Re: [arch-dev-public] Trimming down our default kernel configuration
Am 28.03.2014 06:25, schrieb Connor Behan: On 27/03/14 08:24 AM, tho...@archlinux.org wrote: Am 27.03.2014 09:52, schrieb Connor Behan: On 27/03/14 01:07 AM, tho...@archlinux.org wrote: Am 26.03.2014 20:08, schrieb Dave Reisner: Looks like audit is still built into our kernel. Wasn't this meant to be reverted as well? Forgot about that. That was pulled in by AppArmor or so. Wasn't it pulled in by http://bugs.archlinux.org/task/12584 and the fact that community/audit came out shortly after? No, it was pulled in accidentally as a dependency of AppArmor. I doubt that. AppArmor was enabled a year and a half after audit was. https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/kernel26id=e46bc1d41848b258a138df26590967dc1e0a3417 https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/kernel26id=688e0f7508fa943868470e9d6c0dcb12823b06f0 Yeah, that was incorrect in my memory. It was actually SELinux that pulled it in. If we actually want audit, we should support it as well. Our systemd package is compiled with -AUDIT for example. Since audit is one of those enabled unless the user intervenes option that also does annoying things, I would like to get rid of it in our kernel. It is supported if you count [community] packages. I'll ask on the LKML if anything can be done about the logging. It's not about logging, it's about being enabled by default when it is supported by the kernel. There's no disable audit by default switch. signature.asc Description: OpenPGP digital signature
Re: [arch-dev-public] Trimming down our default kernel configuration
On 28.03.2014 06:25, Connor Behan wrote: [...] Not sure why, but your last 2 replies to the thread refer to message IDs I don't have (mailman.*.arch-dev-public@archlinux.org) so threading is broken. Are you replying to digest posts? signature.asc Description: OpenPGP digital signature
[arch-dev-public] Signoff report for [testing]
=== Signoff report for [testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 11 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 11 fully signed off packages * 37 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == New packages in [testing] in last 24 hours (11 total) == * tzdata-2014b-1 (any) * groff-1.22.2-6 (i686) * libpipeline-1.3.0-1 (i686) * groff-1.22.2-6 (x86_64) * libpipeline-1.3.0-1 (x86_64) * ghostscript-9.14-1 (i686) * nvidia-utils-334.21-7 (i686) * x264-1:142.20140311-1 (i686) * ghostscript-9.14-1 (x86_64) * nvidia-utils-334.21-7 (x86_64) * x264-1:142.20140311-1 (x86_64) == Incomplete signoffs for [core] (5 total) == * flex-2.5.39-1 (i686) 0/1 signoffs * gmp-6.0.0-1 (i686) 0/1 signoffs * groff-1.22.2-6 (i686) 0/1 signoffs * flex-2.5.39-1 (x86_64) 1/2 signoffs * groff-1.22.2-6 (x86_64) 0/2 signoffs == Incomplete signoffs for [extra] (32 total) == * apr-util-1.5.3-4 (i686) 0/1 signoffs * avidemux-2.5.6-9 (i686) 0/1 signoffs * ffmpeg-1:2.2-2 (i686) 0/1 signoffs * ffmpeg-compat-1:0.10.12-2 (i686) 0/1 signoffs * fontconfig-2.11.1-1 (i686) 0/1 signoffs * ghostscript-9.14-1 (i686) 0/1 signoffs * gst-plugins-ugly-1.2.3-2 (i686) 0/1 signoffs * gstreamer0.10-ugly-0.10.19-10 (i686) 0/1 signoffs * libevdev-1.1-1 (i686) 0/1 signoffs * mplayer-37051-1 (i686) 0/1 signoffs * nss-3.15.5-2 (i686) 0/1 signoffs * nvidia-utils-334.21-7 (i686) 0/1 signoffs * opal-3.10.11-3 (i686) 0/1 signoffs * vim-7.4.214-1 (i686) 0/1 signoffs * vlc-2.1.4-2 (i686) 0/1 signoffs * x264-1:142.20140311-1 (i686) 0/1 signoffs * apr-util-1.5.3-4 (x86_64) 0/2 signoffs * avidemux-2.5.6-9 (x86_64) 0/2 signoffs * ffmpeg-1:2.2-2 (x86_64) 0/2 signoffs * ffmpeg-compat-1:0.10.12-2 (x86_64) 0/2 signoffs * fontconfig-2.11.1-1 (x86_64) 0/2 signoffs * ghostscript-9.14-1 (x86_64) 0/2 signoffs * gst-plugins-ugly-1.2.3-2 (x86_64) 0/2 signoffs * gstreamer0.10-ugly-0.10.19-10 (x86_64) 0/2 signoffs * libevdev-1.1-1 (x86_64) 0/2 signoffs * mplayer-37051-1 (x86_64) 0/2 signoffs * nss-3.15.5-2 (x86_64) 0/2 signoffs * nvidia-utils-334.21-7 (x86_64) 0/2 signoffs * opal-3.10.11-3 (x86_64) 0/2 signoffs * vim-7.4.214-1 (x86_64) 0/2 signoffs * vlc-2.1.4-2 (x86_64) 0/2 signoffs * x264-1:142.20140311-1 (x86_64) 0/2 signoffs == Completed signoffs (11 total) == * ca-certificates-20140223-2 (any) * tzdata-2014b-1 (any) * curl-7.36.0-1 (i686) * file-5.18-1 (i686) * libpipeline-1.3.0-1 (i686) * openssl-1.0.1.f-2 (i686) * curl-7.36.0-1 (x86_64) * file-5.18-1 (x86_64) * gmp-6.0.0-1 (x86_64) * libpipeline-1.3.0-1 (x86_64) * openssl-1.0.1.f-2 (x86_64) == Top five in signoffs in last 24 hours == 1. eric - 10 signoffs 2. fyan - 5 signoffs 3. spupykin - 1 signoffs
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
On Fri, Mar 28, 2014 at 1:01 AM, Thomas Bächler tho...@archlinux.orgwrote: Affected packages: [...] community/snapper 0.2.1-1 /etc/cron.hourly/snapper Next version of snapper will have the timer unit provided by upstream, so this package will get it anyway.
Re: [arch-dev-public] brynhild down a.k.a pkgbuild.com
On 03/24/2014 07:11 PM, Pierre Schmitz wrote: Hi, A replacement for alderaan would be great as we could easily use more RAM for our DB. I'd even say the EX40 with SSDs might be worth a look. That would probably solve our forum search issues by brute force. I'd prefer this over ECC, but I wouldn't argue if we can pay for both. As for the current alderaan server: I'd say we cancel this as well and get at least an EX40 as build system. It's faster, has better disks and four times the RAM. The monthly fee is the same. Greetings, Pierre Hello, We have to do something about it before getting a new invoice for this piece of crap. I see that Bluewind started to resolve a bit this issue but now it's offline again. alderaan replacement - 32 gb ECC with 2x240gb ssd is a.k.a PX60-SSD 79€/mo + 99 € setup brynhild replament (if we don't keep the current alderaan for building) - 32 gb non ecc - 49€/mo + 49€ setup. We need to decide until 31 march. Lets do a vote. -- Ionuț signature.asc Description: OpenPGP digital signature
[arch-dev-public] Integrity Check x86_64: core, extra, community, multilib 28-03-2014
Warning : the repository multilib does not exist in /srv/abs/rsync/any === = Integrity Check x86_64 of core,extra,community,multilib = === Performing integrity checks... == parsing pkgbuilds == parsing db files == checking mismatches == checking archs == checking dependencies == checking makedepends == checking hierarchy == checking for circular dependencies == checking for differences between db files and pkgbuilds Missing PKGBUILDs --- /srv/abs/rsync/any/multilib Duplicate PKGBUILDs - /srv/abs/rsync/any/extra/pyopenssl vs. /srv/abs/rsync/x86_64/extra/pyopenssl /srv/abs/rsync/any/extra/pyopenssl vs. /srv/abs/rsync/x86_64/extra/pyopenssl /srv/abs/rsync/x86_64/community/lib32-libphobos vs. /srv/abs/rsync/x86_64/multilib/lib32-libphobos /srv/abs/rsync/x86_64/community/lib32-libphobos vs. /srv/abs/rsync/x86_64/multilib/lib32-libphobos Missing Dependencies -- community/chmsee -- 'xulrunner28.0' Missing Makedepends - extra/gnome-speech -- 'openjdk6' multilib/lib32-libstdc++5 -- 'binutils-multilib' Repo Hierarchy for Dependencies - community/playonlinux depends on multilib/wine (102 extra (make)deps to pull) community/wine-mono depends on multilib/wine (102 extra (make)deps to pull) core/gettext depends on extra/libunistring (439 extra (make)deps to pull) core/make depends on extra/guile (439 extra (make)deps to pull) core/systemd depends on extra/libseccomp (439 extra (make)deps to pull) extra/accerciser depends on community/ipython (22 extra (make)deps to pull) extra/archboot depends on community/arch-wiki-lite (24 extra (make)deps to pull) extra/archboot depends on community/arch-wiki-lite (24 extra (make)deps to pull) extra/archboot depends on community/chntpw (22 extra (make)deps to pull) extra/archboot depends on community/cpupower (25 extra (make)deps to pull) extra/archboot depends on community/squashfs-tools (22 extra (make)deps to pull) extra/archboot depends on community/usb_modeswitch (22 extra (make)deps to pull) extra/archboot depends on community/wvdial (25 extra (make)deps to pull) extra/archboot depends on community/xl2tpd (22 extra (make)deps to pull) extra/archiso depends on community/squashfs-tools (22 extra (make)deps to pull) extra/ardour depends on community/libsmf (22 extra (make)deps to pull) extra/brltty depends on community/cython (22 extra (make)deps to pull) extra/calligra-krita depends on community/opencolorio (22 extra (make)deps to pull) extra/efl depends on community/luajit (22 extra (make)deps to pull) extra/fvwm-crystal depends on community/hsetroot (22 extra (make)deps to pull) extra/gnucash depends on community/aqbanking (24 extra (make)deps to pull) extra/gnucash depends on community/libdbi-drivers (24 extra (make)deps to pull) extra/hefur depends on community/protobuf (22 extra (make)deps to pull) extra/i8kutils depends on community/acpi (22 extra (make)deps to pull) extra/libqinfinity depends on community/libinfinity (22 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-bitop (22 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-expat (22 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-socket (22 extra (make)deps to pull) extra/mod_perl depends on community/perl-linux-pid (22 extra (make)deps to pull) extra/octave depends on community/arpack (22 extra (make)deps to pull) extra/python-cryptography depends on community/python-six (22 extra (make)deps to pull) extra/python-pyopenssl depends on community/python-six (22 extra (make)deps to pull) extra/python-rdflib depends on community/python-isodate (22 extra (make)deps to pull) extra/python2-cryptography depends on community/python2-six (22 extra (make)deps to pull) extra/python2-pyopenssl depends on community/python2-six (22 extra (make)deps to pull) extra/python2-rdflib depends on community/python2-isodate (22 extra (make)deps to pull) extra/qemu depends on community/usbredir (22 extra (make)deps to pull) extra/ruby depends on community/libyaml (0 extra (make)deps to pull) extra/vinagre depends on community/spice-gtk3 (25 extra (make)deps to pull) extra/x2goserver depends on community/pwgen (22 extra (make)deps to pull) extra/x2goserver depends on community/sshfs (22 extra (make)deps to pull) Repo Hierarchy for Makedepends community/virtualbox depends on multilib/dev86 (5 extra (make)deps to pull : lib32-glibc gcc-multilib gcc-libs-multilib gcc-ada-multilib lib32-gcc-libs) community/virtualbox depends on multilib/gcc-multilib (5 extra (make)deps to pull : gcc-libs-multilib gcc-ada-multilib lib32-glibc gcc-multilib lib32-gcc-libs) community/virtualbox depends on multilib/lib32-glibc (5 extra (make)deps to pull : gcc-multilib gcc-libs-multilib gcc-ada-multilib lib32-glibc
[arch-dev-public] Integrity Check i686: core, extra, community 28-03-2014
= Integrity Check i686 of core,extra,community = Performing integrity checks... == parsing pkgbuilds == parsing db files == checking mismatches == checking archs == checking dependencies == checking makedepends == checking hierarchy == checking for circular dependencies == checking for differences between db files and pkgbuilds Duplicate PKGBUILDs - /srv/abs/rsync/any/extra/pyopenssl vs. /srv/abs/rsync/i686/extra/pyopenssl /srv/abs/rsync/any/extra/pyopenssl vs. /srv/abs/rsync/i686/extra/pyopenssl Missing Dependencies -- community/chmsee -- 'xulrunner28.0' Missing Makedepends - extra/gnome-speech -- 'openjdk6' Repo Hierarchy for Dependencies - core/gettext depends on extra/libunistring (518 extra (make)deps to pull) core/make depends on extra/guile (518 extra (make)deps to pull) core/systemd depends on extra/libseccomp (518 extra (make)deps to pull) extra/accerciser depends on community/ipython (28 extra (make)deps to pull) extra/archboot depends on community/arch-wiki-lite (30 extra (make)deps to pull) extra/archboot depends on community/arch-wiki-lite (30 extra (make)deps to pull) extra/archboot depends on community/chntpw (28 extra (make)deps to pull) extra/archboot depends on community/cpupower (31 extra (make)deps to pull) extra/archboot depends on community/squashfs-tools (28 extra (make)deps to pull) extra/archboot depends on community/usb_modeswitch (28 extra (make)deps to pull) extra/archboot depends on community/wvdial (31 extra (make)deps to pull) extra/archboot depends on community/xl2tpd (28 extra (make)deps to pull) extra/archiso depends on community/squashfs-tools (28 extra (make)deps to pull) extra/ardour depends on community/libsmf (28 extra (make)deps to pull) extra/brltty depends on community/cython (28 extra (make)deps to pull) extra/calligra-krita depends on community/opencolorio (28 extra (make)deps to pull) extra/efl depends on community/luajit (28 extra (make)deps to pull) extra/fvwm-crystal depends on community/hsetroot (28 extra (make)deps to pull) extra/gnucash depends on community/aqbanking (30 extra (make)deps to pull) extra/gnucash depends on community/libdbi-drivers (30 extra (make)deps to pull) extra/hefur depends on community/protobuf (28 extra (make)deps to pull) extra/i8kutils depends on community/acpi (28 extra (make)deps to pull) extra/libqinfinity depends on community/libinfinity (28 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-bitop (28 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-expat (28 extra (make)deps to pull) extra/libquvi-scripts depends on community/lua-socket (28 extra (make)deps to pull) extra/mod_perl depends on community/perl-linux-pid (28 extra (make)deps to pull) extra/octave depends on community/arpack (28 extra (make)deps to pull) extra/python-cryptography depends on community/python-six (28 extra (make)deps to pull) extra/python-pyopenssl depends on community/python-six (28 extra (make)deps to pull) extra/python-rdflib depends on community/python-isodate (28 extra (make)deps to pull) extra/python2-cryptography depends on community/python2-six (28 extra (make)deps to pull) extra/python2-pyopenssl depends on community/python2-six (28 extra (make)deps to pull) extra/python2-rdflib depends on community/python2-isodate (28 extra (make)deps to pull) extra/qemu depends on community/usbredir (28 extra (make)deps to pull) extra/ruby depends on community/libyaml (0 extra (make)deps to pull) extra/vinagre depends on community/spice-gtk3 (31 extra (make)deps to pull) extra/x2goserver depends on community/pwgen (28 extra (make)deps to pull) extra/x2goserver depends on community/sshfs (28 extra (make)deps to pull) Repo Hierarchy for Makedepends core/btrfs-progs depends on extra/git (518 extra (make)deps to pull) core/ca-certificates depends on extra/python2 (518 extra (make)deps to pull) core/crda depends on community/python2-m2crypto (518 extra (make)deps to pull) core/dbus depends on extra/docbook-xsl (518 extra (make)deps to pull) core/dbus depends on extra/libx11 (518 extra (make)deps to pull) core/dbus depends on extra/xmlto (518 extra (make)deps to pull) core/device-mapper depends on extra/thin-provisioning-tools (518 extra (make)deps to pull) core/e2fsprogs depends on extra/bc (518 extra (make)deps to pull) core/efibootmgr depends on extra/git (518 extra (make)deps to pull) core/efivar depends on extra/git (518 extra (make)deps to pull) core/filesystem depends on community/asciidoc (518 extra (make)deps to pull) core/gcc depends on extra/doxygen (518 extra (make)deps to pull) core/gcc-ada depends on extra/doxygen (518 extra (make)deps to pull) core/gcc-fortran depends on extra/doxygen (518 extra (make)deps to pull) core/gcc-go depends on extra/doxygen (518 extra
Re: [arch-dev-public] brynhild down a.k.a pkgbuild.com
Am 28.03.2014 15:26, schrieb Ionut Biru: We have to do something about it before getting a new invoice for this piece of crap. I see that Bluewind started to resolve a bit this issue but now it's offline again. alderaan replacement - 32 gb ECC with 2x240gb ssd is a.k.a PX60-SSD 79€/mo + 99 € setup brynhild replament (if we don't keep the current alderaan for building) - 32 gb non ecc - 49€/mo + 49€ setup. We need to decide until 31 march. Lets do a vote. Let me forward that to Aaron to check if he can give his OK financially. That would be a one time fee of 99 + 49 = 148 € and our monthly fees would increase by 30 €. This means about 20 € extra for ECC RAM (if we still think that worth it) and 10 € for SSDs instead of spinning drives. Greetings, Pierre -- Pierre Schmitz, https://pierre-schmitz.com
Re: [arch-dev-public] brynhild down a.k.a pkgbuild.com
We absolutely have the funds for that! Shouldn't be a problem at all. I haven't done an exact in/out estimation of funds, but we have more than enough in reserve to cover this for a while. On Fri, Mar 28, 2014 at 11:27 AM, Pierre Schmitz pie...@archlinux.dewrote: Am 28.03.2014 15:26, schrieb Ionut Biru: We have to do something about it before getting a new invoice for this piece of crap. I see that Bluewind started to resolve a bit this issue but now it's offline again. alderaan replacement - 32 gb ECC with 2x240gb ssd is a.k.a PX60-SSD 79€/mo + 99 € setup brynhild replament (if we don't keep the current alderaan for building) - 32 gb non ecc - 49€/mo + 49€ setup. We need to decide until 31 march. Lets do a vote. Let me forward that to Aaron to check if he can give his OK financially. That would be a one time fee of 99 + 49 = 148 € and our monthly fees would increase by 30 €. This means about 20 € extra for ECC RAM (if we still think that worth it) and 10 € for SSDs instead of spinning drives. Greetings, Pierre -- Pierre Schmitz, https://pierre-schmitz.com
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
Am 28.03.2014 01:01, schrieb Thomas Bächler: core/logrotate 3.8.7-1 /etc/cron.daily/logrotate core/man-db 2.6.6-1 /etc/cron.daily/man-db core/mlocate 0.26-1 /etc/cron.daily/updatedb core/shadow 4.1.5.1-7 /etc/cron.daily/shadow extra/pkgstats 2.3-3/etc/cron.weekly/pkgstats After the overall positive response, I converted these. Since none of my machines used any cron jobs, I uninstalled cronie from them. signature.asc Description: OpenPGP digital signature
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson bis...@archlinux.org wrote: [2014-03-27 21:01:17 -0400] Daniel Micay: setuid binary (crontab) so it opens up a vulnerability in the base install. Among others (although one requires cron to be enabled): * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097 There were bugs that have been fixed a while ago; what's your point? I support switching to systemd timers in order to streamline our base install, as well as regroup daemons and periodic commands configuration in just one place. But I do not believe that replacing a small setuid binary by a larger one addresses any potential security issue. I agree with Gaetan that I don't see the big security concern here. However, I'm always in favor of dropping stuff from base whenever the opportunity arises. Once other base packages no longer ship cron jobs, I suppose there is no longer a reason to keep cronie in base? What's your take on that Gaetan (not sure if your comment was against dropping it, or just against the security concern)? Cheers, Tom
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
On 03/28/2014 06:26 PM, Thomas Bächler wrote: Am 28.03.2014 01:01, schrieb Thomas Bächler: core/logrotate 3.8.7-1 /etc/cron.daily/logrotate core/man-db 2.6.6-1 /etc/cron.daily/man-db core/mlocate 0.26-1 /etc/cron.daily/updatedb core/shadow 4.1.5.1-7 /etc/cron.daily/shadow extra/pkgstats 2.3-3/etc/cron.weekly/pkgstats After the overall positive response, I converted these. Since none of my machines used any cron jobs, I uninstalled cronie from them. Nice :) I guess for man-db should be better use tmpfiles instead of mkdir in the service unit. -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1 signature.asc Description: OpenPGP digital signature
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
On 28/03/14 06:01 PM, Tom Gundersen wrote: On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson bis...@archlinux.org wrote: [2014-03-27 21:01:17 -0400] Daniel Micay: setuid binary (crontab) so it opens up a vulnerability in the base install. Among others (although one requires cron to be enabled): * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097 There were bugs that have been fixed a while ago; what's your point? I support switching to systemd timers in order to streamline our base install, as well as regroup daemons and periodic commands configuration in just one place. But I do not believe that replacing a small setuid binary by a larger one addresses any potential security issue. I agree with Gaetan that I don't see the big security concern here. However, I'm always in favor of dropping stuff from base whenever the opportunity arises. Once other base packages no longer ship cron jobs, I suppose there is no longer a reason to keep cronie in base? What's your take on that Gaetan (not sure if your comment was against dropping it, or just against the security concern)? Cheers, Tom It's a very minor security concern, but I think it's a valid reason for having people who want it install it explicitly. It's not currently enabled by default, and will have a narrow use case when the existing packaged cron jobs on are. I don't think there will be a use case for a single user system anymore, or even *most* multi-user ones. signature.asc Description: OpenPGP digital signature
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
On 28/03/14 08:52 PM, Daniel Micay wrote: It's not currently enabled by default, and will have a narrow use case when the existing cron jobs on are. are gone*. signature.asc Description: OpenPGP digital signature
Re: [arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
[2014-03-28 23:01:22 +0100] Tom Gundersen: However, I'm always in favor of dropping stuff from base whenever the opportunity arises. Once other base packages no longer ship cron jobs, I suppose there is no longer a reason to keep cronie in base? What's your take on that Gaetan (not sure if your comment was against dropping it, or just against the security concern)? Yes, I will be very happy to move cronie out of [core] and stop maintaining it. :) My disagreement was only with the security argument. Cheers. -- Gaetan
