Happy birthday Howdy 🎉 (or, how i accidentally became a package maintainer)

boltgolt
3 min readFeb 14, 2019

--

Exactly one year ago today i released the very first version of Howdy. Not only did Howdy grow immensely in the year that followed, my appreciation for open source maintainers grew just as fast.

At the start of 2018 i bought a new laptop that came with Windows Hello, and found out that my main OS, Ubuntu, did not support that at all yet. I love tinkering with python though, so with a bit of googling and learning i made a very rough and dirty implementation. It wasn’t fancy, it only supported a few cameras and it definitely wasn’t fast.

For some very tech savvy users that was more than enough. A few dozen people cloned my repository and found all sorts of bugs. With every issue reported and fixed Howdy became a little more robust. Just the fact that people actually cared about my half assed creation was immensely satisfying.

A big step for me was switching from simple “clone-and-install” distribution to a Personal Package Archive (PPA) in April. Suddenly every user would automatically install whatever update i pushed, a very big responsibility. If i pushed code that accidentally disabled all authentication for a user (which isn’t unthinkable for a package such as Howdy) all users would update to it without ever knowing the issue existed. My GPG key was all it took to infect thousands of machines. I definitely lost some sleep over this.

Packaging with a PPA had a lot of good sides as well though. All users would get the newest improvements and additional features automatically and installation became almost trivial.

In September the inevitable happened: The first (and, so far, last) serious security issue with Howdy was reported. Any attacker that requested a remote SSH session with a Howdy-enabled laptop would gain access to that laptop if the user was within facial recognition range. In this version no checks were done if an auth request was remote or not, so the camera simply turned on, recognized the user and marked the remote session login as valid. I pushed a high urgency fix within a couple of hours, but having issues like this with (at that time) hundreds of users was absolutely terrifying.

Other people started working on Howdy, without any prompt or incentive to do so. With some great work they managed to half authentication time and to implement several new recorders that broadened the range of supported webcams to almost all available laptops. 2 guys even made ports for Fedora and Arch, something i could never do myself.

The small community that formed around Howdy made it better than ever. I’m very thankful for all their work and guidance. I never planned to become a package maintainer, but the open source community has certainly welcomed me with open arms.

Howdy is available on Github.

--

--