Debian on SWiK

Julien Danjou: Boarding the Prometheus

Sun, 18 May 2008 03:13:09 -0700

As I said a month ago, my main server Delmak was dying. Well it still runs (proof: you could read this blog some days ago).

Thanks to friends I host for free, they've kindly given enough money to buy a brand new server (C2D E8400, 4 GB RAM, 2x500 GB RAID 1) in order to replace the good old Delmak. This new box has been named Prometheus after the only BC-303 class battleship ever built.

Delmak was used to mainly run as a Web, mail and databases server. I decided to do use this server switch to change the server software I use.

The first mail server I setup was based on Exim 3, courier-{imap,pop}{-ssl,} with userdb files. That was... rough. Later I switched to Exim 4, using vexim, and MySQL as a back-end. That was something like 3 years ago I guess. Since then I never really touched that back. I added spamassassin and clamav filtering some months after, because some users asked for it. That's all.

So this week, I decided to switch away from this configuration. I do not understand Exim anymore anyway, so I decided to use Postfix which I often use and administrate at work. Obviously, I also now use PostgreSQL as database back-end, since it rocks, and since Postfixadmin supports it. By the way, be aware that the Debian package of postfixadmin is crappy (the configuration file is readable by anyone by default, with the database password in it). I also set up postgrey which is quite nice and efficient.

Well, then was time for amavisd-new installation, but I did not do it. Seriously, amavisd-new configuration is a bloody mess, as the language it is written in (yes, Perl).

So I switched to dspam which I heard is nice. Well, it seems to be for now, since it even supports clamav daemon usage directly, which is very very nice because that means I do not have to set up another thing for that.

I also switched from courier to dovecot, mainly because the latter seems to be faster and lighter. I then changed the default virtual_transport to Dovecot LDA. The main advantage of this is that the LDA updates the Dovecot index while delivering. It also supports quota, which I do not use and plug-ins, like the Sieve language for mail filtering.

So I decided to change my procmailrc to a new Sieve filter. My procmailrc is quite small since I only use regex to match lists and some mail address, so it has only something like 12 rules. And well, I did not do it since I discovered after some googling that Dovecot implementation of Sieve is grabbed from Cyrus which does not support variables for now. That means that the following procmailrc code:

:0:
* ^X-Mailing-List: <debian-.+@lists.debian.org>
* ^X-Mailing-List: <debian-\/[^@]+
list-debian-$MATCH/

which will translate to:

require [ "regex", "variables", "fileinto" ]
if header :regex "X-Mailing-List" "<debian-(.+)@"
{
    fileinto "lists.debian.${1}";
    stop;
}

But that won't work since Dovecot Sieve implementation does not support "variables". Well, since I'm not ready to list all the lists I'm subscribed to, Sieve is a no-go for now. I'll stick with procmail.

Russell Coker: Debian SSH Problems

Sat, 17 May 2008 23:14:10 -0700

It has recently been announced that Debian had a serious bug in the OpenSSL code [1], the most visible affect of this is compromising SSH keys - but it can also affect VPN and HTTPS keys. Erich Schubert was one of the first people to point out the true horror of the problem, only 2^15 different keys can be created [2]. It should not be difficult for an attacker to generate 2^15 host keys to try all combinations for decrypting a login session. It should also be possible to make up to 2^15 attempts to login to a session remotely if an attacker believes that an authorized key was being used - that would take less than an hour at a rate of 10 attempts per second (which is possible with modern net connections) and could be done in a day if the server was connected to the net by a modem.

John Goerzen has some insightful thoughts about the issue [3]. I recommend reading his post. One point he makes is that the person who made the mistake in question should not be lynched. One thing I think we should keep in mind is the fact that people tend to be more careful after they have made mistakes, I expect that anyone who makes a mistake in such a public way which impacts so many people will be very careful for a long time…

Steinar H. Gunderson analyses the maths in relation to DSA keys, it seems that if a DSA key is ever used with a bad RNG then it can be cracked by someone who sniffs the network [4]. It seems that it is safest to just not use DSA to avoid this risk. Another issue is that if a client supports multiple host keys (ssh version 2 can use three different key types, one for the ssh1 protocol, one for ssh2 with RSA, and one for ssh2 with DSA) then a man in the middle attack can be implemented by forcing a client to use a different key type - see Stealth’s article in Phrack for the details [5]. So it seems that we should remove support for anything other than SSHv2 with RSA keys.

To remove such support from the ssh server edit /etc/ssh/sshd_config and make sure it has a line with “Protocol 2“, and that the only HostKey line references an RSA key. To remove it from the ssh client (the important thing) edit /etc/ssh/ssh_config and make sure that it has something like the following:

Host *
Protocol 2
HostKeyAlgorithms ssh-rsa
ForwardX11 no
ForwardX11Trusted no

You can override this for different machines. So if you have a machine that uses DSA only then it would be easy to add a section:

Host strange-machine
Protocol 2
HostKeyAlgorithms ssh-dsa

So making the default configuration of the ssh client on all machines you manage has the potential to dramatically reduce the incidence of MITM attacks from the less knowledgable users.

When skilled users who do not have root access need to change things they can always edit the file ~/.ssh/config (which has the same syntax as /etc/ssh/ssh_config) or they can use command-line options to override it. The command ssh -o “HostKeyAlgorithms ssh-dsa” user@server will force the use of DSA encryption even if the configuration file requests RSA.

Enrico Zini describes how to use ssh-keygen to get the fingerprint of the host key [6]. One thing I have learned from comments on this post is how to get a fingerprint from a known hosts file. A common situation is that machine A has a known hosts file with an entry for machine B. I want to get the right key in machine C and there is no way of directly communicating between machine A and machine C (EG they are in different locations with no network access). In that situation the command “ssh-keygen -l -f ~/.ssh/known_hosts” can be used to display all the fingerprints of hosts that you have connected to in the past, then it’s a simple matter of grepping the output.

Docunext has an interesting post about ways of mitigating such problems [7]. One thing that they suggest is using fail2ban to block IP addresses that appear to be trying to do brute-force attacks. It’s unfortunate that the version of fail2ban in Debian uses /tmp/fail2ban.sock for it’s Unix domain socket for talking to the server (the version in Unstable uses /var/run/fail2ban/fail2ban.sock). They also mention patching network drivers to add entropy to the kernel random number generator. One thing that seems interesting is the package randomsound (currently in Debian/Unstable) which takes ALSA sound input as a source of entropy, note that you don’t need to have any sound input device connected.

When considering fail2ban and similar things, it’s probably best to start by restricting the number of machines which can connect to your SSH server. Firstly if you put it on a non-default port then it’ll take some brute-force to find it. This will waste some of the attacker’s time and also make the less persistent attackers go elsewhere. One thing that I am considering is having a few unused ports configured such that any IP address which connects to them gets added to my NetFilter configuration - if you connect to such ports then you can’t connect to any other ports for a week (or until the list becomes too full). So if for example I had port N configured in such a manner and port N+100 used for ssh listening then it’s likely that someone who port-scans my server would be blocked before they even discovered the SSH server. Does anyone know of free software to do this?

The next thing to consider is which IP addresses may connect. If you were to allow all the IP addresses from all the major ISPs in your country to connect to your server then it would still be a small fraction of the IP address space. Sure attackers could use machines that they already cracked in your country to launch their attacks, but they would have to guess that you had such a defense in place, and even so it would be an inconvenience for them. You don’t necessarily need to have a perfect defense, you only need to make the effort to reward ratio be worse for attacking you than for attacking someone else. Note that I am not advocating taking a minimalist approach to security, merely noting that even a small increment in the strength of your defenses can make a significant difference to the risk you face.

Update: based on comments I’m now considering knockd to open ports on demand. The upstream site for knockd is here [8], and some documentation on setting it up in Debian is here [9]. The concept of knockd is that you make connections to a series of ports which act as a password for changing the firewall rules. An attacker who doesn’t know those port numbers won’t be able to connect. Of course anyone who can sniff your network will discover the ports soon enough, but I guess you can always login and change the port numbers once knockd has let you in.

Also thanks to Helmut for advice on ssh-keygen.

[1] http://www.debian.org/security/2008/dsa-1571

[2] http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html

[3] http://changelog.complete.org/posts/714-Thoughtfulness-on-the-OpenSSL-bug.html

[4] http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html

[5] http://www.phrack.org/issues.html?id=11&issue=59

[6] http://www.enricozini.org/2008/tips/ssh-host-key-fingerprint.html

[7] http://www.docunext.com/blog/2008/05/14/my-security/

[8] http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

[9] http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/

The Linux HTPC Howto - Basic and Advance Media Center Build Tips

Sat, 17 May 2008 20:12:06 -0700

lirc + Debian - SWiK

Sat, 17 May 2008 20:12:04 -0700

Simon Richter: Solutions

Sat, 17 May 2008 19:12:44 -0700

(tl;dr: if you have a few minutes, please add information here)

Joss,

the problem with the new package formats is that there is nothing that actually uses the additional information in a way that adds significant new functionality, so the net result of the change was that we throw away the information at a different layer in our software stack, and one of the interfaces got a lot more complicated in the process.

One possible application would be a "poor man's patch tracking" inside the BTS, perhaps with a new state "fixed in patch".

I can see two ways of implementing that:

by extending the interface of the "new" package formats that {Debian,Ubuntu} bug numbers are attached to the actual patch files and having the archive maintenance software extract and process that information (reject packages that add a patch for a bug without closing it in the changelog, notify the BTS), or
by leaving the package format untouched and simply adding a regex matching "Fixes: #nnnnnn" that is reported to the BTS as "we have added a patch", so the submitter is notified that the bug is gone for him/her; the bug is then closed in the changelog of the upload removing the patch.

The former approach also allows us to link to patches from BTS pages, which the latter doesn't, so there could be actual benefit here if we believe it is worth the additional complexity.

(Update: Raphaël thinks it is. I like the idea of a package format with separate patches a lot more in this context than I did without it, but still my fear that it will actually be perceived as sanctioning large patchsets still remains.)

About mandatory co-maintenance: the problem isn't "helping". We have plenty of people with commit access to packages they don't even remotely understand who are really helpful (not). The problem is that someone needs to actually read all the commit logs and understand what the changes do in this context. In most cases, that person or group would be upstream, not a DD.

My first impression after reading the patch was "adding uninitialized data to the entropy pool is pointless/harmful as it is not random, so this patch makes sense", because the loop around it was not contained in the patch. Obviously I'm not an OpenSSL developer.

There is nothing Debian could have done internally to verify the correctness of this patch that would properly scale to the entire archive, even if we put "more emphasis on security". The only solution I see is reporting every patch to upstream immediately and getting affirmation that it is correct.

This, however means that we need to produce patches that upstream can accept. For obvious code bugs, that is simple, but for integration patches like paths it is not sufficient to replace one string with another, but rather make it configurable in some place that can be reached from debian/rules.

In an ideal world, we end up with very few Debian specific patches, so essentially we are talking about adding functionality to dpkg that we don't want to use.

I've started a page in the Debian Wiki, Getting Packaged with an outline of a possible document aimed at upstream developers that should list the typical problems we run into and how to avoid them.

tuttodebian.blogspot.com: HOWTO: Debian, Xen and VLANs

Sat, 17 May 2008 16:22:27 -0700

Simon Richter: OLPC and Windows

Sat, 17 May 2008 15:13:00 -0700

There is an article on TechCrunch on Windows on the OLPC. This article started out as a comment below lots of comments that were missing the point, but eventually grew too large.

The entire discussion circles around the question whether it would be beneficial to give the users the same view and behaviour that is on 90% of machines worldwide, so they can start out prospective jobs with a minimum of training. Learning your way around the UI is only a significant part of training if that actual work you will do is trivial — so this argument basically boils down to "I don't expect the African kids to do anything but grunt work during their lifetime anyway, so we better start training them early", which is the wrong approach not only to education.

To make a bad car analogy, roads are usually made of several layers, from the foundation providing the stability up to the paint defining lanes. Operating systems are similarly layered, with a core that applications (cars) never touch directly, and several other layers on top of that that are not really required for basic functionality, but that add safety (process separation) or comfort (standard functions). The minimum standard of things is a "platform definition", which all car (or application) makers can expect — all roads have a minimum width and there are no dangerous spikes (if that is not true, you can get a steamroller or respectively format your harddisk).

Railways use the same kind of foundation (operating system), but the platform (heh) is quite different. You cannot drive a car on a railway, or a train on a road, just as you cannot run a Windows application on a Linux system or vice versa (there are special wagons you can place your car on, and special trucks with rails on them if you feel like it, but these are heavier and need more energy to pull).

Now in this discussion, people have been comparing Windows (the platform) to Linux (the operating system). That doesn't work.

On Linux, there are several platforms available, the most prominent being GNOME and KDE for the desktop and POSIX utilities on the command line, but there are lots of others as well. Part of most platform definitions is an user interface, which abstracts what is really happening to something comprehensible to the user, using analogies (a tachometer displays our speed as an angle usually, but other representations are possible).

The "desktop" idiom happened to be the first graphical UI some thirty years back, and was perpetuated into today's computers (just like the width of roads hasn't changed from the days of the Roman empire, where it was "two horses and then some"), however this doesn't mean it is the best choice available — it's just what we are used to.

If you look at the screen contents on the day traders' computers (lots of that on the TV right now thanks to the market crisis), you will notice the vast majority does not use overlapping windows or standardized "rising-edge" buttons to click on, but rather, they have a tightly-packed grid layout with high-contrast information displays that also color-code certain messages.

I think that is the most important point here: to achieve optimal results, the presentation idiom needs to be chosen in a task specific way.

With children as the target audience, we lose one of the key requirements behind the adoption of the windowed view: the need for side-by-side presentation of data from multiple unrelated sources (which is also a problem given the lack of screen space). With the introduction of ad-hoc mesh networking and collaborative applications, the "desktop" analogy begins to break down.

The project's mission also defines requirements on the platform. If we want to keep the requirement "users should be able to build and share their own stuff", then we want a framework where it is hard to make mistakes, especially those that can be spotted only after an interesting failure, and more importantly impossible to write code that makes unrelated components fail, because these components might be your way back out of the situation.

Windows has an excellent event model with fairly good isolation of components (to the point where a problem in an event handler can be handled by the event loop rather than terminating the program, so for example Internet Explorer can shut down broken plugins rather than crashing), but the detail knowledge required to really work with the API (how to build a message loop that also runs queued I/O completion handlers correctly) leads to a fairly steep learning curve, and would teach implementation details rather than concepts.

The normal "linuxy" approach of going low level whenever higher-level approaches fail is not the answer either as we want to truly empower people rather than just training them to be a cheap replacement for the tech support Indians (no offence), so it is vital that the "real" applications use the same framework that people implementing new things would use, and thus all the complexity that we want in our "official" applications needs to be taken care of by the platform, with all the safety features in place too.

So no existing platform provides what we want. — hence Sugar. And that is the problem for Windows advocates: Sugar replaces those bits that make Windows a platform and not just a kernel, so porting Sugar to Windows doesn't make sense from a technical point of view, since we already replaced the bits that we didn't have free software for before.

Other than that, the "Linux vs. Windows" kernel choice is secondary; in fact both kernels are very similar in design and function, the various advantages and disadvantages of either aren't that relevant really.

The only technical reason in favour of Linux is the virtual memory management — the Windows VMM behaves erratically in the absence of a swap device, but I believe that is not something that cannot be fixed.

The reason why I believe Linux is the better choice here is long-term support.

Since these devices will be used in basic education (which hasn't changed that much in the past years as 1 plus 1 still equals 2), there is hardly any need for radical changes after the initial rollout — why add instability when you don't have to? With Microsoft as a for-profit company, there needs to be a business model sustaining that behind it, and I believe it will be very hard to find one. "Subscription" falls down in that it is a long-term recurring expense, which governments tend to be pretty wary of.

The alternative is to upgrade several million computers' OS every few years. Lots of companies are skipping entire Windows releases because of the migration cost, and even with the "console bonus" (all hardware is the same) and bootloader support for software upgrades over a mesh network, this is still a massive endeavour. That each machine would have to reserve enough memory for the entire "upgrade pack" so it can transition "in one go" also makes this model unworkable.

To summarize, using Windows on the OLPC does not make sense at all. If you use just the kernel, you don't gain anything over Linux, and if you use the entire platform (and by extension, the UI), you add unnecessary complexity that is not only not required for the actual task, but also distracting. If you add restrictions and extensions to make it work, you invent a new platform, which is precisely what Sugar did.

The argument that it is important for pupils to use the same thing that the rest of the world is using to ease their entry into the workforce is bogus at best, and racist at worst.

Sune Vuorela: Comaintainers wanted

Sat, 17 May 2008 15:12:59 -0700

gnupg (1.4.6-3) unstable; urgency=low

* Adopt package. Thanks to James Troup for his work in the far past.
Thanks to NMU'ers Bastian and Thijs. (Closes: #476418)
* Co-maintainers wanted.
* Don't build-dep on pcap on non-linux-archs. (Closes: #357267)

-- Sune Vuorela Sat, 17 May 2008 15:42:55 +0200

TODO:

Coordinate with release-team and d-i what changes can still be done before lenny
Look at the new upstream version
Get a alioth project and host stuff in a version control system
Decide on version control system
Get a team and figure out team workflow
Look at this newfangled packaging thing called debhelper
Make all bugs either closed or forwarded

So - anyone interested?

Romain Francoise: Some .diff.gz statistics

Sat, 17 May 2008 15:12:59 -0700

The OpenSSL fiasco has started a fresh discussion on Debian source packages and the way we handle changes to upstream software. One of the issues under discussion is that some Debian packages don't use a patch system and ship all their modifications unseparated in the Debian .diff.gz, which makes it harder or impossible to extract patches later on and to understand why some changes were made. The commonly recommended way of doing things is instead to keep the upstream source pristine, storing modifications cleanly separated and documented under debian/patches; several tools such as quilt or dpatch can make this process easy.

Out of curiosity, I did a quick scan of my local mirror to see how many packages ship changes outside debian/ in their .diff.gz, and I was surprised to see that 4803 source packages out of 11853 (40%) do so! This is much more than I expected. Some packages even use a patch system but still have changes in .diff.gz, as shown by this lintian check.

The most commonly patched files in affected packages are:

   1006 config.sub
   1002 config.guess
    823 Makefile
    754 configure
    715 Makefile.in
    484 aclocal.m4

Most of these are caused by autotools updates which are necessary if upstream ships old versions of these files. In many cases there are clean ways to deal with this, for example to always have up-to-date versions of config.{guess,sub} you can simply make them re-exec their authoritative versions (as shown by this patch) and build-depend on autotools-dev.

If you don't use a patch system, now is a good time to start. The New Maintainers' guide has more information on the topic.

Neil Williams: diff.gz stats

Sat, 17 May 2008 15:12:59 -0700

Romain, you might just want to check 471263 where there is disagreement over how this lintian test should or should not behave towards generated files. In particular, if a package contains a patch in debian/patches that causes upstream files to be modified indirectly (e.g. because upstream is old / quiet and hasn't updated the autotools stuff for years, any patch that affects Makefile.am or configure.in|ac is going to cause changes in generated files and these changes should not be wrapped into yet more patch files because of the inevitable build failures when any of the tools used to generate those files are updated.

Your stats may also be out because of this problem - it is hard to see how lintian can resolve the problem cleanly without carrying a long list of "possibly generated files" and risking the list going stale.

There is more to the contents of .diff.gz than may meet the eye.

Jeff Bailey: 3mo surgery update; Step-Grandmother-in-law; Almost back to work

Sat, 17 May 2008 14:13:53 -0700

Hey! I have my 3-month update with my surgeon on Tuesday. We'll be hopefully reviewing my movement restrictions and getting the final all-clear to return to work at the beginning of next month. I don't expect that I'll be able to lift Leif, but even if I can twist and bend a little bit and reach out with both my arms at once it would be a huge improvement for me.

Do any of you have any questions? I'm going to ask for some clarification on the photo that I posted before (and hopefully will get another one). But if there's anything that other people want to know, I'll ask as much as I can.

Yesterday my wife's (Angie) father's (Ernie) wife's (Janet) mother (Lydia) died from a heart attack. I've only met her a few times, so I'm not really shaken by it, but she was a really nice lady. Something I think about is that with Janet marrying into the family after Angie and her siblings had all moved out means that there's a large chunk of Leif's family now that Angie and I can't really teach him about. So, I worry about Henry, and I'm thinking a lot about Janet. Since we're going up to Vancouver at the end of the week, we should hopefully be in town for any memorial service.

It's crazy to think back over the past 3 months. Various family members health problems; Leif learning to walk, and getting his first words; Leif moving to his own room and his own bed; Going from where I needed a walker and a trip to the mailbox was far, to where a ~1km to a park pushing a stroller makes me tired, but I can do the trip back easily enough; Going through the work to change to a new work visa; almost completing one of my master's courses; and importantly: I've got 30 of the songs finished on "Hard" in Guitar Hero 2.

It'll be fun to get back to work and regular life, though. =)

Kartik Mistry: Inhumanity

Sat, 17 May 2008 14:13:53 -0700

* Somebody told that ‘This is inhuman‘. Now, please someone please preach similar to China!

[from wnpxrz] Setting up Subversion and websvn on Debian | HowtoForge - Linux Howtos and Tutorials

Sat, 17 May 2008 13:18:45 -0700

Kartik Mistry: Meeting with Kstar and Weekend

Sat, 17 May 2008 13:14:37 -0700

* Mistake happens in Life. I did it too, you may have done it in the past. There is no point of digging grave. Probabaly time to do some work to make sure that it will not happen again.

XKCD Tribute.

* Kstar (Akarsh Simha, GSoC candidate of KDE Project, Kstars) is in city (I mean his hometown!) enjoying his vacation, so I decided to meet him on Friday. I wanted to do it on Saturday but some other plan was there which indeed never happen and that is another story itself. Anyway, we met near MG Road/Brigede Road junction and went to Pizza Hut. Nice disucssion of 2 hours, nice pizzas and finally mandatory click. We talked from Debian to FOSS culture in IITM (Note that IITM has 2 most active DDs from India!).

* So, my Saturday was totally wasted due to silly things. Dear Kushal was not there in town — so, none was there to annoy from me. I thought I was able to wash my all dirty clothes in the morning but, it was power cut! I waited till 12PM to bathe (Indeed, you can’t take bath without power as bathroom is too dark, and I fear cockroach too much).

Power went again around 6 PM and I went outside, wondered here and there, came back to home. Still no power. OMG, it came after 10.30 PM!

Yet another reason to hate this city, BLR.

Bridging domains to tagged VLANs in Xen at renial.net

Sat, 17 May 2008 12:22:54 -0700

Debian Stable + Exim3 + Amavisd-new with Spamassassin, Razor, F-Prot filtering for Exchange.

Sat, 17 May 2008 12:19:34 -0700

[from wnpxrz] Setting up multiple Subversion repositories

Sat, 17 May 2008 12:18:31 -0700

eBox Platform

Sat, 17 May 2008 12:13:49 -0700

Debian Stable + Exim3 + Amavisd-new with Spamassassin, Razor, F-Prot filtering for Exchange.

Sat, 17 May 2008 12:07:44 -0700

Debian Anti-Spam Anti-Virus Gateway Email Server using Postfix, Amavisd-new, SpamAssassin, Razor, DCC, Pyzor, and ClamAV HOWTO

Sat, 17 May 2008 12:07:44 -0700

Mailman Configuration in Debian

Sat, 17 May 2008 12:07:43 -0700

Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1

Sat, 17 May 2008 12:07:43 -0700

Debian Mail System [Wiki]

Sat, 17 May 2008 12:07:42 -0700

lists.debian.org - Re: Sarge - postfix/saslauthd issues

Sat, 17 May 2008 12:07:42 -0700

Intrusion Detection With BASE And Snort | HowtoForge - Linux Howtos and Tutorials

Sat, 17 May 2008 12:06:38 -0700

Easy Ubuntu Linux

Sat, 17 May 2008 11:15:03 -0700

Uwe Hermann: Green energy from Lichtblick getting... cheaper!

Sat, 17 May 2008 11:13:55 -0700

You might remember that I wrote a blog entry about my switch to the green electric utility "Lichblick" (Germany) a while ago. I did that purely out of environmental reasons, I didn't want to continue to waste money on polluting and/or dangerous crap such as fossil or nuclear power. Yes, even if that meant a slightly higher price (but I really didn't compare prices much before switching — I was after an environmentally clean solution, not the cheapest solution).

Quick status update: the switch went really nice and easy, no downtimes, no hassle. I've been a happy customer for more than 8 months now.

Today in my snail mail inbox: a letter from Lichtblick that they're going to reduce the price per kWh from 20.25 to 19.99 (Euro) cents starting July 1st and they give you a guarantee that there won't be any price raises before the end of 2009 (more details also here). Now, that's a positive surprise there.

Compare that to 98% of all other energy providers in Germany who have lately increased prices quite a lot for very obscure or non-existant reasons.

Yes, I do realize that the reduced costs are not that dramatic, and Lichtblick is using this as a means to impress people and gain new customers. But I fully support them in doing so, the more people are switching to a green energy provider the better, if you ask me. I encourage everyone to consider switching, either to Lichtblick, or some of their competitors (in Germany) e.g. Greenpeace energy, Elektrizitätswerke Schönau, or Naturstrom AG. There are various alternatives in other countries too, of course.

ActiveDirectoryWinbindHowto - Community Ubuntu Documentation

Sat, 17 May 2008 10:14:19 -0700

To have pam_winbind automatically refresh the kerberos ticket Add the winbind refresh tickets line to smb.conf :

Sébastien Wains " Request-Tracker 3.6 on Debian Etch + Postfix + Fetchmail

Sat, 17 May 2008 10:07:34 -0700

Debian + Courier + Fetchmail + Postfix + Procmail

Sat, 17 May 2008 10:07:31 -0700