Runtux Blog

Update 2009-04-27: There is a new firmware: good support from beronet
Update 2009-04-10: I’ve written a config-utility for the device, available in my rsclib on sourceforge (in python)

I’m now experimenting with the Beronet bero*fos failover switch. I need this for a project where two redundant asterisks should be switched by the bero*fos.
To get the following into proportion: I’m a customer of Beronet and usually like their products. But selling a device for around 700.- Euro we should expect working firmware and working configuration software. Especially since the device sits at a crucial point from a safety point of view: it’s used in scenarios where we want failover capabilities for telephone equipment.
The config-software is open source, so we can work around it’s shortcomings. But there is a firmware bug, setting some configuration variables via web interface has side-effects on other configuration variables. (we can work around that by writing our own config program). So I’d really like a more open design here: I’m voting for open firmware and a hardware documentation. But that might lead to others building the device for less money…
I would also prefer a documentation of the parameter interface in addition to (or instead of) a configuration program. Integrating the device into other infrastructures where we don’t want a binary configuration program requires reverse-engineering. I’ve done that in the following.
In the following I’m referring to berofos Firmware 1.3.3 which is the latest on Beronets webpage and in my device. The berofos tools for Linux on the webpage were apparently last updated in December 2007 and don’t have a version number.
The device has four groups of 4 ports each, A, B, C, D. These can be switched in two scenarios, a fallback scenario, which can connect A-B or A-D and a bypass scenario which can connect A-B and C-D or A-D. The first scenario is useful if there are redundant devices where one device can replace another (e.g. as in our scenario with two asterisk boxes), the second scenario is useful when you have an asterisk connected in between the telephone network and an old PBX. In case the asterisk fails, the PBX can be directly connected to the telephone network.
I won’t rehash the features and documentation of the device here, the berofos docs and tools page has a link to the manual (and to the command-line tool for both, Linux and Windows).
The device has a web-interface and a command-line interface written in C under the GPL version 2 license without a version-upgrade clause. The individual source files refer to a LICENSE file which isn’t included in the distribution.
The web interface has several bugs, some changes of config variables will change variables in other configuration pages. A notable example is the defaults page. In this page the default state of the relais can be set. When changing anything on that page, the device will also change the scenario to bypass.
Worse, when changing the mailserver page (the device is able to notify you via email if something bad happens) the dhcp setting is reset. This means on next powerup the device probably won’t try to get it’s ip via dhcp but use whatever happens to be the currently configured IP address. I didn’t try to reboot the device in this state because I noticed (and was looking for) this side-effect because I was already searching for a pattern in the failures.
Getting the config is easy, it’s under the url http://fos/config.txt where fos is the device. The following text file is retrieved:

bnfos_confmap_magic=0.1
1_sz=0
4_mode=0
1_rm=checked
5_p0=0
1_p0=
5_p1=0
1_p1=
3_dn=
3_ip=10.23.5.100
3_nm=255.255.255.0
3_gw=10.23.5.254
3_dns=10.23.5.254
3_dhcp=checked
3_port=80
3_pwd=
2_mhost=0.0.0.0
2_mfrom=
2_mto=
3_log=
3_loghost=0.0.0.0
6_wen=0
2_wen=
6_wstate=0
2_wintv=60
2_as=checked
2_men=
0_wretv=0

Apparently all configuration variables that influence other variables are in the same group: They have the same number in front.
The bugs of the web interface are not browser-specific. In fact the command-line tools also use the http-interface of the device to set and get options:

% bnfos/bnfos --get scenario -h 10.23.5.100
scenario = 0
zsh: exit 167   bnfos/bnfos --get scenario -h 10.23.5.100
% bnfos/bnfos --set modedef=0 -h 10.23.5.100
Setting modedef succeeded!
% bnfos/bnfos --get scenario -h 10.23.5.100
scenario = 1
zsh: exit 167   bnfos/bnfos --get scenario -h 10.23.5.100

Exit-code of the bnfos tool when querying a variable is always 167. It also doesn’t follow the UNIX mantra for command-line tools: Be silent on success, noisy on error. But we also see here that the bug appears with the command-line tool too: changing the default relais mode also changed the scenario.
When looking with wireshark we see that for setting the variable with the command-line tool it just retrieved the URL /?cmd=1&rm=0 with a HTTP Get-request.
When using the --show switch, output is on stderr so piping the result needs special shell commands ( |& is a zsh shortcut for piping both, stdout and stderr):

% bnfos/bnfos --show -h 10.23.5.100 |& grep dhcp
 dhcp      = 1
zsh: exit 167   bnfos/bnfos --show -h 10.23.5.100 2>&1 |

Setting the mail parameters smtpserv, smtpfrom and smtpto is impossible via the command-line interface. We always the the cryptic error message:

% bnfos/bnfos --set smtpto='10.23.5.5' -h 10.23.5.100
Setting smtpto failed: Could not parse!
zsh: exit 1     bnfos/bnfos --set smtpto='10.23.5.5' -h 10.23.5.100

Studying the code of the config-tool reveals that there are two configuration tables, one in src/beronet/confmap_fos.h named bnfos_confmap which includes all info about the low-level device parameters:

static const struct {
  char *key;
  char type;
  int cmd;
  char *parm;
  char *macro;
} bnfos_confmap[BNFOS_MAX_KEYS] = {
  { "sz"     , 'b', 1, "sz=%s"    , "szenario(0)"},
  { "mode"   , 'b', 4, "mode=%s"  , "mode(0)"},
  { "rm"     , 'b', 1, "rm=%s"    , "config(1,1)"},

  { "p0"     , 'b', 5, "p=0&s=%s" , "pwrport(0,0)"},
  { "p0"     , 'b', 1, "p0=%s"    , "config(2,1)"},
  { "p1"     , 'b', 5, "p=1&s=%s" , "pwrport(0,1)"},
  { "p1"     , 'b', 1, "p1=%s"    , "config(3,1)"},

  { "dn"     , 'h', 3, "dn=%s"    , "hostname(1)"},
  { "ip"     , 'a', 3, "ip=%s"    , "netconf(0)"},
  { "nm"     , 'a', 3, "nm=%s"    , "netconf(1)"},
  { "gw"     , 'a', 3, "gw=%s"    , "netconf(2)"},
  { "dns"    , 'a', 3, "dns=%s"   , "netconf(3)"},
  { "dhcp"   , 'b', 3, "dhcp=%s"  , "config(4,1)"},
  { "port"   , 'p', 3, "port=%s"  , "netconf(6)"},
  { "pwd"    , 'b', 3, "pwd=%s"   , "config(5,1)"},
  { "apwd"   , 'd', 3, "apwd=%s"  , NULL},

  { "mhost"  , 's', 2, "mhost=%s" , "netconf(5)"},
  { "mfrom"  , 's', 2, "mfrom=%s" , "netconf(7)"},
  { "mto"    , 's', 2, "mto=%s"   , "netconf(8)"},
  { "XXXXX"  , 'n', 7, ""         , NULL},

  { "log"    , 'b', 3, "syslog=%s", "config(10,1)"},
  { "loghost", 'a', 3, "slgip=%s" , "netconf(9)"},
  { "logport", 'p', 3, "slgpt=%s" , "netconf(10)"},

  { "wen"    , 'b', 6, "wen=%s"   , "wdog(0)"},
  { "wen"    , 'b', 2, "wen=%s"   , "config(6,1)"},
  { "wstate" ,   0, 6, "wstate=%s", "wdog(0)"},
  { "wintv"  , 'p', 2, "wintv=%s" , "config(8,?)"},
  { "as"     , 'b', 2, "as=%s"    , "config(9,1)"},
  { "men"    , 'b', 2, "men=%s"   , "config(7,1)"},
  { "wretv"  ,   0, 0, NULL       , "wdog(2)"},
};

and one in bnfos/main.c that maps the high-level command-line paramters to the low-level http requests:

/* keyword description for --set / --get */
static struct {
  char *keyword;
  char *descr;
} keys[BNFOS_MAX_KEYS] = {
  {"scenario", "scenario (0=fallback; 1=bypass)"},

  {"mode", "relais mode (0=A--D; 1=A--B or A--B,C--D)"},
  {"modedef", "default relais mode (0=A--D; 1=A--B or A--B,C--D)"},

  {"power1", "state of powerport 1 (0=off; 1=on)"},
  {"power1def", "default state of powerport 1 (0=off; 1=on)"},
  {"power2", "state of powerport 2 (0=off; 1=on)"},
  {"power2def", "default state of powerport 2 (0=off; 1=on)"},

  {"hostname", "device hostname"},

  {"address", "ip address"},
  {"netmask", "netmask address"},
  {"gateway", "gateway address"},
  {"dns", "dns server address"},
  {"dhcp", "query dhcp server (0=off; 1=on)"},
  {"port", "http listen port"},
  {"pwd", "http password protection (0=off; 1=on)"},
  {"apwd", "admin password"},

  {"smtpserv", "smtp server"},
  {"smtpfrom", "smtp sender address"},
  {"smtpto", "smtp destination address"},
  {"smtptest", "trigger testmail"},

  {"syslog", "syslog logging (0=off; 1=on)"},
  {"slgip", "syslog server ip"},
  {"slgpt", "syslog server port"},
  {"wdog", "watchdog enable (0=off; 1=on)"},
  {"wdogdef", "default watchdog enable (0=off; 1=on)"},
  {"wdogstate", "watchdog state (0=off; 1=on; 2=failure)"},
  {"wdogitime", "watchdog intervall time"},
  {"wdogaudio", "watchdog audio alarm (0=off; 1=on)"},
  {"wdogmail", "watchdog alarm mails (0=off; 1=on)"},
  {"wdogrtime", "watchdog remaining time to failure"},
};

I haven’t found a mechanism that keeps these two tables in different source files in sync (they currently seem to be), looks like both tables need to have the matching options in the same place in both tables. The code for matching options to low-level commands just uses the same index to navigate in both tables.
The bnfos_confmap table has a s for the type of the smtp parameters. This type isn’t handled in the config-tool and leads to the cryptic error message above. Patching the table to specify the type h (there is a comment XXX check hostname for validy for that type this checking apparently isn’t done yet, so we can use the code there to parse normal strings) would work. After applying a patch to src/beronet/confmap_fos.h, the sources aren’t recompiled, seems that the Makefile is broken, too. So after a make clean ; make I’m finally able to set the smtp parameters via the command-line interface:

% bnfos/bnfos --set smtpserv='10.23.5.5' -h 10.23.5.100
Setting smtpserv succeeded!

Looking over this again, I prefer to do the following patch that adds support for the ’s’ type:

--- bntools/src/bnfos.c 2007-08-28 09:27:46.000000000 +0200
+++ bntools.hacked/src/bnfos.c  2009-04-09 12:10:46.000000000 +0200
@@ -379,6 +379,14 @@
     set->val = strdup(val);
     return BNFOS_RET_OK;

+  case 's':
+    /* Allow empty strings */
+    if (!val) {
+        val = "";
+    }
+    set->val = strdup(val);
+    return BNFOS_RET_OK;
+
   case 'p':
     {
       int v;

This is a cleaner way to make configuring the smtp parameters work. Turns out that setting the mail gw does not influence the dhcp setting. But in the web-interface, the mail gateway and the syslog server are combined in one page. so trying that:

% bnfos/bnfos --show -h 10.23.5.100 |& grep dhcp
 dhcp      = 1
zsh: exit 167   bnfos/bnfos --show -h 10.23.5.100 2>&1 |
zsh: done       grep dhcp
% bnfos/bnfos --set slgip='10.23.5.5' -h 10.23.5.100
Setting slgip succeeded!
% bnfos/bnfos --show -h 10.23.5.100 |& grep dhcp
 dhcp      = 0
zsh: exit 167   bnfos/bnfos --show -h 10.23.5.100 2>&1 |
zsh: done       grep dhcp

we see that changing the syslog server also changes the dhcp setting like in the web-interface. When looking more closely, we see that the dhcp and the syslog IP are in the same cmd group. Thats the number in column 3 of the bnfos_confmap and the number in from of each line in config.txt retrieved via the web interface.
So the workaround for the bug in the firmware is to write a config program that retrieves all variables in the same cmd group and, when setting one of the variables in that group, also send all the other current settings in the same get-request.
Fortunately the bnfos_confmap table has the command pattern for generating the get-request for each of the variables in column 4 (parm). So it shouldn’t be too hard to write a new config utility (and of course I won’t do that i C either) that works around the firmware bugs.
I already said that I would have preferred an open firmware to fix the bugs at the source, did I?

I’m currently preparing a technical college lecture. The slides for the lecture should become open source. To reduce my overhead I want to use existing source (mainly pictures) from wikipedia.

Open source licensing should really make it easier to re-use material in other open source projects. As far as I can tell the current mess with different documentation licenses does not achieve that goal.

Sad fact: To understand what is possible with the current licensing is nearly as time-consuming as re-creating the material from scratch. So I’ve chosen to document what I’ve learned here, so others may have a faster learning curve and can contribute their experience.

In addition I hope for comments from people involved in the licensing jungle to comment on my views here.

Typically wikipedia pictures come in three license variants, see the Wikipedia Copyrights page, the german version Wikipedia Lizenzbestimmungen has specific sections on picture use:

• Public domain. These can be used without restrictions.
• Gnu Free Documentation License (GFDL)
• Creative Commons Attribution ShareAlike (CC-BY-SA), typically version 2.5 is used by Wikipedia pictures

Some pictures are dual-licensed under GFDL and CC-BY-SA.

Since the GFDL typically is used with a version-upgrade clause, e.g., "Version 1.2 or any later version published by the Free Software Foundation", upgrade to a later version of the license by the user is possible. This is typically not the case with CC-BY-SA.

I’ve decided that CC-BY-SA version 3.0 best fits my license requirements. The GFDL with its front-cover, back-cover and invariant sections is too complicated and CC-BY-SA is much clearer concerning reuse and remix of the material.

One problem I’m having is that when "performing" my slides (thats the term CC-BY-SA is using for e.g. using the slides in a presentation) I want to use either my company logo or I’m forced to use the logo of the teaching institution I’m working for. So I’ve come up with the following addition to the pointer of the licensing terms:

When performing this work (e.g. teaching using these slides) you may use your company and/or teaching institution logo in the header of each slide without putting the logo under the license above. When distributing derived works, make sure you distribute the document without the company or teaching institution logo.

So I’m specifically allowing to use a logo in the header of each slide when performing. I hope this is compatible with the CC licensing terms.

The next problem I’m facing is reuse of pictures. Pictures licensed under a CC-BY-SA license (also earlier than 2.5) shouldn’t pose a problem, because CC-BY-SA explicitly distinguishes derivative work and collective work. Collective work is defined as (cited from version 2.5 of CC-BY-SA as that is the relevant version for most pictures on Wikipedia):

"Collective Work" means a work, such as a periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form, along with a number of other contributions, constituting separate and independent works in themselves, are assembled into a collective whole. A work that constitutes a Collective Work will not be considered a Derivative Work (as defined below) for the purposes of this License.

So I guess my use of the unmodified pictures in slides is collective work not derivative work. That means I can use CC-BY-SA pictures from wikipedia in a CC-BY-SA document that uses these pictures similar to the usage of pictures in Wikipedia articles, even if the version of the CC-BY-SA license is not the same.

The question if I can use pictures licensed unter GFDL in my slides licensed under CC-BY-SA is still not fully clear for me. Since the pictures typically contain the license-version upgrade clause mentioned above, I could use version 1.3 of the GFDL that includes permission to relicense the work under the CC-BY-SA license under specific circumstances — but my interpretation of that clause allows this only for Wikipedia, not for me as a user of the content on Wikipedia.

Putting my work under a dual-license (CC-BY-SA + GFDL) is also not a solution because this effectively constitutes relicensing of the used content.

So the question remains if I can use GFDL pictures in CC-BY-SA slides and if this is permitted by the GFDL. The GFDL has one paragraph (7) on "aggregation with independent works":

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works
of the Document.

So, hmm, are my slides a "compilation with other separate and independent documents or works" — probably yes. Are they in a "in or on a volume of a storage or distribution medium"? Hard to say. My "copyright resulting from the compilation [provided it is a compilation in the sense of GFDL] is not used to limit the legal rights of the compilation’s users beyond what the individual works permit". So I guess I can use these pictures without the GFDL applying to my document (I want to use the CC-BY-SA).

Thats my due diligence investigation before using this material.

But I’m not a lawyer.

Update 2009-03-31: provide signed archive with archive key, add udev rules, add /etc/modules entries, add amd64.
Update 2009-04-05: typos fixed

This is a short howto how I built the debian patches and how you can — as a user — install everything needed for mISDN version 2 and Linux Call Router (LCR) with asterisk chan_lcr running on debian lenny.

I’m providing debian packages for Kernel (v 2.6.28.5), an updated zaptel (debian lenny zaptel doesn’t compile with newer kernels and zaptel wctdm uses some settings for analogue phones that don’t work with german and austrian phone like the “R”-key or optional pulse dialling), finally I’m providing a slightly patched asterisk for larger buffer sizes when playing long tones, LCR and misdnv2user packages originally built by Joerg Dorchain. My misdnv2user is the same as Joergs. The lcr package contains my bug-fix for DTMF digits A-F (also in Joergs packages now) which don’t work in upstream LCR version 1.3 and an updated /etc/init.d/lcr for querying the status of lcr.

I’m also providing source packages, except for the kernel — the kernel is stock kernel.org 2.6.28.5 configured for use of mISDN. The kernel was built using debians make-kpkg from the kernel-package debian package. And the config used for building the kernel is in the binary package.

I hope I can contribute something in order to get mISDN V2 and LCR into debian… in the meantime others may want to uses these on debian stable.

Installation

apt-get install vim less ssh ntp
apt-get install python-dev openbsd-inetd postfix madplay

Add following lines to /etc/apt/sources.list:

deb http://project.runtux.com/asterisk/debian/ lenny main
deb-src http://project.runtux.com/asterisk/debian/ lenny main

If you want to avoid warnings about an untrusted archive key from apt, you should import the following archive key. Save the key to a file and then issue the command
apt-key add file

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQENBEnREAIBCADM8+KpoC/HJUCEsx8KZhGgsX/G3ouR4/xkgIuIPgz+t6JoTisj
9QmymDZKUXSy04WmbLjU/088xD5A9ukOEYxoFCGqwWf1tPOKqN1oKpVCkjJb8Dht
vvebqOCzJSV0nfqmIfkpbX+6dUssx+9u0BiFK3aj/GilkEloZl2g+vIT6fveJtKE
qmxz19vL516TDhsbsv3/AKfNKc7QRpsgvPmnNE2IL0CTgQYs26WtnJASlu1MQpwo
Qfb1PrO7ufq9eO58HjEBdfbSNjalQjVj7vLvE4GQglHULO500H9UlfOm2zpO0Vzs
5lGGbwLJdTpAS3HIRhQAW0pueRsQ8zagMn5lABEBAAG0OFJhbGYgU2NobGF0dGVy
YmVjayAoRGViaWFuLVBhY2thZ2UtS2V5KSA8cnNjQHJ1bnR1eC5jb20+iQE2BBMB
AgAgBQJJ0RACAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ5CizCR9G97ah
pAf/eLRYtPVs1apI3+AVi//8y1/r6uL+IxI/Tlt53jCtX/dy3Q3FeAEJt/7fbvcW
TBDnP5K8vWaYUlHHaz+6lbcQyV/KAH4LKJEKkyoINc9ytG1qEG6z8NPfDmKiEluy
HksgLpAqUBrdZy46iWQhcg7f3fpcUIsHHcXrOd2Ip5G9DL2q4/UoRrhBhHC3GNX7
ERaeAKZTF1JRaVN6KSWPC2+yaNmuGn1yoSChG0Q/bBTgzv2fm9Jzvok546f9LE0q
k2q5PvjlUSMGHHojTzzR6tGhnbw5mOfyMUDDs5LuAN1aWbDatepJgiC+dYasprQ5
pZygpoCASqIhWjjCZd3XI5mAEIhGBBARAgAGBQJJ0nZlAAoJEIO0FkDz/lcw0xYA
njBSGef/4KhZpuspIh6WnLM7ORKNAKCw28et9bUoaGu4ESRpIwtwj4asQoicBBAB
AgAGBQJJ0ncuAAoJEJWCQpSoBzk1hpcD/2KXiuvE2Nm0oOi0jBVEjT/Tu/GGkG5m
lf97/I6TMcJxlMpeBlv9SiJD+/BBQo0MGMxmkCwU4t+eBCBsCVcr/bJnrlrKa4Ab
9SR9WQ8PGrSQ+AwMePCDKngqFd5EERz8bxz4sZKGCxn9JVRQOGp03eKSGDG/Yh0v
FY3v7nV0BUaE
=mPtt
-----END PGP PUBLIC KEY BLOCK-----

Then install:

apt-get update
apt-get install linux-headers-2.6.28.5-i686 linux-image-2.6.28.5-i686 \
    asterisk zaptel lcr zaptel-modules-2.6.28.5-i686

If you’re on the amd64 architecture, you should replace i686 in the packages above with amd64.

and optionally (for misdn_info):

apt-get install misdnv2user

Edit /etc/default/asterisk and set RUNASTERISK=yes. Then make several directories (should be done by a future version of the lcr package):

mkdir /var/run/lcr
chown asterisk.asterisk /var/run/lcr
mkdir /var/log/lcr
chown asterisk.asterisk /var/log/lcr

I’ve also made a start-script for lcr (for use as /etc/init.d/lcr) ,
downloadable at http://project.runtux.com/asterisk/init.d:lcr
this probably should also be part of the lcr package.

Config file examples used for lcr — these pass
everything to asterisk. File /etc/lcr/interface.conf:

[Ext1]
portnum 0
ptp
nodtmf

[Ext2]
portnum 1
ptp
nodtmf

[Int1]
portnum 2
nt
ptp
nodtmf

[Int2]
portnum 3
nt
ptp
nodtmf

I’m using a Beronet 4 port ISDN card, your config will probably differ: This system only expects incoming calls and needs to check on which line a call comes in. So I distinguish all external interfaces as separate interfaces of LCR. I also need to check an interface by calling out via that interface, you probably would want to make all external ports a trunk by grouping them into one LCR interface.

And the routing config needs to match your interface definition. This config will pass all calls — if asterisk is running — to asterisk. If asterisk isn’t running, I’m calling a test application (untested). The context in asterisk will be the interface name. Again, if you’re using a trunk here, be sure to match the routing config with your interface config. /etc/lcr/routing.conf:

[main]
remote=asterisk interface=Ext1 : remote application=asterisk
remote=asterisk interface=Ext2 : remote application=asterisk
remote=asterisk interface=Int1 : remote application=asterisk
remote=asterisk interface=Int2 : remote application=asterisk
default                        : efi

Update /etc/modules to include the following lines (the command appends the lines between cat and EOF):

cat >> /etc/modules << EOF
mISDN_core debug=0x0
mISDN_dsp debug=0x0 options=0x0
hfcmulti debug=0x0
EOF

Linux udev must be configured to correctly set the user for the isdn device(s):

cat > /etc/udev/rules.d/91-isdn.rules << EOF
ACTION!="add|change", GOTO="permissions_end"

KERNEL=="mISDN*",       GROUP="dialout"

LABEL="permissions_end"
EOF

After a reboot asterisk and lcr should be running.

Building

Getting kernel:

wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2.sign
wget http://kernel.org/pub/linux/kernel/v2.6/patch-2.6.28.5.gz
wget http://kernel.org/pub/linux/kernel/v2.6/patch-2.6.28.5.gz.sign

For compilation (zlib isn’t checked by make-kpkg!):

apt-get install kernel-package bzip2 libncurses5-dev zaptel-source \
    zlib1g-dev fakeroot

Compile Kernel:

tar xvf linux-2.6.28.tar.bz2
cd linux-2.6.28
zcat ../patch-2.6.28.5.gz | patch -N -p1 | less 2>&1
cp /boot/config-2.6.28.5-i686 .config
make oldconfig
make menuconfig # just to be sure

For amd64:

make-kpkg --append-to-version -amd64 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot binary > m.out 2> m.err

For i686:

make-kpkg --append-to-version -i686 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot binary > m.out 2> m.err

The following doesn’t seem to work although zaptel is installed:
probably need to unpack /usr/src/zaptel.tar.bz2 into
/usr/src/modules/zaptel (tar file contains modules directory!)
this would save us from the m-a a-i step below. amd64:

make-kpkg --append-to-version -amd64 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot modules > mo.out 2> mo.err
cd ..

For i686:

make-kpkg --append-to-version -i686 --revision 2.6.28.5.1.rsc --us \
    --uc --initrd --rootcmd fakeroot modules > mo.out 2> mo.err
cd ..

Make a debianized zaptel for new kernel:

apt-get install devscripts libnewt-dev quilt libusb-dev asciidoc
svn checkout http://svn.digium.com/svn/zaptel/branches/1.4 zaptel
apt-get source zaptel-source
cp zaptel/kernel/ztdummy.* zaptel-1.4.11~dfsg/kernel
cd zaptel-1.4.11~dfsg
# Add "Fix compilation for newer kernels"
dch -i
dpkg-buildpackage
cd ..
dpkg -i zaptel-source_1.4.11~dfsg-3.1_all.deb
m-a a-i zaptel

The following installs my patched asterisk, I’m modifying some buffer sizes because I want to play long tones (I’m generating a faked modem guard-tone that is needed in a project). You probably won’t need the patches asterisk, but it won’t hurt to install it. The create-patches script is available from
http://project.runtux.com/asterisk/create-patches

apt-get install libreadline5-dev libgsm1-dev libssl-dev libtonezone-dev \
    libvpb-dev autotools-dev libsqlite-dev libspeex-dev libspeexdsp-dev \
    graphviz libcurl4-openssl-dev doxygen libpopt-dev libopenh323-dev   \
    libiksemel-dev libradiusclient-ng-dev freetds-dev libvorbis-dev     \
    libsnmp-dev libc-client2007b-dev libcap2-dev libpq-dev unixodbc-dev \
    libpri-dev
apt-get source asterisk
scp ralf@bee:checkout/own/config/asterisk/create-patches .
cd asterisk-1.4.21.2~dfsg/
sh ../create-patches
# Hunk #1 succeeded at 25 (offset 3 lines).
# Add "runtux.com local buffer-size patches"
# and new version-number 1:1.4.21.2.1~dfsg-3
dch -i # add comment
dpkg-buildpackage -rfakeroot
cd ..

For mISDNuser and chan_lcr I’m using Joerg Dorchains packages with my added patches for DTMF codes A-F.

I’ve recently upgraded to debian lenny. Unfortunately after this upgrade my epson 3590 scanner stopped working. After some googling around I managed to find an rpm package with the binary firmware image. But the package converter alien would not let me convert the file, the message was

Unpacking of 'iscan-firmware-2.8.0.1-48.1.noarch.rpm' failed at /usr/share/perl5/Alien/Package/Rpm.pm line 155.

After some more searching I found debian bugs 518348 and 509444 of which the latter contains a workaround: Seems that the rpm format changed to a compressed format that can be unpacked with lzma. Now unpacking was possible — after all I was only interested in the firmware file — and now my scanner is working again… For the record, unpacking was done as follows:

mkdir iscan-firmware-2.8.0.1
rpm2cpio iscan-firmware-2.8.0.1-48.1.noarch.rpm \
| lzma -d | (cd iscan-firmware-2.8.0.1; \
cpio --extract --make-directories \
--no-absolute-filenames --preserve-modification-time)

Yesterday there was an interesting talk on e-voting @metalab by Goesta Smekal. In the discussion, the audience mostly agreed that e-voting shouldn’t be used because we can never be sure that a machine isn’t modified to do something different from correctly counting votes.

That there may be an incentive to win an election by cheating was pointed out by Bruce Schneier in “Stealing an election” in a 2004 Cryptogram newsletter. Now it’s an old hat that it is possible to hide rogue code that won’t be found by inspecting the source-code since in 1984 Ken Thompson published the computer science classic Reflections on Trusting Trust. Recently it has even been possible for researchers to build malicious hardware — with the budget of a university research lab. Open Source in this case is not an answer to the problem: We can’t be sure that the machine is running our software.

So the question is really: How can each voter be sure that the election is carried out correctly. For inspecting a voting machine — even if this would be theoretically possible and the papers cited above indicate that it’s probably not possible — we need an expert — who can be bribed. With paper ballots an untrained observer can convince himself that the election process is correct. Attacks on the system come at high costs and are detectable with a high probability. So let’s stick to the proven distributed algorithm of casting paper ballots.

Some time ago at linuxwochenende I’ve outlined my current state of reading on alternative money projects and implementations. Slides (mostly english) are online http://runtux.com/events.html and there is even a video of the talk (in german, see linuxwochenende link above for torrent or html download). The funny money in the title refers to a paper by Ted Lewis, “Why Funny Money Will Have the Last Laugh”, Computer, vol. 33, no. 5, pp. 112,110-111, May, 2000 (all citations on the web seem to disagree on the page numbers I’ll have to dig out my copy and see what the page numbers really are) which is probably not very exciting today but got me interested in the subject.

Now I’ve discovered some more interesting bits I want to document here.

I’ve recently discovered OpenCoin via the peer to peer foundations feed. OpenCoin seem to be among the first who tackle money with a scientific approach to money protocols *and* release their code as open source. They’ve started by formulating requirements which are referenced in two preliminary papers on existing crypto protocols:

• Preliminary Report on Chaum’s Online E-Cash Architecture
• Extensions to Chaum’s Blind Signature Scheme and OpenCoin Requirements

In these papers they outline the cryptography to use for their implementation and check these against their requirements. These reports are very preliminary (still contain serious typos for example I’m missing a “not” in section “2.2 Anonymity” in the report on Chaum’s Architecture that distorts the meaning of the whole sentence).

More serious may be that the don’t consider newer approaches to money protocols — this may be due to patent and security considerations: Chaums work is older than 20 years. Protocols that have withstood some time of not being broken might have a higher chance of not developing a serious failure in practice… but it may also be an indication that the field is very wide.

And another sad fact: The web-page of the project is not very lively — the last entries on the wiki are from march this year. Seems that they applied for funding from LGA (London Development Agency) and received that (as indicated on the main page) but never published anything after that. Or maybe they anticipated to receive a funding which never came.

Another interesting project — which actually produced software that is used in practice is Cyclos by the Dutch Social Trade Organisation STRO (used to be called Strohalm).

This is a more traditional approach to a system where a trusted organisation manages a local currency like LETS or barter systems. Also microcredit systems are managed with this system according to their web site.

I’ve recently discussed about money alternatives with Clifford — one thing we couldn’t agree on was if one needs the state as the central authority for issuing money. I argued that there are already many projects (some of the mentioned in the linuxwochenende talk above) doing this today. Cliffords answer was that they’re all backed by the existing money system. I’m undecided on this issue but tend to believe that a local community can agree on a currency without a state. It may even be possible to do something like Terra (a good intro to Terra is on p2pfoundation ). At least we can start now that the existing money system still works (Sort of. Or not. Maybe.).

I’ve now had some time to look more closely into my OpenMoko Neo. The first thing I did was upgrade the device to the new Firmware 2008.9

The needed dfu-util is a Debian lenny package, on my lenny-laptop just one apt-get away. The upgrade steps are well documented on the “Flashing the Neo” page.

I’ve also upgraded the bootloader because I wanted to try to install Debian (on the SD card) and the instructions say to upgrade the bootloader.

After booting into the new version I discovered that the “Settings” icon did nothing. The device would auto-suspend after about 30 seconds when not in use via the touch-screen. Fortunately I had experimented earlier how to get a SSH-connection to the device — I wouldn’t have found out in 30 seconds: The device would suspend and kill a running SSH-session.

The openmoko device comes up as network interface usb0 on the machine you connect the USB to. The IP is 192.168.0.202, you should configure your usb0 network interface to something like 192.168.0.200.

I’m using the Debian package ipmasq on my laptop, so NAT to my internal network for the openmoko was working immediately, I could ping machines on my internal network.

So I held the touch-screen with the left-hand thumb and configured the network: The device comes up with an empty /etc/resolv.conf, you should insert a nameserver line with the IP of a reachable nameserver.

After having a running network (remember I’m still preventing the device from suspending and killing my ssh session with one finger on the display) I installed the package illume-config which adds a little toolbox-icon to the window-manager. With this I was able to finally disable the suspend via the config. After that I did an opkg upgrade of the device and the “Settings” program magically started working.

The first experiment with a phone-call failed, because the called party could not hear me. I had to install alsamixer and turn on the microphone and capture devices. Now calling and being called works fine.

I haven’t experimented too much until now — one of the major roadblocks is a broken input method. The on-screen keyboard is not really suitable for entering commands into an xterm. One of the next steps will be to install Debian on the device.

I’ve recently set up routing for two uplink providers. The advanced routing howto is a good guide for getting routing via several providers running. I’ve observed two points worth mentioning, though.

• When using NAT and several different internal/DMZ networks the source address of packets (in my experiments) doesn’t work reliably for determining the routing table as in the example in the advanced routing howto. It is easier to tag connections with a connmark and copy this mark to the individual packets of the connection. This looks like the following (I’m using the naming from the advanced routing howto):
  
iptables -t mangle -A PREROUTING -i $IF1 -p tcp \
-mstate --state NEW -j CONNMARK --set-mark 1/1
iptables -t mangle -A PREROUTING -i $IF2 -p tcp \
-mstate --state NEW -j CONNMARK --set-mark 2/2
# mark packets with connection mark
# to be usable in routing
iptables -t mangle -A PREROUTING -p tcp \
-j CONNMARK --restore-mark --mask 0x0F

  Then we can reuse that mark to determine the routing table to use:
  
ip rule add fwmark 1 T1
ip rule add fwmark 2 T2

  This can also be reused for routing some services via one and other services via the other interface. Just apply the correct connmark to the connection.
• When using complex routing rules, source validation of the Linux Kernel can get into the way, thanks to Peter Holzer for pointing this out. There are special files in
  
/proc/sys/net/ipv4/conf/*/rp_filter

  one for each interface and some to apply global defaults. Some Linux distributions automagically set these all to “1″. I’m currently turning all of them to 0 and routing is working now. You know that you might have this problem when packets from an external interface are dropped after PREROUTING and are never seen in the FORWARD chain of iptables. The Linux-Kernel documentation in Documentation/networking/ip-sysctl.txt say this about rp_filter:

  rp_filter – BOOLEAN

  1 – do source validation by reversed path, as specified in RFC1812 Recommended option for single homed hosts and stub network routers. Could cause troubles for complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static routes.

  0 – No source validation.

  conf/all/rp_filter must also be set to TRUE to do source validation on the interface