Re: need help on cracking wireless password

[deloptes]

Long Wind wrote:

> i've installed reaver
> how to know bssid? it's required argumentfrom wicd-gtk, i click
> "Properties" then "Information"i can see Access point address, it's
> bssid?? after i enter reaver with -i, -b and -vv, nothing seems to happen
> Thanks!

I agree with Reco, but you can try Kali Linux - there are pretty interesting
tools there

regards

Re: need help on cracking wireless password

[Reco]

Hi.

On Fri, Feb 23, 2018 at 09:55:30PM +, Long Wind wrote:
> i've installed reaver
> how to know bssid? it's required argumentfrom wicd-gtk, i click "Properties" 
> then "Information"i can see Access point address, it's bssid??
> after i enter reaver with -i, -b and -vv, nothing seems to happen

I don't know about China, but here where I live using reaver considered
a criminal activity.
So I refuse to participate in this thread further, but I'll give you a
hint - airdump-ng.

Reco

Re: domain names, was: hostname

[David Wright]

On Fri 23 Feb 2018 at 12:53:34 (+), Brian wrote:
> On Thu 22 Feb 2018 at 11:58:18 -0600, David Wright wrote:
> 
> > On Mon 19 Feb 2018 at 18:39:02 (+), Brian wrote:
> > > On Mon 19 Feb 2018 at 10:23:56 -0600, David Wright wrote:
> > > 
> > > > $ cat /etc/mailname 
> > > > alum
> > > 
> > > Debian's exim4 README says that mailname should be a FQDN. I find that
> > > useful for sending mail to "anotheruser".
> > 
> > Sorry, but I haven't been able to work out what you mean.
> > Is "anotheruser" a username on the same system, somebody or
> > some machine on the LAN, or something different?
> 
> Exim will qualify all unqualified addresses with mailname. "anotheruser"
> could be a user on the system or have an email account elsewhere.
> With mailname as gmail.com a mail sent to or cc'ed to tom123 would go to
> tom...@gmail.com.

In the long distant past, I had bar.ac.uk in /etc/mailname, and
foo.bar.ac.uk as the canonical name in /etc/hosts. Before the
firewalls went up, foo.bar.ac.uk (and a group of other hosts)
would all resolve, and that's probably a common situation for
exim4 users.

Naturally, most of my emails would be to addresses like a.n.ot...@bar.ac.uk
and s...@bar.ac.uk, so I could write just a.n.other and spqr in the
composer and it would get qualified for me.

Now I'm a home user, that situation doesn't pertain. The only
common denominator in email addresses now is @. I have a set
of mail alias files that translate from, say, isp to
Unlimited Web Hosting UK Ltd 
and so on for all the people I have emailed regularly since 1998.

So, having dreamed up alum.dreamtup, how often would I expect to
benefit from baz being turned into baz.dreamtup?

> > This is a genuine query. If I'm missing out on some useful aspect
> > of writing in a domain, I'd like to know what it is so I can try
> > using it. (I have a spare domain registration handy as it happens.)
> 
> The mailname needn't be the canonical_hostname, although exim will
> indeed set it up with this when it is installed and mailname does not
> exist. Easily changed.

Yes, but to what (that's of any use or benefit)?

> > > But mailname has nothing to
> > > do with domain as enquired about by Jeremy Nicoll.
> > 
> > The contents of /etc/mailname is the answer to this question:
> > "It should be the single, fully qualified domainname (FQDN)."
> > so, because the domain is empty, the FQDN will be the same as
> > the hostname. I was merely showing that to be the case here.
> 
> Yes. I don't think this disadvantages the majority of users. It is only
> when setting up an MTA that some thought has to be put into what purpose
> you want mailname to serve. A single word entry, the hostname, say,
> would not suit me.

I refer again to the question I tried to answer:

"What, on a home LAN, is that used for?"

Obviously I don't know your relationship with cityscape.co.uk
but it's a company domain. There's really only one person on
lionunicorn.co.uk and that's me. (My wife uses her institutional
address.) About the only local emails here are from root.

> > As pointed out elsewhere, mailname can be used to generate
> > Message-IDs (mutt does) which might not be globally unique,
> 
> A Message-ID is not used to transport a mail, so how it is generated is
> not of great importance. As it happens, I generate my own through mutt.

And they reveal a domain that looks as though there are few users whose
unqualified names need that particular domain to be added to them.
(I'm obviously guessing here.)

> > not something to concern most home users, and it can be
> > mitigated. It's also used as the envelope-from, it appears,
> > between the mail client and exim which can rewrite it.
> 
> That's exim qualifying an unqualified address.

It doesn't qualify it, it rewrites it. It finds the "FQDN" that's
in /etc/mailname, strips it off and replaces it with dc_readhost.

> > I guess that if you submit mail directly from, say, mutt to
> > a remote smarthost, it would be a good idea to place an
> > email address into /etc/mailname.

I wasn't aware that mutt read /etc/mailname, and it's not in the man
page, but it can use the value of envelope_from_address instead of
the sender if use_envelope_from is set. However, it's some years
since I tried sending emails with its smtp_url. I prefer to stick
them in exim4's queue and have a log entry kept.

> I think it is always a good idea to have a FQDN in /etc/mailname,
> irrespective of what is in /etc/hosts.

I don't think I've seen a good explanation of why though. However, at
least one problem might now be solved, with the recent decision on
.home, .corp and .mail.

Cheers,
David.

Re: no audio

[Glenn English]

On Fri, Feb 23, 2018 at 10:42 PM, songbird  wrote:

>   install paman and see what it says about sources
> and sinks.

It says a lot, but I'm not sure what it all means. Would screenshots
help? But as best I can tell, things are OK there. All the blanks are
filled in, and the sinks say two things: #2 is about Hammerfall. I
don't see anything about Intel, but #1 is 'Built-in Audio Digital
Stereo (IEC958)'. My guess is that's the mobo chip.

There are four sources listed. Two are that Built-in something and the
last two are the Hammerfall.

I found the PA Volume Meter, and it bounces along with Audacity's
meters. I assume that means alsa is working, right?

I found a window labeled Volume Control. It was set to zero. I don't
understand how the meters were bouncing with that at zero, but I
brought it up. Still nothing.

In Audacity, there's a drop-down to select the card/chip. Set to
defaults or HDA Intel, both Audacity and the PA meters bounce.

Here's something interesting: I logged into a buster laptop across the
room (with no recent updates) and ran alsamixer. It's card is HDA
Intel PCH, and its chip is Realtek ALC3235. Not PulseAudio.

I scp'ed a piece of audio to it and opened it in Audacity. Sound works
over there.

There seems to be no way to find PA's version (no mention of a version
option in the man page or in -h).

logs:
dpkg.log:2018-02-23 11:54:58 configure gstreamer1.0-pulseaudio:amd64
1.12.4-1+b1 
dpkg.log:2018-02-23 11:54:58 status unpacked
gstreamer1.0-pulseaudio:amd64 1.12.4-1+b1
dpkg.log:2018-02-23 11:54:58 status half-configured
gstreamer1.0-pulseaudio:amd64 1.12.4-1+b1
dpkg.log:2018-02-23 11:54:58 status installed
gstreamer1.0-pulseaudio:amd64 1.12.4-1+b1

syslog:Feb 23 09:40:31 sbox dbus-daemon[662]: [system] Activating via
systemd: service name='org.freedesktop.RealtimeKit1'
unit='rtkit-daemon.service' requested by ':1.26' (uid=1000 pid=1398
comm="/usr/bin/pulseaudio --daemonize=no ")
syslog:Feb 23 12:15:16 sbox dbus-daemon[680]: [system] Activating via
systemd: service name='org.freedesktop.RealtimeKit1'
unit='rtkit-daemon.service' requested by ':1.24' (uid=1000 pid=1306
comm="/usr/bin/pulseaudio --daemonize=no ")

That's not everything, but it's everything I think is relevant.

There were a few updates and reboots today. And can't find it again,
but I could swear I saw a PA update...

-- 
Glenn English

Re: no audio

[bw]

On Fri, 23 Feb 2018, Glenn English wrote:

> On Fri, Feb 23, 2018 at 10:42 PM, songbird  wrote:
> 
> >   check for something set to Mute or the volume may
> > be set very low somewhere.
> 
> Possible, but there's no mm/MM (that I can see) below the faders, and
> the faders are all up in the red. Were anyway. I took them down to the
> white because I don't like to see red things on a mixer...
> 

Yeah I used to feel this way also, but digital is different than the old 
VU meters we used to use.

AFAIK, maxing out alsamixer won't distort, it should be 0.00dB gain 
which is optimal for less noise, IMO.

Crank it up!!

Re: no audio

[Glenn English]

On Fri, Feb 23, 2018 at 10:42 PM, songbird  wrote:

>   check for something set to Mute or the volume may
> be set very low somewhere.

Possible, but there's no mm/MM (that I can see) below the faders, and
the faders are all up in the red. Were anyway. I took them down to the
white because I don't like to see red things on a mixer...

>   install paman and see what it says about sources
> and sinks.

Will do.

-- 
Glenn English

Re: no audio

[Glenn English]

On Fri, Feb 23, 2018 at 10:42 PM, Ric Moore  wrote:

> Check your logs.

K.

> I have the Realtek alc892 and alsamixer
> finds it without problems.

Alsamixer finds it with no problem here too. It just doesn't stay as
the chip when I try to select it.

> p/s when you use alsamixer you want to see "OO" and not "MM" at the bottom
> of the volume bars. Use the 'm' key to switch the state and then the arrows
> keys to switch between outputs/inputs. "OO" means they are active and "MM"
> is muted.

Been there, and that does stay in place when I set it.

-- 
Glenn English

Re: Stretch: problème avec Ethernet Controller RTL8111

[mirtouf]

Bonsoir,

Le 22/02/2018 à 12:58, bd a écrit :
> Bonjour à tous,
> Je viens d'installer Stretch sur mon nouveau desktop. A l'installation,
> impossible d'avoir une connexion filiaire Ethernet, j'ai dû me contenter
> d'une connexion WiFi. Une fois installé, toujours pas de connexion. Le
> contrôleur graphique me dit : "Réseau" "Filiaire" "câble débranché", ce
> qui n'est évidemment pas le cas.
> 
> lspci me dit : Ethernet controller RTL8111/8168/8411 PCI Express Gigabit
> Ethernet Controller... ... kernel driver in use : r8169. Kernel module
> r8169.
> 
> Cet Ethernet Controller est partie intégrante de ma **Carte mère
> Gigabyte H110M-S2H **
> 
> Parmi les messages dans /var/log/messages, j'ai récupéré notamment
> notamment ceux-ci :
> ...
> - ACPI FADT declares the system doesn't support PCIe ASPM, so disable it
> .
> r8169 :02:00.0 : can't disable ASPM ; OS doesn't have ASPM control
> ...
> r8169  :02:00.0  eth0: RTL8168g/8111g at 
> 28169... enp2s0: renamed from eth0
> 
> enp2s0 link is not ready
> Direct firmware load for rtl_nic/rtl8168g-2.fw failed with error -2
> unable to load firmware patch rtl_nic/rtl8168g-2.fw (-2)
> link down
> 
> Merci d'avance pour votre assistance
> 
> Bernard
> 
> 
A tout hasard, est-il possible de passer le paramètre suivant au noyau ?
"pcie_aspm=force" ou "pcie_aspm=off" et de regarder ce qu'il se passe
dans les logs.

Il serait aussi intéressant d'essayer avec le paquet
https://packages.debian.org/stretch/r8168-dkms
qui remplace le module du noyau.

Je sais ça pue c'est pas libre mais cela a été utile pour moi sur une
autre carte-mère (même si pour le coup je n'avais pas de problème avec
l'ASPM).

A+
Cyril



signature.asc
Description: OpenPGP digital signature

Re:Stretch: problème avec Ethernet Controller RTL8111 (8168)

[bd]

J'ai tenté de bidouiller le bios, et d'activer : Network Stack 
Configuration (disabled ==>enabled).

Activated support for
IPV4 PXE Support
IPV4 HTTP support
IPV6 PXE support
IPV6 HTTP support

Starting HTTP boot over IPV4

(longue attente)

Puis reboot

WiFi : ==> connexion filiaire en cours (attente de près de deux minutes)
puis ==> câble débranché
et çà recommence : connexion filiaire en cours

pendant ce temps, il y a bien clignotement lumineux sur le port éthernet 
au dos du boîtier


Et çà continue d'afficher: "Connexion filiaire en cours 100 Mbs"
puis: "câble débranché"
et à nouveau : "Connexion filiaire en cours 100 Mbs"

et ainsi de suite et ainsi de suite...

et après 5 ou 6 de ces cycles : ==> connecté 100 Mbs !

mais, après quelques dizaines de secondes, çà recommence :

"Câble débranché"
"Connexion filiaire en cours ..."

Je dois dire que j'ai désactivé le WiFi, mais çà n'a pas permis une 
connexion filiaire plus durable.


Si les spécialistes veulent jeter un oeil à la portion de mon 
/var/log/messages qui concerne ces essais, je le mets en pièce attachée 
(si les pièces attachées sont acceptées sur cette liste, sinon je le 
mettrai en ligne d'une autre façon)




messages.bz2
Description: application/bzip

Re: Super (Mod4) + L behavior for MATE

[Matt Zagrabelny]

On Thu, Feb 22, 2018 at 5:01 PM, Matt Zagrabelny  wrote:

> Greetings,
>
> Just upgraded to MATE 1.20.0 (Debian Sid) and I'm noticing something that
> I had not before...
>
> If I hit Super + L, I get a screen lock. However, screen lock is bound to
> Ctrl + Alt + L.
>
> Anyone have ideas as to what is up?
>

Dug into things a little. Here is the short answer:

dconf write /org/mate/marco/global-keybindings/run-command-1 "'disabled'"
dconf write /org/mate/marco/keybinding-commands/command-1 "''"

The longer answer has more questions in it. Such as, why doesn't:

dconf read /org/mate/marco/global-keybindings/run-command-1

return

'l'

??

It only returns a value after the value changes (with the "write" command
above). But that feels like a bug in dconf.

-m

Re: no audio

[songbird]

Glenn English wrote:
...
> Ideas? Suggestions as to what I'm doing wrong?

  check for something set to Mute or the volume may
be set very low somewhere.

  install paman and see what it says about sources
and sinks.


  songbird

Re: no audio

[Ric Moore]

On 02/23/2018 04:26 PM, Glenn English wrote:


I've heard that PulseAudio is the spawn of Satan, and I've used alsa
and its predecessor successfully for years with the mobo audio and
alsa with my RME Hammerfall card.

I haven't scoured to logs for errors yet...


Check your logs. I've used pulse for years with nary a burp in the 
barrel. Do you have pavucontrol installed?? If not, please do so. Use it 
to attempt to configure your sound card. Pulse sits on top of alsa. If 
alsa doesn't work, pulse doesn't stand a chance.  I have the Realtek 
alc892 and alsamixer finds it without problems. Do you have some old 
edits to files like .asoundrc?? I do not have those files. 
Troubleshooting with a shotgun, Ric


p/s when you use alsamixer you want to see "OO" and not "MM" at the 
bottom of the volume bars. Use the 'm' key to switch the state and then 
the arrows keys to switch between outputs/inputs. "OO" means they are 
active and "MM" is muted.



--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html

Re: Stretch: problème avec Ethernet Controller RTL8111

[andre_debian]

On Friday 23 February 2018 23:31:54 Bernard wrote:
> humbert.olivie...@free.fr wrote:
> > Quel est le résultat d'un "cat /etc/network/interfaces" ?

> #This file describes the network interfaces available on your system
> # and how to activate them. For mor information, see interfaces (5).
> # The loopback network interface
> auto lo
> iface lo inet loopback

Il devrait aussi contenir ces lignes :
auto eth1
iface eth1 inet dhcp

# WiFi :
auto wlanX
allow-hotplug wlanX
iface wlanX inet dhcp
wpa-ssid 
wpa-psk 
# X = n° wlan , Y = ssid | et Z = mot de passe.

Si ça tombe, c'est ça la panne de l'E.C. RTL8111...

Re: Stretch: problème avec Ethernet Controller RTL8111

[Bernard]

humbert.olivie...@free.fr wrote:

Quel est le résultat d'un "cat /etc/network/interfaces" ?
  

Voilà :

cat /etc/network/interfaces

#This file describes the network interfaces available on your system
# and how to activate them. For mor information, see interfaces (5).

source /etc/network/interfaces.d*

# The loopback network interface
auto lo
iface lo inet loopback


  

no audio

[Glenn English]

buster -- recent update(s), SuperMicro box

There's no audio, but there was a few weeks ago.

In alsamixer, I've tried selecting the mobo sound chip (HDA Intel).
When alsamixer comes up, it says PulseAudio is the selected card and
chip. I change that to the Intel (the card is HDA Intel, and the chip
is Realtek ALC888) and exit. No sound. When I bring up alsamixer
again, PulseAudio is the card/chip again.

I've read both the alsamixer and PulseAudio man pages and tried a few
things, no help there. I tried starting PulseAudio as root, and see a
line saying I should start it as non-root. I do and there's a line of
what to me is gibberish, but no error message. And there's still no
sound.

I've tried to get some sound with Audacity and SoX. In both, the
output 'meters' bounce like there should be sound in my known working
headphones, but there isn't.

I've heard that PulseAudio is the spawn of Satan, and I've used alsa
and its predecessor successfully for years with the mobo audio and
alsa with my RME Hammerfall card.

I haven't scoured to logs for errors yet...

Ideas? Suggestions as to what I'm doing wrong?

-- 
Glenn English

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 02:32 PM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 02:24:13PM -0500, Stephen P. Molnar wrote:

Sorry it took me a while to get it, but:

root@Igor:~# netstat -nr -f inet6
Kernel IP routing table
Destination Gateway Genmask Flags   MSS Window  irtt Iface
0.0.0.0 192.168.1.254   0.0.0.0 UG0 0  0 enp0s12
192.168.1.0 0.0.0.0 255.255.255.0   U 0 0  0 enp0s12

Hate to break it to you, but it's IPv4 routing table. "-f" does not
designate address family in net-tools' netstat.

What I meant was "ip -6 ro l", although "netstat -rn6" will do.



One, hopefully final, question.  In case I mess up, how do I enable IPv6?

Non-persistent:

echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Persistent - remove appropriate line from /etc/sysctl.conf.
Invoke "sysctl --system"

Reco



I think I got it right this time:

root@Igor:/home/comp# netstat -rn6
Kernel IPv6 routing table
DestinationNext Hop   Flag Met Ref 
Use If
2600:1700:4280:3690::48/128:: Ue   256 1 
0 enp0s12
2600:1700:4280:3690::/64   :: U100 1 
0 enp0s12
2600:1700:4280:3690::/60   fe80::3e04:61ff:feb3:3c20  UG   100 1 
0 enp0s12
fe80::3e04:61ff:feb3:3c20/128  :: U100 1 
0 enp0s12
fe80::/64  :: U256 1 
0 enp0s12
::/0   fe80::3e04:61ff:feb3:3c20  UG   100 2 
8 enp0s12

::/0   :: !n   -1 1 9 lo
::1/128:: Un   0 3 3 lo
2600:1700:4280:3690::48/128:: Un   0 2 0 
enp0s12
2600:1700:4280:3690:2a0:ccff:fe78:c91f/128 :: 
Un   0   2 0 enp0s12
2600:1700:4280:3690:e0d8:d806:ce55:b634/128 :: 
Un   0   2 0 enp0s12
fe80::2a0:ccff:fe78:c91f/128   :: Un   0 3 3 
enp0s12
ff00::/8   :: U256 2
29 enp0s12

::/0   :: !n   -1 1 9 lo
root@Igor:/home/comp#

--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

root@Igor:/home/comp# netstat -rn6
Kernel IPv6 routing table
DestinationNext Hop   Flag Met Ref Use If
2600:1700:4280:3690::48/128:: Ue   256 1 0 
enp0s12
2600:1700:4280:3690::/64   :: U100 1 0 
enp0s12
2600:1700:4280:3690::/60   fe80::3e04:61ff:feb3:3c20  UG   100 1 0 
enp0s12
fe80::3e04:61ff:feb3:3c20/128  :: U100 1 0 
enp0s12
fe80::/64  :: U256 1 0 
enp0s12
::/0   fe80::3e04:61ff:feb3:3c20  UG   100 2 8 
enp0s12
::/0   :: !n   -1  1 9 lo
::1/128:: Un   0   3 3 lo
2600:1700:4280:3690::48/128:: Un   0   2 0 
enp0s12
2600:1700:4280:3690:2a0:ccff:fe78:c91f/128 :: Un   0   
2 0 enp0s12
2600:1700:4280:3690:e0d8:d806:ce55:b634/128 :: Un   0   
2 0 enp0s12
fe80::2a0:ccff:fe78:c91f/128   :: Un   0   3 3 
enp0s12
ff00::/8   :: U256 229 
enp0s12
::/0   :: !n   -1  1 9 lo
root@Igor:/home/comp#

Re: Metalink s a Debian 9

[Juanjo Benages]

El 23/02/18 a las 08:00, Narcis Garcia escribió:

__
I'm using this express-made address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should fix this against automated addresses collectors.
El 22/02/18 a les 21:23, Juanjo Benages ha escrit:

El 22/02/18 a las 09:07, Narcis Garcia escribió:

Algú ha aconseguir descarregar fitxers utilitzant un «metalink»?
He provat amb wget i aria2c sense èxit. Ambdós donen errors estranys.

Un exemple de descàrrega:
https://files.kde.org/kdenlive/unstable/kdenlive-18.04-beta1.AppImage.mirrorlist



Per més informació:
https://es.wikipedia.org/wiki/Metalink


Jo sí puc am l'aria2. He probat:
http://files.kde.org/kdenlive/unstable/kdenlive-18.04-beta1.AppImage.meta4



Quina sintaxi has fet servir exactament?




Simplement:
aria2c 
http://files.kde.org/kdenlive/unstable/kdenlive-18.04-beta1.AppImage.meta4


Quins errors et dona?

Re: Stretch: problème avec Ethernet Controller RTL8111

[Pierre L.]

> Apparemment la carte realtek, ou tout au moins un autre chip inclus
> dans la carte mère, gère aussi le WiFi et je n'avais donc pas besoin
> de cette carte spéciale. Mais, la connexion WiFi que j'obtiens se fait
> sur cette dernière, et non pas sur le chipset de la carte mère.
Humm, et en retirant physiquement la carte wifi additionnelle ?
(histoire d'être fixé)
Et vérifiant dans le bios de l'ordi que les cartes intégrées LAN et wifi
sont bien activées... A voir



signature.asc
Description: OpenPGP digital signature

Re: Stretch: problème avec Ethernet Controller RTL8111

[humbert . olivier . 1]

Quel est le résultat d'un "cat /etc/network/interfaces" ?

Re: Stretch: problème avec Ethernet Controller RTL8111

[Pierre L.]

Le 23/02/2018 à 21:12, Pascal Hambourg a écrit :
> Le 23/02/2018 à 20:32, Pierre L. a écrit :
>>
>> Et s'il tentait avec une Debian Live version firmware non-free ?
>> Si je ne m'abuse, l'ico contient spécialement un petit cocktail de ce
>> type de firmwares ?
>
> Qu'est-ce que "l'ico" ?
Vraiment aucune idée ?
>
> Bernard a déjà indiqué avoir installé le paquet firmware-realtek
> contenant les firmwares pour RTL8168, sans succès.
>
Bon... effectivement dans ce cas ça parait redondant. J'aurais pensé
qu'un autre firmware intégré à cet ISO aurait pu faire avancer les choses.



signature.asc
Description: OpenPGP digital signature

Re: Stretch: problème avec Ethernet Controller RTL8111

[Bernard]

Pierre L. wrote:

Le 23/02/2018 à 20:15, Pascal Hambourg a écrit :
  

Tu peux te procurer l'installateur de Lenny, le lancer sur ce PC et
voir si l'ethernet fonctionne.



Bonsoir,

Et s'il tentait avec une Debian Live version firmware non-free ?
Si je ne m'abuse, l'ico contient spécialement un petit cocktail de ce
type de firmwares ?
https://cdimage.debian.org/images/unofficial/non-free/images-including-firmware/
  
Merci pour cette suggestion. Mais il paraît probable que cela ne 
fonctionnera pas. C'est qu'en effet - voir mes précédents messages - 
j'ai bien installé le firmware "non-free" et le système l'a reconnu : 
avant son installation, un message dans '/var/log/messages' disait que 
le chargement n'avait pas fonctionné, error 2, alors qu'après 
installation du firmware, /var/log/messages précisait que le firmware 
avait bien été chargé, mais à la ligne suivante : "link down'. Donc le 
firmware est bien là, mais il ne fait pas son office sur mon système


  

Re: Stretch: problème avec Ethernet Controller RTL8111

[Bernard]

Pascal Hambourg wrote:

Le 23/02/2018 à 13:53, Bernard a écrit :


Toutefois, je viens de découvrir quelque chose : sur mon vieux 
Desktop sous Lenny (celui d'où j'écris ce message), j'ai la même 
carte réseau rtl8168 que celui qui me pose problème sur mon nouveau 
Desktop sous Stretch.


Exactement le mème modèle ? La même désignation complète, les mêmes 
identifiants PCI, la même révision ?
L'ennui avec les RTL8168 est qu'il en existe une foule de variantes, 
qui ne fonctionnent pas forcément toutes très bien avec le pilote 
r8169 du noyau.


Cette carte ne date pas d'hier, car mon vieux PC date de 2007 ; j'y 
avais d'abord installé Debian Sarge... puis Lenny, sans avoir connu 
aucun problème avec cette carte réseau. Alors, est-ce là un problème 
dû à Stretch ?


Tu peux te procurer l'installateur de Lenny, le lancer sur ce PC et 
voir si l'ethernet fonctionne.


Ou bien est-ce un problème de hardware chez moi ?  Le moniteur de 
réseau me dit : connexion filiaire ==> câble non connecté ! Bien 
évidemment le câble est connecté, et j'ai même essayé de permuter les 
deux cables ethernet alimentant chacun de mes deux PC, sans résultat.


Les voyants du port ethernet s'allument et clignotent ?


Non, je n'ai rien remarqué, c'est à l'arrière de l'unité centrale, et, 
en regardant, j'ai même l'impression qu'il n'y a pas de voyants



Bon : j'essaye d'abord connman... puis wicd...


Ces programmes n'y changeront rien : c'est le pilote du noyau qui 
rapporte l'état déconnecté, à tort ou à raison.



En effet, je n'ai pu installer aucun de ces deux pilotes : des erreurs 
avant la fin de l'installation.


Sans doute ai-je un problème de hardware. A un moment, à force d'essayer 
d'installer des packages et de les désinstaller (purge), je n'avais même 
plus de connexion WiFi, c'est à dire que je ne pouvais plus faire grand 
chose. Je n'arrivais à me connecter - en WiFi - qu'en bootant en mode 
rescue, mais, retour au boot normal cela ne fonctionnait plus. Il va 
sans dire que, même en mode rescue, pas de connexion filiaire, toujours 
la même réponse : "câble débranché"


Alors j'ai dû réinstaller tout Debian. A la seconde installation, le 
programme m'a dès le départ - dès l'examen des possibilités réseau - 
prévenu qu'il me manquait un firmware non-free pour faire fonctionner ma 
connexion Ethernet. Le nom indiqué correspondait bien : rtl8168g-2.fw ; 
le programme d'installation m'a proposé d'introduire une clef usb avec 
ce fichier, puis de cliquer sur 'continuer'. Ce que j'ai fait. Malgré 
cela, la connexion n'a pas eu lieu et le système s'est encore rabattu 
sur le Wifi... pire encore, cette seconde installation n'est pas allée 
jusqu'au bout : à un moment donné tout s'est bloqué, plus d'accès à la 
souris... J'ai dû tout arrêter, rebooter et recommencer une troisième 
installation.


A la troisième installation, le programme ne m'a pas demandé de fournir 
le firmware sur une clef usb. D'ailleurs, la première installation ne 
m'avait rien demandé non plus. Et, cette fois encore les tentatives de 
connexion en filiaire ont échoué, avec les épisodes suivants :


"La configuration automatique a échoué. Le protocole DHCP n'est 
probablement pas utilisé sur le réseau. Il est également possible que le 
serveur DHCP soit lent ou que certains équipements réseau ne 
fonctionnent pas correctement" (message que j'ai chaque fois, même la 
fois où le système m'a demandé de fournir le firmware sur une clef usb). 
Après plusisuers tentatives pour donner des noms au matériel, on s'est 
encore rabattu sur la connexion WiFi.


Le problème de hardware que je soupçonne vaguement est le suivant. Il 
s'agit d'un PC que je viens de faire faire par un assembleur, pour 
lequel j'ai choisi mes composants sur leur catalogue web. La carte mère 
choisie contenait le chip realtek, mais, comme une lecture trop rapide 
m'avait laissé croire qu'avec cette carte il n'y avait pas de 
possibilité de Wifi, j'ai fait ajouter une carte WiFi en plus. Se 
pourrait il que ces deux cartes soient incompatibles, et qu'il faille en 
désinstaller une ?  Apparemment la carte realtek, ou tout au moins un 
autre chip inclus dans la carte mère, gère aussi le WiFi et je n'avais 
donc pas besoin de cette carte spéciale. Mais, la connexion WiFi que 
j'obtiens se fait sur cette dernière, et non pas sur le chipset de la 
carte mère.


Ou encore, la carte mère comprenant le chipset Realtek 8168 est 
physiquement mal installée, ou ses connexions ne sont pas toutes faites.


Le problème, c'est que mon assembleur est à 400 km de chez moi !  Et 
qu'en plus il n'y connait rien aux systèmes Linux

Re: Stretch: problème avec Ethernet Controller RTL8111

[Pascal Hambourg]

Le 23/02/2018 à 20:32, Pierre L. a écrit :


Et s'il tentait avec une Debian Live version firmware non-free ?
Si je ne m'abuse, l'ico contient spécialement un petit cocktail de ce
type de firmwares ?


Qu'est-ce que "l'ico" ?

Bernard a déjà indiqué avoir installé le paquet firmware-realtek 
contenant les firmwares pour RTL8168, sans succès.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 18:41, Michael Lange  wrote:

> On Fri, 23 Feb 2018 16:27:23 +
> Michael Fothergill  wrote:
>
> >
> > ​Sure enough, looking at the spectre meltdown checker on the kernel I am
> > using in gentoo
> > shows the ​
> >
> > ​retpoline is enabled and that the vulnerability status is "not
> > vulnerable".
> >
> > ​It's not recent enough a kernel to address the spectre variant 1
> > problem as far as I am aware.
> >
> > Oh well...
>
> Ha! Then it seems like for once debian is one step ahead :))
>

​OK.

I installed kernel 4.15.4 in gentoo.

I ran the​ spectre-checker again and got some odd results:


jt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 4.15.4-gentoo #1 SMP Fri Feb 23 19:14:21 GMT 2018 x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Mitigation 1
  * Hardware support (CPU microcode)
* Indirect Branch Restricted Speculation (IBRS)
  * SPEC_CTRL MSR is available:  NO
  * CPU indicates IBRS capability:  NO
* Indirect Branch Prediction Barrier (IBPB)
  * PRED_CMD MSR is available:  NO
  * CPU indicates IBPB capability:  NO
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
* IBRS enabled for Kernel space:  NO
* IBRS enabled for User space:  NO
* IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not
vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
djt /home/mikef/spectre-meltdown-checker #


​Even though the previous kernel check I think had retpoline enabled and
the STATUS not vulnerable flag set,
here the retpoline enabled says NO and the STATUS flag says not vulnerable.

So now the schizophrenia has migrated to gentoo (stop laughing).​

Regards

MF​






>
> scnr
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Fascinating, a totally parochial attitude.
> -- Spock, "Metamorphosis", stardate 3219.8
>
>

Re: domain names, was: hostname

[Frank]

Op 21-02-18 om 16:11 schreef Curt:


https://icannwiki.org/.home

TLD;DR

Name Collision Concerns Impede Delegation

  ICANN hired firm Interisle Consulting to carry out an independent 
investigation
  on the issues that may arise from new gTLDs that are identical to TLDs being
  used on internal networks. The publishing of the report sparked a
  community-wide debate that later became known as the Name Collision issue. The
  firm reported at ICANN 47 that .home and .corp gTLDs were cause for serious
  concern since those strings are widely in use by internal naming systems. In
  response to the report, ICANN labeled the .home and .corp strings as "high
  risk" and proposed that neither of the strings be delegated until it could be
  proven that risk is low.[8] These two strings are currently severely delayed
  and some community members guess they may never be delegated.

They hired a consulting firm.


It's already beyond that:

https://www.theregister.co.uk/2018/02/12/icann_corp_home_mail_gtlds/

Regards,
Frank

Re: Stretch: problème avec Ethernet Controller RTL8111

[Pierre L.]

Le 23/02/2018 à 20:15, Pascal Hambourg a écrit :
>
> Tu peux te procurer l'installateur de Lenny, le lancer sur ce PC et
> voir si l'ethernet fonctionne.
>
Bonsoir,

Et s'il tentait avec une Debian Live version firmware non-free ?
Si je ne m'abuse, l'ico contient spécialement un petit cocktail de ce
type de firmwares ?
https://cdimage.debian.org/images/unofficial/non-free/images-including-firmware/




signature.asc
Description: OpenPGP digital signature

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 02:24:13PM -0500, Stephen P. Molnar wrote:
> Sorry it took me a while to get it, but:
> 
> root@Igor:~# netstat -nr -f inet6
> Kernel IP routing table
> Destination Gateway Genmask Flags   MSS Window  irtt Iface
> 0.0.0.0 192.168.1.254   0.0.0.0 UG0 0  0 
> enp0s12
> 192.168.1.0 0.0.0.0 255.255.255.0   U 0 0  0 
> enp0s12

Hate to break it to you, but it's IPv4 routing table. "-f" does not
designate address family in net-tools' netstat.

What I meant was "ip -6 ro l", although "netstat -rn6" will do.


> One, hopefully final, question.  In case I mess up, how do I enable IPv6?

Non-persistent:

echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Persistent - remove appropriate line from /etc/sysctl.conf.
Invoke "sysctl --system"

Reco

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 01:02 PM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:55:41PM -0500, Stephen P. Molnar wrote:

On 02/23/2018 12:34 PM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:10:47PM -0500, Stephen P. Molnar wrote:

Of course, the above becomes moot, after I disable IPV6.

Exactly.



I have three other devices on my router, a Desktop, a Laptop and a Printer.
How will disabling IPv6 on the router affect them?

A printer should live. Assuming that's a good printer, not that modern
kids' toy that comes to Internet just for the heck of it.

A desktop and a laptop should not notice it. It depends on their OS of
course, but as long as you don't need to connect to them from outside
world via IPv6 - nobody will change for them.

What about just disabling IPv6 on the platform that's having the problem?
How can I do that?

echo net.ipv6.conf.all.disable_ipv6 = 1 >> /etc/sysctl.conf



Also, just out of curiosity I installed Stretch in a VirtualBox on this
computer and it isn't having any problems with IPv6.

That's … unexpected. But, assuming you're using VirtualBox NAT -
explainable.
But if you're using VirtualBox's bridged connection - what would be
interesting.



The other Desktop is an older 32 bit computer that used to run WindowsXP on
which I installed the 32 bit version of Stretch  It isn't having any
problems, other than those that can be ascribed to a tired platform way past
it's prime.

Care to share IPv6 routing table from this another host?

Reco



Sorry it took me a while to get it, but:

root@Igor:~# netstat -nr -f inet6
Kernel IP routing table
Destination Gateway Genmask Flags   MSS Window  irtt Iface
0.0.0.0 192.168.1.254   0.0.0.0 UG0 0  0 enp0s12
192.168.1.0 0.0.0.0 255.255.255.0   U 0 0  0 enp0s12

One, hopefully final, question.  In case I mess up, how do I enable IPv6?

--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Stretch: problème avec Ethernet Controller RTL8111

[Pascal Hambourg]

Le 23/02/2018 à 13:53, Bernard a écrit :


Toutefois, je viens de découvrir quelque chose : sur mon vieux Desktop 
sous Lenny (celui d'où j'écris ce message), j'ai la même carte réseau 
rtl8168 que celui qui me pose problème sur mon nouveau Desktop sous 
Stretch.


Exactement le mème modèle ? La même désignation complète, les mêmes 
identifiants PCI, la même révision ?
L'ennui avec les RTL8168 est qu'il en existe une foule de variantes, qui 
ne fonctionnent pas forcément toutes très bien avec le pilote r8169 du 
noyau.


Cette carte ne date pas d'hier, car mon vieux PC date de 2007 ; 
j'y avais d'abord installé Debian Sarge... puis Lenny, sans avoir connu 
aucun problème avec cette carte réseau. Alors, est-ce là un problème dû 
à Stretch ?


Tu peux te procurer l'installateur de Lenny, le lancer sur ce PC et voir 
si l'ethernet fonctionne.


Ou bien est-ce un problème de hardware chez moi ?  Le 
moniteur de réseau me dit : connexion filiaire ==> câble non connecté ! 
Bien évidemment le câble est connecté, et j'ai même essayé de permuter 
les deux cables ethernet alimentant chacun de mes deux PC, sans résultat.


Les voyants du port ethernet s'allument et clignotent ?


Bon : j'essaye d'abord connman... puis wicd...


Ces programmes n'y changeront rien : c'est le pilote du noyau qui 
rapporte l'état déconnecté, à tort ou à raison.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Lange]

On Fri, 23 Feb 2018 16:27:23 +
Michael Fothergill  wrote:

> 
> ​Sure enough, looking at the spectre meltdown checker on the kernel I am
> using in gentoo
> shows the ​
> 
> ​retpoline is enabled and that the vulnerability status is "not
> vulnerable".
> 
> ​It's not recent enough a kernel to address the spectre variant 1
> problem as far as I am aware.
> 
> Oh well...

Ha! Then it seems like for once debian is one step ahead :))

scnr

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Fascinating, a totally parochial attitude.
-- Spock, "Metamorphosis", stardate 3219.8

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Lange]

On Fri, 23 Feb 2018 16:40:00 +
Michael Fothergill  wrote:

(...)
> > * Mitigation 2
> >   * Kernel compiled with retpoline option:  YES
> >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > reports full retpoline compilation)
> > > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
> >
> 
> ​That is a bit topsy turvy
> 
> But maybe it's saying that the compilation did work after all.

I cannot see anything topsy-turvy in the output of that command, it
clearly says that the mitigation for "spectre-2" is in place (as well as
the mitigations for "spectre-1" and "meltdown"). So as far as I can see,
since yesterday's updates this whole discussion seems quite obsolete now.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

No more blah, blah, blah!
-- Kirk, "Miri", stardate 2713.6

Re: Install or build an older gcc/g++ on new Debian (GCC backport)

[Reco]

Hi.

On Fri, Feb 23, 2018 at 05:57:59PM +, Bas Ali wrote:
> 
> Hi,
> Just to need help for what concerning to build or/and install an older GCC on 
> a new Debian Distro (e.g 8.8 or 9.3)
> The goal is to be able to compile and build binaries on the New Debian with 
> an older GCC to keep backcompatibility of binaries program previously built 
> on Debian 7 (32bits Wheezy)  using the built-in GCC (4.7.2). Ideally the two 
> binaries built from a Debian 7 32bits and from Debian 8 64bits will be the 
> same byte a byte. 

That could be much more complex than using old GCC.
These guys - [1] - are trying to solve much easier problem - and they
aren't there yet.


> At this moment I know that it possible (but maybe not the good solution ?) to 
> build a 4.7.2 GCC source with the Built-in GCC of a Debian 8.8 (64bits 
> Jessie) but it appears that for > 4.5 GCC there is a need to build too other 
> packages (MPC, MPFR,..) separately (using some option to built on good 
> directory).

Being lazy, I solve such problems with good old chroot.
I mean, why go into all this trouble by compiling a toolchain from the
source if someone did it already.

You need something built for Debian 7 i386? Make a chroot of Debian 7
i386 and build you binaries there.

Making chroot by hand sounds too complex? Use LXC, they have a nice easy
way to set up pretty much any major Linux distribution in a container.

[1] https://wiki.debian.org/ReproducibleBuilds

Reco

Re: Install or build an older gcc/g++ on new Debian (GCC backport)

[Greg Wooledge]

On Fri, Feb 23, 2018 at 05:57:59PM +, Bas Ali wrote:
> Just to need help for what concerning to build or/and install an older GCC on 
> a new Debian Distro (e.g 8.8 or 9.3)
> The goal is to be able to compile and build binaries on the New Debian with 
> an older GCC to keep backcompatibility of binaries program previously built 
> on Debian 7 (32bits Wheezy)  using the built-in GCC (4.7.2). Ideally the two 
> binaries built from a Debian 7 32bits and from Debian 8 64bits will be the 
> same byte a byte. 

Just install wheezy in a chroot and compile there, if you want to produce
programs that can run on wheezy.

Re: Setting up a local DNS server but clients that use it can't access the internet

[Greg Wooledge]

On Fri, Feb 23, 2018 at 05:57:21PM +, Aero Maxx wrote:
> Basically I have local clients that are a mixture of windows and linux,
> these clients need to be able to access the internet for updates and so on,
> but to also access services that are on the local network by a hostname
> that has been setup correctly I believe on the local DNS server.

What domain name did you choose for your local area network?

What software are you using on the DNS server?  How is it configured?

Did you use a combined nameserver + recursive resolver on a single
host, or did you separate the functionality?

Plus, all the other excellent questions others have already given.
In short, you must give details.  All of the details.

Install or build an older gcc/g++ on new Debian (GCC backport)

[Bas Ali]

Hi,
Just to need help for what concerning to build or/and install an older GCC on a 
new Debian Distro (e.g 8.8 or 9.3)
The goal is to be able to compile and build binaries on the New Debian with an 
older GCC to keep backcompatibility of binaries program previously built on 
Debian 7 (32bits Wheezy)  using the built-in GCC (4.7.2). Ideally the two 
binaries built from a Debian 7 32bits and from Debian 8 64bits will be the same 
byte a byte. 
At this moment I know that it possible (but maybe not the good solution ?) to 
build a 4.7.2 GCC source with the Built-in GCC of a Debian 8.8 (64bits Jessie) 
but it appears that for > 4.5 GCC there is a need to build too other packages 
(MPC, MPFR,..) separately (using some option to built on good directory).
Is this method bellow correct ? 
I think there will be the main libraries (libgcc, libc, libstdc++,.. ) to check 
for changes from previous version etc...
 Do I need to install gcc-multilib because the 4.7.2 GCC was from a 32 bits 
machine ?Do I need to add Multi ARCH  (e.g.: dpkg  --add-architecture i386) ?
Thanks in advanceAli

Re: HS: Virtualisation côté serveur

[JF Straeten]

Hello,

On Fri, Feb 23, 2018 at 07:00:16PM +0100, Raphaël POITEVIN wrote:

[...]
> Je souhaite mettre différents services sur un serveur : Web, Mail,
> Jitsi etc. Je voudrais en profiter pour virtualiser afin de séparer
> ces différents services. Je penche pour LXC, n’ayant que des
> GNU/Linux à faire tourner.

Tu peux, c'est un bon choix à mon humble avis.

C'est assez facile à mettre en œuvre, parce que de base dans la
distribution. VServer existe toujours, mais tu passes ton temps à « te
battre » avec la distri pour le mettre en œuvre (trouver le kernel,
forcer son installation, adapter tous les VServers pour n'écouter que
sur leur IP, etc...), alors que LXC est dedans et marche pratiquement
tout seul...

Je ne vois qu'un seul bémol aux containers LXC, c'est qu'ils sont plus
lourds et moins rapides que des VServer :-/


> Est-il recomandé de le coupler à Libvirt ? Je ne connais ni l’un ni
> l’autre pour le moment.

Tu peux, mais ce n'est pas obligatoire. Les outils fournis de base
marchent très bien...

Et je me demande si ça a un intérêt quand on utilise qu'une seule
technologie de virtualisation ? Avec plusieurs, l'abstraction que ça
procure permet de n'étudier que libvirt... Mais avec une seule ?

Hih,
-- 

JFS.

Re: Setting up a local DNS server but clients that use it can't access the internet

[Roberto C . Sánchez]

On Fri, Feb 23, 2018 at 05:57:21PM +, Aero Maxx wrote:
>I was wondering if someone would be as so kind to point me in the right
>direction for what I am trying to achieve.

[snip vague problem description]

What is the output of 'ip addr ls' and 'ip route ls' on one of the Linux
clients? What are the contents of /etc/resolv.conf and /etc/hosts on one
of the Linux clients? What are the contents of /etc/bind/named.conf*
(that is, all the configuration files with names starting with
/etc/bind/named.conf)? What is the actual output where you see errors?
For example, if nslookup fails, please provide the complete command-line
and the complete error output. Same for apt-get or any other thing that
is failing.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Thunderbird et noyau 4.15

[David BERCOT]

Bonjour,

Je viens de passer sur un noyau 4.15 (cool, le test pour Meltdown et
Spectre est négatif ;-)) et j'ai un problème bizarre avec Thunderbird :
"Thunderbird is already running, but is not responding. To open a new
window, you must first close the existing Thunderbird process, or
restart your system."

Or, Thunderbird n'est pas lancé !!! Un ps -ef | grep thunder me le
confirme...

D'autre part, j'ai bien sûr vérifié les lock et autres joyeusetés du
même genre.

Bizarrement, si je reboot sur un noyau 4.12 (et ce, plusieurs fois de
suite sur ces 2 noyaux), tout marche parfaitement.

J'ai également testé un "safe mode" sans succès...

Auriez-vous une idée ?

Merci d'avance.

David.

Re: Setting up a local DNS server but clients that use it can't access the internet

[Reco]

Hi.

On Fri, Feb 23, 2018 at 05:57:21PM +, Aero Maxx wrote:
> If someone is able to point in the right direction I would be ever so
> grateful!

Please invoke this on one of the problematic client hosts:

dig in a debian.org +trace +recurse

dig in a google.com +trace +recurse

Reco

Re: HS: Virtualisation côté serveur

[daniel huhardeaux]

Le 23/02/2018 à 19:00, Raphaël POITEVIN a écrit :

Bonsoir,


Bonsoir



Je souhaite mettre différents services sur un serveur : Web, Mail,
Jitsi etc. Je voudrais en profiter pour virtualiser afin de séparer ces
différents services. Je penche pour LXC, n’ayant que des GNU/Linux à
faire tourner. Est-il recomandé de le coupler à Libvirt ? Je ne connais
ni l’un ni l’autre pour le moment.


Perso c'est kvm+libvirt

--
Daniel

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 12:55:41PM -0500, Stephen P. Molnar wrote:
> 
> On 02/23/2018 12:34 PM, Reco wrote:
> > Hi.
> > 
> > On Fri, Feb 23, 2018 at 12:10:47PM -0500, Stephen P. Molnar wrote:
> > > Of course, the above becomes moot, after I disable IPV6.
> > Exactly.
> > 
> > 
> > > I have three other devices on my router, a Desktop, a Laptop and a 
> > > Printer.
> > > How will disabling IPv6 on the router affect them?
> > A printer should live. Assuming that's a good printer, not that modern
> > kids' toy that comes to Internet just for the heck of it.
> > 
> > A desktop and a laptop should not notice it. It depends on their OS of
> > course, but as long as you don't need to connect to them from outside
> > world via IPv6 - nobody will change for them.
>
> What about just disabling IPv6 on the platform that's having the problem?
> How can I do that?

echo net.ipv6.conf.all.disable_ipv6 = 1 >> /etc/sysctl.conf


> Also, just out of curiosity I installed Stretch in a VirtualBox on this
> computer and it isn't having any problems with IPv6.

That's … unexpected. But, assuming you're using VirtualBox NAT -
explainable.
But if you're using VirtualBox's bridged connection - what would be
interesting.


> The other Desktop is an older 32 bit computer that used to run WindowsXP on
> which I installed the 32 bit version of Stretch  It isn't having any
> problems, other than those that can be ascribed to a tired platform way past
> it's prime.

Care to share IPv6 routing table from this another host?

Reco

HS: Virtualisation côté serveur

[Raphaël POITEVIN]

Bonsoir,

Je souhaite mettre différents services sur un serveur : Web, Mail,
Jitsi etc. Je voudrais en profiter pour virtualiser afin de séparer ces
différents services. Je penche pour LXC, n’ayant que des GNU/Linux à
faire tourner. Est-il recomandé de le coupler à Libvirt ? Je ne connais
ni l’un ni l’autre pour le moment.

grand merci.

Cordialement,
-- 
Raphaël POITEVIN

Setting up a local DNS server but clients that use it can't access the internet

[Aero Maxx]

I was wondering if someone would be as so kind to point me in the right
direction for what I am trying to achieve.

Basically I have local clients that are a mixture of windows and linux,
these clients need to be able to access the internet for updates and so on,
but to also access services that are on the local network by a hostname
that has been setup correctly I believe on the local DNS server.

The clients are able to use the dns server when specified as a nameserver
on linux in the resolv.conf file and as a dns server on windows, I have
only tested this with the linux clients at present but when they are using
the local dns server as the sole name server the linux clients can do an
nslookup on domains such as google for example, and get google's ip
address.  So it would seem as that internet access works, but when trying
to do updates from apt-get this fails as ***.debian.org fails to resolve to
an ip address, and nslookup debian.org doesn't work, no ip address is
returned.

The local domain and subdomains that are setup on the local dns server do
work, the clients are able to access the correct services, in order for the
linux clients to do updates the isp name servers have to be put back in
resolv.conf then updates work, and then the file has to be changed back to
the local dns server once again.

I have followed the ubuntu guide at the link below, and yes I realise I am
not using ubuntu and using debian instead, but as these are both debian
like and/or based distro's I didn't think it would be an issue.

https://help.ubuntu.com/lts/serverguide/dns-configuration.html

I am not sure if this is relevant, but each server and client has two
network cards the first network card is for internet access only and DHCP
addresses are provided to that card, the other network card is access to a
vlan that the servers and other clients are on, no internet access is
possible through the second network card.  This setup isn't something that
can be changed and so the solution would need to work with this setup.

If someone is able to point in the right direction I would be ever so
grateful!

Thank you.


Virus-free.
www.avast.com

<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 12:34 PM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:10:47PM -0500, Stephen P. Molnar wrote:

Of course, the above becomes moot, after I disable IPV6.

Exactly.



I have three other devices on my router, a Desktop, a Laptop and a Printer.
How will disabling IPv6 on the router affect them?

A printer should live. Assuming that's a good printer, not that modern
kids' toy that comes to Internet just for the heck of it.

A desktop and a laptop should not notice it. It depends on their OS of
course, but as long as you don't need to connect to them from outside
world via IPv6 - nobody will change for them.

Reco


What about just disabling IPv6 on the platform that's having the 
problem?  How can I do that?


Also, just out of curiosity I installed Stretch in a VirtualBox on this 
computer and it isn't having any problems with IPv6.


The other Desktop is an older 32 bit computer that used to run WindowsXP 
on which I installed the 32 bit version of Stretch  It isn't having any 
problems, other than those that can be ascribed to a tired platform way 
past it's prime.


--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 12:10:47PM -0500, Stephen P. Molnar wrote:
> Of course, the above becomes moot, after I disable IPV6.

Exactly.


> I have three other devices on my router, a Desktop, a Laptop and a Printer.
> How will disabling IPv6 on the router affect them?

A printer should live. Assuming that's a good printer, not that modern
kids' toy that comes to Internet just for the heck of it.

A desktop and a laptop should not notice it. It depends on their OS of
course, but as long as you don't need to connect to them from outside
world via IPv6 - nobody will change for them.

Reco

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 11:30 AM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 10:45:24AM -0500, Stephen P. Molnar wrote:

root@AbNormal:/home/comp# ip netns exec test ip a l
3: net0@if2:  mtu 1500 qdisc noqueue state
UP group default qlen 1000
 link/ether be:80:71:d1:8a:96 brd ff:ff:ff:ff:ff:ff link-netnsid 0
 inet6 2600:1700:4280:3690:bc80:71ff:fed1:8a96/64 scope global mngtmpaddr
dynamic
valid_lft 1209450sec preferred_lft 1209450sec
 inet6 fe80::bc80:71ff:fed1:8a96/64 scope link
valid_lft forever preferred_lft forever

So, I have a good news, and a bad news.
Good news being - I honestly don't know how you were able to achieve
*that* IPv6 configuration in a primary network namespace, but in this
separate network namespace things look reasonable.
You have one RA-provided IPv6 address, which is normal if one disables
IPv6 privacy extensions (they are disabled by default, btw).



root@AbNormal:/home/comp# ip netns exec test ip -6 ro l
2600:1700:4280:3690::/64 dev net0 proto kernel metric 256  expires
1209439sec pref medium
fe80::/64 dev net0 proto kernel metric 256  pref medium
default via fe80::3e04:61ff:feb3:3c20 dev net0 proto ra metric 1024 expires
1639sec hoplimit 64 pref medium

And you have perfectly normal IPv6 routing table, with RA-provided
default route.



root@AbNormal:/home/comp# ip netns exec test traceroute -n
2a02:16a8:dc41:100::233
traceroute to 2a02:16a8:dc41:100::233 (2a02:16a8:dc41:100::233), 30 hops
max, 80 byte packets
  1  * * *

Which brings me to the bad news.
Whatever router you're using refuses forwarding your IPv6 packets.

It does not matter if it drops the packets, or sends your host some
"refused" messages via SNMP - the thing fails to perform its primary
function.

I deliberately stay clear from SOHO routers, regardless of whoever
produced them, so I cannot help you here. In fact, I choose mine with
exactly one quality in mind - an ability to run Debian. Which I
installed on it the moment they delivered me the thing.

Best advice I can give - get yourself something that can be flashed with
openwrt.
Until then - disable IPv6 on your router altogether, it's not going to
work.

Reco




I realoly hate to have to send this, but I had occasion to restart the 
OS and this is what Igot:


root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Get:2 http://debian.uchicago.edu/debian stretch-updates InRelease [91.0 kB]
Get:3 http://debian.uchicago.edu/debian stretch-backports InRelease 
[91.8 kB]

Hit:4 http://debian.uchicago.edu/debian stretch Release
Get:5 http://debian.uchicago.edu/debian stretch-backports/main 
Sources.diff/Index [27.8 kB]
Get:6 http://debian.uchicago.edu/debian stretch-backports/main amd64 
Packages.diff/Index [27.8 kB]
Get:7 http://debian.uchicago.edu/debian stretch-backports/main Sources 
2018-02-23-1422.59.pdiff [871 B]
Get:7 http://debian.uchicago.edu/debian stretch-backports/main Sources 
2018-02-23-1422.59.pdiff [871 B]
Get:8 http://debian.uchicago.edu/debian stretch-backports/main amd64 
Packages 2018-02-23-1422.59.pdiff [802 B]
Get:8 http://debian.uchicago.edu/debian stretch-backports/main amd64 
Packages 2018-02-23-1422.59.pdiff [802 B]

0% [Connecting to prod.debian.map.fastly.net (2a04:4e42:b::204)]

Then, after about 30 seconds I got:

Hit:10 http://security.debian.org/debian-security stretch/updates InRelease
Fetched 240 kB in 2min 0s (1,991 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Of course, the above becomes moot, after I disable IPV6.

I have three other devices on my router, a Desktop, a Laptop and a 
Printer.  How will disabling IPv6 on the router affect them?


--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: domain names, was: hostname

[Joe]

On Fri, 23 Feb 2018 12:54:10 - (UTC)
Dan Purgert  wrote:


> 
> While this may be true in many cases, my local (home) relay *only*
> accepts relay requests from hosts within the scope of my domain.
> Granted, now that I've moved ISPs, some remote mailhosts (hotmail,
> I'm lookin' at you) like to reject things.  Gonna have to find what
> their relay is, so I can relay through their mailserver and make it
> look legit.
> 
> Funny thing is, gmail, att/yahoo, and others all happily accept the
> mail.
> 

What the mail admin accepts is a matter of taste, and whether any
blacklists are used. I have my own blacklist (which contains a couple
of /8s), plus a list of about 20 country tlds, plus a few really
egregious ISPs that I reject. I did also reject servers without proper
PTR records, but I've relaxed that now as so many domestic accounts
seem to have them and so many small outsourcing email providers don't. I
require a sending domain and HELO that are resolvable in public DNS,
and I request an ident on a thirty-second timeout, which many spammers
give up on. Every little helps...

-- 
Joe

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 16:28, Michael Lange  wrote:

> Hi,
>
> On Fri, 23 Feb 2018 16:52:12 +0100
> Felipe Salvador  wrote:
>
> (...)
> > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> > > * Mitigated according to the /sys interface:  YES  (kernel confirms
> > > that the mitigation is active)
> > > * Mitigation 1
> > >   * Kernel is compiled with IBRS/IBPB support:  NO
> > >   * Currently enabled features
> > > * IBRS enabled for Kernel space:  NO
> > > * IBRS enabled for User space:  NO
> > > * IBPB enabled:  NO
> > > * Mitigation 2
> > >   * Kernel compiled with retpoline option:  YES
> > >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > > reports full retpoline compilation)
> > >   * Retpoline enabled:  NO
> > ^^
> > I get the same result. I wonder why reptoline is disabled.
>
> I asked myself the same question (same result here). Maybe the answer is
> that it is a bug in the script? With the latest version from github the
> respective part here now looks like:
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
> full retpoline compilation)
> > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
>

​That is a bit topsy turvy

But maybe it's saying that the compilation did work after all.

Regards

MF
​



>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Death.  Destruction.  Disease.  Horror.  That's what war is all about.
> That's what makes it a thing to be avoided.
> -- Kirk, "A Taste of Armageddon", stardate 3193.0
>
>

Re: Problems with clean install of fvwm

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Feb 23, 2018 at 09:57:12AM -0600, Richard Owlett wrote:

[...]

> I just did "apt-get install xorg".
> Now typing "startx" at command line does give me a fvwm screen.

So fvwm is running already (more below)

> However typing "fvwm" at command line gives
> >[fvwm][main] <> can't open display

You are trying to start it off a console not "in" X? This won't
work -- fvwm needs (as every X application) to know which X server
to talk to. This is usually done via the DISPLAY environment
variable. So to start fvwm you would have either to start it
from "whithin" the X session (e.g. from an XTerm running in
there, or more typically from an X session init script) or
you'd have to provide the "display" address yourself.

The canonical way of doing that is that X invokes a session
init script (in your trusty debian somewhere /etc/X11/Xsession,
which collects bits and pieces in /etc/X11/Xsession.d -- therein
50x11-common_determine-startup should be doing the window manager
magic for you. So that's probably why X "does give me a fvwm
screen" above, if I got you correctly.

> What's still to be installed/configured?
> Would this be a bug against the fvwm package for not installing and
> configuring xorg?

All should be well (or I misunderstood you)

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlqQR80ACgkQBcgs9XrR2kauNQCggJWzWudyCiVdrTZ3BZL+3eGl
2ikAoIHgJByHyanoAMWnssJTne906BFr
=d1q8
-END PGP SIGNATURE-

Re: Problems with clean install of fvwm

[Brian]

On Fri 23 Feb 2018 at 09:57:12 -0600, Richard Owlett wrote:

> I just did "apt-get install xorg".
> Now typing "startx" at command line does give me a fvwm screen.

Fine. Now use the mouse (click) to get a menu.

> However typing "fvwm" at command line gives
> > [fvwm][main] <> can't open display

Do you mean you typed 'fvwm' instead of 'startx'? If you did - stop
doing it.

> What's still to be installed/configured?

Nothing.
> Would this be a bug against the fvwm package for not installing and
> configuring xorg?

No.

-- 
Brian.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 16:14, Michael Fothergill <
michael.fotherg...@gmail.com> wrote:

>
>
> On 23 February 2018 at 14:14, Michael Fothergill <
> michael.fotherg...@gmail.com> wrote:
>
>>
>>
>> On 23 February 2018 at 14:05, mlnl  wrote:
>>
>>> Hi,
>>>
>>> > ​Can it be true?  A version of gcc that runs on stretch that will
>>> > compile the latest fancy spectre fixes etc?
>>>
>>> with latest vanilla kernel 4.15.4 and updated gcc-6:
>>>
>>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
>>> bits array_index_mask_nospec())
>>> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>>>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Mitigation 1
>>>   * Kernel is compiled with IBRS/IBPB support:  NO
>>>   * Currently enabled features
>>> * IBRS enabled for Kernel space:  NO
>>> * IBRS enabled for User space:  NO
>>> * IBPB enabled:  NO
>>> * Mitigation 2
>>>   * Kernel compiled with retpoline option:  YES
>>>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
>>> reports full retpoline compilation)
>>>   * Retpoline enabled:  NO
>>>
>>
> ​Wot?  How can retpoline not be  enabled but the status is not
> vulnerable..
>

​Sure enough, looking at the spectre meltdown checker on the kernel I am
using in gentoo
shows the ​

​retpoline is enabled and that the vulnerability status is "not vulnerable".

​It's not recent enough a kernel to address the spectre variant 1 problem
as far as I am aware.

Oh well...

Cheers MF



> djt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 4.14.15-gentoo #1 SMP Tue Jan 30 16:22:47 GMT 2018 x86_64
> CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your
> system is vulnerable)
> > STATUS:  VULNERABLE  (Vulnerable)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Hardware support (CPU microcode)
> * Indirect Branch Restricted Speculation (IBRS)
>   * SPEC_CTRL MSR is available:  NO
>   * CPU indicates IBRS capability:  NO
> * Indirect Branch Prediction Barrier (IBPB)
>   * PRED_CMD MSR is available:  NO
>   * CPU indicates IBPB capability:  NO
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
> full retpoline compilation)
>   * Retpoline enabled:  YES
> > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> your CPU is unaffected)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  NO
> * Running under Xen PV (64 bits):  NO
> > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not
> vulnerable)
>
> A false sense of security is worse than no security at all, see
> --disclaimer
> djt /home/mikef/spectre-meltdown-checker #
>
> ​
>
>
>
>> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>>>
>>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Kernel supports Page Table Isolation (PTI):  YES
>>> * PTI enabled and active:  YES
>>> * Running as a Xen PV DomU:  NO
>>> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>>>
>> ​
>> Absolutely whale harpooned it
>>
>> Great stuff.
>>
>> Cheers
>>
>> MF
>> ​
>>
>>>
>>> grep bugs /proc/cpuinfo
>>> bugs: cpu_meltdown spectre_v1 spectre_v2
>>> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>>>
>>>
>>>
>>> stepping: 3
>>>
>>>
>>>
>>> microcode   : 0x22
>>>
>>> --
>>> mlnl
>>>
>>>
>>
>

Re: Problems with clean install of fvwm

[John Hasler]

David Wright writes:
> It doesn't mean that if you install a package designed to run on X
> that apt will immediately install all the packages required for a
> functional X system.

Fvwm does not depend on an X server because it might be running on a
headless machine while an X server is running on the machine the user is
sitting in front of.  The X Window System is a *network* system.  Every
window on your screen could be coming from a different remote computer.
So could the window manager, which is just another process to the X
server.

Install the xorg package.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA

Re: Problems with clean install of fvwm

[Brian]

On Fri 23 Feb 2018 at 16:56:19 +0100, to...@tuxteam.de wrote:

> On Fri, Feb 23, 2018 at 09:12:04AM -0600, Richard Owlett wrote:
> 
> 
> > To clarify I got a console command line (Whole screen is one window
> > with no graphical ornaments !)
> 
> Aha. As someone already said in this thread, it seems you have no
> X installed. Package xserver-xorg, I'd guess...

'apt install xorg' is better for most users (which includes the OP).
 
> > I tried issuing "startx" itself and received "command not found".
 
> Hm. This one is in package xinit, which is not a necessary part
> of X. So not a bad omen in itself.

xorg depends on xinit.

> > When I had initially done "apt-get install fvwm", should some
> > portion of the Xsystem been installed?
> 
> Yes, I'd venture your X server is missing.

To answer the question as posed - no.

An xserver is a display device. It runs on the machine the user is
sat in front of. The program to be displayed (fvwm in this case) can
be located on any machine on the network, like the supercomputer a
few thousand miles away. The speed of display will be limited by the
network connection. Over dial-up, fvwm and xorg may as well be on the
same machine.

So, you are correct and helpful - but didn't (as you usually do) answer
the question. ;)

-- 
Brian.

Re: Problems with clean install of fvwm

[David Wright]

On Fri 23 Feb 2018 at 10:23:53 (-0600), David Wright wrote:
> 
> #!/bin/sh
> exec /usr/bin/fvwm >| $HOME/.fvwm-stdout 2>| $HOME/.fvwm-stderr &
> WMPID=$!

This line got wrapped; sorry.

> xterm …
> xterm …
> swisswatch -title local -noshape
> xconsole -name console -file /dev/xconsole -exitOnFail
> xclock -strftime "%a %d"
> # and so on
> # wait for the window manager in the background to die
> wait $WMPID

A clean copy:

#!/bin/sh
exec /usr/bin/fvwm >| $HOME/.fvwm-stdout 2>| $HOME/.fvwm-stderr & WMPID=$!
xterm …
xterm …
swisswatch -title local -noshape
xconsole -name console -file /dev/xconsole -exitOnFail
xclock -strftime "%a %d"
# and so on
# wait for the window manager in the background to die
wait $WMPID

Cheers,
David.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Lange]

Hi,

On Fri, 23 Feb 2018 16:52:12 +0100
Felipe Salvador  wrote:

(...)
> > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> > * Mitigated according to the /sys interface:  YES  (kernel confirms
> > that the mitigation is active)
> > * Mitigation 1
> >   * Kernel is compiled with IBRS/IBPB support:  NO
> >   * Currently enabled features
> > * IBRS enabled for Kernel space:  NO
> > * IBRS enabled for User space:  NO
> > * IBPB enabled:  NO
> > * Mitigation 2
> >   * Kernel compiled with retpoline option:  YES
> >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > reports full retpoline compilation)
> >   * Retpoline enabled:  NO
> ^^
> I get the same result. I wonder why reptoline is disabled.

I asked myself the same question (same result here). Maybe the answer is
that it is a bug in the script? With the latest version from github the
respective part here now looks like:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the 
mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
* IBRS enabled for Kernel space:  NO 
* IBRS enabled for User space:  NO 
* IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full 
retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Death.  Destruction.  Disease.  Horror.  That's what war is all about.
That's what makes it a thing to be avoided.
-- Kirk, "A Taste of Armageddon", stardate 3193.0

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 10:45:24AM -0500, Stephen P. Molnar wrote:
> root@AbNormal:/home/comp# ip netns exec test ip a l
> 3: net0@if2:  mtu 1500 qdisc noqueue state
> UP group default qlen 1000
> link/ether be:80:71:d1:8a:96 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet6 2600:1700:4280:3690:bc80:71ff:fed1:8a96/64 scope global mngtmpaddr
> dynamic
>valid_lft 1209450sec preferred_lft 1209450sec
> inet6 fe80::bc80:71ff:fed1:8a96/64 scope link
>valid_lft forever preferred_lft forever

So, I have a good news, and a bad news.
Good news being - I honestly don't know how you were able to achieve
*that* IPv6 configuration in a primary network namespace, but in this
separate network namespace things look reasonable.
You have one RA-provided IPv6 address, which is normal if one disables
IPv6 privacy extensions (they are disabled by default, btw).


> root@AbNormal:/home/comp# ip netns exec test ip -6 ro l
> 2600:1700:4280:3690::/64 dev net0 proto kernel metric 256  expires
> 1209439sec pref medium
> fe80::/64 dev net0 proto kernel metric 256  pref medium
> default via fe80::3e04:61ff:feb3:3c20 dev net0 proto ra metric 1024 expires
> 1639sec hoplimit 64 pref medium

And you have perfectly normal IPv6 routing table, with RA-provided
default route.


> root@AbNormal:/home/comp# ip netns exec test traceroute -n
> 2a02:16a8:dc41:100::233
> traceroute to 2a02:16a8:dc41:100::233 (2a02:16a8:dc41:100::233), 30 hops
> max, 80 byte packets
>  1  * * *

Which brings me to the bad news.
Whatever router you're using refuses forwarding your IPv6 packets.

It does not matter if it drops the packets, or sends your host some
"refused" messages via SNMP - the thing fails to perform its primary
function.

I deliberately stay clear from SOHO routers, regardless of whoever
produced them, so I cannot help you here. In fact, I choose mine with
exactly one quality in mind - an ability to run Debian. Which I
installed on it the moment they delivered me the thing.

Best advice I can give - get yourself something that can be flashed with
openwrt.
Until then - disable IPv6 on your router altogether, it's not going to
work.

Reco

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 14:14, Michael Fothergill <
michael.fotherg...@gmail.com> wrote:

>
>
> On 23 February 2018 at 14:05, mlnl  wrote:
>
>> Hi,
>>
>> > ​Can it be true?  A version of gcc that runs on stretch that will
>> > compile the latest fancy spectre fixes etc?
>>
>> with latest vanilla kernel 4.15.4 and updated gcc-6:
>>
>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
>> bits array_index_mask_nospec())
>> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Mitigation 1
>>   * Kernel is compiled with IBRS/IBPB support:  NO
>>   * Currently enabled features
>> * IBRS enabled for Kernel space:  NO
>> * IBRS enabled for User space:  NO
>> * IBPB enabled:  NO
>> * Mitigation 2
>>   * Kernel compiled with retpoline option:  YES
>>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
>> reports full retpoline compilation)
>>   * Retpoline enabled:  NO
>>
>
​Wot?  How can retpoline not be  enabled but the status is not
vulnerable..

​



> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>>
>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Kernel supports Page Table Isolation (PTI):  YES
>> * PTI enabled and active:  YES
>> * Running as a Xen PV DomU:  NO
>> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>>
> ​
> Absolutely whale harpooned it
>
> Great stuff.
>
> Cheers
>
> MF
> ​
>
>>
>> grep bugs /proc/cpuinfo
>> bugs: cpu_meltdown spectre_v1 spectre_v2
>> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>>
>>
>>
>> stepping: 3
>>
>>
>>
>> microcode   : 0x22
>>
>> --
>> mlnl
>>
>>
>

Re: Problems with clean install of fvwm

[David Wright]

On Fri 23 Feb 2018 at 09:57:12 (-0600), Richard Owlett wrote:
> On 02/23/2018 09:12 AM, Richard Owlett wrote:
> >On 02/23/2018 05:46 AM, Richard Owlett wrote:
> >>History
> >>I run MATE, but to paraphrase a restaurant - "I want Debian MyWay" ;)
> >>It was suggested that I wanted what KDE calls "activities".
> >>It looked promising. I installed it. It suffers from featuritis.
> >>fvwm-crystal was also suggested. When installed it was in some
> >>sense "cleaner" but still too busy. Launched fvwm which had been
> >>installed by the fvwm-crystal package.
> >>
> >>The problem
> >>It had "inherited" configuration items from fvwm-crystal. The
> >>web pages I had read spoke of a default 1st run display. I could
> >>not figure out how to get that to appear.
> >>
> >>Having adequate space available I used netinst to do a base
> >>command line only install to a new partition. It was followed by
> >>doing "apt-get install fvwm".
> >>
> >>I rebooted expecting a minimal fvwm display. I got a command line.
> >
> >To clarify I got a console command line (Whole screen is one
> >window with no graphical ornaments !)
> >
> >>I found that though a "/home/richard/.fvwm" directory had been
> >>created, it was empty. I couldn't find copies of what files
> >>should have been there on initial first run. Only
> >>instructions/examples for adding this or that doodad.
> >>
> >
> >It was suggested that
> >>So to get you kick-started,
> >>just create a file named "config" in your /home/richard/.fvwm
> >>consisting of this one line:
> >>
> >>  Read /usr/share/fvwm/default-config/config
> >That did not solve my problem.
> >
> >I copied the file at
> >http://www.einval.com/~steve/debian/fvwm2rc.example to
> >/home/richard/.fvwm2rc  .
> >I then executed `fvwm2 -f "FvwmM4 .fvwm2rc"'
> >The result was " [fvwm][main] <> can't open display
> >
> >Reasoning by analogy with use of startx I had tried "fvwm" at the
> >command line and received "can't open display".
> >
> >I tried issuing "startx" itself and received "command not found".
> >
> >When I had initially done "apt-get install fvwm", should some
> >portion of the Xsystem been installed?
> >
> >TIA
> 
> I just did "apt-get install xorg".
> Now typing "startx" at command line does give me a fvwm screen.
> However typing "fvwm" at command line gives
> >[fvwm][main] <> can't open display
> 
> What's still to be installed/configured?
> Would this be a bug against the fvwm package for not installing and
> configuring xorg?

>From https://lists.debian.org/debian-user/2018/02/msg00794.html

As mentioned in another thread just now, I run X with startx.
I've always stuck to the Debian Way™ which means using ~/.xsession
rather than ~/.xinitrc.

Stripped down to the essentials, my ~/.xsession consists of:

#!/bin/sh
exec /usr/bin/fvwm >| $HOME/.fvwm-stdout 2>| $HOME/.fvwm-stderr &
WMPID=$!
xterm …
xterm …
swisswatch -title local -noshape
xconsole -name console -file /dev/xconsole -exitOnFail
xclock -strftime "%a %d"
# and so on
# wait for the window manager in the background to die
wait $WMPID

IOW you run it in your ~/.xsession as X starts up, not from
the command line.

Cheers,
David.

Re: domain names, was: hostname

[Brian]

On Thu 22 Feb 2018 at 11:58:18 -0600, David Wright wrote:

> On Mon 19 Feb 2018 at 18:39:02 (+), Brian wrote:
> > On Mon 19 Feb 2018 at 10:23:56 -0600, David Wright wrote:
> > 
> > > 127.0.0.1   localhost
> > > 127.0.1.1   alum
> > 
> > alum is the canonical_hostname. It is used by exim to HELO with. Many
> > mail servers will not accept mail directly from you because it is not a
> > FQDN.
> 
> This is why I wrote "broken" at ². The OP wrote "on a home LAN",
> in which case it's unlikely that they relay mail to mail servers
> on port 25. More likely is that they use a smarthost with a mail
> submission system on port 587 or possibly 465 (though 25 is
> allowed for broken senders³).

Not using a smarthost does not invalidate the claim.
 
> As submission involves obligatory authentication, there's no reason
> to reject a submission just because the HELO has no dot in it. And
> even if a sender screws up the envelope-from, it's likely that the
> mail submission knows a valid email address associated with the
> authenticator's registration details.

With

 127.0.1.1   gmail

in /etc/hosts the conversation would go like this:

  brian@desktop:~$ telnet bendel.debian.org 25
  Trying 82.195.75.100...
  Connected to bendel.debian.org.
  Escape character is '^]'.
  220 bendel.debian.org ESMTP Postfix
  helo gmail
  250 bendel.debian.org
  mail from:
  250 2.1.0 Ok
  rcpt to:
  504 5.5.2 : Helo command rejected: need fully-qualified hostname

gmail.com is ok with bendel.

OTOH:

  brian@desktop:~$ telnet cloud11.unlimitedwebhosting.co.uk 25
  Trying 149.255.60.164...
  Connected to cloud11.unlimitedwebhosting.co.uk.
  Escape character is '^]'.
  220 cloud11.unlimitedwebhosting.co.uk ESMTP Postfix
  helo gmail
  250 cloud11.unlimitedwebhosting.co.uk
  mail from:
  250 2.1.0 Ok
  rcpt to:
  250 2.1.5 Ok
  data
  354 End data with .

cloud11.unlimitedwebhosting.co.uk appears not to be bothered by the
helo; bendel is.

> > > I've sometimes wondered what other people dream up as their
> > > domainnames; that is, people who don't have a legitimate reason
> > > to put something like example.com.
> > 
> > Whatever is dreamt up as a domain name is put into /etc/hosts by the
> > installer as
> > 
> > 127.0.1.1   alum.dreamtupalum
> 
> And what is the benefit for the mail submission system in being woken
> up with   HELO alum.dreamtup   rather than   HELO alum   ?
> Extra brownie points for imagination perhaps.

Most large ISPs presumably do not see any benefit as they basically
ignore an RFC non-compliant helo. The large number of broken mailers
about might be a reason. I'm not prepared to risk having mail rejected
because the canonical_hostname is not a FQDN known in the DNS.

-- 
Brian.

Re: Problems with clean install of fvwm

[David Wright]

On Fri 23 Feb 2018 at 09:12:04 (-0600), Richard Owlett wrote:
> On 02/23/2018 05:46 AM, Richard Owlett wrote:
> >History
> >I run MATE, but to paraphrase a restaurant - "I want Debian MyWay" ;)
> >It was suggested that I wanted what KDE calls "activities".
> >It looked promising. I installed it. It suffers from featuritis.
> >fvwm-crystal was also suggested. When installed it was in some
> >sense "cleaner" but still too busy. Launched fvwm which had been
> >installed by the fvwm-crystal package.
> >
> >The problem
> >It had "inherited" configuration items from fvwm-crystal. The web
> >pages I had read spoke of a default 1st run display. I could not
> >figure out how to get that to appear.
> >
> >Having adequate space available I used netinst to do a base
> >command line only install to a new partition. It was followed by
> >doing "apt-get install fvwm".
> >
> >I rebooted expecting a minimal fvwm display. I got a command line.
> 
> To clarify I got a console command line (Whole screen is one window
> with no graphical ornaments !)
> 
> >I found that though a "/home/richard/.fvwm" directory had been
> >created, it was empty. I couldn't find copies of what files should
> >have been there on initial first run. Only instructions/examples
> >for adding this or that doodad.
> >
> 
> It was suggested that
> >So to get you kick-started,
> >just create a file named "config" in your /home/richard/.fvwm
> >consisting of this one line:
> >
> >  Read /usr/share/fvwm/default-config/config
> That did not solve my problem.
> 
> I copied the file at
> http://www.einval.com/~steve/debian/fvwm2rc.example to
> /home/richard/.fvwm2rc  .
> I then executed `fvwm2 -f "FvwmM4 .fvwm2rc"'
> The result was " [fvwm][main] <> can't open display
> 
> Reasoning by analogy with use of startx I had tried "fvwm" at the
> command line and received "can't open display".
> 
> I tried issuing "startx" itself and received "command not found".
> 
> When I had initially done "apt-get install fvwm", should some
> portion of the Xsystem been installed?

It sounds to me as if you're misinterpreting the concept of Debian's
dependencies. The idea is that when you install package A (which
needs library B) and run it, the call to library B doesn't point
into outer space but into an installed library.

It doesn't mean that if you install a package designed to run on
X that apt will immediately install all the packages required for
a functional X system.

So what fvwm does is to run, look around, then say "I don't see
anything upon which I could usefully perform, so it gives up
in good order after saying why.

Cheers,
David.

Re: Problems with clean install of fvwm

[Richard Owlett]

On 02/23/2018 09:12 AM, Richard Owlett wrote:

On 02/23/2018 05:46 AM, Richard Owlett wrote:

History
I run MATE, but to paraphrase a restaurant - "I want Debian MyWay" ;)
It was suggested that I wanted what KDE calls "activities".
It looked promising. I installed it. It suffers from featuritis.
fvwm-crystal was also suggested. When installed it was in some sense 
"cleaner" but still too busy. Launched fvwm which had been installed 
by the fvwm-crystal package.


The problem
It had "inherited" configuration items from fvwm-crystal. The web 
pages I had read spoke of a default 1st run display. I could not 
figure out how to get that to appear.


Having adequate space available I used netinst to do a base command 
line only install to a new partition. It was followed by doing 
"apt-get install fvwm".


I rebooted expecting a minimal fvwm display. I got a command line.


To clarify I got a console command line (Whole screen is one window with 
no graphical ornaments !)


I found that though a "/home/richard/.fvwm" directory had been 
created, it was empty. I couldn't find copies of what files should 
have been there on initial first run. Only instructions/examples for 
adding this or that doodad.




It was suggested that

So to get you kick-started,
just create a file named "config" in your /home/richard/.fvwm
consisting of this one line:

  Read /usr/share/fvwm/default-config/config

That did not solve my problem.

I copied the file at http://www.einval.com/~steve/debian/fvwm2rc.example 
to /home/richard/.fvwm2rc  .

I then executed `fvwm2 -f "FvwmM4 .fvwm2rc"'
The result was " [fvwm][main] <> can't open display

Reasoning by analogy with use of startx I had tried "fvwm" at the 
command line and received "can't open display".


I tried issuing "startx" itself and received "command not found".

When I had initially done "apt-get install fvwm", should some portion of 
the Xsystem been installed?


TIA


I just did "apt-get install xorg".
Now typing "startx" at command line does give me a fvwm screen.
However typing "fvwm" at command line gives

[fvwm][main] <> can't open display


What's still to be installed/configured?
Would this be a bug against the fvwm package for not installing and 
configuring xorg?

Re: Problems with clean install of fvwm

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Feb 23, 2018 at 09:12:04AM -0600, Richard Owlett wrote:

[...]

> To clarify I got a console command line (Whole screen is one window
> with no graphical ornaments !)

Aha. As someone already said in this thread, it seems you have no
X installed. Package xserver-xorg, I'd guess...

> I tried issuing "startx" itself and received "command not found".

Hm. This one is in package xinit, which is not a necessary part
of X. So not a bad omen in itself.

> When I had initially done "apt-get install fvwm", should some
> portion of the Xsystem been installed?

Yes, I'd venture your X server is missing.

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlqQOaMACgkQBcgs9XrR2kbd4ACfV7A7U+gc+Jjh23LiMx8/MsJE
jQMAnR17hNtIYOUZaCXda85B/Rqggnla
=oA0h
-END PGP SIGNATURE-

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Felipe Salvador]

On Fri, Feb 23, 2018 at 03:05:18PM +0100, mlnl wrote:
> Hi,
> 
> > ​Can it be true?  A version of gcc that runs on stretch that will
> > compile the latest fancy spectre fixes etc?
> 
> with latest vanilla kernel 4.15.4 and updated gcc-6:
> 
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
> bits array_index_mask_nospec())
> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> reports full retpoline compilation)
>   * Retpoline enabled:  NO
  ^^
I get the same result. I wonder why reptoline is disabled.

> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
> 
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
> 
> grep bugs /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
> 
> 
> 
> stepping: 3
> 
> 
> 
> microcode   : 0x22
> 
> -- 
> mlnl

-- 
Felipe Salvador

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 10:09 AM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 09:57:07AM -0500, Stephen P. Molnar wrote:

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Hit:6 http://security.debian.org/debian-security stretch/updates
InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

with a long pause before it finished.

And now, let's return to the malfunctioning IPv6.

Let's sum it up first:


2600:1700:4280:3690::46 dev enp2s0 proto kernel metric 256  expires
1201893sec pref medium

You have /128 address given you by your router.


2600:1700:4280:3690::/64 dev enp2s0 proto ra metric 100  pref medium

And, you have your usual /64 route from /64 address procured by RA.


2600:1700:4280:3690::/60 via fe80::3e04:61ff:feb3:3c20 dev enp2s0
proto ra metric 100  pref medium

But, you have /60 route with the gateway address, which should serve the
purpose of connecting to *other* IPv6 addresses from /60 block that's
assigned to you. Unusual, but probably OK.


fe80::3e04:61ff:feb3:3c20 dev enp2s0 proto static metric 100  pref
medium
fe80::/64 dev enp2s0 proto kernel metric 256  pref medium

These are your usual link-local routes.


default via fe80::3e04:61ff:feb3:3c20 dev enp2s0 proto static metric
100 pref medium

And that's fishy. Why is this route is designated as "proto static",
i.e.
added by hand? Kernel RA does not work like this.


Assuming that your router is configured correctly (i.e. the way AT
want it to be configured), that points us to the whatever your host is
using for the network configuration.

So let's put it aside for the moment. A quick test like this should
clear things a bit (everything that's in here requires root):

ip netns add test
ip link add link enp2s0 name net0 type macvlan mode private
ip link set net0 netns test
ip netns exec test ip link set lo up
ip netns exec test ip link set net0 up
sleep 120
ip netns exec test ip a l
ip netns exec test ip -6 ro l
ip netns exec test traceroute -n 2a02:16a8:dc41:100::233
ip netns del test

Basically, that creates a separate network namespace, clones your wired
NIC into it, waits for the kernel RA autoconfiguration to kick in, and
destroys it.

Reco



Here's what happened:

root@AbNormal:/home/comp# ip link add link enp2s0 name net0 type macvlan 
mode private

root@AbNormal:/home/comp# ip link set net0 netns test
root@AbNormal:/home/comp# ip netns exec test ip link set lo up
root@AbNormal:/home/comp# ip netns exec test ip link set net0 up
root@AbNormal:/home/comp# sleep 120
root@AbNormal:/home/comp# ip netns exec test ip a l
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
3: net0@if2:  mtu 1500 qdisc noqueue 
state UP group default qlen 1000

link/ether be:80:71:d1:8a:96 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 2600:1700:4280:3690:bc80:71ff:fed1:8a96/64 scope global 
mngtmpaddr dynamic

   valid_lft 1209450sec preferred_lft 1209450sec
inet6 fe80::bc80:71ff:fed1:8a96/64 scope link
   valid_lft forever preferred_lft forever
root@AbNormal:/home/comp# ip netns exec test ip -6 ro l
2600:1700:4280:3690::/64 dev net0 proto kernel metric 256  expires 
1209439sec pref medium

fe80::/64 dev net0 proto kernel metric 256  pref medium
default via fe80::3e04:61ff:feb3:3c20 dev net0 proto ra metric 1024 
expires 1639sec hoplimit 64 pref medium
root@AbNormal:/home/comp# ip netns exec test traceroute -n 
2a02:16a8:dc41:100::233
traceroute to 2a02:16a8:dc41:100::233 (2a02:16a8:dc41:100::233), 30 hops 
max, 80 byte packets

 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
root@AbNormal:/home/comp# ip netns del test
root@AbNormal:/home/comp#

And then;

root@AbNormal:/home/comp# apt update
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://debian.uchicago.edu/debian stretch InRelease
Hit:3 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:4 http://debian.uchicago.edu/debian stretch-backports InRelease
Hit:5 http://debian.uchicago.edu/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@AbNormal:/home/comp#

Oh, yes.

apt-get install bvi:i386 and apt-get 

Re: Problems with clean install of fvwm

[Richard Owlett]

On 02/23/2018 05:46 AM, Richard Owlett wrote:

History
I run MATE, but to paraphrase a restaurant - "I want Debian MyWay" ;)
It was suggested that I wanted what KDE calls "activities".
It looked promising. I installed it. It suffers from featuritis.
fvwm-crystal was also suggested. When installed it was in some sense 
"cleaner" but still too busy. Launched fvwm which had been installed by 
the fvwm-crystal package.


The problem
It had "inherited" configuration items from fvwm-crystal. The web pages 
I had read spoke of a default 1st run display. I could not figure out 
how to get that to appear.


Having adequate space available I used netinst to do a base command line 
only install to a new partition. It was followed by doing "apt-get 
install fvwm".


I rebooted expecting a minimal fvwm display. I got a command line.


To clarify I got a console command line (Whole screen is one window with 
no graphical ornaments !)


I found that though a "/home/richard/.fvwm" directory had been created, 
it was empty. I couldn't find copies of what files should have been 
there on initial first run. Only instructions/examples for adding this 
or that doodad.




It was suggested that

So to get you kick-started,
just create a file named "config" in your /home/richard/.fvwm
consisting of this one line:

  Read /usr/share/fvwm/default-config/config

That did not solve my problem.

I copied the file at http://www.einval.com/~steve/debian/fvwm2rc.example 
to /home/richard/.fvwm2rc  .

I then executed `fvwm2 -f "FvwmM4 .fvwm2rc"'
The result was " [fvwm][main] <> can't open display

Reasoning by analogy with use of startx I had tried "fvwm" at the 
command line and received "can't open display".


I tried issuing "startx" itself and received "command not found".

When I had initially done "apt-get install fvwm", should some portion of 
the Xsystem been installed?


TIA

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 09:57:07AM -0500, Stephen P. Molnar wrote:
> > > root@AbNormal:/home/comp# apt update
> > > Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> > > Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> > > Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
> > > Hit:4 http://debian.uchicago.edu/debian stretch Release
> > > Hit:6 http://security.debian.org/debian-security stretch/updates
> > > InRelease
> > > Reading package lists... Done
> > > Building dependency tree
> > > Reading state information... Done
> > > All packages are up to date.
> > > 
> > > with a long pause before it finished.

And now, let's return to the malfunctioning IPv6.

Let's sum it up first:

> 2600:1700:4280:3690::46 dev enp2s0 proto kernel metric 256  expires
> 1201893sec pref medium

You have /128 address given you by your router.

> 2600:1700:4280:3690::/64 dev enp2s0 proto ra metric 100  pref medium

And, you have your usual /64 route from /64 address procured by RA.

> 2600:1700:4280:3690::/60 via fe80::3e04:61ff:feb3:3c20 dev enp2s0
> proto ra metric 100  pref medium

But, you have /60 route with the gateway address, which should serve the
purpose of connecting to *other* IPv6 addresses from /60 block that's
assigned to you. Unusual, but probably OK.

> fe80::3e04:61ff:feb3:3c20 dev enp2s0 proto static metric 100  pref
> medium
> fe80::/64 dev enp2s0 proto kernel metric 256  pref medium

These are your usual link-local routes.

> default via fe80::3e04:61ff:feb3:3c20 dev enp2s0 proto static metric
> 100 pref medium

And that's fishy. Why is this route is designated as "proto static",
i.e.
added by hand? Kernel RA does not work like this.


Assuming that your router is configured correctly (i.e. the way AT
want it to be configured), that points us to the whatever your host is
using for the network configuration.

So let's put it aside for the moment. A quick test like this should
clear things a bit (everything that's in here requires root):

ip netns add test
ip link add link enp2s0 name net0 type macvlan mode private
ip link set net0 netns test
ip netns exec test ip link set lo up
ip netns exec test ip link set net0 up
sleep 120
ip netns exec test ip a l
ip netns exec test ip -6 ro l
ip netns exec test traceroute -n 2a02:16a8:dc41:100::233
ip netns del test

Basically, that creates a separate network namespace, clones your wired
NIC into it, waits for the kernel RA autoconfiguration to kick in, and
destroys it.

Reco

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

On Fri, Feb 23, 2018 at 09:57:07AM -0500, Stephen P. Molnar wrote:
> > Therefore, it's no wonder that apt is still broken for you, in regards
> > of downloading.
> > 
> > Second, let's check if your i386 arch is really operational.
> > 
> > apt-cache policy bash:i386
> > 
> Here's what you requested.
> 
> root@AbNormal:/home/comp# apt-cache policy bash:i386
> bash:i386:
>   Installed: (none)
>   Candidate: 4.4-5
>   Version table:
>  4.4-5 500
> 500 http://debian.uchicago.edu/debian stretch/main i386 Packages

And that's a good thing. On my non-multiarch system that gives:

$ apt-cache policy bash:i386
N: Unable to locate package bash:i386

I conclude that you should be able to install i386 packages without any
trouble. Let's test it just to be sure.

apt-get install bvi:i386

apt-get purge bvi:i386

Reco

Re: Debian 9 Image Magick/display xwd(1) format

[Eric S Fraga]

On Thursday, 22 Feb 2018 at 23:27, Thomas Schmitt wrote:
> Hi,
>
> have a look at
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853262
>
> So does this work ?
>
>   display xwd:myfile

One more data point.

Just tried this on my (testing+sid) system, relatively up to date, and
display does not work without the xwd: prefix.  display does not seem to
autorecognise xwd format files, as noted in the bug report.

imagemagick version 8:6.9.7.4+dfsg-1

-- 
Eric S Fraga via Emacs 27.0.50 & org 9.1.6 on Debian buster/sid


signature.asc
Description: PGP signature

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 09:27 AM, Reco wrote:

Hi.

Moved this to correct thread.


Interesting,

The only entry in Synaptic for DHCP was kea-dhcp6-server. Synaptic
installed:

kea-common (1.1.0-1)
kea-dhcp6-server (1.1.0-1)
liblog4cplus-1.1-9 (1.1.2-3.2)

Now, when I do  apt update I get:

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates
InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Although if I do:

root@AbNormal:/home/comp# dpkg --add-architecture i386
root@AbNormal:/home/comp# spt update

then

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch Release
Hit:4 http://security.debian.org/debian-security stretch/updates
InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

but, gdebi happily installed acroread, which requires i386 libraries,
there were no warning or error messages.  Acroread works notmally.

This is a bit later than the above message.

I added backports to /etc/apt/sources.list

# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD
# Binary-1
20171209-12:11]/ stretch contrib main

# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD
# Binary-1
20171209-12:11]/ stretch main contrib

deb http://debian.uchicago.edu/debian/ stretch main non-free contrib
deb-src http://debian.uchicago.edu/debian/ stretch main non-free contrib

deb http://security.debian.org/debian-security/ stretch/updates main
contrib
non-free
deb-src http://security.debian.org/debian-security/ stretch/updates main
contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://debian.uchicago.edu/debian/ stretch-updates main contrib
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-updates main contrib
non-free

deb http://debian.uchicago.edu/debian/ stretch-backports main contrib
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-backports main
contrib
non-free

the I rebooted the system and got

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Hit:6 http://security.debian.org/debian-security stretch/updates
InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

with a long pause before it finished.

Then I ran sysctl -w net.ipv6.conf.all.disable_ipv6=1 (as root) and got
the
same result from apt update, but without the pause.  Still no listing
for
i386.

So, first things first. Your setup is different from Roger Price's.
Whenever you have DHCPv6-capable client or not is not relevant, as
you're using in-kernel RA for that (presumably).

Therefore, it's no wonder that apt is still broken for you, in regards
of downloading.

Second, let's check if your i386 arch is really operational.

apt-cache policy bash:i386

Reco



Sorry about picking the wrong thread.   Unfortunately, I resent the 
message to this thread before seeing this reply.


My apologies to the debian-users list for wasting the bandwidth.

Here's what you requested.

root@AbNormal:/home/comp# apt-cache policy bash:i386
bash:i386:
  Installed: (none)
  Candidate: 4.4-5
  Version table:
 4.4-5 500
500 http://debian.uchicago.edu/debian stretch/main i386 Packages
root@AbNormal:/home/comp#





--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Fwd: Re: Unknown URL

[Stephen P. Molnar]

On 02/23/2018 08:38 AM, Stephen P. Molnar wrote:


On 02/23/2018 07:12 AM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:

On Thu, 22 Feb 2018, Reco wrote:


On the EeePC Ctl-Alt-F3 /dev/tty3:
  ~ # ip address
  3: enp0s4:  ...
...
inet 10.218.0.100 scope global enp0s4
inet6 fe80::22cf:30ff:fe10:43fd/64 scope link

The "fe" at the beginning of the IPv6 address says that this is 
not capable

of working with the public IPv6 network.

There's one crucial detail that's missing here. I agree that fe80
designates link-local IPv6 (they don't put "scope link" there for
nothing), but what about routing?
I.e. I'm curious about the output of "ip -6 ro l".

rprice@kananga:~$ ip -6 ro l
fe80::/64 dev wlan0 proto kernel metric 256  pref medium

Now *that* actually means it should be impossible for this host to
connect to 2001:41d0:202:100:213:32:5:7.

So either we have a little wonder here, or ... do you have DHCP6 client
installed there by chance? Installer most certainly should include one,
and that could explain the difference in behavior between your current
host and d-i.

Reco



Interesting,

The only entry in Synaptic for DHCP was kea-dhcp6-server. Synaptic 
installed:


kea-common (1.1.0-1)
kea-dhcp6-server (1.1.0-1)
liblog4cplus-1.1-9 (1.1.2-3.2)

Now, when I do  apt update I get:

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates 
InRelease

Hit:4 http://debian.uchicago.edu/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Although if I do:

root@AbNormal:/home/comp# dpkg --add-architecture i386
root@AbNormal:/home/comp# spt update

then

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch Release
Hit:4 http://security.debian.org/debian-security stretch/updates 
InRelease

Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

but, gdebi happily installed acroread, which requires i386 libraries, 
there were no warning or error messages.  Acroread works notmally.



This is a bit later than the above message.

I added backports to /etc/apt/sources.list

# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD 
Binary-1 20171209-12:11]/ stretch contrib main


# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD 
Binary-1 20171209-12:11]/ stretch main contrib


deb http://debian.uchicago.edu/debian/ stretch main non-free contrib
deb-src http://debian.uchicago.edu/debian/ stretch main non-free contrib

deb http://security.debian.org/debian-security/ stretch/updates main 
contrib non-free
deb-src http://security.debian.org/debian-security/ stretch/updates main 
contrib non-free


# stretch-updates, previously known as 'volatile'
deb http://debian.uchicago.edu/debian/ stretch-updates main contrib 
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-updates main contrib 
non-free


deb http://debian.uchicago.edu/debian/ stretch-backports main contrib 
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-backports main 
contrib non-free


the I rebooted the system and got

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Hit:6 http://security.debian.org/debian-security stretch/updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

with a long pause before it finished.

Then I ran sysctl -w net.ipv6.conf.all.disable_ipv6=1 (as root) and got 
the same result from apt update, but without the pause.  Still no 
listing for i386.




--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Problems with clean install of fvwm

[John Hasler]

Richard Owlett writes:
> I rebooted expecting a minimal fvwm display. I got a command line.  I
> found that though a "/home/richard/.fvwm" directory had been created,
> it was empty. I couldn't find copies of what files should have been
> there on initial first run. Only instructions/examples for adding this
> or that doodad.

You should get an empty display.  Clicking it should get you a menu.
One of the choices should be some sort of configuration widget.  I've
never used it: like most fvwm users I have a highly idiosyncratic config
that has evolved over many years.

You should install all the recommended and and suggested packages.  The
default config others have suggested is a good starting point.

However, the fact that you got a command line is a problem.  Did you
install a display manager?  If not you need to start X manually.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 14:05, mlnl  wrote:

> Hi,
>
> > ​Can it be true?  A version of gcc that runs on stretch that will
> > compile the latest fancy spectre fixes etc?
>
> with latest vanilla kernel 4.15.4 and updated gcc-6:
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
> bits array_index_mask_nospec())
> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> reports full retpoline compilation)
>   * Retpoline enabled:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>
​
Absolutely whale harpooned it

Great stuff.

Cheers

MF
​

>
> grep bugs /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>
>
>
> stepping: 3
>
>
>
> microcode   : 0x22
>
> --
> mlnl
>
>

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 14:08, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 13:42, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > > On 23 February 2018 at 12:43, Reco  wrote:
> > > >
> > > > > Hi.
> > > > >
> > > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Do you have any clue on when the gcc fix for stretch is to be
> > > released ?
> > > > > >
> > > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes
> for
> > > > > stretch
> > > > > > seem to have already been implemented. So I dunno what is still
> > > blocking
> > > > > > the release. :'(
> > > > >
> > > > > https://www.debian.org/security/2018/dsa-4120
> > > >
> > > >
> > > > ​Can it be true?  A version of gcc that runs on stretch that will
> compile
> > > > the latest fancy spectre fixes etc?
> > > >
> > > > ​Cheers
> > >
> > > So it seems. New kernel came today with the usual 'apt update && apt
> > > upgrade' routine:
> > >
> > > $ uname -r
> > > 4.9.0-6-amd64
> > >
> > > $ grep bug /proc/cpuinfo
> > > bugs: cpu_meltdown spectre_v1 spectre_v2
> > >
> >
> > ​Could you install this kernel in stretch at present or only in buster?
>
> I *only* use Debian stable, so yes, it's definitely possible to install
> this kernel in stretch. This particular package is provided by
> security.debian.org, so entire world is installing it on Debian stable
> as I'm writing this.
>

​Excellent news. Stellar stuff.

Cheers

MF​


>
> Theoretically, of course, it should be possible to install this kernel
> in testing (buster) and even get a bootable system.
>
> Reco
>
>

Re: Fwd: Re: Unknown URL

[Reco]

Hi.

Moved this to correct thread.

> Interesting,
>
> The only entry in Synaptic for DHCP was kea-dhcp6-server. Synaptic
> installed:
>
> kea-common (1.1.0-1)
> kea-dhcp6-server (1.1.0-1)
> liblog4cplus-1.1-9 (1.1.2-3.2)
>
> Now, when I do  apt update I get:
>
> root@AbNormal:/home/comp# apt update
> Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> Hit:3 http://security.debian.org/debian-security stretch/updates
> InRelease
> Hit:4 http://debian.uchicago.edu/debian stretch Release
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> All packages are up to date.
>
> Although if I do:
>
> root@AbNormal:/home/comp# dpkg --add-architecture i386
> root@AbNormal:/home/comp# spt update
>
> then
>
> root@AbNormal:/home/comp# apt update
> Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> Hit:3 http://debian.uchicago.edu/debian stretch Release
> Hit:4 http://security.debian.org/debian-security stretch/updates
> InRelease
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> All packages are up to date.
>
> but, gdebi happily installed acroread, which requires i386 libraries,
> there were no warning or error messages.  Acroread works notmally.
>

>This is a bit later than the above message.
>
>I added backports to /etc/apt/sources.list
>
># deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD
># Binary-1
>20171209-12:11]/ stretch contrib main
>
># deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD
># Binary-1
>20171209-12:11]/ stretch main contrib
>
>deb http://debian.uchicago.edu/debian/ stretch main non-free contrib
>deb-src http://debian.uchicago.edu/debian/ stretch main non-free contrib
>
>deb http://security.debian.org/debian-security/ stretch/updates main
>contrib
>non-free
>deb-src http://security.debian.org/debian-security/ stretch/updates main
>contrib non-free
>
># stretch-updates, previously known as 'volatile'
>deb http://debian.uchicago.edu/debian/ stretch-updates main contrib
>non-free
>deb-src http://debian.uchicago.edu/debian/ stretch-updates main contrib
>non-free
>
>deb http://debian.uchicago.edu/debian/ stretch-backports main contrib
>non-free
>deb-src http://debian.uchicago.edu/debian/ stretch-backports main
>contrib
>non-free
>
>the I rebooted the system and got
>
>root@AbNormal:/home/comp# apt update
>Ign:1 http://debian.uchicago.edu/debian stretch InRelease
>Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
>Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
>Hit:4 http://debian.uchicago.edu/debian stretch Release
>Hit:6 http://security.debian.org/debian-security stretch/updates
>InRelease
>Reading package lists... Done
>Building dependency tree
>Reading state information... Done
>All packages are up to date.
>
>with a long pause before it finished.
>
>Then I ran sysctl -w net.ipv6.conf.all.disable_ipv6=1 (as root) and got
>the
>same result from apt update, but without the pause.  Still no listing
>for
>i386.

So, first things first. Your setup is different from Roger Price's.
Whenever you have DHCPv6-capable client or not is not relevant, as
you're using in-kernel RA for that (presumably).

Therefore, it's no wonder that apt is still broken for you, in regards
of downloading.

Second, let's check if your i386 arch is really operational.

apt-cache policy bash:i386

Reco

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Reco]

Hi.

You're replying to the wrong thread.
These two are similar as both are about IPv6 malfunction.
Let's not confuse thing further, and move this part of the discussion to
"Wrong URL" thread.

On Fri, Feb 23, 2018 at 09:10:23AM -0500, Stephen P. Molnar wrote:
> 
> On 02/23/2018 08:38 AM, Stephen P. Molnar wrote:
> > 
> > On 02/23/2018 07:12 AM, Reco wrote:
> > > Hi.
> > > 
> > > On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:
> > > > On Thu, 22 Feb 2018, Reco wrote:
> > > > 
> > > > > > On the EeePC Ctl-Alt-F3 /dev/tty3:
> > > > > >   ~ # ip address
> > > > > >   3: enp0s4:  ...
> > > > > > ...
> > > > > > inet 10.218.0.100 scope global enp0s4
> > > > > > inet6 fe80::22cf:30ff:fe10:43fd/64 scope link
> > > > > > 
> > > > > > The "fe" at the beginning of the IPv6 address says that
> > > > > > this is not capable
> > > > > > of working with the public IPv6 network.
> > > > > There's one crucial detail that's missing here. I agree that fe80
> > > > > designates link-local IPv6 (they don't put "scope link" there for
> > > > > nothing), but what about routing?
> > > > > I.e. I'm curious about the output of "ip -6 ro l".
> > > > rprice@kananga:~$ ip -6 ro l
> > > > fe80::/64 dev wlan0 proto kernel metric 256  pref medium
> > > Now *that* actually means it should be impossible for this host to
> > > connect to 2001:41d0:202:100:213:32:5:7.
> > > 
> > > So either we have a little wonder here, or … do you have DHCP6 client
> > > installed there by chance? Installer most certainly should include one,
> > > and that could explain the difference in behavior between your current
> > > host and d-i.
> > > 
> > > Reco
> > > 
> > > 
> > Interesting,
> > 
> > The only entry in Synaptic for DHCP was kea-dhcp6-server. Synaptic
> > installed:
> > 
> > kea-common (1.1.0-1)
> > kea-dhcp6-server (1.1.0-1)
> > liblog4cplus-1.1-9 (1.1.2-3.2)
> > 
> > Now, when I do  apt update I get:
> > 
> > root@AbNormal:/home/comp# apt update
> > Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> > Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> > Hit:3 http://security.debian.org/debian-security stretch/updates
> > InRelease
> > Hit:4 http://debian.uchicago.edu/debian stretch Release
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > All packages are up to date.
> > 
> > Although if I do:
> > 
> > root@AbNormal:/home/comp# dpkg --add-architecture i386
> > root@AbNormal:/home/comp# spt update
> > 
> > then
> > 
> > root@AbNormal:/home/comp# apt update
> > Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> > Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> > Hit:3 http://debian.uchicago.edu/debian stretch Release
> > Hit:4 http://security.debian.org/debian-security stretch/updates
> > InRelease
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > All packages are up to date.
> > 
> > but, gdebi happily installed acroread, which requires i386 libraries,
> > there were no warning or error messages.  Acroread works notmally.
> > 
> This is a bit later than the above message.
> 
> I added backports to /etc/apt/sources.list
> 
> # deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD Binary-1
> 20171209-12:11]/ stretch contrib main
> 
> # deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD Binary-1
> 20171209-12:11]/ stretch main contrib
> 
> deb http://debian.uchicago.edu/debian/ stretch main non-free contrib
> deb-src http://debian.uchicago.edu/debian/ stretch main non-free contrib
> 
> deb http://security.debian.org/debian-security/ stretch/updates main contrib
> non-free
> deb-src http://security.debian.org/debian-security/ stretch/updates main
> contrib non-free
> 
> # stretch-updates, previously known as 'volatile'
> deb http://debian.uchicago.edu/debian/ stretch-updates main contrib non-free
> deb-src http://debian.uchicago.edu/debian/ stretch-updates main contrib
> non-free
> 
> deb http://debian.uchicago.edu/debian/ stretch-backports main contrib
> non-free
> deb-src http://debian.uchicago.edu/debian/ stretch-backports main contrib
> non-free
> 
> the I rebooted the system and got
> 
> root@AbNormal:/home/comp# apt update
> Ign:1 http://debian.uchicago.edu/debian stretch InRelease
> Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
> Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
> Hit:4 http://debian.uchicago.edu/debian stretch Release
> Hit:6 http://security.debian.org/debian-security stretch/updates InRelease
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> All packages are up to date.
> 
> with a long pause before it finished.
> 
> Then I ran sysctl -w net.ipv6.conf.all.disable_ipv6=1 (as root) and got the
> same result from apt update, but without the pause.  Still no listing for
> i386.

Reco

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Stephen P. Molnar]

On 02/23/2018 08:38 AM, Stephen P. Molnar wrote:


On 02/23/2018 07:12 AM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:

On Thu, 22 Feb 2018, Reco wrote:


On the EeePC Ctl-Alt-F3 /dev/tty3:
  ~ # ip address
  3: enp0s4:  ...
...
inet 10.218.0.100 scope global enp0s4
inet6 fe80::22cf:30ff:fe10:43fd/64 scope link

The "fe" at the beginning of the IPv6 address says that this is 
not capable

of working with the public IPv6 network.

There's one crucial detail that's missing here. I agree that fe80
designates link-local IPv6 (they don't put "scope link" there for
nothing), but what about routing?
I.e. I'm curious about the output of "ip -6 ro l".

rprice@kananga:~$ ip -6 ro l
fe80::/64 dev wlan0 proto kernel metric 256  pref medium

Now *that* actually means it should be impossible for this host to
connect to 2001:41d0:202:100:213:32:5:7.

So either we have a little wonder here, or … do you have DHCP6 client
installed there by chance? Installer most certainly should include one,
and that could explain the difference in behavior between your current
host and d-i.

Reco



Interesting,

The only entry in Synaptic for DHCP was kea-dhcp6-server. Synaptic 
installed:


kea-common (1.1.0-1)
kea-dhcp6-server (1.1.0-1)
liblog4cplus-1.1-9 (1.1.2-3.2)

Now, when I do  apt update I get:

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates 
InRelease

Hit:4 http://debian.uchicago.edu/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Although if I do:

root@AbNormal:/home/comp# dpkg --add-architecture i386
root@AbNormal:/home/comp# spt update

then

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch Release
Hit:4 http://security.debian.org/debian-security stretch/updates 
InRelease

Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

but, gdebi happily installed acroread, which requires i386 libraries, 
there were no warning or error messages.  Acroread works notmally.



This is a bit later than the above message.

I added backports to /etc/apt/sources.list

# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD 
Binary-1 20171209-12:11]/ stretch contrib main


# deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 DVD 
Binary-1 20171209-12:11]/ stretch main contrib


deb http://debian.uchicago.edu/debian/ stretch main non-free contrib
deb-src http://debian.uchicago.edu/debian/ stretch main non-free contrib

deb http://security.debian.org/debian-security/ stretch/updates main 
contrib non-free
deb-src http://security.debian.org/debian-security/ stretch/updates main 
contrib non-free


# stretch-updates, previously known as 'volatile'
deb http://debian.uchicago.edu/debian/ stretch-updates main contrib 
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-updates main contrib 
non-free


deb http://debian.uchicago.edu/debian/ stretch-backports main contrib 
non-free
deb-src http://debian.uchicago.edu/debian/ stretch-backports main 
contrib non-free


the I rebooted the system and got

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch-backports InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Hit:6 http://security.debian.org/debian-security stretch/updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

with a long pause before it finished.

Then I ran sysctl -w net.ipv6.conf.all.disable_ipv6=1 (as root) and got 
the same result from apt update, but without the pause.  Still no 
listing for i386.




--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Reco]

Hi.

On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> On 23 February 2018 at 13:42, Reco  wrote:
> 
> > Hi.
> >
> > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > On 23 February 2018 at 12:43, Reco  wrote:
> > >
> > > > Hi.
> > > >
> > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > Hi,
> > > > >
> > > > > Do you have any clue on when the gcc fix for stretch is to be
> > released ?
> > > > >
> > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > > > stretch
> > > > > seem to have already been implemented. So I dunno what is still
> > blocking
> > > > > the release. :'(
> > > >
> > > > https://www.debian.org/security/2018/dsa-4120
> > >
> > >
> > > ​Can it be true?  A version of gcc that runs on stretch that will compile
> > > the latest fancy spectre fixes etc?
> > >
> > > ​Cheers
> >
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> >
> > $ uname -r
> > 4.9.0-6-amd64
> >
> > $ grep bug /proc/cpuinfo
> > bugs: cpu_meltdown spectre_v1 spectre_v2
> >
> 
> ​Could you install this kernel in stretch at present or only in buster?

I *only* use Debian stable, so yes, it's definitely possible to install
this kernel in stretch. This particular package is provided by
security.debian.org, so entire world is installing it on Debian stable
as I'm writing this.

Theoretically, of course, it should be possible to install this kernel
in testing (buster) and even get a bootable system.

Reco

Re: Mijndomein Websites die niet werken met Firefox-esr

[Paul van der Vlis]

Hoi allen,

Ik heb net ook nog een bericht van Mijndomein gehad. Ze hebben de
blokkade van Firefox ESR toch verwijderd!

Ik had ook enkele journalisten hierover geschreven. Wellicht dat zij
navraag hebben gedaan, en dat Mijndomein toch maar geen zin had in
slechte publiciteit.

Groeten,
Paul

---
 Daniël (mijndomein.nl - helpdesk)

23 feb. 14:56 CET

Goedemiddag Paul,

Aller eerst bedankt voor je geduld, de opvolgende reactie heeft even op
zich laten wachten, dit is uiteraard niet onze norm.

Ik ben hier verder in gedoken omdat de ESR versie n.a.v. zijn doel als
lange termijn ondersteunde browser niet geblokkeerd moet worden, echter
is deze blokkade regel blijven hangen op 1 van onze firewalls naar alle
waarschijnlijkheid door dat de 'normale' user agent string van Firefox
52 misbruikt is.

Zojuist heb ik deze regel verwijderd zodat de sites ook met de ESR
versie van Firefox weer beschikbaar zijn:

curl -L -I -A "Mozilla/5.0 (X11; Linux x86_64...) Gecko/20090101
Firefox/52.0" http://www.fenicks.nl/
HTTP/1.1 301 Moved Permanently
Date: Fri, 23 Feb 2018 13:53:54 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.6.17-1~dotdeb+7.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Location: http://fenicks.nl/
Content-Type: text/html; charset=UTF-8
Set-Cookie: wfvt_3649448265=5a901cf37df45; expires=Fri, 23-Feb-2018
14:23:55 GMT; Max-Age=1800; path=/; httponly
Set-Cookie: PHPSESSID=acabjc9465ndicq3g92r5uglb1; path=/

HTTP/1.1 200 OK
Date: Fri, 23 Feb 2018 13:53:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.6.17-1~dotdeb+7.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Link: ; rel="https://api.w.org/;
Link: ; rel=shortlink
Content-Type: text/html; charset=UTF-8
Set-Cookie: wfvt_3649448265=5a901cf4bba53; expires=Fri, 23-Feb-2018
14:23:56 GMT; Max-Age=1800; path=/; httponly
Set-Cookie: PHPSESSID=mgk9d7i9n33chhtomuaarelg27; path=/

Het zijn uiteraard maatregelen die getroffen worden in specifieke
gevallen, wel hebben we erg sterk verouderde user-agents geblokkeerd als
bewust keuze.
De reden hiervan is dat er zoveel misbruik (abuse) middels gepleegd
wordt dat onze klanten daarvan hinder ervaren.

M.b.t. je punt om een nette melding te geven, is op zich daar wat van te
zeggen, maar bij de aantallen waarmee het misbruikt wordt is dat geen optie.
En ook met die nette melding, maak je de aanvallers, mits deze er actief
op let, slimmer dan dat nodig is, je wil vanzelfsprekend je diensten
beschermen.

Ik verwacht je hiermee voldoende te hebben geïnformeerd, mocht dit niet
het geval zijn, neem dan gerust nogmaals contact met mij op.

Met vriendelijke groet,
Daniël
--



-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[mlnl]

Hi,

> ​Can it be true?  A version of gcc that runs on stretch that will
> compile the latest fancy spectre fixes etc?

with latest vanilla kernel 4.15.4 and updated gcc-6:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
* IBRS enabled for Kernel space:  NO
* IBRS enabled for User space:  NO
* IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

grep bugs /proc/cpuinfo
bugs: cpu_meltdown spectre_v1 spectre_v2
model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz



stepping: 3



microcode   : 0x22

-- 
mlnl

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 13:42, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 12:43, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > Hi,
> > > >
> > > > Do you have any clue on when the gcc fix for stretch is to be
> released ?
> > > >
> > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > > stretch
> > > > seem to have already been implemented. So I dunno what is still
> blocking
> > > > the release. :'(
> > >
> > > https://www.debian.org/security/2018/dsa-4120
> >
> >
> > ​Can it be true?  A version of gcc that runs on stretch that will compile
> > the latest fancy spectre fixes etc?
> >
> > ​Cheers
>
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
>
> $ uname -r
> 4.9.0-6-amd64
>
> $ grep bug /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
>

​Could you install this kernel in stretch at present or only in buster?

Regards

MF
​


> ...
>
> Reco
>
>

apt vs apt-get (was: Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?)

[Reco]

Hi.

On Fri, Feb 23, 2018 at 08:54:31AM -0500, Greg Wooledge wrote:
> On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> > 
> > $ uname -r
> > 4.9.0-6-amd64
> 
> You mean "apt (or apt-get) dist-upgrade", right?

What works too.


> /me tries it on a different computer that hasn't dist-upgraded yet...
> Wait, wait, wait... what?  WHAT?!
> "apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

apt(8) has this to say on this:

   upgrade (apt-get(8))
   upgrade is used to install available upgrades of all packages
currently installed on the system from the sources configured via
sources.list(5). New packages will be installed if required to satisfy
dependencies, but existing packages will never be removed.

So yes, "apt-get upgrade" and "apt upgrade" are different, that's
intended, and once again Debian project choose sane default behavior.

In this particular case, "linux-image-4.9.0-6-amd64" was pulled as a
dependency of "linux-image-amd64", and old "linux-image-4.9.0-5-amd64"
was not removed. Neat, isn't it?

Reco

Re: Problems with clean install of fvwm

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Feb 23, 2018 at 08:43:42AM -0500, Greg Wooledge wrote:
> On Fri, Feb 23, 2018 at 02:21:11PM +0100, Thomas Schmitt wrote:
> > Hi,
> > 
> > tracker.debian.org tells me that there is a default configuration file in
> >   
> > https://sources.debian.org/data/main/f/fvwm/1:2.6.7-3/default-config/config
> > which is the download view of
> >   https://sources.debian.org/src/fvwm/1:2.6.7-3/default-config/config/
> > 
> > It looks like a clean starting point for modification and enhancement.
> > I'd put it on disk as: ~/.fvwm2rc
> 
> >From the fvwm(1) man page:
> 
>Here is the complete list of all
>file locations queried in the default installation (only the first
>found file is used):
> 
>$HOME/.fvwm/config
>/usr/local/share/fvwm/config
> 
>$HOME/.fvwm/.fvwm2rc
>$HOME/.fvwm2rc
>/usr/local/share/fvwm/.fvwm2rc
>/usr/local/share/fvwm/system.fvwm2rc
>/etc/system.fvwm2rc

Now, /usr/local isn't a good place for distribution files. For the
Debian-distributed fvwm I'd expect things to be in /usr/share (and
so on). And yes, you'll find things in /usr/share, except that
config is "hidden" in a sub-directory, like so:

  /usr/share/fvwm/default-config/config

(as I noted in my previous post, btw). Probably to avoid interfering
with an already existing local config, I don't know.

Cheers
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlqQHZYACgkQBcgs9XrR2kYFFQCfc0LLy0YRPIKSbG0UAeyHqm+Z
l1kAn3Vo9SQa4WhPrthFxWKnMSd2nEpB
=L5/P
-END PGP SIGNATURE-

Re: Mijndomein Websites die niet werken met Firefox-esr

[Stem ook met je portomonee]

On Fri, Feb 23, 2018 at 02:04:16PM +0100, Sjoerd Hiemstra wrote:
> Je herinnert je de reactie van MijnDomein van 11 februari, waarin werd
> gezegd:
> 
> > Wat hier verder de procedure van is, is mij nog niet duidelijk en om
> > die reden zet ik dit ticket even door naar iemand die je hier een
> > gepast antwoord op kan geven.
> 
> Het heeft even geduurd, maar nu is dat 'gepaste antwoord' dan toch
> gekomen. Hier een weergave.
> 
> 
> Goedemorgen,
> 
> Mijn excuses dat het antwoord even op zich heeft laten wachten. Het is
> op dit moment drukker dan normaal. Daarom duurt het langer voordat je
> een passend antwoord krijgt van ons.
> 
> De reden dat de user agent geblokkeerd is, is omdat deze misbruikt werd
> richting ons platform, zoals Rowan al aangaf. Dit misbruik was zo erg
> dat onze klanten hier last van kregen en daarom hebben we moeten
> besluiten de user agent van Firefox 52 rw blokkeren. Dit is ook niet
> iets wat ik voor je kan oplossen. Er zijn 2 dingen die je kunt doen.
> 
> - Updaten naar nieuwere versie van Firefox
> - Je vervroegd overzetten naar ons vernieuwde webhosting pakket
> 
> Op het vernieuwde webhosting pakket is Firefox 52 niet geblokkeerd.
> Ik kan geen garantie geven dat dit in de toekomst zo blijft. Wel is
> het zo dat de kans dat dit nodig is een stuk kleiner is. Zie voor het
> vervroegd overzetten de onderstaande uitleg.
> 
> Dit pakket bevat veel nieuwe mogelijkheden, zoals SSL certificaten
> zonder extra kosten, PHP 7.1 en automatische installaties van
> veelgebruikte software. Wil je exact weten wat dit nieuwe pakket
> inhoudt, dan kan je even kijken op onze website bij:
> https://www.mijndomein.nl/producten/webhosting.
> 
> Ook jij kunt straks gebruik maken van dit pakket. We zijn op dit moment
> bezig om alle klanten gratis overzetten naar dit platform. Tot de
> eerstvolgende verlengdatum van je pakket betaal je hier niks extra
> voor. Daarna bedragen de jaarlijkse kosten van het pakket 60 euro.
> 
> Als je akkoord gaat kan ik alle domeinen met webhosting pakket onder
> dit account op de lijst zetten, ze worden dan binnen enkele werkdagen
> overgezet.
> 
> Ik hoor graag van je of je je in deze oplossing kan vinden.
> 
> Met vriendelijke groet,
> Sander | mijndomein.nl Klantbeleving
> 

Hallo Sander,
Hallo Collega van Sander,

Dat nieuwe platform, naast PHP 7, wat heeft nog meer aan voordelen?

Krijgen bezoekers van mijn website, daar gaat het immers over,
wel een bericht als ze in jullie ogen een foute User-Agent hebben?

Uit jullie uitspraak (op genoemde URL)
  "Door onze unieke cachelaag zorgen wij ervoor dat jouw website ontzettend snel
   kan worden geladen. Nooit meer seconden lang wachten."
kan ik het niet opmaken.
Wel heb ik de herinnering van wachten op time-outs nog vers in mijn geheugen.


Ander ding waar ik wel nieuwsgierig naar ben,
laat het nieuw platform wel zien hoeveel "aanvallers" er buiten gehouden zijn?

Op https://www.mijndomein.nl/producten/webhosting staat daar niets meer over
als: "Direct inzicht in de bezoekersaantallen van je website met onze 
vernieuwde websitestatistieken."


Groeten
Jullie Klant

P.S.
Iedere als jullie reclame spotje voorbij komt,
dan denk ik: Oja, mijndomein.nl betaal ik om mijn bezoekers te schofferen.

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Greg Wooledge]

On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
> 
> $ uname -r
> 4.9.0-6-amd64

You mean "apt (or apt-get) dist-upgrade", right?

/me tries it on a different computer that hasn't dist-upgraded yet...

Wait, wait, wait... what?  WHAT?!

"apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

What the hell, Debian?

Re: Problems with clean install of fvwm

[Greg Wooledge]

On Fri, Feb 23, 2018 at 02:21:11PM +0100, Thomas Schmitt wrote:
> Hi,
> 
> tracker.debian.org tells me that there is a default configuration file in
>   https://sources.debian.org/data/main/f/fvwm/1:2.6.7-3/default-config/config
> which is the download view of
>   https://sources.debian.org/src/fvwm/1:2.6.7-3/default-config/config/
> 
> It looks like a clean starting point for modification and enhancement.
> I'd put it on disk as: ~/.fvwm2rc

>From the fvwm(1) man page:

   Here is the complete list of all
   file locations queried in the default installation (only the first
   found file is used):

   $HOME/.fvwm/config
   /usr/local/share/fvwm/config

   $HOME/.fvwm/.fvwm2rc
   $HOME/.fvwm2rc
   /usr/local/share/fvwm/.fvwm2rc
   /usr/local/share/fvwm/system.fvwm2rc
   /etc/system.fvwm2rc

   Please note, the last 5 locations are not guaranteed to be supported in
   the future.

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Reco]

Hi.

On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> On 23 February 2018 at 12:43, Reco  wrote:
> 
> > Hi.
> >
> > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > Hi,
> > >
> > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > >
> > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > stretch
> > > seem to have already been implemented. So I dunno what is still blocking
> > > the release. :'(
> >
> > https://www.debian.org/security/2018/dsa-4120
> 
> 
> ​Can it be true?  A version of gcc that runs on stretch that will compile
> the latest fancy spectre fixes etc?
> 
> ​Cheers

So it seems. New kernel came today with the usual 'apt update && apt
upgrade' routine:

$ uname -r
4.9.0-6-amd64

$ grep bug /proc/cpuinfo
bugs: cpu_meltdown spectre_v1 spectre_v2
...

Reco

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Stephen P. Molnar]

On 02/23/2018 07:12 AM, Reco wrote:

Hi.

On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:

On Thu, 22 Feb 2018, Reco wrote:


On the EeePC Ctl-Alt-F3 /dev/tty3:
  ~ # ip address
  3: enp0s4:  ...
...
inet 10.218.0.100 scope global enp0s4
inet6 fe80::22cf:30ff:fe10:43fd/64 scope link

The "fe" at the beginning of the IPv6 address says that this is not capable
of working with the public IPv6 network.

There's one crucial detail that's missing here. I agree that fe80
designates link-local IPv6 (they don't put "scope link" there for
nothing), but what about routing?
I.e. I'm curious about the output of "ip -6 ro l".

rprice@kananga:~$ ip -6 ro l
fe80::/64 dev wlan0 proto kernel metric 256  pref medium

Now *that* actually means it should be impossible for this host to
connect to 2001:41d0:202:100:213:32:5:7.

So either we have a little wonder here, or … do you have DHCP6 client
installed there by chance? Installer most certainly should include one,
and that could explain the difference in behavior between your current
host and d-i.

Reco



Interesting,

The only entry in Synaptic for DHCP was kea-dhcp6-server.  Synaptic 
installed:


kea-common (1.1.0-1)
kea-dhcp6-server (1.1.0-1)
liblog4cplus-1.1-9 (1.1.2-3.2)

Now, when I do  apt update I get:

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://security.debian.org/debian-security stretch/updates InRelease
Hit:4 http://debian.uchicago.edu/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Although if I do:

root@AbNormal:/home/comp# dpkg --add-architecture i386
root@AbNormal:/home/comp# spt update

then

root@AbNormal:/home/comp# apt update
Ign:1 http://debian.uchicago.edu/debian stretch InRelease
Hit:2 http://debian.uchicago.edu/debian stretch-updates InRelease
Hit:3 http://debian.uchicago.edu/debian stretch Release
Hit:4 http://security.debian.org/debian-security stretch/updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

but, gdebi happily installed acroread, which requires i386 libraries, 
there were no warning or error messages.  Acroread works notmally.


--
Stephen P. Molnar, Ph.D.
Consultant
www.molecular-modeling.net
(614)312-7528 (c)
Skype: smolnar1

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Michael Fothergill]

On 23 February 2018 at 12:43, Reco  wrote:

> Hi.
>
> On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > Hi,
> >
> > Do you have any clue on when the gcc fix for stretch is to be released ?
> >
> > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> stretch
> > seem to have already been implemented. So I dunno what is still blocking
> > the release. :'(
>
> https://www.debian.org/security/2018/dsa-4120


​Can it be true?  A version of gcc that runs on stretch that will compile
the latest fancy spectre fixes etc?

​Cheers

MF



>
>
> Reco
>
>

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Reco]

On Fri, Feb 23, 2018 at 02:22:01PM +0100, Erwan David wrote:
> On Fri, Feb 23, 2018 at 01:12:41PM CET, Reco  said:
> > Hi.
> > 
> > On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:
> > > On Thu, 22 Feb 2018, Reco wrote:
> > > 
> > > > > On the EeePC Ctl-Alt-F3 /dev/tty3:
> > > > >  ~ # ip address
> > > > >  3: enp0s4:  ...
> > > > >...
> > > > >inet 10.218.0.100 scope global enp0s4
> > > > >inet6 fe80::22cf:30ff:fe10:43fd/64 scope link
> > > > > 
> > > > > The "fe" at the beginning of the IPv6 address says that this is not 
> > > > > capable
> > > > > of working with the public IPv6 network.
> > > > 
> > > > There's one crucial detail that's missing here. I agree that fe80
> > > > designates link-local IPv6 (they don't put "scope link" there for
> > > > nothing), but what about routing?
> > > > I.e. I'm curious about the output of "ip -6 ro l".
> > > 
> > > rprice@kananga:~$ ip -6 ro l
> > > fe80::/64 dev wlan0 proto kernel metric 256  pref medium
> > 
> > Now *that* actually means it should be impossible for this host to
> > connect to 2001:41d0:202:100:213:32:5:7.
> 
> No. In SLAAC the router often sends its linklocal address as
> gateway.

And this particular routing table does not have it.
What it does have is the usual link-local /64 route, which cannot be
used to send packets to 2001::/96.


But, looking at all this once more, I see a discrepancy - "ip a" shows
Unpredictable Network Name, yet "ip ro" shows conventional "wlan0".

Reco

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Erwan David]

On Fri, Feb 23, 2018 at 01:12:41PM CET, Reco  said:
>   Hi.
> 
> On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:
> > On Thu, 22 Feb 2018, Reco wrote:
> > 
> > > > On the EeePC Ctl-Alt-F3 /dev/tty3:
> > > >  ~ # ip address
> > > >  3: enp0s4:  ...
> > > >...
> > > >inet 10.218.0.100 scope global enp0s4
> > > >inet6 fe80::22cf:30ff:fe10:43fd/64 scope link
> > > > 
> > > > The "fe" at the beginning of the IPv6 address says that this is not 
> > > > capable
> > > > of working with the public IPv6 network.
> > > 
> > > There's one crucial detail that's missing here. I agree that fe80
> > > designates link-local IPv6 (they don't put "scope link" there for
> > > nothing), but what about routing?
> > > I.e. I'm curious about the output of "ip -6 ro l".
> > 
> > rprice@kananga:~$ ip -6 ro l
> > fe80::/64 dev wlan0 proto kernel metric 256  pref medium
> 
> Now *that* actually means it should be impossible for this host to
> connect to 2001:41d0:202:100:213:32:5:7.

No. In SLAAC the router often sends its linklocal address as
gateway. The IP address of the gateway has only one use : to get it's
mac address (same in IPv4 or IPv6), thus link local is OK.


-- 
Erwan

Re: Problems with clean install of fvwm

[Thomas Schmitt]

Hi,

tracker.debian.org tells me that there is a default configuration file in
  https://sources.debian.org/data/main/f/fvwm/1:2.6.7-3/default-config/config
which is the download view of
  https://sources.debian.org/src/fvwm/1:2.6.7-3/default-config/config/

It looks like a clean starting point for modification and enhancement.
I'd put it on disk as: ~/.fvwm2rc

Usage instructions 
  # The root menu will PopUp with a click in the root
  # window or using alt-f1 (or menu).

This menu is supposed to offer items like "Programs" and "XTerm".
>From there on it should be possible to edit the configuration and to
then choose "Restart" from the root menu to apply it.

(An early experiment could be to add
+  "I" Module FvwmCommandS
 to StartFunction in order to be able to run shell command FvwmCommand
 for testing single fvwm commands.)


Have a nice day :)

Thomas

Re: domain names, was: hostname

[Dan Purgert]

David Wright wrote:
> On Mon 19 Feb 2018 at 18:39:02 (+), Brian wrote:
>> [...]
>> alum is the canonical_hostname. It is used by exim to HELO with. Many
>> mail servers will not accept mail directly from you because it is not a
>> FQDN.
>
> This is why I wrote "broken" at ². The OP wrote "on a home LAN",
> in which case it's unlikely that they relay mail to mail servers
> on port 25. More likely is that they use a smarthost with a mail
> submission system on port 587 or possibly 465 (though 25 is
> allowed for broken senders³).

While this may be true in many cases, my local (home) relay *only* accepts
relay requests from hosts within the scope of my domain. Granted, now
that I've moved ISPs, some remote mailhosts (hotmail, I'm lookin' at you)
like to reject things.  Gonna have to find what their relay is, so I can
relay through their mailserver and make it look legit.

Funny thing is, gmail, att/yahoo, and others all happily accept the
mail.

Re: domain names, was: hostname

[Brian]

On Thu 22 Feb 2018 at 11:58:18 -0600, David Wright wrote:

> On Mon 19 Feb 2018 at 18:39:02 (+), Brian wrote:
> > On Mon 19 Feb 2018 at 10:23:56 -0600, David Wright wrote:
> > 
> > > $ cat /etc/mailname 
> > > alum
> > 
> > Debian's exim4 README says that mailname should be a FQDN. I find that
> > useful for sending mail to "anotheruser".
> 
> Sorry, but I haven't been able to work out what you mean.
> Is "anotheruser" a username on the same system, somebody or
> some machine on the LAN, or something different?

Exim will qualify all unqualified addresses with mailname. "anotheruser"
could be a user on the system or have an email account elsewhere.
With mailname as gmail.com a mail sent to or cc'ed to tom123 would go to
tom...@gmail.com.

> This is a genuine query. If I'm missing out on some useful aspect
> of writing in a domain, I'd like to know what it is so I can try
> using it. (I have a spare domain registration handy as it happens.)

The mailname needn't be the canonical_hostname, although exim will
indeed set it up with this when it is installed and mailname does not
exist. Easily changed.
 
> > But mailname has nothing to
> > do with domain as enquired about by Jeremy Nicoll.
> 
> The contents of /etc/mailname is the answer to this question:
> "It should be the single, fully qualified domainname (FQDN)."
> so, because the domain is empty, the FQDN will be the same as
> the hostname. I was merely showing that to be the case here.

Yes. I don't think this disadvantages the majority of users. It is only
when setting up an MTA that some thought has to be put into what purpose
you want mailname to serve. A single word entry, the hostname, say,
would not suit me.

> As pointed out elsewhere, mailname can be used to generate
> Message-IDs (mutt does) which might not be globally unique,

A Message-ID is not used to transport a mail, so how it is generated is
not of great importance. As it happens, I generate my own through mutt.

> not something to concern most home users, and it can be
> mitigated. It's also used as the envelope-from, it appears,
> between the mail client and exim which can rewrite it.

That's exim qualifying an unqualified address.

> I guess that if you submit mail directly from, say, mutt to
> a remote smarthost, it would be a good idea to place an
> email address into /etc/mailname.

I think it is always a good idea to have a FQDN in /etc/mailname,
irrespective of what is in /etc/hosts.

-- 
Brian.

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

[Reco]

Hi.

On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> Hi,
> 
> Do you have any clue on when the gcc fix for stretch is to be released ?
> 
> Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> seem to have already been implemented. So I dunno what is still blocking
> the release. :'(

https://www.debian.org/security/2018/dsa-4120

Reco

Re: Problems with clean install of fvwm

[Thomas Schmitt]

Hi,

Richard Owlett wrote:
> fvwm-crystal was also suggested. When installed it was in some sense
> "cleaner" but still too busy. Launched fvwm which had been installed by the
> fvwm-crystal package.

There's not much configuration in the fvwm package of Debian, indeed.

> I rebooted expecting a minimal fvwm display. I got a command line.

A console command line ? (Whole screen is one window with no graphical
ornaments ?)
Iirc, i got an empty screen with no input opportunity but a pull-down
menu by right mouse button, where i could start an xterm.
As stated earlier, i then copied my ~/.fvwm2rc from backup to my newly
installed Debian.


You will have to start with some example configuration and then adapt
it until suits your expectations.
There are many. But there is the problem of trusting such software.

Steve McIntyre's example would be trustworthy
  https://lists.debian.org/debian-user/2015/08/msg00464.html
  http://www.einval.com/~steve/debian/fvwm2rc.example
because you trust Steve with each and every Debian installation.
I cannot say, though, how easy it will be to adapt.
  # Heavy use of m4 here - needs to be called as `fvwm2 -f "FvwmM4 .fvwm2rc"'

I could also give you mine. With many of its lines i should be able
to tell why i have them and what they do. But some might be surprising
for me too. Not all are necessarily supposed to do something usable.
I have an empty ~/.fvwm directory too. It does not hamper my ~/.fvwm2rc.

Give me a note if i shall send it to you in private. (I will have to
check it for embarrassing personal details first ...)


Have a nice day :)

Thomas

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Reco]

Hi.

On Fri, Feb 23, 2018 at 12:22:26PM +0100, Roger Price wrote:
> On Thu, 22 Feb 2018, Reco wrote:
> 
> > > On the EeePC Ctl-Alt-F3 /dev/tty3:
> > >  ~ # ip address
> > >  3: enp0s4:  ...
> > >...
> > >inet 10.218.0.100 scope global enp0s4
> > >inet6 fe80::22cf:30ff:fe10:43fd/64 scope link
> > > 
> > > The "fe" at the beginning of the IPv6 address says that this is not 
> > > capable
> > > of working with the public IPv6 network.
> > 
> > There's one crucial detail that's missing here. I agree that fe80
> > designates link-local IPv6 (they don't put "scope link" there for
> > nothing), but what about routing?
> > I.e. I'm curious about the output of "ip -6 ro l".
> 
> rprice@kananga:~$ ip -6 ro l
> fe80::/64 dev wlan0 proto kernel metric 256  pref medium

Now *that* actually means it should be impossible for this host to
connect to 2001:41d0:202:100:213:32:5:7.

So either we have a little wonder here, or … do you have DHCP6 client
installed there by chance? Installer most certainly should include one,
and that could explain the difference in behavior between your current
host and d-i.

Reco

Re: Problems with clean install of fvwm

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Feb 23, 2018 at 05:46:40AM -0600, Richard Owlett wrote:

> I rebooted expecting a minimal fvwm display. I got a command line.
> I found that though a "/home/richard/.fvwm" directory had been
> created, it was empty. I couldn't find copies of what files should
> have been there on initial first run. Only instructions/examples for
> adding this or that doodad.

The place for fvwm's default system-wide config in Debian seems to
be /usr/share/fvwm/default-config/config. So to get you kick-started,
just create a file named "config" in your /home/richard/.fvwm
consisting of this one line:

  Read /usr/share/fvwm/default-config/config

(leading space just here, for readability). Be warned that fvwm's
config language is... idiosyncratic. But copiously documented in
man pages. There are people out there (yes, I'm one of them) for
whom fvwm is just what the doctor ordered.

Cheers
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlqQAmYACgkQBcgs9XrR2kYAQwCfSrx8kCP65/hGc2CspHM9L9Kv
l70An1Mfn/cfWlf88/zHrsA1Oo0tVxC+
=WaSW
-END PGP SIGNATURE-

Re: Stretch: problème avec Ethernet Controller RTL8111

[Bernard]

Merci Jean Louis et Bernard pour ces suggestions, que je ne vais pas 
manquer d'essayer.


Toutefois, je viens de découvrir quelque chose : sur mon vieux Desktop 
sous Lenny (celui d'où j'écris ce message), j'ai la même carte réseau 
rtl8168 que celui qui me pose problème sur mon nouveau Desktop sous 
Stretch. Cette carte ne date pas d'hier, car mon vieux PC date de 2007 ; 
j'y avais d'abord installé Debian Sarge... puis Lenny, sans avoir connu 
aucun problème avec cette carte réseau. Alors, est-ce là un problème dû 
à Stretch ?  Ou bien est-ce un problème de hardware chez moi ?  Le 
moniteur de réseau me dit : connexion filiaire ==> câble non connecté !  
Bien évidemment le câble est connecté, et j'ai même essayé de permuter 
les deux cables ethernet alimentant chacun de mes deux PC, sans résultat.


Comment puis-je trouver si mon chipset est défectueux ?  A 
l'installation de Stretch, le programme d'installation ayant cherché une 
connexion filiaire m'a informé que DHCP ne paraissait pas fonctionner, 
et m'a proposé d'entrer des paramètres ; n'ayant pas su quoi mettre, 
j'ai essayé plusieurs choses ; après plusieurs essais le programme s'est 
rabattu sur une connexion WiFi.


Bon : j'essaye d'abord connman... puis wicd... et je vous tiens au 
courant des résultats


Bernard


Jean Louis Giraud Desrondiers wrote:

Bonjour,
  

serait il possible d'installer wicd (?) car sur mon ordi portable
c'est le seul moyen que j'ai trouvé d'activer la carte wifi



encore mieux selon moi : connman (j'ai eu plein de problème de
configuration avec wicd et avec connman ma connexion a été établie en
deux coups de cuiller à pot)
  

slt
bernard





  

Problems with clean install of fvwm

[Richard Owlett]

History
I run MATE, but to paraphrase a restaurant - "I want Debian MyWay" ;)
It was suggested that I wanted what KDE calls "activities".
It looked promising. I installed it. It suffers from featuritis.
fvwm-crystal was also suggested. When installed it was in some sense 
"cleaner" but still too busy. Launched fvwm which had been installed by 
the fvwm-crystal package.


The problem
It had "inherited" configuration items from fvwm-crystal. The web pages 
I had read spoke of a default 1st run display. I could not figure out 
how to get that to appear.


Having adequate space available I used netinst to do a base command line 
only install to a new partition. It was followed by doing "apt-get 
install fvwm".


I rebooted expecting a minimal fvwm display. I got a command line.
I found that though a "/home/richard/.fvwm" directory had been created, 
it was empty. I couldn't find copies of what files should have been 
there on initial first run. Only instructions/examples for adding this 
or that doodad.


Help please.
TIA

Re: Stretch net install on EeePC - unable to resolve mirror host address

[Roger Price]

On Thu, 22 Feb 2018, Reco wrote:


On the EeePC Ctl-Alt-F3 /dev/tty3:
 ~ # ip address
 3: enp0s4:  ...
   ...
   inet 10.218.0.100 scope global enp0s4
   inet6 fe80::22cf:30ff:fe10:43fd/64 scope link

The "fe" at the beginning of the IPv6 address says that this is not capable
of working with the public IPv6 network.


There's one crucial detail that's missing here. I agree that fe80
designates link-local IPv6 (they don't put "scope link" there for
nothing), but what about routing?
I.e. I'm curious about the output of "ip -6 ro l".


rprice@kananga:~$ ip -6 ro l
fe80::/64 dev wlan0 proto kernel metric 256  pref medium

Roger