 nifia pa öng extentia— entāijia woldar i dinaik� leirio termuala ka m Pretty isn't the wrong sadaq te אז non pane i n'a pondano kola tawaks. We've got tawks on to our afternoon tea. There is a slot which is currently empty because I miscalculated. And we're looking at doing lightning tawks in the afternoon. That might get brought forward straight after afternoon tea. If no one jumps up and down and says, I would actually like to talk about something, or two people want to talk about something. So, yeah, please let me know if you've got a burning desire that you want to give a serious talk about something that you can do and prompt you, or have prepared slides. Yeah, that would be awesome. So, to start off with, I'd like to welcome up Francois-Marie. I'll talk about supporting DB machines with friends and family. He's been a—how long have you been a DB developer for? Ten years as a DD. Soon he helped me become more involved with DB and he has metled a lot of people over the years about how to get involved with DB and how to package your favourite app and all sorts of areas like that. So, thank you, Francois. Let's jump over to you. All right. I shouldn't be on mute. All right. So, what I want to talk about today is basically how do you make free software enjoyable for friends and family, right? If you have ever installed Debian or Ubuntu or whatever for friends and family, you may want to make sure that they have a good experience, right, so that they can enjoy the benefits of free software. But the thing is, you're probably not—if you're doing that for your friends and family, you probably don't want to end up being a full-time sysadmin for them, right? You don't want to spend all of your free time doing that support. So, how do you strike that balance? That's what I want to talk about today. So, I'm going to talk about a few things. So, in comments about hardware, package updates, because that's important to do once in a while, monitoring, safety, security, remote access, and also backups. So, throughout my talk, I'm going to be referring to one specific example of a person whose computer is I maintain. My clicker doesn't work anymore. There we go. It's my dad. My dad lives in Canada, and those who don't know, that's so there. But the important part is that the link, or the shortest path between New Zealand and Canada, is actually quite long. So, there's quite a bit of latency there, and that is going to be important later on. His computer is renamed after Icelandic cities. So, Keplavik, which is basically a computer that sits on top of the cabinet there. It does Mith TV. It does, it's also, this clicker is really bad. It also does asterisk. So, there's a voice-over at the phone, and this Keplavik has an asterisk server on it. Another computer is called Akureri, and it's basically a normal sort of desktop computer, which happens to be running Ubuntu. In terms of hardware, I want to make a couple of comments. The first one is that whenever I support someone's machine, I make a few suggestions for actually requirements, and the first one is I'm not going to support your machine if it doesn't have double the number of hard drives that it needs. So, I want to set it up as RAID 1. So, if you want one 300 gig hard drive, you're going to have to buy two, because I set them up with RAID 1 so that they're married, and if one of them dies, doesn't matter. You can swap it, and I can access it into your box and re-sync the drives. Now, it turns out that that has been incredibly useful for my dad's computer. I've had to replace a very large number of Seagate hard drives. A little hint here, don't buy Seagate, but if you do buy Seagate or end up with some crappy Seagate drives in there, make sure they're married. That has saved a lot of time, because you don't want to spend all your time reinstalling the box from scratch when a hard drive dies. So, very, very useful, and it's not that expensive anyway. The other thing that I do, it's a little bit dirty, but it's behind the cupboard. That's why there's a little bit of stuff there, but it's a UPS. So, that's another thing that doesn't cost that much money, but it's really, really convenient, because you don't have to deal with little power glitches and the server rebooting in the middle of sinking of hard drives or whatever. The cool thing is that you can plug in the router, the cable motor, and the main computer, not the monitor, and then you can just SSH into it, and you can see on your console, oh, the power's been cut, but you're still SSH-ing in there, and you can shut things down properly. So, quite useful, I highly recommend it. It turns out that a lot of people have bad power. This UPS actually kicks in quite often for five seconds. I'm not sure why, but sometimes it has to do with the fridge or the washing machine kicking in. It's kind of weird, but again, I think it's worth it to do this. The other thing I do is when I set up a new computer, right from the start, I'm going to run memtest86 on it. That checks whether or not the memory is any good to the RAM, and if it's not, just abort. Basically, replace the RAM. If you don't have good RAM, everything is going to blow up, and there will be random errors, and it's just not worth any of your time. So do that before you set up a computer. The other thing is useful for checking the hard drives for bad blocks, but the RAM is probably the most important there. In terms of package updates, there's a couple of things that you can do. I use two different packages. The first one is apicron. The other one is called unattended upgrades. So unattended upgrades does what it says on the tin. Basically, it runs ad get update, ad get upgrade, and upgrades everything automatically for you. By default, it only does that for security updates, not for stable updates. Apicron is a different one. What that one does is that it will not apply updates for you, but it will actually send you an email every time there's package updates that are outstanding. So if you do them, then you're not going to get emails, but if you get an email about it, then you can log into the machine, do it, and then the next day, you're not going to get an email. If you slack and you're not doing it, then you'll get emails every day until you actually do the updates. The reason why I use both of those is that for some machines, I don't actually want to have unattended upgrades, like the myth TV machine. I don't want that to be automatically updated in case something blows up in myth TV and then later there's a bunch of recordings. So I do those manually, and I use Apicron for that, but for other machines, I just unattended updates, and if something blows up, then I'll deal with it later. Other things that are kind of useful in this sort of package updates area, Deb Orphan and Deb Troster, this is basically about finding out the stuff that's no longer needed on your system. So packages that you may have installed as dependencies of other ones or things that you install and you no longer using, so they will help you find those packages. Sometimes these packages, they're obsolete, have been removed from Debian, and therefore are no longer security supported, for example, and you may not notice. So it's kind of good to run these things, to clean up. You can save some disk space, but that's not the main point there. I think it's more about making sure that you don't have stuff that's not needed anymore or not supported. Along those lines is a new package. I think this got added maybe in squeeze LTS or Weezy, I'm not too sure. This is really cool. What this does when you install this, it will warn you if you have, I think it's at up-get time, if you have any packages that are out of support, out of security support for Debian, because normally Debian supports everything for security, but with squeeze LTS, now we have basically a set of packages that are no longer supported because it's really hard to support random PHP applications for five or seven years. So this package will actually tell you if you have anything installed that's no longer supported. So I think on the Weezy system, Jesse probably doesn't do much unless the sometimes actually things are removed from stable as well for various reasons, so that could potentially warn you about this. In terms of monitoring, I've got a couple of things that I do. Log check is kind of the main one that I use, and this is basically a tool that you use to, so there's a lot of log files on a typical Debian system, right? And it's really hard to, they're really noisy, it's really hard to find the stuff that really matters if you look at all of your logs, so the natural thing to do is to just not look at the logs until you have a problem, then you go into the logs and you can see, oh that's probably what the problem was. Now that's not a very proactive kind of way of using log files, so log check is slightly different, it allows you to find this sort of needle in a haystack by, it looks at all of the important log files, and then it has rules of stuff to ignore, so basically you ignore all the normal stuff, all the normal noise that log files produce, and you only get an email about the stuff that doesn't match any of those rules, so basically unusual stuff, unexpected messages, so log check is used with stuff like that. It's a little bit high maintenance because when you set it up, you have a whole lot of new rules that you need to add to ignore the stuff that you don't care about, but once it's set up it's really nice, you only get an email from those machines that you support when something bad happens or something weird, and that can tell you, for example, sometimes you have drive controller errors, like read errors from hard drives, things like that with CPU errors, all kinds of weird hardware stuff that happens, you'll often see that in logs. So smart run tools is really nice, this is one that, this is a package that uses something that's built into drive controllers, so a lot of ATA hard drives and SCSI hard drives and stuff, in fact I think all of them come with this thing called smart, which it watches, so it's on the drive control itself and it watches a whole bunch of things that tell you about the health of the hard drive. It watches temperature, it watches the number of relocated sectors when you have bad sectors and they get moved around on the drive, and a couple of other things like this. Really good thing to do to use because then you get advanced warning when something is likely to fail, and it can also run a self-test, so the drive will actually test itself, like look, reading every sector of the drive, and that's an online test, you can do other stuff while this is happening, although it slows down your system quite a bit, and if that ever fails, it takes about two hours to run this, so you can run it once, I think I've got that set to run once a week, and if that actually fails, that's a really bad sign, so you might want to replace that drive, but because you have this computer set up with RAID 1, then it doesn't matter that much, you can take the drive out, order the new one, and then think again. MC log is slightly less useful because it doesn't catch as many things, but this is basically about CPU errors, so normally what you would see in your logs is something like MC error, and that's it, in like Syslog or something like that, or maybe it's a kernel log, I'm not sure, and that stands for machine check exception. It's not particularly useful because that's all it says in the logs. If you install MC log, then that actually queries the CPU to find out more information about what it is that the CPU has encountered, what sort of error it has encountered. Now that's not necessarily useful for you reading the error message, but it might be useful to actually search for it and figure out whether that might be a microcode error or whatever, so it gives you a little bit more debugging output. LM sensors, that's an interesting one, it will talk to all of the various sensors on your motor board in CPU, so you get like temperature readings, RPM readings for fans, so for example if you have a fan that normally goes at 1,200 rpm and all of a sudden it goes at like 50, that's probably dying and might be time to replace it. If it's a CPU fan you probably want to do that quickly because you're going to see other, you might see the temperature rising in other things. This is, unfortunately that package only works if you have a supported motor board, like it's actually, I'm lucky because I have one of those motor boards that support it so that it's pretty easy and nice, otherwise it's a lot of fiddling and you have to configure a bunch of stuff manually, so if it's too much work just, you know, I don't do it, but when you can actually set it up it can be quite useful. SISTAP is another tool I use that's quite nice, so this is basically something you need to install ahead of time and it will, every, I think it's every 10 minutes, every 10 minutes, it will take a snapshot of various things on your computer, so like how much the swap values use, how much memory is used, the percentage of idleness in the CPU, those kinds of things. So if you, if the person whose computer you're supporting tells you, oh our computer is a bit slow and you know, I don't know what's going on, sometimes if you train that person to, like I did with my dad, I train him to always write down the time when something like that happens, because if he complains to me like, oh my computer is still sometimes, it's not particularly actionable, but if he tells me it was slow, adaptive to the time, then I can look and SISTAP and sometimes I can see, oh well I was running out of memory and it was swapping like crazy, that's why, so you know, you can sort of debug things a little bit better if you have that installed and set to collect this information every 10 minutes. In terms of safety, there's a couple of packages that I found quite useful. Molyguard is really interesting, so Molyguard is about preventing accidental reboots of the wrong server, so for example you might be SSH'd into another computer and then you upgrade your own laptop and it's time to reboot to take in the new kernel updates and you type reboot, enter and you realize that you're actually rebooting this other server that was recording, you know, Viomit TV or something like that. What Molyguard does is that when you type reboot, it prompts you for the name of the box that you want to reboot, so if you type it in the wrong SSH or in the wrong terminal, you type it in an SSH session or something like that, you're not going to make that, you know, you actually have to type in the wrong host name as well to make that mistake, so it's pretty handy. Another one that's quite handy is a tool that I wrote called Safefirem. If you do something like this, you want to delete the file in the userlib and you accidentally do this, put a little stray space there. RM is going to do something somewhat undesirable and proceed to delete all of your userlib, so what Safefirem does instead, and that's what's going to happen, it's a very pleasant thing to recover from. What Safefirem does instead is that it's basically a wrapper around the RM command and it has a built-in blacklist, which is configurable, so these things, for example, are in the blacklist and in the default one, and if it sees any of those paths that you're trying to delete, it will just ignore them, it will do this. So the idea here is that there are certain paths on my system that if I ever ask the RM command to delete, there's almost certainly a mistake. There's absolutely no reason that I can see for me to want to delete userlib normally, and so this is what Safefirem is there to prevent, and if you actually want to delete it, you can go and use the slashbin slash RM command directly and do it, but it does prevent those sorts of accidental mistakes. Yes, it affects script as well, so you don't want to put stuff that, basically, in your blacklist, you want to put only stuff that should never be deleted for any reason, like userlib. If you have a script that leads to userlib, it's probably a bad script. There's an ISC bot or something that deleted the Flash user, I think, this is a famous GitHub bug that would have prevented something like that, unless it actually uses the syscall. This wraps around the RM command. If you're not using the RM command, then it doesn't do anything. Etsykeeper is another one that's quite neat, so what this does is that it keeps your slash Etsy in revision control. Now, I put this into the safety category because I think it's quite useful, because when your slash Etsy is a git repo, you can easily tell that you've made changes to files that you didn't want to change, for example, in just the git status, you see what your changes are, the git diff, and then, oh, I didn't actually mean to touch this file, and you can revert it easily. Also, what you can do is commit to your repo after you've made some changes, and that allows you to keep track of the changes that you're making. And what I often do as well is I will use git log for a particular file to see, for example, if you're trying out a new config for Apache or something like that, and then it turns out it fails, you can go git revert, or if you only realize much later on that you made a mistake three months ago, you can go back in the history for that file and then go back to the previous config that you have. So I quite like that, and it works with git, bizarre, mercurial, darks, whatever version control system you want to use. Probably not CVS or SVM, but who knows. This is another one that's quite useful for me because of that machine that runs Mit TV, and this was written by Andrew here. So basically what that does is that when you log into the machine, it shows you this, which is, is this computer currently recording anything, and when is the next scheduled recording. So if you need to reboot for a kernel update or something like that, you can look at the scheduled recordings and see whether or not you have enough time to do the reboot or whether you should wait after that show is recorded. But the other thing is if the computer is currently recording something, it may not be such a great time for this to upgrade, for example. So you might want to wait a little bit longer. SL is a pretty cool package, another one to prevent some accidental typos you should install it. And that brings me to security. So my approach here in security is kind of in line with what I talked at the beginning of the talk in terms of not making this my full-time job, because I'm doing this to help our friends and family. So I'm not going for the super secure kind of approach. There are lots of things that you can do to make a system much more secure. You can say, for example, have checksums that are stored on a different computer or have like a log server that will collect logs for everything. So if an attacker comes in and deletes you of our log, you still have something. But that requires more effort, requires more setup than I'm necessarily willing to do. So I'm kind of going for a reasonable approach. I'm trying to go for the sort of the quick security wins that I can get. The things that are basically no effort, but add basically some obstacles to any wannabe hackers getting into your box. That's an easy one to install. You can install AppArmer and the default profiles that come with Debian. So that will protect some applications that have profiles built in. So like, for example, if you have a service that runs and it happens to come with an AppArmer profile, then it will be restricted a little bit more. But if you're running services that don't have profiles built in, then basically it does nothing. But this is like, if you just install these things or protect a few things with no effort whatsoever. So that's the kind of solution that I'm looking for there. Debsums is interesting. What this one does is that it looks at all of the files that are installed by your packages and it does a checksum of them. It compares that with the checksum that comes with the .dev that installed the package. So all of the Debian packages come with a checksum built in to the dev. And if, for some reason, after you've installed them, some of the files were modified, say, you know, something in user bin or user sbin got modified, one of the binaries is different from what the package says it should be, that's probably something that you should look into. There are a few exceptions where you can whitelist where it's okay. There's a package that installs PCI IDs and USB IDs and there are tools to keep that up to date, like if you want to run that on Chrome or something like that. In which case you have to whitelist these files because they will be more up to date than what the package is expecting. But normally, if you have things that have changed and you get a warning from Debsums, it's a bad sign. It could be a security thing or it could also be just like a bad hard drive or something like that and some bits have flipped. So the comment was that it's good to install this early because there are a few packages that don't, I'm not sure why it's like that, but there are a few packages that don't have checksums built in. So it must be something that the dev helper does. So packages that don't use dev helper may or may not have checksums. And for those, Debsums will actually look at what you've got installed and create checksums for them. So it's good to install it early, as was suggested there, to make sure that you set up this checksum database and that it can be checked all the time. And that comes with a Chrome job that can optionally run daily to go through your file system and check everything. There's another one that's related called fcheck. This one looks at the files directly. It doesn't know anything about the packages, but they will look in userlib, it will look in userbin as bin directories like that and it will warn you if something has changed. And so it gets triggered. So there is a hook for apt-get so that whenever you upgrade a package, it will update its own checksums. But basically it keeps its checksums in varlib and if anything changes in one of those wash directories, then you'll get an email. So that covers stuff that's not necessarily packaged. If you have something in userlib that didn't come from a package, then fcheck will catch it. Now of course, as I said before, there are much better solutions if you want to have very good security. You should ideally keep those checksums on a different machine and things like that because if an attacker comes and changes your binary, then they can just update the checksums and they can change the checksum in the dev as well that would defeat both of these packages. But that's a lot more work than I'm willing to put in and these things will catch less sophisticated attackers. I should have pointed out that I'm not trying to make my computers NSA-proof because that seems to be the big hip thing to do now. Check root kit, check security, easy things to install that probably don't do a whole lot but check a few things. RK Hunter is another one that looks for evidence of root kits so it knows about a few root kits and it will warn you if it detects these things. That's a little bit like AV programs on Windows. It looks for a particular signature and if it finds it, then it warns you about it. So not particularly exciting but you know why not. Tiger is, I like that one a lot more. Tiger actually checks for, there is a guide, I'm not sure what it's called in Debian, of basically security best practices that's in this admin so it will tell you things like for example if you, when you configure SSH, don't enable v1 the protocol because it's secure so it should be v2 only. So a bunch of basically best practices like this are in that guide and Tiger is a thing that checks for them so it will warn you if you have anonymous FTP or SSH v1 things like that and then it will email you about it. Now the neat thing is that it emails you once about every problem that it finds. So once when it finds a problem and then once after it detects that you've actually resolved a problem. So if it warns you about a problem that you don't care about you can just delete the email and you'll never hear about it again. But that's really useful when you install it so when you set up a new computer you can install that and that kind of double checks the stuff that you should have done when you set it up to make sure that you don't forget little tweaks here and there that in a lot of cases really should be defaults in Debian I guess but it's a good configuration thing to have. In terms of remote access obviously I use SSH and there's another tool for SSH called Mosh which is if you don't know about it it's really neat. It runs over UDP instead of TCP and it kind of fakes a really low latency SSH client by kind of showing you the keystrokes that you type as you type them as opposed to waiting for the server to echo them back to you. Because it's UDP based you can also do really neat tricks like you are on the network and you log into a box, you move to different networks so you go from Wi-Fi to a mobile network and you can still keep going you're not disconnected even though your IP address changes because it's IP address agnostic it's just like basically a TCP you're sending TCP packets and you've got a little demon on the server that listens for them. The neat thing about it is that to start using it all you have to do is app get installed on the server app get installed on the client that's it like it uses SSH that your existing SSH keys to bootstrap itself and it's basically zero configuration you can just start instead of connecting to your server using SSH server name you just use Mosh server name and you're done. It's really quite cool. I've also got a blog post about a few little tweaks you can do to SSH to increase the amount of logging that you get and also restrict SSH a bit more than the default configuration. I use IP tables as a firewall and a lot of people like UFW. I never really got into UFW because my IP table files are actually quite simple that's basically you know the sort of boilerplate that I've got on all of my machines and I find it kind of useful to know what the underlying because UFW is basically a wrapper around IP tables which is the real is closer to the kernel stuff and all I do really is use that that sort of boilerplate there and enable ports for servers you know it's quite actually quite readable and in Debian you can stick it into stashetc slash network slash IP tables that up the rules and then that will be picked up and there's a really neat tool called IP tables dash apply that will try a new firewall rule it asks you whether or not you can still connect to the machine and it's got a timeout of 30 seconds that will revert the new rules if you if you don't say yes so if you apply a new rule to the server that you connected over by SSH and it locks you out then it doesn't matter because in 30 seconds the thing will be reverted it's quite neat I also use a piece of software called FWNOP and this is actually pretty neat it's a technique called single packet authentication it's derived from I guess in the history of it is that it used to be about port knocking which is this technique where your firewall has closed off say the SSH ports but then if you actually if you if you use a particular client and you try to connect to say port 1000 and then you try port 1200 and 1400 then if you do this sequence of like trying to connect to those three specific ports then it detects that you've done this the magic knocking sequence and it will open up port 22 just for you for 30 seconds or something like that just for your IP address so this is a way of basically closing all the ports but allowing you to re-enabled them using this kind of magic sequence FWNOP extends that idea further because there are a lot of limitations with port knocking this for example if people configure it to be you know ports 1000 1000 1002 then you know a port scan would actually open it up so because it'll just hit those those those ports sequentially FWNOP is really neat you send one single packet to to a port I think it may even be any port and it's if you GPG encrypt the the magic passphrase or something the password that you've got set up then you can tell the firewall because the firewall will see this packet that it will drop it and then it will look at it and see oh this actually matches the magic password thing and it will open up SSH for you for 30 seconds just for your IP so um so this is basically about hiding the fact that you're running SSH and then once you use the thing then it opens it up for you you can log in and then it closes it again so it's quite neat um I also use um din DNS the service for um because I'm behind most of the boxes that I maintain are behind um dynamic IP addresses and there's a neat little tool called IP checking devian which is one of many to keep that automatically up to date and I also use uh so so this is not for servers this is for the desktops that I support I set up PNC um because um it's when when you're trying to describe a problem to someone over the phone or you're hearing someone's description of a problem it's just so much easier if you can actually see what they see on the screen because very often you know they will they will be describing something that um and and just you know not noticing because there's a little tiny thing that actually makes a huge difference and then when you see it on your screen it's like oh yeah it's because of that and it could cut down the the uh the the amount of time that you do text support for immensely really really useful um I use so the first one is this there's the server component values this um starts up a vnc server with the running x client so there's lots of ways to sell vnc this one will basically it's it's like sharing the existing x session that a person has over the vnc protocol so I can start that login as my dad in his box start this up and then I run the the ssvnc as a client none on my laptop tunnel over ssh because um vnc doesn't have very good a very good authentication story and then I can basically take over his computer he can see what I'm doing I can move the mouse etc um I've got a blog post so that the tweaks I've done to for the high latency link that I've got um there's a few things you can do where it's actually quite good uh could almost watch a video at a very low frame rate um but yeah it's like if we if you tweak it they can it can be quite good um backups so backups of course are important um and and one thing with backups is that you don't have a backup until you've actually tested your backup so always important to keep that in mind I'm going to talk about backups but really I should be talking about restores because you need to test it um I split the the stuff that I backup in three different categories so all the data that's on my dad's computer is either um config files like stuff that I set up myself um important documents like I don't know like uh the like believer office documents uh banking statements or whatever that he wants to keep uh and then um the third category I call non-critical data and I put in there stuff like the myth tv box will record tv shows and and I put that in that category so for the first category the config files I back that up using duplicity um which is a really neat tool that will do incremental backups over ssh encrypt them using gpg so I just store all of that on my existing linode because it's all gpg encrypted anyways and um I so the reason why I backup config files is that if the machine were to crash I don't want to have to reinstall everything from scratch um because that takes a bit of time and so I've got a backup of the latest config all the time also if I screw something up in the config even though it's in slash at sea I should be okay but uh but there's there's another copy in there anyways um so I put all the slash at sea I put the list of installed packages so if you have to reinstall the machine from scratch the other thing you need to do is you have to remember to reinstall all the packages that were installed in the first place um and thankfully there's a neat deep package command that you can run to actually output all of that to a file and then you can just reapply that as as a single command and then reinstall everything um so if you've got that the list of packages and all of the config files you pretty much have a box into the same condition you can you can restore very quickly to the same state that you had the other thing I backup is the new tv database uh dump my school database done in terms of the important documents there's a couple of things that I put in that category I created inside his documents folder I created a like a safe sub directory and I I told my dad if you put anything in there and I will back it up you don't put it in there it's not backup so if he's got something that is so I told him also like don't put like a 10 gig file in there because uh duplicity doesn't really like gpg encrypting large files and then scp them over um but this is the the the way that he um can basically ensure that certain things are backed up I also do his emails and um his bookmarks because bookmarks are just like a single hdml file in firefox so that's why not um back and on it's pretty easy um for the non-critical data I've basically told my dad like that's up to you I've shown I've shown him how to like burn dvds and usb keys and stuff like that but basically I told him like just if you if I were to like just reset your computer completely um what would you miss so you know like music files the tv show recordings that kind of stuff so he backs it up himself and um so I've basically kind of put that out of scope for uh in terms of what I do for him um so and then the last section that is about um giving back and um that's kind of uh I guess in in a sort of a broad way um there's a couple of packages that can help devian and other folks that uh that I install on all of the boxes that I run um one of them is popularity contest I think it's installed by default but it's not set to send submit data by default um but what this does is that it submits the packages that are installed on your machine um anonymously to devian servers and that gets used in the project for various things and the initial um idea behind it was it would tell us which packages have to go on to the first cd um because devian news to come on cds um it still does but um I don't know that the first cd is that useful anymore um but that was the initial um idea behind that that package now it's been used for a whole lot of other stuff um to gauge sort of uh to sort of basic metrics as to whether or not certain things are still in use in devian or not um so it's a good thing to to install on your machines to make sure that you kind of vote for packages that you use uh another one is called kernel oops and so when your uh kernel crashes um so that's called oops um it will send essentially like a back trace debugging information back to uh kernel dot work so that they can uh so this is a little bit like you know when those just crashed would you like to send this report to microsoft um this is the equivalent for the linux kernel and uh I think it might it's overly useful sometimes to to try and debug things but also to get um an idea of what the worst defenders are in terms of kernel modules and things like that and of course that's usually in video um but um they sometimes it can be other things as well um so yeah so you just need to get installed those two and you're done so that's basically what I do when I support other people's computers um sort of you know accumulated a list of favorite packages over the years um but I'd be quite happy to hear what you know if other people have suggestions of things I should do keeping in mind that I want to stay a amateur assessment I don't want to have to I don't want to install something that will turn me into a full time uh so yeah I'm happy to take questions or suggestions of other packages and yep so this I'll repeat the question so that so you apt list bugs uh was the suggestion um I uh I I used that on my own machine so what apt list bug does is that when you are going to apt gift upgrade uh where I get install a package if the package has released critical bugs the very severe bugs then uh or maybe just important I'm not sure what the severity cutoff is but it will warn you about it so like you're about to upgrade to this new version of Apache uh but actually it doesn't start uh would you like to do that or not so you can abort the apt gift upgrade at that point so it's quite useful um it tends not to um in my experience it's not so useful on stable it's very useful and unstable uh if you want to get unstable yep something like that so when I talked about uh SSH why did did I not mention deny host um stuff um I I don't particularly I don't really use that um on on my machines I blog post I link to has a few other things that I do um but um I've not really found that to be I may maybe I'm on I've not really found that to be a super useful um restriction it's kind it's a little bit annoying to maintain as well but um yeah yes um so the comment so the there's two comments the the comment was basically ups is sometimes make things worse because for example you have to replace a battery when it dies so apparently sometimes it makes the power worse as well because the the tolerance is too tight and like it uses a battery too much and runs it down I've that's that's possible I think I've only had to replace it once in about like eight years so that's been working okay for me but yeah it's good to know oh yes sorry how do you how do you the question is how do you test whether another ups is working is that a question um the the best way to test it really is to uh is to pull the cord out while it's running uh then yeah I found my dad did that um and uh yeah that's basically um that similarly the best way to test whether or not your uh your range configuration is working is to take one of the drives out and do something about it and then you know see if you can see if you can actually boot from with only one drive which you know if you forgot to install grab on both of the drives it won't um and then you know like re-sink everything twice so yeah best way to test a ups thing I found was to just unplug the power and see if it so it goes okay still on the ups Jenna's energy managed to fry two mainboards for me by fiddling with the smart meters and other stuff so it is very recommended in certain parts of New Zealand and it's worth well the effort and updating the battery on occasion did you have a comment as well right there is various packages which will do automatic ups testing if you have usb or serial connections and then send you emails about failed test reports okay any questions comments yep um so the question was have I tried to support other architectures like non-intel architectures uh the answer is no like all the all of my friends and family have very standard um like AMD or Intel boxes right no it's just i'm looking for perhaps supporting something for a family member who manages to block fans and fry them other boards and stuff like that and I was thinking of getting something like a QB truck which has no fan and can't be blocked and it runs tb in fine well thank you very much thank you Francois