Re: linphone and address books

[Jonas Smedegaard]

Quoting Mario Marietto (2023-06-02 10:27:29)
> Does anyone know if on the market there is a phisycal phone (made with
> hardware components) which allows to place calls and to send sms only using
> the VOIP technology ? Would be an interesting product to buy and try in my
> opinion.

Yes, so-called "SIP hardphones" exist.  Try a web search for those
terms, or if you are lazy you can use this as a starting point:
https://www.asteriskguru.com/tutorials/asterisk_hardphone.html

An "hard" alternative is to use a so-called "SIP ATA" (Analogue Phone
Adapter) to connect a classic old POTS (Plain Old Telephny Standard)
phone with a SIP account.


 - Jones

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Re: Consultation on license documents

[Jonas Smedegaard]

Quoting 刘涛 (2023-03-18 03:49:34)
> Oh my god, I'm so sorry. I originally wanted to say that every software 
> package in Debian will have a "copyright" document, but the input method was 
> mistakenly typed as copyleft. Because I found that every package in Debian 
> will have a "copyright" document, but not every package has a "license.txt" 
> document. So I want to confirm that we users want to know the license usage 
> of the software package, which document should prevail. In addition, when the 
> license information declared in the two documents is inconsistent, how should 
> we deal with it, and which document shall prevail.

Some projects include a file intended to cover the whole project
(typically located in the root folder) containing only a general license
and nothing else (no copyright statements).
Such a file has no legal effect over other files from simply being
present in the project.  To have effect over other files the project
need to have its copyright holders *grant* a license.

Some projects include a file intended to cover the whole project
(typically located in the root folder) where someone claims to hold
copyright and state that they as copyright holder *grant* certain
license over all or some portion of the project.  This affects those
other files that the statement is about.  If multiple copyright claims
and/or multiple license granting statements, then only the licensing
granted by the copyright holder has effect - i.e. if same copyright
holder grants multiple licenses then possibly (depending on wording)
*either* of those licenses apply, free of choice for each user, but
since only a copyright holder has the right to grant a license, if
someone claims copyright over a whole project but parts of the project
in reality was relicensed from someone else then only that someone else
had the right to license their parts.

If unclear who owns what and/or who granted what, then beware that legal
rules are different from math and logic: In the end copyright and
licensing statements are *intents* and their legal effect is only
certain when tried in a courtroom (and even then may be tried again with
potentially different legal interpretation in another courtroom for same
or another legal jurisdiction).

Common rule of thumb is that the most narrow statements have effect.

So if you have a code project with a bunch of code files, and one file
LICENSE.txt containing the GPLv3 licensing text and nothing else, and
another file COPYING.txt that says the equivalent o "I, Jonas, claim
to be the owner of creative works within this code project, and I grant
anyone the rights to use and copy and modify what I control the rights
over, by the legal principles of the Apache-2.0 general public license"
then that project is licensed as Apache-2.0 and *not* as GPL-3.

But if that same project, in addition to those two text files, also
within each code file contains a statement that I, Jonas, am copyright
holder and grants the rights of BSD-3, then those files are licensed as
BSD-3.  If nothing else in the project is copyright-protectable, then 
the project is dual-licensed as *either* BSD-3 *or* Apache-2.0 (but
still as GPL-3 because that license only *exist* but nothing in the
project has been *granted* those rules that it represents).

If instead, in addition to my copyright claim and Apache-licensing of
the project as a whole, the copyright holder of each and every
copyright-protecable file within the project was someone else, then my
claim had no effect over those files, and in reality the project would
be licensed as BSD-3 (not as Apache-2.0).

Standard disclaimer: I am not a lawyer, so only use my input here as
inspiration but seek a lawyer if you want legal certainty.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Greg,

> > How do I get in contact with somebody who can fix the problem in
> > Debian Buser and/ or the official Debian Buster arm32v7 Docker image?
>
> Looks a bit like 
> to me.

Thanks a lot! Yes, this looks a lot like my problem. Also their
workaround of running "c_rehash" works. :)

The only difference I was able to spot is that my build process does
not give the "qemu: Unsupported syscall: 382" error message. It stays
completely silent.

https://gitlab.com/toertel/docker-image-tls-https-broken/-/jobs/534935085#L317

317 Setting up ca-certificates (20190110) ...
318 Updating certificates in /etc/ssl/certs...
319 128 added, 0 removed; done.
320 Setting up libgssapi-krb5-2:armhf (1.17-3) ...
321 Setting up libcurl4:armhf (7.64.0-4+deb10u1) ...
322 Setting up curl (7.64.0-4+deb10u1) ...
323 Processing triggers for libc-bin (2.28-10) ...
324 Processing triggers for ca-certificates (20190110) ...
325 Updating certificates in /etc/ssl/certs...
326 0 added, 0 removed; done.
327 Running hooks in /etc/ca-certificates/update.d...
328 done.

I implemented the workaround and it also works in GitLab CI.

https://gitlab.com/toertel/docker-image-tls-https-broken/pipelines/142869786

Greetings,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

> > Yes, I have my own Dockerfile and I can add to it whatever I want. But
> > "dpkg-reconfigure ca-certificates" asks a lot of questions. And that
> > list from 1 to 128 might eventually change. So I am puzzled how to
> > automate that without human intervention.
>
> dpkg-reconfigure --default-priority ca-certificates

Yes, now it does not ask questions. But the workaround so far is to
run dpkg-reconfigure once to remove all certificates and then once
again to re-add all of them. I do not know what "dpkg-reconfigure
--default-priority ca-certificates" does.

Thanks for your help,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Greg,

> You... *think* it's there?  Why not actually look?
>
> unicorn:~$ ls -l /etc/ssl/certs/4a6481c9.0
> lrwxrwxrwx 1 root root 27 Jul 14  2018 /etc/ssl/certs/4a6481c9.0 -> 
> GlobalSign_Root_CA_-_R2.pem
>
> It takes a few seconds, and then you can remove all doubt.

Correct, the file is not there. But there are a lot of other links in
/etc/ssl/certs. But those links have real names, not just sequences of
numbers.

# ls -l /etc/ssl/certs/4a6481c9.0
ls: cannot access '/etc/ssl/certs/4a6481c9.0': No such file or directory

What is the difference between the numbered links and the ones with
human readable names?

I *think* that the problem is that these numbered links are missing.

How do I get in contact with somebody who can fix the problem in
Debian Buser and/ or the official Debian Buster arm32v7 Docker image?

Regards,
Mark

# ls -l /etc/ssl/certs/
total 580
lrwxrwxrwx 1 root root 48 May  1 13:06  ACCVRAIZ1.pem ->
/usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  AC_RAIZ_FNMT-RCM.pem ->
/usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
lrwxrwxrwx 1 root root 69 May  1 13:06
Actalis_Authentication_Root_CA.pem ->
/usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
lrwxrwxrwx 1 root root 61 May  1 13:06  AddTrust_External_Root.pem
-> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
lrwxrwxrwx 1 root root 61 May  1 13:06  AffirmTrust_Commercial.pem
-> /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
lrwxrwxrwx 1 root root 61 May  1 13:06  AffirmTrust_Networking.pem
-> /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
lrwxrwxrwx 1 root root 58 May  1 13:06  AffirmTrust_Premium.pem ->
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
lrwxrwxrwx 1 root root 62 May  1 13:06
AffirmTrust_Premium_ECC.pem ->
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  Amazon_Root_CA_1.pem ->
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  Amazon_Root_CA_2.pem ->
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  Amazon_Root_CA_3.pem ->
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  Amazon_Root_CA_4.pem ->
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
lrwxrwxrwx 1 root root 60 May  1 13:06  Atos_TrustedRoot_2011.pem
-> /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
lrwxrwxrwx 1 root root 96 May  1 13:06
Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem ->
/usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
lrwxrwxrwx 1 root root 64 May  1 13:06
Baltimore_CyberTrust_Root.pem ->
/usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
lrwxrwxrwx 1 root root 62 May  1 13:06
Buypass_Class_2_Root_CA.pem ->
/usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
lrwxrwxrwx 1 root root 62 May  1 13:06
Buypass_Class_3_Root_CA.pem ->
/usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  CA_Disig_Root_R2.pem ->
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
lrwxrwxrwx 1 root root 51 May  1 13:06  CFCA_EV_ROOT.pem ->
/usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
lrwxrwxrwx 1 root root 69 May  1 13:06
COMODO_Certification_Authority.pem ->
/usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
lrwxrwxrwx 1 root root 73 May  1 13:06
COMODO_ECC_Certification_Authority.pem ->
/usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root 73 May  1 13:06
COMODO_RSA_Certification_Authority.pem ->
/usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root 47 May  1 13:06  Certigna.pem ->
/usr/share/ca-certificates/mozilla/Certigna.crt
lrwxrwxrwx 1 root root 59 May  1 13:06  Certinomis_-_Root_CA.pem
-> /usr/share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt
lrwxrwxrwx 1 root root 66 May  1 13:06
Certplus_Class_2_Primary_CA.pem ->
/usr/share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
lrwxrwxrwx 1 root root 64 May  1 13:06
Certum_Trusted_Network_CA.pem ->
/usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
lrwxrwxrwx 1 root root 66 May  1 13:06
Certum_Trusted_Network_CA_2.pem ->
/usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
lrwxrwxrwx 1 root root 71 May  1 13:06
Chambers_of_Commerce_Root_-_2008.pem ->
/usr/share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
lrwxrwxrwx 1 root root 63 May  1 13:06
Comodo_AAA_Services_root.pem ->
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
lrwxrwxrwx 1 root root 61 May  1 13:06  Cybertrust_Global_Root.pem
-> /usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

e/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
-rw-r--r-- 1 root root 200061 May  5 13:57  ca-certificates.crt
lrwxrwxrwx 1 root root 55 May  1 13:06  certSIGN_ROOT_CA.pem ->
/usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
lrwxrwxrwx 1 root root 72 May  1 13:06
ePKI_Root_Certification_Authority.pem ->
/usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root 61 May  1 13:06  thawte_Primary_Root_CA.pem
-> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
lrwxrwxrwx 1 root root 66 May  1 13:06
thawte_Primary_Root_CA_-_G2.pem ->
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
lrwxrwxrwx 1 root root 66 May  1 13:06
thawte_Primary_Root_CA_-_G3.pem ->
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt

Greetings,
Mark

On Tue, May 5, 2020 at 9:10 AM Michael Howard  wrote:
>
> On 05/05/2020 07:44, Mark Jonas wrote:
>
> Hi Reco,
>
> What now? How do I get this fixed in Debian and/ or the official
> container image?
>
> I was under the impression that you're creating your own docker
> container anyway.
> Add it to docker build file or whatever it's called.
>
> Yes, I have my own Dockerfile and I can add to it whatever I want. But
> "dpkg-reconfigure ca-certificates" asks a lot of questions. And that
> list from 1 to 128 might eventually change. So I am puzzled how to
> automate that without human intervention.
>
>
>
> Does 'update-ca-certificates' not work? Doesn't need interaction. Apologies 
> if I missed something, haven't read the whole thread.
>
> --
> Michael Howard

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

> > What now? How do I get this fixed in Debian and/ or the official
> > container image?
>
> I was under the impression that you're creating your own docker
> container anyway.
> Add it to docker build file or whatever it's called.

Yes, I have my own Dockerfile and I can add to it whatever I want. But
"dpkg-reconfigure ca-certificates" asks a lot of questions. And that
list from 1 to 128 might eventually change. So I am puzzled how to
automate that without human intervention.

I am also very much interested in getting the attention of the right
person to fix the official Debian Docker base image. Do you have an
idea whom I shall contact?

Greetings,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

> > 1613  stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No
> > such file or directory)
>
> Presumably ca-certificates postinst script haven't run, because these
> symlinks missing ain't normal.

Ubuntu 18.04 on my PC gives more or less the same errors but succeeds.
So I have some doubt. I think the symlinks are there.

openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
stat("/etc/ssl/certs/99bdd351.0", 0x7ffc3c886370) = -1 ENOENT (No such
file or directory)

> So, start with "dpkg-reconfigure ca-certificates", and if it does not
> fix it - "apt-get install --reinstall ca-certificates".

This does not work either. But the following works. And this is super confusing.

1. Run "dpkg-reconfigure ca-certificates"
   Trust new certificates from certificate authorities? 1 (yes)
   Certificates to activate: (empty list)
   Updating certificates in /etc/ssl/certs...
   0 added, 128 removed; done.

2. Run "dpkg-reconfigure ca-certificates"
   Trust new certificates from certificate authorities? 1 (yes)
   Certificates to activate: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107
108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124
125 126 127 128
   Updating certificates in /etc/ssl/certs...
   128 added, 0 removed; done.

3. "curl https://www.google.com";  now succeeds.

What now? How do I get this fixed in Debian and/ or the official
container image?

Is there a way to automate the above so I can do it as a workaround in
the container creation?

Greetings,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

> > I used the identical image to run the container on an amhf host
> > (Raspberry Pi 3). So there is now no QEMU in the way.
>
> Curious. Just tested it with curl at Marvell Armada 385 (runs Debian 10,
> armhf), works as supposed to.
> I could also test it on Exynos 5422 (also runs Debian 10, armhf), but
> it'll be the same.

Do you want to try the Docker image on one of these? Maybe the problem
is not Debian itself but only the official Debian Docker image?

> > curl https://www.google.com still fails on the armhf host. So QEMU is
> > out of the game.
>
> Ok. Is it possible to run curl via strace from inside the docker?
> Something like this would be perfect (-o designates an output file):
>
> strace -o /tmp/curl -e trace=file curl https://www.google.com

Please have a look at the reply I send to Tomas. There is the complete
strace output.

> Specifically, it should try to open a symlink to
> /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem.
> Here it's called /etc/ssl/certs/4a6481c9.0, may be machine-specific.

Yes, it tries to open something like that and fails. But on my PC,
where curl works, the trace shows similar failures.

Raspberry Pi Docker host, armhf Docker container snippet:

1613  openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 4
1613  stat64("/etc/ssl/certs/99bdd351.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
1613  stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  +++ exited with 60 +++

PC strace snippet:

5524  openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 4
5524  openat(AT_FDCWD, "/dev/random", O_RDONLY) = 5
5524  openat(AT_FDCWD, "/dev/srandom", O_RDONLY) = -1 ENOENT (No such
file or directory)
5524  openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 6
5524  openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
5524  stat("/etc/ssl/certs/99bdd351.0", 0x760b7060) = -1 ENOENT
(No such file or directory)
5524  openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
5524  +++ exited with 0 +++

Greetings,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Tomas,

> > Yes, "curl -k https:/www.google.com" succeeds.
>
> Then it's quite probable that the problem lies with certificate
> resolution. Either it doesn't find a trusted root cert to validate
> the server against, or the validation fails.
>
> You might try curl's -v option (with and without -k) to see whether
> it sheds some light.

# curl -v https://www.google.com
* Expire in 0 ms for 6 (transfer 0x109d880)
* Expire in 1 ms for 1 (transfer 0x109d880)
* Expire in 0 ms for 1 (transfer 0x109d880)
* Expire in 2 ms for 1 (transfer 0x109d880)
* Expire in 0 ms for 1 (transfer 0x109d880)
* Expire in 0 ms for 1 (transfer 0x109d880)
* Expire in 2 ms for 1 (transfer 0x109d880)
* Expire in 1 ms for 1 (transfer 0x109d880)
* Expire in 1 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 2 ms for 1 (transfer 0x109d880)
* Expire in 2 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 3 ms for 1 (transfer 0x109d880)
* Expire in 3 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 3 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 4 ms for 1 (transfer 0x109d880)
* Expire in 5 ms for 1 (transfer 0x109d880)
*   Trying 216.58.207.164...
* TCP_NODELAY set
* Expire in 149991 ms for 3 (transfer 0x109d880)
* Expire in 200 ms for 4 (transfer 0x109d880)
* Connected to www.google.com (216.58.207.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# curl -vk https://www.google.com
* Expire in 0 ms for 6 (transfer 0x133a880)
* Expire in 1 ms for 1 (transfer 0x133a880)
[.. skipping 46 more or less identical lines ..]
* Expire in 4 ms for 1 (transfer 0x133a880)
*   Trying 216.58.207.164...
* TCP_NODELAY set
* Expire in 149993 ms for 3 (transfer 0x133a880)
* Expire in 200 ms for 4 (transfer 0x133a880)
* Connected to www.google.com (216.58.207.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC;
CN=www.google.com
*  start date: Apr  7 09:49:21 2020 GMT
*  expire date: Jun 30 09:49:21 2020 GMT
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify result: unable to get local issuer
certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x133a880)
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Mon, 04 May 2020 17:57:40 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: 1P_JAR=2020-05-04-17; expires=Wed, 03-Jun-2020 17:57:40
GMT; path=/; domain=.google.com; Secure
< set-cookie: 
NID=203=NJeeaDepuErdSOKYdHIR6vtnByU05gHO2DzxoRS3puHM4AsMlNZ5J2aksbNJrJQxfuGuBx_OaG3uyPuuF5tRqJEa4mGmreZ2F9ilyqksUryBh5z7N5y1_QDbDzCvkme1XonAIo_V7rw99ejIfqk8U1nL_tOw5OUSrBZffdLHchA;
expires=Tue, 03-Nov-2020 17:57:40 GMT; path=/; domain=.google.com;
HttpOnly
< alt-svc: h3-Q050=":443"; ma=2592000,h3-Q049=":443";
ma=2592000,h3-Q048="

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Thomas,

> > curl https://www.google.com still fails on the armhf host. So QEMU is
> > out of the game.
>
> Someone hinted at ca_certificates. To verify that, you could try with
> the option "-k" for curl. Then the server certificate isn't checked.

Yes, "curl -k https:/www.google.com" succeeds.

I am 100% sure that the ca-certificates package is installed.

# dpkg --get-selections | grep ca-certificates
ca-certificatesinstall

> Of course this may be a bad idea for a permanent "solution", but would
> allow you to bisect the problem.

I do not understand how that helps.

In my real use case the Logitech Media Server shows the same problem
as curl. I am just using curl here because it is a Debian supported
package and the problem is way easier to reproduce.

Greetings,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

> > > Ok. Can you run tcpdump while you're running curl?
> > > Specifically,
> > >
> > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443
> >
> > I tried to dump from within the running container but failed.
>
> It's way too complicated. Docker is basically a one big NAT, so please
> run tcpdump on a host instead.

I used the identical image to run the container on an amhf host
(Raspberry Pi 3). So there is now no QEMU in the way.

> But this hiccup gave me an idea - maybe libssl on armhf is perfectly
> fine, but it's qemu which fails to emulate certain CPU instruction.

curl https://www.google.com still fails on the armhf host. So QEMU is
out of the game.

Packet capturing now also worked. For capturing QEMU was the problem.
I also captured aria2c (succeeds with warning) and wget (silently
succeeds). You can download the capture files from
https://fil.email/pzzgUgVp . The link is good for one week and is from
filemail.com.

Thanks for your help,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

>> >> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> >>
>> >> Does that mean a TLS library does not feature all required protocols on 
>> >> armhf?
>> >
>> > TLS library that curl uses (openssl) is perfectly fine, but it cannot
>> > validate any certificate unless you provide it with root CA
>> > certificates.
>> > So it likely means you haven't installed "ca-certificates" package.
>>
>> This is what it looks like. But actually I installed ca-certificates.
>
> Ok. Can you run tcpdump while you're running curl?
> Specifically,
>
> tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443

I tried to dump from within the running container but failed.

# tcpdump -s0 -pnni any -w /tmp/curl-certificate-problem.pcap tcp port 443
Unsupported setsockopt level=263 optname=8
getsockopt level=263 optname=11 not yet supported
tcpdump: WARNING: can't get TPACKET_V3 header len on packet socket:
Operation not supported
Warning: Kernel filter failed: Bad file descriptor
Unsupported setsockopt level=1 optname=27
tcpdump: can't remove kernel filter: Protocol not available

The container was started as follows on an amd64 host running qemu-arm-static:

$ docker run -it --rm toertel/test-tls-https-broken:arm32v7-buster-latest

I gave it a try with a stripped down command and it did not work either.

# tcpdump -w /tmp/curl-certificate-problem.pcap port 443
Unknown host QEMU_IFLA type: 50
Unknown host QEMU_IFLA type: 51
Unknown host QEMU_IFLA type: 50
Unknown host QEMU_IFLA type: 51
Unsupported ioctl: cmd=0x8946
Unsupported ioctl: cmd=0x8946
Unsupported ioctl: cmd=0x8946
Unsupported ioctl: cmd=0x8946
Unsupported ioctl: cmd=0x8946
Unsupported ioctl: cmd=0x8946
Unsupported setsockopt level=263 optname=8
getsockopt level=263 optname=11 not yet supported
tcpdump: Can't open netlink socket 96:Protocol family not supported

Thanks for your help,
Mark

Re: armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi Reco,

>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>
>> Does that mean a TLS library does not feature all required protocols on 
>> armhf?
>
> TLS library that curl uses (openssl) is perfectly fine, but it cannot
> validate any certificate unless you provide it with root CA
> certificates.
> So it likely means you haven't installed "ca-certificates" package.

This is what it looks like. But actually I installed ca-certificates.

This is an excerpt of the relevant part of the the Dockerfile [1]
where the packages are installed:

RUN apt-get update && \
  apt-get -y --no-install-recommends install \
curl \
ca-certificates \
tzdata \
&& \
  apt-get clean && \
  rm -rf /var/lib/apt/lists/*

I also think that wget would not work or at least give a warning in
case there were no certificates at all.

Last but not least, the identical Dockerfile produces images for amd64
and arm64 where curl and aria2 work without hiccups. And it works
flawlessly on Stretch using the same Dockerfile.

Greetings,
Mark


[1]: 
https://gitlab.com/toertel/docker-image-tls-https-broken/-/blob/master/Dockerfile.j2

armhf: buster: TLS / HTTPS partly broken

[Mark Jonas]

Hi,

I am building Docker images for amd64, armhf, and arm64. I have a very
simple container based on debian:buster where curl works fine on amd64
and arm64 but fails on armhf [1]. This makes it very easy to reproduce
the problem.

# curl --version
curl 7.64.0 (arm-unknown-linux-gnueabihf) libcurl/7.64.0
OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2
(+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

# curl https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The error occurs on a real armhf target (Raspberry Pi 3) as well as
with QEMU (tested with
3.1.0-2 and v4.2.0-7).

The error cannot be reproduced with debian:stretch. [2]

The error cannot be reproduced with ubuntu:bionic or ubuntu:focal. [3]

With wget it works fine. None the less, I doubt that curl itself it
the source of the problem. The Logitech Media Server package [4] (not
an official Debian package) shows the problem as well. LMS is written
using Perl (mainly) and does not use curl.

I also gave aria2 a try. It downloads but gives a warning on armhf.

# aria2c https://www.google.com
[..]
05/03 12:32:37 [WARN] aria2c had to connect to the other side using an
unknown TLS protocol. The integrity and confidentiality of the
connection might be compromised.
Peer: www.google.com (216.58.207.164:443)

Does that mean a TLS library does not feature all required protocols on armhf?

Does anybody have an idea what the problem might be? Who can / should
tackle the problem?

I did not report the problem using reportbug because I have no clue
which package is causing the problem.

Greetings,
Mark

[1] https://gitlab.com/toertel/docker-image-tls-https-broken
[2] https://gitlab.com/toertel/docker-image-tls-https-broken/pipelines/141798495
[3] https://gitlab.com/toertel/docker-image-tls-https-broken/pipelines/141820625
[4] http://downloads.slimdevices.com/LogitechMediaServer_v7.9.2/

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting Emanuel Berg (2020-03-11 17:15:08)
> Jonas Smedegaard wrote:
> 
> > Try check if the audio stream of that movie is AC-3, and if
> > so then try use mpv with the option --ad-lavc-ac3drc (read
> > the man page for valid values).
> 
> OK, I'll try this...
> 
> > If you experience similarly expanded dynamic range also for
> > differently encoded audio sources then more likely there's
> > a problem in how your system downmixes multi-channel audio
> > (like deloptes is getting at).
> 
> I experience this all the time, before "Ford v Ferrari" it was
> "Battle Angle Alita" which is an mp4, not mkv, file.

Maybe your system simply treats multi-channel audio wrongly.

A simpler alternative to recoding audio with fine-tuned values could be 
something like this to force use only stereo:

  mpv --audio-channels=stereo ...


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting Emanuel Berg (2020-03-12 03:07:23)
> Reco wrote:
> 
> > FL = FL + 0.707 * FC + 0.707 * BL
> 
> With mediainfo(1) as recommended by Mr. Smedegaard, I got
> this
> 
> $ mediainfo ford-v-ferrari-2019.mkv | grep -i channel
> Channel(s)   : 6 channels
> Channel layout   : L R C LFE Ls Rs
> Channel(s)   : 6 channels
> Channel layout   : L R C LFE Ls Rs

You could also do this:

  mediainfo --Inform="Audio;%Channel(s)%: %ChannelLayout%" 
ford-v-ferrari-2019.mkv


> L = left, R = right, C = center?
> 
> LEF = low-frequency effects? [1]
> 
> Ls, Rs = left and right subwoofers?

Left/right _surround_.

5.1 means 5 discrete channels + subwoofer

...because low-frequency audio is difficult for humans to locate so a 
single mono channel is adequate for that.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting Emanuel Berg (2020-03-11 17:15:08)
> Jonas Smedegaard wrote:
> 
> > Try check if the audio stream of that movie is AC-3, and if
> > so then try use mpv with the option --ad-lavc-ac3drc (read
> > the man page for valid values).
> 
> OK, I'll try this...
> 
> > If you experience similarly expanded dynamic range also for
> > differently encoded audio sources then more likely there's
> > a problem in how your system downmixes multi-channel audio
> > (like deloptes is getting at).
> 
> I experience this all the time, before "Ford v Ferrari" it was
> "Battle Angle Alita" which is an mp4, not mkv, file.

Container format is not relevant (for this, it is for sync issues).

Try check if your copy of Battle Angle Alita was AC-3 encoded too.


> I have a command to output multimedia properties,

I recommend mediainfo for that.


> $ movie-meta baa-2019.mp4 | grep -i codec
> ID_VIDEO_CODEC=ffh264
> ID_AUDIO_CODEC=ffaac

Ah, so not AC-3 but AAC.


> > NB! Consider switching to mpv in general, it is a successor to 
> > mplayer with many improvements.
> 
> I did and it seems better in general, but its the same with
> this particular issue.

Right I did not expect it to magically solve this issue specifically.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting Emanuel Berg (2020-03-10 09:54:07)
> deloptes wrote:
> 
> > but my question here is - why the subject with mp4s - do only
> > they suffer this problem or it is just a case among others?
> 
> It is probably a case among others, at least when I wrote it the
> intention was to raise this issue in general.
> 
> Today I saw "Ford v Ferrari" from last year, an .mkv file.
> When they were talking, it was impossible or very difficult to
> make out more than occasional words. When they drove their cars,
> I had to adjust the volume as it was just rumbling out of
> the speakers.

Perhaps the issue is specific to AC-3 decoded audio?

Try check if the audio stream of that movie is AC-3, and if so then try 
use mpv with the option --ad-lavc-ac3drc (read the man page for valid 
values).

If you experience similarly expanded dynamic range also for differently 
encoded audio sources then more likely there's a problem in how your 
system downmixes multi-channel audio (like deloptes is getting at).

NB! Consider switching to mpv in general, it is a successor to mplayer 
with many improvements.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting ghe (2020-03-09 21:23:54)
> 
> > Please note that the subject of this conversation is mp4 (not mp3).
> 
> It's claimed that sox will handle mp4:
> 
> https://stackoverflow.com/questions/2666425/how-to-i-configure-sox-to-work-on-mp4
> 
> (You do have to install LAME.)

In Debian, install libsox-fmt-mp3 (which links to liblame).


> > If you only process uncompressed audio then sox is fine.
> 
> It will do the mp's and flac. That I know of -- there may be others.

Yes, sox supports _some_ compression formats.  Far less than ffmpeg, and 
only audio, not video, and ffmpeg supports all those formats and many 
more.

So you only process audio and only in a format supported by sox, then 
sox is fine too.

If you don't want to fiddle with figuring out if your particular format 
is supported by sox, then use ffmpeg.

Shorter version of above: Use sox for uncompressed audio, ffmpeg for 
compressed audio and video.

It might be that sox has some support for AAC encoded m4a streams in an 
MPEG4 container.  I would however be quite surprised (even by that but 
also) if sox supported leaving other streams in such MPEG4 container 
alone, and supported reencoding to AAC and putting it back into the 
container, with audio-video sync intact.

The OP talked about normalizing music videos.  I assume that the OP 
wanted to to not only _listen_ to normalized music videos but also watch 
them.

My assumption might be totally wrong, in which case sox is a fine tool 
for the task.


> It normalizes things too. I do that in flac. I don't know if it 
> normalizes mp's.

Sox is a nice tool, for what it can do.

I was under the impression that it was unsuitable for the needs of the 
OP.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting David Wright (2020-03-09 19:08:26)
> On Mon 09 Mar 2020 at 12:26:53 (+0100), Jonas Smedegaard wrote:
> > So if high-quality normalization is not important (and you don't 
> > want to try play with stripping my script), then directly use 
> > ffmpeg, or use any other of the many many many ffmpeg-based tools 
> > available.
> > 
> > ...or use sox (but still use ffmpeg to extract audio part of mp4 
> > files).

Please note that the subject of this conversation is mp4 (not mp3).

Please also note that above quote was a continuation of this:

> If you only process uncompressed audio then sox is fine.


> I shall take a look at your script. But, thinking about the
> problem overall, I think there might be several reasons why
> I haven't personally felt the need for video companding:

No need to explain why you don't have same/similar needs as the OP :-)

If you neither have a need for audio-in-movie nor for EBU R-128, then I 
doubt you'll be excited about melt or my script (even it it also 
supports modes where it bypasses melt and runs ffmpeg directly).

All that said, you are of course quite welcome to look at my script, and 
even critisize it if you like (no doubt there are things in there worthy 
of pointing fingers at).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting David Wright (2020-03-09 04:15:41)
> On Sat 07 Mar 2020 at 12:12:18 (+0100), Jonas Smedegaard wrote:
> > Quoting David Wright (2020-03-07 04:56:05)
> > > On Fri 06 Mar 2020 at 20:33:48 (+0100), Emanuel Berg wrote:
> > > > how can I normalize the audio in mp4 video files? both WRT not 
> > > > having to lower the volume when there's a firefight and raise it 
> > > > when they start talking again, _and_ WRT playing several files, 
> > > > e.g. music videos, and having them have basically the same 
> > > > volume?
> > > > 
> > > > if need be, I can set volume modifications to each file, 
> > > > manually if I knew how to do it. this wouldn't work for 
> > > > firefight/talk movies tho.
> > > 
> > > I use the compand and gain effects in sox,
> > [...]
> > > The critical lines (embedded in a load of shell) are
> > >   ffmpeg -hide_banner -y -i "$1" -ar 44100 -ac 2 
> > > "$Unique0/$Filenumber.wav"
> > > where the $Filenumbers are 1+ sequence numbers so they collate,
> > >   sox "$Unique0"/1*.wav -t wav -r 44100 -b 16 -c 2 "$Unique0/0.wav" 
> > > compand 0.3,1 6:-70,-60,-20 -15 -90 0.2 gain -n -0.01;
> > > where the companding parameters are reasonably aggressive and the
> > > normalisation is "turned up to ten", and
> > >   lame -b "${Fixedbitrate:-128}" "$Unique0/0.wav" "$Unique0/0.mp3"
> > > is for fairly unendowed MP3 players.
> > [...]
> > > I would be interested if someone worked out how to do splitting, sox, 
> > > and recombining reliably enough to preserve the synchronisation. 
> > > (Automatic, but not on the fly.)
> > 
> > ffmpeg should be able to do the whole processing, if you want peak 
> > or RMS normalization.  If you want EBU R128 normalization then you 
> > need e.g. melt (which uses ffmpeg internally and adds aditional 
> > plugins).
> > 
> > Here is a good explanation on the difference between "peak", "RMS", 
> > and "EBU R-128": https://www.learndigitalaudio.com/normalize-audio
> > 
> > Hhere are some example of using ffmpeg: 
> > https://superuser.com/questions/323119/how-can-i-normalize-audio-using-ffmpeg
> 
> I don't think normalisation, on its own, would be of much help to me.
> Many digital recordings are mixed for perfect listening conditions,
> and that's often just not possible, so some degree of dynamic range
> compression is necessary *within* each track. And where the tracks
> segue on a CD, that necessitates concatenation, as least with my
> technique, making for longer tracks.

Agreed, you need more than (strictly speaking) normalization alone.

When OP wrote "how can I normalize" I read it to more casually imply 
possibly more parts than (striclty speaking) normalization alone.

That's why I wrote "the whole processing" above.

sox can (compress and) normalize audio.

ffmpeg can do (almost) same as sox, also embedded in video.

melt can do (almost) same as ffmpeg, and can do some parts better.


> I don't know whether/how movies are segmented (I've seen reference to 
> "chapters" but don't know what they are). But it sounds as if the OP 
> needs similar DR compression between or even within scenes.

Just like audio-in-music can be high dynamic range (one tune a flute 
solo, another an orchestra), so can audio-in-movie (one scene the sounds 
of bed sheets, another a car explosion): Audio is audio, it is dynamic.

Both audio-in-music and audio-in-movie can to change dynamic range per 
tune/scene or within them.  Depends on how it was composed, performed, 
recorded, and mixed.

Both audio-in-music and audio-in-movice can already be compressed.  
Depends on how it was mastered (i.e. post-processed).



The OP asked about 
normalization of audio, including audio embedded in video.


> > I use melt because I can then handle video as well - either do 
> > various compression of that as well, or "just" pass-through (which 
> > still involves the challenge of keeping audio and video in sync - 
> > which is more or less reliable depending on the container format of 
> > each video).
> 
> I'm not sure what type of video compression you mean: file size or 
> something else? We have one TV which can darken dark scenes and 
> brighten bright ones. Perhaps you need the opposite for watching 
> movies in the back seats of a car?

I meant file size.  Yes, not only dynamic range of audio but also color 
spaces can be compressed, but please let's limit this conversation to 
_audio_

Re: downgrade ghostscript to get convert etc working

[Jonas Smedegaard]

Quoting Marco Möller (2020-03-08 13:26:25)
> If the newer version (currently v9.50 in bullseye (testing)) would 
> solve the problem, then you may want to ask if someone could place 
> this newer version from bullseye into the buster-backports repository. 
> Afterwards you could install the backported version 9.50 from there 
> without hassle. This would be the Debian way to follow first. Only if 
> not succeeding this way, then think about tinkering.
> 
> More information on this concept can be found here:
> https://backports.debian.org/
> The corresponding mailing list is this one:
> https://lists.debian.org/debian-backports/

Above advice is sensible in general.

For this particular issue, look into upgrading _other_ parts of the 
command chain than Ghostscript, however (as per my previous post).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: downgrade ghostscript to get convert etc working

[Jonas Smedegaard]

Quoting Emanuel Berg (2020-03-07 23:07:16)
> It seems convert doesn't work on Debian Buster, I get an error for
> this command
> 
>   convert -composite $bg $fg -gravity center comp.png
>   
> namely this message: "convert-im6.q16: no images defined `comp.png'
> @ error/convert.c/ConvertImageCommand/3258."
> 
> I heard the solution is downgrade ghostscript but
> 'aptitude versions' only shows one version, 9.27 (or
> 9.27~dfsg-2+deb10u3).
> 
> Do I need to add additional sources or how do
> I downgrade to a version that doesn't have the bug?

The solution is *not* to downgrade: It is a security-related change.

The solution is therefore to fix the Postscript code.

That said, if you insist on doing a potentially dangerous _workaround_ 
then there's https://snapshot.debian.org/


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting David Wright (2020-03-07 04:56:05)
> On Fri 06 Mar 2020 at 20:33:48 (+0100), Emanuel Berg wrote:
> > how can I normalize the audio in mp4 video files? both WRT not
> > having to lower the volume when there's a firefight and raise it
> > when they start talking again, _and_ WRT playing several files, e.g.
> > music videos, and having them have basically the same volume?
> > 
> > if need be, I can set volume modifications to each file, manually if
> > I knew how to do it. this wouldn't work for firefight/talk
> > movies tho.
> 
> I use the compand and gain effects in sox,
[...]
> The critical lines (embedded in a load of shell) are
>   ffmpeg -hide_banner -y -i "$1" -ar 44100 -ac 2 "$Unique0/$Filenumber.wav"
> where the $Filenumbers are 1+ sequence numbers so they collate,
>   sox "$Unique0"/1*.wav -t wav -r 44100 -b 16 -c 2 "$Unique0/0.wav" compand 
> 0.3,1 6:-70,-60,-20 -15 -90 0.2 gain -n -0.01;
> where the companding parameters are reasonably aggressive and the
> normalisation is "turned up to ten", and
>   lame -b "${Fixedbitrate:-128}" "$Unique0/0.wav" "$Unique0/0.mp3"
> is for fairly unendowed MP3 players.
[...]
> I would be interested if someone worked out how to do splitting, sox, 
> and recombining reliably enough to preserve the synchronisation. 
> (Automatic, but not on the fly.)

ffmpeg should be able to do the whole processing, if you want peak or 
RMS normalization.  If you want EBU R128 normalization then you need 
e.g. melt (which uses ffmpeg internally and adds aditional plugins).

Here is a good explanation on the difference between "peak", "RMS", and 
"EBU R-128": https://www.learndigitalaudio.com/normalize-audio

Hhere are some example of using ffmpeg: 
https://superuser.com/questions/323119/how-can-i-normalize-audio-using-ffmpeg

I use melt because I can then handle video as well - either do various 
compression of that as well, or "just" pass-through (which still 
involves the challenge of keeping audio and video in sync - which is 
more or less reliable depending on the container format of each video).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: normalize audio in mp4s

[Jonas Smedegaard]

Quoting David Christensen (2020-03-07 03:41:22)
> On 2020-03-06 18:05, Emanuel Berg wrote:
> 
> 
> 
> > Well, it sounds advanced... Yes, its a stereo alright, that much
> > I know.
> > 
> > I tried this but it sounds so bad I even had to put a warning in
> > a comment:
> > 
> > # first do:
> > # $ pip install ffmpeg-normalize
> > #
> > # but... don't use, at least not with music, sounds terrible :(
> > get-mp3-normalized () {
> >  local -a files
> >  files=($@)
> > 
> >  local dB=-10 # db/LUFS
> > 
> >  for f in $files; do
> >  ffmpeg-normalize -f -c:a libmp3lame -t $dB -ext mp3 $f
> >  done
> > } # [1]
> > 
> > 
> > [1] https://dataswamp.org/~incal/conf/.zsh/audio-convert
> 
> It is going to be difficult or impossible to get good results across 
> many different mp4 files by feeding them all through a command-line tool 
> with the same set of options.  It might be possible to script a solution 
> that uses command-line tools to analyze each file and tune the options, 
> but I dunno...
> 
> 
> The most direct path to good results would be to use an interactive 
> audio editor.  Then it's up to your skills as an audio engineer.  As, 
> Audacity only does audio files, the workflow would be to use a video 
> tool to extract the audio tracks, rework the audio with Audacity, and 
> then use a video tool to replace the old audio with the new audio.
> 
> 
> Be sure you backup your original files before you start messing with them.

If you want something you can throw into a script, I recommend to look 
at melt and use its "loudness" filter.

You will want to run it in two-pass mode, so that it knows ahead the 
dynamics of each "tune" (or movie).

It can be tricky to capture the output from first pass and feed it into 
second pass (because the main use for the MLT framework is not the 
command-line tool melt but instead XML-based linkage to GUI tools).

Maybe this script is useful for inspiration: 
http://source.jones.dk/bin.git/tree/localvideowebencode


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: don't hijack a thread

[Jonas Smedegaard]

Quoting Gene Heskett (2020-03-05 19:13:54)
> off topic, but

Please change subject line when, well, changing subject.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: cannot view Trash?

[Jonas Smedegaard]

Quoting kaye n (2020-03-05 18:02:45)
> I'm going to assume that none of you saw or received my email earlier, 
> so here it is again.

No, that is not how this mailinglist works.

If you are in doubt that your message was processed, you can check if it 
appears in the public archive at https://lists.debian.org/debian-user/


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: ASUSTek Computer, Inc. USB-N13 802.11n Network Adapter (rev. B1) [Realtek RTL8192CU]

[Jonas Smedegaard]

[ replying via list, assuming off-list reply was accidental ]

Quoting deloptes (2020-03-04 19:31:06)
> Jonas Smedegaard wrote:
> 
> > Quoting Charles Curley (2020-03-04 18:01:50)
> >> Mar  4 09:53:22 chaffee kernel: [2078550.601134] CPU: 0 PID: 20521 Comm:
> >> kworker/0:0 Tainted: G        W         4.19.0-8-686 #1 Debian 4.19.98-1
> >> Mar  4 09:53:22 chaffee kernel: [2078550.614861] Hardware name: CompuLab
> >> AMD "CM-iGLX" Geode LX/CS5536 /CM-iGLX Platform, BIOS Version 5.2
> >> 09/02/2007
> > 
> > Not sure, but it looks like your CPU is one of those no longer 
> > supported by Debian.
> > 
> > If true, then depending on exactly how it no longer fits it might 
> > lead to _sometimes_ working but not always, and it might be that the 
> > wireless driver hits one of those areas not working?
> 
> I have geode gx2, but it has only USB1 interface.

Ah ok, it was the "Geode LX" in the log that got me worried.


> It might be that 686 supports it. I compile the kernel anyway myself. 
> Support is there and all works pretty well.

Sounds irrelevant here, so just for others stumbling upon this: 
Compiling the kernel yourself ensures that the _kernel_ supports the 
baseline you manage to configure/patch it to support, but the rest of 
system (likely including wifi, although not the kernel modules) may 
still have a different baseline (unless you recompile everything, but 
then please don't call it Debian).


Enjoy,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: ASUSTek Computer, Inc. USB-N13 802.11n Network Adapter (rev. B1) [Realtek RTL8192CU]

[Jonas Smedegaard]

Quoting Charles Curley (2020-03-04 18:01:50)
> Mar  4 09:53:22 chaffee kernel: [2078550.601134] CPU: 0 PID: 20521 Comm: 
> kworker/0:0 Tainted: GW 4.19.0-8-686 #1 Debian 4.19.98-1
> Mar  4 09:53:22 chaffee kernel: [2078550.614861] Hardware name: CompuLab AMD 
> "CM-iGLX" Geode LX/CS5536 /CM-iGLX Platform, BIOS Version 5.2 09/02/2007

Not sure, but it looks like your CPU is one of those no longer supported 
by Debian.

If true, then depending on exactly how it no longer fits it might lead 
to _sometimes_ working but not always, and it might be that the wireless 
driver hits one of those areas not working?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: HPLIP - upgrade to 3.20.0 and can no longer print.

[Jonas Smedegaard]

Quoting Brad Rogers (2020-03-04 16:04:07)
> On Wed, 04 Mar 2020 15:47:45 +0100
> Jonas Smedegaard  wrote:
> 
> >Thanks for clarifying.  Yes, the two bugs filed today relates only to
> 
> I was too wrapped up in details to see the blindingly obvious
> 
> >unstable, and your explicitly omitting details about suppressed 
> >recommended packages must mean that you have none of that.
> 
> I don't routinely install recommended packages.  AFAICS, the 
> recommends for hplip relate mostly to scanning, rather than printing 
> so probably not relevant.  Of course, I'm no expert.

When you routinely ignore recommendations from those developing your 
system, then I find it all too likely that your system is too broken in 
too many surprising ways.

Feel free to insist that ignoring recommendations works fine for you 
(others before you have insisted on that), just please mention 
explicitly that practice of yours when seeking help, so that those 
believing in the sanity of following recommendations can avoid getting 
frustrated figuring out which not-broken-by-another-definition breakage 
might have caused your issue.


> Should I still go ahead and file a report?

I don't know.

Good luck with your system.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: HPLIP - upgrade to 3.20.0 and can no longer print.

[Jonas Smedegaard]

Quoting Brad Rogers (2020-03-04 15:18:47)
> On Wed, 04 Mar 2020 09:03:04 -0500
> The Wanderer  wrote:
> >I wonder whether this might therefore be the result of a change in 
> >cups, rather than in hplip.
> 
> Thanks for the pointer.  Frankly, I have no idea what the change in 
> CUPS means.  That is, what are the implications WRT to hplip?
> 
> Should I be removing hplip, for example?

I recommend to file a bugreport, which also means you get feedback from 
those maintaining the package.

I recommend to file the issue against the package where you experienced 
it - hplip - it is easy later reassign as needed.

It is nice, however, that you mention in the bugreport how you've been 
suggested this possible relationship with CUPS.


> If yes, that would be a pity, since hplip has some features I find 
> useful, though not essential.  I can, for example, simply walk to the 
> printer to find out about ink levels, but it's nice to be able to do 
> that job without moving from the desk.

Share your concerns with those who can actually act on this: The Debian 
maintainers of the package you are concerned about: I.e. consider file a 
(low severity) bugreport against cups raising your concerns about 
weakened user experience.  Phrase is constructively and friendly - if it 
is perceived as "whining" (regardless of whether that was your 
intention) then there's obviously a higher risk that the bugreport will 
be dismissed without proper reflection.


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: HPLIP - upgrade to 3.20.0 and can no longer print.

[Jonas Smedegaard]

Quoting Brad Rogers (2020-03-04 15:20:00)
> On Wed, 04 Mar 2020 15:00:39 +0100
> Jonas Smedegaard  wrote:
> >Please mention when you use testing/unstable.
> I'm on testing, and there are no reports at Debian's hplip page.  Nor 
> can I find reports at the HP hplip support site.

Thanks for clarifying.  Yes, the two bugs filed today relates only to 
unstable, and your explicitly omitting details about suppressed 
recommended packages must mean that you have none of that.

This seems an excellent case of an issue that needs reporting.

Please do file this as a bug in Debian.

Thanks for bringing it up here first.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: HPLIP - upgrade to 3.20.0 and can no longer print.

[Jonas Smedegaard]

Hi Brad,

Quoting Brad Rogers (2020-03-04 14:44:55)
> Is anybody else having issues with hplip 3.20.0?

Please mention when you use testing/unstable.

When you do use testing/unstable then please check yourself for reported 
bugs before asking here.

Also, please mention if you have suppressed installation of recommended 
packages.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: [SOLVED] Can I run dnsmasq as boot server in my environment

[Jonas Smedegaard]

Quoting deloptes (2020-03-03 21:07:44)
> David wrote:
> 
> > [...]
> > 
> >> But the codes, alas, are not interpretable according to the
> >> ref given. An exercise for the reader :)
> >>
> >> [1] https://en.wikipedia.org/wiki/DHCP#Options
> > 
> > My guess (untested) would be per Section 8.4 in
> > https://tools.ietf.org/html/rfc2132
> > with the leading Code=43 and Len=n
> > octets possibly prepended by the software.
> > 
> > And a bit of idle searching [1] suggests that perhaps (untested)
> > only the trailing "Raspberry Pi Boot" string is required.
> > 
> > Also I notice that 50:58:45 spells "PXE".
> > 
> > [1] https://www.raspberrypi.org/forums/viewtopic.php?t=209247#p1294345
> 
> Hi, I read the DHCP documentation, but it does not specify how those options
> are encapsulated. The string "Raspberry Pi Boot" was not sufficient to do
> the work. I guess it is important to code the whole structure incl. this
> PXE (50:58:45) 
> 
> https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-options#VENDOR%20ENCAPSULATED%20OPTIONS

Many years ago I messed with PXE booting, and found the official ISC 
documentation insufficient for me to grasp it.  Maybe you and others 
find my old config snippets - and the comments in them - enlightening 
for your present use case - especially this one: 
http://source.jones.dk/local-COMMON.git/tree/dhcp3/dhcpd.pxe


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Music players that save (different) volume settings for each song (was: Re: mplayer with -loop 0 but w/o volume reset?

[Jonas Smedegaard]

Quoting rhkra...@gmail.com (2020-03-03 13:22:49)
> (I'm not the OP.)  I wonder if there are any music players that can 
> save a (play)list along with a selected volume for each song on the 
> playlist?  (Or use a database of songs with volume setting, and then 
> access the database as the playlist calls for a song?)
> 
> (I'm aware of things (not sure that any are implemented in LInux music 
> players) that try to "normalize" the audio by either reviewing the 
> content of the entire song or some portion of it and and adjust the 
> volume to be similar to the volume of other songs on the playlist, but 
> those don't always work as well as I would like.  Something that 
> allowed you to set a volume for each song (and maybe even store a list 
> of volume changes for songs that had large changes in volume) would be 
> nice.)

I would use ID3 tags as "database", like this:

 2. Load all tunes into Picard, compute ReplayGain, and apply tags
 3. Use a player which respects ReplayGain tags to normalize volume
 4. Where some ReplayGain values are "wrong", manually adjust tags

Personally I would use Picard for tagging and ReplayGain computing 
(hint: configure it to enable module "ReplayGain"), and I would use MPD 
+ mpd-sima + ncmpcpp as player, but there are many many many options and 
most of them follows same general flow described above.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Zoom conferencing

[Jonas Smedegaard]

[ replying only where I am subscribed ]

Quoting Joel Rees (2020-03-01 06:08:27)
> (I hope no one gets upset about double posting debian and ubuntu users
> lists.)
> 
> Questions about zoom -- www.zoom.us
> 
> Anyone using it?
> 
> Issues?
> 
> Known reasons they don't put it in the general repositories?

Zoom is non-free.

You might find relevant some of my notes on voice/video chat tools and 
services here: 
https://source.redpill.dk/media-stream-hosting.git/tree/README.md


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: set gnome locales to C.UTF-8

[Jonas Smedegaard]

Quoting Ted Baker (2020-02-28 22:41:27)
> Thanks, I was referring to john doe's earlier comment "In other words, 
> one language needs to be selected in order to be able to choose 'none' 
> (use none if you access the host through SSH) or 'C.UTF-8."
> 
> And the fact that in dpkg-reconfigure locales, I didn't see the option 
> for C.UTF-8.

You are asked first which locales to generate, then which to use per 
default.

There's nothing to _generate_ for C.UTF-8 so you won't find it in first 
dialog, only in second.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: new, not nice web bots disposal

[Jonas Smedegaard]

Quoting Gene Heskett (2020-02-26 09:57:51)
> over the last 90 days or so, we seem to have been plauged with a new 
> breed of bots scanning our web pages, and they are not just indexing 
> our web pages I don't mind that, but they are ignoring our robots.txt 
> and are mirroring anything apache2 can reach, including stuff thats 
> there but not reachable by a normal browser just looking around and 
> clicking on links.  Its annoying as hell and when you're out in the 
> pucker-brush on a 10 megabit ADSL, eats up ones available upload 
> bandwidth of about 275kbytes/s.

Download "eating" upload on ADSL might be due to bufferbloat: 
https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: One more thing about slim: It may no longer be a Maintained Package

[Jonas Smedegaard]

Quoting Kenneth Parker (2020-02-25 02:03:28)
> Based on another Thread, I decided to try out the slim Package on a new,
> Text-Only Debian Buster system (on USB).I got the same issue, about not
> getting into Graphics.
> 
> But the reason for this Thread?  The Package slim may not even be a good
> Package to use anymore.
> 
> According to an Arch Wiki article on it [1], "the SLiM Project has been
> Abandoned (last Release was 2013...)"
> 
> Perhaps, that changes things in the other Thread?

Please then file a bugreport,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Local search broken for documentation of numpy, matplotlib

[Jonas Smedegaard]

[ replying via mailinglist, assuming private reply was accidental ]

Quoting Raj Kiran Grandhi (2020-02-24 15:33:26)
> On Mon, Feb 24, 2020 at 1:02 PM Jonas Smedegaard  
> wrote:
> >
> > Sounds like a bug, probably in one of the packages suggested by 
> > doc-base:
> >
> > $ apt-cache show doc-base | grep ^Suggests Suggests: dhelp | dwww | 
> > doc-central | yelp | khelpcenter, rarian-compat
> >
> > Please, besides looking for ways to work around this issue, report 
> > it as a bug: https://www.debian.org/Bugs/Reporting
> >
> 
> When trying to file a bug report for python-matplotlib-doc, reportbug 
> suggested installing the latest version from sid. Installing the sid 
> version of the python-matplotlib-doc has fixed the search problem. 
> Same for python-numpy-doc and python-scipy-doc. I have not continued 
> with filing the bug report as the bugs seem to have been fixed. Do you 
> think I should file it anyway?
> 
> The only minor quirk is that the versions of the *-doc packages don't 
> match with the actual library version. I can live with that :-)

I suggest to check the changelogs (upstream and Debian-specific, 
whichever applies to the delta between the version you had before and 
the version you now installed from sid) to see if the issue is 
_knowingly_ fixed - becaue if not then it might reappear later.  In 
other words, I recommend filing as a bug if it seems the issue was 
solved without anyone noticing it.

Worst thing I can imagine happening if you file a bugreport is that you 
receice an angry email saying something like "you idiot, you have wasted 
2 minutes of my life writing this bug-closing email because I don't care 
as much about this code as you do and therefore want it to _look_ well 
maintained and users obviously cannot possibly know better than me what 
that means" - which you can then simply ignore: You did you best!


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Local search broken for documentation of numpy, matplotlib

[Jonas Smedegaard]

Hi Raj,

Quoting Raj Kiran Grandhi (2020-02-24 03:41:00)
> Since upgrading to Buster, the search functionality for some packages 
> like python-numpy-doc and python-matplotlib-doc is no longer working. 
> The search page just displays the progress indicator graphic without 
> generating any results. This is an issue for me as my primary work 
> computer has no internet access. Google search indicates it could be 
> an issue with the document generation tool, sphinx, that is used to 
> generate the documentation.
> 
> Is there any workaround to get the search functionality back?

Sounds like a bug, probably in one of the packages suggested by 
doc-base:

$ apt-cache show doc-base | grep ^Suggests
Suggests: dhelp | dwww | doc-central | yelp | khelpcenter, rarian-compat

Please, besides looking for ways to work around this issue, report it as 
a bug: https://www.debian.org/Bugs/Reporting


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Installing chromium uninstalls runit-init

[Jonas Smedegaard]

Quoting Mark Raynsford (2020-02-22 17:38:20)
> 'Ello.
> 
> On 2020-02-22T17:32:59 +0100
> Jonas Smedegaard  wrote:
> >
> > Maybe you have... held broken packages?
> > 
> > If you use aptitude instead of apt, then you can step through more 
> > options, including options involving downgrading (which is 
> > unsupported by Debian, but since your system is already broken I 
> > guess you prefer "cheating" over reinstalling from scratch).
> 
> I haven't held any packages. This install is a few hours old and I've 
> barely touched any of the default settings... What gave you the 
> impression my system is broken?
> 
> I'm happy to try aptitude. I've been using apt elsewhere, but for no 
> particular reason.

What gave me the impression was the error message that you snipped.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Installing chromium uninstalls runit-init

[Jonas Smedegaard]

Hi Mark,

Quoting Mark Raynsford (2020-02-22 17:24:01)
> On 2020-02-22T17:08:48 +0100
>  wrote:
> > I had a similar situation with firefox wanting to install systemd.
> > 
> > Just for kicks, try
> > 
> >   apt install chromium sysvinit-core
> > 
> > If that works, you'd perhaps want to adapt your apt-preferences
> > (either pushing sysvinit-core or lowering systemd).
> > 
> > Cheers
> > -- tomás
> 
> No such luck, unfortunately:
> 
> # apt install chromium sysvinit-core
> Reading package lists... Done
> Building dependency tree   
> Reading state information... Done
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
> 
> The following packages have unmet dependencies:
>  chromium : Depends: libgtk-3-0 (>= 3.9.10) but it is not going to be
> installed E: Unable to correct problems, you have held broken packages.

Maybe you have... held broken packages?

If you use aptitude instead of apt, then you can step through more 
options, including options involving downgrading (which is unsupported 
by Debian, but since your system is already broken I guess you prefer 
"cheating" over reinstalling from scratch).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Choice of "mailname" for mail server: suggestions welcome

[Jonas Smedegaard]

Quoting Tom Browder (2020-02-21 13:17:52)
> On Fri, Feb 21, 2020 at 06:00 Jonas Smedegaard  wrote:
> 
> > Hi tom,
> >
> ...
> 
> > > Does anyone have strong reasons to use one over another, or any other
> >
> > choice?
> >
> ...
> 
> > Depends on the purpose of the name(s).
> 
> ...
> 
> Thanks, Jonas, that makes good sense. Based on that I should use 
> "mail" and maybe "mail2" for my backup mail server.

Only if by "backup" you mean mirror of mail services generally - i.e. 
also for your users to connect to for fetching their mail when the 
primary server is down.

Otherwise, if you mean MX backup then I would use "mx2" for the backup 
host (and I would then consider naming the primary host _both_ "mail" 
and "mx1" so that I can use "mx1" and "mx2" for MX records.


> One of the reasons I asked was I know Gmail used to use something like 
> " smtp.gmail.com" for its smtp server and thought that might be 
> popular among sysadmins with such servers.

Lots of names are popular for various reasons.

Google has numerous hosts serving specifc services, likely with failover 
so that one hostname is even used for multiple hosts behind the scenes.

So if your setup is complex, then name each service, and number it too.

...but if you want simplicity, then beware that for each hostname you 
may (now or later) need to fumble with TLS certificates and/or DNSSEC 
signing keys.

...and beware that your users are not helped by hosts named by services 
but will likely find it geeky that they need to use "smpt2" to send and 
"pop3" to receive (unless of course they are all geeks, where they might 
prefer hosts named by characters in Tolkien books or Star Wars).


As Michael also mentioned, some mail clients blindly assume the world 
uses specific names for user-facing incoming and outgoing services, and 
probe those names before asking the user.  Personally I have found it 
least confusing for my users to tell them that "the server is 
mail-dot-our-domain for all user-facing services - both incoming and 
outgoing", and I then setup hints for those mail clients that wants to 
auto-configure.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Choice of "mailname" for mail server: suggestions welcome

[Jonas Smedegaard]

Hi tom,

Quoting Tom Browder (2020-02-21 12:09:47)
> I am preparing servers to use with OpenSMTPD and Sympa to provide mail 
> and mailing list service.
> 
> I need to settle on names to define as the "mailname" for each the two 
> servers I will designate for the DNS MX records for all my 
> mail-enabled domains. The mailnames should be "fully qualified domain 
> names" (FQDNs) so they will have names like:
> 
> + mail.example.com
> + smtp.example.com
> + mx.example.com
> 
> Does anyone have strong reasons to use one over another, or any other 
> choice?

Depends on the purpose of the name(s).

If you run everything on a single host, then mail.example.com.

If you need to distinguish mail routing from other tasks (e.g. when 
running a spam filter on a different host and you want to tell other 
smtp servers to deliver to that instead of directly to your main mail 
server), then mx.example.com (or mx1.example.com) for that.

Similar for other names: Use protocol or other special name to emphasize 
that service, otherwise it is more confusing than helping.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: Debian GNU/Linux 9 (stretch) was broken after upgraded from stretch-backports.

[Jonas Smedegaard]

Quoting Nektarios Katakis (2020-02-19 12:16:20)
> Interesting I thought you could downgrade with the package manager. 
> from the looks of it you end up with an unstable system. I had removed 
> repos in the past and the packages were removed automatically but I 
> guess I was lucky!

You _can_ downgrade with apt-based package managers, but it is 
unsupported, so indeed when it works you should feel lucky :-)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: iwlwifi problem with Debian kernel 5.4.0-4-amd64

[Jonas Smedegaard]

Quoting Stefan Pietsch (2020-02-14 22:36:39)
> iwlwifi has a problem with the latest Debian unstable kernel package 
> (5.4.0-4-amd64).
> The wifi interface is not usable.
> 
> 5.4.0-3-amd64 works fine instead.
> 
> Is anyone experiencing the same problem?

Best way to find out is to check if anyone has filed a bugreport.

...and to file a bugreport if noone has done so already, so that others 
can find _your_ experience same way.

In short: Please file bugreports when you experience regressions!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: PAM Configuration

[Jonas Smedegaard]

Hi Christoph.

Quoting Christoph Pleger (2020-02-14 13:25:24)
> I created a PAM configuration with the goal to make it possible that a 
> user can either login by inserting a smartcard into a card reader and 
> entering the correct PIN, or by entering the traditional UNIX 
> password. This is what my /etc/pam.d/common-auth looks like:

[...]

> auth[success=2 default=ignore]  pam_p11.so 
> /usr/local/lib/libcvP11.so

[...]

> This works nearly exactly as desired, "nearly" because though the 
> login with unix password works, the application shows "Login failed" 
> for a short time. Is there something I can change in the above file to 
> avoid this message?

I don't know what local library it is you used, but I encourage you to 
consider the use of Debian packages libpam-p11 libpam-pkcs11 and 
libpam-poldi - or if you already considered those then share why you 
rejected them.

...and then I suggest check their documentation - perhaps they already 
cover the combination use case that you are exploring.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Getting started with mmdebstrap / chroot Operation not permitted.

[Jonas Smedegaard]

Quoting Linux-Fan (2020-02-13 21:40:13)
> Jonas Smedegaard writes:
> 
> > Quoting Linux-Fan (2020-02-13 20:29:47)
> > > having seen this recently on the mailing list, I am interested to 
> > > try out `mmdebstrap` (as a replacement for `debootstrap`). The 
> > > ultimate goal of my use of these utilities is to arrive at an 
> > > image suitable for booting an armhf SBC (Banana Pi M2+ EDU). 
> > > Existing (overly complicated and not debian-only)

[...]

> > Beware that this is more of a development question than a user 
> > question. Yes, developers are users too - my point is that those 
> > following this mailinglist are less likely to be able to help with 
> > issues of "splitting atoms" of an operating system than with 
> > adjusting configfiles of an officially installed one.
> 
> Thanks. I saw that there are some bug-reports and that development is 
> active. Maybe it makes sense to do a bug-report, because from my point 
> of view it is easy to reproduce (no need to bother with ARM yet, I 
> just tried the "basic" invocation to create a stable chroot for my 
> "native" amd64 architecture).
> 
> Being such a simple invocation, I thought I must have made some rather 
> obvious mistake, because my command very much follows the manpage. I 
> had thought that the complex part would only come afterwards :)

I dearly recommend you to file bugreports: From your approach it sounds 
like if nothing else then you have found bugs in the documentation!

As you might have noticed as well, Johannes (author of mmdebstrap) is 
excellent not only in writing code but also in bug hunting!  I really 
admire his attention to detail!


> > I recommend to read section "MODES" in man page for mmdebstrap, 
> > which nicely lays out how different approaches complicates matters 
> > in different ways.
> 
> I saw it. For now, the "root" mode works. Before I think it 
> automatically went with "fakechroot" and failed... maybe I should 
> investigate this "unshare" mode?

Pleay around with different modes, but don't settle with working around 
possibly buggy code or documentation: Please contribute by sharing the 
(possible) flaws you stumble upon in your exploration of this novel 
tool.


> I arrived at what seems to be a suitable image (not near the hardware 
> to test at the moment...) in just a few hours -- back when I did it 
> with debootstrap there was much more waiting involved and a lot of 
> fiddling with qemu-user-static etc. which took me more than a day just 
> for the filesystem tree.

Sounds like you could also help by sharing what you have found works for 
you so far: Create a page at wiki.debian.org and/or blog about it!


> > One way to simplify things is to build on ARM.
> 
> The problem is: I have that board and it is usually "in use" 
> (currently on oldstable). I can turn it off temporarily for testing, 
> but it is not so much a "development system". Besides, I get the 
> impression that even if the emulation is not really "faster" (?), it 
> is less a stain on the hardware when I run the compute-intensive part 
> on amd64 (usually a little server, currently a "sturdy enough" laptop 
> :) ) than on the single board computer.

I recognize the dilemma.  You can postpone, but the obvious solution to 
that issue of yours is to buy a few more boards so you have some to play 
with.  And sure, AMD64 is faster than 32-bit ARM - but what I was 
thinking was to use your shiny new 64-bit Olimex Teres-1 laptop that you 
go buy right after reading this email :-D


> And then, running oldstable and a non-Debian kernel, I would not 
> consider it a good "development machine" from the software side 
> either?

Your _development_ environment would not be oldstable but testing: Even 
if your target system is oldstable, you still want to develop on a 
system which includes mmdebstrap ;-)


> For me it is one of the points to "take home" from buying a cheap ARM 
> SBC: Software support can be difficult. So maybe next time I will be 
> smarter to acquire something "amd64" or something well-supported like 
> the "omnipresent" Raspberry Pi (although some recent list posts seemed 
> to suggest that a "pure" Debian does not run on their newest 
> incarnation yet...). On the other hand, this little Banana Pi M2+EDU 
> despite being very little supported from the software side, seems to 
> run just well 24/7 for prolonged amounts of time (it had more than 300 
> days of uptime, but as of now, everything is offline for maintenance).

I certainly don't recommend RPi.  I recommend OSHW-certified boards like 
the Olimex LIME2 - quite similar to 

Re: Mac El Capitan Dual Boot

[Jonas Smedegaard]

Quoting Charles Curley (2020-02-13 19:56:31)
> On Thu, 13 Feb 2020 12:03:20 -0500
> Kenneth Parker  wrote:
> 
> > I am helping a friend install Debian on an older MacBook, running OS 
> > X 10.11 (El Capitan).
> 
> How old? The current version of Mac OS is Catalina, 10.15.3. This on a 
> Macbook Air made in mid-2012. ( -> About this Mac)

More info here: https://wiki.debian.org/InstallingDebianOn/Apple


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Getting started with mmdebstrap / chroot Operation not permitted.

[Jonas Smedegaard]

 /var/cache/apt/archives//bash_5.0-4_amd64.deb 
> /var/cache/apt/archives//grep_3.3-1_amd64.deb 
> /var/cache/apt/archives//libacl1_2.2.53-4_amd64.deb 
> /var/cache/apt/archives//debianutils_4.8.6.1_amd64.deb 
> /var/cache/apt/archives//libpam-modules_1.3.1-5_amd64.deb failed
> I: removing tempdir /tmp/mmdebstrap.r10cMA6wAV...
> ~~~
> 
> When I run the same command as root, it proceeds without error. However, I  
> wanted to try out this nice possibility of creating chroots without root and  
> so far, it does not seem to work. How can I get to work mmdebstrap without
> being root?
> 
> OS: Debian 10 (buster/stable) amd64.
> /tmp resides on the root filesystem (ext4).

Beware that this is more of a development question than a user question.  
Yes, developers are users too - my point is that those following this 
mailinglist are less likely to be able to help with issues of "splitting 
atoms" of an operating system than with adjusting configfiles of an 
officially installed one.

I recommend to read section "MODES" in man page for mmdebstrap, which 
nicely lays out how different approaches complicates matters in 
different ways.

One way to simplify things is to build on ARM.

Another is to generate not a filesystem but a tarball (and then use 
different approach to turn that into a bootable image).

Yet another is (likely) to target bullseye instead of buster.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Mac El Capitan Dual Boot

[Jonas Smedegaard]

Quoting Kenneth Parker (2020-02-13 18:03:20)
> I am helping a friend install Debian on an older MacBook, running OS X
> 10.11 (El Capitan).  It currently has a single 300G HFS Plus (Journaled)
> Partition, with lots of free space.
> 
> He wants to keep OS X, and use Buster (or Sid, leading to the next Stable
> Release).
> 
> He wants to shrink the Mac Partition, create a couple more for this.  (I
> explained the need for two, including a Swap Partition to him).
> 
> He thinks that Debian should be able to work on the same HFS Plus Disk
> format.  Has anyone tried this?
> 
> This is all preliminary now, as I am trying to talk him into ext4 for the
> Debian Partition and, if he needs a place to share files, put a small,
> fourth vfat Partition in for that.

Debian (and Linux in general) supports read-write access to HFS+ 
partitions, but it is unreliable.  I would expect it to be difficult to 
setup and the result would be unreliable (either because you would end 
up depending on the unreliable HFS+ write access, or because you would 
end up having a too complex to reliably maintain stack of hacks to work 
around the unreliable HFS+ write access).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting D. R. Evans (2020-02-13 17:15:47)
> D. R. Evans wrote on 2/12/20 4:58 PM:
> 
> > For what it's worth, "aplay -l" says, for the port I'm using:
> > 
> > card 0: PCH [HDA Intel PCH], device 0: ALC888-VD Analog [ALC888-VD Analog]
> >   Subdevices: 0/1
> >   Subdevice #0: subdevice #0
> > 
> 
> I'm wondering if there's a problem with the sound driver that the system is
> using, and therefore:
>   1. How to determine which driver I'm using?
>   2. How to switch to a different driver, if one is available?

Try look here: https://wiki.debian.org/ALSA

...and here: https://alsa.opensrc.org/Sound_Cards:_Introduction

...and lastly here: https://www.alsa-project.org/wiki/Main_Page


Enjoy!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting Doug McGarrett (2020-02-13 01:15:57)
> 
> 
> On 2/12/20 6:39 PM, Jonas Smedegaard wrote:
> > Quoting D. R. Evans (2020-02-12 23:54:16)
> >> Jonas Smedegaard wrote on 2/12/20 3:19 PM:
> >>
> /snip/
> 
> > is more resource heave in my experience.  An area righ in bikeshedding.
> > 
> What on earth is bikeshedding? That's a new one on me!

That's when you ask something in a large community that is easy to have 
an opinion on and with many possible opinions - e.g. asking "which color 
should we paint our bikeshed?" or "what disk format is best" or "which 
computer should I buy?"

https://en.wikipedia.org/wiki/Law_of_triviality


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting D. R. Evans (2020-02-12 23:54:16)
> Jonas Smedegaard wrote on 2/12/20 3:19 PM:
> 
> > Another thing you might try is go "below" Pulseaudio and mess 
> > directly with ALSA settings:
> > 
> > Install the package alsa-utils and run (in a terminal) the tool 
> > alsamixer
> > 
> > By default it will probably show a single volume control for a 
> > virtual audio card called Pulseaudio - switch to your real 
> > underlying audio card by hitting F6 and select it.  Try play around 
> > with that...
> 
> All the outputs are set to 100. Lowering them does make things (even) 
> quieter; but that's not very helpful, of course.

I recommend to play with other tunables than the volume controls alone - 
but if your audio card is simple then possibly there are none.

I also suggest that you try test audio levels of other programs than the 
ones you normally use - to rule out eventual presets in those 
applications.  My favorite general audio/video player is mpv.  Others 
swear to mplayer (which predates mpv) or VLC (which each too much 
resources in my experience) or various GStreamer based tools which again 
is more resource heave in my experience.  An area righ in bikeshedding.

Next layer is the system configuration of ALSA.  Look at /etc/alsa/* and 
/usr/share/alsa/* and read the documentation and engage in chat forums.

Next layer after that is the kernel modules. Look at /etc/modprobe.d/* 
and /etc/modules-load.d/* and /etc/modules and 
/etc/initramfs-tools/modules and read various documentation etc.

Or buy an audio card.  Which one to pick depends on several factors, and 
has plenty of room for bikeshedding.  Personally I would buy either a 
dirt cheap no-name USB card or one specific one which is not really 
cheap nor very featureful except one feature that I have looked high and 
low for: a single minijack plug (not two separate ones) for both audio 
in and out following the CTIA wiring standard same as non-chinese-market 
smartphones (so that I can easily use it for video conferencing): 
https://en.wikipedia.org/wiki/Phone_connector_(audio)#TRRS_standards - 
the only audio card I have found supporting that standard is the "Sound 
BlasterX G1" from Creative.

My help stops here...

Good luck,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting elvis (2020-02-12 22:53:36)
> 
> On 13/2/20 3:34 am, D. R. Evans wrote:
> > I just installed buster on a new (to me) machine, and the audio level is 
> > very
> > low. With all the mixer controls and the physical volume control on the
> > speakers turned up, I can hear audio, but even then it is unpleasantly 
> > quiet,
> > certainly nothing one would want to listen to.
> >
> > Any suggestions as to how to fix this, or even how to go about investigating
> > it sensibly, would be gratefully received.
> >
> >Doc
> 
> I'm not sure if this may help. In my KDE system settings, multimedia, I 
> can turn the master volume up past 100%. It makes my laptop usable, 
> other it would be too quiet as well.

I would recommend to first try locate possible places where volume is 
turned down, and only as a last option (for this setup, before giving up 
and buying another card) artificially amplify the weak audio - because 
that will undoubtedly lead to bad audio quality, and has the risk of 
playing too loud if at some point the dampening place decides to no 
longer dampen.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting D. R. Evans (2020-02-12 22:50:28)
> Jonas Smedegaard wrote on 2/12/20 1:26 PM:
> > Quoting D. R. Evans (2020-02-12 19:05:40)
> >> Jonas Smedegaard wrote on 2/12/20 10:43 AM:
> >>> Quoting D. R. Evans (2020-02-12 18:34:27)
> >>>> I just installed buster on a new (to me) machine, and the audio 
> >>>> level is very low. With all the mixer controls and the physical 
> >>>> volume control on the speakers turned up, I can hear audio, but 
> >>>> even then it is unpleasantly quiet, certainly nothing one would 
> >>>> want to listen to.
> >>>>
> >>>> Any suggestions as to how to fix this, or even how to go about 
> >>>> investigating it sensibly, would be gratefully received.
> >>>
> >>> Maybe you missed some mixer controls?  Desktop environments 
> >>> nowadays commonly use (not only ALSA but also) Pulseaudio, and a 
> >>> common mistake is to only play with the knobs tied to ALSA.
> >>>
> >>> One relatively userfriendly interface to Pulseaudio that I know of 
> >>> is pavucontrol, available in the Debian package of the same name.  
> >>> You can run it as a self-contained graphical tool, or if you want 
> >>> it handy accesible then additionally install pasystray.
> >>>
> >>
> >> OK; I installed that, but it doesn't seem to do anything more than 
> >> the desktop mixer program.
> >>
> >> It says that Analog Stereo Output is 100%, as does the mixer 
> >> program. Moving that slider does make the volume even lower, so it 
> >> is having an effect, but only to make the audio even harder to 
> >> hear.
> > 
> > That sounds like you have looked at _one_ of the volume controls. 
> > When I open pavucontrol (on my Debian unstable system, but should be 
> > similar e.g. on Debian buster), there are 5 tabs:
> > 
> >  * Playback
> >+ one control per source (e.g. "System sounds", mpv, and 
> >  microphone)
> 
> "System Sounds" is the only one. It's at 100%
> 
> >  * Recording
> >+ one control per recorder (irrelevant for _playing_ audio)
> >  * Output Devices
> >+ one control per audio device (incl. virtual ones if enabled)
> 
> One slider, at 100%.
> 
> >  * Input Devices
> >+ one control per audio device (irrelevant for _playing_ audio)
> >  * Configuration
> >+ switch to select routing mode (e.g. use HDMI instead of analog)
> 
> It's set to "Analog Stereo Output"; since my speakers are plugged into 
> the green jack at the back, it seems like that should be the correct 
> selection.
> 
> > 
> > Make sure that you check both application level volume (for the 
> > application you want to test - while it is running) and output 
> > device volume.
> 
> At this point I've tried with several programs that I've used (on 
> other systems) for a long time. On all of them, even with the volume 
> set to 100%, the sound is audible but too quiet.
> 
> The same applications playing the same files on my debian 9 system 
> produces output that is too loud for comfort.

Good.  Now it is clear to me that you've tried all (directly) options 
available in that Pulseaudio.  That was not clear to me previously.


> > Also, try available routing modes - they depend on your audio 
> > device(s) so I cannot tell what is correct or optimal on your 
> > system.
> 
> I don't know what "routing modes" means, nor where to control them.

Don't worry, that probably just means your audo card is simple with only 
a single routing mode (and also, "routing mode" is not a technical term, 
just my sloppy description of it).


Another thing you might try is go "below" Pulseaudio and mess directly 
with ALSA settings:

Install the package alsa-utils and run (in a terminal) the tool 
alsamixer

By default it will probably show a single volume control for a virtual 
audio card called Pulseaudio - switch to your real underlying audio card 
by hitting F6 and select it.  Try play around with that...


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting D. R. Evans (2020-02-12 19:05:40)
> Jonas Smedegaard wrote on 2/12/20 10:43 AM:
> > Quoting D. R. Evans (2020-02-12 18:34:27)
> >> I just installed buster on a new (to me) machine, and the audio 
> >> level is very low. With all the mixer controls and the physical 
> >> volume control on the speakers turned up, I can hear audio, but 
> >> even then it is unpleasantly quiet, certainly nothing one would 
> >> want to listen to.
> >>
> >> Any suggestions as to how to fix this, or even how to go about 
> >> investigating it sensibly, would be gratefully received.
> > 
> > Maybe you missed some mixer controls?  Desktop environments nowadays 
> > commonly use (not only ALSA but also) Pulseaudio, and a common 
> > mistake is to only play with the knobs tied to ALSA.
> > 
> > One relatively userfriendly interface to Pulseaudio that I know of 
> > is pavucontrol, available in the Debian package of the same name.  
> > You can run it as a self-contained graphical tool, or if you want it 
> > handy accesible then additionally install pasystray.
> > 
> 
> OK; I installed that, but it doesn't seem to do anything more than the 
> desktop mixer program.
> 
> It says that Analog Stereo Output is 100%, as does the mixer program. 
> Moving that slider does make the volume even lower, so it is having an 
> effect, but only to make the audio even harder to hear.

That sounds like you have looked at _one_ of the volume controls.

When I open pavucontrol (on my Debian unstable system, but should be 
similar e.g. on Debian buster), there are 5 tabs:

 * Playback
   + one control per source (e.g. "System sounds", mpv, and microphone)
 * Recording
   + one control per recorder (irrelevant for _playing_ audio)
 * Output Devices
   + one control per audio device (incl. virtual ones if enabled)
 * Input Devices
   + one control per audio device (irrelevant for _playing_ audio)
 * Configuration
   + switch to select routing mode (e.g. use HDMI instead of analog)

Make sure that you check both application level volume (for the 
application you want to test - while it is running) and output device 
volume.  Also, try available routing modes - they depend on your audio 
device(s) so I cannot tell what is correct or optimal on your system.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Install OpenSMTPD from source or use the Debian packages?

[Jonas Smedegaard]

Quoting Tom Browder (2020-02-12 18:53:09)
> I started looking in to use of OpenSMPTD for a mail server and have 
> installed it from Debian packages.
> 
> In the process of reading a blog article by the current developer I 
> discovered the upstream is now at version 6.6.2p1+ after some serious 
> security issues were discovered by SSL Labs (Qualys). Note that Debian 
> 10 is only at version 6.0.3p1!  See the source at:
> 
>   https://github.com/OpenSMTPD/OpenSMTPD
> 
> I would like to install from source but I wonder if that is such a 
> smart move, especially when we now use systemd and the source is set 
> up with the traditional GNU automake system and I don't see any 
> provision for systemd.  I don't grok systemd very well and usually 
> rely on others for the proper setup.
> 
> I have asked for help on the OpenSMTPD mailing list, but I suggested 
> my first effort would be to use the systemd setup used by the Debian 
> installation (with appropriate renaming). I haven't received an answer 
> yet.

Please beware that Debian backports bugfixes for stable releases, so it 
is not enough to look at version numbers to know if a package is 
vulnerable or not, you need to also inspect which patches has been 
applied.

That said, feel free to try do a better job than Debian.  If you like 
such work, then please do consider joining Debian so that others can 
benefit from the refinements that you make for yourself - that's why 
most if not all of us Debian developers do what we do: maintain and 
distribute our refinements as a coherent whole :-)


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: buster: low audio level

[Jonas Smedegaard]

Quoting D. R. Evans (2020-02-12 18:34:27)
> I just installed buster on a new (to me) machine, and the audio level 
> is very low. With all the mixer controls and the physical volume 
> control on the speakers turned up, I can hear audio, but even then it 
> is unpleasantly quiet, certainly nothing one would want to listen to.
> 
> Any suggestions as to how to fix this, or even how to go about 
> investigating it sensibly, would be gratefully received.

Maybe you missed some mixer controls?  Desktop environments nowadays 
commonly use (not only ALSA but also) Pulseaudio, and a common mistake 
is to only play with the knobs tied to ALSA.

One relatively userfriendly interface to Pulseaudio that I know of is 
pavucontrol, available in the Debian package of the same name.  You can 
run it as a self-contained graphical tool, or if you want it handy 
accesible then additionally install pasystray.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Cross debootstrap without root rights

[Jonas Smedegaard]

[ sent again, without 8bit headers to please Debian MTAs ]

Hi Christoph,

Quoting Christoph Müllner (2020-02-09 12:54:56)
> I'd like to run the second stage of debootstrap without root rights, 
> but for another architecture (host is x86_64 and target is arm64).
> 
> I know how to do all that with root rights (i.e qemu-aarch64-static 
> works perfectly here, also, I can recommend using qemu-debootstrap), 
> but I can't figure out a way how to do that without root rights.
> 
> I was expecting that fakechroot and fakeroot will do the necessary 
> "magic" to make chroot work for my use-case, but that's not the case 
> (I need to have libfakeroot.so and libfakechroot.so in the target 
> rootfs, but I could not find a reliable way to get them in).
> 
> I found some emails in the archives about similar use cases (from ~10 
> years ago). But I failed to identify the solution in those cases.
> 
> Therefore I'd like to ask if anyone has a solution for my use case or 
> some hints/pointers.

Have a look at mmdebstrap!

The author of that tool - Johannes Schauer - has long fought for ways to 
eliminate the need for being root to bootstrap Debian, and mmdebstrap is 
as I understand it the state of the art of that!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Does "apt-get install" follow "recommends" links recursively?

[Jonas Smedegaard]

Quoting Rich Morin (2020-02-06 01:02:07)
> Debian's "apt-get install" command is documented as following 
> "recommends" links by default. It also follows "depends" links, 
> presumably in a recursive fashion. However, I haven't been able to 
> find out if it also follows recommends links recursively.
> 
> For example, let's say that I run "apt-get install foo" and that foo 
> depends on or recommends bar. I would expect apt-get to install bar 
> and all of its dependencies. However, I don't know whether it would 
> also install bar's recommended packages, etc. Can someone please 
> clarify this?

Should be simple to test yourself:

Try install package ghostscript, which transitively recommends 
fonts-droid-fallback, which recommends fonts-noto-mono.

Or try install package junior-games-net, which recommends minetest, 
which tranisitvely recommends fonts-droid-fallback, which recommends 
fonts-noto-mono.

Or try install package games-all, which recommends games-finest, which 
recommends minetest, which tranisitvely recommends fonts-droid-fallback, 
which recommends fonts-noto-mono.


In all cases, you need not actually install, but can check the 
information from apt/apt-get/aptitude about what they intent to install 
- but cancel the actual install.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Can't find a way to preseed keyboard layout for all d-i questions

[Jonas Smedegaard]

Quoting john doe (2020-01-31 20:54:09)
> On 1/31/2020 8:37 PM, Yvan Masson wrote:
> > Le 31/01/2020 à 16:50, john doe a écrit :
> >> On 1/31/2020 10:36 AM, Yvan Masson wrote:
> >>> Le 29/01/2020 à 18:16, MAS Jean-Louis a écrit :
> >>>> Le 29/01/2020 à 14:50, Yvan Masson a écrit :
> >>>>
> >>>>> However, before loading preseed.cfg, installer asks for computer
> >>>>> name: I
> >>>>> would like this question to be asked in French and more importantly to
> >>>>> have the keyboard layout configured in French.
> >>>>>
> >>>>> I have tried many boot parameters (layout=fr, layout=fr(latin9),
> >>>>> language=fr, language=fr_FR.UTF-8…) but could not find anything
> >>>>> working.
> >>>>>
> >>>>> After answering this question, preseed.cfg is loaded so language and
> >>>>> keyboard layout are properly applied.
> >>>>
> >>>> It's a well known bug unfortunately
> >>>>
> >>>> I have asked the same question some time ago on the French debian-user
> >>>> list, and frederic boiteux gave me some interesting clues.
> >>>>
> >>>> You may search for this thread :
> >>>>
> >>>> "Configurer un clavier français via preseed"
> >>>>
> >>>> A similar bug was reported with an Hungarian keyboard, without any
> >>>> fixes
> >>>> so far.
> >>>>
> >>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931368
> >>>>
> >>>> Regards
> >>>
> >>> Thanks for the information. However I just checked by doing a fresh
> >>> installation with BIOS PXE boot, di-netboot-assistant and a preseed file
> >>> served by TFTP: locale and keyboard layout are properly applied:
> >>> - during install once preseed.cfg is loaded
> >>> - after reboot
> >>
> >> Yes, because this is delayed after the preseed file is fetched! :)
> >>
> >> But if I'm not mistaking, you want to be able to specify the hostname
> >> manually because you have no control over the dhcp server?
> >>
> > Exactly, so I want to preseed most of the question but:
> > - hostname
> > - user password
> >
> > As the hostname and domain are asked before preseed file is fetched, I
> > tried to use boot options to set the domain (it works) and the locale
> > (which does not work).
> >
> > Maybe preseeding has not been designed to use both file and command line
> > options… I will submit a bug report, please tell me if you think I
> > shouldn't.
> >
> 
> Note that the debian-boot mailing list is responsible for the Debian
> installer, before filing a bugreport I would first seak advice there.
> 
> Maybe (1) could help you getting what you want.
> 
> Actually, what you want, as kernel boot parameter could be 'install '.
> 
> 1)
> https://wiki.debian.org/DebianInstaller/Preseed#Adding_the_preseed_file_to_the_installer.27s_initrd.gz

Well, there is indeed the option of cranking open the install media and 
hack its guts - I consider that less of a user option and more of 
development related.  But sure...


It struck me, however, that perhaps it really isn't locale which is 
missing, but instead keyboard setup.  Perhaps something like this 
(passed as kernel option, so it is applied early enough!) helps: 
https://superuser.com/questions/724294/set-keyboard-layout-in-debian-wheezy-with-preseed


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Can't find a way to preseed keyboard layout for all d-i questions

[Jonas Smedegaard]

Quoting Yvan Masson (2020-01-31 20:37:29)
> Le 31/01/2020 à 16:50, john doe a écrit :
> > On 1/31/2020 10:36 AM, Yvan Masson wrote:
> >> Le 29/01/2020 à 18:16, MAS Jean-Louis a écrit :
> >>> Le 29/01/2020 à 14:50, Yvan Masson a écrit :
> >>>
> >>>> However, before loading preseed.cfg, installer asks for computer name: I
> >>>> would like this question to be asked in French and more importantly to
> >>>> have the keyboard layout configured in French.
> >>>>
> >>>> I have tried many boot parameters (layout=fr, layout=fr(latin9),
> >>>> language=fr, language=fr_FR.UTF-8…) but could not find anything working.
> >>>>
> >>>> After answering this question, preseed.cfg is loaded so language and
> >>>> keyboard layout are properly applied.
> >>>
> >>> It's a well known bug unfortunately
> >>>
> >>> I have asked the same question some time ago on the French debian-user
> >>> list, and frederic boiteux gave me some interesting clues.
> >>>
> >>> You may search for this thread :
> >>>
> >>> "Configurer un clavier français via preseed"
> >>>
> >>> A similar bug was reported with an Hungarian keyboard, without any fixes
> >>> so far.
> >>>
> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931368
> >>>
> >>> Regards
> >>
> >> Thanks for the information. However I just checked by doing a fresh
> >> installation with BIOS PXE boot, di-netboot-assistant and a preseed file
> >> served by TFTP: locale and keyboard layout are properly applied:
> >> - during install once preseed.cfg is loaded
> >> - after reboot
> > 
> > Yes, because this is delayed after the preseed file is fetched! :)
> > 
> > But if I'm not mistaking, you want to be able to specify the hostname
> > manually because you have no control over the dhcp server?
> > 
> Exactly, so I want to preseed most of the question but:
> - hostname
> - user password
> 
> As the hostname and domain are asked before preseed file is fetched, I 
> tried to use boot options to set the domain (it works) and the locale 
> (which does not work).
> 
> Maybe preseeding has not been designed to use both file and command line 
> options… I will submit a bug report, please tell me if you think I 
> shouldn't.

I certainly think you should file this as a bugreport!

Even if this turns out to not be a bug in the code, it seems to be that 
at least it is arguably a bug in the documentation.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Can't find a way to preseed keyboard layout for all d-i questions

[Jonas Smedegaard]

Quoting Yvan Masson (2020-01-29 18:09:30)
> Le 29/01/2020 à 15:10, Jonas Smedegaard a écrit :
> > Quoting Yvan Masson (2020-01-29 14:50:26)
> >> I am automating Buster installations with a preseed file. To do 
> >> this, I boot the installer successfully with parameters `auto=true 
> >> url=tftp://my_server domain=mydomain`.
> >>
> >> However, before loading preseed.cfg, installer asks for computer 
> >> name: I would like this question to be asked in French and more 
> >> importantly to have the keyboard layout configured in French.
> >>
> >> I have tried many boot parameters (layout=fr, layout=fr(latin9), 
> >> language=fr, language=fr_FR.UTF-8…) but could not find anything 
> >> working.
> >>
> >> After answering this question, preseed.cfg is loaded so language 
> >> and keyboard layout are properly applied.
> >>
> >> Any idea?
> > 
> > Not sure the exact answer to your question is there, but I recommend 
> > to look throught the (old but full of clever insights some still 
> > relevant) "hands-off" codebase: http://git.hands.com/hands-off
> 
> Thanks for the link, but I am not able to find any solution there…

When you preseed from tftp, then you need network configured _before_ 
preseeding.

Either...

  a) suppress the network-related question  (as john doe suggests)
  b) preseed the answers to network questions in custom early_script
 (see hands-off for examples of doing complex stuff early)
  c) preseed the answers to network questions at kernel cmdline


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Can't find a way to preseed keyboard layout for all d-i questions

[Jonas Smedegaard]

Quoting Yvan Masson (2020-01-29 14:50:26)
> I am automating Buster installations with a preseed file. To do this, 
> I boot the installer successfully with parameters `auto=true 
> url=tftp://my_server domain=mydomain`.
> 
> However, before loading preseed.cfg, installer asks for computer name: 
> I would like this question to be asked in French and more importantly 
> to have the keyboard layout configured in French.
> 
> I have tried many boot parameters (layout=fr, layout=fr(latin9), 
> language=fr, language=fr_FR.UTF-8…) but could not find anything 
> working.
> 
> After answering this question, preseed.cfg is loaded so language and 
> keyboard layout are properly applied.
> 
> Any idea?

Not sure the exact answer to your question is there, but I recommend to 
look throught the (old but full of clever insights some still relevant) 
"hands-off" codebase: http://git.hands.com/hands-off

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Planning a Debian NAS

[Jonas Smedegaard]

Quoting deloptes (2020-01-27 21:42:40)
> basti wrote:
> 
> > Yes a rpi can run software raid with mdadm. In this case I would use 
> > a rpi4b with USB3 and USB to SATA adapter but be aware that the rpi 
> > is at the moment not fully supportet by debian 
> > (https://github.com/lategoodbye/rpi-zero/issues/43). If raspian is 
> > good enough for your needs it would be an option. With the 
> > restrictions I explained before.
> > 
> 
> I tried many years ago SATA adapter with USB2 and the performance was 
> very poor. Might be better with USB3 though, but I am still not 
> convinced.
> 
> I saw some time ago there was extention board with SATA 2 or 4, which 
> was promising. Interesting to know if someone have used such thing 
> with debian.

Either you care about performance or you use RPi - not both.

USB3 only helps if the data pipeline can handle the load.

A quite cheap (but not too cheap like RPi) option is Olimex LIME2 with 
native SATA port: 
https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-LIME2/

A more powerful option with native SATA is Helios64 at kobol.io - but 
beware that (like Pine* devices, but unlike Olimex) they are built only 
in batches as enough orders come in, so you have a higher risk that the 
product you buy might go out of business even before it gets supported 
in Debian - as seemingly happened with their previous Helios4 device.

(one nice feature of the seemingly abandoned Helios4 was that it used 
ECC memory - cheapest device that I know of doing that!)

I am a happy LIME2 user since some years.  I don't use RAID though.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Sudo

[Jonas Smedegaard]

Re-posting as it seems you didn't receive/notice it first.

Additional comments based on other subthreads below the quote...

Quoting Jonas Smedegaard (2020-01-25 18:28:20)
> Hi Harold,
> 
> Quoting Harold Hartley (2020-01-25 17:39:28)
> > I did a net-install and installed with no problems.
> > The only problem I’m having is when I want to check for updates or install 
> > a file, it tells me that I’m not in the sudoers file.
> > I’m not sure what’s going on, but I’m the only one on the system and should 
> > have admin access anyways.
> > Hope someone has an answer for this problem.
> 
> During install you were asked for a root password.
> 
> If you _didn't_ provide a root password, then sudo will get installed, 
> and the initial user account was added to the "sudo" group.
> 
> If you _did_ provide a root password, then sudo will _not_ get installed 
> (unless you chose to install something which pulled in sudo), and the 
> initial user account was _not_ added to the "sudo" group.
> 
> If you just want root access, then use this command:
> 
>   su --login
> 
> If you want your user account to have root access via sudo, then (as 
> root, so do the above and) use this command:
> 
>   adduser YOUR_ACCOUNT_NAME sudo


Beware that command syntax for su and sudo is not the same:


  sudo apt update

  su -c "apt update"

Also, beware that the system group your account needs to be added to is 
"sudo" (which is different from e.g. Ubuntu where the group is (or was, 
at some point) "sudoers).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Sudo

[Jonas Smedegaard]

Hi Harold,

Quoting Harold Hartley (2020-01-25 17:39:28)
> I did a net-install and installed with no problems.
> The only problem I’m having is when I want to check for updates or install a 
> file, it tells me that I’m not in the sudoers file.
> I’m not sure what’s going on, but I’m the only one on the system and should 
> have admin access anyways.
> Hope someone has an answer for this problem.

During install you were asked for a root password.

If you _didn't_ provide a root password, then sudo will get installed, 
and the initial user account was added to the "sudo" group.

If you _did_ provide a root password, then sudo will _not_ get installed 
(unless you chose to install something which pulled in sudo), and the 
initial user account was _not_ added to the "sudo" group.

If you just want root access, then use this command:

  su --login

If you want your user account to have root access via sudo, then (as 
root, so do the above and) use this command:

  adduser YOUR_ACCOUNT_NAME sudo


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: [solved] passphrase feedback when unlocking disk at boot

[Jonas Smedegaard]

Quoting David Wright (2020-01-23 20:51:13)
> On Thu 23 Jan 2020 at 10:32:44 (-0800), Mike Kupfer wrote:
> > Andrei POPESCU wrote:
> > > On Jo, 23 ian 20, 07:49:01, Mike Kupfer wrote:
> > > > With the first system, when I enter the passphrase at the 
> > > > "please unlock disk" prompt, there is no visual feedback.  With 
> > > > the second system, I get a "*" for each character that I type.
> > > > 
> > > > Is there some configuration option I can change on the first 
> > > > system so that it behaves like the second one?
> > > 
> > > The package plymouth might be the difference.
> > 
> > Yes, that was it.  I installed plymouth on the first system and 
> > rebooted, and now it prints a "*" for each character in the 
> > passphrase.
> 
> It would be interesting to know why installing plymouth made any 
> difference. My system prints asterisks even though plymouth is not 
> installed.
> 
> Were there any other packages installed along with plymouth?

Seems it is part of systemd to switch behaviour when plymouth is 
available: 
https://bugs.launchpad.net/ubuntu/+source/plymouth/+bug/1432265/comments/9


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Wiki software.

[Jonas Smedegaard]

Quoting Cindy Sue Causey (2020-01-23 18:33:48)
> Found something called Sputnik. I like the sound of that word, always did.
> 
> The package sounds.. "robust", possibly maybe even a little too much.
> Implementation and some incidental screenshots are the only way to
> really find out.

Beware that Sputnik was last updated in 2012:

  https://tracker.debian.org/pkg/sputnik

Also seems to not be a static website compiler - one of the upstream 
pages look like it is puking Lua code today: 
http://sputnik.freewisdom.org/en/Sandbox

Possibly the Debian package works better than the upstream website so it 
does not puke Lua (yet...), but personally I would prefer a tool where 
when it grows old and no longer is maintained then eventually only 
_editing_ breaks but pages continue to be viewable for as long as the 
disk is readable.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Wiki software.

[Jonas Smedegaard]

Quoting Peter Easthope (2020-01-23 17:22:49)
> A friend asked about setting up a wiki for development of a relatively 
> simple document.  Mostly text.  Possibly a few illustrations.  Running 
> on a personal machine or a hosting service; not determined yet. 
> Authenticated access to a large group of people; not public.
> 
> MediaWiki is an obvious possibility.  Too complex?  MoinMoin as used
> for wiki.debian.org isn't so visually appealing; just a configuration
> choice?  Many others.
> https://en.wikipedia.org/wiki/Comparison_of_wiki_software


There are lots of options.  Right one depends on many factors.

Rich expressivity of character placement - e.g. ability to express 
mathematical equations or specific kerning (i.e. character spacing)?

Rich expressivity of content layout - e.g. placement or coloring or size 
of all or specific headlines or footers?

Conformity of content layout - e.g. that 4 classes of document each 
follow a unique layout, and only two of them may contain custom 
deviations?

Reuse of content - e.g. maintaining a footer common across all pages, 
adding a sidebar to all blog entries, another sidebar to the bio page, 
and no sidebar on frontpage?

Administration - I agree with Dan that if your friend should not only 
edit content but also _maintain_ the service, then you want something 
not only easy to _use_, and a simple rule of thumb is then to steer 
clear of solutions requiring a database backend.

Security - if the service is public accessible and your friend is not a 
skilled admin, then (unlike Dan) I consider Docuwiki a bad choice 
because it executes code based on what each visitor requests, and the 
code executed is PHP which has a bad track record of security flaws.  
Maybe when only a closed group gets access it is ok, but I would still 
be worried...

I recommend to first consider solutions that generates a static website 
each time content is edited.  One of the first to do that was Ikiwiki.  
It is old and its default style is boring, and its user editing 
interface can feel clunky - but style can be easily changed to something 
more fancy (my partner and I made e.g. http://bsg.biks.dk/ ), and most 
other static web compilers lack the web-based editing interface included 
with Ikiwiki which I find important for projects where some of the 
content editors are not comfortable using a console-based interface.

If you want to edit locally but push to a cloud service, you can do that 
with Ikiwiki and https://www.branchable.com/ or and popular alternatives 
like hugo, jekyll, and nanoc.

For more technical "groupware" things mabe consider fossil or redmine.

Personally I've used MoinMoin in the past (and introduced it to Debian 
many many years ago) but nowadays _only_ use static web compilers - 
mostly¹ Ikiwiki.  If I could live without the web-based editing 
interface then I would first consider hakyll (for its powerful content 
parser based on Pandoc), and then hugo (for being extremely fast).


 - Jonas

¹ Where I don't use Ikiwiki I instead use a Makefile and pandoc, or 
mkdocs.

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: default umask in actual debian?

[Jonas Smedegaard]

Hi Hans,

Quoting Hans (2020-01-07 14:44:55)
> it is now a long time, since I needed to make a fresh install of 
> debian (see, how fine it is working!)
> 
> Just a question: What is actual the default umask in debian? I 
> believe, it is 022, and people should change this to 027 (like the 
> manual says).

You make that sound like a contradiction.

Which manual are you referring to?


> Is this still so?

What makes you think that something has changed?

I mean, if you above implied that it was wrong before, then I suppose 
you shold file it as a bugreport and then the closure of that would get 
you your answer, so that cannot be it, right?


> If it is still 022 by default, shouldn't it be 027 
> by default, just for better security?

Security of what?

Shouldn't it have networking disabled by default, just for better 
security?

There are many options, and many securities, some contradicting each 
other: Seems the default is to secure some degree of collaboration 
across accounts.


> Well, might be , that some application then could not read the 
> personal configuration in ~/user, but this would be rather seldom.

I don't know.  Sounds like you do.


> Thanks for thinking of it and any answers.

Thanks for being open also to "answers" in the form of counter-questions 
:-)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: MUA CLI IMAP and SMTP without ncurses interface

[Jonas Smedegaard]

Quoting Jonas Smedegaard (2020-01-06 08:14:46)
> I appreciate this thread - for me Steve's lumail was new info worth a 
> closer look!
> 
> I currently use "afew" - a notmuch frontend ising Urwid to draw.

Whoops, correction: The MUA I currently ue is "alot".

Thanks to Curt for (indirectly) bringing that typo to my attention.

"afew" is interesting as well for Notmuch users, but is not an MUA: It 
is a "rerouting" or "filtering" tool to adjust tagging of (especially) 
freshly incoming emails.

Personally I saw afew long before it entered Debian and ended up writing 
my own crude filtering as a shell script, inspired by afew, and haven't 
yet taken the time to try switch to the real thing.  And now that I have 
moved to interimap I want to move away from Notmuch and instead do 
standards-based tagging in IMAP instead - but I am unaware of any tools 
existing for that yet...


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: how to create debian live usb

[Jonas Smedegaard]

Quoting kaye n (2020-01-07 04:41:58)
> Hi friends, just wanted to let you guys know that I've successfully 
> installed:
> 
> debian-live-10.2.0-amd64-xfce+nonfree.iso
> 
> on my laptop computer.

Great.  Thanks for sharing (not only your trouble but also) when 
succeeding. Much appreciated.


> I think I used fdisk to format the flash drive, then I used the cp command
> to write the isohybrid to flash drive.

For the record (and to repeat what others already pointed out), the 
*only* thing you effectively did was the cp command.

partitioning a disk device is *irrelevant* if you then overwrite that 
same disk partition with an image containing its own partitioning 
scheme.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: MUA CLI IMAP and SMTP without ncurses interface

[Jonas Smedegaard]

Hi John,

Quoting john doe (2020-01-07 09:07:06)
> On 1/6/2020 4:26 PM, Jonas Smedegaard wrote:
> > Quoting john doe (2020-01-06 15:55:12)
> >> - Why would one need dovecot-imap if you can use 
> >> interimap/oflineimap
> >
> > interimap syncronizes between imap accounts - it does not store on 
> > its own.  That's different from offlineimap and similar which 
> > syncronizes between imap and a local Maildir storage.
> >
> 
> What about dovecot-imap, when/where should I use it (with interimap)?

General understanding of interimap is much better explained by Guilhem, 
the author of interimap (and also a Debian developer and personal friend 
of mine): https://guilhem.org/interimap/

Hint: Above URL is Homepage field in the output of apt info interimap, 
in case you need to locate it again.

Tell me if you still want more details about my personal setup - I don't 
mind doing that, but as it is more complex (I track multiple accounts 
including my own mail service hosted at my DSL connection at home) that 
might confuse more than it helps.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: MUA CLI IMAP and SMTP without ncurses interface

[Jonas Smedegaard]

Quoting Greg Wooledge (2020-01-06 18:50:30)
> On Mon, Jan 06, 2020 at 09:43:40AM -0700, Charles Curley wrote:
> > On Mon, 6 Jan 2020 07:54:44 +0100
> > john doe  wrote:
> > 
> > > Yes there is, I connect to a VM using SSH and my Windows 
> > > screenreader does not like curses interface and maybe .other 
> > > interface(s) as well
> > 
> > Since there are plenty of programs out there that use curses or 
> > ncurses, perhaps a more elegant solution would be to find an SSH 
> > client and screenreader that support ncurses. I haven't used Windows 
> > extensively since 1999, but I hear tell PUTTY does a good job.
> 
> It's really not clear what the OP wants to do, but I would imagine the 
> primary issue with screen readers and full-screen terminal programs 
> (whether they use ncurses or slang or their own home-brewed terminal 
> interface code) is that the cursor gets shoved around the screen 
> willy-nilly using terminal escape sequences, and the screen reader 
> doesn't know what's a pronuncible word, or when to say it.
> 
> If the goal is to READ MAIL, then perhaps one of the more primitive 
> interfaces like mailx(1) will suffice.  I might suggest "less $MAIL", 
> but with today's email, there are SO many headers, HUGE headers 
> You might want to write something that strips out the vast majority of 
> the headers, and then pipe that through less (or whatever the screen 
> reader equivalent is).

Related to above (but I guess only trims content, not headers) is the 
Debian package t-prot - a tool written for mutt but according to the 
package description should also be usable with mailx.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: MUA CLI IMAP and SMTP without ncurses interface

[Jonas Smedegaard]

Quoting john doe (2020-01-06 15:55:12)
> On 1/6/2020 8:14 AM, Jonas Smedegaard wrote:
> > I appreciate this thread - for me Steve's lumail was new info worth 
> > a closer look!
> >
> > I currently use "afew" - a notmuch frontend ising Urwid to draw.
> >
> > On my laptops I use interimap - a more efficient alternative to 
> > offlineimap (only available in unstable and testing currently).
> >
> > As MTA I use msmtp on laptops, and postfix, dovecot-imap, 
> > dovecot-sieve and spamassassin on reliably connected hosts.
> >
> >
> 
> Quick questions, if I may:
> - Why would one need postfix if you can use msmtp and msmtp-mta (or 
> are they simply alternative)

As others have mentioned as well, msmtp and other lightweight MTAs are 
less reliable than postfix (and, some will argue, exim as well).

Only on systems which I use interactively do I dare use a lightweight 
MTA: At those systems I accept the risk that when firing off the email 
it may fail and I may then *LOOSE* the email (if the MUA used at the 
time did not happen to preserve a copy that I can simply resend).


> - Why would one need dovecot-imap if you can use interimap/oflineimap

interimap syncronizes between imap accounts - it does not store on its 
own.  That's different from offlineimap and similar which syncronizes 
between imap and a local Maildir storage.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: MUA CLI IMAP and SMTP without ncurses interface

[Jonas Smedegaard]

Quoting john doe (2020-01-06 07:54:44)
> On 1/4/2020 6:12 PM, Steve Kemp wrote:
> >> As far as I can tell, Mutt uses the ncurses interface
> >
> >   Yes.
> >
> >> Can I use Mutt without ncurses?
> >
> >   No.
> >
> >> If no, is my only alternative Sup/Notmuch?
> >
> >   https://aerc-mail.org/ is new, and golang-based.  No ncurses.
> >
> >   Though it has to be said it seems like an odd-requirement,
> >  is there a specific reason to avoid ncurses?
> >
> >> If I use Sup or Notmuch I also need to configure IMAP and SMTP access,
> >> is there a MUA which does IMAP SMTP that does not rely on ncurses?
> >
> >   On that I have no idea; I wrote a console-based mail-client,
> >  inspired by mutt but using Lua for UI/scripting, but I just
> >  exec "/usr/sbin/sendmail .." for outgoing mail, and that's a
> >  pretty common approach.   <https://github.com/lumail/lumail/>
> >
> 
> Yes there is, I connect to a VM using SSH and my Windows screenreader
> does not like curses interface and maybe .other interface(s) as well
> 
> Regarding Alpine/re-alpine, it is somewhat better accessible then Mutt
> but far from usable at first glance.
> 
> Regarding gnus, is only for emax, if I'm not mistaking and I'm a vim
> user! :)
> 
> Regarding "mail", I'll look into that, thanks to...@tuxteam.de.
> 
> My goal in all of this is to move away from Enigmail/Thunderbird for the
> following reasons:
> - Thunderbird moving from enigmail to use his own GPG implementation
> - Using GPG with multiple signing subkies
> 
> 
> Sendmail/msmtp could do what I want, I'll look into that.
> 
> Thanks to Jonathan Dowland  for Mutt and 'slang'.
> 
> Thanks to Reco  for his input.
> 
> 
> Thanks to anyone else for their input.

I appreciate this thread - for me Steve's lumail was new info worth a 
closer look!

I currently use "afew" - a notmuch frontend ising Urwid to draw.

On my laptops I use interimap - a more efficient alternative to 
offlineimap (only available in unstable and testing currently).

As MTA I use msmtp on laptops, and postfix, dovecot-imap, dovecot-sieve 
and spamassassin on reliably connected hosts.


Enjoy the many options :-)

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Any Bluetooth 5 adapter Debian compatible

[Jonas Smedegaard]

Quoting André Rodier (2020-01-05 13:38:03)
> On Sun, 2020-01-05 at 12:24 +0100, deloptes wrote:
> > André Rodier wrote:
> > > I am looking for a USB / Bluetooth 5 adapter, natively compatible 
> > > with Debian.

> > most of them are
> > 
> > I use ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle 
> > (HCI mode)
> > 
> > Double check if adapter (newer once) are LE - there were issues with 
> > them.
> > 
> > I would just pick up one and see if the chipset is supported in 
> > linux and what is the experience with that chip.
> > 
> > regards
> > 
> 
> Thanks for your answer. I have this one, but I could not manage to 
> have it working. The usual hciconfig command fails, with an error 
> message "not supported". The interface is marked as down.
> 
> The device appears on Windows, but neither works.
> 
> I don't mind (too much) a non-free firmware for now.

Ah, if non-free is acceptable for you then I apologize for my unhelpful 
and wrong guess in my previous response, and can maybe hepl a bit:

Try this:

  sudo apt install firmware-linux firmware-brcm80211 firmware-atheros 
firmware-realtek

...and then reboot.

Good luck!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Any Bluetooth 5 adapter Debian compatible

[Jonas Smedegaard]

Quoting deloptes (2020-01-05 12:24:55)
> André Rodier wrote:
> 
> > Hello,
> > 
> > I am looking for a USB / Bluetooth 5 adapter, natively compatible with
> > Debian.
> > 
> > Thanks,
> > André
> 
> most of them are
> 
> I use ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
> 
> Double check if adapter (newer once) are LE - there were issues with them.
> 
> I would just pick up one and see if the chipset is supported in linux and
> what is the experience with that chip.

I suspect you are talking about slightly different things.

Few bluetooth adapters work with Debian alone.

Most bluetooth adapters work when adding nonfree blobs to the mix.

(so seems one of you talk about Debian-the-project, and the other talks 
about Debian-the-main-product-by-Debian-the-project).

Sorry, I don't have a list of Bluetooth dongles not needing non-free 
runtime-loaded firmware.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: realtime kernel on ARM hardware

[Jonas Smedegaard]

Quoting Gene Heskett (2019-12-30 23:05:07)
> On Monday 30 December 2019 16:49:14 Jonas Smedegaard wrote:
> 
> > Quoting Gene Heskett (2019-12-30 21:00:55)
> >
> > > If debian was serious about supporting the "arm's" that would have 
> > > been fixed several years ago by moving that list and its contents 
> > > to "debian-arm-devel", and instituting a new "debian-arm-users" 
> > > list.
> >
> > Ahhh.  We have struggled for ages in Debian with the lack of 
> > manpower. Turns out we simply need mailinglists named accurately - 
> > that'll make them magically populated with knowledgable and helpful 
> > Debian experts.
> 
> I detect a smidgeon of tongue in cheek, ;-) but I think it would also 
> help by drawing in those that do have experience in that hdwe.

True.  Sorry I forgot to accompany it with a smiley.  Here it is: :-)

> Cheers, Gene Heskett

Cheers!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: realtime kernel on ARM hardware

[Jonas Smedegaard]

Quoting Gene Heskett (2019-12-30 21:00:55)
> If debian was serious about supporting the "arm's" that would have 
> been fixed several years ago by moving that list and its contents to 
> "debian-arm-devel", and instituting a new "debian-arm-users" list.

Ahhh.  We have struggled for ages in Debian with the lack of manpower. 
Turns out we simply need mailinglists named accurately - that'll make 
them magically populated with knowledgable and helpful Debian experts.

Thanks for your wisdom, Gene.  And a great 2020 to you as well.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: No security support for binutils and libqt5webkit5, what to do?

[Jonas Smedegaard]

Quoting Mark Allums (2019-12-30 18:29:07)
> 
> On 12/29/2019 8:44 PM, Andreas wrote:
> > I was supposing that Mark's answer implied that (against general 
> > policies of debian and for reasons unknown to me) in this case 
> > security changes of upstream would be passed on to debian, even if 
> > binutils is "not covered by security support". If this is 
> > (probably?) not the case, the fact that binutils is supported by 
> > upstream of course is of no help.
> 
> My answer was the naive one, that assumes that the upstream even 
> cares.  Of course Debian adds its own patches and "spin", and upstream 
> doesn't care about that.  Everyone may recall the random number 
> debacle...

Some upstream care about Debian handling integration into Debian of 
their project.  Others think they know better how to integrate their 
project into Debian than Debian does.  And others do not care about 
their project being well integrated with Debian at all.

When Debian declares a project unsupported, it means the user is on 
their own - i.e. cannot rely on Debian to aid in continued maintenance 
for the integration of that project into Debian.

I think your answer does a disservice to someone asking if there is 
reason for concern: They want to know if they should do something, and 
your respons can easily me misunderstood as no action is needed which is 
plain wrong.

YES there is reason for concern EXACTLY because for those projects the 
USER needs to make sure to investigate if that project is one where 
upstream offers some alternative maintenance path, or it is a project 
where upstream expects you to run a less stable (a.k.a. more 
modern/fresh/shiny) system, or however they expect their project to work 
reliable, and then the USER needs to act accordingly.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: realtime kernel on ARM hardware

[Jonas Smedegaard]

Quoting Gene Heskett (2019-12-30 18:37:34)
> On Monday 30 December 2019 11:05:15 Jonas Smedegaard wrote:
> 
> > Quoting Gene Heskett (2019-12-30 16:48:20)
> >
> > > On Monday 30 December 2019 10:01:59 Jonas Smedegaard wrote:
> > > > Quoting Gene Heskett (2019-12-30 15:39:20)
> > > >
> > > > > This one has to do with building a pre-empt-rt kernel for 
> > > > > armhf, which allows linuxcnc to run in uspace. But subjectwise 
> > > > > it wanders badly but I'd like to show one full chain of recent 
> > > > > events:
> > > >
> > > > [ Raspbian details snipped ]
> > > >
> > > > How do Debian with linux-image-rt-* perform on that hardware?
> > > >
> > > > https://packages.debian.org/search?keywords=linux-image-rt
> > >
> > > I can't directly answer that, Jonas, as I shifted my attention to 
> > > raspbian when I tried a netinstall of the buster original image 
> > > and found it was arm64.
> >
> > I fully understand how running 32bit has its use even for hardware 
> > supporting 64bit.  But if I understand you correctly that you tried 
> > only the arm64 image before giving up and moving to a different 
> > distribution, then I don't understand why - Buster support both 
> > armhf and arm64: https://www.debian.org/CD/netinst/

> I must have come to a page similar, but to not recall previously 
> seeing all the choices showing on that page linked above. I saw one 
> choice only for the netinstall at the time I downloaded the iso. ISTR 
> it was about a week after buster was announced.
> 
> Would it have made a difference when asking about a realtime kernel 
> for it?

I don't understand your question - yes, I guess that if you had seen 
(not some other misleading page but) the official Debian page listing 
both armhf and arm64 options then you would have tried the armhf option 
before looking outside of Debian, which I guess would have affected how 
you would then have phrased questions here related to your (then 
different) journey.

...but I suspect I misunderstood and your question above is another.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: realtime kernel on ARM hardware

[Jonas Smedegaard]

Quoting Gene Heskett (2019-12-30 16:48:20)
> On Monday 30 December 2019 10:01:59 Jonas Smedegaard wrote:
> 
> > Quoting Gene Heskett (2019-12-30 15:39:20)
> >
> > > This one has to do with building a pre-empt-rt kernel for armhf, 
> > > which allows linuxcnc to run in uspace. But subjectwise it wanders 
> > > badly but I'd like to show one full chain of recent events:
> >
> > [ Raspbian details snipped ]
> >
> > How do Debian with linux-image-rt-* perform on that hardware?
> >
> > https://packages.debian.org/search?keywords=linux-image-rt
> >
> I can't directly answer that, Jonas, as I shifted my attention to 
> raspbian when I tried a netinstall of the buster original image and 
> found it was arm64.

I fully understand how running 32bit has its use even for hardware 
supporting 64bit.  But if I understand you correctly that you tried only 
the arm64 image before giving up and moving to a different distribution, 
then I don't understand why - Buster support both armhf and arm64: 
https://www.debian.org/CD/netinst/

[ Armbian details snipped ]


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: realtime kernel on ARM hardware

[Jonas Smedegaard]

Quoting Gene Heskett (2019-12-30 15:39:20)
> This one has to do with building a pre-empt-rt kernel for armhf, which 
> allows linuxcnc to run in uspace. But subjectwise it wanders badly but 
> I'd like to show one full chain of recent events:

[ Raspbian details snipped ]

How do Debian with linux-image-rt-* perform on that hardware?

https://packages.debian.org/search?keywords=linux-image-rt


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Re: Re: No security support for binutils and libqt5webkit5, what to do?

[Jonas Smedegaard]

Quoting Andreas (2019-12-30 03:44:43)
> > > > Binutils is supported upstream
> > >
> > > that's reassuring. But were is Debian communicating this important 
> > > bit of information?
> 
> > I am not so sure that it is reassuring.
> 
> > Question is not if upstream supports their own (continuously changing) 
> > code, but if the stable code distributed with Debian is supported.
> 
> I was supposing that Mark's answer implied that (against general 
> policies of debian and for reasons unknown to me) in this case 
> security changes of upstream would be passed on to debian, even if 
> binutils is "not covered by security support". If this is (probably?) 
> not the case, the fact that binutils is supported by upstream of 
> course is of no help.
> 
> It's difficult to swallow that in *stable* debian should leave its 
> users alone as to the security of such a central peace of software as 
> binutils. So I'm still hoping to find out that security updates for 
> binutils in debian stable are in some (maybe unconventional way) 
> secured.

If it was secured, then command "check-support-status" in package 
debian-security-support would not list it as "Not covered by security 
support".

If you are still not convinced, then I recommend that you ask Debian 
security team for further clarification rather than your fellow Debian 
users here.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Re: No security support for binutils and libqt5webkit5, what to do?

[Jonas Smedegaard]

Quoting Andreas (2019-12-30 00:49:10)
> > Binutils is supported upstream
> 
> Thanks,
> 
> that's reassuring. But were is Debian communicating this important bit
> of information?

I am not so sure that it is reassuring.

Question is not if upstream supports their own (continuously changing) 
code, but if the stable code distributed with Debian is supported.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: systemdq

[Jonas Smedegaard]

Quoting Andrei POPESCU (2019-12-29 14:21:30)
> On Sb, 28 dec 19, 12:06:25, Gene Heskett wrote:
> > On Saturday 28 December 2019 11:08:20 ghe wrote:
> > 
> > > On 12/27/19 5:02 PM, Nektarios Katakis wrote:
> > > > Have you tried removing openssh-server package and reinstalling it?
> > >
> > > Another hopefully good suggestion. Thanks, and I'll try it.
> > >
> > > > If you re using any version of Debian
> > >
> > > Raspian Buster.
> > 
> > One problem, raspian buster is armhf, debian is arm64.
> 
> Debian also has an armhf port[1].
> 
> Raspbian (note the 'B') was created because Debian's armhf port requires 
> an ARMv7 processor, whereas the original Raspberry Pi (Raspberry Pi 1 
> model B) is ARMv6.

Thanks a lot for mentioning loudly which system is used.

Raspbian is not Debian.  Please discuss Raspbian-specific issues in 
Raspbian forums.

Feel free to discuss issues here which are same on Debian and 
derivatives of Debian, but as soon as that is suspected to not be the 
case - as is the case here - check that the issue is repeatable with 
Debian, or stop discuss it further here.

Reason for that is that it is super confusing and leads to a lot of 
noise and wrong assumptions to discuss partly incompatible systems.

"armel" and "armhf" and "arm64" are *Debian* names for their ports.

Raspbian ports are *different* from Debian but possibly use same names. 
Super confusing at a low level, causing those unaware of the low level 
differences to clutter further discussions with confusing potentially 
wrong or misleading suggestions and assumptions.

Please don't.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: looking for a replacement for debian since systemd

[Jonas Smedegaard]

Quoting Jimmy Johnson (2019-12-16 02:13:08)
> On 12/14/19 5:29 AM, Jonas Smedegaard wrote:
> > Hi Alessandro,
> > 
> > Quoting Alessandro Vesely (2019-12-14 13:23:14)
> >> On Sat 14/Dec/2019 03:18:39 +0100 Kenneth Parker wrote:
> >>>
> >>> I use Devuan, especially on older hardware.   Works well.
> >>
> >>
> >> Good to know.  For the time being, I see SysV is working.  I'm on 
> >> old-stable Debian.  As, in a few months, it will be time to 
> >> migrate, I'll have to decide on Devuan (current) vs. Buster.  Any 
> >> recommendation on that?  Will the voted resolution shred any light 
> >> on migration strategies?
> > 
> > Since this is a Debian list, I recommend to discuss Debian here, and 
> > consult Devuan mailinglist for details of what they can offer.
> > 
> > The vote currently in Debian will affect _future_ releases of 
> > Debian, not the current stable release, Buster.
> > 
> > For Debian Buster (regardless of the outcome of the vote) SysV is a 
> > supported init system: Please do report any flaws you may encounter!
> 
> Kde5 on buster without systemd don't work,

True, and also what I wrote (and even mentioned KDE explicitly): Depends 
on which kind of system you need and how much of systemd must be gone.

In case you missed, here it is again:

> Beware in discussions here and elsewhere to distinguish between these:
>
>  a) running a system with SysV as init system
>  b) running a system without systemd installed
>  c) running a system without libsystemd0 installed
>
> If you need a), then quite likely Debian Buster is fine for you.
>
> If you need b) and don't need a complex¹ X11/Wayland desktop
> environment, then Debian Buster is likely fine as well.
>
> If you need c) and/or a complex¹ X11/Wayland desktop environment, then 
> Debian Buster is most likely no fun for you - might be possible, but 
> you will feel alone and bugreports will be harder to debug due to your 
> complex setup (in particular your suppressing package 
> recommendations).
>
> ¹ In this context, "complex" desktop environments include GNOME, KDE, 
> Cinnamon, MATE and more - as a rule of thumb anything which directly 
> or indirectly recommends dbus-user-session.


Kind regards

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: apparent change in hostnames on LAN without admin intervention

[Jonas Smedegaard]

Quoting john doe (2019-12-14 15:54:20)
> On 12/14/2019 2:36 PM, Curt wrote:
> > On 2019-12-14, David Wright  wrote:
> >> On Fri 13 Dec 2019 at 19:33:51 (-0500), Jape Person wrote:
> >>> Hi folks. Did I miss something?
> >>
> >> Perhaps a couple of references: 
> >> https://features.icann.org/addressing-new-gtld-program-applications-corp-home-and-mail
> >>  
> >> which points out that any of .home, .mail and .corp are ideal for 
> >> the domain name of a home LAN, and RFC 6762 on Multicast DNS which 
> >> explains why .local is not a good choice.
> >>
> >
> > I'm trying to fathom why .home would remain ideal for home LAN users 
> > in light of RFC 8375, which replaces the previously advised '.home' 
> > with 'home.arpa' as the default domain name for homenets, the former 
> > being known to often leak out to the root name servers.
> >
> > https://tools.ietf.org/html/rfc8375
> >
> > Or does RFC 8378 only apply to toasters and the like (what will they 
> > think of next)?
> >
> 
> It only applies to devices useing the HNCP protocol.

...and .home applies to devices abusing protocols: It's unofficial.

"home.arpa" is usable not only with Homenet (a.k.a. HNCP) protocol, but 
equally well without it.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: looking for a replacement for debian since systemd

[Jonas Smedegaard]

Hi Alessandro,

Quoting Alessandro Vesely (2019-12-14 13:23:14)
> On Sat 14/Dec/2019 03:18:39 +0100 Kenneth Parker wrote:
> > 
> > I use Devuan, especially on older hardware.   Works well. 
> 
> 
> Good to know.  For the time being, I see SysV is working.  I'm on 
> old-stable Debian.  As, in a few months, it will be time to migrate, 
> I'll have to decide on Devuan (current) vs. Buster.  Any 
> recommendation on that?  Will the voted resolution shred any light on 
> migration strategies?

Since this is a Debian list, I recommend to discuss Debian here, and 
consult Devuan mailinglist for details of what they can offer.

The vote currently in Debian will affect _future_ releases of Debian, 
not the current stable release, Buster.

For Debian Buster (regardless of the outcome of the vote) SysV is a 
supported init system: Please do report any flaws you may encounter!

Beware in discussions here and elsewhere to distinguish between these:

 a) running a system with SysV as init system
 b) running a system without systemd installed
 c) running a system without libsystemd0 installed

If you need a), then quite likely Debian Buster is fine for you.

If you need b) and don't need a complex¹ X11/Wayland desktop 
environment, then Debian Buster is likely fine as well.

If you need c) and/or a complex¹ X11/Wayland desktop environment, then 
Debian Buster is most likely no fun for you - might be possible, but you 
will feel alone and bugreports will be harder to debug due to your 
complex setup (in particular your suppressing package recommendations).

¹ In this context, "complex" desktop environments include GNOME, KDE, 
Cinnamon, MATE and more - as a rule of thumb anything which directly or 
indirectly recommends dbus-user-session.


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: dropbox security situation

[Jonas Smedegaard]

Quoting John Hasler (2019-12-09 21:17:39)
>  Jonas Smedegaard writes:
> > I dislike APG because it generates passwords difficult to remember - 
> > without aiding in how to deal with that, which has a high risk of 
> > passwords getting stored on physical notes in the top drawer...
> 
> Bruce Schneier recommends writing passwords down and then keeping the 
> document containing them secure.

Yes, and that's what the tool "pass" helps you do.

(among others, and you can choose to debate all options to death here if 
you really reay want).

Even better is to reduce the use of passwords, e.g. using monkeysphere - 
but that's a whole new discussion.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: dropbox security situation

[Jonas Smedegaard]

Quoting John Hasler (2019-12-09 20:40:06)
>  Charles Curley writes:
> > There is a handy password generator available on Debian, called APG
> > (Automated Password Generator), which will generate passwords for you.
> > The default settings yield a fairly strong password, but you can
> > modify those to make the results even stronger.
> 
> Considering the comments in the package description pwgen might be a
> better choice.

Agreed.  And xkcdpass even better.

Please read my previous post, where I link to an article documenting in 
detail why.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: dropbox security situation

[Jonas Smedegaard]

Quoting Charles Curley (2019-12-09 15:56:26)
> On Sun, 8 Dec 2019 18:55:12 +0100 (CET)
>  wrote:
> 
> > Usual advice : use strong passwords (i.e. long enough with high
> > entropy => generated&stored in a dedicated password manager) AND 1
> > different per service, never the same.
> 
> There is a handy password generator available on Debian, called APG
> (Automated Password Generator), which will generate passwords for you.
> The default settings yield a fairly strong password, but you can modify
> those to make the results even stronger.

I dislike APG because it generates passwords difficult to remember - 
without aiding in how to deal with that, which has a high risk of 
passwords getting stored on physical notes in the top drawer...

For strong yet rememberable passwords, I recommend this:

  xkcdpass

More information: https://lwn.net/Articles/713806/

(yes, above aricle also references the XKCD cartoon!)

For non-rememberable passwords, I recommend this:

  pass

More information: https://lwn.net/Articles/714473/

There are several other tools similar to the above.  I recommend to read 
above referenced articles if in doubt!


  - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: Help with --regex in locate

[Jonas Smedegaard]

Quoting Brian (2019-12-03 14:39:28)
> On Tue 03 Dec 2019 at 08:07:16 -0500, rhkra...@gmail.com wrote:
> 
> > On Tuesday, December 03, 2019 07:16:22 AM Andrei POPESCU wrote:
> > > With 'find' instead of 'locate'.
> > > 
> > > find dir_with_repos -type d -name .git
> > > 
> > > or
> > > 
> > > find dir_with_repos -type d -name "*.git"
> > > 
> > > if you also have git bare clones ('-name' expects a shell pattern).
> > 
> > It took me a minute (well, a trial) to realize that dir_with_repos 
> > is a metaname (right word?).  I prefer a syntax like:
> > 
> > find  -type d -name .git
> 
> I prefer that syntax too but many users (particularly new ones) end up 
> typing the angle brackets, which, of course, leads to a failed 
> command. A second mail is then needed to clear up the confusion. I've 
> taken to doing what Andrei does or giving an instruction as to what to 
> type.

I agree that angle brackets has a real risk of wreaking havoc for less 
experienced users following instructions "to the letter".  I did so 
myself back in 1998 when moving from MacOS 8 to Linux :-)

What I have so far settled on is to distinguish "variables" in capital 
letters, and explicitly hint that it should be changed, like this:

With 'find' instead of 'locate' (adapt dir):

  find DIR_WITH_REPOS -type d -name .git


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: WiFi connection failure with octopi

[Jonas Smedegaard]

Quoting Thomas George (2019-11-30 21:11:44)
> OK, if wifi connectivity is in the Raspbian kernel I'll ask for their 
> help.

The way to figure out if it is a Raspbian issue is to use Debian and 
then if the Debian install has the issue _then_ try solve it with Debian 
peers.

Enjoy, no matter which system you use - enjoy it with your peers :-)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Re: WiFi connection failure with octopi

[Jonas Smedegaard]

Quoting Thomas George (2019-11-30 18:53:50)
> There are two years of posts of this problem to the Octopi users group. 
> I have read many and tried various solutions without success.
> 
> The solution should be easy. With the headless octopi-buster-lite-0.17.0 
> as the operating system installed in raspberrypi 3 B+ I find:
> 
> iwlist wlan0 scan finds a strong signal, 70/70, with netgear70 for the ssid.
> 
> wpa-supplicant.com contains the netgear70 ssid together with its password.
> 
> The two just need to talk to each other.
> 
> For a check:
> 
> The pc is a raspberrypi 3 B+.  With an sd card burned with 
> Raspbian-Stretch the WiFi connection is made on boot up. As I remember 
> upon the initial boot up WiFi was not connected but clicking on the icon 
> gave a selection of nearby routers by their ssid's. I chose netgear70, 
> entered the password and that was it.

You talk about Raspbian and "octopi".

I guess by "octopi" you mean https://github.com/guysoft/OctoPi - which 
(from a quick glance) is a derivative of Raspbian, which itself is a 
derivative of Debian.


> Any advice?

My advice would be to use Debian.  And then share on this mailinglist 
more details on how - on Debian - the issues you experience.

Or alternatively that you discuss your Raspbian issues on Raspbian fora.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature