Re: [DNG] Xorg, choosing setuid vs. libpam-elogind and rant about security (was: Re: Jessie -> Ascii upgrade breaks X)

2018-06-12 Thread Peter Vachuska
Thank you for your reply. I should have started by RTFM (or in this case, 
reading the release notes). I walked away from the computer for two days and on 
the third day followed the documentation, behold, X ascended to F7 and played 
nice with screen & byobu & all of the virtual terminals. I should not have 
assumed that I understood it before.  I'm also impressed with the boot up time. 
For me it is just over 10 seconds from selecting the grub entry to login prompt. 
The Devuan developers and the community are doing a wonderful job. And Thank You 
again for your patience. There is much rejoicing in the household today.


10.06.2018, 11:55, "KatolaZ" :
> On Sun, Jun 10, 2018 at 11:15:18AM -0500, Peter Vachuska wrote:
>>  I really wish I had paid more attention to this thread and others warning 
>> about the changes to X before attempting to upgrade to ascii. My preferred 
>> way of working is out of a console running byobu and GNU screen and starting 
>> X only when needed. This no longer works as both screen and X use virtual 
>> terminals and instead of X starting on F7-F9, it is on F1; so that the 
>> console terminal is unusable. So after hours of frustration yesterday trying 
>> to get ascii working, I gave up and today reinstalled jessie only to find 
>> that xserver-xorg-legacy had been removed from the available packages; so I 
>> had the same problem. I had been using Devuan jessie for months and was very 
>> happy with it. (I should remember not to try to fix things that are not 
>> broke.) Fortunately, I had an old Debian wheezy installation which I'm now 
>> using.
>>
>>  While any suggestions would be appreciated, I'm mostly just venting 
>> frustration. I know that my setup is atypical and console users won't 
>> influence the direction of X. Still
>
> Dear Peter,
>
> please have a look at the ASCII Release Notes:
>
>   https://files.devuan.org/devuan_ascii/Release_notes.txt
>
> which provide an explanation of the whole X.org matter and of the
> solutions available in Devuan ASCII. I understand the frustration, but
> the best way to get out of it is to do something to solve the
> problem. Whatever you can.
>
> Devuan has proven that we are all potential Devuan developers. This is
> exactly what happened with elogind, just to make an example. It was
> pushed into reality within a couple of months by the stubbornness and
> commitment of a few fellow devuaners. Each of them put what they had
> (knowledge, time, patience, attention to detail, etc.), and the result
> is that we all can choose among more DE alternatives in Devuan ASCII.
>
> Devuan is really what we want it to become.
>
> HH
>
> KatolaZ
>
> --
> [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
> [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
> [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
> [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
> [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
>
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Xorg, choosing setuid vs. libpam-elogind and rant about security (was: Re: Jessie -> Ascii upgrade breaks X)

2018-06-10 Thread Peter Vachuska
I really wish I had paid more attention to this thread and others warning about 
the changes to X before attempting to upgrade to ascii. My preferred way of 
working is out of a console running byobu and GNU screen and starting X only 
when needed. This no longer works as both screen and X use virtual terminals 
and instead of X starting on F7-F9, it is on F1; so that the console terminal 
is unusable. So after hours of frustration yesterday trying to get ascii 
working, I gave up and today reinstalled jessie only to find that 
xserver-xorg-legacy had been removed from the available packages; so I had the 
same problem. I had been using Devuan jessie for months and was very happy with 
it. (I should remember not to try to fix things that are not broke.) 
Fortunately, I had an old Debian wheezy installation which I'm now using.

While any suggestions would be appreciated, I'm mostly just venting 
frustration. I know that my setup is atypical and console users won't influence 
the direction of X. Still

09.06.2018, 18:52, "Joel Roth" :
> Colleagues!
>
> Earlier in this thread, we learned that installing xserver-xorg-legacy
> allows you to run X the old way, as a setuid script.
>
> The default upgrade path from jessie -- in which X11 was
> setuid-only -- migrates to a new xserver-xorg in which the
> setuid mechanism is replaced. In order to run X with user
> permissions in the dist-upgrade'd environment one needs to
> pull in a stack of dependencies including dbus, polkit,
> libpam-elogind, and elogind.
>
> I think it may be a bug that in the case of my upgrade
> experience, neither xserver-xorg-legacy (a wrapper that
> enables setuid X) nor this pam stack were installed, so
> startx failed for me. Perhaps the experience is different
> with a display manager installed.
>
> I have and use dbus apps on my system. However, as far as
> I'm aware, none of these programs has root privileges.
>
> As the pam/dbus/elogind/polkit mechanism is capable of
> handing out root authority, and as all software has bugs, I
> think we _can_ anticipate that bugs that create security holes
> will be uncovered in this stack. How much scrutiny did the
> developers devote? Did anyone ever consider security
> through the whole stack? Probably the developers of each
> component do consider security in their own code.
>
> openssl had a big hole for years, and before that debian's random
> number generator was broken. Showstopping
> holes, but the show goes on...
>
> Will someone who scrutinizes closer have a back door,
> is that likely to be true for the foreseeable future?
>
> In a way, running others' code is like driving: putting
> oneself in the hands of strangers you've never met and
> might not trust for a minute in person.
>
> I read about the art of "fuzzing" programs with various
> combinations of random inputs, to discover bugs such as
> buffer overflows. This technique has been used to find bugs
> and improve security in many languages. It was also used to
> find hidden instructions and other attributes of
> microprocessors.
>
> https://github.com/xoreaxeaxeax/sandsifter/blob/master/references/domas_breaking_the_x86_isa_wp.pdf
>
> I see fuzzing tools for dbus also available.
>
> I think it's an interesting security question, since the default
> state of a distribution is so influential.
>
> That PAM is finely grained, I get, so on the surface, it
> looks superior to the big club of root permissions.
>
> I'd be interested in links to any discussions of these
> topics. I see the CVEs are published, in this example,
> smb4k is being careless in arguments it passes to dbus,
> leading to an exploit.
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-8849
>
> cheers
>
> --
> Joel Roth
>


Re: [DNG] Should I, or should I not, make a Devuan VimOutliner package?

2018-01-09 Thread Peter Vachuska
As someone who uses VO every day for everything from journals, to to-do
lists, to outlining, I prefer (or am used to) the double comma leaders.
I was not aware that Debian changed it to //. (I *would* like to point
out that ,, is not equally easy on every keyboard layout. I use Dvorak
where ,, is upper-left rather than lower-right, but it is still easier
to find than //.) I would appreciate a Devuan VimOutliner package. Thanks.

-peter

09.01.2018, 09:52, "Steve Litt" :
> Hi all,
>
> BACKSTORY...
>
> I'm the *originator* of VimOutliner, an outline processor that uses the
> Vim engine. VimOutliner's top priority was authoring speed. That
> priority drove most VimOutliner keyboard commands to begin with a
> double comma (,,), which is both extremely easy to hit from typing home
> position, and very unlikely to happen within written text. I published
> VimOutliner 0.13 June 1 2001.
>
> Several other people used it, liked it, and improved it far beyond my
> capabilities. Several Linux distros acquired VimOutliner packages.
> Unfortunately, the Debian VimOutliner package manager insisted on using
> double backslash (//) instead of double comma (,,) as the first two
> characters of commands. The double backslash is slower, and more
> important, it's a key that appears in different places on different
> keyboards. Use of the double backslash represents a degradation of
> VimOutliner's top priority: Authoring speed.
>
> I'm thinking of making the Devuan VimOutliner package use double comma.
> I'd take the Debian package and replace all appropriate double
> backslashes with double commas.
>
> Please understand, there is no SystemD dependency in the current Debian
> VimOutliner package. It doesn't in any way violate any Devuan policy.
> It simply uses the wrong string for the purposes of outlining.
>
> As mentioned, I'm the originator of VimOutliner, and as such I set the
> priorities, and the top priority has consistently been authoring speed.
> I can either modify the "standard" VimOutliner for my own use, or I can
> make a new, double comma equipped package for Devuan. Anyone have an
> opinion on this?
>
> SteveT
>
> Steve Litt
> December 2017 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/thrive


Re: [DNG] Bad UEFI: was Systemd at work: rm -rf EFI

2016-02-03 Thread Peter Vachuska


03.02.2016, 14:56, "Steve Litt" :
>
>  Let's talk about a minimal standard of safety as opposed to relying on
>  "knowing what you're doing."
>

A little knowledge is a dangerous thing.

I wouldn't have hesitated using 'rm -rf /' if I was going to remove all of the 
files from my current installation and reinstall anew. 
And I still don't understand why one would want a switch that bricks your 
computer?

-peter