Re: Bug#990086: apt-key is deprecated in bullseye, how to manage keys instead

2021-06-20 Thread Andrei POPESCU
On Sun, 20 Jun 21, 10:20:42, Andrei POPESCU wrote:
> Package: release-notes
> X-Debbugs-Cc: debian-user@lists.debian.org, a...@packages.debian.org
> 
> On Sat, 19 Jun 21, 22:07:35, Marco Möller wrote:
> > 
> > Command apt-key and its man page say that apt-key is deprecated, but do not
> > suggest an instead recommended tool. It is only mentioned that keys would
> > now be organized in /etc/apt/trusted.gpg.d/  . But how should I manage the
> > keys saved there, for instance how to update them, or what tool of the
> > Debian distribution is managing them there for the apt functionality of the
> > Debian OS?
> 
> As far as I understand it's as simple as dropping the keys in there. 
> 
> When a key changes/expires/etc. replace it with the new one (if provided 
> by the respective repository).
> 
> > Guiding me to a properly up-to-date documentation about this topic would be
> > welcome!
> 
> Indeed the documentation on this is a bit scarce, probably worth a 
> mention in the Release Notes.

Which already exists, under "Deprecated components for bullseye".

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-20 Thread deloptes
rhkra...@gmail.com wrote:

> Darn, please ignore the previous message -- didn't mean to send, was
> working on a draft, meant to save as a draft instead of send.
> 
> (Of course, if you want to reply, feel free.)

.



Re: looking for a solution for a countdown

2021-06-20 Thread Yves Rutschle
On Sun, Jun 20, 2021 at 09:50:51PM +0200, Bernard Schoenacker wrote:
> sorry, but that is too much for my needs ...
> 
> I am looking for a countdown timer to give me the countdown
> of a cooking time ...

Then a simple:

for i in `seq 120 -1 0`; do echo $i; sleep 1; done

to count, for example, 120 seconds.

It's not "exact", because it will run sleep 1 120 times, and
so the script's execution time around that will
increase the total time, but for cooking pasta, that's
enough.

Y.



Debian 11 and Clementine music player

2021-06-20 Thread Georgi Naplatanov
Hi all,

I use Debian 11 (which is still testing) and I have installed Clementine
music player version 1.4 rc2.

The problem is that when I try to listen to a particular stream I get this
error message "Your GStreamer installation is missing a plug-in."

With Debian 10 I had no such issue, the stream was playable.

I couldn't guess which plugin is missing on Debian 11. This is the list
of installed gstreamer packages:

gir1.2-gstreamer-1.0:amd64
gstreamer1.0-fdkaac:amd64
gstreamer1.0-gl:amd64
gstreamer1.0-gtk3:amd64
gstreamer1.0-libav:amd64
gstreamer1.0-nice:amd64
gstreamer1.0-plugins-bad:amd64
gstreamer1.0-plugins-bad-apps
gstreamer1.0-plugins-base:amd64
gstreamer1.0-plugins-good:amd64
gstreamer1.0-plugins-ugly:amd64
gstreamer1.0-pulseaudio:amd64
gstreamer1.0-qt5:amd64
gstreamer1.0-rtsp:amd64
gstreamer1.0-tools
gstreamer1.0-x:amd64
libgstreamer-gl1.0-0:amd64
libgstreamer-plugins-bad1.0-0:amd64
libgstreamer-plugins-base1.0-0:amd64
libgstreamer1.0-0:amd64


and the stream is :

https://bss.neterra.tv/rtplive/veselinaradio_live.stream/chunklist.m3u8

so my questions are :
 - why isn't this stream playable on Debian 11?
 - do I have to install additional packages and which?
 - or is this a bug in Clementine?

By the way, the stream is playable with MPV video player on Debian 11.

Kind regards
Georgi



Re: looking for a solution for a countdown

2021-06-20 Thread Bernard Schoenacker


- Original message - 

> From: "Basile Starynkevitch" 
> To: "Bernard Schoenacker" 
> Cc: "Debian user french" 
> Sent: Sunday 20 June 2021 20:28:58
> Subject: Re: looking for a solution for a countdown

> On 20/06/2021 20:07, Bernard Schoenacker wrote:
> --
> Basile Starynkevitch  (only mine opinions /
> les opinions sont miennes uniquement)
> 92340 Bourg-la-Reine, France
> web page: starynkevitch.net/Basile/

Hello Basile,

sorry, but that is too much for my needs ...

I am looking for a countdown timer to give me the countdown
of a cooking time ...

Thanks

See you

Bernard



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Dan Ritter
Greg Wooledge wrote: 
> On Sun, Jun 20, 2021 at 03:00:20PM -0400, Dan Ritter wrote:
> > The directory can just be created, and then the perms need to be
> > 
> > chmod 600 ~/.ssh
> 
> 700, sir.

Thank you.

-dsr-



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Greg Wooledge
On Sun, Jun 20, 2021 at 03:00:20PM -0400, Dan Ritter wrote:
> The directory can just be created, and then the perms need to be
> 
> chmod 600 ~/.ssh

700, sir.



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Dan Ritter
Gene Heskett wrote: 
> On Sunday 20 June 2021 10:21:52 Dan Ritter wrote:
> 
> > Gene Heskett wrote:
> > > I'd like to plead for a new apt-key, one that would survey the
> > > existing list, and on finding a key that is expired or is no longer
> > > associated, offer the option of removing it, or refreshing it.
> > >
> > > I have up to 7 machines on my local network, usually accessed by
> > > some ssh/sshfs variation, but my current keyring since I'm first
> > > user, probably has 30 some keys, many of which are useless as the
> > > target machine has been changed by a new machine and a new bare
> > > metal install.
> >
> > This is ssh key management, not apt key management. apt key
> > things are for trusting package repositories.
> 
> okay, but
> >
> > Here's what you should do:
> >
> > 1. create a new ssh keypair on your main machine:
> > ssh-keygen -t rsa -b 4096 -f gene2021
> 
> Done. generated /home/gene/gene2021 and /home/gene/gene2021.pub
> 
> > 2. for each $targetmachine in your 7 machines, do this:
> > - ssh $targetmachine
> > - mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
> 
> 4 of the 6 machines have no .ssh directory in /home/gene. ssh may have 
> had to be installed after the bare metal install of debian 10 using the 
> linuxcnc install cd. sshfs and its deps sure had to be after the first 
> reboot. I'll go bug the LinuxCNC install spinners, been meaning to do it 
> for months.
> 
> Is it sufficient to create that directory, and 
> touch .ssh/authorized_keys?

The directory can just be created, and then the perms need to be

chmod 600 ~/.ssh

authorized_keys will be created by ssh-copy-id.

> Also, the main machine, this one is still on stretch. With 310 gb used of 

All of these commands work on stretch and later.

-dsr-



Re: looking for a solution for a countdown

2021-06-20 Thread Basile Starynkevitch


On 20/06/2021 20:07, Bernard Schoenacker wrote:

Hello,

I am trying to set up a countdown on my computer to "monitor"
a physical process (countdown stopwatch) ...

What is the right solution?

Solution found so far:

https://www.linuxquestions.org/questions/linux-newbie-8/countdown-timer-for-linux-949463/page2.html

Thanks

See you

Bernard



In C, the relevant functions are poll(2), select(2), timer_create(2),
timerfd_create(2), setitimer(2)

see also time(7)

--
Basile Starynkevitch  
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/



looking for a solution for a countdown

2021-06-20 Thread Bernard Schoenacker
Hello,

I am trying to set up a countdown on my computer to "monitor"
a physical process (countdown stopwatch) ...

What is the right solution?

Solution found so far:

https://www.linuxquestions.org/questions/linux-newbie-8/countdown-timer-for-linux-949463/page2.html

Thanks

See you

Bernard



Debian 11 Release Candidate - Screen Freeze (NVidia)

2021-06-20 Thread Spongebob Schwammkopf
Dear Support Team,

as soon as I manually switch off my 4K LG OLED 48C1 Monitor (HDMI)
connected to my NVidia GTX 1650 graphics card and on again the screen is
frozen. This means no mouse or keyboard is working. Also a console terminal
is frozen but a running compilation seems to still process in background.

The actual NVidia driver is the 460.73.01 and was installed per

apt-get install firmware-linux nvidia-driver nvidia-detect nvidia-settings nvidia-xconfig
nvidia-xconfig

What looks a bit strange but maybe could be normal is the fact that none of
the following services is installed nor could be enabled:

sudo systemctl enable nvidia-suspend.service
sudo systemctl enable nvidia-hibernate.service
sudo systemctl enable nvidia-resume.service

Any solutions for this problem?

Best regards


Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread tomas
On Sun, Jun 20, 2021 at 12:57:10PM -0400, Gene Heskett wrote:

[...]

> Is it sufficient to create that directory, and 
> touch .ssh/authorized_keys?

Creating the directory should be enough: ssh-copy-id will
take care of making (or overwriting) the file.

You'll want to make sure the SSH server package is installed:
openssh-server.

Cheers
 - t




Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Gene Heskett
On Sunday 20 June 2021 10:21:52 Dan Ritter wrote:

> Gene Heskett wrote:
> > I'd like to plead for a new apt-key, one that would survey the
> > existing list, and on finding a key that is expired or is no longer
> > associated, offer the option of removing it, or refreshing it.
> >
> > I have up to 7 machines on my local network, usually accessed by
> > some ssh/sshfs variation, but my current keyring since I'm first
> > user, probably has 30 some keys, many of which are useless as the
> > target machine has been changed by a new machine and a new bare
> > metal install.
>
> This is ssh key management, not apt key management. apt key
> things are for trusting package repositories.

okay, but
>
> Here's what you should do:
>
> 1. create a new ssh keypair on your main machine:
> ssh-keygen -t rsa -b 4096 -f gene2021

Done. generated /home/gene/gene2021 and /home/gene/gene2021.pub

> 2. for each $targetmachine in your 7 machines, do this:
> - ssh $targetmachine
> - mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old

4 of the 6 machines have no .ssh directory in /home/gene. ssh may have 
had to be installed after the bare metal install of debian 10 using the 
linuxcnc install cd. sshfs and its deps sure had to be after the first 
reboot. I'll go bug the LinuxCNC install spinners, been meaning to do it 
for months.

Is it sufficient to create that directory, and 
touch .ssh/authorized_keys?

Also, the main machine, this one is still on stretch. With 310 gb used of 
a 2T spinning rust drive as /. I have a 500 gb samsung SSD, but haven't 
found a round-tuit cuz I'd probably wear out the SSD until I get at 
least a 1T SSD I can afford.  That's getting closer though. But it will 
not happen when I am in the middle of designing and building a new, 
smaller harmonic drive for one of my cnc machines.

> - don't close that terminal
> - open a new terminal and make sure you can ssh in by
>   password, then
> - ssh-copy-id -i gene2021 $targetmachine
> - make sure you can ssh in with the gene2021 key:
>   ssh -i gene2021 $targetmachine
> - if it's good, close both terminals and go on to the next
>   $targetmachine
>
> 3. clean up: remove keys in ~/.ssh/  that aren't gene2021 and
>    aren't useful otherwise.
>
> Now you have one known good keypair that lets you in to all
> seven machines without a password, and you can use a password as
> fallback.
>
> -dsr-


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Brad Rogers
On Sat, 19 Jun 2021 22:07:35 +0200
Marco Möller  wrote:

Hello Marco,

>Command apt-key and its man page say that apt-key is deprecated, but do 

Coincidentally, I recently got notification of a pertinent blog post by
Julian Andres Klode.  See;
https://blog.jak-linux.org/2021/06/20/migrating-away-apt-key/

I'm sure it'll prove useful to you.  It expands on (some of) what's
already been said in this thread.

-- 
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
My body's an oasis to drink from as you please
Mirage - Siouxsie & The Banshees




Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Gene Heskett
On Sunday 20 June 2021 10:21:52 Dan Ritter wrote:

> Gene Heskett wrote:
> > I'd like to plead for a new apt-key, one that would survey the
> > existing list, and on finding a key that is expired or is no longer
> > associated, offer the option of removing it, or refreshing it.
> >
> > I have up to 7 machines on my local network, usually accessed by
> > some ssh/sshfs variation, but my current keyring since I'm first
> > user, probably has 30 some keys, many of which are useless as the
> > target machine has been changed by a new machine and a new bare
> > metal install.
>
> This is ssh key management, not apt key management. apt key
> things are for trusting package repositories.
>
> > I consider those "dead" keys to be security risks. But at present,
> > there is not a means to identify and remove them that I am aware of.
> >
> > So I would plead for an apt-key replacement that would automate that
> > process. At the present state, my connection scripts to
> > re-establish my local network after a reboot or power failure
> > recovery, are all blocked because of machine replacements/reinstalls
> > using the same ip address yadda yadda, so I must answer yes, then
> > supply my first user password for that machine because I do want to
> > continue connecting to that machine. That can rapidly turn into a
> > PITA.
>
> Here's what you should do:
>
> 1. create a new ssh keypair on your main machine:
> ssh-keygen -t rsa -b 4096 -f gene2021
>
> 2. for each $targetmachine in your 7 machines, do this:
> - ssh $targetmachine
> - mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
> - don't close that terminal
> - open a new terminal and make sure you can ssh in by
>   password, then
> - ssh-copy-id -i gene2021 $targetmachine
> - make sure you can ssh in with the gene2021 key:
>   ssh -i gene2021 $targetmachine
> - if it's good, close both terminals and go on to the next
>   $targetmachine
>
> 3. clean up: remove keys in ~/.ssh/  that aren't gene2021 and
>    aren't useful otherwise.
>
> Now you have one known good keypair that lets you in to all
> seven machines without a password, and you can use a password as
> fallback.
>
> Now, it sounds like you also have a problem with machines
> getting randomly assigned IP addresses. In a network of size 7,
> I would strongly advise you to stop using DHCP and just put in
> static IP assignments for each machine in
> /etc/network/interfaces.
>
> -dsr-
I haven't used dhcp in 23 years, don't even run a server in my dd-wrt 
router.  Used a hosts file on my first install in 1998, never saw an 
advantage to changing.

Sometimes a new machine gets added while the old one is still live and 
eventually gets renamed/readdressed when the old one has supplied its 
data to the new one and is turned off for good, but those keys remain.

Case in point, demoing side effects, I had a pair of ark shoeboxes 
running cnc machines in the garage and they started to fail a year ago 
so I bought 4 off-lease dell 7010's with 4 core i5's and 4 gigs of ram 
as that's a great plenty to run LinuxCNC. No drives, no winders licence. 
Cheap that way.

The old ark's with d525mw mobos were so noisy I had to be within 10 feet 
of the garage door motor to run it with a pocket pad.  After replacing 
the old arks with the dells, all with SSD's now, I found my pocket pad 
could run it from 80+ feet away.  The Dells were that much quieter. But 
they run 24/7 and I am seeing a rise in my electric bill from all those 
old i5's. But one got dedicated to running a 3d printer so got its dram 
filled up and it's been shut down and rebooted a couple hundred times 
since with no problems in its SSD so I may start shutting them down but 
then when do I turn amanda loose to back them up? She doesn't like her 
schedule to be disturbed.

If I live long enough, I'm 86 now, I may convert them all to being run 
with rpi4's. Draws about 25 watts with its monitor, but runs a 4kw 
machine when LinuxCNC is running as the machine's power is 100% 
controlled by LinuxCNC. And the rpi4 has more than enough giddyup to run 
LinuxCNC well. An rpi3 can do it too, but it's being pushed. Part of that 
holdup is the cost of the interfacing to the pi's, over $200 a copy. 4 
mesa cards involved per copy.

Thanks for the instructs Dan, recipe printed, I'll see about doing the 
cleanup one machine at a time.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Charles Curley
On Sun, 20 Jun 2021 10:21:52 -0400
Dan Ritter  wrote:

> Now, it sounds like you also have a problem with machines
> getting randomly assigned IP addresses. In a network of size 7,
> I would strongly advise you to stop using DHCP and just put in 
> static IP assignments for each machine in
> /etc/network/interfaces.

That certainly will work. Since Gene already has dhcp up and running,
he can also use it to assign fixed ip addresses, e.g.:

host orca   # Lenovo T61

{
   option host-name "orca";
   hardware ethernet 00:13:8E:BA:7E:59;
   fixed-address 192.168.101.18;
   ddns-hostname orca;
}


-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re : dia .vsd .jpeg

2021-06-20 Thread nicolas . patrois
On 20/06/2021 16:12:48, Frederic Zulian wrote:

> I have a series of diagrams in .vsd and .jpeg to update.
> Using Dia does not seem practical to me in this case.

> Any ideas?

inkscape for the .vsd files?
For raster images, it all depends on what you have to do.
Maybe pinta, or inkscape after vectorizing them?

nicolas patrois : pts noir asocial
-- 
REALISM

M: What would it take for us to be considered human? 
A bigger brain?
P: No... A bank card would be enough...



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Dan Ritter
Gene Heskett wrote: 
> I'd like to plead for a new apt-key, one that would survey the existing 
> list, and on finding a key that is expired or is no longer associated, 
> offer the option of removing it, or refreshing it.
> 
> I have up to 7 machines on my local network, usually accessed by some 
> ssh/sshfs variation, but my current keyring since I'm first user, 
> probably has 30 some keys, many of which are useless as the target 
> machine has been changed by a new machine and a new bare metal install.

This is ssh key management, not apt key management. apt key
things are for trusting package repositories.

> I consider those "dead" keys to be security risks. But at present, there 
> is not a means to identify and remove them that I am aware of.
> 
> So I would plead for an apt-key replacement that would automate that 
> process. At the present state, my connection scripts to re-establish my 
> local network after a reboot or power failure recovery, are all blocked 
> because of machine replacements/reinstalls using the same ip address 
> yadda yadda, so I must answer yes, then supply my first user password 
> for that machine because I do want to continue connecting to that 
> machine. That can rapidly turn into a PITA.

Here's what you should do:

1. create a new ssh keypair on your main machine:
ssh-keygen -t rsa -b 4096 -f gene2021

2. for each $targetmachine in your 7 machines, do this:
- ssh $targetmachine
- mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys_old
- don't close that terminal 
- open a new terminal and make sure you can ssh in by
  password, then
- ssh-copy-id -i gene2021 $targetmachine
- make sure you can ssh in with the gene2021 key:
  ssh -i gene2021 $targetmachine
- if it's good, close both terminals and go on to the next
  $targetmachine

3. clean up: remove keys in ~/.ssh/  that aren't gene2021 and
   aren't useful otherwise.

Now you have one known good keypair that lets you in to all
seven machines without a password, and you can use a password as
fallback.

Now, it sounds like you also have a problem with machines
getting randomly assigned IP addresses. In a network of size 7,
I would strongly advise you to stop using DHCP and just put in 
static IP assignments for each machine in
/etc/network/interfaces.

-dsr-
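
An added example, not part of the original post: a Python audit for step 3 of the procedure above, listing every entry in an authorized_keys file that is not the new gene2021 key and checking that ~/.ssh has the 700 mode given elsewhere in the thread. The sample keys are constructed placeholder blobs in the ssh-ed25519 layout (the thread's key is RSA; the fingerprint logic is the same), and all function names are hypothetical.

```python
import base64
import hashlib
import os
import shlex
import stat
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def fingerprint(blob_b64):
    """SHA256 fingerprint as `ssh-keygen -l` prints it (unpadded base64)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line):
    """Return (keytype, fingerprint, comment), or None if the line holds no key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)      # keeps quoted option values together
    except ValueError:                  # unbalanced quotes
        return None
    # The key type is the first field, or the second when options precede it.
    for i in (0, 1):
        if i + 1 < len(tokens) and tokens[i] in KEY_TYPES:
            try:
                return tokens[i], fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
            except ValueError:          # blob is not valid base64
                return None
    return None


def stale_keys(authorized_keys_text, wanted_pub_line):
    """List (line_no, keytype, fingerprint, comment) for each key that is not the wanted one."""
    wanted = parse_key_line(wanted_pub_line)
    if wanted is None:
        raise ValueError("wanted_pub_line is not a public key line")
    stale = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        entry = parse_key_line(line)
        if entry is not None and entry[1] != wanted[1]:
            stale.append((line_no,) + entry)
    return stale


def mode_problems(ssh_dir):
    """Check that ssh_dir is mode 700 and authorized_keys is not group/other-writable."""
    problems = []
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode & 0o077:
        problems.append("%s: mode %o is open to group/other" % (ssh_dir, mode))
    if (mode & 0o700) != 0o700:
        # e.g. 600: without the x (search) bit the owner cannot reach files inside
        problems.append("%s: mode %o lacks owner rwx" % (ssh_dir, mode))
    keys_file = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(keys_file):
        file_mode = stat.S_IMODE(os.stat(keys_file).st_mode)
        if file_mode & 0o022:
            problems.append("%s: mode %o is group/other-writable" % (keys_file, file_mode))
    return problems


def sample_blob(seed):
    """Constructed blob with the ssh-ed25519 wire layout; not a usable key."""
    name = b"ssh-ed25519"
    body = hashlib.sha256(seed).digest()            # 32 placeholder bytes
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(body)) + body
    return base64.b64encode(blob).decode()


# Constructed sample data: the new key's .pub line and an old authorized_keys file.
NEW_PUB = "ssh-ed25519 %s gene2021" % sample_blob(b"gene2021")
OLD_AUTHORIZED_KEYS = "\n".join([
    "# authorized_keys_old (constructed)",
    "ssh-ed25519 %s gene@old-laptop" % sample_blob(b"old-laptop"),
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 %s backup job' % sample_blob(b"backup"),
    NEW_PUB,
    "this line is not a key",
])

if __name__ == "__main__":
    for line_no, keytype, fp, comment in stale_keys(OLD_AUTHORIZED_KEYS, NEW_PUB):
        print("line %d: %s %s (%s) is not the gene2021 key" % (line_no, keytype, fp, comment))
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        for problem in mode_problems(ssh_dir):
            print(problem)
```

The fingerprints it prints can be compared against `ssh-keygen -l -f` output for a real key file before anything is deleted.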



dia .vsd .jpeg

2021-06-20 Thread Frederic Zulian
Hello,

I have a series of diagrams in .vsd and .jpeg to update.
Using Dia does not seem practical to me in this case.

Any ideas?

Frédéric ZULIAN


Re: Re : Re: Re : Kernel change on rPI 3

2021-06-20 Thread BERTRAND Joël
Hugues Larrive wrote:
> Hello,
> 
>> I have this:
>>
>> root@abel:/etc/apt# cat sources.list
>>
>> deb http://deb-multimedia.org stable main non-free
>>
>> deb http://deb-multimedia.org testing main non-free
>>
>> deb http://deb-multimedia.org unstable main non-free
>>
>> deb http://deb.debian.org/debian stable main contrib non-free
>>
>> deb http://deb.debian.org/debian testing main contrib non-free
>>
>> deb http://deb.debian.org/debian unstable main contrib non-free
>>
> Strange, with that you should be on debian 10 (stable) or 11 
> (testing/unstable).
> 
> You surely have a "pinning" in /etc/apt/preferences that is keeping you on debian 
> 9.
> What does this give:
> $ apt-cache policy base-files

bertrand@abel:~ $ apt-cache policy base-files
base-files:
  Installé : 11.1+rpi1
  Candidat : 11.1+rpi1
 Table de version :
 *** 11.1+rpi1 990
990 http://mirrordirector.raspbian.org/raspbian testing/main
armhf Packages
100 /var/lib/dpkg/status
 11.1 990
990 http://deb.debian.org/debian testing/main armhf Packages
500 http://deb.debian.org/debian unstable/main armhf Packages
 10.3+rpi1+deb10u9 500
500 http://mirrordirector.raspbian.org/raspbian stable/main
armhf Packages
 10.3+deb10u9 500
500 http://deb.debian.org/debian stable/main armhf Packages
bertrand@abel:~ $

> Normally for debian stable you also need a repository for 
> security updates:
> deb http://security.debian.org/ stable/updates main contrib non-free
> 
> But I don't know whether it is a good idea to use debian directly on 
> raspberry pi.
> 
>> root@abel:/etc/apt# cat sources.list.d/raspi.list
>>
>> #deb http://archive.raspberrypi.org/debian/ jessie main ui
>>
> ...
>> No way to update raspberrypi-kernel.
>>
> Of course, the line is commented out.

Whether that line is commented out or not, the result is the same. Perhaps
it would take:

deb http://archive.raspberrypi.org/debian/ stable main ui
deb http://archive.raspberrypi.org/debian/ testing main ui
deb http://archive.raspberrypi.org/debian/ unstable main ui

I admit I haven't tested beyond that, the urgent thing being to get
the wifi working again.

> In the end it seems your system is a hybrid between raspbian 8 and debian 
> 10 and 11... not great for stability during upgrades!
> 
> Here are the original sources.list files of raspbian 10:
> root@pi3:~# cat /etc/apt/sources.list
> deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
> # Uncomment line below then 'apt-get update' to enable 'apt-get source'
> #deb-src http://raspbian.raspberrypi.org/raspbian/ buster main contrib 
> non-free rpi
> 
> root@pi3:~# cat /etc/apt/sources.list.d/raspi.list
> deb http://archive.raspberrypi.org/debian/ buster main
> # Uncomment line below then 'apt-get update' to enable 'apt-get source'
> #deb-src http://archive.raspberrypi.org/debian/ buster main
> 
> See whether you have other things lying around in /etc/apt/sources.list.d/.

Nothing else.

> If there is no pinning and you have packages in testing/unstable to 
> downgrade, you can _temporarily_ create an /etc/apt/preferences with:
> Package: *
> Pin: release n=buster
> Pin-Priority: 1001
> 
> A priority higher than 1000 forces the downgrade.
> 
> If you want to add the debian multimedia repository in /etc/apt/sources.list:
> deb http://deb-multimedia.org buster main non-free
> 
> Caution: either you do everything with archive names (stable, testing, 
> unstable), or you do everything with code names (buster, bullseye, sid); 
> the two must not be mixed.
> 
> If you just want to install raspbian's 5.10 kernel (raspberrypi-kernel) and 
> the bootloader that goes with it (raspberrypi-bootloader), you simply need to 
> uncomment the line in /etc/apt/sources.list.d/raspi.list and replace 
> "jessie" with "stable", but it would probably be better to put the whole 
> system back in order...
Quite honestly, the system seems clean to me, only the kernel
hasn't kept up.

Thanks for looking into the problem,

JKB



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Gene Heskett
On Sunday 20 June 2021 08:11:45 Darac Marjal wrote:

> On 19/06/2021 21:07, Marco Möller wrote:
> > Hello,
> > Command apt-key and its man page say that apt-key is deprecated, but
> > do not suggest an instead recommended tool. It is only mentioned
> > that keys would now be organized in /etc/apt/trusted.gpg.d/  . But
> > how should I manage the keys saved there, for instance how to update
> > them, or what tool of the Debian distribution is managing them there
> > for the apt functionality of the Debian OS?
> > Guiding me to a properly up-to-date documentation about this topic
> > would be welcome!
> > Marco.
>
> For some time, I've been using /etc/apt/trusted.gpg.d rather than
> using apt-key. As I understand it, keys in apt-key are trusted to sign
> *any* repository you pull from. That is, if you add a suspicious
> repository and somehow they were able to push packages signed with
> their key to the main debian repo servers, then you'd not be able to
> distinguish between "signed by Debian" and "signed by attacker".
>
> Instead, the preferred method is to put binary GPG keys into
> /etc/apt/trusted.gpg.d (that is, you might need to run "gpg --dearmor"
> if you download an ascii-armoured key). Files there can have any name;
> it's purely up to the system administrator what the names are, but it
> makes sense that they indicate the repository they sign. Then, in
> /etc/apt/sources.list.d/*.list, you need to write:
>
> deb [signed-by=/etc/apt/trusted.gpg.d/somekey.gpg] https://repo.attacker.com/ stable main
>
> Now, only this repository trusts that key. If packages there are
> signed by another key, verification fails. Similarly, if packages in
> another repository are signed by that key, verification fails.
>
> You ask about updating them. There is, as far as I know, no automatic
> method for updating these keys, nor for automatically adding them
> right now. That's because it's generally considered good practice to
> add the key manually. You need to actively state that you trust this
> repository on your system. So, for most repositories, that involves a
> web page somewhere that says "This is our 'deb ... ' line and this is
> a link to our public key." The key will usually be valid for several
> years, but if it does start to fail, apt tools *will* tell you that
> the key has expired, and that's time to go back and revisit the
> original site, and see if they have a new key available.

I'd like to plead for a new apt-key, one that would survey the existing 
list, and on finding a key that is expired or is no longer associated, 
offer the option of removing it, or refreshing it.

I have up to 7 machines on my local network, usually accessed by some 
ssh/sshfs variation, but my current keyring since I'm first user, 
probably has 30 some keys, many of which are useless as the target 
machine has been changed by a new machine and a new bare metal install.

I consider those "dead" keys to be security risks. But at present, there 
is not a means to identify and remove them that I am aware of.

So I would plead for an apt-key replacement that would automate that 
process. At the present state, my connection scripts to re-establish my 
local network after a reboot or power failure recovery, are all blocked 
because of machine replacements/reinstalls using the same ip address 
yadda yadda, so I must answer yes, then supply my first user password 
for that machine because I do want to continue connecting to that 
machine. That can rapidly turn into a PITA.

Thanks for this thread.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: apt-key says deprecated, but not saying what else to use

2021-06-20 Thread Darac Marjal

On 19/06/2021 21:07, Marco Möller wrote:
>
> Hello,
> Command apt-key and its man page say that apt-key is deprecated, but
> do not suggest an instead recommended tool. It is only mentioned that
> keys would now be organized in /etc/apt/trusted.gpg.d/  . But how
> should I manage the keys saved there, for instance how to update them,
> or what tool of the Debian distribution is managing them there for the
> apt functionality of the Debian OS?
> Guiding me to a properly up-to-date documentation about this topic
> would be welcome!
> Marco.

For some time, I've been using /etc/apt/trusted.gpg.d rather than using
apt-key. As I understand it, keys in apt-key are trusted to sign *any*
repository you pull from. That is, if you add a suspicious repository
and somehow they were able to push packages signed with their key to the
main debian repo servers, then you'd not be able to distinguish between
"signed by Debian" and "signed by attacker".

Instead, the preferred method is to put binary GPG keys into
/etc/apt/trusted.gpg.d (that is, you might need to run "gpg --dearmor"
if you download an ascii-armoured key). Files there can have any name;
it's purely up to the system administrator what the names are, but it
makes sense that they indicate the repository they sign. Then, in
/etc/apt/sources.list.d/*.list, you need to write:

deb [signed-by=/etc/apt/trusted.gpg.d/somekey.gpg] https://repo.attacker.com/ stable main

Now, only this repository trusts that key. If packages there are signed
by another key, verification fails. Similarly, if packages in another
repository are signed by that key, verification fails.

You ask about updating them. There is, as far as I know, no automatic
method for updating these keys, nor for automatically adding them right
now. That's because it's generally considered good practice to add the
key manually. You need to actively state that you trust this repository
on your system. So, for most repositories, that involves a web page
somewhere that says "This is our 'deb ... ' line and this is a link to
our public key." The key will usually be valid for several years, but if
it does start to fail, apt tools *will* tell you that the key has
expired, and that's time to go back and revisit the original site, and
see if they have a new key available.
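
An added example, not from the thread and not apt's own code: a Python audit of one-line-style sources.list entries for the signed-by scoping discussed above. It also flags signed-by paths that point into /etc/apt/trusted.gpg.d/, because apt trusts every keyring in that directory for all sources that carry no signed-by of their own; the sample entries (other than the line quoted from the message), the /usr/share/keyrings file name and the verdict names are constructed for illustration.

```python
import re

# Keyrings apt consults for every source that has no signed-by of its own.
GLOBAL_KEYRING_FILE = "/etc/apt/trusted.gpg"
GLOBAL_KEYRING_DIR = "/etc/apt/trusted.gpg.d/"

ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"          # optional [opt=value ...] block
    r"(?P<uri>\S+)\s+(?P<suite>\S+)"
    r"(?P<components>(?:\s+\S+)*)\s*$"
)


def parse_entry(line):
    """Parse a one-line-style entry; None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    match = ENTRY_RE.match(line)
    if match is None:
        raise ValueError("unrecognised sources.list line: %r" % line)
    options = {}
    for item in (match.group("opts") or "").split():
        key, sep, value = item.partition("=")
        if sep:
            # signed-by may hold a keyring path or comma-separated fingerprints
            options[key.rstrip("+-").lower()] = value.split(",")
    return {
        "type": match.group("type"),
        "uri": match.group("uri"),
        "suite": match.group("suite"),
        "components": match.group("components").split(),
        "options": options,
    }


def classify(entry):
    """Say how tightly the entry's signing key is scoped."""
    signed_by = entry["options"].get("signed-by")
    if not signed_by:
        # Accepted when signed by any key in the global keyrings.
        return "any-trusted-key"
    for value in signed_by:
        if value == GLOBAL_KEYRING_FILE or value.startswith(GLOBAL_KEYRING_DIR):
            # This source is restricted, but the key file is still trusted
            # for every other source that lacks signed-by.
            return "pinned-but-key-global"
    return "pinned"


def audit(sources_text):
    """Return (line_no, uri, verdict) for every active entry."""
    findings = []
    for line_no, line in enumerate(sources_text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError:
            findings.append((line_no, line.strip(), "unparsed"))
            continue
        if entry is not None:
            findings.append((line_no, entry["uri"], classify(entry)))
    return findings


# Constructed sample; the second active line is the one quoted in the message above.
SAMPLE_SOURCES = """\
# constructed sources.list sample
deb http://deb.debian.org/debian bullseye main contrib
deb [signed-by=/etc/apt/trusted.gpg.d/somekey.gpg] https://repo.attacker.com/ stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/apt stable main
#deb http://archive.raspberrypi.org/debian/ jessie main ui
"""

if __name__ == "__main__":
    for line_no, uri, verdict in audit(SAMPLE_SOURCES):
        print("line %d: %-32s %s" % (line_no, uri, verdict))
```

Only the one-line format is handled; deb822 `.sources` files are not parsed.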







Re: How can I force "fsck -y" of a removable usb drive before mounting it?

2021-06-20 Thread Anders Andersson
On Sun, Jun 20, 2021 at 11:09 AM Ottavio Caruso
 wrote:
>
> I have a removable mp3 player that gets auto-magically mounted as:
>
> $ mount |grep sdb
> /dev/sdb1 on /media/oc/PHILIPS type vfat
> (rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2
>
>
> Every time I plug it in, I get this message in dmesg:
>
>
> [47212.945001] FAT-fs (sdb1): Volume was not properly unmounted. Some
> data may be corrupt. Please run fsck.
>
> Whatever way I umount this drive (either manually via terminal or
> right-clicking the icon on the desktop), I get the above message when I
> re-mount it.
>
> Is there a way to tell Debian to perform a "fsck -y"
> on the drive before mounting it? For example, an entry in /etc/fstab or
> some trickery somewhere in systemd?

This should be a one-time thing, so if you unmount it from the
terminal and run fsck, it should work next time.

I don't think running fsck automatically is a good idea when you don't
have a way to check the output...



Re: Re: Kernel change on rPI 3

2021-06-20 Thread BERTRAND Joël
Hugues Larrive wrote:
> Hello,

Hello,

> Kernel 4.9 corresponds to raspbian 8; on raspbian 9.13 you should have a
> 4.19 kernel. An upgrade to raspbian 10 would give you a 5.10 kernel.
> 
> The raspbian kernels are installed by the raspberrypi-kernel package from
> the repository http://archive.raspberrypi.org/debian/ defined in
> /etc/apt/sources.list.d/raspi.list.
> 
> If you have a 4.9 kernel on stretch, you probably have an inconsistency
> between /etc/apt/sources.list (stretch) and
> /etc/apt/sources.list.d/raspi.list (jessie).

I have this:

root@abel:/etc/apt# cat sources.list
deb http://deb-multimedia.org stable main non-free
deb http://deb-multimedia.org testing main non-free
deb http://deb-multimedia.org unstable main non-free
deb http://deb.debian.org/debian stable main contrib non-free
deb http://deb.debian.org/debian testing main contrib non-free
deb http://deb.debian.org/debian unstable main contrib non-free

root@abel:/etc/apt# cat sources.list.d/raspi.list
#deb http://archive.raspberrypi.org/debian/ jessie main ui
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.org/debian/ jessie main ui
root@abel:/etc/apt# dpkg-query -l | grep raspberrypi-kernel
ii  raspberrypi-kernel          1.20170703-1  armhf  Raspberry Pi bootloader
ii  raspberrypi-kernel-headers  1.20170703-1  armhf  Header files for the Raspberry Pi Linux kernel

No way to update raspberrypi-kernel.

>> Has anyone already managed to boot a zImage on an rPI
> 
> RPI3 under raspbian 10:
> # file /boot/kernel*
> /boot/kernel7.img:  Linux kernel ARM boot executable zImage (little-endian)
> /boot/kernel7l.img: Linux kernel ARM boot executable zImage (little-endian)
> /boot/kernel8.img:  gzip compressed data, was "Image", last modified: Thu May 
> 27 13:01:44 2021, from Unix, original size 21035520
> /boot/kernel.img:   Linux kernel ARM boot executable zImage (little-endian)
> 
> RPI1 under raspbian 9:
> # file /boot/kernel*
> /boot/kernel7.img: Linux kernel ARM boot executable zImage (little-endian)
> /boot/kernel.img:  Linux kernel ARM boot executable zImage (little-endian)
> 
> These are the raspberrypi-kernel kernels.

Kernel provided by debian:

root@abel:/boot# file vmlinuz-5.10.0-7-armmp
vmlinuz-5.10.0-7-armmp: Linux kernel ARM boot executable zImage
(little-endian)
-> not bootable with the original bootloader (multicolour screen of death).

I tried others in desperation, with the same result. A firmware package
does create a kernel7.img, but it is not in /boot.

Kernel compiled from source:

root@abel:/boot# file kernel7.img
kernel7.img: ARM OpenFirmware FORTH Dictionary, Text length: -509607936
bytes, Data length: -509607936 bytes, Text Relocation Table length:
-369098747 bytes, Data Relocation Table length: 24061976 bytes, Entry
Point: 0x, BSS length: 6339600 bytes

I have not managed to boot a zImage kernel, even by renaming it
kernel7.img. I therefore assume that the bootloader (at least mine) can
read an ARM OpenFirmware FORTH Dictionary and not a zImage.

I do not have time to test with the new bootloader whether it might by
chance support a zImage (compiling the kernel from source created a pile
of files needed by the bootloader for me).

Best regards,

JKB



Bug#990086: apt-key is deprecated in bullseye, how to manage keys instead

2021-06-20 Thread Andrei POPESCU
Package: release-notes
X-Debbugs-Cc: debian-user@lists.debian.org, a...@packages.debian.org

On Sb, 19 iun 21, 22:07:35, Marco Möller wrote:
> 
> Command apt-key and its man page say that apt-key is deprecated, but do not
> suggest an instead recommended tool. It is only mentioned that keys would
> now be organized in /etc/apt/trusted.gpg.d/  . But how should I manage the
> keys saved there, for instance how to update them, or what tool of the
> Debian distribution is managing them there for the apt functionality of the
> Debian OS?

As far as I understand it's as simple as dropping the keys in there. 

When a key changes/expires/etc. replace it with the new one (if provided 
by the respective repository).

> Guiding me to a properly up-to-date documentation about this topic would be
> welcome!

Indeed the documentation on this is a bit scarce, probably worth a 
mention in the Release Notes.

Dear APT maintainers,

The short version appears to be this note to the 'add' command from 
apt-key(8):

Note: Instead of using this command a keyring should be placed 
directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive 
name and either "gpg" or "asc" as file extension.

where .gpg files are of type created with 'gpg --export' and .asc with
'gpg --armor --export'.


Your confirmation (or even better, proposed wording) would be much 
appreciated.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser


signature.asc
Description: PGP signature
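
A check for the .gpg / .asc distinction quoted from apt-key(8) in the message above, as an added example that is not part of the original post. It tests whether a keyring's content matches its extension, so an armoured key saved under a .gpg name (or the reverse) is caught before apt reads it. The function names are hypothetical and the sample files are constructed stubs, not usable keys.

```shell
#!/bin/sh
# Added example (not from the thread): check that a keyring's content matches
# its extension: *.gpg = binary export, *.asc = ASCII-armoured export.

keyring_kind() {    # $1 = key file; prints armored | binary | unknown
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored; return
    fi
    # A binary export starts with a public-key packet (OpenPGP tag 6):
    # old-format header octets 0x98-0x9b, new-format 0xc6.
    case $(od -An -tx1 -N1 "$1" | tr -d ' \n') in
        98|99|9a|9b|c6) echo binary ;;
        *)              echo unknown ;;
    esac
}

check_keyring() {   # returns 0 when extension and content agree
    kind=$(keyring_kind "$1")
    case "$1" in
        *.gpg) [ "$kind" = binary ] ;;
        *.asc) [ "$kind" = armored ] ;;
        *)     false ;;     # the apt-key(8) note names only gpg and asc
    esac
}

make_samples() {    # $1 = directory; constructed stubs, not usable keys
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$1/good.asc"
    printf '\231\001\015' > "$1/good.gpg"       # 0x99 = old-format tag 6
    cp "$1/good.asc" "$1/armored-as.gpg"        # armoured data, binary name
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*; do
    if check_keyring "$f"; then
        echo "ok       ${f##*/}"
    else
        echo "MISMATCH ${f##*/} ($(keyring_kind "$f"))"
    fi
done
rm -rf "$dir"
```

A mismatch is resolved by renaming the file or converting it, for instance with the "gpg --dearmor" step mentioned earlier in the thread.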


Re: Re: Problem with pulseaudio

2021-06-20 Thread steve

On 19-06-2021, at 23:44:44 +, Hugues Larrive wrote:


Hello,


Any idea?


Maybe:
# usermod -a -G  pulse-access ton-utilisateur


Thanks, my user was not in that group.

I rebooted and it seems the error has disappeared. We'll see.



Re: A Proposal: Each of Online Debian Man pages could have a wiki (Main page / Talk Page, etc.) at its bottom, with only Example Code Lines ...

2021-06-20 Thread Andrei POPESCU
On Vi, 18 iun 21, 17:40:34, Michael Grant wrote:
> 
> It's a little odd for Debian to host a documentation wiki for upstream
> tools.  The package maintainers would need to look after the wiki page
> that corresponds to the package they are maintaining.  Not everyone is
> going to be happy with more work.  Even if they are not the ones
> writing it, they will need to be aware of it and if things change,
> tweak it.

Agreed.
 
> It feels like you should try to start a sort of "unixepedia" thing
> like wikipedia and then one by one try to get people to create pages
> for their tools.  Then, eventually people will put links into their
> man pages pointing at this global resource.  That's my best opinion
> after reading all your posts.

Agreed, except for the "get people to create pages for their tools". The 
upstream maintainers have enough work actually developing the software. 
I'm fairly certain the Arch wiki (praised here again and again) is 
written by the users.

The Arch wiki is GFDL 1.3 (or later), so the initial content could just 
be copied from there (with appropriate attribution and whatever else the 
license requires, of course), with small tweaks to remove the 
Arch-specific parts.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser


signature.asc
Description: PGP signature


Re: A Proposal: Each of Online Debian Man pages could have a wiki (Main page / Talk Page, etc.) at its bottom, with only Example Code Lines ...

2021-06-20 Thread Andrei POPESCU
On Sb, 19 iun 21, 05:23:04, The Wanderer wrote:
> On 2021-06-19 at 02:51, Richard Hector wrote:
> 
> > On 19/06/21 2:28 pm, Susmita/Rajib wrote:
> > 
> >> Aren't the ML members aware that Debian already has a Man Wiki
> >> pages repository? Debian Man Wiki Pages are available at: 
> >> https://manpages.debian.org/
> > 
> > I'm pretty sure that's not a wiki.
> > 
> > It looks like a set of automatically generated static pages.
> 
> In particular, I suspect that it is automatically generated from the
> exact same data set as the man pages themselves (if not *from* the man
> pages themselves), and therefore will by definition have the exact same
> content as those man pages.

This is correct as far as I know, by design, and it's been very useful 
to be able to link to the manpage from other online documentation (the 
wiki, Release Notes, etc.).

> Tweaks and adjustments, beyond the purely
> mechanical sort involved in converting the formatting to HTML etc., are
> almost certainly either A: not possible or B: excluded from the scope.

It surely would be possible to somehow attach a wiki-like editable part 
at the bottom. Whether that actually makes sense has already been 
addressed.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser


signature.asc
Description: PGP signature