Spam cleanup: March 2017

2017-03-31 Thread bernard . schoenacker
Hello,

Since we are now in April, it is now possible to process
the March 2017 archives of the French-language lists.

Of course, don't forget to add your name to the list of reviewers
so that we know where we stand.

Details of the spam cleanup process are at:

https://wiki.debian.org/I18n/FrenchSpamClean


thank you for your kind attention

cheers
bernard



Re: April's fool

2017-03-31 Thread Dominik George
>* It should be easy to make it working in some minutes (half an hour of
>configuration at most).
>* It should be harmless and reversible (of course)
>* It should last the whole day, people trying to figure that out.

# apt install sl
# ln -s /bin/ls /usr/local/bin/sl
# ln -s /usr/games/sl /usr/local/bin/ls

HTH,
Nik



April's fool

2017-03-31 Thread Beco
Hi guys,

I admin a server with some 80 users (students) and tomorrow is april's fool.

Now, help me out...

What is a "reversible" prank I could play?

* It should be easy to make it working in some minutes (half an hour of
configuration at most).
* It should be harmless and reversible (of course)
* It should last the whole day, people trying to figure that out.

As I am a professor, and the class just got a warning they were not
studying hard enough, I can say something like It was a punishment for
their laziness, so I have a "cover up" story that can scare them for sure.

What are your suggestions?

Thanks for playing.

My best,
Bèco.

PS. None of them are subscribed to this list! ;)



-- 
Dr Beco
A.I. researcher

"I know you think you understand what you thought I said but I'm not sure
you realize that what you heard is not what I meant" -- Alan Greenspan

GPG Key: https://pgp.mit.edu/pks/lookup?op=vindex=0x5A107A425102382A
Creation date: pgp.mit.edu ID as of 2014-11-09


MATE in /usr AND in /usr/local

2017-03-31 Thread David Griffith


I'm interested in tinkering with components of MATE and testing them while 
leaving the APT-installed versions alone. I've built and installed the 
components from the Github repos and installed them to /usr/local/. I 
can't figure out how to load applets from /usr/local. In particular, can 
someone tell me how to use the /usr/local version of the Workspace 
Switcher instead of /usr/?



--
David Griffith
d...@661.org

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Firewall Builder firewall for a "pull" backup server

2017-03-31 Thread David Christensen

On 03/13/2017 08:58 PM, David Christensen wrote:
> With a "pull" arrangement (e.g. the server backs up all the
> workstations) -- if a workstation gets compromised, the backups should
> be safe (and might have clues about the intrusion).

On 03/17/2017 10:16 PM, David Christensen wrote:
> The backup server can be firewalled with no incoming ports and
> outgoing ports limited to SSH and other required ports.

I spent some time with my Debian 7.11 amd64 backup server and Firewall 
Builder today.



I had previously created a firewall using the Firewall Builder wizard 
and a template.  Trying again today, I see a "Create New Firewall" icon 
-> iptables, Linux 2.4/2.6, "Use preconfigured firewall templates", "Use 
standard template objects" -> "host fw template 1" (workstation with 
single interface, dynamic IP, incoming SSH allowed).  The created policy 
looks more sophisticated than what I obtained in the past.



Starting with my old, existing policy that gave me incoming firewalling, 
I tried adding outgoing firewalling.  After several edit/ compile/ test 
cycles, this is what I ended up with:


Group        0
Source       backup
Destination  Any
Service      Any
Interface    LAN
Direction    Inbound
Action       Deny
Time         Any
Options      log
Comment      anti spoofing rule

This policy denies incoming connections on the LAN interface that claim 
to come from the host IP.



Group        1
Source       backup
Destination  Any
Service      ICMP ping request, TCP ssh, UDP domain, UDP ntp
Interface    LAN
Direction    Outbound
Action       Accept
Time         Any
Options
Comment

This policy accepts outgoing ping, SSH, DNS, and NTP on the LAN 
interface coming from the host IP.



Group        2
Source       Any
Destination  backup
Service      ICMP ping request
Interface    LAN
Direction    Inbound
Action       Accept
Time         Any
Options
Comment

This policy accepts incoming ping on the LAN interface destined for the 
host IP.



Group        3
Source       Any
Destination  Any
Service      Any
Interface    loopback
Direction    Both
Action       Accept
Time         Any
Options
Comment

This policy accepts all connections on the loopback interface.


Group        4
Source       Any
Destination  Any
Service      Any
Interface    Any
Direction    Both
Action       Deny
Time         Any
Options      log
Comment

This policy denies anything that doesn't match any of the above.


My backup server can now find other hosts (DNS), ping them, and pull 
backups via SSH/rsync.  My LAN hosts can ping the backup server, but 
nmap can find no open incoming ports:


2017-03-31 17:38:32 dpchrist@jesse ~
$ nmap -A -Pn backup

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-31 17:38 PDT
Nmap scan report for backup ()
Host is up.
rDNS record for : backup.holgerdanske.com
All 1000 scanned ports on backup () are filtered

Service detection performed. Please report any incorrect results at 
http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 201.62 seconds



On 03/17/2017 10:16 PM, David Christensen wrote:
> I still need to figure out the "other required outgoing ports".

On 03/22/2017 03:35 AM, Dan Purgert wrote:
> Unfortunately, pretty much "all ephemeral ports", if the server is
> running things that initiate connections.  Some programs allow you to
> specify what ports they're connecting from, but not all.

On 03/22/2017 03:45 AM, to...@tuxteam.de wrote:
> That's what ESTABLISHED is for, in firewall jargon (you accept packets
> belonging to an established TCP connection).

The key is "stateless" vs. "stateful" firewalls:

https://en.wikipedia.org/wiki/Stateful_firewall


Linux/ iptables implements a stateful firewall.


Firewall Builder provides a "stateless" option (among others) for each 
policy.



Any suggestions or comments?


David
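
Added example, not part of David's message and not Firewall Builder's compiled output: a hand-written stateful iptables ruleset approximating the five policy rules above, showing how the ESTABLISHED,RELATED match mentioned in the quoted replies admits return traffic without opening any incoming port. The interface name and address passed in are placeholders, and `build_ruleset` and `lan_reachable` are names chosen for this sketch.

```shell
#!/bin/sh
# Added example: the five policy rules as a stateful iptables ruleset in
# iptables-restore format. IFACE is the LAN interface, ADDR the backup
# server's own address (both supplied by the caller).
# Usage: sh pull-backup-fw.sh eth0 192.0.2.10 | iptables-restore --test

# build_ruleset IFACE ADDR -> ruleset on stdout
build_ruleset() {
    iface=$1
    addr=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Rule 0: anti-spoofing. Nothing arriving on the LAN may claim our address.
-A INPUT -i $iface -s $addr -j LOG --log-prefix "RULE 0 -- DENY "
-A INPUT -i $iface -s $addr -j DROP
# Stateful part: replies to connections this host opened (and related ICMP
# errors) are matched by connection tracking, so no ephemeral port range
# has to be opened in either direction.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rule 1: new outbound ping, SSH, DNS and NTP from the backup server.
-A OUTPUT -o $iface -s $addr -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -s $addr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -s $addr -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -s $addr -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# Rule 2: inbound ping to the backup server.
-A INPUT -i $iface -d $addr -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Rule 3: loopback.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Rule 4: log and drop everything else.
-A INPUT -j LOG --log-prefix "RULE 4 -- DENY "
-A INPUT -j DROP
-A OUTPUT -j LOG --log-prefix "RULE 4 -- DENY "
-A OUTPUT -j DROP
COMMIT
EOF
}

# lan_reachable IFACE ADDR
# Lists the INPUT rules that accept *new* traffic from the LAN, i.e. what a
# scan from another LAN host can reach. Only the ping rule should remain.
lan_reachable() {
    build_ruleset "$1" "$2" |
        grep -e '^-A INPUT .*-j ACCEPT$' |
        grep -v -e 'ESTABLISHED' -e '-i lo '
}

if [ "$#" -eq 2 ]; then
    build_ruleset "$1" "$2"
fi
```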



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread Lisi Reisz
On Friday 31 March 2017 22:53:00 kAt wrote:
> As there is a domination of the
> industrial North and elitism against the dominated South.

Not here  The non-industrial white collar south-east dominates the 
industrial north economically.  The Northern Powerhub is so far a figment of 
the politicians' imaginations.  Banks trump factories.

Lisi



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread kAt


Eike Lantzsch:

> it is e.g.:
> date -d thursday
> or:
> date -d next-thursday
> or:
> date --date='TZ="America/Asuncion" 09:00 next Thu'
> or
> calendar -w -t 20170406

TZ='London' date | grep "Universal Time"



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread kAt
Curt:
> Trouble with you people is you don't get out on some of the other days
> of the week.

Us people who?

>> English is hilarious

It must be the only language in the world that you can adequately
communicate with a vocabulary of less than 400 words including
grammatical forms of the same root.  What is so poetic about it is that
you can hide so much behind this poverty of words and grammar.
Something that you can not do with scientifically structured languages
like German or Greek.  It is very hard to take back the content of a
statement in such languages, while in English you can always
misinterpret your own statements when you've gone too far!



Re: Matrox G550 mga driver hangs system

2017-03-31 Thread Felix Miata

Tony Stoneley composed on 2017-03-31 22:20 (UTC+0100):

> Felix Miata wrote on Fri, 31 Mar 2017 02:22:10 -0400
>
>> It may be time for you to ask for help from the devs, using the
>> debian-devel mailing list or one of the freedesktop.org Xorg mailing
>> lists, or by filing a Debian bug.
>
> Yes, perhaps, if I can pluck up enough courage...


The problem has returned here. Xorg.0.log keeps terminating with an empty 
backtrace, and nothing in dmesg unless adding drm.debug= to cmdline. C-A-D 
doesn't do anything. openSUSE Tumbleweed still works. Nothing I can think of has 
changed overnight. Maybe this is some kind of timing issue, consistently bad for 
your machine, occasionally OK for mine.


Last night and this AM before my last post here I was reliably getting into Xorg 
after a lot of trial & lockups. So, a bug filing is apparently needed. I'd like 
you to file it. You're using XFCE4, so presumably only standard repos, while I'm 
using Trinity, meaning non-standard repos, plus having a related issue you 
haven't mentioned. TDM is trying to start even though the target is multi-user, 
so ATM at least I can't get a chance to even try startx.


Once you've filed and shared a bug I'll subscribe and add comments. Bug filing 
instructions I just used for an installation problem are here:

https://www.debian.org/releases/stretch/i386/ch05s04.html.en

Main instructions seem to be different:
https://www.debian.org/Bugs/Reporting
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread kAt


Lisi Reisz:
> And let us clear up another misunderstanding while we are at it.  The other 
> side of the pond you appear to be under a delusion that there is such a thing 
> as British anything, including English.  Try telling that to the Welsh, the 
> Irish and the Scots! 

There is nevertheless an English domination in culture and
communication, on both sides of the pond, even though in N.America the
English (not British) identification as origin is way down on the list
of origins, in terms of numbers.  As there is a domination of the
industrial North and elitism against the dominated South.  As there is a
domination of European origin in South Africa, in NZ, and Australia,
among other places.  There are those who have put up one hell of a
struggle against domination and those who have done very little, and
those who were assimilated into the dominant group, which is what
dominators prefer best.  And we all know about the Irish, maybe a little
about the Scots too.  What was that other group?

Debian should not be an instrument of domination but should be equally
belonging to everyone.  This is why looking "down" at anybody should not
be tolerated.  Not in a Debian community at least!

> Lisi

From .onion land have a good weekend



[1/2 OT] Ubuntu Canonical in the EC's crosshairs

2017-03-31 Thread andre_debian
Günther OETTINGER, European Commissioner for Digital Economy
and Society, has his eye on the firm  * Canonical-Ubuntu Linux *.

"It is iniquitous that its many customers who use the Ubuntu system, 
which comes from a commercial company, do not pay a tax, 
even though the product is free, while they benefit from a 
genuine enterprise service.

This free availability is an anomaly, creating a competitive difficulty 
for the other commercial players in computing, who sell their 
product and pay commercial taxes, including VAT.
All companies in the European Community that use 
the Ubuntu system, from a commercial firm, will soon have to pay 
a tax compensation to their tax office 
(which will be determined shortly).

Companies using operating systems that come from 
community associations will be exempt from this tax, 
because the system is deemed less reliable, with service that is often almost 
non-existent, such as after-sales support", 
says the European Commissioner in charge of digital affairs.

Microsoft and Apple "welcome this decision", which "will make it possible to 
restore a fairer market", their communications and relations 
departments report.

Reminder:
Close to Chancellor Angela Merkel, Günther Oettinger, born in 1953 
in Stuttgart, was Commissioner for Energy under José Manuel Barroso. 
A chartered accountant by profession, he has acted as an advocate for German 
industrial interests in Brussels and sought to go easy on Russia 
following the outbreak of the Ukrainian crisis, in order to secure 
Europe's energy supply.
http://ec.europa.eu/archives/juncker-commission/docs/oettinger_en.pdf

For April and Aful, this is yet another scandalous low blow, aimed at breaking 
the Free and Open Source community a little more 
(a statement on their site is in preparation).

For the many companies that have Ubuntu servers, 
this is a thunderbolt!
(~50% of servers today run the Linux system).



Re: Matrox G550 mga driver hangs system

2017-03-31 Thread Tony Stoneley
Felix Miata wrote on Fri, 31 Mar 2017 02:22:10 -0400
  

>Your goal is to boot without Plymouth and without framebuffer, in
>80x25 mode, to give Xorg the best possible chance to work as expected.
>If Plymouth is installed, purge it.
>
>To proceed, hit the e key when the Grub menu appears, then remove any
>line that says "load_video", and from any line that includes "video="
>or "vesa" or "vga=" or "quiet" or "splash", remove each whole such
>string. Optionally, if the string "text" appears, remove it too.
>
>If all the above doesn't help, repeat it, but append "iomem=relaxed" to the
>line that included video and/or vesa and/or vga.

OK, I did all that. More strictly I edited grub.cfg (I do have a
rescue CD, so not a disaster if I broke grub.cfg) to comment out two
calls of load_video, one in the menu entry for the boot and one in the
preamble. The grub dialogue duly came up in 80x25 mode, encouragingly,
but even with "iomem=relaxed" on the "linux" line I still had no joy
when it came to starting X, alas.

>Are you using a greeter, or logging in on a vtty and using startx or
>equivalent?

For this investigation I am using the latter, but normally I use
lightdm and its greeter. I dispensed with lightdm here to simplify
while trying to sort out what was going on.

>What are the permissions on your /usr/bin/Xorg?

-rwxr-xr-x


>Doing something like 'journalctl -b -1 | grep -i failed' might be
>useful. There is an awful lot of stuff making particular points of
>interest hard to identify in the journal.

It certainly is hard to find the needle in the haystack, even when as
in my case much of it is gobbledegook. I've tried the suggestion but
it didn't throw up anything very startling.

One thing I have found is that although ctrl-alt-Fn has no observable
effect when the xserver has jammed, ctrl-alt-del does provoke reboot,
and the shutdown is reasonably orderly, as seen later in journalctl,
so the underlying system is still flying.

Thanks for all the other helpful instruction, even if it hasn't solved
the problem.

>It may be time for you to ask for help from the devs, using the
>debian-devel mailing list or one of the freedesktop.org Xorg mailing
>lists, or by filing a Debian bug.

Yes, perhaps, if I can pluck up enough courage...

Tony



Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread Dominik George
> On Fri, Mar 31, 2017 at 02:07:54PM +0200, Dominik George wrote:
> > That's how w^Hsomeone rooted Dreamhost.
> 
> Are you referring to the 2012 incident, or something more recent?
> 
> I thought the former was an issue with lax filesystem permissions.

(This is getting somewhat OT; if you want to discuss that further, maybe
choose private conversation or another mailing list… I only intended to
provide a scenario that was not made up.)

Something less recent, from late 2010.

The thing I described was reported only to the company themselves, who
still failed to fix the root issue for several years.

After their administrators and CEO (funnily enough, it was his
webhosting account that had the vulnerable PHP application I was talking
about…) had ignored the issue for more than a year, $someone dropped a
note in the Chaos Communication Congress' wiki. What exactly this note
was used for and what it was not used for is beyond my knowledge.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)



Re: Wan/Lan problem [SOLVED]

2017-03-31 Thread Mike McClain
On Thu, Mar 30, 2017 at 09:40:29PM -0400, Henning Follmann wrote:
> On March 30, 2017 8:27:54 PM EDT, Mike McClain  
> wrote:
> >On Thu, Mar 30, 2017 at 07:25:52AM -0400, Henning Follmann wrote:
> >> On March 28, 2017 7:46:02 PM EDT, Mike McClain
> > wrote:
> >
> >If I'm understanding you you're saying that ATT's router having an
> >address of 192.168.1.254 on eth0 while the Linux box(play), Win2k(s40)
> >and my router have addresses 192.168.1.1,2&3 on eth1 is the root of
> >the problem. Since ATT's router's address is immutable I either need
> >to reconfigure 2 computers and a router to a different net,
> >192.168.2.0 or 10.0.0.0, for instance or learn to build bridges.
> >
> >Is my understanding correct?
> >
> >Thanks,
> >Mike
>
>
> Yes,
> with your configuration both eth0 and eth1 are in 192.168.1.0/24. There is no 
> way to figure out which to use.
>
> However you have to provide more than just different subnets. The network 
> behind the firewall now needs dns and most likely also dhcp.
> You could install dnsmasq. It provides just this.
>
> However based on your initial understanding of networking I wonder if 
> something like pfsense makes more sense for you.
>
> Another way to set this up would be a transparent firewall. In that case you 
> bridge eth0 and eth1 without assigning an ip address at all. You might want 
> to have a third network interface for maintenance tho.
> Pfsense also provides that functionality.
>

My thanks to Mr. Follmann and all you others that helped.
As it turned out ATT's router having an address of 192.168.1.254 is
not immutable but subject to change by the user(me). Setting ATT's
router to 192.168.2.254 solved all my problems. With eth0 and eth1
both up, the  Linux box and the Win2K box can both browse the i'net
passing GRC.com's all ports scan and I can still mount the Win2K
shared partitions from Linux.
An extra thanks to you, Henning for pointing out the trouble spot.

Mike
--
People ain't any more interested in politics than they are in long
underwear. Both sides have lied to 'em so often that we don't look on
any candidate with admiration or with hate; we just pity 'em.
- Will Rogers



Re: strange problem with chromium

2017-03-31 Thread Cindy-Sue Causey
On 3/31/17, Dominik George  wrote:
> Hi,
>
>> […] on Ubuntu 14.04 […]
>
> Any chance you chose the wrong mailing list?


I missed that part when I skimmed the email. Am writing to say that I
am experiencing something similar *occasionally* on Debian Stretch.
Was seeing it on Jessie, too. I'll grab the message next time I see
it.

It doesn't occur 100% of the time for me. I haven't figured out what
the trigger is, either.

Apt-show-versions says I have 55.0.2883.75-6 with it being upgradeable
to 57.0.2987.98-1. Apt-get has had the chromium package on hold for
quite a few weeks now in Stretch.

Those are just observations. It is what it is, there are no
complaints. This has been occurring for me through several upgrades of
chromium. It's not anything new. It ebbs and flows in frequency and so
far is only a minor annoyance. :)

Cindy :)

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *



Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread Thierry Bugier Pineau
Here is what I have for my web server in the cipher suite:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
That only lists encryption methods; the protocol is in a separate
setting, contrary to what I remembered.
After actively searching, it seems that !SSLv3 !TLSv1.0 and !TLSv1.1
would be better placed in ssl_protocols (which should be on the
line preceding ssl_cipher_list).
I think you can try adding !SSLv3 then !TLSv1.0 and
!TLSv1.1 successively, testing each time, and see whether
problems appear. As long as you keep a working configuration
safely aside, there is no particular risk.
In reply to your last message:
- I am giving the link to the Wikipedia page again: the accent was mangled
https://fr.wikipedia.org/wiki/Confidentialité_persistante
- an example of a client connection with openssl forcing tls1 (tested
on imap.gmail.com)
openssl s_client -connect imap.server.com:993 -tls1
I am on Debian Sid, and -ssl2 and -ssl3 are apparently no longer
recognized (although still present in the documentation).
On Friday 31 March 2017 at 19:00 +0200, andre_deb...@numericable.fr
wrote:
> On Friday 31 March 2017 14:22:31 Thierry Bugier Pineau wrote:
> > It would be interesting to know what the ssl_cipher_list list
> > contained before the change, and what it contains
> now.
> 
> Before:
> ssl_cipher_list =
> ALL:!LOW:!SSLv2:!SSLv3:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:
> +HIGH:+MEDIUM
> 
> Now:
> ssl_cipher_list = TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES
> @STRENGTH
> 
> > I invite you to use an online SSL / TLS testing tool: 
> 
> SSL/TLS is indeed enabled and the test tool is positive,
> openssl, testssl etc...
> 
> > to refine the configuration now, because there are a lot 
> > of things to do to get encryption that is not too fragile.
> 
> "Refine and a lot of things to do":
> what can be done?  I'm out of my depth here...
> 
> André
> 
> 
> 

Re: debugging TLS alert

2017-03-31 Thread Brian
On Fri 31 Mar 2017 at 11:53:27 -0600, Joe Pfeiffer wrote:

> I'm trying to use exim4 to send email to another site.  My host

Which site?

> connects, negotiates a TLS connection and sends what seems to be a
> reasonable amount of application data.

Exim sends something? What is "application data"?

> I then get an encrypted alert from the other host, the connection shuts
> down, and the email doesn't get delivered.  I don't get any errors in my
> exim4 log.

Does the log say the mail is delivered? An excerpt please.

> To the best of my knowledge, the other site is the only one I try to
> send email to that is having the problem, and mine is the only host
> having trouble sending to that site.

If you are the only host with the problem you are the one creating the
problem.

> So...  any words of wisdom on how to debug this?  I've tried turning
> all logging on in exim4, and didn't get anything helpful.  Is there a
> way to turn logging on in gnutls?

One word: swaks.

-- 
Brian.



Sound problems (mpd, mpv mainly)

2017-03-31 Thread Sharon Kimble

Since an upgrade on 2017-03-28 my debian Jessie system is continuously
dropping my soundcard such that mpd and mpv have no sound at all, but,
at this time qmmp and mplayer2 both have sound and work as they should.

My sound card is an on-board chip here -

--8<---cut here---start->8---
cat /proc/asound/cards
 0 [PCH]: HDA-Intel - HDA Intel PCH
  HDA Intel PCH at 0xf733 irq 50
 1 [NVidia ]: HDA-Intel - HDA NVidia
  HDA NVidia at 0xf708 irq 17

--8<---cut here---end--->8---

When I start or reboot this computer I do 'sudo alsactl init' to get
sound working, and then run alsamixer, do 'F6' to choose my soundcard
and choose option 0 in above list. Then I run mpd and can listen to my
music and online radio. But, now the sound card is being dropped so I
get zero sound from mpd and/or mpv when I want to watch a saved TV
programme.

On the 28th these were the programmes that were upgraded and installed -

--8<---cut here---start->8---
 Installed:
gtg:all 0.3.1-1
python-configobj:all 5.0.6-1
python-glade2:amd64 2.24.0-4
python-liblarch:all 2.1.0-2
python-simplejson:amd64 3.6.5-1
python-xdg:all 0.25-4
 
 Upgraded:
chromium:amd64 56.0.2924.76-1~deb8u1 => 57.0.2987.98-1~deb8u1
eject:amd64 2.1.5+deb1+cvs20081104-13.1 => 2.1.5+deb1+cvs20081104-13.1+deb8u1
firefox-esr:amd64 45.7.0esr-1~deb8u1 => 45.8.0esr-1~deb8u1
gir1.2-gst-plugins-base-1.0:amd64 1.4.4-2 => 1.4.4-2+deb8u1
gir1.2-gstreamer-1.0:amd64 1.4.4-2 => 1.4.4-2+deb8u1
gstreamer1.0-plugins-bad:amd64 1.4.4-2.1+deb8u1 => 1.4.4-2.1+deb8u2
gstreamer1.0-plugins-base:amd64 1.4.4-2 => 1.4.4-2+deb8u1
gstreamer1.0-plugins-good:amd64 1.4.4-2+deb8u2 => 1.4.4-2+deb8u3
gstreamer1.0-plugins-ugly:amd64 1.4.4-2+b1 => 1.4.4-2+deb8u1
gstreamer1.0-x:amd64 1.4.4-2 => 1.4.4-2+deb8u1
iceweasel:all 45.7.0esr-1~deb8u1 => 45.8.0esr-1~deb8u1
libaudiofile1:amd64 0.3.6-2+deb8u1 => 0.3.6-2+deb8u2
libgstreamer-plugins-bad1.0-0:amd64 1.4.4-2.1+deb8u1 => 1.4.4-2.1+deb8u2
libgstreamer-plugins-base1.0-0:amd64 1.4.4-2 => 1.4.4-2+deb8u1
libgstreamer1.0-0:amd64 1.4.4-2 => 1.4.4-2+deb8u1
libjbig2dec0:amd64 0.11+20120125-1 => 0.13-4~deb8u1
libsmbclient:amd64 2:4.2.14+dfsg-0+deb8u2 => 2:4.2.14+dfsg-0+deb8u4
libwbclient0:amd64 2:4.2.14+dfsg-0+deb8u2 => 2:4.2.14+dfsg-0+deb8u4
samba-libs:amd64 2:4.2.14+dfsg-0+deb8u2 => 2:4.2.14+dfsg-0+deb8u4
tzdata-java:all 2016j-0+deb8u1 => 2017a-0+deb8u1
tzdata:all 2016j-0+deb8u1 => 2017a-0+deb8u1
virtualbox-5.0:amd64 5.0.32-112930~Debian~jessie => 5.0.36-114008~Debian~jessie
vivaldi-stable:amd64 1.7.735.46-1 => 1.8.770.50-1
--8<---cut here---end--->8---

I have since removed virtualbox and Vivaldi-stable thinking that they
were the cause of the problem, but it's made no difference.

The only way I have found to regain the sound for mpd/mpv is to reboot,
but it's now beginning to happen several times a day and it's impractical
to keep rebooting.

How can I get sound continuously with mpd and mpv without the card being
seemingly dropped please?

Thanks
Sharon.
-- 
A taste of linux = http://www.sharons.org.uk
TGmeds = http://www.tgmeds.org.uk
DrugFacts = https://www.drugfacts.org.uk  
Debian 8.6, fluxbox 1.3.5-2, emacs 25.1.1.1




Re: strange problem with chromium

2017-03-31 Thread Dominik George
Hi,

> […] on Ubuntu 14.04 […]

Any chance you chose the wrong mailing list?

Cheers,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)



Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread andre_debian
On Friday 31 March 2017 20:07:37 Thierry Bugier Pineau wrote:
> From what I can see, the new list does not explicitly exclude SSLv3,
> TLSv1.0 and TLSv1.1. These three encryption methods are now
> vulnerable.
> I think you need to take an inventory of the mail clients that will be
> used and find out for each whether it supports TLSv1.2. If so
> (which is very likely) then you need to add !SSLv3,
> !TLSv1.0 and !TLSv1.1 . I am guessing you took your list from
> some old unmaintained source (they are everywhere, and this mail
> will be obsolete in a few months or years). 
> Roughly speaking, SSL is completely obsolete and only TLSv1.2+ is still
> valid (as far as I know today).
> To test whether SSLv2, v2 and TLS v1.0, 1.1 are allowed, reuse the
> openssl s_client command I gave a few days ago and
> add an argument that forces the use of an encryption method.
> Try the following arguments in turn:

> -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 :
Where do these arguments go?

> (https://www.openssl.org/docs/man1.0.1/apps/s_client.html)
> A good configuration will ensure that only -tls1_2 results in a
> successful connection. The others must fail.
> Then there is perfect forward secrecy to check; I do not yet have
> sufficient knowledge on this subject, but it is again a matter of
> SSL/TLS settings. (introduction here:

> https://fr.wikipedia.org/wiki/Confidentialit%C3%A9_persistante :
404 error...

> Perhaps the preferred cipher suite for my web server will be
> of interest; I will share it shortly:

Yes, I'd like that.

See you,

André



Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread Thierry Bugier Pineau
Good evening
From what I can see, the new list does not explicitly exclude SSLv3,
TLSv1.0 and TLSv1.1. These three encryption methods are now
vulnerable.
I think you need to take an inventory of the mail clients that will be
used and find out for each whether it supports TLSv1.2. If so
(which is very likely) then you need to add !SSLv3,
!TLSv1.0 and !TLSv1.1 . I am guessing you took your list from
some old unmaintained source (they are everywhere, and this mail
will be obsolete in a few months or years). 
Roughly speaking, SSL is completely obsolete and only TLSv1.2+ is still
valid (as far as I know today).
To test whether SSLv2, v2 and TLS v1.0, 1.1 are allowed, reuse the
openssl s_client command I gave a few days ago and
add an argument that forces the use of an encryption method.
Try the following arguments in turn:
-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2
(more detail here https://www.openssl.org/docs/man1.0.1/apps/s_client.html)
A good configuration will ensure that only -tls1_2 results in a
successful connection. The others must fail.
Then there is perfect forward secrecy to check; I do not yet have
sufficient knowledge on this subject, but it is again a matter of
SSL/TLS settings. (introduction here https://fr.wikipedia.org/wiki/Confidentialit%C3%A9_persistante)
Perhaps the preferred cipher suite for my web server will be
of interest; I will share it shortly.
On Friday 31 March 2017 at 19:00 +0200, andre_deb...@numericable.fr
wrote:
> On Friday 31 March 2017 14:22:31 Thierry Bugier Pineau wrote:
> > It would be interesting to know what the ssl_cipher_list list
> > contained before the change, and what it contains
> now.
> 
> Before:
> ssl_cipher_list =
> ALL:!LOW:!SSLv2:!SSLv3:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:
> +HIGH:+MEDIUM
> 
> Now:
> ssl_cipher_list = TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES
> @STRENGTH
> 
> > I invite you to use an online SSL / TLS testing tool: 
> 
> SSL/TLS is indeed enabled and the test tool is positive,
> openssl, testssl etc...
> 
> > to refine the configuration now, because there are a lot 
> > of things to do to get encryption that is not too fragile.
> 
> "Refine and a lot of things to do":
> what can be done?  I'm out of my depth here...
> 
> André
> 
> 
> 
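
Added example, not part of the messages in this thread: a small POSIX shell script that runs the protocol-by-protocol `openssl s_client` test described above and also handles the case, noted in Thierry's follow-up message, where the local openssl no longer recognises `-ssl2`/`-ssl3`. The function names, the result words and the error-text patterns it matches are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report which SSL/TLS protocol versions a server accepts,
# using the s_client flags listed in the message above.
# Usage: sh tls-probe.sh HOST PORT [extra s_client args, e.g. -starttls smtp]

PROTOCOL_FLAGS="-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2"

# probe_one HOST PORT FLAG [EXTRA...]
# Prints one word:
#   accepted     handshake completed with this protocol
#   refused      handshake failed (can also be the local openssl's own
#                policy; confirm with a second client if in doubt)
#   unsupported  the local openssl does not know the flag, so nothing
#                was tested
probe_one() {
    host=$1
    port=$2
    flag=$3
    shift 3
    status=0
    # stdin from /dev/null so s_client exits once the handshake is over.
    out=$(openssl s_client -connect "$host:$port" "$flag" "$@" \
          </dev/null 2>&1) || status=$?
    # Assumed wording of the "flag not known" error; adjust for your build.
    if printf '%s\n' "$out" | grep -Eiq 'unknown option|unrecognized flag'; then
        echo unsupported
    elif [ "$status" -eq 0 ] &&
         ! printf '%s\n' "$out" | grep -Fq 'Cipher is (NONE)'; then
        echo accepted
    else
        echo refused
    fi
}

# audit HOST PORT [EXTRA...]
# Prints one "FLAG RESULT" line per protocol. Returns 0 only if -tls1_2 is
# accepted and no older protocol is accepted. "unsupported" rows were not
# tested by this client and need another tool to confirm.
audit() {
    host=$1
    port=$2
    shift 2
    verdict=0
    for flag in $PROTOCOL_FLAGS; do
        result=$(probe_one "$host" "$port" "$flag" "$@")
        printf '%-8s %s\n' "$flag" "$result"
        case "$flag:$result" in
            -tls1_2:accepted) ;;          # the one protocol that should work
            -tls1_2:*) verdict=1 ;;       # TLS 1.2 itself is not available
            *:accepted) verdict=1 ;;      # an older protocol is still enabled
        esac
    done
    return "$verdict"
}

if [ "$#" -ge 2 ]; then
    audit "$@"
fi
```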

debugging TLS alert

2017-03-31 Thread Joe Pfeiffer
I'm trying to use exim4 to send email to another site.  My host
connects, negotiates a TLS connection and sends what seems to be a
reasonable amount of application data.

I then get an encrypted alert from the other host, the connection shuts
down, and the email doesn't get delivered.  I don't get any errors in my
exim4 log.

To the best of my knowledge, the other site is the only one I try to
send email to that is having the problem, and mine is the only host
having trouble sending to that site.

So...  any words of wisdom on how to debug this?  I've tried turning
all logging on in exim4, and didn't get anything helpful.  Is there a
way to turn logging on in gnutls?

Thanks,



Re: Deb-Installer: Possible to set IP using a boot parameter?

2017-03-31 Thread Doug


On 03/31/2017 07:20 AM, Ron Leach wrote:

On 28/03/2017 18:15, Brian wrote:


Any combination of preseed directives can be used
as boot parameters. For example: netcfg/get_ipaddress=192.168.1.42.


AFAIK, not on the website. You can generate all the preseed options for
yourself. Search the wiki for "preseed".




Brian, thanks for the reply.  I see that that would seem to work

In the end I veered towards the 'preseed' approach, partly because 
some guidelines I was following and which included the USB rewrite 
were based on that objective.  My first try has failed to produce a 
bootable USB, but I'll do a lot more testing and checking before 
perhaps asking for any more help.  I recall that there's recently been 
a long thread about preseeding which will be helpful, I think.


regards, Ron



Isn't the boot device set in the BIOS? Perhaps your BIOS doesn't include 
a USB device in its selections?


--doug



Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread andre_debian
On Friday 31 March 2017 14:22:31 Thierry Bugier Pineau wrote:
> It would be interesting to know what the ssl_cipher_list
> contained before the change, and what it contains now.

Before:
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:
+HIGH:+MEDIUM

Now:
ssl_cipher_list = TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH

> I invite you to use an online SSL/TLS testing tool:

SSL/TLS is indeed enabled and the test tool gives a positive result,
openssl, testssl etc...

> to refine the configuration now, because there are a lot
> of things to do to get encryption that is not too fragile.

"Refine and a lot of things to do":
what can be done?  I'm out of my depth here...

André




strange problem with chromium

2017-03-31 Thread Bernard

Hi to Everyone,

Every time I start my newly installed Chromium (on Ubuntu 14.04), I get 
this warning message below. I have to cancel it twice before the app 
starts to work normally.


translated from French :
'Please type your password to unlock connection tool kit. The password 
you are using for the purpose of starting a session on this computer, no 
longer matches that of your connexion tool-kit'. Whichever passwords that 
may be relevant that I type or retype, are not recognized.


in the meantime, this other warning displays : 'Impossible to read your 
preferences. Some functions may not be available, and your personal 
config may not be saved'


Every other software works OK on this system with no password problem. 
In fact, Chromium also seems to work OK, once I have cancelled twice the 
warning above, and whatever change I make is being recorded for next 
start, such as character size.


Thanks in advance for your advice

Bernard



Recording needed data from mate-search-tool - possible?

2017-03-31 Thread Richard Owlett

I am using Jessie with MATE desktop.
I search for a string within a filename OR folder name.
I must distinguish between files, folders and links to either.
"Applications->Accessories->Search for files" will DISPLAY the data.
*HOWEVER* attempting to record the data yields obfuscated data:


ITEM NOTE
[ 1] [1] /var/cache/apt/archives/wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u11_all.deb
[ 2] [2] /usr/share/wordpress/wp-content/themes/twentyfifteen
[ 3] [2] /var/lib/wordpress/wp-content/upgrade/twentyfifteen.tmp/twentyfifteen
[ 4] [2] /var/lib/wordpress/wp-content/upgrade/twentyfifteen.tmp
[ 5] [2] /usr/share/doc/wordpress-theme-twentyfifteen
[ 6] [3] /var/lib/wordpress/wp-content/themes/twentyfifteen
[ 7] [4] /usr/share/lintian/overrides/wordpress-theme-twentyfifteen
[ 8] [4] /var/lib/dpkg/info/wordpress-theme-twentyfifteen.list
[ 9] [1] /var/lib/dpkg/info/wordpress-theme-twentyfifteen.md5sums
[10] [1] /usr/share/wordpress/wp-content/themes/twentyfifteen/languages/twentyfifteen.pot
[11] [1] /home/richard/Downloads/twentyfifteen.1.7.zip


Notes:
1 a filename w extension
2 folder
3 link to folder
4 a filename w/o extension

NOTA BENE
Item 4 is a folder but resembles a filename w extension


Any suggestions?





Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread Curt
On 2017-03-31, Greg Wooledge  wrote:
>
> For whatever it's worth, here in Ohio, "next Thursday" would mean the
> Thursday that occurs in the next calendar week.  "This Thursday" means
> the Thursday that occurs (or occurred) in the current calendar week,
> though you'd need to use the past tense when saying it today, or people
> would get very confused.

Someone once taught me a song about Ohio. It went something like this:

Oh why oh why oh why oh,
Did I ever leave Ohio.

Never forgot that song.

> If you want to be clear, just include the numeric date.  Your meeting
> would be "Thursday, April 6th".

2018. 

Trouble with you people is you don't get out on some of the other days
of the week.

> English is hilarious.
>
>


-- 
"It might be a vision--of a shell, of a wheelbarrow, of a fairy kingdom on the
far side of the hedge; or it might be the glory of speed; no one knew." --Mrs.
Ramsay, speculating on why her little daughter might be dashing about, in "To
the Lighthouse," by Virginia Woolf.



Re: One about hostapd on Debian 7...

2017-03-31 Thread luisededios
On Fri, 31 Mar 2017 08:48:52 -0400, Antonio Trujillo Carmona  
 wrote:



On 31/03/17 at 03:30, luisededios wrote:

On Thu, 30 Mar 2017 14:11:47 -0400, JAP wrote:


On 29/03/17 at 15:43, luisededios wrote:

Mine comes down to a ZeroShell captive portal, which could be
fooled by means of a Python script, which was started from
/etc/rc.local.

I'm interested in that topic; do you remember how you did it from rc.local,
any line? :)

Right.
I did it in two different ways.
One, by adding the login script to my KDE desktop, under "Startup and
Shutdown", "Autostart".
That way, it started only if I logged in to KDE.
The downside is that with any little desktop problem, I was left without
network.

So I went on to add the following line to /etc/rc.local

/usr/bin/python /opt/ZeroShell/zeroshell-autologin.py

I got this from https://code.google.com/archive/p/zeroshell-autologin/


The script in question, with some tiny modification of mine, is the
following:


=
#!/usr/bin/python

# ZeroShell autologin

# load python library

from urllib import urlencode
from urllib2 import urlopen
from HTMLParser import HTMLParser
from time import sleep

# login conf

USERNAME = 'MiUsuario'
PASSWORD = 'MiClaveMuyDificil'
REALM = 'ElDominio'     # your ISP's domain
SERVER = '192.168.1.1'  # the ZeroShell server

# default params

PROTOCOL = 'http'
PORT = '12080'
SCRIPT = 'zscp'
ZSCPRedirect = '_:::_'

URL = PROTOCOL + '://' + SERVER + ':' + PORT + '/cgi-bin/' + SCRIPT
RENEW_INTERVAL = 40

# class to parse Captive Portal HTML

class ZSParser(HTMLParser):
    def __init__(self):
        HTMLParser.__init__(self)
        self.params = {}
        params = { 'U' : USERNAME , 'P' : PASSWORD , 'Realm' : REALM ,
                   'Section' : 'CPAuth' , 'Action' : 'Authenticate' ,
                   'ZSCPRedirect' : '_:::_' }
        http_req = urlopen(URL, urlencode(params))
        html_content = http_req.read()
        self.feed(html_content)

    def get_authkey(self):
        # after parsing the HTML, return the authenticator string
        return self.params['Authenticator']

    def handle_starttag(self, tag, attrs):
        # parse only the html input and hidden tags
        if tag == 'input' and attrs[0][1] == 'hidden':
            self.params[attrs[1][1]] = attrs[2][1]

parser = ZSParser() # instantiate the class
authkey = parser.get_authkey() # get authenticator string

# http_request 1 - Section = CPGW

params = { 'U' : USERNAME , 'P' : PASSWORD , 'Realm' : REALM ,
           'Authenticator' : authkey, 'Section' : 'CPGW' ,
           'Action' : 'Connect' , 'ZSCPRedirect' : '_:::_' }
urlopen(URL, urlencode(params))

# http_request 2 - Section = ClientCTRL

params = { 'U' : USERNAME , 'P' : PASSWORD , 'Realm' : REALM ,
           'Authenticator' : authkey, 'Section' : 'ClientCTRL' ,
           'Action' : 'Connect' , 'ZSCPRedirect' : '_:::_' }
urlopen(URL, urlencode(params))


while True:
    sleep(RENEW_INTERVAL) # wait a time in seconds to renew the connection
    params = { 'Authenticator' : authkey, 'Section' : 'CPGW' ,
               'Action' : 'Renew' , 'ZSCPRedirect' : '_:::_' }
    urlopen(URL, urlencode(params))

=


Known problems:

Sometimes, when the system "lagged", the machine was disconnected from the
network because the session had expired. That, if you use an ordinary
browser, is a matter of restarting it, but here I was left with the script
still running.
So, as root, I had to kill python and restart the script.
The BOFH I ended up with put a timer on the portal, so that if my
connection dropped, I had to wait 10 minutes before trying to reconnect.

# killall -s 9 python

# /etc/rc.local
or
# /usr/bin/python /opt/ZeroShell/zeroshell-autologin.py &

JAP

Interesting application, but I thought the username and password could be
passed in /etc/network/interfaces :)


As I said, I don't know much about captive portals; just to mention
something, at my work, to fill in a web form (which sends SMS, it's not the
same) we use wget to send the username, the password and the text.
I don't know if it will help you, since the portal can be expected to use
some technique to control how long the session stays open, so I think wget
would not work for you, as it would finish right after starting.
If you managed to find out which captive portal they implement, you could
search the internet for how to get through it.

Well, that info is harder to get, since I have no access to the admins of
that system and I don't think they would give it to me either, but well,
nothing is lost by trying  :)


--
Regards,
Luis



unattended upgrades does not do anything

2017-03-31 Thread Gregor Zattler
Dear fellow debian users,

this is about a debian stable (=jessie) system and it does not
upgrade unattended and I have no clue how to debug this:

It's configured for jessie repositories:

# egrep -v "(^[[:space:]]*[#;\\])|^[[:space:]]*$" sources.list
deb http://ftp.de.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
deb http://ftp.de.debian.org/debian/ jessie-updates main


unattended-upgrades is installed:
# dpkg -l unattended-upgrades |grep ii
ii  unattended-upgrades 0.83.3.2+deb8u1 all  automatic installation of security upgrades


To me the apt config files look fine:

# egrep -v "(^[[:space:]]*[#;/])|^[[:space:]]*$" /etc/apt/apt.conf.d/02periodic
Dir "/";
Dir::Cache "var/cache/apt/";
Dir::Cache::Archives "archives/";
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Download-Upgradeable-Packages-Debdelta "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "2";

# egrep -v "(^[[:space:]]*[#;/])|^[[:space:]]*$" /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

For some reason there is obviously some duplication but I
don't think this is a problem.

I don't really know what the Origins-Pattern should look like but
I cannot remember having messed with them:

# egrep -v "(^[[:space:]]*[#;/])|^[[:space:]]*$" /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
};


Cron is installed...
# dpkg -l cron|grep ii
ii  cron   3.0pl1-127+deb8u1 i386 process scheduling daemon


... and running:


# ps fax|grep "[c]ron"
 1499 ?        Ss     0:02 /usr/sbin/cron -f



to me the basic configuration looks fine:

# egrep -v "(^[[:space:]]*[#;/])|^[[:space:]]*$" /etc/default/cron
READ_ENV="yes"
# egrep -v "(^[[:space:]]*[#;/])|^[[:space:]]*$" /etc/default/anacron
ANACRON_RUN_ON_BATTERY_POWER=no


and the system is on corded power:
# acpi -a
Adapter 0: on-line




there are cron configuration files for apt:
# ls -l /etc/cron.daily/apt*
-rwxr-xr-x 1 root root 15333 Mär  2  2016 /etc/cron.daily/apt
-rwxr-xr-x 1 root root 15335 Aug 31  2015 /etc/cron.daily/apt~
-rwxr-xr-x 1 root root 15290 Feb 16  2015 /etc/cron.daily/apt.dpkg-old
-rwxr-xr-x 1 root root   314 Nov  5  2012 /etc/cron.daily/aptitude


The only change to the apt config file is:

# diff -Nur /etc/cron.daily/apt~ /etc/cron.daily/apt
--- /etc/cron.daily/apt~2015-08-31 15:51:57.063709255 +0200
+++ /etc/cron.daily/apt 2016-03-02 10:04:25.595379714 +0100
@@ -282,7 +282,7 @@
# (some code taken from cron-apt, thanks)
random_sleep()
{
-RandomSleep=1800
+RandomSleep=18
eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep)
if [ $RandomSleep -eq 0 ]; then
return
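
Review bot: the shortened default on the "RandomSleep=18" line is made by editing the packaged script /etc/cron.daily/apt itself, although the next context line, "eval $(apt-config shell RandomSleep APT::Periodic::RandomSleep)", already takes the value from apt configuration when it is set there. Setting APT::Periodic::RandomSleep in a file under /etc/apt/apt.conf.d/ would have the same effect without a local modification to a packaged script (the listing above already shows apt~ and apt.dpkg-old beside it), and it would keep the reason for the change visible next to the other APT::Periodic settings. If the in-script edit stays, a comment beside the value saying why it was shortened is missing.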


... because this machine used to be up only for round about an
hour a day, but this is not true any more, the system is now up
long enough for it to catch some security upgrade:
# uptime
 17:25:41 up 12 days, 22:06,  3 users,  load average: 0,00, 0,02, 0,00
 


but there is not much of an activity lately:

# ls -Altr /var/log/unattended-upgrades/|tail
-rw-r--r-- 1 root root  191 Jul 27  2015 unattended-upgrades-dpkg_2015-07-27_10:50:00.414149.log.1.gz
-rw-r--r-- 1 root root  384 Jul 29  2015 unattended-upgrades-dpkg_2015-07-29_18:20:11.584658.log.1.gz
-rw-r--r-- 1 root root  995 Aug  1  2015 unattended-upgrades.log.1.gz
-rw-r--r-- 1 root root    0 Aug  1  2015 unattended-upgrades-dpkg_2015-07-08_19:46:46.479193.log
-rw-r--r-- 1 root root    0 Aug  1  2015 unattended-upgrades-dpkg_2015-07-27_10:50:00.414149.log
-rw-r--r-- 1 root root    0 Aug  1  2015 unattended-upgrades-dpkg_2015-07-29_18:20:11.584658.log
-rw-r--r-- 1 root root 1058 Aug  4  2015 unattended-upgrades-dpkg_2015-08-04_20:25:14.411794.log
-rw-r--r-- 1 root root 1418 Aug  7  2015 unattended-upgrades-dpkg_2015-08-07_11:27:50.855330.log
-rw-r--r-- 1 root root  540 Aug 19  2015 unattended-upgrades-dpkg_2015-08-19_10:53:36.820176.log
-rw-r--r-- 1 root root 9056 Mär  2  2016 unattended-upgrades.log


Does anybody have an idea how to investigate this and how to
enable unattended upgrades?

Thanks, Gregor



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread Peter Hillier-Brook
On 31/03/17 14:34, Lisi Reisz wrote:
> On Friday 31 March 2017 14:04:03 rhkra...@gmail.com wrote:
>> To specify the Thursday before the last Thursday, use something like: "the
>> Thursday before last Thursday".
>>
>> To specify the Thursday after the coming Thursday, use something like: "the
>> Thursday after next Thursday".
> 
> Great - all fine in theory.  But you try announcing a meeting that way!!!  
> Here in England we debate it, meaning that I and my husband disagree.  When I 
> say "next Thursday", I mean the Thursday next week.  When he says next 
> Thursday he means the next Thursday to arrive, i.e. this Thursday.  We are 
> both English, but I Cockney-born and he Yorkshire.

By definition you're wrong! A Yorkshireman trumps anyone else. :-)

> And let us clear up another misunderstanding while we are at it.  The other 
> side of the pond you appear to be under a delusion that there is such a thing 
> as British anything, including English.  Try telling that to the Welsh, the 
> Irish and the Scots! 

Too right. English is the source of all the other dialects and it's
tautological to prepend 'British' when referring to the language used in
Great Britain.






Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread Eike Lantzsch
On Friday, 31 March 2017 10:43:50 -04 Stefan Monnier wrote:
> I tried "aptitude install Thursday" and that failed miserably.
> Then I tried with `apt-get`: same result.
> 
> The worst part is that I get the same kinds of failures when I try
> "aptitude install this Thursday" or "aptitude install next Thursday".
> 
> 
> Stefan "confused about this Debian thing"
> 
it is e.g.:
date -d thursday

or:
date -d next-thursday

or:
date --date='TZ="America/Asuncion" 09:00 next Thu'

or
calendar -w -t 20170406




glade3, no progress in making it work like glade2?

2017-03-31 Thread Gene Heskett
Greetings all;

There was at one time, quite an extensive list of video widgets for the 
glade2 environment, but when gtk2 went to gtk3, the only thing that was 
brought forward was the designer and a small list of mostly text 
oriented stuff, leaving out in glade-3.12.1, all the stuff needed to 
make it actually usable to a gui designer.

So we are now stuck with the tcl/tk toolkit and python to drive it. So we 
_can_ get the job done, but we're stuck with a text editor, writing most 
of the video stuff in xml.

But the stripping of 3/4ths of the graphics widgets from gtk3, has 
essentially made a steer out of what was a quite capable bull.

Cannot glade be drug, probably kicking and screaming, into the gtk3 
world?

Or are we stuck using pyvcp for this stuff forever? gtk3 has been out for 
what, 6 years now?

Thanks for any hints on how to bring glade back to life in today's 
environment.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: why??why?why??

2017-03-31 Thread Reco
On Fri, 31 Mar 2017 23:50:12 +1300
cbannis...@slingshot.co.nz wrote:

> On Sun, Mar 12, 2017 at 05:57:19PM +0900, Mark Fletcher wrote:
> > On Fri, Mar 10, 2017 at 02:09:22AM +, Shahryar Afifi wrote:
> 
> [some stuff]
> 
> > 
> > This is yet another of those threads where the OP never returns after 
> > dropping their troll bomb... the only why oh why here is why oh why do 
> > we collectively never learn not to feed the trolls...
> 
> Do you think it may possibly be that they are a first time poster and not
> subscribed and that no one cc's them and they think their post is being 
> ignored?

Message-ID: 22583362.2602479.1489111762...@mail.yahoo.com contains
X-Spam-Status header saying:

X-Spam-Status: No, score=-8.7 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,

DKIM_VALID_AU,DKIM_VERIFIED,FREEMAIL_FROM,LDOSUBSCRIBER,LDO_WHITELIST,ONEWORD,
RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,RCVD_IN_SORBS_SPAM,RP_MATCHES_RCVD
autolearn=unavailable autolearn_force=no version=3.4.0

LDOSUBSCRIBER means that the sender is subscribed to the list.

Does not mean that OP is still subscribed to this list of course.

Reco



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread Lisi Reisz
On Friday 31 March 2017 15:43:50 Stefan Monnier wrote:
> I tried "aptitude install Thursday" and that failed miserably.
> Then I tried with `apt-get`: same result.
>
> The worst part is that I get the same kinds of failures when I try
> "aptitude install this Thursday" or "aptitude install next Thursday".
>
>
> Stefan "confused about this Debian thing"

:-)  Sorry.

One of the best tempered reasonable objections I recall seeing.

Lisi



Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread Lisi Reisz
On Friday 31 March 2017 15:15:46 rhkra...@gmail.com wrote:
> On Friday, March 31, 2017 09:34:26 AM Lisi Reisz wrote:
> > On Friday 31 March 2017 14:04:03 rhkra...@gmail.com wrote:
> > > To specify the Thursday before the last Thursday, use something like:
> > > "the Thursday before last Thursday".
> > >
> > > To specify the Thursday after the coming Thursday, use something like:
> > > "the Thursday after next Thursday".
> >
> > Great - all fine in theory.  But you try announcing a meeting that way!!!
> > Here in England we debate it, meaning that I and my husband disagree. 
> > When I say "next Thursday", I mean the Thursday next week.  When he says
> > next Thursday he means the next Thursday to arrive, i.e. this Thursday. 
> > We are both English, but I Cockney-born and he Yorkshire.
>
> And you're still married? ;-)
>
> > And let us clear up another misunderstanding while we are at it.  The
> > other side of the pond you appear to be under a delusion that there is
> > such a thing as British anything, including English.  Try telling that to
> > the Welsh, the Irish and the Scots!
>
> Similar to the situation on this side of the pond, for example north and
> south, or New England, California, Pennsylvania Dutch ("throw your father
> down the stairs his hat" ;-),  and other parts of the US (or Canada).

Not quite.  California and New England are, so far, part of the same nation.  
We are part of the same sovereign state, but 4 nations.

Lisi



Re: OT: speaking of days (weeks, months, years, etc.)

2017-03-31 Thread Stefan Monnier
I tried "aptitude install Thursday" and that failed miserably.
Then I tried with `apt-get`: same result.

The worst part is that I get the same kinds of failures when I try
"aptitude install this Thursday" or "aptitude install next Thursday".


Stefan "confused about this Debian thing"


> "rhkramer" == rhkramer   writes:

> On Friday, March 31, 2017 06:30:25 AM Terence wrote:
>> There is no ambiguity if (as I have always understood) "Thursday" means
>> "this (or the coming) Thursday" and "next Thursday" or "Thursday next"
>> means "a week on Thursday".
>> 
>> And having lived in Yorkshire for two very happy years, I would agree that
>> York is above London in so many ways...

> To me, all that has been discussed is (potentially) confusing and ambiguous.

> To me, I prefer the following--ohh, most of the examples assume that the 
> current day is not Thursday (but maybe that makes no difference):

> Thursday can refer either to the coming Thursday or the previous Thursday 
> based on the context, for example:

> On Thursday, we played baseball.  (obvious (to me) that was the (just) 
> previous Thursday)

> The paper is due on Thursday.  (obvious (to me) that is the (just) coming 
> Thursday)

> Last Thursday, we played baseball.  (clear to me, but the "last" is redundant 
> and may be ambiguous to some--might some mean the Thursday before the most 
> recent??)

> The paper is due next Thursday.   (clear to me, but the "next" is redundant 
> and is ambiguous to some--some seem to mean the Thursday after the coming / 
> really next Thursday)

> The paper is due Thursday next.  (clear to me, but the "next" is redundant 
> and is ambiguous to some--some seem to mean the Thursday after the coming / 
> really next Thursday--it might be a Briticism (to coin or mangle a word))

> To specify the Thursday before the last Thursday, use something like: "the 
> Thursday before last Thursday".

> To specify the Thursday after the coming Thursday, use something like: "the 
> Thursday after next Thursday".

> Use similar constructs for other days, weeks, months, years, millennia, 
> minutes, hours, etc., or better, specify a date, year, time, or similar.

> I'm not aware of whether the grammar lords have established a clear preferred 
> usage pattern--if they have, I'm sure it differs on the two sides of the 
> Atlantic.

> (Maybe this is my subconscious bid to become a grammar lord??  Uuh, I think 
> I'll shut up now, I'd hate to be tagged with that label.)

> Randy Kramer







 





Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread Eike Lantzsch
On Friday, 31 March 2017 10:18:24 -04 rhkra...@gmail.com wrote:
> On Friday, March 31, 2017 09:45:59 AM Greg Wooledge wrote:
> > On Fri, Mar 31, 2017 at 02:34:26PM +0100, Lisi Reisz wrote:
> > > Great - all fine in theory.  But you try announcing a meeting that
> > > way!!!
> > > Here in England we debate it, meaning that I and my husband disagree.
> > > When I say "next Thursday", I mean the Thursday next week.  When he says
> > > next Thursday he means the next Thursday to arrive, i.e. this Thursday.
> > > We are both English, but I Cockney-born and he Yorkshire.
> > 
> > For whatever it's worth, here in Ohio, "next Thursday" would mean the
> > Thursday that occurs in the next calendar week.  "This Thursday" means
> > the Thursday that occurs (or occurred) in the current calendar week,
> > though you'd need to use the past tense when saying it today, or people
> > would get very confused.
> 
> Interesting!  (I guess I've run into that meaning without really realizing
> it...)
> 
> > If you want to be clear, just include the numeric date.  Your meeting
> > would be "Thursday, April 6th".
> > 
> > English is hilarious.
> 
> +10

Ambiguity often is good and can be used to postpone fruitless discussions:
Coworker: "When will this be ready?"
Me: "On Thursday."
on closest Thursday ->
Coworker: "Hey, is XX ready?"
Me: "No."
Coworker: "You said it will be ready on Thursday."
Me: "Did I indicate which Thursday?"
Coworker: "!!" now starting fruitless discussion



Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread rhkramer
On Friday, March 31, 2017 09:45:59 AM Greg Wooledge wrote:
> On Fri, Mar 31, 2017 at 02:34:26PM +0100, Lisi Reisz wrote:
> > Great - all fine in theory.  But you try announcing a meeting that way!!!
> > Here in England we debate it, meaning that I and my husband disagree. 
> > When I say "next Thursday", I mean the Thursday next week.  When he says
> > next Thursday he means the next Thursday to arrive, i.e. this Thursday. 
> > We are both English, but I Cockney-born and he Yorkshire.
> 
> For whatever it's worth, here in Ohio, "next Thursday" would mean the
> Thursday that occurs in the next calendar week.  "This Thursday" means
> the Thursday that occurs (or occurred) in the current calendar week,
> though you'd need to use the past tense when saying it today, or people
> would get very confused.

Interesting!  (I guess I've run into that meaning without really realizing 
it...)

> If you want to be clear, just include the numeric date.  Your meeting
> would be "Thursday, April 6th".
> 
> English is hilarious.

+10



Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread rhkramer
On Friday, March 31, 2017 09:34:26 AM Lisi Reisz wrote:
> On Friday 31 March 2017 14:04:03 rhkra...@gmail.com wrote:
> > To specify the Thursday before the last Thursday, use something like:
> > "the Thursday before last Thursday".
> > 
> > To specify the Thursday after the coming Thursday, use something like:
> > "the Thursday after next Thursday".
> 
> Great - all fine in theory.  But you try announcing a meeting that way!!!
> Here in England we debate it, meaning that I and my husband disagree.  When
> I say "next Thursday", I mean the Thursday next week.  When he says next
> Thursday he means the next Thursday to arrive, i.e. this Thursday.  We are
> both English, but I Cockney-born and he Yorkshire.

And you're still married? ;-)

> 
> And let us clear up another misunderstanding while we are at it.  The other
> side of the pond you appear to be under a delusion that there is such a
> thing as British anything, including English.  Try telling that to the
> Welsh, the Irish and the Scots!

Similar to the situation on this side of the pond, for example north and 
south, or New England, California, Pennsylvania Dutch ("throw your father down 
the stairs his hat" ;-),  and other parts of the US (or Canada).



Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread Greg Wooledge
On Fri, Mar 31, 2017 at 02:34:26PM +0100, Lisi Reisz wrote:
> Great - all fine in theory.  But you try announcing a meeting that way!!!  
> Here in England we debate it, meaning that I and my husband disagree.  When I 
> say "next Thursday", I mean the Thursday next week.  When he says next 
> Thursday he means the next Thursday to arrive, i.e. this Thursday.  We are 
> both English, but I Cockney-born and he Yorkshire.

For whatever it's worth, here in Ohio, "next Thursday" would mean the
Thursday that occurs in the next calendar week.  "This Thursday" means
the Thursday that occurs (or occurred) in the current calendar week,
though you'd need to use the past tense when saying it today, or people
would get very confused.

If you want to be clear, just include the numeric date.  Your meeting
would be "Thursday, April 6th".

English is hilarious.



Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread Dominik George
>Well, not without getting root first.
>
>And making something listen that spawns a shell usable to gain further
>access is a big win. Keeping uploading PHP code to some vulnerable
>webserver will at some point be noticed. Uploading something spawning a
>shell once probably not.
>

When $someone hacked $somebigamericanwebhoster some years ago, $they first 
found a CMS that allowed online editing of its PHP code. $they were able to use 
that to run arbitrary shell commands. However, that thing had an edit history, 
so keeping passing in new code produced a well-visible log each time (in 
retrospect, $they could just have patched that away, but well...).

Uploading and starting ajaxterm, however, cost $them only two edits, and as it 
went listening on its own port without a firewall logging, $they had an 
interactive shell that could be configured to keep no record of anything.

(Not of any interest here, but $they then found a misconfigured NFS share that 
mapped all UIDs to root, keeping suid bits... use your imagination for the 
rest. But $they would not have found that without an interactive shell.)

-nik
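
The case described in this thread, a process running as the web-server user that starts listening on a port of its own, can be checked for from the defender's side by comparing listening sockets against a known baseline. This is an added example, not code from any poster in the thread; it assumes the Linux /proc/net/tcp layout on a little-endian host, and the sample lines, UIDs, ports and baseline are all constructed.

```python
import ipaddress
import socket
from typing import NamedTuple

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int
    inode: int


# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Entry 3 is a listener owned by uid 33; entry 4 is an established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 11003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F56 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000    33        0 11005 1 0000000000000000 100 0 0 10 0
"""

# Constructed baseline: (port, owning uid) pairs that are expected to listen.
BASELINE = {(22, 0), (80, 0), (3306, 106)}
# Constructed set of unprivileged service accounts (33 stands in for the web-server user).
SERVICE_UIDS = {33}


def parse_proc_net_tcp(text):
    """Return the IPv4 sockets in LISTEN state from /proc/net/tcp-formatted text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        # The address is printed as a host-order 32-bit value, so on a
        # little-endian machine the bytes must be reversed to read it.
        addr = socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])
        listeners.append(
            Listener(addr, int(hex_port, 16), int(fields[7]), int(fields[9]))
        )
    return listeners


def unexpected_listeners(listeners, baseline, service_uids):
    """Return (severity, listener) for every listener missing from the baseline.

    A listener owned by a service account and bound to a non-loopback
    address is rated "high"; anything else outside the baseline is "review".
    """
    findings = []
    for lsn in listeners:
        if (lsn.port, lsn.uid) in baseline:
            continue
        reachable = not ipaddress.ip_address(lsn.addr).is_loopback
        severity = "high" if lsn.uid in service_uids and reachable else "review"
        findings.append((severity, lsn))
    return findings


if __name__ == "__main__":
    found = unexpected_listeners(
        parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), BASELINE, SERVICE_UIDS
    )
    for severity, lsn in found:
        print(f"{severity}: {lsn.addr}:{lsn.port} uid={lsn.uid} inode={lsn.inode}")
```

On a real host the same functions can be fed the contents of /proc/net/tcp, with the baseline recorded while the machine is in a known-good state.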



Re: ipv6 apt issue

2017-03-31 Thread Andy Smith
Hi,

On Tue, Mar 28, 2017 at 01:24:39PM -0500, Matt Zagrabelny wrote:
> I've got a dual stack host and when doing various apt-y things I attempt to
> connect to:
> 
> # apt update
> 0% [Connecting to ftp-chi.osuosl.org (2600:3402:200:227::2)
> 
> but it hangs and doesn't seem to complete its connection.

Well, there must be a connectivity issue between you and
2600:3402:200:227::2. These things happen.

> If I look at my sources lists:
> 
> % grep http /etc/apt/sources.list.d/*.list | sed -e 's/.*http:\/\///' | uniq
> ftp.us.debian.org/debian/ experimental main
> ftp.us.debian.org/debian/ jessie main contrib non-free
> ftp.us.debian.org/debian/ sid main contrib non-free
> ftp.us.debian.org/debian/ stretch main contrib non-free
> 
> I don't have an /etc/apt/sources.list file. To my observation, my host
> should only be connecting ftp.us.debian.org.

apt uses SRV records:

$ dig +short -t SRV _http._tcp.ftp.us.debian.org
0 2 80 ftp-nyc.osuosl.org.
0 1 80 debian.gtisc.gatech.edu.
0 1 80 ftp-chi.osuosl.org.

That's where you're getting the host name ftp-chi.osuosl.org from.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
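
The explanation above can be reproduced from the dig output alone, and it matters for egress filtering: the hosts a client ends up contacting are the SRV targets, not only the name written in sources.list. This is an added example, not apt's code and not from the thread; it applies RFC 2782 selection (lowest priority first, weight-proportional choice within a priority), and that apt follows these rules exactly is an assumption. The record with priority 10 used in the usage section is constructed.

```python
import random
from collections import defaultdict
from fractions import Fraction
from typing import NamedTuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Output of `dig +short -t SRV _http._tcp.ftp.us.debian.org` as quoted in the message
DIG_OUTPUT = """\
0 2 80 ftp-nyc.osuosl.org.
0 1 80 debian.gtisc.gatech.edu.
0 1 80 ftp-chi.osuosl.org.
"""


def parse_srv(text):
    """Parse `dig +short -t SRV` lines: priority, weight, port, target."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore blank or malformed lines
        prio, weight, port, target = parts
        records.append(
            SRV(int(prio), int(weight), int(port), target.rstrip(".").lower())
        )
    return records


def first_choice_probability(records):
    """Chance that each target is tried first.

    Only the lowest priority value competes; within it the chance is
    proportional to weight (equal chances if every weight is zero).
    """
    if not records:
        return {}
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:
        return {r.target: Fraction(1, len(group)) for r in group}
    return {r.target: Fraction(r.weight, total) for r in group}


def order_targets(records, rng):
    """Return the records in the order a client would try them."""
    by_priority = defaultdict(list)
    for r in records:
        by_priority[r.priority].append(r)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            weights = [r.weight for r in pool]
            if sum(weights) == 0:
                pick = rng.choice(pool)
            else:
                pick = rng.choices(pool, weights=weights)[0]
            pool.remove(pick)
            ordered.append(pick)
    return ordered


def egress_endpoints(records):
    """Every (host, port) an egress allowlist must cover for this service name."""
    return sorted({(r.target, r.port) for r in records})


if __name__ == "__main__":
    recs = parse_srv(DIG_OUTPUT)
    for target, p in first_choice_probability(recs).items():
        print(f"{target}: tried first with probability {p}")
    # Constructed lower-preference record, to show that priority wins over weight
    recs_with_backup = recs + [SRV(10, 5, 80, "backup.example")]
    print([r.target for r in order_targets(recs_with_backup, random.Random())])
    print(egress_endpoints(recs))
```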



Re: OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread Lisi Reisz
On Friday 31 March 2017 14:04:03 rhkra...@gmail.com wrote:
> To specify the Thursday before the last Thursday, use something like: "the
> Thursday before last Thursday".
>
> To specify the Thursday after the coming Thursday, use something like: "the
> Thursday after next Thursday".

Great - all fine in theory.  But you try announcing a meeting that way!!!  
Here in England we debate it, meaning that I and my husband disagree.  When I 
say "next Thursday", I mean the Thursday next week.  When he says next 
Thursday he means the next Thursday to arrive, i.e. this Thursday.  We are 
both English, but I Cockney-born and he Yorkshire.

And let us clear up another misunderstanding while we are at it.  The other 
side of the pond you appear to be under a delusion that there is such a thing 
as British anything, including English.  Try telling that to the Welsh, the 
Irish and the Scots! 

Lisi



Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread Dominik George
>If someone unauthorised is on your machine can they not just as well
>remove firewall rules?


Well, not without getting root first.

And making something listen that spawns a shell usable to gain further access 
is a big win. Keeping uploading PHP code to some vulnerable webserver will at 
some point be noticed. Uploading something spawning a shell once probably not.

-nik
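
The point made in this sub-thread, that an unprivileged process can start a new listener while changing firewall rules needs root, can be checked on a host by auditing listening sockets. The following is an added example, not part of any poster's message: it parses text in /proc/net/tcp layout (a constructed sample, little-endian host assumed), flags listeners missing from an allowlist, and reports whether a default-deny inbound policy would leave each one reachable. The names `EXPECTED` and `audit`, and the sample uids and ports, are assumptions made for illustration.

```python
"""Audit listening TCP sockets against an allowlist (added example)."""
import socket
import struct
from collections import namedtuple

Listener = namedtuple("Listener", "addr port uid inode")
Finding = namedtuple("Finding", "listener reason remotely_reachable")

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
# uid 0 = root, 106 = database user, 33 = web server user (assumed values).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 11003
   3: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11950
   4: 2A00A8C0:0050 0700A8C0:C3A8 01 00000000:00000000 00:00000000 00000000    33        0 11960
"""

# Allowlist of (port, owner uid) pairs the administrator expects (assumed).
EXPECTED = {(22, 0), (80, 0), (3306, 106)}


def parse_listeners(proc_net_tcp):
    """Return the LISTEN sockets found in /proc/net/tcp-format text."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # established connections and malformed rows
        addr_hex, port_hex = fields[1].split(":")
        # The IPv4 address is a hex u32 in host byte order (little-endian assumed).
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append(
            Listener(addr, int(port_hex, 16), int(fields[7]), int(fields[9])))
    return listeners


def audit(proc_net_tcp, expected, firewall_open_ports=None):
    """Flag listeners absent from `expected`.

    firewall_open_ports is the set of inbound ports a default-deny packet
    filter lets through, or None when no filter is in place.
    """
    known_ports = {port for port, _uid in expected}
    findings = []
    for lst in parse_listeners(proc_net_tcp):
        if (lst.port, lst.uid) in expected:
            continue
        reason = ("known port, unexpected owner uid"
                  if lst.port in known_ports else "unexpected listener")
        loopback_only = lst.addr.startswith("127.")
        filtered = (firewall_open_ports is not None
                    and lst.port not in firewall_open_ports)
        findings.append(Finding(lst, reason, not (loopback_only or filtered)))
    return findings


if __name__ == "__main__":
    cases = (("no packet filter", None), ("default-deny, 22 and 80 open", {22, 80}))
    for label, open_ports in cases:
        for f in audit(SAMPLE_PROC_NET_TCP, EXPECTED, open_ports):
            print("%s: port %d uid %d (%s) reachable=%s" % (
                label, f.listener.port, f.listener.uid, f.reason,
                f.remotely_reachable))
```

On a live host, pass the contents of /proc/net/tcp; IPv6 listeners are in /proc/net/tcp6, which uses a wider address field that this example does not parse.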



Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread tomas

On Fri, Mar 31, 2017 at 02:17:35PM +0100, Brian wrote:
> On Fri 31 Mar 2017 at 14:18:04 +0200, to...@tuxteam.de wrote:
> 
> > On Sat, Apr 01, 2017 at 01:00:45AM +1300, cbannis...@slingshot.co.nz wrote:
> > 
> > [...]
> > 
> > > My understanding is that if there are no services listening on a port then
> > > it cannot be accessed.
> > > 
> > > e.g.
> > > 
> > > http://serverfault.com/questions/733633/if-no-service-is-listening-on-a-port-can-a-system-still-be-accessed-using-that-p
> > > 
> > > Am I missing something? 
> 
> I rather thought cbannister had the correct idea: nothing listening;
> therefore no access.
>  
> > As Dominik said: it's "defense in depth". If your PHP^H^H^H web application
> > has some code injection issue, your adversary might well install a C
> > server listening on that port, and work from there on (exfiltrate data,
> > try some privilege escalation, whatever).
> > 
> > Now there might be other avenues for that, but security is about closing
> > the avenue your adversary is going to use next ;-)
> 
> If someone unauthorised is on your machine can they not just as well
> remove firewall rules?

If they have done the privilege escalation bit, then yes. If they are
"just" running as the web server user (which hopefully ain't root) then
"not... yet". Unless you've set up sudo so that www-user can change
the firewall rules. But then you'd have to tell us more about that ;-D

Regards
- -- tomás



Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread Brian
On Fri 31 Mar 2017 at 14:18:04 +0200, to...@tuxteam.de wrote:

> On Sat, Apr 01, 2017 at 01:00:45AM +1300, cbannis...@slingshot.co.nz wrote:
> 
> [...]
> 
> > My understanding is that if there are no services listening on a port then
> > it cannot be accessed.
> > 
> > e.g.
> > 
> > http://serverfault.com/questions/733633/if-no-service-is-listening-on-a-port-can-a-system-still-be-accessed-using-that-p
> > 
> > Am I missing something? 

I rather thought cbannister had the correct idea: nothing listening;
therefore no access.
 
> As Dominik said: it's "defense in depth". If your PHP^H^H^H web application
> has some code injection issue, your adversary might well install a C
> server listening on that port, and work from there on (exfiltrate data,
> try some privilege escalation, whatever).
> 
> Now there might be other avenues for that, but security is about closing
> the avenue your adversary is going to use next ;-)

If someone unauthorised is on your machine can they not just as well
remove firewall rules?

-- 
Brian.



Re: One about hostapd on Debian 7...

2017-03-31 Thread Antonio Trujillo Carmona

On 31/03/17 at 03:30, luisededios wrote:

On Thu, 30 Mar 2017 14:11:47 -0400, JAP wrote:

On 29/03/17 at 15:43, luisededios wrote:

Mine comes down to a ZeroShell captive portal, which could be fooled
by a Python script that was started from /etc/rc.local.

I'm interested in that topic. Do you remember how you did it from
rc.local, any particular line?  :)

OK.

I did it in two different ways.

One, by adding the login script to my KDE desktop, under
"Startup and Shutdown", "Autostart".

That way, it started only if I logged in to KDE.

The downside is that with any little desktop problem I was left
without network.

So I moved on to adding the following line to /etc/rc.local:

/usr/bin/python /opt/ZeroShell/zeroshell-autologin.py

I got this from
https://code.google.com/archive/p/zeroshell-autologin/

The script in question, with a few tiny modifications of mine, is the
following:

=

#!/usr/bin/python

# ZeroShell autologin

# load python library
from urllib import urlencode
from urllib2 import urlopen
from HTMLParser import HTMLParser
from time import sleep

# login conf
USERNAME = 'MiUsuario'
PASSWORD = 'MiClaveMuyDificil'
REALM = 'ElDominio'     # your ISP's domain
SERVER = '192.168.1.1'  # the ZeroShell server

# default params
PROTOCOL = 'http'
PORT = '12080'
SCRIPT = 'zscp'
ZSCPRedirect = '_:::_'

URL = PROTOCOL + '://' + SERVER + ':' + PORT + '/cgi-bin/' + SCRIPT
RENEW_INTERVAL = 40


# class to parse Captive Portal HTML
class ZSParser(HTMLParser):

    def __init__(self):
        HTMLParser.__init__(self)
        self.params = {}
        params = {'U': USERNAME, 'P': PASSWORD, 'Realm': REALM,
                  'Section': 'CPAuth', 'Action': 'Authenticate',
                  'ZSCPRedirect': '_:::_'}
        http_req = urlopen(URL, urlencode(params))
        html_content = http_req.read()
        self.feed(html_content)

    def get_authkey(self):
        # after parsing the HTML, return the authenticator string
        return self.params['Authenticator']

    def handle_starttag(self, tag, attrs):
        # parse only the hidden HTML input tags
        if tag == 'input' and attrs[0][1] == 'hidden':
            self.params[attrs[1][1]] = attrs[2][1]


parser = ZSParser()             # instantiate the class
authkey = parser.get_authkey()  # get authenticator string

# http_request 1 - Section = CPGW
params = {'U': USERNAME, 'P': PASSWORD, 'Realm': REALM,
          'Authenticator': authkey, 'Section': 'CPGW',
          'Action': 'Connect', 'ZSCPRedirect': '_:::_'}
urlopen(URL, urlencode(params))

# http_request 2 - Section = ClientCTRL
params = {'U': USERNAME, 'P': PASSWORD, 'Realm': REALM,
          'Authenticator': authkey, 'Section': 'ClientCTRL',
          'Action': 'Connect', 'ZSCPRedirect': '_:::_'}
urlopen(URL, urlencode(params))

while True:
    sleep(RENEW_INTERVAL)  # wait a time in seconds to renew the connection
    params = {'Authenticator': authkey, 'Section': 'CPGW',
              'Action': 'Renew', 'ZSCPRedirect': '_:::_'}
    urlopen(URL, urlencode(params))

=



Known problems:

Sometimes, when the system "lagged", the machine got disconnected from
the network because the session had expired. With an ordinary browser,
that is just a matter of restarting it, but here I was left with the script

OT: speaking of days (weeks, months, years, etc.) (was: Re: Movie 'n Book recommendations by Curt)

2017-03-31 Thread rhkramer
On Friday, March 31, 2017 06:30:25 AM Terence wrote:
> There is no ambiguity if (as I have always understood) "Thursday" means
> "this (or the coming) Thursday" and "next Thursday" or "Thursday next"
> means "a week on Thursday".
> 
> And having lived in Yorkshire for two very happy years, I would agree that
> York is above London in so many ways...

To me, all that has been discussed is (potentially) confusing and ambiguous.

To me, I prefer the following--ohh, most of the examples assume that the 
current day is not Thursday (but maybe that makes no difference):

Thursday can refer either to the coming Thursday or the previous Thursday 
based on the context, for example:

On Thursday, we played baseball.  (obvious (to me) that was the (just) 
previous Thursday)

The paper is due on Thursday.  (obvious (to me) that is the (just) coming 
Thursday)

Last Thursday, we played baseball.  (clear to me, but the "last" is redundant 
and may be ambiguous to some--might some mean the Thursday before the most 
recent??)

The paper is due next Thursday.   (clear to me, but the "next" is redundant 
and is ambiguous to some--some seem to mean the Thursday after the coming / 
really next Thursday)

The paper is due Thursday next.  (clear to me, but the "next" is redundant and 
is ambiguous to some--some seem to mean the Thursday after the coming / really 
next Thursday--it might be a Briticism (to coin or mangle a word))

To specify the Thursday before the last Thursday, use something like: "the 
Thursday before last Thursday".

To specify the Thursday after the coming Thursday, use something like: "the 
Thursday after next Thursday".

Use similar constructs for other days, weeks, months, years, millennia, 
minutes, hours, etc., or better, specify a date, year, time, or similar.

I'm not aware of whether the grammar lords have established a clear preferred 
usage pattern--if they have, I'm sure it differs on the two sides of the 
Atlantic.

(Maybe this is my subconscious bid to become a grammar lord??  Uuh, I think 
I'll shut up now, I'd hate to be tagged with that label.)

Randy Kramer







 



Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread Thierry Bugier Pineau
Hello
It would be interesting to know what the ssl_cipher_list list
contained before the change, and what it contains now.
As for /etc/hosts, it is clear that it was not the problem, but
in the tests done a few days ago the server could not
resolve its own name. Editing /etc/hosts takes care of that small detail.
I suggest you now use an online SSL / TLS testing tool to
fine-tune the configuration, because there are a bunch of things to
do to get encryption that is not too fragile.


On Friday 31 March 2017 at 12:20 +0200, andre_deb...@numericable.fr
wrote:
> On Thursday 30 March 2017 16:00:40 andre_deb...@numericable.fr wrote:
> > it seems to be working again.
> 
> > # tail /var/log/mail.err
> > no longer shows the error: "SSL23: unknown protocol",
> > but still shows the error:
> > "pop3-login : Error : ssl3_get_client_hello : no shared cipher"
> 
> I no longer get any error message in:
> /var/log/mail.err, nor in /var/log/mail.log
> 
> The problem came from "cipher",
> "/etc/dovecot/conf.d/10-ssl.conf" => line "ssl_cipher_list = "
> to be adapted.
> 
> Have a good day, everyone,
> 
> André
> 
> 

Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread tomas

On Sat, Apr 01, 2017 at 01:00:45AM +1300, cbannis...@slingshot.co.nz wrote:

[...]

> My understanding is that if there are no services listening on a port then
> it cannot be accessed.
> 
> e.g.
> 
> http://serverfault.com/questions/733633/if-no-service-is-listening-on-a-port-can-a-system-still-be-accessed-using-that-p
> 
> Am I missing something? 

As Dominik said: it's "defense in depth". If your PHP^H^H^H web application
has some code injection issue, your adversary might well install a C
server listening on that port, and work from there on (exfiltrate data,
try some privilege escalation, whatever).

Now there might be other avenues for that, but security is about closing
the avenue your adversary is going to use next ;-)

regards
- -- tomás



Re: Debian constantly rebooting

2017-03-31 Thread José María

On 30/03/17 at 17:32, franiortiz hotmail wrote:

No luck: Debian 8.6 reboots too. I tried the nightly build DVD
with LXDE as the desktop environment, but that one suffers from reboots
as well, although during installation and in console mode none of them
gave me any problems. Running the Debian DVD with LXDE behaves as one
would expect, but as soon as I move the mouse or type something, it
shuts down/reboots.
WinXP, however, has been running perfectly for 3-4 days. I have already
tried 4 different Debian installations, all with unexpected
shutdowns/reboots, and I don't want to try Arch or Ubuntu because even
if that worked out, I want Debian.
I pulled a log with journalctl -xb, if I remember correctly, and skimmed
it; I recall some ACPI error, but it is beyond me. I'll attach it as
soon as I set up a mail client on WinXP, tss XD

On 29 March 2017 11:22:01 CEST, franiortiz hotmail wrote:

*From:* franiortiz hotmail 
*Sent:* Tuesday, 28 March 2017 13:14
*To:* debian-user-spanish@lists.debian.org
*Subject:* Re: Debian constantly rebooting

Well, after being out all morning, the updated Debian was still
up, but as soon as I moved the mouse, it rebooted.

I have now just installed debian-live-8.6.0-i386-standard.iso

and so far everything is fine; I am writing these lines from it, with
lxde-core, lightdm, medit, htop and little else installed.

I'll keep installing my favourite packages to see how it
behaves, but everything suggests that Debian 8.7.1 is not suitable for
my PC. I'm attaching a log, although I did not produce it with:

journalctl -p3 -xb  o /var/log/boot.log /var/log/messenger dmesg

because I don't have boot.log, I didn't understand the "o" parameter,
and I don't have messenger.

So I ran this instead, and this is what I'm sharing with you:

tail -f /var/log/messages -f /var/log/syslog -f /var/log/auth.log -f
/var/log/dmesg -f /var/log/faillog -f /var/log/daemon.log >> lm55.log

*From:* Ernesto Escobedo 
*Sent:* Tuesday, 28 March 2017 7:55
*To:* franiortiz hotmail
*Subject:* Re: Debian constantly rebooting

Good evening

If you added your machine's logs

journalctl -p3 -xb  o /var/log/boot.log /var/log/messenger dmesg

it would really help us with an analysis.

Thanks.

On 27 March 2017, 17:15, franiortiz hotmail wrote:

Hello everyone. Something very strange. Symptom: when I boot my
Debian partition, in use for 3 years on a Lenovo M55, it
constantly shuts down/reboots.
Cause: changes made, in this order:
1- install psensor
2- resize and move the / partition (one disk, 2
partitions: xp+linux/)


OK, you have a Lenovo with probably 256 or 512 MB of RAM

It has XP installed and that works fine

You had no problems before with Debian 8.6

Your hard disk is supposedly not faulty

Then the only thing I can think of is that you "ate" the swap and did
not create it again, and that the PC shuts down because it has no resources


You must have at least 3 partitions, that is, one for XP, another for
the Debian filesystem and the last one for swap, right?




3- update
At first I thought it was temperature, so I cleaned the PC thoroughly;
it was barely dirty.
Then I thought of disks or RAM, so I ran memtest, successfully;
I check the disks with crystaldiskinfo and they are perfect. By the
way, the old XP and the live CDs run perfectly, so I rule out hardware.
4- I assumed that something went wrong when moving the (/) partition,
something not even fsck found, which I also tried. So I reinstalled
debian-live-8.7.1-i386-standard-non-free.iso with lxde-core,
lightdm and nothing else, everything updated, and to my surprise it
reboots on its own again with hardly any packages, on the stable version.
5- I'm starting to think the mistake was updating. I'm going to try
version

https://cdimage.debian.org/cdimage/archive/8.6.0-live/i386/iso-hybrid/debian-live-8.6.0-i386-standard.iso

, to see whether I can install it without updating and without it
rebooting, but if so, I'm in a bad spot, unable to update.
6- Is this a bug?
Any ideas? I need to get my Debian back on this PC, as I'm
being forced to use mocosoft
Thanks, regards


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.




Re: should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread Dominik George
>My understanding is that if there are no services listening on a port
>then
>it cannot be accessed.

Well, if nothing is listening on a port, then something can start doing so 
unconditionally.

That's how w^Hsomeone rooted Dreamhost.

-nik



should I firewall an open port which isn't used? (was ... Re: Guide(s?) to backup philosophies)

2017-03-31 Thread cbannister
On Mon, Mar 13, 2017 at 08:58:15PM -0700, David Christensen wrote:
> On 03/13/2017 05:38 AM, Dan Purgert wrote:
> >Currently, the system here is
> >
> > - every PC has a cronjob backing up $HOME to a central "server" (read -
> >   repurposed PC with decent WD drives), just an rsync script that runs
> >   daily.
> 
> Don't forget security:
> 
> 1.  With a "push" arrangement (e.g. each workstation backs up itself to the
> server) -- if a workstation gets compromised, the backups are at risk.
> 
> 2.  With a "pull" arrangement (e.g. the server backs up all the
> workstations) -- if a workstation gets compromised, the backups should be
> safe (and might have clues about the intrusion).  Additionally, the backup
> server can be completely firewalled (e.g. no open ports).

My understanding is that if there are no services listening on a port then
it cannot be accessed.

e.g.

http://serverfault.com/questions/733633/if-no-service-is-listening-on-a-port-can-a-system-still-be-accessed-using-that-p

Am I missing something? 

-- 
The media's the most powerful entity on earth. 
They have the power to make the innocent guilty 
and to make the guilty innocent, and that's power.
 -- Malcolm X



Re: Deb-Installer: Possible to set IP using a boot parameter?

2017-03-31 Thread Ron Leach

On 28/03/2017 18:15, Brian wrote:


Any combination of preseed directives can be used
as boot parameters. For example: netcfg/get_ipaddress=192.168.1.42.


AFAIK, not on the website. You can generate all the preseed options for
yourself. Search the wiki for "preseed".




Brian, thanks for the reply.  I see that that would seem to work

In the end I veered towards the 'preseed' approach, partly because 
some guidelines I was following and which included the USB rewrite 
were based on that objective.  My first try has failed to produce a 
bootable USB, but I'll do a lot more testing and checking before 
perhaps asking for any more help.  I recall that there's recently been 
a long thread about preseeding which will be helpful, I think.


regards, Ron




Re: why??why?why??

2017-03-31 Thread cbannister
On Sun, Mar 12, 2017 at 05:57:19PM +0900, Mark Fletcher wrote:
> On Fri, Mar 10, 2017 at 02:09:22AM +, Shahryar Afifi wrote:

[some stuff]

> 
> This is yet another of those threads where the OP never returns after 
> dropping their troll bomb... the only why oh why here is why oh why do 
> we collectively never learn not to feed the trolls...

Do you think it may possibly be that they are a first time poster and not
subscribed and that no one cc's them and they think their post is being 
ignored?

I have seen some genuine calls for help from a poster who seems like a first
time poster, and none of the replies are CC's and the OP doesn't reply
to any of them. They probably feel like their cry for help is being ignored.

-- 
The media's the most powerful entity on earth. 
They have the power to make the innocent guilty 
and to make the guilty innocent, and that's power.
 -- Malcolm X



Re: Movie 'n Book recommendations by Curt

2017-03-31 Thread Terence
There is no ambiguity if (as I have always understood) "Thursday" means
"this (or the coming) Thursday" and "next Thursday" or "Thursday next"
means "a week on Thursday".

And having lived in Yorkshire for two very happy years, I would agree that
York is above London in so many ways...

Terence

On 31 March 2017 at 08:43, Jonathan Dowland  wrote:

> On Thu, Mar 30, 2017 at 08:56:25PM +0100, Terence wrote:
> > Lisi asks "And is London "up" or "down" from York?"
> >
> > London is "up". "Up trains" were those travelling to London termini, "Down
> > trains" departed from London termini to other parts of the rail network.
>
> That's an interesting, if historical, explanation. These days York is definitely
> up from London.
>
> (Writing from Newcastle, up from London and York.)
>
> --
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
> ⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
> ⠈⠳⣄ Please do not CC me, I am subscribed to the list.
>


Re: Postfix Dovecot and SSL: SSL23: unknown protocol: SOLVED

2017-03-31 Thread andre_debian
On Thursday 30 March 2017 16:00:40 andre_deb...@numericable.fr wrote:
> it seems to be working again.

> # tail /var/log/mail.err
> no longer shows the error: "SSL23: unknown protocol",
> but still shows the error:
> "pop3-login : Error : ssl3_get_client_hello : no shared cipher"

I no longer get any error message in:
/var/log/mail.err, nor in /var/log/mail.log

The problem came from "cipher",
"/etc/dovecot/conf.d/10-ssl.conf" => line "ssl_cipher_list = "
to be adapted.

Have a good day, everyone,

André



Re: HP Printer (OfficeJet 8730) Installation

2017-03-31 Thread Curt
On 2017-03-30, Peter Hillier-Brook  wrote:
>
> I'm connected via Ethernet so all my computers can use the device. Call
> me old fashioned: I've been using Ethernet since the '80s and I trust
> the security of wires rather more than wireless.
>

This may be of little interest to anyone but that has never stopped me in
the past. 

I recently configured cups to share my usb connected Brother HL-2030 (no
ethernet port) with my spouse's (funny word, that--mon épouse) windows
laptop via IPP. No samba, simple as pie.

Local lan sharing.

https://wiki.archlinux.org/index.php/CUPS/Printer_sharing#Between_GNU.2FLinux

Actually I'm ashamed to say configured because all I did was check
"Share printers connected to this system" in the Cups administration web
interface tab and add a printer to the windows (10) machine (shared
printer by name) whose location is:

http://192.168.0.26:631/printers/HL-2030-series

Yes, I always have the same internal lan ip address.

-- 
"It might be a vision--of a shell, of a wheelbarrow, of a fairy kingdom on the
far side of the hedge; or it might be the glory of speed; no one knew." --Mrs.
Ramsay, speculating on why her little daughter might be dashing about, in "To
the Lighthouse," by Virginia Woolf.



Re: Matrox G550 mga driver hangs system

2017-03-31 Thread Felix Miata

Felix Miata composed on 2017-03-31 02:22 (UTC-0400):

[xserver-xorg-video-mga is a user-space graphics driver]
...

If all the above doesn't help, repeat it, but append "iomem=relaxed" to the line
that included video and/or vesa and/or vga...

This showed up on vtty when I did dist-upgrade from jessie to stretch:

apt-listchanges: News
...
linux-latest (76) unstable; urgency=medium

  * From Linux 4.8, several changes have been made in the kernel
configuration to 'harden' the system, i.e. to mitigate security bugs.
Some changes may cause legitimate applications to fail, and can be
reverted by run-time configuration:
- On most architectures, the /dev/mem device can no longer be used to
  access devices that also have a kernel driver.  This breaks dosemu
  and some old user-space graphics drivers.  To allow this, set the
  kernel parameter: iomem=relaxed

xorg-server (2:1.17.3-1) unstable; urgency=medium

  The Xorg server is no longer setuid root by default.  This change reduces the
  risk of privilege escalation due to X server bugs, but has some side effects:

  * it relies on logind and libpam-systemd
  * it relies on a kernel video driver (so the userspace component doesn't
touch the hardware directly)
  * it needs X to run on the virtual console (VT) it was started from
  * it changes the location for storing the Xorg log from /var/log/ to
~/.local/share/xorg/

  On systems where those are not available, the new xserver-xorg-legacy package
  is needed to allow X to run with elevated privileges. See the
  Xwrapper.conf(5) manual page for configuration details.
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/



Re: Movie 'n Book recommendations by Curt

2017-03-31 Thread Jonathan Dowland
On Thu, Mar 30, 2017 at 08:56:25PM +0100, Terence wrote:
> Lisi asks "And is London "up" or "down" from York?"
> 
> London is "up". "Up trains" were those travelling to London termini, "Down
> trains" departed from London termini to other parts of the rail network.

That's an interesting, if historical, explanation. These days York is definitely
up from London.

(Writing from Newcastle, up from London and York.)

-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.




Re: Matrox G550 mga driver hangs system

2017-03-31 Thread Felix Miata

Tony Stoneley composed on 2017-03-30 17:12 (UTC+0100):


Felix Miata wrote on Wed, 29 Mar 2017 16:44:01 -0400



https://lists.debian.org/debian-user/2017/03/msg00895.html



Did you try other things suggested in that thread or the openSUSE bug
referenced there
https://bugzilla.opensuse.org/show_bug.cgi?id=1004453 ?



To be honest, I'm way out of my depth in all that. I would be happy to
try a particular experiment, given instructions...



e.g. disabling framebuffer?



Er, how? xserver-xorg-video-fbdev isn't installed, nor for that matter
xserver-xorg-video-modesetting. As I said, I'm out of my depth.


A framebuffer is historically how the boot messages get displayed on vtty1 by 
the kernel in other than 80x25 text mode. Plymouth can be and often is used to 
convert that process to a graphical mode. By disabling framebuffer I mean to 
ensure that you are booting in 80x25 mode. Matrox doesn't support all the usual 
standard VESA modes, so getting back to the most basic video output can be key 
to video problem solutions.


Your goal is to boot without Plymouth and without framebuffer, in 80x25 mode, to 
give Xorg the best possible chance to work as expected. If Plymouth is installed, 
purge it.


To proceed, hit the e key when the Grub menu appears, then remove any line that 
says "load_video", and from any line that includes "video=" or "vesa" or "vga=" 
or "quiet" or "splash", remove each whole such string. Optionally, if the string 
"text" appears, remove it too.


If all the above doesn't help, repeat it, but append "iomem=relaxed" to the line 
that included video and/or vesa and/or vga. If this works, and Grub2 is what you 
are using, then /etc/default/grub needs to be modified to match whatever worked, 
followed by running update-grub. If still using Grub, simply update menu.lst to 
match what worked.



Which is yours PCIe, or AGP?



Ah! One I can answer:  AGP


That's what I have.


Which WM/DE(s) is/are you trying to use?



xfce4 and all that goes with it, but I don't think it's getting that
far. As previously remarked, that stuff does all work with the vesa
driver (achieved by tweaking xorg.conf).


FBDEV and VESA Xorg drivers are creepy-crawly slow!!!

Are you using a greeter, or logging in on a vtty and using startx or equivalent?

What are the permissions on your /usr/bin/Xorg?


Can you see any other clues than Xorg.0.log shows by running
'journalctl -b -1'?



Nope, though I might possibly not recognise a clue...


Doing something like 'journalctl -b -1 | grep -i failed' might be useful. There 
is an awful lot of stuff making particular points of interest hard to identify 
in the journal.



Apologies for uselessness (and also btw for wrecking the thread
structure with a completely inadvertent small subject change, the
genesis of which is a complete mystery to me).


Don't be confused by the fact that some common video terms have multiple 
contexts. Using the VESA driver in Xorg has nothing directly to do with VESA 
modes being used by the kernel or the BIOS. Same goes for modesetting or KMS. 
Matrox gfxchips are not supported by KMS, so the modesetting Xorg driver is not 
an option for Matrox users. xserver-xorg-video-modesetting is appropriate only 
for Intel, ATI and NVidia hardware that is several years newer than your Matrox. 
xserver-xorg-video-fbdev would probably not work as well as xserver-xorg-video-vesa.


Lack of active Matrox support since KMS was introduced into the kernel around 8 
years ago is why we are going through this troubleshooting process. Devs are 
no longer Matrox users, so must rely on users who have problems reporting them 
with enough details that fixes can be implemented by devs who have no matching 
hardware to test on. It may be time for you to ask for help from the devs, using 
the debian-devel mailing list or one of the freedesktop.org Xorg mailing lists, 
or by filing a Debian bug.

--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/