date:20200929

David Christensen wrote: 
> On 2020-09-28 09:26, discsupp...@seagate.com wrote:
> > Hello David Christensen,
> > 
> I have asked three times that you make a binary image of Seagate SeaTools
> Bootable available, and have received delay, diversionary, and denial
> tactics in response.  I will ask no more.
> 
> 
> Free Software Foundation -- Please investigate and respond.
> 
> 
> United States Department of Justice -- Please investigate and respond.

I'm pretty sure that even if Seagate claimed that SeaTools
Bootable is distributed under the terms of GPLv2, they don't
have a responsibility to send you a binary image of it -- only
to make the source code available.

The US DoJ is unlikely to be interested unless you have an
actual theory of antitrust violation and damages to go along
with that. For the next month or four, it would also have to 
be personally offensive to a member of the President's family.
You might want to try again in February.

FSF might be interested, if any of their assigned software is
being used; if busybox is being used, you should talk to the
Software Freedom Conservancy.

The essence of the BSD license(s) is "go use it and change it"
with a side-order of "and publish this copyright notice". They
are unlikely to be overly concerned.

-dsr-

Re: Regarding case number 10724899 [ ref:_00D00hhzl._5004V11emZL:ref ]

2020-09-29 Thread David Christensen

On 2020-09-28 09:26, discsupp...@seagate.com wrote:

Hello David Christensen,

Welcome to Seagate Support, my name is Jairo and I'm glad to assist you today
about SeaTools and its source code licenced under GPL. We will work together to
find a solution.

SeaTools Booteable uses free libraries from the Opensea project
,
that can be found in GitHub .
SeaTools is also a mix of proprietary source code and open source code, as TinyCore. The
core of SeaTools is SeaChest and
the full code can be found in GitHub
also.
Our only available file to record SeaTools Cooteable in a USB is the .zip file
available in the SeaTools support page
.

We await for your reply with either this support was useful or more assistance
is required.

Regards,
Jairo
Seagate Support

ref:_00D00hhzl._5004V11emZL:ref

I have asked three times that you make a binary image of Seagate
SeaTools Bootable available, and have received delay, diversionary, and
denial tactics in response. I will ask no more.

Free Software Foundation -- Please investigate and respond.

United States Department of Justice -- Please investigate and respond.

Sincerely yours,

David Christensen
Tracy, California, USA
dpchr...@holgerdanske.com

cc: debian-user@lists.debian.org
freebsd-questi...@freebsd.org
license-violat...@fsf.org
antitrust.complai...@usdoj.gov

p.s. freebsd and debian mailing list readers -- this is not spam. This
is follow-up to many discussions on the mailing lists regarding
vendor-supplied diagnostic tools, including Seagate SeaTools:

https://lists.debian.org/cgi-bin/search?P=seatools=or=Gdebian-user=0=100

http://freebsd.1045724.x6.nabble.com/template/NamlServlet.jtp?macro=search_page=3696945=seatools=3556680

Re: GNU Guix

2020-09-29 Thread Nate Bargmann

I tried GNU Guix a few years back.  I did not find a compelling reason
other than package roll back to leave Debian for it.  Bullseye has the
nix-bin package available for those wanting to try it without leaving
Debian, I guess.

- Nate

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819



signature.asc
Description: PGP signature

[SOLVED] Re: Riddling activity on encrypted and mounted partition

2020-09-29 Thread Thomas Schmitt

Hi,

Andy Smith wrote:
> your reply doesn't make it clear to me whether the
> lazy init was the cause of your writes or not.

It seems so.

The disk is mounted without i/o being counted in /sys/block/sda/sda2/stat .

If only half of the 733702 write ops of mkfs.ext4 were due to lazy_*=0,
then they would keep with lazy_*=1 the disk busy for more than 6 hours at
16 ops per second. This matches my initial observation that it lasted for
at least one hour.

But in the end i can only say for sure that the drive LED behaves like
before i mounted the lazily created ext4 in its encrypted partition.
I had ext4 before. So my suspicions were rather directed towards the
encryption, which is new for me. Now the whole story matches lazy ext4
creation, regardless of encryption.

Have a nice day :)

Thomas

Re: Where is spamassassin's bayes database?

Dan Ritter wrote:
> Victor Sudakov wrote: 
> > F*ck!
> > 
> > I wonder why it is trying to create it as nobody:nogroup...
> > 
> >  spamd[32333]: plugin: eval failed: bayes: (in learn) locker: safe_lock: 
> > cannot create tmp lockfile 
> > /var/lib/spamassassin/.spamassassin/bayes.lock.ip-172-31-37-150.us-west-2.compute.internal.32333
> >  for /var/lib/spamassassin/.spamassassin/bayes.lock: Permission denied
> > 
> > At least I have something to go on with.
> 
> At some point Debian started creating debian-spamd user with
> /var/lib/spamassassin as $HOME. 
> 
> dpkg --reconfigure spamd   maybe?

Nope, just https://wiki.debian.org/DebianSpamAssassin needs to be fixed.
It suggests for Exim "spam = nobody" or "spam = nobody:true", while it
should be "spam = debian-spamd" or "spam = debian-spamd:true" of course.

The example is correct for Postfix but incorrect for Exim.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: Where is spamassassin's bayes database?

Victor Sudakov wrote: 
> F*ck!
> 
> I wonder why it is trying to create it as nobody:nogroup...
> 
>  spamd[32333]: plugin: eval failed: bayes: (in learn) locker: safe_lock: 
> cannot create tmp lockfile 
> /var/lib/spamassassin/.spamassassin/bayes.lock.ip-172-31-37-150.us-west-2.compute.internal.32333
>  for /var/lib/spamassassin/.spamassassin/bayes.lock: Permission denied
> 
> At least I have something to go on with.

At some point Debian started creating debian-spamd user with
/var/lib/spamassassin as $HOME. 

dpkg --reconfigure spamd   maybe?

-dsr-

Re: Where is spamassassin's bayes database?

Victor Sudakov wrote:
> Dan Ritter wrote:
> > Victor Sudakov wrote: 
> > > Dear Colleagues,
> > > 
> > > Is anyone running Debian's default SpamAssassin package together with
> > > some MTA (exim, postfix etc)?
> > > 
> > > My question is, when SpamAssassin is accessed over the network
> > > (127.0.0.1:783), where does it keep its Bayesian database? 
> > > 
> > > A command like
> > > spamc -u nobody -L ham  < mail.txt
> > > 
> > > returns that "Message was already un/learned", but for the life of me,
> > > where is the database kept?
> > > 
> > > I've even tried setting bayes_path in local.cf, to no avail. Beats me.
> > 
> > /var/lib/spamassassin/.spamassassin
> > 
> 
> I thought as much, but this directory contains only sa-compile.cache.
> 
> Even if I set "bayes_path /var/lib/spamassassin/.spamassassin/bayes"
> in local.cf, the database does not appear there.

F*ck!

I wonder why it is trying to create it as nobody:nogroup...

 spamd[32333]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot 
create tmp lockfile 
/var/lib/spamassassin/.spamassassin/bayes.lock.ip-172-31-37-150.us-west-2.compute.internal.32333
 for /var/lib/spamassassin/.spamassassin/bayes.lock: Permission denied

At least I have something to go on with.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: Where is spamassassin's bayes database?

Victor Sudakov wrote: 
> Dan Ritter wrote:
> > Victor Sudakov wrote: 
> > > Dear Colleagues,
> > > 
> > > Is anyone running Debian's default SpamAssassin package together with
> > > some MTA (exim, postfix etc)?
> > > 
> > > My question is, when SpamAssassin is accessed over the network
> > > (127.0.0.1:783), where does it keep its Bayesian database? 
> > > 
> > > A command like
> > > spamc -u nobody -L ham  < mail.txt
> > > 
> > > returns that "Message was already un/learned", but for the life of me,
> > > where is the database kept?
> > > 
> > > I've even tried setting bayes_path in local.cf, to no avail. Beats me.
> > 
> > /var/lib/spamassassin/.spamassassin
> > 
> 
> I thought as much, but this directory contains only sa-compile.cache.
> 
> Even if I set "bayes_path /var/lib/spamassassin/.spamassassin/bayes"
> in local.cf, the database does not appear there.
> 

dsr@tao:/var/lib/spamassassin/.spamassassin
$ ls -al
total 29480
drwx-- 3 debian-spamd debian-spamd 4096 Sep 29 10:45 .
drwxr-xr-x 9 debian-spamd debian-spamd 4096 Sep 28 07:33 ..
-rw--- 1 debian-spamd debian-spamd65280 Sep 29 11:59 bayes_journal
-rw--- 1 debian-spamd debian-spamd 40267776 Sep 27 14:29 bayes_seen
-rw--- 1 debian-spamd debian-spamd  5324800 Sep 29 10:45 bayes_toks
drwxr-xr-x 2 debian-spamd debian-spamd 4096 Sep 25  2018 sa-compile.cache
-rw-r--r-- 1 debian-spamd debian-spamd 1869 Oct 10  2013 user_prefs


dsr@tao:/etc/spamassassin
$ grep -R bayes *
local.cf:# use_bayes 1
local.cf:# bayes_auto_learn 1
local.cf:# bayes_ignore_header X-Bogosity
local.cf:bayes_ignore_header X-Spam-Flag
local.cf:bayes_ignore_header X-Spam-Status
local.cf:#   and a well-trained bayes DB can save running rules, too
v320.pre:# and create a header containing ASN data for bayes
tokenization.


from /etc/default/spamassassin
OPTIONS="--create-prefs --max-children 5 --helper-home-dir 
--socketpath=/var/lib/spamassassin/socket --port 783 "

That's all I can think of that would be relevant.

-dsr-

Re: [SOLVED] Re: Riddling activity on encrypted and mounted partition

2020-09-29 Thread Andy Smith

On Tue, Sep 29, 2020 at 01:02:35PM +0200, Thomas Schmitt wrote:
> Andy Smith wrote:
> > Create with:
> >mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0
> 
> This lasts significantly longer than my first mkfs run.
> The drive makes ~ 1950 write operations per second. So i estimate that
> the job would have lasted hours with ~ 16 writes per second.
> In the end mkfs.ext4 caused 733702 write ops on the 3.6 TB partition.
> 
> Ok. New UUID into fstab ... mount ... mkdir ... touch ... Yay !
> 
> The i/o is still lazy (no wonder with 32 GB RAM), but after about a minute
> i see no newly counted writes.
> 
> Thanks a lot !

No problem, but your reply doesn't make it clear to me whether the
lazy init was the cause of your writes or not. Maybe I just lack the
reading comprehension.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: Where is spamassassin's bayes database?

Dan Ritter wrote:
> Victor Sudakov wrote: 
> > Dear Colleagues,
> > 
> > Is anyone running Debian's default SpamAssassin package together with
> > some MTA (exim, postfix etc)?
> > 
> > My question is, when SpamAssassin is accessed over the network
> > (127.0.0.1:783), where does it keep its Bayesian database? 
> > 
> > A command like
> > spamc -u nobody -L ham  < mail.txt
> > 
> > returns that "Message was already un/learned", but for the life of me,
> > where is the database kept?
> > 
> > I've even tried setting bayes_path in local.cf, to no avail. Beats me.
> 
> /var/lib/spamassassin/.spamassassin
> 

I thought as much, but this directory contains only sa-compile.cache.

Even if I set "bayes_path /var/lib/spamassassin/.spamassassin/bayes"
in local.cf, the database does not appear there.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: "ps -o %mem" and free memory in Linux

to...@tuxteam.de wrote:
> 
> > Those are kind of virtual things, as far as I understand. If not %mem, then
> > what `ps` parameter can show me how many php-fpm workers I can safely start
> > before RAM is exhausted?
> 
> This is a seemingly easy question with a surprisingly difficult answer.
> 
> I don't have a good reference ready for you, but I poked a bit the
> Intertubes and this [1] at least might give you a rough impression
> of what kinds of things are involved.
> 
> Cheers
> 
> [1] 
> https://stackoverflow.com/questions/131303/how-can-i-measure-the-actual-memory-usage-of-an-application-or-process
> 

Thank you, a very helpful, and about /proc/*/spams too.



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: "ps -o %mem" and free memory in Linux

Klaus Singvogel wrote:
> Victor Sudakov wrote:
> > > Perhaps because the php-fpm workers were forked from the same parent
> > > and so a lot of theie 'physical' RAM is actually the same RAM as each
> > > other, because it's not been modified?
> > 
> > I see your point, but ps(1) talks about real physical RAM:
> > 
> > %mem%MEM  ratio of the process's resident set size  to the 
> > physical memory on the machine, expressed as a percentage.  (alias pmem).
> > 
> > If those php-fpm workers share a lot of virtual (?) memory between one
> > another, shouldn't `ps` show it as such?
> 
> You sum up this:
> 
> < php-fpm individual 1><   php-fpm      shared  >
> < php-fpm individual 2><   php-fpm      shared  >
> ...
> < php-fpm individual n><   php-fpm      shared  >
> 
> You summed up with awk: indivual[1..n] + n * shared

I summed up with awk the values of %mem, which are supposed to be "ratio
of the process's resident set size  to the physical memory", correct?

In my understanding, the value of %mem should indicate how much physical
memory is spent on the "individual" part of the process, otherwise the
parameter is either useless or misdocumented.

> 
> But the real memory sum is:  indivual[1..n] + 1 * shared
> 
> Do you see the difference?

I see your point but still don't understand how that comes from the
definition of "%mem" in the man page.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: Where is spamassassin's bayes database?

Victor Sudakov wrote: 
> Dear Colleagues,
> 
> Is anyone running Debian's default SpamAssassin package together with
> some MTA (exim, postfix etc)?
> 
> My question is, when SpamAssassin is accessed over the network
> (127.0.0.1:783), where does it keep its Bayesian database? 
> 
> A command like
> spamc -u nobody -L ham  < mail.txt
> 
> returns that "Message was already un/learned", but for the life of me,
> where is the database kept?
> 
> I've even tried setting bayes_path in local.cf, to no avail. Beats me.

/var/lib/spamassassin/.spamassassin

-dsr-

Where is spamassassin's bayes database?

Dear Colleagues,

Is anyone running Debian's default SpamAssassin package together with
some MTA (exim, postfix etc)?

My question is, when SpamAssassin is accessed over the network
(127.0.0.1:783), where does it keep its Bayesian database? 

A command like
spamc -u nobody -L ham  < mail.txt

returns that "Message was already un/learned", but for the life of me,
where is the database kept?

I've even tried setting bayes_path in local.cf, to no avail. Beats me.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: "ps -o %mem" and free memory in Linux

2020-09-29 Thread Klaus Singvogel

Victor Sudakov wrote:
> > Perhaps because the php-fpm workers were forked from the same parent
> > and so a lot of theie 'physical' RAM is actually the same RAM as each
> > other, because it's not been modified?
> 
> I see your point, but ps(1) talks about real physical RAM:
> 
> %mem%MEM  ratio of the process's resident set size  to the 
> physical memory on the machine, expressed as a percentage.  (alias pmem).
> 
> If those php-fpm workers share a lot of virtual (?) memory between one
> another, shouldn't `ps` show it as such?

You sum up this:

< php-fpm individual 1><   php-fpm      shared  >
< php-fpm individual 2><   php-fpm      shared  >
...
< php-fpm individual n><   php-fpm      shared  >

You summed up with awk: indivual[1..n] + n * shared

But the real memory sum is:  indivual[1..n] + 1 * shared

Do you see the difference?
 
Regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27

Re: "ps -o %mem" and free memory in Linux

On Tue, Sep 29, 2020 at 10:19:17PM +0700, Victor Sudakov wrote:

[...]

> Those are kind of virtual things, as far as I understand. If not %mem, then
> what `ps` parameter can show me how many php-fpm workers I can safely start
> before RAM is exhausted?

This is a seemingly easy question with a surprisingly difficult answer.

I don't have a good reference ready for you, but I poked a bit the
Intertubes and this [1] at least might give you a rough impression
of what kinds of things are involved.

Cheers

[1] 
https://stackoverflow.com/questions/131303/how-can-i-measure-the-actual-memory-usage-of-an-application-or-process

 - t

signature.asc
Description: Digital signature

Re: ssh session times out annoyingly fast, why?


On Tue, Sep 29, 2020 at 11:13:59AM -0400, Stefan Monnier wrote:

In general it's kind of dumb on modern hardware to expire sessions
that are still exchanging TCP keepalives unless you're under extreme
pressure from a DoS attack or somesuch.


Indeed, I'd be *very* surprised if a connection was dropped despite
exchange of TCP keepalives.  It seems much more likely that the
keepalives aren't used by the application (quite common and normal) or
that they get filtered somewhere.


Nope, it's reasonably common on the internet and a complete PITA.


But people rarely get to choose the other end's firewall
configuration, so enter kludges like the ssh protocol keepalives.


According to `man ssh(d)_config` one reason to use SSH's `Clientalive` or
`ServerAlive` is that, contrary to TCP keepalives, it can't be spoofed.


The issue with spoofing is potentially *too much* keeping alive, and if 
you read further that can be relevant if you for some reason need to 
know that an ssh connection has died but (e.g.) a malicious third party 
is using TCP keepalives to prevent ssh from knowing that the other end 
is down. If the problem you're trying to solve is not enough keeping 
alive (that is, your ssh connection is dying) rather than too much 
keeping alive, this reason is irrelevant. The protocol keepalives 
*also* fix the problem of firewalls timing out connections with TCP
keepalives. I don't know why the man page doesn't just say that, maybe 
ideological opposition to accomodating firewall stupidity.

Re: "ps -o %mem" and free memory in Linux

to...@tuxteam.de wrote:
> On Tue, Sep 29, 2020 at 10:24:35AM +0700, Victor Sudakov wrote:
> > Dear Colleagues,
> > 
> > Could you please clarify for me how the following is possible. `ps` shows
> > that the php-fpm workers have occupied 62% of physical memory, while
> > `free` shows that only 1.3Gi (which is 17% of total RAM) is used:
> > 
> > $ ps axww -o cmd,%mem |awk '/php-fpm/{sum+=$NF}END{print sum}'
> 
> Ah, but you're adding the resident set sizes of many processes here,
> right?

Indeed, as written in the man page:

%mem%MEM  ratio of the process's resident set size  to the physical
memory on the machine, expressed as a percentage.  (alias pmem).

And it is even not mine, but Zabbix' idea, but that's another story.

> 
> Remember that they do share quite a bit of that set: libraries, binaries,
> and so on: you are counting that shared stuff more than once.

Those are kind of virtual things, as far as I understand. If not %mem, then
what `ps` parameter can show me how many php-fpm workers I can safely start
before RAM is exhausted?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

signature.asc
Description: PGP signature

Re: "ps -o %mem" and free memory in Linux

Tixy wrote:
> > 
> > Could you please clarify for me how the following is possible. `ps` shows
> > that the php-fpm workers have occupied 62% of physical memory, while
> > `free` shows that only 1.3Gi (which is 17% of total RAM) is used:
> > 
> > $ ps axww -o cmd,%mem |awk '/php-fpm/{sum+=$NF}END{print sum}'
> > 62.1
> > $ free -h
> >   totalusedfree  shared  buff/cache 
> > available
> > Mem:  7.5Gi   1.3Gi   4.4Gi   113Mi   1.8Gi
> > 5.8Gi
> > Swap:0B  0B  0B
> > $ 
> 
> Perhaps because the php-fpm workers were forked from the same parent
> and so a lot of theie 'physical' RAM is actually the same RAM as each
> other, because it's not been modified?

I see your point, but ps(1) talks about real physical RAM:

%mem%MEM  ratio of the process's resident set size  to the physical 
memory on the machine, expressed as a percentage.  (alias pmem).

If those php-fpm workers share a lot of virtual (?) memory between one
another, shouldn't `ps` show it as such?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/


signature.asc
Description: PGP signature

Re: ssh session times out annoyingly fast, why?

2020-09-29 Thread Stefan Monnier

> In general it's kind of dumb on modern hardware to expire sessions
> that are still exchanging TCP keepalives unless you're under extreme
> pressure from a DoS attack or somesuch.

Indeed, I'd be *very* surprised if a connection was dropped despite
exchange of TCP keepalives.  It seems much more likely that the
keepalives aren't used by the application (quite common and normal) or
that they get filtered somewhere.

> But people rarely get to choose the other end's firewall
> configuration, so enter kludges like the ssh protocol keepalives. 

According to `man ssh(d)_config` one reason to use SSH's `Clientalive` or
`ServerAlive` is that, contrary to TCP keepalives, it can't be spoofed.


Stefan

Re: ssh session times out annoyingly fast, why?

On Tue, Sep 29, 2020 at 10:44:13AM -0400, Michael Stone wrote:
> On Tue, Sep 29, 2020 at 04:34:06PM +0200, to...@tuxteam.de wrote:
> >Setting the socket option to keep alive "fixed" that.
> 
> You were lucky. ssh does that by default, so if ssh sessions are
> getting killed these days it's because the firewall ignores tcp
> keepalives when calculating timeouts. If you're in such an
> environment and can't fix the firewall, then every application needs
> to be written to explicitly
> exchange data when idle to keep connections alive.

It wasn't ssh in this case. It was a (Perl DBI) database connection,
which, by default, is silent on inactivity. So after one hour, the
NAT dropped it.

To set the keepalive option, I had to convince the application
provider to update its (then already paleontological) Perl version
to one in which setting the keepalive socket option was possible.

In the end, that helped.

(I first tried to talk the customer into hitting their data centre
provider with a Thick Ethernet cable, but wasn't successful, alas).

This was anoter long story on its own :)

If the above NAT is killing entries which send keepalives then
a Thick Ethernet cable probably won't help either. That's downright
malicious.

Cheers
 - t

signature.asc
Description: Digital signature

Re: crc not installed but rsync using it? ...

David Wright wrote: 
> On Tue 29 Sep 2020 at 15:50:35 (+0200), Albretch Mueller wrote:
> > On 9/24/20, Reco  wrote:
> > > On Thu, Sep 24, 2020 at 05:50:16PM +0200, Albretch Mueller wrote:
> > >> >> How do I get all packages to be locally installed using dpkg from a
> > >> >> public Windows machine?
> > >> >
> > >> > I'm not sure I understand this question or how it relates to the
> > >> > previous one.
> > >>
> > >>  How do I get the deb files in order to install locally (via dpkg
> > >> --install) the necessary utilities to run CRC32 and/or CRC64
> > >
> > > Typical Debian install has perl already, so you don't have to install
> > > anything - [1].
> > >
> > > [1] http://billauer.co.il/blog/2011/05/perl-crc32-crc-xs-module/
> > 
> >  But I don't see anything when I go:
> > 
> >  which crc, crc32, crc64 ...
> 
> Imagine you did find an executable called crc32. What would you do
> with it?
> 
> You find some data that's in an archive file called foo.zap. The
> program zap claims to include a crc32 check within the archive.
> Do you expect to type   crc32 --check foo.zap   and get some
> meaningful output, or what?

Would it be useful to suggest Reflections on Trusting Trust?
https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

-dsr-

Re: crc not installed but rsync using it? ...

2020-09-29 Thread David Wright

On Tue 29 Sep 2020 at 15:50:35 (+0200), Albretch Mueller wrote:
> On 9/24/20, Reco  wrote:
> > On Thu, Sep 24, 2020 at 05:50:16PM +0200, Albretch Mueller wrote:
> >> >> How do I get all packages to be locally installed using dpkg from a
> >> >> public Windows machine?
> >> >
> >> > I'm not sure I understand this question or how it relates to the
> >> > previous one.
> >>
> >>  How do I get the deb files in order to install locally (via dpkg
> >> --install) the necessary utilities to run CRC32 and/or CRC64
> >
> > Typical Debian install has perl already, so you don't have to install
> > anything - [1].
> >
> > [1] http://billauer.co.il/blog/2011/05/perl-crc32-crc-xs-module/
> 
>  But I don't see anything when I go:
> 
>  which crc, crc32, crc64 ...

Imagine you did find an executable called crc32. What would you do
with it?

You find some data that's in an archive file called foo.zap. The
program zap claims to include a crc32 check within the archive.
Do you expect to type   crc32 --check foo.zap   and get some
meaningful output, or what?

On Tue 29 Sep 2020 at 15:48:09 (+0200), Albretch Mueller wrote:
> On 9/26/20, Michael Stone  wrote:
> > On Sat, Sep 26, 2020 at 02:11:30PM +0200, Albretch Mueller wrote:
> >>On 9/25/20, Michael Stone  wrote:
> >>> Just one would be good enough (pick the sha256sum). What you're doing is
> >>> a waste of time. If you want to future proof then use sha3, via the
> >>> rhash package.
> >>
> >> Something that I have noticed is that texts are too close to people's
> >>hearts to expect for people to just be technical about them. I use
> >>those three algorithms because some people "understand", md5 and not
> >>sha###sum. I mean, you may get some legacy data with their md5sum but
> >>the maintainers of the data may not be around. Once I found an rsync
> >>log that included the CRC signatures, that is why I include these
> >>kinds fo algorithms.
> >
> > Sorry, still makes no sense and is a waste of time. You're creating new
> > hashes right now, it doesn't matter if someone else might have made some
> > other hash some other time.
> 
>  But how could you have some assurance that that data relates to what
> their users thought of to be?

You can't. That's not what CRCs are for. They're not cryptographic,
so they are useless for any type of assurance that the data is intact.
Anyone modifying the data merely has to recalculate a new CRC and
substitute is for the original.

CRCs are a quick check on data segments when you're transmitting
segments of a file. If a CRC doesn't agree with its segment, you
ask for its retransmission. At the end of the transfer, you might
do a final CRC check on the whole file, for speed, but it would
be pointless to keep the number, as compared with checking the
file's MD5/SHAnnn digest if that had been archived. That's why
md5sum and shaNNNsum have a -c option.

Cheers,
David.

Re: crc not installed but rsync using it? ...

2020-09-29 Thread Reco

Hi.

On Tue, Sep 29, 2020 at 03:50:35PM +0200, Albretch Mueller wrote:
> On 9/24/20, Reco  wrote:
> > On Thu, Sep 24, 2020 at 05:50:16PM +0200, Albretch Mueller wrote:
> >> >> How do I get all packages to be locally installed using dpkg from a
> >> >> public Windows machine?
> >> >
> >> > I'm not sure I understand this question or how it relates to the
> >> > previous one.
> >>
> >>  How do I get the deb files in order to install locally (via dpkg
> >> --install) the necessary utilities to run CRC32 and/or CRC64
> >
> > Typical Debian install has perl already, so you don't have to install
> > anything - [1].
> >
> > [1] http://billauer.co.il/blog/2011/05/perl-crc32-crc-xs-module/
> 
>  But I don't see anything when I go:
> 
>  which crc, crc32, crc64 ...

What I meant is it's trivial to implement these in perl, as [1] shows
us.

Reco

Re: ssh session times out annoyingly fast, why?


On Tue, Sep 29, 2020 at 04:34:06PM +0200, to...@tuxteam.de wrote:

Setting the socket option to keep alive "fixed" that.


You were lucky. ssh does that by default, so if ssh sessions are getting 
killed these days it's because the firewall ignores tcp keepalives when 
calculating timeouts. If you're in such an environment and can't fix the 
firewall, then every application needs to be written to explicitly

exchange data when idle to keep connections alive.

Re: ssh session times out annoyingly fast, why?

On Tue, Sep 29, 2020 at 04:22:32PM +0200, to...@tuxteam.de wrote:

On Tue, Sep 29, 2020 at 08:18:54AM -0400, Michael Stone wrote:

On Wed, Sep 23, 2020 at 03:48:56PM -0400, Greg Wooledge wrote:
>The normal reason people need to use ServerAlive or ClientAlive is NAT.
>If your connection from ssh client to ssh server goes through a NAT
>router, the router may keep track of activity on that connection, and
>drop the translation when it goes idle for 5 minutes or so.  Forcing the
>*Alive packets to happen every few minutes prevents a NAT timeout.

This is a stateful firewall thing, not a NAT thing

That depends on what Greg means by "activity". NAT has to keep a
map of (internal IP, internal local port) to external local port
to do the translation (the so-called "translation table"). Since
it'd grow without bounds whenever one side drops the connection,
it's customary to let NAT table entries to expire after some
inactivity (typical: 1h, but network admins are known to be a
capricious species ;-)

So Greg is probably right. NAT is, in its own way, stateful.

NAT is a special case of a stateful firewall. You can get rid of NAT but 
basically the entire modern internet has stateful firewalls so getting 
rid of NAT won't make the problem at hand go away. The basic connection 
state tables and NAT state tables track basically the same information 
using the same algorithms for session start & stop, have the same issues 
with potentially leaking entries if hosts disappear, and have the same 
strategy of expiring inactive entries. 

In general it's kind of dumb on modern hardware to expire sessions that 
are still exchanging TCP keepalives unless you're under extreme pressure 
from a DoS attack or somesuch. (Modern devices just don't have the 
memory constraints that were an issue 20 years ago and don't need to 
aggressively prune sessions that are actively advertising that they're 
alive.) But people rarely get to choose the other end's firewall 
configuration, so enter kludges like the ssh protocol keepalives.

Re: ssh session times out annoyingly fast, why?

On Tue, Sep 29, 2020 at 04:22:32PM +0200, to...@tuxteam.de wrote:

Following up on myself: I had exactly this case with an (outsourced)
data centre: they had NATs between different realms (you might ask
"why, oh, why?" and you'd be right). The application server and the
database server were separated by a NAT. To add insult to injury,
ICMP "not reachable" packets were filtered. The database connection
NAT entry timed out from time to time. It took a timeout of several
minutes for the application to notice that and to reconnect.

Lots of hilarity ensued.

Setting the socket option to keep alive "fixed" that.

Cheers
 - t




signature.asc
Description: Digital signature

Re: ssh session times out annoyingly fast, why?

On Tue, Sep 29, 2020 at 08:18:54AM -0400, Michael Stone wrote:
> On Wed, Sep 23, 2020 at 03:48:56PM -0400, Greg Wooledge wrote:
> >The normal reason people need to use ServerAlive or ClientAlive is NAT.
> >If your connection from ssh client to ssh server goes through a NAT
> >router, the router may keep track of activity on that connection, and
> >drop the translation when it goes idle for 5 minutes or so.  Forcing the
> >*Alive packets to happen every few minutes prevents a NAT timeout.
> 
> This is a stateful firewall thing, not a NAT thing

That depends on what Greg means by "activity". NAT has to keep a
map of (internal IP, internal local port) to external local port
to do the translation (the so-called "translation table"). Since
it'd grow without bounds whenever one side drops the connection,
it's customary to let NAT table entries to expire after some
inactivity (typical: 1h, but network admins are known to be a
capricious species ;-)

So Greg is probably right. NAT is, in its own way, stateful.

Cheers
 - t

signature.asc
Description: Digital signature

Re: crc not installed but rsync using it? ...

> If you want to defend against on-disk corruption, use ZFS.

> If you want to be alerted to every change to a set of files, use
> tripwire or aide. Both are packaged for Debian.

> ...

 Really?!? Well, I would say that is only part of the story and not
even the most interesting one. I am amazed to notice at times
technical people talking like it is all so obvious that if you don't
see things that way it is because "you are 'too' paranoid".

> Your paranoia is excessive ...

 Or maybe your normalcy bias is? or both?

On 9/25/20, Michael Stone  wrote:
> On Fri, Sep 25, 2020 at 09:01:26AM -0400, Gene Heskett wrote:
>>Your paranoia is excessive. I have 5 machines online ATM, but they are
>>all on a local network in the 1902.168.xx.xx block, which is NOT
>>routable from the internet but are NAT'd to my net address by having
>>such a setup in a router running dd-wrt. In nearly 2 decades, no one has
>>come into my systems from the internet that I didn't give the
>>credentials to do so.
>
> You post this all the time, but it's irrelevant at best and misleading
> at worst. On a default debian system these days an external firewall is
> basically a noop because there are no services listening. The attack
> vector in modern environments is much more likely to be client exploits
> (e.g., web browser) and a perimeter firewall adds zero protection from
> that threat.
>
> And, honestly, most people who are compromised have no clue that they
> are unless someone tells them.

 Thank you! This I am relating may be considered to be totally off
topic in the Debian Linux mailing list by most people or maybe not. In
my case I have constantly noticed how they use js to own my box, from
blocking access to certain sites, to multiversing real time the sites
I go to. Just to cite an example, you google your crush or go to her
pages and what you get are pages with people with bruises on their
faces, pictures of bed bugs, bed bugs' bites on people's skin, ...
They also make single individuals and a bunch of "social
responsibility committee" kinds of people scratch their body around in
quite theatrical ways when you are on the streets:

https://theintercept.com/2016/04/09/fbis-shared-responsibility-committees-to-identify-radicalized-muslims-raises-alarms/

 You could figure out what would happen next and who could possibly
horizontally and vertically orchestrate, coordinate, pay and legally
protect the perpetrators doing such things.

 I don't know of a single "secure"/"private" OS, software stack or any
such approaches being taken seriously. Do you?

 To me those concepts are a joke when it comes to computers. IT
companies tell people: "we care about your privacy" and "We the
people" don't even realize what a callous joke that is on so many
levels. If they care about "one's own privacy" (as they say) that
tacitly means you have no privacy whatsoever! Maybe I am too old, too
romantic. It is my understanding of that thing they used to call
"privacy", it was something only one could possibly take care of by
oneself. The only "private"/"secure" way to own you computer to me (as
I heard Linus Torvalds once say making all kinds of faces) is never
connecting it to the Internet

On 9/29/20, Albretch Mueller  wrote:
> On 9/25/20, Jonathan Dowland  wrote:
>> On Thu, Sep 24, 2020 at 05:58:49PM -0500, David Wright wrote:
>>>I can't believe the answer is as simple as visiting
>>>https://packages.debian.org/index
>>>and downloading the packages you want (in binary mode).
>>
>> Plus (possibly several) iterations of downloading the dependencies,
>> and their dependencies, etc., cross-referencing against your installed
>> package list (if you have it) to trim down the list.
>
>  OK, you are talking right there about what I need:
>
>  Is there such a thing as a java program (which could be used also on
> WIndows or a mac) which you could tell which Debian package you need
> and your Debian Release and it would download all pacakges you need
> and even tell you the sequence in which  you have to install htem?
>
>>
>>
>> --
>> Please do not CC me, I am subscribed to the list.
>>
>>    Jonathan Dowland
>> ✎ j...@debian.org
>> https://jmtd.net
>>
>>
>

Re: crc not installed but rsync using it? ...

On 9/25/20, Jonathan Dowland  wrote:
> On Thu, Sep 24, 2020 at 05:58:49PM -0500, David Wright wrote:
>>I can't believe the answer is as simple as visiting
>>https://packages.debian.org/index
>>and downloading the packages you want (in binary mode).
>
> Plus (possibly several) iterations of downloading the dependencies,
> and their dependencies, etc., cross-referencing against your installed
> package list (if you have it) to trim down the list.

 OK, you are talking right there about what I need:

 Is there such a thing as a java program (which could be used also on
WIndows or a mac) which you could tell which Debian package you need
and your Debian Release and it would download all pacakges you need
and even tell you the sequence in which  you have to install htem?

>
>
> --
> Please do not CC me, I am subscribed to the list.
>
> Jonathan Dowland
> ✎  j...@debian.org
>  https://jmtd.net
>
>

Re: crc not installed but rsync using it? ...

On 9/24/20, Reco  wrote:
> On Thu, Sep 24, 2020 at 05:50:16PM +0200, Albretch Mueller wrote:
>> >> How do I get all packages to be locally installed using dpkg from a
>> >> public Windows machine?
>> >
>> > I'm not sure I understand this question or how it relates to the
>> > previous one.
>>
>>  How do I get the deb files in order to install locally (via dpkg
>> --install) the necessary utilities to run CRC32 and/or CRC64
>
> Typical Debian install has perl already, so you don't have to install
> anything - [1].
>
> Reco
>
> [1] http://billauer.co.il/blog/2011/05/perl-crc32-crc-xs-module/

 But I don't see anything when I go:

 which crc, crc32, crc64 ...

Re: crc not installed but rsync using it? ...

On 9/26/20, Michael Stone  wrote:
> On Sat, Sep 26, 2020 at 02:11:30PM +0200, Albretch Mueller wrote:
>>On 9/25/20, Michael Stone  wrote:
>>> Just one would be good enough (pick the sha256sum). What you're doing is
>>> a waste of time. If you want to future proof then use sha3, via the
>>> rhash package.
>>
>> Something that I have noticed is that texts are too close to people's
>>hearts to expect for people to just be technical about them. I use
>>those three algorithms because some people "understand", md5 and not
>>sha###sum. I mean, you may get some legacy data with their md5sum but
>>the maintainers of the data may not be around. Once I found an rsync
>>log that included the CRC signatures, that is why I include these
>>kinds fo algorithms.
>
> Sorry, still makes no sense and is a waste of time. You're creating new
> hashes right now, it doesn't matter if someone else might have made some
> other hash some other time.

 But how could you have some assurance that that data relates to what
their users thought of to be?

Re: ssh session times out annoyingly fast, why?


On Tue, Sep 29, 2020 at 08:44:18AM -0400, Gene Heskett wrote:

This is likely quite true Michael, but it also is only a hint as to how
to fix it for the OP.


It was already fixed, serveraliveinterval/clientaliveinterval is the 
right answer. I guess I can review: these options simply have the client 
& server exchange an encrypted "are you here" message every N seconds to 
prevent the firewall from timing out the connection. tcpkeepalives won't 
do that, as the firewall can see that there is no actual data being 
transferred and may still timeout idle connections.


All that aside, it's important to be precise about what functionality is 
related to NAT and what functionality is related to firewalling. 
Imprecision about these concepts leads to all sorts of (wrong) ideas 
like "you need NAT to be secure".

Re: ssh session times out annoyingly fast, why?

2020-09-29 Thread Gene Heskett

On Tuesday 29 September 2020 08:18:54 Michael Stone wrote:

> On Wed, Sep 23, 2020 at 03:48:56PM -0400, Greg Wooledge wrote:
> >The normal reason people need to use ServerAlive or ClientAlive is
> > NAT. If your connection from ssh client to ssh server goes through a
> > NAT router, the router may keep track of activity on that
> > connection, and drop the translation when it goes idle for 5 minutes
> > or so.  Forcing the *Alive packets to happen every few minutes
> > prevents a NAT timeout.
>
> This is a stateful firewall thing, not a NAT thing

This is likely quite true Michael, but it also is only a hint as to how 
to fix it for the OP. I  maintain 8 to 12 such ssh connections here to 
my othermachines, establishing them at boot time, but all are local 
192.168.xx.xx addresses so not NAT'd going either direction, so I am not 
affected. I would be upset if I was.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page

Re: ssh session times out annoyingly fast, why?


On Wed, Sep 23, 2020 at 03:48:56PM -0400, Greg Wooledge wrote:

The normal reason people need to use ServerAlive or ClientAlive is NAT.
If your connection from ssh client to ssh server goes through a NAT
router, the router may keep track of activity on that connection, and
drop the translation when it goes idle for 5 minutes or so.  Forcing the
*Alive packets to happen every few minutes prevents a NAT timeout.


This is a stateful firewall thing, not a NAT thing

Re: Possible bug in mediawiki package (1.27.7-1~deb9u4)

2020-09-29 Thread Roberto C . Sánchez

On Tue, Sep 29, 2020 at 11:48:40AM +0200, MAS Jean-Louis wrote:
> Le 28/09/2020 à 13:57, Roberto C. Sánchez a écrit :
> 
> > Note that the mediawiki package is handled by the LTS team.  It is not
> > incorrect to discuss issues like this on debian-user, but a better place
> > is the debian-lts list.  Many LTS users and all of the LTS maintainers
> > monitor that list.
> 
> Got it
> 
> > As to your specific issue ...
> 
> > This is definitely a newly introduced defect.  I am in the process of
> > preparing an update to correct this.  It should be available later on
> > today (US/Eastern time).
> 
> OK, thanks for replying and for fixing the bug so quickly.
> 
> I just updated the new mediawiki packages on one of our mediawiki
> servers and all went fine.
> The others ones will be updated during the night (UTC+0200).
> 
Thanks very much for following up to report that everything is now in
order and thank you also for you patience with the defective update.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: problème ouverture image debian AMD64

2020-09-29 Thread Bernard Schoenacker




- Mail original -
> De: "Sihol" 
> À: debian-user-french@lists.debian.org
> Envoyé: Mardi 29 Septembre 2020 02:36:54
> Objet: problème ouverture image debian AMD64
> 
> Bonjour,
> 
> j’ai un macbook Air 2015 version 10.15.7 1,6 Ghz intel i5 8Go Ram.
> apres avoir télécharger l’image stable
> debian-10.6.0-amd64-xfce-CD-1.ISO, j’ai essayer de l’ouvrir et à
> chaque fois que je tente de l’ouvrir ou d’ouvrir un autre j’ai une
> fenêtre « avertissement » qui s’ouvre et qui me donne le message «
> aucun système de fichiers montables »
> Comment je peux  régler se problème et ouvrir cet image dans le
> VirtualBox ?
> 
> Merci
> Lohiss T


bonjour,

en premier il faut télécharger l'image ISO et la vérifier (cf script en mp)

attention à la syntaxe BSD pour SHA256

ensuite, la doc est précise :

 https://docs.oracle.com/cd/E26217_01/E35193/html/qs-create-vm.html


cordialement

Bernard

GNU Guix

2020-09-29 Thread Cuckoo's Calling

Hello All,

I came across an amazing project called GNU Guix.

So, I made an animation to introduce the novel concepts of this project.

Here is the link for the video,
https://gnuguix-drive.mycozy.cloud/public?sharecode=YvERPGX14g5S

Please leave me a feedback on your experience.

Cheers,
Cuckoo's Calling.

Re: Problema con bluetooth en Buster

2020-09-29 Thread Camaleón

El 2020-09-29 a las 10:05 +0200, Josu Lazkano escribió:

> He instalado Debian Buster un mini PC (
> https://www.ecs.com.tw/ECSWebSite/Product/Product_LIVA/ES/LIVA), pero me da
> problemas el bluetooth:
> 
> [4.859123] Bluetooth: hci0: BCM: chip id 84
> [4.859634] Bluetooth: hci0: BCM: features 0x0f
> [4.860790] Bluetooth: hci0: BCM4324B3
> [4.860797] Bluetooth: hci0: BCM4324B3 (002.004.006) build 
> [4.876567] bluetooth hci0: firmware: failed to load brcm/BCM4324B3.hcd
> (-2)

(...)

> Creo que he metido bien el firmware, ¿me podéis ayudar con esto?

Revisa este bug de Ubuntu, y verifica que hayas cargado el firmware 
correcto y en la ubicación adecuada:

Broadcom Bluetooth brcm/BCM.hcd firmware not found 
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1743336

Saludos,

-- 
Camaleón

[SOLVED] Re: Riddling activity on encrypted and mounted partition

2020-09-29 Thread Thomas Schmitt

Hi,

Andy Smith wrote:
> Could it possibly be the lazy init feature of ext4, which is enabled
> by default and can sometimes result in several minutes of background
> writes to a newly-created fs?

Well, the blinking went on for at least an hour.

> Create with:
>mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0

This lasts significantly longer than my first mkfs run.
The drive makes ~ 1950 write operations per second. So i estimate that
the job would have lasted hours with ~ 16 writes per second.
In the end mkfs.ext4 caused 733702 write ops on the 3.6 TB partition.

Ok. New UUID into fstab ... mount ... mkdir ... touch ... Yay !

The i/o is still lazy (no wonder with 32 GB RAM), but after about a minute
i see no newly counted writes.

Thanks a lot !

Have a nice day :)

Thomas

Re: Riddling activity on encrypted and mounted partition

2020-09-29 Thread Andy Smith

Hello,

On Tue, Sep 29, 2020 at 10:24:44AM +0200, Thomas Schmitt wrote:
> i have encrypted my HDD's (*) data partition. Now the disk access LED is
> blinking rapidly as soon as i mount it.

Could it possibly be the lazy init feature of ext4, which is enabled
by default and can sometimes result in several minutes of background
writes to a newly-created fs?


https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bfff68738f1cb5c93dab1114634cea02aae9e7ba
https://www.thomas-krenn.com/en/wiki/Ext4_Filesystem#Lazy_Initialization

Create with:

mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 …

to avoid this sort of thing.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: Possible bug in mediawiki package (1.27.7-1~deb9u4)

2020-09-29 Thread MAS Jean-Louis

Le 28/09/2020 à 13:57, Roberto C. Sánchez a écrit :

> Note that the mediawiki package is handled by the LTS team.  It is not
> incorrect to discuss issues like this on debian-user, but a better place
> is the debian-lts list.  Many LTS users and all of the LTS maintainers
> monitor that list.

Got it

> As to your specific issue ...

> This is definitely a newly introduced defect.  I am in the process of
> preparing an update to correct this.  It should be available later on
> today (US/Eastern time).

OK, thanks for replying and for fixing the bug so quickly.

I just updated the new mediawiki packages on one of our mediawiki
servers and all went fine.
The others ones will be updated during the night (UTC+0200).

Regards


-- 
Jean Louis Mas



smime.p7s
Description: Signature cryptographique S/MIME

Re: "ps -o %mem" and free memory in Linux