<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="https://www.sandelman.ca/mcr//mcr/blog/feed.xml" rel="self" type="application/atom+xml" /><link href="https://www.sandelman.ca/mcr//mcr/blog/" rel="alternate" type="text/html" /><updated>2026-04-19T07:37:02-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/feed.xml</id><title type="html">Michael’s musings</title><subtitle>Michael writes about random things, mostly technology and politics</subtitle><entry><title type="html">Running the Android Emulator in bridge mode</title><link href="https://www.sandelman.ca/mcr//mcr/blog/android/sysadmin/bridging-android-emulator/" rel="alternate" type="text/html" title="Running the Android Emulator in bridge mode" /><published>2026-02-28T00:00:00-05:00</published><updated>2026-02-28T00:00:00-05:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/android/sysadmin/bridging-android-emulator</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/android/sysadmin/bridging-android-emulator/"><![CDATA[<p>A few times in the past decade I’ve worked on Android applications and situations where there is a need to run the emulator with a real wifi network.</p>

<p>I was sure that I’d blogged this before.  The problem: you want to run your Android App connected to an actual WiFi network, where there is mDNS and IPv6, and the like, but the stupid emulator gives you only reverse NAT44’ed networking.   Why in 2026, even, do they still do this?  It’s so hostile to making apps work with IPv6.</p>

<p>The emulator is perfectly capable of connecting its wifi to a tap device.
The “-net-tap” argument is right there!  Read the help on it:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>obiwan-[~/P](2.6.6) mcr 10082 %/corp/projects/android/Sdk/emulator/emulator -help-net-tap

by default, the emulator uses user mode networking which does address
translation of all network traffic. Use -net-tap &lt;tap interface&gt; to switch
to TAP network mode where Android will use a TAP interface to connect to
the host network directly. Android will attempt to configure the TAP
network using DHCP for IPv4 and SLAAC for IPv6. To be able to access the
network that the host is connected to the TAP interface should be bridged
with another network interface on the host.

&lt;tap interface&gt; is the name of a TAP network interface such as tap0. It
is NOT the path to the TAP device, just the name of the device.

NOTE: Using this disables other options such as net-speed, net-delay,
    -dns-server, -http-proxy, -tcpdump, and -shared-net-id
</code></pre></div></div>

<p>I did not find a way in the AVD manager to add this argument.   (Note interesting “-tcpdump” argument)</p>

<p>When I blogged this in 2020, the above -net-tap just did not work.
When I last tried this in 2012, there were missing bits that did not pass the options through properly, and I found the missing few lines through to the qemu.
I tried to fix that with a Gerrit submission, which never got merged.</p>

<p>What’s below works on Linux, not on MacOS or Windows. I doubt it can ever work on Windows, but if you are reading this and running Windows, feel free to hire me to help you switch to a useful operating system.</p>

<p>To make this all work, one needs a virtual adapter (a tap device), and the emulator does not need root to use it.
This can be done with the <code class="language-plaintext highlighter-rouge">tunctl</code> program, which is in both the “uml-utilities” and “vde2” packages (as vde_tunctl).</p>

<p>Just find the emu-launch-params.txt in your
~/.android/avd/Pixel_API_27.avd/ (or whatever your image is called), and add:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-net-tap
5x
</code></pre></div></div>

<p>Where “5x” is the name of the tap device that I have created.  Okay, I first made this at a time when the
Pixel 5 was current.</p>

<p>If your emulator is running, stop it.</p>

<p>How do you make this tap device, and how do you make sure that your userid can open it?</p>

<p>I do the following in my /etc/network/interfaces.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># LAN behind router
auto lan
iface lan inet manual
    bridge_ports shglan0 5x
    pre-up /sandel/bin/tunctl -b -u mcr -t shglan0
    pre-up /sandel/bin/tunctl -b -u mcr -t 5x
    up sysctl -w net.ipv6.conf.lan.accept_ra_defrtr=0
    up sysctl -w net.ipv6.conf.lan.accept_ra=2
</code></pre></div></div>

<p>You can use tunctl from a number of different places.
Historically, I used the one that I had compiled from the user-mode-linux source.
You can also use /usr/sbin/vde_tunctl from the vde2 debian package.</p>

<p>Apparently, you can also now just do:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pre-up ip tuntap add dev 5x mode tap user mcr
</code></pre></div></div>

<p>although I haven’t tried this yet.</p>

<p>I make a bridge that is called “lan”, and I create <em>two</em> ports on this.
I mark them both as being owned by my userid, “mcr”, and then I change the bridge properties in two ways:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>a) I do not accept an IPv6 default route from that network.
b) I *do* accept the router advertisements from that interface, even though I have IPv6 forwarding enabled on my desktop.
</code></pre></div></div>

<p>I do (b) so that I can ssh into the router using the IPv6 ULAs that the router emits.
You might prefer, instead, to put that entire bridge into its own network namespace, in which case your desktop will never directly see it.</p>

<p>On the “shglan0” virtual interface, I happen to run a KVM containing the openwrt image that I wish to debug my android App against. (The app is for controlling the router).  That’s pretty specific to me.</p>

<p>Alternatives: bring up a macvlan interface on your eth0, and bridge that so that Android is on your desktop’s LAN.</p>

<p>Or, as I do, I always put my eth0 into a bridge anyway with:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># The primary network interface
auto trusted
iface trusted inet static
    bridge_ports eth0
    address 172.30.2.21
    netmask 255.255.255.0
</code></pre></div></div>

<p>then I can just pop 5x into the “trusted” interface, if I really want the phone on my trusted LAN.
Or, back again to the private LAN.</p>
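<p>Before starting the emulator, it is worth confirming that the tap device is really usable by your userid and is actually a port of the bridge. The following is an added example (Python, not code from this post): it reads the kernel’s sysfs and procfs views, so it needs no root, and it uses the names above (5x, lan, the uid of mcr, assumed here to be 1000); the root parameter lets the same check run against a constructed tree.</p>

```python
"""Pre-flight check for the -net-tap bridge setup.  Added example, not from
the original post.  Assumes the post's names: tap '5x', bridge 'lan', and
uid 1000 for user 'mcr' (pass os.getuid() on a real host)."""
import os
import tempfile


def _read(path):
    """Return the stripped contents of a sysfs/procfs file, or None if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def check_emulator_tap(tap="5x", bridge="lan", uid=1000, root="/"):
    """Return {check name: bool}; every value must be True before the emulator starts."""
    net = os.path.join(root, "sys/class/net")
    tap_dir = os.path.join(net, tap)
    conf6 = os.path.join(root, "proc/sys/net/ipv6/conf", bridge)
    return {
        # the tun driver exposes tun_flags/owner/group only on TUN/TAP netdevs
        "tap_is_tuntap": _read(os.path.join(tap_dir, "tun_flags")) is not None,
        # tunctl -u mcr / ip tuntap ... user mcr: owner must be our unprivileged uid
        "tap_owned_by_uid": _read(os.path.join(tap_dir, "owner")) == str(uid),
        # bridge_ports shglan0 5x: the bridge lists each port under brif/
        "tap_in_bridge": os.path.exists(os.path.join(net, bridge, "brif", tap)),
        # accept RAs on the bridge even though forwarding is enabled (2) ...
        "accept_ra": _read(os.path.join(conf6, "accept_ra")) == "2",
        # ... but never install a default route learned from them (0)
        "no_ra_default_route": _read(os.path.join(conf6, "accept_ra_defrtr")) == "0",
    }


def build_constructed_tree(root, owner="1000", enslaved=True, accept_ra="2", defrtr="0"):
    """Write a constructed sysfs/procfs tree that mirrors a correctly configured host."""
    tap_dir = os.path.join(root, "sys/class/net", "5x")
    os.makedirs(tap_dir)
    with open(os.path.join(tap_dir, "tun_flags"), "w") as fh:
        fh.write("0x1002\n")  # constructed value: IFF_TAP | IFF_NO_PI
    with open(os.path.join(tap_dir, "owner"), "w") as fh:
        fh.write(owner + "\n")
    brif = os.path.join(root, "sys/class/net", "lan", "brif")
    os.makedirs(brif)
    if enslaved:
        os.symlink(tap_dir, os.path.join(brif, "5x"))  # kernel links bridge ports here
    conf6 = os.path.join(root, "proc/sys/net/ipv6/conf", "lan")
    os.makedirs(conf6)
    for name, value in (("accept_ra", accept_ra), ("accept_ra_defrtr", defrtr)):
        with open(os.path.join(conf6, name), "w") as fh:
            fh.write(value + "\n")


def demo(owner="1000", enslaved=True, accept_ra="2", defrtr="0"):
    """Run the check against a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root, owner, enslaved, accept_ra, defrtr)
        return check_emulator_tap(root=root, uid=1000)


if __name__ == "__main__":
    # On a real host: check_emulator_tap(uid=os.getuid())
    for name, ok in demo().items():
        print(f"{name:20s} {'ok' if ok else 'FAIL'}")
```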

<p>If you live on a laptop, then you likely don’t want to do static IPs, so change “static” to “dhcp”.
Doing the same thing for your wifi probably is better done with some NetworkManager magic, which I don’t know.</p>]]></content><author><name></name></author><category term="android" /><category term="sysadmin" /><summary type="html"><![CDATA[A few times in the past decade I’ve worked on Android applications and situations where there is a need to run the emulator with a real wifi network.]]></summary></entry><entry><title type="html">Emacs Tramp mode throws up listp 0 error</title><link href="https://www.sandelman.ca/mcr//mcr/blog/emacs/tramp-mode-listp-error/" rel="alternate" type="text/html" title="Emacs Tramp mode throws up listp 0 error" /><published>2026-01-11T00:00:00-05:00</published><updated>2026-01-11T00:00:00-05:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/emacs/tramp-mode-listp-error</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/emacs/tramp-mode-listp-error/"><![CDATA[<p>As described some 12 years ago in two stackoverflow posts (which I don’t link
to, because I don’t really want to promote that site)… many people continue
to experience problems where tramp-mode stops working…</p>

<p><em>Messages</em> says:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Wrong type argument: “Wrong type argument”, “listp 0”
tramp-error: Wrong type argument: “listp 0”
</code></pre></div></div>

<p>Yeah, it works with “emacs -Q”, and like some other posters, a run through
debugging one’s init results in it also working.</p>

<p>Even more interesting, it will work with a newly started emacs with my
regular init files.  Then at some point fail.  I have seen this with emacs
versions 26,27,28,29,30.  On Debian 8,9,10,11,12,13, Devuan,Ubuntu 20,22,24 (LTS).</p>

<p>My conclusion is that there is some symbol, probably a function, which tramp
relies upon, or even maybe it provides, and some other package also
uses/provides, and that at some point both elisp packages get loaded.
I looked, and I looked, and I didn’t find it until today.</p>

<p>The clue was in the backtrace:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>signal(wrong-type-argument ("listp 0"))
tramp-error((tramp-file-name "ssh" nil nil "herring.sandelman.ca" nil "/ssw/projects/trentonio" nil) wrong-type-argument "listp 0")
tramp-signal-hook-function(wrong-type-argument (listp 0))
nth(0 0)
(* (nth 0 time) 65536.0)
(+ (* (nth 0 time) 65536.0) (nth 1 time) (/ (nth 2 time) 1000000.0))
(let ((time (or time (current-time)))) (+ (* (nth 0 time) 65536.0) (nth 1 time) (/ (nth 2 time) 1000000.0)))
time-seconds(0)
...
</code></pre></div></div>

<p>I think last time, I spent my time looking at nth.
This time, I looked at the time-seconds… and I found one in my private
elisp directory.  In make-regexp.el.  Why do I have this?  Required by an
ancient bison-mode, and autoloading in certain cases.  Goes back to 2006.</p>

<p>I nuked that file, and restarted emacs, and it was all well.</p>]]></content><author><name></name></author><category term="emacs" /><summary type="html"><![CDATA[As described some 12 years ago in two stackoverflow posts (which I don’t link to, because I don’t really want to promote that site)… many people continue to experience problems where tramp-mode stops working…]]></summary></entry><entry><title type="html">Einaguzi should be able to use his name</title><link href="https://www.sandelman.ca/mcr//mcr/blog/ietf/identity/sd-cwt/truth-and-reconcilation-and-true-names/" rel="alternate" type="text/html" title="Einaguzi should be able to use his name" /><published>2025-09-30T00:00:00-04:00</published><updated>2025-09-30T00:00:00-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/ietf/identity/sd-cwt/truth-and-reconcilation-and-true-names</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/ietf/identity/sd-cwt/truth-and-reconcilation-and-true-names/"><![CDATA[<p>Today (2025-09-30) I was at the Truth and Reconciliation event on Parliament Hill.</p>

<p>Einaguzi spoke.  Here is a link:
<a href="https://www.youtube.com/live/buuty96-prg?si=TwG8wtcGx_ZguDEB&amp;t=4385]">Parliament Hill T&amp;R event</a>
(I wish I had a non-youtube link. I asked aptn.ca for one)</p>

<p>Einaguzi was sent to a “day school” at age six, and it took him a year to figure out who “Richard Kistabish” was, and that it was him. Because that wasn’t his name.
It is now. It’s his legal name.  Changing names is hard and annoying, and yet in a digital age, it should not be.  Fundamentally, this is because governments and institutions still live in the 1980s: computerized, but not actually compute clueful.</p>

<p>Meanwhile there are other people who would like to “repatriate” control over their name.
To control their identity, their pronouns, and what details they reveal to whom.
(PS: “Identity theft” is nonsense. It’s the banks blaming the victim for their own incompetence around inability to compute)</p>

<p>The UK and some parts of Europe now have byzantine age verification rules, which place the onus on private companies to verify their customers, but then do not hold them responsible for doing it wrong.  And the governments and regulators don’t seem to help them get it right.  Canada now thinks we have to do the same thing in order to regulate gambling.</p>

<p>Well, we kinda, almost got it right when it came to the vaccine proofs.
Canada/US went for the JSON form of verified credential, while Europe went for the CBOR form (which is smaller).  Neither quite got the selective disclosure part right.
Nobody should care what your name, age or birthdate is: only if you are vaccinated.
The bouncer at the club also doesn’t care who you are, only if you are over 18.
(or 21. Or..)</p>

<p>Banks shouldn’t even care what your name is.
What they should care about is what your tax identity is, so they can report to the tax authority about how much money you have.
They don’t actually even need to know your tax identity itself, they need to know that you have one, and that when they report to the government, it’s legit.
Think about that: Canadians (SIN) and Americans (SSN) worry about having their numbers disclosed because it means that someone else can use that with another bank to commit fraud.  (Again, that’s the other banks’ problem).
Why should we give a shit?  That’s other banks’ problem.</p>

<p>What do I suggest?
Every Canadian should be (at their option: this needs to be a gradual, incremental process, not that CRA ever listens) issued a Verified Credential (not a blockchain thing, btw) by the Government of Canada.   We <em>will</em> need significant experience since many people will lose access to the private key that is endorsed.   That’s why it has to be done slowly.
Better to have your private key inaccessible and/or accidentally destroyed, than disclosed: we have the technology to do this.</p>

<p>The credential, an SD-CWT if I have my way (see https://datatracker.ietf.org/doc/draft-ietf-spice-sd-cwt/, but coming to an RFC soon), is a <em>selective disclosure</em> credential.
That means that the holder of the credential can decide what details to disclose on a transaction by transaction basis.
It also should mean that they can use the credential to make up as many additional pseudonymous credentials as they wish, signing them with their main credential.
A blinding service would also be necessary, as that signature otherwise reveals who it really is, but this would be part of the service from gc.ca.</p>

<p>But for many things, the blinding is not important.
Einaguzi would use his government issued “Richard Kistabish” credential to sign a new credential giving his name as Einaguzi.
That would immediately satisfy banks, online systems, email systems, etc.</p>

<p>No more “blue verified badge” nonsense.  If you want to be identified online, you can be.</p>

<p>At some point, a government (including a tribal council, etc.) would acknowledge the change (if Einaguzi desires it), and then would issue a new credential, and the chain of signatures would be reversed.
Instead of Einaguzi, legally known as Richard Kistabish, it would now become
legally Einaguzi, (formerly known as Richard Kistabish).</p>

<p>If someone is transitioning,  they would do something similar.
This time they might want a blinded credential as well as a sub-credential.
Most of the time, they would use a blinded credential with their chosen gender and pronouns.   However, if trying to cross the border into some intolerant/fascist country, they might decide to use their original (deadname) credential, if it seemed safer to present that way. (Not my place to decide: there are many complicated tradeoffs here)
When going into a bank for the first time after, they might want the non-blinded credential to prove their (new) identity is replacing their old identity.</p>

<p>Could the Canadian government do this?  I think with the right management it could be done.</p>

<p>Do I think that today’s government (“Shared Services” or CBSA or CRA or Aboriginal Affairs) can manage it?   Not with current leadership.</p>

<p>Could the PM get on board with this? I bet he could.</p>]]></content><author><name></name></author><category term="ietf" /><category term="identity" /><category term="sd-cwt" /><summary type="html"><![CDATA[Today, (2025-09-30) I was at the Truth and Reconcilliation event on Parliament Hill.]]></summary></entry><entry><title type="html">Delegated Credentials (RFC9345) vs Certificate Delegation (RFC9060)</title><link href="https://www.sandelman.ca/mcr//mcr/blog/ietf/tls/identity/delegated-credential-options/" rel="alternate" type="text/html" title="Delegated Credentials (RFC9345) vs Certificate Delegation (RFC9060)" /><published>2025-09-08T00:00:00-04:00</published><updated>2025-09-08T00:00:00-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/ietf/tls/identity/delegated-credential-options</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/ietf/tls/identity/delegated-credential-options/"><![CDATA[<p>https://www.rfc-editor.org/rfc/rfc9345.html describes <em>Delegated Credentials for TLS and DTLS</em>  while https://www.rfc-editor.org/rfc/rfc9060.html describes <em>Secure Telephone Identity Revisited (STIR) Certificate Delegation</em></p>

<p>They sound almost identical, and I insert the abstracts for further thought:</p>

<h2 id="abstract-rfc9345">Abstract (RFC9345)</h2>

<p>The organizational separation between operators of TLS and DTLS endpoints and the certification authority can create limitations. For example, the lifetime of certificates, how they may be used, and the algorithms they support are ultimately determined by the Certification Authority (CA). This document describes a mechanism to overcome some of these limitations by enabling operators to delegate their own credentials for use in TLS and DTLS without breaking compatibility with peers that do not support this specification.</p>

<h2 id="abstract-rfc9060">Abstract (RFC9060)</h2>

<p>The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR.</p>

<h1 id="discussion">Discussion</h1>

<p>While RFC9060 tries to restrict its applicability to telephony systems with the Telephone Number (TN) Authorization List, fundamentally other ecosystems could use this.
RFC9060 essentially allows an End-Entity that has a certificate with the cA = true Key Usage bit set to delegate an identical Subject (and SubjectAltName) to another entity.
No change may be made to the Subject.  In secure telephony as described by STIR, this allows use cases such as allowing a doctor’s smartphone to initiate a (voice) call using the doctor’s office telephone number.</p>

<p>RFC9345 specifies a (D)TLS specific mechanism that is primarily focused on difficulties within Content Distribution Networks that try to keep all nodes serving content up to date in the face of (very) short-lived certificates.  It internalizes the problem of keeping all servers up to date, removing what has proven to be a brittle dependency upon external CAs.
This is acute for very short-lived certificates which might be shorter and need to be reliably renewed over a long weekend.
Longer certificates (even the proposed 100 day lifetime) can more easily tolerate an
operational or network outage that lasts for a few days.</p>

<p>RFC9345 assumes the client will indicate support for the delegated credential.
If it does not then the server in question will need to use a different mechanism such as live network access to signatures as described (dammit: where is that reference).</p>

<p>RFC9345 is a non-ASN.1 certificate delegation: it’s a signed TLS-format object.
It requires new code in the client, while RFC9060 might only require some subtle relaxation of constraints in client PKIX certificate evaluation code.
Some client libraries might need no change at all.</p>
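<p>To make the “signed TLS-format object” concrete, here is an added example (Python, not from this post and not a library’s code) that encodes and parses the RFC9345 DelegatedCredential structure, assembles the exact bytes the End-Entity key signs, and applies the 7-day validity cap a client must enforce. The SubjectPublicKeyInfo, certificate DER and signature bytes are constructed placeholders; actual signing and verification are left to a crypto library.</p>

```python
"""RFC 9345 DelegatedCredential: wire format, signed message and validity window.
Added example; the key, certificate and signature bytes are constructed placeholders."""
import struct
from dataclasses import dataclass

MAX_VALIDITY_SECONDS = 7 * 24 * 3600   # RFC 9345: a DC may not be valid for more than 7 days
DELEGATION_USAGE_OID = "1.3.6.1.4.1.44363.44"  # the EE cert must carry this X.509 extension

# SignatureScheme code points from the TLS 1.3 registry
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804


@dataclass
class DelegatedCredential:
    valid_time: int                      # seconds after the EE certificate's notBefore
    expected_cert_verify_algorithm: int  # scheme the delegated key uses in CertificateVerify
    spki: bytes                          # DER SubjectPublicKeyInfo of the delegated key
    algorithm: int                       # scheme the EE key used to sign this DC
    signature: bytes

    def cred_bytes(self) -> bytes:
        """Credential: uint32 valid_time, uint16 scheme, opaque spki<1..2^24-1>."""
        if not 1 <= len(self.spki) <= 0xFFFFFF:
            raise ValueError("SubjectPublicKeyInfo length out of range")
        return (struct.pack("!IH", self.valid_time, self.expected_cert_verify_algorithm)
                + len(self.spki).to_bytes(3, "big") + self.spki)

    def to_bytes(self) -> bytes:
        """DelegatedCredential: Credential, uint16 algorithm, opaque signature<0..2^16-1>."""
        return (self.cred_bytes() + struct.pack("!HH", self.algorithm, len(self.signature))
                + self.signature)


def parse_delegated_credential(data: bytes) -> DelegatedCredential:
    """Parse the TLS presentation-language encoding; reject truncated or trailing bytes."""
    if len(data) < 9:
        raise ValueError("truncated Credential header")
    valid_time, expected = struct.unpack("!IH", data[:6])
    spki_len = int.from_bytes(data[6:9], "big")
    if spki_len == 0:
        raise ValueError("empty SubjectPublicKeyInfo")
    pos = 9 + spki_len
    if len(data) < pos + 4:
        raise ValueError("truncated after SubjectPublicKeyInfo")
    algorithm, sig_len = struct.unpack("!HH", data[pos:pos + 4])
    sig_end = pos + 4 + sig_len
    if len(data) != sig_end:
        raise ValueError("signature length does not match remaining bytes")
    return DelegatedCredential(valid_time, expected, data[9:pos], algorithm, data[pos + 4:sig_end])


def is_well_formed(data: bytes) -> bool:
    try:
        parse_delegated_credential(data)
        return True
    except ValueError:
        return False


def signature_input(dc: DelegatedCredential, ee_cert_der: bytes, server: bool = True) -> bytes:
    """Bytes the End-Entity certificate's key signs (RFC 9345 Section 4.1.3): 64 spaces,
    a context string, a zero separator, the EE certificate DER, the Credential, and
    the algorithm code point.  Binding the cert DER ties the DC to that exact chain."""
    context = b"TLS, server delegated credentials" if server else b"TLS, client delegated credentials"
    return (b"\x20" * 64 + context + b"\x00" + ee_cert_der
            + dc.cred_bytes() + struct.pack("!H", dc.algorithm))


def check_validity(dc: DelegatedCredential, cert_not_before: int, cert_not_after: int, now: int):
    """Client-side acceptance: the 7-day cap, the DC window, and the certificate's own window."""
    if dc.valid_time > MAX_VALIDITY_SECONDS:
        return False, "valid_time exceeds 7 days"
    if now >= cert_not_before + dc.valid_time:
        return False, "delegated credential expired"
    if now >= cert_not_after:
        return False, "end-entity certificate expired"
    return True, "ok"


if __name__ == "__main__":
    # constructed placeholder bytes: not a real key, certificate or signature
    dc = DelegatedCredential(3 * 86400, ECDSA_SECP256R1_SHA256,
                             b"\x30\x59" + b"\x01" * 89, RSA_PSS_RSAE_SHA256, b"\xaa" * 256)
    wire = dc.to_bytes()
    print(len(wire), parse_delegated_credential(wire) == dc)
    print(signature_input(dc, b"CONSTRUCTED-CERT-DER")[:80])
```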

<p>As both mechanisms ultimately transmit the End-Entity Certificate to the client, the client can look at the properties of all certificates in the chain.
In the case of RFC9060 (Certificate Delegation), the entire subordinate certificate would contain the same relevant extensions as the parent.
In the case of RFC9345, the original End-Entity certificate is transmitted along with a statement from that EE that the signature found in the TLS exchange is to be trusted.</p>]]></content><author><name></name></author><category term="ietf" /><category term="tls" /><category term="identity" /><summary type="html"><![CDATA[https://www.rfc-editor.org/rfc/rfc9345.html describes Delegated Credentials for TLS and DTLS while https://www.rfc-editor.org/rfc/rfc9060.html describes Secure Telephone Identity Revisited (STIR) Certificate Delegation]]></summary></entry><entry><title type="html">Ubuntu 24.04 userns – everything crashes and is slow</title><link href="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/lenovo-ubuntu-24/" rel="alternate" type="text/html" title="Ubuntu 24.04 userns – everything crashes and is slow" /><published>2025-06-18T00:00:00-04:00</published><updated>2025-06-18T00:00:00-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/sysadmin/lenovo-ubuntu-24</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/lenovo-ubuntu-24/"><![CDATA[<p>On Thursday while waiting for something else, I updated my laptop (named
dyas) from ubuntu 22.04 to ubuntu 24.04.  I had been at 20.04 for sometime
because I really dislike the horizontal workspaces that GNOME3/4 forces on
users.  On the whole, I suffer GNOME3 because… you can’t know the water is
cold unless you put a toe in.</p>

<p>I looked a lot at other options.  As I whine about on Friday, the KDE/libqt stuff is just so incredibly ugly, and I’m known for Angry Fruit
Salad UIs… and it wastes so much screen space.    I had upgraded my old
klunker laptop (dooku) to Ubuntu 22 before, and I hated the “new” gnome3 that
didn’t let me stack my workspaces vertically.  (On a dual monitor desktop,
horizontal desktops make sense.  On my laptop… no.)</p>

<p>There is a plugin called V-Shell, which lets you get vertical back.
Alas, it needs ubuntu 23 at a minimum, I learnt… but that was okay, as it was
this lack that was preventing me from upgrading…  Two weeks ago I went to
22, and Thursday I went to 24.  But, today was the first time I rebooted.</p>

<p>Lenovo replaced my battery in Feb.  I had paid for the 3yr warranty on
battery (and the rest of the system, and onsite service).  The replacement
was, in my opinion, a dud.  It was 8hr when new, and was down to ~2h when I
asked to replace it.  The replacement was… 3h.  It went up to 4.5h after a
BIOS update.  This is one reason I chose to run Ubuntu, because they ship
bios firmware and utilities to upgrade it as part of the normal software
management process.   But, still 4h compared to 8h.</p>

<p>After a LOT of emails with Lenovo, where they tried to claim that my battery
was no longer under warranty, they finally agreed as a “one-time” thing that
they’d replace my battery.  As far as I was concerned, their warranty repair
just didn’t work, and the replacement should have some warranty.  Yes, it
took me 2 trips to be sure that it was really not working.
When the laptop was new, I’d do 8h IETF meetings … leaving my charger in my
room.  No more.</p>

<p>They wanted me to ship the laptop to their service center for ~14 days… but
I paid almost $4K for this laptop with all the on-site warranties because I
didn’t want to do that.  They finally agreed as I started to complain that
they were not honoring their warranty, and I started to ask for a refund
of my warranty money.  I don’t know if my credit card would be willing to get
involved (it’s been 30 months), but the threat seemed to help.</p>

<p>So the repair guy with the IBM badge showed up this morning, a bit
unannounced, and I left him to do the repair at the kitchen table, and
returned to an IETF virtual interim meeting.  I returned to find my laptop
apart, and him gone… was he in the bathroom?  Nope, my son.  He was outside
blowing the dust out of the CPU fan… and then returned to re-install it and
re-apply the CPU heat paste.  Very very nice.</p>

<p>I booted the laptop, and battery was at 27% (it was new).  Two hours later, I
went to leave for lunch, and it said I had 9:41h of time!!!</p>

<p>I had noticed the login screen seemed to take awhile to become active.
Weird.  Configured V-shell, got vertical workspaces… tweaked some other stuff.  Nice.</p>

<p>Got to lunch, and started to do stuff… I open a Terminal… and I get a
Blah is not responding, ForceQuit/Wait. WTF?  I try chrome. Dies.  The
terminal finally opens, and I start chrome.  CORE DUMP.  WTF?  Librewolf
starts, but also super slowly.</p>

<p>When in doubt, blame apparmor.  Biggest disaster ever.  It is just stupidly
hard to configure, debug, adjust.  Just a terrible thing.  I really want it
to work,… but it doesn’t.  A sysctl like FreeBSD’s
net.inet.ip.portrange.reservedhigh=0 would probably do much more to help
security, allowing many daemons to run on servers without ever having root.  Of
course, systemd, which re-invents inetd (poorly), is supposed to take care of
that.</p>

<p>Yes, apparmor is complaining about userns denied.  I wander through some
askubuntu and the like.  Apparmor can’t even be turned off with systemctl
properly, you need kernel cmdline arguments.  WTF.  It was bad enough that
policies did not get unloaded when you stopped it…</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
</code></pre></div></div>

<p>and guess what… chrome starts now.  I haven’t rebooted with the apparmor=0
on my kernel yet.   I don’t understand why this is killing performance.  I
was concerned… maybe the 9h battery time is accomplished now by having the
CPU run at some ridiculous low megahertz?  Could still be the problem.</p>

<p>Opening new applications still is taking awhile, but I haven’t rebooted
laptop yet.   I’m trying to save-as in “image-viewer” to move the 9h
screenshot to my “public_html” so I can link to it above, and that’s not
going well.  You can’t switch applications from the mouse when the Force Quit
dialog is up, or the app is broken.  ALT-TAB works.</p>

<p>So is it solved? I don’t know for sure yet. I guess I’ll update this blog
entry when I find out.  UserNS seems like a really good thing, particularly for browsers.
Okay, I rebooted.  I poked around .Xsession-errors, saw “has_option” was not found.
What’s up with that… apt-file says no such program.  Xsession says it is sourced, so maybe it’s a shell function.
Maybe because I tried these other desktops, and started using lightdm rather than gdm3.
I switched back… it’s better… but still not ideal.</p>

<p>Switching tabs in the Terminal seems to definitely invoke the not responding dialogue.
Chrome works fine. Most applications do not.  The not responding dialogue goes away after a few (10?) seconds.
I still suspect CPU heat issues.  Two desktops ago, a 4-core i5 that could run fanless, seemed to do something similar.
I thought I was just running low on RAM, because browser.  But, it turned out my CPU fan had died, and the CPU was just always heat restricting.</p>

<p>I installed lm-sensors, and my (16) CPUs are less than 40C.  They seem to run between 400Mhz and 2.5Ghz, which seems right.</p>]]></content><author><name></name></author><category term="sysadmin" /><summary type="html"><![CDATA[On Thursday while waiting for something else, I updated my laptop (named dyas) from ubuntu 22.04 to ubuntu 24.04. I had been at 20.04 for sometime because I really dislike the horizontal workspaces that GNOME3/4 forces on users. On the whole, I suffer GNOME3 because… you can’t know the water is cold unless you put a toe in.]]></summary></entry><entry><title type="html">Twenty-two trains</title><link href="https://www.sandelman.ca/mcr//mcr/blog/travel/twenty-two-trains/" rel="alternate" type="text/html" title="Twenty-two trains" /><published>2024-11-30T00:00:00-05:00</published><updated>2024-11-30T00:00:00-05:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/travel/twenty-two-trains</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/travel/twenty-two-trains/"><![CDATA[<p>I continue to be very concerned about excessive amounts of airplane travel.
The only good thing I can say about the discount short-haul airlines is that it means that people arrive in other cities without their personal car, and that might mean they  will take more public transit there.
Numerous people have commented how a major attraction for USA residents to visit Disney Land is that they get to visit a walkable city!</p>

<p>My first IETF meeting was in 1996, in LA.
It was IETF35, and I’ve physically been to about 2/3 of the meetings since.
That’s about 60 meetings in total.
I started a list to keep track of how many in-person, and how many remote.</p>

<p>I used to even have a log of how many flights I’d ever been on in my life, and the number was not small.   The list fell apart in 2001…
In 2000/2001, I was turned from a lead software architect at Solidum into a Sales Engineer.
There was just one of me, because hiring good people was hard, and I had three sales people that I supported.
For about 9 months, I travelled almost every week, mostly North American short-haul flights.  I learnt that the “day-trip” to Boston would have turned into a three day trip by the time I landed, as the other sales people allocated my time for sales meetings.</p>

<p>There was a point when I thought of number of flights as a status symbol, and I have colleagues who have gamified the collection of frequent flyer points.
I even have a brother who has perfected the art of arbitrage among loyalty programs to get free travel and stays.  See, for instance <a href="https://estrategiafinancas.com/?p=4503">https://estrategiafinancas.com/?p=4503</a></p>

<p>There are also interesting youtubes about how airlines are really a weird kind of bank, as their loyalty programs are often worth more than the airline.</p>

<p>In Spring of 2019, I was asked to go to RIPE78 in Iceland to talk about a project I was working on.  The logistics were too late, and then WOW Airline collapsed, and many people were also affected.  So I was scheduled to present remotely, but we ran out of time, so I went to RIPE79 in the fall in Rotterdam, and to DESCON in Serbia before that.  This was probably not the first combined trip I did, but maybe it was the most impactful, as I took the poorly regarded train from Belgrade to Zagreb, and then overnight to Berlin, and then after 3 days there, to Rotterdam.
(That was also the trip that introduced me properly to Berlin, and my desire to relocate there)</p>

<p>Since then, I’ve tried to combine as many trips as possible, substituting trains for short-haul flights.  In November 2022, I combined RIPE85+IETF115 as well as NoTimeToWait.
(I couldn’t get to/from Serbia this time without airplanes, because the trains were killed by Pandemic)
In November 2023, it was IETF118+RIPE87 and RustConf, but over 5 weeks.</p>

<p>In November 2024, I attended 4 events over 4 weeks.
Two flights across the Atlantic, 22 trains and 2 ferries.
Let me detail things before I review how it went.</p>

<ol>
  <li>Fly Ottawa to Paris on the direct flight. AF started this in 2023, previously I would have taken the train to Montreal and KLM to Schipol.</li>
  <li>RER to Gare-du-Nord, followed by Eurostar to London.  I find it funny that I enter Europe for approximately 2 hours.  I attended the IoTsecurityfoundation.org’s conference.</li>
  <li>On Saturday, Eurostar to Brussels, then DB to Berlin.  Two nights in Berlin, including hashing there.</li>
  <li>Monday morning, DB to Prague, arriving by noon for RIPE89. RIPE’s Monday morning is tutorials.</li>
  <li>Thursday evening, European Sleeper from Prague to Brussels.  Then Eurostar to London.  Then Avanti-West to Holyhead.  Then a Ferry to Dublin.  Plan to arrive Friday just before midnight.  IETF121 is in Dublin, preceded by the Hackathon.</li>
  <li>Saturday after IETF121, Ferry from Dublin to Holyhead, and then Avanti-West to London.  Monday/Tuesday/Wednesday I attended a British Interplanetary Space event.</li>
  <li>Thursday, I take Eurostar back to Paris, then RER to CDG for the 13:30 flight back to Ottawa.</li>
  <li>For the first time, I was able to take the Ottawa LRT from the airport to home.</li>
</ol>

<p>So how did it go?</p>

<p>The AF flight from Ottawa lands at CDG at 6am, and one can generally count on getting through immigration, and baggage claim, and then the endless walk across CDG-2 to get to the train station by about 7:30am. The RER is often an express to Gare-du-Nord, and that went fine, although the ticket scenario for the airport is still confused.
Getting the ticket with the airport fee is the part that seems to take the longest.</p>

<p>I have to remember when exiting the metro at Gare du Nord to always go ALL THE WAY south and go up the escalators to the main level.  If you turn early, then you wind up in a passageway that crosses under all the tracks, and one winds up on the west side of the station, where the taxis are, and it’s an annoying walk on cobbles back to the station.
I think that I made this mistake on this trip again.</p>

<p>So it’s now 8am-ish, and I’m in the line for the Eurostar for the 9am train.
A slightly later train, such as a 9:30am train, is perhaps a more certain choice.
Stupid BREXIT means that there are three lineups: one to exit Europe (I do this on my Canadian passport), one to enter the UK (I do this on my UK passport), and then the airport-style-security theatre, because what if Sinn Féin/IRA still has sleeper cells in Paris?
All of this went well, but I’ve done this a few times now, including a number of times from Amsterdam airport.</p>

<p>Yes, I’m a UK-born Canadian, I have dual citizenship, and until Jan.31, 2020, European citizenship.  Now gone, alas.</p>

<p>Getting to London, St.Pancras, I exit and walk down Woburn Pl.
I have booked at The President Hotel, one of six hotels in the area owned by the same family.  I got a good rate at The President Hotel, but in subsequent travel, it returned to being the most expensive in the grouping, and two weeks later, I was at a different hotel.</p>

<p>When I started taking the Eurostar to/from London, I realized that I was almost always on the 6am or 7am Eurostar, and I decided to optimize for that 4am walk to St.Pancras.</p>

<p>I attended meetings, went hash running on Tuesday and Thursday evenings.
I had one meeting the Tuesday in Zurich, which I would have liked to attend in person, but the logistics of doing that and then being in London for the IoTSF meeting on Wednesday was too much.  A late night flight from Zurich, and arriving at a hotel at 1am, and not really sleeping much. So I was remote for that meeting, from my hotel room.</p>

<p>In 2023, I had travelled from London to Prague, when the IETF meeting was in Prague.
DB track work broke the connection in Munich (they told me weeks in advance), suggesting an alternate route involving regional trains.  That alternative failed, and I wound up going to Munich on the original ticket, and having to stay there.  I got to that IETF hackathon at 1pm.</p>

<p>So for the 2024 trip, since I had more time, if I couldn’t make it in one hop, I’d strand myself somewhere that I preferred, and that was Berlin.  So Saturday, I took the 8:16AM Eurostar to Brussels. I would connect to a DB train there to Frankfurt, and another train from there to Berlin, with a scheduled arrival at 8pm.  I had booked at the Amano Group hotel right near the Berlin Hauptbahnhof, because train arrival departure times.</p>

<p>(PS: Both the Imperial Hotel chain in London, and the Amano Group have bespoke reservations systems which create non-compliant emails which Tripit is unable to scrape.  Explaining the mix of Latin-1 and UTF-8 to them, and the HTML in the text/plain part is impossible.  I hope they will learn from the results of the IETF SML WG)</p>

<p>Everything on the Eurostar went well, I seem to book the Eurostar Standard Premium, in order to get a single seat.  Advanced booked, it’s only a few dollars more.
The breakfast is not fantastic, but the coffee+tea is appreciated.
The most annoying part is that I want the tray to go away so I can return to laptop.
The wifi is terrible from London to the Chunnel, when one ought to be above ground.
The wifi <em>through</em> the Chunnel is actually good.  The wifi on the France and Belgium  side is just fine.</p>

<p>Eurostar has X-ray screening as you arrive at St.Pancras.
This one woman three people ahead of me, thinking she was very posh, couldn’t understand that there are four places to undress into the X-ray trays.
I tried to explain to her, but she was offended… “So rude!” she said.
So I pushed around her and did my thing while she waited for the spot she thought was for her.  Well, holding up the line like that is, for me, very rude.  Learn to queue.</p>

<p>Then the UK exit stamp on my UK passport.
Then the French/Europe entrance stamp on my Canadian passport.
I could certainly enter Europe on my UK passport, but I decided in 2022 that I’d stick to the Canadian one so that nobody would accuse me of trying to get around the 90-day visa limit.  I am obligated to enter Canada on my Canadian passport, and to enter the UK on the UK passport.  I didn’t know until 2012ish, that this was required, and had used my Canadian to enter the UK before.</p>

<p>I made friends with the people around me, learning that both families were also going to Berlin.
About 20 minutes from Brussels Midi (the main train station), the train stopped.
A few minutes later, an announcement told us that there was a security problem on the tracks ahead and trains had to stop.</p>

<p>Translation: someone jumped in front of a train.  Note to people trying this, apparently, it’s very very traumatic for the train engineer, screws up the train system a lot.  And… it’s not actually fatal as often as people think.  So if you are thinking about ending your life this way, pick a more considerate way.  You’ll probably just wind up a paraplegic rather than dead.</p>

<p>We sat for just over an hour, and the 1.5 hour transfer time at Brussels for our connecting train was disappearing.  The Eurostar train moved, and we got to the terminal.  Those of us transferring were anxious, and I offered to help one of the families, but after some discussion, we decided I would run, and try to delay the connecting train.  It’s an annoying path from Eurostar to DB, but I made it across, and up the stairs, and got onto the first carriage I found, which was off-by-one for mine, but I stood in the doorway until I saw the other families arrive.  Found my seat as the train was leaving the station.</p>

<p>Back to wifi and work.  We get to Koln in Germany.  The train station with the huge gothic church next to it.  One time I’ll schedule a day or two there. I’ve heard Koln is the second best city for Klub Kulture (raves).  We sit there.  And sit there. WTF.</p>

<p>A rumour spreads that we are sitting there before…  ANOTHER JUMPER.
Someone else explained that this part of Germany (to the French border) was very economically distressed, and it was the suicide capital of Germany.  Damn.</p>

<p>Finally, we leave and there are some other traffic delays, and it does not look like we are going to make the connection in Frankfurt Hauptbahnhof.   Then just before we arrive at the Frankfurt <em>Airport</em> station, an announcement tells us “Dieser Zug endet hier” (this train terminates here).
The train will not be crossing the bridge into the city, because we missed our slot.
The bridge across the river is apparently undergoing repairs, the first major repair it’s had since 1946, and it’s at like 20% of its normal capacity.  Damn.
People ending at Frankfurt could just get an S-Bahn home.</p>

<p>My primitive German overhears hints from other passengers, and I follow them at a run up the escalator, and across to a track where a train is sitting.  It’s the MILK RUN to Berlin from the Airport.  I remember seeing it listed when I booked the ticket. It was ten minutes slower.  I get on.  I haven’t got a reserved seat, but my ticket is otherwise good for it.  I had booked 1st class the entire way, so I quickly poked the DB app, and for 5EU got another reservation on it, basically the seat I was already in.
That train went, and we were not late to Berlin at all.</p>

<p>The next day, Sunday, I went to the Berlin Hash, and then I did my laundry at a place I knew.  And I got on the train to Prague in the morning.  At the Prague train station, Google Maps tried to tell me to take a regional train from the main station to the station near where RIPE was, but doing this seemed broken: the train was not on the schedule, getting a ticket seemed impossible.  I got on the metro, taking two metros out to the Clarion where the meeting was.</p>

<p>Some days at RIPE. Then, on Thursday around 4pm, at the nearest break, I retrieved my luggage and got on the metro back to the train station.  This was the third time I’ve left Prague on a Thursday by overnight train.  The other times were in the 2000s, on DB trains, headed to Italy.
This time was European Sleeper to Brussels.  The train was at 6pm, and I got there around 5pm.</p>

<p>The Prague train station has many nice modern renovations, but a sensible offering of seating is not one of them.  Is it, like the Ottawa LRT stations, optimized against homeless people, rather than people who use it?  The information panels, when they finally showed my train, showed that it was delayed.</p>

<p>Informational panels without enough space really annoy me.
I understand that sometimes they just don’t know what platform the train will use.
I also understand that they also don’t want to tell people to go to the wrong place, or to go someplace and crowd up that space.  Airports have the same problem, notably Heathrow, but at least you know you are in the right concourse.   Unless your flight is cancelled at the very last minute, but if there is some larger structural problem, they won’t let you checkin.   Not really the case for train stations.</p>

<p>My train said it was ~10~ minutes delayed, rolling forward by ten minutes each time.
In the end, it was delayed an hour.  I could have waited entirely somewhere else had I known.  Found a place to settle down with my laptop.  Delays ought to result in easier access to lounges.  So the train would leave around 7pm, which everyone learnt around 6:45.  There was a rush to platform.  If there was any information about which wagon would be where, it wasn’t communicated or it was outright wrong.  My wagon, which I think was 18, was at one end of the train, and I got on, and found my room.</p>

<p>I was alone in the room when the train left the station.
So a 1hr delay at the beginning of the trip, when the train had sat all day in a yard.  Whatever mechanical/maintenance problem there was that caused this delay obviously was not found very early, or it took all day and then some, to resolve.  My room had no outlet power, the sink did not work, and the toilets at the end of the wagon were not functional.  Fortunately, the next car’s toilet was fine.    European Sleeper has not been able to invest enough to fix what I see are significant problems.</p>

<p>The trip went well, with two new people joining my room in Germany, before Berlin, I think.  I had been assigned the top bunk I think.  It often has slightly more leg room (I’m 182cm… 6’) and the reading light (which did work) is better.  Still, I fear losing glasses, phone, and falling out when trying to get down to pee.</p>

<p>We were to arrive in Brussels at 9:27, with the Eurostar to London at 10:23.  Just enough time.  Only we left an hour late, and despite many many sections where I’m sure we could have gone 10% faster, and station stops that could have been 5min shorter, we only made up 40 minutes.  Nobody got out at Breda (south Netherlands), but we still stopped there.  Had there been anyone that needed to go to Breda, they should have been told to get out at Rotterdam and given an NS ticket.  Breda is 10min away.</p>

<p>There were perhaps a dozen people running off the European Sleeper for the Eurostar.  We got there just before 10am.  They would not let us board, since they had to do their security theatre and passport control.  Nobody in line.  All X-ray machines running.  The one man who had a first class ticket was allowed through.  The rest of us were bumped to the 2:30pm train.
Oops, there goes my connecting trains in London, and my 8pm Ferry.
I wasn’t the only one with connecting trains.</p>

<p>I’ve spent too much time in Brussels-Midi train station between trains it seems, as I know it way too well.   I took a walk around outside, but it was grey and too much construction.  I re-entered, got a waffle, and then settled at Starbucks (the most comfortable spot) to work.  I reached out to the Ferry, and they rebooked me from the 8pm Ferry to Dublin to the 1am sailing (I can’t recall the exact time now).  I looked at my connecting train tickets.  One was “This train only”, and the second and third legs were completely open.</p>

<p>When I arrived, I walked from St.Pancras over to Euston.  It was 4pm-ish.
I spoke to an agent, who rebooked me.  Cost 20GBP.  I didn’t know/think I could take my European Sleeper “late” excuse to London, but other people told me that I should have been able to do that.   I asked for the latest train possible, because I had previously spent time in Holyhead in the night, and there is really nothing there.   One is lucky if they leave the lights on.  I found a pub, ordered some drinks and food, and settled down.  It was Friday Nov. 1, so Halloween was still in full swing.  There was promotion for free tequila.  Nice.</p>

<p>I took the train up to Crewe, caught the shuttle to Chester, and got on the train to Holyhead.  I think that train starts in Liverpool and it was just short of midnight.
My car was full of youths, barely 20, coming from a costume party.  They are drunk, stoned, loud, but pleasant and curious.   I talk to them.  One is bleeding on their arm, a very minor wound that they haven’t a clue how they did.  “Does someone have a plaster?” asks one of the two 19yr old twins dressed as Playboy Bunnies. (Well. Undressed)
“Yes!”, I think… thrilled that I could translate plaster to bandaid, and thinking I had one.  Only it wasn’t actually that… it was a Breath-Right nose strip that I had. Oops. I realized as they opened it.  “What the fuck is that?” they giggle.  I explain. “Oh!” says one of the Bunnies, handing it to her boyfriend.  “You are wearing this tonight!   You always snore when you are drunk”.  HA.  So useful after all.  They alight before Holyhead, and we pass through a few other small towns, and I’m curious what rent is there…. yeah, still 1000GBP/month for a one-bedroom!</p>

<p>Get to Holyhead, a ferry has just come in, and there are people.  The convenience store is just about to close as I manage to buy some milk.  I find a corner near an outlet, no seats, and sit on the floor.  There are other people charging phones.   Would a few tables kill them?  Sure, bolt them down.   More than a dozen people milling around.
Finally, 90minutes later, boarding starts.   More fake security as we pass through stuff to another room where we wait a few minutes.  No announcement, people just start disappearing out the door.  Unlike the time I took it in 2018, they had an actual bus to take us onboard organized.  The Ferry does not board there (anymore?) but on the other side of the inlet, and the bus drives for 10 minutes through dockyards and car-parks and hundreds of lorries.  (I remember seeing trains get on the Saint-John/Digby Ferry in NB, before they punched a Four Lane Trans-Canada through the Westchester mountains in NS)</p>

<p>On the Ferry, I found a spot in the Stena Plus Lounge.
It’s really not much of an added expense, I’m surprised so few people use it.
I’d also think that they ought to just randomly upgrade people to it as a promotion whenever it’s less than 30% full.  Like that night, there were perhaps 10 people in a space that accommodated at least 200.  I found a spot at the front, and outlets, and charged stuff, and tried to watch netflix on my tablet.  I could only tell that we’d sailed because GPS told me, there was no sense of motion in the dark.  I fell asleep.  I woke in the dark to an announcement that we’d arrive soon.  We arrived 5:30am ish, and there was another annoying bus to take us off the Ferry.</p>

<p>Gangplanks are not a thing for many of the Ferries.  That tells you how many people use train+ferry, despite some promotion.  How many drive, but most fly now.   By chance more than planning, I and many others found “the” bus into Dublin Center.  It was not, it seems, actually a city bus.  I was confused.  I think I couldn’t find a way to pay, and the driver, who seemed to be running late and at the end of his shift didn’t care.
We went right past my hotel, but no stop there, and I was deposited 500m further downtown at the Connolly Train Station.  I walked the 500m back to The Samuel, where I was staying.  It was just 6am.  I had emailed ahead, and paid for the night I had missed (I was supposed to arrive just before midnight).  So my room was waiting, and I went up, and I slept until 10am, at which point I went to the IETF121 Hackathon.</p>

<p>There is more: the trip back to London, and then back to Canada, but I’ll make another post.</p>]]></content><author><name></name></author><category term="travel" /><summary type="html"><![CDATA[I continue to be very concerned about excessive amounts of airplane travel. The only good thing I can say about the discount short-haul airlines is that it means that people arrive in other cities without their personal car, and that might mean they will take more public transit there. Numerous people have commented how a major attraction for USA residents to visit Disney Land is that they get to visit a walkable city!]]></summary></entry><entry><title type="html">DNSSEC goodness without losing vi access</title><link href="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/bind9-dnssec-formula/" rel="alternate" type="text/html" title="DNSSEC goodness without losing vi access" /><published>2023-02-13T00:00:00-05:00</published><updated>2023-02-13T00:00:00-05:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/sysadmin/bind9-dnssec-formula</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/bind9-dnssec-formula/"><![CDATA[<p>For years I had been using Wes’ dnssec-signing tools (DNSSEC-Tools), even though rollerd just never worked right.
After an update to my Devuan DNS host, libssl 1.0 was gone, and with it MD5 support,
which the dnssec-signing tools needed.  While I could have hacked the source code, that set of tools is really, really dead, and it was time to move on.</p>

<p>Bind9 (what happened to bind10?) versions 9.16 upwards have lots of goodness.
I’m running bind 9.19.2-0… debian11.</p>

<p>I have a configuration where all zone files live in /etc/domain, in subdirectories, with Makefiles to update the serial number in place.  I edit zone files with vi, or more often now, remotely with Emacs and Tramp mode. (M-x compile is smart enough to invoke make on the remote system…)
Some group permissions mean that nothing is root owned, and rndc reload has group permissions to read the key.  My login is in the “bind” group.</p>

<p>I use etckeeper for audit logs.</p>

<p>At first I thought I could just use “update-policy local” and “dnssec-policy default”
and magic would happen.  Yes, it was magical: bind9 followed my instructions, retired my algorithm 5 (RSASHA1) keys, generated algorithm 13 (ECDSAP256SHA256) keys, and expected them to be used, while the DS records at my registrar still pointed at the old keys.</p>

<p>Oops.  Of course, it’s not obvious at first when your zone goes bogus: a resolver that doesn’t validate keeps answering as if nothing happened, and a validating one returns SERVFAIL.  At least 8.8.8.8 validates DNSSEC, and that’s good, and you should be testing that way (look for the AD flag in the answer).  Lots of places do not validate DNSSEC, so they don’t notice.  I did a mix of scrambling to put my old keys back in place for some zones, and for other zones, I went to my registrar with the new DS records.</p>

<p>There is a way to write a better policy that won’t screw you up, but I don’t know how to do that, and it was mostly a forcing function for me.
Also, permissions become a problem, because bind wants the keys private, the directories accessible and it wants to rewrite your zone files.</p>

<p>For many zones, I backed out of the dnssec-policy default and update-policy local, and went back to what I knew: edit zone files with vi, sign them, and load the signed zones.  Make sure to re-sign weekly, or at least monthly: dnssec-signzone’s signatures are valid for 30 days by default, and once they lapse a validating resolver treats the zone as bogus.</p>

<p>My /etc/domain/sandelman.ca/Makefile looks like this:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># recipe lines below must begin with a tab, as make requires
FLAGS=-algorithm ECDSAP256SHA256
all:	db.sandelman.ca.signed db.sandelman.ottawa.on.ca.signed     \
	db.16_28.249.87.209.in-addr.arpa.signed db.acme.sandelman.ca.signed
	rndc reload

db.sandelman.ca.signed: db.sandelman.ca hosts.onsite hosts.sandelman ../stamp acme.sandelman
	dnssec-signzone -S -z -N date -o sandelman.ca db.sandelman.ca

db.16_28.249.87.209.in-addr.arpa.signed: db.16_28.249.87.209.in-addr.arpa ../stamp
	dnssec-signzone -S -z -N date -o 16_28.249.87.209.in-addr.arpa \
		db.16_28.249.87.209.in-addr.arpa
</code></pre></div></div>

<p>This produces files like:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-rw-rw-r-- 1 bind bind   2244 Feb 12 17:32 db.sandelman.ca
-rw-r--r-- 1 mcr  bind 150455 Feb 13 17:48 db.sandelman.ca.signed
</code></pre></div></div>

<p>(there are many $INCLUDES in that file, btw, in case the size difference is surprising)</p>

<p>and you just load the signed files:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>zone "sandelman.ca" {
    zone-statistics yes; type master;
    file "/etc/domain/sandelman.ca/db.sandelman.ca.signed";
    //update-policy local;
    //key-directory "/etc/domain/sandelman.ca";
};
</code></pre></div></div>

<p>Really, this is exactly what I did before, but I’ll note that the -S -z -N date flags to dnssec-signzone do a fair bit of other thinking about the keys.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-N date   sets the SOA serial from the date, in YYYYMMDDNN form.
-S        "smart signing": finds the zone's keys in the key directory and honours
          the publish/activate/inactive timing metadata stored with each key.
-z        ignores the KSK flag, so every key signs every RRset instead of the KSK
          signing only the DNSKEY RRset; the signed zone just gets bigger, and this
          probably should get turned off.
</code></pre></div></div>

<p>When you start, and you aren’t sure what’s upstream, and when things should rotate,
probably leave off the -S flag.</p>
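<p>The failure mode of this hand-driven workflow is forgetting to run make: the RRSIGs in the .signed file quietly expire and validating resolvers start returning SERVFAIL.  The script below is an added example, not code from the post; it reads a dnssec-signzone output file, finds the earliest RRSIG expiration, and says whether re-signing is due.  The embedded zone is constructed for illustration (made-up owner names, key tag and signature blobs, in the layout dnssec-signzone emits), and the date_serial helper only mirrors the YYYYMMDDNN convention of -N date, it is not BIND’s own code.</p>

```python
"""Report how long the RRSIGs in a dnssec-signzone output file stay valid.

Added example, not code from the original post.  The zone text below is
constructed for illustration: owner names, key tag and signature blobs are
made up; the record layout copies what dnssec-signzone writes."""
from datetime import datetime, timezone

# Constructed sample .signed file (made-up names, key tag and signatures).
SAMPLE_SIGNED_ZONE = """\
; File written on Mon Feb 13 17:48:00 2023
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. (
\t\t\t\t\t2023021301 ; serial
\t\t\t\t\t3600 900 1209600 300 )
example.test.\t\t3600\tIN\tRRSIG\tSOA 13 2 3600 (
\t\t\t\t\t20230315174800 20230213164800 25798 example.test.
\t\t\t\t\tMEUCIQDconstructedSignatureBlobOne== )
example.test.\t\t3600\tIN\tNS\tns1.example.test.
example.test.\t\t3600\tIN\tRRSIG\tNS 13 2 3600 (
\t\t\t\t\t20230301000000 20230130000000 25798 example.test.
\t\t\t\t\tMEQCIAconstructedSignatureBlobTwo== )
ns1.example.test.\t3600\tIN\tA\t192.0.2.53
ns1.example.test.\t3600\tIN\tRRSIG\tA 13 3 3600 (
\t\t\t\t\t20230315174800 20230213164800 25798 example.test.
\t\t\t\t\tMEUCIQDconstructedSignatureBlobThree== )
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC timestamp; RRSIG times are always UTC."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def zone_records(zone_text):
    """Yield one token list per record: joins '(' ... ')' continuation lines
    and drops ';' comments, which is enough for dnssec-signzone output."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        for tok in raw.split(";", 1)[0].split():
            while tok.startswith("("):
                depth, tok = depth + 1, tok[1:]
            while tok.endswith(")"):
                depth, tok = depth - 1, tok[:-1]
            if tok:
                buf.append(tok)
        if depth == 0 and buf:
            yield buf
            buf = []


def rrsig_time(field):
    """RRSIG times are YYYYMMDDHHMMSS (what dnssec-signzone writes) or, per
    RFC 4034 presentation format, a plain count of seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def rrsig_expirations(zone_text):
    """[(owner, covered type, expiration)] for every RRSIG in the zone."""
    found = []
    for toks in zone_records(zone_text):
        if "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RDATA order: type alg labels origttl expiration inception keytag signer sig
        found.append((toks[0], toks[i + 1], rrsig_time(toks[i + 5])))
    return found


def check_signatures(zone_text, now, warn_days=7):
    """Earliest expiry in the zone and whether it is time to re-run make.
    Once the earliest RRSIG expires, validating resolvers answer SERVFAIL."""
    sigs = rrsig_expirations(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records found: is this the .signed file?")
    owner, covered, earliest = min(sigs, key=lambda s: s[2])
    days_left = (earliest - now).total_seconds() / 86400
    return {
        "earliest_owner": owner,
        "earliest_type": covered,
        "earliest_expiry": earliest,
        "days_left": days_left,
        "expired": days_left < 0,
        "resign_due": days_left < warn_days,
    }


def date_serial(previous, today):
    """Next SOA serial in the YYYYMMDDNN convention (assumption: this mirrors
    what dnssec-signzone -N date produces; it is not BIND's own code).
    New day: NN restarts at 00; same day: NN is bumped; never goes backwards."""
    return max(int(today.strftime("%Y%m%d")) * 100, previous + 1)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    r = check_signatures(text, datetime.now(timezone.utc))
    print(f"earliest RRSIG: {r['earliest_owner']} {r['earliest_type']} expires "
          f"{r['earliest_expiry']:%Y-%m-%d} ({r['days_left']:.1f} days left)")
    sys.exit(2 if r["expired"] else 1 if r["resign_due"] else 0)
```

<p>Run it against the real file (python3 rrsig_check.py /etc/domain/sandelman.ca/db.sandelman.ca.signed) from cron and alert on a non-zero exit; checking the file on disk catches a forgotten make, but it does not catch a .signed file that was never loaded, so keep querying a validating resolver as well.</p>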

<p>Here is an example of a zone which I allow bind9 to maintain completely.
For this zone, “dasblinkenled.org”, everything in the zone is dynamically updated via nsupdate.  I never edit this file with vi.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>zone "dasblinkenled.org" {
   type master;
   file "/etc/domain/dasblinkenled.org/db.dasblinkenled.org";

   key-directory "/etc/domain/dasblinkenled.org";
   inline-signing yes;
   #	auto-dnssec maintain;
   dnssec-policy default;

   update-policy {
      grant highway. subdomain r.dasblinkenled.org. ANY;
      ...
   	   };

};
</code></pre></div></div>

<p>I haven’t turned on auto-dnssec maintain (which dnssec-policy supersedes in 9.16 and later anyway), because I don’t think that I have any connection to my registrar to update the DS records, and I don’t think the dot.org people do CDS yet.</p>

<p>But what about the zones in between, where I still want to edit the zone file by hand but let bind9 do the signing?
The answer is inline DNSSEC signing.</p>

<p>In theory, that means having a stealth (hidden) primary DNS server with your zone unsigned in editable form, as you have done since 1987.  Then another DNS server acts as a secondary, sucks the zone over, signs it, and then serves it.</p>

<p>In practice, you can do this all inside one named, using views.</p>

<p>I started by putting an extra IPv6 address on my loopback… but you could use 127.1.1.1 or whatever:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default
    inet6 2607:f0b0:f::babe:311/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2607:f0b0:f::babe:f00d/128 scope global
       valid_lft forever preferred_lft forever
</code></pre></div></div>

<p>2607:f0b0:f::babe:f00d is the IPv6 address that I already use to answer queries, and I have a /128 route for it.
2607:f0b0:f::babe:311 is my new address.  (The listing here and the configuration below disagree in the last hex digit of that new address; whichever you pick, it has to be identical on the loopback, in the unsigned view’s match-destinations and transfer-source, and in the secondary zone’s masters clause, or the zone transfer never happens.)</p>

<p>I edited my /etc/bind/named.conf to move everything I used to have into a view “authoritative” and I created a new view “unsigned”:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>include "/etc/bind/named.conf.options";

 view "authoritative" {
    // This should match our internal networks.
    match-destinations { 2607:f0b0:f:3::190/128; 2607:f0b0:f::babe:f00d/128; 209.87.249.18/32; 172.30.3.190/32; };

    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
 };

 view "unsigned" {
    // This is a special IP which serves unsigned zones
    match-destinations { 2607:f0b0:f::babe:311e/128; };
    match-clients { 2607:f0b0:f::/56; };

    notify-source-v6   2607:f0b0:f::babe:311e;
    transfer-source-v6 2607:f0b0:f::babe:311e;
    also-notify { 2607:f0b0:f:3::190; };

    include "/etc/bind/named.conf.unsigned";

};
</code></pre></div></div>

<p>I included match-clients to allow my local machines to do diagnostics, but it is probably not necessary.  2607:f0b0:f:3::190 is the public IPv6 address of the machine.</p>

<p>In my named.conf.local, I configure brski.org as a <em>secondary</em></p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>zone "brski.org" {
 zone-statistics yes;
 file "/etc/domain/brski.org/signed/db.brski.org";
 type secondary; masters { 2607:f0b0:f::babe:311e; };
 key-directory "/etc/domain/brski.org/signed";
 dnssec-policy default;
};
</code></pre></div></div>

<p>I use an explicit key-directory because I need to turn that directory over to bind:
it writes key state, journals and signed zone files there.  Several zones’ keys live in that one directory.</p>
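<p>Getting that handover right is where the permissions problem from earlier bites: the directory must be writable by the named user, the K*.private files must be readable by nobody else, and after an update with the wrong umask the private halves quietly end up 0644.  The checker below is an added example, not the post’s code.  It assumes the K&lt;zone&gt;.+&lt;alg&gt;+&lt;tag&gt;.key/.private/.state naming shown in the listing and takes the uid named runs as from the caller; demo() builds a throw-away directory under tempfile and never touches /etc/domain.</p>

```python
"""Check that a key-directory handed over to bind9 has the permissions named needs.

Added example, not code from the original post.  It checks the layout shown
in the listing above (K<zone>.+<alg>+<tag>.key/.private/.state plus the zone,
.signed and .jnl files that named rewrites) and nothing else.  demo() builds
a throw-away directory under tempfile; it never touches /etc/domain."""
import os
import shutil
import stat
import tempfile


def check_key_directory(path, owner_uid=None):
    """Return a list of findings; an empty list means named can use the directory.

    named must be able to write here (it creates .state, .jnl and .signed
    files), private keys must not be readable by group or world, and when
    owner_uid is given, everything must belong to the uid named runs as."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]

    findings = []
    if not st.st_mode & stat.S_IWUSR:
        findings.append(f"{path}: not writable by owner; named cannot write .jnl/.state files")
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")

    names = sorted(os.listdir(path))
    for name in names:
        fst = os.stat(os.path.join(path, name))
        perm = stat.S_IMODE(fst.st_mode)
        if owner_uid is not None and fst.st_uid != owner_uid:
            findings.append(f"{name}: owned by uid {fst.st_uid}, expected {owner_uid}")
        if not name.startswith("K"):
            continue  # zone, .signed, .jnl and db-*/jn-* temp files: ownership is what matters
        if name.endswith(".private"):
            if perm & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: private key readable by group/other (mode {perm:04o}), want 0600")
            if name[: -len(".private")] + ".key" not in names:
                findings.append(f"{name}: no matching .key file; named will not find the public half")
        elif name.endswith((".key", ".state")) and not perm & stat.S_IRUSR:
            findings.append(f"{name}: not readable by owner")
    return findings


def demo():
    """Constructed key directory: one private key left at 0644 (the usual slip
    after copying keys in as root), then the fix.  Returns (before, after)."""
    d = tempfile.mkdtemp(prefix="keydir-")
    try:
        base = os.path.join(d, "Kexample.test.+013+25798")  # made-up zone and key tag
        for suffix in (".key", ".private", ".state"):
            with open(base + suffix, "w") as fh:
                fh.write("; constructed placeholder, not real key material\n")
            os.chmod(base + suffix, 0o644)
        uid = os.getuid() if hasattr(os, "getuid") else None
        before = check_key_directory(d, owner_uid=uid)
        os.chmod(base + ".private", 0o600)  # the fix: chmod 600 K*.private
        after = check_key_directory(d, owner_uid=uid)
        return before, after
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 keydir_check.py /etc/domain/brski.org/signed $(id -u bind)
        uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
        problems = check_key_directory(sys.argv[1], owner_uid=uid)
    else:
        problems, _ = demo()
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

<p>The ownership check matters as much as the mode bits: a .private file that is 0600 but owned by the login that edited it is invisible to named, and the symptom is a zone that silently stops being re-signed rather than an error at reload.</p>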

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>% ls -ld /etc/domain/brski.org/signed
drwxr-sr-x 2 bind bind 4096 Feb 14 00:21 /etc/domain/brski.org/signed/

tilapia-[/etc/bind] mcr 10027 %ls -l /etc/domain/brski.org/signed
total 200
-rw-r--r-- 1 bind bind  399 Jul  6  2022 Kbrski.org.+013+25798.key
-rw------- 1 bind bind  215 Jul  6  2022 Kbrski.org.+013+25798.private
-rw-r--r-- 1 bind bind  651 Jul  6  2022 Kbrski.org.+013+25798.state
-rw-r--r-- 1 bind bind  505 Jul  6  2022 Kbrski.org.+013+54683.key
-rw------- 1 bind bind  263 Jul  6  2022 Kbrski.org.+013+54683.private
-rw-r--r-- 1 bind bind  736 Jul  6  2022 Kbrski.org.+013+54683.state
-rw-r--r-- 1 bind bind  403 May 17  2022 Krfc8990.org.+013+36433.key
-rw------- 1 bind bind  215 May 17  2022 Krfc8990.org.+013+36433.private
-rw-r--r-- 1 bind bind  653 May 17  2022 Krfc8990.org.+013+36433.state
-rw-r--r-- 1 bind bind  403 May 17  2022 Krfc8994.org.+013+55582.key
-rw------- 1 bind bind  215 May 17  2022 Krfc8994.org.+013+55582.private
-rw-r--r-- 1 bind bind  653 May 17  2022 Krfc8994.org.+013+55582.state
-rw-r--r-- 1 bind bind  402 May 17  2022 Krfc8995.org.+013+07016.key
-rw------- 1 bind bind  215 May 17  2022 Krfc8995.org.+013+07016.private
-rw-r--r-- 1 bind bind  652 May 17  2022 Krfc8995.org.+013+07016.state
-rw-r--r-- 1 bind bind 4282 Jul  5  2022 db-5OdbL0tB
-rw-r--r-- 1 bind bind 4334 May 17  2022 db-83c4tcE9
-rw-r--r-- 1 bind bind 4315 May 17  2022 db-b9O02zWO
-rw-r--r-- 1 bind bind 4334 May 17  2022 db-y37K1Ddm
-rw-r--r-- 1 bind bind  635 Aug 18 20:21 db.brski.org
-rw-r--r-- 1 bind bind  684 Aug 18 20:21 db.brski.org.jnl
-rw-r--r-- 1 bind bind 3494 Feb 10 06:44 db.brski.org.signed
-rw-r--r-- 1 bind bind 1944 Feb 10 06:44 db.brski.org.signed.jnl
-rw-r--r-- 1 bind bind  704 Aug 18 18:16 db.rfc8990.org
-rw-r--r-- 1 bind bind  512 Jul  6  2022 db.rfc8990.org.jbk
-rw-r--r-- 1 bind bind  692 Aug 18 18:16 db.rfc8990.org.jnl
-rw-r--r-- 1 bind bind 3789 Feb 11 18:36 db.rfc8990.org.signed
-rw-r--r-- 1 bind bind 3472 Feb 11 18:36 db.rfc8990.org.signed.jnl
-rw-r--r-- 1 bind bind  659 Aug 18 17:09 db.rfc8994.org
-rw-r--r-- 1 bind bind  512 Jul  6  2022 db.rfc8994.org.jbk
-rw-r--r-- 1 bind bind  692 Aug 18 17:09 db.rfc8994.org.jnl
-rw-r--r-- 1 bind bind 3610 Feb 13 06:49 db.rfc8994.org.signed
-rw-r--r-- 1 bind bind 5856 Feb 13 06:38 db.rfc8994.org.signed.jnl
-rw-r--r-- 1 bind bind  659 Aug 18 17:19 db.rfc8995.org
-rw-r--r-- 1 bind bind  512 Jul  6  2022 db.rfc8995.org.jbk
-rw-r--r-- 1 bind bind  692 Aug 18 17:19 db.rfc8995.org.jnl
-rw-r--r-- 1 bind bind 3610 Feb 14 00:21 db.rfc8995.org.signed
-rw-r--r-- 1 bind bind 4700 Feb 14 00:07 db.rfc8995.org.signed.jnl
-rw-r--r-- 1 bind bind 5612 May 17  2022 jn-ESV2pai7
-rw-r--r-- 1 bind bind 2904 May 17  2022 jn-J2BO2X8Z
-rw-r--r-- 1 bind bind 2904 May 17  2022 jn-f3fDZzat
-rw-r--r-- 1 bind bind 5444 Jul  5  2022 jn-oQ4OX5Wi
</code></pre></div></div>

<p>Now, in the newly created /etc/bind/named.conf.unsigned, I have:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>zone "brski.org" {
 zone-statistics yes; type master;
 file "/etc/domain/brski.org/db.brski.org";
};
</code></pre></div></div>

<p>Just totally ordinary. Edit with vi/tramp, have a Makefile update the serial, rndc reload.
It’s a bit weird to have the bind9 process secondary from itself, but it works.
Some people would turn to containers or the like to make it all work, and that might be simpler for some people.</p>]]></content><author><name></name></author><category term="sysadmin" /><summary type="html"><![CDATA[For years I had been Wes’ dnssec-signing tools, even though rollerd just never worked right. After an update to my devuan DNS host, the libssl 1.0 was gone, and with it, MD5 support, and the dnssec-signing tools needed it. While I could have hacked the source code, that set of tools is really really dead, and it was time to move on.]]></summary></entry><entry><title type="html">Austrian Airline review – could be worse</title><link href="https://www.sandelman.ca/mcr//mcr/blog/airlines/austrian-review/" rel="alternate" type="text/html" title="Austrian Airline review – could be worse" /><published>2022-03-16T00:00:00-04:00</published><updated>2022-03-16T00:00:00-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/airlines/austrian-review</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/airlines/austrian-review/"><![CDATA[<p>I’m on my first flight at what I hope is the end of the pandemic.
(No, it’s not over. It will be a long time before we get there. Learning to live with it means learning to wear masks, get vaccinated, and isolate as required)</p>

<p>I’m on the way to IETF113, in Vienna Austria.  I decided to fly direct from Montreal.
In general, I prefer to take a shorter KLM/AirFrance flight Montreal to Schipol (AMS) and then take a (fast) train.  I think that short-haul flights are an unethical waste of fuel.</p>

<p>I made the decision to fly direct because the rules and regulations around COVID seemed to be changing a lot, becoming inconsistent even between European countries at times.
I read of some group who flew into Schipol, and the regulations changed while they were in the air.  Schipol was alas, unprepared to quarantine the people on the plane when they arrived.</p>

<p>I figured, flying direct meant that I only had to deal with one departure airport, entry to one country,etc.  But this meant flying Air Canada partner, Austrian Airline.
I won’t fly Air Canada: they have screwed me over too many times.
Like United (a partner…) they don’t actually sell tickets, all tickets are effectively “standby”, subject to overbooking, and without any thought to whether people have connecting flights, or other situations.
(I’m not against selling lower cost tickets: I’m against mis-labelling them)</p>

<p>I took bus 51, to Tunney’s Pasture, and then the Ottawa LRT to the Tremblay train station.
I took VIA Rail to Dorval, which is the former name of the Montreal airport.  Now it’s been renamed after our former Prime Minister Pierre Elliott Trudeau.
The trip on the train (business class) was on the refurbished business class equipment, so I had a single seat facing backwards.  A plug, a side table, and a meal.  The meal was cheese and some fruit.  Coffee.  Beer.</p>

<p>The power on the train was perhaps a bit unstable, as I was down to 57% before it finally kicked in when we actually left the station and power went on.  Charging up again the laptop was slow.</p>

<p>A VIA/Indigo provided shuttle from the train station to the airport.  About 10 minutes.
Annoying that they aren’t connected: there is some plan for a people mover, but really, I would be quite happy with moving walkways.  The shuttle was a bit full, as some grandparents had many suitcases full of presents for their grand-kids.</p>

<p>Across the departure area to find the Austrian check in, part of the Air Canada clutch.
They asked to see my vaccination status.
They did not ask for the PCR test that I got “just in case”, and about which I was quite anxious.
I’m told they start boarding in fifteen minutes, but boarding will take close to an hour I think. It’s 6:10pm, and the flight does not leave until 19:35.  I hate having to hurry up and wait.
That’s why I always bring a paper book with me.</p>

<p>Through security, which was unbusy.  Some man in front of me thinks he can take his phone through the scanner.  Like… has he not been in an airport in the past twenty years?</p>

<p>Down the hallways (the concourse) to gate 57.  I’ve taken off many times from gate 57.
I get a pretzel on the way, but where to eat it… I sit at another place’s tables where I feel it’s okay to take off my mask.  I use the washroom, I take my insulin shot, and I change my mask.  I spilt coffee on it on the train.  I find the water fountain, and I fill my running water bottles with water.  Always bring an empty water bottle to fill after security.</p>

<p>Now to the flight.  I’m group 4, back of the plane.  I see no reason to rush the counter to get on.  I don’t even hear them call group 4, but they go on to group 5, and the line is short.
I board.  There is a flight attendant handing out FFP2 masks to people who have medical masks which aren’t even N95. I got a stack of FFP2 masks (KN94) from South Korean maker goodmannermasks.com a few months ago… I got way too many of them.</p>

<p>I find my seat.  Aisle K, window, row 37.  Not quite the very back, but very close.
A man in front of me, one behind me.  Nobody beside me so far. My knees don’t bang the seat.
The man in front of me, he is on the phone.  I look for an opportunity to make my deal: I won’t kick his seat if he won’t bounce his seat back without warning.  But, just after the flight door closes he moves to another seat.  Awesome.</p>

<p>I try to plug my phone in to the USB port.  Nothing.  Maybe the unit isn’t on?
It won’t let me do anything while the promo is running.  Annoying.  My headphone (my running ear buds) fits in, but is a bit loose.  Later on I notice that the USB jack is actually busted.
I try the one on the seat next to me, and yes, there is power.</p>

<p>No AC power under the seat, no volume control buttons.
The selection of movies is okay.  It has an option to star things I like.
I can display the entire catalog at once, so I can go through the list and highlight stuff I like.
The scrolling is AWFUL.  The plane is still taxiing, imagine when it’s bumping around, would I even be able to control it?  I can’t tell if it’s Windows ME or Android.  Doesn’t look like Android to me.  If it crashes, I guess we’ll see when they reboot the system.</p>

<p>I start watching Fast Saga 9.  Not that great. I abandon it to watch Matrix Revolutions.
I wonder if it will remember my place in Fast Saga 9.  I bet not.</p>

<p>It makes me watch an ad from a watch store.  I can’t even remember which one.
I have to watch it again when I switch movies.  Look, the only good point here, in favour of the store (which sold Cartier, Rolex and Bulgari… I remember that part) is that I don’t remember the name of the store, so I can’t hate it a lot and write the name in this blog entry.</p>

<p>I gotta wonder what my eyeballs are worth to Austrian Air for shoving that ad at me.
I can’t afford business class, but I can afford small upgrades (not that Austrian had any really, not like KLM).  I’m not sensitive to +- $100, and I don’t shop for price that way.
I’m writing this because airlines keep racing to the bottom, and the service suffers.</p>

<p>I’ll see if I can actually report the USB port damaged… Yes, I was able to.
I was sufficiently annoyed by the controls that I actually got my laptop out (there was space! Amazing actually) and burnt 20% of my battery writing this blog entry.</p>

<p>Oh, yeah, Wagner is the name of this jewellery store.  Ads all over Wien airport too.
I doubt I’m the right demographic.  Maybe if they sold gold-plated Garmin watches?
Or earrings with BT headsets.</p>]]></content><author><name></name></author><category term="airlines" /><summary type="html"><![CDATA[I’m on my first flight at what I hope is the end of the pandemic. (No, it’s not over. It will be a long time before we get there. Learning to live with it means learning to wear masks, get vaccinated, and isolate as required)]]></summary></entry><entry><title type="html">Signing PDFs with LibreOffice and CACERT</title><link href="https://www.sandelman.ca/mcr//mcr/blog/document-management/signing-pdfs-with-libreoffice/" rel="alternate" type="text/html" title="Signing PDFs with LibreOffice and CACERT" /><published>2022-03-02T00:00:00-05:00</published><updated>2022-03-02T00:00:00-05:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/document-management/signing-pdfs-with-libreoffice</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/document-management/signing-pdfs-with-libreoffice/"><![CDATA[<p>I received a PDF that I needed to sign.
I have often had to print it, put ink on it, scan it.
Some people scan their signature and stick it on digitally, but it isn’t clear to me what the point of that is.  Anyone could do that!
The ink-on-paper copy is supposed to be sent as a followup to the “fax”, and it is also important that it be done in an analogue form that has small variations.  The variations are what prove that it’s a real signature.</p>

<p>Sometimes, one can PGP sign the PDF and send that.
But, the PDF standard contains the ability to embed signatures.</p>

<p>So the opportunity to do this occurred, and I thought I’d figure out what to do.
LibreOffice has had this ability for a while, but my experiences trying with LO/OO 6.x were poor.  I have just installed LibreOffice 7.3.  I wish they had a proper apt-get’able repository, btw.</p>

<p>I started by opening the document:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>%soffice Sandelman-NCCoE-IoT-CN22-0049.pdf
</code></pre></div></div>

<p>I reviewed the document to make sure it was okay.
I then went to File-&gt;Digital Signatures-&gt;Sign Existing PDF
It then opened again, with the note: “This PDF is open in read-only mode to allow signing the existing file”, and it had a button “Sign Document”, but there is no private key connected yet.</p>

<p><img src="../../../signing/step01.png" alt="Sign Document" /></p>

<p>So, to connect to a certificate store that has a private key, use the Tools menu.
Select Options, and then under the LibreOffice menu, open Security.</p>

<p><img src="../../../signing/step02.png" alt="Security Tab" /></p>

<p>At this point select the “Certificates” button, and you’ll get a list of NSS modules from your system and firefox profiles.</p>

<p><img src="../../../signing/step03.png" alt="Point to NSS module from Firefox" /></p>

<p>Select the one that you want.  I have quite a few firefox profiles.
I picked the one with my CACert client certificate loaded.
If you don’t have one, then you need to get one!
See ../../blog/2022-03-02-cacert-client.</p>

<p><img src="../../../signing/step04.png" alt="Select profile you want" /></p>

<p>I found that if I just clicked on “Save” that it would remove the signatures.
I didn’t try Save-As, but Export Directly to PDF does work.</p>
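<p>After exporting, it is worth confirming that the signature actually survived and that it covers the whole file.  The script below is an added example, not LibreOffice’s code nor anything from this post: it builds a constructed stand-in for a signed PDF (sample data only, with a dummy hex blob where a real file carries the DER-encoded CMS signature), then locates every signature dictionary by its /ByteRange, checks that the signed ranges start at byte 0 and run to the end of the file with the /Contents hex string as the only hole, and hashes the signed bytes.  A file that yields no reports is what plain “Save” produced; a file where the ranges stop short of the end has an incremental update appended after signing, which the signature does not cover.</p>

```python
import hashlib
import re

# Added example, not LibreOffice's or the post's own code. It checks that a
# PDF carries an embedded signature and that the signature's /ByteRange covers
# the whole file except the /Contents hole, i.e. the check to run on the file
# that "Export Directly to PDF" wrote.

# Signers write /ByteRange with fixed-width placeholders first and patch in the
# real offsets afterwards, so the dictionary length never changes.
BYTERANGE_PLACEHOLDER = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_RE = re.compile(rb"^[0-9A-Fa-f]*$")


def build_sample_pdf(contents_hex: bytes) -> bytes:
    """Constructed stand-in for a signed PDF (sample data, not a real file).

    In a real file /Contents holds a DER-encoded CMS detached signature,
    zero-padded to a fixed size; here it is whatever hex the caller passes.
    """
    body = (
        b"%PDF-1.7\n"
        + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
        + b"2 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
        + BYTERANGE_PLACEHOLDER
        + b" /Contents <" + contents_hex + b"> >>\nendobj\n"
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    hole_start = body.index(b"/Contents <") + len(b"/Contents ")  # index of '<'
    hole_end = body.index(b">", hole_start) + 1                    # index after '>'
    byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (
        0, hole_start, hole_end, len(body) - hole_end)
    assert len(byte_range) == len(BYTERANGE_PLACEHOLDER)
    return body.replace(BYTERANGE_PLACEHOLDER, byte_range)


def find_signatures(pdf: bytes) -> list:
    """Return the (offset, length, offset, length) tuple of every /ByteRange."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def check_byte_range(pdf: bytes, byte_range: tuple) -> dict:
    """Check one signature's coverage and return what a verifier needs to know."""
    a, b, c, d = byte_range
    hole = pdf[a + b:c]
    signed = pdf[a:a + b] + pdf[c:c + d]
    return {
        # the signed ranges must start at byte 0 and end at the end of the file;
        # anything after c+d is an incremental update the signature does not cover
        "starts_at_zero": a == 0,
        "covers_whole_file": c + d == len(pdf),
        # the only gap allowed is the hex string holding the signature itself
        "hole_is_hex_string": (hole.startswith(b"<") and hole.endswith(b">")
                               and HEX_RE.match(hole[1:-1]) is not None),
        "signed_bytes": len(signed),
        # the signer's digest is computed over exactly these bytes (SHA-256 shown
        # here; the real algorithm is whatever the CMS blob names)
        "sha256": hashlib.sha256(signed).hexdigest(),
    }


def signature_report(pdf: bytes) -> list:
    """One report per signature; an empty list means the file is unsigned."""
    return [check_byte_range(pdf, br) for br in find_signatures(pdf)]


if __name__ == "__main__":
    signed_pdf = build_sample_pdf(b"3082" + b"00" * 30)
    print(signature_report(signed_pdf))
    # an update appended after signing is outside the signed ranges
    print(signature_report(signed_pdf + b"3 0 obj\n<< >>\nendobj\n%%EOF\n"))
```

<p>Run it against the exported file with <code>signature_report(open("signed.pdf", "rb").read())</code>; the report only says whether the ranges are sane and what was hashed, the cryptographic check of the CMS blob against the CACert chain is still a separate step.</p>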

<p><img src="../../../signing/step05.png" alt="Export Directly to PDF" /></p>]]></content><author><name></name></author><category term="document-management" /><summary type="html"><![CDATA[I received a PDF that I needed to sign. I have often had to print it, put ink on it, scan it. Some people scan their signature and stick it on digitally, but it isn’t clear to me what the point of that is. Anyone could do that! The ink on paper copy is supposed to be sent as a followup to the “fax”, and it is also important that it be done in an analogue that had small variations. The variations are what prove that it’s a real signature.]]></summary></entry><entry><title type="html">Rails console fails to start in container</title><link href="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/rails-console/" rel="alternate" type="text/html" title="Rails console fails to start in container" /><published>2019-05-23T00:00:00-04:00</published><updated>2019-05-23T00:00:00-04:00</updated><id>https://www.sandelman.ca/mcr//mcr/blog/sysadmin/rails-console</id><content type="html" xml:base="https://www.sandelman.ca/mcr//mcr/blog/sysadmin/rails-console/"><![CDATA[<p>I get:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/app/fountain # bin/rails console
Loading production environment (Rails 5.2.2.1)
bin/rails: No such file or directory - infocmp
Traceback (most recent call last):
...
1: from /usr/local/bundle/gems/rb-readline-0.5.5/lib/rbreadline.rb:2027:in `_rl_init_terminal_io'
   .../lib/rbreadline.rb:1815:in `get_term_capabilities': undefined method `split' for nil:NilCla
</code></pre></div></div>

<p>when I start “rails console” in a container with a distroless ruby.
This is because rails console wants to try to do colourization, etc, and the
termcap database is probably not present.</p>
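<p>A quick way to tell in advance whether an image can drive the terminal is to look for the compiled terminfo entry where ncurses looks for it.  The script below is an added example, not from this post: it checks $TERMINFO and the usual system directories for the entry named by TERM and otherwise falls back to dumb.  One caveat from the traceback itself: rb-readline runs the infocmp binary, so for rails console the tool (and its libraries) must be in the image as well, which the second function also requires.  The infocmp/tic commands in the comments are the standard ncurses tools; the /app/terminfo path is an assumption.</p>

```shell
#!/bin/sh
# Added example (not from the post): check whether the container has a compiled
# terminfo entry for the terminal you are about to use, and fall back to
# TERM=dumb when it does not. It looks where ncurses looks: $TERMINFO, then the
# usual system directories (~/.terminfo and TERMINFO_DIRS are left out for
# brevity). Compiled entries live at <dir>/<first letter>/<name>.

terminfo_present() {
    # usage: terminfo_present NAME; exit status 0 if a compiled entry exists
    name=$1
    first=${name%"${name#?}"}        # first character of NAME, POSIX sh only
    for dir in "${TERMINFO:-/nonexistent}" /etc/terminfo /lib/terminfo /usr/share/terminfo; do
        if [ -f "$dir/$first/$name" ]; then
            return 0
        fi
    done
    return 1
}

pick_term() {
    # usage: pick_term NAME; prints NAME if its entry is present, otherwise "dumb"
    if terminfo_present "$1"; then
        printf '%s\n' "$1"
    else
        printf 'dumb\n'
    fi
}

rails_console_term() {
    # usage: rails_console_term NAME; rb-readline executes infocmp itself (that is
    # the "No such file or directory - infocmp" in the traceback), so both the
    # binary and the entry have to be present before TERM is worth keeping
    if command -v infocmp >/dev/null 2>&1 && terminfo_present "$1"; then
        printf '%s\n' "$1"
    else
        printf 'dumb\n'
    fi
}

# To ship a single entry with the image instead of the whole database, build it
# on a host that has the ncurses tools and point TERMINFO at the result; the
# compiled entry infocmp prints is already flattened, so it stands on its own:
#   infocmp xterm-256color > xterm-256color.ti   # on the build host
#   tic -o /app/terminfo xterm-256color.ti       # writes /app/terminfo/x/xterm-256color
#   ENV TERMINFO=/app/terminfo                   # in the Dockerfile (assumed path)
#
# Then, in the entrypoint:
#   TERM=$(rails_console_term "${TERM:-xterm-256color}"); export TERM
```

<p>With TERM resolved this way the console either gets a terminal it can actually describe, or the same TERM=dumb the post settles on, instead of a traceback.</p>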

<p>Do:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export TERM=dumb
rails console
</code></pre></div></div>

<p>Or even put:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ENV TERM=dumb
</code></pre></div></div>

<p>in your Dockerfile.  This will turn off all terminal controls. That includes
emacs/vi-style line editing and history.  If you want to restore this, you
can put a few terminfo files, I don’t have a minimal set yet, as many
of the files in /usr/share/terminfo depend upon other files.  There is a way
to store some of this into environment variables (or there was in the days of
TERMCAP), but I’m not sure of the details yet.</p>]]></content><author><name></name></author><category term="sysadmin" /><summary type="html"><![CDATA[I get:]]></summary></entry></feed>