Going to WWDC; ICeCoffEE Intel

I’m going to be at Apple’s Worldwide Developers Conference next month, and hope to get a chance to meet all of my friends who have moved California-ward, as well as some people I have only known online. The only other WWDC I’ve been to was in 1999. Things have changed just a bit since the days of Mac OS X DP1 and the just-introduced bronze keyboard PowerBook G3s Apple gave away at the time. Not sure who I’ll be staying with yet, but I’ll be in California from August 5 to 13.

If you have an Intel Mac and are interested in testing the Intel version of ICeCoffEE (and aren’t already in the testing group), please email icecoffee at sabi.net. I’ll work on getting the installer ready this week; if nobody reports any problems, it should be ready to release by the weekend.

Upgraded to WordPress 2.0.3

Comment spam really is annoying, though it’s getting a run for its money from random Unicode glyph-abusing Brazilians I don’t know asking me to be their friend on Orkut. But four requests in one day!?

It seems WP-Cache was causing the weird blank-page-until-reload issues with WordPress 1.5, which translated into no-page-at-all issues in WordPress 2. Since TextDrive finally seems to have a handle on the server-crashing and performance issues (this server has been up for over 31 days), the caching plugin isn’t as imperative as it used to be, though I do like to be nice about using shared server resources where I can.

Quick WordPress 2 review: AJAXification is good. I don’t like the new admin color scheme; looks too much like a bad ripoff of Slashdot. From time to time gigantic fonts appear, for no apparent reason; being on a 1024×768 display, this sucks. The new WYSIWYG editor isn’t perfect (it turned a paragraph break into a line break the first time I posted this message), but it’s a lot better than most I’ve seen. The dynamic resizability of this editing window is especially slick—alternately, you could say we should have had this kind of stuff on the Web 10 years ago :-)

Still, I think I’ll be going back to MarsEdit as soon as I can; hopefully it’ll get some attention in the form of WebKit content-editable support soon. I’m already very addicted to NetNewsWire 2.1’s syncing; even with the known problems, it works well 99% of the time. When RSS feeds get messed up on iTunes, I end up with tens of old podcasting episodes, which is a lot of data to needlessly download. It’d be cool if I could tell it “don’t accept any posts with dates earlier than the newest (or even oldest) preexisting item in the feed”.

If you notice any site flakiness, please let me know. I realize some of the old posts from the PyCS and (especially) Radio sites still have formatting issues; fixing this is on my to-do list, just rather far down it.

Oops.

Paper submitted, and now on to the 8000 things I’ve put off after it. Unfortunately fixing bugs such as the above (which happens when using ICeCoffEE with recent development WebKit versions) may come behind such things as getting my car serviced, and cleaning the apartment. But I’ll try to get to it “soon”.

Update: ICeCoffEE 1.4.3d1 (final release coming in a few weeks) fixes the ICeCoffEE/WebKit incompatibility.

Tastes in fonts; status

Time to put on my curmudgeon hat for a second.

Glyph Lefkowitz presents a font choice as a foregone conclusion: we like the second, antialiased, version better. Some of us don’t—I’ve been using Adobe’s Helvetica, Courier and Times bitmaps since 1986 or so and don’t really see what is so wrong with them. Antialiased versions would be OK, I guess, if you like that kind of stuff, but there’s no reason to use different default fonts to the rest of the planet just because. FreeSans looks enough like Helvetica to pass at a glance, but the others don’t even come close.

I’m not saying people have to set their default Web browser fonts to Times, Helvetica and Courier—I’ve got mine set to Goudy, Univers and Screen, for example—but I’m just saying the standard fonts make more appropriate defaults, since they’ve been that way since Netscape 0.x. (I seem to remember Mosaic used a sans-serif font as the default, but my memory is a bit hazy.) One of the more irritating things about Safari’s font choices is that Lucida Grande has no italic/oblique version, so italic Lucida Grande ends up being forced Helvetica, which is quite a bit smaller. Firefox/Camino algorithmically italicize (slant) Lucida Grande, which ends up looking worse, mainly because they get the metrics wrong in the first place; a properly laid out, slanted Lucida Grande is actually not bad looking at small sizes.

Oh yeah, about all that Mac and hiptop programming I’ve been wanting to do in my “spare time”—it’s not happening any time soon. I’ve got a significant deadline at the beginning of March, and it’ll take every spare cycle I’ve got to finish on time. Luckily the research is finally stuff I’m really enjoying, and as long as I remember to take my allergy medication so I can avoid painful, headache-filled days like today, I should be all set. It might be something people outside my research area care about, too—wouldn’t that be nice? :-)

Updating certificates

Evening at Adler was smaller and more intimate than I expected; the few photos I took are on Flickr. The last week has been rather busy, but in a good way—I’m getting work done. Paper revision is about 99% done, hopefully will be finished today, and I got Abe Fettig’s new Twisted book yesterday, which looks good so far. The annoying DSL outages at my parents’ place that started last week appear to be resolved, though it was an excuse to clean up my Nagios configuration, and get Cacti and Smokeping set up for some additional monitoring. Smokeping is extremely cool and easy to set up on Debian; I’m not sure why I hadn’t heard of it before.

Like many people, I run a bunch of private services for family, and we have our own certificate authority (CA) for SSL access to Web sites, mail, and so forth. When I’m home at Thanksgiving, as part of a larger transition to Mac OS X Server, I’ll probably move at least mail to Kerberos, which doesn’t require all the PKI stuff, but has its own problems.

Every year when Nagios starts bugging me that certificates are about to expire, I end up spending hours tracking down the right way to create a CA, sign certificates, install them, and so forth; for tools that are as widely used as they are, openssl and friends are not particularly user-friendly or flexible.

So, in an effort to save time next year, here’s what I came up with. Before doing the first few steps, you should edit /etc/ssl/openssl.cnf to include sane defaults appropriate to your site.

  • Create a new CA:
    # cd /etc/ssl
    # /usr/lib/ssl/misc/CA.sh -newca
    Accept defaults, except: 
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (eg, YOUR name) [mail.rileys.us]:Rileys CA
    Email Address []:ca@rileys.us
    # mv demoCA rileysCA
    
  • Create and sign a certificate request:
    # /usr/lib/ssl/misc/CA.sh -newreq
    Accept defaults, except:
    Email Address []:postmaster@rileys.us
    # /usr/lib/ssl/misc/CA.sh -signreq
    # install -m 644 newcert.pem /etc/apache/ssl.crt/mail-server.crt
    
  • Extract the private key, removing its passphrase (the passphrase protects the key stored in newreq.pem, not the certificate)
    # openssl rsa -in newreq.pem -out /etc/apache/ssl.key/mail-server.key
    
  • Restart Apache (note that “restart” won’t pull in the new certificate)
    # /etc/init.d/apache stop
    # /etc/init.d/apache start
    
  • Remove the CSR; it’s no longer needed
    # rm newreq.pem
    
  • Copy the CA cert to rileys.us
    # scp /etc/ssl/rileysCA/cacert.pem nicholas@arnold:/var/www/rileys.us
    # ssh nicholas@arnold chmod 644 /var/www/rileys.us/cacert.pem
    
  • Add the CA cert to the Macs
    % curl -O http://rileys.us/cacert.pem
    

    On Tiger:

    % sudo certtool i cacert.pem v k=/System/Library/Keychains/X509Anchors
    

    On Leopard, the above command returns a warning and is ineffective. Instead use:

    % sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain cacert.pem
    
  • Add the CA cert to the Debian machines (OpenSSL)
    # cd /etc/ssl/certs
    # wget -O rileys-ca.pem http://rileys.us/cacert.pem
    # chmod 644 rileys-ca.pem
    # update-ca-certificates
    

Update, February 2007: Recent versions of Gecko-based browsers (and Thunderbird, etc.) give you a very confusing error message claiming that there’s a duplicate serial number, even if the certificate has only expired. (Since I create a new CA certificate every time, I don’t think this is giving me the right answer.) So, you do need to remove the old certificate from the browser’s certificate store before adding the new one.
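
The procedure above leaves an unencrypted private key on disk and distributes the CA certificate over plain HTTP, so a few checks are worth running before serving the new certificate or adding the CA to a trust store. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes a reasonably recent `openssl` on the PATH.

```shell
#!/bin/sh
# Added example: post-renewal checks. Function names are hypothetical.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The CA cert travels over plain HTTP, so compare the downloaded copy with a
# fingerprint taken on the CA host and carried over a separate channel.
ca_download_ok() {   # usage: ca_download_ok downloaded.pem EXPECTED_FP
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# The server certificate must verify against the CA being distributed.
chains_to_ca() {     # usage: chains_to_ca cacert.pem server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The passphrase-free key must belong to the installed certificate:
# compare the public key derived from each.
key_matches_cert() { # usage: key_matches_cert server.key server.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# An unencrypted key should carry no group/other permission bits at all.
key_is_private() {   # usage: key_is_private server.key
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate is still valid N days from now.
valid_for_days() {   # usage: valid_for_days server.crt 30
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

On the CA host, `cert_fingerprint /etc/ssl/rileysCA/cacert.pem` gives the value to pass to `ca_download_ok` on each client before running the trust-store step.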
