Entries for Planet Debian.
Billing an Italian public administration
Here's a simple guide for how I managed to bill one of my customers as is now mandated by law in Italy.
Create a new virtualbox machine
I would never do any of this to any system I would ever want to use for anything else, so it's virtual machine time.
- I started virtualbox, created a new machine for Ubuntu 32bit, 8Gb disk, 4Gb RAM, and placed the .vdi image in an encrypted partition. The web services of Infocert's fattura-pa require "Java (JRE) a 32bit di versione 1.6 o superiore".
- I installed Ubuntu 12.04 on it: that is what dike declares to support.
- I booted the VM, installed virtualbox-guest-utils, and made sure I also had virtualbox-guest-x11
- I restarted the VM so that I could resize the virtualbox window and have Ubuntu resize itself as well. Now I could actually read popup error messages in full.
- I changed the desktop background to something that gave me the idea that this is an untrusted machine where I need to be very careful of what I type. I went for bright red.
Install smart card software into it
apt-get install pcscd pcsc-tools opensc
- In virtualbox, I went to Devices/USB devices and enabled the smart card reader in the virtual machine.
- I ran pcsc_scan to see if it could see my smart card.
- I ran Firefox, went to preferences, advanced, security devices, load. Module name is "CRS PKCS#11", module path is
- I went to https://fattura-pa.infocamere.it/fpmi/service and I was able to log in. To log in, I had to type the PIN 4 times into popups that offered little explanations about what was going on, enjoying cold shivers because the smart card would lock itself at the 3rd failed attempt.
- Congratulations to myself! I thought that all was set, but unfortunately, at this stage, I was not able to do anything else except log into the website.
Descent into darkness
Set up things for fattura-pa
- I got the PDF with the setup instructions from here. Get it too, for a reference, a laugh, and in case you do not believe the instructions below.
- I went to https://www.firma.infocert.it/installazione/certificato.php, and saved the two certificates.
- Firefox, preferences, advanced, show certificates, I imported both CA certificates, trusted for everything, all my base are belong to them.
apt-get install icedtea-plugin
- I went to https://fattura-pa.infocamere.it/fpmi/service and tried to sign. I could not: I got an error about invalid UTF8 for something or other in Firefox's standard error. Firefox froze and had to be killed.
Set up things for signing locally with dike
- I removed icedtea so that I could use the site without firefox crashing.
- I installed DiKe For Ubuntu 12.04 32bit
- I ran dikeutil to see if it could talk to my smart card
- When signing with the website, I chose the manual signing options and downloaded the zip file with the xml to be signed.
- I got a zip file, unzipped it.
- I loaded the xml into dike.
- I signed it with dike.
- I got this error message: "nessun certificato di firma presente sul dispositivo di firma" and then this error message: "Impossibile recuperare il certificato dal dispositivo di firma". No luck.
Set up things for signing locally with ArubaSign
- I went to https://www.pec.it/Download.aspx
- I downloaded ArubaSign for Linux 32 bit.
- Oh! People say that it only works with Oracle's version of Java.
sudo add-apt-repository ppa:webupd8team/java
apt-get install oracle-java7-installer
- During the installation process I had to agree to also sell my soul to Oracle.
tar axf ArubaSign*.tar*
java -jar ArubaSign.jar
- I let it download its own updates. Another time I did not. It does not seem to matter: I get asked that question every time I start it anyway.
- I enjoyed the fancy brushed metal theme, and had an interesting time navigating an interface where every label on every icon or input field was truncated.
- I downloaded https://www.pec.it/documenti/Manuale_ArubaSign2_firma%20Remota_V03_02_07_2012.pdf to get screenshots of that interface with all the labels intact
- I signed the xml that I got from the website. I got told that I needed to really view carefully what I was signing, because the signature would be legally binding
- I enjoyed carefully reading a legally binding, raw XML file.
- I told it to go ahead, and there was now a .p7m file ready for me. I rejoiced, as now I might, just might actually get paid for my work.
Try fattura-pa again
Maybe fattura-pa would work with Oracle's Java plugin?
- I went to https://fattura-pa.infocamere.it/fpmi/service
- I got asked to verify java at www.java.com. I did it.
- I told FireFox to enable java.
- Suddenly, and while I was still in java.com's tab, I got prompted about allowing Infocert's applet to run: I allowed it to run.
- I also got prompted several times, still while the current tab was not even Infocert's tab, about running components that could compromise the security of my system. I allowed and unblocked all of them.
- I entered my PIN.
- Congratulations! Now I have two ways of generating legally binding signatures with government issued smart cards!
I shut down that virtual machine and I'm making sure I never run anything important on it. Except, of course, generating legally binding signatures as required by the Italian government.
debtags rewritten in python3
In my long quest towards closing #540218, I have uploaded a new libept to experimental.
Then I tried to build debtags on a sid+experimental chroot and the result runs but has libc's free() print existential warnings about whatevers.
At a quick glance, there are now things around like a new libapt, gcc 5 with ABI changes, and who knows what else. I figured how much time it'd take me to debug something like that, and I've used that time to rewrite debtags in python3. It took 8 hours, 5 of pleasant programming and the usual tax of another 3 of utter frustration packaging the results. I guess I gained over the risk of spending an unspecified amount of hours of just pure frustration.
So from now on debtags is going to be a pure python3 package, with dependencies on only python3-apt and python3-debian. 700 lines of python instead of several C++ files built on 4 layers of libraries. Hopefully, this is the last of the big headaches I get from hacking on this package. Also, one less package using libept.
Internet references saved for May 2015
Instead of keeping substantial tabs open until I have read all of them, or losing them in the jungle of browser bookmarks, I have written a script that collects them into a file per month, and turns them into markdown files for my blog. This way I sort of know where to find them, and if I do not, some internet search might. And if I wish, I can even choose to share it.
Jacob Kaplan-Moss is known for his work on Django but, as he would describe in his keynote, many think he had more to do with its creation than he actually did. While his talk ranged quite a bit, the theme covered something that software development organizations—and open source projects—may be grappling with: a myth about developer performance and how it impacts the industry. It was a thought-provoking talk that was frequently punctuated by applause; these are the kinds of issues that the Python community tries to confront head on, so the talk was aimed well.
git-buildpackage-based packaging practices from dkg
Why are there so many more undocumented systems than documented ones out there, and how can we cause more well-documented systems to exist? The answer isn’t “people are lazy”, and the solution is simple – though not easy.
Free German courses
This book is about helping us to focus on good people creating good things, to preserve that spirit of sharing, and to protect against those whose primary contribution is obstruction and disrespect
Collection of vim tips that people actually use
This page describes how to use SSL with a certificate fingerprint to automatically identify your registered nickname with NickServ on connect. You must have an IRC client that supports SSL with a client certificate.
I manage a few servers for myself, friends and family as well as for the Libravatar project. Here is how I customize recent releases of Debian on those servers.
SIP service, also providing test call services for SIP clients
Developers can get better at their craft by learning from the great writers who mastered theirs. Writing software isn’t the same as writing a novel, but there are parallels. Besides, advice from writers is better because writers have been struggling with their craft for many centuries, not just a few decades. It’s better-written as well. This talk shares great writers’ best advice for coders: Stephen King on refactoring, Anne Rice on development hardware, Hemingway on modelling with personas, and Neil Gaiman on everything.
Love thy neighbor as thyself
‘Love thy neighbor as thyself’, words which astoundingly occur already in the Old Testament.
One can love one’s neighbor less than one loves oneself; one is then the egoist, the racketeer, the capitalist, the bourgeois; and although one may accumulate money and power one does not of necessity have a joyful heart, and the best and most attractive pleasures of the soul are blocked.
Or one can love one’s neighbor more than oneself—then one is a poor devil, full of inferiority complexes, with a longing to love everything and still full of hate and torment towards oneself, living in a hell of which one lays the fire every day anew.
But the equilibrium of love, the capacity to love without being indebted to anyone, is the love of oneself which is not taken away from any other, this love of one’s neighbor which does no harm to the self.
I always have a hard time finding this quote on the Internet. Let's fix that.
Work around Google evil .ics feeds
I've happily been using
After doing that, I noticed that the fan in my laptop was on more often than usual, and I noticed that akonadi-server and postgres were running very often, and doing quite a lot of processing.
I investigated and realised that Google seems to be doing everything they can to make their ical feeds hard to sync against efficiently. This is the list of what I have observed Gmail doing to an unchanged ical feed:
- Date: headers in HTTP replies are always now
- If-Modified-Since: is not supported
- DTSTAMP of each element is always now
- VTIMEZONE entries appear in random order
- CN entries randomly change between full name and plus.google.com user ID
- ATTENDEE entries randomly change between having a CN or not having it
- TRIGGER entries change spontaneously
- CREATED entries change spontaneously
This causes akonadi to download and reprocess the entire ical feed at every single poll, and I can't blame akonadi for doing it. In fact, Google is saying that there is a feed with several years worth of daily appointments that all keep being changed all the time.
As a work-around, I have configured the akonadi source to point at a local file on disk, and I have written a script to update the file only if the .ics feed has actually changed.
Have a look at the script:
I consider it far from trivial, since it needs to do a partial parsing of the .ics feed to throw away all the nondeterminism that Google pollutes it with.
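The script itself is not reproduced on this page, so what follows is an added Python example (not the author's script) of the partial .ics parsing described above: it unfolds continuation lines, drops the properties listed earlier as rewritten on every fetch (DTSTAMP, CREATED, TRIGGER), strips CN= parameters, and sorts VTIMEZONE blocks before comparing two downloads, so that only a real change would justify rewriting the local file. The sample feeds at the end are constructed, not taken from a real Google calendar.

```python
import re

# Properties Google rewrites on every fetch (the list above); dropped before comparing.
VOLATILE_PROPS = {"DTSTAMP", "CREATED", "TRIGGER"}

def unfold(text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize(text):
    """Canonical form of an .ics feed with the nondeterministic parts removed."""
    body, zones, zone = [], [], None
    for line in unfold(text):
        name = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        if name in VOLATILE_PROPS:
            continue
        # CN= flips between a full name and a plus.google.com id: drop the parameter.
        line = re.sub(r';CN=(?:"[^"]*"|[^;:]*)', "", line)
        if line == "BEGIN:VTIMEZONE":
            zone = [line]
        elif zone is not None:
            zone.append(line)
            if line == "END:VTIMEZONE":
                zones.append("\n".join(zone))
                zone = None
        else:
            body.append(line)
    # VTIMEZONE blocks come in random order, so compare them sorted.
    return "\n".join(body + sorted(zones))

def feed_changed(new_text, old_text):
    """True only if the feed differs once the nondeterminism is stripped."""
    return normalize(new_text) != normalize(old_text)

# Constructed sample: one event as Google might serve it on two consecutive polls.
FEED_A = "\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VTIMEZONE", "TZID:Europe/Rome", "END:VTIMEZONE",
    "BEGIN:VEVENT", "UID:1@example.org", "DTSTAMP:20150301T100000Z",
    "ATTENDEE;CN=Enrico Zini:mailto:enrico@", " example.org",  # folded line
    "SUMMARY:Dentist", "END:VEVENT", "END:VCALENDAR"])
FEED_B = FEED_A.replace("20150301T100000Z", "20150302T110000Z").replace(
    "CN=Enrico Zini", "CN=plus.google.com/1234")
FEED_C = FEED_A.replace("SUMMARY:Dentist", "SUMMARY:Dentist (moved)")
```

An updater built on this would fetch the feed, call feed_changed() against the file on disk, and write the raw download only when it returns True, so akonadi sees a changed file only when an appointment really changed.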
$ cat ~/.config/systemd/user/update-ical-feeds.timer
[Unit]
Description=Updates ical feeds every hour
# Only run when on AC power
ConditionACPower=yes

[Timer]
# Run every hour
OnActiveSec=1h
# Run a minute after boot
OnBootSec=1m
Unit=update-ical-feeds.service

$ cat ~/.config/systemd/user/update-ical-feeds.service
[Unit]
Description=Update ICal feeds

[Service]
# Use oneshot to prevent two updates being run in case the previous one
# runs for more time than the timer interval
Type=oneshot
ExecStart=/home/enrico/tmp/calendars/update

$ systemctl --user start update-ical-feeds.timer
$ systemctl --user list-timers
NEXT                          LEFT        LAST                          PASSED  UNIT                     ACTIVATES
Wed 2015-03-25 22:19:54 CET   59min left  Wed 2015-03-25 21:19:54 CET   2s ago  update-ical-feeds.timer  update-ical-feeds.service

1 timers listed. Pass --all to see loaded but inactive timers, too.
To reload the configuration after editing: systemctl --user daemon-reload.
I wonder if ConditionACPower needs to be in the .timer or in the .service, since there is a [Unit] section in both. Update: I have been told it can be in the
I also wonder if there is a way to have the timer trigger only when online. There is a network-online.target and I do not know if it is applicable. I also do not know how to ask systemd if all the preconditions are currently met for a .service/.timer to run.
Finally, I especially wonder if it is worth hoping that Google will ever make .ics feeds play nicely with calendar clients.
Screen-dependent window geometry
I have an external monitor for my laptop in my work desk at home, and when I work I keep a few windows like IRC on my laptop screen, and everything else on the external monitor. Then maybe I transfer on the sofa to watch a movie or in the kitchen to cook, and I unplug from the external monitor to bring the laptop with me. Then maybe I go back to the external monitor to resume working.
The result of this (with openbox) is that when I disconnect the external monitor all the windows on my external monitor get moved to the right edge of the laptop monitor, and when I reconnect the external monitor I need to rearrange them all again.
I would like to implement something that does the following:
- it keeps a dictionary mapping screen geometry to window geometries
- every time a window geometry and virtual desktop number changes, it gets recorded in the hash for the current screen geometry
- every time the screen geometry changes, for each window, if there was a saved window geometry + virtual desktop number for it for the new screen geometry, it gets restored.
- Is anything like this already implemented? Where?
- If not, what would be a convenient way to implement it myself, ideally in a wmctrl-like way that does not depend on a specific WM?
Note: I am not interested in switching to a different WM unless it is openbox with this feature implemented in it.
Reuse passwords in /etc/crypttab
Today's scenario was a laptop with an SSD and a spinning disk, and the goal was to deploy a Debian system on it so that as many things as possible are encrypted.
My preferred option for it is to set up one big LUKS partition in each disk, and put a LVM2 Physical Volume inside each partition. At boot, the two LUKS partitions are opened, their contents are assembled into a Volume Group, and I can have everything I want inside.
This has advantages:
- if any of the disks breaks, the other can still be unlocked, and it should still be possible to access the LVs inside it
- once boot has happened, any layout of LVs can be used with no further worries about encryption
- I can use pvmove to move partitions at will between SSD and spinning disks, which means I can at anytime renegotiate the tradeoffs between speed and disk space.
However, by default this causes cryptsetup to ask for the password once for each LUKS partition, even if the passwords are the same.
Searching for ways to mitigate this gave me unsatisfactory results, like:
- decrypt the first disk, and use a file inside it as the keyfile to decrypt the second one. But in this case if the first disk breaks, I also lose the data in the second disk.
- reuse the LUKS session key for the first disk in the second one. Same problem as before.
- put a detached LUKS header in /boot and use it for both disks, then make regular backups of /boot. It is an interesting option that I have not tried.
The solution that I found was something that did not show up in any of my search results, so I'm documenting it here:
# <target name> <source device> <key file> <options>
ssd  /dev/sda2 main luks,initramfs,discard,keyscript=decrypt_keyctl
spin /dev/sdb1 main luks,initramfs,keyscript=decrypt_keyctl
This caches each password for 60 seconds, so that it can be reused to unlock other devices that use it. The documentation can be found at the beginning of /lib/cryptsetup/scripts/decrypt_keyctl, beware of the leopard™.
main is an arbitrary tag used to specify which devices use the same password.
This is also useful to work easily with multiple LUKS-on-LV setups:
# <target name> <source device> <key file> <options>
home   /dev/mapper/myvg-chome   main luks,discard,keyscript=decrypt_keyctl
backup /dev/mapper/myvg-cbackup main luks,discard,keyscript=decrypt_keyctl
swap   /dev/mapper/myvg-cswap   main swap,discard,keyscript=decrypt_keyctl