Archive for December, 2006

Why Debian rocks!

Monday, December 18th, 2006

Admittedly, this is just one reason that Debian is awesome.

Debian is awesome because the Debian package maintainers do MOST of the work for you! For very many packages there are “best practices”, and configurations that result from following them. In most cases, that’s exactly how the Debian package is configured at install time.

Case in point: I wanted to have Tripwire on my home network gateway machine, but I also wanted it to be Free Software, which Tripwire is not. Enter AIDE, a Free Tripwire replacement. Diligent sysadmin that I am, I carefully read through The AIDE Manual and prepared for hours of tedious configuration and testing. But lo and behold, I merely typed `apt-get install aide` and then `zless /usr/share/doc/aide/README.Debian.gz` and it turns out that everything is already configured! I only had to check where the reports went, which was listed in /etc/default/aide as “MAILTO=root”, so I changed the root e-mail in /etc/aliases to point to mine. Done!
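Added example (not from the original post): a shell check that reads `MAILTO` from `/etc/default/aide` and follows it through `/etc/aliases` to show where the AIDE reports actually end up. The function names and sample file contents are constructed for illustration; only the two file paths and `MAILTO=root` come from the post, and a multi-target alias is printed as-is rather than expanded.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are illustrative.

# Print the MAILTO value from an /etc/default/aide style file.
aide_mailto() {
    # The last uncommented assignment wins, as it would when sh sources the file.
    sed -n 's/^[[:space:]]*MAILTO=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Follow a recipient through an aliases(5) style file until it stops mapping.
resolve_alias() {
    name=$1 aliases=$2 hops=0
    while [ "$hops" -lt 10 ]; do            # hop limit guards against alias loops
        next=$(awk -F: -v n="$name" '
            /^[ \t]*#/ { next }
            { key = $1; gsub(/[ \t]/, "", key) }
            tolower(key) == tolower(n) {
                sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
            }' "$aliases")
        [ -z "$next" ] && break             # no alias entry: final destination
        name=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

# Combine both steps; paths default to the ones named in the post.
aide_report_destination() {
    defaults=${1:-/etc/default/aide}
    rcpt=$(aide_mailto "$defaults")
    [ -n "$rcpt" ] || { echo "no MAILTO set in $defaults" >&2; return 1; }
    resolve_alias "$rcpt" "${2:-/etc/aliases}"
}

# Constructed sample files standing in for the real ones.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'MAILTO=root' > "$demo/aide"
printf '%s\n' 'postmaster: root' 'root: admin' 'admin: me@example.org' > "$demo/aliases"
aide_report_destination "$demo/aide" "$demo/aliases"    # prints me@example.org
```

A result with no `@` in it means the reports stay in a local mailbox on the monitored machine.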

Linux Consultants, Part II

Sunday, December 17th, 2006

About a year ago, I wrote a blog entry about connecting people who know FLOSS and people who need help. I called it Linux Consultants Unite! : Part I. Today, I stumbled across a site that tries to do just that: http://www.findopensourcesupport.com/

They allow individuals to register for free, but charge companies $100/year to be in their support database. This seems like a very reasonable business model, as it should cover the cost of running such a website, and maybe even turn a profit.

GMail and GPG

Sunday, December 17th, 2006

I have heard a few people complain that GMail doesn’t support GPG. Perhaps those people haven’t thought about that issue for very long. I believe that GMail is an excellent way to deal with your e-mail. However, I also firmly believe that GMail will never offer PGP/GPG support. I mentioned this in a previous post, but I wanted to expand on it here.

First of all, there are the technical reasons. You can’t have your webmail encrypt/decrypt your mail for you if it doesn’t have the keys, and storing your private keys on the GMail servers and then typing in your passphrase when sending mail is hardly a way to guarantee privacy. It’s not even “pretty good” privacy.

One great thing about webmail is that you can access it very easily from any computer. While having the webmail system store your keys is OK as long as it’s *your* webmail system (running on a server you own and control), typing in your passphrase at a random web kiosk to send an encrypted mail is probably not a good idea. If you’re paranoid enough to use GPG to encrypt your mail, you certainly wouldn’t use an untrusted machine to do so.

Secondly, encrypted mail goes against the GMail business plan. If you recall, GMail reads your mail and presents ads with matching content. If your mail were encrypted, GMail wouldn’t be able to do that. End of story. Thus GMail will *never* support encryption.

Thirdly, the biggest feature of GMail (the searching) would be nullified if your e-mails are encrypted. How is it supposed to search through your mails if it can’t read them?

“But,” you might object, “it would be nice to be able to just sign my mails, not necessarily encrypt them.” The technical objections still stand. The signatures work in a similar way to encryption, and GMail would need your key and passphrase to sign things. The other objection is that the purpose of the signature is to verify that the e-mail indeed came from you. If your key is already stored on the GMail server, then someone who gains access to your GMail account (say, using a key logger to get your password) can get your passphrase in the same exact way. This, to me, means that in this case the GPG signature is hardly worth more than the fact that the mail was sent from your GMail account (which can be verified through the mail headers).

Still using SSH passwords?

Friday, December 8th, 2006

You should definitely use public key access instead. Even better, you can configure ssh agent forwarding and only have to type one passphrase per day! Here’s an excellent short tutorial: An Illustrated Guide To SSH Agent Forwarding, and here’s a short howto about generating keys: HOWTO: set up ssh keys.

Xen on Etch links

Saturday, December 2nd, 2006

Here are two links to some Debian/Xen documentation. My installation notes are probably newer than these pages, but I’m too lazy at the moment to make an account on the Debian wiki and update them:

Xen - Debian Wiki
DebianInstaller/Xen - Debian Wiki