Bug#816063: emacs24: TLS certificate validation is silently broken

2016-02-26 Thread Nathaniel Smith 
Package: emacs24
Version: 24.5+1-6+b1
Severity: serious
Tags: security
Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt

Debian's emacs builds are linked against gnutls:

(gnutls-available-p)
t

By default, they aren't configured to validate TLS certificates,
leaving users open to trivial MITM attacks:

(require 'gnutls)
gnutls-verify-error
nil

(url-retrieve-synchronously "https://wrong.host.badssl.com;)
#
(url-retrieve-synchronously "https://self-signed.badssl.com;)
#

Okay, fine, but at least it is easy to turn this on:

(setq gnutls-verify-error t)

There are even some nice docs explaining how and why to do this:
   https://glyph.twistedmatrix.com/2015/11/editor-malware.html
(Short version: if you aren't using https for the package servers --
#797477 -- and haven't enabled TLS checking, and ever run
package-install over coffee-shop wifi, then congratulations, you've
just allowed anyone within wifi range to execute arbitrary code on
your user account.)

However, Debian's emacs24 somehow manages to be so broken that turning
on cert verification via (setq gnutls-verify-error t) *doesn't
work*. The docs say it should work, and explain in detail how to
configure finding the CA trust store (this is configured correctly
out-of-the-box on Debian). And sometimes I've even had it fail on
https://wrong.host.badssl.com after setting this (but not
always). However, it always happily loads
https://self-signed.badssl.com, which means it's providing no
protection at all against MITM attacks.

Bottom line: even if you configure everything correctly, Debian's
emacs will still happily execute whatever random code your barista
gives you.

The only way I've found to work around this and get a minimally-secure
setup is to add the following extremely simple and obvious incantation
to my .emacs:

;; Monkeypatch emacs so that it doesn't think gnutls is compiled in
(if (fboundp 'gnutls-available-p)
(fmakunbound 'gnutls-available-p))
;; Force emacs to use gnutls-cli *without* the --insecure flag it
;; defaults to. (Note that the --x509cafile argument here depends on
;; your distro; this is correct for Debian.)
(setq tls-program
  '("gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h"))
;; Not sure if this is necessary, but it certainly doesn't hurt
(setq tls-checktrust t)

and then doing 'apt install gnutls-bin'.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages emacs24 depends on:
ii  emacs24-bin-common 24.5+1-6+b1
ii  gconf-service  3.2.6-3
ii  libacl12.2.52-3
ii  libasound2 1.1.0-1
ii  libatk1.0-02.18.0-1
ii  libc6  2.21-9
ii  libcairo-gobject2  1.14.6-1
ii  libcairo2  1.14.6-1
ii  libdbus-1-31.10.6-1
ii  libfontconfig1 2.11.0-6.3
ii  libfreetype6   2.6.1-0.1
ii  libgconf-2-4   3.2.6-3
ii  libgdk-pixbuf2.0-0 2.32.3-1.2
ii  libgif75.1.2-0.2
ii  libglib2.0-0   2.46.2-3
ii  libgnutls303.4.9-2
ii  libgomp1   5.3.1-8
ii  libgpm21.20.4-6.1+b2
ii  libgtk-3-0 3.18.7-1
ii  libice62:1.0.9-1+b1
ii  libjpeg62-turbo1:1.4.2-2
ii  libm17n-0  1.7.0-3
ii  libmagickcore-6.q16-2  8:6.8.9.9-7+b1
ii  libmagickwand-6.q16-2  8:6.8.9.9-7+b1
ii  libotf00.9.13-3
ii  libpango-1.0-0 1.38.1-1
ii  libpangocairo-1.0-01.38.1-1
ii  libpng12-0 1.2.54-3
ii  librsvg2-2 2.40.11-2
ii  libselinux12.4-3
ii  libsm6 2:1.2.2-1+b1
ii  libtiff5   4.0.6-1
ii  libtinfo5  6.0+20151024-2
ii  libx11-6   2:1.6.3-1
ii  libxft22.3.2-1
ii  libxinerama1   2:1.1.3-1+b1
ii  libxml22.9.3+dfsg1-1
ii  libxpm41:3.5.11-1+b1
ii  libxrandr2 2:1.5.0-1
ii  libxrender11:0.9.9-2
ii  zlib1g 1:1.2.8.dfsg-2+b1

emacs24 recommends no packages.

Versions of packages emacs24 suggests:
pn  emacs24-common-non-dfsg  

-- no debconf information

Bug#769191: xorg: apt-get dist-upgrade somehow reconfigured my system to use the nvidia driver, even though I have no nvidia hardware

2014-11-22 Thread Nathaniel Smith 
-dev:amd64 (1.55.0+dfsg-1,
automatic), libboost-serialization1.55-dev:amd64 (1.55.0+dfsg-1,
automatic), libboost-atomic-dev:amd64 (1.55.0.2, automatic),
libboost-thread1.55-dev:amd64 (1.55.0+dfsg-1, automatic),
libboost-graph-parallel-dev:amd64 (1.55.0.2, automatic),
libboost-exception-dev:amd64 (1.55.0.2, automatic),
libboost-mpi1.55.0:amd64 (1.55.0+dfsg-1, automatic),
libboost-serialization-dev:amd64 (1.55.0.2, automatic),
libboost-locale-dev:amd64 (1.55.0.2, automatic)
End-Date: 2014-06-01  13:06:06

Pretty weird... I spent a few minutes trying to track down what the
relevant dependency chain might be, but ran out of time before I found
anything.

On Sat, Nov 22, 2014 at 1:02 PM, Simon McVittie s...@debian.org wrote:
 On Mon, 17 Nov 2014 at 21:47:12 +, Nathaniel Smith wrote:
 Here's my apt history files. history.log.1 has the big upgrade that
 caused the problem; history.log has the mucking about I did to fix it.

 OK, thanks.

 At the top of history.log.1 you have:

 Upgrade: ... nvidia-libopencl1:amd64 (340.46-1, 340.46-3) ...

 which results in the installation of a pile of nvidia stuff.

 I'm not sure why you would gain the other nvidia stuff at that point
 if you didn't have it already, because debdiff says
 nvidia-libopencl1_340.46-1_amd64.deb and nvidia-libopencl1_340.46-3_amd64.deb
 (from snapshot.debian.org) have identical metadata apart from version number
 and Installed-Size.

 however, nvidia-libopencl1_340.46-3_amd64.deb does have Recommends:
 nvidia-opencl-icd | opencl-icd so that would maybe explain it.
 Recursively following Depends and Recommends from nvidia-opencl-icd
 pulls in the whole nvidia stack.

 Next question, why did you have nvidia-opencl-icd in the first place?
 I suspect the answer is probably https://bugs.debian.org/739176
 which has already been fixed.

 S



-- 
Nathaniel J. Smith
Postdoctoral researcher - Informatics - University of Edinburgh
http://vorpus.org


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#769072: Bug#769191: xorg: apt-get dist-upgrade somehow reconfigured my system to use the nvidia driver, even though I have no nvidia hardware

2014-11-17 Thread Nathaniel Smith 
Here's my apt history files. history.log.1 has the big upgrade that
caused the problem; history.log has the mucking about I did to fix it.

Notice that the big upgrade got interrupted in the middle by libaudio2
failing to install (#768651), so there was some 'apt-get install -f'
and 'dpkg --configure -a' stuff in there before the dist-upgrade gets
restarted.

On Mon, Nov 17, 2014 at 9:26 PM, Simon McVittie s...@debian.org wrote:
 On Wed, 12 Nov 2014 at 02:08:34 +, Nathaniel J. Smith wrote:
 This evening I ran 'apt-get dist-upgrade' on my 'testing' system, rebooted, 
 and
 found the system unusable -- it just came up with gdm3's Oh no! Something 
 has
 gone wrong! screen.

 It turns out that the problem is that somehow, dist-upgrade reconfigured X to
 use the nvidia drivers for GLX -- e.g., from /var/log/messages:
 [...]
 Nov 12 01:47:35 branna gdm-Xorg-:0[4239]: (EE) Failed to initialize GLX
 extension (Compatible NVIDIA X driver not found)

 This sounds somewhat similar to #769072 (which is currently assigned to
 gnome-shell, and I only haven't reassigned it away because I'm not sure which
 nvidia-related package has the bug). The exact symptom is different,
 but the high-level situation (trying to use a mixture of Mesa and nVidia
 GL stuff after an upgrade) is similar. Perhaps they should be merged?

 Finding the offending upgrade in /var/log/apt would be useful;
 so would the details of the apt transaction(s) in which you removed
 the nvidia stuff.

 Michael, I assume you have out-of-band information that says #769481 is
 in fact the same as #769191? (I ask because you merged them, but it isn't
 obvious why from the bug log.)

 S



-- 
Nathaniel J. Smith
Postdoctoral researcher - Informatics - University of Edinburgh
http://vorpus.org


history.log.1
Description: Binary data

Start-Date: 2014-11-12  01:51:35
Commandline: apt-get remove xserver-xorg-video-nvidia
Remove: nvidia-driver:amd64 (340.46-3), xserver-xorg-video-nvidia:amd64 (340.46-3)
End-Date: 2014-11-12  01:51:41

Start-Date: 2014-11-12  01:52:49
Commandline: apt-get autoremove
Remove: libegl1-nvidia:amd64 (340.46-3), libgles2-nvidia:amd64 (340.46-3), libjansson4:amd64 (2.7-1), nvidia-settings:amd64 (340.46-2), libgl1-nvidia-glx:amd64 (340.46-3), libgles1-nvidia:amd64 (340.46-3), libnvidia-ml1:amd64 (340.46-3), libnvidia-eglcore:amd64 (340.46-3), libxnvctrl0:amd64 (340.46-2)
End-Date: 2014-11-12  01:52:57

Start-Date: 2014-11-13  18:40:54
Commandline: apt-get install vagrant
Install: ruby-i18n:amd64 (0.6.9-2, automatic), ruby-net-scp:amd64 (1.2.1-1, automatic), ruby-listen:amd64 (2.4.0-4, automatic), ruby-rb-inotify:amd64 (0.9.5-1, automatic), bsdtar:amd64 (3.1.2-9, automatic), ruby-dev:amd64 (2.1.0.4, automatic), ruby-timers:amd64 (1.1.0-2, automatic), ruby-childprocess:amd64 (0.5.5-1, automatic), vagrant:amd64 (1.6.5+dfsg1-2), ruby-net-ssh:amd64 (2.9.1-1, automatic), ruby-nokogiri:amd64 (1.6.3.1+ds-1, automatic), ruby2.1-dev:amd64 (2.1.4-1, automatic), ruby-erubis:amd64 (2.7.0-3, automatic), bundler:amd64 (1.7.4-1, automatic), ruby-celluloid:amd64 (0.15.2-2, automatic), ruby-log4r:amd64 (1.1.10-4, automatic), ruby-thor:amd64 (0.19.1-1, automatic), ruby-ffi:amd64 (1.9.6debian-2, automatic), ruby-net-http-persistent:amd64 (2.9-2, automatic)
End-Date: 2014-11-13  18:41:05

Start-Date: 2014-11-13  18:42:31
Commandline: apt-get install virtualbox virtualbox-guest-additions-iso
Install: virtualbox:amd64 (4.3.18-dfsg-1), virtualbox-dkms:amd64 (4.3.18-dfsg-1, automatic), virtualbox-guest-additions-iso:amd64 (4.3.18-1), virtualbox-qt:amd64 (4.3.18-dfsg-1, automatic), libvncserver0:amd64 (0.9.9+dfsg-6+b2, automatic), libgsoap5:amd64 (2.8.17-1, automatic)
End-Date: 2014-11-13  18:42:56

Start-Date: 2014-11-13  18:55:48
Commandline: apt-get install linux-headers-amd64
Install: linux-headers-3.16-3-common:amd64 (3.16.5-1, automatic), linux-kbuild-3.16:amd64 (3.16-2, automatic), linux-headers-3.16-3-amd64:amd64 (3.16.5-1, automatic), linux-compiler-gcc-4.8-x86:amd64 (3.16.5-1, automatic), linux-headers-amd64:amd64 (3.16+62)
End-Date: 2014-11-13  18:56:44

Start-Date: 2014-11-13  18:57:25
Commandline: apt-get install --reinstall virtualbox-dkms
Reinstall: virtualbox-dkms:amd64 (4.3.18-dfsg-1)
End-Date: 2014-11-13  18:58:12

Bug#468130: python-gobject-dbg: There is no convenient way to *use* the debugging pygobject library

2008-02-26 Thread Nathaniel Smith 
Package: python-gobject-dbg
Version: 2.14.1-1
Severity: grave
Justification: renders package unusable

Most -dbg packages are set up so that when running under gdb, the
debugging libraries are automatically used.  Not so for pygobject.
After flailing around for a while, the *only* way I could come up
with to cause the debugging-enabled .so to be loaded was by going
in and renaming
  /var/lib/python-support/python2.4/gtk-2.0/gobject/_gobject_d.so
to
  /var/lib/python-support/python2.4/gtk-2.0/gobject/_gobject.so
(overwriting the existing _gobject.so symlink that dpkg and friends
generated for the python-gobject package).

Requiring users to rearrange files installed by dpkg is just
awful.  Failing to document how to do so makes it even worse.
(Of course, perhaps there is some other way to magically get
at the debug version of the library.  If so, maybe it could be
more prominently documented?)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#431123: aptitude: Initializing package states takes very much longer than before +b1

2007-07-05 Thread Nathaniel Smith 
On Tue, Jul 03, 2007 at 07:42:08AM -0700, Daniel Burrows wrote:
 On Mon, Jul 02, 2007 at 10:00:53PM -0700, Nathaniel Smith [EMAIL PROTECTED] 
 was heard to say:
  On Sun, Jul 01, 2007 at 06:12:11PM -0700, Daniel Burrows wrote:
 Does installing the version in experimental fix the problem for you?
  
  Yes, the aptitude in experimental (0.4.4-5~2, which appears to be
  linked against apt 0.6.46.4-0.1, which is no longer in unstable?)
  works fine.
 
   Eh?  I meant 0.4.5.3-1.  Maybe that's not available on your
 architecture?
   
   Anyway, I'm preparing an upload to unstable, which should fix these
 problems for everyone.

Ah, right, x86-64.  The version that went into unstable today seems to
be working fine.

-- Nathaniel

-- 
Of course, the entire effort is to put oneself
 Outside the ordinary range
 Of what are called statistics.
  -- Stephan Spender


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#431123: aptitude: Initializing package states takes very much longer than before +b1

2007-07-02 Thread Nathaniel Smith 
On Sun, Jul 01, 2007 at 06:12:11PM -0700, Daniel Burrows wrote:
   Does installing the version in experimental fix the problem for you?

Yes, the aptitude in experimental (0.4.4-5~2, which appears to be
linked against apt 0.6.46.4-0.1, which is no longer in unstable?)
works fine.

-- Nathaniel

-- 
Of course, the entire effort is to put oneself
 Outside the ordinary range
 Of what are called statistics.
  -- Stephan Spender


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#423947: lftp: postrm script fails if 'ftp' package is not installed

2007-05-14 Thread Nathaniel Smith 
Package: lftp
Version: 3.5.9-1
Severity: grave
Justification: renders package unusable


~$ sudo dpkg -i /var/cache/apt/archives/lftp_3.5.10-1_i386.deb 
(Reading database ... 109953 files and directories currently installed.)
Preparing to replace lftp 3.5.9-1 (using .../lftp_3.5.10-1_i386.deb) ...
Unpacking replacement lftp ...
No alternatives for ftp.
dpkg: warning - old post-removal script returned error exit status 1
dpkg - trying script from the new package instead ...
No alternatives for ftp.
dpkg: error processing /var/cache/apt/archives/lftp_3.5.10-1_i386.deb 
(--install):
 subprocess new post-removal script returned error exit status 1
No alternatives for ftp.
dpkg: error while cleaning up:
 subprocess post-removal script returned error exit status 1
Errors were encountered while processing:
 /var/cache/apt/archives/lftp_3.5.10-1_i386.deb

This also means that it cannot be removed by normal means, and
that apt refuses to work until the mess is cleaned up.

After forcing an install of the 'ftp' package, the 'lftp' package
again can be upgraded.  I suppose a simple fix would be to make
lftp Depend: or Pre-Depend: on ftp, but that does not seem like
the optimal solution.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lftp depends on:
ii  libc6 2.5-7  GNU C Library: Shared libraries
ii  libgcc1   1:4.1.2-6  GCC support library
ii  libgcrypt11   1.2.4-2LGPL Crypto library - runtime libr
ii  libgnutls13   1.6.2-2the GNU TLS library - runtime libr
ii  libgpg-error0 1.4-2  library for common error values an
ii  libncurses5   5.5-5  Shared libraries for terminal hand
ii  libreadline5  5.2-2  GNU readline and history libraries
ii  libtasn1-30.3.9-1Manage ASN.1 structures (runtime)
ii  netbase   4.29   Basic TCP/IP networking system
ii  zlib1g1:1.2.3-14 compression library - runtime

lftp recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#384565: [Monotone-devel] Re: Bug#384565: monotone - FTBFS: Build killed with signal 15

2006-11-22 Thread Nathaniel Smith 
On Wed, Nov 22, 2006 at 09:54:42AM -0700, Shaun Jackman wrote:
 On 11/22/06, Roman Zippel [EMAIL PROTECTED] wrote:
 ...
  1. Is this more likely a bug in Boost or a bug in monotone?
  2. Is it reasonable to workaround this bug by removing
  -DBOOST_SP_DISABLE_THREADS?
  3. Is it worth going to the extra effort to only define
  -DBOOST_SP_DISABLE_THREADS on the platforms for which it works? I'll
  consider this last option if it means a performance improvement of at
  least, say arbitrarily, a factor of two or so.
 
 I think this should include the boost maintainer, there has to be some way
 to safely select the proper compile flags. At least the Debian packages
 provide a threaded and non-threaded version, but the .so link points to
 the threaded version by default.
 If both versions are supposed to be usable equally for non-threaded
 application it suggest a bug in boost...
 Anyway, until there is some mechanism to select this safely, it's probably
 better to compile the application with the same flags as the library was.

Right -- I tracked down the official word on this, which says:

If your program is single-threaded and does not link to any
libraries that might have used shared_ptr in its default
configuration, you can #define the macro BOOST_SP_DISABLE_THREADS on a
project-wide basis to switch to ordinary non-atomic reference count
updates.

(Defining BOOST_SP_DISABLE_THREADS in some, but not all, translation
units is technically a violation of the One Definition Rule and
undefined behavior. Nevertheless, the implementation attempts to do
its best to accommodate the request to use non-atomic updates in those
translation units. No guarantees, though.)
  ( http://www.boost.org/libs/smart_ptr/shared_ptr.htm )

So basically, if a program uses boost::shared_ptr, and also uses
libraries that use boost::shared_ptr (including other boost
libraries), then your program and those libraries must be compiled
with the same BOOST_SP_DISABLE_THREADS setting.  Unless you get lucky.
(I guess it failing on less popular platforms in particular has
something to do with the workarounds they mention in the second
paragraph?)

 I'll probably make an upload today. So, to be sure, I'm going to
 remove -DBOOST_SP_DISABLE_THREADS, but leave -DBOOST_DISABLE_THREADS?
 Is that correct, or are both defines to be removed?

That sounds correct.  I suspect the reason _SP_ is split off as its
own thing is exactly this...

-- Nathaniel

-- 
The problem...is that sets have a very limited range of
activities -- they can't carry pianos, for example, nor drink
beer.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#384565: [Monotone-devel] Re: Bug#384565: monotone - FTBFS: Build killed with signal 15

2006-11-21 Thread Nathaniel Smith 
On Tue, Nov 21, 2006 at 02:04:07PM -0700, Shaun Jackman wrote:
 It appears the BOOST_SP_DISABLE_THREADS is the source of monotone's
 cross-platform issues on Debian. Namely, that monotone fails to run
 (deadlock) on s390, hppa, sparc, mips, and mipsel, but runs fine on
 i386, amd64, ia64, alpha and powerpc [1].
 
 [1] http://buildd.debian.org/build.php?pkg=monotone
 
 One suggested workaround (by Roman Zippel above) is to remove
 -DBOOST_SP_DISABLE_THREADS. The ChangeLog indicates that Nathaniel
 added this feature on 2005-09-30.

Right, makes sense.  Thanks, Roman, for tracking this down.

 So, my questions for the monotone mailing list are...
 
 1. Is this more likely a bug in Boost or a bug in monotone?

It is sort of an unfortunate fact of life.  But monotone is the
simplest place to work around it.

 2. Is it reasonable to workaround this bug by removing
 -DBOOST_SP_DISABLE_THREADS?

Yes, that should work fine, with only some slowdown.

 3. Is it worth going to the extra effort to only define
 -DBOOST_SP_DISABLE_THREADS on the platforms for which it works? I'll
 consider this last option if it means a performance improvement of at
 least, say arbitrarily, a factor of two or so.
 
 Debian's freeze and release of Etch is imminent, and I'd like to nail
 this bug before then. Otherwise, Etch will ship with the last bug-free
 version of monotone, which was 0.28.

I have not had a chance to run any benchmarks.  It's certainly less
than a factor of 2.  Shipping with 0.28 would not be the end of the
world (at least it's post-0.26, unlike IIRC latest ubuntu!), but I
would say go ahead and do it.

(If anyone wants to run some benchmarks of how monotone's speed
changes on some interesting operations with and without
-DBOOST_SP_DISABLE_THREADS, that would be cool; we added it as
something that would give _some_ win with no downside, so we've never
actually bothered to check whether the win is even measurable.)

-- Nathaniel

-- 
So let us espouse a less contested notion of truth and falsehood, even
if it is philosophically debatable (if we listen to philosophers, we
must debate everything, and there would be no end to the discussion).
  -- Serendipities, Umberto Eco


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#319149: Bug 319149

2005-07-27 Thread Nathaniel Smith 
This is indeed a Boost/gcc 4.0 incompatibility, but it only affects
code that monotone does not actually use; monotone 0.21's configure
checks for boost 1.32 and does some preprocessor kluging to work
around the problem.  So, monotone 0.21 should fix this.

-- Nathaniel

-- 
Civil rights were not compatible with European unification. But I'm much
happier now that all our strawberries are the same size.   -- dark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]