Daniel Lange's blog

I have just noted that the Wikimedia Foundation has extended the deadline for the fundraiser from 22. December 2007 to 03. January 2008. Here's the diff from the Fundraising FAQ.

The funds are currently coming in at just above 12,000$ a day and have so far reached 1.24m$, a huge sum sufficient to cover half of the technology budget Wikimedia proposed for it's fiscal year 2007/2008. That includes unspecified salaries, so may be the funds will be sufficient to operate Wikipedia a year. But obviously the total grants fall expectedly short of the total 4.61m$ planned for spending.

SSH with chroot patch has been working fine for a number of years. Since PAM v0.99 things have broken though, if users are chrooted with the "/home/username/./" syntax as their homedir.

SSH sessions will just terminate immediately after successful logon. Doh.

Two solutions exist:

1. Put UsePAM no into /etc/ssh/sshd_config and use the chroot patch and /./ in users homedirs
2. Keep UsePAM yes. Emerge sys-auth/pam_chroot and add session required pam_chroot.so to /etc/pamd.d/sshd setup /etc/security/chroot.conf or add a chroot_dir=/home/username/ to the pam_chroot.so line.
   This will currently not work for amd64 though as the Gentoo bug regarding pam_chroot has not cought any attention from the arch testers. Since July...

Bugging the arch testers in #Gentoo-amd64 didn't help either:

Continue reading "SSHd chroot and PAM"

The Wikimedia Foundation has changed their donation web pages again. Now they cut off the "Recent contributions" at 400 pages of (max.) 25 donors each. Thus the commands I gave in the Wikimedia Fundraiser analysis article can't be repeated to give the full picture anymore. You can now only get a view of the last 9-10 days.

The implementation has obviously been done quite hastily. If you select the "Filter" to show only one page of results, you'll still get the (now hard-coded) 0 .. 400 pages selector at the bottom.

I've been pointed at two other resources on the recent fund raiser for information:

• There is an IRC Channel that lists donations (irc://irc.freenode.net/#wikimedia-donations). Running it a few minutes, it showed far fewer donations coming in than the better known web page though.
• There are a few threads in the Wikipedia Review Forum that deal with the fund raiser. The discussions there are very Statler and Waldorf style but these folks also did the math.

Updates

09.11.07: Casey Abell has added http://donate.wikimedia.org/en/node/22 to the comments which lists a daily report of the funds collected. Thanks Casey! The numbers match very well with my analysis. Wikimedia currently reports $27,97 average donation. I measured $27,85 six days ago. That seems stable. Interim conclusion:There are still major individual donations required to get anywhere above $2m.

10.11.07: Casey generates a nice graph of the daily funds collected here.

The Wikimedia foundation has just changed the progress meter to track the number of donors.

Now every icon seems to represent a 5,000 people increment. So the 100,000 donors target looks still set. Well, actually 95,001 would now fill the last icon on the meter.

To achieve this Wikimedia still needs to accelerate the donors/day according to my analysis from yesterday. At the current 1,000 donors/day, they'll "only" receive around 60,500 individual donations. The running total donors figure is now displayed in text. This is pretty advantageous as the graphical representation need to be updated only once another 5,000 people have contributed. The new meter is also language neutral, so it does not need to be updated for each language individually anymore. The Text below the meter ("You can help Wikimedia change the world!") is HTML too, so this can be easily localized. All in all, well done!

This is what it looks like on the English Wikimedia home page now:

The German version of Wikipedia currently still displays the old graph:

There is also a change in the individual donations listing visible:

The people contributing $0.01 seem to have vanished. Perhaps the interface to Paypal and Moneybookers has a minimum set to $1.00 now. This will shift the average donation upwards, but will also account for fewer donors. The trolls at least were good to be counted...

The Wikimedia Foundation, the organisation behind Wikipedia, is running their annual fund raiser since October 22nd. There have been numerous complaints that the Wikimedia Foundation did not name a target sum to be achieved or is in other way acting intransparent. There may be good reasons for that:

• The last fund raiser was "tough" to get through already and raised about one million dollars with $20 average contribution as to what Bruno Giussani reported from Lift '07.
• The foundation grew from $56,666 turn-over in it's fiscal year 2003/2004 to $283,487 (2004/2005) and $1,066,785 (2005/2006). The 2006/2007 figures are still not reported, but it's safe to estimate that the 4x increase of the previous year has slowed down a bit.(see Updates section below) See http://wikimediafoundation.org/wiki/Finance_report for the scarce details.
• The budget planning for fiscal year 2007/2008 totals $4.611m. The break-down is very rough and little effort is spent to explain the figures to the general public.
• The suggested donations have been set high at $200 to $40 with marketdroid speak to sell that:
  "If you and 99 other people donate .. $200 – We can ...".
• It's not very likely a target in the range of the planned budget can be achieved from Joe, Dick and Harry's contributions. Wikimedia may need Larry, Sergey or Mark here. (I'll leave that without links for you to think about )

So - to make the best of this - and continue being unnecessarily intransparent, Wikimedia (cough Jimmy Wales, cough) has decided to only list the number of donors as the "progress report".

Their "meter" currently looks like this:

You can easily analyse the scale to find that Wikimedia hopes 100.000 people will contribute.

Continue reading "Wikimedia Fundraiser Analysis"

For a few weeks SEO types now moan, argue, analyse or celebrate (please submit links in comments section ) Google apparently reducing the pagerank (tm Google) of their sites. I guess creating unique content is a too labourous option. Whatever, if you were Ryan Stewart you could even spit out some epicaricacy.

So with all this fuss, I wanted to find out the pagerank (which previously never had any relevance to me) of some (of my) sites. I would not want to install the Google toolbar because I'm not into software that does "something" to my PCs, so I looked around for other options. Wading through masses of pages that offer Javascript to be embedded into your pages to show a pagerank image inline (no thank you), I found two viable options:

• http://seopen.com/seopen-tools/pagerank.php
  SEOpen allows you to check the pagerank of a single URL
• http://www.iwebtool.com/visual_pagerank
  iWebTool can fix up any webpage for you so that it'll show the pagerank next to every link on the page

Give it a go. Some interpretation help: Pagerank 10 is the max., 7-9 is quite good, 4-5 means Google knows you, new pages start off at PR0.

The Livesearch (Javascript iterative search) plugin to Serendipity (s9y) currently does not work with the Bulletproof template active.

Matthias Mees (YellowLed) and Don(ald) Chambers are looking at it.

I just learned yesterday again, what I knew a few years ago, but since had forgotten:

You cannot put multiple SSL-enabled virtual Apache hosts onto the same IP and port.

Apache cannot identify which VirtualHost to serve a request from because the payload is encrypted in its entirety. So a

Host: servertwo.tld

header cannot be parsed until the encryption has been removed. Which requires the key, which is listed in the VHost section that could not be identified in the first place... So a name-based VirtualHost-configuration like this won't work:

It will just serve any request out of the first VirtualHost (serverone.tld) regardless of the hostname in the request headers.

There is some light at the end of this tunnel though: RFC4366 describes an optional field to the TLS (Transport Layer Security) client request called "Server Name Indication" (SNI). With this the client just includes a list of ServerNames (usually one) that it's trying to contact. Apache can easily match the supplied name from the client against a ServerName (or ServerAlias) directive from it's configuration files.

SNI will be supported with OpenSSL v0.9.9 in mod_ssl. Sometime in the future. There is a backport to v0.9.8 available from Steven Henson linked here. Or you can use mod_gnutls as described by George Notaras in a recent blog entry.

In either cases the above configuration snippet will "just work" once SNI is understood by Apache.

Currently Internet Explorer 7 (on Vista only, wanna upgrade ), Mozilla Firefox 2+, Opera 7.6+, KDE Konqueror 3.5+ support sending the SNI. You can test your browser at Kaspar Brand's SNI testpage. He also has a patch available to make Apache 2.2 mod_ssl SNI capable when compiled against a CVS-version of OpenSSL.

I'm rather sure that spreading SNI capable hosts will also provide new hacking opportunities: Let's assume a system serves both Intranet and Internet traffic. A client contacts the Internet IP with SSL but specifies the Intranet Hostname in it's TLS SNI entry. Guess what will happen? Yup.

Update

02.09.2009: Gee, after two years people still read this blog entry. So I'll point you to a few updates. 2009 is not 2007 SNI has made some slow progress since the original article. But major steps forward only came this summer: Apache has official support for SNI since 2.2.12 (tracking bug). Gentoo has been early to support SNI and Tobias Scheerbaum has written a blog entry on Apache, SSL und SNI in Gentoo (in German) summarizing how it works out of the box. Support for SNI has also been added to Debian (tracking bug) but for now the default config files don't reflect SNI capability yet. Ubuntu will see SNI in Karmic Koala, the release scheduled for next month i.e. "9.10" (tracking bug). Fedora has a SNI enabled Apache from httpd-2.2.13-1.fc11 onwards (tracking bug). Tobias also states that SP3 for Windows XP enables IE6 to send the SNI (SP2 is not sufficient).

Since a baselayout update Apache fails to start on Gentoo at (re-)boot of a server if that server has unused ethernet interfaces.

The symptom is that Apache fails to start on boot although it has been added to the runlevel with
rc-update add apache default

This is caused by recent baselayouts not working properly with more than one eth and not all of them being up.

Thus changing depend() { need net ... } into
depend() { need net.eth0 ... } at the top of /etc/init.d/apache2 will help.

While you're at it you could also add an nice after urandom to the existing depend () construct
and make sure apr and apache are emerged with flag urandom set. Reading from /dev/random to initialize the digest authentication mechanism (or SSL for that matter) might cause apache to block otherwise if there is not enough entropy in the random pool.