Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Chris Lamb wrote:
> Jamie Strandboge wrote:
>
> > Again, I'm biased, but ufw supports IPv6. It's also been on the default server
> > and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> > hosts, less so for routers (though it has some facility there).
>
> It also has a first-class Ansible module which (given a flood of
> firewall options around when I needed to pick something in haste
> around the time of the stretch release…) was actually the deciding
> factor for me:
>
> https://docs.ansible.com/ansible/latest/modules/ufw_module.html

Oh, nice! I should probably collect the various projects that integrate with ufw and list them somewhere... (I've added that to my todo). Related, I have some improvements for fail2ban I've been meaning to upstream as well that make it work a lot better, esp wrt IPv6.

On that note and to anyone participating in this thread or just coming across it some time in the future, if there are things that would make ufw better in Debian (particularly wrt bastion use cases), I'm happy to make improvements regardless of if it is a candidate as the default or not (please file bugs :).

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: xTuple Postbooks license change
On Thu, Jul 18, 2019 at 1:12 AM Seth McClain wrote:
> xTuple recently took most of their git repos off of github and is
> changing the license to much of the code moving forward.
>
> https://xtuple.com/blog/ned/free-software
>
> Debian currently offers builds of Postbooks.
>
> https://salsa.debian.org/xtuple-maintainers-team

I'd encourage you to file a bug against the postbooks package to discuss this with the Debian xTuple maintainers team.

> It would be a shame for the FOSS community to lose this CPAL licensed
> software.
>
> Which directions might the Debian community take regarding Postbooks?

When Redis changed the license of some modules recently, the Debian and Fedora package maintainers forked the affected modules from the commits prior to the license changes under a new organisation called GoodFORM. Since Postbooks is distributed in Debian (and derivatives) as well as Fedora/EPEL, the same process could be done for Postbooks.

https://goodformcode.com/
https://repology.org/project/postbooks/packages

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: default firewall utility changes for Debian 11 bullseye
Jamie Strandboge wrote:

> Again, I'm biased, but ufw supports IPv6. It's also been on the default server
> and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> hosts, less so for routers (though it has some facility there).

It also has a first-class Ansible module which (given a flood of firewall options around when I needed to pick something in haste around the time of the stretch release…) was actually the deciding factor for me:

https://docs.ansible.com/ansible/latest/modules/ufw_module.html

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Jamie Strandboge wrote:
> On Tue, 16 Jul 2019, Raphael Hertzog wrote:
> > > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > > desktop related tasksel tasks.
> >
> > No objection. I think it's high time we have some default firewall
> > installed in particular with IPv6 getting more widely deployed...
> >
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> Again, I'm biased, but ufw supports IPv6. It's also been on the default server
> and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> hosts, less so for routers (though it has some facility there). Perhaps the
> perceived 'lack of momentum' has to do with a lack of feature development, but
> for the primary bastion host case, I haven't deemed this necessary.

Oh, I forgot to mention. I've never actually considered ufw as a "desktop" firewall. I've considered it a decent "bastion" firewall with a CLI experience (desktop or server). The ufw project lacks a GUI frontend which may be desirable for a "desktop" firewall (see my previous comment re firewalld and network-manager; there are various GUIs written for ufw, but not associated with the project).

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Chris Lamb wrote:
> Raphael Hertzog wrote:
>
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> It is curious you mention a lack of momentum; in my experience, it is
> the most commonly recommended firewall on various support-adjacent
> sites around the internet. (Perhaps due to its Ubuntu/Canonical
> associations and authorship.)

FYI, I'm not aware of any distributions other than Ubuntu where it is in the default install, but based on bug reports, I know it is in quite a few distributions. I've always been pleasantly surprised at how much it is used, and written about. :)

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Ben Hutchings wrote:
> On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote:
> [...]
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> Also, while its syntax is obviously intended to be simple, it's quite
> irregular and the syntax error messages aren't very helpful.

FYI, the simple syntax is meant to be, well, simple and the extended syntax is supposed to resemble OpenBSD's PF. That may not be everyone's cup of tea of course... :)

As for syntax error messages, please file bugs in the BTS or upstream. I'd be happy to take a look.

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Wed, 17 Jul 2019, Stephan Seitz wrote:
> On Tue, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
> > On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> > > as you may know, Debian 10 buster includes the iptables-nft utility by
> > > default, which is an iptables flavor that uses the nf_tables kernel
> > > subsystem. Is intended to help people migrate from iptables to nftables.
> > Yeah, this was a great way to migrate, thanks!
>
> What is the problem with using iptables-nft compared to the new nft syntax?
> According to the documentation nft seems quite more complex.
> What would be the replacement for a simple single line like
> iptables -I INPUT -j DROP -s -p tcp --dport 587 ?
>
> What about other packages like fail2ban? Does it „hurt” if different
> programs are using iptables-nft or nft?

The thing you want to avoid is mixing nft with iptables-legacy. iptables-nft and nft should be fine.

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Raphael Hertzog wrote:
> > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > desktop related tasksel tasks.
>
> No objection. I think it's high time we have some default firewall
> installed in particular with IPv6 getting more widely deployed...
>
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.

Again, I'm biased, but ufw supports IPv6. It's also been on the default server and desktop install of Ubuntu for 9+ years. ufw functions well for bastion hosts, less so for routers (though it has some facility there). Perhaps the perceived 'lack of momentum' has to do with a lack of feature development, but for the primary bastion host case, I haven't deemed this necessary.

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Re: default firewall utility changes for Debian 11 bullseye
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> Hi there,
>
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> Is intended to help people migrate from iptables to nftables.
>
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.

As the upstream ufw developer, this makes sense to me.

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.
>
> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Makes sense.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I'm obviously biased, but anecdotally I have had quite a few people say disparaging things about firewalld, particularly from server admins. I'm not really in a position for people to sing firewalld's praises to me, so take that for what it is worth. IIRC, network-manager has a fair frontend for firewalld that could be nice for desktop users if Debian wants that tight integration.

That said, I can say that the ufw packaging makes it so it stays out of the way for people who want to use other firewall applications. I encourage Debian in whatever choice is made to make sure that the experience degrades gracefully if someone chooses something other than the default.

-- 
Email: ja...@strandboge.com
IRC: jdstrand
Bug#932330: ITP: python-zipp -- pathlib-compatible Zipfile object wrapper
Package: wnpp
Severity: wishlist
Owner: Ondřej Nový

* Package name    : python-zipp
  Version         : 0.5.2
  Upstream Author : Jason R. Coombs
* URL             : https://github.com/jaraco/zipp
* License         : Expat
  Programming Lang: Python
  Description     : pathlib-compatible Zipfile object wrapper

A backport of the Path object.

I'm going to maintain this inside the DPMT team.
xTuple Postbooks license change
Hello,

xTuple recently took most of their git repos off of github and is changing the license to much of the code moving forward.

https://xtuple.com/blog/ned/free-software

Debian currently offers builds of Postbooks.

https://salsa.debian.org/xtuple-maintainers-team

It would be a shame for the FOSS community to lose this CPAL licensed software.

Which directions might the Debian community take regarding Postbooks?

(Some users and some xTuple staff do idle in #xtuple on FreeNode.)

Seth McClain
Bug#932316: ITP: lua5.4 -- lightweight, embeddable scripting language
Package: wnpp
Severity: wishlist
Owner: Sergei Golovan

* Package name    : lua5.4
  Version         : 5.4.0-alpha
  Upstream Author : Lua Team
* URL             : https://www.lua.org/
* License         : Expat
  Programming Lang: C
  Description     : lightweight, embeddable scripting language

It's the next major release of Lua. Currently only an alpha version is released upstream, so I intend to keep it in experimental for a while.

The maintenance will take place under the Lua Team umbrella.

-- 
Sergei Golovan
Bug#932315: ITP: battery-plug-notifier -- A simple notifier to hopefully extend battery life.
Package: wnpp
Severity: wishlist
Owner: Marco Villegas

* Package name    : battery-plug-notifier
  Version         : 0.1.0
  Upstream Author : Marco Villegas
* URL             : https://gitlab.com/marvil07/battery-plug-notifier
* License         : GPL
  Programming Lang: Shell
  Description     : A simple notifier to hopefully extend battery life.

A lot of laptop batteries use [Lithium-ion batteries](https://en.wikipedia.org/wiki/Lithium-ion_battery). There is a simple technique to help extend battery life, by keeping the charge not so high, and not so low.

Some laptops already include a feature to help with this, namely thinkpads with [tp_smapi](https://www.thinkwiki.org/wiki/Tp_smapi), but most do not have that feature.

A work-around for not having kernel level access to start/stop charging is to do it manually, but as humans it is hard to remember to monitor the percentage. This notifier helps with the task by sending notifications at those moments.
Re: default firewall utility changes for Debian 11 bullseye
On Jul 17, Paul Wise wrote:
> To me, something like opensnitch seems like a better option for a
> desktop firewall once it becomes more mature and enters Debian.

This project is a "personal firewall", which is a quite different thing from what is being discussed here.

-- 
ciao,
Marco
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 17, 2019 at 7:05 PM Helmut Grohne wrote:
> If you want to make firewalld the desktop default

To me, something like opensnitch seems like a better option for a desktop firewall once it becomes more mature and enters Debian.

https://github.com/evilsocket/opensnitch/
https://bugs.debian.org/909567

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#932309: ITP: python-importlib-metadata -- library to access the metadata for a Python package
Package: wnpp
Severity: wishlist
Owner: Ondřej Nový

* Package name    : python-importlib-metadata
  Version         : 0.18
  Upstream Author : Jason R. Coombs, Barry Warsaw
* URL             : https://gitlab.com/python-devs/importlib_metadata
* License         : Apache-2
  Programming Lang: Python
  Description     : library to access the metadata for a Python package

Provides an API for accessing an installed package's metadata, such as its entry points or its top-level name. This functionality intends to replace most uses of the pkg_resources entry point API and metadata API.

I'm going to maintain it inside DPMT.
Re: default firewall utility changes for Debian 11 bullseye
Raphael Hertzog wrote:
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.

It is curious you mention a lack of momentum; in my experience, it is the most commonly recommended firewall on various support-adjacent sites around the internet. (Perhaps due to its Ubuntu/Canonical associations and authorship.)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Re: default firewall utility changes for Debian 11 bullseye
On Wed, Jul 17, 2019 at 12:32:31 +0100, Thomas Pircher wrote:
> # iptables-translate -A INPUT -s 1.2.3.4 -p tcp --dport 587 -j DROP
> nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop

Ah, thank you very much!

Stephan

-- 
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
Re: default firewall utility changes for Debian 11 bullseye
Stephan Seitz wrote:
> What would be the replacement for a simple single line like
> iptables -I INPUT -j DROP -s -p tcp --dport 587 ?

You can use iptables-translate. It is not foolproof and does not always give the best results, but it can give you a good starting point for your optimisations:

# iptables-translate -A INPUT -s 1.2.3.4 -p tcp --dport 587 -j DROP
nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop

Thomas
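To make the translation step concrete, here is an added example (constructed for this digest, not code from the thread or from the iptables/nftables projects) that mimics what iptables-translate emits for the simple rule forms discussed above, including Stephan's `-I` variant; it deliberately refuses anything outside the small subset it understands, since translation output is meant to be reviewed rather than trusted blindly. The function names `translate` and `supported` are the example's own.

```python
"""Toy translator for a small subset of iptables rule syntax into nft syntax.

Constructed illustration of what iptables-translate produces for the simple
rules in the thread. It is NOT the real tool: it covers only -A/-I <chain>,
-s, -d, -p tcp|udp, --dport/--sport and -j ACCEPT|DROP|REJECT, and raises
ValueError for anything else instead of guessing.
"""
import shlex

TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def translate(rule, table="filter"):
    """Return the nft command equivalent to one iptables/ip6tables rule."""
    args = shlex.split(rule)
    family = "ip"
    if args and args[0] in ("iptables", "ip6tables"):
        family = "ip6" if args[0] == "ip6tables" else "ip"
        args = args[1:]
    verb = chain = proto = target = None
    matches = []       # nft match expressions, kept in the order given
    proto_idx = None   # index of a bare protocol match that a port match may replace
    i = 0
    while i < len(args):
        opt = args[i]
        if i + 1 >= len(args):
            raise ValueError(f"{opt} needs an argument")
        val = args[i + 1]
        if opt in ("-A", "-I"):
            verb, chain = ("add" if opt == "-A" else "insert"), val
        elif opt == "-s":
            matches.append(f"{family} saddr {val}")
        elif opt == "-d":
            matches.append(f"{family} daddr {val}")
        elif opt == "-p":
            if val not in ("tcp", "udp"):
                raise ValueError(f"unsupported protocol: {val}")
            proto = val
            proto_idx = len(matches)
            # nft spells a bare protocol match differently per family
            matches.append(f"ip protocol {val}" if family == "ip" else f"meta l4proto {val}")
        elif opt in ("--dport", "--sport"):
            if proto is None:
                raise ValueError(f"{opt} needs -p tcp or -p udp before it")
            if proto_idx is not None:
                matches.pop(proto_idx)  # 'tcp dport N' already implies the protocol
                proto_idx = None
            matches.append(f"{proto} {opt[2:]} {val}")
        elif opt == "-j":
            if val not in TARGETS:
                raise ValueError(f"unsupported target: {val}")
            target = TARGETS[val]
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    if verb is None or target is None:
        raise ValueError("rule needs -A/-I <chain> and -j <target>")
    return " ".join(["nft", verb, "rule", family, table, chain, *matches, "counter", target])


def supported(rule):
    """True when the rule falls inside the translatable subset."""
    try:
        translate(rule)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(translate("iptables -I INPUT -j DROP -s 1.2.3.4 -p tcp --dport 587"))
```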
Re: default firewall utility changes for Debian 11 bullseye
On 17.07.19 at 13:16, Michael Biebl wrote:
> On 17.07.19 at 13:04, Helmut Grohne wrote:
>> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>>> Also, I believe the days of using a low level tool for directly configuring the
>>> firewall may be gone, at least for desktop use cases. It seems the industry more
>>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>>> There are plenty of system services that integrate with firewalld anyway [3].
>>> By the way, firewalld is using (or should be using) nftables by default at this
>>> point.
>>
>> The current firewalld package in unstable depends on iptables, which
>> means that it does use nftables under the hood unless one fiddles with
>> alternatives.
>>
>> apt-file search /usr/bin/firewalld suggests that at present, two
>> packages (freedombox and glusterfs-common) integrate with firewalld. For
>> comparison, 17 packages integrate with ufw.
>>
>
> That list appears to be incomplete. You should also search for
> org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of
> firewalld:
> https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1

Also forgot to mention: I assume what you meant with "integrate with ufw" is packages shipping a service description in /etc/ufw/applications.d/, say samba:

/etc/ufw/applications.d/samba

firewalld ships a lot of such service descriptions itself. If you take the above example of samba:

firewalld: /usr/lib/firewalld/services/samba-client.xml
firewalld: /usr/lib/firewalld/services/samba-dc.xml
firewalld: /usr/lib/firewalld/services/samba.xml

$ apt-file list firewalld | grep /usr/lib/firewalld/services/ | wc -l
168

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
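To show how the two kinds of service description compared above relate, here is an added example (constructed for this digest, not code from the thread, ufw or firewalld) that reads a ufw application profile, modelled on the samba one, and renders it in the shape of a firewalld service XML file; the profile text is constructed and the function names are the example's own.

```python
"""Convert a ufw application profile (INI, as under /etc/ufw/applications.d/)
into a firewalld-style service definition (XML, as under
/usr/lib/firewalld/services/). Constructed example, not code from either
project; it only illustrates how the two integration formats relate.
"""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the samba profile Debian's samba package ships.
SAMBA_UFW_PROFILE = """\
[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems.
ports=137,138/udp|139,445/tcp
"""


def parse_ufw_ports(spec):
    """Expand a ufw 'ports=' value into (protocol, port) pairs.

    ufw separates protocol groups with '|', lists ports with ',' and writes
    ranges as 'a:b'; firewalld writes ranges as 'a-b', so ':' is rewritten.
    Anything that is not a plain tcp/udp port or range is rejected.
    """
    pairs = []
    for group in spec.split("|"):
        if "/" not in group:
            raise ValueError(f"port group without protocol: {group!r}")
        ports, proto = group.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        for port in ports.split(","):
            port = port.strip()
            if not port.replace(":", "").isdigit():
                raise ValueError(f"bad port spec: {port!r}")
            pairs.append((proto, port.replace(":", "-")))
    return pairs


def ufw_profile_to_firewalld(profile_text, section):
    """Render one [section] of a ufw profile as firewalld service XML text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(profile_text)
    app = cfg[section]
    service = ET.Element("service")
    ET.SubElement(service, "short").text = section
    ET.SubElement(service, "description").text = app["description"]
    for proto, port in parse_ufw_ports(app["ports"]):
        ET.SubElement(service, "port", protocol=proto, port=port)
    return ET.tostring(service, encoding="unicode")


if __name__ == "__main__":
    print(ufw_profile_to_firewalld(SAMBA_UFW_PROFILE, "Samba"))
```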
Re: default firewall utility changes for Debian 11 bullseye
On Tue, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
> On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> > as you may know, Debian 10 buster includes the iptables-nft utility by
> > default, which is an iptables flavor that uses the nf_tables kernel
> > subsystem. Is intended to help people migrate from iptables to nftables.
> Yeah, this was a great way to migrate, thanks!

What is the problem with using iptables-nft compared to the new nft syntax? According to the documentation nft seems quite more complex.
What would be the replacement for a simple single line like
iptables -I INPUT -j DROP -s -p tcp --dport 587 ?

What about other packages like fail2ban? Does it „hurt” if different programs are using iptables-nft or nft?

Shade and sweet water!

Stephan

-- 
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
Re: default firewall utility changes for Debian 11 bullseye
On 17.07.19 at 13:04, Helmut Grohne wrote:
> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>> Also, I believe the days of using a low level tool for directly configuring the
>> firewall may be gone, at least for desktop use cases. It seems the industry more
>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>> There are plenty of system services that integrate with firewalld anyway [3].
>> By the way, firewalld is using (or should be using) nftables by default at this
>> point.
>
> The current firewalld package in unstable depends on iptables, which
> means that it does use nftables under the hood unless one fiddles with
> alternatives.
>
> apt-file search /usr/bin/firewalld suggests that at present, two
> packages (freedombox and glusterfs-common) integrate with firewalld. For
> comparison, 17 packages integrate with ufw.
>

That list appears to be incomplete. You should also search for org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of firewalld:
https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Re: default firewall utility changes for Debian 11 bullseye
On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.

The current firewalld package in unstable depends on iptables, which means that it does use nftables under the hood unless one fiddles with alternatives.

apt-file search /usr/bin/firewalld suggests that at present, two packages (freedombox and glusterfs-common) integrate with firewalld. For comparison, 17 packages integrate with ufw.

Disclaimer: This is not an endorsement of ufw. I merely researched the situation and am summarizing my findings. Still I am drawing the conclusion that "the industry more or less agreed on using firewalld" seems wrong to me.

If you want to make firewalld the desktop default, I encourage you to look back at how apparmor was made the default. I remember that as a very good process.

You raise the issue at a very good time.

Helmut
Bug#932266: ITP: dragon -- Drag and drop source/target for X
Package: wnpp
Severity: wishlist
Owner: Keian Rao

* Package name    : dragon
  Version         : 1.1.0
  Upstream Author : Michael Homer
* URL             : https://github.com/mwh/dragon
* License         : GPL
  Programming Lang: C
  Description     : Drag and drop source/target for X

Many programs, particularly web applications, expect files to be dragged into them now. If you don't habitually use a file manager that is a problem. dragon is a lightweight drag-and-drop source for X where you can run: `dragon file.tar.gz` to get a window with just that file in it, ready to be dragged where you need it.

- Hello Debian maintainers, I stumbled upon this program after finding a need to drag-and-drop a file into Mozilla Firefox from my Debian installation without a file manager.

- The program itself is a single file of C, with a single dependency on GTK 3. It does not receive many updates at all, but upstream is still aware of it, having added a small update 11 days before time of writing. I successfully compiled the program on first try in Debian stretch, with gcc 4:6.3.904 and libgtk-3-dev 3.22.11-1.

- I would prefer another maintainer maintain this, as I have no experience working with GTK, but I would not mind maintaining it, as it is a small package, and I'd like to gain some experience being a Debian maintainer.

- There is a package with similar (greater, rather) functionality, named 'dragbox'. It was available only in jessie, having been dropped in stretch seemingly without notice (The only critical bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475448 , was fixed).

- I have not contacted the upstream author before filing this. If this moves forward, I will contact them for their permission, etc.