Re: Debian versions

[Dominik George]

Hi,

> Outside Debian there are companies producing operating systems based on
> Debian and providing commercial support for those operating systems,
> probably the biggest example is Ubuntu provided by Canonical:
>
> https://ubuntu.com/
> https://canonical.com/

Yet, if at all possible, you should avoid Ubuntu.

It is, as explained above, a copy of Debian, with little to no added value, but 
with quite a lot of bugs and issues added on top.

In addition, Canonical is a hostile company working against and exploiting the 
community, e.g. by persecuting people who criticise Ubuntu online or provide 
derivatives of Ubuntu themselves. Their most recent hostile move is grabbing 
security updates from Debian and putting them behind a paywall.

Hence, there's a simple recommendation: If you need your Debian support 
contractor to have the name Canonical, so much that you are willing to pay 
ransom for security updates provided by Debian for free, then use Ubuntu. If 
not, use Debian, and hire a benevolent consultant.

-nik

Re: Teamviewer and Wyland on Debian Buster Gnome desktop

[Dominik George]

>Excuse me, but I am drawing a Blank, when searching for information on a
>Package called "Wyland".   Are you, by any chance referring to Wayland, the
>alternative to Xorg?

Congratulations.

Not even I am that obsessed with pointing out the mistakes of others.

-nik

Re: Teamviewer and Wyland on Debian Buster Gnome desktop

[Dominik George]

Hi,

>Thank you - how do I let Gnome run in X11 session? I am afraid the user
>would stick to Gnome. 
>

Set UseWayland=false in /etc/gdm3/*.conf

-nik

Re: Zoom- best practice?

[Dominik George]

>> Family is using Zoom, International.
>> They will use Zoom, and I need to participate.
>
>Seems straightforward. Just get on with it.

Don't. Zoom is not necessary to stay in touch with family. If you cannot get 
another video conferencing provider, use a phone. But do not prove to providers 
such as Zoom that you need them for your most intimate needs — it fuels their 
wrong-doing.

Also, I had the impression that this were a technical support mailing list, not 
a family therapist forum.

-nik

Re: FOSS-compatible smartwatch?

[Dominik George]

Hi,

>Is there such a thing as a Free Software API for smartwatches/personal 
>fitness devices? With maybe a FOSS app, and a way to use them with a 
>Linux-based PC?

At FOSDEM, I learned about Bangle.JS.

-nik

Re: pass simple readline frontend

[Dominik George]

Hi,

>I want to use the pass password urtility on Linux, in my Emacs eterm.
>
>The TERM environment variable seems to be ignored, the ncurses utility 
>starts and this is totally unusable.
>Is there any option, beside recompiling the software to have it working

pass does not have an ncurses frontend.

What you see is probably pinentry (from gpg).

https://superuser.com/questions/520980/how-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords

Cheers,
Nik

Re: pdftk

[Dominik George]

Hi,

>is there a simple commandline command to get pdftk so kind to merge a
>couple of pdf-files?

look at pdfjoin.

-nik

Re: A followup on github discussion

[Dominik George]

>Export regulations do not apply to Open Source software (Debian is an
>example).

Source?

-nik

Re: please stop breaking threads (was: Problem Installing DiscoveryStudio2019 in Buster

[Dominik George]

>What's the idea behind references and in-reply-to?  Which or both are
>the 
>right way to go?
>
>Found this old link, sounds complicated.
>http://www.ii.com/internet/messaging/pine/changing_from/
>
>In the meantime, tell Markos @
>https://lists.debian.org/debian-user/2019/07/msg00573.html
>about bugs 842422, 835553 ok?

Normally, it's sufficient to use a decent mailer instead of a toy or ancient 
Greek fax machine.

-nik

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

>Yes, it does.  Despite what others have said, there is a beneficial
>patent
>exhaustion effect.   If software with patented algorithms is
>distributed by the
>patent owner, for example by Microsoft via GitHub, the patent is
>exhausted.
>https://fosdem.org/2019/schedule/event/patent_exhaustion/

Yeah, ok, no idea. Such a stupid thing as software patents does not exist where 
I live.

-nik

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

Hi,

>Why do these restrictions exist?  The reason most social media services
>use an
>age limit of 13 or over is in part because of a law in the USA. The
>COPPA law
>or Children’s Online Privacy Protection Act states that any
>organisations or
>people operating online services (including social media services) are
>not
>allowed to collect the personal information of anyone under the age of
>13
> without parental permission.

Thanks for the explanations, although all of them are known.

You (and others elaborating on unrelated legal explanations) might have missed 
that I spent weeks of discussion with GitHub's legal department on that, and 
they explicitly stated the one reason why they have to adhere to COPPA (see 
previous mail).

-nik

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

No. I, for one, do not care much who owns GitHub.

Most of what's wrong there can be explained by stupidity or lack of care rather 
than being evil.

And most companies seem to make one common mistake when it comes to diversity: 
They mistake diversity for caring for certain groups of people, often women, 
trans people, or the disabled. They don't get that choosing a set of people to 
include, instead of removing *all* barriers, is discrimination rather than 
inclusion. 

-nik

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

>Can you give sources for your claim about their discrimination?  That
>one is new to me.

I did. Please read my mails in this thread.

-nik

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

>Does putting software on GitHub give them any kind of claim on the 
>intellectual property of the software?

No.

Re: please do *never* use GitHub for free software, was Re: Salsa vs Github

[Dominik George]

>> please do*never*  use GitHub for free software
>
>Please explain, in detail, why.

If discrimination against parts of the community is not enough for you, here's 
why:

https://mako.cc/writing/hill-free_tools.html

https://www.adamhyde.net/another-good-reason-not-to-use-github/

https://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm

-nik

Re: Age Ranges for contributors was: Salsa vs Github

[Dominik George]

Hi,

>Further to the comments by nik on the Salsa vs Github thread. 
>
>Am I right in thinking that you can be _any_ age to contribute to
>projects hosted on Salsa and contribute to the Debian project in
>general?

Yes. This results from the fact that in Debian, noone cares whether you are 
old, young, male, female, trans,...,... No questions ask, as long as you abide 
by the rules.

>
>Granted there is probably a minimal age for practicality reasons.

As head of Teckids, the heade of the free software (and Debian centric) youth 
organisation, I can say that we have seen and worked with contributors as young 
as 10.

Thank you for taking this topic serious :)!

-nik

Re: Salsa vs Github

[Dominik George]

Hi,

>I am creating levels for the Rocks and Diamonds game (
>https://www.artsoft.org/ ) these are being uploaded to my project
>repository on salsa
>
>https://salsa.debian.org/zleap-guest/rocksndiamondslevels
>
>I am in the process of updating the README.md files so, hopefully
>others
>can also be part of this project.
>
>Questions:
>
>is it possible to
>1. Fork a project between github -> salsa or between salsa -> github ?
>
>2 As above but issue pull / merge requests between the two?

first off, please do *never* use GitHub for free software.

Especially not in a project that might be used by one of the groups GitHub 
discriminates against (potential contributors under 16 years of age in that 
case).

That said:

Forking on either platform is nothing more than git clone; git remote add 
origin; git push. So yes, you can fork any repository to anywhere else.

If you want GitHub users to also be able to use the issue tracker, etc., 
EduGit.org might be an option for a game as well.

-nik

Re: Stop insulting users

[Dominik George]

>The OP posted to each and every user PLUS the list. That is a huge no 
>no. Consider yourself advised that us old timers don't go for that and 
>never have. Ric

I never saw a mail where they did that. Plonk.

Stop insulting users (was: Re: APT candidate does not match package on Debian repo)

[Dominik George]

Den 16. januar 2019 23:43:04 CET, skrev Ric Moore :
>On 1/16/19 5:04 AM, plataleas plataleas wrote:
>> Indeed the mirror was not updated correctly. Sorry for that.
>
>PLEASE stop spamming me and the entire list, who you have CC'd to 
>everyone personally. Jerk


Please get yourself removed from Debian lists instead of insulting users with 
legitimate threads, using false claims of misbehaviour.

formorer, please consider sending a warning to Ric Moore, or better, just 
remove them.

-nik

Re: APT candidate does not match package on Debian repo

[Dominik George]

Hi,

> With rmadison we can see that 4.9.144 is available on the mirrors, but not
> yet „active“ in the stable
> distribution:
> 
> $ rmadison linux-image-4.9.0-8-amd64
> linux-image-4.9.0-8-amd64 | 4.9.130-2 | stable   | amd64
> linux-image-4.9.0-8-amd64 | 4.9.144-1 | proposed-updates | amd64
> 
> You specified that this information is stored in Packages.xz. However I
> could find only 4.9.0-7 Kernel:
> 
> […]
> 
> Did we miss something?

Yes - probably updating your mirror ;):

nik@portux:~$ wget -q -O- 
http://ftp.de.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | 
xzgrep linux-image-4.9.0-8-amd64 | grep Filename
Filename: pool/main/l/linux/linux-image-4.9.0-8-amd64_4.9.130-2_amd64.deb
Filename: pool/main/l/linux/linux-image-4.9.0-8-amd64-dbg_4.9.130-2_amd64.deb

-nik


signature.asc
Description: PGP signature

Re: APT candidate does not match package on Debian repo

[Dominik George]

Hi,

> Thanks for your reply. Is it possible to extract this information from the
> mirror server (CentOS based)?
> 
> Where the information is stored on the repository server specifying a
> package as stable?

http://ftp.de.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

-nik


signature.asc
Description: PGP signature

Re: APT candidate does not match package on Debian repo

[Dominik George]

Hi,

On Mon, Jan 14, 2019 at 11:18:55AM +0100, plataleas plataleas wrote:
> Hello,
> 
> We are upgrading our Debian servers (AMD64). We found that the following
> kernels are available on public Debian mirrors:
> 
> kernel-image-4.9.0-8-amd64-di_4.9.130-2_amd64.udeb
> 
> 28-Oct-2018 05:46
> 4522628kernel-image-4.9.0-8-amd64-di_4.9.144-1_amd64.udeb
> 
> 04-Jan-2019 05:31 4529754
> 
> URL: http://ftp.cl.debian.org/debian/pool/main/l/linux/
> 
> We would expect that the latest 4.9.144-1 kernel would be the candidate.
> However only 4.9.130-2 is listed as candidate:

4.9.144 is available on the mirrors, but not yet „active“ in the stable
distribution:

$ rmadison linux-image-4.9.0-8-amd64
linux-image-4.9.0-8-amd64 | 4.9.130-2 | stable   | amd64
linux-image-4.9.0-8-amd64 | 4.9.144-1 | proposed-updates | amd64

It will be moved to the stable distribution with the next point release.

-nik


signature.asc
Description: PGP signature

Re: internet outages

[Dominik George]

>
>Here is a script that you can run from a cron job which will log
>Internet status and store 
>the results into a file  in your home folder called net-test.txt:
>
>#! /bin/bash
>
>date >> ~/net-test.txt
>ping -c 1 google.com >> ~/net-test.txt
>
>#end of file

smokeping is a tool made for this.

-nik

Re: Malicious command and Ubuntu Forums

[Dominik George]

> [...]
So, this is not an Ubuntu mailing list, right?

>[quote] Ubuntu Forums has a strict zero-tolerance policy when it comes
>to
>posting dangerous commands.

Oh... Aren't that the people who have

$ sudo chmod 777 /etc/passwd; gedit /etc/passwd

all over their Wiki :D?

-nik

Re: basilisk-browser

[Dominik George]

>> > [1] https://github.com/jasperla/openbsd-wip/issues/86

Seriously? They forbid linking against libraries if their code is not shipped 
with their sources?

That also seems like a security nightmare in the making.

Mozilla themselves weren't even *that* ridiculous, were they?

-nik

Re: WPA error: TLS Alert write:fatal:protocol version

[Dominik George]

Hi,

>I tried to add "phase1="tls_disable_tlsv1_2=1"" (see below the complete
>wpa_supplicant configuration.

That leaves you with only TLS 1.3, then ;).

You probably want to set tls_disable_tlsv1_1=0 instead, but I did not try 
(because please update the RADIUS server).

Cheers,
Nik

Re: WPA error: TLS Alert write:fatal:protocol version

[Dominik George]

Hi,

On Tue, Oct 02, 2018 at 04:08:41PM +0200, Pétùr wrote:
> On debian sid, I have the following error when trying to connect to a WPA2 
> Entreprise network (PEAP + MSCHAPv2) with :
> 
> Tue Oct  2 14:07:43 2018 : Error: TLS Alert write:fatal:protocol version
> Tue Oct  2 14:07:43 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL 
> routines:SSL3_GET_RECORD:wrong version number
> Tue Oct  2 14:07:43 2018 : Error: SSL: SSL_read failed in a system call (-1), 
> TLS session fails.
> Tue Oct  2 14:07:43 2018 : Auth: Login incorrect (TLS Alert 
> write:fatal:protocol version): [lo...@myuniversity.com]

OpenSSL 1.1.1, and pretty much everything using it, is now disabling TLS 1.1
by default. That's probably what you see here, and it means that your RADIUS
server supports only deprecated TLS versions.

You can enable TLS 1.1 in your wpa_supplicant config, but the real fix is to
enable TLS 1.2 on your RADIUS server. That has been enabled by default in
freeradius in Debian since at least jessie, to give you an idea of how
outdated the setup is ;).

-nik


signature.asc
Description: PGP signature

Re: Can't install Debian without dedicated /boot partition

[Dominik George]

> AFAICS you did not write anything about /boot/grub.

I did not mention it by name, I only said there are two parts and I do not
see why the mere installation to the MBR or to the EFI area should fail ;).

> > Can you explain why this fails on installation, where /boot/grub can be 
> > written?
> 
> grub-install must hardcode the location of /boot/grub into the core image. I
> guess it sees that /boot/grub is encrypted but encryption is not enabled for
> GRUB.

Oh ok. If that's true, probably a reasonable error message would be helpful
☺.

-nik


signature.asc
Description: PGP signature

Re: Can't install Debian without dedicated /boot partition

[Dominik George]

>*cough*
>You should get some information about how GRUB is installed and works.
>GRUB comes in two main parts :
>- the core image in various locations (+ boot image in some boot sector
>
>for GRUB BIOS)
>- the /boot/grub directory

Yep. I basically said that (in paragraphs you removed from the quote :)).

Can you explain why this fails on installation, where /boot/grub can be 
written? I'd expect it to fail booting, but not installing.

-nik

Re: Can't install Debian without dedicated /boot partition

[Dominik George]

Hi,

> I'm trying to install Debian Stretch with full disk encryption
> (LVM-on-LUKS). But when the installer is trying to install Grub in crashes
> with the following error message:
> 
> ```
> Unable to install GRUB in dummy
> Executing 'grub-install dummy' failed.
> 
> This is a fatal error.
> ```
> 
> […]
>
> I'm able to install NixOS with GRUB without needing an separate /boot
> partition. So I believe it isn't a limitation in GRUB. Can't find any
> information in the documentation that says that a separate /boot partition
> is mandatory.

This message does not have to do anything with a /boot partition - where
your OS is isntalled does not matter for grub-install, grub-install only
intalls the bootloader part, either to MBR or to the EFI ESP partition. What
could happen if GRUB does not find your kernel image in /boot is that it
does not generate a GRUB record for it during update-grub, but it will not
cause the installation to fail.

That said, have you made sure to mount the EFI ESP partition as /boot/efi?

There are quite a few mentions of this error spread over all kinds of
distributions (just try asking your search engine of choice for
debian "grubd-install dummy"). E.g.:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865417

Cheers,
Nik


signature.asc
Description: PGP signature

Re: Getting rid of Wilber

[Dominik George]

> Maybe I'm overly sensitive, but that creepy critter constantly peeping
> at me grates on my nerves.

Good thing it's not a boggart[0]!

-nik

[0] https://www.pottermore.com/writing-by-jk-rowling/boggart


signature.asc
Description: PGP signature

Re: Losing video output when hibernating with HDMI plugged

[Dominik George]

Hi,

> I've got a Dell Latitude E6220 (with "Intel Corporation 2nd Generation
> Core Processor Family Integrated Graphics Controller (rev 09)"
> according to lspci) running Debian stretch, with the Xfce4 desktop.
> After a fresh boot, when I plug an external monitor into its HDMI
> port, the internal display flickers for a moment then both screens
> show a mirrored image. Originally Xfce4 would automatically start
> `xfce4-display-settings -m` in that situation, and I could click to
> disable the internal screen etc. Problem is when I hibernate before
> unplugging the external monitor, after resume the laptop will neither
> show any video to the external screen nor the internal one.

I can reproduce this issue with current sid, on a Lenovo Thinkpad T470s
(00:02.0 VGA compatible controller: Intel Corporation HD Graphics 620 (rev
02)), with KDE.

-nik


signature.asc
Description: PGP signature

Re: Webmail?

[Dominik George]

Hi,

On Fri, Jun 29, 2018 at 09:04:16PM +0100, Joe wrote:
> Anyone know of a webmail that works on stretch?
> 
> I've just spent half an afternoon trying first roundcube then prayer.
> 
> Roundcube works (allegedly) with apache. I'm not an expert on apache2,
> but as far as I can see, there is an apache2.conf existing and enabled
> for roundcube, and it leads via an alias to a real index.php in the
> right place. I just get a 404, and I've tried with and without a
> trailing slash and a final index.php. Yes, I've restarted apache2,
> several times, and my other php stuff on the server works.

So, Roundcube works like a charm here.

Are you willing to get down to „I seem unable to set it up“ rather than
„webmail in Debian is shit“?  If so, we could certainly proceed to finding
out why you fail setting it up .

Cheers,
Nik


signature.asc
Description: PGP signature

Re: Mirror not responding (was: getting too old for this)

[Dominik George]

Hi,

On Tue, Apr 17, 2018 at 04:27:31PM +0100, mick crane wrote:
> apt update seems to have stopped working
> #
> 
> # apt update
> Err:1 http://debian.heanet.ie/debian buster InRelease
>   Could not connect to debian.heanet.ie:80 (193.1.193.65). - connect (111:
> Connection refused) Cannot initiate the connection to debian.heanet.ie:80
>
> […]
>
> Is it something daft I've done ?

No, there's simply no webserver running there.

Why not use httpredir.debian.org?

Cheers,
Nik


signature.asc
Description: PGP signature

Re: how do you send mail to another user on a local debian machine

[Dominik George]

Hi,

>So . . . if you want to send mail to another user on your box, and
>you do not want it to get bounced around on the internet but only
>to go into some spool queue somewhere strictly on your local machine,
>how do you do it?

Sounds very much like an emacs anti-feature.

$ mail -s Spammedyspam jdoe <<<"Bacon eggs without the spam"

works perfectly on stretch and buster/sid.

Can you try that and also mutt?

-nik

Re: Debian 9 rocks, really

[Dominik George]

On Sat, Mar 24, 2018 at 10:31:11PM +, Andre Rodier wrote:
> […]

Yeah! I've not come such a long way yet, considering I am only 27 years
old, but I have been using Linux systems for 14 years now. Started with
SuSE 7.2 (with a short visit to 5.3 for fun), switched to Ubuntu later
and the nto Gentoo for a few years, until arriving at Debian many years
ago.

Watching Debian's development (and contributing to it) is a great joy -
while some time ago there were valid reasons for creating Ubuntu, and
users had reasons to consider Debian outdated and complicated, all that
is gone now. Take a Debian 9 installer (in some cases, maybe the
non-free firmware version), and it installs on the most awkward of
hardware without complaining. If it doesn't, just fix it, because it
gives you everything you need to do so.

Most important, Debian is the distribution that kept me satisfied for
long enough that I am now a developer (keyring update pending ;)). I
lost track of becoming one with Gentoo, because they were cool but did
not have good quality assurance, and I los ttrack at SuSE because they
had great quality but the community was questionnable (that changed by
now, mind you) - Debian has the best of both worlds, a great community,
great tools, and QA anddevelopment tools that make it fun to work with
and still get respected in enterprise environments.

So thank you, Debian!

Cheers,
Nik


signature.asc
Description: PGP signature

Re: Debian 9 sucks really badly

[Dominik George]

Hi,

> I guess its one of those brain fucked idiots

Although I realy agree with you, I don't think your tone is by any means
better, and you should instead lead by example and not insult anyone on
a Debian mailing list even if you are angry.

Cheers,
Nik


signature.asc
Description: PGP signature

Re: Debian 9 sucks really badly

[Dominik George]

> In the Free Software world, the response to something not
> working is generally:
> 1)If you know how, fix it and send the fix to the project so
> it helps everyone, or,
> 2)If you don't know how to fix it, report the problem in a
> useful way, so someone else can fix it and help everyone.

I think the main problem here is that the user considers himself too
much of an expert and stops seeing the easy things, like the step in the
installer asking explicitly for the desktop environment to install. It's
right there, but they are too l33t to simply open their eyes.

Sometimes I make that mistake myself, actually ;).

-nik


signature.asc
Description: PGP signature

Re: OT: dovecot with letsencrypt, K9 mail fails?

[Dominik George]

Hi,

>Today, though - which may be unrelated - it prompted me to check the
>certificate, which weirdly seemed to belong to my VPS provider; it
>wasn't the one configured in dovecot.
>
>Has anyone else seen either of these issues? My VPS provider hasn't
>come
>up with any ideas yet.

They have a very clear idea - they are snooping on your TLS, and that doesn't 
happen by accident.

It might be a sad accident with a firewall, but they should fix that in no 
time. If not, you are best off finding a new provider.

-nik

Re: flame,troll,spam was : ... for cracking a wireless password

[Dominik George]

> > Stop abusing children as an “example” for stupidity!
> >
> > Thanks.
> >
> ?
> what do you mean ?
> - that children must not follow the "example" of wilco (speaking about
> that you do not know/have is a troll lol) : 90% of idiots thinks that the
> others are idiots but not themselves ? is it a point of view of an "adult"
> , mature & educated ?
> - is it about my topic or the sentence 'kid point of view ' (troll) ?
> will you please clarify these point ?
> i do not understand your reaction, i am not the author of the "example".
> i repeat : only kids think that the others are stupid ('kid' is a polite
> term) it is the sens of the example (wilco).

What YOU say is something YOU say.

And what I mean is: Comparisons work both ways. If you say that a stupid
view is comparable to the general views of a child, then you are saying
that children generally have stupid views.

This is discrimination and apart from that, not true.

Same goes for „slow like a disabled person“, „autistic reaction“, and
the like. It reflects negative aspects on a (often minor or weaker)
group of people and discriminates against them.

I do not want to see such comparisons that discredit any group of people
fo rthe sake of argument on a Debian mailing list.

-nik


signature.asc
Description: PGP signature

Re: flame,troll,spam was : ... for cracking a wireless password

[Dominik George]

> (> as 90 percent ... .)
> it is a kid point of view (troll).

Stop abusing children as an “example” for stupidity!

Thanks.


signature.asc
Description: PGP signature

Re: Sync two disks and hot swap

[Dominik George]

> what is the goal in having an identical copy of the disk?

It's not even so much that.

It's that the person who will be changing the disks will be hardly
capable of just that, and will not get anything close to root access to
the machine.

And I am afraid that all that complexity around automounting the
different filesystems, autounmounting, and automatically ensuring the
filesystem is clean and unmounted at the time the disk is to be swapped
could be quite unreliable.

-nik

Re: Sync two disks and hot swap

[Dominik George]

Hi,

> Instead, if you just want a disk that has a readable copy of the files, you
> may find that rsync is more straightforward and can be a lot faster after
> the first time if the volume of changes is a small percentage of the total.

Yes, of course. But that would not lead to an identical copy of the
disk, only the files in its filesystem.

I will choose that way if nothing else comes up in this thread.

-nik

Sync two disks and hot swap

[Dominik George]

Hi,

I have the following scenario:

 * A server with two hard drives in removable cases
 * A backup process writes data to both disks, making up a live backup server
 * A third disk is to be kept off-site
 * On a ergular basis, I want to hot-swap one of the disks, as in, remove
   one of the two synced disks and replace it with the stale off-site copy,
   and put the now recent copy off-site

I figure that a simple software RAID 1 would do the trick, but it is not
really made for it and would need some complex manual intervention in
order to not break the state on the removed disk.

Any ideas on how to achieve this, or arguments that RAID 1 would indeed
be a good solution?

Cheers,
Nik



signature.asc
Description: PGP signature

Re: on non-running OS find all installed pkgs

[Dominik George]

> # chroot /path/to/mount dpkg -l

Even…

# dpkg --root=/path/to/mount -l

…that one exists.

-ingrid

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: on non-running OS find all installed pkgs

[Dominik George]

i,

> The hosts in this query are both on vbox vms.  One not running but
> with OS disk mounted on a different host.
> 
> How can I get a list of all debian pkgs installed on the OS that is
> not running? That is, when I have the debian OS disk mounted on a
> different HOST.

# chroot /path/to/mount dpkg -l

;)?

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: Q: systemd is restarting demons?

[Dominik George]

Hi,

>I am wondering, if it is normal, that systemd is restarting a service,
>which I as root did 
>stop. In may case it is laptools-mode. 
>
>See the output of syslog:
>Jul 20 12:16:47 localhost laptop-mode: enabled, not active 
>
>
>I know, I can force systemd, not to start demons at boot, but this
>behaviour is looking 
>strange. Strange philosophy, I mean.
>
>Maybe it is a bug?

Most likely not.

Like you said, you stopped it, but you didn't disable it.

There are many reasons why systemd might start a service:

 * connection on a socket
 * user session start
 * a timer
 * an ACPI event

In your case, it seems like it was a user session starting up.

-nik

Re: so much for your ascii only emails and 80 char lines :)

[Dominik George]

it? Thanks!
topic and stop
gone horribly off-
that this thread has
all just agree
So, can we
Sent from my very colourful mailer which encodes as it pleases.

Re: Debian Developers Have Been Listening!

[Dominik George]

Hi,

>​If this is true and it is a doddle to convert an ordinary debian
>install
>with systemd running on it to the old sysvinit format then why is there
>all
>this sturm und drang and spam on this subject...??

Because DDs are listening, but users aren't :D.

-nik

Re: Debian Developers Have Been Listening!

[Dominik George]

Hi,

>A while ago, I initiated the "If Linux Is About Choice ..." thread
>about why there is no choice of inits during an initial install.
>
>Since that time, I've tested several systemd-less distros[1] as well as
>Stretch as replacements for my aging Wheezy system.  With Stretch my
>plan was to see if I could replace systemd as the init without removing
>it just leaving its components (some or all as necessary) to meet
>dependencies without it breaking the system  That way there would be no
>need for third party repos or jumping through hoops to keep a
>systemd-less working. I figured it would be a somewhat difficult, time
>consuming process. However, I made a discovery during these tests: The
>Debian developers had already done it for me.  They made switching from
>systemd as the init to sysvinit or runit easy just by issuing a couple
>commands.

Thanks for sharing your experiences!

Don't get me wrong, but the interesting part is that this has already been the 
exact case long before your thread, and it is what you were told several times 
throughout the discussion ;).

Long story short, not so many reasons for all the excitement :).

-nik

Re: Update Notifier

[Dominik George]

> Why doesn't Debian 8 Cinnamon notify when updates are ready to install
> after all these years Debian has existed? Don't tell me there is one,
> because after installing Debian I waited a long time to see if a
> notification would pop up. It never did. I know about doing apt-get
> update && apt-get upgrade,but why should we have to use a command
> line? It makes me wonder about Debian security. Would you please put
> an update notifier in all your versions of Debian.

$ apt install gnome-packagekit

If you think it should be part of the desktop task or
cinnamon-desktop-environment, please file a wishlist bug (in a more
helpful tone).

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: MATE in /usr AND in /usr/local

[Dominik George]

>I'm interested in tinkering with components of MATE and testing them
>while 
>leaving the APT-installed versions alone. I've built and installed the 
>components from the Github repos and installed them to /usr/local/. I 
>can't figure out how to load applets from /usr/local. In particular,
>can 
>someone tell me how to use the /usr/local version of the Workspace 
>Switcher instead of /usr/?

You do want to use chroot for that.

-nik

Re: April's fool

[Dominik George]

>* It should be easy to make it working in some minutes (half an hour of
>configuration at most).
>* It should be harmless and reversible (of course)
>* It should last the whole day, people trying to figure that out.

# apt install sl
# ln -s /bin/ls /usr/local/bin/sl
# ln -s /usr/games/sl /usr/local/bin/ls

HTH,
Nik

Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

[Dominik George]

> On Fri, Mar 31, 2017 at 02:07:54PM +0200, Dominik George wrote:
> > That's how w^Hsomeone rooted Dreamhost.
> 
> Are you referring to the 2012 incident, or something more recent?
> 
> I thought the former was an issue with lax filesystem permissions.

(This is getting somewhat OT; if you want to discuss that further, maybe
choose private conversation or another mailing list… I only intended to
provide a scenario that was not made up.)

Something less recent, from late 2010.

The thing I described was reported only to the company themselves, who
still failed to fix the root issue for several years.

After their administrators and CEO (funnily enough, it was his
webhosting account that had the vulnerable PHP application I was talking
about…) had ignored the issue for more than a year, $someone dropped a
note in the Chaos Communication Congress' wiki. What exactly this note
was used for and what it was not used for is beyond my knowledge.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

Re: strange problem with chromium

[Dominik George]

Hi,

> […] on Ubuntu 14.04 […]

Any chance you chose the wrong mailing list?

Cheers,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

[Dominik George]

>Well, not without getting root first.
>
>And making something listen that spawns a shell usable to gain further
>access is a big win. Keeping uploading PHP code to some vulnerable
>webserver will at some point be noticed. Uploading something spawning a
>shell once probably not.
>

When $someone hacked $somebigamericanwebhoster some years ago, $they first 
found a CMS that allowed online editing of its PHP code. $they were able to use 
that to run arbitrary shell commands. However, that thing had an edit history, 
so keeping passing in new code produced a well-visible log each time (in 
retrospective, $they could just have patched that away, but well...).

Uploading and starting ajaxterm, however, cost $them only two edits, and as it 
went listening on its own port without a firewall logging, $they had an 
interactive shell that could be configured to keep no record of anything.

(Not of any interest here, but $they then found a misconfigured NFS share that 
mapped all UIDs to root, keeping suid bits... use your imagination for the 
rest. But $they would not have found that without an interactive shell.)

-nik

Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

[Dominik George]

>If someone unauthorised is on your machine can they not just as well
>remove firewall rules?


Well, not without getting root first.

And making something listen that spawns a shell usable to gain further access 
is a big win. Keeping uploading PHP code to some vulnerable webserver will at 
some point be noticed. Uploading something spawning a shell once probably not.

-nik

Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

[Dominik George]

>My understanding is that if there are no services listening on a port
>then
>it cannot be accessed.

Well, if nothing is listening on a port, then something can start doing so 
unconditionally.

That's how w^Hsomeone rooted Dreamhost.

-nik

Re: aptitude is dangerous - any replacement?

[Dominik George]

>> apt also uses apt-listbugs...
>
>Yes, but one can't exclude a package listed by apt-listbugs.
>With aptitude, one just goes to the package and hits ":".

Sure. Just press h on the package.

-nik

Re: aptitude is dangerous - any replacement?

[Dominik George]

>1. When I want to exclude some buggy packages. I often do this with
>   aptitude, where major bugs can be reported by apt-listbugs.

apt also uses apt-listbugs...

-nik

Re: aptitude is dangerous - any replacement?

[Dominik George]

>I meant a replacement with a text UI.

I never had any situation where this would have helped me instead of being 
clumsy and painful within 12 years of systems administration.

What's your use case?

-nik

Re: aptitude is dangerous - any replacement?

[Dominik George]

>Is there any replacement?

Yes, apt.

-nik

Re: TTL expired in transit to qemu virtual machine.

[Dominik George]

Hi,

> >iptables -L FORWARD -nv
>Chain FORWARD (policy DROP 0 packets, 0 bytes)
>pkts bytes target prot opt in out source  
>destination
>XX ACCEPT all  --  br0br0 0.0.0.0/0   
>0.0.0.0/0

What is that supposed to do?

Forwarding on the IP layer, by definition, happens between different interfaces.

Although this rule is most likely a no-op, you should remove it to reduce 
confusion.

-nik

Re: programmatically determining the desktop environment of a system

[Dominik George]

Hi,

>Is there a programmatic way that a piece of software can learn what
>desktop environment it is executing in?

Short answer: No.

Long answer:

http://unix.stackexchange.com/questions/116539/how-to-detect-the-desktop-environment-in-a-bash-script

Cheers,
Nik

Re: How do you disable / enable services from starting in systemd

[Dominik George]

>http://lmgtfy.com/?q=How+do+you+disable+%2F+enable+services+from+starting+in+systemd%3F

Well, the most exciting thing about this kind of questions is that you can 
actually just go on using update-rc.d...

-nik

Re: [Clarification?] Re: Testing CDs for GNOME3, KDE and LXDE are missing from the download page

[Dominik George]

>I hope that applies only to pre-release versions.
>I am bandwidth limited and depend on purchased DVD sets of 
>released versions.
>TIA

The different *CD* sets are vanishing, not the general *DVD* sets.

-nik

Re: BIOS Settings for Fake-RAID

[Dominik George]

>So my question: If I don't want to use the BIOS's Fake RAID, and want
>to
>use only the Linux kernel's software RAID, do I want to turn RAID off
>in
>the BIOS

Yes.

Also, always prefer dmraid over some fake RAID.

-nik

Re: wlan0 hw address changes

[Dominik George]

Hi,

> How do I check the systemd-networkd thing?

ps aux… ;)

The MAC changing would also have to be configured in
/etc/systemd/network .

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: wlan0 hw address changes

[Dominik George]

> I need to tell a network admin the hardware address of my wlan0
> interface, so that he gives me access to the wifi network. The problem
> is that the hw address is changing everytime I use the wlan0 hardware
> switch...

So, first of all, use this as another argument to explain to your admin
that MAC filters are not a security measure, but a PITA noone needs.

> ether b2:ad:31:c5:86:36  txqueuelen 1000  (Ethernet) ...
> ether c0:cb:38:4c:56:8f  txqueuelen 1000  (Ethernet) ...
> ether aa:c3:d0:e1:43:cb  txqueuelen 1000  (Ethernet) ...

What strikes me as odd is that the whole address changes, so it's
probably not the firmware, as a vendor randomising the vendor part of
their hardware addresses on their own would probably not get their stuff
through FCC or whatever regulations apply.

So, I assume it is your system either setting a random address, or
preventing the firmware from setting the real address.

Assuming you do not have macchanger or something like that installed
(guessing you wouldn't be asking if you had taken such measures ;)), I
only know of systemd-networkd having such a feature.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: confusion in /etc/network/interfaces

[Dominik George]

>> "ifconfig" can not handle multiple IPv4 addresses on one interface
>and
>> needs this kind of crutch.
>> 
>> The far more modern command "ip" has no such limitations.
> 
>I've found my own brain to have a similar limitation, and find
>interface
>aliases useful for clarity even when I have ip(8) available.

OTOH, it is important to be aware of the addresses being on the same interface, 
e.g. when it comes to firewall rules and ARP and the like. There are a few 
pitfalls in having more than one address on one interface which need to be 
taken into account. So I kind of like iproute2 making this clearer.

-nik

Re: confusion in /etc/network/interfaces

[Dominik George]

Hi,

>I need to know that what is the difference b/w eth1.0101 and eth:1.
>actually i need to know what is the main difference in "." and ":".
>any suggestion will be highly appreciated.

: denotes an alias (second address on same interface), . denotes a VLAN, and 
eth:1 is nonsense.

Cheers,
Nik

Re: CD Audio - sometimes provided as vfs by the kernel?

[Dominik George]

Hi Tomás,

> Another possibility (apart from those mentioned in the thread) would
> be that it passes through a different set of udev rules depending on
> the USB port?
> 
> You might watch udev doing its thing with udevadm (not much recent
> experience here, sorry).

ok, I might try that.

Right now, I suspect something else: The USB drive might have some
processor for that of its own that is only activated on USB 3.0,
probably due to drawing more power, or something.

I will sure find out the real cause ☺.

Thanks,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

Re: CD Audio - sometimes provided as vfs by the kernel?

[Dominik George]

Hi Ric,

> You might check your user manual to see if one side is USB 2.0 and the
> other USB 3.0. That might make a difference. Ric

that's indeed the case.

Now, why does the USB 2.0 port lead to that WAV file thing, while the
USB 3.0 port does CDDA?

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature

CD Audio - sometimes provided as vfs by the kernel?

[Dominik George]

Hi,

I just tried to tip an audio CD, like I did hundreds of times before. I
tried to run ripit, and it complained that there was no audio CD
inserted.

Taking a closer look, I found that the drive was unexpectedly provided
as a USB mass storage device as /dev/sdc, with a partition containing a
FAT filesystem and RIFF audio / WAV files.

Now, I am using a USB CD-ROM drive, and eventually found out that, usng
the USB port on the *right* hand side of my laptop, I get thie virtual
mass storage device, and using the USB port on the *left* hand side, I
get a /dev/sr0 device I can read CDDA from, as usual.

I am running Debian sid with kernel 4.9.0-2 on amd64.

I never saw the Linux kernel do something like this. Does anyone know
since when, and under what circumstances, it does that, how I can
control it, and why it depends on the USB port used?

Cheers,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)


signature.asc
Description: PGP signature