Removing PulseAudio after migrating to PipeWire

After migrating to PipeWire you would want to fully remove PulseAudio. The problem is that certain packages, for example libcanberra-pulse, depend on pulseaudio even though they would work just as well if pipewire-pulse is installed. There are several relevant bugs to solve this issue, but meanwhile we could use equivs to generate a fake package that provides pulseaudio.

Copy the following file locally as pulseaudio-fake:

Section: misc
Priority: optional
Standards-Version: 3.9.2

Package: pulseaudio-fake
Provides: pulseaudio
Description: Fake pulseaudio package to satisfy depdendencies.
 This solves depdendencies for packages like libcanberra-pulse when actually using PipeWire instead of PulseAudio.

Build a package from it using equivs and install it:

$ equivs-build ./pulseaudio-fake
$ sudo apt install ./pulseaudio-fake_1.0_all.deb

Now you can safely remove pulseaudio.

GNOME 40 on Debian Unstable

These are the steps I took to install (most of) GNOME 40 Debian Unstable:

$ sudo apt install -t experimental gnome-shell gjs mutter gnome-control-center gnome-desktop3-data
$ sudo apt-mark auto gjs mutter

Failing to install gjs 1.68 from experimental will result in white or blue desktop backgrounds regardless of the wallpaper you choose. This bug was reported in Arch.

Most of GNOME 40 functionality should now work, including the updated activities overview.

What doesn’t work? Settings->About still display GNOME’s version as 3.38. I suspect it’s because gnome-session is still at 3.38.

Update 2021-08-24: I upgraded to gnome-session 40.1.1 and it didn’t solve the version string issue.

Update 2021-08-31: Following a comment by Jeremy, I installed gnome-desktop3-data from experimental and it fixed the version string issue.

[coc.nvim]: UnhandledRejection: Launching server “jedi” using command jedi-language-server failed.

Recently I switched over to coc.nvim, and when trying to edit a Python file, I encountered the following error:

[coc.nvim]: UnhandledRejection: Launching server "jedi" using command jedi-language-server failed.

The first problem turned out to be that while I had jedi installed, I didn’t install jedi-language-server. This can be done using:

pip install -u jedi-language-server

Next, coc.nvim couldn’t find the jedi-language-server executable, despite it being on my $PATH. The solution was to specifically define it in ~/.vim/coc-settings.json:

{
  "jedi.executable.command": "/home/guyru/.local/bin/jedi-language-server",
}

tmux <-> Wayland Clipboard integration

tmux 3.2 and above provides the copy-command option to set a command to pipe text to copy. You will also need wl-copy command from the wl-clipboard package. Add the following line to your ~/.tmux.conf:

set -s copy-command 'wl-copy'

As of writing this post, tmux-3.2 is only available in experimental, so you’ll need to install it from there:

$ sudo apt install -t experimental tmux

Autostart rclone mount using systemd

Create the following file under ~/.config/systemd/user/rclone-dropbox.service:

[Unit]
Description=Dropbox (rclone)
AssertPathIsDirectory=%h/Dropbox
# Make sure we have network enabled
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/rclone mount –vfs-cache-mode full Dropbox: Dropbox
# Perform lazy unmount
ExecStop=/usr/bin/fusermount -zu %h/Dropbox
# Restart the service whenever rclone exists with non-zero exit code
Restart=on-failure
RestartSec=15
[Install]
# Autostart after reboot
WantedBy=default.target

Reload the user services, enable and start the new service:

$ systemctl --user daemon-reload
$ systemctl --user enable --now rclone-dropbox

Import Subversion repositories to Git

Install the git-svn package:

sudo apt install git-svn

Create a file named authors.txt with a mapping between svn user names and git authors. For example:

guyru = Guy Rutenberg <guyrutenberg@gmail.com>

Do the actual import:

git svn clone --no-metadata --stdlayout--authors-file=authors.txt file:///path/to/svn/repo

The --no-metadata option will get rid of the git-svn-id: ... lines in the commit messages. It is useful in case you are doing a one-off import of svn repository to git. However, if you plan to repeatedly synchronize the svn to the git repo that option should be omitted.

The --stdlayout flag instructs git to assume the Subversion repository has a standard layout of trunk/tags/branches.

References:

Rename Debian packages according to version

This is a small bash utility function to allow renaming deb archives according to their version.

rename-deb () 
{ 
    base="${1%.deb}";
    version="$(dpkg-deb -f $1 Version)" || return 1;
    new="$base-$version.deb";
    mv -i "$1" "$new";
    echo "$1 -> $new"
}

You can either run it one time in your shell, or define it in your ~/.bash_aliases.

Example:

$ rename-deb zoom_amd64.deb
zoom_amd64.deb -> zoom_amd64-5.5.7011.0206.deb

Checking Thunderbolt security on Linux

Thunderbolt connections may provide DMA access to the host and pose a security risk. There are two mechanisms to mitigate against Thunderbolt DMA attacks in Linux, and you would probably want to verify at least one of them is active.

IOMMU DMA Protection

This uses IOMMU to explicitly allow what memory Thunderbolt devices can access via DMA. This is the prefered way to protect against Thunderbolt-based DMA attacks. It is available on recent hardware (~2018 and forward) and requires Kernel >= 5.0. You can verify IOMMU DMA Protection is enabled using:

cat /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection
1

Value of 1 means it is enabled. This setting is controlled through UEFI. At least in Lenovo systems it is named cat "Kernel DMA Protection" (like the Microsoft name for this feature). You can find it under the Security tab.

Thunderbolt protection

This is the old style of protection, that preceded IOMMU protection. If configured properly, it allows the user to explicitly authorize Thunderbolt devices before granting them DMA access.

$ cat /sys/bus/thunderbolt/devices/domain0/security 
none

none means no protection at all (that will also be the case if you have IOMMU DMA protection enabled). user requires the user to authorize a Thunderbolt device each time it’s connected. secure is like user but devices authorized in the past do not require re-authorization. dponly only allow DisplayPort pass-through.