Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-14 Thread David Wright
On Thu 10 Jun 2021 at 23:43:12 (-0700), David Christensen wrote:
> On 6/10/21 9:31 PM, David Wright wrote:
> > I'm about to install buster or bullseye on a newly acquired laptop
> > with an SSD (a first for me). I'm intending to clean (zero or
> > randomise) the entire drive with dd before I start, and am
> > interested in any pitfalls with that.
> > 
> > I will also encrypt the new /home partition, but for the remaining
> > partitions I need to decide whether to add mount's discard option,
> > or use a weekly systemd trim, or leave it entirely up to the garbage
> > collection in the SSD device itself (which is an nvme THNSN5512GPUK
> > TOSHIBA, presumably an OEM model supplied for this HP Spectre).
> > 
> > The machine has 16GB of memory, so I wasn't intending to use swap.
> > (It won't have to hibernate, and if push came to shove, there's
> > always the possibility of setting up a swapfile or a ramdisk.)
> > 
> > Background:
> > 
> > The July 2017 system was pre-installed with Windows 10.
> > 
> > I have copied the entire disk to external spinning rust, and can
> > mount partitions from this image. It's difficult to foresee my ever
> > wanting to reload and run this Windows system.
> > 
> > The drive has unencrypted information on it, either in existing files,
> > or in deleted/overwritten/whatever ones (though I think that is
> > irrelevant to the method for erasing them).
> > 
> > I don't work for the CIA, so "basic" erasure methods are sufficient,
> > ie so-called logical and digital sanitisation, but not analogue
> > sanitisation/purging. I'm just encrypting stuff like personal bank
> > records etc, and not looking for anything like plausible deniability.
> 
> You want to command the SSD controller to do a "secure erase".  The
> manufacturer should provide a utility for this, but it will likely
> require Windows.  In years past I have found Linux CLI utilities to do
> secure erase.  STFW for details.

Yes, I guess the difficulty with using Windows would be that I don't
think it can erase itself while running the program.

Others' suggestions:

  Jeremy: the referenced article seems to apply to SSDs that are SATA,
  whereas this one is NVMe.

  Glenn: the same article warns that DBAN is not designed for SSDs.

  songbird, Andrew: the pre-existing data is not all ours, so it
  might include others' personal data (mainly education, but could
  be personnel material, given in confidence), so I feel the moral
  need to erase it with at least a best attempt.
  I need to investigate what's talked about in
  StorageUtilities311_Manual_ENG.pdf that Toshiba can allegedly
  supply as bootable media.

  Polyna-Maude: You *seem* to be suggesting that I encrypt on a
  file-by-file basis rather than the whole of /home. That can't
  work because you don't know a priori whether an incoming file
  is sensitive or not … and you'd always be having to make
  decisions.
  Either that, or you're overinterpreting what I wrote: I don't
  encrypt partitions other than /home and swap. Home, obviously,
  and swap because you have no control over what gets put there.
  Besides, if swap gets used (beyond certain static uses that
  I've read about, but never experienced), speed is already up
  the spout. I either kill browsers, or the OOM killer might
  do some culling.

> I would then make a decision between BIOS/MBR or UEFI/GPT.  I prefer
> the former so that I can boot system images in the older machines in
> my SOHO LAN.  Eventually we will all be using the latter.

I've already made that switch to GPT (with one exception for an
ancient, hardly used now, laptop). However, I don't burn my bridges,
and always leave a BIOS Boot partition (unformatted) in place:
con: 3MB wasted; pro: alignments of 4MB throughout the drive.

But in any case, I'm not sure about booting Grub on an SSD from the
BIOS, because AIUI Grub uses sector addresses to find its core.img,
and AIUI sectors get shuffled around by the SSD controller. OTOH,
booting with UEFI is carried out entirely through files found via
their filesystems, and the sector-shuffling doesn't affect that.

> I would then install Debian using the Debian Installer, choose manual
> partitioning, and partition the SSD as follows:
> 
> 1.  Create a 1 GB unencrypted partition with ext4 and mount it at /boot.
> 
> 2.  Create at least a 1 GB encrypted (dm-crypt) swap partition.  I
> experimented with no swap in the past and found that the systems were
> unstable when free memory was low.

I don't encrypt root, so I don't bother with (1).

I think I will create (2), but leave it unused for the time being.
I actually use the trick described here to LABEL my random-key
swap with a tiny filesystem on my other machines:
https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

> 3.  Create a small (I use 13 GB) encrypted (LUKS) ext4 partition and
> mount it at / (root).

I'm more generous, at 29GB.

> Once Debian is installed, I would take a raw binary image of the
> system drive for 

Re: Server setup

2021-06-14 Thread David Wright
On Tue 15 Jun 2021 at 07:21:33 (+0300), Andrei POPESCU wrote:
> On Lu, 14 iun 21, 16:39:11, Polyna-Maude Racicot-Summerside wrote:

> > This is the first time I have to install a system using GPT with BIOS so
> > I'm not sure how does it work with the BIOS boot partition.
> 
> What is a "BIOS boot partition"?

BIOS booting needs¹ a BIOS­Boot partition on a GPT disk.
It's not a BIOS boot­partition, because people use the
term boot­partition to mean a partition/filesystem that's
mounted at /boot.

I have just posted what it's for, so I won't repeat here.

> On BIOS systems grub must be installed in the MBR of the boot device,

I think Felix disputed "should", let alone "must", just last Friday.

> special partitions are needed for UEFI.

UEFI booting needs to find an ESP somewhere. Which other special
partitions are required?

¹ There are risky ways of avoiding it, like putting the core image in
  a filesystem and praying that it doesn't ever get moved.

Cheers,
David.



Re: Server setup

2021-06-14 Thread David Wright
On Mon 14 Jun 2021 at 12:31:08 (-0400), Polyna-Maude Racicot-Summerside wrote:
> On 2021-06-14 11:21 a.m., David Wright wrote:
> > On Sun 13 Jun 2021 at 13:57:33 (-0400), Polyna-Maude Racicot-Summerside 
> > wrote:
> > 
> >> You must also have a huge need to answer question without reading what
> >> they are.
> >>
> >> I ain't using the Debian installer because I don't have access to the
> >> KVM (Keyboard, Mouse, etc).
> >>
> >> So if you read back my message.
> >> I boot using a rescue system over the network.
> >> I do my partition.
> >> I make the filesystem.
> >> I mount.
> >> I use debootstrap.
> >> And after I need to configure boot, this is where it blocks.
> >>
> >> Got it now ?
> >>
> >> So how useful is your answer to use "the wizard in the installer ?".
> >> And no there's no configuration helper (said it for the 3rd time now).
> >>
> >> If you can't help... Just a hint, do same as I do, you let other people
> >> answer.
> > 
> > I don't know whether I can be of any help, but I can ask a few questions.
> > 
> > You wrote "The machine doesn't seem to use EFI (like most server)"
> > 
> The machine doesn't use EFI, like most server it's BIOS based. I know
> this one for sure, there's a BIOS boot partition.

No, you've made an educated guess. The evidence would be in the next
two lines:

> > You really need to know. What does /sys/firmware/ contain, in particular,
> > /sys/firmware/efi… ?
> > 
> >   "and I only see the following partition using the automatic installer."
> > 
> 
> The server provider (one-provider/OVH) offer a choice of OS (include
> Debian Buster) but there's no configuration from the user. So it just
> build a huge partition. I have 3 x 2 Tb disk and it makes them in RAID-0
> (mirror).

I was under the impression that RAID-0 is striping, not mirroring.

> > Did you mean disk, rather than partition? What's in /sys/block/ ?
> > 
> > You wrote 'The "standard" installation give me one partition in RAID
> > mirror ( 3 x 2 To). So I get only a big root partition and nothing else'
> > 
> > Does that mean that the partitioning was done on your behalf?
> > "I do my partition. I make the filesystem." seems to contradict that.
> > Do you know what the 3rd and 4th partitions are intended for?
> > 
> 
> Because the installation does the partition on my behalf, I preferred to
> do another way. That is, boot the system into rescue mode, that's a
> Linux system over the network. There I can partition my own disk, and
> after use debootstrap.

You can repartition the disk? Oh, OK.

> >   "But I get a bit lost when it's time to use grub to setup my machine by 
> > remote."
> > 
> > Did the "standard" installation give you any hints about setting up
> > booting on the machine, or is that why standard is in scare quotes.
> > (Or is it unusual for a standard install method to make any mention
> > of such important matters.)
> > 
> Now what I did was to install the machine using the "helper" given by
> the provider (OVH/OneProvider). This way I can dissect the working
> system and see how the configuration is done.

That seems reasonable. But you've left me confused. Was the
partitioning in your OP the result of the helper's installation,
or the result of your own repartitioning. It certainly looks
very odd.

BTW, AFAICT the only one of my questions that you (partially) answered
was about the partitioning. The OP asks for clues about booting with
Grub. Today's post appears to have shifted to systemd and networking.
It all looks like a blog of your activities.

Cheers,
David.



Re: Server setup

2021-06-14 Thread David Wright
On Mon 14 Jun 2021 at 16:39:11 (-0400), Polyna-Maude Racicot-Summerside wrote:
> I can understand the idea of cutting out part of the messages when I
> answer. But this is now forcing me to repeat many times...

The idea is to cut out the water that's passed under the bridge, so to
speak. You don't need to keep repeating yourself: it's all either in
people's mailbox or on the web, should they wish to revisit it.

> On 2021-06-14 3:50 p.m., Andy Smith wrote:
> > Hi Polyna-Maude,
> > 
> > On Mon, Jun 14, 2021 at 12:31:08PM -0400, Polyna-Maude Racicot-Summerside 
> > wrote:
> >> Now what I did was to install the machine using the "helper" given by
> >> the provider (OVH/OneProvider). This way I can dissect the working
> >> system and see how the configuration is done.
> > 
> > So what does it look like after that, and what do you want to
> > change?
> > 
> Like I already said, the "helper" that setup the whole system has the
> same skeleton for every type of hardware installation (not so good).
> 
> So it will install my system on one partition (/) and by using a RAID-0
> (Mirroring) over my 3 disk ( 3 x 2 TB).
> 
> > Maybe you can make the desired changes without reinstalling by
> > debootstrap. But if that's necessary, at least we'll understand what
> > it is that you want to achieve with that.
> 
> I would like to have my system running on different partition for home,
> usr, var, tmp, etc... This is a safe route to prevent some problem (such
> as filling up a partition that risk trashing the system).
> 
> Even if there would be a solution without doing my own re-install, I
> want to be able to do so myself. That is, install a system by mounting
> the partition, doing a debootstrap and chroot after, plus installing GRUB.

Because you didn't answer my question about partitions 3 and 4 (in
your OP), I can't tell whether repartitioning is still just a wish,
or something you've already tried out.

> This is the first time I have to install a system using GPT with BIOS so
> I'm not sure how does it work with the BIOS boot partition.
> Do I simply create this partition and GRUB will detect it ?
> If not, how do I tell GRUB ?

If Grub is being asked to configure itself for BIOS booting, then
you've already told it, by virtue of the partition type: BIOS Boot.
You merely create this partition and leave it untouched. (It doesn't
matter if you do touch it: Grub will overwrite it whatever you do.)
Its sole purpose is to provide some undisturbed sectors for Grub
to write its core image on a GPT disk, substituting for the so-called
"MBR gap", a precarious area on an MBR disk between the partition
table and the start of the first partition.

> Also, does simply running debootstrap is enough to have my *initrd*
> created ? I presume I must install a kernel "post" chroot...

I think deloptes posted the answer to this already, in their recipe.

> Regarding the network configuration, I'm a bit lost with systemd
> 
> Hope this give you more information on what I'm trying to achieve.

Cheers,
David.
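
Added example, not part of David Wright's message and not code from GRUB or Debian: a read-only check of the two things discussed above, namely whether the running kernel was booted via UEFI (presence of /sys/firmware/efi) and whether a GPT disk carries a partition of type BIOS Boot for GRUB's core image. The function names, the 512-byte sector size and the sample disk image are assumptions made for the illustration.

```python
import struct
import uuid
import zlib
from pathlib import Path

SECTOR = 512  # assumption: 512-byte logical sectors
HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header at LBA 1
ENTRY = struct.Struct("<16s16sQQQ72s")        # 128-byte partition entry
TYPES = {
    uuid.UUID("21686148-6449-6e6f-744e-656564454649"): "BIOS Boot",
    uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b"): "EFI System",
    uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4"): "Linux filesystem",
}


def firmware_mode(sys_root="/sys"):
    """The kernel only exposes <sys_root>/firmware/efi when booted via UEFI."""
    return "UEFI" if Path(sys_root, "firmware", "efi").is_dir() else "BIOS"


def parse_gpt(image):
    """Return the used partition entries found in the start of a GPT disk."""
    if len(image) < SECTOR + HEADER.size:
        raise ValueError("image too short for a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _rsvd, _cur, _bak, _first, _last,
     _disk, ent_lba, n_ent, ent_size, arr_crc) = HEADER.unpack_from(image, SECTOR)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if not HEADER.size <= hdr_size <= SECTOR or ent_size < ENTRY.size:
        raise ValueError("implausible GPT header fields")
    hdr = bytearray(image[SECTOR:SECTOR + hdr_size])
    hdr[16:20] = bytes(4)  # the header CRC is computed with its own field zeroed
    if zlib.crc32(hdr) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = ent_lba * SECTOR
    array = image[start:start + n_ent * ent_size]
    if len(array) != n_ent * ent_size or zlib.crc32(array) != arr_crc:
        raise ValueError("partition array truncated or CRC mismatch")
    parts = []
    for i in range(n_ent):
        tguid, _uguid, first, last, _attrs, name = ENTRY.unpack_from(array, i * ent_size)
        type_guid = uuid.UUID(bytes_le=tguid)  # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        parts.append({
            "number": i + 1,
            "type": TYPES.get(type_guid, str(type_guid)),
            "first_lba": first,
            "last_lba": last,
            "size_bytes": (last - first + 1) * SECTOR,
            "name": name.decode("utf-16-le").rstrip("\0"),
        })
    return parts


def grub_target_ok(mode, parts):
    """BIOS GRUB on GPT wants a BIOS Boot partition; UEFI wants an ESP."""
    wanted = "BIOS Boot" if mode == "BIOS" else "EFI System"
    return any(p["type"] == wanted for p in parts)


def build_sample_image():
    """Constructed sample: BIOS Boot from 1 MiB to 4 MiB, then a root partition.

    Only 4 entry slots are written to keep the sample small; real disks
    normally carry 128.
    """
    layout = [("BIOS Boot", 2048, 8191, ""),
              ("Linux filesystem", 8192, 60000000, "root")]
    by_name = {label: guid for guid, label in TYPES.items()}
    array = b"".join(
        ENTRY.pack(by_name[t].bytes_le, uuid.UUID(int=n + 1).bytes_le,
                   first, last, 0, name.encode("utf-16-le"))
        for n, (t, first, last, name) in enumerate(layout)
    ).ljust(4 * ENTRY.size, b"\0")
    fields = [b"EFI PART", 0x00010000, HEADER.size, 0, 0, 1, 60002047, 2048,
              60000000, uuid.UUID(int=0xD15C).bytes_le, 2, 4, ENTRY.size,
              zlib.crc32(array)]
    fields[3] = zlib.crc32(HEADER.pack(*fields))  # CRC over header with field = 0
    return bytes(SECTOR) + HEADER.pack(*fields).ljust(SECTOR, b"\0") + array


if __name__ == "__main__":
    parts = parse_gpt(build_sample_image())
    for p in parts:
        print(p)
    print("firmware:", firmware_mode(),
          "| BIOS GRUB has a home:", grub_target_ok("BIOS", parts))
```

On a real disk with the usual layout (entry array at LBA 2, 128 entries), the first 34 sectors read as root are enough input for parse_gpt.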



Re: Server setup

2021-06-14 Thread Andrei POPESCU
On Lu, 14 iun 21, 16:39:11, Polyna-Maude Racicot-Summerside wrote:
> 
> Like I already said, the "helper" that setup the whole system has the
> same skeleton for every type of hardware installation (not so good).

As most of us are probably not customers of your hosting provider we 
have no idea what "helper" you mean above.
 
> So it will install my system on one partition (/) and by using a RAID-0
> (Mirroring) over my 3 disk ( 3 x 2 TB).

I'm guessing you meant RAID-1 here, since RAID-0 is striping.

https://en.wikipedia.org/wiki/Standard_RAID_levels

At a minimum you could provide the output of `fdisk -l`.
 
[...]

> This is the first time I have to install a system using GPT with BIOS so
> I'm not sure how does it work with the BIOS boot partition.

What is a "BIOS boot partition"? On BIOS systems grub must be installed 
in the MBR of the boot device, special partitions are needed for UEFI.

> Do I simply create this partition and GRUB will detect it ?
> If not, how do I tell GRUB ?
> 
> Also, does simply running debootstrap is enough to have my *initrd*
> created ? I presume I must install a kernel "post" chroot...

Indeed, kernel images are 'Priority: optional', since debootstrap is 
also used for chroots. You should probably install linux-image-amd64, 
because it depends on the newest kernel.

> Regarding the network configuration, I'm a bit lost with systemd

The Debian specific ifupdown is still supported and installed by 
default, so you can put your config in /etc/network/interfaces as usual.

The systemd components systemd-networkd and systemd-resolved are 
optional and disabled by default on Debian (see 
/usr/share/doc/systemd/README.Debian).


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: cannot mount smartphone anymore

2021-06-14 Thread Andrei POPESCU
On Lu, 14 iun 21, 09:46:02, Emanuel Berg wrote:
> Andrei POPESCU wrote:
> >> 
> >> If so I don't remember why :)
> >
> > But aptitude might know:
> >
> > aptitude why usbguard
> 
> OK:
> 
> i   gnome-online-accounts Recommends gnome-control-center (>= 3.6.1)
> i A gnome-control-center  Depends    gnome-settings-daemon (>= 3.37)
> i A gnome-settings-daemon Suggests   usbguard
> 
> Not really a GNOME user so again don't know what that means...

This suggests (no pun intended) it was installed manually
(`apt list usbguard` would confirm this), as Suggests are not installed 
by default.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Thunderbird problems

2021-06-14 Thread Frank McCormick




On 6/14/21 9:46 PM, Robbi Nespu wrote:
> On 6/15/21 6:24 AM, Frank McCormick wrote:
>> The latest version of Thunderbird which was updated recently is giving
>> me problems connecting to gmail.
>>
>> How can I downgrade Thunderbird on this machine? I am running
>> Bullseye
>
> Let me guess, you are unable to connect to IMAP and SMTP, right? I am
> having that kind of issue.
>
> $ apt-cache policy thunderbird
> thunderbird:
>   Installed: 1:78.11.0-1
>   Candidate: 1:78.11.0-1
>   Version table:
>  *** 1:78.11.0-1 500
>         500 http://ftp.jp.debian.org/debian bullseye/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> After setting up the few things below, I can see it says it is unable
> to connect to IMAP.
>
> $ export MOZ_LOG=IMAP:5,timestamp
> $ export MOZ_LOG_FILE=/tmp/imap_thunderbird.log
> $ thunderbird
> $ tail -f /tmp/imap_thunderbird.log # on separate terminal
>
> I gave up checking further, so I cleared the account (keeping data),
> re-added the account and synced from the start again. Now I can use...to
> connect and see my email, but sending email fails. It has an SMTP issue
> too (change to MOZ_LOG=SMTP:5,timestamp). Removing the account and
> resyncing a second time looks to have resolved my issues.
>
> What a waste of bandwidth for today.

I downloaded the generic 64 bit version of Thunderbird from the 
Mozilla website and set it up in my home directory. Works fine, 
connects everywhere so obviously the problem is with the Debian build of 
Thunderbird.

I filed a bug report with Mozilla. Perhaps I should do the same with Debian?


--
Frank McCormick



Re: Debian Installer Bullseye RC 2 release

2021-06-14 Thread Cyril Brulebois
Charles Curley  (2021-06-14):
> On Mon, 14 Jun 2021 23:26:22 +0200
> Cyril Brulebois  wrote:
> 
> > See the errata[2] for details and a full list of known issues.
> 
> You might want to include 980271 in the errata. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980271#15 for the
> gist of it.

Reply-To was set to debian-boot@ (re-added), why mail debian-user@ and
myself instead? Anyway, rather than putting more burden on translators,
I've just pinged the package maintainer informally instead.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Re: Debian Installer Bullseye RC 2 release

2021-06-14 Thread Charles Curley
On Mon, 14 Jun 2021 23:26:22 +0200
Cyril Brulebois  wrote:

> See the errata[2] for details and a full list of known issues.

You might want to include 980271 in the errata. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980271#15 for the
gist of it.

Thanks!

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/




Re: Thunderbird problems

2021-06-14 Thread Robbi Nespu

On 6/15/21 6:24 AM, Frank McCormick wrote:
> The latest version of Thunderbird which was updated recently is giving
> me problems connecting to gmail.
>
> How can I downgrade Thunderbird on this machine? I am running
> Bullseye

Let me guess, you are unable to connect to IMAP and SMTP, right? I am 
having that kind of issue.

$ apt-cache policy thunderbird
thunderbird:
  Installed: 1:78.11.0-1
  Candidate: 1:78.11.0-1
  Version table:
 *** 1:78.11.0-1 500
        500 http://ftp.jp.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

After setting up the few things below, I can see it says it is unable 
to connect to IMAP.

$ export MOZ_LOG=IMAP:5,timestamp
$ export MOZ_LOG_FILE=/tmp/imap_thunderbird.log
$ thunderbird
$ tail -f /tmp/imap_thunderbird.log # on separate terminal

I gave up checking further, so I cleared the account (keeping data), 
re-added the account and synced from the start again. Now I can use...to 
connect and see my email, but sending email fails. It has an SMTP issue 
too (change to MOZ_LOG=SMTP:5,timestamp). Removing the account and 
resyncing a second time looks to have resolved my issues.

What a waste of bandwidth for today.

--
Robbi Nespu 
D311 B5FF EEE6 0BE8 9C91 FA9E 0C81 FA30 3B3A 80BA
https://robbinespu.gitlab.io | https://mstdn.social/@robbinespu



Re: Server setup

2021-06-14 Thread Richard Hector

On 15/06/21 9:26 am, Greg Wooledge wrote:
> On Mon, Jun 14, 2021 at 04:39:11PM -0400, Polyna-Maude Racicot-Summerside wrote:
>> I would like to have my system running on different partition for home,
>> usr, var, tmp, etc... This is a safe route to prevent some problem (such
>> as filling up a partition that risk trashing the system).
>
> "etc."?  As in, that's NOT EVEN THE ENTIRE LIST ?!?
>
> Come on.  Get real here.

Or /etc, which might be worse ...

Richard



Thunderbird problems

2021-06-14 Thread Frank McCormick
The latest version of Thunderbird which was updated recently is giving 
me problems connecting to gmail.


How can I downgrade Thunderbird on this machine? I am running
Bullseye


--
Frank McCormick



Re: Server setup

2021-06-14 Thread Dan Ritter
Greg Wooledge wrote: 
> On Mon, Jun 14, 2021 at 04:39:11PM -0400, Polyna-Maude Racicot-Summerside 
> wrote:
> > I would like to have my system running on different partition for home,
> > usr, var, tmp, etc... This is a safe route to prevent some problem (such
> > as filling up a partition that risk trashing the system).
> 
> "etc."?  As in, that's NOT EVEN THE ENTIRE LIST ?!?
> 
> Come on.  Get real here.

This is a pretty good case for ZFS. zfs volumes sharing a zpool
can be quota'd so that they each have allocations; setting the
total quota to less than the zpool capacity (80% would be a good
percentage) means that there should be lots of time between the
event daemon telling you that a filesystem is running out of
room and you having to do anything significant about it.

Bonuses: snapshots, compression, and better-than-rsync backups.

All of Greg's concerns are valid.

-dsr-



Re: Find packages from a specific maintainer

2021-06-14 Thread Jonathan Dowland

On Sat, Jun 12, 2021 at 08:33:19PM +0200, Rasmus MK wrote:
> Is it possible to search in the maintainer field with apt? If not, can
> I lookup this information somewhere else?


The Debian QA site can provide you with a list.

For Debian XMPP Maintainers:


You can tweak the options below the big table to change filtering and
presentation to suit.


--
Please do not CC me, I am subscribed to the list.

  Jonathan Dowland
✎j...@debian.org
   https://jmtd.net



Re: Emphasis notation in plain-text mail (was Re: Server setup)

2021-06-14 Thread Jonathan Dowland

On Sun, Jun 13, 2021 at 05:36:39PM -0400, The Wanderer wrote:
> If I'm not mistaken, if anything it's actually more of an ancestor;


That's right. Quoting the original Markdown page[1]:


the single biggest source of inspiration for Markdown’s syntax is the
format of plain text email.


[1] https://daringfireball.net/projects/markdown/


--
Please do not CC me, I am subscribed to the list.

  Jonathan Dowland
✎j...@debian.org
   https://jmtd.net



Re: Server setup

2021-06-14 Thread Greg Wooledge
On Mon, Jun 14, 2021 at 04:39:11PM -0400, Polyna-Maude Racicot-Summerside wrote:
> I would like to have my system running on different partition for home,
> usr, var, tmp, etc... This is a safe route to prevent some problem (such
> as filling up a partition that risk trashing the system).

"etc."?  As in, that's NOT EVEN THE ENTIRE LIST ?!?

Come on.  Get real here.

You say in the subject that this is a "server".  Therefore /home is not
an issue.  There aren't any end users filling up their home directories
to worry about.

Separate /usr is basically no longer a supported configuration.  The
usrmerge stuff, and so on... well, I won't drone on about it.

Separate /tmp is a whole can of worms all by itself.  You might just
want to make that a RAM-based file system.  There are a few varieties
of that.

Out of the partitions you listed, pretty much the only one that makes
sense to separate on certain kinds of servers is /var.  And even then,
you might be better off separating some *subdirectory* (or multiple
subdirectories) of /var instead.  It depends on what this "server" is
supposed to do.  Is it a mail server?  Then the mail queue might be
something you separate.  A database server?  Then perhaps the directory
where the database files live could be separated.

But really, it sounds like you're just blindly following some *massively*
outdated and deprecated advice which serves no real purpose in your
actual situation.

You said that you have the ability to boot the server in rescue mode
remotely.  If you can do that and *shrink* the root file system, you
could reallocate some of the disk space to a separate /var, but that's
going to be a pain in the ass to do, and you shouldn't even bother unless
there's an actual justification for it.



Re: Server setup

2021-06-14 Thread Andy Smith
Hello,

On Mon, Jun 14, 2021 at 04:39:11PM -0400, Polyna-Maude Racicot-Summerside wrote:
> I can understand the idea of cutting out part of the messages when I
> answer. But this is now forcing me to repeat many times...

You're being asked direct questions because your rambling style has
no real information about what exactly you're trying to achieve.

Instead of answering the direct questions you provide rude responses
berating the people that are trying to help you. You are what is
known as a support vampire and as a rule I do not participate in
that. Good luck.

Andy



Re: OT: postfix relay denied in ipv6

2021-06-14 Thread NoSpam

On 14/06/2021 at 22:55, Jérémy Prego wrote:
> On 14/06/2021 at 22:51, NoSpam wrote:
>> Hello,
>>
>> Side question: why does postfix show in the logs
>>
>> connect from unknown  even though it knows them?
>
> That's simply because the addresses have no PTR.

Noted, thanks.

--

Daniel



Re: OT: postfix relay denied in ipv6

2021-06-14 Thread Jérémy Prego
On 14/06/2021 at 22:51, NoSpam wrote:
> Hello,
>
> Side question: why does postfix show in the logs
>
> connect from unknown  even though it knows them?
>

That's simply because the addresses have no PTR.

> If some kind soul had an idea ... ;)
>

Jerem



OT: postfix relay denied in ipv6

2021-06-14 Thread NoSpam

Hello,

For some time now I have had a problem between 2 postfix instances on 
Debian Buster. One is the smarthost of the other, with ipv4 and ipv6 
enabled on both.

I use php-mail on the client (dolibarr) to send documents by e-mail: 
when the master server receives from the ipv4 address, no problem. When 
it is the ipv6 addresses, relay access denied is systematic.

Excerpt from the master's main.cf:

mynetworks = hash:/etc/postfix/allowed-networks
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination,
reject_unlisted_recipient,
reject_invalid_hostname, reject_non_fqdn_hostname,
check_sender_access hash:/etc/postfix/sender_access
check_recipient_access hash:/etc/postfix
/accessbefore_RBL_and_Greylisting,
reject_rbl_client zen.spamhaus.org, reject_rbl_client
korea.services.net

I added

smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination

It changes nothing. Yet the master server's allowed-networks contains 
the addresses of the client postfix server, such as


192.168.10.254 ok
aaa.bbb.ccc.ddd ok
[fd53:ac59:337:8b38::/64] ok
[2001:db8:b1:932c:212::1] ok

but to no avail.

Side question: why does postfix show in the logs

connect from unknown  even though it knows them?

If some kind soul had an idea ... ;)

--
Daniel



Re: Server setup

2021-06-14 Thread Polyna-Maude Racicot-Summerside
Hi,
I can understand the idea of cutting out part of the messages when I
answer. But this is now forcing me to repeat many times...

On 2021-06-14 3:50 p.m., Andy Smith wrote:
> Hi Polyna-Maude,
> 
> On Mon, Jun 14, 2021 at 12:31:08PM -0400, Polyna-Maude Racicot-Summerside 
> wrote:
>> Now what I did was to install the machine using the "helper" given by
>> the provider (OVH/OneProvider). This way I can dissect the working
>> system and see how the configuration is done.
> 
> So what does it look like after that, and what do you want to
> change?
> 
Like I already said, the "helper" that setup the whole system has the
same skeleton for every type of hardware installation (not so good).

So it will install my system on one partition (/) and by using a RAID-0
(Mirroring) over my 3 disk ( 3 x 2 TB).

> Maybe you can make the desired changes without reinstalling by
> debootstrap. But if that's necessary, at least we'll understand what
> it is that you want to achieve with that.

I would like to have my system running on different partition for home,
usr, var, tmp, etc... This is a safe route to prevent some problem (such
as filling up a partition that risk trashing the system).

Even if there would be a solution without doing my own re-install, I
want to be able to do so myself. That is, install a system by mounting
the partition, doing a debootstrap and chroot after, plus installing GRUB.

This is the first time I have to install a system using GPT with BIOS so
I'm not sure how does it work with the BIOS boot partition.
Do I simply create this partition and GRUB will detect it ?
If not, how do I tell GRUB ?

Also, does simply running debootstrap is enough to have my *initrd*
created ? I presume I must install a kernel "post" chroot...

Regarding the network configuration, I'm a bit lost with systemd
> 
> Cheers,
> Andy
> 

Hope this give you more information on what I'm trying to achieve.


-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development





Re: Server setup

2021-06-14 Thread Andy Smith
Hi Polyna-Maude,

On Mon, Jun 14, 2021 at 12:31:08PM -0400, Polyna-Maude Racicot-Summerside wrote:
> Now what I did was to install the machine using the "helper" given by
> the provider (OVH/OneProvider). This way I can dissect the working
> system and see how the configuration is done.

So what does it look like after that, and what do you want to
change?

Maybe you can make the desired changes without reinstalling by
debootstrap. But if that's necessary, at least we'll understand what
it is that you want to achieve with that.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Bluetooth headset on Debian

2021-06-14 Thread Daniel Lenharo

Hello

On 14/06/2021 11:36, China wrote:
> Good morning.
>
> I'm struggling to configure the bluetooth headset on my notebook with
> Debian. I managed to get the headphone part working and I can
> hear the audio, but I haven't managed to get the microphone working yet.
>
> I followed the steps at the link
> https://wiki.debian.org/BluetoothUser/a2dp but I got confused when the
> tutorial talks about pipewire as a replacement for pulseaudio, which came
> installed by default in debian 10 stable.
>
> Have you managed to get headsets with a microphone working on Debian?
> Can you help me with this?

I can use mine normally.

The only catch is that if you use the microphone, the headphones do not 
work in stereo mode.

I use gnome3.38 with debian sid.
My headset is an Edifier W830BT.

Regards,


--
Daniel Lenharo
Curitiba - BR




Re: Server setup

2021-06-14 Thread Polyna-Maude Racicot-Summerside
Hi,

On 2021-06-14 11:21 a.m., David Wright wrote:
> On Sun 13 Jun 2021 at 13:57:33 (-0400), Polyna-Maude Racicot-Summerside wrote:
> 
>> You must also have a huge need to answer question without reading what
>> they are.
>>
>> I ain't using the Debian installer because I don't have access to the
>> KVM (Keyboard, Mouse, etc).
>>
>> So if you read back my message.
>> I boot using a rescue system over the network.
>> I do my partition.
>> I make the filesystem.
>> I mount.
>> I use debootstrap.
>> And after I need to configure boot, this is where it blocks.
>>
>> Got it now ?
>>
>> So how useful is your answer to use "the wizard in the installer ?".
>> And no there's no configuration helper (said it for the 3rd time now).
>>
>> If you can't help... Just a hint, do same as I do, you let other people
>> answer.
> 
> I don't know whether I can be of any help, but I can ask a few questions.
> 
> You wrote "The machine doesn't seem to use EFI (like most server)"
> 
The machine doesn't use EFI; like most servers it's BIOS based. I know
this one for sure, there's a BIOS boot partition.

> You really need to know. What does /sys/firmware/ contain, in particular,
> /sys/firmware/efi… ?
> 
>   "and I only see the following partition using the automatic installer."
> 

The server provider (one-provider/OVH) offers a choice of OS (including
Debian Buster) but there's no configuration from the user. So it just
builds a huge partition. I have 3 x 2 Tb disks and it makes them in RAID-0
(mirror).

> Did you mean disk, rather than partition? What's in /sys/block/ ?
> 
> You wrote 'The "standard" installation give me one partition in RAID
> mirror ( 3 x 2 To). So I get only a big root partition and nothing else'
> 
> Does that mean that the partitioning was done on your behalf?
> "I do my partition. I make the filesystem." seems to contradict that.
> Do you know what the 3rd and 4th partitions are intended for?
> 

Because the installation does the partitioning on my behalf, I preferred to
do it another way. That is, boot the system into rescue mode, that's a
Linux system over the network. There I can partition my own disk, and
afterwards use debootstrap.


>   "But I get a bit lost when it's time to use grub to setup my machine by 
> remote."
> 
> Did the "standard" installation give you any hints about setting up
> booting on the machine, or is that why standard is in scare quotes.
> (Or is it unusual for a standard install method to make any mention
> of such important matters.)
> 
Now what I did was to install the machine using the "helper" given by
the provider (OVH/OneProvider). This way I can dissect the working
system and see how the configuration is done.


> Cheers,
> David.
> 

Thanks,

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development





Re: Server setup

2021-06-14 Thread David Wright
On Sun 13 Jun 2021 at 13:57:33 (-0400), Polyna-Maude Racicot-Summerside wrote:

> You must also have a huge need to answer question without reading what
> they are.
> 
> I ain't using the Debian installer because I don't have access to the
> KVM (Keyboard, Mouse, etc).
> 
> So if you read back my message.
> I boot using a rescue system over the network.
> I do my partition.
> I make the filesystem.
> I mount.
> I use debootstrap.
> And after I need to configure boot, this is where it blocks.
> 
> Got it now ?
> 
> So how useful is your answer to use "the wizard in the installer ?".
> And no there's no configuration helper (said it for the 3rd time now).
> 
> If you can't help... Just a hint, do same as I do, you let other people
> answer.

I don't know whether I can be of any help, but I can ask a few questions.

You wrote "The machine doesn't seem to use EFI (like most server)"

You really need to know. What does /sys/firmware/ contain, in particular,
/sys/firmware/efi… ?

  "and I only see the following partition using the automatic installer."

Did you mean disk, rather than partition? What's in /sys/block/ ?

You wrote 'The "standard" installation give me one partition in RAID
mirror ( 3 x 2 To). So I get only a big root partition and nothing else'

Does that mean that the partitioning was done on your behalf?
"I do my partition. I make the filesystem." seems to contradict that.
Do you know what the 3rd and 4th partitions are intended for?

  "But I get a bit lost when it's time to use grub to setup my machine by 
remote."

Did the "standard" installation give you any hints about setting up
booting on the machine, or is that why standard is in scare quotes.
(Or is it unusual for a standard install method to make any mention
of such important matters.)

Cheers,
David.



Re: Archiving mail

2021-06-14 Thread steve

On 14-06-2021, at 16:13:24 +0200, Stephane Bortzmeyer wrote:


On Mon, Jun 14, 2021 at 01:15:04PM +0200,
steve  wrote
a message of 9 lines which said:


How do you archive your messages?


A small Python script run by cron every month that renames the
mailboxes, for example debian/french -> debian/french-2021-06.


Would it be possible to share it, or is it top secret?



Re: Bluetooth headset on Debian

2021-06-14 Thread Yuri Musachio
China, good morning!

Previously I was using an AirDots S (2020 model) and it worked really well.
Of course the audio quality of a Bluetooth headset mic is nothing
wonderful, but it worked. Today I'm using a SoundCore Life P2 from Anker, and
with it I can't use the mic, but I think in its case that would be because of
the codecs.
I didn't look into the Anker case that much because I got
frustrated with the quality of the mics on Bluetooth headsets... So what I do is
listen to the sound through the headset and let the laptop's own mic do the capturing.
Before all this, while still using the AirDots, I had a problem where the headset
would not connect, but that was after installing the Nvidia driver... Then I had to
follow the tutorial from the link you sent and it solved my problem. But I admit
it was a lot of head-banging to get to that result.

Best,
On Jun 14 2021, at 11:36 am, China  wrote:
> Good morning.
>
> I am struggling to configure a Bluetooth headset on my notebook with
> Debian. I managed to get the headphone part working and I can
> hear the audio, but I have not managed to get the microphone working yet.
>
> I followed the steps at the link
> https://wiki.debian.org/BluetoothUser/a2dp but I got confused when the
> tutorial talks about pipewire as a replacement for pulseaudio, which came
> installed by default in Debian 10 stable.
>
> Have you managed to get headsets with a microphone working on Debian?
> Can you help me with this?
>
> --
> Sent from a mobile device
>



Bluetooth headset on Debian

2021-06-14 Thread China
Good morning.

I am struggling to configure a Bluetooth headset on my notebook with
Debian. I managed to get the headphone part working and I can
hear the audio, but I have not managed to get the microphone working yet.

I followed the steps at the link
https://wiki.debian.org/BluetoothUser/a2dp but I got confused when the
tutorial talks about pipewire as a replacement for pulseaudio, which came
installed by default in Debian 10 stable.

Have you managed to get headsets with a microphone working on Debian?
Can you help me with this?

--
Sent from a mobile device



Re: Archiving mail

2021-06-14 Thread Stephane Bortzmeyer
On Mon, Jun 14, 2021 at 01:15:04PM +0200,
 steve  wrote 
 a message of 9 lines which said:

> How do you archive your messages?

A small Python script run by cron every month that renames the
mailboxes, for example debian/french -> debian/french-2021-06.



Re: Archiving mail

2021-06-14 Thread Marc Chantreux
> > for those who don't know archivemail: what's your use
> > case?
> Well, nothing special. It scans your maildir and, depending on certain
> conditions (age, etc…), creates a .gz and moves it elsewhere. All of
> that driven by a cron job.

for my part I try to spend as much time as possible offline and
I want to be able to prepare/read my messages without needing the internet

for years I have been using the following packages

isync            # mailbox synchronisation
awk+mblaze+dash  # sorting into mailboxes
maildir-utils    # indexing and search
mutt             # one UI to rule them all
opensmtpd        # sendmail

I don't use tarballs:
* everything that is covered by an external archive (mailing lists…) is
  deleted.
* important messages are filed (I could indeed
  use tar for those mailboxes)
* the others are deleted after a while.

I hope this gives you some ideas.


marc



Re: Archiving mail

2021-06-14 Thread steve

Hi William,

Thanks for the long description of your solution, which relies on a local
IMAP server. I have always wanted to avoid that because the few times
I tried to install one, more than a decade ago now, I
found it really complicated to get working properly. So I
fell back on a lighter solution, which is to fetch
the messages directly into a maildir tree and read them with
mutt.

I need to digest all this and maybe I will do as you do.

Thanks again and have a very nice day

Steve



Re: cannot mount smartphone anymore

2021-06-14 Thread Emanuel Berg
Andrei POPESCU wrote:

> Removing usbguard is maybe a drastic decision, isn't?
> Or maybe you don't want this package anymore for
> other reasons?

 No, why do I need it for?
>>>
>>> He probably assumed you installed it intentionally, and so
>>> for a reason, as it appears to be an optional package.
>> 
>> If so I don't remember why :)
>
> But aptitude might know:
>
> aptitude why usbguard

OK:

i   gnome-online-accounts Recommends gnome-control-center (>= 3.6.1)
i A gnome-control-center  Depends    gnome-settings-daemon (>= 3.37)
i A gnome-settings-daemon Suggests   usbguard

Not really a GNOME user so again don't know what that means...

-- 
underground experts united
https://dataswamp.org/~incal



Re: Secure Boot in QEMU (was Re: debian installation issue)

2021-06-14 Thread Andrew M.A. Cater
On Mon, Jun 14, 2021 at 06:07:50AM -0400, Kenneth Parker wrote:
> Okay.  I am running Debian Bullseye (selected earlier, during its testing
> phase, because I needed its level of QEMU to import a VM from Mint 20's
> QEMU:  Buster's QEMU refused).  My computer is an HP EliteDesk 705 G1-SFF.
> 
> I have a special requirement to run a Licenced version of Windows 10 Pro as
> a QEMU/KVM Guest.  I have already set up QEMU QCOW2 files as gpt and
> partitioned them with UEFI environments, but only with Linux guests so far,
> as well as (in one instance) Refind.
> 
> Does QEMU/KVM support setting up Secure Boot, in a way that passes
> Microsoft Muster?
> 
> Okay, I may be finding my own answers, via a Super User web page on this,
> using Manjaro and ovmf:
> 
> https://superuser.com/questions/1389103/windows-10-uefi-physical-to-kvm-libvirt-virtual
> 
> And now I see that Bullseye has ovmf available as a package.
> 
> So this will be my next Project.  I guess I am asking if anyone on this
> list has been successful with a virtualized Secure Boot that Microsoft
> likes?
> 
> Have a nice day :)
> >
> > Thomas
> >
> 
> Many thanks!
> 
> Kenneth Parker

Hi Kenneth,

Install OVMF. I tend to use Virtual Machine Manager just because it's
easier for me. Essentially, you do get the choice to use Secure Boot and
there are two options - one for Microsoft and one generic, I think.

Andy C.



Re: Archiving mail

2021-06-14 Thread William Bonnet
Hello,

How do you archive your messages?

There can be lots of ways of doing it, but I think most of them depend
on the use you want to make of it, and how and why you will want
to consult these archives. Your use case, in other words :)


Personally I set up an IMAP server (Dovecot at my place).
All my emails go into it; I coupled it with fetchmail, but that's
my choice. I keep more than 10 years of email in it; of course it is
backed up, made redundant, etc., and I consult / search it with Thunderbird
or a local webmail. So all the data is on my personal servers
at home, and the mails I receive stay only a few minutes with
my mail providers. Not so much out of fear or paranoia, but I
chose to manage my own IMAP for the volume, my confidentiality,
search, etc. To each their own criteria.


I do the archiving through IMAP folders that I manage with my
rules, either via TB or by hand.


I couple this with sieve filters on fetchmail that pre-sort the
emails and put them in the right folders with the right markers according to
the sender (administrative, invoices, etc.) or by mailing list.


The archive builds up as things go along with these rules; after that it's
mostly a question of backups. But there is no getting around that :)


And as a freelancer, having mails filed and backed up is vital in
my case


my two cents..


@+W.

-- 
kind regards,
William   https://forum.armwizard.org

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁   wbonnet@(armwizard|firmwaretoolkit|neuralnet-studio).org
 ⢿⡄⠘⠷⠚⠋⠀ GPG fingerprint: 7189 DC8E 15B9 B3E4 EA3E 902B 8EAC F0B9 25A5 9D48
 ⠈⠳⣄






Re: Xorg crashes (i915, context reset due to GPU hang)

2021-06-14 Thread Daniel Caillibaud
Good evening,

On 11/06/21 at 23:30, Étienne Mollier  wrote:
> I took some time to go round the web with a
> search engine and a few keywords for these symptoms.
> I saw here[1] and there[2] that disabling the iommu had helped,
> in cases that at first glance look roughly similar, to stabilise the
> machine.

Many thanks for taking the time to search/find/explain.

I had searched starting from "gpu hang", without finding anything that seemed
relevant to me, probably because these hardware matters are a bit beyond me
(and I have trouble getting interested enough in them to learn).

> In the case of the iommu, there are several options:
> 
>   - either disable it in the motherboard's "Bios"
> configuration;
>   - or at boot, by passing the argument intel_iommu=off to the
> linux kernel in grub;
>   - or drop CONFIG_INTEL_IOMMU, staying within the
> options exposed by the .config.

Many thanks!

I'm testing this and will tell you in a few days whether it fixed the problem.

In case others have the problem and see this thread in the archives,
I chose the grub option (the quickest to test) with

- add the option to the GRUB_CMDLINE_LINUX variable in /etc/default/grub;
  in my case I replaced
GRUB_CMDLINE_LINUX=""
  with
GRUB_CMDLINE_LINUX="intel_iommu=off"
  (but if the options xxx and yyy were already there it would give
GRUB_CMDLINE_LINUX="xxx yyy intel_iommu=off")
- re-run `update-grub`
- check that it gives what was wanted with `grep mmu /boot/grub/grub.cfg`
  (which must return this option for each grub entry)


-- 
Daniel

There is someone without whom everything I have done
so far would not have been possible: ME.
Philippe Geluck, Le chat
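
The procedure in the message above (append the option to GRUB_CMDLINE_LINUX without losing existing ones, then confirm that every entry in grub.cfg carries it) can be scripted so that the check names the boot entries that lack the option instead of only grepping for it. This is an added example, not code from the post; the function names and both sample files are constructed for illustration, and it works on text so it can be tried without touching /etc/default/grub.

```python
import re

# GRUB_CMDLINE_LINUX= only; the "=" right after the name excludes ..._DEFAULT
CMDLINE_RE = re.compile(r'^GRUB_CMDLINE_LINUX=(["\']?)(.*?)\1[ \t]*$', re.M)
MENUENTRY_RE = re.compile(r'^\s*menuentry\s+([\'"])(.*?)\1')
LINUX_RE = re.compile(r'^\s*linux(?:16|efi)?\s+\S+\s*(.*)$')


def add_kernel_param(default_grub, param):
    """Return the text of /etc/default/grub with param appended to
    GRUB_CMDLINE_LINUX, keeping the options that are already there."""
    m = CMDLINE_RE.search(default_grub)
    if m is None:
        raise ValueError("no plain GRUB_CMDLINE_LINUX= line found")
    options = m.group(2).split()
    if param not in options:          # idempotent: never add it twice
        options.append(param)
    new_line = 'GRUB_CMDLINE_LINUX="%s"' % " ".join(options)
    return default_grub[:m.start()] + new_line + default_grub[m.end():]


def kernel_cmdlines(grub_cfg):
    """Return [(menuentry title, [kernel arguments])] for each linux line."""
    result, title = [], None
    for line in grub_cfg.splitlines():
        m = MENUENTRY_RE.match(line)
        if m:
            title = m.group(2)
            continue
        m = LINUX_RE.match(line)
        if m and title is not None:
            result.append((title, m.group(1).split()))
    return result


def entries_missing(grub_cfg, param):
    """Titles of boot entries whose kernel command line lacks param."""
    return [t for t, args in kernel_cmdlines(grub_cfg) if param not in args]


# Constructed sample of /etc/default/grub before the edit.
SAMPLE_DEFAULT = '''GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
'''

# Constructed sample of grub.cfg; the last entry is deliberately stale.
SAMPLE_CFG = '''menuentry 'Debian GNU/Linux' --class debian {
\tlinux\t/boot/vmlinuz-5.10.0-7-amd64 root=/dev/sda1 ro intel_iommu=off quiet
\tinitrd\t/boot/initrd.img-5.10.0-7-amd64
}
submenu 'Advanced options for Debian GNU/Linux' {
\tmenuentry 'Debian GNU/Linux, with Linux 5.10.0-7-amd64 (recovery mode)' {
\t\tlinux\t/boot/vmlinuz-5.10.0-7-amd64 root=/dev/sda1 ro single intel_iommu=off
\t}
\tmenuentry 'Debian GNU/Linux, with Linux 5.10.0-6-amd64' {
\t\tlinux\t/boot/vmlinuz-5.10.0-6-amd64 root=/dev/sda1 ro quiet
\t}
}
'''

if __name__ == "__main__":
    print(add_kernel_param(SAMPLE_DEFAULT, "intel_iommu=off"))
    for title in entries_missing(SAMPLE_CFG, "intel_iommu=off"):
        print("option missing in entry:", title)
```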



Re: Archiving mail

2021-06-14 Thread steve

On Monday 14 June 2021, didier gaumet wrote:


maybe look at chewmail, it seems to handle Maildir


Last commit 7 years ago. But I'll take a look at it anyway.

Otherwise, maybe my approach is not the right one.


How do you archive your messages?



Re: How to debug a web application (Firefox 89, Debian)

2021-06-14 Thread Daniel Caillibaud
On 11/06/21 at 22:13, kaliderus  wrote:
> Good evening,
> 
> This is a bit off topic: when I was doing web development (last
> century), Selenium had appeared, a Firefox plugin that lets you
> automate quite a lot of manipulations.
> The product still exists, and it would not be surprising if
> new features had appeared and if it were usable and
> easy to integrate with recent/modern dev tools.

Selenium still exists, but I found it
- a bloated contraption
- not very reliable (often a test fails, you rerun it and it no longer fails,
  so you need a wrapper around selenium that tries a 2nd time when it fails
  and moves on if the 2nd run passes, or complains if it fails 2×)

and for a while now I have been using https://playwright.dev/ which I find
- much easier to use (tests much quicker to write, simpler to reread and
  therefore much easier to maintain)
- more reliable
- nothing to install apart from an `npm install playwright` (with selenium
  you need quite a lot of pieces for everything to work)

But for those who use the Firefox plugin to generate the test code, if it
works for them it's a real plus (in my case I always had to rework the
generated code; in the end I go faster coding a playwright test from scratch)

My 2cts

-- 
Daniel

This woman who claims I am dyslexic,
I never interviewed her!
Georges W. Bush (15/09/2000)



Re: [Off topic thoughts] Re: debian installation issue

2021-06-14 Thread Joe
On Mon, 14 Jun 2021 11:41:37 +0200
 wrote:


>  "Any sufficiently advanced malice is indistinguishable from
> stupidity"
> 
> (some call that "plausible deniability").
> 
>
"People would rather appear stupid than evil".

-- 
Joe



Re: Emphasis notation in plain-text mail (was Re: Server setup)

2021-06-14 Thread Richard Owlett

On 06/13/2021 04:36 PM, The Wanderer wrote:

On 2021-06-13 at 17:30, Polyna-Maude Racicot-Summerside wrote:
...


Regarding the asterisks, I used them in many text to make emphasis,
including in some text that go out in printed form. Started doing so
when I was still in university and transcribing my notes after the
day.


Certainly better than the current apparent trend of using quotation
marks to do so...



Those of us who learned to read and write in the 50's may interpret a 
word surrounded by quotation marks as having a different, or even 
contrary, meaning compared to a dictionary's entry.









Re: Server setup

2021-06-14 Thread Richard Owlett

On 06/13/2021 05:23 PM, deloptes wrote:

Polyna-Maude Racicot-Summerside wrote:


So if you read back my message.
I boot using a rescue system over the network.
I do my partition.
I make the filesystem.
I mount.
I use debootstrap.
And after I need to configure boot, this is where it blocks.

Got it now ?



At least now I understood the problem.

After debootstrap you should chroot and execute grub-install and update-grub
or vice versa. Of course it could be necessary to update some
configurations.

I attach here my installation notes I applied to USB-Stick. It should apply
to your use case as well (I hope)

Ah and if you find some pieces to improve, let me know.

regards


Between Polyna-Maude's outline above of the installation process and 
deloptes' "Debootstrap_Into_USB-Stick" I think I understand why I was 
unsuccessful using debootstrap when I first encountered Debian a decade ago.


I think I also see a common theme between this thread and my old 
problem. There is a difference of "world view" between Debian experts 
and non-experts which causes a breakdown in communication, the same 
sentence conveying quite different information to the two groups.





Re: Accents and ñ in xfce

2021-06-14 Thread Luis Miguel R.
On Sunday, 13 June 2021 at 03:47:11, Ricardo Delgado wrote:
> 
> I have problems with my interface: when I receive a file with accents and
> ñ it always gives me an error.
> 

After 25 years with Linux, problems with accents still keep cropping up,
not just unbelievable, but beyond that...



Secure Boot in QEMU (was Re: debian installation issue)

2021-06-14 Thread Kenneth Parker
On Mon, Jun 14, 2021 at 4:45 AM Thomas Schmitt  wrote:

> Hi,
>
> Greg Wooledge wrote:
> > > > Secure Boot (Microsoft's attempt to stop you from using Linux)
>
> Andrei POPESCU wrote:
> > > While I'm not a fan of Microsoft:
> > > https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3
> > > "Microsoft act as a Certification Authority (CA) for SB, and they will
> > > sign programs on behalf of other trusted organisations so that their
> > > programs will also run."
>
> to...@tuxteam.de wrote:
> >  - do you know any other alternative CA besides Microsoft
> >  - is there any internationally legal binding of Microsoft
>
> Actually it is the mainboard producers and possibly the CPU producers who
> decide who is in charge as CA.
> Further they decide whether the firmware offers the possibility to disable
> Secure Boot or to become your own CA.
>
>
> https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
> shows how it should be in an ideal world. Of course this is still expert's
> work.
>
> I myself would see few reason not to disable Secure Boot on my own machines
> if necessary. But currently it does not even hamper kernel experiments.
> (Dunno whether this is intended by Debian and kernel source code or
> whether my test machine is just not as secure as its EFI pretends to be.
> My experiments happen in kernel modules like sr, cdrom, isofs. Maybe a
> change in the kernel's core would meet more distrust.)
>
> I agree with Andrei POPESCU that Secure Boot is not really for the purpose
> of hampering free operating systems, although it causes extra workload on
> those who intend to support this boot procedure.
> Secure Boot is rather the modern attempt to make systems safe against
> simple hardware manipulations. The old way was to seal the USB ports by a
> hot glue gun and to use security screws at the side plates of the box.
>
> It is unfortunate that Intel and Microsoft could not bring themselves to
> create an independent institution which authorizes the legitimate
> boot programs which are acceptable by default.
>
> 
> As we are already off topic:
>
> I agree to Greg Wooledge's overview of x86 boot firmware, as far as
> Debian installation is concerned.
>
> I have some nitpicking on technical details, though, which i did not post
> because it would not be relevant to the initial topic.
>
> Greg Wooledge wrote:
> > UEFI booting requires a GPT disk label (partition table type),
>
> No. UEFI specifies the formats of both, MBR partition table and GPT.
> In both partition table types it specifies an identifier for the EFI
> partition. (Type 0xEF for MBR partition table,
> Type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B for GPT.)
>
> There exist some few UEFI firmware implementations which do not obey
> the specs and ignore MBR partition tables.
>
>
> > and one of the partitions on the disk must be an EFI partition.
>
> Actually there is no UEFI implementation known which would not peek into
> any recognized partition with a FAT filesystem, whether there is \EFI\BOOT
> with the matching BOOT*.EFI file.
> This seems to be a quirk which is protected by Microsoft Inc.
>
> Whether a partition is used automatically for booting or whether it is
> offered at all as bootable, is a matter of UEFI implementation and
> settings.
>

Okay.  I am running Debian Bullseye (selected earlier, during its testing
phase, because I needed its level of QEMU to import a VM from Mint 20's
QEMU:  Buster's QEMU refused).  My computer is an HP EliteDesk 705 G1-SFF.

I have a special requirement to run a Licenced version of Windows 10 Pro as
a QEMU/KVM Guest.  I have already set up QEMU QCOW2 files as gpt and
partitioned them with UEFI environments, but only with Linux guests so far,
as well as (in one instance) Refind.

Does QEMU/KVM support setting up Secure Boot, in a way that passes
Microsoft Muster?

Okay, I may be finding my own answers, via a Super User web page on this,
using Manjaro and ovmf:

https://superuser.com/questions/1389103/windows-10-uefi-physical-to-kvm-libvirt-virtual

And now I see that Bullseye has ovmf available as a package.

So this will be my next Project.  I guess I am asking if anyone on this
list has been successful with a virtualized Secure Boot that Microsoft
likes?

Have a nice day :)
>
> Thomas
>

Many thanks!

Kenneth Parker


Re: [Off topic thoughts] Re: debian installation issue

2021-06-14 Thread tomas
On Mon, Jun 14, 2021 at 10:46:34AM +0200, Thomas Schmitt wrote:
> Hi,
> 
> Greg Wooledge wrote:
> > > > Secure Boot (Microsoft's attempt to stop you from using Linux)
> 
> Andrei POPESCU wrote:
> > > While I'm not a fan of Microsoft:
> > > https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3
> > > "Microsoft act as a Certification Authority (CA) for SB, and they will
> > > sign programs on behalf of other trusted organisations so that their
> > > programs will also run."
> 
> to...@tuxteam.de wrote:
> >  - do you know any other alternative CA besides Microsoft
> >  - is there any internationally legal binding of Microsoft
> 
> Actually it is the mainboard producers and possibly the CPU producers who
> decide who is in charge as CA.

:-)

Yes, I know how it (should) work. I was pointing out what the actual
effect is.

> create an independent institution which authorizes the legitimate
> boot programs which are acceptable by default.

You know I'm a fan of some bastard of Clarke's Third Law and Hanlon's
Razor. In this case, it applies nicely:

 "Any sufficiently advanced malice is indistinguishable from stupidity"

(some call that "plausible deniability").

Now it doesn't help to whine around that "THEY" are cementing their
monopoly (again). Well, duh. It's what they do, and I do commend
all the hacker's efforts to understand the new machinery some aliens
have dumped on our yards.

I was just toning down our nerdy "Oh, shiny, no more evil maid attacks"
enthusiasm and just refusing to let Microsoft off that hook, although
they are behaving in a halfway civilised way (the monopoly probes
might have some relation to that, who knows).

Cheers
 - t




[Off topic thoughts] Re: debian installation issue

2021-06-14 Thread Thomas Schmitt
Hi,

Greg Wooledge wrote:
> > > Secure Boot (Microsoft's attempt to stop you from using Linux)

Andrei POPESCU wrote:
> > While I'm not a fan of Microsoft:
> > https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3
> > "Microsoft act as a Certification Authority (CA) for SB, and they will
> > sign programs on behalf of other trusted organisations so that their
> > programs will also run."

to...@tuxteam.de wrote:
>  - do you know any other alternative CA besides Microsoft
>  - is there any internationally legal binding of Microsoft

Actually it is the mainboard producers and possibly the CPU producers who
decide who is in charge as CA.
Further they decide whether the firmware offers the possibility to disable
Secure Boot or to become your own CA.

  https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
shows how it should be in an ideal world. Of course this is still expert's
work.

I myself would see few reason not to disable Secure Boot on my own machines
if necessary. But currently it does not even hamper kernel experiments.
(Dunno whether this is intended by Debian and kernel source code or
whether my test machine is just not as secure as its EFI pretends to be.
My experiments happen in kernel modules like sr, cdrom, isofs. Maybe a
change in the kernel's core would meet more distrust.)

I agree with Andrei POPESCU that Secure Boot is not really for the purpose
of hampering free operating systems, although it causes extra workload on
those who intend to support this boot procedure.
Secure Boot is rather the modern attempt to make systems safe against
simple hardware manipulations. The old way was to seal the USB ports by a
hot glue gun and to use security screws at the side plates of the box.

It is unfortunate that Intel and Microsoft could not bring themselves to
create an independent institution which authorizes the legitimate
boot programs which are acceptable by default.


As we are already off topic:

I agree to Greg Wooledge's overview of x86 boot firmware, as far as
Debian installation is concerned.

I have some nitpicking on technical details, though, which i did not post
because it would not be relevant to the initial topic.

Greg Wooledge wrote:
> UEFI booting requires a GPT disk label (partition table type),

No. UEFI specifies the formats of both, MBR partition table and GPT.
In both partition table types it specifies an identifier for the EFI
partition. (Type 0xEF for MBR partition table,
Type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B for GPT.)

There exist some few UEFI firmware implementations which do not obey
the specs and ignore MBR partition tables.


> and one of the partitions on the disk must be an EFI partition.

Actually there is no UEFI implementation known which would not peek into
any recognized partition with a FAT filesystem, whether there is \EFI\BOOT
with the matching BOOT*.EFI file.
This seems to be a quirk which is protected by Microsoft Inc.

Whether a partition is used automatically for booting or whether it is
offered at all as bootable, is a matter of UEFI implementation and settings.


Have a nice day :)

Thomas
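
The two ESP identifiers named in the message above (type 0xEF in an MBR partition table, type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B in a GPT) can be looked up on a disk image with a short parser. This is an added example, not part of the original post; the 512-byte sector size, the function names and both sample images are assumptions constructed for illustration, and the GPT CRC32 fields are not verified.

```python
import struct
import uuid

SECTOR = 512                      # assumed logical sector size
MBR_ESP_TYPE = 0xEF               # ESP identifier in an MBR partition table
MBR_PROTECTIVE = 0xEE             # protective MBR entry that announces a GPT
GPT_ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
GPT_LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def parse_mbr(image):
    """Return [(slot, type, first_lba, sectors)] for the used MBR slots."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for slot in range(4):
        base = 446 + 16 * slot    # four 16-byte entries start at offset 446
        ptype = image[base + 4]
        first_lba, sectors = struct.unpack_from("<II", image, base + 8)
        if ptype != 0:
            parts.append((slot + 1, ptype, first_lba, sectors))
    return parts


def parse_gpt(image):
    """Return [(index, type_guid, first_lba, last_lba, name)], primary GPT."""
    header = image[SECTOR:2 * SECTOR]
    if header[:8] != b"EFI PART":
        raise ValueError("LBA 1 has no 'EFI PART' signature")
    (entries_lba,) = struct.unpack_from("<Q", header, 72)
    count, size = struct.unpack_from("<II", header, 80)
    parts = []
    for index in range(count):
        start = entries_lba * SECTOR + index * size
        entry = image[start:start + size]
        if len(entry) < 128:
            break                 # truncated image
        type_guid = uuid.UUID(bytes_le=bytes(entry[:16]))  # mixed-endian GUID
        if type_guid.int == 0:
            continue              # unused slot
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\x00")[0]
        parts.append((index + 1, type_guid, first_lba, last_lba, name))
    return parts


def find_esp(image):
    """Return (scheme, [(partition number, first LBA)]) for ESP-typed entries."""
    mbr = parse_mbr(image)
    if any(ptype == MBR_PROTECTIVE for _, ptype, _, _ in mbr):
        return "gpt", [(i, first) for i, guid, first, _, _ in parse_gpt(image)
                       if guid == GPT_ESP_GUID]
    return "mbr", [(slot, first) for slot, ptype, first, _ in mbr
                   if ptype == MBR_ESP_TYPE]


def mbr_sector(entries):
    """Build sector 0 from [(type, first_lba, sectors)]; CHS fields stay zero."""
    sector = bytearray(SECTOR)
    for slot, (ptype, first_lba, sectors) in enumerate(entries):
        struct.pack_into("<4xB3xII", sector, 446 + 16 * slot,
                         ptype, first_lba, sectors)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def gpt_entry(type_guid, first_lba, last_lba, name):
    """Build one 128-byte GPT partition entry."""
    entry = bytearray(128)
    entry[0:16] = type_guid.bytes_le
    entry[16:32] = uuid.UUID(int=first_lba).bytes_le   # constructed unique GUID
    struct.pack_into("<QQ", entry, 32, first_lba, last_lba)
    raw = name.encode("utf-16-le")
    entry[56:56 + len(raw)] = raw
    return bytes(entry)


def build_mbr_image():
    """Constructed sample: MBR disk, ESP in slot 1, Linux (0x83) in slot 2."""
    return (mbr_sector([(0xEF, 2048, 204800), (0x83, 206848, 1048576)])
            + bytes(SECTOR))


def build_gpt_image():
    """Constructed sample: protective MBR, GPT header, four 128-byte entries."""
    header = bytearray(SECTOR)
    header[0:8] = b"EFI PART"
    struct.pack_into("<Q", header, 72, 2)          # entry array starts at LBA 2
    struct.pack_into("<II", header, 80, 4, 128)    # 4 entries of 128 bytes
    entries = (gpt_entry(GPT_ESP_GUID, 2048, 206847, "EFI System Partition")
               + gpt_entry(GPT_LINUX_FS, 206848, 1255423, "root")
               + bytes(256))                       # two unused slots
    return mbr_sector([(0xEE, 1, 0xFFFFFFFF)]) + bytes(header) + entries


if __name__ == "__main__":
    for label, image in (("MBR", build_mbr_image()), ("GPT", build_gpt_image())):
        print(label, find_esp(image))
```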



Re: cannot mount smartphone anymore

2021-06-14 Thread Reco
Hi.

On Mon, Jun 14, 2021 at 09:46:02AM +0200, Emanuel Berg wrote:
> Andrei POPESCU wrote:
> 
> > Removing usbguard is maybe a drastic decision, isn't?
> > Or maybe you don't want this package anymore for
> > other reasons?
> 
>  No, why do I need it for?
> >>>
> >>> He probably assumed you installed it intentionally, and so
> >>> for a reason, as it appears to be an optional package.
> >> 
> >> If so I don't remember why :)
> >
> > But aptitude might know:
> >
> > aptitude why usbguard
> 
> OK:
> 
> i   gnome-online-accounts Recommends gnome-control-center (>= 3.6.1)
> i A gnome-control-center  Depends    gnome-settings-daemon (>= 3.37)
> i A gnome-settings-daemon Suggests   usbguard
> 
> Not really a GNOME user so again don't know what that means...

It means this, based on the package changelog:

gnome-settings-daemon (3.35.91-1) experimental; urgency=medium

  [ Sebastien Bacher ]
  * New upstream release:
    - Add capability to disable USB while the lockscreen is on
      (based on USBGuard)
  * debian/control.in:
    - Suggests usbguard for the new lockscreen protection, the feature
      didn't get much testing yet and usbguard could create problems so
      don't bring it in by default yet


I.e. what it should do is to deny any usb devices from configuring while
you have a lockscreen on. The changelog message also shows that
currently one has to install the Suggests type of dependency to get this
feature.

Reco



Re: debian installation issue

2021-06-14 Thread tomas
On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
> On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
> > 
> > Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
> > UEFI booting, and therefore this was one of the driving forces behind it,
> > but not the *only* driving force.  If your machine doesn't use Secure Boot,
> > don't worry about it.  It won't affect you.
> 
> While I'm not a fan of Microsoft:
> 
> https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F

Quoting from there:

  "Microsoft act as a Certification Authority (CA) for SB, and they will
   sign programs on behalf of other trusted organisations so that their
   programs will also run."

Now two questions:

 - do you know any other alternative CA besides Microsoft who is
   capable of effectively doing this? In a way that it'd "work"
   with most PC vendors?

 - is there any internationally legal binding of Microsoft for
   them to provide that service in the future, in a fair and non
   discriminatory way?

I'd be surprised if the answer to /any/ of those questions were "yes".

We do have a dependency on Microsoft's "good will" here. Whether we like
it or not.

Cheers
 - t




Re: Archiving mail

2021-06-14 Thread didier gaumet
maybe look at chewmail, it seems to handle Maildir




Re: cannot mount smartphone anymore

2021-06-14 Thread Andrei POPESCU
On Du, 13 iun 21, 21:49:03, Emanuel Berg wrote:
> Curt wrote:
> 
> >>> Removing usbguard is maybe a drastic decision, isn't?
> >>> Or maybe you don't want this package anymore for
> >>> other reasons?
> >>
> >> No, why do I need it for?
> >
> > He probably assumed you installed it intentionally, and so
> > for a reason, as it appears to be an optional package.
> 
> If so I don't remember why :)

But aptitude might know:

aptitude why usbguard


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: debian installation issue

2021-06-14 Thread Andrei POPESCU
On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
> 
> Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
> UEFI booting, and therefore this was one of the driving forces behind it,
> but not the *only* driving force.  If your machine doesn't use Secure Boot,
> don't worry about it.  It won't affect you.

While I'm not a fan of Microsoft:

https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser

