Legal situation: What is allowed in the farmers' protest?
Farmers are protesting nationwide against the government's planned measures, blocking motorways and other roads. What is allowed? Where does the right to demonstrate end? And how does this differ from the "climate gluers" ("Klimakleber")? By K. Schwartz.
Traffic-light coalition withdraws cuts: What happens next with the subsidies?
In the dispute over agricultural subsidies, the federal government's concessions do not go far enough for German farmers. But what has the traffic-light coalition actually decided? By Dietrich Karl Mäurer.
I’ve been getting annoyed with Raspberry Pi OS (Raspbian) for years now. It’s a fork of Debian, but manages to omit some of the most useful things. So I’ve decided to migrate all of my Pis to run pure Debian. These are my reasons:
Raspberry Pi OS has, for years now, specified that there is no upgrade path. That is, to get to a newer major release, it’s a reinstall. While I have sometimes worked around this, for a device that is frequently installed in hard-to-reach locations, this is even more important than usual. It’s common for me to upgrade machines for a decade or more across Debian releases and there’s no reason that it should be so much more difficult with Raspbian.
As I noted in Consider Security First, the security situation for Raspberry Pi OS isn’t as good as it is with Debian.
Raspbian lags behind Debian – often times by 6 months or more for major releases, and days or weeks for bug fixes and security patches.
Raspbian uses a custom kernel without initramfs support
It turns out it is actually possible to do an in-place migration from Raspberry Pi OS bullseye to Debian bookworm. Here I will describe how. Even if you don’t have a Raspberry Pi, this might still be instructive on how Raspbian and Debian packages work.
WARNINGS
Before continuing, back up your system. This process isn’t for the neophyte and it is entirely possible to mess up your boot device to the point that you have to do a fresh install to get your Pi to boot. This isn’t a supported process at all.
Architecture Confusion
Debian has three ARM-based architectures:
armel, for the lowest-end 32-bit ARM devices without hardware floating point support
armhf, for the higher-end 32-bit ARM devices with hardware float (hence “hf”)
arm64, for 64-bit ARM devices (which all have hardware float)
Although the Raspberry Pi 0 and 1 do support hardware float, they lack support for other CPU features that Debian’s armhf architecture assumes. Therefore, the Raspberry Pi 0 and 1 could only run Debian’s armel architecture.
Raspberry Pi 3 and above are capable of running 64-bit, and can run both armhf and arm64.
Prior to the release of the Raspberry Pi 5 / Raspbian bookworm, Raspbian only shipped the armhf architecture. Well, it was an architecture they called armhf, but it was different from Debian’s armhf in that everything was recompiled to work with the more limited set of features on the earlier Raspberry Pi boards. It was really somewhere between Debian’s armel and armhf archs. You could run Debian armel on those, but it would run more slowly, due to doing floating point calculations without hardware support. Debian’s raspi FAQ goes into this a bit.
What I am going to describe here is going from Raspbian armhf to Debian armhf with a 64-bit kernel. Therefore, it will only work with Raspberry Pi 3 and above. It may theoretically be possible to take a Raspberry Pi 2 to Debian armhf with a 32-bit kernel, but I haven’t tried this and it may be more difficult. I have seen conflicting information on whether armhf really works on a Pi 2. (If you do try it on a Pi 2, ignore everything about arm64 and 64-bit kernels below, and just go with the linux-image-armmp-lpae kernel per the ARMMP page)
There is another wrinkle: Debian doesn’t support running 32-bit ARM kernels on 64-bit ARM CPUs, though it does support running a 32-bit userland on them. So we will wind up with a system with kernel packages from arm64 and everything else from armhf. This is a perfectly valid configuration as the arm64 – like x86_64 – is multiarch (that is, the CPU can natively execute both the 32-bit and 64-bit instructions).
(It is theoretically possible to crossgrade a system from 32-bit to 64-bit userland, but that felt like a rather heavy lift for dubious benefit on a Pi; nevertheless, if you want to make this process even more complicated, refer to the CrossGrading page.)
Prerequisites and Limitations
In addition to the need for a Raspberry Pi 3 or above in order for this to work, there are a few other things to mention.
If you are using the GPIO features of the Pi, I don’t know if those work with Debian.
I think Raspberry Pi OS modified the desktop environment more than other components. All of my Pis are headless, so I don’t know if this process will work if you use a desktop environment.
I am assuming you are booting from a MicroSD card as is typical in the Raspberry Pi world. The Pi’s firmware looks for a FAT partition (MBR type 0x0c) and looks within it for boot information. Depending on how long ago you first installed an OS on your Pi, your /boot may be too small for Debian. Use df -h /boot to see how big it is. I recommend 200MB at minimum. If your /boot is smaller than that, stop now (or use some other system to shrink your root filesystem and rearrange your partitions; I’ve done this, but it’s outside the scope of this article.)
You need to have stable power. Once you begin this process, your pi will mostly be left in a non-bootable state until you finish. (You… did make a backup, right?)
Basic idea
The basic idea here is that since bookworm has almost entirely newer packages than bullseye, we can “just” switch over to it and let the Debian packages replace the Raspbian ones as they are upgraded. Well, it’s not quite that easy, but that’s the main idea.
Preparation
First, make a backup. Even an image of your MicroSD card might be nice. OK, I think I’ve said that enough now.
It would be a good idea to have a HDMI cable (with the appropriate size of connector for your particular Pi board) and a HDMI display handy so you can troubleshoot any bootup issues with a console.
Preparation: access
The Raspberry Pi OS by default sets up a user named pi that can use sudo to gain root without a password. I think this is an insecure practice, but assuming you haven’t changed it, you will need to ensure it still works once you move to Debian. Raspberry Pi OS had a patch in their sudo package to enable it, and that will be removed when Debian’s sudo package is installed. So, put this in /etc/sudoers.d/010_picompat:
Also, there may be no password set for the root account. It would be a good idea to set one; it makes it easier to log in at the console. Use the passwd command as root to do so.
Preparation: bluetooth
Debian doesn’t correctly identify the Bluetooth hardware address. You can save it off to a file by running hcitool dev > /root/bluetooth-from-raspbian.txt. I don’t use Bluetooth, but this should let you develop a script to bring it up properly.
From here on, we are making modifications to the system that can leave it in a non-bootable state.
Examine /etc/apt/sources.list and all the files in /etc/apt/sources.list.d. Most likely you will want to delete or comment out all lines in all files there. Replace them with something like:
deb http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
deb https://deb.debian.org/debian bookworm-backports main non-free-firmware contrib non-free
(you might leave off contrib and non-free depending on your needs)
Now, we’re going to tell it that we’ll support arm64 packages:
If there are any errors from that command, fix them and don’t proceed until you have a clean run of apt-get update.
Moving /boot to /boot/firmware
The boot FAT partition I mentioned above is mounted at /boot by Raspberry Pi OS, but Debian’s scripts assume it will be at /boot/firmware. We need to fix this. First:
This mounts the filesystem at the new location, and moves all its contents back to where apt believes it should be. Debian’s packages will populate /boot/firmware later.
Installing the first packages
Now we start by installing the first of the needed packages. Eventually we will wind up with roughly the same set Debian uses.
If you get errors relating to firmware-brcm80211 from any commands, run that install firmware-brcm80211 command and then proceed. There are a few packages that Raspbian marked as newer than the version in bookworm (whether or not they really are), and that’s one of them.
Configuring the bootloader
We need to configure a few things in /etc/default/raspi-firmware before proceeding. Edit that file.
This is necessary because the microSD card device name often changes from /dev/mmcblk0 to /dev/mmcblk1 when switching to Debian’s kernel. raspi-firmware will encode the current device name in /boot/firmware/cmdline.txt by default, which will be wrong once you boot into Debian’s kernel. The PARTUUID approach lets it work regardless of the device name.
If it gives an error about the installed version of a package, you may need to force it to the bookworm version. For me, this often happened with firmware-atheros, firmware-libertas, and firmware-realtek.
Here’s how to resolve it, with firmware-realtek as an example:
apt list '?narrow(?installed, ?not(?origin(Debian)))'
Deal with them; mostly you will need to force the installation of a bookworm version using the procedure in the section Resolving firmware package version issues above (even if it’s not for a firmware package). For non-firmware packages, you might possibly want to add --mark-auto to your apt-get install command line to allow the package to be autoremoved later if the things depending on it go away.
If you aren’t going to use Bluetooth, I recommend apt-get --purge remove bluez as well. Sometimes it can hang at boot if you don’t fix it up as described above.
Set up networking
We’ll be switching to the Debian method of networking, so we’ll create some files in /etc/network/interfaces.d. First, eth0 should look like this:
Raspbian is inconsistent about using eth0/wlan0 or renamed interface. Run ifconfig or ip addr. If you see a long-named interface such as enx<something> or wlp<something>, copy the eth0 file to the one named after the enx interface, or the wlan0 file to the one named after the wlp interface, and edit the internal references to eth0/wlan0 in this new file to name the long interface name.
If using wifi, verify that your SSIDs and passwords are in /etc/wpa_supplicant/wpa_supplicant.conf. It should have lines like:
To set up the LEDs to trigger on MicroSD activity as they did with Raspbian, follow the Debian instructions. Run apt-get install sysfsutils. Then put this in a file at /etc/sysfs.d/local-raspi-leds.conf:
To make sure all the /boot/firmware files are updated, run update-initramfs -u. Verify that root in /boot/firmware/cmdline.txt references the PARTUUID as appropriate. Verify that /boot/firmware/config.txt contains the lines arm_64bit=1 and upstream_kernel=1. If not, go back to the section on modifying /etc/default/raspi-firmware and fix it up.
The moment arrives
Cross your fingers and try rebooting into your Debian system:
For some reason, I found that the first boot into Debian seems to hang for 30-60 seconds during bootstrap. I’m not sure why; don’t panic if that happens. It may be necessary to power cycle the Pi for this boot.
Troubleshooting
If things don’t work out, hook up the Pi to a HDMI display and see what’s up. If I anticipated a particular problem, I would have documented it here (a lot of the things I documented here are because I ran into them!) So I can’t give specific advice other than to watch boot messages on the console. If you don’t even get kernel messages going, then there is some problem with your partition table or /boot/firmware FAT partition. Otherwise, you’ve at least got the kernel going and can troubleshoot like usual from there.
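The pre-reboot checks from the post above (root referenced by PARTUUID in /boot/firmware/cmdline.txt, and arm_64bit=1 plus upstream_kernel=1 in /boot/firmware/config.txt), written as a script. This is an added example, not part of the original post; the function name check_boot_firmware and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): pre-reboot check of the
# firmware partition, covering what the post says to verify by hand.
# Usage: check_boot_firmware [DIR]   (DIR defaults to /boot/firmware)
# Prints one line per problem; return status = number of problems.

check_boot_firmware() {
    fw_dir=${1:-/boot/firmware}
    fw_problems=0
    fw_cmdline="$fw_dir/cmdline.txt"
    fw_config="$fw_dir/config.txt"

    if [ ! -r "$fw_cmdline" ]; then
        echo "missing: $fw_cmdline"
        fw_problems=$((fw_problems + 1))
    else
        # cmdline.txt holds whitespace-separated kernel arguments;
        # split them one per line and take the last root= occurrence.
        fw_root=$(tr -s ' \t' '\n\n' < "$fw_cmdline" | grep '^root=' | tail -n 1)
        case $fw_root in
            root=PARTUUID=?*) ;;
            '') echo "cmdline.txt: no root= argument"
                fw_problems=$((fw_problems + 1)) ;;
            *)  echo "cmdline.txt: $fw_root is not a PARTUUID reference"
                fw_problems=$((fw_problems + 1)) ;;
        esac
    fi

    if [ ! -r "$fw_config" ]; then
        echo "missing: $fw_config"
        fw_problems=$((fw_problems + 1))
    else
        for fw_setting in arm_64bit=1 upstream_kernel=1; do
            # Drop blanks and CRs, then require an exact, uncommented line.
            if ! tr -d ' \t\r' < "$fw_config" | grep -qxF "$fw_setting"; then
                echo "config.txt: $fw_setting is not set"
                fw_problems=$((fw_problems + 1))
            fi
        done
    fi
    return "$fw_problems"
}

# Demo on constructed files (a temp dir, not the real /boot/firmware).
demo_dir=$(mktemp -d)
printf 'console=tty0 root=/dev/mmcblk0p2 rw rootwait\n' > "$demo_dir/cmdline.txt"
printf 'arm_64bit=1\n#upstream_kernel=1\n' > "$demo_dir/config.txt"
check_boot_firmware "$demo_dir" || echo "problems found: $?"
rm -rf "$demo_dir"
```

A non-zero status means the firmware partition does not yet match what the post requires before rebooting.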
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.
As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.
PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.
Yubikey and OnlyKey are the only hardware keys that work with keepassxc. So if that’s a requirement for you, then those are your only options. This is true for me as well.
They cover this in their docs and faq page: keepassxc.org/docs/#faq-yubikey-2fa. OnlyKey is an unknown to me while I’ve heard of Yubikey for years.
Which regions are particularly affected by the flooding
In the flood areas, concern about rising water levels persists. The German Weather Service (Deutscher Wetterdienst) is forecasting continuous rain until Thursday. Which regions are particularly affected, and why is it raining so much? An overview.
Why does it surprise me that the owners of woke instances don’t understand this shit.
Wow, just wow. I’m pretty sure you must know this, but since you seem to have some sort of selective amnesia, let me break it down for your stupid ass. Lemmy follows the semantic versioning, meaning that 0.19.1 can be seen as:
0: the major version
19: the minor version
1: the patch version
Why are you fuckers so keen on updating to 0.19 so quickly anyway?
Lemmy is still in the major version 0, and not 1. Meaning that it is still in alpha, and hasn’t reached the stable version 1.x.y. Go and read the SemVer FAQ first.
Every user on this platform is an early adopter, and consists of developers and geeks. Also, the Lemmy devs run lemmy.ml.
My instance hasn’t and they probably won’t for a long time.
And? What are we supposed to do with this information?
Your comment adds no value to a productive discussion. Shush away.
What is changing for electricity and gas prices in 2024?
Whether households will have to pay more or less for electricity and gas in 2024 depends on many factors. Some price components are becoming more expensive, but there are also price reductions. Is it worth looking into switching providers? An overview.
The postal service is to be allowed to deliver letters more slowly in future. The traffic-light coalition parties have agreed on changes to the Postal Act (Postgesetz), and the cabinet has approved the plans. What else is changing for consumers?
Stricter rules and procedures: What the EU asylum reform means
The EU has agreed on a tightening of asylum law. What is it about? And what exactly is planned at Europe's external borders? Answers to important questions.
GDL strike ballot: What should rail passengers expect?
The GDL announces today whether the members of the train drivers' union are in favour of open-ended strikes on the railway. Will strikes then resume immediately, and what should rail passengers be prepared for? Answers to important questions.
Houthi attacks in the Red Sea: A danger - not only for world trade
Houthi rebels are attacking ships in the Red Sea more and more often - one of the most important trade routes in the world. What are the consequences for global markets? How is international politics reacting? And what do the rebels actually want? An overview.
Threads, the short-message service from Instagram's parent company Meta, launched in the EU today - after some delay. But how does Threads work? And does Elon Musk now have to worry about X? By Angela Göpfert.
@thunderbird I just wanted to donate, but cancelled once I had to give my address! WTF I've used tb from day one and I'm more than willing to donate, but why in heavens name am I required to give all this personal info?
Deutsche Bahn's new timetable applies from today. On which routes more trains are running, where there are more frequent night connections, and which regions are particularly affected by construction work. By Till Bücker.
Domestic intelligence service (Verfassungsschutz): "Confirmed extremist" - what follows from that?
After the AfD state associations in Thuringia and Saxony-Anhalt, the AfD Saxony is now also classified as "confirmed right-wing extremist". What does the classification by the Verfassungsschutz mean, and what legal consequences does it have?
Which state subsidies still exist - and which do not
Because of the budget crisis, there is great uncertainty about what state funding is available. Loans for building and housing have been stopped, as have grants for heating networks. Much has not yet been decided. An overview by Till Bücker.
New rule: How sick notes by telephone work
During the coronavirus pandemic, patients could get a sick note from their doctor by telephone. Now the rule is to be introduced permanently. What conditions apply? An overview.
Budget debate: Stopping the Bürgergeld increase - is that actually possible?
To plug the multi-billion hole in the budget, politicians from the CDU and FDP are calling for the increase in Bürgergeld for 2024 to be stopped. Is that so easy, and how is Bürgergeld made up? An overview.
Wow, the comments on my article on #Passkeys in the German #iX/#heise have shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
@ljrk hmm… the FIDO Passkey FAQs state that non-discoverable creds can’t be passkeys. Passkeys are by definition discoverable. (I wish this wasn’t true, but multiple people have pointed this out to me). https://fidoalliance.org/passkeys/#faq
#WeltAidsTag
The discovery of the HI virus 40 years ago changed the world. According to the WHO, an estimated 39.0 million people worldwide were living with #HIV at the end of 2022.
Signa collapse: Why things could get tight for Galeria after Christmas
Following the insolvency of the Signa group, a sale of the department store chain Galeria Karstadt Kaufhof is under discussion. Is a sale realistic at all? Who could be interested in the stores? By Angela Göpfert.
Extended ceasefire in the Middle East - hoping for further releases
With the extended ceasefire, hope is growing that more hostages will be freed. How many people are still being held by the militant Islamist Hamas? And to what extent does the terrorist group benefit from the ceasefire?
Israel and Hamas: How the ceasefire in Gaza is supposed to proceed
The long-awaited ceasefire came into force in the Gaza Strip this morning. Under the agreement, the first hostages are to be released today - in return, Israel is releasing Palestinian prisoners. What are the next steps?
Work-around for the federation bug found in 0.19.0 and 0.19.1
I’ve found the following work-around works pretty well. If you host an instance that’s currently on 0.19.0 or 0.19.1, consider implementing this....