Inter and IBM Plex fonts for your Linux desktop

Recently I came around a post on the Fediverse mentioning the Inter fonts. There is even a GNOME issue open discussing making the Inter fonts the default in a future version of the GNOME desktop. This prompted me to try this font, and I have to say I am liking it so far.

The Inter font, does not have a monospace version available, but the Inter developer recommended some nice monospace fonts which match Inter. I decided to go for the IBM Plex Mono font.

Both Inter and IBM Plex are packaged in Debian, so you can easily install them with apt:

# apt install fonts-inter fonts-ibm-plex

To change the fonts in the GNOME desktop, you need to launch gnome-tweaks (install the package with apt if it’s not present on your system, and go to Fonts. I set Interface Text and Document Text fonts to Inter Light 10, the Monospace Text font to IBM Plex Mono Regular 10 and the Legacy Windows Titles fonts to Inter Bold.

Then in Firefox in the menu click on Settings and if you scroll down you will find the Fonts section with a button Advanced… next to it. Click on that button and set Proportional font to Sans Serif, the Serif font to IBM Plex Serif, the Sans Serif font to Inter and the Monospace font to IBM Plex Mono.

Of course you can use these fonts in other desktops and browsers.

Enjoy your fresh desktop fonts!

Wireguard VPN with systemd-networkd and Foomuri

After my first successful implementation of Foomuuri on a server with an IPv4 connection, I wanted to try Foomuuri in a different environment. This time I choose to implement it on my IPv4/IPv6 dual stack Wireguard VPN server. I originally set up this system with Shorewall, so let’s see how we should configure this with Foomuuri.

While at it, I also moved the configuration of Wireguard to systemd-networkd, where the main network interface was already configured. This was also useful because some things which were configured in Shorewall before and which Foomuuri does not do by itself, can now be configured in systemd-networkd.

systemd-networkd configuration

I create /etc/systemd/network/wg0.netdev with these contents:

[NetDev]
Name = wg0
Kind = wireguard
Description = wg0 - Wireguard VPN server

[WireGuard]
PrivateKeyFile = /etc/systemd/network/wg0.privkey
ListenPort = 51820

# client 1
[WireGuardPeer]
PublicKey = publickey_of_client
AllowedIPs = 192.168.7.2/32
AllowedIPs = aaaa:bbbb:cccc:dddd:ffff::2/128

I moved the /etc/wireguard/privatekey file to /etc/systemd/network/wg0.privkey, and then give it appropriate permissions so that user systemd-network can read it:

# chown root:systemd-network /etc/systemd/network/wg0.privkey
# chmod 640 /etc/systemd/network/wg0.privkey

Then I create /etc/systemd/network/wg0.network:

[Match]
Name = wg0

[Network]
Address = 192.168.7.1/24
Address = fd42:42:42::1/64

[Route]
Destination = aaaa:bbbb:cccc:dddd:ffff::2/128

For IPv4, we set the address to 192.168.7.1/24 and systemd-networkd will automatically take care of adding this subnet to the routing table. As we are using public IPv6 addresses for the VPN clients, I add a [ROUTE] section which takes care of adding these IP address to the routing table.

The configuration of the public network interface is stored in /etc/systemd/network/public.network:

[Match]
Name=ens192

[Network]
Address=aaaa:bbbb:cccc:dddd:0000:0000:0000:0001/64
Gateway=fe80::1
DNS=2a0f:fc80::
DNS=2a0f:fc81::
DNS=193.110.81.0
DNS=185.253.5.0
Address=www.xxx.yyy.zzz/24
Gateway=www.xxx.yyy.1
IPForward=yes
IPv6ProxyNDP=1
IPv6ProxyNDPAddress=aaaa:bbbb:cccc:dddd:ffff::2

Important here is that we enable IP forwarding and IPv6 NDP proxy here. Both were things we could configure in Shorewall before, but Foomuuri does not support setting these. This is not a problem, because this can be set up directly in systemd-networkd.

To reload the configuration for all network interface, I run:

networkctl reload

To bring up the Wireguard connection:

networkctl up wg0

Because of systemd issue #25547, networkctl reload is not enough if you make changes to the peer configuration in wg0.netdev. You will first have to delete the network device with the command

networkctl delete wg0

after which you can run networkctl reload and bring up the network connection. In case of doubt all network interfaces are configured correctly, you can also completely restart the systemd-networkd service:

# systemctl restart systemd-networkd

While working on the network configuration, of course make sure you have access to a real console of the system, so that in case your system becomes inaccessible, you can still fix things through the console.

Foomuuri configuration

Now we define the zones in /etc/foomuuri/zones.conf:

zone {
  localhost
  public ens192
  vpn wg0
}

Foomuuri by default does not define a macro for the Wireguard UDP port, so I create one in /etc/foomuuri/services.conf:

macro {
	wireguard udp dport 51820
}

I adjust some logging settings in /etc/foomuuri/log.conf. In case I want to filter outgoing connections from the machine in the future, I want to log the UID of the process and I also increase the log rate, as I had the impression that I sometimes was missing valuable log messages while debugging. Adjust the values if you wan to reduce log spam.

foomuuri {
  log_rate "2/second burst 20"
  log_level "level info flags skuid"
}

I set up masquerading (SNAT) in /etc/foomuuri.conf/snat.conf :

snat {
  saddr 192.168.7.0/24 oifname ens192 masquerade
}

Then I set up these rules for traffic going through our firewall:

public-localhost {
  ssh
  wireguard
  icmpv6 1 2 3 4 128
  drop log
}

localhost-public {
  accept
}

vpn-public {
  accept
}

public-vpn {
  icmpv6 1 2 3 4 128
  drop log
}

vpn-localhost {
  accept
}

localhost-vpn {
  icmpv6 1 2 3 4 128
  reject log
}

Notice that I allow ICMPv6 traffic that should not be dropped.

As usually check your configuration before reloading it:

# fooomuuri check
# foomuuri reload

Testing and debugging

If things don’t work as expected, enable debugging in the wireguard kernel module and check the kernel logs. I refer to the previous article about this for more details.

Conclusion

Setting up Foomuuri was pretty easy again. The most difficult thing was getting the systemd-networkd configuration completely right. Especially with IPv6 it can take quite some time debugging before everything works as expected.

Setting up Foomuuri, an nftables based firewall

Up to now I have always been using the Shorewall firewall on all my Linux systems. I find it very easy to configure while at the same time it’s very powerful and flexible so that you can also use it with more complicated set-ups, such as routers with multiple network interfaces, VPN’s and bridges. Unfortunately Shorewall is still based on the old xtables (iptables, ip6tables, ebtables, etc…) infrastructure. While it still works and in reality the iptables commands are actually now front-ends to the more modern nftables back-end, Shorewall development has stalled and it looks very unlikely it will ever be ported to nftables.

I started using Firewalld, a firewall which is used by default on Red Hat and Fedora based systems. However I did not like it. Configuration of Firewalld happens through the command line with firewall-cmd, which I find much more complicated than just editing a configuration file which usually contains examples and gives you an easy overview of the configuration. Firewalld saves its configuration in XML files. You could edit these files instead of using firewall-cmd, but that is obviously much more complicated than editing configuration files which were designed for human editing. Furthermore I found Firewalld to be very inflexible. Firewalld does not have support of filtering traffic on a bridge (layer 2 filtering), unlike Shorewall.

Recently I discovered the nftables based firewall foomuuri. It’s still a very young project but it’s actively developed, already has extensive features, is packaged in Debian and is configured through human-readable configuration files. I decided to try it on a server where I wanted to filter incoming and outgoing network traffic.

Installing Foomuuri on Debian

Foomuuri is availabe in Debian testing and unstable, but it has also been backported to Debian 12 Bookworm. To use that package, you have to enable the bookworm-backports repository first. Then install the foomuuri package

# apt install foomuuri

If you are using NetworkManager also install foomuuri-firewalld, because it will allow NetworkManager to set the zone the network interface belongs to.

Configuring Foomuuri

Foomuuri can be configured through files in the /etc/foomuuri directory. Foomuuri will read all files which name ends with .conf, so you can split up the configuration in as many files as you want or just put everything in a single file, as you prefer. I like the split configuration files of Shorewall, so I will do something similar here.

Before activating the configuration, always run

# foomuuri check

to validate your configuration. You can start and stop the firewall by starting and stopping the systemd service, you can reload the configuration by running

 # foomuuri reload

You can find the documentation of Foomuuri on the Foomuuri wiki.

Defining zones

The first ting we have to do is define the zones and set which interfaces belongs to which zone. I create /etc/foomuuri/zones.conf:

zone {
  localhost
  public enp1s0
}

I create the zone localhost and the zone public and add the network interface enp1s0 to it. You can add multiple interfaces to a zone by separating them by spaces. If you are using NetworkManager, you don’t have to add the interfaces here and can leave the zone empty. You can configure the firewall zone in NetworkManager and it will set it through foomuuri-firewalld.

Using macros to alias configuration options

Macros can be used to define certain configuration options you want to use multiple times without having to write them completely every time. In practice a lot of macros are already configured which define the configuration for common services. You can see all defined macros by running

# foomuuri list macro

For example the macro imap defines the configuration tcp 143, so that you can just write imap instead of tcp 143 in the configuration. I added a few which were not defined by default in /etc/foomuuri/services.conf:

macro {
	nrpe	tcp 5666
	nmb	udp 137 138 139; tcp 139
}

Macros can be used to configure common subnets. For example I have a file named /etc/foomuuri/subnets.conf:

macro {
	mysubnet		192.168.0.1/24
	othersubnet		192.168.1.1/24
}

I also use macros to create lists of individual hosts, such as all NFS clients which need to access this NFS server in /etc/foomuuri/nfs_clients.conf

macro {
	nfs_clients   192.168.0.1 # web server
	nfs_clients + 192.168.0.2 # gitlab
	nfs_clients + 192.168.0.3 # nextcloud
}

For easy readability, I put every host in a single line, and I add a comment for my own reference. With the + sign I add all next hosts to the macro.

Firewall for incoming connections

To configure Foomuuri to filter incoming connections to my servers, I create a section public-localhost which contains the firewall rules for traffic coming from the public zone to localhost. I put this in the file /etc/foomuuri/public-localhost.conf:

public-localhost {
  dhcp-server
  ssh
  ping  saddr mysubnet
  nmb   saddr mysubnet
  smb   saddr mysubnet
  nfs   saddr nfs_clients
  nrpe  saddr 192.168.0.5
  drop log
}

My server is acting as a DCHP-server, so I use the dhcp-server macro to allow all this traffic, just as I allow all incoming ssh traffic. I allow ping, nmb and smb traffic from mysubnet. Notice that in these rules I use my custom macros nmb and mysubnet. Then I allow nfs from all addresses listed in my macro nfs_clients, and I allow nrpe from a specific IP address. Finally I end with a rule which drops and logs all traffic which has not matched any of the rules before.

Firewall for outgoing connections

I think that filtering outgoing connections is a very effective security hardening measure. In case people with bad intentions get access to your server through a non-root user account, this will severely limit their abilities to move laterally through your network and attack other systems, to run a crypto-miner, or download malware from the Internet.

localhost-public {
  dhcp-client
  nmb uid root
  ntp uid systemd-timesync
  ping uid root daddr mysubnet # dhcpd sometimes pings
  smtp daddr 192.168.0.1 uid postfix
  domain daddr 192.168.0.255 192.168.0.254
  uid root tcp daddr 192.168.0.5 dport 8140 # puppet agent
  uid _apt tcp dport 3142 daddr 192.168.0.6
  uid root ssh daddr 192.168.0.250 # backups
  drop daddr 169.254.169.254 tcp dport 80 # don't fill logs with Puppetlabs facter trying to collect facts from Amazon EC2/Azure
  reject log
}

I allow outgoing connections for different services, and for most services I set the user which can create that connection, and to which host I allow the connection. I explicitly drop without logging connections to 169.254.169.254 port 80, because facter tries to connect to this address every time it runs in order to get some metadata from your cloud service provider. If your system is running on Amazon or Microsoft Azure cloud services, you will probably want to allow this connection instead, so you can then just remove the drop word.

In order to log the UID of the process which tried to establish a rejected connection, in future Foomuuri versions (starting from Foomuuri version 0.22) you can replace the last rule by

reject log log_level "level warn flags skuid"

In current version 0.21, it is possible by setting this globally for all connections. I created /etc/foormuuri/loglevel.conf:

foomuuri {
  log_level "level info flags skuid"
}

Integrating Fail2ban with Foomuuri

I found inspiration for integrating Fail2ban with Foomuuri in issue 9 on the Foomuuri issue tracker.

Create /etc/fail2ban/action.d/foomuuri with these contents:

[Definition]
actionstart =
actionstop  =
actioncheck =
actionban   = foomuuri iplist add fail2ban <ip>
actionunban = foomuuri iplist del fail2ban <ip>
actionflush =

Then set foomuri as the default banaction by creating /etc/fail2ban/jail.d/foomuri.conf:

[DEFAULT]
banaction = foomuuri

Then foomuuri should create the fail2ban iplist. We can configure it to so by creating /etc/foomuuri/fail2ban.conf:

iplist {
	@fail2ban
}

Then I add this rule as first rule to the public-localhost section:

  saddr @fail2ban drop log fail2ban drop

This will drop all connections coming from an address in the iplist fail2ban, and will also log them with prefix fail2ban. If you don’t want this to be logged, just remove log fail2ban.

To ensure that Foomuuri is started before Fail2ban, so that the fail2ban iplist exists before Fail2ban starts to use it, create

/etc/systemd/system/fail2ban.service.d/override.conf:

[Unit]
After=foomuuri.service

After making these changes, first restart Foomuuri and then Fail2ban.

Conclusion

I found Foomuuri easy to use for a system with one network interface. Configuration through the configuration files is easy, also when implementing filtering for outgoing packets. Even though Foomuuri is still a young project, it already has many features and its author is very reactive to discussions and issues on Github. I also found the documentation on the wiki very helpful

I will try to implement Foomuuri on more complex setups in the future, such as on a host for virtual machines of which the network interface is bridged to the main network interface of the host, VPN servers, routers, etc…

Finally I want to thank the Foomuri developer Kim B. Heino and the maintainer of the Debian package Romain Francoise for their work and making this available to the community.

Noteworthy Debian Trixie/Sid changes July 22 2023

Version 1.207 of gcc-defaults uploaded to sid makes GCC version 13 the default GCC version in Debian Sid.

systemd was updated to version 254 RC2. One of the changes is that this introduces the command systemctl soft-reboot which does a user-space reboot. This means that the hardware nor the kernel is reset. This can be used as a lightweight, faster reboot.

sdl12-compat package 1.2.64-5 now replaces the SDL 1.2 libraries. This compatibility layer implements the SDL 1.2 APIs on top of SDL 2.

Finally more GNOME 44 packages, which were already available in experimental for some time, are now entering unstable. The file chooser in GTK+4 applications now has a grid view showing file thumbnails. In the Preferences of the Nautilus file manager you can enable the option Expandable folders in list view, a feature which was present in earlier Nautilus versions, but which was temporarily dropped when it was ported to GTK+4. The gnome-shell and gnome-control-center packages are not yet upgraded to version 44 in Sid, so if you want a more complete GNOME 44 experience, you still have to get these from experimental.

New in the Debian archive is Fangfrisch, a tool which can be used to regularly download additional signature databases for the ClamAV anti-virus software.

The Chromium web browser was updated to version 115. New in this version is the Topics API, which is a new attempt by Google to replace third-party cookies which comes after the failed FLoC attempt and hence we can expect it to be very controversial again. Go to the address chrome://flags/#privacy-sandbox-ads-apis in Chromium, to check whether the Privacy Sandbox Ads APIs are disabled. On my system it was, but I’m not sure whether because this is only enabled by default in Google proprietary Chrome builds or because I’m using different anti-tracking extensions. On a slightly related topic: Google is proposing a new API which basically implements DRM for web pages, which would give websites control over which devices and browsers can be used to view the site and could make it impossible to use ad-blockers. If you care about privacy and an open web, please stop using Chromium and switch to Firefox instead.

Speaking of Firefox, the firefox-esr package was updated from version 102 to version 115, bringing all new features of this version to the people who are using this default Firefox package.

The wine-development package was updated from version 7.22 to 8.3, which should improve compatibility with many Windows applications. I expect more updates to bring it in line with the latest 8.13 version, will be coming soon.

Furthermore I mention that Pipewire was updated to 0.3.74, the Flightgear flight simulator to version 2020.3.18 and many more.

Noteworthy Debian Trixie/Sid changes July 8 2023

Here is a late quick overview of important changes in Debian Sid during the last two weeks.

glibc was updated from version 2.36 to version 2.37. This version mostly contains bug fixes and mintor improvements. An important regression by this update was fixed in the Debian package 2.37-4, which is not yet in testing/trixie, so you might want to update immediately to the sid version of glibc if you are on testing.

Linux 6.3.11 fixes the so-called StackRot security vulnerability (CVE-2023-3269). An exploit wil be made public soon and will allow any local user to get root access rights, so make sure you are running this kernel on all your systems. This kernel also re-enables CONFIG_VIRTIO_MEM which got disabled by mistake in Debian 12 Bookworm. Both the StackRot security vulnerability as the CONFIG_VIRTIO_MEM regression are now also fixed in the latest kernel release in bookworm-security.

Server software

PowerDNS Authorative Server 4.8.0 adds Lightning Stream support, while PowerDNS Recursor 4.9.0 has some performance improvements, amongst others.

Cyrus IMAP 3.8.0 adds support for some IMAP RFCs and implements new JMAP features.

NGinx 1.24.0 enables TLSv1.3 by default.

Debian’s Slurm package was updated to version 23.02.3.

Desktop software

Firefox 115 is now available in sid. Keep in mind that the firefox package never moves to testing and stable, only the firefox-esr package does. Firefox 115 will become the future Firefox ESR release though. Most important change in Firefox 115 is that it enables hardware video decoding for Intel GPUs with VA-API on Linux by default.

Remmina in sid was updated from 1.4.29 to 1.4.31. This version brings back the remmina-plugin-spice package which was also disabled in Debian 12.

Digikam 8.0.0 has improved file format support, new OCR tool and other improvements.

The Kdenlive video editor version 23.04 adds nested timelines, new effects and transitions, improvements to subtile handling and integrates the Whisper speech recognition system.

Shotwell 0.32 also brings improved file format support and various other improvements.

Phosh, the GNOME Phone Shell was updated to version 0.29. Improvements include call notification on the lock screen and audio device selection to the settings.

Noteworthy Debian Trixie/Sid changes June 24 2023

As expected, the second week of Trixie development was a lot more quiet than the first week.

KDE Frameworks was updated from version 5.103 to 5.107. While this has little visible changes, these are libraries which lay the foundations for improvements and bug fixes in KDE applications.

KDE Gear apps Neochat (a Matrix client), Elisa (a music player), Dragon Player (a movie player), Filelight (a disk space visualizer) and Spectacle (a screenshot application) were updated to the 23.04 release. Spectacle has gotten a complete redesign of the user interface and supports screen recording on Wayland.

The QT based display manager sddm version 0.20 now has experimental Wayland support and has enabled HiDPI scaling by default.

The AV1 encoder and decoder svt-av1 was updated to version 1.6.0. This brings once again performance and quality improvements.

Other upgraded packages in sid include Homebank 5.6.5, Deluge 2.1, GNOME Music 44 and many others.

Noteworthy Debian Trixie/Sid changes week 1 (June 11 – June 17 2023)

A long time ago, I used to regularly post an overview of noteworthy changes in the Mandriva development version. For years now I am using Debian testing though. With the release of Debian 12 Bookworm, I though it could be interesting to keep track of noteworthy changes in the upcoming Debian version, Trixie.

I will be tracking sid trough the debian-devel-changes maling list. Usually about 10 days after a package entered sid, it should move to testing, at least if there are not important bugs in the package. The selection of which packages I mention here, is very personal. I will try to cover important changes for both desktop and server packages, but this list will never be complete. If you noticed an interesting change not mentioned, feel free to add a comment to this article.

I’m not sure whether I will make this kind of post regularly without interruption, but let’s see where this goes.

The first week of development, saw a huge amount of packages updated to the latest upstream versions. Some of these were already available in Experimental for some time. Let’s dive in.

Kernel, hardware support, low-level libraries

The Linux kernel was updated to the 6.3 series, coming from 6.1 in Bookworm. I refer to kernelnewbies.org for a complete overview of what’s new in Linux 6.2 and Linux 6.3, but I can mention BTRFS performance improvements in both versions (including discard=async being default on SSDs with TRIM support, performance improvements if you are using an Intel Skylake CPU and add retbleed=stuff to the kernel options and the usual driver improvements which improve hardware support, for example for the current Intel Arc GPUs. If you have an AMD processor with at least the Zen2 microarchitecture, you can enable the new amd_pstate_epp frequency scaling driver by adding the kernel option amd_pstate=active.

btrfs-progs has been updated to version 6.3.1. The major change in the 6.3 series is that block-group-tree is out of experimental mode. This will reduce the mount time of BTRFS file systems. You can enable this on an existing file system with the command

btrfstune --convert-to-block-group-tree <device>

Developers warn to be careful, because there might still be bugs.

The Mesa 3D drivers were upgraded from version 22.3.6 to 23.1.2. You will want to upgrade to this version if you are using an Intel Arc GPU because there have been many bug fixes. Also new in Mesa 23.1 is OpenCL support for AMD GPUs using rusticl.

power-profies-daemon version 0.13 entered Debian Sid. It adds support for the amd_pstate_epp driver which can be activated in Linux 6.3.

Tthe LLVM based Fortran compiler Flang is now available in Debian as the package flang-15. LLVM 16 is available in sid. Clang 16 and libc++ 16 are only available in experimental at this time and version 15 is still the default version in sid.

Server and virtualization

Samba 4.18.3 brings some performance improvements relative to version 4.17.8 in Bookworm.

Qemu was updated to 8.0.2. The 8 series brings various improvements, but maybe the most important thing to mention is that virtiofsd, a daemon which allows you to share directories on the host with guests, is not included in the qemu package any more. If you use this, you will need to install the new virtiofsd package which contains a new implementation in Rust.

Desktop

LibreOffice is now at version 7.5.4. The 7.5 series bings improved dark mode support, new application icons, nicer default table styles in Draw and Impress and other various improvements. See the release notes and the New Features in Libreoffice 7.5 video for more information.

This week we saw the first GNOME 44 packages enter sid. gnome-backgrounds 44 brings you new desktop wallpapers and evolution 3.48 brings lay-out improvements. If you don’t like the headerbar layout, you can disable it and switch back to the traditional toolbar.

New in Debian is the gdm-settings package. It lets you configure the GDM login manager and change its appearance through a user friendly user interface.

NetworkManager-openconnect 1.2.10 finally adds support for Single Sign-on implementations using SAML on the Cisco AnnyConnect and Palo Alto GlobalProtect VPNs. Unfortunately it does not seem to work for Pulse/Juniper. I have opened an issue for that, and in the meantime I use openconnect-pulse-gui.

The Transmission Bittorrent client 4 has moved from C to C++, uses less CPU and memory and has support for the Bittorrent v2 protocol, amongst other improvements.

The first KDE Gear 23.04 applications are now being uploaded to sid. Now in the repositories is the KDE Mastodon client Tokodon. Gwenview (supports pinch gestures to zoom in Wayland mode), Ghostwriter (automatic language detection for the spellchecker) and the Falkon web browser (dark colour scheme support) were updated to 23.04.

Tellico, the application which helps you to keep track of your music, movie and other collections has support for new data sources and improved support for existing data sources and has reports with an image grid.

Thhe dav1d AV1 video decoder was update d from 1.0 to version 1.2.1. This version brings many performance improvements thanks to new SIMD code. Also the svt-av1 encoder and decoder was updated to version 1.5.0, also adding some optimizations.

There are plans to remove the old SDL 1.2 packages, replacing them by SDL12-compat (Debian package libsdl1.2-compat-shim) which implements SDL 1.2 using the SDL 2. Version 1.64, which entered sid, added compatibility for some old games, such as Sid Meier’s Alpha Centauri and others.

Science, education and technical tools

GNU Octave 8.2 brings improved Matlab compatibility, the GUI has dark mode support and various other improvements.

The R statistical computing programming (package r-base) 4.3.1 (was 4.2.2 in Bookworm) brings many new features.

Labplot 2.10 comes with many new features, improvements and performance optimizations in different areas, as well as with support for new data formats and visualization types.

People who are into geographic information systems will by happy with the QGIS update. Version 3.28 introduces many improvements. Look at the changelog for more details.

The Electronics Design Automation Suite kicad has been updated to version 7. I don’t know anything of this kind of software, but the release announcement lists a large number major of improvements.

Others improvements

There are too many changes to list here in detail. I mention updated Pipewire 0.3.71, Wireplumer 0.4.14, GStreamer 1.22.3, Opus 1.4, Gajim 1.8.0, OpenJDK 20, Phosh 0.28.0 and much more.

Conclusion

The first week of Trixie development saw a huge amount of software enter Debian sid. This is of course due to the backlog of all new upstream versions which could not be submitted during the Bookworm freeze, are now all trickling in now. Some of these packages were already in Experimental.

My personal favourites are Linux 6.3 which now allows me to use the amd_state_epp driver and Evolution 3.48, which has an some improvements to the UI which I like a lot.

Now that the first flood of new packages have arrived, things will probably calm down a bit, also because of the upcoming summer and holidays in the northern hemisphere. But I guess we will see more of GNOME 44 and KDE Gear 23.04 entering sid soon.

Upgrading from Debian 11 Bullseye to Debian 12 Bookworm

Debian 12 Bookworm will be released very soon, on June 10 2023. The Debian Testing tree is now very close to the final release, so now is a good moment to start testing Bookworm if you did not do so. I already upgraded some of my server systems to Bookworm and I’m also running on all my desktop systems, so here are some notes of the upgrade process. Keep in mind that upgrading to Bookworm is only supported if you are running Bullseye. If you are running an older version of Debian (Buster), you will need to upgrade to Bullseye first and after that upgrade to Bookworm.

First of all, start with reading the release notes, it contains a very detailed howto guide describing all steps to upgrade your system to Bookworm. It also lists all major changes and important things to know before you upgrade.

First check which packages you have installed which do not come from the official Debian repositories with this command:

# apt list '?narrow(?installed, ?not(?origin(Debian)))'

Because these are not official Debian packages, Debian developers cannot guarantee that they will work correctly and will not conflict or cause compatibility problems when upgrading your system. For that reason, you should seriously consider uninstalling them during the upgrade process.

On one system I had a locally built snuffleupagus package installed. This package was built against a particular PHP version and because a newer Debian release will also include a newer PHP version, this could break things. So i removed this package:

# apt remove snuffleupagus

Then you need to verify whether you have put any packages on hold. Packages on hold will never be upgraded, so this can prevent a correct upgrade. Check all held packages with this command:

# apt-mark showhold

You can unhold them with this command:

# apt-mark unhold packagename

Then we need to adapt our apt sources.list and preferences.

You should have this in /etc/apt/sources.list (or in a .list file /etc/apt/sources.list.d):

deb [arch=amd64,i386] http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware

deb [arch=amd64,i386] http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

deb [arch=amd64,i386] http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware

deb [arch=amd64,i386] http://deb.debian.org/debian/ bookworm-proposed-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-proposed-updates main contrib non-free non-free-firmware

Note the new non-free-firmware repository: non-free firmware used to be included in the non-free repository, but now they are in a new separate repository, so you will need to add that.

Then we need to set up the priorities of the different repositories in /etc/apt/preferences (or a ;pref file in /etc/apt/preferences.d):

Package: *
Pin: release n=bookworm
Pin-Priority: 810

Package: *
Pin: release n=bookworm-security
Pin-Priority: 810

Package: *
Pin: release n=bookworm-proposed-updates
Pin-Priority: 809

Package: *
Pin: release n=bookworm-backports
Pin-Priority: 808


Package: *
Pin: release n=bullseye
Pin-Priority: 710

Package: *
Pin: release n=bullseye-security
Pin-Priority: 710

Package: *
Pin: release n=bullseye-proposed-updates
Pin-Priority: 709

Package: *
Pin: release n=bullseye-backports
Pin-Priority: 708


Package: *
Pin: release n=trixie
Pin-Priority: 310


Package: *
Pin: release a=unstable
Pin-Priority: 200


Package: *
Pin: release a=experimental
Pin-Priority: 160

This gives the highest priority to all packages in Bookworm and the security updates, with a lower priority to the Bookworm proposed updates and then Bookworm backports. I added Bullseye in case you still need the Bullseye repositories for some reason. I also add Trixie (code name for what will become testing when Bullseye gets released) and sid (unstable) and experimental on the lowest priorities. Of course you can remove them from your preferences file if you don’t have set up these repositories.

I strongly recommend installing apt-listchanges, because it will give you information about important changes which might affect you before packages are upgraded:

# apt install apt-listchanges

I upgrade dpkg and apt first. I personally prefer to take advantages of eventual new improvements and bug fixes during the upgrade process.

# apt install -t bookworm apt dpkg

In Bookworm the systemd-resolved service now is in a seperate package. If you are currently using systemd-resolved, this can cause failures in DNS resolution. Before upgrading, make sure you know the addresses of your DNS servers, so that you can set them up manually if required; You can run the resolvectl command to find them. If DNS resolution breaks during the upgrade process later on, you can add them to /etc/resolv.conf manually to fix the problem. But I prefer to immediately install the new systemd-resolved package before upgrading everything else to take care of this problem:

# apt install -t bookworm systemd-resolved

Then we can upgrade all packages which can be upgraded without installing new packages:

# apt upgrade -t bookworm --without-new-pkgs

Once that’s done we proceed with the upgrade of all remaining packages, which will also install new dependencies:

# apt full-upgrade

During these two steps pay attention to which packages are going to be removed. It’s expected that old unused libraries and other packages (old PHP and Perl versions for example) will be removed, but you might to check this.

When the upgrade is done, I remove all unneeded packages with this command:

# apt autoremove --purge

Then run this command to remove all library packages which have no other packages depending on them any more:

# deborphan | xargs dpkg --purge

A package which often stays behind is libssl1.1. Normally you don’t need it any more so you can remove it safely:

# apt remove libssl1.1

Finally I also prefer to remove rsyslog. It is not installed any more by default on Debian Bookworm and everything is already logged to the systemd journal and I don’t want any double logging.

# apt remove rsyslog

Then personally I also install dbus-broker on Debian Bookworm. It replaces the traditional dbus implementation and is supposed to be more performant.

# apt install dbus-broker

I always recommend to verify that the metapackage linux-image-amd64 is installed, so that you are really running the latest kernel version.

# apt install linux-image-amd64

After upgrading all packages, reboot your system.

Debian 12 Bookworm and OpenLDAP

One major change in Debian 12 Bookworm is that it ships with OpenLDAP 2.5 which has removed the BDB and HDB back-ends. If your LDAP directory is still using this backend, you will have to convert it to the new MDB backend. There are some instructions in /usr/share/doc/slapd/README.Debian.gz and I might write some post here in the future about this. In any case, make sure you have recent backups of your LDAP directory in the form of LDIF gerenated with slapcat.

Is Debian Bookworm stable?

I’m permanently running Debian Testing on my laptop, and now I have also installed Bookworm on some servers. I strongly recommend using Testing for all desktop usage (even after Bookworm has been released), and to start using Bookworm on any new server installations. For upgrades of critical and more complicated server systems, I generally recommend to wait until at least the first point release.

At the moment I can think of two problems I am encountering on my systems. On my HP Elitebook 845 G8 when suspending the system (s2idle), Linux fails to read the current time from the RTC, resulting in the clock jumping years into the future. At the next resume you can fix the clock by restarting systemd-timesyncd, but the uptime command will continue to give a wrong output. I’m currently testing version 6.3 of the Linux kernel from experimental to see whether this bug also happens with this version.

Another problem is that in Debian 12 Bookworm the Spice plugin of Remmina is disabled. There is a work-around using packages from sid and experimental: upgrade to libspice-client-glib-2.0-8 version 0.42-2, which is currently in sid and then install remmina and remmina-plugin-spice from experimental. Maybe this problem will be fixed in a point release for Debian Bookworm, but that remains to be seen.

The security risks of Flathub

This week a big refresh of the Flathub website came online and there was quite some buzz around this in the Linux world. However this same week I noticed a worrying thing about Flathub: it is distributing different applications with known security problems. I am really worried about this because many people will unknowingly install these flatpaks, thinking that they are safe because they installed them from a reliable source.

The most striking example of this is Adobe Reader. This application was last updated by Adobe in 2013, so that means it’s 10 years old. Adobe does not support this software any more since 26 June 2013. While the Github Readme of the project mentions that this application is not supported any more, has know security vulnerabilities and is unstable, nothing of this is mentioned on the Flathub page itself. This means that many people who stumble upon this page, will install this flatpak without being aware of these risks. At the moment of writing, Adobe Reader is listed on the Flathub homepage as the third application, because it’s a new package and after a couple of days it had already 1666 installations. I’m wondering how many of these people are aware of the fact that they are installing a no longer supported application with known security bugs.

Unfortunately, Adobe Reader is not the only example. Let’s take a look at Visual Studio Code. I see three different variants on Flathub: two open-source builds Code – OSS and VSCodium and then the proprietary Microsoft build Visual Studio Code. Of these three, only one is up to date at the time of writng: VSCodium. Version 1.77.2 fixed a security problem, but neither the Code – OSS nor the Visual Studio Code flatpak have this version. The latter is the most popular one with 1.3 million installations.

Fortunately security sensitive flatpaks like Firefox, Chromium, Brave and Thunderbird are up to date, so it looks like this is not a bigger, more general problem. Still I think it’s unacceptable that several packages of vulnerable software are offered in the default Flathub repository.

But flatpak packages run in a sandbox so the security risk is only theoretical, isn’t it? Sorry, that ‘s not a serious way of dealing with security. You just need a security vulnerability in flatpak or in the Linux kernel and your software can escape the sandbox. At least two sandbox escape bugs have been found in flatpak in the past (CVE-2021-21261 and CVE-2019-10063). For sure more of these bugs will be discovered in the future, especially if flatpak becomes more popular. Combine this with a vulnerability in the packaged software, such as the Adobe Reader of Visual Studio Code, and opening a file downloaded from the Internet can be enough to get your system compromised.

In practice, we see such sandbox escape bugs being exploited in Chromium/Google Chrome: it has a built-in sandbox to protect the system from security vulnerabilities, yet it often has updates for zero-day vulnerabilities. Up to now already 2 different security fixes were published in 2023 which were already being exploited in the wild. Despite the sandbox. Sandbox escape is explicitly mentioned in the security advisory from a few days ago. Not relying on a single layer of defense against security breaches is called defense in depth and this is simply an essential practice if you care about security.

A PDF viewer is definitely at risk because you often open files downloaded from the Internet with it. But even though a programming editor/lightweight IDE like Visual Studio Code does not appear the most security sensitive application, make no mistake: they can also be targeted by people with bad intentions. I’m thinking of the case uncovered two years ago, where security researchers (!) were successfully targeted by North-Korean hackers who abused a feature in Microsoft’s fully fledged Visual Studio IDE. A security vulnerability in your IDE will only make such abuse easier. Think also of teachers who need to open (untrusted) code from students, which are at risk when their IDE has known security vulnerabilities.

One of the new features of the new website, is that flatpaks by the original developers of the software, are now marked as verified. But I don’t think that’s very useful because it does not say anything about how well it’s maintained and whether there are known security problems. Software which was not packaged by the original author, but which is well maintained, is by far preferred over software which was packaged by its original developer but who has now abandoned maintenance. Compare this to Linux distributions: the software is usually not packaged by the original developer, but by the distribution’s maintainers. That does not make these packages unreliable.

Windows does actually have much more security features enabled by default than Linux: files which originate from the Internet, are marked as such (mark-of-the-web) and these files will then undergo more security protections by the OS and by applications (Protected View in Office for example), there is an integrated malware scanner (Defender), Windows has a firewall enabled by default and it does automatic updates. Many of these things are not the case in Linux. Yet we hear of ransomware attacks on Windows users on a daily basis. It should make us realize that Linux will not be immune to these problems. The first thing we should do, is at least not run software with know security problems.

One thing that has to be done is, is that in the description on Flathub there is a warning in bold explaining that the software has known security vulnerabilities and it should clearly discourage users to install it. But I think that is not enough. People will just search for PDF, will recognize Adobe and won’t even read the description because they know the Adobe PDF reader. And then they will be surprised to discover during usage that the software is unstable and insecure. The same is true for Visual Studio Code: most people installing the flatpak simply won’t be aware that the packaged version has known vulnerabilities.

I think there is only one reasonable solution: these software packages should be moved to a separate repository which is not enabled by default. This repository should be called “unsupported”. If people do the effort of enabling this repository, then they should clearly get an extra warning that the software can be unstable, insecure and that they cannot expect any support. When searching, people should not get such software at the top between other well-maintained software. It should be shown in a separate unsupported category at the bottom. If we don’t do these things, then I’m afraid security incidents will happen one day, possibly destroying all trust in Flathub and Linux in general. And that is something which we should really avoid.

Alternatives for the net-tools utilities

Many modern distributions, like for example the upcoming Debian 12 Bookworm, do not install the package net-tools by default. This package contains popular utilities like ifconfig, route, netstat, arp and mii-tool. In this post I give alternatives for these utilities. You can of course just install the net-tools package if you prefer to keep using these commands.

ifconfig

To see the current network configuration:

$ ip addr

To see the currrent configuration for one specific interface, for example enp25s0:

$ ip addr show enp25s0

To add a static IP address to a network interface

$ ip addr add 192.168.10.2/24 dev enp25s0

Replace add by del to remove an IP address.

route

To see the current route table:

$ ip route

To set the default gateway:

$ ip route add default via 192.168.10.1 dev enp25s0

netstat

The ss command lists all open sockets. Some interesting options:

-ashow both open and listening sockets
-lonly show listening sockets
-pshows the process using the socket
-tshow only TCP sockets
-ushow only UDP sockets
-rresolve all IP addresses

To see all open and listening sockets on the system:

$ ss -a

To see all listening TPC and UDP ports:

$ ss -plut

arp

Display the contents of the ARP table:

$ ip neigh

mii-tool

Show the status of an Ethernet interface:

$ ethtool enp25s0