Re: Unattended upgrade of grub failed

[Greg Wooledge]

On Sun, Oct 08, 2023 at 05:14:52PM +0200, Jesper Dybdal wrote:
> After the reboot, which went well, I noticed that the new kernel version was
> "held back".  An explicit install of the new kernel seemed to succeed, and
> everything seems to work ok now.

Note the differences among "apt upgrade", "apt-get upgrade",
"apt-get upgrade --with-new-pkgs" and "apt-get dist-upgrade.

"apt-get upgrade" will not install new packages.

"apt upgrade" will.

"apt-get upgrade --with-new-pkgs" also will.

"apt-get dist-upgrade" will install new packages, and potentially
remove packages, if the situation requires it.  For a simple point
release, it should be vanishingly rare that a package would be
removed, so this is hardly ever needed.  But "dist-" is a lot easier to
type and to remember than "--with-new-pkgs", so people tend to use it
as a synonym.

Re: Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA)

[Rainer Dorsch]

Am Sonntag, 8. Oktober 2023, 17:32:37 CEST schrieb Jeffrey Walton:
> On Sun, Oct 8, 2023 at 7:53 AM Rainer Dorsch  wrote:
> > I have one machine on which I see during upgrade messages like:
> > 
> > Setting up udev (252.17-1~deb12u1) ...
> > 🔐 Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA):
> > Setting up linux-image-6.1.0-13-armmp (6.1.55-1) ...
> > 
> > /etc/kernel/postinst.d/initramfs-tools:
> > update-initramfs: Generating /boot/initrd.img-6.1.0-13-armmp
> > 
> > Broadcast message from root@home (Sun 2023-10-08 13:45:07 CEST):
> > 
> > Password entry required for 'Enter passphrase for SSL/TLS keys for
> > 192.168.0.30:443 (RSA):' (PID 25235).
> > Please enter password with the systemd-tty-ask-password-agent tool.
> > 
> > Does anybody know where they (could) come from?
> 
> It looks like it comes from Apache via debian/ask-for-passphrase :
>  4ba3b8d1f7c/>. It looks like the message was changed recently.
> 
> It looks like the former message was "Apache needs to decrypt your SSL
> Keys for $sitename ($keytype)".

Many thanks. for the useful response.

For me the previous message would have been more useful :-/

Thanks again
Rainer

-- 
Rainer Dorsch
http://bokomoko.de/

Re: Need help with PGP signature verification

[Tom Browder]

On Sun, Oct 8, 2023 at 14:39 Thomas Schmitt  wrote:

> Hi,


Thanks, Thomas.

I did get the signers key fingeprints from their personal github pages. I
would go the full security route if it were only my use I'm concerned with,
but I'm working on a Raku module for others and I don't want them to be
held up by having to fumble with key trust before at least downloading the
files with a first order check with data I can provide.

I'll make sure to document exactly what I'm providing.

Best regards,

-Tom

Re: Need help with PGP signature verification

[debian-user]

"Thomas Schmitt"  wrote:
> Hi,
> 
> Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.  
> 
> Do i get it right that you talk about https://rakudo.org/downloads ?
> 
> > Question:  How can I get the fingerprint from the downloads? 
> > The products I download are (1) the file of interest, (2) a PGP
> > signed checksums file with various shaX hashes for the file, and
> > (3) a separate file containing a PGP signature.  
> 
> The "Verify" button at above web page leads to
>   https://rakudo.org/downloads/verifying
> which explains how to use sha256 and gpg2 for verification.
> Most importantly it lists the fingerprints of the four "Keys of the
> releasers". If gpg2 --verify reports any other fingerprint, then
> the .asc file cannot be trusted.
> 
> (It is not overly trustworthy that fingerprints and the signed files
> are offered on the same web site. Once the site is compromised, both
> can be manipulated by the attacker.)

That's why the page suggests that the developers' also list their
fingerprints on their github pages, I suspect. Which they do.

Re: Does the debian kernel sends the gratuitous arp ?

[debian-user]

Geert Stappers  wrote:
> On Fri, Oct 06, 2023 at 09:19:32PM +0200, Geert Stappers wrote:
> > On Fri, Oct 06, 2023 at 05:52:16PM +0530, Balaji G wrote:  
> > > Hi,
> > > I am using "Debian GNU/Linux 11 (bullseye)" with kernel
> > > version 5.16.12. When i do a link up/down i don't see any
> > > Gratuitous ARP being sent.  
> > 
> > ARP  
> 
> Address Resolution Protocol
> 
>   
> > > # echo 1 > /proc/sys/net/ipv4/conf/eno5np0/arp_notify  
> > 
> > Probably transmitted "I tried to enforce ARP notification"
> > 
> >   
> > > # ip link set down dev eno5np0
> > > # ip link set up dev eno5np0  
> > 
> > link  
> 
> As in "the link layer"
>   
>  
> > > Captured all the packets via tcpdump & the tcpdump is not showing
> > > any Gratuitous ARP packets.  
> > 
> > Why should it? (Yes, that is a serious question.)  
>  
> As opening question for further discussion.
> 
> Because I like the question
>   Does the Debian kernel sends the gratuitous ARP ?
> 
> I think the answer is   YES
> and I very curious when gratuitous ARP is ommitted.
> 
>   
> > > But, with the same commands i could see the Gratuitous ARP being
> > > sent in Red hat.9.0 (Plow).  
> > 
> > I think more factors have been change as kernel.  
>  
> As invitation for telling how the comparsion was done.
> 
> 
> > > So, please let me know if this is a specific scenario in Debian
> > > 11 ??  
> > 
> > I state that the OP, Original Poster, is the specific scenario.
> > Yeah, that is a blunt statement.  Now hear me out.
> > 
> > Gratuitous ARP is "linking" MAC-address and  IP-address.
> > 
> > During `ip link set down dev eno5np0` and `ip link set up dev
> > eno5np0` are NO IP-addresses involved.
> > 
> > So there is no need for ARP.
> > 
> > 
> > I do hope to see a follow-up message like:
> > 
> >Re-did the test with a static IP-address on the interface
> >and indeed see a gratuitous ARP
> > 
> > or some thing like
> > 
> >To reproduce the missing gratuitous ARP do ...
> > 
> > Yeah, that might reveal more information about dev eno5np0.
> > 
> >
> > > Thanks,
> > > Balaji  
> > 
> > Groeten
> > Geert Stappers  
> 
> Because in https://lists.debian.org/debian-user/2023/10/msg00212.html
> I wrote "Lets follow-up
> https://lists.debian.org/debian-user/2023/10/msg00181.html "

If you'll forgive me stepping in ...

I suspect neither Geert's nor Balaji's first language is English, and
independently notice that Geert writes in a somewhat terse style whilst
Balaji omits potentially useful information (such as the actual tcpdump
output). So I'll add my summary of what I understand:

Gert is pointing out that ARP packets are sent in connection with
resolving the IP address associated with a MAC address, and that
nothing that Balaji has posted suggests that an IP address has been
allocated yet, so there would be no reason for a Gratuitous ARP packet
to be sent.

So he is interested to learn how the IP address is set up on both the
Debian system and the Red Hat system (static or DHCP or something
else?) and I suspect would ideally like to see sufficient message logs
to demonstrate the truth of the answers.

Specifically, on the Debian system is the IP address set statically,
and are there any packets containing the IP address in the logs? Either
transmitted or received. Similarly for the Red Hat system but perhaps
less important.

> Groeten
> Geert Stappers

Re: Unattended upgrade of grub failed

[Jeffrey Walton]

On Sun, Oct 8, 2023 at 1:04 PM Jesper Dybdal  wrote:
>
> On 2023-10-08 12:07, Jesper Dybdal wrote:
> > On 2023-10-08 11:25, Marco M. wrote:
> >> Am 08.10.2023 um 11:09:53 Uhr schrieb Jesper Dybdal:
> >>
> >>> It seems to have a problem with "grub-pc".  But I thought that
> >>> grub-pc was only for BIOS boot, and that by installing the UEFI
> >>> version grub-pc would disappear or at least be disabled.
> >> Uninstall grub-pc if you are on an UEFI system.
> >> You can still have the .deb in /var/cache/apt, so you can reinstall it
> >> in a chroot environment of you fear.
> >>
> >
> > Can I simply do an apt-get remove grub-pc and expect that the grub-efi
> > installation is still intact and working?
> >
> > Would it make sense to do a grub-install after removing grub-pc, just
> > to ensure that it will work?
> I tried to simulate it with a "apt-get -s remove grub-pc".  It then said:
>
> The following packages will be REMOVED:
>grub-pc grub2
>
> Is removing grub2 not a problem?  If I do an "aptitude why grub2", it says:
>
> Manually installed, current version 2.06-3~deb11u6, priority optional
> No dependencies require to install grub2

Sometimes  packages need to be marked manual rather than auto to
ensure they are not auto-removed. For example, you need to perform
`apt-mark manual cryptsetup-initramfs` to ensure initramfs can mount
an encrypted root. See .

I'm not saying that's happening here. I'm only saying that it happens
on occasion.

Jeff

Re: Intermittent WiFi on Network Manager

[gene heskett]

On 10/8/23 07:43, Lee wrote:

On 10/7/23, Ottavio Caruso  wrote:

Am 07/10/2023 um 11:11 schrieb gene heskett:

Another possibility is a leaky microwave oven in the vicinity


This is an urban legend and an excuse I was using when I was in tech
support.


It's real.  Try it yourself - run iperf for 2 minutes, display the
bandwidth report every second and then start the microwave for 1
minute.

I get the thruput cut in half or or more when the microwave is on.
Which is an improvement on the previous microwave which used to kill a
wireless connection. (which was super annoying when the wife was doing
work-from-home & I wasn't allowed to use the microwave _at_all_ during
the day.  I suspect that's the reason she got a toaster oven)

Is it fairly well-known that microwave ovens interfere the most on channel 11?
I just tried linssid again and there's a bunch of APs on channel 1 &
6, one on channel 2 and two on channel 8.  Nothing on channel 11.

Lee


That, again probably, would be because the microwave does NOT transmit 
an SID, carrier strength would be a giveaway if the receiver could be 
heard, probably as a loud 120 or 100 hz(in 50 cycle nations) hum. High 
voltage caps are expen$ive so the HV supply that powers the magnetron is 
rarely filtered, just rectified.  The normal wifi modulation mode is 
FSK, often with a modified to an NRZ to balance the energy levels in 
each state. That I'd have to look it up and don't have a copy of that 
particular CFR rulebook to check.

.


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 

Re: Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA)

[Jeffrey Walton]

On Sun, Oct 8, 2023 at 7:53 AM Rainer Dorsch  wrote:
>
> I have one machine on which I see during upgrade messages like:
>
> Setting up udev (252.17-1~deb12u1) ...
> 🔐 Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA):
> Setting up linux-image-6.1.0-13-armmp (6.1.55-1) ...
>
> /etc/kernel/postinst.d/initramfs-tools:
> update-initramfs: Generating /boot/initrd.img-6.1.0-13-armmp
>
> Broadcast message from root@home (Sun 2023-10-08 13:45:07 CEST):
>
> Password entry required for 'Enter passphrase for SSL/TLS keys for
> 192.168.0.30:443 (RSA):' (PID 25235).
> Please enter password with the systemd-tty-ask-password-agent tool.
>
> Does anybody know where they (could) come from?

It looks like it comes from Apache via debian/ask-for-passphrase :
.
It looks like the message was changed recently.

It looks like the former message was "Apache needs to decrypt your SSL
Keys for $sitename ($keytype)".

Jeff

Re: Does the debian kernel sends the gratuitous arp ?

[Jeffrey Walton]

On Sun, Oct 8, 2023 at 4:58 AM Geert Stappers  wrote:
>
> On Sun, Oct 08, 2023 at 11:21:10AM +0530, Balaji G wrote:
> > On Sat, 7 Oct 2023 at 02:50, Jeffrey Walton wrote:
> > > On Fri, Oct 6, 2023 at 2:04 PM Balaji G wrote:
> > > >
> > > > Hi,
> > > >
> > > > I am using "Debian GNU/Linux 11 (bullseye)" with kernel version 5.16.12.
> > > > When i do a link up/down i don't see any Gratuitous ARP being sent.
> > > >
> > > > # echo 1 > /proc/sys/net/ipv4/conf/eno5np0/arp_notify
> > > > # ip link set down dev eno5np0
> > > > # ip link set up dev eno5np0
> > > >
> > > > Captured all the packets via tcpdump & the tcpdump is not showing any
> > > > Gratuitous ARP packets.
> > > >
> > > > But, with the same commands i could see the Gratuitous ARP being sent in
> > > > Red hat.9.0 (Plow).
> > > >
> > > > So, please let me know if this is a specific scenario in Debian 11 ??
> > >
> > > I think that's now Poettering:
> > >
> > > https://github.com/systemd/systemd/blob/main/src/libsystemd-network/sd-ipv4acd.c#L302
> > >
> >
> > Do you mean this is a known issue & will be fixed in the future releases ?
>
> Here not Jeff.  What I do understand from Jeff message is
> something like:  "I can bitch on systemd, so I do"
> Time will tell how much Jeff contributes in solving
> the interesting problem of the invisible gratuitous ARP.

Nope, not that.

I learned a long time ago to answer the question that was asked in the
body of the post.

You're welcome to complain about Systemd all you like. You won't get
any complaints from me. It's not a discussion I will engage in.

Jeff

Re: Unattended upgrade of grub failed

[Jesper Dybdal]

On 2023-10-08 11:25, Marco M. wrote:

Am 08.10.2023 um 11:09:53 Uhr schrieb Jesper Dybdal:


It seems to have a problem with "grub-pc".  But I thought that
grub-pc was only for BIOS boot, and that by installing the UEFI
version grub-pc would disappear or at least be disabled.

Uninstall grub-pc if you are on an UEFI system.
You can still have the .deb in /var/cache/apt, so you can reinstall it
in a chroot environment of you fear.

I did uninstall grub-pc (and grub2).  I then installed the new point 
release (11.8) before rebooting.


After the reboot, which went well, I noticed that the new kernel version 
was "held back".  An explicit install of the new kernel seemed to 
succeed, and everything seems to work ok now.


Thank you!!

--
Jesper Dybdal
https://www.dybdal.dk

Re: debian.org - broken Download link.

[Brad Rogers]

On Sun, 8 Oct 2023 21:20:04 +0700
Dmitry  wrote:

Hello Dmitry,

>https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.1.0-amd64-netinst.iso

Appears to have been updated/corrected.  Now works, d/l'ing Debian 12.2
after recent point release.

Transitional error, I suspect - Debian is a big web site with lots of
links to update.  I bet it's not done manually.  In any event, it takes
time to get everything updated correctly.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
Never much liked playing there anyway
Banned From The Roxy - Crass


pgpY7Z_xjrgpN.pgp
Description: OpenPGP digital signature

debian.org - broken Download link.

[Dmitry]

Hi!

At the main page https://www.debian.org/, the Download link with Debian 
logo at the right part of the page is broken.

https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.1.0-amd64-netinst.iso

Leads to "Not Found". The requested URL was not found on this server.

Apache/2.4.55 (Unix) Server at cdimage.debian.org Port 443

Re: Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA)

[Darac Marjal]

On 08/10/2023 12:53, Rainer Dorsch wrote:

Hello,

I have one machine on which I see during upgrade messages like:

Setting up udev (252.17-1~deb12u1) ...
🔐 Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA):
Setting up linux-image-6.1.0-13-armmp (6.1.55-1) ...

/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.1.0-13-armmp

Broadcast message from root@home (Sun 2023-10-08 13:45:07 CEST):

Password entry required for 'Enter passphrase for SSL/TLS keys for
192.168.0.30:443 (RSA):' (PID 25235).
Please enter password with the systemd-tty-ask-password-agent tool.

Does anybody know where they (could) come from?


Searching the internet for that exact phrase suggests it's Apache2 
asking that. Specifically, it's a program called "ask-for-passphase": 
https://sources.debian.org/src/apache2/2.4.57-3/debian/ask-for-passphrase/?hl=26#L26





Thanks
Rainer




OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: Need help with PGP signature verification

[Thomas Schmitt]

Hi,

Tom Browder wrote:
> I found a usable answer. Run "gpg file.asc" and the output shows the two
> fingerprints: the primary key fingerprint and the subkey fingerprint.

Wow, that's surprising.

But indeed the man page says:

  COMMANDS
   ...
   gpg  may  be run with no commands, in which case it will perform a rea‐
   sonable action depending on the type of file it is given as  input  (an
   encrypted  message  is  decrypted, a signature is verified, a file con‐
   taining keys is listed).


Have a nice day :)

Thomas

Re: Unattended upgrade of grub failed

[Marco M.]

Am 08.10.2023 um 12:46:06 Uhr schrieb DdB:

> My understanding is, that it might be dangerous to uninstall grub-pc
> and its dependencies without further precautions.

If a system was installed in UEFI mode, no grub-pc is installed.
If a system is being migrated from BIOS boot to UEFI boot, care must be
taken.

Re: Understanding package dependencies

[Greg Wooledge]

On Sun, Oct 08, 2023 at 10:47:58AM +0200, Jörg-Volker Peetz wrote:
> Greg Wooledge wrote on 07/10/2023 20:45:
> > unicorn:~$ apt list '?provides(~nlsb-base)'
> > Listing... Error!
> > E: input:0-21: error: Unrecognized pattern '?provides'
> > ?provides(~nlsb-base)
> > ^
> > 
> How about
> 
>   apt list '?reverse-depends(?name(lsb-base))'

Reverse-depends isn't the same as Provides, though.

unicorn:~$ aptitude search '~Pmail-transport-agent'
p   courier-mta - Courier mail server - ESMTP daemon
p   courier-mta:i386- Courier mail server - ESMTP daemon
p   dma - lightweight mail transport agent  
p   dma:i386- lightweight mail transport agent  
[...]
unicorn:~$ apt list '?reverse-depends(~nmail-transport-agent)'
Listing... Done
unicorn:~$ 

The only way I know of, to get that list from apt, is by parsing it
out of the output of "apt-cache showpkg".

unicorn:~$ apt-cache showpkg mail-transport-agent | sed -n '/^Reverse 
Provides/,$p'
Reverse Provides: 
mta-local 1.0 (= )
exim4-daemon-light 4.96-15+deb12u2 (= )
exim4-daemon-heavy 4.96-15+deb12u2 (= )
dma:i386 0.13-1+b1 (= )
ssmtp 2.64-11 (= )
[...]

Which is... better than nothing, admittedly, but it still mystifies me
why this *one* feature is excluded from apt-patterns, when so many others
are included.

Re: Unattended upgrade of grub failed

[Marco M.]

Am 08.10.2023 um 13:37:45 Uhr schrieb Jesper Dybdal:

> I tried to simulate it with a "apt-get -s remove grub-pc".  It then
> said:
> 
> The following packages will be REMOVED:
>    grub-pc grub2
> 
> Is removing grub2 not a problem?  If I do an "aptitude why grub2", it
> says:

That is my EFI system, no package "grub2" installed.

m@ryz:~$ dpkg -l |grep grub
ii  grub-common
2.12~rc1-11  amd64GRand Unified
Bootloader (common files) ii  grub-efi-amd64
  2.12~rc1-11  amd64
GRand Unified Bootloader, version 2 (EFI-AMD64 version) ii
grub-efi-amd64-bin  2.12~rc1-11
 amd64GRand Unified Bootloader, version
2 (EFI-AMD64 modules) ii  grub-efi-amd64-signed
  1+2.12~rc1+11amd64GRand
Unified Bootloader, version 2 (amd64 UEFI signed by Debian) ii
grub2-common2.12~rc1-11
 amd64GRand Unified Bootloader (common
files for version 2) m@ryz:~$ 

The package description is also clear:
|Description: GRand Unified Bootloader, version 2 (dummy package)
|This is a dummy transitional package to handle GRUB 2 upgrades.  It
|can be safely removed.

So you can remove it.

Re: Need help with PGP signature verification

[Tom Browder]

On Sun, Oct 8, 2023 at 05:13 Tom Browder  wrote:

> On Sun, Oct 8, 2023 at 3:29 AM DdB
>  wrote:
> > Am 08.10.2023 um 01:16 schrieb Tom Browder:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question:  How can I get the fingerprint from the downloads?


I found a usable answer. Run "gpg file.asc" and the output shows the two
fingerprints: the primary key fingerprint and the subkey fingerprint.

I wish there was a PGP cookbook around somewhere.

Thanks, all.

-Tom

Re: Need help with PGP signature verification

[Thomas Schmitt]

Hi,

maybe

  gpg --keyid-format long --verify signature_file.asc /some/dummy/file

this gives me the last 16 characters of the fingerprint. Like:

  gpg:using  key E9CBDFC0ABC0A854

with a matching payload file i get something like:

  Primary key fingerprint: 44BC 9FD0 D688 EB00 7C4D D029 E9CB DFC0 ABC0 A854


Have a nice day :)

Thomas

Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA)

[Rainer Dorsch]

Hello,

I have one machine on which I see during upgrade messages like:

Setting up udev (252.17-1~deb12u1) ...
🔐 Enter passphrase for SSL/TLS keys for 192.168.0.30:443 (RSA): 

Setting up linux-image-6.1.0-13-armmp (6.1.55-1) ...

/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.1.0-13-armmp

Broadcast message from root@home (Sun 2023-10-08 13:45:07 CEST):

Password entry required for 'Enter passphrase for SSL/TLS keys for 
192.168.0.30:443 (RSA):' (PID 25235).
Please enter password with the systemd-tty-ask-password-agent tool.

Does anybody know where they (could) come from?

Thanks
Rainer


-- 
Rainer Dorsch
http://bokomoko.de/

Re: Intermittent WiFi on Network Manager

[Lee]

On 10/7/23, Ottavio Caruso  wrote:
> Am 07/10/2023 um 11:11 schrieb gene heskett:
>> Another possibility is a leaky microwave oven in the vicinity
>
> This is an urban legend and an excuse I was using when I was in tech
> support.

It's real.  Try it yourself - run iperf for 2 minutes, display the
bandwidth report every second and then start the microwave for 1
minute.

I get the thruput cut in half or or more when the microwave is on.
Which is an improvement on the previous microwave which used to kill a
wireless connection. (which was super annoying when the wife was doing
work-from-home & I wasn't allowed to use the microwave _at_all_ during
the day.  I suspect that's the reason she got a toaster oven)

Is it fairly well-known that microwave ovens interfere the most on channel 11?
I just tried linssid again and there's a bunch of APs on channel 1 &
6, one on channel 2 and two on channel 8.  Nothing on channel 11.

Lee

Re: Unattended upgrade of grub failed

[Jesper Dybdal]

On 2023-10-08 12:07, Jesper Dybdal wrote:

On 2023-10-08 11:25, Marco M. wrote:

Am 08.10.2023 um 11:09:53 Uhr schrieb Jesper Dybdal:


It seems to have a problem with "grub-pc".  But I thought that
grub-pc was only for BIOS boot, and that by installing the UEFI
version grub-pc would disappear or at least be disabled.

Uninstall grub-pc if you are on an UEFI system.
You can still have the .deb in /var/cache/apt, so you can reinstall it
in a chroot environment of you fear.



Can I simply do an apt-get remove grub-pc and expect that the grub-efi 
installation is still intact and working?


Would it make sense to do a grub-install after removing grub-pc, just 
to ensure that it will work?

I tried to simulate it with a "apt-get -s remove grub-pc".  It then said:

The following packages will be REMOVED:
  grub-pc grub2

Is removing grub2 not a problem?  If I do an "aptitude why grub2", it says:

Manually installed, current version 2.06-3~deb11u6, priority optional
No dependencies require to install grub2

--
Jesper Dybdal
https://www.dybdal.dk

Re: Unattended upgrade of grub failed

[DdB]

Am 08.10.2023 um 12:46 schrieb DdB:
> OMG, this looks wrong to me.

Errata:
I apologize for spreading nonsense. My mistake was, that, although most
of my vm's are actually using UEFI, the one, i was testing was NOT.
Sorry for my confusion. Disregard my earlier statements ...

Re: Need help with PGP signature verification

[Dan Purgert]

On Oct 08, 2023, Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB
>  wrote:
> > Am 08.10.2023 um 01:16 schrieb Tom Browder:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question:  How can I get the fingerprint from the downloads?
> > There is more than just one way to archieve this, first result from
> 
> I should have been more specific. I have the following:
> 
> -BEGIN PGP SIGNATURE-
> 
> iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
> a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
> 43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
> =mNqK
> -END PGP SIGNATURE-
> 
> I need the fingerprint from that to compare with the fingerprints I
> know from Github to see if it's from the same key.

No, you just need the key(s) from the developer(s).  Assuming you've not
accidentally tampered with the files, you'll be able to verify this
signature with a command like "gpg --verify shasum.txt.gpg shasum.txt".

You'll get a message to the effect of 

  Signature made [some-date-here]
  using RSA Key [fingerprint-here]
  Good signature from "Some Person's GPG Key Name"

NOTE -- you MAY also receive some lines to the effect of 

  WARNING: This key is not trusted, the authenticity of the signature
  cannot be verified.

As with checking a Debian ISO (or other Linux distro that uses this
style of verification), this is nothing to be worried about, it's just
GPG informing you that it doesn't have any information as to whether you
actually "trust" the key (either through you explicitly signing /
trusting the key, or trust being derived through the GPG Web of Trust).
It's roughly the GPG equivalent of a web browser going "WARNING - Self
Signed Certificate".


Anyway, once you're done with this; then you know the sha256 checksum
file is the one the developers intended you to get; and you can use it
to check the *iso file.  Probably something like "sha256sum
--ignore-missing -c sha256sum.txt"

HTH :)

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Unattended upgrade of grub failed

[DdB]

Am 08.10.2023 um 11:33 schrieb Marco M.:
> Specifying a block device for boot loader installation is only needed
> for BIOS boot and not for UEFI boot, so in case of an UEFI system,
> grub-pc isn't needed.
> 

OMG, this looks wrong to me. So i went to check in practice, using a
virtual machine, that is using UEFI booting.
If i try to remove grub-pc, it is issuing several warnings, among them
the question, if i REALLY want to remove grub2 from /boot/grub, which is
strange, because grub exists in the efisys partition (/dev/sda1 in my
case). But the list of dependencies contains - among other things -
every single kernel ever installed on the system, indicating, that
removing it would necessitate another boot manager to be installed
afterwards.
As mentionned, the VM uses UEFI, thus it is set up properly using grub2.
But apparently, both are present and somehow intertwined. I did refrain
from completing the purge.
Yes, my understanding also is, that grub-pc was the old way, but i did a
clean install of a buster system on UEFI and grub-pc got there without
me asking for it.
My understanding is, that it might be dangerous to uninstall grub-pc and
its dependencies without further precautions.

Re: Need help with PGP signature verification

[Tom Browder]

On Sun, Oct 8, 2023 at 3:29 AM DdB
 wrote:
> Am 08.10.2023 um 01:16 schrieb Tom Browder:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.
> > Question:  How can I get the fingerprint from the downloads?
> There is more than just one way to archieve this, first result from

I should have been more specific. I have the following:

-BEGIN PGP SIGNATURE-

iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
=mNqK
-END PGP SIGNATURE-

I need the fingerprint from that to compare with the fingerprints I
know from Github to see if it's from the same key.

I think using openssl might be the easiest, but all the tools seem to
have a huge number of options and a vocabulary that's very malleable.

Thanks.

-Tom

Re: Unattended upgrade of grub failed

[Jesper Dybdal]

On 2023-10-08 11:25, Marco M. wrote:

Am 08.10.2023 um 11:09:53 Uhr schrieb Jesper Dybdal:


It seems to have a problem with "grub-pc".  But I thought that
grub-pc was only for BIOS boot, and that by installing the UEFI
version grub-pc would disappear or at least be disabled.

Uninstall grub-pc if you are on an UEFI system.
You can still have the .deb in /var/cache/apt, so you can reinstall it
in a chroot environment of you fear.



Can I simply do an apt-get remove grub-pc and expect that the grub-efi 
installation is still intact and working?


Would it make sense to do a grub-install after removing grub-pc, just to 
ensure that it will work?


And many thanks to you and DdB for your responses.

--
Jesper Dybdal
https://www.dybdal.dk

Re: Unattended upgrade of grub failed

[Marco M.]

Am 08.10.2023 um 11:30:13 Uhr schrieb DdB:

> On issuing the update interactively, i could see, that grub was
> prompting for the place to write itself to, which needed interaction.
> After giving the info (like /dev/sda in my case), the upgrade
> succeded. Later, there came more updates, but this time, they could
> indeed install themselves automatically.

Specifying a block device for boot loader installation is only needed
for BIOS boot and not for UEFI boot, so in case of an UEFI system,
grub-pc isn't needed.

Re: Unattended upgrade of grub failed

[DdB]

Am 08.10.2023 um 11:09 schrieb Jesper Dybdal:
> This has worked fine since then, with unattended-upgrades succeeding in
> keeping it up-to-date, including kernel upgrades and reboots.
> 
> But this morning, unattended-upgrades failed:

Hi, i was having the same problem on several virtual machines, that i am
running. On issuing the update interactively, i could see, that grub was
prompting for the place to write itself to, which needed interaction.
After giving the info (like /dev/sda in my case), the upgrade succeded.
Later, there came more updates, but this time, they could indeed install
themselves automatically.
That is why i suggest updating interactively this one time for grub and
relateds to succeed...
HTH, DdB

Re: Unattended upgrade of grub failed

[Marco M.]

Am 08.10.2023 um 11:09:53 Uhr schrieb Jesper Dybdal:

> It seems to have a problem with "grub-pc".  But I thought that
> grub-pc was only for BIOS boot, and that by installing the UEFI
> version grub-pc would disappear or at least be disabled.

Uninstall grub-pc if you are on an UEFI system.
You can still have the .deb in /var/cache/apt, so you can reinstall it
in a chroot environment of you fear.

Unattended upgrade of grub failed

[Jesper Dybdal]

I run Bullseye on an UEFI boot machine.  The system originally ran on 
BIOS boot hardware, but this summer I moved it to an UEFI machine by 
installing the EFI version of grub.


This has worked fine since then, with unattended-upgrades succeeding in 
keeping it up-to-date, including kernel upgrades and reboots.


But this morning, unattended-upgrades failed:

Packages that attempted to upgrade:
  grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub-pc
  grub-pc-bin grub2 grub2-common

Packages with upgradable origin but kept back:
  Debian oldstable-security:
   grub2-common grub-common grub-pc-bin grub-efi-amd64-signed grub2
   grub-pc grub-efi-amd64-bin

(The entire mail from unattended-upgrades is quoted below.)

It seems to have a problem with "grub-pc".  But I thought that grub-pc 
was only for BIOS boot, and that by installing the UEFI version grub-pc 
would disappear or at least be disabled.


Do I need to do an uninstall of grub-pc? and will that not be dangerous 
for the EFI version?


I am now somewhat worried - can my system boot at all?  And I expect 
that the point release will be installed tonight - will that mess things 
up further?  Can I simply disable unattended-upgrades with systemctl in 
order to temporarily stop unattended upgrades?


This machine is also my router/firewall/server, so if it fails, 
everything becomes difficult.


Thanks for any help you can offer,
Jesper

The entire mail from unattended-upgrades:


Unattended upgrade result: All upgrades installed

Packages that attempted to upgrade:
  grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub-pc
  grub-pc-bin grub2 grub2-common

Packages with upgradable origin but kept back:
  Debian oldstable-security:
   grub2-common grub-common grub-pc-bin grub-efi-amd64-signed grub2
   grub-pc grub-efi-amd64-bin

Package installation log:
Log started: 2023-10-08  06:47:58
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
Preparing to unpack .../0-grub2_2.06-3~deb11u6_amd64.deb ...
Unpacking grub2 (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Preparing to unpack .../1-grub2-common_2.06-3~deb11u6_amd64.deb ...
Unpacking grub2-common (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Preparing to unpack .../2-grub-pc_2.06-3~deb11u6_amd64.deb ...
Unpacking grub-pc (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Preparing to unpack .../3-grub-pc-bin_2.06-3~deb11u6_amd64.deb ...
Unpacking grub-pc-bin (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Preparing to unpack .../4-grub-efi-amd64-bin_2.06-3~deb11u6_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Preparing to unpack .../5-grub-common_2.06-3~deb11u6_amd64.deb ...
Unpacking grub-common (2.06-3~deb11u6) over (2.06-3~deb11u5) ...
Setting up grub-common (2.06-3~deb11u6) ...
Setting up grub-efi-amd64-bin (2.06-3~deb11u6) ...
Setting up grub2-common (2.06-3~deb11u6) ...
Setting up grub-pc-bin (2.06-3~deb11u6) ...
Setting up grub-pc (2.06-3~deb11u6) ...
/dev/disk/by-id/ata-ST2000DM001-1ER164_W4Z216NL does not exist, so cannot 
grub-install to it!
You must correct your GRUB install devices before proceeding:

   DEBIAN_FRONTEND=dialog dpkg --configure grub-pc
   dpkg --configure -a
dpkg: error processing package grub-pc (--configure):
  installed grub-pc package post-installation script subprocess returned error 
exit status 1
dpkg: dependency problems prevent configuration of grub2:
  grub2 depends on grub-pc (= 2.06-3~deb11u6); however:
   Package grub-pc is not configured yet.

dpkg: error processing package grub2 (--configure):
  dependency problems - leaving unconfigured
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for install-info (6.7.0.dfsg.2-6) ...
Errors were encountered while processing:
  grub-pc
  grub2
needrestart is being skipped since dpkg has failed

Running kernel seems to be up-to-date.

The processor microcode seems to be up-to-date.

Restarting services...
  systemctl restart amavisd-milter.service

Service restarts being deferred:
  /etc/needrestart/restart.d/dbus.service
  systemctl restartgetty@tty1.service
  systemctl restart systemd-logind.service
  systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2023-10-08  06:48:20



Unattended-upgrades log:
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, 
origin=Debian,codename=bullseye,label=Debian-Security, 
origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
Packages that will be upgraded: grub-common grub-efi-amd64-bin 
grub-efi-amd64-signed grub-pc grub-pc-bin grub2 grub2-common
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg retu

Re: Does the debian kernel sends the gratuitous arp ?

[Geert Stappers]

On Fri, Oct 06, 2023 at 09:19:32PM +0200, Geert Stappers wrote:
> On Fri, Oct 06, 2023 at 05:52:16PM +0530, Balaji G wrote:
> > Hi,
> > I am using "Debian GNU/Linux 11 (bullseye)" with kernel version 5.16.12.
> > When i do a link up/down i don't see any Gratuitous ARP being sent.
> 
> ARP

Address Resolution Protocol

  
> > # echo 1 > /proc/sys/net/ipv4/conf/eno5np0/arp_notify
> 
> Probably transmitted "I tried to enforce ARP notification"
> 
> 
> > # ip link set down dev eno5np0
> > # ip link set up dev eno5np0
> 
> link

As in "the link layer"
  
 
> > Captured all the packets via tcpdump & the tcpdump is not showing any
> > Gratuitous ARP packets.
> 
> Why should it? (Yes, that is a serious question.)
 
As opening question for further discussion.

Because I like the question
  Does the Debian kernel sends the gratuitous ARP ?

I think the answer is   YES
and I very curious when gratuitous ARP is ommitted.

  
> > But, with the same commands i could see the Gratuitous ARP being sent in
> > Red hat.9.0 (Plow).
> 
> I think more factors have been change as kernel.
 
As invitation for telling how the comparsion was done.


> > So, please let me know if this is a specific scenario in Debian 11 ??
> 
> I state that the OP, Original Poster, is the specific scenario.
> Yeah, that is a blunt statement.  Now hear me out.
> 
> Gratuitous ARP is "linking" MAC-address and  IP-address.
> 
> During `ip link set down dev eno5np0` and `ip link set up dev eno5np0`
> are NO IP-addresses involved.
> 
> So there is no need for ARP.
> 
> 
> I do hope to see a follow-up message like:
> 
>Re-did the test with a static IP-address on the interface
>and indeed see a gratuitous ARP
> 
> or some thing like
> 
>To reproduce the missing gratuitous ARP do ...
> 
> Yeah, that might reveal more information about dev eno5np0.
> 
>  
> > Thanks,
> > Balaji
> 
> Groeten
> Geert Stappers

Because in https://lists.debian.org/debian-user/2023/10/msg00212.html I
wrote "Lets follow-up
https://lists.debian.org/debian-user/2023/10/msg00181.html "


Groeten
Geert Stappers
-- 
Silence is hard to parse

Re: Does the debian kernel sends the gratuitous arp ?

[Geert Stappers]

On Sun, Oct 08, 2023 at 11:21:10AM +0530, Balaji G wrote:
> On Sat, 7 Oct 2023 at 02:50, Jeffrey Walton wrote:
> > On Fri, Oct 6, 2023 at 2:04 PM Balaji G wrote:
> > >
> > > Hi,
> > >
> > > I am using "Debian GNU/Linux 11 (bullseye)" with kernel version 5.16.12.
> > > When i do a link up/down i don't see any Gratuitous ARP being sent.
> > >
> > > # echo 1 > /proc/sys/net/ipv4/conf/eno5np0/arp_notify
> > > # ip link set down dev eno5np0
> > > # ip link set up dev eno5np0
> > >
> > > Captured all the packets via tcpdump & the tcpdump is not showing any
> > > Gratuitous ARP packets.
> > >
> > > But, with the same commands i could see the Gratuitous ARP being sent in
> > > Red hat.9.0 (Plow).
> > >
> > > So, please let me know if this is a specific scenario in Debian 11 ??
> >
> > I think that's now Poettering:
> >
> > https://github.com/systemd/systemd/blob/main/src/libsystemd-network/sd-ipv4acd.c#L302
> >
> > Jeff
> >
> Hi Jeff,
> 
> Do you mean this is a known issue & will be fixed in the future releases ?
> 

Here not Jeff.  What I do understand from Jeff message is
something like:  "I can bitch on systemd, so I do"
Time will tell how much Jeff contributes in solving
the interesting problem of the invisible gratuitous ARP.

Meanwhile lets follow-up
on https://lists.debian.org/debian-user/2023/10/msg00181.html


> Thanks,
> Balaji

You might have an extra copy of this message.
Because I did this time "reply-to-all" insteadof "reply-to-list".

The good thing of "reply-to-list" is that it reveals who reads
mailinglist postings. Yes, I'm trying to tell that you
missed https://lists.debian.org/debian-user/2023/10/msg00181.html
 

Regards
Geert Stappers
-- 
Silence is hard to parse

Re: Understanding package dependencies

[Jörg-Volker Peetz]

Greg Wooledge wrote on 07/10/2023 20:45:

On Sat, Oct 07, 2023 at 08:27:11PM +0200, Sven Joachim wrote:

Yes, aptitude can do that.   Quoting the manual[1]:

,
| ?provides(pattern), ~Ppattern
|
| Matches package versions which provide a package that matches the
| pattern. For instance, “?provides(mail-transport-agent)” will match
| all the packages that provide “mail-transport-agent”.
`

In the current case, "aptitude search '~Plsb-base'" does the trick.


Why on EARTH was this not ported to apt-patterns(7)?

unicorn:~$ apt list '?conflicts(~nlsb-base)'
Listing... Done
sysvinit-utils/stable,now 3.06-4 amd64 [installed]
sysvinit-utils/stable 3.06-4 i386
unicorn:~$ apt list '?provides(~nlsb-base)'
Listing... Error!
E: input:0-21: error: Unrecognized pattern '?provides'
?provides(~nlsb-base)
^


How about

  apt list '?reverse-depends(?name(lsb-base))'

or

  apt list '~RDepends:~nlsb-base'

Regards,
Jörg.

Re: Need help with PGP signature verification

[Thomas Schmitt]

Hi,

Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of Rakudo
> downloadable files.

Do i get it right that you talk about https://rakudo.org/downloads ?

> Question:  How can I get the fingerprint from the downloads? 
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.

The "Verify" button at above web page leads to
  https://rakudo.org/downloads/verifying
which explains how to use sha256 and gpg2 for verification.
Most importantly it lists the fingerprints of the four "Keys of the
releasers". If gpg2 --verify reports any other fingerprint, then the .asc
file cannot be trusted.

(It is not overly trustworthy that fingerprints and the signed files
are offered on the same web site. Once the site is compromised, both can
be manipulated by the attacker.)


Have a nice day :)

Thomas