all the time. At a random time the new objects would be readable characters for a short moment. This stream could be like 10 seconds and would be repeated all the time. The important parts are the fact that you cannot predict when it will exactly show the characters and that also there is information all the time. If you want to use a spam bot against such a stream you have to analyze its entire data stream which would result in quite some CPU load – and that would make it yet again a bit harder for the spam bots. Not impossible though, but maybe hard enough.

Still, this solution is not usable from a blind person’s point of view, and again the simple spam filter tool looks more effective to me.