Re: [arch-general] btrfs raid 10 fileserver with ata errors

[Karol Babioch]

Hi,

Am 13.01.2017 um 03:22 schrieb niya levi via arch-general:
> how do i go about diagnosing and fixing the problem,
> any suggestions or guidance would be appreciated.
> shadrock

Check all cables and re-plug them. To narrow down the problem you can
also swap arond disks, so you know whether it is the disk itself or the
controller and/or cabling. But problems like these are a sometimes a
PITA to fix.

Best regards,
Karol Babioch



signature.asc
Description: OpenPGP digital signature

Re: [arch-general] Package signing on soyuz

[Jerome Leclanche]

So my current workflow allows doing everything on soyuz. I tried it
out for a couple of packages, it works well and FWICT it's secure.
Writeup on the setup below as requested on IRC the other day.



Local prerequisites:

- Extra socket must be enabled. In arch, that seems to be the case by
default. While doing this I discovered that systemd can manage
gpg-agent at the user level. To enable that: `systemctl --user enable
gpg-agent-extra.socket`. If you're managing this with systemctl, you
will also want to do `systemctl --user enable gpg-agent.socket` and
probably dirmngr.service as well.

When managed with systemd, these sockets will show up in
$XDG_RUNTIME_DIR/gnupg. If you have a custom $GNUPGHOME (eg. to move
it to ~/.config/gnupg), you'll need to unset that, as it is not
possible in gnupg to set the homedir without setting the socketdir.
Annoying. You can check the directories with `gpgconf --list-dir` (or
`gpgconf --list-dir socketdir specifically).

You definitely want the -extra socket. The regular one supports
exporting the private key (you definitely don't want that on the
remote). The -ssh one is for ssh-agent emulation, something different.

In .ssh/config, you want to add the following line to Host pkgbuild.com:

RemoteForward /run/user/1xxx/gnupg/S.gpg-agent
/run/user/1xxx/gnupg/S.gpg-agent.extra

The first path is the path *on the remote* (soyuz). The second is the
path on the client machine. You are forwarding your .extra socket to
be the gpg-agent socket. Replace the uid/path by the appropriate value
of $XDG_RUNTIME_DIR on the respective machines. Specifically, by the
value of $(gpgconf --list-dir agent-extra-socket) on the local and
$(gpgconf --list-dir agent-socket) on the remote.

Finally, as gpg-agent is currently enabled by default for users on
soyuz, it needs to be disabled. Disabling isn't even enough, as
forwarding the socket seems to be interpreted by systemd as "I want
this socket", which in turn triggers gpg-agent.
I'm still a little confused about this, but masking gpg-agent does the
trick: `systemctl --user mask gpg-agent.service`. This devnulls the
service file for your user.

Bluewind has already kindly taken care of adding
`StreamLocalBindUnlink yes` to the sshd_config, therefore removing the
sockets manually on logout is not necessary.

You should also make sure that you are not using pinentry-curses in
your gpg-agent.conf. That, afaik, won't work over ssh but I didn't
test it.

J. Leclanche


On Thu, Jan 19, 2017 at 12:51 AM, Jan Alexander Steffens via
arch-general  wrote:
> On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general <
> arch-general@archlinux.org> wrote:
>
>> I use only the ssh agent forwarding ("ForwardAgent yes" in
>> .ssh/config). On pkgbuild.com I build packages using the *-*-build as
>> always. When a package is built, I use a script [1] that downloads the
>> binary packages, signs them and uploads the signatures back to
>> pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
>> upload everything.
>>
>
> I've got something very similar, except:
>
> I only check out the trunks on soyuz. I change the PKGBUILD, build and
> commit there.
>
> A local script then runs archco, rsyncs the packages from soyuz to local,
> rsyncs the packages from soyuz to orion, then locally runs commitpkg to
> sign and release the packages.

Re: [arch-general] Package signing on soyuz

[Jan Alexander Steffens via arch-general]

On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general <
arch-general@archlinux.org> wrote:

> I use only the ssh agent forwarding ("ForwardAgent yes" in
> .ssh/config). On pkgbuild.com I build packages using the *-*-build as
> always. When a package is built, I use a script [1] that downloads the
> binary packages, signs them and uploads the signatures back to
> pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
> upload everything.
>

I've got something very similar, except:

I only check out the trunks on soyuz. I change the PKGBUILD, build and
commit there.

A local script then runs archco, rsyncs the packages from soyuz to local,
rsyncs the packages from soyuz to orion, then locally runs commitpkg to
sign and release the packages.

Re: [arch-general] Ardour 5 - Was: What's with Ray Rashif?

[Fons Adriaensen]

On Tue, Jan 17, 2017 at 11:39:10PM +0600, Rashif Ray Rahman wrote:
 
> Thanks guys for all the info you have been sharing, I got sloppy again
> and went into full panic mode in preparation for my master's thesis
> and subsequent defense (19th).

Good luck, break a leg, etc. !
 
-- 
FA

A world of exhaustive, reliable metadata would be an utopia.
It's also a pipe-dream, founded on self-delusion, nerd hubris
and hysterically inflated market opportunities. (Cory Doctorow)

Re: [arch-general] Package signing on soyuz

[Lukas Jirkovsky via arch-general]

On 17 January 2017 at 08:42, Jerome Leclanche  wrote:
> What is the current intended way to sign packages on the pkgbuild.com server?

I don't think there's any.

> I spent the past day setting up agent forwarding
> (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
> setting it up due to systemd being seemingly overzealous about the
> gpg-agent socket.  I have it working now, for myself, but wondering if
> anyone else is using it or if everybody is just signing locally.
>
> J. Leclanche

I use only the ssh agent forwarding ("ForwardAgent yes" in
.ssh/config). On pkgbuild.com I build packages using the *-*-build as
always. When a package is built, I use a script [1] that downloads the
binary packages, signs them and uploads the signatures back to
pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
upload everything.

[1] 
https://bitbucket.org/stativ/scripts/src/tip/shell/download-and-sign.sh?at=default=file-view-default

Lukas