Installing ancient Debian (Sarge) on a modern Virtualbox

Here are some steps I had to do to install an old Debian Sarge (3.1) using Virtualbox:

  • Find the actual CDROM ISOs (debian.archive.org does not contain all versions, so I downloaded the CD images from http://mirror.debianforum.de/debian-iso-archive/);
  • Setting Virtualbox to use an IDE hard disk instead of the default SATA, to avoid the "No partitionable media were found" error (as indicated here).
  • Prevent apt-get from connecting to the network (e.g. by disconnecting the VirtualBox "cable"), or rejecting the use of security-updates; otherwise, you will end up with unsatisfiable dependencies which will prevent even basic tools such as sudo from being installed:

In text form, here's what you see when trying to install the sudo package after accepting security-updates:
Source package: sudo
--\ Depends
  --- libc6 (>= 2.11) (UNAVAILABLE)
  --- libpam0g (>= (UNSATISFIED)
  --- libpam-modules

While this is probably done for security reasons, anyone wanting to install such an old Debian in 2015 should know it has more security holes than a Swiss cheese skimmer, and so it should not be publicly accessible. But for those of us who just need it for local usage, this makes no sense.

Here's what you get when you reject APT's security-updates:

This time, it simply works.

  • You have to manually add each ISO image so that apt knows which programs may be installed from them; if you have not done it during the installation, you can use apt-cdrom add for each CD image.
The main inconvenient of this method is that you often need to change the ISO image in the CD drive to be able to install new packages. But at least it works.


Geotagging with digiKam - a UX mistake, from interface to documentation

digiKam is a very nice piece of open source software, but they made a major blunder regarding their UX and their documentation, with respect to geolocation.

I wanted to geotag some pictures, so I installed digiKam (using apt-get install digikam) and then tried to follow one of a few websites which explain how to add geo-location data to a picture.

First major error: the interface does NOT correspond to the one described in their referenced website. This is what I get after selecting an image and then clicking the Image menu:

Wait, what? Their website clearly says "Image -> Geo-location" on the second line of the tutorial. Well, maybe this has changed since version 2.0? Ok, let me look for anything related to Geolocation... such as the globe icon on the left, which leads me to this:

I can zoom in, find the location I want, and then try to add it to the picture... except that I can no longer see my files here. If I click on the Albums icon to return to my files, then I can no longer see the globe. Oh, wait, there's a "Geolocation" button on the right-hand side toolbar, so this is the right one, right? Wrong again.

This globe is even worse than the first one: it is static and does not allow you to move it. You can try dragging a filename to it, as suggested in the tutorial, but it won't work.

You know what actually does work? Divination! This would enable you to guess that you actually need a plug-in (GPSSync) that is not necessarily installed with digiKam, neither mentioned anywhere in the tutorial.

Simply doing apt-get install kipi-plugins (a set of plug-ins which include, among others, GPSSync, responsible for adding geo-location data to a picture which has none) was enough to solve the problem and make the mysterious Geo-location menu item appear. However, due to outdated documentation and the absolute lack of clues in the user interface, one needs some luck to find out about the existence and necessity of this plug-in.

Also unfortunate is the fact that the original post by Dmitri Popov contains a visitor comment asking about the geotagging facility, and an answer mentioning the GPSSync plug-in. It's not ideal, since many readers do not actually bother to check the comments section, but when things do not work they might actually do it and find the solution. However, the KDE UserBase Wiki hosting the "official" geo-tagging tutorial for digiKam transcribed the content of the blog without the comments, therefore making it impossible for a reader to find out about it. They also did not include a link to the original blog.

For an open source project with one feature which is quite rare among image editors (the possibility of easily adding geo-location via a graphical interface), it's very unfortunate that this feature, which undoubtedly attracts many new users (including me), does not work as indicated in the documentation and, what's worse, has several misleading geolocation-related icons and views in the user interface. This is very frustrating for casual users, which have already spent some time installing the tool and trying to find out why the functionality seems missing.


lighttpd cgi_mod error when running shell scripts

I've had some issues when trying to run some Bash scripts using lighttpd's cgi_mod: my scripts would not run, and this is what I had in /var/log/lighttpd/error.log:

(mod_cgi.c.1319) cleaning up CGI: process died with signal 6 

Adding server.breakagelog = "/var/log/lighttpd/breakage.log" to /etc/lighttpd/lighttpd.conf did not provide much more information, the log only contained the following line:

mod_cgi.c.1057: aborted

By the way, my cgi.assign variable was defined as in one of the examples in the documentation:

cgi.assign = ( ".sh" => "" )

Anyway, the issue was that my scripts did not have the first line defining which command to run:


Adding this line to each script solved the issue for me. So much for laziness...


Dark pattern ("arnaque subtile") à La Poste

Les dark patterns, ou "patrons obscurs", sont des décisions de design (notamment Web) couramment utilisés par les développeurs sans scrupules pour cacher des arnaques, exploiter les utilisateurs, ou toute sorte d'escroquerie que vous pouvez imaginer.

Jusqu'à récemment, on pouvait remarquer une application classique de ces patrons présente sur plusieurs sites d'achats en ligne : après choisir un produit, il y avait tout un tas d'options cochées par défaut (assurances inutiles, accessoires non souhaités, etc.) qui rentraient dans le panier de l'utilisateur. S'il ne faisait pas attention, il finissait par payer pour des choses qu'il n'avait jamais demandées explicitement. Les Numériques en donnent plus de détails sur la "loi Hamon" qui a mis fin à ces patrons obscurs.

Cependant, il y a encore d'innombrables patrons qui se trouvent dans la nature, comme le fameux "cochez ici pour NE PAS vous faire spammer", caché dans un long texte avec de petites lettres que personne (ainsi l'espèrent les concepteurs-cochons) ne remarquera.

Or, je m'attends à ce type de technique de la part de ces nombreux sites mineurs qui n'ont presque aucune réputation mise en jeu, mais... de La Poste ?

Regardez ici ce qu'on trouve à la fin d'une page de La Poste proposant un service payant (oui, on paie déjà pour le service, en plus on se fait spammer) de réexpédition de courrier :

Voici la partie obscure, entourée en rouge :

Après 4 lignes de texte à caractère purement informationnel, voici qu'ils rajoutent, sans même pas une fin de ligne ou début de paragraphe pour le séparer du reste du texte :

"Vos coordonnées sont susceptibles d'être utilisées à des fins de prospection commerciale ou de mise à jour de fichiers d'adresses par la Poste ou des partenaires liés contractuellement à la Poste (entreprises, associations, commerces, administrations, etc) sauf opposition de votre part en cochant la case ci-contre."

Je remets en gras le message important: sauf opposition de votre part en cochant la case ci-contre. "On se permet de vous arnaquer, Madame, Monsieur, sauf opposition explicite de votre part". Exemple parfait d'un "patron obscur", digne des plus sordides sites aux publicités intempestives et moralité douteuse.

Enfin, c'est toujours utile d'avoir ce type d'exemples pour l'éducation des débutants sur Internet. On peut leur montrer que même des institutions autrement respectables finissent par retomber dans ce type de comportement égoïste et nocif pour l'utilisateur, et ceci même quand l'utilisateur est déjà en train de payer pour un service !


Unsubscribing from LinkedIn (without having ever subscribed)

LinkedIn is going down, and one of the symptoms of its despair is the fact that it's spamming people which are not even its users.

This is known for quite a while, but well, since they bothered me, why not restate the fact that they suck in terms of respect of the users?

Note: real names and addresses have been modified, but everything else is legitimately LinkedIn®.

I've received this message a few times, ignoring it at first, but they kept annoying me:

John Doe souhaite rejoindre votre réseau sur LinkedIn. Que souhaitez-vous répondre [John Doe wishes to join your network on LinkedIn. What do you want to reply]?

John Doe
Employee at Example

Ok, so a typical message (in French) asking me to add John Doe to my LinkedIn account. But wait, the e-mail address in question is not in my LinkedIn account! So LinkedIn actually wants to "convert" me. Notice the tone: John Doe wants and not LinkedIn wants. This would be mostly OK, except that... they keep spamming me again and again, every week!

If John Doe really wanted to join my network, he would at least know that I have one, right? Nice way to blame the user there.

If I click on the link, they take me to the registration page:

A nice touch here: the Email field is readonly, which means you cannot change your mind and put another e-mail. Why? Well, they confirmed the e-mail exists when you clicked on the link anyway, so they are just making sure you don't change your mind... but without disabling the field, if you just happen to prefer another address (say, Professional.Full.Name.email@example.com), you spend your time trying to understand why Backspace and Delete suddenly stopped working. Nothing in the UI indicates it is read-only.

So, I suppose I'm fair game since someone just sent my e-mail address to LinkedIn. Notice the small text below the message:

Vous recevez des e-mails de rappel concernant vos invitations en attente. Se désabonner. [You receive e-mail reminders about pending invitations. Unsubscribe.]

Oh, cool, so I can unsubscribe. But wait, I never actually subscribed to anything in the first place! So all it takes is a random user to add me to LinkedIn's server, and voila, they just triggered a spam machine which will either force me to admit "OK, I'm weak, I admit this e-mail address is actually being read by a human being by clicking on your Unsubscribe link for something I never subscribed", or I have to actively treat their messages as spam. Either way, it surely looks like LinkedIn is so desperate they are resorting to spammy ways... but this is not new anyway, so why am I complaining...?

This is what the unsubscription page looks like:

They are honest here, but still blaming the user: you are receiving these emails because a [bastard evil goddamn] LinkedIn member invited you....
No, wait, I'm receiving it because you want to spam me and just found a stupid justification to do so. Don't blame the user, LinkedIn, he didn't spend his time writing and sending me the e-mail, you did it!

Bonus points for those who find the e-mails of LinkedIn's CEO's family members and spam invite them to join their network! Maybe that way they'll actually realize the crappy way it works...


Flashblock and Vimeo

A long time ago, Vimeo started having problems with Flashblock... as indicated in this thread.

The solution? To whitelist their domain on Flashblock.

I know that Vimeo developers already have many things to do, and managing how an external plug-in deals with their code is probably not how they want to spend their time.

But still, other players usually don't have this problem. And it only started happening after some code has been modified on Vimeo.

Now, it's very unlikely someone will be able to inject Flash malware using Vimeo's website and profit from the whitelist. And I didn't see any Flash ads on their website, which might make them earn money. So the most probable cause is indeed just an accident. Unfortunately, most security problems come from such inoffensive accidents...

I wonder how the next generations will look to the past and judge these mistakes. That is, if they can actually find out when things have actually happened. Without Carbon-14 or physical evidence, they'll have to rely on timestamps. Luckily, these are much more precise and foolproof than some ancient technology...


Google synonyms a bit too far off

For quite some time, Google has been using synonyms and variants (e.g. singular versus plural) in search results to help the user.

But recently, it's been going a bit too far in its "inferences" about what constitutes a synonym.

The double-quotes operator used to mean exact match, but either Google Scholar ignores it completely, or Google is simply ignoring the user:

I looked for flexibility, but is only matches results with angioplasty, as if it were a synonym. I put "flexibility" between quotes for an exact match, but it didn't work.

If Google Scholar couldn't find anything with "flexibility", it should at least say so, as it usually does in Google Search: no matches found for term X, searching with Y instead.

This is completely unintuitive and provides a bad user experience. Let's hope Google fixes this soon.