Category Archives: Debian

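Debian 10 “buster” has arrived

Debian has officially released Debian 10 “buster”, which is great news. I have summarized the highlights of the release notes below.

• GNOME's default display server is now Wayland; users who do not want Wayland can still choose Xorg.

• 91% of source packages can now be built reproducibly. A reproducible build means that the binary compiled from the source code is exactly the same every time. This guarantees and proves that the program you receive was indeed compiled from source code that has not been tampered with.

• AppArmor is used by default.

• APT adds seccomp-BPF, which restricts the system calls it may use in order to improve security. APT also now officially supports HTTPS.

• nftables replaces iptables; iptables is still supported through iptables-legacy. For details see https://wiki.debian.org/nftables

• Secure Boot is officially supported: on amd64, i386 and arm64 you can install and boot the system without turning off the Secure Boot option.

(Source: https://www.debian.org/News/2019/20190706)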

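Debian mourns the passing of Ian Murdock

bits.debian.org published the news of Ian Murdock's death. As I admire Ian greatly, I translated it right away after seeing it. I had finished the translation on the 31st of last month and sent it to the debian-publicity mailing list, but for some unknown reason it never arrived there (I had already tried two different email addresses). As I happened to be travelling in Japan at the time, I did not pay much attention. Today, when I went to look into what the problem was, I found that Anthony Fok had already put another Chinese version, translated by Bootingman, on the website; that being so, it would not be right for me to replace it. But the translation is finished after all, I put some effort into it, and I am fairly satisfied with the result, so I am publishing it here.

Original: https://bits.debian.org/2015/12/mourning-ian-murdock.html

Ian Murdock was a stalwart proponent of free/open source software, a father, a son, and the ‘ian’ in Debian. With heavy hearts, we deeply mourn Ian's passing.

Ian started the Debian project in August 1993 and released the first version shortly afterwards in the same year. Since then, Debian has gradually become a universal operating system for the world, and it can be found everywhere from embedded devices to the International Space Station.

In creating the Debian distribution and developing its community culture, Ian always focused on making sure that what was done was right, whether ethically or technically. For example, each release is published only when it is finally ready, and the Debian project's firm stance on free software is now regarded as the standard in the free and open source world.

Ian's dedication to doing the right thing guided him, at Debian and in the years that followed, always towards the best possible future.

Ian's dream lives on. The Debian community remains very active, with more than a thousand developers devoting countless days and nights to bring the world a stable and secure operating system.

At this painful time, the thoughts of everyone in the Debian community are with Ian's family. His family has also asked everyone to respect their privacy during this difficult period, and we respect that request. Friends from Debian and the wider Linux community, please send your condolences to in-memoriam-ian@debian.org, where all messages of condolence will be kept forever.

Translator: Anthony Wong (黃彥邦)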

Obfuscated SSH tunnel

VPN providers were cracked down on, and open source anti-censorship tools were eliminated. This is what’s happening in China, and it has become more severe than ever. Shadowsocks alone is no longer reliable due to more powerful deep packet inspection implemented at the GFW.

I am now replacing shadowsocks on my gateway with an obfuscated SSH tunnel, based on Tor’s obfsproxy. For the impatient, I will first give a concise summary of the necessary steps of my setup. You can follow it without drilling down into the details. I will explain in more detail later. But please note that you have to follow the other instructions in this blog post to complete the whole setup.

Quick Set up

On your server

Assuming your server runs Debian 8 (jessie) or Ubuntu and its IP is 1.2.3.4, run these commands:

On Raspberry Pi gateway

Edit ~/.ssh/config:

Run these commands:

How to include local packages for pbuilder

The ibus-cangjie suite consists of 3 source packages: libcangjie, pycangjie and ibus-cangjie. pycangjie depends on libcangjie, and ibus-cangjie depends on the other two. When you use pbuilder or its wrappers (I mainly use pbuilder-dist) to build pycangjie or ibus-cangjie, you have to make sure the packages they depend on are in the pbuilder chroot somehow, otherwise the build will fail.

I used to build the package at the lowest level first, in this case libcangjie, then log in to the pbuilder chroot with the --save-after-login argument, manually copy the built packages to where the chroot is mounted, run dpkg to install the packages, and then exit the chroot. Now libcangjie is installed in the chroot and so the build dependencies of pycangjie can be satisfied. This is simple, but requires quite a lot of typing.

There is a simpler way. As pbuilder puts all its built packages in a single directory, we can make the chroot use it as an apt source.

Assume the packages built by your pbuilder are located in /home/ubuntu/pbuilder/sid_result, and pbuilder hooks are stored in /var/cache/pbuilder/hook.d. Now, update your .pbuilderrc like this:

# cat ~/.pbuilderrc 
HOOKDIR="/var/cache/pbuilder/hook.d"
BINDMOUNTS="/home/ubuntu/pbuilder/sid_result"

Then add a new hook script to generate a Packages file:

# cat /var/cache/pbuilder/hook.d/D70results 
cd /home/ubuntu/pbuilder/sid_result
/usr/bin/dpkg-scanpackages . /dev/null > /home/ubuntu/pbuilder/sid_result/Packages
/usr/bin/apt-get update

To verify it is set up correctly, log in to the pbuilder chroot with the --override-config and --othermirror arguments and check whether /etc/apt/sources.list is updated. The OTHERMIRROR parameter in .pbuilderrc does not work for me, so I can only use --othermirror, which is not nice as you need to supply it every time you run pbuilder:

# pbuilder-dist testing login --override-config --othermirror "deb [trusted=yes] file:///home/ubuntu/pbuilder/sid_result ./"

# grep -r home /etc/apt
/etc/apt/sources.list:deb [trusted=yes] file:///home/ubuntu/pbuilder/sid_result ./

If everything goes well, build your package with the --override-config and --othermirror arguments, as you just did for the login operation:

# pbuilder-dist testing build --override-config --othermirror "deb [trusted=yes] file:///home/ubuntu/pbuilder/sid_result ./" <.dsc-file>
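
The [trusted=yes] option used above tells apt to accept that source without signature verification, so it should stay confined to the local result directory. The following check is an added example, not part of the original post: it scans one-line-style apt source entries and flags any trusted=yes entry that is not the local file:// repository. The function names, the sample entries and the mirror.example.invalid host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag apt sources that skip signature checks via trusted=yes
# unless they are the local pbuilder result directory used in this post.
LOCAL_REPO="/home/ubuntu/pbuilder/sid_result"

# classify_line LINE -> skip | verified | local-trusted | UNSAFE
classify_line() {
    set -f                    # no globbing while the line is word-split
    set -- $1
    set +f
    case ${1:-} in
        deb|deb-src) shift ;;
        *) echo skip; return 0 ;;   # comments, blanks, anything else
    esac
    trusted=no
    case ${1:-} in
        \[*)                  # options: "[a=b c=d]" or "[ a=b c=d ]"
            while [ $# -gt 0 ]; do
                word=$1; shift
                case $word in *trusted=yes*) trusted=yes ;; esac
                case $word in *\]) break ;; esac
            done ;;
    esac
    uri=${1:-}
    if [ "$trusted" = no ]; then echo verified
    elif [ "${uri%/}" = "file://$LOCAL_REPO" ]; then echo local-trusted
    else echo UNSAFE
    fi
}

# audit_sources FILE -> exit status 0 only if no UNSAFE entry is present
audit_sources() {
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        if [ "$(classify_line "$entry")" = UNSAFE ]; then
            echo "unauthenticated non-local source: $entry" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://deb.debian.org/debian testing main
deb [trusted=yes] file:///home/ubuntu/pbuilder/sid_result ./
deb [ arch=amd64 trusted=yes ] http://mirror.example.invalid/debian sid main
EOF
audit_sources "$sample" || echo "audit failed: fix the entries listed above"
rm -f "$sample"
```

Inside the chroot, point audit_sources at /etc/apt/sources.list after logging in with --othermirror; deb822-style .sources files are not covered by this check.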

Debian GNU/Linux 4.0 Release Talk

Last night I gave a short presentation at the Beijing Linux User Group (BLUG) on the Debian project and the new Etch release. As Roy Chan had given a talk about the new release at the Hong Kong Debian Etch release party, I asked for his permission to use his slides for this talk, and he happily agreed. I made some modifications to his slides and cut out the part about Linux introduction. You can find the presentation slides in OpenOffice.org 2 format here, PDF version here. In the meeting Darren mentioned the idea of using peer-to-peer technology in apt, so that users don’t need to set any repositories in the configuration. This is a very good idea, and coincidentally there is a Google Summer of Code project on this topic.