Unfortunately I live in the UK, where 6 months of the year, the time is GMT. Now is the time of year when I discover which of my servers don't have the right timezone configuration and show the wrong time during daylight saving. For future reference, here's how to set the timezone to Europe/London rather than UTC.

root@cms01:/tmp/openssl-0.9.8g# date
Mon Mar 31 08:23:35 GMT 2008
root@cms01:/tmp/openssl-0.9.8g# tzconfig
Your current time zone is set to GMT
Do you want to change that? [n]: y

Please enter the number of the geographic area in which you live:


   1) Africa         7) Australia

   2) America        8) Europe

   3) US time zones     9) Indian Ocean

   4) Canada time zones    10) Pacific Ocean

   5) Asia           11) Use System V style time zones

   6) Atlantic Ocean    12) None of the above


Then you will be shown a list of cities which represent the time zone
in which they are located. You should choose a city in your time zone.

Number: 8

Amsterdam Andorra Athens Belfast Belgrade Berlin Bratislava Brussels
Bucharest Budapest Chisinau Copenhagen Dublin Gibraltar Guernsey Helsinki
Isle_of_Man Istanbul Jersey Kaliningrad Kiev Lisbon Ljubljana London
Luxembourg Madrid Malta Mariehamn Minsk Monaco Moscow Nicosia Oslo Paris
Podgorica Prague Riga Rome Samara San_Marino Sarajevo Simferopol Skopje
Sofia Stockholm Tallinn Tirane Tiraspol Uzhgorod Vaduz Vatican Vienna
Vilnius Volgograd Warsaw Zagreb Zaporozhye Zurich

Please enter the name of one of these cities or zones
You just need to type enough letters to resolve ambiguities
Press Enter to view all of them again
Name: [] London
Your default time zone is set to 'Europe/London'.
Local time is now:      Mon Mar 31 09:23:48 BST 2008.
Universal Time is now:  Mon Mar 31 08:23:48 UTC 2008.

More information is available in the Debian System Administrator Manual.

Recently, we rolled out a Shibboleth Single Sign On service to protect one of our services. However, we started recieving intermittant login failures, both on our automated monitoring and from customers. Curiously these failures tended to happen mostly in the evening, which isn't a peak time for us. Debugging showed that the authentication worked, but the authorisaton was failing. Shibboleth works as an apache module and daemom that protects a service, which communicates with a webservice that does the authenication processing. The log files were showing an occasional SSL error in this communcation link.

INFO shibtarget.SessionCache [43005] sessionGet: trying to get new attributes 
      for session (ID=_d0cd2f93840bb92050b28fa73d19ce4f)
INFO SAML.SAMLSOAPHTTPBinding [43005] sessionGet: sending SOAP message to 
      https://login.example.com/shibboleth/AA
ERROR SAML.SAMLSOAPHTTPBinding [43005] sessionGet: failed while contacting   
      SAML responder: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad 
      decompression
ERROR shibtarget.SessionCache [43005] sessionGet: caught SAML exception 
      during SAML attribute query: SOAPHTTPBindingProvider::send() failed 
      while contacting SAML responder: error:1408F06B:SSL 
      routines:SSL3_GET_RECORD:bad decompression
ERROR shibtarget.SessionCache [43005] sessionGet: no response obtained

We didn't manage to find any suitable solutions on the internet, so we pulled out the trusty wireshark and started looking to see what was going on. We could see that the client was advertising deflate and null compression, and that the server was responding by asking for deflate compression. However the client would then claim that there was a decompression error in the servers response. This opened a few lines of enquiry. I made sure that both ends of the connection were running the same version of OpenSSL and they were both using 0.9.8a from Ubuntu Dapper. Interestingly 0.9.8a is the first version that had compression support. We found a couple of suggestions including forcing connections to be SSL2, which lacked compression or recompiling openssl without zlib support. As the former was easier, we tried that first by putting

SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

in /etc/apache2/mods-enabled/ssl.conf as suggested by Debian bug #338008, and this seemed to work for around an hour. Packet sniffing showed that it was still negotiating SSL3 including deflate compression. Clearly we had to try something else.

Rather than recompile OpenSSL without zlib support, I thought I'd try upgrading the version of OpenSSL to something later in case that fixed the decompression bug. the version in Hardy is 0.9.8g, which sadly required recompiling and disabling the Ubuntu change to enable -Bsymbolic-functions during linking. Installing this on the client end didn't fix the problem, however installing it on the server end seemed to fix it. So far it's been running for 24 hours without an error, so fingers crossed that this has fixed it for good.

dpkg has a very useful feature where if you delete a conffile (pretty much everything under /etc and a few other files) it isn't replaced when you upgrade the package[0]. This behaviour was confusing me for a while until I realised what was happening. I was attempting to reinstall a package to get the default configuration files back that had been accidentally deleted, but no matter what I tried, the files didn't exist after running dpkg. Once I figured out that dpkg had this behaviour the solution was simple; use the --force-confmiss command line argument.

root@quux:~# dpkg --force-confmiss -i /tmp/foo_2.0.0-build.14_all.deb 
(Reading database ... 33418 files and directories currently installed.)
Preparing to replace foo 2.0.0-build.14 (using .../foo_2.0.0-build.14_all.deb) ...
Unpacking replacement foo ...
Setting up foo (2.0.0-build.14) ...

Configuration file `/etc/foo/foo.xml', does not exist on system.
Installing new config file as you request.
root@quux:~#

[0] If the file didn't exist in the previously installed version, it is installed, so you get new configuration files.

I've spent the weekend playing around with the new Oracle XE Debian packages in preparation of having to use them at work in the near future. I've written up my experiences of setting the server and connecting remote clients in my latest article.

Talking of work, we have a position for a junior support role open. If you live in or around Brighton, England and know a little bit about Linux, Debian, Tomcat, Java, PostgreSQL and Oracle and willing to learn more, have a look at the job description and get in contact.

Having just mistakenly performed a large upgrade including powerdns, I'm wondering if there isn't something we can do to minimise the amount of time we stop a service between pre-inst and post-inst. Could we have something like a post-unpack maintainer script or a flag telling dpkg that the package contains a daemon and to minimise the time between the maintainer scripts where possible.

Yes I should read the list archives, but I'm about to go out. Must remember to check when I get back.

Edit:Adeodato Simó pointed out that in most cases daemons should just do a restart in the postinst, unless changing files on disk is a problem. Need to investigate if this is an issue for pdns-server and fix it.

Finally have irssi-0.8.10-rc6 packages out. Hopefully 0.8.10 will be out soon so I can upload it to debian without using nasty version numbers. The biggest change from the version in sid is that I've changed the package name to irssi and it should replace both irssi-text and irssi-snapshot. It also includes a devel package, so I'd appriciate if people could test upgrading and building irssi plugins. Email me any bugs you find.

deb http://www.davidpashley.com/debian/irssi ./

I have recently added a patch to irssi-text to fix #274201 (Displays incorrect Chinese characters on input bar). As I don't use Big5 myself, I can not properly test the patches. I would appriciate it if anyone that does use Big5 can install http://www.davidpashley.com/debian/irssi-text/irssi-text_0.8.9-6_i386.deb and let me know if it works for them.

Finally managed to get my ipv6 transport working and gain access to a IA64 box running Debian (well Ubuntu, but close enough) to debug the FTBFS on itanium (Thanks Thom). Turns out that the Ubuntu package didn't build either and after several aborted attempts to play around with the static specifier, I noticed that debian/rules special-cased not using -O2 on ia64. Removed that and it now compiles on both at least i386 and ia64. Hopefully my sponsor will build on powerpc and alpha for me too.

irssi-text (0.8.9-3) unstable; urgency=medium

  * Fix linker errors on IA64 by building with -O2 on that platform too.
  * Upload with medium urgency to get the previous fixes into sarge

 -- David Pashley <david@davidpashley.com>  Sat, 19 Mar 2005 17:43:07 +0000

I also spent an hour or two this morning tracking down a bug when using a turkish locale. It turned out that the perl plugin was taking the name of the different chat networks (e.g. IRC, SILC) and lowercasing all but the first character using g_strdown() to give the name of the perl module (Irssi::Silc). The problem was that g_strdown() uses the current locale to do the lowercasing and in turkish, the lower case of I is not i. A quick change to use the newer g_ascii_strdown() and irssi now starts in a turkish locale.

--- irssi-text-0.8.9.orig/src/perl/perl-common.c
+++ irssi-text-0.8.9/src/perl/perl-common.c
@@ -565,8 +565,8 @@
        chat_type = chat_protocol_lookup(rec->name);
        g_return_if_fail(chat_type >= 0);

-       name = g_strdup(rec->name);
-       g_strdown(name+1);
+       name = g_ascii_strdown(rec->name,-1);
+       *name = *(rec->name);

        /* window items: channel, query */
        type = module_get_uniq_id_str("WINDOW ITEM TYPE", "CHANNEL");

I have asked the submitter to check this bug and will upload once 0.8.9-3 is in sarge. I also need to send this patch upstream. In the meantime if you use a turkish locale, can you test out the package available at http://www.davidpashley.com/debian/irssi-text/

irssi-text (0.8.9-4) unstable; urgency=low

  * Correctly lower case chat protocols using g_ascii_strdown() rather than
    using the deprecated g_strdown() (Closes: #232628)

 -- David Pashley <david@davidpashley.com>  Wed, 23 Mar 2005 08:29:32 +0000

Finally got round to updating irssi-text packaging and fixing a few bugs that would be nice to get into sarge if I can. You can find a copy on my website. Currently in need of a sponsor, hint hint.

 irssi-text (0.8.9-2) unstable; urgency=medium
 .
   * Upload medium as it would be useful to get the irssi-common and perl fixes
     into sarge.
   * Conflict with irssi-common (Closes: #263320)
   * Update to Standards-Version 3.6.1
   * Update to building against libglib2.0
   * Fix the menu file quoting
   * Depend on autotools-dev and update config.{status,guess} automatically
     (Closes: #296989)
   * Recompile against libperl5.8 (5.8.4) (Closes: #248020, #224930, #247104)

Update:Steve McIntyre has sponsored an upload of i386, powerpc and alpha for me

I gave up reading the hot-babe thread shortly after it descended into discussing the crusades. To me, the whole discussion has failed to mention the more interesting question of whether the package is useful and if we want Debian to be full of silly pointless packages. I know traditionally if someone was willing to maintain a package and it was DFSG-free then it accepted into the archive. But now sarge doesn't even fit on a DVD anymore we have to start asking ourselves "Just how many media players/irc clients/load meters/menstrual calendars do we need in Debian?" Maybe it is time someone went through the archive, looking at the orphaned, unmaintained and trivial packages and ask "Do we really need this package?"

Last night I successfully managed to install Debian on my AlphaStation 255, after 5 attempts. d-i in sid is almost there. Had a couple of niggles. It seems that something broke the code to detect if the drive was using BSD disklabels. vorlon gave me points of where to look to fix it and 30 minutes later I had a fix. Hacking d-i in d-i is cool. Having stuff written in bash is very useful. Shame it doesn't have a full vim installation :). I need to check if the bug with the partitioner not detecting that you have /boot on a separate partition is still there.

The only other issue I had was that you need to leave a small space at the start of the drive for the bootloader. vorlon neglected to tell me this until I tripped over it (grrr :) ) but a quick repartition and a (not so) quick base install later and it was up and running.

I celebrated with a beer and some chocolate.