[DNG] apt-get update fails
Hi everyone When I try to make an update, I get the following error: root@colibri:~# apt-get update Hit http://auto.mirror.devuan.org jessie InRelease Hit http://auto.mirror.devuan.org jessie-updates InRelease Get:1 http://auto.mirror.devuan.org jessie/main Sources [7,082 kB] Get:2 http://auto.mirror.devuan.org jessie/non-free Sources [99.0 kB] Get:3 http://auto.mirror.devuan.org jessie/contrib Sources [50.8 kB] Get:4 http://auto.mirror.devuan.org jessie/main amd64 Packages [6,794 kB] Hit http://auto.mirror.devuan.org jessie-security InRelease E: Release file for http://auto.mirror.devuan.org/merged/dists/jessie-security/InRelease is expired (invalid since 23h 18min 11s). Updates for this repository will not be applied. This also happens on the tor mirror: root@mouse:/usr/src# apt-get update Get:1 http://devuanfwojg73k6r.onion jessie InRelease [108 kB] Get:2 http://devuanfwojg73k6r.onion jessie-updates InRelease [119 kB] Hit http://devuanfwojg73k6r.onion jessie-security InRelease E: Release file for http://devuanfwojg73k6r.onion/merged/dists/jessie-security/InRelease is expired (invalid since 23h 17min 54s). Updates for this repository will not be applied. Could someone please fix this? Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] apt-get update fails
Hi Florian I know about the workaround. I just wanted to make sure the people who need to know about this issue know about it. Also, I hoped to get some more informations on how this could happen in the first place. Are the IRC discussions archived somewhere? Regards, Daniel Abrecht On 11/06/2016 03:03 PM, Florian Zieboll wrote: > On Sun, 6 Nov 2016 14:41:23 +0100 > Daniel Abrecht <d...@danielabrecht.ch> wrote: > >> When I try to make an update, I get the following error: >> >> (...) >> >> E: Release file for >> http://devuanfwojg73k6r.onion/merged/dists/jessie-security/InRelease >> is expired (invalid since 23h 17min 54s). Updates for this repository >> will not be applied. > > Hallo Daniel, > > as mlsmith stated on IRC #devuan [1], you can work around this issue with > > $ apt-get -o Acquire::Check-Valid-Until=false update > > > libre Grüße, > > Florian > > > [1] https://botbot.me/freenode/devuan/search/?q=Check-Valid-Until > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Won't boot after dist-upgrade
On 12/19/2016 10:08 PM, marc wrote: > And completely unrelated: The devuan I have doesn't mount the > cgroup fs (debian seems to rely on systemd to that), so if you want > to use lxc, you might want to add > > mount -t cgroup cgroup /sys/fs/cgroup > > to your startup scripts. I'm using the cgroupfs-mount package for this. regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] gvfs depends on libsystemd0
On 04/09/2017 08:01 PM, Steve Litt wrote: > On Sun, 09 Apr 2017 08:24:15 +0200 > Joachim Fahrner <j...@fahrner.name> wrote: >> without gvfs PCmanFM does not mount external usb drives > > Somewhere back in the archives I submitted a shellscript to > automatically mount thumb drives without a file manager. I think automatically mounting thumb drives is very different from mounting them when I klick on them in my file manager. Things like automatically mounting removable medias or even auto starting applications, I don't want that. What if I want to rescue a faulty thumb drives for example, automatically mounting it would could damage it even further. I think that Linux doesn't do or change things on it's own like Windows used to be a big strength of it. Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] tiny service state api [WAS: Fwd: init system agnosticism]
On 2017-04-14 20:16, Simon Hobson wrote: > "Enrico Weigelt, metux IT consult"wrote: > >>> For those of us who put consistency above boot speed, simply changing >>> the init script so MySQL doesn't flag as "started" until the daemon >>> is up and ready to accept requests would fix it; >> But then you'll have kind of daemon who watches mysql until it's really >> ready and then signals back to the service monitor, so it can proceed >> with the other services. In the long run, sounds like a maintenance >> hell to me. > Which is why I said I can see some value in a simple > communication/notification system. Ideally you'd have MySQL itself make > status calls along the lines of "I'm starting but not ready" and hopefully > end with "I'm now ready for business". The latter would then allow other > processes that depend on a working database to continue. > At present, IIRC the script starts the MySQL process, then loops round > waiting for to appear - at which point it assumes MySQL is ready > for action and prints OK on the console. > > > That way, there's a standard way for processes to communicate their status, > and a simple and standard way for dependent processes to determine if > something they need is ready yet. I still think this isn't a problem the service manager should attempt to solve. This is a situation where the database is temporary unavailable, for which there are many possible reasons. The services which relay on the database should be able to handle such a situation gracefully, or they are just not yet stable enough. I would expect a service which has to handle a task for which it needs the database to return an error in this situation, but to continue working. Once the database is available, and a new task arrives which requires the database, the service should work as expected. If such a service needs to do some initialization using the database, it can just re-queue that until the first successful database connection. This way, there isn't even a need to start the database first, the service would be rock solid, and there wouldn't be any need for the service manager to handling such edge cases. Just keep it simple. signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] tiny service state api [WAS: Fwd: init system agnosticism]
Hi From my point of view, systemd always tries to keep services running, no matter how hard they fail, and to mask possible problems when starting a service, so the service maintainers don't have to fix their service, which is really unfortunate. In case of those service state notifications with sd_notify, I think they are usually used to signal when a service is starting, but not ready yet. This may seam reasonable at the beginning, but I think it fixes the problem at the wrong place; When a service needs another service, but it's temporary unavailable, it should cause an error or warning to be returned and logged, but it should never be a fatal error which causes the service to stop. When a service needs to handle this situation on it's own, it will become more stable over time. If this task is taken away from it, it will become fragile, and relay on the service manager. I think this would be really dangerous, because it could lead to cascades of failing services once one service fails. At some point, a service manager couldn't possibly handle that anymore and there would just be waves of restarting and failing processes. Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] FF pulseaudio hard dependency is here
On 03/12/2017 03:49 PM, Renaud (Ron) OLGIATI wrote: > On Mon, 13 Mar 2017 01:55:27 +1100 > Andrew McGlashanwrote: > >>> Plus, on Ubuntu (I am yet to fully test Midori on the Devuan laptop) I >>> found out it has many addons I was afraid wouldn't be available: >>> >>> Adblock "Block advertisements according to a filter list" >> The best blocker is "uBlock Origin" both words, not just uBlock. >> >> They say they are not an ad blocker, but they block ads and other bad >> stuff by default -- is that available for Midori? If it is, go with >> that in place of Adblock (any variant). > Have you considered rolling your own add-blocking with a list of unwanted > sites in /etc/hosts ? I'm using the block lists from Pi-hole on my local DNS Server, which has the benefit that I don't need to install an AD-blocker on each of my devices. signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] grub background image
On 2017-04-14 19:27, Joachim Fahrner wrote: > Am 2017-04-10 00:39, schrieb fsmithred: > >> desktop-base is supposed to handle that, but it's not cooperating. >> You can >> bypass it by adding the following (one) line to /etc/default/grub >> >> GRUB_THEME=/usr/share/desktop-base/grub-themes/desktop-grub-them/theme.txt >> > > Thank you for that hint. > The correct entry is: > GRUB_THEME=/usr/share/desktop-base/grub-themes/devuan/theme.txt > > This is a very nice grub theme. I'm wondering why this is not set in > the default installation? > > Jochen I don't have that file. Which package contains it? Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Excessive bounces
I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the bounced mails, probably because I forgot a DMARC DNS entry for the report receiving mail address. I have changed my DMARC policy from reject to quarantine for now. That said, I won't remove the DMARC record completely, and I plan to switch my DMARC policy back to reject after this issue has been resolved. A lot of people claim that DMARC won't work with mailing lists, but this isn't correct, it's just that most mailing lists aren't configured in a way that makes DMARC usable, (and no, changing the from address isn't the correct solution.) I use DMARC and believe it to be necessary because it allows me to: 1) Make sure nobody can use my E-Mail address to impersonate me or send spam 2) I will be notified if anyone attempts to do so 3) The recipient can check if the message content was changed That said, the correct way to deal with DKIM, SPF and DMARC protected mails is to: 1) Provide an SPF record. This mailing list doesn't seam to have one 2) Don't change anything from the message below the DKIM headers, add the other headers before the DKIM signature instead. This will also solve the problem that some mail clients like the android mail client don't display text-only mails correctly. In think the email body, subject and from header shouldn't be altered anyway. Of course, changing the from header and removing the DKIM header would avoid the problem as well, but I'm against that solution since it obscures who wrote the mail. I haven't done much with mailman yet, so I don't know how it needs to be configured or if it can even be configured that way. I'll take a look at mailman in a few weeks. I've attached two versions of an email I've sent to the list earlier. The first one contains the message as I received it again from the list. The second one is edited in such a way that the added headers and the original message body are preserved and the DKIM check succeeds, only the added mailing list signature was removed. Daniel Abrecht mails.tar Description: Unix tar archive signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [test] Excessive bounces
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 This is just a test mail, please ignore. This time without MIME/PGP signing, because it causes mailman to add a multipart header before the message, which interferes with the DKIM check. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJZg2sXAAoJEHAEo2n3S1aBDcUH/3CwGtjBX/tWq8bO9X6cAgKU ApKNiNCTUu/CATJ9PqeG3iwgGDDjOZwF9Ral0Eq70YspEosfPnOh9QxMqD/F/Qvu Pn6F1WPBXZSscjXMEUxPhBr19K3wprwm6dbfj+EUHR8KDAYILgjH4mqDiLf+6PAK CMVWuqXUYthNEYYn6OPNNcIjoYv+UDpoPgwxEHZ8YfGimw3q0fuQKCcZDMM4hFsI vHT3PnvsJbe0eB7aTzTmETCfoyvuan+uaEpLijz1ydL2yPN6dKySYNK3EM01u0sS yFTdinPPzFL+J99oCosArKMLJMk/Ie0eMmiGwz0Rn08N8zB8A4u/94MXh3tRkI0= =aZyR -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [test] Excessive bounces
This is just a test mail, please ignore. I have changed my OpenDKIM config again, and added Return-Path, References and In-Reply-To to the list of headers to be not covered by DKIM. (also, I switched back to MIME/PGP signing, I think I'll just have to search a better mail client for that.) Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Since thumbnails have to be generated somehow, they need some kind of generator. To use plugins, which are resembled by executables in this case, is a perfectly fine approach for this. The real problem is that despite it's well known that thumbnail generators have a really big attack surface, nothing has been done to limit the impact of vulnerabilities in thumbnail generators. An easy approach for safe thumbnail generators would be to enforce secomp before the plugin for thumbnail generation is loaded/executed. This would allow to prevent a thumbnail generator to do anything but reading from the file which needs a thumbnail, writing to the thumbnail file/memory, and maybe some memory allocations, which could be further restricted using rlimits. My guess on why noone actually does this is because it would break any existing thumbnailer and programs like imagemagic couldn't be used for thumbnail generation anymore. Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On 2017-07-18 20:07, Adam Borowski wrote: > On Tue, Jul 18, 2017 at 06:15:20PM +0000, Daniel Abrecht wrote: >> Since thumbnails have to be generated somehow, they need some kind of >> generator. To use plugins, which are resembled by executables in this >> case, is a perfectly fine approach for this. > > Uhm, but why? I can understand a thumbnail for an image file: it may be > useful to see what's inside without having to open it. But there's a limit > to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a > broken four-panelled window image), and that's it. It isn't possible to predict every image/file type a user may have to deal with, therefore others need a way to add support for not per default supported file formats. Additionally, if a developer writes a program, a 3D game for example, and it uses a custom file format, for a game level for example, said developer may want to add thumbnails to those files. A plugin system allows for this, and it enables the developer to choose to include a thumbnailer, it leaves the choice to include the thumbnailer in a package to it's package maintainer, and it allows the user to install or remove the thumbnailer. If there is no thumbnailer, a default icon for the file is used. At any point, anyone can decide if they want generated thumbnails for certain file types or not. That said, I don't see a reason to not provide a way to display thumbnails for exotic file types. I don't even see a problem in generating thumbnails for exe files. Most exe fils are just like some archive file containing some icon files, so whats wrong with someone providing a thumbnailer extracting those icons? Why should that be any more dangerous than generating thumbnails for any kind of image? There is no reason any thumbnail generator couldn't have any bugs, therefore it would make the most sense to prevent bugs in thumbnailers to have any security impact. >> The real problem is that despite it's well known that thumbnail >> generators have a really big attack surface, nothing has been done to >> limit the impact of vulnerabilities in thumbnail generators. > [...] >> My guess on why noone actually does this is because it would break any >> existing thumbnailer and programs like imagemagic couldn't be used for >> thumbnail generation anymore. > > Actually, imagemagick is one of worst offenders here. The version in Jessie > is at deb8u9, and every security update tends to mention ~20 CVEs. Yes, I know. I didn't mean to imply that keeping existing thumbnail generators or using imagemagick for thumbnail generation is a good thing. I just tried to reason why thumbnails may still be generated in an insecure manner. If I had the choice between keeping every desktop system insecure forever or breaking every thumbnailer ever created, I would always choose the later. However, I don't think that's an option for gnome or KDE. Daniel Abrecht signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [Desktop-Environment] Cinnamon and MATE
I think this is getting ridiculous. How did we get from XY was compiled for one architecture by someone who made XY available in his own repo to we should drop support for [random but common other architecture] for all of devuan? Devuan offers a sane alternative to debian without systemd, it is what debian should have been. Since most packages come from debian anyway, without any need to recompile them, there is no extra time or resources needed to support those on other architectures which are already supported by debian. And for the remaining packages which had to be repackaged, I strongly assume that most of them had architecture any or all specified in their debian control file, which means that the CI can build all architectures at once anyway, which means that repackaging them for multiple architectures doesn't constitute significantly more work then packaging them for one architecture. Considering all this, from my perspective, arguing that an architecture is obsolete or not used anyways is pointless since it doesn't improve anything, it doesn't free any time or resources, but it does harm any user of the architecture to be dropped, and it would harm devuan as a whole since it would result in inferior hardware support compared to debian. That said, that someone who provides his own repos and therefore can't use the devuan CI thing may not want or have the time to setup the infrastructure to cross compile his packages for every architecture is quiet understandable. When using someone elses repository, that not every architecture may be provided has to be expected. I don't see any problem here at all. However, there is always room for improvement, and since it appears to me that the problem isn't that the packages in question can't be compiled for other architectures, I would leave the following suggestion to the package maintainer and the devuan team for consideration: Just put the packages in experimental. This way, the CI can just compile it for all architectures, and everyone is happy again. Daniel Abrecht On 2017-07-21 21:01, Dragan FOSS wrote: > On 07/21/2017 09:02 PM, goli...@dyne.org wrote: >> Cinnamon 3.0.x (only amd64) > > I think it's best to drop 32-bit support at all... it's such a waste of > time and resources. > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 While all android phones technically use a linux kernel, they have nothing else in common with a normal Linux system. Android has it's own libc: bionic. It also has special IPC mechanisms enabled in the linux kernel, and it uses gralloc instead of fbdev or DRM. I think gralloc is the biggest problem with android phones, it's absolutely useless for everything except for androids SurfaceFlinger and canonicals Mir. I Really hope the Librem 5 will get fbdev support, so I can see boot messages on a framebuffer console, and optionally DRM support for things like OpenGL and Vulkan. On 2017-08-31 15:01, info at smallinnovations dot nl wrote: > On 31-08-17 16:14, Narcis Garcia wrote: >> El 31/08/17 a les 15:24, info at smallinnovations dot nl ha >> escrit: >>> >>> As a owner of a BQ Aquaris E45 Ubuntu version i fully support >>> this kind of free smartphone development. But i doubt of a >>> linux smartphone will be functional comparable with Android or >>> iOS within 3 to 4 years. They should use the efforts of >>> Meego/Maemo development or work together wit Jolla. And trying >>> to get support from one or more large smartphone makers. Until >>> then when i have to replace my current BQ it will be a iPhone >>> as one of the lesser evil. >>> >> All Androids run Linux. > > Sure as far as it the kernel concerns that is true. As soon as you > want hardware support for a specific SOC you depend on the > hardware manufacturer. Which are not interested in open source and > you are already lucky if they even want to deliver a binary blob. -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlmoaSUUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoH5WAf/cZtmCtR9fKNl14IUqCjf8VIZh77p hcZeBYopuu7hXgMatlHY3R2GrczQbeOSFUJziMtYfcI3FOrARRmbvm6QM1FkvCEF d9bmcFTlxRJgV9fspU6XzAjvbW4L6CRip+C94ENjtpnIzjuiLcOZfkonknTfZV9N gddRKKu/jGf8BgD9Uxuxtq4Nm6ZQagROplwzl8qetlg3G/IXMYeWxKq5wYLQR3Br A1+vN4Pk1mGauHMpqZC5yyy6mIyxii/iGNMCuQBmkk1IjpX7T5dxAu/mG58LPIuK XO4Yobb73jjLXZDB4GJS9W8ltGjqORBIC0RcS3nPkNkBCPVkLUbhI8Ntew== =c/NO -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Failure installing eclipse on jessie
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The package is at: http://pkgmaster.devuan.org/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb Or: http://auto.mirror.devuan.org/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb Or: http://devuanfwojg73k6r.onion/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb As far as I know, pkgmaster.devuan.org and devuanfwojg73k6r.onion are the same server and use the new amprolla3, while auto.mirror.devuan.org still uses the old one until amprolla3 is sufficiently tested. Looking at the file http://pkgmaster.devuan.org/merged/dists/jessie/main/binary-amd64/Packages.gz, the entry for libcommons-pool-java is as follows: > Package: libcommons-pool-java Version: 1.6-2 Installed-Size: 165 > Maintainer: Debian Java Maintainers> Architecture: all Homepage: http://commons.apache.org/pool/ > Description: pooling implementation for Java objects > Description-md5: 3a9df963586886381885c548196b37ea Source: > commons-pool Tag: devel::lang:java, devel::library, > implemented-in::java, role::devel-lib, > role::shared-lib Section: java Priority: optional Filename: pool/DEBIAN/main/c/commons-pool/DEBIAN/libcommons-pool-java_1.6-2_all.deb > Size: 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1: > 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256: > d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e The filename entry: pool/DEBIAN/main/c/commons-pool/DEBIAN/libcommons-pool-java_1.6-2_all.deb should be: pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb Looking at the file http://pkgmaster.devuan.org/merged/dists/jessie/main/binary-amd64/Packages.gz, the entry for libcommons-pool-java is as follows: > Package: libcommons-pool-java Source: commons-pool Version: 1.6-2 > Installed-Size: 165 Maintainer: Debian Java Maintainers > Architecture: all Description: pooling implementation for Java > objects Homepage: http://commons.apache.org/pool/ Description-md5: > 3a9df963586886381885c548196b37ea Tag: devel::lang:java, > devel::library, implemented-in::java, role::devel-lib, > role::shared-lib Section: java Priority: optional Filename: pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb > Size: 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1: > 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256: > d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e Here, the filename is correct. As far as I know, amprolla merges the packages for jessie from https://deb.debian.org/debian/. The file at https://deb.debian.org/debian/dists/jessie/main/binary-amd64/Packages.gz contains: > Package: libcommons-pool-java Source: commons-pool Version: 1.6-2 > Installed-Size: 165 Maintainer: Debian Java Maintainers > Architecture: all Description: pooling implementation for Java > objects Homepage: http://commons.apache.org/pool/ Description-md5: > 3a9df963586886381885c548196b37ea Tag: devel::lang:java, > devel::library, implemented-in::java, role::devel-lib, > role::shared-lib Section: java Priority: optional Filename: > pool/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb Size: > 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1: > 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256: > d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e Here, the filename is correct too. Therefore, there is probably an error in amprolla3. On 2017-12-04 01:54, lpb+dev...@kandl.houston.tx.us wrote: > On jessie, I'm having trouble the eclipse package, because I am > getting a 404 on a java package. Here's the error I get: > > Err tor+http://devuanfwojg73k6r.onion/merged/ jessie/main > libcommons-pool-java all 1.6-2 HttpError404 > > Here is my sources.list: > > deb tor+http://devuanfwojg73k6r.onion/merged jessie main > contrib deb tor+http://devuanfwojg73k6r.onion/merged jessie-updates > main contrib deb tor+http://devuanfwojg73k6r.onion/merged > jessie-security main contrib > > Any suggestions appreciated. > ___ Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlolbz8UHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoETSAf+PZ+7vm6YGacIGrhq1DGvHr62G4Q7 5DJ50x9KhlbuMqSGMaOKyGiZdoo4BLYwwYmFodXE1qOhxQNAVMjPD7yEuU248iAm COKLs1Fp7vNfBtEXbWFiR642f68GZFgELt78+Q1Hde30i34MF/jT9LXlw+coFUWe +OgwPxTlNfCa3PRsIeQSBZeU67meAY+hc4WzMr6krj4bPbPxCpA9Qx/Bw3EaRTCK 4T0lyTRHfXXuO0Ci26RLj24C7ybCwMzMjBdOaphbCPiTS9etzogbq9sUYDU/QQ5J tKUAXr7ksgnaFkXOHQEJ58At8j90A0arjQWtASPdn5e4+1WTfzUt4Mcw+g== =/3Dm -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] NFS: was mounting /usr
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I have configured everything needed to boot using PXE using NFS as root-filesystem at home some months ago: http://dpa.li/pxeboot.mp4 I export the root filesystem of an lxc container read only using NFS. It's really convenient, I can install and remove anything I want in my lxc container, and all Systems I booted using PXE will have the new programs immediately. At the same time, the PCs can't make any changes on the root file systems. But I don't actually use it, I just created that system because I can. I guess it would be pretty useful for large companies, if it weren't so slow and insecure. I don't think I could use kerberos in that case, but even if I could, I wouldn't want to use it. It's just so overcomplicated, if I could just use it over TLS or SSH directly, without any tricks, it would be so much easier. I don't even need encryption in my case, a simple way to check if the datas came from the correct place and weren't altered would be sufficient, but the only thing there is to secure NFS is kerberos, the same thing used to secure all MS stuff, the thing best used together with Active Directory, I don't like that. I think what NFS really needs now are simpler alternatives to kerberos. But I don't think mounting just /usr using NFS is a good idea, not because of NFS, but because it's technically a removable media, it may not always be there, even worse, in this case, it may be used and changed by other machines. I think the main problem here is that the current package managers can't handle installing some parts of a software on a removable media. It would be cool to be able to just install some software on some usb sticks or something, and to add and remove them when the software is needed, without the package manager and possibly the rest of the system freaking out. -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlooKZYUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoH2DAf+MBqFuxsQC7AN2jaUW4s4QAZchZma We2qXOd9x/zoeN15/Mt/pmTviYS0u3H9LGZAApmXEkk/mwXw1rYgmhQdV8XmtRgE YOP3cbzfqlRb3YJlKmW53wLMupZr9/FmO3YIpQyaBx2ZkWxF1HRTUCwYFapQJ+l4 0oRZMiX/bKIDbJckiCkKNkeyPHjR74SNsb722G5i7UiaS9wQ/AeZkjNGQbXTt3Zw 9H9lwz4Erf5LLVL//6Smp/mRqBHLYU4iCG2TYZo4YlSDkioFnqLmBrhQQlL/JqDU jkBQrRQY2Y9W7JsBGUwr33TS9ASAVGBhAJgnyf1hJfuxl7+GZcn6Hdih9Q== =1hmx -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] It's far from being over. Sigh!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2018-05-04 20:03, Rick Moen wrote: >> Librem 5 phone coming next year for me. > Ah, Librem. Let's see: > https://web.archive.org/web/20161010040458/https://blogs.coreboot.org/ blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-lib re/ > > https://web.archive.org/web/20161010100959/https://blogs.coreboot.org/bl og/2015/08/09/the-truth-about-purism-behind-the-coreboot-scenes/ > > Internet Archive links because someone (guess who?) raised a stink, > and Alex Gagniuc's comments were then taken down. I've ordered a librem 5 phone too. I'm really annoyed by the very few people that go to great lengths just to badmouth those who give their best to make products as good, libre, and user respecting as possible for them, just over some minor details. There is no such thing as a perfect system after all, and there are a lot of companies that are actually evil, to which raising awareness would help much more than complaining about those that do make a step in the right direction. Also, as far as I know, there is no other phone which: * Doesn't use gralloc and allows me to install any normal linux distro I want, not just ones for phones * Does care at all about privacy, for example by including physical kill switches * Provides development kits & documentation I can't speak for other people, but I prefer to do have a somewhat good and libre phone that I can control over no phone or phones I can't use the way I want them to. Regards, Daniel Abrecht -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlrs1iwUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoHsSQgAmlLJ1XVYSKKYnBLiQuUYLXaBRTX7 4PxBBx4iwwSdBvBow5+Lx1Y/mlb7WfHReoGf1/uhEf8fUptKGiglccDI+sUzpGU4 oz9HmvEIqY4N9s+I6JyDDaT7AkjMLSlbWkbLDreDFkfZNrfxuxcKgjVQqsah4QW7 srk1WGrg3J1hkHF0mPMmiR88Df2NJK8KSyOsC3bYwtB1ehCjiTCXC+LmnM43KrWu Bzs6KE1fJ8czkhOFUryG6eUsMxN2on2Mk++vjBdiX5+UkknZUSxqni7Cw/x1M4lS HCY3c9kGMYDIO9nv1kZWqkrrNCygldo6ZVkMJjcgJSldH6vpnER53+Afgg== =m6M4 -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] devuanfwojg73k6r.onion and pkgmaster.devuan.org are they and have they ever been the same?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2018-02-15 19:21, Fungal-net wrote: > AIt seems as obvious now that when amprolla3 tries to merge > from debian.onion debian has some amprolla like merging system of > its subrepositories (not all in a single server). Some of them may > be timing out, and amprolla3 is not forwarding those errors as > partial hits. For any packages that aren't devuan specific, amprolla3 just makes a HTTP 302 redirect to the corresponding debian server. It doesn't try to access the file from the debian server at any point, the client, in this case apt, has to follow the redirect and make a new request to the debian server. If apt reacts differently when a request fails after a redirect, which I don't know if it does, that would be a bug in apt. Of course, amprolla has to merge the package lists, but the package list is always the same no matter how you access it, and it is a normal file on the server that's not newly generated for each request. It also doesn't matter where it gets debians package lists from, since they should be the same everywhere. And of course, any file located directly on pkgmaster is the same no matter if you access it over http, https or the .onion address. > BUsing tor://pkgmaster. ...amprolla3 is hitting the > deb.debian.org (or some other clearnet address) and it never runs > into timing out issues, so tor://pkgmaster is always in tact and > consistent. It seems as in the past 2 weeks someone must have > realized what is going on and went in and adjusted the timeout > threshold, which explains the current consistent results. Or else, > there is a limit to how much I can speculate, but something seems > to have gotten fixed. I've used tor and the onion address for a long time now, and I haven't had any issues so far. But debian offers different mirrors for http, https and tor, so there is always a slight chance that only a few of their mirrors run temporarily into issues, which could cause only one way of accessing it to temporarly cause problems. > CThe political/security issue is that we (users) have been in > the blind. 1 When someone chose to shift the onion repository > address to pkgmaster (a beta system) someone should have made an > adequate announcement and such was never made, not in the webpage > not in the "officially official forum" that no developer has ever > visited. I did notice that change too, it was a long time ago, but even though it would have been nice to know in advance, it did not make any notable difference for devuan jessie, and devuan ascii wasn't even in beta at that time. If anything, I'm glad they made the change, because even though there have been minor issues with very few ascii packages, not using pkgmaster would have caused even more problems, some problems had to be expected from something not released yet, and these problems have been widely known, were easy to fix, and had to be expected. I guess someone should make a small notice on the web page that the .onion address goes to pkgmaster and not to auto.mirror, but it'll probably soon no longer matter anyway, since amprolla3 probably replaces amprolla anyway, or are there plans to keep both running? > 2If the admin of the pkgmaster.devuan.org can distinguish > whether a connection is using onion or clearnet (apart from tor, > they are not the same you know, you can use tor to access any > clearnet address that has not blacklisted all exit nodes, but you > can not use http/https to reach an onion address) either the server > on the onion address is a different server (as allowed to conclude > by differential parallel results) or it is forwarding those > connections to "other" servers. That ability to distinguish the > two and act based on that distinction is problematic! No, from everything I have seen so far, the onion address and pkgmaster are definitely the same server*. And it's absolutely necessary to make the http redirects to the http debian repo, the https redirects to the https debian repos, and the .onion redirects to debians .onion repos. You see, the different ways to connect to the repos cover different threat models. One may want to use http if he intends to use one of a pool of mirrors, and there is noone causing trouble (like ISPs inserting ADs for example). One may want to use HTTPS if there is someone causing trouble. One may want to use tor if he either wants a direct connection to the server, since they don't trust all their Certificate Authorities etc., or if they need to stay anonymous. Most .onion sites don't provide SSL certificates, since the connections are already end to end encrypted anyway, so they use http instead of https. But if we were to unconditionally make the redirects to debian servers to their http mirrors, a bad exit node could cause problems and, for example, delay new packages and updates. Similarly, redirecting https to http wouldn't work, since bad ISPs could cause problems again.
Re: [DNG] Provides: libsystemd0 (was Re: systemd and ssh-server)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2018-07-26 14:32, info at smallinnovations dot nl wrote: > It would help maintaining packages that depend on systemd too. You > only would have to add some code to use the libnosystemd instead > of libsystemd0. If a libnosystemd package provides libsystemd, then there shouldn't be any additional code or checks necessary in existing programs. But both, replicating and changing "the libsystemd API" is wrong. libsystemd is really badly and monolithically designed. It's main problem is that it doesn't have an API, it has a lot of different APIs in a single library! This prevents providing packages with dynamic libraries replacing only one of the APIs. Therefore, ideally, the systemd developers should split the libsystemd libraries in smaller ones providing just one API per library. Something like libjournal for their logging API for example, instead of munching it together with everything else in libsystemd0. But I doubt that anyone of the systemd devs ever had that insight, I would even suspect they put everything in the same library on purpose, allegedly for simplicity, but in reality for better lockin. If a libnosystemd package is made, the different systemd APIs should be defined, then some library names, and finally it should do nothing more than forwarding the libsystemd function calls to the individual libraries for the different APIs if said library exists, and otherwise either do nothing or return an error depending on what would be worse. This way, it would be possible for different people to provide various implementations for different systemd APIs, without requiring them to implement all of them. Another problem could arise though, how stable are the systemd APIs? I once wrote https://git.devuan.org/devuan-packages/sd_journal_shim , it generates the libjournal library and just provides a subset of systemds logging functions so it can be used as a shim for those, even though it can't replace libsystemd. I think it's still in experimental, even though I'm not sure if it still works, because thankfully, noone seams to use the systemd journald APIs still, so noone seams to have had any need for this shim. Also, I think any such library should make it clear that it's existents doesn't justify libsystemd usage and discourage developers from using it. On 2018-07-26 16:17, Steve Litt wrote: > sysvinit and OpenRC typically have init scripts tens or > hundreds of lines, making init integration of an application seem > like an arcane art. What are they thinking? IMHO these immense and > unfathomable init scripts are what opened the door for systemd. > Those init scripts allow for any kind of scripting language to be used, and thus also allow for the usage of ones that look like unit scripts. I made an interpreter that allows yaml for declarative init scripts that could be used with sysvinit or openrc: https://github.com/Daniel-Abrecht/unitscript Daniel Abrecht -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAltaHIEUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoGFbQgAsMfbIVyfKDj3Ze962oUrqSZoNFLR cTxcu73bUQxHuDVJhd9myXExBYtZgXtKLPMiCrIrOdKzwpGWNLkola7Fg2ggYQgJ jbWitQrpTgkUY3hrBdzkU8hBjKFkbMo7uXFGWbLa1q36gUyUwz44lX3HA8FM69Ax FYb4Cz6eLW7iDrWUtt3Ti5Ku4r8VY0nAgMNRP9U/fE5jrsVl5eSvtHkfOsfICMrR I13RtJ2evFkAty4HWicDrh3ejagLPP353jgRC7POjCaPdgEABd6CrHhIyYbJpkVS EYLl7ZJHaw171pKrQz6WRSTX/Xl/ybt+vv91Ia8TpHzgVKjsSDLGgORnQw== =Lc8K -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Wicd + dhclient no longer sends the correct host name and doesn't request search domains anymore in ascii.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I don't have time to do something about this at the moment, so I'll just inform everyone here about this problem and add the debian maintainers to the CC of this mail, so whomever has time or needs to know about this at least knows about this issue. In devuan/debian jessie, wicd does send the hostname and requests the search domains in the DHCP reply, but in ascii/stretch, it no longer does so. I believe it uses dhclient with a different dhclient.conf than before, but I don't know what exactly changed. There is an option to set the hostname in wicd, but using it doesn't have any effect and it's off by default. The hostname option is often used by dhcp servers to notify the local dns resolver about new clients, which makes it possible to use their hostname instead of their IP to access them. I think the default should be for the hostname to be sent, because it used to be that way, it may break existing setups and cause a lot of troubleshooting otherwise, and I don't think not having it helps with anything. The domain search option is important to get all search domains. A lot of networks, mine too, are split into different parts. One for lan and one for dmz for example. In that case, it's quiet common to have both in the search domain list. My search domains are "dmz.abrecht.li lan.abrecht.li". This way, I can access both, local clients and my servers using just the hostname and don't have to write out the whole domain. There are some other use cases too. I've only ever seen Windows machines not requesting search domains before, but I alway took for granted that they work everywhere else. They work by default on iOS, Android, Mac, and usually Linux, except if using wicd+dhclient in ascii/stretch. Not requesting the option also won't add any security benefits, because in that case the domain name is used as search domain. But that's insufficient for multiple domains. I'm still on wicd version 1.7.4+tb2-4, which is the same in debian and devuan, and not on the devuan version from backports, but that shouldn't make a difference since these versions only differ in some dependencies and nothing else. I've used "tcpdump -vvv port 68 or port 67" on my dhcp server to capture the DHCP requests. Here is one when using wicd: tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 18:46:58.202250 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 60:36:dd:26:4a:bc (oui Unknown), length 300, xid 0x9160d35, Flags [none] (0x) Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown) Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Discover Requested-IP Option 50, length 4: 10.60.10.188 Hostname Option 12, length 10: "$_HOSTNAME" Parameter-Request Option 55, length 7: Subnet-Mask, BR, Time-Zone, Default-Gateway Domain-Name, Domain-Name-Server, Hostname END Option 255, length 0 PAD Option 0, length 0, occurs 29 18:46:58.202649 IP (tos 0xc0, ttl 64, id 8355, offset 0, flags [none], proto UDP (17), length 336) dog.bootps > 10.60.10.188.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 308, xid 0x9160d35, Flags [none] (0x) Your-IP 10.60.10.188 Server-IP dog Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown) file "legacy/pxeboot.0"[|bootp] 18:46:58.206962 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 60:36:dd:26:4a:bc (oui Unknown), length 300, xid 0x9160d35, Flags [none] (0x) Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown) Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Request Server-ID Option 54, length 4: dog Requested-IP Option 50, length 4: 10.60.10.188 Hostname Option 12, length 10: "$_HOSTNAME" Parameter-Request Option 55, length 7: Subnet-Mask, BR, Time-Zone, Default-Gateway Domain-Name, Domain-Name-Server, Hostname END Option 255, length 0 PAD Option 0, length 0, occurs 23 18:46:58.269305 IP (tos 0xc0, ttl 64, id 8357, offset 0, flags [none], proto UDP (17), length 336) dog.bootps > 10.60.10.188.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 308, xid 0x9160d35, Flags [none] (0x) Your-IP 10.60.10.188 Server-IP dog Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown) file "legacy/pxeboot.0"[|bootp] Here we see that "$_HOSTNAME" was sent as hostname, instead of the real hostname. I think this is clearly a bug. Also Option 119 wasn't requested, which is the
Re: [DNG] The FSF seems to have finally sold out
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2018-03-08 16:34, Alessandro Selli wrote: > https://puri.sm/shop/librem-5/ > > 155.26% funded > 4,339 backers > > $2,328,966 raised of the $1,500,000 goal. I'm one of the backers. I pre-ordered the phone and the dev-kit. I think what they are doing is truly amazing and important. They have created good hardware, cooperate with the FSF and the OSS Comunity in every way possible, and do their best to keep their products as libre as they can. But most importantly, they are creating a real linux phone! I've seen the other so called linux phones. I've had an Ubuntu Phone. I was really hyped up when I got the Ubuntu one, but I was really letdown by them soon. It used regular Android drivers, their Mir supported gralloc, but X nor Wayland did. It wasn't possible to install another distro. It wasn't even possible to use apt, because they choose to (OTA) update the phones with tar archives!!! It's the same with other linux phones. They don't build their own phones, they use gralloc, and they can't run other distros. But the purism librem 5 will be different. I believe this will finally be the phone I was waiting for. One, where I can install my distribution of choice, devuan. One, where I am in control what's installed on it and what it does. One, which I will even be able to completely replace my PC with. This is something no one else could or wanted give me. Purism is yet another step in the right direction. With all the things that go wrong in this world, I will do everything I can to make things better. -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlqkeHYUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoFXlQgAlaAWnGVu/G98Nx8k2tHk0HnCwsAF XSDUe6BW/5bs+YKcQTGE5JGAp8AOnxpdtJZ9Kmo8ZOzXsi0CLkM6FtghDnyRkXBQ YklxNJfuRgl/VKTdBYmQ/D9DW88+jD3nxZEAzrCUgYFzaU/Y7A1XO2ogLPzsKL3b 9LX0YJbCTGNROidTusdF9sNzM4ApMYukPdSypD9qgBn5ZplWJ3hhI4EO7iOZPE/d HHFgPpKlZ6jeMeSo+f6kEXLNd1bUrxLQDbfyMuKu+QOJGqHgyjc/MK59WuQ3W5fA vmRgaZXr2VUPXXNzI4IrSGFIPhl5S7Si5ExMk0GNWb+O7X9UPj8cjvtlCw== =Zxu2 -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Is the removal of powermgmt-base from apts' suggested packages a problem for us?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I've been following the apt mailing list just in case. Someone wants to remove powermgmt-base from apt's suggested packages, claiming it to be obsolete and only used on non-systemd systems anyway. Should we be worried about this? I've made a copy of the package source of powermgmt-base and pm-utils using "apt-get source" to be prepared just in case they suddenly disappear. Here is a link to the bug report on the debian bug tracker: https://bugs.debian.org/891610 -BEGIN PGP SIGNATURE- iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlqVYRgUHG1lQGRhbmll bGFicmVjaHQuY2gACgkQcASjafdLVoHDmQgAjL71jUnUAxwnavrF5kJNZ115ADn/ pvI7BitAYJsDmbvkCPRUlYtWJPPr/OivPz2zXDctzwMO0C5rNoa+CFqtiuEejOgt 3NVgIhInqMPRiC0OuIbqIm8TYDO86dYxaj5Wi4QXGKKNRytH2SOzdUDfaM2yOuIo W20RHQ9bEm6rlbsRjL7C5BOGvfSWV543SNQc6aQYHa0DN2KNanNRcyU+FvHxBN4J 554PYvddEvGA7e9j7EzNqoEBnNHOm5E9rsKMMtpqPDG0LbrV+WRz0sXJTz8L0QHY Nj1wVQsKIVVQgO6nlu2ZFU96xEOKWpqFXP6BJLqH7jlgBq8uWi9hKBw6sA== =r6PC -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Everyone OK for using the logger program for runit logging?
On 22/10/2018 19.38, Steve Litt wrote: Is logger just another sister of syslog-ng and rsyslog? logger does per default log to the system logger. That can be rsyslog, syslog-ng, or any other system syslog daemon, really (with the exception of journald, which does it's own thing.). This is why I think everything should log to the system logger, which can then still log everything to log files or to another server or anything else. logger is one of the few logging clients which even support rfc5424 and its structured data elements, so I quiet like it, but I think anything that can log to the syslog unix socket is fine. So, long story short, logger is a syslog client, while rsyslog, syslog-ng, etc. are logging daemons/servers. There is currently no c logging library with rfc5424 support I'm aware of (only rfc3164), while every logging daemon/server does support it, but thats a different and minor problem. (I really should write one and update my libjournal-shim) Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [devuan-dev] Debian Buster release to partially drop non-systemd support
On 19/10/2018 15.04, Enrico Weigelt, metux IT consult wrote: OTOH, we could (as mentioned in another thread) invent some small declarative config file format for expressing at least the very common cases There already is init-d-script (5). https://www.commandlinux.com/man-page/man5/init-d-script.5.html Before I knew about this, i wrote unitscript: https://github.com/Daniel-Abrecht/unitscript But unitscript still lacks a lot of features and testing, and I don't really have time for this at the moment. It also isn't a debian or devuan packet yet, so using init-d-script is probably preferable. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] The D in Systemd stands for 'Dammmmit!'
On 27/10/2018 19.38, Steve Litt wrote: I say: You must use strncpy()/strncat() because strcpy()/strcat() are soo old. What's it been now, 30 years since the strn versions of those commands have been around? You'd think they'd have taken that in and adopted it by now. But no! strcpy/strcat can be used safely if the length of the strings beforehand is checked properly. I've seen people changing perfectly fine code because some tool warned about functions being unsave, and then introducing bugs in the process I had to fix afterwards. There was an instance where some combination of strlen and strcpy was replaced by a strncpy, and of course they forgot that strncpy doesn't add the null byte if the buffer is full, and they missed that it fills the remaining buffer with null bytes otherwise too. Sure strcpy is dangerous, but strncpy isn't any better either. In fact, most things in c involving pointers and/or arrays are dangerous to do, it's easy to misunderstand semantics and intent of such code. I think strlcpy/strlcat are the functions which are the easiest to not use wrongly, but sadly they are non-standard, and even with those, people will still manage to make mistakes. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Devuan on a Purism
On 31/10/2018 15.00, Hendrik Boom wrote: On Wed, Oct 31, 2018 at 09:44:48AM +0100, Martin Steigerwald wrote: Hendrik Boom - 31.10.18, 01:49: Now they're working on a Purism phone. They do seem to intend it to work with a variety of GNU/Linux systems. They're currently hoping to get some developers to adapt their free software to Purism's mobile hardware. AFAIR Purism also contact both the KDE and GNOME communities about adapting their desktops. Maybe some developers got test machines. I know they were selling development boards. But a development board doesn't have the same ergomonic affordances as an actual mobile device. I've ordered both back when their crowdfounding campaign was running. The devkits aren't for sale anymore, but the phone is still available for pre-order. The devkits haven't been delivered yet. Initially, they made one with i.MX6 processor, and posted images of it working. But then they decided to switch to the newer i.MX8, and that in addition to some other things delayed things a bit. The last estimate I know of was around the middle of October, but given the mails their devs accidentally sent to the public development mailing list around that time, (they renamed the mailinglist domain afterwards to make sure that doesn't happen again), they just got the Bord to boot to the console with the new core around that time, and they can't make changes to the hardware anymore. So I assume the boards may already exist, but I expect until they finish the software side and finally ship them, it'll probably take at least another month. The phone has already been delayed too. All the software is publicly available on their gitlab: https://source.puri.sm/Librem5 They have some documentation for new devs (some stuff needs an update though): https://developer.puri.sm/ There are instructions to setup a qemu vm, but I haven't done anything yet, because a VM just isn't the same thing. The mailing lists for the librem-5 are pretty quiet. They used to read them though. Most communication is probably on matrix, but I haven't looked at it yet. There is a someone at a mastodon instance somewhere who gives interesting updates, I forgot where exactly. Their twitter account mostly posts links to the usual boring public stuff, and they don't seam to read development questions sent to their twitter account. The mailing lists and matrix stuff can be found in the documentation too: https://developer.puri.sm/Contact.html There have been 21 progress reports as of now: https://puri.sm/posts/librem5-progress-report-1/ https://puri.sm/posts/librem5-progress-report-2/ ... (just replace the number in the url) https://puri.sm/posts/librem5-progress-report-21/ I hope they ship the devkit soon, I want to install devuan on it too. Getting a Desktop Environment and Apps to work so it is usable could then become a bit tricky though. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Devuan on a librem5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 19/11/2018 02.01, Arnt Karlsen wrote: > ..you mirror straight off http://pkgmaster.devuan.org/merged/, or > off http://pkgmaster.devuan.org/devuan/ and pull some amprolla > style stunt? I don't pull any amprolla like stunts, I just use apt-mirror. I kind of mirror pkgmaster.devuan.org once per day, but using it's tor/onion address (devuanfwojg73k6r.onion), which is kind of unnecessary, but I didn't have a reason not do that either, so why not. I'm currently mirroring ascii and beowulf, including the -updates, - -security, -backports, and -proposed repos. I mirror the amd64, arm64, armel and armhf architectures. The stuff I mirror is also accessible at https://mirror.dpa.li/, but my Internet connection is sometimes a bit unreliable, so I don't recommend using it. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlvzT3kACgkQcASjafdL VoHENAgAnu9PhjyKRXdmJ0MDapyCaga3JzlzlAgXiQeWv0nGCRriqVXpliJM5yKH nWzuCwPy8KM+eL7KZQHF9JXEJmvBHVBQG2hj+CX2qVljBThs0rl8JtoizHPUA6mx pkuAJ6fTZVt1EFz/I2SXmWE6cShXDerl28d6GHC5Upm7z4Npmg0zj0lV1vEBpdor HTDqDcRlpOlN9+IJyZNN2dRq3BUHRcm5MIKP0aJt8WW8sYvgEX9CAPi9ybL4dCbe yXMwv//zRzK9qaJywL6Fa9s43lxULIt6gIQbZ02Wtgf5pQvwDbDjr+MmsoHGhK7G PttO5XEnee93LNnHw0ZxlyyBmmzW2g== =wyfh -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Devuan on a librem5
Hi everyone, I've taken a look at purisms' image-builder scripts, and then made my own for the devkit based on them to get an overview of all the components and how things work together. I don't have a devkit yet, so I don't have any idea if the images generated by my scripts will actually boot, but for those interested, this is what I've got so far: https://github.com/Daniel-Abrecht/librem5-image-builder https://gitlab.com/DanielAbrecht/librem5-image-builder It creates a really basic image at the moment, with almost nothing installed. But I think that's good enough for now, I can still add more things if it turns out to actually work. Also, I probably forgot to list a lot of the necessary packages to use this. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Devuan on a librem5
On 18/11/2018 00.45, Arnt Karlsen wrote: ..you want to do a separate "make repo" and a "make clean-repo-too", and possibly move the repo out of the build/ tree, say, to repo/ or repos/ if you have multiple repos now or later. Ok, all git repos are now cloned into the repo/ folder. I've also added a few more make targets for resetting, removing and cloning repos, and some other stuff. ..another tip is run your own lan repo mirror and point REPO = there, that way you can feed _several_ build boxes cheaply. I already use a local mirror for the devuan packages for the debootstrapping part and some other stuff, but thanks for the suggestion. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] Devuan on the Librem5 devkit
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 My devuan Images can boot on the librem5 devkit now. A lot of things, like the lcd display, don't work yet, but I'm working on it. A uart adapter is required to access the linux console, which is currently the only way to access the image after it has been flashed. The build scripts can be found here: * https://github.com/Daniel-Abrecht/librem5-image-builder * https://gitlab.com/DanielAbrecht/librem5-image-builder If anyone has cloned my repos before already, I recommend doing a "make reset", or at least a "make reset-repo" before rebuilding the images to make sure all repos are up-to-date. I also recommend doing a "make reset-repo@linux" and "make reset-repo@uboot" from time to time, to get the latest kernel & uboot, the repos are active at the moment. There is still a lot to do, I'll keep y'all updated. Regards, Daniel Abrecht -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlwqhcwACgkQcASjafdL VoE5qggAoA2dq+9lpgoEONU6DwDlehxWP7iXkUFt0uLIFn0Cr+jxjn+K9Wc6jPdy TBb2ujZcgN7oVVVbQnffKVcknyC0ISpio1y137J4teKDdK6XR35H318ept41lpMx 9PpgPx0/HxyZjW5WELN3AsFJJHbc50MFiU706tRW0dYLvhXqw+f5NcQSeQm0ddDe 9ar4IDI4ELWV+r+83BmJDMUhfmkK67XW1b3c0B1UD5ng3998EMHttKefflHI6zDs hKVQ6NWlbKMSUa8dEUSm8d4G/YMlWE0IKdhGfiYjsRDk7g4G5S3HXuBUml+NWzF3 /j7uuAYjmjIgfq4Z0Toobi/qJadDfw== =CNLF -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Fwd: April's fools mess
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 It's now clear that this was a planned action and there was no danger. But when it happened, this wasn't obvious in any way. I assume the other staff members knew about it, was it discussed at the last meeting? I really like April Fools, but this was no April Fool. Faking a crime, in this case claiming to have been hacked, is no prank or joke. It doesn't matter that it was April 1. either. This was absolutely unacceptable, never do this again! Regards, Daniel Abrecht -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlyicfYACgkQcASjafdL VoGPKwf/X3xB71RjqPHO7EyxOiZbWA1oSj4jWNRV7GegPCpTWqLOQbdbiZtTgCeI fj1J8+ec0AUiL7MU8kG6iV1feK3coOdOUFXEzUZQ312niGo4EJEoVyfSQCLM0p/6 8ecxAPghEUPIPZeZRwB1pDPNgOggPJykLSRFfMywbYDCoqJ/5OzRC0IMNQGLRUht QHC7XCROiEsMSDh6LGNg0aINLTRuQ8RiiqVtklPYMaGp/0p+zSWeDKtZuzdzBCfl x4pOPSlVuRZ3x0R43kQw9m75hC6BaiH4msJyjyzr0kTnNhs1QhaetcjjR8Ujv7Hz ii69ahPVzG6zbrcBLfjjDDE/odWlxg== =c/i1 -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] simple-netaid-backend debugged.
On 2019-03-07 19:49, Alessandro Selli wrote: Next improvement would be using current commands (ip and iw) in place of the obsolete and deprecated ones, i.e. ifconfig and iwconfig: ifconfig and iwconfig being depracted or obsolete is questionable at best. They work, get security patches if they need them, provide a stable interface, and have a stable, parseable output that's known to not change. ip and iw on the other hand, well, they aren't suitable to pass networking information to other programs because they have a less stable interface. At least with ip, that will get a bit better with the -json option. But that option isn't in debians version yet. In addition to this, ifconfig and iwconfig will also work on other unix systems, such as FreeBSD. Parsing output in regular programs is more of a hack anyway. Why can't these tools provide a library for use in regular programs? There is also the option of using the kernel interfaces directly, but then the program directly depends on linux. There really is no good option. PS: It's not like I don't use ip at all, I do use it's netns feature on one of my servers to move all it's network interfaces to a different netns, which I then use for a libvirt container, in which I setup the routing between the host system, the containers, and the VMs on my server. There is no reason why ip should do this and not a dedicated program though. I think about using network namespaces, and maybe also some filesystem & user namespaces on my desktop PC too at some point. I could probably write a pam module to isolate user homes further and put different users into different network namespaces. That way, I could make sure all connections of certain users are part of my regular network, and all connections of another users are always routed over a vpn, a proxy, over tor, or something similar. But I won't be able to use ip for that. And I won't get to that any time soon, there is just so much stuff to do. But linux namespaces are really awesome, I use them all the time, and not just for containers. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] devuan.org website down
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Devuan.org website seams to be down. I can't reach it, and neither can that checker page: https://www.isitdownrightnow.com/devuan.org.html Could someone fix that please? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlyEOw8ACgkQcASjafdL VoF9cgf/Sk0jL2//YU46u1GGyvnrTjCR2DqFK4P2B41a9YulJnnYUFB30GR/s6Tb Sqc+jZRNxC/tFwO/cft0qaexv74ULRhlH9m0mWwGJIxV8Zguub5Tj3avBhIXY4LI f+3/3Jp3UcLAyMBZ9Y4mgfce4XgoUeYsZvlX1oHkRsKMc1wpd/ky5rxIrSBWhPlW s6k7dMJEyuSex9lYrVeU1w6sjMn22oLMIkVC+AnL17x4S9jbuxPHdkzwc/i8DhTF 4+n7F+BIHRKwY5paTDsYucy19HqS6dxi0KNccMemv+j591D+FlE1QCJWg4PzdBku l+WC7jI1qvpFyrk897l5kq9QBu2r8g== =PxDd -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [ASCII] [Mutt+Torify+Fetchmail+Procmail+Msmtp] Problems torifying email
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 15/05/2019 06.31, Se7en wrote: > The problem I have been having since November 2018 when I upgraded > to ASCII was that I simply can not torify Fetchmail. I later > discovered that Mutt is affected. The problem seems to be related > to my mail spool, /var/mail/se7en. Are you using torsocks to torify applications? I wouldn't recommend that. Using iptables, it's possible to configure tor as a transparent proxy. You can redirect network traffic using iptables over tor. That can be just traffic from the local host, or even traffic from a whole network. Using linux network namespaces, you can have different independent internal network configurations on your machine. You can then enter that namespace and execute an application there. To route traffic between network namespaces, you can use virtual ethernet interface pairs (veth). It is also possible to connect them using bridges. Physical network interfaces can be moved to a different network namespace as well. All this can be done using the "ip", "brctl" and "iptables" commands. You can also use containers for this, they usually use network namespacces too. I recommend torifying the complete system if possible, or even better, a whole dedicated network. If you keep the tor devices and the other devices completely seperate, it becomes much harder to deanonymize you. Use one thing in both environments, and you may have been deanonymized. On another note, there are also a lot of online services that block tor nodes, and i think some ports like smtp are blocked on pretty much all exit nodes. It's fine for mailing between onion addresses, but not for sending mails anywhere else from within tor. Good luck, Daniel Abrecht -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlzcil0ACgkQcASjafdL VoFkCQgArT1EdxEj8NxuoxJNJu3m4gwKlxoRVseYZByKVdiJwUar0L6/RLm3Ug3E 8k2hunHzK27xqFl6epeRKryzZl1X3kQsM31y8aclQlgdzHP6Mv8HXaY9wlIHaF6a kSj9R+YxZb0OLY0i2RH8rybfze0lH0CwMx8yhZkgV087lI+1UW4H1NYantN/2p8I KOWPo5MoHxmqPkNgMBVHaCD20QWPuwhCNrxjgln9FbRQxyCcDHzV0VTKPxc6YtfP Lo789jEFyB81gW4hQgdWRpzzxoQXQ78PWau3d16z3cDUhUS2lLnsxuHUdPolBPJv Rz8hxXFzm9MOVgUOLLgFzbeDAYJuig== =Hbdy -END PGP SIGNATURE- ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Mail message headers
Hi golinux, I'm using Roundcube Webmail 1.2.3 on devuan ascii, with the following plugins: filesystem_attachments 1.0 GPLv3+ jqueryui 1.10.4 GPLv3+ Everything was installed from the regular repos. I don't have any of those strange http links in these headers. I also think this is most likely caused by a plugin of your roundcube mail client. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed?
On 2020-02-25 11:11, Hendrik Boom wrote: Which is the reason for a capability architecture. Is there anything resembling that in GNU/Linux userspace? Kind of, not really. There is something similar to role based access control, namely the unix file permission model, which is a kind of DAC. Users and groups (=roles), can have different permissions on files (reading, writing, executing). Then there are the security modules. These can extend that functionality, which is usually used to add some kind of MAC. For processes / syscalls, Linux has capabilities as a replacement for things usually reserved for root, but these usually aren't very useful, they are crude and can often be used to escalate to root anyway. For syscalls, there is also seccomp, but it's hard to use and architecture dependent, and it will break applications which use it regularly. Something which is currently missing is a way to manage permissions for specific ioctls. Usually, its per device, and some ioctls need need read or write permissions to the fd. Sometimes, that's suficent, sometimes not. There is kind of a horrible situation with /dev/dri/card* devices, if I remember correctly, you need root for the ioctls to become drm master and do modesetting, even if you have read and write permissions to the file, which is why this is delegated to logind or a suid binary, I think? One way to resolve this would be to splitt those card devices into multiple ones, but I don't think that's going to happen. I don't think configurable supplementary group based per ioctl permissions are going to happen either. Except maybe as an LSM. One interesting thing about files is that permissions are only checked when those are opened. A file descriptor is like an access token. And they can be sent over unix sockets, which can also be files. Those file descriptors are unrevokable, though. There is also a small problem with the DAC permission model. A process has only one set of user, group, supplementary groups. This means, either you can use them to restrict a program, or you can use them to restrict a user, but you can't have restrictions based on a user and a program. I was thinking a lot about this at some point, and wanted to write an LSM for that at some point, but I never got to to it. I did write down my thoughts, although retrospectively, I did make various mistakes and misused some terminology there in there: https://github.com/Daniel-Abrecht/Discretionary-Program-Access-Control/blob/proposal/Discretionary%20Program%20Access%20Control.md It's possible that there are still some other access control mechanisms I don't know of yet. ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] why is polkit needed?
Hi I would like to add my point of view to the polkit debate. I don't think polkit is bad or unnecessary, it simply has a completely different usecase/scope than sudo has. sudo is for starting a process as an other user provided some preconditions (group/user allowed to use it, supplied arguments allowed, etc.) are met. And it can retain or restrict some resources inherited from the parent process (such as environment variables, for example). Therefore, the use case is to allow some users to execute certain commands in certain ways with certain resources. I know polkit less well, but my current understanding is, that polkit is for managing access to stuff on dbus. So next, why is dbus needed? dbus is a message bus. There usually is one for the whole system, and one for each session. There are various uses and missuses for it, but I think the most crucial things are: * Notify any process interested in something of these things. * Tell other programs which can do something to do something. This can be useful for various things, for example: * A program may want to now if a device got rotated, so it can rotate a screen. * A wlan management gui may want to tell it's daemon that it shall connect to a wlan, and it may want to know what connections it already has and manages. * A phone call application may want to ring when a call arrives, or it may want to let the user initiate a call. Now, those examples are mainly things that would need the system bus. I couldn't come up with a good example solely within a user session/bus, but I'm sure these exist too, especially because dbus doesn't need a graphical session. And with that, back to polkit. It'd be bad if just everyone/everything could do system level stuff, so per default, noone can. But that would make dbus useless for a lot of things. This is the problem polkit is there to solve, there are config files specifying who (user, group, etc.) can see/use which methods calls, signals/messages, etc. Without dbus, applications & daemons could do similar things using unix sockets. However, then, every application would need their own socket, permission management, configs, etc. This would have the same security implications as just using dbus, which also just uses unix sockets, but would leave a bigger attack surface, and a lot of scattered security critical configs with different formats. Now, there is also the approach of using a suid binary for the privileged stuff. As a good and bad thing, just like sudo, this can't escape a container, unlike a unix socket passed to one could. However, it would leave the problem of a bigger attack surface, and a lot of scattered security critical configs with different formats, and is very difficult to get right. All things considered, I think for the purpose of interacting with system level daemons/services and managing related permissions, especially in cases more complex than simply shutting down the system for example, dbus + polkit is a very nice solution, especially considering the alternatives. It does have some flaws, though, such as noone knowing how to correctly configure it, for example. Regarding pkexec, I think this thing is an abomination. Starting a process is absolutely not something which should be done in a way completely disregarding resources and restrictions of the spawning process. It's kind of useful for checking if polkit works at all, but aside from that, I recommend getting rid of it as fast as possible. Regarding gksudo, I think it's intended use case is an awful thing as well. The very Idea of asking for a users password for starting a more privileged process is a bad one. It means that if the user account is breached, as soon as sudo or gksudo is used to obtain root, it could have been replaced (z.B. by changing the PATH, setting an alias, etc.) by an attacker to get the password instead, and then compromise the rest of the system. In my opinion, sudo should always be used in such a way as to work without password, and only for known "safe" commands. For everything else, it'd be much better to just log in on a tty as root. Same goes for su. One last, only partially related thing. Does anyone know how to get polkit agents working properly? If I start `lxqt-policykit-agent`, for example, pkexec won't work. If I start it as `su -c 'lxqt-policykit-agent'`, it does, but I'm pretty sure that's not the right way to do this. I'm currently on devuan beowulf, but I think debian users may have similar problems, I think systemd/logind people may have broken something in polkit... Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Help needed:[Fwd: eudev: Methods to detect if running in a container.]
Hi, What's the point of trying to detect if eudev is run in a container? Is it just to not start it in that case? Would it just fail to start in them otherwise? Is that actually a problem? And could eudev not just be uninstalled in a container? In any case, I don't like the idea of doing hacks like looking at inode numbers or trying to determine if there is a container or not. In addition to this don't like the Idea of checking for being in a container in general. Instead, I would check for reasons why it doesn't work in a container, choose a sensible thing to check for out of those reasons, and then check for that. In this case, I would assume the following, although I haven't checked: 1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is responsible for managing/creating device files 2) eudev exists for managing/creating device files in other kinds of systems 3) device files can't be created in a container 4) 3. is due to the container hypervisor removing the cap_mknod capability from containers Given those assumptions, I think the sensible thing would be to either check for the mknod capability, or check if device nodes can't be created in /dev/ due to a lack of permissions. I think that's closer to the reason why one may not want to start eudev than trying to checking if we're in a container. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] couldn't register with accessibility bus in Beowulf (workaround)
Hi I've had that problem as well. It also prevents the auto-show feature of the `onboard` onscreen keyboard from working (which was annoying on my Librem 5 Phone, where I need that feature). To me, it seams to be caused by a combination of something `lightdm` does, and something `at-spi-bus-launcher` does not do. After a login with `lightdm`, the X11 root window has the `AT_SPI_BUS` property set (`xprop -root AT_SPI_BUS`), however, it seams the `at-spi-bus-launcher`/`at-spi2-registryd` instance which created that property does not exist anymore, causing applications to fail to connect to it. In addition to this, the presence of that property prevents a new instance of `at-spi-bus-launcher` from starting. My current workaround is to remove the `AT_SPI_BUS` property, and then start `at-spi-bus-launcher` again: ``` xprop -root -remove AT_SPI_BUS /usr/lib/at-spi2-core/at-spi-bus-launcher & ``` After that, the `onboard` auto-show feature works for me for newly started applications again (this may require `onboard` restart). At least for GTK Applications, that is, I still have the problem of that feature not working for some QT applications, such as the `kate` editor. I assume that should be the same for other things which use the accessibility bus as well. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Your system is not supported by certbot-auto anymore.
Am 2020-12-08 08:41, schrieb Simon Walter: Other than a manual install, are there any alternatives? I am interested to hear how others are doing this. Let's Encrypt has a list of various clients: https://letsencrypt.org/docs/client-options/ I'm using one I've written myself (and haven't bothered adding to the list yet): https://github.com/Daniel-Abrecht/DPA-ACME2 There currently only is a solver for dns-01 challenges for it, though. And I should probably move the solver to another project/repo & make some packages and such stuff. It works pretty well overall, I didn't have any problems with it for a long time anymore. But if you put it in a cron job, make sure to set up mail notifications so you know when it fails. And make sure not to use it around 0 UTC, the let's encrypt servers tend to be overloaded and unreliable around that time. I do think TLS is an awesome and important technology, but I do not like having to rely on yet another authority (the other one being DNS registrars) to be able to operate a webpage and other services. This is why I have also set up DANE. If some day, browsers start to finally support DANE, or free certificates become unavailable, I will immediately switch to self signed certificates (and keep DANE so they could still in theory get automatically validated). Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Some RAID1's inaccessible after upgrade to beowulf from ascii
Am 2021-11-09 19:56, schrieb Hendrik Boom via Dng: I upgraded my server to beowulf. After rebooting, all home directories except root's are no longer accessible. They are all on an LVM on software RAID. The problem seems to be that two of my three RAID1 systems are not starting up properly. What can I do about it? Do you still know which devices contained the raid? I'd first check out the metadata on them: ``` mdadm --query --examine /dev/sdXY ``` Ideally, the ones for the same arrays should have the same Version, Array UUID, and a number for Events which doesn't differ much. I'm not much of an export with raid myself. In fact, I already hosed one of mine once (I followed some tutorial which suggested using "mdadm --create" for a certain thing, but it was wrong and I should have used --grow instead). Anyway maybe try explicitly assembling the devices as a new raid device. There is also a --readonly option that should avoid it doing anything to the array, and a --readwrite option, which could be helpful. ``` mdadm --assemble /dev/md5 --readonly /dev/sdXY /dev/sdXY ``` If that works & the raid device works fine (maybe try mounting it), you can make it readwrite using ``` mdadm --readwrite /dev/md5 ``` Alternatively, you could also try --re-add to add devices to an existing raid again. I'd avoid doing anything with --create. I think that would be destructive. If it does stuff like resyncing after that, you can already use the device, but maybe wait with a reboot until it finishes. If you get it working, try doing the `mdadm --examine --scan` thing again / recreate /etc/mdadm/mdadm.conf. Maybe also recreate the initramfs using `update-initramfs -u`, just in case. And if all that works out, you may try rebooting to see if it detects it again. If things don't work out, maybe check for error messages / look at dmesg. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] mouse driver question
An alternative to "gpm" would be "consolation". It's based on "libinput". I've never tried serial mice, but you can probably install & start "inputattach", and then "consolation" should probably pick it up if it's installed. inputattach should also work with other things such as X11 and Wayland. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] mouse driver question
To find out what's behind which /dev/input/event* device, and generally what's going on with the input stuff on the kernel side, I usually check: "cat /proc/bus/input/devices" ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] resolv.conf
If you don't have a public domain, then the correct domain to use in an internal networks is home.arpa, see: https://tools.ietf.org/id/draft-ietf-homenet-dot-07.html home.arpa. is intentionaly set up as an unsigned delegation, so it won't break when someone uses dnssec. Other domains will fail dnssec. Unfortunately, noone seams to ever check dnssec for some reason, and noone seams to care about home.arpa either. But I'm still optimistic that this may someday change. Regards, Daniel Abrecht ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng