Tootfinder

Do I know anyone involved with #Debian packaging?

And if it goes wrong and my computer explodes - I still have my second desktop with Debian 😆
#fedora #debian #linux

Right, I've managed to compile UnrealEngine for #Debian Stable, which feels like an achievement. If only I could do the same for a reasonably modern version of Shotwell!
#GameDev

Orphaned two of my #Debian packages today:
* #wicd: https://bugs.debian.org/1071199 (Upstream halfdead but h…

Orphaned two of my #Debian packages today:
* #wicd: https://bugs.debian.org/1071199 (Upstream halfdead but h…

#Debian 12 -- current stable -- provides Gradle 4.4.1. The current stable version of Gradle is 8.7.
Yes, the reason I choose and use Debian is because it is conservative, which means things don't break often. But that seems wildly out of date!

It really is a step backwards for most folk when #AI credentials mean more than factual accuracy.
A simple lookup table would have correctly shown that #Debian #Linux 10.x is called buster (trixie is the name of t…

It lives...!
Reinstalled #MintLinux “Vera” from DVD, so #Debian (and any #ArchLinux adventures) are on hold for the duration.

Hmmm, anyone familiar with the internals of #Zabbix happen to know why the 7.0.0 repo doesn't support #RaspberryPi running #Debian 12 (bookworm)?
They hav…

Yay, #Debian reduces #OpenSSH dependencies (in Debian Unstable for now) and removes #libsystemd dependency.
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification an…

I'm starting work on migrating my personal workstations from the most popular Debian-based distro back to #Debian again. There will be some challenges, I'm sure. But it's been long in coming. For now, I'll be dual-booting until I've made sure that everything I had working in the old distro will work fine in #Debian12

I should clarify that I’d reinstalled #MintLinux on Blue 1T (secondary PC, which remains stubbornly off) and Black 1T (primary), which died running #Debian. Surprisingly Black 1T booted, the technician notwithstanding.

Ohh lord, thanks to Timeshift I recovered my openbox session in Debian.
I went to spectrwm again but didn't conviced me then when I installed again Openbox the submenu piped in right click didn't work. :(
I had have to rollback.
#debian #timeshift

I can't believe I need to go through a pq import/export step every time I want to test a change to the build. Surely the #debian #gpb infrastructure allows you to test the build in situ while you are putting stuff together?

TIL deborphan. This makes me happy. #Debian #Linux

Because of a driver issues on my #ThinkPad with #Debian, I've tried to Install #Windows 11 in dual boot. Kind of funny that I can't even click the install-button because of missing driv…

I think I've whinged here before about my difficulties with #Shotwell after switching from #Ubuntu to #Debian. Well, I've fixed it, and I've published a gist in case anyone wants to do the same.

Downgrading Shotwell database from 23/0.31.5 to 20/0.30.17
Downgrading Shotwell database from 23/0.31.5 to 20/0.30.17 - Downgrading Shotwell database.md

Dunno if I made the #ArchLinux thumb drive bootable. I’ve two computers I can’t turn on (marvelous me). Shall unplug the #Debian SSD, swap things.

#Lintian merge request list down to a single page again. Phew!
#Debian

Anyone has an idea why for a few weeks, the #ComposeKey under #X11 on #Debian Unstable (set via "setxkbmap -option compose:menu -option compose:rwin -option compose:rctrl -option compose:ralt") suddenly …

Need some help.
I just flashed raspberry pi is lite 64 bit to an SD card and plugged it into a pi. I setup WiFi on the pi imager but wlan0 doesn't connect, Ethernet is fine. It's in a cluster tower and the other pi is connected to WiFi fine, same network.
Any ideas?
#linux #debian

Hace unos días probé #LocOS en una MSI netbook. Se re defendió el loco con lo limitante de ese hardware. #debian #linux

#BikeStreak, Day 65: After work from home I rode to the #Debian meetup at the https://dapizi2017.ch/ restaurant in Zu…

I have a machine in #VirtualBox (VirtualBox 7.0, #Debian 12) that randomly freezes for no discernible reason - most of the times it happens after a few minutes of operation, with no significant load. I also can't shut down the virtual machine (process goes into overdrive gobbling up CPU)…

#BikeStreak, Day 65: After work from home I rode to the #Debian meetup at the https://dapizi2017.ch/ restaurant in Zu…

•••my new best friend is deborphan #Debian #Linux
•••I don’t think Baltimore has been in the news since The Wire went off the air. Major, major infrastructure clusterfuck.
#KeyBridgeCollapse

From now on, I am hiring Meemaw to train my engineers. This is so wholesome.
#linux #debian #training #ffmpeg #HowTo

My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…

#30DaysOfBiking, Day Two: A Triangle
Normal morning commute.
In the early evening cycling over #Bucheggplatz and Kornhausbrücke towards Josefstrasse for the #Debian Switzerland

From now on, I am hiring Meemaw to train my engineers. This is so wholesome.
#linux #debian #training #ffmpeg #HowTo

My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…

#TIL: A #Xen #Dom0 running #Debian 12 Bookworm or #Gentoo

#TIL: A #Xen #Dom0 running #Debian 12 Bookworm or #Gentoo