[gentoo-user] Raspberry Pi with 8GB
Gentoo Folks,

Has anyone ported gentoo to the newest Raspberry Pi with 8 gig of ram?

https://www.admin-magazine.com/News/Raspberry-Pi-with-8GB-of-RAM-Now-Available

If so, I'd be curious as to your performance and using it as a workstation or mobile/laptop.

https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

None of the usual gentoo embedded sites I have searched list gentoo on this device. All input is welcome. 8GB on a 64 bit arm low power (embedded) board, or a cluster of 4+ such boards is of keen interest to my new, gentoo centric low power goals.

TIA,
James
Re: [gentoo-user] Hard drive screws
james wrote:
> On 6/7/20 5:24 PM, Dale wrote:
>> antlists wrote:
>>> On 07/06/2020 10:50, J. Roeleveld wrote:
>>>> On 7 June 2020 09:41:16 CEST, antlists wrote:
>>>>> On 06/06/2020 20:14, J. Roeleveld wrote:
>>>>>> One of my old cases had plastic strips with little sticks on them
>>>>>> that would fit into the screwholes. Those strips would then slot into
>>>>>> the mounting points for the disks.
>>>>>>
>>>>>> No messing around with screws and really easy to swap drives. They
>>>>>> would be perfectly mounted as well.
>>>>>>
>>>>>> Too bad I don't see the same with most other cases.
>>>>>
>>>>> I remember that. Compaqs with 75 MEGA Hz cpu's iirc.
>>>>>
>>>>> Cheers,
>>>>> Wol
>>>>
>>>> Not just Compaq. I think mine was a coolermaster case at the time.
>>>>
>>>> Toolless hotswap is a useful feature when regularly swapping drives.
>>>
>>> These weren't hotswap (just ordinary IDE), but it's a damn sight
>>> easier putting the rails on a drive on a desk, rather than putting
>>> the screws in a drive in a case :-)
>>>
>>> Cheers,
>>> Wol
>>
>> My Cooler Master HAF-932 has no screws for drives either. It has
>> those plastic frames with these rubber and metal pins that take the
>> place of screws. Once the frame is inserted into the drive cage,
>> those pins can't let go of the drive. I might add, if the pins are
>> inserted properly, the plastic frame won't go into the cage either. I
>> like the design part but I hope the plastic part never breaks. They
>> ain't cheap or easy to find at times.
>>
>> Oh, my mobo supports hot swap SATA so all are hot swappable too. I'm
>> not sure if I have a IDE connector. It might but I'm not sure.
>>
>> Dale
>>
>> :-) :-)
>
> Dale,
>
> It's a bit late now, but here goes. When I spend money, I always
> request the entire box of parts, for the mobo, drives, gpu cards, etc
> etc. Most vendors will talk to direct, over email, chat etc. I then
> have plastic organizer boxes with dozens or more small compartments
> and lids to these boxes. So I save all sorts of screws, from 30 years
> back to now, always. It's a bit of an extreme, but as an avid hardware
> hacker, I use those collections, almost weekly to fix/enhance mounts,
> cases, antennas and all sorts of custom rigs...
>
> Also, you can find collections of such for less than $50 on the net.
> Great to have, but I have over 1,000 sq. ft. or more of all sorts of
> new and old hardware I've collected up over the decades. Skycraft in
> Orlando is just one of many great places to purchase inexpensive
> excess hardware.
>
> https://skycraftsurplus.com/
>
> Also, local computer shops will sell you hordes of excess screws and
> such; just talk to them. When you are spending money, it is real easy
> to collect up excess screws and such from most vendors, for next to
> nothing.
>
> But then, I hardware hack of hundreds/thousands of different hardware
> systems.
>
> hth,
> James

I have a small toolbox that I take if I go work on someone else's computer somewhere. It has a small plastic compartment box in it along with a few other common things. I have a lot of screws, bolts, nuts and washers that I've pulled from puters over the years. Hard drives, floppys, cases, fans and no telling what else. Thing is, when I was trying to install that drive, not one of the thousands of screws I have would fit. I have them sorted somewhat by size and thread. Still, none seemed to fit right. The one thing I didn't want to do was mess up the threads. Worse yet, the hard drive come loose and start flopping around in the enclosure doing who knows what damage wise.

That's not to include all the stuff I have in a 20x40' shop. Then I have another 10x10' building that I keep quite a bit of electronic gear in. Still, couldn't find a screw to fit. It would seem to me that there would be some sort of standard for this sort of thing. They have a standard width and even length. Heck, most are the same thickness as well. Why not use the same type of screws?? lol

I guess I need to put the word out that I need newer junked puters to tear apart. I may not be able to use the cases or anything but at least maybe I can get some hard drive screws out of it. Be my luck, I'd get all the same brand and them be some weird size no one else uses. :/

I'll check out that link tho. I just may have to invest in larger bins.

Dale

:-) :-)
Re: [gentoo-user] Hard drive screws
On 6/7/20 5:24 PM, Dale wrote:
> antlists wrote:
>> On 07/06/2020 10:50, J. Roeleveld wrote:
>>> On 7 June 2020 09:41:16 CEST, antlists wrote:
>>>> On 06/06/2020 20:14, J. Roeleveld wrote:
>>>>> One of my old cases had plastic strips with little sticks on them
>>>>> that would fit into the screwholes. Those strips would then slot into
>>>>> the mounting points for the disks.
>>>>>
>>>>> No messing around with screws and really easy to swap drives. They
>>>>> would be perfectly mounted as well.
>>>>>
>>>>> Too bad I don't see the same with most other cases.
>>>>
>>>> I remember that. Compaqs with 75 MEGA Hz cpu's iirc.
>>>>
>>>> Cheers,
>>>> Wol
>>>
>>> Not just Compaq. I think mine was a coolermaster case at the time.
>>>
>>> Toolless hotswap is a useful feature when regularly swapping drives.
>>
>> These weren't hotswap (just ordinary IDE), but it's a damn sight
>> easier putting the rails on a drive on a desk, rather than putting
>> the screws in a drive in a case :-)
>>
>> Cheers,
>> Wol
>
> My Cooler Master HAF-932 has no screws for drives either. It has
> those plastic frames with these rubber and metal pins that take the
> place of screws. Once the frame is inserted into the drive cage,
> those pins can't let go of the drive. I might add, if the pins are
> inserted properly, the plastic frame won't go into the cage either. I
> like the design part but I hope the plastic part never breaks. They
> ain't cheap or easy to find at times.
>
> Oh, my mobo supports hot swap SATA so all are hot swappable too. I'm
> not sure if I have a IDE connector. It might but I'm not sure.
>
> Dale
>
> :-) :-)

Dale,

It's a bit late now, but here goes. When I spend money, I always request the entire box of parts, for the mobo, drives, gpu cards, etc etc. Most vendors will talk to direct, over email, chat etc. I then have plastic organizer boxes with dozens or more small compartments and lids to these boxes. So I save all sorts of screws, from 30 years back to now, always. It's a bit of an extreme, but as an avid hardware hacker, I use those collections, almost weekly to fix/enhance mounts, cases, antennas and all sorts of custom rigs...

Also, you can find collections of such for less than $50 on the net. Great to have, but I have over 1,000 sq. ft. or more of all sorts of new and old hardware I've collected up over the decades. Skycraft in Orlando is just one of many great places to purchase inexpensive excess hardware.

https://skycraftsurplus.com/

Also, local computer shops will sell you hordes of excess screws and such; just talk to them. When you are spending money, it is real easy to collect up excess screws and such from most vendors, for next to nothing.

But then, I hardware hack of hundreds/thousands of different hardware systems.

hth,
James
Re: [gentoo-user] What's the best way to force a particular version of a dependency
n952162 wrote:
> On 2020-06-07 23:37, Dale wrote:
>> J. Roeleveld wrote:
>>>
>>> You need to add "-1" or "--oneshot".
>>>
>>> As this has been used, I would definitely expect the world-file to be full
>>> of this, causing issues with updates later.
>>>
>>> Also, by restricting to @system, any packages not in @system with a
>>> restriction on readline V8 will cause the mentioned problem.
>>>
>>> @system is, for me, a last resort, but I tend to move my world file away
>>> (rename) and put it back once @system is done and a depclean finished. This
>>> is usually only needed after not updating for a while and/or big changes in
>>> the tree.
>>>
>>> --
>>> Joost
>>
>> Would OP posting the world file help? I'm sure some of us could
>> recognize things that shouldn't be there and could help clean it up.
>> Things with a specific version should be given a hard look.
>>
>> Dale
>>
>> :-) :-)
>
> That would be a fantastic opportunity, but I'm not sure when tomorrow
> the update will be done ;-)

It won't hurt to get the info even while it is updating. As long as you are not emerging anything new, it shouldn't change. This will get the info.

cat /var/lib/portage/world

Then copy the output and paste it in a email. It's plain text so post the whole thing. You could just attach the file as well. Either way should work.

Dale

:-) :-)
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 2020-06-07 23:37, Dale wrote:
> J. Roeleveld wrote:
>> You need to add "-1" or "--oneshot".
>>
>> As this has been used, I would definitely expect the world-file to be full
>> of this, causing issues with updates later.
>>
>> Also, by restricting to @system, any packages not in @system with a
>> restriction on readline V8 will cause the mentioned problem.
>>
>> @system is, for me, a last resort, but I tend to move my world file away
>> (rename) and put it back once @system is done and a depclean finished. This
>> is usually only needed after not updating for a while and/or big changes in
>> the tree.
>>
>> --
>> Joost
>
> Would OP posting the world file help? I'm sure some of us could
> recognize things that shouldn't be there and could help clean it up.
> Things with a specific version should be given a hard look.
>
> Dale
>
> :-) :-)

That would be a fantastic opportunity, but I'm not sure when tomorrow the update will be done ;-)
Re: [gentoo-user] What's the best way to force a particular version of a dependency
J. Roeleveld wrote:
>
> You need to add "-1" or "--oneshot".
>
> As this has been used, I would definitely expect the world-file to be full of
> this, causing issues with updates later.
>
> Also, by restricting to @system, any packages not in @system with a
> restriction on readline V8 will cause the mentioned problem.
>
> @system is, for me, a last resort, but I tend to move my world file away
> (rename) and put it back once @system is done and a depclean finished. This
> is usually only needed after not updating for a while and/or big changes in
> the tree.
>
> --
> Joost

Would OP posting the world file help? I'm sure some of us could recognize things that shouldn't be there and could help clean it up. Things with a specific version should be given a hard look.

Dale

:-) :-)
Re: [gentoo-user] What's the best way to force a particular version of a dependency
Rich Freeman wrote:
> On Sun, Jun 7, 2020 at 5:07 PM Dale wrote:
>>
>> Unless you have a really good reason to do so, you shouldn't try to update
>> system by itself. It limits emerge and can lead to issues.
> He's just following my earlier advice. While what you say is true in
> general, the problem is that he is trying to update a system that
> hasn't been updated in ages, and so he probably needs to adjust dozens
> of USE flags/etc or make other tweaks to fix things. Using @system
> reduces the scope of the update to try to at least get the core system
> updated, but you're right that this might need to be augmented with
> other packages.
>
> Really though part of the problem here is that each time there is a
> problem I'm seeing about 10 lines of portage output, when I probably
> need 500 lines to figure out what is likely going on. Half the battle
> of the bug wranglers is getting people to just post all the stuff that
> the new bug form asks you to attach - we don't ask for thousands of
> lines of logs because we have nothing better to read... :)
>

This is true. I noticed the output was shall we say, short. Usually emerge is good out puking all over the keyboard and a good bit of the floor as well. Pull out the decoder ring and figure out just what started the fight and you can work out a solution. It just may take more than one person to figure it out. lol

I think people tend to not want to post large amounts of info on a mailing list. Thing is, you are correct 100% on this, all of that error is likely needed to figure out the problem. In a build failure, I've learned to look for error 1 and even then go back 30 to 40 lines. Generally, that catches the error and can get a solution. With emerge tho, it's the whole thing including the command itself. Anything less and it makes it hard or impossible to figure out.

Dale

:-) :-)

Y'all better watch out. I been watching LUKS videos. O_O
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 7 June 2020 21:30:19 CEST, Rich Freeman wrote:
>On Sun, Jun 7, 2020 at 2:56 PM n952162 wrote:
>>
>> $ equery list \* | grep readline
>> sys-libs/readline-7.0_p5-r1
>>
>> But, given your answer about exclusivity/inclusivity in the other
>> thread, I guess this result is questionable...
>
>This is just showing what version you have installed, not what
>versions are available.
>
>>
>> The ebuild for bash-5.0_p17 has:
>>
>> READLINE_VER="8.0"
>>
>> The ebuilds for other the other users don't, I believe.
>
>So, first, this is just a random local variable and has no meaning in
>and of itself. It is used in the dependency string which makes that
>version of bash dependent on readline v8 specifically. Other packages
>that don't list a version of readline will accept any version that
>isn't masked/etc. So they're fine with v8.
>
>>
>> The emerge that I used was this:
>>
>> emerge -auDv --verbose-conflicts --changed-use --keep-going
>> --with-bdeps=y --changed-deps --backtrack=100 @system
>
>Yeah, you might have to include the other packages that need readline
>if portage complains.
>
>>
>> However, I was just able to get it to build with this script:
>>
>> $ cat update-readline
>> #!/usr/bin/env bash
>> emerge -uUv $(cat <<-eof
>> sys-libs/readline
>> dev-db/postgresql
>> sys-apps/gawk
>> net-wireless/wpa_supplicant
>> sys-fs/lvm2
>> dev-lang/python
>> dev-lang/lua
>> sci-visualization/gnuplot
>> dev-db/postgresql
>> app-text/hunspell
>> sys-fs/udftools
>> sys-block/parted
>> x11-wm/fvwm
>> net-misc/ntp
>> sys-devel/gdb
>> dev-db/postgresql
>> sys-libs/gdbm
>> net-mail/mailutils
>> app-misc/rlwrap
>> sys-devel/bc
>> dev-libs/libxml2
>> net-dns/bind-tools
>> eof
>> )
>>
>
>That will probably work. Offhand I'm not sure if you need to add -1 /
>--oneshot to that to prevent all that cruft from being added to your
>world file.

You need to add "-1" or "--oneshot".

As this has been used, I would definitely expect the world-file to be full of this, causing issues with updates later.

Also, by restricting to @system, any packages not in @system with a restriction on readline V8 will cause the mentioned problem.

@system is, for me, a last resort, but I tend to move my world file away (rename) and put it back once @system is done and a depclean finished. This is usually only needed after not updating for a while and/or big changes in the tree.

--
Joost

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Hard drive screws
antlists wrote:
> On 07/06/2020 10:50, J. Roeleveld wrote:
>> On 7 June 2020 09:41:16 CEST, antlists wrote:
>>> On 06/06/2020 20:14, J. Roeleveld wrote:
>>>> One of my old cases had plastic strips with little sticks on them
>>>> that would fit into the screwholes. Those strips would then slot into
>>>> the mounting points for the disks.
>>>>
>>>> No messing around with screws and really easy to swap drives. They
>>>> would be perfectly mounted as well.
>>>>
>>>> Too bad I don't see the same with most other cases.
>>>
>>> I remember that. Compaqs with 75 MEGA Hz cpu's iirc.
>>>
>>> Cheers,
>>> Wol
>>
>> Not just Compaq. I think mine was a coolermaster case at the time.
>>
>> Toolless hotswap is a useful feature when regularly swapping drives.
>>
> These weren't hotswap (just ordinary IDE), but it's a damn sight
> easier putting the rails on a drive on a desk, rather than putting the
> screws in a drive in a case :-)
>
> Cheers,
> Wol
>

My Cooler Master HAF-932 has no screws for drives either. It has those plastic frames with these rubber and metal pins that take the place of screws. Once the frame is inserted into the drive cage, those pins can't let go of the drive. I might add, if the pins are inserted properly, the plastic frame won't go into the cage either. I like the design part but I hope the plastic part never breaks. They ain't cheap or easy to find at times.

Oh, my mobo supports hot swap SATA so all are hot swappable too. I'm not sure if I have a IDE connector. It might but I'm not sure.

Dale

:-) :-)
Re: [gentoo-user] What's the best way to force a particular version of a dependency
So try the same command but use -epv and it will tell you everything it's going to do. If you have a dependency issue it will tell you straight up.

On Sun, Jun 7, 2020 at 2:15 PM n952162 wrote:
> On 2020-06-07 23:03, Mark Knecht wrote:
> >
> > On Sun, Jun 7, 2020 at 1:20 PM n952162 wrote:
> > > I don't understand this - what can I add to @system to get @system to update?
> >
> > emerge -e @system
>
>    --emptytree, -e
>        Reinstalls target atoms and their entire deep dependency tree, as though no
>        packages are currently installed. You should run this with --pretend first
>        to make sure the result is what you expect.
>
> Oh, that's really the nuke option, isn't it. Good to know about it.
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On Sun, Jun 7, 2020 at 5:07 PM Dale wrote:
>
> Unless you have a really good reason to do so, you shouldn't try to update
> system by itself. It limits emerge and can lead to issues.

He's just following my earlier advice. While what you say is true in general, the problem is that he is trying to update a system that hasn't been updated in ages, and so he probably needs to adjust dozens of USE flags/etc or make other tweaks to fix things. Using @system reduces the scope of the update to try to at least get the core system updated, but you're right that this might need to be augmented with other packages.

Really though part of the problem here is that each time there is a problem I'm seeing about 10 lines of portage output, when I probably need 500 lines to figure out what is likely going on. Half the battle of the bug wranglers is getting people to just post all the stuff that the new bug form asks you to attach - we don't ask for thousands of lines of logs because we have nothing better to read... :)

--
Rich
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On Sun, Jun 7, 2020 at 3:38 PM n952162 wrote:
>
> I don't understand this - what can I add to @system to get @system to update?
>
> Ah, you mean that since readline is used by ~@system packages ... I'll try
> @world ... oh, that's not inclusive of @system, perhaps.

@world includes @system. It doesn't necessarily include everything installed on your system though.

> No, it hadn't worked. I oversaw this:
>
> WARNING: One or more updates/rebuilds have been skipped due to a dependency
> conflict:
>
> sys-libs/readline:0
>
> (sys-libs/readline-8.0_p4:0/8::gentoo, ebuild scheduled for merge)
> conflicts with
> sys-libs/readline:0/7= required by
> (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, installed)
> ^
>
> dev-libs/libxml2:2
>
> (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, ebuild scheduled for merge)
> conflicts with
>
> dev-libs/libxml2[python,python_targets_python3_6(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),python_single_target_python3_6(+)]
> required by (dev-util/itstool-2.0.6:0/0::gentoo, installed)

The full output of the command would help, and so would the output of emerge --info.

It seems like you probably have a problem with your PYTHON_TARGETS or something like that. There is quite a bit of turmoil going on with this right now - lots of people have run into difficulties with updating even a few packages and you're trying to update hundreds at once.

> Lots built, but nothing is changed. I'll try @system @world

That is unlikely to help. The python issue is probably your problem.

--
Rich
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 2020-06-07 23:03, Mark Knecht wrote:
> On Sun, Jun 7, 2020 at 1:20 PM n952162 wrote:
> > I don't understand this - what can I add to @system to get @system to update?
>
> emerge -e @system

   --emptytree, -e
       Reinstalls target atoms and their entire deep dependency tree, as though no
       packages are currently installed. You should run this with --pretend first
       to make sure the result is what you expect.

Oh, that's really the nuke option, isn't it. Good to know about it.
Re: [gentoo-user] What's the best way to force a particular version of a dependency
n952162 wrote:
> On 2020-06-07 21:30, Rich Freeman wrote:
>> On Sun, Jun 7, 2020 at 2:56 PM n952162 wrote:
>>
>>> The emerge that I used was this:
>>>
>>> emerge -auDv --verbose-conflicts --changed-use --keep-going --with-bdeps=y
>>> --changed-deps --backtrack=100 @system
>> Yeah, you might have to include the other packages that need readline
>> if portage complains.
>>
>>
>
> This, indeed, seems to have been the magic.
>
> By specifying *both* @system and @world, two of my machines that I
> worried were lost-causes are now updating - hundreds of packages, but
> that's okay, I've been pulling my hair out for months.
>

For future reference, @world includes @system. My updates tend to work like this:

eix-sync && emerge -uaDN world

I have the following options in make.conf as defaults.

EMERGE_DEFAULT_OPTS="--with-bdeps y --backtrack=100 --keep-going -v -j5 --quiet-build=n -1 --unordered-display"

Emerge applies those as is appropriate. First it syncs the tree and any overlays that are enabled. Then emerge starts building the list of packages that need to be updated. Sometimes if you try to do system by itself, it can cause problems because something in world may depend on something that system is wanting a upgrade. Thing is, that creates a conflict and emerge won't be able to upgrade. If however you upgrade world, which includes all packages, then emerge can include the packages in world and figure out how to update both sets, system and world.

Unless you have a really good reason to do so, you shouldn't try to update system by itself. It limits emerge and can lead to issues. The easiest way is to update world and let emerge update everything at once. There may be exceptions to that at times but they are not that often.

Hope that helps.

Dale

:-) :-)
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On Sun, Jun 7, 2020 at 1:20 PM n952162 wrote:
> I don't understand this - what can I add to @system to get @system to update?

emerge -e @system
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 2020-06-07 21:30, Rich Freeman wrote:
> On Sun, Jun 7, 2020 at 2:56 PM n952162 wrote:
>> $ equery list \* | grep readline
>> sys-libs/readline-7.0_p5-r1
>>
>> But, given your answer about exclusivity/inclusivity in the other thread,
>> I guess this result is questionable...
>
> This is just showing what version you have installed, not what
> versions are available.
>
>> The ebuild for bash-5.0_p17 has:
>>
>> READLINE_VER="8.0"
>>
>> The ebuilds for other the other users don't, I believe.
>
> So, first, this is just a random local variable and has no meaning in
> and of itself. It is used in the dependency string which makes that
> version of bash dependent on readline v8 specifically. Other packages
> that don't list a version of readline will accept any version that
> isn't masked/etc. So they're fine with v8.
>
>> The emerge that I used was this:
>>
>> emerge -auDv --verbose-conflicts --changed-use --keep-going --with-bdeps=y
>> --changed-deps --backtrack=100 @system
>
> Yeah, you might have to include the other packages that need readline
> if portage complains.

I don't understand this - what can I add to @system to get @system to update?

Ah, you mean that since /readline/ is used by *~*@system packages ... I'll try @world ... oh, that's not inclusive of @system, perhaps.

Is emerge @system @world the ace?

>> However, I was just able to get it to build with this script:
>>
>> $ cat update-readline
>> #!/usr/bin/env bash
>> emerge -uUv $(cat <<-eof
>> sys-libs/readline
>> dev-db/postgresql
>> sys-apps/gawk
>> net-wireless/wpa_supplicant
>> sys-fs/lvm2
>> dev-lang/python
>> dev-lang/lua
>> sci-visualization/gnuplot
>> dev-db/postgresql
>> app-text/hunspell
>> sys-fs/udftools
>> sys-block/parted
>> x11-wm/fvwm
>> net-misc/ntp
>> sys-devel/gdb
>> dev-db/postgresql
>> sys-libs/gdbm
>> net-mail/mailutils
>> app-misc/rlwrap
>> sys-devel/bc
>> dev-libs/libxml2
>> net-dns/bind-tools
>> eof
>> )
>
> That will probably work. Offhand I'm not sure if you need to add -1 /
> --oneshot to that to prevent all that cruft from being added to your
> world file.

No, it hadn't worked. I oversaw this:

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

sys-libs/readline:0

  (sys-libs/readline-8.0_p4:0/8::gentoo, ebuild scheduled for merge) conflicts with
    sys-libs/readline:0/7= required by (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, installed)
    ^

dev-libs/libxml2:2

  (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, ebuild scheduled for merge) conflicts with
    dev-libs/libxml2[python,python_targets_python3_6(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),python_single_target_python3_6(+)] required by (dev-util/itstool-2.0.6:0/0::gentoo, installed)

Lots built, but nothing is changed. I'll try @system @world
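Added example, not part of the thread and not Portage's own code: a small filter that reads an emerge conflict report like the one in the message above and lists the installed packages that still require the old slot or sub-slot, so they can be named on a `--oneshot` command line as discussed in the replies. The function names and the re-wrapped sample text are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find which installed packages pin an
# old slot/sub-slot in emerge's "dependency conflict" report.

# Constructed sample: the conflict text from the message above. The line
# layout is an assumption; the parser ignores line breaks anyway.
sample_conflict() {
cat <<'EOF'
WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

sys-libs/readline:0

  (sys-libs/readline-8.0_p4:0/8::gentoo, ebuild scheduled for merge) conflicts with
    sys-libs/readline:0/7= required by
    (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, installed)
    ^

dev-libs/libxml2:2

  (dev-libs/libxml2-2.9.9-r3:2/2::gentoo, ebuild scheduled for merge) conflicts with
    dev-libs/libxml2[python,python_targets_python3_6(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),python_single_target_python3_6(+)]
    required by (dev-util/itstool-2.0.6:0/0::gentoo, installed)
EOF
}

# Strip ":slot::repo" and the trailing "-version[-rN]" from a package string,
# e.g. dev-libs/libxml2-2.9.9-r3:2/2::gentoo -> dev-libs/libxml2
cpv_to_cp() {
    printf '%s\n' "$1" | sed -E 's/:.*$//; s/-[0-9][^-]*(-r[0-9]+)?$//'
}

# Read raw emerge output on stdin; print "holder<TAB>atom it requires".
# Whitespace is flattened first so wrapped lines still match.
blockers() {
    tr -s '[:space:]' ' ' |
    grep -oE '[^ ]+ required by \([^ ,]+, installed\)' |
    sed -E 's/^([^ ]+) required by \(([^ ,]+), installed\)$/\2 \1/' |
    while read -r cpv atom; do
        printf '%s\t%s\n' "$(cpv_to_cp "$cpv")" "$atom"
    done
}

# Unique list of installed packages that hold a requirement.
rebuild_list() {
    blockers | cut -f1 | LC_ALL=C sort -u
}

# Print (do not run) a --oneshot command naming those packages, so nothing
# is recorded in the world file.
oneshot_command() {
    pkgs=$(rebuild_list | tr '\n' ' ')
    if [ -z "$pkgs" ]; then
        echo "no 'required by (..., installed)' entries found" >&2
        return 1
    fi
    printf 'emerge --ask --oneshot %s\n' "${pkgs% }"
}

sample_conflict | blockers
sample_conflict | oneshot_command
```

To use it on a real report, pipe the complete, unquoted emerge output into `blockers` instead of `sample_conflict`.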
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 2020-06-07 21:30, Rich Freeman wrote:
> On Sun, Jun 7, 2020 at 2:56 PM n952162 wrote:
>> The emerge that I used was this:
>>
>> emerge -auDv --verbose-conflicts --changed-use --keep-going --with-bdeps=y
>> --changed-deps --backtrack=100 @system
>
> Yeah, you might have to include the other packages that need readline
> if portage complains.

This, indeed, seems to have been the magic.

By specifying *both* @system and @world, two of my machines that I worried were lost-causes are now updating - hundreds of packages, but that's okay, I've been pulling my hair out for months.
Re: [gentoo-user] where are the version numbers of a profile stored?
On Sun, Jun 7, 2020 at 2:46 PM n952162 wrote:
>
> Regarding ~amd64 vs. amd64 - these are both just keywords, reflecting
> only a qualitative difference, not a special syntax understood by
> ebuild/emerge?
>

Honestly, I'm not actually sure whether portage has any logic that gives these meaning. If you did a sed on the entire tree and replaced "~amd64" with "apple" and "amd64" with "pear" I suspect that wouldn't break anything, but I'm not sure if there is logic that gives ~arch some special treatment compared to arch.

In practice amd64 means that a package is stable on amd64, and ~amd64 means that a package is flagged as being of "testing" quality on amd64. The threshold for the latter is that it builds and doesn't break or have serious problems. The threshold for stability is that it typically has been around for 30 days and is suitable for stable users (I won't go into the details).

--
Rich
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On Sun, Jun 7, 2020 at 2:56 PM n952162 wrote:
>
> $ equery list \* | grep readline
> sys-libs/readline-7.0_p5-r1
>
> But, given your answer about exclusivity/inclusivity in the other thread, I
> guess this result is questionable...

This is just showing what version you have installed, not what versions are available.

>
> The ebuild for bash-5.0_p17 has:
>
> READLINE_VER="8.0"
>
> The ebuilds for other the other users don't, I believe.

So, first, this is just a random local variable and has no meaning in and of itself. It is used in the dependency string which makes that version of bash dependent on readline v8 specifically. Other packages that don't list a version of readline will accept any version that isn't masked/etc. So they're fine with v8.

>
> The emerge that I used was this:
>
> emerge -auDv --verbose-conflicts --changed-use --keep-going --with-bdeps=y
> --changed-deps --backtrack=100 @system

Yeah, you might have to include the other packages that need readline if portage complains.

>
> However, I was just able to get it to build with this script:
>
> $ cat update-readline
> #!/usr/bin/env bash
> emerge -uUv $(cat <<-eof
> sys-libs/readline
> dev-db/postgresql
> sys-apps/gawk
> net-wireless/wpa_supplicant
> sys-fs/lvm2
> dev-lang/python
> dev-lang/lua
> sci-visualization/gnuplot
> dev-db/postgresql
> app-text/hunspell
> sys-fs/udftools
> sys-block/parted
> x11-wm/fvwm
> net-misc/ntp
> sys-devel/gdb
> dev-db/postgresql
> sys-libs/gdbm
> net-mail/mailutils
> app-misc/rlwrap
> sys-devel/bc
> dev-libs/libxml2
> net-dns/bind-tools
> eof
> )
>

That will probably work. Offhand I'm not sure if you need to add -1 / --oneshot to that to prevent all that cruft from being added to your world file.

--
Rich
Re: [gentoo-user] where are the version numbers of a profile stored?
On 2020-06-07 20:22, Rich Freeman wrote:
> On Sun, Jun 7, 2020 at 1:31 PM n952162 wrote:
>> When I do an emerge --sync, various ebuilds are loaded onto my system,
>> co-existing with other ebuilds, possibly from the same package. What
>> determines which package version is to be used? I assumed this was
>> specified by the profile (e.g. 17.1), but I can't find any version
>> numbers in /etc/portage/make.profile/
>
> The process is exclusionary, not inclusionary, for the most part,
> which is why the profiles tend to be simple and not list a lot of
> packages or versions.

Okay, that's understandable.

> Keywords: A package version can only be installed if it contains an
> accepted keyword. Keywords can be accepted by your profile or by your
> make.conf. Eg, ~amd64 or amd64. If the package does not declare any
> keyword that you are accepting, then it will not be used. This is the
> main mechanism used to determine what version you will get. Packages
> are keyworded based on whether they work (~arch) or are considered
> stable (arch) on a particular architecture.

Regarding ~amd64 vs. amd64 - these are both just keywords, reflecting only a qualitative difference, not a special syntax understood by ebuild/emerge?

> If you post a specific example I can explain what version will be
> installed, assuming you don't have any dependencies with version
> restrictions, and you will need to tell me what your ACCEPT_KEYWORDS
> and profile are set to.

Please see my following posting on my other, concurrent thread.
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On 2020-06-07 20:33, Rich Freeman wrote:
> On Sun, Jun 7, 2020 at 2:16 PM n952162 wrote:
>> When I try to update @system after --sync-ing, I get a conflict on readline.
>>
>> Bash wants readline 8.0 but the profile specifies readline 7.0 and lots of
>> other packages are linked against 7.0. Just rebuilding those packages
>> probably won't help, because they don't know about readline 8.0.
>>
>> Would the right thing, the easiest thing, be to define my own profile 17.1.1
>> or something, where I specify readline 8.0 in the profile?
>
> Why do you think that your profile specifies readline 7.0? What
> profile are you using?

$ eselect profile show
Current /etc/portage/make.profile symlink:
  default/linux/amd64/17.1

$ equery list \* | grep readline
sys-libs/readline-7.0_p5-r1

But, given your answer about exclusivity/inclusivity in the other thread, I guess this result is questionable...

> As far as I'm aware no profile restricts readline versions. What
> makes you think that those other packages "don't know about readline
> 8.0?"

The ebuild for bash-5.0_p17 has:

READLINE_VER="8.0"

The ebuilds for other the other users don't, I believe.

> Full command outputs along with emerge --info would probably help
> here. Readline 8.0 is stable so few if any packages in the tree will
> have problems with it. If you're getting errors it is probably
> because you're trying to do a limited update and not giving portage
> the option to rebuild every impacted package.

The emerge that I used was this:

emerge -auDv --verbose-conflicts --changed-use --keep-going --with-bdeps=y --changed-deps --backtrack=100 @system

However, I was just able to get it to build with this script:

$ cat update-readline
#!/usr/bin/env bash
emerge -uUv $(cat <<-eof
sys-libs/readline
dev-db/postgresql
sys-apps/gawk
net-wireless/wpa_supplicant
sys-fs/lvm2
dev-lang/python
dev-lang/lua
sci-visualization/gnuplot
dev-db/postgresql
app-text/hunspell
sys-fs/udftools
sys-block/parted
x11-wm/fvwm
net-misc/ntp
sys-devel/gdb
dev-db/postgresql
sys-libs/gdbm
net-mail/mailutils
app-misc/rlwrap
sys-devel/bc
dev-libs/libxml2
net-dns/bind-tools
eof
)

I have had mixed luck with putting all of the colliding packages on a single emerge line - it worked this time.

I can supply the "emerge --info" but that /emerge/ above is still working so I'll let it complete first.
Re: [gentoo-user] What's the best way to force a particular version of a dependency
On Sun, Jun 7, 2020 at 2:16 PM n952162 wrote: > > When I try to update @system after --sync-ing, I get a conflict on readline. > > Bash wants readline 8.0 but the profile specifies readline 7.0 and lots of > other packages are linked against 7.0. Just rebuilding those packages > probably won't help, because they don't know about readline 8.0. > > Would the right thing, the easiest thing, be to define my own profile 17.1.1 > or something, where I specify readline 8.0 in the profile? Why do you think that your profile specifies readline 7.0? What profile are you using? As far as I'm aware no profile restricts readline versions. What makes you think that those other packages "don't know about readline 8.0?" Full command outputs along with emerge --info would probably help here. Readline 8.0 is stable so few if any packages in the tree will have problems with it. If you're getting errors it is probably because you're trying to do a limited update and not giving portage the option to rebuild every impacted package. -- Rich
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On 07/06/2020 10:07, antlists wrote: I think it was LWN, there was an interesting article on crypto recently. https://lwn.net/Articles/821544/ Cheers, Wol
Re: [gentoo-user] where are the version numbers of a profile stored?
On Sun, Jun 7, 2020 at 1:31 PM n952162 wrote: > > When I do an emerge --sync, various ebuilds are loaded onto my system, > co-existing with other ebuilds, possibly from the same package. What > determines which package version is to be used? > > I assumed this was specified by the profile (e.g. 17.1), but I can't > find any version numbers in /etc/portage/make.profile/ > The process is exclusionary, not inclusionary, for the most part, which is why the profiles tend to be simple and not list a lot of packages or versions. Portage installs the highest version of a package which is not blocked for some reason, unless you explicitly tell it to install a particular version of a package (which still will only install if not blocked for some reason). So, if you type: emerge '=app-shells/bash-5.0_p11' Then portage will install that version of bash if it is not blocked for some reason. If you type: emerge app-shells/bash Then portage will install the latest version of bash that is not blocked for some reason. The same applies to dependencies pulled in by packages - if a particular version is pulled in then that version will be installed if possible. If a dependency is mentioned then the latest allowable version will be installed. The dependency can also include version restrictions in which case the latest version allowed with the additional restrictions will be installed. I'll leave out USE dependencies, which impose more rules. So, at that point the only thing that matters is the various mechanisms that block package versions from installing: masks and keywords. Keywords: A package version can only be installed if it contains an accepted keyword. Keywords can be accepted by your profile or by your make.conf. Eg, ~amd64 or amd64. If the package does not declare any keyword that you are accepting, then it will not be used. This is the main mechanism used to determine what version you will get. 
Packages are keyworded based on whether they work (~arch) or are considered stable (arch) on a particular architecture. Masks: A package version cannot be installed if it is masked. This can be set in /etc/portage/package.mask, or by a profile. Masks are used for a lot of reasons - sometimes to stage package versions for broader testing before being released, and sometimes because they don't work well in a particular profile, and often for security concerns or as a prelude to removal. If you post a specific example I can explain what version will be installed, assuming you don't have any dependencies with version restrictions, and you will need to tell me what your ACCEPT_KEYWORDS and profile are set to. -- Rich
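The selection rule described in the message above (highest version that is neither masked nor missing an accepted keyword), as an added example that is not part of the original post and not Portage's own code. The version grammar is simplified, mask atoms support only the basic comparison operators, and the readline versions and keywords in `AVAILABLE` are constructed sample data.

```python
import operator
import re

# Simplified model (assumption, not Portage's code): a version is dotted
# integers, an optional letter, an optional _alpha/_beta/_pre/_rc/_p suffix
# and an optional -rN revision.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
_VER = r"\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)?(?:-r\d+)?"
_VER_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?(?:-r(?P<rev>\d+))?$"
)
_ATOM_RE = re.compile(r"^(?P<op>>=|<=|=|>|<)(?P<cp>.+?)-(?P<ver>" + _VER + r")$")
_OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, "<": operator.lt}


def version_key(version):
    """Sort key: 8.0_rc1 < 8.0 < 8.0-r1 < 8.0_p1 < 8.1."""
    m = _VER_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    return (nums, m["letter"], _SUFFIX_RANK[m["suf"]],
            int(m["sufnum"] or 0), int(m["rev"] or 0))


def is_masked(cp, version, mask_atoms):
    """True if any atom such as '>=sys-libs/readline-8.0' covers this version."""
    for atom in mask_atoms:
        m = _ATOM_RE.match(atom)
        if m is None:
            raise ValueError(f"unsupported mask atom: {atom!r}")
        if m["cp"] == cp and _OPS[m["op"]](version_key(version),
                                           version_key(m["ver"])):
            return True
    return False


def pick_version(cp, available, accept_keywords, mask_atoms=()):
    """Return the highest version that is keyword-accepted and not masked.

    available maps version -> the KEYWORDS its ebuild declares;
    accept_keywords is the full accepted set (profile plus make.conf).
    """
    accepted = set(accept_keywords)
    candidates = [v for v, keywords in available.items()
                  if keywords & accepted and not is_masked(cp, v, mask_atoms)]
    return max(candidates, key=version_key, default=None)


# Constructed sample data, not the state of the real tree.
CP = "sys-libs/readline"
AVAILABLE = {
    "7.0_p5-r1": {"amd64"},
    "8.0": {"amd64"},
    "8.1_rc1": {"~amd64"},
    "9999": set(),          # live ebuild: no keywords, never picked by default
}

if __name__ == "__main__":
    print(pick_version(CP, AVAILABLE, {"amd64"}))
    print(pick_version(CP, AVAILABLE, {"amd64", "~amd64"}))
    print(pick_version(CP, AVAILABLE, {"amd64"}, [">=sys-libs/readline-8.0"]))
```

On a stable amd64 system the model picks 8.0 even though 7.0_p5-r1 is installed; a version is held back only by a mask or a missing keyword, not by the profile naming a version.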
[gentoo-user] What's the best way to force a particular version of a dependency
When I try to update @system after --sync-ing, I get a conflict on /readline/. /Bash/ wants /readline/ 8.0 but the profile specifies /readline/ 7.0 and lots of other packages are linked against 7.0. Just rebuilding those packages probably won't help, because they don't know about /readline/ 8.0. Would the right thing, the easiest thing, be to define my own profile 17.1.1 or something, where I specify /readline/ 8.0 in the profile?
Re: [gentoo-user] where are the version numbers of a profile stored?
On 2020-06-07 19:31, n952162 wrote: When I do an emerge --sync, various ebuilds are loaded onto my system, co-existing with other ebuilds, possibly from the same package. What determines which package version is to be used? I assumed this was specified by the profile (e.g. 17.1), but I can't find any version numbers in /etc/portage/make.profile/ I just tried using a wildcard with this equery module: (l)ist list package matching PKG and got basically what I needed $ equery list \* | grep readline sys-libs/readline-7.0_p5-r1 Although, I'm still curious where that information is stored.
[gentoo-user] where are the version numbers of a profile stored?
When I do an emerge --sync, various ebuilds are loaded onto my system, co-existing with other ebuilds, possibly from the same package. What determines which package version is to be used? I assumed this was specified by the profile (e.g. 17.1), but I can't find any version numbers in /etc/portage/make.profile/
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On Fri, Jun 05, 2020 at 11:37:23PM -0500, Dale wrote:
> Howdy,
>
> I think I got a old 3TB hard drive to work. After dd'ing it, redoing
> partitions and such, it seems to be working. Right now, I'm copying a
> bunch of data to it to see how it holds up. Oh, it's a PMR drive too.
> lol Once I'm pretty sure it is alive and working well, I want to play
> with encryption. At some point, I plan to encrypt /home. I found a bit
> of info with startpage but some is dated. This is one link that seems
> to be from this year, at least updated this year.

Encryption is a means to protect against adversaries, but in my case I mostly want to protect from incidental access. My top “use” cases:
- I need to send in a broken disk for service/replacement
- $DEVICE is stolen and I don’t want the thief to access my personal stuff
- the device needs to be serviced, but has its storage soldered on
- protect from recovery on flash storage

I’ve been running full-disk encryption with LUKS/LVM for some years now on my laptop’s SSD. I used Sakaki’s scripts to set up the kernel and initrd. The encryption password is entered during the boot process while still in the initrd phase. I don’t know of the current status of Sakaki’s stuff though (I must admit I moved away from Gentoo because portage took too much time on the laptop).

On my main PC I used to have ~ on a hard disk and / on an SSD. So I left / unencrypted and symlinked sensitive files such as wpa_supplicant.conf and database files onto a directory beneath /home. Since decryption is done early at boot, there is no race condition. By now I upgraded the SSD and have both / and ~ on it, but I kept the scheme out of laziness.

A week ago I got me and myself a used Surface Go (a little X86 tablet) which only has a small SSD soldered onto the board. There is no way to access or replace it. I didn’t want to use the same approach as with the laptop, because I wanted to be able to boot without a keyboard. This meant that PW entry at early boot was no option because there is no touch support at this stage.

So I researched a little towards decryption at login. Ext4-internal encryption was a strong contender, because it allowed me to decrypt ~ on login, while still using a shared partition for / and ~, which would give me more flexibility on the constrained SSD. It also encrypts filenames, but not access times (which I was OK with). Eventually though, I decided to go for more encapsulation and put ~ on a separate partition again. I set it up with LUKS and auto-mount it on login with pam_mount.

On a performance note: the Surface Go has an NVME SSD and hdparm -t varies wildly between 220 and 640 MB/s. OTOH, cryptsetup benchmark resulted in 1330 MiB/s for aes-cbc with a 128 bit key. Aes-xts was slower, but once I disabled all kernel mitigations¹, its throughput went up by more than 40 % and also reached 1300 MiB/s. And this is for the meagre Pentium Gold processor. So no worries in that department.

¹ Many of those vulnerabilities are about violating memory boundaries, which is most relevant for server operators and securing their users from each other. Thus, I don’t care about those on my personal machines and rather have the original performance. Exploits need to get *on* my machines first before they can snoop in my memory.

--
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.
I hate being bi-polar. It’s fantastic!
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On 07/06/2020 12:52, Victor Ivanov wrote:
> Indeed. I second Rich and too would recommend sticking with AES for this
> reason. LUKS will support an AES key of up to 512 bits. It's fast and
> hardware acceleration is widely available.
> ...
> For example, Intel's native AES extensions work in 4x4 data blocks of
> 128 bits but will support variable key lengths. Their white paper [3]
> suggests supported key lengths are 128, 192, and 256 bits but I've been
> using a 512 bit key on my drives for years with negligible performance
> impact (Skylake systems).

Perhaps this requires extra clarification re key length, which I should have included, as it may give misleading information.

As an algorithm AES fundamentally only goes up to 256 bits for key length. However, in XTS mode (aes-xts) two _separate_ keys are used for the initialisation vector and the block encryption. As such, for AES-256 in XTS mode, one needs to supply 2x256b keys. Effectively, 512b are used, but this too may be misleading. It's better than 1x256b but certainly not as good as 1x512: (2^256 + 2^256) vs 2^512. It also maps well to hardware extensions already supporting key sizes of 256b. This is not possible in CBC or GCM mode which only allows for a single key of up to 256b.

My apologies, it was a case of my fingers getting ahead of my thoughts and not having formulated the latter appropriately.

Regards,
Victor
Re: [gentoo-user] Hard drive screws
On 07/06/2020 10:50, J. Roeleveld wrote: On 7 June 2020 09:41:16 CEST, antlists wrote: On 06/06/2020 20:14, J. Roeleveld wrote: One of my old cases had plastic strips with little sticks on them that would fit into the screwholes. Those strips would then slot into the mounting points for the disks. No messing around with screws and really easy to swap drives. They would be perfectly mounted as well. Too bad I don't see the same with most other cases. I remember that. Compaqs with 75 MEGA Hz cpu's iirc. Cheers, Wol Not just Compaq. I think mine was a coolermaster case at the time. Toolless hotswap is a useful feature when regularly swapping drives. These weren't hotswap (just ordinary IDE), but it's a damn sight easier putting the rails on a drive on a desk, rather than putting the screws in a drive in a case :-) Cheers, Wol
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On 07/06/2020 09:08, Dale wrote:
> You can have a password, a key file, both or likely other options as
> well. On one video, the guy generated a key file with urandom that was
> 1024 characters. As he put it, try typing that in.

Indeed! All of these techniques have various pros/cons which is partly why my last reply / novel ended up being long yet still shallow. A key file would, generally, be more secure provided you can keep the medium on which it is stored secure as well. A long and strong password doesn't have to be difficult to type though. A lot of 2FA dongles, such as the YubiKey will allow for one (or more) of its key slots to be programmed in plain text. If you have one, this would allow you to effectively "paste" a very long password in less than a second. Then again, you will have to keep your dongle secure as well, as plain text means anyone can "paste" the password into a text file. Again, pros/cons of the strategy.

On 07/06/2020 09:08, Dale wrote:
> Then I found out about crypttab. I don't have that on my system, yet.

Crypttab is the standard on most distributions. Gentoo, however, uses "/etc/conf.d/dmcrypt". Personally, I find its syntax less of an eyesore and more favourable, but it does effectively the same thing. And the comments inside it are even better than a man page haha

On 07/06/2020 09:08, Dale wrote:
> I still don't think I'm ready to try and do this on a hard drive.

Don't let any of that discourage you :) It's a lot simpler than it may seem, and most desktop environments (I believe you were using KDE?) have excellent support for mounting and unmounting/ejecting encrypted volumes both internal, as well as removable, once the LUKS container has been set up.

The guide [1] (also linked to earlier) is comprehensive, but fundamentally the most relevant part for getting started are steps 2.3-2.5. If you use genkernel, with LUKS="yes" in the config it will have taken care of the kernel for you and even created a initramfs suitable for an encrypted root. As Rich suggested try it out with a flash drive or a loopback file.

On a side note re drives, if using LUKS with an SSD you may or may not wish to keep trimming disabled, as it may lead to leaked data regarding the blocks being trimmed [2]. For this reason, trim pass-through is left OFF by default. The leaked information, however, is minimal and I doubt it poses any significant risk for the average use case.

On 07/06/2020 09:08, Dale wrote:
> I notice that one can use different encryption tools. I have Blowfish,
> Twofish, AES and sha***

Bear in mind not all of the items listed are encryption algorithms per se. The SHA and Argon families are hashing algorithms/functions used to hash your password and store it in an obfuscated form. They are also used as HMAC functions in the context of encrypted data exchange. The key thing is that hash functions are one-way. That is, it's computationally straightforward to create the hash of a given input, but computationally infeasible to reverse the process. They do not use a separate encryption key, and the result is always deterministic and reproducible.

I would stick with SHA as it's widely supported. Except for sha1 which was cracked a few years back. If you choose sha256 or better yet sha512 you can't go wrong. Argon2 is a great choice, but if I'm not mistaken it's only supported by LUKS2 which Gentoo only recently made the default. I believe most current distros have LUKS2 by default, but older ones, including some LTS versions and distros with release cycles of once per century or so may not support that, so for removable drives I would stick to LUKS1.

On 07/06/2020 11:33, Rich Freeman wrote:
> AES is probably the most mainstream crypto system out there and is
> considered very secure. It is also widely supported by hardware and
> all recent Intel/AMD CPUs.

Indeed. I second Rich and too would recommend sticking with AES for this reason. LUKS will support an AES key of up to 512 bits. It's fast and hardware acceleration is widely available.

For example, Intel's native AES extensions work in 4x4 data blocks of 128 bits but will support variable key lengths. Their white paper [3] suggests supported key lengths are 128, 192, and 256 bits but I've been using a 512 bit key on my drives for years with negligible performance impact (Skylake systems). But since data block size is fixed, this is hardly surprising. Acceleration of key length > 128b then only becomes relevant at key generation time which is a one-time step, so the cost of this step becomes largely irrelevant.

[1] https://wiki.gentoo.org/wiki/Dm-crypt
[2] http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
[3] https://www.intel.com/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf
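The message above notes that a key file is only as secure as the place it is stored. The following is an added example, not part of the original post: it creates a random key file that only its owner can read and audits an existing one for the storage mistakes that would undo it. The function names, the 32-byte minimum and the file names are assumptions made for the illustration; the 1024-byte size follows the key file mentioned in the thread.

```python
import os
import secrets
import stat

KEY_BYTES = 1024  # size of the key file mentioned in the thread


def create_keyfile(path, nbytes=KEY_BYTES):
    """Write nbytes from the OS CSPRNG to a new file only its owner can read."""
    # O_EXCL refuses to overwrite an existing key (which would lock you out of
    # the volume it opens) and refuses to write through a symlink at the path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fd, 0o600)
        fh.write(secrets.token_bytes(nbytes))
    return path


def audit_keyfile(path, min_bytes=32):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; the real file may live elsewhere")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
        return findings
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"group/other permission bits set (mode {mode:04o})")
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not the auditing user")
    if st.st_size < min_bytes:
        findings.append(f"only {st.st_size} bytes, fewer than {min_bytes}")
    # Anyone who can write to the directory can swap the key file out.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable")
    return findings


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()          # constructed scratch location
    key = create_keyfile(os.path.join(workdir, "home.key"))
    print(audit_keyfile(key))
    os.chmod(key, 0o644)                  # simulate a key left world-readable
    print(audit_keyfile(key))
```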
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On Sun, Jun 7, 2020 at 4:08 AM Dale wrote: > > I still don't think I'm ready to try and do this on a hard drive. I'm > certainly not going to do this with /home yet. If you have a spare drive or just a USB stick lying around, set it up on that. Then you can test that it mounts on boot and prompts for a password and all that stuff. Or you can use a loopback filesystem using a file on your hard drive. That is pretty safe as long as you don't enter "/bin/bash" as your loopback filename or whatever. I'm not sure if that will correctly mount itself automatically at boot though, as I'm not sure if the various service dependencies are set up to handle it (the drive containing the file has to be mounted first). > I notice that one can use different encryption tools. I have Blowfish, > Twofish, AES and sha*** as well as many others. I'd stick with AES. If you're trying to keep the NSA out of your hard drive and you think they're part of a conspiracy to get people to use AES despite having cracked it, then I don't know what to tell you because they're probably going to get you no matter what you do... :) AES is probably the most mainstream crypto system out there and is considered very secure. It is also widely supported by hardware and all recent Intel/AMD CPUs. 128-bit keys are the most standard. Linux supports 256-bit though if you use that I'm not sure if hardware-acceleration is available. -- Rich
Re: [gentoo-user] Hard drive screws
On 7 June 2020 09:41:16 CEST, antlists wrote: >On 06/06/2020 20:14, J. Roeleveld wrote: >> One of my old cases had plastic strips with little sticks on them >that would fit into the screwholes. Those strips would then slot into >the mounting points for the disks. >> >> No messing around with screws and really easy to swap drives. They >would be perfectly mounted as well. >> >> Too bad I don't see the same with most other cases. > >I remember that. Compaqs with 75 MEGA Hz cpu's iirc. > >Cheers, >Wol Not just Compaq. I think mine was a coolermaster case at the time. Toolless hotswap is a useful feature when regularly swapping drives. -- Joost -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On 07/06/2020 09:08, Dale wrote: I notice that one can use different encryption tools. I have Blowfish, Twofish, AES and sha*** as well as many others. I know some have been compromised. Which ones are known to be secure? I seem to recall that after Snowden some had to be redone and some new ones popped up to make sure they were secure. Thoughts?? Some had to be redone ... Elliptic Cryptograph Curve or whatever it's called. The basic maths is secure, but the NSA got a standard released (you have to pick a set of constants) where the constants had been nobbled. DJB has released a different set of constants (ECD25519) which is thought to be secure. I think it was LWN, there was an interesting article on crypto recently. Cheers, Wol
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
Dale wrote:
>
>
> My take. Bad password, easy to guess, easy to crack because it is
> simple or common; not very secure even if the password is changed
> since one could use the old password in certain situations and get at
> the data. Good strong password, changed or not; hard to crack even if
> the whole drive is taken.
>
> Moral of the story. Have a good strong password and keep your mouth
> shut about what the password is, unless you want that person to spill
> the beans. Or you plan to knock them off later. ROFLMBO
>
> I'm not storing the secrets to some new weapon that will destroy the
> world and everything on it, including the roaches. Well, that last
> one might be OK. lol I just want it so that when I fall into the
> cremation chamber or a cemetery plot, it won't be easy for a person to
> access the drive. I'm good at the keeping password to myself bit.
> Still thinking on killing all the roaches tho . I'd keep that secure
> but I wouldn't mind being rid of those. :/
>
> I think I need to watch a youtube video on this tho. I want to watch
> a person not only install it but actually use it. For example, what
> triggers it asking for a password and what does it look like? Is it
> pretty fast, take a few seconds or what? I got a lot of questions but
> they are things that can't be answered easily in text. Yea, gotta go
> visit youtube. Test drive youtube-dl again.
>
> Dale
>
> :-) :-)

OK. Found some videos and jeez, there is a ton of ways to use this. You can have a password, a key file, both or likely other options as well. On one video, the guy generated a key file with urandom that was 1024 characters. As he put it, try typing that in. Anyway, he put the file in / and used the file to mount the thing automatically after some setup. If however he goes to another puter, either you have to have that key file on it too or type in the password. He also set it up to mount automatically.

Then I found out about crypttab. I don't have that on my system, yet.
I was wondering how the system would know when a drive or partition was encrypted or not. Well, there you go. Once crypttab and fstab are set up, it can mount automatically. Well neato. ;-) When watching a video or two, I had to google some things. I run up on zulucrypt. It's a GUI that can handle several different encryption tools. Yes, one should at least be familiar with command line just in case the GUI doesn't work but having a GUI does make it easier. I still don't think I'm ready to try and do this on a hard drive. I'm certainly not going to do this with /home yet. Between this thread and a few videos, pictures says a lot, it's starting to make sense. I also noticed, it is really fast. One may need a stopwatch to even notice it is encrypted at all. I notice that one can use different encryption tools. I have Blowfish, Twofish, AES and sha*** as well as many others. I know some have been compromised. Which ones are known to be secure? I seem to recall that after Snowden some had to be redone and some new ones popped up to make sure they were secure. Thoughts?? Dale :-) :-)
Re: [gentoo-user] Hard drive screws
On 06/06/2020 20:14, J. Roeleveld wrote: One of my old cases had plastic strips with little sticks on them that would fit into the screwholes. Those strips would then slot into the mounting points for the disks. No messing around with screws and really easy to swap drives. They would be perfectly mounted as well. Too bad I don't see the same with most other cases. I remember that. Compaqs with 75 MEGA Hz cpu's iirc. Cheers, Wol
Re: [gentoo-user] Encrypting a hard drive's data. Best method.
On 06/06/2020 21:12, Rich Freeman wrote: To do this I'm just going to store my keys on the root filesystem so that the systems can be booted without interaction. Obviously if somebody compromises the files with the keys they can decrypt my drives, but this means that I just have to protect a couple of SD cards which contain my root filesystems, instead of worrying about each individual hard drive. The drives themselves end up being much more secure, because the password used to protect each drive is random and long - brute-forcing the password will be no easier than brute-forcing AES itself. This doesn't protect me at all if somebody breaks into my house and steals everything. On the other hand, if you're always present at boot, stick the keys on a USB that has to be in the laptop when it starts. If that's on your (physical) keyring, chances are it won't be compromised at the same time as the laptop - and hopefully the attacker won't realise it's needed for boot :-) (yes I know - security through obscurity is bad as your MAIN defence, but a few layers on top of something secure just makes life more of a pain for an attacker :-) Cheers, Wol