Re: Preparando para atualizar o Debian 8 para o 9

[Henrique de Moraes Holschuh]

On Tue, 20 Jun 2017, Thiago C. F. wrote:
> Que nada mais é arquivos do repositório "ftp.deb-mutimedia.org", que achei
> visualizando pelo Synaptic.

Em geral, esse repositório causa problemas para atualizações.  As
versões de pacote nem sempre são compatíveis, e não tem garantias que o
procedimento de atualização vai fazer algo esperado.

Tudo vai depender do que você instalou do deb-multimedia.org.  Se foi só
pacote que não existe no debian oficial, menos mal.  FAÇA BACKUP, copie
os nomes do que vai remover, "purge" neles (remoção total), e depois que
atualizar tudo, veja se vai querer reinstalar (supondo que
deb-multimedia.org já tenha stretch).

Agora, se você atualizou pacotes existentes para versões não oficiais do
deb-multimedia.org, pode causar problemas na atualização, sim.  Boa
sorte :-(

> Como eu não sei remover todos estes arquivos em uma única vez através do
> terminal, consigo pelo Synaptic, mas me veio uma dúvida: Posso apagar estes
> arquivos marcando para "remoção completa" ou devo marcar apenas para
> remoção? Pergunto porque alguns arquivos destes pacotes, como no caso do
> libaacplus2 mostra outros pacotes a serem removidos, como o cheese,
> empathy, gimp, gnome-contacts, gnome-photos, gnome control-center, etc. e
> por isso fiquei com receio de fazer uma remoção completa.

Argh.  Sugiro que faça backup de todos os seus dados.  E que considere a
possibilidade de instalar do zero o stretch, porque esse nó aí pode ter
ficado demasiado complicado de desfazer para quem não tem muita
experiência :-(

Aliás, vi outros Debian Developers recomendando exatamente isso hoje no
IRC... se a mistureba com deb-multimedia.org for grande, dá mais futuro
instalar do zero.

-- 
  Henrique Holschuh

Preparando para atualizar o Debian 8 para o 9

[Thiago C. F.]

Olá.

Estou com uma pequena dúvida. Em nota de lançamento:
https://www.debian.org/releases/stretch/i386/release-notes/ch-upgrading.pt-br.html#obsolete
em 4.2 diz que para uma maior confiabilidade do processo de atualização,
você pode remover pacotes de terceiros do seu sistema antes de começar a
atualização.
Digitei o comando # apt-forktracer | sort e não funcionou, mas o comando
#aptitude search '~i(!~ODebian)' deu certo, e me mostou o seguinte
resultado:

root@Kamila:~# aptitude search '~i(!~ODebian)'
i   deb-multimedia-keyring  - GnuPG archive key of the
deb-multimedia re
i   gstreamer0.10-plugins-really-ba - GStreamer plugins from the "bad"
set
i   handbrake-gtk   - Versatile DVD ripper and video
transcoder
i A libaacplus2 - AAC+ encoding library - runtime
files
i   libdvdcss-dev   - Simple foundation for reading DVDs -
devel
i   libdvdcss2  - Simple foundation for reading DVDs -
runti
i A libfdk-aac1 - Fraunhofer FDK AAC codec
library.
i A libswresample1  - FFmpeg audio rescaling
library
i A libutvideo15- Ut Video Codec Suite
library
i A libx264-146 - x264 video coding
library
i A libx265-51  - x265 video coding library

Que nada mais é arquivos do repositório "ftp.deb-mutimedia.org", que achei
visualizando pelo Synaptic.

Como eu não sei remover todos estes arquivos em uma única vez através do
terminal, consigo pelo Synaptic, mas me veio uma dúvida: Posso apagar estes
arquivos marcando para "remoção completa" ou devo marcar apenas para
remoção? Pergunto porque alguns arquivos destes pacotes, como no caso do
libaacplus2 mostra outros pacotes a serem removidos, como o cheese,
empathy, gimp, gnome-contacts, gnome-photos, gnome control-center, etc. e
por isso fiquei com receio de fazer uma remoção completa.

Uma outra coisa também é que neste repositório tem mais arquivos do que
mostrado no resultado do comando acima. Terei que apagar todos deste
repositório ou somente os que foram mostrados no resultado do comando acima?


Thiago C. F.

Re: Debian 9 - Stretch has been released!

[Jimmy Johnson]

On 06/19/2017 05:21 AM, Greg Wooledge wrote:

On Sat, Jun 17, 2017 at 08:42:54PM -0700, Jimmy Johnson wrote:

 https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/


Don't use live images for installations.


I agree, the current live DVD's are great for checking out the 
distribution, you can update apt and install packages too. But you may 
have problems if you try to do an install from the live DVD.



Use install images for installations.


The Net-Install images work great! If you need firmware here's the link: 
https://cdimage.debian.org/mirror/cdimage/unofficial/non-free/cd-including-firmware/ 




For example, if you go to  there is a shiny
green inset link which will download the amd64 netinst ISO image.
Currently, that URL has the substring 9.0.0 in it, so I won't bother
linking it here, as it may expire by the time people reading the
mailing list archives see this.

So, just go to  instead, and follow the
download links from there.


Cheers,
--
Jimmy Johnson

Debian Buster - Plasma Version 5.8.6 - EXT4 at sda17
Registered Linux User #380263

Re: Debian 9 - Stretch has been released!

[Jimmy Johnson]

On 06/18/2017 04:28 AM, RavenLX wrote:

On 06/17/2017 11:42 PM, Jimmy Johnson wrote:

  https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

Cheers!


I was there in the IRC chat channels while they were working on it and
when they released it. It was the first time in YEARS I been in IRC.
Great folks there and they worked really hard! It was so cool to watch
those final moments unfold.

And they got it released just in time. I think it was a bit after 11 pm
or 11:30 pm (Eastern USA time) before it got out finally. I downloaded
an iso overnight so I'll be ready when I get my own stuff prepared on my
end (still working on that).


Yes, it's fun and exciting to feel apart of the Debian release! My last 
Stretch install was Friday RC5 for testing.  Are you ready to start the 
next release? Buster got fed it's first 65 package upgrades today, 
hopefully the next two years will not be too bumpy a ride and full of 
lots of fun, technology and learning.



A *huge* thank you to the Debian team!


+1

Cheers,
--
Jimmy Johnson

Debian Buster - Plasma Version 5.8.6 - EXT4 at sda17
Registered Linux User #380263

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Felix Miata]

Greg Wooledge composed on 2017-06-19 11:05 (UTC-0400):

> On Mon, Jun 19, 2017 at 11:00:32AM -0400, Felix Miata wrote:
.
>> I have a dozen machines with Stretch installed, most with Jessie and/or Sid 
>> as
>> well. Only Stretch on host big41 produces the subject problem.
.
> According to a previous message in this thread, it could be triggered
> by a specific kernel boot parameter.  Can you show us "cat /proc/cmdline"
> from big41?
.
Current boot, not exactly the same as the default Grub stanza, but virtually the
same as my other Stretch installations that work as expected:
ro root=LABEL=debian9sv5 net.ifnames=0 ipv6.disable=1 noresume plymouth.enable=0
vga=791 video=1440x900@60 3
-- 
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Thank you Debian!

[Jimmy Johnson]

Another release is done! I want to think all involved for keeping as 
much legacy as you have done, good job! Keeping files and file systems 
safe and sound can be a difficult job but a necessary job. Special 
thanks to the KDE team for keeping the legacy oxygen theme, root user 
konqueror filemanagement, kdf, quick launch, etc. I hope that Legacy KDE 
will always be an important part of our future and Debian 10, Buster 
will become the best Linux Distro to ever be installed on a computer. 
Thanks again Debian!


Cheers,
--
Jimmy Johnson

Debian Buster - Plasma Version 5.8.6 - EXT4 at sda17
Registered Linux User #380263

Re: Stretch--how to launch WICD, which isn't in the menu

[Rick Thomas]

On 06/19/17 05:14, Brian wrote:


The advice at

  https://wiki.debian.org/WiFi/HowToUse#Wicd

... Outdated? Incorrect?



At the least, it hasn't been updated for systemd.

Rick

Re: where to submit low security vulnerability in .profile?

[Ansgar Burchardt]

Greg Wooledge writes:
> On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
>> Le primidi 1er messidor, an CCXXV, Henrique de Moraes Holschuh a écrit :
>> > That said, no, it is not usually considered a security vulnerability,
>> > because NOT using the full path to run commands such as "su" and "sudo"
>> > in the first place IS considered gross negligence.
>> 
>> If your account has been compromised so much that an attacker was able
>> to add something in ~/bin/, then using the full path of the commands
>> does not bring any extra security.
>
> Henrique, I believe, was describing an attack that works like this:
>
> 1) Login.
> 2) PATH=~/bin:$PATH
> 3) vi ~/bin/su  (insert malicious code); chmod 755 ~/bin/su
> 4) Call the system administrator, and get him/her to come to your desk.
> 5) Get the sysadmin to run "su -c something" for you at your desk.
>This runs your password-capturing program, which records the root
>password somewhere you can retrieve it after the sysadmin leaves.

Typing /bin/su instead doesn't help against this attack, for example zsh
allows:

  $ alias /bin/su="echo Hallo"
  $ /bin/su
  Hallo

Or one could just present something that looks and behaves like the
normal shell except when /bin/su is called.  Or use the DEBUG trap in
bash.  Or...

In short, it is never safe to run `su` and enter a password from an
untrusted account.  And one should regard all accounts one uses `su`
from as equivalent to root (for misuse; the password just helps
against breaking some things by accident).

Ansgar

Stretch installer: cannot encrypt /home

[Ken Heard]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I want to encrypt my /home directory but the Stretch installer will
not let be do it.  I got so far as to create a RAID1 and then lvm2 to
create several logical volumes, but I could not encrypt the logical
volume for the /home directory.

In the overview of my partitions the one for my home directory reads
as follows:

LVM VG SOL1, LV home 2.0 TB lINUX device-mapper  (linear)
#1  2.0 TBK crypto (SOL1-home_crypt)
Encrypted volume (SOL1-home_crypt) - 2.0 TB Linux device-mapper (crypt)
#1  2.0 TBK   lvm

What I think I should be able to do now is to select the last line
above so I can enter the file system. the password and the mount point
/home.  When I select that line nothing happens,

If I select "configure encrypted volumes", I am asked to save my
partitioning scheme, After doing so another window appears with two
choices, "Finish" and "Create encrypted volumes".  Selecting the
latter asks me to select the devices to encrypt, but the one I want to
encrypt does not appear there.

Either way installer will not let me go any further.

Have others had this problem?  If anyone found a solution I would
appreciate knowing how you did it.

Regards, Ken Heard





-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iEYEARECAAYFAllIXiUACgkQlNlJzOkJmTft3ACdGhTQ0iWyx3g1FKQCenD4Hz3W
hTAAn1tnH16y78wlc19PpvsMhTwQdvXN
=VR1d
-END PGP SIGNATURE-

Re: Lançado o Debian 9 "Stretch"

[Thiago C. F.]

Maravilha! Estava no aguardo a muito tempo!

Vi também que voltará o Thunderbird 45.8 como padrão, é isso? Eu uso o
Evolution, mas não tem problema se ele for substituído.


Thiago C. F.

2017-06-18 5:50 GMT-04:00 Marcelo Santana :

> Em 18/06/17, às 06:28 -0300, Marcelo Santana 
> escreveu:
>
> [...]
>
> > O Debian 9 é dedicado [3] ao fundador do projeto, Ian Murdock, que
> > faleceu em 28 de dezembro de 2015.
> >
> > 3: http://ftp.debian.org/debian/doc/dedication/dedication-9.0.txt
>
> Desculpem, na correria, eu me esqueci de usar o link da versão pt_BR:
>
> http://ftp.debian.org/debian/doc/dedication/dedication-9.0.pt_BR.txt
>
>
> []'s
>
> --
> Marcelo Santana (aka msantana) 
> 4096R/5B76053D: 8E9B 1014 4019 3526 C1C6  B0AC A3C0 DA1E 5B76 053D
>

Re: Why does no one care that Brad Spengler of GRSecurity is blatantly violating the intention of the rightsholders to the Linux Kernel?

[deloptes]

Richard Stallman wrote:

> I am not trying to study the GRsecurity case because (0) it's
> complicated, and it would take a lot of time to think about, (1) the
> FSF has no say in the matter (it is about Linux) and (2) I don't think
> the copany would heed whatever I might say.

Could you explain why it should be complicated? GPL states the rights
obtained should be passed to the recipient, so the recipient should be
allowed to redistribute the code (IMO) even if he/she is paying for
improvements.

It would be really nice if GRSec could help improve the kernel security in
some way acceptable by and for the benefit of all. I don't think someone
wants to punish them for what they are doing. It would be better to have
mutual benefit if possible as the GPL does not prohibit modifying and
redistributing the code and demanding a fee, it however does guarantee the
right to redistribute is passed to the recipient, which is not the case
here.

regards

Re: Record audio streaming?

[Bruce Gates]

Hello,


Just adding my 2 cents here...


Can you use Audacity to record the audio as it's playing through your computer? 
Just use the "stereo mix" input...


That is, assuming more sophisticated fixes don't do the trick...


Good luck!



From: david...@freevolt.org 
Sent: Monday, June 19, 2017 1:48 PM
To: debian-user@lists.debian.org
Subject: Re: Record audio streaming?

On Sun, 18 Jun 2017, Rodolfo Medina wrote:

> Hi all.
>
> Here:
>
> http://www.radio3.rai.it/dl/portaleRadio/media/ContentItem-ee5e755e-200b-4133-9a9b-da491982bf01.html
[http://www.rai.it/resizegd/640x-/dl/img/2017/06/1497624792426Liszt_sign.JPG]

Ascolta le musiche della lezione del 
17/06/2017
www.radio3.rai.it
Franz Liszt, Ballata n.2, Eli Perrotta, pianoforte; registrazione del 4/4/1966


>
> you listen to a Liszt's ballad.  I wonder if and how it is possible to 
> download
> it and/or copy it to a file.  Any hint...?

In this particular case, in that web page's source, if you search for
"audioUrl =" then you will find a promising url on the resulting line.

Download the file at that promising url using wget, or curl, or
whatever tool you prefer for that sort of thing.

> Thanks,
>
> Rodolfo
>
>

Re: Debian 8.8 a debian 9 problemes amb nou nucli 4.9.0-3-amd64

[Joan]

M'esteu treient les ganes d'actualitzar...

De fet, per prudència sempre penso que és millor esperar uns dies, un
mes... perquè quan es llença la nova versió, els testadors deuen passar
a ser moltíssims i potser és més fàcil que arreglin coses d'aquestes...

Joan

El Sun, 18 Jun 2017 19:12:41 +0200
Josep Lladonosa  va escriure:

> 2017-06-18 17:32 GMT+02:00 Jaume Barceló :
> 
> > Després de l'actualització (*) el nucli 4.9.0-3-amd64 no em llista
> > els usuaris. Em queda amb un fons de pantalla i no puc fer res.
> > Reiniciant i triant el nucli antic 3.16.0-4-amd64 puc entrar. Tinc
> > arrencada dual win10/debian EFI/grub
> >
> 
> A mi m'ha passat, en Ubuntu, però, que determinades versions de nuclis
> tenen errades amb temes gràfics i aleshores no s'inicialitzen bé i,
> bé no apareix entorn gràfic (sobretot entorns amb nvidia), bé els
> gràfics es tornen lents apareixent errors de coredump al dmesg.
> Efectivament passant a una altra compilació de nucli es resol el
> tema...
> 
> Salutacions,
> Josep
> 
> 
> 
> 
> >
> > Algun suggeriment?
> >
> 
> Reportar el bug i esperar a una següent versió de nucli? :-/
> 
> 
> >
> > (*) http://nerea.cat/gnu/debian9.txt
> >
> > --
> > Salut i força!
> >
> 
> 
> 



-- 
Joan Cervan i Andreu
http://personal.calbasi.net

"El meu paper no és transformar el món ni l'home sinó, potser, el de
ser útil, des del meu lloc, als pocs valors sense els quals un món no
val la pena viure'l" A. Camus

i pels que teniu fe:
"Déu no és la Veritat, la Veritat és Déu"
Gandhi

Re: Instal·lar Debian 9 de cero... Es recomanable encriptar les particions?

[Lluís Gili]

jo el que he fet és xifrar (amb luks, cryptsetup) un sol directori i posar-hi 
tot el sensible allà, enllaçant-ho des d'on toqui, posant la mateixa 
contrasenya al xifrat i a l'usuari pots fer que es munti automàticament quan 
inicies sessió a l'entorn gràfic (amb libpam-mount)
així tens el que vols xifrat sense necessitat de posar una contrasenya extra 
ni penalitzar el rendiment


El dilluns, 19 de juny de 2017, a les 10:32:18 CEST, Sergi Blanch-Torné va 
escriure:
> Hola,
> 
> Els xifrats en disc depenen de què vulguis protegir (el threat model).
> 
> Com be comenta el Narcís, xifrar el disc dur deixa la partició boot
> sense xifrar. Es necessària per poder carregar el kernel i que aquest et
> demani la frase de pas per poder accedir al volum xifrat. Cas que sigui
> sense frase de pas perquè el boot està en un stick, un ha de guardar-los
> separats quan l'ordinador estar apagat.
> 
> Un xifrat a nivell de disc dur protegeix davant la situació d'ordinador
> parar. Únicament. Estaries protegint la modificació dels binaris. Però
> compte amb l'exposició del kernel.
> 
> En l'altre escenari en que algú fa una incursió des de xarxa, ho fa amb
> l'ordinador engegat i per tant amb la partició xifrada montada.
> 
> De forma no excloent, però que té implicacions de performance, és
> utilitzat eCryptfs per xifrar el home de cada usuari. Aquí estaries
> protegint-ne les dades de cada usuari (que ho utilitzés). Però s'ha de
> tenir present que root, tot i que no pot montar el teu home, si que hi
> pot accedir si l'usuari ha fet login.
> 
> Després hi ha una tercera via, útil per exemple per discs durs externs,
> que serien eines com encfs, en les que hom monta una estructura de
> directoris sota demanda. Té els seus pros i contres també.
> 
> /Sergi.
> 
> Ps: Jordi, no existeix la ignorància quan el que fas és preguntar per
> aprendre...
> 
> On 19/06/17 09:31, Narcis Garcia wrote:
> > La manera en què jo ho he vist fer és deixar connectada la memòria USB
> > durant la instal·lació, i allotjar-hi allà la partició de /boot sense
> > encriptar.
> > D'aquesta manera, el disc intern pot estar encriptat tot sencer, i cal
> > la memòria USB per arrencar-ne, que és la que demana contrasenya per
> > seguir l'inici del sistema. Això si, convé que la memòria USB romangui
> > connectada per a que sigui coherent amb les actualitzacions de nucli i
> > gestor d'arrencada.
> > 
> > De tota manera, aquesta externalització de l'arrencada és una mesura més
> > aviat orientada a evitar una vulnerabilitat molt i molt específica:
> > Que algú volgués manipular l'arrencada de l'ordinador per després deixar
> > que tu el tornis a fer servir i que es desi la contrasenya que escrius,
> > i així en un «següent robatori» recuperar aquesta dada.
> > Si no necessites protegir-te d'aquest cas concret, pots prescindir de
> > memòria USB i col·locar el /boot al mateix disc dur.
> > 
> > 
> > __
> > I'm using this express-made address because personal addresses aren't
> > masked enough at this list's archives. Mailing lists service
> > administrator should fix this.
> > 
> > El 19/06/17 a les 01:37, Pedro ha escrit:
> >> Josep,
> >> 
> >> tens alguna guia que recomanis o sabries explicar breument com fer lo
> >> de entrar xifrar disc i desbloquejar-lo amb el llapis USB?
> >> 
> >> podríem considerar que el punt de partida més habitual és una debian
> >> instal·lada amb el xifrat de disc com suggereix l'instal·lador.
> >> 
> >> Gràcies!
> >> 
> >> 2017-06-18 21:11 GMT+02:00 Josep Lladonosa :
> >>> 2017-06-18 19:47 GMT+02:00 Jordi Boixader :
>  Hola,
>  
>  Vull reinstal·lar la Debian 9 des de cero i em pregunto si és
>  recomanable
>  encriptar les particions. Tant al Portàtil com al Sobretaula.
>  
>  - Només és per si em roben el Disc Dur que no hi puguin accedir?
> >>> 
> >>> Efectivament. Cada cop que iniciïs el sistema hauràs d'entrar
> >>> contrasenya (o un llapis usb amb una clau) per iniciar sistema.
> >>> 
>  - O també si un Hacker m'entra des d'Internet al trobar-ho tot
>  encriptat
>  no podrà fer res?
> >>> 
> >>> Quan inicies el sistema i entres la clau secreta per poder desencriptar
> >>> el
> >>> sistema de fitxer estàs fent que sistema operatiu i programes tinguin ja
> >>> accés directe als fitxers. Així doncs, si un hacker entrés al sistema ho
> >>> fa
> >>> gràcies a alguna vulnerabilitat bé de sistema bé d'aplicació, pel que
> >>> l'intrús mantindria l'accés a tot el sistema de fitxers que sistema
> >>> operatiu/aplicacions tenien...
> >>> 
>  Perdoneu la meva ignorància...
>  
>  Salut
> >>> 
> >>> --
> >>> --
> >>> Salutacions...Josep
> >>> --

Re: Why does no one care that Brad Spengler of GRSecurity is blatantly violating the intention of the rightsholders to the Linux Kernel?

[Bruce Perens]

I think I'll be able to write something to inform present and potential
customers of the lawsuit risk and their position as contributory
infringers. This is more effective than writing to the company.

Thanks

Bruce

On Mon, Jun 19, 2017 at 11:41 AM, Richard Stallman  wrote:

> [[[ To any NSA and FBI agents reading my email: please consider]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> I am not trying to study the GRsecurity case because (0) it's
> complicated, and it would take a lot of time to think about, (1) the
> FSF has no say in the matter (it is about Linux) and (2) I don't think
> the copany would heed whatever I might say.
>
> --
> Dr Richard Stallman
> President, Free Software Foundation (gnu.org, fsf.org)
> Internet Hall-of-Famer (internethalloffame.org)
> Skype: No way! See stallman.org/skype.html.
>
>

Re: Why does no one care that Brad Spengler of GRSecurity is blatantly violating the intention of the rightsholders to the Linux Kernel?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I am not trying to study the GRsecurity case because (0) it's
complicated, and it would take a lot of time to think about, (1) the
FSF has no say in the matter (it is about Linux) and (2) I don't think
the copany would heed whatever I might say.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: problems with _apt user privileges in upgrading from Jessie to Stretch [solved?]

[Sven Joachim]

On 2017-06-19 11:03 -0700, Jim McCloskey wrote:

> Sven Joachim (svenj...@gmx.de) wrote:
>
> |>  On my system, only /var/lib/apt/lists/partial is owned by
> |>  the  _apt   user,  and it's not world-readable:
>  
>|>  All the regular files in /var/lib/apt/lists are owned by 
>|>  root:root and have standard 0644 permissions
>
> Thank you. How strange. I just reverted my own earlier change so that
> the  ownerships and permissions are as you describe in your
> reply. /var/lib/apt/lists/ and the files within it are owned by
> root:root and:
>
>  # ls -ld /var/lib/apt/lists/partial
>   drwx-- 2 _apt root 20480
> Jun15:52 /var/lib/apt/lists/partial
>
> and the warning/issue immediately returned:
>
>   Reading package lists... Done
>   W: Download is performed unsandboxed as root as file
> '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stretch_InRelease'   
> couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission   
> denied)

Are /var/lib/apt/lists/ and its parent directories world-readable and
world-executable?

Cheers,
   Sven

Re: Re: problems with _apt user privileges in upgrading from Jessie to Stretch [solved?]

[Jim McCloskey]

Sven Joachim (svenj...@gmx.de) wrote:

|>  On my system, only /var/lib/apt/lists/partial is owned by
|>  the  _apt   user,  and it's not world-readable:
 
   |>  All the regular files in /var/lib/apt/lists are owned by 
   |>  root:root and have standard 0644 permissions

Thank you. How strange. I just reverted my own earlier change so that
the  ownerships and permissions are as you describe in your
reply. /var/lib/apt/lists/ and the files within it are owned by
root:root and:

 # ls -ld /var/lib/apt/lists/partial
  drwx-- 2 _apt root 20480
Jun15:52 /var/lib/apt/lists/partial

and the warning/issue immediately returned:

  Reading package lists... Done
  W: Download is performed unsandboxed as root as file
'/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stretch_InRelease'   
couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission   denied)

Is there detailed documentation somewhere? The man-page and the
material in /usr/share/doc/{apt/apt-doc} are sort of minimal --
about this aspect of things anyway.

Jim

Re: Can't install Debian 9, missing liblzo2

[Brian]

On Mon 19 Jun 2017 at 12:37:45 -0300, Henrique de Moraes Holschuh wrote:

> On Mon, 19 Jun 2017, Wellington Terumi Uemura wrote:
> > I'm trying to install Debian 9 from a Live version with no success, I'm
> 
> Plese don't.  Please install from an install image.

I would give the same advice. My reasons would be

1. People here have more experience of a netinst image (say), so help
   is more readily available.

2. The netinst and DVD images have probably undergone more testing.

3. Why play? Just get on with it and install Debian. You know it makes
   sense.

4. Enjoy the freedom given by the mini ISO. A few MB compared with a GB
   download; no contest. Everything spot-on and up-to-date.

5. I have never used a live image to install; I do not see the point.
   (That doesn't mean I am saying it should not be done).

6. Live images support only two architectures.

7. Play and test. Disk space is cheap and USB sticks are two-a-penny.
   Install with a netinst and be done with it.
 
> the Live images will get fixed, but it is always safer to use them only
> for testing things or playing with Debian, and using an *install* image
> to install for real...

That is a damning indictment of a live image. What is unsafe about
installing from it? Is d-i unable to operate reliably within a live
environment? The analysis could form the basis of Reason 8.

Re: where to submit low security vulnerability in .profile?

[Henrique de Moraes Holschuh]

On Mon, 19 Jun 2017, The Wanderer wrote:
> On 2017-06-19 at 11:59, Henrique de Moraes Holschuh wrote:
> > On Mon, 19 Jun 2017, Greg Wooledge wrote:
> >> You appear to be claiming that putting ~/bin in PATH is somehow
> >> inherently unsafe.  I don't agree.  Under what conditions would
> >> this result in any kind of privilege escalation?
> > 
> > The OP was complaining that ~/bin was being *prepended* to PATH,
> > instead of appended.
> > 
> > When you prepend ~/bin to PATH, it allows one to have a shell script
> > such as ~/bin/sudo that will be run instead of the system's sudo.
> > Then, some use of social engineering might get an admin or some other
> > user to type in a password to run a command using su or sudo.
> > 
> > That said, no, it is not usually considered a security
> > vulnerability, because NOT using the full path to run commands such
> > as "su" and "sudo" in the first place IS considered gross
> > negligence.
> > 
> > So, train your fingers!  There is no "su", it *is* /bin/su.  And
> > there is no "sudo", it *is* /usr/bin/sudo.  Never trust aliases,
> > PATH, or anything of the like for this stuff.
> 
> Wouldn't that seem to be an argument against installing the real su,
> sudo, and so forth, _anywhere_ in $PATH? If running them in any other
> way than with the full explicit path is such bad security practice, then
> why do we install them in such a way as to facilitate doing so?

It would.  I don't know of anyone that does that, though, because it is
too painful to be worth it.

The fact is, if we remove them, we will get a lot of complains, and it
will break someone's scripts for sure (note: if these scripts set PATH
to something trusted, they're *not* unsafe).

Besides, it is valid for anything that will ask for passwords or
sensitive data.

One also has to pay attention to not ever "help the logged-in user"
under a terminal tap, rogue screen/tmux session, "script", etc...

-- 
  Henrique Holschuh

Re: Stretch, WIFI connection failed with aborting authentication with ... by local choice (Reason: 3=DEAUTH_LEAVING)

[Yann Cohen]

Hello,

Le samedi 10 juin 2017 à 10:21 -0500, Richard Owlett a écrit :
> On 06/10/2017 08:04 AM, Yann Cohen wrote:
> > Hello,
> > 
> 
[...]
> 
> > Last week, I reinstalled my laptop (lenovo YOGA 13) with Debian
> > Stretch  and network-manager.
> > 
> > Linux yogayan 4.9.0-3-amd64 #1 SMP Debian 4.9.30-1 (2017-06-04)
> > x86_64
> > GNU/Linux
> > 
> > Bus 001 Device 004: ID 0bda:1724 Realtek Semiconductor Corp.
> > RTL8723AU
> > 802.11n WLAN Adapter
> 
> That is likely your problem.
> See thread beginning at
> .
> Cindy-Sue Causey pointed to
> 
> 
> See also comment by Pascal Hambourg at
> 
> 
> HTH
> 

Well,

I summarize the situation :
 * the WIFI interface embedded on my laptop has been working fine for
   three with debian jessie
 * on stretch, I installed realtek non-free firmware 
 * at boot time, in dmesg, I can see the successful loading of the
   firmware
[   11.811782] usb 1-1.4: firmware: direct-loading firmware
rtlwifi/rtl8723aufw_B_NoBT.bin
[   11.811794] usb 1-1.4: Firmware revision 31.0 (signature 0x2302)
 * the connection failed "by local choice (Reason: 3=DEAUTH_LEAVING)"
 * I got 2 usb WIFI dongle (which work fine on my raspberry pi
   -raspbian jessie-). For each the same message appears in the log...
 * I tried to use this dongles on too other stretch workstation with
   the same negative result.
 * I have an other laptop with an PCI WIFI (Qualcomm Atheros QCA9565 /
   AR9565) interface which works fine with debian stretch...


>From my point of view, I did everything right, at least like the Jessie
configuration.
But obviously it seems not !
and I can't find where !
I look more and more like a dog trying to catch his tail !

So, with the publication of Stretch as stable few days ago, maybe  I
would no be the only to have this issue...

Re: Record audio streaming?

[davidson]

On Sun, 18 Jun 2017, Rodolfo Medina wrote:


Hi all.

Here:

http://www.radio3.rai.it/dl/portaleRadio/media/ContentItem-ee5e755e-200b-4133-9a9b-da491982bf01.html

you listen to a Liszt's ballad.  I wonder if and how it is possible to download
it and/or copy it to a file.  Any hint...?


In this particular case, in that web page's source, if you search for
"audioUrl =" then you will find a promising url on the resulting line.

Download the file at that promising url using wget, or curl, or
whatever tool you prefer for that sort of thing.


Thanks,

Rodolfo

Re: Debian 9 - Stretch has been released!

[Dalios]

On 06/19/2017 03:21 PM, Greg Wooledge wrote:
> On Sat, Jun 17, 2017 at 08:42:54PM -0700, Jimmy Johnson wrote:
>>  https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
> 
> Don't use live images for installations.
> 
> Use install images for installations.
> 
> For example, if you go to  there is a shiny
> green inset link which will download the amd64 netinst ISO image.
> Currently, that URL has the substring 9.0.0 in it, so I won't bother
> linking it here, as it may expire by the time people reading the
> mailing list archives see this.
> 
> So, just go to  instead, and follow the
> download links from there.
> 
> 

As far as I can remember, Stretch is the first Debian version where the
official site states it is possible to install from a live media: "A
"live install" image contains a Debian system that can boot without
modifying any files on the hard drive and also allows installation of
Debian from the contents of the image." [1].

So Debian has "installation images" available from which one can install
(see for example [2]) and it also has live media which can be used to
"Try Debian live before installing" and also to install.

I suppose that the difference is only some more extra space on the
CD/DVD/whatever for more packages ready to be installed (but I don't
really know).


[1] https://www.debian.org/CD/live/
[2] https://www.debian.org/distrib/netinst#smallcd



Dalios

Re: hacker tracking

[Joe]

On Mon, 19 Jun 2017 08:00:30 -0700
Mike McClain  wrote:

> On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> > The hits are coming from bots running on cracked computers.  The
> > botnet operators control them through several layers of indirection.
> >
> > I suspect that a majority of the Windows boxes in the world may be
> > under the control of botnets.
> > --
> > John Hasler
> > jhas...@newsguy.com
> > Elmwood, WI USA  
> 
> Hi John,
> If I understand correctly you're saying that for someone with my
> limited knowledge and abilities, this is an exercise in futility since
> most IP addresses I collect will not be those of hackers but rather
> of those already hacked.

I don't think your abilities matter, nobody can look at an IP address
and divine the real origin of the problem. Almost all (you should hope
'all') of these probes will be coming from dumb software running on the
hacked machines, and occasionally reporting back to base.

> Since you've brought that idea to my attention it makes sense to
> me but is somewhat depressing.

But even a basic firewall will keep out the rubbish. As long as you're
not a high-profile target, you can expect not to come to the attention
of any real hackers.

I used to keep a log of this stuff, with a simple script to count the
port accesses per day, just out of curiosity. A sudden increase in
connections to a port usually meant a new vulnerability found in one of
the applications which used it. But my current router seems to have no
logging and definitely no syslog ability, so I haven't been doing it
for a while.

On the whole, unwanted visitors are invited in these days, with offers
or appeals to human wants. Also, poorly defended web servers can have
dangerous links embedded in the pages. And more recently, the Internet
of Things has been spreading rudimentary web servers with poor security
all around the world... just stay alert.

-- 
Joe

Re: Debian 9

[Dan Ritter]

On Mon, Jun 19, 2017 at 08:01:19AM -0400, Terry Henderson wrote:
> Hi,
> 
> In Parallels Desktop For Mac, The Parallels Tools .iso Mounts As Read Only, 
> Therefore The Parallels Tools Will NOT Install !!!
> 
> Any Help Out There ??
> 

yES. yOU sHOULD tRY
http://www.parallels.com/products/desktop/support/

aND sTOP cAPITALIZING eVERY wORD.

-dsr-

stretch

[Glenn English]

An install with the apt-get method left XFCE with no screensaver and
no screensaver module in the settings. That was a problem because
somebody thought there was and tried to turn it on. The screen went
black and I had to reboot the machine to get video back. Installing
xscreensaver seems to have fixed that.

Stretch is a mixed blessing and is going to take some getting used to
-- lots of things don't work anymore. But some have improved.

SSH has gone completely odd. The Wifi dongle is now called
wlxe84e0629c8e0. My iptables script doesn't work anymore. Etc.

--
Glenn English

Re: where to submit low security vulnerability in .profile?

[Nicolas George]

Le primidi 1er messidor, an CCXXV, Greg Wooledge a écrit :
> Henrique, I believe, was describing an attack that works like this:
> 
> 2) PATH=~/bin:$PATH
> 3) vi ~/bin/su  (insert malicious code); chmod 755 ~/bin/su
> 4) Call the system administrator, and get him/her to come to your desk.

I do not think so, as the default value set in the distribution has no
relevance for that kind of attack.

Regards,

-- 
  Nicolas George


signature.asc
Description: Digital signature

Re: Stretch upgrade: lost PHP features?

[davidson]

On Mon, 19 Jun 2017, Carl Fink wrote:


Having upgraded my virtual server to Stretch, I discovered that tt-rss
was broken because the upgrade automatically switched me to PHP 7.0,
but did not auto-install MySQL support or php-mbstring support for
that version. Is this a bug, expected behavior, or did I miss something
when upgrading?


TLDR: You are hijacking another OP's thread. Start your own thread by
composing a new message, containing your question/info, and address it
to the list. (ie, replying to some message and changing its Subject
field does not begin a new thread.)

Whether or not you intended to do so, you replied to a message in the
thread whose original post Subject was "Stretch: FontAwesome not
properly installed [...]"

This means that subscribers who use a threading mail client will only
encounter your message in case they happen to find the OP's topic of
improperly installed "FontAwesome on Stretch" intriguing, and then
examine that thread.

Even worse, in case someone does reply to you in this thread, they
might totally (and understandably) misconstrue the context of your
question, and fail to see what you are seeking help with.

See, for example, the chain of follow-ups to this hijacker:

 https://lists.debian.org/debian-user/2017/06/msg00292.html

and the punch line:

 https://lists.debian.org/debian-user/2017/06/msg00307.html



It wasn't hard to fix, but slightly surprising.

Carl

Re:

[Dixan Rivas]

El 19/06/17 a las 14:27, JAP escribió:
> El 19/06/17 a las 10:04, Miguel Matos escribió:
>> Según leo en este portal web[1] al ponerme al corriente de las
>> noticias del área tecnológica y tecnocrática, "Debian lanza la nueva
>> versión estable de su distribución: ‘Stretch’". Sin temor a cometer un
>> #sopileralert, el artículo inicia diciendo
>> "Tras 26 meses de desarrollo, los responsables del proyecto Debian han
>> anunciado que la versión 9 o ‘Stretch’ de su distribución Linux ya ha
>> superado la fase de pruebas y pasa a estar disponible para su descarga
>> como nueva versión estable y lista, por tanto, para su uso en entornos
>> de producción. "
>>
>> Pues hasta ahora me he acostumbrado demasiado en usar la versión
>> "testing", de modo que al hacer update&, a prepararse a
>> bajar cientos de megas de la nueva actualización de testing... por eso
>> prefiero mejor hacerlo de noche antes de dormir... para que cuando me
>> levante la terminal esté esperando respuesta de mi parte tras bajarse
>> esos megas. "¿Y por qué?" se preguntarán. Cuando estén navegando a
>> 120kbps lo sabrán mejor.
>>
>> 1[http://www.ticbeat.com/tecnologias/debian-lanza-la-nueva-version-estable-de-su-distribucion-stretch/]
>>
>>
>
> https://www.debian.org/News/2017/20170617
>
La versión testing codename Stretch pasa a ser Buster, los que usan
stable ahora actualizaran a Stretch (nuevo estable) y los paquetes que
se agreguen nuevos a testing pertenecen al futuro release Buster (nuevo
testing) si ya usas testing y lo tienes actualizado no tienes que
descargar nada. Y con respecto a tu ancho de banda no seria mala idea un
script con debmirror que te hiciera un espejo local del repositorio y lo
actualice diario.


Saludos



signature.asc
Description: OpenPGP digital signature

Re: where to submit low security vulnerability in .profile?

[The Wanderer]

On 2017-06-19 at 11:59, Henrique de Moraes Holschuh wrote:

> On Mon, 19 Jun 2017, Greg Wooledge wrote:
> 
>> You appear to be claiming that putting ~/bin in PATH is somehow
>> inherently unsafe.  I don't agree.  Under what conditions would
>> this result in any kind of privilege escalation?
> 
> The OP was complaining that ~/bin was being *prepended* to PATH,
> instead of appended.
> 
> When you prepend ~/bin to PATH, it allows one to have a shell script
> such as ~/bin/sudo that will be run instead of the system's sudo.
> Then, some use of social engineering might get an admin or some other
> user to type in a password to run a command using su or sudo.
> 
> That said, no, it is not usually considered a security
> vulnerability, because NOT using the full path to run commands such
> as "su" and "sudo" in the first place IS considered gross
> negligence.
> 
> So, train your fingers!  There is no "su", it *is* /bin/su.  And
> there is no "sudo", it *is* /usr/bin/sudo.  Never trust aliases,
> PATH, or anything of the like for this stuff.

Wouldn't that seem to be an argument against installing the real su,
sudo, and so forth, _anywhere_ in $PATH? If running them in any other
way than with the full explicit path is such bad security practice, then
why do we install them in such a way as to facilitate doing so?

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw



signature.asc
Description: OpenPGP digital signature

Re: where to submit low security vulnerability in .profile?

[Greg Wooledge]

On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
> Le primidi 1er messidor, an CCXXV, Henrique de Moraes Holschuh a écrit :
> > That said, no, it is not usually considered a security vulnerability,
> > because NOT using the full path to run commands such as "su" and "sudo"
> > in the first place IS considered gross negligence.
> 
> If your account has been compromised so much that an attacker was able
> to add something in ~/bin/, then using the full path of the commands
> does not bring any extra security.

Henrique, I believe, was describing an attack that works like this:

1) Login.
2) PATH=~/bin:$PATH
3) vi ~/bin/su  (insert malicious code); chmod 755 ~/bin/su
4) Call the system administrator, and get him/her to come to your desk.
5) Get the sysadmin to run "su -c something" for you at your desk.
   This runs your password-capturing program, which records the root
   password somewhere you can retrieve it after the sysadmin leaves.

This is not an attack vector I had previously considered, so thanks
to Henrique for pointing it out.  Nevertheless, I don't think this
justifies any requests to change the default PATH in /etc/skel/.profile.
The attack can be carried out as described above regardless of what
Debian does in /etc/skel/.

Re: where to submit low security vulnerability in .profile?

[Nicolas George]

Le primidi 1er messidor, an CCXXV, Henrique de Moraes Holschuh a écrit :
> That said, no, it is not usually considered a security vulnerability,
> because NOT using the full path to run commands such as "su" and "sudo"
> in the first place IS considered gross negligence.

If your account has been compromised so much that an attacker was able
to add something in ~/bin/, then using the full path of the commands
does not bring any extra security.

Regards,

-- 
  Nicolas George


signature.asc
Description: Digital signature

Re: where to submit low security vulnerability in .profile?

[Henrique de Moraes Holschuh]

On Mon, 19 Jun 2017, Greg Wooledge wrote:
> You appear to be claiming that putting ~/bin in PATH is somehow inherently
> unsafe.  I don't agree.  Under what conditions would this result in any
> kind of privilege escalation?

The OP was complaining that ~/bin was being *prepended* to PATH, instead
of appended.

When you prepend ~/bin to PATH, it allows one to have a shell script
such as ~/bin/sudo that will be run instead of the system's sudo.  Then,
some use of social engineering might get an admin or some other user to
type in a password to run a command using su or sudo.

That said, no, it is not usually considered a security vulnerability,
because NOT using the full path to run commands such as "su" and "sudo"
in the first place IS considered gross negligence.

So, train your fingers!  There is no "su", it *is* /bin/su.  And there
is no "sudo", it *is* /usr/bin/sudo.  Never trust aliases, PATH, or
anything of the like for this stuff.

Still, IMHO it would be much better if we *appended* ~/bin to PATH,
instead.  I just checked, and "bash" in stretch seems to do the wrong
thing...

> What does "'su' power" mean, anyway?  That the end user has been given
> the root password?  If you've given someone the root password, they
> already have whatever power they want.

This is usually coupled to some social engineering to get someone else
that has the password to think (s)he is running the system su/sudo and
type it.

-- 
  Henrique Holschuh

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Henrique de Moraes Holschuh]

On Mon, 19 Jun 2017, Brian wrote:
> The same experience as yours on tty1 to tty6. Except a couple of days
> ago when I used nouveau.modeset=0 on GRUB's linux line and got what is
> in the subject header.

Kernel modeset must be enabled non-root X to work, as you found out...

-- 
  Henrique Holschuh

Re: Can't install Debian 9, missing liblzo2

[Henrique de Moraes Holschuh]

On Mon, 19 Jun 2017, Wellington Terumi Uemura wrote:
> I'm trying to install Debian 9 from a Live version with no success, I'm

Plese don't.  Please install from an install image.

the Live images will get fixed, but it is always safer to use them only
for testing things or playing with Debian, and using an *install* image
to install for real...

-- 
  Henrique Holschuh

Re: hacker tracking

[Mike McClain]

On Sun, Jun 18, 2017 at 07:26:01PM -0700, John Conover wrote:
> Hi Mike. You are running stateful NAT, (stateful Network Address
> Translation on your modem/router,) right?  Also, your modem/router
> should not be responding to ping(1)/icmp/ident packets since you do
> not allow remote/external access. Might try:

I'm not up on the term but my firewall drops packets from anyone with
whom I didn't initiate the connection. Is that 'stateful NAT'?

> https://www.grc.com/x/ne.dll?bh0bkyd2

I've been checking my firewall with grc.com ever since I felt the need
for a firewall and grc.com says I'm fully stealthed.

> for starters to find out, (or better, nmap(1) if you have access to an
> external shell account.)

Nope no such account but thanks for sharing your ideas.

> John
> --
> John Conover, cono...@rahul.net, http://www.johncon.com/

Mike
--
"Why fit in when you can stand out?"
- Dr. Seuss

Re: hacker tracking

[Mike McClain]

On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> The hits are coming from bots running on cracked computers.  The botnet
> operators control them through several layers of indirection.
>
> I suspect that a majority of the Windows boxes in the world may be under
> the control of botnets.
> --
> John Hasler
> jhas...@newsguy.com
> Elmwood, WI USA

Hi John,
If I understand correctly you're saying that for someone with my
limited knowledge and abilities, this is an exercise in futility since
most IP addresses I collect will not be those of hackers but rather
of those already hacked.
Since you've brought that idea to my attention it makes sense to
me but is somewhat depressing.
Oh well, knowledge is power.
Thank you for enlightening me.
Mike
--
"Why fit in when you can stand out?"
- Dr. Seuss

Re: gstreamer1.0-libav - necessary for browsers to play videos?

[Jape Person]

On 06/19/2017 09:10 AM, Brian wrote:

On Sun 18 Jun 2017 at 13:47:32 -0400, Jape Person wrote:

So you don't even install recommends normally? I would have supposed (from
reading various descriptions of recommends) that this would result in
significant functional compromise in most packages. Not usually so?


An occasional problem is not unknown but it can usually be sorted.
I do not do it on all machines and certainly would not advise others
to follow my example unless it is necessary (1G of flash memory, for
example!) Using recommended packages should be the norm.



Ah, I understand.


In the initial mail Jape Person also wrote this:



...



Worthy of a bug report?


Not from my experiences. You are using Stretch. The situation is that
firefox-esr does not recommend gstreamer1.0-libav as it does on Jessie.
Nothing else uses it, so deborphan lists it for removal. I agree with
you up 'til there.

The other issue is no sound or video played by a browser. Youtube is
still ok for me with firefox on stretch (gstreamer1.0-libav installed
or not).



Interesting. I'll just see what happens as things get sorted out in the 
new testing. I haven't seen any upgrades available yet since the freeze. 
I know it generally takes a few days.


Once again, Brian, thank you for your help.

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Greg Wooledge]

On Mon, Jun 19, 2017 at 11:00:32AM -0400, Felix Miata wrote:
> I have a dozen machines with Stretch installed, most with Jessie and/or Sid as
> well. Only Stretch on host big41 produces the subject problem.

According to a previous message in this thread, it could be triggered
by a specific kernel boot parameter.  Can you show us "cat /proc/cmdline"
from big41?

> # inxi -c0 -v4
> System:Host: big41 Kernel: 4.9.0-3-amd64 x86_64 (64 bit gcc: 6.3.0) 
> Console:
> tty 3
>Distro: Debian GNU/Linux 9
> Machine:   Mobo: TAR model: T41 HD v: ' ' Bios: American Megatrends v: 080015
> date: 09/22/2009
> CPU:   Dual core Intel Core2 Duo E7600 (-MCP-) cache: 3072 KB
>flags: (lm nx sse sse2 sse3 sse4_1 ssse3 vmx) bmips: 12237
>clock speeds: max: 3066 MHz 1: 1603 MHz 2: 1603 MHz
> Graphics:  Card: Intel 4 Series Integrated Graphics Controller bus-ID: 00:02.0
>Display Server: X.org 1.19.2 drivers: (unloaded: fbdev,vesa)
>tty size: 180x56 Advanced Data: N/A for root out of X
[snip]

Re: Stretch: FontAwesome not properly installed / not working?

[Henrique de Moraes Holschuh]

On Mon, 19 Jun 2017, Matthias Herrmann wrote:
> When I visit the font-awesome cheat sheet [1] and copy-paste a character

...

> (like , or  fa-envelope []) into gnome-shell or into another
> program, e.g. gedit, or thunderbird, it shows up as another character or
> the box with the hexvalues in them.

AFAIK, nothing based on the gnome terminal handling libs will work.

> What could be the issue?

AFAIK, GNOME's limited handling of fonts (libvte braindamage).

> What else could I check?
https://github.com/tonsky/FiraCode

Look towards the end of the FiraCode README, on the works/doesn't work
tables.

-- 
  Henrique Holschuh

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Felix Miata]

Greg Wooledge composed on 2017-06-19 09:29 (UTC-0400):
.
> On Sun, Jun 18, 2017 at 05:53:43PM -0400, Felix Miata wrote:
.
>> When I try as ordinary user (on host big41), I get the subject message. 
>> Anyone
>> know how to get startx to work in Stretch, either on :0, :1 or :2, with or
>> without a greeter running (multi-user.targer vs. graphical.target)?
.
> I've been using startx on stretch for a couple months, with no problems.
> I login as my non-root user on tty1, and run 'startx', and it just works.
.
> This is on two different machines, both using Intel graphics.  Here's one
> of them:
.
I have a dozen machines with Stretch installed, most with Jessie and/or Sid as
well. Only Stretch on host big41 produces the subject problem. It has Intel
Eagle Lake X4500 video attached via HDMI. It's Jessie works as expected, while
its Sid halts at an initramfs prompt. Big41 with kernel 4.9.0-3-amd64 works as
expected for root only. Ordinary users produce subject errors only by attempting
startx. Login from TDM greeter works as expected for all users.
.
> wooledg:~$ uname -a
> Linux wooledg 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2 (2017-06-12) x86_64 
> GNU/Linux
> 
> wooledg:~$ lspci -nn | grep VGA
> 00:02.0 VGA compatible controller [0300]: Intel Corporation HD Graphics 530 
> [8086:1912] (rev 06)
> 
> wooledg:~$ sudo dmesg | grep firmware
> [3.796473] [drm] GuC firmware load skipped
> [3.802454] i915 :00:02.0: firmware: direct-loading firmware 
> i915/skl_dmc_ver1_26.bin
.
# inxi -c0 -v4
System:Host: big41 Kernel: 4.9.0-3-amd64 x86_64 (64 bit gcc: 6.3.0) Console:
tty 3
   Distro: Debian GNU/Linux 9
Machine:   Mobo: TAR model: T41 HD v: ' ' Bios: American Megatrends v: 080015
date: 09/22/2009
CPU:   Dual core Intel Core2 Duo E7600 (-MCP-) cache: 3072 KB
   flags: (lm nx sse sse2 sse3 sse4_1 ssse3 vmx) bmips: 12237
   clock speeds: max: 3066 MHz 1: 1603 MHz 2: 1603 MHz
Graphics:  Card: Intel 4 Series Integrated Graphics Controller bus-ID: 00:02.0
   Display Server: X.org 1.19.2 drivers: (unloaded: fbdev,vesa)
   tty size: 180x56 Advanced Data: N/A for root out of X
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet 
Controller
   driver: r8169 v: 2.3LK-NAPI port: d800 bus-ID: 01:00.0
   IF: eth0 state: up speed: 1000 Mbps duplex: full mac: 
00:30:67:3a:a0:06
Drives:HDD Total Size: 500.1GB (7.4% used) ID-1: /dev/sda model: ST3500411SV
size: 500.1GB
Partition: ID-1: / size: 5.4G used: 3.5G (67%) fs: ext3 dev: /dev/sda27
   ID-2: /home size: 4.3G used: 810M (19%) fs: ext3 dev: /dev/sda9
   ID-3: swap-1 size: 1.57GB used: 0.00GB (0%) fs: swap dev: /dev/sda5
Info:  Processes: 139 Uptime: 28 min Memory: 161.8/3731.4MB Init: systemd
runlevel: 5 Gcc sys: 6.3.0
   Client: Shell (bash 4.4.121) inxi: 2.2.28
-- 
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Brian]

On Mon 19 Jun 2017 at 09:29:40 -0400, Greg Wooledge wrote:

> On Sun, Jun 18, 2017 at 05:53:43PM -0400, Felix Miata wrote:
> > When I try as ordinary user (on host big41), I get the subject message. 
> > Anyone
> > know how to get startx to work in Stretch, either on :0, :1 or :2, with or
> > without a greeter running (multi-user.targer vs. graphical.target)?
> 
> I've been using startx on stretch for a couple months, with no problems.
> I login as my non-root user on tty1, and run 'startx', and it just works.

The same experience as yours on tty1 to tty6. Except a couple of days
ago when I used nouveau.modeset=0 on GRUB's linux line and got what is
in the subject header.

Re: Wheezy: Firefox ESR update failed "half installed"--what do I do now?

[Patrick Bartek]

On Mon, 19 Jun 2017 07:53:13 -0400 rhkra...@gmail.com wrote:

> Today, on Wheezy, I got a notification from apper that an update was
> available (as I fairly often get).  
> 
> It was for firefox-esr, and, when I went to allow the update, I got a
> notice that libjsonpp0 (not sure the blurb included the pp0) also
> needed to be updated.
> 
> For the first time (in probably 2+ years of using Wheezy, maybe much
> longer) (and subject to the vagaries of my selective and failing
> memory), the update failed.  A portion of the dpkg log is shown below.
> 
> From the log, it seems some things are half installed.
> 
> I have three questions:
> 
>* is my machine in trouble--I mean, if I shut down Firefox and try
> to restart it, will I have a problem?
>
>* what is the best way to resolve the issue--perhaps wait a few
> days, don't (intentionally) shut down Firefox, and hope that a new
> update becomes available in a few days?
>
>* I guess I should also ask: should I report this somewhere?
> 
> 
>  [snip]

On my Wheezy system, I got the notification after apt-get update that
firefox-esr was being "held back."  So, I didn't do an apt-get upgrade,
but dist-upgrade instead.  And the new firefox as well as libjs-whatever
were installed.  And all is well.

B

Re: Can't install Debian 9, missing liblzo2

[Dejan Jocic]

On 19-06-17, Wellington Terumi Uemura wrote:
> Hello,
> 
> I'm trying to install Debian 9 from a Live version with no success, I'm
> using the "debian-live-9.0.0-amd64-gnome+nonfree.iso" MD5SUM
> "baf4371d63bccaed58714891626de1e2" (match with the official release).
> 
> The installation stops when it will start to mount and detect the CDROM with
> an error that it can't copy files from the disc, the syslog show this
> errors:
> 
> Jun 19 11:50:36 main-menu[559]: INFO: Menu item 'cdrom-detect' selected
> Jun 19 11:50:36 cdrom-detect: Detected CD with 'stable' (stretch)
> distribution
> Jun 19 11:50:36 main-menu[559]: INFO: Restoring default debconf priority
> 'high'
> Jun 19 11:50:36 debconf: Setting debconf/priority to high
> Jun 19 11:50:36 main-menu[559]: DEBUG: resolver (libgcc1): package doesn't
> exist (ignored)
> Jun 19 11:50:36 main-menu[559]: INFO: Falling back to the package
> description for brltty-udeb
> Jun 19 11:50:36 main-menu[559]: INFO: Falling back to the package
> description for brltty-udeb
> Jun 19 11:50:36 main-menu[559]: INFO: Menu item 'load-cdrom' selected
> Jun 19 11:50:36 anna[3385]: DEBUG: retrieving liblzo2-2-udeb 2.08-1.2+b2
> Jun 19 11:50:36 cdrom-retriever: error: Unable to find 
> '/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.
> Jun 19 11:50:36 anna[3385]: WARNING **: package retrieval failed
> Jun 19 11:50:38 cdrom-retriever: error: Unable to find 
> '/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.
> Jun 19 11:50:44 main-menu[559]: WARNING **: Configuring 'load-cdrom' failed
> with error code 6
> Jun 19 11:50:44 main-menu[559]: WARNING **: Menu item 'load-cdrom' failed.
> 
> Checking the disc, there is no
> "liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb" under that path.
> 
> The "debian-live-9.0.0-amd64-gnome.iso" also fails to install for the same
> reason.
> 
> The other issue I have is that the installer can't verify the media, it say
> that is not a official Debian Release. But the log shows it is:
> 
> Jun 19 11:37:14 cdrom-detect: Searching for Debian installation media...
> Jun 19 11:37:14 cdrom-detect: Devices: '/dev/sr0'
> Jun 19 11:37:14 cdrom-detect: CD-ROM mount succeeded: device=/dev/sr0
> fstype=iso9660
> Jun 19 11:37:14 kernel: [   40.386418] ISO 9660 Extensions: RRIP_1991A
> Jun 19 11:37:14 cdrom-detect: Detected CD 'Official Debian GNU/Linux Live
> 9.0.0 gnome 2017-06-17T17:41'
> Jun 19 11:37:15 cdrom-detect: Detected CD with 'stable' (stretch)
> distribution
> Jun 19 11:37:15 anna-install: Queueing udeb eject-udeb for later
> installation
> Jun 19 11:37:15 anna-install: Queueing udeb apt-mirror-setup for later
> installation
> Jun 19 11:37:15 cdrom-detect: Base system not installable from CD,
> requesting choose-mirror
> Jun 19 11:37:15 anna-install: Queueing udeb choose-mirror for later
> installation
> Jun 19 11:37:15 main-menu[559]: DEBUG: resolver (libgcc1): package doesn't
> exist (ignored)
> Jun 19 11:37:15 main-menu[559]: INFO: Falling back to the package
> description for brltty-udeb
> Jun 19 11:37:15 main-menu[559]: INFO: Falling back to the package
> description for brltty-udeb
> Jun 19 11:37:15 main-menu[559]: INFO: Menu item 'load-cdrom' selected
> Jun 19 11:37:15 anna[2384]: DEBUG: retrieving liblzo2-2-udeb 2.08-1.2+b2
> Jun 19 11:37:15 cdrom-retriever: error: Unable to find 
> '/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.
> Jun 19 11:37:15 anna[2384]: WARNING **: package retrieval failed
> 
> Thanks.
> 

You are not alone in that, all live images are borked. There is forum
topic about it here http://forums.debian.net/viewtopic.php?f=17=133474
and there is bug report about it with Steve McIntyre working on fix here
https://lists.debian.org/debian-boot/2017/06/msg00240.html.

Re: [Stretch] startx: /bin/sh: 0: Can't open /usr/bin/X; xinit: unable to connect to X server: Connection refused

[Greg Wooledge]

On Sun, Jun 18, 2017 at 05:53:43PM -0400, Felix Miata wrote:
> When I try as ordinary user (on host big41), I get the subject message. Anyone
> know how to get startx to work in Stretch, either on :0, :1 or :2, with or
> without a greeter running (multi-user.targer vs. graphical.target)?

I've been using startx on stretch for a couple months, with no problems.
I login as my non-root user on tty1, and run 'startx', and it just works.

This is on two different machines, both using Intel graphics.  Here's one
of them:

wooledg:~$ uname -a
Linux wooledg 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2 (2017-06-12) x86_64 GNU/Linux

wooledg:~$ lspci -nn | grep VGA
00:02.0 VGA compatible controller [0300]: Intel Corporation HD Graphics 530 
[8086:1912] (rev 06)

wooledg:~$ sudo dmesg | grep firmware
[3.796473] [drm] GuC firmware load skipped
[3.802454] i915 :00:02.0: firmware: direct-loading firmware 
i915/skl_dmc_ver1_26.bin

Re:

[JAP]

El 19/06/17 a las 10:04, Miguel Matos escribió:

Según leo en este portal web[1] al ponerme al corriente de las
noticias del área tecnológica y tecnocrática, "Debian lanza la nueva
versión estable de su distribución: ‘Stretch’". Sin temor a cometer un
#sopileralert, el artículo inicia diciendo
"Tras 26 meses de desarrollo, los responsables del proyecto Debian han
anunciado que la versión 9 o ‘Stretch’ de su distribución Linux ya ha
superado la fase de pruebas y pasa a estar disponible para su descarga
como nueva versión estable y lista, por tanto, para su uso en entornos
de producción. "

Pues hasta ahora me he acostumbrado demasiado en usar la versión
"testing", de modo que al hacer update&, a prepararse a
bajar cientos de megas de la nueva actualización de testing... por eso
prefiero mejor hacerlo de noche antes de dormir... para que cuando me
levante la terminal esté esperando respuesta de mi parte tras bajarse
esos megas. "¿Y por qué?" se preguntarán. Cuando estén navegando a
120kbps lo sabrán mejor.

1[http://www.ticbeat.com/tecnologias/debian-lanza-la-nueva-version-estable-de-su-distribucion-stretch/]



https://www.debian.org/News/2017/20170617

Can't install Debian 9, missing liblzo2

[Wellington Terumi Uemura]

Hello,

I'm trying to install Debian 9 from a Live version with no success, I'm 
using the "debian-live-9.0.0-amd64-gnome+nonfree.iso" MD5SUM 
"baf4371d63bccaed58714891626de1e2" (match with the official release).


The installation stops when it will start to mount and detect the CDROM 
with an error that it can't copy files from the disc, the syslog show 
this errors:


Jun 19 11:50:36 main-menu[559]: INFO: Menu item 'cdrom-detect' selected
Jun 19 11:50:36 cdrom-detect: Detected CD with 'stable' (stretch) 
distribution
Jun 19 11:50:36 main-menu[559]: INFO: Restoring default debconf priority 
'high'

Jun 19 11:50:36 debconf: Setting debconf/priority to high
Jun 19 11:50:36 main-menu[559]: DEBUG: resolver (libgcc1): package 
doesn't exist (ignored)
Jun 19 11:50:36 main-menu[559]: INFO: Falling back to the package 
description for brltty-udeb
Jun 19 11:50:36 main-menu[559]: INFO: Falling back to the package 
description for brltty-udeb

Jun 19 11:50:36 main-menu[559]: INFO: Menu item 'load-cdrom' selected
Jun 19 11:50:36 anna[3385]: DEBUG: retrieving liblzo2-2-udeb 2.08-1.2+b2
Jun 19 11:50:36 cdrom-retriever: error: Unable to find 
'/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.

Jun 19 11:50:36 anna[3385]: WARNING **: package retrieval failed
Jun 19 11:50:38 cdrom-retriever: error: Unable to find 
'/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.
Jun 19 11:50:44 main-menu[559]: WARNING **: Configuring 'load-cdrom' 
failed with error code 6

Jun 19 11:50:44 main-menu[559]: WARNING **: Menu item 'load-cdrom' failed.

Checking the disc, there is no 
"liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb" under that path.


The "debian-live-9.0.0-amd64-gnome.iso" also fails to install for the 
same reason.


The other issue I have is that the installer can't verify the media, it 
say that is not a official Debian Release. But the log shows it is:


Jun 19 11:37:14 cdrom-detect: Searching for Debian installation media...
Jun 19 11:37:14 cdrom-detect: Devices: '/dev/sr0'
Jun 19 11:37:14 cdrom-detect: CD-ROM mount succeeded: device=/dev/sr0 
fstype=iso9660

Jun 19 11:37:14 kernel: [   40.386418] ISO 9660 Extensions: RRIP_1991A
Jun 19 11:37:14 cdrom-detect: Detected CD 'Official Debian GNU/Linux 
Live 9.0.0 gnome 2017-06-17T17:41'
Jun 19 11:37:15 cdrom-detect: Detected CD with 'stable' (stretch) 
distribution
Jun 19 11:37:15 anna-install: Queueing udeb eject-udeb for later 
installation
Jun 19 11:37:15 anna-install: Queueing udeb apt-mirror-setup for later 
installation
Jun 19 11:37:15 cdrom-detect: Base system not installable from CD, 
requesting choose-mirror
Jun 19 11:37:15 anna-install: Queueing udeb choose-mirror for later 
installation
Jun 19 11:37:15 main-menu[559]: DEBUG: resolver (libgcc1): package 
doesn't exist (ignored)
Jun 19 11:37:15 main-menu[559]: INFO: Falling back to the package 
description for brltty-udeb
Jun 19 11:37:15 main-menu[559]: INFO: Falling back to the package 
description for brltty-udeb

Jun 19 11:37:15 main-menu[559]: INFO: Menu item 'load-cdrom' selected
Jun 19 11:37:15 anna[2384]: DEBUG: retrieving liblzo2-2-udeb 2.08-1.2+b2
Jun 19 11:37:15 cdrom-retriever: error: Unable to find 
'/w/work/nonfree/gnomepool/main/libl/liblzo2-2-udeb/liblzo2-2-udeb_2.08-1.2+b2_amd64.udeb'.

Jun 19 11:37:15 anna[2384]: WARNING **: package retrieval failed

Thanks.

Re: what partitions to mount during upgrade ?

[Joe]

On Mon, 19 Jun 2017 10:44:23 +
"Blair, Charles E III"  wrote:

>I am an unsophisticated user who has finally gotten
> around to upgrading a desktop from wheezy to jessie.  I am
> trying to follow the instructions in the "release notes,"
> but don't really know what I'm doing.
> 
>My current question is to clarify the instructions about
> mounting partitions at the beginning of section 4.4.  I
> think I am supposed to issue as superuser the commands
> 
> mount -o remount,rw /
> mount -o remount,rw /usr
> 
> Are there any other mount commands to issue before
> apt-get upgrade ?  How do I find out?  I don't think
> it matters, but this is a dual-boot using grub with
> windows as the other system.
> 

As an aside, do you have a separate partition for /usr? Most previous
Debian installers suggested doing so as an option, but jessie after
upgrade will be based on systemd and really isn't happy about a
separate /usr.

/usr is really required for boot nowadays, certainly with systemd. If
your /usr is a separate partition, you can rebuild the initrd file to
include /usr mounting instructions. Alternatively, you can merge /usr
into /, which may be difficult if you previously went with the
suggested few hundred MB size for / where /usr, /var and /home are on
separate partitions. The voice of experience...

As to mounting, the original purpose of /usr was to hold application
code, which was never written to except for upgrade, and was shared by
all users. Under those circumstances, it could be mounted read-only
during normal use, to prevent accidental damage to it, or one user
modifying something without realising that other users would be
affected. If you're an 'unsophisticated user', you are unlikely to have
set up the system in that way. Also, / may be mounted read-only after a
serious boot error, so this is a warning to anyone who has a dodgy or
exotic system to make absolutely sure that both / and /usr are mounted
with writing enabled. You do also need /var and /home mounted, if they
are separate to /, but if they were not mounted properly you would know
about it already. I would guess also that it is possible to try an
upgrade of a dead system using chroot, and again, you should check to
make sure you know what's going on. A chroot is a meld of two systems,
and it is relatively easy to make changes to the wrong one.

Any package upgrade will require read-write mounting, and any problem
here will be obvious very quickly. If you're upgrading a working,
running system, than you can safely assume that the right things are
mounted already. It's not a big risk, because one of the upgrade
preliminaries is to make sure that your existing system is fully
upgraded before the version upgrade is attempted, and any mounting
problems would show up at that stage, long before anything irrevocable
has happened.

I suspect this warning exists because someone once had a mounting
problem, and the upgrade did not follow the expected path, and they
complained that the release notes did not take account of this
possibility. Now they do.

-- 
Joe

Re: gstreamer1.0-libav - necessary for browsers to play videos?

[Brian]

On Sun 18 Jun 2017 at 13:47:32 -0400, Jape Person wrote:

> On 06/18/2017 07:54 AM, Brian wrote:
> >
> >My main Jessie machine does not install recommended packages; it
> >plays youtube clips within firefox-esr.
> 
> So you don't even install recommends normally? I would have supposed (from
> reading various descriptions of recommends) that this would result in
> significant functional compromise in most packages. Not usually so?

An occasional problem is not unknown but it can usually be sorted.
I do not do it on all machines and certainly would not advise others
to follow my example unless it is necessary (1G of flash memory, for
example!) Using recommended packages should be the norm.
 
> I think it's odd that I always install Recommends but not Suggests, and that
> my browsers won't play video without this particular Suggested package.

In the initial mail Jape Person also wrote this:

> >>Following re-installation of gstreamer1.0-libav all browsers were
> >>once again able to play videos.
> >>
> >>I would have thought that aptitude why might have given me a hint
> >>about the browsers requiring this package. I've looked to be sure
> >>the browsers do, indeed, have all of their depends and recommends
> >>installed, and they do. (I do not install suggests as a rule, and I
> >>don't use any kind of proprietary codecs or player software. So I
> >>am dependent upon the DFSG-compliant software available in the
> >>Debian repositories to play any video or audio I'm going to use on
> >>these systems.)
> >>
> >>This is, obviously, not a very serious problem, but it's an
> >>interesting one that might bite others as unwary as I. Maybe it's
> >>implicated somehow in some of the odd reports we see from
> >>time-to-time of someone who can't get a browser to play videos.
> >>
> >>Worthy of a bug report?

Not from my experiences. You are using Stretch. The situation is that
firefox-esr does not recommend gstreamer1.0-libav as it does on Jessie.
Nothing else uses it, so deborphan lists it for removal. I agree with
you up 'til there.

The other issue is no sound or video played by a browser. Youtube is
still ok for me with firefox on stretch (gstreamer1.0-libav installed
or not).

-- 
Brian.

[no subject]

[Miguel Matos]

Según leo en este portal web[1] al ponerme al corriente de las
noticias del área tecnológica y tecnocrática, "Debian lanza la nueva
versión estable de su distribución: ‘Stretch’". Sin temor a cometer un
#sopileralert, el artículo inicia diciendo
"Tras 26 meses de desarrollo, los responsables del proyecto Debian han
anunciado que la versión 9 o ‘Stretch’ de su distribución Linux ya ha
superado la fase de pruebas y pasa a estar disponible para su descarga
como nueva versión estable y lista, por tanto, para su uso en entornos
de producción. "

Pues hasta ahora me he acostumbrado demasiado en usar la versión
"testing", de modo que al hacer update&, a prepararse a
bajar cientos de megas de la nueva actualización de testing... por eso
prefiero mejor hacerlo de noche antes de dormir... para que cuando me
levante la terminal esté esperando respuesta de mi parte tras bajarse
esos megas. "¿Y por qué?" se preguntarán. Cuando estén navegando a
120kbps lo sabrán mejor.

1[http://www.ticbeat.com/tecnologias/debian-lanza-la-nueva-version-estable-de-su-distribucion-stretch/]
-- 

Ayuda para hacer preguntas inteligentes: http://is.gd/NJIwRz

[SOLUCIONADO] Re: No puedo hacer "tapping" en Debian 9

[divagante]

Joya! a usar Debian!

 Acordate de colocar al asunto si se soluciona lo siguente por delante 
del asunto: [SOLUCIONADO].


Ya lo hice yo ahora, para la proxima es tu turno. Saludos.


El 18/06/17 a las 20:31, Alan escribió:

El 18/06/17 a las 16:33, divagante escribió:


El 18/06/17 a las 16:23, Alan escribió:

Saludos a todos. Hoy instalé Debian 9 en mi laptop y lo estoy
configurando. El único inconveniente que tengo hasta ahora es que no
puedo activar la función "tap to click" de mi touchpad, así como el
desplazamiento en el borde.
Las soluciones que encontré en internet no funcionaron, hablando casi
todas ellas de editar /etc/x11/xorg.conf-d/synaptics.conf
Es por eso que recurro a la lista, a ver si alguien me puede dar una
mano.
Estoy usando Xfce como entorno de escritorio y el modelo de touchpad
es "ETPS/2 Elantech Touchpad".
Muchas gracias de antemano.

Hola alan! me sucedio lo mismo. Lo que hay que hacer es esto:

edita el archivo de configuracion como root:


nano /usr/share/X11/xorg.conf.d/40-libinput.conf (en vez de nano tu
editor favorto)

En la seccion agregar la linea: Option  "Tapping" "on". !uedando asi:

Section "InputClass"
 Identifier "libinput touchpad catchall"
 MatchIsTouchpad "on"
 MatchDevicePath "/dev/input/event*"
 Option  "Tapping" "on"
 Driver "libinput"
EndSection


Reinicia las Xs y guala!! Saludos

Fuente y mas info: https://wiki.archlinux.org/index.php/Libinput


Muchas gracias por tu ayuda. Hice lo que me dijiste y funcionó perfecto.
Además revisé el enlace que dejaste, que me resultó muy útil para hacer
otros cambios.

Saludos

Re: Setting LD_LIBRARY_PATH on a per-user basis during login

[Greg Wooledge]

On Sun, Jun 18, 2017 at 01:52:05PM +0200, Martin R. Neuhaeusser wrote:
> it should be enough to set the environment variable in $HOME/.profile.
> 
> And this really works flawlessly for non-graphical logins.

For graphical (display manager) logins, see
.

> The first
> bad thing that I had to realize is that for graphical logins, .profile
> is just not read. As it seems, one has to source .profile in a (Debian-
> specific) file which is called $HOME/.xsessionrc to ensure that
> .profile is read during graphical logins.

~/.xsessionrc does not exist by default, so it may or may not dot in
~/.profile.  Depends on what you put in it when you create it.

> Is it really expected behaviour that by default, all setting in
> .profile are ignored for graphical logins whereas they are evaluated
> for non-grahical ones?

Yup.

> Once I source $HOME/.profile from $HOME/.xsessionrc and login
> graphically, all variables that I define within $HOME/.profile are set
> as expected _except_ LD_LIBRARY_PATH. It seems that someone clears
> exactly this variable (on purpose?) without caring at all about its
> content.

Sounds like a desktop environment thing.  They are highly intrusive.
Just a few weeks ago, someone was trying to set their locale variables
at login, and GNOME was clobbering them.

> After some hours of trial-and-error, I finally gave up.

Which desktop environment are you using?  How attached to it are you?

Perhaps your DE has some mechanism for allowing "dangerous" variables
like LD_LIBRARY_PATH to be set by the end user.  Or perhaps it simply
"knows better" than you, and you will have to scrap it entirely to
achieve your goals.  Who knows?  Certainly not I.

Re: Peculiar problem with root login

[Harry Putnam]

Tom Dial  writes:

[...]

>From Harry's settings:


>> LoginGraceTime 120
>> PermitRootLogin without-password

Tom D wrote:

> This will prevent root login using a password. Only other methods, such
> as RSA authentication are to be permitted.

That turned out to be exactly the problem.

Somewhere amongst my fiddling, weeks ago now. I must have uncommented
that or something like.

[...]

>From Harry's settings:

>> PermitRootLogin yes

> This may or may not be effective owing the the above setting of
> "PermitRootLogin without-password" depending on how sshd treats
> duplicate setting. My (jessie) man page does not say whether the first
> or last setting will be effective.

I guess we may assume it goes by the first since

'PermitRootLogin yes'

was the very last line of my config.

[...]

David Christensen  writes:

[...]

>> ChallengeResponseAuthentication no
>> PasswordAuthentication yes
>
> I use:
>
> PasswordAuthentication no
>
>
> This requires all users to have their remote user public keys entered
> into their authorized_keys files to log in from those remote hosts.
>
>
>> X11Forwarding yes
>> X11DisplayOffset 10
>> PrintMotd no
>> PrintLastLog yes
>> TCPKeepAlive yes
>> AcceptEnv LANG LC_*
>> Subsystem sftp /usr/lib/openssh/sftp-server
>> UsePAM yes
>> PermitRootLogin yes
>
> This conflicts with the above setting (which is what I use):
>
> PermitRootLogin without-password

Yup, that was the problem

Thank you both for the excellent input.. (snipped in this response but
kept on hand for future reference..)

Re: where to submit low security vulnerability in .profile?

[Greg Wooledge]

On Sun, Jun 18, 2017 at 06:56:07AM +0200, David Bunch wrote:
> I'm not sure where or how or even if i should submit a bug small security 
> vulnerability in the default .profile that is created in each users home 
> directory. 

That file comes from /etc/skel/.profile which is in the package...

wooledg:~$ dpkg -S /etc/skel/.profile 
bash: /etc/skel/.profile

... package "bash".

> .profile searches for a ~/bin directory and if it finds it prepends it to
> PATH like so: PATH='$HOME/bin':$PATH

This is not true in stretch:

wooledg:~$ tail -4 /etc/skel/.profile
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi

There are double quotes, not single quotes.  The $HOME variable is
correctly expanded.

> A safer configuration would be PATH=$PATH:'$HOME/bin'.

That would be wrong, too.  There must be double quotes, not single quotes.

> This could be a potential security vulnerability because if the user account
> of a uesr with 'su' power, an attacker could place a malicious 'su', 'ls', 
> and 'which' in their ~/bin directory which could give an attacker the root
> password when the user runs the 'su' command.  

You appear to be claiming that putting ~/bin in PATH is somehow inherently
unsafe.  I don't agree.  Under what conditions would this result in any
kind of privilege escalation?

What does "'su' power" mean, anyway?  That the end user has been given
the root password?  If you've given someone the root password, they
already have whatever power they want.

Everyone with any sense puts ~/bin in $PATH.  This is how you as the user
override the stupid crap that your local sysadmin (or your OS vendor)
did, that you don't want, at the external command level.  (Sometimes a
shell function is a better override, but having ~/bin at the start of
PATH gives you both options.)

If you don't like this for some reason, you are free to edit the
/etc/skel/.profile on your computer.  Now you're the local sysadmin
doing stupid crap, and your users can override you by editing their
~/.profile.  Thank goodness the Unix designers put in so many ways for
users to reclaim their power from those who would try to suppress it.

Re: Debian 9 - Stretch has been released!

[Greg Wooledge]

On Sat, Jun 17, 2017 at 08:42:54PM -0700, Jimmy Johnson wrote:
>  https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

Don't use live images for installations.

Use install images for installations.

For example, if you go to  there is a shiny
green inset link which will download the amd64 netinst ISO image.
Currently, that URL has the substring 9.0.0 in it, so I won't bother
linking it here, as it may expire by the time people reading the
mailing list archives see this.

So, just go to  instead, and follow the
download links from there.

Re: Stretch--how to launch WICD, which isn't in the menu

[Brian]

On Mon 19 Jun 2017 at 13:00:05 +0100, Lisi Reisz wrote:

> On Monday 19 June 2017 12:09:59 Brian wrote:
> > On Mon 19 Jun 2017 at 11:38:28 +0100, Lisi Reisz wrote:
> > > On Monday 19 June 2017 00:24:52 pplaw wrote:
> > > > Hi,
> > > >
> > > > In Stretch, I'd like to use WICD to manage network interfaces,
> > > > but when I go through what had been my usual menu with Jessie
> > > > (Programs > Applications > network > Monitoring > WICD), there's
> > > > no Monitoring > WICD.
> > > >
> > > > How do I access and, thus, launch WICD?
> > >
> > > You don't say what Desktop Environment you are using, but on many, alt-F2
> > > will bring up a launcher.  You then type wicd and press enter. 
> > > Alternatively, open a terminal and type wicd.
> > >
> > > You do know that you have got WICD?  I always have to install it
> > > separately (having removed NM).
> >
> > If wicd is installed, wouldn't the daemon be running? wicd-gtk,
> > wicd-curses or wicd-cli would be typed?
> 
> I just type wicd in the launcher - YMMV.  (Bad habits, old dogs .. I'm sure 
> lots of them apply. :-(  )

The advice at

  https://wiki.debian.org/WiFi/HowToUse#Wicd

differs. Outdated? Incorrect?

Re: Debian 9, Wine och Firefox

[Andreas Ronnquist]

On Mon, 19 Jun 2017 10:49:01 +0100 (CET),
Peter Krefting wrote:

>Hej!
>
>Efter att jag uppgraderat till Debian 9 på en av mina datorer kan inte
>min Wine-Firefox (version 53, 54 startar inte alls) inte längre
>ansluta till webben. Det hjälper inte att byta til Wine 2.0
>(wine-development).
>
>Jag kör Firefox i Wine för att kunna använda Windows-versionen av
>Flash, eftersom den stöder en DRM-metod en strömningstjänst jag
>använder kräver, vilket inte Linux-Flash gör. Det har fungerat fint
>fram till nu i Debian 8.
>
>Är det någon som har testat och fått det att fungera?
>

Jag har för mig att jag hade samma problem med Wine från
Debian-förråden, och kör istället framgångsrikt paketet winehq-stable
(vilket för närvarande är Wine 2.0.1) från Wines eget förråd:

https://wiki.winehq.org/Debian

Detta på Stretch, linux 4.9.0 (standardkärnan för Stretch), Firefox ESR
52.2.0 (32-bitars) för Windows.

Flash och strömning med min TV-tjänst fungerar fin-fint.

-- Andreas Rönnquist
mailingli...@gusnan.se
gus...@openmailbox.org

Debian 9

[Terry Henderson]

Hi,

In Parallels Desktop For Mac, The Parallels Tools .iso Mounts As Read Only, 
Therefore The Parallels Tools Will NOT Install !!!

Any Help Out There ??

Thanks,

Terry Henderson

Re: what partitions to mount during upgrade ?

[Brian]

On Mon 19 Jun 2017 at 10:44:23 +, Blair, Charles E III wrote:

>I am an unsophisticated user who has finally gotten
> around to upgrading a desktop from wheezy to jessie.  I am
> trying to follow the instructions in the "release notes,"
> but don't really know what I'm doing.
> 
>My current question is to clarify the instructions about
> mounting partitions at the beginning of section 4.4.  I
> think I am supposed to issue as superuser the commands
> 
> mount -o remount,rw /
> mount -o remount,rw /usr
> 
> Are there any other mount commands to issue before
> apt-get upgrade ?  How do I find out?  I don't think
> it matters, but this is a dual-boot using grub with
> windows as the other system.

Issue the command 'mount' as a user. For / I get

  /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro,data=ordered)

so the beginning of section 4.4 would not apply to any upgrade I did.

Re: Stretch--how to launch WICD, which isn't in the menu

[Lisi Reisz]

On Monday 19 June 2017 12:09:59 Brian wrote:
> On Mon 19 Jun 2017 at 11:38:28 +0100, Lisi Reisz wrote:
> > On Monday 19 June 2017 00:24:52 pplaw wrote:
> > > Hi,
> > >
> > > In Stretch, I'd like to use WICD to manage network interfaces,
> > > but when I go through what had been my usual menu with Jessie
> > > (Programs > Applications > network > Monitoring > WICD), there's
> > > no Monitoring > WICD.
> > >
> > > How do I access and, thus, launch WICD?
> >
> > You don't say what Desktop Environment you are using, but on many, alt-F2
> > will bring up a launcher.  You then type wicd and press enter. 
> > Alternatively, open a terminal and type wicd.
> >
> > You do know that you have got WICD?  I always have to install it
> > separately (having removed NM).
>
> If wicd is installed, wouldn't the daemon be running? wicd-gtk,
> wicd-curses or wicd-cli would be typed?

I just type wicd in the launcher - YMMV.  (Bad habits, old dogs .. I'm sure 
lots of them apply. :-(  )

Lisi

Wheezy: Firefox ESR update failed "half installed"--what do I do now?

[rhkramer]

Today, on Wheezy, I got a notification from apper that an update was available 
(as I fairly often get).  

It was for firefox-esr, and, when I went to allow the update, I got a notice 
that libjsonpp0 (not sure the blurb included the pp0) also needed to be 
updated.

For the first time (in probably 2+ years of using Wheezy, maybe much longer) 
(and subject to the vagaries of my selective and failing memory), the update 
failed.  A portion of the dpkg log is shown below.

From the log, it seems some things are half installed.

I have three questions:

   * is my machine in trouble--I mean, if I shut down Firefox and try to 
restart it, will I have a problem?
   
   * what is the best way to resolve the issue--perhaps wait a few days, don't 
(intentionally) shut down Firefox, and hope that a new update becomes 
available in a few days?
   
   * I guess I should also ask: should I report this somewhere?


`=
2017-06-19 07:14:08 startup archives unpack
2017-06-19 07:14:08 upgrade libexpat1:amd64 2.1.0-1+deb7u4 2.1.0-1+deb7u5
2017-06-19 07:14:08 status half-configured libexpat1:amd64 2.1.0-1+deb7u4
2017-06-19 07:14:08 status unpacked libexpat1:amd64 2.1.0-1+deb7u4
2017-06-19 07:14:08 status half-installed libexpat1:amd64 2.1.0-1+deb7u4
2017-06-19 07:14:08 status half-installed libexpat1:amd64 2.1.0-1+deb7u4
2017-06-19 07:14:08 status unpacked libexpat1:amd64 2.1.0-1+deb7u5
2017-06-19 07:14:08 status unpacked libexpat1:amd64 2.1.0-1+deb7u5
2017-06-19 07:14:08 install libjsoncpp0:amd64  0.6.0~rc2-3
2017-06-19 07:14:08 status half-installed libjsoncpp0:amd64 0.6.0~rc2-3
2017-06-19 07:14:08 status unpacked libjsoncpp0:amd64 0.6.0~rc2-3
2017-06-19 07:14:08 status unpacked libjsoncpp0:amd64 0.6.0~rc2-3
2017-06-19 07:14:08 upgrade firefox-esr:amd64 45.9.0esr-1~deb7u1 
52.2.0esr-1~deb7u1
2017-06-19 07:14:08 status half-configured firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:08 status unpacked firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:08 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:10 status triggers-pending mime-support:all 3.52-1+deb7u1
2017-06-19 07:14:10 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:10 status triggers-pending man-db:amd64 2.6.2-1
2017-06-19 07:14:10 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:10 status triggers-pending desktop-file-utils:amd64 0.20-0.1
2017-06-19 07:14:10 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status triggers-pending hicolor-icon-theme:all 0.12-1
2017-06-19 07:14:11 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status half-installed firefox-esr:amd64 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status unpacked firefox-esr:amd64 52.2.0esr-1~deb7u1
2017-06-19 07:14:11 status unpacked firefox-esr:amd64 52.2.0esr-1~deb7u1
2017-06-19 07:14:11 upgrade iceweasel:all 45.9.0esr-1~deb7u1 
52.2.0esr-1~deb7u1
2017-06-19 07:14:11 status half-configured iceweasel:all 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status unpacked iceweasel:all 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status half-installed iceweasel:all 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status half-installed iceweasel:all 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status half-installed iceweasel:all 45.9.0esr-1~deb7u1
2017-06-19 07:14:11 status unpacked iceweasel:all 52.2.0esr-1~deb7u1
2017-06-19 07:14:11 status unpacked iceweasel:all 52.2.0esr-1~deb7u1
2017-06-19 07:14:11 trigproc mime-support:all 3.52-1+deb7u1 3.52-1+deb7u1
2017-06-19 07:14:11 status half-configured mime-support:all 3.52-1+deb7u1
2017-06-19 07:14:11 status installed mime-support:all 3.52-1+deb7u1
2017-06-19 07:14:11 trigproc man-db:amd64 2.6.2-1 2.6.2-1
2017-06-19 07:14:11 status half-configured man-db:amd64 2.6.2-1
2017-06-19 07:14:11 trigproc desktop-file-utils:amd64 0.20-0.1 0.20-0.1
2017-06-19 07:14:11 status half-configured desktop-file-utils:amd64 0.20-0.1
='

Re: Debian 9, Wine och Firefox

[Staffan Melin (Oscillator)]

Tyvärr, inget tips där. Chrome löser tydligen bara Netflix-problemet
(https://www.howtogeek.com/240636/everything-you-need-to-know-about-watching-drmd-media-on-linux/).

Den 19 juni 2017 13:40 skrev Peter Krefting :
> Jepp. WWE Network - http://network.wwe.com/
>
> Det fungerade i Firefox på Linux fram till och med slutet av 2015, då var
> jag tvungen att gå över till Wine. Så här skrev jag om det då:
> http://www.softwolves.com/wolfblog/2015/11/18/watching-the-wwe-network-on-linux/
>
> --
> \\// Peter - http://www.softwolves.pp.se/
>



-- 
Staffan Melin
Oscillator - ord bild form
Kryssdäcket 1
SE-413 27 GÖTEBORG
SVERIGE/SWEDEN
www.oscillator.se
staffan.me...@oscillator.se
+46 (0)70-4876 250

Re: Debian 9, Wine och Firefox

[Peter Krefting]

Staffan Melin (Oscillator):


Men detta gäller kanske en annan tjänst?


Jepp. WWE Network - http://network.wwe.com/

Det fungerade i Firefox på Linux fram till och med slutet av 2015, då 
var jag tvungen att gå över till Wine. Så här skrev jag om det då: 
http://www.softwolves.com/wolfblog/2015/11/18/watching-the-wwe-network-on-linux/


--
\\// Peter - http://www.softwolves.pp.se/

what partitions to mount during upgrade ?

[Blair, Charles E III]

   I am an unsophisticated user who has finally gotten
around to upgrading a desktop from wheezy to jessie.  I am
trying to follow the instructions in the "release notes,"
but don't really know what I'm doing.

   My current question is to clarify the instructions about
mounting partitions at the beginning of section 4.4.  I
think I am supposed to issue as superuser the commands

mount -o remount,rw /
mount -o remount,rw /usr

Are there any other mount commands to issue before
apt-get upgrade ?  How do I find out?  I don't think
it matters, but this is a dual-boot using grub with
windows as the other system.

Re: Stretch--how to launch WICD, which isn't in the menu

[Brian]

On Mon 19 Jun 2017 at 11:38:28 +0100, Lisi Reisz wrote:

> On Monday 19 June 2017 00:24:52 pplaw wrote:
> > Hi,
> >
> > In Stretch, I'd like to use WICD to manage network interfaces,
> > but when I go through what had been my usual menu with Jessie
> > (Programs > Applications > network > Monitoring > WICD), there's
> > no Monitoring > WICD.
> >
> > How do I access and, thus, launch WICD?
> 
> You don't say what Desktop Environment you are using, but on many, alt-F2 
> will 
> bring up a launcher.  You then type wicd and press enter.  Alternatively, 
> open a terminal and type wicd.
> 
> You do know that you have got WICD?  I always have to install it separately 
> (having removed NM).

If wicd is installed, wouldn't the daemon be running? wicd-gtk,
wicd-curses or wicd-cli would be typed?

Stretch upgrade: lost PHP features?

[Carl Fink]

Having upgraded my virtual server to Stretch, I discovered that tt-rss
was broken because the upgrade automatically switched me to PHP 7.0,
but did not auto-install MySQL support or php-mbstring support for
that version. Is this a bug, expected behavior, or did I miss something
when upgrading?

It wasn't hard to fix, but slightly surprising.

Carl

Re: Stretch--how to launch WICD, which isn't in the menu

[Lisi Reisz]

On Monday 19 June 2017 00:24:52 pplaw wrote:
> Hi,
>
> In Stretch, I'd like to use WICD to manage network interfaces,
> but when I go through what had been my usual menu with Jessie
> (Programs > Applications > network > Monitoring > WICD), there's
> no Monitoring > WICD.
>
> How do I access and, thus, launch WICD?

You don't say what Desktop Environment you are using, but on many, alt-F2 will 
bring up a launcher.  You then type wicd and press enter.  Alternatively, 
open a terminal and type wicd.

You do know that you have got WICD?  I always have to install it separately 
(having removed NM).

Lisi

Re: sed

[Daniel Caillibaud]

Le 19/06/17 à 11:17, Francois Lafont  a écrit :
FL> Hello,
FL> 
FL> On 06/19/2017 10:05 AM, Daniel Caillibaud wrote:
FL> 
FL> > ???
FL> > Un truc m'échappe, tu peux détailler la différence de résultat entre les 
deux ?
FL> 
FL> Pas de souci. Bon... toutes mes excuses par avance si c'est
FL> moi qui ai mal compris au final. ;)
FL> 
FL> Sauf erreur donc, le PO il voulait remplacer ça (chaîne brute
FL> où le \ n'a pas de signification spéciale) :

PO ?

FL> class=\"fma\"
FL> 
FL> par du vide.

Dans ce cas c'est moi qui ai mal compris, je pensais qu'il échappait le 
guillemet et voulais
remplacer toutes les chaînes `class="fma"` (et aussi par habitude du html, 
class= étant suivi
normalement d'un guillement), et ensuite j'ai lu un peu vite et pensais que le 
double
échappement était là à cause des doubles quotes mais revenait à un échappement 
du guillemet dans
l'expression à virer (alors que c'était bien l'échappement de \ qui était 
voulu).

Bref, j'avais rien compris et ma réponse était à coté du pb.

-- 
Daniel

Mieux vaut préter à sourire que donner a refléchir.

Debian 9, Wine och Firefox

[Peter Krefting]

Hej!

Efter att jag uppgraderat till Debian 9 på en av mina datorer kan inte 
min Wine-Firefox (version 53, 54 startar inte alls) inte längre 
ansluta till webben. Det hjälper inte att byta til Wine 2.0 
(wine-development).


Jag kör Firefox i Wine för att kunna använda Windows-versionen av 
Flash, eftersom den stöder en DRM-metod en strömningstjänst jag 
använder kräver, vilket inte Linux-Flash gör. Det har fungerat 
fint fram till nu i Debian 8.


Är det någon som har testat och fått det att fungera?

--
\\// Peter - http://www.softwolves.pp.se/

(deb-cat) Fwd: Debian 9 'Stretch' released

[Narcis Garcia]

He fet un esborrany de comunicat públic a partir de la versió anterior:

http://wiki.gilug.org/index.php/Alliberament_de_Debian_9

Extraient novetats destacables:
- Que millora la seguretat de la sessió gràfica.
- Que millora la verificació del programari original, i es modernitza el
programari de xifratge (GPG), especialment útil a les comunicacions.
- Que millora la compatibilitat amb ordinadors antics (UEFI-32)
- Que s'inclou la nova versió de molt programari conegut, com per
exemple LibreOffice 5 o PHP 7.



 Missatge reenviat 
Assumpte: Debian 9 "Stretch" released
Reenviat-Data: Sun, 18 Jun 2017 06:26:39 + (UTC)
Reenviat-De: debian-annou...@lists.debian.org
Data: Sat, 17 Jun 2017 20:22:36 -1000
De: Ana Guerrero Lopez 
A: debian-annou...@lists.debian.org


The Debian Project   https://www.debian.org/
Debian 9 "Stretch" released pr...@debian.org
June 17th, 2017https://www.debian.org/News/2017/20170617



After 26 months of development the Debian project is proud to present
its new stable version 9 (code name "Stretch"), which will be supported
for the next 5 years thanks to the combined work of the Debian Security
team [1] and of the Debian Long Term Support [2] team.

1: https://security-team.debian.org/
2: https://wiki.debian.org/LTS

Debian 9 is dedicated [3] to the project's founder Ian Murdock, who
passed away on 28 December 2015.

3: http://ftp.debian.org/debian/doc/dedication/dedication-9.0.txt

In "Stretch", the default MySQL variant is now MariaDB. The replacement
of packages for MySQL 5.5 or 5.6 by the MariaDB 10.1 variant will happen
automatically upon upgrade.

Firefox and Thunderbird return to Debian with the release of "Stretch",
and replace their debranded versions Iceweasel and Icedove, which were
present in the archive for more than 10 years.

Thanks to the Reproducible Builds project, over 90% of the source
packages included in Debian 9 will build bit-for-bit identical binary
packages. This is an important verification feature which protects users
from malicious attempts to tamper with compilers and build networks.
Future Debian releases will include tools and metadata so that end-users
can validate the provenance of packages within the archive.

Administrators and those in security-sensitive environments can be
comforted in the knowledge that the X display system no longer requires
"root" privileges to run.

The "Stretch" release is the first version of Debian to feature the
"modern" branch of GnuPG in the "gnupg" package. This brings with it
elliptic curve cryptography, better defaults, a more modular
architecture, and improved smartcard support. We will continue to supply
the "classic" branch of GnuPG as gnupg1 for people who need it, but it
is now deprecated.

Debug packages are easier to obtain and use in Debian 9 "Stretch". A new
"dbg-sym" repository can be added to the APT source list to provide
debug symbols automatically for many packages.

The UEFI ("Unified Extensible Firmware Interface") support first
introduced in "Wheezy" continues to be greatly improved in "Stretch",
and also supports installing on 32-bit UEFI firmware with a 64-bit
kernel. The Debian live images now include support for UEFI booting as a
new feature, too.

This release includes numerous updated software packages, such as:

  * Apache 2.4.25
  * Asterisk 13.14.1
  * Chromium 59.0.3071.86
  * Firefox 45.9 (in the firefox-esr package)
  * GIMP 2.8.18
  * an updated version of the GNOME desktop environment 3.22
  * GNU Compiler Collection 6.3
  * GnuPG 2.1
  * Golang 1.7
  * KDE Frameworks 5.28, KDE Plasma 5.8, and KDE Applications 16.08 and
16.04 for PIM components
  * LibreOffice 5.2
  * Linux 4.9
  * MariaDB 10.1
  * MATE 1.16
  * OpenJDK 8
  * Perl 5.24
  * PHP 7.0
  * PostgreSQL 9.6
  * Python 2.7.13 and 3.5.3
  * Ruby 2.3
  * Samba 4.5
  * systemd 232
  * Thunderbird 45.8
  * Tomcat 8.5
  * Xen Hypervisor
  * the Xfce 4.12 desktop environment
  * more than 51,000 other ready-to-use software packages, built from a
bit more of 25,000 source packages.

With this broad selection of packages and its traditional wide
architecture support, Debian once again stays true to its goal of being
the universal operating system. It is suitable for many different use
cases: from desktop systems to netbooks; from development servers to
cluster systems; and for database, web, or storage servers. At the same
time, additional quality assurance efforts like automatic installation
and upgrade tests for all packages in Debian's archive ensure that
"Stretch" fulfills the high expectations that users have of a stable
Debian release.

A total of ten architectures are supported: 64-bit PC / Intel EM64T /
x86-64 (amd64), 32-bit PC / Intel IA-32 (i386), 64-bit 

Re: The canonical way of making a local modification to a package.

[Darac Marjal]

On Mon, Jun 19, 2017 at 01:03:53AM +0200, Anders Wegge Keller wrote:

Hi Debian User!

I write to you, because it's that time again. You know, we've gotten a
brand new release, and I have to spend yet a day or two in frustration over
why python isn't enabled in the inn2 package.

This time, however, I want to ask beforehand, what the proper way of doing
such a local modification is. Strictly speaking, I need to add a single line
to debian/rules, and for good measure, add to the version string (so I know
that it's my own problem), and for good measure, throw in a snide comment in
the changelog about deficient distro defaults. The ideal solution would be
something that can be scripted to happen automatically, each time the
package in Stretch change version.

Can anyone give me the ELI5 instructions for the above?


There is, as far as I'm aware, no automatic system for local patches
(apt-build seems close, but I don't *think* it supports patches). So,
instead, try something like the following:

apt-get source mypackage
apt-get build-dep mypackage
cd mypackage-*
editor debian/rules
dch -i
debuild -uc -us
dpkg -i ../mypackage_*.deb

(dch and debuild are in the pacakge devscripts)

This may not work in every instance, but check for any errors that
debuild gives you (for instance, you may be required to do "dpkg-source
--commit" before building)



--
//Wegge



--
For more information, please reread.


signature.asc
Description: PGP signature

Re: Stretch: FontAwesome not properly installed / not working?

[Johann Spies]

On 19 June 2017 at 00:14, Matthias Herrmann  wrote:
> Hello
>
> I've got the following issue:
> When I visit the font-awesome cheat sheet [1] and copy-paste a character
> (like , or  fa-envelope []) into gnome-shell or into another
> program, e.g. gedit, or thunderbird, it shows up as another character or
> the box with the hexvalues in them.

I have copied the whole cheat sheet into emacs and everything seems OK.

I do not use Gnome. The rest of your tests of the installed fonts
seems to correspond with what I have.

Regards
Johann.


-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)

Re: sed

[Francois Lafont]

Hello,

On 06/19/2017 10:05 AM, Daniel Caillibaud wrote:

> ???
> Un truc m'échappe, tu peux détailler la différence de résultat entre les deux 
> ?

Pas de souci. Bon... toutes mes excuses par avance si c'est
moi qui ai mal compris au final. ;)

Sauf erreur donc, le PO il voulait remplacer ça (chaîne brute
où le \ n'a pas de signification spéciale) :

class=\"fma\"

par du vide.

La proposition de Steve Fouchet fait le job :

~$ printf '...[%s]...\n' 'class=\"fma\"' | sed 's/class=\\"fma\\"//g' 
...[]...

Ta proposition ne fonctionne pas car les \ ne sont pas pris
en compte :

~$ printf '...[%s]...\n' 'class=\"fma\"' | sed 's/class="fma"//g'
...[class=\"fma\"]...

Par ailleurs, quand bien même il y a eu méprise sur la demande
initiale du PO, tu indiquais dans ton message que ta proposition
de sed était « plus lisible » que celle de Steeve, ce qui
sous-entendait implicitement qu'elle restait équivalente (que
c'était juste une amélioration de lisibilité). Force est de
constater que les deux sed ne sont pas équivalents.

-- 
François Lafont

Re: Debian 9 "Stretch" released

[Johann Spies]

On 18 June 2017 at 13:46, RavenLX  wrote:
> On 06/18/2017 02:22 AM, Ana Guerrero Lopez wrote:

> A *huge* thank you to the Debian team! You guys rock!

+1

Johann

Re: Debian 9 "Stretch" released

[Bret Busby]

On Sat, 17 Jun 2017, Ana Guerrero Lopez wrote:


Date: Sun, 18 Jun 2017 14:22:36
From: Ana Guerrero Lopez 
To: debian-annou...@lists.debian.org
Subject: Debian 9 "Stretch" released


The Debian Project   https://www.debian.org/
Debian 9 "Stretch" released pr...@debian.org
June 17th, 2017https://www.debian.org/News/2017/20170617






Does Debian 9 support the Intel Haskell architecture, and the nVIDIA 
Optimus (?) system, allowing external monitors to be run via the nVIDIA 
GEForce graphics things?


--
Bret Busby
Armadale
West Australia
..

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
  Chapter 28 of Book 1 of
  "The Hitchhiker's Guide to the Galaxy:
  A Trilogy In Four Parts",
  written by Douglas Adams,
  published by Pan Books, 1992

Re: Instal·lar Debian 9 de cero... Es recomanable encriptar les particions?

[Narcis Garcia]

Vull fer notar que, amb això de l'arrencada externa, en Sergi t'està
diferenciant entre: que la contrassenya es demani per al teclat, o que
la contrassenya estigui emmagatzemada a l'arrencada externa, ambdós
casos compatibles amb iniciar d'una memòria USB.

Tot això es perquè el (preguntador &) desbloquejador del disc dur ha de
ser programari sense encriptar encara.



__
I'm using this express-made address because personal addresses aren't
masked enough at this list's archives. Mailing lists service
administrator should fix this.
El 19/06/17 a les 10:32, Sergi Blanch-Torné ha escrit:
> Hola,
> 
> Els xifrats en disc depenen de què vulguis protegir (el threat model).
> 
> Com be comenta el Narcís, xifrar el disc dur deixa la partició boot
> sense xifrar. Es necessària per poder carregar el kernel i que aquest et
> demani la frase de pas per poder accedir al volum xifrat. Cas que sigui
> sense frase de pas perquè el boot està en un stick, un ha de guardar-los
> separats quan l'ordinador estar apagat.
> 
> Un xifrat a nivell de disc dur protegeix davant la situació d'ordinador
> parar. Únicament. Estaries protegint la modificació dels binaris. Però
> compte amb l'exposició del kernel.
> 
> En l'altre escenari en que algú fa una incursió des de xarxa, ho fa amb
> l'ordinador engegat i per tant amb la partició xifrada montada.
> 
> De forma no excloent, però que té implicacions de performance, és
> utilitzat eCryptfs per xifrar el home de cada usuari. Aquí estaries
> protegint-ne les dades de cada usuari (que ho utilitzés). Però s'ha de
> tenir present que root, tot i que no pot montar el teu home, si que hi
> pot accedir si l'usuari ha fet login.
> 
> Després hi ha una tercera via, útil per exemple per discs durs externs,
> que serien eines com encfs, en les que hom monta una estructura de
> directoris sota demanda. Té els seus pros i contres també.
> 
> /Sergi.
> 
> Ps: Jordi, no existeix la ignorància quan el que fas és preguntar per
> aprendre...
> 
> On 19/06/17 09:31, Narcis Garcia wrote:
>> La manera en què jo ho he vist fer és deixar connectada la memòria USB
>> durant la instal·lació, i allotjar-hi allà la partició de /boot sense
>> encriptar.
>> D'aquesta manera, el disc intern pot estar encriptat tot sencer, i cal
>> la memòria USB per arrencar-ne, que és la que demana contrasenya per
>> seguir l'inici del sistema. Això si, convé que la memòria USB romangui
>> connectada per a que sigui coherent amb les actualitzacions de nucli i
>> gestor d'arrencada.
>>
>> De tota manera, aquesta externalització de l'arrencada és una mesura més
>> aviat orientada a evitar una vulnerabilitat molt i molt específica:
>> Que algú volgués manipular l'arrencada de l'ordinador per després deixar
>> que tu el tornis a fer servir i que es desi la contrasenya que escrius,
>> i així en un «següent robatori» recuperar aquesta dada.
>> Si no necessites protegir-te d'aquest cas concret, pots prescindir de
>> memòria USB i col·locar el /boot al mateix disc dur.
>>
>>
>> __
>> I'm using this express-made address because personal addresses aren't
>> masked enough at this list's archives. Mailing lists service
>> administrator should fix this.
>> El 19/06/17 a les 01:37, Pedro ha escrit:
>>> Josep,
>>>
>>> tens alguna guia que recomanis o sabries explicar breument com fer lo
>>> de entrar xifrar disc i desbloquejar-lo amb el llapis USB?
>>>
>>> podríem considerar que el punt de partida més habitual és una debian
>>> instal·lada amb el xifrat de disc com suggereix l'instal·lador.
>>>
>>> Gràcies!
>>>
>>> 2017-06-18 21:11 GMT+02:00 Josep Lladonosa :


 2017-06-18 19:47 GMT+02:00 Jordi Boixader :
>
> Hola,
>
> Vull reinstal·lar la Debian 9 des de cero i em pregunto si és recomanable
> encriptar les particions. Tant al Portàtil com al Sobretaula.
>
> - Només és per si em roben el Disc Dur que no hi puguin accedir?


 Efectivament. Cada cop que iniciïs el sistema hauràs d'entrar contrasenya 
 (o
 un llapis usb amb una clau) per iniciar sistema.


>
> - O també si un Hacker m'entra des d'Internet al trobar-ho tot encriptat
> no podrà fer res?


 Quan inicies el sistema i entres la clau secreta per poder desencriptar el
 sistema de fitxer estàs fent que sistema operatiu i programes tinguin ja
 accés directe als fitxers. Així doncs, si un hacker entrés al sistema ho fa
 gràcies a alguna vulnerabilitat bé de sistema bé d'aplicació, pel que
 l'intrús mantindria l'accés a tot el sistema de fitxers que sistema
 operatiu/aplicacions tenien...

>
>
> Perdoneu la meva ignorància...
>
> Salut




 --
 --
 Salutacions...Josep
 --
>>>
>>
> 

Re: Instal·lar Debian 9 de cero... Es recomanable encriptar les particions?

[Sergi Blanch-Torné]

Hola,

Els xifrats en disc depenen de què vulguis protegir (el threat model).

Com be comenta el Narcís, xifrar el disc dur deixa la partició boot
sense xifrar. Es necessària per poder carregar el kernel i que aquest et
demani la frase de pas per poder accedir al volum xifrat. Cas que sigui
sense frase de pas perquè el boot està en un stick, un ha de guardar-los
separats quan l'ordinador estar apagat.

Un xifrat a nivell de disc dur protegeix davant la situació d'ordinador
parar. Únicament. Estaries protegint la modificació dels binaris. Però
compte amb l'exposició del kernel.

En l'altre escenari en que algú fa una incursió des de xarxa, ho fa amb
l'ordinador engegat i per tant amb la partició xifrada montada.

De forma no excloent, però que té implicacions de performance, és
utilitzat eCryptfs per xifrar el home de cada usuari. Aquí estaries
protegint-ne les dades de cada usuari (que ho utilitzés). Però s'ha de
tenir present que root, tot i que no pot montar el teu home, si que hi
pot accedir si l'usuari ha fet login.

Després hi ha una tercera via, útil per exemple per discs durs externs,
que serien eines com encfs, en les que hom monta una estructura de
directoris sota demanda. Té els seus pros i contres també.

/Sergi.

Ps: Jordi, no existeix la ignorància quan el que fas és preguntar per
aprendre...

On 19/06/17 09:31, Narcis Garcia wrote:
> La manera en què jo ho he vist fer és deixar connectada la memòria USB
> durant la instal·lació, i allotjar-hi allà la partició de /boot sense
> encriptar.
> D'aquesta manera, el disc intern pot estar encriptat tot sencer, i cal
> la memòria USB per arrencar-ne, que és la que demana contrasenya per
> seguir l'inici del sistema. Això si, convé que la memòria USB romangui
> connectada per a que sigui coherent amb les actualitzacions de nucli i
> gestor d'arrencada.
> 
> De tota manera, aquesta externalització de l'arrencada és una mesura més
> aviat orientada a evitar una vulnerabilitat molt i molt específica:
> Que algú volgués manipular l'arrencada de l'ordinador per després deixar
> que tu el tornis a fer servir i que es desi la contrasenya que escrius,
> i així en un «següent robatori» recuperar aquesta dada.
> Si no necessites protegir-te d'aquest cas concret, pots prescindir de
> memòria USB i col·locar el /boot al mateix disc dur.
> 
> 
> __
> I'm using this express-made address because personal addresses aren't
> masked enough at this list's archives. Mailing lists service
> administrator should fix this.
> El 19/06/17 a les 01:37, Pedro ha escrit:
>> Josep,
>>
>> tens alguna guia que recomanis o sabries explicar breument com fer lo
>> de entrar xifrar disc i desbloquejar-lo amb el llapis USB?
>>
>> podríem considerar que el punt de partida més habitual és una debian
>> instal·lada amb el xifrat de disc com suggereix l'instal·lador.
>>
>> Gràcies!
>>
>> 2017-06-18 21:11 GMT+02:00 Josep Lladonosa :
>>>
>>>
>>> 2017-06-18 19:47 GMT+02:00 Jordi Boixader :

 Hola,

 Vull reinstal·lar la Debian 9 des de cero i em pregunto si és recomanable
 encriptar les particions. Tant al Portàtil com al Sobretaula.

 - Només és per si em roben el Disc Dur que no hi puguin accedir?
>>>
>>>
>>> Efectivament. Cada cop que iniciïs el sistema hauràs d'entrar contrasenya (o
>>> un llapis usb amb una clau) per iniciar sistema.
>>>
>>>

 - O també si un Hacker m'entra des d'Internet al trobar-ho tot encriptat
 no podrà fer res?
>>>
>>>
>>> Quan inicies el sistema i entres la clau secreta per poder desencriptar el
>>> sistema de fitxer estàs fent que sistema operatiu i programes tinguin ja
>>> accés directe als fitxers. Així doncs, si un hacker entrés al sistema ho fa
>>> gràcies a alguna vulnerabilitat bé de sistema bé d'aplicació, pel que
>>> l'intrús mantindria l'accés a tot el sistema de fitxers que sistema
>>> operatiu/aplicacions tenien...
>>>


 Perdoneu la meva ignorància...

 Salut
>>>
>>>
>>>
>>>
>>> --
>>> --
>>> Salutacions...Josep
>>> --
>>
> 



signature.asc
Description: OpenPGP digital signature

Re: Debian 9.0 DVD-1.iso: No Release file

[Dejan Jocic]

On 19-06-17, Alan Reding wrote:
> Hi,
> 
> I downloaded the first DVD of Debian Stretch and installed the OS onto my 
> machine.
> 
> After I typed
> 
> sudo apt-get update
> 
> The following error message appeared:
> 
> W: The repository "cdrom://[Debian GNU/Linux 9.0.0 _Stretch_ - Official amd64 
> DVD Binary-1 20170617-13:08] Stretch Release" does not have a Release file.
> N: Data from such a repository can't be authenticated and is therefore 
> potentially dangerous to use.
> N: See apt-secure(8) manpage for repository creation and user configuration
> 
> I have been using Debian since Wheezy (7.0) and this is the first time I have 
> received such a warning.
> 
> Should I inform the Debian Release team? Is it aware of the omission of the 
> Release file?
> 
> Regards.
> 
> Alan
> 


It is actually quite normal thing and all you need to do is to comment
out/delete lines in your sources.list for cdrom.

Re: sed

[Daniel Caillibaud]

Le 15/06/17 à 12:47, Francois Lafont  a écrit :
FL> On 06/15/2017 11:32 AM, Daniel Caillibaud wrote:
FL> 
FL> > SF> sed -i 's/class=\\"fma\\"//g' fichier
FL> > 
FL> > sed -i -e 's/class="fma"//g' fichier
FL> > 
FL> > me parait plus lisible
FL> 
FL> C'est plus lisible mais ça ne fait pas la même chose et ça ne résout plus
FL> le problème du PO. ;)

???
Un truc m'échappe, tu peux détailler la différence de résultat entre les deux ?

-- 
Daniel

Ce n'est pas n'importe qui qui peut-être quiconque.
Pierre Dac

Re: Administración centralizada de usuarios con Web FrontEnd

[Antonio Trujillo Carmona]

El 16/06/17 a las 23:07, Esteban Monge escribió:
> Estimados:
>
> Quería saber si conocen de algún sistema que permita administrar
> usuarios de manera centralizada, pero no sea un LDAP, Active Directory o
> similar.
>
> IBM tiene un software que se llama ISIM, uno configura el servidor y a
> los clientes sólo se les configura un usuario administrador, con sudo,
> ese usuario se encarga de crear los demás usuarios en el sistema
> operativo, es decir agrega una entrada en /etc/passwd, /etc/shadow y
> /etc/groups
>
> Busco algo así pero sea libre.
>
>

Para la gestión centralizada de usuarios y recursos es para lo que se
invento los LDAP.

También puedes recurrir al antiguo NIS de Unix,(no lo conozco).

Cuando hayas decidido que sistema centralizado usar, en el servidor
donde lo instales, instala algún gestor web del sistema,

por ejemplo si desides usar ldap, en un equipo instala el slapd y podrás
administrarlo con el webmin instalado en ese equipo.

-- 

*Antonio Trujillo Carmona*

*Técnico de redes y sistemas.*

*Subdirección de Tecnologías de la Información y Comunicaciones*

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

_antonio.trujillo.sspa@juntadeandalucia.es_

Tel. +34 670947670 747670)

Re: Instal·lar Debian 9 de cero... Es recomanable encriptar les particions?

[Narcis Garcia]

La manera en què jo ho he vist fer és deixar connectada la memòria USB
durant la instal·lació, i allotjar-hi allà la partició de /boot sense
encriptar.
D'aquesta manera, el disc intern pot estar encriptat tot sencer, i cal
la memòria USB per arrencar-ne, que és la que demana contrasenya per
seguir l'inici del sistema. Això si, convé que la memòria USB romangui
connectada per a que sigui coherent amb les actualitzacions de nucli i
gestor d'arrencada.

De tota manera, aquesta externalització de l'arrencada és una mesura més
aviat orientada a evitar una vulnerabilitat molt i molt específica:
Que algú volgués manipular l'arrencada de l'ordinador per després deixar
que tu el tornis a fer servir i que es desi la contrasenya que escrius,
i així en un «següent robatori» recuperar aquesta dada.
Si no necessites protegir-te d'aquest cas concret, pots prescindir de
memòria USB i col·locar el /boot al mateix disc dur.


__
I'm using this express-made address because personal addresses aren't
masked enough at this list's archives. Mailing lists service
administrator should fix this.
El 19/06/17 a les 01:37, Pedro ha escrit:
> Josep,
> 
> tens alguna guia que recomanis o sabries explicar breument com fer lo
> de entrar xifrar disc i desbloquejar-lo amb el llapis USB?
> 
> podríem considerar que el punt de partida més habitual és una debian
> instal·lada amb el xifrat de disc com suggereix l'instal·lador.
> 
> Gràcies!
> 
> 2017-06-18 21:11 GMT+02:00 Josep Lladonosa :
>>
>>
>> 2017-06-18 19:47 GMT+02:00 Jordi Boixader :
>>>
>>> Hola,
>>>
>>> Vull reinstal·lar la Debian 9 des de cero i em pregunto si és recomanable
>>> encriptar les particions. Tant al Portàtil com al Sobretaula.
>>>
>>> - Només és per si em roben el Disc Dur que no hi puguin accedir?
>>
>>
>> Efectivament. Cada cop que iniciïs el sistema hauràs d'entrar contrasenya (o
>> un llapis usb amb una clau) per iniciar sistema.
>>
>>
>>>
>>> - O també si un Hacker m'entra des d'Internet al trobar-ho tot encriptat
>>> no podrà fer res?
>>
>>
>> Quan inicies el sistema i entres la clau secreta per poder desencriptar el
>> sistema de fitxer estàs fent que sistema operatiu i programes tinguin ja
>> accés directe als fitxers. Així doncs, si un hacker entrés al sistema ho fa
>> gràcies a alguna vulnerabilitat bé de sistema bé d'aplicació, pel que
>> l'intrús mantindria l'accés a tot el sistema de fitxers que sistema
>> operatiu/aplicacions tenien...
>>
>>>
>>>
>>> Perdoneu la meva ignorància...
>>>
>>> Salut
>>
>>
>>
>>
>> --
>> --
>> Salutacions...Josep
>> --
> 

Re: Peculiar problem with root login

[David Christensen]

On 06/18/17 23:08, David Christensen wrote:
...

You should see host2's ECDSA key fingerprint the first time you log in.
Verify it against the note card.


Correction:  You should see host1's ECDSA key fingerprint ...


David

Re: Peculiar problem with root login

[David Christensen]

On 06/18/17 08:57, Harry Putnam wrote:
...

root # cat /etc/debian_version
8.8

root # uname -a
Linux d2 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux

root # dpkg-query --show openssh-server
openssh-server  1:6.7p1-5+deb8u3

root # dpkg-query --show openssh-client
openssh-client  1:6.7p1-5+deb8u3

root # ls -1 /etc/ssh/*ssh*
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/sshd_config~
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub

root # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes


I use:

PasswordAuthentication no


This requires all users to have their remote user public keys entered 
into their authorized_keys files to log in from those remote hosts.




X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin yes


This conflicts with the above setting (which is what I use):

PermitRootLogin without-password


Delete "PermitRootLogin yes".



root # ssh localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:

  Could not login  -ed Harry

root # tail /var/log/auth.log
Jun 18 11:43:17 d2 sshd[1894]: Accepted password for reader from 192.168.1.42 
port 40945 ssh2
Jun 18 11:43:17 d2 sshd[1894]: pam_unix(sshd:session): session opened for user 
reader by (uid=0)
Jun 18 11:43:17 d2 systemd-logind[477]: New session 185 of user reader.
Jun 18 11:43:17 d2 sshd[1897]: Setting tty modes failed: Invalid argument
Jun 18 11:43:59 d2 su[1917]: Successful su for root by reader
Jun 18 11:43:59 d2 su[1917]: + /dev/pts/4 reader:root
Jun 18 11:43:59 d2 su[1917]: pam_unix(su:session): session opened for user root 
by reader(uid=1000)
Jun 18 11:45:56 d2 sshd[1963]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan  user=root
Jun 18 11:45:58 d2 sshd[1963]: Failed password for root from 127.0.0.1 port 
54526 ssh2
Jun 18 11:46:03 d2 sshd[1963]: Connection closed by 127.0.0.1 [preauth]





On 06/18/17 13:48, Harry Putnam wrote:
...
> root # ls -la .ssh
> total 12
> drwx-- 2 root root 4096 May 30 21:44 .
> drwx-- 6 root root 4096 Jun 18 11:35 ..
> -rw-r--r-- 1 root root  666 May 30 22:17 known_hosts


I'd delete known_hosts, to be safe.


I have AT U-verse residential DSL service, which implements DNS hijacking:

https://en.wikipedia.org/wiki/DNS_hijacking


Beware of using SSH directly:

$ ssh remotehost


If remotehost doesn't resolve, instead of a "host not found" error 
message, AT directs SSH to a hijacker host; so I can enter my 
passphrase (like a sucker).



You need to create SSH keys for root on this machine:

2017-06-01 20:44:39 root@jesse ~
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:



Be sure to enter a strong passphrase.


Then copy your public key to the authorized_keys file:

2017-06-01 20:46:17 root@jesse ~
# cp .ssh/id_rsa.pub .ssh/authorized_keys


You don't want to type your passphrases into remote hosts, especially if 
you have to do it over and over (I use CVS over SSH, so this gets 
tedious very quickly.)  You want to use ssh-agent(1) and ssh-add(1), so 
you can type your passphrase(s) once per key per terminal session into 
your local machine and ssh-agent will manage your decrypted private 
key(s) whenever you log in to remote hosts:


2017-06-01 20:46:37 root@jesse ~
# ssh-agent bash -l

2017-06-01 20:46:54 root@jesse ~
# ssh-add
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)


Now you should be able to login from root to root@localhost:

2017-06-01 20:47:05 root@jesse ~
# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 
Are you sure you want to continue connecting