Re[2]: "Repeaters", etc.

[Michael Grant]

From "Monte Milanuk" 

To debian-user@lists.debian.org
Date 28/05/2024 22:42:07
Subject Re: "Repeaters", etc.



On 5/28/24 11:03, rtnetz...@windstream.net wrote:

- Original Message -
From: "Paul M Foster" 


I've never see a 3 phase in a house.

Quite some years ago my father inquired about getting
3 phase power to his house to power a rather husky lathe.
The answers were distributed between "impossible"
and "prohibitively expensive".



Phase converters are usually the answer for that sort of thing. Whether old 
electro-mechanical (rotary), or newer static inverter designs, there are 
solutions out there that will get the job done a lot cheaper than convincing 
the utility to run a three-phase service drop to a residence.

Ironically, used three-phase equipment like lathes, milling machines, large 
band saws, planers, etc. are relatively 'cheap as chips' on the second-hand 
market.

I have a friend in the US, who has a large milling machine that takes 
3-phase.  He wired he 1st phase direct to the outlet, then the 2nd phase 
through a motor which just sits there spinning with nothing connected to 
it.  And I think from memory the 3rd phase isn't connected at all.  This 
is apparently enough to run the machine.  The motor, not motor 
generator, is just an AC motor, is enough to offset the phase that it 
fools the machine into working.  I may not have all the details correct, 
if anyone is interested, shoot me a message offline and I'll chase him 
down and get the details of what he did.


I think we're way off topic now...

Re: moving some packages back to bookworm stable

[Michael Grant]

Max, your list looks very similiar to what I'm seeing.

I seem to have suceeded in removing all of the testing packages from
my backup instance, now, just need to flip the ips around and see if
the ship still floats.

The culprits that seemed to be causing the massive dependencies were
libsasl2-2 and libsasl2-modules-db.  Though not libsasl2-modules which
i also have installed.

Using apt to try and remove the first 2 were causing this:

The following packages will be REMOVED:
  apache2 apache2-bin clamav clamav-daemon clamav-freshclam clamav-milter 
clamav-unofficial-sigs clamdscan colord curl dirmngr git gnupg gnupg2 
gpg-wks-client
  libapache2-mod-php8.2 libapache2-mod-ruid2 libaprutil1-ldap libclamav11 
libcurl3-gnutls libcurl4 libgphoto2-6 libldap-2.5-0 libmailutils9 
libmemcached11 libpq5 libsane1
  libsasl2-2 mailutils mongo-tools opendkim opendkim-tools python-apt 
python3-certbot-apache python3-debianbts python3-pycurl python3-pysimplesoap 
python3-reportbug reportbug
  sane-utils sendmail sendmail-bin sensible-mda

I sucked down those 3 packages and downgraded them via 'dpkg -i' and
was able to uninstall and reinstall sendmail by apt and now, no more
packages from testing.

Whew, I won't do that again.  But it's good to know how these things work!

Thanks all for your help.


signature.asc
Description: PGP signature

Re: "Repeaters", etc.

[Michael Grant]

On Tue, May 28, 2024 at 06:11:48PM +0100, debian-u...@howorth.org.uk wrote:
> Most houses in the UK are wired to a single phase, so everything is
> connected together at the consumer unit and powerline works just fine.
> If you have a specific problem, then there are DIN rail powerline units
> designed specifically to be mounted in the CU to spread the signal
> better over ALL the circuits.
> 
> If your house has 3-phase wiring, which is unusual in the UK, then you
> may have a problem because powerline signals do need to be on the same
> phase.

In the US, most houses are wired with 240V split-phase giving 120V to
a mains outlet.  It's a 50/50 crapshot if you are on the same leg in a
different part of the house.  I don't know if some electricians like
to put all the mains outlets on the same leg or not.  I don't know if
these ethernet over power things will work over different legs.  The
legs share a neutral and ground, so maybe!  I'd be interested to know!

Similarrly, over 3-phase, I would suspect the same is true, 3
different legs around the property with a common neutral and common
ground.  


signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

> > # apt remove -s libc6
> 
> DO NOT do this.
> 
> Downgrade it.  DO NOT remove it and then hope to reinstall it later.
> Removing libc6 will break everything.
> 
> You seem to be flailing, so let me spell this out as explicitly as
> possible.  When I say "downgrade a library package", I mean:
> 
> 1) Download the .deb file for the bookworm(-security) version of the
>library package.
> 
> 2) Run "dpkg -i libc6_whatever.deb".
> 
> 3) When you inevitably get dependency conflicts, download the additional
>library packages that need to be downgraded at the same time, and add
>them to the list.
> 
> 4) dpkg -i libc6_whatever.deb libwhomever.deb 
> 
> 5) Repeat until it works.
> 
> 6) Helpful post-mess cleanup commands include "dpkg --configure -a" and
>"apt-get -f install".  (Yes, that last one has install with no package
>names.)
> 
> Apt is NOT built for downgrading.  If you happen to get any positive
> results from an apt command that involves downgrading, you can consider
> that a pleasant surprise.  Usually you need to invoke dpkg directly.

Ah I see, I did not realise that's what you meant by downgrading it,
thanks.

So once I've done this dpkg -i to install a package, I can do that
without removing the old one first?

And, once I've hammered a package into place with dpkg, in the future,
will apt take it into account as a dependency of things already
installed even though apt itself didn't install or rather downgrade
the package itself?  The fact that I am dpkg installing it over a
package that apt itself installed, perhaps this keeps apt happy?

Thanks for your help.  I use apt all the time to do upgrades but
rarely do I ever need to get into weeds with it.  It's a bit of a
black box to me.




signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

> So, which part are you confused about?  Did you think there was some
> easy way to FIX a frankendebian?  Are you confused because you keep
> thinking "there must be some single apt command that will do all the
> work for me"?
> 
> There's not.  You get to do all the work by hand.

I am trying to do it by hand.  There's not many packages to deal
with at this point, doing this by hand looks like 10 or so packages.

> You will most likely need to remove the testing versions of these packages
> (apache2, git and so on) and then install the bookworm versions afterward.

Those dependent packages (most if not all) are not from testing.
apache2, perl, they are all installed from bookworm or
bookworm-security.

That db5.3 from testing is uninstalled and reinstalling from stable is
causing these other packages from stable to be uninstalled.  I find
that confusing.

But what about libc6?  That one really worries me.

# apt remove -s libc6
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
a few pages of dependicies...

> The things to watch out for are config files (hence your backup), and
> any crazy dependency situations.  In the ideal case, you'll simply be
> able to remove all the packages that aren't libs, then downgrade the
> libs, then reinstall the packages.  And make sure you have sensible
> config files.  If you get stuck, there's always the big hammer
> (dpkg --force-depends and so on).
> 
> If/when it breaks, you get to reinstall from scratch.

I have a running second week old version of the same vm.  I'm rapidly
moving to abandon this and just swapping the instances around.

> This is why we tell people DO NOT MIX BINARY PACKAGES FROM MULTIPLE
> RELEASES.

Yup.  But this whole experience does make me wonder if there are
situations where it is safe.  For instance, if the thing you're
installing from a different release does not cause an update anything
from the current release to a new release.  It feels like apt might be
able to suss that out and if so, pop an "Are you sure??? (y/N)" in the
terminal.


signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

On Tue, May 28, 2024 at 06:59:50AM -0400, Greg Wooledge wrote:
> On Tue, May 28, 2024 at 06:10:11AM -0400, Michael Grant wrote:
> > The following packages will be REMOVED:
> >   [...] libdb5.3t64 [...]
> 
> You've *clearly* still got testing packages installed.

YES.  As I originally said, I created this mess by installing sendmail
from testing.  And then, a month or so later, I did an
apt-get upgrade (to do updates, not a full upgrade) which pulled in
some more things from testing.  I'm trying to get back to all being
from stable.

Unless this is somehow easily fixable, I am leaning towards reverting
to my backup before the apt-get upgrade which has just sendmail from
testing.  I can more easily remove that and reinstall that before
doing the update.

The more I futz with this live machine, the deeper I seem to dig
myself into a hole.


signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

On Mon, May 27, 2024 at 12:59:34PM -0500, David Wright wrote:
> So what did it say after that?

Sorry, here's the entire output of one of the tries:

[bottom /etc/mail #1168] apt install libdb5.3/bookworm db5.3-util/bookworm 
db-util/bookworm
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Selected version '5.3.28+dfsg2-1' (Debian:12.5/stable [amd64]) for 'libdb5.3'
Selected version '5.3.28+dfsg2-1' (Debian:12.5/stable [amd64]) for 'db5.3-util'
Selected version '5.3.2' (Debian:12.5/stable [all]) for 'db-util'
The following packages were automatically installed and are no longer required:
  acl apache2-data apache2-utils augeas-lenses avahi-daemon clamav-base 
colord-data git-man gnupg-l10n gnupg-utils gpg-wks-server guile-3.0-libs 
ipp-usb libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaugeas0 libavahi-core7 libcolorhug2 libdaemon0 
libexif12 libgphoto2-l10n libgphoto2-port12 libgudev-1.0-0 libgusb2 libhashkit2 
libieee1284-3 libldap-common
  liblua5.3-0 libnspr4 libnss-mdns libnss3 libopendbx1 libopendbx1-sqlite3 
libopendkim11 libpoppler-glib8 libpoppler126 libpython2-stdlib libpython3.11 
librbl1 librtmp1 libsane-common
  libsnmp-base libsnmp40 libssh2-1 libvbr2 mailutils-common python2 
python2-minimal python3-augeas sane-airscan update-inetd usb.ids
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  php8.2-fpm
Suggested packages:
  php-pear
The following packages will be REMOVED:
  apache2 apache2-bin clamav clamav-daemon clamav-freshclam clamav-milter 
clamav-unofficial-sigs clamdscan colord curl dirmngr git gnupg gnupg2 
gpg-wks-client libapache2-mod-php8.2
  libapache2-mod-ruid2 libaprutil1-ldap libclamav11 libcurl3-gnutls libcurl4 
libdb5.3t64 libgphoto2-6 libldap-2.5-0 libmailutils9 libmemcached11 libpq5 
libsane1 libsasl2-2
  libsasl2-modules-db mailutils mongo-tools opendkim opendkim-tools python-apt 
python3-certbot-apache python3-debianbts python3-pycurl python3-pysimplesoap 
python3-reportbug reportbug
  sane-utils sasl2-bin sendmail sendmail-bin sensible-mda
The following NEW packages will be installed:
  libdb5.3 php8.2-fpm
The following packages will be DOWNGRADED:
  db-util db5.3-util
0 upgraded, 2 newly installed, 2 downgraded, 46 to remove and 0 not upgraded.
Need to get 1,743 kB/2,507 kB of archives.
After this operation, 234 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

> > Is there some way to get apt to reinstall a package such that it does
> > not think it has to uninstall things which depend on it because it's
> > being immediatly reinstalled?
> 
> That is the idea behind reinstall, though downgrading is always
> a test of its ability to succeed.

What it says it's going to do is actually remove those 46 packages and
not reinstall them.  I believe it!  Clearly apt is unwinding the
dependencies.  It seems like it's not taking into account the
downgraded libdb5.3 is a valid dependency for all the things it's
about to uninstall so it doesn't need to uninstall those things.  I
thought it should do that, but for some reason, it's not doing that
for me.



signature.asc
Description: PGP signature

Re: "Repeaters", etc. - FRITZ!Box 7490

[Michael Grant]

When you say your provider wants to provide you a "wireless router",
are you implying that you do not have any physically wired
high-speed internet to this property.  As in, the old copper either isn't
good enough for decent internet and no fibre yet, no cable modem either?

I read your original post thinking you might be thinking of
"extending" the reach of the "wifi" (which is probably isn't, it's
probably 4G or 5G in this case) to your rooms.  That's not what you
do, you don't extend that signal.

Some providers can provide now a box which has a SIM card in it and
talks to the provider over 4G/5G cellular.  On the inside of the
house, they provide a wifi access, just like most other providers.
Also, most of these routers have an ethernet port on the back so you
can, if you like, plug in an ethernet switch or another wifi router
(netgear or TPlink or whatever).

To be clear, the wifi is the part that is at your property.  There are
some providers termed WISPs (wireless internet service providers) that
use wifi (not 4G/5G) to connect you to the internet.  Just being clear
here that even if they do this, we're not talking about extending that
wifi signal.  That signal (whether it's really wifi or 4G or 5G or
even adsl or fibre or cable), it gets terminated at or just before
your router in your house.  So I'm not talking about that side of your
connection at all.

So if I understand properly, you have some devices around your home
that don't have built-in wifi and you are not going to string ethernet
to them.  In this case, what I would do would be to consider some
ethernet-over-powerline (e.g. https://www.tp-link.com/us/powerline/).
In this case, you'd plug the ethernet on the provided router, and then
you would put one (or more) of these devices around the house in the
other rooms and they basically function as an ethernet switch.

Another solution is a wifi device that functions in "client mode" and
gives you an ethernet port.  Essentially a device that functions as a
wifi router in reverse in that the wifi part (WAN) connects to your in
home wifi network and you plug devices into it on the ethernet ports
(LAN ports).  Some wifi routers can be configured this way, especially
older ones.  I have used the older ubiquiti eqiupment like this a lot.
The newer ubiquiti stuff though looks to be more geared towards
offices and hotels, probably way overkill for what you need.  However,
I did find a TP-link product, the "TP-Link AC750 Dual Band Wi-Fi
Travel Router" which seems to do this out of the box along with many
other tricks.  There are many other products out there.  Many of these
devices can also act as wifi repeaters or extenders too.

There are some other technical considerations like whether you care if
NAT is running on this little box or not, but for something like a
television in another room, you probably don't have to care.  NAT
isn't a consideration with the ethernet over power, they thankfully
don't do that.

Me personally, like others on this list, I'd try to find a way to get
an ethernet cable to the other rooms, but in some cases, this just
isn't practical.  I have an ethernet cable up the wall outside my
house and over the top of the roof, not in a conduit!  Been like that
for more than a decade.  But it rarely freezes here.  Your
mileage/kilometerage may vary!

Michael Grant



signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

Hans, thanks for that but I am a bit confused following your
instructions.  Did you mean to I should remove the lines for 'stable'
from sources.list?  Or remove the lines for 'testing'?  I am trying to
get the packages to go back to stable.

I am more familiar with apt than aptitude.

I managed to do part of what Greg recommended.  I removed sendmail and
sasl2-bin and reinstalled them from stable.  That seemed to work fine,
I have fewer testing pkgs installed now:

$ apt-show-versions | g testing
db-util:all/testing 5.3.3 uptodate
db5.3-util:amd64/testing 5.3.28+dfsg2-7 uptodate
libc-bin:amd64/testing 2.38-11 uptodate
libc-dev-bin:amd64/testing 2.38-11 uptodate
libc-devtools:amd64/testing 2.38-11 uptodate
libc-l10n:all/testing 2.38-11 uptodate
libc6:amd64/testing 2.38-11 uptodate
libc6-dev:amd64/testing 2.38-11 uptodate
libdb5.3t64:amd64/testing 5.3.28+dfsg2-7 uptodate
libmilter1.0.1:amd64/testing 8.18.1-3 uptodate
libsasl2-2:amd64/testing 2.1.28+dfsg1-6 uptodate
libsasl2-modules:amd64/testing 2.1.28+dfsg1-6 uptodate
libsasl2-modules-db:amd64/testing 2.1.28+dfsg1-6 uptodate
libssl3t64:amd64/testing 3.2.1-3 uptodate
libzstd1:amd64/testing 1.5.5+dfsg2-2 uptodate
locales:all/testing 2.38-11 uptodate
openssh-client:amd64/testing 1:9.7p1-5 uptodate
openssh-server:amd64/testing 1:9.7p1-5 uptodate
openssh-sftp-server:amd64/testing 1:9.7p1-5 uptodate
openssl:amd64/testing 3.2.1-3 uptodate
zstd:amd64/testing 1.5.5+dfsg2-2 uptodate

so I thought I'd try the same process with db5.3, but removing db5.3
wants to remove a slew of packages:

# apt reinstall -s libdb5.3/bookworm
...
Selected version '5.3.28+dfsg2-1' (Debian:12.5/stable [amd64]) for 'libdb5.3'
The following packages were automatically installed and are no longer required:
  acl apache2-data apache2-utils augeas-lenses avahi-daemon clamav-base 
colord-data git-man gnupg-l10n gnupg-utils gpg-wks-server guile-3.0-libs 
ipp-usb libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaugeas0 libavahi-core7 libcolorhug2 libdaemon0 
libexif12 libgphoto2-l10n libgphoto2-port12 libgudev-1.0-0 libgusb2 libhashkit2 
libieee1284-3 libldap-common
  liblua5.3-0 libnspr4 libnss-mdns libnss3 libopendbx1 libopendbx1-sqlite3 
libopendkim11 libpoppler-glib8 libpoppler126 libpython2-stdlib libpython3.11 
librbl1 librtmp1 libsane-common
  libsnmp-base libsnmp40 libssh2-1 libvbr2 mailutils-common python2 
python2-minimal python3-augeas sane-airscan update-inetd usb.ids
Use 'apt autoremove' to remove them

Is there some way to get apt to reinstall a package such that it does
not think it has to uninstall things which depend on it because it's
being immediatly reinstalled?

And for those of you telling me to have a backup, I do.  I have booted
a snapshot from about a week ago.  However, to make that the live one
and dump this one, it's not so easy but possible.  That snapshot has
only sendmail from testing. Hard to know what is more work, going down
this route or making the other instance live.  I'm starting to think
about abandoning this and reconfiguring the backup instance.


signature.asc
Description: PGP signature

Re: moving some packages back to bookworm stable

[Michael Grant]

On Mon, May 27, 2024 at 10:19:48AM -0400, Greg Wooledge wrote:
> On Mon, May 27, 2024 at 09:56:54AM -0400, Michael Grant wrote:
> > I needed to install a version of sendmail from testing a while back to
> > test it.
> 
> Your subject header says "bookworm stable".  You don't install binary
> packages from testing on a stable system.  You use backports instead.

ugh no, wait, I may be using the wrong terminology.  I'm not wanting
to install special packages and definitely don't need to build my own.

What I want to do is get the system back to just using the packages
from stable rather than testing.  Only those few packages before
things get worse in the next update.  There's not many.



signature.asc
Description: PGP signature

moving some packages back to bookworm stable

[Michael Grant]

 version (1.5.5+dfsg2-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


Yes, I am guilty of creating this mess, let's not dwell on that.

Michael Grant


signature.asc
Description: PGP signature

Re: how many iptables rules can a VPS have

[Michael Grant]

On 24 May 2024 23:23:44 BST, Andy Smith  wrote:
>You will likely get better performance if you switch to nftables and
>use an ipset to hold all the bans, though I've no idea how easy
>that is to configure with fail2ban.

It's easy, supported out of the box. I have been using nftables for years with 
f2b.  Cleaner looking, easier to read rules, structured syntax. I like it.

I can't speak to the performance, i don't have any way to test that.

Michael Grant

Re[2]: Debian 12, Pyzor, Razor, DCC?

[Michael Grant]

I have built dcc myself from their most recent source.  I guess I could 
send that to whoever wants it, or the debian dir.


Michael Grant


-- Original Message --

From "Marco Moock" 

To debian-user@lists.debian.org
Date 08/04/2024 13:25:26
Subject Re: Debian 12, Pyzor, Razor, DCC?


Am 08.04.2024 um 07:52:34 Uhr schrieb David Mehler:


 This is to any users running Debian 12 as a mail server. I am
 wondering if you have some, most, all, or none of these packages
 installed, Pyzor, Razor, DCC? If so how did you get them going and
 how did you get them to start?


No, I haven't. apt can't find ddc, what is the correct packet name?

I only have installed Cyrus, sendmail and opendkim.

If you have problems setting up other services, specify which server
packages you use and how they should interact.

--
kind regards
Marco

Send unsolicited bulk mail to 171254mu...@cartoonies.org

finger causing kernel seg fault

[Michael Grant]

I use tmux on my server.  tmux creates multiple pttys.  When I run 
finger, I see an error like this:


$ finger
finger: /dev//pts/6: No such file or directory

and in the log, I see:

/var/log/syslog:Mar 15 05:06:18 strange kernel: [2740248.159942] 
finger[1987858]: segfault at 1c ip 55b1c20baad5 sp 7ffc8878b8b0 
error 4 in finger[55b1c20b9000+3000] likely on CPU 1 (core 1, socket 0)
/var/log/syslog:Mar 15 05:06:18 strange kernel: [2740248.161979] Code: 
7b 20 00 0f 85 cc fe ff ff 31 c0 48 8d 3d 80 18 00 00 e8 7e 0f 00 00 83 
7b 08 01 0f 85 d0 fe ff ff 48 8d 7b 18 e8 8b e8 ff ff <8b> 70 1c 85 f6 
0f 85 d0 00 00 00 8b 70 08 8b 50 04 85 f6 0f 85 f2


I do not see pts/6 being used:

$ w
 04:56:14 up 31 days, 17:01,  6 users,  load average: 0.68, 0.20, 0.06
USER TTY  FROM   LOGIN@   IDLE   JCPU   PCPU WHAT
mgrant   pts/01.2.3.4Tue127:53m  0.32s  0.32s -tcsh
mgrant   pts/11.2.3.403:573.00s  0.03s  0.03s tmux 
attach

mgrant   pts/2tmux(1243630).%0   02Mar24  3.00s  0.18s  0.01s w
mgrant   pts/3tmux(1243630).%1   02Mar24 12days 29.02s 29.02s emacs
mgrant   pts/4tmux(1243630).%2   04Mar24 32:52m  0.05s  0.05s -bash

w reports one more user than there seems to be in the utmp.  I didn't 
close a tmux window but i have disconnected and reconnected several 
times.  If I start enough tmux windows and one happens to end up on the 
missing pts, the error goes away.  I'm not sure if this is a bug in 
finger, tmux, or something that manages the utmp getting out of sync.  
Any ideas what to do about this?


Michael Grant

Re: {OT] Mailing lists etc for postmasters

[Michael Grant]

https://list.mailop.org/listinfo/mailop

And the main page 
https://www.mailop.org/


On 1 March 2024 05:43:44 GMT, to...@tuxteam.de wrote:
>On Fri, Mar 01, 2024 at 01:42:07AM +, Gareth Evans wrote:
>> I have somehow only just discovered that Gmail, Apple and Yahoo are 
>> introducing, or have recently introduced, DMARC requirements for senders.
>> 
>> See for exmaple
>> https://www.proofpoint.com/us/blog/email-and-cloud-threats/google-and-yahoo-set-new-email-authentication-requirements
>> 
>> Can anyone recommend good mailing lists or other resources for people who 
>> look after email servers/services?  It takes up little of my work, but an 
>> area of interest.
>
>Me too :)
>
>ISTR that there was a mention of such a thing here in debian-user@,
>but my search-fu hasn't been up to the challenge of finding it.
>
>OTOH, my memory could be playing games on me.
>
>Cheers
>-- 
>t

Re: script/history

[Michael Grant]

> $ script foo.txt
> Script started, output log file is 'foo.txt'.
> $ date
> Sun  4 Feb 09:44:00 GMT 2024
> $ exit
> exit
> Script done.
> $ history|tail -n2
> 30797  2024-02-04 09:43:57  script foo.txt
> 30798  2024-02-04 09:44:21  history|tail -n2
> 
> I did try to search on this but just got lots of "bash history" and "history 
> in
> bash script" references.

So this might surprise you but the commands are actually in the
history list!  But not in the current shell.

What happens is this:

You start 'script foo.txt' and this starts a sub bash shell on a
different pseudo tty.  You run some commands, it appends each command
to the history of this sub-shell's history.

You then exit your script.  Those commands you ran are at the bottom
of .bash_history (try to cat that file out after you exit script and
you should see them).

But those commands are not sucked into the history of your current
shell.  Then, you log out (or exit) your current shell and the history
of that shell overwrites the history of the previous one.

If all you want to do is save off the commands after you exit your
script session, then simply move or copy .bash_history out of the way
before it gets overwritten.

You might consider setting $HISTFILE to some other location other than
.bash_history.

Michael Grant


signature.asc
Description: PGP signature

Re: How to insert symbols into emails (was: Re: Monospace fonts, Re: Changing The PSI Definition)

[Michael Grant]

On Mon, Jan 29, 2024 at 03:29:57PM +0100, Franco Martelli wrote:
> On 26/01/24 at 20:50, David Wright wrote: > I'll give a shout-out for Hack,¹
> which I can't fault for use in > xterms. Comparing xterm -geometry 80x25+0+0
> -fa hack -fs 16 > with xterm -geometry 80x25+0 Sangu verification:
> ⓘ No issues found, please report it if otherwise
> Request analyst action Verified by Sangu
> On 26/01/24 at 20:50, David Wright wrote:
> > I'll give a shout-out for Hack,¹ which I can't fault for use in
> > xterms. Comparingxterm -geometry 80x25+0+0 -fa hack -fs 16
> > with   xterm -geometry 80x25+0+0 -fa inconsolata -fs 18
> > (to make the sizes roughly the same), I find the inconsolata
> > stroke width on the basic Roman alphabet is a little spindly.
> >
> > Other criticisms are that the stroke widths (and even the size)
> > later in the table (eg 0x256–1312) are thicker or larger, and
> > many single-width characters are slightly oversize and get
> > truncated at the top & right (eg Ŵ at 0x372, Lj 456). Mixing
> > fractions is ugly, too: ½ ⅓ ⅔ ¼ ¾ ⅛ ⅜ ⅝ ⅞. The ‘’ quotes
> > are pretty, though.
> 
> Those symbols are very nice, which tool have you used to insert them?
> I'm using Thunderbird for my emails but I've to enable "Compose message
> in HTML" to have a small subset of symbols, for me isn't enough. I'm
> using KDE desktop.
> 
> Thanks in advance, best regards.

I bet this has come up before.  I'll tell you what I did to solve
this.

For the most part, I use Debian on servers and I access them through a
windows desktop, so for me, the solution starts on Windows.  There's
different keyboards you can configure on windows but none of them get
you at arbitrary unicode characters.  What I did do was use a program
named kbdedit which allowed me to craft a key mapping for my keyboard
so I could create the various keys I wanted to use, and for the
characters that I don't use regularrly, I just copypaste the code from
either a web page or from kbdedit into the window, be that putty or ms
word.

What I did was create a heavily compose-key key mapping.  I use the
right hand alt key as the compose key.  So for me ½ is simply alt-1
2.  The accented letters like é is just alt-e '.

Is there a way to create a similar keyboard mapping in X-windows on
debian based systems?

I've often wondered what a "full unicode keyboard" might look like.
Unfortunately composing only gets you so far.  There's definitely some
common characters you can do by composing 2 characters logically but
it's far far from complete.  I do wonder if someday we'll see larger
physical keyboards with some extra keys at the top to eventually
access all characters via some logical interface rather than having to
know their unicode code point.

Michael Grant


signature.asc
Description: PGP signature

finger segfaults

[Michael Grant]

I'm seeing many of these in my log as we use the 'finger' program
(which essentially prints out who's logged in):

/var/log/syslog:Jan 21 17:24:02 hostname kernel: [994887.868396] Code: 7b 20 00 
0f 85 cc fe ff ff 31 c0 48 8d 3d 80 18 00 00 e8 7e 0f 00 00 83 7b 08 01 0f 85 
d0 fe ff ff 48 8d 7b 18 e8 8b e8 ff ff <8b> 70 1c 85 f6 0f 85 d0 00 00 00 8b 70 
08 8b 50 04 85 f6 0f 85 f2 
/var/log/syslog:Jan 21 17:46:20 hostname kernel: [996225.511633] 
finger[535517]: segfault at 1c ip 55c42a3ccad5 sp 7ffd268c28b0 error 4 
in finger[55c42a3cb000+3000] likely on CPU 0 (core 0, socket 0) 

It doesn't happen all the time.  It seems to be linked to tmux where
tmux but I wouldn't swear to it.  


signature.asc
Description: PGP signature

Re: counting commas

[Michael Grant]

On Fri, Jan 19, 2024 at 09:25:14AM +0100, Thomas Schmitt wrote:
> fxkl4...@protonmail.com wrote:
> > why doesn't grep count 2 commas
> > echo 'Kích thước máy xay cỏ, giá máy thế nào , phụ tùng máy mua ở đâu' |
> > grep -c ,
> > 1

Here's my way:

$ echo 'Kích thước máy xay cỏ, giá máy thế nào , phụ tùng máy mua ở đâu' |  
fold -w1 | grep -c ,
2




signature.asc
Description: PGP signature

Re: system not updating

[Michael Grant]

> Any chance you have phased updates set up? Search apt_preferences(5)
> for Phased-Update-Percentage for details, and check your apt
> configuration.

Nope, not using that.

sources.list:

deb http://mirrors.linode.com/debian-security/ bookworm-security main 
contrib non-free
deb-src http://mirrors.linode.com/debian-security/ bookworm-security main 
contrib non-free

deb http://mirrors.linode.com/debian/   bookworm-updates main contrib 
non-free
deb-src http://mirrors.linode.com/debian/   bookworm-updates main contrib 
non-free

deb http://mirrors.linode.com/debian/   bookworm-backports main contrib 
non-free
deb-src http://mirrors.linode.com/debian/   bookworm-backports main contrib 
non-free

deb http://mirrors.linode.com/debian/   bookworm main contrib non-free 
non-free-firmware
deb-src http://mirrors.linode.com/debian/   bookworm main contrib non-free 
non-free-firmware

preferences:

Package: *
Pin: release a=bookworm-security
Pin-Priority: 1000

Package: *
Pin: release a=bookworm
Pin-Priority: 500

Package: *
Pin: release a=bookworm-backports
Pin-Priority: 490


And these are the same across all the machines.


signature.asc
Description: PGP signature

Re: system not updating

[Michael Grant]

> Go to one of the other two, and get the *name* of one of the packages
> that you wish more information about.
> 
> Then, on all three systems, run:
> 
> apt policy my-pkg-name

On the one that's not getting updates:

[strange /etc/apt #1939] apt policy openvpn
openvpn:
  Installed: 2.6.3-1+deb12u2
  Candidate: 2.6.3-1+deb12u2
  Version table:
 2.6.7-1 250
250 http://mirrors.linode.com/debian testing/main amd64 Packages
 10 http://mirrors.linode.com/debian unstable/main amd64 Packages
 *** 2.6.3-1+deb12u2 500
500 http://mirrors.linode.com/debian-security bookworm-security/main 
amd64 Packages
500 http://mirrors.linode.com/debian bookworm/main amd64 Packages
100 /var/lib/dpkg/status

On the one that is getting updates:

[top /etc/apt #1211] apt policy openvpn
openvpn:
  Installed: 2.6.3-1+deb12u1
  Candidate: 2.6.3-1+deb12u2
  Version table:
 2.6.7-1 250
250 http://mirrors.linode.com/debian testing/main amd64 Packages
 10 http://mirrors.linode.com/debian unstable/main amd64 Packages
 2.6.3-1+deb12u2 500
500 http://mirrors.linode.com/debian-security bookworm-security/main 
amd64 Packages
500 http://mirrors.linode.com/debian bookworm/main amd64 Packages
 *** 2.6.3-1+deb12u1 100
100 /var/lib/dpkg/status

on the one that isn't getting updates:

[strange /etc/apt #1940] apt list --upgradable
Listing... Done
ca-certificates-java/stable 20230710~deb12u1 all [upgradable from: 
20230620~deb12u1]
linux-image-amd64/stable-updates 6.1.67-1 amd64 [upgradable from: 6.1.55-1]

note that even though the candidate is openvpn 2.6.3-1+deb12u2, it
won't be installed.  Why?  What's blocking it?

Michael Grant



signature.asc
Description: PGP signature

system not updating

[Michael Grant]

I have 3 debian servers which are mostly the same.  2 of them if I run
apt list --upgradable, I get a list of 20 or so packages to update.
One of them only shows this:

$ apt list --upgradable
Listing... Done
ca-certificates-java/stable 20230710~deb12u1 all [upgradable from: 
20230620~deb12u1]
linux-image-amd64/stable-updates 6.1.67-1 amd64 [upgradable from: 6.1.55-1]

The sources files are identical.  There's nothing being held back that
I know of.  Packages on this server currently match the other
servers...for example, openvpn is the same version, it's going to be
updated on the other servers but not this one.

How can I find what's causing this?

Michael Grant


signature.asc
Description: PGP signature

TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received

[Michael Grant]

I'm seeing this error over and over in /var/log/messages:

Sep  6 05:02:42 hostname kernel: [408794.655182] TCP: tcp_parse_options: 
Illegal window scaling value 15 > 14 received
Sep  6 05:02:43 hostname kernel: [408794.830639] TCP: tcp_parse_options: 
Illegal window scaling value 15 > 14 received
Sep  6 05:02:43 hostname kernel: [408794.960811] TCP: tcp_parse_options: 
Illegal window scaling value 15 > 14 received
Sep  6 05:02:43 hostname kernel: [408795.180464] TCP: tcp_parse_options: 
Illegal window scaling value 15 > 14 received

I've not been able to find much about these messages by searching,
nothing useful is coming up.  Is anyone else seeing something like
this?  Is this some sort of attack?

Please cc me on replies, thanks.

Michael Grant


signature.asc
Description: PGP signature

RE: strange boot messages

[Michael Grant]

Thanks Kushal (and thanks Cindy Sue).  Glad I’m not the only one seeing these!

An observation to anyone who might be able to do something about this in the 
future... it would be less stressful or scary if these messages were said in 
such a way that they didn’t look like failures.

Is ConditionFirstBoot something set when Debian boots for the first time after 
an install?  It seems like this shouldn’t even be a message since it’s going to 
be printed into the log forever going forward!  First boot, sure, say it’s true 
and do whatever but after that, imho, no need to print anything unless perhaps 
some verbose flag is set.

Anyway, this stuff may not even be Debian specific, just my observations from a 
user (a sysadmin user).  Hope this gets tidied up at some point.

I’m happy and relieved you knew what these were and will now summarily ignore 
them in the future!

Michael Grant

From: Kushal Kumaran
Sent: 27 February 2022 19:01
To: debian-user@lists.debian.org
Cc: Michael Grant
Subject: Re: strange boot messages

cc-ing as requested

On Sun, Feb 27 2022 at 09:01:31 AM, Michael Grant  wrote:
> I'm running Debian 11.2 stable on a Linode (a popular VPS).  After a recent 
> update, I think from
> around 25th of January, I'm starting to see some strange messages in
> my logs:
>
> systemd[1]: First Boot Complete was skipped because of a failed
> condition check (ConditionFirstBoot=yes).
>
> systemd[1]: getty on tty2-tty6 if dbus and logind are not available
> was skipped because of a failed condition check
> (ConditionPathExists=!/usr/bin/dbus-daemon).
>
> systemd[1]: Platform Persistent Storage Archival was skipped because
> of a failed condition check
> (ConditionDirectoryNotEmpty=/sys/fs/pstore).
>
> systemd[1]: Set Up Additional Binary Formats was skipped because all trigger 
> condition checks failed.
>
> systemd[1]: Store a System Token in an EFI Variable was skipped
> because of a failed condition check
> (ConditionPathExists=/sys/firmware/efi/efivars/LoaderFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
>
> systemd-udevd[277]: Network interface NamePolicy= disabled on kernel command 
> line, ignoring.
>
> systemd[1]: fast remote file copy program daemon was skipped because
> of a failed condition check (ConditionPathExists=/etc/rsyncd.conf).
>
>
> Are these just informational or are these problems I need to fix?  I
> did some searching but couldn't find much.
>
> Please CC me, I'm not currently on the list.
>
> Michael Grant

These are normal.  Several bits of bootup are conditional based on the
ambient environment (whether it is a first boot, whether you have
specific hardware features such as pstore or efi available, or whether
you have particular binary packages are installed, etc.).  My system has
the same messages in slightly different format.

Feb 23 22:26:28 copper systemd[1]: Condition check resulted in Kernel Module 
supporting RPCSEC_GSS being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in Set Up 
Additional Binary Formats being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in File System 
Check on Root Device being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in Rebuild Hardware 
Database being skipped.Feb 23 22:26:28 copper systemd[1]: Condition check 
resulted in Platform Persistent Storage Archival being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in First Boot 
Complete being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in Dispatch 
Password Requests to Console Directory Watch being skipped.
Feb 23 22:26:28 copper systemd[1]: Condition check resulted in Virtual Machine 
and Container Storage (Compatibility) being skipped.
Feb 23 22:26:29 copper systemd[1]: Condition check resulted in Dispatch 
Password Requests to Console Directory Watch being skipped.
Feb 23 22:26:29 copper systemd[1]: Condition check resulted in Set Up 
Additional Binary Formats being skipped.
Feb 23 22:26:29 copper systemd[1]: Condition check resulted in File System 
Check on Root Device being skipped.

I guess either a version or a configuration difference results in your
system logging the actual condition.

-- 
regards,
kushal

strange boot messages

[Michael Grant]

I'm running Debian 11.2 stable on a Linode (a popular VPS).  After a recent 
update, I think from
around 25th of January, I'm starting to see some strange messages in
my logs:

systemd[1]: First Boot Complete was skipped because of a failed condition check 
(ConditionFirstBoot=yes).

systemd[1]: getty on tty2-tty6 if dbus and logind are not available was skipped 
because of a failed condition check (ConditionPathExists=!/usr/bin/dbus-daemon).

systemd[1]: Platform Persistent Storage Archival was skipped because of a 
failed condition check (ConditionDirectoryNotEmpty=/sys/fs/pstore).

systemd[1]: Set Up Additional Binary Formats was skipped because all trigger 
condition checks failed.

systemd[1]: Store a System Token in an EFI Variable was skipped because of a 
failed condition check 
(ConditionPathExists=/sys/firmware/efi/efivars/LoaderFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

systemd-udevd[277]: Network interface NamePolicy= disabled on kernel command 
line, ignoring.

systemd[1]: fast remote file copy program daemon was skipped because of a 
failed condition check (ConditionPathExists=/etc/rsyncd.conf).


Are these just informational or are these problems I need to fix?  I
did some searching but couldn't find much.

Please CC me, I'm not currently on the list.

Michael Grant


signature.asc
Description: PGP signature

Re: Internet diagnosing

[Michael Grant]

On Sun, Sep 05, 2021 at 04:57:44PM +0200, Julius Hamilton wrote:

> I was wondering if anyone knew a similar user email group like this one for
> questions related to internet connectivity. Maybe there is a widely used open
> source network software tool where people discuss network questions.

I too have been wondering about this.  There used to be some usenet
news groups.  I did manage to find the old comp.networks group but
it's not well attended.  https://groups.google.com/g/comp.networks

When I have networking questions, I try to narrow them down to a
specific area.  For example, if it's about Ubiquiti routers, I'll post
on the Ubiquiti forum.  If it's an OpenVPN issue, I end up posting on
that forum.  If it seems like a networking issue in Debian, here is
very appropriate and there's lots of experienced folks here.

But where to post some general networking issue that's not specific
and you are completely in the dark as to where to start, yah I sure,
start here if you're using Debian on at least one thing you can't get
to the network.  I wouldn't ask an Android or windows question here
but if say your problem occurs on Debian and not on Android, yah very
appropriate to ask here.

In relation to your question which seems like it's Android related,
I'd see if it also happens if you access thoses sites in Debian.  If
yes, then it's a general problem.  If no, then I'd probably post on a
forum like the Andronix Forum.  If both, then this is possibly
something with the internet connection or wifi router.  Many router
manufacturers and ISPs have help forums.

Thing is, these days, there's so much networking stuff out there that
if there is an active general networking help list (which there may be
and I haven't found it), it'd probably have so much chatter on it that
it may not be useful.  One needs to narrow down the scope at least a
bit to find some forum which might help, even if someone points you to
another forum which ultimately helps you.

Without more info, I'd say you may have some DNS resolution problem.
Is there some firewall blocking access to some sites?  Are you using
anything like Pi-hole, VPN, or some browser extension which might be
trying to do some weird VPN like stuff?  What happens when you try
with something running Debian?  Can you narrow it down to a sitiation
where it always works and one where it always fails?

Michael Grant


signature.asc
Description: PGP signature

Re: Moving from Testing to Stable + Backports

[Michael Grant]

>   some people have different goals than i.

You're correct.  Though I do have a primary goal to have a stable
system, I sometimes (albeit it's rare) I need to install package
that's not in stable, or I need some feature from a more recent
version of something which is why backports is important to me.

Up to now, I have been running Testing which has served me pretty
well.  I've been convinced by discussion here to move to Stable +
Backports.

I included Experimental which probably was a mistake and I probably
meant Unstable.  (I can see Greg rolling his eyes...)

Here's a blog post I was looking at: https://rabexc.org/posts/apt-config

This is very close, if not exactly, what I want to do.  I'm very aware
about mixing releases.  If you ever do this, you need to be very
careful not to suck in a ton of dependencies.  Greg is correct, you
can at the click of a key unwittingly install so many dependencies
that your system becomes that release.



signature.asc
Description: PGP signature

Re: Moving from Testing to Stable + Backports

[Michael Grant]

> You're missing the "bullseye-updates" repository, but it's optional.  If
> the lines above were the only lines in your sources.list, you would be
> doing it correctly.
> 
> Bullseye-backports is also optional, and there probably aren't any yet.
> And even when there are some, there's no guarantee that you'll need them.
> Personally, I prefer to leave the -backports out of it unless and until
> I actually need one.  But if you want to bring it in proactively, that's
> acceptable.
> 
> > deb http://deb.debian.org/debian/   testing main contrib non-free
> > deb-src http://deb.debian.org/debian/   testing main contrib non-free
> 
> *THIS*, however, is wrong.
> 
> With testing lines added to your sources.list, you are not running stable
> (bullseye) any longer.  You are still running testing, just with a
> fallback option to retrieve bullseye packages as well.
> 
> > deb http://deb.debian.org/debian/   experimental main contrib non-free
> > deb-src http://deb.debian.org/debian/   experimental main contrib non-free
> 
> And this is just stupid.  Remove this immediately.
> 

Ok I added bullseye-updates now, thanks.

What priority should I apply to bullseye-update in preferences?

With respect to having testing and experimental in the sources.list, I
had testing prioritized at 250 and experimental at 1.  The idea was
that if some new package came along that I wanted to mess with, I
could install it easily but if the there was a package belonging to
bullseye, it would be installed there by priority.  I am vigilant not
to install things that contain dependencies that might update my
entire system to, say, testing.  Given that, are these lines still
insane?

Is there some way to tell apt to ask me if I want to install something
from a particular repository, for example, something I want to test.
I would like to have apt tell me "that's not in one of these
repositories but it's in one of these other repositories you have in
sources.list, ok to install it from there?"  Something like a warn-me
flag?  Or something that shows me what repository I'm about to install
something from?  I was sort of hoping that's what setting a priority
<500 would do.

Here's an updated version now of what I have, though I would uncomment
testing and experimental if I understand correctly.  Wondering if I
should also add unstable in there at an equally low priority.

/etc/apt/sources.list
deb http://security.debian.org/debian-security/ bullseye-security main 
contrib non-free
deb-src http://security.debian.org/debian-security/ bullseye-security main 
contrib non-free

deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free

deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-backports main contrib non-free

deb http://deb.debian.org/debian/   bullseye main contrib non-free
deb-src http://deb.debian.org/debian/   bullseye main contrib non-free

#deb http://deb.debian.org/debian/   testing main contrib non-free
#deb-src http://deb.debian.org/debian/   testing main contrib non-free

#deb http://deb.debian.org/debian/   experimental main contrib non-free
#deb-src http://deb.debian.org/debian/   experimental main contrib non-free

/etc/apt/preferences
Package: *
Pin: release a=bullseye-security
Pin-Priority: 1000

Package: *
Pin: release a=bullseye-updates
Pin-Priority: 950

Package: *
Pin: release a=bullseye-backports
Pin-Priority: 950

Package: *
Pin: release a=bullseye
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 250

Package: *
Pin: release a=experimental
Pin-Priority: 1


signature.asc
Description: PGP signature

Moving from Testing to Stable + Backports

[Michael Grant]

I've been using Testing for about a decade now with very few problems.
But now I'm moving to Stable.  Just wanted to mae sure I'm doing this
right.

I last updated using Testing on the friday, then the release happened
on saturday.  I changed my sources.list as below, did an apt update;
apt upgrade, and uncerimoniously there were no updates to install, my
system was already on bullseye.  Easy.

My intention is that when I upgrade or install something from now on,
I want to take the latest most resonable version of it.

If there's a security update, I want that version first.

Normally if I install something, it should come from stable.  However,
if there's a backport of that thing, I prioritize the newer backport
instead.

But what if something got updated from backports and then later
there's a security update for it in bullseye-security. Since I
prioritize bullseye-security, what's going to happen?  Is it going to
reinstall a lower version number from bullseye-security?

Lastly, I want to be able to manually install things from testing and
from experimental.

Here's my apt config files:

sources.list
deb http://security.debian.org/debian-security/ bullseye-security main 
contrib non-free
deb-src http://security.debian.org/debian-security/ bullseye-security main 
contrib non-free

deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-backports main contrib non-free

deb http://deb.debian.org/debian/   bullseye main contrib non-free
deb-src http://deb.debian.org/debian/   bullseye main contrib non-free

deb http://deb.debian.org/debian/   testing main contrib non-free
deb-src http://deb.debian.org/debian/   testing main contrib non-free

deb http://deb.debian.org/debian/   experimental main contrib non-free
deb-src http://deb.debian.org/debian/   experimental main contrib non-free

preferences
Package: *
Pin: release a=bullseye-security
Pin-Priority: 1000

Package: *
Pin: release a=bullseye-backports
Pin-Priority: 950

Package: *
Pin: release a=bullseye
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 250

Package: *
Pin: release a=experimental
Pin-Priority: 1



signature.asc
Description: PGP signature

Re: what's wrong with my "/etc/apt/sources.list"? Updating from such a repository can't be done securely, and is therefore disabled by default

[Michael Grant]

> deb http://security.debian.org/debian-security bullseye/updates main contrib
> non-free
> deb-src http://security.debian.org/debian-security bullseye/updates main
> contrib non-free

I think you are missing bullseye-security.  I have this:

deb http://mirrors.linode.com/debian-security/ bullseye-security main 
contrib non-free
deb-src http://mirrors.linode.com/debian-security/ bullseye-security main 
contrib non-free

I'm not so sure I need the 'contrib non-free' at the end of the line
but it's not giving me any errors.




signature.asc
Description: PGP signature

Re: Messed up Email

[Michael Grant]

> Apparently the lines are blurry enough for you to include Signal in that 
> list.

Why?  Not blurry at all.  Signal is just as closed a system as
WhatsApp.  Maybe more private, but unless you know something I don't,
Signal doesn't talk to anything other than other Signal.  Puppeted
bridges are not interoperability, as far as I am aware, all users
still need to be on Signal.

You'll notice that I didn't put Matrix on that list.  One day there
will be multiple Matrix servers and clients and it's not dependent on
any single company's infrastructure.

Michael Grant


signature.asc
Description: PGP signature

Re: Messed up Email

[Michael Grant]

On Tue, Jun 22, 2021 at 07:36:33PM +0100, Brian wrote:
> On Tue 22 Jun 2021 at 10:44:55 +0100, Brad Rogers wrote:
> 
> > In addition to everything everybody else has said, and just to make it
> > absolutely clear;
> > 
> > gmail != email
> 
> Nonsense.
>  
> > or, in words;
> > 
> > gmail IS NOT email
> 
> More nonsense.

Not nonsense at all.

gmail is a mail reader (like as Thunderbird, Mutt, Pine, or Outlook (the
program) + a mail server + domain name (gmail.com).

email is set standards which gmail implements.

email is NOT gmail and let's not forget this.

I'm sure most everyone on this list is tech savy enough to understand
that.  Brian, it would astonish me if you don't, but your reply is
difficult to understand your intent whether it's toungue in cheek or
not.

It's quite shocking to me to have conversations with young people,
even into their early 20s who do not understand this distinction.  And
there are many people who do not understand the distinction between a
standards based system such as mail or the web and a proprietary
system such as facebook, WhatsApp, Signal, Telegram, etc etc.  And
many of them simply don't care, for them, they just use it because
their friends do.

Michael Grant


signature.asc
Description: PGP signature

Re: A Proposal: Each of Online Debian Man pages could have a wiki (Main page / Talk Page, etc.) at its bottom, with only Example Code Lines ...

[Michael Grant]

On Fri, Jun 18, 2021 at 09:20:56PM +0530, Susmita/Rajib wrote:
> The subject line is  being amended to add the word "Online " before
> "... Debian Man pages ..." for the thread at:
> https://lists.debian.org/debian-user/2021/06/msg00432.html, continued
> till https://lists.debian.org/debian-user/2021/06/msg00438.html, to
> further clarify confusion of rhkramer , who privately
> communicated, and for  Jonathan Dowland , who showed
> interest on the topic. I also hope that with this Email I shall also
> be able to address the confusions inadvertently caused to Mr. David
> Wright ,.
> 
> The Drive Folder for a sample Man file and an attempt at pictorial
> analysis of a sample command:
> https://bit.ly/Apt_readingManPages
> 
> An analysis of the Drive File : DebianApt-get.txt
> 
> https://manpages.debian.org/buster/apt/apt-get.8.en.html
> 
> apt-get [-asqdyfmubV] [-o=config_string] [-c=config_file] [-t=target_release]
> 
> Please look at the parts:
> Let
> A = apt-get
> B = [-asqdyfmubV]
> C = [-o=config_string]
> D = [-c=config_file]
> E = [-t=target_release]
> 
> An apt-get command is a Text String formed by one particular choice of
> all the options available, of each of A, B, C, D and E, with a space
> in between.
> 
> Say, in abstraction, a Text-String formed by, say:
> Aₕ Bₖ Cₘ Dₙ Eₚ,  where each of h,k,m,n and p is any one of all the
> options available for each of them individually.
> 
> For example, one code-line could be A₁ B₂ C₅ D₆ E₁₂, as an illustration.
> 
> I was just trying to say this illustratively for writers (without a
> general mathematical background) who would help edit the code lines,
> by the svg picture.
> 
> No authorisation required. Please have all the files downloaded to
> your local HDD and then use EOG (or any other image viewer you are
> comfortable with) for viewing the images, and plain text reader like
> leafpad to read the text files.
> 
> Ideally, if your browser if properly set up, you need not download.
> You could view/read files from your browser-tab itself.
> 
> I use Mozilla Firefox. But for any Mozilla forked web-browser like
> Google Chrome or Chromium, operations are similar.
> 
> A GUI user would usually click the link on the Email (Gmail) Tab. If
> settings are standard on the web-browser, the link shall open on a
> separate Tab.
> 
> My proposal is, by a specific example, for the Debian Apt Man Online Page,
> Let M be The Debian Apt Man Online Webpage.
> i.e., M = https://manpages.debian.org/buster/apt/apt.8.en.html
> 
> Then my proposal:
> 
> M = M + Examples of all the representative combinations of code-lines
> related to Command, at the bottom, like my file (i have, for
> illustration, presented pictorially the scheme, whereas what's
> required are all example/representative code lines, into rows of code
> lines, with, if required, one line/phrase explanations)
> 
> Pictorially illustrated on the Drive folder.
> 
> Best,
> Rajib
> 
> 

I honestly couldn't decode this message but I have been following this
thread.  If I understand correctly what I think Rajib wants is:

1) when a package is added to debian's repo, some automation which
looks at the package, determines if it has man pages, and for each of
those man pages, create a corresponding wiki page in a debian owned
man page wiki.

2) somehow automatically patch the man page to include a link to said
wiki page.  (note, this will be hard).

Maybe some automation could be created to create these wiki pages.
But I see problems.

Packages change, become obsolete, sometimes get renamed.  Even
command names change over time.

It's a little odd for Debian to host a documentation wiki for upstream
tools.  The package maintainers would need to look after the wiki page
that corresponds to the package they are maintaining.  Not everyone is
going to be happy with more work.  Even if they are not the ones
writing it, they will need to be aware of it and if things change,
tweak it.

It seems like Rajib is looking for something at a higher level, not at
the level of Debian, but at the level of Unix/Linux itself, as in, how
to document things you've worked on in a standard way in a globally
editable/extendable forum.

Wikis tend to be GUI based and man pages are text files used generally
at the command propt.  The closest text based thing I can think of is
the gnu info system which is/was meant for this sort of thing but is
not very widely used.  It predates markdown and wikis by many years.

I'm all for better documentation but I don't see how Debian can be the
documentation repository for all tools that just happen to be Debian
packages.

It feels like you should try to start a sort of "unixepedia" thing
like wikipedia and then one by one try to get people to create pages
for their tools.  Then, eventually people will put links into their
man pages pointing at this global resource.  That's my best opinion
after reading all your posts.

Michael Grant


signature.asc
Description: PGP signature

Re: PC fan getting very loud

[Michael Grant]

> You had some bad liquid cooler then, or damaged water pump. I have AIO
> liquid cooler from Corsair, bought it together with Ryzen 95W CPU about
> 4 years ago, haven't reapplied paste since then. No cleaning done
> either, apart from de-dusting case every 6 months or so. Temperatures
> are ideal, under Linux I have no control over 2 AIO fans, but everything
> works perfectly on its own.

My previous liquid cooler was a Corsair and it failed after about 5 or
6 years.  And yes, I highly suspect it was in the water pump, the
blades getting gummed up or something over the years it was in
operation which was pretty much 24x7.


signature.asc
Description: PGP signature

Re: PC fan getting very loud

[Michael Grant]

On Sat, May 08, 2021 at 11:23:06AM +0200, Sven Joachim wrote:
> On 2021-05-08 11:13 +0200, deloptes wrote:
> 
> > Fujitsu ESPRIMO Q520 when opening some sh*tty web sitesin firefox the fan
> > gets extremly noisy.
> 
> Such is the modern web. :-(

I also recently had something like this happen.  I tried to redo the
thermal paste between the CPU and cooler but it did not help.  I have
a liquid cooler on my CPU.  Apparently these things get clogged up
over time.  They need to be replaced (or taken apart carefully and
cleaned) from time to time.

I replaced my cooler with a Thermaltake and I have to say my desktop
went from sounding like a jet engine to near total silence.  I was
actually so surprised at first I thought it wasn't working!

I don't know if this brand is particularrly quiet or if they're all
quiet now days.  However, replacing the cooler definitely helped
considerably.

Michael Grant


signature.asc
Description: PGP signature

Re: how to use fetchmail with MS Office 365 / davmail?

[Michael Grant]

I saw in the last 6 months a daemon that let you get oauth tokens on
linux and then it refereshed the token indefinitely until told to
stop.  Essentially making the token available on linux so you could
use it in another program that requied a password, for example
fetchmail or getmail.

I've tried to find it but I'm turning up nothing.  I'm pretty sure I
didn't imagine it!  Does anyone recall the name?  This could
definitely be helpful for fetching mail from an account with oauth
setup.

Michael Grant


signature.asc
Description: PGP signature

Re: dovecot packages

[Michael Grant]

On Mon, Apr 19, 2021 at 10:49:52PM +0200, Tomaž Šolc wrote:
> On 19. 04. 21 19:38, Reco wrote:
> > https://dovecot.org/releases/2.3/dovecot-([\.0-9]+)\.tar\.gz
> 
> I think this should still match the latest dovecot release that Michael
> mentions:
> 
> https://dovecot.org/releases/2.3/dovecot-2.3.14.tar.gz
> 

Yes, interesting, it definitely should match.

Anyway, thanks all.  I emailed dove...@packages.debian.org, hopefully
it's helpful info to them.

Michael Grant


signature.asc
Description: PGP signature

dovecot packages

[Michael Grant]

Just noticed on the dovecot.org site, the latest version of dovecot
seems to be v2.3.14, but on the dovecot package tracker on the debian
site: https://tracker.debian.org/pkg/dovecot, we're at v2.3.13.

V2.1.14 has been around for about a month.  What's surprising is that
on the tracker web page, usually there's an 'action needed' with a 'A
new upstream version is available...' but not here.  Is something
broken there?  Who do I tell?

For comparison, if you look at Sendmail's debian tracker page:
https://tracker.debian.org/pkg/sendmail you see that it shows there's
a new upstream version.

Is this 'action needed' something that is updated manually?  I
coulnd't easily find the debian maintainer to pass this on.
Suggestions? or should I just ignore it and eventually someone will
get to it?

Michael Grant


signature.asc
Description: PGP signature

Re: Whether Man pages could visually be structured in an abstract form to be understood easier

[Michael Grant]

> Also, other man pages are similarly converted. Really, man pages are
> sick without a teacher, for me of course.
> Rajib

Rajib,

The pushback you will get here is not because it isn't a good idea to
have some documentation that is easier to use.  The problem is
historical and one of standardization.

So you understand, here's my understanding (I'm sure people will
correct me where I'm wrong):

Debian is one of many different linux distributions and is a variant
of Unix of which there are several still existing variants.  Unix
having it's roots in Multix and was said to be "Unix is Multix without the
balls".  All of these different operationg systems have the same
origin dating back to the 60s and 70s. The man pages are one of these
throw backs.

The pieces of software that make up debian don't all originate within
the debian project.  Much of the software originates from what we call
"upstream" meaning it's outside of debian and it "flows" into debian.

Nobody here on this list or even within the debian community has any
authority to get other variants of unix/linux to move to a new
manual format.

Furthermore, The unix/gnu-linux man pages are only supposed to be
succient reference pages, though often they do contain working
examples.  They are definitely not meant to be tutorials, they never
were and never have been.

For me, the biggest change I've seen globally to man pages is that
someone thankfully fixed the ROFF man processor to format man pages as
a single long page rather than multiple pages of fixed 66 lines with
headers and footers at 66 line intervals.  Those headers and footers
in the middle of the man page annoyed me for decades!  I don't know
who finally fixed that but if you're reading this, THANK YOU.

This change happened because someone upstream altered the workings of
the 'man' command which had a global effect.  Altering the contents of
man pages is not the same thing.

There are other systems such as 'info' which came out of the gnuemacs
info which I think is probably more appropriate for the tutorial like
things you want.

Things like the debian wiki that was mentioned, this is really debian
specific and again, unix/linux is a much larger thing of which debian
is a "consumer" of.  It would be quite good if when people built
software that beyond simple man pages that they were also nudged to
create longer documentation in info or something that could be used to
create some easy to use documentation site like some global unix wiki.

Anyway, just trying to get my point across that your ideas may be
laudible and good, but what you seek globally can't be accomplished
locally.  You either need to do it outside on the side of all the
software out there, a monumental effort, or somehow effectuate a
change to get software authors to write better documentation and ship
it with their software.

Michael Grant


signature.asc
Description: PGP signature

Re: Possible?! A Debian public repository for all complex code lines with examples and scripts?

[Michael Grant]

Unfortunately this is a bit of a mess but you need to understand the
history and politics here.

First off, Debian, as well as the other Unix and Linux distributions
are a collection of lots of different things from differnet places and
you get an operating system out of it all.  Something like Microsoft's
Windows or the old mainframe operating systems like DEC's VMS or the
various IBM operating systems, these operating systems were put out by
a company which had complete control over all aspects of the system
and it's documentation.  GNU/Linux meaning Debian, Ubuntu, RedHat, or
any of the hundred or so linux distrubtions just are not this way.

Unix and Linux distrubtions are a collection of many things from many
places.  The 'ls' man page you mention is part of the GNU utilities,
not written by the Debian project, nor is the shell like sh, csh,
bash, zsh etc..

Unix Man pages have been around for many decades and each component
usually (not always!) comes with a man page.  There's no single
company or organization that has any overarching responsility to make
sure any individual man page is consistent with another.  Furthermore,
some things like some of the Gnu tools have documentation in a system
called 'info' and there's often files distributed in /usr/share/docs
and then some projects document things in web pages and in markdown
files like readmes in git repositories.  There just isn't a single
point of documentation and I doubt you'll get everyone to
double-document things by making man pages AND writing documentation
in some global documentation repository.

It is unfortunate that today, sometimes the best documentation is by
doing a web search and reading though things on sites like
stackexchange or perople's personal blogs.  I say unfortunate but it
works.

Don't get me wrong, it would be great if there was like a wikipedia
for all this but I doubt it will ever happen, and Debian is just one
of many different projects that consumes as well as produces things.


signature.asc
Description: PGP signature

apt upgrade merging modified files

[Michael Grant]

When I apt-update, sometimes I update something for which I modified a config 
file and I get this menu:

Configuration file '/etc/matrix-synapse/homeserver.yaml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
Y or I  : install the package maintainer's version
N or O  : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
 The default action is to keep your current version.
*** homeserver.yaml (Y/I/N/O/D/Z) [default=N]

Sometimes, rarely, I get a 5th option offering to try to merge the
files.  I don't know what causes the merge option to be available or
not.

If this is a file which I indeed modified, what I inevitably end up
doing is using the Z option, popping into a shell, then presents me 2
variables (without $ in front of them) which give me 2 files: current
and new.

So what I do is manually echo the two variables out (putting a $ in
front of them) and run emacs and emerge them together.  This is fine,
it's usually pretty easy.

Is there some way I can at minimum add a 5th option to the above menu
to run emacs in emerge mode with those files as args?  This would save
lazy me the steps of echoing the vars and starting emacs manually.

I run etckeeper, it would be really sweet if this was smart enough to
attempt a 3-way merge (merge with an ancestor file).

Michael Grant


signature.asc
Description: PGP signature

Re: Kernel message: BUG: Bad page state in process kworker

[Michael Grant]

> I'd say it is a Linode problem, unless you run custom kernel modules.
> It looks like a "memory" corruption to me and since it is virtualized system,
> you should check if host system is ok.
> Memory in quotes because this issue could be also related to a storage
> sub-system (local or network attached) of the host or VM.

I'm definitely not running a custom kernel.

They live migrated this linode to a new physical machine and still
getting these errors so I don't think it's a h/w issue.  It seems to
be a qemu issue to me but I am not very familiar with qemu.

The fact that they live migrated it does seem to imply it's all part
of the same virtualization system, probably same qemu, which would
make sense that it didn't fix the error.

I'd like to know if anyone else is seeing this who is using linode and
has recently been migrated to their new metal.


signature.asc
Description: PGP signature

Kernel message: BUG: Bad page state in process kworker

[Michael Grant]

I'm seeing lots of errors like this in my kern.log on 2 of 3 of my
deban Linodes running testing on Linode's provided kerne 5.10.13.  Is
this a problem in Debian or is this a Linode issue?

Mar 12 19:32:18 strange kernel: [10849.820363] BUG: Bad page state in process 
kworker/0:3  pfn:10902f
Mar 12 19:32:18 strange kernel: [10849.825374] page:edbc1187 
refcount:-1 mapcount:0 mapping: index:0x0 pfn:0x10902f
Mar 12 19:32:18 strange kernel: [10849.827665] flags: 0x200()
Mar 12 19:32:18 strange kernel: [10849.828894] raw: 0200 
dead0100 dead0122 
Mar 12 19:32:18 strange kernel: [10849.830817] raw:  
0011  
Mar 12 19:32:18 strange kernel: [10849.832758] page dumped because: nonzero 
_refcount
Mar 12 19:32:18 strange kernel: [10849.834141] Modules linked in:
Mar 12 19:32:18 strange kernel: [10849.835229] CPU: 0 PID: 769 Comm: 
kworker/0:3 Tainted: GB 5.10.13-x86_64-linode141 #1
Mar 12 19:32:18 strange kernel: [10849.837423] Hardware name: QEMU Standard PC 
(Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Mar 12 19:32:18 strange kernel: [10849.840005] Workqueue: mm_percpu_wq 
drain_local_pages_wq
Mar 12 19:32:18 strange kernel: [10849.841538] Call Trace:
Mar 12 19:32:18 strange kernel: [10849.842620]  dump_stack+0x6d/0x88
Mar 12 19:32:18 strange kernel: [10849.843813]  bad_page.cold.119+0x63/0x93
Mar 12 19:32:18 strange kernel: [10849.845096]  free_pcppages_bulk+0x18e/0x6a0
Mar 12 19:32:18 strange kernel: [10849.846423]  drain_pages_zone+0x41/0x50
Mar 12 19:32:18 strange kernel: [10849.847740]  drain_pages+0x3c/0x50
Mar 12 19:32:18 strange kernel: [10849.848956]  drain_local_pages_wq+0xe/0x10
Mar 12 19:32:18 strange kernel: [10849.850282]  process_one_work+0x1fb/0x390
Mar 12 19:32:18 strange kernel: [10849.851579]  ? process_one_work+0x390/0x390
Mar 12 19:32:18 strange kernel: [10849.852929]  worker_thread+0x221/0x3e0
Mar 12 19:32:18 strange kernel: [10849.854159]  ? process_one_work+0x390/0x390
Mar 12 19:32:18 strange kernel: [10849.855648]  kthread+0x116/0x130
Mar 12 19:32:18 strange kernel: [10849.857066]  ? kthread_park+0x80/0x80
Mar 12 19:32:18 strange kernel: [10849.858424]  ret_from_fork+0x22/0x30


signature.asc
Description: PGP signature

Re: A suggestion to multiply your users

[Michael Grant]

Brett,

Dan's exactly correct:

> Debian is a Linux distribution -- a collection of software that
> works together as a complete operating system plus applications.

A Linux distribution can run programs written to run in Linux of which
Inkscape is but one of those programs.  The Debian users on this list
did not write it.

Debian is geeky and this makes it easy and clear for us who use it.

There are a ton of other Linux distributions that are based on Debian
that may be more suited to a non geek and still you can run all the
same software.

(And there's a ton of other Linux distributions that are not based on
Debian too, oh so many to choose from!)

Do a search for 'linux distributions based on debian' in your favorite
search engine.  There's a wikipedia page here:
https://en.wikipedia.org/wiki/Category:Debian-based_distributions

Ubuntu is certainly one of the most popular.  They all look and feel a
bit different, it gets down to personal preference and how easy one is
for you to use.

Many of these off shoots of Debian are aimed at non geeky people.

Think of Debian as a platform that these other things are built on.
Debian itself is built on Linux, GNU, and a many tools and utilities.
Layer on layer if you may.

Hope this helps.

Michel Grant


signature.asc
Description: PGP signature

Re: How automatic are backport package updates?

[Michael Grant]

On Sat, Feb 13, 2021 at 06:58:36PM +0200, Andrei POPESCU wrote:
> On Sb, 13 feb 21, 10:47:41, Michael Grant wrote:
> > 
> > I completely understand the desire for stability and reliability.  But
> > it seems like having to wait up to 2 years for some major new feature
> > to get into Debian can be daunting, especially when it gets into
> > Testing.  I was wondering, is there, or has anyone given any thought
> > to something in between Testing+Backports and Stable+Security that is
> > something like Stable at each dot release, thus reducing this window
> > down to 3 months as opposed to 2 years?
> 
> Yes, it's called Ubuntu ;)

I see I made an error in my paragraph above.  I meant to say something
in between Testing+Security and Stable+Backports+Security (though as
has been said, you can't apply Security patches to Testing.)

Huh, I did not know that this is what Ubuntu was based on.  I always
thought the 6-month releases were based on the dot releases of Debian.

Maybe I should consider moving to Ubuntu Server?  Hmm, that sounds
like a nightmare waiting to happen.

Michael Grant




signature.asc
Description: PGP signature

Re: How automatic are backport package updates?

[Michael Grant]

On Sat, Feb 13, 2021 at 11:31:16AM -0500, songbird wrote:
>   yes, but since Debian is run by volunteers and many of
> them are very busy it has been talked about but not beyond 
> that.  the idea of rolling releases, always releasable, and 
> some other phrases has been discussed, but until enough 
> people get together to actually do it and prove that it 
> works and will be supported it won't happen.  unstable is
> perhaps the closest currently coming to that idea, but
> the freeze process pushes development off into experimental
> or upstream until the freeze is done and then the whole
> cycle comes up again.

I understood that Unstable == Sid from Andrew's detailed message in
this thread and it's also on confirmed on this page:
https://wiki.debian.org/DebianUnstable.

I was not thinking this would cause more (or significantly more
anyway) work than we already do.  Dot releases are tested.  It might
even be *less* work as upgrades would be incremental and smaller
rather than large.

Thinking back, this is one of the beauties of Testing is that things
happen incrementally over time.  Sure, I may have to fix something
here and there but that often turns out to be easier and less
stressful than doing a major upgrade and having to set aside an entire
weekend.

Michael Grant


signature.asc
Description: PGP signature

Re: How automatic are backport package updates?

[Michael Grant]

t in Backports and were regularlly maintained in
Testing.  I'm afraid I don't recall which packages anymore, I think it
might have been Sendmail.  Back then I thought (perhaps mistakenly)
that Testing was getting security fixes.  

Let me add to your recommendations above:

For the packages in Testing which don't make it into Backports, one
can first try to try to install the package from Testing, but if it
attempts to bring in other dependencies from Testing, stop.  If you
can't wait for the next release of Debian or someone to do a backport,
then the next best option is to try and build a backport yourself.
Pull down the source from Testing and use dbuild and build a local
package on Stable and apt install it.  This often works unless the
package depends on kernel or other specific things in the next Debian
release.

That process is detailed here:

https://wiki.debian.org/SimpleBackportCreation

Building packages has definitely gotten easier.

I completely understand the desire for stability and reliability.  But
it seems like having to wait up to 2 years for some major new feature
to get into Debian can be daunting, especially when it gets into
Testing.  I was wondering, is there, or has anyone given any thought
to something in between Testing+Backports and Stable+Security that is
something like Stable at each dot release, thus reducing this window
down to 3 months as opposed to 2 years?

Michael Grant


signature.asc
Description: PGP signature

Re: How automatic are backport package updates?

[Michael Grant]

Replying to this message that's just over a month old now.  Now that
10.8 just came out, is this a good time to jump off the testing repo
and onto stable for my production box?  Is this one of those rare
moments when testing and stable line up?  Or should I continue to wait
for Bullseye?

On Tue, Jan 12, 2021 at 10:35:05AM -0500, Dan Ritter wrote:
> Michael Grant wrote: 

>> Let's say I want to run 'testing' to be more on the edge to get the
>> latest and greatest of packages and to incrementally always be on top
>> of updates rather than having to do large release updates.  But from
>> time to time there is a security update to a package which is newer,
>> or if something specific is broken, I may want to go back to a
>> specific version of something.  What should I put in my sources.list?
> 
> Are you running a production system?

Yes.

> That is, are you running a Debian system which is essential to
> your business or personal activities, so that having to recover
> from a disaster would be a significant hardship?

Well, yes, though I do have daily snapshots.

> If so, you should be running buster, and considering moving to
> the next stable release no sooner than a few weeks after the
> transition to bullseye. You should accept security updates as
> soon as is convenient for you, on an ongoing basis. Backports
> are to solve specific issues.
> 
> If you are running a system for fun, or if there is no real
> issue with protracted unavailability, testing is a fine thing
> to be running. You should expect a little chaos every time you
> update.
> 
> Only stable gets security updates. Testing may get security
> updates when they come from upstream, but it's not guaranteed.

I thought all security updates were tested in testing, committed to
testing, and then also committed to stable-security.  I had not
noticed that testing was not getting security updates, I thought it
was, maybe again, it was just luck that the packages I noticed needed
security updates were the ones I mentally track most like sendmail,
dovecot, spamassassin...

Michael Grant


signature.asc
Description: PGP signature

RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP withreserved IPs on wlan0?

[Michael Grant]

I have used openwrt, but not recent version of it.  I have been using Ubiquiti 
EdgeRouters running the stock EdgeOS.  Very solid routers.  I even have one 
sitting up in a tree in a Tupperware container in the snowy mountains!

I recently discovered that EdgeOS is based on Debian and you can install Debian 
packages on them.

Michael Grant

Re: How automatic are backport package updates?

[Michael Grant]

On Tue, Jan 12, 2021 at 10:35:05AM -0500, Dan Ritter wrote:
> Are you running a production system?

Yes, I guess you could call it production.  It's my family & friends server.  
In all the time I have been running Debian Testing, I have never once suffered 
a serious or protracted disaster as you envision.  Maybe I'm lucky!  Little 
things, yes, like the systemd thing the other day.  On very rare occasions, I 
have had to pin a package.

> If so, you should be running buster, and considering moving to
> the next stable release no sooner than a few weeks after the
> transition to bullseye. You should accept security updates as
> soon as is convenient for you, on an ongoing basis. Backports
> are to solve specific issues.

Hence using buster as an example of today (understand should substitute 
bullseye after that release):

deb http://httpredir.debian.org/debian buster main non-free contrib
deb-src http://httpredir.debian.org/debian buster main non-free contrib

deb http://security.debian.org/debian-security buster/updates main contrib 
non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib 
non-free

deb http://deb.debian.org/debian buster-backports main contrib non-free
deb-src http://deb.debian.org/debian buster-backports main contrib non-free

Is it then possible to add the /testing line to be able to occasionally pull in 
specific packages from testing?  I think I would need a 
preferences.d/something.pref file.

deb http://mirrors.linode.com/debian/   testing main contrib non-free
deb-src http://mirrors.linode.com/debian/   testing main contrib non-free

Clearly if the package I wanted to install from testing would suck in a lot of 
dependencies, then I likely would not do that, but I don't want it to suck 
things in from testing automatically otherwise, I am then running testing.

Is this setup possible or am I really just going to have to be patient if 
something isn't in backports?

Michael Grant



signature.asc
Description: PGP signature

Re: How automatic are backport package updates?

[Michael Grant]

Let's say I want to run 'testing' to be more on the edge to get the latest and 
greatest of packages and to incrementally always be on top of updates rather 
than having to do large release updates.  But from time to time there is a 
security update to a package which is newer, or if something specific is 
broken, I may want to go back to a specific version of something.  What should 
I put in my sources.list?

I read all the argments here for running stable vs sid and I kind of like being 
in the middle.  I update my systems every few weeks or more if necessary.  I 
used to run stable+backports but there were things that just took ages to get 
into backports, or never made it into backports, but installing them from 
testing would suck in so many dependencies that I would end up running testing 
or some weird hybrid.  I am considering changing things around though and going 
back to running stable + backports and occasionally pulling something in from 
testing but I am not sure yet, the dependency nightmare still looms in my mind. 
 Honestly I have been running testing for about 10 years now in production and 
have had very few problems.

As I read about this, it seems like it's not going to be possible to run 
testing and pull in security fixes.  Is it correct that security fixes can only 
be applied to stable releases?

Or are the backports now so well up to date with testing that I shouldn't worry 
about this and move back to a stable release?

Michael Grant


signature.asc
Description: PGP signature

Re: po...@lists.debian.org

[Michael Grant]

I'm not sure this is the proper forum for this thread but it is something I 
have interest in.

I also ran one of the early usenet nodes.  One of the shames of usenet is that 
it was quite useful at one point and then it's signal to noise ratio went so 
far down it was unusable.

Mailing lists such as this one did slowly take over as venues for people to 
talk about things around a subject but if you were and are always at the 
subject to the owners of the list.  Get "out of line" and you get ejected from 
the list.

Finding somehow the balance such that you can have a completely distributed and 
open system that never gets spammed and only has high quality content is 
difficult.  I'm not sure it's an insolvable problem but it's not an easy one.

I don't know how many people have noticed this but one of the biggest things 
that seems to go untalked about isn't crypto, it's IDENTITY.  Anyone can create 
a gpg key, but knowing that this person is a real person is more difficult.  
Knowing that two (or more) different posters are the same individual is even 
harder.

Have any of you noticed many providers now link your id to a mobile number?  
It's under the auspices of better security, 2 factor authentication.  This is 
true, but it's also the way they attempt to tie you to a real and single 
person.  Sure you can get around that by having multiple numbers but there is a 
practical limit to that, most people don't.

The problem with identity is that there's just so many to choose from.  Google 
has theirs.  Facebook has theirs.  Github theirs.  Almost always tied to your 
email address (in fact, I can't think of any that are not off the top of my 
head).  Many of these Identites are tied to your mobile number behind the 
scene.  Of course you could have more than one number.  What we don't have is 
an internet standard on identity that is not tied to a single vendor or tied to 
your email address which might change.  Such things are in the works though.  I 
have read about iden3 https://iden3.io/ and DIF https://identity.foundation/.  
I have seen others as well.

If it's not obvious why a decentralized identity is important, without some 
identity that you own (as opposed to google or facebook being your identity 
provider), you are not in control with what happens to information about you.  
You should be able to identify yourself without, say, having to give a site 
your mobile number, your birth certificate, a scan of a government ID...etc.  
In my opinion, a decentralized identity is one of the next big things that will 
happen on the internet.

gpg/pgp and getting someone else to sign your key, or getting an x509 client 
certificate, these are not really idea solutions, but it's what we have today.  
(x509 is really a format and not an identity, but it's not really used as a 
global identity today, I am not exactly being fair by this comparison).

What does this have to do with the subject of usenet and open forums and even 
fighting spam?  Franky everything.  Once you have an identity, people can sign 
posts with their identity and you can be reasonably assured that they are from 
a real person.  You can be reasonably assured that two different posters are 
not sock-puppeting one another.  You can be assured of the source of the news.  
When only real people can post, you shouldn't have any bots.  IDs that are 
stolen can be revoked.  All of these things go a long way to making the net 
more usable, more sane, and yes, more free.

This sort of identity does not mean you can't be anonymous.  Different sites 
can require different levels of identity.  One site may let you post completely 
anonymously as long as you have an identity proving you are a real person.  
Another site could go further and require you use your real name and be a real 
person.  So this isn't about being anonymous.

Lastly, we have email which is store and forward messaging really one to one 
messages and we do mailing lists on top. Email is not owned by any company.  
There have been some attempts over the years to create something like 
distributed chats (instant messages).  But so far, other than usenet, there are 
very few.  IRC is centralized per server.  The most recent one I have seen 
which looks really promising is Matrix.  It's completely distributed, not run 
by a company, similar to email.  It's still young though, it looks promising.  
It is not linked to any sort of real identity.  Your matrix id is like an email 
address but nothing stops you from having multiple matrix IDs.  This is 
probably a very touchy subject.

These are my opinions.  Your welcome to tell me I'm wrong, feel free to contact 
me off list.

Michael Grant



signature.asc
Description: PGP signature

Re: Failed to migrate controller cgroups

[Michael Grant]

On Wed, Jan 06, 2021 at 10:35:00AM +, Thomas Pircher wrote:
> Michael Grant wrote:
> > I'm seeing warnings like this in my logs:
> > 
> > Jan  3 04:48:49 bottom systemd[3436917]: -.slice: Failed to migrate 
> > controller cgroups from
> > +/user.slice/user-108.slice/user@108.service, ignoring: Permission denied
> 
> I take it you are using Debian testing and systemd 247.1?
> Try setting systemd.unified_cgroup_hierarchy=true in your kernel boot
> arguments, as suggested here[1].
> 
> Thomas
> 
> [1] https://bbs.archlinux.org/viewtopic.php?id=261330

Yes, it's true, I'm using 'testing' and yes, "apt-policy systemd" reports I a 
have systemd 247.1-3+deb11u1.

I'm using Linode.  I never saw a place to set these params in Linode and sure 
enough there doesn't appear to be.  Is there some way to set this without it 
needing to pass to the kernel as command line args at boot time?

Perhaps it's ok to just ignore this for now and it will get resolved 
eventually.  Any idea what problems this might be causing?  I haven't noticed 
anything.

Thanks for pointing me to that, I had not found that despite searching multiple 
times over the last couple weeks!

Michael Grant


signature.asc
Description: PGP signature

Failed to migrate controller cgroups

[Michael Grant]

I sent this a few days ago but nobody responded.  Does anyone have any ideas 
how to fix this permission problem?

I'm seeing warnings like this in my logs:

Jan  3 04:48:49 bottom systemd[3436917]: -.slice: Failed to migrate controller 
cgroups from
+/user.slice/user-108.slice/user@108.service, ignoring: Permission denied
Jan  3 08:20:25 bottom systemd[1410]: -.slice: Failed to migrate controller 
cgroups from
+/user.slice/user-108.slice/user@108.service, ignoring: Permission denied
Jan  3 08:20:25 bottom systemd[1411]: -.slice: Failed to migrate controller 
cgroups from
+/user.slice/user-115.slice/user@115.service, ignoring: Permission denied
Jan  3 08:41:04 bottom systemd[6153]: -.slice: Failed to migrate controller 
cgroups from
+/user.slice/user-1001.slice/user@1001.service, ignoring: Permission denied

I did some googling around and someone recommended looking at the output of 
journalctl:

# journalctl -b --no-hostname -u user@1001.service
-- Journal begins at Sat 2020-10-17 13:43:00 EDT, ends at Sun 2021-01-03 
08:41:16 EST. --
Jan 03 08:41:04 systemd[1]: Starting User Manager for UID 1001...
Jan 03 08:41:04 systemd[6153]: pam_unix(systemd-user:session): session opened 
for user strange by (uid=0)
Jan 03 08:41:04 systemd[6153]: Queued start job for default target Main User 
Target.
Jan 03 08:41:04 systemd[6153]: -.slice: Failed to migrate controller cgroups 
from
+/user.slice/user-1001.slice/user@1001.service, ignoring: Permission denied
Jan 03 08:41:04 systemd[6153]: Created slice User Application Slice.
Jan 03 08:41:04 systemd[6153]: Reached target Paths.
Jan 03 08:41:04 systemd[6153]: Reached target Timers.
Jan 03 08:41:04 systemd[6153]: Starting D-Bus User Message Bus Socket.
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG network certificate 
management daemon.
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache (access for web browsers).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache (restricted).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent 
(ssh-agent emulation).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache.
Jan 03 08:41:04 systemd[6153]: Listening on D-Bus User Message Bus Socket.
Jan 03 08:41:04 systemd[6153]: Reached target Sockets.
Jan 03 08:41:04 systemd[6153]: Reached target Basic System.
Jan 03 08:41:04 systemd[6153]: Reached target Main User Target.
Jan 03 08:41:04 systemd[6153]: Startup finished in 119ms.
Jan 03 08:41:04 systemd[1]: Started User Manager for UID 1001.

But this isn't helpful in finding the problem.  Where else might I look to find 
out what is causing this permission error so that I can fix it?



signature.asc
Description: PGP signature

Failed to migrate controller cgroups

[Michael Grant]

I'm seeing warnings like this in my logs:

Jan  3 04:48:49 bottom systemd[3436917]: -.slice: Failed to migrate controller 
cgroups from /user.slice/user-108.slice/user@108.service, ignoring: Permission 
denied
Jan  3 08:20:25 bottom systemd[1410]: -.slice: Failed to migrate controller 
cgroups from /user.slice/user-108.slice/user@108.service, ignoring: Permission 
denied
Jan  3 08:20:25 bottom systemd[1411]: -.slice: Failed to migrate controller 
cgroups from /user.slice/user-115.slice/user@115.service, ignoring: Permission 
denied
Jan  3 08:41:04 bottom systemd[6153]: -.slice: Failed to migrate controller 
cgroups from /user.slice/user-1001.slice/user@1001.service, ignoring: 
Permission denied

I did some googling around and someone recommended looking at the output of 
journalctl:

# journalctl -b --no-hostname -u user@1001.service
-- Journal begins at Sat 2020-10-17 13:43:00 EDT, ends at Sun 2021-01-03 
08:41:16 EST. --
Jan 03 08:41:04 systemd[1]: Starting User Manager for UID 1001...
Jan 03 08:41:04 systemd[6153]: pam_unix(systemd-user:session): session opened 
for user strange by (uid=0)
Jan 03 08:41:04 systemd[6153]: Queued start job for default target Main User 
Target.
Jan 03 08:41:04 systemd[6153]: -.slice: Failed to migrate controller cgroups 
from /user.slice/user-1001.slice/user@1001.service, ignoring: Permission denied
Jan 03 08:41:04 systemd[6153]: Created slice User Application Slice.
Jan 03 08:41:04 systemd[6153]: Reached target Paths.
Jan 03 08:41:04 systemd[6153]: Reached target Timers.
Jan 03 08:41:04 systemd[6153]: Starting D-Bus User Message Bus Socket.
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG network certificate 
management daemon.
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache (access for web browsers).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache (restricted).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent 
(ssh-agent emulation).
Jan 03 08:41:04 systemd[6153]: Listening on GnuPG cryptographic agent and 
passphrase cache.
Jan 03 08:41:04 systemd[6153]: Listening on D-Bus User Message Bus Socket.
Jan 03 08:41:04 systemd[6153]: Reached target Sockets.
Jan 03 08:41:04 systemd[6153]: Reached target Basic System.
Jan 03 08:41:04 systemd[6153]: Reached target Main User Target.
Jan 03 08:41:04 systemd[6153]: Startup finished in 119ms.
Jan 03 08:41:04 systemd[1]: Started User Manager for UID 1001.

But this isn't helpful in finding the problem.  Where else might I look to find 
out what is causing this permission error so that I can fix it?



signature.asc
Description: PGP signature

Re: setting the date for testing

[Michael Grant]

> Could it be that you have systemd-timesyncd running?
> 
> BTW, this is what I do to manually/explicitly set the system time (taken
> verbatim from my vimwiki, so don't mind the wording):
> 
> Changing the Current Date:
> 
> # timedatectl set-time 
> 
> Or both at once:
> 
> # timedatectl set-time  
> 
> This commands will fail if an NTP service is enabled. The NTP service can be
> enabled and disabled using a command as follows:
> 
> # timedatectl set-ntp 
> 
> Changes to the status of chrony or ntpd will not be immediately noticed by
> timedatectl. If changes to the configuration or status of these tools are
> made, enter the following command:
> 
> # systemctl restart systemd-timedated.service
> 
> By default, the system is configured to use UTC. To configure your system to
> maintain the clock in the local time, run the timedatectl command with the
> set-local-rtc option as root:
> 
> # timedatectl set-local-rtc 

I tried stopping systemd-timedated and ntp:

# systemctl stop systemd-timedated.service
# systemctl stop ntp

Then:

# timedatectl set-time 2025-12-13 14:01:42

and here's what I see by running date every few seconds:

# date
Sat 13 Dec 14:01:43 GMT 2025
# date
Sat 13 Dec 14:01:44 GMT 2025
# date
Sun 13 Dec 14:01:48 GMT 2020
# date
Sun 13 Dec 14:01:49 GMT 2020

I can't see anything running that would re-set the date.

This is a VM running inside virtualbox.  I just figured it out, it WAS
using the hardware clock.  I shut down the VM and ran this on the
host:

VBoxManage modifyvm MyVM --biossystemtimeoffset 12623040

and now when it booted, I saw this:

$ date
Sun 13 Dec 15:29:47 GMT 2020
$ date
Fri 13 Dec 15:29:59 GMT 2024
$ date
Fri 13 Dec 15:30:00 GMT 2024
$ date
Fri 13 Dec 15:30:01 GMT 2024
$ date
Fri 13 Dec 15:30:01 GMT 2024
$ date
Fri 13 Dec 15:31:49 GMT 2024

and now it appears to stick.  So I'm good.  Thanks for your help though!

Michael Grant


signature.asc
Description: PGP signature

RE: setting the date for testing

[Michael Grant]

This did not work:

# timedatectl set-ntp true
Failed to set ntp: NTP not supported
# timedatectl set-ntp false
Failed to set ntp: NTP not supported

Other ideas?

I am trying to set the date manually so that I can test the system set at 
future dates.  Setting the system using the date command, it just resets itself 
back to the current date/time after a few seconds.  How can I stop this?

Thanks!

Michael Grant
From: hdv@gmail
Sent: 07 December 2020 07:53
To: debian-user@lists.debian.org
Subject: Re: setting the date for testing

On 2020-12-06 21:56, hdv@gmail wrote:

 > # timedatectl set-ntp true

I am sorry for the typo. This should of course have been "false"!

Grx HdV

setting the date for testing

[Michael Grant]

I need to set the date to several years in the future in order to test 
something.  When I do this via the date command, the date returns back almost 
instantly (or within a few seconds).

# timedatectl set-time 2025-12-06 20:41:41
# date
Sat  6 Dec 20:41:43 GMT 2025
# date
Sat  6 Dec 20:41:44 GMT 2025
# date
Sun  6 Dec 20:41:48 GMT 2020

I’m not using ntp (that I know of). 

# timedatectl timesync-status
Failed to query server: The name org.freedesktop.timesync1 was not provided by 
any .service files

# timedatectl show
Timezone=Europe/London
LocalRTC=no
CanNTP=no
NTP=no
NTPSynchronized=no
TimeUSec=Sun 2020-12-06 20:37:19 GMT
RTCTimeUSec=Sun 2020-12-06 18:51:22 GMT

How can I stop (temporarily) the system from automatically setting the date so 
that I can set it forward?

Re: Most maintainable way to install perl modules on Debian sysetms

[Michael Grant]

> Well, that would do the job thoughtlessly. It might backfire
> spectacularly.
> 
> If one set up a service in that way, it would eventually get a
> terrible reputation.
> 
> If, on the other hand, one spent the time to maintain those
> packages properly... you could be a Debian Maintainer, and get
> them into the primary repos.
> 
> The third course, that doesn't commit you to doing that work and 
> doesn't expose you to that risk, is more or less as I've already
> outlined. 

apt has an excellent reputation, I'm not sure I see why mechanizing
such a process as apt does should be necessarily be bad.  I'm not
talking about blind nightly updates.

If this is truely the best way at the moment to keep perl modules
maintainable, I will try it.

Thanks.


signature.asc
Description: PGP signature

Re: Most maintainable way to install perl modules on Debian sysetms

[Michael Grant]

> cpan2deb takes a CPAN module and builds it as a Debian package.
> Use a common suffix like -mgrant and you can spot these in
> package listings.
> 
> When you upgrade, build new versions of all the -mgrant
> packages.

Thanks.  So in one way this makes it easier to remove the module which
cpan doesn't do, but I'd still have to track the module manually and
run this again and again, remembering or scripting something to do all
of this automatically.

Has anyone built something which when you ran apt upgrade, it would
look at each of these packages that were made by cpan2deb, then look
in cpan to see if the module was updated, then create a new deb and
upgrade the package?

That would really automate the whole process like apt upgrade.


signature.asc
Description: PGP signature

Most maintainable way to install perl modules on Debian sysetms

[Michael Grant]

I try to keep my systems as up to date as possible.  I use apt update 
regularly.  When I can install a perl module from apt, I usually do so because 
then apt update picks up new versions of it.  When I install something which 
has a dependency on a perl module in apt, that module gets installed.  Things 
just work and I am unstressed and happy.

However, what should I do if I need a perl module that someone hasn’t kindly 
created a package for?  I know I can install it from cpan.  But once I do that, 
then I have to keep that module up to date via cpan.  Perhaps I’m not alone and 
someone has a way to cross maintain these things that I’m unaware of?

So I yesterday, I decided to install a perl module from cpan.  I ran cpan for 
the first time in a long time, it asked me some question which I took the 
default (maybe I shouldn’t have!), then I installed Mail::DMARC.  It downloaded 
the source, grinded away for several minutes and when it was finished, it 
successfully installed the module.  Miraculous!

But it installed it in /usr/share/perl/5.30/Mail/DMARC.

I thought that’s odd, why would it install it in a folder that has a perl 
version?  Why not somewhere a bit more general like /usr/share/perl5?

What happens when Perl gets updated and /usr/share/perl/5.30/ is no longer in 
perl’s search path for its modules?  I’m worried that using this DMARC perl 
module, updating perl could just break mail someday!  Shouldn’t the default for 
cpan be something other than this version based directory on Debian?  Should I 
worry about this?  (this may be more a CPAN question than a Debian question to 
be honest).

So my question is, is there a recommended, maintainable way to install perl 
modules on Debian that are not installed by apt-get such that things get 
updated properly?

I suppose this could even be a general question when you consider other things 
like python, php, nodejs  and others, all of which have their own module 
systems.  Feels like there’s a need for a sort of meta-module system that works 
with apt, but I’m not sure which is why I am asking here.

Suggestions and advice welcome!

Michael Grant

loop module

[Michael Grant]

I’m seeing this error in my syslog on reboot:

/var/log/syslog:Mar 20 11:12:10 top kernel: [1.540080] loop: module loaded
/var/log/syslog:Mar 20 11:12:10 top systemd-modules-load[381]: Failed to lookup 
module alias 'loop': Function not implemented


In /etc/modules I have:

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.

loop

lsmod reports an empty list:

# lsmod
Module  Size  Used by


Any ideas what (if anything) I should do about this 'Function not implemented' 
error?




signature.asc
Description: PGP signature

RE: Group thoughts on: Anti-virus tools

[Michael Grant]

I use clamav along with clamav-unofficial-sigs, Sanesecurity and Securiteinfo 
(which I pay for)

Secondly, I use “Bitdefender Security for Mail Servers – Linux”, again which I 
pay for.

I use clamav-milter and the bdmilterd to scan mail using clamav and Bit 
Defender.

I must say that it was pretty difficult to convince someone to actually sell me 
Bit Defender for Linux!  It’s like a totally hidden product of theirs, but it 
does work and is effective.

systemd-modules-load: Failed to lookup module alias 'loop': Function not implemented

[Michael Grant]

I just updated my debian testing machine today and when I rebooted, I see these 
in the syslog:

/var/log/syslog:Mar  7 11:15:45 testing systemd-modules-load[368]: Failed to 
lookup module alias 'loop': Function not implemented
/var/log/syslog:Mar  7 11:15:45 testing kernel: [1.546655] loop: module 
loaded

Should I be worried?



signature.asc
Description: PGP signature

RE: certbot options

[Michael Grant]

Thanks folks, all great answers!  Not sure if there’s a best or correct answer. 

I did not know about certbot *.conf despite combing through the docs many times 
and I did not know about the systemctl override dir or the fact that you could 
copy that system file to the other dir and it would replace it, I figured that 
would make it run twice, good to know!  

The renewal/*.conf files seem to be created automatically, I certainly didn’t 
create those by hand, so modifying them looks like a bad idea.  Maybe using a 
pre/post arg to the original certbot command will cause that to be added to 
these files on creation?  I need to try that.

Michael Grant

From: Jim Popovitch
Sent: 28 November 2018 14:56
To: debian-user@lists.debian.org
Subject: Re: certbot options

On Wed, 2018-11-28 at 13:29 +, Michael Grant wrote:
> In /lib/systemd/system/certbot.service
>  
> The line to start certbot is:
> ExecStart=/usr/bin/certbot -q renew
>  
> If I modify this file by hand:
>  
> ExecStart=/usr/bin/certbot -q --pre-hook /usr/local/bin/certbot-
> prehook.sh renew
>  
> The next time certbot is updated by apt, this file gets overwritten
> and my change goes away.
>  
> Could someone please tell me the proper place to modify certbot’s
> default arg list or is there some systemctl command I should be doing
> instead of modifying this file directly?  Or is this a bug and
> apt-get should warn me before overwriting this file on update?


Is there a reason why you don't put 
"pre-hook /usr/local/bin/certbot-prehook.sh"
in /etc/letsencrypt/renewal/*.conf ?

-Jim P.


 

certbot options

[Michael Grant]

In /lib/systemd/system/certbot.service

The line to start certbot is:
ExecStart=/usr/bin/certbot -q renew

If I modify this file by hand:

ExecStart=/usr/bin/certbot -q --pre-hook /usr/local/bin/certbot-prehook.sh renew

The next time certbot is updated by apt, this file gets overwritten and my 
change goes away.

Could someone please tell me the proper place to modify certbot’s default arg 
list or is there some systemctl command I should be doing instead of modifying 
this file directly?  Or is this a bug and apt-get should warn me before 
overwriting this file on update?

restarting ntp

[Michael Grant]

I restarted ntp today and noticed this in the logs:

Mar 17 07:12:41 bottom systemd[1]:
/lib/systemd/system/system-update-cleanup.service:35: Unknown lvalue
'SuccessAction' in section 'Service'
Mar 17 07:12:42 bottom systemd[1]:
/lib/systemd/system/system-update-cleanup.service:35: Unknown lvalue
'SuccessAction' in section 'Service'
Mar 17 07:12:43 bottom systemd[1]:
/lib/systemd/system/system-update-cleanup.service:35: Unknown lvalue
'SuccessAction' in section 'Service'
Mar 17 07:12:44 bottom systemd[1]:
/lib/systemd/system/system-update-cleanup.service:35: Unknown lvalue
'SuccessAction' in section 'Service'
Mar 17 07:12:44 bottom systemd[1]:
/lib/systemd/system/system-update-cleanup.service:35: Unknown lvalue
'SuccessAction' in section 'Service'
Mar 17 07:12:50 bottom systemd[1]: Stopping Network Time Service...

So I looked at this line in the system-update-cleanup.service file:

SuccessAction=reboot

It's the last line in the file in the [Service] section.  A little research
shows that this line seems to belong in the [Unit] section.

Dare I move it?  Not sure if this is a known bug or if this is just some
rot that's occurred over time on my debian systems.

I don't really know what this file does with respect to stopping ntp but it
would be a bit odd if my system rebooted when I simply restarted ntp!

systemd errors

[Michael Grant]

I'm seeing the following errors in my daemon.log:

Jan  5 05:05:30 debian systemd[1]: File
/lib/systemd/system/systemd-journald.service:35 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:30 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:30 debian systemd[1]: File
/lib/systemd/system/systemd-logind.service:37 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:30 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:30 debian systemd[1]: File
/lib/systemd/system/systemd-udevd.service:34 configures an IP firewall
(IPAddressDeny=any), but the local system does not support BPF/cgroup
based firewalling.
Jan  5 05:05:30 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:30 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:30 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]: Reloading.
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-journald.service:35 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-logind.service:37 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-udevd.service:34 configures an IP firewall
(IPAddressDeny=any), but the local system does not support BPF/cgroup
based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]: Reloading.
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-journald.service:35 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-logind.service:37 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-udevd.service:34 configures an IP firewall
(IPAddressDeny=any), but the local system does not support BPF/cgroup
based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]: Reloading.
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-journald.service:35 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-logind.service:37 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]: File
/lib/systemd/system/systemd-udevd.service:34 configures an IP firewall
(IPAddressDeny=any), but the local system does not support BPF/cgroup
based firewalling.
Jan  5 05:05:31 debian systemd[1]: Proceeding WITHOUT firewalling in effect!
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]:
/lib/systemd/system/user@.service:21: Failed to parse boolean value,
ignoring: pids cpu
Jan  5 05:05:31 debian systemd[1]: Reexecuting.
Jan  5 05:05:31 debian systemd[1]: systemd 236 running in system mode.
(+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP
+LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS
+KMOD -IDN2 +IDN default-hierarchy=hybrid)
Jan  5 05:05:31 debian systemd[1]: Detected virtualization kvm.
Jan  5 05:05:31 debian systemd[1]: Detected architecture x86-64.
Jan  5 05:05:31 debian systemd[1]: File

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

> First, this LD_PRELOAD library does exactly one thing - it downgrades
> default TLS version to TLS1.0. If your users have the trouble connecting
> to your mailserver because their clients cannot do TLS1.2 and that's the
> only thing your mailserver advertizes - your users still won't be able
> to connect after downgrading *their* end to TLS1.0.
> Second, I somehow doubt that your users' MUAs are based on openssl.
> Third, since then LD_PRELOAD works on Windows?

First, using your LD_PRELOAD hack on the Debian server, if a client
connects and DOES support TLSv1.2, will use 1.2 or 1.0?

Second, reading the code, and I'm no expert with the openssl library,
does this cause "outbound" connections to be version 1.0? If I
understand you and your code properly, that's what it's going to do.
I don't know if there's a mechanism in TLS to start with 1.2 and fail
back to a lesser version if the other end doesn't support it.

> What you *can* do with this library is to deploy it on your *server* and
> LD_PRELOAD cirrus/dovecot/exim/postfix/whatever you have there. It may
> even work (I haven't tried it though).

Yes of course!  I had no intention of trying to install this on the
clients!  I have not tried your hack yet either.

> 'if you have to do a
> server - you use Debian stable'.

Why am I using Debian Testing?  I have been using Testing for several
years now and this is the first such issue I've had where it wasn't
clear what to do.  And as stated, this issue will probably find it's
way into Stable too, this is just a preview.

Several years ago I was running Stable but I found that there were
many packages that did not make it into back-ports.  I was constantly
in situations where packages I needed to install simply were not
available in stable and they had dependencies which I could not easily
resolve.  I did not want to start building my own packages.  After
frustration upon frustration, I finally moved to testing and all my
problems like this disappeared.  I have been delighted with the
Testing branch.  It's very very stable and in the odd case where it
isn't, pinning a package for a while has not caused me problems.
However, this situation is different as this package might need to be
pinned for YEARS. And as we've said, it's probably going to affect
Stable as well at some point and then I may be forced to do something
different.

What about publicly forking the libssl1 package (like Sven did
privately) and having a version of this that tracks all the bug fixes
and improvements except the 1.2 requirement?  Once you install it, it
over-rides/replaces the original.  There is probably a right way to do
this.

Ok so I'm not running a university or a large business.  I'm just
doing this for a bunch of professional friends and family, still I
treat it like real infra since we all have livelihoods that depend on
this infra.

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

Nifty, been a while since I used the LD_PRELOAD trick myself.

This whole thing has been bothering me over the last couple days.  Why
are so few people having this issue?  18 or so posts on this, only 3
or so of us have done anything about this.  I backed out libssl (and
pinned it).  Reco makes a LD_PRELOAD hack.  Sven recompiles OpenSSL
with patch removed.

Did this or will this patch get into Stretch Stable yet as a security
patch?  If yes, then won't there be hundreds if not thousands of
people screaming about this?

I am wondering why it's so few of us who seem to be affected?  I
suspect it's because 1) we're running Debian Testing and most of the
Debian world runs Stable, 2) more and more people are turning to gmail
and outlook.com instead of running their own mail servers and 3) the
few remaining people who do go to the trouble of using Debian Testing
as a mail server probably wouldn't care that much about getting TLS
set up with imap/pop/smtp working at all.

If this patch won't go to Stretch as a security fix, then the world is
hidden from this until Buster comes out in about 2 years.

But what's going to happen if there is some other security fix which
is needed in Stretch's libssl1.1 (1.1.0f-3)?  Will there be some fork
of this library for Stretch without this patch?  Or will at that time
this patch get swept in with some other future security patch and the
hit the wild with Stretch stable + security patches?

By pinning this library at 1.1.0f-3 on my system, I feel somehow I've
done the wrong thing.  I started to think I should put in Reco's hack
until these Windows 7 and Mac 10.11 users move to more modern releases
or MS and Apple send out patches for their older stuff.  Or maybe I
should follow Stretch (and it's security fixes) for only this package
instead of pinning it to this version.

And by the way, this isn't just limited to mail clients.  It's also
affecting MTAs.  I see a large number of mail servers connecting to my
server that only do TLSv1 and TLSv1.1.  When they can't do TLS, I
think they just fall back to SMTP in the clear.  So the problem isn't
obvious to any user and mail in general is just less secure.

In doing some reading about TLS and it's problems, there are problems
with TLSv1 and I understand those were fixed in Debian's libssl1.
TlSv1.1 had some problems but were more minor and the move to 1.2
seemed more about enhancing security versus some removing design
flaws.  Clearly the vendors like Microsoft and Apple did not think it
critical to move away from TLSv1 and TLS1.1 and probably patched it
like Debian.  Hence they consider their versions of TLSv1 and TLSv1.1
safe enough.

While I am totally sympathetic to getting the world onto TLSv1.2 and
greater, this seems like a support disaster waiting to happen.

What is the right way for an admin to handle this problem on Debian Testing?

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

On 5 September 2017 at 22:40, Sven Hartge <s...@svenhartge.de> wrote:
> Michael Grant <mgr...@grant.org> wrote:
>
>> Is there something I can set on Debian side to force this newer
>> openssl to accept older 1.x connections?
>
> No, you can't.
>
> Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> program needs to call a special function of OpenSSL to override the
> default minimum TLS-version of TLS1.2.
>
> Problem is: next to no program implements this as of yet.
>
> The Dovecot developers may introduce the needed change in some of the
> coming versions, with sendmail I believe you will be out of luck.

Ugh no!

> First help: Grab an older OpenSSL version from snapshots.debian.org to
> get going again.
>
> My solution (other than complaining on the debian-devel mailinglist) was
> to recompile OpenSSL with the patch in question removed.
>
> Of course in doing so I burdened myself with tracking any new release of
> the OpenSSL packages and recompile them until this situation has been
> resolved in some other way.

Thanks for confirming that I did the best thing I could: reinstall the
previous version of libssl.

I was surprised that this problem affected fairly recent MacOS and
Windows Outlook users.  I was also surprised that not many people had
reported this and as I continued to google around for this, I found
only this chain of posts!  And this has been in the wild now for about
10 days.

I'm sure this fix needs to be in there, forcing it on people without
making sure major mailers are going to accept it is just going to
create more problems.  It probably would have been a good idea to put
a loud warning in the log files about this.  The message given by apt
during the update:

  By default the minimum supported TLS version is 1.2. If you still need to
  talk to applications that only support TLS 1.0 you should configure the
  application to set the minimum supported version.

This is highly misleading that it is easy to do this!

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

On 5 September 2017 at 20:29, Michael Grant <mgr...@grant.org> wrote:
> On 5 September 2017 at 19:15, Gene Heskett <ghesk...@shentel.net> wrote:
>> On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
>>
>>> I upgraded openssl today in my server running testing.  It installed
>>> version 1.1.0f-5.  To my surprise, my mac clients can no longer send
>>> and receive email!
>>>
>> As that is a security related upgrade, I would next push the Mac people
>> to match it, or if possible, configure the Macs to use the more secure
>> protocol.
>
> Any clues how to configure the Mac to use the more secure protocol?
> All the software is up-to-date on the Mac side.  I don't see any
> obvious option in any of the mail settings on the Mac side.
>
> This is the error I see in the mail logs for both dovecot and sendmail:
>
> dovecot:
> TLS handshaking: SSL_accept() failed: error:1417D102:SSL
> routines:tls_process_client_hello:unsupported protocol, session=<...>
>
> sendmail:
> STARTTLS=server: 0:error:1417D102:SSL
> routines:tls_process_client_hello:unsupported
> protocol:../ssl/statem/statem_srvr.c:974:
>
> I realize this isn't a MacOS forum but the error message here is on
> the Debian side.  Other mail clients like Windows Mail connect fine.
>
> Is there something I can set on Debian side to force this newer
> openssl to accept older 1.x connections?

I could not find any option I could set in the dovecot.conf or the
sendmail.mc file to make libssl accept tls 1.1.  I managed to revert
back libssl to get back to a working situation until the client's get
updated.

I downloaded libssl1.1_1.1.0f-3_amd64.deb

and did:

dpkg -i libssl1.1_1.1.0f-3_amd64.deb

restarted sendmail and dovecot and everyone can now connect.

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

On 5 September 2017 at 19:15, Gene Heskett <ghesk...@shentel.net> wrote:
> On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
>
>> I upgraded openssl today in my server running testing.  It installed
>> version 1.1.0f-5.  To my surprise, my mac clients can no longer send
>> and receive email!
>>
> As that is a security related upgrade, I would next push the Mac people
> to match it, or if possible, configure the Macs to use the more secure
> protocol.

Any clues how to configure the Mac to use the more secure protocol?
All the software is up-to-date on the Mac side.  I don't see any
obvious option in any of the mail settings on the Mac side.

This is the error I see in the mail logs for both dovecot and sendmail:

dovecot:
TLS handshaking: SSL_accept() failed: error:1417D102:SSL
routines:tls_process_client_hello:unsupported protocol, session=<...>

sendmail:
STARTTLS=server: 0:error:1417D102:SSL
routines:tls_process_client_hello:unsupported
protocol:../ssl/statem/statem_srvr.c:974:

I realize this isn't a MacOS forum but the error message here is on
the Debian side.  Other mail clients like Windows Mail connect fine.

Is there something I can set on Debian side to force this newer
openssl to accept older 1.x connections?

Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

[Michael Grant]

I upgraded openssl today in my server running testing.  It installed
version 1.1.0f-5.  To my surprise, my mac clients can no longer send
and receive email!

How do I roll back to the previous version of openssl?

"apt-cache showpkg openssl" only shows version 1.1.0f-5.

apt install openssl=1.1.0f-3
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '1.1.0f-3' for 'openssl' was not found

I gather I need to add something to my sources.list to get at the
older versions.

Re: OCR

[Michael Grant]

I have used expensify.com at work.  They have a free tier.  Scanning
and an app on the phone that you just take a photo of receipts as you
go works well.  If you can limit your expenses to 10 scans a month
it's free.

Re: w, who, finger, last, and netstat and ipv6

[Michael Grant]

I just figured out what is going on.  The problem is gnu screen.

It's screen that's truncating the address.  When login and don't reattach
to my screen, I get the full address and "PROCPS_FROMLEN=40 w" prints the
expected full address.

Re: w, who, finger, last, and netstat and ipv6

[Michael Grant]

>
>
>
> > % who
> > mgrant   pts/12016-07-18 06:15 (2a00:S.1)
>
> I type "who" on Debian jessie and I do get the full IPv6 address:
>
> $ who
> andy pts/62016-07-23 01:42 (2001:ba8:1f1:f019::2)
> $ who --version
> who (GNU coreutils) 8.23
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Joseph Arceneaux, David MacKenzie, and Michael Stone.
>

I'm running Debian Testing

% who --version
who (GNU coreutils) 8.25
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Joseph Arceneaux, David MacKenzie, and Michael Stone.

How odd that you are getting completely different results from me.  I tried
setting PROCPS_FROMLEN and it indeed makes the field wider but it's all
blank padded out, this does not make the address any longer.

I feel maybe I have some conflicting lib installed somehow that's messing
up the representation of these addresses.  I did not back out this version
and install 8.23.


>
> Using the "-a" option to put the hostname/IP at the end does allow
> it to be of arbitrary length:
>
> $ last -a
> andy pts/6Sat Jul 23 01:42   still logged in
> 2001:ba8:1f1:f019::2


last -a and netstat --wide do help, thanks for that!

w, who, finger, last, and netstat and ipv6

[Michael Grant]

Why is it w, who, and finger truncate an ipv6 address just after the first
4 characters of the address (the first :)?

% who
mgrant   pts/12016-07-18 06:15 (2a00:S.1)

% w
 18:37:31 up 4 days, 12:26,  4 users,  load average: 0.05, 0.07, 0.05
USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
mgrant   pts/12a00:S.1 Mon064days  0.02s  0.02s /bin/bash

%  finger
Login NameTty  Idle  Login Time   Office Office
Phone
mgrantMichael Grant   pts/1  4d  Jul 18 06:15 (2a00:S.1)


The 'last' command does a little better, it truncates at 16 characters:

mgrant   pts/02a00:23c4:6d10:4 Fri Jul 22 18:04:00 2016   still
logged in

netstat does a little better still but not much:

tcp6   0   2640 2600:3c00:::9:22 2a00:23c4:6d10:4d:36663
ESTABLISHED 12345/sshd: mgrant


It seems near impossible to find out what the ip address someone is logged
in from when they come in via ipv6.  tcpdump -n seems about the only way.

This seems so basic.  Could all of these programs except tcpdump be broken
with respect to displaying ipv6 addresses?


Michael Grant

conservative automatic updating with cron-apt

[Michael Grant]

I feel the need to do some updates automatically but sometimes this just
isn't a good idea.

I use cron-apt.  But I don't have it auto installing because if something
starts asking questions I have no way to intervene.  However, for many
(most!) updates, they go without problems and do not require user
interaction.

Is there some combination of options to apt-get which will not do any
updates (and their dependencies) which require input or require me to diff
or manually update files which can't be done automatically?

Essentially what I want cron-apt to do is 1) do all the updates you can
which do not require user interaction, and 2) tell me what you didn't do
that I need to take care of manually.

Anyone found a way to do this?

Re: who/w/finger/last printing ip address

[Michael Grant]

(I of course edited my own host's ip address here for 10.20.30.40)

But yes, getent resolves my host ip to a name.  who/w/finger/last all still
do not resolve the host.

On Tue, Sep 8, 2015 at 1:14 PM, Reco <recovery...@gmail.com> wrote:

>  Hi.
>
> On Tue, Sep 08, 2015 at 12:39:06PM +0100, Michael Grant wrote:
> > Any idea why I'm NOT getting hostnames by default?
> >
> > $ who
> > mgrant   pts/12015-09-05 07:30 (10.20.30.40:S.1)
> > mgrant   pts/22015-09-05 07:30 (10.20.30.40:S.2)
> > mgrant   pts/32015-09-05 07:30 (10.20.30.40:S.3)
> > mgrant   pts/42015-09-05 07:30 (10.20.30.40:S.4)
> > $ w
> >  07:34:29 up 3 days, 6 min,  4 users,  load average: 0.03, 0.06, 0.05
> > USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
> > mgrant   pts/110.20.30.40:S. Sat07   26:48m  0.09s  0.09s /bin/bash
> > $  finger
> > Login     NameTty  Idle  Login Time   Office Office
> Phone
> > mgrantMichael Grant   pts/1  1d  Sep  5 07:30 (10.20.30.40:S.1)
> > mgrantMichael Grant   pts/2   14:12  Sep  5 07:30 (10.20.30.40:S.2)
> > mgrantMichael Grant   pts/3  Sep  5 07:30 (10.20.30.40:S.3)
> > mgrantMichael Grant   pts/4  3d  Sep  5 07:30 (10.20.30.40:S.4)
>
> Because your host is unable to resolve the IPs to hostnames, maybe?
> What does 'getent hosts 10.20.30.40' show?
>
> Reco
>

Re: who/w/finger/last printing ip address

[Michael Grant]

$ ls -al /usr/bin/w
lrwxrwxrwx 1 root root 19 Feb 11  2014 /usr/bin/w -> /etc/alternatives/w
$ ls -al /etc/alternatives/w
lrwxrwxrwx 1 root root 17 Feb 11  2014 /etc/alternatives/w ->
/usr/bin/w.procps
$ w -V
w from procps-ng 3.3.10
$ who --version
who (GNU coreutils) 8.23


also "who --lookup" makes no attempt to look up the ip addresses either.

So is this now the expected behavior in Debian?

Re: who/w/finger/last printing ip address

[Michael Grant]

Any idea why I'm NOT getting hostnames by default?

$ who
mgrant   pts/12015-09-05 07:30 (*10.20.30.40*:S.1)
mgrant   pts/22015-09-05 07:30 (*10.20.30.40*:S.2)
mgrant   pts/32015-09-05 07:30 (*10.20.30.40*:S.3)
mgrant   pts/42015-09-05 07:30 (*10.20.30.40*:S.4)
$ w
 07:34:29 up 3 days, 6 min,  4 users,  load average: 0.03, 0.06, 0.05
USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
mgrant   pts/1*10.20.30.40*:S. Sat07   26:48m  0.09s  0.09s /bin/bash
$  finger
Login NameTty  Idle  Login Time   Office Office
Phone
mgrantMichael Grant   pts/1  1d  Sep  5 07:30 (*10.20.30.40*:S.1)
mgrantMichael Grant   pts/2   14:12  Sep  5 07:30 (*10.20.30.40*:S.2)
mgrantMichael Grant   pts/3  Sep  5 07:30 (*10.20.30.40*:S.3)
mgrantMichael Grant   pts/4  3d  Sep  5 07:30 (*10.20.30.40*:S.4)

who/w/finger/last printing ip address

[Michael Grant]

I'm running debian testing.  Just did an apt-get update.  who, w, finger,
and last are all now printing the ip address instead of the hostname.  the
wtmp seems to have the ip address now instead of the hostname.  Last shows
hostnames up to when I did the apt-get update today and then ip addresses.

Is this expected?  Is something in the works and this is in the process of
changing?

I have to say in some ways this seems like a feature not a bug!  I've long
missed the option some other unixes have to inhibit resolving the name.
But at the moment the hostname!  Frankly, there should be an option to w,
who, finger, and last to not resolve the addresses.

Re: sendmail on debian testing

[Michael Grant]

I finally managed to get sendmail working using systemd.

Here is my /etc/systemd/system/sendmail.service:

[Unit]
Description=Sendmail Mail Transport Agent
Requires=clamav-daemon.service spamassassin.service
After=syslog.target network.target clamav-daemon.service
spamassassin.service
Conflicts=postfix.service exim.service

[Service]
Type=forking
PIDFile=/run/sendmail/mta/sendmail.pid
Environment=SENDMAIL_OPTS=-q1h
EnvironmentFile=-/etc/default/sendmail
ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG

[Install]
WantedBy=multi-user.target

and my /etc/tmpfiles.d/sendmail.conf file:
d /run/sendmail/ 0755 smmta smmsp
d /run/sendmail/mta/ 0755 smmta smmsp

I am using clamav-milter and spamass-milter, hence the Requires= and After=
lines.  If you are not using these, probably you should remove those.

Is it wrong to include these dependencies in sendmail.system?  The thing
is, these milters are not specific to sendmail.  Other mailers that support
the milter interface can use them as well.  And they are not required for
sendmail.  So I wonder which pakage's responsibility it would be to add
these dependencies to sendmail.system or if this is even the correct place
to do that.

With the init.d, clamav-milter and spamass-milter install themselves with a
lower number than sendmail and always start before whatever mailer is
installed.  Once you go to explicit dependencies like this, is it clam's
and spamassassin's job to know all the possible mailers out there that
might use it?  Or is it sendmail's job to know all the possible milters out
there and state them as dependencies?

Another observation, to get this working, the only way I found to properly
test this was to continually reboot.  I could get sendmail to start by hand
quite early on, but it was not starting by on reboot because of the timing
problem in the dependencies.  This makes systemd rather more difficult to
debug things in my opinion.

Re: SCIM - terminal spreadsheet - sc fork

[Michael Grant]

  El 22/02/2015, a las 00:52, Michael Grant mgr...@grant.org escribió:
 ...
 
  ttycalc or ttc as a short name for the command.
 
  The calc part of the name is reminiscent of VisiCalc, the original
 spreadsheet.


On Sun, Feb 22, 2015 at 1:14 PM, Andrés Martinelli andma...@gmail.com
 wrote:

 I like it!!!  How would you pronounce it??


Well, I suppose that all depends how you pronounce tty.  I hear people
pronounce pty like pitty.

Re: SCIM - terminal spreadsheet - sc fork

[Michael Grant]

On 21 February 2015 14:09:14 CET, Andrés Martinelli andma...@gmail.com 
wrote:
Hello there!
As many of you already pointed, the spreadsheet app SCIM I am working
on,
collides in its name with Smart Common Input Method.
I decided that is time to change its name to avoid problems and to get
lost
with the other.

What are your suggestions?

Thanks!

Andrés M.

Not sure if this has been used.

ttycalc or ttc as a short name for the command.

The calc part of the name is reminiscent of VisiCalc, the original spreadsheet.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/69c68239-de99-4d00-a5e8-9053e498c...@grant.org

Re: sendmail on debian testing

[Michael Grant]

I'm still searching for an answer to this.

After upgrade from wheezy to testing, sendmail no longer starts.

I see that the system is using systemd.  I see that the
/etc/init.d/sendmail script now runs /bin/systemctl start
sendmail.service.  But sendmail isn't started.  Even running
'/bin/systemctl start sendmail.service' manually, nothing happens.

I don't see any obvious way to get any debug info out of systemctl.

# systemctl is-enabled sendmail
Failed to get unit file state for sendmail.service: No such file or
directory

and

# /bin/systemctl enable sendmail.service
Synchronizing state for sendmail.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d sendmail defaults
Executing /usr/sbin/update-rc.d sendmail enable
# systemctl is-enabled sendmail
Failed to get unit file state for sendmail.service: No such file or
directory


On Sun, Feb 1, 2015 at 12:11 AM, Michael Grant mgr...@grant.org wrote:

 Today I upgraded a test machine from wheezy to testing.

 It seemed to install systemd, I'm not sure if it's using it or not.

 One thing I noticed though was that sendmail no longer starts at boot.
 Even if I run:

 /etc/init.d/sendmail start

 or if I cd to /etc/mail and run:

 make restart

 or if I do this:


 nothing except running 'sendmail -bd' will start sendmail.

 In syslog I see this:

 Jan 31 18:53:43 blah systemd[1]: Started LSB: powerful, efficient, and
 scalable Mail Transport Agent.

 in mail.log I don't see anything when I try to start sendmail via
 /etc/init.d/sendmail.

 I do not have the lsb-invalid-mta package installed.  I have tried
 reinstalling the sendmail package.  I have tried the testing and unstable
 versions of sendmail.

 Any ideas where I should look next to figure out what's going on?

 Michael Grant

Re: sendmail on debian testing

[Michael Grant]

On Tue, Feb 3, 2015 at 4:04 PM, Reco recovery...@gmail.com wrote:

  Hi.

 On Tue, Feb 03, 2015 at 02:03:25PM +, Michael Grant wrote:
  I'm still searching for an answer to this.
 
  After upgrade from wheezy to testing, sendmail no longer starts.
 
  I see that the system is using systemd.  I see that the
 /etc/init.d/sendmail script now runs /bin/systemctl start
 sendmail.service.  But sendmail isn't
  started.  Even running '/bin/systemctl start sendmail.service' manually,
 nothing happens.

 A nessesary correction - /etc/init.d/sendmail *tries* to run
 '/bin/systemctl start sendmail.service'.

 But, since no sendmail* package provide systemd's service file -
 nothing happens.

 Such behaviour cannot be considered systemd's bug IMO - systemd simply
 does what it's intended to do in this case.

 But, at the same time, such behaviour can be considered as a sendmail
 bug (given that systemd is Jessie's default init, and sendmail is not
 starting with this init).

 Still, there's a way to workaround this.

 Try adding

 export _SYSTEMCTL_SKIP_REDIRECT=true

 to /etc/init.d/sendmail


Thanks, this is progress, I can now start sendmail by hand by running
'/etc/init.d/sendmail start', but it's not starting automatically at boot
time.

I don't know if this has anything to do with that:

# systemctl enable sendmail
Synchronizing state for sendmail.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d sendmail defaults
Executing /usr/sbin/update-rc.d sendmail enable

# systemctl is-enabled sendmail
Failed to get unit file state for sendmail.service: No such file or
directory

also, a better place to add this:

export _SYSTEMCTL_SKIP_REDIRECT=true

to is /etc/default/sendmail and not modify /etc/init.d/sendmail.  Adding
this to /etc/default/sendmail seems to work equally as well in that running
'/etc/init.d/sendmail start' does manually start sendmail.

Incidentally, the sendmail package even in experimental is significantly
out of date. The package appears orphaned. Several people seem to have
tried to step up to do something about this but nothing has happened. Is
sendmail dead on Debian?

Re: sendmail on debian testing

[Michael Grant]

On Tue, Feb 3, 2015 at 6:26 PM, Ansgar Burchardt ans...@debian.org wrote:

 ...
 Could you try restarting sendmail (systemctl restart sendmail) and show
 the output of `systemctl status sendmail'? It also shows the most recent
 log entries, but the output of journalctl --unit sendmail --since -5min
 might also be useful (if it shows more messages).


So, this is interesting.   'systemctl restart sendmail' with no other
changes to the system does start sendmail manually.  However, 'systemctl
start sendmail' does not, at least, not without Reco's line in
/etc/default/sendmail.

so after a REstart which succeeds, the status looks like this:

# systemctl status sendmail
● sendmail.service - LSB: powerful, efficient, and scalable Mail Transport
Agent
   Loaded: loaded (/etc/init.d/sendmail)
   Active: active (running) since Tue 2015-02-03 18:12:38 EST; 4min 8s ago
  Process: 3733 ExecStop=/etc/init.d/sendmail stop (code=exited,
status=0/SUCCESS)
  Process: 3757 ExecStart=/etc/init.d/sendmail start (code=exited,
status=0/SUCCESS)
   CGroup: /system.slice/sendmail.service
   └─3785 sendmail: MTA: accepting connections

Feb 03 18:12:36 bottom.networkguild.org systemd[1]: Starting LSB: powerful,
e...
Feb 03 18:12:36 bottom.networkguild.org sm-mta[3785]: starting daemon
(8.14.4...
Feb 03 18:12:36 bottom.networkguild.org sm-mta[3785]: daemon could not open
c...
Feb 03 18:12:36 bottom.networkguild.org sm-mta[3785]: started as:
/usr/sbin/s...
Feb 03 18:12:38 bottom.networkguild.org sendmail[3757]: Starting Mail
Transpo...
Feb 03 18:12:38 bottom.networkguild.org systemd[1]: Started LSB: powerful,
ef...
Hint: Some lines were ellipsized, use -l to show in full.

Now here's something I can't explain.  After I do the systemctl restart,
now I can do systectl stop and systemctl start and they work fine but only
after doing a restart first after boot.

In case this isn't clear:

1) reboot
2) sendmail not running
3) run 'systemctl start sendmail' by hand, exits quickly, sendmail NOT
started
4) run 'systemctl restart sendmail'.  It takes a few seconds, sendmail
starts
5) run 'systemctl stop sendmail'.  again, takes a few seconds, sendmail
stops
6) run 'systemctl start sendmail', it takes a few seconds, sendmail starts.

When I run systemctl status sendmail just after rebooting, this is what it
looks like:

# systemctl status sendmail
● sendmail.service - LSB: powerful, efficient, and scalable Mail Transport
Agent
   Loaded: loaded (/etc/init.d/sendmail)
   Active: active (exited) since Tue 2015-02-03 18:23:25 EST; 1min 27s ago
  Process: 2604 ExecStart=/etc/init.d/sendmail start (code=exited,
status=0/SUCCESS)

Feb 03 18:23:24 bottom.networkguild.org sendmail[2604]: Starting Mail
Transpo...
Feb 03 18:23:24 bottom.networkguild.org sm-mta[2822]: NOQUEUE:
SYSERR(root): ...
Feb 03 18:23:25 bottom.networkguild.org sendmail[2604]: .
Feb 03 18:23:25 bottom.networkguild.org systemd[1]: Started LSB: powerful,
ef...
Hint: Some lines were ellipsized, use -l to show in full.

# ps aux | grep sendmail | grep -v grep

There's no sendmail process.


 I tried installing sendmail on a minimal test installation and systemd
 started at least one daemon (sendmail: MTA: accepting connections),
 so at least something gets started (though it complained about the test
 installation not having a FQDN so other parts might be broken and not
 have started).


So one difference is I upgraded a machine from wheezy to testing.  Yes,
that's the sendmail daemon you see, that's what success looks like.  But at
least you are getting it to start at boot whereas I am not.

Re: sendmail on debian testing

[Michael Grant]

On Tue, Feb 3, 2015 at 6:16 PM, Reco recovery...@gmail.com wrote:

 On Tue, Feb 03, 2015 at 05:31:26PM +, Michael Grant wrote:
  On Tue, Feb 3, 2015 at 4:04 PM, Reco recovery...@gmail.com wrote:
 ...
 
  Try adding
 
  export _SYSTEMCTL_SKIP_REDIRECT=true
 
  to /etc/init.d/sendmail
 
  Thanks, this is progress, I can now start sendmail by hand by running
 '/etc/init.d/sendmail start', but it's not starting automatically at boot
 time.

 An expected result, sadly (see below).


  I don't know if this has anything to do with that:
 
  # systemctl enable sendmail
  Synchronizing state for sendmail.service with sysvinit using
 update-rc.d...
  Executing /usr/sbin/update-rc.d sendmail defaults
  Executing /usr/sbin/update-rc.d sendmail enable
 
  # systemctl is-enabled sendmail
  Failed to get unit file state for sendmail.service: No such file or
 directory

 No, it doesn't have anything with it.

 Systemd uses it's own way to define a service called a 'service unit'.
 Presumably, systemd has something for the compatibility with old init
 (aka sysvinit), which *should* start those /etc/init.d/ scripts just as
 good as if sysvinit itself would do it. Well, now we see how well it
 works in the reality :)


 Ok, let's try something different then - based on [1]. Try creating the
 file called /etc/systemd/system/sendmail.service with the following
 contents:

 ###cut###

 [Unit]
 Description=Sendmail Mail Transport Agent
 After=syslog.target network.target
 Conflicts=postfix.service exim.service

 [Service]
 Type=forking
 PIDFile=/run/sendmail.pid
 Environment=SENDMAIL_OPTS=-q1h
 EnvironmentFile=-/etc/default/sendmail
 ExecStartPre=-/etc/mail/make
 ExecStartPre=-/etc/mail/make aliases
 ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG

 [Install]
 WantedBy=multi-user.target

 ###cut###


 Revert the _SYSTEMCTL_SKIP_REDIRECT change, see how it goes now.
 This unit file may require tweaking in $SENDMAIL_OPTS $SENDMAIL_OPTARG
 part - I'm unable to check now what kind of variables are sourced by
 /etc/default/sendmail.

 Ok, I tried creating that file and removing the line from
/etc/default/sendmail.  It still did not come up when the machine booted.



  Incidentally, the sendmail package even in experimental is significantly
 out of date. The package appears orphaned. Several people seem to have
 tried to step
  up to do something about this but nothing has happened. Is sendmail dead
 on Debian?

 Unknown to me. Truth to be told, personally I try to avoid using
 sendmail whenever possible. Sendmail.cf's syntax is way too arcane to me.
 Still, I can't stand a broken Debian package more than a certain MTA :)


I've used sendmail since the '80s.  It's difficult find a more stable  and
well tested mailer.  Almost impossible to get it to drop a message to
/dev/null unlike some other mailers out there.  I used to write my own cf
files back in the day but you really don't have to mess with that now.  The
m4 syntax is a bit ugly but usable and now it's just a configuration file.

Re: sendmail on debian testing

[Michael Grant]

On Tue, Feb 3, 2015 at 7:03 PM, Bob Proulx b...@proulx.com wrote:

 Michael Grant wrote:
  I'm still searching for an answer to this.
  After upgrade from wheezy to testing, sendmail no longer starts.
  I see that the system is using systemd.
  ...

 Some comments that I think are relevant...

 Since it took a while for someone to respond to your question it tells
 me that it is a combination of tools that not many people are using.
 You are using sendmail in combination with systemd.  That is an
 unusual combination.  If it were widely used then many people would
 have been responding already.  Frankly you might be one of the few
 trailblazing that combination.


I do not mind trailblazing this to get this working for the greater good.
It may be an upgrade issue or some other dependency, it would not surprise
me in the least since this is a copy of an existing vm that I tried to
upgrade.

It is true that fewer and fewer people are using sendmail these days,
especially since it seems to have been orphaned.  Sendmail may be old but
it's incredibly reliable, well tested, and stable.


 Trailblazers are great!  They are the ones who make things happen.
 However not everyone wants to be a trailblazer.  There just isn't
 enough time for everyone to do everything.  You sound like a busy
 person without the time to debug everything.  Perhaps it would be good
 to change to a more mainstream combination?  If it were a mainstream
 combination then the problem would almost certainly already have been
 seen and fixed.  Something with a lot of users and a lot of support.


Maybe I will one day.


 In this case I would suggest that Sendmail is no longer the mainstream
 mail transfer agent.  Instead I suggest migrating to Postfix.  (Or
 Exim but I personally really prefer Postfix so will recommend
 Postfix.)  Postfix is well tested and very well supported.  There has
 been discussion of making Postfix the default mta on Debian.  (But
 that will never happen because Exim isn't bad just not as popular.)


I have tried postfix several times over the years.  I was surprised that I
was able to make seemingly innocent config mistakes in postfix and it would
just drop mail into /dev/null.  This is surprisingly difficult in sendmail
as its failure mode is to reject or not accept the mail in this case.


 Since you are using Sendmail I assume you have been using Sendmail
 forever.  You probably have multiple editions of the O'Reilly Sendmail
 book on your bookshelf.  You probably hate to take the time to migrate
 a working configuration tuned over decades to something different.  I
 have been there and glance over at my two remaining editions of the
 O'Reilly Sendmail books on my bookshelf.  Let me say that moving to
 Postfix was very easy.  I don't even have one copy of the O'Reilly
 Postfix book.  It has an easy to understand design and the online
 documentation is excellent.  I have been where you are with Sendmail
 and migrating to Postfix was a good decision for me.  I suggest that
 it would be for you too.  YMMV.


Well, you know, I never bought that bat book either!  But yes, you are
right, I have been using Sendmail since perhaps it first appeared in BSD, I
first encountered it in 1983 in BSD on the VAX 11/780, well before M4 and I
used to write my own cf files back then too!

sendmail on debian testing

[Michael Grant]

Today I upgraded a test machine from wheezy to testing.

It seemed to install systemd, I'm not sure if it's using it or not.

One thing I noticed though was that sendmail no longer starts at boot. Even
if I run:

/etc/init.d/sendmail start

or if I cd to /etc/mail and run:

make restart

or if I do this:


nothing except running 'sendmail -bd' will start sendmail.

In syslog I see this:

Jan 31 18:53:43 blah systemd[1]: Started LSB: powerful, efficient, and
scalable Mail Transport Agent.

in mail.log I don't see anything when I try to start sendmail via
/etc/init.d/sendmail.

I do not have the lsb-invalid-mta package installed.  I have tried
reinstalling the sendmail package.  I have tried the testing and unstable
versions of sendmail.

Any ideas where I should look next to figure out what's going on?

Michael Grant

logrotate problem

[Michael Grant]

When logrotate fired this month, almost all of my logs remain at zero
length and the .1 log continues to grow.  For example:

ls -l /var/log
...
-rw-r- 1 root adm 0 Oct  5 06:25 messages
-rw-r- 1 root adm  4938 Oct  6 06:56 messages.1
...
-rw-r- 1 root adm 0 Oct  1 06:25 syslog
-rw-r- 1 root adm  15767734 Oct  6 13:17 syslog.1

I'm running debian wheezy 7.6 on two separate systems.

I'm guessing that logrotate didn't complete to restart the daemons.  When I
run logrotate -dv, I see no errors.

I update both with cron-apt and I would not be surprised if one of the
updates caused this but I'm not sure.

Has anyone else seen this?  Any idea how to fix it so this works next month?

Re: logrotate problem

[Michael Grant]

I think I've tracked this down to rsyslogd being updated a few days ago and
it not restarting.

So I tried to restart it by hand with /etc/init.d/rsyslogd restart but it
failed to stop.  So trying to understand why it didn't stop, I tried
running start-stop-daemon manually and here's what I see:

# start-stop-daemon -v --stop --retry=TERM/30/KILL/5 --pidfile
/var/run/rsyslogd.pid --exec /usr/sbin/rsyslogd
No /usr/sbin/rsyslogd found running; none killed.
# ps ax | grep /usr/sbin/rsyslogd
 3401 ?Sl 2:36 /usr/sbin/rsyslogd -c5
 9922 pts/3S+ 0:00 grep -i --color /usr/sbin/rsyslogd
# more /var/run/rsyslogd.pid
3401

Why would start-stop-daemon not be able to find /usr/sbin/rsysogd?  It's
spelled properly, it's pid is properly in the pid file.  (Sure, I can kill
it by hand but I really want to know why start-stop-daemon can't kill it
because there is probably some underlying problem that needs solving!)

On Mon, Oct 6, 2014 at 8:06 PM, Joe j...@jretrading.com wrote:

 On Mon, 6 Oct 2014 19:51:38 +0100
 Michael Grant mgr...@grant.org wrote:

  When logrotate fired this month, almost all of my logs remain at zero
  length and the .1 log continues to grow.  For example:
 
  ls -l /var/log
  ...
  -rw-r- 1 root adm 0 Oct  5 06:25 messages
  -rw-r- 1 root adm  4938 Oct  6 06:56 messages.1
  ...
  -rw-r- 1 root adm 0 Oct  1 06:25 syslog
  -rw-r- 1 root adm  15767734 Oct  6 13:17 syslog.1
 
  I'm running debian wheezy 7.6 on two separate systems.
 
  I'm guessing that logrotate didn't complete to restart the daemons.
  When I run logrotate -dv, I see no errors.
 
  I update both with cron-apt and I would not be surprised if one of the
  updates caused this but I'm not sure.
 
  Has anyone else seen this?  Any idea how to fix it so this works next
  month?

 Mine rotate every day, and seem to be doing so quite happily, but they
 are on a server and it's run by the default cron system.

 Have you tried running logrotate manually without -d? It's possible an
 update has caused a permissions issue somewhere, and you may get clues
 from the console.

 --
 Joe


 --
 To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact
 listmas...@lists.debian.org
 Archive:
 https://lists.debian.org/20141006200646.394fc...@jresid.jretrading.com

Re: Software version issue

[Michael Grant]

Peter,

Try adding back-ports to your /etc/apt/sources.list:

deb http://http.debian.net/debian wheezy-backports main

and then run apt-get update and then try updating gimp and see if it
updates it.

I did not check specifically for gimp, but if there is no newer version of
gimp in backports, you can try adding the jessie sources, however, if you
do this you would be wise to restrict it to just gimp.  Some other kind
person here may be able to help you do this but it's not always easy/wise
to do this in my experience since you can end up installing a ton of
unexpected libraries and other tools from jessie into your weezy system.
Consider updating to or installing a wheezy system if gimp there is the
later version.

Michael Grant


On Mon, Oct 6, 2014 at 7:43 PM, PETER ZOELLER peter_zoel...@rogers.com
wrote:


 Hi:

 I have been using Debian for sometime and am happy with the distribution.
 However I recently experienced a problem with the Gimp supplied by Debian
 and contacted the Gimp organization with the issue I was having.  I
 subsequently discovered through this contact that the version of Gimp
 supplied by Debian Wheezy is old.

 How do I make sure that the software Debian supplies is the most current?
 What change do I need to make to the sources list to get up to date
 software?

 Peter
 peter_zoel...@rogers.com