Re: "Repeaters", etc.

2024-05-28 Thread Lee
On Mon, May 27, 2024 at 7:08 PM Stefan Monnier wrote:
>
> > I'd like to shop for such a device, but I don't know what it's called.
>
> I think it's called a "wireless bridge".
>
> Any device with a wifi card and (at least) an ethernet port can do that.
> So "any" wifi router will do the trick, as long as you can get it to run
> a firmware that's not hopelessly restricted.
>
> I'd recommend you look at the routers supported by OpenWRT.

+1 for OpenWRT supported routers
supported devices are listed here
  https://openwrt.org/toh/start

If all you want is a wireless bridge you can probably get by with a
woefully underpowered router.  Put the wan and lan ports on vlan 1 so
there's no router or firewall involved and disable dns, dhcp, etc. so
it's just ethernet <=> wifi

I've got a pair of TP-Link Archer C7s that are now out of production
but cost about $55 when new that do a great job with everything on
vlan 1.

> Of course, if you can do it with cables (ethernet/powerline/younameit)
> it's probably going to work better, but I guess you know that already.

+1 again - cables are better.  Even with a house you're most probably
going to get some interference from the houses around you :(

Regards,
Lee



Re: youtube-dl blocked?

2024-04-26 Thread Lee
On Fri, Apr 26, 2024 at 11:37 AM Curt wrote:
>
> On 2024-04-26, Lee wrote:
> > On Wed, Apr 24, 2024 at 12:43 PM Curt wrote:
> >>
> >> On 2024-04-24, David Wright wrote:
> >> >
> >> > My experience was similar to Bret's, only I'd long got used to not
> >> > just taking Debian's proffered version, but checking whether there
> >> > was a newer version somewhere around. It was in February 2023 when
> >>
> >> I had to use it once for a friend of my wife. I downloaded the
> >> github version (as it keeps abreast of the frequent breakages, and I
> >> lack the moral rigor of our numerous purists).
> >
> > I should probably switch to using the Debian package; I lack the moral
> > rigor to keep it updated :(
> >
   <.. snip output showing how old my software is ..>
>
> I'm really not a very technical person at heart, but what I found at
> once slightly disturbing and mildly surprising was the lack of
> understanding of how the whole shebang works for a majority of my
> contemporaries.

Right.  Ask someone to explain what all is involved with getting a
packet from  to  on the Internet.  I suspect most would
ask "What's a packet?"

> I mean, my wife went to the url of the youtube video,
> downloaded *that* from her browser, and then expressed a certain
> confusion that what she had downloaded onto her hard drive was not the
> video itself, but something else entirely.

  My wife knows that won't work; she skips directly to the "can
you do this for me" step.

> There was no use trying to explain to her anything at all; she only
> wanted the video for her friend, and if I could get it for her, that was
> the full extent of her desire. She wasn't interested in understanding
> how it "works" fundamentally. Her attitude was and is: you're interested
> in that sort of thing, but I'm not and am not going to waste my time with
> whatever it is.
>
> There are many intelligent people floating around the world with similar
> attributes. What can you do for them but what you can do for them?

Try explaining?  If they don't want to know that's one thing but if
you keep it simple enough maybe they'll listen & learn something.

Regards,
Lee



Re: youtube-dl blocked?

2024-04-26 Thread Lee
On Wed, Apr 24, 2024 at 12:43 PM Curt wrote:
>
> On 2024-04-24, David Wright wrote:
> >
> > My experience was similar to Bret's, only I'd long got used to not
> > just taking Debian's proffered version, but checking whether there
> > was a newer version somewhere around. It was in February 2023 when
>
> I had to use it once for a friend of my wife. I downloaded the
> github version (as it keeps abreast of the frequent breakages, and I
> lack the moral rigor of our numerous purists).

I should probably switch to using the Debian package; I lack the moral
rigor to keep it updated :(

$ which youtube-dl
/usr/local/bin/youtube-dl

$ youtube-dl --version
2021.12.17

$ which yt-dlp
/usr/local/bin/yt-dlp

$ yt-dlp --version
2023.03.04

Regards,
Lee



Re: Bluetooth sound problems playing from a web browser

2024-04-07 Thread Lee
On Sun, Apr 7, 2024 at 3:30 PM Richmond wrote:
>
> Richmond writes:
>
> > Richmond writes:
> >
> >> When playing videos in a web browser, and sending the sound to a
> >> bluetooth speaker (amazon echo) I get playback problems; stuttering,
> >> sound quality reduction to AM radio level or lower). These things can
> >> clear up after a minute or two, or be reduced.
> >>
> >> When playing from nvlc however I get no such problems. (I haven't
> >> tried vlc so I am not sure if it is just that it is a command line).
> >>
> >> I have tried google-chrome and firefox-esr.
> >>
> >> Perhaps there is some other browser which will work? Maybe I need to
> >> isolate the process from the browser? I tried pop-out picture on you
> >> tube and it improved but there was still stuttering.
> >
> > I installed Falkon and Konqueror. I tried Falkon and it worked fine, no
> > sound problems. But then I tried Google-chrome again and that was
> > working fine too, and so was Firefox-esr. The problems have gone away
> > and even rebooting doesn't bring them back. Maybe one of those browsers
> > brought a better library with it.
>
> These problems have come back again.

So unless you've updated or installed new hardware or software it's
probably not a firmware/software issue.

> I have tried rebooting. I tried
> sending the same audio from an android phone and it works fine. How do I
> find out what the problems is? I cannot see errors in journalctl

It's possible that wifi or usb 3.0 could be interfering with your
bluetooth speakers - eg
https://www.zdnet.com/article/usb-3-and-usb-c-devices-can-cause-problems-with-wi-fi-and-bluetooth-connections-but-theres-a-solution/
https://sortatechy.com/spot-and-fix-bluetooth-interference-with-wifi/

If your PC is using wireless and can use a 5GHz channel, try moving
your PC wireless to a 5GHz channel first.
If your PC only supports 2.4GHz wireless you can install linssid
  https://packages.debian.org/bookworm/linssid
and pick a relatively unused channel for your PC wireless.  Or just
try channels 1, 6 and 11 and see if any of those makes a difference..

If you're using a USB 3.0 device on your PC try turning it off or
moving it to a USB 2.0 port and see if that fixes the bluetooth
interference.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 4:07 PM Andy Smith  wrote:
>
> Hi,
>
> On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
   ... snip ...
>
> Documentation and integration is perpetually out of date in Linux.

Right.  Intellectually I know that; emotionally I find it a bit
difficult to accept.

> Also no one can agree on which documentation is canonical,

another area I'm struggling to accept.  Seeing referrals to the Arch
wiki on a debian mailing list just seems wrong..

> > Is there really nothing better than sudo find /  > files with uid or gid perms> and try to figure out which of those
> > programs are not necessary?
>
> I don't think there is, no. After finding each of those things you
> would need to do some research on each one.

Right.  That's what I was trying to avoid.

> Those that are
> particularly worrisome probably already do have some notes
> somewhere.
>
> > $ sudo crontab -l
> >...
> >  47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
> >   (apt list --upgradable 2>/dev/null |\
> >   egrep -v '^Listing' >| /etc/motd)
>
> You may like to look in to "apticron-systemd" for a systemd timer
> that does the above.

Nope.  I can't remember what I asked on this list years ago, but I got
a few suggestions on how to be notified about software updates and
ended up writing my own script.  If nothing else, I trust it to work
properly.
I also trust that if there's a problem with my script someone will let
me know :)

Thanks,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 2:32 PM Andy Smith  wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 11:24:08AM -0400, Greg Wooledge wrote:
> > On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > > https://www.debian.org/doc/manuals/debian-handbook/
> > >
> > > This has a chapter on security, so possibly it would be appropriate
> > > to mention "mesg n" there.
> >
> > A more proactive endeavor would be to document known best practices
> > on the wiki.
>
> Personally I'll read the handbook before the wiki, but I'm fairly
> confident that the vast majority of users will read neither. 
>
> Which leads me to ask OP which hardening documents have they
> actually already read, and would the advice be suitable for those?

Read and understood?  None

I have looked at the Debian Administrator's Manual and the Securing
Debian Manual.  I'll bet not enough has sunk in though.

Years ago, I had to do CIS router security benchmarks for work so I
know what went into a network security analysis & how much background
knowledge was necessary to implement the policy ..  Which is why I'm
_sure_ I don't have enough background knowledge to do an adequate
threat analysis for a Debian machine.

I guess I'm just lazy :)  and looking for a short-cut instead of doing
the hard work and figuring it out for myself.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:48 PM Curt wrote:
>
> On 2024-03-28, Greg Wooledge wrote:
> >
> > A more proactive endeavor would be to document known best practices
>
> It makes no fucking difference, because your important data is elsewhere
> and completely out of your control.

Agreed - your important data is elsewhere and completely out of your
control.  But I don't think that's a good reason to quit trying.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:28 PM tomas wrote:
>
> On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> > On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> [...]
>
> > > Security means first and foremost understanding the threat.
> >
> > Which I don't.  Hence the request for 'secure by default' instructions
> > for Debian.  Even better would be a secure by default installation
> > option.
>
> This makes little sense. No threat analysis -- no security. Security
> is always a relative (to the threat model) term, "security by default"
> suggests something absolute. This ain't going to work.

I disagree.  I don't think I'm qualified to make an adequate threat
analysis for a Debian system and yet
  $ sudo aa-status
  apparmor module is loaded.
  21 profiles are loaded.
  19 profiles are in enforce mode.
 ...
  6 processes are in enforce mode.

so apparently somebody else has done a threat analysis and decided
apparmor is the appropriate mitigation strategy?

I'm coming to the realization that more is wishful thinking, but
still.. it would be nice if I didn't feel like I was facing such an
overwhelmingly steep learning curve.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
> Hope this helps a little bit.

Yes, it does.  I was hoping for something simple but it's becoming
clear to me that there's no simple "make Debian secure for dummies"
checklist to follow.

Thanks,
Lee


On Thu, Mar 28, 2024 at 11:43 AM Hans wrote:
>
> Hello,
> personally I think, the best way is to plan, what you want to do with your
> system. What is its task. How secure it shall be.
>
> And then just think of: What can happen? For example: Can someone boot with an
> external medium? Does more than one person have admin rights? How do people
> access? Can the server be stolen? And so on.
>
> Make a list, do brainstorming with other people. Learn from other hacks.
>
> And then act for every point you made. Think, how can this and this and this
> attack be inhibited, how can it be noticed and is there an alarm and so on.
>
> From my personal experience, I never saw an attack in the past which was not
> prepared. Beforehand, portscans or simple brute-force attacks are running.
>
> Here I am talking of activists and script kiddies, not APT's. APT's are much
> more difficult to defend and to discover, they can, but very, very difficult.
>
> A good point to start is the doc "securing debian", and then, after you did
> this, think of, what you have forgotten and what did the docu not tell.
>
> IT security is not software, it is a process, and you will have to learn for
> years, which is normal. The attackers learn, the defenders, too.
>
> There is no straight, golden way, every server is different, and so is its
> defence. As I said, it's a concept, and this can change over the years.
>
> Hope this helps a little bit.
>
> Best regards
>
> Hans



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 11:24 AM Greg Wooledge  wrote:
>
> On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > I'm just not sure that you'll find any "hardening" guide that will
> > specifically say "disable writing to your terminal as there might be
> > a bug in a binary that is setgid tty" before yesterday's reveal that
> > there is such a bug in "wall".
> >
> > The more general advice to audit every setuid/setgid binary is more
> > likely to be present.
> [...]
> > If the maintainer of util-linux doesn't agree, then the next thing
> > I'd try is a bug against the Debian Administrator's Handbook:
> >
> > https://www.debian.org/doc/manuals/debian-handbook/
> >
> > This has a chapter on security, so possibly it would be appropriate
> > to mention "mesg n" there.
>
> A more proactive endeavor would be to document known best practices
> on the wiki.  A quick search found a couple pages that might serve
> as starting points:
>
> https://wiki.debian.org/SecurityManagement
> https://wiki.debian.org/Hardening  -- says it's for package maintainers
>
> Anyone who is serious about such a project probably has a long road ahead
> of them.

Is there a generally preferred web link checker program for Debian?
I took a look at
  https://www.debian.org/doc/manuals/securing-debian-manual/ch04s15.en.html
and the 4.15. Protecting against buffer overflows section has this bit:
recompile the source code to introduce proper checks that prevent
overflows, using the
 http://www.research.ibm.com/trl/projects/security/ssp/ patch for GCC
(which is used by
 http://www.adamantix.org)

http://www.research.ibm.com/trl/projects/security/ssp/ patch gives me
a connect failed and
http://www.adamantix.org sends me to a vietnamese tv site??

Seems to me that an easy first step would be to check that all the
links still work.

Regards,
Lee



Re: making Debian secure by default

2024-03-28 Thread Lee
On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> Are there any users logged in to your computer you don't trust?
>
> Thought so.
>
> Relax.
>
> Security means first and foremost understanding the threat.

Which I don't.  Hence the request for 'secure by default' instructions
for Debian.  Even better would be a secure by default installation
option.

To be clear, I'm not all that concerned about _this_ CVE.  I've got
the disable_mesg.sh file in /etc/profile.d so sending messages with
control codes to other terminals should be disabled for all.

My concern is all the other stuff that I don't even know about that
could be configured in a more secure manner but isn't.  For heavens
sake, the man page says

   Traditionally, write access is allowed by default.  However,  as  users
   become  more  conscious  of various security risks, there is a trend to
   remove write access by default, at least for the primary  login  shell.
   To  make  sure  your ttys are set the way you want them to be set, mesg
   should be executed in your login scripts.

Clearly at least the man page writer realized there was a threat there
_and chose not to remove the threat_ !?

So what other goodies are there that I don't know about?  Is there
really nothing better than sudo find /  and try to figure out which of those programs are not
necessary?

And I'm still a bit surprised that needrestart isn't included as part
of the default install.  Or at least as part of the synaptic package
manager install.  I never guessed that I would _not_ be warned that I
needed to reboot after updating software with the synaptic package
manager -- that didn't happen until after I installed needrestart.

> Randomly
> reaching into the CVE box will most probably keep you from actually
> working on your real issues. E.g. your browser.

I think it's up to date:
$ cat /etc/motd

lee@spot ~
$ sudo crontab -l
[sudo] password for lee:
   ...
 47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
  (apt list --upgradable 2>/dev/null |\
  egrep -v '^Listing' >| /etc/motd)

> Or your social media
> account.

I've never had one.

> Cheers
>
> [1] https://xkcd.com/1200/

I like the quote I saved from the full disclosure mailing list back
when it was fun & exploits were mailed out as attachments:

And at some point, you really have to ask yourself "Is this really a
plausible attack method, or did I forget to take my meds again?"
   -- Valdis Kletnieks

Regards
Lee
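An added example, not Lee's cron job and not anything from the thread: a small shell script in the same spirit that reads `apt list --upgradable` output and splits it into updates from the security suite and everything else, so the motd or a daily mail can say which pending upgrades come from the security archive rather than only "something is upgradable". The sample apt output, package names and versions are constructed; the line format assumed is apt's own `name/suite version arch [upgradable from: old]`, and the function names are chosen here.

```sh
#!/bin/sh
# Added example (not Lee's cron script): parse `apt list --upgradable` output
# and separate security-suite updates from the rest, so a daily report or
# /etc/motd can say which pending upgrades come from the security archive.
# Assumes apt's usual line format:
#   name/suite newversion arch [upgradable from: oldversion]

# classify_upgrades reads apt output on stdin and prints one line per package:
#   security|other name oldversion -> newversion
classify_upgrades() {
    awk '
        /^Listing/ { next }             # the "Listing... Done" banner
        NF < 4     { next }             # blank lines and anything unexpected
        {
            split($1, pkg, "/")         # pkg[1] = name, pkg[2] = suite
            newver = $2
            oldver = $NF
            sub(/\]$/, "", oldver)      # drop the closing bracket
            kind = (pkg[2] ~ /-security/) ? "security" : "other"
            printf "%s %s %s -> %s\n", kind, pkg[1], oldver, newver
        }'
}

# security_count reads apt output on stdin and prints how many of the
# pending upgrades come from a *-security suite.
security_count() {
    classify_upgrades | awk '$1 == "security" { n++ } END { print n + 0 }'
}

# report takes a file holding apt output (e.g. the log a cron job wrote)
# and prints the classified list followed by a one-line summary.
report() {
    classify_upgrades < "$1"
    printf 'pending security updates: %s\n' "$(security_count < "$1")"
}

# Constructed sample of `apt list --upgradable` output (package names and
# versions are made up, not a real machine's state).
SAMPLE_APT='Listing... Done
libexample1/stable-security 1.0.1-1 amd64 [upgradable from: 1.0.0-1]
exampletool/stable-security 2.3-2 amd64 [upgradable from: 2.3-1]
editor/stable 9.0-2 amd64 [upgradable from: 9.0-1]'

# Usage from a cron job, in place of the egrep filter:
#   apt list --upgradable 2>/dev/null > /var/log/apt-upgradable.txt
#   report /var/log/apt-upgradable.txt > /etc/motd
printf '%s\n' "$SAMPLE_APT" | classify_upgrades
```

The suite name after the slash is what tells the two kinds apart; on a stable system security updates arrive from `stable-security`, so a line whose suite does not contain `-security` is an ordinary point-release or backport update.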



Re: making Debian secure by default

2024-03-27 Thread Lee
On Wed, Mar 27, 2024 at 10:22 PM Andy Smith wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
> >   Some distros, like Debian, do not seem to have a command like
> >   command-not-found by default.
>
> […]
>
> > Which implies that Debian is secure by default against this particular
> > exploit
>
> I suspect if OP is worried about users potentially falling for a
> fake sudo password prompt then OP is probably not happy about all
> the other possibilities around putting arbitrary text on a user's
> terminal.

Yes, that.

I'm not thrilled with the idea of anybody putting arbitrary text on
someone else's terminal; what really concerns me is the ability to
send control codes.  Wasn't there some exploit that involved injecting
text and a control code that acted like a carriage return?

Lee



Re: making Debian secure by default

2024-03-27 Thread Lee
On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
>
> Hi,
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> It doesn't work by default on Debian as it relies on
> command-not-found automatically running on the user's input.
> command-not-found can be installed, however…
>
> > oof.  Are there instructions somewhere on how to make Debian secure by 
> > default?
>
> Between the fact that "secure" means different things to different
> people and that this advisory was only released a few hours ago, I
> don't think you can reasonably expect documentation to already be
> published for your standard of "secure".

You snipped the bit from the man page about users becoming more
conscious of various security risks & removing write access by
default.
Considering how long it takes something to migrate into stable I'm
guessing that man page is pretty old.  So I don't think it's
unreasonable to expect some kind of secure by default installation
option.

> There is a general push to get rid of setuid/setgid binaries. A lot
> of "hardening" guides will suggest looking for setuid/setgid
> binaries and deciding if you really need them.

The problem with that is how many users are knowledgeable enough to
know if something is necessary or not?

> As you've never heard of "mesg" and probably don't use "wall" I
> doubt you will have any issues chmod 0 /usr/bin/wall and then
> setting it immutable¹ with chattr +i.

I suppose that's one way.  I'd rather uninstall it.

> You could put a call to "mesg n" into a file in /etc/profile.d so
> that all users execute it.

Good idea:
$ ls -l /etc/profile.d/disable_mesg.sh
-rw-r--r-- 1 root root 383 Mar 28 00:15 /etc/profile.d/disable_mesg.sh

$ cat /etc/profile.d/disable_mesg.sh
# man mesg
#...
#  Traditionally, write access is allowed by default.  However,  as  users
#  become  more  conscious  of various security risks, there is a trend to
#  remove write access by default, at least for the primary  login  shell.
#  To  make  sure  your ttys are set the way you want them to be set, mesg
#  should be executed in your login scripts.

/usr/bin/mesg n


Then logout / login and..
$ mesg
is n

Thanks
Lee



making Debian secure by default

2024-03-27 Thread Lee
I just saw this advisory
  Escape sequence injection in util-linux wall (CVE-2024-28085)
https://seclists.org/fulldisclosure/2024/Mar/35
where they're talking about grabbing other users sudo password.

Apparently the root of the security issue is that wall is a setgid program?

Even more fun is the instructions
  To make sure the PoC will work, make sure your victim user can
  actually receive messages. First check that mesg is set to y
  (`mesg y`). If a user does not have mesg turned on, they are not
  exploitable.

WTF??  I've never heard of a mesg, but
  $ which mesg
  /usr/bin/mesg

So.  There is a program called 'mesg',  hrmmm..
  man mesg
...
  Traditionally, write access is allowed by default.  However,  as  users
  become  more  conscious  of various security risks, there is a trend to
  remove write access by default, at least for the primary  login  shell.
  To  make  sure  your ttys are set the way you want them to be set, mesg
  should be executed in your login scripts.

oof.  Are there instructions somewhere on how to make Debian secure by default?

Thanks,
Lee
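An added example, not from the thread: a shell snippet showing what `mesg n` actually changes (the group/other write bits on the tty device node, which is what a setgid-tty `wall` relies on to be allowed to write there) and a function that enumerates the setuid/setgid binaries the thread keeps saying to audit. It assumes Linux with GNU coreutils `stat -c` and GNU find's `-perm /mode` syntax; `tty_writable`, `deny_writes` and `find_privileged` are names chosen here.

```sh
#!/bin/sh
# Added example (not from the thread): what "mesg n" actually changes, and
# how to enumerate the setuid/setgid binaries the thread says to review.
# Assumes Linux with GNU coreutils (stat -c) and GNU find (-perm /mode).

# mesg(1) only toggles the group/other write bits on your tty device node;
# wall, being setgid tty, can only write to ttys whose group-write bit is set.
# tty_writable prints "y" or "n" for a device node, the way mesg reports it.
tty_writable() {
    mode=$(stat -c '%a' "$1") || return 2          # e.g. 620 or 4755
    group=$(( (mode / 10) % 10 ))                  # group permission digit
    other=$(( mode % 10 ))                         # other permission digit
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        echo y
    else
        echo n
    fi
}

# What "mesg n" does under the hood: clear the group and other write bits.
deny_writes() {
    chmod g-w,o-w "$1"
}

# Enumerate setuid/setgid regular files below a directory, one per line as
# "mode owner:group path". -xdev keeps find on one filesystem so /proc and
# network mounts are not walked; -perm /6000 matches either bit.
find_privileged() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %U:%G %n' {} + 2>/dev/null |
        sort -k3
}

# Usage (as a user with a terminal):
#   tty_writable "$(tty)"        # same answer as plain "mesg"
#   deny_writes "$(tty)"         # same effect as "mesg n"
#   find_privileged /usr         # the list to research, one entry at a time
```

Putting `mesg n` in `/etc/profile.d` as Lee did runs the `deny_writes` step for every login shell; `find_privileged` is the first half of the audit, and the research on each entry is the half nobody has automated.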



Re: Root password strength

2024-03-22 Thread Lee
On Fri, Mar 22, 2024 at 9:02 AM Jan Krapivin  wrote:
>
> The thing that bothers me is the words: "any computer (and a fortiori any 
> server) connected to the Internet is regularly targeted by automated 
> connection attempts"

Change it to "any computer (and a fortiori any server) >>using IPv4
and directly<< connected to the Internet is regularly targeted by
automated connection attempts"
and yes, I'm 100% confident they're getting automated connection attempts.

Why the qualifier >>using IPv4 and directly<< connected?

The IPv4 address space is only 32 bits long.  Scanning 2^32 = about
4,000,000,000 addresses for an open port is easily doable.
The IPv6 address space is a bit harder...  Let's just say that 7/8th
of the IPv6 address space is reserved[1] so that means 2^125 addresses
would need to be scanned .. which just isn't going to happen.
There are ways for attackers to get the IPv6 address scan space down
to a reasonable number.  I probably don't know most of them..

What's the difference between "connected" and "directly connected"?
None of my computers are directly connected to the Internet.
Everything is hiding behind a firewall that supposedly blocks _all_
unsolicited traffic coming in from the Internet.
So however much I believe no unsolicited traffic is allowed into my
network is about how much I believe there are no automated connection
attempts to my computers.

> I am not tech-savvy. Can you say with 100% (90%?) confidence that there is no 
> such thing? That home PC without SSH and whatever complicated is safe (rather 
> safe) from "automated connection attempts"?

What makes it more fun is that it is not only SSH that could allow an
attacker in. A quick & easy check is to look for open ports - eg.
  sudo ss -lptu

shows you all the programs listening for new connections (right now ..
10 minutes from now could be a whole different thing).
Except.. oops.. not _all_ the programs listening for new connections.
While writing this I tried

$ sudo ss -lwnp
State  Recv-Q  Send-Q   Local Address:Port   Peer Address:Port Process
UNCONN 0   0  0.0.0.0:255 0.0.0.0:*
users:(("atop",pid=186997,fd=4))

so there's atop allowing connections on a "raw" socket.  .. whatever that is.
And there's the non-tcp/udp protocols like GRE or IPSec (think VPN
tunnels) where connections might be allowed in.

> This thread reminded of that topic - 
> https://forums.debian.net/viewtopic.php?t=154002

Indeed.  Is a firewall necessary or no?  Some say yes, some say no.

I look at a firewall as the place where you implement your basic
network security policy.  Should SSH be allowed in from the Internet?
NetBIOS?  how about SNMP?
I fall into the "some say yes" camp because I say the firewall is
where those questions should be answered.

Regards,
Lee


[1] 
https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

The assignable Global Unicast Address space is defined in [RFC3513] as
the address block
defined by the prefix 2000::/3. [RFC3513] was later obsoleted by [RFC4291].
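An added example, not from the thread: a filter that reduces `ss` output to the listeners bound to something other than a loopback address, i.e. the ones a firewall decision actually applies to. It is meant to be fed `ss -lptuwn` (the `-w` picks up the raw sockets that Lee noticed `-lptu` leaves out) and assumes the usual column order of iproute2's `ss` with `-n` and `-p`, run as root so the Process column is filled. The sample output is constructed; the raw line copies the shape of the atop entry above with made-up pids.

```sh
#!/bin/sh
# Added example (not from the thread): reduce `ss -lptuwn` output to the
# listeners reachable from the network, i.e. bound to something other than a
# loopback address. Assumes iproute2's column layout with -n and -p.

# exposed_listeners reads ss output on stdin and prints:
#   netid address port process
exposed_listeners() {
    awk '
        NR == 1 { next }                               # column header
        {
            n = split($5, parts, ":")                  # Local Address:Port
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            proc = "?"                                 # empty without -p/root
            if (match($0, /"[^"]+"/))
                proc = substr($0, RSTART + 1, RLENGTH - 2)
            printf "%s %s %s %s\n", $1, addr, port, proc
        }'
}

# Constructed sample in the shape of `sudo ss -lptuwn` (pids made up; the raw
# line mirrors the atop entry from the thread, where "port" is the protocol).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:631     0.0.0.0:*   users:(("cupsd",pid=700,fd=7))
udp   UNCONN 0      0            0.0.0.0:68      0.0.0.0:*   users:(("dhclient",pid=650,fd=6))
tcp   LISTEN 0      511             [::]:80         [::]:*   users:(("nginx",pid=900,fd=6))
udp   UNCONN 0      0          127.0.0.54:53      0.0.0.0:*   users:(("systemd-resolve",pid=500,fd=14))
raw   UNCONN 0      0            0.0.0.0:255     0.0.0.0:*   users:(("atop",pid=1999,fd=4))'

# Usage on a live system:  sudo ss -lptuwn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

A wildcard bind (`0.0.0.0` or `[::]`) is the case that matters for the "is a firewall necessary" question: that socket answers on every interface, so whether it is reachable from the Internet depends entirely on what sits in front of the machine.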



Re: Root password strength

2024-03-20 Thread Lee
On Wed, Mar 20, 2024 at 3:50 PM Pierre-Elliott Bécue wrote:
>
> De : Lee
> À : Pierre-Elliott Bécue
> Cc : Debian Users ML 
> Date : 20 mars 2024 20:40:52
> Objet : Re: Root password strength
>
> > On Wed, Mar 20, 2024 at 1:47 PM Pierre-Elliott Bécue  wrote:
> >>
> >> Brad Rogers wrote on 20/03/2024 at 18:39:30+0100:
> >>> On Wed, 20 Mar 2024 17:09:31 +0100
> >>> Pierre-Elliott Bécue wrote:
> >>>
> >>> Hello Pierre-Elliott,
> >>>
> >>>> Most of the time, writing down a password is a very bad idea.
> >>>
> >>> Not in your own home.  And in any event, it depends where one keeps that
> >>> 'written down' password.
> >>>
> >>> And if it *does* become an issue at home, you've got bigger, more
> >>> immediate, problems to deal with;  Of the intruder variety.
> >>
> >> You have a rather bad cybersecurity approach. And you did not do a
> >> proper risk assessment.
> >
> > The OP said
> > - My password is easy because i am not afraid of direct physical
> > access to the computer.
> >
> > That seems like a good enough risk assessment to me, but please
> > explain what you think is "a proper risk assessment."
> >
> > Thanks,
> > Lee
>
> As stated elsewhere, I am done with this thread. Therefore I do not intend to 
> reply here.
>
> If you still want an answer I am happy to reply privately.

Yes, I would like an answer.  I've got passwords written down at home,
so I started thinking about it and I'm much more concerned about other
papers I have at home like bank statements etc. that could do much
more damage to me if they ended up in the wrong hands than a password
to an AP

Thanks
Lee



Re: Root password strength

2024-03-20 Thread Lee
On Wed, Mar 20, 2024 at 1:47 PM Pierre-Elliott Bécue  wrote:
>
> Brad Rogers  wrote on 20/03/2024 at 18:39:30+0100:
> > On Wed, 20 Mar 2024 17:09:31 +0100
> > Pierre-Elliott Bécue  wrote:
> >
> > Hello Pierre-Elliott,
> >
> >>Most of the time, writing down a password is a very bad idea.
> >
> > Not in your own home.  And in any event, it depends where one keeps that
> > 'written down' password.
> >
> > And if it *does* become an issue at home, you've got bigger, more
> > immediate, problems to deal with;  Of the intruder variety.
>
> You have a rather bad cybersecurity approach. And you did not do a
> proper risk assessment.

The OP said
- My password is easy because i am not afraid of direct physical
access to the computer.

That seems like a good enough risk assessment to me, but please
explain what you think is "a proper risk assessment."

Thanks,
Lee



Re: Hyphen-minus passwd

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:50 PM Nicolas George wrote:
>
> Computer Planet (12024-03-07):
> > How can I create this password with a hyphen in front?
> >
> > # openssl passwd -6 -salt username -password
> >
> > This is the response message when I try:
> > passwd: Unknown option: -passwd
>
> Hi. No it is not. Start by copy-pasting EXACTLY what is in your
> terminal.

You're going to rag on him for not copy-pasting EXACTLY when you could
have just told him the standard way to get a leading hyphen accepted
on the command line is to backslash escape it!??

rude



Re: Hyphen-minus passwd

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:44 PM Computer Planet  wrote:
>
> Hi guys!
> Please, Can someone help me?
>
> How can I create this password with a hyphen in front?
>
> # openssl passwd -6 -salt username -password
>
> This is the response message when I try:
> passwd: Unknown option: -passwd
>
> Thanks for reply!

$ openssl passwd -6 -salt username \\-password
$6$username$7 ..etc..
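An added example, not Lee's answer or Nicolas's: the general way to hand any command a value that starts with a hyphen is the `--` end-of-options marker, which OpenSSL's option parser accepts (OpenSSL 1.1.1 or later is needed for `-6` anyway). The script also shows what the shell delivers for the backslash form: an unquoted `\\-password` arrives at openssl as `\-password`, so the hash it produces is of a different string than `-password`. The function names are chosen here.

```sh
#!/bin/sh
# Added example (not from the thread): passing a value that begins with "-"
# to a command. "--" ends option parsing, so whatever follows is a positional
# argument; OpenSSL's parser honours it. The backslash form hands openssl the
# two characters "\-" followed by the rest, which is a different password.

# show_args prints exactly what the shell delivered, one argument per line;
# this is the quickest way to settle "what did openssl actually receive?".
show_args() {
    printf '[%s]\n' "$@"
}

# hash_with_dashdash: $1 = salt, $2 = password (may start with "-")
hash_with_dashdash() {
    openssl passwd -6 -salt "$1" -- "$2"
}

# hash_backslash reproduces `openssl passwd -6 -salt username \\-password`:
# the shell turns \\ into one backslash, so openssl hashes "\-password".
hash_backslash() {
    openssl passwd -6 -salt "$1" "\\$2"
}

# Usage:
#   show_args \\-password                   # prints [\-password]
#   hash_with_dashdash username -password   # $6$username$... for "-password"
show_args \\-password
```

With a fixed salt the SHA-512 crypt output is deterministic, so the two functions can be compared directly: same salt, different input string, different hash.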



Re: Commandline client to lookup MAC vendor

2024-03-07 Thread Lee
On Thu, Mar 7, 2024 at 12:22 PM Thomas Pircher wrote:
>
> On 2024-03-07 10:11, Ralph Aichinger wrote:
> > Any idea if one or the other is preferable or newer?
>
> I think there is not much difference between the two files, the
> ieee-data packages the data directly from the IEEE, with nmap you have
> one intermediary project that needs to download and release the file
> before Debian can pick it up.
>
> Then on the other hand, the ieee-data package is one minor version
> behind on the data, while the nmap file was modified ~6 months ago in
> Debian's VCS.
>
> The only difference I can see is that with the ieee-data package you get
> some visibility which upstream version was used, while it would take
> more effort to trace that back in the nmap case.

I haven't tried either package - I just use the file from IEEE
  https://standards-oui.ieee.org/oui/oui.txt
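An added example, not from the thread: a lookup against the IEEE file Lee links, accepting colon, hyphen and Cisco dotted notations, plus a check for the locally-administered bit, since randomised Wi-Fi MACs and virtual NICs never appear in the registry and a miss for them is expected rather than suspicious. It assumes the published file's `XX-XX-XX   (hex)   Organization` line layout; the registry excerpt in the script is constructed with placeholder organisations, not real assignments, and the function names are chosen here.

```sh
#!/bin/sh
# Added example (not from the thread): look a MAC address up in oui.txt.
# Assumes the IEEE file layout, where each assignment has a line like
#   XX-XX-XX   (hex)		Organization Name
# The registry entries below are constructed placeholders, not real ones.

# normalize_prefix: first three octets as uppercase "XX-XX-XX", from
# 00:ab:cd:12:34:56, 00-AB-CD-12-34-56 or 00ab.cd12.3456 alike.
normalize_prefix() {
    printf '%s\n' "$1" | tr -d ':.-' | tr 'abcdef' 'ABCDEF' | cut -c1-6 |
        sed 's/\(..\)\(..\)\(..\)/\1-\2-\3/'
}

# oui_vendor: $1 = MAC, $2 = path to oui.txt; prints the organisation or "unknown"
oui_vendor() {
    key=$(normalize_prefix "$1")
    awk -v key="$key" '
        $1 == key && $2 == "(hex)" {
            for (i = 3; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
            found = 1
            exit
        }
        END { if (!found) print "unknown" }' "$2"
}

# mac_is_local: true when the locally-administered bit (0x02 of the first
# octet) is set. Such addresses (randomised Wi-Fi MACs, VM NICs) are not in
# the registry, so "unknown" for them is the normal answer.
mac_is_local() {
    first=$(printf '%s' "$1" | tr -d ':.-' | cut -c1-2)
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Constructed excerpt in the layout of oui.txt (placeholder organisations).
SAMPLE_OUI='OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-AB-CD   (hex)        Example Networks Ltd
00ABCD     (base 16)    Example Networks Ltd
                        1 Example Street

00-AB-CE   (hex)        Example Devices Inc
00ABCE     (base 16)    Example Devices Inc
                        2 Sample Road
'

# Usage with the real file:  oui_vendor 00:ab:cd:12:34:56 oui.txt
normalize_prefix 00ab.cd12.3456
```

The `(hex)` line is the one to match on; the `(base 16)` line repeats the organisation with an unpunctuated prefix and is followed by address lines that would confuse a naive grep.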



Re: medically smart watches

2024-02-24 Thread Lee
On Sat, Feb 24, 2024 at 12:06 PM gene heskett wrote:
>
> On 2/24/24 11:03, Loïc Grenié wrote:
> > On Sat Feb 24th, 2024, at 16:03, Gene Heskett wrote:
> >
> > Greetings all;
> >
> > As most of you know I'm a DM-II, but the recent shortage of
> > trulicity, a
> > weekly self-administered shot that helps regulate one's blood glucose
> > levels has got us scrambling for alternatives.  So a month back I
> > bought
> > one of the so called smart watches that purports to monitor blood sugar.
> >
> >
> > "purports" appears to be the correct verb
> > https://www.fda.gov/medical-devices/safety-communications/do-not-use-smartwatches-or-smart-rings-measure-blood-glucose-levels-fda-safety-communication
> >
> I got a msg from our state AG warning me about these, but it was 2 days
> after I had ordered this thing. Too little warning, too late, but I'm
> the curious type, and this device looks good so I would like to see how
> it compares with the antique finger prick model we've been using since
> Hector's great grandfather was a puppy.. New tech sometimes works pretty
> good while the FDA seems to try to protect old tech.

Give the FreeStyle Libre 14 day sensor a try - it's so much nicer than
poking holes in yourself whenever you want to know what your blood
sugar is.
There's a reader you have to buy or a current enough smart phone can
be used as a reader.

What I'd like to find is software that lets me get the data off the
reader into my PC.  Abbott wants everything uploaded to their servers
and I quit reading the terms of service when it got to them giving out
my data after 'anonymising' it.

Regards
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 10:51 PM Ralph Aichinger wrote:
>
> On Fri, 2024-02-02 at 20:25 -0500, Lee wrote:
> > I figure there's a high percentage of keyboard jockeys here so ..
> > which keyboard do you like and why?
>
> I like the flat style similar to what is in many notebooks. Current
> favourites are the Apple keyboards (expensive though, for what they
> are), the Microsoft Designer Compact Keyboard (stupid generic model
> name), that seems to have a problem for some that the electronics die
> prematurely, it might not be able to connect any longer after some
> time. Great if it works though, can often be gotten relatively cheaply
> for about half the normal price. Very minimal design, you can't take
> away much more from a keyboard:
>
> https://www.microsoft.com/en/accessories/products/keyboards/microsoft-designer-compact-keyboard?activetab=pivot:overviewtab

That looks nice for a tablet or something that you'll be carrying around.

> And a new fascination of mine, the Logitech MX series, also kind
> of expensive, and with rather ugly design, but typing feels just
> wonderful.

Logitech seems to be quitting the corded keyboard business :(  I go to
their keyboard selection site, select full sized with numpad and
corded and only two keyboards show up - the one I pulled out of the
closet that I think is too tall and a K-845.  I don't have a whole lot
of luck with batteries or wireless, so a cord is a must for me.

> Of the cheaper ones, I like the Logitech k280e. Feels quite OK for the
> price, not on the level of the above three though. Also large, clunky
> and heavy.
>
> I used to be a full layout (with keypad) person, but recently I began
> to like the smaller layouts. Takes up less space on the desk, only
> thing I miss are the full cursor keys. Easier to move around on the
> desk, which I do a lot.
>
> Keyboards are a product where preferences diverge a lot and are very
> personal. Fortunately there is lots of choice in the market currently.

As I'm seeing :)

Thanks
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 9:09 PM Nate Bargmann wrote:
>
> * On 2024 02 Feb 19:26 -0600, Lee wrote:
> > I bought a Dell desktop in 2019 and the keyboard just died :(
> >
> > ssh in from another machine & do a 'sudo reboot now' and get an alert
> > about 'Keyboard not found.'  on power up.  The keyboard also doesn't
> > work in another machine so it's really & truly dead.
> >
> > I figure there's a high percentage of keyboard jockeys here so ..
> > which keyboard do you like and why?
>
> I have several of the now classic IBM Model M keyboards I procured in
> the '90s.  Modern BIOSes don't like them even with a PS/2 to USB
> adapter so I gave up on them.  The Lenovo KU-0225 is a good keyboard
> with the "standard" extra keys that are useful in some desktops.  It is
> full size and quiet.
>
> My main keyboard is a daskeyboard I bought several years ago with the
> Cherry key switches.  It is thick so you might not like it and it is
> loud.  It has the same number of keys as the Lenovo, 104, I think.  This
> one was not cheap while the Lenovo was considerably less expensive.

Full size and quiet are good qualities :)  Tall not so much.. the
Logitech that I pulled out of the closet and think is too high is less
than 1 inch high.  The Lenovo is listed as 1.34 inches, so that's
probably not for me.
Thick and loud is a no, so I'll pass on the daskeyboard.

Thanks
Lee



Re: what keyboard do you use?

2024-02-03 Thread Lee
On Fri, Feb 2, 2024 at 8:57 PM Russell L. Harris  wrote:
>
> On Fri, Feb 02, 2024 at 08:25:09PM -0500, Lee wrote:
> >which keyboard do you like and why?
>
> CHERRY MX BOARD 3.0 (Purchased several years ago; in daily use since.)
> Excellent mechanical quality of the keyswitch.  Keyswitch plungers
> which start sticking (high resistance upon depression) are the biggest
> problem I have found.  The next-greatest problem is intermittent
> contact of key switch contacts.  Both problems are maddening for the
> touch typist.

OK - good to know.  I am a touch typist, so I guess I'm giving that one a pass.
Thanks
Lee



what keyboard do you use?

2024-02-02 Thread Lee
I bought a Dell desktop in 2019 and the keyboard just died :(

ssh in from another machine & do a 'sudo reboot now' and get an alert
about 'Keyboard not found.'  on power up.  The keyboard also doesn't
work in another machine so it's really & truly dead.

I figure there's a high percentage of keyboard jockeys here so ..
which keyboard do you like and why?

I have a Logitech k740 attached to my Windows machine which is ok.
Not great but OK.
I found a spare Logitech k120 keyboard in the closet; it's better than
nothing but too thick for regular use.
And the old Dell keyboard from the Windows machine - also too thick,
the keys are too cramped and lettering has worn off on about 1/4 of
the keys (which is why I got the Logitech 740)

Thanks
Lee



Re: in an object oriented world

2024-01-26 Thread Lee
Hi,

On Fri, Jan 26, 2024 at 8:46 AM songbird wrote:
>
> John Hasler wrote:
> > songbird writes:
> >> any process which does not respond should be thus cast into the outer
> >> darkness of the bits and never to return (aka a virus or unauthorized
> >> program).

Q: is javascript sourced from who knows where on the Internet
considered an unauthorized program?

if no, have you heard of "malvertising"?

> > Malware can lie.  A virus can infect an authorized program and use its
> > credentials.
>
>   objects are only created by authorized calls to other
> objects so there is no pathway to infect if done correctly.

I hate it when someone blithely tosses off that "if done correctly"
nonsense - ignoring the last 60+ years of computer history that shows
people more often than not CANNOT actually "do it correctly."

I came across this recently
  https://thephd.dev/c-undefined-behavior-and-the-sledgehammer-guideline

TL;DR: undefined behavior yields incorrect behavior
    if (i >= 0 && i < sizeof(tab)) {
        printf("tab[%d] looks safe because %d is between [0:%d]\n",
               i, i, (int)sizeof(tab));
        return tab[i];
    }
doesn't actually verify that i is always within limits.

$ cat bad-behavior.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

uint8_t tab[0x1ff + 1];

int safe = 0;

uint8_t f(int32_t x)
{
    if (x < 0)
        return 0;
    if ( safe ) { /* do a valid overflow check */
        if ((INT32_MAX / 0x1ff) <= x) {
            printf("overflow prevented!\n");
            return 0;
        }
    }
    int32_t i = x * 0x1ff / 0xffff;  /* same scaling as the linked article */
        /* signed integer overflow yields undefined behavior */
    if (i >= 0 && i < sizeof(tab)) {
        printf("tab[%d] looks safe because %d is between [0:%d]\n",
               i, i, (int)sizeof(tab));
        return tab[i];
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {  /* don't read past the end of argv */
        fprintf(stderr, "usage: %s safe|unsafe N\n", argv[0]);
        return 2;
    }
    memset(tab, 0, sizeof(tab));
    if ( strcmp(argv[1], "safe") == 0 ) safe = 1;
    return f(atoi(argv[2]));
}
/*
 * https://thephd.dev/c-undefined-behavior-and-the-sledgehammer-guideline
 *
 * gcc -O2 -o bad.exe bad-behavior.c
 * ./bad unsafe 5000
 * tab[62183] looks safe because 62183 is between [0;512]
 */

$ gcc -O2 -o bad.exe bad-behavior.c

$ ./bad unsafe 5000
tab[62183] looks safe because 62183 is between [0:512]

$ ./bad   safe 5000
overflow prevented!


>   if you do not allow random objects to be created that
> are not verified and vetted then there are no viruses.

That sounds so very easy.  Not so easy to do in practice, but it sure
_sounds_ easy enough.

>   note, i'm just kicking this around and wondering if it
> really would be possible.

I'd vote for possible but improbable.

Regards,
Lee
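An added example, not code from the post or from the article it links: it reuses the post's 0x1ff / 0xffff scaling and 512-entry table to show, side by side, what 32-bit wraparound followed by unsigned division yields and two ways of computing the index without undefined behavior (a 64-bit intermediate, and the gcc/clang __builtin_mul_overflow builtin). The wraparound model is my assumption about how the optimized build arrived at 62183, and 50000000 is a constructed input large enough to overflow; under that model it reproduces exactly that index.

```c
#include <stdint.h>
#include <stdio.h>

/* Same table geometry and scaling constants as the program in the post above. */
#define TAB_SIZE  (0x1ff + 1)
#define SCALE_NUM 0x1ffu
#define SCALE_DEN 0xffffu

/*
 * What the index becomes if the product wraps modulo 2^32 and is then
 * divided as an unsigned value. Assumption (mine, not the post's): this is
 * the arithmetic the optimized build effectively performed to print 62183.
 * Unsigned arithmetic wraps by definition, so this function itself has no UB.
 */
uint32_t wrapped_index(int32_t x)
{
    uint32_t prod = (uint32_t)x * SCALE_NUM;   /* wraps for large x */
    return prod / SCALE_DEN;
}

/*
 * Hardened version 1: multiply in 64 bits, where no int32_t input can
 * overflow, then range-check the result against the table before use.
 * Returns -1 for any input that must not be used as an index.
 */
int32_t scaled_index(int32_t x)
{
    if (x < 0)
        return -1;
    int64_t i = (int64_t)x * 0x1ff / 0xffff;
    if (i >= TAB_SIZE)
        return -1;                          /* out of range for tab[] */
    return (int32_t)i;
}

/*
 * Hardened version 2: keep 32-bit arithmetic but refuse any product that
 * would overflow, using the gcc/clang checked-multiply builtin. This is a
 * tighter equivalent of the posted program's "safe" branch.
 */
int32_t checked_index(int32_t x)
{
    int32_t prod;
    if (x < 0)
        return -1;
    if (__builtin_mul_overflow(x, 0x1ff, &prod))
        return -1;                          /* overflow prevented */
    int32_t i = prod / 0xffff;
    if (i >= TAB_SIZE)
        return -1;                          /* out of range for tab[] */
    return i;
}

int main(void)
{
    /* Constructed inputs: small, the largest/smallest around the table
     * boundary, and one large enough to overflow a 32-bit product. */
    const int32_t inputs[] = { 5000, 65663, 65664, 50000000 };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int32_t x = inputs[k];
        printf("x=%d wrapped=%u scaled=%d checked=%d\n",
               x, wrapped_index(x), scaled_index(x), checked_index(x));
    }
    return 0;
}
```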



Re: how to clone apt repository to newest only?

2023-12-27 Thread KangWoo Lee
I live in South Korea.
Most of the government systems in Korea operate in a closed environment and
are not connected to the internet.
This is because of security vulnerabilities.

Anyway, I decided to use the update dvd image.
Alternatively, it would be good to create the image directly using jigdo.

Thanks to all of you for your help.

On Wed, Dec 27, 2023 at 7:33 AM, Andrew M.A. Cater wrote:

> On Tue, Dec 26, 2023 at 04:49:13PM -0500, Roy J. Tellason, Sr. wrote:
> > On Tuesday 26 December 2023 09:34:00 am Andrew M.A. Cater wrote:
> > > Living offline is not really feasible anymore - there are too many
> security
> > > updates needed.
> > (snip)
> > > Linux distributions do update and you should ideally be running the
> latest
> > > most up to date security patches.
> >
> > I must be missing something here.  If one is running a system that's NOT
> net-connected,  why is security so important an issue?
> >
>
> You always have to hope that it remains not connected :)
>
> Remembering that each point update introduces fixes which may clear
> previous problems, it is always worth keeping the system up to date.
>
> Given the inadvertent upstream kernel problems we gained during the 12.3
> release which resulted in 12.4 and that we then needed 12.5 relatively
> immediately to solve problems that some users had - if you'd _only_
> had the 12.4 medium, you might have had problems which could only have
> been fixed by being net connected to pick up the appropriate kernel.
>
> Just because you have a (relatively) isolated system doesn't mean that
> your system shouldn't be consistent, patched and up to date which will
> allow you to be sure that known vulnerabilities have been addressed.
>
> There's nothing like the joy of inheriting a system tucked away somewhere
> that hasn't been updated or rebooted in five years and not knowing what
> you might expect when logging in, what services are running or what will
> happen if you have to reboot. Marginally better because you know about it
> than finding the system that everything depends on is undocumented,
> running on a system with dead disks in the RAID and that has just
> been bounced by the unscheduled power outage when the UPS failed ..
>
> > --
> > Member of the toughest, meanest, deadliest, most unrelenting -- and
> > ablest -- form of life in this section of space,  a critter that can
> > be killed but can't be tamed.  --Robert A. Heinlein, "The Puppet Masters"
> > -
>
> Sounds like a project manager imposing random requirements :)
>
> All the very best, as ever,
>
> Andy Cater
> (amaca...@debian.org)
>
> > Information is more dangerous than cannon to a society ruled by lies.
> --James
> > M Dakin
> >
>
>


Re: how to clone apt repository to newest only?

2023-12-26 Thread KangWoo Lee
The reason I'm asking for this feature is that

For example, I want to install the most recent packages when installing an
OS in a specific closed network environment.

Of course, I could use a recently created DVD iso file, but I would need to
have an internet connection to apply files that have been updated since
this ISO was created, so I only want to copy and apply the most recent
packages.

Is there any way to do this?




On Mon, Dec 25, 2023 at 11:05 PM, Andrew M.A. Cater wrote:

> On Mon, Dec 25, 2023 at 12:21:29PM +0000,  wrote:
> [Copied to the poster because they may not be subscribed]
>
> > how to clone apt repository to newest only?
> > Fedora/Red Hat will organize the repository by copying only the most
> recent packages from that distribution if you give it the "reposync
> --newest-only" option, but Debian doesn't seem to be able to do that.
> >
> > What can I do?
> >
> >
> Hi
>
> By default, apt will check the dates on the package manifests and bring you
> up to date based on that.
>
> If you install from nothing then the installer will do the same assuming
> that you have an internet connection.
>
> reposync is really a Red Hat ecosystem specific command, I think.
>
> (already answered on the list: can I suggest that you subscribe to the
> list)
>
> Andy
> (amaca...@debian.org)
>
>


Re: Test

2023-12-22 Thread Lee
On Fri, Dec 22, 2023 at 4:08 PM Tixy  wrote:
>
> On Fri, 2023-12-22 at 12:15 -0500, Pocket wrote:
> > This is a test of the emergency broadcast system
>
> Please stop spamming the 1000 or so people subscribed to this list.

Would forwarding his message to commun...@debian.org and asking for a
one month suspension violate the mailing list rules?

I think no, but that might be wishful thinking..



Re: time question, as in ntp?

2023-11-29 Thread Lee
On Wed, Nov 29, 2023 at 12:50 PM gene heskett wrote:
>
> Greetings all;
>
> I have a 3d printer, an arm64 controller running armbian buster
> it has an address of 169.254.xx.xx/16
> it can ping this machine but something is killing full net access, so it
> can't set its time.

With a 169.254.x.x address I'm surprised it can talk to anything else
on your network.

Your internet router is running dd-wrt - correct?
Why not enable the dhcp server software on that and serve static IP
addresses to everything on your network?
eg  https://wiki.dd-wrt.com/wiki/index.php/Static_DHCP

Your /etc/hosts files will still work and you'll stop getting
169.254.x.x addresses assigned to your machines.

Regards,
Lee



Re: Bookworm: NetworkManager

2023-10-27 Thread Lee
On Mon, Oct 23, 2023 at 8:29 PM Andy Smith wrote:
>
> Hi,
>
> On Sun, Oct 22, 2023 at 06:36:28PM -0400, Lee wrote:
> > My understanding is that ISC no longer supports their dhcp client
> > software so the isc-dhcp-client package will go away someday?
> > correct?  & I suspect whatever works today will break when the new
> > software comes out, so I'd rather get a head-start on how to work
> > with the replacement.
> >
> > How can I find out who is working on what replacement?
>
> There was a fairly recent conversation on debian-devel over what to
> replace isc-dhcp-client with for the trixie release onwards:
>
> https://lists.debian.org/debian-devel/2023/06/msg00184.html
>
> My understanding is that ultimately the choice will be made by the
> ifupdown maintainer, assuming that remains the default way to
> configure networking on trixie absent other dependencies.
>
> Unfortunately there does not seem to be a public response by the
> ifupdown maintainer jo...@debian.org in that thread.

Thanks for the info.  I was thinking about replacing dhclient with the
new whatever but I guess I can wait and burn that bridge when I get to
it

Best Regards,
Lee



Re: Bookworm: NetworkManager

2023-10-23 Thread Lee
On Sun, Oct 22, 2023 at 7:13 PM Pocket wrote:
>
> On 10/22/23 18:36, Lee wrote:
> > On Sun, Oct 22, 2023 at 1:18 PM Greg Wooledge  wrote:
> >> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> >>> Just out of curiosity, why didn't you use the example from
> >>> https://wiki.debian.org/resolv.conf and do
> >>>
> >>> echo 'make_resolv_conf() { :; }' >
> >>> /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> >>> chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> >> Because that only affects isc-dhcp-client, and does nothing for other
> >> DHCP clients, such as Network Manager.
> > I can sort of understand that an all volunteer project is going to
> > have some rough edges and inconsistencies, but this is a bit much.  My
> > understanding is that ISC no longer supports their dhcp client
> > software so the isc-dhcp-client package will go away someday?
> > correct?  & I suspect whatever works today will break when the new
> > software comes out, so I'd rather get a head-start on how to work with
> > the replacement.
> >
> > How can I find out who is working on what replacement?
> >
> > Thanks
> > Lee
> >
>
> https://www.isc.org/kea/

Yes, that's the ISC replacement.  But I get the impression Debian is
leaning towards using dhcpcd
https://lists.debian.org/debian-boot/2023/06/msg00121.html
https://lists.debian.org/debian-devel/2023/07/msg00277.html

There's a very good chance I'm missing something, which is why I'm
asking what will be the new default dhcp client software?  (for
debian)

Thanks
Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sun, Oct 22, 2023 at 1:18 PM Greg Wooledge  wrote:
>
> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> > Just out of curiosity, why didn't you use the example from
> > https://wiki.debian.org/resolv.conf and do
> >
> > echo 'make_resolv_conf() { :; }' >
> > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> > chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
>
> Because that only affects isc-dhcp-client, and does nothing for other
> DHCP clients, such as Network Manager.

I can sort of understand that an all volunteer project is going to
have some rough edges and inconsistencies, but this is a bit much.  My
understanding is that ISC no longer supports their dhcp client
software so the isc-dhcp-client package will go away someday?
correct?  & I suspect whatever works today will break when the new
software comes out, so I'd rather get a head-start on how to work with
the replacement.

How can I find out who is working on what replacement?

Thanks
Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sun, Oct 22, 2023 at 11:25 AM  wrote:
>
> On Sun, Oct 22, 2023 at 11:22:06AM -0400, Lee wrote:
> > On Sat, Oct 21, 2023 at 4:24 PM Pocket wrote:
> > >
> > > Ding ding ding we have a winner
> >
> > Just out of curiosity, why didn't you use the example from
> > https://wiki.debian.org/resolv.conf and do
> >
> > echo 'make_resolv_conf() { :; }' >
> > /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
> > chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
>
> Does NetworkManager honour this? Or is that "just" a
> dhclient thing?

I don't know.

my /etc/network/interfaces has
iface enp1s0 inet6 dhcp

and my /etc/NetworkManager/system-connections/Wired\ connection\ 1 has
[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=dhcp

but /etc/network/interfaces overrides /etc/NetworkManager - correct?
So maybe I'm just using dhclient and have no idea if this works for
NetworkManager or not.

Lee



Re: Bookworm: NetworkManager

2023-10-22 Thread Lee
On Sat, Oct 21, 2023 at 4:24 PM Pocket wrote:
>
> Ding ding ding we have a winner

Just out of curiosity, why didn't you use the example from
https://wiki.debian.org/resolv.conf and do

echo 'make_resolv_conf() { :; }' >
/etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/leave_my_resolv_conf_alone

Are you using NTP?  If yes, how are you keeping dhcp from over-writing
your ntp.conf?
I had to comment out the "ntp_servers_setup" line in
/etc/dhcp/dhclient-exit-hooks.d/ntp to keep dhcp from messing up my
list of ntp servers.

Regards,
Lee


>
> cat /etc/resolv.conf
> # Generated by NetworkManager
> search example.org
> nameserver 127.0.0.1
> nameserver ::1
> options edns0 trust-ad
>
> This makes this work
>
> sudo cat /etc/NetworkManager/NetworkManager.conf
> [main]
> plugins=ifupdown,keyfile
>
> [ifupdown]
> managed=false
>
> [device]
> wifi.scan-rand-mac-address=no
>
> [global-dns]
> searches=example.org
> options=edns0 trust-ad
>
> cat /etc/NetworkManager/system-connections/Wired\ connection\ 1.nmconnection
> [connection]
> id=Wired connection 1
> uuid=fe51b7a9-f0a9-32b9-ba1d-7a4dd08d0718
> type=ethernet
> autoconnect-priority=-999
> interface-name=end0
> timestamp=1697818643
>
> [ethernet]
>
> [ipv4]
> dns=127.0.0.1;
> dns-search=example.org;
> ignore-auto-dns=true
> method=auto
>
> [ipv6]
> addr-gen-mode=default
> dns=::1;
> dns-search=example.org;
> ignore-auto-dns=true
> method=auto
> [proxy]
>
> [.nmmeta]
> nm-generated=true



Re: Intermittent WiFi on Network Manager

2023-10-09 Thread Lee
On 10/9/23, Ottavio Caruso  wrote:
> Am 08/10/2023 um 11:42 schrieb Lee:
>> On 10/7/23, Ottavio Caruso  wrote:
>>> Am 07/10/2023 um 11:11 schrieb gene heskett:
>>>> Another possibility is a leaky microwave oven in the vicinity
>>>
>>> This is an urban legend and an excuse I was using when I was in tech
>>> support.
>>
>> It's real.  Try it yourself - run iperf for 2 minutes, display the
>> bandwidth report every second and then start the microwave for 1
>> minute.
>>
>> I get the throughput cut in half or more when the microwave is on.
>> Which is an improvement on the previous microwave which used to kill a
>> wireless connection. (which was super annoying when the wife was doing
>> work-from-home & I wasn't allowed to use the microwave _at_all_ during
>> the day.  I suspect that's the reason she got a toaster oven)
>>
>> Is it fairly well-known that microwave ovens interfere the most on channel
>> 11?
>> I just tried linssid again and there's a bunch of APs on channel 1 &
>> 6, one on channel 2 and two on channel 8.  Nothing on channel 11.
>>
>> Lee
>>
>>
>
> So the microwave should be running 100% 24/7? What is it? Am I
> surrounded by 24/7 greasy spoons? I'm more inclined to believe in a
> buggy driver implementation. All the nearby Windows laptops run fine.

In other words, you didn't try running iperf and then starting the
microwave, right?
Or you did and don't want to admit that your microwave interferes with wifi.

Either way, take a look at
  https://www.acrylicwifi.com/en/blog/performing-wifi-spectrum-analysis-information-provided/#How_to_Perform_a_Professional_Site_Survey

scroll down just a bit and see
The most common devices that create interference and noise in a
wireless infrastructure are:

Some of those do run 24/7.  And finally
  https://www.zdnet.com/article/usb-3-and-usb-c-devices-can-cause-problems-with-wi-fi-and-bluetooth-connections-but-theres-a-solution/
which I've never seen in action, just read about.

Lee



Re: Intermittent WiFi on Network Manager

2023-10-09 Thread Lee
On 10/8/23, gene heskett  wrote:
> On 10/8/23 07:43, Lee wrote:
>> On 10/7/23, Ottavio Caruso  wrote:
>>> Am 07/10/2023 um 11:11 schrieb gene heskett:
>>>> Another possibility is a leaky microwave oven in the vicinity
>>>
>>> This is an urban legend and an excuse I was using when I was in tech
>>> support.
>>
>> It's real.  Try it yourself - run iperf for 2 minutes, display the
>> bandwidth report every second and then start the microwave for 1
>> minute.
>>
>> I get the throughput cut in half or more when the microwave is on.
>> Which is an improvement on the previous microwave which used to kill a
>> wireless connection. (which was super annoying when the wife was doing
>> work-from-home & I wasn't allowed to use the microwave _at_all_ during
>> the day.  I suspect that's the reason she got a toaster oven)
>>
>> Is it fairly well-known that microwave ovens interfere the most on channel
>> 11?
>> I just tried linssid again and there's a bunch of APs on channel 1 &
>> 6, one on channel 2 and two on channel 8.  Nothing on channel 11.
>
> That, again probably, would be because the microwave does NOT transmit
> an SSID,

It doesn't transmit anything resembling a wifi frame (packet?), it's
just noise as far as the wifi interface knows.. and not something that
shows up on a wifi analyzer like linssid.

You need a spectrum analyzer to see wifi noise/interference.  I just
took a quick look again for an affordable spectrum analyzer & didn't
see anything.  Then again, my definition of "affordable" is under $50
so I suppose that's not too surprising.

Regards
Lee



Re: Intermittent WiFi on Network Manager

2023-10-08 Thread Lee
On 10/7/23, Ottavio Caruso  wrote:
> Am 07/10/2023 um 11:11 schrieb gene heskett:
>> Another possibility is a leaky microwave oven in the vicinity
>
> This is an urban legend and an excuse I was using when I was in tech
> support.

It's real.  Try it yourself - run iperf for 2 minutes, display the
bandwidth report every second and then start the microwave for 1
minute.

I get the throughput cut in half or more when the microwave is on.
Which is an improvement on the previous microwave which used to kill a
wireless connection. (which was super annoying when the wife was doing
work-from-home & I wasn't allowed to use the microwave _at_all_ during
the day.  I suspect that's the reason she got a toaster oven)

Is it fairly well-known that microwave ovens interfere the most on channel 11?
I just tried linssid again and there's a bunch of APs on channel 1 &
6, one on channel 2 and two on channel 8.  Nothing on channel 11.

Lee



Re: CVE-2023-5217 unimportant for firefox?

2023-09-30 Thread Lee
On 9/30/23, hede  wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

At the bottom of the page of your [1] is the note
src:firefox, src:firefox-esr and src:thunderbird use the system libvpx
starting in bookworm
and above. For older releases still needs the fixes in src:firefox-esr
and src:thunderbird.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182#22
  Date: Fri, 29 Sep 2023 14:58:43 +
  We believe that the bug you reported is fixed in the latest version of
  libvpx, which is due to be installed in the Debian FTP archive.

But I'm just guessing that the firefox security tracker page hasn't
been updated yet.

Regards
Lee

> [1] https://security-tracker.debian.org/tracker/source-package/firefox-esr
> [2] https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
>
> hede



Re: chrome web browser worthless

2023-08-02 Thread Lee
On 8/2/23, Brian wrote:
> On Wed 02 Aug 2023 at 14:52:26 -0400, gene heskett wrote:
>
>> On 8/2/23 14:26, Brian wrote:
>> > No - that isn't the way it works. Give what is asked for, not a
>> > censored
>> > version that suits you.
>> >
>> ok, same cat in full:
>> gene@bpi52:~$ cat /etc/hosts
>> 127.0.0.1   localhost
  < ... snip ... >

> Where is the line with 127.0.1.1? Debian always provides that.

$ egrep '^127' /etc/hosts
127.0.0.1   localhost

lee@spot ~
$ uname -a
Linux spot 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14)
x86_64 GNU/Linux

Regards,
Lee



Re: thunderbird missing arrows for scrolling through list of email messages

2023-05-27 Thread Lee
On 5/26/23, zithro wrote:
> On 05 May 2023 18:07, Lee wrote:
>> On 5/4/23, zithro wrote:
>> I think you also need
>> user_pref("widget.gtk.overlay-scrollbars.enabled", false);
>>
>> and this is also nice
>> user_pref("widget.non-native-theme.scrollbar.size.override", 20);
>
> I tried them all, but now there's a simple GUI option (see my other post
> in this thread) ! \o/

yes, but
  Settings -> General -> Browsing -> Always show scrollbars
shows a too-thin scrollbar with no up or down arrows at either end.

>>  From there I can select the Chicago95 theme as any user and if there's
>> anything I don't like I can, once I figure out wtf needs to be changed
>> (which can be a non-trivial task for me), make the change.
>
> That was my point, wtf needs to be changed ?! ^^

That's why I picked the Chicago95 theme .. it was _real_ close to what I wanted.
Then again, I wanted different colors & I couldn't figure out how to
get everything changed the way I wanted so I went back to the default
:(

The changes I've got now are:
lee@spot ~/Templates/Chicago95-2.0.1/Theme
$ diff -u5 -r Chicago95 /usr/share/themes/Chicago95
Only in Chicago95: cinnamon
Only in Chicago95: gnome-shell
diff -u5 -r Chicago95/gtk-3.0/settings.ini
/usr/share/themes/Chicago95/gtk-3.0/settings.ini
--- Chicago95/gtk-3.0/settings.ini  2020-06-29 10:33:20.0 -0400
+++ /usr/share/themes/Chicago95/gtk-3.0/settings.ini2023-05-27
17:10:25.257049595 -0400
@@ -1,4 +1,14 @@
 [Settings]
 gtk-auto-mnemonics = 0
 gtk-visible-focus = automatic
 gtk-menu-images = true
+
+gtk-menu-popup-delay=0
+#  LR: delay between pointing the mouse at a menu and that menu
opening (in milliseconds)
+
+gtk-primary-button-warps-slider = 0
+# LR: warp slider to click position (true) or move scrollbar by one
page (false)
+
+gtk-overlay-scrolling = 0
+# LR: 0: always show scrollbars   1: hide the scrollbar until a mouseover
+
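Review bot: the two comment lines in this hunk that continue onto a second line ("opening (in milliseconds)" after `+#  LR: delay between pointing the mouse at a menu and that menu`, and "page (false)" after `+# LR: warp slider to click position (true) or move scrollbar by one`) have no `+#` prefix on the continuation, so if the file really contains them as separate lines they are neither comments nor key=value pairs and the key-file parser will reject settings.ini. The hunk header's count (`+1,14`, i.e. 4 context lines plus 10 added) only adds up if each is a single wrapped line, so this is most likely mail wrapping, but it is worth confirming in the actual file. A smaller style point: the new keys mix `gtk-menu-popup-delay=0` with `gtk-primary-button-warps-slider = 0` and `gtk-overlay-scrolling = 0`, while the existing lines all use spaces around `=`; pick one form.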
Only in Chicago95: gtk-3.22
Only in Chicago95: gtk-3.24
Only in Chicago95: index.theme
Only in Chicago95: metacity-1
Only in Chicago95: misc
Only in Chicago95: xfwm4_hidpi

> I checked some themes in /usr/share/themes and ... well, I'll use my
> theme as it is !

I hope you've got a better set of themes than I have - I tried all of
them and didn't like any :(

Regards,
Lee



Re: sudoers question

2023-05-12 Thread Lee
On 5/12/23, DdB  wrote:
> Am 13.05.2023 um 00:03 schrieb Lee:
>> On 5/12/23, Stefan Monnier  wrote:
>>>> Or configure sudo to disable tty_tickets, so that the timeout (10
>>>> minutes by default IIRC) applies to all terminals.
>>>
>>> `sudo bash` anyone?
>>
>> me!  me!  but I also have
> (...)
>> %adm  ALL = (root) NOPASSWD: ADM_COMMANDS
>
> Of course, there are ways to allow any/all sudo commands without
> password. And i also have to cast a warning here:
>
> The kind of mistakes, any user (including yourself) can initiate, grows
> considerably, if he can use any commands without even thinking.

In general, yes, but how much trouble can
  /usr/bin/dmesg,
  /usr/bin/apt list
  /usr/bin/apt update
  /usr/sbin/checkrestart
  /usr/sbin/needrestart
cause?

OTOH, I like the idea of logging in as root to do admin stuff.  But
that seems to be frowned on now.. I don't know why :(   .. unless
logging?  'sudo bash' or logging in as root doesn't leave an audit
trail of commands you've done

> To my eye, as there is a huge responsibility involved with using
> elevated powers, i would not want "my little brother" to accidentally
> sit in front of my computer while just trying commands at a console,
> that he may have heard of somewhere.

I gave login credentials to a 4 yr old :)  I was a bit apprehensive
when he started mashing the keyboard but I'd already tried to find all
the world-writeable files on the machine so I wasn't all _that_
worried.  I'm more concerned that I did the search wrong & missed some
thing than I am of getting a "rm -fr /" from random keyboard mashing.

> Even worse: When i found out, how to prevent sudo from asking a pwd, i
> in fact did cause a couple of bad mistakes, that the system would
> otherwise have prevented from happening (including making it
> unbootable). And it took me quite some time in order to get used to some
> kind of a routine, that keeps me from having to reinstall everything from
> scratch after each mishap.
>
> So, after some time, i have become way more cautious at allowing too
> many powers to myself without thinking. And especially the OP did reveal
> some contradictory habits:
> He was asking, how to allow any sudo command without being asked for a
> password ( which means: without being controlled by the system ). On one
> hand, this could make sense under certain premises.
> OTOH, he was failing to display any kind of responsible attitude for the
> job (like as if reading logfiles was his only interest ...).
>
> Just simply asking for help in this regard let me wonder, as i had been
> able to find out all this without even knowing about his group,
> including the relevance of sudoedit in this regard (which no one even
> mentioned).
>
> You can't have your cake and eat it too!
>
> If we (as a community) would support such a behavior, wouldn't we be
> responsible for the effects, this entails

No.

> Would you hand out a loaded weapon to a child? (I certainly did not.)

Maybe I have?   But this is a personal/household machine so if files
get deleted I'll get to find out if my backup/restore process works as
well as I hope it does :)

At work, downtime is expensive, so I do tend to lock things down at
work.  At home I'm a lot more casual.

Regards
Lee



Re: sudoers question

2023-05-12 Thread Lee
On 5/12/23, Stefan Monnier  wrote:
>> Or configure sudo to disable tty_tickets, so that the timeout (10
>> minutes by default IIRC) applies to all terminals.
>
> `sudo bash` anyone?

me!  me!  but I also have
# cat /etc/sudoers.d/adm-grp-privs
# members of adm can run certain commands as root without supplying
# a password
#   Andrei POPESCU  Sun, Dec 5, 2021 at 10:46 AM
#   To: debian-user@lists.debian.org
#   Re: Don't try this at home kids

Cmnd_Alias ADM_COMMANDS = /usr/bin/dmesg, \
                          /usr/bin/apt list, \
                          /usr/bin/apt update, \
                          /usr/sbin/checkrestart, \
                          /usr/sbin/needrestart, \
                          /usr/sbin/reboot

%adm  ALL = (root) NOPASSWD: ADM_COMMANDS

Regards
Lee



Re: EPSON ET M 1120 new printer: If You can read this, you are using the wrong driver

2023-05-10 Thread Lee
On 5/10/23, Schwibinger Michael  wrote:

nothing of interest .. same as every other day.

*plonk*



Re: disk usage for /usr/lib on bullseye

2023-05-08 Thread Lee
On 5/2/23, Greg Wooledge wrote:
> On Tue, May 02, 2023 at 10:18:10AM +0100, Tixy wrote:
>> On Tue, 2023-05-02 at 17:03 +0800, Bret Busby wrote:
>> > man apt
>>
>> Which doesn't say what 'apt purge' does without a package name. It says
>> 'Performs the requested action on one or more packages specified via
>> regex(7), glob(7) or exact match'. It doesn't go on to say what happens
>> if you leave that blank.
>
> Maybe I can experiment?  Let's see if "apt purge" is a syntax error:
>
> unicorn:~$ apt purge
> E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13:
> Permission denied)
> E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend),
> are you root?
>
> Rats!  No luck here.  Either "apt purge" is not an error, or the argument
> processing and validation happens only after acquiring the lock.
>
> Now we have to tread dangerous waters to find out more information.
>
> unicorn:~$ sudo apt --dry-run
> [sudo] password for greg:
> E: Command line option --dry-run is not understood in combination with the
> other options
>
> OK... that's progress.  It looks like the --dry-run option exists.
> So maybe we can use that to avoid destroying our system by trying commands
> as root.
>
> unicorn:~$ sudo apt --dry-run purge
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

you're a better sysadmin?  I get

$ sudo apt --dry-run purge
[sudo] password for lee:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.10.0-19-amd64 linux-image-5.10.0-20-amd64
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Regards
Lee



Re: WiFi Not Working After System Reinstallation

2023-05-08 Thread Lee
On 5/8/23, Marko Randjelovic  wrote:
> Both systems are fully updated Bullseye on a laptop. I have two access
> points, let's call them A and B. When I connect to A, DHCP does not
> work. When I connect to B, DHCP works, laptop gets an IP address and
> internet works without problems. On the other hand, my mobile phone
> can successfully connect to both. Both APs have enabled DHCP server
> and I made sure the IP ranges do not overlap.

Does access point A have mac-address security enabled?
OpenWRT calls it mac address filter and gives you the choice of
 - disabled                  allows anyone to connect
 - allow listed only         list of mac addresses that are allowed to
                             connect to the AP
 - allow all except listed   why one would pick this instead of allow
                             listed only??

Does the AP have any logging that you could look at?  (dhcp)?diagnostics?

Regards
Lee



Re: relevance of packages in repositories

2023-05-07 Thread Lee
On 5/7/23, Jeffrey Walton wrote:
> On Sun, May 7, 2023 at 7:30 AM Дмитрий wrote:
>>
>> the stable version of Neodim 9.0 in debian 12 is the SEVENTH version, and
>> in order to get the current version, you need to drag something like
>> Homebrew, it really pisses you off and pushes you away from using the
>> distribution
>
> You might give Fedora a try. Its release cadence is every 6 months. At
> each release, Fedora typically supplies the most current version of a
> package.
>
> You may find Fedora aligns better with your requirements.

How about Arch linux?

https://en.wikipedia.org/wiki/Arch_Linux
  Arch Linux is an independently developed, x86-64 general-purpose
Linux distribution that strives to provide the latest stable versions
of most software by following a rolling-release model.



Re: thunderbird missing arrows for scrolling through list of email messages

2023-05-05 Thread Lee
On 5/4/23, zithro wrote:
> On 04 May 2023 22:11, Dan Ritter wrote:
>> zithro wrote:
>>>
>>> Well, I'm currently using "Greybird-dark" (so not the default).
>>> But it seems there's no GUI to alter the theme itself.
>>
>>
>> Right, you have to select a different theme.
>>
>> Or write your own.
>>
>> -dsr-
>
> Well, I just tried half of the stock themes, and some themes show the
> arrows, some don't, but ... it depends on the applications !
>
> As the OP reported, neither Thunderbird nor Firefox display the arrows,
> whereas editors, xterm or file managers do ...
>
> So I guess the problem is REALLY in the Mozilla apps.
> I opened about:config in Firefox (didn't find it in TB), typed
> "scrollbar" and played with some settings.
> "widget.non-native-theme.gtk.scrollbar.allow-buttons" seemed promising,
> but has no effect, even with skins displaying the arrows in other apps.

I think you also need
user_pref("widget.gtk.overlay-scrollbars.enabled", false);

and this is also nice
user_pref("widget.non-native-theme.scrollbar.size.override", 20);

>  From what I read it's a problem with GTK2/3.
>
> PS: no I won't write a theme ^^
> But I may check how to edit one. You know how ?

I think vim is really nice :)

But that's probably not what you want to know, so what I did was to
start with the release tarball from
  https://github.com/grassmunk/Chicago95

unpack it into my home directory and
  mv ~/Templates/Chicago95-2.0.1/Theme/Chicago95/gtk-2.0 /usr/share/themes/Chicago95/
  mv ~/Templates/Chicago95-2.0.1/Theme/Chicago95/gtk-3.0 /usr/share/themes/Chicago95/

From there I can select the Chicago95 theme as any user and if there's
anything I don't like I can, once I figure out wtf needs to be changed
(which can be a non-trivial task for me), make the change.

Regards,
Lee



Re: processing /etc/sysctl.d

2023-05-05 Thread Lee
On 5/4/23, Greg Wooledge wrote:
> On Thu, May 04, 2023 at 01:22:40PM -0400, Lee wrote:
>> OK.. I'll try to figure out how to modify whatever in /etc/NetworkManager
>
> I've been told that Network Manager will ignore any interfaces that
> are defined in /etc/network/interfaces.  So the correct way to set up
> a static address on that interface would be to add it in /e/n/i and
> simply don't touch Network Manager at all.
>
> auto lo
> iface lo inet loopback
>
> auto enp1s0
> iface enp1s0 inet static
> address 192.168.x.y/24
> # gateway 192.168.x.1  if you need this to be the default route
> up sysctl blah blah blah
>
> Also, having "auto enp1s0" here will tell systemd that this interface
> is one that matters, and that this interface needs to be up before it
> can activate any services that depend on the "network being up".  I
> have no idea how that works with N-M because I've never used N-M.

That does sound like the way to go.  I originally tried to configure
the box that way and failed, but it seems like it's worth another try.
But since I ended up with networkmanager because it was the only thing
that worked for me I need to allow enough time for troubleshooting &
restoring everything to my current setup before giving it a try --
which will be Monday at best.

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/4/23, Andy Smith wrote:
> Hello,
>
> On Thu, May 04, 2023 at 08:43:52AM +0200, Michel Verdier wrote:
>> Yes setting parameter on interface is better done in
>> /etc/network/interfaces or /etc/network/interfaces.d/*
>> which is used when the interface is configured
>
> There's definitely race conditions between creation of interface and
> setting of sysctls at boot, so I agree - I don't think I would use sysctl.d
> for any of those interface settings except default/all.
>
> I also don't know if an interface goes away and comes back again (
> think ppp, dummy, VPNs, etc) if it gets the same sysctl settings as
> you set last time or if it just gets the "default" ones all over
> again. I suspect the latter.

enp1s0 does _not_ get the default settings -- I spent way too much
time figuring out how to get ipv6 working on this machine and now,
after upgrading to 11.7, it's broken :(

> So yeah, multiple reasons to not try setting per-interface sysctls
> in sysctl.d.

OK.. I'll try to figure out how to modify whatever in /etc/NetworkManager


  Why isn't that caveat mentioned in the man pages?  It seems like a
rather serious deficiency in sysctl.d


Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/4/23, Michel Verdier  wrote:
> On 4 May 2023 Greg Wooledge wrote:
>
>> A guess: perhaps this parameter cannot be set during the initial boot,
>> because the enp1s0 interface isn't in a working state yet.
>
> Yes setting parameter on interface is better done in
> /etc/network/interfaces or /etc/network/interfaces.d/*
> which is used when the interface is configured
> with a stanza like
>
> auto enp1s0...
>   sysctl net/ipv6/conf/default/accept_ra = 1

I suspect that won't work for me:

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

$ ls -l interfaces.d
total 0

I didn't know what I was doing when I set this machine up & used the
GUI interface to network manager to configure a static ipv4 address.
Or at least I think it's network manager .. ps shows it as
/usr/bin/nm-connection-editor

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/3/23, Andy Smith wrote:
> Hello,
>
> On Wed, May 03, 2023 at 07:50:30PM -0400, Lee wrote:
>> I'm at a loss for how to figure out why my settings aren't taking effect.
>>
>> $ head /etc/sysctl.d/local.conf
>
> […]
>
>> # accept router advertisements
>> net/ipv6/conf/enp1s0/accept_ra = 1
>
> Is it possible that enp1s0 didn't yet exist at the time that
> systemd-sysctl.service ran? To check, you could instead set the key
>
> net/ipv6/conf/default/accept_ra = 1
>
it's already set

> then any new interfaces should get accept_ra=1 as they are created.
>
> Though when I look at my net/ipv6/conf/default/accept_ra it is
> already set to 1, so another possibility is that you have something
> that is setting net/ipv6/conf/enp1s0/accept_ra back to 0 after
> systemd-sysctl.service already set it to 1. NetworkManager is known
> to do this:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025073
>
> So, what are you using to manage enp1s0?

yup - I'm using NetworkManager
I wanted a static ipv4 address and that was the only thing I could get working

Thanks
Lee



Re: processing /etc/sysctl.d

2023-05-04 Thread Lee
On 5/3/23, Greg Wooledge  wrote:
> On Wed, May 03, 2023 at 07:50:30PM -0400, Lee wrote:
>> $ head /etc/sysctl.d/local.conf
>> # my site local preferences
>> #
>> # man sysctl.d
>> #   Configure kernel parameters at boot
>> #   /etc/sysctl.d/*.conf
>> #   key/name/under/proc/sys = some value
>>
>> # accept router advertisements
>> net/ipv6/conf/enp1s0/accept_ra = 1
>>
>>
>> $ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
>> 0
>>
>>
>> Telling the system to read /etc/sysctl.d/local.conf works:
>> $ sudo sysctl --load=/etc/sysctl.d/local.conf
>>   <.. snip lots ..>
>>
>> $ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
>> 1
>>
>> How do I get the system to read it at boot time?
>
> A guess: perhaps this parameter cannot be set during the initial boot,
> because the enp1s0 interface isn't in a working state yet.
>
> If you put another parameter in the same local.conf file, one that's
> *not* tied to a piece of hardware, does it work?

Yes.  All of the directives that do _not_ mention enp1s0 "take".
What's annoying is that all this worked before upgrading to 11.7  ..
and I'm positive of that because this is a server running bind that
now dies on the
  query-source-v6 address xx::yy port *;
line in named.conf :(

Is there a way to get systemd to do  list of commands in
/etc/sysctl.d/something.conf
and  set of commands in /etc/sysctl.d/somethingElse.conf _after_
all the interfaces come up?

Thanks
Lee



processing /etc/sysctl.d

2023-05-03 Thread Lee
How to get /etc/sysctl.d/local.conf directives processed?

I don't see any errors or warnings in the logs that look applicable,
and grep sysctl doesn't give me anything interesting:

$ grep sysctl /var/log/* 2>/dev/null
/var/log/auth.log:May  3 19:41:17 spot sudo:      lee : TTY=pts/0 ;
PWD=/home/lee ; USER=root ; COMMAND=/usr/sbin/sysctl
--load=/etc/sysctl.d/local.conf
/var/log/kern.log:May  2 17:55:03 spot kernel: [0.070323] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  2 18:28:15 spot kernel: [0.070201] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  2 18:34:23 spot kernel: [0.070002] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 18:21:59 spot kernel: [0.069819] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 19:18:01 spot kernel: [0.070156] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/kern.log:May  3 19:29:12 spot kernel: [0.070329] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 17:55:03 spot kernel: [0.070323] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 18:28:15 spot kernel: [0.070201] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  2 18:34:23 spot kernel: [0.070002] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 18:21:59 spot kernel: [0.069819] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 19:18:01 spot kernel: [0.070156] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/messages:May  3 19:29:12 spot kernel: [0.070329] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 17:55:03 spot kernel: [0.070323] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 18:28:15 spot kernel: [0.070201] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  2 18:34:23 spot kernel: [0.070002] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 18:21:59 spot kernel: [0.069819] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 19:18:01 spot kernel: [0.070156] Yama:
disabled by default; enable with sysctl kernel.yama.*
/var/log/syslog:May  3 19:29:12 spot kernel: [0.070329] Yama:
disabled by default; enable with sysctl kernel.yama.*



I'm at a loss for how to figure out why my settings aren't taking effect.

$ head /etc/sysctl.d/local.conf
# my site local preferences
#
# man sysctl.d
#   Configure kernel parameters at boot
#   /etc/sysctl.d/*.conf
#   key/name/under/proc/sys = some value

# accept router advertisements
net/ipv6/conf/enp1s0/accept_ra = 1


$ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
0


Telling the system to read /etc/sysctl.d/local.conf works:
$ sudo sysctl --load=/etc/sysctl.d/local.conf
  <.. snip lots ..>

$ cat /proc/sys/net/ipv6/conf/enp1s0/accept_ra
1

How do I get the system to read it at boot time?

TIA
Lee



Re: how to reverse an IPv4

2023-04-30 Thread Lee
On 4/30/23, cor...@free.fr  wrote:
> Hello list,
>
> I wrote this script for reversing an IP:
>
> #!/bin/bash
>
> IP=$1
>
> if [ -z $IP ];then
>echo "$0 IP"
>exit 1
> fi
>
> REVERSE=$(echo $IP|awk -F\. '{print $4.$3.$2.$1}')
> echo $REVERSE
>
>
> it won't work as the output below.
>
> $ bin/rbl.sh 61.144.56.32
> 325614461
>
>
> The "." was lost.
>
> If I changed the awk line to:
> REVERSE=$(echo $IP|awk -F\. '{print "$4.$3.$2.$1"}')
>
>
> It becomes:
>
> $ bin/rbl.sh 61.144.56.32
> $4.$3.$2.$1
>
>
>
> Can you help with this?

$ cat /tmp/reverse
#!/bin/bash

IP=$1

# quote the variable so an empty argument is still a valid test
if [ -z "$IP" ]; then
  echo "$0 IP"
  exit 1
fi

REVERSE=$(echo "$IP" | awk -F\. '{printf("%s.%s.%s.%s\n", $4, $3, $2, $1) }')
echo "$REVERSE"

$ /tmp/reverse 61.144.56.32
32.56.144.61

Regards
Lee
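As an added example (not the script from the thread), the same reversal done with input validation, plus the DNSBL query name that reversed form is normally built for; `dnsbl.example` in the test is a placeholder zone, not a real list.

```shell
#!/bin/sh
# Added example, not from the thread: reverse an IPv4 address's octets,
# refusing anything that is not a dotted quad with octets in 0..255, so
# that a DNSBL lookup name is never built from garbage input.
# POSIX sh; only awk is used.

# reverse_ip A.B.C.D  ->  D.C.B.A
# Prints nothing and returns 1 when the argument is not a valid dotted quad
# (wrong field count, non-numeric field, or an octet above 255).
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            # %d also drops any leading zeros, e.g. 010 -> 10
            printf("%d.%d.%d.%d\n", $4, $3, $2, $1)
        }'
}

# rbl_name A.B.C.D ZONE  ->  D.C.B.A.ZONE
# ZONE is whatever DNSBL zone the site queries (a placeholder here).
# Fails without output when reverse_ip rejects the address.
rbl_name() {
    _rev=$(reverse_ip "$1") || return 1
    printf '%s.%s\n' "$_rev" "$2"
}
```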



Re: repeat of previous question that has gone unanswered several times.

2023-04-30 Thread Lee
On 4/30/23, gene heskett  wrote:
> Greetings all;
>
> I have a mixed home network, some buster, some bullseye, all up to date
> a/o yesterday.
>
> I have 2 printers shared on this bullseye main box, available as 5 or 6
> printers, each configured in cups to do a specific job. Good printers,
> both running on brother's own linux drivers for that printer.
>
> All my buster machines can use both of these printers just as if they
> were plugged into that machine, but a machine shop full of sawdust and
> metal shavings is not a good printer environment, even if there was room
> for them, which there isn't.
>
> All of my bullseye machines are locked out, printer screen at
> localhost:631 is empty, and no printers can be found and added.
>
> But open a shell, and type "lpstat -t" and it gets the full list of
> available printers on that same bullseye machine whose cups output is
> empty.
>
> Why?

Take a look at
  https://wiki.debian.org/CUPSQuickPrintQueues

The quick ref is to install avahi-utils and run
  avahi-browse -rt _ipp._tcp  | grep URF

If you get a line matching URF the printer supports the AirPrint
service.  Install cups and see if it works (which is all that I needed
to do to get the printer working).  If no, what does

  avahi-browse -rt _ipp._tcp

and

  systemctl status avahi-daemon

show you?

Regards,
Lee



Re: Wireshark does not show physical interfaces for capture

2023-04-29 Thread Lee
On 4/29/23, Victor Sudakov wrote:
> Lee wrote:
>> On 4/29/23, Victor Sudakov wrote:
>
> [dd]
>
>> >
>> > However when I startup wireshark from the GUI, it does not show the
>> > physical interfaces in the list of interfaces to capture from, so I
>> > cannot really capture anything from the non-root user. When started
>> > via sudo, it does show enp3s0 and other interfaces and can capture.
>> >
>> > What am I missing?
>>
>> See if the interfaces have been hidden from the GUI.  eg
>> $ grep devices_hide .config/wireshark/preferences
>> capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session
>
> Nothing much there:
>
> $ grep devices_hide .config/wireshark/preferences
> #capture.devices_hide:
>
>>
>> Or check from the GUI:
>> Capture / Refresh Interfaces
>
> Does not add the NICs to the list.
>
>> Capture / Options
>> select the Input tab and click Manage Interfaces
>> select the Local Interfaces tab and make sure there's a checkmark
>> under Show for all the physical interface names
>
> I don't see any physical interfaces there, this is all I see:
> https://ibb.co/190ytwv

Have you looked at
https://www.wireshark.org/faq.html#capprobunix

I have a vague memory of having to do
  sudo dpkg-reconfigure wireshark-common
a few years ago before I was able to capture packets without using sudo

Regards
Lee



Re: Wireshark does not show physical interfaces for capture

2023-04-29 Thread Lee
On 4/29/23, Victor Sudakov  wrote:
> Dear Colleages,
>
> My user is a member of the "wireshark" group and can start /usr/bin/dumpcap
> all right:
>
> $ ls -al /usr/bin/dumpcap
> -rwxr-xr-- 1 root wireshark 129696 мар  4  2022 /usr/bin/dumpcap
>
> $ id
> uid=1000(vas) gid=1000(vas)
> группы=1000(vas),4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),30(dip),44(video),46(plugdev),121(lpadmin),136(lxd),137(sambashare),138(wireshark),1002(admin)
>
> $ /usr/bin/dumpcap
> Capturing on 'enp3s0'
> File: /tmp/wireshark_enp3s0Y3LW31.pcapng
> Packets captured: 126
> Packets received/dropped on interface 'enp3s0': 126/0
> (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
> $
>
> However when I startup wireshark from the GUI, it does not show the
> physical interfaces in the list of interfaces to capture from, so I
> cannot really capture anything from the non-root user. When started
> via sudo, it does show enp3s0 and other interfaces and can capture.
>
> What am I missing?

See if the interfaces have been hidden from the GUI.  eg
$ grep devices_hide .config/wireshark/preferences
capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session

Or check from the GUI:
Capture / Refresh Interfaces
Capture / Options
select the Input tab and click Manage Interfaces
select the Local Interfaces tab and make sure there's a checkmark
under Show for all the physical interface names

Regards,
Lee



Re: What do all those "* * *" mean on a traceroute log?

2023-04-13 Thread Lee
On 4/12/23, Albretch Mueller  wrote:
>  I have found a few examples and "explanations" but in the cases of
> the examples I have seen by other people, like:
>
> https://serverfault.com/questions/733005/what-does-having-mean-in-the-command-traceroute-and-how-can-you-cope-wit
>
>  It is not with every site and it is mostly with one hop. I my case it
> is with all sites and once the packets reach the web (from hop 5 to
> 30), from wherever I connect to the Internet. Why would that happen

you should probably start off with
  https://archive.nanog.org/sites/default/files/10_Roisman_Traceroute.pdf
A Practical Guide to (Correctly)
Troubleshooting with Traceroute

> and why would that -consistently- "happen" to me?

Ask your ISP - or VPN provider or whatever it is that you're using..
I did a search on your _gateway (199.83.128.1) address and found
  https://www.sitelock.com/blog/sitelock-trueshield-web-application-firewall-updates/
  SiteLock TrueShield Complete IP Range in long form:
  199.83.128.1-199.83.135.254

Maybe they can explain what's going on?

Interestingly enough, I tried a traceroute to the last ip address that
answered in your traceroute and got an answer from
1. my router
2. my ISP's router
and nothing else !??

It seems that Verizon doesn't have a route to 199.83.128.1 --
  https://www.verizon.com/business/why-verizon/looking-glass/
doesn't show anything for 199.83.128.1, so I'm guessing verizon is
doing some form of Unicast Reverse Path Filtering (URPF) and dropping
all  those packets that don't have a route to the destination

I also tried a traceroute to your _gateway (199.83.128.1) and got
$ traceroute 199.83.128.1
traceroute to 199.83.128.1 (199.83.128.1), 30 hops max, 60 byte packets
<.. snip ..>
 4  0.ae5.BR2.IAD8.ALTER.NET (140.222.6.175)  12.963 ms
0.ae1.BR2.IAD8.ALTER.NET (140.222.239.85)  9.400 ms
0.ae5.BR2.IAD8.ALTER.NET (140.222.6.175)  12.919 ms
 5  ash-b2-link.ip.twelve99.net (80.239.135.178)  9.211 ms  9.334 ms  9.424 ms
 6  imperva-svc087369-lag004786.ip.twelve99-cust.net (62.115.55.139)
9.612 ms  7.612 ms  7.445 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
   ... etc

And finally
  https://bgp.tools/prefix/199.83.128.0/24#connectivity

  Anycast Detected

  When bgp.tools scanned this prefix, we found that 199.83.128.0 was anycasted.

  Upstreams This info take up to 6 hours to fully update
ASN Description
AS2914  NTT America, Inc.
AS1299  Arelion (fka. Telia Carrier)

So it seems you're doing something ... different.

Regards,
Lee


>
> $ traceroute google.com
> traceroute to google.com (172.217.0.174), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  6.687 ms  6.660 ms  6.683 ms
>  2  199.83.240.2 (199.83.240.2)  6.101 ms  6.622 ms  6.610 ms
>  3  ad.nypl.org (199.254.254.1)  6.600 ms  6.588 ms  6.577 ms
>  4  199.254.252.1 (199.254.252.1)  6.566 ms  6.590 ms  6.738 ms
>  5  * * *
> . . .
> 30  * * *
>
> $ traceroute microsoft.com
> traceroute to microsoft.com (20.81.111.85), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  12.353 ms  12.319 ms  12.306 ms
>  2  199.83.240.2 (199.83.240.2)  11.803 ms  12.281 ms  12.268 ms
>  3  ad.nypl.org (199.254.254.1)  12.256 ms  12.244 ms  12.231 ms
>  4  199.254.252.1 (199.254.252.1)  12.255 ms  12.243 ms  12.511 ms
>  5  * * *
> . . .
> 30  * * *
>
> $ traceroute debian.org
> traceroute to debian.org (149.20.4.15), 30 hops max, 60 byte packets
>  1  _gateway (199.83.128.1)  16.821 ms  17.804 ms  17.784 ms
>  2  199.83.240.2 (199.83.240.2)  4.739 ms  5.086 ms  5.070 ms
>  3  ad.nypl.org (199.254.254.1)  5.054 ms  5.389 ms  5.023 ms
>  4  199.254.252.1 (199.254.252.1)  6.805 ms  6.282 ms  6.773 ms
>  5  * * *
> . . .
> 30  * * *
>
>  lbrtchx
>
>



Re: apt temporary failure resolving deb.debian.org

2023-04-09 Thread Lee
On 4/9/23, Tim Woodall  wrote:
> On Sun, 9 Apr 2023, Badli Al Rashid wrote:
>
>> Hi All,
>>
>> Gooday everybody. Anyone having temporary failure when running apt update
>> with own bind local resolver ? I got a temporary failure resolving
>> deb.debian.org and www.debian.org since last week thursday. I can resolve
>> other sites like www.kernel.org and others.
>>
>> When I switch to other DNS servers I can resolve www.debian.org.
>>
>> The command dig with +cd option I was able to resolve dwb.debian.org and
>> www.debian.org.
>>
>> I am using bullseye bind packages and then upgraded to bind to sury to
>> test. It is still the same.
>>
>
> I've also been having severe problems resolving debian.org domains.
>
> I've now turned off dnssec validation on my bind server.
>
>
> //
>  // If BIND logs error messages about the root key being expired,
>  // you will need to update your keys.  See
>  // https://www.isc.org/bind-keys
>
> //
>  dnssec-validation no;

If it was "yes" that might be the problem.

  dnssec-validation auto;
  # If dnssec-validation is set to auto, then a default trust
  # anchor for the DNS root zone will be used.
  # If it is set to yes, however, then at least one trust anchor
  # must be configured with a trusted-keys or managed-keys
  # statement in named.conf, or DNSSEC validation will not occur.
  # The default setting is yes.

The only DNS issues I've noticed are NTP starting before BIND at boot
time and all the
  N.debian.pool.ntp.org
queries failing until bind is up and running.

Regards
Lee



Re: what's the right way to resolve localhost's IPs

2023-03-23 Thread Lee
On 3/23/23, Nicolas George  wrote:
> Jeremy Ardley (12023-03-23):
>> On your second topic I don't usually run firewalls on my cloud severs.
>
> But surely on a server the network configuration is static, including
> the firewall rules, isn't it?

Consider the IP addressing info coming from DHCP.  The network
configuration stays the same but the IP(v6)? address might change.

For example, Verizon is my ISP; they delegate a /56 to my router and
the router delegates /64's to the LANs.  I've got DHCP configured to
give out static host addresses to the various machines but the network
portion of the ipv6 address does change at Verizon's whim .. which
requires firewall rule changes because I haven't figured out how to
automatically plug in the newly delegated /64 into the firewall rules
for that lan :(

Regards,
Lee



Re: No /

2023-03-15 Thread Michael Lee
Thanks David. Steps 1 through 6 describe just how the present drama
unfolded. Good thinking. This is, I imagine, also what happens anytime
power is taken away before COW has been able to do its thing. 
Is there a way to fix this, or is a re-installation the only remedy?

Michael
On Monday, 13.03.2023 at 14:03 -0500, David Wright wrote:



Re: No /

2023-03-14 Thread Michael Lee
Thanks David. Steps 1 through 6 describe just how the present drama
unfolded. Good thinking. 

On Monday, 13.03.2023 at 14:03 -0500, David Wright wrote:


Re: No /

2023-03-13 Thread Michael Lee
Hello Tom, thanks for the reply. Good detective work. 

No, actually not; it's the SSD with the Debian on it. 

Michael

On Wednesday, 08.03.2023 at 12:45 +, Tom Furie wrote:


Re: No /

2023-03-13 Thread Michael Lee
I'd like to help my system find its root, and so be able to complete
the boot up.
Michael

On Tuesday, 07.03.2023 at 11:45 -0500, Dan Ritter wrote:
> Michael Lee wrote: 
> > Is it possible to reinstall the system and still retain the
> > settings,
> > logins, etc.? 
> 
> Not as such.
> 
> That said: what do you actually want to accomplish? There may be
> ways to do what you want with less effort.
> 
> -dsr-
> 



No /

2023-03-07 Thread Michael Lee
Is it possible to reinstall the system and still retain the settings,
logins, etc.? 

Michael Lee


Boot Errors

2023-03-02 Thread Michael Lee
While running the stable branch of 64-bit Debian, rebooted into an
alternative OS, but forgot to unmount a USB device beforehand. Shutdown
was taking too long, so forced it anyway. Now when I try to start
Linux, I get these error messages: 

[1.922640] platform gpio_ich.2.auto: failed to claim resource 0:[io
0x0480-0x04ff] 
[8.934607] BTRFS error (device sdc2): parent transid verify faild on
176160768 wanted 680981 found 680979
[8.934649] BTRFS error (device sdc2): failed to read block groups 1 - 5
[8.935724] BTRFS error (device sdc2): open_ctree failed 
mount: mounting /dev/sdc2 on /root failed: invalid argument 
failed to mount /dev/sdc2 as root file system 

Then the initramfs command prompt appears. A little hard to find much
on that.  

Read in the btrfs wiki that <-o ro,usebackuproot> with the mount
command could help when the "wanted" and "found" numbers were not too
far apart. 

mount -t btrfs -o ro,usebackuproot /dev/sdc2 
TRIED with: /sysroot
GOT: mount: mounting /dev/sdc2 on /sysroot failed: invalid argument
TRIED with: / 
GOT: mount: mounting /dev/sdc2 on / failed: invalid argument 
TRIED with: /root
GOT: mount: mounting /dev/sdc2 on /root failed: invalid argument 

Is this a GRUB issue, a btrfs issue, or must I reinstall the operating
system, and if so where can I find out which files must be preserved in
order to maintain continuity? 



is there a tcp window size restriction?

2023-01-02 Thread Lee
I just noticed that I can't get a 1MB tcp window on debian 11

$ iperf --version
iperf version 2.1.4 (18 August 2021) pthreads

$ iperf -s -w 1M --time 60 -i 10

Server listening on TCP port 5001
TCP window size:  416 KByte (WARNING: requested 1.00 MByte)


The exact same software (.. or at least the same source code) on a
windows 10/cygwin machine says I get the full 1MB tcp window size:
TCP window size: 1.00 MByte

So is there something on the Debian machine limiting the tcp window &
if so, how do I change it.

Thanks
Lee



Re: colorscheme in vi

2022-12-23 Thread Lee
On 12/23/22, Thomas Schmitt wrote:
> Hi,
>
> Curt wrote:
>> You'd think it would be more a question of the terminal.
>
> I myself am living happily with
>   :syntax off
>
> This reduces the flippy-colorful appearance of vim to what i have chosen
> as -bg and -fg of my xterms.

I used to agree with you about the flippy colors but then I tried
  https://github.com/egberts/vim-syntax-bind-named
and it is _so_ much easier editing a bind RPZ file with syntax errors
highlighted (unless your eyesight is good enough to easily tell the
difference between a comma and a period .. then maybe not so much
better)
and a happy extra is that editing other types of files is also easier
with syntax coloring .. but again, maybe I think it's better because
of my poor eyesight

Regards,
Lee



Re: use of awk instead of complex multielement commands (was Re: 'grep -o -m' (was Re: Can't mount CD image of Win95 game))

2022-12-20 Thread Lee
On 12/20/22, David  wrote:
> On Tue, 20 Dec 2022 at 22:04, David  wrote:
>> On Tue, 20 Dec 2022 at 22:02, David  wrote:
>
>> > $ echo -e '100:CD001\n200:CD001' | awk 'BEGIN { FS=":" } /CD001/ &&
>> > NR==1 { print $1 - 50 }'
>> > 50
>>
>> Oops, my mistake, that's not the solution. Give me another minute and I
>> will post a better one.
>
> The below does a better job:
> (command should be all on one line)
>
> $ echo -e '100:CD001\nXXX\n200:CD001' | awk 'BEGIN { FS=":" ; done=0 }
> /CD001/ && done==0 { print $1 - 50 ; done=1 }'
> 50

You can do it without flags:

$ echo -e '100:CD001\nXXX\n200:CD001' | awk -F: '/CD001/ { print $1 - 50 ; exit }'
50



Re: Getting PC with Ubuntu; change to Debian?

2022-12-05 Thread Lee
On 12/4/22, Patrick Wiseman wrote:
> Hello, fellow Debian users:
>
> I've had Debian on my computers for a very long time (can't remember
> exactly when but early 2000's for sure); and I've had Lenovo laptops for
> ages too. I finally need to replace my main laptop (an at least 10-year old
> ThinkPad), so I've bought an X1 from Lenovo, with Ubuntu pre-installed (to
> be delivered in January).
>
> So, a question. Should I side-grade to Debian (and, if so, how easy would
> it be to do that?)? Or will I be happy with Ubuntu (which is, after all, a
> Debian derivative)?

"happy" is a personal judgement, so I'll just go with mine - I like
Debian's philosophy & I don't like Ubuntu's

https://www.omgubuntu.co.uk/2018/02/ubuntu-data-collection-opt-out
  Since few (if any) users would choose to opt-in to share this sort
of data, Canonical is making participation in the scheme entirely
opt-out.

https://nakedsecurity.sophos.com/2012/11/01/ubuntu-search-amazon-privacy/
  ... users can choose not to search Amazon if they want, while future
releases will make it easier to opt-out of searching across third
party services

I'd rather opt-out of using anything from a company that does opt-out
data collection.
   ... and yeah.. I still use firefox, so that's clearly a preference
instead of a hard rule.

And there's been talk about a Canonical IPO for ages - eg
https://www.datamation.com/open-source/what-are-the-chances-for-an-ubuntu-ipo/
from 2015

and now
https://techcrunch.com/2022/04/21/canonical-now-hopes-to-ipo-in-2023/

My assumption is that they're going to have to do more to generate
income and I'd rather read about how they've monetized their users
than find out first-hand.

Regards,
Lee



Re: Logout at apt upgrade

2022-11-30 Thread Lee
On 11/30/22, to...@tuxteam.de  wrote:
> On Wed, Nov 30, 2022 at 12:44:49AM +0100, DdB wrote:
>> Am 29.11.2022 um 23:35 schrieb Loïc Grenié:
>> > when I apt upgrade my system, I often (one every three, more
>> >   or less) find myself brutally logged out of the window system,
>> >   with systemd services painfully restarting (or failing to restart).
>> >   The only way I can recover is usually to reboot.
>>
>> Yes, i see similar problem, and AFAICT it is somewhat related to my use
>> of GNOME3. They insist on restarting the system for almost all package
>> updates, but sometimes, i refuse to and keep the machine running without
>> updating it. I am aware, this could cause troubles on the security-side.
>> That is why i am keeping a long list of system-backups.
>
> FWIW it never happened to me. But: I'm on a pretty minimal system by
> today's standards (X, Fvwm). The only application behaving strangely
> after a dist-upgrade is... the browser, Firefix: "Ohmigod, something
> funny happened, I'll have to close this tab, I'm sooo sorry".
>
> So it seems to be related to Gnome's love for complexity, yes (any
> KDE/XFCE users out there?)

XFCE user here - it's never happened to me.  Then again, I use the
synaptic package manager instead of apt upgrade so that might have
something to do with it.   And the needrestart package plays very
nicely with the synaptic package manager - after updating software I
get a popup offering to restart processes whose files were just
updated

Regards,
Lee



Re: Simple HTML & CSS code.

2022-10-25 Thread Lee
On 10/25/22, pe...@easthope.ca wrote:
> Hi,
>
> Off scope but I don't know a better place to ask.
>
> If this HTML text is in a file, a browser should be able to render it.
>
> 
> 
> 
>  Test.html
> 
> 
>body { color: black; background: white; }
>div.inline { display: inline; justify-content: space-between; }
> 
> 
> 
> leftright
> 
> 
>
> In bullseye, Firefox-esr, "leftright" is rendered at the left edge of
> the window.
>
> CSS "inline" puts the two words on a line as expected.
>
> I included "justify-content: space-between" with the objective of
> putting "left" at the left of the window and "right" at the right.
>
> Why doesn't it work?

dunno

>  How should it be fixed?

I don't know how it _should_ be fixed, but this works for me


  left
  right



Regards,
Lee



Re: shellworld.net (for visually impaired users), (was: Re: question for seasoned links users?)

2022-09-17 Thread Lee
On 9/17/22, Maude Summerside  wrote:
   <.. snip ..>
> Screen reader or not, what don't you understand by STOP TOP POSTING ?

*plonk*



Re: Paying Debian contributors (Was Re: Advantages/Disadvantages of Open Source Software)

2022-09-15 Thread Lee
On 9/15/22, Chuck Zmudzinski  wrote:
>
> So I have to pay someone lots of money to fix a problem I already know how
> to fix?
> I don't think you really understand my use case very well.

I surely don't.  If you know how to fix whatever why haven't you fixed
it already?

Lee



Re: netperf / MIT License is not open source?

2022-08-15 Thread Lee
On 8/14/22, Nate Bargmann wrote:
> * On 2022 14 Aug 09:09 -0500, Lee wrote:
>> On 8/14/22, David Wright wrote:
>> > On Sat 13 Aug 2022 at 19:23:46 (+0100), piorunz wrote:
>> >> On 13/08/2022 18:30, Lee wrote:
>> >> > I just noticed that the netperf package is in the [non-free]
>> >> > repository
>> >> >https://packages.debian.org/bullseye/netperf
>> >> > which seems wrong.
>>   <.. snip ..>
>> >> It seems that this package license has changed from full HP copyright
>> >> to
>> >> MIT, on 20 January 2021.
>> >
>> > The version in bullseye looks as if it was built on 15 November 2020 …
>> >
>> >> Perhaps package needs updating in Debian repository :)
>> >
>> > … and has not yet needed upgrading for bookworm AFAICT (amd64).
>>
>> argh.. I keep forgetting how long it takes for new software to migrate
>> into the stable branch of Debian :(
>
> Even if the package is updated and put into the Free archive, the only
> way it would make it into Bullseye is if it is uploaded to backports and
> the user has that repository enabled.  Otherwise, at best it will go
> into Bookworm.  At least that is how things usually work out.

Right.  My phrasing could have been better; I was thinking "stable"
gets updated about every two years, but testing => stable is more of a
replacement than a migration.

Best Regards,
Lee



Re: auth log full with

2022-08-14 Thread Lee
On 8/14/22, Matthias Böttcher wrote:
> Am So., 14. Aug. 2022 um 09:51 Uhr schrieb Reco :
>
>> Personally I don't use fail2ban for sshd. Because why bother with
>> userspace (written in python too, yuck) if the kernel does the same job?
>> I.e. block M$ AS, China Telecom AS and maybe add Eastern Europe to the
>> mix, and you've just reduced the number of offending logins by two
>> orders of magnitude.
>
> Hi Reco,
>
> how do I block these ip ranges?
> Which source can I use to determine the geo location of ip addresses?

I'd suggest a white-list approach - ie. allow ssh from 
networks instead of playing whack-a-mole, but if you _really_ want to
block by country

1. learn expect

2. figure out how to script this bit:

get a list of ASNs (Autonomous System Number) for that country - eg
  https://ipinfo.io/countries/cn

find some route servers that give you telnet access - eg.
  https://bgp4.as/looking-glasses
you want the
  CATEGORY 2 - IPv4 AND IPv6 BGP ROUTE SERVERS BY REGION (TELNET ACCESS)
table at the end of the page

figure out the correct syntax for showing bgp routes transiting the target ASN
for cisco routers it's  "sh ip bgp regexp _ASN#_" so show all routes
transiting that ASN

route-server.he.net  seems to be a cisco router, so
$ telnet route-server.he.net
  ...
route-server> sh ip bgp regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
  i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 * i 36.111.0.0/20    64.62.244.62             0    100      0 4134 4134 4812 i
 *>i                  118.85.205.25                 100      0 4134 4812 i
 * i                  118.85.205.25                 100      0 4134 4812 i
 * i                  216.218.252.178          0    100      0 4134 4134 4812 i
 * i                  216.218.252.164          0    100      0 4134 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  118.85.205.25                 100      0 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  64.62.244.62             0    100      0 4134 4134 4812 i
 * i                  64.62.151.102            0    100      0 4134 4134 4812 i
 * i                  64.62.244.62             0    100      0 4134 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  209.51.191.134           0    100      0 4134 4134 4812 i
 * i                  216.218.252.169          0    100      0 4134 4134 4812 i
 * i 36.255.128.0/22  118.85.205.25                 100      0 4134 4812 63570 i
 * i                  118.85.205.25                 100      0 4134 4812 63570 i
 *>i                  118.85.205.25                 100      0 4134 4812 63570 i
 * i 40.0.176.0/21    62.115.181.197          48     70      0 1299 4134 4812 4249 i
 * i                  62.115.14.5             48     70      0 1299 4134 4812 4249 i

And don't forget to block ipv6, so
route-server> sh bgp ipv6 regexp _4812_
BGP table version is 0, local router ID is 64.62.142.154
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
  i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 * i 2400:6600::/32   2a04:f580:8210:100::9
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:38e::2
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:38e::2
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:5f::2
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:1a::1
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:5f::2
                                               0    100      0 4134 4812 9812 i
 * i                  2001:470:0:5f::2
                                               0    100      0 4134 4812 9812 i

Regards,
Lee
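The scripting step of the procedure above, as an added example that is not code from the thread: it parses 'sh ip bgp regexp _ASN_' output (the captures below are constructed to mirror the route-server.he.net layout quoted in the post, including the blank Network column and the wrapped path lines), turns the prefixes into nftables sets that drop SSH from them, and flags prefixes that only transit the ASN, since the regexp also matches routes originated by that ASN's customers. The nft syntax is standard nftables; set names such as blocked_v4 are made up for the example.

```python
"""Turn 'show ip bgp regexp _ASN_' route-server output into nftables sets.

Added example for the procedure in the post; not code from the thread.  The
captures below are constructed to mirror the quoted layout (same prefixes,
AS paths and Cisco IOS column wrapping).
"""
import ipaddress

# Constructed sample: the IPv4 table as printed by 'sh ip bgp regexp _4812_'.
SAMPLE_V4 = """\
route-server> sh ip bgp regexp _4812_
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 * i 36.111.0.0/20    64.62.244.62             0    100      0 4134 4134 4812 i
 *>i                  118.85.205.25                 100      0 4134 4812 i
 * i 36.255.128.0/22  118.85.205.25                 100      0 4134 4812 63570 i
 * i 40.0.176.0/21    62.115.181.197          48     70      0 1299 4134
                                                                4812 4249 i
"""

# Constructed sample: the IPv6 table, where IOS wraps each path onto a second line.
SAMPLE_V6 = """\
route-server> sh bgp ipv6 regexp _4812_
     Network          Next Hop            Metric LocPrf Weight Path
 * i 2400:6600::/32   2a04:f580:8210:100::9
                                              0    100      0 4134 4812 9812 i
 * i                  2001:470:0:38e::2
                                              0    100      0 4134 4812 9812 i
"""

ORIGIN_CODES = {"i", "e", "?"}


def parse_bgp_table(text):
    """Map each prefix to the set of origin ASNs seen for it, in table order.

    Two layouts need care: a blank Network column means "same prefix, another
    path", and a wrapped line carries the tail of the previous entry's path.
    """
    table, current, in_table = {}, None, False
    for line in text.splitlines():
        tokens = line.split()
        if not in_table:
            in_table = tokens[:2] == ["Network", "Next"]
            continue
        if not tokens:
            continue
        for tok in tokens:
            if "/" in tok:
                try:
                    current = ipaddress.ip_network(tok, strict=False)
                    break
                except ValueError:
                    continue
        if current is None:
            continue
        origins = table.setdefault(current, set())
        # The origin AS is the last AS number before the origin code (i / e / ?).
        if len(tokens) >= 2 and tokens[-1] in ORIGIN_CODES and tokens[-2].isdigit():
            origins.add(int(tokens[-2]))
    return table


def transit_only(table, asn):
    """Prefixes that 'regexp _ASN_' matched although every path originates
    elsewhere: blocking them also blocks the ASN's downstream customers."""
    return [p for p, origins in table.items() if origins and asn not in origins]


def nft_set(name, addr_type, nets):
    elements = ", ".join(str(n) for n in nets)
    return (f"  set {name} {{\n    type {addr_type}\n    flags interval\n"
            f"    elements = {{ {elements} }}\n  }}")


def render_ruleset(table, label="blocked"):
    """nftables table dropping SSH from every prefix; set names are made up."""
    v4 = [p for p in table if p.version == 4]
    v6 = [p for p in table if p.version == 6]
    lines = ["table inet filter {"]
    if v4:
        lines.append(nft_set(f"{label}_v4", "ipv4_addr", v4))
    if v6:
        lines.append(nft_set(f"{label}_v6", "ipv6_addr", v6))
    lines += ["  chain input {", "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append(f"    ip saddr @{label}_v4 tcp dport 22 drop")
    if v6:
        lines.append(f"    ip6 saddr @{label}_v6 tcp dport 22 drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_bgp_table(SAMPLE_V4)
    table.update(parse_bgp_table(SAMPLE_V6))
    print(render_ruleset(table))
    for prefix in transit_only(table, 4812):
        print(f"# {prefix} only transits AS4812; origin {sorted(table[prefix])}")
```

The real procedure still needs the expect/telnet capture from step 1 feeding this parser, and the sets need refreshing as the route table changes.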



Re: netperf / MIT License is not open source?

2022-08-14 Thread Lee
On 8/14/22, David Wright wrote:
> On Sat 13 Aug 2022 at 19:23:46 (+0100), piorunz wrote:
>> On 13/08/2022 18:30, Lee wrote:
>> > I just noticed that the netperf package is in the [non-free] repository
>> >https://packages.debian.org/bullseye/netperf
>> > which seems wrong.
  <.. snip ..>
>> It seems that this package license has changed from full HP copyright to
>> MIT, on 20 January 2021.
>
> The version in bullseye looks as if it was built on 15 November 2020 …
>
>> Perhaps package needs updating in Debian repository :)
>
> … and has not yet needed upgrading for bookworm AFAICT (amd64).

argh.. I keep forgetting how long it takes for new software to migrate
into the stable branch of Debian :(

Thanks
Lee



Re: netperf / MIT License is not open source?

2022-08-14 Thread Lee
On 8/13/22, piorunz wrote:
> On 13/08/2022 18:30, Lee wrote:
>> I just noticed that the netperf package is in the [non-free] repository
>>https://packages.debian.org/bullseye/netperf
>> which seems wrong.
>>
>> Is the MIT license really not compatible with open source or is the
>> netperf package using outdated licensing info or .. what?
>
> Very interesting. I don't know about this specific package, but MIT in
> general is allowed in DSFG.

thanks for confirming MIT is allowed as open source

> For example, this package is full MIT and its in Debian:
> https://packages.debian.org/sid/kraptor
>
> netperf license, as seen on
> https://metadata.ftp-master.debian.org/changelogs//non-free/n/netperf/netperf_2.7.0-0.1_copyright,
> still reads:
>
> Copyright (C) 1993 Hewlett-Packard Company
> ALL RIGHTS RESERVED.
>
> It must have been recently this package changed from Copyright (C) 1993
> Hewlett-Packard Company to MIT license, and Debian didn't catch up to
> this fact yet?
>
> Also their github README states:
> "This version of netperf has been opensourced by Hewlett Packard
> Enterprise using the MIT license."
> And also
> "Licenses updated."
>
> Maybe older versions indeed were not under MIT.
>
> EDIT: Ok I think I found it.
> https://github.com/HewlettPackard/netperf/commit/2d88bcc75d97f462eafe8605f8da0c1f875b7dad
>
> It seems that this package license has changed from full HP copyright to
> MIT, on 20 January 2021.
>
> Perhaps package needs updating in Debian repository :)

Wow!!  Good detective work; that would explain why it's in non-free.

Thanks
Lee



netperf / MIT License is not open source?

2022-08-13 Thread Lee
I just noticed that the netperf package is in the [non-free] repository
  https://packages.debian.org/bullseye/netperf
which seems wrong.

Is the MIT license really not compatible with open source or is the
netperf package using outdated licensing info or .. what?

The debian package copyright file link points to
  
https://metadata.ftp-master.debian.org/changelogs//non-free/n/netperf/netperf_2.7.0-0.1_copyright
which has
  Upstream Authors:
  Copyright 1993-2007 Hewlett-Packard Company

but the homepage link points to
  https://github.com/HewlettPackard/netperf
which has a COPYING file pointing to
  https://github.com/HewlettPackard/netperf/blob/master/COPYING
which has
   HewlettPackard/netperf is licensed under the
  MIT License
  #  Copyright 2021 Hewlett Packard Enterprise Development LP

Thanks
Lee



Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)

2022-08-02 Thread Lee
On 8/2/22, rhkra...@gmail.com wrote:
> On Monday, August 01, 2022 12:08:47 PM Lee wrote:
>> Verizon FIOS finally rolled out IPv6 in my area.  yay!
>
> I guess if I read that right, Verizon still supports IPv4 and has not
> announced any plans to discontinue it?

correct
it's quite likely that I'll be dead before IPv4 goes away.

> I feel like I'm getting too old to learn (too many) new things, so if my ISP
> made a similar announcement, I'd want to stick with IPv4.

If it helps, IPv6 seems faster.  It _is_ a huge learning curve.. but
dumping all the kludges that were required to get a world-wide network
to fit into a 32 bit address space seems worthwhile even if not
absolutely required now.

> Or, I'd be looking for a very simple explanation of how to switch to and use
> Ipv6 -- not looking for that now, but I might have to at some point. :-(

yeah.. nothing simple that I've seen :(

Regards,
Lee



Re: ipv6: static ipv6 address with dynamic network address possible?

2022-08-02 Thread Lee
On 8/2/22, Tim Woodall wrote:
> On Tue, 2 Aug 2022, Lee wrote:
>
>> On 8/2/22, Tim Woodall wrote:
>>> On Mon, 1 Aug 2022, Lee wrote:
>>>
>>>> Verizon FIOS finally rolled out IPv6 in my area.  yay!  I'd like for
>>>> my Debian server to have a static IPv6 address.. same as I have for
>>>> IPv4.  But how to do that?
>>>>
>>>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>>>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>>>
>>>> I haven't been able to figure out how to assign a static address when
>>>> the network part might [will] change.. so I've got everything using
>>>> managed addresses (ie. dhcp6).  So effectively the server has a static
>>>> address, but still.. I'd rather not depend on DHCPv6
>>>>
>>>> Thoughts on how2?
>>>>
>>> Not sure I exactly understand what you want but you can specify the
>>> local part of an SLAAC ipv6 address thus:
>>>
>>> iface eth0 inet6 auto
>>>  pre-up echo 64 > /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>>>  pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0
>>
>> Yes!! That looks like what I want.
>> Where does it go if I want it always done at boot time?
>>
>
> I've got it in /etc/network/interfaces.d/eth0
>
> but whereever you've put the network configuration
> /etc/network/interfaces perhaps?

*sigh*  Back when I first set up this machine I couldn't figure out
how to get the /etc/network/xxx config to work.  I ended up using the
Advanced Network Configuration GUI that set up /etc/NetworkManager
files.

Hopefully you've given me enough of a hint that I can figure out the
rest for myself

Thanks
Lee



Re: ipv6: static ipv6 address with dynamic network address possible?

2022-08-02 Thread Lee
On 8/2/22, Jeremy Ardley wrote:
>
> On 2/8/22 9:50 pm, Tim Woodall wrote:
>>
>>> This is a DNS & NTP server, so it needs a static address.  I'd also
>>> like different firewall rules for different machines.. which also
>>> requires static addresses for at least some machines.
>>>
>>
>> Yes there is - see my earlier reply.
>>
>> ip token set ::/64 dev eth0
>>
>> (I think you might be able to do this after the interface has an IP and
>> it will then acquire an additional IP but I might be misremembering. I
>> use a pre-up command in e/n/i)
>>
>> But SLAAC should normally give you a static address anyway, just tied to
>> your mac address (which maybe you don't want)
>>
>
> You can just run your network using auto-generated link-local addresses
> fe80::/64 and use IPv6 NAT on the firewall/router for external access.

Thanks, but unless absolutely necessary I'd rather not do NAT

Lee



Re: ipv6: static ipv6 address with dynamic network address possible?

2022-08-02 Thread Lee
On 8/2/22, Tim Woodall wrote:
> On Mon, 1 Aug 2022, Lee wrote:
>
>> Verizon FIOS finally rolled out IPv6 in my area.  yay!  I'd like for
>> my Debian server to have a static IPv6 address.. same as I have for
>> IPv4.  But how to do that?
>>
>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>
>> I haven't been able to figure out how to assign a static address when
>> the network part might [will] change.. so I've got everything using
>> managed addresses (ie. dhcp6).  So effectively the server has a static
>> address, but still.. I'd rather not depend on DHCPv6
>>
>> Thoughts on how2?
>>
> Not sure I exactly understand what you want but you can specify the
> local part of an SLAAC ipv6 address thus:
>
> iface eth0 inet6 auto
>  pre-up echo 64 > /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>  pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0

Yes!! That looks like what I want.
Where does it go if I want it always done at boot time?

Thanks
Lee



Re: ipv6: static ipv6 address with dynamic network address possible?

2022-08-02 Thread Lee
On 8/1/22, Andy Smith wrote:
> Hello,
>
> On Mon, Aug 01, 2022 at 01:57:42PM -0400, Lee wrote:
>> The dhcpv6 server on the netgate allows for static mappings like
>>  ::1:10
>> where it fills in the network/64 portion from the delegation and uses
>> the ::a:b:c:d for the host address.  I was hoping for something like
>> that w/ Debian
>
> Oh, I thought you wanted to stop using DHCPv6 (protocol) entirely.

I do want to stop using DHCPv6.  I was hoping there was a way to tell
a Debian machine to use  as the (64 bit) host address and
learn the network address from the router advertisement prefix info.

This is a DNS & NTP server, so it needs a static address.  I'd also
like different firewall rules for different machines.. which also
requires static addresses for at least some machines.

Thanks
Lee



Re: ipv6: static ipv6 address with dynamic network address possible?

2022-08-01 Thread Lee
On 8/1/22, Andy Smith  wrote:
> Hello,
>
> On Mon, Aug 01, 2022 at 12:08:47PM -0400, Lee wrote:
>> I'd like for my Debian server to have a static IPv6 address.. same
>> as I have for IPv4.  But how to do that?
>>
>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>> Verizon, then the firewall delegates a /64 to each internal subnet.
>
> If you know that the /64 that's going to be delegated is always the
> same then you can just statically choose an address within it in
> /etc/network/interfaces as normal.

I wouldn't bet on it staying the same.  The external IPv4 address will
stay the same for months at a time; I don't expect any different for
the IPv6 network

> If you can potentially get a different /56 or different /64
> delegated then you have no real choice but to use DHCPv6.

*sigh*

The dhcpv6 server on the netgate allows for static mappings like
 ::1:10
where it fills in the network/64 portion from the delegation and uses
the ::a:b:c:d for the host address.  I was hoping for something like
that w/ Debian

> I don't know if static /56 is an option on fios. Although there is
> no technical reason to not allocate you a static /56,

Probably because it makes renumbering much harder.

> it is often
> used as a differentiator for a more costly service "because they
> can".

probably that

Thanks
Lee



ipv6: static ipv6 address with dynamic network address possible?

2022-08-01 Thread Lee
Verizon FIOS finally rolled out IPv6 in my area.  yay!  I'd like for
my Debian server to have a static IPv6 address.. same as I have for
IPv4.  But how to do that?

I have a Netgate firewall that does a dhcp6 request for a /56 from
Verizon, then the firewall delegates a /64 to each internal subnet.

I haven't been able to figure out how to assign a static address when
the network part might [will] change.. so I've got everything using
managed addresses (ie. dhcp6).  So effectively the server has a static
address, but still.. I'd rather not depend on DHCPv6

Thoughts on how2?

Thanks
Lee



Re: Debian 9 cron = sounds are ok : Debian 11 cron no sound

2022-07-17 Thread Lee
On 7/17/22, The Wanderer  wrote:
> On 2022-07-16 at 04:47, Roger Price wrote:
>
>> People occasionally have a cron job emit some sound each hour.  On my
>> Debian 9
>> machine I hear Biff [1] barking. In /etc/crontab I have an entry to call a
>>
>> script bark.sh which does the barking. Typically
>>
>>   0,1 0,12 * * * rprice full-path-to/bark.sh 12 2>>&1
>>
>> where bark.sh is a Bash script which calls /usr/bin/play to play a .au
>> file.
>>
>> This ran for years with Debian 9. I upgrade to Debian 11 and hear nothing.
>>  The
>> usual advice is
>>   (a) in /etc/crontab export XDG_RUNTIME_DIR=/run/user/1000
>>   (b) play the sound from a script.
>>
>> But that doesn't work with Debian 11. Does any reader of this list have
>> sound
>> coming from a Debian 11 cron job?  If so, how is it done?
>
> I don't use cron to play sounds, so I can't speak to this directly,
> but...
>
> While this may turn out in the end to be pure FUD, when I hear about
> things which work properly when run by hand but not when run
> automatically on a modern Debian system, my first suspicion is always
> that the culprit is the systemd / logind / whatever-it-is "user session"
> concept.

I don't know about systemd, but cron sets just a very few environment
vars (interestingly enough, you _do_ get /etc/environment processed).
I'd guess the problem with "works when run interactively but fails
when run from cron" is because most all of the sh setup is skipped for
things started by cron.

Lee



Re: Debian 9 cron = sounds are ok : Debian 11 cron no sound

2022-07-17 Thread Lee
On 7/16/22, Roger Price wrote:
> On Sat, 16 Jul 2022, Lee wrote:
>
>> I don't have play, so I tried aplay .. and it works, even if I'm
>> logged out, even if someone else is logged in.
>>
>> ## run the script every minute
>>
>> $ crontab -l | tail -3
>> # m h  dom mon dow   command
>>  * *   *   *   *   /home/lee/bin/neener.sh
>>
>> ## which plays a .wav and an .au file
>>
>> $ cat ~/bin/neener.sh
>> #!/bin/sh
>> /usr/bin/aplay -q $HOME/Sounds/Old/NEENER.WAV
>> sleep 0.25
>> /usr/bin/aplay -q $HOME/Sounds/SunOS/busy.au
>
> I get the following error message from aplay:
>
>   ALSA lib pcm_dmix.c:1075:(snd_pcm_dmix_open) unable to open slave
>   aplay: main:830: audio open error: Device or resource busy
>
> and a different message from play:
>
>   ALSA lib pcm_dmix.c:1075:(snd_pcm_dmix_open) unable to open slave
>   /usr/bin/play FAIL sox: Sorry, there is no default audio device
> configured
>
> I'm wondering what causes this. Do you have any specific environment
> variable
> set which defines a default audio device?

Nope.  Audio has always just worked; I never had to do anything
special or extra to get it working

Lee



Re: Debian 9 cron = sounds are ok : Debian 11 cron no sound

2022-07-16 Thread Lee
On 7/16/22, Roger Price wrote:
> People occasionally have a cron job emit some sound each hour.  On my Debian
> 9
> machine I hear Biff [1] barking. In /etc/crontab I have an entry to call a
> script bark.sh which does the barking. Typically
>
>   0,1 0,12 * * * rprice full-path-to/bark.sh 12 2>>&1
>
> where bark.sh is a Bash script which calls /usr/bin/play to play a .au
> file.
>
> This ran for years with Debian 9. I upgrade to Debian 11 and hear nothing.
> The
> usual advice is
>   (a) in /etc/crontab export XDG_RUNTIME_DIR=/run/user/1000
>   (b) play the sound from a script.
>
> But that doesn't work with Debian 11. Does any reader of this list have
> sound
> coming from a Debian 11 cron job?  If so, how is it done?

I don't have play, so I tried aplay .. and it works, even if I'm
logged out, even if someone else is logged in.

## run the script every minute

$ crontab -l | tail -3
# m h  dom mon dow   command
  * *   *   *   *   /home/lee/bin/neener.sh

## which plays a .wav and an .au file

$ cat ~/bin/neener.sh
#!/bin/sh
/usr/bin/aplay -q $HOME/Sounds/Old/NEENER.WAV
sleep 0.25
/usr/bin/aplay -q $HOME/Sounds/SunOS/busy.au


Lee



Re: Debian 11: How to disable IPv6

2022-07-12 Thread Lee
On 7/11/22, rhkramer  wrote:
>
> From the peanut gallery: I disabled IPv6 quite some time ago.  I don't
> recall how I did it, but I might have that information in my notes, somewhere.
>
> The reason that I disabled it (which might not be totally logical) is that
> in IPv4, I have always had my computers (and LAN) behind a NAT device.

A NAT device does not necessarily act like a stateful firewall.

Years ago I ran a TOR middle node ... and noticed someone scanning my
internal network!!  Turns out they were using loose source routing to
get around NAT:
  https://en.wikipedia.org/wiki/Loose_Source_Routing
Loose Source Routing is an IP option which can be used for address
translation.

My cable modem was quite willing to forward packets addressed to the
publicly addressable outside IP address of the box to my internal LAN
with the RFC-1918 address space .. that I thought was unreachable from
the public Internet because NAT :(

So lesson learned - get a firewall or router that will drop packets
that have IP options set.

Regards,
Lee
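A check of the kind the lesson above calls for ("drop packets that have IP options set"), as an added example that is not code from the thread: it walks the option area of a raw IPv4 header, reports any LSRR/SSRR option together with the route entries it carries, and returns the drop/accept verdict a filter would apply, treating malformed headers as drop. The header bytes, the TEST-NET and RFC 1918 addresses and the option layout are constructed for the demonstration.

```python
"""Detect IPv4 source-routing options (LSRR / SSRR) in a raw IPv4 header.

Added example for the NAT-bypass lesson in the post; not code from the
thread.  All packet bytes are constructed with documentation (TEST-NET) and
RFC 1918 addresses.
"""
import struct
from ipaddress import IPv4Address

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
SOURCE_ROUTING = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(header):
    """Return [(option_type, option_data)] from the option area of an IPv4 header.

    Raises ValueError on anything malformed; a filter should drop such
    packets rather than guess at their layout.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL")
    opts, result, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def source_route_findings(header):
    """[(name, pointer, [hop, ...])] for each LSRR/SSRR option present.

    Option data is one pointer byte followed by 4-byte route entries.
    """
    findings = []
    for kind, data in parse_ipv4_options(header):
        if kind in SOURCE_ROUTING and data:
            route = data[1:]
            hops = [str(IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            findings.append((SOURCE_ROUTING[kind], data[0], hops))
    return findings


def verdict(header):
    """'drop' for any header carrying IP options (IHL > 5) or malformed, else 'accept'."""
    try:
        parse_ipv4_options(header)
    except ValueError:
        return "drop"
    return "drop" if (header[0] & 0x0F) > 5 else "accept"


def build_header(src, dst, options=b""):
    """Constructed IPv4 header with no payload; checksum left at 0 (not verified here)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad with EOL to a 4-byte boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options


# Constructed LSRR option: type 131, length 11, pointer 4, two route entries
# (the public side of a NAT box, then an internal RFC 1918 host).
LSRR_VIA_NAT = (bytes([IPOPT_LSRR, 11, 4]) + IPv4Address("203.0.113.1").packed
                + IPv4Address("192.168.1.10").packed)

if __name__ == "__main__":
    pkt = build_header("198.51.100.7", "203.0.113.1", LSRR_VIA_NAT)
    print(verdict(pkt), source_route_findings(pkt))
    print(verdict(build_header("198.51.100.7", "203.0.113.1")))
```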



Re: ipv6 accept_ra

2022-06-28 Thread Lee
On 6/28/22, Anssi Saari  wrote:
> Lee  writes:
>
>> I have a desktop and a laptop - neither one is picking up the ipv6
>> network prefix from the router advertisement.  'ifconfig -a' on both
>> show a single 'inet6 fe80::' line under each interface.
>
> Well, how do you manage your network?

Poorly.. Verizon just enabled ipv6 in my area, so I'm trying to figure
out how to get ipv6 working internally.

> Is there a checkbox to check or uncheck somewhere?

Yup - that was it.  Netgate firewall had the DHCPv6 Server & RA set
for Managed -- change it to Assisted and everything gets the ipv6
prefix info now.

>> I checked with wireshark - the RAs look good.
>
> Checked how?

Superficially :(

The RA prefix information just had the On-link flag(L)
After changing the DHCPv6 Server & RA router mode to assisted the RA
prefix information had both the On-link flag(L) and the Autonomous
address-configuration flag(A) set

>> How do I get the default "accept_ra = 1" set on _all_ interfaces?
>
> You use sysctl -w to set those permanently. For testing, manipulate the
> virtual files in /proc/sys/net/ipv6/conf/.
>
> Although, to me that looks OK, as in, it's what I have and for me IPv6
> works, weird as it is. Forwarding is off and accept_ra is like yours:
>
> net.ipv6.conf.all.accept_ra = 1
> net.ipv6.conf.default.accept_ra = 1
> net.ipv6.conf.docker0.accept_ra = 0
> net.ipv6.conf.enp5s0.accept_ra = 0
> net.ipv6.conf.lo.accept_ra = 1
>
> and yet enp5s0 has a public IPv6 address.

Same here.  Forwarding is off, accept_ra is unchanged and yet ipv6
works for me now.

https://sysctl-explorer.net/net/ipv6/accept_ra/
has this bit
  Possible values are: 0 Do not accept Router Advertisements.

but router advertisements are clearly being accepted.  .. or I'm not
understanding what 'Router Advertisements' means.  *sigh*

Thanks
Lee



ipv6 accept_ra

2022-06-27 Thread Lee
I have a desktop and a laptop - neither one is picking up the ipv6
network prefix from the router advertisement.  'ifconfig -a' on both
show a single 'inet6 fe80::' line under each interface.

if it makes a difference:
$ cat /etc/debian_version
11.3

I checked with wireshark - the RAs look good.
After some searching I came across this

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
accept_ra - INTEGER
Accept Router Advertisements; autoconfigure using them.

It also determines whether or not to transmit Router
Solicitations. If and only if the functional setting is to
accept Router Advertisements, Router Solicitations will be
transmitted.

Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
  even if forwarding is enabled.

Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.

local forwarding is disabled
$ sysctl -a 2>/dev/null | grep ipv6 | grep 'forwarding '
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.enp1s0.forwarding = 0
net.ipv6.conf.enp1s0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlp2s0.forwarding = 0
net.ipv6.conf.wlp2s0.mc_forwarding = 0

but so is accept_ra
$ sysctl -a 2>/dev/null | grep 'accept_ra '
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.enp1s0.accept_ra = 0
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.wlp2s0.accept_ra = 0

How do I get the default "accept_ra = 1" set on _all_ interfaces?

TIA,
Lee



Re: How to change lightdm background in bullseye? (additional: weird stat behaviour)

2022-06-16 Thread Lee
On 6/16/22, Christoph K. wrote:
> Hello,
>
>
> Part 1: lightdm background
>
> I've just upgraded to bullseye and would like to change the background of
> the lightdm greeter.
>
> According to ...
> https://wiki.debian.org/LightDM#Change_the_greeter.27s_background
> ... I'm supposed to edit ...
> /etc/lightdm/lightdm-gtk-greeter.conf
>
> ... which I've done ...
>
> [greeter]
> background=/usr/share/xfce4/backdrops/foo.png
> user-background=/usr/share/xfce4/backdrops/foo.png

Do those files exist?  There's no /usr/share/xfce4/backdrops/ on my machine..

This works for me
$ cat lightdm-gtk-greeter.conf
[greeter]
background = /usr/share/desktop-base/spacefun-theme/login/background.svg

  <.. snip ..>

> I'm suspecting my changes in lightdm-gtk-greeter.conf have no effect.

Try installing lightdm-gtk-greeter-settings
I get a lot of error messages but it did change the background for me.


> Part 2: weird stat behaviour (ext4 filesystem)
>
> I'm not too familiar with stat and access times, although I do believe to
> have some understanding of it. But the following confuses me:

Somebody with a lot more knowledge in that area needs to respond, but
wasn't there a setup question about enabling that or no?  .. along the
lines of updating access times requires a disk write every time a file
is accessed, so one can make things faster by not updating the access
time.

Regards,
Lee



Re: Needless DNS queries

2022-06-07 Thread Lee
On 6/8/22, Greg Wooledge  wrote:
> On Wed, Jun 08, 2022 at 12:56:52AM +0000, Lee wrote:
>> host and dig are non-standard.  or use non-standard name lookups?
>> library??
>> In any case, try your example with ping or ssh - the search list will
>> be applied after the initial NXDOMAIN
>
> On Debian, the canonical tool for performing generic hostname lookups
> according to the rules established by /etc/nsswitch.conf and other
> local system config files would be:
>
> getent hosts NAME
>
> unicorn:~$ getent hosts www.google.com.
> 2607:f8b0:4009:80b::2004 www.google.com
> unicorn:~$ host www.google.com
> www.google.com has address 142.250.190.100
> www.google.com has IPv6 address 2607:f8b0:4009:80b::2004
>
> (Demonstrating the difference between canonical and useful.  My system
> has no IPv6 capability.)

I'm in the same boat :(  Verizon _still_ hasn't rolled out IPv6 in my area.

I like having DNSSEC enabled, so I'm running bind locally; here's the
bits from the bind log (with an 'rndc flush' between queries to clear
out any cached info)

$ getent hosts www.google.com
query: www.google.com IN  + (127.0.0.1)

$ ping www.google.com
query: www.google.com IN A + (127.0.0.1)
query: www.google.com IN  + (127.0.0.1)

$ host www.google.com
query: www.google.com IN A + (127.0.0.1)
query: www.google.com IN AAAA + (127.0.0.1)
query: www.google.com IN MX + (127.0.0.1)

Why getent doesn't look for an IPv4 address I don't know.  Same for
host .. no idea why it goes looking for an MX record.  Ping, ssh,
telnet all look for an IPv4 and an IPv6 address.   hrmm... Firefox
only looks for an ipv4 address ... ah! right - because I've got
network.dns.disableIPv6 set to true

I was under the impression there was a standard method for doing the
name -> address lookup but it seems that host, dig and even getent do
something non-standard - maybe to give you more control for debugging
purposes?

Lee



Re: Needless DNS queries

2022-06-07 Thread Lee
On 6/7/22, Tim Woodall  wrote:
> On Tue, 7 Jun 2022, Greg Wooledge wrote:
>
>> On Tue, Jun 07, 2022 at 11:22:34AM -0400, Dan Ritter wrote:
>>>
>>> search  Search list for host-name lookup.  By default, the search
>>>  [...]
>>> This may be changed by listing the desired domain search
>>> path following the search keyword with spaces or tabs separating the
>>> names.  Resolver queries having fewer than ndots dots (default is
>>> 1) in them will be attempted using each component of the search path in
>>> turn until a match is found.
>>
>> I've read this paragraph a few times, and as far as I can tell, it's
>> simply wrong.
>>
> Seems right to me:
>
> $ cat /etc/resolv.conf
> search home.woodall.me.uk
> options ndots:3
> nameserver 2001:8b0:bfcd:100:216:3eff:fee0:7102
> nameserver 2001:8b0:bfcd:8100:216:3eff:fee1:7102
>
> $ host ipv4.wlan.dirac
> ipv4.wlan.dirac.home.woodall.me.uk has address 192.168.3.16
> ipv4.wlan.dirac.home.woodall.me.uk has address 192.168.4.16
>
> Change that 3 to a 2 and:
>
> $ host ipv4.wlan.dirac
> Host ipv4.wlan.dirac not found: 3(NXDOMAIN)
>
>
>> If you go down farther in the page and look at:
>>
>>  ndots:n
>> Sets a threshold for the number of dots which must appear
>> in a name given to res_query(3) (see resolver(3)) before
>> an initial absolute query will be made.  The default for
>> n is 1, meaning that if there are any dots in a name, the
>> name will be tried first as an absolute name before any
>> search list elements are appended to it.  The value for
>> this option is silently capped to 15.
>>
>> This one says that it simply determines whether the name will be tried
>> as is *before* appending the search domain(s) to it, or whether it just
>> skips straight to appending the search domains.
>>
>
> Doesn't that say that, in my second example it will try ipv4.wlan.dirac.,
> get NXDOMAIN, and pass that up the stack.

host and dig are non-standard.  or use non-standard name lookups? library??
In any case, try your example with ping or ssh - the search list will
be applied after the initial NXDOMAIN

Lee



Re: Needless DNS queries

2022-06-07 Thread Lee
On 6/7/22, Darac Marjal  wrote:
>
> On 07/06/2022 17:53, Greg Wooledge wrote:
>>
>> To the best of my knowledge, there isn't any setting to *prevent* the
>> appending of search domains to a name, no matter how many dots you put
>> in the name.
>
> I've wondered about that in the past. Is this maybe a bug in the
> application, then (I admit that it'll be a widespread bug if so).

I'd go for a bug in the documentation.
Names ending with a dot don't get the search list appended to the name
on a lookup failure.

Think about it.. the trailing dot is the root of the DNS tree.  It
wouldn't make sense to add anything after that.

> To my
> knowledge, DNS domains support "relative" names (e.g. "www.example.com")
> as well as "absolute" names (e.g. "www.example.com." - with the trailing
> dot). Should applications be querying for hostnames with the trailing
> dot and, if so, would that prevent the resolver from trying to append
> the search domains?

You can always put the trailing dot in there yourself - eg
  ping foo.home.
if you don't want the search list appended on a lookup failure.

Lee
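Added example (mine, not code from anyone in the thread): a small model of the
search/ndots ordering that the resolv.conf(5) text quoted above describes, run
against a constructed in-memory zone so it works offline.  It covers Tim's
ndots:3 vs ndots:2 case, the "search list is applied after the initial
NXDOMAIN" ordering, and the trailing-dot rule.  The resolv.conf text reuses
Tim's search line and one of his nameserver lines; the zone contents and
addresses are made up for the example.

```python
"""Model of the libc stub-resolver search/ndots rules from resolv.conf(5).

Added example, not from the thread.  The zone below is constructed so the
script runs with no network; "not in the zone" is treated as NXDOMAIN.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone: FQDN (with trailing dot) -> address.  Tim's hostname is
# reused; the other entries and all addresses are illustrative.
ZONE: Dict[str, str] = {
    "ipv4.wlan.dirac.home.woodall.me.uk.": "192.168.3.16",
    "foo.home.": "192.168.1.5",
    "www.example.com.": "192.0.2.10",
}

# resolv.conf text as Tim posted it (one nameserver line kept).
RESOLV_CONF = """\
search home.woodall.me.uk
options ndots:3
nameserver 2001:8b0:bfcd:100:216:3eff:fee0:7102
"""


def parse_resolv_conf(text: str) -> Tuple[List[str], int]:
    """Return (search list, ndots) from resolv.conf text; ndots defaults to 1."""
    search: List[str] = []
    ndots = 1
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] in ("search", "domain"):      # last one wins, as in glibc
            search = parts[1:]
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt.split(":", 1)[1]), 15)  # silently capped at 15
    return search, ndots


def candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Fully-qualified names the stub resolver tries for `name`, in order."""
    if name.endswith("."):
        return [name]                              # absolute: search list never applied
    absolute = name + "."
    via_search = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + via_search             # as-is first, search list after NXDOMAIN
    return via_search + [absolute]                 # too few dots: search list first


def resolve(name: str, search: List[str], ndots: int = 1,
            zone: Dict[str, str] = ZONE) -> Tuple[Optional[str], List[str]]:
    """Walk the candidates against the toy zone; return (address or None, names tried)."""
    tried: List[str] = []
    for fqdn in candidates(name, search, ndots):
        tried.append(fqdn)
        if fqdn in zone:
            return zone[fqdn], tried
    return None, tried                             # every candidate was NXDOMAIN


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for n in (ndots, 2):
        addr, tried = resolve("ipv4.wlan.dirac", search, n)
        print(f"ndots:{n} -> {addr} after trying {tried}")
    print("foo.home. ->", resolve("foo.home.", search, ndots))   # one query, no search
```

With ndots:3 the two-dot name goes through the search list first and is found
on the first query; with ndots:2 the absolute name is tried first, gets
NXDOMAIN, and only then is the search domain appended.  That second ordering
is what a getaddrinfo() user like ping or ssh sees; Tim's `host` output with
ndots:2 stopped at the absolute NXDOMAIN instead, which is the behaviour the
thread is arguing about.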



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Lee
On 5/29/22, Greg Wooledge  wrote:
> On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote:
>> I have not intentionally hidden anything, Greg--I just never saw the need
>> for
>> mentioning it given the dialogue--x.y.z.w is just shorthand. If you
>> must know the exact IP address, it is 69.30.225.10.
>
> OK.  Now we can actually start helping.
>
> First of all, this is a regular old routable IPv4 address.  It's not one
> of the non-routables, like 192.168.* or 10.*.  This is good.  It
> eliminates a whole class of problems like "My machine's IP address says
> 192.168.1.2 but I can't reach it from outside my network", all of which
> were still on the table until now.
>
> Second, I cannot ping this IP address, nor can I telnet to port 80 of it.

For whatever it's worth..

Pinging 69.30.225.10 with 32 bytes of data:
Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
Reply from 69.30.225.10: bytes=32 time=42ms TTL=53
Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
Reply from 69.30.225.10: bytes=32 time=42ms TTL=53

I had wireshark running while trying to telnet there and I get a RST ~
45ms after sending the SYN

ssh gives me a login prompt

Lee
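Added example (mine, not from the thread): the thing Lee's wireshark
observation turns on is whether the SYN gets a RST back within a round trip
(host reachable, nothing listening on that port or a firewall REJECT rule) or
nothing at all (a firewall DROP rule or a black hole, which is what "blocked"
usually looks like from outside).  This probe classifies a port that way and
times the verdict; the demo runs against loopback so it needs no network.  It
assumes the target does not suppress RSTs, and the host/port values are
placeholders.

```python
"""Classify a TCP port as open / closed / filtered from the client side.

Added example.  The loopback demo is self-contained; probe() itself can be
pointed at any host and port.
"""
import socket
import time
from typing import Dict, Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[str, float]:
    """Return (verdict, milliseconds to reach it).

    open     - handshake completed, so something is listening
    closed   - RST came back: host reachable, no listener or a REJECT rule
    filtered - silence until the timeout: a DROP rule or a routing black hole
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            verdict = "open"
        except ConnectionRefusedError:
            verdict = "closed"
        except (socket.timeout, TimeoutError):
            verdict = "filtered"
        except OSError as e:                      # e.g. "Network is unreachable"
            verdict = f"error: {e.strerror}"
    return verdict, round((time.monotonic() - start) * 1000, 1)


def demo_local() -> Dict[str, str]:
    """Exercise the open and closed cases on 127.0.0.1 without any network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"listening": probe("127.0.0.1", port, 2.0)[0]}
    srv.close()
    # Same port, listener gone: the kernel answers the SYN with a RST.
    results["released"] = probe("127.0.0.1", port, 2.0)[0]
    return results


if __name__ == "__main__":
    print(demo_local())
    # Real use, e.g. the host from the thread (placeholder values):
    # print(probe("69.30.225.10", 80), probe("69.30.225.10", 443))
```

A "closed" verdict that arrives in one RTT, like the RST Lee saw about 45ms
after the SYN, says the packet reached a host that chose to refuse it; a
"filtered" verdict that only shows up after the timeout is the signature of a
DROP rule somewhere on the path.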



Re: setting path for root after "sudo su" and "sudo" for Debian Bullseye (11)

2022-05-23 Thread Lee
On 5/22/22, Charles Kroeger  wrote:
>> There is no silver bullet that makes your system secure.
>
> I get a login shell with $su --login
>
> I don't have sudo installed
>
> is there something heretical about that, I should know?

If this is for your personal machine, no.

If this is a multi-user environment, you should be changing the root
password whenever someone that knows the root password leaves.  If you
use sudo exclusively to get root permissions then the number of people
leaving that could require a root password change is potentially
smaller.

Lee


