Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Odo Poppinger 

Why not?

On 16.04.22 16:05, Elmar Stellnberger wrote:
>Given that this should not be possible for some reason, please
> share your knowledge about these bugs, so that people like me
> can try to find a fix.
>
> Elmar


On 11.04.22 23:57, Moritz Muehlenhoff wrote:

It is possible; if someone tracks down the respective GCC change and backports
it to GCC 8 in Buster or alternatively lands a patch in the ESR91 branch
which changes the code to no longer trigger the ICE, that would fix it.

But realistically the number of people who actively care about i386 support is
really, really small so I wouldn't count on it...

Cheers,
 Moritz

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Odo Poppinger 

On 13.04.22 19:18, Levis Yarema wrote:

If I would get an x64 CPU from a Linux pro, sure I would take it. 
Otherwise I would not recommend to just take any old hardware for 
exchange with my working one since not all of it was easily well 
supported by Linux these days, as far as I can remember.


   You can not replace any i386 machine with x64. Some old programs I 
am running only work with Windows XP and the serial and/or parallel 
port. Not every computer has that. However I do also need Linux, mainly 
for processing my data.

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Odo Poppinger 
I have a beloved P4 Gericom Frontman and I do not want to give it away. 
It had a new game changing design as can today be found with many Apple 
computers. I also have a P4 notebook and some i386 desktops, some of 
which I am dual booting with some Windows and OS/2. New computers with a 
setup from zero are no considerable option for me. But yes, why not 
upgrade to Debian 11.


Odo

On 13.04.22 17:11, piorunz wrote:

On 13/04/2022 15:57, Michael Stone wrote:


family 15 model 2 is northwood based. no amd64. the best option for that
one is to find a cheap second hand box with a CPU that's only 10 years
old instead of (literally) 20 years old and retire it; those old p4's
were really power hungry, and it shouldn't be hard to find a replacement
for a cost (maybe even free) that will pay for itself in electricity
savings alone.


Ok. Yes indeed these CPUs are so old that I can give away better ones
for free for this fellow Debian user if he is in my country.
CPUs like that I sell on eBay from refurbished computers for almost
zero, just as a hobby, to give it second life. Working on such machine
is impossible apart from passive browsing and text typing.

--
With kindest regards, Piotr.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-11 Thread Odo Poppinger 
I am still using i386 on some machines. Isn´t it possible to build with 
another gcc or to update gcc?


On 09.04.22 23:31, Moritz Mühlenhoff wrote:

Friedhelm Waitzmann wrote:

For the oldstable distribution (buster), these problems have
been fixed in version 91.8.0esr-1~deb10u1.

  Where can I get this from for buster and architecture i386?

  does not have it.

The Firefox ESR91 series triggers an internal compiler error
with the GCC version included in Debian 10, so there's no build
available currently.

There's one for Debian 11 (where GCC builds it correctly), but
I'd instead suggest to switch to amd64 instead.

Cheers,
 Moritz

Re: debcheckroot v2.0 released

2020-04-12 Thread Odo Poppinger 
Hi Paul,

  I would like to make use of DANE. What software can I use?

Odo

Am 04.04.20 um 09:47 schrieb Elmar Stellnberger:
> Am 02.04.20 um 16:49 schrieb Elmar Stellnberger:
>> Am 02.04.20 um 01:57 schrieb Paul Wise:
>>> On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote:
>>>
 Did the discussion of continuing support for DANE end??
>>>
>>> In case I mislead anyone, a clarification:
>>>
>>> Debian itself isn't going to actively work on removing support for
>>> DANE from anything nor removing our DANE/DNSSEC records.
>>>
>>> Support for DANE is never going to happen for the web (given the
>>> opinions of the major browser makers) and it could disappear in other
>>> upstream projects as the popularity of DoH/DoT and other things in the
>>> DNS space eclipse DANE/DNSSEC. Should that happen to the software
>>> Debian uses for DNS/DANE, we may be forced to drop our DANE/DNSSEC
>>> records.
>>>
>>
>> What software is currently used for DNSSEC/DANE by Debian?
>> What do you mean by DoH/DoT?
>>
>
> Dear Paul,
>
>   Can you answer us that question: What software does Debian use that
> supports DANE? I do not know of any except dig and drill.
>
> Yours,
> Elmar Stellnberger
>

Re: debcheckroot v2.0 released

2019-11-21 Thread Odo Poppinger 
Am 20.11.19 um 12:29 schrieb Elmar Stellnberger:

debcheckroot is targeted at technically experienced users. No way to hunt
rootkits authored by the NSA otherwise. You have to be a tough user to take
this challenge! Well you can of course also use it for other kinds of
rootkits by other governments or from criminals but interpreting the
results requires some kind of knowledge about a Linux system. You need to
know what the kernel is, what an initrd is, what you can find under /bin,
/usr/bin, /sbin and /usr/sbin.

The tool has primarily been written against 5 eyes rootkits but I think it
is still missing some features to take this challenge. f.i. it should be
possible to unpack *.deb-s in an own boot run, separate from downloading
and verification. That would shield against attacks targeted at the
unpacking which affect the very system debcheckroot runs on. Supporting
file only repos for customly downloaded and installed packages like my
printer driver would also be an issue.

Why not simply use sha256 - lists as can already be used and generated with
debcheckroot (as far as I have seen)? That would resolve the problem of a
possible infection of the host system running debcheckroot because there
are no archives that need to be unpacked when using plain sha256 file
lists. We would only need some official support by Debian for this, i.e.
someone who creates/updates these sha256 lists every time the updates
repository is updated and puts them online in a publicly known place.