Front Page

Nokia's funding for maemo.org is ending: call for donations

Council member, Joerg Reisenweber has announced a need for donations to keep all of maemo.org running as Nokia step back from support: "I have to inform all of you that we're approaching a critical date for all of us: Nokia is about to stop funding our infrastructure and board and council are busy to establish a new set of servers to run all the bits we need to continue with our daily maemo-life. First impact is on this very forum, which we need to either move to a new server until end of the year, or as a last resort find some 500 bucks to buy one more month of operation on the old one, until we established the move end of January then. There are other expenses the board is facing right now to ensure a smooth continuation of services like repositories, wiki, whatnot else."

Apologies for the delay, but there were several logistical aspects that had to be resolved…

Sorry for the chatter post, but if anybody has recommendations for a tool that can build for win, osx, and lin that would be great. The project is an autofools one, mainly coded in 100s of kloc of C++. Builds like a treat on a Fedora machine, can be beaten unto submission to build on osx, and I assume on a suitably tainted windows machine it will gcc into binaries too. At least it has built on those other platforms in the past.

I've had great success with OBS, but that was mainly for Linux packages. It seems OBS can do mingw too, but I've not walked the valley of darkness into building for the more closed platforms on OBS before.

The saucelabs looks pretty cool, but it seems targeted to web code if I am reading it correctly.

The initial plan is to get 24hr rolling packages for all platforms and have feedback as to which day a github commit has broken the package build. It might be nice to have it for each github commit, but I think it would be easy enough to bisect a break given a 24 hour window unless an armada of contributors rushes at the ship.

A separate build issue I've been tinkering with in my mind for a while is grabbing from a github repo and creating android packages. Different code base for this though, mainly some of my n9 apps, as such, preferably for a mixed C++/QML app. But I think for that project I'll wind up taking my chisel and hammer and coming back with a cron job.

Hey former Harmattan peeps. How about we do a little bit of this Jolla stuff after our hours and see where it goes? You never know, and neither have any of the technologies and improvements that we did for Nokia harmed us. It’s at #jollamobile on FreeNode. Btw. Ping me if you are going to FOSDEM. Maybe we can discuss how we can revive some of our Harmattan projects? Personally, I’m thinking about reducing the role of Tracker’s FS miner in Jolla by first refactoring libtracker-extract and adapting buteo to call for metadata extraction instead of letting miner-fs pick the newly added files up. Dead to file system monitoring on phones!

At the same time I’m also working with Calligra a lot lately. Which is by the way awesome stuff. Can’t choose.

Do you know how when you get sick you suddenly cannot remember anything about your life but being sick in the past? With almost every memory gone, all your life is reduced to a series of very similar events that form a parallel reality that, as someone once said, you only get to experience for a short time. WebKitGTK+ hackfests often feel a bit like this, the difference being that this is the kind of disease that you look forward to as a child in order to skip school and stay at home playing video games. A couple dozen hackers sitting in a bright clean room, safe from the rainy weather, programming for hours on end until they have to be literally kicked out of the place. Lots of coffee. A blackboard full of tasks. Tortilla and beers, or pulpo if you are the sort of person that would eat an animal that can predict the outcome of football matches. The parallel life we live for a few days every December, in Igalia‘s Coruña headquarters.

According to Cosimo Kroll (zehjotkah), long-time maemo.org community member and contributor, and Hildon Foundation treasurer, the Maemo Community has stepped up in a serious way, donating more than $1000.00 US in the first 24-hours of the call to support the community.

Thank you, everyone, for your support and dedication to this cause. The Maemo Community is one of the most incredible open source communities around — and, exactly why the Hildon Foundation was formed.

You are the best.

If you haven’t donated yet, please consider it. It is the only way that this community will survive. You may make a contribution (any amount helps) here:

http://hildonfoundation.org/support/

A new version of Billboard, the standby screen customizing app for the N9 has been released and is now available from Nokia Store. It brings some nifty features such as in-line color customization, a battery bar and a battery icon:


The full ChangeLog is available on the Billboard website.
Questions and feedback can be left in the support thread on TMO.

This post contains the meeting minutes for both the 2012-11-30 and the 2012-12-07 meetings. As the person responsible for preparing these minutes and posting them in a timely manner, I apologize to the community for falling behind on them these last two weeks. It is worth noting that since these meetings took place, there has been discussion on the TMO infrastructure topic, both internally and visibly to the community through Board posts, and probably to some extent forum discussion. So the bullets regarding TMO infrastructure issues do not necessarily reflect the latest information by any means.

We’d like to take a minute to unveil the new Hildon Foundation website:

http://hildonfoundation.org

As you’ll see, there is a fairly easy way to donate to the Hildon Foundation and the Maemo Community:

http://hildonfoundation.org/support/

This is the same method that’s being used here on tmo:

http://talk.maemo.org/showthread.php?p=1303767

 

Many IT systems are insecure, others are simply dangerous. Some people argue that this is because the vendors that develop them are ignorant. I think not. However, I do believe they like money. A quarterly report with great numbers is never wrong.

It costs 5-10% more to develop a secure system than a clumsy and insecure system. If the organisation making the system has never worked securely in the past the cost can be up to 25% more, but this rapidly decreases as the processes become embedded. Despite the cost, the investment is worthwhile because higher quality radically reduces downtime, successful hacker attacks and other ills. Not to mention fewer headaches.

When development is placed with an external provider, the problem is that you take the business risk while the supplier delivers to a specification. If security is not included in the specification, then security will not be delivered. Why would the supplier reduce their margins by 5-10%? If a provider includes security in the price when it hasn’t been requested, they may even lose the deal because the customer chooses a cheaper alternative.

There is only one solution. Include security requirements in the contract and follow them up. Believe me, you do not want software that does not meet at least the following:

1. The system should not have any of the SANS 25 programming errors and, if it is a web application, it should not have any security holes in the OWASP Top 10.
2. The supplier should specify which software components, including version numbers, are used to create the system.
3. The supplier should use only standard methods for encryption and signing. All security-related documentation should be available on request.
4. You should have the right to review the security system.
5. The supplier should provide documentation on how the system has been installed, with a minimum of access rights to the operating system and what network traffic is necessary for the system to work in the particular environment.
6. The supplier should indicate the update cycle.
7. The supplier should be able to demonstrate how security is integrated into the system lifecycle.
8. Depending on which comes first, the supplier should provide information on vulnerabilities detected in the system within thirty days or when an update is issued that resolves the problem.
9. The system should log all events and comply with SIEM standards.
10. The system should be able to identify and authenticate users and confirm eligibility. It should comply with open IAM standards.

Really, you should conduct a security analysis to ascertain the right level of security and cost framework. But the above points are a good start. Then you won’t be disappointed by system crashes or being pulverised by hackers. And you can happily throw the headache pills in the bin.

 

Share/Bookmark