How to properly set contrast on Iiyama ProLite GE2488HS-B1

In the spirit of this Finnish IT retailer listing most returned products, for once, this is not really an howto. The easiest solution I found was to return it. The contrast and luminosity is impossible to set. It changes over reboot, it changes over operating system. And even set to get high contrast, black is never black, despite Iiyama claiming that “it is also possible to adjust the brightness and the dark shades with the Black Tuner, giving greater viewing performance in shadowed areas”. I replaced it with a SyncMaster S24D340H and had none of these problems.

Getting back suspend/resume with KDE 5’s powerdevil and no systemd by installing an obsolete version of upower

Using a package out of date since more 2 years ago does not sound like a success story but that is the only way so far I found to get suspend/resume to work without systemd within KDE5 without headaches. pm-suspend and pm-hibernate, on the command line, work perfectly though.

Why? Because Powerdevil, KDE’s power management tool, use upower which itself deprecated pm-utils support in favor of systemd.  So, no matter whether your hardware can actually suspend and hibernate, no matter if the kernel, GNU/Linux itself, can handle, upower won’t.

When calling upower -d, it should output something with can-suspend and can-hibernate. Since they dropped support for pm-utils, it won’t if you don’t use systemd . It’ll behave as if it knew what it was doing except it does not.

I filled a bug report and this one was discarded very fast. Martin Gräßlin immediately marked it as RESOLVED DOWNSTREAM with the comment “This works fine on Debian testing. Please get in contact with your distribution to figure out why this broke in your Debian fork. You might consider of course to install systemd”. You get the idea.  Thanks to Michael Palimaka, I got confirmation that it was tied to upower version (which I guessed beforehand because of several related messages by some Ubuntu or else users – hence the mention “with upower 0.99.3 and Devuan” in my report title) and he listed working solutions: using systemd; using ConsoleKit2; using upower <=0.9.23.

Using systemd to fix a problem caused by an attempt not to use systemd? Not an option. Using ConsoleKit2? Except I have no knowledge of ConsoleKit2 being packaged yet, neither do I know which release of upower actually got ConsoleKit2 support.

So I went for the third option, the lamest obviously, that is installing obsolete, unsupported software, and put in on hold. It can be done as follow:

echo "deb wheezy main" > /etc/apt/sources.list.d/oldstable.list
apt-get update
apt-get -t wheezy install libgnutls26 libgcrypt11 libtasn1-3 libusbmuxd1 libimobiledevice2 upower libupower-glib libplist1
echo "upower hold" | dpkg --set-selections

Then a call to upower -d gives:

 daemon-version: 0.9.17
 can-suspend: no
 can-hibernate no
 on-battery: no
 on-low-battery: no
 lid-is-closed: no
 lid-is-present: no
 is-docked: no

It is better but still no good. As root it’ll work, though. You need to add some PolicyKit rule to allow regular users to use it. The following assumes that powerdev group exists and that your regular users are in this group (if they are not, add them with adduser thisuser powerdev):

echo "[Suspend power group override]

[Hibernate power group override]
ResultActive=yes" > /etc/polkit-1/localauthority/50-local.d/power-group.suspend-override.pkla

Now, if done properly, upower -d returns:

 daemon-version: 0.9.17
 can-suspend: yes
 can-hibernate yes
 on-battery: no
 on-low-battery: no
 lid-is-closed: no
 lid-is-present: no
 is-docked: no

Logout and login should be enough to have back suspend and hibernate within KDE5.

So this works. For now. But there is no doubt, this is wrong in so many ways. I wonder for how long it will be possible to run a modern desktop environment on GNU/Linux, and not on systemd/whatever.


Preventing filenames with semicolon “:” to be garbled by Samba

In some cases, Samba garble file names, as backward compatibility with old Microsoft Windows system that cannot handle long filenames or filenames with specific characters. It would then be shown with the form XXXXX~X.ext

(If you don’t need backward compatibility with Microsoft Windows system from another era), you can switch off this mecanism:

In /etc/samba/smb.conf, in [Global], add:

mangle case = no
mangled names = no

Then simply restart Samba (invoke-rc.d samba restart).

Using GnuPG/PGP on multiple devices

I started using GnuPG in 2002. I dont usually do stuff that requires heavy privacy so I dont care much for it. From time to time, I just encrypt some useless crap so if anyday I had serious stuff to encrypt it would not look obviously suspicious.

Things is most of the people I communicate with are not using GnuPG and are probably not about to.

There is also an obvious issue with GnuPG is how to share key among computers/clients. How to decrypt messages with your phone or webmail? Copy the private key everywhere? It might just be worse than having no security at all.

I dont use GnuPG much, especially since I created my key in 2002 and don’t even know how secure this key is still now. I need it nonetheless to sign stuff like packages. Confronted to the problem of having to copy the key by hand on one more laptop,  I considered dropping my current set  and, inspired by this example of  primary key/subkeys model and debian’s one, to have a primary key secure somewhere and give a short-lived subkey per device.

But, it fixes not much of GnuPG problems, and implies lot of annoying not automated work, not satisfying. And anyway, if en/decrypt can only work for one subkey. So one subkey per device is not really working.

To make the process less painy, on a box being made from time to time available over network, I did as follow:

I created a primary key running gpg --expert --gen-key (cannot sign, cannot encrypt) with 4y expiry. (more entropy with rngd -r /dev/urandom).

I added with adduid and trust save the relevant additional addresses running gpg --expert --edit-key myemail

I created a sign and a encrypt subkey with no expiry (considering that they ll be revoked on the fly from the primary whenever it make sense).

I made up that prompt for the hostname of the box hosting the keyring, will import the ring and remove the primary key from it, leaving just the necessary keys to sign and encrypt.

This script could probably be used in a chain (box secured from the net -> script run on gate server -> script run on a end client). It requires further testing.


Managing an SSH public keys ring with git

Using ssh-updatekeys, you can set up and maintain ~/.ssh/authorized_keys with specific sets on the fly.

You just have  to put your public keys on a public git repository. The script will fetch the keys, either by git + SSH (for write access) or just git + https (for read access).

It can handle different sets of keys (for instance you may want to differenciate keys with or without passphrares). In the git repository, any directory with a name starting by set (set0, setA, setTest, etc) will be treated as a set.

( is part of my -utils package).

Update : you can now grab it with the command

wget -O

Importing CardDav (ownCloud) contacts into (SquirrelMail) .abook

I’m still using SquirrelMail, even though it looks a bit old. It’s robust and just works – and when I’m using a webmail, that’s mandatory.

SquirrelMail does not use CardDav but some sort of .abook format (that I hope is the same abook as mutt).

I just wrote, a wrapper that requires an ~/.carddav2abookrc with the following:

carddav = https://HOST/remote.php/carddav/addressbooks/USER/contacts_shared_by_USER?export
user = USER
password = PASSWORD
abook = /var/lib/squirrelmail/data/USER.abook
wget_args = --no-check-certificate


As you notice, I’m using a specific export account that has been given only read access to this file. Otherwise the CardDav url would not include the _shared_by_USER part.

I configured it to directly write .abook in SquirrelMail data directly. Obviously, it means you need to adjust read write access for the relevant user (or use www-data, but I would not recommend to store password in an rcfile given to this user).

Once it works, just put up a cronjob (with 2>/dev/null since the perl vCard module tends to print some garbage).

( is part of my -utils-webmail package).