Dear Lazyweb,

is there a simple way to block some users who login with SSH to read /proc/<pid>/cmdline of processes they don't own? Or better yet: don't see these pids at all?

I know that there are PID namespaces, but they seem to require a special PID 1. Seems hard to get for a simple SSH login. (I wouldn't mind changing a user's shell. But brittle shell startup scripts wouldn't cut it.) systemd-nspawn wants to boot a full Linux distribution in a container and even then I'd be unsure how to wire it up so that it cannot be skipped. I wouldn't mind a read-only bind mount of the outermost Linux installation into a chroot environment, as long as the parent SSH process can get the user jailed into it securely. (No need for someone to be root in the chroot.)

I know that there are RBAC frameworks, but they're cumbersome to use. I don't need file labelling or path-based access control, as I do trust the Linux file permissions for this. I think SMACK wouldn't help here, AppArmor isn't really useable in Debian testing and TOMOYO is a tad crazy to use with its domain transitions through process invocations.

I bet that grsecurity would have something for me up its sleeve. But it's not in a Debian kernel. Even though I know how to compile my own kernel I'd only do that if everything else fails.

Thanks in advance for your help.

UPDATE: That was quick, thanks to everyone who participated! Vasiliy Kulikov came up with a kernel patch to my problem (a hidepid mount option for procfs) that landed in 3.3. I tested it with the kernel in experimental and it works just fine and as expected. With hidepid set to 1, it will still leak the process count and their euids and egids. With hidepid set to 2, you only see your own processes, unless you're root. For ps there's no visible distinction between the two. So to test it you can just invoke this as root on a host running 3.3+:

mount -o remount,hidepid=1 /proc

There's even a backport request in the Debian BTS to get the feature into the wheezy kernel (3.2).

While writing my previous post I heard a huge noise at the front of my house. I found one man being restrained in a seated position on the ground at my front door, the man who was holding him down was accusing him of theft and asking me to call the police, and a woman was hanging around and crying. When calling the police I discovered that Optus (the Telco that provides the virtual service which Virgin Mobile uses) doesn t accept 112 as an emergency number! This combined with the fact that CyanogenMod 7 on my phone doesn t accept 000 as an emergency number meant that I had to unlock my phone before calling the police. Unlocking your phone late at night when there s a situation that needs police attention isn t as easy as you would hope. As an aside there are usually no penalties for testing the emergency service on your phone, people who install PABX systems and other significant telephony devices test emergency services calls as a matter of routine, so testing emergency calls from your phone is a really good idea. If anyone knows how to configure CyanogenMod 7 to support 000 as an emergency call then please let me know! Anyway the man who was held down claimed that a friend of his had given him a bag containing tools that he had lugged from some place not particularly near my house. The man who was holding him down said that he witnessed the other man stealing the tools from his neighbor not far from my house. The woman was apparently the girlfriend of the man who was accused of burglary. The end result was that the police arrested the man who was accused of burglary and his girlfriend. He didn t have any obvious injuries and the police said that the man who detained him did them a favor, so it seems unlikely that there will be any assault charges filed. Presumably the man who detained the burglar is explaining it all at the police station now, I hope the police gave him a chance to put on pants and shoes first. The man who made the burglary accusation said that his house was robbed last night which is why he was more observant than usual tonight. This makes me glad of my policy of rejecting every job offer which involves moving to the US. In Australia hand guns are really hard to get so there s no way that a house burglary will involve a gun and there s also no way that someone who wants to help the police will have a gun. So while it was unpleasant to have this happen at my front door it didn t involve any risk to me. It could have ended up with someone other than me getting a beating but the probability of serious injury or death for them was quite low. As everyone knew that no-one had a gun and no-one wanted to be charged with assault it made sense for everyone to avoid excessive force. From what I saw no excessive force was used. The police arrived fairly quickly and EVERYONE was glad to see them. All up it took a bit more than 30 minutes from the first noise to the police departing after arresting both suspects and filling out a bunch of paperwork. I was impressed by that! Related posts:

1. CyanogenMod and the Galaxy S Thanks to some advice from Philipp Kern I have now...

When we added s390x to the main archive, coming from Debian Ports, we were unlucky. A new glib release had assumptions that weren't true on 64bit big endian architectures and it entered the archive just a few days before we made the initial import. This weekend we finally got a new major release into Debian unstable that fixed these issues. So we're almost on par with s390 now. It all untangled quite nicely after glib-networking was able to complete its testsuite. Only one build-dependency loop between nautilus and tracker had to be broken manually.

So what's left? There's a bunch of usertagged bugs (with both general FTBFSes and arch-specific issues; kudos to Aur lien Jarno providing a lot of patches) and we still need to file some, like iceweasel segfaulting during its build. That's important because another bunch of packages needs it to build (well, mozjs and/or xulrunner, or some package that needs those).

Thanks to klibc being fixed, rootskel finally built in the archive and hence we've now finally enabled the daily builds of debian-installer for s390x. They're still untested, though, and I hope to come around to that in the near future.

In other news I've spent some more time chasing weird 64bit big endian issues in glib. Newer versions have regressed in their support and again assume that certain fields are either 32bit/64bit little endian or 32bit big endian, which is unhelpful. Sadly the testsuite is guilty as well, which doesn't make debugging any easier. I still suspect a bug in either gio or GClosure's interface to libffi, let's hope that when that one's found that the remainder of the archive is building just fine (Currently a lot is blocking on glib-networking which fails in its testsuite. And of course there are still usertagged bugs that need to be fixed.)

It would be cool if we could run more testsuites during package building and find the bugs in them. glib does have one, but its failures are non-fatal for the build (also because there are so many failures). That would make porting to future architectures a tad easier.

TL;DR: Since a few months Debian also hosts a Gobby server. You can find it at gobby.debian.org. To use it, install gobby-0.5.

Gobby is a realtime collaborative editor, much like Etherpad, but as a standalone desktop application. (It's also open source since the beginning.) It resembles gedit somewhat. In retrospect plugging into gedit would've made more sense than to develop yet another editor.

Sadly there's a catch: Gobby had multiple iterations at getting its protocol right. So there are two incompatible versions: Gobby 0.4 and Gobby 0.5. But to confuse you, Gobby 0.4.9x is currently called Gobby 0.5. The lead developer wants to get self-hosting (i.e. the one-click creation of a server) back into the application before he calls it stable.

So to use the aforementioned server you need to apt-get install gobby-0.5, invoke gobby-0.5 and type gobby.debian.org into the "direct connection" field in the lower left bottom. This will give you a document tree on the left, where you can create new documents and folders. Please don't be destructive.

If you have a problem, if no one else can help, and if you can find them, you might contact the admins at admin@$service.

Adam sent a new call for testing for the next point release of Debian Squeeze. Please test the packages in squeeze-proposed-updates on some machines running squeeze if possible, so that we don't screw up your production machines with bad updates in a week. The point release is scheduled for January 28th, i.e. next Saturday. Don't forget to copy the debian-release mailing list when you encounter regressions. Thanks for your efforts.

If you want to receive these notices by mail, please subscribe to the debian-stable-announce mailing list.

It took quite a lot of effort to persuade all decision makers to make this happen, but here it is: A new Debian buildd is being hosted at Karlsruhe Institute of Technology, to support the s390(x) ports. Its name is zemlinsky. So we've got some redundancy now and despite them being some sort of fringe architectures, they're looking pretty good. s390x is currently bootstrapped in the archive and it's progressing pretty quick. This new fast builder is one of the reasons why the slope is so steep.

Pointing people at the Debian Machine Usage Policies (DMUP) is pretty helpful to get a consent, with relation to network usage and acceptable use of the machines themselves. In this case the hardest part was drafting a user agreement that allows other non-university persons to log into the box, which is crucial to have it maintained by the Debian System Administrators.

Thanks to all the people at IPD Reussner, Steinbuch Centre for Computing and BelW who helped me getting this done.

Thanks to some advice from Philipp Kern I have now got my Galaxy S running CyanogenMod 7.1.0 which is based on Android 2.3.7 [1]. CyanogenMod has lots of configuration options that seem to be lacking in the stock releases and also supports some advanced features such as OpenVPN and a command-line. I can t properly compare CyanogenMod to the stock Android as I ve only used versions 2.1 and 2.2 of the stock Android. Presumably some of the things that I like about CyanogenMod are in the stock Android 2.3.7 release. The process of updating a phone is difficult and has some risk. Fortunately Samsung provided Download mode in the BIOS to allow recovery. If you mess up the process of updating a Galaxy S and you can get Download mode by holding down volume-down, home, and then power buttons then you can almost certainly recover (so don t panic). The CyanogenMod people don t provide any documentation on upgrading from Android 2.2 (which is what Optus is still shipping AFAIK). So you will probably have some difficulty when upgrading a Galaxy S that you get in Australia (it seems that Optus is the only company shipping them in volume). As an aside if you want to buy a Gel Case for a Galaxy S in Australia then visit an Optus store. It seems that Optus is the only phone store that hasn t run out their Galaxy S accessories in favor of the Galaxy S2. I have previously written about the Galaxy S and Three Networking [2]. Now that I have the Galaxy S as my primary phone on the Virgin network all my data corruption problems are solved, the problem is entirely related to Three. With CyanogenMod there is an option to be able to toggle the LED Flash as a torch from the drop-down menu, this makes the lack of such a LED on the Galaxy S even more of an annoyance. I have also discovered that the Galaxy S apparently doesn t have a status LED! This makes it the only phone that I ve ever owned that has no clear way of informing me when the battery is charged! It s also really useful to have a flashing LED to indicate low battery when running a full screen app, and to have a flashing LED to indicate that email has been received. Someone should design a phone with multiple LEDs to indicate different things. I d like to have one LED to indicate charging status and another to indicate whether there is unread email or SMS. Whatever the cost of including a LED during manufacture it would have to be almost nothing compared to the ~$500 sale price of a phone. Wikipedia says The Samsung Galaxy S features a PowerVR graphics processor, yielding 20 million triangles per second, making it the fastest graphics processing unit in any smartphone at the time of release. Also, upon release, the Galaxy S was both the first Android phone to be certified for DivX HD, and at 9.9 mm was the thinnest smartphone available . I don t care about any of that, I want a phone with decent battery life, a LED Flash , and a status LED. The main benefit I get from the Galaxy S over the Xperia X10 is the greater storage. The Xperia X10 has a total of 1G of storage and only 465M of that is available for application install. My Galaxy S has 16G of internal storage of which 1.8G is available for phone apps and 13G is available for pictures and other mass storage. Having 1.8G for phone apps and internal phone storage used by such apps (which includes the offline IMAP cache) is a massive benefit, enough to outweigh the lack of a staus LED and a Flash LED. What I Really Want I d rather have a Samsung Galaxy Note. The Note has a LED flash, a 5.3 screen with 1280*800 resolution which is much better for running as a SSH client and also good for web browsing. I m not inclined to spend money on a phone now, so I ll probably use the Galaxy S until Virgin offers me a new phone or someone just gives me a new phone (I can always hope). One of the many nice features in the Galaxy Note is a built in stylus. When using my current phones for web browsing I sometimes find it difficult to have a touch registered to the desired part of the screen, this is a real problem with the Opera web browser which requires a long press to open a URL in a new tab.

• [1] http://www.cyanogenmod.com/
• [2] http://etbe.coker.com.au/2011/11/21/galaxy-xperia-android-network/

If you want to copy debian-installer for System z onto a z/VM user's CMS disk, you don't need access to FTP (and hence the host's TCP/IP stack). You can just use x3270 and transfer files with it. For odd reasons I forgot about this, so let's document it here:

• Figure out which CMS disk is actually writeable for you (most likely the A disk) by issuing Q DISK and looking for "R/W" in the STAT column.
• Select File, File Transfer.
• Tick "Send to host" and "Host is VM/CMS".
• Download the four installer files to your local machine: debian.exec (a startup script that punches the kernel, boot parameters and initrd onto cards and executes the card deck), kernel.debian, parmfile.debian (the boot parameters) and initrd.debian.
• Transfer debian.exec and parmfile.debian with "Transfer ASCII file" ticked and Record Format set to "Variable" ("Add/remove CR at end of line" and "Remap ASCII characters" should both be ticked by default; LRECL and BLKSIZE should both be empty.) The host filename is the CMS filename, so something like "DEBIAN EXEC A" (with the spaces, and A replaces with the letter of the writeable disk of your choice). Both files must be prefectly readable in XEDIT (i.e. properly converted to EBCDIC).
• Then transfer kernel.debian and initrd.debian with "Transfer binary file" ticked and Record Format set to "Fixed" with LRECL = 80. This may take a while.
• Boot up the installer by issuing DEBIAN to z/VM, starting the script. If you needed to rename the files above (the drive letter doesn't matter), you need to adjust DEBIAN EXEC first.
• You should see Linux kernel messages now. Profit.

Since my last post about Firefox extensions I've enabled two other addons:

Through the comments I got pointed to Fox to Phone which enables you to send links from your browser directly to your Android phone with Chrome to Phone installed. Thanks for that.

Another useful extension that was recommended to me is LeechBlock. You give it a list of news sites you regularly frequent and it will make sure that you only spend a given time budget on them per day or that you only browse them in the evenings (or even a combination of both).

As I expected I did deactivate RequestPolicy again. That said, Facebook recently switched its certificates, so Certificate Patrol was unhappy. It's impressive and sad how many pages actually do cross-site requests to embed Facebook's buttons. If somebody would invent something less annoying to stop this mess, that would be great.

Galaxy S Review I ve just been given an indefinite loan of a Samsung Galaxy S which is more useful than the Sony Ericsson Xperia X10 that I own. I think that the main benefit is that it runs Android 2.2 instead of Android 2.1 on the Xperia. 2.2 is what gives it USB tethering support without extra software (something I haven t tested yet but will use a lot if it works correctly) and Wifi AP support. Both phones are about the same size, the Galaxy S has slightly more RAM (reported as 304M vs 280M which doesn t really matter) and a lot more main storage (1.87G vs 465M usable after the OS is loaded). The main down-sides of the Galaxy S is that it lacks a flash . I m not aware of any phone camera having a proper flash, but the limited LED flash is useful for taking pictures at times and there are a variety of programs that can turn it on for use as a torch. Also I wonder whether the Samsung people actually test their phones in real use or whether they just build them to spec. When you read the specs it sounds nice to have a phone that s only 9.9mm thick (apart from the bulge at the bottom), but that makes it really difficult to hold. The Xperia X10 is 13mm thick and isn t as slick so you are much less likely to drop it. I sometimes wonder whether phone companies are designing their products to be broken so that they can sell replacements. Three Networking Sucks My parents use 3G broadband from Three as their only connection to the Internet, this is fast enough for viewing Youtube on occasion and generally works well for them. However whenever I try to transfer any data to their system which has integrity checks it turns out to be corrupted. About every megabyte of data transferred has a corrupt packet that has a matching checksum presumably it s a bug in Three s network. Because Three are desperate for customers they have given me a free 6 month subscription to a data SIM [1]. I ve been using that SIM with my Galaxy S and found the same data corruption problem and I ve reproduced it in many places around Melbourne so this isn t just one unreliable cell tower, it s something broken in the core of the Three network. The obvious solution to this is to use a VPN so the corrupt packets will be dropped. So I set up a PPTP VPN only to discover that it seems impossible to make the default route be via the VPN, there has been a bug report about this since 2009 the iPhone allows configuring whether Internet traffic should go via the VPN, it can t be that hard [2]. There is an option to use a proxy for web access, but when I tried that on Android 2.1 it only worked for the system web browser not for things like the Android Market. But there is no option for configuring a proxy for use when the VPN is active, so it doesn t seem likely that I could run a proxy on the VPN network and direct all traffic to it. Due to corruption on the Three network and the inability to get a VPN working correctly it seems that I can t use the Three SIM. Android isn t Really Free Software While Android implementations generally stick to the GPL and other free software licenses that are involved they seem to be a poor example of providing freedom to users. My Xperia X10 is running Android 2.1 because Sony-Ericsson has locked the boot loader so I can t install a newer kernel. They don t care enough to release a new version this is stupid of them because it means that I am much less likely to recommend their products. If Sony-Ericsson releases a newer Android release then it will be a total OS reinstall, unlike the way I can upgrade a Debian system an application at a time. I can t install new packages that replace system packages, so the Email and SMS programs that I ve installed sit along side the ones that came with the system. Periodically the unwanted SMS and Email programs show up. I can t make my Android phones perform basic networking tasks that I ve done on Linux systems since the early 90 s. Hiding the complexity from the newbies is OK, but they need to make the full capabilities of the system available to experts. It seems to me that Android effectively gives the majority of users no more freedom than the iPhone does. Even for the small minority of us who are technically capable of rooting phones and installing CyanogenMod etc it s often limited by technical measures and the amount of time required. Update: Philipp Kern pointed out that his Galaxy S has a front facing camera. I have checked my phone and discovered that it has one too. When I published this post I criticised the Galaxy S for not having a front facing camera for video-calls based on a misunderstanding of the Wikipedia page (which says that SOME models lack it) and not testing it. Thanks for the correction Philipp and sorry for publishing wrong data.

• [1] http://etbe.coker.com.au/2011/06/04/leaving-three/
• [2] http://code.google.com/p/android/issues/detail?id=4205

There are various presentations that state the goodness of PAV on Linux. Most revolve around using multipath-tools to assemble a volume if you don't have HyperPAV. But it turns out that the DASD device driver does multipathing for them internally in current kernels (which includes the squeeze kernel).

So all you need to do is setting those alias devices online. When you do that the kernel will log that it detected a new device, but you'll find that it won't create any dasd* device nodes for them, nor will it list partitions. lsdasd will only show you "alias" without mentioning the base volume, but you can fetch that information easily from the uid sysfs entry.

Many people around me switched to Chrome or Chromium. I also used it for a bit, but I was a bit disappointed about the extensions available. To show why, here's a list of the extensions I've currently installed:

• Adblock Plus: I guess everyone knows this. It sits quitely in the background and removes quite a bunch of eye-distracting stuff from web pages. You see the web differently and are always confused when viewing pages on your smartphone.
• British English Dictionary: Pretty self-explaining. Firefox has an integrated spell checker and that one needs a dictionary.
• BugMeNot: You can right-click on a login field and let it insert BugMeNot data automatically. I don't use it often enough to remember that it's there.
• Certificate Patrol: SSL's X.509 trust model is weak, to say the least. This extension implements the "save on first visit" trust model and warns you if the certificate or the CA of a URL changes.
• Download Statusbar: If you're used from, say, Chromium to see your download progress above the status bar, this extension will give you that. I don't like the separate window, especially with Awesome as my window manager.
• Firebug: Most people know this, too. Very useful when you do web development. You can see the effects of CSS as you type, for instance.
• Flashblock: YouTube has its HTML5 trial, so you don't need Flash for it. Sadly I had to give in recently (for live streaming sites like the German Parliament, go figure) and have it installed for "emergency" cases. But really nobody needs Flash advertisements or other silly Flash animations, so Flashblock will conveniently refuse to load the Flash plugin unless you tell it to.
• German Dictionary: As above.
• Google Translator for Firefox: Translates marked sections on a web page in place. It lets Google guess the source language, so you really only mark the area, click the button and be done.
• Greasemonkey: Modifies web pages in place to make them more sane, using little scripts. I use two currently:
• Better Outlook Web Access (OWA): For odd reasons I'm forced to use OWA 2007 at a company of Windows and Mac users. This makes it a little bit more bearable, by allowing you to save your password and by adding a message preview pane. You really don't want to use OWA Light 2007 without this.
• Tagesschau.de - video tag: A simple script that lets you watch videos on tagesschau.de without resorting to Flash. They ship Theora videos alongside H.264, which is supported by Firefox out of the box.
• Lazarus: Form Recovery: This already saved me many, many times. Sometimes I hit the stupid Thinkpad page back/page forward keys, or the browser crashes or I'm torn away from a page in another way. This extension keeps your form content mostly save, so that you don't need to start from scratch. A must have.
• Live HTTP headers: curl -D usually works. But sometimes you need authentication and cookies and stuff, hence doing it in the browser makes sort of sense.
• Modify Headers: I don't really use it anymore. There was this legend that YouTube lets you watch videos that are blocked in your country (Hello, GEMA, I'm looking at you!) if you provide a X-Forwarded-For header with an IP from another country. Never worked for me.
• Mozilla Archive Format: If you need to archive a web page or want to collect a bunch of pages for offline reading, this is the way to go. You can conveniently select either single pages or several tabs to be stored.
• Perspectives: I'm paranoid, so here's the second SSL certificate check. Perspectives uses a bunch of network notaries hosted on PlanetLab to check if everyone sees the same certificate. Together with Certificate Patrol that means if that you save a self-signed certificate on first visit if the notaries all agree that it's the currently installed one.
• PwdHash: Password re-use on different web sites is bad. There are sites where I'm not very concerned about the strength of my password, but where I don't want to leak my main ones. PwdHash uses the domain name and the password I give as components to a hash function. So if I'm at a computer without access to my saved passwords, I can easily reconstruct the hash. If need be, I can use the JavaScript on the developer's web site to do that.
• RequestPolicy: It's currently installed but I don't think it will stick around much longer. Too many sites are using embedded cross-site requests, which this extension will allow you to review. As an example every Blogger site that's on a custom domain (like my blog) will trigger it. Instead half of your web will have red flags everywhere full of blocked requests. Not that helpful. Interestingly enough it also polices Flash's outgoing web requests. Which breaks even more often than normal web pages.
• Secure Login: This gives you a button (or a keyboard shortcut) that allows you to choose from several logins and then goes on and posts those credentials securely to the page in question, bypassing any JavaScript that might want to see them. You also get auto-login bookmarks for those sites which don't allow you to remain logged-in across browser sessions. (Like OWA.)

If Firefox on Android were quicker to start and faster overall, I might even use it there. But as-is it's not very useful. Sadly this also means that I can't use Firefox Sync on my phone and as I don't use Chrome on my desktop I also can't use Chrome to Phone. So I usually go and build a QR code on my laptop and read that with Android's Barcode Scanner.

Of course I'm actually using Iceweasel and I'm very grateful for Mike Hommey's efforts to track the release channel on mozilla.debian.net.

There's a new call for testing for the next point release of Debian Squeeze. Please test the packages in squeeze-proposed-updates on some stable machines if possible, so that we don't screw up your production machines with bad updates in a week. The point release is scheduled for October 8th, i.e. next Saturday. Don't forget to copy the debian-release mailing list when you encounter regressions. Thanks for your efforts.

If you want to receive these notices by mail, please subscribe to the debian-stable-announce mailing list.

Two tiny bits:

• Thanks to Micha Lenk and after a fruitful discussion with Andrew Ruthven, you can finally find the Python bindings for Gnucash in the archive.
• If you want to check how your favourite package evolved over time: All historic build times and disk space information available in the Debian build logs are now imported into our database and are hence visible on log overview pages such as the insighttoolkit one.

If you still want to grab documents that used to be on gobby.debian.net:

• A Gobby server is back at that address. However its SSL certificate is issued on the name of gobby.0x539.de, which is upstream's public Gobby server. So you can just accept the certificate and then access the documents in the "debconf11" folder.
• I put up a tarball of all resulting plain-text documents. If you miss some content in one of them, please don't hesitate to contact me. I might be able to restore it from the records that dkg sent me before shredding the server.

Three things I learned about Debian s390 today:

• The kernel expects hexadecimal channel numbers in lower case. Trying uppercase digits is futile.
• To get a getty in the HMC's Operating System Messages window of an LPAR, just uncomment the dumb console entry in /etc/inittab.
• For the integrated ASCII console to work on LPAR, you need to put up a getty onto ttysclp0. You can reuse the same parameters as for ttyS0 (the device that just works with z/VM). Unlike the 3270 interface of z/VM the integrated ASCII console is actually pretty nice and usable. You can even run vim in it without getting completely crazy.

So there are two things I stumbled upon with caff:

• If you have two keys, you want to set $CONFIG 'local-user' to the content of $CONFIG 'keyid' . For some reason unbeknownst to me this option is not even listed in the configuration file template. keyid does something different that you'd expect
• More importantly it uses its own gpg.conf for whatever reason (probably because it sets its own GnuPG homedir and does not override the configuration file location). So if you, like me, put the right settings for strong signatures into ~/.gnupg/gpg.conf, you need to replicate them into ~/.caff/gnupghome/gpg.conf.

Thanks to Tom Marble for the hint. I'm still sad that I'd basically need to re-do yesterday's keysigning (which was about 100 e-mails), just to switch from the default SHA1 to SHA256

In the aftermath of the World IPv6 Day YouTube seems to be serving its content over IPv6 now. Interestingly the frontpage is still served via IPv4 (if you're not in a Google IPv6 whitelisted network). But all the Flash and HTML5 video content is served through IPv6 if available, as the cache servers return proper AAAA DNS records. Apparently that's the case unless your network is blacklisted because of bad IPv6 support and even if Google has some caches at your provider's site (which is the case for Alice DSL in Germany, at least).

I think that's quite some motivation for the providers to at least fix IPv6 connectivity if available and to suppress rogue IPv6 router advertisements in their networks. I had to ensure the former today and the latter is a constant source of grief with the bulk of L2 switches and Wi-Fi access points not being IPv6 ready.

Last week I tried switching a library to Gtk3. The needed changes to the code are available through --with-gtk3. However this is generally not enough. Even if your symbol list doesn't change, the ABI changes implicitly. The library in question had a .symbols file, but that's not enough because the resulting GUI application will bail out at runtime if symbols of both Gtk2 and Gtk3 are found in the same address space. That's mostly because C symbols don't contain any signatures with return types and parameters.

So if your library upstream did not change the soname for the Gtk3 build, please encourage them to do so. Also keep in mind that this most likely means new pkg-config files specific to the Gtk3 build, too. At least if you want your reverse-depends to be able to build against either Gtk2 or Gtk3 in a predictable way.

An example is this change to gtk-vnc, which uses gtk-vnc-2.0 as the new API/pkg-config name for the Gtk3 build, gtk-vnc-1.0 remains the old Gtk2 one. The soname changes from libgtk-vnc-1.0.so.0 to libgtk-vnc-2.0.so.0.

(Thanks to Michael Biebl and Julien Cristau for pointing out the obvious to me.)