Bug#338889: Overzealously prefers signed packages to identical unsigned ones

2005-11-13 Thread Andras Korn
: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages apt depends on:
ii  libc6       2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.2-3  GCC support library
ii  libstdc++6  4.0.2-3    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Modem sex begins with a handshake.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#339030: svlogd appends extra newline to lines logged to file if also logging to udp

2005-11-14 Thread Andras Korn
Package: runit
Version: 1.3.1-1
Severity: normal

Hi,

I recently started seeing extra newlines between the messages in my system
logs (logged via socklog and svlogd). stracing svlogd I see this (sorry
about the long lines):

read(0, mail.info: Nov 14 16:40:21 amavis[2679]: (02679-12) Passed, [EMAIL 
PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], Hits: 
-2.592\n, 1024) = 207
gettimeofday({1131982821, 161063}, NULL) = 0
sendto(6, mail.info: Nov 14 16:40:21 amavis[2679]: (02679-12) Passed, [EMAIL 
PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], Hits: 
-2.592\n, 207, 0, {sa_family=AF_UNSPEC, 
sa_data=\2\2\230BS\205\0\0\0\0\0\0\0\0}, 16) = 207
write(7, @40004378afef0999a24c mail.info: Nov 14 16:40:21 amavis[2679]: 
(02679-12) Passed, [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: 
[EMAIL PROTECTED], Hits: -2.592\n\n, 234) = 234

As you can see, the line as read from stdin only had one \n at the end; it
was then transmitted via udp to a log server, still with only one \n at the
end; and then, it was logged to a file with an extra \n.

The config file for the relevant log directory reads:

--- cut here ---
s50
n25
-*
+*:*:*:* amavis*
+*: amavis*
!/usr/local/sbin/multilogcheck amavis
uIP.OF.LOG.SERVER
--- cut here ---

If I remove the last line (uIP.OF.LOG.SERVER), the extra newline is no
longer appended.

Andras

-- System Information:
Debian Release: unstable
  APT prefers breezy-security
  APT policy: (500, 'breezy-security'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   A faba szorult favago esete Toth Marival.





Bug#338889: Overzealously prefers signed packages to identical unsigned ones

2005-11-23 Thread Andras Korn
On Wed, Nov 23, 2005 at 04:47:02PM +0100, Michael Vogt wrote:

Hi,

> > I have a local package repository that is pieced together from many
> > different sources. I don't have a signed Release file (is there an easy way
> > to generate one automatically?); I only generate my own Packages file.
>
> It's a matter of running apt-ftparchive and gpg, see apt-secure(8) for
> a discussion.

OK, will do; thanks.

> > Nevertheless, when apt-get needs to fetch packages, it ignores my local
> > repository and downloads the exact same packages from the net instead,
> > presumably because those repositories are signed. (But do correct me if I'm
> > wrong.)
> [..]
>
> Yes, it's a feature of apt to prefer signed sources. But if you run it
> with --allow-unauthenticated, it should behave exactly as the 0.5.x
> versions. Can you please try/confirm this?

This switch seems to work as advertised here; alas, the manpage isn't very
clear about it - it just seems to say that this turns off the prompt about
unsigned packages.

This is a good enough workaround for me, but I still think the new behaviour
is wasteful (it wastes bandwidth) - if two packages have the same size and
md5sum, they can IMO be assumed to have the same signatures too.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Whoever decided to limit taglines to a single line can just kiss my





Bug#386608: svlogd: please warn about buffer size

2006-09-08 Thread Andras Korn
Package: runit
Version: 1.5.1-1
Severity: wishlist

Hi,

svlogd can become a performance bottleneck if log traffic is high. The pipe
buffer between it and the service is filled and svlogd doesn't read older
messages quickly enough with the default buffer size of 1024.

In one particular scenario, increasing buffer size to 16384 (with -b)
reduced system cpu time from 80% to about 65%.

I can imagine several ways of dealing with this problem:

- increase default buffer size (probably unnecessary);

- point out performance effect in documentation;

- print warnings to stderr if the read() returns buflen characters a
suitably low consecutive N times in a row (which would indicate buffer
congestion);

- instead of (or in addition to) the warning, increase the buffer adaptively
(max. size should be configurable);

- (probably overkill:) make svlogd multi-threaded, with one thread
constantly reading the input and stuffing it into a larger buffer for the
other thread to retrieve and commit to disk/udp.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
All programmers are optimists.
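
The warning and adaptive-growth options from the list above (N consecutive full reads as the congestion signal, then a larger buffer up to a configurable maximum), as an added example that is not code from runit or from this report. The struct, the function names and the sample pipe input are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct congestion {
    size_t buflen;       /* current read size (what svlogd's -b sets) */
    size_t maxlen;       /* configurable ceiling for adaptive growth */
    unsigned threshold;  /* N: consecutive full reads that count as congestion */
    unsigned full_run;   /* full reads seen in a row so far */
    unsigned warnings;   /* how many times the threshold was reached */
};

/* Account for one read() result. A short read means the pipe was emptied,
 * so the run is reset. Returns 1 when the threshold has just been reached. */
int congestion_note(struct congestion *c, size_t nread)
{
    if (nread < c->buflen) { c->full_run = 0; return 0; }
    if (++c->full_run < c->threshold) return 0;
    c->full_run = 0;
    c->warnings++;
    return 1;
}

/* Read fd until EOF. On congestion, warn on stderr and double the buffer
 * (capped at maxlen). Returns the number of bytes read, or -1 on error. */
long drain(int fd, struct congestion *c)
{
    char *buf = malloc(c->buflen);
    long total = 0;

    if (!buf) return -1;
    for (;;) {
        ssize_t r = read(fd, buf, c->buflen);
        if (r == -1 && errno == EINTR) continue;
        if (r <= 0) { free(buf); return r == 0 ? total : -1; }
        total += r;
        if (!congestion_note(c, (size_t)r)) continue;
        fprintf(stderr, "warning: %u full reads of %lu bytes in a row\n",
                c->threshold, (unsigned long)c->buflen);
        if (c->buflen < c->maxlen) {
            size_t next = c->buflen * 2 > c->maxlen ? c->maxlen : c->buflen * 2;
            char *bigger = realloc(buf, next);
            /* If realloc fails, keep reading with the old size. */
            if (bigger) { buf = bigger; c->buflen = next; }
        }
    }
}

/* Constructed input: 5000 bytes queued in a pipe before the reader starts,
 * standing in for a service that logs faster than the logger reads. */
long run_sample(struct congestion *c)
{
    static char chunk[5000];
    int p[2];
    long n;

    memset(chunk, 'x', sizeof chunk);
    if (pipe(p) == -1) return -1;
    if (write(p[1], chunk, sizeof chunk) != (ssize_t)sizeof chunk) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);
    n = drain(p[0], c);
    close(p[0]);
    return n;
}

int main(void)
{
    struct congestion c = { 1024, 16384, 3, 0, 0 };
    long n = run_sample(&c);

    printf("read %ld bytes, %u warning(s), final buffer %lu\n",
           n, c.warnings, (unsigned long)c.buflen);
    return n == 5000 ? 0 : 1;
}
```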





Bug#375433: Please support custom commands in sv and/or runsv

2006-10-21 Thread Andras Korn
Hi Gerrit,

I just realized that for custom commands like 'reload' to work, it's not
even necessary to go through runsv; sv could manage it on its own, just like
it does 'check'. You'd just need the custom scripts in the service
directory, where check resides anyway (or in a subdirectory so you could
have actions called 'run' and 'finish').

sv could then just call the corresponding script when called with an unknown
command argument, preferably changing to the service directory first so that
things like 'sv h .' work (which is what 'reload' would do in many cases).

What do you think?

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 It doesn't work, but it looks pretty.





Bug#391165: runit retains a controlling tty; ctrl-c on tty1 reboots/halts system

2006-10-05 Thread Andras Korn
Subject: runit: retains a controlling terminal; ctrl-c on tty1 halts/reboots system
Package: runit
Version: 1.6.0-1
Severity: important

Hi,

under some (unknown) circumstances, runit(8) retains a controlling tty:

USER   PID %CPU %MEM    VSZ   RSS TTY  STAT START   TIME COMMAND
root 1  0.0  0.010420 tty1 Ss+  09:07   0:00 runit

This has the important side effect that the getty-1 service is unable to set
its own controlling tty to tty1, and that pressing ctrl-c in the login shell
started by getty-1 will deliver the SIGINT to runit so that a ctrl-alt-del
event is triggered.

This doesn't happen on all computers I run runit on, but it happened on at
least two (one amd64, one i386). Both run runit 1.6.0-1.

I guess replacing /sbin/init with a shell script that does exec chpst -P
runit-init might be a workaround, but I'd be happier if this weren't
necessary. :)

-- System Information:
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-utopia
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

runit depends on no packages.

Versions of packages runit recommends:
pn  fgetty        none       (no description available)

-- no debconf information

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Make love not war - see me for details.





Bug#391165: runit retains a controlling tty; ctrl-c on tty1 reboots/halts system

2006-10-05 Thread Andras Korn
On Thu, Oct 05, 2006 at 08:47:37AM +, Gerrit Pape wrote:

Hi,

> > under some (unknown) circumstances, runit(8) retains a controlling tty:
>
> Hi Andras, can you please check the kernel versions on the affected
> systems?  I've reports that this problem happens with some 2.6 kernel
> versions, most probably starting with some minor version.

You seem to be right: all affected systems run 2.6.17 (either Ubuntu
distribution kernels or self-compiled).

Xen-testing patched 2.6.16.13 is the latest I could find that was not
affected (I don't have any boxes with kernels between this and 2.6.17,
unfortunately).

Vanilla 2.6.15.4 is also fine.

Plain old init on 2.6.17 is fine too.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Nem iszom tobbet. De kevesebbet sem.





Bug#80633: joe: When running inside a screen(1), cursor often placed in wrong column

2006-09-25 Thread Andras Korn
On Mon, Sep 25, 2006 at 06:04:40PM +0200, Josip Rodin wrote:

> On Thu, Dec 28, 2000 at 12:51:24AM +0100, Josip Rodin wrote:
> > > apparently the screen process needs to be running for some time before the
> > > bug manifests itself; what happens is that the cursor is sometimes,
> > > seemingly at random, placed at column 1-8; a couple of characters I type
> > > appear there, and then, as I continue typing, everything returns to normal
> > > (except that most tabs appear to be displayed as a simple space and those
> > > few characters stay at the beginning of the line until I hit ctrl-r).
> >
> > I think I've seen this one myself... but it's just screen corruption, the
> > data is written correctly, right?
>
> Can you reproduce this bug with joe 3.x?

I couldn't ever reproduce it as such - it just happened occasionally.

I'm no longer sure (it was six years ago, after all) if it's the same issue,
but in the meantime I've found that enabling 'meta as-is' causes display
corruption if the file contains 'weird' non-printable characters. While this
is arguably a feature (after all, I asked for those characters to be
displayed), the problem is that this seems to be the only way to see
accented international characters too.

So fixing this would involve displaying printable characters but suppressing
(or escaping) nonprintable ones, like vim does.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
A yer ago I kudnt spel progremr now I are won.





Bug#401547: tryto -n1 often reports that child crashed even if it didn't

2006-12-04 Thread Andras Korn
fstat64(3, {st_mode=S_IFREG|0755, st_size=1166796, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb7fa3000
mmap2(NULL, 1176956, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7e83000
mmap2(0xb7f9c000, 16384, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x118) = 0xb7f9c000
mmap2(0xb7fa, 9596, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fa
close(3)= 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb7e82000
set_thread_area({entry_number:-1 - 6, base_addr:0xb7e826b0, limit:1048575, 
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, 
useable:1}) = 0
mprotect(0xb7f9c000, 8192, PROT_READ)   = 0
munmap(0xb7fa4000, 62219)   = 0
open(/usr/lib/locale/locale-archive, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No 
such file or directory)
brk(0)  = 0x804c000
brk(0x806d000)  = 0x806d000
open(/usr/share/locale/locale.alias, O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb7fb3000
read(3, # Locale name alias data base.\n# Copyright (C) 1996-2001,2003 Free 
Software Foundation, Inc.\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU Ge..., 4096) = 
2586
read(3, , 4096)   = 0
close(3)= 0
munmap(0xb7fb3000, 4096)= 0
open(/usr/lib/locale/hu_HU/LC_CTYPE, O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=207996, ...}) = 0
mmap2(NULL, 207996, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7e4f000
close(3)= 0
close(1)= 0
exit_group(0)   = ?

Best regards,

Andras

-- System Information:
Versions of packages socklog depends on:
ii  adduser  3.77           Add and remove users and groups
ii  libc6    2.4-1ubuntu12  GNU C Library: Shared libraries

Versions of packages socklog recommends:
ii  ipsvd        0.12.1-1  Internet protocol service daemons
ii  runit        1.5.1-1   a UNIX init scheme with service su
pn  socklog-run  none      (no description available)

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
It begins when you sink into his arms, and it ends with your arms in his sink.





Bug#498020: Some upstream files not shipped; breaks script engine

2008-09-06 Thread Andras Korn
Package: nmap
Version: 4.68-1
Severity: normal

Hi,

the Debian nmap package fails to include the following files:

/usr/share/nmap/nselib/comm.lua
/usr/share/nmap/nselib/datafiles.lua
/usr/share/nmap/nselib/http.lua
/usr/share/nmap/nselib/tab.lua
/usr/share/nmap/scripts/MySQLinfo.nse
/usr/share/nmap/scripts/UPnP-info.nse
/usr/share/nmap/scripts/rpcinfo.nse

I think the fix is as simple as adding these to nmap.files.

Without the above files, nmap's script engine breaks, complaining that
rpcinfo.nse is not a file, like this:

SCRIPT ENGINE: Initiating script scanning.
SCRIPT ENGINE: rpcinfo.nse is not a file.
SCRIPT ENGINE: Aborting script scan.

Reproduce by doing nmap -A -O -v scanme.nmap.org.

Best regards,

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.19-arcadia-grsec2.1.11-vs2.2.0.7 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages nmap depends on:
ii  libc6        2.7-11     GNU C Library: Shared libraries
ii  libgcc1      1:4.3.1-3  GCC support library
ii  libpcap0.8   0.9.8-3    system interface for user-level pa
ii  libpcre3     7.6-2      Perl 5 Compatible Regular Expressi
ii  libssl0.9.8  0.9.8g-10  SSL shared libraries
ii  libstdc++6   4.3.1-3    The GNU Standard C++ Library v3

nmap recommends no packages.

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Those who do not understand Unix are condemned to reinvent it, poorly.






Bug#305917: Please include attached plugin for nut

2007-11-27 Thread Andras Korn
Hi,

it's been more than two years; any news? :)

I just noticed that the script contains some bashisms, so the first line
should read #!/bin/bash instead of #!/bin/sh.

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   To be or to not be, that is the split infinitive.






Bug#149897: The bug you reported about ip route ... equalize ...

2007-12-30 Thread Andras Korn
On Sat, Dec 29, 2007 at 03:15:08PM +0100, Andreas Henriksson wrote:

Hi,

> > Very good to hear this has resolved itself. The only thing that remains
> > is the false statement in the documentation about having to patch the
> > kernel. Let's treat this report as a bug against the documentation from
> > now on. I'll try to dig some and see if I can find it which kernel
> > version the support first appeared.
>
> It seems like the required patch[1] which implements the feature is only
> available for 2.4.18. As far as I can tell it only /looks/ like it works
> with current kernels, because the kernel has the RTM_F_EQUALIZE flag
> (but no actual implementation). The flag has been there since at least
> 2.4.0.
>
> man 7 rtnetlink says:
> RTM_F_EQUALIZE   a multicast equalizer (not yet implemented)

This at least should be multipath, not multicast.

> So. Updating the documentation to state the fact that the required
> kernel patch doesn't exist (for kernels supported by Debian) doesn't
> seem very useful.

Oh, I think it would be useful. Maybe add a note to README.Debian to the
tune of "This version of iproute supports multipath route equalization, but
as of 2007-12-30 no kernel implements it. Routes that rely on the 'equalize'
keyword will not work as expected. See
http://www.ussg.iu.edu/hypermail/linux/kernel/0203.2/1314.html and e.g.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg10038.html for more
information."

> Possibly the support for equalize in iproute should be dropped completely
> since it's never been part of any official kernel release, and since it
> hasn't been solved in all these years no one will probably ever implement
> this. I'll ask upstream

I don't know. I see the current situation as being halfway there; adding the
required support to the kernel would be a step forward, while also removing
it from iproute would be a step backward.

Also, removing equalize support from iproute may break scripts that use it,
so that e.g. after a reboot, a box would be unable to set its routing up and
become unreachable. Not good. Even if 'equalize' doesn't do what's expected,
it at least works to the extent that the routes are created.

The most I think could be done is make ip(8) print a warning when equalize
is used. This will, however, still annoy a lot of people because it'll cause
normally silent scripts to suddenly spew warnings.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  The Moon is covered with the results of astronomical odds.






Bug#301361: Move processing from apt_all plugin to apt-get update cronjob

2005-03-25 Thread Andras Korn
Package: munin-node
Version: 1.2.2-2
Severity: normal

Hi,

The processing done by the apt_all plugin can be rather expensive if there
are many packages installed and/or many sources in sources.list. On one of
my systems the plugin even times out sometimes.

Since the results it obtains will always be the same anyway until apt-get
update is run again, why not move the processing there? Either write a file
into /var/cache with the output of the plugin from the apt-get update
cronjob; or maybe there is a mechanism to have apt invoke a program after
apt-get update, so the plugin output would also be updated on manual
apt-get updates.

The plugin itself would just need to cat the file from /var/cache.
Considering that the plugin gets run every five minutes or so, the savings
could be significant.

I file this report with a severity of 'normal' instead of 'wishlist' because
due to the timeout the plugin sometimes actually fails.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-ak1-chardonnay
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages munin-node depends on:
ii  libnet-server-perl  0.87-2     An extensible, general perl server
ii  perl                5.8.4-5    Larry Wall's Practical Extraction 
ii  procps              1:3.2.5-1  /proc file system utilities

-- no debconf information

Best regards,

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
A road map always tells you everything except how to refold it.





Bug#299589: per-plugin group directive apparently ignored

2005-03-15 Thread Andras Korn
Package: munin-node
Version: 1.2.2-2
Severity: normal

Hi,

I have a /etc/munin/plugin-conf.d/entropy file which reads:

[entropy]
user root
group proc

Originally it just had group proc, because:

dr-xr-x---  11 root proc 0 Mar 15 09:10 /proc/sys

(/proc/sys is only accessible to root and to group proc on my system).

I recently noticed that this no longer worked; the entropy plugin couldn't
read the entropy_avail file. I added an 'id' command to the plugin, and
noticed the following:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at name-of-box
fetch entropy
#uid=0(root) gid=183(munin) groups=183(munin)
entropy.value 16814
.

Note how it is not a member of the proc group. The situation is the same
if I remove user root (obviously it runs as a different uid then, but
still no group proc). Naturally, a large number of other plugins are
affected as well.

This used to work before and got broken recently. Alas, I can't say exactly
when.

Andras

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages munin-node depends on:
ii  libnet-server-perl  0.87-2     An extensible, general perl server
ii  perl                5.8.4-5    Larry Wall's Practical Extraction 
ii  procps              1:3.2.5-1  /proc file system utilities

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Computer Lie #1: You'll never use all that disk space.





Bug#305917: Oversights and fixes

2005-04-22 Thread Andras Korn

A slight oversight:

@@ -23,7 +23,7 @@
| tr -d '][' \
| while read ups; do
for i in voltages freq charge current; do
-   echo ${ups}_${i}
+   echo [EMAIL PROTECTED]
done
done
 fi
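
Review bot: the expansion passed to echo on the changed line is unquoted, and the enclosing `while read ups` has no `-r`, so a UPS name containing whitespace, glob characters or a backslash would be split or altered before it becomes a plugin name. Quote the expansion and use `read -r`. The added line itself appears here only as the archive's address-redaction placeholder, so the new name format cannot be checked from this copy.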

Also, munin-node shouldn't skip plugins whose names contain the @ character.
As you can see, there is a perfectly legitimate use for it. :)

Until this is done, the above patch should not be applied to the ups_
plugin; instead, the following two lines should be added after UPS is
assigned:

# Fixup until munin-node no longer skips plugins with @s
echo $UPS | fgrep -q '@' || [EMAIL PROTECTED]

While looking at that part of the code of munin-node, I found what I believe
to be a bug. Line 328 of munin-node reads:

warn "Something wicked happened while reading \"$servicedir/$file\". Check the previous log lines for spesifics.";

That $servicedir should be $sconfdir, I think.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Laughing stock: cattle with a sense of humour.





Bug#297173: Please support name-based virtualhosting (yes, I know it's impossible)

2005-02-27 Thread Andras Korn
Package: openssh
Severity: wishlist

Hi,

it'd be useful if ssh did name-based virtualhosting, for example if you
provide services on top of ssh where it's irrelevant what physical box the
service resides on: e.g. subversion. If name-based virtualhosting were
supported, it would be possible to move a repository from one physical host
to the other, change DNS, and the clients would transparently begin using
the new server.

This is currently impossible without also changing the host key of the new
host to be the same as the old one (otherwise the clients report that the
host key changed). Changing the host key of the new server may, however,
have adverse side effects if the server isn't really new, just the new
home of the repository.

What I propose is to have one host key per 'virtualhost', and possibly also
per-virtualhost config settings (e.g. command=svnserve -t for an entire
virtualhost). Obviously the client would have to tell the server what
virtualhost it wanted to connect to before keys are exchanged.

I realize this is difficult to do and requires major changes to the code and
the protocol. Feel free to add a wontfix tag; I just wanted to publicize
this idea in the hope someone will like it enough to surmount the
difficulties.

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   If debugging is removing bugs, then programming must be putting them in.





Bug#375433: patch to support custom commands in sv

2007-10-17 Thread Andras Korn
tags 375433 patch
thanks

Hi,

Allied-Visions GmbH developed a patch to support custom commands (such as
reload) in sv's initscript emulation.

This required some changes in the way sv handles commands.

You can now have /service/foo/custom/reload, and sv reload foo will execute
that. This makes it possible to finally seamlessly support e.g. Debian
package upgrades where the original initscript has been replaced by a
symlink pointing to sv.

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
cat dad*.dna mom*.dna baby.out
Index: sv.c
===
--- sv.c	(revision 144)
+++ sv.c	(revision 146)
@@ -29,6 +29,9 @@
 #define TIMEOUT timeout: 
 #define KILLkill: 
 
+char custom_command_[64];
+char *custom_command = custom_command_+7;
+
 char *progname;
 char *action;
 char *acts;
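
Review bot: `custom_command` points 7 bytes into the 64-byte `custom_command_`, which leaves 57 bytes including the terminator for the command name, and neither size is a named constant that the code copying the name could check against. Define the buffer size and the prefix length as macros, reject names that do not fit before copying, and add a comment saying that the first 7 bytes are reserved for the `custom/` prefix.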
@@ -204,6 +207,43 @@
   return(!wait_exitcode(w));
 }
 
+int execute_custom_command()
+{
+  char *prog[2];
+  int pid, w;
+
+  if ((pid =fork()) == -1) {
+outs2(WARN); outs2(unable to fork for ); outs2(*service);
+outs2(custom_command); outs2(error_str(errno)); flush2(\n);
+return(0);
+  }
+  if (!pid) {
+/* Probably faster than a for cycle for 9 bytes) */
+custom_command_[0] = 'c';
+custom_command_[1] = 'u';
+custom_command_[2] = 's';
+custom_command_[3] = 't';
+custom_command_[4] = 'o';
+custom_command_[5] = 'm';
+custom_command_[6] = '/';  
+prog[0] =custom_command_;
+prog[1] =0;
+close(1);
+execve(custom_command_, prog, environ);
+outs2(WARN); outs2(unable to run ); outs2(*service); outs2(/);outs2(custom_command_);outs2(: );
+outs2(error_str(errno)); flush2(\n);
+_exit(0);
+  }
+  while (wait_pid(w, pid) == -1) {
+if (errno == error_intr) continue;
+outs2(WARN); outs2(unable to wait for child ); outs2(*service);
+outs2(/);outs2(custom_command_);outs2(: );outs2(error_str(errno)); flush2(\n);
+return(0);
+  }
+  return(!wait_exitcode(w));
+
+}
+
 int check(char *a) {
   unsigned int pid;
 
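
Review bot: in the child branch of execute_custom_command(), the path taken after a failed execve() ends in `_exit(0)`, so the parent's `return(!wait_exitcode(w))` reports success when the script is missing or not executable; exit with a non-zero status there. The name is also handed to execve() as `custom/` plus the command with no check in this hunk that it contains no '/', so a name such as `../run` would resolve outside the custom directory; reject such names before forking. Minor: declare the function as `int execute_custom_command(void)`.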
@@ -216,6 +256,9 @@
 pid =8; pid +=(unsigned char)svstatus[12];
 switch (*a) {
 case 'x': return(0);
+case '0':
+  execute_custom_command();
+  break;
 case 'u':
   if (!pid || svstatus[19] != 1) return(0);
   if (!checkscript()) return(0);
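
Review bot: the new `case '0'` discards the return value of execute_custom_command(), so a custom script that fails or cannot be started looks the same as one that succeeded once control leaves the switch. Return its result, or map it onto the 0/1 convention the neighbouring cases use, and add a comment that '0' is the internal action code for custom commands, since nothing in this hunk says so.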
@@ -261,9 +304,62 @@
   return(1);
 }
 
+typedef enum {
+  argf_kll  = 1, /* Set kll to 1 */
+  argf_act0 = 2, /* Set act to 0 */
+  argf_acts = 4, /* Set act to status */
+} arg_flag_t;
+
+typedef struct {
+  char *name;
+  char *acts;
+  void *cbk;
+  arg_flag_t flags;
+} arg_t ;
+
+/* Built in arguments - what is not listed here is taken as custom */
+arg_t arguments[] = {
+/* Argument  acts   cbkflags */
+  {exit,   x,   NULL,  0},
+  {x,  x,   NULL,  0},
+  {Exit,   x,   check, argf_kll},
+  {X,  x,   check, argf_kll},
+  {D,  d,   check, argf_kll},
+  {T,  tc,  check, argf_kll},
+  {c,  C,   check, argf_act0},
+  {check,  C,   check, argf_act0},
+  {tc, tc,  NULL,  0},
+  {tcu,tcu, NULL,  0},
+  {down,   d,   NULL,  0},
+  {once,   o,   NULL,  0},
+  {up, u,   NULL,  0},
+  {pause,  p,   NULL,  0},
+  {cont,   c,   NULL,  0},
+  {hup,h,   NULL,  0},
+  {alarm,  a,   NULL,  0},
+  {interrupt,  i,   NULL,  0},
+  {quit,   q,   NULL,  0},
+  {term,   t,   NULL,  0},
+  {kill,   k,   NULL,  0},
+  {1,  1,   NULL,  0},
+  {2,  2,   NULL,  0},
+  {shutdown,   x,   check, 0},
+  {start,  u,   check, 0},
+  {stop,   d,   check, 0},
+  {status, s,   NULL,  argf_acts},
+  {s,  s,   check, argf_acts},
+  {restart,tcu, check, 0},
+  {force-reload,   tc,  check, argf_kll},
+  {force-restart,  tcu, check, argf_kll},
+  {force-shutdown, x,   check, argf_kll},
+  {force-stop, d,   check, argf_kll},
+  {NULL, NULL,  NULL,  0}  /* terminator record */
+} ;
+
 int main(int argc, char **argv) {
   unsigned int i, done;
   char *x;
+  arg_t *arg;
 
   progname =*argv;
   for (i =str_len(*argv); i; --i) if ((*argv)[i -1] == '/') break;
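
Review bot: `void *cbk` in `arg_t` stores the function `check` in an object pointer, which ISO C does not guarantee to work and which drops the signature; declare the member as `int (*cbk)(char *)` to match `check`. The table also gives `status` a NULL callback while `s` gets `check`; if that difference is intended it deserves a comment, otherwise the two rows should agree.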
@@ -293,42 +389,34 @@
 
   act =control; acts =s;
   if (verbose) cbk =check;
-  switch (*action) {
-  case 'x': case 'e':
-acts =x; break;
-  case 'X': case 'E':
-acts =x; kll =1; cbk =check; break;
-  case 'D':
-acts =d; kll =1; cbk =check; break;
-  case 'T':
-acts =tc; kll =1; cbk =check; break;
-  case 'c':
-if (!str_diff(action, check)) { act =0; acts =C; cbk =check; break; }
-  case 'u': case 'd': case 'o': case 't': case 'p': case 'h':
-  case 'a': case 'i': case 'k': case 'q': case '1': case '2':
-action[1] =0; acts =action; break;
-  case 's
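
Review bot: the removed switch dispatches on the first character of `action` (`case 'u': case 'd': ... action[1] =0; acts =action;`), so single-letter forms such as `u`, `d` or `t` were accepted, while the new arguments[] table lists only `up`, `down` and `term` for them. Unless the lookup that replaces this switch also matches on the first character, those invocations would now be treated as custom commands; either add the short forms to the table or document the change. The rest of this hunk is cut off in this copy, so the replacement lookup cannot be checked here.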

Bug#447020: ipsvd: please support CIDR-based configuration directories and hierarchical DNS based configuration

2007-10-17 Thread Andras Korn
Package: ipsvd
Version: 0.13.0-1
Severity: wishlist
Tags: patch

Hi,

the flat directory configuration scheme for ipsvd doesn't scale well for
large subnets that are not class A, B or C; for example, a /25 network would
need 128 configuration files.

Allied-Visions GmbH developed a patch to support CIDR-based configuration
(attached). This patch also adds support for configfile expiry on
filesystems mounted with noatime; a new switch, -T, causes {tcp,udp}svd to
touch (hence the T) the files it accesses, keeping the atime updated.

Configuration now works as follows:

- the configfile for 1.2.3.0/24 would be the file called 24 in the directory
  called 1.2.3.0

- if you want separate configuration for the IP 1.2.3.0, call the file
  1.2.3.0/32

- if we don't have permission to read a dir, then we assume we don't have
  permission to read the files in it either and act accordingly

To further increase scalability in large configurations, hierarchical
processing of domain names is now possible: the configuration in foo/bar
applies to all clients under the domain .bar.foo.

This patch hasn't received thorough testing yet, but it appears to work.

We'll test it further and post new versions of the patch here if necessary;
this submission is in the spirit of 'release early, release often'. :)

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Hogy en ambivalens??? Talan igen, talan nem...
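
The directory scheme described above (a file named after the prefix length inside a directory named after the network address), worked through as an added example that is not taken from the attached patch. The function names, the most-specific-first search order and the in-memory rule list standing in for the files on disk are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parser: four decimal octets of 1-3 digits, each 0..255,
 * nothing before, between or after them. Returns 0 on success, -1 otherwise. */
int parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t addr = 0;

    for (int i = 0; i < 4; i++) {
        unsigned v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            if (++digits > 3) return -1;
            v = v * 10 + (unsigned)(*s++ - '0');
        }
        if (digits == 0 || v > 255) return -1;
        addr = (addr << 8) | v;
        if (i < 3 && *s++ != '.') return -1;
    }
    if (*s != '\0') return -1;
    *out = addr;
    return 0;
}

/* Write "<network address>/<prefix>" for addr into buf, with the host bits
 * cleared. prefix must be 1..32. Returns the string length, or -1. */
int cidr_path(uint32_t addr, int prefix, char *buf, size_t len)
{
    uint32_t mask, net;
    int n;

    if (prefix < 1 || prefix > 32) return -1;
    /* A shift by 32 is undefined, so /32 is handled separately. */
    mask = prefix == 32 ? 0xFFFFFFFFu : ~(0xFFFFFFFFu >> prefix);
    net = addr & mask;
    n = snprintf(buf, len, "%u.%u.%u.%u/%d",
                 (unsigned)(net >> 24), (unsigned)((net >> 16) & 255),
                 (unsigned)((net >> 8) & 255), (unsigned)(net & 255), prefix);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Try /32 first, then ever shorter prefixes, so the most specific rule wins.
 * Returns the matching prefix length, 0 if no rule applies, -1 on error. */
int find_config(uint32_t addr, int (*exists)(const char *), char *buf, size_t len)
{
    for (int prefix = 32; prefix >= 1; prefix--) {
        if (cidr_path(addr, prefix, buf, len) < 0) return -1;
        if (exists(buf)) return prefix;
    }
    if (len) buf[0] = '\0';
    return 0;
}

/* Constructed rule set standing in for the configuration files on disk. */
static const char *sample_rules[] = { "10.0.0.0/8", "123.4.0.0/16", "123.4.31.0/25" };

int sample_exists(const char *path)
{
    for (size_t i = 0; i < sizeof sample_rules / sizeof *sample_rules; i++)
        if (strcmp(path, sample_rules[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed client addresses; the last one is malformed on purpose. */
    const char *clients[] = { "123.4.31.1", "123.4.31.200", "192.0.2.7", "123.4.31.256" };
    char path[32];

    for (size_t i = 0; i < sizeof clients / sizeof *clients; i++) {
        uint32_t a;
        int p;
        if (parse_ipv4(clients[i], &a) != 0) {
            printf("%s: rejected\n", clients[i]);
            continue;
        }
        p = find_config(a, sample_exists, path, sizeof path);
        printf("%s: %s\n", clients[i], p > 0 ? path : "no rule");
    }
    return 0;
}
```

With a /25 rule in place, a client in the upper half of the same /24 falls through to the /16 rule, which is the behaviour to check when a narrow rule is meant as an exception to a broad one.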
Index: CIDR_test/test.c
===
--- CIDR_test/test.c	(.../ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 0)
+++ CIDR_test/test.c	(.../floss/ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 147)
@@ -0,0 +1,19 @@
+#include stdio.h
+#include ../CIDR.h
+int main()
+{
+	unsigned char ip_num[4];
+	char *ip = 123.4.31.01;
+	char result[32];
+	int n;
+	
+	printf(res=%d\n, ip2num(ip, ip_num));
+	printf(%u.%u.%u.%u\n, ip_num[0], ip_num[1], ip_num[2], ip_num[3]);
+	
+	*result = '\0';
+	for(n=32; n0; n--) {
+		num2CIDR(ip_num, result, n);
+		printf(%2d=%s\n, n, result);
+	}
+	return 0;
+}
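
Review bot: main() in test.c only prints what ip2num() and num2CIDR() produce and always returns 0, so the program cannot fail and a regression would go unnoticed. Compare each result against the expected string and return non-zero on a mismatch, check the return value of ip2num() before using `ip_num`, and add malformed inputs (an octet above 255, trailing characters, a missing octet), since the parsed address decides which access rule applies. The sample `123.4.31.01` has a leading zero in the last octet; the test should state whether that is meant to be read as decimal 1.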
Index: CIDR_test/Makefile
===
--- CIDR_test/Makefile	(.../ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 0)
+++ CIDR_test/Makefile	(.../floss/ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 147)
@@ -0,0 +1,9 @@
+CFLAGS = -Wall -g
+test: test.o ../CIDR.o
+
+test.o: test.c
+
+../CIDR.o: ../CIDR.c
+
+clean:
+	rm test.o test
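Review bot: the clean rule runs rm without -f, so it fails when test.o or test is absent, and it leaves ../CIDR.o behind although this Makefile lists it as a build product. Use rm -f on all three files and declare clean as .PHONY.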
Index: udpsvd.c
===
--- udpsvd.c	(.../ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 73)
+++ udpsvd.c	(.../floss/ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 147)
@@ -170,8 +170,9 @@
 
   progname =*argv;
 
-  while ((opt =getopt(argc, argv, vu:l:hpi:x:t:V)) != opteof) {
+  while ((opt =getopt(argc, argv, Tvu:l:hpi:x:t:V)) != opteof) {
 switch(opt) {
+		case 'T': check_touch_configs = 1; break;
 case 'v':
   ++verbose;
   break;
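Review bot: the new 'T' case is tab-indented and packs the assignment and break onto one line, while the neighbouring 'v' case uses space indentation with one statement per line; match the surrounding style so the switch stays readable in one editor setting.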
Index: tcpsvd.c
===
--- tcpsvd.c	(.../ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 73)
+++ tcpsvd.c	(.../floss/ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 147)
@@ -271,12 +271,13 @@
 
 #ifdef SSLSVD
   while ((opt =getopt(argc, (const char **)argv,
-  c:C:i:x:u:l:Eb:hpt:vVU:/:Z:K:)) != opteof) {
+  Tc:C:i:x:u:l:Eb:hpt:vVU:/:Z:K:)) != opteof) {
 #else
   while ((opt =getopt(argc, (const char **)argv,
-  c:C:i:x:u:l:Eb:hpt:vV)) != opteof) {
+  Tc:C:i:x:u:l:Eb:hpt:vV)) != opteof) {
 #endif
 switch(opt) {
+		case 'T': check_touch_configs = 1; break;
 case 'c': scan_ulong(optarg, cmax); if (cmax  1) usage(); break;
 case 'C':
   delim =scan_ulong(optarg, phccmax);
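Review bot: 'T' is added to both the SSLSVD and the plain getopt string, but no tcpsvd.c hunk in this patch updates the text printed by usage(), so the switch is undocumented for users. Add it there and in the man pages, and state that with -T the daemon writes timestamps to its config files and therefore needs permission to change their times.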
Index: ipsvd_check.c
===
--- ipsvd_check.c	(.../ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 73)
+++ ipsvd_check.c	(.../floss/ipsvd/ipsvd-0.13.0/net/ipsvd-0.13.0/src)	(revision 147)
@@ -2,6 +2,7 @@
 #include sys/stat.h
 #include unistd.h
 #include time.h
+#include utime.h
 #include ipsvd_check.h
 #include ipsvd_log.h
 #include ipsvd_fmt.h
@@ -17,7 +18,11 @@
 #include pathexec.h
 #include dns.h
 #include ip4.h
+#include alloc.h
+#include CIDR.h
 
+int check_touch_configs = 0;
+
 extern const char *progname;
 static stralloc sa ={0};
 static stralloc ips ={0};
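Review bot: check_touch_configs is defined here as a plain global and assigned from tcpsvd.c and udpsvd.c, yet the patch shows no matching extern declaration. Put "extern int check_touch_configs;" in ipsvd_check.h so all three files are checked against one declaration.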
@@ -118,12 +123,28 @@
   return(rc);
 }
 
+void touch(const char *file_name, time_t atime)
+{
+	struct utimbuf ut;
+
+	if (atime == 0)
+		atime = time(NULL);
+
+	ut.actime  = atime;
+	ut.modtime = atime;
+
+	utime(file_name, ut);
+}
+
 int ipsvd_check_direntry(stralloc *d, stralloc *m, char *ip,
  time_t now, unsigned long t, int *rc) {
   int i;
   struct stat s;
 
   if (stat(m-s, s) != -1) {
+		/* Do not consider
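Review bot: touch() discards the return value of utime(), so when the daemon is not allowed to change the file's times the -T refresh fails silently and the entry can still expire; check the result and log a warning. It also sets modtime to the same value as actime, overwriting the file's mtime although the stated goal is only to keep atime current; pass the st_mtime from the stat() call in ipsvd_check_direntry() instead. Given its generic name the function should be static.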

Bug#441316: sv once ineffective if 'finish' exists and is executable

2007-09-08 Thread Andras Korn
Package: runit
Version: 1.7.2-1
Severity: normal

Hi,

if ./finish exists and is executable, runsv will execute it and then restart 
the service even if it was in the 'sv once' state.

Andras

-- System Information:
Debian Release: 4.0
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.13-vs2.2.0-chardonnay
Locale: LANG=POSIX, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

runit depends on no packages.

Versions of packages runit recommends:
pn  fgetty  <none>  (no description available)

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  A printer consists of a case, a jammed paper tray and a blinking red light.





Bug#441316: sv once ineffective if 'finish' exists and is executable

2007-09-11 Thread Andras Korn
On Mon, Sep 10, 2007 at 12:27:39PM +, Gerrit Pape wrote:

Hi,

> > if ./finish exists and is executable, runsv will execute it and then
> > restart
> > the service even if it was in the 'sv once' state.
>
> Hmm, it doesn't fail for me
> [...]
> Can you post the exact commands to reproduce the issue?

Yes, will do. Very busy today, so probably tomorrow.

Thanks

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Santa's business model: 1. make toys. 2. give them away. 3. ??? 4. profit.






Bug#441316: sv once ineffective if 'finish' exists and is executable

2007-09-11 Thread Andras Korn
On Mon, Sep 10, 2007 at 12:27:39PM +, Gerrit Pape wrote:

Hi,

> > if ./finish exists and is executable, runsv will execute it and then
> > restart
> > the service even if it was in the 'sv once' state.
>
> Hmm, it doesn't fail for me

You're right. It was my fault, but the scenario is, I think, instructive. :)

I have two services that depend on each other: x depends on y. Hence, x/run
does sv start y || exit 1, whereas y/finish stops x. So far, so good.

However, x doesn't deal well with the TERM signal and only exits cleanly on
a SIGUSR1. I now realize the clean way would have been to write an
x/control/t script; instead, I had sv once x (to avoid restarting x when
it exited), followed by sv 1 x and sv force-stop x.

This had the effect of _starting_ x if it was down already (with sv once),
which brought y up again.

Wouldn't it be useful to have an 'sv once' style command that doesn't start
the service, merely causes it not to be restarted when it exits, provided it
is running?

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Money isn't everything... but it's not a bad start.






Bug#385292: Please include -P option as in Ubuntu

2007-01-21 Thread Andras Korn
Hi,

I attach the ubuntu patches against klogd.c and klogd.8 for your reference.

Also included is the ubuntu klogd initscript.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Growing old is mandatory, growing up is optional!
--- sysklogd-1.4.1.orig/klogd.c
+++ sysklogd-1.4.1/klogd.c
@@ -20,6 +20,13 @@
 */
 
 /*
+ * Thu Nov 25 16:48:39 CET 2004:  Martin Pitt
+ *  Added option -P to give alternative location of /proc/kmsg (- for
+ *  stdin). This allows to run klogd entirely without root privileges.
+ *
+ *  Added support for macro PIDFILE_DIR which is used as pid file directory
+ *  instead of _PATH_VARRUN.
+ *
  * Steve Lord ([EMAIL PROTECTED]) 7th Nov 92
  *
  * Modified to check for kernel info by Dr. G.W. Wettstein 02/17/93.
@@ -279,7 +286,9 @@
 #define LOG_LINE_LENGTH 1000
 
 #ifndef TESTING
-#if defined(FSSTND)
+#if defined(PIDFILE_DIR)
+static char*PidFile = PIDFILE_DIR klogd.pid;
+#elif defined(FSSTND)
 static char*PidFile = _PATH_VARRUN klogd.pid;
 #else
 static char*PidFile = /etc/klogd.pid;
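Review bot: PIDFILE_DIR is pasted directly in front of the klogd.pid literal, so the macro has to end in a slash or the pid file name is glued onto the directory name. Document that requirement next to the #if, or add the separator in the concatenation.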
@@ -303,6 +312,8 @@
 
 static FILE *output_file = (FILE *) 0;
 
+static char *kmsg_file = NULL; /* NULL means default /proc/kmsg */
+
 static enum LOGSRC {none, proc, kernel} logsrc;
 
 int debugging = 0;
@@ -524,6 +535,22 @@
ksyslog(6, NULL, 0);
}
 
+/* Do we read kernel messages from a pipe? */
+if ( kmsg_file ) {
+if ( !strcmp(kmsg_file, -) )
+kmsg = fileno(stdin);
+else {
+if ( (kmsg = open(kmsg_file, O_RDONLY))  0 )
+{
+fprintf(stderr, klogd: Cannot open kmsg file, 
 \
+%d - %s.\n, errno, strerror(errno));
+ksyslog(7, NULL, 0);
+exit(1);
+}
+}
+return proc;
+}
+
/*
 * First do a stat to determine whether or not the proc based
 * file system is available to get kernel messages from.
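Review bot: the error path for a failed open() reports errno and strerror() but not kmsg_file, so the operator cannot tell which path was rejected; include the path in the message. The block also returns proc for stdin and for any other file, so a short comment should state that later code keyed on logsrc == proc is meant to run on a pipe as well.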
@@ -994,7 +1021,7 @@
chdir (/);
 #endif
/* Parse the command-line. */
-   while ((ch = getopt(argc, argv, c:df:iIk:nopsvx2)) != EOF)
+   while ((ch = getopt(argc, argv, c:df:iIk:nopP:svx2)) != EOF)
switch((char)ch)
{
case '2':   /* Print lines with symbols twice. */
@@ -1028,6 +1055,9 @@
case 'p':
SetParanoiaLevel(1);/* Load symbols on oops. */
break;  
+case 'P':   /* Alternative kmsg file path */
+kmsg_file = strdup(optarg);
+break;
case 's':   /* Use syscall interface. */
use_syscall = 1;
break;
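Review bot: the result of strdup(optarg) in the 'P' case is not checked, and because NULL is the sentinel for "default /proc/kmsg", an allocation failure silently falls back to the default source instead of the one requested. Exit on NULL, or assign optarg directly, since it stays valid for the life of the process.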
@@ -1039,7 +1069,6 @@
break;
}
 
-
/* Set console logging level. */
if ( log_level != (char *) 0 )
{
--- sysklogd-1.4.1.orig/klogd.8
+++ sysklogd-1.4.1/klogd.8
@@ -21,6 +21,9 @@
 .RB [  \-n  ]
 .RB [  \-o  ]
 .RB [  \-p  ]
+.RB [  \-P 
+.I path
+]
 .RB [  \-s  ]
 .RB [  \-k 
 .I fname
@@ -58,18 +61,23 @@
 is started and controlled by 
 .BR init (8).
 .TP
-.B -o
+.B \-o
 Execute in 'one\-shot' mode.  This causes \fBklogd\fP to read and log
 all the messages that are found in the kernel message buffers.  After
 a single read and log cycle the daemon exits.
 .TP
-.B -p
+.B \-p
 Enable paranoia.  This option controls when klogd loads kernel module symbol
 information.  Setting this switch causes klogd to load the kernel module
 symbol information whenever an Oops string is detected in the kernel message
 stream.
 .TP
-.B -s
+.BI \-P  path
+Use \fIpath\fR instead of /proc/kmsg as the source of the kernel message.
+Specify - to read from standard input.  This allows klogd to run entirely
+without root privileges.
+.TP
+.B \-s
 Force \fBklogd\fP to use the system call interface to the kernel message
 buffers.
 .TP
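Review bot: the new -P paragraph writes the stdin argument as a bare "-" although this same hunk converts -o, -p and -s to the escaped \- form; use \- here too. The sentence about running without root privileges should also say that some other, privileged process then has to supply the kernel messages on that path or on standard input.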
@@ -100,10 +108,15 @@
 .I /proc
 file system and the syscall (sys_syslog) interface, although
 ultimately they are one and the same.  Klogd is designed to choose
-whichever source of information is the most appropriate.  It does this
-by first checking for the presence of a mounted 
+whichever source of information is the most appropriate.  If the
+.B \-P
+switch is used,
+.B klogd
+opens the specified path as the source of kernel log information.  Otherwise
+.B klogd
+checks for the presence of a mounted 
 .I /proc
-file system.  If this is found the 
+file system and if this is found the 
 .I /proc/kmsg
 file is used as the source of kernel log
 information.  If the proc file system is not mounted 
@@ -321,7 +334,7 @@
 .B klogd
 to reload the module symbol information

Bug#253588: this bug / #253588: tcp(7) contains incorrect/biased information about syncookies

2007-01-24 Thread Andras Korn
On Mon, Jan 08, 2007 at 03:19:47PM +0100, Andi Kleen wrote:

Hi,

> > Since you wrote much of the text of tcp.7, I thought it might be best to
> > consult you.
> >
> > Would you be willing to take a look at the patch proposed here, and comment?
> >
> > For the full thread, see:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253588
>
> I don't think such a detailed discussion fits into the manpage. It drowns
> the other information and doesn't fit.
>
> If you want to change anything just say that syncookies are deprecated and
> shouldn't
> be used anymore.

It's been two weeks and no actual arguments were voiced for or against my
proposed patch.

tcp.7 contains bad FUD about syncookies, which is a disgrace. Nothing
shipped by Debian should contain FUD. See the wikipedia article at
http://en.wikipedia.org/wiki/Syncookies which also says that 'The use of SYN
Cookies does not break any protocol specifications, and therefore should be
compatible with all TCP implementations.' This is actually a well-known fact
in the security community, which makes the presence of the FUD in tcp.7 all
the more appalling.

If you have any more technical concerns, I can refer you to peer-reviewed
papers that deal with anti-synflood mechanisms. You won't find any that
support the view that '[syncookies are] a violation of the TCP protocol.' No
arguments have been brought forth to support this view in this thread
either.

Please, remove the FUD.

I'd be happy to help, so if you don't like my proposed text, tell me how it
should be different (e.g. shorter); but let's not wait another three years,
shall we?

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 My software never has bugs. It just develops random features.





Bug#253588: this bug / #253588: tcp(7) contains incorrect/biased information about syncookies

2007-01-24 Thread Andras Korn
On Thu, Jan 25, 2007 at 09:20:55AM +1100, Andi Kleen wrote:

> > tcp.7 contains bad FUD about syncookies,
>
> I don't see any FUD in there

   tcp_syncookies (Boolean)
  Enable TCP syncookies.  The kernel must be  compiled  with  CON-
  FIG_SYN_COOKIES.  Send out syncookies when the syn backlog queue
  of a socket overflows.  The syncookies feature attempts to  pro-
  tect a socket from a SYN flood attack.  This should be used as a
  
  last resort, if at all.  This is a violation of the  TCP  proto-
  
  col,  and  conflicts  with other areas of TCP such as TCP exten-
  
  sions.  It can cause problems for clients and relays.  It is not
  ~
  recommended  as a tuning mechanism for heavily loaded servers to
  help with overloaded or misconfigured  conditions.   For  recom-
  mended alternatives see tcp_max_syn_backlog, tcp_synack_retries,
  and tcp_abort_on_overflow.

I underlined the FUD.

Summary of facts:

- syncookies are a particular choice of initial sequence number. A host is
allowed to choose its initial sequence number. No violation there.

- as for the conflict: indeed, a connection saved by syncookies cannot use
large windows. But the connection would have been lost without syncookies,
because the backlog has to be full for syncookies to be used. So
effectively, you are saying that while syncookies 'conflict with TCP
extensions', dropping the connection attempts does not.

- because initial sequence numbers are arbitrary, a particular choice of
sequence number cannot cause problems for clients or relays, because they
can't assume anything about the ISN anyway.

- actually, there is no other working mechanism in the Linux kernel that
would allow a host to weather a syn flood while still being able to provide
TCP service on the attacked ports. (I guess you could come up with something
very complicated using tc, but that would still drop legitimate connections
from the same subnet as the attack.) Therefore, the best advice is in fact
to _enable_ syncookies unless the server has asymmetric bandwidth, with
upstream being much less than downstream.

But I'd be interested in hearing your arguments.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Sure you can trust the government. Just ask the Indians.
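
The two points argued in the message above (a syncookie is only a particular choice of initial sequence number, and a connection it saves loses options such as window scaling) as an added example; this is not code from the thread or from the Linux kernel. It uses the 5-bit counter, 3-bit MSS index, 24-bit hash layout of Bernstein's original description; HMAC-SHA256 stands in for the kernel's hash, and the MSS table, key, addresses and the Listener class are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import socket
import struct

COUNTER_PERIOD = 64      # seconds per time-counter tick
MAX_AGE_TICKS = 1        # accept cookies from the current or the previous tick
MASK32 = 0xFFFFFFFF
# Constructed table: the 3 MSS bits in the cookie select one of 8 values.
MSS_TABLE = (64, 536, 1024, 1220, 1360, 1440, 1452, 1460)


def _mac24(key, saddr, sport, daddr, dport, tick, mss_idx):
    """24-bit keyed hash over the 4-tuple, time counter and MSS index."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHIB", sport, dport, tick, mss_idx))
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]


def encode_mss(client_mss):
    """Index of the largest table entry <= client_mss (0 if none fits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def make_cookie(key, saddr, sport, daddr, dport, client_mss, now):
    """32-bit ISN: 5 bits tick mod 32 | 3 bits MSS index | 24 bits MAC."""
    tick = int(now) // COUNTER_PERIOD
    idx = encode_mss(client_mss)
    mac = _mac24(key, saddr, sport, daddr, dport, tick, idx)
    return ((tick % 32) << 27) | (idx << 24) | int.from_bytes(mac, "big")


def check_cookie(key, saddr, sport, daddr, dport, ack_number, now):
    """Return the MSS encoded in a valid, fresh cookie, else None."""
    cookie = (ack_number - 1) & MASK32
    t5, idx = cookie >> 27, (cookie >> 24) & 7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    now_tick = int(now) // COUNTER_PERIOD
    for age in range(MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if tick < 0 or tick % 32 != t5:
            continue
        expected = _mac24(key, saddr, sport, daddr, dport, tick, idx)
        if hmac.compare_digest(mac, expected):
            return MSS_TABLE[idx]
    return None


class Listener:
    """Toy listening socket: normal backlog first, cookies only when it is full."""

    def __init__(self, key, addr, port, backlog):
        self.key, self.addr, self.port, self.backlog = key, addr, port, backlog
        self.half_open = {}          # (saddr, sport) -> (isn, options)

    def on_syn(self, saddr, sport, mss, wscale, now):
        """Return the ISN to put in the SYN-ACK."""
        if len(self.half_open) < self.backlog:
            isn = secrets.randbits(32)
            self.half_open[(saddr, sport)] = (isn, {"mss": mss, "wscale": wscale})
            return isn
        # Backlog full: the ISN itself carries the state, nothing is stored.
        return make_cookie(self.key, saddr, sport, self.addr, self.port, mss, now)

    def on_ack(self, saddr, sport, ack_number, now):
        """Return the options of an accepted connection, or None to drop."""
        entry = self.half_open.get((saddr, sport))
        if entry and ((entry[0] + 1) & MASK32) == ack_number:
            del self.half_open[(saddr, sport)]
            return dict(entry[1], via="backlog")
        mss = check_cookie(self.key, saddr, sport, self.addr, self.port,
                           ack_number, now)
        if mss is None:
            return None
        # Only the MSS fitted into the cookie; window scaling is gone.
        return {"mss": mss, "wscale": None, "via": "syncookie"}


def demo():
    """Constructed scenario: two unanswered SYNs fill the backlog, then a client connects."""
    srv = Listener(b"constructed-demo-key", "192.0.2.10", 25, backlog=2)
    t0 = 1_000_000
    srv.on_syn("198.51.100.1", 1111, 1460, 7, t0)    # never completed
    srv.on_syn("198.51.100.2", 2222, 1460, 7, t0)    # never completed
    isn = srv.on_syn("203.0.113.9", 40000, 1460, 7, t0)
    stored = len(srv.half_open)                       # still 2
    ok = srv.on_ack("203.0.113.9", 40000, (isn + 1) & MASK32, t0 + 30)
    forged = srv.on_ack("203.0.113.9", 40000, ((isn ^ 1) + 1) & MASK32, t0 + 30)
    stale = srv.on_ack("203.0.113.9", 40000, (isn + 1) & MASK32, t0 + 200)
    return stored, ok, forged, stale


if __name__ == "__main__":
    print(demo())
```

Without the cookie path the third SYN would simply have been dropped, which is the comparison the message makes about "conflicting with TCP extensions".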





Bug#253588: this bug / #253588: tcp(7) contains incorrect/biased information about syncookies

2007-01-24 Thread Andras Korn
On Thu, Jan 25, 2007 at 09:20:55AM +1100, Andi Kleen wrote:

> > tcp.7 contains bad FUD about syncookies,
>
> I don't see any FUD in there

Hey, you actually _wrote_ much of the Linux syncookie implementation. Now
I'm really interested in knowing why you changed your mind about them. And
the manpage should definitely include your arguments, if they are valid,
which I still doubt.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   The more people I meet, the more I like my dog.





Bug#287369: closed by Sven Arvidsson [EMAIL PROTECTED] (Close 287369)

2007-04-26 Thread Andras Korn
On Thu, Apr 26, 2007 at 08:45:12PM +, Debian Bug Tracking System wrote:

Hi,

> I'm closing this bug as there have been no activity, or no response to
> followup questions, and new releases of the package in question which
> likely has fixed this bug or made it obsolete.

Sorry, I didn't receive your followup from 2005.

I'm not currently in a position to test this behaviour with a new version of
nautilus, but I can at least attach a test file.

I'll try to remember and see what nautilus does with it. Just give me a few
days.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Learn bomb disposal at home. Send 29.95 to...

This is a text file created with 
MicrosoftŽ Word! and saved as  Unicode 
Text .

Bla

Bla

Bla



Let s add a few international 
characters for good measure:



Öt szép szqzlány Qrült írót nyúz.



Voix ambiguë d'un coeur qui au zéphyr 
préfčre les jattes de kiwis.



El veloz murciélago hindú comía feliz 
cardillo y kiwi. La cigüeńa tocaba el 
saxofón detrás del palenque de paja.



Pijamal1 hasta, ya1z _oföre çabucak 
güvendi.





Bug#287369: closed by Sven Arvidsson [EMAIL PROTECTED] (Close 287369)

2007-04-27 Thread Andras Korn
On Fri, Apr 27, 2007 at 12:09:11AM +0200, Sven Arvidsson wrote:

> On Thu, 2007-04-26 at 23:21 +0200, Andras Korn wrote:
> > Sorry, I didn't receive your followup from 2005.
> >
> > I'm not currently in a position to test this behaviour with a new version of
> > nautilus, but I can at least attach a test file.
> >
> > I'll try to remember and see what nautilus does with it. Just give me a few
> > days.
>
> Sure, a test file would be great.

OK, I can confirm the bug is gone in nautilus 2.16.0-0ubuntu3. Not sure when
it disappeared.

Thanks

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Hardware: The part you kick. Software: this you corrupt!



Bug#432265: Uses more than double amount of memory on 64bit

2007-07-08 Thread Andras Korn
Package: amavisd-new
Version: 1:2.4.2-6.1
Severity: normal

Hi,

I just noticed that two almost identical amavisd-new installations had
wildly different memory usages.

The only difference is that one system is i386, whereas the other amd64.

On i386, top reports:

 VIRT  RES  SHR CODE DATA SWAP nFLT %MEM   TIME+  COMMAND
58660  52m 5176 1024  46m 47009  5.3  0:01.94 amavisd (master)
59428  49m 1468 1024  46m 91760  4.9  0:00.00 amavisd (virgin child)
59428  49m 1440 1024  46m 92040  4.9  0:00.01 amavisd (virgin child)
59428  49m 1464 1024  46m 91800  4.9  0:00.01 amavisd (virgin child)

Whereas on amd64:

 VIRT  RES  SHR CODE DATA SWAP nFLT %MEM   TIME+  COMMAND
 164m  95m 9016   12  83m  68m   12  9.5  0:02.93 amavisd (master)
 165m  88m 1408   12  83m  77m0  8.8  0:00.01 amavisd (virgin child)
 165m  88m 1400   12  83m  77m0  8.8  0:00.01 amavisd (virgin child)
 165m  88m 1372   12  83m  77m0  8.8  0:00.01 amavisd (virgin child)

Both were started a few minutes ago, so the difference isn't caused by the
64bit version having been running for a long time.

I'm having a hard time accepting this difference as normal.

Maybe this is a bug in perl?

i386:  This is perl, v5.8.8 built for i486-linux-gnu-thread-multi
amd64: This is perl, v5.8.8 built for x86_64-linux-gnu-thread-multi

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   The future has been cancelled owing to lack of interest.





Bug#430951: Please support linux-vserver

2007-06-28 Thread Andras Korn
Package: runit
Version: 1.7.2-1
Severity: wishlist

Hi,

it would be great to be able to use runit to supervise processes running in
vserver guests.

Using a kludge, this is already sort of possible; see
http://linux-vserver.org/Running_runit-supervised_services_inside_a_vserver

Essentially, the only addition needed is to do something like

xid_t xid = vc_get_task_xid(child);
vc_ctx_kill(xid, child, signal);

instead of just kill(), provided vserver support is enabled in runit and the
kernel.

See http://people.linux-vserver.org/~dhozac/t/signal-relay.c which is the
kludge program to enable runit to control processes in vserver guests.

I guess this support needs to be a compile-time option to avoid creating
unnecessary dependencies.

Thanks

Andras

-- System Information:
Debian Release: 4.0
  APT prefers feisty-updates
  APT policy: (1200, 'feisty-updates'), (1200, 'feisty-security'), (1200, 
'feisty-backports'), (1200, 'feisty'), (100, 'experimental'), (100, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.13-vs2.2.0-chardonnay
Locale: LANG=, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

runit depends on no packages.

Versions of packages runit recommends:
pn  fgetty  <none>  (no description available)

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
A stitch in time would have confused Einstein.





Bug#431069: Unnecessary dependency on patch

2007-06-29 Thread Andras Korn
Package: cupsys
Version: 1.2.7-2
Severity: normal

Hi,

cupsys depends on patch but doesn't appear to use it.

dlocate -L cupsys | xargs zfgrep patch only returns hits from the
documentation.

Maybe the dependency isn't needed?

Andras

-- System Information:
...
Versions of packages cupsys depends on:
...
ii  patch  2.5.9-4   Apply a diff file to an original
...
-- debconf information excluded

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Beauty is just a light switch away... 'click!'





Bug#419003: 64bit issues

2007-04-13 Thread Andras Korn
exit(1 unfinished ...
SYS_exit_group(1 unfinished ...
+++ exited (status 1) +++

uname -a: Linux cador 2.6.15-1-amd64-generic #2 Tue Mar 7 06:24:40 UTC 2006 
x86_64 GNU/Linux

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (1200, 'unstable'), (500, 'feisty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.19.2-vs2.2.0-rc8.7-hellgate (PREEMPT)
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages sing depends on:
ii  debconf [debconf-2.0]   1.5.11   Debian configuration management sy
ii  libc6   2.5-0ubuntu9 GNU C Library: Shared libraries
ii  libnet0 1.0.2a-7 library for the construction and h
ii  libpcap0.8  0.9.5-1  System interface for user-level pa

sing recommends no packages.

-- debconf information excluded

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Mind Like A Steel Trap - Rusty And Illegal In 37 States.





Bug#324524: Copyright text not embedded in small images that don't need resizing

2005-08-22 Thread Andras Korn
Package: libapache-gallery-perl
Version: 0.99-svn050524-1
Severity: normal

Hi,

if an image is smaller than the minimum selectable resolution specified in
the configuration, that is, A::G doesn't need to resize it, the copyright
image isn't superimposed on it; effectively, the user gets to see the
original, even if originals are otherwise not served.

Example: http://chardonnay.math.bme.hu/~korn/gallery/Egyeb/20050820-repulok/

The second, relatively high-resolution picture has the copyright; the other,
low-res (and poor quality, but that's not the point) pictures don't.

Obviously there will be a point where the original image is smaller than the
copyright image, but this is not it.

Best regards,

Andras

-- System Information:
Debian Release: testing/unstable
  APT prefers warty-updates
  APT policy: (500, 'warty-updates'), (500, 'warty-security'), (500, 'warty'), 
(500, 'oldstable'), (500, 'hoary-security'), (500, 'hoary'), (500, 'unstable'), 
(1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages libapache-gallery-perl depends on:
ii  libapache-request-perl1.1-0.1Generic Apache Request Library
ii  libimage-imlib2-perl  1.04-1 perl interface to the imlib2 imagi
ii  libimage-info-perl1.16-2 allows extraction of meta informat
ii  libimage-size-perl2.992-1determine the size of images in se
ii  libtemplate-perl  2.14-1 template processing system written
ii  libtext-template-perl 1.44-1.1   Text::Template perl module
ii  perl  5.8.7-4Larry Wall's Practical Extraction 

libapache-gallery-perl recommends no packages.

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Discoveries are made by not following instructions.





Bug#329146: Please add setting to the effect of don't pop up any windows other than conversation windows. ever. not even if you, like, really feel like it.

2005-09-19 Thread Andras Korn
Package: gaim
Version: 1:1.5.0-1
Severity: wishlist

Hi,

gaim currently pops up all kinds of windows whether the user wants them or
not:

- the buddy list is popped up when the user checks an 'online' checkbox
in the account dialog

- connection status notification windows are popped up when
auto-reconnecting (sometimes the buddy list seems to pop up too)

- connection error notifications are popped up if a connection error occurs

- the away message has its own window, which negates away status if closed

What's really annoying is that some of these windows even steal input focus
or overlap other gaim windows the user had been working with. A good example
of this is the buddy list, which tends to appear right on top of the
accounts dialog so I can't log on with more than one account at a time
without closing it. (Sure, I could move it away, but I'd prefer if it didn't
even appear in the first place.) The connection status notification dialogs
behave in a similar way, but at least they disappear on their own after a
while.

Some of these can/could apparently be disabled via preferences, but the
settings are confusing (it's not obvious which window is which, or where to
disable a certain popup - for example, what's the difference between hide
disconnect errors and hide login errors in the auto-reconnect plugin
settings?).

I think it would be better to have all window-related settings in one place
(possibly keeping them in their current location as well for the sake of
people who somehow got used to them as they are).

-- System Information:
Debian Release: testing/unstable
  APT prefers warty-updates
  APT policy: (500, 'warty-updates'), (500, 'warty-security'), (500, 'warty'), 
(500, 'hoary-security'), (500, 'hoary'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages gaim depends on:
ii  gaim-data1:1.5.0-1   multi-protocol instant messaging c
ii  libao2   0.8.6-1.1   Cross Platform Audio Output Librar
ii  libaspell15  0.60.3-5GNU Aspell spell-checker runtime l
ii  libatk1.0-0  1.10.3-1The ATK accessibility toolkit
ii  libaudiofile00.2.6-6 Open-source version of SGI's audio
ii  libc62.3.5-6 GNU C Library: Shared libraries an
ii  libgcrypt11  1.2.1-4 LGPL Crypto library - runtime libr
ii  libglib2.0-0 2.8.0-1 The GLib library of C routines
ii  libgnutls11  1.0.16-13.1 GNU TLS library - runtime library
ii  libgtk2.0-0  2.8.3-1 The GTK+ graphical user interface 
ii  libgtkspell0 2.0.10-3a spell-checking addon for GTK's T
ii  libice6  6.8.99.900.dfsg.1-0pre1 Inter-Client Exchange library
ii  libpango1.0-01.10.0-2Layout and rendering of internatio
ii  libsm6   6.8.99.900.dfsg.1-0pre1 X Window System Session Management
ii  libstartup-notif 0.8-1   library for program launch feedbac
ii  libx11-6 6.8.99.900.dfsg.1-0pre1 X Window System protocol client li
ii  libxext6 6.8.99.900.dfsg.1-0pre1 X Window System miscellaneous exte
ii  libxss1  6.8.99.900.dfsg.1-0pre1 X Screen Saver client-side library
ii  xlibs6.8.99.900.dfsg.1-0pre1 X Window System client libraries m

gaim recommends no packages.

-- no debconf information

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
A day without sunshine is like a night.





Bug#316360: Please update magyar.ldf

2005-06-30 Thread Andras Korn
Package: tetex-base
Version: 3.0-3
Severity: wishlist
Tags: l10n

Hi,

please update /usr/share/texmf/tex/generic/babel/magyar.ldf to the new
version available from
http://www.math.bme.hu/~pts/cvsget.cgi/u=magyar/p=/M=lakk/c=f1/n=/lakk/texmf/tex/generic/magyar/magyar.ldf
- the mathematicians tell me many things don't work correctly with the old
one. I can ask them to elaborate if necessary.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   I'd love to go out with you, but I have to floss my cat.





Bug#316360: Please update magyar.ldf

2005-06-30 Thread Andras Korn
On Thu, Jun 30, 2005 at 05:32:26PM +0200, Frank Küster wrote:

> > Package: tetex-base
> > Version: 3.0-3
> > Severity: wishlist
> > Tags: l10n
> >
> > Hi,
> >
> > please update /usr/share/texmf/tex/generic/babel/magyar.ldf to the new
> > version available from
> > http://www.math.bme.hu/~pts/cvsget.cgi/u=magyar/p=/M=lakk/c=f1/n=/lakk/texmf/tex/generic/magyar/magyar.ldf
> > - the mathematicians tell me many things don't work correctly with the old
> > one. I can ask them to elaborate if necessary.
>
> Ah, interesting.  What kind of repository is this, and what is the lakk
> module?

Um, I have no idea whatsoever. Putting Peter Szabo on Cc, maybe he can
clarify.

> teTeX is usually made from CTAN, therefore it would be best if you ask
> Peter Szabo to upload the file (together with magyar.dtx) to CTAN.
> Furthermore, he should add again the license statement that was in the
> earlier version.
>
> I hope that this is in fact a newer version, and not a fork -- the file
> in our package says that Arpad Biro and Joszef Berces own copyright from
> work until 2004 and doesn't mention Peter Szabo, while the file at the
> above link says that Peter was working on it since 2003, and Joszef
> stopped working in 2001.  This should really be cleared up --
> unfortunately I don't have an e-mail address of any of them.
>
> Regards, Frank
> --
> Frank Küster
> Inst. f. Biochemie der Univ. Zürich
> Debian Developer

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 I won't drink any more. But no less, either.





Bug#478966: cron.daily/standard not silent

2008-05-01 Thread Andras Korn
Package: cron
Version: 3.0pl1-100
Severity: normal

Hi,

the following part of the standard cronjob can produce an uninteresting
error message:

# Get a list of the (potential) ext2, ext3 and xfs l+f directories
df -P --type=ext2 --type=ext3 --type=xfs |

If there are no matching filesystems, this says "df: no file systems
processed", which is neither helpful nor interesting, but results in mail
being sent.

I suggest 2>&1 and grepping this particular error out, or something similar.

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.18-vs2.2.0.6-arcadia (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages cron depends on:
ii  adduser  3.105   add and remove users and groups
ii  debianutils  2.25.2  Miscellaneous utilities specific t
ii  libc62.7-6   GNU C Library: Shared libraries
ii  libpam0g 0.99.7.1-5  Pluggable Authentication Modules l
ii  libselinux1  2.0.15-2+b1 SELinux shared libraries
ii  lsb-base 3.1-24  Linux Standard Base 3.1 init scrip

Versions of packages cron recommends:
ii  qmail [mail-tra 1.03-43+kqmail20051105-7 Secure, reliable, efficient, simpl

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 I just got my phone bill. Buy ATT stock now!






Bug#478967: cron.daily/standard contains race condition

2008-05-01 Thread Andras Korn
Package: cron
Version: 3.0pl1-100
Severity: normal

While looking at the script, I couldn't help noticing what I believe to be a
race condition with potentially harmful consequences.

In the beginning, you have:

lockfile-touch $LOCKFILE &
LOCKTOUCHPID=$!

Then you do a number of things which can potentially take forever, and in
the end you have:

if [ -x /usr/bin/lockfile-create ] ; then
    kill $LOCKTOUCHPID
    lockfile-remove $LOCKFILE
fi

There are several things wrong with this:

#1. lockfile-touch may die in the meantime (for whatever reason, OOM is one
example that comes to mind). Its PID may be reused, so in the end, you may
end up killing the wrong process.

Also, if lockfile-touch dies, a second instance of the standard script may
obtain a lock on the lockfile and execute in parallel with the previous one,
and so on.

#2. lockfile-create may be uninstalled while the script is being executed,
so you start a lockfile-touch process in the beginning but don't kill it at
the end. The process may stick around forever. Better test for
[ -n "$LOCKTOUCHPID" ], if you must do locking this way.

Regarding #1, I think it would be a far better approach to launch the script
so that it itself holds a lock on the lockfile. chpst(8) from the runit
package could be used for that, like this:

#!/bin/sh
LOCKFILE=/var/lock/cron.daily.lock
# Re-exec under chpst unless this invocation already holds the lock.
[ "$1" = have-lock ] || exec chpst -L "$LOCKFILE" "$0" have-lock
# rest of script

This results in chpst getting a lock for $LOCKFILE and then exec()ing the
daily standard script again, with the lockfile open on one of its FDs and
the lock held. The lock automatically expires when the script exits. No need
to keep a lockfile daemon running or to use fragile heuristics to kill
random processes at the end. :)

chpst exits with an error if it can't get the lock.

I'm sure lockfile-progs could be enhanced to include similar (trivial)
functionality if you don't want to rely on chpst.

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.18-vs2.2.0.6-arcadia (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages cron depends on:
ii  adduser      3.105        add and remove users and groups
ii  debianutils  2.25.2       Miscellaneous utilities specific t
ii  libc6        2.7-6        GNU C Library: Shared libraries
ii  libpam0g     0.99.7.1-5   Pluggable Authentication Modules l
ii  libselinux1  2.0.15-2+b1  SELinux shared libraries
ii  lsb-base     3.1-24       Linux Standard Base 3.1 init scrip

Versions of packages cron recommends:
ii  qmail [mail-tra 1.03-43+kqmail20051105-7 Secure, reliable, efficient, simpl

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Ok, I pulled the pin. Now what? Where are you going?
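
The same idea with flock(1) in place of chpst, as an added example (not part of the report or of the cron package): the lock lives on a file descriptor of the script itself, so the SIGKILL case from point #1 releases it without any PID bookkeeping. It assumes flock(1) from util-linux; the function names and the temporary lock path are made up for the demonstration.

```shell
#!/bin/sh
# Added example: not from the bug report and not the cron package's script.
# Assumes flock(1) from util-linux; names and paths below are made up.

# try_lock LOCKFILE
# Opens LOCKFILE on fd 9 of the calling shell and takes an exclusive,
# non-blocking lock on that descriptor. The kernel drops the lock when the
# last copy of the descriptor is closed, i.e. when the shell exits or is
# killed, so there is no helper PID to remember and no lock file to remove.
# Children inherit fd 9 and keep the lock alive; start long-lived ones
# with "9>&-" if they must not hold it.
try_lock() {
    exec 9>>"$1" || return 2
    flock -n 9
}

# lock_demo
# Replays point #1 of the report on a constructed lock file: a holder takes
# the lock and is killed with SIGKILL (as the OOM killer would do); a second
# instance is attempted before and after the kill.
# Prints "busy free" when the lock followed the process as described.
lock_demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_lock=$demo_dir/cron.daily.lock
    mkfifo "$demo_dir/gate" || return 1

    # Holder: take the lock, report readiness, then block inside the shell
    # itself (opening a FIFO that never gets a writer), so no child process
    # is left holding a copy of fd 9.
    {
        try_lock "$demo_lock" && : >"$demo_dir/ready" &&
            read -r unused <"$demo_dir/gate"
    } >/dev/null 2>&1 &
    holder=$!

    # Wait up to about 5 seconds for the holder to own the lock.
    tries=0
    while [ ! -e "$demo_dir/ready" ] && [ "$tries" -lt 50 ]; do
        sleep 0.1
        tries=$((tries + 1))
    done
    if [ ! -e "$demo_dir/ready" ]; then
        kill -9 "$holder" 2>/dev/null || :
        rm -rf "$demo_dir"
        return 1
    fi

    # Second instance while the holder is alive: must be refused.
    if ( try_lock "$demo_lock" ); then before=free; else before=busy; fi

    # Holder dies without any cleanup of its own.
    kill -9 "$holder"
    wait "$holder" 2>/dev/null || :

    # Second instance after the kill: the lock is gone with the process.
    if ( try_lock "$demo_lock" ); then after=free; else after=busy; fi

    rm -rf "$demo_dir"
    echo "$before $after"
}
```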






Bug#478967: cron.daily/standard contains race condition

2008-05-01 Thread Andras Korn
Hey,

I just noticed I reported this problem already, almost five years ago. :)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=194805#15

But I didn't suggest a better solution then, so there is some progress at
least. :)

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Due to maintenance, AT buses will run on the PCI bus lines until tomorrow.






Bug#149395: This is really two requests.

2008-05-01 Thread Andras Korn
Hi,

for some reason, I never received your follow-up from 2003. I just found it
while browsing my bugreports.

> Yep, an include directive would be nice.  Under what circumstances do
> you think it is needed?

It would be especially great if it could work recursively, like apache's.

Scripts could generate, remove and update interface definitions a lot more
easily (because there would only be one interface definition per file).

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
The Jews are God's chosen people. The Eskimos are God's frozen people.






Bug#386207: Please improve documentation

2008-05-04 Thread Andras Korn
On Sun, May 04, 2008 at 12:49:31PM +0200, Michael Mende wrote:

Hi,

> I guess the problem is solved by linking against libpcre.

This is good news.

> I tried to reproduce your example with current version and it worked as
> expected:
>
> CheckURL ^/foo($|/):
> http://bla/foo - HTTP/1.1 404 Not Found
> http://bla/foo/ - HTTP/1.1 404 Not Found
> http://bla/foo/bla - HTTP/1.1 404 Not Found
> http://bla/blafoo/ - HTTP/1.0 501 Not Implemented
>
> The 404 errors are ok, because there is no `foo' on the webserver.
>
> If you have no objection, I would like to close this bug.

Fine with me, as long as the documentation says that perl compatible regular
expressions can be used. I think a single sentence suffices.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  After they make styrofoam, what do they ship it in?






Bug#354017: Please include fixed in xfonts-base package description

2006-02-22 Thread Andras Korn
Package: xfonts-base
Version: 6.8.99.900.dfsg.1-0pre1
Severity: minor

Hi,

currently it's difficult for someone with little knowledge of the Debian
package pool to find out what package is missing if an X server reports
"unable to open default font 'fixed'". It would be great if apt-cache search
could be used to discover xfonts-base.

The paragraph

 If you are not using a remote font server, you must install this package if
 you are installing an X server.  It contains fonts without which X servers
 will not work.

could be rephrased to read

 If you are not using a remote font server, you must install this package if
 you are installing an X server.  It contains fonts such as 'fixed' without
 which X servers will not work.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   How do you make Windows faster? Throw it harder!





Bug#351436: Please make graph_width, graph_height and possibly others configurable per-node and/or per-server

2006-02-04 Thread Andras Korn
Package: munin-node
Version: 1.2.4-1
Severity: wishlist

Hi,

it'd be useful to be able to adjust the size of the graphs centrally.

Shouldn't be very hard to do either. If the plugin doesn't specify
graph_width, just use what's in the nodewise or serverwise config.

Andras

Ps. and what about the nut plugin I submitted? :)

-- System Information:
Debian Release: unstable
  APT prefers breezy-security
  APT policy: (500, 'breezy-security'), (500, 'breezy'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages munin-node depends on:
ii  adduser             3.77       Add and remove users and groups
ii  libnet-server-perl  0.87-3     An extensible, general perl server
ii  lsb-base            3.0-15     Linux Standard Base 3.0 init scrip
ii  perl                5.8.7-5    Larry Wall's Practical Extraction
ii  procps              1:3.2.5-1  /proc file system utilities

Versions of packages munin-node recommends:
pn  libnet-snmp-perl  none (no description available)

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  I'd love to go out with you, but it's too close to the turn of the century.





Bug#352837: Consider using irc (perhaps other IM?) as a communication backend

2006-02-14 Thread Andras Korn
Package: munin
Version: 1.2.4-1
Severity: wishlist

Hi,

a crazy idea just hit me. Wouldn't it be cool to use irc, or some other
instant messenger as the communication medium between the munin 'server' and
munin-nodes?

The server and all the nodes would just join a channel on a server; the
nodes would periodically announce their values (or they could be prompted
via PRIVMSG), and the grapher would just need to harvest the channel for the
data.

The advantage would be that no direct 'server'<=>node communication would be
necessary, which can be tricky in firewalled/NATed/dynamic IP scenarios.
Also, the overhead of setting up potentially large numbers of tcp sessions
could be eliminated.

There certainly are security issues (channel takeover and whatnot), but
these are only relevant if a public irc network is used. The channel could
have a key; the chatter could be encrypted; etc.

Other IMs like ICQ and Jabber could also be used.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   I'd give my right arm to be ambidextrous.





Bug#355607: svlogd: please support hierarchical configuration

2006-03-06 Thread Andras Korn
Package: runit
Version: 1.3.3-1
Severity: wishlist

Hi,

I'm using socklog and svlogd to manage logs coming in from several boxes via
UDP.

Configuration would be a lot easier if I could have a hierarchical
setup where I have a directory tree for each syslog client and can select
only lines coming from that client in the root of that tree.

For example, assuming I have box1 at 1.2.3.4 and box2 at 2.3.4.5, I'd like
to be able to have the following directory tree:

box1/
box1/mail/
box1/cron/
box1/kernel/
[...]
box2/
box2/firewall/
box2/kernel/
box2/mail/
[...]

box1/config could read something like this:
---8---
-*
+1.2.3.4:*
/mail
/cron
/kernel
---8---

In box1/mail I would then do:
---8---
s123456
n123
-*
+*mail*
---8---

The benefit would be that I could use the same 'mail/config' for both box1
and box2, and would only need to modify the IP address of each box in one
place if it changes.

The inverse could also be useful (mail/box1, mail/box2 etc.).

Although something similar albeit less flexible can already be achieved
using a template-based approach with e.g. sed, I feel this feature wouldn't
bloat svlogd very much. I don't think directory trees deeper than, say, 3
levels would be useful either.

Best regards,

Andras

Ps. any plans to implement multilog's = command (log status to file)?

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Crime, Sex, Alcohol, Drugs... God, I love Congress!





Bug#355859: When using pinning or --target-release, upgrades packages to the already installed version

2006-03-08 Thread Andras Korn
Package: apt
Version: 0.6.43.2ubuntu1
Severity: normal

Hi,

If pinning or the --*-release= options are used, apt seems to treat
available packages with the highest priority as newer than the already
installed packages even if they have the same version.

This is from an apt-get dist-upgrade:

[...]
Preparing to replace ncftp 2:3.1.9-1 (using .../ncftp_2%3a3.1.9-1_amd64.deb) ...
Preparing to replace netmask 2.3.7 (using .../netmask_2.3.7_amd64.deb) ...
Preparing to replace netmon-applet 0.4-11 (using .../netmon-applet_0.4-11_amd64.deb) ...
Preparing to replace ntfsprogs 1.12.1-1 (using .../ntfsprogs_1.12.1-1_amd64.deb) ...
[...]

If I rerun apt-get dist-upgrade after it has completed, it again tries to
upgrade the same packages to the already installed version. While this is
mostly harmless, it potentially wastes large amounts of bandwidth.

# apt-get -u dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages have been kept back:
  libkrb5-17-heimdal sasl2-bin unixodbc
The following packages will be upgraded:
  antiword apcalc atftp aumix awesfx base-passwd bc camorama ccache cpio cvs
  dc deborphan devfsd directory-administrator dlocate dmake docbook-xml
  dosbox dosfstools dvdauthor fbset fdutils finger flow-tools fping
  freeglut3 ftp glunarclock gnome-doc-tools gnome-photo-printer
  gnome-randr-applet gnome-swallow-applet gocr gpdf gphotocoll grep
  grep-dctrl groff groff-base gsfonts gtk2-engines-cleanice
  gtk2-engines-magicchicken gtk2-engines-qtpixmap gtk2-engines-spherecrystal
  gtk2-engines-wonderland gtkhtml3.6 gtm gtweakui gzip hermes1 html2text
  indent ipchains ipmasqadm ksymoops less libaa1 libadns1 libapr0 libatm1
  libaudiofile0 libavc1394-0 libbeecrypt6 libcap1 libcln4 libcroco3 libdb2
  libdb3 libdb3-util libdc1394-13 libdvbpsi4 libdvdread3 libedit2 libelfg0
  libevent-perl libevent1 libexpat1 libgc1c2 libgcrypt11 libgdbm3
  libgdk-pixbuf-gnome2 libgdk-pixbuf2 libgimpprint1 libgnomecups1.0-1
  libgnomeprint-bin libgnomeprint15 libgtk1.2 libgtkhtml3.6-18 libgtkspell0
  libid3-3.8.3c2a libid3tag0 libieee1284-3 libimlib2 libintl-gettext-ruby1.8
  libintl-xs-perl liblocale-gettext-perl liblockfile1 libltdl3 liblzo1
  libmad0 libmodplug0c2 libmpcdec3 libnfsidmap1 libntfs8 libopencdk8
  liborbit0 libpcap0.8 libpcd2 libpixman1 libpng12-0 libpvm3 libqalculate1
  libruby1.8 libsdl-net1.2 libshout3 libsmpeg0 libsqlite3-0 libtag1c2a
  libtar libtext-charwidth-perl libtext-iconv-perl libwavpack0 libwmf0.2-7
  libxml-parser-ruby1.8 libxml1 localepurge logrotate lsof m4 man-db mdetect
  menu mii-diag mpg321 nasm ncftp netmask netmon-applet ntfsprogs nvi
  pidentd pkg-config powermgmt-base ppthtml prelink psmisc pump pvm
  python2.3-numeric qalc rdesktop ruby1.8 sed setserial sgml-data
  shared-mime-info sharutils socklog sox tcsh telnet time toolame traceroute
  vacation vgrind vorbis-tools wamerican watchdog wget zip
172 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Need to get 0B/35.1MB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]?

All these packages are already the version apt wants to upgrade them to.

While this specific box runs an apt from Ubuntu, the problem is also present
in Debian's apt.

/etc/apt/preferences:

Package: *
Pin: release o=Ubuntu
Pin-Priority: 1200

Package: *
Pin: release o=Debian
Pin-Priority: 100

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Taxation is little more than legalized extortion.





Bug#360984: Tries to update auto-whitelist for wrong user

2006-04-05 Thread Andras Korn
Package: spamassassin
Version: 3.1.0a-2
Severity: normal

Hi,

I run spamassassin with the following command line:

spamd -c -H -m 2 -i 0.0.0.0 -A some-ips --syslog-socket=unix

Both local and remote users use spamc -f in their .procmailrc to have their
mail filtered. auto-whitelisting is turned on.

Sometimes (often), the following happens:

2006-03-24 03:31:30.188563500 [13731] info: spamd: connection from remoteclient [192.168.0.15] at port 49250
2006-03-24 03:31:36.071642500 [13731] info: spamd: handle_user unable to find user: remoteuser
2006-03-24 03:31:36.649337500 [13731] warn: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/sbin/spamd line 1150, GEN662 line 4.
2006-03-24 03:31:43.034921500 [13731] info: spamd: processing message message_id for remoteuser:65534
2006-03-24 03:32:35.643921500 [13731] error: locker: safe_lock: cannot create lockfile /home/localuser/.spamassassin/auto-whitelist.mutex: Permission denied
2006-03-24 03:32:35.694168500 [13731] warn: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create lockfile /home/localuser/.spamassassin/auto-whitelist.mutex: Permission denied
2006-03-24 03:32:35.765700500 [13731] error: Can't call method finish on an undefined value at /usr/share/perl5/Mail/SpamAssassin/Plugin/AWL.pm line 397.
2006-03-24 03:32:36.920501500 [13731] info: spamd: clean message (0.0/5.0) for elan:65534 in 67.3 seconds, 4017 bytes.
2006-03-24 03:32:36.932078500 [13731] info: spamd: result: .  0 -  scantime=67.3,size=4017,user=remoteuser,uid=65534,required_score=5.0,rhost=remoteclient,raddr=192.168.0.15,rport=49250,mid=message_id,autolearn=no

The username of remoteuser doesn't exist locally, so spamd is right in
falling back to nobody. However, it shouldn't try to fiddle with the
auto-whitelist settings of localuser (incidentally, one of the local users
who also use spamc -f).

Could it be that spamd somehow unintentionally remembers the location of the
last auto-whitelist file it updated, and only changes this value if the
specified local username exists, but not on falling back to the nobody user?

Andras

-- System Information:
Debian Release: unstable
  APT prefers breezy-security
  APT policy: (500, 'breezy-security'), (500, 'breezy'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.7-chardonnay-skas3-v8-rc2
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages spamassassin depends on:
ii  libdigest-sha1-perl   2.10-1   NIST SHA-1 message digest algorith
ii  libhtml-parser-perl   3.45-2   A collection of modules that parse
ii  libnet-dns-perl       0.48-1   Perform DNS queries from a Perl sc
ii  libsocket6-perl       0.17-1   Perl extensions for IPv6
ii  perl                  5.8.7-5  Larry Wall's Practical Extraction

Versions of packages spamassassin recommends:
ii  libmail-spf-query-perl      1.997-2   Query SPF (Sender Permitted From)
ii  perl [libmime-base64-perl]  5.8.7-5   Larry Wall's Practical Extraction
ii  spamc                       3.1.0a-2  Client for SpamAssassin spam filte

-- debconf information:
  spamassassin/upgrade/2.40:
  spamassassin/upgrade/2.40w:
  spamassassin/upgrade/cancel: Continue
* spamassassin/upgrade/2.42: No
  spamassassin/upgrade/2.42m: No
  spamassassin/upgrade/2.42u: No

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Would you like a Y/N prompt (Y/N)?
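
One way to spot this in the logs, as an added example (not SpamAssassin code): track which user each spamd child is scanning for and flag any later line from the same child that names another user's home directory. The /home/USER/ layout and the function names are assumptions; the [13731] sample lines are the report's own, rejoined, and the [13732] lines are constructed as a clean control.

```shell
#!/bin/sh
# Added example: a detection sketch, not SpamAssassin code.
# Assumption: per-user state lives under /home/USER/, as in the report.

# sample_log: embedded input. The [13731] lines are quoted from the report
# (wrapped lines rejoined); the [13732] lines are constructed so that the
# check also sees a request that only touches its own user's files.
sample_log() {
    cat <<'EOF'
2006-03-24 03:31:30.188563500 [13731] info: spamd: connection from remoteclient [192.168.0.15] at port 49250
2006-03-24 03:31:36.071642500 [13731] info: spamd: handle_user unable to find user: remoteuser
2006-03-24 03:31:43.034921500 [13731] info: spamd: processing message message_id for remoteuser:65534
2006-03-24 03:32:35.643921500 [13731] error: locker: safe_lock: cannot create lockfile /home/localuser/.spamassassin/auto-whitelist.mutex: Permission denied
2006-03-24 03:32:35.694168500 [13731] warn: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create lockfile /home/localuser/.spamassassin/auto-whitelist.mutex: Permission denied
2006-03-24 03:40:00.000000000 [13732] info: spamd: connection from localhost [127.0.0.1] at port 40000
2006-03-24 03:40:01.000000000 [13732] info: spamd: processing message message_id2 for localuser:1000
2006-03-24 03:40:02.000000000 [13732] warn: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create lockfile /home/localuser/.spamassassin/auto-whitelist.mutex: Permission denied
EOF
}

# find_cross_user_paths: reads spamd log lines on stdin.
# Field 3 is the "[pid]" of the spamd child. For each child the user named in
# "processing message ... for USER:UID" is remembered until the next
# "connection from" line of that child. Any line in between that mentions
# /home/OTHER/ with OTHER different from USER is printed as:
#   DATE TIME [PID] user=USER path_owner=OTHER
find_cross_user_paths() {
    awk '
    / spamd: connection from / {
        delete user[$3]          # a new request starts on this child
        next
    }
    / spamd: processing message / {
        split($NF, parts, ":")   # last field is USER:UID
        user[$3] = parts[1]
        next
    }
    ($3 in user) {
        rest = $0
        while (match(rest, "/home/[^/ ]+/")) {
            # strip the leading "/home/" (6 chars) and the trailing "/"
            owner = substr(rest, RSTART + 6, RLENGTH - 7)
            if (owner != user[$3]) {
                print $1, $2, $3, "user=" user[$3], "path_owner=" owner
                break
            }
            rest = substr(rest, RSTART + RLENGTH)
        }
    }'
}
```

Run it as `sample_log | find_cross_user_paths`, or feed it the real spamd log on stdin.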





Bug#374796: Please apply attached patch to allow the hddtemp daemon to stay in the foreground

2006-06-21 Thread Andras Korn
Package: hddtemp
Version: 0.3-beta15-12
Severity: wishlist
Tags: patch

Hi,

it would be nice to be able to run the hddtemp daemon under a process
supervisor such as runit, daemontools or daemon.

I added a -F command line switch that causes hddtemp to stay in the
foreground even in daemon mode to facilitate this.

Please apply my attached patch.

Thanks

Andras

-- System Information:
Debian Release: unstable
  APT prefers dapper-updates
  APT policy: (1200, 'dapper-updates'), (1200, 'dapper-security'), (1200, 'dapper'), (1200, 'breezy-security'), (1200, 'breezy'), (100, 'experimental'), (100, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.10+skasv3pre9-chardonnay-skas3-v9-pre9
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages hddtemp depends on:
ii  debconf [debconf-2.0]  1.5.0        Debian configuration management sy
ii  grep                   2.5.1.ds2-4  GNU grep, egrep and fgrep
ii  libc6                  2.3.6-15     GNU C Library: Shared libraries
ii  sed                    4.1.4-4      The GNU sed stream editor

hddtemp recommends no packages.

-- debconf information excluded

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Everything is fine with the world - one mile under ground.
diff -ur hddtemp-0.3-beta15/doc/hddtemp.8 
hddtemp-0.3-beta15+foreground/doc/hddtemp.8
--- hddtemp-0.3-beta15/doc/hddtemp.82006-06-21 12:18:51.940989511 +0200
+++ hddtemp-0.3-beta15+foreground/doc/hddtemp.8 2006-06-21 12:19:15.888615926 
+0200
@@ -80,6 +80,10 @@
 .B \-q, \-\-quiet
 Don't check if the drive is supported.
 .TP
+.B \-F, \-\-foreground
+Don't fork into the background even in daemon mode.  This is useful
+when running under a process supervisor.
+.TP
 .B \-v, \-\-version
 Display hddtemp version number.
 .TP
diff -ur hddtemp-0.3-beta15/src/daemon.c 
hddtemp-0.3-beta15+foreground/src/daemon.c
--- hddtemp-0.3-beta15/src/daemon.c 2006-06-21 12:18:51.940989511 +0200
+++ hddtemp-0.3-beta15+foreground/src/daemon.c  2006-06-21 12:19:07.124752634 
+0200
@@ -273,28 +273,30 @@
   fd_set deffds;
   time_t next_time;
 
-  switch(fork()) {
-  case -1:
-perror(fork);
-exit(2);
-break;
-  case 0:
-break;
-  default:
-exit(0);
-  }
-  
-  setsid();
-  
-  switch(fork()) {
-  case -1:
-perror(fork);
-exit(2);
-break;
-  case 0:
-break;
-  default:
-exit(0);
+  if (!foreground) {
+switch(fork()) {
+case -1:
+  perror(fork);
+  exit(2);
+  break;
+case 0:
+  break;
+default:
+  exit(0);
+}
+
+setsid();
+
+switch(fork()) {
+case -1:
+  perror(fork);
+  exit(2);
+  break;
+case 0:
+  break;
+default:
+  exit(0);
+}
   }
   chdir(/);
   umask(0);
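Review bot: the new `if (!foreground)` test in daemon.c reads a variable that the hddtemp.c hunks define, so daemon.c needs an `extern int foreground;` from hddtemp.h, and the hddtemp.h part of the patch is cut off in this copy; please confirm the declaration is there. With -F the `setsid()` call is skipped together with both forks while `chdir` and `umask(0)` still run, which is a reasonable split under a supervisor and deserves a sentence in the man page entry.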
diff -ur hddtemp-0.3-beta15/src/hddtemp.c 
hddtemp-0.3-beta15+foreground/src/hddtemp.c
--- hddtemp-0.3-beta15/src/hddtemp.c2006-04-19 04:37:35.0 +0200
+++ hddtemp-0.3-beta15+foreground/src/hddtemp.c 2006-06-21 12:19:01.760836310 
+0200
@@ -75,7 +75,7 @@
 char   separator = SEPARATOR;
 
 struct bustype *   bus[BUS_TYPE_MAX];
-inttcp_daemon, debug, quiet, numeric, wakeup, af_hint;
+inttcp_daemon, debug, quiet, numeric, wakeup, af_hint, 
foreground;
 
 static enum { DEFAULT, CELSIUS, FAHRENHEIT } unit;
 
@@ -279,7 +279,7 @@
   bindtextdomain (PACKAGE, LOCALEDIR);
   textdomain (PACKAGE);
   
-  show_db = debug = numeric = quiet = wakeup = af_hint = syslog_interval = 0;
+  show_db = debug = numeric = quiet = wakeup = af_hint = syslog_interval = 
foreground = 0;
   unit = DEFAULT;
   portnum = PORT_NUMBER;
   listen_addr = NULL;
@@ -302,10 +302,11 @@
   {unit,   1, NULL, 'u'},
   {syslog, 1, NULL, 'S'},
   {wake-up,0, NULL, 'w'},
+  {foreground, 0, NULL, 'F'},
   {0, 0, 0, 0}
 };
  
-c = getopt_long (argc, argv, bDdf:l:hp:qs:u:vnw46S:, long_options, 
lindex);
+c = getopt_long (argc, argv, bDdf:l:hp:qs:u:vnw46FS:, long_options, 
lindex);
 if (c == -1)
   break;
 
@@ -391,6 +392,7 @@
   -q   --quiet   :  do not check if the drive is 
supported.\n
   -v   --version :  display hddtemp version number.\n
   -w   --wake-up :  wake-up the drive if need.\n
+  -F   --foreground  :  don't daemonize. Stay in 
foreground.\n
   -4 :  listen on IPv4 sockets only.\n
   -6 :  listen on IPv6 sockets only.\n
 \n
@@ -406,6 +408,9 @@
   case 'w':
wakeup = 1;
break;
+  case 'F':
+foreground = 1;
+break;
   case 'S':
{
  char *end = NULL;
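Review bot: `case 'F'` sets `foreground = 1` whatever mode was selected, but the only visible use of the flag is the fork block in daemon.c, so -F without daemon mode is accepted and silently ignored. Either warn in that case or say so in the help text, which currently reads "don't daemonize. Stay in foreground." while hddtemp.8 says "even in daemon mode".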
diff -ur hddtemp-0.3-beta15/src/hddtemp.h 
hddtemp-0.3-beta15+foreground/src/hddtemp.h
--- hddtemp-0.3-beta15/src

Bug#375433: Please support custom commands in sv and/or runsv

2006-06-25 Thread Andras Korn
Package: runit
Version: 1.5.1-1
Severity: wishlist

Hi,

it'd be nice (for example during upgrades) if /etc/init.d/gdm reload could
be made to work even if gdm is run supervised and /etc/init.d/gdm is a
symlink to /usr/bin/sv.

Arbitrary commands could be supported, provided the administrator supplied
the appropriate action script. If these scripts could affect the output of
sv(8), that would be wonderful, but probably hard to do in a robust way.

Quite a few initscripts support numerous commands in addition to the
standard start/stop/force-*, and replacing them with runit's sv would be a
lot less painful if these could be supported transparently.

I realize there is a difficulty with the one-character control fifo
protocol, but I think there are several ways around that (for example, a new
fifo could be used for the custom commands; that way, backward compatibility
with daemontools could be retained).

Regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
I must follow them; I am their leader.





Bug#369840: svlogd seems to ignore old unprocessed logs when deleting old log files during rotation

2006-06-09 Thread Andras Korn
On Tue, Jun 06, 2006 at 03:35:32PM +, Gerrit Pape wrote:

Hi,

> On Fri, Jun 02, 2006 at 03:28:15PM +, Gerrit Pape wrote:
> > On Fri, Jun 02, 2006 at 04:59:39PM +0200, Andras Korn wrote:
> > > OK, here is a test scenario.
> >
> > Thanks Andras, I can reproduce it, and'll take a look soon.
>
> Hi, could you try this patch?  Thanks, Gerrit.

Sorry about the delay.

The patch seems to fix the problem (at least I can no longer reproduce it
systematically).

Thanks!

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Just because you are paranoid, it doesn't mean they are not out to get you.





Bug#372746: Please apply attached patch to allow and to run in foreground

2006-06-11 Thread Andras Korn
Package: and
Version: 1.2.2-1
Severity: wishlist
Tags: patch

Hi,

the attached patch adds a '-f' switch to and(8) that causes it to stay in
the foreground. This is useful when running it under a service monitor like
runit.

Thanks

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Barium: what you do with dead chemists.
diff -u -r and-1.2.2/and.8.man and-1.2.2+fg/and.8.man
--- and-1.2.2/and.8.man 2006-06-11 14:24:31.752873281 +0200
+++ and-1.2.2+fg/and.8.man  2006-06-11 14:23:49.636154000 +0200
@@ -5,7 +5,7 @@
 
 .SH SYNOPSIS
 .B and
-.RB [ \-htvsx ]
+.RB [ \-htvsxf ]
 .RB [ \-i
 .IR interval ]
 .RB [ \-c
@@ -101,6 +101,10 @@
 Run in full operational mode, i.e. really renice or kill things.
 This is the default.
 
+.TP 0.5i
+.B \-f
+Foreground mode. Don't daemonize.
+
 .SH SIGNALS
 
 On
diff -u -r and-1.2.2/and.c and-1.2.2+fg/and.c
--- and-1.2.2/and.c 2004-04-05 21:19:01.0 +0200
+++ and-1.2.2+fg/and.c  2006-06-11 14:21:01.217289000 +0200
@@ -156,6 +156,7 @@
 struct {
   char hostname [512];
   int test;
+  int foreground;
   char *program;
   char *config_file;
   char *database_file;
@@ -179,6 +180,7 @@
 void set_defaults (int argc, char **argv)
 {
   and_config.test = 0;
+  and_config.foreground = 0;
   and_config.verbose = 0;
   and_config.to_stdout = 0;
   and_config.program = argv[0];
@@ -884,7 +886,7 @@
 
 void and_getopt (int argc, char** argv)
 {
-#define OPTIONS c:d:i:vstxh
+#define OPTIONS c:d:i:vstxfh
   int opt, value;
   opt = getopt(argc,argv,OPTIONS);
   while (opt != -1) {
@@ -921,12 +923,16 @@
 case 'x':
   and_config.test = 0;
   break;
+case 'f':
+  and_config.foreground = 1;
+  break;
 case 'h':
   printf(auto nice daemon version %s (%s)\n
 %s [-v] [-s]  [-t] [-x] [-c configfile] [-d databasefile] [-i 
interval]\n
 -v: verbosity -v, -vv, -vvv etc\n
 -s: log to stdout (default is syslog, or debug.and)\n
 -x: really execute renices and kills (default)\n
+ -f: don't daemonize, stay in foreground\n
 -t: test configuration (don't really renice)\n
 -i interval: loop interval in seconds (default %i)\n
 -c configfile: specify config file (default %s)\n
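Review bot: the synopsis line printed by -h, a few lines above the added `-f` entry, still lists only `[-v] [-s]  [-t] [-x] [-c configfile] [-d databasefile] [-i interval]`; add `[-f]` there so it matches the `\-htvsxf` synopsis in and.8.man.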
@@ -986,7 +992,11 @@
   if (and_config.test) {
 and_worker();
   } else {
-if (fork() == 0) and_worker();
+if (and_config.foreground) {
+  and_worker();
+} else {
+  if (fork() == 0) and_worker();
+}
   }
   return 0;
 }
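Review bot: the `if (fork() == 0) and_worker();` kept in the new else branch still ignores a -1 return, so a failed fork() ends in `return 0` with no worker running; since the line is being moved anyway, check the result and report the error. The test and foreground branches both just call `and_worker()`, so `if (and_config.test || and_config.foreground)` would avoid the extra nesting.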


Bug#369840: svlogd seems to ignore old unprocessed logs when deleting old log files during rotation

2006-06-01 Thread Andras Korn
Package: runit
Version: 1.4.1-1
Severity: normal

Hi,

I just noticed that some of my log directories had many more log files in
them than the value of the 'n' parameter in the corresponding svlogd config.

A great deal of these were unprocessed .u files. Unfortunately, I'm not sure
if there were also more .s files than configured, but I set up an experiment
if you like.

If the behaviour of not deleting .u files during log rotation is
intentional, svlogd(8) should probably point it out. It currently does not.
I expected .u and .s files to be treated the same way for the purposes of
log rotation (as is the case with multilog).

Andras

-- System Information:
Debian Release: unstable
  APT prefers dapper-updates
  APT policy: (1200, 'dapper-updates'), (1200, 'dapper-security'), (1200, 'dapper'), (1200, 'breezy-security'), (1200, 'breezy'), (100, 'experimental'), (100, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.10+skasv3pre9-chardonnay-skas3-v9-pre9
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Oops. My brain just hit another bad sector.





Bug#369840: svlogd seems to ignore old unprocessed logs when deleting old log files during rotation

2006-06-02 Thread Andras Korn
On Fri, Jun 02, 2006 at 02:36:03PM +, Gerrit Pape wrote:

Hi,

> > I just noticed that some of my log directories had many more log files in
> > them than the value of the 'n' parameter in the corresponding svlogd config.
> >
> > A great deal of these were unprocessed .u files. Unfortunately, I'm not sure
> > if there were also more .s files than configured, but I set up an experiment
> > if you like.
> >
> > If the behaviour of not deleting .u files during log rotation is
> > intentional, svlogd(8) should probably point it out. It currently does not.
> > I expected .u and .s files to be treated the same way for the purposes of
> > log rotation (as is the case with multilog).
>
> svlogd doesn't differentiate between .u, .t, and .s files, it looks for
> file name starting with @ that are 27 characters long.
>
> But svlogd doesn't reduce the number of old log files if there are
> already more than configured; I guess this is what happens to you.

I know that, but this is not, I think, what happened to me. The number of
files was definitely increasing.

I'll try to reproduce this.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Teenagers are your punishment for enjoying sex!





Bug#369840: svlogd seems to ignore old unprocessed logs when deleting old log files during rotation

2006-06-02 Thread Andras Korn
Hi,

OK, here is a test scenario.

mkdir /tmp/svlogd-test
cat <<EOF >/tmp/svlogd-test/config
s100
n3
!gzip -9
EOF
svlogd /tmp/svlogd-test </dev/urandom

Let it run for a while; it seems to work, there are never more than 3 @*
files.

Now press ctrl-c, and then restart svlogd. Repeat a few times. I was left
with:

-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc1feb0734.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc20bca35c.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc2192e304.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc2265d304.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc233999dc.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc240d7ff4.s
-rwxr--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc24e03d2c.s
-rw-r--r--+  1 korn admin  123 Jun  2 16:57 @4000448051fc25b15484.t
-rw-r--r--+  1 korn admin   17 Jun  2 16:57 config
-rw-r--r--+  1 korn admin  100 Jun  2 16:57 current
-rw---+  1 korn admin0 Jun  2 16:57 lock
-rw-r--r--+  1 korn admin0 Jun  2 16:57 newstate
-rw-r--r--+  1 korn admin0 Jun  2 16:57 state

Obviously way more than 3.

So, somehow, when svlogd exits due to a signal, the number of logfiles can
get out of hand.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  What we call work the Mexicans call siesta.





Bug#369840: svlogd seems to ignore old unprocessed logs when deleting old log files during rotation

2006-06-06 Thread Andras Korn
On Tue, Jun 06, 2006 at 03:35:32PM +, Gerrit Pape wrote:

Hi,

> > On Fri, Jun 02, 2006 at 04:59:39PM +0200, Andras Korn wrote:
> > > OK, here is a test scenario.
> >
> > Thanks Andras, I can reproduce it, and'll take a look soon.
>
> Hi, could you try this patch?  Thanks, Gerrit.

Yes, will do, either today or tomorrow.

Thanks

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Sometimes too much to drink is barely enough.





Bug#385292: Please include -P option as in Ubuntu

2006-08-30 Thread Andras Korn
Package: klogd
Version: 1.4.1-18
Severity: wishlist

Hi,

Ubuntu's klogd has a -P option that does this:

   -P path
  Use path instead of /proc/kmsg as the source of the kernel
  message.  Specify - to read from standard input.  This
  allows klogd to run entirely without root privileges.

The idea then is to use a dd process to shovel messages from /proc/kmsg into
a fifo for klogd to read.

The security benefits, while admittedly somewhat far-fetched, should be
obvious (an attacker can theoretically exercise some control over the
messages the kernel logs, so a bug in klogd could conceivably be exploited
in this manner).

Additionally, this seems to work around a problem where klogd used to
garble kernel messages when they were arriving at a high rate (this isn't
easy to describe and probably impossible to reproduce on purpose: it's as if
some lines were logged incompletely, or fragments of other lines inserted).

Since Ubuntu obviously has a patch for -P, it shouldn't be hard to include
it in Debian's klogd too.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Energizer Bunny arrested. Charged with battery.





Bug#385308: Please provide way to run xend in the foreground, without daemonizing

2006-08-30 Thread Andras Korn
Package: xen-utils-3.0
Version: 3.0.2+hg9697-2
Severity: wishlist

Hi,

it would be nice to run xend under the supervision of runit. xenconsoled and
xenstored already provide relevant switches (-i and --no-fork).

Thanks

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Paranoid: someone who just figured out what's going on.





Bug#385308: [Pkg-xen-devel] Bug#385308: Please provide way to run xend in the foreground, without daemonizing

2006-08-30 Thread Andras Korn
On Wed, Aug 30, 2006 at 03:08:21PM +0200, Bastian Blank wrote:

> On Wed, Aug 30, 2006 at 02:21:07PM +0200, Andras Korn wrote:
> > it would be nice to run xend under the supervision of runit. xenconsoled and
> > xenstored already provide relevant switches (-i and --no-fork).
>
> They are started by xend, so please provide concrete information.

I'm not sure in what way I wasn't specific enough, but anyway:

What I do now is run xenconsoled and xenstored from runit, but xend still
has to be started the System V init way. I'd like to run that under runit
too.

root  3953  Ss   11:26   0:00 runsvdir -P /var/service log: ...
[...]
root  3549  Ss   14:55   0:00  \_ runsv xenconsoled
log   3626  S14:55   0:00  |   \_ svlogd -t /var/log/sv/xenconsoled
root  3847  Sl   14:57   0:00  |   \_ /usr/sbin/xenconsoled -i
root  3840  Ss   14:57   0:00  \_ runsv xenstored
log   3841  S14:57   0:00  |   \_ svlogd -t /var/log/sv/xenstored
root  3843  S14:57   0:00  |   \_ /usr/sbin/xenstored --no-fork
root  5271  S15:26   0:00 python /usr/sbin/xend start
root  5272  Sl   15:26   0:00  \_ python /usr/sbin/xend start

This way xend doesn't start them, because they are already running by the
time xend starts. (xend stop doesn't stop them in either case, which might
be a bug, btw.)

I can now do this:

# sv status xenconsoled
run: xenconsoled: (pid 3847) 3253s; run: log: (pid 3626) 3350s

And runit restarts xenconsoled for me should it ever crash. Same for
xenstored.

I don't know enough about the architecture of xen to say whether it would be
better to have xenconsoled and xenstored started by xend or not, I just know
I'd like to get away from System V init and use runit to the extent
possible. AFAICT now, having a foreground argument to xend (instead of
start) is all that's needed.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Southern DOS:  Y'all reckon? (yep/Nope)





Bug#385335: new entry ST3160811AS 194 C Seagate ST3160811AS

2006-08-30 Thread Andras Korn
Package: hddtemp
Version: 0.3-beta14-5
Severity: wishlist

Hi,

ST3160811AS   194  C  Seagate ST3160811AS

This seems to work well with my 160G Seagate SATA drive.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Ifyoucanreadthis,youspendtoomuchtimefiguringoutnonsense!





Bug#385308: [Pkg-xen-devel] Bug#385308: Please provide way to run xend in the foreground, without daemonizing

2006-09-01 Thread Andras Korn
On Wed, Aug 30, 2006 at 03:08:21PM +0200, Bastian Blank wrote:

> On Wed, Aug 30, 2006 at 02:21:07PM +0200, Andras Korn wrote:
> > it would be nice to run xend under the supervision of runit. xenconsoled and
> > xenstored already provide relevant switches (-i and --no-fork).
>
> They are started by xend, so please provide concrete information.

OK, they don't work when not started by xend: xend can't connect to the
xenstored socket, which is strange because unixclient can. I guess xend
removes and recreates the socket even if xenstored is running, or something
like that.

I'm now back to running xenconsoled and xenstored from xend, but xenconsoled
sometimes fails (apparently when a domU crashes and is restarted before its
console can be attached to), and is not restarted by xend.

It would really be a lot nicer to have them supervised by runit separately,
so that if any of them were to fail, they could be restarted automatically.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Money can't buy friends, but you can afford a better class of enemy.





Bug#386207: Please improve documentation

2006-09-05 Thread Andras Korn
Package: pound
Version: 2.0-1
Severity: minor

Hi,

currently, the documentation doesn't say what syntax is supported when
specifying URL patterns. Based on the examples, it's a subset of POSIX
regular expressions, but ^ and $ don't seem to work. It would be nice if
extended regular expressions were properly supported, or, failing that, the
documentation would at least say what is supposed to work and what isn't.

Specifically, I tried

CheckURL ^/foo($|/)

But this didn't have the anticipated effect (/foo and /foo/ were equally
refused).

Also, under the Service heading, the man page says:

   URL pattern
  Match the incoming request. If a request fails to match than
  this service will be skipped and next one tried. If all
  services fail to match Pound returns an error. You may define
  multiple URL conditions per service. If no URL was defined
  then all requests match.

It's not clear whether multiple URL conditions are evaluated in an AND or an
OR manner, i.e. whether all must match or only one.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Time is a great teacher, but it kills all its pupils.





Bug#43594: Is this fixed?

2006-09-05 Thread Andras Korn
> Did you get to check this out, can I close the bug report?

Uh. Been a while. :)

Sorry, I don't think I'll use this package ever again, and the problem I had
reported was apparently pretty much unreproducible to begin with, so yes, I
think you can close the bug.

7 years... it has already completed first grade at school. :)

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 Daddy, what does Formatting Drive C: mean?





Bug#356339: Please add option to tag each line with fixed string to svlogd

2006-03-11 Thread Andras Korn
Package: runit
Version: 1.3.3-1
Severity: wishlist

Hi,

sorting the logs of generic services (i.e. ones that just write to stdout,
not to syslog) when they are received via udp would be easier if svlogd
could prepend a service-specific tag to each logged line (either
unconditionally, or only when logging to udp). Without such tags, it's a
pain to sort log lines on the receiving end.

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   A dime saved is a dollar earned. The rest is Uncle Sam's.





Bug#274818: Please add option to work from Packages (or available) instead of status

2008-03-13 Thread Andras Korn
On Thu, Mar 13, 2008 at 11:25:24PM +0100, Carsten Hey wrote:

Hi,

> > I think it would be useful to be able to analyze the dependencies of a
> > Debian package pool in order to possibly identify e.g. old libraries
> > that no one needs any longer.
>
> I just asked someone from the release team whether this would be a
> useful feature for them and he denied it. So although this feature would
> be relatively trivial to implement I will probably not do this since I
> don't see any use case for it.
>
> If you or anybody else can imagine a use case for this (except usage by
> the release team), please attach an explanation to this bug and remove
> the wontfix tag.

Use case: if you have your own package pool which includes old and/or
orphaned packages from Debian that are no longer a part of the official
archive, it would be good to know which old libraries are safe to get rid
of. I used to have such a pool with packages such as 'xv', 'spamdb' and
quite a few others (and their dependencies) when I filed this bug.

I'm not removing the wontfix tag, because you may not agree this is a valid
use case.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Everything that is not mandatory is forbidden.






Bug#616091: Please provide optional fallback to subsequent TargetURLs even for 404co

2011-03-02 Thread Andras Korn
Package: apt-cacher-ng
Version: 0.6-1
Severity: wishlist

Hi,

currently, if apt-cacher-ng is configured for redirection, not just merging,
and the first preferred upstream mirror is responsive but malfunctioning
(resets connection, doesn't have files it should have etc.), acng clients
can't download files.

It would be great if you could introduce some form of fallback mechanism
that would cause acng to try failing http requests on other mirrors before
reporting failure to the client.

Something like FallbackLimit n would be nice, where an additional n
mirrors would be tried in case a file couldn't be fetched from the first
(even though it did respond). It could default to 0, which is the current
behaviour.

Andras

-- 
 Andras Korn korn at elan.rulez.org
  Automatic simply means that you cannot repair it yourself.






Bug#616091: Please provide optional fallback to subsequent TargetURLs even for 404co

2011-03-03 Thread Andras Korn
On Wed, Mar 02, 2011 at 09:22:35PM +0100, Eduard Bloch wrote:

> > currently, if apt-cacher-ng is configured for redirection, not just merging,
>
> First, which configuration / config directive do you exactly mean?

Remap.

I got redirection and merging from the documentation, sorry. :)

> > and the first preferred upstream mirror is responsive but malfunctioning
> > (resets connection, doesn't have files it should have etc.), acng clients
> > can't download files.
>
> Second, it does already have a fallback behaviour.

I know, but it doesn't kick in in all cases where I think it should.

> However, code 404 is not interpreted as failure. Because apt does a lot of
> such requests, e.g. for translation files which can be missing.

And what's so terrible about retrying those on other servers as well?

If it _is_ very bad for some reason, then request types that can be
reasonably expected to fail shouldn't be retried on other servers, but
requests for package files should (not by default, but optionally yes).

Specific problem:

Remap-debrep: file:deb_mirror*.gz /ftp.debian.org/debian/ /cdn.debian.net/debian/ /debian ; http://cdn.debian.net/debian/ http://ftp.hu.debian.org/debian/ [...]

The idea is to prefer whatever mirror cdn.debian.net prefers, and to fall
back to a small set of specific mirrors if the first mirror doesn't work.

For a few days, the mirror cdn.debian.net pointed to was incomplete. It had
up to date Packages files but many .debs were simply missing. Later, the
problem changed, and the mirror aborted all connections without replying
anything.

Any apt requests that referenced these URLs, using whatever specific mirror,
were redirected to cdn.debian.net, and thus failed (either giving 404 or 502
when the upstream mirror aborted the connection).

This was understandably very frustrating for the users.

It would greatly increase the robustness of ACNG (reduce its susceptibility
to problems with specific mirrors) if it could retry the same request on
different mirrors if the first one failed.

On a related note, I think speed could be improved substantially by
connecting to several mirrors in parallel and dropping surplus connections
once at least one succeeds; this way there'd be no need to wait for the
first connection to time out before trying the second, for the second to
time out before trying the third and so on.

Andras

-- 
 Andras Korn korn at elan.rulez.org
Timing error. Please wait. And wait. And wait.






Bug#513880: Optionally omit timestamps from lines sent over UDP

2009-02-01 Thread Andras Korn
Package: socklog
Version: 2.1.0-8
Severity: wishlist

Hi,

when logging kernel messages over UDP with socklog+svlogd, the end result
looks like this:

@40004986304d23ededec 172.18.17.254: @40004986304d23676c54 kern.warn: Feb  2 00:29:07 kernel: ...

The line contains three timestamps, which is not very useful and only makes
the message harder to read. I know I can do the following:

1. get rid of the first timestamp by not telling svlogd on the logserver to
   log one;

2. get rid of the second timestamp by not telling svlogd on the client system
   to log one.

The problem with #1 is that some syslog clients send timestamps whereas
others don't, and I need to have timestamps enabled in svlogd on the server
for the sake of the latter.

The problem with #2 is that the client also writes the logs to local storage
and I definitely want the timestamps there.

I can see the following options:

1. Adding a new config command to send via UDP without timestamp.

2. Making timestamps toggleable on a per-directory basis (I could have a
   logdir with only udp targets and no timestamps and other logdirs with
   no udp targets and timestamps enabled).

3. Some mangling on the server side to recognise a tai64n timestamp at the
   beginning of the incoming line, and insert the client IP field after it
   instead of in front of it. This seems somewhat kludgy to me even though
   it would probably work very well in practice.

This still doesn't get rid of the third, useless, syslog-style timestamp,
but I guess you wouldn't want to add sed-style editing functions, and I
can't really see any other way. :)

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.18-vs2.2.0.6-arcadia (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages socklog depends on:
ii  adduser   3.110  add and remove users and groups
ii  libc6 2.7-13 GNU C Library: Shared libraries

Versions of packages socklog recommends:
ii  ipsvd 1.0.0-1Internet protocol service daemons
ii  runit 2.0.0-1a UNIX init scheme with service su
pn  socklog-run   none (no description available)

socklog suggests no packages.

-- no debconf information

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   When smashing monuments, always save the pedestals - they come in handy.






Bug#529744: Seems to be leaking file descriptors, leads to 100% CPU usage

2009-05-21 Thread Andras Korn
Package: apt-cacher-ng
Version: 0.3.11-1
Severity: normal

Hi,

I noticed that apt-cacher-ng's CPU usage goes to 100% and stays there after
a few days of running. stracing it revealed the following:

select(7, [6], [], NULL, NULL)  = 1 (in [6])
accept(6, 0x7fff3bdad5a0, [171252509438902400]) = -1 EMFILE (Too many open files)
select(7, [6], [], NULL, NULL)  = 1 (in [6])
accept(6, 0x7fff3bdad5a0, [171252509438902400]) = -1 EMFILE (Too many open files)
select(7, [6], [], NULL, NULL)  = 1 (in [6])
accept(6, 0x7fff3bdad5a0, [171252509438902400]) = -1 EMFILE (Too many open files)
select(7, [6], [], NULL, NULL)  = 1 (in [6])
accept(6, 0x7fff3bdad5a0, [171252509438902400]) = -1 EMFILE (Too many open files)

... and so on.

It had 1024 files open, 676 of which were pipes, 343 were sockets, and the
rest was this:

lr-x-- 1 apt-cacher-ng apt-cacher-ng 64 May 21 11:06 0 -> /dev/null
l-wx-- 1 apt-cacher-ng apt-cacher-ng 64 May 21 11:06 123 -> /var/cache/apt-cacher-ng/debrep/dists/sid/main/source/Sources.diff/_actmp/tmp (deleted)
lr-x-- 1 apt-cacher-ng apt-cacher-ng 64 May 21 11:06 3 -> /var/lib/vservers/aptproxy-bud
l-wx-- 1 apt-cacher-ng apt-cacher-ng 64 May 21 11:06 4 -> /var/log/apt-cacher-ng/apt-cacher.err
l-wx-- 1 apt-cacher-ng apt-cacher-ng 64 May 21 11:06 5 -> /var/log/apt-cacher-ng/apt-cacher.log

The last lines of the errorlog were:

Tue May 19 17:16:48 2009|Not creating Unix Domain Socket, fifo_path not specified
Tue May 19 17:18:25 2009|Not creating Unix Domain Socket, fifo_path not specified
Wed May 20 10:15:03 2009|/var/cache/apt-cacher-ng/debrep/dists/unstable/Release.gpg storage error [503 Inconsistent file state]: File exists
Wed May 20 11:24:34 2009|Error creating pipe file descriptors
Wed May 20 11:25:34 2009|Error creating pipe file descriptors
Wed May 20 11:26:34 2009|Error creating pipe file descriptors
Wed May 20 11:27:34 2009|Error creating pipe file descriptors
Wed May 20 11:28:34 2009|Error creating pipe file descriptors

I'm running acng under runit, launching it with the following command line:

exec chpst -u apt-cacher-ng apt-cacher-ng -c /etc/apt-cacher-ng ForeGround=1

My acng.conf reads as follows:

CacheDir: /var/cache/apt-cacher-ng
LogDir: /var/log/apt-cacher-ng
Port:4128
Remap-debrep: file:deb_mirror*.gz /debian ; http://ftp.hu.debian.org/debian/ http://ftp.at.debian.org/debian/ http://ftp.kfki.hu/linux/debian/ http://ftp.externet.hu/debian/
Remap-uburep: file:ubuntu_mirrors /ubuntu ; http://hu.archive.ubuntu.com/ubuntu/ http://at.archive.ubuntu.com/ubuntu/ http://ftp.kfki.hu/linux/ubuntu/
Remap-debsec: /security.debian.org/debian-security /debian-security ; http://ftp2.de.debian.org/debian-security/ http://security.debian.org/debian-security/
Remap-debbackports: /backports.org/debian/ /debian-backports ; http://backports.org/debian/
Remap-debpeople: /people.debian.org/ /debian-people ; http://people.debian.org/
Remap-debmultimedia: /debian-multimedia file:marillat_mirrors ; file:marillat_mirrors
Remap-skype: /download.skype.com/linux/repos/debian /skype ; http://download.skype.com/linux/repos/debian/
Remap-opera: /deb.opera.com/opera /opera ; http://deb.opera.com/opera/
Remap-volatile: /volatile.debian.org/debian-volatile/ /ftp2.de.debian.org/debian-volatile/ /debian-volatile ; http://volatile.debian.org/debian-volatile/ http://ftp2.de.debian.org/debian-volatile/
Remap-debsnap: /snapshot.debian.net /debian-snapshot ; http://snapshot.debian.net/
Remap-canonical: /archive.canonical.com/ubuntu /canonical ; http://archive.canonical.com/ubuntu/
Remap-grml: http://deb.grml.org/ /grml ; http://deb.grml.org/
Remap-igraph: http://cneurocvs.rmki.kfki.hu/ /igraph ; http://cneurocvs.rmki.kfki.hu/
Remap-inno: http://inno.bme.hu/debian/ /inno ; http://inno.bme.hu/debian/
Remap-debunofficial: http://ftp.debian-unofficial.org/debian/ /debian-unofficial ; http://ftp.debian-unofficial.org/debian/
Remap-backports: http://www.backports.org/debian /backports ; http://www.backports.org/debian/
Remap-gosa: http://oss.gonicus.de/debian /gosa ; http://oss.gonicus.de/debian/
Remap-virtualbox: http://download.virtualbox.org/virtualbox/debian /virtualbox /vbox ; http://download.virtualbox.org/virtualbox/debian
Remap-av: http://debian.av.hu/ /av ; http://debian.av.hu/
ReportPage: acng-report.html
ForeGround: 0
ExTreshold: 5
LogSubmittedOrigin: 1

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-vs2.3.0.36.9-pre4-stallion (SMP w/3 CPU cores)

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Black holes really suck...






Bug#506173: Actually, syslog-ng shouldn't conflict with any other syslog package

2009-02-12 Thread Andras Korn
Package: syslog-ng
Version: 2.0.9-4.1
Followup-For: Bug #506173

Hi,

there are circumstances when having more than one syslog daemon installed
makes sense (for example, I want to use klogd and socklog for local messages
and syslog-ng to listen on a UDP socket).

It's the same as having more than one webserver, or more than one HTTP
proxy. The default configurations may conflict, but there is no inherent
conflict.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
  Unless you're the lead dog, the view never changes.






Bug#515181: Ignores return status of open(stripe) for coss

2009-02-14 Thread Andras Korn
Package: squid3
Version: 3.0.STABLE8-3
Severity: normal

Hi,

I tried to use

cache_dir coss /dev/proxy_squid_coss 2048 block-size=512 max-size=131072

based on

http://wiki.squid-cache.org/Features/CyclicObjectStorageSystem

Apparently, it's no longer possible to use a raw device directly, but the
way squid handles this is buggy:

stat(/dev/proxy_squid_coss, {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 13), ...}) = 0
open(/dev/proxy_squid_coss/stripe, O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 ENOTDIR (Not a directory)
write(4294967295, \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1024) = -1 EBADF (Bad file descriptor)

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
I left my 2 XP CDs on my dashboard. Someone broke into my car and left 2 more.






Bug#515194: Documentation could be improved

2009-02-14 Thread Andras Korn
 remapping

URL remapping has several uses. First, it allows your apt-cacher-ng based
proxy to masquerade as a Debian or Ubuntu mirror; it can be made to appear
to contain the same directory structure and files the client would find on a
real mirror. Instead of referencing a real mirror, the client's sources.list
file would contain a line like 'deb http://name.of.proxy.host/debian stable
main'. Your backend definition in apt-cacher-ng's configuration determines
which actual debian mirror will be used to fetch the files.

This keeps the client configuration clean, simple and straightforward.
Without URL remapping, the sources.list file on the client would have to
read something like 'deb http://name.of.proxy.host/ftp.de.debian.org/debian
stable main'. Note that, depending on the remapping configuration, it is
possible that apt-cacher-ng will actually use a mirror other than
ftp.de.debian.org even in this case (see below). [Is this right?]

A second use is obscuring the real location of a repository from your
clients. This allows you to change the real location easily, without having
to modify the configuration of all clients; you just have to edit the
backend configuration in one single place.

You configure URL remapping with lines like the following:

Remap-debian: http://ftp.de.debian.org/debian

This is the simplest case. When a client asks for
http://proxy.host/ftp.de.debian.org/debian/something, apt-cacher-ng fetches
http://ftp.de.debian.org/debian/something. [Is this right?]

Slightly more complex examples:

Remap-ubuntu: /ubuntu ; http://us.archive.ubuntu.com/ubuntu
Remap-medibuntu: /medibuntu ; http://packages.medibuntu.org

These two examples specify trivial mappings. Whenever a client asks for
http://proxy.host/ubuntu/foo, apt-cacher-ng will retrieve
http://us.archive.ubuntu.com/ubuntu/foo. When a client wants
http://proxy.host/medibuntu/bar, apt-cacher-ng fetches
http://packages.medibuntu.org/bar. This is still relatively simple.

More complex remappings are also possible. A Remap- line contains three
pieces of information:

1. A unique internal identifier for the remapping ruleset specified by the
line; in the examples above, ubuntu and medibuntu. These identifiers
have no meaning; we could just as well have chosen blarg and deedledum.
Restrictions: the identifier must be valid as a filename; it mustn't begin
with an underscore; and it mustn't contain whitespace.

This is the part of the line between Remap- and the first colon (':').

2. A list of pathnames to apply remapping to. These can be specified
directly, separated by spaces, but apt-cacher-ng can also read them from
files. Large lists of pathnames to remap are handled efficiently. You can
use file:filename to read a list of pathnames from filename. Filename
can be absolute, or relative to the configuration directory. You can mix
files and literal pathnames in the list. Pathnames mustn't contain
wildcards, but file: specifications may. apt-cacher-ng can decompress .gz
and .bz2 files. A leading "http://" in pathnames is replaced by a single
"/".

This is the part of the line between the first colon and the first semicolon
(';').

3. A list of backend servers to fetch the files from, whenever clients
request a file from a remapped path. Backend lists are specified the same
way as path lists.

Example:

Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian

This causes apt-cacher-ng to read a list of debian mirrors from all files
matching deb_mirror*.gz and construct a list of pathnames consisting of
entries like /ftp.de.debian.org/debian /ftp.kfki.hu/linux/debian and so on.
The last element of the list will be simply /debian. All these paths will be
remapped to paths read from backends_debian, which can contain the base URL
of a single Debian mirror, or several URLs, one per line. [What happens when
there are several?] The same RFC822-like format deb_mirrors.gz is supplied
in is also supported, so you could just make backends_debian a subset of
deb_mirrors.gz.

Client sources.list files could specify either of the following and still
actually use the mirrors from backends_debian:

- 'deb http://proxy.host/arbitrary.official.debian.mirror/basepath stable main'

- 'deb http://proxy.host/debian stable main'

[Would transparent proxying work? I.e. could you just redirect requests to
port 80 of debian mirrors to the port of apt-cacher-ng?]

--- 8 ---

What I think is missing from the documentation:

- description of the fields in the RFC822 files;

- explanation of how a backend to download from is chosen if more than one
  is specified;

- an explanation of the unix socket thing;

- an explanation of ForceManaged (based on 3.2 one is under the impression
  that only remapped paths are supported anyway).

Please feel free to include whatever I wrote in the documentation verbatim
if you like it.

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD

Bug#466138: Is this LVM message actually useful?

2009-07-08 Thread Andras Korn
Hi,

as far as I can tell, the "File descriptor x left open" message is just
telling the user about open file descriptors the lvm utility inherited and
successfully closed. The --quiet option doesn't appear to suppress the
message.

Does printing the message serve any useful purpose? I'd expect lvcreate,
lvremove and similar commands to be silent when called with --quiet; only
errors should be printed. How is successfully closing a file descriptor an
error?

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  Smash forehead on keyboard to continue.






Bug#466138: Is this LVM message actually useful?

2009-07-08 Thread Andras Korn
On Wed, Jul 08, 2009 at 02:21:05PM +0100, Alasdair G Kergon wrote:

Hi,

> It's often an indication of careless programming and can lead to
> security problems if a child process inherits access to a rogue file
> descriptor and can interfere with it.  The messages were added during a
> bug investigation to prove that LVM was not involved.
>
> selinux with a strict policy now also detects this sort of bug.
>
> They can be suppressed by setting the (deliberately-undocumented)
> environment variable LVM_SUPPRESS_FD_WARNINGS, but really, the source of
> the problem you're seeing should be addressed instead of ignoring the
> symptoms.

I don't agree; surely, following the above argumentation, each and every
program should go out of its way to close any inherited file descriptor it
didn't expect, and warn the user about them. Incidentally, this would make
chpst -l (which relies on obtaining a lock on a file and then passing this
filedescriptor on to its child, which it execs without a fork) useless.

In my case, I know where the stray FD is coming from: I'm invoking lvm
utilities from a zsh script that has a logging coprocess, and it does an
exec >&p early on so that all output of any programs invoked goes to the
coprocess instead of stdout. Child processes inherit a pipe to the
coprocess, but this isn't a problem that needs to be addressed; it has no
ill effects and certainly doesn't warrant an obnoxious warning I can only
turn off by relying on an undocumented feature.

I certainly agree that the warnings are a good debugging aid, but making
them unnecessarily hard to turn off is, in my opinion, contrary to the unix
philosophy, which entails letting the user shoot himself in the foot if he
wants, and not assuming that your program is necessarily smarter than the
person running it, or that the developer was able to anticipate all
circumstances his or her program might be run in. I think --quiet should get
rid of these warnings too; you should assume that anyone who goes out of
their way to specify --quiet really does want the utility to be quiet except
when critical errors occur. It's what --quiet should do, and what the
documentation implies --quiet does.

Anyway, thank you for the hint about LVM_SUPPRESS_FD_WARNINGS, and sorry
about the ranting.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
When in darkness or in doubt, run in circles, scream and shout.






Bug#466138: Is this LVM message actually useful?

2009-07-08 Thread Andras Korn
On Wed, Jul 08, 2009 at 06:21:27PM +0100, Alasdair G Kergon wrote:

> > ill effects and certainly doesn't warrant an obnoxious warning I can only
> > turn off by relying on an undocumented feature.
>
> What stops you closing the fd just before the execve()?

Nothing, I suppose, other than that it adds a difficult to read line with no
obvious purpose to the script (nothing a comment couldn't explain, to be
sure). But I agree it's a workaround (whether it's nicer than the magic
envvar, I couldn't say).

> lvm will not write to pre-existing fds other than 0, 1 & 2 and lvm is currently
> imposing it as a requirement that other fds, which lvm will not use, should be
> closed before invocation.

I'm still not sure I understand why this is such a big deal that it's
unacceptable to just close them silently, but I don't want to argue this
point ad nauseam.

> > I think --quiet should get rid of these warnings too;
>
> Unfortunately the program structure makes that impossible: these checks
> are performed during initialisation, before even looking at any command line.

Well, the fact that it's difficult to fix doesn't mean it's not broken. :)

Currently, --quiet doesn't work properly because LVM still prints messages
that aren't critical errors.

I wouldn't object to this bug being downgraded to wishlist and retitled to
something like "Please fix --quiet so that it suppresses the warning about
FDs left open" (it's not my bug, so I won't mess with it myself). Add a
wontfix tag if you think it's never going to be fixed.

However, I think at the very least the magic envvar should be documented for
use in those cases where a stray FD is known to be present and LVM should be
silent. This would help avoid kludges like lvsomething 2>&1 | fgrep -v ...

(And hey, maybe there are even valid uses for stray FDs, only we can't think
of any right now - so that not even closing them may always be desirable.)

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
 Bathroom scale: Something you stand on and swear at.
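
The two sides of the descriptor question in this thread, as an added example (not code from LVM or from the posters): a start-up audit of inherited descriptors above stderr, and a caller-side helper that marks everything close-on-exec except descriptors deliberately handed to the child, such as the lock fd in the chpst -l case. All function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Highest descriptor number worth scanning (capped so the loop stays cheap). */
static int fd_scan_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n < 0 || n > 4096) ? 4096 : (int)n;
}

/* 1 if fd is an open descriptor in this process, 0 if not. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* 1 if fd is open and would still be open in a program we exec. */
int will_survive_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Callee side: list descriptors above stderr that are already open at
 * start-up. Stores up to cap of them in out and returns the total found. */
int find_stray_fds(int *out, int cap)
{
    int count = 0, limit = fd_scan_limit();
    for (int fd = 3; fd < limit; fd++) {
        if (!fd_is_open(fd))
            continue;
        if (count < cap)
            out[count] = fd;
        count++;
    }
    return count;
}

/* Caller side: before exec, set FD_CLOEXEC on every descriptor above stderr
 * except those in keep[], which the child is meant to inherit.
 * Returns how many descriptors were newly marked, or -1 on error. */
int mark_cloexec_except(const int *keep, int nkeep)
{
    int marked = 0, limit = fd_scan_limit();
    for (int fd = 3; fd < limit; fd++) {
        int wanted = 0;
        for (int i = 0; i < nkeep; i++)
            if (keep[i] == fd)
                wanted = 1;
        if (wanted || !will_survive_exec(fd))
            continue;
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

int main(void)
{
    /* Constructed stand-in for the script's logging pipe. */
    int log_pipe[2], found[16];
    if (pipe(log_pipe) != 0)
        return 1;
    int keep[] = { log_pipe[0] };   /* pretend the read end is passed on purpose */
    printf("open above stderr: %d\n", find_stray_fds(found, 16));
    printf("newly marked close-on-exec: %d\n", mark_cloexec_except(keep, 1));
    printf("write end survives exec: %d\n", will_survive_exec(log_pipe[1]));
    return 0;
}
```
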






Bug#576936: OpenVPN Access Server is not free software

2010-05-09 Thread Andras Korn
Hi,

sorry for butting in; I just noticed this in the BTS and thought I could
help out by replying.

> Did you read the information on the pricing page? They give you two, non
> expiring, keys for free so that you can have up to two clients
> simultaneously connected. You can have as many clients in the pool as you
> wish, you are just limited to the number that can connect at any one time.
> If you want more keys, they charge $10 each. So whether or not this is
> free software depends on your usage requirements.

The point isn't whether they charge you money; the point is that it's not
free as in freedom. It doesn't meet the Debian Free Software Guidelines, so
it'd have to go into the non-free repository, but from the looks of it
Debian couldn't legally distribute it even then.

However, seeing that the vendor provides Ubuntu packages, it shouldn't be
too hard to persuade them to repackage it for Debian as well; the required
changes are probably minimal.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
   Backup not found: (A)bort (R)etry (P)anic






Bug#580899: Please support certificates where a CN attribute is not part of the subject DN

2010-05-09 Thread Andras Korn
Package: openvpn
Version: 2.1.0-2
Severity: wishlist

Hi,

with LDAP deployments becoming more and more commonplace, private PKIs can
be expected to try to create a mapping between the LDAP DNs of users and the
DNs in their certificates.

A typical LDAP DN at a Unix site looks like this:

uid=username,ou=People,dc=somedomain,dc=tld

It's entirely possible to issue a certificate to this DN as a subject. Alas,
using such certificates with OpenVPN is currently impossible; an attempt to
do so yields:

VERIFY ERROR: could not extract Common Name from X509 subject string ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name length is limited to 64 characters
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object - incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

IIUC, the only point in parsing out the CN is to have a hopefully unique
friendly name for the client. The --username-as-common-name option looks
like a promising workaround, but unfortunately the failure to find a CN in
the subject string still causes the connection to fail even if a remote
username is supplied and username-as-common-name is enabled.

Please implement one or more of the following:

1. If username-as-common-name is specified, use the remote username as the
CN right away and don't even try to parse the CN out of the subject string.

2. Allow the administrator to specify a different attribute instead of CN to
look for in the subject string (e.g. uid). This would not be ideal because
while people would have uids, devices would still have CNs (so OpenVPN
servers may have to deal with differently constructed DNs).

3. Allow the administrator to specify a list of attributes to look for in
the subject string to use as CN.

4. Add an option to use the entire DN instead of only part of it to name
the client.

5. Allow an external script or plugin to set OpenVPN's idea of the CN based
on the client certificate (or just the subject string) and/or the username.

Thanks

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
Just because nobody complains doesn’t mean all parachutes are perfect.






Bug#580899: Please support certificates where a CN attribute is not part of the subject DN

2010-05-09 Thread Andras Korn
On Sun, May 09, 2010 at 07:37:50PM +0200, Andras Korn wrote:

> VERIFY ERROR: could not extract Common Name from X509 subject string
> ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name
> length is limited to 64 characters

This was a mistake; the DN in an X.509 certificate is read from left to
right, not right to left (but this is irrelevant as far as the original
wishlist report is concerned).

However, it just occurred to me that it may make sense to force the username
(in username+password authentication) to be either the uid/cn from the
certificate subject, or the entire DN. This would strengthen double
authentication in that it wouldn't be sufficient to know _a_
username/password pair and obtain _a_ valid certificate; it'd be necessary
for the client to know the current password of the exact user whose
certificate it is using to connect.

I suppose external verify scripts can already be used to do this though.

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  I couldn't repair your brakes, so I made your horn louder.
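
A sketch of wishlist item 3 from the original report combined with the binding check proposed in this follow-up, as an added example (not OpenVPN's own code): pick the client name from an administrator-supplied attribute preference list, then require the supplied username to equal it. It assumes the slash-separated one-line subject form shown in the error message and does not handle values that themselves contain '/'; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ID_LEN 64   /* same limit the error message quotes for the CN */

/* Copy the value of the first `type` attribute found in a subject string such
 * as "/UID=someuser/OU=People/DC=somedomain/DC=tld" into out.
 * Returns 0 on success, -1 if the attribute is absent, empty or too long. */
int subject_attr(const char *subject, const char *type, char *out, size_t outsz)
{
    size_t tlen = strlen(type);
    const char *p = subject;

    while ((p = strchr(p, '/')) != NULL) {
        p++;                                   /* step past the separator */
        /* Require "TYPE=" exactly, so "UID" does not match "UIDX=..." */
        if (strncasecmp(p, type, tlen) == 0 && p[tlen] == '=') {
            const char *val = p + tlen + 1;
            size_t vlen = strcspn(val, "/");
            if (vlen == 0 || vlen > MAX_ID_LEN || vlen >= outsz)
                return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
    }
    return -1;
}

/* Try each attribute in prefs[] in order (e.g. CN for devices, UID for
 * people). Returns the index of the attribute used, or -1 if none matched. */
int client_name(const char *subject, const char *const *prefs, size_t nprefs,
                char *out, size_t outsz)
{
    for (size_t i = 0; i < nprefs; i++)
        if (subject_attr(subject, prefs[i], out, outsz) == 0)
            return (int)i;
    return -1;
}

/* Binding check: accept only if the username given for password
 * authentication equals the name taken from the certificate subject.
 * Fails closed (returns 0) when no usable attribute is present. */
int username_matches_cert(const char *subject, const char *const *prefs,
                          size_t nprefs, const char *username)
{
    char id[MAX_ID_LEN + 1];

    if (username == NULL || client_name(subject, prefs, nprefs, id, sizeof id) < 0)
        return 0;
    return strcmp(id, username) == 0;
}

int main(void)
{
    /* Subject string taken from the report; the usernames are constructed. */
    const char *subject = "/UID=someuser/OU=People/DC=somedomain/DC=tld";
    const char *const prefs[] = { "CN", "UID" };
    char name[MAX_ID_LEN + 1];

    if (client_name(subject, prefs, 2, name, sizeof name) >= 0)
        printf("client name: %s\n", name);
    printf("someuser accepted: %d\n",
           username_matches_cert(subject, prefs, 2, "someuser"));
    printf("otheruser accepted: %d\n",
           username_matches_cert(subject, prefs, 2, "otheruser"));
    return 0;
}
```
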






Bug#575228: Please support passing arguments or variables to {pre,post}{,dis}connection scripts

2010-03-24 Thread Andras Korn
Package: wicd-daemon
Severity: normal

Hi,

I'm pretty certain this used to work at some point, maybe early 2009, but
was then fixed; hence the severity.

I have a script called netconfig that takes a parameter and sets up some
local things based on that parameter. I'd like wicd to pass it a command
line argument, but can't seem to do so; the entire command line is treated
as the name of the script, including spaces. Neither does wicd appear to
pass in any meaningful environment variables.

I can think of a number of workarounds, but the best would be for wicd to
just spawn a shell to evaluate the command line pertaining to the script, so
that word splitting would be performed automatically. I don't think people
commonly use scripts that have spaces in their names, so this would be less
of a violation of the Principle of Least Surprise.

Cheers,

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  Most car accidents involve people with driver's licenses, so I tore mine up.






Bug#575228: Please support passing arguments or variables to {pre,post}{,dis}connection scripts

2010-03-24 Thread Andras Korn
On Wed, Mar 24, 2010 at 01:29:30PM +0100, David Paleino wrote:

Hi,

> To the wired scripts, wired is passed (three times, just for compatibility
> with the wireless ones, even though I disagree with upstream on this, but have
> found no sufficient motivation to patch it), i.e. if you put netconfig as a
> pre/post connection/disconnection script, it will be called as:
>
> $ netconfig wired wired wired
>
> To the wireless scripts, WICD passes wireless, the ESSID and the BSSID, i.e.:
>
> $ netconfig wireless my-wlan 00:11:22:33:44:55

I'm afraid that's not quite good enough (it's only good enough for a
workaround).

You see, my netconfig script does several things like this one:

#!/bin/zsh
cd /etc && {
	echo "Fixing resolv.conf..."
	# Only switch if resolv.conf is a symlink and a profile for $1 exists
	[[ -L resolv.conf ]] && [[ -e resolv.conf-$1 ]] && {
		rm resolv.conf
		ln -s resolv.conf-$1 resolv.conf
	}
}

$1 is supposed to be the same for a specific set of wireless networks and
different for others.

I could of course make the script more complex (add a key lookup), or have
more resolv.conf-* files that are identical; but I think the best would be
to be able to pass a custom command line argument to the netconfig script
from wicd. I'm fine with it being the fourth argument.

> Maybe we could mangle this bug appropriately to make it a documentation-bug.

Not just yet. :)

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  Never agree with me, it shakes my self-confidence.






Bug#570929: Hungarian locale: zs is treated as a single letter, with undesirable consequences

2010-02-22 Thread Andras Korn
Package: locales
Version: 2.10.2-6
Severity: normal

Hi,

in Hungarian, zs (as well as sz, cs, ty, dz, dzs, gy and ly)
are said to be part of the alphabet and each combination is considered to be
a single letter; however, they are represented by two or more characters;
there aren't single glyphs for them.

zs in particular is causing trouble for grep:

% echo zs | LANG=C grep '^[^a-z]*$'
% echo zs | LANG=hu_HU.UTF-8 grep '^[^a-z]*$'
zs

It's possible to come up with expressions that lead to similarly unexpected
results for the other multi-char letters as well, but these don't occur
frequently:

% echo ty | LANG=C grep '^[s-u]*$'
% echo ty | LANG=hu_HU.UTF-8 grep '^[s-u]*$'
ty

This is undesirable and dumb, for several reasons:

1. grep has no way of knowing whether a zs sequence is a single letter
or two letters, because the combination can occur in compound words without
becoming a zs letter; for example, in fúvószenekar (fúvós +
zenekar), it's simply an s and a z letter next to each other. There
may even exist words that make (a different) sense either way, but I can't
think of any right now.

2. zs is the last letter of the Hungarian alphabet; therefore, no sane
character range in a regular expression can include it ([a-zs] would be
ambiguous because there isn't a zs glyph).

zs and the other multi-char letters play an important role in sorting
(zs has to be sorted after za and so on), but please can we treat them
as two characters in all other contexts?

I can also make a socio-ergonomic point: I think most people who deal with
regular expressions don't expect Hungarian multi-character letters to be
treated as single characters in regular expressions, whether they are
Hungarian or not.

Andras

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.7-vs2.3.0.36.28-hellgate (SMP w/3 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages locales depends on:
ii  debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii  libc6 [glibc-2.10-1]  2.10.2-2   GNU C Library: Shared libraries

locales recommends no packages.

locales suggests no packages.

-- debconf information:
* locales/default_environment_locale: None
* locales/locales_to_be_generated: en_GB ISO-8859-1, en_GB.ISO-8859-15 
ISO-8859-15, en_GB.UTF-8 UTF-8, en_US ISO-8859-1, en_US.ISO-8859-15 
ISO-8859-15, en_US.UTF-8 UTF-8, hu_HU ISO-8859-2, hu_HU.UTF-8 UTF-8

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
A stitch in time would have confused Einstein.






Bug#570929: Hungarian locale: zs is treated as a single letter, with undesirable consequences

2010-02-23 Thread Andras Korn
On Mon, Feb 22, 2010 at 11:07:21AM +0100, Andras Korn wrote:

> 1. grep has no way of knowing whether a zs sequence is a single letter
> or two letters, because the combination can occur in compound words without
> becoming a zs letter; for example, in fúvószenekar (fúvós +
> zenekar), it's simply an s and a z letter next to each other. There
> may even exist words that make (a different) sense either way, but I can't
> think of any right now.

Uh, sorry, wrong example (sz instead of zs). Some examples for zs are
község, egészség (especially interesting because it contains an sz
followed by an s, not an s followed by a zs), gazság etc.

> 2. zs is the last letter of the Hungarian alphabet; therefore, no sane
> character range in a regular expression can include it ([a-zs] would be
> ambiguous because there isn't a zs glyph).

It actually gets even more confusing, because grep's behaviour is
inconsistent:

% echo zs | LANG=hu_HU.UTF-8 grep ^[a-z]*$
zs
% echo azsa | LANG=hu_HU.UTF-8 grep ^a.a$
% echo azsa | LANG=hu_HU.UTF-8 grep ^a[^a-z]a$
azsa

So is zs a member of the [a-z] class or not? The first attempt matches z
and s individually, because zs doesn't match . (as shown in the second
example). However, in the last example, zs matches [^a-z], which is also
only supposed to match a single character.

The problem also affects sed(1) similarly:

% echo azsa | LANG=hu_HU.UTF-8 sed -n /^a[^a-z]a$/p
azsa

Therefore, I believe this is a bug in locales, not grep.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
Never say 'OOPS!' Always say 'Ah, Interesting!'






Bug#570929: Hungarian locale: zs is treated as a single letter, with undesirable consequences

2010-02-24 Thread Andras Korn
On Tue, Feb 23, 2010 at 10:29:25PM -0600, Jonathan Nieder wrote:

> > 2. zs is the last letter of the Hungarian alphabet; therefore, no sane
> > character range in a regular expression can include it ([a-zs] would be
> > ambiguous because there isn't a zs glyph).
>
> Would [a-[.zs.]] work?

No, because apparently [.zs.] isn't a valid collating element:

% echo azsa | LANG=hu_HU.UTF-8 grep ^a[a-[.zs.]]a$
grep: Invalid collation character

> See
> http://www.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_03_05

That was helpful, thanks - I didn't know about collating elements in REs.

> Lots of the behavior of regular expressions in non-C locales is
> counterintuitive, so it might be helpful to point out if each example
> violates some rule of the standard or only common sense (both are
> important, of course).

Uh, that standard is too dense for me; I'll pass on that and can only vouch
for common sense.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
My new year's resolution is 1920x1080.






Bug#598194: ntfsclone: please support o_direct and different block sizes

2010-09-27 Thread Andras Korn
Package: ntfsprogs
Version: 2.0.0-1+b1
Severity: wishlist

Hi,

I think it may help speed up ntfsclone if it could read with block sizes
other than 4k and if direct i/o could optionally be used.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
 Múltkor is pixeles volt az ég alja, esett is másnap.






Bug#598195: ntfsclone: please support cloning to multiple destinations

2010-09-27 Thread Andras Korn
Package: ntfsprogs
Version: 2.0.0-1+b1
Severity: wishlist

Hi,

it'd be great to be able to use ntfsclone to mass-clone ntfs images, writing
to several disks simultaneously.

I suppose I could do this using tee(1) and sending the image to stdout, but
I still think this feature could be sensibly incorporated into ntfsclone
itself (especially coupled with o_direct support).

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  Get married and share the problems you didn't know you had.






Bug#601813: Please provide a more friendly/useful message instead of Warning: The resulting partition is not properly aligned for best performance.

2010-10-29 Thread Andras Korn
Package: parted
Version: 2.3-2
Severity: wishlist
Tags: upstream

Hi,

I'm attempting to create a partition on a disk with a GPT.

I have a partition that ends at sector 501535; that was apparently fine
performance-wise, because parted printed no warning.

Now I would like to create a new partition, starting from sector 501536, but
parted tells me that's not optimal. It doesn't tell me what _would_ be
optimal, even though it could.

Seeing that I started parted with -a optimal, which supposedly automatically
aligns partitions optimally, it'd be great if it could at least tell me what
the nearest optimal sector to the one I chose is.

The only workaround I found was to switch to some unit larger than sectors,
which resulted in the beginning of the new partition to be shifted forward
by 224.

Please either print the suggested optimal value or even offer to use that
instead of what the user supplied.

Thanks.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
Feet smell? Nose runs? Hey, you're upside down!






Bug#270099: getfacl doesn't show setuid/setgid/sticky bits

2010-10-15 Thread Andras Korn
Hi,

I just tried what Markus Steinborn tried and it seems to work for me (i.e.
the setuid bit isn't lost):

 # ls -l passwd
-rwsr-xr-x 1 root root 43280 Sep 26 15:59 passwd*
 # cat passwd.acl
# file: passwd
# owner: root
# group: root
# flags: s--
user::rwx
group::r-x
other::r-x

 # setfacl --restore passwd.acl
 # ls -l passwd
-rwsr-xr-x 1 root root 43280 Sep 26 15:59 passwd*

I'm using acl version 2.2.49-4, fwiw.

I believe this bug is fixed.

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
 The flesh was willing but the grass was wet.






Bug#520309: 'force group' still broken in 3.3.2

2009-03-18 Thread Andras Korn
Package: samba
Version: 2:3.3.2-1
Severity: normal

Hi,

I have a samba pdc that uses an ldapsam backend. Everything seems to work,
with the exception of the following share:

[store]
path = /store
hide unreadable = yes
csc policy = disable
force group = +Power Users
inherit acls = true
volume = STORE
create mask = 0666
directory mask = 0777

When I connect to this share from either smbclient or Windows on a domain
workstation, the connection is denied and samba logs make_connection:
connection to store denied due to security descriptor. If I comment out
force group, connections succeed.

The users I tested with were members of power users, but I also tested
with just force group = username (the name of the actual user), which
should have had no effect for that user as his primary gid was already his
own usergroup. But the connection was denied even so.

The [global] section of my smb.conf reads as follows:

[global]
dos charset = CP852   
display charset = UTF-8
workgroup = KORN 
netbios name = PDC
server string = PDC
auth methods = guest sam
update encrypted = Yes
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://192.168.0.99/
pam password change = Yes
passwd chat debug = Yes
log level = 1
debug class = yes
debug prefix timestamp = yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
min protocol = LANMAN1
announce version = 9.9
name resolve order = lmhosts host wins bcast
time server = Yes
deadtime = 1440
max smbd processes = 30
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
hostname lookups = Yes
add machine script = /usr/local/sbin/add-machine %u
logon script = %u.cmd
logon path = 
logon drive = N:  
logon home = \\%L\%u\profile
domain logons = Yes
os level = 255
preferred master = Yes  
domain master = Yes
ldap admin dn = cn=admin,dc=intra
ldap group suffix = ou=Group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap user suffix = ou=People
ldap suffix = dc=intra,dc=guy
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
ldapsam:trusted = yes
ldapsam:editposix = yes
admin users = root, Administrator
hosts allow = 192.168.0.0/24, 127.0.0.0/8
profile acls = Yes
use sendfile = Yes
hide dot files = No
map archive = No   
algorithmic rid base = 10
unix password sync = yes
client ntlmv2 auth = yes
acl group control = yes 
force unknown acl user = yes
smb ports = 445 139
min receivefile size = 32k
disable netbios = no
reset on zero vc = yes
ea support = yes
map acl inherit = yes
server signing = auto
printcap name = cups 
printing = cups
cups options = raw
mangle prefix = 3   
hide special files = yes
map read only = permissions
wins support = yes
preload = guy
utmp = yes   
delete readonly = yes
dos filemode = yes   

Andras

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28.5-vs2.3.0.36.7
Locale: LANG=C, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 He who laughs, lasts.






Bug#512437: 32bit nscd can't serve 64bit clients

2009-01-20 Thread Andras Korn
Package: nscd
Version: 2.7-18
Severity: normal

Hi,

due to complicated circumstances it is perhaps not important to go into
here, I have an nscd instance, compiled for i386, that should serve a mix of
i386 and amd64 clients over the same unix domain socket (imagine, for
example, chroots with different architectures).

Apparently, some structure is aligned in an unfortunate way or maybe missing
a 'packed' attribute; while 32bit clients can query nscd fine, queries from
64bit clients fail.

I have obtained straces of the two kinds of behaviour.

Good (i386 client):

connect(3, {sa_family=AF_FILE, path=/var/run/nscd/socket...}, 110) = 0
send(3, 
\x02\x00\x00\x00\x0b\x00\x00\x00\x07\x00\x00\x00\x70\x61\x73\x73\x77\x64\x00...,
 19, MSG_NOSIGNAL) = 19
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=3, 
revents=POLLIN|POLLHUP}])
recvmsg(3, {msg_name(0)=NULL, msg_iov(2)=[{\x70\x61\x73\x73\x77\x64\x00..., 
7}, {\xb8\x4f\x03\x00\x00\x00\x00\x00..., 8}], msg_controllen=16, 
{cmsg_len=16, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0}, 
MSG_CMSG_CLOEXEC) = 15
mmap2(NULL, 217016, PROT_READ, MAP_SHARED, 4, 0) = 0xf7d8a000
close(4)= 0
close(3)= 0
fstat64(1, {st_dev=makedev(0, 10), st_ino=22, st_mode=S_IFCHR|0620, st_nlink=1, 
st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(136, 20), 
st_atime=2009/01/20-18:46:57, st_mtime=2009/01/20-18:46:57, 
st_ctime=2009/01/20-18:31:00}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xf7f06000
write(1, foobar:x:1061:1061:foo bar:/home/foobar:/bin/bash\n..., 55) = 55
exit_group(0)   = ?

Bad (amd64 client):

connect(3, {sa_family=AF_FILE, path=/var/run/nscd/socket...}, 110) = 0
sendto(3, 
\x02\x00\x00\x00\x0b\x00\x00\x00\x07\x00\x00\x00\x70\x61\x73\x73\x77\x64\x00...,
 19, MSG_NOSIGNAL, NULL, 0) = 19
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=3, 
revents=POLLIN|POLLHUP}])
recvmsg(3, {msg_name(0)=NULL, msg_iov(2)=[{\x70\x61\x73\x73\x77\x64\x00..., 
7}, {\xb8\x4f\x03\x00\x00\x00\x00\x00..., 8}], msg_controllen=24, 
{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0}, 
MSG_CMSG_CLOEXEC) = 15
mmap(NULL, 217016, PROT_READ, MAP_SHARED, 4, 0) = 0x2ac05280d000
close(4)= 0
close(3)= 0
exit_group(2)   = ?

I imagine the problem may be related to

msg_controllen=16, {cmsg_len=16, cmsg_level=SOL_SOCKET, ...

vs.

msg_controllen=24, {cmsg_len=20, cmsg_level=SOL_SOCKET, ...

It would be great not to have to run two instances of nscd that both cache
the same backend.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386

Kernel: Linux 2.6.22.19-vs2.2.0.7-stop
Locale: LANG=C, LC_CTYPE=C
Shell: /bin/sh linked to /bin/bash

Best regards,

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
All generalizations are false (incl. this one)






Bug#372746: Any news?

2009-01-21 Thread Andras Korn
Hi,

did you hear anything from Patrick?

If not, maybe you could just include my patch in the version of and
shipped by Debian? It's a trivial and non-intrusive patch, after all, that
adds a simple but very useful feature...

This would still allow Patrick to accept the patch at some point in the
future, if and when he has time.

Thanks

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Ha a recsegesek lathatok is, akkor az televizio.






Bug#520309: [Pkg-samba-maint] Bug#520309: 'force group' still broken in 3.3.2

2009-03-19 Thread Andras Korn
On Thu, Mar 19, 2009 at 08:41:12AM +0100, Christian Perrier wrote:

Hi,

> (second attempts.your mail server is apparently blacklisting my
> ISP mail server...which is quite silly)

Hmmm, strange; I didn't see it in the log (and according to the BTS, your
first message was delivered by the same 88.169.112.155 as the second, which
I did receive).

Anyway.

> > When I connect to this share from either smbclient or Windows on a domain
> > workstation, the connection is denied and samba logs make_connection:
> > connection to store denied due to security descriptor. If I comment out
> > force group, connections succeed.
>
> Could you get a level 3 debug log of such a failed attempt ?

Sure, sorry about not attaching it right away.

I'm including a log with a failure and one with a success (without force
group).

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
 I was once thrown out of a mental hospital for depressing the other patients.
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  2]   smbldap_open_connection: connection opened
[2009/03/19 22:10:50,  3]   ldap_connect_system: successful connection to the 
LDAP server
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3, class=auth]   check_ntlm_password:  Checking password 
for unmapped user [intra]\[g...@[hellgate] with the new password interface
[2009/03/19 22:10:50,  3, class=auth]   check_ntlm_password:  mapped user is: 
[korn]\[g...@[hellgate]
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  2, class=passdb]   init_sam_from_ldap: Entry found for 
user: guy
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3, class=passdb]   primary group of [guy] not found
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3, class=auth]   check_ntlm_password: sam authentication 
for user [guy] succeeded
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  2, class=auth]   check_ntlm_password:  authentication 
for user [guy] - [guy] - [guy] succeeded
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  2, class=passdb]   init_group_from_ldap: Entry found for 
group: 210
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  2, class=passdb]   init_group_from_ldap: Entry found for 
group: 100
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/03/19 22:10:50,  3]   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/19 22:10:50,  3]   get_privileges: No privileges assigned to SID 
[S-1-5-21-655183313-499555889

Bug#521232: Please provide options to run in foreground

2009-03-25 Thread Andras Korn
Package: courier-mta
Version: 0.61.2-1
Severity: wishlist

Hi,

I'd like to run all components of courier under runit (which is a System V
init replacement and/or a service management package).

Some context:

Runit avoids many problems related to daemonised processes (mostly the pid
guessing game and unnecessary complexity in initscripts) by keeping daemons
in the foreground, each running as the child of a 'runsv' process that
manages its child.

Each service has a so-called 'run' script that's started by the runsv
process and that's responsible for setting up the initial environment of the
service, then exec the service so that the process which started out as the
shell running the run script doesn't exit as long as the service doesn't.
The runsv process can then be told to send signals to the service or to
automatically restart it when it exits.

Logging is also provided: runsv can open a pipe between the stdout of the
run script and the stdin of a logging process. This has advantages and
disadvantages compared to the traditional syslog approach which I won't go
into here.

The point is, all this works beautifully with courier-imap and
courier-authdaemon; it also appears to work with courierd itself, with the
following 'run' script:

--- snip ---
#!/bin/sh
exec 2>&1
set -a
. /etc/courier/courierd
exec /usr/lib/courier/courier/courierd
--- snip ---

(I'm not yet sure what happens to courierd's log messages in this case.)

However, I couldn't find a way to start courierfilter so that it stays in
the foreground and preferably logs errors to stdout or stderr. Looking at
the source, I get the impression that the program goes out of its way to
daemonise and start a separate logging process, neither of which can
apparently be disabled.

Unfortunately I don't have what it takes to plough through liblock and
implement a clean solution for staying in the foreground and logging to
stderr, so I'm sending this wishlist report instead.

Ideally, there should probably be a command line option or an envvar that
disables daemonisation and another one that causes log messages to go to
stderr, but for me and other users of similar init replacements a single
option that does both would suffice.

People wanting to use daemontools or freedt with courier would face the same
issue, as would those who'd like to start courierfilter from inittab for
whatever reason.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Can February March? No, but April May...



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#521232: Please provide options to run in foreground

2009-03-26 Thread Andras Korn
On Thu, Mar 26, 2009 at 08:25:28AM +0100, Stefan Hornburg wrote:

Hi,

>> I'd like to run all components of courier under runit (which is a System V
>> init replacement and/or a service management package).

> That's fine, but please bring this up on the courier mailinglist. There are
> the guys who know much more about courierfilter et al than me.

OK, I did (I thought maybe there was some BTS somewhere that I just didn't
find oslt).

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
   Ajtostul rontok a szadba!






Bug#520309: [Pkg-samba-maint] Bug#520309: Bug#520309: 'force group' still broken in 3.3.2

2009-03-29 Thread Andras Korn
On Sun, Mar 29, 2009 at 11:07:58AM +0200, Christian Perrier wrote:

Hi,

> I finally took time to report this upstream with all information you
> provided. Thanks for your cooperation.
>
> It would be good if you could follow upstream bug so that you can
> provide more information if they need it, avoiding me or other samba
> maintainers to act as proxies.

OK, thanks, will do.

Andras

-- 
 Andras Korn korn at chardonnay.math.bme.hu
 http://chardonnay.math.bme.hu/~korn/ QOTD:
Dyslexics of the world...UNTIE!






Bug#588965: Please add support for replacing a failing but still usable drive with a spare without marking the first drive as failed

2010-07-13 Thread Andras Korn
Package: mdadm
Version: 3.1.2-2
Severity: wishlist
Tags: upstream

Hi,

Especially in the case of RAID5 arrays it would often be life-saving to be
able to activate a hot-spare and prepare to replace a live drive with it,
without marking that drive as failed first.

Consider the following scenario. Let's say we have a RAID5 array composed of
sdb, sdc and sdd, with sde added as a spare (i.e. 3 active drives).

sdc starts to noticeably fail. Unknown to the user, sdd also has developed a
bad sector. The user marks sdc as failed and waits for sde to be synced;
however, during the resync, the system hits the bad sector on sdd, causing
sdd to also be marked as failed, the resync to fail and the array to become
unusable. (The same can happen if an intermittent bit error occurs during
the resync operation.)

The algorithm I'd like to see implemented would work as follows:

sdc starts to noticeably fail. The user marks it for replacement. sde is
activated and the system copies everything from sdc to sde, using the
redundancy provided by the other drives if/when necessary. Temporarily,
while this operation is in progress, sdc and sde are both active and in the
same slot; any writes that hit the array get committed to both. When sde is
completely up to date, sdc gets deactivated and marked as failed. The bad
sector on sdd doesn't compromise our ability to sync the hotspare. At this
point, another spare could be added, sdd marked for replacement, and so on.

I realise this also requires changes to the kernel. Apologies if it's
already planned; I haven't seen it discussed anywhere.

Best regards,

Andras

-- 
 Andras Korn korn at elan.rulez.org - http://chardonnay.math.bme.hu/~korn/
  All that glitters may not be gold, but it sure has a high refractive index.






Bug#510004: subversion: SSL/TLS support for svnserve

2011-02-18 Thread Andras Korn
> Doesn't the SASL support take care of this?

It doesn't - as I understand it, SASL won't authenticate the server to the
client and won't encrypt the traffic either. It's just a way for the server
to authenticate the client.

I would also welcome ssl/tls support in svnserve (and the client).

Andras

-- 
 Andras Korn korn at elan.rulez.org
Man is the best computer we can put aboard a spacecraft... and the only
  one that can be mass produced with unskilled labour.






Bug#637646: New upstream release 3.1.0 available

2011-08-13 Thread Andras Korn
Package: mldonkey-server
Version: 3.0.7-2
Severity: wishlist

Hi,

http://sourceforge.net/news/?group_id=156414&id=302714

*
  MLDonkey: New release 3.1.0

  Bittorrent: DHT support
  small fixes

  2011-08-10 17:35:14 UTC by spiralvoice

Having DHT support would be nice.

When are you planning to package the new version?

Thanks

-- 
 Andras Korn korn at elan.rulez.org
 My sun-dial is slow.






Bug#638605: runit: chpst fails to change uid not listed in /etc/passwd

2012-06-25 Thread Andras Korn
Hi,

FWIW, I use the following workaround to this problem:

#!/bin/sh
[...]
RUNASUID=$(getent passwd $RUNASUSER | cut -d: -f3)
RUNASGROUPS=$(id -G $RUNASUSER | tr ' ' ':')
[...]
exec chpst -u :$RUNASUID:$RUNASGROUPS [...]

HTH.

Andras

-- 
 Andras Korn korn at elan.rulez.org
   Constant change is here to stay.
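
The same lookup as the workaround above, as an added example (not the poster's script): it builds the numeric `chpst -u` argument but refuses to produce one when a lookup comes back empty or non-numeric, so a run script can stop instead of exec'ing with a malformed value. The function names are hypothetical and the sample passwd line and ids are constructed.

```shell
#!/bin/sh
# Added example: build a numeric "chpst -u :uid:gid..." argument, failing closed.
# Function names are hypothetical; the sample values below are constructed.

# Succeed only for a non-empty string of decimal digits.
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print field 3 (the uid) of one passwd(5)-format line, as getent prints it.
# cut -s drops input without any ':' so garbage is never taken for a uid.
uid_from_passwd_line() {
    _uid=$(printf '%s\n' "$1" | cut -s -d: -f3)
    is_numeric_id "$_uid" || return 1
    printf '%s\n' "$_uid"
}

# Turn a uid and the space-separated gid list printed by "id -G" into
# ":uid:gid:gid..."; the leading colon makes chpst treat the ids as numeric.
chpst_numeric_spec() {
    _uid=$1
    _gids=$2
    is_numeric_id "$_uid" || return 1
    [ -n "$_gids" ] || return 1
    _spec=":$_uid"
    for _gid in $_gids; do
        is_numeric_id "$_gid" || return 1
        _spec="$_spec:$_gid"
    done
    printf '%s\n' "$_spec"
}

# Resolve a user name through NSS and print the chpst argument, or fail.
resolve_runas_spec() {
    _line=$(getent passwd "$1") || return 1
    _uid=$(uid_from_passwd_line "$_line") || return 1
    _gids=$(id -G "$1") || return 1
    chpst_numeric_spec "$_uid" "$_gids"
}

# Offline demonstration on constructed input; prints ":1042:100:210".
chpst_numeric_spec "$(uid_from_passwd_line 'guy:x:1042:100::/home/guy:/bin/sh')" '100 210'

# In a run script (the daemon path is a placeholder):
#   spec=$(resolve_runas_spec "$RUNASUSER") || exit 1
#   exec chpst -u "$spec" /path/to/daemon
```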






Bug#678985: Please consider including attached start-stop-daemon.runit script

2012-06-25 Thread Andras Korn
Package: runit
Version: 2.1.1-6.2
Severity: wishlist
Tags: patch

Hi,

Since the release of 2.88dsf-23 of sysv-rc, dependency based boot ordering
is mandatory in Debian; however, insserv fails to recognise symlinks to
/usr/bin/sv as valid initscripts.

This makes using runit unnecessarily painful; to ease the pain, I wrote a
pretty complete start-stop-daemon wrapper for runit (alas, in zsh).

Diverting /sbin/start-stop-daemon to /sbin/start-stop-daemon.real and using
this script, conventional initscripts continue to work. My script
determines whether it should pass the call through to the real
start-stop-daemon or to use sv(8) to manage a runit service.

While it's a bit of a kludge, it appears to work fairly well.

An important drawback is that it needs to be adapted each time the semantics
of start-stop-daemon change, but maybe that doesn't happen so often.

The script uses few zsh-specific features; a determined person should be
able to modify it to run in bash or even plain sh relatively easily (but I
have no time/interest to do so myself).

The script is licensed under the GPL v3, with the special exception that
permission is granted to include it in the runit package and license it to
users of the runit package under the same license as the rest of the
package.

Work on the script was sponsored by CAE Engineering Kft.

Best regards,

Andras

-- 
 Andras Korn korn at elan.rulez.org
  All that glitters may not be gold, but it sure has a high refractive index.
#!/bin/zsh
#
# This script is intended to wrap start-stop-daemon. It will call the
# original start-stop-daemon with the supplied arguments unless the daemon
# to be started appears to exist as a runit service, in which case it will
# map the start-stop-daemon call to an sv(8) call.
#

# If called by non-root user, fall back to original start-stop-daemon
# unconditionally
[[ $UID -gt 0 ]] && exec /sbin/start-stop-daemon.real $@

set -A args $@

SVDIR=${SVDIR:-/etc/service}

unset mode signal exec timeout startas testmode oknodo quiet verbose command svstat
oknodo=0
quiet=0

while [[ -n $1 ]]; do
case $1 in
-S|--start)
mode=start
;;
-K|--stop)
mode=stop
;;
-T|--status)
mode=status
;;
-H|--help|-V|--version)
exec /sbin/start-stop-daemon.real $args
;;
-x|--exec)
shift
exec=$1
;;
-s|--signal)
shift
signal=$1
;;
--signal=*)
signal=${1/--signal=/}
;;
-R|--retry)
shift
timeout=$1
;;
--retry=*)
timeout=${1/--retry=/}
;;
-a|--startas)
shift
startas=$1
;;
-t|--test)
testmode=1
;;
-o|--oknodo)
oknodo=1
;;
-q|--quiet)
quiet=1
exec >/dev/null
;;
-v|--verbose)
verbose=1
;;

-p|--pidfile|-n|--name|-u|--user|-g|--group|-r|--chroot|-d|--chdir|-N|--nicelevel|-P|--procsched|-I|--iosched|-k|--umask|-m|--make-pidfile)
# ignored
shift
;;

--pidfile=*|-b|--background|--nicelevel=*|--procsched=*|--iosched=*|--umask=*)
;;
--)
# What follows is args to the daemon. Avoid parsing
# those accidentally.
break
;;
*)
# Assume the previous was the last option; the rest
# is the name of the daemon plus args, of which we
# only care about the daemon.
command=$1
break
;;
esac
shift
done
# Try to infer runit service name. If our parent is an initscript, use its
# basename
read foo script foo </proc/$PPID/cmdline
if [[ ${script:h} = /etc/init.d ]]; then
svname=${script:t}
elif [[ ${$(readlink -f /proc/$PPID/exe):h} = /etc/init.d ]]; then
read svname </proc/$PPID/comm
fi
# if not, try other heuristics
svnames=($startas $exec $command)
while ! [[ -d $SVDIR/$svname/supervise/. ]] && [[ -n $svnames[1] ]]; do
svname=${svnames[1]:t

Bug#678985: Please consider including attached start-stop-daemon.runit script

2012-07-09 Thread Andras Korn
Hi,

I fixed two bugs in the script and am attaching the fixed version.

Fixed bugs:

 * No longer assume name of parent initscript is 2nd word of
   /proc/$PPID/cmdline.

 * When sending a service the kill signal, issue sv d servicename first
   because initscripts assume that the service will be down after a kill.

Andras

-- 
 Andras Korn korn at elan.rulez.org
  There is no spoon(). Only a fork().
#!/bin/zsh
#
# This script is intended to wrap start-stop-daemon. It will call the
# original start-stop-daemon with the supplied arguments unless the daemon
# to be started appears to exist as a runit service, in which case it will
# map the start-stop-daemon call to an sv(8) call.
#

# If called by non-root user, fall back to original start-stop-daemon
# unconditionally
[[ $UID -gt 0 ]] && exec /sbin/start-stop-daemon.real $@

set -A args $@

SVDIR=${SVDIR:-/etc/service}

unset mode signal exec timeout startas testmode oknodo quiet verbose command svstat
oknodo=0
quiet=0

while [[ -n $1 ]]; do
case $1 in
-S|--start)
mode=start
;;
-K|--stop)
mode=stop
;;
-T|--status)
mode=status
;;
-H|--help|-V|--version)
exec /sbin/start-stop-daemon.real $args
;;
-x|--exec)
shift
exec=$1
;;
-s|--signal)
shift
signal=$1
;;
--signal=*)
signal=${1/--signal=/}
;;
-R|--retry)
shift
timeout=$1
;;
--retry=*)
timeout=${1/--retry=/}
;;
-a|--startas)
shift
startas=$1
;;
-t|--test)
testmode=1
;;
-o|--oknodo)
oknodo=1
;;
-q|--quiet)
quiet=1
exec >/dev/null
;;
-v|--verbose)
verbose=1
;;

-p|--pidfile|-n|--name|-u|--user|-g|--group|-r|--chroot|-d|--chdir|-N|--nicelevel|-P|--procsched|-I|--iosched|-k|--umask|-m|--make-pidfile)
# ignored
shift
;;

--pidfile=*|-b|--background|--nicelevel=*|--procsched=*|--iosched=*|--umask=*)
;;
--)
# What follows is args to the daemon. Avoid parsing
# those accidentally.
break
;;
*)
# Assume the previous was the last option; the rest
# is the name of the daemon plus args, of which we
# only care about the daemon.
command=$1
break
;;
esac
shift
done
# Try to infer runit service name. If our parent is an initscript, use its
# basename
read -A cmdline </proc/$PPID/cmdline
while [[ -n $cmdline[1] ]]; do
if [[ ${cmdline[1]:h} = /etc/init.d ]]; then
svname=${cmdline[1]:t}
break
fi
shift cmdline
done
if [[ -z $svname ]] && [[ ${$(readlink -f /proc/$PPID/exe):h} = /etc/init.d ]]; then
read svname </proc/$PPID/comm
fi
# if not, try other heuristics
svnames=($startas $exec $command)
while ! [[ -d $SVDIR/$svname/supervise/. ]] && [[ -n $svnames[1] ]]; do
svname=${svnames[1]:t}
shift svnames
done
# if runit service doesn't exist, call real start-stop-daemon.
if ! [[ -d $SVDIR/$svname/supervise/. ]] || [[ -z $svname ]]; then
exec /sbin/start-stop-daemon.real $args
fi
# otherwise, do what we've been asked to
[[ $quiet = 0 ]] && [[ $verbose = 1 ]] && echo "start-stop-daemon.runit: will act on $svname service." >&2

function sendsig() {
case $signal in
HUP|1)
sv hup $svname
;;
INT|2)
sv interrupt $svname
;;
QUIT|3)
sv quit $svname
;;
KILL|9)
sv d $svname
sv kill $svname
;;
USR1|10)
sv 1 $svname
;;
USR2|12)
sv 2

Bug#674562: Please include/apply http://www.skarnet.org/software/djbdns-fwdzone/djbdns-1.04-fwdzone.patch

2012-05-25 Thread Andras Korn
Package: dbndns
Version: 1:1.05-8
Severity: wishlist
Tags: patch

Hi,

the patch at
http://www.skarnet.org/software/djbdns-fwdzone/djbdns-1.04-fwdzone.patch
allows dnscache to issue recursive queries to the servers of some domains
while issuing iterative queries for others (effectively making the behaviour
of FORWARDONLY domain-based).

The patch itself is fairly trivial; however, it removes support for
FORWARDONLY (to get that behaviour you have to chmod +t root/servers/@), so
that users should be warned on upgrading.

The patch needs minor massaging to apply after the ipv6 patch (s/64/256/ in
2-3 places; s/\[4\]/[16]/ in one place).

Thanks

Andras

-- 
 Andras Korn korn at elan.rulez.org
  I'm in a class by myself. Everyone else graduated.






Bug#644401: trac: Translations are missing

2011-12-30 Thread Andras Korn
Package: trac
Version: 0.12.2-1
Followup-For: Bug #644401

Hi,

the problem seems to be a missing Build-Depends on python-babel.

I rebuilt the package with Babel installed (changing nothing else), and
localisation magically started working.

-- 
 Andras Korn korn at elan.rulez.org
  Bugs come in through open Windows.





