Re: Firefox complaint

2024-10-04 Thread Jeffrey Walton
On Fri, Oct 4, 2024 at 11:01 AM Joe  wrote:
>
> [...]
> I had the site not work in FF with No-Script nor in Opera with no
> restrictions. But we are not getting to the web page at all, so
> JavaScript is not involved. It's a filtering proxy, and We Are Not
> Welcome.

> Now [sic], as far as I can see, that anyone outside the US has any
> use for the site.

Isn't that true of most sites on the internet? Most sites could
disappear and no one would care. Location does not matter much.

Jeff



Re: Color shifted desktop in testing with LXQt desktop

2024-09-26 Thread Jeffrey Walton
On Thu, Sep 26, 2024 at 7:33 PM James Bielefeldt  wrote:
>
> Looks like dependency hell is the problem. There are over 800 packages
> being held back from testing. It's likely some dependency of pcmanfm-qt
> was upgraded but there are others blocking pcmanfm-qt from upgrading.
> Way too many upgrades to do by hand, and trying in synaptic removes a ton
> of packages.

You might try to use Aptitude from the command line. I find aptitude
has the best solver among the package managers.

Maybe something like:

aptitude update && aptitude safe-upgrade

safe-upgrade will upgrade as many packages as it can upgrade without
removing existing packages.

Jeff



Re: old kernel appears more stable than latest

2024-09-25 Thread Jeffrey Walton
On Tue, Sep 24, 2024 at 10:38 PM hlyg  wrote:
>
> it seems to be caused by wrong usb configuration
>
> kernel msg during boot: "usb 1-3: device descriptor read/64, error -71"
>
> if usb hub is connected to wrong usb port, after running about 12 hours,
> 12.7 fails while 12.5 is OK
>
> connecting to correct usb port can fix it
>
> i get clue from freebsd, its installer refuse to work if wrongly connected

That is a very interesting finding. I thought the external hubs would
auto-configure to the highest version provided by the host. I would
not expect the machine to hang or crash in that particular
configuration. Do you think it is due to cheap hardware?

I should read the USB spec to try to understand what is happening, but
I am too lazy at the moment...

Jeff



Re: Is the CPU microcode updated?

2024-09-24 Thread Jeffrey Walton
On Tue, Sep 24, 2024 at 6:38 PM Franco Martelli  wrote:
>
> Hi everyone,
>
> In the latest Debian minor update (12.7) the "amd64-microcode" package
> was updated, and during the update a message was shown that said:
> "The cpu microcode will be updated at the next reboot".
>
> The issue is that I'm running a homemade kernel image that had the
> CONFIG_MICROCODE_AMD item disabled by me mistakenly, so I'm not sure
> that the microcode of my CPU was updated. Of course I've rebuilt and
> installed a new kernel with that item enabled before rebooting.
>
> I've read the lscpu's man-page but I didn't find anything about the CPU
> microcode version, the following command shows:
>
> $ cat /proc/cpuinfo | grep microcode | head -1
> microcode   : 0x6000822
>
> Is the returned value from an updated microcode? How can I verify
> whether the microcode was updated or not?

I think the microcode can be updated at three different times in the
boot sequence. See
.

Jeff
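An added check for the question above (example code, not part of the thread): the revision in /proc/cpuinfo is whatever is currently running, so on its own it does not say whether the package's patch was applied or the firmware's copy is still in use. Two things settle it: every core should report the same revision, and the kernel log for the current boot should carry a "microcode updated early to revision ..." line rather than only the "patch_level=" line the loader prints when nothing newer was found. The cpuinfo sample below is constructed; the family/model/stepping values and the exact log wording, which changes between kernel versions, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an x86 /proc/cpuinfo layout
# (the "microcode", "cpu family", "model" and "stepping" fields) and that
# journalctl or dmesg is readable. sample_cpuinfo() is constructed data.
set -eu

# Distinct microcode revisions across all logical CPUs, one per line, read
# from $1 (default /proc/cpuinfo). Exactly one line is the healthy case;
# more than one means some cores were left on an older revision.
microcode_revisions() {
    awk -F': *' '$1 ~ /^microcode/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# The CPU signature the loader matches a patch against. amd64-microcode only
# ships patches for some families, so a CPU may legitimately get no update.
cpu_signature() {
    awk -F': *' '
        $1 ~ /^cpu family/     { f = $2 }
        $1 ~ /^model[ \t]*$/   { m = $2 }
        $1 ~ /^stepping/       { s = $2 }
        f != "" && m != "" && s != "" {
            printf "family %s model %s stepping %s\n", f, m, s; exit
        }' "${1:-/proc/cpuinfo}"
}

# Loader messages for the current boot. An "updated early to revision"
# line (wording is kernel dependent) shows the package's patch was applied;
# only a "patch_level=" line means the firmware's revision is still running.
microcode_log() {
    journalctl -k -b 0 --no-pager 2>/dev/null | grep -i microcode \
        || dmesg 2>/dev/null | grep -i microcode
}

# Constructed two-core sample in /proc/cpuinfo format (values are made up).
sample_cpuinfo() {
    for cpu in 0 1; do
        printf 'processor\t: %s\ncpu family\t: 23\nmodel\t\t: 8\n' "$cpu"
        printf 'model name\t: constructed sample\nstepping\t: 2\n'
        printf 'microcode\t: 0x6000822\n\n'
    done
}
```

Run `microcode_revisions` and `microcode_log` after the reboot; a single revision that matches the "updated early" line is the answer to the original question.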



Re: SSL/TLS debugging on MariaDB

2024-09-23 Thread Jeffrey Walton
On Mon, Sep 23, 2024 at 7:13 PM Andrew Wood  wrote:
>
> Is there a way to get MariaDB on Bookworm to log verbosely everything
> to do with connection attempts, in order to try and debug why a client
> keeps getting error 2026 SSL connection error: protocol version mismatch?

I typically use OpenSSL's s_client to connect to the server. It is an
excellent debugging tool for times like this. Something like:

openssl s_client -connect db.example.com:443 -servername db.example.com

You can also use -tls1_2 and -tls1_3 if you want to nail down a
particular version of the protocol. See
 for more
options.

I suspect (and it is just a guess) that the mismatch is due to a plain
text error page being returned to the TLS client rather than a TLS
protocol message with a well formed version. That usually means a TLS
server is _not_ listening on the port you are connecting to. Rather,
just a regular server is listening (without TLS).

> There is currently nothing being logged on the server other than:
>
>   [Warning] Aborted connection 332 to db: 'unconnected' user:
> 'unauthenticated' host: '192.168.253.231' (This connection closed
> normally without authentication)
>
> SHOW GLOBAL VARIABLES LIKE 'tls_version'; gives TLSv1.1,TLSv1.2,TLSv1.3
> and the client is based on a relatively recent version of libmysqlclient,
> so I'm struggling to understand what is going wrong without some more
> detailed logging. I can't find anything in the MariaDB manual.

Jeff
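A worked version of the s_client approach above, added here and not part of the thread. One caveat matters for MariaDB: the server sends its greeting packet in plaintext and the client only then asks to switch to TLS, so a plain `openssl s_client -connect host:3306` receives a non-TLS record and fails with a wrong-version error that looks like the mismatch being debugged. `-starttls mysql` (OpenSSL 1.1.1 and later) sends the SSLRequest packet first. The host and port are placeholders, and the two captured outputs in the test are constructed; also note that on Debian's OpenSSL 3 the default config sets MinProtocol to TLSv1.2, so `-tls1_1` fails on the client side whatever the server offers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ on PATH for
# "-starttls mysql"; host/port in probe_all are placeholders.
set -eu

# Negotiated protocol from s_client output on stdin, e.g. "TLSv1.3", taken
# from the "Protocol  : TLSv1.3" line of the session summary. Empty when
# the handshake did not complete.
negotiated_protocol() {
    awk -F': *' '/^ *Protocol *:/ { print $2; exit }'
}

# Rough classification of s_client output on stdin:
#   tls              a session was negotiated
#   plaintext        OpenSSL saw a non-TLS record (a non-TLS service on the
#                    port, or MySQL's plaintext greeting without -starttls)
#   version-rejected TLS spoke back but refused the requested version
#   unknown          anything else (look at the raw output)
# OpenSSL's error strings vary by version, so the patterns are heuristics.
classify() {
    out=$(cat)
    if [ -n "$(printf '%s\n' "$out" | negotiated_protocol)" ]; then
        echo tls
    elif printf '%s\n' "$out" | grep -qE 'wrong version number|unknown protocol|packet length too long'; then
        echo plaintext
    elif printf '%s\n' "$out" | grep -qE 'protocol version|no protocols available|handshake failure'; then
        echo version-rejected
    else
        echo unknown
    fi
}

# Probe one version: $1 = host, $2 = port, $3 = flag such as -tls1_2.
# Prints "<flag> <class> <protocol>".
probe_one() {
    out=$(openssl s_client -connect "$1:$2" -starttls mysql "$3" </dev/null 2>&1 || true)
    printf '%s %s %s\n' "$3" \
        "$(printf '%s\n' "$out" | classify)" \
        "$(printf '%s\n' "$out" | negotiated_protocol)"
}

# Probe each version the server claims to offer; compare with tls_version.
probe_all() {
    for flag in -tls1_1 -tls1_2 -tls1_3; do
        probe_one "$1" "$2" "$flag"
    done
}

# Usage: probe_all db.example.com 3306
```

If every flag comes back `plaintext`, TLS is not being offered on that port at all; if only some are `version-rejected`, the server's tls_version list and the client's minimum version do not overlap.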



Re: How to generate a certificate for an HP printer?

2024-09-22 Thread Jeffrey Walton
On Sun, Sep 22, 2024 at 10:03 PM Charles Curley
 wrote:
>
> On Sun, 22 Sep 2024 13:02:26 -0600
> Charles Curley  wrote:
>
> > If I print over the USB
> > interface, I hear it spin its wheels, but nothing is printed. I tried
> > deleting and re-installing it. No go.
>
> I finally solved that one. I changed the driver for the printer. It
> used to work correctly.
>
> In other news, I finally got printing from another machine running.
> I use IPP to the desktop (which has the printer on a USB cable). This
> involved opening both IPP and IPP-client in the firewalls of both the
> server and the client. The two printers that magically appear thanks to
> Avahi/Bonjour are still useless.

I disable most print services, like Bonjour and 9100 printing. I run
my own DNS locally, and it is the source of truth for my network. In
fact, I remove the packages that provide services like Bonjour and
mDNS (when I can). Here's what my Network Config page looks like:
.

> None of these solutions involve using the cert. That does affect the
> embedded web server. Since it is self-signed, I still have to jump
> through a hoop to get to it. Sigh.

You can install a self-signed certificate in your browser's
certificate store, and you will not have to deal with the prompts.

Jeff



Re: How to generate a certificate for an HP printer?

2024-09-22 Thread Jeffrey Walton
On Sun, Sep 22, 2024 at 3:02 PM Charles Curley
 wrote:
>
> On Sun, 22 Sep 2024 18:02:30 +0200
> john doe  wrote:
>
> > >> Even if you upgrade the FW?
> > >
> > > I tried upgrading the firmware. I have the latest available,
> > > 20201215.
> >
> > I also have a HP.
> > After entering credentials it allows me to access the advance
> > capabilities of my printer.
> > It allows me among other things to renew the selfsigned cert!
> >
> > To me, this is build-in! ;^)
>
> I did finally find it.
>
> Networking -> Certificates -> Configure

Interesting. Previously you said, "Nope. There is no certificate
generator on the printer [web admin page],.."

> That gives me several options. I then selected "Create a New
> Self-Signed Certificate". That updated the certificate. I now cannot
> print on that printer, even after cycling power. If I print over the USB
> interface, I hear it spin its wheels, but nothing is printed. I tried
> deleting and re-installing it. No go.

Use IPP printing. The connection on your workstation will be something
like .

> Or I could select "Create a Certificate Request" and hit Next. I filled
> in the details, hit Next. No complaints from the printer. I then used
> copy and paste to save off the cert request. This is a good thing,
> because when I hit "Save" I got several requests for Username and
> Password in a row. I gave up after the 5th such request.

Jeff



Re: How to generate a certificate for an HP printer?

2024-09-21 Thread Jeffrey Walton
On Sat, Sep 21, 2024 at 5:26 PM Charles Curley
 wrote:
>
> I have an HP LaserJet MFP M234sdw printer. I am getting error messages
> from CUPS that say something like "cups-pki expired". The certificate
> on the printer expired recently.
>
> How do I generate a signed certificate to use in the printer?
>
> There is no mechanism to do so in the printer's firmware.

You install certificates from the printer's web administration page.
.

If you want to run your own PKI, then checkout Dogtag,
.

Jeff
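The thread's original question was how to produce a signed certificate for the printer, and a later message shows the printer's web page can emit a certificate request. The following is an added example, not anything from the thread or HP: a throwaway private CA that signs such a CSR, forcing a subjectAltName (browsers ignore the CN), then checks the result. Paths, the hostname `printer.home.arpa`, the address `192.0.2.10` and the 825-day lifetime are assumptions; OpenSSL 1.1.1 or later is required for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ on PATH and a
# PEM-encoded CSR saved from the device's web page. Hostname, IP and the
# certificate lifetime are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key and a self-signed CA certificate (10 years). "req -x509"
# marks it CA:TRUE by default. Import ca.crt into the browser's trust store
# once, instead of clicking through a prompt for every device.
make_ca() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$CA_DIR/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$CA_DIR/ca.key" -sha256 -days 3650 \
        -subj "/CN=Home Printer CA" -out "$CA_DIR/ca.crt"
}

# Sign a device CSR: $1 = CSR path, $2 = DNS name, $3 = IP. Certificate on
# stdout. The SAN is set by the CA regardless of what the device asked for,
# which is also why a CSR from an untrusted device is safe to sign this way.
sign_csr() {
    csr=$1; host=$2; ip=$3
    ext=$(mktemp)
    cat > "$ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
    openssl x509 -req -in "$csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$ext" 2>/dev/null
    rm -f "$ext"
}

# Check a certificate ($1) chains to our CA and carries the DNS name ($2).
verify_cert() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# Usage:
#   make_ca
#   sign_csr printer.csr printer.home.arpa 192.0.2.10 > printer.crt
#   verify_cert printer.crt printer.home.arpa && echo ok
```

Upload printer.crt (and, if the device asks for it, ca.crt) through the same Networking -> Certificates page; CUPS on the clients then needs ca.crt in its trust store as well.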



Re: old kernel appears more stable than latest

2024-09-21 Thread Jeffrey Walton
On Fri, Sep 13, 2024 at 11:33 PM hlyg  wrote:
>
> i have installed latest 12.7, after running about 10 hours, it doesn't
> respond to my keyboard pressing, power LED on front panel of pc case
> become red, i have to reboot
>
> i run journalctl, i am not sure if msg below are related to my problem
>
> Sep 13 18:06:54 debian kernel: INFO: task RTW_CMD_THREAD:561 blocked for
> more than 604 seconds.
> Sep 13 18:06:54 debian kernel:   Tainted: G C 6.1.0-25-amd64
> #1 Debian 6.1.106-3
> Sep 13 18:06:54 debian kernel: "echo 0 >
> /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Sep 13 18:06:54 debian kernel: task:RTW_CMD_THREAD  state:D stack:0
> pid:561   ppid:2  flags:0x4000
> Sep 13 18:06:54 debian kernel: Call Trace:
> Sep 13 18:06:54 debian kernel:  
> Sep 13 18:06:54 debian kernel:  __schedule+0x34d/0x9e0
> Sep 13 18:06:54 debian kernel:  schedule+0x5a/0xd0
> Sep 13 18:06:54 debian kernel:  schedule_timeout+0x118/0x150
> Sep 13 18:06:54 debian kernel:  wait_for_completion+0x86/0x160
> Sep 13 18:06:54 debian kernel:  ?
> rtw_setassocsta_cmdrsp_callback+0x80/0x80 [r8188eu]
> Sep 13 18:06:54 debian kernel:  rtw_cmd_thread+0x3f/0x180 [r8188eu]
> Sep 13 18:06:54 debian kernel:  kthread+0xda/0x100
> Sep 13 18:06:54 debian kernel:  ? kthread_complete_and_exit+0x20/0x20
> Sep 13 18:06:54 debian kernel:  ret_from_fork+0x22/0x30
> Sep 13 18:06:54 debian kernel:  
>
> 12.5 which use vmlinuz-6.1.0-18-amd64 appears more stable
> 12.7 use vmlinuz-6.1.0-25-amd64

When I experience weird power related problems (and problems with
reboot), I go right to the BIOS or UEFI and ensure the firmware is the
latest. UEFI is where the ACPI tables are located, and that affects
all power behavior. So I think your first step is to ensure the
firmware is up to date.

I also disable S3 and S4 sleep states in the firmware. In this case, I
don't want both the firmware and OS to try to control power states.

Jeff



Re: Disk drive zero-fill benchmarks for various synchronization methods and block sizes

2024-09-13 Thread Jeffrey Walton
On Fri, Sep 13, 2024 at 8:00 AM Anssi Saari
 wrote:
>
> David Wright  writes:
>
> > On Tue 10 Sep 2024 at 11:56:25 (+0300), Anssi Saari wrote:
>
> >> Why do you think that? Which part of the fsync manpage explicitly covers
> >> fsync's effect on device files? Share share, it's fair.
>
> >  “fsync() transfers ("flushes") all modified in-core data of (i.e.,
> >   modified buffer cache pages for) the file referred to by the file
> >   descriptor fd to the disk device (or other permanent storage device)
> >   so that all changed information can be retrieved even after the
> >   system crashed or was rebooted. This includes writing through or
> >   flushing a disk cache if present. The call blocks until the device
> >   reports that the transfer has completed. It also flushes metadata
> >   information associated with the file (see stat(2)).”

> You just parroted a man page I had already read. Why did you think
> that'd be helpful? I asked the questions because the man page didn't
> answer my questions. As you are apparently unable, I found for example
> https://unix.stackexchange.com/questions/473854/block-device-cache-v-s-a-filesystem
> and so arrived at the conclusion that the final close(2) call on a block
> device already flushes all buffers before returning. So the answer to
> the question "is running sync needed after dd to block device" is
> no. Someone else posted that too on this list recently, in another
> thread.

To add a datapoint...

My daily driver workstation is really fast with lots of RAM. It has
3.4 GHz cpu and 64 GB of RAM. I also set swappiness to a low value to
avoid spilling out of RAM.

I use a lot of SBC's/dev boards for testing. They usually use a
SDcard. The SDcard is really slow. The card can only provide 10 MB/s
or 30 MB/s write speeds. Some cards I use are so cheap they are even
slower.

If I dd an image from the workstation to the SDcard, it happens in
under a second. dd exits, and closes its file descriptors. Something
is obviously wrong since the image is 1 or 2 GB, and the SDcard write
speed is 10 MB/s or 30 MB/s.

The file system cache is still holding the writes. If I remove the
SDcard and try to use it, the image is corrupt. When I say "remove", I
mean pop the card out of the card reader since the write has
supposedly finished.

What I found is, I have to manually call sync to ensure the image is
written from cache to the SDcard. When I call `dd if=... of=/dev/sdd
&& sync`, the command takes 30 seconds or so to complete. The time is
spent in sync, not dd.

Based on my experience with lots of RAM and slow media, you have to
call sync to get the cache manager to write back to the disk.

Jeff



Re: Problems with Chrome

2024-09-06 Thread Jeffrey Walton
On Fri, Sep 6, 2024 at 8:22 AM Mick Ab  wrote:
>
> I am trying to use Chrome on a bullseye desktop.
>
> Chrome   version 127.0.6533.88 (Official Build) (64-bit)
>
> The three dots at the top right for the menu have never worked when clicked
> on - there would just be a flash and nothing would come up, so the menu isn't
> usable.
>
> Also Chrome keeps seizing up and not responding.
>
> Can anyone help, please ?

Fix Chrome if it crashes or won't open,
.



Re: Usage: "debian ... amd64-netinst.iso"

2024-09-05 Thread Jeffrey Walton
On Thu, Sep 5, 2024 at 10:51 PM Max Nikulin  wrote:
>
> On 05/09/2024 16:25, Thomas Schmitt wrote:
> > I let xorriso-dd-target use
> >bs=1M oflag=dsync
>
> Can a too-small bs value cause write multiplication if the internal flash
> erasure block size is much larger? I have seen claims that it can be
> e.g. 12M
> 
> I have an impression that actual value is not exposed, so it is unknown
> to kernel. My concern is wearing, I have no idea if firmware may perform
> partial overwrites without apparent impact on speed.

I've run into this situation (more than once)... `dd` fails to write a
bootable image with a block size of 1M. But using a block size of 512
results in a bootable image. It used to happen regularly on arm dev
boards, like BeagleBoards and CubieTrucks and Wandboards. I don't
recall it happening lately.

I prefer the larger block size because the image writes faster. But if
the board fails to boot, I drop back to 512 to (re)write the image.

And I always finish the `dd` command with a `&& sync`.

> Are you against "sync" command because it syncs all drives, not the
> specific one (besides smooth progress report)? If USB mass storage
> driver does not allow to turn port power off before write completion
> then it might be a workaround. From my point of view, simple cp
> suggested by the install guide is quite reasonable in comparison to dd.
>
> Another my question is concerning reading of media and -x argument of
> isosize. Is it really necessary? I can not figure out what corner cases
> are not covered by "head -c BYTES /dev/sdc".

Jeff
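Two threads above (the zero-fill benchmark one and this netinst one) turn on the same question: whether `dd` returning means the data is on the card, and whether a trailing `sync` is the right fix. The following is an added example, not code from either thread. It makes `dd` itself wait with `conv=fsync`, so the writeback time is charged to `dd` rather than to a separate `sync` that flushes every mounted filesystem, uses `sync DEVICE` (coreutils 8.24 and later) to flush just that target, and reads the image back for comparison. The block size is a parameter so the 512-versus-1M question can be tested without editing the command; the test writes to a regular file, so it exercises the logic rather than real removable media.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (dd conv=fsync,
# status=none, sync FILE, cmp -n). $2 may be a block device or a file.
set -eu

# Write image $1 to target $2 with block size $3 (default 4M, an assumption).
# conv=fsync makes dd call fsync(2) on the output before exiting, so the
# "dd finished in under a second" illusion described above cannot happen:
# dd returns only when the device has acknowledged the data.
write_image() {
    img=$1; dev=$2; bs=${3:-4M}
    dd if="$img" of="$dev" bs="$bs" conv=fsync status=none
    # Flush this target only, instead of a global sync of every filesystem.
    sync "$dev"
}

# Read back exactly the image's size from the target and compare. Returns 0
# when identical, 1 on a mismatch or short target. On real media, drop the
# page cache first (or re-insert the card) so the read comes from the device.
verify_image() {
    img=$1; dev=$2
    size=$(wc -c < "$img" | tr -d ' ')
    cmp -n "$size" "$img" "$dev"
}

# Usage:
#   write_image debian-netinst.iso /dev/sdX 1M && verify_image debian-netinst.iso /dev/sdX
```

If a board only boots from an image written with bs=512, run `verify_image` on both attempts first: a byte-identical card that still fails to boot points at the board's boot ROM rather than at the write.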



Re: MAC filter

2024-09-02 Thread Jeffrey Walton
On Mon, Sep 2, 2024 at 3:45 AM John Conover  wrote:
>
>
> The MAC filter needs a local filter for the two 16 X dual hex, (23
> total,) digits.
>
> The MAC is router usually aligned internally by the router, and
> contains unique hex digits.
>
> Does any anyone recall how to query the digits to the display?

Nowadays I think you [can] use the `ip` command to determine the MAC
or link address of an interface:

$ ip link
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s20f0u3c2:  mtu 1500 qdisc fq_codel master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
3: wlo1:  mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
    link/ether 76:2f:01:0c:b6:98 brd ff:ff:ff:ff:ff:ff permaddr 00:41:0e:67:0e:7b
    altname wlp87s0
4: virbr0:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff

Jeff



Re: Cross-platform contacts program/app recommendations?

2024-08-31 Thread Jeffrey Walton
On Sat, Aug 31, 2024 at 9:06 AM Tom Browder  wrote:
> [...]
>
> I’m too lazy at the moment to self-host. Anyone suggest a provider that is in 
> the US?

Ionos is reasonable. A machine with 2 cpu cores and 4 GB RAM costs
about % US. But you have to pay monthly, which means they keep your
credit card and ccv on file.

I recently switched to Hostinger. They are also reasonable, and allow
me to pay three years at a time. They are European, but they have US
data centers. And they have the best selection of VPSes I have seen.
VPS images include Debian and Fedora.

Jeff



Re: printer replacement

2024-08-30 Thread Jeffrey Walton
On Thu, Aug 29, 2024 at 6:28 PM Gerard ROBIN  wrote:
>
> my old hp Photosmart printer died. It worked fine with HPLIP. Now I have to
> buy a new one but they all use "HP Smart" for Windows exclusively. I would
> like to know if these printers are still compatible with HPLIP. The printer
> I want to buy is the "HP OfficeJet Pro 8134e All-in-One" which is linux
> compatible according to the specifications but which is configurable with
> "HP Smart" under Windows. Will HPLIP be valid for this printer also under
> linux ? Otherwise how can it be configured ?

Somewhat related, avoid the all-in-ones. If you want a printer, then
buy a printer. If you want a scanner, then buy a scanner.

My current setup is a HP Color LaserJet Pro M252dw printer with a HP
ScanJet Pro 4500 scanner. Both are business-class devices, and both
hang off my home network via built-in ethernet. I bought the setup
after Epson stopped me from using an all-in-one scanner because of
third party ink. (I still don't know what ink has to do with
scanning).

At the moment, HP does not forbid you from using non-HP toner in its
business-class printers. I understand that may not be the case for the
consumer-line printers, like the DeskJets. HP does provide a warning
in the printer's local webpage:

A non-HP supply has been installed. If you believe you purchased a
genuine HP supply, visit us at www.hp.com/go/anticounterfeit. Any
printer repair required as a result of using non-HP cartridges is not
covered under warranty.

And for the Color LaserJet, I installed the HPLIP package and use PCL
5 and 6 drivers, and the IPP printing protocol.

Jeff



Re: Bridging Network Connections with libvirt are unreliable

2024-08-29 Thread Jeffrey Walton
On Wed, Aug 28, 2024 at 4:06 AM Rainer Dorsch  wrote:
>
> Hello,
>
> I have a (for me) weird problem on a bookworm system
>
> rd@h370:~$ inxi -S
> System:
>   Host: h370 Kernel: 6.1.0-23-amd64 arch: x86_64 bits: 64 Desktop: KDE Plasma
> v: 5.27.5 Distro: Debian GNU/Linux 12 (bookworm)
> rd@h370:~$
>
> Bridged network connections with libvirt work unreliably.
>
> I have in /etc/network/interface bridging networks e.g.
>
> iface eno1.2 inet manual
>
> # libvirt VM
> auto br2
> iface br2 inet dhcp
> # Use the MAC address identified above.
> hwaddress ether 18:31:bf:52:1b:1c
> bridge_ports eno1.2
> # If you want to turn on Spanning Tree Protocol, ask your hosting
> # provider first as it may conflict with their network.
> bridge_stp off
> # If STP is off, set to 0. If STP is on, set to 2 (or greater).
> bridge_fd 0
>
> to make the interface available for libvirt.
>
> In addition there are non-bridging networks, e.g.
>
> allow-hotplug eno1.4
> iface eno1.4 inet dhcp
>
> All of them share the same physical network but defined separate VLANs.
>
> The full /etc/network/interface file of the machine is here
> https://bokomoko.de/~rd/Debian/interfaces
>
> That works well for many hours or even days, but at some point in time the
> network is suddenly gone, and all network services die.
>
> root@h370:~# ifdown br2
>
> and
>
> root@h370:~# ifup br2
>
> heals the issue immediately. The non-bridging networks don't see the problem.
> The problem occurs independently of libvirt running or not.
>
> In the systemd log, the first entry indicating network problems is that the 
> DNS
> server switches to another interface. But it could easily be a consequence and
> not the cause of the issue:
>
> Aug 28 06:57:54 h370 dhclient[1195]: DHCPREQUEST for 192.168.4.203 on eno1.4
> to 192.168.4.1 port 67
> Aug 28 06:57:54 h370 dhclient[1195]: DHCPACK of 192.168.4.203 from 192.168.4.1
> Aug 28 06:57:54 h370 dnsmasq[2386]: reading /etc/resolv.conf
> Aug 28 06:57:54 h370 dnsmasq[2386]: using nameserver 192.168.4.1#53
> Aug 28 06:57:54 h370 dhclient[1195]: bound to 192.168.4.203 -- renewal in
> 18265 seconds.
>
> As a workaround I could probably write a small script, which pings another
> network host and restarts the br interfaces, but I would prefer to understand
> why the problem occurs at the first place.
>
> Any idea or hint is welcome.

Do you know if MAC Address Randomization is happening on your interfaces?

Jeff
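An added example that serves both the MAC-filter thread above (the `ip link` listing) and the question just asked about MAC address randomization; it is not code from either thread. `ip link` already shows the answer when the kernel has one: an interface running with a randomized address reports its burned-in address as `permaddr`, and a randomized or otherwise software-assigned address has the locally-administered bit set in its first octet (second hex digit 2, 3, 6, 7, a, b, e or f). The wlo1 line in the earlier listing is exactly that case. The flag strings in the sample are constructed, since the page lost them; the addresses are the ones printed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iproute2's "ip link" output
# format. sample_ip_link() is constructed from the addresses in the thread;
# the <...> flag fields are guesses.
set -eu

# Read "ip link" output on stdin and print, per Ethernet interface:
#   name current_mac permaddr status
# status is "randomized" when a permaddr is present and differs from the
# current address, "locally-administered" when the address merely has the
# LAA bit set (bridge, VM, or a randomized NIC without permaddr support),
# and "-" otherwise.
mac_report() {
    awk '
        /^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        /link\/ether/ {
            mac = $2; perm = "-"; status = "-"
            for (i = 1; i <= NF; i++) if ($i == "permaddr") perm = $(i + 1)
            if (perm != "-" && perm != mac) status = "randomized"
            else if (substr(mac, 2, 1) ~ /[2367abefABEF]/) status = "locally-administered"
            print name, mac, perm, status
        }'
}

# Report for one interface on the live system, e.g. iface_mac br2.
iface_mac() {
    ip link show dev "$1" | mac_report
}

# Constructed sample (addresses from the thread, flags assumed).
sample_ip_link() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s20f0u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UP mode DEFAULT group default qlen 1000
    link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
3: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
    link/ether 76:2f:01:0c:b6:98 brd ff:ff:ff:ff:ff:ff permaddr 00:41:0e:67:0e:7b
    altname wlp87s0
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
EOF
}
```

For the bridge problem, run `iface_mac br2` and `iface_mac eno1.2` while the network is healthy and again after it drops: a bridge whose address no longer matches the `hwaddress` line in /etc/network/interfaces, or a member port whose address changed underneath it, is worth knowing before chasing DHCP or dnsmasq.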



Re: Which tool for upgrade in commandline?

2024-08-27 Thread Jeffrey Walton
On Tue, Aug 27, 2024 at 5:36 PM Hans  wrote:
>
> Dear list,
>
> over the many years we got different tools for upgrading debian in the
> commandline. These tools behave differently and also we get different results
> when executing.
>
> First, we have the oldest, which is apt-get.
> apt-get update, apt-get upgrade or apt-get full-upgrade does a good job.
>
> However, we also have aptitude, but
> aptitude update, aptitude upgrade and aptitude full-upgrade are also doing a
> good job, but not the same as apt-get does. Also it looks like aptitude update
> loads its own list and is not using the list from apt-get (otherwise it could
> not explain why aptitude and apt-get reload the new list every time, when
> one or the other was executed before). Also the dependencies in both tools are
> handled differently.
>
> And at last, we have apt, which (as far as I know) sometimes is calling apt-
> get, and sometimes is calling aptitude.
>
> This is somehow rather irritating!
>
> So, my question is: Which one is recommended, when updating and upgrading is
> used in a script, so that it causes as little as possible pain?
>
> It means: When the script is not executed daily, but let us say, every two
> weeks, and we have lots of packages.
>
> At the moment I am using aptitude, this works great in short periods, but
> after a longer time, it crashes, because some dependencies could not resolve.
>
> Independent of my personal use: Which one is recommended?

.

Jeff



Re: DEBIAN documentation: which 64 bit processors run current release?

2024-08-27 Thread Jeffrey Walton
On Tue, Aug 27, 2024 at 11:16 AM Richard Owlett  wrote:
>
> I'm looking for for where *Debian* documents which processors support
> current Debian release.



> I have three machines whose processors are 64 bit capable.
> Processors identified by running lscpu:
>
> Machine 1:
> Architecture:   i686
> Model name: Intel(R) Core(TM) i5 CPU   M 540  @ 2.53GHz
>
> Machine 2:
> Architecture:   x86_64
> Model name: Intel(R) Core(TM)2 Duo CPU T7300  @ 2.00GHz
>
> Machine 3:
> Architecture:   i686
> Model name: Pentium(R) Dual-Core  CPU  E5300  @ 2.60GHz
>
> Will the OS linked to by https://www.debian.org/ run on all three?
> [For historical reasons I currently run 32 bit on all.]

Jeff



Re: internal keyboard does not work

2024-08-23 Thread Jeffrey Walton
On Fri, Aug 23, 2024 at 1:35 PM Nilesh Patra  wrote:
>
> Quoting Nicolas George:
> > lina (12024-08-22):
> > > however, the internal keyboard does not work
> > Sorry to hear it. Did it been laid off? Is it eligible for unemployment
> > benefits?
> >
> > More seriously, start by explaining your problem with more accuracy than
> > “does not work”.
>
> What drives such a hostile and uncalled-for reply?

It was a fair statement by Nicolas.

I did not feel it was "hostile." If asking for a good problem
statement is considered hostile, then there's no way most people can
be helped without offending them.

> Please do note that you're required to behave properly on Debian Mailing 
> lists.
>
> https://www.debian.org/code_of_conduct

Whatever... If you want folks to take it seriously, you should at
least cite a particular violation and defend your claim.

Jeff



Re: do we have KDE expertise among us?

2024-08-23 Thread Jeffrey Walton
On Thu, Aug 22, 2024 at 4:26 PM DdB
 wrote:
>
> Beloved debian users,
>
>  After years of using GNOME (even back in my Ubuntu-days), i got fed up
> with the ever changing behavior, which came on top of "development
> politics". And since i was/am still on buster, i decided to move forward
> to bookworm-KDE. But i am old and slow. It really took me a month to get
> a sort of minimal version up and running. I call this step:
> proof-of-concept. Now comes the harder part: to really take control of
> this desktop, not like a developer, but as a user. (I am currently
> evaluating to make use of ansible and redo the whole setup, but in a
> reproducible way.)
>
>  Several issues are bugging me:
> 1. I can't get Window rules to work, neither for wayland nor for x11, i
> seem to be doing those wrong.
> 2. I would really like to have a clickable menu only with my own
> commands/scripts in it, preferably in one single file, not spread out
> over many. Is such a thing available?
> 3. Some applications are not listed by wmctrl -l as if they were not
> managed by the window manager, therefore i cannot move them around in my
> scripts (and windows rules ... i told ya)
> 4. True story: after just one day of living in the new environment, it
> crashed hard, all the open applications were gone. Could be a strange
> are incident, in buster, i had such a thing happen to me only about 4
> times per year!
>
> Apart from the huge UI change, i also changed the root filesystem (it is
> zfs now, i used to have my data in it before, but this time, it is
> more). To achieve this, i went with zbm (zfsbootmanager) instead of
> grub. tbh: currently, i still use both, switching at least twice per day.
>
> And i got my VPN client working in KDE, only the iptable rules to
> protect me from acidental leaks (kill switch) need to be reinstalled
> after every boot. How to make them permanent the right way?
>
> That's it for today, any comment/hint/suggestion warmly welcome, DdB

Answering your titular question. There are debian-kde and
debian-qt-kde mailing lists. See
.

Jeff



Re: What tool(s) reports OS buss width, which processor present?

2024-08-21 Thread Jeffrey Walton
On Wed, Aug 21, 2024 at 10:41 AM Richard Owlett  wrote:
>
> I know I've asked this before, but couldn't thread.
> /etc/debian_version reports release active, but I need to know 32 or 64 bit.

Which bus width do you want to know? Address, data, pci, agp, something else?

Jeff



Re: UEFI multiboot (was: Re: Default partition mounts [ "Installation Guide" lacks index ])

2024-08-20 Thread Jeffrey Walton
On Tue, Aug 20, 2024 at 11:51 AM Nicolas George  wrote:
>
> [...]
> > EFI files are signed
> > for Secure Boot, so vendor paths can not be easily adjusted.
>
> Secure boot is a joke when it comes to security, its only “merit” is to
> prevent lusers from installing software with disabled DRM.

Speaking of Secure Boot, this just made my radar:
.

Jeff



Re: upgrade to bookworm causes breakage

2024-08-19 Thread Jeffrey Walton
On Mon, Aug 19, 2024 at 9:56 PM Bob Mroczka  wrote:
>
> Hello,
>
> I attempted to upgrade my system from debian 11 to 12 following the 
> instructions provided at 
> https://www.cyberciti.biz/faq/update-upgrade-debian-11-to-debian-12-bookworm.

In the future, you should probably follow a Debian guide, like
.

> I got to the point of executing the command at step 6 to do sudo apt 
> full-upgrade.  At this point my system is in a state where I'm having 
> difficulty recovering from.  Dpkg is unable to install any packages and 
> terminates with the following error on any package and then segfaults.  The 
> system has network access and apt is able to pull packages.  I just need to 
> get dpkg working again.
>
> dpkg -i gzip_1.12-1_amd64.deb
> tar: This does not look like a tar archive
> tar: Exiting with failure status due to previous errors
> dpkg-deb: error: tar subprocess returned error exit status 2
> dpkg: error processing archive gzip_1.12-1_amd64.deb (--install):
>  dpkg-deb --control subprocess returned error exit status 2
> Segmentation fault
>
> I attempted to run reportbug from the system but it segfaults after showing 
> the list of related bugs.
>
> I am unable to get a backtrace from gdb since gdb segfaults.
>
> I am able to get a strace off of the command but nothing stands out in the 
> output.
>
> I then attempted to use dpkg -D7 -i gzip_1.12-1_amd64.deb but it doesn't 
> show much more than the above:
>
> /var/cache/apt/archives# dpkg -D7 -i gzip_1.12-1_amd64.deb
> D01: root= admindir=/var/lib/dpkg
> D01: ensure_diversions: new, (re)loading
> D01: ensure_statoverrides: new, (re)loading
> D10: path_remove_tree '/var/lib/dpkg/tmp.ci'
> tar: This does not look like a tar archive
> tar: Exiting with failure status due to previous errors
> dpkg-deb: error: tar subprocess returned error exit status 2
> dpkg: error processing archive gzip_1.12-1_amd64.deb (--install):
>  dpkg-deb --control subprocess returned error exit status 2
> D10: path_remove_tree '/var/lib/dpkg/tmp.ci'
> D10: path_remove_tree '/var/lib/dpkg/reassemble.deb'
> D01: trigproc_run_deferred
> Segmentation fault
>
> Do you have any suggestions for further identifying the cause of this and/or 
> resolving this without recovering from back up?  Thanks.

Restore from backup, and then try again. This time, follow a Debian guide.

Jeff



Re: Issue with Fan Control on Gigabyte G5 MF Laptops

2024-08-19 Thread Jeffrey Walton
On Mon, Aug 19, 2024 at 7:09 AM hamomo hamomo
 wrote:
>
> Dear Debian Community Team,
>
> I hope this message finds you well.
>
> I am writing to seek further assistance regarding an issue we are 
> experiencing with several laptops in our company, specifically the Gigabyte 
> G5 MF model (E2DE333SD). The primary concern is the inability to control the 
> laptop fans, which is leading to significant overheating.
>
> ### Issue Description:
> - **Fan Control:** The fans on these devices are operating at a very low 
> speed by default, and there is no option to control or adjust their speed 
> through the BIOS.
> - **Overheating:** As a result, the CPU temperature frequently rises above 
> 90°C, even during moderate tasks, forcing us to halt operations to prevent 
> potential damage to the hardware.
> - **Business Impact:** We have had to suspend work on these devices for some 
> time, resulting in financial losses for the company.
> - **Software Solutions Attempted:** We have attempted to use several software 
> solutions, including **lm-sensors**, to monitor and control fan speeds. 
> However, **lm-sensors** does not detect the fans, and none of the other 
> programs we tried have been successful in resolving the issue.
>
> Given that this issue affects multiple devices, we are concerned about the 
> long-term impact on the hardware and the viability of continued use under 
> these conditions.
>
> ### Request:
> Could you please provide any additional steps or solutions we should 
> consider? We are looking for a prompt resolution to this issue to prevent 
> further disruption to our operations. If there are any logs or configurations 
> you need for a deeper analysis, I would be happy to provide them.
>
> Thank you for your attention to this matter. We look forward to your guidance.

Ensure the latest firmware is installed. Fan control happens through
the ACPI tables, and that is part of the UEFI.

It looks like the latest is FB10 from February 2024. You can check
your version of firmware using dmidecode. Below is from my Dell XPS
8930 (which I am typing on):

   $ sudo dmidecode
   ...
   BIOS Information
        Vendor: Dell Inc.
        Version: 1.1.31
        Release Date: 11/21/2023

Once the firmware is up-to-date, you can move on to [remaining]
problems in the OS and desktop manager.

Jeff



Re: Why is Firefox crashing so much lately?

2024-08-17 Thread Jeffrey Walton
On Sat, Aug 17, 2024 at 9:07 PM Gary Dale  wrote:
> [...]
> Out of frustration with this and another problem, I did a complete fresh
> install yesterday - first to Bookworm then a full-upgrade to Trixie. I
> started with a new profile for Firefox then synced it to restore my
> passwords and bookmarks.
>
> Firefox ESR is still crashing intermittently. Again, I can trigger it
> fairly consistently just by visiting some pages (usually ones that try
> to generate a PDF, for example). At other times it just crashes for no
> apparent reason.

This thread is kind of long, and I did not read through all the responses.

Did you disable hardware acceleration and observe the crashes? See
.

Jeff



Re: Kali w4sp wireshark

2024-08-10 Thread Jeffrey Walton
On Sat, Aug 10, 2024 at 7:25 AM alejo  wrote:
>
> I can't install w4sp-lab on Kali because when I type python w4sp_webapp.py it 
> gives an error and when I fix it and type python w4sp_webapp.py again I get 
> more errors. Can someone help me please?





Re: Authenticator apps

2024-08-07 Thread Jeffrey Walton
On Wed, Aug 7, 2024 at 10:22 PM Max Nikulin  wrote:
>
> On 07/08/2024 11:40, to...@tuxteam.de wrote:
> > In my threat model, if I already have an application running under
> > my own user ID, I call XKCD 1200 [1] on it.
>
> Browser JavaScript API allows to read and write clipboard. It is
> protected to some extent by user prompts. On the other hand in ChromeOS
> most of applications are running in browser, so I will not be surprised
> if policy becomes more permissive some day despite developers are aware
> of related security issues.

++. I find the W3C's clipboard API and event API very dangerous.

The event api is the one that responds to keypresses. Webapps use it
to egress all sorts of information. I had a large hotel chain egress
my email address on a form I did _not_ submit. Then the spam began.

One of the takeaways is, we need a "one shot copy/paste" that stops
sniffing and clears the clipboard after the user pastes the data so
that webapps that sniff the clipboard have no information to gather.
Another takeaway is, you should never allow JavaScript on login pages.

Jeff



Re: nouveau OK for GTX 970?

2024-08-06 Thread Jeffrey Walton
On Tue, Aug 6, 2024 at 9:05 PM  wrote:
>
> On 8/6/24 16:39, Felix Miata wrote:
> > e...@gmx.us composed on 2024-08-06 16:29 (UTC-0400):
> >
> >> Sven Joachim wrote:
> >
> >>> You could run "sudo dmesg| grep -E '(drm|nouveau)'" and show us the
> >>> results.
> >>
> >> [0.801515] ACPI: bus type drm_connector registered
> ...
>
> > He meant run the command with the GTX installed.
>
> Ah, my bad.  My tendency to be overly literal bites me in the butt again.
> That'll take some doing, as I don't have a non-X mail client.  Gimme a bit.
>
> > Which i5 do you have? Recent ones could be faster than a 10 year old
> > GTX.
>
> It's not recent.  "head /proc/cpuinfo" says

$ sudo lspci | grep -i vga
00:02.0 VGA compatible controller: Intel Corporation Raptor Lake-P [Iris Xe Graphics] (rev 04)

or

$ sudo lshw -C video
 *-display
  description: VGA compatible controller
  product: Raptor Lake-P [Iris Xe Graphics]
  vendor: Intel Corporation
  physical id: 2
  bus info: pci@:00:02.0
  version: 04
  width: 64 bits
  clock: 33MHz
  capabilities: pciexpress msi pm vga_controller bus_master cap_list rom
  configuration: driver=i915 latency=0
  resources: iomemory:600-5ff iomemory:400-3ff irq:155 memory:601c00-601cff memory:40-400fff ioport:4000(size=64) memory:c-d memory:401000-4016ff memory:402000-40

Jeff



Re: Authenticator apps

2024-08-06 Thread Jeffrey Walton
On Tue, Aug 6, 2024 at 4:25 AM Kevin Price  wrote:
>
> [...]
>
> 2FA is intended to raise the bar of stealing your login from just one
> leaked known secret (username/passphrase) to two _strictly_ separate
> bars. The latter must not be yet another secret, but might be physical
> custody of some given device. In that way, a merely leaked passphrase
> won't give immediate access to your login, neither would that device, if
> only that was stolen.

The three security properties of a second factor are:

   1. entropy
   2. replay resistance
   3. phishing resistance

Jeff



Re: Authenticator apps

2024-08-04 Thread Jeffrey Walton
On Sun, Aug 4, 2024 at 3:50 PM Mick Ab  wrote:
>
> I have a Debian Bullseye desktop PC.
>
> I am looking for a 2fa authenticator that works on my desktop, without using 
> a smartphone or tablet.
> [...]
> Can anyone help please ?

$ apt search totp
Sorting... Done
Full Text Search... Done
glewlwyd/stable 2.7.5-3+deb12u1 amd64
 Experimental Single-Sign-On server with multiple factor authentication

glewlwyd-common/stable 2.7.5-3+deb12u1 all
 Experimental Single-Sign-On server - common files

golang-github-pquerna-otp-dev/stable 1.3.0-1 all
 Google Authenticator compatible one time passwords for Go

golang-github-xlzd-gotp-dev/stable 0.0~git20181030.c8557ba-3 all
 Golang OTP (One-Time Password) Library

libauth-googleauth-perl/stable 1.03-1 all
 Google Authenticator TOTP Abstraction

libauthen-oath-perl/stable 2.0.1-2 all
 Perl module for OATH One Time Passwords

libcotp-dev/stable 1.2.8-1 amd64
 C library that generates TOTP and HOTP (development)

libcotp12/stable 1.2.8-1 amd64
 C library that generates TOTP and HOTP

liboath-dev/stable 2.6.7-3.1 amd64
 Development files for the OATH Toolkit Liboath library

liboath0/stable 2.6.7-3.1 amd64
 OATH Toolkit Liboath library

libpam-google-authenticator/stable 20191231-2 amd64
 Two-step verification

libpam-oath/stable 2.6.7-3.1 amd64
 OATH Toolkit libpam_oath PAM module

libpass-otp-perl/stable 1.5-2 all
 Perl implementation of HOTP / TOTP algorithms

libpskc-dev/stable 2.6.7-3.1 amd64
 Development files for the OATH Toolkit Libpskc library

libpskc0/stable,now 2.6.7-3.1 amd64 [installed,automatic]
 OATH Toolkit Libpskc library

librust-totp-rs-dev/stable 3.0.1-2 amd64
 RFC-compliant TOTP implementation with ease of use as a goal and additionnal QoL features - Rust source code

nitrokey-authenticator/stable 1.2.4-2 amd64
 TOTP authenticator app that's using Nitrokey Pro2 and/or LibremKey

numberstation/stable 1.3.0-1 all
 TOTP Authenticator application

oathtool/stable 2.6.7-3.1 amd64
 OATH Toolkit oathtool command line tool

otpclient/stable 3.1.4-1 amd64
 Simple GTK+ software to generate OTPs (TOTP and HOTP)

php-christianriesen-otp/stable 1.4.3-2 all
 PHP library to check HOTP and TOTP one time passwords

pskctool/stable 2.6.7-3.1 amd64
 OATH Toolkit pskctool command line tool

python-django-otp-doc/stable 1.1.3-1 all
 pluggable framework for two-factor authentication (Documentation)

python-yubico-tools/stable 1.3.3-0.3 all
 Tools for Yubico YubiKeys

python3-django-otp/stable 1.1.3-1 all
 pluggable framework for two-factor authentication (Python3 version)

python3-onetimepass/stable 1.0.1-2 all
 Module for generating and validating HOTP and TOTP tokens

ruby-devise-two-factor/stable 4.0.2-1 all
 Barebones two-factor authentication with Devise

ruby-rotp/stable 6.2.0-2 all
 Ruby library for generating and verifying one time passwords

texlive-latex-extra/stable 2022.20230122-4 all
 TeX Live: LaTeX additional packages

yubioath-desktop/stable 5.1.0-1 amd64
 Graphical interface for displaying OATH codes with a Yubikey

$ apt search hotp
Sorting... Done
Full Text Search... Done
atmel-firmware/now 1.3-7 all [installed,local]
 Firmware for Atmel at76c50x wireless networking chips.

biometric-auth/stable 0.9.71-1+b1 amd64
 Biometric Authentication Service

driverctl/stable 0.111-1 all
 Device driver control utility for Linux

fxload/stable 0.0.20081013-2 amd64
 Firmware download to EZ-USB devices

glewlwyd/stable 2.7.5-3+deb12u1 amd64
 Experimental Single-Sign-On server with multiple factor authentication

glewlwyd-common/stable 2.7.5-3+deb12u1 all
 Experimental Single-Sign-On server - common files

golang-github-pquerna-otp-dev/stable 1.3.0-1 all
 Google Authenticator compatible one time passwords for Go

golang-github-xlzd-gotp-dev/stable 0.0~git20181030.c8557ba-3 all
 Golang OTP (One-Time Password) Library

kanshi/stable 1.3.1-1 amd64
 Define output profiles that are automatically enabled and disabled on hotplug

kscreen/stable,now 4:5.27.5-2 amd64 [installed,automatic]
 KDE monitor hotplug and screen handling

libauth-googleauth-perl/stable 1.03-1 all
 Google Authenticator TOTP Abstraction

libauthen-oath-perl/stable 2.0.1-2 all
 Perl module for OATH One Time Passwords

libcotp-dev/stable 1.2.8-1 amd64
 C library that generates TOTP and HOTP (development)

libcotp12/stable 1.2.8-1 amd64
 C library that generates TOTP and HOTP

libnet-inet6glue-perl/stable 0.604-1 all
 glue module to make perl modules IPv6 ready

liboath-dev/stable 2.6.7-3.1 amd64
 Development files for the OATH Toolkit Liboath library

liboath0/stable 2.6.7-3.1 amd64
 OATH Toolkit Liboath library

libpam-barada/stable 0.5-3.2+b1 amd64
 PAM module to provide two-factor authentication based on HOTP

libpam-google-authenticator/stable 20191231-2 amd64
 Two-step verification

libpam-oath/stable 2.6.7-3.1 amd64
 OATH Toolkit libpam_oath PAM module

libpass-otp-perl/stable 1.5-2 all
 Perl implementation of HOTP / TOTP algorithms

libpskc-dev/stable 2.6.7-3.1 amd64
 Development files for the OATH 

Re: nsswitch what should come first

2024-08-02 Thread Jeffrey Walton
On Fri, Aug 2, 2024 at 10:35 PM Lee  wrote:
>
> On Fri, Aug 2, 2024 at 7:29 PM Dan Ritter wrote:
> >
> > Lee wrote:
> > > On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
> > > >
> > > > I personally remove mDNS and Bonjour from my machines. mDNS is not the
> > > > source of truth on my networks. Rather, DNS is the source of truth in
> > > > my networks ...
> > >
> > > Do you have any network printers?  That work without having mDNS enabled?
> >
> > I do. If you assign an IP and a DNS name to the IP, all the
> > network printers I am aware of will work just fine. (They don't
> > care about the DNS name, either, but it's more convenient if you
> > don't want to remember the IP.)
>
> Yep, a static IP address is assigned via DHCP and the name exists in
> DNS.  Now what?
>
> if it's not obvious, I know appx. zip about linux administration, so
> hints about what to do after assigning a name and address would be
> appreciated.

As far as DNS goes, the only hosts that require a static IP address
are your DNS servers. Just about everything else can get an address
from DHCP, including file servers, mail servers and print servers.

When I was an admin at the Social Security Administration, the SSA ran
in that configuration. SSA had about 120,000 hosts on the network at
the time, and the agency had no problems in the configuration. They
used a private Class A network with 10.*.*.* addresses. I think SSA
also used static IP addresses for gateways, but I can't recall for
certain. And gateways were always .1 or .2 by convention on the
network segment.

At the time, I _think_ SSA had the second-largest network in the world
- only IBM was larger. SSA also used a token ring network up until
about 2001 or 2002. The agency did not cutover to ethernet until about
2002 or 2003.

If you are interested in some good reading on Unix & Linux networking,
then pick up a copy of W. Richard Stevens' TCP/IP Illustrated, Volume
I: The Protocols (<https://www.amazon.com/dp/0201633469>). It is a
great book to learn from. Stevens gives you plenty of command line
examples to demonstrate concepts.

Jeff



Re: nsswitch what should come first

2024-08-02 Thread Jeffrey Walton
On Fri, Aug 2, 2024 at 5:13 PM Lee  wrote:
>
> On Thu, Aug 1, 2024 at 10:40 PM Jeffrey Walton wrote:
> >
> > I personally remove mDNS and Bonjour from my machines. mDNS is not the
> > source of truth on my networks. Rather, DNS is the source of truth in
> > my networks ...
>
> Do you have any network printers?  That work without having mDNS enabled?

Yes.

I enable SLP, LPD and IPP only. I use CUPS Postscript drivers. And I
believe I use PCL-5, and not PCL-6.

I disable AirPrint, Bonjour, WS-Discovery, WS-Print, Telnet printing,
TFTP printing and 9100-Printing.

> Originally I had an /etc/nsswitch.conf with a cut down hosts: line
>   hosts:  files dns
> and no matter what I did I could not print to the network-attached printer.
>  ... which, to be fair, could just be my ignorance wrt to printing.
> But switch back to an /etc/nsswitch.conf with
>   hosts:  files mdns4_minimal [NOTFOUND=return] dns
> and I could print.

Jeff



Re: Large Zone Transfers Failing in Latest Buster Update

2024-08-02 Thread Jeffrey Walton
On Fri, Aug 2, 2024 at 10:37 AM Roberto C. Sánchez  wrote:
>
> On Fri, Aug 02, 2024 at 10:16:51AM -0400, Jeffrey Walton wrote:
> > On Fri, Aug 2, 2024 at 9:13 AM Brian  wrote:
> > >
> > > We just ran the latest updates for Debian Buster on one of our DNS 
> > > servers running bind9 and one of the slave domains is failing with this 
> > > message:
> > >
> > > Aug  2 07:05:20  named[76759]: transfer of '/IN' 
> > > from #53: Transfer status: too many records
> > >
> > > There are about 1,400 records in that domain which has never posed a 
> > > problem in the past.
> > >
> > > We have tried force transfers, purging journal files and nothing seems to 
> > > work.
> > >
> > > We rolled back the update to one performed earlier in the month and now 
> > > everything is working.
> > >
> > > Anybody have any idea what is going on with this latest update?
> >
> > I think this might be "bind9 update 9.16.50 -- too many record" from
> > the debian-security mailing list at
> > <https://lists.debian.org/debian-security/2024/07/msg3.html>.
> >
> Which seems unlikely on a system running buster.

Maybe I am mis-parsing things, but the backporting to older Debian
versions is discussed, starting with the question, "Would you be
willing to backport the configuration of 9.20 so that companies using
larger record number per name can still use bind9 with security
update?" The first answer appears at
<https://lists.debian.org/debian-security/2024/07/msg4.html>.

My apologies if I am mis-parsing things.

Jeff



Re: Large Zone Transfers Failing in Latest Buster Update

2024-08-02 Thread Jeffrey Walton
On Fri, Aug 2, 2024 at 9:13 AM Brian  wrote:
>
> We just ran the latest updates for Debian Buster on one of our DNS servers 
> running bind9 and one of the slave domains is failing with this message:
>
> Aug  2 07:05:20  named[76759]: transfer of '/IN' from 
> #53: Transfer status: too many records
>
> There are about 1,400 records in that domain which has never posed a problem 
> in the past.
>
> We have tried force transfers, purging journal files and nothing seems to 
> work.
>
> We rolled back the update to one performed earlier in the month and now 
> everything is working.
>
> Anybody have any idea what is going on with this latest update?

I think this might be "bind9 update 9.16.50 -- too many record" from
the debian-security mailing list at
.

Jeff



Re: switch users and still use display

2024-08-02 Thread Jeffrey Walton
On Fri, Aug 2, 2024 at 7:21 AM Greg Wooledge  wrote:
>
> On Fri, Aug 02, 2024 at 11:35:58 +0200, Florent Rougon wrote:
> > Which I am inclined to believe, although I'm reluctant to try 'su -p'
> > for fear of creating a mess in my normal user setup:
> >
> >   ~ % su -p
> >   Password:
> >   zsh compinit: insecure directories and files, run compaudit for list.
> >   Ignore insecure directories and files and continue [y] or abort compinit 
> > [n]? ^C
>
> I don't use zsh, so I don't quite understand what "compinit" means.
> But, just looking at the su(1) man page:
>
>-m, -p, --preserve-environment
>Preserve the entire environment, i.e., do not set HOME, SHELL, USER
>or LOGNAME. This option is ignored if the option --login is
>specified.
>
> The main issue here is likely to be the HOME variable.  If you're running
> a shell as root, but with HOME=/home/florent or whatever, then some of
> the programs you start may create new dot files inside /home/florent/.
> These files will be owned by root (because the programs are running as
> root).  Then, at some point in the future, if you run those same programs
> as florent, you won't be able to change the contents of the dot files.
> (You would, however, be able to remove them.)
>
> That's not a security hole or anything like that, but it might cause some
> surprises.

emacs is notorious for that. In fact, if you install a new system, and
`sudo emacs `, then emacs will create its own config
directory (.emacs/) in your home directory owned by root. I quickly
learned to run emacs as myself before making adjustments to config
files on a fresh install.

> A secondary issue might be the mismatch between the effective UID (0)
> of the programs you run, and the LOGNAME/USER variables (florent).  Some
> programs may act upon one, and some may act upon the other.  Some may
> even create a strange mixture of both.  I don't have any specific examples
> of this.

See Chen, Wagner and Dean's Setuid Demystified,
.

> Realistically, what one *wants* from su is for it to override the HOME,
> PATH, USER and LOGNAME variables.  The version of su in Debian prior to
> buster used to do that, and everything was peachy.  The version of su in
> buster and beyond no longer sets PATH by default.  However, you can fix
> that!  All you have to do is create a one-line configuration file:
>
> hobbit:~$ cat /etc/default/su
> ALWAYS_SET_PATH yes
>
> Then the buster+ version of su will behave sensibly, changing the PATH
> variable to a standard one which includes /usr/sbin and so on when you
> become root.

Jeff
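
The check a practitioner wants after a `sudo emacs` or `su -p` session
is a list of everything under the home directory that is no longer owned
by the account. As an added example (not code from this thread), here is
a small scanner that does that; it uses `lstat` so a root-owned symlink is
reported on its own rather than on its target, and keeps the ownership
test separate from the directory walk so it can be exercised on
constructed (path, uid) pairs.

```python
"""List files under a home directory that are not owned by its owner,
the mess left behind by `sudo emacs` or `su -p`. Added example."""
import os
import sys
from typing import Callable, Iterable, Iterator, List, Tuple


def foreign_owned(entries: Iterable[Tuple[str, int]], owner_uid: int) -> List[str]:
    """Pure check: paths whose uid differs from owner_uid, in walk order."""
    return [path for path, uid in entries if uid != owner_uid]


def walk_uids(root: str, stat_fn: Callable = os.lstat) -> Iterator[Tuple[str, int]]:
    """Yield (path, uid) for every directory and file below root.
    stat_fn is injectable so the walk can be tested without chown."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, stat_fn(path).st_uid
            except OSError:
                continue  # unreadable or vanished entry; skip it


def scan_home(home: str = None) -> List[str]:
    """Owner is taken from the home directory itself, not from $USER,
    so the result is right even when run with a mismatched environment."""
    home = home or os.path.expanduser("~")
    owner_uid = os.stat(home).st_uid
    return foreign_owned(walk_uids(home), owner_uid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path in scan_home(target):
        print(path)
```

Run it as the normal user on the home directory in question; anything it
prints can then be fixed with `chown` by root.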



Re: systemd may silently break your system!

2024-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2024 at 12:57 PM Dan Ritter  wrote:
>
> Andy Smith wrote:
> > This whole thing just seems like the normal process of developing
> > and packaging a distribution. Poor interactions are found, reported,
> > hopefully will be fixed. But once again there's people trying to use
> > this as a daily driver and having weird expectations. And then some
> > sort of triggering around anything involving systemd.
> >
> > I feel like we see it more and more, these expectations about sid,
> > and I don't understand why.
>
> There are people who have become invested in the idea that sid
> is "stable enough" and have been told that it is comparable to a
> rolling release model.
>
> They have been misinformed but seem resistant to correction.

A good reference that explains Stable, Testing, Unstable and
Experimental is in the debian-reference at
.
From p 42 (of 245), the closest thing to rolling releases appears to
be Testing. The purpose of Testing is described as:

Dynamic testing release after decent checks and short waits

The reference also says:

Only pure stable release with security updates provides the best
stability. Running mostly stable release mixed with some packages from
testing or unstable release is riskier than running pure unstable
release for library version mismatch etc. If you really need the latest
version of some programs under stable release, please use packages from
stable-updates and backports (see Section 2.7.4) services. These
services must be used with extra care.

(I'm just pointing out the reference. It is not for the benefit of
folks like AS and DSR. They already know these things).

Jeff



Re: nsswitch what should come first

2024-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2024 at 9:45 PM George at Clug  wrote:
>
> On Friday, 02-08-2024 at 00:48 David Wright wrote:
> > On Thu 01 Aug 2024 at 10:32:27 (-0400), Greg Wooledge wrote:
> > > [...]
> > > I have no comment on mdns4_minimal because I don't really know what that
> > > is.
> >
> > AIUI mdns4_minimal is for devices that configure themselves using
> > multicast DNS on .local. If you put dns first, then the names of any
> > .local devices will be leaked out of your LAN and on to the Internet's
> > DNS servers. [NOTFOUND=return] is what prevent that happening IF you
> > leave the order alone.
>
> > (BTW don't use .local for your LAN domain name.)
>
> Why is that? (recently I was starting to believe I should stop using the 
> domain names I had chosen, and start using (what I thought was) the standard 
> of .local)
>
> Is it your personal preference, or a technical necessity?
>
> What is best practice for a local LAN prefix? (I have never found conclusive 
> instruction).
>
> It is my belief that .local is a MS idea originating from the configuration 
> of their servers. Is this correct?

.local is a multicast DNS (mDNS) thing. See
 and
.

I personally remove mDNS and Bonjour from my machines. mDNS is not the
source of truth on my networks. Rather, DNS is the source of truth in
my networks, so I use home.arpa from RFC 8375,
.

Jeff
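
The quoted explanation of `mdns4_minimal [NOTFOUND=return]` is easier to
see than to read. As an added example (not glibc code, not from this
thread), here is a small simulation of how glibc walks the `hosts:` line
of nsswitch.conf: the default action is return on success and continue
on anything else, and a bracketed `[STATUS=action]` overrides that for
the source it follows. The three backends are constructed stand-ins; the
only behaviour taken from the real nss-mdns module is that
`mdns4_minimal` answers `.local` names and reports UNAVAIL for everything
else, so non-`.local` names still fall through to DNS.

```python
"""Simulate the glibc NSS `hosts:` walk to show which sources a lookup
reaches, and therefore whether a .local name leaks to DNS. Added example."""
import re
from typing import Dict, List, Tuple

SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"


def parse_hosts_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """'hosts: files mdns4_minimal [NOTFOUND=return] dns' ->
    [('files', {}), ('mdns4_minimal', {'notfound': 'return'}), ('dns', {})]"""
    sources = []
    body = line.split(":", 1)[-1]
    for token in re.findall(r"\[[^\]]*\]|\S+", body):
        if token.startswith("["):
            actions = sources[-1][1]  # applies to the preceding source
            for item in token.strip("[]").split():
                status, action = item.lower().split("=")
                actions[status] = action
        else:
            sources.append((token, {}))
    return sources


def resolve(name, sources, backends, trace):
    """Walk the sources in order, recording each one consulted in trace.
    Default per nsswitch.conf(5): SUCCESS=return, everything else continue."""
    for source, actions in sources:
        trace.append(source)
        status, addr = backends[source](name)
        default = "return" if status == SUCCESS else "continue"
        if actions.get(status, default) == "return":
            return addr
    return None


# Constructed backends standing in for the real NSS modules.
def files_backend(name):
    hosts = {"localhost": "127.0.0.1"}
    return (SUCCESS, hosts[name]) if name in hosts else (NOTFOUND, None)


def mdns4_minimal_backend(name):
    # nss-mdns' minimal module only handles .local names; for anything
    # else it returns UNAVAIL, so the walk continues to the next source.
    if not name.endswith(".local"):
        return UNAVAIL, None
    lan = {"printer.local": "192.168.1.50"}  # constructed LAN answer
    return (SUCCESS, lan[name]) if name in lan else (NOTFOUND, None)


def dns_backend(name):
    public = {"example.com": "192.0.2.10"}  # constructed answer (TEST-NET)
    return (SUCCESS, public[name]) if name in public else (NOTFOUND, None)


BACKENDS = {"files": files_backend,
            "mdns4_minimal": mdns4_minimal_backend,
            "dns": dns_backend}


def lookup(nsswitch_line: str, name: str):
    """Return (address or None, list of sources consulted in order)."""
    trace: List[str] = []
    addr = resolve(name, parse_hosts_line(nsswitch_line), BACKENDS, trace)
    return addr, trace


if __name__ == "__main__":
    for line in ("hosts: files dns",
                 "hosts: files mdns4_minimal [NOTFOUND=return] dns"):
        for host in ("printer.local", "unknown.local", "example.com"):
            print(f"{line!r:55} {host:15} -> {lookup(line, host)}")
```

With `files dns`, an unknown `.local` name is sent to the DNS backend,
which is the leak David describes; with `mdns4_minimal [NOTFOUND=return]`
ahead of `dns`, the walk stops at mDNS for every `.local` name, found or
not, while `example.com` still reaches DNS because mDNS reports UNAVAIL.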



Re: nginx or apache for php?

2024-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2024 at 10:40 AM Walt E  wrote:
>
> I have been using apache2 + php for years under debian.
> But I heard people says nginx + php has better performance.
> Do you have experience on both of setup and share a bit with me?

Related, Nginx is generally considered more secure than Apache. Nginx
has approximately 220 CVEs, while Apache and friends has roughly 2700
CVEs. Confer, 
and .

I think it was Jon Bentley who said, if it does not have to be
correct, then I can make it as fast as you want it to be. Quickly
arriving at an incorrect result is not a good outcome.

Jeff



Re: BUG in Debian SID

2024-07-30 Thread Jeffrey Walton
On Tue, Jul 30, 2024 at 7:00 PM Łukasz Kalamłacki  wrote:
>
>
> I detected and issue with Debian SID and DHCP for IPv6.
>
> In my network I use DHCPv6 server which works fine on stable versions of
> Debian or Trixie but when I add to sources.list sid source and do update
> and upgrade I get and error that:
>
> "Link local ipv6 for interface is not configured" in syslog and
> systemctl is reporting failed networking service and only ipv4
> addressing is available.
>
>
> configuration in /etc/network/interfaces
>
> auto enp0s3
>
> iface enp0s3 inet dhcp
>
> iface enp0s3 inet6 dhcp

Maybe you need another option with dhcp for IPv6, like request_prefix
or accept_ra. See .

> What is interesting when the system is already running I can do:
>
> dhclient -6 enp0s3
>
> and I get ipv6 address correctly
>
> The problem is reproducible on Virtualbox: just install testing Debian
> and add sid to source.list and do update/upgrade in apt.
>
> The issue is very strange because during upgrade to SID I do not see
> installation of any networking packages.
>
> What do you think?

Jeff



Re: Where is the user community? (Was Re: Strange behavior of ifupdown package)

2024-07-28 Thread Jeffrey Walton
On Mon, Jul 29, 2024 at 1:53 AM Brad Rogers  wrote:
>
> On Sun, 28 Jul 2024 21:04:30 -0500
> Nate Bargmann  wrote:
>
> Hello Nate,
>
> >Discourse and Discord are two different technologies, AIUI
>
> Discourse also does this;
>
> Unfortunately, your browser is unsupported. Please switch to a supported
> browser to view rich content, log in and reply.
>
>
> Whilst it's not impossible to use their shite, err, site, with a niche
> browser, they do their best to try and stop one.  Of course, they're not
> the only organisation that use such tactics.  :-

One of the bigger problems (I find) with the social media and
community sites that want to replace a mailing list is, some sites
don't allow search engines to crawl their sites. So you don't even
know where to go to get a question answered. You have to start at the
site and search at the site.

I personally don't buy into the theres-an-app-for-that-mailing-list
mentality. I don't participate in the social networking experiments. I
refuse to be the product.

Jeff



KVM/QEMU/libvirt, and automatically release mouse pointer in Debian guest

2024-07-28 Thread Jeffrey Walton
Hi Everyone,

I have KVM/QEMU/libvirt installed to manage my VMs. I have a Debian 12
guest, x86_64, fully patched. The Debian guest has qemu-guest-agent
installed. The qemu-guest-agent service is running on the Debian
guest.

The problem is, the Debian guest does not automatically release the
mouse. I have to tap the right CTRL key.

My question is, what else needs to be done to automatically release
the mouse pointer in the Debian guest?

-

$ sudo systemctl start qemu-guest-agent
$ sudo systemctl status qemu-guest-agent
● qemu-guest-agent.service - QEMU Guest Agent
Loaded: loaded (/lib/systemd/system/qemu-guest-agent.service; static)
Active: active (running) since Mon 2024-07-29 00:01:39 EDT; 9min ago
  Main PID: 574 (qemu-ga)
 Tasks: 2 (limit: 4589)
Memory: 1.2M
   CPU: 2ms
CGroup: /system.slice/qemu-guest-agent.service
└─574 /usr/sbin/qemu-ga

Jul 29 00:01:39 debian12-x64 systemd[1]: Started qemu-guest-agent.service ...

-

Thanks in advance,

Jeff



Re: bash history

2024-07-27 Thread Jeffrey Walton
On Sun, Jul 28, 2024 at 12:25 AM Mike Castle  wrote:
>
> On Sat, Jul 27, 2024 at 2:50 PM mick.crane  wrote:
> > Is this something that can be changed so history is shared between
> > virtual terminals?
>
> [...]
> For me, I see up bash with the following features:
> * Unbounded history
> * History is immediately saved to disk after each command finishes
> * I keep history under source control (currently git) and regularly
> (well, for some definition of "regularly"), merge them across machines

This is an unusual use case (to me). Why do you save history in a
version control system?

> [...]
> For the record, I deal with the expected conflicts when merging
> history files across machines by using a simple python program that
> parses the history file (that includes the timestamps), discards the
> conflict markers, orders by timestamps, and writes it back out.  It is
> by no means perfect, but "good enough for me".
>
> For those worried about the unbounded history, I started doing that
> about ten years ago and my work history is currently just shy of
> 180,000 commands.  It would likely be less if I turned on the
> "erasedups" feature, but I like to keep the context.  And I've seen
> comments about folks who have multiple decades of shell history.  On
> modern machines, it simply isn't an issue.

Out of curiosity, do you scrub the file regularly for credentials,
like usernames and passwords, and remove entries?

Jeff



Re: systemd may silently break your system!

2024-07-26 Thread Jeffrey Walton
On Fri, Jul 26, 2024 at 10:00 AM Vincent Lefevre  wrote:
>
> The /etc/sysctl.d/99-sysctl.conf symlink has been removed
> (currently in unstable) *without any announcement*, so that
> the /etc/sysctl.conf file (which is still documented, BTW)
> is no longer read.
>
> So, be careful if you have important settings there (security...).

I had to laugh when I saw the title:

   systemd may silently break your system!

So what's new in the world according to Poettering?

Jeff



Re: browsers crashing.

2024-07-24 Thread Jeffrey Walton
On Wed, Jul 24, 2024 at 3:10 PM Christopher Judd  wrote:
>
> Since a recent upgrade, Opera and Chrome crash with error messages like the 
> following:
>
> [5913:5913:0724/111632.892713:ERROR:url_pattern_set.cc(287)] Invalid url 
> pattern: chrome://startpage/*
> [5913:5913:0724/111632.893319:ERROR:url_pattern_set.cc(287)] Invalid url 
> pattern: chrome://startpage/*
> [5913:5913:0724/111632.893340:ERROR:url_pattern_set.cc(287)] Invalid url 
> pattern: chrome://startpage/*
> [5913:5913:0724/111632.949431:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111634.570938:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111634.797936:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111634.885915:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111634.964606:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111635.061134:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111635.097287:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111635.123620:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111635.152647:ERROR:gpu_process_host.cc(1003)] GPU process 
> exited unexpectedly: exit_code=11
> [5913:5913:0724/111635.152668:FATAL:gpu_data_manager_impl_private.cc(449)] 
> GPU process isn't usable. Goodbye.
> [0724/111635.170732:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.170943:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.171043:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.172561:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.174294:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.179795:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.179899:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [0724/111635.180664:ERROR:elf_dynamic_array_reader.h(64)] tag not found
> [5959:5963:0724/111635.235886:ERROR:ssl_client_socket_impl.cc(881)] handshake 
> failed; returned -1, SSL error code 1, n
> et_error -3
>
> Firefox works fine. I don't even know which package is at fault here.  Any 
> suggestions?

Try starting Chrome from the command line with `--disable-gpu`.

Jeff



Re: Debian Sid. General questions.

2024-07-22 Thread Jeffrey Walton
On Mon, Jul 22, 2024 at 5:41 PM Andy Smith  wrote:
>
> On Mon, Jul 22, 2024 at 01:38:07PM +0500, 타토카 wrote:
> > [...]
> > 4. As I know Debian Sid does not have some packages like Arch, why? They
> > have rolling releases? I mean packages, for example, hyprland.
>
> Debian sid is not a rolling release. Debian does not have a rolling
> release. Additionally, Debian sid isn't a release of any
> description.
>
> You should not be using Debian sid.

I wish Debian had a rolling release. Years between releases means
software will get stale and accumulate bugs that will lead to
vulnerable and exploitable hosts on the network.

A perfect case on point is "TTY1 layer bug",
.
Folks thought it was benign, and did not patch it or port existing
patches. It was one of those accumulated bugs that would get cleared
at the next major release. Then, years after it was disclosed, someone
figured out it was exploitable.

A rolling release of 6 months would have cleared the bug close to the
time it became known. It would not have festered for years.

Fixing a bug close to when it becomes known is evidence of a [more]
secure system. That's because most compromises happen three or six
months after the bug was disclosed and patches were available. And the
compromises continue for years afterwards. Confer,
.

Jeff



Re: /var/run disappear after reboot

2024-07-22 Thread Jeffrey Walton
On Mon, Jul 22, 2024 at 11:10 AM George at Clug  wrote:
>
> On Monday, 22-07-2024 at 22:15 Henning Follmann wrote:
> >
> > > On Jul 22, 2024, at 08:08, cor...@free.fr wrote:
> > >
> > > I found that after I rebooted the system, the dir /var/run/*** 
> > > disappeared.
> >
> > Yes,
> > /var/run
> > is a symlink to /run
> > And /run is a tmpfs
> >
> > > I put my app's web sessions under /var/run. so they got lost.
> >
> > Well that was a bad idea if you wanted to have persistent session ids.
>
> Would it be appropriate to use the /opt directory?

For my Apache LAMP installation, I use /var/lib/php/tmp for temporary
files (like uploads) and /var/lib/php/sessions for session data. Then
I set this in php.ini: `open_basedir="/var/www/html/:/var/lib/php/"`.

> https://eitca.org/cybersecurity/eitc-is-lsa-linux-system-administration/linux-filesystem/filesystem-layout-continued/examination-review-filesystem-layout-continued/what-is-the-significance-of-the-opt-directory-in-the-linux-filesystem-layout/

You should read the Filesystem Hierarchy Standard,
.

> To summarize, the "/opt" directory holds significant importance in the Linux 
> filesystem layout. It provides a designated location for optional software 
> installations, separating them from the core operating system components. 
> This separation enhances system management, security, and integrity.
>
> https://linuxhandbook.com/linux-directory-structure/
> /opt – Optional software
> Traditionally, the /opt directory is used for installing/storing the files of 
> third-party applications that are not available from the distribution’s 
> repository.
> The normal practice is to keep the software code in opt and then link the 
> binary file in the /bin directory so that all the users can run it.

Jeff



Re: /var/run disappear after reboot

2024-07-22 Thread Jeffrey Walton
On Mon, Jul 22, 2024 at 10:12 AM Charles Curley
 wrote:
>
> On Mon, 22 Jul 2024 20:07:38 +0800
> cor...@free.fr wrote:
>
> > I found that after I rebooted the system, the dir /var/run/***
> > disappeared.
>
> As others have pointed out, stuff in /var/run is supposed to disappear
> on reboot.
>
> > I put my app's web sessions under /var/run. so they got lost.
> > Is there an effective tool to manage /var/run dirs?
>
> Given the above, a more fruitful question might be, where should I put
> my session data?

++.

For coreyh, here is the link to Linux Filesystem Hierarchy, v3:
. And here
is Wikipedia's page digesting it:
. The
documents discuss where various bits should go, including 11 pieces
for various /var locations.

> To which I would reply, what's wrong with where your
> web server put them before you changed it?

++.

Jeff



Re: CrowdStrike and drivers (was Re: why reliable linux hasn't gained more market share?)

2024-07-21 Thread Jeffrey Walton
On Sun, Jul 21, 2024 at 12:19 PM Hans  wrote:
>
> I do not agree to this. Updates should be installed as soon as they are
> available. Especially security updates. It shows , that within 24 hours after
> the release of an update, an exploit is available for this security hole.

I think you may be conflating two different updates. The first is the
OS or application's updates for a vulnerability, and second is the
antivirus updates to detect an attack using the vulnerability.

The science tells us that most compromised servers happen long after
an exploit is disclosed and patched. The majority of compromises
happen after 90 days, and continue for years afterwards. Confer,
.

So a Patch Management program that tests the OS or application
vendor's updates within about two weeks is usually going to be Ok.
Since it is the OS vendor or application vendor, it might be Ok to be
very aggressive in applying the updates since the OS or application
vendor are the experts for their product. That covers the first case -
OS or application updates for a vulnerability.

The second case is trickier - detecting an attack using the
vulnerability. This is where antivirus comes into play. In my mind's
eye, antivirus companies are an externality/third party, and their
work needs to be tested even more than the OS or application. The
testing needs to be more thorough because the third party does not
have specialized knowledge of the organization or the OS or
application. Yet the third party will likely run with highest of
privileges, and violate a number of the tenets laid out by Saltzer and
Schroeder. Confer,
.

> But you should do it correctly, like some hospitals did: First check with a
> canary (a testserver or some unimportant server), then, when everything is
> working without any problems, roll it out to the rest of the servers.

Are the hospitals checking the OS or application updates; or are they
checking the antivirus updates?

> Waiting for some days is a very very bad idea!
>
> I admit, that many people do not so, because they are comfortable and this
> requires more work. But it is the correct way!
>
> And really: This is not a new knowledge, this practice is standard since years
> (or should be everywhere).
>
> If one think, he must not do it and rely on the manufacturer, well his
> decision. If it breaks, i have no pity for him.

Jeff



Re: CrowdStrike and drivers (was Re: why reliable linux hasn't gained more market share?)

2024-07-20 Thread Jeffrey Walton
On Sun, Jul 21, 2024 at 2:15 AM Andy Smith  wrote:
>
> On Sun, Jul 21, 2024 at 10:28:28AM +0800, Bret Busby wrote:
> > Crowdstrike did not strike at Linux or BSD UNIX systems - only MS Windows
> > systems.
>
> Except that time just a few months ago when it *did* happen to
> Crowdstrike+Linux?
>
> https://news.ycombinator.com/item?id=41005936

This is alarming (to me) from the YC post:

"we push software to your machines any time we want,
whether or not it's urgent, without testing it" seems to be
core to the model...

Updates need to be tested inside an organization's lab, and then
tested with a sampling of the organization's computers. Then, an
organization is free to release the update to all machines. All of
that has to happen in two weeks to 30 days.

> Nothing in this story would be different if it was Linux deployed on
> those machines. And nothing would be different if Crowdstrike didn't
> exist, as some other equally useless vendor would be involved.
>
> There is a need to examine why companies are putting high privilege
> junk software on their machines. It's got nothing to do with Linux
> vs Windows.

Jeff



Re: CrowdStrike and drivers (was Re: why reliable linux hasn't gained more market share?)

2024-07-20 Thread Jeffrey Walton
On Sat, Jul 20, 2024 at 9:46 PM The Wanderer  wrote:
>
> On 2024-07-20 at 09:19, jeremy ardley wrote:
>
> > On 20/7/24 18:35, George at Clug wrote:
> > [...]
> > The problem was not CrowdStrike as such. It happens in the best of
> > operations.
> >
> > The problem is the Windows Systems Administrators who contracted for
> > / allowed unattended remote updates of kernel drivers on live
> > hardware systems. This is the height of folly and there is no
> > recovery if it causes a BSOD.
> [...]
>
> All the sysadmins involved did is agree to let an antivirus-equivalent
> utility update itself, and its definitions. I would be surprised if this
> could not have easily happened with *any* antivirus-type utility which
> has self-update capability; I'm fairly sure all modern broad-spectrum
> antivirus-etc. suites on Windows do kernel-level access in similar
> fashion. CrowdStrike just happens to be the company involved when it
> *did* happen.

I was around when Symantec Antivirus did about the same to about half
the workstations at the Social Security Administration. A definition
file update blue screened about half the Windows NT 4.0 and Windows
2000 hosts. That was about 50,000 machines, if I recall correctly.

> That the sysadmins decided to deploy CrowdStrike does not make it
> reasonable to fault them for this consequence, any more than e.g. if a
> gamer decided to install a game, and then the game required a patch to
> let them keep playing, and that patch silently included new/updated DRM
> which installed a driver which broke the system (as I recall some past
> DRM implementations have reportedly done), it would then be reasonable
> to fault the gamer. In neither case was the consequence foreseeable from
> the decision.

Sysadmins don't make that decision in the Enterprise. That decision
was made above the lowly sysadmin's pay grade.

> > The situation is recoverable if all the windows machines are virtual
> > with a good backup/restore plan. The situation is not recoverable if
> > the kernel updates are on raw iron running Windows.
>
> The situation is trivially recoverable if you can get access to the
> machine in a way which lets you either boot to safe mode and get
> local-administrator access, or lets you boot an alternative environment
> (e.g. live-boot media) from which you can read and write to the hard
> drive.

I don't think it's trivial for some enterprises due to the sheer
number of machines and the remote workforce. I'm guessing the company
I work for will spend the next week or month sorting things out. And
the company is a medium size enterprise with about 30,000 employees.
Imagine how bad it's going to be for an enterprise with 100,000
employees.

> I've spent a fair chunk of my workday today going around to affected
> computers and performing a variant of the latter process.
>
> Once you've done that, the fix is simple: delete, or move out of the
> way, a single file whose name claims that it's a driver. With that file
> gone, you can reboot, and Windows will come up normally without the
> bluescreen.

Unfortunately, I don't see this as scalable. It works fine for a small
business with 100 employees, but not an enterprise.

> > Heads should roll but obviously won't
>
> What good would decapitation do, here?

I think it's a figure of speech; not a literal.

> At most, CrowdStrike's people are
> guilty of rolling out an insufficiently-tested update, or of designing a
> system such that it's too easy for an update to break things in this
> way, or that it's possible to break things in this way not with an
> actual new client version (which goes through a release cascade, with
> each organization deciding which of the most recent three versions each
> of their computers will get) but just with a data-files update (which,
> as we have seen here, appears to go out to all clients regardless of
> version).

At minimum, it is negligence.

> The first would be poor institutional practice; the others would be
> potentially-questionable software design, although it's hard to know
> without seeing the internal architecture of the software in question and
> understanding *why* it's designed that way.
>
> In either case, it's not obvious to me why decapitating a few scapegoats
> would *improve* the situation going forward, unless it can be determined
> that specific people were actually negligent.

The incident affected the company's share price. Shares were down $10
or $15. If the potential issues were not detailed in company
literature and prospectus, then the Securities and Exchange Commission
might get involved for misrepresenting risk and liabilities. There
could be big fines, and that will cost the shareholders more money.

All this points to an incompetent board. If someone's head is going to
be taken (figuratively), then it should start with the CEO and other
executives.

Jeff



Re: Running 32-bit static exeutable on 64-bit Debian

2024-07-20 Thread Jeffrey Walton
On Sat, Jul 20, 2024 at 5:50 AM Thomas Schmitt  wrote:
>
> Van Snyder wrote:
> > And there's still the mystery why a statically-linked executable wants to
> > load a shared object library.
>
> I doubt that it is possible to make a purely statical binary with no
> references to any .so libraries.
> (If it were generally possible, why then would Flatpak and Snap exist?)
>
> Check by program "ldd" which dynamic dependencies the binary has:
>
>   ldd ./LinuxSusser

You might want to use `libtree`, `readelf -d | grep NEEDED` or
`objdump -p | grep NEEDED` instead. They do not suffer ldd's
shortcomings. Also see CVE-2009-5064, and
.

Jeff
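As an added example (not code from the post, nor from libtree, readelf or objdump), here is a small C program that reads the DT_NEEDED entries straight out of a 64-bit ELF file's section headers, which is what `readelf -d` shows; the file is only parsed, never executed or handed to its own dynamic loader, which is the ldd shortcoming the CVE is about. It assumes a 64-bit ELF in the host's byte order whose section headers are intact (plain `strip` keeps them), and every offset is bounds-checked so a crafted file fails cleanly instead of being trusted.

```c
/* needed.c: list the DT_NEEDED (shared library) entries of a 64-bit ELF
 * file by parsing it, never by running it. Added example; not code from
 * the post or from libtree/readelf/objdump. Assumes a 64-bit ELF in the
 * host's byte order with intact section headers.
 * Build: cc -Wall -o needed needed.c   Run: ./needed /bin/ls */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NEEDED 64
#define NAME_LEN 256

/* Slurp a file into memory. Returns NULL on any error. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    unsigned char *buf = NULL;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    if (sz > 0 && fseek(f, 0, SEEK_SET) == 0 && (buf = malloc((size_t)sz)) != NULL) {
        if (fread(buf, 1, (size_t)sz, f) == (size_t)sz) {
            *len = (size_t)sz;
        } else {
            free(buf);
            buf = NULL;
        }
    }
    fclose(f);
    return buf;
}

/* True if [off, off+size) lies inside a buffer of `len` bytes, without
 * letting a huge crafted offset wrap around. */
static int in_bounds(size_t len, Elf64_Off off, Elf64_Xword size)
{
    return off <= len && size <= len - off;
}

/* Fill `out` with up to `max` DT_NEEDED names. Returns the total number of
 * DT_NEEDED entries (0 for a static binary), or -1 if the file is missing,
 * is not a 64-bit ELF, or its headers are inconsistent. */
int elf_needed(const char *path, char out[][NAME_LEN], int max)
{
    size_t len = 0;
    unsigned char *buf = read_file(path, &len);
    if (!buf) return -1;

    int count = -1;
    if (len < sizeof(Elf64_Ehdr)) goto done;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 ||
        eh->e_shoff == 0 || eh->e_shoff % 8 != 0 ||
        eh->e_shentsize != sizeof(Elf64_Shdr) ||
        !in_bounds(len, eh->e_shoff, (Elf64_Xword)eh->e_shnum * sizeof(Elf64_Shdr)))
        goto done;

    const Elf64_Shdr *sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    count = 0;
    for (int i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_type != SHT_DYNAMIC) continue;
        /* sh_link of .dynamic names the string table (.dynstr) its entries index. */
        if (sh[i].sh_link >= eh->e_shnum || sh[i].sh_offset % 8 != 0) { count = -1; break; }
        const Elf64_Shdr *st = &sh[sh[i].sh_link];
        if (!in_bounds(len, sh[i].sh_offset, sh[i].sh_size) ||
            !in_bounds(len, st->sh_offset, st->sh_size)) { count = -1; break; }

        const Elf64_Dyn *dyn = (const Elf64_Dyn *)(buf + sh[i].sh_offset);
        size_t ndyn = sh[i].sh_size / sizeof(Elf64_Dyn);
        const char *strs = (const char *)buf + st->sh_offset;
        for (size_t j = 0; j < ndyn && dyn[j].d_tag != DT_NULL; j++) {
            if (dyn[j].d_tag != DT_NEEDED) continue;
            Elf64_Xword off = dyn[j].d_un.d_val;
            /* The name must start inside .dynstr and be NUL-terminated inside it. */
            if (off >= st->sh_size || !memchr(strs + off, '\0', st->sh_size - off)) {
                count = -1;
                break;
            }
            if (count < max) snprintf(out[count], NAME_LEN, "%s", strs + off);
            count++;
        }
        break; /* a file has at most one .dynamic section */
    }
done:
    free(buf);
    return count;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    char names[MAX_NEEDED][NAME_LEN];
    int n = elf_needed(argv[1], names, MAX_NEEDED);
    if (n < 0) { fprintf(stderr, "%s: not a parsable 64-bit ELF\n", argv[1]); return 1; }
    for (int i = 0; i < n && i < MAX_NEEDED; i++) printf("NEEDED %s\n", names[i]);
    return 0;
}
```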



Re: VirtualBox (VB) and Windows on Debian

2024-07-19 Thread Jeffrey Walton
On Thu, Jul 18, 2024 at 8:33 PM  wrote:
>
> On Wednesday, 17 July 2024 21:31:00 BST Jeffrey Walton wrote:
> > On Tue, Jul 16, 2024 at 1:35 PM jeremy ardley 
> wrote:
> > > On 16/7/24 19:31, Tom Browder wrote:
> > > > [...]
> > > There are alternatives that include:
> > >
> > > - KVM/QEMU
> > >
> > > - VMWare Workstation Pro (which is now free for private use)
> > >
> > > In my experience KVM/QEMU is fairly stable. The VMWare product not so
> > > much.
> > >
> > > Given everything is virtual you can easily try all options in an hour or
> > > two.
> >
> > Add a "mee too" for KVM/QEMU/libvirt. The components are managed by
> > the kernel, so there are usually no technical problems, like unsigned
> > modules. Virt Manager takes a little getting used to, but everything
> > you need is there.
> >
> > The only downside to KVM/QEMU/libvirt is networking in some cases.
> > Configuring a VM to use your local DHCP server is a pain because you
> > have to setup and configure the bridging yourself. And the
> > documentation to do it does not exist.
>
> Out of interest, how is one supposed to do it now? I set mine up ages ago via
> /etc/network/interfaces - eg..
>
> auto br0
> iface br0 inet dhcp
> bridge_ports    enp4s0
> bridge_stp  off
> bridge_fd   0
> bridge_maxwait  0
>
> ..but I have no idea how to do it now. Manpage says 'brctl' is obsolete and
> points to 'bridge' which I've never used.

Yeah, I have an old server that was setup using the old commands, like
brctl. It has been so long I don't recall the steps I used to
configure it.

For a modern install on Debian with Systemd and Network Manager (and
not systemd-network), here are the rough steps I follow.

1. Ignore anything from `sudo -E virsh net-edit default`. You don't
use the default NAT. You use virbr0 instead.

2. Install nmtui.

3. `sudo nmtui`, then 'Edit a connection'. Select bridge virbr0.

* Under slaves, add Ethernet Connection 1. Check Automatically
Connect and Available to All Users.

* Under IPv4, select Automatic. Remove addresses and friends.

* Under IPv6, select Disabled. I don't run IPv6 internally.

4. Reboot the machine.

5. After reboot and login, you should see ethernet UP, vbridge UP, and
the host has a DHCP address via the bridge.

$ ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s20f0u3c2:  mtu 1500 qdisc fq_codel master virbr0 state UP mode DEFAULT group default qlen 1000
   link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
3: wlo1:  mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
   link/ether 9a:28:0e:bd:f4:ee brd ff:ff:ff:ff:ff:ff permaddr 00:41:0e:67:0e:7b
   altname wlp87s0
4: virbr0:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
   link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff

And:

$ ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
2: enp0s20f0u3c2:  mtu 1500 qdisc fq_codel master virbr0 state UP group default qlen 1000
   link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
3: wlo1:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
   link/ether 9e:8e:8a:6f:35:5e brd ff:ff:ff:ff:ff:ff permaddr 00:41:0e:67:0e:7b
   altname wlp87s0
4: virbr0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
   link/ether 20:7b:d2:8c:55:d4 brd ff:ff:ff:ff:ff:ff
   inet 172.16.2.15/12 brd 172.31.255.255 scope global dynamic noprefixroute virbr0
      valid_lft 6293sec preferred_lft 6293sec

6. In Virtual Machine Manager, select a VM, select NIC, choose Bridge
device... and select virbr0.

7. Start the VM. The VM will get an IP address from your local DHCP server.

You might find these commands useful if you don't (yet) have a bridge:
<https://wiki.archlinux.org/title/Network_bridge> and maybe this
discussion: <https://bbs.archlinux.org/viewtopic.php?id=253232>.

Jeff



Re: web site displays blank page

2024-07-18 Thread Jeffrey Walton
On Thu, Jul 18, 2024 at 10:06 AM Dan Ritter  wrote:
>
> e...@gmx.us wrote:
> > On 7/18/24 02:06, Russell L. Harris wrote:
> > > My ISP is RTA.  I am in a rural area near Austin, Texas, and have a
> > > 10/1 microwave link.  Could the problem be with RTA?
> >
> > It's probably a routing issue between you and them. Or maybe "delivery
> > content network" (That's what it's called, right?  A company with fat pipes
> > in several places that rents out their bandwidth.) got temporarily
> > misconfigured.  I've had instances where one or more sites become
> > inaccessible for minutes or hours, then work again.
>
>
> Content delivery network -- in this case, Akamai, which I used
> to work for 20 years ago.
>
> The 429 error indicates either that the local node is
> overwhelmed (unlikely) or that the client has asked for a limit
> on traffic to prevent a giant bill.

I think the company is currently in a downward spiral. Saving money
sounds like a plausible reason for the problems with its website.
Confer, 
.

Jeff



Re: VirtualBox (VB) and Windows on Debian

2024-07-17 Thread Jeffrey Walton
On Tue, Jul 16, 2024 at 1:35 PM jeremy ardley  wrote:
>
> On 16/7/24 19:31, Tom Browder wrote:
> > I haven't looked at VB in a long time, but I have a real need for a
> > Windows host
> > to port some Linux libraries to Windows in order to support the Raku
> > language.
> >
> > I now have lots of memory and disk space which was always a significant
> > issue when I used it before, and my use case is much different. Then I
> > was trying to show Windows users how they could run Linux, now I want to
> > help Windows folks to use a new programming language that was developed
> > on *nix systems.
> >
> > Thus my question is: Has anyone use a recent version of VB to run
> > Windows with satisfactory results? (Note I still have a legal copy of
> > Win 10 on a CD as well as a portable DVD player with a USB connector.)
> >
> > Thank you my fellow Debian users!
>
> VirtualBox is not supported on Debian 12.
>
> There are alternatives that include:
>
> - KVM/QEMU
>
> - VMWare Workstation Pro (which is now free for private use)
>
> In my experience KVM/QEMU is fairly stable. The VMWare product not so much.
>
> Given everything is virtual you can easily try all options in an hour or
> two.

Add a "mee too" for KVM/QEMU/libvirt. The components are managed by
the kernel, so there are usually no technical problems, like unsigned
modules. Virt Manager takes a little getting used to, but everything
you need is there.

The only downside to KVM/QEMU/libvirt is networking in some cases.
Configuring a VM to use your local DHCP server is a pain because you
have to setup and configure the bridging yourself. And the
documentation to do it does not exist.

Jeff



Re: umask - default user settings?

2024-07-16 Thread Jeffrey Walton
On Tue, Jul 16, 2024 at 1:45 PM  wrote:
>[...]
>
> (The most probable outcome though is even less rosy: everything'll run in
> the browser, and Secure Boot will make sure that your hardware refuses to
> run anything else, because the chips are sponsored by the Ad Industry.

Lol...



Re: umask - default user settings?

2024-07-15 Thread Jeffrey Walton
On Mon, Jul 15, 2024 at 9:34 PM Greg Wooledge  wrote:
>
> On Tue, Jul 16, 2024 at 08:02:45 +0700, Max Nikulin wrote:
> [...]
> > systemd.exec(5)
> >
> > > UMask=
> > > Controls the file mode creation mask. Takes an access mode in octal
> > > notation. See umask(2) for details. Defaults to 0022 for system units.
> > > For user units the default value is inherited from the per-user service
> > > manager (whose default is in turn inherited from the system service
> > > manager, and thus typically also is 0022 — unless overridden by a PAM
> > > module). In order to change the per-user mask for all user services,
> > > consider setting the UMask= setting of the user's user@.service system
> > > service instance. The per-user umask may also be set via the umask field
> > > of a user's JSON User Record[5] (for users managed by
> > > systemd-homed.service(8) this field may be controlled via homectl
> > > --umask=). It may also be set via a PAM module, such as pam_umask(8).
>
> [5] refers to .
>
> I defy any human being to read that web page and tell me WHAT FILE TO
> EDIT, and WHAT TO PUT IN IT, to effect a change to your environment.

++

When I read that, I tried it myself:

root@raptor:~# grep -IR 'jwalton@.service' /etc
root@raptor:~# grep -IR 'jwalton@.service' /lib
root@raptor:~#

> I can't find anything concrete in there.  Just a bunch of jabber.

Welcome to the world according to Poettering.

> The only filename I could find by skimming that thing was ~/.identity,
> and that's buried *deep* inside the page.  Is that the file you're
> supposed to create and/or edit?  What do you put in it to make your
> programs have a umask of your choosing?  Is there an example?

Jeff



Re: umask - default user settings?

2024-07-15 Thread Jeffrey Walton
On Mon, Jul 15, 2024 at 12:06 PM Eduardo M KALINOWSKI
 wrote:
>
> On 14/07/2024 14:09, Hans wrote:
> > Dear list,
> >
> > I am wondering, why on a multiuser system like debian the rights for a normal
> > user are "rw- r-- r--", (owner: user and ownergroup: usergroup)
> >
> > Of course there is a reason for this, but it is not understandable for me.
> >
> >
> > First two are clear: rw for myself, and readable for all users, i am allowing
> > into my own group.
> >
> > The last one is not clear for me. Why should I allow the rest of the world
> > read my personal documents? These are private and no one else should be able
> > to read them!
> >
> > So I would have expected a setting of "rw- r-- ---" for any files.
> >
> > Before someone argues, "you can change this by editing umask", yes, I know of
> > this of course.
> >
> > But it is not clear for me, why it is set that way by default and not as I
> > would have expected as described above.
> >
> > Sure, there is a reason for this, so I will be happy, if someone could
> > enlighten me.
>
> I kind of agree with that in principle, and I've always used an umask
> 077 myself.
>
> On the other hand, I'm the only user in my system, so it doesn't really
> matter. I expect that is the case for most users.
>
> I'm not sure if the Debian default should be changed, though.

Debian is a multi-user operating system. Decisions should be made accordingly.

I suppose umask is a moot point on phones and tablets, where
single-user is often the use case.

Jeff



Re: How to find suitable mailing list or USENET group

2024-07-09 Thread Jeffrey Walton
On Tue, Jul 9, 2024 at 12:51 PM Richard Owlett  wrote:
>
> My particular problem is finding an active user oriented list/group for
> KDE's Kate editor. All I found is a developers' list.
>
> In general, how does one find a suitable mailing list or USENET group?
> Others must have the same general problem.

Michel Verdier provided a good suggestion with
.

Reddit communities are another source of support. r/kde looks like it
has Kate related discussions.

I prefer Reddit over Stack Exchange. I find the Stack Exchange is
mostly full of low quality crap.

Jeff



Re: Creating PDF/A from LaTeX source and from existing PDF

2024-07-08 Thread Jeffrey Walton
On Mon, Jul 8, 2024 at 5:56 PM Ceppo  wrote:
>
> On Wed, Jul 03, 2024 at 06:38:51PM GMT, Richard wrote:
> > From LaTeX, this is quite simple, there's a package for that - as for pretty
> > much everything in the LaTeX world. Googling for just like 10 sec could have
> > given you this great guide: https://webpages.tuni.fi/latex/pdfa-guide.pdf
>
> I did my research and found the document you linked. In fact it's what pointed
> me to the pdfx LaTeX package, but I couldn't make it work. I acknowledge I
> missed its reference to veraPDF, though.
>
> > gs -dQUIET -dUseCIEColor -sProcessColorModel=DeviceCMYK -sDEVICE=pdfwrite
> > -dPDFACompatibilityPolicy=1 -dCompressFonts=true -dSubsetFonts=true
> > -sFONTPATH=/usr/share/fonts/ -o  
>
> The output isn't accepted by veraPDF, either. I will try to understand
> something more about ghostscript.

Have a look at . It discusses
some of the finer points of PDF/A conversion in the comments, like
color spaces.

Jeff



Re: Creating PDF/A from LaTeX source and from existing PDF

2024-07-08 Thread Jeffrey Walton
On Wed, Jul 3, 2024 at 12:13 PM Ceppo  wrote:
>
> I wrote a report with LaTeX, and afterwards discovered it must be
> PDF/A-compliant - which wasn't. I found the pdfx LaTeX package and followed its
> instructions, thus obtaining a file that should be PDF/A and pdfinfo identifies
> as such, but my employer's upload form thinks isn't. Is pdfinfo reliable enough
> that I can tell my employer his form is broken? If not, how can I make sure
> that pdflatex's output is actually PDF/A-compliant?

The pdf-linter I use to verify a pdf document is qpdf,
. It is available on most distributions,
including Debian, Fedora and Red Hat.

The command to check the document is `qpdf --check `.

> I will also probably have to upload under the same requirement some third-party
> PDF, which is not PDF/A, without access to an editable version. Is there a way
> to convert them to PDF/A? I know that converting from an editable version would
> be the correct way for this, but I have no real way to get it.

qpdf may provide this functionality, but I have never used it. From
the project's description: "qpdf is a command-line tool and C++
library that performs content-preserving transformations on PDF files.
It supports linearization, encryption, and numerous other features. It
can also be used for splitting and merging files, creating PDF files
(but you have to supply all the content yourself), and inspecting
files for study or analysis."

Another tool I would look at is GhostScript. It looks like it can
convert to PDF/A: .

> A requirement of any solution is that it doesn't rely on non-DFSG-compliant
> software, including online conversion tools.

Jeff



Re: usb => serial port converter

2024-07-08 Thread Jeffrey Walton
On Mon, Jul 8, 2024 at 11:56 AM Lee  wrote:
>
> On Sun, Jul 7, 2024 at 8:51 PM Andy Smith wrote:
> >
> > On Sun, Jul 07, 2024 at 06:02:18PM -0400, Lee wrote:
> > > I tried plugging the dongle into my debian laptop but it didn't
> > > recognize it :(
> >
> > In my experience USB serial gadgets on Linux tend to just work or
> > will never work.
>
> It worked this time!
> Other than plugging it into a windows machine that had the proper
> drivers first, I don't know what changed.
>
> > > And what program are you using to talk to something over the serial
> > > link?  pterm or something else?
> >
> > I use either minicom or GNU Screen. You'll need to know the baud
> > rate that the device expects, though you can just try a few common
> > ones and see what works. e.g.
> >
> > # screen /dev/ttyUSB0 115200
>
> Great!  I had to add myself to the dialout group to be able to talk to
> the device, but
> screen /dev/ttyUSB0 38400
> works.

You should also add TIOCEXCL on the file descriptor to ensure
exclusive access to the device. Otherwise, other programs will try to
open the modem and probe it by sending commands to it. It will screw
up your reads on the fd.

    /* Needs <sys/ioctl.h> (TIOCEXCL), <errno.h> and <string.h>. fd is the */
    /* already-opened serial device; log_warn() is the program's own logger. */
    /* NetworkManager and ModemManager will try to open our device */
    /* on occasion. Set TIOCEXCL to ensure we get exclusive access. */
    if (ioctl(fd, TIOCEXCL, NULL) == -1) {
        log_warn("Failed to set TIOCEXCL on device: %s\n", strerror(errno));
    }

Jeff



Re: small font

2024-07-04 Thread Jeffrey Walton
On Thu, Jul 4, 2024 at 2:58 PM Richard  wrote:
>
> Right, because 4x = 10x. Jesus, stop being so ridiculous. Also, there's some 
> magic trick called compression.

Compression is a security hole. It leaks information. It should be
disabled. In fact, TLS v1.3 removed it from the protocol. Also see
 and
.

> Human readable text is especially easy to compress, basically negating all 
> those effects. So just stick to reality, everything else is just embarrassing.

Jeff

> On Thu, Jul 4, 2024, 16:48 Greg Wooledge  wrote:
>>
>> The HTML part is more than double the size of the plain text part, and
>> when you include all of the MIME metadata needed to set up the multipart
>> message, the overall size of the body is about 4x what it would have been
>> if you'd only sent plain text (0.5k -> 2.0k).
>>
>> Granted, this is not the 10x increase that Michel predicted, but it's
>> easy to see how a *different* HTML message, with a lot more markup,
>> could certainly reach that threshold.



Re: small font

2024-07-04 Thread Jeffrey Walton
On Thu, Jul 4, 2024 at 9:58 AM jeremy ardley  wrote:
>
> On 4/7/24 17:13, Roger Price wrote:
> >
> > The Debian mailing list Code of Conduct at
> > https://www.debian.org/MailingLists/
> > is clear:
> >
> > « Please don't send your messages in HTML; use plain text instead »
>
> I presume there is some compelling reason that the mailing list doesn't
> filter html emails and only resend the text only version?

Yeah, the policy should be enforced at the list server if it is an
important policy. As an example, Vger will reject HTML messages since
the kernel folks feel HTML emails are a characteristic of spam. See
.

If it is not an important policy, then it should probably be removed
from the FAQ.

Jeff



Re: This is a testmail!

2024-07-04 Thread Jeffrey Walton
On Thu, Jul 4, 2024 at 4:55 PM Detlef Vollmann  wrote:
>
> Isn't this the usual DKIM problem with lists?
> The From: has @loop.de, but the sender and DKIM signature
> is from lists.debian.org.
>
> That's why most lists these days rewrite the From: header.

One small nit: rewriting headers is not approved in the RFCs, so some
(many?) mail servers don't do it. I know the folks who run the Claws
Mail mailing list refuse to do it.

Also see Tolerating Mailing-List Modifications,
.

Jeff



Re: how2 format a flash drive

2024-07-02 Thread Jeffrey Walton
On Tue, Jul 2, 2024 at 3:53 AM George at Clug  wrote:
>
> Is telemetry evil?  Are guns evil?  Philosophical questions?
>
> I find it objectionable when people gather "telemetry" about "me" and not 
> just the causes of the "blue screens of death".
>
> I find it objectionable when people gather personal "telemetry" and then on 
> sell that information to others for whatever purposes, whether it is to 
> target me with ads, or political analysts like Cambridge Analytica, or to 
> alter my "Social Credit Score", or to be used to cancel my Credit Cards, or 
> for whatever other purpose.

For those interested in reading more, pick up a copy of Shoshana
Zuboff's book The Age of Surveillance Capitalism: The Fight for a
Human Future at the New Frontier of Power
( and
).

Jeff



Re: How to use Wine, How to get Gecko to install and work

2024-07-01 Thread Jeffrey Walton
On Mon, Jul 1, 2024 at 6:33 PM George at Clug  wrote:
>
> To all who replied, Thanks.
>
> Sadly after further testing I still have very little success with Wine.
>
> When I installed WineHQ's Wine Installation, Gecko and Mono were able to be 
> installed. I noticed a rpcss.exe (from memory) in Taskmgr. This at least 
> allowed me to display the initial web page in Wine's Iexplore. But sadly it 
> did not help me in successfully  installing the current Windows versions of 
> Firefox or Chrome, or other programs I was having challenges with.
>
> I also tried PlayOnLinux without any success.
>
> The "Time vs ROI" for this endeavour suggests to me, that for now, I should 
> just use Linux native programs.

I think this is probably wandering off-topic, but I'll toss it out there...

When in Rome, do as the Romans do. That means you run Windows programs
on Windows VMs, and Linux programs on Linux VMs. Don't try to use Wine
to run Windows programs on Linux; and don't try to use a POSIX
subsystem to run Linux programs on Windows. Mixing and matching is not
worth the aggravation.

You never stated what problem you are trying to solve. I'm guessing
there's a native Linux replacement for it so you don't need to wine
and iexplore.

Jeff



Re: how2 format a flash drive

2024-06-30 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 4:13 PM Lee  wrote:
>
> On Tue, Jun 25, 2024 at 7:26 PM George wrote:
> > [...]
> > If you have any grips or difficulties, please mention them.
>
> My gripes and difficulties are the same thing. [...]
> something equivalent to notepad++,

You might give Notepadqq a spin. I've used it in the past, and it has
a comparable look and feel to Notepad++.

.

If TAB works kind of funny, then see this bug report and fix:
.
(I don't know if it was merged).

Jeff



Re: Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 9:46 PM Jeffrey Walton  wrote:
>
> On Sun, Jun 30, 2024 at 9:35 PM Lee  wrote:
> >[...]
> >   ... which is the downside of free software.  Technically, yes, I'm
> > free to build the software with whatever I want enabled, with whatever
> > changes I want added/deleted.
> > In practice, my ability to build Firefox is .. lacking :(
>
> Yeah, trying to build some of these projects is the pits.

One way out of this may be to make a Request for Packaging,
<https://wiki.debian.org/RFP>. Ask for debug builds of Firefox.

Since Debian is now supplying release builds in their release channel,
it might make sense for Debian to provide debug builds for web
developers. Web developers can install firefox-debug as a www-browser
alternative, and do things like debug protocol issues. Regular users
would still get the release version of Firefox, so regular users would
be protected from some of the security problems associated with the
debug build.

And you still might try the nightly build of Firefox, and see if it
provides the features that you are looking for. If the nightly build
has what you need, then you won't have to spend time on the RFP.

Jeff



Re: Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 9:35 PM Lee  wrote:
>
> On Sat, Jun 29, 2024 at 4:45 PM Jeffrey Walton wrote:
> >
> > On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> > >
> > > [...] Debian firefox does NOT allow one to do
> > > TLS intercept - ie. this does not work:
> > > C:\UTIL>cat firefox-tlsdecode.bat
> > > set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> > > start C:\"Program Files\Firefox\Firefox.exe"
> > >
> > > @rem wireshark:
> > > @rem   edit / preferences
> > > @rem   protocols / tls  (v2.6: protocols / ssl)
> > > @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> > > filename (was SSL debug file entry)
> >
> > I'm not sure who your complaint is against -- Debian, Firefox or
> > Linux. I'm also not sure that it is a valid complaint.
>
> It is 100% a valid complaint.  And it's a complaint against Debian
> because they're the ones that turned off that functionality.
> They have , I disagree, I'm free to build Firefox for myself,
> get somebody else to do it for me, or get it somewhere else.

It looks like the change is due to NSS (Network Security Services),
not Firefox: <https://bugzilla.mozilla.org/show_bug.cgi?id=908046> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=1183318>. I think the
3318 bug is most relevant, but I may be mistaken.

If I am parsing the various bug reports properly, it looks like
SSLKEYLOGFILE was disabled by default for release builds. It looks
like you might have to perform your own debug build to gain access
again. Or maybe the nightly builds of Firefox will have it.

>   ... which is the downside of free software.  Technically, yes, I'm
> free to build the software with whatever I want enabled, with whatever
> changes I want added/deleted.
> In practice, my ability to build Firefox is .. lacking :(

Yeah, trying to build some of these projects is the pits.

Jeff



Re: sendmail and starttls failing

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 6:13 PM Greg Wooledge  wrote:
>
> On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
> > According to this
> > https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
> >
> > bare CRs aren't allowed in emails but this has always worked.
> >
> > I'm only likely to have cron generating emails like this.
> >
> > Strange that this would have been changed in a stable release. It
> > doesn't seem to have been a security update.
>
> It looks like it's coming from this change:
>
> https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog
>
>   * Fix CVE-2023-51765 (Closes: #1059386):
> sendmail allowed SMTP smuggling in certain configurations.
> Remote attackers can use a published exploitation
> technique to inject e-mail messages with a spoofed
> MAIL FROM address, allowing bypass of an SPF protection
> mechanism. This occurs because sendmail supports
> . but some other popular e-mail servers
> do not. This is resolved with 'o' in srv_features.
>
> I don't know the details of how this leads to a security hole.

Take a look at the blog at
.

Jeff



Re: sendmail and starttls failing

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 6:08 PM Tim Woodall  wrote:
>
> On Sun, 30 Jun 2024, Tim Woodall wrote:
>
> > On Sun, 30 Jun 2024, Michael Grant wrote:
> >
> >> After an update today, sendmail is refusing to accept mail.  I'm
> >> seeing this in the logs:
> >>
> >
> > Hmmm, this update seems to have done a lot of odd things.
> >
>
> root@dirac:~# mail root
> Cc:
> Subject: test cr
> this
> is^Ma test
> .
> root@dirac:~# mailq
> MSP Queue status...
>  /var/spool/mqueue-client (1 request)
> -Q-ID- --Size-- -Q-Time- 
> Sender/Recipient---
> 45ULV1xk014043   15 Sun Jun 30 22:31 r...@dirac.home.woodall.me.uk
>   (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
>   root
>  Total requests: 1
> MTA Queue status...
> /var/spool/mqueue is empty
>  Total requests: 0
>
> According to this
> https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
>
> bare CRs aren't allowed in emails but this has always worked.
>
> I'm only likely to have cron generating emails like this.
>
> Strange that this would have been changed in a stable release. It
> doesn't seem to have been a security update.

New SMTP smuggling attack,
.

The short of it is, non-conforming emails and sloppy parsing have led
to a litany of problems including mail spoofing. It has been going on
for years, but now things are changing.

Jeff
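As an added example (not code from the thread or from sendmail), a line-ending check of the kind behind the "421 4.5.0 Bare carriage return (CR) not allowed" deferral shown above: RFC 5321 section 2.3.8 requires every line of SMTP data to end in CRLF and forbids a bare CR or bare LF inside a line. The sample payloads, including a copy of the "is^Ma test" body from the quoted test, are constructed, and the LF and accept reply strings are my stand-ins rather than sendmail's text.

```python
CR, LF = 0x0D, 0x0A


def find_bare_line_endings(data: bytes):
    """Scan an SMTP DATA payload and return (line_number, kind, offset) for
    every CR not followed by LF and every LF not preceded by CR.
    Line numbers start at 1 and advance on CRLF and on a bare LF."""
    findings = []
    line = 1
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b == CR:
            if i + 1 < n and data[i + 1] == LF:
                line += 1
                i += 2
                continue
            # a CR at end of data, or followed by anything but LF, is bare
            findings.append((line, "bare CR", i))
        elif b == LF:
            findings.append((line, "bare LF", i))
            line += 1
        i += 1
    return findings


def data_reply(data: bytes) -> str:
    """Emulate a strict receiver's reply at the end of DATA. The CR wording
    matches the mailq output quoted in the thread; the LF wording and the
    accept line are constructed stand-ins, not sendmail's exact text."""
    findings = find_bare_line_endings(data)
    if not findings:
        return "250 2.0.0 message accepted (constructed reply)"
    line, kind, _ = findings[0]
    if kind == "bare CR":
        return f"421 4.5.0 Bare carriage return (CR) not allowed (line {line})"
    return f"421 4.5.0 Bare line feed (LF) not allowed (line {line})"


def crlf_normalize(data: bytes) -> bytes:
    """Rewrite every line ending to CRLF before submission, treating a bare
    CR as a line break. Intended for mail you generate locally (e.g. cron
    output): it changes the bytes of the body, so it is a fix for the
    producer, not something an MTA should apply silently to relayed mail."""
    return (data.replace(b"\r\n", b"\n")
                .replace(b"\r", b"\n")
                .replace(b"\n", b"\r\n"))


# Constructed samples. BARE_CR_BODY mirrors the "is^Ma test" body typed in
# the quoted test (^M is a literal CR byte).
CLEAN = b"Subject: test\r\n\r\nhello\r\nworld\r\n"
BARE_CR_BODY = b"Subject: test cr\r\nthis\r\nis\ra test\r\n"
BARE_LF_BODY = b"line one\nline two\r\n"

if __name__ == "__main__":
    for sample in (CLEAN, BARE_CR_BODY, BARE_LF_BODY):
        print(find_bare_line_endings(sample), "->", data_reply(sample))
    print(data_reply(crlf_normalize(BARE_CR_BODY)))
```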



Re: Browser traffic interception/inspection

2024-06-29 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 9:37 PM Max Nikulin  wrote:
>
> On 30/06/2024 03:45, Jeffrey Walton wrote:
> > On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> >>
> >> [...] Debian firefox does NOT allow one to do
> >> TLS intercept - ie. this does not work:
> >> C:\UTIL>cat firefox-tlsdecode.bat
> >> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> >> start C:\"Program Files\Firefox\Firefox.exe"
> [...]
> > I'm not sure who your complaint is against -- Debian, Firefox or
> > Linux. I'm also not sure that it is a valid complaint.
>
> I do not mind to see a link stating that the appropriate logger is
> really disabled. Certainly dumping of TLS session keys may be disabled
> through a compile time flag similar to enforcing signatures for add-ons.
> It may be default Firefox configuration for release builds or some line
> in Debian build rules. It still might be some mistake during attempts to
> enable the logger. I have read about this approach but I have never
> tried it in action.
>
> > Firefox uses its own certificate store.
>
> It is relevant to active traffic interception you described (a proxy).
> Lee prefers passive traffic sniffing and it requires cooperation from a
> peer to get session keys. Each case has its own advantages.

As far as I know, the browsers support active interception. That is,
"interception is a valid use case" for the browsers to support
Data Loss Prevention (DLP) programs. The browsers do that through the
use of interception proxies and root CAs used in the DLP program.

Browsers do not support the passive capture/replay that OP wants. That
is, they don't support exporting the premaster secret or the derived
master secret.

The browsers use tortured logic to arrive at "interception is a valid
use case". They hang it off of the W3C's Design Principles and
Priorities of Constituencies. The browser's argument goes as such: if
a user did not want to be intercepted, then the CA certificate used
for interception would not be present in the certificate store. Since
the proxy's interception certificate is present in the store, the user
wants to be intercepted. (You can't make this shit up).

A corollary to "interception is a valid use case" is, webapps can
never be sure they have a secure channel. Therefore, webapps can only
handle low value data. Higher value data should be handled by hybrid
and native apps.

> At first it was not clear to me that having TLS private key (copied from
> the server) is not enough for passive traffic decryption. Diffie-Hellman
> key exchange scheme allows to generate secret keys even over public
> channel...

Correct. You also need ClientHello.random and ServerHello.random since
the master secret is computed from
(https://datatracker.ietf.org/doc/html/rfc5246#section-8.1):

  master_secret = PRF(pre_master_secret, "master secret",
                      ClientHello.random + ServerHello.random)
                      [0..47];

Something some folks don't realize is, ClientHello.random and
ServerHello.random are also used for key transport schemes like RSA,
when the client encrypts the premaster secret and sends it to the
server. The ClientHello.random and ServerHello.random are present to
ensure both sides contribute to the master secret. Otherwise, only the
client would contribute to the master secret in a key transport
scheme.

> The main purpose of TLS certificates (public keys in the
> browser or system store) is to confirm that there is no attacker in
> between that blocks packets from the client and establishes its own
> connection to the server.

No, not quite. Interception is a valid use case under the browser's
security model.

You can achieve what you are getting at, but you need to use hybrid
and native apps that practice host public key pinning. You need hybrid
and native apps because they can usually obtain the host's public key.
But the browsers don't expose the host public key to the webapp. So
webapps have no way to perform pinning. You can't even get the public
key from a WebSocket.

> Encryption of email messages using a public
> key is a different case. Session keys are required to debug TLS
> applications.

Email transport security is an absolute mess due to opportunistic
encryption and smart hosts. About the best you can do is, encrypt and
sign the message, and send it over an insecure channel.

Jeff
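The derivation quoted from RFC 5246 above, as an added example that is not from the thread: the TLS 1.2 PRF written out in Python, the master_secret computed from it, and the NSS key log line (CLIENT_RANDOM ...) that a passive decoder such as Wireshark's (Pre)-Master-Secret log consumes. The pre_master_secret and Hello.random values are constructed, not taken from a real handshake.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_SHA256(secret, A(i-1))
    P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 based cipher suites:
    PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """RFC 5246 section 8.1:
    master_secret = PRF(pre_master_secret, "master secret",
                        ClientHello.random + ServerHello.random)[0..47]
    The seed carries both randoms, which is how the server still contributes
    under RSA key transport, where only the client picks pre_master_secret."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("each Hello.random is exactly 32 bytes")
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def keylog_line(client_random: bytes, ms: bytes) -> str:
    """One NSS key log format line. ClientHello.random is visible in the
    capture, so a passive decoder uses it to look up the master secret."""
    return f"CLIENT_RANDOM {client_random.hex()} {ms.hex()}"


def server_random_matters(pre_master_secret: bytes, client_random: bytes,
                          server_random_a: bytes, server_random_b: bytes) -> bool:
    """True when two different ServerHello.random values give different
    master secrets for the same pre_master_secret and ClientHello.random."""
    return (master_secret(pre_master_secret, client_random, server_random_a)
            != master_secret(pre_master_secret, client_random, server_random_b))


# Constructed demo values (not a real handshake): a 48-byte RSA-style
# pre_master_secret (version bytes 03 03 first) and two 32-byte randoms.
DEMO_PMS = bytes([0x03, 0x03]) + bytes(range(46))
DEMO_CLIENT_RANDOM = bytes(range(32))
DEMO_SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(DEMO_PMS, DEMO_CLIENT_RANDOM, DEMO_SERVER_RANDOM)
    print(len(ms), "byte master secret")
    print(keylog_line(DEMO_CLIENT_RANDOM, ms))
```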



Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-29 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 4:13 PM Lee  wrote:
>
> [...] Debian firefox does NOT allow one to do
> TLS intercept - ie. this does not work:
> C:\UTIL>cat firefox-tlsdecode.bat
> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> start C:\"Program Files\Firefox\Firefox.exe"
>
> @rem wireshark:
> @rem   edit / preferences
> @rem   protocols / tls  (v2.6: protocols / ssl)
> @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> filename (was SSL debug file entry)

I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.

Firefox uses its own certificate store. If you want to proxy your
traffic, then the proxy's root cert needs to be in Mozilla's
certificate store. See
.

Chrome is different. Chrome uses the Windows store by default, but
also has its own certificate store. For Chrome, your Windows admin can
make a change with a Group Policy, and Chrome will pick it up through
the Windows certificate store. Or you can manually install the proxy's
root cert. See 
.

Debian is not concerned about TLS interception in this case. But for
completeness, Debian has its own store at /etc/ssl/certs. You get the
certificates by installing the ca-certificates package. You can
install certificates into the store by dropping the root cert on the
filesystem at /usr/local/share/ca-certificates, and then running
update-ca-certificates. See
 and
.

When you are intercepting/inspecting traffic, you typically setup your
proxy, and then proxy Firefox and Chrome traffic through your proxy.
The proxy can run on your local machine, like 127.0.0.1. Your proxy's
root certificate should be in the browser's store (as described
above).

Jeff



Re: balenaEtcher

2024-06-28 Thread Jeffrey Walton
On Fri, Jun 28, 2024 at 5:16 PM Stefan Monnier  wrote:
>
> > I’ve been trying to boot a flash usb of 4Gb with
> > balenaEtcher-1.19.-21-x64.AppImage and Parrot-home-4.4_i386.iso and gives
> > me the Error:(0, h.requestMetadata) is not a function
>
> Who/what gives you this error?  When does it give you this error?
>
> Have you tried to ask your favorite search engine about
> "Error:(0, h.requestMetadata) is not a function"?

It looks like a question about Parrot OS.

Maybe it is more appropriate for .

Jeff



Re: About dash as sh

2024-06-23 Thread Jeffrey Walton
On Mon, Jun 24, 2024 at 2:16 AM Nicolas George  wrote:
>
> Stefan Monnier (12024-06-21):
> > And if it's not a tty, you get some kind of Undefined Behavior?
>
> Knowing that “undefined behavior” is just an expression invented by C
> standards authors to make “we make no guarantee about it, use it at your
> own risk” sound more scary, I do not think it is a severe problem.

Do shells suffer UB? I always thought that was a C thing.

When I encounter UB in C, I drop into inline assembler since asm does
not suffer C's undefined behavior.

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-22 Thread Jeffrey Walton
On Fri, Jun 21, 2024 at 12:18 AM David Wright  wrote:
> [...]
> Well, that's a mouthful. And what am I to call the time that a system
> issues using that system default time zone?

The kernel clock counts ticks. The ticks are relative to Epoch, which
is UTC. Ticks are what you see in the output of dmesg. So maybe call
it UTC, GMT or Zulu?

> If I boot up two computers
> and they display different times, what term is appropriate in your
> opinion to describe the time displayed?

The NTP folks call them timekeepers when they are correct, and
falsetickers when they are incorrect. But "them" are timeservers
participating in the NTP protocol. See
 and RFC 5905,
.

If the OS is not keeping accurate time, then I would call it a falseticker.

If you only boot two computers, then you cannot be sure which computer
is the falseticker. You need three or more time sources to determine
which is the falseticker. As the saying goes, a person with a watch
knows what time it is. A person with two watches is never sure.

Jeff
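Why two clocks cannot settle the question but three can, as an added example that is not from the thread: a simplified version of the interval intersection behind the clock selection algorithm in RFC 5905 (which descends from Marzullo's algorithm). Offsets and error bounds are constructed.

```python
from typing import List, Optional, Tuple

Sample = Tuple[float, float]   # (offset_seconds, max_error_seconds) per source


def intersection(samples: List[Sample]) -> Tuple[float, float, int]:
    """Each source claims the true offset lies in [offset - err, offset + err].
    Sweep the sorted endpoints and return (low, high, count) for the
    interval covered by the largest number of sources."""
    endpoints = []
    for off, err in samples:
        endpoints.append((off - err, -1))   # an interval opens
        endpoints.append((off + err, +1))   # an interval closes
    endpoints.sort()                        # ties: opens (-1) before closes (+1)
    count = best = 0
    low = high = 0.0
    closed = True
    for x, kind in endpoints:
        if kind == -1:
            count += 1
            if count > best:                # new record overlap starts here
                best, low, closed = count, x, False
        else:
            if count == best and not closed:  # first close ends the record run
                high, closed = x, True
            count -= 1
    return low, high, best


def falsetickers(samples: List[Sample]) -> Optional[List[int]]:
    """Indexes of sources whose interval misses the majority interval, or
    None when no strict majority agrees, so nobody can be named a
    falseticker (the person-with-two-watches case)."""
    low, high, best = intersection(samples)
    if 2 * best <= len(samples):
        return None
    return [i for i, (off, err) in enumerate(samples)
            if off - err > high or off + err < low]


if __name__ == "__main__":
    # constructed: two sources agree near +1.0 s, the third claims +4.1 s
    print(falsetickers([(1.0, 0.1), (1.1, 0.1), (4.1, 0.1)]))   # [2]
    # constructed: only two sources, disjoint, so no majority
    print(falsetickers([(1.0, 0.1), (4.1, 0.1)]))               # None
```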



Re: mounting external hard drive from rescue mode shell?

2024-06-22 Thread Jeffrey Walton
On Sat, Jun 22, 2024 at 10:48 AM Richard Owlett  wrote:
> [...]
> Thank you for reminding me of live images just now. Perfect timing.
> I have an i386 machine with some atypical constraints.
> https://www.debian.org/CD/live/ states only amd64 images are currently
> available.
>
> Questions:
>1. What is latest i386 live image available in some archive?
>2. I have a working machine that will take a current full install
>   of an i386 system. Can an average user create his own i386 live
>   install image?

According to :

We don't store/serve the full set of ISO images for all
architectures, to reduce the amount of space taken up on the mirrors.
You can use the jigdo tool to recreate the missing ISO images instead.

The link provided for the jigdo tool is
.

Jeff



Re: Modifying Desktop Icons

2024-06-20 Thread Jeffrey Walton
On Tue, Jun 18, 2024 at 12:23 AM Gareth Evans  wrote:
>
> On 17 Jun 2024, at 20:45, Pranjal Singh  wrote:
>
> I am trying to modify the Firefox desktop icon so that it opens
> an incognito window by default.
> ...
>
> - Exec=firefox %u
> + Exec=firefox -private-window %u
>
> Assuming that's not a typo, please try:
>
> --private-window
>
> (NB two hyphens at the beginning)
>
> This works for me on Mate.

According to Mozilla documentation at
, it is one
hyphen, not two.

Jeff



Re: suggestion of upgrade to 12

2024-06-20 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 10:08 AM Richard  wrote:
>
> The question with Linux isn't if there's a need to update to the latest 
> version (of the distro) like on Windows, but rather what's keeping you from 
> updating? If there's no urgent reason to stick to 11, update. 11 is now 
> oldstable and will become oldoldstable mid next year. Thus, it currently 
> gets fewer updates - no idea how the situation is with security updates 
> compared to stable. 10 reaches end of life in about a month or so. So that's 
> the timetable you'll need to keep in mind. Of course, right now there isn't 
> anything forcing you to update, you merely need to update within the next two 
> years to keep getting updates. But chances are very low with more 
> conservative distros like Debian that upgrading will have more drawbacks than 
> benefits. Of course it can always be a smart choice to wait for the first one 
> or two dot releases, as they will fix issues previously unnoticed or where 
> the fix wasn't ready on time. But that's all.

One additional data point to consider... there are folks who have
exploits written for vulnerabilities that the community does not know
about.

Generally speaking, the older the software, the more exploits are
available. Developers generally don't work on old versions of their
software. Instead, they fix some things, release a new version and
move on. The only chance to fix the vulnerability is move to a newer
version of the software by building it yourself or using the latest
distro release.

Folks who deal in vulnerabilities and exploits adore the old software
because nothing gets fixed, so their exploits continue to work on old
versions of software. As Greg Kroah-Hartman noted: [1]

We have a very bad history of keeping bugs alive for a long time.
Somebody did a check of it, most known bugs live for five years in
systems. These are things that people know and know how to exploit.
They’re not closed. That’s a problem in our infrastructure...

CVE tracking is not the answer because that assumes every exploitable
bug is tagged with a CVE. There are lots of bugs out there that are
not tracked with a CVE, yet are exploitable. See, for example, the
TTY1 layer bug discussed in [1]. It took over 3 years to figure out it
was exploitable and for the patches to be backported.

(I have first hand knowledge of how one firm operates. The firm sells
their exploits to Northrop Grumman Electronic Warfare Division.)

[1] 
https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/

Jeff

> Am Do., 20. Juni 2024 um 09:58 Uhr schrieb Jeff Peng :
>>
>> I am running a small mailserver with debian 11 for many years. It's
>> quite solid.
>> Though I have read this article:
>> https://www.cherryservers.com/blog/debian-12-bookworm-release
>> do you think there is any need for me to upgrade from 11 to 12?
>> just for the newer software like postfix, dovecot?
>>
>> Thanks.



Re: UEFI secure boot issue

2024-06-20 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V  wrote:
>
> I generated a pr/pk pair and the kernel is signed. Placed them in the
> kernel tree and compiled the kernel.

I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.

> Could someone tell me what am I doing wrong please ?
>
> Below is the status (I am using loader.efi from linuxfoundation)
> When i boot debian stock kernel signed, i see that the secure boot
> gets enabled (hence bios and everything else seems to be fine with the
> same UEFI loader).
> However, when I boot the compiled kernel I get
>
> $ dmesg | grep -i secure
> [0.007085] Secure boot could not be determined
>
>
> $ sbverify --list bootx64.efi
> warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> signature 1
> image signature issuers:
>  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
> Corporation UEFI CA 2011
> image signature certificates:
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
>issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
>issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> $ sbverify  --list ./loader.efi
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> $ sbverify  --list ../../linux/k.bcv
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv


Have a look at , and the use of
the Machine Owner Key (MOK).

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-19 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 12:52 AM  wrote:
>
> On Wed, Jun 19, 2024 at 01:01:44PM -0400, Jeffrey Walton wrote:
> > On Wed, Jun 19, 2024 at 7:09 AM Greg Wooledge  wrote:
>
> [...]
>
> > > I strongly disagree.  The system clock is kept on "epoch time", which
> > > is the number of seconds since midnight, January 1, 1970 UTC.
> > >
> > > The system clock doesn't have a time zone of its own.  It just gets
> > > converted to a time and date within any given time zone on demand.
> >
> > ++.
> >
> > The sharp edge is how the RTC clock is set - UTC or localtime. Also
> > see <https://wiki.debian.org/DateTime>.
>
> Please don't mix those three things, that makes them just more confusing.
>
> The original topic was the system's time zone. This hasn't anything
> to do with the RTC clock, and only peripherally with "the system's
> time zone" (of which some, me included, say "there's no such thing",
> and others disagree :)
>
> You have
>
>  - the RTC clock. This is *only* looked at at boot time, to init
>the system clock (and when you, as an admin, do "hwclock").
>During those operations, it's important to know which timezone
>the RTC is in, since this one /is/ in "human format". It was
>intended to be read and set by humans, like your kitchen clock,
>back then.
>
>  - the system clock: it boringly counts seconds. Since Epoch.
>Since it hasn't hours or minutes, let alone weeks or months,
>time zones don't even make sense to it. Sometimes it does
>a leap second, but experts are torn on whether this was a
>good idea at all. Have a look at [1] for an entrance to yet
>another deep time rabbit hole.
>
>  - timezones and stuff: those happen whenever you want to convert
>the system clock to hours, minutes, days, and other human
>related stuff and back.
>
> (if you have good net connectivity, reading the RTC at boot can
> be shunned completely, you don't need it anymore).

Don't forget boottime and the delta between boottime and the monotonic
clock. You'll need them to explain this:

$ TZ=America/New_York dmesg -T | head -1
[Wed Jun 19 01:50:14 2024] Linux version 6.9.4-200.fc40.x86_64 (mockbuild@d372fa1a67e347178b7bd422ead09b96) (gcc (GCC) 14.1.1 20240607 (Red Hat 14.1.1-5), GNU ld version 2.41-37.fc40) #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024

$ TZ=America/California dmesg -T | head -1
[Wed Jun 19 05:50:14 2024] Linux version 6.9.4-200.fc40.x86_64 (mockbuild@d372fa1a67e347178b7bd422ead09b96) (gcc (GCC) 14.1.1 20240607 (Red Hat 14.1.1-5), GNU ld version 2.41-37.fc40) #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024

> Please, keep those three at a safe distance

I'm not sure how you can disgorge them given they contribute to a
human readable time.

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-19 Thread Jeffrey Walton
On Wed, Jun 19, 2024 at 7:09 AM Greg Wooledge  wrote:
>
> On Tue, Jun 18, 2024 at 23:09:04 -0500, David Wright wrote:
> > On Tue 18 Jun 2024 at 07:07:36 (-0400), Greg Wooledge wrote:
> > > On Mon, Jun 17, 2024 at 23:54:03 -0500, David Wright wrote:
> > > > What should I call the timezone of my computer when it's booted up and
> > > > no users are logged in?
> > >
> > > Daemons will almost always use the system's default time zone (the one
> > > specified by /etc/localtime or /etc/timezone).
> > >
> > > It's *theoretically* possible for some daemons to be configured to use
> > > a different time zone, or to be hard-coded to use UTC.  I've never seen
> > > this, but it could be done.
> >
> > In view of that, I think it's reasonable to drop the "default",
> > and go with "system time zone", ie the time zone that the system
> > clock is set to.
>
> I strongly disagree.  The system clock is kept on "epoch time", which
> is the number of seconds since midnight, January 1, 1970 UTC.
>
> The system clock doesn't have a time zone of its own.  It just gets
> converted to a time and date within any given time zone on demand.

++.

The sharp edge is how the RTC clock is set - UTC or localtime. Also
see .

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-18 Thread Jeffrey Walton
On Tue, Jun 18, 2024 at 4:05 AM  wrote:
> On Mon, Jun 17, 2024 at 11:54:03PM -0500, David Wright wrote:
> > [...]
> >   $ date; timedatectl status
> >   Mon Jun 17 23:51:43 CDT 2024
> >                  Local time: Tue 2024-06-18 04:51:43 UTC
> >              Universal time: Tue 2024-06-18 04:51:43 UTC
> >                    RTC time: Tue 2024-06-18 04:51:43
> >                   Time zone: Etc/UTC (UTC, +)
> >   System clock synchronized: yes
> >                 NTP service: active
> >             RTC in local TZ: no
> >   $
> >
> > I notice that   man timedatectl   says:
> >
> >set-timezone [TIMEZONE]
> >Set the system time zone to the specified value.
> >Available timezones can be listed with list-timezones.
> >If the RTC is configured to be in the local time, this
> >will also update the RTC time. This call will alter
> >the /etc/localtime symlink. See localtime(5) for more
> >information.
>
> I cringe a bit when I see that.

Yeah.. on Linux, it is recommended to keep the RTC clock in UTC.
Unless Windows has contaminated the machine. See
.

Jeff



Re: Upgrading Buster LTS (10) to Bookworm (current stable) concerns

2024-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2024 at 3:38 AM Nick Sal  wrote:
>
> I plan to upgrade a server running Buster to Bookworm.
> Server is running: {web,mail} servers, mysql and postgres, docker, ssh, 
> ldap, ferm (firewall), and few other non-critical services.
>
> I'd like to appeal to your experience for a couple concerns:
>
> 1) Should I upgrade in two steps from Buster to Bullseye (oldstable), and 
> then to Bookworm? Or should I go directly from Buster to Bookworm in one step?
> The upgrade will be done by changing sources.list

If I recall correctly, simply changing sources.list is not
recommended. That's because there are post-upgrade scripts that should
be run to finalize a configuration on occasion.

You should follow
,

and friends.

> 2) To the best of your knowledge, do docker images break between such 
> upgrades? Unfortunately, I don't have many details on docker because it was 
> set-up by a previous admin.
>
> If any big break/incompatibility comes to mind for the above services, please 
> don't hesitate to share your story :)

Jeff



Re: Bluetooth/SSH issue

2024-06-16 Thread Jeffrey Walton
On Sun, Jun 16, 2024 at 10:33 PM George at Clug  wrote:
>
> Ryan,
>
> On Monday, 17-06-2024 at 09:18 Ryan Nowakowski wrote:
> > On Sun, Jun 16, 2024 at 02:30:32PM -0600, Charles Curley wrote:
> > > On one of my machines, I have some interesting interference. Bluetooth
> > > works just fine, and so does networking. Bluetooth is normally disabled.
> > > However, when I have Bluetooth turned on (and after I turn it off), SSH
> > > is *slow*.
> > > Is there some sort of cross-talk issue?
> >
> > Sometimes Bluetooth and Wi-Fi share the same radio.  Are you running ssh 
> > over Wi-Fi?  Try running ssh over Ethernet while using Bluetooth.  Is ssh 
> > still slow?
>
> What do you mean by "Bluetooth and Wi-Fi share the same radio" ?
>
> In the early days of Windows 8 Tablet and laptop devices, I noticed that the 
> bluetooth mouse would move jerkily while a large download was happening over 
> Wi-Fi. Many people had this issue, and it was so annoying it led me to tell 
> people not to use bluetooth mice.
>
> Your comment might explain why this problem existed, though I am still not 
> sure what "share the same radio" actually means?

Both Wifi and Bluetooth use the globally unlicensed Industrial,
Scientific and Medical (ISM) 2.4 GHz short-range radio frequency band.

You can buy combo chips for the application. See, for example,
Qualcomm's QCA9377,
.

Jeff



Re: Package libllvm12:i386 does not exists on Debian ?

2024-06-16 Thread Jeffrey Walton
On Sun, Jun 16, 2024 at 12:48 PM Mario Marietto  wrote:
>
> Hello to everyone.
>
> I'm trying to compile wine-tkg from this repo :
>
> https://github.com/Frogging-Family/wine-tkg-git
>
> This is what I did, according to the short tutorial :
>
> root@debian-now:/home/marietto/Scaricati/wine-tkg-git/wine-tkg-git# 
> ./non-makepkg-build.sh
>
> => Installing package: libllvm12:i386 | Using apt
> E: Can't find package libllvm12:i386
> ==> WARNING: Failed to install package: libllvm12:i386
> => Installing apt-smart | Using pip
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
>
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> => Installing apt-smart | Using pip| Attempt: 2/3
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
>
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> => Installing apt-smart | Using pip| Attempt: 3/3
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
>
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> ===> ERROR: Failed to update mirror after 3 attempts.
> => Installing package: libllvm12:i386 | Using apt| Attempt: 2/3
> E: Can't find package libllvm12:i386
> ==> WARNING: Failed to install package: libllvm12:i386
> => Installing apt-smart | Using pip
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 

Re: can't connect to server from outside LAN

2024-06-13 Thread Jeffrey Walton
On Wed, Jun 12, 2024 at 10:33 PM Greg Marks  wrote:
>
> I'm running a Debian server from my home with a static IP address,
> with ssh configured to use key-based authentication rather than
> password-based.  As of a couple weeks ago, I have been unable to ssh to
> my server from external locations.  When I ssh from a laptop connected
> to the wireless network on the same router as my home server, I do
> successfully connect to the server.  But when I ssh from an external
> location, I get this error:
>
>[...]
> The problem began a couple weeks ago; previously (and for many years)
> I had been able to ssh to my server without issue.  The first time it
> failed, I was using free wireless at an airport; I was able to ssh to my
> server from the hotel that morning, and maybe, the first time I tried,
> from the airport, but then subsequent ssh attempts from the airport
> failed to connect.  I mention this only because nothing had changed in
> my server's configuration when this problem began.
>
> This is a real problem for me, as a lot of my work involves sending
> files via scp between work and home.  Any suggestions about how to
> troubleshoot and hopefully fix the problem will be greatly appreciated.

In the past, I experienced similar breakages. In my case, my ISP
(Verizon) provided router updates that blew away my router config. So
I lost port forwarding to my internal servers.

I personally don't make port 22 available at the router. Instead, I
use port 1522 (first server), port 1523 (second server), etc. Then
port 1522 is forwarded to the first server on port 22, port 1523 is
forwarded to the second server on port 22, etc.

Jeff



Re: Please help me identify package so I can report an important bug

2024-06-12 Thread Jeffrey Walton
On Wed, Jun 12, 2024 at 10:33 AM Richard  wrote:
>
> Question is, does it make that much sense to report it to Debian directly? 
> Are you encountering this issue on Debian itself or 
> Armbian/Raspbian/whatever? You reported this to the Raspberry Pi GitHub, so 
> I'd expect them to take this up with the upstream devs themselves, so by the 
> time Trixie is being released, it may already be included.
>
> But besides that, what you describe in the first link sounds to me not like a 
> bug, but as a well thought-through decision. Network adapter names like eth0 
> have been dropped with Debian 11 (I think, maybe even 10). So don't get your 
> hopes up too high to ever see this coming back. But also, just searching the 
> web for this topic, you should have come across this answering your 
> questions: https://wiki.debian.org/NetworkInterfaceNames

The random MAC address discussed in the bug report (with mention of
Network Manager) could be
.

Jeff



Re: [SOLVED] Re: Debian bookworm fails to install

2024-06-07 Thread Jeffrey Walton
On Fri, Jun 7, 2024 at 1:48 PM Hans  wrote:
>
> Got it! Found the reason and a fix for it.
>
> Just not easy to find. It is a dependency problem!
>
> What happened?
>
> Well, in ~config/mylist.list.chroot I added the package "bootcd", which should 
> exist in my live-system. During build this made no problems and all 
> dependencies are ok. But - during install it appears, that there is a 
> dependency conflict with the installer as bootcd needs grub-efi-amd64-bin.
>
> However, when bootcd wants to install, this package will be installed, too as 
> it is dependent. So far, so well.
>
> BUT - grub-efi-amd64-bin conflicts with grub-efi-amd64-bin-signed
>
> and forces it to deinstall,
>
> which, you guess it, the debian-installer needs.
>
> And so the grub-installer crashes!
>
> Now the question, who should be asked for help? Maintainers of bootcd? 
> Maintainers of debian-installer? Or Maintainers of packages?
>
> I do not know, and as long as I do not know, I can not file a bugreport as 
> none of them (and this is fully correct and understandable) is responsible 
> from his sight on.
>
> However, the problem can easily be reproduced.

Forgive my ignorance... How does this translate into an intermittent
problem? It seems like you would never encounter it, or always
encounter it. What makes the problem come and go?

Jeff



Re: Debian bookworm fails to install

2024-06-07 Thread Jeffrey Walton
On Fri, Jun 7, 2024 at 3:08 PM Hans  wrote:
>
> Hi folks,
>
> I am running into an issue, I can not explain.
>
> Let me please shortly describe:
>
> For my own purposes I am building a live-debian ISO with installer. As I am
> finetuning some things (not related to the system itself), I am building
> several ISOs a day.
>
> The live-build is set to bookworm (not bullseye, as lb config does).
>
> However, everything is going fine, the live-system is booting well.
>
> But: When I want to install it, the installer always breaks, when it wants to
> install grub. (grub-installer fails).
>
> As I am doing always a fresh install with completely formatting the harddrive,
> it can not be explained, why this happens.
>
> And more strange: When I build one version, it is working well. Changing
> nothing, and building again, suddenly the installer crashes at grub
> installation and then it will never work again.
>
> To declare: I can build several times, and every installation is working well,
> and suddenly without any reason, it breaks. Doing then using one version
> before (the last one, which worked well), it is still working, but the next
> build is crashing.
>
> Ok, I think you understood, what I meant. Well, one reason I could imagine,
> that the debian mirror, I add during installation process is changing. I am
> using "deb.debian.org", but when using another mirror in my near, I am running
> into the same issue.
>
> I also tried to install grub manually in the console during installation
> process, using "grub-installer /target", but this did neither work nor show
> much useful information.
>
> Any idea, why this is happening? I saw similar messages in some forums, but
> they are all related to Debian 10, which is rather old (and I suppose, these
> bugs are fixed).

You might have a look at grub2 bugs in Bookworm, and see if any look
like they apply to you:
.

Jeff



Re: No login with Debian 12 ssh client, ssh-rsa key, Debian 8 sshd

2024-05-31 Thread Jeffrey Walton
On Fri, May 31, 2024 at 7:08 PM Thomas Schmitt  wrote:
>
> i still have network access to a Debian 8 system, to which i logged in
> from Debian 11 via ssh and a ssh-rsa key. After the upgrade to Debian 12
> ssh fails with this public key authentication.
> The probably relevant messages from a run of ssh -vvv are:
>
>   debug1: Offering public key: /home/.../.ssh/id_rsa RSA SHA256:...
>   debug1: send_pubkey_test: no mutual signature algorithm
>
> To my luck, the old sshd already supports ssh-ed25519 and i was able to
> add the content of the Debian 12 id_ed25519.pub to the Debian 8 file
> .ssh/authorized_keys2 . Now ssh to the Debian 8 machine works again.
>
> But i find this error message "no mutual signature algorithm" strange.
> The Debian 12 ssh client is obviously willing to try ssh-rsa.
> The Debian 8 sshd accepted that key from Debian 11. Why not from 12 ?
>
> In
>   https://www.openssh.com/releasenotes.html
> i find for 9.2 or older only a RequiredRSASize directive of which
> man sshd_config says the default is 1024.
> The ssh-rsa key was generated by Debian 10. man ssh-keygen of buster
> says the default of option -b with RSA was 2048.
> (Does anybody know how to analyze a key file in regard to such
> parameters ?)

If I am not mistaken, the problem you are experiencing is due to using
RSA/SHA-1 on the old machine. The RSA modulus is large enough, but the
hash is weak. That change happened at OpenSSH 8.9.

`ssh -vvv` should show the ciphers offered by the server and client.
It should look something like:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha...@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-...@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-...@openssh.com,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,rsa-sha2-512,rsa-sha2-256

Jeff

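A way to read the `ssh -vvv` transcript for this failure, as an added example that is not part of Jeff's post: it looks for the server-sig-algs list carried in the server's ext-info message (the host key algorithms line above concerns the server's own host key, not the signature algorithms accepted for the client's key), and goes slightly beyond the thread by also handling a server that sends no ext-info at all. The sample transcripts, key paths and fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a saved "ssh -vvv"
# transcript by the signature algorithms the server advertises for client
# keys. The ext-info "server-sig-algs" list, not the "host key algorithms"
# line, decides whether an RSA key may sign with SHA-2. A server too old to
# send ext-info leaves the client with ssh-rsa (RSA/SHA-1), which recent
# OpenSSH clients refuse by default, hence "no mutual signature algorithm".
#
# Capture a transcript with:   ssh -vvv user@host 2>ssh.log </dev/null
# Classify it with:            rsa_sig_status <ssh.log
# Manual checks for the other questions raised in the thread:
#   ssh-keygen -l -f ~/.ssh/id_rsa.pub   # prints the key's bit length
#   ssh -Q sig                           # signature algorithms this client offers

rsa_sig_status() {
    # The debug prefix before "server-sig-algs=" varies between OpenSSH
    # versions, so match only the list itself (with or without < >).
    algs=$(sed -n 's/.*server-sig-algs=<\{0,1\}\([^>]*\)>\{0,1\}.*/\1/p' | head -n 1)
    if [ -z "$algs" ]; then
        echo no-ext-info    # pre-RFC 8332 sshd: client falls back to ssh-rsa
    elif printf '%s\n' "$algs" | tr ',' '\n' | grep -qxE 'rsa-sha2-(256|512)'; then
        echo rsa-sha2       # RSA keys can sign with SHA-2; RSA auth will work
    elif printf '%s\n' "$algs" | tr ',' '\n' | grep -qx 'ssh-rsa'; then
        echo sha1-only      # server offers RSA only with SHA-1
    else
        echo no-rsa         # server accepts no RSA signatures at all
    fi
}

# Constructed sample transcripts (abridged; not captured from any real host).
SAMPLE_MODERN='debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:AAAA
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:AAAA'

SAMPLE_LEGACY='debug1: SSH2_MSG_KEXINIT received
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:AAAA
debug1: send_pubkey_test: no mutual signature algorithm'

SAMPLE_SHA1='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:AAAA'

# Feed one of the in-memory samples through the classifier.
classify_sample() {
    printf '%s\n' "$1" | rsa_sig_status
}

if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_MODERN" "$SAMPLE_LEGACY" "$SAMPLE_SHA1"; do
        classify_sample "$s"
    done
fi
```

Run it with `--demo` to see the three sample verdicts; a "no-ext-info" result on a real transcript is the signature of the Debian 8 case in this thread, where moving to an ed25519 key is the sensible fix.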


Re: What DE to replace GNOME with?

2024-05-31 Thread Jeffrey Walton
On Fri, May 31, 2024 at 10:03 AM DdB  wrote:
>
> while being on old-old-stable still (buster) and preparing for an
> upgrade to bookworm, i noticed, that GNOME once again lost compatibility
> to my preferred extensions, giving me a hard choice to either go on with
> my outdated system as long as possible, or find a replacement and change
> my ways of working.
>
> What i did like with GNOME was the ease of use for a handicapped person
> (like me). But i disliked the overwhelming intrusion into the os, that
> suppresses many choices and freedom.
>
> But as i am still feeling like a noob, i would like to collect some
> suggestions and comments from you guys:
> Eventually there is an alternative to the so called
> "quick-toggler-extension", that i used/exploited to generate a kind of
> personal menu, easily configured in one go with a json config file, an
> alternative on another desktop?
>
> And the other miss is the "Windows-corner-preview-extension", that is no
> longer maintained or functional, that i was using all over the place for
> many different use cases and purposes. That one also suffers from
> changes inside GNOME, that basically kill volunteers work (repeatedly!)
>
> Now is the time to plan ahead for years to come and i don't know, what i
> should do.

It looks like you have at least ten choices of desktop environments:
. I don't know if your
extensions are compatible with any of them.

MATE provides an experience similar to GNOME 2.

Jeff



Re: Anybody Skype users here?

2024-05-30 Thread Jeffrey Walton
On Thu, May 30, 2024 at 10:53 PM George at Clug  wrote:
>
>  [...]
>
> I am guessing you have tried 'Skype for Web' ?  How did you find it? If it 
> does not suit your purposes, I would like to know why, as 'Skype for Web' 
> might be a solution for myself if it works enough.
>
> https://support.microsoft.com/en-us/skype/skype-for-web-preview-your-most-asked-questions-9c4836e4-5cdb-4261-ae46-d919b974af8a
> Skype for Web (Preview) - your most asked questions
>
> I want to try the Skype for Web (Preview) experience. How do I do that?
> Please go to https://preview.web.skype.com and sign into Skype.

Skype for Web looks like it could be a good alternative for OP. It has
been around since 2019. Cf.,
.

Both the Linux app from the *.deb and the browser-based app (and other
package formats, like MSI) likely use the web security model, so you
are f**k'd with either one. There's probably no benefit to using one
over the other. Neither can provide a secure channel, and both will
happily allow interception of your calls.

Skype also points people to their community for questions:
. Maybe someone in the community
can answer the OP's questions, like what it's like to use the snap
version of the app.

Jeff



Re: "Repeaters", etc. - FRITZ!Box 7490

2024-05-29 Thread Jeffrey Walton
On Tue, May 28, 2024 at 10:43 AM Paul M Foster  wrote:
>
> On Tue, May 28, 2024 at 04:43:38AM -0400, Michael Grant wrote:
>[...]
> > To be clear, the wifi is the part that is at your property.  There are
> > some providers termed WISPs (wireless internet service providers) that
> > use wifi (not 4G/5G) to connect you to the internet.  Just being clear
> > here that even if they do this, we're not talking about extending that
> > wifi signal.  That signal (whether it's really wifi or 4G or 5G or
> > even adsl or fibre or cable), it gets terminated at or just before
> > your router in your house.  So I'm not talking about that side of your
> > connection at all.
>
> I've heard of 5G internet providers, but I'd rather avoid them. There's
> only one of those in the area we're moving to.

You also have Starlink if you are too rural to get traditional
broadband service. Starlink sends you the satellite dish and the wifi
router. Also see .

Amazon is getting ready to launch satellites for Project Kuiper, which
will compete with Starlink.

> > So if I understand properly, you have some devices around your home
> > that don't have built-in wifi and you are not going to string ethernet
> > to them.
>
> To the contrary, I *do* plan to string cat 5/6 to those devices, just not
> all the way to the modem/router, which will likely be in the garage.

This is probably a mistake. You want "home runs" back to the router or
modem. Since you only need two wireless base stations, take the time
to pull the drops for ethernet backhauls. Or hire someone to do it.
(Your on-prem cable service is most likely already pulled this way.)

If you use wireless backhauls, then that robs you of bandwidth for
device data since it is being used for the backhaul.

And one other comment based on my experience... don't use the service
provider's wifi modem. Disable the wifi in the service provider's modem
or router, and use two base stations that you purchase. The base
stations that you purchase will perform much better, and give you
better coverage on your site.

Jeff



Re: "Repeaters", etc. - FRITZ!Box 7490

2024-05-27 Thread Jeffrey Walton
On Tue, May 28, 2024 at 2:18 AM Paul M Foster  wrote:
>
> On Tue, May 28, 2024 at 12:43:14PM +1000, George at Clug wrote:
> [...]
> > If you had the money, I would get a cable installer to do a proper job of
> > running cables. I used to be an Electrician, hence I am familiar with
> > running wires, so in my own home I ran Ethernet cable where ever needed
> > (and we have a cavity ceiling). I am guessing this option is not possible
> > for your situation.
>
> Coincidentally, I used to be an electrician too, but we almost never ran
> low voltage except for doorbells.
>
> The house in question appears to have a generous attic, but they've blown
> in two feet of insulation I'd rather not disturb. And that much insulation
> makes the headers of walls very hard to find. Also, I'm not in my 20s
> anymore, and crawling around in attics is difficult.
>
> In the house I'm living in now, I did go into the attic years ago with cat
> 5e and wired up the living room.
>
> FWIW, in the house we're buying, I need internet (wired) in the living
> room, bedroom 2 and bedroom 4. Also, it's concrete block construction
> (outer walls).

You can also run cat5 or cat6 (or rg-6) behind baseboards:
.

Jeff



Re: "Repeaters", etc.

2024-05-27 Thread Jeffrey Walton
On Mon, May 27, 2024 at 8:13 PM Paul M Foster  wrote:
>
> At some point this year, I'm moving into a new house, and it is not wired
> for internet (WHY aren't new houses wired with Cat5/6/7?).

Your contract did not specify the house to be wired. You should have
called it out, if you wanted it.

> The local
> internet provider will likely provide a wireless router, as they all do. My
> idea is to put a device which receives wireless signal from the
> router/modem, and has an RJ45 jack in it in each room. So each room would
> have one of these, and the devices in it would be hooked to that device via
> cat 5e. I hope that's clear.
>
> I'd like to shop for such a device, but I don't know what it's called. Can
> anyone provide advice, and possibly preferred brand names? I'd appreciate

If you want to use ethernet, then you want a switch. Each room gets
wired for ethernet, and each room needs an ethernet cable. All cables
are backhauled to the switch, and the switch is plugged into the
telecom modem or router.

If you want to use wifi, then get a couple of 802.11 AC (or above)
routers. 802.11 AC provides "wifi roaming." Backhaul the wifi base
stations using ethernet to the telecom provider's modem. In this case,
you only need two ethernet cables - one for each backhaul.

802.11 AC was the first to provide wifi roaming. 802.11 AC was branded
Wifi 5. You can also use 802.11 AX, which is Wifi 6. Most (all?) of
your devices should support 802.11 AC/Wifi 5. You should check if they
support 802.11 AX, so you can learn if you can provide the 802.11
AX/Wifi 6 network.

Now, to go from the telecom company's modem or router to the telecom
company's network takes an interface device. Nowadays, that is an ONT
or Optical Network Terminal. The telecom gives (sells?) you the ONT,
too.

The ONT is the equivalent to the old twisted pair NID or Network
Interface Device. Everything inside up to the ONT or the NID is CPE or
Customer Premise Equipment. The subscriber is responsible for the CPE.
The ONT and NID outward is the responsibility of the telecom provider.

The ONT is the bridge from the house's network to the telecom's
network. The ONT can often provide both Ethernet and RG-6 cable to the
modem or router.

Jeff



Re: Address 127.0.1.1

2024-05-24 Thread Jeffrey Walton
On Fri, May 24, 2024 at 1:46 PM Greg Wooledge  wrote:
>
> On Fri, May 24, 2024 at 01:40:38PM -0400, Jeffrey Walton wrote:
> > On Fri, May 24, 2024 at 11:13 AM Paul M Foster  
> > wrote:
> > > 192.168.254.30  yosemite.mars.lan   yosemite
>
> > 127.0.1.1 is traditionally used for the fully qualified domain name
> > (fqdn). So I would expect to see 'yosemite.mars.lan', but not
> > 'yosemite'.
>
> I don't know why you would expect that.  What purpose would that serve?

Sorry I was not clear. I would expect that because 127.0.1.1 is
traditionally used for a fully qualified domain name, not a hostname.

> The goal here is for programs to be able to look up "the IP address"
> that belongs to $HOSTNAME.
>
> If the hostname is "yosemite", then "yosemite" must appear in the
> /etc/hosts file as an alias for whatever made-up FQDN is being used.
>
> This is what Paul has.  What Paul has looks quite reasonable to me.
> If 192.168.254.30 is in fact bound to an ethernet interface by a
> static configuration (e.g. /etc/network/interfaces) then I would also
> say it looks correct.
>
> > Also, fqdn's end in dot '.' to denote the top of the dns tree.
>
> Not in the /etc/hosts file, they don't.  You may be thinking of BIND
> configuration files.
>
> I've never IN MY LIFE seen trailing dots on hostnames in /etc/hosts.

Jeff



Re: Address 127.0.1.1

2024-05-24 Thread Jeffrey Walton
On Fri, May 24, 2024 at 11:13 AM Paul M Foster  wrote:
>
> Folks:
>
> In my /etc/hosts file, there's a line:
>
> 127.0.1.1 yosemite.mars.lan yosemite
>
> I think Debian put it there.
>
> Later in the file, I've got:
>
> 192.168.254.30  yosemite.mars.lan   yosemite
>
> So there are two entries for the same (my) machine. Is this a problem?
> Specifically, could it cause problems with email (Exim4 or OpenSMTPD)?

127.0.1.1 is traditionally used for the fully qualified domain name
(fqdn). So I would expect to see 'yosemite.mars.lan', but not
'yosemite'.

Also, fqdn's end in dot '.' to denote the top of the dns tree. So I
would expect to see 'yosemite.mars.lan.' (note the trailing dot), and
not 'yosemite.mars.lan' (note the lack of the trailing dot). What can
happen with 'yosemite.mars.lan' is, search domains can be added to it.
So if dhcp says 'isp.com' is a search domain, then your network stack
might make requests for 'yosemite.mars.lan.isp.com'.

Jeff



Re: OpenSMTPD can't parse smarthost

2024-05-23 Thread Jeffrey Walton
On Thu, May 23, 2024 at 2:54 PM  wrote:
>
> On Thu, May 23, 2024 at 01:50:21PM -0400, Jeffrey Walton wrote:
> > On Thu, May 23, 2024 at 12:08 PM Paul M Foster  
> > wrote:
> > >
> > > On Thu, May 23, 2024 at 12:54:31AM -0400, Jeffrey Walton wrote:
> > >[...]
> > > > Also, I think you should be using *.home.arpa, and not *.lan.
> > > > home.arpa is reserved for private use by ICANN and the IETF. I suspect
> > > > *.lan is not reserved for private use.
> > >
> > > On a LAN, you can use anything you like. I've used .mars.lan for decades
> > > with no difficulty.
> >
> > Citation, please.
>
> No need. It just works. Of course, if you have domain names
> in your LAN which also is "out there", you won't "see" both.

Perhaps that's why you _can't_ use anything you like; and that's why
you should use domains reserved for private use.

Related reading is Brand TLDs (a/k/a Vanity Domains) at
<https://icannwiki.org/Brand_TLD>.

> If your LAN is isolated, you can basically do whatever you
> want.

And then act surprised when networking breaks :)

> And then there are "special" TLDs (.local, I'm looking at
> you) where you'll get lots of fun effects should you decide
> to use them (zeroconf, I'm looking at you :-)

I _think_ .local is reserved for mDNS. See
<https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml>.

It looks like .internal and possibly .private are coming soon. See
<https://www.icann.org/en/public-comment/proceeding/proposed-top-level-domain-string-for-private-use-24-01-2024>
and <https://www.theregister.com/2024/01/29/icann_internal_tld/>.

Jeff



Re: OpenSMTPD can't parse smarthost

2024-05-23 Thread Jeffrey Walton
On Thu, May 23, 2024 at 12:08 PM Paul M Foster  wrote:
>
> On Thu, May 23, 2024 at 12:54:31AM -0400, Jeffrey Walton wrote:
>[...]
> > Also, I think you should be using *.home.arpa, and not *.lan.
> > home.arpa is reserved for private use by ICANN and the IETF. I suspect
> > *.lan is not reserved for private use.
>
> On a LAN, you can use anything you like. I've used .mars.lan for decades
> with no difficulty.

Citation, please.

Jeff


