<?xml version="1.0" encoding="utf-8"?>
<!-- name="generator" content="pyblosxom/1.4.2 8/16/2007" -->
<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN" "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">
<channel>
<title>Tim Retout's blog</title>
<link>http://retout.co.uk/</link>
<description></description>
<language>en</language>
<item>
  <title>Hacking</title>
  <link>http://retout.co.uk/blog/2010/08/30/hacking.html</link>
  <description><![CDATA[

<p>Here in the UK we've had a <a
href="http://en.wikipedia.org/wiki/Bank_holiday">bank holiday
weekend</a>.  Usually I would have gone to Cambridge for the <a
href="http://wiki.earth.li/DebianParty2010">Debian BBQ</a>, but this
year I joined forces with <a href="http://www.xteddy.org/">Thomas
Adam</a> for some <a
href="http://retout.co.uk/blog/2010/08/16/smoothwall_express_on_debian">SmoothWall
Express on Debian</a> hacking.</p>

<p>There are several challenges involved in moving the SWE3 code from
its native distribution to Debian; this weekend we worked around some
of the permissions problems.</p>

<p>On SWE3, the web server and most of the service daemons run as the
user 'nobody'.  This means that the web server can write out
configuration files as the same user as everything else; it can also
read the system log files.  When the web interface needs to run a
privileged action (like setting firewall rules), it sends a command to
'smoothd', which is a daemon running as root.  (Admin ssh access is
always directly as the root user.)</p>

<p>However, web servers in Debian tend to run as user 'www-data',
which does not have permission to read log files.  Similarly, writing
out configuration files as that user would mean that any cgi script
(not just ones in the swe3 package) could modify them.  I would prefer
to run the swe3 cgi scripts as a separate user, and grant this user
permission to view logs etc.  <a
href="http://lists.debian.org/debian-webapps/2010/05/msg00001.html">This
debian-webapps thread</a> makes it sound very easy, but if you want to
do that with cgi scripts rather than fastcgi, I think you have to <a
href="http://blog.steve.org.uk/if_you_were_a_comic_book_character__what_character_would_you_be_.html">run
a separate web server for each user</a>.</p>

<p>On Sunday afternoon, in a dramatic display of corner-cutting, I
gave up on that approach and added www-data to the 'adm' and 'proxy'
groups in the postinst.  Thomas heroically patched all the cgis to
call the "config writers" via smoothd, although I'm wondering whether
some careful use of the chgrp command in the postinst might be better
than running that code as root.</p>

<p>Another hack: in order to actually start a firewall, we needed to
know which network card is the "RED" interface, in SWE3 terms;
i.e. which one is meant to be the public-facing network device.  It's
also nice to know which one is "GREEN".  So two debconf questions and
some hardcoded magic numbers later, we have a basic firewall init
script.  Lovely.</p>

<p>Oh, and at some point I removed the htaccess file, so any user on
your network can mess with your firewall.  Should probably fix
that.</p>

<p>Today I started <a
href="http://git.debian.org/?p=collab-maint/swe3-iso.git">some awful
scripts</a> which use <a
href="http://wiki.debian.org/Simple-CDD">Simple-CDD</a> to build an
iso containing all the packages we want.  We are going to need to
extend the networking configuration in the installer to set up
multiple network cards.  Then we need to figure out a nicer way of
assigning IP addresses to devices; unlike on the proprietary version
of the product, there seems to be no web configuration of network
settings in Express.  I've not figured all of this out yet.</p>

<p>So, in summary: we are deliberately trading some technical debt in
order to quickly produce <a href="http://retout.co.uk/2010/swe3/">an
initial release that might interest people</a>.  (But please note the
disclaimer of warranty in the README file in that directory.)  And in
other news, I've been working at Smoothwall Ltd. for just over one
year.  Hmm.  So this is what they call 'experience'.</p>

]]></description>
</item>

<item>
  <title>SmoothWall Express on Debian</title>
  <link>http://retout.co.uk/blog/2010/08/16/smoothwall_express_on_debian.html</link>
  <description><![CDATA[

<p><a href="http://www.smoothwall.org/">SmoothWall Express</a> is a
GNU/Linux distribution geared towards firewalling, with an installer,
a web interface, and some common software like squid that can be
useful when running a small business router.  It is theoretically the
basis for the corporate products of <a
href="http://www.smoothwall.net/">SmoothWall Ltd.</a>, who happen to
employ me; but all opinions here are my own, and I'm not speaking for
them.</p>

<p>Unfortunately, the SmoothWall Express kernel is somewhat "stable",
which leads to problems installing the distro on modern hardware.
There is a new version of Express in the works, but I'm afraid
SmoothWall Ltd. currently has a bit of a "code dump" mentality with
respect to delivering updates to their community, because they don't
recall seeing any significant contributions from outsiders.</p>

<p>At DebConf I created proof-of-concept Debian packages of two
components of Express 3.0: the <a
href="http://git.debian.org/?p=collab-maint/swe3.git">swe3 web
interface</a>, and <a
href="http://git.debian.org/?p=collab-maint/swe3-smoothd.git">the
smoothd daemon</a> which executes privileged commands.  Currently
these can show a basic web interface; some of the less complicated
bits will even run, and I can shut down my laptop using the "shutdown"
button via smoothd.  (Note that I still need to add boring stuff like
debian/copyright files, but I plan to release these as soon as I
can.)</p>

<p>In the near future, hopefully I can implement some of the more
important features (like, er, firewalling), and add some other
components like the traffic shaping and <a
href="http://git.debian.org/?p=collab-maint/imspector.git">IM
filtering daemon</a>.  I'm working towards a demonstration <a
href="http://wiki.debian.org/DebianPureBlends">Debian Pure Blend</a>
that can show off some of the advantages of working with a third-party
distribution as a base.</p>

<p>If anyone would like to help me... send me patches. :) I expect
I'll be blogging my progress occasionally.</p>

]]></description>
</item>

<item>
  <title>Sunny Southampton</title>
  <link>http://retout.co.uk/blog/2010/08/10/sunny_southampton.html</link>
  <description><![CDATA[

<p>On my last night in New York, I didn't sleep much.  At 6am, I said
farewell to Central Park by running round the reservoir, which I
hadn't yet done.  There was a very nice red sunrise to be seen from
the west side.</p>

<p>Unfortunately I didn't sleep much on the flight home either.  The
British accents sounded quite unusual when we landed in Heathrow, and
it was quite confusing not being able to find a Starbucks.</p>

<p>Once I was back home, I crashed, and woke up at 10pm.  I spent last
night clearing the pkg-perl review queue - gregoa is taking a short
break after DebConf.</p>

<p>Then I went running at sunrise again.  This is quite a different
experience to Central Park - first, you have to run 2.5km just to get
to Southampton Common, and secondly it is raining quite heavily.  I
dug out some winter gear that had turned out to be completely
inappropriate for New York.</p>

]]></description>
</item>

<item>
  <title>For future reference</title>
  <link>http://retout.co.uk/blog/2010/08/04/for_future_reference.html</link>
  <description><![CDATA[

<p>I have a relatively new laptop, and have spent some time today
fixing some of the rough edges in my setup.  (One day I'll throw all
the config files into git, or something, but not yet.)</p>
<ul>
<li>
I use zsh, but only in a fairly conservative manner, to emulate/mimic
bash.  All searches on the subject of zsh prompts seem to produce ugly
behemoths from people who have just discovered that the feature
exists.  Here's my effort to copy Debian's normal bash prompt:
<p>
<pre>
PS1='%n@%m:%~$ '
</pre>
</p>
I also "setopt nohup", and copy some useful stuff like ls colour
aliases from .bashrc.
</li>
<li>
Most tutorials on configuring SMTP auth with Postfix are insane.
If your mail provider's CA is in the ca-certificates package, <a
href="http://ubuntu-tutorials.com/2008/11/11/relaying-postfix-smtp-via-smtpgmailcom/">you
can postpone learning openssl yet again</a>.
</li>
<li>I'm trying out <a
href="http://upsilon.cc/~zack/blog/posts/2009/04/xmonad_+_gnome_on_Debian/">an
xmonad/gnome combination</a>, having evaluated awesome (tricky to get
all the details of the gnome integration working) and bluetile (tricky
to get the single-pixel window decoration feel).  So far it works
well.</li>
</ul>

]]></description>
</item>

<item>
  <title>Fireflies</title>
  <link>http://retout.co.uk/blog/2010/08/03/fireflies.html</link>
  <description><![CDATA[

<p>I was up early this morning for the 17km run with bubulle over the
George Washington Bridge and back.  We had an interesting diversion
near the start, as we tried to go cross-country through a woodland
path that slowly disappeared.  I was quite happy to have finished at
the same time as the "real" runners... and grabbed a bagel with cream
cheese for breakfast.</p>

<p>During the day I attended a few talks from the Java track.  I had
afternoon tea with Safir, and then chatted to a few people before the
Cheese &amp; Wine party this evening.  My kettle and teapot were
commandeered to provide Taiwanese tea.</p>

<p>The US supplies electricity at about half the voltage of the UK.
So my US kettle has a power rating of a mere 1500W (compared to 3kW
for my UK one) and takes twice as long to boil water.  Also, if I took
it home, it would probably blow a fuse, I guess.  This is probably why
everyone uses stove-top kettles here.</p>

<p>While walking back from the hacklab to Carman, there were some
fireflies glowing yellow on the corner near where the Columbia flag
flies.  They didn't seem to be there on the way back from the party -
maybe they only shine at dusk.</p>

]]></description>
</item>

<item>
  <title>Tea</title>
  <link>http://retout.co.uk/blog/2010/07/31/tea.html</link>
  <description><![CDATA[

<p>I'm going insane in this country - the accents, the jaywalking, the
food, the money, the poverty in the heart of Manhattan... suddenly I
appreciate the UK much more.</p>

<p>So I have purchased an electric kettle, and set it up in the Carman
basement, for the moment.  I have also splashed out on a teapot, and
one mug.  (So far I haven't found any other mugs in the place, so bear
that in mind if you wish to join me - $2.49 from the homeware store
across the street.)  I have brought two boxes of Twinings tea from the
UK, and in the unlikely event that it runs out there are some brand
names I recognise in the Westfield Market.</p>

<p>In the spirit of US philanthropy, I intend to donate this equipment
for the betterment of Columbia University when I leave.</p>

]]></description>
</item>

<item>
  <title>Reverse build-depends</title>
  <link>http://retout.co.uk/blog/2010/07/29/reverse-build-depends.html</link>
  <description><![CDATA[

<p>I've started to build up to actually doing some development-related
activities.  Maybe.  But first, we've got <a
href="http://en.wikipedia.org/wiki/QR_Code">QR Codes</a> dotted around
the hacklab and on our namebadges if we're taking part in the
keysigning - I persuaded zbarcam (from the zbar-tools package) to
reveal their mysterious secrets.</p>

<p>I'm looking into packaging some Java libraries that use maven.
Fun.  I think I'll be attending some of the talks in the Java track,
although I feel like I'm three years late to the party.</p>

<p>
While trying to find a good example, I wanted to list all packages
which reverse-build-depended on maven-debian-helper.  This must be a
common task?  With some stuff stolen from lamby, I hacked together a
shell alias:
</p>

<p>
<pre>
# List source packages whose Build-Depends or Build-Depends-Indep mention $1.
rbuilddep() {
    grep-dctrl -sPackage -i -r -F Build-Depends,Build-Depends-Indep "\b$1\b" \
            /var/lib/apt/lists/*_Sources \
        | awk '{ print $2 }' \
        | sort \
        | uniq
}
</pre>
</p>

<p>But this surely can't be the last word on this.  For one thing, it
might also be useful to recursively find these reverse dependencies.
I hope I've missed some obvious way of doing this.</p>

<p>I reckon my attention span has got really poor over the last couple
of years.  More running tomorrow morning.  But first, ice cream, I
think.</p>

]]></description>
</item>

<item>
  <title>Running around</title>
  <link>http://retout.co.uk/blog/2010/07/27/running_around.html</link>
  <description><![CDATA[
<p>So apparently the route I took round Central Park is 9.7km, which
explains a lot.  This morning I checked out Morningside Park, but it's
really too small for running - there's a loop of about 400m at one
end, and you can go down the long bit to 123rd St, but it gets boring
very quickly.  Most of the park is taken up with a big hill and
stairs.  I'll try Riverside Park on Thursday, or find a shorter loop
at this end of Central Park.</p>

<p>This morning I had breakfast at <a
href="http://nussbaumwu.com/">Nussbaum &amp; Wu</a>, because it seemed
like a good name.  Then I went to Duane Reade down the road (a
pharmacy open 24 hours a day, which is quite impressive), and picked
up some hand soap for a couple of dollars - none is provided in the
bathrooms (and I didn't read the checklist about what to bring).  And
if anyone forgets/loses their wherever-to-US power socket adaptor, the
Best Buy in Union Square has four left.</p>

<p>So far I've missed about three sponsored meals.  In related news,
if you ask for all the salad at Subway in the US, you seem to end up
with something much hotter than in the UK.</p>

]]></description>
</item>

<item>
  <title>Arriving at DebCamp</title>
  <link>http://retout.co.uk/blog/2010/07/26/arriving_at_debcamp.html</link>
  <description><![CDATA[

<p>Yesterday my brother and I checked out of the youth hostel - it was
a nice place, but I think it would have been better if we'd had the
time to focus on the youth hostelling experience.  As it was, I felt
like we were just interlopers peeking into a world where we didn't
belong.</p>

<p>We headed across Central Park and visited the <a
href="http://www.metmuseum.org/">Met</a>, which is huge - and noted
with some satisfaction all the things that came from England.  When we
left, it was raining, and we walked down Fifth Avenue in the downpour.
After so much heat, it was a great relief - but it'll probably be
straight sunshine for a few days now.</p>

<p>After a visit to a Barnes &amp; Noble (which was a novelty, since I
don't think they have a UK presence - I bought a book on jQuery), we
went up the Empire State Building on a whim.  Quite a view, and a
cheesy but informative audio guide.  Then after fetching our luggage
back from the youth hostel, we went our separate ways to our
respective accommodation.</p>

<p>For me, this meant finding Columbia University.  I don't have a
great track record with the whole "taking a note of where I'm meant to
turn up" thing, and this time saw me wandering around the campus
asking directions of people who couldn't understand me.  For anyone
else with the same habits: you want to find the corner of Broadway and
114th St. (you might get off the #1 subway at Broadway and 116th and
walk south), and then proceed down 114th and through the first set of
gates on the left.  There's a green sign on the gates saying something
about "Tech Campus".  The Carman building is the first entrance
immediately on the left after that.  Alternatively you could go
through the main campus entrance on Broadway opposite 115th St, and
follow the path round the large building on your right until you get
to just before the gates.</p>

<p>So then stumbling into all the DebConf people, we went for dinner
at a local restaurant; and later out to a bar.  Now I need to haul my
ass outta bed (it's almost 12pm local time) and find the hacklab, or
maybe breakfast.</p>

]]></description>
</item>

<item>
  <title>New York</title>
  <link>http://retout.co.uk/blog/2010/07/25/new_york.html</link>
  <description><![CDATA[

<p>
Well, I made it to New York, along with my brother.  Yesterday we
walked down most of Manhattan Island - we've been staying in the youth
hostel on 103rd street, and made our way on foot as far as Battery
Park.  Along the way, we visited McDonalds (twice) and Starbucks (was
that two or three times?), both featuring free wifi and air
conditioning.  We went up the Rockefeller Tower as well, and got a few
photos out of that.
</p>

<p>
It's really quite warm here.  It's shorts and sandals weather (just
like last year in Spain), and I'm tired of walking in sandals.
</p>

<p>
Interesting differences from the UK: the New York Times crossword is
quite different from what we call crosswords.  I think Monday's one is
meant to be easiest, so perhaps starting with Saturday's was not a
good plan.  There are water fountains dotted around the city, which is
awesome.
</p>

<p>
This morning I went running around Central Park.  Except it's tougher
than it looks - I'm not sure whether it was the humidity, or the
inclines, or not eating anything before setting out... I ended up
walking most of the second half, and it took half an hour more than I
thought it would.  I ran counter(anti-)clockwise - I think it would be
better to go clockwise, because there's a hill in the corner with a
steep side that I'd prefer to run down rather than up.
</p>


]]></description>
</item>

</channel>
</rss>
