Re: ain't it time to fix #790955 (couldn't find any console keymaps)?

[Jochen Spieker]

Harald Dunkel:
> 
> trying to change console keymaps using standard localectl I
> stumbled over https://bugs.debian.org/790955 and the
> recommendation on
> 
> https://www.claudiokuenzler.com/blog/1257/how-to-fix-missing-keymaps-debian-ubuntu-localectl-failed-read-list
> 
> to install the missing keymaps using upstreams tgz file.
> 
> Wouldn't you agree fixing #790955 would be a good thing? Its
> been ignored for >9 years.

Who are you addressing? Anybody, including you, can provide a fix. Any
maintainer (as far as I know) can do an upload.

You will most probably not reach the package maintainer here.

Regards,
Jochen
-- 
My drug of choice is self-pity.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: solution to / full

[Jochen Spieker]

lina:
> 
> My / is almost full.
> 
> # df -h
> Filesystem  Size  Used Avail Use% Mounted on
> udev126G 0  126G   0% /dev
> tmpfs26G  2.3M   26G   1% /run
> /dev/nvme0n1p2   23G   21G  966M  96% /
> tmpfs   126G   15M  126G   1% /dev/shm
> tmpfs   5.0M  4.0K  5.0M   1% /run/lock
> /dev/nvme0n1p6  267M   83M  166M  34% /boot
> /dev/nvme0n1p1  511M  5.8M  506M   2% /boot/efi
> /dev/nvme0n1p3  9.1G  3.2G  5.5G  37% /var
> /dev/nvme0n1p5  1.8G   14M  1.7G   1% /tmp
> /dev/nvme0n1p7  630G  116G  482G  20% /home

This is a good example why it often makes sense to use LVM even on a
private system. With LVM you could have allocated only 20% of space
where you actually need it and resize filesystems on-demand (and
online). But that does not help you now, sorry.

> I have done some purging already.
> :/usr# du -sh *
> 742M bin
> 4.0K games
> 260M include
> 8.1G lib
> 36M lib32
> 4.0K lib64
> 140M libexec
> 33M libx32
> 3.4G local
> 53M sbin
> 4.6G share
> 215M src

/usr/local might be worth a look. You probably have some stuff there
that you put in manually.

The program dpigs from the package debian-goodies can help you find the
biggest debian packages you have installed. Of course you need to check
yourself whether you need them.

J.
-- 
I frequently find myself at the top of the stairs with absolutely
nothing happening in my brain.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: LUKS encryption help

[Jochen Spieker]

detr...@tuta.io:
> 
> Around May I installed Debian 10 on my (external) hard drive in BIOS
> (not UEFI) mode for backup purposes. In the end of June I took the
> drive out of the drawer and tried to boot into it but to my surprise
> my LUKS encryption password does not work anymore.  I'm very sure I am
> typing it right because I had written it into a piece of paper.

Are you completely sure that you wrote that password down correctly and
that you are reading it correctly? Can you distinguish l and 1, O and 0
etc? Is there any invisible whitespace? Did you intentionally leave
something out because you feared somebody could find that piece of
paper?

> Please help. I have many important documents and pictures inside that
> drive.

Please use your current fear as impetus for setting up a proper backup
solution. Hardware dies, software is buggy, humans make mistakes,
catastrophes happen.

J.
-- 
I am worried that my dreams pale in comparison beside TV docu-soaps.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: bullseye: systemd-networkd-wait-online timeouts

[Jochen Spieker]

Jochen Spieker:
> 
> Aug 18 10:59:20 h2907737 systemd-networkd-wait-online[936688]: Event loop 
> failed: Connection timed out
> Aug 18 10:59:20 h2907737 apt-helper[936686]: E: Sub-process 
> /lib/systemd/systemd-networkd-wait-online returned an error code (1)

I was able to at least work around this problem by editing the file
/etc/apt/apt.conf.d/50unattended-upgrades:

| // Download and install upgrades only on non-metered connection
| // (i.e. skip or gracefully stop updates on a metered connection)
| Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";

This way I still get the errors in the logs, but apt continues fetching
updates as intended. Since this is a VPS there is no risk that the
system will suddenly start using a metered connection.

J.
-- 
If I was Mark Chapman I would have shot John Lennon with a water pistol.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: bullseye: systemd-networkd-wait-online timeouts

[Jochen Spieker]

Andy Smith:
> On Wed, Aug 18, 2021 at 09:36:30PM +0200, Jochen Spieker wrote:
>
>> Aug 18 10:59:20 h2907737 systemd-networkd-wait-online[936688]: Event loop 
>> failed: Connection timed out
>> Aug 18 10:59:20 h2907737 apt-helper[936686]: E: Sub-process 
>> /lib/systemd/systemd-networkd-wait-online returned an error code (1)
>> 
>> For some reason systemd does not (fully?) recognize that the system is
>> online.
> 
> I don't know yet about bullseye but in buster systemd does assume
> that you are online when using ifupdown unless you enable the
> "ifupdown-wait-online" service, which actually waits for every
> interface marked auto be be ready before allowing "network-online"
> target to be reached.
> 
> Is that service enabled? If you disable it, what happens? I expect
> systemd to assume it is online.

Sounds like a good idea! But:

# systemctl status ifupdown-wait-online.service
● ifupdown-wait-online.service - Wait for network to be configured by ifupdown
 Loaded: loaded (/lib/systemd/system/ifupdown-wait-online.service; enabled; 
vendor preset: enabled)
 Active: active (exited) since Sun 2021-08-15 00:16:58 CEST; 5 days ago
   Main PID: 79 (code=exited, status=0/SUCCESS)
  Tasks: 0 (limit: 105)
 Memory: 0B
 CGroup: /system.slice/ifupdown-wait-online.service

Aug 15 00:16:58 .stratoserver.net systemd[1]: Finished Wait for network 
to be configured by ifupdown.
Warning: journal has been rotated since unit was started, output may be 
incomplete.

# systemctl disable --now ifupdown-wait-online.service 
Removed 
/etc/systemd/system/network-online.target.wants/ifupdown-wait-online.service.

# /lib/systemd/systemd-networkd-wait-online  --timeout=2 --any
Event loop failed: Connection timed out


> Also are you absolutely sure that you aren't using systemd-networkd
> and/or NetworkManager and there isn't any .link files for systemd
> anywhere, that it's purely ifupdown?

The package network-manager is not installed, /etc/systemd/network is
empty and /etc/systemd/networkd.conf only contains comments, so I think
I am sure.

> May be worth asking your hosting provider as well because uf they
> are mandating how your /etc/network/interfaces looks (and its use)
> then they need to know how to make it play nice with systemd in
> Debian 11.

That is probable the right approach. Thanks for your suggestions!

J.
-- 
No-one appears to be able to help me.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>



signature.asc
Description: PGP signature

Re: bullseye: systemd-networkd-wait-online timeouts

[Jochen Spieker]

Charles Curley:
> On Wed, 18 Aug 2021 21:36:30 +0200
> Jochen Spieker  wrote:
> 
>> Is there anything I can do about this without changing
>> /etc/network/interfaces? As far as I understand, I cannot switch to
>> systemd network configuration as long as the interfaces file exists.
> 
> Can you get anywhere by editing the template?

I do not have access to the template. It does not exist on my VM and I
assume it only exists in the hosting provider's infrastructure.

> Also, this interfaces file assigns address 127.0.0.1 to the interface
> venet0. Since that block (127.0.0.0/8, I believe) is reserved for the
> loopback device (interface lo), and is assigned automatically to lo,
> this setup is assigning 127.0.0.1 to both lo and venet:0. And that
> strikes me as a recipe for problems.

I totally agree and I have no idea why they are doing it this way. I
still would like to know why systemd does not recognize that the
interface configuration using ifupdown was successful and the the system
actually is online.

J.
-- 
Tony Blair is a hypnotised self-seeking scarecrow just like all the
rest.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: nvme SSD and poor performance

[Jochen Spieker]

Pierre Willaime:
> 
> Using fstrim seems to restore speed. There are always many GiB which are
> reduced :
> 
>   #  fstrim -v /
>   / : 236,7 GiB (254122389504 octets) réduits

This is probably the total amount of unused space on that SSD. The first
fstrim run after a reboot always trims all free space, as far as I
understand. After that, only space that was freed since the last fstrim
run will be trimmed.

> then, directly after :
> 
>   #  fstrim -v /
>   / : 0 B (0 octets) réduits

See above, this is expected.

> but few minutes later, there are already 1.2 Gib to trim again :
> 
>   #  fstrim -v /
>   / : 1,2 GiB (1235369984 octets) réduits

It is odd that something wrote and deleted 1.2 GB in "a few minutes". I
would run iotop to see what process is responsible.

> /Is it a good idea to trim, if yes how (and how often)?/

See the other answers. Usually once per week is enough, but that assumes
that the free space is not overwritten and freed again several times
each day.

On the other hand, personally I have never felt a difference in
performance before and after an fstrim run.

> Some people use fstrim as a cron job, some other add "discard" option to the
> /etc/fstab / line. I do not know what is the best if any. I also read
> triming frequently could reduce the ssd life.

Stay away from the "discard" option and do not worry about SSD life.
Even with heavy usage you should not exceed the expected lifetime
writes. Do worry about data loss in general and create a viable backup
strategy, independent of the storage medium (or service) that you are
using.

> I also noticed many I/O access from jbd2 and kworker such as :
> 
>   # iotop -bktoqqq -d .5
>   11:11:16 364 be/3 root0.00 K/s7.69 K/s  0.00 % 23.64 %
> [jbd2/nvme0n1p2-]
>   11:11:16   8 be/4 root0.00 K/s0.00 K/s  0.00 % 25.52 %
> [kworker/u32:0-flush-259:0]

jbd2 is the journalling service of the filesystem and makes sure that
your filesystem does not become corrupt in case of power failures. 

kworkers are general purpose kernel threads doing kernel stuff, for
example disk I/O. Seeing these is not a problem in itself.

> 

-- 
I spend money without thinking on products and clothes that I believe
will enhance my social standing.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

bullseye: systemd-networkd-wait-online timeouts

[Jochen Spieker]

Hi,

I upgraded my virtual server to bullseye already and I found one issue
in the logs:

Aug 18 10:59:20 h2907737 systemd-networkd-wait-online[936688]: Event loop 
failed: Connection timed out
Aug 18 10:59:20 h2907737 apt-helper[936686]: E: Sub-process 
/lib/systemd/systemd-networkd-wait-online returned an error code (1)

For some reason systemd does not (fully?) recognize that the system is
online. The network is still configured using ifupdown with this
interfaces(5) file. I know it looks weird, but I have no control over it
on this system. The file is provided by my hosting provider:


| # This configuration file is auto-generated.
| # WARNING: Do not edit this file, otherwise your changes will be lost.
| # Please edit template /etc/network/interfaces.template instead.
| 
| auto lo
| iface lo inet loopback
| 
| # Auto generated venet0 interfaces
| auto venet0
| iface venet0 inet static
| address 127.0.0.1
| netmask 255.255.255.255
| broadcast 0.0.0.0
| up route add default dev venet0
| auto venet0:0
| iface venet0:0 inet static
| address 85.x.y.z
| netmask 255.255.255.255
| 
| 
| iface venet0 inet6 static
| address 2a01:dead:beef:dead:beef:dead:beef:dead/128
| up ip -6 r a default dev venet0


Systemd thinks the devices (even lo) are in state "pending":

# networkctl status -a
● 1: lo
 Link File: n/a
  Network File: n/a
  Type: loopback
 State: carrier (pending)
HW Address: 00:00:00:00:00:00
   MTU: 65536
 QDisc: noqueue
  IPv6 Address Generation Mode: eui64
  Queue Length (Tx/Rx): 1/1
   Address: 127.0.0.1
::1

● 2: venet0
 Link File: n/a
  Network File: n/a
  Type: void
 State: routable (pending)
   MTU: 1500
 QDisc: noqueue
  IPv6 Address Generation Mode: eui64
  Queue Length (Tx/Rx): 1/1
  Auto negotiation: no
 Speed: 10Gbps
Duplex: full
  Port: tp
   Address: 85.x.y.z
127.0.0.1
2a01:dead:beef:dead:beef:dead:beef:dead


Is there anything I can do about this without changing
/etc/network/interfaces? As far as I understand, I cannot switch to
systemd network configuration as long as the interfaces file exists.

Regards,
Jochen
-- 
If nightclub doormen recognised me I would be more fulfilled.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Whole Disk Encryption + SSD

[Jochen Spieker]

piorunz:
> 
> I have question regarding whole disk encryption. What technology should
> I use, to have encryption of everything, or at least /home, but preserve
> free blocks and have TRIM?

The canonical answer is "LUKS". You can configure it during installation
if you want to. I always use LVM as well. It is up to you whether you
want to use LVM on LUKS or the other way round.

I am not sure how well full-disk encrpytion is supported nowadays. For
common scenarios (like loss or simple theft of the storage medium, no
state-level attackers) you do not need it, in my opinion.

Oh, the buster release notes mention that encrypted /boot is not
supported, everything else may be encrypted, even the root filesystem.

https://www.debian.org/releases/buster/amd64/ch06s03.en.html#partman-crypto

If you think you need protection against somebody tampering with your
boot loader and/or kernel, you need to configure Secure Boot which I
have never really looked at. I guess this is overkill for now.

> I don't want encryption to use entire drive
> as "full" blob, I want to preserve SSDs life.

I am not sure what this means and whether there is any relation between
"full blob" and life-preserving measures. But let me assure you that
your SSD will be fine, not matter how you are setting up encryption. You
can set up both LUKS and LVM to pass through the "discard" command which
you need for TRIM to work and this is more of a performance measure than
a method to reliably lengthen the lifespan of your SSD.

How long do you think you will need your SSD? I recently removed an
Intel X25m from an old system. It was more than ten years old and was
first used heavily in a laptop and later on ran 24/7 for several years
as OS drive in a NAS system. And that SSD didn't even support TRIM!

Do not worry about the lifetime of your SSD.  Worry about backups.

You use LUKS by telling it which disk partition it should encrypt. You
then get a new logical block device which you can treat like any "real"
partition. Most importantly, you can create a regular filesystem on it
(or an LVM physical volume) which is encrypted before anything is
written to the physical disk. The amount of free space in your
filesystem is not dependent on having a LUKS container beneath it.

> What solutions should I
> use? Thanks!

Get familiar with LUKS and possibly LVM. There are options like ecryptfs
which work on regular filesystem and encrypt individual files as well as
their names. But those are 

-- 
When standing at the top of beachy head I find the rocks below very
attractive.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

systemd failed to create user.slice

[Jochen Spieker]

Hi,

the short version of my problem is this, happening on a fairly fresh
stable system:

# systemctl start user@1000.service
Job for user@1000.service failed because the service did not take the steps 
required by its unit configuration.
See "systemctl status user@1000.service" and "journalctl -xe" for details.
# systemctl status user@1000.service
● user@1000.service - User Manager for UID 1000
   Loaded: loaded (/lib/systemd/system/user@.service; static; vendor preset: 
enabled)
   Active: failed (Result: protocol) since Fri 2021-04-23 00:38:59 CEST; 9s ago
 Docs: man:user@.service(5)
  Process: 20895 ExecStart=/lib/systemd/systemd --user (code=exited, 
status=1/FAILURE)
 Main PID: 20895 (code=exited, status=1/FAILURE)

Apr 23 00:38:59 example.com systemd[1]: Starting User Manager for UID 1000...
Apr 23 00:38:59 example.com systemd[20895]: pam_unix(systemd-user:session): 
session opened for user jrspieker by (uid=0)
Apr 23 00:38:59 example.com systemd[20895]: Failed to create 
/user.slice/user-1000.slice/user@1000.service/init.scope control group: 
Permission denied
Apr 23 00:38:59 example.com systemd[20895]: Failed to allocate manager object: 
Permission denied
Apr 23 00:38:59 example.com systemd[1]: user@1000.service: Failed with result 
'protocol'.
Apr 23 00:38:59 example.com systemd[1]: Failed to start User Manager for UID 
1000.


This happens during login via SSH for UID 1000 as well as other user
IDs. I do not see any bad effect except the log spam. I straced this and
think here is the root of the problem:

16971 stat("/sys/fs/cgroup/systemd/user.slice/user-112.slice/user@112.service", 
0x7ffd5f215640) = -1 EACCES (Permission denied)

This is due to:

# ls -ld /sys/fs/cgroup/systemd/
drwx-- 5 root root 0 Mar 21 23:58 /sys/fs/cgroup/systemd/


I have a different buster system where this directory is mode 555 (yes,
not writable by anybody) and that systemd does bot exhibit the behavior
above.

It appears to be working if I just chmod the directory. What/who is
responsible for the proper permissions of that sysfs directory?

J.
-- 
I wear a lot of leather but would never wear fur.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Access to PPA's

[Jochen Spieker]

Gary L. Roach:
> 
> Some of my most useful software is only available through Ubuntu PPA's . I
> can no longer access PPA's since Debian changed their security policies.
> When trying to access a PPA I get the following:
> 
>  The repository
> 'http://ppa.launchpad.net/elmer-csc-ubuntu/elmer-csc-ppa/ubuntu hirsute
> Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is therefore
> disabled by default.
> N: See apt-secure(8) manpage for repository creation and user configuration
> details.
> 
> 
> The man page alludes to a couple of different ways to bypass the system but
> really sketchy about how to apply them. There is at least a half dozen files
> that could be involved.

I do not find that confusing or sketchy:

| You can force all APT clients to raise only warnings by setting the
| configuration option Acquire::AllowInsecureRepositories to true.
| Individual repositories can also be allowed to be insecure via the
| sources.list(5) option allow-insecure=yes.

You can set Acquire::AllowInsecureRepositories in, for example,
/etc/apt/apt-conf.d/local. This is a standard apt configuration
mechanism, see apt.conf(5). For individual repositories you are referred
to sources.list(5) which mentions this format:

|  deb [ option1=value1 option2=value2 ] uri suite [component1] [component2] […]

So you can just add allow-insecure=yes after the "deb" keyword (and the
following whitespace) like so:

deb [allow-insecure=yes] http://deb.debian.org/debian/ buster main

Do you understand the implications of this? It basically means that apt
will be unable to protect you from installing manipulated packages.
Without a Release file, there is no crpytographic signature that could
ensure that the packages you are installing contain what the PPA author
intends them to contain.

> Further, there is a note that basically says that
> all of the methods will be discontinued in the future.  This would
> essentially  preclude the use of Ubuntu PPA's.

Using packages compiled for a different distribution is always a bad
choice. I understand you are saying it is your only choice, but it is
still bad and has a high chance of leading to problems. You might be
better off using the targeted distribution instead. Not necessarily on
bare metal, maybe a VM, a chroot or a container image serve your
purposes better.

J.
-- 
There is no justice in road accidents.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: fsck error on boot: /dev/sda1: UNEXPECTED INCONSISTENCY and Partition 1 does not start on physical sector boundary

[Jochen Spieker]

Alexander V. Makartsev:
> On 19.03.2021 21:23, Jochen Spieker wrote:
>>> Note : Linux installed on sdb (ext4) and sda is a NTFS file system and
>>> 
>>> I don't want my SSD or HDD died suddenly
>> But I am afraid that is exactly what is happening.
> 
> You can't be so sure, not until OP reports back with testing results.

?

There are pending sectors, there were filesystem errors. One of the
disks is obviously damaged.

You are right that the disk could still be useful for quite some time
without additional damage. But unless you are tight on money, my advice
would still be to shell out the €50-100 for a new drive to avoid the
risk and effort to deal with more damage. Especially if the OP is like
many/most people and does /not/ have a proper backup.

J.
-- 
When you put a gun to my head you aren't fooling anyone.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: fsck error on boot: /dev/sda1: UNEXPECTED INCONSISTENCY and Partition 1 does not start on physical sector boundary

[Jochen Spieker]

Robbi Nespu:
> 
> I worried I might missing some package for hdd and sdd maintainance (coz I
> doing minimal install previously)

There is no maintenance that needs to be done for hard disks or solid
state disks to increase longevity. It often makes sense to setup
smartmontools which can monitor things like bad blocks for you, but this
can only inform you about potential problems, not prevent them.

> Note : Linux installed on sdb (ext4) and sda is a NTFS file system and
> 
> I don't want my SSD or HDD died suddenly

But I am afraid that is exactly what is happening.

I would not worry about the alignment issues at all. The problem is that
one of your disks is having bad sectors which still need to be
reallocated. That means you may already have data loss. Chances are that
the number of bad sectors is going to increase over time which is going
to lead to more data loss.

My personal advice would be to replace the failing disk with a new one
and restore from a known-good backup. If you lack money, you can try to
find a used disk, but I would only pay for something which I have
checked with smartcl beforehand. If you lack a backup, you can only hope
that you have lost nothing of value and get a new disk as fast as
possible.

J.
-- 
Quite often I wonder why I am not more famous and/or more wealthy.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Archivemail

[Jochen Spieker]

Keith Bainbridge:
> 
> To answer the question about MH, yes. It is the default for Sylpheed &
> Claws.

Thanks!

J.
-- 
I eat meat and am concerned about bugs which are resistant to
antibiotics.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Archivemail

[Jochen Spieker]

Mark Fletcher:
> On Sun, Jan 24, 2021 at 12:17:55AM +0100, Jochen Spieker wrote:
>> 
>> The main problem is that one has to replace a few modules/functions,
>> mostly the long-obsolete rfc822. I think I can get away with throwing
>> away the get_filename function completely, which was a little
>> problematic due to the dependencies. I guess I have only "solved" the
>> easy problems for now, but I still think the conversion should be
>> doable.
> 
> On digging around prompted by Brian's earlier input I found a 
> conversation between a couple of other people and they seemed to start 
> that process and then give up on the basis that it was a lot harder than 
> they thought...

:-)

Yes, I was hoping that one could more or less blindly do a few simple
substitutions and get that code running again. But I guess if it was
that easy, somebody else would have already done that.

> I'm probably going to just write a python3 script of my own to handle my 
> use-case, which is just to sift through /var/mail/ to delete mails 
> older than a month. I've found the python3 "mailbox" library which 
> includes support for mbox type mail files,

Yes, I am trying to use that for archivemail as well.

> which is what I think /var/mail/ is.  

Yes, as others have already confirmed, those mailboxes are simple
mboxes.

> Looking at the API it doesn't look that hard, and I 
> have to assume the complexity of porting archivemail comes either from 
> the paradigm it operates in or from functionality it provides other than 
> simply deleting old mail.

The problem is mostly that it was written for Python 2.3 using
deprecated modules that are not available anymore for Python3. But, I
have to day, email.utils and friend do provide a lot of drop-in
replacements for stuff from the old rfc822 module, at least according to
the docstrings.

> On my travels today I discovered mutt can do the job I want for me with 
> a simple command, but I don't want to have to run mutt to do it

I was already wondering whether I should suggest this, but I assumed
that the requirement for interaction makes this a bad approach. It is
probably even possible to script this using mutt, but that would be a
hackish approach.

>> But well, first me or somebody else has to fix those failing tests.
>> 
> 
> Despite my decision to have a crack at writing something local for my 
> own usecase, I do think it would be good if archivemail made a comeback, 
> so I wish you well in that endeavour. I'd offer to help test but as I've 
> illustrated, my usecase is very simple...
> 
> (still, happy to test that usecase if it would be helpful)

I might get back to you about this, if I don't lose interest very
quickly.

Is anybody still using MH mailboxes?

J.
-- 
If I had to live on a desert island I would take a mobile phone,
preferably a Nokia 8810.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: Archivemail

[Jochen Spieker]

Mark Fletcher:
> 
> OK deciphering the above for anyone who might follow after me: 
> archivemail is dependent on Python2 which, it appears, is getting 
> removed from bullseye (although as of right now it's not gone yet, it's 
> installed on my system and I didn't ask for it, so something is clearly 
> still dependent on it)

Thank you for pointing out that archivemail will be gone soon. Since I
am using it as well, I took a quick look at it ("how hard can it be??")
and tried a quick conversion to Python3:
https://github.com/solexx/archivemail

Luckily there is a test suite and only about two thirds of the tests are
failing, otherwise I might have thought it should work. ;-)

The main problem is that one has to replace a few modules/functions,
mostly the long-obsolete rfc822. I think I can get away with throwing
away the get_filename function completely, which was a little
problematic due to the dependencies. I guess I have only "solved" the
easy problems for now, but I still think the conversion should be
doable.

I have no idea whether or when I will be able to finish this, because I
am severly time-constrained due to the pandemic (daycare in the morning,
regular work in the afternoon until late at night). I am also aware that
it is probably too late for bullseye, but archivemail can be dropped to
~/bin/ easily.

But well, first me or somebody else has to fix those failing tests.

J.
-- 
If all my friends had Playstations I would buy a Nintendo to prove my
individuality.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Encrypted swap fails in initramfs

[Jochen Spieker]

Hi,

this week I installed Debiana bullseye using the current debian
installer and then upgraded to sid. Now I get a lot of warnings in the
beginning of the boot process which are ugly and delay the boot process.
When booting has finished, the encrypted swap is available as intended.
The problem is restricted to the initramfs phase, it seems.

Manual transcription of the error message:

| Failed to find logical volume "vg0-arpeggi/swap-enc_crypt"
| cryptsetup: WARNING: vg0--arpeggi-swap--enc_crypt: couldn't determine device 
type, assuming default (plain)
| cryptsetup: Waiting for encrypted source device 
/dev/mapper/vg0--arpeggi-swap--enc...

In d-i I chose manual partitioning and set up encrypted swap on an LVM
volume.  The setup looks like this and I think I did not change it after
the installation process:

# lvs -a | grep swap
  swap-enc vg0-arpeggi -wi-ao   <4.66g

# lsblk  | grep -B1 SWAP
  ├─vg0--arpeggi-swap--enc 254:10   4.7G  0 lvm   
  │ └─vg0--arpeggi-swap--enc_crypt 254:30   4.7G  0 crypt [SWAP]

# grep swap /etc/crypttab 
vg0--arpeggi-swap--enc_crypt /dev/mapper/vg0--arpeggi-swap--enc
/dev/urandom cipher=aes-xts-plain64,size=256,swap,discard

# grep swap /etc/fstab
/dev/mapper/vg0--arpeggi-swap--enc_crypt noneswapsw 
 0   0


It looks like cryptsetup is started before LVM. That probably makes
sense in other setups, but not mine. How do I change this?

As a sidenote: I contemplated replacing the /dev/mapper path in
/etc/crypttab with a UUID, but, to my surprise, the underlying LVM
volume does not have a UUID. Other LVM volumes (one unencrypted /, one
LUKS container for /home) do have UUIDs. Why is that?

Regards,
Jochen.
-- 
If politics is the blind leading the blind, entertainment is the fucked-
up leading the hypnotised.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: scp overwriting precaution?

[Jochen Spieker]

Greg Marks:
>
> When using scp to copy files from my server to my laptop (both running
> Debian 10 and both with the same directory tree), I like to back up
> the files in case I discover that I've overwritten a newer version of
> a file with an older version.

Fully in the spirit of not actually answering the question you asked,
you may want to take a brief moment, step back and think about what you
are actually doing.

Do you often copy files between one or more systems? Would you like to
keep a set of (smallish) files in sync? Would you like to selectively
have access to a subset of files from a bigger set of large files on
your server, which unfortunately does not fit completely on your laptop?

If so, it might be advantageous to look into a version control system
like git, or its descendant git-annex, or something easier like unison.

Also, you should be able to restore important files from your backup at
any time. If you cannot do this, for whatever reason, that should be
your top priority (wrt to computers :)).

Regards,
Jochen.
-- 
TFI Friday makes me feel very alone.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: unsubscibe from mailing list

[Jochen Spieker]

[Posted & mailed]

Robert:
>
> Is it posible to unsubscibe me fromthe mailind list?

Yes, send an e-mail to debian-user-requ...@lists.debian.org with the
subject "unsubscribe". Make sure to use the same e-mail address that you
used for subscribing.

J.
-- 
When I am at nightclubs I enjoy looking at other people and assessing
their imagined problems.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Snort IDS

[Jochen Spieker]

Mattia:
> 
> I have some problems with snort on debian that are already been reported but
> the current maintainer seems not active.
> For what I found online it seems that snort is the most used IDS, so I find
> it quite odd that it's not maintained in Debian.

Looking at popcon data[1] it appears that far less than 1% of Debian
installations have Snort installed, so I would not say that it is a very
high profile package. Additionally, the popularity of a package does not
necessarily translate into the quality of package maintenance in Debian.

In the end someone needs to step up and take over maintenance. Debian as
a project has no way to enforce that.

> Is this still true? Do you
> guys use it? Or it's better to move to other software?
> Can somebody please point me to an external source that has an up to date
> snort debian package? I've found a lot of documentation online but it's
> either quite old or provides instructions to build it from source.

I don't know much about Debian packaging, but I would think it should
not be too hard to package the most recent version (2.9.14.1) for
Debian. The version in Debian is 2.9.7.0.5 (from oldstable to sid …).

J.
-- 
If I had to live on a desert island I would take a mobile phone,
preferably a Nokia 8810.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Debian 10 (Buster) and Swappiness

[Jochen Spieker]

Reco:
> On Thu, Aug 22, 2019 at 03:53:55PM +0300, Andrei POPESCU wrote:
>> On Jo, 22 aug 19, 09:21:31, Gustavo - Emar wrote:
>>>
>>> After upgrading from Debian Stretch to Buster (10), we realize that it is
>>> not managing memory as before.
>>> First, even with Swappiness = 0 and having 32 Ram, (16 Gb using) it starts
>>> using Swap
>> 
>> 
>> If you don't want it using swap you should just disable it.
>> 
> 
> A bad joke, if we're talking a server here ;)

I am not so sure. You could also argue that a system that is actually
using swap is so slow that it might just as well fire the OOM handler
and let it kill random processes. Monitoring will trigger an appropriate
response.

In any case, no system becomes slow or crashes just because it is using
"some" swap. Linux is swapping preemptively. Just because a little swap
space is occupied, that does not mean that the memory content is not
also in RAM. So your system does not necessarily become slower just
because of swap usage.

If a system is actually using swap heavily, with or without swappinness
set to zero, there are most probably runaway processes (or the kernel)
that actually request this much memory. It is possible that different
Linux versions behave differently in such a situations, but in order to
solve this issue I would look for the root cause first.

J.
-- 
If I could have anything in the world it would have to be more money.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Upgrading to Buster but keeping Postgresql-9.6

[Jochen Spieker]

Phil Endecott:
> 
> Does anyone have any advice about the possibility of upgrading
> systems from Stretch to Buster, but keeping Postgresql-9.6 for
> the time being?

With previous Debian releases you always had to migrate your cluster to
the new Postgres version manually. The new packages are installed, but
the old ones stay around and you can pg_upgradecluster when you are
ready.

J.
-- 
I frequently find myself at the top of the stairs with absolutely
nothing happening in my brain.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: System on a chip - performance relative size and setup (how can the (Debian) setup make a difference?)

[Jochen Spieker]

Erik Josefsson:
> 
> As far as I understand, it is quite recent that SD cards are fast and large
> enough to be able to carry and run an entire Debian instance.

The capacity is not a problem for quite some time, depending on your
space requirements. You can still run a minimal Debian on way less than
1GB. The same is true for the speed. SD cards tend to be used with and
optimized for large(ish) files like photos and videos. Reading and
writing these files should be quite fast, but I would not expect great
performance for random I/O on small files.

> If this is the case, maybe there is only theory available regarding whether
> you can make a computer "run faster" on a 64GB SD card than on a 32GB SD
> card when cards are otherwise identical.

I don't know.

> I don't really know how swap works on a standard computer, even less how it
> works when the whole computer runs from/on a SD card.

The same as with other storage. Swap means using persistent, slow and
cheap storage as RAM. It is exactly that, cheap and painfully slow.
Under normal circumstances you should avoid swapping like the plague.
(Yes, the Linux kernel tends to make use of swap in the background "just
in case". It does not need necessarily to worry you if free(1) or top(1)
report swap usage.)

> Swap is supposed to be make your computer pretend that you have more RAM
> than it actually has, but if the whole computer is running from/on RAM (or
> is it?), then what does swap mean?

What do you mean, running from RAM? I do not see a connection of this
sentence with your previous questions about SD cards. In any case,
swapping to SD card may be even worse than swapping to traditional hard
disks.

> On Teres-I with redpill RC2 (now there is a RC3 that I have not yet
> installed) an unfortunate website with pop up commercials (like dn.se) can
> eat all performance there is and freeze the mouse for hours. I would guess
> that could have been fixed on a normal computer with "more RAM", i.e., "more
> swap"? But is the same true for e.g. Teres-I?

I don't know that hardware except for what I was able to google quickly.
But "more RAM" and "more swap" are very different things. Swap does not
help your computer to perform better. It helps your computer to do
things very, very slowly that it otherwise would not be able to do at
all.

> Second question is if it is meaningful to buy a "super duper blazing fast"
> SD card for the task to run a whole Debian system?
> 
> There is a very expensive 64GB SD card from SanDisk that is called Extreme
> Pro that costs twice as much as same size Extreme Plus. Specs say it is
> "super duper blazing fast" for video in "Ultra HD 4K", but would Pro also be
> faster than Plus for the task of running Thunderbird and Firefox at the same
> time?

Not necessarily. I would try to look for benchmarks that also test
random I/O. Also, it sounds more like your system is memory-constrained
and even the fastest SD cards will not help you with that, see above.

J.
-- 
I think the environment will be okay.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Can any setting be changed after an "install Buster from scratch"-procedure?

[Jochen Spieker]

Erik Josefsson:
> 
> Can every setting made with an "install Buster from scratch"-procedure (like
> the one for [Teres-I DIY laptop] available at box.redpill.dk) be changed
> after the install procedure is completed?
> 
> I mean, can some settings be "hard-coded" by an install procedure?
>
> Or in other words, which settings need to be set correctly during install?

I didn't bother to look up the howto you mention, but everything that
you decide during a Debian installation (however it is done) can be
changed afterwards.  Changing the partition layout can be quite tricky
(and might require another hard disk temporarily), but other that that
you will find most of the settings in /etc.

> This is my sequence of commands that brought me here:
> 
> 1.Prepare image on SD card (done on another fully functional machine):
> 1.1.  wget http://box.redpill.dk/nonfree/nonfree-teres1-buster-1.0rc2.img.gz
> 1.2.  gunzip nonfree-teres1-buster-1.0rc2.img.gz
> 1.3.  sudo cp nonfree-teres1-buster-1.0rc2.img /dev/sda
> 2. Move SD card to Teres-I, connect ethernet-via-USB-cable, turn on machine
> and follow instructions on screen:
> 2.1.  sudo box-finalize
> 2.1.1.  Dialog
> 2.1.2.  high
> 2.1.2.  install language support - yes
> 2.1.2.  Select default language code (none to skip) - none

If you want Swedish, why not select it here?

> To me it now looks like I have a fully functional laptop, but as I wrote
> above, I need to tinker with it to get it to behave like it is a Swedish
> laptop.

sudo dpkg-reconfigure locales

Check sv_SE.UTF-8 (using the space bar) in addition to the already
selected locales, press Tab to highlight "Ok" and press Enter to
confirm.

For your user session I recommend
https://wiki.debian.org/ChangeLanguage. Do not change the whole system's
language. This would make it harder for you to search the web and debug
error messages.

J.
-- 
I can tell a Whopper™ from a BigMac™ and Coke™ from Pepsi™.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: mutt imap_headers [solved]

[Jochen Spieker]

Nick:
> On 2019-03-31 17:07 BST, Nick wrote:
>> 
>> The not so good: no marker appears until I open messages.  I
>> had expected that my imap_headers setting would cause the marker to
>> appear on all the qualifying messages in the index.  How can I make
>> that happen?
> 
> Solved: close mutt, delete .hcache files under ~/.mutt/cache, reopen
> mutt.  Thanks to kevin8t8 in freenode #mutt.

Thanks! Now that you mention it, I think I was bitten by this earlier in
a similar context.

J.
-- 
The news at ten makes me peevish but animal hospital makes me cry.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Status of PHP support in stretch

[Jochen Spieker]

Hi,

I noticed that PHP 7.0 is unsupported by upstream since the beginning of
2019:

https://secure.php.net/supported-versions.php

The most recent PHP version in stretch is, as of now, 7.0.33-0+deb9u1.
As far as I can tell, this is (roughly) the same as upstream 7.0.33 and
not a relabeled later upstream version and it does not contain
significant backports from later upstream versions.

Do I need to assume that PHP 7.0 in Debian is now only
security-supported by Debian alone? Is any DD close enough to upstream
to be able to at least backport new fixes from 7.1 and later if
necessary?

I found https://deb.sury.org/ which appears to be run by a DD[1]. But I
noticed that this version of PHP pulls in a different version of openssl
which rang some alarm bells with me. I would very much prefer something
more official, e.g. backpors.debian.org.

So, what do you do with your stretch servers running PHP now? Pray for
good support in Debian, upgrade to 3rd party packages? Upgrade to buster
already?

Regards,
Jochen.

[1] FWIW, the PGP key used for the repository (AC0E47584A7A714D) is
signed by Ondřej Surý (0C99B70EF4FCBB07) which, in turn, is
signed by 184 keys fro debian-keyring. The WoT probably does not get
better than that.

-- 
My memories gild my life with rare transcendance.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: taming lsblk command

[Jochen Spieker]

Jude DaShiell:
> what works over here:
> lsblk -n < /usr/bin/sort

This command feeds the content of the file /usr/bin/sort into stdin of
lsblk. That does not make sense and I guess lsblk is just ignoring this
input.

J.
-- 
I enjoy shopping, eating, sex and doing jigsaw puzzles of idealised
landscapes.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: heads up: timidity causes pulseaudio to not find sound cards

[Jochen Spieker]

Eric S Fraga:
> 
> I recently did an 'apt update; apt upgrade' on my desktop which is
> running testing (aka buster).  Doing so led to my losing sound through
> any application that relies on pulseaudio, e.g. firefox.  I could still
> use console based tools (e.g. mocp) to listen to music but pulseaudio
> could not find my default built-in sound card, only the nvidia card
> which provides sound through HDMI.

I had a similar issue, but in my case it was just the order of the audio
devices that was shuffled around:

$ cat /proc/asound/cards
 0 [HDMI   ]: HDA-Intel - HDA Intel HDMI
  HDA Intel HDMI at 0xe063 irq 48
 1 [PCH]: HDA-Intel - HDA Intel PCH
  HDA Intel PCH at 0xe0634000 irq 46

I can only assume that previously the PCH device was 0 and the HDMI
device was 1. In any case, alsamixer did not show any volume controls
anymore and applications like mplayer, which produce sensible error
output, reported that they failed to find a proper audio device.

The solution was simple:

$ grep snd_ /etc/modprobe.d/local.conf
options snd_hda_intel index=0
options snd_hda_codec_hdmi index=1

That and a reboot fixed it.

J.
-- 
I eat meat and am concerned about bugs which are resistant to
antibiotics.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: I may volunteer to be a package maintainer

[Jochen Spieker]

Robert Arkiletian:
>
> https://tracker.debian.org/pkg/pyfltk
> 
> I noticed that Debian and hence Ubuntu have dropped the "python-fltk" package.
> 
> If I volunteer to be the maintainer of the package is there
> documentation I can read to learn how to become a package maintainer?

You already received the relevant link for that.

> Also, if this package is maintained in Debian will it also need a
> maintainer in Ubuntu or will I also have to do that too. If yes, then
> can I just maintain it for Ubuntu?

If you maintain it in Debian, chances are that Ubuntu will just pick up
automatically. I do not know the exact processes behind that. If you
only maintain it in Ubuntu, Debian will most certainly not include it
because you need a maintainer in Debian in any case.

Be it as may, Debian does not require any contributor to also contribute
directly to Ubuntu. Ubuntu just uses a lot of work that was originally
done for Debian. (I do not mean that as an insult, that's the way free
software works.)

> The main reason I ask that is I know Debian supports many
> architectures, which I don't have access to. I was mainly just
> interested in maintaining the AMD64 arch. Is this possible?

I do not think that you have to worry much about that. I expect most
package maintainers only have direct access to one or two architectures
and the main one being AMD64.  The Debian build infrastructure will do
most of the work and I think if you need access to a machine of a
different architecture for debugging you can always ask the maintainers
of that architecture.

J.
-- 
I wish I had been aware enough to enjoy my time as a toddler.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Getting packages from stable again instead of unstable

[Jochen Spieker]

Rick Macdonald:
> 
> Now that I have removed unstable form sources.list and preferences
> (pinning), won't my packages from unstable eventually be upgraded from
> stable as the stable versions become newer than the unstable packages that I
> currently have installed?

Yes, "eventually". At some unknown time in the future. Probably. That
point in time will most probably coincide with a new stable release.
Stable does not change very often, as the name implies.

> Or might I hit some dependency problems along the way?

That is a possibility.

> Should I instead do the downgrades now by pinning stable to priority
> 1001 (with I'm guessing is a one-time thing to do, and then remove the
> pinning)?

I would try to force this downgrade (if it is for a very limited set of
packages as in your case) using '-t stable' or 'package=. If that doesn't work, remove and reinstall. But your approach
appears to work as well. I am not surprised that apt wants to remove a
seemingly unrelated package. Just let it do that and reinstall that
package.

Generally, downgrades are not supported. And generally, mixing packages
from different releases is neither supported nor a great idea.

J.
-- 
Ultimately, the Millenium Dome is a spectacular monument of the
doublethink of our times.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: An introduction to Debian's topology/structure/???

[Jochen Spieker]

Richard Owlett:
> 
> That leads to asking two related questions:
>  1. How can I get a list of packages tagged as required?

Aptitude is great for answering questions like this:

$ aptitude search '?priority(required) ?archive(stable)'

https://www.debian.org/doc/manuals/aptitude/ch02s04s05.en.html

>  2. What section of the installer installs packages tagged as required?
> I assume the answer will, in part, be a referral to some developer
> oriented documentation. [My motivation is personal education rather
> that creating the next "killer app].

You may want to ask this question in debian-boot (surprisingly, this
list appears to be the place to discuss d-i).

J.
-- 
I often play sports / do exercise.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Buster and apt wanting to remove tons of packages...

[Jochen Spieker]

Nicholas Geovanis:
> On Tue, Jul 10, 2018 at 3:01 PM Jochen Spieker  wrote:
>> 
>> There should not be that many changes, but I generally would only
>> upgrade to a newer release when the current system is up-to-date with
>> regards to its current version.
> 
> I'm trying to understand your recommendation. It seems you advise to
> bring the system to the most
> recent update in the current release, FOLLOWED BY the upgrade to the
> new release. Richtig? Correct?

Correct.

J.
-- 
Scientists know what they are talking about.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: Buster and apt wanting to remove tons of packages...

[Jochen Spieker]

sgarrulo:
>
> I had an installation of debian stable (stretch) which was fully upgraded 
> something
> like a couple of months ago. Then I passed it to testing (buster).

There should not be that many changes, but I generally would only
upgrade to a newer release when the current system is up-to-date with
regards to its current version.

> If I do a normal upgrade, 676 packages are to be upgraded, but only the 
> gtk/qt unrelated ones
> (for example, apache2-doc but none of the apache2 *real* packages, or 
> vim-addon-manager and vim-doc
> but none of the vim *real* packages, and so on)

I would start with that, if only to get these packages out of the way.

> And if I try to upgrade, let's say, vim-* packages, it wants to remove a ton 
> of seemingly unrelated
> packages, like calibre, evolution, gir1.2-*, gstreamer things, kid3, 
> libqt5-*, pidgin, vlc-*, etc etc...
> 
> This happens when I try to upgrade or install apparently *anything* related 
> to GUI programs (GTK/Qt related).

You can use aptitude's TUI to investigate these things. It should at
least help explain why this happens. It is very possible (or likely),
that testing is just in bad shape for this upgrade right now.

(And no, reporting this as a bug is of no help here because the Debian
release process is not designed to support what you are trying to do at
a random point in time.)

> I am worried to make an upgrade like that.

Rightly so.

> What can I do to debug this situation and try to understand which package(s) 
> is/are breaking everything?

Aptitude. I do not like how it behaves and how you control it, but for
this kind of investigation it is without alternative. Instead of the TUI
you can also use 'aptitude why' and 'aptitude why-not'.

J.
-- 
People talking a foreign language are romantic and mysterious.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: A Major Success Story, Using Debian 9.4

[Jochen Spieker]

Kenneth Parker:
> One more thing.  I'm now learning, quickly, about recent changes, such as
> the net-tools to iproute2 transition which, as I look at my other running
> systems, has been going for a while,

It has been going on since at least 2008, so calling these changes
"recent" uses a quite flexible definition of that word. :)

J.
-- 
If I was Mark Chapman I would have shot John Lennon with a water pistol.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: I wish put another Debian, and with its command line.

[Jochen Spieker]

m...@neidorff.com:
> 
> What is your goal in doing another install?  If you want a text interface, 
> then open a terminal window and make it full screen.  Poof!  Best of both 
> worlds.

True. And for more isolation but without the requirement for reboots
(and a separate kernel) you can use chroots.

J.
-- 
Scientists know what they are talking about.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: I wish put another Debian, and with its command line.

[Jochen Spieker]

Gdsi:
>
> On my disk is a little free space at which I wish put another Debian,
> and with its command line.

How much is "little free space"?

> A few times I tried doing it but always there was a excess , as the
> installer don't say exactly what is into minimal inst-ion, and I'm
> afraid there's kernel only.  If I shall not be setting check marks for
> additional components, will be there: 'apt', man pages and some
> editor?

You can be sure that you will have a "usable" system even when not
selecting any extra packages. There will always be apt, a shell (bash),
some editor (nano and vim-tiny) and man pages for core utilities.

A "standard" Debian installation contains all packages with Priority
"required", "important" and "standard". You can view a list (from a
running Debian) using aptitude:

aptitude search ~pstandard ~prequired ~pimportant -F%p

That includes 119 packages on my (unstable/sid) system. I don't know
what the installed size of these packages is, but I guess you need way
less than 1GB.

J.
-- 
I wish I could do more to put the sparkle back into my marriage.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Not receiving emails

[Jochen Spieker]

to...@tuxteam.de:
> On Thu, Apr 19, 2018 at 02:11:24PM +0200, fmn...@gmail.com wrote:
>> I apologize for the seemingly useless email, but I have re-subscribed
>> to the list but I haven't been receiving new messages.
> 
> (sending to you, CC list, just in case)
> 
> According to your mail's headers, as they arrive here, the list thinks
> you are subscribed:
> 
>   X-Spam-Status: No, score=-10.6 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
> DKIM_VALID_AU,DKIM_VERIFIED,FREEMAIL_FROM,LDOSUBSCRIBER,LDO_WHITELIST,
>   ^

Interesting! But from that string I guess this only means the sender is
subscribed to at least one list on lists.debian.org. Doesn't have to be
debian-user.

J.
-- 
I worry about people thinking I have lost direction.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Causes, cures and prevention of orphaned inodes?

[Jochen Spieker]

Stephen P. Molnar:
> 
> I installed memtest86+ and ran it with all of the defaults.  It took
> over an hour, but no errors were reported.

That's not long enough. From what I have read you should let it run for
a day or so and even then you cannot be sure that there are no memory
errors.

> I am rather hesitant about updating the BIOS/UFEI.  In fact I can't
> seem to find an upgrade for the FX-8320 on the AMD web site.

You need a UEFI update for your mainboard, not the CPU.

> Also, I'm rather hesitant about installing the amd64-package.

Do it (installing the amd64-microcode package). Henrique knows about
this stuff better than most people. Also, there is comparatively little
risk involved since the microcode is loaded during boot. You can always
boot from another medium and remove the package if it doesn't work.

J.
-- 
In this bunker there are women and children. There are no weapons.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Question on CVE-2017-5754 on Debian 8.9

[Jochen Spieker]

Greg Wooledge:
> 
> To use a package from experimental, you must download it directly, and
> install it directly.  You don't use apt or its cousins, unless it's
> to backfill dependencies (apt-get -f install) from your actual release.

Everything you wrote is correct but this paragraph.

You can use apt or aptitude for packages in experimental and I see no
reason against doing that. You do not even need to pin experimental.
Packages from experimental are automatically assigned priority 1, except
upgrades for packages that you installed from experimental.

That means you can add experimental to your sources.list and apt will
not automatically upgrade your packages from testing/sid to the versions
from experimental. But when you manually select a version from
experimental (using '-t experimantal'), apt will automatically upgrade
to newer versions available from experimental. And when testing/sid
contains a newer version, the one from experimental will be replaced by
that one.

J.
-- 
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: After upgrade jessie -> stretch : munin/perl

[Jochen Spieker]

Markus Grunwald:
> 
> I learned that the apache configuration of munin is now included in the
> package. So I adjusted the settings in /etc/apache:
> 
> ./conf-enabled/munin.conf
> ./conf.d/munin
> Now I have a working www.the-grue.de/munin again :)
> But: With this config, /all/ of my sites show munin as well :( like:
> 
> www.maennerchor-kirchseeon.de/munin

Disable the munin.conf above (using a2disconf) and copy-paste its
content ir Include the file in the VirtualHost that you want to show
munin graphs.

J.
-- 
If I could have anything in the world it would have to be more money.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Debian 8 and Debian 9 Dual Boot

[Jochen Spieker]

Dan Norton:
> On 11/13/2017 03:53 AM, Jochen Spieker wrote:
>> Dan Norton:
>> 
>>> LVM reports as follows:
>>> 
>>> dan@debian:/$ sudo vgdisplay -C
>>>VG   #PV #LV #SN AttrVSize  VFree
>>>debian-vg   1 5 0wz--n- 976.56g 938.20g
>>
>> You can vgreduce debian-vg easily to make room for your planned
>> debian9-vg.
> 
> So this must mean that VFree above is bound to debian-vg currently. I had
> not recognized the need to vgreduce. Thanks.

Good that you didn't, because I just noticed I was wrong. :) vgreduce is
only for removing physical volumes from a volume group.

It never occured to me before, but I think each physical volume can only
belong to exactly one volume group. That means if you want to use
separate volume groups you would need to pvresize (shrink) the physical
volume. I have never actually done this (only enlarged PVs).

I would probably accept that this is not easily possible with the
current layout and just use one VG. You do not gain much by separate
volume groups anyway.

J.
-- 
If I could travel in time I would show my minidisc to the Romans and
become Caesar until the batteries ran out.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: PGP signature

Re: Debian 8 and Debian 9 Dual Boot

[Jochen Spieker]

Dan Norton:
henny|i
> My first Linux install was about one year ago. After some missteps, I have
> used Debian 8 in reasonable satisfaction on the desktop during that year.
> Now I want to leave 8 in place and do a network install for Debian 9 on the
> same disk and switch back and forth at boot time.

Your disk setup allows to do this comparably easy, but I would think
twice whether that is actually what I want to do. You end up with two
systems which you have to maintain and, most importantly, you cannot
properly share your /home. Most programs that save their settings to
$HOME will automatically upgrade their configuration files on first
start with a new version and after that you have to assume that the
older version cannot read it anymore. I realize that this is part of
your disk space calculation but I want to stress that the result is
probably not something that you will want to use for an extended period
of time.

> LVM reports as follows:
> 
> dan@debian:/$ sudo vgdisplay -C
>   VG   #PV #LV #SN AttrVSize  VFree
>   debian-vg   1 5 0wz--n- 976.56g 938.20g

You can vgreduce debian-vg easily to make room for your planned
debian9-vg.

> So there is plenty of disk space for the two Debians and more besides. The
> question is how to prepare to install 9? My guess is to define another
> volume group called debian9-vg perhaps but how will this be recognized
> during network install?

Yes, it will. It should also be possible to vgreduce debian.vg and
vgcreate debian9-vg inside the installer, but I would be more
comfortable doing that from the running system, using the regular tools.

During installation, you just have to make sure that all LVs in
debian-vg are marked as "Do not use".

> I've clobbered stuff before during installs and I'm
> gun shy. Maybe there is a better way. Any thoughts on this will be
> appreciated.

It happens to everybody. The only things that help are a good plan and
concentration on the task at hand. :)

J.
-- 
I like my Toyota RAV4 because of the commanding view of the traffic
jams.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Another Devuan annoyance: CLI default apps

[Jochen Spieker]

deloptes:
> 
> Indeed, thanks for the hint, however OP wanted to edit crontab, which needs
> root access.

'crontab -e' works for all users.

J.
-- 
I am getting worse rather than better.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: when do I get a browsere that will do internet purchases?

[Jochen Spieker]

Gene Heskett:
> 
> What do I do next?  This is wheezy, fully uptodate.

What to do next? -Upgrade to some thing more recent than oldoldstable.
You cannot expect Mozilla to support the most recent Firefox on a Debian
release that was superseded 2,5 years ago.

J.
-- 
I enjoy shopping, eating, sex and doing jigsaw puzzles of idealised
landscapes.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: rsnapshot

[Jochen Spieker]

Pol Hallen:
> 
> well, does "delta" keeps my backup for 10 years?

For your configuration: yes, I think so. I am still using rsnapshot's
old days/weeks/months method, so I do not have own experience with the
alpa/beta/gamma/delta thing.

J.
-- 
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: rsnapshot

[Jochen Spieker]

Pol Hallen:
> 
> cat /etc/rsnapshot.conf
> [...]
> 
> retain  alpha   1
> retain  beta7
> retain  gamma   12
> retain  delta   10

alpha = daily
beta = weekly
gamma = monthly
delta = yearly?

> cat /etc/cron.d/rsnapshot
> 
> 00 01 * * *   root/usr/bin/rsnapshot alpha
> 30 3  * * *   root/usr/bin/rsnapshot beta

alpha will be run daily at 01:00 am and beta daily at 03:30 am. Is this
what you want?

> 0  3  * * 1   root/usr/bin/rsnapshot gamma

This will be run every Monday at 03:00 ("weekly").

> 30 2  1 * *   root/usr/bin/rsnapshot delta

This will be run on every first day of the month at 02:30 am.

You probably need something like this:

# Daily at 01:00 am
00 01 * * *   root/usr/bin/rsnapshot alpha
# Weekly on every Monday at 03:30 am
30 3  * * 1   root/usr/bin/rsnapshot beta
# Monthly on every first day of the month at 03:00 am
0  3  1 * *   root/usr/bin/rsnapshot gamma
# Yearly on January 1st at 02:30
30 2  1 1 *   root/usr/bin/rsnapshot delta

You might want to tweak the times. You could also use sync_first which
makes this a little bit easier.

J.
-- 
Tony Blair is a hypnotised self-seeking scarecrow just like all the
rest.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: how to automatically reload a firefox page

[Jochen Spieker]

Steve Kleene:
> On Mon, 24 Jul 2017 08:55:42 -0400, I wrote:
> 
>> How about making a local web page reloadpage.html where you include the
>> command to reload evert 234 seconds
>> 
>> and make a table which includes the webpage you want to stay active on within
>> your local page.
> 
> Thanks for the nice idea, but I haven't quite succeeded in executing it.  The
> "refresh" line does indeed get the base page to reload automatically.  But
> all I've been able to put into a table is a link to the URL I really want to
> be refreshed.

You need an iframe:

https://www.w3schools.com/tags/tag_iframe.asp

But beware that sites can tell browsers not to load themselves into
iframes on foreign domains (using an X-Frame-Options header). All recent
browsers adhere to this. If the page you are trying to load returns such
a header, you are out of luck.

You should also be aware that any interaction with the page may be
interrupted by the automatic reload of the parent frame. This approach
is probably only usable for pages you only want to look at. You will
probably even lose your scrolling position inside the iframe when the
parent gets reloaded.

J.
-- 
Whenever I hear the word 'art' I reach for my visa card.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Audio CD Ripper: Best which use multicore for encoding?

[Jochen Spieker]

Anonymous:
> TIA

Unless you have a very, very old multicore/multi-CPU system, the
bottleneck in CD ripping is reading from the disc. Encoding MP3s (or
whatever) should be considerably faster on any system from the past ten
(or so) years. Even my trusty D510 Atom CPU can encode faster than the
system can read from the CD. It always has some waiting time between
tracks when encoding to both Ogg Vorbis and FLAC at the same time. I use
abcde for that.

J.
-- 
Looking into my eyes is the only way you'll know I'm telling the truth.
[Agree]   [Disagree]
 


signature.asc
Description: PGP signature

Re: Problem with offlineimap

[Jochen Spieker]

marcelol...@gmail.com:
> 
> ~$ openssl s_client -connect imap.ufvjm.edu.br:993
> ---
> Certificate chain
>  0 s:/C=BR/CN=imap.ufvjm.edu.br
>i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom
> Class 1 DV Server CA
>  1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom
> Class 1 DV Server CA
>i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
> Certification Authority
>  2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
> Certification Authority
>i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
> Certification Authority

Looks good to me. The final certificate is self-signed but that is
expected for a root certificate of a CA, but …

> Verification error: self signed certificate in certificate chain

… apparently OpenSSL doesn't like that. I don't know why this happens.
In any case, you cannot change anything wrt to this certificate chain
unless you are (or can influence) the administrator of
imap.ufvjm.edu.br.

> offlineimap returns
> 
> ERROR: Unknown SSL protocol connecting to host 'imap.ufvjm.edu.br' for
> repository 'X-Remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Same issue here (probably because offlineimap uses OpenSSL).
Offlineimap's manpage suggests that by default it doesn't check
certificates at all (at least on jessie), but apparently it still does.

You could either try to add the CA certificate into /etc/ssl/certs or
add the certificate of the remote endpoint into your offlineimap
remote configuration using "cert_fingerprint" as suggested here:
https://github.com/OfflineIMAP/offlineimap/issues/322

Unfortunately, I cannot tell you exactly how to do either.

J.
-- 
Hell will have perfume.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: converting my local site to be https only access

[Jochen Spieker]

Gene Heskett:
> On Saturday 29 April 2017 04:05:01 Felix Dietrich wrote:
>> Gene Heskett  writes:
>> 
>>> Where can I find a tut that is a complete instruction set to have it
>>> do an auto-redirect to itself, but using the "s" stuff regardless of
>>> the accessing client as long as the client can handle the https
>>> stuff this conversion will return to the client?

What you want to do requires that you understand the basics of Apache's
configuration mechanism. You should really start with that.

http://httpd.apache.org/docs/2.4/en/getting-started.html
http://httpd.apache.org/docs/2.4/en/bind.html
http://httpd.apache.org/docs/2.4/en/configuring.html 
http://httpd.apache.org/docs/2.4/en/urlmapping.html
http://httpd.apache.org/docs/2.4/en/vhosts/

That's really just the basics so you know where to put random things you
find on the internet. For your use case, these should also be helpful:

http://httpd.apache.org/docs/2.4/en/ssl/
http://httpd.apache.org/docs/2.4/en/rewrite/

What the upstream Apache documentation does not mention (or care about)
is that Debian has its own way of splitting up Apache configuration
files. If a random (not Debian- or Ubuntu-specific) tutorial tells you
to change your httpd.conf then this is most certainly not the way to do
it in Debian.

>>> I tried putting those 3 lines quoted numerous times at the bottom of
>>> the httpd/conf/httpd.conf, but that killed local access so I assume
>>> it also killed external access too.  And its failure did not
>>> generate an error.log entry.

The bottom of your httpd.conf might be the wrong place to put it. It
really depends on your local configuration which we do not know. Do you
have a plain Debian installation that you did yourself or do you use an
image from a hoster or any other company? What changes have you done to
your configuration?

What Debian expects most admins to do is drop their own virtual host
definitions into /etc/apache2/sites-available/ and use a2ensite to
enable them. Global configuration directives can be placed in
conf-available/ (use a2enconf).

>>> Something was said about the AllowRedirect settings in httpd.conf,
>>> but it did not specify what to change it to.

Don't touch httpd.conf, it will probably not do what you want to
achieve. Instead, edit the virtual host you are using.

> Chuckle, point taken, used your search string and got smarter hits for 
> apache2.  Since my domain registrar is namecheap, I'm reading this link:
> 

Your domain registrar is irrelevant here. Look for
Debian/Ubuntu-specific tutorials after reading up on the basics.

> Syntax error on line 71 of /etc/apache2/mods-enabled/ssl.conf:
> Invalid command 'Header', perhaps misspelled or defined by a module not 
> included in the server configuration
> Action 'start' failed.

Apparently the header module is not enabled in your configuration. You
can do so by running "a2enmod headers".

> If you install the ssl-cert package, a self-signed certificate will be
> automatically created using the hostname currently configured on your 
> computer.

If your machine is publicly available, there is really no reason anymore
to use self-signed certificates -- except for testing, probably. If your
configuration works with your self-signed certificate, you should
consider using Let's Encrypt.

> So in internal name and the one in the sig don't match?
> So which name will it use if I run the above cert generator command?

Nowadays you can run more than one VirtualHosts even with only one IP
address. You just set up regular virtual hosts which use their own
certificates.

I cannot comment on the other errors you are getting, but (just in case
I didn't stress it enough :)) I think your life will become a lot easier
once you master the basics of Apache. The creation of SSL certificates
actually becomes a lot easier with Let's Encrypt.

J.
-- 
In this bunker there are women and children. There are no weapons.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: BUG or OPERATOR error? - was [Re: Measuring aggregate internet useage?]

[Jochen Spieker]

Richard Owlett:
> 
> I did an install using expert mode, not selecting any GUI.
> At several points during the install I did Alt-F2 to bring up a terminal to
> attempt running ifconfig.
> 
> "Command not found" was the uniform response.
> I booted the new install and attempted as root to run ifconfig.
> I again got "Command not found".
> That seemed odd.

Did you check whether /sbin/ was in your $PATH at that time or did you
try to run it as /sbin/ifconfig? The problem may simply be that the
executable was not found in your $PATH although the executable was where
it should be.

(Apart from that I thought that ifconfig and friends were not really
necessary anymore since they were replaced by the "ip" tool. I think the
priority of this package was demoted from important to optional but I
cannot check at the moment. Maybe net-tools just isn't part of a
standard install anymore. If you want ifconfig, you need to install
net-tools.)

J.
-- 
Whenever I hear the word 'art' I reach for my visa card.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Spam on Debian lists (was: Actually)

[Jochen Spieker]

fc:
>
> Actually -- does anyone monitor this list for this type of stuff?

You have no idea *how much* spam is blocked by the work of the list
masters. But it's not that anybody monitors all of the almost 300 Debian
lists¹ with thousands of posts each day.

> I see these types of things come through periodically -- and 1 delete on the
> front end could prevent a lot of woe.

Your help is appreciated:
https://wiki.debian.org/Teams/ListMaster/ListArchiveSpam

Obviously, this only affects the archive after all subscribers already
received the spam message. Moderating all Debian lists is not a job that
anybody wants to do (and it wouldn't even be appreciated).

> *Even more so* -- it seems like unauthorized users can email this list?
> 
> Why not just restrict it to people who have subscribed?

Because this excludes use cases that are deemed valid by the list
masters.

J.
-- 
I wish I had been aware enough to enjoy my time as a toddler.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: System broken after yesterday's upgrade

[Jochen Spieker]

solitone:
> On Wednesday, 12 April 2017 19:55:12 CEST Jochen Spieker wrote:
>> I'd write a bug report. Your e-mail is a pretty good start.
> 
> To Debian BTS? Related to the kernel package? I have no clues as to what 
> component might be actually involved.

I'd use reportbug againt the kernel package.

J.
-- 
I think of my genitals more often than my hands, but use them far less.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: System broken after yesterday's upgrade

[Jochen Spieker]

solitone:
>
> Hi, something really weird is going on today on my system--debian stretch on 
> an Apple MacBookPro 12,1.

If googling doesn't turn up something helpful (and maybe even then) I'd
write a bug report. Your e-mail is a pretty good start.

Regards,
Jochen.
-- 
If politics is the blind leading the blind, entertainment is the fucked-
up leading the hypnotised.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: When specifying path to file - confused about ./ and ~/

[Jochen Spieker]

Richard Owlett:
> On 03/27/2017 07:38 AM, The Wanderer wrote:
>> 
>> Can you explain what your question is?
> 
> No, not even after having having had an explanation that alleviated the
> problem.

I think you could have posed your question as simply:

"What do ./ and ~/ mean? What is the difference between the two?"

J.
-- 
I like my Toyota RAV4 because of the commanding view of the traffic
jams.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: repairing damage to package manager

[Jochen Spieker]

songbird:
> Chuck Hallenbeck wrote:
>> 
>> One more O.T. observation: Debian let me do a truly dumb thing, but I
>> wouldn't have it any other way.
> 
>   who here hasn't done an erroneous rm or some
> other fumble fingered thing?
> 
>   a few weeks ago i was working on tagging some
> pictures and didn't notice that i had selected 
> 9000 of them instead of the few i intended.  then
> i deleted the tags.  there is no way to interrupt
> this.  oops.  i had to go find the backup files 
> and restore the database which held the tags.

Good point. I cannot stress the need for backups enough. Every couple of
months someone approaches me because they have important data on a dying
disk. Right now it hit my best man who should really know better.

(No, uninstalling apt would not be covered by my backups either. But as
we have seen, you can recover from issues like this easily in many
cases. :))

J.
-- 
Watching television is more hip than actually speaking to anyone.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: repairing damage to package manager

[Jochen Spieker]

Chuck Hallenbeck:
> 
> One more O.T. observation: Debian let me do a truly dumb thing, but I
> wouldn't have it any other way.

That's the spirit!

J.
-- 
If I am asked 'How are you' more than a million times in my life I
promise to explode.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: repairing damage to package manager

[Jochen Spieker]

Chuck Hallenbeck:
> 
> # apt-get remove upgrade-system apt

Nice one! This brightens my day a little as it reminds me how I found
out the relationship betweent the commands available on MSDOS 5.0 and
the contents of the C:\DOS directory. :) I don't know how many times I
had deleted stuff from there until it finally hit me.

Anyway, it's great of you not to be too embarassed to ask this and it is
even better that you could get help so quickly. It was more difficult
with MSDOS and no internet back then.

J.
-- 
I am getting worse rather than better.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: IPv6 connection problem with https://www.flickr.com/

[Jochen Spieker]

Vincent Lefevre:
>
> On my Debian/unstable machine at home, IPv6 connection to
> https://www.flickr.com/ freezes most of the time:

I do not have this problem with native IPv6 at home (Debian sid ad
well).

Does OpenSSL have this problem as well? Does it maybe report something
with respect to a TLS problem?

openssl s_client -connect www.flickr.com:443

J.
-- 
My drug of choice is self-pity.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: What file system to use?

[Jochen Spieker]

Dennis Wicks:
>
> I am going to install some more disks and I was wondering which file system
> to use.

Use ext4 unless you have special requirements. I would always use LVM as
well because it makes partitioning a lot easier.

> I have several ext? and a few with Reiserfs. Is there a better choice than
> Reiser now?

Probably every filesystem which is merged into the mainline kernel. I
would (still) stay away from BTRFS with jessie.

> Also, is there any way to convert from my existing fs to the
> recommended one?

Sorry, don't know that. You can always copy/rsync, of course.

J.
-- 
I hate myself but have no clear idea why.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Problem with offlineimap

[Jochen Spieker]

Leandro Noferini:
> 
> from yesterday I cannot fetch my mail with offlineimap because I get this 
> error:
> 
> OfflineIMAP 7.0.12
>   Licensed under the GNU GPL v2 or any later version (with an OpenSSL 
> exception)
> Account sync BBs:
>  *** Processing account BBs
>  Establishing connection to bbs.cybervalley.org:993 (RemotoBBs)
>  ERROR: Unknown SSL protocol connecting to host 'bbs.cybervalley.org' for 
> repository 'RemotoBBs'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

It appears to me that the server's certificate has expired:

$ openssl s_client -connect bbs.cybervalley.org:993
[…]
subject=/C=IT/ST=TO/L=Firenze/O=CyberValley/OU=Automatically-generated
IMAP SSL
key/CN=bbs.cybervalley.org/emailAddress=lnofe...@cybervalley.org
issuer=/C=IT/ST=TO/L=Firenze/O=CyberValley/OU=Automatically-generated
IMAP SSL
key/CN=bbs.cybervalley.org/emailAddress=lnofe...@cybervalley.org
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2902 bytes and written 494 bytes
Verification error: certificate has expired

> Since offlineimap and server side nothing changed I think the problem would be
> in python but I don't know it and I cannot even file a bug report.

The problem is that the server's certificate _needs_ to be changed.
Maybe it is also possible do disable certificate validation but I
recommend against that.

J.
-- 
I wear a lot of leather but would never wear fur.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: debian NETINST installer problem - Nonsense error messages that don't indicate real problem

[Jochen Spieker]

Peter Bradstreet:
> Package: installer 
> Version:  8.7.1
> 
> This isn’t a ‘package’ per say… not sure what group it goes to

There's a "debian-installer" pseudo package that you can use to report
bugs.

J.
-- 
It is not in my power to change anything.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Jessie or stretch for server

[Jochen Spieker]

Dan:
> 
> In a few months the Stretch Debian installation will automatically
> become "stable". Is that correct?

If you use "stretch" in the sources.list (instead of "testing"), then
yes, your stretch installation will stay at stretch.

> If I install Jessie I'll have to update very soon.

Jessie is going to have security support for about a year after the
release of stretch:

https://www.debian.org/security/faq#lifespan

J.
-- 
I see weapons of mass destruction as shameful but necessary.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: kworker eats 45% from first cpu

[Jochen Spieker]

Jochen Spieker:
> deloptes:
>> 
>> I moved my system to an SSD two days ago. I applied recommendation to
>> use "discard"
> 
> What do you mean by that? If you are talking about the mount
> option, discard it. (Sorry for the pun.) Use a weekly cron job with
> 'fstrim -a' instead. If you are using LVM, set issue_discards=1 in
> /etc/lvm/lvm.conf.

BTW, mount(8):

 discard
Disable/enable  the  discard mount option.  The discard function issues
frequent commands to let the block device reclaim space  freed  by  the
filesystem.   This  is  useful for SSD devices, thinly provisioned LUNs
and virtual machine images, but  may  have  a  significant  performance
impact.   (The fstrim command is also available to initiate batch trims
from userspace.)

J.
-- 
Every year I wonder what a tinsel-making machine looks like. And what it
does in summer.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: kworker eats 45% from first cpu

[Jochen Spieker]

deloptes:
>
> I moved my system to an SSD two days ago. I applied recommendation to
> use "discard"

What do you mean by that? If you are talking about the mount
option, discard it. (Sorry for the pun.) Use a weekly cron job with
'fstrim -a' instead. If you are using LVM, set issue_discards=1 in
/etc/lvm/lvm.conf.

J.
-- 
Whenever I hear the word 'art' I reach for my visa card.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: probable broken tomcat6 package on wheezy

[Jochen Spieker]

John Naggets:
> 
> By installing the previous package version from the apt cache archive
> as you mention I managed to find out that it is the libtomcat6-java
> package which is broken. You just need to downgrade that package back
> to deb7u3 and Tomcat will start again.
> 
> Thanks for the hint and hopefully this package will be quickly fixed.

Nobody is is going to fix this if there is no appropriate bug report.

J.
-- 
I frequently find myself at the top of the stairs with absolutely
nothing happening in my brain.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: {Debian (>=Jessie)} AND { MultiMediaCard, SD Memory Card, etc}

[Jochen Spieker]

Richard Owlett:
> On 12/3/2016 7:05 AM, Jochen Spieker wrote:
>> 
>> https://forums.lenovo.com/t5/ThinkPad-T61-and-prior-T-series/Boot-T61p-from-SD-card/m-p/261121/highlight/true#M41072
>> looks like you are out of luck.
>> 
> 
> Maybe. May be not. I suspect most of what I was thinking of by having
> Grub/LILO/??? reside on the HDD. The behind the scenes motivation is create
> a "project" that will serve as a learning experience.

Oh, sorry, in that case you should be able to simply install to your SD
cards. You just have to make sure not to confuse your boot loader,
especially when the configuration is automatically recreated while the
SD card is absent.

J.
-- 
I often blame my shortcomings on my upbringing.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: {Debian (>=Jessie)} AND { MultiMediaCard, SD Memory Card, etc}

[Jochen Spieker]

Pascal Hambourg:
> Le 03/12/2016 à 13:59, Jochen Spieker a écrit :
>> 
>> CF cards were much more clever from the beginning compared to cheaper
>> alternatives (like SSD or MMC cards). I would expect them to have better
>> wear levelling than a common SD card.
> 
> I would be surprised that a CF card be more clever than a SSD.

Sure. I meant to write "SD or MMC cards".

J.
-- 
It is not in my power to change anything.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: {Debian (>=Jessie)} AND { MultiMediaCard, SD Memory Card, etc}

[Jochen Spieker]

Richard Owlett:
> On 12/2/2016 4:21 PM, Jochen Spieker wrote:
>> 
>> Beware that this might slightly increase power usage / reduce battery
>> life. That's at least my observation from a couple of years ago.
>> Depenging on the hardware, an SD card can keep a bus alive that could be
>> put to sleep otherwise. But if I would have to guess this is not an
>> issue for your use case.
> 
> No problem for medium term. It will sit on my desk next to my "regular"
> machine.

That's what I thought.

>>>   2. Can Debian itself reside on that medium?
>>>  I'm thinking in terms of changing look/feel/function/capabilities/...
>>>  of the machine by swapping media before "power up".
>>>  [The BIOS *DOES* have some capability to specify precedence of boot
>>> devices.]
>> 
>> Debian doesn't really care, but you would have to test whether your BIOS
>> can really boot from SD cards.
> 
> If it "looks" the same as a USB flash device, there should be no problem.

For Linux the bus doesn't really matter. But again, for your BIOS it
does. As far as I understand, that's hardware specific. Some card
readers are internally wired to USB which gives you a good chance to
boot from it. As far as I can see on the ThinkWiki
(http://www.thinkwiki.org/wiki/Category:R61 pointing to
http://www.thinkwiki.org/wiki/Ricoh_R5C843), the R61 is different.

https://forums.lenovo.com/t5/ThinkPad-T61-and-prior-T-series/Boot-T61p-from-SD-card/m-p/261121/highlight/true#M41072
looks like you are out of luck.

J.
-- 
If I could have anything in the world it would have to be more money.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: {Debian (>=Jessie)} AND { MultiMediaCard, SD Memory Card, etc}

[Jochen Spieker]

deloptes:
> Steven Mainor wrote:
> 
>> I don't know if this helps answer #3 or not. I have ran Debian from a
>> microSD flash card before but the card reader was attached via USB.
>> 
>> It didn't last very long before the flash card degraded. I think running
>> an operating system on flash used up the read/write cycles too quickly.
>> I eventually decided to find another solution. But it may not be an
>> issue for your use case.
>> 
> I don't think so. I have a low power industrial pc used as firewall. It runs
> on Compact Flash card for >6y now. I recall there were at least 10
> write cycles per sector and self diagnostic, so I would suspect something
> else would be the problem.

CF cards were much more clever from the beginning compared to cheaper
alternatives (like SSD or MMC cards). I would expect them to have better
wear levelling than a common SD card.

J.
-- 
When I get home from the supermarket I don't know what to do with all the
plastic.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: {Debian (>=Jessie)} AND { MultiMediaCard, SD Memory Card, etc}

[Jochen Spieker]

Richard Owlett:
> I have a well used Lenovo R61 Thinkpad whose sole raison d'etre is to serve
> as a test platform for experiments which may spectacularly fail.
> 
> To quote a product description, it has:
>   Card Reader
> 4 in 1 card reader
> Supported Flash Memory
> Memory Stick PRO, MultiMediaCard, SD Memory Card, xD-Picture Card
> 
> My local supplier has 32GB cards in stock. Not sure which of the above
> flavors, as I just asked him what he had available that were compatible with
> my hardware.

He probably has SD cards. All other options in your list have come out
of fashion.

> I'm pondering an application that could be accomplished with USB flash
> drives.
> It would be much "NICER" if that x GB were physically "inside" the laptop's
> profile.

Beware that this might slightly increase power usage / reduce battery
life. That's at least my observation from a couple of years ago.
Depenging on the hardware, an SD card can keep a bus alive that could be
put to sleep otherwise. But if I would have to guess this is not an
issue for your use case.

> My questions:
>   1. Can Debian (and to what extent) make use of that storage?

Debian (the linux kernel) can use SD cards just like USB thumb drives or
other types of removable (and rewritable) storage. It's simply a block
device.

>   2. Can Debian itself reside on that medium?
>  I'm thinking in terms of changing look/feel/function/capabilities/...
>  of the machine by swapping media before "power up".
>  [The BIOS *DOES* have some capability to specify precedence of boot
> devices.]

Debian doesn't really care, but you would have to test whether your BIOS
can really boot from SD cards.

>   3. Any Debian people using this capability who would care to comment?
>  ["off list" replies fine]

I would like to see replies here. :)

J.
-- 
All participation is a myth.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: apt-get changelog is unsuccessful, but changelog exists

[Jochen Spieker]

Brian:
> 
> It's quite amazing what people expect to be supported on this list.
> Wheezy is an unsupported distribution, just like hamm, etch, potato etc.

That's not entirely true:

https://www.debian.org/releases/wheezy/

Wheezy is still in LTS support until end of May 2018. I don't know
whether it solves the OP's problem but I think
https://wiki.debian.org/LTS is worth a look in any case.

J.
-- 
I am not scared of death but terrified of people in Tommy Hilfiger
sweatshirts.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Permissions for an entire PARTITION

[Jochen Spieker]

Richard Owlett:
> 
> My original question had (apparently incorrectly assume that partitions
> handled user/group/world permissions in the same manner as file systems.

Even if you found a solution to your problem, this sentence does not
make much sense and I still assume you are confused about a few basics.

Hard disks / SSDs are usualy split into one or more partitions. A
partition is nothing more than a slice of a disk with a given size. It
does not have any permissions except for the permissions of the block
device in /dev that represents it (e.g. /dev/sda1).

Filesystems organize storage space into files and directories. They are
often (but not necessarily) created inside partitions. Since there is
usually a 1:1 relation between partitions and filesystems, many people
use both terms interchangeably but that is technically wrong. You cannot
mount a partition, only a filesystem (which, again, may or may not be
inside a partition).

J.
-- 
Every year I wonder what a tinsel-making machine looks like. And what it
does in summer.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Permissions for an entire PARTITION

[Jochen Spieker]

Richard Owlett:
> On 10/25/2016 10:40 AM, Greg Wooledge wrote:
>> 
>> The simplest way would be to synchronize your UID across all your
>> installed operating systems.  If your UID is, let's say, 1000 on every
>> system, and the files on the partition are owned by user 1000, then
>> user 1000 (you) will have ownership of the files whenever you mount
>> the partition.
> 
> That sounds like what I want.
> I had previously created a ext2 partition on /dev/sda10 and a label of
> jessie-dvds .
> How do I inform the "WORLD" that it belongs to UID 1000?

chown -R 1000 /

But that is a stupid idea that will probably break your system. Don't do
it.

As far as I understand, you want to be able to read/write/execute files
from one installation in another installation. This is easy as long as
you use the root account. For your regular user (usually UID 1000), this
doesn't make sense on a single installation and doesn't make sense
across several installations on one computer.

> Right now when I attempt to mount it, I am asked for root password.
> Not acceptable.

What a user can mount is controlled by the option "user" in /etc/fstab.
Even if a user can mount a filesystem that doesn't mean she can read or
write any files in it after mounting. That is controlled by the
permissions in the filesystem.

> tomas' reply confused me ;/

I think that is because you have a misunderstanding that makes you want
to solve your problem the wrong way. Maybe it helps to restate what
exactly you want to do.

If all you want is to exchange a few files (office documents, music,
videos etc.) between separate OS installations the easiest way is to
format one partition as FAT filesystem. That way you won't have to worry
about permissions.

J.
-- 
When I am at nightclubs I enjoy looking at other people and assessing
their imagined problems.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: rsnapshot advice

[Jochen Spieker]

Pol Hallen:
>
> PPS: main backup of each server will be /etc/

For /etc you can also install etckeeper on all servers and just git+ssh
pull from a remote location.

J.
-- 
Television advertisements are the apothesis of twentieth century culture.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: imapsync and Debian

[Jochen Spieker]

Daniel Bareiro:
> On 14/10/16 16:30, Jochen Spieker wrote:
> 
>>> I am planning to migrate about 200 e-mail accounts from a mail server
>>> using Dovecot to a mail server running Cyrus.
> 
>> Sounds weird! I though most people migrate _to_ Dovecot nowadays (if
>> they haven't already). Care to elaborate the reasons? I don't want to
>> discuss it, I am just curious.
> 
> […]
> 
> So that is a not minor matter that we have to consider to be sure that
> this site will work with the PHP version of Jessie. I think both options
> (upgrade to Jessie from the current state, such as migrating to a new
> host with Jessie) take a lot of work, but I think the second alternative
> will be less painful and allow me to have a better control over
> migration as well as divide it into several phases. Anyway, all comments
> are welcome :-)

Sounds reasonable, if the machine running Cyrus already exists and you
are as familiar with Cyrus as with Dovecot. Running mail and web on
different machines is probably generally a good idea anyway.

J.
-- 
I like my Toyota RAV4 because of the commanding view of the traffic
jams.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: imapsync and Debian

[Jochen Spieker]

Daniel Bareiro:
> 
> I am planning to migrate about 200 e-mail accounts from a mail server
> using Dovecot to a mail server running Cyrus.

Sounds weird! I though most people migrate _to_ Dovecot nowadays (if
they haven't already). Care to elaborate the reasons? I don't want to
discuss it, I am just curious.

> The idea is to migrate emails maintaining the status read, unread, etc,
> and also synchronize Draft, Sent and Trash folders in each mailbox.
> 
> I think the best will be make it through IMAP. This would also be
> agnostic to the storage mechanism used (MAILDIR, system users accounts,
> etc) in the source and destination servers. Following this course of
> action, I found this [1] interesting article written by Falko Timme in
> HowtoForge.

Offlineimap can also do IMAP to IMAP synchronization. The author of
imapsync mentions it on [4] as well.

> [4] https://imapsync.lamiral.info

J.

-- 
My medicine shelf is my altar.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Mutt and monthly delete old messages

[Jochen Spieker]

Mark Fletcher:
> 
> So I was thinking of implementing a policy of deleting messages from 
> this mail folder on my PC (the one Mutt is looking at) on a say monthly 
> basis.

If you prefer a mutt-only solution (without archivemail) you could also
use a hook to mark all mails older than 30 days for deletion whenever
you open the corresponding mailbox.

Untested, adapt "debian" to match your mailbox name:

folder-hook =debian  'push  " ~d>30d\n"'

Mutt will then mark older messages for deletion when you enter the
mailbox and ask for confirmation when you quit mutt, change to a
different mailbox or press '$'.

J.
-- 
I am not scared of death but terrified of people in Tommy Hilfiger
sweatshirts.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Errors when doing a update

[Jochen Spieker]

Brian LaPlante:
>
> Please find attached a copy of my sources.list and results of doing an 
> update. Any corrections that need to be made would be greatly appreciated. 
> Thanks in advance!

If you want to solve your problem by editing your sources.list, you need
to remove deb-multimedia.org from it. If you also accept other
solutions, you could simply import the appropriate key into the apt-key
database.

J.
-- 
When standing at the top of beachy head I find the rocks below very
attractive.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: system monitor

[Jochen Spieker]

roman_ca...@mail.md:
> 
> Take time and look attentive to both cpu cores and to both ram and swap
> graph and compare them

Please elaborate what you think is wrong. The CPU graph in the taskbar
probably only shows one CPU. The two colors you are seeing most probably
to nice/usr/sys/iowait. I have no idea what you think is wrong with the
memory graphs.

J.
-- 
I feel yawning hollowness whilst talking to people at parties.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: system monitor

[Jochen Spieker]

roman_ca...@mail.md:
> hi users i need an advice in what bug category to place these:
> https://postimg.org/image/yj08o66rh/
> 
> do you see that cpu and memory usage in system monitor window and in message
> tray are different?

No, I don't see any significant difference. All graphs hover around
40-50%.

J.
-- 
Atrocities committed in Rwanda pervade my mind when I am discussing
mundanities with acquaintances.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Getting fqdn, postfix, Comcast to all play nice together

[Jochen Spieker]

John T. Haggerty:
>
> I have the following issue (seems to be common although my details seem to
> differ):
> 
> 1. I recently registered a new domain as WWW.whatever.org or whatever.

Please use example.com when you do not want to disclose your real domain
name. The domain whatever.org does not belong to you.

> 6. In the core wiki for Postfix I have the MX record of my server updated
> from the registrar to mail.whatever.org (pita since it's dynamic and not
> static).

You will not be happy with such a setup.

For receiving mails, you would have to update the MX record for your
domain whenever your IP address changes. And you always risk losing mail
to random strangers who happen to use any of your old IP addresses.

For sending e-mails you will notice that *a lot* of receiving systems
will refuse talking to systems on dynamic IP addresses. Also, you can
only expect to send mails from your mail server using e-mail addresses
in your own domain. If you try to deliver an e-mail with a gmail sender
address to gmail's servers, gmail will treat it as spam. The same
probably holds for most other major e-mail providers.

> 7. I want to avoid using gmail's smtp and comcast's servers since I'd love
> to host this on my own.

Then do what I do: rent a small VPS with a static IP address and run
Postfix there. You can configure Postfix to deliver mails of senders
from its own domain directly and use an appropriate relay host for
specific senders / sender domains.

> How can this be accomplished in Debian (not Ubuntu, or something else)? (I
> get irritated at Ubuntu specific explanations {which usually don't work}
> getting all the search results)
> 
> Any help would be appreciated as I spent ~3 days of work and wiping the
> entire OS in case I went wrong somewhere.

There's really no better way than spending even more time (and some
money). Read the Postfix documentation. Postfix will not do what you
want it to do unless you understats its configuration files.

http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/SASL_README.html
…

J.
-- 
In this bunker there are women and children. There are no weapons.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: OK to upgrade to 8.5?

[Jochen Spieker]

Lisi Reisz:
> On Thursday 28 July 2016 15:43:43 Jochen Spieker wrote:
>> (Please don't top-post. Trim the quotes and reply below the quote you
>> are referring to. Thanks.)
> 
> Jochem - Steve is blind.  Many (Most?  All??)blind people find bottom posting 
> and trimming very difficult.

Thanks for that information. Sometimes I wish there were standardized
e-mail headers to indicate such special needs. But then again I wouldn't
want to run around and advertize my own constraints either.

J.
-- 
If you do not move for long enough, you might see a rat.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: wicd trouble -- continued

[Jochen Spieker]

Glenn English:
> > On Jul 28, 2016, at 7:35 AM, Mike McGinn 
> > wrote:
> > 
> > I had some trouble with wicd which I cured by making sure that
> > network manager was not running. Make sure NM is stopped and does
> > not start.
> 
> Don't think so. NM, IIRC, implies Gnome, […]

NACK

I run NM without any of the big desktop environments.

J.
-- 
Driving behind lorries carrying hazardous chemicals makes me wish for a
simpler life.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: OK to upgrade to 8.5?

[Jochen Spieker]

(Please don't top-post. Trim the quotes and reply below the quote you
are referring to. Thanks.)

Steve Matzura:

> I am running 8.0; 8.5 is out. Came out on June 24.

You are right. I missed that the point release was labelled 8.5.

As Lisi said: you do not need to do anything special to upgrade from 8.0
to 8.5. Keep your sources.list as it is and just run 'apt-get update &&
apt-get upgrade'. It might also be necessary to do an 'apt-get
dist-upgrade'.

J.
-- 
Thy lyrics in pop songs seem to describe my life uncannily accurately.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: OK to upgrade to 8.5?

[Jochen Spieker]

Steve Matzura:
>
> Should I follow the standard procedure--edit sources.list to include
> the DVD drive (if it's not there already), then 'apt-get upgrade'
> followed by 'apt-get full-upgrade'?

What do you mean with "8.5"? Debian jessie is version 8, Debian stretch
ussupposed to be version 9, I think. Either way, it isn't stable yet so
technically the latest Debian version is 8.

In any case, the canonical answer to "How do I upgrade to the latest
Debian release?" is to go through the release notes of your current
release+1 until you have reached the desired version.

Example: if you have installed Debian squeeze (version 6) you would
first follow this (I have picked amd64 randomly):
https://www.debian.org/releases/wheezy/amd64/release-notes/

and then this:
https://www.debian.org/releases/jessie/amd64/release-notes/

J.
-- 
In public I try to remain calm and to appear perceptive.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: openssl too old and what to do about it

[Jochen Spieker]

ng0:
> 
> I am in the position where I have to run at least one Debian
> stable based server, and with the recent upgrade of a search
> engine, I can no longer use its proxy functionality.
> This would require a version of OpenSSL which is not available in
> Debian stable at this point.

Which version? Erwan mentioned backports. That includes 1.0.2h (as
opposed 1.0.1t from stable). If the backports version is recent enough
that is the best way to proceed.

J.
-- 
I think of my genitals more often than my hands, but use them far less.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: jessie won't install/boot on a Dell Poweredge R815

[Jochen Spieker]

deloptes:
> 
> Upgrade usually is done by
> 
> apt-get update
> apt-get upgrade
> apt-get dist-upgrade

No. You upgrade to a new stable release by reading and following the
release notes.

J.
-- 
I am heading for the loony bin.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: How to download over https

[Jochen Spieker]

Dan Ritter:
> On Fri, Jun 17, 2016 at 09:50:15PM +0200, Jochen Spieker wrote:
>> 
>> Admittedly, one of the main issues with HTTPS is the number of
>> handshakes your hardware can do per second. That probably isn't a
>> problem for the CD image download server that we are discussing here.
>> But for (non-distributed) sites that serve a huge number of requests
>> (think tens of thousands of requests per second) and (unlike Google) use
>> off-the-shelf hardware and software that's a different issue.  I am
>> working on such a site and our customer has to spend big bucks for our
>> load balancers (F5 BIG IP) which terminate SSL connections in our
>> environment.
> 
> In my experience, the majority of people buying F5's load balancers
> are doing so because they don't have the expertise on staff to do
> configuration management of commodity Linux boxes running either an ipvs
> based system like ldirector or a user-mode loadbalancer like haproxy.

That may very well be the case. I don't work for the hosting provider, I
am in development. ;-)

J.
-- 
Scientists know what they are talking about.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: How to download over https

[Jochen Spieker]

Pascal Hambourg:
> Le 16/06/2016 22:13, Dan Purgert a écrit :
> 
>> as well as making the overall amount of data
>> transmitted somewhat larger.  This is because encrypted blocks have
>> specific size requirements (...)
>> 
>> Remeber that a single packet can only carry 1460 bytes, before
>> accounting for services that specify MTUs <1500 .  If you're using
>> something like 64-byte blocks for the encryption scheme (which is fairly
>> common, so I'm going with that from here on out), you're limited to only
>> sending 1408 bytes / packet of actual data, assuming zero overhead.  For
>> the 660 602 880 bytes of "cd1" from the debian installer suite, this
>> means you're transmitting 469,178 fully loaded packets, plus 1 partial
>> (approx 315 bytes) ... or a total transmission of 689 691 975 bytes.
> 
> Hmm. I don't know how SSL works, but HTTPS runs on top of TCP so I doubt
> that it cares about IP packet size. The task of splitting the TCP payload
> stream into IP packets is done by the TCP layer.

Sure, but if your encryption scheme wastes payload in yout packets you
have more overhead for TCP/IP headers in each packet. I have yet to
actually meet someone who optimizes on that level but at Google scale
these things obviously matter.

J.
-- 
Whenever I hear the word 'art' I reach for my visa card.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: How to download over https

[Jochen Spieker]

Jörg-Volker Peetz:
> Jörg-Volker Peetz wrote on 06/16/16 15:12:
>> Did you take a look here: https://www.debian.org/CD/verify , "Verifying
>> authenticity of Debian CDs"?
>> 
>> The https protocol would add quite some overhead to the download of the
>> iso-files which are already big by them self.
>> 
> This statement has to be corrected: the overhead of https is hardly 
> perceptible
> on "modern" hardware. (See, e.g.,
> https://www.keycdn.com/blog/https-performance-overhead/ ,
> https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html )

It really depends on what you are looking at. Clients have no reason to
care about that but if you are running a busy site that's a whole
different issue.

The first link of yours doesn't really discuss the server-side
implications. The second one is from 2010 and talks about how Google
prefers RC4 for its speed but RC4 is almost completely dead today (see
RfC 7465).  Incidentally, Google switched off RC4 for Gmail just
yesterday:

http://news.softpedia.com/news/google-drops-sslv3-and-rc4-support-in-gmail-504176.shtml

Admittedly, one of the main issues with HTTPS is the number of
handshakes your hardware can do per second. That probably isn't a
problem for the CD image download server that we are discussing here.
But for (non-distributed) sites that serve a huge number of requests
(think tens of thousands of requests per second) and (unlike Google) use
off-the-shelf hardware and software that's a different issue.  I am
working on such a site and our customer has to spend big bucks for our
load balancers (F5 BIG IP) which terminate SSL connections in our
environment.

J.
-- 
In this bunker there are women and children. There are no weapons.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Upgrading from Backports

[Jochen Spieker]

Patrick Bartek:
> Need to upgrade claws-mail installed from regular repo to a newer
> version in wheezy-backports.  I don't want to end up with two installed
> versions.  Have done research, but have found nothing specific about
> this particular procedure.  Would
> 
>apt-get install -t wheezy-backports claws-mail=
> 
> upgrade the old version or just install the new version along side the
> old.

A Debian package can only ever be installed in one version at a time on
one machine. The package is defined by its name. In your example,
claws-mail is the package name and if it is already installed then it
will be upgraded. You can most probably leave out the version number
behind the package name. I would be surprised if wheezy-backports
contained more than one version of claws-mail. And even if that was the
case, apt-get would then pick the most recent version.

> Or would it be easier to "remove" the old version keeping all the
> configs, etc., and install the new one from backports?  I did this with
> LibreOffice a few years ago.  Worked fine.

Doesn't really make a difference. The state of your system should be the
same after either 'remove && install' or a simple 'install'.

J.
-- 
If I was Mark Chapman I would have shot John Lennon with a water pistol.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: RANT: Virtual filesystems are getting out of control

[Jochen Spieker]

Albin Otterhaell:
> 
> $ lsblk
> 
> should be clean and structured.

Nice! How didn't I know about that? It helps especially with complex
device structures involving LVM and LUKS.

J.
-- 
When I am at nightclubs I enjoy looking at other people and assessing
their imagined problems.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Google Authenticator

[Jochen Spieker]

Laurens Blankers:
> 
> Two days ago an article was posted on Linux.com about setting up
> 2-factor authentication using the libpam-google-authenticator package [1].
> 
> Looking at the Debian package [2] I noticed it was last updated August
> 2013, however the source at GitHub has been updated as recently as 2
> days ago. Browsing through the commit log [3] indicates lots of issues
> related to memcpy, malloc, and SIGSEGV have been fixed since 2013.
> 
> How do I determine whether whether this package is safe to use?

You already have all the information. Since the package was not updated
in Debian since 2013 even though upstream published significant changes,
you should consider it abandoned. I am not completely sure, but I think
somebody should file an RC bug so that it doesn't become part of the
next Debian stable unless a new upstream version is uploaded.

See also bug #771140 from 18 months ago.

J.
-- 
After the millenium I will shoot to kill.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: configuring softwarecollections.org repository on debian jessie

[Jochen Spieker]

soko.tica:
> 
> I need to install a package (php54) on a VM running debian jessie (Here is
> why https://www.virtualmin.com/documentation/web/multiplephp ).

That doesn't explain why you want to install software from 2012 without
upstream support on Debian while the software is packaged for a
completely different distribution. Do you really know what you are
doing?

Sorry for being so blunt, but what you are doing is generally a very bad
idea. Describe what you want to achieve, maybe somebody can help.
"Running insecure, deprecated PHP for CentOS on Debian" is probably not
what you actually want to do.

J.
-- 
I wear a lot of leather but would never wear fur.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: on-demand mounting of filesystems via Systemd (e.g. /backup)

[Jochen Spieker]

Jochen Spieker:
> Jonathan Dowland:
>> 
>> I just wrote a blog post about how to use Systemd to configure 
>> mount-on-demand
>> filesystems, e.g. /backup (in my case). This was triggered by recent news in
>> the UK that a major hosting provider had deleted all their customer VMs by
>> accident by issuing something like "rm -rf" - but they *also* got all their
>> backups because their backup volume was mounted too.
> 
> That was a marketing hoax

Did you edit your blog post afterwards or did I just skim over your own
rebuttal of the story? :)

J.
-- 
I cannot comprehend the idea of chemical and biological weapons.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature

Re: on-demand mounting of filesystems via Systemd (e.g. /backup)

[Jochen Spieker]

Jonathan Dowland:
> 
> I just wrote a blog post about how to use Systemd to configure mount-on-demand
> filesystems, e.g. /backup (in my case). This was triggered by recent news in
> the UK that a major hosting provider had deleted all their customer VMs by
> accident by issuing something like "rm -rf" - but they *also* got all their
> backups because their backup volume was mounted too.

That was a marketing hoax (which I didn't even find really credible
because Linux' rm doesn't operate recursively on / without the option
--no-preserve-root for some years now).

> Anyway, in the past I've read some useful tips for using Systemd on this
> list, so here's the blog post should it be of any interest:
> 
> https://jmtd.net/log/mount_on_demand_backups/

Thanks! I think we need to share more examples on how to use systemd
properly. A lot of the criticism stems from the simple fact that people
just need to learn what the new tools can do for them.

J.
-- 
If I had to live on a desert island I would take a mobile phone,
preferably a Nokia 8810.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: Installing tt-rss

[Jochen Spieker]

Rainer Dorsch:
> Hi,
> 
> I tried to install tt-rss on a stretch system. During the configuration of tt-
> rss, debconf asks for a username and a password confirmation for the tt-rss 
> database ... but it never asked for the password itself.
> 
> /usr/share/doc/tt-rss/README.* does also not give more insight.
> 
> Did anybody manage to setup tt-rss using the debconf and dbconfig-common ?

I am running the Git version, but used the Debian package previously as
well. I think what you are looking for can be found in
/etc/tt-rss*/database.php. Why debconf didn't ask for it in the first
place, I don't know. You can retry using 'dpkg-reconfigure tt-rss'.

J.
-- 
All participation is a myth.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: [ A little off topic] Best e-mail client for Android

[Jochen Spieker]

David Baron:
> 
> Microsoft's Outlook (not the Windows Outlook or Express!) is a decent 
> lightweight contender and integrates calendar and contacts functions as well. 

If you are talking about the app¹ you should know that it routes your
e-mails and access credentials through its own servers. See their
privacy policy:

https://www.acompli.com/privacy-policy/

J.

¹ 
https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en
-- 
My medicine shelf is my altar.
[Agree]   [Disagree]
 


signature.asc
Description: Digital signature

Re: unattended aptitude

[Jochen Spieker]

Pierre Frenkiel:
> On Mon, 4 Apr 2016, Jochen Spieker wrote:
> 
>> aptitude | yes n
> 
>   I imagine you want to say
> 
> yes n | aptitude

Correct! But I guess Brian's suggestion is better.

J.
-- 
I eat meat and am concerned about bugs which are resistant to
antibiotics.
[Agree]   [Disagree]
 <http://archive.slowlydownward.com/NODATA/data_enter2.html>


signature.asc
Description: Digital signature