ntpd is rather good in ignoring

Notice to my future self: Recently I wondered why one of the computers doesn’t show the correct time. Among others, there are the following lines in /etc/ntp.conf:

interface ignore eth2
interface ignore eth3

As this computer doesn’t have eth2 and eth3 but only eth0, ntpd assumes that I want to ignore all network devices and just listens on lo. After removing those lines, everything is working fine. The version of the Debian ntp package is 1:4.2.6.p5+dfsg-2+deb7u1 and you can find the bug report here.
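
A check for this failure mode, as an added example that is not part of the original post: it lists the interface rules in an ntp.conf that name a device the machine does not have. The function name stale_interface_rules and the SAMPLE_CONF text are assumptions made for this example.

```python
import ipaddress
import socket

# Keywords ntpd accepts in place of an interface name or address.
CLASS_KEYWORDS = {"all", "ipv4", "ipv6", "wildcard"}
ACTIONS = {"listen", "ignore", "drop"}


def _is_address(token):
    """True if token is an IP address, optionally with /prefixlen."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def stale_interface_rules(conf_text, present):
    """Return (line_no, action, name) for rules naming a NIC not in `present`."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 3 or fields[0] not in ("interface", "nic"):
            continue
        action, target = fields[1], fields[2]
        if action not in ACTIONS:
            continue
        if target in CLASS_KEYWORDS or _is_address(target):
            continue                            # rule is not tied to a device name
        if target not in present:
            findings.append((line_no, action, target))
    return findings


# Constructed sample, modelled on the two lines quoted in the post.
SAMPLE_CONF = """\
server 0.debian.pool.ntp.org iburst
interface ignore eth2
interface ignore eth3   # copied from another machine
interface listen 192.0.2.10
interface ignore wildcard
"""

if __name__ == "__main__":
    nics = {name for _, name in socket.if_nameindex()}
    with open("/etc/ntp.conf") as fh:
        for line_no, action, name in stale_interface_rules(fh.read(), nics):
            print(f"ntp.conf:{line_no}: '{action} {name}' but {name} does not exist")
```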

exim4 and catchall email address

If you search for a way to configure a catchall email address with exim4, it is highly probable that you will see a router like:

system_aliases:
  debug_print = "R: system_aliases for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch*{/etc/aliases}}

In this case the catchall mechanism is included in the system_aliases router that normally just uses:

 data = ${lookup{$local_part}lsearch{/etc/aliases}}

Thus each email sent to an address entered before the “:” in /etc/aliases will be redirected to the mailbox entered after the “:”.
By changing lsearch to lsearch* you can have an entry in /etc/aliases that looks like

*: catchall

This should be at the end of the alias file and for every address that has no other entry, the email is redirected to the catchall-mailbox.

Unfortunately this has the drawback that you need to add an entry for every user that should get emails that looks like:

user: user

If you omit it, all emails to user will be put into the catchall-mailbox. That’s because the sequence of exim4 routers matters and in the Debian default configuration the router that checks for local users is put behind the system_aliases-router. You might think about changing the sequence of routers, but this is generally a bad idea. If you reverse the order of system_aliases and local_user, you can no longer redirect emails to system accounts like uucp or news to something more appropriate.

So, why not leave the system_aliases-router alone and simply add another router at the end of the router section:

local_catchall:
  debug_print = "R: catchall for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = catchall

It is very similar to the system_aliases-router but does not search anything for a matching entry but simply redirects everything to catchall. If it is really at the end, the email would have been rejected without this router and so no harm related to the behaviour of other routers is done. Due to driver = redirect it even takes care of .procmailrc and/or .forward …
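
The effect of router order described above, as an added example that is not part of the original post and not exim code: a simplified model in which routers are tried in sequence and a redirected address is routed again from the top. The alias table, the user names and all function names are constructed for this example.

```python
# Simplified model of exim4's router chain, not exim code. Constructed data.
ALIASES = {"news": "root", "*": "catchall"}   # stands in for /etc/aliases
LOCAL_USERS = {"root", "alice", "catchall"}   # stands in for system accounts


def system_aliases(star):
    """Redirect router: lsearch needs an exact key, lsearch* falls back to '*'."""
    def lookup(local_part):
        if local_part in ALIASES:
            return ALIASES[local_part]
        return ALIASES["*"] if star else None
    return ("system_aliases", "redirect", lookup)


LOCAL_USER = ("local_user", "accept",
              lambda lp: lp if lp in LOCAL_USERS else None)
LOCAL_CATCHALL = ("local_catchall", "redirect", lambda lp: "catchall")


def route(local_part, routers):
    """Return (mailbox, first router that handled the address), or (None, None)."""
    seen = set()   # a router is not run twice on the same address
    address, first = local_part, None
    while True:
        for name, kind, fn in routers:
            if (name, address) in seen:
                continue
            seen.add((name, address))
            target = fn(address)
            if target is None:
                continue                  # router declines, try the next one
            first = first or name
            if kind == "accept":
                return target, first
            address = target              # redirect: route the new address from the top
            break
        else:
            return None, None             # no router accepted: mail is rejected


STAR_IN_ALIASES = [system_aliases(star=True), LOCAL_USER]
TRAILING_ROUTER = [system_aliases(star=False), LOCAL_USER, LOCAL_CATCHALL]

if __name__ == "__main__":
    for lp in ("alice", "news", "no-such-user"):
        print(lp, route(lp, STAR_IN_ALIASES), route(lp, TRAILING_ROUTER))
```

With lsearch* the existing user alice ends up in the catchall mailbox; with the trailing router she keeps her own mail and only addresses that would otherwise be rejected reach catchall.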

My Debian Activities in March 2015

FTP assistant

Recently the NEW queue grew due to lots of uploads of new KDE software and several smaller node-packages. The KDE-stuff will be processed one after another, but the node-stuff seems to be rather strange. After the last discussion I was told that all those small packages can be accumulated into bigger chunks. I hope this discussion doesn’t need to be repeated again …

Anyway, this month I marked 117 packages for accept and rejected 51 packages.

Squeeze LTS

This was my ninth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 15.25h and I spent these hours to upload new versions of:

  • [DLA 163-1] bind9 security update
  • [DLA 166-1] libarchive security update
  • [DLA 167-1] redcloth security update
  • [DLA 170-1] mod-gnutls security update
  • [DLA 171-1] libssh2 security update
  • [DLA 181-1] xerces-c security update
  • [DLA 182-1] batik security update
  • [DLA 183-1] libxfont security update
  • [DLA 184-1] binutils security update

Finally I was also able to upload the binutils package. Up to now, I got no complaints that something is not working anymore, so yeah, I seem to make it. The next big adventure will be a new upload of PHP. I already started with some patches, but it is still a good piece of work.

I also uploaded updates for [DLA 164-1] unace security update, [DLA 168-1] konversation security update and [DLA 172-1] libextlib-ruby security update although no LTS sponsor indicated any interest.

Other packages

This month the severity of one bug in greylistd had been raised from normal to severe and as such I had to upload a new version. Thanks to Andreas Beckmann for raising it and for providing a patch.

I also uploaded a new version of dict-elements and closed a bug related to reproducible builds.

As I am the maintainer of libkeepalive, I got an email from Andreas Florath. He wanted to persuade me to create a package for his library libdontdie, which is rather similar to libkeepalive but has some improvements. As I promised to do some more packaging work, he didn’t have to argue much and voila, there now is a new package libdontdie available. As the cooperation with him is really pleasant, I also created a package for his other project: pipexec.

Donations

Thanks a lot to all donors, this month I got 30€ in total. I really appreciate this and hope that everybody is pleased with my commitment. Don’t hesitate to make suggestions for improvements.

My Debian Activities in February 2015

FTP assistant

Processing the new queue got off the ground again. This month I marked 154 packages for accept and rejected 20 packages.

Some emails I got were rather funny and people are very creative when trying to interpret the license of upstream. But hey, most of the time upstream has a reason to choose a specific wording. You can try to interpret those words, but don’t waste your time. Better ask upstream about their intention and whether this fits into the world of Debian. It only sounds strange when upstream publishes their stuff under licenseA and wants to distribute their files under licenseB but insists on keeping the wording of licenseA. That’s life!

Squeeze LTS

This was my eighth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 14.5h and I spent these hours to upload new versions of:

  • [DLA-145-2] php5 regression update
  • [DLA 146-1] krb5 security update
  • [DLA 150-1] unzip security update
  • [DLA 151-1] libxml2 security update
  • [DLA 162-1] e2fsprogs security update

For whatever reason, the DLA-145-2 didn’t reach debian-lts-announce. As the listmaster didn’t find any reason for this (at least the other emails all appeared), I think there has been some extraterrestrial influence (“The Truth Is Out There”).

Anyway, I also worked on an upload for binutils, but one patch is a real 100kB-beast. Meanwhile I am down to only one regression in one source file, so I hope that there will be an upload in March.

I also uploaded one DLA for libgtk2-perl ([DLA 161-1] libgtk2-perl security update) although no LTS sponsor indicated any interest.

Other packages

I didn’t do any work on other packages, but looking at the bug count, the number of bugs has increased. So, sorry, if you sent in a bug report and I didn’t answer. It is not forgotten.

Donations

After adding some micro payment buttons to my blog in January, I already got a donation of 20€ in February. I really appreciate this and I feel vindicated that my contributions to Debian are still useful.

USB 3.0 hub and Gigabit LAN adapter

Recently I bought a USB 3.0 hub with three USB 3.0 ports and one Gigabit LAN port. It is manufactured by Delock and I purchased it from Reichelt (Delock 62440).

Under Wheezy the USB part is recognized without problems but the kernel (3.2.0-4) does not have a driver for the ethernet part.
The USB Id is idVendor=0b95 and idProduct=1790, the manufacturer is ASIX Elec. Corp. and the product is: AX88179. So Google led me to a product page at Asix, where I could download the driver for kernel 2.6.x and 3.x.

mkdir -p /usr/local/src/asix/ax88179
cd /usr/local/src/asix/ax88179
wget www.asix.com.tw/FrootAttach/driver/AX88179_178A_LINUX_DRIVER_v1.13.0_SOURCE.tar.bz2
tar -jxf AX88179_178A_LINUX_DRIVER_v1.13.0_SOURCE.tar.bz2
cd AX88179_178A_LINUX_DRIVER_v1.13.0_SOURCE
apt-get install module-assistant
module-assistant prepare
make
make install
modprobe ax88179_178a

After editing /etc/network/interfaces and doing an ifup eth1, voila, I have a new network link. I hope the hardware is as good as the installation has been easy.

My Debian Activities in January 2015

FTP assistant

This month at the beginning of the year has been rather quiet as well. All in all I marked 50 packages for accept and rejected only 17 packages.

Squeeze LTS

This was my seventh month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 12h and I spent these hours to upload new versions of:

  • [DLA 127-1] pyyaml security update
  • [DLA 128-1] sox security update
  • [DLA 138-1] jasper security update
  • [DLA 145-1] php5 security update

In doing so, preparing the upload for php5 consumed most of the time as support from Upstream for the old version in Squeeze no longer exists. Oddly enough, a simple one-line-patch seems to have created a regression …

I also sponsored the upload of [DLA 133-1] unrtf security update, [DLA 134-1] curl security update and [DLA 130-1] firebird2.1 security update. Many thanks to Nguyen Cong from Toshiba who prepared the patches for these packages.

I also uploaded two DLAs for polarssl ([DLA 129-1] polarssl security update and [DLA 144-1] polarssl security update) although no LTS sponsor indicated any interest.

Other packages

Thanks to the relentless QA work of Andreas Beckmann, his piuparts tests detected an issue in the greylistd package. If greylistd has been installed in Wheezy, removed but not purged afterwards, the whole system dist-upgraded to Jessie and afterwards greylistd is installed again, there would be an error message. RC bug taken, fixed package uploaded and unblock request approved.

My Debian Activities in December 2014

FTP assistant

This month at the end of the year has been rather quiet as well. The holiday season is not suited for lots of REJECTs, so all in all I marked 91 packages for accept and rejected only 14 packages. But be aware, the period of grace is over now.

Squeeze LTS

This was my sixth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 20.5h and I spent these hours to upload new versions of:

  • [DLA 99-1] flac security update
  • [DLA 100-1] mutt security update
  • [DLA 101-1] jasper security update
  • [DLA 102-1] tcpdump security update
  • [DLA 105-1] graphviz security update
  • [DLA 107-1] unbound security update
  • [DLA 108-1] nfs-utils security update
  • [DLA 110-1] libyaml security update
  • [DLA 109-1] libyaml-libyaml-perl security update
  • [DLA 117-1] qt4-x11 security update
  • [DLA 121-1] jasper security update
  • [DLA 122-1] eglibc security update
  • [DLA 123-1] firebird2.5 security update
  • [DLA 124-1] unzip security update

This month I also sponsored the upload of [DLA 126-1] ettercap security update. As far as I know, this has been the first time that someone who is not (yet?) involved in Debian as a Debian Maintainer or Debian Developer prepared a patch for Squeeze LTS. So many thanks to Nguyen Cong for doing the work. Thanks to Toshiba as well, who allowed him to work on this package. I am sure there is more to come.

As December is the time of gifts, I also uploaded [DLA 104-1] pdns-recursor security update although no LTS sponsor indicated any interest.

Other packages

Unfortunately the Debian Med Advent Calendar wasn’t as successful as the years before. Only five bugs in packages python-mne, avifile, biomaj-watcher, trimmomatic and uc-echo have been closed. Things can only get better …

My Debian Activities in November 2014

FTP assistant

In contrast to the last month, this month has been rather quiet and I really liked that :-). The stress has moved to the next team. So all in all I marked 101 packages for accept and had to reject 27 packages. As I mostly reviewed really new packages, I didn’t have to file any RC bug this month.

Squeeze LTS

This was my fifth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 14.25h and I spent these hours to upload new versions of:

  • [DLA 82-1] wget security update
  • [DLA 84-1] curl security update
  • [DLA 89-1] nss security update
  • [DLA 90-1] imagemagick security update
  • [DLA 94-1] php5 security update
  • [DLA 97-1] eglibc security update

I also uploaded [DLA 85-1] libxml-security-java security update, but as nobody of the LTS sponsors had any interest in this package, I did this in my “spare” time. A package with security in its name should not be affected by security issues.

This month my failure of the month has been the binutils package. Although the security team prepared the way for finding the correct patches for all those CVEs, I somehow managed to not find them. This is embarrassing …

I am also a bit disappointed by current LTS users. All important packages have been made available for testing before uploading them to the archive. Apart from some brave fellow DDs, no other feedback was reported on debian-lts. Complaints arrived only when the packages have been finally uploaded. Do admins have enough time nowadays and don’t need to use some kind of testbed? Times are changing …

Other packages

This month I even found some time to sponsor uploads, so please welcome a new version of fastaq in experimental and patiently wait for aegean and kmc to pass NEW.

At this point I also want to mention the Debian Med Advent Calendar, which was announced in this email and already mentioned by Andreas in his latest Debian Med bits. Everybody is invited to take care of as many poor souls as possible.

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Manage own CA with Debian

Self-signed SSL certificates are nice, but only provide encryption of retrieved data. Nobody knows who is really sending the data.

If one buys an SSL certificate for a website, the browser doesn’t complain as much as with a self-signed certificate. But can you really trust the other side? Almost every commercial CA has some kind of “fast validation” or “domain validation, issued in minutes”, which is done by email or phone. So if required, within minutes everybody might become you. Even with putting money on the table your users cannot be sure whether this server really belongs to the right guy.

Well, why waste time and money? Just create your own Root CA and tell users that they need to add something in order to avoid some error messages. In Debian we basically have five packages that claim to be able to manage some kind of CA.

easy-rsa is mainly needed to manage certificates used by openVPN. Within this use case it works like a charm, but I don’t want to manage a more complex CA with it.

gnomint is dead upstream and only uses SHA1 as signature algorithm. This will cause lots of problems as Microsoft and Google want to deprecate SHA1 in their products by 2017. Besides, this package is already orphaned and maybe it can disappear now.

tinyCA uses more signature algorithms, unfortunately SHA1 seems to be the “best” it can. There are some patches to support up to SHA512, but they don’t work for all parts of the software yet. For example Sub-CAs still use SHA1 despite choosing something different in the GUI. So nice, but not (yet) usable in Jessie.

FreeIPA seems to be great, but didn’t make it into Jessie in time. Unfortunately the Release Team has reasons to not unblock it. So nice, but not usable in Jessie.

xca is based on QT4. As announced in the 15th DPN of 2014 the deprecated QT4 will be removed from Debian Stretch (= Jessie+1). Apart from this, the software meets all my requirements.

WLAN stick and hostapd in Debian Jessie

Notice to my future self: please think twice before you buy another LogiLink WLAN stick

In this case the LogiLink WL0049A did work as a normal WLAN stick out of the box, but was rather unreliable when used together with hostapd. The All0234Mini seems to be much better.