Re: buster VM does not always start sshd
* Steve McIntyre:

> f...@deneb.enyo.de wrote:
>>I've got a buster VM (upgraded from stretch) which does not launch
>>sshd (and Unbound) until a login attempt happens on a TTY. (An
>>unsuccessful attempt appears to be enough.)
>>
>>At that point, both sshd and Unbound start successfully, and network
>>login is possible. I don't think I have changed the service
>>configuration. There is nothing unusual about the networking setup,
>>except that it doesn't use DHCP, and there is a static stanza in
>>/etc/network/interfaces, with a matching auto directive.
>
> The most likely cause is lack of randomness at boot. Check your boot
> messages for "crng init done". This is biting lots of people.
>
> If you're running a VM, look into how to share a random device from
> the host.

Thanks, that's it. I knew about this problem in theory, but have never seen it in action. In my case, the VM had the wrong CPU model configured (one without RDRAND).
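The check suggested in this reply can be automated. The following is an added example, not code from the thread: it correlates the kernel's "crng init done" message with slow unit starts in journal-style lines. The ssh and Unbound timestamps are the ones quoted in the thread; the kernel line, its timestamp, the time-sync unit and the 30-second threshold are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Journal-style lines. The ssh and Unbound timestamps are the ones quoted in the
# thread; the kernel line and the time-sync unit are constructed for this example.
SAMPLE_JOURNAL = """\
May 04 17:46:20 storage1 systemd[1]: Starting Network Time Synchronization...
May 04 17:46:20 storage1 systemd[1]: Starting OpenBSD Secure Shell server...
May 04 17:46:20 storage1 systemd[1]: Starting Unbound DNS server...
May 04 17:46:21 storage1 systemd[1]: Started Network Time Synchronization.
May 04 17:47:30 storage1 kernel: random: crng init done
May 04 17:47:31 storage1 systemd[1]: Started OpenBSD Secure Shell server.
May 04 17:47:32 storage1 systemd[1]: Started Unbound DNS server.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<ident>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
STARTING_RE = re.compile(r"^Starting (?P<unit>.+)\.\.\.$")
STARTED_RE = re.compile(r"^Started (?P<unit>.+)\.$")


def parse_journal(text, year=2019):
    """Return (timestamp, identifier, message) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ident"], m["msg"]))
    return events


def crng_ready_time(events):
    """Time of the kernel's 'crng init done' message, or None if it never appeared."""
    for ts, ident, msg in events:
        if ident == "kernel" and "crng init done" in msg:
            return ts
    return None


def entropy_stalled_units(events, min_gap=timedelta(seconds=30)):
    """Units whose start took at least min_gap and finished only after crng init.

    If the log has no 'crng init done' line at all, units that are still
    starting at the end of the log are reported with started=None.
    """
    crng = crng_ready_time(events)
    starting, stalled = {}, []
    for ts, ident, msg in events:
        if ident != "systemd":
            continue
        if (m := STARTING_RE.match(msg)):
            starting[m["unit"]] = ts
        elif (m := STARTED_RE.match(msg)) and m["unit"] in starting:
            begin = starting.pop(m["unit"])
            waited_for_crng = crng is not None and begin < crng <= ts
            if ts - begin >= min_gap and waited_for_crng:
                stalled.append({
                    "unit": m["unit"],
                    "started": ts,
                    "wait_seconds": int((ts - begin).total_seconds()),
                })
    if crng is None:
        for unit in starting:
            stalled.append({"unit": unit, "started": None, "wait_seconds": None})
    return stalled


if __name__ == "__main__":
    for entry in entropy_stalled_units(parse_journal(SAMPLE_JOURNAL)):
        print(entry)
```
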
buster VM does not always start sshd
I've got a buster VM (upgraded from stretch) which does not launch sshd (and Unbound) until a login attempt happens on a TTY. (An unsuccessful attempt appears to be enough.)

At that point, both sshd and Unbound start successfully, and network login is possible. I don't think I have changed the service configuration. There is nothing unusual about the networking setup, except that it doesn't use DHCP, and there is a static stanza in /etc/network/interfaces, with a matching auto directive.

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
   Active: active (running) since Sat 2019-05-04 17:47:31 UTC; 8min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 684 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 694 (sshd)
    Tasks: 1 (limit: 1149)
   Memory: 3.1M
   CGroup: /system.slice/ssh.service
           └─694 /usr/sbin/sshd -D

May 04 17:46:20 storage1 systemd[1]: Starting OpenBSD Secure Shell server...
May 04 17:47:31 storage1 sshd[694]: Server listening on 0.0.0.0 port 22.
May 04 17:47:31 storage1 sshd[694]: Server listening on :: port 22.
May 04 17:47:31 storage1 systemd[1]: Started OpenBSD Secure Shell server.
May 04 17:48:04 storage1 sshd[708]: Accepted publickey for fw from 172.17.151.1
May 04 17:48:04 storage1 sshd[708]: pam_unix(sshd:session): session opened for u

● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset:
   Active: active (running) since Sat 2019-05-04 17:47:32 UTC; 9min ago
     Docs: man:unbound(8)
  Process: 683 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=e
  Process: 687 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_up
 Main PID: 695 (unbound)
    Tasks: 1 (limit: 1149)
   Memory: 8.0M
   CGroup: /system.slice/unbound.service
           └─695 /usr/sbin/unbound -d

May 04 17:46:20 storage1 systemd[1]: Starting Unbound DNS server...
May 04 17:47:32 storage1 package-helper[687]: /var/lib/unbound/root.key has cont
May 04 17:47:32 storage1 package-helper[687]: success: the anchor is ok
May 04 17:47:32 storage1 unbound[695]: [695:0] notice: init module 0: subnet
May 04 17:47:32 storage1 unbound[695]: [695:0] notice: init module 1: validator
May 04 17:47:32 storage1 unbound[695]: [695:0] notice: init module 2: iterator
May 04 17:47:32 storage1 unbound[695]: [695:0] info: start of service (unbound 1
May 04 17:47:32 storage1 systemd[1]: Started Unbound DNS server.

As far as I can tell, the system reaches multi-user.target successfully, at which point I expect that sshd.service can start as well:

● multi-user.target - Multi-User System
   Loaded: loaded (/lib/systemd/system/multi-user.target; static; vendor preset:
   Active: active since Sat 2019-05-04 17:34:16 UTC; 22min ago
     Docs: man:systemd.special(7)

May 04 17:34:16 storage1 systemd[1]: Reached target Multi-User System.

Any suggestions how to debug this further? I don't think this happened with Debian stretch.
Re: intermittent name resolution failures
* kamaraju kusumanchi:

> On Fri, Dec 28, 2018 at 3:51 AM wrote:
>>
>> Whenever your DNS fails try a "traceroute 8.8.8.8". Compare its results
>> to what you get when you do it at times where your DNS works. Perhaps
>> this sheds some light on it.
>
> That is tough to capture because the problem is intermittent. When I
> retry it seems to come back and vice versa. Instead I ran the
> traceroute command 10 times and stored the output in trial_1.txt,
> trial_2.txt, ... trial_10.txt in
> http://kamaraju.xyz/tmp/network_issues/
>
> Command used:
> $ for i in `seq 1 10`; do traceroute 8.8.8.8 > trial_$i.txt; done

This is more useful than the dig +trace output (which is not representative at all because +trace

> I see a lot of differences between trial_6.txt and trial_4.txt. Does
> that mean anything or is this variation expected?

The first hop should be the same in all cases and reachable (no stars). It looks like the network is down intermittently. What kind of network connection is this? Do you have physical access to the machine?
Xfce: Apply keyboard settings on USB plug
I'm using the Xfce desktop environment on Debian jessie. The keyboard is plugged into a KVM switch which issues a USB disconnect if I switch to another machine. Once I switch back, the USB connection comes back again, but the keyboard settings are gone. This affects both the changes in keyboard repeat/delay I configured within Xfce, and the modmap I set with Xmodmap on session start. Is there a simple solution to restore the keyboard settings, one which is less hackish than watching for USB-related messages in dmesg?
Re: Debian Compatibility for CISCO UCS Servers
* Dilan Wijesooriya:

> We need to install (bare metal) Debian 7 and Debian 8 for below CISCO
> Server model (Quantity 2), can you pls let us know the compatibility
> of this, much appreciated your kind support and help for this project.

Dear Dilan,

you need to ask your hardware provider to self-certify Debian compatibility, ideally before buying their hardware.

Regards,
Florian
Re: Understanding DNS, Create an Failover
If the DNS information does not change frequently, then you can make the changes to both databases manually. You may be able to just copy the zone files, I'm not sure, but you will need to update the serial numbers. Basti asked about resolvers, you are talking about authoritative servers. Basti, if the timeout from the first listed name server bothers you, you can either install a local resolver such as BIND or Unbound and configure it as a forwarder (the local resolver will react more gracefully to unavailable upstream resolvers), or use techniques such as IP anycast or some other high-availability approach to make sure that there is always a server responding under the IP address you have configured. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87mw8flz04@mid.deneb.enyo.de
Re: EFI SecureBoot and Trusted Computing in Debian
* Marty: What I call the manifesto [1] claims that UEFI SecureBoot is needed in a post Snowden World. I don't think it's true. Apple and some Android devices are already locked down very tightly, and it is not clear that this has helped to protect users' privacy and prevent access to stored information without their authorization. Independent of that, we previously discussed the Microsoft Secure Boot policy change/clarification: https://lists.debian.org/debian-project/2014/01/msg00042.html The referenced policy keeps changing (the article has been revised a couple of times since publication). The current iteration approximately matches what was discussed in the thread on debian-project. (An older version required use of an EV-compliant code signing CA for the embedded CA certificates, which means FIPS 140-2 Level *3*, which is really expensive to implement.) There is also the larger policy question if we want platform lockdown through a cryptographically verified boot process, and cryptographically secured userspace, including remote attestation capabilities. Mozilla has announced that they plan to add DRM support to Firefox: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/ Coupled with remote attestation, this could enable web site operators to restrict access to client devices which use vendor keys and run authorized Firefox binaries only. In this possible outcome, the ability of device owners to enroll their own keys would be increasingly meaningless because once you do that, you'd lose access to lots of online content (probably even your Gmail inbox—because an unauthorized browser could have automation to accelerate sending spam).
Re: UEFI Secure Boot and enabling W8/Linux dual boot - some links/refs
* Steve Litt: I've personally disabled Secure Boot from a cold boot to the BIOS, and then installed Ubuntu, and had both OS's work. I've done this at least twice, maybe more. That being said, perhaps the reason I failed to install a *Debian* dual-boot was because I shut off Secure Boot from the BIOS instead of Windows. I once disabled Secure Boot by swapping out the mainboard, and Windows didn't care about that, either. Curiously, the previous mainboard (which had Secure Boot enabled) was bricked by a firmware update gone wrong, precisely the thing the UEFI security architecture should prevent (through firmware signing). And with the new mainboard, Secure Boot came back after a firmware update (luckily, because I needed it for interop testing).
Re: MIT discovered issue with gcc
* Bob Proulx: In those systems the zero page is initially bit-zero and reading from the zero point will return zero values from the contents there. If the program writes to the zero page then subsequent reads will return whatever was written there. This is bad behavior that was the default due to bugs in much legacy software. Unmapping the zero page will cause those programs to segfault and therefore the vendors default to having the page mapped to avoid support calls from their customers. There is also an optimization which allows better code generation for loops over linked lists. But for that, a read-only mapping is sufficient.
Re: Is this OK in C++ and C?
* Zbigniew Komarnicki: Is this OK or is this a bug, when the variable 'n' is initializing by negative value? There no any warning. Is this normal? I know that value -5 is converted to unsigned but probably this should be printed a warning, when this is a constant value. What do you think about this? $ g++ -Wsign-conversion t.cc t.cc: In function ‘int main()’: t.cc:7:25: warning: negative integer implicitly converted to unsigned type [-Wsign-conversion] This is with GCC 4.7 in wheezy. This warning isn't in -Wall or -Wextra, probably because the false-positive rate is atrocious.
Using multiarch on wheezy
I'm trying to install the i386 version of openjdk-7-jre on an amd64 system. So I did:

# dpkg --add-architecture i386
# apt-get update

This appears to have been successful. But I still cannot install packages:

# apt-get install openjdk-7-jre:i386
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openjdk-7-jre:i386 : Depends: libgif4:i386 (= 4.1.4) but it is not going to be installed
                      Recommends: libgnome2-0:i386 but it is not going to be installed
                      Recommends: libgnomevfs2-0:i386 but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
# apt-get install libgif4:i386
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 emacs23 : Depends: libgif4 (= 4.1.4) but it is not going to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

This does not make much sense. A proper version of libgif4 is available:

# apt-cache show libgif4:i386
Package: libgif4
Source: giflib
Version: 4.1.6-9.1
Installed-Size: 87
Maintainer: Thibaut GRIDEL tgri...@free.fr
Architecture: i386
Provides: libungif4g
Depends: libc6 (= 2.1.3)
Description-en: library for GIF images (library)
 GIFLIB is a package of portable tools and library routines for working
 with GIF images.
 .
 This package contains the library.
Homepage: http://giflib.sourceforge.net/
Description-md5: 6e1b50f7983687352e4b68758c6a50d6
Tag: implemented-in::c, role::shared-lib
Section: libs
Priority: optional
Filename: pool/main/g/giflib/libgif4_4.1.6-9.1_i386.deb
Size: 42198
MD5sum: 7881f3c5f903f745d108325e8a743178
SHA1: 6518f571ed6dbb232e42c78b9e25aa79d1c2a2a6
SHA256: c21c28bd6fd14c68dee1023eaf0132645b45800f7700f1e247ee538a8cab7301

Package: libgif4
Source: giflib
Version: 4.1.6-9.1
Installed-Size: 62
Maintainer: Thibaut GRIDEL tgri...@free.fr
Architecture: amd64
Provides: libungif4g
Depends: libc6 (= 2.2.5)
Description-en: library for GIF images (library)
 GIFLIB is a package of portable tools and library routines for working
 with GIF images.
 .
 This package contains the library.
Homepage: http://giflib.sourceforge.net/
Description-md5: 6e1b50f7983687352e4b68758c6a50d6
Tag: implemented-in::c, role::shared-lib
Section: libs
Priority: optional
Filename: pool/main/g/giflib/libgif4_4.1.6-9.1_amd64.deb
Size: 42098
MD5sum: 0003397b0895147c8f83c6fb65dfdf28
SHA1: d2bfc2deb9bf96ab57a2eb5466d3acfb32a6671f
SHA256: b309d7723d528becfc9c448822ddefdf9746c4558890134010a5b0791a668915

It is also installed for amd64:

# dpkg -l libgif4
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  libgif4        4.1.6-9.1    amd64        library for GIF images (library)

Why does apt-get complain about dependency, which is already fulfilled?
Re: Network Security Services Update question
* ricccardo: ric@ricmbp:~$ dpkg -l | grep libnss ii libnss3 2:3.13.4-3~bpo60+1 Network Security Service libraries ii libnss3-1d 2:3.13.4-3~bpo60+1 Network Security Service libraries - transitional package These packages do not come from the stable distribution. You're using backports, presumably for iceweasel. Upgrades in backports are not as seamless as they are for the stable distribution because they reflect active development.
Re: Corrupted security update package files
* Bill Wohler: When updating lenny this morning (yes, upgrading is on my todo list), I got the following error: E: Problem with MergeList /var/lib/apt/lists/security.debian.org_dists_lenny_updates_main_binary-i386_Packages E: The package lists or status file could not be parsed or opened. E: Couldn't rebuild package cache The security archive underwent maintenance this weekend. This issue has been addressed.
fcron as cron
Has anybody tried to use fcron instead of Vixie cron? How well does it work in practice, especially if you've got tons of existing cron jobs written for Vixie cron? I'm mainly interested in time zone support because our systems run on UTC, but we have jobs which need to run daily according to local time and our current workarounds aren't nice (hourly execution with an additional check, or edit the entries twice a year). -- Florian Weimerfwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Re: Unified Extensible Firmware Interface (UEFI) firmware
* Alex: Any comments on the Unified Extensible Firmware Interface (UEFI) firmware and its ability to preclude booting from alternative operating systems such as Linux, BSD etc., would be greatly appreciated, as per article entitled Windows 8 secure boot would exclude' Linux It seems to me that this technology was pioneered on Android devices (which tend to lock out alternative operating systems, not just custom kernels). -- Florian Weimerfwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Re: fcron as cron
* Henrique de Moraes Holschuh: If you don't need SELinux integration, I think upstream fcron will be able to handle a large number of jobs just fine. However, fcron is in deep maintenance mode upstream, Just like the default cron (and upstream even asked everyone to retire that code base long ago). *sigh* and there are newer cron alternatives that are being actively developed such as bcron. It is probably worth it to check them out first. Hmm. bcron hasn't got time zone support, only improved DST handling (which OpenBSD seems to have implemented for Vixie cron, too). I'm mainly interested in time zone support because our systems run on UTC, but we have jobs which need to run daily according to local time and our current workarounds aren't nice (hourly execution with an additional check, or edit the entries twice a year). I don't think fcron does much to help you with this use case, but it has been some time since I last read through its full documentation. The documentation suggests that it's supported. -- Florian Weimerfwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Re: What is the future for Debian on (Android) tablets?
* Brad Alexander: Have you looked at the Maemo distribution? It came out for the Nokia Nseries tablets (n770/800/810/900), and is Debian-based. I have (briefly) started looking at whether this supports tablets. Since it was designed for (smaller) tablets, hopefully, it will work on the larger tablets. I think those devices are pretty much tied to the vendor or reseller, like mobile phones. These companies will screw their customers for very bizarre reasons. Typically, you can't really buy the hardware--- supposedly, it is licensed to you, and the license does not cover commercial or volunteer use (such as Debian activities). My problem with tablets (aside from the android dilution), is the cost. For the cost of a tablet, you could get a pretty nice laptop, which seems more cost effective. I'm looking for a tablet which can serve as an ebook reader (particularly for PDFs without DRM). Any suggestions? I don't need anything fancy; a decent screen and a couple of hours uptime on a single battery charge are enough. If there's 3G, I would want to work it under Debian, but it's not required.
Re: mails to t...@security.debian.org - no ACK?
* Fresel Michal: just wanted to get some feedback on mailing to t...@security.debian.org any knowledge why there is no answer or any ACK of receive after 8h? There is no autoresponder, so all replies you receive are written by hand.
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?
* Kelly Dean: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel fixed, or does it have the vulnerability? According to our records, this issue was addressed in version 2.6.32-31 of the linux-2.6 package, which is also the version currently in squeeze. http://security-tracker.debian.org/tracker/status/release/stable currently says that the stable suite has the vulnerability, and Squeeze is currently the latest stable, but the page doesn't explicitly say that Squeeze is the latest stable and has the vulnerability, and there's no timestamp on the page. The last-modified header appears to have the common bug of reporting the server's current clock time rather than the page's last modified timestamp, so that's useless too. The page is generated dynamically. The release mapping is the current one. The first table, listing packages, also shows the current versions of the package and whether they are vulnerable or not. As far as I can tell, all the information you need is there. Did Squeeze really get released with a high-urgency remote kernel vulnerability which was published four months earlier? Security bugs are not release blockers because we have a process for fixing them after the release.
Re: Reverting to an old version of libstdc++6
* Joe Riel: This weekend I upgraded, and libstdc++6 went from 4.5.2-4 - 4.6.0-2. This has broken a commercial package I use; I now get By the way, this is a bug in GCC 4.6.0, possibly related to http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48465.
Re: Unattended installation of KVM virtual machines
* T. o. n. g.: On Sun, 06 Feb 2011 18:20:45 +0100, Florian Weimer wrote: I would like to automate the process of setting up KVM virtual machines (containing lenny and squeeze images). The straightforward doesn't work because the installer does not seem to support a serial console, and automating VNC is a bit difficult. Hi, I hope you find a good solution. It seems that AMD's Tapper might be useful for this purpose: http://developer.amd.com/zones/opensource/AMDTapper/Pages/default.aspx Has anybody given it a try?
Unattended installation of KVM virtual machines
I would like to automate the process of setting up KVM virtual machines (containing lenny and squeeze images). The straightforward doesn't work because the installer does not seem to support a serial console, and automating VNC is a bit difficult. A debootstrap variant which results in a bootable hard disk image would work, too.
Re: what about acroread in squeeze i386?
* Francesco Pietra: Unfortunately, for dealing with most editors of scientific journals, and for personal use of the scientific literature, either as author or referee, neither the readers you mention, nor any one other I know except acroread, are enough. Because of these problems (which are not unique to acroread), most of my colleagues have turned to either Microsoft or Apple for the desktop. What problems exactly? The usual criticism of alternatives for Adobe's Reader revolves around PDF forms, which are still problematic to fill out. Embedded Flash and Javascript are obviously problematic, too, but it seems that no one misses *that*.
Re: Upgrade to Lenny?
* Hadi Motamedi: Thank you so much. At now, my Lenny has access to Internet. I wanted to install ethereal on my Lenny by trying as: #apt-get install ethereal But it cannot find it. Ethereal has been renamed to Wireshark, so just install the latter.
Re: how to renew a security certificate?
* Boyd Stephen Smith, Jr.: Who set up the dovecot installation? Dovecot doesn't use a certificate by default, so the person that generated the cert and got it signed would be the best source of information on the cert. dovecot-common's postinst in etch automatically generates a certificate which is valid for one year. Not sure about lenny.
Re: Debian PCI Question
* Matt McCants: Does anyone here have PCI audits being done on their Debian boxes? Yes, we hear about that from time to time. The company I work for uses TrustKeeper and the one Debian box I've managed to get my boss to allow keeps failing unjustly. Usually they fail us due to version strings only (Saying anything less than the latest version is insecure [hah!]), and when I appeal that, they fail us for reasons that don't even affect us. There are probably companies that provide a more thorough analysis. http://security-tracker.debian.org/tracker/CVE-2009-2699 http://security-tracker.debian.org/tracker/CVE-2009-3095 http://security-tracker.debian.org/tracker/CVE-2009-3094 The first is self explanatory, and as for mod_proxy_ftp, I don't even have that loaded. The other two are already fixed in stable-proposed-updates in 2.2.9-10+lenny5, so you could upgrade to that version. The general issue is difficult to address, I'm afraid.
Re: Security.debian.org confused?
* Andrew Reid: http://security.debian.org//srv/security-master.debian.org/ftp/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny1_amd64.deb This should have been fixed by now. During an internal migration, incorrect package metadata was pushed to the security mirror network. Sorry about that.
Re: Courier Font package
* J. Hwan Kim: I hope to install Courier font in my lenny but I did not find the proper package. What package should I install? ttf-liberation contains a monospaced Truetype font which is fully compatible with Courier New on Windows systems.
Re: Inquiry:Incorrectly built binary
* hadi motamedi: Can you please do me favor and let me know what is the cause of the following error message that I got when trying to run my application on the Linux server: Incorrectly built binary which accesses errno, h_errno or _res directly. Needs to be fixed. You need to include errno.h in source code files which refer to errno, instead of using extern int errno; or some other mechanism. If your application is qmail, there already exist patches.
Re: DNS Spoof query
* Daniel D. Jones: After doing that, my Snort report from my Debian server started showing the following: 62 192.168.2.10 209.170.146.89 DNS SPOOF query response with TTL of 1 min. and no authority This Snort rule appears to be completely bogus.
Re: How to install Java in Lenny?
* Edward C. Jones: I installed sun-java5-bin from sid non-free. I still get the error message. This works, even with OpenJDK: appletviewer 'http://radar.weather.gov/radar.php?rid=lwxproduct=N0Roverlay=1110loop=yes'
Re: [OT] Hosting a DNS
What do you think is the main reason or the importance of hosting your own DNS when your ISP and/or Domain Registrar can host it for you for FREE? You remain reachable when your DNS provider is under a DoS attack. Such attacks happen from time to time to large providers (check the news). If your DNS provider uses AXFR to transfer the zone data from you, you can use the tools you like to edit your zones. Normally if you are going to host your own DNS for your organization, ideally you need to run it at least on two (2) different machines connected at least to two (2) different ISPs. It's not an either-or decision. You can use both an external service and a server of your own.
Re: Old PHP on new Debian
* Adrian Levi: 2009/3/8 Florian Weimer f...@deneb.enyo.de: * Pet: /etc/apt/sources.list This looks fine. How did you figure out that you had installed PHP 5.1.6? He doesn't have it installed, he wants it installed. Ah, stupid me. Pet, PHP 5.1.6 is out of security support by upstream. You might run into significant issues by using it.
Re: Old PHP on new Debian
* Pet: I'd like to install newest version of Debian available, but with one of older releases of PHP (5.1.6). Is it possible? How can I accomplish this? For a while, PHP 5.1.6 hasn't been available in a released Debian distribution. Could you post your /etc/apt/sources.list file?
Re: Old PHP on new Debian
* Pet:
> /etc/apt/sources.list
This looks fine. How did you figure out that you had installed PHP 5.1.6?
Re: ECC RAM failure data - jre
* john re: What rates do you have? Zero with appropriate cooling, more without it. I fully agree with Stefan's comment below.
Re: Debian VPN
* Phillipus Gunawan:
> Is there any debian package offer such thing like that? A deb linux VPN server to serve wind0e$ client?
OpenVPN is typically used for that.
Re: hard crash on leap second
* Travis Crump:
> I had a hard crash of my lenny system precisely when the leap second was added. While X has flaked in the past, I've never had a hard crash before. I have no other evidence they were related, but I wasn't doing anything unusual at the time. Any ideas?
Do you run Oracle RAC?
Re: Tying debsecan Zabbix (or RT) together?
* Richard Hartmann: How are you handling this? Self-baked scripts to parse your daily mail? Are you doing it by hand? Not at all? What would be required for Zabbix integration? What kind of data does Zabbix need?
Re: Tying debsecan Zabbix (or RT) together?
* Richard Hartmann: What kind of data does Zabbix need? It can collect, and then trigger on, arbitrary data. In this case, it would probably make sense to collect CVE number, remote/local, the package in question, the version in question, the severity and if there is a fix available. The default debsecan output format might suffice for this. If any of this changes (probably only the availability of a fix or if a fixed package has been installed), it should send new data. However, it does not contain change detection. I take it you have an interest in this to make centralised host security management easier? Yes, but I don't know if Zabbix is part of the solution.
Re: [Secure-testing-team] Re: announcing the beginning of security support for testing
* Jiann-Ming Su: On 9/9/05, Joey Hess [EMAIL PROTECTED] wrote: deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free How is this different from deb http://security.debian.org/ testing/updates main? Is testing/updates actually used? I don't think so. Apparently, the archive doesn't contain any packages.
Re: Do we still need libc5?
* Jeroen van Wolffelaar:
> Fact is though that libc6 has been in Debian stable for over 7 years, since hamm was released mid-1998,
This suggests that we should give it three more years or something like that. However, if the packages aren't covered by security support anyway, it probably doesn't make a difference to our users if we stop shipping them.
> and I think Debian is like the only living Linux distribution out there still shipping libc5.
Are you sure? I would be very surprised if the enterprise distributions didn't ship it as well.
Re: Noteedit, Finale, and testing
* Daniel Burrows:
> Okay. I avoided stating my personal opinion, but here it is: I think upstream is tired of the project and just using this as an excuse to shut it down. If you go to the webpage, it contains a single sentence stating that it is shut down due to a port of Finale, and a link to a long discussion of the possibility of asking Coda to port Finale to Linux, which appeared (from what I could see) to go nowhere. If this is enough to make him shut the project down, I think that either external concerns (ie, real life) or other projects are the real reason, because, as you said, his stated reason doesn't make sense.
He might also be tired of people who debunk his work. At least one posting (http://eca.cx/lau/2004/07/0284.html) has such an undertone. After all, noteedit is much more than just vaporware.
(This is a shame, I used noteedit with some, ahem, success after listening too often to Glenn Gould's fugue commercial.)
Re: Cite for print-to-postscript exploit in Mozilla?
* Kevin B. McCarty:
> On 07/10/2004 12:18 PM, Florian Weimer wrote:
>> 1.7 incorporates some other security fixes, apparently in the area of cross-domain scripting vulnerabilities. So you probably should upgrade anyway.
> Does anyone know if there is some reason these fixes haven't been backported to woody?
There is simply no way to backport them all, you would have to push the 1.7 branch to woody (even 1.4 is not sufficient because it's already unsupported upstream AFAIK). This is quite complicated because Mozilla's upgrades are known to break profiles, and Debian's mozilla has a few dependencies which you have to backport, too (Galeon etc.).
All in all, fixing Mozilla for woody isn't particularly rewarding. Even SuSE doesn't dare to fix Mozilla security bugs, so it's not a Debian-specific problem at all.
Re: Cite for print-to-postscript exploit in Mozilla?
* Kevin B. McCarty:
> I admit this last question is a bit rhetorical. My point is that, as sysadmin of a physics cluster running Debian/woody on which people frequently look at downloaded PS files anyway, I want to know whether it is really worth my time to upgrade Mozilla [currently running 1.4 from Adrian Bunk's backports], install Xprint from unstable, and go through the apparently non-trivial task of getting it to work well.
1.7 incorporates some other security fixes, apparently in the area of cross-domain scripting vulnerabilities. So you probably should upgrade anyway.
Re: Mozilla/Firefox PostScript/default security problems
* Don Armstrong:
> Perhaps I've missed something, but everything that I've read in the threads so far amounts to people either assuming that there's an issue and not defining it, or attempting to figure out where the issue is.
This summary is correct as far as I can see. No real security issue has been disclosed so far. Two things could lead to vulnerabilities:
* It's possible to use scripting to set another print command.
* Untrusted content might be put verbatim into the Postscript file.
The latter case shouldn't be a problem because viewers and print spoolers should not assume benign Postscript files (if they do, it's their fault, not Mozilla's). If the first issue is a problem, printing to a pipe should be disabled, but not printing to a file (or printing should be made unscriptable).
I find these rumors quite disturbing. Some people are trying very hard to put Mozilla's security efforts in a very bad shape. First the shell: protocol handler issue (on Windows) that has been known (in principle) since 2002, and now this mess.
Re: why must Debian call Taiwan a Province of China?
Miles Bader wrote:
> I'm not sure what this has to do with the original question, but the simplified chinese characters used in the PRC can look _very_ different from the traditional forms used in Taiwan (anyway, it's not accurate to say the difference is `close to bold-versus-normal').
It's even quite obvious when you pick the right examples. Furthermore, doesn't Hong Kong use Traditional Chinese? In this case, the issue of writing style is rather independent of the status of Taiwan.
-- Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.
Re: Reading PGP with GPG
Bill Wohler [EMAIL PROTECTED] writes:
> That would explain the disappearance of the idea package. Are there any other steps that I could that would allow me to read my friend's email besides having him switch to gnupg?
README.idea reads:
| Due to patent problems we do not keep the idea.c file any longer here on
| this server. If you are in a country where the distribution is allowed,
| you might want to get it from its new distribution server; however we
| suggest to avoid this algorithm entirely due to interoperability problems.
|
| For information on the dangers of softwarepatents, please visit the website
|
| http://www.noepatents.org
|
| The new URLs are:
|
| http://www.gnupg.dk/pub/contrib-dk/idea.c
| http://www.gnupg.dk/pub/contrib-dk/idea.c.sig
|
| Thanks.
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
GDB from unstable and GCC 3.1 (on x86)
GDB from unstable (x86) is unable to read debugging information generated by current GCC 3.1 CVS (using the -g) switch. Is this a known problem? Are there any workarounds? I thought that GDB 5.1 finally supported DWARF2, which is needed by more recent GCC versions. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: egcs 1.1.2 for kernel compilation
Steve Kowalik [EMAIL PROTECTED] writes:
> At 10:04 am, Tuesday, October 9 2001, J.H.M. Dassen (Ray) mumbled:
>> On Mon, Oct 08, 2001 at 12:36:27 +0200, Florian Weimer wrote:
>>> Has anybody packaged egcs 1.1.2 for kernel compilation?
>> I did some work on it, but abandoned it as I've encountered no problems with 2.95.x in my configurations. There's a diff at http://www.cistron.nl/~jhm/egcs_1.1.2-0.diff.gz
>>> It's still the official compiler for the Linux kernel,
> FUD.
Are you sure? From the kernel README:
| COMPILING the kernel:
|
|  - Make sure you have gcc-2.91.66 (egcs-1.1.2) available. gcc 2.95.2 may
|    also work but is not as safe, and *gcc 2.7.2.3 is no longer supported*.
|    Also remember to upgrade your binutils package (for as/ld/nm and company)
|    if necessary. For more information, refer to ./Documentation/Changes.
People using XFS have triggered code generation errors in GCC 2.95.x, I've read.
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
egcs 1.1.2 for kernel compilation
Has anybody packaged egcs 1.1.2 for kernel compilation? It's still the official compiler for the Linux kernel, and there are definitely problems when using GCC 2.95.x instead. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: undelete for ext2
Shriram Shrikumar [EMAIL PROTECTED] writes:
> it seems to find the deleted inodes and then tries to dump them in a specified folder which leaves me with a lot of dump files - anybody with any clues as to what I can do with these files to put them back where they belong ? or maybe even a better undelete software.
Hmm, restore your backup. ;-)
The file names were stored in the directory entries, which likely have been overwritten during the deletion process. So the best thing is to recover the essential data (e.g., mailboxes), and just reinstall the system (after a backup).
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: About PGP signatures
Karsten M. Self kmself@ix.netcom.com writes: Request: I'd like a list of clients supporting RFC 2015 attachments and the plugins necessary to support this. Of particular interest: All Windows-based clients which support MIME only by translation at gateways (for example, Lotus Notes, and probably MS-Exchange-based solutions) cannot implement RFC 2015 since it's a MIME application. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Upgrading from Debian 2.1 to unstable
The direct attempt (editing /etc/apt/sources.list, 'apt-get update') does not succeed, 'apt-get update' results in the following error messages:
E: Line 97707 in package file /var/state/apt/lists/source.rfc822.org_debian_dists_sid_main_binary-i386_Packages is too long.(2)
E: Line 97707 in package file /var/state/apt/lists/source.rfc822.org_debian_dists_sid_main_binary-i386_Packages is too long.(2)
Unfortunately, the apt packages in stable and unstable depend on glibc 2.1.x, resulting in a chicken-and-egg problem. Which is the easiest way to upgrade to unstable under these circumstances? Recompiling apt for glibc 2.0.7? Editing the Package file?
Re: Upgrading from Debian 2.1 to unstable
Tibor D. [EMAIL PROTECTED] writes:
>> Unfortunately, the apt packages in stable and unstable depend on glibc 2.1.x, resulting in a chicken-and-egg problem. Which is the easiest way to upgrade to unstable under these circumstances? Recompiling apt for glibc 2.0.7? Editing the Package file?
> Check out your favorite debian-mirror: there should be a statically linked apt.deb (in debian/tools I think), which will eliminate your problem.
I think the relevant apt-get binary for i386 is located in: http://http.us.debian.org/debian/dists/potato/main/upgrade-i386/
I'm going to test it tomorrow. Thanks.
Re: instalation of 'potato'
Tom [EMAIL PROTECTED] writes:
> But I erased (for a mistake) the CD-ROM`s drive of my computer. To install the potato from debian2.2 CD, will I need to install again the CD-ROM drive (of the windows) , or no ?
That's not strictly necessary. On many systems, you can just boot from the first CD (if you adjust your BIOS settings). No drivers are required for that.
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: latex question
Manuel Hendel [EMAIL PROTECTED] writes:
> I tried this. But if I do \footnote{The Text I want}, I always get a line above and number in the front. Can I change this in a way? I need to write my address, Aufsichtsrat (sorry I don't know the english meaning) and bankaccount there.
Perhaps you could use scrlettr.cls? It supports putting some material at the bottom of the first page (and perhaps subsequent ones, I'm not sure about that).
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: OT: gecko rendering engine and galeon/skipstone
Thomas J. Hamman [EMAIL PROTECTED] writes:
> If you want a small browser without relying on Mozilla's gecko, you might want to try BrowseX (at www.browsex.com). As far as licenses go, it's free and open source, but I'm not sure if it's Free (as in speech).
The source code includes a copy of the OpenSSL library (BSD-style license *with* advertising clause), and code under the GPL and LGPL. In addition, the license doesn't permit you to change the start page URL. All in all, these terms seem quite incompatible to me.
-- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898