Lib packaging for your own repo

This is a note to self about the release procedure and distro packaging of a development library.

These instructions expect aptly and createrepo to be preinstalled on your repo server together with a valid GPG key.

Packaging a .deb

1. Checkout the release tag and build the deb according to README. Each build should be done on the same machine as the target distribution. If I am packaging for Centos 6 I am also building on Centos 6. If CMake and CPack are set up correctly it usually boils down to:

If the project is missing CMake, refuse to package it.

2. Check that deb info is correct:

3. Rename it to distro you are building on, then scp to your repo server

4. If aptly repo does not exist yet, create it

Ideally you only create the repo the first time, for future updates you create a snapshot of it, add a package, then switch the repo to new snapshot. See aptly docs for more.

Alternatively, you can just add more packages and update the repo with


5. Add package to repo

6. Publish repo

7. On target machine, add repo to /etc/apt/sources.list and fetch public key

8. Update and then check if package info is correct

9. If big mistakes were made

..and start over. Repeat for Debian 8 etc.

Packaging an .rpm

1. See the previous #1. The only difference is

2. Check that rpm info is correct

3. Rename it to distro you are building on, then scp to your repo server

4. Make sure you have .rpmmacros file in home dir with uid of gpg signing key (check out your keys with gpg --list-keys). If you don’t have one, generate it. Entry in the file should look like:

5. Sign rpm

6. Move to appropriate repo that was created by createrepo earlier (see createrepo docs)

7. Update repo metadata

8. Add your repo on the target machine

Since createrepo is pretty much just an http server you can simply delete an rpm and update the metadata in case things go south.

Repeat for Centos 6 etc.
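The .rpmmacros and signing steps above are where a mistake silently ships an unsigned or wrongly signed package, so here is an added example (not the author's own commands) that checks them. The function names, the sample identity and the script name are hypothetical; %_gpg_name, rpm --addsign and rpm -qpi are standard rpm features.

```shell
#!/bin/sh
# Added example: guard rails around the .rpmmacros and "Sign rpm" steps.
# Usage (hypothetical script name): sh rpm-sign-check.sh PKG.rpm ~/.rpmmacros KEYID

# Print the signing identity from the %_gpg_name entry of a macros file.
# Prints nothing if the file is missing or has no such entry.
gpg_name_from_macros() {
    sed -n 's/^[[:space:]]*%_gpg_name[[:space:]]\{1,\}//p' "$1" 2>/dev/null | tail -n 1
}

# Read `rpm -qpi` output on stdin and classify its "Signature" line.
# Prints "unsigned", or the key ID (lower-case hex) the package was signed with.
signature_key_id() {
    awk '
        /^Signature[ \t]*:/ {
            if ($0 ~ /\(none\)/) { print "unsigned"; found = 1; exit }
            if (match($0, /Key ID [0-9A-Fa-f]+/)) {
                # skip the 7 characters of "Key ID "
                print tolower(substr($0, RSTART + 7, RLENGTH - 7))
                found = 1
                exit
            }
        }
        END { if (!found) print "unsigned" }'
}

# Sign a package and confirm the signature that ended up in it.
#   $1 rpm file, $2 macros file, $3 expected key ID or fingerprint (lower-case hex)
# Returns 2: no %_gpg_name, 3: no secret key, 4: signing failed,
#         5: package still unsigned, 6: signed with an unexpected key.
sign_and_verify() {
    rpmfile=$1
    macros=${2:-$HOME/.rpmmacros}
    expected=$3

    name=$(gpg_name_from_macros "$macros")
    [ -n "$name" ] || { echo "no %_gpg_name entry in $macros" >&2; return 2; }

    # The identity in .rpmmacros must match a secret key in the keyring.
    gpg --list-secret-keys "$name" >/dev/null 2>&1 ||
        { echo "no secret key for '$name'" >&2; return 3; }

    rpm --addsign "$rpmfile" || return 4

    # A digest-only "OK" from rpm -K does not prove a signature is present,
    # so read the Signature line from the package header instead.
    got=$(rpm -qpi "$rpmfile" 2>/dev/null | signature_key_id)
    [ "$got" != "unsigned" ] || { echo "$rpmfile is still unsigned" >&2; return 5; }

    # rpm prints a 16-hex-digit key ID; accept a full fingerprint that ends with it.
    case "$expected" in
        *"$got") echo "signed with key $got" ;;
        *) echo "signed with unexpected key $got" >&2; return 6 ;;
    esac
}

# Only act when called with a package, a macros file and a key ID.
if [ "$#" -ge 3 ]; then
    sign_and_verify "$@"
fi
```

On the target machine the same Signature line check applies after importing the repo's public key, before the package is trusted.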


Analysis of BNETD and Blizzard

This is a Lawmeme article posted by Ernest Miller in 2002 bringing a detailed look in the Blizzard v Bnetd case. Since the original website no longer exists on the web I decided to post it here for preservation. You can view the original on this link.


On February 17th, Vivendi sent a cease and desist letter to the ISP hosting the bnetd project (which had developed a emulator) for alleged copyright infringement of Blizzard‘s games as well as violations of section 1201 of the DMCA. Slashdot has run two stories on the case the first announcing it (Blizzard Rains on Bnetd Project) and the second looking at the responses from Blizzard and bnetd (Blizzard, Bnetd Respond on Bnetd Shutdown). The Kuro5hin community also discussed the case (DMCA used to shut down bnetd project).’s response has been posted on the web (Emulation FAQ). Anti-DMCA activist Tim Neu has written a Rebuttal to the FAQ. Chilling Effects, the cease and desist website, has the letter as well (Bnetd Project – Chilling Effects). Bnetd has posted its own Case FAQ.

UPDATE (28 Feb 2002): a few technical corrections


Blizzard and

Blizzard is currently a division of Vivendi Universal Games, the gaming component of multinational multimedia conglomerate Vivendi Universal Publishing. Game company legend Sierra Entertainment is also part of Vivendi as are such valuable franchises as The Mummy Returns and Lord of the Rings.

Blizzard’s first big success, WarCraft: Orcs and Humans, was released in late 1994 and was one of the pioneering games in a revolutionary new genre known as real time strategy. Real time strategy has since become one of the leading formats for games, especially in multiplayer gaming. In December 1995 the immensely popular sequel, WarCraft II, was released. WarCraft II allowed play by up to eight other people simultaneously via a local area network (LAN) using the IPX protocol. However, not many did because LANs were not readily available to most players. Internet play was not an option because the Internet uses TCP/IP protocols, not IPX. However, a shareware IPX emulator called Kali was available that allowed games with an IPX connection to be played via the Internet. Kali (which is now hosted by I-Lan Game) essentially fooled WarCraft II into thinking it was being played on a LAN when it was actually being played via the Internet.

Internet play via Kali was tremendously popular and Blizzard went so far as to release a patch called “War2kali.exe” to facilitate play via the Kali network, though no formal agreements were made between Kali and Blizzard. Indeed, Blizzard included a full copy of the freely distributable Kali shareware client in the WarCraft II: Battle Chest edition without asking permission from Kali (none was legally required). Since then, every subsequent Blizzard release has included LAN play and was supported by Kali, which has never received a cease and desist order. The success of multiplayer over the Internet obvious, Blizzard introduced with their next product, Diablo, in late November 1996. Like Kali, was a multiplayer meeting place that permitted players of Diablo to easily find opponents for Internet play. Use of was free for the purchasers of Diablo (and every subsequent Blizzard release).

The Bnetd Project

In February 1998, Blizzard published what many consider the best real time strategy game ever released, StarCraft. It was certainly popular, selling more copies than any other game in 1998. For a variety of reasons, in the Spring of 1998 Mark Baysinger, then a student at the University of California San Diego, began reverse engineering the protocol StarCraft clients used when connecting to In April, Mr. Baysinger posted the first version of a emulator he called “Starhack.” One could not actually play StarCraft with this first version it merely had chat capability. One day after posting Starhack on the Internet, Mr. Baysinger received a cease and desist letter (Cease & Desist Letter) from the Software Publishers Association (now known as the Software & Information Industry Association). Although the SPA initiated the cease and desist demand, Blizzard was copied on the letter and presumably authorized it. Unimpressed, Mr. Baysinger asked the SPA to clarify their copyright concerns, but never received any clarification (SPA Cease and Desist Correspondence). In the face of Mr. Baysinger’s refusal to shut down his project on the SPA’s mere assertion, the SPA apparently dropped the issue. Slashdot noted the controversy at the time (Blizzard, SPA and StarHack site).

The Starhack project quickly became popular in the StarCraft community but, due to time limitations, Mr. Baysinger abandoned the project in December 1998. Starhack had been released under the GPL and, in a classic example of open source development, continued to be developed as the bnetd project (What is the history of bnetd? in the BNETD FAQ). As Newsforge reported (Open Source game server shut down by DMCA), bnetd was an example of a successful open source project, as “the bnetd project had 10 listed developers and was above the 95th percentile of activity at with a stable product.” The latest version of bnetd supported most functionality, including clients for StarCraft, StarCraft: Brood War, Diablo 1.05+, WarCraft II Edition and Diablo II. The only major functionality missing was the ability for Diablo II players to host “closed” realms where the server stored the characters created by players (How complete is bnetd right now?).


Diablo II was released to great acclaim in June of 2000 and its expansion set, Diablo II: Lord of Destruction, was published one year later. The next eagerly anticipated release from Blizzard is the third installment in the WarCraft dynasty WarCraft III: Reign of Chaos, which is expected to be released in June 2002. On February 7, 2002, Blizzard shipped out 5,000 beta copies of WarCraft III to selected individuals for playtesting and balancing (WarCraft III – Beta Information Center). Such extensive playtesting is necessary because of the complexities of properly balancing a multiplayer game that includes 4 different races with widely varying abilities (Rock, Paper and Scissors). WarCraft III will, like previous Blizzard games, include single player and LAN play options. However, for purposes of the beta test, only play was enabled in the shipped beta copies.

It wasn’t long (February 13th) before beta testers began to provide the bnetd project with packet dumps from the communications between WarCraft III beta client and (WarCraft III Dumps). This was, of course, so the developers could begin work on supporting WarCraft III on bnetd. However, some of the main developers were opposed to working on support while the client was in beta (Tim Jung – Re: WarCraft III Dumps). Consequently, as is occasionally the case in open source projects (Advantages of Open Source Software), a “forked” version of bnetd was developed. The developers of this new version of bnetd called themselves “Warforge.”

The Cease and Desist Letter

On February 19, not long after the Warforge WarCraft III beta compatible version of bnetd was released, the ISP hosting the bnetd project, Internet Gateway, Inc., received the cease and desist email. Action was also taken against Net-Games, also known as, which provided another emulator. Net-Games is based in Germany. Unable at this time to contest an expensive lawsuit against Vivendi, the bnetd development team removed the emulator files. Subsequently, and independently, Warforge removed their emulator files. Net-Games has also removed access to the objectionable files while they consider their legal options.

It should also be noted that sometime in 2001, in the late summer or early fall according to one source familiar with the issue, both GameSpy Arcade and Microsoft‘s MSN Gaming Zone, which had previously served as meeting places for Blizzard games similar to Kali or bnetd, ceased to do so with little publicity. Both had been asked, informally, to no longer support enabled games. As both have close business relationships with Blizzard (such as Gamespy’s websites devoted to Blizzard games such as PlanetDiablo and Orc Command “For ALL things WarCraft”), both complied with the request.

The Technology

Blizzard would not comment on the technologies used for, so the following description is based on conversations with members of the bnetd and Warforge development teams.

The protocol is a relatively simple one. is essentially a meeting place for gamers and does not actually host games it merely provides a forum for players to meet to set up a game, which is then hosted on one of the players’ own computers. This is known as peer-to-peer gaming and is very efficient as far as the meeting place is concerned since the bulk of the game traffic does not have to pass through or be processed by the meeting place’s servers (Salon published a story on the economics of in 1999 Online gaming’s store-shelf chains though I doubt ad revenues are as high as they were then). The partial exception to this on is the “closed” realms version of Diablo II, where characters and games are stored on servers. In addition to opponent finding and game launching, meeting places often offer chat, buddy lists, ladders (rankings of players) and other functions. Such meeting places are not particularly difficult to develop or run. In the gaming community there have been numerous implementations of meeting places, including ones already mentioned as well as such defunct examples as (now part of GameSpy), TEN, and HEAT.

The majority of the information sent from a enabled client (such as StarCraft) to is fairly standard for such games and, as such, was not terribly difficult to reverse engineer. The exception being, again, Diablo II closed realms, which is only partially a peer-to-peer game. Moreover, no significant change is required in the client program to enable the program to talk to an alternative bnetd server. All that is required is for the user to edit a configuration file in the Windows Registry. Users can edit the registry using a standard program included with Windows called regedit.exe. Regedit.exe can be difficult to use, and improper use can have serious consequences such as disabling a program or the entire computer. Thus, a small program was developed that made it simple for users to edit the pertinent elements of the registry.

The non-encryption related elements of the WarCraft III beta are not terribly different from previous Blizzard games. There have been some minor changes to the protocol, but nothing significant. Thus, the developers of Warforge were able to make the appropriate modifications to their version of bnetd within a few days.

The Crypto

For most games there are at least three places in the protocol that are encrypted or hashed there may be more in some unknown fields, but they do not seem to affect functionality. These elements perform the following functions:

  1. CD-Key packets in newer clients,
  2. Client version authentication,
  3. Account creation, login, and changing passwords, and
  4. map authentication

Bnetd does not know how (1) and (4) work. Two (2) is a checksum challenge and (3) uses a pseudo-SHA-1 hash.

The CD-Key performs two functions for games. The first function is to prevent installation of the game from CD without the key. That is, when you attempt to install Diablo II the program will require the user to manually enter a CD-Key before installation will continue. Without the CD-Key the game cannot be installed. The second function takes place when a player attempts to connect to During the initiation sequence, the client will send an encrypted version of the CD-Key to the server which will determine whether the CD-Key is valid or not. If valid, the server will also determine whether another player is currently logged on with the same CD-Key. If the CD-Key is not valid, or another player is currently logged on with the same key, will reject the connection. Since each CD has a unique key, such a policy discourages piracy or the sharing of keys.

Note however, that pirated versions of Blizzard games can be installed with shared keys and that LAN play does not require CD-Key validation.

Bnetd’s emulation of does not validate keys. It simply ignores the encrypted packet containing the key. After all, users of bnetd would probably not be happy if bnetd did decrypt the packet, since that could be a means through which the unscrupulous “harvest” valid keys that could then be sold by pirates.

The WarCraft III beta works a little differently than previous Blizzard games. The CD-Key for WarCraft III seems to perform the same function as previous games, but with one addition. Having validated the CD-Key, the server will return an encrypted response to the client (challenge-response). Without this response the client will not function. Warforge surmounted this by creating a program that changed a single byte in one of WarCraft III’s Dynamic Linked Libraries (DLL) so that the client no longer expected a response.


The Cease and Desist Letter

The letter sent to Internet Gateway, Inc., the ISP hosting the bnetd project appears to invoke and meet the requirements of a section 512 letter under the Digital Millennium Copyright Act (“This letter is to notify you, pursuant to the provisions of the Digital Millennium Copyright Act….in order for you to claim a safe harbor under the DMCA.”). At first glance, it seems to include all the information required for proper notification under section 512:

  • The name, address, and electronic signature of the complaining party [512(c)(3)(A)(i)]
  • The infringing materials and their Internet location [512(c)(3)(A)(ii-iii)]
  • Sufficient information to identify the copyrighted works [512(c)(3)(A)(iv)]
  • A statement by the owner that it has a good faith belief that there is no legal basis for the use of the materials complained of [512(c)(3)(A)(v)]
  • A statement of the accuracy of the notice and, under penalty of perjury, that the complaining party is authorized to act on the behalf of the owner. [512(c)(3)(A)(vi)]

On closer inspection, however, the letter is problematic on a number of fronts. First, section 512 is only applicable to infringements of copyright. It does not apply to violations of the DMCA. Vivendi claims that some of the offending material “bypasses anti-circumvention technology, thereby infringing upon Blizzard Entertainment copyrights.” Bypassing anti-circumvention technology may be a violation of section 1201 of the DMCA. However, violating section 1201 is not an infringement of copyright it is a violation of the DMCA. According to section 501 of the Copyright Act, copyright infringement is a violation of the copyright holder’s rights under sections 106-118 or 602, it does not include section 1201.

The letter also claims that software hosted by bnetd “modifies and/or alters Blizzard Entertainment copyrighted software … thereby infringing upon Blizzard Entertainment copyrights.” Problematically for Vivendi, no software provided by bnetd altered or modified any Blizzard software. At worst, bnetd provided instructions and a program for individuals to modify Windows registry configuration information. Moreover, it is not readily apparent that software which modifies or alters other software necessarily infringes copyright. Again, copyright infringement exists where rights under sections 106-118 or 602 are violated. Nowhere does the copyright law say that copyright holders have the exclusive right to ensure that their works are free from modification or alteration. In essence then, Vivendi has asserted infringement but has not claimed that any of its exclusive rights as a copyright holder have been violated. How can an ISP identify infringing material when there are no allegations of infringement, only an unsupported assertion? After all, section 512(c)(3)(A)(vi) requires a statement “that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.” But the letter does not identify any exclusive right being infringed.

Finally, the letter did not specifically identify any infringing files whatsoever. Although identifying every file is not always necessary, there is not even a listing of representative files that are to be removed. With the exception of the forum mailing lists, the bnetd website did not change excessively. There is no excuse for Vivendi not to have identified specific files or, at a minimum, representative files.

Does BNETD Violate Blizzard Copyrights?

Unlikely, although it must be stated that Vivendi/Blizzard has yet to claim which exclusive rights are infringed by which programs hosted by bnetd, so this analysis is based on speculation as to likely complaints.

In general, copyright infringement consists in copying or distributing another’s work without authorization. In this case, the bnetd server is the original work of its various developers (BNETD Project Credits). The developers have never had access to software, so it would be impossible for them to have copied it. As there is no copying there is no infringement. Indeed, Blizzard’s FAQ on the case admits as much since it is called the Emulation FAQ. In computer science, emulators are software designed to imitate the same function as another piece of software. They are not copies. If it was a copy, it would not be “imitating” the function of another piece of software, it would be the same software.

In order to create a emulator, the bnetd developers engaged in a combination of reverse and value engineering. Their method of reverse engineering did not require any decompiling or disassembly of the code of the client (again, they could not have disassembled or decompiled the code since they did not have access to it). It is decompiling of code that frequently gets reverse engineers in copyright trouble that is not a problem for bnetd since it was not required. Bnetd was able to reverse engineer by simply looking at the traffic between server ( and client (game player). For example, a player would start a game as one type of character on in Diablo II (e.g., a Necromancer) capture the packets, then start a game as a different character (e.g., a Barbarian) and capture the packets. By comparing the two packet dumps, one of the bnetd developers would be able to determine which packets identified specific elements of the game. The developer would then make changes to the bnetd server and check his work by performing the same test with client on the bnetd server. Through trial and error, the bnetd server improved.

To my knowledge there is no law that holds that reverse engineering a protocol through packet dumping implicates copyright in any way.

Vivendi might claim that special programs to assist users of bnetd to edit their Windows registry violated copyright. As mentioned above, the Windows registry consists of configuration files that can be modified by the user using regedit.exe which is part of every version of Windows. It is not at all clear how provision of a program to make editing certain portions of the registry easier would violate an exclusive right of the copyright holder. Moreover, it is not clear whether a user who alters the registry is violating copyright. They may be violating the EULA (more below), but that is not a violation of copyright.

Does BNETD Violate Section 1201 of the DMCA?

Unlikely, but the statute in question is quite complicated and the law has not yet been clarified by the courts. It must also be made clear that simply because something may facilitate piracy does not mean it violates section 1201 of the DMCA.

The first issue is whether or not the CD-Key authorization mechanism is an access control device under section 1201(a). Section 1201(a) states that a device controls access to a work, “if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” One significant question is access to what work? Bnetd does not facilitate unauthorized access to, it is a substitute. Bnetd does not facilitate access to the single player version of the game. Bnetd does not facilitate access to the LAN multiplayer aspects of the game. Bnetd does not facilitate access to Internet multiplayer, since that is accomplished through LAN emulators such as Kali. At worst, bnetd facilitates access to Internet multiplayer using the client’s interface. It is questionable whether access to a particular interface counts as “access to the work.” It is questionable whether enabling certain functionality is “access to the work.” Even granting that the interface or functionality is a work that can be improperly accessed, does accessing it require the application of information, or a process or a treatment to gain such access? For every Blizzard game prior to the Warcraft III beta, clearly not. Bnetd servers don’t send any “access” information to a client, they simply do not bar a client from accessing them.

This is made clear by the definition of circumvention in 1201(a)(3)(B), which “means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” Bnetd does not descramble, decrypt, remove or deactivate anything. It does not avoid, bypass or impair, it ignores. Ignoring is not circumventing. Indeed, section 1201(c)(3) states that, “nothing in this section shall require that the design of, or design and selection of parts and components for, a consumer electronics, telecommunications, or computing product provide for a response to any particular technological measure.” The reason for this is to prevent copyright holders from forcing copy protection measures onto computer and consumer electronics manufacturers. An example would be a music publisher who releases a CD that has watermarking in the music. The watermark states, “do not rip into MP3 format.” There is no obligation for CD manufacturers to build in a system that can detect and obey that watermark.

Moreover, even if bnetd did circumvent an access anti-circumvention measure, it would still be legal to distribute it so long as:

  • It was not primarily designed or produced for the purpose of circumvention. A very good case can be made that the primary purpose of producing bnetd was to provide an alternative to the drawbacks and limitations of (About the BNETD Project). One quote from a Review of Diablo II on will provide some idea of the frustrations many feel with regard to “Provided that Battlenet doesn’t make you want to pry your eyes out with a grapefruit spoon, you will find that you can go online and play your character in the Diablo Battlenet Realms.” Even Blizzard’s Senior Director, Bill Roper, admits that’s stability left something to be desired in an interview with Eurogamer, “There was certainly a period of time in the history of where the team was constantly playing catch-up. They work on stability, they work on how many people could be online, they work on access and bandwidth issues, they get all those things fixed, and then we get another 25,000 people online concurrently and all [the] new stuff will break.”
  • It has more than limited commercially significant purpose. Again, a very good case can be made that bnetd does have significant commercial purposes. Bnetd currently supports a number of features that does not, such as the ability to connect with IRC, create custom ladder games and tournaments, and send broadcast messages.
  • Is not marketed for use in circumventing a technological measure that effectively controls access to a work protected under this title. Although, as an open source project, bnetd has little control over how some individuals may promote it the bnetd and Warforge developers have never promoted piracy of Blizzard’s games. Indeed, the developers of bnetd are some of Blizzard’s biggest supporters and fans.

The next issue is whether bnetd violates section 1201(b) which prohibits distribution of devices which “effectively protects a right of a copyright owner under” the Copyright Act. To qualify as technological protection measure under section 1201(b), a device must “in the ordinary course of its operation, prevent, restrict, or otherwise limit the exercise of a right of a copyright owner.” The only right at issue would seem to be the right to copy. But it is difficult to claim that bnetd undermines this as one must already have a copy of a Blizzard game (legitimate or illegitimate) in order to use bnetd. In other words, any copying occurs prior to use of bnetd. It may be that the availability of bnetd encourages some to make illicit copies who wouldn’t have without bnetd, but that is not a violation of the DMCA.

It is also strange to claim that the CD-Key system prevents copying since a valid CD-Key is not necessary to connect to and download the latest patches for a warez copy of the game. Using a warez copy one logs into Prior to CD-Key validation, Blizzard conveniently provides the latest patches for the warez copy. Patches are also available via public ftp ( It is hard to claim that the CD-Key system effectively prevents copying when Blizzard itself updates warez copies of its games to the latest version. Most bnetd servers are set up by owners of legitimate copies and the server ensures that those joining have the same version of the game. If Blizzard were truly concerned about piracy they would at least try to make it more difficult to get the latest patches.

Furthermore, under section 1201(f)(2):

Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure … for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

It seems pretty clear that even if bnetd is a circumvention device, then it clearly falls under the exemption of 1201(f)(2), since any circumvention is only for the purpose of achieving interoperability between bnetd and the Blizzard game. Such interoperability does not constitute infringement, since it does not violate sections 106-118 or 602.


Bashmagic collection vol1

Keep only last X lines of a file (shrink).

Deploy maven artefact to a specific repo without specifying it in pom.xml (format repoId:default:repoUrl). Repo should be specified in your .m2 settings.xml with any necessary credentials.

One liner to set password for default PostgreSQL user after initial install.

Run command inside a screen and save all output to a file

Scroll around inside a screen.

Add 4GB swap on Centos 7 with a stroke of a copy-paste.

Standard tcpdump.

Show listening ports with corresponding executables.

Show systemd logs for a specific service.

Freshly installed nginx configured as reverse proxy on Centos 7 getting “Permission denied” when connecting to backend service

Convert a certificate stored in a Java keystore to a PEM cert and key (for example, Tomcat to Nginx transition).

Disable git SSL verification per-repo.

Disable git SSL verification at clone time.

Clear git username and password cache for a repo (in case of password change or similar).

Give user sudo privileges.

Git submodule is added to an existing repo and is not resolving for you locally.

Print all TCP connections of a Docker container.

Nmap portscan.

Force JVM to use /dev/urandom instead of /dev/random (sometimes needed in low entropy environments like Docker).

Debug print all network activities on JVM level.

Create .htpasswd file for Nginx



Watching beIN SPORTS Direct Spain from anywhere in the world

It’s 2017 and it is almost impossible for a regular human being to watch Champions League without being subscribed to cable or internet TV and pay exorbitant fees for hundreds of bundled channels you don’t really need or want.

beIN SPORTS Direct is 9.99€ a month in Spain which is a reasonable price. The problem is that it is geoblocked to Spain only. Here is a guide on how to overcome this.

  1. Register account

    Go to and insert your email and password. This will open up the following form:

    Nombre: your name
    Apellidos: surname
    Tipo documento: NIF
    NIF number: NIF is some kind of tax ID in Spain. It consists of 8 digits plus CRC character on the end. beIN sports has a validator on this number so it must be correct. Go to and insert random 8 digits, then copy the digits and the CRC.
    Teléfono móvil: This has to be a valid Spanish phone number. It starts with a 6 or 7 followed by 8 digits. You can put whatever valid number you like, there is no SMS confirmation or anything like that.
    Código postal: valid Spanish postal code. Pick whatever:

    Finish up by giving your credit card info.

  2. VPN

    You should now have an account but if you try to play any of the streams they will be black unless you already have a Spanish IP. All you need to do now is find a decently priced VPN that allows you to freely switch locations and has servers in Spain. For a quick test you can do it via TunneloVPN Chrome extension which offers 1GB for free upon registration. In the extension choose Spain from the drop-down, turn it on and refresh your beIN SPORTS Direct page. Video should now start playing. You can verify that you have Spanish IP by going to any of the “what is my ip” websites.

And that’s it, you can now watch beIN SPORTS Direct for 9.99€ a month from any country. You’ll probably have to add 5€ to that monthly bill for a VPN but such is life. This is the cheapest way for a cord cutter to watch Champions League and La Liga online, at least known to me.

The only bad news is no HD streams which sucks.. but we’ll get to this in a few years hopefully.


Oh FileZilla…

I have encountered a weird problem when connecting to our FreeBSD server with FileZilla over SFTP. Either with password or key authentication I would get:

Error:    Server sent disconnect message
Error:    type 2 (protocol error):
Error:    “Too many authentication failures”

So let’s turn on debugging shall we?


Trace:    Pageant is running. Requesting keys.
Trace:    Pageant has 15 SSH-2 keys
Trace:    Successfully loaded 1 key pair from file
Trace:    Trying Pageant key #0
Trace:    Server refused our key
Trace:    Trying Pageant key #1
Trace:    Server refused our key
Trace:    Trying Pageant key #2
Trace:    Server refused our key
Trace:    Trying Pageant key #3
Trace:    Server refused our key
Trace:    Trying Pageant key #4
Trace:    Server refused our key
Trace:    Trying Pageant key #5
Trace:    Received disconnect message (protocol error)
Trace:    Disconnection message text: Too many authentication failures

So basically, I give FileZilla a specific keyfile but it tries all my keys anyway. Now let’s see what the bright minds on FileZilla issue tracker have to say about this bug. gives us a workaround:

which works nicely. A working workaround is a blessing if you really need to use something that is essentially broken. The bug is marked as a duplicate of

This bug contains a brilliant comment by an apparent FileZilla developer:

This is by design, FileZilla uses the system’s SSH agent.

Just reconfigure the server to allow for more keys.

What the actual? The bug will apparently be solved via

which is marked as “fixed” and the comment 19 months ago says it will be in the “next version”. The latest version is 3.24.0 released on January 1st 2017 which is exactly what I have and guess what? Not fixed, after 7 years.


So at this point I’ll just safely assume that FileZilla might as well be the worst SFTP client in existence and just use something else. But guess what? There is more. The exact same problem exists in Gnome Files if you try to open an sftp:// location. The obvious reason is that Gnome Files does not ask you anything about keys or authentication type but just cycles through SSH keys to try and find the correct one. Why did nobody think about offering me a popup dialog to pick the correct key? Probably because Gnome likes to dumb down things, I can’t really find any other reason.
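
The key cycling in the trace above can be checked mechanically. The following Python is an added example, not part of the original post or of FileZilla: it parses the quoted trace and reports how many keys were offered before the server disconnected. The `tries_needed` figure assumes the key file is offered only after every agent key, which the trace suggests but does not show.

```python
import re

# The debug trace quoted in the post, embedded so the example runs offline.
TRACE = """\
Trace:    Pageant is running. Requesting keys.
Trace:    Pageant has 15 SSH-2 keys
Trace:    Successfully loaded 1 key pair from file
Trace:    Trying Pageant key #0
Trace:    Server refused our key
Trace:    Trying Pageant key #1
Trace:    Server refused our key
Trace:    Trying Pageant key #2
Trace:    Server refused our key
Trace:    Trying Pageant key #3
Trace:    Server refused our key
Trace:    Trying Pageant key #4
Trace:    Server refused our key
Trace:    Trying Pageant key #5
Trace:    Received disconnect message (protocol error)
Trace:    Disconnection message text: Too many authentication failures
"""

def analyse_trace(text):
    """Count public-key offers and refusals in a FileZilla debug trace."""
    r = {"agent_keys": 0, "file_keys": 0, "offers": 0, "refused": 0, "cut_off": False}
    for line in text.splitlines():
        msg = line.split(":", 1)[-1].strip()      # drop the "Trace:" prefix
        if m := re.match(r"Pageant has (\d+) SSH-2 keys", msg):
            r["agent_keys"] = int(m.group(1))
        elif m := re.match(r"Successfully loaded (\d+) key pair", msg):
            r["file_keys"] = int(m.group(1))
        elif msg.startswith("Trying Pageant key #"):
            r["offers"] += 1
        elif msg == "Server refused our key":
            r["refused"] += 1
        elif "Too many authentication failures" in msg:
            r["cut_off"] = True
    # Keys the client held but never got to present before the disconnect.
    r["untried"] = r["agent_keys"] + r["file_keys"] - r["offers"]
    # Assumption: the key file is offered only after every agent key, so the
    # server must accept this many attempts before the right key is reached.
    r["tries_needed"] = r["agent_keys"] + r["file_keys"]
    return r

if __name__ == "__main__":
    print(analyse_trace(TRACE))
```

A cut-off on the sixth offer matches OpenSSH's default `MaxAuthTries 6`, assuming the FreeBSD server runs a stock sshd. Raising that limit far enough to reach the intended key would also raise the number of guesses every other client gets per connection.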


pgadmin4 on Fedora 25

You can now access the web interface at http://localhost:5050.

Unfortunately the standalone app does not currently work due to a bug in pgadmin4 package.

Fortunately the pgadmin4 standalone app is just a web wrapper so you are not missing much.


Keycloak OAuth endpoints for Postman/HTTP Clients

When testing REST services secured by Keycloak you need to retrieve access tokens via Postman or similar REST client. If you want to implement your own client that has to authenticate with a token you also need to know the Keycloak OpenID endpoints in order to retrieve the access token, refresh it or to end the session (logout).

Retrieving the tokens for a public client using username and password

Public client is typically used for web applications and other client side apps.

Method: POST
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
grant_type password
username <username>
password <password>

Retrieving the tokens for a confidential client using client secret

Confidential client is typically used for secure apps on the back-end.

Method: POST
Body type: x-www-form-urlencoded
Form fields:
client_id <my-confidential-client-name>
grant_type client_credentials
client_secret <my-client-secret>

Retrieve an access token with a refresh token

The first two methods will yield you an access token which you use in the Authorization HTTP header and a refresh token which you save for later. Refresh tokens have a much longer expiry time than access tokens. The idea is that when the access token expires you use the refresh token to get a new access token. This request also gives you a new refresh token so you can keep the session alive until the maximum refresh token expiry time is reached. The refresh token expiry time equals the session expiry time.

Method: POST
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
grant_type refresh_token
refresh_token <my-refresh-token>

Logout the session

To log out and invalidate the session, call a /logout endpoint with your refresh token. The validity of the refresh token is essentially the validity of your entire session.

Method: POST
Body type: x-www-form-urlencoded
Form fields:
client_id <my-client-name>
refresh_token <my-refresh-token>
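
The password grant, refresh and logout requests listed above, tied together as a small session helper for a public client. This is an added example, not code from the original post or from Keycloak: the class name, the injectable `post` and `clock` parameters and the caller-supplied OpenID Connect base URL are assumptions, as are the `/token` path and the standard OAuth 2.0 response fields (`access_token`, `refresh_token`, `expires_in`).

```python
import json
import time
import urllib.parse
import urllib.request

def http_post_form(url, fields):
    """POST x-www-form-urlencoded fields; return parsed JSON ({} if no body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

class KeycloakSession:
    """Token lifecycle for a public client: login, refresh, logout."""

    def __init__(self, oidc_base, client_id, post=http_post_form, clock=time.time):
        # oidc_base: the realm's OpenID Connect base URL (assumption: supplied
        # by the caller, since the page does not show the endpoint URLs).
        self.base, self.client_id = oidc_base.rstrip("/"), client_id
        self.post, self.clock = post, clock
        self.access = self.refresh = None
        self.access_exp = 0.0

    def _grant(self, grant_type, **fields):
        tok = self.post(self.base + "/token",
                        {"client_id": self.client_id,
                         "grant_type": grant_type, **fields})
        self.access = tok["access_token"]
        # Every token response carries a new refresh token; keep the latest.
        self.refresh = tok.get("refresh_token", self.refresh)
        self.access_exp = self.clock() + tok["expires_in"]

    def login_password(self, username, password):
        self._grant("password", username=username, password=password)

    def bearer(self, skew=10):
        """Return an access token, refreshing it shortly before it expires."""
        if self.clock() >= self.access_exp - skew:
            self._grant("refresh_token", refresh_token=self.refresh)
        return self.access

    def logout(self):
        # Ends the whole session: the refresh token is what gets invalidated.
        self.post(self.base + "/logout",
                  {"client_id": self.client_id, "refresh_token": self.refresh})
        self.access = self.refresh = None
```

Use the value returned by `bearer()` in the Authorization header as `Bearer <token>`; a failed refresh raises from the transport, which is the signal that the session has ended and a fresh login is needed.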

Fedora 25 on Lenovo Y50

Everything except WiFi worked out of the box. To get the WiFi working:

Taken from here.

In your BIOS make sure you disable Secure Boot. Not UEFI, not Legacy mode, specifically the switch that disables secure boot and nothing else. After these steps, WiFi works. To enter BIOS on Y50, tap F2 after Lenovo splash screen.


Edit 7.2.2017: WiFi performance is unfortunately ABYSMAL. Will update this post if I find any solutions. Connection is super slow and constantly dropping.

Luckily, USB tethering from Android works like a charm so it’s not a deal breaker for now.

Edit 2: looks like blacklisting bcma driver makes things much much better:



Expose your dev machine to the public via reverse SSH tunnel

Scenario: you are creating a REST service which needs to be exposed to the public even at an early stage of development due to an upstream provider which sends back feedback data from a webhook API.

You are also behind a NAT so you’d have to port forward yourself out but you can’t do that for whatever reason. Or maybe you are behind a firewall and 7 proxies.

All you need is an external server with a public IP. Then, on your machine:

ssh -R 8080:localhost:8080 server_user@public_server_ip

In the above example, I used port 8080 which my REST service uses when I develop. On your public server, make sure you have

GatewayPorts yes

in /etc/ssh/sshd_config. If it is missing, add it.

And that’s it.. your local REST service is now publicly accessible via public_server_ip:8080.



OJDBC7 in a Docker container? Prepare for trouble

Scenario: A JDK8 Docker container using OJDBC7 to connect to the database. Sounds simple enough, what could go wrong?

Symptoms: Connecting to the database randomly takes several minutes, fails with a weird SQLRecoverableException: no more data to read from socket or just works fine as if there is no problem.

The same Docker image also works fine on some machines but fails consistently on others.

The reason is this. Docker is not good at /dev/random. Probably even more so if you run it in a VM, since it’s double isolated from actual entropy sources (my non scientific observation). For whatever reason, OJDBC defaults to /dev/random and this causes a block when connecting to the database due to high probability of /dev/random depletion.

Simple solution is to just mount /dev/urandom to /dev/random inside the Docker, in docker run command:

So.. if you ever want to use OJDBC inside Docker, remember this flag. It will save lives or at least spare you hours of useless debugging.