Planet Debian

Planet Debian - https://planet.debian.org/

Aigars Mahinovs: Debconf 23 photos all

Mon, 2023-10-02 04:00

Two weeks have passed since Debconf 23 came to a close in Kochi, Kerala, India this year.

In keeping with the more relaxed nature of Debconf in India, the rest of my photos from the event were to be published about two weeks from the end of the event. That will give me a bit more time to process them correctly and also give all of you a chance to see these pictures with fresh eyes and stir up new memories from the event.

In the end we are looking at 653 photos and one video. Several different group photos, including a return of the pool group photo that was missing from the event since Mexico in 2006! This year was the first for a new camera (Canon R7) and I am quite happy with the results, even if I still need to learn a lot about this new beast. Also the gradual improvements of panorama stitching software (Hugin) meant that this year I did not need to manually correct any face-melt events on any of the group photos. So that is cool!

You can find all my photos on:

Also, don't forget to explore the rest of the Git LFS share content - there are very many great photos by others this year as well!

Categories: FLOSS Project Planets

Junichi Uekawa: Family member getting sick, and I'm starting to feel bad.

Sun, 2023-10-01 05:48
Family member getting sick, and I'm starting to feel bad. This is bad.


Paul Wise: FLOSS Activities September 2023

Sat, 2023-09-30 21:32
Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

Issues

Review
  • Spam: reported 2 Debian bug reports
  • Debian wiki: RecentChanges for the month
  • Debian BTS usertags: changes for the month
  • Debian screenshots:
    • approved fzf lame lsd termshark vifm
    • rejected orthanc (private data), gpr/orthanc (Windows), qrencode (random QR codes), weboob-qt (chess website)
Administration
  • Debian IRC: fix #debian-pkg-security topic/metadata
  • Debian wiki: unblock IP addresses, approve accounts
Communication

Sponsors

The SWH work was sponsored. All other work was done on a volunteer basis.


Russell Coker: Links September 2023

Sat, 2023-09-30 09:55

Interesting article in Wired about adversarial attacks on ML systems to get them to do things that they are explicitly programmed not to do such as describe how to make illegal drugs [1]. The most interesting part of this is that the attacks work on most GPT systems which is probably due to the similar data used to train them.

Vice has an interesting article about the Danish “Synthetic Party”, a political party led by an AI [2]. Citizens can vote for candidates who will try to get laws passed that match the AI generated goals, there is no option of voting for an AI character. The policies they are advocating for are designed to appeal to the 20% of Danes who don’t vote. They are also trying to inspire similar parties in other countries. I think this has the potential to improve democracy.

Vice reports that in 2021 a man tried to assassinate the Queen of England with inspiration from Star Wars and an AI chat bot [3]. While someone who wants to be a real-life Sith is probably going to end up doing something bad we still don’t want to have chat bots encourage it.

Bruce Schneier wrote an interesting article about milestones for AI involvement in the political process [4].

Sam Varghese wrote an interesting article about the allegations that India is following the example of Saudi Arabia and assassinating people in other countries who disagree with their government [5]. We need to stop this.

Ian Jackson wrote an interesting blog post advocating that DKIM PRIVATE keys be rotated and PUBLISHED [6]. The idea is that if a hostile party gets access to the mailbox of someone who received private email from you then in the normal DKIM setup of keys never changing they can prove that the email is authentic when they leak it. While if your mail server publishes the old keys as Ian advocates then the hostile party can’t prove that you sent the email in question as anyone could have forged a signature. Anything that involves publishing a private key gets an immediate negative reaction but I can’t fault the logic here.
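The reasoning in the DKIM paragraph above, as an added Go example that is not from the original post or from Ian Jackson's: a signature stops being evidence of origin once the selector's private key is public, because a third party can then produce signatures that verify equally well. It uses Ed25519 (one of the DKIM signature algorithms); the selector name, addresses and message bodies are constructed, and the `digest` helper is an assumed stand-in for DKIM's header and body canonicalisation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Selector models one DKIM key pair. Pub is what DNS serves; PublishedSeed
// stays nil until the key is retired and its private half is made public.
type Selector struct {
	Name          string
	Pub           ed25519.PublicKey
	priv          ed25519.PrivateKey
	PublishedSeed []byte
}

// NewSelector generates a fresh Ed25519 key pair for the given selector name.
func NewSelector(name string) (*Selector, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Selector{Name: name, Pub: pub, priv: priv}, nil
}

// digest is a simplification: real DKIM signs canonicalised headers that
// include a hash of the body.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign is what the mail server does while the selector is in service.
func (s *Selector) Sign(msg []byte) ([]byte, error) {
	if s.PublishedSeed != nil {
		return nil, errors.New("selector " + s.Name + " is retired")
	}
	return ed25519.Sign(s.priv, digest(msg)), nil
}

// Verify is the receiver's check against the public key from DNS.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, digest(msg), sig)
}

// RotateAndPublish retires the selector and returns the private seed that
// the operator now makes public.
func (s *Selector) RotateAndPublish() []byte {
	s.PublishedSeed = s.priv.Seed()
	return s.PublishedSeed
}

// SignWithPublishedSeed is what anyone can do once the seed is public.
func SignWithPublishedSeed(seed, msg []byte) []byte {
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), digest(msg))
}

// ProvesOrigin reports whether a signature is evidence that the domain sent
// msg: it must verify AND the private key must still be secret.
func ProvesOrigin(s *Selector, msg, sig []byte) bool {
	return Verify(s.Pub, msg, sig) && s.PublishedSeed == nil
}

func main() {
	sel, err := NewSelector("sep2023") // constructed selector name
	if err != nil {
		panic(err)
	}
	genuine := []byte("From: alice@example.org\r\n\r\nprivate note") // constructed
	sig, _ := sel.Sign(genuine)
	fmt.Println("at delivery: verifies =", Verify(sel.Pub, genuine, sig),
		"proves origin =", ProvesOrigin(sel, genuine, sig))

	seed := sel.RotateAndPublish()
	other := []byte("From: alice@example.org\r\n\r\nnever written") // constructed
	otherSig := SignWithPublishedSeed(seed, other)
	fmt.Println("after publication: leaked mail verifies =", Verify(sel.Pub, genuine, sig),
		"third-party mail verifies =", Verify(sel.Pub, other, otherSig),
		"either proves origin =",
		ProvesOrigin(sel, genuine, sig) || ProvesOrigin(sel, other, otherSig))
}
```

Receivers verify at delivery time, so a selector's seed should be published only once mail signed under it can no longer be in transit.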


Adnan Hodzic: auto-cpufreq v2.0

Sat, 2023-09-30 09:45

Almost 4 years after initial auto-cpufreq v2.0 release, 4200 Github stars, 65 contributors & 42 releases, tool being topic of numerous Linux podcasts and shows,...

The post auto-cpufreq v2.0 appeared first on FoolControl: Phear the penguin.


François Marier: Things I do after uploading a new package to Debian

Sat, 2023-09-30 02:15

There are a couple of things I tend to do after packaging a piece of software for Debian, filing an Intent To Package bug and uploading the package. This is both a checklist for me and (hopefully) a way to inspire other maintainers to go beyond the basic package maintainer duties as documented in the Debian Developer's Reference.

If I've missed anything, please leave a comment or send me an email!

Salsa for collaborative development

To foster collaboration and allow others to contribute to the packaging, I upload my package to a new subproject on Salsa. By doing this, I enable other Debian contributors to make improvements and propose changes via merge requests.

I also like to upload the project logo in the settings page (i.e. https://salsa.debian.org/debian/packagename/edit) since that will show up on some dashboards like the Package overview.

Launchpad for interacting with downstream Ubuntu users

While Debian is my primary focus, I also want to keep an eye on how my package is doing on derivative distributions like Ubuntu. To do this, I subscribe to bugs related to my package on Launchpad. Ubuntu bugs are rarely Ubuntu-specific and so I will often fix them in Debian.

I also set myself as the answer contact on Launchpad Answers since these questions are often the sign of a Debian or a lack of documentation.

I don't generally bother to fix bugs on Ubuntu directly though since I've not had much luck with packages in universe lately. I'd rather not spend much time preparing a package that's not going to end up being released to users as part of a Stable Release Update. On the other hand, I have successfully requested simple Debian syncs when an important update was uploaded after the Debian Import Freeze.

Screenshots and tags

I take screenshots of my package and upload them on https://screenshots.debian.net to help users understand what my package offers and how it looks. I believe that these screenshots end up in software "stores" type of applications.

Similarly, I add tags to my package using https://debtags.debian.org. I'm not entirely sure where these tags are used, but they are visible from apt show packagename.

Monitoring Upstream Releases

Staying up-to-date with upstream releases is one of the most important duties of a software packager. There are a lot of different ways that upstream software authors publicize their new releases. Here are some of the things I do to monitor these releases:

  • I have a cronjob which runs uscan once a day to check for new upstream releases using the information specified in my debian/watch files:

    0 12 * * 1-5 francois test -e /home/francois/devel/deb && HTTPS_PROXY= https_proxy= uscan --report /home/francois/devel/deb || true
  • I subscribe to the upstream project's releases RSS feed, if available. For example, I subscribe to the GitHub tags feed for git-secrets and Launchpad announcements for email-reminder.

  • If the upstream project maintains an announcement mailing list, I subscribe to it (e.g. rkhunter-announce or tor release announcements).

When nothing else is available, I write a cronjob that downloads the upstream changelog once a day and commits it to a local git repo:

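    #!/bin/bash
    # Fetch the upstream changelog and commit it. "git diff" prints only when
    # the file changed, so cron sends an email only for new releases.
    pushd /home/francois/devel/zlib-changelog > /dev/null || exit 1
    wget --quiet -O ChangeLog.txt https://zlib.net/ChangeLog.txt || exit 1
    git diff
    git commit -a -m "Updated changelog" > /dev/null
    popd > /dev/null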

This sends me a diff by email when a new release is added (and no emails otherwise).


Russell Coker: Choosing Exclusion

Sat, 2023-09-30 01:47

There is an article The Inappropriately Excluded by the Polymath Archives [1] that gets cited a lot. Mainly by Mensa types who think that their lack of success is due to being too smart.

The Main Claim is Wrong

The main claim is:
The probability of entering and remaining in an intellectually elite profession such as Physician, Judge, Professor, Scientist, Corporate Executive, etc. increases with IQ to about 133. It then falls by about 1/3 at 140. By 150 IQ the probability has fallen from its peak by 97%!

The first thing to consider is whether taking those professions is a smart thing to do. These are the types of jobs that a school career adviser would tell you are good choices for well paying jobs, but really there’s lots of professional positions that get similar pay with less demanding work. Physicians have to deal with people who are sick and patients who die – including cases where the physician needs to make a recommendation on incomplete information where the wrong choice will result in serious injury or death, there are significant benefits to being a medical researcher or doing biological engineering. Being a Judge has a high public profile and has a reasonable amount of pressure, good for status but you can probably earn more money with less work as a corporate lawyer. Being a professor is a position that is respected but which in many countries is very poorly paid. In a mid-size company executives probably get about $300k compared to $220k for middle managers and $100k-$180k for senior professional roles in the same company.

There has been research on how much happiness is increased by having more money, here is one from CBS saying that income up to $500K can increase happiness[2] which contradicts previous research suggesting that income over $75K didn’t provide much benefit. I think that part of this is determined by the conditions that you live in, if you live in a country like Australia with cheap healthcare then you won’t feel as great a need to hoard money. Another part is whether you feel obliged to compete with other people for financial status, if driving an old car of a non-prestige brand while my neighbours have new BMWs concerned me then I might desire an executive position.

I think that the smart thing to do is to get work that is relatively enjoyable, pays enough for all the essentials and some reasonable luxury, and doesn’t require excessive effort or long hours. Unless you have a great need for attention from other people then for every job with a high profile there will be several with similar salaries but less attention.

The main point of the article is that people with high IQs all want to reach the pinnacle of their career path and don’t do so because they are excluded. It doesn’t consider the possibility that smart people might have chosen the option that’s best for them. For example I’ve seen what my manager and the CIO of my company do and it doesn’t look like fun for me. I’m happy to have them earn more than me as compensation for doing things I don’t want to do.

Why is This Happening?

This section of the article starts with “Because of the dearth of objective evidence, the cause of the exclusion cannot be determined directly” which is possibly where they should have given up. Also I could have concluded this blog post with “I’m not excluded from this list of jobs that suck”, but I will continue listing problems with the article.

One claim in the article is:
Garth Zietsman has said, referring to people with D15IQs over 152, ‘A common experience with people in this category or higher is that they are not wanted – the masses (including the professional classes) find them an affront of some sort.’

The question I have is whether it’s being smart or being a jerk that “the masses” find to be an affront, I’m guessing the latter. I don’t recall seeing evidence outside high school of people inherently disliking smarter people.

The article claims that “We have no reason to conclude that this upper limit on IQ differences changes in adulthood“. Schools don’t cater well to smart kids and it isn’t good for kids to have no intellectual peers. One benefit I’ve found in the Free Software community is that there are a lot of smart people.

Regarding leadership it claims “D.K. Simonton found that persuasiveness is at its maximum when the IQ differential between speaker and audience is about 20 points“. A good counter example is Julius Sumner Miller who successfully combined science education and advertising for children’s chocolate [3]. Maybe being a little smarter than other people makes it more difficult to communicate with them but being as smart as Julius Sumner Miller can outweigh that. The article goes on to claim that the intellectual elites have an average IQ of 125 because they have to convince people who have an average IQ of 105. I think that if that 20 point difference was really a thing then you would have politicians with an IQ of 125 appointing leaders of the public service with an IQ of 145 who would then hire scientific advisers with an IQ of 165. In a corporate environment a CEO with an IQ of 125 could hire a CIO with an IQ of 145 who could then hire IT staff with an IQ of 165. If people with 165 IQs wanted to be Prime Minister or CEO that might suck for them, but if they wanted to have the most senior technical roles in public service or corporations then it would work out well. For the work I do I almost never speak to a CEO and rarely speak to anyone who regularly speaks to them, if CEOs don’t like me and won’t hire people like me then it doesn’t matter to me as I won’t meet them.

Inappropriate Educational Options

The section on “Inappropriate Educational Options” is one where I almost agree with the author. I say almost because I don’t think that schools are good for anyone. Yes schools have some particular problems for smart kids, but they also have serious problems for kids who are below average IQ, kids who have problems at home, kids who are disabled, etc. Most schools fail so many groups of kids in so many ways that the overall culture of schools can’t be functional.

Social Isolation

The section on “Social Isolation” is another where I almost agree with the author. But as with schools I think that society overall is poorly structured to support people such that people on the entire range of IQs have more difficulty in finding friends and relationships than they should. One easy change to make would be to increase the minimum wage such that one minimum wage job can support a family without working more than 35 hours a week and to set the maximum work week to something less than 40 hours. Atlassian has a good blog post about the data on working weeks [4]. Wired has an article suggesting that 5 hours a day is an ideal work time for some jobs [5].

We also need improvements in public transport and city design to have less wasted time and better options for socialising.

Conclusion

The blogspot site hosting the article in question also has a very complex plan for funding a magazine for such articles [6]. The problems with that funding model start with selling “advertising” that converts to shares in a Turks & Caicos company in an attempt to circumvent securities regulations (things don’t work that way). Then it goes in to some complex formulas for where money will go. This isn’t the smart way to start a company, the smart way is to run a kickstarter with fixed rewards for specific amounts of contributions and then possibly have an offer of profit sharing with people who donate extra or something. As a general rule when doing something that’s new to you it’s a good idea to look at how others have succeeded at it in the past. Devising an experimental new way of doing something is best reserved to people who have some experience with the more common methods.

Mentioning this may seem like an ad hominem attack, but I think it’s relevant to consider this in the context of people who score well in IQ tests but don’t do so well in other things. Maybe someone who didn’t think that they were a lot smarter than everyone else would have tried to launch a magazine in a more common way and actually had some success at it.

In a more general sense I think that people who believe that they are suffering because of being too smart are in a similar category as incels. It’s more of a psychological problem than anything else and one that they could solve for themselves.


Scarlett Gately Moore: KDE: Another Busy Week! KDE neon, Debian, Snaps Oh My!

Fri, 2023-09-29 12:25
KDE Plasma 6

I would like to welcome you to my revamped site. It is still a work in progress, so please be patient while I work out the kinks! I have also explained a bit more about myself in my About Me page for those that may have questions about my homesteader lifestyle. Check it out when you have time.

My site is mostly my adventures in packaging software in Linux in a variety of formats ( mostly Debian and Ubuntu Snaps containerized packages ). This keeps me very busy, as folks don’t realize the importance of packaging. Without it, applications remain in source code form which isn’t very usable by the users! While turning the source code into something user friendly we often run into issues and work with upstream ( I am a very strong believer in upstream first ) to resolve any issues. This makes for a better user experience and less buggy software. Workarounds are very hard to maintain and thus fixing it right the first time is the best path! With this said, while I am not strong in any one programming language ( Well maybe Ruby from my CI tooling background ) I am versed in many languages, as I have to understand the code that I am filing bug reports for! We have to have a strong knowledge of being able to understand build failures, debug runtime failures and most importantly we have to be able to fix them, or find the resources to assist in fixing them. As most of you know I am KDE’s biggest fan ( There is nothing wrong with Gnome, it’s a great platform ). So a big portion of my work is dedicated to KDE. A fantastic tool for working on my KDE packaging has been KDE Neon! With the developer version I have all the tools necessary to debug and fix issues that arise. There is also the added bonus of living on the edge and finding out runtime issues right away!

That is enough about me for now and on to my weekly round up!

KDE neon:

Carlos ( check out his new blog! https://www.ethicalconstruct.au/dotclear_blog/ ) and I have been very busy with another round of KDE applications making the move to Qt6. We have finished KDE PIM and KDE Games in Neon/unstable!

I have worked out issues with print-manager and re-enabled it in experimental as its qt6 development is still happening in kf6 branch. Instructions here: https://blog.neon.kde.org/2023/08/04/announcing-kde-neon-experimental/

Fixed issues with a broken kscreenlocker and missing window decorations. You can now safely leave your computer and not worry about that dreaded black screen.

Debian:

I have uploaded the newest squashfuse to unstable.

I have uploaded another NEW dependency for bubblegum golang-github-alecthomas-mango-kong-dev

Ubuntu Snaps:

This week continues working closely with Jarred Wilson of Canonical in getting his Qt6 content snap in shape for use with my KDE Frameworks 6 snap ( an essential snap to move forward with our next generation Qt6 applications and of course the Plasma snap ).

I spent some time debugging the neochat snap and fixed some QML issues, but I am now facing issues with wayland. It now works fine for those of us still on X11. I will continue working out wayland.

Thank you!

I rely on donations to upkeep my everyday living and so far thanks to each and every one of you I have survived almost a full year! It has been scary from time to time, but I am surviving. Until my snap project goes through I must rely on the kindness of my supporters. The proceeds of my donations go to the following:

  • Car payment
  • Car insurance
  • Land Payment
  • Gas for vehicles ( car for errands, truck to haul water )
  • Propane
  • Food
  • Phone / Internet ( Very important in this line of work! )
  • Pet Food ( Yes we have a few )
  • Misc everyday living supplies ( shampoo etc )

I have joined the kool kids and moved to Donorbox for donations.


I still have Gofundme for those that don’t want to signup for yetanotherdonationplatform.

https://gofund.me/b8b69e54


Lisandro Damián Nicanor Pérez Meyer: sd-mux-ctrl in Debian

Thu, 2023-09-28 15:19

Part of what I love to do is to play with embedded devices running Linux. And many times I need to juggle with an SD card in order to copy a filesystem to a board... until I found SDWire.

This little gadget is an SD muxer: it allows you to use it as a "normal" card reader or switch the SD card to the SD card slot. So next time I need to copy contents to a SD card and then push it to a board I can just do it from the command line.

Now the software to control this device was not in Debian, so I fixed that.

I am keeping the code and the packaging on GitLab, as "The Tizen project is not anymore really active".

At the time of writing the package was just accepted, so it might take a couple of hours to be available on the archive.

Enjoy!


Jonathan McDowell: onak 0.6.3 released

Wed, 2023-09-27 14:25

Yesterday I tagged a new version of onak, my OpenPGP compatible keyserver. I’d spent a bit of time during DebConf doing some minor cleanups, in particular an annoying systemd socket activation issue I’d been seeing. That turned out to be due to completely failing to compile in the systemd support, even when it was detected. There was also a signature verification issue with certain Ed25519 signatures (thanks Antoine Beaupré for making me dig into that one), along with various code cleanups.

I also worked on Stateless OpenPGP CLI support, which is something I talked about when I released 0.6.2. It isn’t something that’s suitable for release, but it is sufficient to allow running the OpenPGP interoperability test suite verification tests, which I’m pleased to say all now pass.

For the next release I’m hoping the OpenPGP crypto refresh process will have completed, which at the very least will mean adding support for v6 packet types and fingerprints. The PostgreSQL DB backend could also use some love, and I might see if performance with SQLite3 has improved any.

Anyway. Available locally or via GitHub.

0.6.3 - 26th September 2023

  • Fix systemd detection + socket activation
  • Add CMake checking for Berkeley DB
  • Minor improvements to keyd logging
  • Fix decoding of signature creation time
  • Relax version check on parsing signature + key packets
  • Improve HTML escaping
  • Handle failed database initialisation more gracefully
  • Fix bug with EDDSA signatures with top 8+ bits unset

Bits from Debian: New Debian Developers and Maintainers (July and August 2023)

Wed, 2023-09-27 10:00

The following contributors got their Debian Developer accounts in the last two months:

  • Marius Gripsgard (mariogrip)
  • Mohammed Bilal (rmb)
  • Lukas Märdian (slyon)
  • Robin Gustafsson (rgson)
  • David da Silva Polverari (polverari)
  • Emmanuel Arias (eamanu)

The following contributors were added as Debian Maintainers in the last two months:

  • Aymeric Agon-Rambosson
  • Blair Noctis
  • Lena Voytek
  • Philippe Coval
  • John Scott

Congratulations!


Antoine Beaupré: How big is Debian?

Tue, 2023-09-26 22:23

Now this was quite a tease! For those who haven't seen it, I encourage you to check it out, it has a nice photo of a Debian t-shirt I did not know about, to quote the Fine Article:

Today, when going through a box of old T-shirts, I found the shirt I was looking for to bring to the occasion: [...]

For the benefit of people who read this using a non-image-displaying browser or RSS client, they are respectively:

    10 years
    100 countries
    1000 maintainers
    10000 packages

and

    1 project
    10 architectures
    100 countries
    1000 maintainers
    10000 packages
    100000 bugs fixed
    1000000 installations
    10000000 users
    100000000 lines of code

20 years ago we celebrated eating grilled meat at J0rd1’s house. This year, we had vegan tostadas in the menu. And maybe we are no longer that young, but we are still very proud and happy of our project!

Now… How would numbers line up today for Debian, 20 years later? Have we managed to get the “bugs fixed” line increase by a factor of 10? Quite probably, the lines of code we also have, and I can only guess the number of users and installations, which was already just a wild guess back then, might have multiplied by over 10, at least if we count indirect users and installs as well…

Now I don't know about you, but I really expected someone to come up with an answer to this, directly on Debian Planet! I have patiently waited for such an answer but enough is enough, I'm a Debian member, surely I can cull all of this together. So, lo and behold, here are the actual numbers from 2023!

  • 1 project: unchanged, although we could count 129 derivatives in the current census
  • ~10 architectures: number almost unchanged, but the actual architectures are of course different (woody released with i386, m68k, Alpha, SPARC, PowerPC, ARM, IA-64, hppa, mips, s390; while bookworm released with actually 9 supported architectures instead of 10: i386, amd64, aarch64, armel, armhf, mipsel, mips64el, ppc64el, s390x)

  • ~100 countries: actually 63 now, but I suspect we were generously rounding up last time as well (extracted with ldapsearch -b ou=users,dc=debian,dc=org -D uid=anarcat,ou=users,dc=debian,dc=org -ZZ -vLxW '(c=*)' c | grep ^c: | sort | uniq -c | sort -n | wc -l on coccia)

  • ~1000 maintainers: amazingly, almost unchanged (according to the last DPL vote, there were 831 DDs in 2003 and 996 in the last vote)

  • 35000 packages: that number obviously increased quite a bit, but according to sources.debian.org, woody released with 5580 source packages and bookworm with 34782 source packages and according to UDD, there are actually 200k+ binary packages ( SELECT COUNT(DISTINCT package) FROM all_packages; => 211151)

  • 1 000 000+ (OVER ONE MILLION!) bugs fixed! now that number grew by a whole order of magnitude, incredibly (934809 done, 16 fixed, 7595 forwarded, 82492 pending, 938 pending-fixed, according to UDD again, SELECT COUNT(id),status FROM all_bugs GROUP BY status;)

  • ~1 000 000 installations (?): that one is hard to call. popcon has 225419 recorded installs, but it is likely an underestimate - hard to count

  • how many users? even harder, we were claiming ten million users then, how many now? how can we even begin to tell, with Debian running on the space station?

  • 1 000 000 000+ (OVER ONE BILLION!) lines of code: that, interestingly, has also grown by an order of magnitude, from 100M to 1B lines of code, again according to sources.debian.org, woody shipped with 143M lines of codes and bookworm with 1.3 billion lines of code

So it doesn't line up as nicely, but it looks something like this:

    1 project
    10 architectures
    30 years
    100 countries (actually 63, but we'd like to have yours!)
    1000 maintainers (yep, still there!)
    35000 packages
    211000 *binary* packages
    1000000 bugs fixed
    1000000000 lines of code
    uncounted installations and users, we don't track you

So maybe the more accurate, rounding to the nearest logarithm, would look something like:

    1 project
    10 architectures
    100 countries (actually 63, but we'd like to have yours!)
    1000 maintainers (yep, still there!)
    100000 packages
    1000000 bugs fixed
    1000000000 lines of code
    uncounted installations and users, we don't track you

I really like how the "packages" and "bugs fixed" still have an order of magnitude between them there, but that the "bugs fixed" vs "lines of code" have an extra order of magnitude, that is we have fixed ten times less bugs per line of code since we last did this count, 20 years ago.

Also, I am tempted to put 100 years in there, but that would be rounding up too much. Let's give it another 30 years first.

Hopefully, some real scientist is going to balk at this crude methodology and come up with some more interesting numbers for the next t-shirt. Otherwise I'm available for bar mitzvahs and children parties.



Ravi Dwivedi: Fixing audio and keymaps in Chromebook Running Debian Bookworm

Tue, 2023-09-26 03:37

I recently bought an HP Chromebook from Abhas who had already flashed coreboot in it. I ran a fresh installation of Debian 12 (Bookworm) on it with KDE Plasma.

Right after installation, the Wi-Fi and bluetooth were working, but I was facing two issues:

  • Playing a music file or any audio file does not give any audio.

  • Keyboard buttons like the ones for brightness and audio adjustment were not working (alphabet keys were working).

Fixing audio

I ran the script mentioned here and that fixed the audio.

The instructions from that link are:

    git clone https://github.com/WeirdTreeThing/chromebook-linux-audio
    cd chromebook-linux-audio
    ./setup-audio

Fixing keyboard

I asked my friend Alper for help on fixing the keyboard as he has some experience with Chromebooks. Thanks a lot Alper for the help. I am documenting our steps here for helping others who are facing this issue.

Note: This works in X11. For Wayland, the steps might differ.

To set system-wide keyboard configuration on Debian systems:

$ sudo dpkg-reconfigure keyboard-configuration

Choose “Chromebook” as the “Keyboard Model”.

Each DE should default to the system configuration, but might need its own configuration which would similarly be available in their GUI tools. But you can check and set it manually from the command line, for example as in this thread.

To check the keyboard model in Xorg-based DEs:

$ setxkbmap -print -query | grep model:
model:    pc104

To change it temporarily, until a reboot:

$ setxkbmap -model chromebook

If it’s not there in KDE settings, that would be a bug. To change it persistently for KDE:

$ cat >>.config/kxkbrc <<EOF
[Layout]
Model=chromebook
EOF

This thread was helpful.

Categories: FLOSS Project Planets

Michael Prokop: Postfix failing with “no shared cipher”

Mon, 2023-09-25 14:35

I’m one of the few folks left who run and maintain mail servers. Recently I had major troubles receiving mails from the mail servers used by a bank, and when asking my favourite search engine, I’m clearly not the only one who ran into such an issue. Actually, I should have checked off the issue and not become a customer at that bank, but the tech nerd in me couldn’t resist getting to the bottom of the problem. Since I got it working and this might be useful for others, here we are. :)

I was trying to get an online banking account set up, but the corresponding account creation mail didn’t reach me at all. Looking at my mail server logs, my postfix mail server didn’t accept the mail due to:

postfix/smtpd[3319640]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
postfix/smtpd[3319640]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]

Huh, what’s going on here?! Let’s increase the TLS loglevel (setting smtpd_tls_loglevel = 2) and retry. But how can I retry receiving yet another mail? Luckily, on the registration website of the bank there was a URL available, that let me request a one-time password. This triggered another mail, so I did that and managed to grab this in the logs:

postfix/smtpd[3320018]: initializing the server-side TLS engine
postfix/tlsmgr[3320020]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
postfix/tlsmgr[3320020]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: setting up TLS connection from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: mx01.arz.at[193.110.182.61]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/smtpd[3320018]: SSL_accept:before SSL initialization
postfix/smtpd[3320018]: SSL_accept:before SSL initialization
postfix/smtpd[3320018]: SSL3 alert write:fatal:handshake failure
postfix/smtpd[3320018]: SSL_accept:error in error
postfix/smtpd[3320018]: SSL_accept error from mx01.arz.at[193.110.182.61]: -1
postfix/smtpd[3320018]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
postfix/smtpd[3320018]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 starttls=0/1 commands=1/2
postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
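This failure leaves a recognisable trace: a "no shared cipher" warning, a lost connection after STARTTLS, then a second session in which the sender says EHLO and QUIT without handing over any mail. The following Python is an added example, not part of the original post; it scans smtpd log lines for that pattern, using a subset of the lines logged above plus one constructed healthy session (mail.example.net / 192.0.2.10 is a made-up peer, and the function names are this example's own).

```python
import re
from collections import defaultdict

# First eight lines: taken from the log in the post. Last two lines: a
# constructed healthy session from a documentation address, for contrast.
SAMPLE_LOG = """\
postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: setting up TLS connection from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: SSL_accept error from mx01.arz.at[193.110.182.61]: -1
postfix/smtpd[3320018]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
postfix/smtpd[3320018]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 starttls=0/1 commands=1/2
postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
postfix/smtpd[3320500]: connect from mail.example.net[192.0.2.10]
postfix/smtpd[3320500]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
PEER_RE = re.compile(r"\S+\[[0-9A-Fa-f.:]+\]")  # hostname[address]


def summarize(log_text):
    """Count, per peer, failed handshakes, mail-less sessions and deliveries."""
    pending = set()  # smtpd PIDs that just logged a "no shared cipher" warning
    report = defaultdict(
        lambda: {"no_shared_cipher": 0, "quit_without_mail": 0, "delivered": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        # The warning itself names no peer; remember the PID and attribute it
        # to the peer on the "lost connection" line that follows.
        if "TLS library problem" in msg and "no shared cipher" in msg:
            pending.add(pid)
            continue
        peer = PEER_RE.search(msg)
        if not peer:
            continue
        stats = report[peer.group(0)]
        if msg.startswith("lost connection after STARTTLS") and pid in pending:
            pending.discard(pid)
            stats["no_shared_cipher"] += 1
        elif msg.startswith("disconnect from"):
            # Session counters look like "data=1" or "starttls=0/1" (ok/total).
            counters = dict(f.split("=", 1) for f in msg.split()[3:] if "=" in f)
            if counters.get("data", "0").split("/")[0] != "0":
                stats["delivered"] += 1
            elif "quit" in counters and "mail" not in counters:
                stats["quit_without_mail"] += 1
    return dict(report)


def peers_at_risk(report):
    """Peers that failed the handshake and never delivered a message."""
    return sorted(
        p for p, s in report.items() if s["no_shared_cipher"] and not s["delivered"]
    )


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer, stats in result.items():
        print(peer, stats)
    print("at risk:", peers_at_risk(result))
```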

Ok, so this TLS cipher list “aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH” looked like the tls_medium_cipherlist setting in postfix, but which ciphers might we expect? Let’s see what their SMTP server would speak to us:

% testssl --cipher-per-proto -t=smtp mx01.arz.at:25
[...]
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
TLS 1.1
TLS 1.2
 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.3

Looks like a very small subset of ciphers, and they don’t seem to be talking TLS v1.3 at all? Not great. :(

A nice web service to verify the situation from another point of view is checktls, which also confirmed this:

[000.705] <-- 220 2.0.0 Ready to start TLS
[000.705] STARTTLS command works on this server
[001.260] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve P-256 DHE(256 bits)
Certificate #1 of 3 (sent by MX):
Cert VALIDATED: ok
Cert Hostname VERIFIED (mx01.arz.at = *.arz.at | DNS:*.arz.at | DNS:arz.at)
[...]
[001.517] TLS successfully started on this server

I got distracted by some other work, and when coming back to this problem, the one-time password procedure no longer worked, as the password reset URL was no longer valid. :( I managed to find the underlying URL, and with some web developer tools tinkering I could still use the website to let me trigger sending further one-time password mails, phew.

Let’s continue, so my mail server was running Debian/bullseye with postfix v3.5.18-0+deb11u1 and openssl v1.1.1n-0+deb11u5, let’s see what it offers:

% testssl --cipher-per-proto -t=smtp mail.example.com:25
[...]
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS 1.1
 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS 1.2
 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xc0af ECDHE-ECDSA-AES256-CCM8 ECDH 253 AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
 xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM
 xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 xa7 ADH-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
 x6d ADH-AES256-SHA256 DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 xc5 ADH-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH 253 AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
 xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM
 xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 xa6 ADH-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256
 x6c ADH-AES128-SHA256 DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 xbf ADH-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
 xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
TLS 1.3
 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256

Not so bad, but sadly no overlap with any of the ciphers that mx01.arz.at offers.

What about disabling STARTTLS for the mx01.arz.at (+ mx02.arz.at being another one used by the relevant domain) mail servers when talking to mine? Let’s try that:

% sudo postconf -nf smtpd_discard_ehlo_keyword_address_maps
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/smtpd_discard_ehlo_keywords
% cat /etc/postfix/smtpd_discard_ehlo_keywords
# *disable* starttls for mx01.arz.at / mx02.arz.at:
193.110.182.61 starttls
193.110.182.62 starttls

But the remote mail server doesn’t seem to send mails without TLS:

postfix/smtpd[4151799]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[4151799]: discarding EHLO keywords: STARTTLS
postfix/smtpd[4151799]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2

Let’s verify this further, but without fiddling with the main mail server too much. We can add a dedicated service to postfix (see serverfault), and run it in verbose mode, to get more detailed logging:

% sudo postconf -Mf
[...]
10025      inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/smtpd/badstarttls
    -o smtpd_tls_security_level=none
    -o smtpd_helo_required=yes
    -o smtpd_helo_restrictions=pcre:/etc/postfix/helo_badstarttls_allow,reject
    -v
[...]
% cat /etc/postfix/helo_badstarttls_allow
/mx01.arz.at/ OK
/mx02.arz.at/ OK
/193.110.182.61/ OK
/193.110.182.62/ OK

We redirect the traffic from mx01.arz.at + mx02.arz.at towards our new postfix service, listening on port 10025:

% sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.61 --dport 25 -j REDIRECT --to-port 10025
% sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.62 --dport 25 -j REDIRECT --to-port 10025

With this setup we get very detailed logging, and it seems to confirm our suspicion that the mail server doesn’t want to talk unencrypted with us:

[...]
postfix/smtpd/badstarttls/smtpd[3491900]: connect from mx01.arz.at[193.110.182.61]
[...]
postfix/smtpd/badstarttls/smtpd[3491901]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
postfix/smtpd/badstarttls/smtpd[3491901]: master_notify: status 1
postfix/smtpd/badstarttls/smtpd[3491901]: connection closed
[...]

Let’s step back and revert those changes, back to our original postfix setup. Might the problem be related to our Let’s Encrypt certificate? Let’s see what we have:

% echo QUIT | openssl s_client -connect mail.example.com:25 -starttls smtp
[...]
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4455 bytes and written 427 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
[...]

We have an ECDSA based certificate, what about switching to RSA instead? Thanks to the wonderful dehydrated, this is as easy as:

% echo KEY_ALGO=rsa > certs/mail.example.com/config
% ./dehydrated -c --domain mail.example.com --force
% sudo systemctl reload postfix

With switching to RSA type key we get:

% echo QUIT | openssl s_client -connect mail.example.com:25 -starttls smtp
CONNECTED(00000003)
[...]
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5295 bytes and written 427 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit

Which ciphers do we offer now? Let’s check:

% testssl --cipher-per-proto -t=smtp mail.example.com:25
[...]
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
 x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS 1.1
 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
 x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS 1.2
 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc0a3 DHE-RSA-AES256-CCM8 DH 2048 AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8
 xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM
 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
 xc4 DHE-RSA-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 xa7 ADH-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
 x6d ADH-AES256-SHA256 DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
 xc5 ADH-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8
 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM
 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
 xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384
 xc053 DHE-RSA-ARIA256-GCM-SHA384 DH 2048 ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 xc0a2 DHE-RSA-AES128-CCM8 DH 2048 AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8
 xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM
 xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8
 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM
 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 xbe DHE-RSA-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
 x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 xa6 ADH-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256
 x6c ADH-AES128-SHA256 DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
 xbf ADH-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
 x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
 xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
 x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256
 xc052 DHE-RSA-ARIA128-GCM-SHA256 DH 2048 ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
TLS 1.3
 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256

With switching our SSL certificate to RSA, we gained around 51 new cipher options, amongst them being ones that also mx01.arz.at claimed to support.

FTR, the result from above is what you get with the default settings for postfix v3.5.18, being:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

But the delay between triggering the password reset mail and getting a mail server connect was getting bigger and bigger. Therefore while waiting for the next mail to arrive, I decided to capture the network traffic, to be able to look further into this if it should continue to be failing:

% sudo tshark -n -i eth0 -s 65535 -w arz.pcap -f "host 193.110.182.61 or host 193.110.182.62"

A few hours later the mail server connected again, and the mail went through!

postfix/smtpd[4162835]: connect from mx01.arz.at[193.110.182.61]
postfix/smtpd[4162835]: Anonymous TLS connection established from mx01.arz.at[193.110.182.61]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtpd[4162835]: E50D6401E6: client=mx01.arz.at[193.110.182.61]
postfix/smtpd[4162835]: disconnect from mx01.arz.at[193.110.182.61] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Now also having the captured network traffic, we can check the details there:

[...]
% tshark -o smtp.decryption:true -r arz.pcap
 1 0.000000000 193.110.182.61 → 203.0.113.42 TCP 74 24699 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2261106119 TSecr=0 WS=128
 2 0.000042827 203.0.113.42 → 193.110.182.61 TCP 74 25 → 24699 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3233422181 TSecr=2261106119 WS=128
 3 0.020719269 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2261106139 TSecr=3233422181
 4 0.022883259 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP
 5 0.043682626 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2261106162 TSecr=3233422203
 6 0.043799047 193.110.182.61 → 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at
 7 0.043811363 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3233422224 TSecr=2261106162
 8 0.043898412 203.0.113.42 → 193.110.182.61 SMTP 253 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING
 9 0.064625499 193.110.182.61 → 203.0.113.42 SMTP 72 C: QUIT
10 0.064750257 203.0.113.42 → 193.110.182.61 SMTP 81 S: 221 2.0.0 Bye
11 0.064760200 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [FIN, ACK] Seq=233 Ack=25 Win=65280 Len=0 TSval=3233422245 TSecr=2261106183
12 0.085573715 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [FIN, ACK] Seq=25 Ack=234 Win=30336 Len=0 TSval=2261106204 TSecr=3233422245
13 0.085610229 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [ACK] Seq=234 Ack=26 Win=65280 Len=0 TSval=3233422266 TSecr=2261106204
14 1799.888108373 193.110.182.61 → 203.0.113.42 TCP 74 10330 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2262906007 TSecr=0 WS=128
15 1799.888161311 203.0.113.42 → 193.110.182.61 TCP 74 25 → 10330 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3235222069 TSecr=2262906007 WS=128
16 1799.909030335 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2262906028 TSecr=3235222069
17 1799.956621011 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP
18 1799.977229656 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2262906096 TSecr=3235222137
19 1799.977229698 193.110.182.61 → 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at
20 1799.977266759 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3235222158 TSecr=2262906096
21 1799.977351663 203.0.113.42 → 193.110.182.61 SMTP 267 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | STARTTLS | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING
22 1800.011494861 193.110.182.61 → 203.0.113.42 SMTP 76 C: STARTTLS
23 1800.011589267 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 2.0.0 Ready to start TLS
24 1800.032812294 193.110.182.61 → 203.0.113.42 TLSv1 223 Client Hello
25 1800.032987264 203.0.113.42 → 193.110.182.61 TLSv1.2 2962 Server Hello
26 1800.032995513 203.0.113.42 → 193.110.182.61 TCP 1266 25 → 10330 [PSH, ACK] Seq=3158 Ack=186 Win=65152 Len=1200 TSval=3235222214 TSecr=2262906151 [TCP segment of a reassembled PDU]
27 1800.053546755 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=3158 Win=36096 Len=0 TSval=2262906172 TSecr=3235222214
28 1800.092852469 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=4358 Win=39040 Len=0 TSval=2262906212 TSecr=3235222214
29 1800.092892905 203.0.113.42 → 193.110.182.61 TLSv1.2 900 Certificate, Server Key Exchange, Server Hello Done
30 1800.113546769 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=5192 Win=41856 Len=0 TSval=2262906232 TSecr=3235222273
31 1800.114763363 193.110.182.61 → 203.0.113.42 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
32 1800.115000416 203.0.113.42 → 193.110.182.61 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
33 1800.136070200 193.110.182.61 → 203.0.113.42 TLSv1.2 113 Application Data
34 1800.136155526 203.0.113.42 → 193.110.182.61 TLSv1.2 282 Application Data
35 1800.158854473 193.110.182.61 → 203.0.113.42 TLSv1.2 162 Application Data
36 1800.159254794 203.0.113.42 → 193.110.182.61 TLSv1.2 109 Application Data
37 1800.180286407 193.110.182.61 → 203.0.113.42 TLSv1.2 144 Application Data
38 1800.223005960 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5502 Ack=533 Win=65152 Len=0 TSval=3235222404 TSecr=2262906299
39 1802.230300244 203.0.113.42 → 193.110.182.61 TLSv1.2 146 Application Data
40 1802.251994333 193.110.182.61 → 203.0.113.42 TCP 2962 [TCP segment of a reassembled PDU]
41 1802.252034015 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=3429 Win=63616 Len=0 TSval=3235224433 TSecr=2262908371
42 1802.252279083 193.110.182.61 → 203.0.113.42 TLSv1.2 1295 Application Data
43 1802.252288316 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=4658 Win=64128 Len=0 TSval=3235224433 TSecr=2262908371
44 1802.272816060 193.110.182.61 → 203.0.113.42 TLSv1.2 833 Application Data, Application Data
45 1802.272827542 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=5425 Win=64128 Len=0 TSval=3235224453 TSecr=2262908392
46 1802.338807683 203.0.113.42 → 193.110.182.61 TLSv1.2 131 Application Data
47 1802.398968611 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=5425 Ack=5647 Win=44800 Len=0 TSval=2262908518 TSecr=3235224519
48 1863.257457500 193.110.182.61 → 203.0.113.42 TLSv1.2 101 Application Data
49 1863.257495688 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5647 Ack=5460 Win=64128 Len=0 TSval=3235285438 TSecr=2262969376
50 1863.257654942 203.0.113.42 → 193.110.182.61 TLSv1.2 110 Application Data
51 1863.257721010 203.0.113.42 → 193.110.182.61 TLSv1.2 97 Encrypted Alert
52 1863.278242216 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=5460 Ack=5691 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438
53 1863.278464176 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [RST, ACK] Seq=5460 Ack=5723 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438
% tshark -O tls -r arz.pcap
[...]
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 152
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 148
            Version: TLS 1.2 (0x0303)
            Random: 4575d1e7c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f
                GMT Unix Time: Dec 5, 2006 21:09:11.000000000 CET
                Random Bytes: c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f
            Session ID Length: 0
            Cipher Suites Length: 26
            Cipher Suites (13 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
[...]
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 89
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 85
            Version: TLS 1.2 (0x0303)
            Random: cf2ed24e3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401
                GMT Unix Time: Feb 23, 2080 23:16:46.000000000 CET
                Random Bytes: 3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401
            Session ID Length: 32
            Session ID: 63d041b126ecebf857d685abd9d4593c46a3672e1ad76228f3eacf2164f86fb9
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
[...]

In this network dump we see what cipher suites are offered, and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 here is the Cipher Suite Name in IANA/RFC speak. This corresponds to the ECDHE-RSA-AES256-GCM-SHA384 in openssl speak (see Mozilla’s cipher suite correspondence table), which we also saw in the postfix log.
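The comparison done by eye in this post can also be scripted. The following Python is an added example, not part of the original post: it parses the ClientHello suites from the tshark output and a few TLS 1.2 rows from each of the two testssl runs against the receiving server (all copied from the output shown in this post, the server lists shortened), matches them by hexcode, and reports which authentication type each side needs. Function and variable names are this example's own.

```python
import re

# ClientHello suites sent by mx01.arz.at, copied from the tshark -O tls output.
CLIENT_HELLO = """
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""

# A few TLS 1.2 rows from the testssl run while the ECDSA certificate was in use.
WITH_ECDSA_CERT = """
 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 xa7 ADH-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
"""

# A few TLS 1.2 rows from the testssl run after switching to the RSA certificate.
WITH_RSA_CERT = """
 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
"""

SUITE_RE = re.compile(r"Cipher Suite:\s+(TLS_\S+)\s+\(0x([0-9a-fA-F]{4})\)")
ROW_RE = re.compile(r"^\s*x([0-9a-f]+)\s+(\S+)\s+.*\s(TLS_\S+)\s*$")
AUTH_RE = re.compile(r"^TLS_(?:ECDHE|DHE|ECDH|DH)_(RSA|ECDSA|DSS|anon)_WITH_")


def parse_client_hello(text):
    """Return [(code, iana_name)] in the client's order, without signalling values."""
    return [(int(code, 16), iana) for iana, code in SUITE_RE.findall(text)
            if not iana.endswith("_SCSV")]


def parse_testssl(text):
    """Return {code: (openssl_name, iana_name)} from testssl cipher rows."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = (m.group(2), m.group(3))
    return rows


def auth_of(iana):
    """Authentication a TLS <= 1.2 suite needs; TLS 1.3 names carry none ("any")."""
    m = AUTH_RE.match(iana)
    if m:
        return m.group(1)
    return "RSA" if iana.startswith("TLS_RSA_WITH_") else "any"


def diagnose(client, server):
    """Shared suites (client order, OpenSSL names) plus auth types on each side."""
    return {
        "shared": [server[code][0] for code, _ in client if code in server],
        "client_auth": {auth_of(iana) for _, iana in client},
        "server_auth": {auth_of(iana) for _, iana in server.values()},
    }


if __name__ == "__main__":
    client = parse_client_hello(CLIENT_HELLO)
    for label, rows in (("ECDSA cert", WITH_ECDSA_CERT), ("RSA cert", WITH_RSA_CERT)):
        print(label, diagnose(client, parse_testssl(rows)))
```

With the ECDSA certificate the server side needs ECDSA or anonymous authentication while the sender offers RSA-authenticated suites only, so the shared list is empty; with the RSA certificate the first shared suite is the one the postfix log shows as negotiated.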

Mission accomplished! :)

Now, if we’re interested in avoiding certain ciphers and increase security level, we can e.g. get rid of the SEED, CAMELLIA and all anonymous ciphers, and could accept only TLS v1.2 + v1.3, by further adjusting postfix’s main.cf:

smtpd_tls_ciphers = high smtpd_tls_exclude_ciphers = aNULL CAMELLIA smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3 smtpd_tls_protocols = TLSv1.2 TLSv1.3

Which would then give us:

% testssl --cipher-per-proto -t=smtp mail.example.com:25
[...]
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
TLS 1.1
TLS 1.2
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH 2048    ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc0a3   DHE-RSA-AES256-CCM8               DH 2048    AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8
 xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8
 xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384
 xc053   DHE-RSA-ARIA256-GCM-SHA384        DH 2048    ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 253   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 xc0a2   DHE-RSA-AES128-CCM8               DH 2048    AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8
 xc09e   DHE-RSA-AES128-CCM                DH 2048    AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM
 xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8
 xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc050   ARIA128-GCM-SHA256                RSA        ARIAGCM     128      TLS_RSA_WITH_ARIA_128_GCM_SHA256
 xc052   DHE-RSA-ARIA128-GCM-SHA256        DH 2048    ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 253   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

Don’t forget to also adjust the smtp_tls_* settings accordingly (for your sending side). For further information see the Postfix TLS Support documentation. Also check out options like tls_ssl_options (setting it to e.g. NO_COMPRESSION) and tls_preempt_cipherlist (setting it to yes would prefer the server’s order of ciphers over the client’s).
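One way to check that the sending side really mirrors the receiving side, as an added example (not code from the post or from Postfix): it parses main.cf text, including continuation lines, and reports every smtpd_tls_* setting from above whose smtp_tls_* counterpart is unset or different. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample, not a real server's configuration: the receiving side
# carries the settings from the post, the sending side was only partly updated.
SAMPLE_MAIN_CF = """\
# receiving side (smtpd)
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL
    CAMELLIA
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_protocols = TLSv1.2 TLSv1.3

# sending side (smtp)
smtp_tls_ciphers = high
smtp_tls_protocols = TLSv1.1, TLSv1.2, TLSv1.3
"""

# Suffixes shared by the smtpd_tls_* / smtp_tls_* parameters used in the post.
PAIRED_SUFFIXES = (
    "ciphers",
    "exclude_ciphers",
    "mandatory_ciphers",
    "mandatory_protocols",
    "protocols",
)


def parse_main_cf(text):
    """Return {parameter: value} following the main.cf line rules:
    comment and empty lines are ignored, a line starting with whitespace
    continues the previous parameter, and a later definition wins."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a value on commas/whitespace; order is ignored for comparison."""
    return frozenset(t for t in re.split(r"[,\s]+", value) if t)


def tls_parity_report(params):
    """Map each suffix to 'missing' (client side falls back to the Postfix
    default) or 'differs' (both set, but to different values)."""
    report = {}
    for suffix in PAIRED_SUFFIXES:
        server = params.get("smtpd_tls_" + suffix)
        client = params.get("smtp_tls_" + suffix)
        if server is None:
            continue
        if client is None:
            report[suffix] = "missing"
        elif tokens(server) != tokens(client):
            report[suffix] = "differs"
    return report


if __name__ == "__main__":
    parsed = parse_main_cf(SAMPLE_MAIN_CF)
    for suffix, status in tls_parity_report(parsed).items():
        print(f"smtp_tls_{suffix}: {status} "
              f"(smtpd side: {parsed['smtpd_tls_' + suffix]})")
```

Feeding it the output of `postconf -n` instead of the file shows the same comparison for the values Postfix has actually loaded.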

Conclusions:

  • no matter what you change in your mail server settings, be aware that the type of your SSL certificate also matters for what ciphers are offered and used
  • there are mail servers out there that don’t support SSL certificates with ECDSA; using RSA for those ensures better compatibility (nowadays postfix supports parallel usage of ECDSA and RSA keys BTW, check out the smtpd_tls_eccert_file + smtpd_tls_eckey_file options)
  • testssl is a very useful tool, especially with its --cipher-per-proto -t=smtp option to check SMTP servers
  • if you’re uncertain what’s going on, consider capturing network data (tshark/tcpdump/… are your friends)
  • review your postfix configuration and logs every now and then :)

Categories: FLOSS Project Planets

Thomas Goirand: Searching for a Ryzen 9, 16 cores, small laptop

Sun, 2023-09-24 11:19

The new 7945HX CPU from AMD is currently the most powerful. I’d love to have one of them, to replace the now aging 6 core Xeon that I’ve been using for more than 5 years. So, I’ve been searching for a laptop with that CPU.

Absolutely all of the laptops I found with this CPU also embed a very powerful RTX 40×0 series GPU, that I have no use for: I don’t play games, and I don’t do AI. I just want something that builds Debian packages fast (like Ceph, that takes more than 1h to build for me…). The more cores I get, the faster all OpenStack unit tests are running too (stestr does a moderately good job at spreading the tests to all cores). That’d be ok if I had to pay more for a GPU that I don’t need, and I would deal with the annoyance of the NVidia driver, if only I could find something with a correct size. But I can only find 16″ or bigger laptops, that won’t fit in my scooter back case (most of the time, these laptops have a 17 inch screen: that’s way too big).

Currently, I found:

  • Lenovo Legion Pro 5: screen is 16.8″
  • Dell Alienware m6: super heavy, 16″
  • Asus ROG Zephyrus Duo 16: 16″
  • MSI alpha (16 and 17): also 16″

If one of the readers of this post finds a smaller laptop with a 7945HX CPU, please let me know! Even better if I can get rid of the expensive NVidia GPU.

Categories: FLOSS Project Planets

Sahil Dhiman: Abraham Raji

Sun, 2023-09-24 04:51

Man, you’re no longer with us, but I am touched by the number of people you have positively impacted. Almost every DebConf presentations by locals, I saw after you carried how you were instrumental in bringing them there. How you were a dear friend and brother.

It’s a weird turn of events, that you left us during one thing we deeply cared and worked towards making possible since the past 3 years, together. Who would have known, that “Sahil, I’m going back to my apartment tonight” and casual bye post that would be the last conversation we ever had.

Things were terrible after I heard the news. I had a hard time convincing myself to come see you one last time during your funeral. That was the last time I was going to get to see you, and I kept on looking at you. You, there in front of me, all calm, gave me peace. I’ll carry that image all my life now. Your smile will always remain with me. Who’ll meet and receive me on the door at almost every Debian event (just by sheer co-incidence?). Who’ll help me speak out loud about all the Debian shortcomings (and then discuss solutions, when sober :)).

It was a testament of the amount of time we had already spent together online, that when we first met during MDC Palakkad, it didn’t feel we’re physically meeting for the first time. The conversations just continued. Now this song is associated with you now due to your speech during MiniDebConf Palakkad dinner. Hearing this keeps on reminding me of all the times we spent together chilling and talking community (which you cared deeply about). IG now we can’t stop caring for the community, because your energy was contagious.

Now, I can’t directly dial your number to listen - “Hey Sahil! What’s up?” from the other end, or “Tell me, tell me” on any mention of the problem. Nor would I be able to send ref of usage of Debian packaging guide in the wild. You already know about that text of yours. How many people that guide has helped with getting started with packaging. Did I ever tell you, I too got my first start with packaging from there. Hell, I started looking up to you from there, even before we met or talked. Now, I missed telling you, I was probably your biggest fan whenever you had the mic in hand and started speaking. You always surprised me with all the insights and ideas you brought and would keep on impressing me for someone who was just my age but was way more mature.

Reading recent toots from Raju Dev made me realize, how much I loved your writings. You wrote How the Future will remember Us, Doing what’s right and many more. The level of depth in your thought was unparalleled. I loved reading those, that’s why I kept pestering you to write more, which you slowly stopped. Now I fully understand why though, you were busy, really busy helping people out or just working for making things better. You were doing Debian, upstream projects, web development, designs, graphics, mentoring, evangelist while being the go-to person for almost everyone around. Everyone depended on you, because you were too kind to turn down anyone.

Man, I still get your spelling wrong :) Did I ever tell you that? That was the reason, I used to use AR instead.

You’ll be missed and will always be part of our conversations, because you have left a profound impact on me, our friends, Debian India and everyone around. See you! the coolest man around.

In memory:

PS - Just found you even had a Youtube channel, you one heck of a talented man.

Categories: FLOSS Project Planets

Sergio Talens-Oliag: GitLab CI/CD Tips: Using Rule Templates

Sat, 2023-09-23 18:14

This post describes how to define and use rule templates with semantic names using extends or !reference tags, how to define manual jobs using the same templates and how to use gitlab-ci inputs as macros to give names to regular expressions used by rules.

Basic rule templates

I keep my templates in a rules.yml file stored in a common repository used from different projects, as I mentioned in my previous post, but they can be defined anywhere; the important thing is that the files that need them include their definition somehow.

The first version of my rules.yml file was as follows:

.rules_common:
  # Common rules; we include them from others instead of forcing a workflow
  rules:
    # Disable branch pipelines while there is an open merge request from it
    - if: >-
        $CI_COMMIT_BRANCH &&
        $CI_OPEN_MERGE_REQUESTS &&
        $CI_PIPELINE_SOURCE != "merge_request_event"
      when: never

.rules_default:
  # Default rules, we need to add the when: on_success to make things work
  rules:
    - !reference [.rules_common, rules]
    - when: on_success

The main idea is that .rules_common defines a rule section to disable jobs as we can do on a workflow definition; in our case common rules only have if rules that apply to all jobs and are used to disable them. The example includes one that avoids creating duplicated jobs when we push to a branch that is the source of an open MR as explained here.

To use the rules in a job we have two options, use the extends keyword (we do that when we want to use the rule as is) or declare a rules section and add a !reference to the template we want to use as described here (we do that when we want to add additional rules to disable a job before evaluating the template conditions).

As an example, with the following definitions both jobs use the same rules:

job_1:
  extends:
    - .rules_default
  [...]

job_2:
  rules:
    - !reference [.rules_default, rules]
  [...]

Manual jobs and rule templates

To make the jobs manual we have two options: create a version of the rule that includes when: manual and defines whether we want it to be optional or not (allow_failure: true makes the job optional; if we don’t add that to the rule the job is blocking), or add when: manual and the allow_failure value to the job (at the job level the default value of allow_failure is true for when: manual, so the job is optional by default and we have to add an explicit allow_failure: false to make it blocking).

The following example shows how we define blocking or optional manual jobs using rules with when conditions:

.rules_default_manual_blocking:
  # Default rules for blocking manual jobs
  rules:
    - !reference [.rules_common, rules]
    - when: manual
      # allow_failure: false is implicit

.rules_default_manual_optional:
  # Default rules for optional manual jobs
  rules:
    - !reference [.rules_common, rules]
    - when: manual
      allow_failure: true

manual_blocking_job:
  extends:
    - .rules_default_manual_blocking
  [...]

manual_optional_job:
  extends:
    - .rules_default_manual_optional
  [...]

The problem here is that we have to create new versions of the same rule template to add the conditions, but we can avoid it using the keywords at the job level with the original rules to get the same effect; the following definitions create jobs equivalent to the ones defined earlier without creating additional templates:

manual_blocking_job:
  extends:
    - .rules_default
  when: manual
  allow_failure: false
  [...]

manual_optional_job:
  extends:
    - .rules_default
  when: manual
  # allow_failure: true is implicit
  [...]

As you can imagine, that is my preferred way of doing it, as it keeps the rules.yml file smaller and I see that the job is manual in its definition without problem.

Rules with allow_failure, changes, exists, needs or variables

Unluckily for us, for now there is no way to avoid creating additional templates as we did on the when: manual case when a rule is similar to an existing one but adds changes, exists, needs or variables to it.

So, for now, if a rule needs to add any of those fields we have to copy the original rule and add the keyword section.

Some notes, though:

  • we only need to add allow_failure if we want to change its value for a given condition; in other cases we can set the value at the job level.
  • if we are adding changes to the rule it is important to make sure that they are going to be evaluated as explained here.
  • when we add a needs value to a rule for a specific condition and it matches, it replaces the job needs section; when using templates I would use two different job names with different conditions instead of adding a needs on a single job.

Defining rule templates with semantic names

I started to use rule templates to avoid repetition when defining jobs that needed the same rules and soon I noticed that giving them names with a semantic meaning made them easier to use and understand (we provide a name that tells us when we are going to execute the job, while the details of the variable names or values used in the rules are an implementation detail of the templates).

We are not going to define real jobs on this post, but as an example we are going to define a set of rules that can be useful if we plan to follow a scaled trunk based development workflow when developing, that is, we are going to put the releasable code on the main branch and use short-lived branches to test and complete changes before pushing things to main.

Using this approach we can define an initial set of rule templates with semantic names:

.rules_mr_to_main:
  rules:
    - !reference [.rules_common, rules]
    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'main'

.rules_mr_or_push_to_main:
  rules:
    - !reference [.rules_common, rules]
    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'main'
    - if: >-
        $CI_COMMIT_BRANCH == 'main' &&
        $CI_PIPELINE_SOURCE != 'merge_request_event'

.rules_push_to_main:
  rules:
    - !reference [.rules_common, rules]
    - if: >-
        $CI_COMMIT_BRANCH == 'main' &&
        $CI_PIPELINE_SOURCE != 'merge_request_event'

.rules_push_to_branch:
  rules:
    - !reference [.rules_common, rules]
    - if: >-
        $CI_COMMIT_BRANCH != 'main' &&
        $CI_PIPELINE_SOURCE != 'merge_request_event'

.rules_push_to_branch_or_mr_to_main:
  rules:
    - !reference [.rules_push_to_branch, rules]
    - if: >-
        $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != 'main' &&
        $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'main'

.rules_release_tag:
  rules:
    - !reference [.rules_common, rules]
    # The dots are escaped so that only a literal '.' separates the numbers
    - if: $CI_COMMIT_TAG =~ /^([0-9a-zA-Z_.-]+-)?v\d+\.\d+\.\d+$/

.rules_non_release_tag:
  rules:
    - !reference [.rules_common, rules]
    - if: $CI_COMMIT_TAG !~ /^([0-9a-zA-Z_.-]+-)?v\d+\.\d+\.\d+$/

With those names it is clear when a job is going to be executed and when using the templates on real jobs we can add additional restrictions and make the execution manual if needed as described earlier.

Using inputs as macros

On the previous rules we have used a regular expression to identify the release tag format and assumed that the general branches are the ones with a name different than main; if we want to force a format for those branch names we can replace the condition != 'main' by a regex comparison (=~ if we look for matches, !~ if we want to define valid branch names removing the invalid ones).

When testing the new gitlab-ci inputs my colleague Jorge noticed that if you keep their default value they basically work as macros.

The variables declared as inputs can’t hold YAML values, the truth is that their value is always a string that is replaced by the value assigned to them when including the file (if given) or by their default value, if defined.

If you don’t assign a value to an input variable when including the file that declares it, its occurrences are replaced by its default value, making them work basically as macros; this is useful for us when working with strings that can’t be managed as variables, like the regular expressions used inside if conditions.

With those two ideas we can add the following prefix to the rules.yml file, defining inputs for both regular expressions, and replace the rules that can use them by the ones shown here:

spec:
  inputs:
    # Regular expression for branches; the prefix matches the type of changes
    # we plan to work on inside the branch (we use conventional commit types as
    # the branch prefix)
    branch_regex:
      default: '/^(build|ci|chore|docs|feat|fix|perf|refactor|style|test)\/.+$/'
    # Regular expression for tags (dots escaped to match a literal '.')
    release_tag_regex:
      default: '/^([0-9a-zA-Z_.-]+-)?v\d+\.\d+\.\d+$/'
---
[...]
.rules_push_to_changes_branch:
  rules:
    - !reference [.rules_common, rules]
    - if: >-
        $CI_COMMIT_BRANCH =~ $[[ inputs.branch_regex ]] &&
        $CI_PIPELINE_SOURCE != 'merge_request_event'

.rules_push_to_branch_or_mr_to_main:
  rules:
    - !reference [.rules_push_to_branch, rules]
    - if: >-
        $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $[[ inputs.branch_regex ]] &&
        $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'main'

.rules_release_tag:
  rules:
    - !reference [.rules_common, rules]
    - if: $CI_COMMIT_TAG =~ $[[ inputs.release_tag_regex ]]

.rules_non_release_tag:
  rules:
    - !reference [.rules_common, rules]
    - if: $CI_COMMIT_TAG !~ $[[ inputs.release_tag_regex ]]

Creating rules reusing existing ones

I’m going to finish this post with a comment about how I avoid defining extra rule templates in some common cases.

The idea is simple: we can use !reference tags to fine tune rules when we need to add conditions to disable them, simply by adding conditions with when: never before referencing the template.

As an example, in some projects I’m using different job definitions depending on the DEPLOY_ENVIRONMENT value to make the job manual or automatic; as we just said we can define different jobs referencing the same rule adding a condition to check if the environment is the one we are interested in:

deploy_job_auto:
  rules:
    # Only deploy automatically if the environment is 'dev' by skipping this job
    # for other values of the DEPLOY_ENVIRONMENT variable
    - if: $DEPLOY_ENVIRONMENT != "dev"
      when: never
    - !reference [.rules_release_tag, rules]
  [...]

deploy_job_manually:
  rules:
    # Disable this job if the environment is 'dev'
    - if: $DEPLOY_ENVIRONMENT == "dev"
      when: never
    - !reference [.rules_release_tag, rules]
  when: manual
  # Change this to `false` to make the deployment job blocking
  allow_failure: true
  [...]

If you think about it the idea of adding negative conditions is what we do with the .rules_common template; we add conditions to disable the job before evaluating the real rules.

The difference in that case is that we reference them at the beginning because we want those negative conditions on all jobs, and that is also why we have a .rules_default condition with a when: on_success for the jobs that only need to respect the default workflow (we need the last condition to make sure that they are executed if the negative rules don’t match).
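The first-match evaluation these templates rely on, modelled as an added Python example (not code from the post or from GitLab): rules are tried in order, a rule without if always matches, a matching rule without when falls back to the job-level when, and a job with no matching rule is left out of the pipeline. The pipeline variable values and the build and common_only job names are constructed, the if conditions are written as Python predicates instead of GitLab expressions, and the release-tag pattern escapes its dots.

```python
import re

# Release-tag pattern in the shape used by .rules_release_tag; the dots are
# escaped so only a literal "." separates the numbers (re.ASCII: \d is 0-9).
RELEASE_TAG = re.compile(r"^([0-9a-zA-Z_.-]+-)?v\d+\.\d+\.\d+$", re.ASCII)


def rule(cond=None, when=None):
    """One entry of a rules: list; cond is a predicate over the variables."""
    return {"if": cond, "when": when}


def open_mr_branch_push(v):
    """Branch pipeline for a branch that already has an open merge request."""
    return (bool(v.get("CI_COMMIT_BRANCH"))
            and bool(v.get("CI_OPEN_MERGE_REQUESTS"))
            and v.get("CI_PIPELINE_SOURCE") != "merge_request_event")


def is_release_tag(v):
    return RELEASE_TAG.search(v.get("CI_COMMIT_TAG", "")) is not None


# List concatenation stands in for `!reference [.template, rules]`.
RULES_COMMON = [rule(open_mr_branch_push, when="never")]
RULES_DEFAULT = RULES_COMMON + [rule(when="on_success")]
RULES_RELEASE_TAG = RULES_COMMON + [rule(is_release_tag)]

JOBS = {
    "build": {"rules": RULES_DEFAULT},
    # Only the negative rules: nothing ever matches positively.
    "common_only": {"rules": RULES_COMMON},
    "deploy_job_auto": {
        "rules": [rule(lambda v: v.get("DEPLOY_ENVIRONMENT") != "dev", "never")]
        + RULES_RELEASE_TAG,
    },
    "deploy_job_manually": {
        "rules": [rule(lambda v: v.get("DEPLOY_ENVIRONMENT") == "dev", "never")]
        + RULES_RELEASE_TAG,
        "when": "manual",
    },
}

# Constructed pipeline contexts (variable values are made up for the example).
PIPELINES = {
    "branch_push": {"CI_PIPELINE_SOURCE": "push",
                    "CI_COMMIT_BRANCH": "feat/login"},
    "branch_push_open_mr": {"CI_PIPELINE_SOURCE": "push",
                            "CI_COMMIT_BRANCH": "feat/login",
                            "CI_OPEN_MERGE_REQUESTS": "group/project!7"},
    "merge_request": {"CI_PIPELINE_SOURCE": "merge_request_event",
                      "CI_OPEN_MERGE_REQUESTS": "group/project!7",
                      "CI_MERGE_REQUEST_TARGET_BRANCH_NAME": "main"},
    "tag_dev": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_TAG": "v1.2.3",
                "DEPLOY_ENVIRONMENT": "dev"},
    "tag_prod": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_TAG": "v1.2.3",
                 "DEPLOY_ENVIRONMENT": "prod"},
    "loose_tag_prod": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_TAG": "v1x2x3",
                       "DEPLOY_ENVIRONMENT": "prod"},
}


def decide(job, variables):
    """Return the effective `when` of the job, or 'never' if it is skipped."""
    for r in job["rules"]:
        if r["if"] is None or r["if"](variables):
            # A matching rule without `when` uses the job-level value.
            return r["when"] or job.get("when", "on_success")
    return "never"  # no rule matched: the job is not added to the pipeline


def decision_table():
    return {(j, p): decide(JOBS[j], PIPELINES[p])
            for j in JOBS for p in PIPELINES}


if __name__ == "__main__":
    for (job_name, pipeline), outcome in decision_table().items():
        print(f"{job_name:20} {pipeline:20} {outcome}")
```

The common_only rows are all never, which is why .rules_default needs its trailing when: on_success.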

Categories: FLOSS Project Planets

Jonathan Wiltshire: Debian Family

Sat, 2023-09-23 12:59

Last week tragedy struck, and I saw the very best of the Debian community at work.

I heard first hand testimony about how helpless so many people felt at being physically unable to help their friend. I heard about how they couldn’t bear to leave and had to be ushered away to make space for rescue services to do their work. I heard of those who continued the search with private divers, even after the official rescue was called off.

I saw the shock and grief which engulfed everybody who I saw that night and in the following days. I watched friends comfort each other when it became too much. I read the messages we wrote in memory and smiled at how they described the person I’d only just started to know.

When I felt angry, and helpless, and frustrated that I couldn’t do more, the people around me caught me, comforted me, and cared for me.

Debian, you are like family and nobody can claim otherwise. You bicker and argue about the silliest things and sometimes it feels like we’ll never get past them. But when it comes to simple human compassion for each other, you always surprise me with your ability to care.

Categories: FLOSS Project Planets

Ravi Dwivedi: Debconf23

Fri, 2023-09-22 14:19
Official logo of DebConf23

Introduction

DebConf23, the 24th annual Debian Conference, was held in India in the city of Kochi, Kerala from 3 September - 17 September 2023. I was excited to attend DebConf in my home country ever since I got to know about it (more than a year ago). This was my second DebConf as I attended one last year in Kosovo. I was very happy that I don’t need to apply for a visa to attend the conference. This time I submitted two talks - one on Debian packaging for beginners and the other on ideas on sustainable solutions for self-hosting. I got full bursary to attend the event (thanks a lot to debian for that!) which is always helpful in covering the expenses, especially if the venue is a five star hotel :)

My friend Suresh, who is enthusiastic about debian and free software, also wanted to attend the DebConf. When the registration started, I reminded him to apply. We landed in Kochi on 28 August 2023 during the Onam festival. Then, we celebrated Onam in Kochi, had a trip to Wayanad and returned to Kochi. On 3 September evening, we reached the venue - Four Points Hotel by Sheraton, Infopark Kochi, Ernakulam, Kerala, India.

Hotel overview

The hotel had 14 floors, and featured a swimming pool and gym - these were included in our package. The hotel gave us elevator access only for our floor and public spaces like reception, gym, swimming pool and meals. The temperature inside the hotel was pretty cold and I had to buy a jacket to survive. Perhaps the hotel had tie up with warm clothing sellers :)

Meals

On the first day, Suresh and I went to dinner which was at the eatery on the third floor. At the entrance, there was a staff who asked us about how many people we want the table for. I told her that it’s just the two [of us] at the moment, but we might be joined by others, as we are attending a conference, more people may join us. Even so, they gave us a table for two. Within a few minutes, Alper (from Turkey) and urbec (Germany) showed up and joined us. So we shifted to a larger table, and even more people joined, so we were busy adding more chairs to our table. urbec was already in Kerala since 5-6 days and was very happy already with the quality and taste of bananas in Kerala, and also afraid of the spicy food :)

Two days later, the lunch and dinner got shifted to the All Spice Restaurant at the 14th floor, but the breakfast was still at eatery. Since eatery (on 3rd floor) had much more options than the other venue, this move made breakfast the best meal for me and many others. Many attendees from outside India were not accustomed to the “spicy” and hot food. It is difficult for locals to help because what they find non spicy can be spicy for non Indians. It is not easy to satisfy everyone at the dining table but I think the organizing team did a very good job in the food department. Well, it didn’t matter for me after a point and you will know why. The pappadam were really good, I liked the rice labelled “Kerala rice”. I actually brought that exact rice and pappadam home during my last trip to Kochi and everyone at my home liked it (thanks to Abhijit PA). I also wished to eat all types of payasams from Kerala and this really happened (thanks to Sruthi who designed the menu). Every meal had a different variety of payasam and it was awesome, although I didn’t like some of them mostly because of them being very sweet. Meals were later shifted to the ground floor (taking away the best breakfast option which was eatery).

Swag bag was excellent

The debconf registration desk was at the second floor. We got a very nice swag bag. The swag bags were available in multiple colors - grey, green, blue, red. The bag included an umbrella, a steel mug, a multiboot USB drive by Mostly Harmless, a thermal flask, a mug by Canonical, a [paper] coaster and stickers. It rained almost everyday in Kochi when we were there so handing out an umbrella to every attendee was a good idea.

Picture of awesome swag bag we got in debconf23.

Nattie got a gift

One day during the breakfast, Nattie said she wants to buy a coffee filter. Next time when I went to the market, I bought a coffee filter for her as a gift. She seemed happy with the gift and was flattered to receive a gift from a young man :)

Mentoring by me

There were many newbies and they were eager to learn and contribute to debian. So, I mentored whoever came to me and was interested to learn. I took a packaging workshop in the bootcamp but could only cover how to setup debian unstable environment, not how to package (but I covered in my talk). Carlos (Brazil) gave a keysigning session in the bootcamp. Praveen was also mentoring in the bootcamp. I helped people in understanding why we sign gpg keys and how to sign it. I planned to take a workshop on it but cancelled it later.

My talk

My debian packaging talk was on 10 September 2023. I had not prepared slides for my debian packaging talk in advance and I thought I can do it during the trip but I didn’t get time for that. So I prepared them within a day before the talk. Since it was mostly a tutorial, it didn’t need so much preparation for the slides. it was possible to do in a hurry because Suresh helped me with the slides. Thanks to him.

My talk was well received by the audience as implied by their comments. I am glad that I could give an interesting presentation.

My presentation photo. Credits: Valessio

A visit to saree shop

After my talk, I went with Anisa and Kristi (both from Albania), whose fascination for the Indian culture is never ending :), (along with Suresh and Alper) as they wanted to buy sarees for themselves. We took autos to Kakkanad market and found a shop with lots of variety of sarees. Obviously, I got a little familiar with the area surrounding the hotel as I was there since a week. Indian women usually don’t try sarees on themselves while buying, they only select the design. But Anisa wanted to put one on along with a photoshoot. The shop staff weren’t ready with a trial saree for this, so they took a saree from a mannequin. It took about an hour for the lady at the shop to get that saree on her. Anyone can tell that she felt in heaven while wearing that saree and immediately bought that one :) Alper also bought a saree to take back to Turkey for his mother. Me and Suresh wanted to buy a kurta which can go along mundu we already had, but we didn’t find anything that we liked.

Selfie with Anisa and Kristi.

Cheese and Wine Party

11 September was Cheese and Wine Party, a tradition of every debconf. I brought Kaju Samosa and Nankhatai from home. Many attendees told me they liked the samosa. During the party, I was with Abhas and had a lot of fun. Abhas brought paan packets and put them for the Cheese and Wine Party. We discussed interesting things and ate burgers. But due to the restrictive alcohol laws in the state, it was not the same as in previous debconf because you can only drink alcohol served by the hotel in public places. If you buy your own alcohol, you can only drink in private places like in your room or friend’s room but not in public places.

Me helping with the Cheese and Wine Party

Party at my room

Last year, Joenio (Brazilian) brought pastis from France which I liked. He brought the same alcoholic drink this year too. So I invited him to my room after Cheese and Wine party to have pastis. My idea was to have this with my roommate Suresh and Joenio. But then we permitted Joenio to bring as many people as he wants. He brought some ten people I think and suddenly it was crowded. I was having good time in the party, serving them snacks that Abhas gave me. The news of an alcohol party at my room spread like wildfire. Soon there were so many people that the AC was not cooling anymore and I was sweating. I left the room and roamed around in the hotel for some fresh air. I came back after 1.5 hours, after sitting mostly at the ground floor with someone whose name I can’t remember. And then I met Abraham near the gym (which was my last meeting with him). I came back to my room at around 02:30 AM and nobody seems to have realized that I was gone. They were thanking me for hosting such a good party. A lot of people left at that point and the remaining people were playing songs and dancing (everyone was dancing all along!). I had no energy left to dance and to join them. They left around 03:00 AM. But I am glad that people enjoyed partying in my room.

This picture was taken when there were few people in my room for the party.

Sadhya Thali

On 12 September, we got sadhya thali in lunch. It is vegetarian thali served on banana leaf and served on the eve of Thiruvonam. That day was not thiruvonam but we got a special filling lunch. Rasam and payasam were especially yummy.

Sadhya Thali: A vegetarian meal served on banana leaf. Payasam and rasam were especially yummy!

Day trip

13 September was the daytrip. I chose the daytrip Houseboat in Allepey. Suresh also chose the same and we registered for that daytrip as soon as it was open. This was the most preferred daytrip by debconf attendees (80 people registered for it). Our bus was set to leave at 9 AM on 13 September. Me and Suresh woke up at 08:40 and hurried to get the bus in time. It took two hours to reach the venue where we get the houseboat.

The houseboat experience was good. The trip featured some good scenery. I was having experience of the renowned Kerala backwaters. We were served food on the boat. We also stopped at a place and had coconut water. We came back to the place where we boarded the boat by evening.

Group photo of our daytrip. Credits: Radhika Jhalani

Lost a good friend during daytrip

When we came back from the daytrip, we got the news that Abraham Raji died due to drowning. He went to the kayaking daytrip. I am not sure what exactly happened but the story goes that he jumped into the water for swimming and drowned.

Abraham Raji was a very good friend of mine. In my trip to Albania - Kosovo - Dubai last year, he was my roommate in the apartment in Tirana, had lot of discussions during DebConf22 Kosovo and I roamed around in Dubai with him. In fact, the photo of me on the homepage of this blogpost was taken by Abraham. Then I met him in MiniDebConf22 Palakkad and MiniDebConf23 Tamil Nadu. I also went to his flat in Kochi this year in June. Plus we had many projects in common. He was also a Free Software activist and was the designer of the DebConf23 logo. He also designed logos for other debian events in India.

A selfie in memory of Abraham.

We all got pretty shocked by the news. As far as I am concerned, I have still not recovered (9 days after the incident) and still cannot believe it happened. Food does not taste anything and sleep is hard to come by. That night, Anisa and Kristi cheered me up and gave me company. Thanks a lot to them. Next day, Joenio also tried to console me. I thank him for doing a great job. I thank everyone who helped me in coping the difficult situation.

Next day (14 September), Debian project leader Jonathan Carter addressed and announced the news officially. Debian project also published it on their website. In fact, Abraham was supposed to give a talk at that time. All the talks were cancelled on that day. The conference dinner was also cancelled. I was totally devastated!

A visit to Abraham’s house

On 15 September, the conference ran two buses from the hotel to Abraham’s house in Kottayam (2 hours ride). I hopped in the first bus and my mood was not very good. Evangelos (Germany) was sitting in front of me and he started discussing with me. The distraction helped and I was back to normal for a while. Thanks to Evangelos as he supported me a lot on that trip. He was also very impressed by my use of the StreetComplete app which I was using to edit OpenStreetMap.

In two hours, we reached Abraham’s house. Obviously, I burst into tears and couldn’t control myself. Then I went to see the dead body. I met his family (mother, father and sister). I had nothing to say and I felt helpless. I had no energy left, mainly due to lack of sleep over the last few days and my shrinking appetite, so I didn’t think it was a good idea for me to stay there. I went back by taking the bus after one hour and had lunch at the hotel. I withdrew my talk scheduled on 16th September.

A Japanese gift

I got a nice Japanese gift from Niibe Yutaka (Japan) - a folder to keep papers which had ancient Japanese manga characters. He said he felt guilty as he swapped his talk with me and so it got rescheduled from 12th September to 16 September which I withdrew later.

Thanks to Niibe Yutaka (the person towards your right hand) from Japan (FSIJ), who gave me a wonderful Japanese gift during debconf23: A folder to keep pages with ancient Japanese manga characters printed on it. I realized I immediately needed that :)

This is the Japanese gift I received.

Group photo

On 16th September, we had a group photo and I am glad this year I was more clear in the picture than debconf22.

Volunteer work and talks attended

I went to training for video team and I worked as a camera operator. The Bits from DPL was nice. I enjoyed Abhas’ presentation on home automation. He basically demonstrated how he liberated home devices which work with internet. I also liked Kristi’s presentation on ways to engage with the GNOME community.

Kristi on GNOME community. Abhas' talk on home automation

I also attended lightning talks on the last day. Me, Badri and Wouter gave a demo on how to register on prav app. Prav app also got its fair share of advertising during last few days.

17 September night

On 17 September night, Suresh left the hotel and Badri joined me in my room. That night I wore a mundu (thanks to Abhijith PA, Kiran and Ananthu).

Me in mundu. Picture credits: Abhijith PA

Then I joined Kalyani, Mangesh, Ruchika, Anisa, Ananthu and Kiran. We took pictures and this marked the last night of debconf.

Departure Day

18 September was departure day. Badri slept in my room and left early morning (06:30 AM). I dropped him at the hotel gate. The breakfast was at the eatery (3rd floor) again and it was good.

Me, Sahil, Saswata, Nilesh hung out for some time at the ground floor.

From left: Nilesh, Saswata, me, Sahil

I had an 8 PM flight from Kochi to Delhi. So I took a cab with Rhonda (Austria), Michael (Nigeria) and Yash (India). We were also joined by other debconf attendees at the Kochi airport. We took another selfie at the airport:

Ruchika (taking the selfie) and from left to right: Yash, Joost (Netherlands), me, Rhonda

Joost had the same flight with me and we sat next to each other. He then took a connecting flight from Delhi to Netherlands. And I went with Yash to New Delhi station and we took our respective trains. I reached home in the morning of 19 September 2023.

Joost and me going to Delhi

Big thanks to the organizers

DebConf23 was hard to organize - strict alcohol laws, weird hotel rules, death of a close friend (almost a family member) and a scary notice by the immigration bureau. People from the team are my close friends and I am proud that they organized such a good event. None of this would have been possible without the organizers who put more than a year long voluntary effort to produce this. In the meanwhile, many of them had organized local events in the run up before debconf.

Shoutout for them.

The organizers also tried their best to get clearance for countries the ministry didn’t approve. I am also sad that people from China, Kosovo, Iran could not join. Especially, I feel bad for people from Kosovo who wanted to attend but could not (as India does not consider their passport as a valid travel document) as we Indians were well received last year in their country.

Note about myself

I am writing this on 22 September 2023 and it took three days to put up this post. This was one of the tragic and hard to write posts for me. I have literally forced myself to write this. I have still not recovered from the loss of my friend. Thanks a lot to all those who helped me.

PS: Credits to contrapuntus for correcting grammatical mistakes.

Categories: FLOSS Project Planets
