Re: le réseau pour les nuls ?

[raphael . broussier]

Merci à tous pour vos réponses et vos liens !



J'ai un peu de mal avec l'anglais ... mais j'ai tellement envie que ça marche 
que je vais me forcer un peu :)



Y'à pu qu'à potasser tout ça et faire des tests


Bonne journée à tous,

David



De : François LE GAD 
À : debian-user-french@lists.debian.org
Sujet : Re: le réseau pour les nuls ?
Date : 02/02/2021 11:37:01 Europe/Paris

Le 02/02/2021 à 08:28, david...@mailo.com a écrit :
> Je suis novice (nul ?) en réseaux domestiques, mais j'aimerais que 
> n'importe quel ordinateur puisse partager de fichiers avec les autres, 
> imprimer sur l'imprimante réseau et qu'on puisse regarder des dvd à 
> partir du lecteur-dvd-réseau.

Si ta box le permet, tu y branches :
- un disque dur ou une clé USB en partage Samba
- l'imprimante (USB, ethernet ou wifi). Normalement, Cups doit la 
détecter à l'installation.
- Pour le lecteur DVD, je ne sais pas. Un partage Samba peut-être ?

-- 
François

[SOLVED} Re: "Run fsck manually"..?

[hobie of RMN]

> On Wed, Feb 03, 2021 at 01:41:54AM +, Andy Smith wrote:
>> On Tue, Feb 02, 2021 at 07:13:16PM -0500, hobie of RMN wrote:
>> > He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
>> > identifying it's version, and nothing else.
>>
>> There can be issues trying to run fsck on a mounted filesystem. What
>> happens if you do:
>>
>> # touch /forcefsck
>
> Oh, sorry, I missed your mention of (initramfs) prompt. So your
> filesystem is too damaged to allow boot to complete and you won't be
> able to do that "touch /forcefsck" thing.
>
> If fsck is just printing its version it may think it doesn't need to
> be run. You can force it to do a check/repair with "-f", so:
>
> (initramfs) fsck.ext4 -vf /dev/sda1
>
> If it find things that it wants to fix it will ask yuo and you'll
> have to press 'y' each time. If you're certain that you always want
> to answer 'y' then you can ctrl-c that and try again with -y:
>
> (initramfs) fsck.ext4 -yvf /dev/sda1
>
> If you want to see what it would do without it actually doing it you
> can use -n instead of -y.
>
> Cheers,
> Andy

Thanks, Andy and everyone. :)  From the (initramfs) prompt, fsck -y
/dev/sda1 did the job. :) My brother finally realized he'd entered an
extra character originally, causing fsck to fail on his original attempt -
he had entered "./dev/sda1" instead of "/dev/sda1" - so removing that '.'
was part of solving this.  Like so many these days, he spends mos or all
of his time in the GUI rather than at the command line.

--hobie

Re: AMD GPU + HDMI + vlc = lockup

[Felix Miata]

Kamil Jońca composed on 2021-02-02 21:37 (UTC+0100):
...
> kjonca@alfa:~%uname -a
> Linux alfa 5.10.0-2-amd64 #1 SMP Debian 5.10.9-1 (2021-01-20) x86_64 GNU/Linux
> kjonca@alfa:~%cat /etc/debian_version 
> bullseye/sid
 
> This is sid upgraded ~ weekly.

How quickly after video start does this happen, right away, or only after a 
while?

I tried with Bullseye, and it seems OK still after playing 20+ minutes out of 58
of satellite source recording of CBS' main high bitrate MPEG-4 stream, with VLC
on the VGA 1680x1050 in fullscreen mode. Switching to the HDMI 1920x1200 it's 
still
working, with top showing vlc around 320% CPU:

# inxi -C
CPU:
  Info: Quad Core model: AMD Phenom II X4 965 bits: 64 type: MCP  L2 cache: 2 
MiB
  Speed: 3400 MHz min/max: 800/3400 MHz Core speeds (MHz): 1: 3400 2: 3400  3: 
3400 4: 3400
# inxi -GISay
System:
  Host: ga970 Kernel: 5.10.0-2-amd64 x86_64 bits: 64...
  Desktop: Trinity R14.0.10 tk: Qt 3.5.0 info: kicker wm: Twin 3.0 dm: TDM
  Distro: Debian GNU/Linux bullseye/sid
Graphics:
  Device-1: AMD Cedar [Radeon HD 5000/6000/7350/8350 Series]
  vendor: PC Partner Limited driver: radeon v: kernel bus ID: 01:00.0
  chip ID: 1002:68f9 class ID: 0300
  Display: x11 server: X.Org 1.20.10 driver: loaded: modesetting
  display ID: :0 screens: 1
  Screen-1: 0 s-res: 3600x1200 s-dpi: 108 s-size: 846x282mm (33.3x11.1")
  s-diag: 892mm (35.1")
  Monitor-1: HDMI-1 res: 1920x1200 hz: 60 dpi: 94 size: 519x324mm (20.4x12.8")
  diag: 612mm (24.1")
  Monitor-2: VGA-1 res: 1680x1050 hz: 60 dpi: 90 size: 474x296mm (18.7x11.7")
  diag: 559mm (22")
  OpenGL: renderer: llvmpipe (LLVM 11.0.1 128 bits) v: 4.5 Mesa 20.3.3
  compat-v: 3.1 direct render: Yes
Info:...Shell: Bash v: 5.1.4 running in: konsole inxi: 3.3.00
# dmesg | grep adeon
[   38.052237] [drm] radeon kernel modesetting enabled.
[   38.387770] fb0: switching to radeondrmfb from VESA VGA
[   38.388095] radeon :01:00.0: vgaarb: deactivate vga console
[   38.389555] radeon :01:00.0: VRAM: 1024M 0x - 
0x3FFF (1024M used)
[   38.389561] radeon :01:00.0: GTT: 1024M 0x4000 - 
0x7FFF
[   38.389820] [drm] radeon: 1024M of VRAM memory ready
[   38.389824] [drm] radeon: 1024M of GTT memory ready.
[   38.926339] radeon :01:00.0: firmware: direct-loading firmware 
radeon/CEDAR_pfp.bin
[   39.013160] radeon :01:00.0: firmware: direct-loading firmware 
radeon/CEDAR_me.bin
[   39.07] radeon :01:00.0: firmware: direct-loading firmware 
radeon/CEDAR_rlc.bin
[   39.526315] radeon :01:00.0: firmware: direct-loading firmware 
radeon/CEDAR_smc.bin
[   39.554674] [drm] radeon: dpm initialized
[   39.774437] radeon :01:00.0: firmware: direct-loading firmware 
radeon/CYPRESS_uvd.bin
[   39.778359] [drm] enabling PCIE gen 2 link speeds, disable with 
radeon.pcie_gen2=0
[   39.794951] radeon :01:00.0: WB enabled
[   39.794958] radeon :01:00.0: fence driver on ring 0 use gpu addr 
0x4c00
[   39.794963] radeon :01:00.0: fence driver on ring 3 use gpu addr 
0x4c0c
[   39.795338] radeon :01:00.0: fence driver on ring 5 use gpu addr 
0x0005c418
[   39.795763] radeon :01:00.0: radeon: MSI limited to 32-bit
[   39.795872] radeon :01:00.0: radeon: using MSI.
[   39.795914] [drm] radeon: irq initialized.
[   40.686752] [drm] Radeon Display Connectors
[   40.794401] fbcon: radeondrmfb (fb0) is primary device
[   40.894386] radeon :01:00.0: [drm] fb0: radeondrmfb frame buffer device
[   40.917823] [drm] Initialized radeon 2.50.0 20080528 for :01:00.0 on 
minor 0
-- 
Evolution as taught in public schools, like religion,
is based on faith, not on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: Firefox problem

[Charles Curley]

On Tue, 2 Feb 2021 23:12:52 - (UTC)
Frank Miles  wrote:

> With the most recent Firefox update, some of the widgets on a 
> Bibliocommons (library) website cease working.  They still work
> either using the Epiphany browser, or my android phone.
> 
> Any recommendations on how I might debug this?

Sometimes Firefox loses its marbles. To check on this, shut Firefox
down, move ~/.mozilla aside (rename it), then start Firefox up again.

If that solves the problem, you have some re-installing to do. If that
doesn't solve the problem, reverse the above.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Re: "Run fsck manually"..?

[David Wright]

On Wed 03 Feb 2021 at 01:41:54 (+), Andy Smith wrote:
> 
> On Tue, Feb 02, 2021 at 07:13:16PM -0500, hobie of RMN wrote:
> > My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
> > UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part of
> > a corrupted orphan linked list found."
> > 
> > He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
> > identifying it's version, and nothing else.
> 
> There can be issues trying to run fsck on a mounted filesystem. What
> happens if you do:
> 
> # touch /forcefsck

I think this is somewhat out of date, is it not.

I force fsck by adding   forcefsck   in grub, ie press e in
the grub menu, move the cursor to the end of the linux line,
type forcefsck and press Ctrl-X or F10 to boot. For example,

  linux /boot/vmlinuz-4.19.0-14-amd64 root=LABEL=toto04 ro 
systemd.show_status=true quiet forcefsck

> That will force the system to do a fsck on boot, before the
> filesystem is mounted for use. If that doesn't help I think you will
> indeed have to try this from a live or rescue environment. The
> Debian install media can boot into a rescue mode for tasks like
> this.

Cheers,
David.

Re: Firefox problem

[Georgi Naplatanov]

On 2/3/21 1:12 AM, Frank Miles wrote:
> With the most recent Firefox update, some of the widgets on a 
> Bibliocommons (library) website cease working.  They still work
> either using the Epiphany browser, or my android phone.
> 
> Any recommendations on how I might debug this?
> 
> Running DebianAmd64 'Buster'.
> 


Hi Frank,

you can try to reproduce the issue with most recent version of Firefox.
Just download Firefox archive (from mozilla.org) somewhere under your
home folder, unpack it and start it. If the issue is not reproducible
then you can to open bug report for regression.

Kind regards
Georgi

Re: "Run fsck manually"..?

[Andy Smith]

On Wed, Feb 03, 2021 at 01:41:54AM +, Andy Smith wrote:
> On Tue, Feb 02, 2021 at 07:13:16PM -0500, hobie of RMN wrote:
> > He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
> > identifying it's version, and nothing else.
> 
> There can be issues trying to run fsck on a mounted filesystem. What
> happens if you do:
> 
> # touch /forcefsck

Oh, sorry, I missed your mention of (initramfs) prompt. So your
filesystem is too damaged to allow boot to complete and you won't be
able to do that "touch /forcefsck" thing.

If fsck is just printing its version it may think it doesn't need to
be run. You can force it to do a check/repair with "-f", so:

(initramfs) fsck.ext4 -vf /dev/sda1

If it find things that it wants to fix it will ask yuo and you'll
have to press 'y' each time. If you're certain that you always want
to answer 'y' then you can ctrl-c that and try again with -y:

(initramfs) fsck.ext4 -yvf /dev/sda1

If you want to see what it would do without it actually doing it you
can use -n instead of -y.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Rey Paderna]

I think the most obvious method is to go to 
https://lists.debian.org/debian-user/, put your email and then 
unsubscribe.  Unfortunately this method does not work.

Re: "Run fsck manually"..?

[hobie of RMN]

> You might have to boot from a recovery CD image, such as a Debian live
> install image, or GParted Live. You can't actually run fsck on a drive
> while said drive is mounted.

Thank, Jeremy.  But - is /dev/sda1 mounted at this point?  Isn't it being
indicated to us that it can't be successfully mounted? (Thinking of the
Busybox appearance and (intramfs) reference.)


> On Tue, 2 Feb 2021 at 19:24, Stefan Monnier 
> wrote:
>
>> >> My brother's Debian system suddenly says on attempt to boot,
>> "/dev/sda1:
>> >> UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were
>> part
>> of
>> >> a corrupted orphan linked list found."
>> >>
>> >> He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
>> >> identifying it's version, and nothing else.  Tha appears to take
>> place
>> >> from (initramfs) and Busybox.  An attempt to reboot just starts the
>> >> problem all over again.
>> >>
>> >> We'd be grateful for help with this.  Thanks.
>> >>
>> > hello,
>> >
>> > fsck -fy /dev/sda1 is probably what you want
>>
>> Then again, after the "UNEXPECTED INCONSISTENCY", the `-f` flag to
>> `fsck` shouldn't be needed.  This is weird.
>>
>>
>> Stefan
>>
>>
>

Re: "Run fsck manually"..?

[Andy Smith]

Hi,

On Tue, Feb 02, 2021 at 07:13:16PM -0500, hobie of RMN wrote:
> My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
> UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part of
> a corrupted orphan linked list found."
> 
> He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
> identifying it's version, and nothing else.

There can be issues trying to run fsck on a mounted filesystem. What
happens if you do:

# touch /forcefsck
# reboot

?

That will force the system to do a fsck on boot, before the
filesystem is mounted for use. If that doesn't help I think you will
indeed have to try this from a live or rescue environment. The
Debian install media can boot into a rescue mode for tasks like
this.

The only time I've had something like this was when I created an
ext4 filesystem in Debian buster and then used it as a root
filesystem for CentOS 7.

The ext code in buster used a new filesystem feature that isn't
present in the ext4 driver in CentOS 7, so when CentOS 7 tried to
mount its root filesystem it said there were "inconsistencies" every
time. Yet doing a fsck in CentOS or trying the /forcefsck strategy I
mentioned above just said the filesystem was fine, and the
filesystem seemed fine in everyday use.

This was because the fsck in CentOS also could not understand the
new filesystem feature.

In the end I had to fsck it from Debian buster and then remove the
feature with tune2fs. CentOS 7 was happy with it then.

I am not saying this is what has happened to you. I'm just giving an
example of one weird set of circumstances that can lead to something
like this.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: debian stable kernel not updating on one machine

[Andy Smith]

Hi,

On Tue, Feb 02, 2021 at 04:13:36PM -0700, D. R. Evans wrote:
> I see that synaptic lists 4.19.0-14-amd64 as being available in
> the repository; and, indeed, on another machine I updated earlier
> in the day the kernel was updated from -13 to -14.
> 
> How might I be able to diagnose why the files relating to the -14 kernel are
> not selected when I hit synaptic's "Mark All Upgrades" button?

I don't know about synaptic as I don't use it. What does:

$ dpkg -l | grep linux-image

say?

Perhaps you do not have the virtual package "linux-image-amd64" for
some reason. That package depends upon the latest actual kernel
package, so causes you to see upgrades.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: "Run fsck manually"..?

[Jeremy Andrews]

You might have to boot from a recovery CD image, such as a Debian live
install image, or GParted Live. You can't actually run fsck on a drive
while said drive is mounted.

On Tue, 2 Feb 2021 at 19:24, Stefan Monnier 
wrote:

> >> My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
> >> UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part
> of
> >> a corrupted orphan linked list found."
> >>
> >> He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
> >> identifying it's version, and nothing else.  Tha appears to take place
> >> from (initramfs) and Busybox.  An attempt to reboot just starts the
> >> problem all over again.
> >>
> >> We'd be grateful for help with this.  Thanks.
> >>
> > hello,
> >
> > fsck -fy /dev/sda1 is probably what you want
>
> Then again, after the "UNEXPECTED INCONSISTENCY", the `-f` flag to
> `fsck` shouldn't be needed.  This is weird.
>
>
> Stefan
>
>

Re: "Run fsck manually"..?

[Stefan Monnier]

>> My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
>> UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part of
>> a corrupted orphan linked list found."
>>
>> He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
>> identifying it's version, and nothing else.  Tha appears to take place
>> from (initramfs) and Busybox.  An attempt to reboot just starts the
>> problem all over again.
>>
>> We'd be grateful for help with this.  Thanks.
>>
> hello,
>
> fsck -fy /dev/sda1 is probably what you want

Then again, after the "UNEXPECTED INCONSISTENCY", the `-f` flag to
`fsck` shouldn't be needed.  This is weird.


Stefan

Re: "Run fsck manually"..?

[Jessica Litwin]

On 2/2/21 19:13, hobie of RMN wrote:

My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part of
a corrupted orphan linked list found."

He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
identifying it's version, and nothing else.  Tha appears to take place
from (initramfs) and Busybox.  An attempt to reboot just starts the
problem all over again.

We'd be grateful for help with this.  Thanks.


hello,

fsck -fy /dev/sda1 is probably what you want

"Run fsck manually"..?

[hobie of RMN]

My brother's Debian system suddenly says on attempt to boot, "/dev/sda1:
UNEXPECTED INCONSISTENCY:Runfsck manually", and, "inodes that were part of
a corrupted orphan linked list found."

He enters "fsck" or "fsck /dev/sda1", and in a short while gets fsck
identifying it's version, and nothing else.  Tha appears to take place
from (initramfs) and Busybox.  An attempt to reboot just starts the
problem all over again.

We'd be grateful for help with this.  Thanks.

Firefox problem

[Frank Miles]

With the most recent Firefox update, some of the widgets on a 
Bibliocommons (library) website cease working.  They still work
either using the Epiphany browser, or my android phone.

Any recommendations on how I might debug this?

Running DebianAmd64 'Buster'.

Thanks for any suggestions!
  -Frank

Re: debian stable kernel not updating on one machine

[Jeremy Andrews]

Possibly a dependency conflict of some kind. Maybe try updating from the
terminal to see if it works or at least gives a useful error message
sudo apt update && sudo apt upgrade && sudo apt full-upgrade

You could also check the contents of the /boot directory to see if the
kernel is actually there. If the kernel is there on the drive but not being
used to boot, then you could try running "sudo update-grub" and then
rebooting.

On Tue, 2 Feb 2021 at 18:14, D. R. Evans  wrote:

> I went to update one of my machines running debian stable today, using (as
> usual) synaptic [which I think is basically a wrapper for various apt
> functions]. The machine is running:
>
> 
>
> [Z:~] uname -a
> Linux zserver 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
> GNU/Linux
> [Z:~]
>
> 
>
> But I see that synaptic lists 4.19.0-14-amd64 as being available in the
> repository; and, indeed, on another machine I updated earlier in the day
> the
> kernel was updated from -13 to -14.
>
> How might I be able to diagnose why the files relating to the -14 kernel
> are
> not selected when I hit synaptic's "Mark All Upgrades" button?
>
>Doc
>
> --
> Web:  http://enginehousebooks.com/drevans
>
>

debian stable kernel not updating on one machine

[D. R. Evans]

I went to update one of my machines running debian stable today, using (as 
usual) synaptic [which I think is basically a wrapper for various apt 
functions]. The machine is running:




[Z:~] uname -a
Linux zserver 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 
GNU/Linux

[Z:~]



But I see that synaptic lists 4.19.0-14-amd64 as being available in the 
repository; and, indeed, on another machine I updated earlier in the day the 
kernel was updated from -13 to -14.


How might I be able to diagnose why the files relating to the -14 kernel are 
not selected when I hit synaptic's "Mark All Upgrades" button?


  Doc

--
Web:  http://enginehousebooks.com/drevans

Re: debian-user list info and guidelines (FAQ) - posted monthly

[RP]

Your domain is wrong.  Should be @lists.debian.org

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Dan Ritter]

RP wrote: 
> Your domain is wrong.  Should be @lists.debian.org

Thank you, I've never been corrected so politely before.

-dsr-

Re: number of bugs affecting a package version

[Andrei POPESCU]

On Ma, 02 feb 21, 14:23:05, kamaraju kusumanchi wrote:
> Is there a way to get the number of bugs filed against a package that
> affect a specific version of a package? The closest I was able to
> achieve is
> 
>  % querybts -u text -b libc6-dev 2> /dev/null | wc -l
> 38
> 
> which shows all bugs filed on libc6-dev. But it does not, for example,
> show me the number of bugs currently affecting 2.28-10 (the version in
> stable) or 2.31-9 (the version in testing).

Considering querybts is meant to be used by reportbug this seems like it 
would be out of scope for it.

Your use case seems more appropriate for 'bts' (in package devscripts), 
though on a quick read of the manpage it seems to support this for the 
'show' command, but not for the 'select' command.

It might be possible to hack something together by setting BROWSER to a 
text browser, but it's probably easier to just use BTS URLs directly, 
e.g. something like:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=testing;package=libc6-dev


UDD might also be worth looking into.

https://wiki.debian.org/UltimateDebianDatabase

Hope this helps,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser


signature.asc
Description: PGP signature

Re: AMD GPU + HDMI + vlc = lockup

[Kamil Jońca]

Felix Miata  writes:

> Kamil Jońca composed on 2021-01-28 17:58 (UTC+0100):
>
>> When I back to DVI monitor everthing work without errors.
>
> Did you find a solution?

No. I back to my old DVI monitor. :(

>
> Which Debian? I too have a PC with HD 5450 Radeon. I could try to reproduce if
> knowing what to boot is what I have installed.

kjonca@alfa:~%uname -a
Linux alfa 5.10.0-2-amd64 #1 SMP Debian 5.10.9-1 (2021-01-20) x86_64 GNU/Linux
kjonca@alfa:~%cat /etc/debian_version 
bullseye/sid

This is sid upgraded ~ weekly.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Brian]

On Tue 02 Feb 2021 at 13:14:35 -0700, Charles Curley wrote:

> On Tue, 2 Feb 2021 12:01:40 -0800
> Michael Turner  wrote:
> 
> > How do I unsubscribe?
> 
> Hmmm, is this becoming a FAQ?
> 
> In the headers of emails sent from many list servers you will find a

Users do not read email headers. Many do not even know they exist.

-- 
Brian.

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Charles Curley]

On Tue, 2 Feb 2021 12:01:40 -0800
Michael Turner  wrote:

> How do I unsubscribe?

Hmmm, is this becoming a FAQ?

In the headers of emails sent from many list servers you will find a
heading something like:

List-Unsubscribe: 


Most mail readers will show you the headers with control-h.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Re: AMD GPU + HDMI + vlc = lockup

[Felix Miata]

Kamil Jońca composed on 2021-01-28 17:58 (UTC+0100):

> When I back to DVI monitor everthing work without errors.

Did you find a solution?

Which Debian? I too have a PC with HD 5450 Radeon. I could try to reproduce if
knowing what to boot is what I have installed.
-- 
Evolution as taught in public schools, like religion,
is based on faith, not on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Brian]

On Tue 02 Feb 2021 at 12:01:40 -0800, Michael Turner wrote:

>  How do I unsubscribe?

You are capable of using a search engine? Search for

  unsubscribe "debian-user"

I think Greg Wooledg has made his point.

-- 
Brian.

Re: debian-user list info and guidelines (FAQ) - posted monthly

[tomas]

On Tue, Feb 02, 2021 at 12:01:40PM -0800, Michael Turner wrote:
>  How do I unsubscribe?

Look at the headers of a mail you get from the mailing list.

Among them, there's one roughly looking like this:

  List-Unsubscribe: 


It's telling you to send a mail to

  debian-user-requ...@lists.debian.org

with the subject 'unsubscribe' (without the quotes).

You'll receive a confirmation request mail. Follow the instructions.

This works for most mailing lists.

Cheers
-- tomás


signature.asc
Description: Digital signature

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Dan Ritter]

Michael Turner wrote: 
>  How do I unsubscribe?
> 

The headers of this and every other message on the list include:

List-Id: 
List-URL: 
List-Post: 
List-Help: 
List-Subscribe: 
List-Unsubscribe: 


So you should send a message to
debian-user-requ...@list.debian.org
with the subject line
unsubscribe

-dsr-

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Michael Turner]

 How do I unsubscribe?

On Tue, Feb 2, 2021 at 4:49 AM Greg Wooledge  wrote:

> On Mon, Feb 01, 2021 at 09:43:50PM +, Andrew M.A. Cater wrote:
> > debian-user is a mailing list provided for support for Debian users,
> > and to facilitate discussion on relevant topics.
> >
> > Some guidelines which may help explain how the list works:
> [...]
>
> May I suggest a few additions?  Feel free to word them how you like.
>
>  * I received some spam from the list.  What do I do with it?
>
>  * How do I unsubscribe?
>
>

Re: Default webbrowser voor XFCE terminal

[henk van ballegooijen]

De XFCE terminal pakt volgens mij de standaardtoepassing
voor het openen van URLs.
Deze is in te stellen in het Instellingen menu *(**xfce4*-settings-manager):
Instellingen>Instellingen- en 
systeeembeheerder>Standaardtoepassingen>Internet
Eventueel zijn standaardtoepassingen voor verschillende MIME-types aan 
te passen in:
Instellingen>Instellingen- en 
systeeembeheerder>Standaardtoepassingen>Overige


Groet,
Henk van Ballegooijen

Op 02-02-2021 om 18:46 schreef Geert Stappers:

Hoi,

In XFCE terminal worden URLs als URLs herkent
en zijn die aan te klikken.
Er wordt dan een webbrowser (tabblad) geopend.

Op welke configuratieplaats staat
welke webbrowser gebruikt moet worden?



Eerder was het Firefox en dat vond ik wel goed.
Nu is het per ongeluk[1] Chromium geworden.
Hoe nu weer terug naar goed?


Groeten
Geert Stappers
[1] een foutje van mij, weet niet welke actie het was.

LXC / Netplan / Bridge-vpn

[Daniel]

Hola a tothom

tinc la següent infraestructura,

 * Ubuntu 20.04 amb contenidors lxc 4
 * Servidor a un datacenter amb 2 IPs Públiques (en el futur N)
 * X bridges interns, comunicant amb altres datacenter via openvpn (amb
   els rangs 10.20.xx)
 * Tinc que redireccionar una de les IPs públiques cap a un contenidor
   intern, però em perdo pel camí. Abans tenia una estructura similar
   amb ubuntu 14, pero amb el canvi del network/interfaces a netplan em
   falta informació.
   Ho he intentat configurant al host la IP i amb el shorewall
   redireccionant els ports cap als contenidors i ara configurant la
   segona IP directament al contenidor, però tinc algun error que no
   detecto i no m'arriben els paquets.

La configuració que tinc ara al contenidor es aquesta:

# IP interna cap la resta de servidors.
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = vmbr0
lxc.net.0.name = eth0
lxc.net.0.veth.pair = veth-contenidor
#lxc.net.0.ipv4.gateway = 10.20.30.8
lxc.net.0.ipv4.address = 10.20.30.196/24

# IP Publica
lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = lxcbr0
lxc.net.1.name = eth1
lxc.net.1.veth.pair = veth-s07
lxc.net.1.ipv4.gateway = GWdeldatacenter
lxc.net.1.ipv4.address = IPpublica/32

Ara ja no se en quin punt m'he perdut, alguna pista?

Daniel

number of bugs affecting a package version

[kamaraju kusumanchi]

Is there a way to get the number of bugs filed against a package that
affect a specific version of a package? The closest I was able to
achieve is

 % querybts -u text -b libc6-dev 2> /dev/null | wc -l
38

which shows all bugs filed on libc6-dev. But it does not, for example,
show me the number of bugs currently affecting 2.28-10 (the version in
stable) or 2.31-9 (the version in testing).

thanks
raju
-- 
Kamaraju S Kusumanchi | http://www.kamaraju.xyz/dk/blog

Default webbrowser voor XFCE terminal

[Geert Stappers]

Hoi,

In XFCE terminal worden URLs als URLs herkent
en zijn die aan te klikken.
Er wordt dan een webbrowser (tabblad) geopend.

Op welke configuratieplaats staat
welke webbrowser gebruikt moet worden?



Eerder was het Firefox en dat vond ik wel goed.
Nu is het per ongeluk[1] Chromium geworden.
Hoe nu weer terug naar goed?


Groeten
Geert Stappers
[1] een foutje van mij, weet niet welke actie het was.
-- 
Silence is hard to parse

Nettoyage du spam : janvier 2021

[Jean-Pierre Giraud]

Bonjour,
Comme nous sommes en février, il est désormais possible de
traiter les archives du mois de janvier 2021 des listes francophones.

N'oubliez bien sûr pas d'ajouter votre nom à la liste des relecteurs
pour que nous sachions où nous en sommes.

Détails du processus de nettoyage du spam sur :

https://wiki.debian.org/I18n/FrenchSpamClean

I have new ideas - interested?

[Itamar Gero]

Hey,

Quick intro, I’m Itamar and I founded SEOReseller.com
 over 8 years ago. We’re an SEO platform for
entrepreneurs and agencies.

Your website has caught my attention, I believe we can contribute something
that will be more useful to your audience than our readers at SEOReseller.

You might be interested in pieces about SEO and digital marketing. Some of
our materials that came to mind are:

*Topic:*

- Why SEO is a Must for Small Businesses and How to Get Started
- How SEO Can Solve 5 Challenges Hindering Small Business Growth
- 3 Effective Small Business Tips To Improve Search Rankings
- Best SEO Tools of 2021: Free and Paid
- Why Businesses Should Invest in SEO Services for 2021?
- On-page SEO Checklist: Your Guide To Fixing Website Problems

These will be helpful to your audience who are looking to power-up their
online businesses in the coming years.

It would be great if any of these can be shared on your website.
Alternatively, if you want to cooperate on a different piece of content,
I’m open to that as well and can pitch in more ideas.

Let me know your thoughts?

[image: photograph]

*Itamar Gero*Founder, CEO
*Email:* itamar.g...@seoreseller.com
*Website:* www.seoreseller.com
[image: facebook icon]  [image:
twitter icon]  [image: linkedin icon]

Re: FOSDEM & RefPerSys

[Stephane Bortzmeyer]

On Tue, Feb 02, 2021 at 09:39:31AM +0100,
 Basile Starynkevitch  wrote 
 a message of 126 lines which said:

> Que me conseillez vous de faire très concrètement?
> 
> Des slides LaTeX Beamer?

Bon, évidemment, chacun ses goûts mais, oui, pour le FOSDEM, j'ai fait
mes supports avec LaTeX/Beamer et, dans la vidéo (pour les
présentations formelles, le FOSDEM demandait des vidéos faites à
l'avance), j'ai fait quelques démos avec un xterm et avec Emacs.

Re : Re : Caractères étrangers

[nicolas . patrois]

Le 02/02/2021 15:14:47, Jean-Michel OLTRA a écrit :

> J'ai, chez moi, un fichier .xmodmaprc (dans mon /home), dans lequel
> j'ai la seule ligne

> keycode 135 = Multi_key

> Ma touche compose c'est celle qui est à gauche du Ctrl de droite.

Le mien contient plein de bazar, dont cette ligne :
keycode 134 = Multi_key Multi_key Multi_key Multi_key Multi_key Multi_key

C’est la touche Windows à droite, coincée entre AltGr et la touche Menu (qui ne 
me sert pas).

nicolas patrois : pts noir asocial
-- 
RÉALISME

M : Qu'est-ce qu'il nous faudrait pour qu'on nous considère comme des humains ? 
Un cerveau plus gros ?
P : Non... Une carte bleue suffirait...

Re: Re : Caractères étrangers

[Jean-Michel OLTRA]

Bonjour,


Le lundi 01 février 2021, Jean-Philippe MENGUAL a écrit...


> Clairement, mais chez moi ca ne marche pas. Tu as une configuration
> particulière dans tes paramètres clavier?

J'ai, chez moi, un fichier .xmodmaprc (dans mon /home), dans lequel j'ai la
seule ligne

keycode 135 = Multi_key

Ma touche compose c'est celle qui est à gauche du Ctrl de droite.

-- 
jm

[1/2HS] preg_match php

[ajh-valmer]

Bonjour,

Je souhaite autoriser ces caractères :

^ 0 à 9 , + - * / .

if  (preg_match("#[^^\-9*+-/().$]#", $v)) {


Ça ne marche pas :
l'accent circonflexe (^) marque le début d'une chaîne, 
et se confond avec l'accent ^ autorisé

Comment présenter la bonne syntaxe de preg_match pour le faire ?

Merci,

André Valmer

Re: debian-user list info and guidelines (FAQ) - posted monthly

[Greg Wooledge]

On Mon, Feb 01, 2021 at 09:43:50PM +, Andrew M.A. Cater wrote:
> debian-user is a mailing list provided for support for Debian users,
> and to facilitate discussion on relevant topics. 
> 
> Some guidelines which may help explain how the list works:
[...]

May I suggest a few additions?  Feel free to word them how you like.

 * I received some spam from the list.  What do I do with it?

 * How do I unsubscribe?

Re: Re : Caractères étrangers

[Michel MOUNIER]

et plein d'autres possibilités fort utiles :

compose 1 2 --> ½
  "    "  1 3 --> ⅓
  "    "  1 4 --> ¼
  "    "  1 5 --> ⅕    chez moi ce sont les chiffres du clavier 
alphanumérique qui donnent ces résultats uniquement avec 1 au 
numérateur, rien avec le pavé numérique.


Debian 5.9.15-1~bpo10+1 (2020-12-31) x86_64 GNU/Linux

Bons essais

Abraçaõ !

Michel


Le 02/02/2021 à 11:46, François LE GAD a écrit :

Le 01/02/2021 à 22:10, nicolas.patr...@gmail.com a écrit :

Avec la touche compose (Windows à droite chez moi) ?
Compose ' o donne ó.
Compose n ~ donne ñ.
C’est très intuitif.


On appuie successivement (et pas simultanément) sur les touches 
compose, lettre, et accent.

On obtient aussi æ, œ,
ou encore … (compose point point)


--

Michel Mounier
44°55'37"N 004°53'51"E

"Arion IV"
47°10'12"N 003°37'22"E

arionavigue.legtux.org

Re: website permissions and ownership

[Kenneth Parker]

On Tue, Feb 2, 2021, 2:10 AM Richard Hector  wrote:

> Hi all,
>
> I'm reviewing how I set up websites (mostly Wordpress at the moment),
> and would like other opinions on what I'm planning is sane.
>
> My plan is to have a user eg "mysite" that owns all/most of the standard
> files and directories.
>
> The webserver (actually php-fpm) would run as "mysite-run".
>
> Group ownership of the files would then be mysite-run, but group-write
> permission would not be granted except where required, eg the 'uploads'
> and 'cache' directories.
>
> Files in those directories, created by the php-fpm process, would
> obviously be owned by mysite-run.
>
> Alternatively the group ownership of most of the directories could
> remain with mysite, and but the uploads and cache directories
> group-owned (and group-writeable) by mysite-run.
>
> The objective of course is that site code can't write to anything it
> shouldn't. I know that means that I'll have to install upgrades, plugins
> etc with the wp cli tool.
>
> I earlier had thoughts of improving this with ACLs, but a) this got
> really complicated and b) it didn't seem to solve some of the problems I
> was trying to solve.
>
> I wanted to be able to allow other users (those who might need to update
> sites) to be able to log in as themselves and make changes, but IIRC
> nothing (other than sudo or setuid tools) will allow them to set the
> ownership back to 'mysite', which is what I want it to be. I'm aware of
> bindfs, which allows fuse mounting of filesystems with permission
> translation, but as far as I can tell, it doesn't allow mapping of
> userids. Tools could help, but I'd rather some of these users had SFTP
> access only, which would prevent them being used.
>
> Any thoughts?
>

I like some of the ideas, mentioned by others, including SELinux issues.

But, for a High Security Website, I prefer Lighttpd over Apache2 and,
especially WordPress.

Am I mostly on the right track?
>

Mostly.

>
> Thanks,
> Richard
>

Kenneth Parker

Re: Re : Caractères étrangers

[François LE GAD]

Le 01/02/2021 à 22:10, nicolas.patr...@gmail.com a écrit :

Avec la touche compose (Windows à droite chez moi) ?
Compose ' o donne ó.
Compose n ~ donne ñ.
C’est très intuitif.


On appuie successivement (et pas simultanément) sur les touches compose, 
lettre, et accent.

On obtient aussi æ, œ,
ou encore … (compose point point)
--
François

Re: Re : Caractères étrangers

[François LE GAD]

Le 02/02/2021 à 01:43, Michel MOUNIER a écrit :
Tu choisis ta touche "compose" dans les paramètres claviers /clavier - 
disposition - touche composée /puis ça roule.


Ou, en root ou sudo :
dpkg-reconfigure keyboard-configuration
et tu définis la touche compose parmi les choix proposés

--
François

Re: le réseau pour les nuls ?

[François LE GAD]

Le 02/02/2021 à 08:28, david...@mailo.com a écrit :
Je suis novice (nul ?) en réseaux domestiques, mais j'aimerais que 
n'importe quel ordinateur puisse partager de fichiers avec les autres, 
imprimer sur l'imprimante réseau et qu'on puisse regarder des dvd à 
partir du lecteur-dvd-réseau.


Si ta box le permet, tu y branches :
- un disque dur ou une clé USB en partage Samba
- l'imprimante (USB, ethernet ou wifi). Normalement, Cups doit la 
détecter à l'installation.

- Pour le lecteur DVD, je ne sais pas. Un partage Samba peut-être ?

--
François

Re: website permissions and ownership

[Richard Hector]

On 2/02/21 10:42 pm, Jeremy Ardley wrote:


On 2/2/21 5:32 pm, Jeremy Ardley wrote:


On 2/2/21 4:55 pm, Richard Hector wrote:


What you are doing sounds pretty O.K. Though I personally also use 
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears 
that it won't work as expected in an LXC container, which is where I 
run this. Would SELinux work there? SELinux, from what I can see, 
seems more complex to learn than AppArmor.


SELinux is quite hard to get right, but when it's done properly it's 
very hard to exploit. Basically if it's not explicitly permitted it's 
forbidden.


SELinux has the advantage that it by default enforces rules that you 
should probably already have in place. So for example it will 
automatically stop writes to web content by the web server. You have 
to explicitly allow the web server to make modifications to specific 
files or directories. SELinux makes you think about what is important 
to you and what you think should be alterable on your website.


Getting back to my staging scenario, you start with default SELinux 
rules completely restricting web server write access to content. You'd 
have another set of SELinux rules that allow some other process to 
make changes to the content. You may even have a set of SELinux rules 
allowing the web server to write to an upload directory - but likely 
not read from it.




Further to this, web servers can interact not only with disk content, 
but databases, content back-ends (e.g. php-fpm) and even with hardware 
and communication devices. SELinux blocks all this until such time as 
you do the analysis and decide that particular interactions should be 
allowed.


It's a pain to get right, but compared to the pain of your server being 
exploited, not so much.


You've reminded me that of course nginx (in my case) as well as php-fpm 
needs read access to a bunch of stuff (not php ... unless it's a site 
that publishes php scripts ...), but no write to anything. So I'll need 
to revise my model for that, at least :-(


Though I guess that can be covered by 'other' permissions (with nginx 
config to prevent serving php and other files that it shouldn't).


I think I'm leaving SELinux in the 'too hard' basket for the time being; 
it looks like it would need changes to a bunch of other stuff as well 
(eg postfix ...)


Thanks,
Richard

Re: website permissions and ownership

[Jeremy Ardley]

On 2/2/21 5:32 pm, Jeremy Ardley wrote:


On 2/2/21 4:55 pm, Richard Hector wrote:


What you are doing sounds pretty O.K. Though I personally also use 
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears 
that it won't work as expected in an LXC container, which is where I 
run this. Would SELinux work there? SELinux, from what I can see, 
seems more complex to learn than AppArmor.


SELinux is quite hard to get right, but when it's done properly it's 
very hard to exploit. Basically if it's not explicitly permitted it's 
forbidden.


SELinux has the advantage that it by default enforces rules that you 
should probably already have in place. So for example it will 
automatically stop writes to web content by the web server. You have 
to explicitly allow the web server to make modifications to specific 
files or directories. SELinux makes you think about what is important 
to you and what you think should be alterable on your website.


Getting back to my staging scenario, you start with default SELinux 
rules completely restricting web server write access to content. You'd 
have another set of SELinux rules that allow some other process to 
make changes to the content. You may even have a set of SELinux rules 
allowing the web server to write to an upload directory - but likely 
not read from it.




Further to this, web servers can interact not only with disk content, 
but databases, content back-ends (e.g. php-fpm) and even with hardware 
and communication devices. SELinux blocks all this until such time as 
you do the analysis and decide that particular interactions should be 
allowed.


It's a pain to get right, but compared to the pain of your server being 
exploited, not so much.



--
Jeremy



OpenPGP_signature
Description: OpenPGP digital signature

Re: website permissions and ownership

[Richard Hector]

On 2/02/21 10:37 pm, john doe wrote:

On 2/2/2021 9:55 AM, Richard Hector wrote:

On 2/02/21 9:11 pm, Jeremy Ardley wrote:


On 2/2/21 3:09 pm, Richard Hector wrote:

Hi all,

I'm reviewing how I set up websites (mostly Wordpress at the moment),
and would like other opinions on what I'm planning is sane.

My plan is to have a user eg "mysite" that owns all/most of the
standard files and directories.

The webserver (actually php-fpm) would run as "mysite-run".

Group ownership of the files would then be mysite-run, but
group-write permission would not be granted except where required, eg
the 'uploads' and 'cache' directories.

Files in those directories, created by the php-fpm process, would
obviously be owned by mysite-run.

Alternatively the group ownership of most of the directories could
remain with mysite, and but the uploads and cache directories
group-owned (and group-writeable) by mysite-run.

The objective of course is that site code can't write to anything it
shouldn't. I know that means that I'll have to install upgrades,
plugins etc with the wp cli tool.

I earlier had thoughts of improving this with ACLs, but a) this got
really complicated and b) it didn't seem to solve some of the
problems I was trying to solve.

I wanted to be able to allow other users (those who might need to
update sites) to be able to log in as themselves and make changes,
but IIRC nothing (other than sudo or setuid tools) will allow them to
set the ownership back to 'mysite', which is what I want it to be.
I'm aware of bindfs, which allows fuse mounting of filesystems with
permission translation, but as far as I can tell, it doesn't allow
mapping of userids. Tools could help, but I'd rather some of these
users had SFTP access only, which would prevent them being used.

Any thoughts?
Am I mostly on the right track?

Thanks,
Richard



What you are doing sounds pretty O.K. Though I personally also use
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears
that it won't work as expected in an LXC container, which is where I run
this. Would SELinux work there? SELinux, from what I can see, seems more
complex to learn than AppArmor.


To accomodate other users I suggest you set up staging areas where
they can upload content that you periodically sync to the website
using a privileged process. This means you don't have to give any
rights to users other than access to the staging areas.


Yes. I can foresee difficulties with my clients not being able to see
their changes immediately.

Inotify could be of interest there by monitoring the staging area.


1)  https://man7.org/linux/man-pages/man7/inotify.7.html


Agreed. Worth bearing in mind, thanks. Though IIRC it's quite a pain to 
keep watch on an entire directory tree; you have to maintain the list of 
watched directories rather than just watching the top.


Cheers,
Richard

Re: Caractères étrangers

[François Patte]

Le 01/02/2021 à 21:31, Jean-Philippe MENGUAL a écrit :
> Bonjour,
> 
> Vous avez une asutce pour saisir des caractères espagnols (accents et
> tildes) facilement sous Libreoffice voire sous X en général? J'hésite
> entre le setxkbcomp un peu moche et la macro, ou le raccourci ibus.
> Qu'en pensez-vous?

Personnellement j'utilise ibus pour saisir les écritures exotiques. m17n
offre une palanquée de "claviers" qui couvre une grande partie des
écritures du monde.


-- 
François Patte
UFR de mathématiques et informatique
Laboratoire CNRS MAP5, UMR 8145
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)6 7892 5822
http://www.math-info.univ-paris5.fr/~patte



signature.asc
Description: OpenPGP digital signature

Re: website permissions and ownership

[john doe]

On 2/2/2021 9:55 AM, Richard Hector wrote:

On 2/02/21 9:11 pm, Jeremy Ardley wrote:


On 2/2/21 3:09 pm, Richard Hector wrote:

Hi all,

I'm reviewing how I set up websites (mostly Wordpress at the moment),
and would like other opinions on what I'm planning is sane.

My plan is to have a user eg "mysite" that owns all/most of the
standard files and directories.

The webserver (actually php-fpm) would run as "mysite-run".

Group ownership of the files would then be mysite-run, but
group-write permission would not be granted except where required, eg
the 'uploads' and 'cache' directories.

Files in those directories, created by the php-fpm process, would
obviously be owned by mysite-run.

Alternatively the group ownership of most of the directories could
remain with mysite, and but the uploads and cache directories
group-owned (and group-writeable) by mysite-run.

The objective of course is that site code can't write to anything it
shouldn't. I know that means that I'll have to install upgrades,
plugins etc with the wp cli tool.

I earlier had thoughts of improving this with ACLs, but a) this got
really complicated and b) it didn't seem to solve some of the
problems I was trying to solve.

I wanted to be able to allow other users (those who might need to
update sites) to be able to log in as themselves and make changes,
but IIRC nothing (other than sudo or setuid tools) will allow them to
set the ownership back to 'mysite', which is what I want it to be.
I'm aware of bindfs, which allows fuse mounting of filesystems with
permission translation, but as far as I can tell, it doesn't allow
mapping of userids. Tools could help, but I'd rather some of these
users had SFTP access only, which would prevent them being used.

Any thoughts?
Am I mostly on the right track?

Thanks,
Richard



What you are doing sounds pretty O.K. Though I personally also use
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears
that it won't work as expected in an LXC container, which is where I run
this. Would SELinux work there? SELinux, from what I can see, seems more
complex to learn than AppArmor.


To accomodate other users I suggest you set up staging areas where
they can upload content that you periodically sync to the website
using a privileged process. This means you don't have to give any
rights to users other than access to the staging areas.


Yes. I can foresee difficulties with my clients not being able to see
their changes immediately.

Inotify could be of interest there by monitoring the staging area.


1)  https://man7.org/linux/man-pages/man7/inotify.7.html

--
John Doe

Re: website permissions and ownership

[Jeremy Ardley]

On 2/2/21 4:55 pm, Richard Hector wrote:


What you are doing sounds pretty O.K. Though I personally also use 
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears 
that it won't work as expected in an LXC container, which is where I 
run this. Would SELinux work there? SELinux, from what I can see, 
seems more complex to learn than AppArmor.


SELinux is quite hard to get right, but when it's done properly it's 
very hard to exploit. Basically if it's not explicitly permitted it's 
forbidden.


SELinux has the advantage that it by default enforces rules that you 
should probably already have in place. So for example it will 
automatically stop writes to web content by the web server. You have to 
explicitly allow the web server to make modifications to specific files 
or directories. SELinux makes you think about what is important to you 
and what you think should be alterable on your website.


Getting back to my staging scenario, you start with default SELinux 
rules completely restricting web server write access to content. You'd 
have another set of SELinux rules that allow some other process to make 
changes to the content. You may even have a set of SELinux rules 
allowing the web server to write to an upload directory - but likely not 
read from it.


--
Jeremy



OpenPGP_signature
Description: OpenPGP digital signature

Re: Depot stretch

[David Martin]

Salut, oui j'ai apt-key
unauthenticated... j'ai pas trop envie c'est un de mes serveurs de
production.
Par contre j'ai une piste coté réseau.
Merci à toi de ta réponse


Le mar. 2 févr. 2021 à 10:11, Bernard Schoenacker <
bernard.schoenac...@free.fr> a écrit :

>
> - Mail original -
>
> > De: "David Martin" 
> > À: "debian-user-french@lists.debian.org French"
> > 
> > Envoyé: Mardi 2 Février 2021 08:49:57
> > Objet: Depot stretch
>
> > Bonjour,
>
> > J'ai une machine qui est sous strech, j'ai changé les dépots, fait un
> > update... mais j'ai un message qui m'annonce :
>
> > data from such a repository can't be authenticated and .
>
> > avez vous une idée ?
>
> > --
>
> > david martin
>
> Bonjour David,
>
>
> voici ce que je propose de faire comme instruction (root):
>
> rm -rf /var/lib/apt/lists/*
> apt-get update --allow-unauthenticated
>
>
> origine de l'information :
>
> https://askubuntu.com/questions/995484/data-from-such-a-repository-cant-be-authenticated
>
> question:
>
> est-il encore possible d'installer apt-key sous stretch ?
>
> merci pour ton aimable attention
>
> bien à toi
> Bernard
>


-- 
david martin

Re: Depot stretch

[Bernard Schoenacker]

- Mail original - 

> De: "David Martin" 
> À: "debian-user-french@lists.debian.org French"
> 
> Envoyé: Mardi 2 Février 2021 08:49:57
> Objet: Depot stretch

> Bonjour,

> J'ai une machine qui est sous strech, j'ai changé les dépots, fait un
> update... mais j'ai un message qui m'annonce :

> data from such a repository can't be authenticated and .

> avez vous une idée ?

> --

> david martin

Bonjour David,


voici ce que je propose de faire comme instruction (root):

rm -rf /var/lib/apt/lists/*
apt-get update --allow-unauthenticated


origine de l'information :
https://askubuntu.com/questions/995484/data-from-such-a-repository-cant-be-authenticated

question: 

est-il encore possible d'installer apt-key sous stretch ?

merci pour ton aimable attention

bien à toi
Bernard

Re: website permissions and ownership

[Richard Hector]

On 2/02/21 9:11 pm, Jeremy Ardley wrote:


On 2/2/21 3:09 pm, Richard Hector wrote:

Hi all,

I'm reviewing how I set up websites (mostly Wordpress at the moment), 
and would like other opinions on what I'm planning is sane.


My plan is to have a user eg "mysite" that owns all/most of the 
standard files and directories.


The webserver (actually php-fpm) would run as "mysite-run".

Group ownership of the files would then be mysite-run, but group-write 
permission would not be granted except where required, eg the 
'uploads' and 'cache' directories.


Files in those directories, created by the php-fpm process, would 
obviously be owned by mysite-run.


Alternatively the group ownership of most of the directories could 
remain with mysite, and but the uploads and cache directories 
group-owned (and group-writeable) by mysite-run.


The objective of course is that site code can't write to anything it 
shouldn't. I know that means that I'll have to install upgrades, 
plugins etc with the wp cli tool.


I earlier had thoughts of improving this with ACLs, but a) this got 
really complicated and b) it didn't seem to solve some of the problems 
I was trying to solve.


I wanted to be able to allow other users (those who might need to 
update sites) to be able to log in as themselves and make changes, but 
IIRC nothing (other than sudo or setuid tools) will allow them to set 
the ownership back to 'mysite', which is what I want it to be. I'm 
aware of bindfs, which allows fuse mounting of filesystems with 
permission translation, but as far as I can tell, it doesn't allow 
mapping of userids. Tools could help, but I'd rather some of these 
users had SFTP access only, which would prevent them being used.


Any thoughts?
Am I mostly on the right track?

Thanks,
Richard



What you are doing sounds pretty O.K. Though I personally also use 
SELinux for web facing services.


Thanks.

I haven't looked in to SELinux. I looked at AppArmor, but it appears 
that it won't work as expected in an LXC container, which is where I run 
this. Would SELinux work there? SELinux, from what I can see, seems more 
complex to learn than AppArmor.


To accomodate other users I suggest you set up staging areas where they 
can upload content that you periodically sync to the website using a 
privileged process. This means you don't have to give any rights to 
users other than access to the staging areas.


Yes. I can foresee difficulties with my clients not being able to see 
their changes immediately. I could also probably use a git hook to 
deploy a suitably tagged branch, but then I also probably need to help 
my clients use git :-) Or if I had some kind of web portal for them, I 
could give them a deploy button, but I'm not ready to do that yet.


This also helps in disaster recovery as you can set up and maintain the 
entire static site from staging areas. Ideally you should be able to 
fire up a virtual server and load it from the staging area whenever you 
want. If it goes down, fire up another one.


Your only issue is database records for which you'll need to set up a 
different recovery process.


Useful points too.

Thanks,
Richard

FOSDEM & RefPerSys

[Basile Starynkevitch]

Bonjour,


Avec d'autres, je développe /RefPerSys/ sur mon temps libre (un logiciel 
libre d'intelligence artificielle symbolique pour Linux). Voir 
http://refpersys.org/ et pour le code 
https://github.com/RefPerSys/RefPerSys ...



RefPerSys est inspiré des travaux de Jacques Pitrat 
 (né en 1934, mort en 
octobre 2019, il a présidé mon jury de thèse de doctorat, soutenue en 
1990). Lire son blog encore en ligne en 
http://bootstrappingartificialintelligence.fr/WordPress3/


Voir aussi les présentations en 
https://afia.asso.fr/journee-hommage-j-pitrat/


Je présente RefPerSys à FOSDEM 2021  
virtuellement: https://fosdem.org/2021/schedule/event/refpersys_welcome/



J'ai une webcam à la maison, sur un portable sous Debian (ou un desktop 
Ubuntu 20.04)



J'ai pris mon vendredi 5 février 2021 pour préparer la présentation.


Que me conseillez vous de faire très concrètement?

Des slides LaTeX Beamer?

L'espoir étant d'attirer l'attention sur RefPerSys, dans le rêve d'avoir 
des contributeurs ou testeurs/testeuses supplémentaires!



Cordialement



--
Basile Starynkevitch  
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/

Re: le réseau pour les nuls ?

[Samuel Cifuentes]

Bonjour

si tu es "novice" je te conseillerais plutôt de modifier un tout petit 
peu ton architecture pressentie et te tourner du coté d'un "serveur"


celui-ci - qui n'a vraiment pas besoin d’être puissant - pourrait 
accueillir tous les dossiers/fichiers partagés (un de tes pc fixes fera 
sûrement l'affaire)


tu peux sans probleme monter ça à partir d'une Debian de base mais il y 
a plus simple :


regarde du coté de OpenMediaVault

c'est du Debian, ça marche bien, c'est facile à administrer

https://fr.wikipedia.org/wiki/OpenMediaVault

il y beaucoup d'autres solutions (TrueNas, etc.. ) fais le tour et 
choisis, mais pour débuter OMV est très bien.


attend d'autres avis




Le 02/02/2021 à 09:01, Basile Starynkevitch a écrit :



On 2/2/21 8:28 AM, david...@mailo.com wrote:

Bonjour,

Chez moi, j'ai :
- plusieurs ordinateurs fixes et portables en debian-10 (RJ45 et Wifi)
- une free-box crystal (uniquement internet, pas de boitier tv)
- une imprimante avec une carte réseau
- 1 lecteur de dvd avec une prise réseau au dos

Je suis novice (nul ?) en réseaux domestiques, mais j'aimerais que 
n'importe quel ordinateur puisse partager de fichiers avec les 
autres, imprimer sur l'imprimante réseau et qu'on puisse regarder des 
dvd à partir du lecteur-dvd-réseau.



https://tldp.org/HOWTO/Networking-HOWTO 




Sinon regarder aussi mount(8) 
, fstab(5) 
, nfs(5) 
,hosts(5) 



--
Basile Starynkevitch
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/

Re: website permissions and ownership

[Jeremy Ardley]

On 2/2/21 3:09 pm, Richard Hector wrote:

Hi all,

I'm reviewing how I set up websites (mostly Wordpress at the moment), 
and would like other opinions on what I'm planning is sane.


My plan is to have a user eg "mysite" that owns all/most of the 
standard files and directories.


The webserver (actually php-fpm) would run as "mysite-run".

Group ownership of the files would then be mysite-run, but group-write 
permission would not be granted except where required, eg the 
'uploads' and 'cache' directories.


Files in those directories, created by the php-fpm process, would 
obviously be owned by mysite-run.


Alternatively the group ownership of most of the directories could 
remain with mysite, and but the uploads and cache directories 
group-owned (and group-writeable) by mysite-run.


The objective of course is that site code can't write to anything it 
shouldn't. I know that means that I'll have to install upgrades, 
plugins etc with the wp cli tool.


I earlier had thoughts of improving this with ACLs, but a) this got 
really complicated and b) it didn't seem to solve some of the problems 
I was trying to solve.


I wanted to be able to allow other users (those who might need to 
update sites) to be able to log in as themselves and make changes, but 
IIRC nothing (other than sudo or setuid tools) will allow them to set 
the ownership back to 'mysite', which is what I want it to be. I'm 
aware of bindfs, which allows fuse mounting of filesystems with 
permission translation, but as far as I can tell, it doesn't allow 
mapping of userids. Tools could help, but I'd rather some of these 
users had SFTP access only, which would prevent them being used.


Any thoughts?
Am I mostly on the right track?

Thanks,
Richard



What you are doing sounds pretty O.K. Though I personally also use 
SELinux for web facing services.


To accomodate other users I suggest you set up staging areas where they 
can upload content that you periodically sync to the website using a 
privileged process. This means you don't have to give any rights to 
users other than access to the staging areas.


This also helps in disaster recovery as you can set up and maintain the 
entire static site from staging areas. Ideally you should be able to 
fire up a virtual server and load it from the staging area whenever you 
want. If it goes down, fire up another one.


Your only issue is database records for which you'll need to set up a 
different recovery process.


--
Jeremy



OpenPGP_signature
Description: OpenPGP digital signature

Re: le réseau pour les nuls ?

[Basile Starynkevitch]

On 2/2/21 8:28 AM, david...@mailo.com wrote:

Bonjour,

Chez moi, j'ai :
- plusieurs ordinateurs fixes et portables en debian-10 (RJ45 et Wifi)
- une free-box crystal (uniquement internet, pas de boitier tv)
- une imprimante avec une carte réseau
- 1 lecteur de dvd avec une prise réseau au dos

Je suis novice (nul ?) en réseaux domestiques, mais j'aimerais que 
n'importe quel ordinateur puisse partager de fichiers avec les autres, 
imprimer sur l'imprimante réseau et qu'on puisse regarder des dvd à 
partir du lecteur-dvd-réseau.



https://tldp.org/HOWTO/Networking-HOWTO


Sinon regarder aussi mount(8) 
, fstab(5) 
, nfs(5) 
,hosts(5) 



--
Basile Starynkevitch  
(only mine opinions / les opinions sont miennes uniquement)
92340 Bourg-la-Reine, France
web page: starynkevitch.net/Basile/