social.gl-como.it

Since Reddit has now sold out to AI, a reminder if you're into #Linux / #LinuxGaming that Lemmy exists and it's open source.

I'm a mod here too: https://lemmy.ml/c/linux_gaming@lemmy.ml

Diego Roversi reshared this.

Stop turning your Linux apps into Docker containers and removing the normal install methods.

nano akkoma (AP)
a tower of blocks captioned "all modern video infrastructure". one tiny block on the bottom is stopping all of it from falling over, and it's labelled "ffmpeg"
Drew DeVault reshared this.

I'm very worried about the Piracy Shield that has been introduced, not because I watch pirated matches or own a "pezzotto", but because of the short- and long-term implications it carries.
News from a couple of days ago is that, along with the IPs of some video streaming sites, the IPs of 2 CDNs (cloud4c.com and part of zenlayer) were indiscriminately blocked in their entirety, making it impossible even for those with legitimate services hosted there to be reached from Italy. The body that handles the matter (agcom) is a private body that sets itself up as "controller", "fine-issuer" and "blocker". With the wonder(shit)ful fascist government we have, it won't take long before anti-piracy use turns into blocking for political ends, citing fanciful justifications (like Salvini's antisemitism decree for artists and TV stations).
All absolutely right, but as far as I know Agcom is not private.
@diegor yes, yes, that was an inaccuracy on my part, I mixed up private with independent

Enoch mastodon (AP)
Happy caturday 🐈! Here’s a cat selfie I found somewhere on the www! 😂 i hope you all have a great weekend ☀️🥳🙌
Gray cat taking a selfie with 2 Rottweilers behind him standing in the snow
Diego Roversi reshared this.

Talen Lee mastodon (AP)

This youtube video does something I literally had no idea was possible with the subtitle system. Watch it without subtitles to get an idea for what the base video looks like, then watch it with the subtitles on.

https://www.youtube.com/watch?v=ZYlaUrj2Zkk

Diego Roversi reshared this.

Very proud that the IEEE has published my article “Why Bloat Is Still Software’s Biggest Vulnerability - A 2024 plea for lean software”:

https://spectrum.ieee.org/lean-software-development


Filippone...
OK, so (as usual, since you've never had any ideas of your own) you "copied" the effort put in by me and @kenobit on the bookwyrm project; OK, so you grabbed the bookwyrm .it domain because you can't manage without predatory behaviour; OK, so you kept the official logo so you can play the weasel and attract people by passing yourself off as the "Italian instance" (nobody reads the description anyway); but fuck, copying letter for letter (except that you don't know how to format text) the code of conduct of bookwyrm.gatti.ninja... Come on, a bit of imagination, you can manage it on your own, can't you?
In the images, gattininja is in dark and filippone in light.
:clapping:
#bookwyrm #gattininja
Policy copied (badly) by the devol collective
Original policy
Fata turchina mastodon (AP)
Maybe now he'll reply that codes of conduct are all the same anyway, and above all that you're just envious.

@guardaminfaccia
Damn!

I won't even say he has a face like an arse, because I have too much respect for arses.

It's strange that he hasn't already invented his own party.

Yaku 🐗 mastodon (AP)
@guardaminfaccia Come on FilippONE, make us dream, accuse gattinija of having copied from you! :blobcatpopcornnom:

It's strange that he hasn't registered puntarella it yet.


[EDIT] Ah, got it… it's ALREADY registered.

This entry was edited (2 weeks ago)


Erty hometown (AP)
Saw a meme and decided it needed a 4x4 taking it to the furthest extreme
Wynke Private message mastodon (AP)
Looks to me like Murphy understands the other ones pretty damn well...
brennen mastodon (AP)
ok, ok, but in the spirit of the original law, shouldn't murphy's razor be "anything that can be complicated, will be complicated"?

LWN.net mastodon (AP)
A locally exploitable glibc vulnerability https://lwn.net/Articles/960289/ #LWN
graywolf mastodon (AP)
Again? :/

This entry was edited (2 weeks ago)

Google announced that starting in June 2024, ad blockers such as uBlock Origin #uBO will be disabled in Chrome 127 and later with the rollout of Manifest V3 (#Mv3).

The new #Chrome manifest will prevent the use of custom filters and stop on-demand updates of blocklists. Only #Google authorized updates to browser extensions will be allowed in the future, which means an automatic win for Google in their battle to stop YouTube #AdBlockers .

#ManifestV3 is deceitful and threatening to your privacy, and now is a good time to switch to #Firefox (@mozilla) and/or #TorBrowser (@torproject) if you haven't done so already!

EFF (@eff) on Google’s Manifest V3:

⚠️⁠https://www.eff.org/deeplinks/2021/12/chrome-users-beware-manifest-v3-deceitful-and-threatening
⚠️⁠https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-still-hurts-privacy-security-innovation


Chrome Manifest V3 Transition Timeline (2023-11-16)

🚩⁠https://developer.chrome.com/blog/resuming-the-transition-to-mv3/


EDIT for clarification: MV3 in Chrome will still allow some ad blocking extensions, but will severely limit their blocking ability and even restrict pre-set filters to 50 MAX.

Mozilla Firefox :firefox:


Desktop
📥⁠https://www.mozilla.org/en-US/firefox/

Android Play Store
📥⁠https://play.google.com/store/apps/details?id=org.mozilla.firefox

iOS App Store
📥⁠https://apps.apple.com/us/app/firefox-private-safe-browser/id989804926


Tor Browser :tor:


Desktop
📥⁠https://www.torproject.org/download/

Android Play Store
📥⁠https://play.google.com/store/apps/details?id=org.torproject.torbrowser

Fdroid Repo
📥⁠https://support.torproject.org/tormobile/tormobile-7/

iOS App Store (try OnionBrowser)
📥⁠https://onionbrowser.com/


#Firefox #Mozilla #TorBrowser #Tor #Browser #Privacy

This entry was edited (3 months ago)
Mikko Tuumanen mastodon (AP)
@mozilla But where is the download link to get Firefox apk? I don't want Google Play in my phone.
Ah shoot I meant to write EU regulators but I keep forgetting. Like someone should investigate it and if there isn't a law to prevent it, write one.

Alex C mastodon (AP)

When I was a smartass computer nerd in the 80s and 90s, an eternal theme was friends and family sheepishly asking me for tech support help, and me slowly, patiently explaining to them that computers aren't scary, they're actually predictable, they won't explode or erase your data (unless you really make an effort), and they operate by simple (if somewhat arcane) rules. Edit > Cut, then click, then Edit > Paste. Save As. Use tabs, not spaces. Stuff like that. Maybe not easy, but simple, or at least consistent and learnable.

But that's not true anymore.

User interfaces lag. Text lies. Buttons don't click. Buttons don't even look like buttons! Panels pop up and obscure your workspace and you can't move or remove them -- a tiny floating x and a few horizontal lines is all you get. Mobile and web apps lose your draft text, refresh at whim, silently swallow errors, mysteriously move shit around when you're not looking, hide menus, bury options, don't respect or don't remember your chosen settings. Doing the same thing gives different results. The carefully researched PARC principles of human-computer interaction -- feedback, discoverability, affordances, consistency, personalization -- all that fundamental Don Norman shit -- have been completely discarded.

My tech support calls now are about me sadly explaining there's nothing I can do. Computers suck now. They run on superstition, not science. It's a real tragedy for humanity and I have no idea how to fix it.

#HCI #UX #UI #okdoomer

This entry was edited (3 weeks ago)
Alex C mastodon (AP)
that's the "phone book" edition I was talking about! thanks for finding it for me, i felt quite nostalgic paging through it just now
Alex C mastodon (AP)
@technicat the original Mac UI devs noticed and solved so many problems in *1986* that more recent Web 2.0+ frontend devs just ignore -- like this one, *drag delay* -- solving the problem that when the user moves their cursor towards an item on a popup menu, the mouse may drift outside the lines momentarily *en route*, so you should make sure not to close the menu prematurely; these days lots of popup menus instantly pop closed if you stray outside their bounds #UI #UX
This entry was edited (3 weeks ago)
Anatra reshared this.

Fabio friendica

Confy 0.7.1

Version 0.7.1 of #Confy, the #gtk4 / #libadwaita conference companion, has been tagged.

This release brings small fixes.
Main highlights are:

  • New German translation.
  • Flatpak now will use GNOME Runtime 45

#Arch #AUR packages are updated, #flatpak on #Flathub should be on its way.

https://sr.ht/~fabrixxm/Confy/

Diego Roversi reshared this.

Etienne Jacob mastodon (AP)
Haven't shared it on Mastodon, this page of my website is popular: https://bleuje.com/randomanimations/
It was on the frontpage of hackernews a week ago. 200+ of my animations in random order, next one with click or keypress.
Diego Roversi reshared this.


minute mastodon (AP)
"qalc" is a nice little calculator and simple equation solver for the terminal.
screenshot of qalc solving two equations for x to help me narrow down a pair of feedback resistors to common values
qalc rocks 🤘️, it's good enough for most things I need, it's my go-to minimal calculator app.
pandora mastodon (AP)
tested it a bit and it is amazing... how come it is so unknown

Lysander il breve iceshrimp (AP)
Ahh, how AI improves life.
A reply to a negative review on a well-known hoteliers' site, blatantly pulled out of chatgpt.
Diego Roversi reshared this.

Hard to get more clear-cut than this: "this is my own performance of Bach. Who died 300 years ago. I own all the rights", and yet...

https://www.eff.org/takedowns/sony-finally-admits-it-doesnt-own-bach-and-it-only-took-public-pressure

Diego Roversi reshared this.
@LydiaConwell This is a pretty rampant issue, unfortunately. More than the various soundtrack pieces that I play where every composer is alive, I've had Greensleeves (composer unknown, traditional English piece), Londonderry Air (claimed as "Danny Boy" (which is the melody with lyrics added on), an Irish traditional piece), and Liebesleid (Fritz Kreisler (~1962)) all claimed numerous times :zerotwo_big_angry:
This entry was edited (1 month ago)

Olimex mastodon (AP)
ESP32-H2-DevKit-Lipo Open Source Hardware board with Zigbee, Thread, Matter, BLE5 is now available for pre-order https://olimex.wordpress.com/2024/01/18/esp32-h2-devkit-lipo-open-source-hardware-board-with-thread-matter-zigbee-and-ble5-is-ready-for-pre-order/ #zigbee #iot #esp32-h2 #oshw #threat #matter
Diego Roversi reshared this.
Olimex mastodon (AP)
@chrysn this is pUEXT 10 pin 1mm step connector
chrysn mastodon (AP)
Back when I started building hardware, UEXT was my go-to for extensibility because it was simple and well documented. Given there is now both mUEXT and pUEXT, please consider updating the specs.

Wookey mastodon (AP)
Is there anyone who lives near Bruxelles Midi station reading this today? I just came through Eurostar on the way back to the UK and my friend's ice axe was confiscated, despite the letter from Eurostar saying "alpine equipment (crampons and ice axe) _is_ permitted". We persuaded them to hold it for 24 hours before destroying it, so I am hoping to find someone very helpful who could go there to rescue it and give it to me at FOSDEM to post back to the UK.

Codeberg.org mastodon (AP)

We are currently having network issues. We are able to connect to our server's onboard recovery system, but the access is slow and unreliable.

We'll keep you updated.

JF reshared this.

againë

Forgive me if I'm stating a commonly asked question, but why don't you guys use Cloudflare? You just host code.

Codeberg.org mastodon (AP)

@kirby cloudFlare is a privacy nightmare for many. And it costs a lot of $$$, see https://fosstodon.org/@drewdevault/111739234229534233


Just got off the phone with CloudFlare and WOW that's a big dollar sign


adamghill mastodon (AP)

An electrician had to cut a hole in our drywall and instead of just patching it up, my wife decided to make a little scene with miniatures embedded in the wall. 😂🖼️🤯

#art #miniatures

The whole subway scene. Left side of the subway scene.
Right side of the subway scene.

Kristen Wixx mastodon (AP)
Then I'm going to be immortal.
People who are always running late tend to end up living longer and healthier lives, according to Harvard researchers.

Pseudo Nym mastodon (AP)

My million dollar idea I want someone to steal and do, so I can be a customer.

"Dumb Stuff" we sell electronic appliances that aren't Internet connected. That's all.

That's it. That's the pitch. I would buy the <bleep> out of this company if their electronic gadgets were even half way decent, and repairable.

Electronic, no wifi, regular screws to open it up. That's it. Do those three things, and you can be sold by this store.

I will pay this business to curate and find these devices for me.


John Goerzen mastodon (AP)

My advice to consider #security first when evaluating systems: https://changelog.complete.org/archives/10620-consider-security-first This is part of my decision to migrate my #RaspberryPi devices to running pure #Debian.


I write this in the context of my decision to ditch Raspberry Pi OS and move everything I possibly can, including my Raspberry Pi devices, to Debian. I will write about that later.

But for now, I wanted to comment on something I think is often overlooked and misunderstood by people considering distributions or operating systems: the huge importance of getting security updates in an automated and easy way.

Background


Let’s assume that these statements are true, which I think are well-supported by available evidence:

  1. Every computer system (OS plus applications) that can do useful modern work has security vulnerabilities, some of which are unknown at any given point in time;
  2. During the lifetime of that computer system, some of these vulnerabilities will be discovered. For a (hopefully large) subset of those vulnerabilities, timely patches will become available.

Now then, it follows that applying those timely patches is a critical part of having a system that is as secure as possible. Of course, you have to do other things as well – good passwords, secure practices, etc – but, fundamentally, if your system lacks patches for known vulnerabilities, you’ve already lost at the security ballgame.

How to stay patched


There is something of a continuum of how you might patch your system. It runs roughly like this, from best to worst:

  1. All components are kept up-to-date automatically, with no intervention from the user/operator
  2. The operator is automatically alerted to necessary patches, and they can be easily installed with minimal intervention
  3. The operator is automatically alerted to necessary patches, but they require significant effort to apply
  4. The operator has no way to detect vulnerabilities or necessary patches

It should be obvious that the first situation is ideal. Every other situation relies on the timeliness of human action to keep up-to-date with security patches. This is a fallible situation; humans are busy, take trips, dismiss alerts, miss alerts, etc. That said, it is rare to find any system living truly all the way in that scenario, as you’ll see.

What is “your system”?


A critical point here is: what is “your system”? It includes:

  • Your kernel
  • Your base operating system
  • Your applications
  • All the libraries needed to run all of the above

Some OSs, such as Debian, make little or no distinction between the base OS and the applications. Others, such as many BSDs, have a distinction there. And in some cases, people will compile or install applications outside of any OS mechanism. (It must be stressed that by doing so, you are taking the responsibility of patching them on your own shoulders.)

How do common systems stack up?


  • Debian, with its support for unattended-upgrades, needrestart, debian-security-support, and such, is largely category 1. It can automatically apply security patches, in most cases can restart the necessary services for the patch to take effect, and will alert you when some processes or the system must be manually restarted for a patch to take effect (for instance, a kernel update). Those cases requiring manual intervention are category 2. The debian-security-support package will even warn you of gaps in the system. You can also use debsecan to scan for known vulnerabilities on a given installation.
  • FreeBSD has no way to automatically install security patches for things in the packages collection. As with many rolling-release systems, you can’t automate the installation of these security patches with FreeBSD because it is not safe to blindly update packages. It’s not safe to blindly update packages because they may bring along more than just security patches: they may represent major upgrades that introduce incompatibilities, etc. Unlike Debian’s practice of backporting fixes and thus producing narrowly-tailored patches, forcing upgrades to newer versions precludes a “minimal intervention” install. Therefore, rolling release systems are category 3.
  • Things such as Snap, Flatpak, AppImage, Docker containers, Electron apps, and third-party binaries often contain embedded libraries and such for which you have no easy visibility into their status. For instance, if there was a bug in libpng, would you know how many of your containers had a vulnerability? These systems are category 4 – you don’t even know if you’re vulnerable. It’s for this reason that my Debian-based Docker containers apply security patches before starting processes, and also run unattended-upgrades and friends.


The pernicious library problem


As mentioned in my last category above, hidden vulnerabilities can be a big problem. I’ve been writing about this for years. Back in 2017, I wrote an article focused on Docker containers, but which applies to the other systems like Snap and so forth. I cited a study back then that “Over 80% of the :latest versions of official images contained at least one high severity vulnerability.” The situation is no better now. In December 2023, it was reported that, two years after the critical Log4Shell vulnerability, 25% of apps were still vulnerable to it. Also, only 21% of developers ever update third-party libraries after introducing them into their projects.

Clearly, you can’t rely on these images with embedded libraries to be secure. And since they are black box, they are difficult to audit.

Debian’s policy of always splitting libraries out from packages is hugely beneficial; it allows finegrained analysis of not just vulnerabilities, but also the dependency graph. If there’s a vulnerability in libpng, you have one place to patch it and you also know exactly what components of your system use it.

If you use snaps, or AppImages, you can’t know if they contain a deeply embedded vulnerability, nor could you patch it yourself if you even knew. You are at the mercy of upstream detecting and remedying the problem – a dicey situation at best.

Who makes the patches?


Fundamentally, humans produce security patches. Often, but not always, patches originate with the authors of a program and then are integrated into distribution packages. It should be noted that every security team has finite resources; there will always be some CVEs that aren’t patched in a given system for various reasons; perhaps they are not exploitable, or are too low-impact, or have better mitigations than patches.

Debian has an excellent security team; they manage the process of integrating patches into Debian, produce Debian Security Advisories, maintain the Debian Security Tracker (which maintains cross-references with the CVE database), etc.

Some distributions don’t have this infrastructure. For instance, I was unable to find this kind of tracker for Devuan or Raspberry Pi OS. In contrast, Ubuntu and Arch Linux both seem to have active security teams with trackers and advisories.

Implications for Raspberry Pi OS and others


As I mentioned above, I’m transitioning my Pi devices off Raspberry Pi OS (Raspbian). Security is one reason. Although Raspbian is a fork of Debian, and you can install packages like unattended-upgrades on it, they don’t work right because they use the Debian infrastructure, and Raspbian hasn’t modified them to use their own infrastructure. I don’t see any Raspberry Pi OS security advisories, trackers, etc. In short, they lack the infrastructure to support those Debian tools anyhow.

Not only that, but Raspbian lags behind Debian in both new releases and new security patches, sometimes by days or weeks.

A future post will include instructions for migrating Raspberry Pis to Debian.

https://changelog.complete.org/archives/10620-consider-security-first

#security
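
The libpng question raised in the post above, worked as an added example that is not part of the original post or of any Debian tool: it parses the Depends fields that `dpkg-query` prints and lists every installed package with a direct dependency on one library package. The sample data and the package name `futuretool` are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): list the installed packages
# whose Depends field names a given library package, which is the question
# the post asks about libpng. The sample data below is constructed.

# Constructed stand-in for the output of:
#   dpkg-query -W -f='${Package}\t${Depends}\n'
sample_status() {
    printf '%s\t%s\n' \
        'gimp'           'libc6 (>= 2.34), libpng16-16 (>= 1.6.2-1), zlib1g' \
        'openssh-server' 'libc6 (>= 2.36), libssl3 (>= 3.0.0)' \
        'inkscape'       'libc6, libjpeg62-turbo | libpng16-16:any' \
        'futuretool'     'libc6, libpng16-16t64 (>= 1.6)'
}

# users_of LIB: read "package<TAB>depends" lines on stdin and print, sorted,
# every package with a direct dependency on exactly LIB.
users_of() {
    awk -F'\t' -v lib="$1" '
    {
        n = split($2, deps, /[,|]/)      # alternatives (a | b) count too
        for (i = 1; i <= n; i++) {
            d = deps[i]
            sub(/^ +/, "", d)            # leading blanks
            sub(/[ (:].*$/, "", d)       # drop "(>= version)" and ":arch"
            if (d == lib) { print $1; break }
        }
    }' | sort
}

# count_users LIB: how many packages on stdin depend directly on LIB.
count_users() { users_of "$1" | wc -l | tr -d ' '; }

# Demo on the constructed sample. On a real Debian system, replace
# sample_status with the dpkg-query command shown above.
sample_status | users_of libpng16-16
```

Only libraries packaged separately show up in this listing; a copy of the same library bundled inside a container image, snap or AppImage is invisible to it, which is the gap the post describes.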


John Goerzen mastodon (AP)

I have a new post: Live Migrating from #RaspberryPiOs #bullseye to #Debian #bookworm. https://changelog.complete.org/archives/10622-live-migrating-from-raspberry-pi-os-bullseye-to-debian-bookworm

I got annoyed that #Raspbian officially has no upgrade path, the security situation, the lag behind Debian, lack of backports, and lack of initramfs in its custom kernel. So I managed to live migrate some Pis to Debian.


I’ve been getting annoyed with Raspberry Pi OS (Raspbian) for years now. It’s a fork of Debian, but manages to omit some of the most useful things. So I’ve decided to migrate all of my Pis to run pure Debian. These are my reasons:
  1. Raspberry Pi OS has, for years now, specified that there is no upgrade path. That is, to get to a newer major release, it’s a reinstall. While I have sometimes worked around this, for a device that is frequently installed in hard-to-reach locations, this is even more important than usual. It’s common for me to upgrade machines for a decade or more across Debian releases and there’s no reason that it should be so much more difficult with Raspbian.
  2. As I noted in Consider Security First, the security situation for Raspberry Pi OS isn’t as good as it is with Debian.
  3. Raspbian lags behind Debian – often times by 6 months or more for major releases, and days or weeks for bug fixes and security patches.
  4. Raspbian has no direct backports support, though Raspberry Pi 3 and above can use Debian’s backports (per my instructions at Installing Debian Backports on Raspberry Pi)
  5. Raspbian uses a custom kernel without initramfs support

It turns out it is actually possible to do an in-place migration from Raspberry Pi OS bullseye to Debian bookworm. Here I will describe how. Even if you don’t have a Raspberry Pi, this might still be instructive on how Raspbian and Debian packages work.

WARNINGS


Before continuing, back up your system. This process isn’t for the neophyte and it is entirely possible to mess up your boot device to the point that you have to do a fresh install to get your Pi to boot. This isn’t a supported process at all.

Architecture Confusion


Debian has three ARM-based architectures:

  • armel, for the lowest-end 32-bit ARM devices without hardware floating point support
  • armhf, for the higher-end 32-bit ARM devices with hardware float (hence “hf”)
  • arm64, for 64-bit ARM devices (which all have hardware float)

Although the Raspberry Pi 0 and 1 do support hardware float, they lack support for other CPU features that Debian’s armhf architecture assumes. Therefore, the Raspberry Pi 0 and 1 could only run Debian’s armel architecture.

Raspberry Pi 3 and above are capable of running 64-bit, and can run both armhf and arm64.

Prior to the release of the Raspberry Pi 5 / Raspbian bookworm, Raspbian only shipped the armhf architecture. Well, it was an architecture they called armhf, but it was different from Debian’s armhf in that everything was recompiled to work with the more limited set of features on the earlier Raspberry Pi boards. It was really somewhere between Debian’s armel and armhf archs. You could run Debian armel on those, but it would run more slowly, due to doing floating point calculations without hardware support. Debian’s raspi FAQ goes into this a bit.

What I am going to describe here is going from Raspbian armhf to Debian armhf with a 64-bit kernel. Therefore, it will only work with Raspberry Pi 3 and above. It may theoretically be possible to take a Raspberry Pi 2 to Debian armhf with a 32-bit kernel, but I haven’t tried this and it may be more difficult. I have seen conflicting information on whether armhf really works on a Pi 2. (If you do try it on a Pi 2, ignore everything about arm64 and 64-bit kernels below, and just go with the linux-image-armmp-lpae kernel per the ARMMP page)

There is another wrinkle: Debian doesn’t support running 32-bit ARM kernels on 64-bit ARM CPUs, though it does support running a 32-bit userland on them. So we will wind up with a system with kernel packages from arm64 and everything else from armhf. This is a perfectly valid configuration as the arm64 – like x86_64 – is multiarch (that is, the CPU can natively execute both the 32-bit and 64-bit instructions).

(It is theoretically possible to crossgrade a system from 32-bit to 64-bit userland, but that felt like a rather heavy lift for dubious benefit on a Pi; nevertheless, if you want to make this process even more complicated, refer to the CrossGrading page.)

Prerequisites and Limitations


In addition to the need for a Raspberry Pi 3 or above in order for this to work, there are a few other things to mention.

If you are using the GPIO features of the Pi, I don’t know if those work with Debian.

I think Raspberry Pi OS modified the desktop environment more than other components. All of my Pis are headless, so I don’t know if this process will work if you use a desktop environment.

I am assuming you are booting from a MicroSD card as is typical in the Raspberry Pi world. The Pi’s firmware looks for a FAT partition (MBR type 0x0c) and looks within it for boot information. Depending on how long ago you first installed an OS on your Pi, your /boot may be too small for Debian. Use df -h /boot to see how big it is. I recommend 200MB at minimum. If your /boot is smaller than that, stop now (or use some other system to shrink your root filesystem and rearrange your partitions; I’ve done this, but it’s outside the scope of this article.)

You need to have stable power. Once you begin this process, your pi will mostly be left in a non-bootable state until you finish. (You… did make a backup, right?)

Basic idea


The basic idea here is that since bookworm has almost entirely newer packages than bullseye, we can “just” switch over to it and let the Debian packages replace the Raspbian ones as they are upgraded. Well, it’s not quite that easy, but that’s the main idea.

Preparation


First, make a backup. Even an image of your MicroSD card might be nice. OK, I think I’ve said that enough now.

It would be a good idea to have a HDMI cable (with the appropriate size of connector for your particular Pi board) and a HDMI display handy so you can troubleshoot any bootup issues with a console.

Preparation: access


The Raspberry Pi OS by default sets up a user named pi that can use sudo to gain root without a password. I think this is an insecure practice, but assuming you haven’t changed it, you will need to ensure it still works once you move to Debian. Raspberry Pi OS had a patch in their sudo package to enable it, and that will be removed when Debian’s sudo package is installed. So, put this in /etc/sudoers.d/010_picompat:

pi ALL=(ALL) NOPASSWD: ALL

Also, there may be no password set for the root account. It would be a good idea to set one; it makes it easier to log in at the console. Use the passwd command as root to do so.

Preparation: bluetooth


Debian doesn’t correctly identify the Bluetooth hardware address. You can save it off to a file by running hcitool dev > /root/bluetooth-from-raspbian.txt. I don’t use Bluetooth, but this should let you develop a script to bring it up properly.

Preparation: Debian archive keyring


You will next need to install Debian’s archive keyring so that apt can authenticate packages from Debian. Go to the bookworm download page for debian-archive-keyring and copy the URL for one of the files, then download it on the pi. For instance:

wget http://http.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2023.3+deb12u1_all.deb

Use sha256sum to verify the checksum of the downloaded file, comparing it to the package page on the Debian site.

Now, you’ll install it with:

dpkg -i debian-archive-keyring_2023.3+deb12u1_all.deb

Package first steps


From here on, we are making modifications to the system that can leave it in a non-bootable state.

Examine /etc/apt/sources.list and all the files in /etc/apt/sources.list.d. Most likely you will want to delete or comment out all lines in all files there. Replace them with something like:

deb http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
deb https://deb.debian.org/debian bookworm-backports main non-free-firmware contrib non-free

(you might leave off contrib and non-free depending on your needs)

Now, we’re going to tell it that we’ll support arm64 packages:

dpkg --add-architecture arm64

And finally, download the bookworm package lists:

apt-get update

If there are any errors from that command, fix them and don’t proceed until you have a clean run of apt-get update.

Moving /boot to /boot/firmware


The boot FAT partition I mentioned above is mounted at /boot by Raspberry Pi OS, but Debian’s scripts assume it will be at /boot/firmware. We need to fix this. First:

umount /boot
mkdir /boot/firmware

Now, edit fstab and change the reference to /boot to be to /boot/firmware. Now:

mount -v /boot/firmware
cd /boot/firmware
mv -vi * ..

This mounts the filesystem at the new location, and moves all its contents back to where apt believes it should be. Debian’s packages will populate /boot/firmware later.

Installing the first packages


Now we start by installing the first of the needed packages. Eventually we will wind up with roughly the same set Debian uses.

apt-get install linux-image-arm64
apt-get install firmware-brcm80211=20230210-5
apt-get install raspi-firmware

If you get errors relating to firmware-brcm80211 from any commands, run that install firmware-brcm80211 command and then proceed. There are a few packages that Raspbian marked as newer than the version in bookworm (whether or not they really are), and that’s one of them.

Configuring the bootloader


We need to configure a few things in /etc/default/raspi-firmware before proceeding. Edit that file.

First, uncomment (or add) a line like this:

KERNEL_ARCH="arm64"

Next, in /boot/cmdline.txt you can find your old Raspbian boot command line. It will say something like:

root=PARTUUID=...

Save off the bit starting with PARTUUID. Back in /etc/default/raspi-firmware, set a line like this:

ROOTPART=PARTUUID=abcdef00

(substituting your real value for abcdef00).

This is necessary because the microSD card device name often changes from /dev/mmcblk0 to /dev/mmcblk1 when switching to Debian’s kernel. raspi-firmware will encode the current device name in /boot/firmware/cmdline.txt by default, which will be wrong once you boot into Debian’s kernel. The PARTUUID approach lets it work regardless of the device name.

Purging the Raspbian kernel


Run:

dpkg --purge raspberrypi-kernel

Upgrading the system


At this point, we are going to run the procedure beginning at section 4.4.3 of the Debian release notes. Generally, you will do:

apt-get -u upgrade
apt full-upgrade

Fix any errors at each step before proceeding to the next. Now, to remove some cruft, run:

apt-get --purge autoremove

Inspect the list to make sure nothing important is going to be removed.

Removing Raspbian cruft


You can list some of the cruft with:

apt list '~o'

And remove it with:

apt purge '~o'

I also don’t run Bluetooth, and it seemed to sometimes hang on boot because I didn’t bother to fix it, so I did:

apt-get --purge remove bluez

Installing some packages


This makes sure some basic Debian infrastructure is available:

apt-get install wpasupplicant parted dosfstools wireless-tools iw alsa-tools
apt-get --purge autoremove

Installing firmware


Now run:

apt-get install firmware-linux

Resolving firmware package version issues


If it gives an error about the installed version of a package, you may need to force it to the bookworm version. For me, this often happened with firmware-atheros, firmware-libertas, and firmware-realtek.

Here’s how to resolve it, with firmware-realtek as an example:

  1. Go to https://packages.debian.org/PACKAGENAME – for instance, https://packages.debian.org/firmware-realtek. Note the version number in bookworm – in this case, 20230210-5.
  2. Now, you will force the installation of that package at that version:
    apt-get install firmware-realtek=20230210-5
  3. Repeat with every conflicting package until done.
  4. Rerun apt-get install firmware-linux and make sure it runs cleanly.

Also, in the end you should be able to:

apt-get install firmware-atheros firmware-libertas firmware-realtek firmware-linux

Dealing with other Raspbian packages


The Debian release notes discuss removing non-Debian packages. There will still be a few of those. Run:

apt list '?narrow(?installed, ?not(?origin(Debian)))'

Deal with them; mostly you will need to force the installation of a bookworm version using the procedure in the section Resolving firmware package version issues above (even if it’s not for a firmware package). For non-firmware packages, you might possibly want to add --mark-auto to your apt-get install command line to allow the package to be autoremoved later if the things depending on it go away.

If you aren’t going to use Bluetooth, I recommend apt-get --purge remove bluez as well. Sometimes it can hang at boot if you don’t fix it up as described above.

Set up networking


We’ll be switching to the Debian method of networking, so we’ll create some files in /etc/network/interfaces.d. First, eth0 should look like this:

allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

And wlan0 should look like this:

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Raspbian is inconsistent about using eth0/wlan0 or a renamed interface. Run ifconfig or ip addr. If you see a long-named interface such as enx<something> or wlp<something>, copy the eth0 file to the one named after the enx interface, or the wlan0 file to the one named after the wlp interface, and edit the internal references to eth0/wlan0 in this new file to name the long interface name.

If using wifi, verify that your SSIDs and passwords are in /etc/wpa_supplicant/wpa_supplicant.conf. It should have lines like:

network={
    ssid="NetworkName"
    psk="passwordHere"
}

(This is where Raspberry Pi OS put them).

Deal with DHCP


Raspberry Pi OS used dhcpcd, whereas bookworm normally uses isc-dhcp-client. Verify the system is in the correct state:

apt-get install isc-dhcp-client
apt-get --purge remove dhcpcd dhcpcd-base dhcpcd5 dhcpcd-dbus

Set up LEDs


To set up the LEDs to trigger on MicroSD activity as they did with Raspbian, follow the Debian instructions. Run apt-get install sysfsutils. Then put this in a file at /etc/sysfs.d/local-raspi-leds.conf:

class/leds/ACT/brightness = 1
class/leds/ACT/trigger = mmc1

Prepare for boot


To make sure all the /boot/firmware files are updated, run update-initramfs -u. Verify that root in /boot/firmware/cmdline.txt references the PARTUUID as appropriate. Verify that /boot/firmware/config.txt contains the lines arm_64bit=1 and upstream_kernel=1. If not, go back to the section on modifying /etc/default/raspi-firmware and fix it up.

The moment arrives


Cross your fingers and try rebooting into your Debian system:

reboot

For some reason, I found that the first boot into Debian seems to hang for 30-60 seconds during bootstrap. I’m not sure why; don’t panic if that happens. It may be necessary to power cycle the Pi for this boot.

Troubleshooting


If things don’t work out, hook up the Pi to a HDMI display and see what’s up. If I anticipated a particular problem, I would have documented it here (a lot of the things I documented here are because I ran into them!) So I can’t give specific advice other than to watch boot messages on the console. If you don’t even get kernel messages going, then there is some problem with your partition table or /boot/firmware FAT partition. Otherwise, you’ve at least got the kernel going and can troubleshoot like usual from there.

https://changelog.complete.org/archives/10622-live-migrating-from-raspberry-pi-os-bullseye-to-debian-bookworm

#raspberryPi


reshared this
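A pre-reboot check for the conditions listed under "Prepare for boot" in the post above, plus the /boot/firmware fstab entry from its first step. This is an added example, not part of the original post or of Debian's raspi-firmware package; the function names and the optional root-directory argument are assumptions made for illustration.

```shell
# Added example: verify the boot files before rebooting into Debian's kernel.
# Pass a root directory to check a copy of the files; no argument checks the live system.

# Succeeds if the kernel command line carries a root=PARTUUID=... argument.
cmdline_uses_partuuid() {
    # cmdline.txt is one line of space-separated arguments; test each on its own line.
    tr ' \t' '\n\n' < "$1" | grep -Eq '^root=PARTUUID=[0-9A-Fa-f-]+$'
}

# Succeeds if config.txt has an uncommented "key=value" line ($2 = key, $3 = value).
config_has() {
    grep -Eq "^[[:space:]]*${2}[[:space:]]*=[[:space:]]*${3}[[:space:]]*\$" "$1"
}

# Succeeds if fstab has an uncommented entry whose mount point is exactly /boot/firmware.
fstab_mounts_firmware() {
    awk '$1 !~ /^#/ && $2 == "/boot/firmware" { found = 1 } END { exit !found }' "$1"
}

# Runs every check, prints one line per failure, and returns the number of failures.
check_boot_files() {
    root=${1:-}
    failures=0
    cmdline_uses_partuuid "$root/boot/firmware/cmdline.txt" ||
        { echo "cmdline.txt: root= does not reference a PARTUUID"; failures=$((failures + 1)); }
    config_has "$root/boot/firmware/config.txt" arm_64bit 1 ||
        { echo "config.txt: arm_64bit=1 missing"; failures=$((failures + 1)); }
    config_has "$root/boot/firmware/config.txt" upstream_kernel 1 ||
        { echo "config.txt: upstream_kernel=1 missing"; failures=$((failures + 1)); }
    fstab_mounts_firmware "$root/etc/fstab" ||
        { echo "fstab: no entry mounted at /boot/firmware"; failures=$((failures + 1)); }
    return "$failures"
}

# On the Pi, after update-initramfs -u:  check_boot_files && echo "ready to reboot"
```

A commented-out line such as `#arm_64bit=1` counts as missing, and a root= argument that names a device such as /dev/mmcblk0p2 is reported, since that name can change under Debian's kernel.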
John Goerzen mastodon (AP)
@gregoa_ I hear you. I have also generally upgraded my Pis in-place despite the warnings against it, but it seems the warnings were particularly strident this time. I don't follow testing, but I know the stable releases lag significantly. Debian Bookworm came out on June 10, and RPi Bookworm took 4 more months. It's pretty annoying having all my other systems on bookworm, having to deal with bullseye differences for months, and then warnings not to upgrade after that.

Compile your kernel (or whatever) without wearing your ssd:

If you have /tmp on your SSD, instead of a tmpfs mount:

- create a new directory and mount it as tmpfs (1Gb)

# mkdir /tmp/tmp
# mount -t tmpfs -o size=1G tmpfs /tmp/tmp

- now tell gcc to use it:

# export TMPDIR=/tmp/tmp


I highly recommend supporting the Standard Ebooks project. 📚

«Standard Ebooks is a volunteer-driven project that produces new editions of public domain e-books that are lovingly formatted, open source, free of copyright restrictions, and free of cost.»

Donate 👇
https://standardebooks.org/donate

Please boost 🙏

#standardebook #standardebooks #ebook #ebooks #publicdomain #book #books #reading #epub #standard

Ereaders with a Standard Ebook open.
This entry was edited (1 month ago)
reshared this

nixCraft 🐧 mastodon (AP)
The predictable network interface device names in #Linux 🤣
The "swole doge and cheems" meme is a humorous way of discussing the predictable network interface device names in Linux. In the past, these names were simply "eth0," "eth1," etc. Nowadays, the naming convention has changed, and they are more complex, such as "enp0s31f6."
Diego Roversi reshared this.

Happy Festivus everyone! https://youtu.be/1njzgXSzA-A?si=YuQnjVfzQrXjllvN
#festivus #holidays #miracle
Diego Roversi reshared this.

Jonas Schäfer mastodon (AP)

https://www.postfix.org/smtp-smuggling.html

"SMTP Smuggling" vulnerability in Postfix allows spoofing senders even in the presence of some DMARC checks. Configuration workarounds exist.

Also, a wholehearted f* you to SEC Consult, who sat on this since June and disclosed it to some closed-source vendors and MSPs, but could apparently not be bothered to give e.g. Postfix a heads-up, publishing this close to the holidays.

Boosts for awareness welcome.

Edit: So this has kinda blown up, and especially because the author of the SEC advisory is going to have a slot at 37C3, I would like to add something important: I intentionally wrote "SEC Consult" above, not "$individual". Do not start harassing that person. For all we know, this is a corporate failure and the individual would actually appreciate guidance and tips. That does not mean to not ask the hard questions, but keep the framing in mind. They might genuinely have been told by their managers that that is how responsible disclosure works.

This entry was edited (1 month ago)
Deborah Pickett hometown (AP)

I see SEC Consult has amended their page https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ with something of an acknowledgment that they might have stuffed up disclosure a bit here. It does read a bit like "We contacted both vendors, Microsoft _and_ Cisco!"

A hearty Fuck You to SEC Consult for being bad at their one job, and a hearty side of Fuck You to Cisco for their arrogant "It's not a bug".

Now, after I have patched my Postfix server at $dayjob, back to my previously scheduled long weekend.


Optional Dictator mastodon (AP)

The internet is a big place. We can all have our own fedi. Each of us can have whatever kind of experience, community, connections, etc, we want here.

That’s the beauty of this place. There is enough room for everyone.

Be wary of anyone who tries to force you to be in community with them because of their myopic view of what online spaces should be.

We can make different decisions. We can make better decisions.

Andrew (cold) reshared this.

2024 is the year of no more "sprints." for security reasons, "snprints" is recommended instead.
Diego Roversi reshared this.

hackaday mastodon (AP)

If that cheapo desktop PSU feels a bit heavy, you might want to check and see if it has a box of iron filings inside. You know, for extra quality.

https://hackaday.com/2023/12/12/cheap-computer-psu-puts-on-weight-with-box-of-iron/

Diego Roversi reshared this.
remember when American keyboards came with steel plates just so they didn't feel as cheap as they were?
Same situation!!!
John Regehr mastodon (AP)
@penguin42 it's probably slag and it's probably toxic!

Infocert (but there are plenty of others): how to discourage the use of secure passwords in just 3 easy steps:

1) force a password change every 6 months
2) ask for a strong password (I generate mine randomly)
3) ask to confirm the password with copy/paste disabled

Result: an excellent password of 24 random alphanumeric characters, which takes forever to retype, gets replaced with "ForzaNapoli2023,.1", "ForzaNapoli2023,.2", "ForzaNapoli2023,.3", etc.

reshared this
Rapita dagli alieni mastodon (AP)
I've started using blasphemous curses! It's so liberating... :awesome:
they're probably dictionary-attack-proof too! genius! 🤣🤣🤣
Uriel Fanelli pleroma (AP)
they aren't, but if you take an MD5 hash of it, that might be the right way to go.

that was a joke; the problem is retyping an MD5 hash by hand, as certain sites demand

@rapitadaglialieni@puntarella.party

I've started using the initials of sentences. One of the first I used was something like:

Mi Sono Rotto Le Palle Di Cambiare La Password ("I'm Sick And Tired Of Changing The Password")

to be completed with numbers :D

Anyway, for the rest I agree 100%. Add the fact that no copy/paste means you can't manage it with a password manager, and that one is supposed to use a different password for every single service. In the end you convince people to use the same password everywhere, including sketchy sites that may well store user passwords in a db.

Old phone books from 50 or more years ago, kept casually on a shelf, also work well: ElviraGuidobaldiViaMilano42_764356 seems reasonable to me as a pw, if it's changed periodically.
@Diego Roversi @Bloved ⛵⛵⛵ in a db? why deprive yourself like that when you can store the passwords in cleartext on an AWS shard open for everyone to read? :D

exactly, I can't use the password manager to generate a new password for me. And warn me beforehand! NOT DURING A TRANSACTION THAT EXPIRES AFTER 60 seconds!

I don't remember which one it was, but there was a site that checked, via JavaScript, that you actually typed the password letter by letter: if you happened to tinker and re-enable copy/paste, the password was treated as empty 😭

Cuche akkoma (AP)
I use KeepassXC because it has the autotype feature that lets you bypass that crap
@diegor

Robb Knight mastodon (AP)

Updated: Please, Expose your RSS https://rknight.me/please-expose-your-rss/

Added @james's suggestion (which I've done on my site) of making the RSS icon/button orange.

A black bar showing a link to Mastodon with a purple icon, and a link to a subscribe page with an RSS icon in orange.
reshared this

highvoltage pleroma (AP)
All hail Linux!
Screenshot of kernel.org website indicating the 6.6.6 release of the Linux kernel
This entry was edited (2 months ago)
reshared this
A-wai :debian: mastodon (AP)
The kernel of the beast!

Mark Hymers mastodon (AP)

For anyone who is interested, the 6.1.66-1 #Debian kernel packages are now in the bookworm-proposed-updates suite (also known as proposed-updates) and are going out to the mirror network as I type.

These packages are replacements for the 6.1.64-1 packages which contain the ext4 corruption bug and should *not* be used.

A full stable point release which incorporates these kernel packages will follow as soon as is feasible.

reshared this
Mark Hymers mastodon (AP)

A little status update.

We're currently rebuilding the debian-installer for the point release. When those packages are ready, we will pulse them onto the mirrors (this is necessary to complete the installer build). At that time, we will also remove the 6.1.64-1 packages so that no further installs can happen.

Shortly afterwards, we will do a point release which will put 6.1.66-1 into stable on the mirrors.

Mark Hymers mastodon (AP)

The mirror push which removed the 6.1.64-1 binary packages has now happened.

We are now building the final debian-installer components so that we can start the point release.

This entry was edited (2 months ago)

Luca mastodon (AP)
https://www.youtube.com/watch?v=yDp3cB5fHXQ
it's almost 4 hours, but it's worth every one of them.
and now I understand why a thousand years pass between one video and the next, as with the best YouTube channels (see oversimplified)
Diego Roversi reshared this.