Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts
On Mon, Nov 04, 2013 at 09:30:07PM -0600, William Hubbs wrote:
> All,
>
> I would like to remind everyone about the tracker for services that are misusing need net in their OpenRC init scripts [1].
>
> need net should be removed from our init scripts, because it is bogus and breaks things. I also question the value of use net, because the same thinking applies, e.g. the net virtual really doesn't have a strong meaning of any kind.
>
> For more details, see the tracker and flameeyes' blog post.
>
> Thanks,
>
> William
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=439092

In that bug I read:

Flameeyes wrote the following blog post concerning this issue:
http://blog.flameeyes.eu/2012/10/may-i-have-a-network-connection-please

and the link gives me a (Error code: sec_error_ocsp_unknown_cert).

--
Happy Penguin Computers               ')
126 Fenco Drive                       ( \
Tupelo, MS 38801                      ^^
supp...@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts
On Tue, 5 Nov 2013 08:49:15 -0600 mingdao gentoo-...@happypenguincomputers.com wrote:
> and the link gives me a (Error code: sec_error_ocsp_unknown_cert).

The certificate expired; I guess it'll be fixed soon, as he gets back.

--
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : tom...@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D

Re: [gentoo-dev] Re: Official way to do rolling update (Was: Re: Releng breakage with respect to move from dev-python/python-exec to dev-lang/python-exec)
On 11/04/2013 03:46 PM, Duncan wrote:
> Martin Vaeth posted on Mon, 04 Nov 2013 11:17:49 + as excerpted:
>
>> Duncan 1i5t5.dun...@cox.net wrote:
>>> and the default is oneshot
>>
>> I would always recommend to put -1 into EMERGE_DEFAULT_OPTS; you can still use --select if you really want a new package in a world file: after the first installation this should happen rather rarely (and you can still use -n --select later on if you forgot it and realize that depclean wants to remove it).
>
> I imagine were emerge being written today, -1 /would/ be the default, and there'd be an option like --select to add to the @world file if necessary. That's actually the way I setup my scripts, with -1 the default, and an extra 2 suffix script variant that did add to the world file.
>
> But backward compatibility being what it is, I guess by the time portage authors realized they had a backward default, they couldn't really fix it, except by something like EMERGE_DEFAULT_OPTS.
>
>>> Then there's esyn, which syncs both the gentoo tree and layman, as well as automatically handling ebuild patching and redigesting
>>
>> You can use eix-sync for that [...] The advantage is that you will probably have a better behaviour in case some of the tasks fail...
>
> Again, if it were available (and something I knew about) back in the day... I might have ended up with that. However, I've come to appreciate an advantage to writing one's own scripts -- bug fixing or adding new functionality is a *LOT* easier since you're already familiar with the code. In fact, speaking from experience, adding support for a new feature to a script you've created yourself is often easier than figuring out the new config options for the same feature for an upstream script, when they add support for it! Plus, you don't have to worry about learning new config options for new features you'll never use, since you simply don't code them in the first place. =:^)
>
> The ebuild-patching tree and auto-redigest features were in fact recent adds, when I needed something that scaled better than one-off ebuild editing during the time gentoo/kde dropped support for USE=semantic-desktop and I had to carry my own patches to kill it. (FWIW, they've since reverted and offer USE=semantic-desktop again now, THANKS gentoo/kde! =:^)
>
> Similarly, adding git functionality to my existing kernel scripts wasn't difficult, and arguably easier to do since I knew the code, than trying to reverse engineer the new config options and perhaps the supporting code behind it, were I using an upstream solution that added git kernel support to existing helper scripts.
>
>>> I have a similar set, but starting with k* instead of e*, for automatic mainline kernel fetching, building, etc.
>>
>> This is rather cumbersome, since you should have different permissions for building and installing (if you use the recommended way to build into a separate KBUILD_OUTPUT with e.g. portage permissions). Except for fetching, you might want to use the kernel script from the mv overlay.
>
> Actually, both different building/installing permissions (via config file sudo option, tho I'll admit since I set that option, running with that option turned off isn't tested, but the basic script infrastructure for it is there), and KBUILD_OUTPUT (setting in the config file) are already supported. =:^)
>
> And talk about ease of adding functionality, when I setup my 32-bit netbook build chroot, it was just a few lines changed in the kernel scripts themselves, and a dynamic config line added to the config file (which is sourced, so accepts both var=val style and dynamic config script snippets) to auto-detect which system I was building for and set KBUILD_OUTPUT accordingly, thereby keeping the work dirs and config entirely separate, automatically, via dynamic config.
>
> Trivial feature-add, and now that it's there, if I suddenly needed to scale to 100 or 1000 different kernel configs, that'd be even more trivial (even just a config file change), if necessary by having the config file source yet another separate-builds.conf file with its own dynamic-config logic to choose between the different configs.
>
> This sort of solidly sysadmin level helper/glue script is something Unix/Linux/Gentoo is well optimized to make not only possible, but trivial, to implement, and I definitely put that feature to use! =:^)

I'd be very interested in this kernel config script you have! I want to set up a mini ITX system as a NAS some day, and since it runs an Intel Atom, I'm likely going to be building the packages on my desktop.

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts
On 11/05/2013 09:49 AM, mingdao wrote:
> Flameeyes wrote the following blog post concerning this issue:
> http://blog.flameeyes.eu/2012/10/may-i-have-a-network-connection-please
>
> and the link gives me a (Error code: sec_error_ocsp_unknown_cert).

You should disable OCSP anyway. In Firefox, it's under,

  Edit - Preferences - Advanced - Encryption - Validation

The OCSP protocol is itself vulnerable to MITM attacks, which is cute when you consider its purpose. Moreover, it sends the address of every website you visit to a third party, which is the real reason to disable it IMO.

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts
On Tue, Nov 05, 2013 at 11:39:10AM -0500, Michael Orlitzky wrote:
> You should disable OCSP anyway. In Firefox, it's under,
>
>   Edit - Preferences - Advanced - Encryption - Validation
>
> The OCSP protocol is itself vulnerable to MITM attacks, which is cute when you consider its purpose. Moreover, it sends the address of every website you visit to a third party, which is the real reason to disable it IMO.

Thanks for the information, Michael. My Firefox had a slightly different $PATH as shown in the attached screenshot.

  Edit - Preferences - Advanced - Certificates - Validation

www-client/firefox-24.1.0-r1 (didn't do the upgrade to www-client/firefox-25.0-r1 today due to unstable libpng-1.6.6 being pulled with the new subslot philosophy)

--
Happy Penguin Computers               ')
126 Fenco Drive                       ( \
Tupelo, MS 38801                      ^^
supp...@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts
On 11/05/2013 10:39 AM, Michael Orlitzky wrote:
> On 11/05/2013 09:49 AM, mingdao wrote:
>> Flameeyes wrote the following blog post concerning this issue:
>> http://blog.flameeyes.eu/2012/10/may-i-have-a-network-connection-please
>>
>> and the link gives me a (Error code: sec_error_ocsp_unknown_cert).
>
> You should disable OCSP anyway. In Firefox, it's under,
>
>   Edit - Preferences - Advanced - Encryption - Validation
>
> The OCSP protocol is itself vulnerable to MITM attacks, which is cute when you consider its purpose. Moreover, it sends the address of every website you visit to a third party, which is the real reason to disable it IMO.

Thanks for pointing this out! I'm a privacy-minded kind of guy and didn't think to look there for possible violations. Do you know of any other tips for locking down Firefox from prying eyes? I already use NoScript and RequestPolicy, clean non-whitelisted cookies, and disabled web forgery reporting in Preferences.