Winning the Google Open Source Lottery

I don't know about you, but I frequently get mails announcing that I was picked as the lucky winner of a lottery, compensation program or simply as "business associate". Obvious Spam of course, that never happens in reality. Just like my personal "favorite" at the moment: Mails notifying me of inheritance from a previously (more or less) unknown relative. Its just that this is what has happend basically a few weeks ago in reality to me (over the phone through) – and I am still dealing with the bureaucracy required of teaching everyone that I had absolutely no contact in the last two decades with the person for which I am supposed to be one of the legal successors now, regardless of how close the family relation is on paper… but that might be the topic of another day.

On the 1st March a mail titled "Google Open Source Peer Bonus Program" looked at first as if it would fall into this lottery spam class. It didn't exactly help that the mail was multipart HTML and text, but the text really only the text, not mentioning the embedded links used in the HTML part. It even included a prominent and obvious red flag: "Please fill out the form". 20% Bayes score didn't come from nothing. Still, for better or worse the words "Open Source" made it unlikely to be spam similar to how the word PGP indicates authenticity. So it happened, another spam message became true for me. I wonder which one will be next…

You have probably figured out by now that I didn't know that program before. Kinda embarrassing for a previous Google Summer of Code student (GSoC is run by the same office), but the idea behind it is simple: Google employees can nominate contributors to open source stuff for a small monetary "thank you!" gift card. Earlier this week winners for this round were announced – 52 contributors including yours truly. You might be surprised, but the rational given behind my name is APT (I got a private mail with the full rational from my "patron", just in case you wonder if at least I would know more).

It is funny how a guy who was taken aback by the prospect of needing a package manager like YaST to use Linux contributed just months later the first patch to apt and has roughly 8 years later amassed more than 2400 commits. It's birthday season in my family with e.g. mine just a few days ago, so its seems natural that apt has its own birthday today just as if it would be part of my family: 19th years this little bundle of bugs joy is now! In more sober moments I wonder sometimes how apt and I would have turned out if we hadn't meet. Would apt have met someone else? Would I? Given that I am still the newest team member and only recently joined Debian as DD at all…

APT has some strange ways of showing that it loves you: It e.g. helps users compose mails which end in a dilemma to give a recent example. Perhaps you need to be a special kind of crazy1 to consider this good, but as I see it apt has a big enough userbase that regardless of what your patch is doing, someone will like it. That drastically increases the chances that someone will also like it enough to say so in public – offsetting complains from all those who don't like the (effects of the) patch which are omnipresent. And twice in a blue moon some of those will even step forward and thank you explicitly. Not that it would be necessary, but it is nice anyhow. So, thanks for the love supercow, Google & apt users! 🙂︎

Or in other words: APT might very well be one of the most friendly (package manager related) project to contribute to as the language-specific managers have smaller userbases and hence a smaller chance of having someone liking your work (in public)… so contribute a patch or two and be loved, too! 💖︎

Disclaimer: I get no bonus for posting this nor are any other strings attached. Birthdays are just a good time to reflect. In terms of what I do with my new found riches (in case I really receive them – I haven't yet so that could still be an elaborate scam…): APT is a very humble program, but even it is thinking about moving away from a dev-box with less than 4 GB of RAM and no SSD, so it is happily accepting the gift and expects me to upgrade sooner now. What kind of precedence this sets for the two decades milestone next year? If APT isn't obsolete by then… We will see.


  1. which even ended up topping Hacker News around New Year's Eve… who would have thought that apt and reproducibility bugs are top news ;) 

SPF, DKIM and DMARC

I sign all my mails with GPG for a few years now. Beside the huge hypothetical boner and the moral highground this provides it is also nice to get some minor benefits like a ham bonus on Debian mailinglists (even if we all know how that is implemented).

It is hard to belief sometimes, but I don't sent mails to Debian only through. Sometimes I get questions what that strange attachment is nobody can open. Its okay through, I don't blame them.

What I can't tolerate through is mails from me ending up in Spam because I don't sent mails from one of the big (free) mail providers (and to a bunch of people all at once). There are a bunch of options available to make my mails look a bit more legit even for those mailservers which don't understand gpg in the form of SPF, DKIM and DMARC. The bonus they provide isn't huge (if not non-existent) and there are problems and shortcoming involved I don't have to deal with with gpg signing but the things you do to avoid having to hear a "lets all just use a facebook/whatsapp/whatever group for communication"…

[note that I have added most of this to kalnischkies.de, but the setup was initially setup for and tested on an other domain – I will just say example.org here to not have you confused by blogpost vs. reality]

SPF

Easy to do if you have just one place you sent mails from – which in my case is true as I sent mails by letting msmtp connect to the SMTP of my hoster, which for rough emergencies also has a webfrontend so all I had to do is add a TXT record in DNS: "v=spf1 mx -all".

And as I have subdomains (for mailinglists mainly) which sent mails, too, add for all these subdomains "v=spf1 mx:example.org -all" as well. Additionally, if you have subdomains which do not sent mails, you can say that they all should fail spf unconditionally: "v=spf1 -all" (You can set this also for subdomains you don't have, but spammers use anyhow).

DKIM

Is a bit harder. My hosts SMTP doesn't support it (they are equally dubious of its usefulness as I am), but don't fear: I can add a DKIM signature locally before passing it on the hosts SMTP! Arch user 2ion has documented his setup and mine is rather similar, just that I installed python3-dkim, took dkimsign.py from git (changing interpreter to python3) and adapted my already existent sendmail wrapper [= a forgot to attach attachement detection script] to use that python script.

Of course, I had to generate some private keys for this exercise. I used "opendkim-genkey -b 2048 -d example.org -s mail" for that (the default keylength is 1024 – the spec seems to suggest that implementations are required to support up to 2048, so if I have to do it, lets do it big). The "-s mail" part is freely choosable by the way for keyrollovers and stuff. Beside the private key that command also generates a textfile which contains what has to be added as another TXT record in DNS.

DMARC

That's easy again: Yet another TXT record in DNS: "v=DMARC1; p=none". I think I will eventually use more stricter settings and might even explore the report facilities but for now that seems to work okayish.

Testing

Sending mails to a Google Mail account (as they make use of those features and add results to mail headers) can tell you if its working. Mail-Tester is also a nice service to test your setup (even through it targets mostly at newsletter creators) which tests various details, presents it friendly and even gives some tips (if it works that is, sometimes it seems to have problems).

Summary

A bit of busy work and I see how that could be oh so much more complex if I would have a different setup, but in the one I have it seems to have a very slight net-benefit, even if I would like to not need it in the first place…

On the upside, it gives me another bunch of ham bonuspoints on Debian mailinglists, which means I can probably spam quite a bit now… 😉︎

I just hope I also get enough bonus points on setups I was setting this up for…

This blog has no centralized comment section. Feel free to comment on it in your own blog, some other page or channel you are on to discuss stuff and/or contact me by mail. I am happy to add pointers and updates as needed.