Re: ipv6 maybe has arrived.

2023-02-08 Thread gene heskett

On 2/8/23 19:16, jeremy ardley wrote:


On 9/2/23 06:39, gene heskett wrote:

On 2/8/23 16:29, jeremy ardley wrote:


On 9/2/23 04:54, gene heskett wrote:



My several machine home net is behind a dd-wrt install, NAT'ed so 
that any machine here has access to the net via the ipv4 address my 
router obtains from them. That legally is a dynamic address but 
hasn't changed in the decade and a half since I last switched isp's 
to one that just worked courtesy of cloning the mac from one router 
to its backup.


So now my question is, can I maintain the same level of security if 
I start using an ipv6 address in my router?


And if so, how do I maintain the NAT, & how would I do it? Or am I 
better off to not kick this sleeping dog called ipv6?




Thanks Jeremy, but in the back of my mind is the need for a firewall. 
I've not setup a new one since bullseye moved in a year plus ago. 
dd-wrt reflashing my now elderly buffalo router handles all that.


Let's look at the different cases.

First, you have IPv4 and NAT. Your firewall will allow (and NAT) any 
outbound traffic, and will accept any incoming traffic related to 
outgoing traffic and inverse NAT it and send to the internal host. You 
are relatively safe in this scenario as external baddies can't scan your 
LAN and can't make unsolicited connections to your LAN devices.


In the case of adding IPv6 without NAT, then without a firewall, 
external baddies can connect unsolicited to your internal devices. Some 
of your devices will have their own personal firewalls already, e.g. any 
windows machine. Some won't, e.g. a printer. In the printer case it 
would be unfortunate if your printer suddenly started printing out 
obscenities. You get the picture.


Net result is with IPv6 you need a firewall on your internet connection 
to disallow any unsolicited connections to internal devices. It's really 
easy in ip6tables. It is probably very easy in dd-wrt. It is certain to 
be in any off-the-shelf dual-stack modem/router.


The other option of NAT for your IPv6 is frowned on

Another problem is internal names. As with IPv4 you need a directory 
service to say what devices are at what IPv4 or IPv6 addresses in your 
LAN. In my case I run a DNS server linked to my DHCP server for the IPv4 
and IPv6 addresses. It uses a combination of DHCP registration data, and 
static records to give IPv4 and IPv6 addresses internally to the LAN.


Of note, in my LAN which runs IPv4 and IPv6, most traffic between 
devices is IPv6 because modern Debian/Linux applications default to IPv6 
and only fall back to IPv4 as necessary.


Jeremy


Where you run a dns of sorts, I don't, resolv.conf says check host 
first, then query the router which forwards it to the nameserver at my 
isp. That has worked very well since redhat 5.0 in 1998.  The only thing 
I do is a chattr +i on resolv.conf so network mangler can't putz with 
it. And network mangler has had sense enough to stfu about it not being 
writable for close to 15 years now.  The host file is identical and 
accounts for all the local machines.  Until ipv4 stops working, I'm 
inclined to leave it be.


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Web page management.

2023-02-08 Thread Brad Rogers
On Wed, 8 Feb 2023 14:18:31 -0500
Dan Ritter  wrote:

Hello Dan,

>Sure. The thing you're looking at is the uBlock Origin widget,

Are you sure?  Looks more like uMatrix to me.  Note the icon in the
toolbar.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
Does she always shout at you, does she tell you what to do
Family Life - Sham 69




Re: ipv6 maybe has arrived.

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 03:54:54PM -0500, gene heskett wrote:
> This machine is on bullseye, and when I installed, I noted that networking
> worked over ipv4 but have noted just now that responses to the ipv6 versions
> of both ping6 and traceroute6 have changed.
> ping6 and traceroute6 can now resolve yahoo.com's ipv6 address where
> previously there was no resolution.
> 
> But traceroute6 now says:
> traceroute to yahoo.com (2001:4998:44:3507::8001), 30 hops max, 80 byte
> packets
> connect: Network is unreachable

This would suggest that the  record for yahoo is available, but the
v6 connectivity is not.

Show us the result of 'ip addr list'  on your box...

Cheers
-- 
t




Re: Web page management.

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 09:15:23PM +, debian-u...@howorth.org.uk wrote:

[...]

> It all seems fairly typical. The annoying bit is figuring out which
> domains you need to allow to make the site function whilst preserving
> as much privacy as possible.

I try to go the other route: use a profile with Javascript disabled
(no browser add ons: rather take-offs) by default. On sites which
don't work, I ask myself whether it's worth setting up a profile for
them. Mostly I go "nah".

So I'm playing the same trick marketing tries to play on me backwards:
I call it strict opt-in.

It's a bit harsh, but works for me :)

Cheers
-- 
t




Re: Web page management.

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 03:53:46PM -0500, Dan Ritter wrote:

[...]

> The HTML file will contain references to each of the URLs,
> directing the browser to go fetch things from them and execute
> or display them as appropriate.

Except those hidden away in some more or less obfuscated
Javascript (yes, those sleaz-os do that). But I'd expect
uBlock to catch those at access time.

Cheers
-- 
t




Re: Web page management.

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 04:25:25PM -0500, Stefan Monnier wrote:
> > The HTML file will contain references to each of the URLs,
> > directing the browser to go fetch things from them and execute
> > or display them as appropriate.
> 
> FWIW, that HTML page does not include "gstatic" in its source text (but
> apparently some other pages fetched from `canada.ca` do).
> OTOH, it contains a weird:
> 
>  src="//assets.adobedtm.com/be5dfd287373/abb618326704/launch-3eac5e076135.min.js">
> 
> what's this "//"?  Do web browsers automatically add a "http(s):" in
> front nowadays, or does it end up referring to a copy on the
> CRA's server.

Yes: that means "keep the URL scheme" -- practically http or https.
It's in the RFCs [1], although the quote itself is funny:

  "A relative reference that begins with two slash characters
   is termed a network-path reference; such references are
   rarely used."

Plus ça change... :-)

Cheers

[1] https://www.rfc-editor.org/rfc/rfc3986#section-4.2

-- 
t




Re: ipv6 maybe has arrived.

2023-02-08 Thread jeremy ardley


On 9/2/23 06:39, gene heskett wrote:

On 2/8/23 16:29, jeremy ardley wrote:


On 9/2/23 04:54, gene heskett wrote:



My several machine home net is behind a dd-wrt install, NAT'ed so 
that any machine here has access to the net via the ipv4 address my 
router obtains from them. That legally is a dynamic address but 
hasn't changed in the decade and a half since I last switched isp's 
to one that just worked courtesy of cloning the mac from one router 
to its backup.


So now my question is, can I maintain the same level of security if 
I start using an ipv6 address in my router?


And if so, how do I maintain the NAT, & how would I do it? Or am I 
better off to not kick this sleeping dog called ipv6?




Thanks Jeremy, but in the back of my mind is the need for a firewall. 
I've not setup a new one since bullseye moved in a year plus ago. 
dd-wrt reflashing my now elderly buffalo router handles all that.


Let's look at the different cases.

First, you have IPv4 and NAT. Your firewall will allow (and NAT) any 
outbound traffic, and will accept any incoming traffic related to 
outgoing traffic and inverse NAT it and send to the internal host. You 
are relatively safe in this scenario as external baddies can't scan your 
LAN and can't make unsolicited connections to your LAN devices.


In the case of adding IPv6 without NAT, then without a firewall, 
external baddies can connect unsolicited to your internal devices. Some 
of your devices will have their own personal firewalls already, e.g. any 
windows machine. Some won't, e.g. a printer. In the printer case it 
would be unfortunate if your printer suddenly started printing out 
obscenities. You get the picture.


Net result is with IPv6 you need a firewall on your internet connection 
to disallow any unsolicited connections to internal devices. It's really 
easy in ip6tables. It is probably very easy in dd-wrt. It is certain to 
be in any off-the-shelf dual-stack modem/router.


The other option of NAT for your IPv6 is frowned on

Another problem is internal names. As with IPv4 you need a directory 
service to say what devices are at what IPv4 or IPv6 addresses in your 
LAN. In my case I run a DNS server linked to my DHCP server for the IPv4 
and IPv6 addresses. It uses a combination of DHCP registration data, and 
static records to give IPv4 and IPv6 addresses internally to the LAN.


Of note, in my LAN which runs IPv4 and IPv6, most traffic between 
devices is IPv6 because modern Debian/Linux applications default to IPv6 
and only fall back to IPv4 as necessary.


Jeremy
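
One way to express the rule described above (forward replies to LAN-initiated traffic, drop unsolicited inbound connections) in ip6tables-restore format, with a small check that tells it apart from an open forwarding policy. This is an added example, not part of the original message or anyone's actual configuration; the interface names `eth0` (WAN) and `br0` (LAN) and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stateful IPv6 policy for a home router.
# Interface names and function names are hypothetical.

# emit_ruleset WAN_IF LAN_IF -> ruleset in ip6tables-restore format on stdout
emit_ruleset() {
    wan=$1; lan=$2
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'

    # --- Traffic addressed to the router itself ---
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # ICMPv6 errors: 1 unreachable, 2 packet too big, 3 time exceeded,
    # 4 parameter problem. IPv6 breaks without these (path MTU discovery).
    for t in 1 2 3 4; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbour discovery and router advertisements (types 133-136).
    # Hop limit 255 proves the packet came from the local link, not a router hop.
    for t in 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # DHCPv6 replies to the router's own client (server port 547 -> client 546).
    printf '%s\n' "-A INPUT -i $wan -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT"
    # LAN hosts may talk to the router (DNS forwarder, admin interface).
    printf '%s\n' "-A INPUT -i $lan -j ACCEPT"

    # --- Traffic routed between LAN and Internet ---
    # Replies to connections the LAN opened, plus related ICMPv6 errors.
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # New connections are only allowed from LAN to WAN; everything else,
    # including unsolicited connections from the Internet, hits policy DROP.
    printf '%s\n' "-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# weak_ruleset: constructed sample of a router that routes IPv6 with no filter.
weak_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        'COMMIT'
}

# audit_forward WAN_IF: read a ruleset (ip6tables-save format) on stdin and
# print "exposed" if Internet hosts can open connections to LAN devices:
# FORWARD policy ACCEPT, or an ACCEPT rule for packets arriving on the WAN
# interface that carries no connection-state condition. Text heuristic only.
audit_forward() {
    awk -v wan="$1" '
        /^:FORWARD ACCEPT/ { bad = 1 }
        /^-A FORWARD / && /-j ACCEPT( |$)/ &&
            $0 ~ ("-i " wan "( |$)") && !/--ctstate/ { bad = 1 }
        END { print (bad ? "exposed" : "filtered") }
    '
}

# Compare the two policies. To load the first one on a router:
#   emit_ruleset eth0 br0 | ip6tables-restore
printf 'stateful policy: %s\n' "$(emit_ruleset eth0 br0 | audit_forward eth0)"
printf 'no filter:       %s\n' "$(weak_ruleset | audit_forward eth0)"
```
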

Re: ipv6 maybe has arrived.

2023-02-08 Thread gene heskett

On 2/8/23 16:29, jeremy ardley wrote:


On 9/2/23 04:54, gene heskett wrote:



My several machine home net is behind a dd-wrt install, NAT'ed so that 
any machine here has access to the net via the ipv4 address my router 
obtains from them. That legally is a dynamic address but hasn't 
changed in the decade and a half since I last switched isp's to one 
that just worked courtesy of cloning the mac from one router to its 
backup.


So now my question is, can I maintain the same level of security if I 
start using an ipv6 address in my router?


And if so, how do I maintain the NAT, & how would I do it? Or am I 
better off to not kick this sleeping dog called ipv6?


You have three options.

1. Eradicate IPv6 completely and carry on with your IPv4

2. Go all-in and use IPv6 without NAT (but still keep IPv4 with NAT), 
but with the necessary firewall protections


3. Use IPv6 (and IPv4) with NAT and some firewall

Personally I use (2) - which is likely the case for most domestic users 
of Internet with access to dual stack IPv4 and IPv6.


I don't know dd-wrt. In my case I use an Armbian based firewall/router 
using iptables with rulesets for IPv4 (NAT) and IPv6 (native).


I find that the large majority of my web traffic is IPv6

I should also note that many internet routers these days support dual 
stack IPv6 IPv4 and are generally 'safe' for domestic use. My fallbacks 
if my Armbian firewall/router fails include simply giving in and putting 
in a modern router/modem.



Jeremy

Thanks Jeremy, but in the back of my mind is the need for a firewall. 
I've not setup a new one since bullseye moved in a year plus ago. dd-wrt 
reflashing my now elderly buffalo router handles all that.

.


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: No USB with qemu+macOS+USB+iPads

2023-02-08 Thread Charles Curley
On Wed, 8 Feb 2023 21:03:39 +0100
peze  wrote:

> On 08.02.23 at 19:30, Charles Curley wrote:
>  [...]  
> 
> If your host is linux, can you show me your qemu-parameters?
> TIA
> 

I was afraid you were going to ask me that. I run qemu via libvirt. So
I will do a bit of detective work.  Here goes.

The XML for libvirt is:

--

  



  
  
  

--

You would have to modify the vendor, product, bus, and device IDs to
suit your device.

The command (imported not wrapped, but possibly wrapped in transport)
line is:

--
root@hawk:/etc/new.virtual# ps aux | grep -i dti386
libvirt+   62108  1.9  3.4 2958008 555240 ?  Sl   Jan27 345:08 
/usr/bin/qemu-system-x86_64 -name guest=dti386,debug-threads=on -S -object 
secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-6-dti386/master-key.aes
 -machine 
pc-q35-5.2,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-backend=pc.ram
 -cpu pentium2 -m 1024 -object memory-backend-ram,id=pc.ram,size=1073741824 
-overcommit mem-lock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 
0f0b9d2c-d741-47f0-842b-336fbbc64c12 -no-user-config -nodefaults -chardev 
socket,id=charmonitor,fd=40,server,nowait -mon 
chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global 
kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global 
ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot menu=on,strict=on 
-device 
pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2
 -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 
-device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 
-device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 
-device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 
-device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 
-device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 
-device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 -device 
virtio-scsi-pci,id=scsi0,bus=pci.4,addr=0x0 -device 
virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 -blockdev 
{"driver":"file","filename":"/var/lib/libvirt/images/firmware-testing-i386-netinst.iso","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}
 -blockdev 
{"node-name":"libvirt-2-format","read-only":true,"driver":"raw","file":"libvirt-2-storage"}
 -device ide-cd,bus=ide.0,drive=libvirt-2-format,id=sata0-0-0,bootindex=2 
-blockdev 
{"driver":"file","filename":"/var/lib/libvirt/images/dti386.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}
 -blockdev 
{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null}
 -device ide-hd,bus=ide.1,drive=libvirt-1-format,id=sata0-0-1,bootindex=1 
-netdev tap,fd=45,id=hostnet0,vhost=on,vhostfd=46 -device 
virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:6f:aa:6a,bus=pci.1,addr=0x0 
-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 
-chardev socket,id=charchannel0,fd=47,server,nowait -device 
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0
 -chardev spicevmc,id=charchannel1,name=vdagent -device 
virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0
 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice 
port=5902,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on
 -device 
qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pcie.0,addr=0x1
 -device ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev 
spicevmc,id=charredir0,name=usbredir -device 
usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev 
spicevmc,id=charredir1,name=usbredir -device 
usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -device 
usb-host,hostdevice=/dev/bus/usb/002/006,id=hostdev0,bus=usb.0,port=4 -device 
virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 -object 
rng-random,id=objrng0,filename=/dev/urandom -device 
virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.6,addr=0x0 -sandbox 
on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg 
timestamp=on
charles   124050  0.0  0.0  12232  2396 pts/6S+   Jan28   0:00 ssh 
root@dti386.virtual
root  209851  0.0  0.0  12104  1928 pts/32   Ss+  Jan30   0:00 ssh -o 
ControlMaster=auto -o ControlPath=tramp.%C -o ControlPersist=no -e none 
dti386.virtual
charles   507969  0.0  0.0  12108  6684 pts/38   Ss+  15:04   0:00 ssh -o 
ControlMaster=auto -o ControlPath=tramp.%C -o ControlPersist=no -e none 
dti386.virtual
charles   508029  0.0  0.0  12108  6784 pts/39   Ss+  15:06   0:00 ssh -l root 
-o ControlMaster=auto -o 

Re: ipv6 maybe has arrived.

2023-02-08 Thread jeremy ardley



On 9/2/23 04:54, gene heskett wrote:



My several machine home net is behind a dd-wrt install, NAT'ed so that 
any machine here has access to the net via the ipv4 address my router 
obtains from them. That legally is a dynamic address but hasn't 
changed in the decade and a half since I last switched isp's to one 
that just worked courtesy of cloning the mac from one router to its 
backup.


So now my question is, can I maintain the same level of security if I 
start using an ipv6 address in my router?


And if so, how do I maintain the NAT, & how would I do it? Or am I 
better off to not kick this sleeping dog called ipv6?


You have three options.

1. Eradicate IPv6 completely and carry on with your IPv4

2. Go all-in and use IPv6 without NAT (but still keep IPv4 with NAT), 
but with the necessary firewall protections


3. Use IPv6 (and IPv4) with NAT and some firewall

Personally I use (2) - which is likely the case for most domestic users 
of Internet with access to dual stack IPv4 and IPv6.


I don't know dd-wrt. In my case I use an Armbian based firewall/router 
using iptables with rulesets for IPv4 (NAT) and IPv6 (native).


I find that the large majority of my web traffic is IPv6

I should also note that many internet routers these days support dual 
stack IPv6 IPv4 and are generally 'safe' for domestic use. My fallbacks 
if my Armbian firewall/router fails include simply giving in and putting 
in a modern router/modem.



Jeremy



Re: Web page management.

2023-02-08 Thread Stefan Monnier
> The HTML file will contain references to each of the URLs,
> directing the browser to go fetch things from them and execute
> or display them as appropriate.

FWIW, that HTML page does not include "gstatic" in its source text (but
apparently some other pages fetched from `canada.ca` do).
OTOH, it contains a weird:



what's this "//"?  Do web browsers automatically add a "http(s):" in
front nowadays, or does it end up referring to a copy on the
CRA's server.


Stefan



Re: Web page management.

2023-02-08 Thread Dan Ritter
Peter Easthope wrote: 
> In-reply-to: <20230208191831.x6zp7ybzizmbq...@randomstring.org>
> References: 
> 
> <20230208191831.x6zp7ybzizmbq...@randomstring.org>
> 
> From: Dan Ritter 
> Date: Wed, 8 Feb 2023 14:18:31 -0500
> > The thing you're looking at is the uBlock Origin widget,
> > and it shows things that your browser is being told to retrieve
> > by the code of the website that it is looking at.
> 
> Thanks.  Ie. the claim by CRA tech support is false.  =8~/
> 
> Without studying the source of Firefox, how can you be sure it isn't
> initiating the request to gstatic.com or omtrdc.net?

Ask Firefox to show you the source of the webpage, which you can
verify from any other browser or with wget or curl.

Right-click, View Page Source will do.

The HTML file will contain references to each of the URLs,
directing the browser to go fetch things from them and execute
or display them as appropriate.

-dsr-



ipv6 maybe has arrived.

2023-02-08 Thread gene heskett
This machine is on bullseye, and when I installed, I noted that 
networking worked over ipv4 but have noted just now that responses to the 
ipv6 versions of both ping6 and traceroute6 have changed.
ping6 and traceroute6 can now resolve yahoo.com's ipv6 address where 
previously there was no resolution.


But traceroute6 now says:
traceroute to yahoo.com (2001:4998:44:3507::8001), 30 hops max, 80 byte 
packets

connect: Network is unreachable

Given that the closest real dns is at my providers site, it would appear 
to indicate that my fwded dns requests for a valid ipv6 address for 
yahoo.com is now working.


My several machine home net is behind a dd-wrt install, NAT'ed so that 
any machine here has access to the net via the ipv4 address my router 
obtains from them. That legally is a dynamic address but hasn't changed 
in the decade and a half since I last switched isp's to one that just 
worked courtesy of cloning the mac from one router to its backup.


So now my question is, can I maintain the same level of security if I 
start using an ipv6 address in my router?


And if so, how do I maintain the NAT, & how would I do it? Or am I 
better off to not kick this sleeping dog called ipv6?


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Web page management.

2023-02-08 Thread Peter Easthope
In-reply-to: <20230208191831.x6zp7ybzizmbq...@randomstring.org>
References: 
<20230208191831.x6zp7ybzizmbq...@randomstring.org>

From: Dan Ritter 
Date: Wed, 8 Feb 2023 14:18:31 -0500
> The thing you're looking at is the uBlock Origin widget,
> and it shows things that your browser is being told to retrieve
> by the code of the website that it is looking at.

Thanks.  Ie. the claim by CRA tech support is false.  =8~/

Without studying the source of Firefox, how can you be sure it isn't
initiating the request to gstatic.com or omtrdc.net?

Thx,   ... P.



Re: No USB with qemu+macOS+USB+iPads

2023-02-08 Thread peze

On 08.02.23 at 19:30, Charles Curley wrote:

Yes. I can hand a USB memory stick to a Debian guest, Debian installer,
bullseye and bookworm. Host is bullseye. One must still mount it on the
guest.


If your host is linux, can you show me your qemu-parameters?
TIA



Re: Web page management.

2023-02-08 Thread Stefan Monnier
> Just going to https://www.canada.ca/en/revenue-agency.html
>
> shows me this:
>
> canada.ca
> www.canada.ca
> adobedtm.com
> ajax.googleapis.com
> akamaiedge.net
> botframework.com
> demdex.net
> duckduckgo.com
> go-mpulse.net
> gstatic.com
> omtrdc.net
> v0cdn.net

Looking for these sites in the actual HTML text of the page suggests
many of them are only requested indirectly.  Accessing this page while
using uMatrix tells me it requested (besides stuff from canada.ca): CSS from
fonts.gstatic.com and scripts from adobedtm.com, botframework.com,
ajax.googleapis.com, and go-mpulse.net.

Funnily, the HTML code also includes references to facebook, instagram,
linkedin, and youtube, but nothing is directly requested from these sites.


Stefan
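
The check Stefan describes, as an added example that is not part of the original thread: list the hosts named in a page's static HTML, including scheme-less `//host/...` network-path references, and compare them with the domains a blocker reported. The sample HTML is constructed (only the adobedtm.com URL is taken from the thread), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# referenced_hosts: HTML on stdin -> distinct, lower-cased hosts that appear
# in src= or href= attributes. Matches absolute URLs and network-path
# references ("//host/path", RFC 3986 section 4.2), which inherit the scheme
# of the page that contains them. Relative paths name no host and are skipped.
referenced_hosts() {
    grep -oiE "(src|href)=[\"'](https?:)?//[^/\"' >]+" |
        sed -E 's#^.*//##; s#:[0-9]+$##' |
        tr 'A-Z' 'a-z' | sort -u
}

# classify HOSTS: read blocker-reported domains on stdin (one per line) and
# label each one:
#   direct   - the domain, or a subdomain of it, is named in the static HTML
#   indirect - not in the HTML, so the request was triggered by something the
#              page loaded (a script, a stylesheet, a redirect)
# HOSTS is the newline-separated output of referenced_hosts.
classify() {
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        if printf '%s\n' "$1" | awk -v d="$domain" '
            $0 == d || (length($0) > length(d) &&
                        substr($0, length($0) - length(d)) == "." d) { hit = 1 }
            END { exit !hit }'
        then
            echo "direct $domain"
        else
            echo "indirect $domain"
        fi
    done
}

# Constructed sample page. Only the adobedtm.com script URL comes from the
# thread; the stylesheet path and the facebook link are made up.
sample_html() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="/etc/designs/site.css">
<script src="//assets.adobedtm.com/be5dfd287373/abb618326704/launch-3eac5e076135.min.js"></script>
</head><body>
<a href="https://www.facebook.com/example">Facebook</a>
</body></html>
EOF
}

# Against a live page, replace sample_html with: curl -s URL
hosts=$(sample_html | referenced_hosts)
echo "hosts named in the HTML:"
printf '  %s\n' $hosts

# Two of the domains from the blocker list quoted in the thread.
# www.facebook.com is named in the HTML but only as a link target, so the
# browser requests nothing from it until the link is followed.
echo "blocker-reported domains:"
printf '%s\n' adobedtm.com gstatic.com | classify "$hosts" | sed 's/^/  /'
```
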



Re: [OT] Re: Re: Re: how much space to leave for Windows

2023-02-08 Thread Dethegeek
Good evening,

In my view, the main benefit of having an installation ISO is having a
fallback if a restore should fail, whether with Clonezilla or something
else.

Keeping a Windows install on a volume remains rather risky. A disk can
fail, a handling mistake, a broken and badly repaired GRUB,
a virus (even if that is rare with Linux), and the Windows install can end
up corrupted or broken.

It would be a shame to jeopardize the handover of the computer because of
a stroke of bad luck.

Finally, back to the 40 GB size I gave. It should allow
Windows to boot, long enough to enlarge the volume again. Remember
to clean all temporary files off the volume before
shrinking it (especially the patch installers that
pile up: today I saw a PC with almost 2 GB of these files).
40 GB should be enough to let Windows "hibernate". 60 GB seems to me more
like the bare functional minimum.

On Wed, 8 Feb 2023 at 18:48, didier gaumet wrote:

> On 08/02/2023 at 17:27, benoit wrote:
> > On Thursday 2 February 2023 at 10:37, Dethegeek wrote:
> [...]
> >> A small tip. I saw a few days ago that Microsoft is going to stop
> >> distributing Windows 10. The ISO images will no longer be online
> >> either.
> [...]
> > I share this opinion,
> [...]
>
> [Very Off-Topic]
>
> I think Microsoft will indeed one day end up removing the Windows 10
> ISO images from its download site, as it did
> in the past for Windows 7.
>
> But the Windows 10 images are still available (end-of-support
> (EOL) date 14 October 2025):
> https://www.microsoft.com/fr-fr/software-download/windows10ISO
>
> Even the Windows 8.1 images are still available (end-of-support date:
> we have just passed it: 10 January 2023)
> https://www.microsoft.com/fr-fr/software-download/windows8ISO
>
> and that is fairly logical: just because a product
> is no longer on sale does not necessarily mean that the company that makes it
> stops distributing it altogether: think for example of customers who bought a
> boxed edition with a licence but whose DVD has become unreadable
> (scratched, broken...), they do not need to buy another edition of
> Windows. This is a change of policy by Microsoft compared with a
> more distant past, when a customer who lost their diskettes/CD/DVD
> did indeed have to buy the thing again (from memory, I don't want to
> disparage Microsoft just for the fun of it either)
>
>


Re: No USB with qemu+macOS+USB+iPads

2023-02-08 Thread Charles Curley
On Wed, 8 Feb 2023 11:23:04 -0700
Charles Curley  wrote:

> Yes. I can hand a USB memory stick to a Debian guest, Debian
> installer, bullseye and bookworm. Host is bullseye. One must still
> mount it on the guest.

And do not mount it on the host.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: No USB with qemu+macOS+USB+iPads

2023-02-08 Thread Charles Curley
On Wed, 8 Feb 2023 22:07:37 +0700
Max Nikulin  wrote:

> Does it work if you pass a USB device to a Linux 
> guest (e.g. boot some live image)?

Yes. I can hand a USB memory stick to a Debian guest, Debian installer,
bullseye and bookworm. Host is bullseye. One must still mount it on the
guest.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



[OT] Re: Re: Re: how much space to leave for Windows

2023-02-08 Thread didier gaumet

On 08/02/2023 at 17:27, benoit wrote:

On Thursday 2 February 2023 at 10:37, Dethegeek wrote:

[...]
A small tip. I saw a few days ago that Microsoft is going to stop 
distributing Windows 10. The ISO images will no longer be online 
either.

[...]

I share this opinion,

[...]

[Very Off-Topic]

I think Microsoft will indeed one day end up removing the Windows 10 
ISO images from its download site, as it did 
in the past for Windows 7.


But the Windows 10 images are still available (end-of-support 
(EOL) date 14 October 2025):

https://www.microsoft.com/fr-fr/software-download/windows10ISO

Even the Windows 8.1 images are still available (end-of-support date: 
we have just passed it: 10 January 2023)

https://www.microsoft.com/fr-fr/software-download/windows8ISO

and that is fairly logical: just because a product 
is no longer on sale does not necessarily mean that the company that makes it 
stops distributing it altogether: think for example of customers who bought a 
boxed edition with a licence but whose DVD has become unreadable 
(scratched, broken...), they do not need to buy another edition of 
Windows. This is a change of policy by Microsoft compared with a 
more distant past, when a customer who lost their diskettes/CD/DVD 
did indeed have to buy the thing again (from memory, I don't want to 
disparage Microsoft just for the fun of it either)




Re: Re: how much space to leave for Windows

2023-02-08 Thread benoit
Sent with [Proton Mail](https://proton.me/) secure email.

--- Original Message ---
On Thursday 2 February 2023 at 10:37, Dethegeek wrote:

> Hello,
>
> Allow 40 GB for Windows alone with no software.
>
> You can also consider creating recovery disks.
>
> A small tip. I saw a few days ago that Microsoft is going to stop 
> distributing Windows 10. The ISO images will no longer be online either. 
> So I also advise you to download the ISO matching your version 
> and save it to a disk, a USB stick or a DVD. If something goes wrong with 
> your recovery disks, that will give you a fallback.
>
> To create recovery disks, you can read this resource for 
> example. https://www.malekal.com/creer-une-image-systeme-windows-10/

I share this opinion: if you do not want to use Windows, but 
only want to keep it for someone who takes over after you, just 
do as described above, or make a disk image on an external drive with 
[Clonezilla](https://clonezilla.org/).
There is a tutorial on the same site:
https://www.malekal.com/clonezilla-tutoriel-clonage-de-disque/

Re: support for ASUS AC1200 USB-AC53 Nano wifi dongle

2023-02-08 Thread Gary Dale

On 2023-02-08 09:07, Gary Dale wrote:

On 2023-02-08 00:55, Alexander V. Makartsev wrote:

On 08.02.2023 09:07, Gary Dale wrote:


I thought this would be easier than it's turned out to be. There are 
Internet posts going back years about support for this device but 
nothing recent - including a 5 year old Ubuntu post saying it works. 
Other wifi devices seem to be recognized out of the box or with a 
simple install of non-free firmware but not this one - at least not 
in Bullseye or Bookworm.


The adapter itself seems to be quite popular so I'm hoping someone 
can provide some clues on how to make it work


Thanks.

Your device should be based on "RTL8822B" chip from Realtek, so you 
need to install "firmware-realtek" package.
If after doing that you still didn't get a functioning network wifi 
adapter you might need to build driver kernel module. [1]
This is what I had to do to get USB Bluetooth adapter from Asus to 
work without issues, even though it is supported by kernel in "bullseye".


It is always best to include extra information about your setup 
when you are asking for help.

At least output from these commands would be a start:
    $ uname -a
    $ lsusb -v -t
    # journalctl -b 0 --no-pager | grep -iE "rtl|rtk_|firmware"

If the output is long you can use "paste" service [2] and send us a link.


[1] 
https://www.asus.com/ca-en/networking-iot-servers/adapters/all-series/usb-ac53-nano/helpdesk_download/?model2Name=USB-AC53-Nano

[2] https://paste.debian.net/
--
Thanks Alexander, but installing firmware-realtek doesn't work. It was 
the first thing I tried. Secondly, the ASUS driver fails to compile 
under Bullseye & later. It throws an error:


1.5_33902.20190604_COEX20180928-6a6a/include/rtw_security.h:255:8: 
error: redefinition of ‘struct sha256_state’

  255 | struct sha256_state {
  |    ^~~~

This is the same error I find in various drivers from GitHub. They all 
seem to be for older kernels and no longer compile. The fact that 
drivers have existed for so long was one reason I thought the device 
should be reasonably supported by now.


I had considered posting the output of lsusb but it simply shows that 
the device is recognized. Making it verbose returns a lot of 
capabilities information but not much else. Here it is:


/:  Bus 06.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
/:  Bus 05.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 1: Dev 3, If 0, Class=Vendor Specific Class, Driver=, 480M
    ID 0b05:184c ASUSTek Computer, Inc.
/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 1M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
    |__ Port 2: Dev 2, If 0, Class=Mass Storage, Driver=uas, 5000M
    ID 0080:a001 Unknown JMS578 based SATA bridge
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/8p, 1M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/14p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 13: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    ID 058f:6366 Alcor Micro Corp. Multi Flash Reader

The journalctl command returns nothing.

Found a github repository that compiles on Bullseye at 
https://github.com/morrownr/88x2bu. Then it's a matter of doing the 
following as root


git clone https://github.com/morrownr/88x2bu
cd 88x2bu-20210702 ## date string may be different
make clean
make
make install

then rebooting. The wifi dongle now shows in "ip addr".


Re: SOLVED Re: Cannot rum multiple command on remote machine via SSH

2023-02-08 Thread Greg Wooledge
On Wed, Feb 08, 2023 at 04:03:04PM +0100, to...@tuxteam.de wrote:
> On Wed, Feb 08, 2023 at 09:31:00AM -0500, Stefan Monnier wrote:
> > >> $ cat opt/bin/hibernate.sh
> > >> mate-screensaver-command -l  # Activates screensaver and locks
> > >>   the screen
> > >> sudo systemctl hybrid-sleep  # Hibernate and suspend the system. This
> > >>   will trigger activation of
> > >>   the special target unit
> > >>   hybrid-sleep.target.
> > [...]
> > > So it's not clear which command is causing the ssh client to hang.
> > 
> > Maybe it's simply that `hybrid-sleep` is fast enough to stop the network
> > before the SSH command completes?

Ooof.  If that's the case, then the race conditions are in the exact
opposite direction of where I was looking.  This is where having input
from people with laptop experience is priceless.

It's not trivial to fix, either, because the command in question is
being done with sudo.  We don't know how the sudo authentication is
being done (because we weren't TOLD).  If it's reading a password from
the keyboard, then the whole sudo can't be backgrounded.  But maybe
something like this would suffice:

sudo sh -c '(sleep 1; systemctl hybrid-sleep) >>"$1" 2>&1 &' x "$log"

or

sudo sh -c '(sleep 1; systemctl hybrid-sleep) >/dev/null 2>&1 &'

Of course, the sleep duration may need to be adjusted.

> Or perhaps it is synchronous and waits until successful ;-)

Can't rule it out, but the man page is VERY emphatic about that not
being true.  That would be a pretty major bug (deviation from documented
behavior).
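
An added demonstration, not part of the message above, of why the backgrounded command in both variants redirects its output. Without a tty, sshd keeps the session open until every process holding the command's stdout/stderr has closed it. Here a command-substitution pipe stands in for the ssh session (an assumption of this sketch), and the function names are made up for the example.

```shell
#!/bin/sh
# Constructed demo: a pipe reader (standing in for the ssh session) only sees
# EOF once every process holding the write end of the pipe has closed it.

# Run a command string under sh with its stdout captured through a pipe,
# and print how many whole seconds the caller had to wait for EOF.
elapsed_for() {
    start=$(date +%s)
    out=$(sh -c "$1")          # returns only when the pipe reaches EOF
    end=$(date +%s)
    echo $((end - start))
}

# The background job inherits the pipe, so the caller waits for the full
# delay even though "sh -c" itself exits immediately.
inherited() {
    elapsed_for '(sleep 3; true) &'
}

# The background job is redirected as in the message above, so nothing
# keeps the pipe open and the caller returns at once.
redirected() {
    elapsed_for '(sleep 3; true) >/dev/null 2>&1 &'
}

# Only print the comparison when run directly with the "demo" argument.
if [ "${1:-}" = "demo" ]; then
    echo "inherited stdout:  waited $(inherited)s"
    echo "redirected stdout: waited $(redirected)s"
fi
```
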



Re: No USB with qemu+macOS+USB+iPads

2023-02-08 Thread Max Nikulin

On 08/02/2023 01:15, stand...@gmx.net wrote:

Max Nikulin wrote on Monday, 6 February 2023 at 13:30:06 UTC+1:

sudo -A setfacl -m u:`id -un`:rw /dev/bus/usb/002/007


I think running as root doesn't require this change, or?


Then I have no idea. Does it work if you pass a USB device to a Linux 
guest (e.g. boot some live image)?




Re: SOLVED Re: Cannot rum multiple command on remote machine via SSH

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 09:31:00AM -0500, Stefan Monnier wrote:
> >> $ cat opt/bin/hibernate.sh
> >> mate-screensaver-command -l  # Activates screensaver and locks
> >>   the screen
> >> sudo systemctl hybrid-sleep  # Hibernate and suspend the system. This
> >>   will trigger activation of
> >>   the special target unit
> >>   hybrid-sleep.target.
> [...]
> > So it's not clear which command is causing the ssh client to hang.
> 
> Maybe it's simply that `hybrid-sleep` is fast enough to stop the network
> before the SSH command completes?

Or perhaps it is synchronous and waits until successful ;-)

Cheers
-- 
t




Re: SOLVED Re: Cannot rum multiple command on remote machine via SSH

2023-02-08 Thread Stefan Monnier
>> $ cat opt/bin/hibernate.sh
>> mate-screensaver-command -l  # Activates screensaver and locks
>>   the screen
>> sudo systemctl hybrid-sleep  # Hibernate and suspend the system. This
>>   will trigger activation of
>>   the special target unit
>>   hybrid-sleep.target.
[...]
> So it's not clear which command is causing the ssh client to hang.

Maybe it's simply that `hybrid-sleep` is fast enough to stop the network
before the SSH command completes?


Stefan



Re: support for ASUS AC1200 USB-AC53 Nano wifi dongle

2023-02-08 Thread Gary Dale

On 2023-02-08 00:55, Alexander V. Makartsev wrote:

On 08.02.2023 09:07, Gary Dale wrote:


I thought this would be easier than it's turned out to be. There are 
Internet posts going back years about support for this device but 
nothing recent - including a 5 year old Ubuntu post saying it works. 
Other wifi devices seem to be recognized out of the box or with a 
simple install of non-free firmware but not this one - at least not 
in Bullseye or Bookworm.


The adapter itself seems to be quite popular so I'm hoping someone 
can provide some clues on how to make it work


Thanks.

Your device should be based on "RTL8822B" chip from Realtek, so you 
need to install "firmware-realtek" package.
If after doing that you still didn't get a functioning network wifi 
adapter you might need to build driver kernel module. [1]
This is what I had to do to get USB Bluetooth adapter from Asus to 
work without issues, even though it is supported by kernel in "bullseye".


It is always the best to include extra information about your setup 
when you are asking for help.

At least output from these commands would be a start:
    $ uname -a
    $ lsusb -v -t
    # journalctl -b 0 --no-pager | grep -iE "rtl|rtk_|firmware"

If the output is long you can use "paste" service [2] and send us a link.


[1] 
https://www.asus.com/ca-en/networking-iot-servers/adapters/all-series/usb-ac53-nano/helpdesk_download/?model2Name=USB-AC53-Nano

[2] https://paste.debian.net/
--
Thanks Alexander, but installing firmware-realtek doesn't work. It was 
the first thing I tried. Secondly, the ASUS driver fails to compile 
under Bullseye & later. It throws an error:


1.5_33902.20190604_COEX20180928-6a6a/include/rtw_security.h:255:8: 
error: redefinition of ‘struct sha256_state’

  255 | struct sha256_state {
  |    ^~~~

This is the same error I find in various drivers from GitHub. They all 
seem to be for older kernels and no longer compile. The fact that 
drivers have existed for so long was one reason I thought the device 
should be reasonably supported by now.


I had considered posting the output of lsusb but it simply shows that 
the device is recognized. Making it verbose returns a lot of 
capabilities information but not much else. Here it is:


/:  Bus 06.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
/:  Bus 05.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 1: Dev 3, If 0, Class=Vendor Specific Class, Driver=, 480M
    ID 0b05:184c ASUSTek Computer, Inc.
/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 1M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
    |__ Port 2: Dev 2, If 0, Class=Mass Storage, Driver=uas, 5000M
    ID 0080:a001 Unknown JMS578 based SATA bridge
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/8p, 1M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/14p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 13: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    ID 058f:6366 Alcor Micro Corp. Multi Flash Reader

The journalctl command returns nothing.



Re: SOLVED Re: Cannot rum multiple command on remote machine via SSH

2023-02-08 Thread Greg Wooledge
On Wed, Feb 08, 2023 at 12:00:13PM +, Ottavio Caruso wrote:
> $ cat opt/bin/hibernate.sh
> mate-screensaver-command -l   # Activates screensaver and locks
>   the screen
> sudo systemctl hybrid-sleep   # Hibernate and suspend the system. This
>   will trigger activation of
>   the special target unit
>   hybrid-sleep.target.

1) Missing the shebang.

2) The online man page for mate-screensaver-command says it:
   "Tells the running screensaver process to lock the screen immediately"
   Unfortunately, it doesn't say what happens if there's no running
   mate-screensaver process.  Does it start one as a foreground child
   or something?

3) systemctl(1) says that hybrid-sleep "is asynchronous, and will return
   after the hybrid sleep operation is successfully enqueued. It will not
   wait for the sleep/wake-up cycle to complete."

So it's not clear which command is causing the ssh client to hang.
My instinct says it's more likely to be mate-screensaver-command, but
I have zero experience with it.

Maybe you could try something like this:

==
#!/bin/sh
log=~/.cache/hibernate.log
mkdir -p ~/.cache
test -f "$log" || touch "$log"

tail -n0 -f "$log" & pid=$!

# Activate screensaver and lock the screen.
mate-screensaver-command -l >>"$log" 2>&1

# Hibernate and suspend the system.
# This triggers the special unit hybrid-sleep.target.
sudo systemctl hybrid-sleep >>"$log" 2>&1

sleep 3
kill "$pid"
wait
==

Feel free to adjust the sleep time as you see fit.  I've tried hard to
minimize race conditions, but they're not completely avoidable here.
If it takes more than 3 seconds for mate-screensaver-command and
systemctl to do their things, then you may have to sleep a bit longer.

If this hangs the ssh client, then we'll need to know which command
is still running.  That would typically mean logging in with a
second ssh command, finding out which tty the script is running on
(e.g. ps -ef | grep hibernate), then seeing what commands are running
on that tty (e.g. ps -ft pts/2).  At least, that's where I would start.



Don't feed the troll [was: FSF is not really free software (?)]

2023-02-08 Thread tomas
On Wed, Feb 08, 2023 at 07:11:45AM -0500, Jeremy Hendricks wrote:
> I’d recommend contacting FSF for FSF questions, not Debian.

And I'd recommend against feeding trolls.

Cheers
-- 
t




Re: FSF is not really free software (?)

2023-02-08 Thread Jeremy Hendricks
I’d recommend contacting FSF for FSF questions, not Debian.

On Wed, Feb 8, 2023 at 7:08 AM philip pocock 
wrote:

> "While many groups and individuals have contributed to Linux, the largest
> single contributor is still the Free Software Foundation, which created not
> only most of the tools used in Linux, but also the philosophy and the
> community that made Linux possible."
> -- https://www.debian.org/releases/buster/amd64/ch01s02.en.html
>
> Is there a link to the FSF contributions? I am told that FSF is centered
> on promoting proprietary software packages and assuring million $ salaries
> for Mozilla top execs for example. And therefore FSF is a capitalist
> utility above all.
>
> Stallman seems desperate for attention as it was Europe not the USA that
> birthed Linux into our online world. It bothers me to read praise of
> FSF when it is not praiseworthy unless one reveres money over all.
>
>
> --
> prof philip pocock
>
>
>


FSF is not really free software (?)

2023-02-08 Thread philip pocock
"While many groups and individuals have contributed to Linux, the largest
single contributor is still the Free Software Foundation, which created not
only most of the tools used in Linux, but also the philosophy and the
community that made Linux possible."
-- https://www.debian.org/releases/buster/amd64/ch01s02.en.html

Is there a link to the FSF contributions? I am told that FSF is centered on
promoting proprietary software packages and assuring million $ salaries for
Mozilla top execs for example. And therefore FSF is a capitalist utility
above all.

Stallman seems desperate for attention as it was Europe not the USA that
birthed Linux into our online world. It bothers me to read praise of
FSF when it is not praiseworthy unless one reveres money over all.

-- 
prof philip pocock


Re: Need help to install gnucobol

2023-02-08 Thread Richmond
Amine Derk  writes:

> Hello,
>
> I'm trying to use debian for the first time. and I'm not able to
> install Gnucobol.
>
> aderkaoua@LAPTOP-6B841S0M:~$ sudo apt-get install gnucobol
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> E: Unable to locate package gnucobol
>
> please advise?
>
> Amine. 
> Cobol Developer 
> 571 234 9827

I compiled gnu-cobol and have it working. I obtained:

gnucobol-3.1.2.tar.xz

tar axvf gnucobol-3.1.2.tar.xz
cd gnucobol-3.1.2
./configure
make

Probably there were errors which I fixed by installing things. See how
far you get.