Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 05:09, Andy Smith  wrote:

> Hello,
>
> On Mon, Feb 19, 2018 at 09:03:20PM +, Michael Fothergill wrote:
> > On 19 February 2018 at 19:10, Michael Lange wrote:
> > > no, I meant to say that you were looking at the wrong place if you wanted
> > > to see if the "spectre-2" fix has arrived in debian, for this one you
> > > will have to look here:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2017-5715
> >
> > No, we were not looking for it.  I think a joint fix for meltdown and
> > spectre 1 would fit the bill at present .
>
> They are different bugs with different fixes. No one is even certain
> HOW to fix Spectre variant 1 yet, or if it can be without entirely
> new CPUs. Things have only got as far as kicking around ideas on how
> to make exploiting it harder.
>
> Your suggestion makes about as much sense as lumping every single
> buffer overflow bug into one CVE and then saying almost all software
> ever made is vulnerable, until there is one patch that fixes
> everything at once.
>

I think I just got Spectre 1 and 2 mixed up in the discussion.  I did not
think the Spectre fix worked for the entirety of the Spectre vulnerability.

I also read in quite a few places that fixing all of it was an open ended
problem.


>
> Your comments along the lines of "I thought it was fixed…", as
> Michael Lange pointed out, were about Spectre variant 2 but you are
> looking at the security tracker page for Spectre variant 1.
> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.
>
> Spectre v2, which you are talking about, is CVE-2017-5715, again as
> Michael Lange just pointed out to you. As you can see from the link
> that Michael gave you, Spectre v2 is fixed in the kernel package in
> sid. Read it again:
>
> 
>
> That's the retpoline stuff you're talking about.
>

For me at any rate if the new version of gcc 4.9 makes it easier for a
new user to get access to that portion of Spectre vulnerability jointly
with the availability of Meltdown as is, then as I said I would be
very pleased.  and if a third person comes on the site asking about
this problem then we could encourage them to try it.

Cheers

MF




> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
>
>


Python/ansible - strange memory management?

2018-02-20 Thread Kamil Jońca

I have a strange problem:
there is an ansible playbook.
And on some computers this playbook takes < 500M RAM, on 2 others
more than 3-4G.
I cannot see any correlations between python versions, ansible versions,
or python modules.

Any thoughts (I do not know, libc version or kernel memory strategy, or
something?)

KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Unquestionably, there is progress.  The average American now pays out
twice as much in taxes as he formerly got in wages.
-- H. L. Mencken



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Stephan Seitz

On Tue, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote:

> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.


Are you sure?

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the 
mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits 
array_index_mask_nospec())
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 3 
jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)


Kernel is Linux 4.15.4 #1 SMP Sat Feb 17 23:19:56 CET 2018 x86_64, 
compiled myself with gcc 7.3 from testing.


According to spectre-meltdown-checker all three vulnerabilities are 
mitigated.


Shade and sweet water!

Stephan

--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
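
The "/sys interface" that the checker output in the message above refers to can also be read directly. The script below is an added example, not part of the original message and not code from spectre-meltdown-checker; the sample contents written by make_sample are constructed, apart from the Spectre v1 string quoted in the message.

```shell
#!/bin/sh
# Added example: read the kernel's own mitigation status from sysfs.
# Kernels from 4.15 on (and distribution backports) expose one file per issue.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT: map the sysfs text to OK, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# label_for NAME: readable label; CVE numbers are the ones given in the thread.
label_for() {
    case "$1" in
        meltdown)   echo "Meltdown" ;;
        spectre_v1) echo "Spectre v1 (CVE-2017-5753)" ;;
        spectre_v2) echo "Spectre v2 (CVE-2017-5715)" ;;
        *)          echo "$1" ;;
    esac
}

# report DIR: print one line per issue, "<label>: <verdict> (<raw text>)".
# Returns 0 only if all three issues are OK; a missing file counts as UNKNOWN,
# so an old kernel without the sysfs entries is never reported as safe.
report() {
    dir=$1
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw="no sysfs entry"
        fi
        verdict=$(classify_status "$raw")
        [ "$verdict" = OK ] || rc=1
        printf '%s: %s (%s)\n' "$(label_for "$name")" "$verdict" "$raw"
    done
    return $rc
}

# make_sample DIR: write constructed sample files for an offline run.
make_sample() {
    mkdir -p "$1" || return 1
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
}

# "check" reads the live system, "sample" runs on the constructed files.
case "${1:-}" in
    check)  report "$VULN_DIR" ;;
    sample) d=$(mktemp -d) && make_sample "$d" && report "$d"; rm -rf "$d" ;;
esac
```

Run it as `sh script.sh check` on the machine in question; the exit status is non-zero if any of the three entries is missing or reports "Vulnerable".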




Re: how to offer Internet connection?

2018-02-20 Thread Michelle Konzack
Hi back,

On 2018-02-20 Long Wind hammered on the keys:
> Thank Michelle Konzack  and John Doe!
> maybe the easy way is buy a wireless card for pc and connect it to cell
> phone

If you have time, you can get for less than 5 Euro USB Wireless
adapters from eBay... Do not expect, they are working over more
than 10-15m and through a concrete wall...

> or connect pc to cell phone thru a USB connection
> does linux or XP support such network connection?

You mean USBNet?  AFAIK it is supported by Win7 Win8 and Win10,
but it should be in first place supported by your cellphone
which I doubt...  I have not found a single one where it works.

> On Tuesday, February 20, 2018 1:54 AM, john doe
>  wrote:
>
>
>  On 2/20/2018 7:30 AM, Long Wind wrote:
>> i have a debian pc that is on 2 networks:
>> 1) connected to cell phone access point, cell phone offers Internet
>> connection
>> 2) connected to router, thru ethernet interface
>> is it possible for debian pc to offer Internet connection to other pc
>> connected to router?
>> Thanks!
>> PS: other pc don't have wireless card and can't connect to cell phone
>>
>
> I'm not sure I understand your question:
>
> So you have one Debian box with two internet connections (cellphone AP,
> and wired connection to router)?
> If so that Debian box would need to act as a router to share those
> internet connections to the rest of your network.


-- 
Michelle Konzack        Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400



Re: how to offer Internet connection?

2018-02-20 Thread err404
you can connect your PC with usb cable to the phone.
on your smartphone you need to enable "sharing by usb"
and your smartphone will become router and dhcpd server for your PC.

on your pc, you will have usb0 interface (with 0 can be more), or unpredictable
interface name like enx.

but...

if you really want to use one of your pc like a router, you need to activate
"net.ipv4.ip_forward = 1" in /etc/sysctl.conf
and many times you will want nat from your local network to Internet.

so, you will
 - define static IPs and add routes, or
 - configure a dhcpd server

nat routing:
iptables -t nat -A POSTROUTING -s {{base_ip}}.{{client_network}}/{{masque}} -j MASQUERADE

replace {{base_ip}}.{{client_network}}/{{masque}} with your values (yes it may
become a little bit complicated)

(some time, I think using babeld is simpler...)

I am sure I omit some pieces to your configuration
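
The forwarding and masquerading steps from the message above, written out as one complete rule set in iptables-restore format. This is an added example, not part of the original post: the interface names (eth0 for the wired LAN, wlan0 for the link to the phone) and 192.168.1.0/24 are assumptions, and the FORWARD policy of DROP goes beyond the single rule in the post so that only traffic from the LAN is relayed.

```shell
#!/bin/sh
# Added example: generate a NAT rule set for a Debian box that shares its
# uplink with a wired LAN. All names and addresses below are assumptions.

# valid_cidr4 NET: succeed only for an IPv4 network in a.b.c.d/len form.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_ifname NAME: reject anything that could smuggle extra rule options.
valid_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# nat_ruleset LAN_NET LAN_IF WAN_IF: print the rule set on stdout.
nat_ruleset() {
    lan_net=$1
    lan_if=$2
    wan_if=$3
    valid_cidr4 "$lan_net" || { echo "bad LAN network: $lan_net" >&2; return 1; }
    valid_ifname "$lan_if" || { echo "bad LAN interface" >&2; return 1; }
    valid_ifname "$wan_if" || { echo "bad WAN interface" >&2; return 1; }
    cat <<EOF
# nat: rewrite the source address of LAN traffic leaving via the uplink
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
# filter: relay LAN-initiated traffic and its replies, nothing else
# (rules protecting the router itself on INPUT are out of scope here)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage on the router, as root:
#   sysctl -w net.ipv4.ip_forward=1
#   sh nat-rules.sh print 192.168.1.0/24 eth0 wlan0 | iptables-restore --test
# Drop --test to load the rules; iptables-restore replaces the existing
# contents of the nat and filter tables.
case "${1:-}" in
    print) nat_ruleset "$2" "$3" "$4" ;;
esac
```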




Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Lange
Hi,

On Tue, 20 Feb 2018 08:05:19 +
Michael Fothergill  wrote:

> For me at any rate if the new version of gcc 4.9 makes it easier for a
> new user to get access to that portion of Spectre vulnerability jointly
> with the availability of Meltdown as is, then as I said I would be
> very pleased.  and if a third person comes on the site asking about
> this problem then we could encourage them to try it.

As I understood from what you wrote earlier you are using Buster, so why
not just stick with its default gcc-7 which from what
https://packages.debian.org/search?keywords=gcc-7&searchon=names&suite=testing&section=all
says has been updated to 7.3.0 which was iirc what you were waiting for.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Deflector shields just came on, Captain.



Re: how to offer Internet connection?

2018-02-20 Thread john doe

On 2/20/2018 10:41 AM, Long Wind wrote:

> Thank err404!
> it's too hard for me to make a linux pc become router



In that case something like the following could be considered (there are 
other alternatives out there):


http://www.ipcop.org/

The only thing that would need to be done  behind that "router" would be 
to connect all your devices to that router (wireless or cable).


--
John Doe



Re: Stretch net install on EeePC - unable to resolve mirror host address

2018-02-20 Thread Roger Price

Thanks again for your suggestions.

On Sun, 18 Feb 2018, Gene Heskett wrote:


> Is the machine fully up to date?


The netinst CD is freshly downloaded and identifies as << Debian
GNU/Linux 9.3.0 "Stretch" - Official i386 NETINST 20171209-13:03 >>.  Is
there a newer CD?

On Sun, 18 Feb 2018, Brian wrote:


> On Sun 18 Feb 2018 at 23:19:48 +0100, Roger Price wrote:
>
> >   3. Load installer components from CD
> >  [X] choose-mirror
>
> Why? I've never used it. I don't know what it does. It's optional. Don't
> select it.
>
> Try a different mirror. With and without step 3.


On Sun, 18 Feb 2018, David Wright wrote:


> And as Brian said, forget this option:
>
>    Installer components to load:
>    [ ] choose-mirror: Choose mirror to install from (menu item)
>
> Work your way through the main menu …
>
> ...
>
> … and don't think about mirrors until you get to this point.
>  │  Select and install software


I naïvely chose that component because I assumed it provided the "choose a 
mirror" function.  If that is not true, then the option needs to be renamed.


Choosing this component has the considerable advantage that it gets to the 
problem much more quickly without having to specify users and partition disks at 
each test.


I tried 11 other mirrors.

 ftp.fr.debian.org  ftp.ch.debian.org ftp.se.debian.org
 ftp.fi.debian.org  ftp.hk.debian.org debian.proxad.net
 ftp.uni-stuttgart.de   debian.mirror.lrz.de  mirror.ox.ac.uk
 opensource.nchc.org.tw debian.mirrors.easynet.fr

They all connect and then hang on "HTTP request sent, awaiting response...".

I tried ftp.uni-kl.de which gets as far as "200 OK" and then hangs.

I tried debian.mirrors.ovh.net which succeeds with retries.  At the step "Select 
and install software", the only option is [X] Standard system utilities. 
Nothing else.


I choose the default linux kernel, and when finally I boot the new installation, 
I get many ACPI errors and then fall into initramfs which offers me Busybox.


I tried again with debian.mirrors.ovh.net and saw on Ctl-Alt-F4

 main-menu[346]: (process:4174): unknown udeb stretch-support
 main-menu[346]: INFO: falling back to the package description for brltty-udeb

Is this a sign that something is wrong?

Later the installation hangs with the message:

 in-target: Failed to fetch
 http://debian.mirrors.ovh.net/debian/dists/stretch/main/i18n/Translation-en
 Cannot initiate the connection to debian.mirrors.ovh.net:80
 (2001:41d0:202:100:213:32:5:7). - connect (101: Network is unreachable)
 [IP 2001:41d0:202:100:213:32:5:7 80]

There is no mention of IPv4 and I do not have IPv6.  Is there some way
of telling the installer not to use IPv6?  I have read
https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6 but the
installer does not have file /etc/sysctl.conf

Roger


Re: troubleshooting Kmail

2018-02-20 Thread Curt
On 2018-02-19, Gene Heskett  wrote:
>
> That would result in my 5 digit balance being moved. However a phone call 
> generally resolves the problem, but the threat is there, and they know 
> it.

Five digits, huh? Like $102.55?

Of course here they don't have those quaint little Mom and Pop local
banks like they do in America, where maybe five digits (to the left of
the decimal point!) might mean something; but the big boys couldn't care
less about five, five is cacahuètes, you need at least seven to get
anyone's attention (as in customer service) and probably more like
eight.

-- 
New York was no mere city. It was instead an infinitely romantic notion, the
mysterious nexus of all love and money and power, the shining and the
perishable dream itself. To think of 'living' there was to reduce the
miraculous to the mundane; one does not 'live' at Xanadu. --Joan Didion



Re: how to offer Internet connection?

2018-02-20 Thread Jude DaShiell
What is it, packet forwarding and nat?  I've heard about that but never 
had occasion to try that myself before.


On Tue, 20 Feb 2018, john doe wrote:


Date: Tue, 20 Feb 2018 01:54:19
From: john doe 
To: debian-user@lists.debian.org
Subject: Re: how to offer Internet connection?
Resent-Date: Tue, 20 Feb 2018 06:54:43 + (UTC)
Resent-From: debian-user@lists.debian.org

On 2/20/2018 7:30 AM, Long Wind wrote:

 i have a debian pc that is on 2 networks:
 1) connected to cell phone access point, cell phone offers Internet
 connection
 2) connected to router, thru ethernet interface
 is it possible for debian pc to offer Internet connection to other pc
 connected to router?
 Thanks!
 PS: other pc don't have wireless card and can't connect to cell phone



I'm not sure I understand your question:

So you have one Debian box with two internet connections (cellphone AP, and 
wired connection to router)?
If so that Debian box would need to act as a router to share those internet 
connections to the rest of your network.





--



Re: Stretch net install on EeePC - unable to resolve mirror host address

2018-02-20 Thread Reco
Hi.

On Tue, Feb 20, 2018 at 12:23:06PM +0100, Roger Price wrote:
> Later the installation hangs with the message:
> 
>  in-target: Failed to fetch
>  http://debian.mirrors.ovh.net/debian/dists/stretch/main/i18n/Translation-en
>  Cannot initiate the connection to debian.mirrors.ovh.net:80
>  (2001:41d0:202:100:213:32:5:7). - connect (101: Network is unreachable)
>  [IP 2001:41d0:202:100:213:32:5:7 80]
> 
> There is no mention of IPv4 and I do not have IPv6. 

Of course you have IPv6, probably in the form of SLAAC/RA. How else
Linux kernel used in the installer would know which IPv6 address to use
and which IPv6 route to choose to 2001:41d0:202:100:213:32:5:7.

> Is there some way
> of telling the installer not to use IPv6?  I have read
> https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6 but the
> installer does not have file /etc/sysctl.conf

Yet what installer *does* have that's /proc.
So, wait for the network autoconfiguration, switch to root vt, invoke:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

And you just disabled IPv6 until the next reboot.

Reco



Re: how to offer Internet connection?

2018-02-20 Thread Jude DaShiell
I'm pretty sure part of the software side of this will be setting up 
sshd-server as securely as possible and installing the fail2ban package 
for those who make too many mistakes entering passwords for private 
accounts.  If what's envisioned is a public internet site that has its 
own set of security requirements and problems.


On Tue, 20 Feb 2018, Michelle Konzack wrote:


Date: Tue, 20 Feb 2018 04:20:09
From: Michelle Konzack 
To: debian-user@lists.debian.org
Subject: Re: how to offer Internet connection?
Resent-Date: Tue, 20 Feb 2018 09:42:20 + (UTC)
Resent-From: debian-user@lists.debian.org

Hi back,

On 2018-02-20 Long Wind hammered on the keys:

Thank Michelle Konzack and John Doe!
maybe the easy way is buy a wireless card for pc and connect it to cell
phone


If you have time, you can get for less than 5 Euro USB Wireless
adapters from eBay... Do not expect, they are working over more
than 10-15m and through a concrete wall...


or connect pc to cell phone thru a USB connection
does linux or XP support such network connection?


You mean USBNet?  AFAIK it is supported by Win7 Win8 and Win10,
but it should be in first place supported by your cellphone
which I doubt...  I have not found a single one where it works.


On Tuesday, February 20, 2018 1:54 AM, john doe
 wrote:


 On 2/20/2018 7:30 AM, Long Wind wrote:

i have a debian pc that is on 2 networks:
1) connected to cell phone access point, cell phone offers Internet
connection
2) connected to router, thru ethernet interface
is it possible for debian pc to offer Internet connection to other pc
connected to router?
Thanks!
PS: other pc don't have wireless card and can't connect to cell phone



I'm not sure I understand your question:

So you have one Debian box with two internet connections (cellphone AP,
and wired connection to router)?
If so that Debian box would need to act as a router to share those
internet connections to the rest of your network.






--



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Greg Wooledge
On Tue, Feb 20, 2018 at 04:52:45AM +, Andy Smith wrote:
> Versions of gcc that have the retpoline feature backported into them
> have already hit stable and oldstable (and maybe others; haven't
> checked),

Just oldstable, actually.  Not stable yet.

 is for oldstable only.



Re: Stretch net install on EeePC - unable to resolve mirror host address

2018-02-20 Thread Curt
On 2018-02-20, Reco  wrote:
>
>> Is there some way
>> of telling the installer not to use IPv6?  I have read
>> https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6 but the
>> installer does not have file /etc/sysctl.conf

I looked up the router (I've now lost the page and the router
references--but it did mention "supported protocols IPv4 + IPv6" as
indicated below).

At any rate: 

 if you have an IPv6 router or a DHCP server on your local network, but
 want to avoid them because e.g. they give wrong answers, you can use
 the parameter netcfg/disable_autoconfig=true to prevent any automatic
 configuration of the network (neither v4 nor v6) and to enter the
 information manually.

https://www.debian.org/releases/stable/i386/ch05s03.html.en

So I guess the 'netcfg/disable_autoconfig=true' as boot parameter would
allow for manual configuration of the network within the installer, thus
obviating the IPv6 conundrum.

> Yet what installer *does* have that's /proc.
> So, wait for the network autoconfiguration, switch to root vt, invoke:
>
> echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Maybe this would be less trouble.

> And you just disabled IPv6 until the next reboot.
>
> Reco


-- 
New York was no mere city. It was instead an infinitely romantic notion, the
mysterious nexus of all love and money and power, the shining and the
perishable dream itself. To think of 'living' there was to reduce the
miraculous to the mundane; one does not 'live' at Xanadu. --Joan Didion



Re: troubleshooting Kmail

2018-02-20 Thread Gene Heskett
On Tuesday 20 February 2018 06:08:05 Curt wrote:

> On 2018-02-19, Gene Heskett  wrote:
> > That would result in my 5 digit balance being moved. However a phone
> > call generally resolves the problem, but the threat is there, and
> > they know it.
>
> Five digits, huh? Like $102.55?
>
No decimal point, and the first digit isn't a 1.

> Of course here they don't have those quaint little Mom and Pop local
> banks like they do in America, where maybe five digits (to the left of
> the decimal point!) might mean something; but the big boys couldn't
> care less about five, five is cacahuètes, you need at least seven to
> get anyone's attention (as in customer service) and probably more like
> eight.

This is a multistate banking concern. Yet they do care.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: how to offer Internet connection?

2018-02-20 Thread john doe

On 2/20/2018 12:58 PM, Jude DaShiell wrote:
> What is it, packet forwarding and nat?  I've heard about that but never 
> had occasion to try that myself before.




From a Google search:

https://en.wikipedia.org/wiki/Network_address_translation

https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding

The URLs might be folded by my mailer.

--
John Doe



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 10:01, Michael Lange  wrote:

> Hi,
>
> On Tue, 20 Feb 2018 08:05:19 +
> Michael Fothergill  wrote:
>
> > For me at any rate if the new version of gcc 4.9 makes it easier for a
> > new user to get access to that portion of Spectre vulnerability jointly
> > with the availability of Meltdown as is, then as I said I would be
> > very pleased.  and if a third person comes on the site asking about
> > this problem then we could encourage them to try it.
>
> As I understood from what you wrote earlier you are using Buster, so why
> not just stick with its default gcc-7 which from what
> https://packages.debian.org/search?keywords=gcc-7&searchon=names&suite=testing&section=all
> says has been updated to 7.3.0 which was iirc what you were waiting for.
>

I am not worried about what I would need personally to compile a kernel to
use in Debian.
I am currently using sid so there is no problem for me using e.g. gcc 7.3
etc.

And installing new kernels in gentoo that I run is easy.

What interests me more here are the options for a new user.

Greg's latest post suggests the new gcc 4.9 only works in oldstable ie
jessie not stretch.

So perhaps I have to revise my thinking on this once again.

Cheers

MF


>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Deflector shields just came on, Captain.
>
>


Re: troubleshooting Kmail

2018-02-20 Thread rhkramer
On Tuesday, February 20, 2018 09:35:33 AM Gene Heskett wrote:
> On Tuesday 20 February 2018 06:08:05 Curt wrote:
> > On 2018-02-19, Gene Heskett  wrote:
> > > That would result in my 5 digit balance being moved. However a phone
> > > call generally resolves the problem, but the threat is there, and
> > > they know it.
> > 
> > Five digits, huh? Like $102.55?

Just for the record, back in my working days, I had an agreement with my boss 
that if I needed more money I could add as many digits as I wanted to the 
right of the decimal place.
 
> No decimal point, and the first digit isn't a 1.

I wouldn't post any information like that in an unencrypted post / email.



Re: how to offer Internet connection?

2018-02-20 Thread David Wright
On Tue 20 Feb 2018 at 06:30:11 (+), Long Wind wrote:
> i have a debian pc that is on 2 networks:
> 1) connected to cell phone access point, cell phone offers Internet 
> connection
> 2) connected to router, thru ethernet interface
> is it possible for debian pc to offer Internet connection to other pc 
> connected to router?
> Thanks!
> PS: other pc don't have wireless card and can't connect to cell phone

When you ask a question like this, it would help if you also
told people some relevant information about the devices you
want to connect. For example:

Does the router have other devices connected to it?
Does the router have unconnected LAN ports?
Does the router have wireless?
What's connected to the WAN side of the router?
Does the Debian PC have a spare ethernet port?
Does the Debian PC have a slot free for a cheap card?
What interfaces does the Other PC have, if any?

Knowing the answers to questions like these would make it possible to
suggest solutions. Otherwise we're left guessing.

You might:
use a cheap wireless dongle for the Other PC
(I did that for an old PC with busted wireless)
or:
CAT5 connect the 2 PCs with PtP and masquerade a connection
(I did that 10 years ago before buying new router with free dongle included)
or:
Cat5 the Other PC to the router
(I've never tried using a router like that)

Generally speaking, if there are "wires", then you can do it, even
through the Serial or Parallel Ports.

Cheers,
David.



Re: how to offer Internet connection?

2018-02-20 Thread rhkramer
On Tuesday, February 20, 2018 09:45:15 AM john doe wrote:
> https://en.wikipedia.org/wiki/Network_address_translation
> 
> https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding
> 
> The URLs might be folded by my mailer.

I guess it is my day to make extraneous comments: It is a shame that "fold" 
has two meanings very relevant to computers and text.  I prefer to use 
"wrapped" for what you are concerned about, I reserve folded for what happens 
in an editor with what Microsoft would call collapsible outlining (and is 
typically called folding in the *nix editing world).



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Andy Smith
Hi Stephan,

On Tue, Feb 20, 2018 at 10:09:52AM +0100, Stephan Seitz wrote:
> On Tue, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote:
> >CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> >yet, not even in Linux upstream.
> 
> Are you sure?

[…]

> >STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
> 
> Kernel is Linux 4.15.4 #1 SMP Sat Feb 17 23:19:56 CET 2018 x86_64, compiled
> myself with gcc 7.3 from testing.

Ah, I think you might be right that the known exploit for Spectre v1
is fixed now.

The commit message¹ speaks of infrastructure for future mitigations,
I think because further exploits are expected to be thought up for
this, but when they do I imagine they will have their own CVE
numbers (and names :)).

Cheers,
Andy

¹ https://lkml.org/lkml/2018/1/20/152

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Stretch net install on EeePC - unable to resolve mirror host address

2018-02-20 Thread Brian
On Tue 20 Feb 2018 at 13:39:25 +, Curt wrote:

> On 2018-02-20, Reco  wrote:
> >
> >> Is there some way
> >> of telling the installer not to use IPv6?  I have read
> >> https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6 but the
> >> installer does not have file /etc/sysctl.conf
> 
> I looked up the router (I've now lost the page and the router
> references--but it did mention "supported protocols IPv4 + IPv6" as
> indicated below).
> 
> At any rate: 
> 
>  if you have an IPv6 router or a DHCP server on your local network, but
>  want to avoid them because e.g. they give wrong answers, you can use
>  the parameter netcfg/disable_autoconfig=true to prevent any automatic
>  configuration of the network (neither v4 nor v6) and to enter the
>  information manually.
> 
> https://www.debian.org/releases/stable/i386/ch05s03.html.en
> 
> So I guess the 'netcfg/disable_autoconfig=true' as boot parameter would
> allow for manual configuration of the network within the installer, thus
> obviating the IPv6 conundrum.
> 
> > Yet what installer *does* have that's /proc.
> > So, wait for the network autoconfiguration, switch to root vt, invoke:
> >
> > echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
> 
> Maybe this would be less trouble.

The OP's wget command could be tested immediately after the network is
set up and IPv6 is disabled using either yours or Reco's method.

-- 
Brian.



Re: how to offer Internet connection?

2018-02-20 Thread Gene Heskett
On Tuesday 20 February 2018 09:45:15 john doe wrote:

> On 2/20/2018 12:58 PM, Jude DaShiell wrote:
> > What is it, packet forwarding and nat?  I've heard about that but
> > never had occasion to try that myself before.
>
>  From a Google search:
>
> https://en.wikipedia.org/wiki/Network_address_translation
>
Piece of cake for a router that's been reflashed with dd-wrt or similar.

That translation can be restricted to a single "port" address, which is 
why you can see my web page, on this machine, at an odd port address if 
you click on the link in the sig.

This is of course dependent on having a fixed ip, and mine is somehow 
derived from the mac address of my router, so if I should have to change 
routers, that would change until such time as I clone this mac address 
into the other router, at which point the router's reboot gives me back 
the old address and my registered domain name once again works, if the 
other router also does this port forwarding.

> https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding
>
> The URLs might be folded by my mailer.



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: troubleshooting Kmail

2018-02-20 Thread Gene Heskett
On Tuesday 20 February 2018 09:54:28 rhkra...@gmail.com wrote:

> On Tuesday, February 20, 2018 09:35:33 AM Gene Heskett wrote:
> > On Tuesday 20 February 2018 06:08:05 Curt wrote:
> > > On 2018-02-19, Gene Heskett  wrote:
> > > > That would result in my 5 digit balance being moved. However a
> > > > phone call generally resolves the problem, but the threat is
> > > > there, and they know it.
> > >
> > > Five digits, huh? Like $102.55?
>
> Just for the record, back in my working days, I had an agreement with
> my boss that if I needed more money I could add as many digits as I
> wanted to the right of the decimal place.
>
> > No decimal point, and the first digit isn't a 1.
>
> I wouldn't post any information like that in an unencrypted post /
> email.

twasn't too smart...



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Where is gapcmon?

2018-02-20 Thread Juan R. de Silva
I've been using gapcmon GUI to control my APC UPS backup units for years. 
I cannot find it in Debian Stretch repos. Was the package removed? For 
what reason? What can I use in its stead?

Thanks.



Re: Where is gapcmon?

2018-02-20 Thread Roberto C . Sánchez
On Tue, Feb 20, 2018 at 05:26:41PM +, Juan R. de Silva wrote:
> I've been using gapcmon GUI to control my APC UPS backup units for years. 
> I cannot find it in Debian Stretch repos. Was the package removed? For 
> what reason? What can I use in its stead?
> 
https://packages.qa.debian.org/g/gapcmon.html

It was removed from Debian more than two years before the release of
wheezy and had not been updated for nearly two years prior to that.

Here is the bug that requested its removal:

https://bugs.debian.org/617593

I am not sure what your requirements are, but I use apcupsd (with its
web interface in the apcupsd-cgi package). That does the job for me.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Where is gapcmon?

2018-02-20 Thread Juan R. de Silva
On Tue, 20 Feb 2018 13:04:20 -0500, Roberto C. Sánchez wrote:

> On Tue, Feb 20, 2018 at 05:26:41PM +, Juan R. de Silva wrote:
>> I've been using gapcmon GUI to control my APC UPS backup units for
>> years.
>> I cannot find it in Debian Stretch repos. Was the package removed? For
>> what reason? What can I use in its stead?
>> 
> https://packages.qa.debian.org/g/gapcmon.html
> 
> It was removed from Debian more than two years before the release of
> wheezy and had not been updated for nearly two years prior to that.

Interesting. I've been using it in Jessie and do believe I took it from 
Debian repos.

> Here is the bug that requested its removal:
> 
> https://bugs.debian.org/617593

I found no details about the bug. I personally never experienced any 
problems with it.

> I am not sure what your requirements are, but I use apcupsd (with its
> web interface in the apcupsd-cgi package). That does the job for me.

With gapcmon I did not need to start my web browser. It was just a click 
away.

I'll try web interface. Is it easy to use? Oh, well, if I don't like it I 
still have an option to use terminal. :-)

Thank you Roberto.



Re: Were is gapcmon?

2018-02-20 Thread Marc Auslander
"Juan R. de Silva"  writes:

>I've been using gapcmon GUI to control my APC UPS backup units for years. 
>I cannot find it in Debian Stretch repos. Was the package removed? For 
>what reason? What can I use in its stead?
>
>Thanks.

I've always used apcupsd which still works in stretch.  My use is pretty
trivial - just reports - I don't do anything automatic on power fail
since I can't figure out how to do anything that will always wind up
with my machine running when the power comes back!



Re: ThinkSystem RAID 930-8i driver/module for Debian 9

2018-02-20 Thread Dan Ritter
On Tue, Feb 20, 2018 at 08:37:45AM +0100, John Naggets wrote:
> Thanks Dan for suggesting some alternatives. Unfortunately most of
> them are not really convenient or simple. What about a 5th alternative
> which would be simply to "Install Debian 10 (buster/testing)" ? In
> theory as it has a more modern kernel version the module/driver for
> this new RAID card should be supported. What do you think except for
> the fact that this is a testing release...

I think that installing testing is not a great idea for a system
that you (a) update regularly and (b) depend on being up all the
time.

If that situation does not apply, go right ahead.

-dsr-



Re: Sound devices.

2018-02-20 Thread peter
*   From: deloptes delop...@gmail.com
*   Date: Thu, 08 Feb 2018 23:24:25 +0100
> I am not 100% sure but I think you need 
> alsa-oss - ALSA wrapper for OSS applications
> to be able to use dsp.

root@dalton:/home/peter# dpkg -l | grep alsa-oss
ii  alsa-oss  1.0.28-1  i386  ALSA wrapper for OSS applications
  
root@dalton:/home/peter# lsmod | grep oss
[nothing]

*   From: Michael Lange klappn...@freenet.de
*   Date: Fri, 9 Feb 2018 11:12:38 +0100
> probably the snd-pcm-oss driver is not loaded and thus /dev/dsp does not
> exist.

root@dalton:/home/peter# modprobe snd-pcm-oss
root@dalton:/home/peter# lsmod | grep oss
snd_pcm_oss            45056  0
snd_mixer_oss          24576  1 snd_pcm_oss
snd_pcm                86016  2 snd_pcm_oss,snd_usb_audio
snd                    57344  17 snd_pcm_oss,snd_hwdep,snd_mixer_oss,snd_usb_audio,snd_timer,snd_rawmidi,snd_usbmidi_lib,snd_seq_device,snd_pcm

[Better;  but shouldn't modules load automatically?]

root@dalton:/home/peter# grep audio /etc/group
audio:x:29:peter,pulse
root@dalton:/home/peter# exit
peter@dalton:~$ cat /usr/share/sounds/ekiga/ring.wav > /dev/dsp
[Horrible screeching noise.  (Earphones burned out?  Maintainer laughing?)]

peter@dalton:~$ mplayer /usr/share/sounds/ekiga/ring.wav
[Telephone bell ring.]

??

Thanks,... Peter E.



-- 

123456789 123456789 123456789 123456789 123456789 123456789 123456789
Tel: +1 360 639 0202  Pender Is.: +1 250 629 3757
http://easthope.ca/Peter.html  Bcc: peter at easthope. ca



DTrace GPLed?

2018-02-20 Thread Weaver
Of interest to some?

https://www.theregister.co.uk/2018/02/19/oracle_open_sources_dtrace_changes_licence_to_gpl/

Cheers!

-- 
`The difference between friendship and love is how much you can hurt
each other’. 
― Ashleigh Brilliant

Registered Linux User: 554515



Re: Sound devices.

2018-02-20 Thread Michael Lange
Hi,

On Tue, 20 Feb 2018 10:40:59 -0800
pe...@easthope.ca wrote:

(...)
> 
> [Better;  but shouldn't modules load automatically?]

I guess the developers figured that these modules are not necessary,
since most apps today of course play well together with the alsa drivers.
A simple extra line

snd-pcm-oss

in /etc/modules does the trick, though.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Four thousand throats may be cut in one night by a running man.
-- Klingon Soldier, "Day of the Dove", stardate unknown



Re: domain names, was: hostname

2018-02-20 Thread Jeremy Nicoll
Thanks to everyone who replied, not just Dan...

So...

On Mon, 19 Feb 2018, at 13:30, Dan Purgert wrote:
> Jeremy Nicoll wrote:

> > What, on a home LAN, is that used for?
> 
> In general terms, supplying domain information at setup time adds a
> "helper" record to /etc/resolv.conf (or whatever RH, Windows, etc.
> uses).  Note that if you use DHCP, this step is usually skipped, as the
> DHCP server provides the information.

On a Win8.1 system, ipconfig /all does show me a hostname (the same 
value as %COMPUTERNAME%) which happens to be a combination of the
machine's manufacturer name, and model

There's no domain value at all, though DHCP is in use... but I suppose I 
configured the DHCP server (in the router/switch) and maybe left fields 
blank there...


> In short, the "helper" record appends the domain name to a hostname, so
> you don't have to type out a FQDN when you're trying to get to a remote
> host.

Do you mean when someone outside the LAN is trying to connect to my 
machine?  I'd assume that makes sense only on a corporate / company 
LAN with a static IP gateway address and that address would be defined
in DNS matching the company's domain name... and - if that's right - I 
can see that telling each pc on the LAN that it's part of the company's
domain makes sense...


Other than that, opinion seems divided on whether for a home LAN it 
makes more sense to leave domain name unset, or to provide a value
(picked carefully, perhaps ending ".test"  or ".invalid").   In some ways
I like the idea of providing a planned/known name, if only because I'd
recognise it for what it is if I saw it in error messages, logs etc in future.  

I almost wonder if, to avoid any potential name conflict, one would be
sensible to register a domain, and then NOT have it point at one's own 
home LAN - because unless a dynamic DNS service is used, how could 
one keep that uptodate (my cable internet ISP does change my WAN
ip address occasionally) - and use its name on the home system.   But 
then again that might have unintended consequences.

-- 
Jeremy Nicoll - my opinions are my own.



Re: domain names, was: hostname

2018-02-20 Thread Greg Wooledge
On Tue, Feb 20, 2018 at 07:36:49PM +, Jeremy Nicoll wrote:
> > In short, the "helper" record appends the domain name to a hostname, so
> > you don't have to type out a FQDN when you're trying to get to a remote
> > host.
> 
> Do you mean when someone outside the LAN is trying to connect to my 
> machine?

No.  It's for when you try to look up a hostname without a domain.

For example, if your local area network uses "Greek gods" as its hostname
theme, and your machine is named "hermes", you might try to "ping zeus"
and see if it's up.

In this case, "zeus" has no domain name attached to it, so the values in
the /etc/resolv.conf file (search and/or domain) will be used instead.

Suppose your /etc/resolv.conf contains this:

search pantheon.gods
nameserver 10.20.30.40

Then your "zeus" gets turned into "zeus.pantheon.gods", and will be looked
up in DNS (using the recursive resolver at 10.20.30.40).

(Unless of course it was already found in /etc/hosts or however you have
configured your local /etc/nsswitch.conf to behave.)
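
The lookup order described above, as an added example that is not part of the original post: it models a "files dns" hosts lookup followed by the search-list and ndots behaviour documented in resolv.conf(5). The hosts entry for hermes and all function names are constructed for illustration.

```python
"""Model of how a short hostname is expanded before it reaches DNS."""

# Values from the message above; the file contents are a constructed sample.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search pantheon.gods
nameserver 10.20.30.40
"""

# Constructed sample /etc/hosts (the address for hermes is made up).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.20.30.7  hermes.pantheon.gods hermes   # this machine
"""


def parse_resolv_conf(text):
    """Return {'search': [...], 'nameservers': [...], 'ndots': int}."""
    conf = {"search": [], "nameservers": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            conf["nameservers"].append(values[0])
        elif key == "search":
            # 'search' and 'domain' replace each other; the last one wins.
            conf["search"] = [v.rstrip(".").lower() for v in values]
        elif key == "domain" and values:
            conf["search"] = [values[0].rstrip(".").lower()]
        elif key == "options":
            for opt in values:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def dns_candidates(name, conf):
    """Fully qualified names (trailing dot) in the order they are queried."""
    if name.endswith("."):
        return [name.lower()]          # already absolute: no search list
    short = name.lower()
    expanded = [f"{short}.{domain}." for domain in conf["search"]]
    absolute = short + "."
    if short.count(".") >= conf["ndots"]:
        return [absolute] + expanded   # enough dots: try it as typed first
    return expanded + [absolute]       # otherwise the search list goes first


def parse_hosts(text):
    """Map every name and alias in an /etc/hosts-style file to its address."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for alias in fields[1:]:
            table.setdefault(alias.lower(), fields[0])  # first entry wins
    return table


def lookup_plan(name, hosts_text, resolv_text):
    """Assumes nsswitch.conf says 'hosts: files dns'.

    Returns ('files', address) when /etc/hosts answers, otherwise
    ('dns', [candidate names sent to the configured nameserver]).
    """
    hosts = parse_hosts(hosts_text)
    key = name.rstrip(".").lower()
    if key in hosts:
        return ("files", hosts[key])
    return ("dns", dns_candidates(name, parse_resolv_conf(resolv_text)))


if __name__ == "__main__":
    for host in ("zeus", "hermes", "zeus.pantheon.gods", "zeus."):
        print(host, "->", lookup_plan(host, SAMPLE_HOSTS, SAMPLE_RESOLV_CONF))
```

Every name in a "dns" plan is sent to the listed nameserver, so a short name typed on the LAN is visible to that resolver in its expanded form.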



Re: domain names, was: hostname

2018-02-20 Thread Jeremy Nicoll
On Tue, 20 Feb 2018, at 19:42, Greg Wooledge wrote:
> On Tue, Feb 20, 2018 at 07:36:49PM +, Jeremy Nicoll wrote:

> > Do you mean when someone outside the LAN is trying to connect to my 
> > machine?
> 
> No.  It's for when you try to look up a hostname without a domain.
> 
> For example, if your local area network uses "Greek gods" as its hostname
> theme, and your machine is named "hermes", you might try to "ping zeus"
> and see if it's up.
> 
> In this case, "zeus" has no domain name attached to it, so the values in
> the /etc/resolv.conf file (search and/or domain) will be used instead.
> 
> Suppose your /etc/resolv.conf contains this:
> 
> search pantheon.gods
> nameserver 10.20.30.40
> 
> Then your "zeus" gets turned into "zeus.pantheon.gods", and will be looked
> up in DNS (using the recursive resolver at 10.20.30.40).
> 
> (Unless of course it was already found in /etc/hosts or however you have
> configured your local /etc/nsswitch.conf to behave.)

Ah... light is dawning.  (Probably a god has created another world.)

I've only done pinging of other machines on the LAN before (using 
either Windows or RISC OS) with static machine addresses & named
pcs defined in each pc's  /etc/hosts  or equivalent.

-- 
Jeremy Nicoll - my opinions are my own.



Re: DTrace GPLed?

2018-02-20 Thread Joel Wirāmu Pauling
eBPF makes dtrace less interesting.

On 21 February 2018 at 08:27, Weaver  wrote:

> Of interest to some?
>
> https://www.theregister.co.uk/2018/02/19/oracle_open_sources_dtrace_changes_licence_to_gpl/
>
> Cheers!
>
> --
> `The difference between friendship and love is how much you can hurt
> each other’.
> ― Ashleigh Brilliant
>
> Registered Linux User: 554515
>
>


Re: My site has become unreachable when I've implemented SSL

2018-02-20 Thread Aldo Maggi
Thank you for answering!
I'm really sorry but it seems not to be a SSL or Apache problem, today,
while I was away from home and I was using my laptop, I tried to open
my site and I was successful!  
So I can open "mysite. com" from outside my Lan but if I try to
connect to "mysite. com" from a Lan computer, the connection is
refused.  
I think it is a "ufw" problem but I do not know what to check.

Thank you anyway, 

Aldo :-)

On Mon, 19 Feb 2018 21:08:34 -0500
Bob Weber wrote:

> On 2/19/18 2:54 PM, Aldo Maggi wrote:
> > Thank you for your fast answer!
> >
> > root@Casa-mia-1:~# lsof -i :443
> > COMMAND  PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
> > apache2  879 root     6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  948 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  949 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  950 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  951 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2  952 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 1385 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 1386 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> > apache2 3386 www-data 6u   IPv6  20270      0t0  TCP *:https (LISTEN)
> >
> > As for ufw, indeed port 443 was not enabled and I had problems in
> > doing it (bad port), at the end I wrote:
> > ufw allow https
> > Rule added
> > Rule added (v6)
> >
> > now I have:
> >
> > root@Casa-mia-1:~# ufw status
> > Status: active
> >
> > To                         Action      From
> > --                         ------      ----
> > 22/tcp                     ALLOW       Anywhere
> > CUPS                       ALLOW       Anywhere
> > ..
> > Telnet                     ALLOW       Anywhere
> > VNC                        ALLOW       Anywhere
> > WWW                        ALLOW       Anywhere
> > Anywhere                   ALLOW       192.168.3.100
> > Anywhere                   ALLOW       192.168.3.0/24
> > /tcp                       ALLOW       Anywhere
> > 5900:5910/tcp              ALLOW       Anywhere
> > 2049                       ALLOW       192.168.3.100
> > 80/tcp                     ALLOW       Anywhere
> > 443/tcp                    ALLOW       Anywhere
> > 22/tcp (v6)                ALLOW       Anywhere (v6)
> > CUPS (v6)                  ALLOW       Anywhere (v6)
> > ...
> > WWW (v6)                   ALLOW       Anywhere (v6)
> > /tcp (v6)                  ALLOW       Anywhere (v6)
> > 5900:5910/tcp (v6)         ALLOW       Anywhere (v6)
> > 80/tcp (v6)                ALLOW       Anywhere (v6)
> > 443/tcp (v6)               ALLOW       Anywhere (v6)
> >
> > root@Casa-mia-1:~# systemctl restart apache2
> >
> > but ... no avail, still "connection refused"
> >
> > What else could be the culprit :-D
> >
> > Thanks for your time!
> >
> > Aldo :-)
> >
> > P.S. Furthermore in /apache2/error.log I find:
> > PHP Warning:  PHP Startup: Unable to load dynamic library
> > '/usr/lib/php/20151012/apc.so' - /usr/lib/php/20151012/apc.so:
> > cannot open shared object file: No such file or directory in
> > Unknown on line 0
> >
> > On Mon, 19 Feb 2018 12:48:25 -0500
> > Greg Wooledge wrote:
> >
> >> On Mon, Feb 19, 2018 at 06:36:01PM +0100, Aldo Maggi wrote:
> >>> Anyway, now if I browse writing my IP I get the Apache default
> >>> page (the browser tells me, anyway, that the site is unsecure),
> >>> if I write the name of the site I get (translated from Italian):
> >>> Unable to reach the site
> >>> Connection denied by mysite.com
> >> "Connection refused" (the correct English translation) means that
> >> either the service is not listening to that port, or the packets
> >> were rejected by a firewall.
> >>
> >> You will need to examine both of those possibilities.
> >>
> >> Making sure the service is listening on :443 should be fairly easy.
> >> You can use "lsof -i :443" for example, or some ss or netstat
> >> command.
> >>
> >> Checking whether you have a firewall blocking incoming 443 will be
> >> a bit harder.
> >>
> >
> Looks like apache is only listening to IPV6 (see above lsof output).
> So if the domain that you used in the command:
> 
> letsencrypt --apache -d mysite.com
> 
> resolves to an IPV4 address you need to tell apache to listen to your
> IPV4 address.  Your firewall looks like it has opened IPV4 and IPV6.
> I also assume that you try to access the site with that domain name
> in the url in your browser.  Check the file /etc/apache2/ports.conf.
> It might be useful to run the command "ip a" to see what addresses
> are assigned to your ethernet ports so you can properly set up the
> ports.conf file.
> 
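
An added check (not part of any post in this thread) for the two causes of "connection refused" named above, run separately per address family. On Linux a listener that lsof reports as `IPv6 ... *:https` can also accept IPv4 connections unless the socket is IPv6-only, so probing each address directly shows whether the service or the path to it is at fault; the function names are this example's own.

```python
import errno
import socket


def probe(host, port, family, timeout=2.0):
    """One TCP connect attempt: 'open', 'refused', 'timeout' or 'error:<ERRNO>'."""
    sock = None
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: nothing listening, or a reject rule
    except socket.timeout:
        return "timeout"   # no answer at all: usually dropped packets or routing
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        if sock is not None:
            sock.close()


def probe_name(name, port):
    """Probe every address the name resolves to, keyed by (family, address)."""
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            name, port, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        results[(label, sockaddr[0])] = probe(sockaddr[0], port, family)
    return results


def wildcard_v6_listener(v6only):
    """Listen on [::] at an ephemeral port, like a server with one IPv6 socket.

    Returns (socket, port), or None on a host without usable IPv6.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    try:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))
        srv.listen(1)
    except OSError:
        srv.close()
        return None
    return srv, srv.getsockname()[1]


def ipv4_to_v6_wildcard(v6only):
    """Result of an IPv4 connect to a listener that only shows up as IPv6."""
    made = wildcard_v6_listener(v6only)
    if made is None:
        return None
    srv, port = made
    try:
        return probe("127.0.0.1", port, socket.AF_INET)
    finally:
        srv.close()


def closed_port_result():
    """Constructed 'nothing listening' case: take a free port, release it, probe it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe("127.0.0.1", port, socket.AF_INET)


if __name__ == "__main__":
    print("closed port:                 ", closed_port_result())
    print("IPv4 -> [::] (dual stack):   ", ipv4_to_v6_wildcard(v6only=False))
    print("IPv4 -> [::] (IPv6 only):    ", ipv4_to_v6_wildcard(v6only=True))
    # On the affected machine, compare the name with the LAN address, e.g.
    # probe_name("mysite.com", 443) against probe("<server LAN address>", 443,
    # socket.AF_INET); both arguments here are placeholders.
```

If the LAN address answers "open" while the public name is refused from inside the LAN, the server and its firewall rules are fine and the difference lies in where the name resolves to from that network.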



[SOLVED]Re: My site has become unreachable when I've implemented SSL

2018-02-20 Thread Aldo Maggi
I've edited /etc/hosts adding a line where I put the IP address of the
server and the name of site.
Now everything works with SSL :-)

Thank you to all,

Aldo 


Re: DTrace GPLed?

2018-02-20 Thread Reco
Hi.

On Tue, Feb 20, 2018 at 11:27:20AM -0800, Weaver wrote:
> Of interest to some?
> 
> https://www.theregister.co.uk/2018/02/19/oracle_open_sources_dtrace_changes_licence_to_gpl/

https://news.ycombinator.com/item?id=16375938

Brendan Gregg, author of DTrace Toolkit, has this to say about it:

Unfortunately for DTrace, this is too late. Oracle should have done this
years ago. Now Linux has a more powerful tracer builtin, eBPF, and it
would be a backwards step to switch the kernel code to DTrace (assuming
the DTrace port is completed, which it is not). I'm sure this will not
be lost on the maintainers, who have the ultimate say as to what is
included in Linux mainline.
The only hope for DTrace is to have the frontend emit BPF bytecode. The
bulk of this GPL DTrace code is no longer needed, only the user-level
front end.

So, folks, nothing to see here, really. Move along to:

https://github.com/brendangregg/perf-tools

https://github.com/iovisor/bcc

Reco



Problem with suspend-to-disk

2018-02-20 Thread Hans
Hi folks, 
I am working on a little problem. Just let me shortly describe:

When I am running suspend-to-disk, I can see, that the RAM is saved to
the partition (in my case I defined the swap partition).

Everything is working fine, after that writing to disk, the computer is
shutting down. So far, so well.

But when I wake it up, I can see, the computer is starting from BIOS,
and the data is rewritten from the partition into ram.

But then - the computer shuts down, and is starting from BIOS again.

Then, after a (necessary) filecheck the computer is normally booting
(just as it was completely shut down before).

So far so well.

Now my problem: Is there a way, to see, what happens, when the computer
writes its data from swap into memory and then crashes? I found no log
entries, which showed me, why the computer resets after refilling the
ram. Kernel logs are overwritten at next boot, and tricks, like cutting
off power before the second boot, and then examining the log files with
a second operating system like a livefile system gave me no further
information, too.

I would file a bugreport, but without any good information, a bugreport
is not easy to tell.

Any suggestions, how I can get more information? (Besides, there is a
bugreport of this behaviour at "powerdevil", but sadly I can not help
much more)

Thanks for reading this and any help!

Best regards

Hans


Re: domain names, was: hostname

2018-02-20 Thread Dan Purgert
Jeremy Nicoll wrote:
> Thanks to everyone who replied, not just Dan...
>
> So...
>
> On Mon, 19 Feb 2018, at 13:30, Dan Purgert wrote:
>> Jeremy Nicoll wrote:
>
>> > What, on a home LAN, is that used for?
>> 
>> In general terms, supplying domain information at setup time adds a
>> "helper" record to /etc/resolv.conf (or whatever RH, Windows, etc.
>> uses).  Note that if you use DHCP, this step is usually skipped, as the
>> DHCP server provides the information.
>
> On a Win8.1 system, ipconfig /all does show me a hostname (the same 
> value as %COMPUTERNAME%) which happens to be a combination of the
> machine's manufacturer name, and model
>
> There's no domain value at all, though DHCP is in use... but I suppose I 
> configured the DHCP server (in the router/switch) and maybe left fields 
> blank there...

Yep, it's because your DHCP server does not have anything set.  I
should've said something more like "if you're setting a host to use
DHCP, the setup assumption is that the DHCP server will provide it".

Of course, it is not a requirement that the DHCP server provide this
information.
>
>
>> In short, the "helper" record appends the domain name to a hostname, so
>> you don't have to type out a FQDN when you're trying to get to a remote
>> host.
>
> Do you mean when someone outside the LAN is trying to connect to my 
> machine?  I'd assume that makes sense only on a corporate / company 
> LAN with a static IP gateway address and that address would be defined
> in DNS matching the company's domain name... and - if that's right - I 
> can see that telling each pc on the LAN that it's part of the company's
> domain makes sense...

No, I mean for your own local network.  It's so that when you're on the
LAN, you can just connect to a host by its name. It doesn't help at all
off the local network.


Say your "domain name" is cybertron.net and you have three hosts -
OptimusPrime, Bumblebee, and Ironhide.  

Normally, if you wanted to ping one of them, you'd have a command along
the lines of "ping Ironhide.cybertron.net" ... kind of a lot of typing,
so you can add the "helpers" which lets you simply use a hostname in
your commands -- "ping Ironhide".
>
>
> Other than that, opinion seems divided on whether for a home LAN it 
> makes more sense to leave domain name unset, or to provide a value
> (picked carefully, perhaps ending ".test"  or ".invalid").   In some ways
> I like the idea of providing a planned/known name, if only because I'd
> recognise it for what it is if I saw it in error messages, logs etc in
> future.  

If you're going to set up a local domain, double-check the RFCs for
reserved / allowed to use without registration TLDs -- and make sure
you're checking CURRENT docs (stuff like "*local" used to be allowed, but
now it's set for mDNS / bonjour / avahi).

Or pay $15 for a year (ish) and get yourself your own registered domain,
and don't worry about it getting changed somewhere down the line.
>
> I almost wonder if, to avoid any potential name conflict, one would be
> sensible to register a domain, and then NOT have it point at one's own 
> home LAN - because unless a dynamic DNS service is used, how could 
> one keep that uptodate (my cable internet ISP does change my WAN
> ip address occasionally) - and use its name on the home system.   But 
> then again that might have unintended consequences.
>

That's what I do (except I do also pay for ddns, because I use my domain
name for simple things with friends / family). The real killer is paying
for TLS certs, though perhaps this year I'll move everything to Let's
Encrypt.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: troubleshooting Kmail

2018-02-20 Thread Mark Neidorff
On Tuesday, February 20, 2018 2:07:29 AM EST deloptes wrote:
> Hi,
> 
<<>>
> > I am a long time kmail user.  I have noticed significant improvement in
> > stability and the filtering of incoming mail.  I use the filtering
> > extensively.
> > Before the last release, at the beginning of a KDE session, filtering was
> > OK, but it slowed down with use.  In the latest version, it is extremely
> > fast, and it doesn't get slower with use.  The only "bug" I have found in
> > this version of kmail (5.5.2) is that an occasional "ghost" message will
> > be in a folder and can't be removed.  I store emails locally via IMAP--one
> > message per file--and except for the ghosts, I am extremely pleased.  I
> > currently have over 126,000 messages stored and about 8 "ghost" messages.
> > I searched through the individual files that contain the e-mails and I
> > can't find files for the ghost messages.
> > 
> > 
> > If the attitude of the KDE folks is the problem, please remember that they
> > are not full time KDE programmers and customer service is probably not
> > their strong suit.
> 
> Look, either something works or does not work. Those bugs and KDE not
> fixing them is not acceptable.
> I know that they are not working full time or for profit. This is also not
> an excuse. Don't try to cover them and their attitude, please.
> It is pointless. When they bring up a working product, I will start using
> it and I mean working at acceptable level.
> Those problems you or others describe can not qualify the product as stable.
> I am willing to do some compromise on my requirements, but there is too
> much to compromise on, looking at KDE.
> And as I said - the biggest problem is their attitude. The attitude to
> release crap in stable and call it stable - call it whatever you want but
> not stable!
> 
> > I don't know if you consider this a valid comparison or not, but:
> > In October 2017 (as I recall), my bank (which shall remain nameless)
> > announced that there would be a new version of the on-line access
> > software coming out on January 1st.  Then, around January 10th they
> > announced that the upgrade had some unresolved issues, and would not be
> > rolled out until February 1st.  February 1st arrived and passed.  The new
> > software was put in place on the 12th.  Since then, I have been unable to
> > login to my account.  No help on the screen.  When I called last week,
> > they said that they were aware of the problem and were working very hard
> > to resolve it.  No apology.  They can tell me my balance over the phone,
> > but that is about it.  IMO, this is absurd.
> > 
> > Well this is what I am talking about - KDE is exactly the same - absurd!
> 
> I have to admit that KDE5 is much better that KDE4, but still - no stable
> and with that attitude and mind set, I doubt they will ever bring up
> something stable, which is really a pity.
> 
> I was involved in couple of discussions with them back in 2007 or 2008
> after they released the KDE4 crap. Can you imagine this was 10y ago.
> 
> regards

Deloptes,

I respect your opinion, and the many contributions that you have made to this 
list.  You and I have both been more than annoyed with bad attitudes, you with 
KDE me with my bank.  I pointed out the problem that I had and how it has been 
mishandled, IMO. You mentioned "those bugs" but you haven't given specific 
examples.  Please give the examples.

Thanks,
Mark

-- 
Its not whether you win or lose, its how you place the blame...



Re: domain names, was: hostname

2018-02-20 Thread mick crane

On 2018-02-20 19:36, Jeremy Nicoll wrote:
<snipped>
> Other than that, opinion seems divided on whether for a home LAN it
> makes more sense to leave domain name unset, or to provide a value
> (picked carefully, perhaps ending ".test"  or ".invalid").   In some
> ways
> I like the idea of providing a planned/known name, if only because I'd
> recognise it for what it is if I saw it in error messages, logs etc in
> future.
>
> I almost wonder if, to avoid any potential name conflict, one would be
> sensible to register a domain, and then NOT have it point at one's own
> home LAN - because unless a dynamic DNS service is used, how could
> one keep that uptodate (my cable internet ISP does change my WAN
> ip address occasionally) - and use its name on the home system.   But
> then again that might have unintended consequences.

I think it used to be OK and was suggested to use ".home" for local
network but then a cellphone company started using it. Now I think it is
OK to use ".local"


mick

--
Key ID  4BFEBB31



Re: domain names, was: hostname

2018-02-20 Thread Dan Purgert
mick crane wrote:
> On 2018-02-20 19:36, Jeremy Nicoll wrote:
> ,snipped>
>> Other than that, opinion seems divided on whether for a home LAN it
>> makes more sense to leave domain name unset, or to provide a value
>> (picked carefully, perhaps ending ".test"  or ".invalid").   In some 
>> ways
>> I like the idea of providing a planned/known name, if only because I'd
>> recognise it for what it is if I saw it in error messages, logs etc in 
>> future.
>> 
>> I almost wonder if, to avoid any potential name conflict, one would be
>> sensible to register a domain, and then NOT have it point at one's own
>> home LAN - because unless a dynamic DNS service is used, how could
>> one keep that uptodate (my cable internet ISP does change my WAN
>> ip address occasionally) - and use its name on the home system.   But
>> then again that might have unintended consequences.
>
> I think it used to be OK and was suggested to use ".home" for local 
> network but then a cellphone company started using it. Now I think it is 
> OK to use ".local"


".local" is out too -- reserved for mDNS (bonjour / avahi ).

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: hostname

2018-02-20 Thread Richard Hector
On 20/02/18 05:32, Greg Wooledge wrote:
> You appear to be concerned that your hostname contains secret information,
> and that having your hostname "leaked" to the rest of the world will be
> an issue for you?
> 
> If that's the case, try not putting secret information into your
> hostname.  E.g. naming your machine my_mothers_maiden_name_is_johnson
> might be a bad idea.

I haven't been following the thread, but to be fair hostnames could
sometimes contain info that you might not want to spread around
unnecessarily. Eg "pg1-linode-tx" might be a useful hostname for your
first Texas DB VM, but you might not want to reveal that much info to
the whole world.

Richard





Re: domain names, was: hostname

2018-02-20 Thread mick crane

On 2018-02-21 00:33, Dan Purgert wrote:
> mick crane wrote:
> > On 2018-02-20 19:36, Jeremy Nicoll wrote:
> > <snipped>
> > > Other than that, opinion seems divided on whether for a home LAN it
> > > makes more sense to leave domain name unset, or to provide a value
> > > (picked carefully, perhaps ending ".test"  or ".invalid").   In some
> > > ways I like the idea of providing a planned/known name, if only
> > > because I'd recognise it for what it is if I saw it in error
> > > messages, logs etc in future.
> > >
> > > I almost wonder if, to avoid any potential name conflict, one would
> > > be sensible to register a domain, and then NOT have it point at
> > > one's own home LAN - because unless a dynamic DNS service is used,
> > > how could one keep that uptodate (my cable internet ISP does change
> > > my WAN ip address occasionally) - and use its name on the home
> > > system.   But then again that might have unintended consequences.
> >
> > I think it used to be OK and was suggested to use ".home" for local
> > network but then a cellphone company started using it. Now I think it
> > is OK to use ".local"
>
> ".local" is out too -- reserved for mDNS (bonjour / avahi ).


Oh, for gawd's sake. Is there not an RFC for local domains?
see .test .example .invalid .localhost mentioned as reserved but
they're not suitable.
I was incorrect earlier; it was an ISP that started using ".home". I noticed
that a cellphone company was using the supposedly private 10.0.0.0 block.


mick


--
Key ID  4BFEBB31



Re: domain names, was: hostname

2018-02-20 Thread Glenn English
On Wed, Feb 21, 2018 at 12:33 AM, Dan Purgert  wrote:

> ".local" is out too -- reserved for mDNS (bonjour / avahi ).

How about .lan, .dmz, and .wan? (Not allowed to or from the 'Net, of course.)

-- 
Glenn English



Re: troubleshooting Kmail

2018-02-20 Thread rhkramer
On Tuesday, February 20, 2018 12:20:46 PM Gene Heskett wrote:
> On Tuesday 20 February 2018 09:54:28 rhkra...@gmail.com wrote:
> > I wouldn't post any information like that in an unencrypted post /
> > email.
> 
> twasn't too smart...

And I should have sent that sentence to you privately, and encrypted if I 
could.  Sorry.

Have a good evening!



Re: troubleshooting Kmail

2018-02-20 Thread Gene Heskett
On Tuesday 20 February 2018 20:29:07 rhkra...@gmail.com wrote:

> On Tuesday, February 20, 2018 12:20:46 PM Gene Heskett wrote:
> > On Tuesday 20 February 2018 09:54:28 rhkra...@gmail.com wrote:
> > > I wouldn't post any information like that in an unencrypted post /
> > > email.
> >
> > twasn't too smart...
>
> And I should have sent that sentence to you privately, and encrypted
> if I could.  Sorry.
>
> Have a good evening!

Not so good. The woof is back in the shop.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Specifying a device for sox output.

2018-02-20 Thread peter
This system has three snd devices.   
peter@dalton:~$ ls /dev/snd/by-id/*
/dev/snd/by-id/usb-046d_0807_C9748B60-02
/dev/snd/by-id/usb-0d8c_C-Media_USB_Audio_Device-00
/dev/snd/by-id/usb-0d8c_C-Media_USB_Headphone_Set-00
peter@dalton:~$ ls /dev/snd/by-path/*
/dev/snd/by-path/pci-:00:03.0-usb-0:2:1.0
/dev/snd/by-path/pci-:00:03.2-usb-0:1:1.0
/dev/snd/by-path/pci-:00:03.2-usb-0:2:1.2

The two C-Media devices should be able to accept sox output.
How should one of them be specified?  If ekiga is running, 
is contention possible?  If so, is there a way to resolve it?

Thanks,   ... Peter E.





-- 

123456789 123456789 123456789 123456789 123456789 123456789 123456789
Tel: +1 360 639 0202  Pender Is.: +1 250 629 3757
http://easthope.ca/Peter.html  Bcc: peter at easthope. ca



Re: BIOS Can Not Find Disk

2018-02-20 Thread Dan Norton
As the OP, I want to try to clear up some of the confusion. I have
caused plenty of it. :-)

I drop-kicked the partitions I had set up and started over with a bare
(nothing but free space) sda block device. At some point I have
expressed doubt that my PC could handle UEFI correctly. This is not
true. I have been able to install multiple Debian systems (jessie,
stretch, and sid) using GPT and LVM. These same systems have also been
installed on this PC using the old primary/logical (dos) scheme with
LVM, starting with a bare disk. This desktop PC, according to dmesg is:

HP Pro 3400 Series MT/2ABF, BIOS 7.16 03/23/2012

Placing faith in the installer and letting it do as much of the work as
it will seems to be a good approach. YMMV. Also be unafraid to
power-off and re-boot the installer if you can't figure a way out of
some difficulty. Hey, after a few dozen of these, you may even start to
relax! The backup (/home and /var) has definitely been tested.

IIRC, the installer handles a greater proportion of the job in the
primary/logical LVM scheme and manual partitioning. 

In contrast, with GPT and LVM, for the second and subsequent
installations, the partitioning and defining of PVs, VGs, and LVs needs
to be done before installation using gdisk and the LVM tools in /sbin.
Then, the installer with manual partitioning can succeed by defining
the mount points of the various LVs.

 - Dan



Re: troubleshooting Kmail

2018-02-20 Thread rhkramer
On Tuesday, February 20, 2018 08:57:27 PM Gene Heskett wrote:
> Not so good. The woof is back in the shop.

Woof?  The dog?



Re: domain names, was: hostname

2018-02-20 Thread Reco
Hi.

On Wed, Feb 21, 2018 at 01:05:41AM +, mick crane wrote:
> On 2018-02-21 00:33, Dan Purgert wrote:
> > mick crane wrote:
> > > On 2018-02-20 19:36, Jeremy Nicoll wrote:
> > > <snipped>
> > > > Other than that, opinion seems divided on whether for a home LAN it
> > > > makes more sense to leave domain name unset, or to provide a value
> > > > (picked carefully, perhaps ending ".test"  or ".invalid").   In some
> > > > ways
> > > > I like the idea of providing a planned/known name, if only
> > > > because I'd
> > > > recognise it for what it is if I saw it in error messages, logs
> > > > etc in
> > > > future.
> > > > 
> > > > I almost wonder if, to avoid any potential name conflict, one
> > > > would be
> > > > sensible to register a domain, and then NOT have it point at
> > > > one's own
> > > > home LAN - because unless a dynamic DNS service is used, how could
> > > > one keep that uptodate (my cable internet ISP does change my WAN
> > > > ip address occasionally) - and use its name on the home system.   But
> > > > then again that might have unintended consequences.
> > > 
> > > I think it used to be OK and was suggested to use ".home" for local
> > > network but then a cellphone company started using it. Now I think
> > > it is
> > > OK to use ".local"
> > 
> > 
> > ".local" is out too -- reserved for mDNS (bonjour / avahi ).
> 
> Oh, for gawd's sake. Is there not an RFC for local domains ?

There is, see RFC 7788 and RFC 8244. ".home", while being controversial,
is probably fine. And there's ".test", which is perfectly fine as far as
RFC 6761 is concerned.

Reco



Re: troubleshooting Kmail

2018-02-20 Thread deloptes
Mark Neidorff wrote:

> I respect your opinion, and the many contributions that you have made to
> this list.  You and I have both been more than annoyed with bad attitudes,
> you with KDE me with my bank.  I pointed out the problem that I had and
> how it has been mishandled, IMO. You mentioned "those bugs" but you
> haven't given specific examples.  Please give the examples.

I mainly referred to the bugs that were discussed here. I can recall that
10y ago, when KDE4 came out, almost nothing worked and there was discussion
about why it was released so early. As almost nothing changed in the next
2 years, I stayed with old KDE and never had a desire to have a look at the
new KDE, though I am subscribed to the KDE list, so I follow by reading what
issues people had.
After 10y there are still issues with a critical application and the attitude
is the same. This must be a joke. A joke I see not only with KDE. A similar
attitude was behind systemd - so some developers developed an attitude of
negligence regarding the needs of users. This is the problem I have. They are
guided by their road map and not by user satisfaction. This is
counterproductive. Despite this I hope that KDE will deliver a stable system
some day, or at least one where the critical application will just work.

regards