Re: [DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices
On 7/26/22 14:17, Hector Gonzalez Jaime via Dng wrote:
> On 7/26/22 10:00, Ken Dibble wrote:
>> On 7/25/22 09:29, Ken Dibble wrote:
>>> This is the first time I have seen this with any package.
>>> I have no idea whether it has happened with packages not installed on my systems.
>>>
>>> It is my understanding that best practice is noexec on /tmp and that this is a Debian recommendation.
>>>
>>> Here is the relevant line from /etc/fstab.
>>>
>>>     tmpfs /tmp tmpfs defaults,noatime,mode=1777,nosuid,noexec,nodev 0 0
>>>
>>> Here is the error message.
>>>
>>>     sudo apt-get dist-upgrade
>>>     .
>>>     .
>>>     Preconfiguring packages ...
>>>     Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
>>>     open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
>>>     .
>>>     .
>>>
>>> The (apparent) recommendation from bug report 129289 in 2002 is to set APT::ExtractTemplates::TempDir in apt.conf to some directory which is mounted with exec and
>>>
>>>     As of version 0.5.8, apt supports TMPDIR for determining where apt-extracttemplates puts its temporary files. If you have a noexec /tmp, use this or other documented means to make apt-extracttemplates use a directory that does accept executables
>>>
>>> As of 2018 Bug #887099, merged with sundry other bug reports of the same type
>>>
>>>     Control: reassign -1 debconf 1.5.61
>>>     Control: forcemerge 566247 -1
>>>
>>>     This appears to be a generic issue in debconf, so I'm reassigning it to debconf and merging it with the existing bugs tracking the same issue.
>>>
>>> There doesn't seem to be any activity after that.
>>>
>>> Is there a best practice for the method of selecting and setting this directory?
>>>
>>> Thanks,
>>> Ken
>>
>> Replying to my own message:
>>
>> It appears that this problem with debconf has been around for 2 decades and the maintainers are at odds with the debian position about "/tmp" and noexec.
>>
>> That being said I am going with
>>
>>     echo "APT::ExtractTemplates::TempDir \"/var/tmp\";" >/etc/apt/apt.conf.d/50extracttemplates
>>
>> unless someone has a better idea or a reason not to.
>>
>> I am aware that Debian does not by default clean up /var/tmp and it will be my responsibility to check it for things left around.
>
> This would just make /var/tmp the target for attacks instead of /tmp
> if you protect /tmp with noexec, you should do the same with /var/tmp.
> I think you could use any root writable dir, I don't see why it would need to be writable by all users, if apt* is running as root.
>
> If you think it's simpler, you can create a file, say /etc/apt/apt.conf.d/99-remounttmp.conf with this:
>
>     DPkg {
>         // Auto re-mounting of a exec-only /tmp
>         Pre-Invoke { "mount -o remount,exec /tmp"; };
>         Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,noexec /tmp || true"; };
>     };
>
> I don't remember where I found this, but have used it for a while.

Thank you very much.

Here is the source for that: https://wiki.debian.org/ReadonlyRoot

I looked forever in the wrong places using debconf as search criteria since that is where the issue is (IMO).

There are some clues in the apt.conf manpage, but no index of allowable directives.

There appears to be an index of allowable directives at
https://github.com/szaydel/Rigel-Major/blob/master/config-files/apt.conf

Like most things you have to know where and how to ask.

The directives are also available with: apt-config dump.

The manpage for apt-config is less than helpful in this instance. For dump it says:

    Just show the contents of the configuration space.

which is helpful if you know that the directives are in the contents of the configuration space, otherwise, not so much.

I guess that leaves me to create a new partition on each machine to use as /var/tmp.

Thank you again.

Ken

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
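An added example, not part of any message in this thread: a check for a candidate APT::ExtractTemplates::TempDir that reports the two problems discussed above (a noexec mount, which produces the "Can't exec" error, and a world-writable directory on an exec-capable mount). The sample mount table is constructed, with the /tmp entry mirroring the fstab line quoted in the thread; the directory /var/lib/apt-tmp used in the usage lines is hypothetical.

```python
import os
import posixpath
import re
import stat

# Constructed sample in /proc/mounts format (assumption: / and /var are plain ext4).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,mode=1777 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, {options})] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Return (mountpoint, options) of the filesystem that holds path."""
    probe = posixpath.normpath(path).rstrip("/") + "/"
    best = None
    for mnt, opts in mounts:
        # Match on a path-component boundary so /tmpfoo is not treated as /tmp.
        if probe.startswith(mnt.rstrip("/") + "/"):
            # Longest mountpoint wins; a later entry shadows an earlier equal one.
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, opts)
    return best


def assess_tempdir(path, mode, owner_uid, mounts):
    """List the reasons path is a poor place for apt-extracttemplates output."""
    hit = mount_for(path, mounts)
    if hit is None:
        raise ValueError("no mount entry covers %s" % path)
    findings = []
    if "noexec" in hit[1]:
        findings.append("noexec-mount")      # preconfigure scripts cannot be exec'd
    if mode & stat.S_IWOTH:
        findings.append("world-writable")    # any local user can drop files here
    if owner_uid != 0:
        findings.append("not-root-owned")
    return findings


def assess_live(path):
    """Same check against the running system (Linux only)."""
    st = os.stat(path)
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    return assess_tempdir(path, stat.S_IMODE(st.st_mode), st.st_uid, mounts)


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for path, mode in (("/tmp", 0o1777), ("/var/tmp", 0o1777), ("/var/lib/apt-tmp", 0o700)):
        print(path, assess_tempdir(path, mode, 0, table) or "ok")
```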
Re: [DNG] PHP question
I don't know anything about php.
The only thing I know about this is that I found it on Github.

https://github.com/dimkr/nosystem

Regards,
Ken

On 6/23/22 11:49, Curtis Maurand via Dng wrote:
> Hello,
>
> I've been running Devuan on my break even public facing webhosting system for several years. I've been using ISPConfig and the debian perfect server instructions with adjustments for Devuan. I'm up to Devuan Beowulf at the moment and trying to go to chimaera so that I can get PHP 7.4 support. I'm happy to build a new server and migrate sites from Beowulf to Chimaera except that PHP 7.4 goes end of life at the end of November of this year. The current versions of PHP are 8.0 and 8.1. Using the instructions at packages.sury.org, I am able to add the other versions of PHP except for PHPN.n-fpm due to a (what seems to be a completely unnecessary) dependence upon systemd.
>
> I would love to keep running Devuan. It runs way better than anything systemd based. Is there a workaround for this limitation? I've tried installing the package from chimaera, but it's a couple of minor revisions behind sury.org. It also seems to need a version of libc6 greater than or equal to x.xx.
>
> As a web hoster I need to be able to deploy multiple versions of PHP and I don't see very advanced support for it in Devuan. Developers need to test PHP 8 as it's different enough to cause trouble for apps written intending to run on version 7.4
>
> Trying not to install ubuntu,
> --Curtis
Re: [DNG] starting mysql in background ?
On 6/15/22 03:10, Radisson via Dng wrote:
> Hello list,
>
> i would like to start my mysqld 8.0 in background because it takes several minutes to start.
> Does someone have a solution ?
>
> re,
> pr

Disclaimer: I know nothing about mysql and next to nothing about databases.

I found the startup time rather intriguing as Postgres starts nearly instantaneously.

I found this reply to a similar post on stackexchange.

>I have a large ibdata1 file (20GB) even with file per table activated
>Turned out that mysql scan all the undo looking for uncommitted transactions.
>Since I had a very large undo space in the ibdata, I moved to use undo tablespaces. Setting up the
>undo truncate option keeps my undo tablespace very small.
>Now my db opens in 2-3mn top!

Now, why any database leaves uncommitted transactions around after shutdown is a question for another time.

Hope this was of some value.

Regards,
Ken
Re: [DNG] NFS rookie mistake?
On 6/1/22 21:04, Ken Dibble wrote:
> Here is the story:
>
> I needed to do some server maintenance so I issued
> $init 1.
>
> After the maintenance was done I issued
> $init 5.
>
> Everything was fine except no nfs-server-kernel running.
>
> No problem.
>
> Issue
> $sudo /etc/init.d/nfs-kernel-server restart
> System response:
> Stopping NFS kernel daemon: mountd nfsd.
> Unexporting directories for NFS kernel daemon
> Exporting directories for NFS kernel daemon
> Starting NFS kernel daemon: nfsd
> Not starting: portmapper is not running ... (warning).
>
> Problem to be investigated LATER.
>
> Issue
> $ /etc/init.d/rpcbind restart
> System response:
> Stopping RPC port mapper daemon: rpcbind.
> Starting RPC port mapper daemon: rpcbind.
>
> No problem.
>
> Try nfs server again.
> $sudo /etc/init.d/nfs-kernel-server restart
> System response:
> Stopping NFS kernel daemon: mountd nfsd.
> Unexporting directories for NFS kernel daemon
> Exporting directories for NFS kernel daemon
> Starting NFS kernel daemon: nfsd mountd.
>
> no problem.
>
> So, Now it is LATER.
>
> So obviously when I went to runlevel 1, rpcbind was stopped and didn't come back up when I went back to runlevel 5.
>
> Investigate:
>
> /etc$ sudo find . -name *nfs-kernel-server
> ./rc2.d/S04nfs-kernel-server
> ./rc0.d/K01nfs-kernel-server
> ./rc1.d/K01nfs-kernel-server
> ./default/nfs-kernel-server
> ./init.d/nfs-kernel-server
> ./rc3.d/S04nfs-kernel-server
> ./rc4.d/S04nfs-kernel-server
> ./rc6.d/K01nfs-kernel-server
> ./rc5.d/S04nfs-kernel-server
>
> Observation:
> nfs-kernel-server gets killed at 0,1,6 and gets started at runlevels 2-5
>
> /etc$ sudo find . -name *rpcbind
> ./rc0.d/K06rpcbind
> ./rc1.d/K06rpcbind
> ./rcS.d/S17rpcbind
> ./default/rpcbind
> ./init.d/rpcbind
> ./rc6.d/K06rpcbind
> ./insserv.conf.d/rpcbind
>
> Observation:
> The only time rpcbind is brought up is at system start.
> RUNLEVEL 1 kills it.
>
> Conclusion:
> So either rpcbind shouldn't be killed at runlevel 1 or it should be started prior to nfs-kernel-server on runlevels 2-5.
>
> OR .
>
> I have no clue about something here.
>
> Regards,
> Ken

Reported to Devuan BTS, result follows:

    Re: bug#680: RPCBind incorrect or incomplete runlevels

    Control: tag -1 debian

    Ken,

    Thanks for this.

    On Fri, Jun 03, 2022 at 10:45:38AM -0400, Ken Dibble wrote:
    > Package: rpcbind
    > Version: 1.2.5-9
    >
    > The only time rpcbind is brought up is at system start.
    > RUNLEVEL 1 kills it.

    I don't know why the LSB header specifies that either. The oldest version in Debian[1] also has the same header wrt runlevels.

    src:rpcbind is not a forked package and Devuan uses Debian's packages directly without recompilation.

    Please report this to Debian's BTS to be addressed.

    Thanks

    Mark

    [1] https://deb.debian.org/debian/pool/main/r/rpcbind/rpcbind_0.2.3-0.6.dsc

Reported to Debian BTS on June 7.

Thanks for the help.

Ken
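An added example, not part of any message in this thread: the reasoning from the post (a dependency killed in a runlevel you can return from, and never started again in the runlevels where the dependent service starts) as a check over rc?.d link names. POSTED_LINKS is the `find` output from the post; HYPOTHETICAL_LINKS is a constructed layout used only to show the check passing and is not the Debian or Devuan fix.

```python
import re

# Output of the two `find` commands as posted in the thread.
POSTED_LINKS = """\
./rc2.d/S04nfs-kernel-server
./rc0.d/K01nfs-kernel-server
./rc1.d/K01nfs-kernel-server
./default/nfs-kernel-server
./init.d/nfs-kernel-server
./rc3.d/S04nfs-kernel-server
./rc4.d/S04nfs-kernel-server
./rc6.d/K01nfs-kernel-server
./rc5.d/S04nfs-kernel-server
./rc0.d/K06rpcbind
./rc1.d/K06rpcbind
./rcS.d/S17rpcbind
./default/rpcbind
./init.d/rpcbind
./rc6.d/K06rpcbind
./insserv.conf.d/rpcbind
"""

# Constructed for illustration: the same links plus rpcbind start links in 2-5.
HYPOTHETICAL_LINKS = POSTED_LINKS + "".join(
    "./rc%d.d/S03rpcbind\n" % level for level in (2, 3, 4, 5)
)

LINK = re.compile(r"^\./rc([0-6S])\.d/([SK])(\d{2})(.+)$")


def parse_rc_links(listing):
    """Map service -> {"S": {runlevel: seq}, "K": {runlevel: seq}}.

    Paths that are not rc?.d start/kill links (init.d, default, ...) are ignored.
    """
    services = {}
    for line in listing.splitlines():
        m = LINK.match(line.strip())
        if m:
            level, action, seq, name = m.groups()
            services.setdefault(name, {"S": {}, "K": {}})[action][level] = int(seq)
    return services


def dependency_gaps(services, service, requires):
    """Compare the links of `service` with those of the service it `requires`."""
    empty = {"S": {}, "K": {}}
    svc = services.get(service, empty)
    dep = services.get(requires, empty)
    started = set(svc["S"]) - {"S"}          # rcS.d only runs at boot
    return {
        # Runlevels 0 and 6 are halt/reboot; nothing resumes after them.
        "dep_killed_in": sorted(set(dep["K"]) - {"0", "6"}),
        "dep_not_started_in": sorted(l for l in started if l not in dep["S"]),
        # Both start in the same runlevel, but the dependency does not sort first.
        "misordered_in": sorted(
            l for l in started if l in dep["S"] and dep["S"][l] >= svc["S"][l]
        ),
    }


def breaks_on_runlevel_change(gaps):
    """True when the dependency can be stopped and is then never restarted."""
    return bool(gaps["dep_killed_in"] and gaps["dep_not_started_in"])


if __name__ == "__main__":
    for label, listing in (("posted", POSTED_LINKS), ("hypothetical", HYPOTHETICAL_LINKS)):
        gaps = dependency_gaps(parse_rc_links(listing), "nfs-kernel-server", "rpcbind")
        print(label, gaps, "BREAKS" if breaks_on_runlevel_change(gaps) else "ok")
```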
Re: [DNG] NFS rookie mistake?
No nothing in the logs. That's why I decided to try and restart nfs manually, then discovered the reason it wouldn't start was rpcbind not running.

Ken

On 6/2/22 17:45, Rod Rodolico via Dng wrote:
> Is there anything in the logs?
>
> Rod
>
> On 6/2/22 09:03, Ken Dibble wrote:
>> Thanks for the attempt, but I don't think the situations are related.
>>
>> I am on Chimaera, everything starts normally on reboot, just not on manual runlevel change.
>>
>> Thanks.
>>
>> Ken
>>
>> On 6/1/22 22:53, Rod Rodolico via Dng wrote:
>>> Sorry, I pushed the wrong button and did not reply to list. Apologize.
>>>
>>> Is this related to http://kb.unixservertech.com/start/debugging/linux?
>>>
>>> Summary: NFS would not start after upgrade to Devuan Beowulf. Appears to be an issue with Debian. Looking in the logs, I saw '/run/rpcbind not owned by root failed'
>>>
>>> Solution:
>>> echo 'PATH="$PATH:/usr/bin"' >> /etc/default/rpcbind
>>>
>>> Read the (short) article if you want links and a little more info (it is my notes).
>>>
>>> Rod
>>>
>>> On 6/1/22 20:04, Ken Dibble wrote:
>>>> Here is the story:
>>>>
>>>> I needed to do some server maintenance so I issued
>>>> $init 1.
>>>>
>>>> After the maintenance was done I issued
>>>> $init 5.
>>>>
>>>> Everything was fine except no nfs-server-kernel running.
>>>>
>>>> No problem.
>>>>
>>>> Issue
>>>> $sudo /etc/init.d/nfs-kernel-server restart
>>>> System response:
>>>> Stopping NFS kernel daemon: mountd nfsd.
>>>> Unexporting directories for NFS kernel daemon
>>>> Exporting directories for NFS kernel daemon
>>>> Starting NFS kernel daemon: nfsd
>>>> Not starting: portmapper is not running ... (warning).
>>>>
>>>> Problem to be investigated LATER.
>>>>
>>>> Issue
>>>> $ /etc/init.d/rpcbind restart
>>>> System response:
>>>> Stopping RPC port mapper daemon: rpcbind.
>>>> Starting RPC port mapper daemon: rpcbind.
>>>>
>>>> No problem.
>>>>
>>>> Try nfs server again.
>>>> $sudo /etc/init.d/nfs-kernel-server restart
>>>> System response:
>>>> Stopping NFS kernel daemon: mountd nfsd.
>>>> Unexporting directories for NFS kernel daemon
>>>> Exporting directories for NFS kernel daemon
>>>> Starting NFS kernel daemon: nfsd mountd.
>>>>
>>>> no problem.
>>>>
>>>> So, Now it is LATER.
>>>>
>>>> So obviously when I went to runlevel 1, rpcbind was stopped and didn't come back up when I went back to runlevel 5.
>>>>
>>>> Investigate:
>>>>
>>>> /etc$ sudo find . -name *nfs-kernel-server
>>>> ./rc2.d/S04nfs-kernel-server
>>>> ./rc0.d/K01nfs-kernel-server
>>>> ./rc1.d/K01nfs-kernel-server
>>>> ./default/nfs-kernel-server
>>>> ./init.d/nfs-kernel-server
>>>> ./rc3.d/S04nfs-kernel-server
>>>> ./rc4.d/S04nfs-kernel-server
>>>> ./rc6.d/K01nfs-kernel-server
>>>> ./rc5.d/S04nfs-kernel-server
>>>>
>>>> Observation:
>>>> nfs-kernel-server gets killed at 0,1,6 and gets started at runlevels 2-5
>>>>
>>>> /etc$ sudo find . -name *rpcbind
>>>> ./rc0.d/K06rpcbind
>>>> ./rc1.d/K06rpcbind
>>>> ./rcS.d/S17rpcbind
>>>> ./default/rpcbind
>>>> ./init.d/rpcbind
>>>> ./rc6.d/K06rpcbind
>>>> ./insserv.conf.d/rpcbind
>>>>
>>>> Observation:
>>>> The only time rpcbind is brought up is at system start.
>>>> RUNLEVEL 1 kills it.
>>>>
>>>> Conclusion:
>>>> So either rpcbind shouldn't be killed at runlevel 1 or it should be started prior to nfs-kernel-server on runlevels 2-5.
>>>>
>>>> OR .
>>>>
>>>> I have no clue about something here.
>>>>
>>>> Regards,
>>>> Ken
Re: [DNG] Apparmor blocks Torbrowser downloads
On 4/9/22 14:59, Haines Brown wrote:
> Torbrowser no longer asks where to download even though that option is enabled in its settings.
> Torbrowser no longer can download a file to my home directory ("Could not read the contents of ...)". I get impression that apparmor is preventing a download to where I want.
>
> So I put the line:
>
>     owner "@{HOME/" rw,
>
> into /etc/apparmor.d/torbrowser.Tor.tor . This has no effect.
>
> I also ran to no effect:
>
>     $ sudo sh -c 'echo "owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw," > /etc/apparmor.d/local/torbrowser.Browser.firefox ; apparmor_parser -r /etc/apparmor.d/torbrowser.Browser.firefox'
>
> The package apparmor-profile-torbrowser is not in Chimaera repository.

Just a couple observations.

1) owner "@{HOME/" rw,
   should be
   owner "@{HOME}/" rw,

2) There does not seem to be any package named apparmor-profile-torbrowser in Debian either as the profile is included in the browser package.

I know this probably doesn't help.

Regards,
Ken
Re: [DNG] Kernel Vulnerabilities or who understands this mess
On 3/10/22 04:29, Olaf Meeuwissen via Dng wrote:
> Hi,
>
> Ken Dibble writes:
>
>> Well, a consequence of this investigation was that I was forced to double check some things.
>>
>> The thing I found is that the default /etc/apt/sources.list has chimaera-updates and chimaera-security commented out.
>>
>> Is this really well thought out?
>>
>> I would think that most people would want those enabled.
>
> The *-security entry is enabled by default, IIRC, *unless* the installer was not able to contact it. This *may* have happened if you used an installer while chimaera was not yet released. Obviously, if you installed without a network connection, it will be disabled.
>
> Your sources.list should have appropriate comments if the installer disabled it.
>
> Whether you want *-updates enabled is debatable.
>
> And while writing this up I suddenly seem to remember the installer asking me what to enable/disable. That may have been an advanced mode installation though.
>
> Hope this helps,
> --
> Olaf Meeuwissen    FSF Associate Member since 2004-01-27
> GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
> Support Free Software    https://my.fsf.org/donate
> Join the Free Software Foundation    https://my.fsf.org/join

For a sanity check, I did a fresh install in a vm.

Indeed, things are as you suggested they should be.

I have to assume that I made the same mistake repeatedly, on multiple installs, choosing a wrong option somewhere, as all the devices had identical sources.list files and there were no comments in any of them about the network being unavailable (I rarely have network connectivity issues).

The only choice that I can think of would have been during the install, declining additional sources, thinking that it only meant local physical media.

Sorry for the noise, and thanks again.

Ken
Re: [DNG] online purchasing (dunno - - - maybe OT)
On 3/9/22 11:11, o1bigtenor via Dng wrote:
> Greetings
>
> Wondering what others are noticing.
>
> I made a purchase from an online store - - - it's a smaller entity that covers some interesting niches - - therefore the order.
>
> In doing the purchase - - - noticed, using uBlockOrigin and PrivacyBadger, that paypal 'only' has some 9 domains linked into the transaction. Hmmm - - - that's not all - - - that's what PrivacyBadger was picking up - - - uBlockOrigin noted that there were some 15 domains of which it blocked some 4. Still linked were crackbook and a bunch of ms googly's garbage.
>
> So I called the company to tell them that I found this concerning. I asked the person that I was talking to if they were into internet privacy and security - - - very much so was the answer. So I asked him why he needed all these domains connected. The long and short of it was that he got quite huffy and asked me to cancel my order (and without saying so) get lost. It is more important to him that everyone and his dog know about his transactions than it is for him to make transactions.
>
> I do wish there were a way of warning other customers - - - - his website is likely a magnet for web bottom feeders and he doesn't think its worth things about.
>
> Oh well - - - for me - - - once and not again.
>
> It's bloody hard not to purchase online - - - what are any of you seeing, think about this, doing about this?
>
> What can be done to minimize the negative effects of dealing with this kind of website?
>
> Hopefully not just adjudged as noise!
>
> TIA

I am not sure what you mean by "domains linked in".

Two of the things I am using for privacy are the Brave browser and dnsmasq with a continually updated list of known domains of trackers and such.

The lists are updated on my schedule but do require a little tweaking by the download script because of non-compliant host and domain naming (or ignoring the errors generated by dnsmasq).

    Mar 7 07:28:22 frank dnsmasq[32478]: read /etc/blacklist/hosts_blacklist - 1435580 addresses

Regards,
Ken
Re: [DNG] Kernel Vulnerabilities or who understands this mess
Well, a consequence of this investigation was that I was forced to double check some things.

The thing I found is that the default /etc/apt/sources.list has chimaera-updates and chimaera-security commented out.

Is this really well thought out?

I would think that most people would want those enabled.

Again, sorry for the noise.

Ken

On 3/8/22 07:15, Ludovic Bellière wrote:
> Hello Ken.
>
> Various things that people might find helpful:
>
> 1) BleepingComputer talks about CVE-2022-0847, not -0487 which is another unimportant issue.
>
> 2) If you want to be kept aware of security issues involving debian, you should subscribe to debian-security-annou...@lists.debian.org
>
> 3) To take a gander at the state of the linux kernel shipped with the various versions of debian, there is this tracker: https://security-tracker.debian.org/tracker/source-package/linux
>
> You can see in the tracker that CVE-2022-0847 is resolved. See DSA-5092-1 and https://security-tracker.debian.org/tracker/CVE-2022-0847
>
> As a rule of thumb, you should trust debian's various trackers to report the effective state of each package.
>
> Cheers,
> Ludovic
>
> On Mon, 07 Mar 2022, Ken Dibble wrote:
>> Sorry for the noise, but the conflicting information, or possibly my misinterpretation of information, leaves me with some questions.
>>
>> BleepingComputer is reporting in an article dated 3-7-2022 that CVE-2022-0847 is being exploited and Max Kellerman says that all 5.8 and later kernels are affected.
>>
>> The article goes on and says that it is fixed in 5.16.11, 5.15.25, and 5.10.102.
>>
>> Debian says it is fixed in 5.10.92-2.
>>
>> There is no mention of the backported kernel branch 5.14 other than being "5.8 or later".
>>
>> Chimaera is still at 5.10.84-1.
>>
>> I have multiple machines running the 5.14.9-2~bpo11+1 kernel.
>>
>> Can someone help with a definitive answer on what kernels are and are not safe(fixed)?
>>
>> Thanks.
>>
>> Ken
Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)
On 2/19/22 5:13 PM, Florian Zieboll via Dng wrote:
> On Sat, 19 Feb 2022 23:00:59 +0100
> Florian Zieboll via Dng wrote:
>
> Popcorn
>
>     florian@nulldevice:~$ cat .bashrc | grep tmp
>     rm -rf ~/tmp/*
>
> Thanks for your attention - I hope you had fun ;-)
>
> cum salutis gallicis,
> Florian

Glad I could help.

You never know when an opportunity to learn will appear.

Regards,
Ken
Re: [DNG] Popcorn (was: Re: [OT] files disappearing reproducibly)
On 2/19/22 5:00 PM, Florian Zieboll via Dng wrote:
> On Sat, 19 Feb 2022 21:59:59 +0100
> Florian Zieboll via Dng wrote:
>
>> root@nulldevice:~# ls -l /home/florian/tmp/test*
>> -rw-r--r-- 1 florian florian 0 Feb 19 21:11 /home/florian/tmp/test_deletable
>> -rw-r--r-- 1 root    root    0 Feb 19 21:19 /home/florian/tmp/test_root
>> -rw-r--r-- 1 florian florian 0 Feb 19 21:09 /home/florian/tmp/test_undeletable
>> root@nulldevice:~# lsattr /home/florian/tmp/test*
>> --e--- /home/florian/tmp/test_deletable
>> e--- /home/florian/tmp/test_root
>> i-e--- /home/florian/tmp/test_undeletable
>>
>> (...)
>>
>> OTOH, all the files under '/home/florian/tmp/' are still there - at least 'test_deletable' should have been gone by now, if "the issue" still persisted... So I remain wondering (again [1]) if there's some galaxy brain posing with its superpowers by trampling through my tiny digital sandcastle here? (lol, get a life!)
>>
>> But seriously, for the future(tm): Where would this 'chattr +i'-induced "Operation not permitted" error be logged?
>
> Update: Now all but the immutable file are gone - and every new terminal windows I open greets me with:
>
> || rm: cannot remove '/home/florian/tmp/test_undeletable': Operation not permitted
> || florian@nulldevice:~$
>
> florian@nulldevice:~$ ls -l ~/tmp/
> total 0
> -rw-r--r-- 1 florian florian 0 Feb 19 21:09 test_undeletable
>
> My bad, I missed to start auditd again, so I can't say, when it happened.
>
> Before I set up a clean device (bridge) to tcpdump the network traffic: What else could I check locally?

Since you get this in every terminal window, I would look at .bashrc and .profile, as well as any shortcut that you use to open a terminal.

Regards,
Ken
Re: [DNG] [OT] files disappearing reproducibly
On 2/19/22 2:42 PM, Florian Zieboll via Dng wrote:

Hallo list,

may I ask for help narrowing down a strange phenomenon? Any files in my personal '~/tmp/' directory just disappear after a couple of minutes. I was able to catch the event with 'auditd' - It seems to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first line, caught with

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 a3=f2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"

And here the relevant snippet of 'ps axjf':

PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
1 8287 8286 8286 ? -1 Rl 1001 0:01 /usr/bin/qterminal
8287 8290 8290 8290 pts/2 8358 Ss 1001 0:00 \_ /bin/bash

As I suspect that I might have installed a routine that regularly deletes the content of ~/tmp, I checked for crontab entries, but neither of the two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian

I don't know if this error will show up in the logs or not. If your filesystem supports extended attributes (i.e. not zfs) -

$ touch cant_delete_me
$ sudo chattr +i cant_delete_me
$ rm cant_delete_me
rm: cannot remove 'cant_delete_me' : Operation not permitted
$ sudo rm cant_delete_me
rm: cannot remove 'cant_delete_me' : Operation not permitted

- See if the error message shows up in the logs.

and then obviously

$ sudo chattr -i cant_delete_me
$ rm cant_delete_me

Again, probably not helpful, but worth a try.

Regards, Ken
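The audit records quoted in the message above can be read offline. This is an added example, not part of any list member's post: it groups records by event serial, hex-decodes the PROCTITLE field, and reports which command unlinked the watched file and under which parent PID. The sample input is a trimmed copy of the quoted records; the function names are hypothetical.

```python
import re
import shlex
from collections import defaultdict

# Trimmed copy of the records quoted in the thread (unneeded fields removed).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 items=2 ppid=8290 pid=8292 auid=1001 uid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 nametype=PARENT
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 nametype=DELETE
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 msg='op=PAM:authentication acct="administrator" exe="/bin/su" res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw):
    """Decode a string-typed audit field.

    auditd writes plain strings in double quotes and hex-encodes strings that
    contain spaces or control bytes (PROCTITLE uses NUL between arguments).
    Only call this on string fields; numeric fields such as pid look like hex.
    """
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_events(text):
    """Group records by event serial: {serial: {"time": float, "records": [...]}}."""
    events = defaultdict(lambda: {"time": None, "records": []})
    for line in text.splitlines():
        # Enriched logs append interpreted fields after a 0x1d byte; drop them.
        m = HEADER.match(line.split("\x1d")[0].strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"].append((rtype, dict(FIELD.findall(body))))
    return dict(events)


def deletions(events):
    """Summarise each event that carries a PATH record with nametype=DELETE."""
    out = []
    for serial, ev in sorted(events.items()):
        by_type = defaultdict(list)
        for rtype, fields in ev["records"]:
            by_type[rtype].append(fields)
        victims = [decode_value(p["name"]) for p in by_type["PATH"]
                   if p.get("nametype") == "DELETE" and "name" in p]
        if not victims or not by_type["SYSCALL"]:
            continue
        sc = by_type["SYSCALL"][0]
        argv = []
        if by_type["PROCTITLE"]:
            title = decode_value(by_type["PROCTITLE"][0].get("proctitle", ""))
            argv = [a for a in title.split("\x00") if a]
        out.append({
            "serial": serial,
            "time": ev["time"],
            "deleted": victims,
            "exe": decode_value(sc.get("exe", "")),
            "pid": int(sc.get("pid", -1)),
            "ppid": int(sc.get("ppid", -1)),
            "auid": int(sc.get("auid", -1)),
            "tty": sc.get("tty"),
            "cmdline": shlex.join(argv),
        })
    return out


if __name__ == "__main__":
    for d in deletions(parse_events(SAMPLE_LOG)):
        print(f"event {d['serial']}: {d['cmdline']!r} (exe={d['exe']}, "
              f"pid={d['pid']}, ppid={d['ppid']}, tty={d['tty']}) "
              f"removed {', '.join(d['deleted'])}")
```

The reported ppid 8290 is the /bin/bash entry in the quoted 'ps axjf' output, so the rm was started by the shell inside the terminal rather than by cron.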
Re: [DNG] [OT] files disappearing reproducibly
On 2/19/22 10:25 AM, Florian Zieboll via Dng wrote:

Hallo list,

may I ask for help narrowing down a strange phenomenon? Any files in my personal '~/tmp/' directory just disappear after a couple of minutes. I was able to catch the event with 'auditd' - It seems to be executed in a bash within a qterminal, running as child of PID 1:

The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first line, caught with

# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1645279145.766:65): arch=c03e syscall=263 success=yes exit=0 a0=ff9c a1=5604372f44d0 a2=0 a3=f2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"

And here the relevant snippet of 'ps axjf':

PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
1 8287 8286 8286 ? -1 Rl 1001 0:01 /usr/bin/qterminal
8287 8290 8290 8290 pts/2 8358 Ss 1001 0:00 \_ /bin/bash

As I suspect that I might have installed a routine that regularly deletes the content of ~/tmp, I checked for crontab entries, but neither of the two following commands return a result:

# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/

Besides that: Wouldn't a cronjob have 'crond' as parent?

Thank you very much for any hints leading to more insight!

Libre Grüße,
Florian

Probably not helpful but did you check anacrontab?

Regards, Ken
Re: [DNG] Stability will be achieved when you spend all of your time reporting on the nothing you did.
On 2/7/22 9:30 AM, Antony Stone wrote:

On Monday 07 February 2022 at 15:23:41, Ken Dibble wrote:

Application: firefox 78.15.0esr

URL: about:telemetry#home-tab
Page contains statement: Telemetry is collecting release data and upload is disabled.

URL: about:telemetry#histograms-tab
Page contains seemingly endless amounts of collected data.

If this data is supposedly not being uploaded by user preference, then why in the H,E,double hockey sticks is so much of it being collected?

Sorry, but in what way is this a Devuan question rather than a Firefox one?

Antony.

I apologize. Except for this being the browser supplied under Chimaera, it probably isn't. I just thought the information was of value for Devuan users. I will try and find a Mozilla resource, sorry again for the noise.

Ken
[DNG] Stability will be achieved when you spend all of your time reporting on the nothing you did.
Application: firefox 78.15.0esr

URL: about:telemetry#home-tab
Page contains statement: Telemetry is collecting release data and upload is disabled.

URL: about:telemetry#histograms-tab
Page contains seemingly endless amounts of collected data.

If this data is supposedly not being uploaded by user preference, then why in the H,E,double hockey sticks is so much of it being collected?

Regards, Ken
Re: [DNG] software question
On 1/25/22 12:53 PM, Hendrik Boom wrote:

On Tue, Jan 25, 2022 at 05:43:44AM -0600, o1bigtenor via Dng wrote:

On Tue, Jan 25, 2022 at 3:02 AM Olaf Meeuwissen via Dng wrote:

Hendrik Boom writes:

On Sun, Jan 23, 2022 at 07:29:27PM +0100, Florian Zieboll via Dng wrote:

On January 21, 2022 7:15:06 PM GMT+01:00, o1bigtenor via Dng wrote:

Greetings

For a non-profit - - - this is not bulk email for sales - - - - bulk email for connection. Is there a linux program (foss hopefully) that will allow me to do this? (Sending regular emails to a group of people (from 15 to 50 recipients).)

With LibreOffice you can send personalized bulk mail. IIRC it was quite annoying to set up, but once done, it worked.

I just use /etc/aliases

That was my first reaction too ;-)

OK - - - I'm not a programmer in any shape way or form. My guess would be when using /etc/aliases - - - - that's some form of bash programming? using awk or ? Please advise? (purdy (sic) please.

It's a list of aliases.

mom : al...@homeowners.ca

tells that mail for mom is to be sent to al...@homowners.ca

anglers: j...@fish.ca, al...@poisson.ca

tells it that mail for anglers is to be sent to j...@fish.ca and also to al...@poisson.ca

And that's about all there is to it. entries in a line of destinations can refer to other alias lines, but there's a constraint as to which has to come first.

Try it out. Just edit an /etc/aliases into existence, and you'll likely find it works if your system handles its own email.

-- hendrik

I just use the tools in the computering universe so far - - - have barely begun anything any deeper. (Starting with hardware - - - putting together stuff for control and now starting for sensors.)

TIA

And, if you are like me and occasionally neglect to rtfm, don't forget to run newaliases every time you change /etc/aliases. Per man 8 newaliases.

Regards, Ken
Re: [DNG] Youtube is slow and advertisement laden: Was: Early Days at Bell Labs - Youtube, the systemd of video
On 1/19/22 9:44 AM, Andrew McGlashan via Dng wrote:

On 17/1/22 1:54 pm, Ken Dibble wrote:

Or just install tsp and submit the download commands to the queue.

What is "tsp" ?

for some reason the deb is named task-spooler

once installed you invoke it by its binary name tsp

My fault for not being clearer. You can search the web for lots of examples of using it.

Task spooler is a Unix batch system where the tasks spooled run one after the other. Each user in each system has his own job queue. The tasks are run in the correct context (that of enqueue) from any shell/process, and its output/results can be easily watched. It is very useful when you know that your commands depend on a lot of RAM, a lot of disk use, give a lot of output, or for whatever reason it's better not to run them at the same time.

Regards, Ken
Re: [DNG] Youtube is slow and advertisement laden: Was: Early Days at Bell Labs - Youtube, the systemd of video
On 1/16/22 4:06 PM, Steve Litt wrote:

ael via Dng said on Sun, 16 Jan 2022 11:56:51 +

On Sun, Jan 16, 2022 at 04:12:44AM -0500, Steve Litt wrote:

This was discussed on the devuan-offtopic IRC channel, so I watched the video: https://www.youtube.com/watch?v=ECCr_KFl41E

But youtube has become impossible to watch with hideous intrusive deviant advertisements...

Impossible is lifting a Cadillac over your head with just your body's muscles. Annoying is Youtube advertisements. Youtube is still watchable. And, if you hate advertisements, you can just subscribe to Youtube Premium and not get them.

And google seem to have found a way to make youtube-dl hopelessly slow.

This throttling of youtube-dl is inconvenient but not life-altering. You can make a list of videos you want to download, put them all in a shellscript, and set it off just before you go to bed. The next day you'll have all the videos.

Here's a tip: Be sure to use the --restrict-filenames option so you don't get hard to rename filenames.

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques

Or just install tsp and submit the download commands to the queue.

Ken
Re: [DNG] merged /usr breakage
On 1/7/22 8:59 AM, Hendrik Boom wrote:

On Fri, Jan 07, 2022 at 11:44:59AM +0100, Didier Kryn wrote:

On 07/01/2022 at 10:18, Didier Kryn wrote:

On 06/01/2022 at 22:00, Bob Proulx via Dng wrote:

Didier Kryn wrote:

Hendrik Boom wrote:

software that isn't properly packaged as a .deb, but instead has an "installer" that needs to be run as root.

Immediately I think of all of those script "installers" that request the user do this and similar to install their software as root this way.

wget -O- http:/example.com/foo.sh | bash

How many projects do this? Hundreds? Thousands?

In real life I have encountered many CAD/EDA tool vendors with installation scripts that casually make system modifications not knowing what they do. I try to keep those contained.

If I recall correctly, the manufacturer-supplied printer driver for the Brother HL 3170CDW laser printer does this.

In real life I have encountered sysadmins who have casually modified modules, python in this case but it could have been other, in /usr/lib outside of the package manager or any tracking. Then later normal machine upgrades were broken because newer modules were broken by upgrading older ones. If those had been made into /usr/local instead it would have been both visible and would not have been broken by normal system upgrades. Being more than twice burned I am extremely shy now...

If the installer must be run as root, it is precisely because it needs to install software in /usr.

Or into /usr/local which now requires root. Back in the better days of Debian it used to be possible for a user of group staff to install into /usr/local without full superuser access. But that's gone from the installation now.

https://bugs.debian.org/484841#62

Since that has been removed in favor of using full root for everything it removes a useful safety net layer. For example this statement. Russ Allbery writes in comment #77 in favor of using full root instead of a more limited group staff.

I would prefer to drop the writeability of /usr/local by staff personally. I don't think it serves much useful purpose these days given the existence of tools like sudo, and where it does, I think we can work out a transition plan that will make it relatively easy for sites to recreate the concept.

And the vote went against it. So it's gone now. It's root only. Sigh. On my systems I recreate the group staff concept and implementation. Because I do find it useful.

My chimaera system says

hendrik@midwinter:~$ ls /usr/local -l
total 36
drwxrwsr-x 2 root staff 4096 Jun 1 2021 bin
drwxrwsr-x 2 root staff 4096 Jul 9 2018 etc
drwxrwsr-x 2 root staff 4096 Jul 9 2018 games
drwxrwsr-x 2 root staff 4096 Jul 9 2018 include
drwxrwsr-x 4 root staff 4096 Oct 5 08:27 lib
lrwxrwxrwx 1 root staff 9 Jul 9 2018 man -> share/man
drwxr-sr-x 10 hendrik staff 4096 Jun 1 2021 racket
drwxrwsr-x 2 root staff 4096 Jul 9 2018 sbin
drwxrwsr-x 9 root staff 4096 Oct 5 08:21 share
drwxrwsr-x 2 root staff 4096 Jul 9 2018 src

so it looks as if 'staff' is still alive. I certainly didn't set up a 'staff' account myself.

... ...

Just another data point.

kdibble@thinkstation:~$ ls -l /usr/local
total 32
drwxr-xr-x 2 root root 4096 Oct 14 08:23 bin
drwxr-xr-x 2 root root 4096 Oct 14 08:23 etc
drwxr-xr-x 2 root root 4096 Oct 14 08:23 games
drwxr-xr-x 2 root root 4096 Oct 14 08:23 include
drwxr-xr-x 3 root root 4096 Dec 4 18:59 lib
lrwxrwxrwx 1 root root 9 Oct 14 08:23 man -> share/man
drwxr-xr-x 2 root root 4096 Oct 14 08:23 sbin
drwxr-xr-x 10 root root 4096 Oct 20 11:37 share
drwxr-xr-x 2 root root 4096 Oct 14 08:23 src

Concerning installation in /usr/local:
--
My first investigations indicate that there is provision in Freedesktop.org to put icons and launchers under $HOME/.local, but nothing for /usr/local. Therefore the installation of an application in /usr/local could include executable, config files and manpages, but the icon and the launcher would be per user. Seems /usr/local is honoured by the base system (default PATH and default man search path) but is "deprecated" by Freedesktop.

Concerning installation in user's space:

As written above, Freedesktop enables icons, launchers and applications menu in ~/.local . Man will look also by default search ~/man if it exists, but, to my knowledge, there is no default user directory for executables; it is therefore up to the user to create this directory and specify it when installing, which makes uninstallation problematic. In this case, the installer might force the use of ~/bin and ~/man and create them if they don't exist.

It is not unusual for a non-distro package, let's call it foo, to install *all* of its files in /usr/local/foo . Sometimes the installer for such a package is so kind as to as
Re: [DNG] xdg-desktop-portal
On 1/6/22 4:48 PM, Antony Stone wrote:

On Thursday 06 January 2022 at 22:30:58, Ken Dibble wrote:

Why is xdg-desktop-portal in a fresh install of Chimaera?

I have a Chimaera machine here, freshly installed, without any graphical desktop environment - just a command-line network server - and xdg-desktop-portal is not installed.

It can be safely uninstalled, as no devuan packages in the base install require it,

They may not REQUIRE it, but I wonder whether you are allowing packages to install RECOMMENDS as well?

Try "aptitude why xdg-desktop-portal" and see whether something you do want to have on your machine has simply Recommended xdg-desktop-portal, and you ended up with it because you haven't told apt or aptitude not to do that sort of thing without your permission.

I always put two files into /etc/apt/apt.conf.d before allowing much software to be installed:

/etc/apt/apt.conf.d/norecommendationsplease
APT::Install-Recommends "false";
APT::Get::Install-Recommends "false";

/etc/apt/apt.conf.d/nosuggestionsplease
APT::Install-Suggests "false";
APT::Get::Install-Suggests "false";

That way nothing gets installed unless I explicitly ask for it, or it's essential for something I asked for.

Antony.

Thank you. The machine in question had a gui and it probably got pulled in with a suggestion. I was not aware of the apt configurability, so I got to learn something for free (except for your time).

Thanks again.

Ken
[DNG] xdg-desktop-portal
At the risk of confirming that I am none too smart, I have the following question.

Why is xdg-desktop-portal in a fresh install of Chimaera?

It can be safely uninstalled, as no devuan packages in the base install require it, and as far as I can tell it is only needed for snap and systemd type stuff. I only noticed it because it screws with df.

Can someone enlighten me?

Thanks.

Ken
Re: [DNG] Priter trouble again.
On 1/1/22 3:07 PM, Hendrik Boom wrote:

I installed CUPS a part of the standard install long ago. I had no trouble configuring it back the to talk sweet to me printer. Worked fine.

But now it doesn't. The printer seems to have changed its IP number.

Now I can tell it explicitly what IP number to use by entering stuff in its physical control panel. So all I should have to do is to set its IP number to whatever CUPS (now unsuccessfully) uses to talk to it.

What I don't know is how to get CUPS to tell me what IP number it currently thinks belongs to the printer. There should be some simple way of asking CUPS to tell me this.

-- hendrik

If you go into the cups web control panel at

http://localhost:631/printers/? if it is on the local machine

or

http://WHATEVER_THE_CUPS SERVER_NAME_IS:631/printers/? if it is on another machine

THEN: select the appropriate printer and you should see a

Connection socket://address

which would be the address of the printer

As an alternative you can try:

sudo grep PRINTER_QUEUE_NAME /etc/cups/printers.conf

on the machine running cups

Hope this helps

Ken
Re: [DNG] system administration of non-systemd distros and releases
On 11/26/21 3:59 PM, d...@d404.nl wrote:

On 26-11-2021 21:53, Dr. Nikolaus Klepp via Dng wrote:

Anno domini 2021 Fri, 26 Nov 15:33:11 -0500 Ken Dibble scripsit:

On 11/26/21 1:57 PM, d...@d404.nl wrote:

On 26-11-2021 17:27, goli...@devuan.org wrote:

On 2021-11-26 05:08, Peter Duffy wrote:

It's a bit like the charlatans and fake doctors in past centuries. They'd invent an illness, and then claim to have a remedy for it: https://en.wiktionary.org/wiki/marthambles

LOL! Isn't that exactly what big pharma is still doing with direct marketing to consumers of their latest "cure" for a newly discovered "disease"?

golinux

Well, big pharma does do some research and sometimes come with new and useful medication. But it is true that they spend more on marketing than on research.

Grtz Nick

I am not trying to create problems of any type. I would honestly like the source of the claim that big pharma spends more on marketing than on research, before I repeat it, and am left without a defense.

5% R&D, 45% Marketing, 50% profit - at least these were the last published numbers. Sorry, I just have a source in german:

https://www.amazon.de/Lizenz-Pl%C3%BCndern-multilaterale-Abkommen-Investitionen/dp/3434530177

This book is not the newest, but it has valid numbers. And both authors have quite a name :)

Nik

Ken

This is reasonable recent https://www.pharmacychecker.com/askpc/pharma-marketing-research-development/

Grtz Nick

Thank You.

That is both sad and scary.

Ken
Re: [DNG] system administration of non-systemd distros and releases
On 11/26/21 1:57 PM, d...@d404.nl wrote:

On 26-11-2021 17:27, goli...@devuan.org wrote:

On 2021-11-26 05:08, Peter Duffy wrote:

It's a bit like the charlatans and fake doctors in past centuries. They'd invent an illness, and then claim to have a remedy for it: https://en.wiktionary.org/wiki/marthambles

LOL! Isn't that exactly what big pharma is still doing with direct marketing to consumers of their latest "cure" for a newly discovered "disease"?

golinux

Well, big pharma does do some research and sometimes come with new and useful medication. But it is true that they spend more on marketing than on research.

Grtz Nick

I am not trying to create problems of any type. I would honestly like the source of the claim that big pharma spends more on marketing than on research, before I repeat it, and am left without a defense.

Ken
[DNG] Globbing rsync != tar ?
In my never ending quest to cause myself headaches, I have been experimenting with different backup methods.

What I am seeing is as follows: rsync using a .gitignore file and tar using the same .gitignore file have different opinions about globbing.

Here are the commands for reference

rsync -a -r -t -p -o -g -s --exclude-from=.gitignore /home/kdibble /tmp/backup_test

tar --exclude-vcs-ignores -c /home/kdibble > /tmp/kdibble.tar

According to gnu.org tar 1.34 section 6.4

‘--exclude-vcs-ignores’
Before archiving a directory, see if it contains any of the following files: ‘cvsignore’, ‘.gitignore’, ‘.bzrignore’, or ‘.hgignore’. If so, read ignore patterns from these files. The patterns are treated much as the corresponding VCS would treat them, i.e.:

‘.gitignore’
Contains shell-style globbing patterns. Applies to the directory where ‘.gitfile’ is located and all its subdirectories. Any line beginning with a ‘#’ is a comment. Backslash escapes the comment character.

here is /home/kdibble/.gitignore

#.gitignore for home directory
#
.*
Downloads/
vmware/
#
bin/checkhosts/etc_hosts
bin/checkhosts/hosts
!/.gitignore
**/core
**/*.o
**/*.d
**/*.class
**/a.out
**/binary_data
**/perf_data
**/quotient.txt

After rsync:

$ ls /tmp/backup_test | grep binary_data
$
$ ls /tmp/backup_test | grep "o.d"
$

After tar:

$ tar tf /tmp/kdibble.tar | grep binary_data
home/kdibble/NetBeansProjects/factor/binary_data
$ tar tf /tmp/kdibble.tar | grep "o.d"
home/kdibble/NetBeansProjects/Pell/build/Debug/GNU-Linux-x86/main.o.d
home/kdibble/NetBeansProjects/PollardRho/build/Debug/GNU-Linux/main.o.d
home/kdibble/NetBeansProjects/PollardRho/build/Debug/GNU-Linux-x86/main.o.d

I understand that the documentation says "much as the corresponding VCS would treat them" but, IMHO, IF they are not going to work the same, don't make it sound as though they do work the same or name the command line switch like they do. Especially on utilities used for backing up data, where there is an expectation of being able to restore what you intended to back up.

For reference the '**' glob was apparently introduced with Bash 4 in 2009, so it isn't something new.

Then again, maybe I am missing something

Hoping to be enlightened,

Ken
Re: [DNG] Chimaera Oddities
On 11/9/21 7:21 PM, Ken Dibble wrote:

On 10/28/21 12:36 PM, Ken Dibble wrote:

A couple of oddities.

The uas driver does not like the JMicron Sata/USB 3 bridge.

Bus 004 Device 003: ID 152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp. JMS567 SATA 6Gb/s bridge

I updated to the 5.14 kernel from backports and the craziness with the disk being unreadable and not recognizing formats seems to have stopped.

The I/O rate is horrible (35MB/s) with the JMicron Bridge and a 2.5 velociraptor which WD says gets up to 200MB/s sustained, although I have only seen in the 140s.

I have a Weme bridge ordered which claims to be linux compatible, should be here next week.

We'll see what happens.

The Weme bridge arrived. Linux compatible? Well, the ASM chip in it is listed in the kernel's built in blacklist. So, I would say no, but it seems to work without the uas driver.

The underlying cause seems to be my USB 3 cards themselves. They use a Renesas uPD720200 chip, which I have been unable to update the firmware through Linux, Dos, or Windows. Unfortunately both of the machines in question had this card installed.

I did however find a USB 3 card with a Renesas uPD720202 chip in my pile of expansion cards and both bridges appear to work even if on the kernel blacklist.

So all of this stuff goes in the 'iffy' pile of hardware. I am not willing to trust it or a manufacturer whose definition of compatible is that the computer doesn't go up in flames when used.

Tape is slow, but my hardware has never complained about working the midnight shift and tape has always been reliable for me.

Ken
Re: [DNG] Chimaera Oddities
On 10/28/21 12:36 PM, Ken Dibble wrote:

A couple of oddities.

The uas driver does not like the JMicron Sata/USB 3 bridge.

Bus 004 Device 003: ID 152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp. JMS567 SATA 6Gb/s bridge

I updated to the 5.14 kernel from backports and the craziness with the disk being unreadable and not recognizing formats seems to have stopped.

The I/O rate is horrible (35MB/s) with the JMicron Bridge and a 2.5 velociraptor which WD says gets up to 200MB/s sustained, although I have only seen in the 140s.

I have a Weme bridge ordered which claims to be linux compatible, should be here next week.

We'll see what happens.

Ken
Re: [DNG] Chimaera Oddities
On 10/30/21 7:36 AM, ael via Dng wrote:

On Thu, Oct 28, 2021 at 12:36:19PM -0400, Ken Dibble wrote:

A couple of oddities.

The uas driver does not like the JMicron Sata/USB 3 bridge.

Bus 004 Device 003: ID 152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp. JMS567 SATA 6Gb/s bridge

Works here on debian testing:

# lsusb -s 004:002
Bus 004 Device 002: ID 152d:0567 JMicron Technology Corp. / JMicron USA Technology Corp. JMS567 SATA 6Gb/s bridge

# lsmod |grep uas
uas 32768 1
usb_storage 81920 1 uas
usbcore 331776 8 xhci_hcd,ehci_pci,usb_storage,uvcvideo,ehci_hcd,btusb,xhci_pci,uas
scsi_mod 262144 6 sd_mod,usb_storage,uas,libata,sg,sr_mod

# uname -srvm
Linux 5.14.0-2-amd64 #1 SMP Debian 5.14.9-2 (2021-10-03) x86_64

Well, it kind of works on chimaera, but the i/o is limited to 6MB/s. Blacklisting it results in full speed 140MB/s +-.

Are you getting normal i/o speeds?

Thanks

Ken
[DNG] Chimaera Oddities
A couple of oddities.

The uas driver does not like the JMicron Sata/USB 3 bridge.

Bus 004 Device 003: ID 152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp. JMS567 SATA 6Gb/s bridge

I blacklisted the device as follows and all seems to work as expected.

cat /etc/modprobe.d/blacklist_uas.conf
options usb-storage quirks=174c:5136

There seems to be a problem with df. I have three machines running chimaera and the oddity only happens on one.

kdibble@anna:~$ apt list coreutils
Listing... Done
coreutils/stable,now 8.32-4+b1 amd64 [installed]
kdibble@anna:~$ uname -a
Linux anna 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
kdibble@anna:~$ cat /etc/issue
Devuan GNU/Linux 4 \n \l
kdibble@anna:~$ df
df: /run/user/1000/doc: Operation not permitted
Filesystem 1K-blocks Used Available Use% Mounted on
udev 6094116 0 6094116 0% /dev
tmpfs 1224600 1060 1223540 1% /run
/dev/sda1 114792580 5642064 103273168 6% /
tmpfs 5120 4 5116 1% /run/lock
tmpfs 4965560 0 4965560 0% /dev/shm
/dev/sdb6 239709796 53920084 173540320 24% /home
tmpfs 1224596 12 1224584 1% /run/user/1000

There also seems to be a problem with the grub graphical display on the machine with /boot on a disk and / on a pci nvme card. Still trying to run down the details. Forcing it to a non graphical display makes the errors go away the machine boots either way, so it hasn't been a priority.

Thanks.

Ken