
Diego Roversi reshared this.


Hard to get more clear-cut than this: "this is my own performance of Bach. Who died 300 years ago. I own all the rights", and yet...

https://www.eff.org/takedowns/sony-finally-admits-it-doesnt-own-bach-and-it-only-took-public-pressure

reshared this

in reply to Terry Hancock (Director/Producer) Space Catitude 🚀 reshared this.

@LydiaConwell This is a pretty rampant issue, unfortunately. More than the various soundtrack pieces that I play where every composer is alive, I've had Greensleeves (composer unknown, traditional English piece), Londonderry Air (claimed as "Danny Boy" (which is the melody with lyrics added on), an Irish traditional piece), and Liebesleid (Fritz Kreisler (~1962)) all claimed numerous times :zerotwo_big_angry:
This entry was edited (2 months ago)

Diego Roversi reshared this.


ESP32-H2-DevKit-Lipo Open Source Hardware board with Zigbee, Thread, Matter, BLE5 is now available for pre-order https://olimex.wordpress.com/2024/01/18/esp32-h2-devkit-lipo-open-source-hardware-board-with-thread-matter-zigbee-and-ble5-is-ready-for-pre-order/ #zigbee #iot #esp32-h2 #oshw #threat #matter

Diego Roversi reshared this.

in reply to Olimex Olimex reshared this.

Back when I started building hardware, UEXT was my go-to for extensibility because it was simple and well documented. Given there is now both mUEXT and pUEXT, please consider updating the specs.

Diego Roversi reshared this.


Is there anyone who lives near Bruxelles Midi station reading this today? I just came through Eurostar on way back to the UK and my friend's ice axe was confiscated, despite the letter from Eurostar saying "alpine equipment (crampons and ice axe) _is_ permitted". We persuaded them to hold it for 24 hours before destroying it, so I am hoping to find someone very helpful who could go there to rescue it and give it to me at FOSDEM to post back to the UK.

Diego Roversi reshared this.


We are currently having network issues. We are able to connect to our server's onboard recovery system, but the access is slow and unreliable.

We'll keep you updated.

reshared this

in reply to Codeberg.org

againë

Forgive me if I'm stating a commonly asked question, but why don't you guys use Cloudflare? You just host code.


Diego Roversi reshared this.


An electrician had to cut a hole in our drywall and instead of just patching it up, my wife decided to make a little scene with miniatures embedded in the wall. 😂🖼️🤯

Edit: https://pixelfed.social/@thisfunhouse has some more pictures of the subway and I will post lots more quirky art over there.

#art #miniatures

This entry was edited (3 weeks ago)

Diego Roversi reshared this.


Then I'm going to be immortal.

reshared this


Diego Roversi reshared this.


My million dollar idea I want someone to steal and do, so I can be a customer.

"Dumb Stuff" we sell electronic appliances that aren't Internet connected. That's all.

That's it. That's the pitch. I would buy the <bleep> out of this company if their electronic gadgets were even half way decent, and repairable.

Electronic, no wifi, regular screws to open it up. That's it. Do those three things, and you can be sold by this store.

I will pay this business to curate and find these devices for me.

in reply to clacke@libranet.de is my main

@notclacke @clacke @taharez The Victorinox brand has more than the Swiss army knife. Low frills, good quality and reasonably priced. The 8" chef knife is $60 and one of the best under $100. I've heard good things about their luggage as well.

Diego Roversi reshared this.


My advice to consider #security first when evaluating systems: https://changelog.complete.org/archives/10620-consider-security-first This is part of my decision to migrate my #RaspberryPi devices to running pure #Debian.


I write this in the context of my decision to ditch Raspberry Pi OS and move everything I possibly can, including my Raspberry Pi devices, to Debian. I will write about that later.

But for now, I wanted to comment on something I think is often overlooked and misunderstood by people considering distributions or operating systems: the huge importance of getting security updates in an automated and easy way.

Background


Let’s assume that these statements are true, which I think are well-supported by available evidence:

  1. Every computer system (OS plus applications) that can do useful modern work has security vulnerabilities, some of which are unknown at any given point in time;
  2. During the lifetime of that computer system, some of these vulnerabilities will be discovered. For a (hopefully large) subset of those vulnerabilities, timely patches will become available.

Now then, it follows that applying those timely patches is a critical part of having a system that is as secure as possible. Of course, you have to do other things as well – good passwords, secure practices, etc – but, fundamentally, if your system lacks patches for known vulnerabilities, you’ve already lost at the security ballgame.

How to stay patched


There is something of a continuum of how you might patch your system. It runs roughly like this, from best to worst:

  1. All components are kept up-to-date automatically, with no intervention from the user/operator
  2. The operator is automatically alerted to necessary patches, and they can be easily installed with minimal intervention
  3. The operator is automatically alerted to necessary patches, but they require significant effort to apply
  4. The operator has no way to detect vulnerabilities or necessary patches

It should be obvious that the first situation is ideal. Every other situation relies on the timeliness of human action to keep up-to-date with security patches. This is a fallible situation; humans are busy, take trips, dismiss alerts, miss alerts, etc. That said, it is rare to find any system living truly all the way in that scenario, as you’ll see.

What is “your system”?


A critical point here is: what is “your system”? It includes:

  • Your kernel
  • Your base operating system
  • Your applications
  • All the libraries needed to run all of the above

Some OSs, such as Debian, make little or no distinction between the base OS and the applications. Others, such as many BSDs, have a distinction there. And in some cases, people will compile or install applications outside of any OS mechanism. (It must be stressed that by doing so, you are taking the responsibility of patching them on your own shoulders.)

How do common systems stack up?


  • Debian, with its support for unattended-upgrades, needrestart, debian-security-support, and such, is largely category 1. It can automatically apply security patches, in most cases can restart the necessary services for the patch to take effect, and will alert you when some processes or the system must be manually restarted for a patch to take effect (for instance, a kernel update). Those cases requiring manual intervention are category 2. The debian-security-support package will even warn you of gaps in the system. You can also use debsecan to scan for known vulnerabilities on a given installation.
  • FreeBSD has no way to automatically install security patches for things in the packages collection. As with many rolling-release systems, you can’t automate the installation of these security patches with FreeBSD because it is not safe to blindly update packages. It’s not safe to blindly update packages because they may bring along more than just security patches: they may represent major upgrades that introduce incompatibilities, etc. Unlike Debian’s practice of backporting fixes and thus producing narrowly-tailored patches, forcing upgrades to newer versions precludes a “minimal intervention” install. Therefore, rolling release systems are category 3.
  • Things such as Snap, Flatpak, AppImage, Docker containers, Electron apps, and third-party binaries often contain embedded libraries and such for which you have no easy visibility into their status. For instance, if there was a bug in libpng, would you know how many of your containers had a vulnerability? These systems are category 4 – you don’t even know if you’re vulnerable. It’s for this reason that my Debian-based Docker containers apply security patches before starting processes, and also run unattended-upgrades and friends.


The pernicious library problem


As mentioned in my last category above, hidden vulnerabilities can be a big problem. I’ve been writing about this for years. Back in 2017, I wrote an article focused on Docker containers, but which applies to the other systems like Snap and so forth. I cited a study back then that “Over 80% of the :latest versions of official images contained at least one high severity vulnerability.” The situation is no better now. In December 2023, it was reported that, two years after the critical Log4Shell vulnerability, 25% of apps were still vulnerable to it. Also, only 21% of developers ever update third-party libraries after introducing them into their projects.

Clearly, you can’t rely on these images with embedded libraries to be secure. And since they are black box, they are difficult to audit.

Debian’s policy of always splitting libraries out from packages is hugely beneficial; it allows fine-grained analysis of not just vulnerabilities, but also the dependency graph. If there’s a vulnerability in libpng, you have one place to patch it and you also know exactly what components of your system use it.

If you use snaps, or AppImages, you can’t know if they contain a deeply embedded vulnerability, nor could you patch it yourself if you even knew. You are at the mercy of upstream detecting and remedying the problem – a dicey situation at best.

Who makes the patches?


Fundamentally, humans produce security patches. Often, but not always, patches originate with the authors of a program and then are integrated into distribution packages. It should be noted that every security team has finite resources; there will always be some CVEs that aren’t patched in a given system for various reasons; perhaps they are not exploitable, or are too low-impact, or have better mitigations than patches.

Debian has an excellent security team; they manage the process of integrating patches into Debian, produce Debian Security Advisories, maintain the Debian Security Tracker (which maintains cross-references with the CVE database), etc.

Some distributions don’t have this infrastructure. For instance, I was unable to find this kind of tracker for Devuan or Raspberry Pi OS. In contrast, Ubuntu and Arch Linux both seem to have active security teams with trackers and advisories.

Implications for Raspberry Pi OS and others


As I mentioned above, I’m transitioning my Pi devices off Raspberry Pi OS (Raspbian). Security is one reason. Although Raspbian is a fork of Debian, and you can install packages like unattended-upgrades on it, they don’t work right because they use the Debian infrastructure, and Raspbian hasn’t modified them to use their own infrastructure. I don’t see any Raspberry Pi OS security advisories, trackers, etc. In short, they lack the infrastructure to support those Debian tools anyhow.

Not only that, but Raspbian lags behind Debian in both new releases and new security patches, sometimes by days or weeks.

A future post will include instructions for migrating Raspberry Pis to Debian.

https://changelog.complete.org/archives/10620-consider-security-first

#security
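A sketch of how the "category 1" test from the post above could be checked against an apt configuration. This is an added example, not code from the article or from Debian; the `root` parameter, the function names and the sample trees (including the `mirror.example` source line) are constructed for illustration, and only one-line `deb` entries are parsed.

```shell
#!/bin/sh
# Added example. "root" is a hypothetical parameter: "/" on a live host, or a
# scratch tree such as the constructed samples built below.

# True if some apt.conf.d file sets APT::Periodic::<key> to a non-zero number
# of days ("0" disables the job).
periodic_enabled() {            # $1 = root, $2 = key
    cat "$1"/etc/apt/apt.conf.d/* 2>/dev/null |
        grep -Eq "^[[:space:]]*APT::Periodic::$2[[:space:]]+\"[1-9][0-9]*\";"
}

# True if an uncommented one-line "deb" entry names a *-security suite.
has_security_suite() {          # $1 = root
    cat "$1"/etc/apt/sources.list "$1"/etc/apt/sources.list.d/*.list 2>/dev/null |
        awk '$1 == "deb" { for (i = 2; i <= NF; i++) if ($i ~ /-security$/) found = 1 }
             END { exit !found }'
}

# Report every gap that keeps the host out of "patched with no operator
# action"; returns 0 only when all three conditions hold.
patch_posture() {               # $1 = root
    root="${1%/}"
    rc=0
    periodic_enabled "$root" Update-Package-Lists ||
        { echo "$1: package lists are not refreshed automatically"; rc=1; }
    periodic_enabled "$root" Unattended-Upgrade ||
        { echo "$1: unattended-upgrades is not enabled"; rc=1; }
    has_security_suite "$root" ||
        { echo "$1: no -security suite in the apt sources"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$1: security updates are fetched and applied automatically"
    return "$rc"
}

# Build a constructed sample tree; each argument becomes a sources.list line.
make_apt_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/apt.conf.d" "$t/etc/apt/sources.list.d"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' \
        > "$t/etc/apt/apt.conf.d/20auto-upgrades"
    printf '%s\n' "$@" > "$t/etc/apt/sources.list"
    echo "$t"
}

# Demo on two constructed trees: one with a security suite, one without.
debian_like=$(make_apt_tree \
    'deb http://deb.debian.org/debian/ bookworm main' \
    'deb http://security.debian.org/debian-security bookworm-security main')
no_security=$(make_apt_tree 'deb http://mirror.example/os/ bullseye main')
for tree in "$debian_like" "$no_security"; do
    patch_posture "$tree"
done
rm -rf "$debian_like" "$no_security"
```

On a real host, `patch_posture /` reads the live configuration; passing the checks says nothing about services that still need a restart, which is what needrestart reports.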


in reply to John Goerzen

I have a new post: Live Migrating from #RaspberryPiOs #bullseye to #Debian #bookworm. https://changelog.complete.org/archives/10622-live-migrating-from-raspberry-pi-os-bullseye-to-debian-bookworm

I got annoyed that #Raspbian officially has no upgrade path, the security situation, the lag behind Debian, lack of backports, and lack of initramfs in its custom kernel. So I managed to live migrate some Pis to Debian.


I’ve been getting annoyed with Raspberry Pi OS (Raspbian) for years now. It’s a fork of Debian, but manages to omit some of the most useful things. So I’ve decided to migrate all of my Pis to run pure Debian. These are my reasons:
  1. Raspberry Pi OS has, for years now, specified that there is no upgrade path. That is, to get to a newer major release, it’s a reinstall. While I have sometimes worked around this, for a device that is frequently installed in hard-to-reach locations, this is even more important than usual. It’s common for me to upgrade machines for a decade or more across Debian releases and there’s no reason that it should be so much more difficult with Raspbian.
  2. As I noted in Consider Security First, the security situation for Raspberry Pi OS isn’t as good as it is with Debian.
  3. Raspbian lags behind Debian – often times by 6 months or more for major releases, and days or weeks for bug fixes and security patches.
  4. Raspbian has no direct backports support, though Raspberry Pi 3 and above can use Debian’s backports (per my instructions at Installing Debian Backports on Raspberry Pi).
  5. Raspbian uses a custom kernel without initramfs support

It turns out it is actually possible to do an in-place migration from Raspberry Pi OS bullseye to Debian bookworm. Here I will describe how. Even if you don’t have a Raspberry Pi, this might still be instructive on how Raspbian and Debian packages work.

WARNINGS


Before continuing, back up your system. This process isn’t for the neophyte and it is entirely possible to mess up your boot device to the point that you have to do a fresh install to get your Pi to boot. This isn’t a supported process at all.

Architecture Confusion


Debian has three ARM-based architectures:

  • armel, for the lowest-end 32-bit ARM devices without hardware floating point support
  • armhf, for the higher-end 32-bit ARM devices with hardware float (hence “hf”)
  • arm64, for 64-bit ARM devices (which all have hardware float)

Although the Raspberry Pi 0 and 1 do support hardware float, they lack support for other CPU features that Debian’s armhf architecture assumes. Therefore, the Raspberry Pi 0 and 1 could only run Debian’s armel architecture.

Raspberry Pi 3 and above are capable of running 64-bit, and can run both armhf and arm64.

Prior to the release of the Raspberry Pi 5 / Raspbian bookworm, Raspbian only shipped the armhf architecture. Well, it was an architecture they called armhf, but it was different from Debian’s armhf in that everything was recompiled to work with the more limited set of features on the earlier Raspberry Pi boards. It was really somewhere between Debian’s armel and armhf archs. You could run Debian armel on those, but it would run more slowly, due to doing floating point calculations without hardware support. Debian’s raspi FAQ goes into this a bit.

What I am going to describe here is going from Raspbian armhf to Debian armhf with a 64-bit kernel. Therefore, it will only work with Raspberry Pi 3 and above. It may theoretically be possible to take a Raspberry Pi 2 to Debian armhf with a 32-bit kernel, but I haven’t tried this and it may be more difficult. I have seen conflicting information on whether armhf really works on a Pi 2. (If you do try it on a Pi 2, ignore everything about arm64 and 64-bit kernels below, and just go with the linux-image-armmp-lpae kernel per the ARMMP page)

There is another wrinkle: Debian doesn’t support running 32-bit ARM kernels on 64-bit ARM CPUs, though it does support running a 32-bit userland on them. So we will wind up with a system with kernel packages from arm64 and everything else from armhf. This is a perfectly valid configuration as the arm64 – like x86_64 – is multiarch (that is, the CPU can natively execute both the 32-bit and 64-bit instructions).

(It is theoretically possible to crossgrade a system from 32-bit to 64-bit userland, but that felt like a rather heavy lift for dubious benefit on a Pi; nevertheless, if you want to make this process even more complicated, refer to the CrossGrading page.)

Prerequisites and Limitations


In addition to the need for a Raspberry Pi 3 or above in order for this to work, there are a few other things to mention.

If you are using the GPIO features of the Pi, I don’t know if those work with Debian.

I think Raspberry Pi OS modified the desktop environment more than other components. All of my Pis are headless, so I don’t know if this process will work if you use a desktop environment.

I am assuming you are booting from a MicroSD card as is typical in the Raspberry Pi world. The Pi’s firmware looks for a FAT partition (MBR type 0x0c) and looks within it for boot information. Depending on how long ago you first installed an OS on your Pi, your /boot may be too small for Debian. Use df -h /boot to see how big it is. I recommend 200MB at minimum. If your /boot is smaller than that, stop now (or use some other system to shrink your root filesystem and rearrange your partitions; I’ve done this, but it’s outside the scope of this article.)

You need to have stable power. Once you begin this process, your pi will mostly be left in a non-bootable state until you finish. (You… did make a backup, right?)

Basic idea


The basic idea here is that since bookworm has almost entirely newer packages than bullseye, we can “just” switch over to it and let the Debian packages replace the Raspbian ones as they are upgraded. Well, it’s not quite that easy, but that’s the main idea.

Preparation


First, make a backup. Even an image of your MicroSD card might be nice. OK, I think I’ve said that enough now.

It would be a good idea to have a HDMI cable (with the appropriate size of connector for your particular Pi board) and a HDMI display handy so you can troubleshoot any bootup issues with a console.

Preparation: access


The Raspberry Pi OS by default sets up a user named pi that can use sudo to gain root without a password. I think this is an insecure practice, but assuming you haven’t changed it, you will need to ensure it still works once you move to Debian. Raspberry Pi OS had a patch in their sudo package to enable it, and that will be removed when Debian’s sudo package is installed. So, put this in /etc/sudoers.d/010_picompat:

pi ALL=(ALL) NOPASSWD: ALL

Also, there may be no password set for the root account. It would be a good idea to set one; it makes it easier to log in at the console. Use the passwd command as root to do so.

Preparation: bluetooth


Debian doesn’t correctly identify the Bluetooth hardware address. You can save it off to a file by running hcitool dev > /root/bluetooth-from-raspbian.txt. I don’t use Bluetooth, but this should let you develop a script to bring it up properly.

Preparation: Debian archive keyring


You will next need to install Debian’s archive keyring so that apt can authenticate packages from Debian. Go to the bookworm download page for debian-archive-keyring and copy the URL for one of the files, then download it on the pi. For instance:

wget http://http.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2023.3+deb12u1_all.deb

Use sha256sum to verify the checksum of the downloaded file, comparing it to the package page on the Debian site.

Now, you’ll install it with:

dpkg -i debian-archive-keyring_2023.3+deb12u1_all.deb

Package first steps


From here on, we are making modifications to the system that can leave it in a non-bootable state.

Examine /etc/apt/sources.list and all the files in /etc/apt/sources.list.d. Most likely you will want to delete or comment out all lines in all files there. Replace them with something like:

deb http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
deb https://deb.debian.org/debian bookworm-backports main non-free-firmware contrib non-free

(you might leave off contrib and non-free depending on your needs)

Now, we’re going to tell it that we’ll support arm64 packages:

dpkg --add-architecture arm64

And finally, download the bookworm package lists:

apt-get update

If there are any errors from that command, fix them and don’t proceed until you have a clean run of apt-get update.

Moving /boot to /boot/firmware


The boot FAT partition I mentioned above is mounted at /boot by Raspberry Pi OS, but Debian’s scripts assume it will be at /boot/firmware. We need to fix this. First:

umount /boot
mkdir /boot/firmware

Now, edit fstab and change the reference to /boot to be to /boot/firmware. Now:

mount -v /boot/firmware
cd /boot/firmware
mv -vi * ..

This mounts the filesystem at the new location, and moves all its contents back to where apt believes it should be. Debian’s packages will populate /boot/firmware later.

Installing the first packages


Now we start by installing the first of the needed packages. Eventually we will wind up with roughly the same set Debian uses.

apt-get install linux-image-arm64
apt-get install firmware-brcm80211=20230210-5
apt-get install raspi-firmware

If you get errors relating to firmware-brcm80211 from any commands, run that install firmware-brcm80211 command and then proceed. There are a few packages that Raspbian marked as newer than the version in bookworm (whether or not they really are), and that’s one of them.

Configuring the bootloader


We need to configure a few things in /etc/default/raspi-firmware before proceeding. Edit that file.

First, uncomment (or add) a line like this:

KERNEL_ARCH="arm64"

Next, in /boot/cmdline.txt you can find your old Raspbian boot command line. It will say something like:

root=PARTUUID=...

Save off the bit starting with PARTUUID. Back in /etc/default/raspi-firmware, set a line like this:

ROOTPART=PARTUUID=abcdef00

(substituting your real value for abcdef00).

This is necessary because the microSD card device name often changes from /dev/mmcblk0 to /dev/mmcblk1 when switching to Debian’s kernel. raspi-firmware will encode the current device name in /boot/firmware/cmdline.txt by default, which will be wrong once you boot into Debian’s kernel. The PARTUUID approach lets it work regardless of the device name.

Purging the Raspbian kernel


Run:

dpkg --purge raspberrypi-kernel

Upgrading the system


At this point, we are going to run the procedure beginning at section 4.4.3 of the Debian release notes. Generally, you will do:

apt-get -u upgrade
apt full-upgrade

Fix any errors at each step before proceeding to the next. Now, to remove some cruft, run:

apt-get --purge autoremove

Inspect the list to make sure nothing important is going to be removed.

Removing Raspbian cruft


You can list some of the cruft with:

apt list '~o'

And remove it with:

apt purge '~o'

I also don’t run Bluetooth, and it seemed to sometimes hang on boot because I didn’t bother to fix it, so I did:

apt-get --purge remove bluez

Installing some packages


This makes sure some basic Debian infrastructure is available:

apt-get install wpasupplicant parted dosfstools wireless-tools iw alsa-tools
apt-get --purge autoremove

Installing firmware


Now run:

apt-get install firmware-linux

Resolving firmware package version issues


If it gives an error about the installed version of a package, you may need to force it to the bookworm version. For me, this often happened with firmware-atheros, firmware-libertas, and firmware-realtek.

Here’s how to resolve it, with firmware-realtek as an example:

  1. Go to https://packages.debian.org/PACKAGENAME – for instance, https://packages.debian.org/firmware-realtek. Note the version number in bookworm – in this case, 20230210-5.
  2. Now, you will force the installation of that package at that version:
    apt-get install firmware-realtek=20230210-5
  3. Repeat with every conflicting package until done.
  4. Rerun apt-get install firmware-linux and make sure it runs cleanly.

Also, in the end you should be able to:

apt-get install firmware-atheros firmware-libertas firmware-realtek firmware-linux

Dealing with other Raspbian packages


The Debian release notes discuss removing non-Debian packages. There will still be a few of those. Run:

apt list '?narrow(?installed, ?not(?origin(Debian)))'

Deal with them; mostly you will need to force the installation of a bookworm version using the procedure in the section Resolving firmware package version issues above (even if it’s not for a firmware package). For non-firmware packages, you might possibly want to add --mark-auto to your apt-get install command line to allow the package to be autoremoved later if the things depending on it go away.

If you aren’t going to use Bluetooth, I recommend apt-get --purge remove bluez as well. Sometimes it can hang at boot if you don’t fix it up as described above.

Set up networking


We’ll be switching to the Debian method of networking, so we’ll create some files in /etc/network/interfaces.d. First, eth0 should look like this:

allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

And wlan0 should look like this:

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Raspbian is inconsistent about using eth0/wlan0 or renamed interface. Run ifconfig or ip addr. If you see a long-named interface such as enx<something> or wlp<something>, copy the eth0 file to the one named after the enx interface, or the wlan0 file to the one named after the wlp interface, and edit the internal references to eth0/wlan0 in this new file to name the long interface name.

If using wifi, verify that your SSIDs and passwords are in /etc/wpa_supplicant/wpa_supplicant.conf. It should have lines like:

network={
    ssid="NetworkName"
    psk="passwordHere"
}

(This is where Raspberry Pi OS put them).

Deal with DHCP


Raspberry Pi OS used dhcpcd, whereas bookworm normally uses isc-dhcp-client. Verify the system is in the correct state:

apt-get install isc-dhcp-client
apt-get --purge remove dhcpcd dhcpcd-base dhcpcd5 dhcpcd-dbus

Set up LEDs


To set up the LEDs to trigger on MicroSD activity as they did with Raspbian, follow the Debian instructions. Run apt-get install sysfsutils. Then put this in a file at /etc/sysfs.d/local-raspi-leds.conf:

class/leds/ACT/brightness = 1
class/leds/ACT/trigger = mmc1

Prepare for boot


To make sure all the /boot/firmware files are updated, run update-initramfs -u. Verify that root in /boot/firmware/cmdline.txt references the PARTUUID as appropriate. Verify that /boot/firmware/config.txt contains the lines arm_64bit=1 and upstream_kernel=1. If not, go back to the section on modifying /etc/default/raspi-firmware and fix it up.

The moment arrives


Cross your fingers and try rebooting into your Debian system:

reboot

For some reason, I found that the first boot into Debian seems to hang for 30-60 seconds during bootstrap. I’m not sure why; don’t panic if that happens. It may be necessary to power cycle the Pi for this boot.

Troubleshooting


If things don’t work out, hook up the Pi to a HDMI display and see what’s up. If I anticipated a particular problem, I would have documented it here (a lot of the things I documented here are because I ran into them!) So I can’t give specific advice other than to watch boot messages on the console. If you don’t even get kernel messages going, then there is some problem with your partition table or /boot/firmware FAT partition. Otherwise, you’ve at least got the kernel going and can troubleshoot like usual from there.

https://changelog.complete.org/archives/10622-live-migrating-from-raspberry-pi-os-bullseye-to-debian-bookworm

#raspberryPi
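The "Prepare for boot" checks from the post above, gathered into one script that can be run before the reboot. This is an added example, not part of the original article; the function names, the `root` parameter and the sample tree (with the constructed PARTUUID `abcdef00-02`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the Raspbian -> Debian migration.
# "root" is a hypothetical parameter: "/" on the Pi, or a scratch tree.

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

check_migration() {             # $1 = root directory to inspect
    root="${1%/}"
    fails=0
    defaults="$root/etc/default/raspi-firmware"
    cmdline="$root/boot/firmware/cmdline.txt"
    config="$root/boot/firmware/config.txt"
    fstab="$root/etc/fstab"
    for f in "$defaults" "$cmdline" "$config" "$fstab"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # /etc/default/raspi-firmware: 64-bit kernel and a PARTUUID root.
    grep -Eq '^[[:space:]]*KERNEL_ARCH="?arm64"?' "$defaults" ||
        fail 'KERNEL_ARCH="arm64" is not set in raspi-firmware defaults'
    rootpart=$(sed -n 's/^[[:space:]]*ROOTPART="\{0,1\}\(PARTUUID=[0-9A-Fa-f-]*\).*/\1/p' \
        "$defaults" | tail -n 1)
    [ -n "$rootpart" ] || fail 'ROOTPART=PARTUUID=... is not set'

    # cmdline.txt must name the root by PARTUUID, not by /dev/mmcblkN, because
    # the device name can change under the Debian kernel.
    cmdroot=$(tr ' ' '\n' < "$cmdline" |
        sed -n 's/^root=\(PARTUUID=[0-9A-Fa-f-]*\)$/\1/p' | tail -n 1)
    [ -n "$cmdroot" ] || fail 'cmdline.txt root= is not a PARTUUID'
    if [ -n "$rootpart" ] && [ -n "$cmdroot" ] && [ "$rootpart" != "$cmdroot" ]; then
        fail "cmdline.txt uses $cmdroot but ROOTPART is $rootpart"
    fi

    # config.txt lines the article says must be present.
    for key in arm_64bit upstream_kernel; do
        grep -Eq "^[[:space:]]*$key=1[[:space:]]*\$" "$config" ||
            fail "config.txt lacks $key=1"
    done

    # fstab: the FAT partition belongs at /boot/firmware, no longer at /boot.
    awk '$1 !~ /^#/ && $2 == "/boot/firmware" { ok = 1 } END { exit !ok }' "$fstab" ||
        fail 'fstab has no /boot/firmware mount'
    awk '$1 !~ /^#/ && $2 == "/boot" { bad = 1 } END { exit bad + 0 }' "$fstab" ||
        fail 'fstab still mounts a filesystem at /boot'

    if [ "$fails" -eq 0 ]; then
        echo "OK: boot configuration matches the migration steps"
        return 0
    fi
    return 1
}

# Constructed sample tree representing a correctly migrated system.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/default" "$t/boot/firmware"
    printf '%s\n' 'KERNEL_ARCH="arm64"' 'ROOTPART=PARTUUID=abcdef00-02' \
        > "$t/etc/default/raspi-firmware"
    printf '%s\n' 'console=tty0 root=PARTUUID=abcdef00-02 rw fsck.repair=yes rootwait' \
        > "$t/boot/firmware/cmdline.txt"
    printf '%s\n' 'arm_64bit=1' 'upstream_kernel=1' > "$t/boot/firmware/config.txt"
    printf '%s\n' 'PARTUUID=abcdef00-01 /boot/firmware vfat defaults 0 2' \
                  'PARTUUID=abcdef00-02 / ext4 defaults,noatime 0 1' > "$t/etc/fstab"
    echo "$t"
}

sample=$(make_sample_tree)
check_migration "$sample"
rm -rf "$sample"
```

On the Pi itself, run `check_migration /` as root after `update-initramfs -u` and before `reboot`.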


reshared this

Unknown parent

John Goerzen
@gregoa_ I hear you. I have also generally upgraded my Pis in-place despite the warnings against it, but it seems the warnings were particularly strident this time. I don't follow testing, but I know the stable releases lag significantly. Debian Bookworm came out on June 10, and RPi Bookworm took 4 more months. It's pretty annoying having all my other systems on bookworm, having to deal with bullseye differences for months, and then warnings not to upgrade after that.


Compile your kernel (or whatever) without wearing your SSD:


If you have /tmp on your SSD, instead of a tmpfs mount:

- create a new directory and mount it as tmpfs (1Gb)

# mkdir /tmp/tmp
# mount -t tmpfs -o size=1G tmpfs /tmp/tmp

- now tell gcc to use it:

# export TMPDIR=/tmp/tmp


Diego Roversi reshared this.


I highly recommend supporting the Standard Ebooks project. 📚

«Standard Ebooks is a volunteer-driven project that produces new editions of public domain e-books that are lovingly formatted, open source, free of copyright restrictions, and free of cost.»

Donate 👇
https://standardebooks.org/donate

Please boost 🙏

#standardebook #standardebooks #ebook #ebooks #publicdomain #book #books #reading #epub #standard

This entry was edited (2 months ago)

Diego Roversi reshared this.


The predictable network interface device names in #Linux 🤣

Diego Roversi reshared this.


Diego Roversi reshared this.


Happy Festivus everyone! https://youtu.be/1njzgXSzA-A?si=YuQnjVfzQrXjllvN
#festivus #holidays #miracle

reshared this


Diego Roversi reshared this.


https://www.postfix.org/smtp-smuggling.html

"SMTP Smuggling" vulnerability in Postfix allows to spoof senders even in the presence of some DMARC checks. Configuration workarounds exist.

Also, a wholehearted f* you to SEC Consult, who sat on this since June and disclosed it to some closed-source vendors and MSPs, but could apparently not be bothered to give e.g. Postfix a heads-up, publishing this close to the holidays.

Boosts for awareness welcome.

Edit: So this has kinda blown up, and especially because the author of the SEC advisory is going to have a slot at 37C3, I would like to add something important: I intentionally wrote "SEC Consult" above, not "$individual". Do not start harassing that person. For all we know, this is a corporate failure and the individual would actually appreciate guidance and tips. That does not mean to not ask the hard questions, but keep the framing in mind. They might genuinely have been told by their managers that that is how responsible disclosure works.

This entry was edited (3 months ago)
in reply to Jonas Schäfer

I see SEC Consult has amended their page https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ with something of an acknowledgment that they might have stuffed up disclosure a bit here. It does read a bit like "We contacted both vendors, Microsoft _and_ Cisco!"

A hearty Fuck You to SEC Consult for being bad at their one job, and a hearty side of Fuck You to Cisco for their arrogant "It's not a bug".

Now, after I have patched my Postfix server at $dayjob, back to my previously scheduled long weekend.


Diego Roversi reshared this.


The internet is a big place. We can all have our own fedi. Each of us can have whatever kind of experience, community, connections, etc, we want here.

That’s the beauty of this place. There is enough room for everyone.

Be wary of anyone who tries to force you to be in community with them because of their myopic view of what online spaces should be.

We can make different decisions. We can make better decisions.


Diego Roversi reshared this.


2024 is the year of no more "sprints." for security reasons, "snprints" is recommended instead.

reshared this


Diego Roversi reshared this.


If that cheapo desktop PSU feels a bit heavy, you might want to check and see if it has a box of iron filings inside. You know, for extra quality.

https://hackaday.com/2023/12/12/cheap-computer-psu-puts-on-weight-with-box-of-iron/

Diego Roversi reshared this.

in reply to hackaday

remember when American keyboards came with steel plates just so they didn't feel as cheap as they were?
Same situation!!!

Diego Roversi reshared this.


Infocert (but there are plenty of others): how to discourage the use of secure passwords in just 3 easy steps:

1) force a password change every 6 months
2) ask for a strong password (I generate mine randomly)
3) ask to confirm the password with copy/paste disabled

Result: a top-quality password of 24 random alphanumeric characters, which takes forever to retype, gets replaced with "ForzaNapoli2023,.1", "ForzaNapoli2023,.2", "ForzaNapoli2023,.3", etc.


in reply to PsicoNauta

I've started using blasphemies! It's so liberating... :awesome:
in reply to Rapita dagli alieni

they're probably dictionary-attack-proof too! Brilliant! 🤣🤣🤣
in reply to PsicoNauta

I've started using the initials of sentences. One of the first I used was something like:

Mi Sono Rotto Le Palle Di Cambiare La Password ("I'm Sick And Tired Of Changing The Password")

finish off with numbers :D

Anyway, as for the rest, I agree 100%. Add the fact that no copy/paste means you can't manage it with a password manager, and that one should use a different password for every single service. In the end you convince people to use the same password everywhere, including shoddy sites that may store users' passwords in a db.

in reply to Diego Roversi

Old phone books from 50 or more years ago, kept casually on a shelf, work well too: ElviraGuidobaldiViaMilano42_764356 seems reasonable to me as a pw, if it is changed periodically.
in reply to Diego Roversi

@Diego Roversi @Bloved ⛵⛵⛵ in a db? Why sell yourself short like that when you can store the passwords in plaintext on an AWS shard open for everyone to read? :D
in reply to Diego Roversi

exactly, I can't use the password manager to generate a new password for me. And then warn me beforehand! NOT DURING A TRANSACTION THAT EXPIRES AFTER 60 seconds!

I don't remember which one it was, but there was a site that checked via JavaScript that you actually typed the password letter by letter: if you happened to tinker and re-enable copy/paste, the password was treated as empty 😭

in reply to PsicoNauta

I use KeepassXC because it has the autotype feature that lets you bypass that kind of crap
@diegor

Diego Roversi reshared this.


Updated: Please, Expose your RSS https://rknight.me/please-expose-your-rss/

Added @james's suggestion (which I've done on my site) of making the RSS icon/button orange.

Diego Roversi reshared this.


All hail Linux!

Diego Roversi reshared this.


For anyone who is interested, the 6.1.66-1 #Debian kernel packages are now in the bookworm-proposed-updates suite (also known as proposed-updates) and are going out to the mirror network as I type.

These packages are replacements for the 6.1.64-1 packages which contain the ext4 corruption bug and should *not* be used.

A full stable point release which incorporates these kernel packages will follow as soon as is feasible.


in reply to Mark Hymers

A little status update.

We're currently rebuilding the debian-installer for the point release. When those packages are ready, we will pulse them onto the mirrors (this is necessary to complete the installer build). At that time, we will also remove the 6.1.64-1 packages so that no further installs can happen.

Shortly afterwards, we will do a point release which will put 6.1.66-1 into stable on the mirrors.

in reply to Mark Hymers

The mirror push which removed the 6.1.64-1 binary packages has now happened.

We are now building the final debian-installer components so that we can start the point release.

Diego Roversi reshared this.


https://www.youtube.com/watch?v=yDp3cB5fHXQ
it's almost 4 hours, but it's worth every one of them.
then I understand why a thousand years pass between one video and the next, as with the best YouTube channels (see oversimplified)

Diego Roversi reshared this.


Modern XMPP Server


Posted on December 1, 2023
Just a quick mention that I’ve updated my instructions on how I configured my XMPP server to its current status under Debian Bookworm.

And yes, it took me just a bit of time, we release when we’re ready here :D


https://blog.trueelena.org/blog/2023/12/01-modern-xmpp-server/index.html


Diego Roversi reshared this.


Attribution of source code has been limited to comments, but a deeper embedding of attribution into code is possible. When an embedded attribution is removed or is incorrect, the code should no longer work. I've developed a way to do this in Haskell that is lightweight to add, but requires more work to remove than seems worthwhile for someone who is training an LLM on my code. And when it's not removed, it invites LLM hallucinations of broken code.

https://joeyh.name/blog/entry/attribution_armored_code/


Diego Roversi reshared this.


So apparently WPA3 is just outright broken on Raspberry Pi: https://rachelbythebay.com/w/2023/11/06/wpa3/

Good for me, means I can re-send our patch that rips out the (now confirmed useless and non-functional) Cypress WPA3 support and replaces it with the Broadcom WPA3 support that does actually work on Broadcom chips in Apple machines.

We've had WPA3 in Asahi Linux since forever, the only reason it's not upstream yet is because the Broadcom maintainer guy was worried that ripping out the Cypress thing (that nobody knows about, and Cypress guys gave us the silent treatment when we sent them emails asking) would break Cypress. Looks like Cypress is already broken, so there.

Diego Roversi reshared this.


NASA is sending a software update to the Voyager 2 spacecraft today!

The patch contains logic to auto-recover from glitches similar to one in May 2022, when the AACS system on Voyager 1 started sending garbled data. The root cause was not fully diagnosed. The patch will be activated/tested on Oct 28. Voyager 1 will be next.

Data will be sent at 16 bps with a 19 kW transmitter using the 70-m dish at @canberradsn.
Distance: 20 billion km; 18:40 light hours

https://www.jpl.nasa.gov/news/nasas-voyager-team-focuses-on-software-patch-thrusters
#Voyager
1/n

in reply to AkaSci 🛰️

A "glitch" is not the same as a "bug". A glitch is something transient, easy to miss…maybe it never happened. The term predates computers.

When a spacecraft loses all communications it is not a mere glitch. It is a serious bug.

Not as much fun to say, but it's still the right word.

in reply to Kent Borg

@Kent Borg @AkaSci 🛰️ @CanberraDSN They are two different classes of things. A glitch may be caused by a bug.

I don't have an opinion on whether this was correctly labeled a glitch, I haven't looked into it. I agree that a glitch is transient and disagree that it can't have serious impact.


Diego Roversi reshared this.


Hear ye! Hear ye!
Be it known throughout the realm that on Saturday the free conference "Un patrimonio per la città: gli stranieri a Como nel Quattrocento" will be held.

#ASpassoNellaStoria #Storia #GEP


Unknown parent

Elena ``of Valhalla''

@LaVi 🕊️📚🐈 yes yes, definitely interesting, and we were grateful to you for pointing it out.

the only problem is that maybe, just maybe, we owe a little bit of gratitude to trenò too? Because if we hadn't followed you for the complaints about trains, I don't know if we would ever have found out about it :D

(in case it's useful to know: you brought in 4 of the attendees :) )

Unknown parent

Elena ``of Valhalla''
@LaVi 🕊️📚🐈 (at a rough guess that could even have been 20-25% of those present, excluding the archive's employees, if I estimated correctly how many there were: that seems to me a result worthy of an influencer!)

Diego Roversi reshared this.


Incredible. A fully modular gaming handheld using Framework Laptop 13 parts by pitstop_tech:

https://youtu.be/zd6WtTUf-30?si=aFQ8-jRQRPd9vymF

Diego Roversi reshared this.


How I Keep my Life in Git


Posted on September 12, 2023

git secret_cabal greet

After watching My life in git, after subversion, after CVS. from DebConf, I’ve realized it’s been a while since I talked about the way I keep everything[1] I do in git, and I don’t think I’ve ever done it online, so it looked like a good time for a blog post.

Beyond git itself (of course), I use a few git-related programs:

  • myrepos (also known as mr) to manage multiple git repositories with one command;
  • vcsh to make it easy to keep dot-files under git;
  • git annex to store media files (anything that is big and will not change);
  • etckeeper to keep a history of the /etc directory;
  • gitolite and cgit to host my git repositories;

and some programs that don’t use git directly, but easily interact with it:

  • ansible to keep track of the system configuration of all machines;
  • lesana as a project tracker and journal and to inventory the things made of atoms that are hard[2] to store in git.

All of these programs are installed from Debian packages, on stable (plus rarely backports) or testing, depending on the machine.

I’m also grateful to the vcs-home people, who wrote most of the tools I use, and sometimes hang around their IRC channel.

And now, on to what I’m actually doing.

With the git repositories I’ve decided to err for too much granularity rather than too little[3], so of course each project has its own repository, and so do different kinds of media files, dot-files that are related to different programs etc.

Most of the repositories are hosted on two gitolite servers: one runs on the home server, for stuff that should remain private, and the other one is on my VPS for things that are public (or may become public in the future), and also has a web interface with cgit. Of course things where I’m collaborating with other people are sometimes hosted elsewhere, mostly on salsa, sourcehut or on $DAYJOB related gitlab instances.

The .mr directory is where everything is managed: I don’t have a single .mrconfig file but a few different ones, that in turn load all files in a directory with the same name:

  • collections.mr for the media file annexes and inventories (split into different files, so that computers with little disk space can only get the inventories);
  • private.mr for stuff that should only go on my own personal machine, not on shared ones;
  • projects.mr for the actual projects, with different files for the kinds of projects (software, docs, packaging, crafts, etc.);
  • setup.mr with all of the vcsh repositories, including the one that tracks the mr files (I’ll talk about the circular dependency later);
  • work.mr for repositories that are related to $DAYJOB.

Then there are the files in the .mr/machines directory, each one of which has the list of repositories that should be on every specific machine, including a generic workstation, but also specific machines such as e.g. the media center which has a custom set of repositories.

The dot files from my home directory are kept in vcsh, so that it’s easy to split them out into different repositories, and I’ve mostly used the simplest configuration described in the 30 Second How-to in its homepage; vcsh gives some commands to work on all vcsh repositories at the same time, but most of the time I work on a single repository, and use mr to act on more than one repo.

The media collections are also pretty straightforward git-annex repositories, one for each kind of media (music, movies and other videos, e-books, pictures, etc.) and I don’t use any auto-syncing features but simply copy and move files around between clones with the git annex copy, git annex move and git annex get commands.

There isn’t much to say about the project repositories (plain git), and I think that the way I use my own program lesana for inventories and project tracking is worth an article of its own, here I’ll just say that the file format used has been designed (of course) to work nicely with git.

On every machine I install etckeeper so that there is a history of the changes in the /etc directory, but that’s only a local repository, not stored anywhere else, and is used mostly in case something breaks with an update or in a similar situation. The authoritative source for the configuration of each machine is an ansible playbook (of course saved in git) which can be used to fully reconfigure the machine from a bare Debian installation.

When such a reconfiguration from scratch happens, it will be in two stages: first a run of ansible does the system-wide configuration (including installing packages, creating users etc.), and then I log in on the machine and run mr to set up my own home. Of course there is a chicken-and-egg problem in that I need the mr configuration to know where to get the mr configuration, and that is solved by having set up two vcsh repositories from an old tarball export: the one with the ssh configuration to access the repositories and the one with the mr files.

So, after a machine has been configured with ansible what I’ll actually do is to log in, use vcsh pull to update those two repositories and then run mr to check out everything else.

And that’s it, if you have questions on something feel free to ask me on the fediverse or via email (contacts are in the about page)

Update (2023-09-12 17:00ish): The ~/.mr directory is not special for mr, it’s just what I use and then I always run mr -c ~/.mr/some/suitable/file.mr, with the actual file being different whether I’m registering a new repo or checking out / updating them. I could include some appropriate ~/.mr/machines/some_machine.mr in ~/.mrconfig, but I’ve never bothered to do so, since it wouldn’t cover all usecases anyway. Thanks to the person on #vcs-home@OFTC who asked me the question :)


  1. At least, everything that I made that is made of bits, and a diary and/or inventory of the things made of atoms.↩︎
  2. until we get a working replicator, I guess :D↩︎
  3. in time I’ve consolidated a bit some of the repositories, e.g. merging the repositories for music from different sources (CD rips, legal downloads, etc.) into a single repository, but that only happened a few times, and usually I’m fine with the excess of granularity.↩︎

https://blog.trueelena.org/blog/2023/09/12-how_i_keep_my_life_in_git/index.html

#vcs

Diego Roversi reshared this.


A friend writes me the following:

“Hi,

I need to get rid of the books (#libri) whose covers you can find at the following link:

https://data.laboccadellupo.it/index.php/s/SYEWLWEMKYW3txo

I have roughly sorted them and have not catalogued them because I don't think it's worth the effort. I want to try to save them from their sad fate: ending up in the stove, one page at a time, this winter. Will you give me a hand?

They are old books of mine, my mother's and my father's that we decided not to keep after selling the old family home. The URL gives you access to a web file manager: open a folder, click on an image and start scrolling through the covers with the right and left arrow keys. I know something will surely end up in the mouth of the stove, but maybe something won't (I hope most of them!).

Almost all are in Italian, except those in a dedicated, clearly named folder. What will you find? Art and novels, essays on republican Italy, some philosophy, old high-school textbooks, some computing, old magazines and comics, very local publications. Have a look around.

Note down the file name that appears above the cover image and send it to me to tell me you want the book or more information. Feel free to pass this message on to people who can help us save them, but I only operate in the #Varese area and surroundings, while you take responsibility for friends further away.

Check the file "istruzioni.txt" to find out how to contact me and any other information I may have added over time since you received this message.”

(hashtags mine)

Does anyone here on the fediverse want to give him a hand?

#mastoregalo

in reply to Scimmia di Mare :unverified:

@Scimmia di Mare :unverified: and I imagine you don't have some friend/relative/acquaintance passing through the area who could act as a (drug :D ) courier, right?


Diego Roversi reshared this.


I'm noticing a new trend on the local timeline, namely not using CWs for sensitive content (violence, politics, crime news, etc).

Let's remember that CWs are not a limitation on our freedom of expression, but allow everyone to consciously choose whether to expose themselves to this content, thereby expanding everyone's freedom by protecting one another

Diego Roversi reshared this.


Remember Kung Fury?
The crowdfunded, excellent 80s martial arts film spoof that is so absurd, it breaks the cool meter?

The full-length movie - Kung Fury II - has been in limbo for years due to an investor screwing the production team over after they finished filming.

But the film crew prevailed, and the movie is near!

https://www.imdb.com/title/tt5765844

David Sandberg has proven to be an excellent writer, director and actor, so I am pretty sure this movie will be a classic too :)

#KungFury #KungFury2

in reply to unfa🇺🇦 Fabio reshared this.

I would like to mention here Stamps Back, which is also a crowdfunded movie, and it has English subtitles, so if you are interested in the 80s of Central Europe and Commodore 64, it's worth a watch.

📎: https://imdb.com/title/tt12370388/

YT 📎: https://www.youtube.com/watch?v=YUqn1OPxtmE

Diego Roversi reshared this.


Confy 0.7.0


Confy 0.7.0 has been released

This is the first release with a brand new UI written in Gtk4/libadwaita, using Blueprint for UI definition!

User interaction has been revisited, while being mostly similar to the previous version: gone is the tab switcher in headbar, now starred talks can be found in navbar. Gone is also the map view (for now, at least).
Adding new conferences from URL is now done via a nice dialog, and editing of user-added conferences is done directly in the conference list view. Which is now a window of its own, used as an "open" dialog.
There are some new shortcuts, like the "<primary>-c" shortcut to copy the current talk details as plain text in clipboard.
The talk search can now be filtered to match only starred talks and there are two search "modes": the global search, activated by the button over in the navigation header and by the '<primary>-f' shortcut, and the "current list" search, which searches the current talk list for day/room/track.

I'm sure I'm missing something and I'm sure I've missed more than something testing this, so please open tickets on the tracker (tickets can be opened also via email just sending a text/plain mail to ~fabrixxm/confy@todo.sr.ht or u.fabrixxm.confy@todo.sr.ht)

There is also a fix from ~edwardbetts for events that are after UTC midnight. Thanks!

#confy #gtk4 #libadwaita #newrelease

Diego Roversi reshared this.


Attention! Today is World Pi Day, 22/7 or 3.14285, closer to the real value of Pi than American Pi (3.14). Please do not boost this as it confuses and annoys Americans.


Diego Roversi reshared this.


I love how this makes perfect sense as a programmer but would sound horrible to anyone else

Diego Roversi reshared this.


BeagleV-Ahead: Default Development git repositories https://forum.beagleboard.org/t/beaglev-ahead-default-development-git-repositories/35333 #BeagleV #RISCV

Diego Roversi reshared this.


There is no more famous pirate in East Asia than the woman known in the West as Ching Shih, her true historical name being Zheng Yi Sao, Pirate Queen of the South China Seas. Likely a prostitute who married a well-known pirate, she soon proved a capable commander and soon organized a confederacy of pirates, helping one another against the Qing government and other foes. Taking over for her husband, she proved an even more capable pirate and many flocked to her, women especially, for her egalitarian attitude and redistribution of wealth from the aristocratic Qing Chinese government. Even aided by Portuguese ships, the Chinese could not capture her and could not stop her fleet. At her height, she sailed a fleet of 400 ships with 40 to 60 thousand sailors. When the end came and she surrendered, Zheng Yi Sao could not be killed by the Chinese due to her power and influence, and instead a retirement was negotiated, one that was quite favorable to her and allowed her an easy life: for a pirate career spanning 10 years from 1801 to 1810, that's quite something. She retired to Guangdong, running an infamous gambling house and dying at the comfortable and respectable age of 66 in 1844: hail the Pirate Queen of China! #FairytaleTuesday

Diego Roversi reshared this.


#OpenSourceHardware picks of the day:

➡️ @olimex - OSH manufacturer based in Bulgaria

➡️ @adafruit - OSH manufacturer based in USA

➡️ @mntmn - Small indie company making a libre laptop

➡️ @blitzcitydiy@mastodon.social (main) & @blitzcitydiy@diode.zone (videos) - Technician building fun electronics projects

➡️ @apertus - OSH for professional film-making, incl high end cameras

➡️ @nitrokey - Selling OSH security keys etc

➡️ @oshwassociation - US non-profit promoting OSH

➡️ @bonfire - Combining the Fedi with OSH data storage

Diego Roversi reshared this.


Unfortunately, I was affected by layoffs at Posit PBC. I'm still processing this big change, but I'm now open to work.

If you're looking for a data scientist or someone more broadly with experience in R, package development, causal inference, Rust, and many other skills, please reach out to chat!

If you're curious about my work, check out my GitHub

https://github.com/malcolmbarrett

#rstats #rustlang
