Looking for a European alternative to GitHub? Look no further than Git itself

Here's the step-by-step guide.

Change directory to the local git repository you want to share with friends and colleagues and make a bare clone:

git clone --bare . /tmp/repo.git

You just created a copy of the .git folder without all the checked-out files.

Upload /tmp/repo.git to your Linux server over SSH. Don't have one? Just order a tiny cloud server from Hetzner. You can place your git repository anywhere, but the best way is to put it in a separate folder, e.g. /var/git. The command would be:

scp -r /tmp/repo.git me@server:/var/git/

To share the repository with others, create a group, e.g.:

groupadd --users me git

You will be able to add more users to the group later with groupmod.

Your git repository is now writable only by the user me. To make it writable by the git group, change the group of all files in the repository to git with chgrp -R git /var/git/repo.git and enable the group write bit on them with chmod -R g+w /var/git/repo.git.

This fixes the shared access for existing files. For new files, we have to make sure the group write bit is always on by changing UMASK from 022 to 002 in /etc/login.defs.

There is one more trick. From now on, all new files and folders in /var/git will be created with the user's primary group. We could change users to have git as their primary group.
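The whole server-side part of the procedure as one script. This is an added example, not from the post: on top of the post's chgrp/chmod steps it also sets the setgid bit on every directory (so new entries inherit the directory's group rather than the creator's primary group) and switches on git's own core.sharedRepository setting, which keeps new objects group-writable whatever the umask. It assumes it runs as root on the server and takes the repository path and group as arguments.

```shell
#!/bin/sh
# Added example (not the post's code): make a bare repository writable by a group.
# Assumptions: run as root on the server; $1 is the bare repo, $2 the sharing group.

share_repo() {
  repo=$1; group=$2
  chgrp -R "$group" "$repo"                   # post: hand every file to the git group
  chmod -R g+w "$repo"                        # post: group write bit on existing files
  find "$repo" -type d -exec chmod g+s '{}' + # setgid: new entries inherit the dir's group
  # git's own knob: with core.sharedRepository=group, git itself creates new
  # objects and refs group-writable regardless of the login umask.
  if command -v git >/dev/null 2>&1 && [ -f "$repo/HEAD" ]; then
    git -C "$repo" config core.sharedRepository group
  fi
}

# Succeeds only when every file is group-writable (octal 020) and every
# directory carries the setgid bit (octal 2000); use it to verify the result.
check_shared() {
  repo=$1
  [ -z "$(find "$repo" -type f ! -perm -020)" ] &&
  [ -z "$(find "$repo" -type d ! -perm -2000)" ]
}

# Usage on the server, as root:
#   share_repo /var/git/repo.git git && check_shared /var/git/repo.git && echo shared
```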

The Hobbyist Internet is the Amateur Radio of XXI century

Amateur radio thrives as a niche hobby. Clubs are active and, while the average age of radio amateurs is well over 60, there is a steady stream of newcomers. States and international organizations recognize the importance of nurturing amateur radio communities, and there are endless possibilities to excel in this space.

In contrast, no one yet cares about the possible demise of the hobbyist internet. It all started with phasing out HTTP in favour of HTTPS for good reasons: ISPs and network providers in some parts of the world were injecting ads into HTTP pages. Big content providers and the general public wanted to stop that. They could have gone the legislative route, but a technical solution that forced all websites onto HTTPS was easier to implement. It was enough for Google to hint that it would rank HTTP websites below HTTPS ones in search results, and everyone happily switched over to HTTPS.

Things did not stop there, though.

Browsers show content served over HTTP as not secure, making HTTPS the "default" and HTTP the visibly dangerous option; they limit many web APIs to sites served over HTTPS; they block or upgrade mixed content by default (HTTPS sites cannot request HTTP-only resources anymore); they require HTTPS for HTTP/2 and HTTP/3; they increasingly try HTTPS first even if a site is linked or typed as HTTP; they warn about downloads over HTTP; and they keep ratcheting up such measures over time.

Lately, WhatsApp has completely stopped opening HTTP URLs.

This is an old fart's rant, but it is nonetheless true.

European IT industry can be revived only via regulation

Case in point: euro-stack.eu, which promotes European software using... wait a minute...

  1. A wordpress.com based website hosted in California by the US company Automattic
  2. Fronted by Cloudflare, a US monopoly (this is probably part of wordpress.com paid subscription)
  3. Edits its letter to the EU Commission, asking it to support the European IT industry, in Microsoft Word.
  4. Converts it to PDF with Adobe software

For every step of the process there are either Free or European alternatives; it just takes some extra work to find them and get used to them. European techies crave to get rid of US dominance and will help for free if only asked politely.

The pointless churn of SHA1 deprecation

In a recent interview, Linus Torvalds expressed regret about the pointless churn of SHA1 deprecation and this immediately reminded me of a similar, although much smaller pointless churn.

There was once a company-wide ban on SHA1, so a developer replaced SHA1 with SHA256 in a Hashcash implementation in one of the projects... without thinking about the negative side effects:

  1. Hashcash became ~1.5 to 2 times slower
  2. Third-party tooling could not be used anymore

The project uses this broken Hashcash even today.

P.S. In case it is not clear, SHA1 was "broken" by generating two PDFs with different content but identical SHA1 hashes, by adding random binary data to them. This is why the "attackers" used PDFs and not C or Java code in the first place. And when they say broken, they mean that the SHA1 collision was generated 100,000 times faster than it should have been, but it still took quite a lot of computing and coding.

While there have been better SHA1 attacks since Google's, they are mostly impractical because git has had collision detection built in for a long time already.

There will be no "European Cloud" as you understand it

Europe needs a paradigm shift, not an ethical Amazon Web Services replica.

One rare topic where I strongly disagree with Bert Hubert is the need for a European Cloud.

One does not win by copying the incumbent

Whatever European clones of AWS come into existence, they will be worse than AWS. Look at Azure and Google Cloud. These are essentially clones of AWS; each has its own strengths and weaknesses, but on average AWS is a clear winner.

I'd argue that the same pattern applies to many situations; the histories of S3 and Google Docs come to mind as the obvious examples.

S3 over POSIX-compatible file systems

For years, businesses tried to make POSIX-compatible filesystems scale seamlessly in size and availability. I remember the hassle of setting up GlusterFS and Ceph for a small business. It was undoubtedly a daunting task to sell POSIX-compatible filesystems as a service, until Amazon rolled out a simpler alternative that, by having a smaller set of features, delivered the much sought-after properties of distributed file systems in an efficient and commercially viable way.

Google Docs over Microsoft Office

Open Source projects and businesses tried to build a Microsoft Office competitor by mimicking Microsoft Office. Naturally, all clones were worse than the original, until Google changed the paradigm and rolled out Google Docs, which had the unique feature of online collaboration. Then it was Microsoft's turn to mimic the collaboration features of Google Docs in Microsoft Office and be worse at it, almost by definition.

Structured communication for every minute

One thing about Peppol is how worryingly complex it is. I really hope it will be lobbied out in favor of a simpler solution.

As a reminder... remember the structured communication in your Belgian bank transfers? The one with triple pluses at the beginning and at the end, like +++250/4171/01095+++?

The shell script below generates a unique one from today's year, month, day, hour and minute.

Things should not be more complex than they need to be.

# ten digits: yymmddHHMM
DATE=$(date +"%y%m%d%H%M")
# check digits: DATE mod 97, or 97 when the remainder is 0
CHECKSUM=$(printf "%02d" $((DATE%97?DATE%97:97)))
# split the 12 digits as 3/4/5 and wrap them in triple pluses
echo $DATE$CHECKSUM |\
  sed -e 's#\([0-9]\{3\}\)\([0-9]\{4\}\)\([0-9]\{5\}\)#+++\1/\2/\3+++#'
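The post's script only mints a communication from the clock. As an added example that is not part of the post, the two functions below generalize it to any ten-digit number and add the matching validator, including the remainder-0 case where the check digits must read 97; the function names ogm_make and ogm_check are my own.

```shell
#!/bin/sh
# Added example, not from the post: build and verify a Belgian structured
# communication (+++xxx/xxxx/xxxxx+++). The 12 digits are a 10-digit number
# followed by its check: number mod 97, or 97 when the remainder is 0.

# Strip leading zeros so $(( )) does not read the digits as octal.
dec() { n=${1#"${1%%[!0]*}"}; printf '%s\n' "${n:-0}"; }

# ogm_make 2504171010 -> +++250/4171/01095+++ (the post's sample)
ogm_make() {
  num=$1
  [ ${#num} -eq 10 ] || return 1
  n=$(dec "$num")
  check=$((n % 97)); check=$((check == 0 ? 97 : check))
  all=$(printf '%s%02d' "$num" "$check")
  a=${all%?????????}            # first 3 digits
  rest=${all#???}               # remaining 9
  b=${rest%?????}               # next 4
  c=${rest#????}                # last 5
  printf '+++%s/%s/%s+++\n' "$a" "$b" "$c"
}

# ogm_check '+++250/4171/01095+++' succeeds; any other check digits fail.
# Punctuation is ignored, so the bare 12-digit form is accepted as well.
ogm_check() {
  digits=$(printf '%s' "$1" | tr -cd '0-9')
  [ ${#digits} -eq 12 ] || return 1
  n=$(dec "${digits%??}")
  check=$((n % 97)); check=$((check == 0 ? 97 : check))
  [ "$(dec "${digits#??????????}")" -eq "$check" ]
}
```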

Did I say that the validation of the Belgian National Number is easy?

I was wrong.

Semi-official and unofficial open source code is often hilariously bad, although the format is quite well documented on Wikipedia.

One thing people seem to misunderstand is that the checksum disambiguates between two possible birth dates spaced 100 years apart. That is, the national number of someone born on April 16, 1925 will be 25.04.16-123-47, and for someone born on April 16, 2025 it would be 25.04.16-123-76.

Here it goes in Java:
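As an added example, not the post's own Java code, here is the same check as a shell function: the check digits are 97 minus (yymmddsss mod 97), and for people born in 2000 or later a 2 is prepended to yymmddsss before the division. The function nn_century (my own name) prints which century matched, so the two sample numbers above resolve to 19 and 20 respectively.

```shell
#!/bin/sh
# Added example (not the post's Java): validate a Belgian National Number
# written as yy.mm.dd-sss-cc, with or without the punctuation.

# Strip leading zeros so $(( )) does not read the digits as octal.
dec() { n=${1#"${1%%[!0]*}"}; printf '%s\n' "${n:-0}"; }

# nn_century "25.04.16-123-47" prints 19 (born 1925) and exits 0;
# nn_century "25.04.16-123-76" prints 20 (born 2025) and exits 0;
# anything whose check digits match neither century prints nothing, exits 1.
nn_century() {
  digits=$(printf '%s' "$1" | tr -cd '0-9')
  [ ${#digits} -eq 11 ] || return 1
  body=${digits%??}                    # yymmddsss, 9 digits
  check=$(dec "${digits#?????????}")   # cc, the last two digits
  n19=$(dec "$body")                   # 19xx: the 9 digits as they are
  n20=$(dec "2$body")                  # 20xx: the same digits with a 2 in front
  if [ $((97 - n19 % 97)) -eq "$check" ]; then printf '19\n'; return 0; fi
  if [ $((97 - n20 % 97)) -eq "$check" ]; then printf '20\n'; return 0; fi
  return 1
}
```

Both sample numbers from the post share the digits 250416123; only the check digits tell the 1925 and 2025 births apart.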

What about the Belgian Digital Sovereignty?

Bert Hubert has written at length and more openly about EU dependence on US software since the election of Trump. Not that engineers did not know all that, but European IT is not run by engineers to the same extent as in the US.

The situation is slightly different in Belgium:

  1. We have our own government cloud. It runs on US software, but we are pretty much in control of it.
  2. We have our own authentication service, but large parts of it run on COTS software from the US.
  3. We forgot how to host our own email, even the Ministry of Foreign Affairs and the Cabinet of the Prime Minister use M365.
  4. We voluntarily gave up control over the Belgian Certificate Authority to the US-based conglomerate DigiCert.

I guess things have to be fixed in the reverse order:

  1. Take back control of Belgium Root CA
  2. Host our own email
  3. Own government auth
  4. Migrate government cloud off Broadcom and IBM (anyway we need to migrate off Broadcom for money reasons)

That's a nice task list, and luckily we already have an IT czar.

P.S. and Disclaimer: I indirectly work for the government, but everything above is public knowledge, for instance:

2FA or not 2FA

A few weeks ago I received an unsolicited email from the Belgian Center for Cyber Security. It starts with the statement that 80% of cyber attacks could be avoided if 2FA was active and then says literally: "If you only use a username and password for your remote logins, you're a sitting duck."

This is not true: username and password are no less secure than 2FA. In a way, they are more secure. I know this is controversial, but please bear with me, and I will explain the CCB's assumptions, my assumptions, and how it all makes sense.

The CCB assumes that people cannot be trusted with passwords. Over the years, the most popular passwords have been 123456 and password, closely followed by 12345678 and qwerty. Research has proven time and again that we use weak passwords whenever possible.

But hold on. These same people behave reasonably and optimally. Whenever they start using a new website or app, its value is close to zero, so it is an optimal strategy to use a weak password. More often than not, the interaction is unique or spaced so far apart in time that it makes no sense to save the password at all. When I visit a website I have not visited for years, my old password usually does not work anymore, and I have to reset it.

I have a workflow for auto-generating passwords and storing them in a password manager, but it is totally reasonable to expect other strategies for occasional users:
