Fifth wedding anniversary, the RPG

By Christine Lemmer-Webber on Fri 30 May 2014

We had an awesome wedding anniversary today... 5 years! Morgan didn't know I had planned something ahead of time. I'm not good at surprises, but this time I managed to pull off a surprise, and I think with massive style.

So, some context. First of all, a number of my friends and I, and I guess me especially, have kind of become tabletop role playing game nerds over the last year. We've been playing a wide variety of games, especially in Fate (the basis of which is under a free culture license!), from space adventures to crime dramas to German-esque fairytale stories to some rather silly holiday adventures, to large scale inter-kingdom dramas. Though we have played some games in the style of $STANDARD_FANTASY games (what most people think of when they think of tabletop RPGs), most of the stuff we've been playing has been more narrative even then, and less about straight up monster-killing dungeon crawling.

We have played some games in the category of $STANDARD_FANTASY though, and one in particular has a character that my spouse Morgan plays in, a sort of "professor of magic history" (yeah, people who know Morgan may notice some overlaps) who uses jewelry to actually power up her abilities, but isn't particularly innately magically inclined. Morgan is not really one for fancy jewelry, but she does like the engagement ring that I got her, which is a bit fancy. When she plays as this character, she actually dresses up for it, and wears some matching earrings as well.

So anyway, today we played a game in that universe, and I GM'ed (my brother and his girlfriend also participated, they were awesome). Morgan was arriving in a somewhat swashbuckling'y type city, so I compelled her that she probably would have to remove her ring (the source of half her magic) until she figured out a way to get some sort of protection from thievery in the city. I figured this would piss off Morgan... I didn't realize how much. "I'm not playing a game with you if you take away my jewelry." She eventually accepted the compel after encouragement from other players, but she was pretty fuming'ly mad about it. "You're making me take off my engagement ring on our anniversary?" (Morgan had thought I had accidentally planned this game on our anniversary without realizing it. She didn't realize that for once in our lives, I was being smooth about things.)

It was a good game generally. There was an artifact delivered, etc etc. By the end of the game, an NPC said "Oh, thanks, I think I have a jewel that matches yours... I can't really use it because it's for fire magic users only. Now where did I put that?"

In real life I shuffled through some drawers looking and pulled out a small beat up looking urn. "Careful, this thing is hot. Only fire magic users seem to be able to open it with no problem."

Of course her character did, and of course she was able to bypass the "smoke" (white tissue paper) no problem. And what was inside? A pendant that perfectly matches her ring. ("Conflict-free" in real life, supposedly, to the extent those things are true. Also, aside from her engagement ring, this is the only piece of jewelry I have ever bought Morgan. We're not really that much of jewelry-presents type people, but I think an exception here was successful.) Oh yeah, and in-game the pendant gave her a fate-point-activated fire shield that can give her an offensive-defense against people trying to pickpocket her or doing melee attacks.

It was a stunt for sure, but it worked. It extra worked because usually I am such a doofus, and I did piss off Morgan by compelling her earlier, and it looked like there were a bunch of bits that turned out to be just me making stupid mistakes that then turned around and made the end reveal awesome.

Somehow I pulled off that stunt, all the players seemed to have a good time generally, I didn't give it away beforehand (usually I'm not so successfully sneaky), and yes, my intentional-though-appearing-accidental pissing-off maneuvers really did make the final result more fun for everyone. Success!

Anyway, so that's that. Morgan told me I'm the best, and nerdiest, husband ever, so I'll gladly take all of that.

Happy fifth anniversary, Morgan. Here's to many more.

A sweet and savory cabbage recipe

By Christine Lemmer-Webber on Sat 24 May 2014

There's plenty of interesting things to talk about lately, and I'll get to them soon. I'm on something I've titled "research-cation" where I'm still kind of working, but it's also kind of like vacation, but really I'm mostly working on doing research for MediaGoblin's future.

In the meanwhile, I'm back in diet mode, basically because the MediaGoblin campaign was hard on my health. But also, the tooling I had in orgmode was never that great, so I've revamped org-diet. I might write a separate post on this... there's a lot of reasons why I did the revamp (it's not in master yet, but in the date-tree branch). I'm now doing daily uploads of my current health status which you can view here (yes, org-diet now is super flexible about generating reports).

I'm not going into details on that in this post, but I did recently just re-make one of my favorite recipes of all time with a number of adjustments. I forgot just how good it is. Anyway, here it is:

Ingredients Calories Quantity Total
head cabbage 290 1 290
tbsp olive oil 119 1 119
Westsoy baked tofu square 90 4 360
medium onion 44 1 44
can kidney beans 385 1 385
apple 71 2 142
tbsp nutritional yeast 25 2 50
tbsp vegetarian bullion 0 1.5 0
tbsp tamari / braggs liquid aminos 0 2 0
tbsp cornstarch 30 1/3 10
clove garlic 4 4 16
Total   8 177

This recipe is cheap, healthy, and most importantly, delicious. It has very few calories (a mere 177 calories... that's nothing!) but tastes pretty amazing. I usually start some rice in the rice cooker before I kick this off<*ENTITY*>additional-char8230 put in two cups and that's a mere 120 calories on top of this. Only 297 calories! Despite that, it's quite filling. (Tasty, too!)

The nutritional yeast is optional, but I like it. You can use whatever bullion you like, but I like the Frontier Natural Products beef-ish tasting vegetarian bullion. Alternately, adding brewers yeast and a bit more salt is great.

You also don't have to use the westsoy baked tofu. You could use any other protein here. A lot of other kinds you have to fry up in advance though, and the westsoy stuff is already done and tastes great and I'm lazy. If you don't have tamari or liquid aminos, just up the bullion.

This makes 8 servings! It usually takes me about 50 minutes to make but I'm slow.

Okay, so! Here's my recipe. You're going to need a large pot, a large cutting board, and a large mixing bowl.

  • Get out a large cutting board and chop up cabbage. You want it in pieces probably, though if you prefer tiny ribbons that's fine. Set aside in mixing bowl.
  • Chop onions and, if you like, a couple cloves of garlic. Chop up the apples into chunks or wedges. Personally I like wedges.
  • Take your large pot, add the olive oil (or whatever oil really) and onion (also garlic if using). Saute that for a few minutes, until it starts to brown. Add apple and saute a bit longer, until the apple starts to brown a little.
  • Add a cup of water and stir around the ingredients for about two minutes.
  • Dump in the cabbage into the pot. It'll seem like a lot and like you'll never be able to stir this thing. (I told you to get a big pot!) Don't worry, it cooks down.
  • Add salt and pepper. Add some more water<*ENTITY*>additional-char8230 I think I usually add about 1 more cup at this point. Stir around the cabbage in and out of the water as best you can for a minute or so. Then cover the pot and let it cook down for five minutes.
  • While the cabbage is cooking, chop the baked tofu into cubes, or tear it apart with your fingers if you get grossed out by cubes of tofu.
  • Return to the pot. The cabbage should be a bit more cooked down now, but not quite there. Add bullion, nutritional yeast, and tamari/liquid aminos. Open the kidney beans and pour the excess liquid right into the pot. Add more salt and pepper if you like. Now stir that stuff. Get that cabbage in and out of the broth!
  • At this point you need to let the cabbage cook down. I usually let it cook down a little bit less than half way. Stir it occasionally.
  • Stir together the cornstarch in 1/4 cup of water. You're trying to make a small slurry that'll thicken the broth into a kind of gravy.
  • Open the pot and pour the cornstarch in and add the tofu. Time to start stirring again. Stir stir stir!
  • Give it a few minutes and the sauce should thicken. The cabbage should become tender but not totally mushy. When you hit that point, stop cooking.
  • Serve with rice or some kind of grain. I usually put a tablespoon of cheap parmesan cheese on top too, but whatever you like, go for it.

Enjoy!

Empathy for PHP + Shared Hosting (Which is Living in the Past, Dude)

By Christine Lemmer-Webber on Sun 30 March 2014

After I wrote my blogpost yesterday about deployment it generated quite a bit of discussion on the pumpiverse. Mike Linksvayer pointed out (and correctly) that "anti-PHP hate" is a poor excuse for why the rest of us are doing so bad, so I edited that bit out of my text.

After this though, maiki made a great series of posts, first asking "Should a homeless person be able to 'host' MediaGoblin?" and then talking about their own experiences. Go read it and then come back. It's well written and there's lots to think about. (Read the whole thread, in fact!) The sum of it though is that there's a large amount of tech privilege involved in installing a lot of modern web applications, but maiki posts their own experiences about why having access to free software with a lower barrier to entry was key to them making changes in their life, and ends with the phrase "aim lower". (By the way, maiki is actually a MediaGoblin community member and for a long time ran an instance.)

So, let's start out with the following set of assertions, of which I think maiki and I both agree:

  • Tech privilege is a big issue, and that lowering the barrier to entry is critical.
  • PHP + shared hosting is probably the lowest barrier to entry we have, assuming your application falls within certain constraints. This is something PHP does right! (Hence the "empathy for PHP" above.)
  • "Modern" web applications written in Python, Ruby, Node, etc, all require a too much tech privilege to run and maintain, and this is a problem.

So given all that, and given that I "fixed up" my previous post by removing the anti-PHP language, the title I chose for this blogpost probably seems pretty strange, or like it's undoing all that work. And it probably seems strange that given the above, I'll still argue that the choices around MediaGoblin were actively chosen to tackle tech privilege, and that tackling these issues head-on is critical, or free software network services will actually be in a worse place, especially in a tech privilege sense.

That's a lot to unpack, so let's step back.

I think there's an element of my discussion about web technology and even PHP that hasn't been well articulated, and that fault is my own... but it's hard to explain without going into detail. So first of all, apologies; I have been antagonistic towards PHP, and that's unfair to the language that currently powers some of the most important software on earth. That's lame of me, and I apologize.

So that's the empathy part of this title. Then, why would I include that line from my slides, that "PHP is Living in the past, Dude", in this blogpost? It seems to undo everything I'm writing. Well, I want to explain what I meant about the above language. It's not about "PHP sucks". And it does relate to free software's future, and also 5factors into conversations about tech privilege. (It also misleading in that I do not mean that modern web applications can't be written in PHP, or that their communities will be bad for such a choice, but that PHP + shared hosting as a deployment solution assumes constraints insufficient for the network freedom future I think we want.)

Consider the move to GNOME 3, the subject of Bradley's "living in the past" blogpost: during the move to GNOME 3, there were really two tech privilege issues at stake. One is that actually you're requiring newer technology with OpenGL support, and that's a tech privilege issue for people who can't afford that newer technology. (If you volunteered at a FreeGeek center, you'd probably hear this complaint, for example.) But the other one is that GNOME 3 was also trying to make the desktop easier for people, and in a direction of usability that people expect these days. That's also a tech privilege issue, and actually closer to the one we're discussing now: if the barrier to entry is that things are too technical and too foreign to what users know and expect, you're still building a privilege divide. I think GNOME made the right decision on addressing privilege, and I think it was a forward-facing one.

Thus, let me come back around to why, knowing that Python and friends are much harder, I decided to write MediaGoblin in Python anyway.

The first one is functionality. MediaGoblin probably could never be a good video hosting platform on shared hosting + PHP only; the celery component, though it makes it harder to deploy, is the whole reason MediaGoblin can process media in the background without timing out. So in MediaGoblin's case (where media types like video were always viewed as a critical part of the project), Celery does matter. More and more modern web applications are being written in ways that PHP + Shared Hosting just can't provide: they need websockets, they need external daemons which process things, and so on.

And let's not forget that web applications are not the only thing. PHP + shared hosting does not solve the email configuration problem, for example. More and more people are moving to GMail and friends; this is a huge problem for user freedom on the net. And as someone who maintains their own email server, I don't blame them. Configuring and running this stuff is just too hard. And it's not like it's a new technology... email is the oldest stable federated technology we have.

Not to mention that I've argued previously that shared hosting is not user freedom friendly. That's almost a separate conversation, though.

I also disagree that things like encryption certificates, which are also hard, don't matter. I think peoples' privacy does matter immensely, and I think we've only seen more and more reason to believe that this is an area we must work on over the last few years. (You might say that "SSL is doing it wrong" anyway, and I agree, though that's a separate conversation. Proably something that does things right will be just as hard to set up signing-wise if it's actually secure, though.)

Let's also come back to me being a Python programmer. Even given all the above, there are a lot of people out there like me who are just not interested in programming in PHP. This doesn't mean there aren't good PHP communities, clearly there are. But I do think more and more web applications are being written in non-PHP languages, and there's good reason for that. But yes, that means that these web applications are hard to deploy.

What's the answer to that? Assuming that lots of people want to write things in non-PHP languages, and that PHP + shared hosting is insufficient for a growing number of needs anyway, what do we do?

For the most of the non-PHP network services world, it has felt like the answer is to not worry about the end user side of things. Why bother, when you aren't releasing your end web application anyway? And so we've seen the rise of devops coincide with the rise of "release everything but your secret sauce" (and, whether you like it or not, with the decline of PHP + shared hosting).

I was fully aware of all of this when I decided MediaGoblin would be written in Python. Part of it is because I like Python, and well, I'm the one starting the project! But part of it is because the patterns I described above are not going away. In order for us to engage the future of the web, I think we need to tackle this direction head-on.

In the meanwhile, it's hard. It's hard in the way that installing and maintaining a free software desktop was super hard for me back in 2001, when I became involved in free software for the first time. But installers have gotten better, and the desktop has gotten better. The need for the installfest has gone away. I think that we are in a similar state with free network services, but I believe things can be improved. And that's why I wrote that piece yesterday about deployment, because I am trying to think about how to make things better. And I believe we need to, to build web applications that meet the needs of what people expect, to make free network services comparable to the devops-backed modern architected proprietary network services of today.

So, despite what it might appear at the moment, tech privilege has always been on my mind, but it's something that's forward-looking. That's hard to explain though when you're stuck in the present. I hope this blogpost helps.

Configuration Management for the People

By Christine Lemmer-Webber on Sat 29 March 2014

One of the things I've talked about in the talks I've been giving about MediaGoblin lately is the issue of deployment. Basically it boils down to the following points:

  • MediaGoblin is harder than we'd like to deploy, but it's probably easier than most other Python web applications. All modern web applications are currently hard to maintain and deploy.
  • We've worked to try to make it so you don't have to know how to be a $LANGUAGE developer (in this case, Python) to deploy MediaGoblin, but once things break you do have to be a $LANGUAGE developer, or know one. (We spend a lot of time answering these things in #mediagoblin. This can be improved if we get proper system packaging though (which is currently a work in progress, at least for Debian. I hope to see it soon...))
  • Even if you get system packaging, that's not enough. You need to do a mess of other things to set up web applications: configure the web server (Apache, Nginx), configure sending mail, configure a bunch of things. And let's not even talk about getting SSL set up right. Oy.
  • The reason people don't see that modern web applications are hard to deploy is because even though they are, there's a team of devops behind the scenes handling it for them.

We can do as good as we can to try to make MediaGoblin's docs easy to understand, but I'm convinced the solution needs to be a layer higher than MediaGoblin. That's probably one of two things:

  • A Platform as a Service solution like OpenShift. (Note, there are other proprietary ones out there, but if it's not free software, what's the point?) These solutions are kind of heavy, but they seem like a step in the right direction.
  • A configuration and deployment abstraction system, like Puppet/Chef/SaltStack/Ansible, etc.

The latter seems like the right solution to me, but it's not enough as-is. The configuration and deployment systems we presently have are too devops-focused. We can't free society by expecting everyone to join the world of devops... for one thing, these tools are way too hard to learn at present, and for second, a world where only the technically elite are free is a pretty nonfree world, really.

(I don't think things like Docker or virtual machine images are the answer. Aside from being pretty heavy, they don't solve the configuration issue.)

But these systems are pretty close. Close enough even! I think we can pull this off. Let's see what we need and what's missing:

  • Needs to have share'able recipes. (Yes yes, people currently do sad, sad things like dumping some recipes to code hosting platforms. That's not the same thing. I want something like an apt repository, but for recipes. (Note, juju might have this... I don't know much about it))
  • Recipes should be pretty simple... based on variables set by the user, or variables interpolated by user-specific settings (all these config management systems handle this, I think)... mostly I like what I've seen of how Salt handles this.
  • There should be an expectation that you should be able to mix and match recipes somewhat. This means some agreements higher up the chain on how we expect a mail server configuration is going to be described, etc. I'm not sure how the standards/governance around this could be best handled.
  • I think a layer on top of all this that's really needed is some kind of web UI for application install and configuration. If I install the MediaGoblin recipe, it may be that a lot of defaults can be set and guessed. But what if I want to turn on the video plugin, and I want to change my authentication system to using LDAP because that's what my company already uses, etc? I think this can be pretty minimal, we can have a specification that both describes config options as well as how to represent them in the web UI.
  • It shouldn't be tied to any one specific platform. Not to a wall wart, not to a VPS, not to a Raspberry Pi. It should be generic enough to work on all of these. Again, I see no reason this can't be pretty minimal.

I've been fielding this by people for a while, trying to quiz all the smarter-than-me-people I know about what they think, but I keep coming back to this. At a dinner at LibrePlanet, all the usual suspects were raised as possible solutions, and none of them seemed to fit. I was happy to hear Joey Hess say, "I think that Chris is right, we need the 'layer above apt' configuration solution." (If that wasn't some reassurance that I'm on the right track, I don't know what would be... if anyone would know it would be Joey...)

(Note: GNUToo suggested at FOSDEM that I should look at LuCI... LuCI always felt a bit clumsier than I'd like when I used it but maybe it does do these things. I don't know if it handling recipes like I said, but maybe? Worth looking into.)

Here's a rough plan on how I'd go about doing this, if I had time to do this (which I don't think I do, though I can help someone kick off the project, and I can make some contributions):

  • Start by investigating Salt (or Ansible?). It's a little bit heavy but not too heavy (the current python package appears to be 2.8mb...). Plan on using the master-less setup. Salt provides a lot of abstractions around installihng packages and a lot of these other things, so that may be a good start.
  • It might be that things need to be paired down to something even simpler, or that Salt is just too hard to build on top of. If so, start simple on recipes. I'd save a dependency graph system as something optional as a "milestone 2" type thing, personally.
  • You need some way to bundle a description of the variables to be provided but also how to represent them configuration-wise to the user. I think a Hy DSL might be the fastest way to start writing up variable descriptions including web represenation, but also embed code to retreive results in case a default is not provided.
  • At this point you should have a command-line tool that you can run, reads your currently installed recipes and your current settings, and executes them.
  • Build a web UI.
  • Figure out how to publish up a public repository of recipes. (May need to be distro specific.)

That's it I think. I think if we had something like this, it would simplify deployment greatly.

Are you interested in taking this on? We should talk! ;)

PS: We'd like to do further research and work into making MediaGoblin easier to deploy over the next year. Our capacity to do that largely depends on how much we're able to raise... consider donating to our campaign!

Edit: Mike Linksvayer makes strong points about previous language around PHP; removed. So, reverting language that makes PHP sounds like a problem, but I'll still argue that it's not actually a full solution (there are configuration issues not resolved by language choice)

Edit 2: I guess I didn't say this, so it's worth saying... a lot of difficulties in modern deployment are because people aren't using system packaging (this includes MediaGoblin's docs, which suggest the breaks-all-the-time-even-though-I-understand-why-but-our-users-don't world of Python packaging... we're waiting on Debian packaging. Real Soon Now, I hope!). Using system packaging certainly solves a lot of these headaches, but it doesn't solve nearly all of them. There's still the issues of configuring things, and there's really a lot... too much!... to configure: mail transfer agents, hooking your application up to the web server, SSL, so on and so on. That's something that hasn't been solved, especially not for non-devops people.

I've started cobbling together something that might solve things for non-devops people, and even devops people both! Maybe it'll see the light of day sometime. In the meanwhile, I'm really interested in other peoples' solutions to the problems described above.

MediaGoblin's campaign for federation and privacy

By Christine Lemmer-Webber on Wed 12 March 2014

The MediaGoblin campaign is live! Well okay... it's been live for a couple of weeks now. I think the video above explains everything we're trying to do pretty well, so maybe you should watch that first. (Better yet, watch it on the campaign page, and hopefully donate while you're at it!)

So our website and campaign page and video and etc try to explain why we think you should donate to the campaign. But I thought I'd write here, also... there's something different, I think, about a personal blog post... some things are more easily said. So let me ramble on a bit.

I guess the easiest thing to open with is the most obvious... it's been an interesting year as in terms of making it clear *why* MediaGoblin matters. The danger of Snowden revelations have made it obvious that a highly centralized internet is a problem.

But awareness alone won't fix the problem, we need to really build solutions. I think just how true this is became obvious to me earlier in the year, when I spoke to another prominent internet activist (I won't name names) who said to me more or less: "The centralized internet is a problem, but we don't actually think we can get people to change their habits, that's too hard. So instead we're focused on talking about the problem and writing up what rights users should have."

I've thought about this line of reasoning a lot. I agree that getting people to change their habits is really hard. And raising awareness and talking about rights are super important. And pushing for governmental reforms are important. But let's face it, the NSA snooping was already breaking laws and violating our rights, and there isn't any evidence that those programs are ending any time soon, especially when it's so easy to keep them going in the present technological environment. We need to build something better. We need to actually build tools and make them usable and even enjoyable so that people can switch away.

To put it another way: when even the most prominent internet activist campaigns are using Facebook, YouTube, and Twitter to complain about the centralization effects those very services help to perpetuate, it shows you how much we need ways to communicate that aren't part of the problem. And that's exactly what we're working on with MediaGoblin.

It's true that these are hard things to do. They take resources, they take time. But we have to do them. And we can do them.

unlock characters

We have an opportunity here with MediaGoblin. If we can hit 1.0 and get federation support into MediaGoblin (which is mostly the first goal of the fundraising campaign), that alone would be huge. But we'd like to do more than that... we'd like to invest resources into making adding federation support easier to python web applications generally, add privacy features, and a bunch more. We've laid out what those goals are specifically in the "Unlock More Features!" section of the campaign page.

MediaGoblin is more than that, too. MediaGoblin is also a vision for what we think the future of free software could be. We work on network freedom issues because in a networked age, without network freedom, there is no user freedom. We work on making the software beautiful because we believe beautiful free software web applications are the only way that free software can be adopted by the world. We support diversity initiatives because we think diversity is important on its own, and because we believe that a diverse project is a better project. We work on messaging and making messaging that tries to be as accessible to everyone as it can, both because free software is something that everyone should enjoy, and without clear explainations of why these things matter, free software will remain a privilege for a technical elite. We believe user freedom belongs to everyone.

If that resonates with you, I encourage you to support our campaign. And consider spreading the word. Anything you do really does make a huge difference.

Thanks, internet. We do it for you.

Life update: Late November 2013

By Christine Lemmer-Webber on Tue 26 November 2013

I thought I'd give a brief "life update" post. In some ways, this is a more me-centric version of a "state of the goblin" post. Life is pretty intertwined with that these days.

I gave my block o' conferencing reflections already, so we'll consider that out of the way. We're also about to put out a new release of MediaGoblin. Stay tuned to the MediaGoblin blog... it'll be an exciting one I think.

What can I say about this last year though? We're nearly at the end of it. For this last year, I ate, breathed and lived MediaGoblin. This has been simultaneously the greatest thing ever, and also super exhausting. I really have not had much as in terms of breaks, role-wise I have worn more hats than I thought I could fit on my head (among other things, this includes writing core architecture, code review, promoting and speaking about the project, plenty of behind the scenes communication, plenty of management and project administration, budgeting things, the project's "art identity", some system administration (though thankfully simonft is helping), grant writing, all the many roles that went into running the crowdfunding campaign and producing the associated video). I'm glad I was an Interdisciplinary Humanities major; it couldn't have been a more interdisciplinary year. I'm also glad I use Org-Mode; it will sound silly, but MediaGoblin could not exist without that program.

And as tiring as it may have been, I am hoping I can continue with it. The MediaGoblin community is... dare I say while admitting tons of bias... one of the best communities I have seen in free software. (Maybe even the best? Again, I am admitting bias! ;))

But Joar Wandborg summarized the situation well:

The challenge at the moment, at least from what I see, is time. MediaGoblin would greatly benefit from more resources, having either one or more funded MediaGoblin developers would greatly benefit the project, as it is now, we have a lot of separate volunteers contributing code, thus putting a lot of work on the lead developer to review code. If we could increase the throughput on reviewing by assigning more people to review it would make the lead developer able to concentrate on increasingly keeping the project coherent and flexible while moving forward.

Well said. :)

On that note, I am simultaneously working on trying to get more resources on board and growing MediaGoblin upward and outward. This is achievable, I believe, and if we can get enough resources in front of ourselves, I think MediaGoblin can easily be sustainable. But to get there, we need to split my role into multiple people. That's hard to do because splitting my role into multiple people requires more resources, but it's hard to do the work to get more resources in while I am the only full time person, even with the amazing, amazing community we have (which is, again, super amazing!). This is solvable, but as a friend of mine accurately described it over dinner, it's a "bootstrapping problem". In the meanwhile, I am also playing a role of trying to bootstrap things just so, but that means actively wearing another hat, one that the MediaGoblin community does not usually see. It's hard not to feel bad while I'm doing that kind of work, because I feel like I am neglecting other things I want to move forward. But it needs to be done. And I think we can and will get there.

On that note, we will be running another crowdfunding campaign. I won't go into details here, but I have elsewhere, and if you're interested, you can read a relevant IRC log. There will be more to say soon, and of course you will hear about it here.

Another way to summarize things: next year I want to wrap up the features we need to get MediaGoblin 1.0 out the door (and that includes federation work) and then work on pushing forward MediaGoblin adoption. Plans are moving ahead on those fronts, and I am feeling optimistic. (One way to advance those plans is, if you or an organization you are working with are interested in running an instance, do it! And even better, if you are interested in funding either us developing relevant features or helping you run an instance, by all means contact me!

By the way, have I mentioned XUDD? I don't get that much time to talk about it, but the very rare times I get to work on code that isn't MediaGoblin (sadly, it's pretty rare) I have been spending on XUDD. In short, I think the way we're writing a lot of asynchronous network applications is wrong, and I think we can massively improve the situation. XUDD is an attempt to show how I think that could happen through an implementation of the actor model in Python. The architecture is shaping up nicely, and I feel good about the ideas and directions of the project. It's too bad it's so hard to allocate time for it. As you may have guessed, this may tie back into MediaGoblin some day, but if it does it will be some time in the future.

Anyway, that's enough of me yammering on for now. I think we've got an exciting year head. Now, back to working on this release!

Block o' conferencing reflections

By Christine Lemmer-Webber on Tue 29 October 2013

So this last month and a half I've done much more conferencing than I normally do; first was GNU 30th where we ran a MediaGoblin hackathon, the Google Summer of Code Mentor Summit 2013 where I ran a federation session and helped Karen Sandler run the Outreach Program for Women session, and the Blender Conference where I gave a talk (which was recorded and uploaded to YouTube, which I suppose I should mirror to MediaGoblin when I get time, or something).

There were a lot of good things that came out of these conferences for me (though I am always worrying while at conferences whether or not I am making the best use of time as it is near impossible to do "normal" tasks there). Spreading news about MediaGoblin was good, and I think I was successful there. More importantly though, I queried a lot of people for advice. I pestered a lot of people to try to get a sense of what's ahead, and I'm grateful to everyone, but especially to Deb Nicholson (as always, as MediaGoblin co-conspirator), Aeva Palecek (who puts up with hearing me think through nearly everything), Karen Sandler, Mike Linksvayer, Bradley Kuhn, John Sullivan, Leslie Hawthorne, Asheesh Laroia, and Ton Roosendaal, who all sat down with me at some point and gave me useful perspectives on how to take various strategies forward for MediaGoblin and related things. Given I'm now nearing the end of MediaGoblin's year of paid work from the MediaGoblin campaign, this was really important for me to figure out how to move ahead with the next year. I feel like I have a good sense of direction now and a set of loose plans that will (hopefully!) work out, and that's really important. Thank you, all, and thanks also to the many people I didn't even list because it would be too long.

I already called them out, but it was really great on this trip especially to talk to and observe Karen Sandler and Ton Roosendaal on the way they organize and plan their respective organizations. Karen gave me a lot of personal advice that I will not repeat here but which gave me some confidence and sense of capability (thanks Karen). I also really admire both what Karen has done with the GNOME Foundation (especially in how it's been branching out to other things with Outreach Program for Women), and I also admire how much of a large universe of things Ton Roosendaal has helped cultivate with the Blender Foundation and Blender Institute. By the way (maybe it helps to know a bit about the Blender community?) I highly recommend watching Ton Roosendaal's "foundation feedback" talk. Maybe one of the most impressive things about Ton's approach to the Blender Foundation (which really is very minimal and just handles being a steward for the code side of things and etc) and the Blender Institute (which is much more ambitious, has a large studio, employs many developers, funds open movie and game projects, and does large and bold things). One thing he talks about is that as soon as the community takes over an activity, such as doing training, the Blender Institute hands it off to the community and stops doing it so it can focus on other things that are not being worked on as strongly. A bold move; many organizations seem to have a super difficult time letting go of something once it's in their domain. But it works well; the Blender Institute focuses on growing the community into new areas, but when those areas are well established to be sustainable externally, just let them be! It's a surprising and refreshing approach in a world where even nonprofits seem to want to establish empires. Additionally, other interesting things happened in that talk and Ton's keynote; UI conversations have been strong and while construtive, somewhat divisive in the community. Ton wrote an article (also discussed in the talk) called (Re)defining Blender and I think it does a good job of reframing the issue in a way that's constructive for everyone.

Related to that, there was quite a bit of racial diversity, but sadly not much gender diversity, at the Blender conference. Sadly I think Blender falls in the intersection of free software communities and 3d graphics, both of which really struggle with gender diversity. Nonetheless, the women who were there all were doing amazing, powerful, and well-respected things, from coding of important Blender tooling, to the authorship of amazing short films, to the use of Blender for fine art, to 3d printing, to anthropological reconstruction, to I am sure some more things from people I did not talk to. But one form of diversity that Aeva and I discussed that we were both impressed by was the large diversity of types of things people are doing; from heart surgery training to animation to games to programming to fine art, people were really all over the place in the things they were accomplishing. That felt really great to see.

Speaking of Blender, it was pretty incredible to hang out in the same room of some of my "childhood heroes"... and by that I mean, I really didn't have many of those since I didn't watch a lot of non-animated television and that seems to be where people pick up their majority of celebrity crushes, and so the age range at which some of my largest "heroes" developed was in late high school and early college, when I became obsessed with free software and especially the Blender community. I had befriended Bassam Kurdali some time ago, but it was also really great to hang out in the room as people such as Andy Goralczyk and Pablo Vaquez and both to talk to them and for them to seem to take me seriously. I told them that if it weren't for being inspired by their creaturey artwork maybe I wouldn't have been so encouraged to continue on with my own creaturey stuff... maybe MediaGoblin wouldn't have a goblin and would be named something else! They seemed appreciative when I showed them Liberated Pixel Cup, the style guide, and the thing I was trying to prove (partly in response to the Open Movie Projects that they had both participated in) that distributed free culture projects are indeed possible if you do enough of the work up front (relevant maybe now due to the nature of the newly announced Project Gooseberry which will be a lot more distributed than previous open movie projects). They both seemed excited and interested (we even talked about how a 3d version of the base could be done, even in the same style), and I felt really happy about that.

There are of course many more things that happened and plenty of other things I can go on about too; maybe one of the more memorable things about this stretch of time was the GNU 30th Hackathon. We had a good turnout:

GNU 30th hackathon turnout

And we were even lucky enough to have all Outreach Program for Women students attend!

OPW students!

I was really happy with this hackathon, and especially the opportunity to have everyone together. As we said goodbye to each person, I felt a little more sad, to the point where when saying goodbye to Jessica Tallon and I split off at the ticketing area at the airport, I was nearly in a funk.

And this leads into something else. At all of these conferences I was asked: will you be coming back? Will we see you next year? Will you come to this other conference our project is running? And there's a temptation to do so... the curse of the traveler raises its head, and I feel that I want to see these people again and that I will miss them when I'm gone (and I will).

But how much conferencing should I do, really? I think the time invested in these conferences was worth it, but I will be glad to be done conferencing for some time. Previously in the year I had been invited to a bunch of conferences and for half a year I avoided all of them because I wanted to get real work done. Let's face it: there's certain kinds of useful work that's done in making connections and establishing/revitalizing community that can be done by conference-going, but it's also quite difficult to do Real Work (TM). (A certain exception: many projects have a role where someone really should be attending more conferences and etc for the pupose of making connections; it should be worked into the expectations of the position that this kills one's capacity to do all sorts of other kinds of work though.)

One thing Ton said in his talk (I'm paraphrasing) was "Every other day I get invited to another conference, and I turn down every one of them. Every conference you go to takes away a week of work, and there's too much work to be done." Too true! While I think I did the right thing by this set of conference attendance, it's time to hole back up in my apartment and get stuff done.

Time to get back to work... and there's plenty to do!

emacslisten (an idea)

By Christine Lemmer-Webber on Fri 11 October 2013

An idea I've wanted to pursue for some time now but never really have had time to work on is some kind of voice-activated emacs interface. (I'm proposing the name emacslisten here partly as a tribute to the super amazing emacspeak, which is kind of the reverse of this accessibility project.) Unfortunately, several attempts of this have been tried, but as far as I know they all rely on Dragon Naturally Speaking. Given that this is nonfree, it's a non-starter for me (not to mention the fact that I neither want to use Windows nor Wine). What to do?

Here's a brief, and I mean really brief, sketch of how I think things maybe could work.

  • Write a python daemon using the gstreamer bindings for pythonsphinx and exposing a d-bus interface. (This tutorial worked for me by the way, though I did have to change gconfaudiosrc to pulsesrc... then it worked.) This will be where commands are actually "listened" from. It might, optionally, have an --interface mode with some kind of gtk dialog.
  • Write an emacs minor-mode to listen to those d-bus calls.
  • Probably, as for how it would work, it would be a bit more vi-style modal, but also contextually modal depending on what major-mode you're in in emacs (yes I know, confusing). So, you could jump in and out of write mode vs different kinds of command mode. Depending on what major mode you're in might affect the kind of commands you're restricted to; this might improve accuracy, since you could set pythonsphinx to a more limited subset of commands. (Presumably you could set up emacs to be able to speak to this process and switch out the command set also.)
  • Just like emacs does every keybinding bound to a lisp function, every vocal command is bound to a function.

Crazy? Probably. Crazy enough to work? Maybe.

I wish I had time to run this project. And admittedly, there's a common, unfortunate pattern amongst hackers that when they're having wrist problems, they're desparate to figure out some kind of voice activated editing software. But when their wrists are okay enough, they're too busy to actually care to invest that time in it.

I can't run this project myself, but I could help with it, if someone else would be willing to take the lead on it. Anyone interested?

EDIT: In case you're wondering, Tavis Rudd's "Using Python to Code By Voice" is definitely an inspiration. As far as I know he hasn't made a release of the software though (he did kindly offer to send me the source at one point, but I didn't want to get Dragon Naturally Speaking, so I never went through with it). It might be a great base though, and anyway, it's definitely a source of inspiration. I'd really love to see a public release of the code!

EDIT / UPDATE 2: I started working on this. Not much to see yet, but you can speak and words appear in the minibuffer. Get it here and help improve it!

Free software password manager roundup

By Christine Lemmer-Webber on Sun 06 October 2013

So, I've had a goofy system that I homerolled for storing randomly generated passwords that I keep encrypted. Let's just say that it's... not ideal and doesn't scale. Really I should be using something that other people have written. So I decided to look around at my options. Here seems to be the best survey of things I could find:

  • lastpass: Irony of putting this first is also the reason in some ways it's first: this is NOT an option, because it's proprietary. That's a non-starter for me already, but it should be an extra non-starter post PRISM. I don't care if the LastPass people say they haven't been contacted/forced to hand over stuff; there's good proof that they could be forced into it. See LavaBit. And if they were forced to do so, you're essentially handing over all your stuff. Also, there's every potential of user stuff all being leaked at once. That's not security.

    Still, people seem to really like the feature set, so this gets a double mention here: it's something that I think is unacceptable/worthless to use, but maybe could be a source of inspiration to free software packages. I've been shown the way the program looks, and it does look and seem to function nicely. That's something free software packages should try to live up to: browser integration with auto form-filling, and a nice, friendly looking UI.

  • FireFox Sync: FireFox Sync is a really cool project; a "least authority" approach to storing passwords, and the fact that you can set up server-side storage of your passwords and have all your machines sync together seems pretty neat, especially because Mozilla can't even read your data. That's pretty exciting.

    However, what advantage would I get of this over setting up my own password sync with something like git-annex? And does it really do much useful for non-browser-things? It's hard for me to tell.

    Still, even though I think it's not for me, I'm glad the project exists. I'm glad that Mozilla took the right way of doing the "even we can't see your data" thing, and I hope that post-PRISM they see the value of this work and keep it as-is!

  • spd: Let's face it, as a plaintext junkie, spd is more or less what I want in a sense... a simple single-file gpg-encrypted password manager. Seems perfect! I could just sync it across machines with git-annex. (And syncing with git-annex, actually, is probably how I want to sync across everything.) It's minimal, and what's extra cool is that it's a good fit for an organization that needs to share passwords; maybe the sysadmins can access X and Y, and the PR people can access Y and Z. spd handles that, and with a simple file format... I think that's pretty awesome. And check out the screenshot on the site. It's so cool and terminal'y, and I like that you can copy-pasta from a terminal, someone can be sitting behind you, and not see what your password... while it still being terminal based! Nice.

    There's just one problem: there's no browser integration. I've been coming to think that browser integration is probably pretty necessary these days to keep up with the massive number of passwords we have to have without reusing the same shitty ones over and over. So, there's that.

    Maybe a browser extension could be added; I don't have the time to write it sadly. Still, the format seems very simple, and probably this is the closest to the kind of system I want on a technical level.

  • pass: Okay so pass is similar to spd, simple, and probably a good solution if you're a command line nerd. I'm still sayin' it could use browser integration.

    It's also apparently written in bash, and just mostly wraps gpg, which I suppose makes it the "git porcelain" of password managers.

    And speaking of git, it does have nice integration with git, though committing passwords (even encrypted) seems a bit weird to me (git-annex seems to make more sense though I have a hard time explaining why I want to drop my history). Maybe more troublesome is if someone gets access to your repo, they can see where all your passwords are, since the usernames / places are just directories. But maybe you don't care about that part being leaked?

  • keepass / keepass2: keepass is free software, and it's had quite a bit of adoption. It seems well used, tested, and liked, and best of all, there's a few browser extensions available... keefox looking the nicest of all of them. Also, it has a single-file db extension system, so that makes it fairly appealing.

    So what's the downsides? It's written in C# for one. Okay, it's still free software, and Mono does work, shut up Chris Webber, don't be ridiculous. But it really feels very windows-y and out of place, not least of all because one of the major UI pieces says "Windows" on it and all of the UI components kind of look like they don't fit totally on my GNOME desktop. The UI also just feels very cumbersome/kludgey so far (it feels a bit like a GNOME 1 or Windows 95 "power user" UI application, if you get my drift), though admittedly I haven't given it much time. Still, of all of these, it probably has the closest to all of the features I've said I want / asked for.

  • KeePassX: KeePassX seems to be the crowd favorite amongst GNU/Linux users. It's much like KeePass but written in QT and C++. So I guesss that reduces my anti-C# bigotry. However, there's no browser extensions. Why not use spd at that point?

    The UI does feel much nicer in GNOME though (and certainly it would be in KDE too). Apparently there's an "autotype" feature, but it's based on the window's title... that seems like a hack... but better than nothing?

  • KeePassC / kppy: Okay, looks pretty cool, a curses based tool using the KeePass 1.X database scheme, Python 3 based, even has a server? No browser integration, but looks promising, as it does have a server... maybe one could be implemented from there.

    However there's some weird code smells in KeePassC, like changing directory to [/var/empty/]{.title-ref} even if it doesn't exist. There's also a kppy which KeePassC uses, which is a general purpose python library to edit such things.

    Maybe a decent base to build things from?

  • GNOME SeaHorse: So, GNOME provides integrated encryption support via a program called SeaHorse. I like GNOME integration, thus I think I'd like this. However, there's also no browser extensions here, and I have a hard time figuring out whether or not I could nicely sync things across machines via git-annex and friends, so... hm.

  • Encrypted plaintext files: Okay, plaintext files plus GPG. It works, right? Except, also no browser integration, and also anyone sitting behind you can read your passwords. Let's stop pretending this is an option.

  • Encrypted org-mode files: Several ways to do it and actually it is probably a little bit less terrible than a plaintext + gpg file: the expansion of sections means you can navigate a bit better, maybe not expose all at once.... hm, you could maybe even hide the passwords with some custom elisp + font locking!

    Okay, except wait, still no browser integration, and I need to stop building systems that work just for me and nobody else in the universe in Emacs + OrgMode. Heh.

There's other options too, but they all seem to have the same problems as the above, or worse.

It really looks like keepass2 + keefox is the best solution that exists yet, but let's be honest... it's not a good solution! It speaks totally to the traditional complaint of encryption tools in free software: they work, we know how to use them in theory, and yet wheen you try to bring them to the end user, they aren't a very pleasant UI experience.

That said, I'd be willing to take a pleasant experience that wasn't really good for everyone, a-la spd, if I could get browser integration... but that's probably admitting I'm not part of the general solution!

EDITS: Added KeePassC and pass. Toned down the KeePassC exuberance after I actually tried it.

EDIT AGAIN: After trying a bunch of things, I'm currently happy with something completely not on this list at all: assword. The name makes it hard to take seriously, but it's great and elegant. Bind "assword gui" to shift-ctrl-p, and it's the simplest system possible: give it a string, and it either makes a new password, which it pastes, or it pastes whatever string you had associated with that string. So. Great. And the technology couldn't be simpler.

Base64 UUIDs in Python

By Christine Lemmer-Webber on Tue 30 July 2013

Hardly even worth writing about, but maybe it's useful to someone. Ever want a base 64 encoded UUID4 in python? I ported the uuid.uuid4() code over for base64 encoding, with a slight cleanup function to make it URL safe.

UPDATE: Making this the most useless blogpost I've already

: written, there's already a urlsave_b64encode method (also, I thus removed the rest of the post above):

>>> base64.urlsafe_b64encode(uuid.uuid4().bytes).strip("=")