[DNG] apt-get update fails

[Daniel Abrecht]

Hi everyone

When I try to make an update, I get the following error:

root@colibri:~# apt-get update
Hit http://auto.mirror.devuan.org jessie InRelease 
Hit http://auto.mirror.devuan.org jessie-updates InRelease
Get:1 http://auto.mirror.devuan.org jessie/main Sources [7,082
kB]
Get:2 http://auto.mirror.devuan.org jessie/non-free Sources [99.0
kB]
Get:3 http://auto.mirror.devuan.org jessie/contrib Sources [50.8
kB]
Get:4 http://auto.mirror.devuan.org jessie/main amd64 Packages [6,794
kB]   
Hit http://auto.mirror.devuan.org jessie-security InRelease   
E: Release file for
http://auto.mirror.devuan.org/merged/dists/jessie-security/InRelease is
expired (invalid since 23h 18min 11s). Updates for this repository will
not be applied.

This also happens on the tor mirror:

root@mouse:/usr/src# apt-get update
Get:1 http://devuanfwojg73k6r.onion jessie InRelease [108
kB]
Get:2 http://devuanfwojg73k6r.onion jessie-updates InRelease [119
kB]
Hit http://devuanfwojg73k6r.onion jessie-security
InRelease   
E: Release file for
http://devuanfwojg73k6r.onion/merged/dists/jessie-security/InRelease is
expired (invalid since 23h 17min 54s). Updates for this repository will
not be applied.

Could someone please fix this?

Regards,
Daniel Abrecht

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] apt-get update fails

[Daniel Abrecht]

Hi Florian

I know about the workaround. I just wanted to make sure the people who
need to know about this issue know about it. Also, I hoped to get some
more informations on how this could happen in the first place. Are the
IRC discussions archived somewhere?

Regards,
Daniel Abrecht

On 11/06/2016 03:03 PM, Florian Zieboll wrote:
> On Sun, 6 Nov 2016 14:41:23 +0100
> Daniel Abrecht <d...@danielabrecht.ch> wrote:
>
>> When I try to make an update, I get the following error:
>>
>> (...)
>>
>> E: Release file for
>> http://devuanfwojg73k6r.onion/merged/dists/jessie-security/InRelease
>> is expired (invalid since 23h 17min 54s). Updates for this repository
>> will not be applied.
>
> Hallo Daniel,
>
> as mlsmith stated on IRC #devuan [1], you can work around this issue with 
>
> $ apt-get -o Acquire::Check-Valid-Until=false update
>
>
> libre Grüße,
>
> Florian
>
>
> [1] https://botbot.me/freenode/devuan/search/?q=Check-Valid-Until 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Won't boot after dist-upgrade

[Daniel Abrecht]

On 12/19/2016 10:08 PM, marc wrote:
> And completely unrelated: The devuan I have doesn't mount the
> cgroup fs (debian seems to rely on systemd to that), so if you want
> to use lxc, you might want to add
>
> mount -t cgroup cgroup /sys/fs/cgroup 
>
> to your startup scripts.

I'm using the cgroupfs-mount package for this.


regards,
Daniel Abrecht

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] gvfs depends on libsystemd0

[Daniel Abrecht]

On 04/09/2017 08:01 PM, Steve Litt wrote:
> On Sun, 09 Apr 2017 08:24:15 +0200
> Joachim Fahrner <j...@fahrner.name> wrote:
>> without gvfs PCmanFM does not mount external usb drives
>
> Somewhere back in the archives I submitted a shellscript to
> automatically mount thumb drives without a file manager.

I think automatically mounting thumb drives is very different from
mounting them when I klick on them in my file manager. Things like
automatically mounting removable medias or even auto starting
applications, I don't want that. What if I want to rescue a faulty
thumb drives for example, automatically mounting it would could
damage it even further. I think that Linux doesn't do or change things
on it's own like Windows used to be a big strength of it.

Daniel Abrecht





signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] tiny service state api [WAS: Fwd: init system agnosticism]

[Daniel Abrecht]

On 2017-04-14 20:16, Simon Hobson wrote:
> "Enrico Weigelt, metux IT consult"  wrote:
>
>>> For those of us who put consistency above boot speed, simply changing
>>> the init script so MySQL doesn't flag as "started" until the daemon
>>> is up and ready to accept requests would fix it;
>> But then you'll have kind of daemon who watches mysql until it's really
>> ready and then signals back to the service monitor, so it can proceed
>> with the other services. In the long run, sounds like a maintenance
>> hell to me.
> Which is why I said I can see some value in a simple 
> communication/notification system. Ideally you'd have MySQL itself make 
> status calls along the lines of "I'm starting but not ready" and hopefully 
> end with "I'm now ready for business". The latter would then allow other 
> processes that depend on a working database to continue.
> At present, IIRC the script starts the MySQL process, then loops round 
> waiting for  to appear - at which point it assumes MySQL is ready 
> for action and prints OK on the console.
>
>
> That way, there's a standard way for processes to communicate their status, 
> and a simple and standard way for dependent processes to determine if 
> something they need is ready yet.

I still think this isn't a problem the service manager should attempt to
solve. This is a situation where the database is temporary unavailable,
for which there are many possible reasons. The services which relay on
the database should be able to handle such a situation gracefully, or
they are just not yet stable enough.
I would expect a service which has to handle a task for which it needs
the database to return an error in this situation, but to continue
working. Once the database is available, and a new task arrives which
requires the database, the service should work as expected. If such a
service needs to do some initialization using the database, it can just
re-queue that until the first successful database connection. This way,
there isn't even a need to start the database first, the service would
be rock solid, and there wouldn't be any need for the service manager to
handling such edge cases. Just keep it simple.




signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] tiny service state api [WAS: Fwd: init system agnosticism]

[Daniel Abrecht]

Hi

From my point of view, systemd always tries to keep services running, no
matter how hard they fail, and to mask possible problems when starting a
service, so the service maintainers don't have to fix their service,
which is really unfortunate.

In case of those service state notifications with sd_notify, I think
they are usually used to signal when a service is starting, but not
ready yet. This may seam reasonable at the beginning, but I think it
fixes the problem at the wrong place; When a service needs another
service, but it's temporary unavailable, it should cause an error or
warning to be returned and logged, but it should never be a fatal error
which causes the service to stop. When a service needs to handle this
situation on it's own, it will become more stable over time. If this
task is taken away from it, it will become fragile, and relay on the
service manager. I think this would be really dangerous, because it
could lead to cascades of failing services once one service fails. At
some point, a service manager couldn't possibly handle that anymore and
there would just be waves of restarting and failing processes.

Daniel Abrecht




signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] FF pulseaudio hard dependency is here

[Daniel Abrecht]

On 03/12/2017 03:49 PM, Renaud (Ron) OLGIATI wrote:
> On Mon, 13 Mar 2017 01:55:27 +1100
> Andrew McGlashan  wrote:
>
>>> Plus, on Ubuntu (I am yet to fully test Midori on the Devuan laptop) I
>>> found out it has many addons I was afraid wouldn't be available:
>>>
>>> Adblock "Block advertisements according to a filter list"  
>> The best blocker is "uBlock Origin" both words, not just uBlock.
>>
>> They say they are not an ad blocker, but they block ads and other bad
>> stuff by default -- is that available for Midori?  If it is, go with
>> that in place of Adblock (any variant).
> Have you considered rolling your own add-blocking with a list of unwanted 
> sites in /etc/hosts ?
I'm using the block lists from Pi-hole on my local DNS Server, which has
the benefit that I don't need to install an AD-blocker on each of my
devices.




signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] grub background image

[Daniel Abrecht]

On 2017-04-14 19:27, Joachim Fahrner wrote:
> Am 2017-04-10 00:39, schrieb fsmithred:
>
>> desktop-base is supposed to handle that, but it's not cooperating.
>> You can
>> bypass it by adding the following (one) line to /etc/default/grub
>>
>> GRUB_THEME=/usr/share/desktop-base/grub-themes/desktop-grub-them/theme.txt
>>
>
> Thank you for that hint.
> The correct entry is:
> GRUB_THEME=/usr/share/desktop-base/grub-themes/devuan/theme.txt
>
> This is a very nice grub theme. I'm wondering why this is not set in
> the default installation?
>
> Jochen

I don't have that file. Which package contains it?

Daniel Abrecht




signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Daniel Abrecht]

I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
bounced mails, probably because I forgot a DMARC DNS entry for the
report receiving mail address. I have changed my DMARC policy from
reject to quarantine for now.

That said, I won't remove the DMARC record completely, and I plan to
switch my DMARC policy back to reject after this issue has been
resolved. A lot of people claim that DMARC won't work with mailing
lists, but this isn't correct, it's just that most mailing lists aren't
configured in a way that makes DMARC usable, (and no, changing the from
address isn't the correct solution.)

I use DMARC and believe it to be necessary because it allows me to:
 1) Make sure nobody can use my E-Mail address to impersonate me or send
spam
 2) I will be notified if anyone attempts to do so
 3) The recipient can check if the message content was changed

That said, the correct way to deal with DKIM, SPF and DMARC protected
mails is to:
 1) Provide an SPF record. This mailing list doesn't seam to have one
 2) Don't change anything from the message below the DKIM headers, add
the other headers before the DKIM signature instead. This will also
solve the problem that some mail clients like the android mail client
don't display text-only mails correctly.

In think the email body, subject and from header shouldn't be altered
anyway. Of course, changing the from header and removing the DKIM header
would avoid the problem as well, but I'm against that solution since it
obscures who wrote the mail.

I haven't done much with mailman yet, so I don't know how it needs to be
configured or if it can even be configured that way. I'll take a look at
mailman in a few weeks.

I've attached two versions of an email I've sent to the list earlier.
The first one contains the message as I received it again from the list.
The second one is edited in such a way that the added headers and the
original message body are preserved and the DKIM check succeeds, only
the added mailing list signature was removed.

Daniel Abrecht


mails.tar
Description: Unix tar archive


signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [test] Excessive bounces

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

This is just a test mail, please ignore. This time without MIME/PGP
signing, because it causes mailman to add a multipart header before
the message, which interferes with the DKIM check.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJZg2sXAAoJEHAEo2n3S1aBDcUH/3CwGtjBX/tWq8bO9X6cAgKU
ApKNiNCTUu/CATJ9PqeG3iwgGDDjOZwF9Ral0Eq70YspEosfPnOh9QxMqD/F/Qvu
Pn6F1WPBXZSscjXMEUxPhBr19K3wprwm6dbfj+EUHR8KDAYILgjH4mqDiLf+6PAK
CMVWuqXUYthNEYYn6OPNNcIjoYv+UDpoPgwxEHZ8YfGimw3q0fuQKCcZDMM4hFsI
vHT3PnvsJbe0eB7aTzTmETCfoyvuan+uaEpLijz1ydL2yPN6dKySYNK3EM01u0sS
yFTdinPPzFL+J99oCosArKMLJMk/Ie0eMmiGwz0Rn08N8zB8A4u/94MXh3tRkI0=
=aZyR
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [test] Excessive bounces

[Daniel Abrecht]

This is just a test mail, please ignore. I have changed my OpenDKIM
config again, and added Return-Path, References and In-Reply-To to the
list of headers to be not covered by DKIM.  (also, I switched back to
MIME/PGP signing, I think I'll just have to search a better mail client
for that.)

Daniel Abrecht



signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] VBScript Injection via GNOME Thumbnailer

[Daniel Abrecht]

Since thumbnails have to be generated somehow, they need some kind of
generator. To use plugins, which are resembled by executables in this
case, is a perfectly fine approach for this.

The real problem is that despite it's well known that thumbnail
generators have a really big attack surface, nothing has been done to
limit the impact of vulnerabilities in thumbnail generators.

An easy approach for safe thumbnail generators would be to enforce
secomp before the plugin for thumbnail generation is loaded/executed.
This would allow to prevent a thumbnail generator to do anything but
reading from the file which needs a thumbnail, writing to the thumbnail
file/memory, and maybe some memory allocations, which could be further
restricted using rlimits.

My guess on why noone actually does this is because it would break any
existing thumbnailer and programs like imagemagic couldn't be used for
thumbnail generation anymore.


Daniel Abrecht



signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] VBScript Injection via GNOME Thumbnailer

[Daniel Abrecht]

On 2017-07-18 20:07, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 06:15:20PM +0000, Daniel Abrecht wrote:
>> Since thumbnails have to be generated somehow, they need some kind of
>> generator. To use plugins, which are resembled by executables in this
>> case, is a perfectly fine approach for this.
> 
> Uhm, but why?  I can understand a thumbnail for an image file: it may be
> useful to see what's inside without having to open it.  But there's a limit
> to thumbnailing.  If it's an .exe, give it an icon that says "EXE" (or a
> broken four-panelled window image), and that's it.

It isn't possible to predict every image/file type a user may have to
deal with, therefore others need a way to add support for not per
default supported file formats. Additionally, if a developer writes a
program, a 3D game for example, and it uses a custom file format, for a
game level for example, said developer may want to add thumbnails to
those files. A plugin system allows for this, and it enables the
developer to choose to include a thumbnailer, it leaves the choice to
include the thumbnailer in a package to it's package maintainer, and it
allows the user to install or remove the thumbnailer. If there is no
thumbnailer, a default icon for the file is used. At any point, anyone
can decide if they want generated thumbnails for certain file types or not.

That said, I don't see a reason to not provide a way to display
thumbnails for exotic file types. I don't even see a problem in
generating thumbnails for exe files. Most exe fils are just like some
archive file containing some icon files, so whats wrong with someone
providing a thumbnailer extracting those icons? Why should that be any
more dangerous than generating thumbnails for any kind of image? There
is no reason any thumbnail generator couldn't have any bugs, therefore
it would make the most sense to prevent bugs in thumbnailers to have any
security impact.

>> The real problem is that despite it's well known that thumbnail
>> generators have a really big attack surface, nothing has been done to
>> limit the impact of vulnerabilities in thumbnail generators.
> [...]
>> My guess on why noone actually does this is because it would break any
>> existing thumbnailer and programs like imagemagic couldn't be used for
>> thumbnail generation anymore.
> 
> Actually, imagemagick is one of worst offenders here.  The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

Yes, I know. I didn't mean to imply that keeping existing thumbnail
generators or using imagemagick for thumbnail generation is a good
thing. I just tried to reason why thumbnails may still be generated in
an insecure manner. If I had the choice between keeping every desktop
system insecure forever or breaking every thumbnailer ever created, I
would always choose the later. However, I don't think that's an option
for gnome or KDE.


Daniel Abrecht



signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [Desktop-Environment] Cinnamon and MATE

[Daniel Abrecht]

I think this is getting ridiculous. How did we get from XY was compiled
for one architecture by someone who made XY available in his own repo to
we should drop support for [random but common other architecture] for
all of devuan?

Devuan offers a sane alternative to debian without systemd, it is what
debian should have been. Since most packages come from debian anyway,
without any need to recompile them, there is no extra time or resources
needed to support those on other architectures which are already
supported by debian. And for the remaining packages which had to be
repackaged, I strongly assume that most of them had architecture any or
all specified in their debian control file, which means that the CI can
build all architectures at once anyway, which means that repackaging
them for multiple architectures doesn't constitute significantly more
work then packaging them for one architecture.

Considering all this, from my perspective, arguing that an architecture
is obsolete or not used anyways is pointless since it doesn't improve
anything, it doesn't free any time or resources, but it does harm any
user of the architecture to be dropped, and it would harm devuan as a
whole since it would result in inferior hardware support compared to debian.

That said, that someone who provides his own repos and therefore can't
use the devuan CI thing may not want or have the time to setup the
infrastructure to cross compile his packages for every architecture is
quiet understandable. When using someone elses repository, that not
every architecture may be provided has to be expected. I don't see any
problem here at all.

However, there is always room for improvement, and since it appears to
me that the problem isn't that the packages in question can't be
compiled for other architectures, I would leave the following suggestion
to the package maintainer and the devuan team for consideration: Just
put the packages in experimental. This way, the CI can just compile it
for all architectures, and everyone is happy again.

Daniel Abrecht

On 2017-07-21 21:01, Dragan FOSS wrote:
> On 07/21/2017 09:02 PM, goli...@dyne.org wrote:
>>  Cinnamon 3.0.x (only amd64)
> 
> I think it's best to drop 32-bit support at all... it's such a waste of
> time and resources.
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng



signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] TALOS 2 - The Libre Owner Controlled POWER9 Workstation/Server

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

While all android phones technically use a linux kernel, they have
nothing else in common with a normal Linux system. Android has it's
own libc: bionic. It also has special IPC mechanisms enabled in the
linux kernel, and it uses gralloc instead of fbdev or DRM. I think
gralloc is the biggest problem with android phones, it's absolutely
useless for everything except for androids SurfaceFlinger and
canonicals Mir.

I Really hope the Librem 5 will get fbdev support, so I can see boot
messages on a framebuffer console, and optionally DRM support for
things like OpenGL and Vulkan.

On 2017-08-31 15:01, info at smallinnovations dot nl wrote:
> On 31-08-17 16:14, Narcis Garcia wrote:
>> El 31/08/17 a les 15:24, info at smallinnovations dot nl ha
>> escrit:
>>> 
>>> As a owner of a BQ Aquaris E45 Ubuntu version i fully support
>>> this kind of free smartphone development. But i doubt of a
>>> linux smartphone will be functional comparable with Android or
>>> iOS within 3 to 4 years. They should use the efforts of
>>> Meego/Maemo development or work together wit Jolla. And trying
>>> to get support from one or more large smartphone makers. Until
>>> then when i have to replace my current BQ it will be a iPhone
>>> as one of the lesser evil.
>>> 
>> All Androids run Linux.
> 
> Sure as far as it the kernel concerns that is true. As soon as you
> want hardware support for a specific SOC you depend on the
> hardware manufacturer. Which are not interested in open source and
> you are already lucky if they even want to deliver a binary blob.
-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlmoaSUUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoH5WAf/cZtmCtR9fKNl14IUqCjf8VIZh77p
hcZeBYopuu7hXgMatlHY3R2GrczQbeOSFUJziMtYfcI3FOrARRmbvm6QM1FkvCEF
d9bmcFTlxRJgV9fspU6XzAjvbW4L6CRip+C94ENjtpnIzjuiLcOZfkonknTfZV9N
gddRKKu/jGf8BgD9Uxuxtq4Nm6ZQagROplwzl8qetlg3G/IXMYeWxKq5wYLQR3Br
A1+vN4Pk1mGauHMpqZC5yyy6mIyxii/iGNMCuQBmkk1IjpX7T5dxAu/mG58LPIuK
XO4Yobb73jjLXZDB4GJS9W8ltGjqORBIC0RcS3nPkNkBCPVkLUbhI8Ntew==
=c/NO
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Failure installing eclipse on jessie

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

The package is at:
http://pkgmaster.devuan.org/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb
Or:
http://auto.mirror.devuan.org/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb
Or:
http://devuanfwojg73k6r.onion/merged/pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb

As far as I know, pkgmaster.devuan.org and devuanfwojg73k6r.onion are
the same server and use the new amprolla3, while
auto.mirror.devuan.org still uses the old one until amprolla3 is
sufficiently tested.

Looking at the file
http://pkgmaster.devuan.org/merged/dists/jessie/main/binary-amd64/Packages.gz,
the entry for libcommons-pool-java is as follows:
> Package: libcommons-pool-java Version: 1.6-2 Installed-Size: 165 
> Maintainer: Debian Java Maintainers

> Architecture: all Homepage: http://commons.apache.org/pool/ 
> Description: pooling implementation for Java objects 
> Description-md5: 3a9df963586886381885c548196b37ea Source:
> commons-pool Tag: devel::lang:java, devel::library,
> implemented-in::java,
role::devel-lib,
> role::shared-lib Section: java Priority: optional Filename:
pool/DEBIAN/main/c/commons-pool/DEBIAN/libcommons-pool-java_1.6-2_all.deb
> Size: 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1:
> 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256:
> d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e

The filename entry:
pool/DEBIAN/main/c/commons-pool/DEBIAN/libcommons-pool-java_1.6-2_all.deb
should be:
pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb

Looking at the file
http://pkgmaster.devuan.org/merged/dists/jessie/main/binary-amd64/Packages.gz,
the entry for libcommons-pool-java is as follows:
> Package: libcommons-pool-java Source: commons-pool Version: 1.6-2 
> Installed-Size: 165 Maintainer: Debian Java Maintainers

> Architecture: all Description: pooling implementation for Java
> objects Homepage: http://commons.apache.org/pool/ Description-md5:
> 3a9df963586886381885c548196b37ea Tag: devel::lang:java,
> devel::library, implemented-in::java,
role::devel-lib,
> role::shared-lib Section: java Priority: optional Filename:
pool/DEBIAN/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb
> Size: 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1:
> 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256:
> d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e

Here, the filename is correct.

As far as I know, amprolla merges the packages for jessie from
https://deb.debian.org/debian/. The file at
https://deb.debian.org/debian/dists/jessie/main/binary-amd64/Packages.gz
contains:
> Package: libcommons-pool-java Source: commons-pool Version: 1.6-2 
> Installed-Size: 165 Maintainer: Debian Java Maintainers

> Architecture: all Description: pooling implementation for Java
> objects Homepage: http://commons.apache.org/pool/ Description-md5:
> 3a9df963586886381885c548196b37ea Tag: devel::lang:java,
> devel::library, implemented-in::java,
role::devel-lib,
> role::shared-lib Section: java Priority: optional Filename:
> pool/main/c/commons-pool/libcommons-pool-java_1.6-2_all.deb Size:
> 105476 MD5sum: a22fa2916fd991ca757c9b893e75778b SHA1:
> 7155500feee34f5e0ffcd3297343b8f4e544718b SHA256:
> d3d9fb183a9c7b6379b51998f7ae18bc32faafb091672620f7af47454aef2a1e

Here, the filename is correct too. Therefore, there is probably an
error in amprolla3.

On 2017-12-04 01:54, lpb+dev...@kandl.houston.tx.us wrote:
> On jessie, I'm having trouble the eclipse package, because I am
> getting a 404 on a java package. Here's the error I get:
> 
> Err tor+http://devuanfwojg73k6r.onion/merged/ jessie/main 
> libcommons-pool-java all 1.6-2 HttpError404
> 
> Here is my sources.list:
> 
> deb tor+http://devuanfwojg73k6r.onion/merged jessie  main
> contrib deb tor+http://devuanfwojg73k6r.onion/merged jessie-updates
> main contrib deb tor+http://devuanfwojg73k6r.onion/merged
> jessie-security main contrib
> 
> Any suggestions appreciated. 
> ___ Dng mailing list 
> Dng@lists.dyne.org 
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 
-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlolbz8UHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoETSAf+PZ+7vm6YGacIGrhq1DGvHr62G4Q7
5DJ50x9KhlbuMqSGMaOKyGiZdoo4BLYwwYmFodXE1qOhxQNAVMjPD7yEuU248iAm
COKLs1Fp7vNfBtEXbWFiR642f68GZFgELt78+Q1Hde30i34MF/jT9LXlw+coFUWe
+OgwPxTlNfCa3PRsIeQSBZeU67meAY+hc4WzMr6krj4bPbPxCpA9Qx/Bw3EaRTCK
4T0lyTRHfXXuO0Ci26RLj24C7ybCwMzMjBdOaphbCPiTS9etzogbq9sUYDU/QQ5J
tKUAXr7ksgnaFkXOHQEJ58At8j90A0arjQWtASPdn5e4+1WTfzUt4Mcw+g==
=/3Dm
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] NFS: was mounting /usr

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I have configured everything needed to boot using PXE using NFS as
root-filesystem at home some months ago:
http://dpa.li/pxeboot.mp4

I export the root filesystem of an lxc container read only using NFS.
It's really convenient, I can install and remove anything I want in my
lxc container, and all Systems I booted using PXE will have the new
programs immediately. At the same time, the PCs can't make any changes
on the root file systems. But I don't actually use it, I just created
that system because I can.

I guess it would be pretty useful for large companies, if it weren't
so slow and insecure. I don't think I could use kerberos in that case,
but even if I could, I wouldn't want to use it. It's just so
overcomplicated, if I could just use it over TLS or SSH directly,
without any tricks, it would be so much easier. I don't even need
encryption in my case, a simple way to check if the datas came from
the correct place and weren't altered would be sufficient, but the
only thing there is to secure NFS is kerberos, the same thing used to
secure all MS stuff, the thing best used together with Active
Directory, I don't like that. I think what NFS really needs now are
simpler alternatives to kerberos.

But I don't think mounting just /usr using NFS is a good idea, not
because of NFS, but because it's technically a removable media, it may
not always be there, even worse, in this case, it may be used and
changed by other machines. I think the main problem here is that the
current package managers can't handle installing some parts of a
software on a removable media. It would be cool to be able to just
install some software on some usb sticks or something, and to add and
remove them when the software is needed, without the package manager
and possibly the rest of the system freaking out.

-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlooKZYUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoH2DAf+MBqFuxsQC7AN2jaUW4s4QAZchZma
We2qXOd9x/zoeN15/Mt/pmTviYS0u3H9LGZAApmXEkk/mwXw1rYgmhQdV8XmtRgE
YOP3cbzfqlRb3YJlKmW53wLMupZr9/FmO3YIpQyaBx2ZkWxF1HRTUCwYFapQJ+l4
0oRZMiX/bKIDbJckiCkKNkeyPHjR74SNsb722G5i7UiaS9wQ/AeZkjNGQbXTt3Zw
9H9lwz4Erf5LLVL//6Smp/mRqBHLYU4iCG2TYZo4YlSDkioFnqLmBrhQQlL/JqDU
jkBQrRQY2Y9W7JsBGUwr33TS9ASAVGBhAJgnyf1hJfuxl7+GZcn6Hdih9Q==
=1hmx
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] It's far from being over. Sigh!

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 2018-05-04 20:03, Rick Moen wrote:
>> Librem 5 phone coming next year for me.
> Ah, Librem.  Let's see: 
> https://web.archive.org/web/20161010040458/https://blogs.coreboot.org/
blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-lib
re/
>
> 
https://web.archive.org/web/20161010100959/https://blogs.coreboot.org/bl
og/2015/08/09/the-truth-about-purism-behind-the-coreboot-scenes/
> 
> Internet Archive links because someone (guess who?) raised a stink,
> and Alex Gagniuc's comments were then taken down.

I've ordered a librem 5 phone too. I'm really annoyed by the very few
people that go to great lengths just to badmouth those who give their
best to make products as good, libre, and user respecting as possible
for them, just over some minor details. There is no such thing as a
perfect system after all, and there are a lot of companies that are
actually evil, to which raising awareness would help much more than
complaining about those that do make a step in the right direction.

Also, as far as I know, there is no other phone which:
 * Doesn't use gralloc and allows me to install any normal linux
distro I want, not just ones for phones
 * Does care at all about privacy, for example by including physical
kill switches
 * Provides development kits & documentation

I can't speak for other people, but I prefer to do have a somewhat
good and libre phone that I can control over no phone or phones I
can't use the way I want them to.

Regards,
Daniel Abrecht
-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlrs1iwUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoHsSQgAmlLJ1XVYSKKYnBLiQuUYLXaBRTX7
4PxBBx4iwwSdBvBow5+Lx1Y/mlb7WfHReoGf1/uhEf8fUptKGiglccDI+sUzpGU4
oz9HmvEIqY4N9s+I6JyDDaT7AkjMLSlbWkbLDreDFkfZNrfxuxcKgjVQqsah4QW7
srk1WGrg3J1hkHF0mPMmiR88Df2NJK8KSyOsC3bYwtB1ehCjiTCXC+LmnM43KrWu
Bzs6KE1fJ8czkhOFUryG6eUsMxN2on2Mk++vjBdiX5+UkknZUSxqni7Cw/x1M4lS
HCY3c9kGMYDIO9nv1kZWqkrrNCygldo6ZVkMJjcgJSldH6vpnER53+Afgg==
=m6M4
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] devuanfwojg73k6r.onion and pkgmaster.devuan.org are they and have they ever been the same?

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 2018-02-15 19:21, Fungal-net wrote:
> AIt seems as obvious now that when amprolla3 tries to merge
> from debian.onion debian has some amprolla like merging system of
> its subrepositories (not all in a single server).  Some of them may
> be timing out, and amprolla3 is not forwarding those errors as
> partial hits.

For any packages that aren't devuan specific, amprolla3 just makes a
HTTP 302 redirect to the corresponding debian server. It doesn't try
to access the file from the debian server at any point, the client, in
this case apt, has to follow the redirect and make a new request to
the debian server. If apt reacts differently when a request fails
after a redirect, which I don't know if it does, that would be a bug
in apt. Of course, amprolla has to merge the package lists, but the
package list is always the same no matter how you access it, and it is
a normal file on the server that's not newly generated for each
request. It also doesn't matter where it gets debians package lists
from, since they should be the same everywhere. And of course, any
file located directly on pkgmaster is the same no matter if you access
it over http, https or the .onion address.

> BUsing tor://pkgmaster. ...amprolla3 is hitting the
> deb.debian.org (or some other clearnet address) and it never runs
> into timing out issues, so tor://pkgmaster is always in tact and
> consistent.  It seems as in the past 2 weeks someone must have
> realized what is going on and went in and adjusted the timeout
> threshold, which explains the current consistent results.  Or else,
> there is a limit to how much I can speculate, but something seems
> to have gotten fixed.

I've used tor and the onion address for a long time now, and I haven't
had any issues so far. But debian offers different mirrors for http,
https and tor, so there is always a slight chance that only a few of
their mirrors run temporarily into issues, which could cause only one
way of accessing it to temporarly cause problems.

> CThe political/security issue is that we (users) have been in
> the blind. 1   When someone chose to shift the onion repository
> address to pkgmaster (a beta system) someone should have made an
> adequate announcement and such was never made, not in the webpage
> not in the "officially official forum" that no developer has ever
> visited.

I did notice that change too, it was a long time ago, but even though
it would have been nice to know in advance, it did not make any
notable difference for devuan jessie, and devuan ascii wasn't even in
beta at that time. If anything, I'm glad they made the change, because
even though there have been minor issues with very few ascii packages,
not using pkgmaster would have caused even more problems, some
problems had to be expected from something not released yet, and these
problems have been widely known, were easy to fix, and had to be
expected. I guess someone should make a small notice on the web page
that the .onion address goes to pkgmaster and not to auto.mirror, but
it'll probably soon no longer matter anyway, since amprolla3 probably
replaces amprolla anyway, or are there plans to keep both running?

> 2If the admin of the pkgmaster.devuan.org can distinguish
> whether a connection is using onion or clearnet (apart from tor,
> they are not the same you know, you can use tor to access any
> clearnet address that has not blacklisted all exit nodes, but you
> can not use http/https to reach an onion address) either the server
> on the onion address is a different server (as allowed to conclude
> by differential parallel results) or it is forwarding those
> connections to "other" servers.  That ability to distinguish the
> two and act based on that distinction is problematic!

No, from everything I have seen so far, the onion address and
pkgmaster are definitely the same server*.

And it's absolutely necessary to make the http redirects to the http
debian repo, the https redirects to the https debian repos, and the
.onion redirects to debians .onion repos. You see, the different ways
to connect to the repos cover different threat models. One may want to
use http if he intends to use one of a pool of mirrors, and there is
noone causing trouble (like ISPs inserting ADs for example). One may
want to use HTTPS if there is someone causing trouble. One may want to
use tor if he either wants a direct connection to the server, since
they don't trust all their Certificate Authorities etc., or if they
need to stay anonymous. Most .onion sites don't provide SSL
certificates, since the connections are already end to end encrypted
anyway, so they use http instead of https. But if we were to
unconditionally make the redirects to debian servers to their http
mirrors, a bad exit node could cause problems and, for example, delay
new packages and updates. Similarly, redirecting https to http
wouldn't work, since bad ISPs could cause problems again. 

Re: [DNG] Provides: libsystemd0 (was Re: systemd and ssh-server)

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 2018-07-26 14:32, info at smallinnovations dot nl wrote:
> It would help maintaining packages that depend on systemd too. You
> only would have to add some code to use the libnosystemd instead
> of libsystemd0.

If a libnosystemd package provides libsystemd, then there shouldn't be
any additional code or checks necessary in existing programs. But
both, replicating and changing "the libsystemd API" is wrong.
libsystemd is really badly and monolithically designed. It's main
problem is that it doesn't have an API, it has a lot of different APIs
in a single library! This prevents providing packages with dynamic
libraries replacing only one of the APIs. Therefore, ideally, the
systemd developers should split the libsystemd libraries in smaller
ones providing just one API per library. Something like libjournal for
their logging API for example, instead of munching it together with
everything else in libsystemd0. But I doubt that anyone of the systemd
devs ever had that insight, I would even suspect they put everything
in the same library on purpose, allegedly for simplicity, but in
reality for better lockin.

If a libnosystemd package is made, the different systemd APIs should
be defined, then some library names, and finally it should do nothing
more than forwarding the libsystemd function calls to the individual
libraries for the different APIs if said library exists, and otherwise
either do nothing or return an error depending on what would be worse.
This way, it would be possible for different people to provide various
implementations for different systemd APIs, without requiring them to
implement all of them.

Another problem could arise though, how stable are the systemd APIs? I
once wrote https://git.devuan.org/devuan-packages/sd_journal_shim , it
generates the libjournal library and just provides a subset of
systemds logging functions so it can be used as a shim for those, even
though it can't replace libsystemd. I think it's still in
experimental, even though I'm not sure if it still works, because
thankfully, noone seams to use the systemd journald APIs still, so
noone seams to have had any need for this shim.

Also, I think any such library should make it clear that it's
existents doesn't justify libsystemd usage and discourage developers
from using it.



On 2018-07-26 16:17, Steve Litt wrote:
>  sysvinit and OpenRC typically have init scripts tens or
> hundreds of lines, making init integration of an application seem
> like an arcane art. What are they thinking? IMHO these immense and
> unfathomable init scripts are what opened the door for systemd. 
> 

Those init scripts allow for any kind of scripting language to be
used, and thus also allow for the usage of ones that look like unit
scripts. I made an interpreter that allows yaml for declarative init
scripts that could be used with sysvinit or openrc:
https://github.com/Daniel-Abrecht/unitscript


Daniel Abrecht
-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAltaHIEUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoGFbQgAsMfbIVyfKDj3Ze962oUrqSZoNFLR
cTxcu73bUQxHuDVJhd9myXExBYtZgXtKLPMiCrIrOdKzwpGWNLkola7Fg2ggYQgJ
jbWitQrpTgkUY3hrBdzkU8hBjKFkbMo7uXFGWbLa1q36gUyUwz44lX3HA8FM69Ax
FYb4Cz6eLW7iDrWUtt3Ti5Ku4r8VY0nAgMNRP9U/fE5jrsVl5eSvtHkfOsfICMrR
I13RtJ2evFkAty4HWicDrh3ejagLPP353jgRC7POjCaPdgEABd6CrHhIyYbJpkVS
EYLl7ZJHaw171pKrQz6WRSTX/Xl/ybt+vv91Ia8TpHzgVKjsSDLGgORnQw==
=Lc8K
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] Wicd + dhclient no longer sends the correct host name and doesn't request search domains anymore in ascii.

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I don't have time to do something about this at the moment, so I'll
just inform everyone here about this problem and add the debian
maintainers to the CC of this mail, so whomever has time or needs to
know about this at least knows about this issue.

In devuan/debian jessie, wicd does send the hostname and requests the
search domains in the DHCP reply, but in ascii/stretch, it no longer
does so. I believe it uses dhclient with a different dhclient.conf
than before, but I don't know what exactly changed. There is an option
to set the hostname in wicd, but using it doesn't have any effect and
it's off by default.

The hostname option is often used by dhcp servers to notify the local
dns resolver about new clients, which makes it possible to use their
hostname instead of their IP to access them. I think the default
should be for the hostname to be sent, because it used to be that way,
it may break existing setups and cause a lot of troubleshooting
otherwise, and I don't think not having it helps with anything.

The domain search option is important to get all search domains. A lot
of networks, mine too, are split into different parts. One for lan and
one for dmz for example. In that case, it's quiet common to have both
in the search domain list. My search domains are "dmz.abrecht.li
lan.abrecht.li". This way, I can access both, local clients and my
servers using just the hostname and don't have to write out the whole
domain. There are some other use cases too. I've only ever seen
Windows machines not requesting search domains before, but I alway
took for granted that they work everywhere else. They work by default
on iOS, Android, Mac, and usually Linux, except if using wicd+dhclient
in ascii/stretch. Not requesting the option also won't add any
security benefits, because in that case the domain name is used as
search domain. But that's insufficient for multiple domains.

I'm still on wicd version 1.7.4+tb2-4, which is the same in debian and
devuan, and not on the devuan version from backports, but that
shouldn't make a difference since these versions only differ in some
dependencies and nothing else.


I've used "tcpdump -vvv port 68 or port 67" on my dhcp server to
capture the DHCP requests. Here is one when using wicd:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
262144 bytes
18:46:58.202250 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none],
proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP,
Request from 60:36:dd:26:4a:bc (oui Unknown), length 300, xid
0x9160d35, Flags [none] (0x)
  Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown)
  Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 10.60.10.188
Hostname Option 12, length 10: "$_HOSTNAME"
Parameter-Request Option 55, length 7:
  Subnet-Mask, BR, Time-Zone, Default-Gateway
  Domain-Name, Domain-Name-Server, Hostname
END Option 255, length 0
PAD Option 0, length 0, occurs 29
18:46:58.202649 IP (tos 0xc0, ttl 64, id 8355, offset 0, flags [none],
proto UDP (17), length 336)
dog.bootps > 10.60.10.188.bootpc: [udp sum ok] BOOTP/DHCP, Reply,
length 308, xid 0x9160d35, Flags [none] (0x)
  Your-IP 10.60.10.188
  Server-IP dog
  Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown)
  file "legacy/pxeboot.0"[|bootp]
18:46:58.206962 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none],
proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP,
Request from 60:36:dd:26:4a:bc (oui Unknown), length 300, xid
0x9160d35, Flags [none] (0x)
  Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown)
  Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: dog
Requested-IP Option 50, length 4: 10.60.10.188
Hostname Option 12, length 10: "$_HOSTNAME"
Parameter-Request Option 55, length 7:
  Subnet-Mask, BR, Time-Zone, Default-Gateway
  Domain-Name, Domain-Name-Server, Hostname
END Option 255, length 0
PAD Option 0, length 0, occurs 23
18:46:58.269305 IP (tos 0xc0, ttl 64, id 8357, offset 0, flags [none],
proto UDP (17), length 336)
dog.bootps > 10.60.10.188.bootpc: [udp sum ok] BOOTP/DHCP, Reply,
length 308, xid 0x9160d35, Flags [none] (0x)
  Your-IP 10.60.10.188
  Server-IP dog
  Client-Ethernet-Address 60:36:dd:26:4a:bc (oui Unknown)
  file "legacy/pxeboot.0"[|bootp]


Here we see that "$_HOSTNAME" was sent as hostname, instead of the
real hostname. I think this is clearly a bug. Also Option 119 wasn't
requested, which is the 

Re: [DNG] The FSF seems to have finally sold out

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 2018-03-08 16:34, Alessandro Selli wrote:
> https://puri.sm/shop/librem-5/ > > 155.26% funded > 4,339 backers > 
> $2,328,966 raised of the
$1,500,000 goal.
I'm one of the backers. I pre-ordered the phone and the dev-kit. I think
what they are doing is truly amazing and important. They have created
good hardware, cooperate with the FSF and the OSS Comunity in every way
possible, and do their best to keep their products as libre as they can.

But most importantly, they are creating a real linux phone!

I've seen the other so called linux phones. I've had an Ubuntu Phone. I
was really hyped up when I got the Ubuntu one, but I was really letdown
by them soon. It used regular Android drivers, their Mir supported
gralloc, but X nor Wayland did. It wasn't possible to install another
distro. It wasn't even possible to use apt, because they choose to (OTA)
update the phones with tar archives!!! It's the same with other linux
phones. They don't build their own phones, they use gralloc, and they
can't run other distros.

But the purism librem 5 will be different. I believe this will finally
be the phone I was waiting for. One, where I can install my distribution
of choice, devuan. One, where I am in control what's installed on it and
what it does. One, which I will even be able to completely replace my PC
with. This is something no one else could or wanted give me.

Purism is yet another step in the right direction. With all the things
that go wrong in this world, I will do everything I can to make things
better.

-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlqkeHYUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoFXlQgAlaAWnGVu/G98Nx8k2tHk0HnCwsAF
XSDUe6BW/5bs+YKcQTGE5JGAp8AOnxpdtJZ9Kmo8ZOzXsi0CLkM6FtghDnyRkXBQ
YklxNJfuRgl/VKTdBYmQ/D9DW88+jD3nxZEAzrCUgYFzaU/Y7A1XO2ogLPzsKL3b
9LX0YJbCTGNROidTusdF9sNzM4ApMYukPdSypD9qgBn5ZplWJ3hhI4EO7iOZPE/d
HHFgPpKlZ6jeMeSo+f6kEXLNd1bUrxLQDbfyMuKu+QOJGqHgyjc/MK59WuQ3W5fA
vmRgaZXr2VUPXXNzI4IrSGFIPhl5S7Si5ExMk0GNWb+O7X9UPj8cjvtlCw==
=Zxu2
-END PGP SIGNATURE-

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] Is the removal of powermgmt-base from apts' suggested packages a problem for us?

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I've been following the apt mailing list just in case. Someone wants
to remove powermgmt-base from apt's suggested packages, claiming it to
be obsolete and only used on non-systemd systems anyway. Should we be
worried about this? I've made a copy of the package source of
powermgmt-base and pm-utils using "apt-get source" to be prepared just
in case they suddenly disappear.

Here is a link to the bug report on the debian bug tracker:
https://bugs.debian.org/891610
-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlqVYRgUHG1lQGRhbmll
bGFicmVjaHQuY2gACgkQcASjafdLVoHDmQgAjL71jUnUAxwnavrF5kJNZ115ADn/
pvI7BitAYJsDmbvkCPRUlYtWJPPr/OivPz2zXDctzwMO0C5rNoa+CFqtiuEejOgt
3NVgIhInqMPRiC0OuIbqIm8TYDO86dYxaj5Wi4QXGKKNRytH2SOzdUDfaM2yOuIo
W20RHQ9bEm6rlbsRjL7C5BOGvfSWV543SNQc6aQYHa0DN2KNanNRcyU+FvHxBN4J
554PYvddEvGA7e9j7EzNqoEBnNHOm5E9rsKMMtpqPDG0LbrV+WRz0sXJTz8L0QHY
Nj1wVQsKIVVQgO6nlu2ZFU96xEOKWpqFXP6BJLqH7jlgBq8uWi9hKBw6sA==
=r6PC
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Everyone OK for using the logger program for runit logging?

[Daniel Abrecht]

On 22/10/2018 19.38, Steve Litt wrote:

Is logger just another sister of syslog-ng and rsyslog?



logger does per default log to the system logger. That can be rsyslog, 
syslog-ng, or any other system syslog daemon, really (with the exception 
of journald, which does it's own thing.). This is why I think everything 
should log to the system logger, which can then still log everything to 
log files or to another server or anything else. logger is one of the 
few logging clients which even support rfc5424 and its structured data 
elements, so I quiet like it, but I think anything that can log to the 
syslog unix socket is fine.


So, long story short, logger is a syslog client, while rsyslog, 
syslog-ng, etc. are logging daemons/servers.


There is currently no c logging library with rfc5424 support I'm aware 
of (only rfc3164), while every logging daemon/server does support it, 
but thats a different and minor problem. (I really should write one and 
update my libjournal-shim)



Regards,

Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [devuan-dev] Debian Buster release to partially drop non-systemd support

[Daniel Abrecht]

On 19/10/2018 15.04, Enrico Weigelt, metux IT consult wrote:

OTOH, we could (as mentioned in another thread) invent some small
declarative config file format for expressing at least the very
common cases


There already is init-d-script (5). 
https://www.commandlinux.com/man-page/man5/init-d-script.5.html


Before I knew about this, i wrote unitscript: 
https://github.com/Daniel-Abrecht/unitscript
But unitscript still lacks a lot of features and testing, and I don't 
really have time for this at the moment. It also isn't a debian or 
devuan packet yet, so using init-d-script is probably preferable.



Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] The D in Systemd stands for 'Dammmmit!'

[Daniel Abrecht]

On 27/10/2018 19.38, Steve Litt wrote:

I say: You must use strncpy()/strncat() because strcpy()/strcat() are
soo old.

What's it been now, 30 years since the strn versions of those
commands have been around? You'd think they'd have taken that in and
adopted it by now. But no!


strcpy/strcat can be used safely if the length of the strings beforehand 
is checked properly. I've seen people changing perfectly fine code 
because some tool warned about functions being unsave, and then 
introducing bugs in the process I had to fix afterwards. There was an 
instance where some combination of strlen and strcpy was replaced by a 
strncpy, and of course they forgot that strncpy doesn't add the null 
byte if the buffer is full, and they missed that it fills the remaining 
buffer with null bytes otherwise too. Sure strcpy is dangerous, but 
strncpy isn't any better either. In fact, most things in c involving 
pointers and/or arrays are dangerous to do, it's easy to misunderstand 
semantics and intent of such code.


I think strlcpy/strlcat are the functions which are the easiest to not 
use wrongly, but sadly they are non-standard, and even with those, 
people will still manage to make mistakes.



Regards,

Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Devuan on a Purism

[Daniel Abrecht]

On 31/10/2018 15.00, Hendrik Boom wrote:

On Wed, Oct 31, 2018 at 09:44:48AM +0100, Martin Steigerwald wrote:

Hendrik Boom - 31.10.18, 01:49:

Now they're working on a Purism phone.  They do seem to intend it to
work with a variety of GNU/Linux systems.  They're currently hoping
to get some developers to adapt their free software to Purism's
mobile hardware.


AFAIR Purism also contact both the KDE and GNOME communities about
adapting their desktops. Maybe some developers got test machines.


I know they were selling development boards.  But a development board
doesn't have the same ergomonic affordances as an actual mobile device.


I've ordered both back when their crowdfounding campaign was running. 
The devkits aren't for sale anymore, but the phone is still available 
for pre-order.


The devkits haven't been delivered yet. Initially, they made one with 
i.MX6 processor, and posted images of it working. But then they decided 
to switch to the newer i.MX8, and that in addition to some other things 
delayed things a bit. The last estimate I know of was around the middle 
of October, but given the mails their devs accidentally sent to the 
public development mailing list around that time, (they renamed the 
mailinglist domain afterwards to make sure that doesn't happen again), 
they just got the Bord to boot to the console with the new core around 
that time, and they can't make changes to the hardware anymore. So I 
assume the boards may already exist, but I expect until they finish the 
software side and finally ship them, it'll probably take at least 
another month. The phone has already been delayed too.


All the software is publicly available on their gitlab:
https://source.puri.sm/Librem5

They have some documentation for new devs (some stuff needs an update 
though):

https://developer.puri.sm/

There are instructions to setup a qemu vm, but I haven't done anything 
yet, because a VM just isn't the same thing.


The mailing lists for the librem-5 are pretty quiet. They used to read 
them though. Most communication is probably on matrix, but I haven't 
looked at it yet. There is a someone at a mastodon instance somewhere 
who gives interesting updates, I forgot where exactly. Their twitter 
account mostly posts links to the usual boring public stuff, and they 
don't seam to read development questions sent to their twitter account. 
The mailing lists and matrix stuff can be found in the documentation too:

https://developer.puri.sm/Contact.html

There have been 21 progress reports as of now:
https://puri.sm/posts/librem5-progress-report-1/
https://puri.sm/posts/librem5-progress-report-2/
... (just replace the number in the url)
https://puri.sm/posts/librem5-progress-report-21/

I hope they ship the devkit soon, I want to install devuan on it too. 
Getting a Desktop Environment and Apps to work so it is usable could 
then become a bit tricky though.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Devuan on a librem5

[Daniel Abrecht]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 19/11/2018 02.01, Arnt Karlsen wrote:
> ..you mirror straight off http://pkgmaster.devuan.org/merged/, or
> off http://pkgmaster.devuan.org/devuan/ and pull some amprolla 
> style stunt?

I don't pull any amprolla like stunts, I just use apt-mirror.

I kind of mirror pkgmaster.devuan.org once per day, but using it's
tor/onion address (devuanfwojg73k6r.onion), which is kind of
unnecessary, but I didn't have a reason not do that either, so why not.

I'm currently mirroring ascii and beowulf, including the -updates,
- -security, -backports, and -proposed repos. I mirror the amd64, arm64,
armel and armhf architectures. The stuff I mirror is also accessible
at https://mirror.dpa.li/, but my Internet connection is sometimes a
bit unreliable, so I don't recommend using it.
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlvzT3kACgkQcASjafdL
VoHENAgAnu9PhjyKRXdmJ0MDapyCaga3JzlzlAgXiQeWv0nGCRriqVXpliJM5yKH
nWzuCwPy8KM+eL7KZQHF9JXEJmvBHVBQG2hj+CX2qVljBThs0rl8JtoizHPUA6mx
pkuAJ6fTZVt1EFz/I2SXmWE6cShXDerl28d6GHC5Upm7z4Npmg0zj0lV1vEBpdor
HTDqDcRlpOlN9+IJyZNN2dRq3BUHRcm5MIKP0aJt8WW8sYvgEX9CAPi9ybL4dCbe
yXMwv//zRzK9qaJywL6Fa9s43lxULIt6gIQbZ02Wtgf5pQvwDbDjr+MmsoHGhK7G
PttO5XEnee93LNnHw0ZxlyyBmmzW2g==
=wyfh
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] Devuan on a librem5

[Daniel Abrecht]

Hi everyone,

I've taken a look at purisms' image-builder scripts, and then made my 
own for the devkit based on them to get an overview of all the 
components and how things work together. I don't have a devkit yet, so I 
don't have any idea if the images generated by my scripts will actually 
boot, but for those interested, this is what I've got so far:

https://github.com/Daniel-Abrecht/librem5-image-builder
https://gitlab.com/DanielAbrecht/librem5-image-builder

It creates a really basic image at the moment, with almost nothing 
installed. But I think that's good enough for now, I can still add more 
things if it turns out to actually work.


Also, I probably forgot to list a lot of the necessary packages to use 
this.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Devuan on a librem5

[Daniel Abrecht]

On 18/11/2018 00.45, Arnt Karlsen wrote:

..you want to do a separate "make repo" and a "make clean-repo-too",
and possibly move the repo out of the build/ tree, say, to repo/ or
repos/ if you have multiple repos now or later.


Ok, all git repos are now cloned into the repo/ folder. I've also added 
a few more make targets for resetting, removing and cloning repos, and 
some other stuff.



..another tip is run your own lan repo mirror and point REPO = there,
that way you can feed _several_ build boxes cheaply.


I already use a local mirror for the devuan packages for the 
debootstrapping part and some other stuff, but thanks for the suggestion.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] Devuan on the Librem5 devkit

[Daniel Abrecht via Dng]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

My devuan Images can boot on the librem5 devkit now. A lot of things,
like the lcd display, don't work yet, but I'm working on it. A uart
adapter is required to access the linux console, which is currently
the only way to access the image after it has been flashed.

The build scripts can be found here:
 * https://github.com/Daniel-Abrecht/librem5-image-builder
 * https://gitlab.com/DanielAbrecht/librem5-image-builder

If anyone has cloned my repos before already, I recommend doing a
"make reset", or at least a "make reset-repo" before rebuilding the
images to make sure all repos are up-to-date. I also recommend doing a
"make reset-repo@linux" and "make reset-repo@uboot" from time to time,
to get the latest kernel & uboot, the repos are active at the moment.

There is still a lot to do, I'll keep y'all updated.

Regards,
Daniel Abrecht
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlwqhcwACgkQcASjafdL
VoE5qggAoA2dq+9lpgoEONU6DwDlehxWP7iXkUFt0uLIFn0Cr+jxjn+K9Wc6jPdy
TBb2ujZcgN7oVVVbQnffKVcknyC0ISpio1y137J4teKDdK6XR35H318ept41lpMx
9PpgPx0/HxyZjW5WELN3AsFJJHbc50MFiU706tRW0dYLvhXqw+f5NcQSeQm0ddDe
9ar4IDI4ELWV+r+83BmJDMUhfmkK67XW1b3c0B1UD5ng3998EMHttKefflHI6zDs
hKVQ6NWlbKMSUa8dEUSm8d4G/YMlWE0IKdhGfiYjsRDk7g4G5S3HXuBUml+NWzF3
/j7uuAYjmjIgfq4Z0Toobi/qJadDfw==
=CNLF
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Fwd: April's fools mess

[Daniel Abrecht via Dng]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

It's now clear that this was a planned action and there was no danger.
But when it happened, this wasn't obvious in any way. I assume the
other staff members knew about it, was it discussed at the last meeting?

I really like April Fools, but this was no April Fool. Faking a crime,
in this case claiming to have been hacked, is no prank or joke. It
doesn't matter that it was April 1. either. This was absolutely
unacceptable, never do this again!

Regards,
Daniel Abrecht
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlyicfYACgkQcASjafdL
VoGPKwf/X3xB71RjqPHO7EyxOiZbWA1oSj4jWNRV7GegPCpTWqLOQbdbiZtTgCeI
fj1J8+ec0AUiL7MU8kG6iV1feK3coOdOUFXEzUZQ312niGo4EJEoVyfSQCLM0p/6
8ecxAPghEUPIPZeZRwB1pDPNgOggPJykLSRFfMywbYDCoqJ/5OzRC0IMNQGLRUht
QHC7XCROiEsMSDh6LGNg0aINLTRuQ8RiiqVtklPYMaGp/0p+zSWeDKtZuzdzBCfl
x4pOPSlVuRZ3x0R43kQw9m75hC6BaiH4msJyjyzr0kTnNhs1QhaetcjjR8Ujv7Hz
ii69ahPVzG6zbrcBLfjjDDE/odWlxg==
=c/i1
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] simple-netaid-backend debugged.

[Daniel Abrecht via Dng]

On 2019-03-07 19:49, Alessandro Selli wrote:

Next improvement would be using current commands (ip and iw) in place
of the obsolete and deprecated ones, i.e. ifconfig and iwconfig:


ifconfig and iwconfig being depracted or obsolete is questionable at 
best. They work, get security patches if they need them, provide a 
stable interface, and have a stable, parseable output that's known to 
not change.


ip and iw on the other hand, well, they aren't suitable to pass 
networking information to other programs because they have a less stable 
interface. At least with ip, that will get a bit better with the -json 
option. But that option isn't in debians version yet.


In addition to this, ifconfig and iwconfig will also work on other unix 
systems, such as FreeBSD.


Parsing output in regular programs is more of a hack anyway. Why can't 
these tools provide a library for use in regular programs?


There is also the option of using the kernel interfaces directly, but 
then the program directly depends on linux.


There really is no good option.


PS: It's not like I don't use ip at all, I do use it's netns feature on 
one of my servers to move all it's network interfaces to a different 
netns, which I then use for a libvirt container, in which I setup the 
routing between the host system, the containers, and the VMs on my 
server. There is no reason why ip should do this and not a dedicated 
program though.


I think about using network namespaces, and maybe also some filesystem & 
user namespaces on my desktop PC too at some point. I could probably 
write a pam module to isolate user homes further and put different users 
into different network namespaces. That way, I could make sure all 
connections of certain users are part of my regular network, and all 
connections of another users are always routed over a vpn, a proxy, over 
tor, or something similar. But I won't be able to use ip for that. And I 
won't get to that any time soon, there is just so much stuff to do. But 
linux namespaces are really awesome, I use them all the time, and not 
just for containers.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

[DNG] devuan.org website down

[Daniel Abrecht via Dng]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Devuan.org website seams to be down. I can't reach it, and neither can
that checker page: https://www.isitdownrightnow.com/devuan.org.html

Could someone fix that please?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlyEOw8ACgkQcASjafdL
VoF9cgf/Sk0jL2//YU46u1GGyvnrTjCR2DqFK4P2B41a9YulJnnYUFB30GR/s6Tb
Sqc+jZRNxC/tFwO/cft0qaexv74ULRhlH9m0mWwGJIxV8Zguub5Tj3avBhIXY4LI
f+3/3Jp3UcLAyMBZ9Y4mgfce4XgoUeYsZvlX1oHkRsKMc1wpd/ky5rxIrSBWhPlW
s6k7dMJEyuSex9lYrVeU1w6sjMn22oLMIkVC+AnL17x4S9jbuxPHdkzwc/i8DhTF
4+n7F+BIHRKwY5paTDsYucy19HqS6dxi0KNccMemv+j591D+FlE1QCJWg4PzdBku
l+WC7jI1qvpFyrk897l5kq9QBu2r8g==
=PxDd
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] [ASCII] [Mutt+Torify+Fetchmail+Procmail+Msmtp] Problems torifying email

[Daniel Abrecht via Dng]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 15/05/2019 06.31, Se7en wrote:
> The problem I have been having since November 2018 when I upgraded
> to ASCII was that I simply can not torify Fetchmail. I later
> discovered that Mutt is affected. The problem seems to be related
> to my mail spool, /var/mail/se7en.

Are you using torsocks to torify applications? I wouldn't recommend
that. Using iptables, it's possible to configure tor as a transparent
proxy. You can redirect network traffic using iptables over tor. That
can be just traffic from the local host, or even traffic from a whole
network. Using linux network namespaces, you can have different
independent internal network configurations on your machine. You can
then enter that namespace and execute an application there. To route
traffic between network namespaces, you can use virtual ethernet
interface pairs (veth). It is also possible to connect them using
bridges. Physical network interfaces can be moved to a different
network namespace as well. All this can be done using the "ip",
"brctl" and "iptables" commands. You can also use containers for this,
they usually use network namespacces too. I recommend torifying the
complete system if possible, or even better, a whole dedicated
network. If you keep the tor devices and the other devices completely
seperate, it becomes much harder to deanonymize you. Use one thing in
both environments, and you may have been deanonymized.

On another note, there are also a lot of online services that block
tor nodes, and i think some ports like smtp are blocked on pretty much
all exit nodes. It's fine for mailing between onion addresses, but not
for sending mails anywhere else from within tor.

Good luck,
Daniel Abrecht
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEZT8xKpcJ1eXNKSM1cASjafdLVoEFAlzcil0ACgkQcASjafdL
VoFkCQgArT1EdxEj8NxuoxJNJu3m4gwKlxoRVseYZByKVdiJwUar0L6/RLm3Ug3E
8k2hunHzK27xqFl6epeRKryzZl1X3kQsM31y8aclQlgdzHP6Mv8HXaY9wlIHaF6a
kSj9R+YxZb0OLY0i2RH8rybfze0lH0CwMx8yhZkgV087lI+1UW4H1NYantN/2p8I
KOWPo5MoHxmqPkNgMBVHaCD20QWPuwhCNrxjgln9FbRQxyCcDHzV0VTKPxc6YtfP
Lo789jEFyB81gW4hQgdWRpzzxoQXQ78PWau3d16z3cDUhUS2lLnsxuHUdPolBPJv
Rz8hxXFzm9MOVgUOLLgFzbeDAYJuig==
=Hbdy
-END PGP SIGNATURE-
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Mail message headers

[Daniel Abrecht via Dng]

Hi golinux,

I'm using Roundcube Webmail 1.2.3 on devuan ascii, with the following 
plugins:

filesystem_attachments 1.0 GPLv3+
jqueryui 1.10.4 GPLv3+

Everything was installed from the regular repos.

I don't have any of those strange http links in these headers. I also 
think this is most likely caused by a plugin of your roundcube mail 
client.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Daniel Abrecht via Dng]

On 2020-02-25 11:11, Hendrik Boom wrote:

Which is the reason for a capability architecture.  Is there anything
resembling that in GNU/Linux userspace?


Kind of, not really.

There is something similar to role based access control, namely the unix 
file permission model, which is a kind of DAC. Users and groups 
(=roles), can have different permissions on files (reading, writing, 
executing).
Then there are the security modules. These can extend that 
functionality, which is usually used to add some kind of MAC.


For processes / syscalls, Linux has capabilities as a replacement for 
things usually reserved for root, but these usually aren't very useful, 
they are crude and can often be used to escalate to root anyway.
For syscalls, there is also seccomp, but it's hard to use and 
architecture dependent, and it will break applications which use it 
regularly.


Something which is currently missing is a way to manage permissions for 
specific ioctls. Usually, its per device, and some ioctls need need read 
or write permissions to the fd. Sometimes, that's suficent, sometimes 
not.
There is kind of a horrible situation with /dev/dri/card* devices, if I 
remember correctly, you need root for the ioctls to become drm master 
and do modesetting, even if you have read and write permissions to the 
file, which is why this is delegated to logind or a suid binary, I 
think? One way to resolve this would be to splitt those card devices 
into multiple ones, but I don't think that's going to happen. I don't 
think configurable supplementary group based per ioctl permissions are 
going to happen either. Except maybe as an LSM.


One interesting thing about files is that permissions are only checked 
when those are opened. A file descriptor is like an access token. And 
they can be sent over unix sockets, which can also be files. Those file 
descriptors are unrevokable, though.


There is also a small problem with the DAC permission model. A process 
has only one set of user, group, supplementary groups. This means, 
either you can use them to restrict a program, or you can use them to 
restrict a user, but you can't have restrictions based on a user and a 
program. I was thinking a lot about this at some point, and wanted to 
write an LSM for that at some point, but I never got to to it. I did 
write down my thoughts, although retrospectively, I did make various 
mistakes and misused some terminology there in there: 
https://github.com/Daniel-Abrecht/Discretionary-Program-Access-Control/blob/proposal/Discretionary%20Program%20Access%20Control.md


It's possible that there are still some other access control mechanisms 
I don't know of yet.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Daniel Abrecht via Dng]

Hi

I would like to add my point of view to the polkit debate.
I don't think polkit is bad or unnecessary, it simply has a completely 
different usecase/scope than sudo has.



sudo is for starting a process as an other user provided some 
preconditions (group/user allowed to use it, supplied arguments allowed, 
etc.) are met.
And it can retain or restrict some resources inherited from the parent 
process (such as environment variables, for example).
Therefore, the use case is to allow some users to execute certain 
commands in certain ways with certain resources.



I know polkit less well, but my current understanding is, that polkit is 
for managing access to stuff on dbus.


So next, why is dbus needed?
dbus is a message bus. There usually is one for the whole system, and 
one for each session.
There are various uses and missuses for it, but I think the most crucial 
things are:

 * Notify any process interested in something of these things.
 * Tell other programs which can do something to do something.

This can be useful for various things, for example:
 * A program may want to now if a device got rotated, so it can rotate a 
screen.
 * A wlan management gui may want to tell it's daemon that it shall 
connect to a wlan, and it may want to know what connections it already 
has and manages.
 * A phone call application may want to ring when a call arrives, or it 
may want to let the user initiate a call.


Now, those examples are mainly things that would need the system bus. I 
couldn't come up with a good example solely within a user session/bus, 
but I'm sure these exist too, especially because dbus doesn't need a 
graphical session.


And with that, back to polkit. It'd be bad if just everyone/everything 
could do system level stuff, so per default, noone can. But that would 
make dbus useless for a lot of things.
This is the problem polkit is there to solve, there are config files 
specifying who (user, group, etc.) can see/use which methods calls, 
signals/messages, etc.


Without dbus, applications & daemons could do similar things using unix 
sockets. However, then, every application would need their own socket, 
permission management, configs, etc. This would have the same security 
implications as just using dbus, which also just uses unix sockets, but 
would leave a bigger attack surface, and a lot of scattered security 
critical configs with different formats.


Now, there is also the approach of using a suid binary for the 
privileged stuff. As a good and bad thing, just like sudo, this can't 
escape a container, unlike a unix socket passed to one could. However, 
it would leave the problem of a bigger attack surface, and a lot of 
scattered security critical configs with different formats, and is very 
difficult to get right.


All things considered, I think for the purpose of interacting with 
system level daemons/services and managing related permissions, 
especially in cases more complex than simply shutting down the system 
for example, dbus + polkit is a very nice solution, especially 
considering the alternatives. It does have some flaws, though, such as 
noone knowing how to correctly configure it, for example.



Regarding pkexec, I think this thing is an abomination. Starting a 
process is absolutely not something which should be done in a way 
completely disregarding resources and restrictions of the spawning 
process. It's kind of useful for checking if polkit works at all, but 
aside from that, I recommend getting rid of it as fast as possible.


Regarding gksudo, I think it's intended use case is an awful thing as 
well. The very Idea of asking for a users password for starting a more 
privileged process is a bad one. It means that if the user account is 
breached, as soon as sudo or gksudo is used to obtain root, it could 
have been replaced (z.B. by changing the PATH, setting an alias, etc.) 
by an attacker to get the password instead, and then compromise the rest 
of the system. In my opinion, sudo should always be used in such a way 
as to work without password, and only for known "safe" commands. For 
everything else, it'd be much better to just log in on a tty as root. 
Same goes for su.



One last, only partially related thing. Does anyone know how to get 
polkit agents working properly? If I start `lxqt-policykit-agent`, for 
example, pkexec won't work. If I start it as `su -c 
'lxqt-policykit-agent'`, it does, but I'm pretty sure that's not the 
right way to do this. I'm currently on devuan beowulf, but I think 
debian users may have similar problems, I think systemd/logind people 
may have broken something in polkit...



Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Help needed:[Fwd: eudev: Methods to detect if running in a container.]

[Daniel Abrecht via Dng]

Hi,

What's the point of trying to detect if eudev is run in a container?
Is it just to not start it in that case?
Would it just fail to start in them otherwise?
Is that actually a problem?
And could eudev not just be uninstalled in a container?

In any case, I don't like the idea of doing hacks like looking at inode 
numbers or trying to determine if there is a container or not. In 
addition to this don't like the Idea of checking for being in a 
container in general.


Instead, I would check for reasons why it doesn't work in a container, 
choose a sensible thing to check for out of those reasons, and then 
check for that.


In this case, I would assume the following, although I haven't checked:
 1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is 
responsible for managing/creating device files
 2) eudev exists for managing/creating device files in other kinds of 
systems

 3) device files can't be created in a container
 4) 3. is due to the container hypervisor removing the cap_mknod 
capability from containers


Given those assumptions, I think the sensible thing would be to either 
check for the mknod capability, or check if device nodes can't be 
created in /dev/ due to a lack of permissions. I think that's closer to 
the reason why one may not want to start eudev than trying to checking 
if we're in a container.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] couldn't register with accessibility bus in Beowulf (workaround)

[Daniel Abrecht via Dng]

Hi

I've had that problem as well. It also prevents the auto-show feature of 
the `onboard` onscreen keyboard from working (which was annoying on my 
Librem 5 Phone, where I need that feature).


To me, it seams to be caused by a combination of something `lightdm` 
does, and something `at-spi-bus-launcher` does not do.
After a login with `lightdm`, the X11 root window has the `AT_SPI_BUS` 
property set (`xprop -root AT_SPI_BUS`), however, it seams the 
`at-spi-bus-launcher`/`at-spi2-registryd` instance which created that 
property does not exist anymore, causing applications to fail to connect 
to it. In addition to this, the presence of that property prevents a new 
instance of `at-spi-bus-launcher`

 from starting.

My current workaround is to remove the `AT_SPI_BUS` property, and then 
start `at-spi-bus-launcher` again:

```
xprop -root -remove AT_SPI_BUS
/usr/lib/at-spi2-core/at-spi-bus-launcher &
```

After that, the `onboard` auto-show feature works for me for newly 
started applications again (this may require `onboard` restart). At 
least for GTK Applications, that is, I still have the problem of that 
feature not working for some QT applications, such as the `kate` editor. 
I assume that should be the same for other things which use the 
accessibility bus as well.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Your system is not supported by certbot-auto anymore.

[Daniel Abrecht via Dng]

Am 2020-12-08 08:41, schrieb Simon Walter:

Other than a manual install, are there any alternatives? I am
interested to hear how others are doing this.


Let's Encrypt has a list of various clients: 
https://letsencrypt.org/docs/client-options/


I'm using one I've written myself (and haven't bothered adding to the 
list yet): https://github.com/Daniel-Abrecht/DPA-ACME2
There currently only is a solver for dns-01 challenges for it, though. 
And I should probably move the solver to another

project/repo &  make some packages and such stuff.

It works pretty well overall, I didn't have any problems with it for a 
long time anymore. But if you put it in a cron job,
make sure to set up mail notifications so you know when it fails. And 
make sure not to use it around 0 UTC, the let's encrypt

servers tend to be overloaded and unreliable around that time.

I do think TLS is an awesome and important technology, but I do not like 
having to rely on yet another authority (the other one being DNS 
registrars)
to be able to operate a webpage and other services. This is why I have 
also set up DANE. If some day, browsers start to finally support DANE,
or free certificates become unavailable, I will immediately switch to 
self signed certificates (and keep DANE so they could still in theory 
get automatically validated).


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Some RAID1's inaccessible after upgrade to beowulf from ascii

[Daniel Abrecht via Dng]

Am 2021-11-09 19:56, schrieb Hendrik Boom via Dng:

I upgraded my server to beowulf.

After rebooting, all home directories except root's are no longer
accessible.

They are all on an LVM on software RAID.

The problem seems to be that two of my three RAID1 systems are not
starting up properly.  What can I do about it?


Do you still know which devices contained the raid?
I'd first check out the metadata on them:
```
mdadm --query --examine /dev/sdXY
```

Ideally, the ones for the same arrays should have the same Version, 
Array UUID, and a number for Events which doesn't differ much.


I'm not much of an export with raid myself. In fact, I already hosed one 
of mine once (I followed some tutorial which suggested using "mdadm 
--create" for a certain thing, but it was wrong and I should have used 
--grow instead).


Anyway maybe try explicitly assembling the devices as a new raid device. 
There is also a --readonly option that should avoid it doing anything to 
the array, and a --readwrite option, which could be helpful.

```
mdadm --assemble /dev/md5 --readonly /dev/sdXY /dev/sdXY
```

If that works & the raid device works fine (maybe try mounting it), you 
can make it readwrite using

```
mdadm --readwrite /dev/md5
```

Alternatively, you could also try --re-add to add devices to an existing 
raid again.


I'd avoid doing anything with --create. I think that would be 
destructive.


If it does stuff like resyncing after that, you can already use the 
device, but maybe wait with a reboot until it finishes.
If you get it working, try doing the `mdadm --examine --scan` thing 
again / recreate /etc/mdadm/mdadm.conf. Maybe also recreate the 
initramfs using `update-initramfs -u`, just in case.
And if all that works out, you may try rebooting to see if it detects it 
again.


If things don't work out, maybe check for error messages / look at 
dmesg.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] mouse driver question

[Daniel Abrecht via Dng]

An alternative to "gpm" would be "consolation". It's based on 
"libinput". I've never tried serial mice, but you can probably install & 
start "inputattach", and then "consolation" should probably pick it up 
if it's installed. inputattach should also work with other things such 
as X11 and Wayland.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] mouse driver question

[Daniel Abrecht via Dng]

To find out what's behind which /dev/input/event* device, and generally 
what's going on with the input stuff on the kernel side, I usually 
check: "cat /proc/bus/input/devices"




___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] resolv.conf

[Daniel Abrecht via Dng]

If you don't have a public domain, then the correct domain to use in an 
internal networks is home.arpa, see: 
https://tools.ietf.org/id/draft-ietf-homenet-dot-07.html


home.arpa. is intentionaly set up as an unsigned delegation, so it won't 
break when someone uses dnssec. Other domains will fail dnssec.


Unfortunately, noone seams to ever check dnssec for some reason, and 
noone seams to care about home.arpa either. But I'm still optimistic 
that this may someday change.


Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng