X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/e1a848631f3018a38b20f81b6517319283f236e2..d6886f7be80b96366e231e17e1aba1aa839e969e:/blog/index.html diff --git a/blog/index.html b/blog/index.html index 23c7c14163..12d04c8d16 100644 --- a/blog/index.html +++ b/blog/index.html @@ -3,15 +3,15 @@ Petter Reinholdtsen - - + +

- Petter Reinholdtsen + Petter Reinholdtsen

@@ -20,143 +20,87 @@
-
Forcing new users to change their password on first login
-
2010-05-02 13:40
+
LUMA, a very nice LDAP GUI
+
2010-06-28 00:30
-

One interesting feature in Active Directory, is the ability to -create a new user with an expired password, and thus force the user to -change the password on the first login attempt.

- -

I'm not quite sure how to do that with the LDAP setup in Debian -Edu, but did some initial testing with a local account. The account -and password aging information is available in /etc/shadow, but -unfortunately, it is not possible to specify an expiration time for -passwords, only a maximum age for passwords.

- -

A freshly created account (using adduser test) will have these -settings in /etc/shadow:

- -
-root@tjener:~# chage -l test
-Last password change                                    : May 02, 2010
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 99999
-Number of days of warning before password expires       : 7
-root@tjener:~#
-
- -

The only way I could come up with to create a user with an expired -account, is to change the date of the last password change to the -lowest value possible (January 1th 1970), and the maximum password age -to the difference in days between that date and today. To make it -simple, I went for 30 years (30 * 365 = 10950) and January 2th (to -avoid testing if 0 is a valid value).

- -

After using these commands to set it up, it seem to work as -intended:

- -
-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change                                    : Jan 02, 1970
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 10950
-Number of days of warning before password expires       : 7
-root@tjener:~#  
-
- -

So far I have tested this with ssh and console, and kdm (in -Squeeze) login, and all ask for a new password before login in the -user (with ssh, I was thrown out and had to log in again).

- -

Perhaps we should set up something similar for Debian Edu, to make -sure only the user itself have the account password?

- -

If you want to comment on or help out with implementing this for -Debian Edu, please contact us on debian-edu@lists.debian.org.

+

The last few days I have been looking into the status of the LDAP +directory in Debian Edu, and in the process I started to miss a GUI +tool to browse the LDAP tree. The only one I was able to find in +Debian/Squeeze and Lenny is +LUMA, which has proved to +be a great tool to get a overview of the current LDAP directory +populated by default in Skolelinux. Thanks to it, I have been able to +find empty and obsolete subtrees, misplaced objects and duplicate +objects. It will be installed by default in Debian/Squeeze. If you +are working with LDAP, give it a go. :)

+ +

I did notice one problem with it I have not had time to report to +the BTS yet. There is no .desktop file in the package, so the tool do +not show up in the Gnome and KDE menus, but only deep down in in the +Debian submenu in KDE. I hope that can be fixed before Squeeze is +released.

+ +

I have not yet been able to get it to modify the tree yet. I would +like to move objects and remove subtrees directly in the GUI, but have +not found a way to do that with LUMA yet. So in the mean time, I use +ldapvi for that.

+ +

If you have tips on other GUI tools for LDAP that might be useful +in Debian Edu, please contact us on debian-edu@lists.debian.org.

- Tags: debian edu, english, nuug. + Tags: debian, debian edu, english, ldap, nuug.
-
Thoughts on roaming laptop setup for Debian Edu
-
2010-04-28 20:40
+
Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object
+
2010-06-24 00:35
-

For some years now, I have wondered how we should handle laptops in -Debian Edu. The Debian Edu infrastructure is mostly designed to -handle stationary computers, and less suited for computers that come -and go.

- -

Now I finally believe I have an sensible idea on how to adjust -Debian Edu for laptops, by introducing a new profile for them, for -example called Roaming Workstations. Here are my thought on this. -The setup would consist of the following:

- -
    - -
  • During installation, the user name of the owner / primary user of - the laptop is requested and a local home directory is set up for - the user, with uid and gid information fetched from the LDAP - server. This allow the user to work also when offline. The - central home directory can be available in a subdirectory on - request, for example mounted via CIFS. It could be mounted - automatically when a user log in while on the Debian Edu network, - and unmounted when the machine is taken away (network down, - hibernate, etc), it can be set up to do automatic mounting on - request (using autofs), or perhaps some GUI button on the desktop - can be used to access it when needed. Perhaps it is enough to use - the fish protocol in KDE?
    • - -
  • Password checking is set up to use LDAP or Kerberos - authentication when the machine is on the Debian Edu network, and - to cache the password for offline checking when the machine unable - to reach the LDAP or Kerberos server. This can be done using - libpam-ccreds - or the Fedora developed - System - Security Services Daemon packages.
    • - -
  • File synchronisation with the central home directory is set up - using a shared directory in both the local and the central home - directory, using unison.
    • - -
  • Printing should be set up to print to all printers broadcasting - their existence on the local network, and should then work out of - the box with CUPS. For sites needing accurate printer quotas, some - system with Kerberos authentication or printing via ssh could be - implemented.
    • - -
  • For users that should have local root access to their laptop, - sudo should be used to allow this to the local user.
    • - -
  • It would be nice if user and group information from LDAP is - cached on the client, but given that there are entries for the - local user and primary group in /etc/, it should not be needed.
    • - -
- -

I believe all the pieces to implement this are in Debian/testing at -the moment. If we work quickly, we should be able to get this ready -in time for the Squeeze release to freeze. Some of the pieces need -tweaking, like libpam-ccreds should get support for pam-auth-update -(#566718) and nslcd (or -perhaps debian-edu-config) should get some integration code to stop -its daemon when the LDAP server is unavailable to avoid long timeouts -when disconnected from the net. If we get Kerberos enabled, we need -to make sure we avoid long timeouts there too.

+

A while back, I +complained +about the fact that it is not possible with the provided schemas +for storing DNS and DHCP information in LDAP to combine the two sets +of information into one LDAP object representing a computer.

+ +

In the mean time, I discovered that a simple fix would be to make +the dhcpHost object class auxiliary, to allow it to be combined with +the dNSDomain object class, and thus forming one object for one +computer when storing both DHCP and DNS information in LDAP.

+ +

If I understand this correctly, it is not safe to do this change +without also changing the assigned number for the object class, and I +do not know enough about LDAP schema design to do that properly for +Debian Edu.

+ +

Anyway, for future reference, this is how I believe we could change +the +DHCP +schema to solve at least part of the problem with the LDAP schemas +available today from IETF.

+ +
+--- dhcp.schema    (revision 65192)
++++ dhcp.schema    (working copy)
+@@ -376,7 +376,7 @@
+ objectclass ( 2.16.840.1.113719.1.203.6.6
+        NAME 'dhcpHost'
+        DESC 'This represents information about a particular client'
+-       SUP top
++       SUP top AUXILIARY
+        MUST cn
+        MAY  (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
+        X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
+
+ +

I very much welcome clues on how to do this properly for Debian +Edu/Squeeze. We provide the DHCP schema in our debian-edu-config +package, and should thus be free to rewrite it as we see fit.

If you want to help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.

@@ -165,315 +109,655 @@ please contact us on debian-edu@lists.debian.org.

- Tags: debian edu, english, nuug. + Tags: debian, debian edu, english, ldap, nuug.
-
Great book: "Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future"
-
2010-04-19 17:10
+
Calling tasksel like the installer, while still getting useful output
+
2010-06-16 14:55
-

The last few weeks i have had the pleasure of reading a -thought-provoking collection of essays by Cory Doctorow, on topics -touching copyright, virtual worlds, the future of man when the -conscience mind can be duplicated into a computer and many more. The -book titled "Content: Selected Essays on Technology, Creativity, -Copyright, and the Future of the Future" is available with few -restrictions on the web, for example from -his own site. I read the -epub-version from -feedbooks using -fbreader and my N810. I -strongly recommend this book.

+

A few times I have had the need to simulate the way tasksel +installs packages during the normal debian-installer run. Until now, +I have ended up letting tasksel do the work, with the annoying problem +of not getting any feedback at all when something fails (like a +conffile question from dpkg or a download that fails), using code like +this: + +

+export DEBIAN_FRONTEND=noninteractive
+tasksel --new-install
+
+ +This would invoke tasksel, let its automatic task selection pick the +tasks to install, and continue to install the requested tasks without +any output what so ever. + +Recently I revisited this problem while working on the automatic +package upgrade testing, because tasksel would some times hang without +any useful feedback, and I want to see what is going on when it +happen. Then it occured to me, I can parse the output from tasksel +when asked to run in test mode, and use that aptitude command line +printed by tasksel then to simulate the tasksel run. I ended up using +code like this: + +
+export DEBIAN_FRONTEND=noninteractive
+cmd="$(in_target tasksel -t --new-install | sed 's/debconf-apt-progress -- //')"
+$cmd
+
+ +

The content of $cmd is typically something like "aptitude -q +--without-recommends -o APT::Install-Recommends=no -y install +~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired +~pimportant", which will install the gnome desktop task, the +laptop task and all packages with priority standard , required and +important, just like tasksel would have done it during +installation.

+ +

A better approach is probably to extend tasksel to be able to +install packages without using debconf-apt-progress, for use cases +like this.

- Tags: english, fildeling, nuug, opphavsrett, personvern, sikkerhet, web. + Tags: debian, english, nuug.
-
Kerberos for Debian Edu/Squeeze?
-
2010-04-14 17:20
+
Vinmonopolet bryter loven åpenlyst - og flere planlegger å gjøre det samme
+
2010-06-16 11:00
-

Yesterdays -NUUG presentation about Kerberos was inspiring, and reminded me -about the need to start using Kerberos in Skolelinux. Setting up a -Kerberos server seem to be straight forward, and if we get this in -place a long time before the Squeeze version of Debian freezes, we -have a chance to migrate Skolelinux away from NFSv3 for the home -directories, and over to an architecture where the infrastructure do -not have to trust IP addresses and machines, and instead can trust -users and cryptographic keys instead.

- -

A challenge will be integration and administration. Is there a -Kerberos implementation for Debian where one can control the -administration access in Kerberos using LDAP groups? With it, the -school administration will have to maintain access control using flat -files on the main server, which give a huge potential for errors.

- -

A related question I would like to know is how well Kerberos and -pam-ccreds (offline password check) work together. Anyone know?

- -

Next step will be to use Kerberos for access control in Lwat and -Nagios. I have no idea how much work that will be to implement. We -would also need to document how to integrate with Windows AD, as such -shared network will require two Kerberos realms that need to cooperate -to work properly.

- -

I believe a good start would be to start using Kerberos on the -skolelinux.no machines, and this way get ourselves experience with -configuration and integration. A natural starting point would be -setting up ldap.skolelinux.no as the Kerberos server, and migrate the -rest of the machines from PAM via LDAP to PAM via Kerberos one at the -time.

- -

If you would like to contribute to get this working in Skolelinux, -I recommend you to see the video recording from yesterdays NUUG -presentation, and start using Kerberos at home. The video show show -up in a few days.

+

Dagbladet +melder at Vinmonopolet med bakgrunn i vekterstreiken som pågår i +Norge for tiden, har bestemt seg for med vitende og vilje å bryte +sentralbanklovens paragraf 14 ved å nekte folk å betale med +kontanter, og at flere butikker planlegger å følge deres eksempel. +Jeg synes det er hårreisende hvis de slipper unna med et slikt +soleklart lovbrudd, og lurer på hva slags muligheter jeg vil ha hvis +jeg blir nektet å handle med kontanter. Jeg handler i hovedsak med +kontanter selv, da jeg anser det som en borgerrett å kunne handle +anonymt uten at det blir registrert. For meg er det et angrep på mitt +personvern å nekte å ta imot kontant betaling.

+ +

Paragrafen +i sentralbankloven lyder:

+ +
+

§ 14. Tvungent betalingsmiddel

+ +

Bankens sedler og mynter er tvungent betalingsmiddel i Norge. Ingen +er pliktig til i én betaling å ta imot mer enn femogtyve mynter av +hver enhet.

+ +

Sterkt skadde sedler og mynter er ikke tvungent +betalingsmiddel. Banken gir nærmere forskrifter om erstatning for +bortkomne, brente eller skadde sedler og mynter.

+ +

Selv om en avtale inneholder klausul om betaling av en +pengeforpliktelse i gullverdi, kan skyldneren frigjøre seg med tvungne +betalingsmidler uten hensyn til denne klausul.

+
+ +

Det er med bakgrunn i denne lovet ikke tillatt å nekte å ta imot +kontakt betaling. Det er en lov jeg har sans for, og som jeg mener må +håndheves strengt.

- Tags: debian edu, english, nuug. + Tags: norsk, personvern.
-
PÃ¥ vegne av vanvitting mange, Aftenposten!
-
2010-03-06 21:15
+
Officeshots taking shape
+
2010-06-13 11:40
-

Aftenposten -melder på forsiden av webavisen sin at de tror Erling Fossen -provoserer nordlendinger med sine uttalelser på -fotballtinget. Jeg er utflyttet nordlending, og må innrømme at jeg -ikke kjennet så mye som et snev av provokasjon fra denne litt morsomme -uttalelsen til Hr. Fossen. Lurer på om Aftenposten har noen kilder -utenom redaksjonen for sin påstand om at nordledinger er provosert av -Hr. Fossen. Må innrømme at jeg tviler på det.

- -

Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.

+

For those of us caring about document exchange and +interoperability, OfficeShots +is a great service. It is to ODF documents what +BrowserShots is for web +pages.

+ +

A while back, I was contacted by Knut Yrvin at the part of Nokia +that used to be Trolltech, who wanted to help the OfficeShots project +and wondered if the University of Oslo where I work would be +interested in supporting the project. I helped him to navigate his +request to the right people at work, and his request was answered with +a spot in the machine room with power and network connected, and Knut +arranged funding for a machine to fill the spot. The machine is +administrated by the OfficeShots people, so I do not have daily +contact with its progress, and thus from time to time check back to +see how the project is doing.

+ +

Today I had a look, and was happy to see that the Dell box in our +machine room now is the host for several virtual machines running as +OfficeShots factories, and the project is able to render ODF documents +in 17 different document processing implementation on Linux and +Windows. This is great.

- Tags: norsk. + Tags: english, standard.
-
After 6 years of waiting, the Xreset.d feature is implemented
-
2010-03-06 18:15
+
Lenny->Squeeze upgrades, removals by apt and aptitude
+
2010-06-13 09:05
-

6 years ago, as part of the Debian Edu development I am involved -in, I asked for a hook in the kdm and gdm setup to run scripts as root -when the user log out. A bug was submitted against the xfree86-common -package in 2004 (#230422), -and revisited every time Debian Edu was working on a new release. -Today, this finally paid off.

- -

The framework for this feature was today commited to the git -repositry for the xorg package, and the git repository for xdm has -been updated to use this framework. Next on my agenda is to make sure -kdm and gdm also add code to use this framework.

- -

In Debian Edu, we want to ability to run commands as root when the -user log out, to get rid of runaway processes and do general cleanup -after a user. With this framework in place, we finally can do that in -a generic way that work with all display managers using this -framework. My goal is to get all display managers in Debian use it, -similar to how they use the Xsession.d framework today.

+

My +testing +of Debian upgrades from Lenny to Squeeze continues, and I've +finally made the upgrade logs available from +http://people.skolelinux.org/pere/debian-upgrade-testing/. +I am now testing dist-upgrade of Gnome and KDE in a chroot using both +apt and aptitude, and found their differences interesting. This time +I will only focus on their removal plans.

+ +

After installing a Gnome desktop and the laptop task, apt-get wants +to remove 72 packages when dist-upgrading from Lenny to Squeeze. The +surprising part is that it want to remove xorg and all +xserver-xorg-video* drivers. Clearly not a good choice, but I am not +sure why. When asking aptitude to do the same, it want to remove 129 +packages, but most of them are library packages I suspect are no +longer needed. Both of them want to remove bluetooth packages, which +I do not know. Perhaps these bluetooth packages are obsolete?

+ +

For KDE, apt-get want to remove 82 packages, among them kdebase +which seem like a bad idea and xorg the same way as with Gnome. Asking +aptitude for the same, it wants to remove 192 packages, none which are +too surprising.

+ +

I guess the removal of xorg during upgrades should be investigated +and avoided, and perhaps others as well. Here are the complete list +of planned removals. The complete logs is available from the URL +above. Note if you want to repeat these tests, that the upgrade test +for kde+apt-get hung in the tasksel setup because of dpkg asking +conffile questions. No idea why. I worked around it by using +'echo >> /proc/pidofdpkg/fd/0' to tell dpkg to +continue.

+ +

apt-get gnome 72 +
bluez-gnome cupsddk-drivers deskbar-applet gnome + gnome-desktop-environment gnome-network-admin gtkhtml3.14 + iceweasel-gnome-support libavcodec51 libdatrie0 libgdl-1-0 + libgnomekbd2 libgnomekbdui2 libmetacity0 libslab0 libxcb-xlib0 + nautilus-cd-burner python-gnome2-desktop python-gnome2-extras + serpentine swfdec-mozilla update-manager xorg xserver-xorg + xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-input-wacom + xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark + xserver-xorg-video-ati xserver-xorg-video-chips + xserver-xorg-video-cirrus xserver-xorg-video-cyrix + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-imstt + xserver-xorg-video-intel xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nsc xserver-xorg-video-nv + xserver-xorg-video-openchrome xserver-xorg-video-r128 + xserver-xorg-video-radeon xserver-xorg-video-radeonhd + xserver-xorg-video-rendition xserver-xorg-video-s3 + xserver-xorg-video-s3virge xserver-xorg-video-savage + xserver-xorg-video-siliconmotion xserver-xorg-video-sis + xserver-xorg-video-sisusb xserver-xorg-video-tdfx + xserver-xorg-video-tga xserver-xorg-video-trident + xserver-xorg-video-tseng xserver-xorg-video-v4l + xserver-xorg-video-vesa xserver-xorg-video-vga + xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-1.9 + xulrunner-1.9-gnome-support

+ +

aptitude gnome 129 + +
bluez-gnome bluez-utils cpp-4.3 cupsddk-drivers dhcdbd + djvulibre-desktop finger gnome-app-install gnome-mount + gnome-network-admin gnome-spell gnome-vfs-obexftp + gnome-volume-manager gstreamer0.10-gnomevfs gtkhtml3.14 libao2 + libavahi-compat-libdnssd1 libavahi-core5 libavcodec51 libbluetooth2 + libcamel1.2-11 libcdio7 libcucul0 libcupsys2 libcurl3 libdatrie0 + libdirectfb-1.0-0 libdvdread3 libedataserver1.2-9 libeel2-2.20 + libeel2-data libepc-1.0-1 libepc-ui-1.0-1 libfaad0 libgail-common + libgd2-noxpm libgda3-3 libgda3-common libgdl-1-0 libgdl-1-common + libggz2 libggzcore9 libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 + libgnomecups1.0-1 libgnomekbd2 libgnomekbdui2 libgnomeprint2.2-0 + libgnomeprint2.2-data libgnomeprintui2.2-0 libgnomeprintui2.2-common + libgnomevfs2-bin libgpod3 libgraphviz4 libgtkhtml2-0 + libgtksourceview-common libgtksourceview1.0-0 libgucharmap6 + libhesiod0 libicu38 libiw29 libkpathsea4 libltdl3 libmagick++10 + libmagick10 libmalaga7 libmetacity0 libmtp7 libmysqlclient15off + libnautilus-burn4 libneon27 libnm-glib0 libnm-util0 libopal-2.2 + libosp5 libparted1.8-10 libpoppler-glib3 libpoppler3 libpt-1.10.10 + libpt-1.10.10-plugins-alsa libpt-1.10.10-plugins-v4l libraw1394-8 + libsensors3 libslab0 libsmbios2 libsoup2.2-8 libssh2-1 + libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 libtotem-plparser10 + libtrackerclient0 libxalan2-java libxalan2-java-gcj libxcb-xlib0 + libxerces2-java libxerces2-java-gcj libxklavier12 libxtrap6 + libxxf86misc1 libzephyr3 mysql-common nautilus-cd-burner + openoffice.org-writer2latex openssl-blacklist p7zip + python-4suite-xml python-eggtrayicon python-gnome2-desktop + python-gnome2-extras python-gtkhtml2 python-gtkmozembed + python-numeric python-sexy serpentine svgalibg1 swfdec-gnome + swfdec-mozilla totem-gstreamer update-manager wodim + xserver-xorg-video-cyrix xserver-xorg-video-imstt + xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga + zip

+ +

apt-get kde 82 + +
cupsddk-drivers karm kaudiocreator kcoloredit kcontrol kde kde-core + kdeaddons kdeartwork kdebase kdebase-bin kdebase-bin-kde3 + kdebase-kio-plugins kdesktop kdeutils khelpcenter kicker + kicker-applets knewsticker kolourpaint konq-plugins konqueror korn + kpersonalizer kscreensaver ksplash libavcodec51 libdatrie0 libkiten1 + libxcb-xlib0 quanta superkaramba texlive-base-bin xorg xserver-xorg + xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev + xserver-xorg-input-kbd xserver-xorg-input-mouse + xserver-xorg-input-synaptics xserver-xorg-input-wacom + xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark + xserver-xorg-video-ati xserver-xorg-video-chips + xserver-xorg-video-cirrus xserver-xorg-video-cyrix + xserver-xorg-video-dummy xserver-xorg-video-fbdev + xserver-xorg-video-glint xserver-xorg-video-i128 + xserver-xorg-video-i740 xserver-xorg-video-imstt + xserver-xorg-video-intel xserver-xorg-video-mach64 + xserver-xorg-video-mga xserver-xorg-video-neomagic + xserver-xorg-video-nsc xserver-xorg-video-nv + xserver-xorg-video-openchrome xserver-xorg-video-r128 + xserver-xorg-video-radeon xserver-xorg-video-radeonhd + xserver-xorg-video-rendition xserver-xorg-video-s3 + xserver-xorg-video-s3virge xserver-xorg-video-savage + xserver-xorg-video-siliconmotion xserver-xorg-video-sis + xserver-xorg-video-sisusb xserver-xorg-video-tdfx + xserver-xorg-video-tga xserver-xorg-video-trident + xserver-xorg-video-tseng xserver-xorg-video-v4l + xserver-xorg-video-vesa xserver-xorg-video-vga + xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-1.9

+ +

aptitude kde 192 +
bluez-utils cpp-4.3 cupsddk-drivers cvs dcoprss dhcdbd + djvulibre-desktop dosfstools eyesapplet fifteenapplet finger gettext + ghostscript-x imlib-base imlib11 indi kandy karm kasteroids + kaudiocreator kbackgammon kbstate kcoloredit kcontrol kcron kdat + kdeadmin-kfile-plugins kdeartwork-misc kdeartwork-theme-window + kdebase-bin-kde3 kdebase-kio-plugins kdeedu-data + kdegraphics-kfile-plugins kdelirc kdemultimedia-kappfinder-data + kdemultimedia-kfile-plugins kdenetwork-kfile-plugins + kdepim-kfile-plugins kdepim-kio-plugins kdeprint kdesktop kdessh + kdict kdnssd kdvi kedit keduca kenolaba kfax kfaxview kfouleggs + kghostview khelpcenter khexedit kiconedit kitchensync klatin + klickety kmailcvt kmenuedit kmid kmilo kmoon kmrml kodo kolourpaint + kooka korn kpager kpdf kpercentage kpf kpilot kpoker kpovmodeler + krec kregexpeditor ksayit ksim ksirc ksirtet ksmiletris ksmserver + ksnake ksokoban ksplash ksvg ksysv ktip ktnef kuickshow kverbos + kview kviewshell kvoctrain kwifimanager kwin kwin4 kworldclock + kxsldbg libakode2 libao2 libarts1-akode libarts1-audiofile + libarts1-mpeglib libarts1-xine libavahi-compat-libdnssd1 + libavahi-core5 libavc1394-0 libavcodec51 libbluetooth2 + libboost-python1.34.1 libcucul0 libcurl3 libcvsservice0 libdatrie0 + libdirectfb-1.0-0 libdjvulibre21 libdvdread3 libfaad0 libfreebob0 + libgail-common libgd2-noxpm libgraphviz4 libgsmme1c2a libgtkhtml2-0 + libicu38 libiec61883-0 libindex0 libiw29 libk3b3 libkcal2b libkcddb1 + libkdeedu3 libkdepim1a libkgantt0 libkiten1 libkleopatra1 libkmime2 + libkpathsea4 libkpimexchange1 libkpimidentities1 libkscan1 + libksieve0 libktnef1 liblockdev1 libltdl3 libmagick10 libmimelib1c2a + libmozjs1d libmpcdec3 libneon27 libnm-util0 libopensync0 libpisock9 + libpoppler-glib3 libpoppler-qt2 libpoppler3 libraw1394-8 libsmbios2 + libssh2-1 libsuitesparse-3.1.0 libtalloc1 libtiff-tools + libxalan2-java libxalan2-java-gcj libxcb-xlib0 libxerces2-java + libxerces2-java-gcj libxtrap6 mpeglib networkstatus + openoffice.org-writer2latex pmount poster psutils quanta quanta-data + superkaramba svgalibg1 tex-common texlive-base texlive-base-bin + texlive-common texlive-doc-base texlive-fonts-recommended + xserver-xorg-video-cyrix xserver-xorg-video-imstt + xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga + xulrunner-1.9

+
- Tags: debian edu, english, nuug. + Tags: debian, debian edu, english.
-
Digitale bøker uten digitale restriksjonsmekanismer (DRM) bør få mva-fritak
-
2010-03-03 19:00
+
Åpne trådløsnett er et samfunnsgode
+
2010-06-12 12:45
-

Den norske bokbransjen har -bedt om at -digitale bøker må få mva-fritak slik papirbøker har det, og -finansdepartementet -har sagt nei. Det er et interessant spørsmål om digitale bøker -bør ha mva-fritak eller ikke, og svaret er ikke så enkelt som et ja -eller nei. -Enkelte -medlemmer av bokbransjen truer med å droppe den planlagte -lanseringen av norske digitale bøker med digitale restriksjonsmekanismer -(DRM) som de har snakket om å gjennomføre nå i vår, og det må de -gjerne gjøre for min del.

- -

Papirbøker har mva-fritak pga. at de fremmer kultur- og -kunnskapsspredning. Digitale bøker uten digitale -restriksjonsmekanismer (DRM) fremmer kultur- og kunnskapsspredning, -mens digitale bøker med DRM hindrer kultur og kunnskapsspredning. -Digitale bøker uten DRM bør få mva-fritak da det er salg av bøker på -lik linje med salg av papirbøker, mens digitale bøker med DRM ikke bør -få det da det er utleie av bøker og ikke salg.

- -

Jeg foretrekker å kjøpe bøker, og velger dermed å la være å bruke -DRM-belastede digitale bøker. Vet ikke helt hva jeg ville være villig -til å betale for å leie en bok, men tror ikke det er mange kronene. -Heldigvis er det mye bøker tilgjengelig uten slike restriksjoner, og -de som vil ha tak i engelske bøker kan laste ned bøker som er -tilgjengelig uten bruksbegresninger fra The -Internet Archive. Der er det pr. i dag 1 889 313 bøker -tilgjengelig. De er tilgjengelig i flere formater. Besøk -oversikten over tekster -der for å se hva de har. +

Veldig glad for å oppdage via +Slashdot +at folk i Finland har forstått at åpne trådløsnett er et samfunnsgode. +Jeg ser på åpne trådløsnett som et fellesgode på linje med retten til +ferdsel i utmark og retten til å bevege seg i strandsonen. Jeg har +glede av åpne trådløsnett når jeg finner dem, og deler gladelig nett +med andre så lenge de ikke forstyrrer min bruk av eget nett. +Nettkapasiteten er sjelden en begrensning ved normal browsing og enkel +SSH-innlogging (som er min vanligste nettbruk), og nett kan brukes til +så mye positivt og nyttig (som nyhetslesing, sjekke været, kontakte +slekt og venner, holde seg oppdatert om politiske saker, kontakte +organisasjoner og politikere, etc), at det for meg er helt urimelig å +blokkere dette for alle som ikke gjør en flue fortred. De som mener +at potensialet for misbruk er grunn nok til å hindre all den positive +og lovlydige bruken av et åpent trådløsnett har jeg dermed ingen +forståelse for. En kan ikke eksistensen av forbrytere styre hvordan +samfunnet skal organiseres. Da får en et kontrollsamfunn de færreste +ønsker å leve i, og det at vi har et samfunn i Norge der tilliten til +hverandre er høy gjør at samfunnet fungerer ganske godt. Det bør vi +anstrenge oss for å beholde.

- Tags: norsk, nuug, opphavsrett. + Tags: fildeling, norsk, nuug, opphavsrett, personvern, sikkerhet.
-
Debian Edu / Skolelinux based on Lenny released, work continues
-
2010-02-11 17:15
+
Automatic upgrade testing from Lenny to Squeeze
+
2010-06-11 22:50
-

On Tuesday, the Debian/Lenny based version of -Skolelinux was finally -shipped. This was a major leap forward for the project, and I am very -pleased that we finally got the release wrapped up. Work on the first -point release starts imediately, as we plan to get that one out a -month after the major release, to include all fixes for bugs we found -and fixed too late in the release process to include last Tuesday.

- -

Perhaps it even is time for some partying?

- -

After this first point release, my plan is to focus again on the -next major release, based on Squeeze. We will try to get as many of -the fixes we need into the official Debian packages before the freeze, -and have just a few weeks or months to make it happen.

+

The last few days I have done some upgrade testing in Debian, to +see if the upgrade from Lenny to Squeeze will go smoothly. A few bugs +have been discovered and reported in the process +(#585410 in nagios3-cgi, +#584879 already fixed in +enscript and #584861 in +kdebase-workspace-data), and to get a more regular testing going on, I +am working on a script to automate the test.

+ +

The idea is to create a Lenny chroot and use tasksel to install a +Gnome or KDE desktop installation inside the chroot before upgrading +it. To ensure no services are started in the chroot, a policy-rc.d +script is inserted. To make sure tasksel believe it is to install a +desktop on a laptop, the tasksel tests are replaced in the chroot +(only acceptable because this is a throw-away chroot).

+ +

A naive upgrade from Lenny to Squeeze using aptitude dist-upgrade +currently always fail because udev refuses to upgrade with the kernel +in Lenny, so to avoid that problem the file /etc/udev/kernel-upgrade +is created. The bug report +#566000 make me suspect +this problem do not trigger in a chroot, but I touch the file anyway +to make sure the upgrade go well. Testing on virtual and real +hardware have failed me because of udev so far, and creating this file +do the trick in such settings anyway. This is a +known +issue and the current udev behaviour is intended by the udev +maintainer because he lack the resources to rewrite udev to keep +working with old kernels or something like that. I really wish the +udev upstream would keep udev backwards compatible, to avoid such +upgrade problem, but given that they fail to do so, I guess +documenting the way out of this mess is the best option we got for +Debian Squeeze.

+ +

Anyway, back to the task at hand, testing upgrades. This test +script, which I call upgrade-test for now, is doing the +trick:

+ +
+#!/bin/sh
+set -ex
+
+if [ "$1" ] ; then
+    desktop=$1
+else
+    desktop=gnome
+fi
+
+from=lenny
+to=squeeze
+
+exec < /dev/null
+unset LANG
+mirror=http://ftp.skolelinux.org/debian
+tmpdir=chroot-$from-upgrade-$to-$desktop
+fuser -mv .
+debootstrap $from $tmpdir $mirror
+chroot $tmpdir aptitude update
+cat > $tmpdir/usr/sbin/policy-rc.d <<EOF
+#!/bin/sh
+exit 101
+EOF
+chmod a+rx $tmpdir/usr/sbin/policy-rc.d
+exit_cleanup() {
+    umount $tmpdir/proc
+}
+mount -t proc proc $tmpdir/proc
+# Make sure proc is unmounted also on failure
+trap exit_cleanup EXIT INT
+
+chroot $tmpdir aptitude -y install debconf-utils
+
+# Make sure tasksel autoselection trigger.  It need the test scripts
+# to return the correct answers.
+echo tasksel tasksel/desktop multiselect $desktop | \
+    chroot $tmpdir debconf-set-selections
+
+# Include the desktop and laptop task
+for test in desktop laptop ; do
+    echo > $tmpdir/usr/lib/tasksel/tests/$test <<EOF
+#!/bin/sh
+exit 2
+EOF
+    chmod a+rx $tmpdir/usr/lib/tasksel/tests/$test
+done
+
+DEBIAN_FRONTEND=noninteractive
+DEBIAN_PRIORITY=critical
+export DEBIAN_FRONTEND DEBIAN_PRIORITY
+chroot $tmpdir tasksel --new-install
+
+echo deb $mirror $to main > $tmpdir/etc/apt/sources.list
+chroot $tmpdir aptitude update
+touch $tmpdir/etc/udev/kernel-upgrade
+chroot $tmpdir aptitude -y dist-upgrade
+fuser -mv
+
+ +

I suspect it would be useful to test upgrades with both apt-get and +with aptitude, but I have not had time to look at how they behave +differently so far. I hope to get a cron job running to do the test +regularly and post the result on the web. The Gnome upgrade currently +work, while the KDE upgrade fail because of the bug in +kdebase-workspace-data

+ +

I am not quite sure what kind of extract from the huge upgrade logs +(KDE 167 KiB, Gnome 516 KiB) it make sense to include in this blog +post, so I will refrain from trying. I can report that for Gnome, +aptitude report 760 packages upgraded, 448 newly installed, 129 to +remove and 1 not upgraded and 1024MB need to be downloaded while for +KDE the same numbers are 702 packages upgraded, 507 newly installed, +193 to remove and 0 not upgraded and 1117MB need to be downloaded

+ +

I am very happy to notice that the Gnome desktop + laptop upgrade +is able to migrate to dependency based boot sequencing and parallel +booting without a hitch. Was unsure if there were still bugs with +packages failing to clean up their obsolete init.d script during +upgrades, and no such problem seem to affect the Gnome desktop+laptop +packages.

- Tags: debian edu, english, nuug. + Tags: bootsystem, debian, debian edu, english.
-
Danmark går for ODF?
-
2010-01-29 12:00
+
Skolelinux er laget for sentraldrifting, naturligvis
+
2010-06-09 12:30
-

Ble nettopp gjort oppmerksom på en -nyhet fra Version2 -fra Danmark, der det hevdes at Folketinget har vedtatt at ODF skal -brukes som dokumentutvekslingsformat i Staten.

- -

Hyggelig lesning, spesielt hvis det viser seg at de av vedtatt -kravlisten for hva som skal aksepteres som referert i kommentarfeltet -til artikkelen og -en -annen artikkel i samme nett-avis. Liker spesielt godt denne:

- -

Det skal demonstreres, at standarden i sin helhed kan -implementeres af alle direkte i sin helhed på flere -platforme.

- -

Noe slikt burde være et krav også i Norge.

+

Det er merkelig hvordan myter om Skolelinux overlever. En slik +myte er at Skolelinux ikke kan sentraldriftes og ha sentralt plasserte +tjenermaskiner. I siste Computerworld Norge er +IT-sjef +Viggo Billdal i Steinkjer intervjuet, og forteller uten +blygsel:

+ +

Vi hadde Skolelinux, men det har vi sluttet med. Vi testet +om det lønte seg med Microsoft eller en åpen plattform. Vi fant ut at +Microsoft egentlig var totalt sett bedre egnet. Det var store +driftskostnader med Skolelinux, blant annet på grunn av +desentraliserte servere. Det var komplisert, så vi gikk vekk fra det +og bruker nå bare Windows.

+ +

En rask +sjekk mot den norske brukerlista i Skolelinuxprosjektet forteller +at Steinkjers forsøk foregikk fram til 2004/2005, og at Røysing skole +i Steinkjer skal ha vært svært fornøyd med Skolelinux men at kommunen +overkjørte skolen og krevde at de gikk over til Windows. Et søk på +nettet sendte meg til +Dagens +IT nr. 18 2005 hvor en kan lese på side 18:

+ +

Inge Tømmerås ved Røysing skole i Steinkjer kjører ennå +Microsoft, men forteller at kompetanseutfordringen med Skolelinux ikke +var så stor. ­ Jeg syntes Skolelinux var utrolig lett å drifte uten +forkunnskaper. Men man må jo selvsagt ha tilgang på ekstern kompetanse +til installasjoner og maskinvarefeil, sier Tømmerås.

+ +

Som systemarkitekten bak Skolelinux, kan jeg bare riste på hodet +over påstanden om at Skolelinux krever desentraliserte tjenere. +Skolelinux-arkitekturen er laget for sentralisert drift og plassering +av tjenerne lokalt eller sentralt alt etter behov og nettkapasitet. +Den er modellert på nettverks- og tjenerløsningen som brukes på +Universitetet i Tromsø og Oslo, der jeg jobber med utvikling av +driftstjenester. Dette er det heldigvis noen som har fått med seg, og +jeg er glad for å kunne sitere fra en kommentar på den overnevnte +artikkelen. Min venn og gamle kollega Sturle Sunde forteller der: + +

+

I Flora kommune køyrer vi Skulelinux på skular med alt frå 15 til +meir enn 500 elevar. Dei store skulane har eigen tenar, for det er +mest praktisk. Eg, som er driftsansvarleg for heile nettet, ser +sjeldan dei tenarane fysisk, men at dei står der gjer skulane mindre +avhengige av eksterne linjer som er trege eller dyre. Dei minste +skulane har ikkje eigen tenar. Å bruke sentral tenar er heller ikkje +noko problem. Småskulane klarar seg fint med 1 mbit-linje til ein +sentral tenar eller tenaren på ein større skule.

+ +

Det beste med Skulelinux er halvtjukke klientar. Dei treng ikkje +harddisk og brukar minimalt med ressursar på tenaren fordi dei køyrer +programma lokalt. Eit klasserom med 30 sju-åtte år gamle maskiner har +mykje meir CPU og RAM totalt enn nokon moderne tenar til under +millionen. Det trengst to kommandoar på den sentrale tenaren for å +oppdatere alle klientane, både tynne og halvtjukke. Vi har ingen +problem med diskar som ryk heller, som var eit problem før fordi +elevane sat og sparka i maskinene. Og dei krev lite bandbreidde i +nettet, so det er fullt mogleg å køyre slike på småskular med trege +linjer mot tenaren på ein større skule.

+ +

Flora kommune har nesten 800 Linux-maskiner i sitt skulenett, og +ein person som tek seg av drift av heile nettet, inkludert tenarar, +klientar, operativsystem, programvare, heimekontorløysing og +administrasjon av brukarar.

+ +

No skal det seiast at vi ikkje køyrer rein Skulelinux ut av +boksen. Vi har gjort ein del tilpassingar mot noko Novell-greier som +var der frå før, og som har komplisert installasjonen vår. Etter at +oppsettet var gjort har løysinga vore stabil og kravd minimalt med +arbeid.

+
+ +

Jeg vet at Narvik, Harstad og Oslo er kommuner der Skolelinux +sentraldriftes med sentrale tjenere. Det forteller meg at Steinkjers +IT-sjef neppe bør skylde på Skolelinux-løsningen for sine 5 år gamle +minner.

- Tags: norsk, nuug, standard. + Tags: debian edu, norsk, nuug.
-
Automatic Munin and Nagios configuration
-
2010-01-27 15:15
+
Upstart or sysvinit - as init.d scripts see it
+
2010-06-06 23:55
-

One of the new features in the next Debian/Lenny based release of -Debian Edu/Skolelinux, which is scheduled for release in the next few -days, is automatic configuration of the service monitoring system -Nagios. The previous release had automatic configuration of trend -analysis using Munin, and this Lenny based release take that a step -further.

- -

When installing a Debian Edu Main-server, it is automatically -configured as a Munin and Nagios server. In addition, it is -configured to be a server for the -SiteSummary -system I have written for use in Debian Edu. The SiteSummary -system is inspired by a system used by the University of Oslo where I -work. In short, the system provide a centralised collector of -information about the computers on the network, and a client on each -computer submitting information to this collector. This allow for -automatic information on which packages are installed on each machine, -which kernel the machines are using, what kind of configuration the -packages got etc. This also allow us to automatically generate Munin -and Nagios configuration.

- -

All computers reporting to the sitesummary collector with the -munin-node package installed is automatically enabled as a Munin -client and graphs from the statistics collected from that machine show -up automatically on http://www/munin/ on the Main-server.

- -

All non-laptop computers reporting to the sitesummary collector are -automatically monitored for network presence (ping and any network -services detected). In addition, all computers (also laptops) with -the nagios-nrpe-server package installed and configured the way -sitesummary would configure it, are monitored for full disks, software -raid status, swap free and other checks that need to run locally on -the machine.

- -

The result is that the administrator on a school using Debian Edu -based on Lenny will be able to check the health of his installation -with one look at the Nagios settings, without having to spend any time -keeping the Nagios configuration up-to-date.

- -

The only configuration one need to do to get Nagios up and running -is to set the password used to get access via HTTP. The system -administrator need to run "htpasswd /etc/nagios3/htpasswd.users -nagiosadmin" to create a nagiosadmin user and set a password for -it to be able to log into the Nagios web pages. After that, -everything is taken care of.

+

If Debian is to migrate to upstart on Linux, I expect some init.d +scripts to migrate (some of) their operations to upstart job while +keeping the init.d for hurd and kfreebsd. The packages with such +needs will need a way to get their init.d scripts to behave +differently when used with sysvinit and with upstart. Because of +this, I had a look at the environment variables set when a init.d +script is running under upstart, and when it is not.

+ +

With upstart, I notice these environment variables are set when a +script is started from rcS.d/ (ignoring some irrelevant ones like +COLUMNS):

+ +
+DEFAULT_RUNLEVEL=2
+previous=N
+PREVLEVEL=
+RUNLEVEL=
+runlevel=S
+UPSTART_EVENTS=startup
+UPSTART_INSTANCE=
+UPSTART_JOB=rc-sysinit
+
+ +

With sysvinit, these environment variables are set for the same +script.

+ +
+INIT_VERSION=sysvinit-2.88
+previous=N
+PREVLEVEL=N
+RUNLEVEL=S
+runlevel=S
+
+ +

The RUNLEVEL and PREVLEVEL environment variables passed on from +sysvinit are not set by upstart. Not sure if it is intentional or not +to not be compatible with sysvinit in this regard.

+ +

For scripts needing to behave differently when upstart is used, +looking for the UPSTART_JOB environment variable seem to be a good +choice.

- Tags: debian edu, english, nuug. + Tags: bootsystem, debian, english.
-

RSS feed

+

RSS feed