Re: password manager

[Max Nikulin]

On 09/10/2024 06:11, fxkl4...@protonmail.com wrote:

what are y'alls recommendations for a password manager


Have you had a look into mailing list archives? E.g.

Password managers. Thu, 9 Nov 2023 11:05:53 -0500

Re: Stuck with linux 6.1.0.17-amd64

[Max Nikulin]

On 09/10/2024 16:30, Alexis Grigoriou wrote:

root@architect:~# apt-cache policy linux-image-amd64
linux-image-amd64:
   Installed: (none)


Install this package and it will pull latest kernel. Perhaps you need to 
fix nvidia issues as well.

Re: Firefox pausing network activity during vt-switch / screenlock

[Max Nikulin]

On 07/10/2024 08:35, Raj Kiran Grandhi wrote:

In this case, the network state is not changing. Other applications,
including wget, continue uninterrupted across vt-switches (Screen lock
or User switching or Ctrl+Alt+Fn). Sometimes, the firefox gui is also
a bit sluggish after returning from a vt-swtich, almost as if it were
resumed from an earlier CTRL-Z.


I have been bitten by an issue with a similar symptom. I was curious to 
which degree a USB3 stick is slow. To my surprise, f3write was suspended 
when I switched to another user.


Network is not involved and it is not a disk-related issue. The process 
was waiting for stdout: write(1, "...") accordingly to strace. You may 
try just


i=0; while : ; do
  printf '\010\010\010\010\010\010\010\010\010\010%10d' "$((++i))" ;
done

the bash process is suspended on VT switch if it is running in konsole 
(KDE, confirmed by "top"). xterm is not affected. Adding rw ACL for 
/dev/dri/card0 and /dev/dri/renderD128 does not help to resume a process 
running in konsole.

Re: Firefox pausing network activity during vt-switch / screenlock

[Max Nikulin]

On 09/10/2024 10:52, Mike Castle wrote:

Another option is the web app catching up on a backlog of messages
suddenly streaming in.  At least, if it has been a few hours (e.g.,
overnight or away from the computer).


You may enable timestamps in Firefox dev tools and may try to correlate 
events with various entries from "journalctl" output. Besides "online" 
and "offline", there are more events like document "visibilitychange".


By the way,

"Firefox hangs after switching between virtual terminals (Linux)"

Ok, so I followed the recommendations from this page and disabled
hardware acceleration. It seems to fix the problem. 


systemd-logind revokes permissions to /dev/dri/* on change of active user.

I have no idea if your security model allows to add users to the "video" 
groups, but as a side effect, I would expect higher probability of 
crashes due to bugs in graphics drivers.

Re: Firefox codecs

[Max Nikulin]

On 07/10/2024 23:47, Bruno Schneider wrote:

On Sat, Oct 5, 2024 at 11:46 PM Max Nikulin wrote:


Do you have libfdk-aac2 or gstreamer1.0-fdkaac (non-free) installed? It
may depend on whether PipeWire or PulseAudio is used.


Now I'm writing from a computer where Firefox supports AAC that has
neither of those packages installed, just to make sure that such
support does not come from these packages.


I am a bit lazy to uninstall a package to see if it would cause issues 
with available codecs.


You may compare prefs.js files from profile directories. It may be 
something with "media." settings. I noticed that at least values related 
to graphics hardware acceleration may be cached from previous sessions, 
so installed packages may have no immediate effect. To change values 
either use about:config or edit the file when browser is not running.

qt5ct and environment variables (was: Re: password manager)

[Max Nikulin]

On 09/10/2024 07:38, e...@gmx.us wrote:


Huh.  If I run it from a terminal emulator it looks fine, but if XFCE
launches it the text is tiny.  Looks like QT_QPA_PLATFORMTHEME isn't being
set.  Which means something is running a not-login shell, something between
startx and xfwm.  It's defined in ~/.profile.  Any ideas?



But...

- "Qt5ct will only be active on environments other than Plasma."
  Sounds like it should be enabled by default (I do not have it installed)
- startx means that ~/.profile should be applied.

Re: Debian 12: User calls synaptic: Unable to authenticate root

[Max Nikulin]

On 06/10/2024 16:47, Joe wrote:

My graphical menu calls synaptic-pkexec, and it definitely wants the
root password, and it says so explicitly.


My impression is that polkit dialog appearance depends on desktop 
environment. In KDE it is more confusing since it contains no hint if 
user or root password is requested.


The result may depend on group membership, see
/usr/share/polkit-1/rules.d/50-default.rules
than adds the "sudo" group to admins.

Re: Firefox pausing network activity during vt-switch / screenlock

[Max Nikulin]

On 07/10/2024 08:35, Raj Kiran Grandhi wrote:

On Sun, Oct 6, 2024 at 8:32 AM Max Nikulin wrote:

Firefox generates events in response to connection changes in
NetworkManager:
<https://developer.mozilla.org/en-US/docs/Web/API/Navigator/onLine>


In this case, the network state is not changing. Other applications,
including wget, continue uninterrupted across vt-switches (Screen lock
or User switching or Ctrl+Alt+Fn).


The question is if Firefox for some reason believes that network state 
is changed. A simple test (unrelated to downloads though) is to try in 
dev tools console


window.addEventListener("online", e=>console.log("online", e))
window.addEventListener("offline", e=>console.log("offline", e))

and if events are logged then you may compare timestamps with user 
switching. Mike wrote that in his case there is some delay.



Sometimes, the firefox gui is also
a bit sluggish after returning from a vt-swtich, almost as if it were
resumed from an earlier CTRL-Z.


Swap?

Browsers throttle JS running in inactive tabs, but it unlikely affects 
the current tab or downloads.


You may try to ask on <https://support.mozilla.org/> or to search in 
Firefox bugs. Behavior might depend on desktop environment.

Re: setting keymap codes

[Max Nikulin]

On 05/10/2024 17:06, Hans wrote:


As this keyboard differs in the layout cpompared to the old one, some keys are
mapped other (i.e. page-up / down in the original needs the function key =
second layer, in th enew one it is just page-up /down without any Function).


[Fn] modifier perhaps requires support in firmware.

I have the following link in my notes, but I have never tried the recipe:

Linux keymapping with udev hwdb
8 Dec, 2017

It suggests creating a /etc/udev/hwdb.d/*.hwdb file.

Re: Firefox pausing network activity during vt-switch / screenlock

[Max Nikulin]

On 06/10/2024 03:04, Mike Castle wrote:

For me, the biggest signal is GMail and similar apps will go into a
"You are not online" state.


Web applications may intentionally use various tricks to detect idle 
even though the following API is unavailable in Firefox



Paused downloads is a more apparent symptom, however I have not tried to 
reproduce it (I prefer wget that sets file modification time accordingly 
to Last-Modified header).


Firefox generates events in response to connection changes in 
NetworkManager:

Re: Firefox codecs

[Max Nikulin]

On 05/10/2024 01:18, Bruno Schneider wrote:

I noticed that
about:support#media  shows "AAC SW" at the working machine and shows
nothing related to AAC at the faulty one.


Do you have libfdk-aac2 or gstreamer1.0-fdkaac (non-free) installed? It 
may depend on whether PipeWire or PulseAudio is used.


Another thread from August, 2024, however AAC was not the main topic there:

"Re: Firefox doesn't want to see Pulseaudio"

Re: Reading an old HDD

[Max Nikulin]

On 05/10/2024 11:15, Will Mengarini wrote:

* Max Nikulin [24-10/05=Sat 10:48 +0700]:


Try to connect the enclosure without the disk.  It may appear
in lsusb output and may generate some journalctl logs.


That's a clever idea, but it will be a while before I
can carefully unscrew the disk from the enclosure to try
it.  First I need to try to restore from older backups.


I have no idea what steps you may try without disassembling the 
enclosure. Perhaps the issue is either data or power connectors inside.


HDD should generate specific noise when spinning up, then there should 
be something like clanks due to heads unloading/loading. Do you hear it?

Re: Virtualization of Windows XP

[Max Nikulin]

On 04/10/2024 20:56, Gary Dale wrote:
I found another issue on one of the machines - spice was no longer 
supported either


I still use spice (remote-viewer from virt-viewer) for Linux guests on 
bookworm, but I start qemu directly with "-display spice-app,gl=on". I 
have seen notices that it is deprecated though.

Re: Reading an old HDD

[Max Nikulin]

On 04/10/2024 14:19, Will Mengarini wrote:

* Ash Joubert [24-10/04=Fri 16:38 +1300]:

- Do you see anything in "journalctl -f" when you plug in the USB enclosure?


No output when I unplug it and replug it.


Do you start "journalctl -f" as root (e.g. sudo)? It is rather strange 
that nothing is logged at all. I would expect at least some errors. It 
may be some issue with cables.


Have you tried other USB ports? USB3/USB2, some ports may provide higher 
current.


Save output of of the following command to files when the enclosure is 
disconnected and connected and compare results


lsusb -vt | tee /tmp/disconnected.txt
lsusb -vt | tee /tmp/port1.txt

Try to connect the enclosure without the disk. It may appear in lsusb 
output and may generate some journalctl logs.

Re: Firefox pausing network activity during vt-switch / screenlock

[Max Nikulin]

On 02/10/2024 10:13, Raj Kiran Grandhi wrote:


Firefox (and thunderbird, as well) seems to be pausing all network
activity when doing a vt-switch or user-switching or locking the
screen.

[...]

Chromium, on the other hand appears not to suffer from this issue and
the download progresses during screen lock / vt-switch.


Likely it is better to search on sites more specific to mozilla and ask 
there.


I hope, you tried Chromium on the same machine. E.g. NetworkManager has 
an option "All users may connect to this network".


The symptom sounds like expected behavior for audio, but not for network 
(uaccess feature of udev and systemd-logind).


Are there suspicious error or log messages 
()? In addition Mozilla has its 
own "console" [Ctrl+Shift+J].

Re: I can't setup my LG-HBS-XL7 bluetooth headset with "headset" used for both output and input

[Max Nikulin]

On 03/10/2024 03:55, tom arnall wrote:
I can't setup my LG-HBS-XL7 bluetooth headset with "headset" used for 
both output and input.


It was working a week ago:

On 25/09/2024 02:27, tom arnall wrote:

When I set output to headset and then set input to headset, the output
setting immediately changes to handsfree, which produces only a hum in mono


Mono is expected for handsfree (HSP and HFP profiles).

What Bluetooth profile and codec you expect to get working for 
bidirectional audio?

Re: Virtualization of Windows XP

[Max Nikulin]

On 03/10/2024 07:14, Gary Dale wrote:
host does not support domain type kvm with machine "pc-0.12' for 
virtualization type 'hvm' with architecture 'x86_64'

[...]

I haven't tried using the Windows XP VMs in years,


I have never tried virt-manager, so I have no idea what 'hvm' may mean.

Support of pc-0.12 might be dropped some time ago. At least it is not 
listed in


qemu-system-x86_64 -machine help

I would check qemu release notes and would try another machine type 
(with a copy of the image file).

Re: boot Debian Gnome, Debian KDE, and Mate, XFCE

[Max Nikulin]

On 28/09/2024 22:04, George at Clug wrote:

To get the earlier installations to discover the later installed
installations, I ran grub-mkconfig


I have never tried it, but my impression is that in the case of UEFI 
boot, rEFInd may detect installed OSes dynamically without explicit 
configuration.

Re: boot Debian Gnome, Debian KDE, and Mate, XFCE

[Max Nikulin]

On 27/09/2024 18:53, George at Clug wrote:

3) I am not confident that constant switching between display manager,
e.g. LightDM, SLiM, XDM, GDM, SDDM, KDM, Ly will not cause issues.
Besides the frustration of changing the configuration each time you want
  to jump into another DE.


Is it really necessary to switch DM to start another DE? OK, when I 
tried GNOME last time ~3 years ago on Ubuntu, there was vendor lock-in 
to GDM due to usage of some API outside of XDG specs. I faced some 
issues with GDM (so I am avoiding it), but it was possible to use 
another session type. LightDM and SDDM have menus to select session type 
as well.


I would avoid using the same home directory for running different 
versions of some application (different distributions or 
stable/unstable), but I do not expect much issues after logging in with 
different session type from the same installation.


Certainly "clean" GNOME and KDE installs and a mixed case may reveal 
different bugs. An intermediate approach is to create a user per DE.



4) Logging into different DEs does not provide for Windows/Arch
Linux/Ubuntu/Linux Mint/Manjaro multiboot scenario.


I just expect that more corner cases might arise for booting multiple 
variants of specific distribution than for different distributions.



Booting into completely different installations on different disk drives
  works very well,


I am completely confused. From my point of view it is in contradiction with


I have often wanted to boot several Linux distributions, but have failed
to dual or multi boot from multiple Linux installations.


Does it mean that you physically replace drives instead of configuring 
UEFI or Grub menu?

Re: can't get the sound settings stable for my headset

[Max Nikulin]

On 27/09/2024 06:47, tom arnall wrote:
the hardware is a bluetooth headset  LG-HBS-XL7. thanks for getting back 
to me.

___
Hopefully Kamala Harris will be a president whom all of us end up both 
respecting and loving. If God-centered people are working for her, the 
chances of that happening will increase. https://events.democrats.org 


Looking at the proportion of given input, I am in doubts what I am 
supposed to search for at first: what decisions Kamala Harris made in 
the past (besides I am not a US citizen, see


Monthly FAQ for Debian-user mailing lists) or what codecs are supported 
by some headset that I have no plans to buy.

Re: Change file picker in browsers

[Max Nikulin]

On 27/09/2024 21:01, J wrote:


So, is there a way to change the file picker in browsers?

Recently i have switched from Gnome Files (Nautilus) to Thunar.


I expect that to use thunar as a file picker it should provide file 
picker desktop-portal D-Bus interface and DE should allow alternative 
desktop-portal implementations. There are some packages for KDE, GNOME, 
etc. Just a data point: Chromium from Debian repositories uses KDE file 
picker out of the box.


The idea behind desktop-portal is to make some files accessible for 
sandboxed applications (flatpak, snap) that has no direct access to 
whole filesystem. Likely bind mount to a temporary path under /run/user 
is used before an application may use system calls to read/write a file.


As to configuration, I may add nothing to the message by Geoff.


|$ xdg-mime query default inode/directory thunar.desktop|


Perhaps for Firefox it affects "Show in Folder" for downloads.

Re: Re： Is there any way to STD in Debian?

[Max Nikulin]

On 26/09/2024 21:36, YOYO wrote:
The Debian 12 is running in VirtulBox 7.0.20. And I only assigned 2048 
MB RAM to it.

[...]

All I can do is to fouce power-off and re-start it, just to found all running 
tasks gone.
Have you read logs from the previous boot ("journalctl -b -1" as root)? 
Are you sure that Debian was not running? I would arrange port 
forwarding and would try to connect to VM using ssh to confirm that it 
is not a GUI issue.


I have no idea if some stuff like virtualbox guest additions might be 
involved.

Re: boot Debian Gnome, Debian KDE, and Mate, XFCE

[Max Nikulin]

On 26/09/2024 04:19, George at Clug wrote:

Grub did not find other existing Linux distributions. Found Windows, but not 
other linux distributions.


The following has been discussed on debian-user:

"GRUB no longer runs os-prober by default"
However I have no ideas since Windows is added to *grub* menu.


I did not try hard to determine the reason. I decided if it did not work, don't 
pursue the issue.


Then there is nothing to discuss.


I do not expect serious issues with multiple Linux flavors. Perhaps
installer should be switched to expert mode to adjust some defaults.


I do use expert mode when installing Debian.


Have you managed to disable ESP and to avoid updating NVRAM (assuming 
UEFI, not BIOS)?

Re: can't get the sound settings stable for my headset

[Max Nikulin]

On 25/09/2024 14:24, Anssi Saari wrote:

Max Nikulin writes:


On 25/09/2024 02:27, tom arnall wrote:

immediately changes to handsfree, which produces only a hum in mono


Is it a Bluetooth headset? That case see Debian wiki for limitations.


Which part of the wiki? There seem to be a bunch of bluetooth pages in
the wiki but searching for bluetooth limitation doesn't seem to return
anything relevant.


https://wiki.debian.org/BluetoothUser/a2dp

I admit, page name is a bit confusing in the context of headset.

Specific device may support only speech-grade bidirectional codecs. 
There may be issues with support of specific codec in PulseAudio or in 
PipeWire. However GNOME has hard dependency on PipeWire and in bookworm 
it supports more codecs than PulseAudio. LC3 requires adjustment of 
bluez configuration.


I am unaware of a tool that may report all codecs supported by device. 
pactl shows only codecs supported by pipewire/pulseaudio.


However we still do not know if it is USB, Bluetooth, or a dumb headset 
with audio jack.

Re: can't get the sound settings stable for my headset

[Max Nikulin]

On 25/09/2024 02:27, tom arnall wrote:

immediately changes to handsfree, which produces only a hum in mono


Is it a Bluetooth headset? That case see Debian wiki for limitations.

boot Debian Gnome, Debian KDE, and Mate, XFCE (was: Re: Finding/creating Debian documentation for an unserved audience)

[Max Nikulin]

On 25/09/2024 04:52, George at Clug wrote:

An other example would be to boot Debian Gnome, Debian KDE, and Debian Mate, 
Debian XFCE.


What issues you have faced trying to install multiple desktop 
environment to the same Debian installation? Display managers allow to 
select session type before login (but some can not remember per-user 
preferences).


I do not expect serious issues with multiple Linux flavors. Perhaps 
installer should be switched to expert mode to adjust some defaults.


If you still prefer to have independent Debian installations then in the 
case of UEFI and shim-signed+grub-efi-amd64 (for Secure Boot) on the 
same ESP partition see


[SUMMARY] Re: UEFI multiboot. Sat, 14 Sep 2024 10:59:29 +0700

You need grub 2.12 from bookworm-backports and custom GRUB_DISTRIBUTOR 
in /etc/default/grub.


Despite in that thread I was trying to concentrate on selecting OS from 
UEFI firmware menu, Felix Miata repeatedly insisted on using grub menu 
for this purpose. In your case grub menu may be easier to maintain. 
Perhaps Felix may provide more details now to do it conveniently.

Re: How to generate a certificate for an HP printer?

[Max Nikulin]

On 23/09/2024 02:02, Charles Curley wrote:

Networking -> Certificates -> Configure

That gives me several options. I then selected "Create a New
Self-Signed Certificate". That updated the certificate. I now cannot
print on that printer,


It is expected. Why your system should trust some new (and thus unknown) 
certificate having unclear origin?



Or I could select "Create a Certificate Request" and hit Next.


This option is for admins running local Certificate Authority. 
Certificate request must be signed by some Certificate Authority and you 
need to have the root certificate of that Certificate Authority 
installed on your machine.



I'm rather frustrated and annoyed.


Seek for CUPS docs how to install a self-signed certificate that you may 
obtain from your printer.


For system-wide certificate management see
/usr/share/doc/ca-certificates/README.Debian

Perhaps you might disable TLS in your printer configuration, but I have 
no idea what degree of security you wish to have.

Re: Chrome OS Flex on ThinkPad Edge E530

[Max Nikulin]

On 21/09/2024 16:35, Roberto Catanuto wrote:

Hi, the truth is I use Chrome OS Flex on TP Edge E530.

[...]
Even when the good old laptop is connected to the power supply, the 
battery begins discharging after about one hour.

[...]

Do any of you have suggestions about solving this mystery ?


If google allows it, try

grep '' /sys/class/power_supply/*/*

to see some numbers related to the battery an perhaps to the AC power 
supply. Otherwise boot a Linux live image (e.g. from USB) and try the 
same command and a one that may present battery state in a more readable 
form:


upower --dump


The charger is fine when used in another laptop.


Another laptop may be power hungry in less degree. It is better to try 
another power supply with this laptop in addition.


My experience is that if AC adapter is put into a bag twice a day then 
it has to be replaced or repaired after a couple of years due to cable 
wearing. Additional resistance of about ~1 Ohm due to broken wires at a 
bending point is enough to cause issues under some CPU load. In my case 
first symptom was some noise on an external monitor connected by a VGA 
cable, so I suspected a more severe problem.

[SUMMARY] Re: UEFI multiboot

[Max Nikulin]

Avoid setting non-standard GRUB_DISTRIBUTOR in /etc/default/grub if you 
use Debian 12 bookworm with enabled Secure Boot and signed grub image 
from Debian. Alternatively install grub-2.12 from backports.



On 23/08/2024 11:39, Felix Miata wrote:

I don't know what vexing secure boot might introduce, but without it,
GRUB_DISTRIBUTOR= was used by grub-install in Trixie here to produce
results I expected:


There is significant difference in patches for grub-2.12 in trixie and 
for 2.06 in bookworm. In the case of Secure Boot, grub-install copies 
signed grubx64.efi instead of generation of an image specific to the 
machine.


On 30/08/2024 23:09, Max Nikulin wrote:
I have tried some variants of full shim+grub signed configurations on 

[...]
grubx64.efi (v2.06) from Debian bookworm has no problem with reading 
grub.cfg placed in the same directory and directory name does not matter.


grubx64.efi (v2.06) from Ubuntu 20.04 focal reads config file strictly 
from EFI/ubuntu/grub.cfg.


If there is EFI/debian/grub.cfg then it has higher priority than the 
file from the directory from where grubx64.efi is loaded. Loading config 
file from a custom directory looks like an unintentional behavior.


I have not figured out what specific patch causes the difference. A lot 
of lines are changed. I do not think it is a security measure.


The difference of grub-2.06 behavior between Ubuntu and Debian are 
caused by build script, not by patches. It is a result of an attempt to 
fix issues with Unicode characters. Relevant changes:


grub2 (2.06-14) experimental; urgency=medium

* Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary

 -- Julian Andres Klode   Mon, 19 Jun 2023 17:26:49 +0200

grub2 (2.06-6) unstable; urgency=medium

* Include fonts in the memdisk build for EFI images.
  Closes: #1024395, #1025352, #1024447

 -- Steve McIntyre <93...@debian.org>  Sun, 04 Dec 2022 20:42:23 +

Bookworm currently have 2.06-13 and in 2.06-14 config should be loaded 
strictly from EFI/debian/grub.cfg.


The script written for booting from CD or a similar media
<https://sources.debian.org/src/grub2/2.06-13%2Bdeb12u1/debian/build-efi-images/#L64>
accidentally got bundled into regular images
<https://sources.debian.org/src/grub2/2.06-13%2Bdeb12u1/debian/build-efi-images/#L240>
Since 2.06-14 a dedicated squashfs image has been provided for fonts, so 
the config search script is not a part of prebuilt images.



Perhaps something is broken in attempts to improve booting from network.


I wrote "broken" describing Ubuntu-20.4 behavior where custom 
GRUB_DISTRIBUTOR may cause failure to boot. I consider 2.06 broken in 
Debian now. However patches making it possible in 2.12 are really 
related to network

<https://lists.nongnu.org/archive/html/grub-devel/2023-01/msg00012.html>
A one setting fw_path and
<https://sources.debian.org/patches/grub2/2.12-5/network/try-prefixes-for-tftp-config-file.patch/>

They have not been included into the upstream repository. Debian 
changelog entry is


* Port UEFI based network stack to 2.12 (LP: #2039081)


A couple of problems that I have noticed in bookworm:

1. When /usr/lib/shim/BOOTX64.CSV is installed, bootloader id in it is 
not adjusted. As a result if additional removable path EFI/BOOT is used 
then there is a chance that fbx64.efi will create "debian" boot entry, 
not the name specified in GRUB_DISTRIBUTOR


2. It is not apparent that after modifying GRUB_DISTRIBUTOR it is 
necessary to create the directory with matched name in /boot/efi/EFI. 
Otherwise "dpkg-reconfigure grub-efi-amd64" does not run grub-install. I 
would prefer to have an explicit setting instead of relying on presence 
of a directory.


3. EFI/debian/grub.cfg has highest priority, so if bookworm is installed 
in parallel with another Debian then neither must have 
GRUB_DISTRIBUTOR=debian. Moreover grub.cfg likely may be found on some 
other disk (e.g. a USB pendrive) having .disk/info. The version from 
backports should help.


I believed fixed .cfg path is a UEFI 
limitation or at best an inherent grub limitation.


I have realized that shim can not work if it can not load grub from the 
same directory. Perhaps it really happens in some cases.


<https://www.gnu.org/software/grub/manual/grub/html_node/cmdpath.html>
in Special environment variables

15.1.4 cmdpath
The location from which core.img was loaded as an absolute directory
name (see File name syntax). This is set by GRUB at startup based on
information returned by platform firmware. Not every platform provides
this information and some may return only device without path name.


For EFI platform the required function is implemented (for many other 
platforms it is not), however there are enough code paths when it may 
return without providing a usable value.


At first glance shim really loads files using relative paths while grub 
tries to obtain absolute path

Re: [fixed]Re: startx returns "Xf86EnableIO: failed to enable I/O ports 0000-03ff"

[Max Nikulin]

On 13/09/2024 21:09, Pierre Willaime wrote:
I do not think it was related to non-free-firmware repository (Here is 
my sources.list below)


deb http://deb.debian.org/debian bookworm main contrib non-free 
non-free-firmware


It seems repositories are properly configured. In general however "apt 
policy" (with no package names) is a more reliable way to inspect actual 
configuration.


In bookworm, i915 firmware is in firmware-misc-nonfree, later the 
package has been split into several parts. If everything is working fine 
then it should be installed. update-initramfs, e.g. during installing of 
kernel update, warns if some firmware files are missed. drivers may warn 
concerning firmware issues during boot as well.

KDE, switching users (was: Re: Circumventing keyboard problem on Lenovo R64)

[Max Nikulin]

On 12/09/2024 21:54, Hans wrote:
If someone might also confirm of this little bug I mentioned here and 
knows better than me, he may just file a little bugreport to the 
developers of KDE. Maybe he also nows a little workaround???


[Ctrl+Alt+F8], [Ctrl+Alt+F7] work fine for me to switch between user 
sessions (minimal KDE, LightDM, amdgpu). I usually start new sessions 
using "dm-tool switch-to-user USER", sometimes I do it from KDE screen 
locker. I have not noticed any issue with unlocking user session from 
kscreenlocker password prompt or from lightlocker for fluxbox.


However what is broken in bookworm is unlocking user session from DM 
login prompt. Sometimes existing session is terminated and I have to 
login again. I have seen it with LightDM and SDDM, in qemu and without 
virtualization. A workaround is to leave DM greeter running after logout 
and to switch to another session using [Ctrl+Alt+F].


On my old laptop LightDM greeter reliably switches to the plasma session 
started for the selected user and unlocks that session. Currently 
Kubuntu-20.04 is installed and I do not remember any problem with 18.04 
or 16.04.

Re: startx returns "Xf86EnableIO: failed to enable I/O ports 0000-03ff"

[Max Nikulin]

On 11/09/2024 22:22, Greg Wooledge wrote:

On Wed, Sep 11, 2024 at 17:16:37 +0200, Pierre Willaime wrote:

systemctl status dbus.service  shows dbus is not active ("failed") and I have 
this message

Failed to start message bus: Circular inclusion of file 
'/etc/dbus-1/system.conf'



hobbit:~$ grep -r -F system.conf /etc/dbus-1
hobbit:~$


grep -r system.conf /usr/share/dbus-1/
/usr/share/dbus-1/system.conf:  ignore_missing="yes">/etc/dbus-1/system.conf


I do not have this file as well. I suggest Pierre to compare config 
files of live and installed environments.


I recommend to read

and the similar document for bullseye. My guess is that the 
non-free-firmware repository may be missed on this machine and it may 
have impact on issues with Xorg.

Re: startx returns "Xf86EnableIO: failed to enable I/O ports 0000-03ff"

[Max Nikulin]

On 09/09/2024 03:48, Pierre Willaime wrote:

Thanks. My user was *not* member of the 'input' group.

I made the change but it does not fix my issue (startx returns still an 
error, see my other email).


Have you tried to boot from a live media? It should help to determine if 
your problem is caused by unsupported upgrade path. Are there any 
errors, warnings, or suspicious messages in "journalctl -b" output 
(executed as root)?


My expectation that udev and systemd-logind "uaccess" feature should 
grant necessary permissions to the current user.

Re: BASH reference for those who are "learning by doing"?

[Max Nikulin]

On 08/09/2024 04:22, Richard Owlett wrote:


[My examples are from my experiments with re-formatting
text at https://ebible.org/engkjvcpb/ for comfortable reading by fellow 
tri-focal wearing senior citizens - that I want to minimize the number 
of HTML tags & eliminating all CSS usage annoys some HTML5 purists ;]


Instead of BASH and regular expression use some programming language 
where a reliable HTML parser is available. E.g. in python you may use 
lxml.html.html5parser, lxml.etree.HTMLParser, BeautifulSoup.


Calibre aggressively strips CSS and some markup during conversion of 
HTML pages to various ebook formats.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 06/09/2024 14:53, Thomas Schmitt wrote:

i wrote:

I let xorriso-dd-target use
bs=1M oflag=dsync


Max Nikulin wrote:

May too small bs value cause write multiplication if internal flash erasure
block size is much larger? [...] My concern is wearing,


Is there evidence that sync size a smaller than such an internal size
is harmful ?


It is no more than my guess. My expectation that some flash firmware may 
respect explicit syncs.



Sequential writing by dd would well fit into such a caching strategy.


...unless explicit syncs force writing received data. Sequential writing 
with frequent syncs should not be an issue (besides some buggy devices) 
if the drive has been fully erased in advance. I am unaware how to erase 
a USB pendrive or a SD card. Perhaps some vendors provide special tools.


My hypothesis is that writing to 8MiB erase block in 1MiB chunks over 
old data may result in

- erasure or next free segment
- write 0 new data, 1-7 old data
- erasure or next free segment
- write 0-1 new data, 2-7 old data
...
- erasure or next free segment
- write 0-6 new data, 7 old data
- erasure or next free segment
- write 0-7 new data
Of course, firmware may react on syncs in a different way.


Max Nikulin wrote:

I have no idea if firmware may perform
partial overwrites without apparent impact on speed.


Is there evidence ?


No.


I know from own experiments that very small sizes like bs=512 cause slow
copying with and without oflag=dsync. Also very large sizes yielded less
throughput than bs=1M. (My sample set of USB sticks used is small.)


I have only a few USB sticks and SD cards as well and I use some of them 
for backup, some are rather old. That is why I asking questions rather 
than making statements.


Are there confirmed cases when dd with fixed bs works faster (or more 
reliable) than cp built-in strategy? Of course, it better to have some 
evidence that dd bs=1M may cause negative impact as well.


Due to my preference to non-destructive way of making bootable media, I 
unlikely will be a source of data points. I noticed that people were 
arguing concerning oflag=sync so I expected that they may provide more info.



 From my point of view, simple cp suggested by the install guide
is quite reasonable in comparison to dd.


cp is not suitable for erasing the last block of the USB stick where the
header of the backup GPT may reside, if the stick was GPT partitioned.


It is a perfectly valid case of dd usage. However I do not expect that 
many users have GPT partition table on USB pendrives, so cp should be 
suitable for the install guide. On the other hand, some may forget about 
their experiments, so the additional measure is suitable for scripts and 
for troubleshooting docs.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 06/09/2024 14:53, Thomas Schmitt wrote:

Jeff wrote:

I've run into this situation (more than once)... `dd` fails to write a
bootable image with a block size of 1M. But using a block size of 512
results in a bootable image. It used to happen regularly on arm dev
boards, like BeagleBoards and CubieTrucks and Wandboards.

I would be interested in more details (error messages ? no booting ?).


My expectation is that "boot" is not really relevant here. Verification 
of written data should fail. The question if it is an issue with flash 
firmware or with a board where dd was running. Comparison of original 
image and data read back may reveal some pattern of corrupted bytes. 
Another variant that flash firmware could not tell the host to wait till 
a portion of data was actually written.


I would be really surprised if reading resulted in exactly same data, 
attempt to boot from the device failed.

Re: Why are module parameters under /etc/modprobe.d not respected?

[Max Nikulin]

On 03/09/2024 22:51, ael wrote:


I have /etc/modprobe.d/snd-hda.conf
which specifies:
options snd_hda_intel id=[HDMI,PCH] index=1,0

[...]

Maybe there are some release notes that I have failed to read? Can
anyone point me in the right direction? (If the direction is Devuan,
I have already moved on other boxes...)


Have you read log messages reported by journalctl? There is a systemd 
unit to load modules, but I expect that this one should be autoloaded in 
response to an udev event.


Recently there was a long thread with rant on sysctl and an old 
configuration file. I have not idea if a similar issue may happen with 
modules configuration and dropping legacy config files.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 05/09/2024 16:25, Thomas Schmitt wrote:

I let xorriso-dd-target use
   bs=1M oflag=dsync


May too small bs value cause write multiplication if internal flash 
erasure block size is much larger? I have seen claims that it can be 
e.g. 12M


I have an impression that actual value is not exposed, so it is unknown 
to kernel. My concern is wearing, I have no idea if firmware may perform 
partial overwrites without apparent impact on speed.


Are you against "sync" command because it syncs all drives, not the 
specific one (besides smooth progress report)? If USB mass storage 
driver does not allow to turn port power off before write completion 
then it might be a workaround. From my point of view, simple cp 
suggested by the install guide is quite reasonable in comparison to dd.


Another my question is concerning reading of media and -x argument of 
isosize. Is it really necessary? I can not figure out what corner cases 
are not covered by "head -c BYTES /dev/sdc".

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 03/09/2024 00:11, The Wanderer wrote:

On 2024-09-02 at 12:51, Lee wrote:

On Mon, Sep 2, 2024 at 5:25 AM Thomas Schmitt wrote:


MS-Windows can eject a stick ?

[...]

(Sorry i could not refrain from this nonsense :))


but it isn't nonsense.  Welcome to the world of Windowz, where one
'ejects' a USB stick and then gets a pop-up saying something about
safe to remove the hardware now.

[...]

My understanding is that when you tell Windows to "eject" removable
media, it does whatever is necessary to prepare that media for clean
removal.


GNOME uses "eject" as well:

So users should be familiar with the word in this particular context.


I have always treated the *nix equivalent to "eject", for the purpose of
a USB flash drive, as being 'umount /path/to/mount/location' - which, if
I'm not mistaken, does include an implicit sync operation.


Dolphin (KDE) "Safely remove" additionally switches off power on the USB 
port. In the case of CLI it is


udisksctl power-off -b /dev/sdb

(or uhubctl, direct writing to /sys/bus/usb/devices/**/power, etc.)

I find it a reasonable measure in the case of a spinning external HDD to 
ensure that it is stopped. Another rule is to unplug it from the laptop 
USB port at first (without touching HDD) and only then detach the cable 
from the HDD case.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 04/09/2024 15:17, Thomas Schmitt wrote:

I tried "*" for bullet list. But it works only for a single line,
not for a multi-line text paragraph as on
   https://www.debian.org/CD/faq/#verify


I do not see anything special there. I have tried to convert to a bullet 
a random paragraph from the new page and I do not see any issue with 
generated HTML (in preview):


 * To verify the downloaded ISO image file, compute the checksum of the
 ISO image files by a tool such as "sha512sum" and "sha256sum".
 A successful verification looks like the following program run.
 (The $-sign is shown as example of the shell prompt, which might look
 different on your system.):
 {{{
 $ grep ' debian-12.7.0-amd64-netinst.iso$' SHA512SUMS | sha512sum -c -
 debian-12.7.0-amd64-netinst.iso: OK
 }}}

 Another paragraph


I now sent a proposal to debian...@lists.debian.org :
  https://lists.debian.org/debian-cd/2024/09/msg00011.html


From my point of view, the proposed variant is too long for that huge 
enough page.


Perhaps check_debian_iso should be put into a VCS.

"shellcheck -e SC2006" (to silence complains concerning ``) suggests 
double quotes around "$file"


In /tmp/check_debian_iso line 153:
sum_from_file=`dd if=$file bs=2048 count=$blocks | $checksummer | head 
-1 | awk '{print $1}'`
 ^---^ SC2086 (info): Double quote to prevent 
globbing and word splitting.


On 03/09/2024 23:45, Thomas Schmitt wrote:

Interested people are invited to proof-read it


$ computed=$(dd if=/dev/sdc count=323072 bs=2048 | sha512sum | awk 
'{print $1}')


Should the command line be prefixed with "#" instead since regular user 
can not do it?


dd: failed to open '/dev/sdb': Permission denied

ls -l /dev/sdb
brw-rw 1 root disk 8, 16 Sep  4 17:27 /dev/sdb

On the other hand

$ sudo mount "$path_to_image_or_usb_device" "$mountpoint"

can be done as a regular user (an alternative is pmount)

udisksctl mount -b /dev/sdb1

or

udisksctl loop-setup -r --file debian-live-12.7.0-amd64-kde.iso
Mapped file debian-live-12.7.0-amd64-kde.iso as /dev/loop0.

udisksctl mount -b /dev/loop0p1

"d-live 12.7.0 kd amd64" is a bit weird from my point of view for the 
mountpoint, but unfortunately udisksd logic is hardcoded.


udisksctl unmount -b /dev/loop0p1
udisksctl loop-delete -b /dev/loop0

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 03/09/2024 23:45, Thomas Schmitt wrote:

due to popular resistence i created a new wiki page
   https://wiki.debian.org/VerifyISOImage

[...]

Regrettably i was unable to mimick the bullet list paragraphs of the FAQ


Do you mean something like
?
At first glance

 * Item
 {{{
 code
 }}}

results in proper HTML structure while

with

 * Item
 . {{{
  code
 }}}

renders the code as a separate  element.

Unfortunately it is not covered in .

I assume you were not trying to create

FAQ sections.


until a decision is made at debian-cd.


Please, drop a note here in the case of some progress.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 03/09/2024 03:32, Thomas Schmitt wrote:

Franco Martelli wrote:

consider to move that to a new wiki page with a title that
sounds like: "Verify authenticity of a Debian downloaded ISO image".

[...]

But i think there are some issues to address:

- How to generally advertise this page ?


Link it from articles having similar content or linking 
: JigdoOnLive, XorrisoDdTarget, 
DebianLive, CreateUSBMedia. The last one is referenced in the Debian 
install guide, so search engines should discover the new page.



- How to name it ?


ISOImageVerification, VerifyISOImage, maybe 
DebianInstaller/ISOImageVerification. I do not see a kind of portal for 
"debian-cd" or images.



- How to address all the stuff which is in
 https://www.debian.org/CD/faq/#verify


Do not try to cover everything exhaustively from the beginning. Just 
move the section from XorrisoDdTarget as a starting point.



So wouldn't it be better to start a petition at debian-cd mailing list
for an augmented https://www.debian.org/CD/faq/#verify ?


I do not read debian-cd, perhaps you know better if it should be done in 
advance of after creation of the draft. I think, 
, , and wiki 
articles should have mutual cross-links and wiki pages should be most 
detailed documents. E.g. primary value of 
 is fingerprints that can not be 
edited by community, however step by step guide is more suitable for wiki.


I recall there was a quite detailed post on debian-user last couple of 
years, but I am unsure I can find it. Perhaps


Thomas Schmitt to debian-user. Re: No Public Key. Mon, 14 Nov 2022 
09:19:29 +0100.



Another candidate is more brief:
Gökşin Akdeniz to debian-user. Re: No Public Key. Sun, 13 Nov 2022 
23:46:22 +0300.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 31/08/2024 14:07, Thomas Schmitt wrote:

https://wiki.debian.org/XorrisoDdTarget


Disclaimer: I prefer non-destructive way of making bootable media. For 
UEFI it is just copying files, for BIOS it requires some commands like 
syslinux and editing of grub configuration. Perhaps I just have not 
faced cases when it is not enough. That is why I do not expect that I 
will become a regular user of xorriso-dd-target.


If you prefer to keep the wiki page isolated, it is up to you. More 
people may discover it if e.g. CategoryDebianInstaller is added. Perhaps 
there is a better category.


On 02/09/2024 13:30, Thomas Schmitt wrote:

Thomas, are you intentionally linking raw man page instead of a
formatted > one [[DebianMan:xorriso-dd-target|xorriso-dd-target(1)]]?


Once it was intentional, when the package was only in Debian Testing
and no Debian online man page existed.


<http://manpages.debian.org/testing/xorriso-dd-target>
[[DebianMan:testing/xorriso-dd-target]]


where can learn about the style of a "Debian official" block or a
"See also" section ?


<https://wiki.debian.org/DebianWiki/EditorGuide#Debian_.22official_material.22_banner>

My point is that the purpose of your script is to enhance the recipe 
given in

<https://www.debian.org/releases/bookworm/amd64/ch04s03.en.html>
so this link is suitable to give more context

In my opinion, when a user asks a question similar to the one started 
this thread then a link to "Debian GNU/Linux Installation Guide" should 
be first answer. This time the XorrisoDdTarget wiki page was posted 
earlier, so a link to the installation guide will increase a chance to 
make users aware of this document.


On 02/09/2024 15:07, Thomas Schmitt wrote:

Max Nikulin wrote:

Is there a reason why the page is not cross-linked with
<https://wiki.debian.org/DebianInstaller/CreateUSBMedia>?

[...]

But i have few idea how i should motivate a link from XorrisoDdTarget,


My opinion is that simple "See also" section at the end is enough for 
curious users to discover alternatives. I do not consider CreateUSBMedia 
as a perfect article, but it has some value. More users notice it means 
more chances that it will be improved.


On 02/09/2024 18:01, Thomas Schmitt wrote:


i added a new section
   https://wiki.debian.org/XorrisoDdTarget#How_to_verify_the_result
instead of a mere link because i deem the Debian instructions too
scattered for being suitable for already puzzled and stressed users.


Notice that you have a mention of .sig files in the beginning.

Step by step instruction how to verify a downloaded image is valuable. 
Some time ago I was surprised that there is no one in Debian manual and 
wiki. However it does not specific to xorriso-dd-target, I would 
consider moving content to another article.


Another part is mostly troubleshooting for the case of firmware writing 
to EFI/. I can not imagine a case when it may provide something useful 
if actual issue is namely writing to a USB block device. Is there an 
article on debugging of installer images?


I do not insist on any changes. If you do not like linking to the pages 
I asked about, just ignore it.

Re: need help killing screen blanker

[Max Nikulin]

On 28/08/2024 01:58, gene heskett wrote:
wakeup time is 5 + seconds by which time a sleeve caught on a chuck jaw 
has already tried to rip an arm off.


Taking into account your approach to configure applications


so sudo chmod 644 /etc/xdp/autostart/xscreensaver.desktop


You need a larger red hardware button works independently of power 
saving and screen locking applications.

Re: Usage: "debian ... amd64-netinst.iso"

[Max Nikulin]

On 31/08/2024 14:07, Thomas Schmitt wrote:

i add my two cents:

   https://wiki.debian.org/XorrisoDdTarget


Thomas, are you intentionally linking raw man page instead of a 
formatted one

[[DebianMan:xorriso-dd-target|xorriso-dd-target(1)]]?
Is there a reason why the page is not cross-linked with
?

From my point of view this kind of pages should have links to the 
Debian install manual and to the Debian CD FAQ in either "Debian 
official" block or at least in the "See also" section".

Re: hunspell-gl does not match the description

[Max Nikulin]

On 31/08/2024 07:47, piorunz wrote:

On 31/08/2024 01:17, John E Petersen wrote:

I hand install my debian packages, and have an offline repository,
because garbage like this tends to slip onto my machine. This package
slipped in through firefox somehow,


No, Firefox did not do that. It cannot install packages in your system.


apt show firefox-esr-l10n-gl
...
Recommends: hunspell-gl-es | hunspell-gl

My guess is that either firefox-esr-l10n-gl was installed to improve GL 
support or the package was pulled by firefox-esr-l10n-all.

Re: UEFI multiboot

[Max Nikulin]

On 30/08/2024 23:42, Felix Miata wrote:

Max Nikulin composed on 2024-08-30 23:09 (UTC+0700):


How does grubx64.efi find where grub.cfg is located?


I don't know what doc might report this, but in a file viewer I see a string 
like
(,gpt7)/boot/grub) embedded in a vast sea of nulls 98% of the way into the file.


Does UEFI secure boot allows modification of some part of a signed .efi 
binary without invalidating its signature?


/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed is copied verbatim to 
EFI/*/grubx64.efi. I still believe there is a reason why 
"(,gpt7)/boot/grub" is written to EFI/*/grub.cfg when secure boot is used.

Re: UEFI multiboot

[Max Nikulin]

On 23/08/2024 11:39, Felix Miata wrote:

I don't know what vexing secure boot might introduce, but without it,
GRUB_DISTRIBUTOR= was used by grub-install in Trixie here to produce
results I expected:

[...]

# grep TOR /etc/default/grub
GRUB_DISTRIBUTOR="debian13"

[...]

├── debian13
│   └── grubx64.efi
├── opensuse


How does grubx64.efi find where grub.cfg is located? Is it compatible 
with Secure Boot? It is the reason why your experiment is not convincing.


I have tried some variants of full shim+grub signed configurations on 
the laptop with buggy firmware where I experienced troubles several 
years ago. The results have surprised me and they are the same as for 
qemu with OVMF instance.


grubx64.efi (v2.06) from Debian bookworm has no problem with reading 
grub.cfg placed in the same directory and directory name does not matter.


grubx64.efi (v2.06) from Ubuntu 20.04 focal reads config file strictly 
from EFI/ubuntu/grub.cfg.


I have not figured out what specific patch causes the difference. A lot 
of lines are changed. I do not think it is a security measure. Perhaps 
something is broken in attempts to improve booting from network.


There was a similar issue with Debian
https://bugs.debian.org/932966
and devuan still used EFI/debian when bootloader id "devuan" is used,
patches have not dropped (but perhaps just to avoid issues with existing 
installations).


A couple of problems that I have noticed in bookworm:

1. When /usr/lib/shim/BOOTX64.CSV is installed, bootloader id in it is 
not adjusted. As a result if additional removable path EFI/BOOT is used 
then there is a chance that fbx64.efi will create "debian" boot entry, 
not the name specified in GRUB_DISTRIBUTOR


2. It is not apparent that after modifying GRUB_DISTRIBUTOR it is 
necessary to create the directory with matched name in /boot/efi/EFI. 
Otherwise "dpkg-reconfigure grub-efi-amd64" does not run grub-install. I 
would prefer to have an explicit setting instead of relying on presence 
of a directory.


The main point is that I did not expect that Debian and Ubuntu may 
diverge in so subtle way. I believed fixed .cfg path is a UEFI 
limitation or at best an inherent grub limitation.

Re: emacs service and session start

[Max Nikulin]

Erwan, maybe you forgot to do disable/enable cycle after adjusting 
"[Install]" section of the unit configuration.


systemctl --user list-dependencies --reverse emacs.service

On 30/08/2024 19:19, Greg Wooledge wrote:

It's amazing how badly the systemd folks managed to break *everything*.

I'm pretty old-fashioned.  I use startx from a console login, and I
configure it with a ~/.xsession file which overrides the Debian stuff.


I have no idea if it is intentional, but emacs.service is not specific 
to graphical sessions. By default (when enabled) it is started even in 
the case of e.g. ssh login. So you may use single emacs daemon instance 
having multiple simultaneous logins. It is stopped on last logout. 
ssh-agent may be started after emacs and it is possible to notify emacs 
where is current agent socket.


Concerning graphical sessions, when you click in a browser on a link to 
download a document that should be opened in LibreOffice, should it 
inherit environment from browser or should it be started with clean 
session environment? What if the browser is running in a highly isolated 
sandbox and there is no LibreOffice in the accessible part of its 
filesystem? So some intermediate instance that can handle requests to 
launch other applications becomes necessary. Of course, new 
possibilities add some complexity.

Re: emacs service and session start

[Max Nikulin]

On 30/08/2024 18:45, Erwan David wrote:

On Thu, Aug 29, 2024 at 05:14:06PM CEST, Max Nikulin  said:


[Unit]
After=dbus.service ssh-agent.service
Wants=dbus.service ssh-agent.service
[Install]
WantedBy=
WantedBy=graphical-session-pre.target

[...]

The after/wants does not work (starnge since ssh-agent.service seems
to see the SSH_AUTH_SOCK variable.


Have you checked that emacs.service is started at proper moment 
(journalctl --user)? At first I did not add empty WantedBy and it caused 
earlier start of ssh-agent.service instead of delay of emacs.service.


It might be reasonable to start emacs from default.target, e.g. for ssh 
logins (however emacs.socket to start it on demand might be better) and 
updating environment using "emacsclient --eval" sounds viable.


Notice that other KDE-specific configuration (~/.config/plasma-localerc, 
~/.config/plasma-workspace/env) or ~/.profile sourced by SDDM may be 
ignored by emacs in the case of early start.

Re: emacs service and session start

[Max Nikulin]

On 29/08/2024 12:56, Erwan David wrote:

On Mon, Aug 26, 2024 at 06:13:23PM CEST, Max Nikulin said:

On 23/08/2024 23:30, Max Nikulin wrote:

It is started by /etc/X11/Xsession.d/90x11-common_ssh-agent


[Unit]
After=dbus.service ssh-agent.service
Wants=dbus.service ssh-agent.service
[Install]
WantedBy=
WantedBy=graphical-session-pre.target


After some investigations :

[...]

In the sourced snippets is /etc/X11/Xsession.d/90x11-common_ssh-agent

The effect is that if /etc/Xsession.options sets use-ssh-agent, it
starts plasma with the ssh-agent startplasmax11 command. Thus, systemd
is given the SSH_AUTH_SOCK variable (and the sock is at a random place
under /tmp)


I have had a look into startplasma sources. It pushes environment to 
systemd *before* initiating plasma-workspace-x11.target. (My additional 
interest was the following: If some variable is set in both ~/.profile 
and environment.d, what value wins?)



Setting no-use-ssh-agent in /etc/X11/Xsession.option is a no go : it
is also tested by ssh-agent.service


It seems /usr/lib/openssh/agent-launch checks /etc/X11/Xsession.options, 
but not /etc/X11/Xsession.options.d. However it would be a rather 
fragile hack.



Only solutions I see would imply modifying
/etc/X11/Xsession.d/90x11-common_ssh-agent, but is it a configuration
file ?


Ask "dpkg -s PKG" or dpkg-query with some options.

Do you really need emacs as a part of default.target and 
graphical-session.target is too late for you? The override for 
emacs.service, I posted earlier, should work otherwise.


As an alternative I would consider configuring either ssh-agent.service 
or a dedicated unit to execute in addition 'emacsclient --eval "(putenv 
...)"'. See emacsclient-mailto.desktop how escape argument for Emacs-28.

Re: Laptop keeps powering off

[Max Nikulin]

On 28/08/2024 07:52, Joe B wrote:

Here is journalctl -b -1

https://termbin.com/q6uw


It would be helpful if you describe specific of this boot.

If it is complete log then it looks like abrupt lost of power after 20 
min of working on battery. It may be battery failure of bad contact.


Were you monitoring battery charge level during this boot?

What was battery charge level immediately after next boot (assuming that 
the AC adapter was connected just before booting)?


Is the laptop able to boot without connecting of AC adapter after 
similar events? What is charge level and how long the laptop may run 
till next failure?

Re: need help killing screen blanker

[Max Nikulin]

On 27/08/2024 01:46, Thomas Schmitt wrote:

In these modern times, home office slave workers need ways to simulate
relentless activity. Google "mouse jiggler", "auto clicker".
There are mechanical mouse platforms, pseudo-mouse USB devices, and even
software emulated mice.


This case it would be enough to the mouse on the lathe. Its vibration 
should be enough.


I hope, xfce uses standard interfaces.

busctl --user introspect org.freedesktop.ScreenSaver \
  /org/freedesktop/ScreenSaver

org.freedesktop.ScreenSaver interface - --
.Inhibitmethodssu-
.SimulateUserActivity   method- --

Inhibit is active only while a process invoked it is alive, but there 
are off the shelf tools.


light-locker-command --inhibit \
--application-name "inhibit-dialog" --reason "User action" \
-- env WINDOWID= \
zenity --warning --title "Screen lock inhibited" \
--text "Activation of screen lock is suppressed"

As to monitor settings, perhaps they may be changed from its menu. If 
your are lucky then they are exposed to DDC control tools.

Re: Subscribing to bug updates.

[Max Nikulin]

On 27/08/2024 00:08, Tim Woodall wrote:

The emails
to control and to the bugs themselves all worked, it's only the emails
to the subscribe address that seem to have vanished.


It precisely describes my experience as well.

Re: Laptop keeps powering off

[Max Nikulin]

On 26/08/2024 00:37, Joe B wrote:

root@debian:~# journalctl -b --grep="acpi MSFT0101"
Aug 25 10:28:38 debian kernel: acpi MSFT0101:00: platform device
creation failed: -16


My impression is that some ACPI errors are not rare. I have no idea 
concerning severity of this one.


My question was if the laptop performs proper shutdown on battery. 
Perhaps a reason of shutdown is logged before.



temp1:+34.0°C
Package id 0:  +33.0°C  (high = +100.0°C, crit = +100.0°C)
Core 0:+32.0°C  (high = +100.0°C, crit = +100.0°C)
Core 1:+31.0°C  (high = +100.0°C, crit = +100.0°C)


No sign of overheating at this moment.


in0:  11.99 V
curr1:   650.00 mA

I did this all while the battery was unplugged and i hope it can shed
light on something


Voltage and current on battery is more interesting.

If the battery is detachable, are its contacts clean (no dust, deposit)? 
A guess is that "ranodm" power off may happen when you hold the laptop 
in some specific way and case bending causes bad contact.

Re: emacs service and session start

[Max Nikulin]

On 26/08/2024 18:37, Erwan David wrote:

On 23/08/2024 23:30, Max Nikulin wrote:


It is started by /etc/X11/Xsession.d/90x11-common_ssh-agent
The question is why emacs.service is started before
/usr/lib/openssh/agent-launch or plasma copies SSH_AUTH_SOCKET value to
systemd environment.

[...]

Alas it does not work.


Sounds like a race between code that copies environment and starting 
emacs. Have you tried to disable ssh-agent in Xsession to start it from 
systemd? Without it I am not sure that the following is really reliable:


[Unit]
After=dbus.service ssh-agent.service
Wants=dbus.service ssh-agent.service
[Install]
WantedBy=
WantedBy=graphical-session-pre.target

Re: nvidia package 340xx

[Max Nikulin]

On 23/08/2024 18:51, Hans wrote:


2. Enter the line for sid into your /etc/apt/sources.list

deb http://deb.debian.org/debian/ sid main contrib non-free non-free-firmware

[...]
5. Do NOT upgrade any other files! Do NOT aot upgrade or aptitude 
upgrade now although it will install many other packages. Ignore that! 
It will break your system!!


It is rather fragile and so rather dangerous.

Use apt pinning to decrease priority of packages from sid, see 
apt_preferences(5). Notice that APT::Default-Release is deprecated, set 
Pin-Priority instead.

Re: Laptop keeps powering off

[Max Nikulin]

On 25/08/2024 13:16, Joe B wrote:


root@debian:~# upower --dump

[...]

energy-full: 57.0714 Wh
energy-full-design: 61.32 Wh


So the battery has degraded a bit but capacity is still high enough. I 
hope it is reported correctly. There is no apparent sign of failure.


[...]

joe@debian:~$ grep '' /sys/class/power_supply/BAT1/*

[...]

/sys/class/power_supply/BAT1/uevent:POWER_SUPPLY_VOLTAGE_MIN_DESIGN=1095
/sys/class/power_supply/BAT1/uevent:POWER_SUPPLY_VOLTAGE_NOW=12469000


You may compare voltage to value when AC adapter is disconnected.

Another data point is charge level after failure and following boot with 
the AC adapter connected.



I boot this laptop everyday so there are a lot of entires for
journactl --list-boots
Any idea ?


You sent first message at Fri, 23 Aug 2024 15:11:36 -0700. Perhaps it 
was soon after failure. You may try to guess comparing time of first and 
last messages.


As to temperature, you may try "sensors" from the lm-sensors package. 
For hard drives "smartclt -x" may give even some history.

Re: Replying to a conversation (Thread)

[Max Nikulin]

On 25/08/2024 12:39, Joe B wrote:

On 25/08/2024 04:36, Joe B wrote:


IF i see a thread i want to jump into to help out how can i be part of
the conversation?

[...]

I gave up and now using K-9 mail and it seems to be working fine.


I use Thunderbird and IMAP for gmail. Perhaps I stressed too much on 
various issues. Threading works properly almost always.


There is a number of annoying bugs in Thunderbird, but I expect to face 
more inconveniences in other mailers.

Re: emacs service and session start

[Max Nikulin]

On 23/08/2024 23:30, Max Nikulin wrote:

On 23/08/2024 23:09, Erwan David wrote:
Ok, it could work, ilf only ssh-agent was not started with a random 
socket name...


And I do not see what starts it (I see the process ssh-agent 
/usr/bin/startplasma-x11 but I did not find which service starts it)


It is started by /etc/X11/Xsession.d/90x11-common_ssh-agent
The question is why emacs.service is started before 
/usr/lib/openssh/agent-launch or plasma copies SSH_AUTH_SOCKET value to 
systemd environment.


Looking into "journalctl --user -b" and checking environment of 
processes started before and after "Started dbus.service - D-Bus User 
Message Bus.", it should be enough to add a drop-in for emacs.service with


After=dbus.service
Wants=dbus.service

or Requires instead of Wants.

emacs.service may be started lazily by adding emacs.socket. However unit 
dependency should be explicitly set anyway.

Re: Replying to a conversation (Thread)

[Max Nikulin]

On 25/08/2024 04:36, Joe B wrote:


IF i see a thread i want to jump into to help out how can i be part of
the conversation?


If you are using gmail web UI and replying to a message from a mailbox 
then it should work, just use a proper button so send response to the 
mailing list, not a personal mail.


If you are using gmail web UI and trying to jump into a thread from an 
archive page, e.g.


then "reply to list" links would not work. Gmail ignores In-Reply-To 
query parameter of the link. Most of desktop mail clients should respect it.


Perhaps https://groups.google.com/g/linux.debian.user is a better 
alternative for web UI, but I have not tried it.


When replying from inbox, Gmail resets In-Reply-To and References 
threading headers when users edit subject field.



I noticed on the list there is a message id. is it possible to copy
the message id to the email so the chain just keeps going ?


My impression is that it is impossible in gmail web UI.

Be careful with setting In-Reply-To and References from Thunderbird. 
There is a bug in the 115 ESR version. If you desperately need it then 
save a draft message to a file, edit the file, open edited file from 
Thunderbird.

Re: Laptop keeps powering off

[Max Nikulin]

On 25/08/2024 02:31, Joe B wrote:

I will take the power cable off probably tomorrow or later on tonight.
When it happens i will run those commands and will report back to this
list


You can run that commands while AC power adapter is connected. It should 
allow to estimate if battery is still healthy.


For "journalctl -b -1" try different numbers (-2, -3, etc.) to find a 
boot log when the issue happened.

Re: Laptop keeps powering off

[Max Nikulin]

On 24/08/2024 05:11, Joe B wrote:


i've been having an issue where my laptop powers off randomly when
not connected to power. This has been happening since stable and
currently i'm on unstable. I would like to use my laptop without
power.


It is unclear what actually happens, so it may vary from hardware 
failure to intended behavior (shutdown after some timeout if battery 
level is too low). Did it happen before bookworm (current stable)? Is it 
proper shutdown or abrupt termination? Inspect last messages of


journalctl -b -1

executed as root.

You have not provided any details concerning battery state

upower --dump

or something like

grep '' /sys/class/power_supply/BAT0/*

Compare "design" values with full/max ones.

Re: emacs service and session start

[Max Nikulin]

On 23/08/2024 23:09, Erwan David wrote:
Ok, it could work, ilf only ssh-agent was not started with a random 
socket name...


And I do not see what starts it (I see the process ssh-agent 
/usr/bin/startplasma-x11 but I did not find which service starts it)


It is started by /etc/X11/Xsession.d/90x11-common_ssh-agent
The question is why emacs.service is started before 
/usr/lib/openssh/agent-launch or plasma copies SSH_AUTH_SOCKET value to 
systemd environment. You may try to suppress starting of ssh-agent 
through Xsession and use either ssh-agent.service or


systemctl --user list-sockets '*ssh*'
LISTEN   UNIT ACTIVATES
/run/user/1000/gnupg/S.gpg-agent.ssh gpg-agent-ssh.socket gpg-agent.service

[SUMMARY] Re: UEFI multiboot

[Max Nikulin]

On 22/08/2024 16:44, Felix Miata wrote:

That is written by any process that
reads GRUB_DISTRIBUTOR= to determine where to do its writing on the ESP.


To avoid confusion of those who may notice this thread in search engine 
results:


In Debian GRUB_DISTRIBUTOR value is *not* passed to "grub-install 
--bootloader-id" by postinst package scripts:




Notice

case $bootloader_id in
kubuntu) bootloader_id=ubuntu ;;
esac


that was added to prevent a secure boot issue.

Behavior of SUSE may be different.

I believe, a robust way would be to add grub-install option that reports 
path withing EFI partition configured at compile time, so heuristics 
based on GRUB_DISTRIBUTOR from /etc/default/grub would not confuse users.


*Signed* grub*.efi reads its config from EFI/debian/grub.cfg (that loads 
/boot/grub/grub.cfg) that is fixed when the binary is signed.

Re: UEFI multiboot

[Max Nikulin]

On 22/08/2024 16:44, Felix Miata wrote:

# ls -gG/boot/efi/EFI/opensusetw/
total 148
-rwxr-xr-x 1 151552 Aug 21 16:08 grubx64.efi


Am I right that you either do not use Secure Boot or generated a local 
key instead of/in addition to Microsoft and SUSE ones?


In the case of default or almost default install with a Debian key 
(mokutil --list-enrolled)


ls -gG /boot/efi/EFI/debian/
total 5960
-rwx-- 1 108 Oct  9  2023 BOOTX64.CSV
-rwx-- 1   87328 Oct  9  2023 fbx64.efi
-rwx-- 1 112 Oct  9  2023 grub.cfg
-rwx-- 1 4199872 Oct  9  2023 grubx64.efi
-rwx-- 1  849616 Oct  9  2023 mmx64.efi
-rwx-- 1  948768 Oct  9  2023 shimx64.efi

Shim and grub are shipped signed, so install-grub can not embed location 
of /boot/grub2/grub.cfg (search.fs_uuid) into grubx64.efi. So grub.cfg 
specifying a partition with /boot is written to EFI/debian/grub.cfg:


search.fs_uuid 12345678-90ab-4cde-f012-34567890abcd root
set prefix=($root)'/grub'
configfile $prefix/grub.cfg

I have found an upstream bug:


bug #57381: EFI image with wrong prefix when bootload-id is specified

that confirms that "debian" is fixed in the EFI/debian/grub.cfg path 
when grubx64.efi is taken from grub-efi-amd64-signed. I have no idea if 
EFI binaries can determine their own location to implement relative path 
for the configuration file. Depending on that hardcoded .cfg path is 
either grub or UEFI limitation.

Re: UEFI multiboot

[Max Nikulin]

On 22/08/2024 05:21, Felix Miata wrote:

My BBS menu contains 4 entries corresponding to output from efibootmgr,
with the highlight on the one beginning "opensusetw", as configured via
GRUB_DISTRIBUTOR=.


Or it just coincides with the configured value. My expectation is that 
EFI/opensusetw/grub.cfg is still hardcoded in your grubx64.efi. I tried 
earlier "install-grub --bootloader-id", but there was a pitfall in the 
case of enabled SecureBoot: grubx64.efi and grub.cfg were taken from 
different ESP directories that is not apparent in some cases.



My custom.cfg is 100% managed by me.

[...]

This is KISS applied to multibooting with UEFI.


Sorry, but this time I would prefer to leave aside grub configuration 
unrelated to UEFI. I have never had intention to dispute that it is 
possible to configure multiboot using grub. Multiboot using UEFI 
facilities directly is a bit different beast.



printf "GRUB_DISTRIBUTOR=%s\n" mydeb \
 >/etc/default/grub.d/distributor.cfg
update-grub
grep --count mydeb /boot/grub/grub.cfg
8


Do we know that the update-grub command normally writes to /boot/efi/EFI/,
and NVRAM (optional?)?


Actually I tried dpkg-reconfigure for grub and shim packages and your 
message made me thinking that you may correct me and may provide proper 
commands to configure *UEFI* boot menu.


From my old notes:

Re: UEFI multiboot

[Max Nikulin]

On 21/08/2024 11:25, Felix Miata wrote:

Max Nikulin composed on 2024-08-21 10:54 (UTC+0700):


I was experimenting trying to get 2
entries from the same vendor in the UEFI (firmware) boot menu and found
it tricky and inconvenient.


How so? I found it quite simple to edit /etc/default/grub and replace the 
default
value of GRUB_DISTRIBUTOR= to some unique string, e.g. "trixie" or "debian12",
then update Grub before doing second installation. What else did you find 
necessary?


Have I missed something or GRUB_DISTRIBUTOR affects *grub* menu, but not 
*UEFI* boot menu?


printf "GRUB_DISTRIBUTOR=%s\n" mydeb \
   >/etc/default/grub.d/distributor.cfg
update-grub
grep --count mydeb /boot/grub/grub.cfg
8

So the added option has been applied. However I have not noticed any 
effect related to UEFI configuration


efibootmgr -v | grep --count mydeb
0

iconv -f UCS-2 /boot/efi/EFI/debian/BOOTX64.CSV
shimx64.efi,debian,,This is the boot entry for debian

/boot/efi/EFI/debian remained as it was earlier.

My expectations for "UEFI/GPT were designed to support multi-boot" in 
the context of discussion of 2 Debian installations are the following:


- It is possible to create either EFI/mydeb or EFI/debian/mydeb on the 
ESP partition so that grubx64.efi from this directory may load grub.cfg 
from the *same* directory (path relative to the .efi binary). Currently 
.cfg path is a compile-time setting (EFI/debian/grubx64.cfg) for the 
sake of secure boot.

- boot menu entry with customized name is created (efibootmgr)
- name in BOOTX64.CSV is changed accordingly. This file is used by 
fallback fbx64.efi to create EFI boot variable when it is missed during 
boot. Currently it is not a configuration file and copied from 
/usr/lib/shim/BOOTX64.CSV (shim-unsigned).


I have not tried to dispute that it is possible to configure grub for 2 
Debian systems. I do not mind that UEFI allows to put boot files for 
different architectures and (besides removable media EFI/BOOT path) from 
different vendors. I still suspect it is a UEFI+SecureBoot design 
shortcoming that it is not possible to install the same loader (the same 
vendor) on the same ESP twice with different configurations.

Re: UEFI multiboot

[Max Nikulin]

On 20/08/2024 22:50, Nicolas George wrote:

Max Nikulin (12024-08-20):

Single EFI System Partition may contain loaders from different vendors, but
not 2 Debian systems installed on different partitions.


This is not true. The only problem you will have with this setup is that
you will need to install and/or configure the bootloader manually.


Do you mean 3rd party bootloader (e.g. grub)? I was responding to "AIUI 
UEFI/GPT were designed to support multi-boot". Custom configuration of 
grub (earlier lilo) was possible before UEFI and GPT.


Erwan posted directory tree for debian+ubuntu ESP, but it is a case of 
different vendors. Richard wants 2 variants of Debian (however UEFI may 
be irrelevant to that machine). I was experimenting trying to get 2 
entries from the same vendor in the UEFI (firmware) boot menu and found 
it tricky and inconvenient.


On 20/08/2024 23:28, Jeffrey Walton wrote:

Speaking of Secure Boot, this just made my radar:
<https://www.schneier.com/blog/archives/2024/07/compromising-the-secure-boot-process.html>.


When I noticed that news, I was curious if there is an alternative 
command to "efi-readvar -v PK" since I do not have the tool installed. It is


efi-readvar -v PK

I found it in
<https://github.com/fwupd/fwupd/issues/2695>
"Add test for detecting the "AMI Test PK" in the HSI"
opened 2020-12-18T19:23:10Z

The issue that is rather similar at first glance was filed 3.5 years 
before the latest discovery.

Re: configuring tigervnc-standalone-server to listen on LAN

[Max Nikulin]

On 21/08/2024 03:42, Gary Dale wrote:

$ systemctl status tigervncserver@:1.service
○ tigervncserver@:1.service - Remote desktop service (VNC)
  Loaded: loaded (/usr/lib/systemd/system/tigervncserver@.service; 
enabled; preset: enabled)
  Active: inactive (dead) since Tue 2024-08-20 15:52:31 EDT; 1min 4s 
ago

[...]

However I can run vncviewer localhost:5901 and connect as my user.


I hope you have tried "systemctl status" after vncviewer to be sure that 
systemd socket activation is not involved. I suspected that it is 
systemd, not any tigervnc binary that accepts client connection.


I have no idea if "/usr/libexec/tigervncsession-start :1" allows to 
create instance-specific configuration files.


You can override instance-specific systemd parameters in 
/etc/systemd/system/tigervncserver@:1.service.d/*.conf files (I hope :1 
does not need escaping).


It is better to query systemd runtime configuration than to rely on 
"find" or "dpkg -L". The following commands might help to figure out 
which way tigervnc is started


systemctl list-sockets '*vnc*'
systemctl list-units '*vnc*'
systemd-cgls
ps axuwf

and of course (as root)

journalctl -b

I am in doubts if some executable may explicitly call "systemctl start 
tigervncserver@:1.service"


Nowadays I do not see advantages of crontab @reboot over a systemd unit.

UEFI multiboot (was: Re: Default partition mounts [ "Installation Guide" lacks index ])

[Max Nikulin]

On 20/08/2024 11:27, David Christensen wrote:

AIUI UEFI/GPT were designed to support multi-boot


Single EFI System Partition may contain loaders from different vendors, 
but not 2 Debian systems installed on different partitions. EFI files 
are signed for Secure Boot, so vendor paths can not be easily adjusted. 
I have no idea how much trouble may cause multiple ESP on the same 
drive. I tried ESP on different drives and it works (HP firmware on a 
decade-old laptop is quite buggy in respect to boot configuration). 
Actually GRUB menu to load system from alternative partition is more 
convenient than firmware boot menu in my case.

Re: LXDE startlxde is resetting XDG_DATA_DIRS on Debian 12! (was Re: customize Debian 11 evironment in lightdm...)

[Max Nikulin]

On 19/08/2024 22:20, Giovanni Biscuolo wrote:

OK, so after this short recap to provide some context, this is the
head of the /usr/bin/startlxde script that starts an lxsession [3]:

[...]

export 
XDG_DATA_DIRS="/usr/local/share/:/usr/share/:/usr/share/gdm/:/var/lib/menu-xdg/"

[...]

Actually a Debian bug for this issue in package openbox-lxde-session
(that provides /usr/bin/startlxde) has been already filed on 2018-08-16,
so I'm not going to duplicate it:

[...]

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906288


You may inspect Debian patches for lxde-common or upstream sources to 
figure out the origin of that line and to report issue to upstream 
developers if it is not Debian-specific. However I am not sure that LXDE 
is actively maintained, so you may start to looking around for a 
replacement.


P.S. I have dropped guix from Cc.

Re: configuring tigervnc-standalone-server to listen on LAN

[Max Nikulin]

On 20/08/2024 05:15, Gary Dale wrote:
tigervnc-server has a command line option to listen to the LAN but the 
Debian systemd service configuration doesn't invoke the server program 
directly, so I'm not sure how to get the option to the vnc server.

[...]> This is the .service file:
[...]

ExecStart=/usr/libexec/tigervncsession-start %i


Try "systemctl cat" for the corresponding .socket file.

Re: Firefox doesn't want to see Pulseaudio

[Max Nikulin]

On 15/08/2024 20:51, Stefan Monnier wrote:


I do have it installed.  I also tried to install `libavcodec-extra` at
some point (when I saw that `mp4a-latm` 🙂), but it made no difference
of course.


You do not have AAC in the list of supported codecs and I am unsure if 
it is due to alsa backend or due to a missed package (libfdk-aac2, 
gstreamer1.0-fdkaac?).



Firefox exposes some codec info in about:support#media


Thanks.  When I "disable sandboxing" (by setting the three vars
I mentioned in my answer to Tomas) it says:


I would revert these settings to defaults unless you have confirmed that 
they are really necessary.



 Audio Backend: alsa


I have pulse-rust here. If you still have motivation to debug i386 vs. 
amd64 issue, have you tried to start firefox with a clean profile 
(--profile /some/dir)? Firefox may save at least some parameters related 
to video hardware (prefs.js, about:config). I have no idea if 
pipewire/pulse works reliably in mixed amd64/i386 environment.



[Child 13905, MediaDecoderStateMachine #1] WARNING: Decoder=7fe181797300 Decode 
error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - Error no decoder found for 
video/avc: file ./dom/media/MediaDecoderStateMachineBase.cpp:164


I would check if there are earlier messages related to audio backend, 
maybe during firefox startup. Perhaps verbosity of some component should 
be increased


https://firefox-source-docs.mozilla.org/xpcom/logging.html

usermod video,audio (was: Re: nvidia driver for GTX 970)

[Max Nikulin]

On 16/08/2024 06:15, George at Clug wrote:

usermod -a -G video,audio [myusername]


It should not be necessary. Udev and systemd-logind "uaccess" feature 
grants permissions to the current active user through ACLs.

Re: Firefox doesn't want to see Pulseaudio

[Max Nikulin]

On 15/08/2024 18:46, Stefan Monnier wrote:

Error no decoder found for audio/mp4a-latm

It relies on non-free AAC codec that you likely do not have installed.


That's a side-issue: the web page I pointed to has various videos in
various formats and none of them work (hence the error messages
mentioning other "decoder not found" mime types).


If you have libavcodec installed (from "Recommends") then it might be 
some testing issue. There is no problem in bookworm. Firefox exposes 
some codec info in about:support#media

Re: Firefox doesn't want to see Pulseaudio

[Max Nikulin]

On 15/08/2024 02:32, Stefan Monnier wrote:

Error no decoder found for audio/mp4a-latm


It relies on non-free AAC codec that you likely do not have installed. 
Perhaps chromium has a built-in implementation.

Re: Little typo bug - package unknown, kernel version unknown

[Max Nikulin]

On 08/08/2024 23:21, Hans wrote:

Although I owe several Samsung devices, they are all different models. So the
kernel will recognize each different.


lsusb reports vendor ID. If 2 devices have same number, but different 
manufacturer strings then "Sasmsung" is a device vendor bug (a fake?).


You may found USB ports in "lsusb -t" output and compare
/sys/bus/usb/devices/*/manufacturer
/sys/bus/usb/devices/*/idVendor
from different devices.

Re: Authenticator apps

[Max Nikulin]

On 08/08/2024 11:58, Jeffrey Walton wrote:


++. I find the W3C's clipboard API and event API very dangerous.


"clipboardchange" event is not supported making enough people unhappy. 
Reading/writing is protected by either user gesture context or by 
permissions. However a chance of unwanted access still exists.



One of the takeaways is, we need a "one shot copy/paste" that stops
sniffing and clears the clipboard after the users pastes the data so
that webapps that sniff the clipboard have no information to gather.


xclip has -loops, xsel has --selectionTimeout, you may choose any, but 
not both at the same time. I would still prefer direct insert into input 
field, something similar to on screen keyboard that types code. In the 
case of web forms browser extensions can do it.



Another takeaway is, you should never allow JavaScript on login pages.


I think, enough login pages would not work with disabled JS. Some of 
them have scripts making paste or password managers hardly usable.


Actually in respect to clipboard sniffing I am more afraid of *regular* 
pages. Some site may be compromised, some may accidentally allow script 
injection from user content.

Re: nouveau OK for GTX 970?

[Max Nikulin]

On 07/08/2024 23:19, e...@gmx.us wrote:

On 8/6/24 21:20, Jeffrey Walton wrote:


$ sudo lspci | grep -i vga


01:00.0 VGA compatible controller: NVIDIA Corporation GM204 [GeForce GTX
970] (rev a1)


The following command reports vendor ID and product ID pair

lspci -nn | grep -i vga

Using it you may try to find reports on 
https://linux-hardware.org/?view=search Logs may give some hints what 
driver should work (if there is any).

Re: Authenticator apps

[Max Nikulin]

On 07/08/2024 11:40, to...@tuxteam.de wrote:

In my threat model, if I already have an application running under
my own user ID, I call XKCD 1200 [1] on it.


Browser JavaScript API allows to read and write clipboard. It is 
protected to some extent by user prompts. On the other hand in ChromeOS 
most of applications are running in browser, so I will not be surprised 
if policy becomes more permissive some day despite developers are aware 
of related security issues.


Are you sure that you have never accidentally granted clipboard read 
permission to some frequently used web site?


So a threat may be outside of "traditional" local processes.

As to X11 protocol, it allows to grab focus, e.g. xterm supports it. 
Several years ago GNOME designers decided that their password prompt 
must be full screen modal dialogue that does not allow even mouse 
interaction with other applications (e.g. 3rd party password managers). 
On the other hand it does not protect against xinput debug tools running 
at lower level.

Re: Corsair mouse and UPower

[Max Nikulin]

On 08/08/2024 03:37, Celejar wrote:

Is the mouse simply not reporting power info via standard protocols, or
am I missing something? The mouse also supports Bluetooth, so I suppose
I could try that instead of 2.4GHz and see if it makes a difference.


In the case of bluetooth headsets, battery level may require 
experimental features in bluez

https://wiki.debian.org/BluetoothUser#Experimental_Features

A general recommendation for troubleshooting is to check "journalctl -b" 
output (as root).

Re: Authenticator apps

[Max Nikulin]

On 06/08/2024 23:37, to...@tuxteam.de wrote:

On Tue, Aug 06, 2024 at 11:07:14PM +0700, Max Nikulin wrote:

On 06/08/2024 11:37, to...@tuxteam.de wrote:

TOTP is a standard (rfc6238 [1]) so it actually/should/  give the same
numbers regardless of the application.


It is mostly true, however authenticator applications may use
vendor-specific protocols that relies on network connection instead of
displaying TimeOTP code to confirm login. The worst case is when TOTP is
disabled for specific service and alternative applications can not be used.


I just today set up one more: it /was/ TOTP, after all.


You are lucky. I faced a configuration when TOTP was available (despite 
the option was not apparent) for office365 web login, but VPN allowed 
just some Microsoft Authenticator proprietary protocol and SMS, but not 
TOTP. It took some time to make Thunderbird getting mail from Exchange 
server, generation of application-specific passwords was broken.



The instructions,
of course didn't say so, but talked a lot about scanning the QR code with
your smartphone (there is the TOTP key beneath this ready for c&p, but no
mention of it).


QR code with a URL containing TOTP secret is de-facto standard way to 
copy the secret to a phone. An option to copy the secret as clear text 
may be available as well.



That's what I call nudging.


Educating people is quite expensive. If a company anyway stores mail on 
Microsoft servers then they have no reason to not trust to Microsoft 
Authenticator. Brief instruction allows to avoid malware published as 
2FA applications on user devices.


Developing an application for TOTP requires enough care. It should 
resist tracing/debugging, secrets should not appear in swappable memory 
and should be properly wiped from RAM after usage. Hardware vault may 
help to protect secrets from unauthorized copy. Should backup be 
available? So it is not a so simple app under the hood. (The thread 
started from: "I simply need to run a simple 2FA TOTP authenticator".)


https://lists.debian.org/msgid-search/zrbudbr0nuozn...@tuxteam.de
On 05/08/2024 11:26, to...@tuxteam.de wrote:

On Sun, Aug 04, 2024 at 09:19:33PM +0200, Detlef Vollmann wrote:

gpg --decrypt --quiet key.asc | oathtool -b --totp -

[...]

The xclip part just saves me the clickery.


Ideally clipboard should be avoided to avoid exposure codes to sniffers. 
Some kind of input method might be better. X11 XTest extension allows to 
send key events to applications (see xdotool and xvkbd), but it is 
considered as an insecure feature per se and may be disabled.

Re: Authenticator apps

[Max Nikulin]

On 06/08/2024 11:37, to...@tuxteam.de wrote:

TOTP is a standard (rfc6238 [1]) so it actually/should/  give the same
numbers regardless of the application.

(This is what miffs me most: those marketing departments always sell you
some unspecified snake oil -- "authenticator app", "2FA" -- instead of
telling you what's technically behind it.


It is mostly true, however authenticator applications may use 
vendor-specific protocols that relies on network connection instead of 
displaying TimeOTP code to confirm login. The worst case is when TOTP is 
disabled for specific service and alternative applications can not be used.


While passwords are salted and hashed to make it harder to steal them 
from servers, the same approach is not applicable for TimeOTP. The same 
secret must be available on client and server to derive a code valid for 
the current (half of) minute.


I am not recommending against TOTP. Just be aware that enabling and 
using it may require more efforts than for application specific to 
particular vendor.

VM, wifi, NAT (was: Re: Internet facing Firewalls mDNS UPnP SMB)

[Max Nikulin]

On 05/08/2024 17:50, George at Clug wrote:

I am also a bit concerned about the statement "table ip nat", I do not
want [e.g. need] any Network Address Translation occurring.



Re: VirtualBox (VB) and Windows on Debian
On 19/07/2024 11:11, George at Clug wrote:

And I gave up on setting up Bridges on Wireless network interfaces as I
think each wireless connection is treated as a new network interface.


NAT allows to create a network for virtual machines in the case of 
outgoing WiFi connection.

Avoid APT::Default-Release (was: Re: nvidia vs nouveau driver and initrd.* size)

[Max Nikulin]

On 04/08/2024 06:24, Van Snyder wrote:
Then, to avoid sucking anything more from unstable, I added 
/etc/apt/apt.conf.d/my-default containing


APT::Default-Release "stable";




It prevents installing security updates by apt upgrade, so avoid it.

Re: switch users and still use display

[Max Nikulin]

On 02/08/2024 20:30, Jeffrey Walton wrote:

On Fri, Aug 2, 2024 at 7:21 AM Greg Wooledge wrote:

On Fri, Aug 02, 2024 at 11:35:58 +0200, Florent Rougon wrote:

Which I am inclined to believe, although I'm reluctant to try 'su -p'
for fear of creating a mess in my normal user setup:

   ~ % su -p

[...]

The main issue here is likely to be the HOME variable.  If you're running
a shell as root, but with HOME=/home/florent or whatever, then some of
the programs you start may create new dot files inside /home/florent/.
These files will be owned by root (because the programs are running as
root).  Then, at some point in the future, if you run those same programs
as florent, you won't be able to change the contents of the dot files.

[...]

emacs is notorious for that. In fact, if you install a new system, and
`sudo emacs `, then emacs will create its own config
directory (.emacs/) in your home directory owned by root.


I expect that emacs way to edit system files is TRAMP, something like 
/sudo:...


In the past I spent some time trying to figure out why bash history did 
not work. ~/.bash_history owner was root. I prefer "sudo -i" or "su -" 
since that accident. Sometimes I add --whitelist-environment for 
specific variables.

Re: Tool to store on IMAP server

[Max Nikulin]

On 30/07/2024 15:24, Tim Woodall wrote:

On Mon, 29 Jul 2024, mick.crane wrote:
I was concerned the 
'1722260402.M755015P70320.xx,S=17279,W=17606:2,S'

numbers might get mixed up with new ones but didn't seem to matter.

[...]

Yes, I use unison to keep some imap servers in sync.

Maildir file names include keywords.

I suspect, there is a chance of discrepancy of keyword mapping across 
servers unless your perform sync when IMAP servers are stopped and files 
containing mapping are copied as well.


https://doc.dovecot.org/admin_manual/mailbox_formats/maildir/

Re: Upgrading systemd may silently break your Unstable/Sid system!; was: systemd may silently break your system!

[Max Nikulin]

On 28/07/2024 20:08, Erwan David wrote:

I also have a 99-systcl.conf which is a copy of the former /etc/sysctl.conf


When you are going to replace a file provided by a package, check if it 
is a configuration file at first (e.g. dpkg -s). Despite most of files 
in /etc/ are marked as configuration files, some are not.


I juste renamed it. But in my view it is a bug to remove something else 
than the symlink even with the same name


On the other hand it makes recovery after a fault easier. Dpkg does not 
track types of files, have a look into /var/lib/dpkg/info/systemd.list

Re: Debian Sid. General questions.

[Max Nikulin]

On 29/07/2024 02:57, 타토카 wrote:
Is it enough to have usb Debian live (for example XFCE) and use Debian 
Sid? I mean I don't have another one computer, if the main computer will 
be "broken".


Since you are asking this question, likely it is not enough.

If your hardware allows it then consider installing stable and trying to 
tun unstable in a virtual machine at first.

Re: bash history

[Max Nikulin]

On 28/07/2024 08:01, mick.crane wrote:
Sometimes I forget where I was after closing a virtual terminal  and it 
would be handy to see the history

in a new terminal, where I "cd'd" to for example.


help history
less ~/.bash_history

Re: info is not dead

[Max Nikulin]

On 27/07/2024 20:00, Nate Bargmann wrote:


Texinfo is from a time when GNU documentation was only man pages or flat
text files and something "better" was desired for moving through a
manual in what is now known as a hypertext format.  It also includes a
lot of semantic markup rather than the basics forms of emphasis included
in HTML.  It is actually a rather capable format it's just that the info
format and the info utility intended for terminal display throw nearly
all of that away.


Certainly viewers for texinfo docs have usability issues. tkinfo or 
emacs are more friendly than the info(1) "browser".


On the other hand, texinfo is, unlike man, is hypertext to much more 
degree. Heuristic in debiman (manpages.debian.org) is better than in 
other tools in respect to guessing what part of text should be rendered 
as links, but it is still limited.


There is no convention concerning "active" links to specific anchor in a 
man page and it is an issue in the case of long manuals. I think, e.g. 
Emacs manual would be unusable as a man page.


There are issues with cross-document texinfo links. Desktop environments 
provide help tools that may render info docs, but "(bash) Bash 
Variables" would not work there and "copy link" may be missed. I would 
like to have something like sphinx index files that contains list of 
anchors in documents.


Texinfo semantic markup is really a feature. Full support is not trivial 
though since images and equations are allowed. It is an obstacle on the 
way toward better tools.


I do not mind to have info.debian.org. However single page variant leads 
to excessively large documents. Existing tools have no intermediate 
level, the only other supported mode is an HTML page per texinfo node. 
It is inconvenient to walk through many single paragraph or menu only 
pages. Search in whole document is another issue with granular texinfo 
documents published on web sites.


Something more advanced than man pages is necessary, but texinfo is not 
unambiguously better in its current form.


P.S. The following is from "emacs --help". From my point of view there 
are too many steps to reach specific mode to call it convenient. It is 
for Emacs that may be named a native tool to read info docs.



Run M-x info RET m emacs RET m emacs invocation RET inside Emacs to
read the main documentation for these command-line arguments.

Re: switch users and still use display

[Max Nikulin]

On 27/07/2024 23:06, Greg Wooledge wrote:

Yes, but the other ways are *far* more complicated, especially when
neither user1 nor user2 is root.  The issue is that in order to
authenticate yourself to the X server, you present a token, known as
a "magic cookie".


in some cases

xhost +si:localuser:greg

may help to give access to the X11 socket to all processes running by 
another user.


It may be more tricky to arrange permissions for GPU, audio devices, and 
other hardware. By default udev and systemd-logind "uaccess" feature 
dynamically grants access to currently active user through ACLs. Adding 
another user to a number of groups may give it *permanent* access to 
that devices.


The actual question is if applications running by different users should 
appear on the same X11 display or switching between user sessions (using 
Ctrl+Alt+F*, desktop environment menu, CLI commands) is acceptable or 
even desired.


In the case of the same display another user may sniff selection 
(clipboard), key press events.

Re: Alternative to Authy

[Max Nikulin]

On 23/07/2024 09:16, jeremy ardley wrote:

I use Google Authenticator as an option in pam to secure ssh connections.

[...]
NB. Google Authenticator does not use any Google cloud services. It is 
purely a local application on your machine.


Do you mean rfc6238 Time-based One-time Password (TOTP) that is 
implemented in a number of applications besides Google Authenticator or 
some other protocol?

Re: combine two commands via pipe

[Max Nikulin]

On 26/07/2024 09:25, Andy Smith wrote:

On Fri, Jul 26, 2024 at 10:00:48AM +0800, cor...@free.fr wrote:

$ sudo ls -ltr "/tmp/$(ls /tmp |grep apache)"

[...]

So what is wrong with just using a glob as suggested?


Not all people are realizing how many pitfalls they may face using 
shell. (I admit my example with findmnt likely has a shortcoming as well.)


I am realizing that the following pages describe dealing with lists 
while single directory is expected in the current case, but still


https://mywiki.wooledge.org/ParsingLs
Why you shouldn't parse the output of ls(1)

https://mywiki.wooledge.org/BashPitfalls#for_f_in_.24.28ls_.2A.mp3.29
for f in $(ls *.mp3)
No 1 in Bash Pitfalls

Re: combine two commands via pipe

[Max Nikulin]

On 26/07/2024 06:59, cor...@free.fr wrote:


My actual requirement is that I want to 'ls -ltr' into a subdir in /tmp. 
that subdir is apache's tmp dir. but the name of the subdir is too long 
(hard to copy&paste), so I am looking for a easier way.


Use glob if it is acceptable

sudo ls -ltr /tmp/*-apache2.service-*

If you need a private tmp directory of a specific systemd service then 
try to find proper tools to query it


service="bluetooth.service"
pid="$(systemctl show --property MainPID --value "$service")"
tmp="$(findmnt --task "$pid" --target /tmp --noheading --output FSROOT 
--raw)"

ls -ltr "$tmp"

Re: Trouble when editing a Debian wiki page

[Max Nikulin]

On 25/07/2024 19:11, Greg Wooledge wrote:

On Thu, Jul 25, 2024 at 18:54:38 +0700, Max Nikulin wrote:

https://wiki.debian.org/EnvironmentVariables?action=recall&rev=32

[...]

I can't quite guess what "text has no left margin" means here.


Firefox-115, see the attachment. Notice that "General", unlike table of 
contents, is not separated from window border by 52px margin.

Re: Trouble when editing a Debian wiki page

[Max Nikulin]

On 25/07/2024 10:42, Greg Wooledge wrote:

On Thu, Jul 25, 2024 at 09:50:43 +0700, Max Nikulin wrote:

https://wiki.debian.org/EnvironmentVariables?action=raw&rev=33

has one empty line after "<>" while rev=22 has 2 empty
lines and it may be more significant than a space before  "<<".


I assume you mean "while rev=32".  I removed the extra blank line at
the same time I removed the leading space.  The leading space causes
indentation, but a blank line should just be ignored when rendering
the HTML.  It has no significance in the final appearance.


A space before " <>" combined with 2 empty lines 
after cause extra "" closing  before following 
text. So most of article text has no left margin.


https://wiki.debian.org/WikiSandBox?action=recall&rev=144
https://wiki.debian.org/EnvironmentVariables?action=recall&rev=32


The Permissions article has an extra space in the translations line causing
extra indentation due to rather weird markup

   


I don't touch the translation stuff.


I just compared markup of 2 pages and generated HTML. Firefox highlights 
invalid elements in view-source:. I have realized that a space may be a 
red herring here. Permissions explicitly adds table while 
EnvironmentVariables uses just small text.

Re: Trouble when editing a Debian wiki page

[Max Nikulin]

On 25/07/2024 02:05, Franco Martelli wrote:

I'm using firefox-esr version: 115.13.0esr-1~deb12u1

Here I see the TOC not indented (no space before << tag):
https://wiki.debian.org/EnvironmentVariables?action=raw

Here instead I see the TOC indented (a space before << tag):
https://wiki.debian.org/Permissions?action=raw

Both pages have the text indented correctly in the browser, thus it 
looked strange to me that removing the leading space before the << tag 
fixed the issue. Am I missing something else?


https://wiki.debian.org/EnvironmentVariables?action=raw&rev=33

has one empty line after "<>" while rev=22 has 2 
empty lines and it may be more significant than a space before  "<<".


The Permissions article has an extra space in the translations line 
causing extra indentation due to rather weird markup


  

Another MoinMoin issue that it renders "= Header =" as . 
EnvironmentVariables minimal header level is 2 while Permissions has 
multiple  elements


https://developer.mozilla.org/en-US/docs/Web/HTML/Element/Heading_Elements#avoid_using_multiple_h1_elements_on_one_page

Re: Maybe off topic: Where is bash gesture ${X=Y} described ?

[Max Nikulin]

On 24/07/2024 20:50, Greg Wooledge wrote:

Everyone skips over the sentence that begins with "Omitting the colon".

Every time we try to tell Chet, "Hey, man, please add examples that
show BOTH syntaxes", he blows us off, because this is the way POSIX
documents it.  If it's good enough for POSIX, then it must be good
enough for bash, right?[1]


For a long time I was believing that ${X=Y} is just an obsolete and less 
strict form of ${X:=Y} due to the way it is documented in BASH. Once I 
needed to distinguish empty an unset values. First hits in search engine 
results gave me impression that people just did not care. Fortunately I 
spotted  with both variants (a 
quote from POSIX). I agree that colon vs. no colon should be documented 
in a more prominent way.