You may not know this, but I am a huge PowerDNS fan. This may be because it is so simple to use, supports different databases as backends or maybe just because I do not like BIND, pick one. I also happen to live in Germany where ISPs usually do not give static IP-addresses to private customers. Unless you pay extra or limit yourself to a bunch of providers that do good service but rely on old (DSL) technology, limiting you to some 16MBit/s down and 1MBit/s up. Luckily my ISP does not force the IP-address change, but it does happen from time to time (once in a couple of month usually). To access the machine(s) at home while on a non-IPv6-capable connection, I have been using my old (old, old, old) DynDNS.com account and pointing a CNAME from under die-welt.net to it. Some time ago, DynDNS.com started supporting AAAA records in their zones and I was happy: no need to type hostname.ipv6.kerker.die-welt.net to connect via v6 just let the application decide. Well, yes, almost. It s just DynDNS.com resets the AAAA record when you update the A record with ddclient and there is currently no IPv6 support in any of the DynDNS.com clients for Linux. So I end up with no AAAA record and am not as happy as I should be. Last Friday I got a mail from DynDNS:

Starting now, if you would like to maintain your free Dyn account, you must now log into your account once a month. Failure to do so will result in expiration and loss of your hostname. Note that using an update client will no longer suffice for this monthly login. You will still continue to get email alerts every 30 days if your email address is current.
Yes, thank you very much

Given that I have enough nameservers under my control and love hacking, I started writing an own dynamic DNS service. Actually you cannot call it a service. Or dynamic. But it s my own, and it does DNS: powerdyn. It is actually just a script, that can update DNS records in SQL (from which PowerDNS serves the zones). When you design such a service , you first think about user authentication and proper information transport. The machine that runs my PowerDNS database is reachable via SSH, so let s use SSH for that. You do not only get user authentication, server authentication and properly crypted data transport, you also do not have to try hard to find out the IP-address you want to update the hostname to, just use $SSH_CLIENT from your environment. If you expected further explanation what has to be done next: sorry, we re done. We have the user (or hostname) by looking at the SSH credentials, and we have the IP-address to update it to if the data in the database is outdated. The only thing missing is some execution daemon or cron(8). :) The machine at home has the following cron entry now:

*/5 * * * * ssh -4 -T -i /home/evgeni/.ssh/powerdyn_rsa powerdyn@ssh.die-welt.net

This connects to the machine with the database via v4 (my IPv6 address does not change) and that s all.
As an alternative, one can add the ssh call in /etc/network/if-up.d/, /etc/ppp/ip-up.d/ or /etc/ppp/ipv6-up.d (depending on your setup) to be executed every time the connection goes up. The machine with the database has the following authorized_keys entry for the powerdyn user:

no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,no-user-rc,\ 
command="/home/powerdyn/powerdyn/powerdyn dorei.kerker.die-welt.net" ssh-rsa AAAA... evgeni@dorei

By forcing the command, the user has no way to get the database-credentials the script uses to write to the database and neither cannot update a different host. That seems secure enough for me. It won t scale for a setup as DynDNS.com and the user-management sucks (you even have to create the entries in the database first, the script can only update them), but it works fine for me and I bet it would for others too :) Update: included suggestions by XX and Helmut from the comments.

3 comment(s) this blog is flattr enabled

TL;DR: fqdn, "jabber.die-welt.net" . So, how many servers do you have, that are still running Squeeze? I count one, mostly because I did not figure out a proper upgrade path from OpenVZ to something else yet, but this is a different story. This post is about the upgrade of my communication machine, dengon.die-welt.net. It runs my private XMPP and IRC servers. I upgraded it to Wheezy, checked that my irssi and my BitlBee still could connect and left for work. There I noticed, that Pidgin could only connect to one of the two XMPP accounts I have on that server. sargentd@jabber.die-welt.net worked just fine, while evgeni@golov.de failed to connect. ejabberd was logging a failed authentication:
I(<0.1604.0>:ejabberd_c2s:802) : ( socket_state,tls, tlssock,#Port<0.5130>,#Port<0.5132> ,<0.1603.0> ) Failed authentication for evgeni@golov.de

While Pidgin was just throwing Not authorized errors. I checked the password in Pidgin (even if it did not change). I tried different (new) accounts: anything@jabber.die-welt.net worked, nothing@golov.de did not and somethingdifferent@jabber.<censored>.de worked too. So where was the difference between the three vhosts? jabber.die-welt.net and jabber.<censored>.de point directly (A/CNAME) to dengon.die-welt.net. golov.de has SRV records for XMPP pointing to jabber.die-welt.net. Let s ask Google about ejabberd pidgin srv . There are some bugs. But they are marked as fixed in Wheezy. Mhh Let s read again Okay, I have to set fqdn, "<my_srv_record_name>" . when this does not match my hostname. Edit /etc/ejabberd/ejabberd.cfg, add fqdn, "jabber.die-welt.net" . (do not forget the dot at the end) and restart the ejabberd. Pidgin can connect again. Yeah.

0 comment(s) this blog is flattr enabled

So you probably heard that I have that little new project of mine: QiFi the pure JavaScript WiFi QR Code Generator. It s been running pretty well and people even seem to like it. One of its (unannounced) features is a pretty clean stylesheet that is used for printing. When you print the result will be just the SSID and the QR code, so you can put that piece of paper everywhere you like. That works (I tested!) fine on Iceweasel/Firefox 10.0.12 and Chromium 25.0. Today I tried to do the same in Opera 12.14 and it failed terribly: the SSID was there, the QR code not. And here my journey begins First I suspected the CSS I used was fishy, so I kicked all the CSS involved and retried: still no QR code in the print-out. So maybe it s the QR code library I use that produces a weird canvas? Nope, the examples on http://diveintohtml5.info/canvas.html and http://devfiles.myopera.com/articles/649/example5.html don t print either. Uhm, let s Google for opera canvas print And oh boy I should not have done that. It seems it s a bug in Opera. And the proposed solution is to use canvas.toDataURL() to render the canvas as an image and load the image instead of the canvas. I almost went that way. But I felt that urge need to read the docs before. So I opened http://www.w3.org/html/wg/drafts/html/master/embedded-content-0.html#dom-canvas-todataurl and https://developer.mozilla.org/en-US/docs/DOM/HTMLCanvasElement and started puking:

When trying to use types other than image/png , authors can check if the image was really returned in the requested format by checking to see if the returned string starts with one of the exact strings data:image/png, or data:image/png; . If it does, the image is PNG, and thus the requested type was not supported. (The one exception to this is if the canvas has either no height or no width, in which case the result might simply be data:, .)

If the type requested is not image/png, and the returned value starts with data:image/png, then the requested type is not supported.

Really? I have to check the returned STRING to know if there was an error? Go home HTML5, you re drunk! Okay, okay. No canvas rendered to images then. Let s just render the QR code as a <table> instead of a <canvas> when the browser looks like Opera. There is nothing one could do wrong with tables, right? But let s test with the basic example first: Yes, this is 2013. Yes, this is Opera 12.14. Yes, the rendering of a fucking HTML table is wrong. Needles to say, Iceweasel and Chromium render the example just fine. I bet even a recent Internet Explorer would That said, there is no bugfixworkaround for Opera I want to implement. If you use Opera, I feel sorry for you. But that s all. Update: before someone cries ZOMG! BUG PLZ!!! , I filled this as DSK-383716 at Opera.

0 comment(s) this blog is flattr enabled

Some time ago, the QR Code Generator WiFi Access made quite some noise on the mighty Internet. Sure, it is cool to be able to share your WiFi-access with someone by just showing him a QR code he can scan on his phone and the phone will auto-connect to the WiFi. But I get a strange feeling telling someone I do not know my WiFi credentials. No, I do not mean my guests, I know them. I mean that shiny web-service that will generate a QR code for me. The geek in you will now say: So? Open up a terminal, install qrencode, pipe it the string WIFI:S:<SSID>;T:<WPA WEP >;P:<password>;; and you got our QR code . Yeah, that works. But was it one or two semicolons at the end? And was it really just WPA even if my WiFi uses WPA2? Oh and how do I encode that umlaut again? I do not want to remember this. Thus, without too much rumble, may I present you: QiFi the pure JS WiFi QR Code Generator. QiFi is a QR code generator for WiFi access in pure JavaScript. It will generate the QR code on your machine, in your browser, not leaking your precious credentials to anyone (but your guests). Don t trust me? Read the code. Fork the code. Host the code yourself. I hope you will find QiFi at least slightly useful ;-)

2 comment(s) this blog is flattr enabled

Do you deliver your mail with maildrop? If not, this post is only for your amusement . My mailserver runs Postfix as MTA and maildrop as MDA, a pretty common setup I d say. And it happens that maildrop supports quota. It supports it so good, that I have no idea how to disable that support, but I also actually never cared, as my user database declares each user has 10GB quota for mails (courier s authtest says Quota: 10000000000S , so does the configuration). And 10GB should be enough for everybody, right? Well, so I thought until I noticed that my Icedove indicated a 99% full mailbox and shortly afterwards maildrop stopped delivering mails with maildir over quota . Looking at the maildirsize file in my maildir, I noticed that the quota is set to 1410065408S, a mere 1.4GB. Where does this number come from? The proficient reader will quickly see that 10000000000 mod 2^32 = 1410065408, so this is actually an integer overflow happening somewhere in the code handling the maildirsize file (read: in maildrop). A short dig through the Debian BTS revealed a bug from 2003, saying exactly the same. The bug also indicated, the issue is fixed since maildrop 2.5. A short cowbuilder run later, I had a maildrop_2.5.5-2_i386.deb, installed it and after the next mail delivery, my quota was at 10GB as it should. TL;DR: If you run into strange maildir over quota errors with maildrop on Debian Squeeze, get a newer maildrop (or backport that single patch to Squeeze s maildrop).

0 comment(s) this blog is flattr enabled

This especially goes to planet.debian.org: SORRY! My WordPress thought it is a great idea to deliver empty (no date, no link, no content) posts, randomly, and planet started to post everything as new as it took the feed. I still haven t reenabled all the plugins, but it runs stable for several hours now and I ll try not to break it again.

0 comment(s) this blog is flattr enabled

good news: I'm seeing more & more people contributing to RC bugs in the BTS. here are my own contributions for the past week:

• #656552 zope2.12-sandbox: "zope2.12-sandbox: fails to install, remove and install again"
  add info to bug report
• #670405 ekiga: "ekiga: Ekiga crashes on startup"
  add info to bug report
• #673370 centerim: "centerim: Crash at startup (suspect login msn)"
  add info to bug report, then close on submitter's behalf
• #683061 ntp: "ntp: missing init script dependency on $named"
  sponsor NMU from Ivo De Decker (fix init script), upload to DELAYED/2, then cancelled by maintainer after severity change
• #684019 python-liblcms: "python-liblcms: static library in /usr/share"
  re-enable dropping of .a and .la files from python package, upload to DELAYED/2
• #684024 src:python-adodb: "python-adodb: broken binary-indep target"
  apply patches from Evgeni Golov (d/rules targets) and Jakub Wilk (python-support handling), upload to DELAYED/2
• #684078 wv2: "calligra: Buffer overflow"
  apply modified patch from KDE, upload to DELAYED/2
• #684150 python-wxgtk2.8: "python-wxgtk2.8 breaks upgrade from squeeze to wheezy"
  add info to bug report
• #684180 angband: "angband: removes files that were installed by another package: /usr/share/angband/*"
  don't remove directory belonging to other package in postrm, upload to DELAYED/2
• #684488 puppet-lint: "puppet-lint not working with ruby1.9.1"
  send a patch to the BTS

RCBW report for 2012/29 (16.7.-22.7.) The motto for this week was:

(Don t take it personally, it s just a meme :P)

• 681583 python-blist empty package
  patch to properly build a python module sent
• 681584 python-colorama missing dependency on python
  patch to use dh_python2 sent
• 681678 licq Fails to start without recommends being installed
  commented about a possible solution, awaiting maintainer comment
• 681379 django-celery FTBFS: building documentation fails
  patch to skip the building of the issuelist from github sent, uploaded by maintainer shortly afterwards
• 681328 blockdiag FTBFS: pep8: 21 errors / 0 warnings
  found patch in upstream s mercurial repository, sent it to the BTS
• 681901 datapm missing dependency on python-pkg-resources
  NMU uploaded with maintainer approval, filled 682053 while fixing
• 682053 datapm FTBFS if built twice in a row
  NMU uploaded with maintainer approval
• 681316 httpie missing dependency on python-pkg-resources
  trivial patch submitted, filled 682076 while fixing
• 682076 httpie FTBFS if built twice in a row
  patch submitted
• 663506 httpie Always bails out with pkg_resources.DistributionNotFound: requests>=0.10.4
  while not RC, IMHO an important bug to fix. submitted a patch while working on 681316 and 682076
• 682177 suitesparse libsuitesparse-dbg doesn t contain any debug information
  submitted a patch that fixes the issue, no intent to NMU as I cannot test the changes good enough
• 682249 frontaccounting fails to install: SQL syntax error
  submitted a patch to use ENGINE=(MyISAM InnoDB) instead of the deprecated and removed TYPE=
• 682354 gthumb glib errors, crash on startup
  tracked the problem down to too old libgtk-3, suggested tighter dependencies to be generated

0 comment(s) this blog is flattr enabled

thanks to the Paris BSP & other activities we're seeing a nice decline in RC bugs. here are my recent contributions:

• #554752 src:gtklp: "FTBFS with binutils-gold"
  add patch from Hideki Yamane, upload to DELAYED/2
• #640613 src:jaminid: "jaminid: FTBFS: xargs: /usr/lib/jvm/java-6-openjdk/bin/javac: No such file or directory"
  build-depend on default-jdk and set JAVA_HOME in debian/rules accordingly, upload to DELAYED/2
• #640630 src:policycoreutils: "policycoreutils: FTBFS: chmod: cannot access /build/policycoreutils-r6ObWS/policycoreutils-2.0.82/debian/policycoreutils/etc/init.d/policycoreutils': No such file or directory"
  apply patch from Ubuntu / Mitsuya Shibata, upload to DELAYED/4
• #640633 src:tunnelx: "tunnelx: FTBFS: xargs: /usr/lib/jvm/java-6-openjdk/bin/javac: No such file or directory"
  build-depend on default-jdk and set JAVA_HOME in debian/rules accordingly, upload to DELAYED/2
• #642686 src:javamorph: "javamorph: FTBFS: /bin/sh: 1: /usr/lib/jvm/java-6-openjdk/bin/javac: not found"
  build-depend on default-jdk and set JAVA in Makefile accordingly, upload to DELAYED/2
• #645493 src:postler: "Will FTBFS with libindicate 0.6"
  apply patch from Evgeni Golov, upload to DELAYED/2
• #646388 speech-dispatcher: "FTBFS due to locally changed files without patch"
  update autotools handling, partly taken from Ubuntu / Luke Yelavich, upload to DELAYED/2
• #646647 src:latex-cjk-chinese-arphic: "latex-cjk-chinese-arphic: FTBFS: The requested file, gbsn00lp.ttf, does not exist"
  apply (modified) patch from Hideki Yamane, upload to DELAYED/2
• #652222 src:sensors-applet: "sensors-applet: FTBFS: Could not parse DTD http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd"
  add patch to use local DTD, upload to DELAYED/2
• #652758 src:policycoreutils: "policycoreutils: FTBFS: cc: error: /usr/lib/libsepol.a: No such file or directory"
  multiarchify, based on patch by Hideki Yamane, upload to DELAYED/4
• #658054 instead: "Can not upgrade package instead, because new package instead-data try rewrite files from old package instead."
  add a comment to the BTS

Evgeni Golov you re not the coolest fanboy. I ve got this And it s made by my girlfriend as a christmas gift. Also hand-made. Judge this

Today I wanted to clone my dotfiles repository (no, not available online, too much private stuff in there) to a remote machine and noticed that it has grown way too big (20MiB working directory and about 200MiB in .git), so I decided to clean it up. git gc did clean up a couple of megabytes, but .git was still about 190MiB, so I wasn t satisfied. Short thinking revealed the lost megabytes are somewhere in the history when I accidentally added some files and removed them afterwards (iceweasel, icedove, it s you I m blaming ;)). But how the heck do I find and remove them? git filter-branch -f --index-filter 'git rm --cached --ignore-unmatch FILE' -- --all will remove FILE from all commits, says git-filter-branch(1), but how to find those files? They are not in my working directory anymore and I do not want to checkout every revision and look for big files in there. Let s ask git itself :)
for commit in git log --all --pretty=format:%H ; do git ls-tree -r -l $commit; done awk ' print $4 " " $5 ' sort -nu will show all files (actually all versions of all files) ever known to git, with the biggest ones at the end. Just identify the really big (unused) ones and remove them as above, thats what you think, right? Right, but .git won t be any smaller. Huh? Read git-filter-branch(1) again, just create a clone and it will be smaller, so mission accomplished! Now I had just 6MiB to push (compressed). For reference, the old tree would have used something about 150MiB to push.

0 comment(s) this blog is flattr enabled

It s been a long time since my last post about my desktop in a shell , but today I stumbled over something absolutely awesome I want to share with you. A bit of background: I am using mutt with a single imap server (where everything is forwarded to), because I disliked the idea of having multiple mutt instances running and did not want to play the <change-folder>imaps://other.server.tld/<enter> game too much.
Now today I had to delete some mail from an account I don t use regularly (and where the webmail sucks), so I switched my screen to mutt and actually did the <change-folder> game and was like wow because the account showed up in my sidebar and I could just jump between the folders of both accounts. So I thought how to automate this, so I could actually use mutt with multiple accounts (without offline-imap and friends, which is what you find on the web). It s damn easy:

# muttrc
set imap_user=account1
set imap_pass=password
set folder="imaps://imap.one.example.com/INBOX"
set spoolfile="imaps://imap.one.example.com/INBOX"
...
push <change-folder>imaps://account2@imap.two.example.com/<enter>

Well, what does this do? It advises mutt to use imap.one.example.com, but then just jumps to imap.two.example.com at the end of the config, resulting in both accounts being loaded into the sidebar and usable. That s it, one line and it is awesome! Please note, the password to both accounts is the same, you will have to fiddle around and put it in the URL somehow if it differs.

0 comment(s) this blog is flattr enabled

you have to put options scsi_mod scan=sync somewhere in /etc/modprobe.d/ and regenerate the initrd.
(thanks to Michal Ludvig in http://lists.debian.org/debian-boot/2010/11/msg00369.html)Just happened to me on my Sun Netra T1-200 after the upgrade from Lenny to Squeeze, which threw me back into busybox of the initrd when it could not find the root-fs (on raid) and where mdadm -A /dev/md0 worked just fine to confuse me.

0 comment(s) this blog is flattr enabled