Re: [gentoo-user] Firefox and VPN, plus security in general

2016-06-14 Thread Adam Carter
On Sun, Jun 12, 2016 at 8:57 AM, Dale  wrote:

> Howdy,
>
> I ran up on a video website that had some info on it.  I found it
> interesting and was curious about what it said and another question I
> been wondering about.  It mentioned using a VPN so that the NSA, my ISP
> and others couldn't "see" what was going on.  So, my first question,
> does that work and does it require the site on the other end to have it
> set up as well?  Bonus question, is it easy to use on any site if it
> doesn't require the other end to use it?  I'm thinking of using this for
> my banking/financial sites as well if it is a good idea.
>

Firstly I suggest you don't consider the NSA your adversary, because:
1. They're probably not interested in you
2. If they are interested in you, just adding a VPN is not going to make
much difference.

So let's just consider an employee at your ISP.

There's typically no need to use a VPN when accessing an HTTPS website, as
the SSL/TLS already provides most of the privacy that a VPN would supply.
The extra that the VPN gives you in this case is to hide which websites
you're visiting. So the data is protected in both instances, but the VPN
also hides the connection metadata. So if you use just SSL/TLS then your
ISP can deduce which bank you have an account with. If you use the VPN as
well, then they can't even tell that.

There are issues with SSL/TLS that could allow someone in the path between
you and the bank to decrypt your traffic, and if they can do that they
would be able to log into your account if the bank uses simple
password/passphrase style auth. The two main SSL/TLS issues are:
1. Improperly issued certificates
2. Older/weaker crypto

The trust system around certificates can be summarised as "you trust any
certificate as much as you trust the least trustworthy certificate
authority in your trusted certificate store". Your browser ships with many
CA certificates in its trusted certificate store. Any of these CAs can
issue cryptographically valid certificates for any domain. So, if I manage
to fool a CA that I am bigbank.com then I can buy a certificate to
bigbank.com. Or, I can just find a staff member of a CA in a very poor
country and offer them a big bag of sweet cash to have them issue the
certificate for me. Certificate pinning reduces this exposure significantly
so use a browser that supports it like Chrome or Firefox.

Weak crypto? Turn off all SSL, TLS 1.0 and 1.1 in the browser, and disable
RC4 crypto. That might block you out of some sites with weak crypto that
you may still want to use. Assuming your bank has good crypto, use Chrome
or Firefox with the weak crypto disabled for your banking, and another
browser for everything else.

> This is something I've been wondering about and I've seen a few posts here
> that bump around the edges of this question.  As most here know, I use
> Gentoo.  It's an older install but I keep it up to date.  I sit behind a
> DSL modem, an older Westell one, and a Linksys router, the old blue nosed
> one.  Neither modem nor router has wireless stuff included.  Is that
> hardware and my Gentoo install pretty secure for most hackers?


If one of those devices is PATing your IP, then that effectively blocks all
inbound sessions, so it will prevent anyone on the internet scanning your
system, and attempting inbound connections. This makes you much more
secure.

If there's no PAT, then you need to turn off all unneeded network services
(use netstat to show what ports are open), and harden any services you
leave on. For example, you could run sshd with only the stricter crypto
enabled (this stops most bots as they haven't implemented those functions),
and run fail2ban to lock out any IPs that are running password guessing
attacks.


> In other
> words, since I don't keep the formula to run car/truck engines on water
> here, would this stop most since there is nothing worth stealing here?
> I'm not interested in a NSA based hardened install here, just reasonably
> secure.
>

Ok - ignore previous comment on NSA :)

>
> Basically, I'm just wanting to make sure I'm reasonably secure here.
>
>
With regular patching and the above, you should be in pretty good shape.
Next step after that would probably be to look at gcc's stack protector. In
gcc 4.9.0+ -fstack-protector-strong is enabled by default. And in the
kernel .config set CONFIG_CC_STACKPROTECTOR_STRONG=y.

Then after that take a look at hardened sources and PaX (still on my todo
list)
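The fail2ban step above, as an added example that is not part of Adam's message: a minimal version of the check fail2ban runs over sshd logs, counting failed password attempts per source address inside a sliding time window and reporting the addresses that hit the limit. The log lines are constructed, and the threshold and window (5 failures in 10 minutes) are assumptions taken from fail2ban's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (not a real log). 203.0.113.7
# hammers sshd with five failures in eleven seconds; 198.51.100.4 also fails
# five times, but spread over fifteen minutes; 192.0.2.10 is a legitimate
# user who mistypes a password once.
SAMPLE_LOG = """\
Jun 14 10:00:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jun 14 10:00:03 box sshd[1203]: Failed password for root from 203.0.113.7 port 41024 ssh2
Jun 14 10:00:05 box sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 41026 ssh2
Jun 14 10:00:06 box sshd[1206]: Accepted publickey for dale from 192.0.2.10 port 50100 ssh2
Jun 14 10:00:09 box sshd[1207]: Failed password for root from 203.0.113.7 port 41028 ssh2
Jun 14 10:00:12 box sshd[1209]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jun 14 10:01:00 box sshd[1210]: Failed password for dale from 192.0.2.10 port 50102 ssh2
Jun 14 10:30:00 box sshd[1220]: Failed password for root from 198.51.100.4 port 33000 ssh2
Jun 14 10:32:00 box sshd[1221]: Failed password for root from 198.51.100.4 port 33002 ssh2
Jun 14 10:34:00 box sshd[1222]: Failed password for root from 198.51.100.4 port 33004 ssh2
Jun 14 10:36:00 box sshd[1223]: Failed password for root from 198.51.100.4 port 33006 ssh2
Jun 14 10:45:00 box sshd[1224]: Failed password for root from 198.51.100.4 port 33008 ssh2
"""

# Matches the two forms sshd logs for a rejected password: a known user and an
# "invalid user". Timestamp and source address are captured.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip) for each failed-password line, in file order.
    syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for addresses that reach maxretry failures
    within any findtime-second sliding window (fail2ban's defaults: 5 in 10 min).
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue              # already banned; fail2ban would have dropped it
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the retry limit at {when:%H:%M:%S}; would be banned")
```

With the defaults only 203.0.113.7 is reported; the slow attempts from 198.51.100.4 never fit five into one window, which is exactly the case a per-window count handles differently from a plain total.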


[gentoo-user] Re: Recommend a simple video editor?

2016-06-14 Thread Grant Edwards
On 2016-06-14, Deven Lahoti  wrote:

> kdenlive is apparently usable, though I haven't tried it

I was sort of hoping that Shotcut would work, since it was
specifically recommended by the MLT developer as the best way to use
melt.

That was going to be my last resort, since I didn't really want to
install KDE stuff.  Openshot and Shotcut both required Qt, but not
KDE.  Flowblade would probably be next on my list to try, since it's
Gtk based and wouldn't pull in the 30-40 packages that a Qt app does
(or Dog-only-knows how many for a KDE app).

-- 
Grant Edwards   grant.b.edwards at gmail.com
Yow! In 1962, you could buy a pair of SHARKSKIN SLACKS, with a "Continental Belt," for $10.99!!




Re: [gentoo-user] Re: Recommend a simple video editor?

2016-06-14 Thread Deven Lahoti
kdenlive is apparently usable, though I haven't tried it


[gentoo-user] Re: Recommend a simple video editor?

2016-06-14 Thread Grant Edwards
On 2016-06-14, Grant Edwards  wrote:

> The git version of MLT installed fine, but shotcut failed to compile:
>
>  cd src/ && ( test -e Makefile || /usr/lib64/qt5/bin/qmake 
> /var/tmp/portage/media-video/shotcut-/work/shotcut-/src/src.pro 
> 'PREFIX={D}/usr/' -o Makefile ) && make -f Makefile 
>  Project ERROR: Unknown module(s) in QT: websockets
>  Makefile:95: recipe for target 'sub-src-make_first' failed
>
> I could probably figure out what's wrong and fix it, but...

The shotcut ebuild above is missing dependencies on qtwebsockets and
jack-audio-connection-kit.  Once I added those, it built cleanly.  It
doesn't _work_, but it builds.

When I run it, it just displays a small black rectangle in the middle
of the display and then locks up.

I must say I'm pretty unimpressed with the state of GUI video editors
on Linux (or at least on Gentoo).

There are probably three or four more I could try, but I think I'll
stick with the command-line rather than waste any more time on trying
to build and use half-finished apps.

-- 
Grant Edwards   grant.b.edwards at gmail.com
Yow! I'm using my X-RAY VISION to obtain a rare glimpse of the INNER WORKINGS of this POTATO!!




[gentoo-user] Re: Recommend a simple video editor?

2016-06-14 Thread Grant Edwards
On 2016-06-11, Grant Edwards  wrote:

> I've got a handful of mp4 video clips (a minute or two each).  All I
> want to do is 
>
>  1) Concatenate them with fade-in at beginning of each clip and fade-out
> at the end of each clip.
>
>  2) Superimpose a title at the beginning for a few seconds.
>
> Can anybody recommend a simple video editor?
>
>  
> So far I've tried Openshot and Cinelerra and neither is usable even
> for my trivial task.
[...]
> I may try Cinelerra 2014, but I'm not optimistic -- Cinelerra is known
> for its slow rate of change.

I tried the 2014 (~amd64) version of Cinelerra, and it still doesn't
recognize the AAC audio in the MP4 files my Moto G phone produces.

I also tried the downloaded binary of Shotcut, but it requires old
versions of libraries and wouldn't run. So, I tried building it using
the shotcut- ebuild and the mlt- ebuild from

  https://gpo.zugaina.org/media-video/shotcut
  https://gpo.zugaina.org/media-libs/mlt

The git version of MLT installed fine, but shotcut failed to compile:

 cd src/ && ( test -e Makefile || /usr/lib64/qt5/bin/qmake 
/var/tmp/portage/media-video/shotcut-/work/shotcut-/src/src.pro 
'PREFIX={D}/usr/' -o Makefile ) && make -f Makefile 
 Project ERROR: Unknown module(s) in QT: websockets
 Makefile:95: recipe for target 'sub-src-make_first' failed

I could probably figure out what's wrong and fix it, but...

Meanwhile, I was experimenting with the "melt" command-line video
editor that's included in the MLT library.

https://mltframework.org/twiki/bin/view/MLT/MltMelt
https://www.youtube.com/playlist?list=PLcUid3OP_4OWC-GJ6KfHK7dIK_yRKKn0e

It's pretty cool, if somewhat cryptic.  The documentation is a little
scarce, and what exists is somewhat hidden from Google by the use of a
common English word as the program name.

But, the developer was kind enough to offer a couple hints on the
mailing list, and it did a great job.

Using the x264 codec it produced an output file that was 1/3 the size
of that produced by Openshot and the improvement in video quality over
Openshot was Yuge(tm)!  I cranked up the x264 bitrate some (filesize
is now a little over half of that produced by Openshot), and the video
quality is great -- it's indiscernible from the input files which are
almost twice as large.

The interesting thing is that Openshot and melt both use the same MLT
backend, so Openshot _should_ be able to generate the exact same
output -- assuming it exposes all the required codec selections and
settings.

-- 
Grant Edwards   grant.b.edwards at gmail.com
Yow! I have a TINY BOWL in my HEAD




[gentoo-user] Re: Change from udev to eudev?

2016-06-14 Thread James
J. Roeleveld  antarean.org> writes:

> 
> On Monday, June 13, 2016 02:10:27 PM James wrote:
> > wabe  gmail.com> writes:
> > Still, if you manage 1000 linux workstations, then systemd does have
> > it's merits.

> Serious question: What makes systemd more suitable to manage 1000 linux 
> workstations when compared to, for instance, OpenRC?

> Joost


Seriously?
(note:: awkward position for me to defend systemd)


Because RHEL says so? Why else would they promote systemd?

Because It's what bloggers say that make systemd the Kool_aid of choice
these days?

Because really, I was just being polite and trying very hard to say
something nice about systemd?

Because Jim Morrison told me systemd is the way to nirvana, in a 60s laden
pipe dream?

Because, if you are not promoting systemd, you are just not Quool?

Because, resistance, defined as the counterflow to Systemd flux,
is futile? Reflectance is defined as the summation of your futile resistance
area, under the curve. The endpoint being when you finally adopted
(integrated) systemd into your hopes and dreams?

Because cross-dressing the linux systems you manage, with different, custom
scripts, is so 2010. We all need to wear the emperor's new clothes, to be
hip, just like lennertd ?

Because the NSA is funding systemd, and those that do not cooperate, will be
barred from all GSA  and large corporate contracts?

Because Big, Corporate management believes that systemd will enable them to
replace seasoned linux admins with mindless drones from the labor pool?
(Note::Management is always the first to 'drink the Kool_aide' from other
large, corporate vendors)? You do not want to know what else they do, after
guzzling the kool_aide.

Because, I think we all know that I'm no whiz at systemd, actually far from
it; in fact I'll be a very late adopter (perhaps post mortem as they inject
me with embedded linux micro-nomes on my way to an oceanic burial)?


So, one of the common arguments you hear is that Systemd can standardize
management across different linux distros. In fact many promote systemd
based on a standardization track, as a really good idea. So in a large
installation, it provides the inter-intra-system discipline thereby reducing
the tendency of admins to create fiefdoms (via unique scripts) within the
different machines that different admins manage ( vs traditional divide and
conquer strategies).

Perhaps a workshop or conference is a good idea, should you want the latest,
expert advice on systemd [1]; just pay attention to the "no smoking signs"
posted near the kool_aid punch-bowl. 

(liar liar, hair on fiar)  -- da doors, resurrection tour.


[1] http://0pointer.net/blog/


it's been great fun defending systemd!
James






Re: [gentoo-user] How to try custom-optimization in firefox

2016-06-14 Thread Andrew Savchenko
On Tue, 14 Jun 2016 18:39:54 +1000 Adam Carter wrote:
> You missed another flag: USE="custom-cflags". You should really
> 
> > read USE flag descriptions (/usr/portage/use.{,local.}desc):
> >
> > custom-cflags - Build with user-specified CFLAGS (unsupported)
> > www-client/firefox:custom-optimization - Fine-tune custom compiler
> > optimizations (-Os, -O0, -O1, -O2, -O3)
> >
> > So custom-optimization will only get -O[0123s] option from your
> > CFLAGS,
> 
> 
> That's all I want. However, the -O2 was still filtered even though i have
> custom-optimization on.

Yes, -O* are removed from CFLAGS, because firefox uses
special .mozconfig option for -O* flags:

mozconfig_annotate "Gentoo's default optimization" --enable-optimize=-O2

emerge --info is not accurate here, as it can't handle non-trivial
stuff like mozconfig.

Actually -O2 is default and if you want only this option, you may
do nothing, since it is enabled by default.

If you have any further doubts, please provide a full build.log
(compress it or place somewhere outside of the list and provide
a link). Though you should see -O2 yourself there:

==
Building firefox-47.0 with the following configuration
--enable-application=browser   mozilla.org default
--enable-optimize=-O2   Gentoo's default optimization

as well as in gcc commands below.

Best regards,
Andrew Savchenko




Re: [gentoo-user] How to try custom-optimization in firefox

2016-06-14 Thread Adam Carter
> You missed another flag: USE="custom-cflags". You should really

> read USE flag descriptions (/usr/portage/use.{,local.}desc):
>
> custom-cflags - Build with user-specified CFLAGS (unsupported)
> www-client/firefox:custom-optimization - Fine-tune custom compiler
> optimizations (-Os, -O0, -O1, -O2, -O3)
>
> So custom-optimization will only get -O[0123s] option from your
> CFLAGS,


That's all I want. However, the -O2 was still filtered even though i have
custom-optimization on.
emerge --info output:

=
Package Settings
=

www-client/firefox-47.0::gentoo was built with the following:
USE="*custom-optimization* dbus gmp-autoupdate gtk2 hwaccel jemalloc3 jit
pulseaudio -bindist -custom-cflags -debug -hardened (-neon) (-pgo)
(-selinux) -startup-notification (-system-cairo) -system-harfbuzz
-system-icu -system-jpeg -system-libevent -system-libvpx -system-sqlite
-test -wifi" ABI_X86="64" LINGUAS="-ach -af -an -ar -as -ast -az -be -bg
-bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -en_GB -en_ZA -eo -es_AR
-es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he
-hi_IN -hr -hsb -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk
-ml -mr -ms -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si
-sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -uz -vi -xh -zh_CN -zh_TW"
CFLAGS=*"-march=amdfam10 -pipe"*
CXXFLAGS="-march=amdfam10 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -march=amdfam10 -pipe
-Wl,-rpath=/usr/lib64/firefox"


Re: [gentoo-user] Updating linux-headers ...

2016-06-14 Thread Alexander Kapshuk
On Mon, Jun 13, 2016 at 11:29 AM, Dale  wrote:
> J. Roeleveld wrote:
>> On Saturday, June 11, 2016 03:54:32 PM Alexander Kapshuk wrote:
>>>
>>> If what you're after is rebuilding all the packages that depend on
>>> linux-headers, a command line below might be one way of doing it:
>>>
>>> emerge -a `equery -q d '=sys-kernel/linux-headers-4.3' | sed
>>> 's/\-[0-9].*//'`
>>>
>>> These are the packages that would be merged, in order:
>>>
>>> Calculating dependencies  . done!
>>> [ebuild   R] virtual/os-headers-0
>>> [ebuild   R] sys-apps/busybox-1.24.2
>>> [ebuild   R] sys-libs/mtdev-1.1.5
>>> [ebuild   R] dev-util/strace-4.9
>>> [ebuild   R] sys-apps/hwinfo-21.4
>>> [ebuild   R] sys-libs/libcap-ng-0.7.7
>>> [ebuild   R] sys-libs/libseccomp-2.3.0
>>> [ebuild   R] sys-apps/iproute2-4.4.0
>>> [ebuild   R] sys-libs/libcap-2.24-r2
>>> [ebuild   R] media-gfx/sane-backends-1.0.24-r6
>>> [ebuild   R] media-video/ffmpeg-2.8.6
>>> [ebuild   R] x11-drivers/xf86-input-evdev-2.9.2
>>> [ebuild   R] sys-fs/udev-225-r1
>>> [ebuild   R] sys-fs/udisks-2.1.4
>>>
>>> Would you like to merge these packages? [Yes/No]
>> Please ensure you pass " --oneshot " or " -1 " to emerge. Otherwise all these
>> will end up in your world-file causing interesting blockers later.
>>
>> --
>> Joost
>>
>>
>
>
> One other option, add it to emerge options in make.conf.  Then if you
> really want it in world, use --select or add it to the world file
> manually.  I added it to my make.conf file a long time ago.  It makes it
> much easier to keep a clean world file.  I would always forget to add
> that option.
>
> Dale
>
> :-)  :-)
>

Understood. Thanks.



Re: [gentoo-user] Updating linux-headers ...

2016-06-14 Thread Alexander Kapshuk
On Mon, Jun 13, 2016 at 9:40 AM, J. Roeleveld  wrote:
> On Saturday, June 11, 2016 03:54:32 PM Alexander Kapshuk wrote:
>> On Sat, Jun 11, 2016 at 2:09 PM,   wrote:
>> > Hi,
>> >
>> > I want to update my linux-headers (I am using the vanilla-kernel).
>> >
>> > I did a
>> >
>> > solfire:/root>equery depends '=sys-kernel/linux-headers-4.6'
>> >
>> >  * These packages depend on sys-kernel/linux-headers-4.6:
>> > app-misc/srm-1.2.11-r2 (sys-kernel/linux-headers)
>> > dev-qt/qtgui-5.5.1-r1 (evdev ? sys-kernel/linux-headers)
>> >
>> >   (udev ? sys-kernel/linux-headers)
>> >
>> > dev-util/strace-4.9 (sys-kernel/linux-headers)
>> > media-video/ffmpeg-2.8.6 (v4l ? sys-kernel/linux-headers)
>> > media-video/transcode-1.1.7-r3 (v4l ? >=sys-kernel/linux-headers-2.6.11)
>> > sys-apps/busybox-1.24.2 (>=sys-kernel/linux-headers-2.6.39)
>> > sys-apps/iproute2-4.4.0 (>=sys-kernel/linux-headers-3.16)
>> > sys-apps/keyutils-1.5.9-r2 (!prefix ? >=sys-kernel/linux-headers-2.6.11)
>> > sys-fs/udev-225-r1 (>=sys-kernel/linux-headers-3.9)
>> > sys-fs/udisks-2.1.7 (>=sys-kernel/linux-headers-3.1)
>> > sys-libs/libcap-2.24-r2 (sys-kernel/linux-headers)
>> > sys-libs/libcap-ng-0.7.7 (sys-kernel/linux-headers)
>> > sys-libs/libseccomp-2.3.0 (>=sys-kernel/linux-headers-4.3)
>> > sys-libs/mtdev-1.1.5 (>=sys-kernel/linux-headers-2.6.31)
>> > sys-power/acpid-2.0.23 (>=sys-kernel/linux-headers-3)
>> > virtual/linuxtv-dvb-headers-5.8 (>=sys-kernel/linux-headers-3.7)
>> > virtual/os-headers-0 (kernel_linux ? sys-kernel/linux-headers:0)
>> > x11-drivers/xf86-input-evdev-2.9.2 (>=sys-kernel/linux-headers-2.6)
>> >
>> > How can I tell emerge just to recompile those packages since
>> >
>> > emerge --update --newuse --deep --with-bdeps=y --tree --keep-going
>> > --backtrack=30 @world -v
>> >
>> > does not do anything.
>> >
>> > Thanks a lot for any help in advance!
>> > Best regards,
>> > Meino
>>
>> If what you're after is rebuilding all the packages that depend on
>> linux-headers, a command line below might be one way of doing it:
>>
>> emerge -a `equery -q d '=sys-kernel/linux-headers-4.3' | sed
>> 's/\-[0-9].*//'`
>>
>> These are the packages that would be merged, in order:
>>
>> Calculating dependencies  . done!
>> [ebuild   R] virtual/os-headers-0
>> [ebuild   R] sys-apps/busybox-1.24.2
>> [ebuild   R] sys-libs/mtdev-1.1.5
>> [ebuild   R] dev-util/strace-4.9
>> [ebuild   R] sys-apps/hwinfo-21.4
>> [ebuild   R] sys-libs/libcap-ng-0.7.7
>> [ebuild   R] sys-libs/libseccomp-2.3.0
>> [ebuild   R] sys-apps/iproute2-4.4.0
>> [ebuild   R] sys-libs/libcap-2.24-r2
>> [ebuild   R] media-gfx/sane-backends-1.0.24-r6
>> [ebuild   R] media-video/ffmpeg-2.8.6
>> [ebuild   R] x11-drivers/xf86-input-evdev-2.9.2
>> [ebuild   R] sys-fs/udev-225-r1
>> [ebuild   R] sys-fs/udisks-2.1.4
>>
>> Would you like to merge these packages? [Yes/No]
>
> Please ensure you pass " --oneshot " or " -1 " to emerge. Otherwise all these
> will end up in your world-file causing interesting blockers later.
>
> --
> Joost
>

Understood. Thanks.
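The rebuild recipe from this thread (Alexander's equery/sed pipeline plus Joost's --oneshot advice), as an added example that is not part of any of the messages: the version-stripping step is run over a constructed sample of `equery -q d` output so the pipeline can be checked offline, and the emerge command is only printed, not run.

```sh
#!/bin/sh
# Added example, not from the thread. Turns `equery -q d <atom>` output into
# versionless package atoms and builds a one-shot rebuild command from them.

# Constructed sample of `equery -q d '=sys-kernel/linux-headers-4.3'` output
# (a subset of what the thread shows).
SAMPLE_DEPENDERS='virtual/os-headers-0
sys-apps/busybox-1.24.2
sys-libs/libcap-ng-0.7.7
sys-libs/libcap-2.24-r2
x11-drivers/xf86-input-evdev-2.9.2'

# Strip the version (including any -rN revision) from category/name-version.
# A Gentoo version starts at the first "-" that is followed by a digit, which
# is why "libcap-ng-0.7.7" becomes "libcap-ng" rather than "libcap".
strip_versions() {
    sed 's/-[0-9][^/]*$//'
}

# Build the emerge command line. --oneshot (-1) keeps the rebuilt packages out
# of the world file, the point Joost raised; --ask (-a) shows the plan first.
# Dale's alternative is to put --oneshot into EMERGE_DEFAULT_OPTS in make.conf.
rebuild_command() {
    atoms=$(printf '%s\n' "$1" | strip_versions | tr '\n' ' ' | sed 's/ $//')
    printf 'emerge --ask --oneshot %s\n' "$atoms"
}

rebuild_command "$SAMPLE_DEPENDERS"
```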



Re: [gentoo-user] How to try custom-optimization in firefox

2016-06-14 Thread Andrew Savchenko
On Tue, 14 Jun 2016 14:55:08 +1000 Adam Carter wrote:
> I have enabled this use flag and the output of emerge --info shows it has
> been recognised in USE but not in FCFLAGs/CFLAGs;
> 
> grep USE.*custom ff*
> ffafter-cust-opt.txt:USE="custom-optimization dbus gmp-autoupdate gtk2
> hwaccel jemalloc3 jit pulseaudio -bindist -custom-cflags -debug -hardened
> (-neon) (-pgo) (-selinux) -startup-notification (-system-cairo)
> -system-harfbuzz -system-icu -system-jpeg -system-libevent -system-libvpx
> -system-sqlite -test -wifi"
> ffbefore-cust-opt.txt:USE="dbus gmp-autoupdate gtk2 hwaccel jemalloc3 jit
> pulseaudio -bindist -custom-cflags -custom-optimization -debug -hardened
> (-neon) (-pgo) (-selinux) -startup-notification (-system-cairo)
> -system-harfbuzz -system-icu -system-jpeg -system-libevent -system-libvpx
> -system-sqlite -test -wifi"
> 
> grep CFLAGS ff*
> ffafter-cust-opt.txt:CFLAGS="-march=amdfam10 -mcx16 -msahf -mpopcnt -mabm
> -O2 -pipe"
> ffafter-cust-opt.txt:FCFLAGS="-O2 -pipe"
> ffafter-cust-opt.txt:CFLAGS="-march=amdfam10 -pipe"
> ffbefore-cust-opt.txt:CFLAGS="-march=amdfam10 -mcx16 -msahf -mpopcnt -mabm
> -O2 -pipe"
> ffbefore-cust-opt.txt:FCFLAGS="-O2 -pipe"
> ffbefore-cust-opt.txt:CFLAGS="-march=amdfam10 -pipe"
> 
> I assumed that enabling custom-optimization would let the optimization
> setting from CFLAGS in make.conf pass through unfiltered, but that's not
> the case. What else do i need to do to make it work?

You missed another flag: USE="custom-cflags". You should really
read USE flag descriptions (/usr/portage/use.{,local.}desc):

custom-cflags - Build with user-specified CFLAGS (unsupported)
www-client/firefox:custom-optimization - Fine-tune custom compiler
optimizations (-Os, -O0, -O1, -O2, -O3)

So custom-optimization will only get -O[0123s] option from your
CFLAGS, if you need other options, use custom-cflags. If you need
both (-O* and other options), set both USE flags (as can be seen
from mozcoreconf-v4.eclass).

Best regards,
Andrew Savchenko

