Re: One-line password generator

2017-08-23 Thread Aaron Toponce
On Wed, Aug 23, 2017 at 03:23:50PM -0400, Greg Wooledge wrote:
> On Wed, Aug 23, 2017 at 01:16:56PM -0600, Aaron Toponce wrote:
> > Three POSIX-compliant shell functions that rely on no extra utilities
> > shuff () {
> > if [ $(command -v shuf) ]
> 
> Needs quotes.

Good catch.

> > shuffle -f /dev/stdin -p "$1"
> 
> /dev/stdin is not POSIX-compliant.

Interesting. I was not aware of that.

> > else
> > awk 'BEGIN{
> > "od -tu4 -N4 -A n /dev/urandom" | getline
> 
> /dev/urandom is not POSIX-compliant.  Then again, I don't believe there
> is *any* POSIX-compliant source of randomness available to shell scripts
> other than awk's srand and rand.
> 
> Emulating /dev/urandom in awk is left as an exercise. ;-)
> 
> > [ $(uname) = "SunOS" ] && FILE="/usr/dict/words" || 
> > FILE="/usr/share/dict/words" 
> 
> It'd be better to list all the possible places the dict file may exist,
> and iterate through them until you find it, regardless of uname.

Agreed. I tested this on the BSDs, GNU/Linux, and Solaris/OmniOS/SmartOS. I
don't have access to HP-UX, IBM AIX, Tru64, and some of the other Unices. Is
Plan9 still a thing?

> Also, don't use all-caps shell variable names.  All-caps names are
> reserved for special internal variables, and environment variables.

I've gone back and forth on this. I'd be interested to see a standard
specification on this, if such exists. It seems convention that uppercase is
used more frequently for shell variables than lowercase. I've tended to lean on
uppercase more frequently as a result. Just so long as it doesn't clash with
existing variables, I don't see the reason not to.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: PGP signature


Re: One-line password generator

2017-08-23 Thread Aaron Toponce
On Tue, Aug 22, 2017 at 10:04:59AM -0500, Mario Castelán Castro wrote:
> I have the following line in my Bash init file:
> 
> “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
> 
> This generates a password with just above 128 bits of entropy. You may
> find it useful.

Three POSIX-compliant shell functions that rely on no extra utilities outside
of standard base installs. shuff() is needed for some BSD systems where
shuffle(1) is used in place of shuf(1):

shuff () {
    if [ "$(command -v shuf)" ]
    then
        shuf -n "$1"
    elif [ "$(command -v shuffle)" ]
    then
        shuffle -f /dev/stdin -p "$1"
    else
        # Seed awk's rand() from /dev/urandom, then sort the lines by a random key.
        awk 'BEGIN{
            "od -tu4 -N4 -A n /dev/urandom" | getline
            srand(0+$0)
        }
        {print rand()"\t"$0}' | sort -n | cut -f 2 | head -n "$1"
    fi
}
gen_monkey_pass () {
    I=0
    # Use the argument as the count only if it is a whole number; default to 1.
    [ "$(printf '%s' "$1" | grep -E '^[0-9]+$')" ] && NUM="$1" || NUM="1"
    until [ "$I" -eq "$NUM" ]
    do
        I=$((I+1))
        # 24 characters from an unambiguous 32-symbol set; "-" makes paste read stdin.
        LC_CTYPE=C strings /dev/urandom | grep -o '[a-hjkmnp-z2-9-]' | head -n 24 | paste -s -d \\0 -
    done | column
}
gen_xkcd_pass () {
    I=0
    [ "$(printf '%s' "$1" | grep -E '^[0-9]+$')" ] && NUM="$1" || NUM="1"
    [ "$(uname)" = "SunOS" ] && FILE="/usr/dict/words" || FILE="/usr/share/dict/words"
    # Keep only words of 3 to 6 letters, with no apostrophes or other punctuation.
    DICT=$(LC_CTYPE=C grep -E '^[a-zA-Z]{3,6}$' "$FILE")
    until [ "$I" -eq "$NUM" ]
    do
        I=$((I+1))
        printf '%s\n' "$DICT" | shuff 6 | paste -s -d '.' -
    done | column
}

They can optionally take an argument on how many passwords to generate:

$ gen_monkey_pass 10
rq5xm9b7-jn2-s76-v7rymj2pe9txqkuprr3nn9yczsp23rb
uxsx4-673xcv7wkeu7c8g66k88qd-y549n5pg3g87v33yetw
tbf6nrnbub8q39wqt943cjasts64jgxjw7ut84--2cw6uzxj
vk4am2pr8nbuvr3e4gk7tsnmuhdsby7838gkgpnqjzvy73jm
2ckgppd7c2uasbd598-44z6zse8-74smtafh4h9dmeyschkc

$ gen_xkcd_pass 10
irking.bidets.listen.Soyuz.dahlia.supped
boob.lacing.peyote.glob.lack.trifle
shirt.gushed.Aron.notch.agates.Fergus
hewed.burlap.wales.beck.prisms.rangy
route.retook.gills.cilium.wadis.gem
stools.scurf.lugged.mooch.skater.throng
heist.bye.Google.shyly.Tutsi.rip
taboo.queues.totes.moors.Suzhou.newest
sawyer.gill.clutch.opts.zits.larch
Eisner.sulks.Bradly.Schulz.Adler.puking

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
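
An added example, not part of the original posts: a POSIX sh sketch that takes up two points from this thread, searching a list of candidate dictionary paths instead of branching on uname, and drawing each word by rejection sampling on 32-bit values read from /dev/urandom rather than through awk's rand() seeded with 32 bits. The function names and the sample word list are constructed, and the arithmetic assumes a shell with 64-bit integers.

```shell
#!/bin/sh
# Added example; helper names and the sample word list are constructed.

# find_dict PATH...: print the first readable word list among the candidates.
find_dict() {
    for candidate in "$@"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# rand_below N: uniform integer in [0, N). Reads 32 bits from /dev/urandom and
# rejects values in the incomplete top range so that "% N" has no modulo bias.
# Assumes 64-bit shell arithmetic (an assumption, true on current 64-bit systems).
rand_below() {
    limit=$(( 4294967296 - 4294967296 % $1 ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        [ -n "$r" ] || return 1          # no randomness source available
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % $1 ))
            return 0
        fi
    done
}

# gen_passphrase FILE COUNT: COUNT words of 3-6 letters joined by '.'.
# Words are drawn independently (with replacement), unlike shuf -n.
gen_passphrase() {
    words=$(LC_ALL=C grep -E '^[a-zA-Z]{3,6}$' "$1") || return 1
    total=$(printf '%s\n' "$words" | wc -l | tr -d ' ')
    out=
    i=0
    while [ "$i" -lt "$2" ]; do
        idx=$(( $(rand_below "$total") + 1 ))
        word=$(printf '%s\n' "$words" | sed -n "${idx}p")
        out=${out:+$out.}$word
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# entropy_bits N COUNT: COUNT * log2(N), the strength when every draw is uniform.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# Constructed sample list: 8 usable words plus 3 that the filter must drop.
make_sample_list() {
    cat <<'EOF'
cedar
maple
birch
willow
aspen
spruce
alder
hazel
ox
can't
sycamores
EOF
}

# Demo: prefer a system word list, fall back to the constructed sample.
sample=$(mktemp)
make_sample_list > "$sample"
dict=$(find_dict /usr/share/dict/words /usr/dict/words "$sample")
count=$(LC_ALL=C grep -c -E '^[a-zA-Z]{3,6}$' "$dict")
gen_passphrase "$dict" 6
echo "$count candidate words, $(entropy_bits "$count" 6) bits for 6 words"
rm -f "$sample"
```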




Re: Worry about entropy?

2014-12-03 Thread Aaron Toponce
On Mon, Dec 01, 2014 at 04:48:36PM -0400, francis picabia wrote:
 I'm looking at DNSSEC implementation.  One guide
 points out haveged as a way to speed up performance
 of dnssec-keygen.  It certainly did.  I'm wondering if
 anyone has noticed performance improvement by running
 haveged on systems with certain applications.

Instead of trying to rely on /dev/random, use /dev/urandom. Haveged is
interesting, but I think it might be a bit liberal on its entropy estimates.
At any event, it feeds data into the same CSPRNG that both /dev/random and
/dev/urandom read, so it's no more secure than just relying on /dev/urandom
directly.

 Commonly found advice on the net
 is to look at  /proc/sys/kernel/random/entropy_avail
 and it should be around 2000 or better.
 Another comment said that value is
 merely an estimate.  Checking some Redhat
 server systems I handle, I'm seeing values between
 100 and 200 most often.  One Debian KVM system wildly
 varies from 2000 down to 150 within a few seconds,
 but it isn't doing any noticeable load.

Entropy is _always_ an estimate. It's an approximate measurement of the
unpredictability of the state of the system. In physics, it's an approximate
measurement of the unpredictability of the state of gas particles in a closed
system. Entropy isn't something you use.

 Has anyone experience with seeing significant
 performance boost, or at least avoiding timeouts
 when under load, related to keeping entropy fed
 some how?  I've already read the articles discussing
 use of /dev/random etc., but I'm talking about things
 I implement, not things I code.  I can imagine
 encrypted file system or owncloud and that
 sort of thing being aided, but could it also be
 important for SSL?

OpenSSL, OpenSSH (which uses OpenSSL for random number generation), OpenVPN
(which also uses OpenSSL), Kerberos (ditto), and even GnuPG (except for key
generation), all use /dev/urandom.

You should too.

The only thing you'll get out of /dev/random is frustration due to blocking,
because the entropy estimate of the system is low. Use /dev/urandom, and be
happy. And secure.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Debian fork: 'Devuan', Debian without Systemd

2014-12-02 Thread Aaron Toponce
On Tue, Dec 02, 2014 at 09:40:20PM +0100, Märk Owen wrote:
 It's a waste. They shouldn't have left. I'm pretty neutral about
 systemd as I'm only an end user but I dislike having it forced upon me
 this way.

# apt-get install upstart
# apt-get install sysvinit-core
# apt-get install openrc

No one is forcing you to stick with systemd. The fork is just silly.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Debian fork: 'Devuan', Debian without Systemd

2014-12-02 Thread Aaron Toponce
On Tue, Dec 02, 2014 at 06:47:38PM -0300, Renaud OLGIATI wrote:
 Another way to look at it is forward planning for the release after Jessie,
 when systemd may well become compulsory...

Most would call that FUD.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Irony

2014-08-15 Thread Aaron Toponce
On Thu, Aug 14, 2014 at 09:10:59PM -0400, Jerry Stuckle wrote:
 It is the LANGUAGE that is STRUCTURED - not the data.  SQL was created
 to deal with relational data, not structured data.

When interleaving or bottom-posting your reply (++), please make sure to also
trim out irrelevant content.

Thanks,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: raid recomendation

2012-12-07 Thread Aaron Toponce
On Thu, Dec 06, 2012 at 01:18:38PM -0300, Roberto Scattini wrote:
 hi, i have a new dell r720 server with 5 600gb disks.
 his function will be a postgresql server (the size of the databases is
 really small with 600gb we should be fine for a long time).
 
 which raid configuration would you recommend?
 i was thinking in raid 5 with all five disks but i am not a expert.
 
 i prefer redundancy against size (i mean, i can sacrifice space). and i
 dont want performance degradation for doing raid with an incorrect number
 of disks.

I'll be the first one in this thread to recommend ZFS [1]. With 5 disks, I
would personally do a RAID-1+0, with a hot spare. A RAID-1 will outperform
a parity-based RAID using the same disks every time, due to calculating the
parity. Further, striping across two mirrors will give increased
performance that parity-based RAID cannot achieve. Lastly, you can suffer
any sort of disk failures, provided all mirrors in the stripe remain
intact.

1: http://zfsonlinux.org

If you must absolutely do a parity-based RAID, then I would suggest a
5-disk RAIDZ-1 without a hot spare. It's best practice to use the power
of two, plus parity for your number of disks. In this case, it will give
you the best performance, decent space, and allow for 1 disk failure.

Further, I would recommend the investment in two Intel 300-series SSDs. You
can then partition the SSDs giving 1 GB on each in a mirrored  ZIL, and the
rest to a striped L2ARC. For a PostgreSQL DB, you will see immense
performance gains that you cannot achieve with Linux-based software RAID
and filesystems. And, because ZFS is also a volume manager, there is no
need for LVM and the cache troubles it's plagued with [2].

2: http://serverfault.com/questions/279571/lvm-dangers-and-caveats

If interested, I've been blogging on this very topic. You can see the
relevant posts to your setup here:

* Installing ZFS on Debian: http://pthree.org/?p=2357
* The ZIL: http://pthree.org/?p=2592
* The ZFS ARC: http://pthree.org/?p=2659

Just my $.02.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Netflix on Debian Linux

2012-11-20 Thread Aaron Toponce
On Mon, Nov 19, 2012 at 01:26:14PM -0300, Beco wrote:
 Last month I signed a netflix account just to be amazed it did not
 work nor give support to linux.

There's plenty of proprietary software that has poor or no functionality at
all in Debian.

 After calling the call center and get the news, I just canceled it,
 very frustrated.

If you want/need proprietary software, then it's probably best to stick
with a proprietary platform. Having a local VM of Windows around is handy
for this purpose.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: hard drive clean / microsoft hidden partition

2012-09-23 Thread Aaron Toponce
On Sat, Sep 22, 2012 at 12:33:47PM -0700, Scarletdown wrote:
 On 9/22/2012 12:20 PM, Andrei POPESCU wrote:
 dd if=/dev/zero of=/dev/yourdrive bs=1M
 
 But does that remove the partitions themselves?  I thought the OP
 was wanting to actually delete the MS partitions, which are used to
 restore a computer to its factory default with all the overbloated
 crappeware that gets put on them by the OEM.

You don't even need to go that far. Microsoft Windows uses the MSDOS/Intel
partition structure, which means the partition table for the entire drive
relies only on the first 512 bytes of the drive.

# dd if=/dev/zero of=/dev/sda bs=1 count=512

Done, and much faster than waiting for your drive to be erased from head to
toe (unless you do actually need that).

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: 83 key IBM model m XT keyboard with Debian?

2012-06-18 Thread Aaron Toponce
On Sun, Jun 17, 2012 at 10:40:10PM -0400, Nick Lidakis wrote:
 Anybody using an 83 key IBM model M keyboard with a modern PC?
 Clickykeyboards.com has info about a key codes adapter here:
 http://www.clickykeyboards.com/index.cfm/fa/items.main/parentcat/11298/subcatid/0/id/500722
 
 Was wondering if anyone is a fan of the old 83 key keyboards and if there any
 glitches when using one of these adapters, i.e., limits on maximum typing 
 speed.

I had an 83-key Model M, like, 20 years ago, at the latest. I haven't seen
them personally since. However, I really missed the tactile feedback of
that keyboard, so I ended up going with a more modern Das Keyboard:
http://daskeyboard.com. 105-keys, and not quite the same, but still a solid
keyboard with the Cherry Blue keyswitches.

I know it doesn't answer your question, or address your concerns. Just
thought I'd bring it up.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: ..neat wee litigation trap, was: zfs-fuse or zfsonlinux

2012-05-12 Thread Aaron Toponce
On Sat, May 12, 2012 at 09:09:14AM +0100, Jon Dowland wrote:
 It's a problem if you ever want help if/when there's a bug or problem with the
 module, since the kernel will be marked 'tainted'.

If it's a problem with the module, contact the module maintainers. If it's a
problem with the kernel, unload the module, and contact the kernel
maintainers. I don't see the problem.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: ..neat wee litigation trap, was: zfs-fuse or zfsonlinux

2012-05-11 Thread Aaron Toponce
On Fri, May 11, 2012 at 02:32:54PM +0100, Jon Dowland wrote:
 Yes that's what I was referring to. The CDDL is incompatible with the GPL, but
 it is fine with the BSD license, so Debian GNU/KFreeBSD  doesn't have those
 problems.

And it's not a problem as a kernel module either, seeing as though it's the
user who has to manually load it. For that, the license could be
proprietarded.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: zfs-fuse or zfsonlinux

2012-05-10 Thread Aaron Toponce
On Wed, May 09, 2012 at 07:07:51PM +0100, Lists wrote:
 I'm looking at using ZFS for a box that will serve as a
 storage/backup box.  I'm aware of Debian/kFreeBSD, which seems to be
 the best solution if I want to use Debian, but it does introduce
 some limitations, so I haven't decided on it (yet).

 There are two solutions for linux:

 [1] zfs-fuse - http://zfs-fuse.net/
 [2] zfsonlinux - http://zfsonlinux.org/

 Does anyone here have recent experience with both and can comment on
 which they prefer and why?

Yes. I have experience with both. See http://pthree.org/?p=2357. ZFS for
Linux 0.7.0 FUSE is using pool versions 23, which is quite old. Because
it's using FUSE, it's not as performant as if it were kernel mainline, or a
loaded module.

Contrast that with ZFS for Linux http://zfsonlinux.org, which is a loadable
kernel module, and it is also ZFS pool version 28, which is the latest
source code that the Free Software community has access to until Oracle
gets their act together, and delivers on their promise that they will
release the source code after every Solaris release.

I have used both, and the kernel module ZFS is superior. It is less buggy,
more stable, and performs better than the FUSE counterpart. I've been using
it for my backup servers and backup drives now for a couple months, and
have not had any problems. I have a close friend who has been using it for
a year or so, also with zero issues. In fact, if you use Time Slider with
frequent snapshots, it becomes trivial to restore data should corruption
occur.

The biggest limitation is the lack of native encryption support, which was
released in pool version 30, which we don't have access to the source. As a
result, I've been using LUKS containers to put the RAID-Z pool in. If you
have the AES instruction set on your CPU, then performance isn't really
impacted.

A word of caution: as tempting as deduplication might be, avoid it. Unless
you have significant RAM, and a fast RAID-0 SSD ZIL, I would advise against
it. It causes massive performance problems, and the benefit isn't worth the
cost. On the other hand, enabling compression is very much worth it. LZJB
is fast, and massive gains can be achieved with little effort. Just my
two-cents.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: zfs-fuse or zfsonlinux

2012-05-10 Thread Aaron Toponce
On Thu, May 10, 2012 at 02:43:37PM +0100, Lists wrote:
 Is Time Slider a feature for ZFS or (Open)Solaris?  It seems to be
 the latter.

It is a feature of ZFS native. It's available in the http://zfsonlinux.org
project.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Xen vs KVM

2012-03-28 Thread Aaron Toponce
On Wed, Mar 28, 2012 at 09:35:25AM +0100, Jon Dowland wrote:
 For me, it became yesterday's technology when it became apparent that
 the hypervisor model (putting an entirely new kernel between Linux and
 the hardware) created all sorts of performance problems, and neglected
 the decades of work that had gone into the Linux network stack, amongst
 other parts. Increasingly ugly hacks were (are) needed to pass through
 to the privileged domain, all of which is totally unnecessary with the
 KVM model, where the (much more) tried and tested Linux kernel goes on
 the bottom of the pile.

Can you expound on these ugly hacks? The Xen kernel is a full type-I
hypervisor, with unfettered access to the hardware. The dom0 presents the
virtualized hardware to the domU guests. Using Xen HVM, the presentation
uses Qemu, which is exactly the same for KVM.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Xen vs KVM (was: Re: When will Debian 7.0 with Linux Kernel 3.x be Released?)

2012-03-27 Thread Aaron Toponce
On Tue, Mar 27, 2012 at 09:51:28AM +0100, Jon Dowland wrote:
 On Tue, Mar 27, 2012 at 01:04:57PM +0800, Teo En Ming (Zhang Enming) wrote:
  When will Debian 7.0 be released? Debian with Linux Kernel 3.x
  release seems very slow when all the other Linux distros already
  have the latest Linux Kernel 3.x. Why do I want Linux Kernel 3.x?
  Because I want to play around with Xen virtualization (dom0
  required).

 So you want a cutting-edge kernel to play with yesterday's virtualisation
 technology? The mind boggles!  Debian 6.0 has KVM, libvirt, virt-manager…

How is Xen yesterday's virtualization technology? It's fully supported by
Citrix XenServer and Oracle VM. Sun used it for the basis of their xVM
solution, and Virtual Iron used Xen for the basis of theirs as well (both
of whom were purchased by Oracle).

Some will say that Xen is more stable than KVM. After being a RHEL and
Debian system administrator, and deploying KVM with both the commercial
RHEV product, and with libvirt(8) and virt-manager(1), I think I agree. I've
had the hypervisor kernel do some wacky stuff with KVM that I haven't seen
with Xen. With that said, my heart belongs to KVM, I just wish it had a bit
more stability.

Xen also has a longer history of 3rd party support, and has had a longer
time to mature. It was just recently accepted into the mainline Linux
kernel, and still shows very active development. Xen also supports full
virtualization and paravirtualization.

IMO, Xen isn't yesterday's virtualization technology. It's very current,
stable, flexible, supported and very much today's virtualization
technology.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Bottom posting (was Re: Xfce steals keyboard shortcuts?)

2012-01-09 Thread Aaron Toponce
On Sun, Jan 08, 2012 at 04:54:51PM -0800, Freeman wrote:
 On Mon, Nov 28, 2011 at 04:13:37PM -0800, evenso wrote:
  On Sun, Nov 27, 2011 at 10:01:09PM +0400, Roman Khomasuridze wrote:

(snip)

  (Starting the bottom post protocol used here.)

(snip)

Note, that you haven't properly bottom-posted, unless you have properly
trimmed your reply, leaving only the context to your reply.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Dvorak Keyboards.

2012-01-07 Thread Aaron Toponce
On Fri, Jan 06, 2012 at 06:44:22PM +, Raf Czlonka wrote:
 I guess I wasn't clear enough. This should have been:
 What's wrong with simply re-arrange the keys on your existing keyboard
 and changing the layout at the same time (I'm aware it won't be 100%)?
 This way one can try it out without spending money and changing their
 mind. Later it's time to start learning to touch type.

What's wrong with rearranging your keys to match the layout? How about:

1. The notches on the 'f' and 'j' keys will be moved, making it
   difficult to find the home row without looking.
2. Some keyboards have differently shaped posts under 'f' and 'j'
   preventing them from being moved anyway.
3. Many keyboards have a natural curvature from the top row to the
   bottom row. Moving the keys around messes up that curvature, and
   requires the fingers to be lifted higher, creating more work to
   type, and thus defeating the purpose.
4. Moving your keys around will encourage you to look at your fingers
   while you type, preventing true touch typing, and slowing down your
   progress in speed and accuracy.

I am a Dvorak typist, and have been for 6+ years. Personally, I don't
understand why there are any characters printed on the keys to begin with.
Competent musicians don't keep the notes on their instruments, so they know
where to play 'C' or 'B-flat', for example, so why should they be on your
typing keyboard. As a result, I'm a large proponent of the blank keyboards
at http://daskeyboard.com (I own two). While there are hardware switches
that allow you to switch between QWERTY and Dvorak for keyboards, I
wouldn't recommend it. Just learn where the new characters are on the
printed QWERTY layout, and start touch typing.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Dvorak Keyboards.

2012-01-07 Thread Aaron Toponce
On Sat, Jan 07, 2012 at 11:22:09PM +, Lisi wrote:
 On Saturday 07 January 2012 23:15:01 Aaron Toponce wrote:
  Competent musicians don't keep the notes on their instruments,

 What about incompetent musicians?

Off-topic.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Dvorak Keyboards.

2012-01-07 Thread Aaron Toponce
On Sat, Jan 07, 2012 at 05:35:39PM -0600, green wrote:
 Aaron Toponce wrote at 2012-01-07 17:15 -0600:
  Personally, I don't understand why there are any characters printed on the
  keys to begin with.

 I type fairly well with the Dvorak, but I *do* like the keys to be properly
 labeled.  Why?  Because I occasionally hit a key or shortcut with one hand
 while the other is using the mouse.  Or perhaps type something in with one
 hand while holding a notebook with the other.  Etcetera.

There is nothing preventing you from still looking at the keyboard, and
clearly identifying where the key is located that you want to hit, even
when the keys are blank. Piano players do this all the time.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: what does the s stand for

2011-12-02 Thread Aaron Toponce
On Thu, Dec 01, 2011 at 03:50:55PM -0500, doug wrote:
 Tried this in pclos.  There is no chmod in the info file.
 There is also no man chmod.

I don't know what pclos is, but chmod(1) is part of the coreutils
package. If you have cat(1), you have chmod(1).

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Full Disk Encryption

2011-11-29 Thread Aaron Toponce
On Tue, Nov 29, 2011 at 12:23:10AM -0700, Aaron Toponce wrote:
 ECB (electronic code block) outperforms the other block ciphers,
 but it suffers from a pattern attack [1].

 1. http://ae7.st/s/i.pr

My apologies on the short URL. It is the wrong one. Rather than copy/paste,
I just looked at it in the address bar, and typed it out by hand. This is
why characters such as '1', 'l'  'i' should not be used in such scenarios,
especially passwords (among others). The correct short URL preview is:

http://ae7.st/s/l.pr

Which redirects to a secure Wikipedia article entry about the problem with
ECB.

Thanks Bob for bringing this to my attention.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Full Disk Encryption

2011-11-28 Thread Aaron Toponce
Because this is a subject near and dear to my heart, I feel the urge to
chime in.

On Sat, Nov 26, 2011 at 10:45:29AM +0530, J. Bakshi wrote:
 I am always interested in Full disk encryption for my laptop ( i5 + 3 GB ), 
 but what makes me stop
 is the thinking of performance lag. Recently I have seen an Ubuntu laptop ( 
 i5 + 4 GB ) with full
 disk encryption and it is performing normal, haven't found any lag...

I have done extensive benchmarking, and have found that you will have
different performance results, based on the cipher and key size that you
choose. ECB (electronic code block) outperforms the other block ciphers,
but it suffers from a pattern attack [1]. As a result, when using a LUKS
formatted partition/volume with cryptsetup(8), I usually do the following:

# dd if=/dev/urandom of=/path/to/device bs=4096
# cryptsetup luksFormat -c aes -s 128 /path/to/device

The first step, obviously, is to fill the entire device with pseudorandom
data, so it is not clear where the encrypted filesystem starts and ends.
Then, I create the encrypted filesystem in the second step. Those options
have given me the best performance, with ~1-2% hit on reads, and ~5% hit on
writes.

1. http://ae7.st/s/i.pr

 So I am interested to give the FUD a try on my own laptop. How can I proceed 
 ? My laptop is debian wheezy
 with lots of important data.. so backup is must.. but what next ? What 
 configuration will give me a better
 performance , LVM based or simple partition based ? Presently excluding swap 
 I have 3 reiserfs partition for / ; /home
 and /movie ... no LVM. Like to hear some feedback from you guys..

LVM will add some additional overhead, but nothing more than ~2% hit for
writes. Usually, I'll setup my filesystem as follows:

# dd if=/dev/urandom of=/path/to/device bs=4096
# cryptsetup luksFormat -c aes -s 128 /path/to/device
# cryptsetup luksOpen /path/to/device crypt-device
# pvcreate /dev/mapper/crypt-device
# vgcreate data /dev/mapper/crypt-device
# lvcreate -l 100%FREE -n crypt-volume data
# mkfs.ext4 /dev/mapper/crypt-volume
# mount /dev/mapper/crypt-volume /mnt

At which point I can start copying data. If the device has already been
filled with pseudorandom or encrypted data, then there is no point in
running the dd(1) step.

Hope that helps.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: which system is similar with debian

2011-10-19 Thread Aaron Toponce
On Wed, Oct 19, 2011 at 01:04:28PM +0800, lina wrote:
 I want to download a software, which only provided the below options
 except Windows:

 1] RedHat Enterprise Linux 4 (64 bit)
 2] RedHat Enterprise Linux 5 (64 bit)
 3] Suse Linux Enterprise 10/11 (64 bit).

 I am not sure which one will relatively better fit the x86_64
 GNU/Linux wheezy one.

These are not similar to Debian much at all. They ship the same kernel
(although different versions), and many of the GNU, BSD and other userland
tools, but the filesystems are totally different, the package managers are
different, and much more.

Further, you shouldn't be using RHEL 4 or 5, as both are old releases. RHEL
6.1 is current, even though they all still receive security patches.

At any rate, if one of the above must be installed, then you're going to
learn a new system.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




[OT] Re: Please kill the noise

2011-10-06 Thread Aaron Toponce

On 10/06/2011 06:32 AM, Stan Hoeppner wrote:
> All of the off topic crap the last couple of days is making it more
> difficult to assist those who actually need help with Debian.

If you are using an MUA that supports threading, then I don't see the
issue. It's all contained in one thread, and it doesn't prevent me from
seeing other posts in other threads.

> Debian is an OS for _mature_ Linux users.  Please act like one and stop
> this juvenile OT nonsense.

Following the Re: Wow, Evolution left me with eggs in my face thread,
including all of its off-topic sub-threads, has shown a great level of
maturity and tact. I see nothing juvenile about the thread personally.


--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o





Re: Hash salt (was Re: BCRYPT - Why not using it?)

2011-04-07 Thread Aaron Toponce
On Wed, Apr 06, 2011 at 06:37:38PM -1000, Joel Roth wrote:
 So is the salt a fixed number of characters?

From system to system, it varies. On my Fedora 14 virtual machine, it's 16
characters. On Debian 6.0 stable, it's 8.

 Otherwise, how would a process know which portion of the
 string is the salt?

You can read the shadow(5) manual on your Debian system to learn about the
syntax of the password. However, I'll give you the rundown:

The password is separated by '$'. Between the first and second '$' tells
the process what algorithm to use for the hash (MD5, SHA1, bcrypt, etc.).
Between the second and third '$' is the salt itself. After the third '$' is
the hash.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Hash salt (was Re: BCRYPT - Why not using it?)

2011-04-07 Thread Aaron Toponce
On Wed, Apr 06, 2011 at 11:52:04PM -0500, Ron Johnson wrote:
 Is the salt just bits that are either pre- or suffixed to your
 password before being run through the hashing function?

The salt is generally appended to the password. For the specific case of
passwd(1), I'm not entirely sure, without looking at the source.

 The first 3 characters of every hash in my /etc/shadow are the same.
 That's what, 24 bits?

That's interesting. Each salt is created at random. Combined with the
password string, it should produce a very unique hash. Because your hashes
all start with the same 3 characters, then you've been very lucky in the
output, due to the immense size of the keyspace.

> But if your machine is rooted then (besides having lots of other
> problems) the attacker has your system-wide salt.  (But the rainbow
> table would still be unimaginably huge...)

The salt is not system-wide, but local to the account. Each account will
have a unique salt, by default.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Hash salt (was Re: BCRYPT - Why not using it?)

2011-04-07 Thread Aaron Toponce
On Thu, Apr 07, 2011 at 01:31:27AM -0500, Ron Johnson wrote:
> Having the first 3 characters all be $6$ makes sense based upon
> the explanation in your other email.  I thought that was the salt.
> Each user's salt is definitely different.

Ah, those first 3 characters. Yeah, that tells you that your hash is of the
SHA512 form. I thought you meant the first 3 characters of the hash itself.
$alg$salt$password is the form.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature
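
The $alg$salt$hash layout described in the two messages above, as an added example (not code from the thread): a Python parser for the password field of shadow entries, plus an audit pass that flags weak schemes, empty passwords and salts shared between accounts. It goes beyond the thread in handling the rounds= parameter, bcrypt's merged salt/hash segment, locked entries and 13-character DES hashes; the sample lines are constructed and their digests are filler characters, not real hashes.

```python
"""Split /etc/shadow password fields of the form $alg$salt$hash (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identifier between the first and second '$' -> scheme name.
SCHEMES = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}
WEAK = {"MD5-crypt", "DES-crypt"}


@dataclass
class ShadowHash:
    user: str
    scheme: str              # scheme name, or "empty" / "locked" / "unknown"
    params: Optional[str]    # e.g. "rounds=5000" or "cost=10"
    salt: Optional[str]
    digest: Optional[str]
    locked: bool


def parse_shadow_line(line: str) -> ShadowHash:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":                                  # no password required
        return ShadowHash(user, "empty", None, None, None, False)
    locked = pw[0] in "!*"                        # '!' or '*' disables the hash
    body = pw.lstrip("!*")
    if body == "":
        return ShadowHash(user, "locked", None, None, None, True)
    if not body.startswith("$"):
        if len(body) == 13:                       # legacy DES: 2-char salt + 11
            return ShadowHash(user, "DES-crypt", None, body[:2], body[2:], locked)
        return ShadowHash(user, "unknown", None, None, body, locked)
    parts = body.split("$")                       # ['', alg, ...]
    scheme = SCHEMES.get(parts[1], "unknown")
    if scheme == "bcrypt" and len(parts) == 4 and len(parts[3]) == 53:
        # bcrypt: $2b$cost$ then 22 salt chars and 31 hash chars, no '$' between
        rest = parts[3]
        return ShadowHash(user, scheme, "cost=" + parts[2], rest[:22], rest[22:], locked)
    if len(parts) == 5:                           # $alg$params$salt$hash
        return ShadowHash(user, scheme, parts[2], parts[3], parts[4], locked)
    if len(parts) == 4:                           # $alg$salt$hash
        return ShadowHash(user, scheme, None, parts[2], parts[3], locked)
    raise ValueError("unrecognised password field for %s" % user)


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs in input order."""
    findings, seen = [], {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        h = parse_shadow_line(line)
        if h.scheme == "empty":
            findings.append((h.user, "no password set"))
        elif h.scheme in WEAK:
            findings.append((h.user, "weak scheme " + h.scheme))
        if h.salt:
            key = (h.scheme, h.salt)
            if key in seen:                       # salts should be per-account
                findings.append((h.user, "salt shared with " + seen[key]))
            else:
                seen[key] = h.user
    return findings


# Constructed sample entries; the digests are filler, not real hashes.
TAIL = ":15071:0:99999:7:::"
SAMPLE = [
    "root:$6$Zk3hT9qLw2Nf8YxR$" + "a" * 86 + TAIL,
    "alice:$6$rounds=5000$Qm7pLd2x$" + "b" * 86 + TAIL,
    "bob:$1$Hx4vNq1s$" + "c" * 22 + TAIL,
    "carol:$2b$10$" + "D" * 22 + "e" * 31 + TAIL,
    "dave:!$6$Zk3hT9qLw2Nf8YxR$" + "f" * 86 + TAIL,
    "daemon:*" + TAIL,
    "guest:" + TAIL,
    "old:ab" + "c" * 11 + TAIL,
]

if __name__ == "__main__":
    for entry in SAMPLE:
        h = parse_shadow_line(entry)
        print(h.user, h.scheme, h.params, h.salt, "locked" if h.locked else "")
    for user, finding in audit(SAMPLE):
        print("FINDING", user, finding)
```
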


Re: Aptitude and apt-get curiosity.....

2011-04-06 Thread Aaron Toponce
On Wed, Apr 06, 2011 at 08:35:08AM +1000, Charlie wrote:
> I upgrade my Debian Wheezy system with aptitude and it upgrades all but
> one application file.
>
> Redo: aptitude update and it shows that file hangs around for
> several days and doesn't get upgraded when I do aptitude
> safe-upgrade after aptitude update each time day after day.
>
> So I do apt-get update and apt-get upgrade and the file is upgraded.
>
> Why does aptitude just ignore it again and again and apt-get upgrade it?

'apt-get upgrade' is synonymous with 'aptitude full-upgrade'. Had you run
'aptitude why-not package' you likely would have received the answer on
why aptitude was refusing to update it. Generally, when I've seen this, it
is because it relies on a dependency version that you don't have, so it
waits until that comes down the pipe.

Either way, not to be a dick and suggest you RTFM, but you really should
RTFM. :)

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: BCRYPT - Why not using it?

2011-04-06 Thread Aaron Toponce
On Wed, Apr 06, 2011 at 06:18:45PM -0500, Ron Johnson wrote:
> On 04/06/2011 01:42 PM, johhny_at_poland77 wrote:
> > http://unix.stackexchange.com/questions/10326/does-openbsd-use-bcrypt-by-default
> >
> > Why doesn't every modern Linux Distribution use BCRYPT?
> >
> > http://codahale.com/how-to-safely-store-a-password/
> >
> > https://secure.wikimedia.org/wikipedia/en/wiki/Bcrypt
> >
> > WHY
>
> Just to piss you off.

That was the most helpful answer I think you could have given. Well done.

For this link: http://codahale.com/how-to-safely-store-a-password/, he is
clearly confused about many details of the hashed password stored in the
/etc/shadow file. Here are my issues with his article:

First, if you don't have the salt, but you do have the hash, then a rainbow
table attack is completely pointless. Reason being is rainbow tables store
hashes with a 1:1 ratio to text. How the table is traversed is another
story, but the fact remains that one hash will lead you to one piece of
text. Now add a salt. If the salt is unknown, the length of the salt is
8 characters, and the characters used in the salt are [A-Za-z0-9./], or 64
characters, then there are effectively 64^8 possible hashes for one
password. That's 281474976710656 hashes. Even moving at 700,000,000
passwords per second, you have to generate that many hashes per password.
Point is, you have one massive keyspace to search through. Good luck.

Second, if the salt is known as well as the hash, then utilities like John
the Ripper can scream through a dictionary attack. I have access to a
cluster of 20 HP blades with 16 cores per blade. Running John the Ripper
can achieve a speed of 3.8 million passwords per second. .5% the claimed
speed in the article, but even then, I have not been able to crack a
password that contains 72-bits of entropy, that is not based on a
dictionary word, 1337 speak, or other silliness. It's been running for
almost 3 years on the same password. I'm just letting it go out of
curiosity to see if it will find it. I'm not hopeful it will before the
Death of the Universe. But, it's fun at any rate.

Lastly, the SHA1 and SHA2 algorithms were designed with security in mind.
Sure, they're fast, but that's the point. If you're concerned about
knocking a login prompt, you shouldn't be considering the speed of the
algorithm. Instead, you should be spending your time learning PAM. If
you're concerned about someone brute forcing an unshadow file, bcrypt isn't
going to help you if the password is low in entropy (he gives an example of
a 6-character password- seriously???). If your password is high in entropy,
as it should be, then even if SHA1 could churn through 400GBps, it's not
going to find it. Case in point, consider http://distributed.net hacking
the 72-bit RSA key. 72-bits of entropy, and it would take them 1,100 years
at their current rate to exhaust the keyspace entirely. That's only an
11-character password with [A-Za-z0-9] and [:punct:] as the possible
characters. 1,100 years for an 11-character password.

To get at your question though, bcrypt is supported in many GNU/Linux
operating systems. openSUSE used to default to bcrypt as their default
password hash for a long time (I don't know if they still do). Debian
GNU/Linux and GNU/kFreeBSD both ship bcrypt, although not installed by
default. Fedora also ships bcrypt out the gate.

So, to answer your question, most GNU/Linux operating systems support it.
It's only a matter of installing it and configuring PAM correctly.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Hash salt (was Re: BCRYPT - Why not using it?)

2011-04-06 Thread Aaron Toponce
On Wed, Apr 06, 2011 at 09:02:10PM -0500, Ron Johnson wrote:
> The OS must store the salt somewhere, in order to correctly
> authenticate the user when he logs in.  But I've never heard of
> /etc/hashsalt so what am I misunderstanding?

Yes, the salt and the password are both stored in the /etc/shadow file. If
you can read that file, then you have access to both. However, if you don't
have the salt but you do have the hash (maybe it's a different application
besides login you're attacking that stores the salt elsewhere), you don't
know the size of the salt, nor what was used in the salt to create the
hash. So, your search space has just expanded by 64^(number of characters
in salt).

For example, say you have the hash 633427ee13ba83a92778c91a795d444564b9214c
(which actually isn't the encoded format as shown in /etc/shadow, but it
will illustrate the point). You don't know what salt was used to create
that hash. It's 160 bits, so it could be SHA1. Assuming such, you send it
through a 7TB rainbow table, and turn up empty handed. So, either the
password is exceptionally strong, or it's using a salt, and could still be
strong, or could be weak. You don't know. And the only way to work it out
is start incrementing through salts for every string you try, up to some
reasonable point. I hope you have time on your hands, because you'll need
it.

In this case, the password was 'foo' and the salt was 'salt':

$ echo foosalt | sha1sum
633427ee13ba83a92778c91a795d444564b9214c  -

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Hash salt (was Re: BCRYPT - Why not using it?)

2011-04-06 Thread Aaron Toponce
On Thu, Apr 07, 2011 at 06:52:42AM +0200, Martin Ågren wrote:
> In this particular scheme, it appears ('foo','salt') has the same hash
> as ('foosalt',''). In a serious application, hopefully the wheel
> wouldn't be reinvented in this way, but some well-studied, thoroughly
> scrutinized approach would be used. :) But as a toy example it works,
> sure!

The point was to illustrate how a password and salt work to create a unique
hash. Sure, I could have covered all the details on the specific
/etc/shadow implementation, but then we wouldn't see the forest from the
trees.

At any event, point taken.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature
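
The toy scheme from the two messages above (the bytes that 'echo foosalt | sha1sum' hashes), worked through as an added example that is not code from the thread. It shows why a precomputed table of unsalted hashes misses a salted hash, why one dictionary pass per account suffices once the salt is known, and the concatenation ambiguity Martin points out, next to a construction that takes the salt as a separate input. The word list is constructed, and PBKDF2 is a stand-in chosen for this example, not what /etc/shadow uses.

```python
"""Toy salted hash from the thread: sha1 over password + salt (added example)."""
import hashlib
import string

# The salt alphabet named in the thread: [A-Za-z0-9./], 64 characters.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"

# Constructed word list standing in for a dictionary.
WORDS = ["password", "letmein", "foo", "hunter2"]


def salt_space(length):
    """Number of distinct salts of the given length."""
    return len(SALT_ALPHABET) ** length


def toy_hash(password, salt=""):
    # Same bytes the shell pipeline hashes: echo appends a trailing newline.
    data = (password + salt + "\n").encode()
    return hashlib.sha1(data).hexdigest()


def build_table(words):
    """Precomputed unsalted hash -> word, the 1:1 mapping a lookup table holds."""
    return {toy_hash(w): w for w in words}


def search_with_salt(target, words, salt):
    """With the salt known, the table is useless but one pass per account works."""
    for w in words:
        if toy_hash(w, salt) == target:
            return w
    return None


def separated_hash(password, salt, iterations=10_000):
    # Salt goes in as its own argument, so ('foo','salt') and ('foos','alt')
    # are different inputs. Iteration count is kept small so the example runs
    # quickly; it is not a recommendation.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()


def demo():
    table = build_table(WORDS)
    stored = toy_hash("foo", "salt")           # what the verifier would store
    return {
        # Unsalted hash of a dictionary word: the table finds it at once.
        "table_hit_unsalted": table.get(toy_hash("foo")),
        # Salted hash of the same word: not in the table.
        "table_hit_salted": table.get(stored),
        # Salt known (as in /etc/shadow): one pass over the dictionary.
        "hit_when_salt_known": search_with_salt(stored, WORDS, "salt"),
        # Two accounts, same password, different salts: different hashes.
        "two_salts_differ": toy_hash("foo", "salt") != toy_hash("foo", "tlas"),
        # Plain concatenation cannot tell where the password ends.
        "concat_ambiguous": toy_hash("foo", "salt")
        == toy_hash("foosalt", "")
        == toy_hash("foos", "alt"),
        # A separate salt input removes that ambiguity.
        "separated_ambiguous": separated_hash("foo", "salt")
        == separated_hash("foos", "alt"),
    }


if __name__ == "__main__":
    print("salts of length 8:", salt_space(8))
    for name, value in demo().items():
        print(name, "=", value)
```
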


Re: Debian was hacked: The Canterbury Distribution (howto write the date)

2011-04-02 Thread Aaron Toponce
On Sat, Apr 02, 2011 at 02:23:31PM +1100, Scott Ferguson wrote:
> Why not use the Debian standard??
> Reasoning - it's already been extensively debated *and* voted on, it's a
> system already in place, it's the Debian way.
>
> (Is there more than one (Debian standard)?)
>
> From :-
> http://www.debian.org/doc/debian-policy/ch-source.html#s-dpkgchangelog
>
> The date has the following format[17] (compatible and with the same
> semantics of RFC 2822 and RFC 5322):
>
>  day-of-week, dd month  hh:mm:ss +

I'm not the one who typed the initial date of 04/01/11. Had the Debian
standard of Fri, 01 Apr 2011 00:00:00 -0700 been used, there would have
been no ambiguity, now would there?

Further, why do all that typing on a mailing list thread, when 2011-04-01
is, oh I don't know, _one_ _third_ the length, and still retains
unambiguity?

Heh. You can do things the short way or the long way. I'll take the short
way.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Debian was hacked: The Canterbury Distribution

2011-04-01 Thread Aaron Toponce
On Fri, Apr 01, 2011 at 09:01:41PM +1100, Scott Ferguson wrote:
> On 01/04/11 20:17, Lisi wrote:
> > On Friday 01 April 2011 10:05:54 Liam O'Toole wrote:
> > > On 2011-04-01, Freeman hew...@gmail.com wrote:
> > > > 04/01/11 !
> > >
> > > What does the 4th of January have to do with it??
> >
> > Perhaps on an international list we should say the month names as Liam has
> > here.  Otherwise one is playing guessing games to work out the upbringing of
> > any writer who uses an ambiguous form for the date.  In this case the context
> > made guessing easy, but that is rarely the case.
>
> The North American date format wasn't that hard to work out - though I
> suspect Liam is taking the p1ss (2 weeks late?).

For international mailing lists, if you stick with ISO 8601, there should
be no ambiguity in the date:

2011-04-01 or 20110401 is defined as April 1, 2011, or truncated as
11-04-01 or 110401.

Standards. Who would have thought?

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Debian was hacked: The Canterbury Distribution

2011-04-01 Thread Aaron Toponce
On Fri, Apr 01, 2011 at 12:17:52PM -0600, Paul E Condon wrote:
> On 20110401_051637, Jerome BENOIT wrote:
> > Hello List,
> >
> > right now, the Official Debian site seems hacked by The Canterbury
> > Distribution.
> >
> > I guess it is a joke.
>
> Apparently not a joke.

... except tomorrow, when you see that the joke was on you. :)

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Helping Arch Linux with package signing

2011-03-29 Thread Aaron Toponce
I'm sure everyone has read the following from LWN [1]. I was just thinking
that Debian has had package signing for a while, and the top users of the
PGP Strong Set [2] (maybe even most of it) are Debian developers. Seeing as
though Debian has such a strong history with OpenPGP and package signing, I
was wondering if we could help them along.

1: https://lwn.net/SubscriberLink/434990/4c611307c60a7ae1/
2: http://pgp.cs.uu.nl/plot/

Dan McGee, the lead Arch Linux developer, has stated [3] that he is willing
to accept patches getting OpenPGP implemented into Pacman and the rest of
Arch.

So, given the history of package signing with Debian, I'm wondering if
there is anything we can do as a project to help another project out. Be it
documentation, how-tos, patches, whatever. It appears to be open for
discussion [4], and even though I'm a hardcore Debian user through and
through, it would be great to see another GNU/Linux operating system step
up in the security ranks.

3: https://lwn.net/Articles/435251/
4: https://bugs.archlinux.org/task/5331

If I'm way out of line, then let me know.

Thoughts?

P.S.: I would have posted this to -devel, but I didn't know if it would be
appropriate or not, and I figured many developers might be on this list
anyway, and if necessary, could cross-post it.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Best and most popular distros for the enterprise desktop

2011-02-28 Thread Aaron Toponce
On 02/28/2011 12:47 PM, Jason Hsu wrote:
> Are there any rankings of the most popular Linux distros for the enterprise
> desktop?  My guess is that the most popular enterprise desktop distros are
> Ubuntu, RedHat, and SUSE.
>
> What features/characteristics are needed for an enterprise desktop computer
> that aren't needed for a home desktop computer?
>
> Are there companies or organizations that use Linux Mint?  Linux Mint is the
> distro I recommend to Windows users.  Linux Mint has a Windows-like feel, and
> I find it more user-friendly than Ubuntu.  Since Mint is based on Ubuntu,
> most of the help out there for Ubuntu also applies for Mint.
>
> For those of you who have helped a company or organization migrate from
> Windows to Linux or from one Linux distro to another, what is your preference?

First, I hate the buzzword enterprise. Somehow, it's supposed to
convey some sort of big iron rock solid software, yet when push
comes to shove, enterprise comes from the administrator, and the IT
team, not necessarily the software.

Second, just for clarity with the rest of the list, it's Red Hat, not
RedHat; it's openSUSE and SUSE not OpenSuSE or SuSE, or any
other convoluted camel case spelling.

Thirdly, anything really can fit the bill for the datacenter. At my
place of employment, all of our servers are RHEL, Solaris and HPUX. Our
developers use virtualized desktops which were migrated from Windows to
GNU/Linux. So, for those virtual desktops, we use Red Hat Enterprise
Desktop 6. We tried Ubuntu and openSUSE in the past, and other
GNU/Linux-based operating systems, and they usually fell short in one
area or the other, or they were too much work to administer.

For us, the features that are important are Java support and Oracle
support on the servers, and remote display protocol support on the
virtualized desktops, for which we use NoMachine NX. We need
provisioning tools, such as RHN Satellite, Cobbler and Kickstart. We
need clustering and management support and a local repository for all
the server and desktop software. More importantly, we need solid
stability and security.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: How do you remotely access a home server/network?

2011-02-26 Thread Aaron Toponce
On 02/26/2011 03:56 PM, Jason Hsu wrote:
> I've learned how to turn an old computer into a firewall and DHCP server for
> my tiny home network.
>
> I understand that I can install an SSH server on this machine so that I can
> access it from outside.  Once I have this SSH server connected to the
> Internet, how do I access it from another location?  I have DSL broadband
> service, but I don't think I have a static IP address.

Open up port 22 in your firewall, and find out what your IP address is.
If you don't have a static IP, you can check out many of the dynamic DNS
services available, such as dyndns.org.

You could also install OpenVPN, and get full unfettered access to your
internal home network. Of course, you would have to punch open port 1194
to get access.

Either way, you're exposing your internal network to the Internet if you
don't have good security procedures in place. Have a strong password (I
recommend http://passwordcard.org), chroot jail your daemon, use remote
logging, and take advantage of strict firewalls. In other words, lock it
down.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: Things I Don't Understand About Debian

2011-02-25 Thread Aaron Toponce
On Fri, Feb 25, 2011 at 12:42:51PM +0100, Sjoerd Hardeman wrote:
> SQL injecting and web forms will not work for ssh directly, unless
> you have a very poorly configured apache+mysql-config. Of course
> there are ways of obtaining someone's password.

Heh. SQL injections can get you all sorts of things. The goal is to get
into the server via any route possible. If you leave the server open to
the outside world, disabling root login via ssh isn't granting you any
security.

> Shared key seems more secure, with a good policy for guarding the
> keys. I am not arguing that. It is just that when you disable root
> logins there's in principle an extra layer of protection. This 'in
> principle' of course only helps when done properly, thus not reusing
> passwords etc.
> The fact that a compromised user account = a compromised machine is
> of course very true. However, when detected it might be that the
> attacker did not manage yet to get root permissions. Thus, it buys
> some time.

There are many paths to root, once the attacker is successfully in.
Privilege escalation exploits, buffer overflows, brute force attacks,
insufficient input sanitization, you name it. Don't think for one second
that attackers don't have vulnerability lists that haven't been
reported. And don't think that as soon as they've broken in, you can
boot them out before any damage is done.

My point is, removing root logins via SSH is not hard security. It's
barely a speed bump to the talented and dedicated. If you want a secure
server, then learn firewalls, mandatory access control, ACLs, chrooted
jails, information entropy for passwords, and keep your damn server
patched. As Anonymous has clearly shown lately, if you're a target,
you'll get damage, one way or the other. Even if all they can do is a
DDOS. Taking root logins out of SSH isn't going to buy you any security.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Apache spawning hundreds of pids

2011-02-25 Thread Aaron Toponce
After updating from Lenny to Squeeze, my Apache2 server has been acting
really weird. Hundreds of pids will have been spawned, filling up RAM
and filling up swap, causing the kernel OOM killer to start. Nothing in
/var/log/messages or dmesg gives any indication of what is happening.
Nothing in /var/log/apache2/access.log or error.log either that could be
of help.

This isn't a robust server, so when it happens, it brings the server to
its knees, and it's down for hours before the kernel manages to kill the
pids and restore sanity. Further, there doesn't seem to be any standard
time interval when the pids are created. I've seen the server go 6 hours
after boot before the problems start, and I've seen it go as long as 3
days. It seems entirely arbitrary on when it's going to happen.

I've got kernels 2.6.32-5-686, 2.6.26-2-686 and 2.6.26-1-686 installed.
The problem exists with all three booted kernels. Apache2 version is
2.2.16-6.

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

I am not aware of any changes that I have made to the apache2.conf since
the upgrade, nor am I aware of any changes that dpkg made during the
upgrade.

I don't want to reinstall the server unless I absolutely have to. I do
have all my data backed up, so it's not a concern of doing so, it's just
that I don't have the time to dedicate to reinstalling and restoring
data.

What can I do to troubleshoot this problem, and restore sanity to my
Apache installation? Any help will be greatly appreciated.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Things I Don't Understand About Debian

2011-02-25 Thread Aaron Toponce
On 02/25/2011 06:16 PM, shawn wilson wrote:
> 'nothing but time' - you know that businesses spend tons of money to get
> more 9s of uptime.
> if a website grosses $500 an hour (for ads or for what they sell) and
> you wipe the box and reinstall, you might have lost $2k (if you're real
> good at setting up a web server).

It takes you 4 hours to set up a web server?! Wow. You know, there are
ghosting and imaging technologies that you can use to have a pristine
golden image restored in under 3 minutes, right?

Depending on your network and data restoration techniques, you should be
able to restore data back on the drive as fast as the drive can go.
Assuming this is a data center with raided FC or SCSI drives (you should
be able to afford that if a single server is responsible for $500/hour
of revenue), there should be no reason why you can't achieve 300 MBps
during the restore- 800 MBps if using a moderate SAN. My experience has
shown that when a box goes down, and I need to rebuild, if I'm at it for
more than 20 minutes, I'm wasting time.

> and if you use something from your
> previous install that has something you don't want, you've gained
> nothing. if you go and reinstall the backend db, you might have gained
> nothing as if you recreate the db with your old data that has an account
> you don't want or a trigger that does something you were trying to stop,
> you gained nothing.

Garbage. That's the whole point of restoring data. If you are rebuilding
a server that just got compromised, you restore everything the server
contained up to break in.

> remember, there is rarely a good reason to reboot a linux box and even
> less of a reason to reinstall.

More garbage. There are _many_ good reasons to reboot a UNIX or
GNU/Linux server:

* Proper maintenance ensuring all services start on boot.
* Cleaning out stale memory and swap as a refresh.
* Booting into a new kernel.
* Forcing applications to use the new libraries.
* Ensuring all hardware is still in good, working order.
* Running filesystem checks on filesystems to make sure data is sound.
* Even modifying partitions or filesystems to accommodate new storage needs.

> imo, good logs, properly configured ids, services run in chroot,
> selinux, and properly configured f5 are better than wasting time for no
> good reason.

Anything is better than wasting your time. What's your point?

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: Things I Don't Understand About Debian

2011-02-25 Thread Aaron Toponce
On 02/25/2011 06:35 PM, shawn wilson wrote:
> i don't think your examples are very good / secure. however, if you want
> security, you might go with openbsd.

http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

Security isn't a binary function, and it's not something that is shipped
with operating systems or software. Security is implemented by the
administrator, not the vendor. You can secure a Windows server just as
hard as a GNU/Linux one, and if you don't think you can, you're fooling
yourself.

> however, if you are a restaurant with a small web site, you are probably
> not getting that many visitors in the first place (defacement isn't
> going to cost you much), you probably aren't taking in data (no
> disclosure of loss of pii required), maybe you don't even have any form
> fields (no sql injection, xss, xsrf, etc), maybe you even host it with a
> hosting company so they've got their own security. so, you've got decent
> security by default and your losses would be minimal. so, you'd be
> stupid to spend tons of money on securing your web page.

Remind me not to hire you as my administrator. A small business is
likely to lose much, much more when targeted with an attack than a
global empire. Funds are usually tight, good technical expertise is hard
to come by, and coming back from a compromise costs more time and energy
due to limited resources than a mega corporation.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: Things I Don't Understand About Debian

2011-02-24 Thread Aaron Toponce
On Thu, Feb 24, 2011 at 10:18:20AM +0100, Klistvud wrote:
> 4. The sshd daemon allows root logins by default.

Oh brother. The ssh daemon also allows logins via passwords. I assume
you think this is less secure as well, as ssh keys should be the
preferred method. We should also change the port off 22 to something
like 31867, right?

Security by obscurity my friend. Security by obscurity.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Things I Don't Understand About Debian

2011-02-24 Thread Aaron Toponce
On Thu, Feb 24, 2011 at 05:21:51PM +0100, Sjoerd Hardeman wrote:
> No, it is not. When root logins are allowed, you only need to know
> one password. When root-logins are not allowed, you need to know two
> passwords *and* a user name.

You assume that the only way into an SSH server is through usernames and
passwords. There are many more ways than that.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Things I Don't Understand About Debian

2011-02-24 Thread Aaron Toponce
On Thu, Feb 24, 2011 at 04:51:30PM -0600, Boyd Stephen Smith Jr. wrote:
> For example, you might let one user sudo without a password, disable root
> logins via ssh, have every other user (including root) be disabled in
> /etc/shadow, disable password logins via ssh, and have all other non-root
> users have a bogus shell like /bin/false.  That user of course only have one
> entry in authorized_keys, and it is a 4242-bit key.

Or you could use an SQL injection, or you could attack a web form, or you
could...

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: To 64 or Not to 64?

2011-02-23 Thread Aaron Toponce
On Wed, Feb 23, 2011 at 10:27:31PM +0200, David Baron wrote:
> Should I go to a 64-bit kernel? Benefits vs. Risks?
> Will 64bit enable kvm functionality on this box?

I've made these arguments on this list here before:

http://lists.debian.org/debian-user/2010/05/msg01055.html

In terms of enabling hardware virtualization, check the flags in
/proc/cpuinfo.

% egrep '(vmx|svm)' /proc/cpuinfo

> Will this work with existing packages which could then be changed to 64 bit
> piecemeal or if taking the plunge, must/should redo everything?

If you make the move to 64-bit, then you will need to reinstall your
operating system, and pull the packages from the amd64 repository.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: upgrading squeeze/sid to stable

2011-02-23 Thread Aaron Toponce
On Wed, Feb 23, 2011 at 10:26:12PM +0100, Alex Declent wrote:
> is it so simple
>
> aptitude update
> aptitude upgrade
>
> and squeeze/sid becomes stable?
>
> are there any package repositories which must be added?

That's not upgrading. That's downgrading. Upgrading would be going
stable -> testing -> unstable. Going the other direction will likely
cause a great deal of breakage and other pain. If you want stable, you
need to reinstall your operating system.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Tool to perform same task over several hosts at same time.

2010-12-24 Thread Aaron Toponce
On Fri, Dec 24, 2010 at 04:21:00PM +0100, François TOURDE wrote:
> Or cssh from the clusterssh package.

I was also going to recommend the clusterssh package. That has made my
day-to-day administration of 300+ SSH servers an absolute joy.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: New default artwork for Debian Squeeze

2010-11-28 Thread Aaron Toponce
On 11/27/2010 07:14 AM, Rob Owens wrote:
> Is this theme in the repos, or does it have to be installed manually?

It's already in the repositories for Sid. Dunno if it's made it to
testing yet.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Aaron Toponce
On Fri, Sep 17, 2010 at 04:12:47PM -0500, Mark Allums wrote:
> The master key to HDCP was leaked and it has been reported that it
> is legitimate, meaning it is now possible to crack Blu-Ray.
>
> I'm not interested in that, but I wondered if that meant that we
> would eventually be able to play Blu-Ray on Debian machines.  Do you
> suppose we will see Blu-Ray support in VLC anytime soon?

I would count on it. As much as libdecss is a part of the GNU/Linux
ecosystem, I would expect libdehdcp, or similar to become a part of
the same. That is, if Blu-ray is here to stay.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Straw poll: What browser do you use?

2010-09-14 Thread Aaron Toponce
On Tue, Sep 14, 2010 at 05:05:11PM +0100, Lisi wrote:
> On Tuesday 14 September 2010 16:48:46 Bret Busby wrote:
> > Because the Debian people (I believe) omitted iceape and iceweasel from
> > Debian 5, I had to search, and installed the previous release packages.
>
> Iceweasel is there:
>
> l...@tux:~$ cat /etc/debian_version
> 5.0.6
> l...@tux:~$ aptitude show iceweasel
> Package: iceweasel
> State: installed
> [snip]
>
> But Iceape does indeed seem not be there in its entirety, only the development
> files:
>
> l...@tux:~$ aptitude search iceape
> p   iceape-dev  - Development files for the Iceape Internet Suite
> p   iceape-dev-bin  - Development files for the Iceape Internet Suite
> l...@tux:~$

Iceweasel, Icedove and Iceape, among many, many other packages, rely on
only a handful of core packages, notably xulrunner. The reason Iceape
didn't ship, is because it couldn't be built against the xulrunner
version that supported Iceweasel, Icedove, Epiphany and the others. That
is why for Squeeze, you won't be seeing the latest and greatest Icedove
and Iceweasel, because Iceape and other packages can now be shipped with
the current xulrunner version.

The latest and greatest require a new xulrunner, that many packages
haven't had the time to be tested against. And with Squeeze frozen, we'll
have to wait for Wheezy. You could ship multiple xulrunner versions, but
then you introduce twice the overhead for the security team.

Long story short, it's give-and-take. Hope that makes sense.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Straw poll: What browser do you use?

2010-09-09 Thread Aaron Toponce
On Wed, Sep 08, 2010 at 05:56:41PM -0600, Aaron Toponce wrote:
> I never said they would die. I only said that Microsoft is putting more
> effort into HTML5 for IE than Silverlight. It's evident by the lack of
> even Silverlight pages on Microsoft's own site, as well as partner sites.
>
> No, Microsoft will continue to push .NET, as well as its many devoted
> fans. .NET isn't going anywhere, and I certainly don't expect Microsoft
> to kill it off.

Seems I'm not the only one who has recognized the dilemma Microsoft is
in with HTML5 vs Silverlight:

http://goo.gl/EK73

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: new squeeze

2010-09-09 Thread Aaron Toponce
On Thu, Sep 09, 2010 at 10:30:35PM -0400, Doug wrote:
> I just downloaded debian-testing i386 Net Inst and burned the
> .iso onto disk.  Before I do something silly, I want to make sure
> that this is designed to live with other os's on the hd. (I remember
> one older version of Ubuntu that took over the drive, and wiped
> everything else out.) If everything is copacetic, I'll put it
> on my laptop along with Win XP and PcLinuxOs.  Please advise.

This isn't Ubuntu. :)

Happy hacking,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Straw poll: What browser do you use?

2010-09-08 Thread Aaron Toponce
On 9/8/2010 3:07 PM, Angus Hedger wrote:
> Flash might be one of the evils of the web, but it better than
> moonlight as most silverlight stuff won't work in moonlight 2.2 where
> as flash v10.1 works with pretty much everything (ignoring the total
> lack of a good 64bit plug-in and the instability of nsplugins!), just
> about.

I was disappointed that Silverlight didn't take off. The reason being,
the GNU/Linux community really doesn't have a solid Flash alternative.
Yeah there's Gnash and others, but they don't play well with a lot of
the Flash-based sites. Browsing _sucked_ in GNU/Linux for years because
of this.

So, with Miguel and Mono, I was eager to see a solid Silverlight
alternative in Moonlight. Mono was staying very up-to-date with the .NET
ABI, and there is so much momentum behind Mono, it was hard to see
Moonlight as failing.

Then HTML5 started hitting the web, and well, even Microsoft started
abandoning Silverlight for HTML5 with IE.

I still think that because of Silverlight, the GNU/Linux community would
have had a much better browsing experience through Moonlight and Mono
than we currently have with Flash.

But with HTML5 here and now a solid reality, just not wide-spread
adoption, and now with hardware acceleration hitting the GNU/Linux
browsers (Firefox/Iceweasel 4 and Chrome/Chromium 7), we _finally_ have
browsers and browsing experiences that DON'T SUCK.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Straw poll: What browser do you use?

2010-09-08 Thread Aaron Toponce
On 9/8/2010 5:22 PM, Angus Hedger wrote:
> I highly doubt Silverlight, .Net, and thus by extension moonlight and
> mono will die, for example MS's new phone OS is pretty much all
> Silverlight and .Net

I never said they would die. I only said that Microsoft is putting more
effort into HTML5 for IE than Silverlight. It's evident by the lack of
even Silverlight pages on Microsoft's own site, as well as partner sites.

No, Microsoft will continue to push .NET, as well as its many devoted
fans. .NET isn't going anywhere, and I certainly don't expect Microsoft
to kill it off.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Straw poll: What browser do you use?

2010-09-07 Thread Aaron Toponce
On Tue, Sep 07, 2010 at 03:47:00PM +0200, Klistvud wrote:
> Epiphany is (marginally) better than Iceweasel/Firefox. Internet
> browsing on GNU/Linux, frankly, just plain sucks -- I mean, it sucks
> up all my CPU and all my RAM, permanently. It also makes my
> machine(s) heat up and my fans roar like a fully loaded B-52.

I've never discovered this problem. I've used Iceweasel, Arora, Epiphany
and now Chromium. I have never had CPU problems. I do have RAM problems,
but I'm a tab-hungry power-user. I usually need to restart my browser at
least once per day.

> Disabling all flash and other flishy-flashy-bang-blink-boom-whiz
> plugins may help a bit. Or replacing your graphical browser with a
> text-only browser like w3m/elinks/lynx, if you can afford to.

Except with text-only browsers, you lose the ability to view images,
video, and other interactive features that the web provides.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Straw poll: What browser do you use?

2010-09-07 Thread Aaron Toponce
On Tue, Sep 07, 2010 at 09:16:26AM -0400, B. Alexander wrote:
> I'm just wondering, since firefox/iceweasel seems to be getting unusable.

What is unusable about Iceweasel?

> I have a 2.2GHz C2D box with an nvidia card at home, and a 3.0GHz C2D with
> a (lame) ATI card at work. I find that firefox (or xulrunner-stub) have
> memory leaks, and after a couple of days, it eats up a significant amount
> (10-30%) of memory. The work box has 3GB and the home box has 4GB. It also
> eats up a significant amount of CPU.

This isn't a memory leak. I mean, I'm sure there might be a bug where
there are small amounts of memory leaks, but the massive amounts of RAM
you're chewing through is a feature, not a bug. Your browser is caching
all the pages for each tab you use. The more the tabs, the more the
cache. The more the cache, the more the RAM you chew through. This is
fundamental to all tab-based browsers.

Eating up CPU is another story. If you do have CPU problems, check your
tabs to see if there are any flash-intensive pages in animation. If you
haven't installed an ad blocker by this point in your life, I would
recommend it. You should notice less bandwidth consumed, which means
faster loading pages, and blocking the annoying flash-based ads that do
require CPU to perform. If your browser is chewing through CPU without
any pages showing some sort of heavy animation or javascript, then I
would troubleshoot the issue, and see what you can nail down.

> This morning, after idling all weekend, iceweasel on my work system was
> chewing up between 70 and 100% of my cpus, and scrolling pages were
> hesitating for several seconds.

Again, check your tabs, and see what's actively running on the page
(videos, flash ads, etc).

> So what do others use?

I use the 'chromium-browser' package with Sid. I can't wait for the next
stable release before the latest version of Iceweasel hits Sid. I'm too
impatient with my browser releases. If chromium-browser doesn't hit v6
soon, I'll re-enable the Google repository, and grab
google-chrome-browser.

Iceweasel 4 might win me back with hardware acceleration and tab-candy,
but Chromium 7 is looking to bring a lot of those features to the user
as well. We'll see. Right now, I'm a Chromium user.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Straw poll: What browser do you use?

2010-09-07 Thread Aaron Toponce
On 09/07/2010 10:15 AM, Morgan Gangwere wrote:
> Normally, I use Iceweasel as my normal browser, but on the poor box I
> have (a 1Ghz p3 Coppermine w/256MiB of RAM) I get this odd problem...
> It just eats memory like candy, and I don't even /have/ flash
> installed!

You must not use Chromium/Chrome then. It chews through much more memory
with its process-per-tab feature. Much more than Firefox too.

> Its not plugins its the /rendering engine/ and its /memory management
> techniques/. I've seen a single instance of FF sit there and eat memory
> progressively over 4-5 hours if I have 10-30 tabs open (Generally over
> 5-6 windows). I've seen it eat almost all of my 2GB swap too, which I
> keep on a flash drive.

Again, this is the feature of any tab-based browser. You are caching
each page in each tab. Not only are you caching the pages, but the
browser needs to keep track of what page is associated with what tab,
and the tabs history independent of the others. This is a feature, and
you can turn this off if it bothers you. Worst case, don't use tabs, and
you'll notice your browser using much less memory.

> I'm personally using Midori, a webkit one, at the moment. it doesn't
> eat memory like the hog that iceweasel is, and on the crappy 8mb gfx
> card I'm on (laptop), its no problem for me to spare 3 seconds waiting
> for a page to load.

Midori also doesn't have extension capability, and its plugin
architecture is severely limited. Your browser does a lot for you, a lot
more than I think you realize. Midori doesn't use the amount of RAM
Firefox does, because its feature set is substantially smaller. You
could call this bloat in Firefox, if you wish, or crucial productivity
tools.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Straw poll: What browser do you use?

2010-09-07 Thread Aaron Toponce
On 09/07/2010 02:55 PM, Boyd Stephen Smith Jr. wrote:
> In 20100907151244.gk7...@poseidon.cocyt.us, Aaron Toponce wrote:
> > Your browser is caching
> > all the pages for each tab you use. The more the tabs, the more the
> > cache. The more the cache, the more the RAM you chew through. This is
> > fundamental to all tab-based browsers.
>
> Same number of tabs with the same URLs.  Konqueror remains fast of light at 18
> tabs.  Iceweasel process starts to bog down and begin churning through my RAM.
> No javascript, large images, some flash, which both browsers render
> (incorrectly) using gnash or a variant.
>
> It's certainly not as bad as it has been in the past, but I think
> characterizing Iceweasel memory usage as fundamental to having tabs ludicrous,
> especially with the number of counter-examples around.

So you understand more of what you're talking about:

http://weblogs.mozillazine.org/ben/archives/009749.html

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: thoughts on RHCE

2010-09-01 Thread Aaron Toponce
On Wed, Sep 01, 2010 at 07:44:36PM +0200, Julien Vehent wrote:
> Well, I understood the exam was multiple choices questions, isn't it ?

No. The exam is 100% hands-on. In other words, if you are asked to setup
a DHCP server, then you are expected to do just that, on a box, with
RHEL installed. Check out http://www.redhat.com/certification/rhce/ for
more info.

Note: you do sign an NDA about the exam contents. You need to take this
into account with your personal philosophies.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: thoughts on RHCE

2010-09-01 Thread Aaron Toponce
On Wed, Sep 01, 2010 at 05:04:37PM +0200, Julien Vehent wrote:
> I know this is kind of off-topic on a Debian mailing list, but since
> there's no Debian certification, I was considering taking RHCE.
> The thing is, RHCE fast track course is $3000, and so far,
> everything I've seen or read is pretty classic linux knowledge. So I
> was wondering what other people thought of it.

Most of what you will learn in the RHCE course can easily be applied to
Debian, openSUSE, HPUX and many other UNIX and unix-like operating
systems. I would recommend the certification.

> Is it worth something as a linux certification, in the context of
> working as an independent contractor for example ?

My RHCE has been a valuable tool to put on a resumé. I know hands down
that it got me my current job, even placing me above candidates who had
computer science degrees and years of experience.

> Considering I have about 7 years of linux sysadmin in my head, not
> specifically with red hat though, is it doable to just take the exam
> (with a bit of preparation before, eg. centos and a good book) ? The
> exam itself is $750.

Look over the preparation guide, and make sure you can accomplish each
of those items with 100% certainty. If so, then you should be able to
take the exam without the course. However, if there is even one topic on
there that you are slightly unsure about, I would strongly recommend
taking the course before the exam.

I used to be an examiner for Red Hat, and I can say with confidence that
the exam is very difficult. Many students would come into my class, very
arrogant and confident they could do the exam with minimal effort, then
fail miserably. The course is given for a reason. The topics covered are
given for a reason. The book and labs are given for a reason. Take
advantage of them.

> Did I miss any other certification worth of interest ?

I am looking at continuing my Red Hat certification towards earning my
RHCA. Additional topics, classes and exams are needed, but it would be
rewarding for me in my field.

I'm also looking at getting some of the Cisco certifications. I hear the
market puts great value on some of the higher Cisco certs, and people
with them are highly sought after, and paid quite well.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Debian based NAS? What to buy?

2010-09-01 Thread Aaron Toponce
On Wed, Sep 01, 2010 at 11:06:57PM +0200, Francisco Borges wrote:
> I am thinking about buying a new NAS box. Not a DIY box, but a ready
> to use NAS (2 to max 4 trays) for home use (it has to be *small* and
> quiet).
>
> As I had a lot of trouble with my ReadyNas Duo (Debian based but now
> unsupported), for which I now have trouble buying supported 2G disks,
> so I am looking out to buy something more future proof WRT software
> support.
>
> Can anyone recommend me a Debian-based NAS?

I was in the same situation as you not a month or two ago. I spent days
online looking for a good NAS, and really couldn't find anything that
impressed me. I ended up going with 4-1 TB 3.5 drives, and putting them
in a Linux software RAID 10 with LVM on top. I know it's not a NAS, but
no matter what I looked at, I couldn't find anything decent. I had a lot
of friends online recommend this and that, then they'd get into a
discussion why this brand or the other sucks.

So, my RAID array is now accessible via SSHFS, NFS, and CIFS. All my
GNU/Linux machines, my wife's iMac and our virtual XP box can access the
data on the drives. Works great.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Debian based NAS? What to buy?

2010-09-01 Thread Aaron Toponce
On Wed, Sep 01, 2010 at 11:43:02PM +0200, Jochen Schulz wrote:
> What mainboard, CPU and case do you use? I am currently searching for a
> similar solution as well. I am considering to buy a Mini-ITX Atom board,
> but it's hard to find a decent case with enough space for 3-4 hard
> disks.

CPU: AMD Athlon xP 1800+
case: standard ATX case with 3-5½ bays and 3-3½ bays
Mobo: MSI MS-6380E

I had to get a SATA board as I don't have SATA on this mobo. I ended up
getting a Rosewill 4-port SATA PCI card.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


signature.asc
Description: Digital signature


Re: Now lost boot dir

2010-08-30 Thread Aaron Toponce
On 08/30/2010 01:00 PM, Jordan Metzmeier wrote:
> Your reply seems to have removed all newline characters making it
> unreadable.

I had no problems reading the HTML version of the mail.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: Is it possible to put a swap file in the fstab

2010-08-30 Thread Aaron Toponce
On 08/30/2010 03:48 PM, François TOURDE wrote:
> One reply line...
>
> 20 noise lines...
>
> What a signal/noise ratio  1/20 :(

Some haven't learned the value of trimming your replies.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o



signature.asc
Description: OpenPGP digital signature


Re: help

2010-08-29 Thread Aaron Toponce
On 08/29/2010 05:10 AM, Александр Аносов wrote:
> Good day. Could you please tell me how to set up an Epson 1670 scanner,
> step by step if possible? Thanks in advance.

This is an English mailing list. Please check
http://lists.debian.org/debian-russian/ for your language.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mailing list protocol

2010-08-27 Thread Aaron Toponce
On 08/27/2010 01:16 AM, Celejar wrote:
> Or use Sylpheed, where you can subscribe to a newsgroup and read it
> with an MUA ...

... or use Icedove/Thunderbird for reading not only news://, but RSS as
well as mail.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


/usr/hsare/dict/words

2010-08-27 Thread Aaron Toponce
Why isn't /usr/share/dict/words managed by alternatives? Why does it
point to /etc/dictionaries-common/words which in turn points back to
/usr/share/dict/american-english (for me)? Wouldn't the alternatives
system be perfect for this? Just curious.

Thanks,
-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mixing apt-get and aptitude

2010-08-27 Thread Aaron Toponce
On 8/27/2010 9:52 PM, Osamu Aoki wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594512
>
> I just updates most gross errors in CVS so updated page will show up
> soon.

Ah yes. The page should describe more of why aptitude vs apt-get, and
let the user decide.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mailing list protocol

2010-08-26 Thread Aaron Toponce
On 08/26/2010 05:37 AM, Mihamina Rakotomandimby wrote:
> noela...@gmail.com :
> In Kmail, and probably some other MUAs, you can select the text first
> and then hit reply, and only the selected section will be quoted.
> Yep. Pan (a nntp newsreader) has such option.
>
> So does Claws-mail.

As does Icedove/Thunderbird.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Eye Candy Window Manager

2010-08-26 Thread Aaron Toponce
On 08/26/2010 12:37 AM, Jangita wrote:
> Hello List,
>
> When it comes to graphics and linux, is there a Eye Candy window manager
> out there; for me if I'm to go GUI and I have a powerful graphics card
> humming under the hood; I'd like something that looks nice, shadows,
> transparent well drawn icons, widgets and all.
>
> Any thoughts?

Enlightenment DR17.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Now lost boot dir

2010-08-26 Thread Aaron Toponce
On 08/26/2010 06:09 AM, David Baron wrote:
> Dead in the water. What to do keeping data in lvm partitions?

I'm assuming that you have more than one disk? Are they the same size?
If so, you should have been using Linux software RAID to prevent the
volume from losing data. Not much you can do at this point, except
rebuild, and restore from backup.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mixing apt-get and aptitude

2010-08-26 Thread Aaron Toponce
On Thu, Aug 26, 2010 at 10:27:58PM +0900, Osamu Aoki wrote:
> On Wed, Aug 25, 2010 at 06:23:56PM -0600, Aaron Toponce wrote:
> > http://www.debian.org/doc/manuals/debian-faq/ch-pkgtools.en.html#s-aptitude
>
> This needs update.  This is very old.

Why is this old? What is out-of-date?

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Mixing apt-get and aptitude

2010-08-26 Thread Aaron Toponce
On Thu, Aug 26, 2010 at 08:51:29AM -0500, Tom Browder wrote:
> Aside, can you post another blog (or another thread here) about why
> you use both Ubuntu and Debian?

http://pthree.org/2009/02/19/server-migration-from-ubuntu-804-to-debian-50/

Long story short- Debian does a better job at package quality assurance
and bug fixing BEFORE release than Ubuntu, which does a great deal of it
afterwards. If you want a server, I would only trust Debian stable and
CentOS to power my data.

For the desktop, I see no reason why Debian GNU/Linux doesn't fit the
bill either. I have it installed on a workstation, two laptops, a
netbook and a virtual machine, all without any headache (there is an
annoyance with the netbook, actually, but minor).

The only reason I can see using Ubuntu is if you like the direction
they are taking with their operating system (UbuntuOne, MeMenu,
notifications, etc). In terms of hardware, I don't have any additional
problems getting Debian installed, with everything working out of the
box, than Ubuntu.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Mixing apt-get and aptitude

2010-08-25 Thread Aaron Toponce
On 08/25/2010 01:09 PM, T o n g wrote:
> I used to use either apt-get or aptitude to install packages. Is it OK to
> do so?

Yes. However, aptitude is a much more powerful program. Check my blog
post on the many reasons to use aptitude over apt:

http://pthree.org/2007/08/12/aptitude-vs-apt-get/

Debian also mentions to use aptitude over apt:

http://www.debian.org/doc/manuals/debian-faq/ch-pkgtools.en.html#s-aptitude

To answer your question directly though, both apt and aptitude rely on
dpkg for the installation and removal of packages. So, no worries.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mailing list protocol

2010-08-25 Thread Aaron Toponce
On 08/25/2010 10:52 AM, Gary Roach wrote:
> This is kind of an embarrassing question considering I have been
> subscribed to this list for several years. What is the protocol for a
> reply. Though I have bumbled through the process in the past, I am not
> sure how it should really be done. I searched for about a half hour on
> google and on the debian site and still have questions. Specifically:
>
> If I reply to debian-user@lists.debian.org , how does my reply get
> included with the correct snippets of other messages. Or is this my
> responsibility to cut and paste relevant sections.

I sent this email to the chromium-discuss mailing list, as there doesn't
seem to be a soul who understands how to read email text, and how to
properly reply to a technical list (probably because they're all using
the crappy Gmail MUA):

http://groups.google.com/a/chromium.org/group/chromium-discuss/msg/df924dbb59ec4330?dmode=source

Long story short:

* Trim your reply. Only include the relevant text to support your reply.
* Bottom-post or interweave. People don't read English text from the
bottom to top. Your reply should always be beneath what you're replying to.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: gdm crashes unexpectedly every now and then

2010-08-24 Thread Aaron Toponce
On 08/22/2010 12:57 PM, Peter Tenenbaum wrote:
> I'll open a report today or tomorrow on this item.

Can you fix your MUA so it doesn't start a new thread every time you hit
'reply'?

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



signature.asc
Description: OpenPGP digital signature


Re: Mandatory Access Control Systems?

2010-08-18 Thread Aaron Toponce
On Wed, Aug 18, 2010 at 03:06:09PM -0400, Perry E. Metzger wrote:
> Are any MAC systems integrated into Debian other than SELinux?
> (Also, does this differ between Lenny and Squeeze?)

grsecurity exists for stable. You can google the differences between
SELinux and grsecurity if you wish.

AppArmor does not exist in Debian that I'm aware of. We might see it in
Squeeze+1, as it's just been accepted into the mainline kernel. Time
will tell I guess.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Broken/Obsolete packages - I think we can do better.

2010-08-18 Thread Aaron Toponce
On Wed, Aug 18, 2010 at 01:56:44PM -0500, Timothy Legg wrote:
> I just installed a stable Debian package that advertises to perform so
> many wonderful tasks, but in reality, it does little more than provide an
> attractive graphical interface for a segmentation fault.
>
> I searched google and indeed found others that had this problem with this
> package.  I also found out that this problem was solved a couple years ago
> in a newer version.  Unfortunately, Debian is still delivering a
> broken-out-of-the-box version of this package.

What is this mysterious package and what is the bug?

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Broken/Obsolete packages - I think we can do better.

2010-08-18 Thread Aaron Toponce
On Wed, Aug 18, 2010 at 03:59:29PM -0500, Ron Johnson wrote:
> It's called do-not-feed-the-troll.

Package not found.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Blank blue screen after logging into an account for the first time with gdm and choosing window manager

2010-08-17 Thread Aaron Toponce
On Tue, Aug 17, 2010 at 05:04:56PM +, Daniel Trebbien wrote:
> Does this problem always occur after bringing your netbook out of standby?

Yes. When after coming out of standby is the question. Sometimes
immediate, sometimes a few minutes later.

> In addition to the blank, blue screen, do you see the mouse cursor?

No mouse cursor.

> What is the timeline like? How many seconds or minutes pass until the first
> flicker? How many flickers are there? How long is it until the screen shows
> only blue?

The flickers are completely intermittent. It's not predictable, but the
flickers start immediately after coming out of standby, and remain until
the screen goes blue, which could be very soon or many minutes later.
 
> Is there anything in `.xsession-errors`? (This file is in the home directory of
> the account that you are logged in as.)

I haven't checked there, actually, but I'll look.

Thanks,
-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Blank blue screen after logging into an account for the first time with gdm & choosing window manager

2010-08-15 Thread Aaron Toponce
On Sat, Aug 14, 2010 at 11:41:26PM +, Daniel Trebbien wrote:
> > So why didn't Nautilus start after I selected a window manager?
>
> I figured it out. For some reason, the X session manager was set to
> `/usr/bin/choosewm` by default when it needed to be `/usr/bin/gnome-session`. I
> corrected this with:
>
> sudo update-alternatives --config x-session-manager

I would like to continue this discussion, if that's okay.

When I bring my HP Mini 100 netbook out of standby, the screen flickers
on occasion, and then at some random moment in time, it seems, it will
go to a blank blue screen. The session is still active. I can SSH to the
netbook, and I can change TTYs to a virtual TTY (although the screen
remains blank blue), and CTR+ALT+DELETE will reboot.

I only have one link in alternatives for x-session-manager, and it's
pointing to /usr/bin/gnome-session, so not sure what the deal is. There
is nothing interesting in /var/log/Xorg.log, nothing in dmesg nor
/var/log/messages. So, I'm at a loss.

Any ideas?

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Why is troubleshooting Linux so hard?

2010-08-15 Thread Aaron Toponce
On Sun, Aug 15, 2010 at 02:31:49AM -0400, John A. Sullivan III wrote:
> Very interesting and helpful post.  Thank you.  I've snipped most of it
> out for the sake of those for whom long emails are a problem or
> expensive.

You should ALWAYS trim your messages, cutting out the irrelevant cruft,
leaving only enough of the original message to which you're replying, so
others can make sense of your reply.

Thank you for trimming. Now if everyone else would learn that lesson.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Installing Debian from USB stick

2010-08-13 Thread Aaron Toponce
On Fri, Aug 13, 2010 at 12:18:57PM -0400, Jordan Metzmeier wrote:
> I am a regular help on the Debian IRC channel, and I can say that I am
> not sure unetbootin works for anyone. I have tested once myself, and I
> had the same issue has the floods of users on IRC. failed to find cdrom
> devices. For this reason, we push the usb installation method
> documented in the install guide.

I personally have never had a problem with unetbootin. I've created
several bootable USB drives with it: Fedora, Ubuntu, Debian and more.
Works great here.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: Installing Debian from USB stick

2010-08-13 Thread Aaron Toponce
On Fri, Aug 13, 2010 at 12:58:13PM -0400, Jordan Metzmeier wrote:
> - From what I understand, it works with testing but not stable. I have
> also used it with other distributions without issue.

Ah, the only stable install I have is a headless server. All of my
graphical installs are either testing or unstable.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: looks hot debian

2010-08-12 Thread Aaron Toponce
On Thu, Aug 12, 2010 at 10:42:34AM +0100, Nuno Magalhães wrote:
> Red Hat and Ubuntu come to mind.

This is a Debian mailing list, so I'm surprised you didn't recommend:

http://debian.org/consultants

Just because we're a community-driven operating system, doesn't mean we
can't offer world-class support.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


signature.asc
Description: Digital signature


Re: I was told to MSN somebody

2010-08-11 Thread Aaron Toponce
On Wed, Aug 11, 2010 at 04:13:42AM +0800, jida...@jidanni.org wrote:
> I was told to MSN somebody. So which MSN replacement program do you
> folks recommend of
> $ apt-cache search MSN | wc -l
> 53
> given that I don't use KDE etc. but just nodm.

Bitlbee.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O




Re: Debian Squeeze Frozen

2010-08-06 Thread Aaron Toponce
On Fri, Aug 06, 2010 at 04:27:31PM +0200, Brent Clark wrote:
> http://lists.debian.org/debian-annou.../msg9.html
>
> Flippen AWESOME.

Now to get kfreebsd into shape with gnu. To me, that's what is making
this release stellar.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O




Re: Anti virus and Firewall

2010-08-03 Thread Aaron Toponce
On Tue, Aug 03, 2010 at 10:43:05PM +0100, Tingez Unknown wrote:
> I am looking for any suggestions regarding Anti virus and firewall
> software that is suitable with your Debian 5 64bit operating system.
> Wanting to add as much security as possible to our server to reduce any
> problems we may encounter. I would like any suggestions as to the best
> software that can be used either paid for or freeware if you would be so
> kind.

While antivirus software exists for GNU/Linux systems such as Debian,
it's not really needed as most viruses are targeting Windows machines.
If you are concerned about the potential impact, I would recommend
running SELinux coupled with AIDE over any antivirus software. While
their goals are slightly different, the overall idea is the same- lock
down the server, and prevent any unauthorized changes to the filesystem.

When changes occur, report the change, and give an ability to restore
completely from backup. The best antivirus software will do for you is
report the virus, and attempt to remove the virus. Because you can never
be sure what has been changed, it's always best to do a reinstall after
an infection. You would do the same with SELinux and AIDE.

In terms of firewall, the Linux kernel has a builtin firewall through
the Netfilter module and the 'iptables' userspace command. There are
frontends for iptables, if it is too intimidating for you. There's also
TCP wrappers and xinetd for additional firewalling. You could even use
ACLs to allow and deny access to your services.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O
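
The reply above recommends AIDE-style change detection: record the state of the filesystem, then report any unauthorized change. As an added illustration (not part of the original message, and not AIDE itself), this shell script builds a baseline of digests and permissions and reports drift; the function names and the sample tree are constructed for the example, and GNU coreutils sha256sum is assumed.

```shell
#!/bin/sh
# Added example: file-integrity baseline in the spirit of AIDE (not AIDE itself).
# Assumes GNU coreutils sha256sum; all names and the sample tree are constructed.

# snapshot DIR: print "sha256 mode path" for every regular file under DIR.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(ls -ld "$f" | cut -c1-10)   # permission string, e.g. -rw-r--r--
        printf '%s %s %s\n' "$sum" "$mode" "$f"
    done
}

# compare BASELINE CURRENT: print drift, return 1 if anything differs.
compare() {
    report=$(awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ /, "", p); sig = $1 " " $2 }
        FILENAME == ARGV[1] { base[p] = sig; next }
        { seen[p] = 1
          if (!(p in base))        print "ADDED " p
          else if (base[p] != sig) print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a stand-in for /etc, tamper with it, and compare to the baseline.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/etc"
    printf '/bin/sh\n/bin/bash\n'    > "$work/etc/shells"
    printf 'PermitRootLogin no\n'    > "$work/etc/sshd_config"
    printf 'nameserver 192.0.2.53\n' > "$work/etc/resolv.conf"
    chmod 644 "$work"/etc/*
    ( cd "$work" && snapshot etc > baseline.db )

    printf 'stray keystrokes\n' >> "$work/etc/shells"  # content change
    chmod 600 "$work/etc/sshd_config"                  # permission change only
    rm "$work/etc/resolv.conf"                         # deletion
    printf 'x\n' > "$work/etc/new file"                # addition, name with a space

    ( cd "$work" && snapshot etc > current.db && compare baseline.db current.db )
    status=$?
    rm -rf "$work"
    return $status
}

demo || echo "drift detected (exit status $?)"
```

A baseline is only trustworthy if it is kept where the monitored host cannot rewrite it, for example on read-only or offline media.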




Re: Two lvm questions

2010-08-02 Thread Aaron Toponce
On Mon, Aug 02, 2010 at 01:23:28PM -0400, S Scharf wrote:
> I am running Squeeze with two 1.5 TB disks. Each disk has a /boot
> partition and a swap partition. The rest of each disk
> is 1/2 of a mdadm raid1 (/dev/md0). md0 is then used as the physical
> volume for lvm which hosts my 100GB root and 500GB
> /home partitions. Having plenty of extra space I also have 6 (six)
> snapshots of each partition going back in time.
>
> Question 1: Is having all of those snapshots killing my disk performance.
> Or, is LVM smart enough so that when I change something on the disk that
> exists in all of the snapshots it only makes one additional copy rather
> than 6 copies (one for each snapshot)

Curious, but why are you holding on to your snapshots? The only reason
I've found for creating snapshots is to do an immediate backup of the
volume, after which I remove the snapshot. Having 6 in play, I can
imagine that your processor, and disk are probably a bit overwhelmed.

And yes, LVM is smart enough to copy data to the snapshot when there are
changes made on the target. You do understand that upon an initial
snapshot, only pointers are created that are pointing to the original
data at that specific point in time, right? That's why after
a snapshot, not much, if any, data is in use. However, as soon as you start
removing data off the target, for example, then the snapshot needs a
copy of that data.

> Question 2: The system takes about 1/2 hour to boot, most of which is in
> LVM discovery. Is there any way to speed this up? I have tried to tweak
> /etc/lvm/lvm.conf but couldn't find much to do there other than set the
> filter to only scan the md0 device;

My first advice, would be to get rid of the 6 snapshots, make a new one,
back it up, send the backup off disk, then remove that backup and
snapshot. LVM is taking too much time trying to get all the pointers and
data in place with the snapshots that you have.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O




Re: keylogger.c

2010-08-02 Thread Aaron Toponce
On Mon, Aug 02, 2010 at 10:59:00PM +0200, Jozsi Vadkan wrote:
> are there any working keyloggers, written in c, that work under Debian
> Lenny?
>
> Does anyone have one ready? :P or just an url?

I would suggest you look at strace for starters.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O




Re: need native app to listen to internet radios

2010-07-31 Thread Aaron Toponce
On Thu, Jul 29, 2010 at 10:00:30PM +0530, Madhurya Kakati wrote:
> Is there any good native linux app for streaming online radio? I
> prefer shoutcast.

Do you want a native GNU/Linux application, or an online streaming site?
Shoutcast isn't an installable application. Shoutcast is an online radio
streaming service.

If you want a good online radio, I recommend last.fm or blip.fm. If you
want a good installable application from the Debian repositories, then I
suggest the lastfm application, Banshee, Exaile or Amarok.

So, maybe you should clarify what you want?




Re: Linux filesystems was [Re: Debian cd supporting ext4.]

2010-07-27 Thread Aaron Toponce
On 7/27/2010 1:23 AM, Lisi wrote:
> On Tuesday 27 July 2010 08:10:15 Stan Hoeppner wrote:
> > XFS which is superior to all other Linux filesystems.
>
> Stan -
>
> Have you the time to give a rationale for this?

Except XFS filesystems can't shrink, only grow. Sucks when you need to
resize partitions/volumes, and they're all XFS.

Further, XFS makes more system calls to the kernel than standard
Ext2/3/4. Export an XFS filesystem on LVM over NFS, and you'll get a
kernel oops on a 32-bit kernel. Trace it, and you'll see the plethora of
nested system calls XFS makes. You won't oops with Ext2/3/4 in the same
scenario. This can be mitigated by running a 64-bit system, if you have
the hardware to do so.

XFS has also had a history of randomly corrupting data. While this
might have improved over time, I don't trust it.

XFS does have dynamic inode allocation, and better data storage
algorithms than the Ext-family. It's also a good performer, but Ext4
gives XFS a run for its money.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: Linux filesystems was [Re: Debian cd supporting ext4.]

2010-07-27 Thread Aaron Toponce
On 7/27/2010 11:20 AM, Stan Hoeppner wrote:
> Aaron Toponce put forth on 7/27/2010 10:41 AM:
>
> > XFS has also had a history of randomly corrupting data. While this
> > might have improved over time, I don't trust it.
>
> Can you cite or reference anything to back your claim?  Time frame?  Irix or
> Linux?  Serious users reported this or casual/hobbyist users?  If this was
> ever the case the situation could not have lasted long before patches fixed
> it.  Have you seen SGI's customer list and the size of the systems and storage
> they run with nothing but XFS?  For instance, NAS has over 1.4PB of XFS
> filesystems, 1PB CXFS and over 400TB XFS:

We have used it three times in the past, and lost about 5TB worth of
data due to corruption. The data corruption appeared to not be the
result of lost power to the drive. Empirical evidence is enough for me
to stop trusting it.

I've also had friends who are admins that have complained of XFS data
corruption, mainly with regards to booting. I don't know their specific
scenarios, but they stopped using XFS as well.

> NASA trusts it with over 1PB of storage, but _you_ don't trust it?  Who are
> you again?  How many hundreds of TB of storage do you manage on EXT3/4? ;)

I guess NASA has us beat.  Nothing in the PB range, that's for sure.

Currently, at my location, we have about 40 TB of SAN, with another 50
TB on the way. In production, we have about 200 TB SAN. We'll be
building a federated shadowing infrastructure that will have Oracle
databases in 16 different locations across the United States. We're
currently targeting about 20 TB in each of the 16 locations.

We won't be deploying XFS.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: Debian cd supporting ext4.

2010-07-27 Thread Aaron Toponce
On 7/26/2010 11:46 AM, Andrei Popescu wrote:
> On Lu, 26 iul 10, 12:42:05, Steve McIntyre wrote:
>
> > As an ex-DPL and the guy who puts together the official release Debian
> > CDs, I can vouch for his work. It's been very useful for me in the past.
>
> <joke>You forgot to GPG sign the mail</joke> :p

Maybe this isn't the Steve McIntyre you think it is... :)

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: Missing /etc/init.d/functions

2010-07-26 Thread Aaron Toponce
On 07/23/2010 11:29 AM, Bruno Costacurta wrote:
> /etc/init.d/functions is missing.
> How / where to grab it ?

/etc/init.d/functions is a Red Hat developed script for SYSVR4 init on
GNU/Linux. It has carried on to other systems that use RPM as their
package backend.

If you want the Debian-equivalent (where the correct location _should_
be) check out /lib/lsb/init/functions and /etc/default/rcs. Also, don't
forget the directory configs under /etc/default/[service-name].

But really, /lib/lsb/init-functions is your direct equivalent to
/etc/init.d/functions in the Red Hat world.

Probably the best way to have found the file on your own, would be to
open an /etc/init.d/[service] file, and notice that most, if not all,
are sourcing /lib/lsb/init-functions and /etc/default/rcs.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: expect does not expect anything

2010-07-26 Thread Aaron Toponce
On 07/24/2010 07:35 PM, Dirk wrote:
> #!/usr/bin/expect -f
>
> spawn rsync -r --progress a u...@bla.com:/b
> expect assword:
> send password\r
> expect hostname
>
> why does this script stop while rsync is still transferring?
>
> (hostname is the name of the host in the prompt)
>
> and, yes, it HAS TO BE done using expect... any answer including the word
> keys will not be helpful

Why?

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: is this result of keylogger? am i hacked?

2010-07-21 Thread Aaron Toponce
On 07/21/2010 06:39 AM, Sergey Spiridonov wrote:
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I was
> typing on keyboard. Strange enough, these files are not overwritten, but
> contain data they should contain + somewhere in the middle or at the
> beginning of the file they contain something I typed in browser or in
> command line in X window system.
>
> This looks like that I am hacked and somebody try to get my passwords.
> But may be there is another explanation, like broken package? Or can
> somebody suggest, how can I check it? Reinstalling everything from
> scratch is a lot of work...
>
> System is squeeze, upgraded from lenny few weeks ago.

Check 'last' and 'lastb' to see if there are any other logins or login
attempts other than yourself.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: amd64 does net detect my wired and wireless nic at installation

2010-07-19 Thread Aaron Toponce
On 7/19/2010 7:32 AM, Bernard Fay wrote:
> Hello everyone,
>
> When I try to install amd64 (Debian 5.05) on my new laptop, a Lenovo
> x201 tablet. I wish to use amd64 because I have 8GB for RAM and I think
> 64-bit is now the way to go.  The installer does not detect neither my
> wired or wireless NIC.  The installer gives me a list of network adapter
> drivers, I select the appropriate drivers but it keeps saying it
> cannot find the network hardware.
>
> I tried Ubuntu amd64 and it was successful but I would prefer to go with
> Debian.
>
> Someone has a clue on this problem?

I had a similar problem with my HP Mini 110. The NIC driver, although
FOSS, was not in the Lenny kernel. The wireless driver is Broadcom,
which relies on a binary blob. So, I needed to use a recent build of the
Squeeze installer, that had a kernel with the NIC driver. I was then
able to do a successful netinst, after which I could get everything else
setup.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O





Re: Vim yank paste

2010-07-19 Thread Aaron Toponce
On 7/19/2010 10:49 AM, Panayiotis Karabassis wrote:
> In Ubuntu it was possible to yank some lines of text, exit Vim, open a
> new Vim instance and paste the yanked lines. In debian it is necessary
> to use the * register. How can I reproduce the Ubuntu behavior?

Not sure what the * register is, but I've always used:

+Y to yank the current line/selection
+P to paste what's in the clipboard

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O




