Re: [DNG] Configuring ethernet port for IPv6

2022-09-08 Thread Simon Hobson
Curtis Maurand  wrote:

> I think this is all great right up until you need a fixed address for 
> something like a mail server or a web server.

That is no more of a problem with IPv6 than it is with IPv4 - if you have a “poor 
quality” ISP that doesn’t do fixed addresses then you have a problem with 
anything that needs a fixed(ish) IP.

> So far, I've found IPV6 to be unreliable.

In what way ?
I’m not currently running IPv6 at home as I’ve not got round to reconfiguring 
the network to use my own (pre-systemd Debian, Linux VM) router, and the ISP 
supplied router doesn’t have the option to forward (IIRC) GRE needed to make my 
HE tunnel work.
But in the past when I have had IPv6 running, it’s worked fine. I didn’t run my 
email over IPv6 for the simple reason that at the time, there was one element 
of my software stack that didn’t fully cope with it. Again, not found time to 
update everything - I believe that one issue was fixed a while ago.

Going back probably around 10 years, I enabled IPv6 on our office network and 
waited to see if anyone noticed - no-one did, and we didn’t start experiencing 
new problems.

Simon

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] meta: list

2022-09-08 Thread Simon Hobson
Marjorie Roome via Dng  wrote:

> I configure strict postfix rules that incoming mail should have a
> reverse DNS.

Ah, we’re talking two different checks. I too reject connections if there’s no 
reverse DNS, but ideally that reverse DNS should forward resolve to a list (one 
or more IPs) containing the IP of the connecting device. It’s this latter bit 
that people seem to be incapable of getting right.

But while rejecting “no reverse DNS” does block a lot, there is a lot of spam 
that comes from addresses that have generic reverse DNS entries - many ISPs 
have reverse DNS setup for their customer IP ranges along the lines of 
a-b-c-d.dynamic.ispname.net.

I find grey-listing to be by far the most effective spam blocker.


Simon
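The two checks above, as an added example (not code from the list, and not Postfix itself): forward-confirmed reverse DNS, where the PTR name must resolve back to a set containing the connecting address, and a heuristic for the generic a-b-c-d.dynamic.ispname.net style names that pass that check but still carry spam. In Postfix terms the first verdict below is what reject_unknown_reverse_client_hostname catches and the second is reject_unknown_client_hostname territory. The live lookups use only the standard library resolver; the lookup tables at the bottom are constructed so it runs offline, and the word list is an assumption to grow from your own logs.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus a generic-rDNS heuristic.

Added example for the checks discussed in the message above; it is not code
from the list or from Postfix.  The live lookups use only the standard
library resolver; the lookup tables at the bottom are constructed so the
demo runs offline.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional

# Names that smell like bulk ISP reverse DNS for customer ranges, e.g.
# 203-0-113-7.dynamic.example.net.  The word list is an assumption, not a
# standard; grow it from your own rejected-connection logs.
GENERIC_WORDS = ("dynamic", "dyn", "dhcp", "pool", "ppp", "dsl", "cable", "cust")
GENERIC_PTR_RE = re.compile(
    r"(?:^|[.-])(?:\d{1,3}[.-]){3}\d{1,3}(?:[.-]|$)"   # an IPv4 address embedded in the name
    r"|(?:^|[.-])(?:" + "|".join(GENERIC_WORDS) + r")(?:[.-]|$)",
    re.IGNORECASE,
)


def ptr_names(ip: str) -> list[str]:
    """Live reverse lookup: PTR names for ip, [] if there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:            # herror/gaierror are OSError subclasses
        return []


def forward_ips(name: str) -> list[str]:
    """Live forward lookup: every A and AAAA address for name, [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns(ip: str,
           rdns: Callable[[str], Iterable[str]] = ptr_names,
           fwd: Callable[[str], Iterable[str]] = forward_ips) -> tuple[str, Optional[str]]:
    """Classify a connecting address.  Returns (verdict, name) where verdict is
    "no-rdns"      no PTR at all
    "unconfirmed"  PTR exists but none of its names resolve back to ip
    "generic"      confirmed, but the name looks like a bulk ISP assignment
    "ok"           confirmed and not obviously generic
    """
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".") for n in rdns(ip)]
    if not names:
        return "no-rdns", None
    for name in names:
        try:
            addrs = {ipaddress.ip_address(a) for a in fwd(name)}
        except ValueError:     # resolver handed back something unparsable (e.g. fe80::1%eth0)
            continue
        if target in addrs:
            return ("generic" if GENERIC_PTR_RE.search(name) else "ok"), name
    return "unconfirmed", names[0]


# Constructed zone data (documentation ranges, not real hosts) for an offline run.
SAMPLE_PTR = {
    "203.0.113.10": ["mx1.example.org"],
    "203.0.113.11": ["mx1.example.org"],    # PTR borrowed from a host that forwards elsewhere
    "203.0.113.12": ["203-0-113-12.dynamic.example.net"],
    "2001:db8::25": ["mail.example.com"],
}
SAMPLE_FWD = {
    "mx1.example.org": ["203.0.113.10", "2001:db8::10"],
    "203-0-113-12.dynamic.example.net": ["203.0.113.12"],
    "mail.example.com": ["2001:db8::25"],
}


def demo() -> dict[str, str]:
    """Run the classifier over the constructed data instead of the live resolver."""
    rdns = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_FWD.get(name, [])
    clients = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.99", "2001:db8::25"]
    return {ip: fcrdns(ip, rdns, fwd)[0] for ip in clients}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:16} {verdict}")
```

Calling fcrdns(ip) with the defaults does real lookups; the ".99" entry shows the no-PTR case, ".11" the case the message complains about (a PTR that points somewhere that does not point back), and ".12" the confirmed-but-generic case that only grey-listing or similar will catch.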


Re: [DNG] meta: list

2022-09-05 Thread Simon Hobson
declassed art via Dng  wrote:

> I do have an unconfigured PTR for a couple of reasons, one of those is lack 
> of static IP for now.

I figured out quite quickly that checking reverse DNS is a waste of time - too 
many systems, even those run by professional network/server engineers, are just 
badly configured.



Gregory Nowak via Dng  wrote:

> I have toyed more than once with the question of what would happen if
> a group of us running our own mail exchanges made the choice to
> reject mail from gmail.com with a 550? If a few of us did it, we might
> miss mail we maybe wanted to get. If a bunch of us did it, then a
> bunch of gmail users would complain to google. My guess is google's
> response would be "this is a free service; if it doesn't work for you,
> then don't use it.”

No, I’ll tell you what Google’s response will be :
“Our system is working fine, the other system is broken”.
Don’t forget that this is a company that is quite happy to simply change the 
rules on the basis that it’s big enough that the rest of the world will adapt. 
Look at the history of stuff they’ve “just changed” because it suits them. 
Sticking with email, they were one of the first to implement SPF fully knowing 
that it would break most mailing lists and mail forwarders around the world - 
and so most mailing lists around the world had to update software & change 
setups to suit Google’s* new set of “how email is to work” rules. I know, I had 
a customer facing mail server** and mailing list server.

* OK, they weren’t the only ones, but they were one of the first.

In the network world, Android devices don’t work on managed networks using 
DHCPv6 for address assignment. For ideological reasons, they don’t support 
DHCPv6 and even actively block third party support (by pressuring chipset 
manufacturers to block the packets in the hardware). I could be flippant and 
suggest it’s because they see it as their job to snoop on people and using DHCP 
allows network admins to do that, but it’s mostly because they are interested 
only in mobile applications and refuse to consider the needs of any other 
environment (even where it’s a legal requirement).

In the web world they are pushing for “SSL or it doesn’t exist” despite the 
fact that it does actually cost money** to add SSL and there are situations 
(such as supporting older hardware) where there is no SSL and never will be.
And of course, there’s the shenanigans with QUIC and DoH ...

So basically, Google’s attitude is that if some other system doesn’t work with 
their offering - then it’s the other system that’s broken. And they are big 
enough that they can get away with that, especially when they are able to tell 
users who complain that that’s the case.

** When SPF started getting applied, clients started seeing problems.
Ideally we’d have them set up an account in their mail client to get mail from 
our server using IMAP, but many customers would refuse to do that - “I want my 
mail in my inbox”. Trying to explain why that’s not a good idea is an exercise 
in futility. So once their ISP is checking SPF, they no longer get any emails 
from sources setting SPF - and it’s our fault that the client insists on doing 
the broken way.
Instead, they’d say it’s because our mail server is faulty - because that’s 
what their ISP (usually using an ISP mail account) told them and apparently the 
hell desks at the big ISPs are more honest than a small IT services company 
where they can be on first name terms with the staff.


Simon




Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)

2022-09-04 Thread Simon
Following up from this old thread, over on an IETF list I’ve come across this 
resource for learning IPv6.
https://afrinic.academy/

I’ve not looked at the content or quality - but the headings seem logical and 
it’s free.


Simon



Re: [DNG] do I need drivers for

2022-06-24 Thread Simon
Antony Stone  wrote:

> PS: Just in case you wonder "hm, sdv is awfully close to sdz - what happens 
> next?", the answer is simply that the standard Linux kernel then moves on to 
> device names /dev/sdaa, /dev/sdab, etc...
> 
> I'm not sure where the current limit of device names is, but I don't think 
> you'll be able to reach it with any hardware means of connecting drives (you 
> might manage it at a push with iSCSI devies etc).

Ooh, a few multi-port cards and then some port expanders. Backblaze are up to 
60 drives in a box !
https://www.backblaze.com/blog/open-source-data-storage-server/

Simon



Re: [DNG] install on a raid 1 array

2022-06-23 Thread Simon
evant bits omitted). Yeah I’m a 
bit old school and still use ext3 !



Now, back to your specific setup.
I suspect you really want your efi partition to be a plain partition - so 
that’ll be sda1. I’d create a matching sdb1 partition - and possibly clone the 
contents of /efi onto it at some point so you have a working boot setup from 
sdb.
Personally I’d keep to having a separate array for /boot - so that’ll be sda2 & 
sdb2. Create those two, then create an md array using them, then create a 
filesystem on it.
Then you can either continue creating partition pairs, creating a raid array on 
each pair, and putting a filesystem on each array - but at some point you’ll 
hit limits on creating partitions.
Or you can just create a partition for “the rest of the disk” (minus a little 
to allow for a replacement disk not being identical in size), create an array 
across the pair of partitions (sda3 & sdb3), then assign the array as an LVM 
PV, create an LVM VG using that PV, and finally create the LVM LVs you want for 
each filesystem  - using LVM is more flexible as it’s easy to resize an LV.

For /home, partition the disks (sdc & sdd) using the whole disk. Put the two 
partitions (sdc1 and sdd1) into an array. Put a filesystem on the array.


There are two ways to do this with the Debian installer (from memory).

Using the installer, do the partitioning but at this stage specify to do 
nothing with each partition (apart from efi, I don’t use such new fangled stuff 
so I don’t know what it does by default with that). Exit the partitioner and 
it’ll ask if you want to do the partitioning - say yes.

Now go into the raid array option in the partitioner and create the arrays - 
when prompted, create the arrays and exit the raid setup.
The partitioner should now show you some physical partitions as being in raid 
arrays, plus the raid arrays.

Go into the LVM setup section, create an LVM VG and use the array previously 
created (sda3 & sdb3 in the above example) for its single PV. Then create LVs 
as required.

You can configure the /boot array as “create filesystem, mount on /boot”.
If you have created any more arrays (e.g. for /), then configure these 
accordingly.
For /home, use the array containing sdc1 & sdd1.
Similarly, configure each LVM LV.
You should now see “something” for each filesystem you want - the volume used 
will be either a partition (/efi), an array (/boot, possibly /), or an LV 
(swap, /var, ...).
Now, when you exit the partitioner, it’ll create all the filesystems, and mount 
them all on the target directory it uses for the installation.


As an alternative to using the installer, IIRC you can switch to another 
console and it’ll give you a root shell. You can now do all the above steps 
manually using the command line - partition the disks, create the arrays, 
create the LVM VG & LVs, create the filesystems.
When you switch back to the installer, you may have to exit the partitioner tool 
and re-enter it to see all the now existing partitions, arrays, LVs, and 
filesystems. Flag each filesystem according to where you want it mounted, but 
keep the existing filesystem. When you exit the partitioner you’ll be at the 
same step as doing it all via the installer.

In either case, you can switch to another console and see what’s mounted where 
- if there’s something wrong then go back and correct it now.

Can I tell you what the commands are to create an MD array ? Can I  - I do 
it so infrequently that I have to look it up each time :-( “man” is your 
friend, along with “md --help”.





Hendrik Boom  wrote:

> I set up a separate RAID 1 pair for /boot.
> 
> I don't know if it is necessary now, but there's an older mdadm partition
> format where the RAID signature is placed at the end of the partition.
> 
> I specified this older format when I created the RAID pair for /boot.
> 
> So when I boot, there's no problem finding the boot partition and reading it, 
> because the important stuff that's used at boot time (i.e., the file system) 
> is found at the start of the partition.  And it doesn't matter which of the 
> two copies I boot from because they are identical.  All this booting is done 
> before RAID assembly.  If one of the disks is missing because of hardware 
> failure, it just boots from the other.

It’s my understanding that GRUB now understands both md arrays and LVM - so you 
can use the later partition format for the array. But as you point out, if you 
use the older format (which only puts its metadata right at the end of the 
array) then something that doesn’t understand raid will just see two identical 
partitions with the same contents.


Regards, Simon


Re: [DNG] starting mysql in background ?

2022-06-17 Thread Simon
Radisson via Dng  wrote:

> i use sysv-init with a simple start script in init.d.
> in the end the script starts mysqld_safe in background and
> waits for a pid. (yes i could remove that but i do not know the side
> effects)

The side effect of removing that wait for a PID is that any other service that 
depends on the database will be started before the database is actually running.
If you don’t actually have any other services that depend on the database then 
it’s not a problem - you’ll just have to know not to try and run user programs 
needing it until it’s up. If you do have such services, then you’d need to 
delay their startup - and then you’re back to the system sitting there waiting 
for the database to be running.

Simon


Re: [DNG] starting mysql in background ?

2022-06-15 Thread Simon
Radisson via Dng  wrote:

> i would like to start my mysqld 8.0 in background because it takes
> several minutes to start.

Under what init/process manager setup ?

If under SysVInit, then I would suggest you could simply modify the relevant 
init scripts to not wait for the process to fully start - i.e. just return 
success as soon as it looks like it is starting normally. But you’ll also need 
to modify anything that depends on mysql such that it will wait for it to be 
available rather than just the init script having exited normally.

There is an argument that the correct way to start processes is to simply start 
them all at once (zero attempt at sequencing) - and have the beginning of each 
script (or other config mechanism) be a “wait until my prerequisites (however I 
define them) to be available” step.

Simon

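The “wait until my prerequisites are available” step from the two mysqld messages above, as an added example (not code from the list): a poll with capped backoff that returns only once a probe says the server actually answers, rather than once the process exists. The mysqladmin command line and the socket path are assumptions; the demo stands in a local listener so it runs without a database.

```python
"""Readiness wait for a service that is slow to start (the mysqld case above).

Added example, not code from the list.  Instead of the init script returning
as soon as mysqld_safe has forked, dependants (or the init script itself) call
wait_for() with a probe that only succeeds once the server answers.  The
mysqladmin command line and the socket path are assumptions.
"""
import socket
import subprocess
import threading
import time
from typing import Callable, Tuple


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Cheap probe: can we complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def mysql_ping(socket_path: str = "/var/run/mysqld/mysqld.sock") -> bool:
    """Better probe for MySQL: the server itself reports that it is alive."""
    try:
        return subprocess.run(["mysqladmin", "--socket", socket_path, "ping"],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=5).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def wait_for(probe: Callable[[], bool], deadline: float,
             interval: float = 0.2, max_interval: float = 5.0) -> bool:
    """True as soon as probe() succeeds, False once `deadline` seconds pass.
    The interval doubles up to max_interval so a multi-minute start does not
    spin, and the last sleep is clipped so we never overshoot the deadline."""
    end = time.monotonic() + deadline
    while True:
        if probe():
            return True
        remaining = end - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))
        interval = min(interval * 2, max_interval)


def demo() -> Tuple[bool, bool]:
    """Offline check: a listener that only appears after 0.5 s is waited for
    successfully; a port nothing is listening on gives up at the deadline."""
    late = socket.socket()
    late.bind(("127.0.0.1", 0))
    port = late.getsockname()[1]
    threading.Thread(target=lambda: (time.sleep(0.5), late.listen(1)), daemon=True).start()
    came_up = wait_for(lambda: tcp_open("127.0.0.1", port, 0.2), deadline=5)

    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))        # bound but never listening: connects are refused
    never = wait_for(lambda: tcp_open("127.0.0.1", dead.getsockname()[1], 0.2), deadline=1)
    late.close()
    dead.close()
    return came_up, never


if __name__ == "__main__":
    print(demo())   # (True, False)
```

In an init script the call would be something like wait_for(mysql_ping, deadline=600) at the top of each dependant's start action; a False return is the signal to fail that service loudly rather than start it against a database that is not there.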


Re: [DNG] install on a raid 1 array

2022-06-04 Thread Simon
it - 
RAID it and use it as an LVM PV. Note the “less a bit”.
If you have a raid array and a disk fails, you cannot replace the failed disk 
with one that’s even a single block smaller. I’ve been bitten by this in the 
past - with the support company sending me a replacement 9G drive that won’t 
work, and spending ages talking people through why one 9G disk is not the same 
as another 9G disk (they had to hunt around for the same model disk in the 
end). So I always leave a bit of space unused at the end of the disk to allow 
for these differences - and these days it’s unusual to be clamouring to use 
every last block.
As an aside, back in the 90s I used to deal in Apple Macs. The disks all had 
unused space - so at the factory they could just mass duplicate a master copy 
onto the disks without having to worry about different sized disks, the image 
just had to be small enough to fit on the smallest disk they used for each 
nominal size (back then, typically a choice of 20meg, 40meg, or 80meg if you 
had loads of brass).


Note: If you have 3 or more disks then you can pick and choose the RAID level 
you use. /boot is always RAID-1 so each disk holds a full copy of it. The rest 
you can pick and choose depending on your requirements. Generally RAID 5 gives 
you the most space, with more disks, RAID 6 is an option and gives you two-disk 
redundancy.
But if your priority is performance, then striped & mirrored or mirrored & 
striped gives you the best performance with single disk redundancy. Once over, 
you had to set up mirrored pairs, and then stripe the resulting volumes 
together; or stripe the partitions and then mirror the two stripe sets. Yes, a 
bit of a PITA and only works with an even number of members ! These days, Linux 
RAID supports RAID-10 where it’s done automatically and (IIRC) supports an odd 
number of members. Not to mention, these days you can add disks to arrays 
dynamically - it used to be “fun” finding the disk space to copy all your data 
to while you rebuilt RAID arrays from scratch. Not to mention the out of hours 
tedium of waiting for it to copy, and the feeling of trepidation (I hope the 
disk I’ve copied it all to is OK ...) when you go and nuke your existing array 
in order to build a new larger one.


* I **ALWAYS** have a separate /var. Trust me, if you have (e.g.) a runaway log 
and it fills the filesystem, then you will thank yourself for restricting it to 
/var.


After that, it’s all down to what the system is for. E.g. for a mail server 
I’ll have a separate /var/mail; for a web server, a separate filesystem for 
that (wherever it gets put); and so on; perhaps a filesystem for your 
database(s).
If it’s a system you “work on”, then you might want a separate /home for users’ 
home directories. Again, protects the system to a certain extent against users 
going mad creating big files.
You can do a lot of this with disk quotas these days, but separating 
filesystems is a powerful tool. And with LVM it’s generally fairly easy to 
resize the filesystems if you don’t get it right first time.


Now, back to how to install it !
You’ll need to go into the custom partitioner, and from there, you can 
partition the disks manually - don’t forget to set the partition types.

When you’ve partitioned the disks (and written the partitions out to disk), you 
need to go into the raid configurator and create your RAID array(s). When you 
come out of the RAID config, you should then see the array(s) listed along with 
the various partitions.

You can now go into the LVM manager and configure LVM volume group(s) (VGs), 
and then your logical volumes (LVs).
Again, when you exit the LVM config, you should see the LVs listed.

Make sure each partition/array/LV is set appropriately - whether to format it, 
where to mount it, and so on. This is the key bit to getting the different bits 
of the system where you want them.

From memory, I’ve found that it will then format the filesystems, mount them in 
the right places, and install the system on it. Your mdadm and lvm configs 
should be correctly configured in your installed system. I think by default it 
only does a grub-install on one disk, so when you’ve booted your new system, do 
this for each disk that’s part of your /boot array - it’s “annoying” to find 
(when a disk fails) that the other disks don’t have the first stage boot 
loader installed :(



Hope this helps, Simon

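The layout from the two “install on a raid 1 array” messages above (ESP plus a /boot pair, an LVM pair with a reserved tail, a separate /home pair, grub on every disk), as an added example that is not code from the list or from the Debian installer. It generates the command sequence so it can be read before anything touches a disk, and only executes it if asked. The sdX names, the 1 GiB tail reserve, the LV sizes and the VG name “vg0” are assumptions; the --metadata=1.0 on the /boot array is the end-of-partition superblock format Hendrik describes.

```python
"""Generate (and optionally run) the RAID-1 + LVM build from the two threads above.

Added example; not code from the list or from the Debian installer.  Nothing
is executed unless run(plan, execute=True) is called, so the plan can be read
first.  Disk names (sdX), the 1 GiB tail reserve, the LV sizes and the VG name
"vg0" are assumptions for illustration.
"""
import shlex
import subprocess
from typing import List, Sequence, Tuple

Cmd = List[str]


def partition_plan(disk: str, reserve: str = "1G") -> List[Cmd]:
    """GPT layout for one boot disk: ESP, /boot RAID member, LVM RAID member.
    The last partition ends `reserve` short of the disk so a replacement that
    is a few blocks smaller can still join the array ("less a bit")."""
    return [
        ["sgdisk", "--zap-all", disk],
        ["sgdisk", "-n", "1:0:+512M", "-t", "1:ef00", "-c", "1:ESP", disk],
        ["sgdisk", "-n", "2:0:+1G", "-t", "2:fd00", "-c", "2:boot-raid", disk],
        ["sgdisk", "-n", f"3:0:-{reserve}", "-t", "3:fd00", "-c", "3:lvm-raid", disk],
    ]


def raid_plan(boot_disks: Sequence[str], home_disks: Sequence[str]) -> List[Cmd]:
    n_boot, n_home = len(boot_disks), len(home_disks)
    return [
        # /boot: --metadata=1.0 keeps the md superblock at the END of each member,
        # so anything that does not understand md still sees a plain filesystem
        # at the start of the partition.
        ["mdadm", "--create", "/dev/md0", "--level=1", f"--raid-devices={n_boot}",
         "--metadata=1.0", *[f"{d}2" for d in boot_disks]],
        # the rest of the boot disks: default metadata, becomes the single LVM PV
        ["mdadm", "--create", "/dev/md1", "--level=1", f"--raid-devices={n_boot}",
         *[f"{d}3" for d in boot_disks]],
        # /home on its own pair, one whole-disk partition each
        ["mdadm", "--create", "/dev/md2", "--level=1", f"--raid-devices={n_home}",
         *[f"{d}1" for d in home_disks]],
    ]


def lvm_plan(vg: str, lvs: Sequence[Tuple[str, str]]) -> List[Cmd]:
    return [["pvcreate", "/dev/md1"], ["vgcreate", vg, "/dev/md1"],
            *[["lvcreate", "-L", size, "-n", name, vg] for name, size in lvs]]


def filesystem_plan(boot_disks: Sequence[str], vg: str,
                    lvs: Sequence[Tuple[str, str]]) -> List[Cmd]:
    cmds = [["mkfs.vfat", "-F", "32", f"{d}1"] for d in boot_disks]   # an ESP per disk
    cmds += [["mkfs.ext4", "-L", "boot", "/dev/md0"], ["mkfs.ext4", "-L", "home", "/dev/md2"]]
    for name, _ in lvs:
        cmds.append(["mkswap", f"/dev/{vg}/{name}"] if name == "swap"
                    else ["mkfs.ext4", "-L", name, f"/dev/{vg}/{name}"])
    return cmds


def finish_plan(boot_disks: Sequence[str]) -> List[Cmd]:
    """What the installer tends not to do for you: record the arrays for the
    initramfs and put a boot loader on EVERY member disk, not just the first.
    (On UEFI, grub-install writes to the mounted ESP; copy that ESP to the
    other disk's ESP afterwards so the second disk boots on its own.)"""
    return [
        ["sh", "-c", "mdadm --detail --scan >> /etc/mdadm/mdadm.conf"],
        ["update-initramfs", "-u"],
        *[["grub-install", d] for d in boot_disks],
    ]


def build_plan(boot_disks: Sequence[str], home_disks: Sequence[str], vg: str = "vg0",
               lvs: Sequence[Tuple[str, str]] = (("root", "16G"), ("var", "16G"),
                                                 ("swap", "4G"))) -> List[Cmd]:
    plan: List[Cmd] = []
    for d in boot_disks:
        plan += partition_plan(d)
    for d in home_disks:   # same tail reserve on the /home pair
        plan += [["sgdisk", "--zap-all", d], ["sgdisk", "-n", "1:0:-1G", "-t", "1:fd00", d]]
    plan += raid_plan(boot_disks, home_disks)
    plan += lvm_plan(vg, lvs)
    plan += filesystem_plan(boot_disks, vg, lvs)
    plan += finish_plan(boot_disks)
    return plan


def render(plan: List[Cmd]) -> str:
    return "\n".join(" ".join(shlex.quote(a) for a in cmd) for cmd in plan)


def run(plan: List[Cmd], execute: bool = False) -> int:
    """Print each step; with execute=True run it as root and stop at the first
    failure (check=True).  Returns the number of steps processed."""
    for cmd in plan:
        print(" ".join(shlex.quote(a) for a in cmd))
        if execute:
            subprocess.run(cmd, check=True)
    return len(plan)


if __name__ == "__main__":
    run(build_plan(["/dev/sda", "/dev/sdb"], ["/dev/sdc", "/dev/sdd"]))
```

Run as-is it only prints; from the installer's root console the same plan with execute=True builds everything, after which the partitioner needs exiting and re-entering to see the arrays and LVs, exactly as described above.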


Re: [DNG] Wifi problem - dhclient times out with no reply

2022-03-13 Thread Simon
Gregory Nowak via Dng  wrote:

> If I understand that you can associate with the access point through
> wpa_gui, what does iwconfig(8) say? If iwconfig says the adapter is
> associated with the access point, can you configure a static IP
> address valid on your network, and does that work, or do you still
> have no internet connection.

Yes, that would narrow it down to a network problem or a DHCP problem.

Assuming the network is working (can statically configure and pass traffic), 
then I think the next stage would be to start sniffing traffic (e.g. with 
wireshark, or the cmd line version, shark). Are you getting packets out, are 
there replies coming back, etc. Also repeat that on the DHCP server (if you 
can).

Simon



Re: [DNG] online purchasing (dunno - - - maybe OT)

2022-03-10 Thread Simon
o1bigtenor via Dng  wrote:

> I made a purchase from an online store - - - its a smaller entity that
> covers some interesting niches - - therefore the order.
> 
> In doing the purchase - - - noticed, using uBlockOrigin and
> PrivacyBadger, that paypal 'only' has some 9 domains linked into the
> transaction. Hmmm - - - that's not all - - - that's what PrivacyBadger
> was picking up - - - uBlockOrigin noted that there were some 15
> domains of which it blocked some 4. Still linked were crackbook and a
> bunch of ms googly's garbage.
> 
> So I called the company to tell them that I found this concerning.
> 
> I asked the person that I was talking to if they were into internet
> privacy and security - - - very much so was the answer. So I asked him
> why he needed all these domains connected. The long and short of it
> was that he got quite huffy and asked me to cancel my order (and
> without saying so) get lost. It is more important to him that everyone
> and his dog know about his transactions that it is for him to make
> transactions.

I suspect it’s more a case of two things :
They are using a packaged system that doesn’t make it easy to do things 
properly - only how the system designer thinks they should be done.
and/or
They get a lot of their business via those routes so there’s a potential 
financial hit if they turn off the tracking.

Recently I had a case where I went to an organisation’s web site and got (IIRC) 
a non-compliant cookie notice. IIRC it was the sort that basically said “we use 
cookies” rather than “can we use cookies”. When I contacted them, they were 
grateful I’d done so - they’d had some work done, and because everyone 
internally used the site all the time, they never saw what a visitor with a 
“clean” browser would see. It got fixed.

> I do wish there were a way of warning other customers - - - - his
> website is likely a magnet for web bottom feeders and he doesn't think
> its worth things about.

No easy way to tell other (potential) customers.

But for the business, you didn’t say what country they are in. Both Germany and 
France have found the use of certain Google “services” breach GDPR. Perhaps 
report the site for that ? I think this is going to get “interesting” for site 
owners ;-)
https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/
https://www.theregister.com/2022/02/10/google_analytics_gdpr_breach/
https://www.theregister.com/2022/01/13/google_analytics_gdpr/

Simon




Re: [DNG] questions further into networking

2022-02-01 Thread Simon
o1bigtenor via Dng  wrote:

> When this (streaming device only works with the vendor's DNS) happens
> - - - is there a way to
> counter or change that particular behavior?
> 
> (Fascinating what's all connected!!!)

Obviously when you buy those closed boxes, you get what you’re lent and it does what 
the vendor wants it to do.

But with DNS, you have the option to filter the DNS packets at the firewall and 
re-direct them to the internal DNS server. But you also have to arrange for the 
replies to get re-written as well so the devices sees the replies as having 
come back from the same address it sent the query to. Fundamentally this needs 
the traffic to pass through the firewall in both directions - either because 
the firewall is in the traffic path, or because it’s the default router for the 
DNS server.

There’s a lot of stuff in the Shorewall FAQs, though I guess they “lose a bit 
in translation” if you aren’t familiar with Shorewall and its config files.
https://shorewall.org/FAQ.htm#faq1f



Simon



Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)

2022-02-01 Thread Simon
d to have them receive
> DHCP from somewhere, and try to configure the DHCP to specific MAC
> addresses.

That’s one way of doing it, but can be quite inconvenient - depending on your 
use case.

Personally, I have the WiFi inside the network, and run multiple SSIDs so 
different stuff can go on different networks - including having a guest network 
with client isolation turned on. At the moment I have a few bits of the puzzle 
missing, but eventually (given time and cost constraints) it’s my intention to 
run multiple VLANs for better segregation.

For many people, having wireless laptops behave differently to wired systems 
would be “a problem”. Especially if you have services (printing, file shares) 
that use mdns to locate/use them.

The reality is that there is no “right” or “wrong” way to do it - just 
different sets of priorities that make different topologies “better” or “worse” 
for different people. It’s really a game of finding “best” for your personal set 
of requirements and priorities. As I said above you can make a system really 
really REALLY secure - but also of no practical use !


Simon




Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)

2022-01-31 Thread Simon
o1bigtenor via Dng  wrote:

> Not only do I want to echo mr Joel but for mr Simon.
> This gives great information - - - all together AND in a fashion that
> I think I may even be understanding this.

Thanks, that makes it worthwhile having written it.
As you might have guessed, I’m in the IPv6 is good camp. Frustratingly my ISP 
ran IPv6 trials several years ago but has since gone quiet - even though their 
parent company (a larger ISP) rolled out IPv6 by default several years ago !

> Please would you fashion perhaps 2 or three more messages for
> intermediate and maybe even extend this into more of the
> 'advanced' networking country.

I’m not sure there’s all that much I can add. One of the problems of not using 
it often enough is that I’ve forgotten a lot of what I learned when I worked 
through the tunnelbroker certification - which BTW (if it’s still part of the 
deal) will get you what must be one of the geekiest tee shirts ever created !


One thing I didn’t cover is addressing, and how they are represented.
https://en.wikipedia.org/wiki/IPv6_address gives a fairly decent overview - 
apart from perpetuating the myth that EUI-64 addresses are still common - they 
were deprecated a while ago.



Then I can perhaps outline what you need to do to set up your own router 
supporting IPv6.

On the ISP end you need the appropriate interface and software. So this may be 
PPPoE, or direct Ethernet with one of a number of configuration protocols, or 
... So the first thing to do is sort out whatever combination of bits will get 
you connected. One of the problems is that there are a number of different 
components, that can be used in different combinations - so you’ll need to find 
out exactly what your ISP uses/supports.
This is all from memory, so can’t rule out errors :-(

In my case, it was a case of using a DSL modem and running PPPoE over an 
ethernet link. With PPP, LCP (Link Control Protocol) will negotiate the session 
with the far end PPP service, then the PPP package will configure the protocols 
you tell it to - IPCP (IP Config Protocol) for IPv4, IPv6CP for IPv6. Checking 
my notes, I then had to run a DHCPv6 client to get an IPv6 delegation - in this 
case asking for a /56 prefix.
I manually/statically configured all this with scripts for expedience (we got 
static IPv6 allocations) - it’s possible to automate steps using features in 
some of the software, which has generally advanced since I last did this.

So now we should have a working IPv6 link to the ISP and an IPv6 prefix. The 
link may just have a link-local address (starting fe80:) or it may also have a 
GUA (Globally Unique Address) as well - depends on the ISP setup and your own 
setup.
So my script then added a GUA address to the PPP interface, a route to the 
internet via that link, and a different GUA to the internal interface. At this 
point, you should have a system that can route packets between an internal 
device and the internet.

You will want to configure an IPv6 firewall. I used Shorewall for this - it’s 
an amazing package. It’s still usable, but it’s time is now limited as it’s 
deeply entangled with iptables which is now deprecated and replaced with 
nftables. I imagine that at some point the iptables compatibility shim will go 
away and that will stop Shorewall.

You now need to configure devices on that internal network.
You can do it statically - but that’s a p.i.t.a.
So configure and start an RA daemon. Again, as this was a trial and we had 
static allocations, I just put the prefix in the config file and had my script 
bring up radvd. This is perhaps one of the steps that would be harder to 
automate since you need to pick a /64 prefix out of your (hopefully) larger 
delegation. And you also have the ability to run multiple internal networks 
with different prefixes.
Once you startup the RA daemon, you should see clients auto-configure and be 
able to use your new IPv6 service.


> I am not needing ipv6 at present but likely this spring fiber optics
> are happening (finally some decent speed options) and they are
> in the process of moving to ipv6 likely within a year or so. I would
> prefer to know at least some more before I 'need' it.

Good news then - the more ISPs do IPv6 the better. The main thing to remember 
is that IPv4 vs IPv6 is orthogonal to the rest of the stack - the physical 
layer underneath (fibre, ethernet, xDSL, cable, dial-up, damp string, carrier 
pigeon, ...) and the session layers higher up (DNS, HTTP, SMTP, ...).
Things are not completely disconnected as things need to support the 
differences - e.g. handling 128 bit long addresses, doing AAAA lookups as well 
as A, and so on. But (and not speaking as someone who’s had to deal with that), 
I think a lot of that is handled by the standard libraries.


Simon

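The internal-network half of the router walk-through above (picking /64s out of the delegation, one per interface, and feeding them to radvd), plus the EUI-64 point from the addressing paragraph, as an added example that is not code from the list or from radvd. The delegation 2001:db8:1234:100::/56 (documentation range), the interface names and the “router takes ::1” convention are assumptions.

```python
"""Carve /64s out of a delegated prefix, write radvd stanzas, and read MACs
back out of EUI-64 addresses.

Added example for the router walk-through above; it is not code from the list
or from radvd.  The delegation 2001:db8:1234:100::/56 (documentation range),
the interface names and the "router takes ::1" convention are assumptions.
"""
import ipaddress
import itertools
from typing import List, Optional


def lan_prefixes(delegation: str, count: int) -> List[ipaddress.IPv6Network]:
    """The first `count` /64s of a delegation, in order: ::0/64 for the wired
    LAN, ::1/64 for WiFi, ::2/64 for guests, and so on.  A bare /64 from a
    stingy ISP yields exactly one; anything longer than /64 is refused because
    SLAAC needs a full 64-bit interface identifier."""
    net = ipaddress.ip_network(delegation, strict=True)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError(f"need an IPv6 delegation of /64 or shorter, got {delegation}")
    available = 2 ** (64 - net.prefixlen)
    if count > available:
        raise ValueError(f"{delegation} holds only {available} /64s, asked for {count}")
    if net.prefixlen == 64:
        return [net]
    return list(itertools.islice(net.subnets(new_prefix=64), count))


def router_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Interface:
    """Convention assumed here: the router's own GUA on each LAN is ::1."""
    return ipaddress.IPv6Interface(f"{prefix.network_address + 1}/{prefix.prefixlen}")


def radvd_stanza(iface: str, prefix: ipaddress.IPv6Network) -> str:
    """One radvd.conf interface block.  AdvManagedFlag stays off: addresses
    come from SLAAC (Android has no DHCPv6 client), while AdvOtherConfigFlag
    lets clients fetch DNS and similar from stateless DHCPv6 if you run one.
    RDNSS also hands out the resolver address in the RA itself."""
    router = router_address(prefix).ip
    return "\n".join([
        f"interface {iface}",
        "{",
        "    AdvSendAdvert on;",
        "    AdvManagedFlag off;",
        "    AdvOtherConfigFlag on;",
        f"    prefix {prefix}",
        "    {",
        "        AdvOnLink on;",
        "        AdvAutonomous on;",
        "    };",
        f"    RDNSS {router} {{ }};",
        "};",
    ])


def eui64_mac(addr: str) -> Optional[str]:
    """If the interface identifier is EUI-64 derived (ff:fe in the middle, the
    universal/local bit flipped) return the MAC it came from, else None.  This
    is the privacy reason those identifiers were deprecated: the address
    reveals the hardware and follows the device from network to network."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def build_config(delegation: str, ifaces: List[str]) -> str:
    """radvd.conf covering one /64 per internal interface, in order."""
    prefixes = lan_prefixes(delegation, len(ifaces))
    return "\n\n".join(radvd_stanza(i, p) for i, p in zip(ifaces, prefixes))


if __name__ == "__main__":
    print(build_config("2001:db8:1234:100::/56", ["eth1", "wlan0", "guest0"]))
    print(eui64_mac("2001:db8:1234:100:211:22ff:fe33:4455"))   # 00:11:22:33:44:55
```

The generated text is what goes into /etc/radvd.conf before starting the daemon; with a dynamic delegation the same functions can be called from whatever script handles the DHCPv6-PD lease so the /64s move with the prefix.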


Re: [DNG] questions further into networking

2022-01-31 Thread Simon
o1bigtenor via Dng  wrote:

> I have been considering setting up a 'Pihole' to enhance my network here.
> 
> Is a Pihole a useful addition into a ipv6 network or ?

(As already mentioned) The Pihole works at the DNS level, so it simply blocks 
DNS lookups for “stuff you don’t want”. So it’s agnostic to the transport layer 
- IPv4 or IPv6.
I can’t help thinking that one (of several) reasons for things like 
DNSoverHTTPS, and as I recently read on another mailing list that (at least) 
one of the TV streaming devices only works with the vendor’s DNS service is to 
bypass protections like DNS filtering/blocking.

Simon

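The firewall-side DNS redirect from the two “questions further into networking” messages above, as an added example that is not code from the list or from the Shorewall FAQ. It emits nftables rules: a DNAT that sends any port-53 traffic from the LAN to the internal resolver (the Pi-hole, say), and, only when the resolver sits on the same subnet as the clients, a masquerade so its replies travel back through the firewall where conntrack undoes the DNAT; the resolver itself is excluded as a source so its own upstream queries are not looped back to it. The optional reject of DNS-over-TLS on 853 makes devices that try it fall back to plain DNS rather than slip past the filter (DoH over 443 cannot be picked off this way). Interface names and addresses are assumptions.

```python
"""nftables rules that push LAN clients' DNS onto the internal resolver.

Added example for the two "questions further into networking" messages above;
it is not code from the list or from the Shorewall FAQ.  Interface names and
addresses are assumptions.  Output is meant for `nft -f`.
"""
import ipaddress


def dns_redirect_rules(lan_if: str, lan_net: str, resolver: str,
                       block_dot: bool = False) -> str:
    net = ipaddress.ip_network(lan_net, strict=False)
    res = ipaddress.ip_address(resolver)
    if res.version != net.version:
        raise ValueError("resolver and LAN must be the same IP family")
    fam = "ip" if net.version == 4 else "ip6"
    # Exclude the resolver itself as a source: its own upstream queries leave on
    # port 53 too and would otherwise be DNATed straight back to it (a loop).
    match = f'iifname "{lan_if}" {fam} saddr != {res} {fam} daddr != {res}'
    lines = [
        f"table {fam} nat {{",
        "    chain prerouting {",
        "        type nat hook prerouting priority -100; policy accept;",
        f"        {match} udp dport 53 dnat to {res}",
        f"        {match} tcp dport 53 dnat to {res}",
        "    }",
    ]
    if res in net:
        # Resolver is on the client subnet: without SNAT its reply would go
        # straight to the client from the resolver's own address, the client
        # would see an answer from a server it never asked and drop it.
        # Masquerading makes the reply come back via the firewall so conntrack
        # can rewrite it to look like it came from the original destination.
        lines += [
            "    chain postrouting {",
            "        type nat hook postrouting priority 100; policy accept;",
            f'        oifname "{lan_if}" {fam} daddr {res} udp dport 53 masquerade',
            f'        oifname "{lan_if}" {fam} daddr {res} tcp dport 53 masquerade',
            "    }",
        ]
    lines.append("}")
    if block_dot:
        # DNS-over-TLS has its own port, so it can be refused outright; the
        # resulting RST makes well-behaved clients fall back to port 53.
        lines += [
            "table inet filter {",
            "    chain forward {",
            "        type filter hook forward priority 0; policy accept;",
            f'        iifname "{lan_if}" tcp dport 853 reject with tcp reset',
            "    }",
            "}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(dns_redirect_rules("lan0", "192.168.1.0/24", "192.168.1.2", block_dot=True))
```

Save the output to a file, check it with nft -c -f (syntax check only, nothing loaded), then load it with nft -f. If the resolver lives on a different segment (a DMZ behind the same firewall) the postrouting chain is omitted because replies already have to cross the firewall to reach the client.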


Re: [DNG] Configuring ethernet port for IPv6

2022-01-30 Thread Simon
 DHCP packets at the hardware level, thus blocking third 
party software from working. As a result of this, a network cannot disable 
SLAAC and use DHCP without breaking Android devices - and so persists a 
situation where some people want to add everything from DHCP into RAs because 
DHCP "doesn’t work”.


Steve Litt  wrote:

> On my next router, (probably OpenBSD/pf), I'm going to block all IPV6.
> I enjoy that the badguys have to jump through one more hoop (NAT) to
> hit me where it hurts.

NAT doesn’t really offer much by way of security - the “everything appears as 
one IP address” being the only feature I can think of. A stateful firewall will 
give you the same level of security for IPv6 as it does for IPv4.
With IPv6 however, you gain the ability to hide like a matchstick in a very 
large forest. The MINIMUM address range an ISP can give you is a /64 prefix, 
giving you 2^64 addresses to play with - and as above, by default devices will 
pick random addresses within this range. That’s a MINIMUM of 2^32 times the 
entire address space of the IPv4 internet all to yourself !

That’s the minimum. Recommendations are for ISPs to delegate at least a /56, 
and preferably /48 - that gives you 256 (2^8) or 16636 (2^16) /64 prefixes to 
do with as you like. So trivially easy to have separate prefixes for multiple 
wired networks, WiFi SSIDs, etc, etc. All with global addresses - just 
configure your firewall to allow/drop traffic according to your requirements. 
Unfortunately, it appears some ISPs can’t shift the “addresses are scarce” 
mentality, and offer only the minimum of a single /64.

In terms of privacy, it simply changes from “everything behind one address” to 
“everything behind one prefix and using random addresses that change 
periodically”. Even if someone knows your prefix, they need to scan 2^^64 
addresses to find your devices (that’s assuming your firewall allows inward 
connections) - and by the time they find an active address, it’s probably 
changed.
Of course, where you want something to be externally accessible, that’s just a 
matter of configuring a fixed address and opening a corresponding firewall rule 
- you don’t need to configure NAT port forwarding as well, and you’ve plenty 
of addresses to run multiple servers/services on the same port(s), something 
not easy when you’ve only one IPv4 address.

> I'm not an authority on firewalls and routers, but I'm going to try
> hard to pass only a very few IP addresses on my LAN, and put the Wifi
> on a third network card.

That’s easy enough to do. Get a switch that supports VLANs and you can 
segregate traffic to multiple wired segments without needing multiple cards in 
your server/router.

> In my opinion, IOT (the Internet Of Things) is for the most part an
> abomination. I don't want my thermostat on the same subnet as my LAN.

Agreed there.



As an aside, and not specifically in response to either of the above emails, I 
recommend the certification scheme run by HE at 
https://ipv6.he.net/certification/, and if your ISP doesn’t yet offer IPv6, 
then their tunnel service will provide you with good IPv6 connectivity. It’s 
true that there is some learning you need to do for IPv6, but this course will 
take you through things in steps - start with the basics and work up to the 
more complicated stuff. The only bit I thought was a p.i.t.a. is a stage where 
you have to provide ping and traceroute results to 100 different IPv6 
destinations over 100 days. The hardest part is finding 100 different 
destinations - at the time I did it, I did some grepping of DNS server logs at 
work to find them ;-)



Simon
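
The prefix arithmetic from the message above, worked through as an added example (not code from the original post): it computes how many /64s a /56 or /48 delegation holds and carves a delegated prefix into one /64 per wired segment, SSID or VLAN, as the message suggests. The 2001:db8::/48 delegation and the network names are constructed.

```python
import ipaddress

# Constructed sample delegation: a documentation-range /48 standing in for
# whatever prefix the ISP actually hands out.
DELEGATED_PREFIX = "2001:db8::/48"

# Constructed example of the "separate prefix per network" layout: each
# wired segment, WiFi SSID or VLAN gets its own /64.
NETWORKS = ["wired-office", "wifi-staff", "wifi-guest", "iot", "mgmt"]


def subnets_per_delegation(prefix_len):
    """Number of /64 prefixes inside a delegation of the given length."""
    if not 0 <= prefix_len <= 64:
        raise ValueError("delegation must be between /0 and /64")
    return 2 ** (64 - prefix_len)


def host_space_ratio_to_ipv4():
    """How many times the whole IPv4 address space fits in a single /64."""
    return 2 ** 64 // 2 ** 32


def plan_prefixes(delegated, names):
    """Assign one /64 to each named network, in address order, from the
    delegation.

    Raises ValueError when the delegation is too small for the request,
    e.g. an ISP that hands out only a single /64.
    """
    net = ipaddress.ip_network(delegated, strict=True)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or larger")
    available = subnets_per_delegation(net.prefixlen)
    if len(names) > available:
        raise ValueError(f"{delegated} holds only {available} /64 prefixes, "
                         f"but {len(names)} networks were requested")
    # subnets() is a generator, so a /48 is not expanded to 65536 objects;
    # zip stops after len(names) prefixes.
    return {name: str(sub)
            for name, sub in zip(names, net.subnets(new_prefix=64))}


if __name__ == "__main__":
    print(f"/56 -> {subnets_per_delegation(56)} x /64, "
          f"/48 -> {subnets_per_delegation(48)} x /64")
    print(f"one /64 = {host_space_ratio_to_ipv4()} x the IPv4 address space")
    for name, prefix in plan_prefixes(DELEGATED_PREFIX, NETWORKS).items():
        print(f"{name:14} {prefix}")
```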


Re: [DNG] What is your take on finit?

2022-01-30 Thread Simon
Steve Litt  wrote:

> * It requires each daemon to background itself. Eww, gross!

Does it ?
I read the examples as supporting foreground processes :
> # The BusyBox ntpd does not use syslog when running in the foreground
> # So we use this trick to redirect stdout/stderr to a log file.


Also the syslog and kluged examples both show the use of -n to avoid 
backgrounding.

Simon


Re: [DNG] Qt, KDE, unbelievable

2022-01-22 Thread Simon
o1bigtenor via Dng  wrote:

> Now if all that advertising was actually good for something except making rich
> people richer - - - -

Or simply paying for things that people want but don’t want to pay directly for 
?
The problem isn’t the advertising per se, it’s the lengths advertisers (and some 
of the sites/programs that use them) go to in order to make their ad stand out 
more than the other garish ones served either side of it. IFF they were plain 
and static so we could ignore them, and IFF the noxious cesspits that serve 
some of them could be trusted not to serve up malware as well, and IFF … well 
then there’d be no problem. But it’s this race to make them ever more difficult 
to ignore, and the evidenced absence of any morals in some parts of the 
industry that makes them a problem.

As someone else pointed out, my magazines are full of ads, in part that’s how 
they are paid for - but those are static, they don’t jump out of the page and 
hit you in the face. Without them the magazine (or society subscription) would 
need to be higher and then fewer people would sign up. And yes, I have over the 
years seen ads that fit the “ah, I’ve been looking for something like that” 
category.

Simon



Re: [DNG] [OT] Apple Mac programming (was: bash / quote weirdness)

2022-01-14 Thread Simon
Hendrik Boom  wrote:

>> I recall a lot of resistance when Apple brought out the Mac and suddenly 
>> programmers had to learn how to write programs that did what the user wanted 
>> - when the user wanted.
> 
> Sounds good.  But for the first two years the Mac was out, programmers 
> couldn't use it to write programs.  To program it you had to use a much more 
> expensive machine, an Apple Lisa.
> 
> Not what I, a potential user, wanted.
> 
> After two years, someone marketed a Pascal interpreter -- not even a 
> compiler.

Indeed, there were multiple issues at first - but programmers resistant to 
doing a bit of work so the user didn’t have to was one of them.
Back in 84 I was at Uni and took one out for a Test Drive as Apple was calling 
it back then - no intention or ability to actually buy one ! I do recall when I 
returned it and being asked what I thought, replying along the lines of “nice 
machine, pity they are trying to cripple it with s**t marketing” as the test 
drive program was (IMO) really horrible.

At work I have to use Windows laptops, and it’s a constant reminder of how 
Apple brought standardisation every time I try Ctrl-W and remember that in 
Outlook it’s Esc to close a window, or in IE Ctrl-W doesn’t work if it’s a PDF 
in the window. MS can’t even standardise basics within its own dross, so it’s 
no wonder no-one else bothers either.
We had the full set of Inside Mac back then - strange to think that the entire 
programming manuals (dead trees back then) were only about 3” thick ! 
But one of the 3 manuals was entirely dedicated to what the UI should look like 
and how it should work.

Was it Borland that did the Pascal first ?

Simon



Re: [DNG] [OT] bash / quote weirdness

2022-01-13 Thread Simon
Steve Litt  wrote:

> This is one reason why, in shellscripts, you
> need to quote almost all variables: So they act correctly with the
> space laden filenames that windows dwoobydogs just love to create.

Not just Windows users. I regularly use spaces in file names.

There’s an argument that computers should be tools, not slavemasters.
I’m sure you’ll remember going back a few decades how interacting with 
computers meant that the human had to learn how to deal with the computer’s way 
of doing things. So, for example, typically when writing a document you had an 
edit mode from which you couldn’t print, and a print mode (menu) from which you 
couldn’t edit - you could not simply write your document and when ready just 
tell the computer to print it.

I recall a lot of resistance when Apple brought out the Mac and suddenly 
programmers had to learn how to write programs that did what the user wanted - 
when the user wanted. So, for example, open an editor, write your document, and 
whenever you want - hit Cmd-P (or choose Print from the File menu) and it gets 
printed, right there from inside your “edit mode”.
And now most people take stuff like that for granted. Things have shifted from the 
user doing the work to make the computer side easy to the user expecting the 
computer side to do the work - after all, isn’t the purpose of computer to do 
“stuff” for us ?

Similarly with file names. Once upon a time the human had to adapt to what the 
computer supported - such as fitting your entire file name into 8 characters. 
Now the computer (mostly) supports what is natural for a human - and that 
includes using spaces in their writing. 
After_all_it_does_seem_a_bit_un-natural_not_being_allowed_to_use_spaces_in_your_writing_-_it_would_make_a_hard_to_read_book_!



Another OT anecdote. This talk of spaces and quoting reminds me of an issue I 
had to deal with a couple of work hats ago. I had some users who would struggle 
sometimes to log into their terminals on the SCO OpenServer system. When I 
watched them carefully, I’d see them mistyping either their username or 
password, so for example assume their username is “username”, they might 
mistype it thus : “usermname” rather than “usermname”. 
Because it looked OK on the screen, it was hard to persuade them that what the 
system saw them type was “usermname” and not the “username” they 
could clearly see on the screen.


Simon



Re: [DNG] nftables firewall and fail2ban replacement.

2022-01-13 Thread Simon
Antony Stone  wrote:

> The one feature I'd like to see on fail2ban is multi-server communication, so 
> that if one of my machines has a reason to block an address, it tells all my 
> others to block that address as well.

That’s also possible to “roll your own”. I was considering this at my last 
place, but never got round to doing it.
The only hard bit is messaging between machines, but my plan was to send a 
message to the outside router so it could block the address at the perimeter.

One thought I had was to use syslog to send certain messages to the router’s 
syslog so fail2ban could pick them up and apply rules.

Simon



Re: [DNG] nftables firewall and fail2ban replacement.

2022-01-12 Thread Simon
onefang  wrote:

> My main problem with fail2ban is that it fails to ban.  Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP.  So the IP ends up being unbanned, coz fail2ban
> says so.
> 
> Yes, I'm aware you can configure fail2ban to shift from temporary to
> permanent bans for persistent rule breakers.  Would be good if the built
> in rules actually worked.

From experience, the built in rules worked last time I set a system up - worth 
checking all the config files as (again from memory) none of them are enabled 
by default.

But what I did for the persistent offenders was to write my own rule (don’t 
remember any details now) that basically looked for repeated bans and then 
blocked them for a long time. That allows for users (or yourself) accidentally 
triggering the first rule - you just have to wait for it to time out - but will 
ban persistent offenders quite quickly as they’ll still be hammering the system 
when the first rule times out.

Another thing to be aware of is that applying iptables drop rules to existing 
connections doesn’t stop the traffic. That’s important when trying to deal with 
UDP traffic - that may only apply when there is packet mangling (e.g. NAT) and 
so conntrack comes into play, or when the traffic terminates on the box you are 
trying to firewall it on. But TBH it’s a while now since I dealt with this and I 
don’t recall any details other than needing to clear entries in the conntrack 
table to actually stop traffic - I vaguely recall having to log onto the main 
router and drop it there sometimes.

Simon
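
The “repeated bans then a long block” rule from this reply, together with the idea in the earlier reply of pushing the block to the perimeter router, as an added example (not the poster’s own rule, whose details they say they no longer remember): it reads fail2ban-style “Ban” log lines, flags addresses banned repeatedly within a window, and builds the nft and conntrack commands the router end would run. The log excerpt, jail names, set names, thresholds and timeout are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed fail2ban-style log excerpt. The real fail2ban.log line shape is
# "<date> <time>,<ms> fail2ban.actions [<pid>]: NOTICE [<jail>] Ban <ip>".
SAMPLE_LOG = """\
2022-01-12 08:00:01,120 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2022-01-12 08:12:44,001 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.9
2022-01-12 08:20:15,330 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.7
2022-01-12 08:21:02,415 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2022-01-12 08:41:30,007 fail2ban.actions [812]: NOTICE [postfix] Ban 203.0.113.7
2022-01-12 09:05:10,990 fail2ban.actions [812]: NOTICE [sshd] Ban 2001:db8::bad
"""

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+"
    r"\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(text):
    """Yield (timestamp, jail, ip) for every Ban line; Unban and other
    lines are ignored."""
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["jail"], m["ip"]


def repeat_offenders(bans, threshold=3, window=timedelta(hours=1)):
    """Return {ip: ban_count} for addresses banned at least `threshold`
    times within a sliding `window`.

    Bans from every jail are counted together, so an address hitting both
    ssh and smtp is caught sooner than by any single jail.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, _jail, ip in sorted(bans):
        times = recent[ip]
        times.append(ts)
        # Drop bans that have fallen out of the window.
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and ip not in flagged:
            flagged[ip] = len(times)
    return flagged


def perimeter_commands(ip, timeout="24h", table="inet filter"):
    """Commands the perimeter router would run for one offender (constructed
    table and set names, sets created with `flags timeout`): add the
    address to a timed nft set so the block expires by itself, then delete
    its conntrack entries so flows that are already established stop too,
    which a new drop rule on its own does not guarantee."""
    is_v6 = ":" in ip
    set_name = "banned6" if is_v6 else "banned4"
    nft = f"nft add element {table} {set_name} {{ {ip} timeout {timeout} }}"
    ct = f"conntrack -D -f ipv6 -s {ip}" if is_v6 else f"conntrack -D -s {ip}"
    return [nft, ct]


if __name__ == "__main__":
    for ip, count in repeat_offenders(parse_bans(SAMPLE_LOG)).items():
        print(f"# {ip}: {count} bans in window")
        print("\n".join(perimeter_commands(ip)))
```

fail2ban’s own `recidive` jail applies the same repeated-ban idea to fail2ban.log; the cross-jail count and the router-side commands are what this version adds.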



Re: [DNG] RGBling

2022-01-01 Thread Simon
Syeed Ali  wrote:

> I have a closed case yet light still leaks out of the back of my PSU.
> 
> Numlock, desktop speaker, mouse DPI setting, monitors even when asleep,
> my KVM, and every single port on my USB hub all leak.

And then someone invented blue LEDs and suddenly the dark is lost to little 
floodlights in the colour our night vision is most sensitive to - as every 
designer decided that it would be “cool” to have a really bright blue LED on as 
many devices as possible.
Just don’t get me started on the id10t who thought making the sleep LED on the 
front of a MacBook Pro “throb” just to make it even more difficult to ignore.

For the last 21 months, my office has been the spare bedroom. I have to switch 
everything off at the wall when it gets used as a bedroom. To your list add 
network switch - which flickers all the time with background traffic even when 
the computers are all off.

It’s something when it’s possible to walk around the house lit only by little 
LEDs - even the smoke detectors are tiny little floodlights, thankfully only 
dim and green.

Simon


Re: [DNG] lpr print pdf file landscape orientation

2021-12-05 Thread Simon
Marjorie Roome via Dng  wrote:

>> How does one print a PDF with landscape orientation? 
>> 
> Isn't the page orientation used encoded in the pdf?
> 
> To change it, other than by shrinking the page down so it fits on the
> paper in landscape orientation I think you would need to use a pdf
> editor to reflow the content.
> 
> If you have a document or image that you are converting to a pdf then
> if you format the document or image landscape then the exported pdf
> will also be landscape.

Yes, the PDF is a complete description of a number of pages.

It is possible to change some things by pre-pending some Postscript to change 
the meaning of some verbs, though it’s so long (couple of decades) since I last 
fiddled at this level that I can’t remember the details. So you could turn 
pages around (rotate the content by 90˚), but that won’t reflow any 
text/re-arrange the contents.

One trick I do recall doing was where we printed inbound faxes on our SCO 
OpenServer system at a previous job. I changed the meaning of the “showpage” 
operator so that instead of just printing the currently imaged page, it would 
add a header to the page with key details (date, time, number, etc) and then 
print the imaged page.
At the same place I also did a custom text-ps script, adding in options to use 
some of the printer specific features we had on our printers - like doing A3 
landscape on a laser instead of printing to the old green lined fanfold.

Simon



Re: [DNG] networking thinking

2021-11-29 Thread Simon
o1bigtenor via Dng  wrote:

> 1. is my splitting the network system into the three parts a good idea or 
> should I truncate parts 1 and 2 into the router? If you would please give 
> reasons - - - please?

Six of one, half a dozen of the other. Sometimes having separate boxes is good, 
other times it isn’t. For example, if you run a router doing NAT (on IPv4) 
behind a firewall, then the firewall doesn’t see details of where the traffic 
comes from - only the mangled version where it’s all coming from one address. 
On the other hand, sometimes it can be tricky making everything work on one box 
- e.g. doing traffic shaping both ways when there’s multiple internal networks 
can require an intermediate virtual port (an IFB, intermediate function block, 
in iptables terminology) to route traffic through and I never did get the hang 
of that.

> 2. are there any good sources for information on and about networking? 
>  debian has moved to nftables from iptables  - - - is devuan doing 
> similar?

Everything has moved, or will be moving, to nftables - it’s a kernel thing. 
There’s a shim layer to provide an iptables interface to help people through 
the transition, but I suspect it might struggle with some of the more complex 
stuff due to differences in semantics between iptables and nftables.

>  Where does one find information to enable a firewall that works yet 
> isn't stupid?

I’m afraid that’s up there with the answer to life, the universe, and 
everything - and in this case it’s not 42 ;-)


Back when it was part of the day job, I would “sort of absorb” bits and pieces 
until I knew enough about networking to be dangerous. After that, it’s a case 
of recognising when there’s a gap in the knowledge and filling it through 
reading/research.

Sometimes a good starting point is to have a specific thing you need a pointer 
to and asking others.


In the past my preferred firewall was Shorewall - it’s quite a steep learning 
curve, but not as steep as native iptables, and not as limiting as most other 
firewalls. However, I’m not sure of its current status as it was always very 
tightly bound into the semantics of iptables and would probably need a bottom 
up re-write to work well with nftables.
But while the learning curve can be steep when past the basics, the examples 
will let you get common setups going very quickly.
But by far the biggest thing that I liked about Shorewall was the “everything 
is in a bunch of text files” approach - meaning that you can look at the files 
and see what’s going on - and, I know this will frighten many used to GUIs, you 
can put comments in the files to tell you what is going on ! At the same job I 
mention below, some of the firewalling was done with Zyxel appliances - all 
through a “rubbish” GUI that makes finding anything difficult and documenting it 
impossible. Almost a write-only system.

For the ultimate in control, eschew packages and get down and dirty with the 
native commands - i.e. learn how to drive nftables directly.



tito via Dng  wrote:

> I personally prefer x86 hardware for this kind of things

Me too, though there’s some fairly decent small computers about these days. 
IIRC the rPi4 has a “real” network interface, and gigabit at that - so it would 
probably make a fairly decent “router on a stick”.

Router on a stick being a reference to something like a lollipop where there’s 
a “blob” on the end of a single stick. You can use VLANs up this single 
ethernet link to separate the different classes of traffic - e.g. a VLAN for 
the connection to your ISP, another for a management subnet for the switches 
etc, another for the main office LAN, another for a guest WiFi, …
At my last place I had a Debian VM (pre SystemD) with something like 3 DSL 
(PPPoE) connections, another via an ethernet provider, a backend for 
inter-server traffic, office LAN, guest LAN, management LAN, and possibly 
something else as well. Most run on separate VLANs over a single ethernet 
interface. And all configured with Shorewall.


Simon




Re: [DNG] system administration of non-systemd distros and releases

2021-11-26 Thread Simon
Steve Litt  wrote:

>>> I've wondered for a long time if it would be independently possible
>>> to make systemd optional.  
>> 
>> I think you found that the answer is no.
> 
> I think you might be pleasantly surprised. In, to use the term loosely,
> "discussions" with systemd's biggest fanboy whose initials weren't LP,
> I found out, according to him, that the only two systemd services that
> can't be removed are PID1 and journald. If the fanboy is correct, then
> you can install the runit process supervisor (not the whole init
> system), and one by one, disable systemd's handling of the other
> services, so all systemd does is launch runit and act as a logging
> mechanism.

I’ll admit that I’ve not really followed the subject all that much, but it’s my 
understanding that you can’t just replace a couple of services.

It’s not that you can’t replace a SystemD service with something else, but the 
way SystemD has been extending its tentacles into all sorts of stuff that 
wasn't broken (and replacing it with broken alternatives - c.f. ntp). I may be 
completely wrong, but it was my impression that they’ve been so trigger happy 
replacing established APIs with “better because it’s new” APIs that a lot of 
packages won’t work OFF THE SHELF without SystemD running and servicing those 
new APIs.

So I think it comes down to whether the devs for the package you want to run 
took the time to encode multiple “if systemd then do X else do Y” (or ifdef 
buildforsystemd then do X else do Y) stuff in their code. At some point, if you 
are writing with an eye on distros that all run SystemD then someone could be 
tempted to just write “do X” - and then that package won’t work if the API for 
X isn’t present.

And of course, at some point (if there isn’t already) then it’s likely that 
SystemD will introduce something whose semantics are different - so it’s not 
just a case of “call API X or call API Y”, but case of do a bunch of stuff one 
way or do it a different way.

So the statement you’ve quoted may technically be correct, but may also be 
“somewhat misleading”.



Lars Noodén via Dng  wrote:

> That's not too far off from new cars as they are today.  They are lousy
> with sensors and everything is tied directly or indirectly to the
> dealer, either through proprietary programs + proprietary protocols or
> service contracts or both.  You can't change your own oil though I think
> changing the wiper blades on your own is still allowed.  And by "you" I
> mean the ostensible owner or an independent repair shop.
> 
> The cars are not recognized as computer systems, but as Cory Doctorow
> pointed out they are a computer you put your body into.  I have only a
> weak grasp of the situation, having kept my head in the sand as long as
> I could, but I think two non-excusive approaches to solving the car
> software / protocol problem might be through software liability (as
> outlined by Geer and Kamp [1]) and through the ongoing attempts to
> restore the "right to repair" as led by Rossmann [2], in particular the
> latter which is picking momentum in regards to heavy farm equipment.

I can’t speak for commercial vehicles or agricultural machinery, but for cars 
things took a positive turn in the EU many years ago.
At one point, car manufacturers were heading down the road towards “only a 
franchised dealer can do X, Y, Z” and independents would be locked out - due to 
lack of third party diagnostics etc as we’re seeing with (for example) John 
Deere. The first I recall was BMW where only franchised dealers were allowed 
access to the unit needed to reset the maintenance light - but as I recall, it 
wasn’t long before the protocol was reverse engineered and third parties 
started selling the ability to non-franchised dealers.
The car manufacturers rolled out all the familiar reasons why only franchised 
dealers should be allowed to do anything - the “think about idiots fitting 
substandard parts” one being the biggest.
But the rules were changed, the car market was stripped of it’s exemption from 
certain competition laws, and suddenly it was illegal to have franchised 
dealers with defined geographic areas, it was illegal to tie franchised dealers 
to only dealing with the one manufacturer, and the biggest benefit of all was 
that it was illegal to withhold maintenance and diagnostics information from 
non-franchised dealers.
I can’t remember whether it was part of this or a separate rule change, but at 
some point it was made a legal requirement to implement a standardised 
diagnostics port - and the EOBD port was born.

So I guess we have it easy over here, and I hope things change in that way for 
you over the other side of the pond.

Simon


Re: [DNG] system administration of non-systemd distros and releases

2021-11-25 Thread Simon
project has an 
incentive to maximise their intrusion into every aspect of system operation. 
Because the harder they can make it for devs to make their software run on 
SystemD or any other init system, the more they can make other software depend 
on SystemD and thus make it harder to keep SystemD optional in the wider view.

So having had SystemD create such a gulf between the requirements to run on 
“traditional” systems and SystemD systems, effectively any shim would have to 
recreate a heck of a lot of SystemD. And we all know that such a shim 
would be trivial to write given the well documented and stable interfaces 
between the SystemD components 

>> Peter Duffy said on Thu, 25 Nov 2021 13:51:18 +
>> 
>>> I've said it before and I'll say it again. All this could have been
>>> avoided - if systemd had been made optional from day 1. People who
>>> liked it could use it; people who didn't like it could use something
>>> else.

And in the Debian world, I distinctly recall there being an air of “don’t 
worry, it’s optional anyway” alongside the “and it’s only another init system” 
arguments.
It was only once it was too late and the GR had been fudged to get a 
pro-SystemD vote that people realised that it was never going to be optional.


Simon



Re: [DNG] system administration of non-systemd distros and releases

2021-11-21 Thread Simon
 have the 
skills outside of the toolset provided by SystemD. Just like there are a lot of 
Windows admins who can’t cope with anything beyond randomly changing settings 
in the GUI.


Simon



Re: [DNG] To cc or not cc. (was: Devuan with usr merge?)

2021-11-06 Thread Simon
Steve Litt  wrote:

> The biggest accomplishment of this DMARC/DKIM thing was to make email
> such a mess that it sent even more of the dummy dwobes to Facebook, a
> private club having a monopoly over communication. What could POSSIBLY
> go wrong?

I don’t think it has. From past experience, it’s taught many people that “the 
only email you should use is gmail (or one of a handful of others)” because of 
the things they broke (deliberately).

At my last job, we ran a mail server for our clients. When I started there it 
was (IIRC) iMail ruling on Win NT and it got hacked regularly. I got asked if I 
could knock something up - which I did, a “temporary” setup with linux, 
Postfix, Postfixadmin, Amavis, and a few more bits. It was temporary for quite 
a long time, and needless to say, quite reliable in spite of me only having 
“hand me down” hardware to run my servers on - I was putting hardware into 
service that was (as my manager described it) 9 years past its swap out date ! 
But I digress.
After a good few years, I did a refresh and built a clustered system with 
before-acceptance mail scanning - something the big guys don’t seem to be able 
to manage.

As a policy, we’d setup clients with their own email to match their websites - 
so (e.g.) bloggscoffeeshop.co.uk would have (e.g.) i...@bloggscoffeeshop.co.uk 
for email. I’ve always thought it looks just plain naff when you see a custom 
website with a nice domain name - and a generic email like (e.g.) 
blogg...@btinternet.com.
But, many clients just refused to have two email accounts on their computer 
even though we’d offer to set it up for them. So many were simple redirects so 
that mail to i...@bloggscoffeeshop.co.uk just got redirected to 
blogg...@btinternet.com. Which worked fine until Google, MS, and Yahoo between 
them broke it and we had to explain to our clients that Google, MS, Yahoo, et 
al had broken their email setup deliberately.
But still, many refused to simply setup their nice email address as a second 
account in their client - I’ve noticed that even MS have relented and the 
built-in client in Win 10 now allows this, the built-in piece of rubbish in Win 
8 didn’t. So many simply changed the address on their website to be their ISP 
provided email.

And as far as the clients were concerned, the problem was our broken mail 
service - hence they need to use a “proper” one.

I did look into applying SRS, but with the combination of tools I was using, 
that broke one of our key anti-spam measures.



So as far as I’m concerned, the fact that they broke stuff was quite 
deliberate. The likes of Google, MS, Yahoo, etc would far rather people use 
their systems (so they can monetise their emails) than have it easy for smaller 
outfits to run fully functional emails systems. And between them they had/have 
enough of the market to simply declare something broken, change it, and force 
the rest of the world to change to suit them.



Simon
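
The breakage described above, where a plain redirect of i...@bloggscoffeeshop.co.uk fails the destination’s sender checks, and the SRS fix the message mentions looking into, as an added example that is not the poster’s setup: an SRS0-style rewrite of the envelope sender to the forwarder’s domain, with an HMAC tag so that only genuine rewrites are reversed for bounces and a timestamp so old ones expire. The secret, the example.org sender and the use of SHA-256 (SRS0 as commonly deployed uses SHA-1) are assumptions; multi-hop SRS1 handling is left out.

```python
import base64
import hashlib
import hmac
import time

# Constructed values: a real deployment keeps the secret private to the
# forwarding host and uses its own domain.
SRS_SECRET = b"constructed-secret-replace-me"
FORWARDER_DOMAIN = "bloggscoffeeshop.co.uk"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21          # bounces to rewrites older than this are refused


def _today():
    return int(time.time()) // 86400


def _timestamp(day):
    """Two base32 characters encoding the day number modulo 1024 (SRS0 style)."""
    day %= 1024
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _timestamp_age(ts, today):
    """Days between an encoded timestamp and today, allowing for the 1024-day wrap."""
    try:
        day = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    except (IndexError, ValueError):
        raise ValueError("malformed SRS timestamp") from None
    return (today - day) % 1024


def _tag(ts, domain, local):
    """Short HMAC tag over timestamp+domain+local, lower-cased because mail
    systems may change the case of a local part in transit."""
    data = (ts + domain + local).lower().encode()
    mac = hmac.new(SRS_SECRET, data, hashlib.sha256).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(sender, forwarder=FORWARDER_DOMAIN, day=None):
    """Rewrite the envelope sender of a message being redirected so that the
    next hop's SPF check is made against the forwarder's domain."""
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("sender must be local@domain")
    if local.startswith("SRS0="):
        # Already rewritten once; chaining needs SRS1, not covered here.
        raise ValueError("sender is already an SRS0 address")
    ts = _timestamp(_today() if day is None else day)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address, today=None):
    """Recover the original sender from an SRS0 address (for bounces),
    refusing addresses with a wrong tag or an expired timestamp."""
    local, _sep, _fwd = address.rpartition("@")
    parts = local.split("=", 4)      # the original local part may contain '='
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, ts, domain, orig_local = parts
    expected = _tag(ts, domain, orig_local)
    if not hmac.compare_digest(tag.lower(), expected.lower()):
        raise ValueError("bad tag: address was not produced by this forwarder")
    if _timestamp_age(ts, _today() if today is None else today) > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("customer@example.org")
    print(rewritten)
    print(srs_reverse(rewritten))
```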


Re: [DNG] FHS deficiencies: Was: Er, Not that way ? .Re: Announcing Devuan 4.0: Chimaera!

2021-10-23 Thread Simon
Olaf Meeuwissen via Dng  wrote:

>>> Might I suggest $HOME/bin :-)
>> 
>> ~/bin isn't ideal for two reasons:
>> 
>> 1) It's integrated with all sorts of config, cache, and who knows what,
>>   and can easily be lost or wiped out in a re-installation.
> 
> In the case of $HOME/bin getting lost or wiped out in a re-installation
> I'd argue you have bigger problems than just losing $HOME/bin.  You have
> most likely lost all of your $HOME, and maybe even other users' $HOME as
> well.

Agreed.
The most logical place for personal stuff is in your $HOME. If it’s a mess at 
home, then tidy up a bit - better than deciding home is too much of a mess and 
effectively just moving house to start again at another home.

Simon



Re: [DNG] Chimaera and ntpd/openntpd/chrony???

2021-10-20 Thread Simon Walter
On 2021-10-20 15:09, Ralph Ronnquist via Dng wrote:
> Hmm not sure where you take information from:
> 
> https://pkginfo.devuan.org/cgi-bin/policy-query.html?c=file=bin%2Fntpd=submit
> 
> https://pkginfo.devuan.org/cgi-bin/package-query.html?c=package=ntp=1:4.2.8p15+dfsg-1
> 
> perhaps a missing crucial "apt-get update" ?
> 

Aha! ntpd isn't in the repos. ntp is. ;) Thanks for the hint, Ralph!


[DNG] Chimaera and ntpd/openntpd/chrony???

2021-10-19 Thread Simon Walter
Hi all, ntpd doesn't seem to be in the default repos. What is the
recommended NTP daemon? I've never used openntpd nor chrony.

Thanks,

Simon


Re: [DNG] Fw: Testers for Chimaera alpha netinstall iso

2021-10-13 Thread Simon Walter
On 2021-10-12 21:13, Simon Walter wrote:
> On 2021-10-12 21:04, Simon Walter wrote:
>>
>>
>> On 2021-10-12 20:58, Simon Walter wrote:
>>> On 2021-10-12 19:19, Ralph Ronnquist via Dng wrote:
>>>> Which ISO does this concern? Does it happen with the latest?
>>>
>>> devuan_chimaera_4.0.RC-20211011_amd64_netinstall.iso
>>>
>>>> Which hands-on is involved?
>>>> Bugs would still be reported as per the original instruction.
>>>
>>> I will check for the existence of the file that aitor mentioned
>>> (.disk/info).
>>>
>>
>> It turns out that something went wrong with the USB device (iso) or
>> the mounting of it. Because at first, there were no files in /cdrom.
>> Then when I remounted the USB device at /cdrom, I could see the
>> /.disk/info file. I will start from the top and see if it occurs again.
>>
> 
> It was shitty HW. I'm sorry for the noise.

So it turns out this may be a problem with a chipset or some HW other
than the USB storage device. The USB storage device will, at various
stages in the installation, "disappear" (there is no more /dev/sda*) and
then "reappear" (there is now /dev/sdb*). Mounting it again at /cdrom
and /target/media/cdrom allows me to carry on the installation.

If you have an 11th gen Intel machine that could be an issue. Devuan 3
installer didn't find the NIC. So I opted to try 4.


Re: [DNG] Fw: Testers for Chimaera alpha netinstall iso

2021-10-12 Thread Simon Walter
On 2021-10-12 21:04, Simon Walter wrote:
> 
> 
> On 2021-10-12 20:58, Simon Walter wrote:
>> On 2021-10-12 19:19, Ralph Ronnquist via Dng wrote:
>>> Which ISO does this concern? Does it happen with the latest?
>>
>> devuan_chimaera_4.0.RC-20211011_amd64_netinstall.iso
>>
>>> Which hands-on is involved?
>>> Bugs would still be reported as per the original instruction.
>>
>> I will check for the existence of the file that aitor mentioned
>> (.disk/info).
>>
> 
> It turns out that something went wrong with the USB device (iso) or
> the mounting of it. Because at first, there were no files in /cdrom.
> Then when I remounted the USB device at /cdrom, I could see the
> /.disk/info file. I will start from the top and see if it occurs again.
> 

It was shitty HW. I'm sorry for the noise.


Re: [DNG] Fw: Testers for Chimaera alpha netinstall iso

2021-10-12 Thread Simon Walter


On 2021-10-12 20:58, Simon Walter wrote:
> On 2021-10-12 19:19, Ralph Ronnquist via Dng wrote:
>> Which ISO does this concern? Does it happen with the latest?
> 
> devuan_chimaera_4.0.RC-20211011_amd64_netinstall.iso
> 
>> Which hands-on is involved?
>> Bugs would still be reported as per the original instruction.
> 
> I will check for the existence of the file that aitor mentioned
> (.disk/info).
> 

It turns out that something went wrong with the USB device (iso) or
the mounting of it. Because at first, there were no files in /cdrom.
Then when I remounted the USB device at /cdrom, I could see the
/.disk/info file. I will start from the top and see if it occurs again.

One more detail is that I am installing to an encrypted LVM (via the
curses UI - guided partitioning - all files in one partition).

Best regards,

Simon


Re: [DNG] Fw: Testers for Chimaera alpha netinstall iso

2021-10-12 Thread Simon Walter
On 2021-10-12 19:19, Ralph Ronnquist via Dng wrote:
> Which ISO does this concern? Does it happen with the latest?

devuan_chimaera_4.0.RC-20211011_amd64_netinstall.iso

> Which hands-on is involved?
> Bugs would still be reported as per the original instruction.

I will check for the existence of the file that aitor mentioned
(.disk/info).

Thanks,

Simon



Re: [DNG] Fw: Testers for Chimaera alpha netinstall iso

2021-10-12 Thread Simon Walter
I'm trying to install Chimaera from the netinstall, and I get the
debootstrap error:
"Failed to determine the codename for the release"

Is this known? Where should I report problems with the installer?

Thanks,

Simon

On 2021-06-18 07:24, Ralph Ronnquist via Dng wrote:
> 
> 
> Begin forwarded message:
> 
> Date: Fri, 18 Jun 2021 08:22:06 +1000
> From: Ralph Ronnquist 
> To: Devuan Maintainers 
> Subject: Testers for Chimaera alpha netinstall iso
> 
> 
> The Chimaera alpha netinstall ISOs version dated 14-Jun-2021 or later
> now include "the final" versions of the forked udebs, and they need
> testing to confirm that it is ready for RC1 in the coming month.
> 
> The URL path at files.devuan.org is devuan_chimaera/installer-iso/
> but that's rather slow to download from, and you're better off using
> some of mirrors listed at https://www.devuan.org/get-devuan
> 
> E.g
> https://sledjhamr.org/devuan-cd/devuan_chimaera/installer-iso/devuan_chimaera_4.0.alpha-20210614_amd64_netinstall.iso
> 
> Please report bugs via email sent to "submit" at bugs.devuan.org with
> the first 2 lines being the following:
> Package: devuan-installer
> Version: 4.0
> 
> But, please report against the source package concerned where you can
> isolate that. And, note that most packages come directly from Debian
> without forking, and that upstreamed reporting directly to Debian's bug
> tracking is then best (https://www.debian.org/Bugs/Reporting).
> 
> 
> regards,
> 
> Ralph.
> 
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 


Re: [DNG] [OT] Twitch and 2FA (TOTP)

2021-10-08 Thread Simon
Bernard Rosset via Dng  wrote:

> Something very important is implied there, and probably only a few will 
> notice it: there is a requirement for a smartphone.

In general, it’s also possible to do 2FA using applications on a desktop.

But, what I don’t like is the assumption prevalent behind a lot of this (my 
bank keeps trying to persuade me to use “their app”) that we’re happy carrying 
around the keys to our lives on something that is a) easily lost, b) easily 
stolen, c) liable to run out of power at inopportune moments, or d) can 
break/be broken.
b) is the worst case of course - because then the thief not only has your 2FA 
keys, but they also have access to your backup routes (e.g. SMS and email) as 
well. And for as long as it takes you to realise that it’s gone and be able to 
access the various services and change the access to them - which might not be 
easy if you are away from home and without access to your desktop or laptop.

Simon



Re: [DNG] random sudden stops

2021-08-26 Thread Simon
Hendrik Boom  wrote:

> When the machine stops I cannot access it by network.  Even existing 
> connexions stop working.

Have you disabled console screen blanking (IIRC “setterm --blank 0”) so that any 
messages put out are readable ?
Perhaps you’ve already tried that and there’s no clues given ?

Simon



Re: [DNG] ..tenacity replaces Audacity like Devuan replaces Debian? Tenacity ditches spyware.

2021-08-24 Thread Simon
Dr. Nikolaus Klepp  wrote:

> This is a strict no-go. Any software even with the "option" to get you 
> prosecuted by any countries laws will get you in trouble. Any sane person 
> should stay away from that crap as far as possible.

Unfortunately you’ll struggle to stay away. There is a lot of free/open 
software that can get you into trouble - without you doing anything wrong.

DeCSS is still (AIUI) illegal in the USA - but is needed to watch a DVD on 
Linux.
Many tools (e.g. WiFi scanners, network sniffers) can get you into trouble 
because they have a use as “hacking” tools.

Basically any tool which could be considered to have sinister uses, even if 
that’s only in the eyes of a technically illiterate law enforcement officer, 
can get you into trouble. Heck, even using a web browser can get you into 
trouble - there have been a few cases of people, for example, simply editing 
the URL and being accused of hacking.


Now, back to the original story. If any business collects data, then they may 
be required to hand that data over to the law enforcement authorities in their 
country in accordance with the laws of that country. That is certainly the case 
with the UK and the USA - but normally there is a process that must be followed 
rather than them simply turning up and telling you to hand it over. In other 
countries it may be “accepted practice” for someone to turn up and tell you to 
hand over data, with a firearm to provide some incentive to comply.
Furthermore, in some countries there is a legal requirement to collect certain 
data - there certainly is in the UK with some service providers.

The best option from a privacy PoV is for anyone to collect the least amount of 
data that’s compliant with their laws - that way they minimise what they could 
be asked to hand over. If you are interested in finding out how users actually 
use your product, e.g. which features are used and need maintenance vs those 
that are unused cruft, then you might want to collect some usage stats. IFF 
that is done openly and with the user’s permission then I don’t see that as a 
big problem - each user can make the decision as to whether they are happy to 
help with that.

The biggest problem with Audacity is that they did it without adequately 
explaining what they were doing, using a third party with a “dubious” record on 
privacy, and generally having a track record of putting self interest above the 
interests of its users.

Simon



Re: [DNG] Microsoft: Really?

2021-08-12 Thread Simon Hobson
Mark Rousell  wrote:

> As I see it there are only two USPs for a service like this:
> 
> (1) It's accessible for anywhere you have Internet access and a computing 
> device.
> 
> (2) It is (I presume) backed up so you don't need to run your own backups... 
> well, in theory. In practice that should not be relied upon but people 
> definitely will give up doing their own backups due to systems like this.

You missed what is possibly the most important for many businesses :

(3) It's able to be bought as Opex rather than Capex.

Put another way, someone, somewhere, in the organisation can buy this on their 
expenses and cut out the IT department. They don't need to create a business 
case and go through an approvals process to spend on a capital asset - it just 
hides away in the operating budget for the department.
That in part is behind the rapid rise of a number of "something as a service" 
offerings - they can be hidden in departmental operating budgets instead of 
having to go and get capital approval, and allowing the IT dept to veto it.

So some middle manager somewhere who's got a crappy old PC can get themselves a 
nice juicy one in the cloud as long as they can cover the cost in their 
expenses. The fact that it ends up costing the company more than if they 
actually bought him a better one is beside the point - he's presumably doing 
this because they asked for a better PC and that request was turned down.

Simon



Re: [DNG] Devuan as a hypervisor?

2021-08-03 Thread Simon Walter
On 2021-07-31 10:25, yami...@cock.li wrote:
> Hi.
> 
> I want to install a bare metal hypervisor in my computer to get the
> benefits from dual booting except without the mess that is dual booting.
> 
> I'm going to use it for both linux and windows systems and all I want is
> for the vms and their files to be isolated, control over their
> resources, PCI passthrough, and good performance. I don't care for a GUI
> as long as scripts are an option.
> 
> Currently I'm between Xen and Qemu, but I'm open to other options.
> Which would be the best option in this case, and is this even a good idea?
> 

VirtualBox is also a good option if you need a GUI for Windows for
example. I find it more performant than SPICE or VNC.

Qemu is an emulator. I don't think that is what you want, as it's quite
slow. Qemu also has a set of useful tools.

What works well for me WRT KVM is virt-manager.

I only started using it because Oracle effed up VirtualBox, but I'm happy
to report that I tried out VirtualBox again a few days ago to access
some of my old VMs, and the nonsense had disappeared in ascii at least.

I don't think you need Xen, but it is a good option. LXC is great for
isolating Linux. They have no overhead.

Best regards,

Simon


Re: [DNG] Missing syslog

2021-07-27 Thread Simon Hobson
Hendrik Boom  wrote:

> I did a ls -l on syslog*
> 
> april:~# ls -l /var/log/syslog* 
> -rw-r- 1 root adm  734459 May 17  2013 /var/log/syslog
> -rw-r- 1 root adm 1197017 May 17  2013 /var/log/syslog.0
> -rw-r- 1 root adm   79876 May 13  2013 /var/log/syslog.1.gz
> -rw-r- 1 root adm  127547 May 12  2013 /var/log/syslog.2.gz
> -rw-r- 1 root adm   51821 May 10  2013 /var/log/syslog.3.gz
> -rw-r- 1 root adm   44679 May  9  2013 /var/log/syslog.4.gz
> -rw-r- 1 root adm   46240 May  8  2013 /var/log/syslog.5.gz
> -rw-r- 1 root adm   41297 May  7  2013 /var/log/syslog.6.gz
> april:~#
> 
> It looks like nothing has been written to syslog for the last eight 
> years!

This may seem a stupid question ...
But you have checked the contents of the files haven't you ? I.e. checked that 
they were that old, and don't just have the wrong timestamp due to "some 
unknown problem" ?

Simon

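
Added example, not from Simon's or Hendrik's posts: a small check that does what Simon asks, comparing the story the directory listing tells (the file's mtime) with what the file actually contains (the timestamp of its last entry). Classic syslog lines carry no year, so the year is taken from the mtime; that is an assumption and is marked in the code. The two log files are constructed samples written to temporary files, one that genuinely stopped in May 2013 and one whose content is newer than its mtime claims.

```python
import datetime as dt
import os
import re
import tempfile

# Classic syslog prefix: "Mon DD HH:MM:SS host program: message" (no year).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")
MONTH_NAMES = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTHS = {name: num for num, name in enumerate(MONTH_NAMES, start=1)}


def parse_ts(line: str, year: int):
    """Timestamp of one syslog line, or None if it has no standard prefix.
    The year is not in the line, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return dt.datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def last_entry_time(path: str, year: int):
    """Timestamp of the last parseable entry in the file (None if there is none)."""
    latest = None
    with open(path, errors="replace") as fh:
        for line in fh:
            ts = parse_ts(line, year)
            if ts is not None:
                latest = ts
    return latest


def check_syslog(path: str, now=None, max_age=dt.timedelta(days=1)):
    """Say whether the file's mtime and its content agree, and how stale it is."""
    now = now or dt.datetime.now()
    mtime = dt.datetime.fromtimestamp(os.path.getmtime(path))
    # Assumption: the last entry was written in the same year as the mtime.
    last = last_entry_time(path, mtime.year)
    result = {"mtime": mtime, "last_entry": last, "stale_days": None}
    if last is None:
        result["verdict"] = "no parseable entries; inspect the file by hand"
    elif abs(last - mtime) > max_age:
        result["verdict"] = "content and mtime disagree; the timestamp is not trustworthy"
    else:
        result["stale_days"] = (now - last).days
        result["verdict"] = ("ok" if now - last <= max_age
                             else f"stale: last entry {result['stale_days']} days ago")
    return result


def _constructed_log(lines, mtime: dt.datetime) -> str:
    """Write constructed sample lines to a temp file and force its mtime."""
    fd, path = tempfile.mkstemp(prefix="syslog-sample-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return path


# Constructed samples, not real logs.
STOPPED_2013 = _constructed_log(
    ["May 17 09:14:58 april cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
     "May 17 09:15:01 april kernel: [    1.000000] constructed sample line"],
    dt.datetime(2013, 5, 17, 9, 15, 30))
MISMATCHED = _constructed_log(
    ["Jul 27 08:00:00 april sshd[999]: constructed sample line"],
    dt.datetime(2013, 5, 17, 9, 15, 30))
_NOW = dt.datetime.now().replace(microsecond=0)
FRESH = _constructed_log(
    [f"{MONTH_NAMES[_NOW.month - 1]} {_NOW.day:2d} {_NOW:%H:%M:%S} april sshd[1]: constructed sample line"],
    _NOW)

if __name__ == "__main__":
    for path in (STOPPED_2013, MISMATCHED, FRESH):
        print(check_syslog(path)["verdict"])
```

On a real host you would point it at /var/log/syslog (and at the rotated copies, where the year assumption matters most around January).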


Re: [DNG] Nasty Linux systemd security bug revealed

2021-07-25 Thread Simon Hobson
Andreas Messer  wrote:

> Once we had a crash in
> simple limit switch device. As a result the high-rack robot pushed a
> pallet in 15m height out of the rack. Fortunately, it was just another
> robot which was destroyed (stood just below) - not a human being. Still 
> a very expensive case for the company. So I'm used implement a lot of 
> checks :-). (Actually we even don't use heap allocation after booting 
> the firmware)

Back in the 90s I had an acquaintance that did a lot of consulting for sites 
with "management issues" and running "big iron". He got a jolly to see a site 
that was run by systems from that vendor - the very early days of warehouse 
automation. High bar warehousing, automated forklifts, with operators riding 
along to move boxes between pallet on the forks and pallet on the racks - it 
was a highly seasonal business, and in the run up to Christmas they'd be getting 
orders in, in all sorts of quantities; putting a small box on a pallet is highly 
inefficient, hence the need for manual handling to combine multiple shipments onto 
one pallet on the racks.
Apparently the average stay before the operators quit from the stress was only 
3 months !
Then one day a forklift went wrong - fortunately with no operator on board. It 
accelerated in an uncontrolled manner until it crashed through the side of the 
building and fell over in the field next door - at which point, all the 
operators walked out !


g4sra via Dng  wrote:

> There is nothing stopping *me* from applying for systems programming work in 
> Nuclear Power Stations, Air Traffic Control, Industrial Robotics, etc...


Yes, but if you look a little deeper, in that sort of industry the programmers 
don't get to "just get on with it". The higher the risk, the higher the degree 
of risk management. By the time the programmer gets to write code, there's been 
a lot of safety based design - and when they've written the code, there's a lot 
of testing and assurance before it can go live.
Of course, if you are Boeing and designing systems for aircraft - then it seems 
it's a different matter !

Simon



Re: [DNG] deprecated options (Was: Refracta have a static IP)

2021-07-18 Thread Simon Hobson
Bernard Rosset via Dng  wrote:

>> Perhaps it's time for the relevant package to spit out some notice level 
>> logging when it hits deprecated options ?
> 
> I can't imagine the volume of information that would produce on system 
> upgrades, even updates packs.
> Unreadable, if you ask me: Too much information = No information, as it will 
> be discarded.

No, I'm not talking about changelogs - which as you say tend to get very 
lengthy on a system upgrade and either ignored or are a pita to wade through, 
and for many users, much of what's in there isn't relevant to their use case. 
I'm talking about, as a service/daemon starts, then it spits out a warning 
notice **IFF** a deprecated option is encountered in the config.

I've seen the latter many times, and it works - doesn't stop the service 
working, doesn't disappear in a gazzillion pages of changelogs that no-one 
reads (because a lot of the changelog isn't relevant to the user's use case) - 
but does provide a warning that the config needs re-visiting.


Simon



Re: [DNG] Refracta have a static IP

2021-07-15 Thread Simon Hobson
Bernard Rosset via Dng  wrote:

> Documentation states, for both INET & INET6 families:
> address address
>   Address (dotted quad/netmask) required
> 
> netmask mask
>   Netmask (dotted quad or number of bits) deprecated
> 
> Are we really debating how to configure network addresses without first 
> searching in the man pages?

Hmm, that's new since I last **needed** to look in the man page for it - don't 
tell me you look at man pages for stuff you already know how to do, each time 
you do it ?
Looks like "deprecated" was added between ascii and beowulf.


Checking my next oldest system (Debian Wheezy), I see that it includes CIDR 
format. Guess it's a while since I last needed to check the man page for that !


Perhaps it's time for the relevant package to spit out some notice level 
logging when it hits deprecated options ?


Simon



Re: [DNG] Refracta have a static IP

2021-07-14 Thread Simon Hobson
Arnt Karlsen  wrote:

>> So I made my /etc/network/interfaces look like the following, which
>> follows the guidelines of "man interfaces":
>> 
>> ===
>> auto lo
>> iface lo inet loopback
>> 
>> allow-hotplug eth0
>> iface eth0 inet static
>>  address 192.168.0.199
> 
> ..could this be as simple as:
> address 192.168.0.199/24 #??? It shouldn't be.
> 
>>  gateway 192.168.0.1
>> ===

No, in /etc/network/interfaces it needs a net mask line like this :

> auto eth0
> iface eth0 inet static
>   address 192.168.nnn.nnn
>   netmask 255.255.255.0
>   gateway 192.168.nnn.nnn

I usually use auto, but I believe for a "server" type setup then the effect is 
the same as allow-hotplug.

Simon

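
Added example, not code from the thread or from ifupdown itself, that serves both this netmask/CIDR question and Simon's suggestion in the "deprecated options" reply above: a small linter for /etc/network/interfaces that parses the iface stanzas, emits the kind of start-up notice he describes when it meets an option the quoted man page marks deprecated (netmask), and prints the equivalent CIDR address line. The interfaces file below is a constructed sample in the style quoted in the thread, not any real host's configuration.

```python
import ipaddress

# Constructed sample in the style of the /etc/network/interfaces quoted above.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
    address 192.168.0.199
    netmask 255.255.255.0
    gateway 192.168.0.1

# second NIC already uses the CIDR form
auto eth1
iface eth1 inet static
    address 10.0.0.5/24
    gateway 10.0.0.1
"""

# Options the quoted man page marks deprecated, with the advice to give instead.
DEPRECATED_OPTIONS = {
    "netmask": "give the prefix length on the address line instead (address a.b.c.d/NN)",
}

# Keywords that start a new top-level block and therefore end an iface stanza.
TOP_LEVEL = {"auto", "allow-hotplug", "allow-auto", "mapping", "source", "source-directory"}


def parse_interfaces(text: str):
    """Split an interfaces(5) file into iface stanzas: name, family, method, options."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = {"name": words[1], "family": words[2], "method": words[3], "options": {}}
            stanzas.append(current)
        elif words[0] in TOP_LEVEL:
            current = None
        elif current is not None:
            current["options"][words[0]] = " ".join(words[1:])
    return stanzas


def check_stanza(stanza: dict):
    """Warnings for one stanza: deprecated options, and a static address with no
    mask at all. A notice at start-up, not a hard error, as the thread proposes."""
    warnings = []
    opts = stanza["options"]
    for key, advice in DEPRECATED_OPTIONS.items():
        if key in opts:
            warnings.append(f"{stanza['name']}: '{key}' is deprecated; {advice}")
    if stanza["method"] == "static" and "address" in opts:
        address = opts["address"]
        if "/" in address:
            pass                                   # already in CIDR form
        elif "netmask" in opts:
            iface = ipaddress.ip_interface(f"{address}/{opts['netmask']}")
            warnings.append(f"{stanza['name']}: equivalent CIDR form: address {iface.with_prefixlen}")
        else:
            warnings.append(f"{stanza['name']}: static address without prefix length or netmask")
    return warnings


def lint_interfaces(text: str):
    return [w for stanza in parse_interfaces(text) for w in check_stanza(stanza)]


if __name__ == "__main__":
    for warning in lint_interfaces(SAMPLE_INTERFACES):
        print("notice:", warning)
```

Run against a real file with `lint_interfaces(open("/etc/network/interfaces").read())`; the conversion relies on ipaddress.ip_interface accepting a dotted-quad netmask, which it does for IPv4.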


Re: [DNG] ..maybe webmin?, was: Cockpit removal might make sense

2021-06-23 Thread Simon Walter

On 6/21/21 6:26 PM, Olaf Meeuwissen wrote:
> Using adduser/deluser and addgroup/delgroup isn't exactly rocket science
> :-P
>
> If they don't get that, then they probably shouldn't be adminning users
> and permissions to begin with ...


There are managers who have tasted 
G-Suite/O365/Some_Cloud_Providers_GUI. If they take full responsibility, 
why not empower them?



Re: [DNG] ..maybe webmin?, was: Cockpit removal might make sense

2021-06-20 Thread Simon Walter
 was difficult because of their 
state layer.


Anyway, I tend to be sympathetic to people like Olaf "A (remote) 
command-line suits just fine." It's when you need to delegate 
administration of users and permissions to someone who does not know the 
CLI. Then you wish for a decent GUI.


Best regards,

Simon


Re: [DNG] ntp setup

2021-06-20 Thread Simon Hobson
k...@aspodata.se wrote:

>> ntp only synchronizes on machine starts.
> 
> That is wrong, I guess you are thinking about initial sync.
> 
> You can do initial synchronisation with e.g. ntpdate, but ntpd can do
> that also, but can take more time before it decides to jump the clock
> if it differs too much.
> 
> Then ntpd, while running, will at some regular interval,
> synchronize the clock. Run ntpq -p to see the polling interval.
> 
> The ntp.conf file installed with devuan is perfectly fine for
> a newbie's always-connected system. If your box only has intermittent 
> connection to the internet, ntpd might not be what you need.
> You might then be better served by chrony or something else.

For clarification ...

From memory, ntp does have problems with clocks that are a long way out of sync 
- or has that been fixed ? I suspect that was part of the reason for running 
ntpdate on startup. As I'm normally working with systems that a) are always on, 
and b) have working hardware clocks with batteries, this hasn't been a problem 
for me so I haven't followed developments.

By default, ntpd will start with a polling interval of 64 seconds, and over 
time will increase this up to 1024s (17 minutes). If you specify an iburst 
value for a peer in the config file, then it will poll several times in a short 
space of time during startup - shortening its sync time.

As above, ntpq -p will list the currently configured peers and their status. 
After a while, one will be listed with "*" before its entry - this is the peer it 
currently considers the primary and to which it will sync the clock. Others marked 
with "+" are candidates to be the primary.

My configured servers are :
server ntp.plus.net
server ntp2b.mcc.ac.uk
server ntp2c.mcc.ac.uk
server ntp.cis.strath.ac.uk
server ntp.ox.ac.uk

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-cdns01.plus.net 195.66.241.3     2 u  396 1024  377   30.702   -0.750   0.322
*frome.mc.man.ac 193.62.22.66     2 u  452 1024  377   39.684    0.277   0.231
+utserv.mcc.ac.u 193.62.22.66     2 u  317 1024  377   39.488   -0.010   0.382
+ntp0.cis.strath 193.62.22.74     2 u  630 1024  377   42.858    0.002   0.672
 ntp0.ox.ac.uk   .STEP.          16 u    - 1024    0    0.000    0.000   0.000

Taking the second line from this, it says my local daemon is synced to 
frome.mc.man.ac[.uk] (ntp2b.mcc.ac.uk is an alias to frome) which in turn is 
synced to 193.62.22.66. Frome is a stratum 2 server, it was last polled 452 
seconds ago, the polling interval is now 1024s and it responded for each of the 
last 8 polls (377 in octal is  , if any poll fails, then the reach 
column will indicate this with a 0 for each poll that failed). The round trip 
time for the poll was a little under 40 ms, the local clock is offset by .27ms, 
and the jitter (variation in round trip time and time offset between polls) is 
0.23ms.
I'm assuming ntpd has selected this peer because it has the lowest jitter. If 
there were peers with different stratums, then ntpd will favour the higher 
stratum ones - stratum is basically how many hops from a "high quality" time 
source (such as the atomic clocks run by the likes of NPL).

ntp0.ox.ac.uk has never responded (must get round to removing that some time), 
and I think cdns01.plus.net (ntp.plus.net) has been discounted as a candidate 
for primary peer because its clock disagrees with the rest.

On another system I see :
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*patsy.thehobson 130.88.203.13    3 u  423 1024  377    1.079   -0.125   0.237

showing that the ntp daemon running on patsy is stratum 3 because it's synced 
to a stratum 2 peer.


As said, just installing the ntp package should give you a working time sync - 
using four servers from the ntp.org pool. If your clock is not syncing, then 
the first debugging tool is ntpq -p and see what is going on.


As an aside, you may find this interesting to see how some miscreants are (or 
were, it was written 5 years ago) using the Debian pool to find devices to port 
scan.
http://netpatterns.blogspot.com/2016/01/the-rising-sophistication-of-network.html

Simon

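
Added example, not code from Simon's post or from the ntp package: a parser for the `ntpq -p` listing that turns the columns explained above into something a monitoring job can act on. It decodes the tally character, expands the octal reach register into the result of each of the last 8 polls (bit 0 is the most recent), and reports the conditions Simon walks through: no system peer selected, a peer that never responds (stratum 16, reach 0), missed polls, and peers discarded by the selection algorithm. The listing embedded below is the first one from the post, with its columns realigned; nothing else is assumed.

```python
# ntpq -p tally codes (first column), per ntpq(8).
TALLY = {
    " ": "rejected (unreachable, or failed sanity checks)",
    "x": "falseticker (clock disagrees with the majority)",
    ".": "excess (beyond the number of candidates kept)",
    "-": "outlier (discarded by the clustering algorithm)",
    "+": "candidate (could become the system peer)",
    "#": "backup (selected but beyond the survivor limit)",
    "*": "system peer (the clock is synced to this one)",
    "o": "PPS peer",
}

# The ntpq -p output from the post above, columns realigned.
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-cdns01.plus.net 195.66.241.3     2 u  396 1024  377   30.702   -0.750   0.322
*frome.mc.man.ac 193.62.22.66     2 u  452 1024  377   39.684    0.277   0.231
+utserv.mcc.ac.u 193.62.22.66     2 u  317 1024  377   39.488   -0.010   0.382
+ntp0.cis.strath 193.62.22.74     2 u  630 1024  377   42.858    0.002   0.672
 ntp0.ox.ac.uk   .STEP.          16 u    - 1024    0    0.000    0.000   0.000
"""


def decode_reach(reach_octal: str):
    """reach is an 8-bit shift register printed in octal; one bit per poll,
    bit 0 the most recent. Returns [most_recent, ..., oldest] as booleans."""
    value = int(reach_octal, 8)
    return [bool((value >> i) & 1) for i in range(8)]


def parse_ntpq(text: str):
    """One dict per peer line; header and rule lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line:
            continue
        tally, fields = line[0], line[1:].split()
        if tally not in TALLY or len(fields) != 10:
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        try:
            peers.append({
                "tally": tally, "remote": remote, "refid": refid, "stratum": int(st),
                "type": t, "when": None if when == "-" else int(when), "poll": int(poll),
                "reach_octal": reach, "reach": decode_reach(reach),
                "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
            })
        except ValueError:
            continue            # the column-header line has 10 words but no numbers
    return peers


def system_peer(peers):
    return next((p for p in peers if p["tally"] == "*"), None)


def assess(peers):
    """Findings an admin would act on, in the order the peers are listed."""
    findings = []
    if system_peer(peers) is None:
        findings.append("no system peer selected: the clock is not being disciplined")
    for p in peers:
        missed = 8 - sum(p["reach"])
        if p["stratum"] == 16 or missed == 8:
            findings.append(f"{p['remote']}: unreachable (stratum {p['stratum']}, reach {p['reach_octal']})")
        elif missed:
            findings.append(f"{p['remote']}: missed {missed} of the last 8 polls")
        if p["tally"] in "-x":
            findings.append(f"{p['remote']}: {TALLY[p['tally']]}")
    return findings


if __name__ == "__main__":
    peers = parse_ntpq(NTPQ_SAMPLE)
    sp = system_peer(peers)
    print("synced to:", sp["remote"] if sp else "nothing", "| stratum", sp["stratum"] if sp else "-")
    for finding in assess(peers):
        print("finding:", finding)
```

To run it against a live daemon, feed it the output of `subprocess.run(["ntpq", "-p"], capture_output=True, text=True).stdout`; a cron job that alerts whenever `assess()` returns anything is a cheap way to notice a dead upstream like the ntp0.ox.ac.uk entry before the clock drifts.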


Re: [DNG] ..maybe webmin?, was: Cockpit removal might make sense

2021-06-10 Thread Simon Walter


On 2021-06-10 18:47, Rowland penny via Dng wrote:
> On 10/06/2021 10:36, Curtis Maurand via Dng wrote:
>> If you’re looking at something  like zentyal, you could look at HPE’s
>> clearos as well.  there is a free version.  It does all the things
>> that zentyal does.  it’s only drawback is that it’s based on centos
>> and it’s laced with systemd.
>>
> 
> One thing clearos cannot do that zentyal can, it cannot be an AD DC.
> 

That's a pretty big one thing. I would imagine that anyone wanting such
an OS would want a fancy GUI for the AD component. Yes, some people
still want Windows.


[DNG] halt

2021-06-10 Thread Simon Walter
I am researching the behavior of halt on various Linux distros. They 
seem to be inconsistent.


halt has different man pages:

In ascii:
"
AUTHOR
   Miquel van Smoorenburg, miqu...@cistron.nl
"

At https://linux.die.net/man/8/halt

"
Author
Written by Scott James Remnant 
"

Does anyone have any insight on this?

Simon


Re: [DNG] ..maybe webmin?, was: Cockpit removal might make sense

2021-06-10 Thread Simon Walter

On 6/8/21 7:05 AM, Arnt Karlsen wrote:
> ..turns out ebox changed its name, and, it does not support Procmail:
> https://zentyal.com/features/


It seemed to be going in a good direction, but maybe they didn't have 
enough funding. The last version I used was 5. After that, there was no 
benefit, as it became too brittle and resource hungry.




Re: [DNG] Cockpit removal might make sense

2021-06-07 Thread Simon Walter



On 5/26/21 5:23 PM, Mark Hindley wrote:
> On Wed, May 26, 2021 at 04:23:56PM +0900, Simon Walter wrote:
>> On 5/26/21 12:37 AM, Mark Hindley wrote:
>>> This is actually a Debian bug and should be fixed there.
>>>
>>> If cockpit requires systemd, it should declare that dependency.
>>
>> AFAICT, it requires a systemd socket. It doesn't require any systemd
>> packages (debs). Would that still be considered a dependency WRT
>> packages?
>
> I am no systemd expert ;) and have little first hand knowledge of it. But my
> limited understanding is that systemd socket activation is the systemd
> absorption/reimplementation of inetd(8) and requires systemd itself to be
> running.



Cockpit uses a systemd socket to get started on demand. The socket is not 
needed for the cockpit-ws cockpit-bridge etc to run. However, I am told 
that the version used in Beowulf is old and a newer version will fail to 
work w/o systemd. So, I guess let's see how far it makes it on Devuan. It 
may become totally useless, and then I'll file a bug upstream. You can 
see my bug report here:


https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1806544.html

In an email not on bug tracker for some reason:

"More recent cockpit versions have a much more complex unit with
cockpit.{socket,service} controlling the cockpit-tls component, and that in
turn launches per-client-certificate cockpit-ws instances (as a separate 
user)
through systemd socket activation.  So this init script does not apply 
at all

to current versions, and there is no reasonable way how to write one.

So in summary, there is no way of running cockpit in a non-systemd/Linux
environment that I'd be willing to support. For these I'd rather recommend
looking at webmin, ebox, or similar project."

Best regards,

Simon


Re: [DNG] Cockpit removal might make sense

2021-05-26 Thread Simon Walter

On 5/26/21 12:53 AM, Rowland penny via Dng wrote:
> Why would you want to remove something that works ?
>
> It just needs an init script.



I've been shown by Rowland that a lot of it does work without systemd 
and, yes, an init script is needed, which I've submitted upstream, 
thanks to Rowland.


Thanks everyone for your feedback.

Simon


Re: [DNG] Cockpit removal might make sense

2021-05-26 Thread Simon Walter

On 5/26/21 12:37 AM, Mark Hindley wrote:
> This is actually a Debian bug and should be fixed there.
>
> If cockpit requires systemd, it should declare that dependency.

AFAICT, it requires a systemd socket. It doesn't require any systemd 
packages (debs). Would that still be considered a dependency WRT 
packages?

> If the dependency were present, amprolla would exclude cockpit from the Devuan
> archives.
>
> So I suggest you submit a bug to Debian's BTS asking for the explicit systemd
> dependency to be added.


If it turns out to be the case, I will do so.

Thanks,

Simon


Re: [DNG] Cockpit removal might make sense

2021-05-26 Thread Simon Walter

On 5/26/21 1:25 AM, Rowland penny via Dng wrote:
> On 25/05/2021 17:09, Tomasz Torcz wrote:
>> ...
>>
>> Have you seen Cockpit working on Devuan system?
>
> Yes, I had it running on my old Samba AD DC's and I now have it running
> on a Devuan Unix domain member on my way to installing the Samba AD DC
> module.
>
> ...

I am really interested in how you were able to do this. I've installed 
it on a fresh Beowulf installation and would appreciate some 
guidance/hints in setting it up without a systemd socket.


Best regards,

Simon


[DNG] Cockpit removal might make sense

2021-05-24 Thread Simon Walter

Hi all,

I wanted to see if Cockpit would by some unknown magic run on Devuan. 
The reason I wanted to do this is because the packages are available in 
the default repos.


After installing it on a fresh Beowulf installation, it does not run 
and to my knowledge will never be able to w/o systemd sockets.


So, may I suggest that it is removed from the default repos, as it is 
misleading for beginners and may lead to unnecessary bug reports.


IIRC, the policy is not to remove anything related, but use stubs and 
let the user deal with half-broken software (ie. GNOME). Cockpit doesn't 
(currently) have dependencies on systemd and its modules, but it 
requires a systemd socket to function. So, AFAICT, it is not even 
partially usable.


Best regards,

Simon


Re: [DNG] network measurement

2021-05-10 Thread Simon Hobson
Ludovic Bellière  wrote:

> You could also explore alternatives to zoom, like the FOSS 
> [jitsi](https://jitsi.org/).

FWIW, of all the options I've used on my (rather old, 2005 model) Mac, Zoom has 
the lowest load. Jitsi is considerably higher, and I have to manually turn down 
the video to the lowest setting to get the CPU usage at anything but maxed out.



mett  wrote:

> When you are sure your LAN is OK,
> you can just ping with different size and options:
> 1/the pppoe concentrator of your provider,
> which is usually the first hop from your WAN address,
> 2/the next hop
> 3/the next-next hop
> and so on.

Matt's TraceRoute (mtr) is handy for troubleshooting. It's sort of a cross 
between ping and traceroute - continuously shows round trip times and packet 
loss to each hop down the route. When you are in a situation where you think 
you are losing packets, keep it running and watch the stats while you are doing 
things that stress the network - dropped packets tend to show up fairly quickly.


> That said, DSL is quite old technology,
> according to Wikipedia, the latest protocol
> allows 24Mbit/s upstream and 3.3Mbit/s downstream
> (those are just standards number, so with overhead
> you will certainly get way less).

That sounds like ADSL2, which is only one variant of DSL. DSL is definitely not 
old tech, it's pretty well the mainstay of all non-cable connections in the UK 
- whether it be ADSL2 (up to 24M down, earlier ADSL was up to 8M down), VDSL 
(or in marketing speak, "superfast" or FTTC) which in the UK does up to 80M 
down, or now they are trying to roll out gFast in some places which does some 
much higher speed but only over ridiculously short distances (literally from 
pole to house).


As to the original question ...

MTR is a useful tool for visualising data, either on its own with your own 
hand-rolled scripts, or with Cacti. You can pick up interface traffic stats 
from somewhere in /proc/net - or Cacti will (IIRC) automate that for you (but 
only does down to 5 minute resolution by default).
At my last place I put in place monitoring using some bash scripts and MTR - 
before that we had no idea what was using the bandwidth, only that the VoIP 
didn't work very well at busy times.
The next step was to put in place traffic shaping - which you can do yourself 
with the native tc tools (I suspect replaced with something in the netfilter 
tools now), or (as I did) use Shorewall to give a higher level of abstraction 
(along with routing and firewalling).


Simon

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
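Added example, not code from the thread or from any poster: the interface counters the post points at live in /proc/net/dev, and this Python module parses two samples of that table and turns the byte-counter deltas into per-interface throughput, the number a hand-rolled monitoring script would log or feed to a grapher. The interface name enp40s0 and all counter values in the embedded samples are constructed so the parser can be exercised offline; running the module directly samples the live table instead.

```python
"""Per-interface throughput from two samples of /proc/net/dev.

Added example, not code from the original thread. The interface name and
counter values in the samples are constructed so the parser can be exercised
offline; run the module directly to sample the live table instead.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

PROC_NET_DEV = "/proc/net/dev"


@dataclass(frozen=True)
class Counters:
    rx_bytes: int
    rx_packets: int
    rx_errs: int
    rx_drop: int
    tx_bytes: int
    tx_packets: int
    tx_errs: int
    tx_drop: int


def parse_net_dev(text: str) -> dict[str, Counters]:
    """Parse the /proc/net/dev table into {interface: Counters}.

    Two header lines, then one line per interface:
      name: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast
            tx_bytes tx_packets tx_errs tx_drop tx_fifo tx_colls tx_carrier tx_compressed
    The name can be glued to the colon, so split on ':' before splitting on whitespace.
    """
    result: dict[str, Counters] = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            raise ValueError(f"malformed counter line for {name.strip()!r}")
        f = [int(x) for x in fields[:16]]
        result[name.strip()] = Counters(
            rx_bytes=f[0], rx_packets=f[1], rx_errs=f[2], rx_drop=f[3],
            tx_bytes=f[8], tx_packets=f[9], tx_errs=f[10], tx_drop=f[11],
        )
    return result


def rates(before: dict[str, Counters], after: dict[str, Counters],
          seconds: float) -> dict[str, tuple[float, float]]:
    """{interface: (rx bytes/s, tx bytes/s)} for interfaces present in both samples.

    Counters are unsigned and can wrap or reset (32-bit counters on older
    kernels and some drivers); a negative delta is reported as 0 rather than
    as a huge spike.
    """
    out: dict[str, tuple[float, float]] = {}
    if seconds <= 0:
        return out
    for name, a in after.items():
        b = before.get(name)
        if b is None:
            continue                      # interface appeared between samples
        rx = max(a.rx_bytes - b.rx_bytes, 0) / seconds
        tx = max(a.tx_bytes - b.tx_bytes, 0) / seconds
        out[name] = (rx, tx)
    return out


def read_proc_net_dev(path: str = PROC_NET_DEV) -> dict[str, Counters]:
    """Read and parse the live table."""
    with open(path, encoding="ascii") as fh:
        return parse_net_dev(fh.read())


# Constructed samples (not real captures), taken 10 seconds apart.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
enp40s0: 1000000   10000    0    2    0     0          0       100  2000000    9000    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
enp40s0: 1500000   11000    0    5    0     0          0       120  2200000    9500    0    0    0     0       0          0
"""

if __name__ == "__main__":
    INTERVAL = 10
    t0 = read_proc_net_dev()
    time.sleep(INTERVAL)
    t1 = read_proc_net_dev()
    for ifname, (rx, tx) in sorted(rates(t0, t1, INTERVAL).items()):
        print(f"{ifname:>12}  rx {rx / 1000:9.1f} kB/s  tx {tx / 1000:9.1f} kB/s")
```

Looping this in cron or a shell loop and appending the two rates per interface to a file gives the one-minute (or finer) resolution the post says the default Cacti polling does not; the rx_drop and rx_errs fields are worth logging alongside, since a rising drop count during the busy period is the signature of a saturated link rather than a lossy ISP hop.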


Re: [DNG] FSF and human rights

2021-03-27 Thread Simon Hobson

> On 27 Mar 2021, at 03:55, John Morris  wrote:
> 
> On Fri, 2021-03-26 at 15:46 -0400, Steve Litt wrote:
>> 
>> I'd suggest nobody sign anything, and nobody respond to this email.
>> 
>> If you believe that Stallman was removed, shunned and criticized
>> because of guilt by association, then it's not much of a stretch to
>> believe that you will suffer the same fate if you defend him. And then
>> any who defends *you* will suffer the same fate, ad infinitum. 
> 
> This is exactly how a "climate of fear" works.  Anyone who has looked three
> seconds at the Cultural Revolution or any of the other descents into
> madness of the 20th Century knows exactly what is going on here.

Agreed.
The very first thing that went through my mind when I read SL's post was ...

https://en.wikipedia.org/wiki/First_they_came_...

> First they came for the socialists, and I did not speak out—
>  Because I was not a socialist.
> 
> Then they came for the trade unionists, and I did not speak out—
>  Because I was not a trade unionist.
> 
> ...


I met RMS when he did a speaking tour over here in the UK a while back. I can 
fully understand the comments people have made about him being the most 
infuriating person to deal with. But then, people with principles usually are 
in my opinion - the ones you need to watch out for are the ones who put "being 
liked" high on their list of priorities. With people who hold on to their 
principles, you know where you stand - even if you don't like them. With the 
latter type you don't know where you stand - but best not turn your back lest 
you (figuratively) get a knife in it.
I can say that for all his annoyances, his principles were clear - and held 
nothing whatsoever that I could imagine any **reasonable** person finding 
argument with.

As to Debian, well one thing that goes through my mind is how flipping 
hypocritical they are when the Debian project would almost certainly not even 
exist if it weren't for RMS and both his technical output and his principled 
stance.

Obviously individuals will need to consider their own situation. I will be 
signing in support of RMS. In the UK we still have (in spite of attempts by 
some to copy the worst ideas to come from the USA) a number of protections - so 
I have zero worries about losing my employment etc. And as I'm not on 
FaecesBorg I don't need to worry about that.

My 2d worth, Simon



Re: [DNG] Motel wifi: was web conferencing software

2021-03-13 Thread Simon Hobson
Rick Moen  wrote:

>> That latter point means that you go to https://myfavouritewebsite.com
>> and no you don't get the portal page - you get a certificate warning.
>> Given that most people these days will have https URLs cached in their
>> browser, you have to manually and explicitly try and connect to a site
>> (doesn't matter what, any random URL will do) over HTTP.
> 
> Counter-tactic:  If you're in a place (hotel, motel, conference centre)
> where you suspect there might be a captive portal, fire up first an
> _alternate_ Web browser (after temporarily disabling one's bespoke
> choice of DNS nameserver IP), and try to load something, to see if the
> captive portal page shows up.  After navigating any captive portal,
> switch to your production-use Web browser.
> 
> Equivalently (I think?), use a private-browsing tab for the first page
> load.

Indeed, a number of ways around the problem. I usually just open up a new 
window and navigate to (not literally) http://some_site_I'm_not_going_to_use 
so I don't poison the system DNS or browser page caches for any site I am 
planning to use.
Doesn't help for all the stuff that automatically tries to connect in the 
background and starts popping up certificate error messages while you are 
trying to get the problem fixed. The last thing anyone wants when there's a 
problem you are working on is more alerts telling you about the problem !

Mind you, not all captive portals work that way.
I've seen at least one that gives you genuine DNS results, but intercepts the 
port 80 traffic (and I assume block the rest). A "VPN over DNS" tunnel would 
probably be a workaround, but I've never been bothered enough by this one to 
make the effort worthwhile - the only time I recall seeing it was many years 
ago when I was abroad with work.

Simon


Re: [DNG] Jitsi-meet server in DMZ

2021-03-13 Thread Simon Hobson
g4sra  wrote:

>> It is as simple as needing to connect to the server at different IPs (i.e. 
>> the internal IP from inside, the external IP from outside), but using the 
>> same URL ? 
> 
> In a nutshell, yes.

OK, then I'd use split horizon DNS - problem solved (but noting the comment 
made about Android).
As also noted, SIP is one of the things that is well and truly screwed up by 
NAT - not that you'll find many NAT apologists admitting that. And in my 
experience, SIP ALGs (Application Level Gateways) can screw things up more than 
they fix.

>> If so, then split horizon DNS is your friend - and I'm assuming that's 
>> what you are referring to when you say using BINDs response policy.
> No.
> 
> BIND's 'response policy' is a, um, policy similar to a normal zone BUT 
> anything in this zone can mask a real resolve from occurring.

I hadn't seen that one, it's newer than when I last setup a BIND server.


>> Some will tell you that it's wrong - but as long as we have NAT then it's a 
>> decent and reliable workaround for the breakage that NAT causes.
> The reason it is wrong is...your internal DNS server is exposed to a 
> higher hacking threat than if you had two separate servers, with the one in 
> the DMZ serving external queries and the internal one on the local lan behind 
> a secondary firewall.

It can be done with two different servers, and that's (sort of) actually how I 
have it. My own server is not internet accessible other than from secondary 
servers at a hosting company which publicly host my external zone for me.

But the reason I was told, with "absolute certainty", by a supposedly 
professional consultant is that firstly I should not have different servers 
with the same name - e.g. internal and external web server for the same domain. 
But mostly, I should not be running my own DNS because only our ISP could keep 
our zone up to date !
In hindsight, with a little effort and guided learning I could have been a 
consultant with that sort of job - except that I never had, and never had the 
desire to have, the gift of "bulls**tting my way through anything".

Simon


Re: [DNG] Jitsi-meet server in DMZ

2021-03-12 Thread Simon Hobson
g4sra via Dng  wrote:

>>> The meeting being hosted on the server needs to be simultaneously
>>> accessible as two different domains, internal.com and external.com.
>>> Anyone achieved this yet or know a better way ?

> Decided to use the external FQDN and implement BIND's 'response-policy' lying 
> to the internal domain.
> If anyone can think of a good reason why this is a bad idea please shout.

Can you clarify what the issue is ?
It is as simple as needing to connect to the server at different IPs (i.e. the 
internal IP from inside, the external IP from outside), but using the same URL 
? If so, then split horizon DNS is your friend - and I'm assuming that's what 
you are referring to when you say using BINDs response policy.

I run split horizon DNS at home. I have an internal zone for thehobsons.co.uk 
which has internal addresses for my devices, and an external zone for it which 
lists only the public IPs. Two views (in BIND terminology), with rules applied 
to determine which view is used for which clients.
Some will tell you that it's wrong - but as long as we have NAT then it's a 
decent and reliable workaround for the breakage that NAT causes.

Simon

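Added example, not the poster's configuration: a minimal BIND named.conf showing the two-view split-horizon layout described in the two Jitsi messages above. The zone example.net, the LAN range 192.168.1.0/24, the public address 203.0.113.10 and the hosted secondary 198.51.100.53 are all assumed for illustration (documentation ranges, not real hosts).

```conf
// Added example (not the poster's configuration): split-horizon DNS with two
// BIND views for an invented zone, example.net. Assumed addresses: the LAN is
// 192.168.1.0/24, the public address is 203.0.113.10 and 198.51.100.53 is a
// hosted secondary that serves the external zone to the world.

acl "lan" { 127.0.0.0/8; ::1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";
    listen-on { any; };
    allow-transfer { none; };       // transfers only where a zone below says so
    recursion no;                   // default; the internal view re-enables it
};

// Once any view is declared, every zone must live inside a view.
// Views are matched in order, so the internal one must come first.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                  // LAN hosts use this as their resolver
    allow-recursion { "lan"; };
    zone "example.net" {
        type master;
        // this file carries e.g.  meet.example.net. IN A 192.168.1.20
        file "/etc/bind/zones/db.example.net.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // never an open resolver for the Internet
    zone "example.net" {
        type master;
        // this file carries e.g.  meet.example.net. IN A 203.0.113.10
        file "/etc/bind/zones/db.example.net.external";
        allow-transfer { 198.51.100.53; };
        also-notify { 198.51.100.53; };
    };
};
```

Two points a practitioner should check after `named-checkconf`. First, the external view must stay non-recursive and transfer only to the listed secondaries; in the arrangement the poster describes (server not reachable from the Internet except by the hosting company's secondaries) the external view effectively exists only to feed those transfers. Second, the views select on the client's source address, so any LAN device that sends its queries elsewhere (a phone using DNS over HTTPS or DNS over TLS to a public resolver, or a host with a hard-coded external nameserver) lands in the public data and gets the external address; that is one reason a split-horizon setup can appear to "work for some devices but not others".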


Re: [DNG] Motel wifi: was web conferencing software

2021-03-12 Thread Simon Hobson

> On 8 Mar 2021, at 14:08, Steve Litt  wrote:
> 
> Rick Moen said:
> 
>> The above is a vexing problem for travelers w/laptops who prefer to
>> specify their own choice of nameserver and still use hotel/motel WiFi
>> (and wired ethernet, actually).  Best case, you have to disable your
>> nameserver IP override long enough to navigate the captive portal, and
>> then can put the override back.  But, no, you cannot just leave your
>> choice of nameserver IPs in place (without disappointment).
> 
> This is good information. I've sometimes wondered why I couldn't log in
> at the library or Macdonalds.

And the other thing they screw up is that by redirecting you, nothing presents 
the right certificate ! I hate using such public connections because it's so 
much hassle remembering to put every bit of software into offline mode first - 
if you don't then I get a flurry of certificate warnings and it can mean 
quitting and re-opening software for it to pick up the now correct IP address. 
But if it's a choice between that or nothing then ...

The process is simple enough. When you are not an authorised user, the captive 
system responds to every DNS request with the IP of its captive portal. For 
HTTP requests that's simple enough - you get their portal page instead of what 
you were asking for. Once you've signed in (and possibly had to pay for it !), 
then you get the right IP addresses returned.
But of course, your system has cached the wrong address and may or may not 
flush it in a timely manner. Your browser has cached the portal page instead of 
the real page (assuming it was an HTTP request). And everything using secure 
connections, gives you certificate errors.
That latter point means that you go to https://myfavouritewebsite.com and no 
you don't get the portal page - you get a certificate warning. Given that most 
people these days will have https URLs cached in their browser, you have to 
manually and explicitly try and connect to a site (doesn't matter what, any 
random URL will do) over HTTP.

Simon

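Added example, not code from the thread: a Python connectivity check that applies the two observations in the captive-portal messages above, that an unauthenticated client's DNS queries all come back with the portal's address and that a plain-HTTP request gets the login page instead of the real content. `dns_collapse` flags resolver answers where unrelated names all map to one address set, `classify_probe` compares a plain-HTTP response against what a probe URL is known to return, and `judge` combines them. The probe URL, its expected body and the hostnames under example.invalid are placeholders for a host you control; the responses in the test are constructed, and the live helpers at the bottom are what you would run on the hotel network.

```python
"""Captive-portal check built on the two effects described in the post.

Added example, not code from the original thread. Probe URL, expected body
and the example.invalid hostnames are placeholders, not real services.
"""
from __future__ import annotations

import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field

PROBE_URL = "http://probe.example.invalid/connectivity"   # placeholder: a host you control
PROBE_EXPECTED_BODY = b"ok\n"                              # placeholder: its known plain-HTTP body
PROBE_NAMES = ("a.example.invalid", "b.example.invalid", "c.example.invalid")  # unrelated names

Probe = tuple[int, dict[str, str], bytes]   # (status, lower-cased headers, body)


@dataclass
class Verdict:
    captive: bool
    reasons: list[str] = field(default_factory=list)


def dns_collapse(answers: dict[str, set[str]]) -> bool:
    """True when several unrelated names all resolved to exactly the same addresses.

    A captive resolver answers every query with the portal's IP, so names that
    have nothing in common collapse onto one address set. Names that failed to
    resolve are ignored; at least two successful answers are needed to judge.
    """
    sets = [frozenset(a) for a in answers.values() if a]
    return len(sets) >= 2 and len(set(sets)) == 1


def classify_probe(status: int, headers: dict[str, str], body: bytes,
                   expected_body: bytes = PROBE_EXPECTED_BODY) -> list[str]:
    """Reasons the plain-HTTP probe looks intercepted; an empty list means it looks clean."""
    reasons: list[str] = []
    if status in (301, 302, 303, 307, 308):
        # Portals usually bounce the first HTTP request to their login page.
        reasons.append(f"redirected to {headers.get('location') or 'unknown location'}")
    elif status == 511:
        # RFC 6585 Network Authentication Required: the standard way to signal a portal.
        reasons.append("HTTP 511 network authentication required")
    elif status != 200:
        reasons.append(f"unexpected status {status}")
    elif body != expected_body:
        # 200 with the wrong content: the portal served its page in place of ours.
        reasons.append("body differs from expected probe content")
    return reasons


def judge(answers: dict[str, set[str]], probe: Probe) -> Verdict:
    """Combine the DNS and HTTP observations into one verdict."""
    reasons: list[str] = []
    if dns_collapse(answers):
        reasons.append("unrelated names all resolve to the same address")
    reasons.extend(classify_probe(*probe))
    return Verdict(captive=bool(reasons), reasons=reasons)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_all(names=PROBE_NAMES) -> dict[str, set[str]]:
    """Live lookups through the system resolver (the one the portal controls)."""
    out: dict[str, set[str]] = {}
    for name in names:
        try:
            out[name] = {ai[4][0] for ai in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)}
        except socket.gaierror:
            out[name] = set()
    return out


def http_probe(url: str = PROBE_URL, timeout: float = 5.0) -> Probe:
    """Live plain-HTTP probe; deliberately not HTTPS, which would only yield a certificate error."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


if __name__ == "__main__":
    verdict = judge(resolve_all(), http_probe())
    print("captive portal suspected" if verdict.captive else "network looks clean")
    for r in verdict.reasons:
        print(" -", r)
```

Run it before opening anything that matters, with the system resolver in place (as the thread notes, a manually configured nameserver never sees the portal's lies and so never gets the redirect). Once the portal has been satisfied, the poisoned answers are still in local caches; rerunning the check until `dns_collapse` returns False is a cheap way to know when it is safe to let the other software back online.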


Re: [DNG] OT"? Wanted a simple 2d plan drafting/sketching/plotting program

2021-03-12 Thread Simon Hobson
terryc  wrote:

> I need to sketch a plan of a land plot for an erection by a
> contractor. the 'erection' can be described as three to five rectangles
> with ramps between them. Ancillary data to be plotted/drawn is building
> sides, pathway and drive way. placement of shrubbery is optional. I'm
> really after a vector based program.
...
> I come from the world of drafting where first you define your scale,
> then draw up your plan to scale. the problem there is I've spent the
> last three days intermittently looking at eight CAD/sketching programs.
> 
> Bummer, as nothing 'sets a scale' any more. Apparently the 'modern'
> approach is to describe it in 'elements' of real world dimensions and
> then scale the result.

It might be worth having a look at http://www.sweethome3d.com/

It's not really designed for 2D work - but it can do a 2D plan view of any 
floor. It's not too hard to get going with, but it is geared up for building 
houses etc. You'd define your different levels by creating them as blocks 
placed on ground level - with their height as whatever you want the elevation 
of that surface to be. And I'm afraid (unless they've enhanced that since I 
last did anything with it, or I've missed something important) your ramps will 
need to be a series of steps as the only things that support sloping tops are 
roofs.

What is fun is setting your illumination and then going around (and inside) 
with your viewpoint :D


I think I understand what you are saying about scaling. But really, "setting a 
scale" was one of those things that was done simply because before things went 
all computerised, it wasn't possible to work how things do it today. BTW - I 
trust you've never worked with "scales" then, like a ruler, but marked in 
scaled units to save having to calculate a scaled length of each measurement ? 
Working with a scale would be exactly like the modern computer method of 
working in real world units and scaling the output to (e.g.) fit the drawing on 
one sheet of paper. The other advantage of working with real units and then 
scaling the output is that you don't have to pre-define your output drawing 
size before you start work - so can easily do A4 at home, or get someone to run 
it off on their A0 plotter if you need a big detailed drawing.

Ask yourself, do you think "that  is 4 inches long on the drawing 
which equates to 16 feet", or do you think "that  is 16 feet long" 
(because you've taken that directly from the printed scale) ? Of course, you 
should always be reading the numbers that are printed against dimension lines - 
obeying the "do not scale" instruction on most drawings.

Simon



Re: [DNG] Opennic

2021-03-11 Thread Simon Hobson
Gabe Stanton via Dng  wrote:

> You're right that I didn't address the fact that queries to root
> servers don't all go to one server. My understanding of that wasn't
> firm when I was writing so I said 'upstream server'. But that would be
> a small hurdle to overcome if everyone started protecting their dns
> queries by running a caching resolver, because of the financial
> incentive for doing so. The collusion it would take to exploit all
> exploitable data would be minimal.

I beg to differ. It would need a great deal of collusion (at least for the root 
servers), involving a variety of entities from around the world - and it only 
takes one of them to blow the whistle. If anyone tried it, it would kick up 
quite a storm. At the very least, it is not something that could be done 
without anyone realising.


> Those are great arguments for running a caching resolver, and of
> course that's a good thing, but there are a couple cases I outlined
> that potentially offer better privacy. 
> 1. Running your own recursive server where your dns requests are pooled
> with others. 
> 2. Pointing at a single resolver that doesn't keep logs and where your
> dns requests are pooled. Of course you never know what logs are being
> kept for sure, but if operators are honest and don't keep logs, and if
> they run doh, dot, or dnscrypt, then you have potentially better
> privacy because of no logs and pooled requests.

It occurred to me (after writing my previous message) that one option open to 
you is to get together with a few friends and share a resolver that's under 
your own control. You could turn off query logging and then know that there's 
no logs for anyone to look at. The difficult bit is getting enough people 
together who all trust each other such that you can pool enough queries as to 
make any data collected by others into useless noise.


But also as mentioned earlier, none of this deals with the eavesdropper 
problem. Your ISP can look at all your DNS queries just by filtering out all 
port 53 traffic and copying it to their logging servers. I suspect in some 
jurisdictions that's done because "the authorities say so", and I'm sure that 
some will be doing it because the law doesn't stop them and it's something they 
can monetise. As Rick Moen says, the only defence against that is to deal with 
an ISP that isn't run by sleaze balls.

And that problem was behind the development of DoH - which simply replaces one 
problem of trust with a different problem of trust !

Simon


Re: [DNG] Opennic

2021-03-11 Thread Simon Hobson
Gabe Stanton via Dng  wrote:

> Of course using a local (or controlled by you) caching dns resolver
> ENHANCES privacy. That's not even a question and doesn't represent a
> real argument against the likelihood that, in the case of everyone
> running their own caching resolver, that second level nameservers would
> end up being a very good source of info to match dns requests to ip
> addresses, to be exploited just as any other big dns provider is likely
> to do. 

I think you missed that if you use an external service for resolution, then 
**ALL** your queries go via one point - so there's a single point someone can 
slurp that information from. Obviously, the inclination to slurp that data and 
use it in ways we aren't happy with will vary between providers.

Once you run your own local resolver then important things happen.


The queries are now not concentrated at one point.

Yes, you are correct that if you visit (e.g.) www.amazon.com, then your local 
resolver will go to the .com tld servers to find the NS records for amazon.com 
- but it will only do that once every 2 days and so the .com tld servers will 
only see ONE query every two days regardless of how often you visit anything in 
the amazon.com domain. The fact that the frequency information is vastly 
diluted significantly reduces the value of that information.
Also, the .com tld servers will have ZERO visibility of you visiting 
www.amazon.ch (or in my case, amazon.co.uk) because no query for that will go 
near them.
Similarly, once your resolver has the amazon. ns records cached, 
nothing other than those nameservers will see whether you switch from (say) 
www.amazon.whatever to smile.amazon.whatever.

So to gather even a fraction of what you can get from clients using one source 
for a resolver, someone would need to get information from multiple different 
sources - run by different entities. Once anyone tried that, then it's a lot 
harder for them to hide what they are doing - if some commercial entity were to 
go round asking various tld server operators for data, then it's highly likely 
that at least one of them would go public with this information.

Because different domains use different servers, without getting data from many 
sources, no-one can correlate your DNS lookups to work out your path around the 
internet. They may be able to get snippets of it, but not the detail they'd get 
by seeing all your queries and being able to time correlate them.


As already mentioned, what information you do leak is limited in volume.
Once your resolver has cached information, it will not go upstream to request 
it again until its TTL expires. So regardless of how frequently you go 
somewhere, upstream will only see a small volume of that.


I've never looked into it, but I suspect that at least some packages might 
offer a config option to not send the full query string upstream.
The default is that if you lookup (say) www.amazon.com and nothing is currently 
cached, then I know that BIND will send that query string to the root servers - 
which will reply with the NS records for the .com zone. BIND will then send 
the full name to the .com servers which will respond with the NS records for 
amazon.com domain. In principle (though there are some complications that would 
need to be worked around), it would be possible to only ask the root servers 
for the NS records for .com, and then only ask the .com servers for the NS 
records for amazon.com - which would significantly mask your activity.
As I say, there are some complications, and I don't know if any package 
actually offers that ability.


Simon
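Added example, not code from the thread: a Python simulation of the delegation walk the message above describes. Constructed zone data stands in for the root, the .com TLD and an amazon.com authority (the names are used because the post uses them; the addresses and server labels are invented). `Resolver` walks the tree with a cold cache, records which server saw which query, keeps the delegations it learns so a second lookup under the same domain never touches the root or TLD servers, and can run either with the full name sent at every step or with QNAME minimisation (RFC 7816), which is the behaviour the last paragraph speculates about and which BIND (the `qname-minimization` option) and Unbound (`qname-minimisation`) do implement. TTL expiry is not modelled.

```python
"""Who sees what when a caching resolver walks the delegation chain.

Added example, not code from the original thread. The zone data below is
constructed; no network traffic is sent. TTL expiry is not modelled: once a
delegation is learned it stays cached for the life of the Resolver object.
"""
from __future__ import annotations

# Constructed delegation tree: zone apex -> the server answering for it, the
# child zones it delegates, and (at the leaf) the address records it holds.
ZONES: dict[str, dict] = {
    ".":           {"server": "root",      "children": {"com."}},
    "com.":        {"server": "tld-com",   "children": {"amazon.com.", "example.com."}},
    "amazon.com.": {"server": "ns-amazon", "children": set(),
                    "records": {"www.amazon.com.": "192.0.2.10",
                                "smile.amazon.com.": "192.0.2.11"}},
}


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _labels(name: str) -> list[str]:
    return [lbl for lbl in name.split(".") if lbl]


def _suffix(name: str, n: int) -> str:
    """The name made of the last n labels of `name` (the root for n == 0)."""
    ls = _labels(name)
    n = min(n, len(ls))
    return ".".join(ls[len(ls) - n:]) + "." if n else "."


def _in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


class Resolver:
    """Iterative resolver with a delegation cache, optionally QNAME-minimising."""

    def __init__(self, minimise: bool = False) -> None:
        self.minimise = minimise
        self.known: set[str] = {"."}            # zones whose servers we know (root hints to start)
        self.seen: list[tuple[str, str]] = []   # every (server, query) sent upstream, ever

    def _start_zone(self, qname: str) -> str:
        """Deepest cached zone containing qname; the walk begins there, not at the root."""
        return max((z for z in self.known if _in_zone(qname, z)),
                   key=lambda z: len(_labels(z)))

    def resolve(self, name: str) -> tuple[str | None, list[tuple[str, str]]]:
        """Return (address or None, [(server, query) sent during this lookup])."""
        qname = _fqdn(name)
        sent: list[tuple[str, str]] = []
        zone = self._start_zone(qname)
        while True:
            server = ZONES[zone]["server"]
            # Full-QNAME behaviour sends the whole name to every server on the way down.
            # Minimisation asks each server only for the next label below its zone.
            query = _suffix(qname, len(_labels(zone)) + 1) if self.minimise else qname
            sent.append((server, query))
            child = next((c for c in ZONES[zone]["children"] if _in_zone(qname, c)), None)
            if child is None:
                # No further delegation: this server is authoritative for the name.
                if query != qname:
                    sent.append((server, qname))   # minimised walk now asks the real question
                self.seen.extend(sent)
                return ZONES[zone].get("records", {}).get(qname), sent
            self.known.add(child)   # cache the delegation (NS records) for later lookups
            zone = child


if __name__ == "__main__":
    for minimise in (False, True):
        r = Resolver(minimise=minimise)
        for n in ("www.amazon.com", "smile.amazon.com"):
            addr, sent = r.resolve(n)
            print(f"{'minimised' if minimise else 'full name':10} {n:18} -> {addr}  {sent}")
```

Running it shows the two effects the post argues for side by side: with a warm cache the second lookup (smile.amazon.com) is answered with a single query to the amazon.com servers, and the root and TLD operators learn nothing about it; with minimisation on, the root only ever sees "com." and the .com servers only "amazon.com.", so even the first, cold lookup leaks the full hostname to no one but the zone's own authority.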


Re: [DNG] What does this remind you of?

2021-03-10 Thread Simon Hobson
Dr. Nikolaus Klepp  wrote:

>> I doubt this could be ever implemented correctly as you have to check
>> every code path of every app you will armorize or as soon as your usage
>> diverges from what the distro gurus have envisioned your program
>> will stop working without even a warning.
>> Next then we will need a uber-apparmor that checks apparmor safety
>> and anyway more code more bugs less security. Why not fix the existing
>> programs instead?
> 
> The point is to delegate access control to a higher instance e.g. kernel. The 
> problem is, that apparmor looks at a program from the the outside and tries 
> to do the right thing with that black box - or what the profiles provider 
> thought was the right thing.
> 
> OpenBSD has quite an interesting approach with unveil ( 
> https://man.openbsd.org/unveil.2 ) and pledge ( 
> https://man.openbsd.org/pledge ). The programmer itself takes care what the 
> program will use and tells the system that what e.g. access privileges it 
> does not want to use from now on. That's the look at the world from the 
> inside, no black box involved. If you dropped things, you can never get them 
> back, so evil hackers code is confined inside the same cage.

As I see it, both approaches have merit.
The downside of doing it inside the application is that you are then trusting 
the programmer to have got the protection code correct - when we are assuming 
the function of the protection code is to protect from the programmer's errors. 
Yes, dropping privileges is a good idea - as long as it's done reliably.
The alternative of looking from the outside at a black box is that the person 
doing the looking was not the one building the black box. Thus while you lose 
the granularity possible when doing it from inside the box, you have created a 
separation of functions.

I don't think either approach is "right" or "wrong" - but doing both would 
probably be best.

Simon



Re: [DNG] My Qemu LAN-peer documentation is now in its first draft

2021-03-10 Thread Simon Hobson
Steve Litt  wrote:

> The vast majority of documents I've read tell me that once you make the
> bridge, the hardware NIC must be robbed of its IP addresses. So that's
> what I did.

That is the correct way to do it - though from memory it does seem to still 
work for host-LAN communications if you use an IP address on the physical NIC. 
By putting IP address(es) on the bridge, it's functionally identical to having 
a host virtual NIC which connects to that bridge and hence via another NIC to 
the LAN. To a certain extent I think the relationship between a host physical 
NIC and a virtual bridge it's connected to can be a bit schizophrenic as I 
notice that my bridge has the same MAC address as the physical NIC it's 
connected to - possibly it just gets the MAC address of the first NIC to be 
connected to it though I've never tested that.


There is one thing I'm unclear about in your document, and that's the object 
you refer to as mybridge0.

My experience is with Xen, which is configured almost identically to how you 
show it, and I believe uses QEMU for some functions. What you call mybridge0 
and describe as a bridge, in the Xen world is (by default) called vifn.m‡ and 
is a virtual NIC. I'm suspecting that what you call mybridge0 is in fact a 
virtual NIC which connects to the bridge br0.
Thus what you have is the bridge (analogous to a network switch), with a 
virtual NIC (mybridge0) connected to it - then there's a virtual point-point 
network link between that and eth0 in the guest.

I'm guessing that "brctl show" will probably show something like this :
bridge name     bridge id               STP enabled     interfaces
br0             8000.2cf05d7a5c1d       no              enp40s0
                                                        mybridge0

‡ Where n is the id (number) of the guest, and m is the interface number 
starting with 0 for the first and incrementing if multiple VIFs are created. I 
forget how many I've got to with one guest, I don't think it was double digits 
although it must have been close !
I don't actually use the vifm.n format - I prefer to manually specify 
"meaningful" names (specified in the network section for creating a Xen guest) 
that make it easier to see what's connected to what.

If you do see that, then it would avoid a lot of confusion to do a global find 
& replace to rename mybridge0 to something more like a NIC.

https://wiki.xenproject.org/wiki/Xen_Networking#Paravirtualised_Network_Devices 
may help

Oh yes, and use a different name for each guest - having two guests configured 
to use the same name for the host end of their virtual link produces 
"interesting" results.



Lastly, there is a definite point of correction to be made.
A bridge/switch is **NOT** "kinda-sorta like a network router in that it 
connects two distinct IP address ranges into one network", and nor is it a hub 
(though it does behave at the most basic level in the same way). A switch is IP 
address, and even protocol, agnostic - unless you apply filtering (e.g. 
ebtables on Linux) then it simply forwards packets without caring what is in 
them. In this respect, it is mostly definitely in no way "kinda-sorta like a 
network router" !
The difference between a bridge/switch and a hub is that a switch is clever 
about which ports it sends traffic out on. It keeps track of what MAC addresses 
are connected to each port, and will only send a packet out of the appropriate 
port. Thus point-point traffic does not appear on other links - which means 
that (e.g.) A can talk at full wire speed to B, while C can talk to D at full 
wire speed assuming that A-D are connected to different switch ports.
A hub is "dumb" - every packet it receives is simply repeated out of every 
other port with no buffering or delay. Thus every node in the network sees all 
traffic, and the entire network is one flat collision domain. With a switch, it 
will queue packets destined for a port that is already carrying a packet - and 
thus splits the collision domain up.
https://en.wikipedia.org/wiki/Network_switch

On Linux, you can see the MAC forwarding table (for bridge br0) with "brctl 
showmacs br0" which should produce output like :
port no mac addr                is local?       ageing timer
  1     00:16:3e:xx:xx:xx       no                24.96
  4     00:16:3e:xx:xx:xx       no                 0.13
  1     00:1e:0b:xx:xx:xx       yes                0.00
...
00:16:3e is the OUI prefix used by Xen - so those first two lines are virtual 
machines


Simon

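Added example, not code from the thread: a Python model of the forwarding behaviour the message above describes. `Hub` repeats a frame out of every other port; `LearningSwitch` records the source MAC and ingress port of each frame (the table `brctl showmacs` prints, complete with an ageing timer), forwards a known unicast destination to one port only, and floods unknown or broadcast destinations. Port numbers and MAC addresses are invented. One practical caveat the model makes visible: learning is by source address with no authentication, so a host that sends a frame carrying another host's MAC moves that entry to its own port and receives the victim's traffic until the victim transmits again.

```python
"""Hub versus learning switch: where does a frame go?

Added example, not code from the original thread. Port numbers and MAC
addresses are invented. A frame is reduced to (ingress port, src MAC, dst MAC).
"""
from __future__ import annotations

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port: one flat collision domain."""

    def __init__(self, ports) -> None:
        self.ports = set(ports)

    def forward(self, in_port: int, src: str, dst: str, now: float = 0.0) -> list[int]:
        return sorted(self.ports - {in_port})


class LearningSwitch:
    """Tracks the port each MAC was last seen on and forwards unicast only there.

    The table is the one `brctl showmacs` prints: MAC, port and an ageing
    timer; once an entry ages out, the next frame to that MAC is flooded again.
    """

    def __init__(self, ports, ageing: float = 300.0) -> None:
        self.ports = set(ports)
        self.ageing = ageing
        self.fdb: dict[str, tuple[int, float]] = {}   # mac -> (port, last seen)

    def _expire(self, now: float) -> None:
        self.fdb = {m: (p, t) for m, (p, t) in self.fdb.items() if now - t < self.ageing}

    def forward(self, in_port: int, src: str, dst: str, now: float = 0.0) -> list[int]:
        self._expire(now)
        # Learn: the source is reachable via the ingress port. This is pure
        # observation; a frame forged with another host's source MAC re-points
        # that host's entry at the forger's port.
        self.fdb[src] = (in_port, now)
        if dst == BROADCAST or dst not in self.fdb:
            return sorted(self.ports - {in_port})        # flood: unknown or broadcast
        port, _ = self.fdb[dst]
        return [] if port == in_port else [port]         # known unicast: one port only

    def table(self, now: float) -> list[tuple[int, str, float]]:
        """(port, mac, age in seconds) rows, like `brctl showmacs`, sorted by port."""
        return sorted((p, m, now - t) for m, (p, t) in self.fdb.items())


if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b = "00:16:3e:00:00:01", "00:16:3e:00:00:02"
    print("A -> B, B unknown, flooded to", sw.forward(1, a, b, now=0))
    print("B -> A, A learned, sent to   ", sw.forward(2, b, a, now=1))
    print("A -> B, B learned, sent to   ", sw.forward(1, a, b, now=2))
    for row in sw.table(now=2):
        print("  port %d  %s  age %.2f" % row)
```

The `table()` output corresponds to the `brctl showmacs` listing above (`bridge fdb show` on current systems gives the same data). In a VM host this is the mechanism by which a guest that spoofs another guest's MAC on the same bridge can divert its traffic, which is why per-port MAC filtering (ebtables, or libvirt's nwfilter) is worth enabling when guests are not all equally trusted.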


Re: [DNG] Stable identifiers (Was: My Qemu LAN-peer documentation is now in its first draft)

2021-03-06 Thread Simon Hobson
tito via Dng  wrote:

> I wonder why instead of predictable names they didn't choose
> prefix+mac_address at least for initial setup of names and leave it
> to user to name the interfaces they way he likes. This would have
> guaranteed (almost) unique persistent names and by using standard
> prefixes would have identified easily the class of network device.

As suggested already, this is Freedesktop.org - so logic and simplicity are not 
allowed. Far better to force admins to keep changing a myriad of configs 
whenever IF names change and break things than to allow a sensible and reliable 
mechanism to have things stable. It's a variation of Apple's "you're holding it 
wrong" attitude to user expectations.


FWIW, there's a different but related issue with DHCP.
With DHCP for IPv4, an identifier included in packets is the MAC address - more 
technically, Client Interface Address as non-ethernet interfaces are also 
supported (e.g. token ring). And many workflows rely on this as a stable client 
identifier - even though it can change.
For whatever reasons that may have made sense at the time, with DHCP for IPv6 
this was explicitly not done "because MAC addresses can change". Instead, a 
DUID (DHCP Unique Identifier) was created to be the sole identifier for a node 
- note node, not interface, the DUID would be the same for all interfaces on a 
node. Result ? The DUID changes a lot more than the MAC address ever did ! 
Absent any standardised way of storing it in the machine on typical hardware, 
any re-install or change of environment can change the DUID unless the admin 
takes steps to preserve it.

And I've had a problem with this. Built a new VM, found it kept changing 
address on every boot and my reserved lease for it was ignored. I find that for 
some reason I can't figure, when it starts up it doesn't have a DUID and so 
creates a new one - so to the server it's a different node and gets a new 
address. By the time the system mounts the real /var from disk (where the 
stable DUID is stored), the network is already configured - a manual 
ifdown-ifup cycle will get it its correct address. I think the client leases 
file (which contains the client DUID) should be included in the initram image 
but doesn't get used. Interestingly, I tried adding some debugging to the 
network scripts - and the timing changes they produced changed this behaviour !

Simon


Re: [DNG] My Qemu LAN-peer documentation is now in its first draft

2021-03-05 Thread Simon Hobson
Florian Zieboll via Dng  wrote:

> For the sake of completeness and y'all's convenience, here a link to the
> related info in the Debianwiki:
> 
> https://wiki.debian.org/NetworkInterfaceNames

Did anyone else read that and think it could be summarised along the lines of :
"We thought X was badly broken, so we developed Y which will require you to 
reconfigure lots of stuff - but even we have to admit that Y is actually more 
broken and here's the complicated ways to get sane behaviour"

Simon



Re: [DNG] GNUPGP Web of trust

2021-02-26 Thread Simon Hobson
Gabe Stanton via Dng  wrote:

> Is it as simple as inviting anyone that wants to, to send their public
> key to this list? I'm not experienced in web of trust common/accepted
> practices but have been interested for some time.

No, it's not that simple !

Try this for starters : https://en.wikipedia.org/wiki/Web_of_trust

Simon



Re: [DNG] Very offtopic: 70's music

2021-02-15 Thread Simon Hobson
Stephane Ascoet via Dng  wrote:

>> Of course, the 80's were better, and the 90's were even better than
>> that, but the 70's were no slouch when it comes to music. If you skip
>> disco.
> 

> Hi, it's a joke? 70s are considered by lot of people to be the best decade in 
> music, just some examples: Crosby Stills Nash and Young(and every various 
> related combination of these four guys), Fleetwood Mac, Eagles, Genesis, Pink 
> Floyd, Elton John, James Taylor,  Jackson Browne, David Bowie, Eric Clapton, 
> Led Zeppelin, former Beatles in solo, Dire Straits and Michael Jackson 
> debuts...

I think it's a case of two things :

1) Everyone has different tastes - what someone might think of as rubbish is 
someone else's favourite.

2) All periods had some good music, and all periods also had some ... lets just 
say not so good music. Where "good" depends on preference - see 1 above. If you 
mostly didn't like the music that characterises a period, then you will tend to 
remember the stuff you didn't like - and hence "all music from ${period} is 
rubbish". Similarly, there's a tendency to forget the best forgotten stuff from 
a period you otherwise liked - and hence "all music from ${period} was great", 
as long as you forget the stuff you couldn't stand ;-)

And added to that, people's preferences change. I now listen to stuff I would 
never have dreamed of listening to a couple of decades ago - but find myself 
thinking that "hmm, actually I quite like that now". It can also work the other 
way round, but I can't immediately think of any in my case.


In my department at work, the fortnightly newsletter has a Desert Island Discs 
section where someone from the department picks 8 tracks, gives a little bit 
about themselves, and a little bit about why they chose each track. I was on a 
few months ago - and boy, was it hard picking those 8 tracks.
But, it's interesting to look at people's selections, and often I'll be 
thinking "yes, I like that" and "hmm, I'll give that a go - not thought of 
listening to that before". It has slightly broadened my taste in music - which 
was already rather wide and eclectic to start with. After this morning's list, 
Eminem is still not on my list of stuff to listen to though !


Getting slightly on-topic for this list, there's parallels with taste in 
software. Clearly most people on this list are a self selected group who put 
freedom (of init) above other considerations. There are others who put "ease of 
use" first. Some who put absolute "free and open" above all else. Some who are 
more pragmatic and accept that sometimes non-free or non-open is acceptable 
when it comes to getting work done.
There isn't a right or wrong - just a "best for your preferences" compromise.

Sorry, couldn't resist this quote : https://www.youtube.com/watch?v=jVygqjyS4CA

Simon


Re: [DNG] Need install Devuan Beowolf but got "initramfs" prompt

2021-02-02 Thread Simon Walter
I wish that the first three emails had their replies intact and were in
the reply after quote style. Then I would print it out and frame it.


[DNG] librewolf

2021-01-25 Thread Simon Walter
Hi all,

I noticed several discussions about browsers. Has anyone used librewolf?
It's not a debian package. There is an appimage though.

I'm not sure this is the official home page:
https://librewolf.readthedocs.io/en/latest/

Best regards,

Simon


Re: [DNG] Why X does keyboard and mouse.

2021-01-01 Thread Simon Hobson
Hendrik Boom  wrote:

>>>> It didn't have to be this way. In 2020, better alternatives could
>>>> have been made. If I were the project manager, the first thing I'd
>>>> do is uncouple keyboard, mouse and video from each other. Why X has
>>>> anything to do with keyboard or mouse is beyond me.  
>>> 
>>> Perhaps because X was originally a means of having a graphical user
>>> interface to multiple machines over a network.  Which usualy involves
>>> a screen, keyboard, and mouse.
>>> 
>>> Each X window could be talking to a different computer.  It mattered
>>> which computer your keystrokes went to.
>> 
>> Yes, but that doesn't preclude three or more separate pieces of
>> software: One for the screen, one for the keyboard, and one for the
>> mouse. There can be others as input devices are added. There could even
>> be a struct that passes a pointer to each of those three (or more).
> 
> The X server would still have to take the keystrokes, see which window was 
> active and sent those keystrokes to the remote machine using that window.  
> That 
> connects them together.

...

> But when the X inventors did this, they left out audio.  I can connect to a 
> remote host, run a media player, and never hear the sound, because it's 
> playing 
> on the remote host.

In some ways that's an argument for doing some form of multiple streams - and 
multiplex them down one transport. That way, you implement the stream types you 
know about now, and when new ones come along (e.g. people now want audio rather 
than just a beep) then it can be easily added as an additional stream type.
Intelligent multiplexing should be able to retain the sequence of (e.g. key 
presses and mouse clicks), though I guess there's always the chance that 
processes could get scheduled in such a way that very closely spaced events 
might get re-ordered. Such an example could be if you hit a key and click the 
mouse together - but given the processing abilities of modern hardware, I think 
it would need to be "together" (from human response times PoV) for it to be a 
risk.

But really it's a moot discussion. It didn't happen, and it's not likely to 
given the vested interests in pushing their own ideas these days.

Simon



Re: [DNG] Apollo computers (Was: savings from parallelism)

2020-12-26 Thread Simon Hobson
Didier Kryn  wrote:

> I remember these Apollos. They were shining and ran some brand of
> Unix if I remember well. We had a few in my lab but I never got a chance
> to touch one.

I knew "just about zero" about Unix back then so can't comment on how they 
compared with anything else. The OS was Domain/IX (or something similar) - ah, 
wonders of modern search engines, Domain/OS 
https://en.wikipedia.org/wiki/Domain/OS And now I read that, I also recall 
AEGIS being part of the name somehow.

See also https://en.wikipedia.org/wiki/Apollo/Domain
Brings back some details. We had the DN1 as a number cruncher, and before 
it got locked down, I recall it was blazingly fast compared to our workstations 
- one of the "demo" programs around on the network did real-time calculations 
for a load of bouncy balls "tipped into the top of the screen" (so the dynamics 
of gravity, plus the dynamics of collisions between the balls and boundaries or 
other balls) and the DN1 could do the maths (I guess, from memory) an order 
of magnitude or more faster judging by how much better the balls moved when the 
maths was done remotely. Reading the articles, I guess we probably had DN3000 
workstations.

But the one outstanding feature of the system was it was designed to run a 
network. Every file on any system on the network was located under one tree. 
While we are used to "/..." starts at the root of our own box's file system, on 
the Apollo Domain system, they all came under "//..." with "//


Re: [DNG] double negative

2020-12-25 Thread Simon Walter

On 12/26/20 2:31 AM, Hendrik Boom wrote:
> On Fri, Dec 25, 2020 at 10:07:57AM -0500, Steve Litt wrote:
>> On Fri, 25 Dec 2020 00:18:55 -0800
>> Rick Moen  wrote:
>>
>>> Quoting Didier Kryn (k...@in2p3.fr):
>>>
>>>>      Just to remind, if you forgot it.
>>>>
>>>>      There's one known case where double positive means negative:
>>>> C++
>>>
>>> "Yeah, yeah."
>>>
>>> (The gag may not travel well, so:  At least in some USA regions,
>>> the phrase "Yeah, yeah" is something of a dismissive phrase with
>>> meaning at least bordering on denial.)
>>
>> Here's what I want to know...
>>
>> Why is the first word of any answer to any question asked of self
>> defined intellectuals "so"?
>
> To give them time to think.

Merry Christmas and a Happy New Year?


Re: [DNG] savings from parallelism (Was: if2mac init.d service for persistent network interface names)

2020-12-24 Thread Simon Hobson
Didier Kryn  wrote:

> Therefore I suspect the authors managed to launch several threads in order to 
> save 0.01s of the boot time. Or to loose more because thread scheduling might 
> well consume more than what parallelism saves.

In the general case, parallelism only saves wall clock time IFF you have a 
number of processes that have to wait on outside events while not 
(significantly) using resources on the machine - or if they are exceedingly 
computationally intensive that running tasks across multiple cores gives a 
saving (not common during startup). So if you have things like bringing up 
interfaces - waiting for WiFi to connect and DHCP to get an address, that sort 
of thing. But even then there's probably little to be saved since you usually 
have most of the system waiting for the network to be up before it can proceed.
But otherwise, especially with a spinning disk, parallelism will slow things 
down because you force the disk to go off here there and everywhere getting 
data for different processes. Not applicable during startup, but there are 
memory considerations* too if the jobs are large. With SSD this is much less of 
a problem.


* As an aside, at a previous job many years ago, they got a network of Apollo 
workstations in for running engineering software. The whole thing was primarily 
driven by the naval architects for doing complex fluid dynamics and structural 
modelling - and at the time Apollo had the higher spec number cruncher. For 
context, this was when a 286 with a couple of megs of RAM was considered high 
end - Apollo were using (from memory) Motorola 68000 range processors and I 
think most of the workstations had 68020. They had to stop people running their 
own jobs on the big machine simply because if asked to run more than one then 
it would slow to a crawl when it started swapping. But users were unable to 
grasp the concept of "wait your f'in turn" (some would even cancel other 
running jobs to get theirs to run faster) - so restrictions were imposed and 
only the admins could run jobs on it, everyone else had to put their requests 
in a queue.

Simon



Re: [DNG] snapd in Devuan? Dependency on systemd...

2020-12-17 Thread Simon Walter

On 12/2/20 4:44 PM, Ian Zimmerman wrote:
> On 2020-12-02 01:09, Bernard Rosset via Dng wrote:
>
>> Certbot has removed support of certbot-auto for Debian-based systems
>
> Sorry, I feel contrarian today (and many other days too). So there:
>
> http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml

Nice read. Thanks!


Re: [DNG] Ethernet names revisited

2020-12-13 Thread Simon Hobson
Hendrik Boom  wrote:

> I had to solve it by assigning new names to the interfaces (thus not eth0 or 
> eth1) and modifying all the config files mentioning those interface names (I 
> found them with grep) to use the new names instead.

Not for the OP's reason, but a long time ago I started to use "meaningful names" 
like ethext, ethint, and so on. Making it clearer in config files what each 
interface is. On one box (router) I had a fair number of interfaces (I can 
recall at least 8 inc 3 PPP (VDSL2) networks) - made remembering what's what a 
heck of a lot easier. Also did the same thing with my Xen guests - gave the 
interfaces on the host meaningful names via the guest config files.

I think removing the need to remember something is better than being good at 
remembering it (which I'm not anyway !)

Simon


Re: [DNG] godaddy (was Your system is not supported by certbot-auto anymore.)

2020-12-13 Thread Simon Hobson
Hendrik Boom  wrote:

> Know any domain registrars that don't mess with the user?

You could take a look at mythic-beasts.com or portfast.net

When I left my last place, I decided to move my domains away from them (as an 
employee I got "cost price" domains and free hosting) - knowing that the people 
left in charge are (staying polite) "ethics challenged" and "technically 
challenged". Good choice as it happened, because one "person" decided to just 
switch off* the remaining servers - "DNS will be OK, it's all mirrored at 
Portfast". I had mixed emotions when I heard that they'd been in a panic to 
setup about 100 remaining domains on their preferred hosting platform (with a 
truly horrible GUI for managing DNS) after a week when the secondary DNS 
servers expired all the records - a strong sense of schadenfreude as their own 
domain was one of them, but with my professional hat on a distinct sense of 
anger that a) it had impacted clients, and b) they'd be told a bunch of lies as 
to why it had happened.
* Didn't just switch off, but switched off, and ripped out of the rack and all 
the networking ripped apart - so couldn't just switch it back on again.

Anyway, my personal domains are now mirrored at Portfast - they were before as 
we used them to mirror our primary (have a neat API to keep their list up to 
date with ours). And on a recommendation from someone in my local-ish LUG moved 
my registrations to Mythic Beasts. What I can say is that when we were setting 
up our secondary DNS service at Portfast, we had good support dealing with real 
people in technical roles - not support droids with a computer flowchart. We'd 
previously had a secondary service from another UK supplier (Gradwell) who'd 
decided to pull out of that side of things - and they arranged to transfer our 
service to an equivalent one with Portfast rather than the more typical 
approach of "we're turning your service off, bog off and find another service 
yourself".

And I see that I'm now down to around 5 years left on my domains - so time to 
extend that back up to 9+ years. Like you, I don't subscribe to the "year by 
year and leave it late" renewals policy. We had clients with domain name 
problems caused by that. Of course, the alternative problem is that you "know" 
there's a long time left and the years can roll by faster than you realise :-(

Simon



Re: [DNG] What I learned at Distrowatch

2020-12-08 Thread Simon Walter

On 12/9/20 7:01 AM, Mason Loring Bliss wrote:
> On Fri, Dec 04, 2020 at 09:56:54AM +0900, Simon Walter wrote:
>
>> Unfortunately for those who are scared of source code and perhaps those
>> who are scared in general, it is all too easy to become paranoid. After
>> all, you are at the mercy of those who are not scared. I'd say, pick up
>> programming as a hobby and conquer your fear. Walk with your head high.
>
> Doesn't that embarrass you, writing something like that?

Embarrass? Why would it?

>> Then maybe you'll understand what stub means.
>
> I'm curious if you've actually looked at the source code we're talking
> about.
>
> Let's start with how much systemd code we're talking about. Admittedly, I'm
> not cutting out comments or whitespace here, but even so:
>
>  .../elogind-241.4/src$ find . -name '*.c' -exec cat {} \; | wc -l
>  125582

We were talking about libsystemd0 being a stub. It is too easy to assume 
you are a troll by the way you edit my email.

If you can't trust the Devuan devs, then maybe Devuan is not 
suitable for your uses. Why don't you find out who the authors of 
libsystemd0 are and present your concerns to them?



Re: [DNG] Your system is not supported by certbot-auto anymore.

2020-12-08 Thread Simon Hobson
Simon Walter  wrote:

> Other than a manual install, are there any alternatives? I am interested to 
> hear how others are doing this.

I never got round to switching from using SSLMate - only $16/yr (equates to 
around £10/yr for me) for a basic (domain.tld + www.domain.tld) cert, but 
quickly gets expensive if you want more than that https://sslmate.com/pricing
They have a client script that will automatically renew and retrieve certs if 
you want to do that, or you can do it manually. TBH, once you've set up your 
services (the script will provide example config snippets on request), just 
getting updated is a matter of a couple of minutes every year. Given that it's 
only around £10, and only a couple of minutes to renew once a year, I've just 
not had any particular pressure to change.

At my last job, we used GoDaddy for certs - not sure how much was GoDaddy and 
how much was my lack of experience, but it used to seem like a right PITA at 
times. I switched to SSLMate for the (linux) systems I managed.

Oh yes, and when I have had any issues, they've been quite helpful and 
responsive.

Simon



Re: [DNG] Your system is not supported by certbot-auto anymore.

2020-12-08 Thread Simon Walter

On 12/8/20 6:02 PM, Martin Steigerwald wrote:
> […]
>
>> Other than a manual install, are there any alternatives? I am
>> interested to hear how others are doing this.
>
> I am still using dehydrated. It is a simple shell script which just
> depends on curl, openssl and ca-certificates. There is an additional
> package for apache2 support, which just contains the site configuration
> for the web challenge thing, and one for DNS challenge.
>
> I think there is an alternative to it, called acme.sh. I never looked
> into it.
>
> Aside from that there is a huge ton of other ACME clients in various
> programming languages. AFAIR Let's Encrypt web page has a list.

I found it at: https://letsencrypt.org/docs/client-options/

Thank you so much. I actually don't need anything messing with my Apache 
configs. I just need automatic renewal. I will study the various clients 
on that page.

Best regards,

Simon



[DNG] Your system is not supported by certbot-auto anymore.

2020-12-08 Thread Simon Walter
It is nice to see that there are instructions for Devuan at 
https://certbot.eff.org/lets-encrypt/devuanascii-apache and that they 
don't say to use snapd. However, what has certbot become?


I have yet to look at the source code, but there are a lot of dependencies:

The following NEW packages will be installed:
  certbot python-certbot-apache python3-acme python3-augeas 
python3-certbot python3-certbot-apache python3-cffi-backend 
python3-configargparse
  python3-configobj python3-cryptography python3-idna python3-josepy 
python3-mock python3-openssl python3-parsedatetime python3-pbr 
python3-pyasn1
  python3-requests-toolbelt python3-rfc3339 python3-setuptools 
python3-tz python3-zope.component python3-zope.event python3-zope.hookable

  python3-zope.interface

Other than a manual install, are there any alternatives? I am interested 
to hear how others are doing this.


Best regards,

Simon


Re: [DNG] TB and Enigmail

2020-12-06 Thread Simon Walter
On 11/6/20 11:08 AM, Simon Walter wrote:
> I updated another field/site laptop yesterday and noticed (again) that
> TB was not updated past 68. My heart was glad.
> 
> I want to thank the Devuan maintainers for making these kind of sane
> choices. Thank you! Thank you! Thank you!

Well, it was actually something else holding back TB 78. As soon as I
installed zmap, which pulled in libjson-c3, TB was upgraded to 78.
Appropriate pinning was necessary along with removing the LastVersion
line in compatibility.ini in the profile dir.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946588


Re: [DNG] Oldstable and Archive timing expectations?

2020-12-04 Thread Simon Walter
On December 4, 2020 9:17:12 PM UTC, goli...@devuan.org wrote:
> On 2020-12-04 14:25, Adam Borowski wrote:
>> On Fri, Dec 04, 2020 at 12:43:25PM -0600, goli...@devuan.org wrote:
>>>> I have a lot of systems running ascii and no plan to upgrade them yet. I
>>>> don't want to upgrade when ascii is archived but before. Do you think 6
>>>> more months of ascii support a safe bet?
>>>
>>> You might want to have a look at Debian's release schedule:
>>>
>>> https://wiki.debian.org/DebianReleases
>>>
>>> Stretch will not go to oldstable status until Bullseye is released and
>>> there is not even a release date set yet for that to happen.  Devuan's
>>> release of Chimaera will be sometime after Bullseye becomes stable. No
>>> way ATM to guesstimate when in 2021 that will happen.
>>
>> Stretch has been oldstable for 1.5 years already.
>
> Sorry about that. Of course, I meant Buster . . .
>
> It's all becoming a bit of a blur these days . . .
>
>> A guesstimate for Bullseye's release is June, although effect of
>> actions to shorten freeze time remains to be seen.
>
> And of course, Chimaera will be sometime after that.  The more hands on
> deck, the sooner that will happen.
>
> But currently, as requested, please do what you can to test the
> proposed updates to be included on the Beowulf 3.1 point release.
>
> golinux
>
>> Meow!

Got it! Thanks! So I should keep an eye on Debian to get a hint.
-- 
Sent from my mobile device. Please excuse my brevity.


[DNG] Mental Outlaw does Devuan

2020-12-04 Thread Simon Walter
He has a lot of good videos - not so accurate, but I love his enthusiasm. He 
reminds me of myself when I was 15. He just put this out:

Devuan 3.0 Beowulf Install & Review - The Best Entry to Freedom from SystemD

https://www.youtube.com/watch?v=uzDwiEaehrQ=0
-- 
Sent from my mobile device. Please excuse my brevity.


Re: [DNG] samba/NAS box problem

2020-12-04 Thread Simon Walter

On 12/4/20 11:47 AM, Florian Zieboll via Dng wrote:
> Am 4. Dezember 2020 02:19:42 MEZ schrieb Simon Walter :
>> On 2020-12-02 02:18, Florian Zieboll via Dng wrote:
>> ...
>>> You can 'nmap --script smb-protocols ' for a list of supported 
>>> versions.
>>>
>>> libre Grüße,
>>> Florian
>> Hi Florian,
>>
>> What package holds said "smb-protocols" script?
>>
>> I regularly troubleshoot in MS shops and that looks useful.
>
> Hallo Simon,
>
> it's in nmap-common
>
> libre Grüße,
> Florian
>
Aha! It's not in Ascii. That explains a lot.



Re: [DNG] Oldstable and Archive timing expectations?

2020-12-04 Thread Simon Walter

On 12/4/20 10:47 AM, goli...@devuan.org wrote:
> On 2020-12-03 19:39, Simon Walter wrote:
>> Hi all,
>>
>> First of all, sorry if I missed this in the docs somewhere. I had a look
>> around the website and particularly https://www.devuan.org/os/releases
>> has no info.
>>
>> When can I expect oldstable to move to archived? I suppose I should keep
>> an eye out for a Chimaera BETA announcement and then change is imminent.
>>
>> Thanks,
>>
>> Simon
>> ___
>>
>
> When chimaera stable 4.0 is released, ascii will become oldoldstable
> and archived. That won't be happening anytime soon afaik.  We do have
> a beowulf point release in the works.
>
> golinux
>
I have a lot of systems running ascii and no plan to upgrade them yet. I
don't want to upgrade when ascii is archived but before. Do you think 6
more months of ascii support a safe bet?



[DNG] Oldstable and Archive timing expectations?

2020-12-03 Thread Simon Walter
Hi all,

First of all, sorry if I missed this in the docs somewhere. I had a look
around the website and particularly https://www.devuan.org/os/releases
has no info.

When can I expect oldstable to move to archived? I suppose I should keep
an eye out for a Chimaera BETA announcement and then change is imminent.

Thanks,

Simon


Re: [DNG] samba/NAS box problem

2020-12-03 Thread Simon Walter
On 2020-12-02 02:18, Florian Zieboll via Dng wrote:
...
> 
> You can 'nmap --script smb-protocols ' for a list of supported 
> versions.
> 
> libre Grüße,
> Florian

Hi Florian,

What package holds said "smb-protocols" script?

I regularly troubleshoot in MS shops and that looks useful.

Vielen Dank,

Simon


Re: [DNG] Firefox and its forks are losing the power of add-ons.

2020-12-03 Thread Simon Walter
On 2020-12-04 08:59, John Crisp via Dng wrote:
> On 3 December 2020 09:12:07 CET, Edward Bartolo via Dng  
> wrote:
>> Dear All,
>>
>> If you have other solutions which I did not think of, please suggest
>> them. Thanks for taking the time to reply.
>>
> 
> "Firefox" has lost it. Hey ho.
> 

That they have. Maybe the rendering and JS engines can be of use to
someone. I want to block JS like with NoScript. So far it still works
with FF 78.

Oh thank you Devuan maintainers!


Re: [DNG] Anybody successfully worked with an Nvidia GeForce gt 710 with Devuan?

2020-12-03 Thread Simon Walter
On 2020-11-29 21:26, Steve Litt wrote:
> Hi all,
> 
> Has anyone successfully worked with an Nvidia GeForce gt 710 with
> Devuan? As a bonus, has anyone gotten it to work without Pulseaudio?

I set up an old Dell XPS desktop for a friend's son with Manjaro. I
chose this because it was the only distro that came with the drivers
"out of the box". The Dell has a GTX 460. Not the same, though, I think
the drivers are the same. None of the recent drivers worked. I am not a
gamer nor am I familiar with Nvidia binary blobs. Though I vaguely
remember something about various open and closed source drivers that have
varying levels of feature support. The old 460 works well, but not with
the recent drivers. I think those are for a different architecture - if
you can call it that. You could install Manjaro and see what drivers
they are using and install those on Devuan. For a bonus, check out
mgame. That was how I found out that Nvidia drivers are included in
Manjaro - amazing and a bit funny too.


Re: [DNG] What I learned at Distrowatch

2020-12-03 Thread Simon Walter
On 2020-12-01 23:59, Mason Loring Bliss wrote:
> On Tue, Dec 01, 2020 at 03:33:41PM +0100, Antony Stone wrote:
> 
>> What, specifically, gets installed as part of Devuan which you don't want to 
>> see there?
> 
> As an exercise, try doing a minimal install via debootstrap, which is
> arguably the easiest way to tailor an install. I've thus far not managed to
> get an install through without elogind creeping in, even if I explicitly
> mark it as something to ignore. The Devuan live media I use for installs
> runs elogind. It sort of reminds me of the Agent Smith virus speech from
> The Matrix.
> 
> 
>> libsystemd0 is a stub library which contains none of the objectionable
>> code or "features" which people who don't want systemd are trying to keep
>> away from.
> 
> Unix libraries bundle related functionality together so that you can link
> just that which you need. Can you explain how libsystemd0 fits into this
> model? I'm unclear on what set of related functions it provides.
> 

Unfortunately for those who are scared of source code and perhaps those
who are scared in general, it is all too easy to become paranoid. After
all, you are at the mercy of those who are not scared. I'd say, pick up
programming as a hobby and conquer your fear. Walk with your head high.
Then maybe you'll understand what stub means. The people on this list
are very helpful and welcoming and will even feed trolls. If you are not
one, then educate yourself and stop acting like one.





[DNG] cdist real-world

2020-11-20 Thread Simon Walter
I just now had time to update cdist and saw this gem in
docs/src/cdist-real-world.rst:


case "$os" in
    devuan)
        :
        ;;
    *)
        echo "OS $os currently not supported" >&2
        exit 1
        ;;
esac




Re: [DNG] Clarification please

2020-11-05 Thread Simon Walter

On 11/3/20 8:44 PM, Olaf Meeuwissen via Dng wrote:
> Hi Rick,
>
> Rick Moen writes:
>
>> Quoting g4sra via Dng (dng@lists.dyne.org):
>>
>>> Can anybody suggest a suitable authoritative/recursive DNSSEC
>>> supporting name server for SOHO domain use on embedded systems.  What
>>> I am looking for is something like dnsmasq.
>>
>> dnsmasq, it should be noted, is _just_ a forwarder.  It forwards
>> outbound queries to one or more IP-identified recursive servers you
>> specify.  Those recursive servers do the actual work.
>
> I have a dnsmasq instance that does *authoritative* resolution for an
> internal domain.  Anything not in that domain is forwarded to the
> corporate DNS servers.  Works fine for me so I think dnsmasq can be
> more than _just_ a forwarder (which is all I wanted to point out).

Personally, I really like OPNsense. It uses Unbound these days. I don't 
use it for everything. However, for most of my clients' needs, it handles 
their DNS needs very well. Specifically "overrides" provide a local 
authority. If they need a true authoritative server, I am familiar with 
BIND. So BIND it is. OPNsense is a BSD. So the PID "bug", I guess, is 
not relevant.



Re: [DNG] Clarification please

2020-11-05 Thread Simon Walter

On 11/3/20 4:36 PM, Steve Litt wrote:
> On Sat, 31 Oct 2020 09:08:50 +0900
> Simon Walter  wrote:
>
>> On 10/30/20 7:29 AM, Rick Moen wrote:
>> ...
>>> FWIW, I am no longer comfortable with the idea of a combined
>>> authoritative/recursive server on a publicly exposed static IP.
>>> That has been deprecated for long decades as bad security,
>>> particularly because it increases the risk of cache poisoning of
>>> the recursive server.  IMO, a LAN connected to public networks,
>>> even a small one, ought to have the authoritative service on a
>>> separate, public-facing host, and the recursive service on a
>>> protected, internal-network machine that is as shielded from public
>>> networks as possible.
>>
>> Thanks for the bits of wisdom.
>>
>> Do you know any papers/articles/sites that discuss and explain this
>> more?
>>
>> I have not updated my IT knowledge in years and am a bit thirsty.
>
> When it comes to separation of authoritative and resolver parts of DNS,
> the documentation from the old djbdns makes it very clear, and is an
> excellent starting point.

I'll have to check that out. Thanks!

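The split Rick Moen recommends above (authoritative service on a public host, recursion only on a shielded internal one), and the forwarder-versus-authoritative distinction in the earlier dnsmasq message of this thread, can both be verified from the outside: send the public server an ordinary recursive query (RD=1) for a name it is not authoritative for and read the flags in the reply. An authoritative-only server answers REFUSED, or replies with RA clear and no answer section; a server that hands back an answer with RA set is an open resolver and is exposed to exactly the cache-poisoning risk described. The following is an added example written for this page, not code from the list or from dnsmasq, Unbound, BIND or djbdns. It uses only the Python standard library, assumes plain UDP on port 53, and the three sample replies are constructed header bytes, not captured traffic, so the classifier runs offline.

```python
"""Classify how a DNS server answers a recursive query (added example)."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Encode a wire-format DNS query with RD (recursion desired) set."""
    flags = 0x0100  # QR=0, opcode=0 (standard query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(response):
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response, txid=0x1234):
    """Verdict for a reply to an RD=1 query about a name outside the server's zones."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != txid:
        return "invalid"        # not a reply to our query (wrong id or not a response)
    if h["rcode"] == 5:
        return "refused"        # recursion disabled: the desired public-facing behaviour
    if h["ra"] and h["ancount"] > 0:
        return "open-resolver"  # server recursed on our behalf and returned data
    if not h["ra"]:
        return "no-recursion"   # authoritative-only; any data here is a referral
    return RCODE_NAMES.get(h["rcode"], "other")


def send_query(server, name, port=53, timeout=3.0):
    """Send the query over UDP and return the raw reply (network required)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return data


def _header(flags, ancount):
    """Build a constructed 12-byte reply header for offline testing."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


# Constructed sample replies (not captured traffic); classify() only reads the header.
SAMPLE_OPEN_RESOLVER = _header(0x8180, 1)  # QR, RD, RA set, NOERROR, one answer
SAMPLE_REFUSED = _header(0x8105, 0)        # QR, RD, RCODE=5 (REFUSED)
SAMPLE_AUTH_ONLY = _header(0x8100, 0)      # QR, RD, RA clear, no answer (referral)


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]
    print(classify(send_query(server, name)))
```

Run it as `python3 dnscheck.py <server-ip> <name>` with a name that resolves and that the server does not serve itself; a name inside one of its own zones comes back with AA set and tells you nothing about recursion. The RA bit on its own is not proof either, since some servers advertise RA while still refusing to recurse for outside clients, which is why the verdict is driven by RCODE first and by an actual answer section second. Expect "refused" or "no-recursion" from the public authoritative host and "open-resolver" only from the internal recursive one, and only when queried from inside.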


Re: [DNG] TB and Enigmail

2020-11-05 Thread Simon Walter
I updated another field/site laptop yesterday and noticed (again) that 
TB was not updated past 68. My heart was glad.


I want to thank the Devuan maintainers for making these kind of sane 
choices. Thank you! Thank you! Thank you!


