Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Andreas Benzler
Hello Brian,

for such new software you go with CentOS 7. The older version is more rock
stable, but in case you use such a new laptop the newer one is the better / best choice.

You need to upgrade the kernel, there is no way out. CentOS delivers „only“
2.6 or 3.10.

http://elrepo.org/tiki/kernel-lt or http://elrepo.org/tiki/kernel-ml
can fix this.

- Totem and multimedia don't work fully. GStreamer is cut down.

Yesterday I installed my laptop with new hardware and most of it fully works,
but it was hard to go. Why? Take a look at my private repo
http://centos.cms4all.org/centos/7/
What does it do? Updates Kernel, Drivers, Mesa, GStreamer, Gutenprint (printers).
I'm a little bit of CentOS 7 and in these parts I'm on my own.

Don't flame me - Ubuntu LTS 16.04 is on the way and this should work for you.

The new nvidia series 9 will come with kernel 4.5 as far as I know (open source part)

Greetings

Andy

> On 28.04.2016 at 05:47, Valeri Galtsev wrote:
> 
> 
> On Wed, April 27, 2016 10:07 pm, Brian Bernard wrote:
>> Oh, I wouldn't flame you.
>> 
>> Hmm, I didn't think of using a virtual machine. The Lenovo has a NVidia
>> 960MX, so I wonder if it would fully work under a virtual machine.
> 
> Probably not. Normally virtual machine does not have that level of
> possession of hardware. At least Sun-Oracle Virtual Box doesn't. Somebody
> may correct me if I'm wrong here. If I were to do it, I would choose as
> host system the system your software requiring OpenGL is available for.
> And add other systems you need in virtual machines. Laptops, though
> powerful these days, still not the best choice for virtual machines IMHO.
> 
> Valeri
> 
>> 
>> The reason why I ask is that I do systems adminstration with
>> meteorological
>> software that requires OpenGL 2.0 and at least 2GB of video ram.
>> 
>> Thank you for your reply, Mike.
>> 
>> Brian Bernard
>> On Apr 27, 2016 10:43 PM, "Mike Mohr"  wrote:
>>> 
>>> Don't flame me, but I really recommend using Ubuntu on laptops. If you
>>> really want CentOS, you should go with version 7. Many new laptops won't
>>> work well with that either though.
>>> 
>>> CentOS 6 only works well these days on older hardware or on virtual
>>> machines.
>>> On Apr 27, 2016 7:27 PM, "Brian Bernard" 
>>> wrote:
>>> 
>>> Hi all,
>>> 
>>> I'm looking at buying a Lenovo Y700 Notebook, and wondering if it would
>>> work with CentOS 6. Or if anyone has experience with using it under
>>> CentOS
>>> 6. I assume that the WiFi could be an issue as it uses an Intel 8260
>>> card.
>>> I want to make the correct decision.
>>> 
>>> Thank you,
>>> 
>>> Brian Bernard
>>> ___
>>> CentOS mailing list
>>> CentOS@centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>> 
> 
> 
> 
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> 


Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 10:07 pm, Brian Bernard wrote:
> Oh, I wouldn't flame you.
>
> Hmm, I didn't think of using a virtual machine. The Lenovo has a NVidia
> 960MX, so I wonder if it would fully work under a virtual machine.

Probably not. Normally virtual machine does not have that level of
possession of hardware. At least Sun-Oracle Virtual Box doesn't. Somebody
may correct me if I'm wrong here. If I were to do it, I would choose as
host system the system your software requiring OpenGL is available for.
And add other systems you need in virtual machines. Laptops, though
powerful these days, still not the best choice for virtual machines IMHO.

Valeri

>
> The reason why I ask is that I do systems adminstration with
> meteorological
> software that requires OpenGL 2.0 and at least 2GB of video ram.
>
> Thank you for your reply, Mike.
>
> Brian Bernard
> On Apr 27, 2016 10:43 PM, "Mike Mohr"  wrote:
>>
>> Don't flame me, but I really recommend using Ubuntu on laptops. If you
>> really want CentOS, you should go with version 7. Many new laptops won't
>> work well with that either though.
>>
>> CentOS 6 only works well these days on older hardware or on virtual
>> machines.
>> On Apr 27, 2016 7:27 PM, "Brian Bernard" 
>> wrote:
>>
>> Hi all,
>>
>> I'm looking at buying a Lenovo Y700 Notebook, and wondering if it would
>> work with CentOS 6. Or if anyone has experience with using it under
>> CentOS
>> 6. I assume that the WiFi could be an issue as it uses an Intel 8260
>> card.
>> I want to make the correct decision.
>>
>> Thank you,
>>
>> Brian Bernard
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 10:12 pm, Alice Wonder wrote:
> On 04/27/2016 07:43 PM, Mike Mohr wrote:
>> Don't flame me, but I really recommend using Ubuntu on laptops. If you
>> really want CentOS, you should go with version 7. Many new laptops won't
>> work well with that either though.
>
> CentOS 7 works fine on my T410 thinkpad but that's not a new laptop...
>
> I use to use Ubuntu on the desktop but I stopped when they believed it
> was okay to send information I searched for my local workstation to
> Amazon without asking me first.
>
> I can not support any distribution that believes it is okay to do that
> sort of thing.
>
> Maybe it would have been okay if it had been opt-in, but it wasn't opt-in.

I would first try CentOS 7, second Debian. I have the same feelings about
Ubuntu as Alice does. I also do tend to avoid Lenovo after they were
caught installing malware on Windows systems they ship. You can search for
superfish and lenovo. Once caught, they stopped it. But once caught one
loses my trust for very-very long. I would look for Dell if I were
needing laptop without much trouble installing Linux on it - you can find
one certified for Ubuntu (sigh) and shipped with it. Just wipe Ubuntu, and
install system of your choice. For myself I got Toshiba ultrabook U904,
had no trouble to make it dual boot: Windows and CentOS 7 (all worked on
Linux side including touch screen, not much fanciness in Linux as far as
touch screen is concerned, but I kind of don't like touching my screen
anyway). Now, however, I wiped both systems and run only FreeBSD on
Toshiba ultrabook U904. Compared to Linux took me a bit of effort, but I
like it more that way.

I hope, others will mention other hardware choices (I figure, Lenovo
really set me off by what they did, sorry Lenovo fans).

I hope, this helps.

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Alice Wonder

On 04/27/2016 07:43 PM, Mike Mohr wrote:
> Don't flame me, but I really recommend using Ubuntu on laptops. If you
> really want CentOS, you should go with version 7. Many new laptops won't
> work well with that either though.

CentOS 7 works fine on my T410 thinkpad but that's not a new laptop...

I used to use Ubuntu on the desktop but I stopped when they believed it
was okay to send information I searched for my local workstation to
Amazon without asking me first.

I can not support any distribution that believes it is okay to do that
sort of thing.

Maybe it would have been okay if it had been opt-in, but it wasn't opt-in.



Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Brian Bernard
Oh, I wouldn't flame you.

Hmm, I didn't think of using a virtual machine. The Lenovo has a NVidia
960MX, so I wonder if it would fully work under a virtual machine.

The reason why I ask is that I do systems administration with meteorological
software that requires OpenGL 2.0 and at least 2GB of video ram.

Thank you for your reply, Mike.

Brian Bernard
On Apr 27, 2016 10:43 PM, "Mike Mohr"  wrote:
>
> Don't flame me, but I really recommend using Ubuntu on laptops. If you
> really want CentOS, you should go with version 7. Many new laptops won't
> work well with that either though.
>
> CentOS 6 only works well these days on older hardware or on virtual
> machines.
> On Apr 27, 2016 7:27 PM, "Brian Bernard" 
> wrote:
>
> Hi all,
>
> I'm looking at buying a Lenovo Y700 Notebook, and wondering if it would
> work with CentOS 6. Or if anyone has experience with using it under CentOS
> 6. I assume that the WiFi could be an issue as it uses an Intel 8260 card.
> I want to make the correct decision.
>
> Thank you,
>
> Brian Bernard


Re: [CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Mike Mohr
Don't flame me, but I really recommend using Ubuntu on laptops. If you
really want CentOS, you should go with version 7. Many new laptops won't
work well with that either though.

CentOS 6 only works well these days on older hardware or on virtual
machines.
On Apr 27, 2016 7:27 PM, "Brian Bernard" 
wrote:

Hi all,

I'm looking at buying a Lenovo Y700 Notebook, and wondering if it would
work with CentOS 6. Or if anyone has experience with using it under CentOS
6. I assume that the WiFi could be an issue as it uses an Intel 8260 card.
I want to make the correct decision.

Thank you,

Brian Bernard


[CentOS] Any CentOS 6 Issues on Lenovo Y700?

2016-04-27 Thread Brian Bernard
Hi all,

I'm looking at buying a Lenovo Y700 Notebook, and wondering if it would
work with CentOS 6. Or if anyone has experience with using it under CentOS
6. I assume that the WiFi could be an issue as it uses an Intel 8260 card.
I want to make the correct decision.

Thank you,

Brian Bernard


Re: [CentOS] systemd-journald corruption

2016-04-27 Thread Chris Adams
Once upon a time, Chris Murphy  said:
> Also I wonder if merely restarting the journal daemon solves it:
> 
> systemctl restart systemd-journald
> 
> What should happen is it realizes its own logs are corrupt and ignores
> them, and starts working on new copies. And journalctl should still
> try to read the old ones but skips the corrupt entries.

I tried that and it didn't work (at least not every time).  I had to
actually remove the journal file to get it functional again.

So far, turning off the compression appears to have worked (but I'll
have to watch it for a day or two to really see).

-- 
Chris Adams 


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Pouar
On 04/27/16 15:16, William A. Mahaffey III wrote:
> On 04/27/16 13:21, Pouar wrote:
>> On 04/27/16 08:49, William A. Mahaffey III wrote:
>>> On 04/26/16 21:13, John R Pierce wrote:
>>>> On 4/26/2016 6:45 PM, Jack Bailey wrote:
>>>>> Today someone in a meeting claimed the Bourne shell is deprecated,
>>>>> one of the reasons being it supposedly has security issues.  Well
>>>>> that's all news to me, and I cannot find anything online to
>>>>> corroborate the claim.  Is this true, is it a bash vs. Bourne FUD,
>>>>> or something else?
>>>> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
>>>> /bin/bash...
>>>>
>>>> last OS I can think of with an actual Bourne shell was Solaris.
>>>>
>>> The various *BSD's have & use the actual Bourne shell 
>>>
>>>
>> Which one? All the BSDs I know of use the Almquist Shell except for
>> OpenBSD which uses a patched version of the Public Domain Korn Shell
>>
>>
>>
>
> NetBSD 6.1.5 uses the Bourne shell by default for root logins & uses
> it for the rc.d system. FreeBSD 9.3 Release has it installed because
> it is needed for the rc.d system. All I can vouch for 
>
>
I'm pretty sure that's a variant of the Almquist Shell

-- 
Pouar



Re: [CentOS] systemd-journald corruption

2016-04-27 Thread Chris Murphy
On Wed, Apr 27, 2016 at 7:05 AM, Chris Adams  wrote:
> Once upon a time, Chris Murphy  said:
>> On Tue, Apr 26, 2016 at 3:01 PM, Chris Adams  wrote:
>> > Once upon a time, Chris Murphy  said:
>> >> On Tue, Apr 26, 2016, 2:09 PM Chris Adams  wrote:
>> >> > I have several recently-installed CentOS 7 servers that keep having
>> >> > systemd-journald corruption
>> >>
>> >> Determined with 'journalctl --verify' or another way?
>
> One system did get into this state overnight, and that said:
>
> [root@spamscan3 ~]# journalctl --verify
> 15bd478: invalid object
> File corruption detected at /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal:15bd478 (of 25165824 bytes, 90%).
> FAIL: /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal (Cannot assign requested address)
> (and then a bunch of passes on the rest of the files)
>
>> There's also this patch as a suggested fix:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1292447#c9
>
> I'll take a look at that.
>
>> What version of systemd and rsyslog? systemd-219-19.el7_2.7 and
>> rsyslog-7.4.7-12 are current.
>
> Those are the versions I have.
>
>> If you're there already you could try editing
>> /etc/systemd/journald.conf and uncommenting Compress=yes and changing
>> it to no.
>
> Thanks, I'm trying that on these servers.

Also I wonder if merely restarting the journal daemon solves it:

systemctl restart systemd-journald

What should happen is it realizes its own logs are corrupt and ignores
them, and starts working on new copies. And journalctl should still
try to read the old ones but skips the corrupt entries.

If that works you could schedule a restart of the journal periodically
as a goofy hack work around until it gets fixed. Clearly Red Hat knows
about this problem.

-- 
Chris Murphy
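Added example (not part of the thread and not any poster's own code): a report-only triage helper for the situation discussed above. It extracts the files that `journalctl --verify` marks FAIL and reads the effective `Compress=` value from a journald.conf-style file. The function names are hypothetical, the PASS line in the sample is constructed, and the script assumes the built-in default for `Compress=` is `yes`, as the commented-out line mentioned in the thread suggests.

```shell
#!/bin/sh
# Triage helpers for journal corruption. Report-only: nothing here
# deletes, rotates or rewrites a journal file.

# Read `journalctl --verify` output on stdin and print the path of every
# file reported as FAIL (the trailing "(reason)" is stripped).
failed_journals() {
    sed -n 's/^FAIL: \(.*\) (.*)$/\1/p'
}

# Print the effective Compress= value from a journald.conf-style file ($1).
# Commented-out lines are ignored, the last assignment inside [Journal]
# wins, and with no assignment the assumed default "yes" is printed.
compress_setting() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_journal = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
        in_journal && /^[ \t]*Compress[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); value = $0
        }
        END { print (value == "" ? "yes" : value) }
    ' "$1"
}

# Constructed sample: the first three lines follow the output quoted in the
# thread; the PASS line is made up for illustration.
sample_verify_output() {
    cat <<'EOF'
15bd478: invalid object
File corruption detected at /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal:15bd478 (of 25165824 bytes, 90%).
FAIL: /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal (Cannot assign requested address)
PASS: /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system@example.journal
EOF
}

# Demo on the constructed data. On a real host the equivalent would be:
#   journalctl --verify 2>&1 | failed_journals
#   compress_setting /etc/systemd/journald.conf
conf=$(mktemp)
printf '[Journal]\n#Compress=yes\nCompress=no\n' > "$conf"   # constructed config
echo "corrupt journal files:"
sample_verify_output | failed_journals
echo "effective Compress=$(compress_setting "$conf")"
rm -f "$conf"
```

Keeping a copy of a file reported as FAIL before removing it preserves whatever entries are still readable in it.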


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread JJB

On 04/27/16 15:33, Jon LaBadie wrote:
> The V1 shell was of course not Bourne's.
>
> However Bourne's code was consider "unmaintainable" as he was an
> algol coder, not a C coder.  He had numerous macros defined to
> allow him to use his algol coding style with a C compiler.

So *that's* what it is!  I have a copy of the source (on paper). What a
hoot!  I thought he was trying to make C look like shell code.


Jack



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread JJB

On 04/27/16 15:18, Chris Adams wrote:
> Once upon a time, JJB  said:
>> Interesting.  Back in 1980 we called /bin/sh the Mashey shell.  It
>> did not have command substitution or other things we now take for
>> granted.  Bourne did that for us.  So there's a version or two
>> missing in history...
>
> Check the history here:
>
> https://github.com/dspinellis/unix-history-repo

This history might be that of a particular lineage.  CB UNIX and PWB
UNIX existed in the gap between 1975 and 1979.

https://en.wikipedia.org/wiki/CB_UNIX

Jack



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Jon LaBadie
On Wed, Apr 27, 2016 at 03:32:49PM -0453, William A. Mahaffey III wrote:
> 
> From NetBSD 6.1.5:
> 
> 
> 4256EE1 # man sh
...
> SH(1)
> 
> NAME
>  sh -- command interpreter (shell)
...
> 
> HISTORY
>  A sh command appeared in Version 1 AT&T UNIX.  It was, however,
>  unmaintainable so we wrote this one.
> 

The V1 shell was of course not Bourne's.

However Bourne's code was considered "unmaintainable" as he was an
algol coder, not a C coder.  He had numerous macros defined to
allow him to use his algol coding style with a C compiler.

jl
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Chris Adams
Once upon a time, JJB  said:
> Interesting.  Back in 1980 we called /bin/sh the Mashey shell.  It
> did not have command substitution or other things we now take for
> granted.  Bourne did that for us.  So there's a version or two
> missing in history...

Check the history here:

https://github.com/dspinellis/unix-history-repo
-- 
Chris Adams 


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 3:16 pm, William A. Mahaffey III wrote:
> On 04/27/16 13:21, Pouar wrote:
>> On 04/27/16 08:49, William A. Mahaffey III wrote:
>>> On 04/26/16 21:13, John R Pierce wrote:
>>>> On 4/26/2016 6:45 PM, Jack Bailey wrote:
>>>>> Today someone in a meeting claimed the Bourne shell is deprecated,
>>>>> one of the reasons being it supposedly has security issues.  Well
>>>>> that's all news to me, and I cannot find anything online to
>>>>> corroborate the claim.  Is this true, is it a bash vs. Bourne FUD,
>>>>> or something else?
>>>> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
>>>> /bin/bash...
>>>>
>>>> last OS I can think of with an actual Bourne shell was Solaris.
>>>>
>>> The various *BSD's have & use the actual Bourne shell 
>>>
>>>
>> Which one? All the BSDs I know of use the Almquist Shell except for
>> OpenBSD which uses a patched version of the Public Domain Korn Shell
>>
>>
>>
>
> NetBSD 6.1.5 uses the Bourne shell by default for root logins & uses it
> for the rc.d system. FreeBSD 9.3 Release has it installed because it is
> needed for the rc.d system. All I can vouch for 
>

Yes. Here is excerpt from "man sh" (appears the same on FreeBSD 9.3 and
10.3):

 A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX.  It
 was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
 ited the name sh.

 This version of sh was rewritten in 1989 under the BSD license after the
 Bourne shell from AT&T System V Release 4 UNIX.



>
> --
>
>   William A. Mahaffey III
>
>   --
>
>   "The M1 Garand is without doubt the finest implement of war
>ever devised by man."
> -- Gen. George S. Patton Jr.
>
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread William A. Mahaffey III

On 04/27/16 14:19, John R Pierce wrote:
>>>> last OS I can think of with an actual Bourne shell was Solaris.
>>>
>>> The various *BSD's have & use the actual Bourne shell
>>
>> Which one? All the BSDs I know of use the Almquist Shell except for
>> OpenBSD which uses a patched version of the Public Domain Korn Shell
>
> indeed, the man for sh(1) on freebsd 10.3 says (in part)
>
> HISTORY
>  A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX.  It
>  was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
>  ited the name sh.
>
>  This version of sh was rewritten in 1989 under the BSD license after the
>  Bourne shell from AT&T System V Release 4 UNIX.
>
> AUTHORS
>  This version of sh was originally written by Kenneth Almquist.





From NetBSD 6.1.5:


4256EE1 # man sh
man: Formatting manual page...
SH(1)   General Commands Manual   SH(1)

NAME
 sh -- command interpreter (shell)

SYNOPSIS
 sh [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
    [+o option_name] [command_file [argument ...]]
 sh -c [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
    [+o option_name] command_string [command_name [argument ...]]
 sh -s [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
    [+o option_name] [argument ...]

DESCRIPTION
 sh is the standard command interpreter for the system.  The current
 version of sh is in the process of being changed to conform with the
 POSIX 1003.2 and 1003.2a specifications for the shell.  This version has
 many features which make it appear similar in some respects to the Korn
 shell, but it is not a Korn shell clone (see ksh(1)).  Only features
 designated by POSIX, plus a few Berkeley extensions, are being
 incorporated into this shell.  This man page is not intended to be a
 tutorial or a complete specification of the shell.

.
.
.

HISTORY
 A sh command appeared in Version 1 AT&T UNIX.  It was, however,
 unmaintainable so we wrote this one.

BUGS
 Setuid shell scripts should be avoided at all costs, as they are a
 significant security risk.

 PS1, PS2, and PS4 should be subject to parameter expansion before being
 displayed.

 The characters generated by filename completion should probably be quoted
 to ensure that the filename is still valid after the input line has been
 processed.

NetBSD 6.1.5   October 4, 2011   NetBSD 6.1.5
4256EE1 #


There was/is nothing at the end w/ any more identifying info.


From FreeBSD 9.3R:

[root@kabini1, /etc, 3:22:38pm] 888 % man sh
SH(1)   FreeBSD General Commands Manual   SH(1)

NAME
 sh -- command interpreter (shell)

SYNOPSIS
 sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] [script [arg ...]]
 sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] -c string [name [arg ...]]
 sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] -s [arg ...]

DESCRIPTION
 The sh utility is the standard command interpreter for the system.  The
 current version of sh is close to the IEEE Std 1003.1 (``POSIX.1'') spec-
 ification for the shell.  It only supports features designated by POSIX,
 plus a few Berkeley extensions.  This man page is not intended to be a
 tutorial nor a complete specification of the shell.

.
.
.

HISTORY
 A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX.  It
 was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
 ited the name sh.

 This version of sh was rewritten in 1989 under the BSD license after the
 Bourne shell from AT&T System V Release 4 UNIX.

AUTHORS
 This version of sh was originally written by Kenneth Almquist.

BUGS
 The sh utility does not recognize multibyte characters other than UTF-8.
 Splitting using IFS and the line editing library editline(3) do not rec-
 ognize multibyte characters.

FreeBSD 9.3   January 3, 2014   FreeBSD 9.3
[root@kabini1, /etc, 3:31:58pm] 889 %



So FreeBSD does indeed appear to use the Almquist shell.


--

William A. Mahaffey III

 --

"The M1 Garand is without doubt the finest implement of war
 ever devised by man."
   -- Gen. George S. Patton Jr.



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread William A. Mahaffey III

On 04/27/16 13:21, Pouar wrote:
> On 04/27/16 08:49, William A. Mahaffey III wrote:
>> On 04/26/16 21:13, John R Pierce wrote:
>>> On 4/26/2016 6:45 PM, Jack Bailey wrote:
>>>> Today someone in a meeting claimed the Bourne shell is deprecated,
>>>> one of the reasons being it supposedly has security issues.  Well
>>>> that's all news to me, and I cannot find anything online to
>>>> corroborate the claim.  Is this true, is it a bash vs. Bourne FUD,
>>>> or something else?
>>> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
>>> /bin/bash...
>>>
>>> last OS I can think of with an actual Bourne shell was Solaris.
>>
>> The various *BSD's have & use the actual Bourne shell
>
> Which one? All the BSDs I know of use the Almquist Shell except for
> OpenBSD which uses a patched version of the Public Domain Korn Shell


NetBSD 6.1.5 uses the Bourne shell by default for root logins & uses it 
for the rc.d system. FreeBSD 9.3 Release has it installed because it is 
needed for the rc.d system. All I can vouch for 



--

William A. Mahaffey III

 --

"The M1 Garand is without doubt the finest implement of war
 ever devised by man."
   -- Gen. George S. Patton Jr.



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread John R Pierce

On 4/27/2016 12:59 PM, JJB wrote:
> Interesting.  Back in 1980 we called /bin/sh the Mashey shell.  It did
> not have command substitution or other things we now take for
> granted.  Bourne did that for us.  So there's a version or two missing
> in history...


this suggests the PWB/Mashey shell was pretty short lived... 
https://en.wikipedia.org/wiki/PWB_shell


derivatives of Unix Version 7 were about the first Unix version most 
people outside of a few universities ever saw, like I believe my first 
in depth exposure to Unix was 4.1BSD, on Dec VAX 11/780.   I remember 
having to get a Unix/32V license from AT&T, then photocopy the label of 
the tape and fax it to Berkeley before we could get 4.1BSD from them due 
to licensing weirdness.  I don't remember ever even mounting that AT&T tape.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread JJB



>>> The various *BSD's have & use the actual Bourne shell
>>
>> Which one? All the BSDs I know of use the Almquist Shell except for
>> OpenBSD which uses a patched version of the Public Domain Korn Shell
>
> indeed, the man for sh(1) on freebsd 10.3 says (in part)
>
> HISTORY
>  A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX.  It
>  was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
>  ited the name sh.
>
>  This version of sh was rewritten in 1989 under the BSD license after the
>  Bourne shell from AT&T System V Release 4 UNIX.



Interesting.  Back in 1980 we called /bin/sh the Mashey shell.  It did 
not have command substitution or other things we now take for granted.  
Bourne did that for us.  So there's a version or two missing in history...


Jack


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread John R Pierce



>>> last OS I can think of with an actual Bourne shell was Solaris.
>>
>> The various *BSD's have & use the actual Bourne shell
>
> Which one? All the BSDs I know of use the Almquist Shell except for
> OpenBSD which uses a patched version of the Public Domain Korn Shell


indeed, the man for sh(1) on freebsd 10.3 says (in part)

HISTORY
 A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX.  It
 was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
 ited the name sh.

 This version of sh was rewritten in 1989 under the BSD license after the
 Bourne shell from AT&T System V Release 4 UNIX.

AUTHORS
 This version of sh was originally written by Kenneth Almquist.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Pouar
On 04/27/16 08:49, William A. Mahaffey III wrote:
> On 04/26/16 21:13, John R Pierce wrote:
>> On 4/26/2016 6:45 PM, Jack Bailey wrote:
>>>
>>> Today someone in a meeting claimed the Bourne shell is deprecated,
>>> one of the reasons being it supposedly has security issues.  Well
>>> that's all news to me, and I cannot find anything online to
>>> corroborate the claim.  Is this true, is it a bash vs. Bourne FUD,
>>> or something else? 
>>
>> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
>> /bin/bash...
>>
>> last OS I can think of with an actual Bourne shell was Solaris.
>>
>>
>
> The various *BSD's have & use the actual Bourne shell 
>
>
Which one? All the BSDs I know of use the Almquist Shell except for
OpenBSD which uses a patched version of the Public Domain Korn Shell

-- 
Pouar



[CentOS] CentOS CI Testing Prior to Releasing Packages

2016-04-27 Thread Johnny Hughes
In another thread I talked about running CI testing on a package before
release.  I thought I would explain that a bit more AND ask for tests,
if they are needed.

Prior to pushing newly released packages into the main CentOS os,
updates, extras, cr, or fasttrack repositories, we run our t_functional
CI test suite on the entire repo set.  So if we are releasing an update,
it would be against the os and updates repositories.  Or if we release
fasttrack package, it would be os, updates, fasttrack repositories.

We also run this test suite on the final OS repository during point
release upgrades.

Here is information on the t_functional suite.

https://wiki.centos.org/QaWiki/AutomatedTests/WritingTests/t_functional

And here is where I actually run the suite prior to releasing updates:

https://ci.centos.org/view/CentOS-Core/

The reason I bring this up is we will accept updates to the tests to
check for things that should be tested prior to release of a repository. 

If you know of something that we sometimes get wrong and create a test
that returns exit code other than 0 for a fail, and if you can convince
us (on the CentOS-Devel mailing list) that it should be included, then
you can help us release better updates to CentOS Linux.

Thanks,
Johnny Hughes







Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread Johnny Hughes
On 04/27/2016 10:36 AM, Phelps, Matthew wrote:
> On Wed, Apr 27, 2016 at 11:23 AM, Johnny Hughes  wrote:
> 
>> On 04/27/2016 09:23 AM, James Pearson wrote:
>>> Phil Wyett wrote:
>>>> On Wed, 2016-04-27 at 08:27 -0400, Phelps, Matthew wrote:
>>>>> The latest version of firefox, 46.0 requires GTK3 and so it fails on
>>>>> CentOS 6.7.
>>>>>
>>>>> I know there is the ESR release supplied by upstream, but that is
>>>>> based on version 38. We have regularly installed the Mozilla "Linux"
>>>>> version of Firefox in a central location for our users, and this has
>>>>> worked just fine until 46.0. (I note from
>>>>> https://www.mozilla.org/en-US/firefox/organizations/faq/ that even
>>>>> that ESR release is due to stop being supported soon).
>>>>>
>>>>> I filed a bugzilla report at
>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters
>>>>> to you, please consider tagging onto that bug.
>>>>>
>>>>> Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
>>>>> work required to get this done is huge, and won't happen soon.
>>>>>
>>>>> The whole idea of using RHEL/CentOS is to have a stable, supported
>>>>> version for a long period of time. How can we do this if even a web
>>>>> browser won't work?
>>>>
>>>> Hi,
>>>>
>>>> The latest firefox ESR for RHEL/CentOS 5, 6 and 7 is 45.1. That version
>>>> should appear in CentOS updates when Mr Hughes has worked his magic.
>>>>
>>>> With 46 not being an ESR and not released for RHEL/CentOS, it is not
>>>> really something most here would be too worried about.
>>>
>>> Mozilla still (currently) support GTK2 as a build option - so if want to
>>> run Firefox 46 (and above) on CentOS 6, then you will need to build it
>>> from source
>>>
>>> You might be able to start with the 45.1 SRPM and hack the spec file to
>>> build 46.0 ...
>>
>> Or just use the ESR version that Red Hat releases :)
>>
>> ESR is updated at intervals, and it went from 38 to 45, will go up again
>> in 6 or 7 releases again.
>>
>> Things move on (like firefox) while enterprise distros purposely have a
>> slower cadence.  Fedora has GTK3 and all the other bells and whistles.
>> If that is the type of cadence you want, Fedora is an excellent distro.
>>
>> I should have the CentOS-6 (and CentOS-5) version of Firefox 45 out in a
>> couple of minutes .. currently building metadata and testing them on
>> https://ci.centos.org/
>>
>> CentOS-7 version of Firefox 45 was released yesterday.
>>
>>
>>
> Thanks Johnny. Getting the ESR release up to 45 for CO6 is good enough for
> us while we work on CO7.
> 
> I didn't realize the ESR would ever move off of 38.x.
> 
> 

FYI .. Here is the ESR program, run by Mozilla.  Red Hat usually is very
quick to move, usually at the 'MAJOR.1' release (in this case 45.1).
You can see the next rebase will be version 52.  So we will likely move
from 45.7 or 45.8 to 52.0 or 52.1.  Unless they do something that makes
it completely incompatible with a CentOS version.

https://www.mozilla.org/en-US/firefox/organizations/faq/







Re: [CentOS] where, if at all, is my virtual printer output?

2016-04-27 Thread Michael Hennebry

On Tue, 26 Apr 2016, Frank Cox wrote:


> On Tue, 26 Apr 2016 17:57:31 -0500 (CDT)
> Michael Hennebry wrote:
>
>> Now there are two virtual printers,
>> one named Cups-PDF
>
> Out of the box, cups-pdf creates a pdf and puts it on your desktop.
>
> You can configure that with /etc/cups/cups-pdf.conf


Thanks.

--
Michael   henne...@web.cs.ndsu.nodak.edu
"Sorry but your password must contain an uppercase letter, a number,
a haiku, a gang sign, a heiroglyph, and the blood of a virgin."
 --  someeecards


[CentOS] Mod_radius_auth for apache?

2016-04-27 Thread Eero Volotinen
Any package with srpm available for radius auth on apache?

Eero


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Gordon Messmer

On 04/27/2016 05:20 AM, Joerg Schilling wrote:

> While older versions of the Bourne Shell are not POSIX compliant, recent
> versions only miss the feature "arithmetic expansion" and are otherwise
> probably closer to POSIX than bash or dash. Note that "dash" does not support
> multi-byte characters and thus cannot be certified for a full UNIX system but
> only for embedded UNIX systems.


That's good to know.  But, since there seem to be several forks of 
Bourne shell, currently, is there a reference for the differences 
between them?



> As far as I can see, this was related to "mailx" and not to the shell.


I looked for substantiation of the original claim that the bourne shell 
had security problems.  Apparently I should have looked closer.  Thanks 
for catching that.




[CentOS] system-config-printer samba broken

2016-04-27 Thread Andreas Benzler
Hello guys…

While I was working with a special printer setup, the following problems are there:

samba:
1. system-config-printer 1.4.1 - printers not browsable. Fixed by fedora.

can be found here. Patch included

http://centos.cms4all.org/centos/7/printing/SRPM/ 


system-config-printer-1.4.1-20.el7.centos.src.rpm


2. system-config-printer Verify … works as expected

3. "Prompt user if authentication is required" - never happens

4. Set authentication details now:
Fail because of realm

   Only User - fail
   WORKGROUP\User fail

   How to fill the username to get realm passed?

Thanks for advice

Andy

In the meantime I update my gutenprint for more printers. Needs to be tested.




Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread Jon LaBadie
On Wed, Apr 27, 2016 at 09:39:10AM -0400, m.r...@5-cent.us wrote:
> This is weird. As in, *deeply* weird.
> 
> I ssh as root from one box to another (there are keys involved), and I go
> to vi a file, such as
> # line 1 #
> # line 2 #
> # line 3
> # line 4
> 
> And what I see in vi is
> # line 3
> # line 4
> 
> BUT, if I scroll the cursor over each line with the arrow key... I see all
> four lines. I've also looked at another file, and same thing. Just checked
> it out on the server I ssh'd in from, and no problem.  And now, I just
> ssh'd in from another windows, same way... and the weirdness isn't there.
> 
> Anyone have any clues as to what's going on with that one session?

That sounds like a file generated from different OS's that have
different end of line terminators.  For example a line like this:

  # line 1 #\r# line 3\n   (\r == CR, \n == NL)

might display as just "# line 3" because the cursor returned to the
beginning of the line at the "\r".

Jon
-- 
Jon H. LaBadie j...@jgcomp.com
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)
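
The line-terminator explanation above can be checked against a real file. The following Python is an added example, not part of the original post: it counts LF, CRLF and bare-CR terminators and shows what a terminal that honours CR would leave on screen for each affected line. The sample bytes and all function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Report lines whose on-screen appearance differs from their bytes because
of a carriage return (CR) that is not part of a CRLF line ending."""
import sys

# Constructed sample (not taken from the thread): two lines with an embedded
# CR, one DOS-style CRLF line and one plain LF line.
SAMPLE = (
    b"# line 1\r# line 3\n"
    b"# line 2 #\r# line 4\n"
    b"# line 5\r\n"
    b"# line 6\n"
)


def render_line(text):
    """Return what a terminal that honours CR leaves on screen for one line.

    CR moves the cursor back to column 0; characters written afterwards
    overwrite what was there. Anything the later text does not cover stays
    visible, so a shorter second segment leaves a tail of the first.
    """
    cells = []
    col = 0
    for ch in text:
        if ch == "\r":
            col = 0
            continue
        if col < len(cells):
            cells[col] = ch
        else:
            cells.append(ch)
        col += 1
    return "".join(cells)


def line_ending_summary(data):
    """Count LF-only, CRLF and bare-CR terminators in a byte string."""
    crlf = data.count(b"\r\n")
    return {
        "lf": data.count(b"\n") - crlf,
        "crlf": crlf,
        "bare_cr": data.count(b"\r") - crlf,
    }


def find_embedded_cr(data):
    """Return (line_number, raw_text, displayed_text) for every line that
    contains a CR other than the single one of a CRLF line ending."""
    findings = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        # A single trailing CR is an ordinary DOS line ending; ignore it.
        body = line[:-1] if line.endswith(b"\r") else line
        if b"\r" not in body:
            continue
        text = body.decode("utf-8", errors="replace")
        findings.append((number, text, render_line(text)))
    return findings


def report(name, data):
    """Build a human-readable report for one file's contents."""
    out = ["%s: %s" % (name, line_ending_summary(data))]
    for number, text, shown in find_embedded_cr(data):
        out.append("  line %d: bytes %r display as %r" % (number, text, shown))
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as handle:
                print(report(path, handle.read()))
    else:
        print(report("<constructed sample>", SAMPLE))
```

Run it with file names as arguments to check real files; with no arguments it reports on the constructed sample.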


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 08:46 AM, Valeri Galtsev wrote:


> On Wed, April 27, 2016 10:29 am, m.r...@5-cent.us wrote:
>> Alice Wonder wrote:
>>> On 04/27/2016 01:21 AM, Brandon Vincent wrote:
>>>> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen wrote:
>>>>> Sounds good, but how many domain MX servers have set up these
>>>>> fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess
>>>>> I'm thinking it uses it if available. So even if you do post it on
>>>>> your DNS, how many clients out there are using DANE on their set up?
>>>>> By the time it becomes more than a tiny % and generally useful, it
>>>>> will be in CentOS 8. It also requires certificates to be implemented
>>>>> more ubiquitously than at present - although we do now have
>>>>> affordable solutions, so this one may resolve more quickly.
>>>
>>> Security and Privacy on the Internet are both severely broken.
>>>
>>> If you read the white papers from when the Internet was first being
>>> designed, security was rarely even mentioned.
>>
>> Just as a point of information, when those RFCs were written, the Internet
>> was *only* for US gov't, and selected research and educational
>> organizations, and NO ONE else. The open 'Net only came in in the nineties
>> - so security wasn't broken and insecure, back then there was physical
>> security and careful selection as to who was allowed on, at all.
>
> That is true, they had in mind resilience of communication net to portions
> of it brought down (implying some nasty thing like nuclear exchange). Real
> security though is not in restriction of those who can access something
> (like government only). Security experts often say: if a secret is known
> to two people it likely is not a secret anymore ;-(


Yes, but that is why we need to focus on fixing it from the ground up - 
and that means DNS needs to be secured.


DNSSEC is not perfect, but I don't think there is anything that is truly 
perfect. Even "perfect forward secrecy" is not perfect (DHE should not 
be used with DH groups < 2048bit)


But to secure the Internet, one must be able to validate DNS responses 
and that requires DNSSEC.


To secure TLS, one must be able to validate the certificate and that 
requires DANE - we know Certificate Authorities can't be trusted.


So "Enterprise" or not, system administrators need to be implementing 
both of those - and mail servers should be making use of DANE records 
when they do exist.


Even if it means bumping a software version.

-=-

Illusion of security where it doesn't exist is dangerous, so deprecated 
protocols and cipher suites should not be supported, even if that means 
some e-mail messages end up sent in the plain.


But TLS libraries and software that uses them should be updated to 
support modern cryptography, even on Enterprise distributions, to avoid 
that.


That's my philosophy.




Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread m . roth
Valeri Galtsev wrote:
> On Wed, April 27, 2016 10:29 am, m.r...@5-cent.us wrote:
>> Alice Wonder wrote:
>>> On 04/27/2016 01:21 AM, Brandon Vincent wrote:
>>>> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen wrote:
>>>>> Sounds good, but how many domain MX servers have set up these
>>>>> fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess
>>>>> I'm thinking it uses it if available. So even if you do post it on
>>>>> your DNS, how many clients out there are using DANE on their set up?
>>>>> By the time it becomes more than a tiny % and generally useful, it
>>>>> will be in CentOS 8. It also requires certificates to be implemented
>>>>> more ubiquitously than at present - although we do now have
>>>>> affordable solutions, so this one may resolve more quickly.
>>>
>>> Security and Privacy on the Internet are both severely broken.
>>>
>>> If you read the white papers from when the Internet was first being
>>> designed, security was rarely even mentioned.
>>
>> Just as a point of information, when those RFCs were written, the
>> Internet was *only* for US gov't, and selected research and educational
>> organizations, and NO ONE else. The open 'Net only came in in the
>> nineties - so security wasn't broken and insecure, back then there was
>> physical security and careful selection as to who was allowed on, at all.
>
> That is true, they had in mind resilience of communication net to portions
> of it brought down (implying some nasty thing like nuclear exchange). Real
> security though is not in restriction of those who can access something
> (like government only). Security experts often say: if a secret is known
> to two people it likely is not a secret anymore ;-(

Yup, which drives some governments and companies *nuts*... but the
original specs included the idea that "if you can find ANY way for your
packets to get through, even if three-quarters of all the computers
between me and you are now radioactive dust, you will get those packets
through".

 mark



Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread isdtor
 
> I should have the CentOS-6 (and CentOS-5) version of Firefox 45 out in a
> couple of minutes .. currently building metadata and testing them on
> https://ci.centos.org/

Btw. this is the first ESR after the controversial removal of the "ask me every 
time" cookie policy. When the new browser is started for the first time, it 
will reset cookie policy to the default "keep until they expire".

Something to look out for



Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 10:29 am, m.r...@5-cent.us wrote:
> Alice Wonder wrote:
>> On 04/27/2016 01:21 AM, Brandon Vincent wrote:
>>> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen wrote:
>>>> Sounds good, but how many domain MX servers have set up these
>>>> fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess
>>>> I'm thinking it uses it if available. So even if you do post it on
>>>> your DNS, how many clients out there are using DANE on their set up?
>>>> By the time it becomes more than a tiny % and generally useful, it
>>>> will be in CentOS 8. It also requires certificates to be implemented
>>>> more ubiquitously than at present - although we do now have
>>>> affordable solutions, so this one may resolve more quickly.
>>>
>> Security and Privacy on the Internet are both severely broken.
>>
>> If you read the white papers from when the Internet was first being
>> designed, security was rarely even mentioned.
>
> Just as a point of information, when those RFCs were written, the Internet
> was *only* for US gov't, and selected research and educational
> organizations, and NO ONE else. The open 'Net only came in in the nineties
> - so security wasn't broken and insecure, back then there was physical
> security and careful selection as to who was allowed on, at all.

That is true, they had in mind resilience of communication net to portions
of it brought down (implying some nasty thing like nuclear exchange). Real
security though is not in restriction of those who can access something
(like government only). Security experts often say: if a secret is known
to two people it likely is not a secret anymore ;-(

Valeri

>
>mark



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Valeri Galtsev

On Tue, April 26, 2016 9:27 pm, Alice Wonder wrote:
> On 04/26/2016 07:21 PM, Digimer wrote:
>> On 26/04/16 10:07 PM, John R Pierce wrote:
>>> On 4/26/2016 6:45 PM, Jack Bailey wrote:

>>>> Today someone in a meeting claimed the Bourne shell is deprecated, one
>>>> of the reasons being it supposedly has security issues.  Well that's
>>>> all news to me, and I cannot find anything online to corroborate the
>>>> claim.  Is this true, is it a bash vs. Bourne FUD, or something else?
>>>
>>> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
>>> /bin/bash...
>>>
>>> last OS I can think of with an actual Bourne shell was Solaris.
>>
>> ??
>>
>> [root@an-striker01 ~]# cat /etc/redhat-release
>> CentOS release 6.7 (Final)
>>
>> [root@an-striker01 ~]# which bash
>> /bin/bash
>>
>> [root@an-striker01 ~]# ls -lah /bin/bash
>> -rwxr-xr-x. 1 root root 885K Sep 22  2015 /bin/bash
>>
>> [root@an-striker01 ~]# which sh
>> /bin/sh
>>
>> [root@an-striker01 ~]# ls -lah /bin/sh
>> lrwxrwxrwx. 1 root root 4 Mar 27 18:40 /bin/sh -> bash
>
> Yes, Red Hat and most (all?) GNU/Linux distributions have used bash as
> far back as I can remember.
>
> Some of the BSDs used to have a bourne shell and maybe some do, I don't
> know.
>
> bash is mostly compatible with bourne (can run most bourne scripts)
> which is why /bin/sh is a symlink to /bin/bash on GNU and most other
> *nix systems.
>
> Bourne is for all practical purposes dead.

Nope. FreeBSD (and its clones like PC-BSD) use Bourne shell for startup
scripts. OpenBSD comes with Bourne shell as well (though they use ksh for
system scripts if I remember it correctly). Not dead and there is a reason
for that.

Valeri




Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread Phelps, Matthew
On Wed, Apr 27, 2016 at 11:23 AM, Johnny Hughes  wrote:

> On 04/27/2016 09:23 AM, James Pearson wrote:
> > Phil Wyett wrote:
> >> On Wed, 2016-04-27 at 08:27 -0400, Phelps, Matthew wrote:
> >>> The latest version of firefox, 46.0 requires GTK3 and so it fails on
> >>> CentOS
> >>> 6.7.
> >>>
> >>> I know there is the ESR release supplied by upstream, but that is
> >>> based on
> >>> version 38. We have regularly installed the Mozilla "Linux" version of
> >>> Firefox in a central location for our users, and this has worked just
> >>> fine
> >>> until 46.0. (I note from
> >>> https://www.mozilla.org/en-US/firefox/organizations/faq/ that even
> >>> that ESR
> >>> release is due to stop being supported soon).
> >>>
> >>> I filed a bugzilla report at
> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters
> to
> >>> you, please consider tagging onto that bug.
> >>>
> >>> Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
> >>> work required to get this done is huge, and won't happen soon.
> >>>
> >>> The whole idea of using RHEL/CentOS is to have a stable, supported
> >>> version
> >>> for a long period of time. How can we do this if even a web browser
> >>> won't
> >>> work?
> >>>
> >>
> >> Hi,
> >>
> >> The latest firefox ESR for RHEL/CentOS 5, 6 and 7 is 45.1. That version
> >> should appear in CentOS updates when Mr Hughes has worked his magic.
> >>
> >> With 46 not being an ESR and not released for RHEL/CentOS, it is not
> >> really something most here would be too worried about.
> >
> > Mozilla still (currently) support GTK2 as a build option - so if want to
> > run Firefox 46 (and above) on CentOS 6, then you will need to build it
> > from source
> >
> > You might be able to start with the 45.1 SRPM and hack the spec file to
> > build 46.0 ...
>
> Or just use the ESR version that Red Hat releases :)
>
> ESR is updated at intervals, and it went from 38 to 45, will go up again
> in 6 or 7 releases again.
>
> Things move on (like firefox) while enterprise distros purposely have a
> slower cadence.  Fedora has GTK3 and all the other bells and whistles.
> If that is the type of cadence you want, Fedora is an excellent distro.
>
> I should have the CentOS-6 (and CentOS-5) version of Firefox 45 out in a
> couple of minutes .. currently building metadata and testing them on
> https://ci.centos.org/
>
> CentOS-7 version of Firefox 45 was released yesterday.
>
>
>
Thanks Johnny. Getting the ESR release up to 45 for CO6 is good enough for
us while we work on CO7.

I didn't realize the ESR would ever move off of 38.x.


-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread m . roth
Alice Wonder wrote:
> On 04/27/2016 01:21 AM, Brandon Vincent wrote:
>> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen wrote:
>>> Sounds good, but how many domain MX servers have set up these
>>> fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess
>>> I'm thinking it uses it if available. So even if you do post it on
>>> your DNS, how many clients out there are using DANE on their set up?
>>> By the time it becomes more than a tiny % and generally useful, it
>>> will be in CentOS 8. It also requires certificates to be implemented
>>> more ubiquitously than at present - although we do now have
>>> affordable solutions, so this one may resolve more quickly.
>>
> Security and Privacy on the Internet are both severely broken.
>
> If you read the white papers from when the Internet was first being
> designed, security was rarely even mentioned.

Just as a point of information, when those RFCs were written, the Internet
was *only* for US gov't, and selected research and educational
organizations, and NO ONE else. The open 'Net only came in in the nineties
- so security wasn't broken and insecure, back then there was physical
security and careful selection as to who was allowed on, at all.

   mark










Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread Johnny Hughes
On 04/27/2016 09:23 AM, James Pearson wrote:
> Phil Wyett wrote:
>> On Wed, 2016-04-27 at 08:27 -0400, Phelps, Matthew wrote:
>>> The latest version of firefox, 46.0 requires GTK3 and so it fails on
>>> CentOS
>>> 6.7.
>>>
>>> I know there is the ESR release supplied by upstream, but that is
>>> based on
>>> version 38. We have regularly installed the Mozilla "Linux" version of
>>> Firefox in a central location for our users, and this has worked just
>>> fine
>>> until 46.0. (I note from
>>> https://www.mozilla.org/en-US/firefox/organizations/faq/ that even
>>> that ESR
>>> release is due to stop being supported soon).
>>>
>>> I filed a bugzilla report at
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters to
>>> you, please consider tagging onto that bug.
>>>
>>> Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
>>> work required to get this done is huge, and won't happen soon.
>>>
>>> The whole idea of using RHEL/CentOS is to have a stable, supported
>>> version
>>> for a long period of time. How can we do this if even a web browser
>>> won't
>>> work?
>>>
>>
>> Hi,
>>
>> The latest firefox ESR for RHEL/CentOS 5, 6 and 7 is 45.1. That version
>> should appear in CentOS updates when Mr Hughes has worked his magic.
>>
>> With 46 not being an ESR and not released for RHEL/CentOS, it is not
>> really something most here would be too worried about.
> 
> Mozilla still (currently) support GTK2 as a build option - so if want to
> run Firefox 46 (and above) on CentOS 6, then you will need to build it
> from source
> 
> You might be able to start with the 45.1 SRPM and hack the spec file to
> build 46.0 ...

Or just use the ESR version that Red Hat releases :)

ESR is updated at intervals, and it went from 38 to 45, will go up again
in 6 or 7 releases again.

Things move on (like firefox) while enterprise distros purposely have a
slower cadence.  Fedora has GTK3 and all the other bells and whistles.
If that is the type of cadence you want, Fedora is an excellent distro.

I should have the CentOS-6 (and CentOS-5) version of Firefox 45 out in a
couple of minutes .. currently building metadata and testing them on
https://ci.centos.org/

CentOS-7 version of Firefox 45 was released yesterday.






Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 10:01 am, m.r...@5-cent.us wrote:
> Scott Robbins wrote:
>> On Tue, Apr 26, 2016 at 07:27:26PM -0700, Alice Wonder wrote:
>>>
>>> Some of the BSDs used to have a bourne shell and maybe some do, I don't
>>> know.
>>>
>> Yup.
>>
>>> bash is mostly compatible with bourne (can run most bourne scripts)
>>> which is why /bin/sh is a symlink to /bin/bash on GNU and most other
>>> *nix systems.
>>
>> Bash can run Bourne, but not necessarily vice versa, which can be
>> problematic if, say, moving a Linux script to a BSD or AIX box.   I
>> remember something I'd done which used, IIRC, $UID, without realizing it
>> was a bashism, instead of using id -u.

There is at least one good reason Bourne shell is still alive and not
striving to cover all Bourne-Again shell (bash) features IMHO. Bourne
shell is very well debugged, and code is much smaller, hence much less
chance to have undiscovered bugs. Therefore, it should be much better
security wise. Imagine you never heard about shellshock, and I ask you is
it bash or is it Bourne shell, what would your bet be? (90 or 95% it is
bash would be mine, - if I recollect correctly my reaction when I first
heard about that).

Just my $0.02

Valeri

>
> I'll also note that all *production* scripts were once required to be
> bourne, but by the mid-nineties, management was starting to mandate that
> they be Korn shell, instead, for many reasons - capabilities, etc. Bash -
> I don't think I saw that till I started running RH 5.1, I think it was,
> about 18 years ago
>
>   mark



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Paul Heinlein

On Tue, 26 Apr 2016, Tim Dunphy wrote:

> So what I'd like to know is it better in your opinion to install
> from repos than to install by source as a best practice?


"Better" all depends on your workflow and your customers' concerns.

If you are always available to update all your customers' 
installations, esp. when there's a security update, then installing 
from source may allow you to roll out new features more quickly than 
stock CentOS.


OTOH, if you go on vacation, or get injured, or whatever -- then your 
clients may be left exposed when a new exploit is released. Someone at 
Red Hat (and from there CentOS) will be dealing with it, and your 
customers get the benefit of that work with a simple "yum update".


At the very least, I'd inform the clients of the benefits and risks of 
both approaches and see what best matches their concerns.


> Is it always better to use puppet, chef, ansible etc even if the
> environment is small? I'm sure this is a matter preference, but I
> would like to know what your preferences are.


Personally, I've found the break-even point to be three to four 
systems. That is, once I'm managing four systems, I'll spend less time 
over the life-cycle of those hosts spinning up puppet or cfengine than 
I will managing those systems by hand. Other admins may have a 
different opinion, but that's what I've discovered.


--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread m . roth
Scott Robbins wrote:
> On Tue, Apr 26, 2016 at 07:27:26PM -0700, Alice Wonder wrote:
>>
>> Some of the BSDs used to have a bourne shell and maybe some do, I don't
>> know.
>>
> Yup.
>
>> bash is mostly compatible with bourne (can run most bourne scripts)
>> which is why /bin/sh is a symlink to /bin/bash on GNU and most other
>> *nix systems.
>
> Bash can run Bourne, but not necessarily vice versa, which can be
> problematic if, say, moving a Linux script to a BSD or AIX box.   I
> remember something I'd done which used, IIRC, $UID, without realizing it
> was a bashism, instead of using id -u.

I'll also note that all *production* scripts were once required to be
bourne, but by the mid-nineties, management was starting to mandate that
they be Korn shell, instead, for many reasons - capabilities, etc. Bash -
I don't think I saw that till I started running RH 5.1, I think it was,
about 18 years ago

  mark





Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread William A. Mahaffey III

On 04/27/16 09:11, m.r...@5-cent.us wrote:

> Richard wrote:
>>> Date: Wednesday, April 27, 2016 13:43:00 +
>>> From: "Vanhorn, Mike"
>>> On 4/27/16, 9:39 AM, "centos-boun...@centos.org on behalf of
>>> m.r...@5-cent.us" wrote:
>>>
>>>> And now, I just
>>>> ssh'd in from another windows, same way... and the weirdness isn't
>>>> there.
>>>>
>>>> Anyone have any clues as to what's going on with that one session?
>>>
>>> It sounds as if, for some reason, in that one session, vi doesn’t
>>> know what your terminal settings are, so it’s in line editing
>>> mode (like ed or ex). I don’t have an explanation as to why it
>>> would only happen with that one session, though.
>>
>> Or your "colors" could be set oddly in that terminal window/vi
>> session.
>>
>> Unfortunately you are giving almost no details - OSs (original and
>> target machine), shells, terminal settings, etc., so it's hard to do
>> more than jump to potentially rash conclusions.
>
> Sorry, original machine that I sudo'd to root is CentOS 6; the machine
> where it was acting weird was CentOS7. Terminal is rxvt, and my colors are
> set everywhere to be the color Ghod (and IBM) meant them to be, green on
> black.
>
> I'd been googling, and tried reset, and tried , and none of it
> helped. I renamed /root/.viminfo, and tried vi -V, which showed it only
> going after /etc/virc and /etc/vimrc, and neither modified. I also tried
> vi --noplugin.
>
>    mark






A bit of a flyer, but I have issues w/ vi when I ssh to other machines 
on my LAN from an RXVT window. I am all *BSD, which is what makes this a 
flyer, but I do have issues w/ the vi/ssh/rxvt combo, to the point where 
I use xterm's for windows where I know I will want to 'vi' something on 
another box (I *love* rxvt otherwise). $0.02, no more, no less 




--

William A. Mahaffey III

 --

"The M1 Garand is without doubt the finest implement of war
 ever devised by man."
   -- Gen. George S. Patton Jr.



Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread Valeri Galtsev

On Wed, April 27, 2016 8:39 am, m.r...@5-cent.us wrote:
> This is weird. As in, *deeply* weird.
>
> I ssh as root from one box to another (there are keys involved), and I go
> to vi a file, such as
> # line 1 #
> # line 2 #
> # line 3
> # line 4
>
> And what I see in vi is
> # line 3
> # line 4
>
> BUT, if I scroll the cursor over each line with the arrow key... I see all
> four lines. I've also looked at another file, and same thing. Just checked
> it out on the server I ssh'd in from, and no problem.  And now, I just
> ssh'd in from another windows, same way... and the weirdness isn't there.
>
> Anyone have any clues as to what's going on with that one session?
>

Mark, I can not reproduce it. I ssh (with the key) from FreeBSD 9.3 box
(from either /bin/sh Bourne shell or /usr/local/bin/bash Bourne again
shell) to centos 5 (fully updated, bash shell), and my vi does behave as
expected, it is:

which vi
/bin/vi

vi -V

~
~  VIM - Vi IMproved
~
~   version 7.0.237
~   by Bram Moolenaar et al.
~ Vim is open source and freely distributable


I guess we need more detail about what you have.


Here is the file I open with vi:

cosmo ~]# cat test
# line 1 #
# line 2 #
# line 3
# line 4

Here is what I see when I open it with vi:

cosmo ~]# vi test

# line 1 #
# line 2 #
# line 3
# line 4
~


Valeri

>  mark
>
> file



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread James Pearson

Phil Wyett wrote:

> On Wed, 2016-04-27 at 08:27 -0400, Phelps, Matthew wrote:
>> The latest version of firefox, 46.0 requires GTK3 and so it fails on CentOS
>> 6.7.
>>
>> I know there is the ESR release supplied by upstream, but that is based on
>> version 38. We have regularly installed the Mozilla "Linux" version of
>> Firefox in a central location for our users, and this has worked just fine
>> until 46.0. (I note from
>> https://www.mozilla.org/en-US/firefox/organizations/faq/ that even that ESR
>> release is due to stop being supported soon).
>>
>> I filed a bugzilla report at
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters to
>> you, please consider tagging onto that bug.
>>
>> Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
>> work required to get this done is huge, and won't happen soon.
>>
>> The whole idea of using RHEL/CentOS is to have a stable, supported version
>> for a long period of time. How can we do this if even a web browser won't
>> work?
>
> Hi,
>
> The latest firefox ESR for RHEL/CentOS 5, 6 and 7 is 45.1. That version
> should appear in CentOS updates when Mr Hughes has worked his magic.
>
> With 46 not being an ESR and not released for RHEL/CentOS, it is not
> really something most here would be too worried about.


Mozilla still (currently) support GTK2 as a build option - so if want to 
run Firefox 46 (and above) on CentOS 6, then you will need to build it 
from source


You might be able to start with the 45.1 SRPM and hack the spec file to 
build 46.0 ...


James



Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread m . roth
m.r...@5-cent.us wrote:
> Richard wrote:
>>> Date: Wednesday, April 27, 2016 13:43:00 +
>>> From: "Vanhorn, Mike" 
>>> On 4/27/16, 9:39 AM, "centos-boun...@centos.org on behalf of
>>> m.r...@5-cent.us" >> m.r...@5-cent.us> wrote:
>>>
>>>> And now, I just
>>>> ssh'd in from another windows, same way... and the weirdness isn't
>>>> there.
>>>>
>>>> Anyone have any clues as to what's going on with that one session?
>>>>
>>> It sounds as if, for some reason, in that one session, vi doesn’t
>>> know what your terminal settings are, so it’s in line editing
>>> mode (like ed or ex). I don’t have an explanation as to why it
>>> would only happen with that one session, though.
>>
>> Or your "colors" could be set oddly in that terminal window/vi
>> session.
>>
>> Unfortunately you are giving almost no details - OSs (original and
>> target machine), shells, terminal settings, etc., so it's hard to do
>> more than jump to potentially rash conclusions.
>
> Sorry, original machine that I sudo'd to root is CentOS 6; the machine
> where it was acting weird was CentOS7. Terminal is rxvt, and my colors are
> set everywhere to be the color Ghod (and IBM) meant them to be, green on
> black. 
>
> I'd been googling, and tried reset, and tried , and none of it
> helped. I renamed /root/.viminfo, and tried vi -V, which showed it only
> going after /etc/virc and /etc/vimrc, and neither modified. I also tried
> vi --noplugin.
>
Sorry, one more detail: file under "anal", and, as a buddy, a sr. sysadmin
many years ago used to say, "professionally paid to be paranoid" - I log
out of *everything*, including my workstation, when I leave for the night,
so new session every day.

   mark



Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread m . roth
Richard wrote:
>> Date: Wednesday, April 27, 2016 13:43:00 +
>> From: "Vanhorn, Mike" 
>> On 4/27/16, 9:39 AM, "centos-boun...@centos.org on behalf of
>> m.r...@5-cent.us" > m.r...@5-cent.us> wrote:
>>
>>> And now, I just
>>> ssh'd in from another windows, same way... and the weirdness isn't
>>> there.
>>>
>>> Anyone have any clues as to what's going on with that one session?
>>>
>> It sounds as if, for some reason, in that one session, vi doesn’t
>> know what your terminal settings are, so it’s in line editing
>> mode (like ed or ex). I don’t have an explanation as to why it
>> would only happen with that one session, though.
>
> Or your "colors" could be set oddly in that terminal window/vi
> session.
>
> Unfortunately you are giving almost no details - OSs (original and
> target machine), shells, terminal settings, etc., so it's hard to do
> more than jump to potentially rash conclusions.

Sorry, original machine that I sudo'd to root is CentOS 6; the machine
where it was acting weird was CentOS7. Terminal is rxvt, and my colors are
set everywhere to be the color Ghod (and IBM) meant them to be, green on
black. 

I'd been googling, and tried reset, and tried , and none of it
helped. I renamed /root/.viminfo, and tried vi -V, which showed it only
going after /etc/virc and /etc/vimrc, and neither modified. I also tried
vi --noplugin.

  mark




Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread Richard


> Date: Wednesday, April 27, 2016 13:43:00 +
> From: "Vanhorn, Mike" 
>
> On 4/27/16, 9:39 AM, "centos-boun...@centos.org on behalf of
> m.r...@5-cent.us"  m.r...@5-cent.us> wrote:
> 
>> And now, I just
>> ssh'd in from another windows, same way... and the weirdness isn't
>> there.
>> 
>> Anyone have any clues as to what's going on with that one session?
>> 
>> Mark
> 
> It sounds as if, for some reason, in that one session, vi doesn’t
> know what your terminal settings are, so it’s in line editing
> mode (like ed or ex). I don’t have an explanation as to why it
> would only happen with that one session, though.
> 

Or your "colors" could be set oddly in that terminal window/vi
session.

Unfortunately you are giving almost no details - OSs (original and
target machine), shells, terminal settings, etc., so it's hard to do
more than jump to potentially rash conclusions.




Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread William A. Mahaffey III

On 04/26/16 21:13, John R Pierce wrote:
> On 4/26/2016 6:45 PM, Jack Bailey wrote:
>>
>> Today someone in a meeting claimed the Bourne shell is deprecated,
>> one of the reasons being it supposedly has security issues.  Well
>> that's all news to me, and I cannot find anything online to
>> corroborate the claim.  Is this true, is it a bash vs. Bourne FUD, or
>> something else?
>
> there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
> /bin/bash...
>
> last OS I can think of with an actual Bourne shell was Solaris.

The various *BSD's have & use the actual Bourne shell


--

William A. Mahaffey III

 --

"The M1 Garand is without doubt the finest implement of war
 ever devised by man."
   -- Gen. George S. Patton Jr.



Re: [CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread Vanhorn, Mike
On 4/27/16, 9:39 AM, "centos-boun...@centos.org on behalf of
m.r...@5-cent.us"  wrote:

> And now, I just
>ssh'd in from another windows, same way... and the weirdness isn't there.
>
>Anyone have any clues as to what's going on with that one session?
>
> Mark

It sounds as if, for some reason, in that one session, vi doesn’t know
what your terminal settings are, so it’s in line editing mode (like ed or
ex). I don’t have an explanation as to why it would only happen with that
one session, though.

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu
http://www.cecs.wright.edu/~mvanhorn/







[CentOS] Semi-OT: very weird vi behaviour

2016-04-27 Thread m . roth
This is weird. As in, *deeply* weird.

I ssh as root from one box to another (there are keys involved), and I go
to vi a file, such as
# line 1 #
# line 2 #
# line 3
# line 4

And what I see in vi is
# line 3
# line 4

BUT, if I scroll the cursor over each line with the arrow key... I see all
four lines. I've also looked at another file, and same thing. Just checked
it out on the server I ssh'd in from, and no problem.  And now, I just
ssh'd in from another windows, same way... and the weirdness isn't there.

Anyone have any clues as to what's going on with that one session?

 mark



Re: [CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread Phil Wyett
On Wed, 2016-04-27 at 08:27 -0400, Phelps, Matthew wrote:
> The latest version of firefox, 46.0 requires GTK3 and so it fails on CentOS
> 6.7.
> 
> I know there is the ESR release supplied by upstream, but that is based on
> version 38. We have regularly installed the Mozilla "Linux" version of
> Firefox in a central location for our users, and this has worked just fine
> until 46.0. (I note from
> https://www.mozilla.org/en-US/firefox/organizations/faq/ that even that ESR
> release is due to stop being supported soon).
> 
> I filed a bugzilla report at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters to
> you, please consider tagging onto that bug.
> 
> Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
> work required to get this done is huge, and won't happen soon.
> 
> The whole idea of using RHEL/CentOS is to have a stable, supported version
> for a long period of time. How can we do this if even a web browser won't
> work?
> 

Hi,

The latest firefox ESR for RHEL/CentOS 5, 6 and 7 is 45.1. That version
should appear in CentOS updates when Mr Hughes has worked his magic.

With 46 not being an ESR and not released for RHEL/CentOS, it is not
really something most here would be too worried about.

Regards

Phil





[CentOS] DNSSEC / Security stats (forked from php thread)

2016-04-27 Thread Alice Wonder
I don't have a source, I'd have to dig through my browser history, but I 
looked at some of these stats just last month.


Roughly 2% of the top 1000 domains in the United States had deployed 
DNSSEC - which I *think* is double what it was a year ago.


Roughly 7% of ISP recursive DNS servers enforce DNSSEC.

Comcast does and Google's public DNS does. Those are the big ones that 
enforce DNSSEC on their recursive servers.


I do not see any statistics for DANE adoption, either on port 443 or 
port 25 (the two where it is most common currently)


Roughly 20% of all e-mail traffic in the United States was not encrypted.

Of the e-mail traffic that was not even encrypted, a large percentage of 
it was spam. What wasn't spam was often sent by scripting languages 
(e.g. php) running blogs or other web services.


Only a small percentage of e-mail sent by clients through a SMTP server 
was not encrypted in the MTA to MTA transfer.


-=-=-

What we can do as sysadmins, we can run unbound on our local machines, 
it defaults to DNSSEC enforcing. That way we don't have to worry if the 
recursive resolver our ISP uses is part of the 7%.


Linode enforced last time I checked, but I don't know about other 
hosting services.


Still safer to just run unbound listening only on the localhost, and 
configure /etc/resolv.conf to point to ::1 (or 127.0.0.1)


If at all possible, deploy DNSSEC on any zones you have control over. 
Even without DANE, DNSSEC greatly improves security for the 7% (and 
growing) recursive resolvers that enforce DNSSEC.


Before deploying DNSSEC do a lot of reading on it, because if you screw 
it up, those 7% enforcing recursive resolvers won't resolve your zone.


I personally use a 2048-bit KSK and a 1024-bit ZSK.

The KSK is what you have to get the DS record for uploaded to your TLS, 
and it should be rotated once a year.


The ZSK is just in your zone, best practice says to rotate once a month 
but I rotate once a week, every Sunday. It should be automated, so it 
doesn't hurt to do it more often than the once a month. Doing it once a 
week means if my zone signing server is down or under DDoS when the 
signing happens, it isn't a big deal, because it happens 4X the best 
practices recommended anyway.


With our web applications that send e-mail, don't use the SMTP services 
of the scripting language. Yes it is cool that you can play SMTP server 
with PHP etc. and yes, if PHP is built against a TLS library it can 
encrypt, but don't use PHP to play SMTP.


Run postfix on the web server and have your web applications connect to 
the SMTP on the local host.


This isn't just for the benefit of encrypting, it also lets you do 
things like sign the message with DKIM and if your postfix is new 
enough, check the DANE records of the MX record the message is being 
sent to.


I don't know why so many web applications try to play SMTP themselves, 
it is a very bad habit and usually results in mail being sent without 
TLS and sometimes rejected by spam filters if the domain it allegedly 
comes from uses DKIM but the web application doesn't.


-=-=-

Hope I didn't bore too many people, or offend anyone, these are just my 
opinions and this is a topic I am passionate about.


I think system administrators need to do a better job at securing 
Internet infrastructure.
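
One way to check whether a given recursive resolver enforces DNSSEC, which is the question the post raises about ISP resolvers (added example, not part of the original post). The resolver address and both test names are supplied by the caller; a zone that is deliberately mis-signed for testing is an assumption, as is the `fake_response` helper, which only builds constructed sample replies.

```python
import socket
import struct

DO_BIT = 0x8000    # EDNS0 "DNSSEC OK" flag: ask the resolver for DNSSEC data
AD_BIT = 0x0020    # header "Authenticated Data" flag: answer was validated
SERVFAIL = 2       # what a validating resolver returns for a bogus answer


def build_query(name, qtype=1, qid=0x1234):
    """Build a DNS query (A record by default) with an EDNS0 OPT record that sets DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT pseudo-record: root name, TYPE 41, UDP size 1232, flags with DO set, no options
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0)
    return header + question + opt


def parse_flags(response):
    """Extract the fields of the DNS header that matter for validation."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    qid, flags = struct.unpack("!HH", response[:4])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & AD_BIT)}


def resolver_verdict(good_response, broken_response):
    """Classify a resolver from its answers for a correctly signed and a mis-signed name."""
    good = parse_flags(good_response)
    broken = parse_flags(broken_response)
    if good["rcode"] == 0 and good["ad"] and broken["rcode"] == SERVFAIL:
        return "enforcing"
    if broken["rcode"] == 0:
        return "not validating"      # a bogus answer was passed through to the client
    return "inconclusive"


def ask(resolver, name, timeout=3.0):
    """Send one query over UDP port 53 and return the raw response bytes."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        return sock.recvfrom(4096)[0]


def check_resolver(resolver, signed_name, broken_name):
    """Live check, e.g. check_resolver("::1", <signed zone>, <mis-signed test zone>)."""
    return resolver_verdict(ask(resolver, signed_name), ask(resolver, broken_name))


def fake_response(rcode, ad):
    """Constructed 12-byte reply header (QR, RD, RA set) for offline demonstration."""
    flags = 0x8180 | (AD_BIT if ad else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
```

Running `check_resolver` against `::1` or `127.0.0.1` after setting up a local unbound should report "enforcing"; the same call against an ISP resolver shows whether it is one of the enforcing ones.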



Re: [CentOS] systemd-journald corruption

2016-04-27 Thread Chris Adams
Once upon a time, Chris Murphy  said:
> On Tue, Apr 26, 2016 at 3:01 PM, Chris Adams  wrote:
> > Once upon a time, Chris Murphy  said:
> >> On Tue, Apr 26, 2016, 2:09 PM Chris Adams  wrote:
> >> > I have several recently-installed CentOS 7 servers that keep having
> >> > systemd-journald corruption
> >>
> >> Determined with 'journalctl --verify' or another way?

One system did get into this state overnight, and that said:

[root@spamscan3 ~]# journalctl --verify
15bd478: invalid object
File corruption detected at /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal:15bd478 (of 25165824 bytes, 90%).
FAIL: /run/log/journal/f8ade260c5f84b8aa04095c233c041e0/system.journal (Cannot assign requested address)
(and then a bunch of passes on the rest of the files)

> There's also this patch as a suggested fix:
> https://bugzilla.redhat.com/show_bug.cgi?id=1292447#c9

I'll take a look at that.

> What version of systemd and rsyslog? systemd-219-19.el7_2.7 and
> rsyslog-7.4.7-12 are current.

Those are the versions I have.

> If you're there already you could try editing
> /etc/systemd/journald.conf and uncommenting Compress=yes and changing
> it to no.

Thanks, I'm trying that on these servers.
-- 
Chris Adams 


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread Scott Robbins
On Tue, Apr 26, 2016 at 07:27:26PM -0700, Alice Wonder wrote:
> 
> Some of the BSDs used to have a bourne shell and maybe some do, I don't know.
> 
Yup.  

> bash is mostly compatible with bourne (can run most bourne scripts)
> which is why /bin/sh is a symlink to /bin/bash on GNU and most other
> *nix systems.

Bash can run Bourne, but not necessarily vice versa, which can be
problematic if, say, moving a Linux script to a BSD or AIX box.   I
remember something I'd done which used, IIRC, $UID, without realizing it
was a bashism, instead of using id -u.  


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6



[CentOS] Firefox 46.0 fails on CentOS 6.7 due to GTK3 requirement

2016-04-27 Thread Phelps, Matthew
The latest version of firefox, 46.0 requires GTK3 and so it fails on CentOS
6.7.

I know there is the ESR release supplied by upstream, but that is based on
version 38. We have regularly installed the Mozilla "Linux" version of
Firefox in a central location for our users, and this has worked just fine
until 46.0. (I note from
https://www.mozilla.org/en-US/firefox/organizations/faq/ that even that ESR
release is due to stop being supported soon).

I filed a bugzilla report at
https://bugzilla.mozilla.org/show_bug.cgi?id=1267815. If this matters to
you, please consider tagging onto that bug.

Yes, yes we have to upgrade to CentOS 7. But in our shop, the amount of
work required to get this done is huge, and won't happen soon.

The whole idea of using RHEL/CentOS is to have a stable, supported version
for a long period of time. How can we do this if even a web browser won't
work?

-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 01:21 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen  wrote:
>> Sounds good, but how many domain MX servers have set up these fingerprint
>> keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it
>> uses it if available. So even if you do post it on your DNS, how many
>> clients out there are using DANE on their set up? By the time it becomes
>> more than a tiny % and generally useful, it will be in CentOS 8. It also
>> requires certificates to be implemented more ubiquitously than at present -
>> although we do now have affordable solutions, so this one may resolve more
>> quickly.
>
> I hope my prior comments weren't too off topic but a lot of people
> don't seem to understand the purpose for an enterprise distribution.
>
> DANE is a perfect example of this. Go poll the SMTP servers for any
> company on the S&P 500 and I can almost guarantee that 99.9% of them
> will not have TLSA records for DANE. It's a new/emerging technology.
> The same is true with DNSSEC (which is actually quite old).

Last poll I saw, 2% of the top 500 did in fact have DNSSEC.

TLSA is just a record like any other DNS record, it is just meaningless
without DNSSEC.

> Enterprises are typically behind in the technology they adopt.
> Stability and reliability are paramount. This is where RHEL and CentOS
> come in.


Stability though should not come at the cost of halting progress.

Security and Privacy on the Internet are both severely broken.

If you read the white papers from when the Internet was first being 
designed, security was rarely even mentioned.


Look at how many "secure" web servers still use SSLv2 and SSLv3 - this 
is because the "stable" Enterprise UNIX distributions were slow to progress.


DNS is a severely insecure system, and so is SMTP.

Hell - security of SMTP is so sloppy that quite often, the TLS 
certificate doesn't even match the hostname.


Cipher suites that we know to be insecure are often still supported by 
mail servers because they take the flawed attitude that weak ciphers are 
better than plain and the opportunistic nature of SMTP allows for plain.


It was that same mindset that resulted in a lot of mail servers 
supporting SSLv2 resulting in capture of the private key in DROWN attack.


When it comes to security, we can't be stale. We have to progress 
because what we currently have is not good enough.


We need to embrace DNSSEC and we need to promote DNSSEC. Trust is easy 
to exploit, DNSSEC provides a means to verify so that trust is not needed.


Using "enterprise" as an excuse to not move forward with security 
progress is just plain foolish.


Enterprise or not, DNSSEC should be a top priority to deploy in your DNS 
zone.


Enterprise or not, if you run a mail server, you really need to publish 
an accurate TLSA record for TCP port 25 of your MX mail servers.


Enterprise or not, your mail servers should look for a TLSA record on 
port 25 of the receiving server, and if found, only connect to that 
server if the connection is secure and the TLS certificate matches the 
TLSA record.


The Internet is broken security-wise, and a big part of the solution is 
available now and free to deploy.


If that means upgrading software in an "Enterprise" distribution, then 
that's what you do.


It's called taking responsibility for the security and privacy of your 
users. It's called using intelligence. It's called doing the job right.



[CentOS] CentOS-announce Digest, Vol 134, Issue 14

2016-04-27 Thread centos-announce-request

Today's Topics:

   1. CESA-2016:0695 Critical CentOS 7 firefox Security Update (Johnny Hughes)


--

Message: 1
Date: Tue, 26 Apr 2016 23:59:06 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2016:0695 Critical CentOS 7 firefox Security Update
Message-ID: <20160426235906.ga46...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2016:0695 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0695.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
7ad87030365ab1016abb60f1e290685ad331c5a5f1562bde57106a7ccacaf69b  firefox-45.1.0-1.el7.centos.i686.rpm
9d5a9f3245ea81a0750082d056031816b6d1d05fe278641a0aad4fd44f367c05  firefox-45.1.0-1.el7.centos.x86_64.rpm

Source:
ea6c6ab0a63372cae9b1c76d642de69e23866e790dc41d5a91f56b99d352ec34  firefox-45.1.0-1.el7.centos.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



--

___
CentOS-announce mailing list
centos-annou...@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 134, Issue 14



Re: [CentOS] Storage cluster advise, anybody?

2016-04-27 Thread Patrick Begou

Maybe this can be a good starting point:

https://pve.proxmox.com/wiki/High_Availability_Cluster

There is also a book "Proxmox High Availability" by Simon M. C. Cheng.

I'm starting to build such a solution to provide NFS service to my CentOS
clients (I've just received the hardware). I'm using proxmox for a while, but
without HA at this time, and it is very stable and reliable.


Patrick

Gordon Messmer wrote:
> On 04/22/2016 12:24 PM, Digimer wrote:
>>> My requirements are:
>> This sounds like you want a cloud-type storage, like ceph or gluster.
>
> I agree.  I think either would work.  A cluster with striping and mirroring of
> volumes should fit all the requirements.


--
===
|  Equipe M.O.S.T. |  |
|  Patrick BEGOU   | mailto:patrick.be...@grenoble-inp.fr |
|  LEGI|  |
|  BP 53 X | Tel 04 76 82 51 35   |
|  38041 GRENOBLE CEDEX| Fax 04 76 82 52 71   |
===



Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 01:19 AM, Alice Wonder wrote:
> On 04/27/2016 01:06 AM, Brandon Vincent wrote:
>> On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder
>> wrote:
>>> Not with a smtp that enforces DANE.
>>
>> I'm aware of how DANE works.
>>
>> The only problem is no MTA outside of Postfix implements it.
>>
>> You can thank the hatred of DNSSEC for that.
>
> I never understood the hatred for DNSSEC.
>
> When I first read about it, it was like a beautiful epiphany.
>
> But DNSSEC adoption is increasing. I keep seeing the green DNSSEC icon
> in my browser more and more often, when I first started using it was rare.
>
> But the point is, other mail servers may not have implemented yet but
> Postfix has implemented it, and the stock version in RHEL / CentOS is
> too old. Barely too old, but too old.
>
> Thus better security is achieved by running a newer version.
>
> Especially since adoption is in fact increasing.

comcast is a major ISP that publishes TLSA records for their MX servers.

It appears the TLSA records for IPv6 are broken but I was told that was
intentional, they can tell what mail servers don't enforce DANE by which
ones continue to connect to IPv6 anyway.

The IPv4 records are good and valid.

So when any of my mail servers send e-mail to users at a comcast
address, it is extremely unlikely that a MITM would be successful.

But only because I updated the postfix from stock.



Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Brandon Vincent
On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen  wrote:
> Sounds good, but how many domain MX servers have set up these fingerprint
> keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it
> uses it if available. So even if you do post it on your DNS, how many
> clients out there are using DANE on their set up? By the time it becomes
> more than a tiny % and generally useful, it will be in CentOS 8. It also
> requires certificates to be implemented more ubiquitously than at present -
> although we do now have affordable solutions, so this one may resolve more
> quickly.

I hope my prior comments weren't too off topic but a lot of people
don't seem to understand the purpose for an enterprise distribution.

DANE is a perfect example of this. Go poll the SMTP servers for any
company on the S&P 500 and I can almost guarantee that 99.9% of them
will not have TLSA records for DANE. It's a new/emerging technology.
The same is true with DNSSEC (which is actually quite old).

Enterprises are typically behind in the technology they adopt.
Stability and reliability are paramount. This is where RHEL and CentOS
come in.

I know of a few companies listed on the S&P 500 who still have SSLv3
turned on to allow customers with old versions of Internet Explorer on
Windows XP to connect. You can't simply assume everyone is using the
latest technology.

This is the reason IBM loves System z.

Brandon Vincent


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 01:06 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder  wrote:
>> Not with a smtp that enforces DANE.
>
> I'm aware of how DANE works.
>
> The only problem is no MTA outside of Postfix implements it.
>
> You can thank the hatred of DNSSEC for that.

I never understood the hatred for DNSSEC.

When I first read about it, it was like a beautiful epiphany.

But DNSSEC adoption is increasing. I keep seeing the green DNSSEC icon
in my browser more and more often, when I first started using it was rare.

But the point is, other mail servers may not have implemented yet but
Postfix has implemented it, and the stock version in RHEL / CentOS is
too old. Barely too old, but too old.

Thus better security is achieved by running a newer version.

Especially since adoption is in fact increasing.


Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread wwp

On Wed, 27 Apr 2016 10:08:10 +0200 wwp  wrote:

> Hello all,
> 
> 
> On Tue, 26 Apr 2016 22:21:34 -0400 Digimer  wrote:
> 
> > On 26/04/16 10:07 PM, John R Pierce wrote:  
> > > On 4/26/2016 6:45 PM, Jack Bailey wrote:
> > >>
> > >> Today someone in a meeting claimed the Bourne shell is deprecated, one
> > >> of the reasons being it supposedly has security issues.  Well that's
> > >> all news to me, and I cannot find anything online to corroborate the
> > >> claim.  Is this true, is it a bash vs. Bourne FUD, or something else?
> > >>  
> > > 
> > > there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
> > > /bin/bash...
> > > 
> > > last OS I can think of with an actual Bourne shell was Solaris.
> > 
> > ??
> > 
> > [root@an-striker01 ~]# cat /etc/redhat-release
> > CentOS release 6.7 (Final)
> > 
> > [root@an-striker01 ~]# which bash
> > /bin/bash
> > 
> > [root@an-striker01 ~]# ls -lah /bin/bash
> > -rwxr-xr-x. 1 root root 885K Sep 22  2015 /bin/bash
> > 
> > [root@an-striker01 ~]# which sh
> > /bin/sh
> > 
> > [root@an-striker01 ~]# ls -lah /bin/sh
> > lrwxrwxrwx. 1 root root 4 Mar 27 18:40 /bin/sh -> bash
> > 
> > Same upstream on Fedora 23:
> > 
> >  0 root@pulsar:/home/digimer# cat /etc/redhat-release
> > Fedora release 23 (Twenty Three)
> > 
> >   0 root@pulsar:/home/digimer# which bash
> > /bin/bash
> > 
> >   0 root@pulsar:/home/digimer# ls -lah /bin/bash
> > -rwxr-xr-x. 1 root root 1.1M Jan 11 06:02 /bin/bash
> > 
> >   0 root@pulsar:/home/digimer# which sh
> > /bin/sh
> > 
> >   0 root@pulsar:/home/digimer# ls -lah /bin/sh
> > lrwxrwxrwx. 1 root root 4 Jan 11 06:02 /bin/sh -> bash  
> 
> There seems to be a big confusion in this thread.
> The Bourne shell has gone long time ago. The Bourne-Again shell is bash
> (which is GNU software). Bash is not the Bourne shell.

Sorry if I wrote too fast: s/has gone/was born/. The Bourne shell seems
to be still in use in FreeBSD.


Regards,

-- 
wwp




Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Rob Kampen

On 04/27/2016 07:50 PM, Alice Wonder wrote:

On 04/27/2016 12:41 AM, Alice Wonder wrote:

On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*


Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ...


I use to believe that.

However I no longer.

First of all, advancements in TLS happen too quickly.

The RHEL philosophy of keeping API stability for as long as the release
is supported means you end up running old protocols and old cipher
suites and don't have the new protocols and cipher suites available.

That's a problem.

With respect to Apache and PHP -

There is a lot of benefit to HTTP/2 but you can't get that with the
stock Apache in RHEL / CentOS 7. You just can't.

The PHP in stock RHEL / CentOS is so old that web application developers
largely are not even using it anymore, resulting in some web
applications that just simply don't work unless you update the PHP to
something more modern.

It's a nice idealistic philosophy to want to keep the same versions and
backport security fixes and keep everything API compatible but in real
world practice, it makes your server stale.


Another example outside of LAMP

Postfix -

The postfix that ships with CentOS 7 does not have the ability to 
enforce DANE.


If you are not sure what that is -

On mt DNS server, I can (and do) post a fingerprint of the TLS keys 
used by my smtp server.


When other mail servers want to send an e-mail to my server, they can 
do a DNS query and if I have a DANE record, then they can require that 
that the TLS connection they make to my SMTP server uses a certificate 
with a fingerprint that matches.


That is the only reliable way to avoid MITM with SMTP.

It's easy to set up in postfix -

smtp_dns_support_level = dnssec
smtp_host_lookup = dns

Sounds good, but how many domain MX servers have set up these 
fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess 
I'm thinking it uses it if available. So even if you do post it on your 
DNS, how many clients out there are using DANE on their set up? By the 
time it becomes more than a tiny % and generally useful, it will be in 
CentOS 8. It also requires certificates to be implemented more 
ubiquitously than at present - although we do now have affordable 
solutions, so this one may resolve more quickly.
But with the postfix that comes with CentOS 7 - it is too old for 
that, so Postfix with CentOS 7 will never even try to verify the TLS 
certificate of the servers it connects to.


It's a stale version of postfix and people running postfix on CentOS 7 
should use a newer version.



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos




Re: [CentOS] Bourne shell deprecated?

2016-04-27 Thread wwp
Hello all,


On Tue, 26 Apr 2016 22:21:34 -0400 Digimer  wrote:

> On 26/04/16 10:07 PM, John R Pierce wrote:
> > On 4/26/2016 6:45 PM, Jack Bailey wrote:  
> >>
> >> Today someone in a meeting claimed the Bourne shell is deprecated, one
> >> of the reasons being it supposedly has security issues.  Well that's
> >> all news to me, and I cannot find anything online to corroborate the
> >> claim.  Is this true, is it a bash vs. Bourne FUD, or something else?   
> > 
> > there's no Bourne shell in CentOS anyways, /bin/sh is a symlink to
> > /bin/bash...
> > 
> > last OS I can think of with an actual Bourne shell was Solaris.  
> 
> ??
> 
> [root@an-striker01 ~]# cat /etc/redhat-release
> CentOS release 6.7 (Final)
> 
> [root@an-striker01 ~]# which bash
> /bin/bash
> 
> [root@an-striker01 ~]# ls -lah /bin/bash
> -rwxr-xr-x. 1 root root 885K Sep 22  2015 /bin/bash
> 
> [root@an-striker01 ~]# which sh
> /bin/sh
> 
> [root@an-striker01 ~]# ls -lah /bin/sh
> lrwxrwxrwx. 1 root root 4 Mar 27 18:40 /bin/sh -> bash
> 
> Same upstream on Fedora 23:
> 
>  0 root@pulsar:/home/digimer# cat /etc/redhat-release
> Fedora release 23 (Twenty Three)
> 
>   0 root@pulsar:/home/digimer# which bash
> /bin/bash
> 
>   0 root@pulsar:/home/digimer# ls -lah /bin/bash
> -rwxr-xr-x. 1 root root 1.1M Jan 11 06:02 /bin/bash
> 
>   0 root@pulsar:/home/digimer# which sh
> /bin/sh
> 
>   0 root@pulsar:/home/digimer# ls -lah /bin/sh
> lrwxrwxrwx. 1 root root 4 Jan 11 06:02 /bin/sh -> bash

There seems to be a big confusion in this thread.
The Bourne shell has been gone for a long time. The Bourne-Again shell is bash
(which is GNU software). Bash is not the Bourne shell.

FYI: https://en.wikipedia.org/wiki/Bourne_shell


Regards,

-- 
wwp




Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Brandon Vincent
On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder  wrote:
> Not with a smtp that enforces DANE.

I'm aware of how DANE works.

The only problem is no MTA outside of Postfix implements it.

You can thank the hatred of DNSSEC for that.

Brandon Vincent


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 12:59 AM, Brandon Vincent wrote:

On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder  wrote:

That is the only reliable way to avoid MITM with SMTP.


Except I can just strip STARTTLS and most MTAs will continue to connect.



No you can't.

Not with a smtp that enforces DANE.

If my postfix sees that your SMTP publishes a DANE record then it will 
refuse to connect unless it is a secure connection with a certificate 
that matches the fingerprint in the TLSA record.


See RFC 7672

But the postfix in RHEL / CentOS 7 does not support that.
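
The sender-side decision described in this exchange (opportunistic DANE, RFC 7672), as an added example that is not part of the thread and not Postfix code. It models only DANE-EE (usage 3) records; `decide`, `tlsa_matches`, the status strings and the byte strings standing in for DER data are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record pins the server's own certificate/key
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA-256, 2 = SHA-512
    data: bytes     # the fingerprint published in DNS

def tlsa_matches(rec, cert_der, spki_der):
    """True if a DANE-EE record matches what the server presented."""
    if rec.usage != 3 or rec.selector not in (0, 1):
        return False  # DANE-TA (usage 2) needs chain building, not modelled here
    selected = cert_der if rec.selector == 0 else spki_der
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(rec.mtype)
    if algo is None:
        return False
    return hmac.compare_digest(algo(selected).digest(), rec.data)

def decide(dns_status, tlsa_rrset, starttls_offered, cert_der=b"", spki_der=b""):
    """dns_status: 'secure' (DNSSEC-validated), 'insecure' (unsigned) or 'bogus'."""
    if dns_status == "bogus":
        return "defer:dnssec-failure"      # a failed lookup must not downgrade
    if dns_status != "secure" or not tlsa_rrset:
        # Nothing authenticated was published: plain opportunistic TLS,
        # which is the case where stripping STARTTLS goes unnoticed.
        return "deliver-unauthenticated-tls" if starttls_offered else "deliver-cleartext"
    if not starttls_offered:
        return "defer:starttls-missing"    # stripped STARTTLS is refused, not tolerated
    if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset):
        return "deliver-authenticated"
    return "defer:tlsa-mismatch"           # certificate is not the one pinned in DNS

# Constructed stand-ins for DER bytes; any byte string hashes the same way.
REAL_CERT, REAL_SPKI = b"constructed-server-cert", b"constructed-server-spki"
MITM_CERT, MITM_SPKI = b"constructed-mitm-cert", b"constructed-mitm-spki"
PINNED = [TLSA(3, 1, 1, hashlib.sha256(REAL_SPKI).digest())]

if __name__ == "__main__":
    print(decide("secure", PINNED, True, REAL_CERT, REAL_SPKI))
    print(decide("secure", PINNED, False))
    print(decide("secure", PINNED, True, MITM_CERT, MITM_SPKI))
    print(decide("insecure", [], False))
```

In Postfix 2.11 and later this policy is selected with `smtp_tls_security_level = dane` in addition to the DNSSEC lookup setting quoted in the thread.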



Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Brandon Vincent
On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder  wrote:
> That is the only reliable way to avoid MITM with SMTP.

Except I can just strip STARTTLS and most MTAs will continue to connect.

Brandon Vincent


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 12:41 AM, Alice Wonder wrote:

On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*


Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ...


I used to believe that.

However I no longer do.

First of all, advancements in TLS happen too quickly.

The RHEL philosophy of keeping API stability for as long as the release
is supported means you end up running old protocols and old cipher
suites and don't have the new protocols and cipher suites available.

That's a problem.

With respect to Apache and PHP -

There is a lot of benefit to HTTP/2 but you can't get that with the
stock Apache in RHEL / CentOS 7. You just can't.

The PHP in stock RHEL / CentOS is so old that web application developers
largely are not even using it anymore, resulting in some web
applications that just simply don't work unless you update the PHP to
something more modern.

It's a nice idealistic philosophy to want to keep the same versions and
backport security fixes and keep everything API compatible but in real
world practice, it makes your server stale.


Another example outside of LAMP

Postfix -

The postfix that ships with CentOS 7 does not have the ability to 
enforce DANE.


If you are not sure what that is -

On my DNS server, I can (and do) post a fingerprint of the TLS keys used 
by my smtp server.


When other mail servers want to send an e-mail to my server, they can do 
a DNS query and if I have a DANE record, then they can require that 
the TLS connection they make to my SMTP server uses a certificate with a 
fingerprint that matches.


That is the only reliable way to avoid MITM with SMTP.

It's easy to set up in postfix -

smtp_dns_support_level = dnssec
smtp_host_lookup = dns

But with the postfix that comes with CentOS 7 - it is too old for that, 
so Postfix with CentOS 7 will never even try to verify the TLS 
certificate of the servers it connects to.


It's a stale version of postfix and people running postfix on CentOS 7 
should use a newer version.





Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Andreas Benzler
Another way I chose is to install what I need in opt, a PHP CLI, and configure
Apache. What is the difference? I run PHP 5.3 and 5.6 side by side. It always
depends on your needs.

How do I configure this stuff on my virtual host? ISP-Config
makes it easy for me.

It can be a solution for you. RPM isn't that bad, and holding
the configuration in a spec file is handy. You can take a name for a package
like php-7 and it will never be overwritten by an update. There are many ways
to track down problems. It's up to you.

> On 27.04.2016 at 09:30, James Hogarth wrote:
> 
> On 26 Apr 2016 23:28, "Tim Dunphy" wrote:
>> 
>> Hey guys,
>> 
>> I tend to work on small production environments for a large enterprise.
>> 
>> Never more than 15 web servers for most sites.
>> 
>> But most are only 3 to 5 web servers. Depends on the needs of the
>> client. I actually like to install Apache and PHP from source and by
>> hand. Although I know that's considered sacrilege in some shops.
>> 
>> I do this because on RH flavored systems like CentOS the versions of
>> Apache, php and most other software are a little behind the curve in
>> terms of versions.
>> 
>> And that's intentionally so! Because the versions that usually go into
>> the various repos are tested and vetted thoroughly before going into
>> the repos.
>> 
>> I like to use the latest, stable versions of apache and php for my
>> clients without having to create a custom RPM every time a new version
>> comes out.
>> 
>> So what I'd like to know is it better in your opinion to install from
>> repos than to install by source as a best practice? Is it always
>> better to use puppet, chef, ansible etc even if the environment is
>> small? I'm sure this is a matter of preference, but I would like to know
>> what your preferences are.
>> 
> 
> Unless you are explicitly tracking upstream and religiously providing
> builds as upstream release them taking upstream sources and building from
> them is a disservice to your customers.
> 
> This goes doubly for just installing from source without making packages as
> then it's impossible to audit the system for what is installed or properly
> clean up after it.
> 
> You need to be aware that it's not only about "vetting" but rather that
> auditing for a CVE becomes as simple as rpm -q --changelog | grep CVE ...
> Security updates from RH don't alter functional behaviour reducing the need
> for regression testing.
> 
> Unless you have a very specific requirement for a very bleeding edge
> feature it's fundamentally a terrible idea to move away from the
> distribution packages in something as exposed as a webserver ... And when
> you do you absolutely need to have the mechanisms in place to efficiently
> and swiftly build and deploy new versions, and deal with any fallout
> yourself.
> 
> Finally keep in mind the CentOS project can only viably support what we
> ship and not $random source. When you do need help and head to #centos on
> irc or report something on the mailing list keep that in mind.
> 
> As for CM? Doesn't take any significant effort or time to knock together a
> playbook to cover what you did by hand. Doesn't need to be high quality and
> distro agnostic ready for galaxy (or forge or whatever chef does) but it
> does mean you have "documentation in code" of how that system is without
> having to maintain info on how to rebuild it anyway. And assume every
> system may need a rebuild at some point - having CM in place makes that
> trivial rather than "oh what was the special thing on this one" scenarios.


Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread Alice Wonder

On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*


Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ...


I used to believe that.

However I no longer do.

First of all, advancements in TLS happen too quickly.

The RHEL philosophy of keeping API stability for as long as the release 
is supported means you end up running old protocols and old cipher 
suites and don't have the new protocols and cipher suites available.


That's a problem.

With respect to Apache and PHP -

There is a lot of benefit to HTTP/2 but you can't get that with the 
stock Apache in RHEL / CentOS 7. You just can't.


The PHP in stock RHEL / CentOS is so old that web application developers 
largely are not even using it anymore, resulting in some web 
applications that just simply don't work unless you update the PHP to 
something more modern.


It's a nice idealistic philosophy to want to keep the same versions and 
backport security fixes and keep everything API compatible but in real 
world practice, it makes your server stale.




Re: [CentOS] Apache/PHP Installation - opinions

2016-04-27 Thread James Hogarth
On 26 Apr 2016 23:28, "Tim Dunphy"  wrote:
>
> Hey guys,
>
> I tend to work on small production environments for a large enterprise.
>
> Never more than 15 web servers for most sites.
>
> But most are only 3 to 5 web servers. Depends on the needs of the
> client. I actually like to install Apache and PHP from source and by
> hand. Although I know that's considered sacrilege in some shops.
>
> I do this because on RH flavored systems like CentOS the versions of
> Apache, php and most other software are a little behind the curve in
> terms of versions.
>
> And that's intentionally so! Because the versions that usually go into
> the various repos are tested and vetted thoroughly before going into
> the repos.
>
> I like to use the latest, stable versions of apache and php for my
> clients without having to create a custom RPM every time a new version
> comes out.
>
> So what I'd like to know is it better in your opinion to install from
> repos than to install by source as a best practice? Is it always
> better to use puppet, chef, ansible etc even if the environment is
> small? I'm sure this is a matter of preference, but I would like to know
> what your preferences are.
>

Unless you are explicitly tracking upstream and religiously providing
builds as upstream release them taking upstream sources and building from
them is a disservice to your customers.

This goes doubly for just installing from source without making packages as
then it's impossible to audit the system for what is installed or properly
clean up after it.

You need to be aware that it's not only about "vetting" but rather that
auditing for a CVE becomes as simple as rpm -q --changelog | grep CVE ...
Security updates from RH don't alter functional behaviour reducing the need
for regression testing.

Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ... And when
you do you absolutely need to have the mechanisms in place to efficiently
and swiftly build and deploy new versions, and deal with any fallout
yourself.

Finally keep in mind the CentOS project can only viably support what we
ship and not $random source. When you do need help and head to #centos on
irc or report something on the mailing list keep that in mind.

As for CM? Doesn't take any significant effort or time to knock together a
playbook to cover what you did by hand. Doesn't need to be high quality and
distro agnostic ready for galaxy (or forge or whatever chef does) but it
does mean you have "documentation in code" of how that system is without
having to maintain info on how to rebuild it anyway. And assume every
system may need a rebuild at some point - having CM in place makes that
trivial rather than "oh what was the special thing on this one" scenarios.
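
The `rpm -q --changelog | grep CVE` audit mentioned in this message, extended into an added example (not from the thread or the CentOS project) that reports which package release first mentions each CVE. The changelog text, packager, versions and `CVE-0000-…` identifiers are constructed placeholders, and the function names are assumptions.

```python
import re
import subprocess

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def fixes_by_cve(changelog_text):
    """Map each CVE id to the oldest release whose changelog entry mentions it."""
    fixes, release = {}, None
    for line in changelog_text.splitlines():
        if line.startswith("* "):
            # Entry header: "* Day Mon DD YYYY Name <email> - version-release".
            last = line.split()[-1]
            release = None if last.endswith(">") else last  # some headers omit it
        else:
            for cve in CVE_ID.findall(line):
                # rpm prints newest entries first, so overwriting as we go
                # leaves the oldest release that mentions the CVE.
                fixes[cve] = release
    return fixes

def installed_changelog(package):
    """Changelog of the installed package; needs rpm on the host."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            check=True, capture_output=True, text=True)
    return result.stdout

def audit(changelog_text, wanted):
    """None means the changelog never mentions the CVE; that is a prompt to
    check the vendor advisory, not proof that the package is vulnerable."""
    fixes = fixes_by_cve(changelog_text)
    return {cve: fixes.get(cve) for cve in wanted}

# Constructed changelog in the layout rpm prints (newest entry first).
SAMPLE = """\
* Tue Apr 05 2016 Example Packager <pkg@example.org> - 2.4.6-45
- follow-up fix for CVE-0000-0002

* Mon Mar 07 2016 Example Packager <pkg@example.org> - 2.4.6-40
- mod_ssl: tighten renegotiation handling (CVE-0000-0002)

* Fri Aug 14 2015 Example Packager <pkg@example.org> - 2.4.6-31
- core: fix chunked header parsing (CVE-0000-0001)
"""

if __name__ == "__main__":
    for cve, rel in audit(SAMPLE, ["CVE-0000-0001", "CVE-0000-0002",
                                   "CVE-0000-0003"]).items():
        print(cve, rel or "not mentioned")
```

On a real host, pass `installed_changelog("httpd")` in place of `SAMPLE`; this only works for software installed from packages, which is the auditability argument made above.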