Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On Fri, Aug 28, 2020 at 10:15:32PM -0500, Dale wrote: > Ashley Dixon wrote: > > > > Especially considering most Americans do not understand the system (the > > readability of the I.R.S. tax code has been under scrutiny for a long time), > > I wouldn't want to place the burden of conferring with such a convoluted > > system on anyone. > > I read a article once several years ago where a magazine contacted the > IRS and gave the same set of facts and asked the same question of over a > dozen different IRS help agents. You know, the ones that answer the > phone to help you. Given the same facts and the same question, they got > several different answers. It seems even the people at the IRS can't > understand it either. I did a quick on-line search regarding this matter (and readability of English texts in general), and it seems like the I.R.S. tax code is incapable of achieving even a positive score on the Flesch readability index [1, 2], so your testimonial doesn't surprise me too much. The same algorithm has been applied to a quite a few public domain works in Literature and Philosophy over the last few centuries; some of the results are mildly interesting [3]. Although, considering Finnegans Wake attained a score of 62.8, I am dubious of the accuracy of this method (then again, it's very non- standard English, if you can call it English at all) [4]. [1] http://users.csc.calpoly.edu/~jdalbey/305/Projects/FleschReadabilityProject.html [2] https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests [3] http://www.infomotions.com/etexts/ [4] https://www.statslife.org.uk/culture/1572-how-unreadable-are-james-joyce-s-novels -- Ashley Dixon suugaku.co.uk 2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA signature.asc Description: PGP signature
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
Ashley Dixon wrote: > > Especially considering most Americans do not understand the system > (the > readability of the I.R.S. tax code has been under scrutiny for a long time), > I > wouldn't want to place the burden of conferring with such a convoluted system > on > anyone. > I read a article once several years ago where a magazine contacted the IRS and gave the same set of facts and asked the same question of over a dozen different IRS help agents. You know, the ones that answer the phone to help you. Given the same facts and the same question, they got several different answers. It seems even the people at the IRS can't understand it either. I've also read that some lawyers know the more common things but have to look up some things and even then, the answer may not be clear. One law says one thing, some other law says something else. Or worse yet, the law isn't clear at all. This is one reason I think a flat tax or something should be considered. As it is, who really understands the tax code? I read once how much paper it takes to print it all out but can't recall how many it was. Just remember it was a lot and that it was way to many. Even half would be to much. Personally, maybe moving to a different state would help, maybe not. It's not like any Govt can be *really* trusted nowadays anyway, right? Moving to another country may fix one thing and create yet another. Dale :-) :-)
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 2020-08-28 20:29, Grant Taylor wrote: > On 8/28/20 6:10 PM, Michael Orlitzky wrote: >> I think I see where we're diverging: I'm assuming that the employees of >> the VPS provider can hop onto any running system with root privileges. > > Perhaps I'm woefully ignorant, but my current working understanding > is that ...They still need to connect to a terminal (be it console or > serial or ssh or other), log in (with credentials that they should > not have) and access things that way. > > I'm actually not encrypting the full VM. I have an encrypted disk. The > VM boots like normal, I log in, unlock the encrypted disk, mount it, and > start services. If /etc/passwd, /etc/shadow, and friends aren't encrypted, they can get in pretty easily without credentials. The VPS admins have physical access to the disk -- they could swap out your root password for theirs temporarily, or create a secondary privileged account. And keep in mind that your shell and all of the executables used to decrypt/mount the disk are themselves unencrypted and can be replaced by malware. A lazy attack would be to reboot in single-user mode (bypasses the root password) and then replace your utilities with keyloggers before rebooting again. This might look suspicious to you, but would you really avoid logging into the system ever again because it rebooted once?
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 3:54 PM, Poison BL. wrote: On Mon, Aug 17, 2020 at 12:51 AM Caveman Al Toraboran wrote: hi. context: 1. tinfoil hat is on. 2. i feel disrespected when someone does things to my stuff without getting my approval. 3. vps admin is not trusty and their sys admin may read my emails, and laugh at me! 4. whole thing is not worth much money. so not welling to pay more than the price of a cheap vps. moving to dedicated hardware for me is not worth it. my goal is to make it annoying enough that cheap-vps's admins find it a bad idea for them to allocate their time to mingle with my stuff. thoughts on how to maximally satisfy these requirements? rgrds, cm. I'm rather late to the game with this, but at the end of the day, mail coming *into* a mail server isn't typically encrypted (and even that is only the body, the headers can still reveal a great deal, and are necessary for the server to work with it). A packet dump at the switch will turn over every piece of mail you receive along the way. Email's not designed for end to end security by default. Secondly, any hosting on hardware you don't control is impossible to fully secure, if the services on that end have to operate on the data at all. You can encrypt the drive, encrypt the mail stores themselves, etc, but all of those things will result in the encryption key being loaded into ram while the VPS is running, and dumping ram from the hypervisor layer destroys every illusion of security you had. Dedicated hardware in a locked cabinet is as close as you get to preventing physical attacks when you're hosting in someone else's DC, and that's not nearly in the same market segment, price-wise, as a cheap VPS. At best, if you have sensitive email that you're sending or receiving, work with the other end of the communication and then encrypt the contents properly. Even better, go with a larger scale, paid, solution in which your email isn't even remotely worth the effort to tamper with for the hosting company's employees, and hope the contractual obligations are sufficient to protect you. If you have any sort of controlled data going in and out of your email, step up to a plan that adheres to the regulatory frameworks you're required to adhere to and make very sure the contracts for it obligate the vendor to secure things properly on their end (aws, azure/o365/etc mostly all have offerings for, at least, US Gov level requirements). Hm. How about paying for codes the US F. Feds do not have, like Real Random. Supposedly, they are legally pissing of the F. Feds. Do your own evaluation. A US corp in good standing the F. Feds do not want anyone to know. About. Why? For the F. Feds to challenge what they do, they have to PUBLICLY disclose their p. p. https://www.realrandom.co/wp/ yes it's commercial. But for Gentoo, I'd push for a deep discount. They have totally awesome technology, and I know a sales guy there. Any solution, should have open source codes, and options for non-publish commercial codes. Are there back doors? Dunno. Ask. Make your own decision. But rumors are the F. Feds are pissed at these guys, cause they have real technology solutions right now. Not bullshit-AI jibberish. Sure, by executive order Trump could single action them out of existence, but rumor has it, he has already decided NO, on that pathway. My postulate is US Citizens, in good legal standing, with NO felony convictions, have superior rights to privacy, than the F. Feds. It's constitutionally bake in by our for fathers. We just need to stand up and demand this. F. these scumbag lawyers, judges and corrupt (sold out) politicians. The rest of the work is on their own. But, if we organize and stand up, we can put this 'demon' back into the darkness (abyss). I have no fear of the F. Feds. Others would be wise to self examine, before joining up with such an effort. James Horton, pe
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 6:10 PM, Michael Orlitzky wrote: I think I see where we're diverging: I'm assuming that the employees of the VPS provider can hop onto any running system with root privileges. Perhaps I'm woefully ignorant, but my current working understanding is that no virtual machine hypervisor solution provides a way for someone at the hypervisor level to access a guest VM as if they were root. They still need to connect to a terminal (be it console or serial or ssh or other), log in (with credentials that they should not have) and access things that way. I see little difference in the full (fat) VM compared to a stand alone server. Safe for the fact that there are ways to cross access memory. Though I think those types of things are decidedly atypical. My mental security model probably completely fails for containers. I suppose you can make that pretty annoying to do. If you're willing to encrypt everything, then you can even put /boot on the encrypted disk, unlocking it in (say) grub. The VPS provider can still replace grub with something that faxes them your password, but it's not totally trivial. (How are you accessing the console at boot time? Is it using software from the VPS provider? It's turtles all the way to hell.) I'm actually not encrypting the full VM. I have an encrypted disk. The VM boots like normal, I log in, unlock the encrypted disk, mount it, and start services. So, I feel like I've done the things that I reasonably can do to protect my email. Or said another way, I'm not sure what else I could do that would not also apply to a co-lo server. My VPS provider does offer the ability to access a console so I could use full encrypted system. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 5:00 PM, Grant Taylor wrote: On 8/28/20 1:18 PM, antlists wrote: The main reason other applications use "TCP over HTTP(S)" is because stupid network operators block everything else! I agree that filtering is a problem. I also think that it's something that most people can overcome when they control the firewall between the private LAN and the Internet.� (Your typical SOHO NATing gateway.) The few times that I have run into filtering, it has been for uninitiated inbound connections.� I've almost always been able to initiate outbound connections to / from odd ports.� The few times that I could not do so in the last 20 years were resolved by engaging the ISP and ... politely ... getting them to knock it off.� Inbound can be more tricky.� But even inbound HTTP(S) was subject to the same problems. Actually, inbound HTTP(S) was more of a problem than other ports. The more I hear, the more the FEDS and judges need to get involve. From what I read, it's and education problem. This is commonly referred to as 'racketeering' and is extremely illegal, meaning the FEDS fine them super high amounts of money, and judges rubber stamp the fines. You want to play and compete in the US? A fair economic playground is constitutionally required. There is so much case law, that it is ridiculous. What case law does is establish precedence. And that precedence of relevant case builds a HUGH argument that most judges will not ignore. Combine that with the fact that the general public, will side with us? SlameDunk, in legal parlance. Anyone with access to legal precedence setting case law, can research this out. I had no idea what a pile of Horse S. this has become. It is totally illegal. Even if I were to loose, on Gentoo's behalf, a legal battle, going public will destroy their pierce strings. All of this should be codified in RFCs, or labeled as optional. WE do need to get organized, before seeking legal moguls to assist this public effort. The more I dig, the more I realize it is way past time to fix this illegal activity. My guess is a well documented and organized effort is the first step. Then a few mavericks educating politicians and filing briefs with the court systems will get the ball rolling. I kicked Verizon's Ass, back when they were call GTE, so it's routine for me to kick some big corps ass. If we get, just 0.1 % of their subscribers onboard, it's a done deal. Cell phone criminal activity by the big telco operators is 'part and parcel' to this HS too. My question is have a few technical devs had enough? There are plenty of tech-savie High School kids that need jobs. Think of it as a jobs program. Started here in the US, but easily expandable to most countries. https://foreignpolicy.com/2020/08/27/china-tech-facebook-google/ James
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 4:45 PM, james wrote: If we can get these codes running on arm64 (R.P.4) surely running them on AMD or intel is trivial? I will be flabbergasted if something would run on the Raspberry Pi that won't run on x86 (Intel / AMD). Presuming that it's complied from common source code. Perhaps a read on "Intel cripple AMD functions is in order? https://www.agner.org/forum/viewtopic.php?f=1=6 I don't believe this is germane to the primary topic of this thread. (2) identical R.Pi.4 8gig rams systems, running gentoo. Okay. (1) dns resolver codes emails service codes etc (1) dns resolver codes, webserver to support email services etc. So each Raspberry Pi is performing a different function. Okay. I was wanting to make sure that you weren't wanting to try to do some sort of clustering where each Raspberry Pi could stand in for the other. As that's a considerably more complex configuration. I'm open to the stack (list) of codes necessary to securely run 1. embedded gentoo on R.P.4 (other hardware can be funded by others). 2. Any number of robust email servers-systems (open) I've recently shared what I have used for email. 3. a DNS servers to provide "primary dns services" a total of (2). More than 2 would be great. Please elaborate on what you are proposing network connectivity to be? Are you thinking the Pi's have globally routed IPs? As such, primary DNS could be 192.0.2.1 and secondary DNS could be at 192.0.2.2? Note: It is best practice to have primary and secondary DNS servers in different /24 (or larger) networks. If you are thinking two globally routed IPs, I believe that significantly, if not artificially, narrows the number of people that could participate as getting multiple IPs on a SOHO Internet connection can be challenging and almost always requires additional monthly fees. Conversely, a single IP with proper network magic is much simpler entry point. 4. A companion ngnix(?) web server just to complement the project. The ideas is each email services collective could have their own web pages explaining their email and related services. Okay. You can run the web server on the same system. But if you want to run it on a separate system, that's fine too. I'm somewhat confused by your choice of the word "collective". My anticipation is that many of the people that would be doing this, would be doing so for their own person reasons. Much like I have my domain name for my own reasons. I don't anticipate that people will be offering services to more than a few friends and / or family members (if that). 5. On these (3) projects, I'd be open to other, complementary experimentation, as long as it is published. Grant Taylor, do not let it go to your head, but I agree with most of what you write in Gentoo User. Me? I'm just an idiot on the Internet with some things to say. Sometimes they happen to be true. Ideally, you know (or learn) enough to tell which is which. ;-) But, thank you. :-) 6. (2) Rpi4 (8 gig) systems and extras are 2-3 hundred dollars. So it's total less than $900 USD dollars. NOT a bid deal for my little corp. Actually, if I get what I need, then it's the most inexpensive && robust way for my little corp to get exactly what I need. My own small email servers and dns resolvers supporting those email services. Based on some back of the envelope math Sure. I'm not funding somebody else's idea. I'm funding what *I* want, open to input. That seems reasonable. Though, I think that some of your requirements are still a bit too undefined. Even independent of what software is used and how it's configured, there are still questions: - Are IP addresses globally routed or not? - Are said IP addresses static or dynamic? - What sort of client's will be accessing this? - Where will they be accessing from; LAN and / or Internet? With this effort others benefit from the project. The ultimate goals is for hundreds of email services to be setup, gentoo centric. OK, great. FUND what you want. Run things as you see fit I have been. My intention is to see if there is a way that I can contribute to your community project without consuming any funds so that other people might be able to benefit from your generosity. Show me a concise, easy to follow set of codes and docs, and I'll just build (2) R.P.4 servers and share my docs 100%. There is more to setting up and running an email server off of a SOHO internet connection than just how the email stack is configured. Forget the fact, for now, that all static IPs Frontier has, are blocked by this same group of higher and higher standards. Really, I'm kinda shocked NeddySeagoon, or others have not already fixed this, via 100% gentoo codes, complete with ample documentation. That's an example of the type of problem that will need to be overcome which is independent of the email server stack. Just add the email, dns, ngnix, security
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 2020-08-28 19:43, Grant Taylor wrote: > > The only way to get the key is to extract it out of the running VPS's > memory. Something that I think is beyond the capability of many, but > definitely not all, people. > > ... > > As long as STARTTLS is used (and validated) between the MTAs and the VPS > provider doesn't have a way to get the keys (because they are on an > encrypted disk), then the contents of the transmission should be fairly > secure. I think I see where we're diverging: I'm assuming that the employees of the VPS provider can hop onto any running system with root privileges. I suppose you can make that pretty annoying to do. If you're willing to encrypt everything, then you can even put /boot on the encrypted disk, unlocking it in (say) grub. The VPS provider can still replace grub with something that faxes them your password, but it's not totally trivial. (How are you accessing the console at boot time? Is it using software from the VPS provider? It's turtles all the way to hell.)
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 4:26 PM, Michael Orlitzky wrote:> The contents of the disk are unencrypted while the server is powered on, or at least while the server is receiving email (while it's reading from and writing to that disk). In practice that will be all the time -- you can't log in and type the disk-encryption password every time an email arrives. You don't need to enter a password every time that an email comes in. I have a VPS with an encrypted file system. I enter the password at the time that it boots. The disk and file system(s) therein are encrypted all the time. So a clone of the disk will require the passphrase to unlock the key. The only way to get the key is to extract it out of the running VPS's memory. Something that I think is beyond the capability of many, but definitely not all, people. A clone of the VPS will effectively present the same security posture as the running system. I've been running like this for five (or more) years without any problems. I think it works great. I shouldn't have used the word "secret." Pre-established or out-of-band authentication would have been more accurate. Okay. Poor choice of words happen. Unfortunately I mistook your statement to be referencing symmetric encryption with a shared secret. With GPG, the trust is between you and I, and the VPS provider acts as the eavesdropper. All three parties are distinct, and the security can work. With TLS between MTAs, the trust is established on-the-fly between the other MTA and the VPS provider, but the VPS provider still also plays the the role of the eavesdropper. When the eavesdropper is trusted, you're in trouble. As long as STARTTLS is used (and validated) between the MTAs and the VPS provider doesn't have a way to get the keys (because they are on an encrypted disk), then the contents of the transmission should be fairly secure. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 4:56 PM, Grant Taylor wrote: On 8/28/20 1:55 PM, james wrote: I'm proposing, via a small corp I own, to purchase up to (3) dual Rasp.pi 4 setups of (2) R.Pi.4 8gig ram setups and send them to the devs WE all decide on. A few points. 1)� I don't think that 8 GB of RAM is required.� --� My email server is a VPS with 2 GB of RAM and is running just fine.� So, maybe smaller systems would work.� And maybe that would mean that more of them could be acquired for the same funding. OK, but I like the R.P.8gram quite a lots. so my money is with prototyping on via (3) innovators each with (2) R. P. 4 8g ram. Others can use what they want. Surely others can propose and use other embedded (low2 power) boards. 2)� I don't know that a Raspberry Pi is strictly required for the testing.� I think that anything that will run Gentoo can be used to prove out the software stack.� --� Sure, there will /eventually/ need to be /some/ testing on Raspberry Pis.� But I think that testing will be later in the game and more of a confirmation after the fact. Great idea. Fund that pathway yourself. I LOVE R.PI.4 boards, with 8gig of ram. ymmv. If we can get these codes running on arm64 (R.P.4) surely running them on AMD or intel is trivial? Perhaps a read on "Intel cripple AMD functions is in order? https://www.agner.org/forum/viewtopic.php?f=1=6 3)� I'm not sure what you mean by "dual ... setups". (2) identical R.Pi.4 8gig rams systems, running gentoo. (1) dns resolver codes emails service codes etc (1) dns resolver codes, webserver to support email services etc. What are the two systems (be it Raspberry Pis or VPSs or VMs or something else) supposed to do?� -� Are you wanting primary and backup (as in MX) or some sort of cluster with shared file system or something else? Well establish, albeit, in long postings on this gentoo-user list. It's just (2) R.P.4 systems, running gentoo. I'm open to the stack (list) of codes necessary to securely run 1. embedded gentoo on R.P.4 (other hardware can be funded by others). 2. Any number of robust email servers-systems (open) 3. a DNS servers to provide "primary dns services" a total of (2). More than 2 would be great. 4. A companion ngnix(?) web server just to complement the project. The ideas is each email services collective could have their own web pages explaining their email and related services. 5. On these (3) projects, I'd be open to other, complementary experimentation, as long as it is published. Grant Taylor, do not let it go to your head, but I agree with most of what you write in Gentoo User. 6. (2) Rpi4 (8 gig) systems and extras are 2-3 hundred dollars. So it's total less than $900 USD dollars. NOT a bid deal for my little corp. Actually, if I get what I need, then it's the most inexpensive && robust way for my little corp to get exactly what I need. My own small email servers and dns resolvers supporting those email services. Let's us start compiling up the codes, keep it simple (for now) and implement them with gentoo-users as the testers of the email services. These discussions should be continued to everyone's benefit. However there are way more than (3) folks on these threads who are most capable to do this community prototyping. I think the idea of using VPSs or VMs means that a lot more people can participate using the same funding. I'm not funding somebody else's idea. I'm funding what *I* want, open to input. With this effort others benefit from the project. The ultimate goals is for hundreds of email services to be setup, gentoo centric. If WE do not act and get hundreds of these deployed, email, as we know it via RFCS and other standards may just disappear, or be relegated to the far reaches of the Internet.� What I have read, is standards based email services, particularly by small organizations, are under extreme pressure by large corporations to be marginalized out of existence. I think I disagree with that. OK, great. FUND what you want. Run things as you see fit Many of the big email operators are enforcing higher and higher standards.� But the standards /are/ /open/ and /can/ /be/ /implemented/ /by/ /anyone/ who wants to do so. Show me a concise, easy to follow set of codes and docs, and I'll just build (2) R.P.4 servers and share my docs 100%. Forget the fact, for now, that all static IPs Frontier has, are blocked by this same group of higher and higher standards. Really, I'm kinda shocked NeddySeagoon, or others have not already fixed this, via 100% gentoo codes, complete with ample documentation. https://wiki.gentoo.org/wiki/Raspberry_Pi4_64_Bit_Install Just add the email, dns, ngnix, security setup codes to this doc? I have been researching and reading, for over (3) weeks and have yet been able to formulate a pathway to get a mail server up. Granted the industry black-balling Frontier, is a bit of a shocker
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 2020-08-28 17:53, Grant Taylor wrote: > On 8/28/20 3:33 PM, Michael Orlitzky wrote: >> TLS only secures the channel; what comes out at the end is a plain-text >> message that can be read with minimal effort by the VPS provider, >> no skullduggery needed. > > I agree that STARTTLS only protects the email while it's in flight > between servers. > > Though I do think that it's going to somewhat difficult for a VPS > provider to read the contents of the message if it's stored on an > encrypted disk. The contents of the disk are unencrypted while the server is powered on, or at least while the server is receiving email (while it's reading from and writing to that disk). In practice that will be all the time -- you can't log in and type the disk-encryption password every time an email arrives. >> Unless the sender and recipient have some pre-shared secret (like GPG >> assumes), > > I *REALLY* thought that PGP (GPG) was based on public & private key > pairs, much like S/MIME and TLS. > > As such, Alice and Bob can encrypt messages to each other, even through > an untrusted medium such as a questionable email server. > > Yes, that still leaves the bootstraping issue of how do Alice and Bob > get each other's public key. -- I defer to my recent comments about > publishing keys in DNS and relying on DNSSEC. > GPG is based on public keys, but you've anticipated my response: public-key encryption still requires you to verify that "my" public key does in fact belong to *me* somehow. If you believe in the web of trust, then someone you know (or someone someone you know knows...) has to have met me in person and signed my key before it means anything to you. I shouldn't have used the word "secret." Pre-established or out-of-band authentication would have been more accurate. With GPG, the trust is between you and I, and the VPS provider acts as the eavesdropper. All three parties are distinct, and the security can work. With TLS between MTAs, the trust is established on-the-fly between the other MTA and the VPS provider, but the VPS provider still also plays the the role of the eavesdropper. When the eavesdropper is trusted, you're in trouble.
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On Fri, Aug 28, 2020 at 10:03:33PM +0100, antlists wrote: > On 28/08/2020 19:10, james wrote: > > > > A council member, from say England, could manage how 1/2 of what they > > raise is spent. It could even "english centric" but must comply with USA > > IRS standards. Our council could be expanded to many members, from other > > countries, with a centic goal of spending Gentoo funds > > WHY? As a Brit I wouldn't want to touch the Americal Legal System with a > barge pole!!! > > > Truly, there is no other globally recognized tax system > > like the USA-IRS (bad ass && world class open). That's why in times of > > trouble, entrepreneurs world wide flock to the "dollar". Also, being in > > elite standing with the USA-IRS opens many door doors to enhance and > > promote and deploy GENTOO globally. > > And as a Brit, while HMRC may be a pain, I have precious little to do with > them. My employer deals with them, and at the end of the year I occasionally > get a letter saying I've overpaid my taxes and here's some money back. Do I > REALLY want to get involved with some foreign system that's WAY more > complicated? > > Get rid of your rose-tinted spectacles. For the MAJORITY of Brits, our tax > system is way less complicated than yours. You'd be better off moving the > foundation to somewhere that doesn't have your insane mix of state and > federal taxes, and doesn't offload the responsibility onto people who don't > understand the system. Also as a Brit (West Yorkshireman), I concur one-hundred percent. The I.R.S. taxation system may be "globally recognised" in the sense that America is the only country on Earth, but in actuality, I remain gravely dubious that managing a U.S.-bound organisation from an "English-centric" perspective would serve any advantage whatsoever. Especially considering most Americans do not understand the system (the readability of the I.R.S. tax code has been under scrutiny for a long time), I wouldn't want to place the burden of conferring with such a convoluted system on anyone. -- Ashley Dixon suugaku.co.uk 2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA signature.asc Description: PGP signature
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 3:33 PM, Michael Orlitzky wrote: TLS only secures the channel; what comes out at the end is a plain-text message that can be read with minimal effort by the VPS provider, no skullduggery needed. I agree that STARTTLS only protects the email while it's in flight between servers. Though I do think that it's going to somewhat difficult for a VPS provider to read the contents of the message if it's stored on an encrypted disk. I think that taking a snapshot of a running VPS / VM with the disk encryption keys in memory and accessing it qualifies as skullduggery. Plus, they will still need to content with the authentication requirements of the running snapshot, just like they would with the running VPS / VM. So things like LUKS definitely raises the bar and makes a VPS provider work a fair bit harder to access what's on the encrypted disk. (And the private key for each TLS session is generated on-the-fly by the VPS anyway, so they could snoop on the channel too if they wanted to.) Harvesting keys (TLS and / or LUKS) out of memory definitely qualifies as skullduggery. You can only protect against so much. You have to find what is acceptable risk. Unless the sender and recipient have some pre-shared secret (like GPG assumes), I *REALLY* thought that PGP (GPG) was based on public & private key pairs, much like S/MIME and TLS. As such, Alice and Bob can encrypt messages to each other, even through an untrusted medium such as a questionable email server. Yes, that still leaves the bootstraping issue of how do Alice and Bob get each other's public key. -- I defer to my recent comments about publishing keys in DNS and relying on DNSSEC. you're going to fall into the same trap that DRM falls into. The technology provides a way for Alice and Bob to communicate securely in the presence of Eve, but only when Alice, Bob, and Eve are three distinct people. If the VPS is playing the part of both Bob and Eve, an off-the-shelf encryption model isn't going to work. I see no need for either Alice nor Bob to be on the VPS. I would expect that they are their own independent (smart) devices accessing their respective email servers. Don't put any unencrypted sensitive data on the central server(s). Decrypting the emails in any capacity on the central server means that the gig is up and anyone with access, OS level or more nefarious, can access things. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 2020-08-28 17:12, Grant Taylor wrote: > On 8/28/20 1:54 PM, Poison BL. wrote: >> I'm rather late to the game with this, but at the end of the day, >> mail coming *into* a mail server isn't typically encrypted (and even >> that is only the body, the headers can still reveal a great deal, >> and are necessary for the server to work with it). > > You seem to be referring to S/MIME and / or PGP encryption. You are > correct that S/MIME and PGP don't offer protection for headers. > > However, STARTTLS provides an encrypted channel to protect all of the > SMTP traffic. Thus, even the headers of email are encrypted while in > flight between servers. > >> A packet dump at the switch will turn over every piece of mail you >> receive along the way. > > When STARTTLS is in use, the only thing that you will see is the initial > EHLO and STARTTLS commands. Everything after that will be encrypted > traffic. > TLS only secures the channel; what comes out at the end is a plain-text message that can be read with minimal effort by the VPS provider, no skullduggery needed. (And the private key for each TLS session is generated on-the-fly by the VPS anyway, so they could snoop on the channel too if they wanted to.) Unless the sender and recipient have some pre-shared secret (like GPG assumes), you're going to fall into the same trap that DRM falls into. The technology provides a way for Alice and Bob to communicate securely in the presence of Eve, but only when Alice, Bob, and Eve are three distinct people. If the VPS is playing the part of both Bob and Eve, an off-the-shelf encryption model isn't going to work.
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 1:54 PM, Poison BL. wrote: I'm rather late to the game with this, but at the end of the day, mail coming *into* a mail server isn't typically encrypted (and even that is only the body, the headers can still reveal a great deal, and are necessary for the server to work with it). You seem to be referring to S/MIME and / or PGP encryption. You are correct that S/MIME and PGP don't offer protection for headers. However, STARTTLS provides an encrypted channel to protect all of the SMTP traffic. Thus, even the headers of email are encrypted while in flight between servers. A packet dump at the switch will turn over every piece of mail you receive along the way. When STARTTLS is in use, the only thing that you will see is the initial EHLO and STARTTLS commands. Everything after that will be encrypted traffic. Email's not designed for end to end security by default. Encryption for anything other than military use didn't really exist when email was developed. Since then, things like STARTTLS (or SMTPS if you choose to abuse it for B2B connections) and VPNs have become a realistic option. Most contemporary MTAs will opportunistically use STARTTLS if it is an option. We only need to worry about things that try to prevent STARTTLS from working. Thankfully, this is mostly authoritarian regimes in some parts of the world. Secondly, any hosting on hardware you don't control is impossible to fully secure, if the services on that end have to operate on the data at all. You can encrypt the drive, encrypt the mail stores themselves, etc, but all of those things will result in the encryption key being loaded into ram while the VPS is running, and dumping ram from the hypervisor layer destroys every illusion of security you had. I agree those are all valid concerns. However, we shouldn't let the inability to realistically have perfect prevent us from having something better than no encryption. Dedicated hardware in a locked cabinet is as close as you get to preventing physical attacks when you're hosting in someone else's DC, and that's not nearly in the same market segment, price-wise, as a cheap VPS. At best, if you have sensitive email that you're sending or receiving, work with the other end of the communication and then encrypt the contents properly. Even better, go with a larger scale, paid, solution in which your email isn't even remotely worth the effort to tamper with for the hosting company's employees, and hope the contractual obligations are sufficient to protect you. I'm not aware of any place that contracts will protect you against local court orders / government involvement. If you have any sort of controlled data going in and out of your email, step up to a plan that adheres to the regulatory frameworks you're required to adhere to and make very sure the contracts for it obligate the vendor to secure things properly on their end (aws, azure/o365/etc mostly all have offerings for, at least, US Gov level requirements). Yep. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
james wrote: > On 8/21/20 4:10 PM, Grant Taylor wrote: >> On 8/21/20 11:01 AM, Caveman Al Toraboran wrote: >>> yes, i do consider re-inventing octagonal wheels. >> >> I think that it's occasionally a good thing to have a thought >> experiment about how $THING might be made better. >> >> It's probably good to have discussions around green feel types of >> replacements. >> >> But it's important to eventually assess the pros and cons of the old >> (as it exists), the new (as from green field), and the transition >> between the two. >> >> Sometimes the new doesn't warrant the transition, but it does provide >> an option that might be worth augmenting into the old. >> >> If nothing else, it's good to have the discussions and be able to >> answer why something was done or chosen to remain the same. >> >>> here, i'm just "asking" to see what makes the "safely stored" >>> guarantee. >> >> MTAs are supposed to be written such that they commit the message to >> persistent storage medium (disk) before returning an OK message to >> the sending server. >> >> There is some nebulous area around what that actually means.� But >> the idea is that the receiving server believes, in good faith, that >> it has committed the message to persistent storage.� Usually this >> involves writing the message to disk, probably via a buffered >> channel, and then issued system calls to ask the OS to flush the >> buffer to disk. >> >> Is there room for error?� Probably. >> >> Had the server made (more than) reasonable effort to commit the >> message to disk?� Yes. >> >> The point being, don't acknowledge receipt of the message while the >> message is only in the MTA's memory buffer.� Take some steps to >> commit it to persistent storage. >> >> That being said, there are some questionable servers / configurations >> that will bypass this safety step in the name of performance.� And >> they /do/ /loose/ /email/ as a negative side effect if (when) they do >> crash. This is a non-default behavior that has been explicitly chosen >> by the administrators to violate the SMTP specification.� Some MTAs >> will log a warning that they are configured to violate RFCs. >> >>> got any specific definition of what makes a storage "guaranteed"? >>> e.g. what kind of tests does the mail server do in order to say >>> "yup, i can now guarantee this is stored safely!"? >> >> It's more that they do something safe (write the message to disk) >> instead of risky (only store it in memory). >> >> Everything can fail at some point.� It's a matter of what and how >> many reasonable steps did you take to be safe.� Read: Don't cut >> corners and do something risky. >> >>> i guess you think that i meant that a relay should be mandatory? >> >> Sending / outbound SMTP servers /are/ a relay for any messages not >> destined to the local server. >> >> There is almost always at least two SMTP servers involved in any >> given email delivery.� All but the final receiving system is a relay. >> >>> (yes, a relay doesn't have to be used.� i'm just describing some >>> uses of relays that i think make sense.� (1) indicate trust >>> hierarchy, (2) offload mail delivery so that i can close my laptop >>> and let the relay have fun with the retries.� not sure there is >>> any other use.� anyone?) >> >> There are many uses for email relays.� A common one, and best >> practice, is to have an /inbound/ relay, commonly known as a backup >> email server. The idea being it can receive inbound messages while >> the primary email server is down (presumably for maintenance). >> >> Many SaaS Email Service Providers (ESPs) /are/ relay servers.� They >> receive email from someone and send it to someone else. >> >> A number of email hygiene appliances function as an email relay >> between the world and your ultimate internal email server.� >> Services that filter inbound email qualify here too. >> >> It is common, and I think it's best practice, to have web >> applications send email via localhost, which is usually a relay to a >> more capable hub email server which sends outbound email.� Both of >> these layers are relays. >> >> A relay is the same thing for email that a router is for a network. > > WOW do I love these discussions, but let me 'cut to the chase'. > > I'm proposing, via a small corp I own, to purchase up to (3) dual > Rasp.pi 4 setups of (2) R.Pi.4 8gig ram setups > and send them to the devs WE all decide on. Let's us start compiling > up the codes, keep it simple (for now) and implement them with > gentoo-users as the testers of the email services. > > > These discussions should be continued to everyone's benefit. However > there are way more than (3) folks on these threads who are most > capable to do this community prototyping. If WE do not act and get > hundreds of these deployed, email, as we know it via RFCS and other > standards may just disappeaar, or be relegated to the far reaches of > the Internet. What I have read, is standards based
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On 28/08/2020 19:10, james wrote: A council member, from say England, could manage how 1/2 of what they raise is spent. It could even "english centric" but must comply with USA IRS standards. Our council could be expanded to many members, from other countries, with a centic goal of spending Gentoo funds WHY? As a Brit I wouldn't want to touch the Americal Legal System with a barge pole!!! Truly, there is no other globally recognized tax system like the USA-IRS (bad ass && world class open). That's why in times of trouble, entrepreneurs world wide flock to the "dollar". Also, being in elite standing with the USA-IRS opens many door doors to enhance and promote and deploy GENTOO globally. And as a Brit, while HMRC may be a pain, I have precious little to do with them. My employer deals with them, and at the end of the year I occasionally get a letter saying I've overpaid my taxes and here's some money back. Do I REALLY want to get involved with some foreign system that's WAY more complicated? Get rid of your rose-tinted spectacles. For the MAJORITY of Brits, our tax system is way less complicated than yours. You'd be better off moving the foundation to somewhere that doesn't have your insane mix of state and federal taxes, and doesn't offload the responsibility onto people who don't understand the system. Cheers, Wol
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 1:18 PM, antlists wrote: The main reason other applications use "TCP over HTTP(S)" is because stupid network operators block everything else! I agree that filtering is a problem. I also think that it's something that most people can overcome when they control the firewall between the private LAN and the Internet. (Your typical SOHO NATing gateway.) The few times that I have run into filtering, it has been for uninitiated inbound connections. I've almost always been able to initiate outbound connections to / from odd ports. The few times that I could not do so in the last 20 years were resolved by engaging the ISP and ... politely ... getting them to knock it off. Inbound can be more tricky. But even inbound HTTP(S) was subject to the same problems. Actually, inbound HTTP(S) was more of a problem than other ports. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/28/20 1:55 PM, james wrote: I'm proposing, via a small corp I own, to purchase up to (3) dual Rasp.pi 4 setups of (2) R.Pi.4 8gig ram setups and send them to the devs WE all decide on. A few points. 1) I don't think that 8 GB of RAM is required. -- My email server is a VPS with 2 GB of RAM and is running just fine. So, maybe smaller systems would work. And maybe that would mean that more of them could be acquired for the same funding. 2) I don't know that a Raspberry Pi is strictly required for the testing. I think that anything that will run Gentoo can be used to prove out the software stack. -- Sure, there will /eventually/ need to be /some/ testing on Raspberry Pis. But I think that testing will be later in the game and more of a confirmation after the fact. 3) I'm not sure what you mean by "dual ... setups". What are the two systems (be it Raspberry Pis or VPSs or VMs or something else) supposed to do? - Are you wanting primary and backup (as in MX) or some sort of cluster with shared file system or something else? Let's us start compiling up the codes, keep it simple (for now) and implement them with gentoo-users as the testers of the email services. These discussions should be continued to everyone's benefit. However there are way more than (3) folks on these threads who are most capable to do this community prototyping. I think the idea of using VPSs or VMs means that a lot more people can participate using the same funding. If WE do not act and get hundreds of these deployed, email, as we know it via RFCS and other standards may just disappeaar, or be relegated to the far reaches of the Internet. What I have read, is standards based email services, particularly by small organizations, are under extreme pressure by large corporations to be marginalized out of existence. I think I disagree with that. Many of the big email operators are enforcing higher and higher standards. But the standards /are/ /open/ and /can/ /be/ /implemented/ /by/ /anyone/ who wants to do so. The /only/ thing that I've seen that is somewhat of a closed system that small players -- like myself -- have no real hop of is getting people like Google to trust our ARC (not DMARC) signatures. Though this is probably more a shortcoming in the ARC specification as it doesn't tackle how to get providers to trust your signature as a small operator. So any of the folks in these treads can announce publically, or send me private email as to your concerns. Public is best, but, I understand the needs for private communications sometimes. So yea, I'll personally finaces, at least 6 months of (3) projects. I'll take all input, but will make my (funding) decision, in a focus, quick strategy. I'm happy to participate. My preference would be to use a VPS / VM (which I can provide) and allow others to take advantage of the Pis that are on offer. -- Grant. . . . unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 28/08/2020 20:34, J. Roeleveld wrote: Cheers, Wol I think you meant that Caveman doesn't understand what TCP (and UDP) actually is. Grant does seem to know what he is talking about. Sorry yes I did. I got rather confused ... not surprising really :-) Cheers, Wol
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/21/20 4:10 PM, Grant Taylor wrote: On 8/21/20 11:01 AM, Caveman Al Toraboran wrote: yes, i do consider re-inventing octagonal wheels. I think that it's occasionally a good thing to have a thought experiment about how $THING might be made better. It's probably good to have discussions around green feel types of replacements. But it's important to eventually assess the pros and cons of the old (as it exists), the new (as from green field), and the transition between the two. Sometimes the new doesn't warrant the transition, but it does provide an option that might be worth augmenting into the old. If nothing else, it's good to have the discussions and be able to answer why something was done or chosen to remain the same. here, i'm just "asking" to see what makes the "safely stored" guarantee. MTAs are supposed to be written such that they commit the message to persistent storage medium (disk) before returning an OK message to the sending server. There is some nebulous area around what that actually means.� But the idea is that the receiving server believes, in good faith, that it has committed the message to persistent storage.� Usually this involves writing the message to disk, probably via a buffered channel, and then issued system calls to ask the OS to flush the buffer to disk. Is there room for error?� Probably. Had the server made (more than) reasonable effort to commit the message to disk?� Yes. The point being, don't acknowledge receipt of the message while the message is only in the MTA's memory buffer.� Take some steps to commit it to persistent storage. That being said, there are some questionable servers / configurations that will bypass this safety step in the name of performance.� And they /do/ /loose/ /email/ as a negative side effect if (when) they do crash. This is a non-default behavior that has been explicitly chosen by the administrators to violate the SMTP specification.� Some MTAs will log a warning that they are configured to violate RFCs. got any specific definition of what makes a storage "guaranteed"? e.g. what kind of tests does the mail server do in order to say "yup, i can now guarantee this is stored safely!"? It's more that they do something safe (write the message to disk) instead of risky (only store it in memory). Everything can fail at some point.� It's a matter of what and how many reasonable steps did you take to be safe.� Read: Don't cut corners and do something risky. i guess you think that i meant that a relay should be mandatory? Sending / outbound SMTP servers /are/ a relay for any messages not destined to the local server. There is almost always at least two SMTP servers involved in any given email delivery.� All but the final receiving system is a relay. (yes, a relay doesn't have to be used.� i'm just describing some uses of relays that i think make sense.� (1) indicate trust hierarchy, (2) offload mail delivery so that i can close my laptop and let the relay have fun with the retries.� not sure there is any other use.� anyone?) There are many uses for email relays.� A common one, and best practice, is to have an /inbound/ relay, commonly known as a backup email server. The idea being it can receive inbound messages while the primary email server is down (presumably for maintenance). Many SaaS Email Service Providers (ESPs) /are/ relay servers.� They receive email from someone and send it to someone else. A number of email hygiene appliances function as an email relay between the world and your ultimate internal email server.� Services that filter inbound email qualify here too. It is common, and I think it's best practice, to have web applications send email via localhost, which is usually a relay to a more capable hub email server which sends outbound email.� Both of these layers are relays. A relay is the same thing for email that a router is for a network. WOW do I love these discussions, but let me 'cut to the chase'. I'm proposing, via a small corp I own, to purchase up to (3) dual Rasp.pi 4 setups of (2) R.Pi.4 8gig ram setups and send them to the devs WE all decide on. Let's us start compiling up the codes, keep it simple (for now) and implement them with gentoo-users as the testers of the email services. These discussions should be continued to everyone's benefit. However there are way more than (3) folks on these threads who are most capable to do this community prototyping. If WE do not act and get hundreds of these deployed, email, as we know it via RFCS and other standards may just disappeaar, or be relegated to the far reaches of the Internet. What I have read, is standards based email services, particularly by small organizations, are under extreme pressure by large corporations to be marginalized out of existence. So any of the folks in these treads can announce publically, or send me private email
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On Mon, Aug 17, 2020 at 12:51 AM Caveman Al Toraboran wrote: > > hi. context: > > 1. tinfoil hat is on. > 2. i feel disrespected when someone does things to >my stuff without getting my approval. > 3. vps admin is not trusty and their sys admin may >read my emails, and laugh at me! > 4. whole thing is not worth much money. so not >welling to pay more than the price of a cheap >vps. moving to dedicated hardware for me is >not worth it. my goal is to make it annoying >enough that cheap-vps's admins find it a bad >idea for them to allocate their time to mingle >with my stuff. > > thoughts on how to maximally satisfy these > requirements? > > rgrds, > cm. > I'm rather late to the game with this, but at the end of the day, mail coming *into* a mail server isn't typically encrypted (and even that is only the body, the headers can still reveal a great deal, and are necessary for the server to work with it). A packet dump at the switch will turn over every piece of mail you receive along the way. Email's not designed for end to end security by default. Secondly, any hosting on hardware you don't control is impossible to fully secure, if the services on that end have to operate on the data at all. You can encrypt the drive, encrypt the mail stores themselves, etc, but all of those things will result in the encryption key being loaded into ram while the VPS is running, and dumping ram from the hypervisor layer destroys every illusion of security you had. Dedicated hardware in a locked cabinet is as close as you get to preventing physical attacks when you're hosting in someone else's DC, and that's not nearly in the same market segment, price-wise, as a cheap VPS. At best, if you have sensitive email that you're sending or receiving, work with the other end of the communication and then encrypt the contents properly. Even better, go with a larger scale, paid, solution in which your email isn't even remotely worth the effort to tamper with for the hosting company's employees, and hope the contractual obligations are sufficient to protect you. If you have any sort of controlled data going in and out of your email, step up to a plan that adheres to the regulatory frameworks you're required to adhere to and make very sure the contracts for it obligate the vendor to secure things properly on their end (aws, azure/o365/etc mostly all have offerings for, at least, US Gov level requirements). -- Poison [BLX] Joshua M. Murphy
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 28 August 2020 21:27:52 CEST, antlists wrote: >On 26/08/2020 21:21, Grant Taylor wrote: >>> so basically total expected number of protocols/layers used in the >>> universe, per second, will be much less if we, on planet earth, use >a >>> mail system that uses HTTP* instead of RESXCH_*. >> >> I obviously disagree. > >Exactly. You now need a protocol/layer that says you're running "mail >over http" as opposed to "web". HTTP is tcp/80 that *means* web. As >soon >as you start using it for something (anything) else you've just added >another protocol/layer. > >I get the distinct impression that Grant doesn't actually understand >what TCP is ... (hint - it has port numbers that are meant (if they're >not abused) to indicate what is going over the connection, like SMTP, >or >HTTP, or POP, or IMAP, etc etc). > >Cheers, >Wol I think you meant that Caveman doesn't understand what TCP (and UDP) actually is. Grant does seem to know what he is talking about. -- Joost -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 26/08/2020 21:21, Grant Taylor wrote: so basically total expected number of protocols/layers used in the universe, per second, will be much less if we, on planet earth, use a mail system that uses HTTP* instead of RESXCH_*. I obviously disagree. Exactly. You now need a protocol/layer that says you're running "mail over http" as opposed to "web". HTTP is tcp/80 that *means* web. As soon as you start using it for something (anything) else you've just added another protocol/layer. I get the distinct impression that Grant doesn't actually understand what TCP is ... (hint - it has port numbers that are meant (if they're not abused) to indicate what is going over the connection, like SMTP, or HTTP, or POP, or IMAP, etc etc). Cheers, Wol
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 26/08/2020 19:51, Grant Taylor wrote: Just because it's possible to force something to use HTTP(S) does not mean that it's a good idea to do so. The main reason other applications use "TCP over HTTP(S)" is because stupid network operators block everything else! Cheers, Wol
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 26/08/2020 18:40, Grant Taylor wrote: On 8/21/20 10:15 PM, Caveman Al Toraboran wrote: just to double check i got you right. due to flushing the buffer to disk, this would mean that mail's throughput is limited by disk i/o? Yes. This speed limitation is viewed as a necessary limitation for the safety of email passing through the system. Nothing states that it must be a single disk (block device). It's entirely possible that a fancy MTA can rotate through many disks (block devices), using a different one for each SMTP connection. Thus in theory allowing some to operate in close lock step with each other without depending on / being blocked by any given disk (block device). Thank you for the detailed explanation Ashley. Or think back to the old days - network was slow and disks were relatively fast. The disk was more than capable of keeping up with the network, and simple winchesters didn't lie about saving to the rotating rust ... As Ashley explained, some MTAs trust the kernel. I've heard of others issuing a sync after the write. But that is up to each MTA's developers. They have all taken reasonable steps to ensure the safety of email. Some have taken more-than-reasonable steps. Depends on the filesystem. "sync after write" was an EXTREMELY daft idea on ext4 in the early days - that would really have killed system response. Nowadays you could stick an SSD cache in front of a raid array ... Cheers, Wol
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On 8/28/20 2:10 PM, james wrote: On 8/28/20 1:20 PM, Dale wrote: Jack wrote: On 8/28/20 12:33 PM, james wrote: On 8/27/20 10:11 PM, Dale wrote: james wrote: Gentoo, https://blogs.gentoo.org/mgorny/2020/08/25/is-an-umbrella-organization-a-good-choice-for-gentoo/ Surely some of the business/legal savvy folks want to "chime in" on Sir Gorny's proposal? I just read this on 'hacker news' It just sounds like mostly a lack of fund raising to operate? James There's several issues that lead to this.� For ages, the financial books were not kept up to date.� From what I recall, some paperwork was lost which made it difficult to impossible to do the needed IRS filings.� Things on that part seemed to snowball from there.� In the past few years or so, that has been dealt with and from what I've read, it is now up to date and they are trying to get back in good standing with the IRS and other Govt entities.� I think I read where most of the hard work as already been done, just needs time to kick in.� It isn't hard to get into that situation, it just takes one year with a mistake to trigger bad things.� It takes a lot of work to get it cleared up tho.� All of us should be grateful to the ones who put in the hard work to get that taken care of.� I'm sure it took a lot of effort and time to get that done.� I'm sure it was boring as heck to do as well.� Some of us would likely have no hair left. Another issue, not many want to run the foundation.� The devs mostly want to write code.� They aren't to much interested in running the foundation part of it.� A few do because it is needed and they do their best, some even go far beyond that, but they really want to write code.� That's what developers came to Gentoo for after all. Since there is two different bodies that run Gentoo in different ways, it further reduces the number of people wanting to do the job.� The foundation part is from my understanding, bureaucratic paperwork.� Who wants to do that for free?� There's not many. Basically, if you run for a position on the foundation, it's good odds you get it because usually just enough run to fill the open spots.� I often wonder, do they draw straws to pick people to run just so things keep chugging along??� LOL Then there is the costs.� It costs to deal with all the paperwork and filings.� There's state filings as well as federal.� Missing either of those can cause trouble for the other and also get expensive and time consuming to correct.� Again, very few want to deal with it.� The few that do likely do it because Gentoo needs it not because they are jumping up and down wanting to do it.� It's what keeps Gentoo going. It's cheaper to join some other group like has been talked about for years and let them take a percentage of the money and them as professionals handle all that nasty paperwork and filings. My personal opinion.� I'm still leaning to keep Gentoo as it is but I'm not the one doing all the boring work either.� My concern, Gentoo joins some group and it ends badly for Gentoo.� Maybe they screw up something and that puts Gentoo and maybe everyone else in the group in jeopardy with govt entities or lawsuits.� On the other hand, if Gentoo doesn't have the right people, they could do the same thing to themselves.� The people who do run for those seats do try their best even if something goes wrong.� Thing is, it doesn't take much to run afoul of govt entities or trigger a lawsuit. Gentoo has been lucky in that regard.� There is no easy answer to this.� Either way has advantages.� Same can be said for disadvantages as well. I'm sure there is more that isn't known to the public and I'm sure some things are escaping my mind at the moment.� Either way, whatever keeps Gentoo going and successful, that is what needs to be done.� Since I don't have a crystal ball, I'm not sure which is best long term. Now someone add more to this.� ;-) Dale :-)� :-) The referenced article says this: "Right now we�re already relying on a CPA to handle our filings. For a commercial company (we are one now), the cost is $1500 a year." Seems way too high. I pay $500/yr for a C corp here in Florida; a firm that that is "outstanding" with the US IRS. "If we wanted to go for proper non-profit, the estimated cost is between $2000 and $3000 a year." Still seems way to high. With Gentoo, we can use Any state, so why not move the home to a low cost state? Many corps use Delaware, just for that reason. I think most of those listed numbers are not just the official filing fees, but include paying a CPA to do the filings.� While certified CPA is not required to do any of those filings, I suspect it is now that way because historically, the volunteer who was supposed to do it didn't.� Paying someone does seem excessively expensive, but you know it will get done, and
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
‐‐‐ Original Message ‐‐‐ On Friday, August 28, 2020 2:35 AM, Ashley Dixon wrote: > On Thu, Aug 27, 2020 at 09:07:03PM +, Caveman Al Toraboran wrote: > > > anyway i'm out of this. massive waste of time. i > > could've finished server-side hillarymail by it. > > Oh, come on. People on this list have decades of experience managing and > implementing e-mail protocols, and you call their (free) help a "massive waste > of time"? Stop being silly and realise that no initial proposal is completely > flawless. it's not against "people on the list". it's rather for them. because continuing talking to grant (and soon you) is fueling a useless conversation that is effectively vandalising the mailboxes of 100s of people on this list. now you're posting this yet another useless drama message trying to make it sound as if it's against "people on the list" or as if i'm too defensive of hillarymail. so now i'll also stop talking to you in this sub-thread (in addition to grant taylor). nothing personal. we may talk in other sub-threads. it's just that talking to you 2 in these late threads became a fuel to vandalise others' mailboxes. > As I keep urging you, define some goals (and as Grant said, start with > defining > the current problem), finish an initial standards document, and begin writing > a > reference implementation. Or just define some of the core algorithms with > pseudocode. I can almost-guarantee that you will start realising things that > need changing almost immediately upon doing so. nothing new. we already discussed this in the other sub-thread and, as i said there, i am already planning to write an implementation. and i'm already refining the draft. i don't know why you keep repeating non-new things over and over (zero information content). that sub-thread has also became very useless thanks to you and grant for talking about margaret thatcher, LaTeX and other unrelated things. zero actual comments about technical aspects. > Perhaps it is just me with my English sense of over-politeness, but I find > your > conduct to be remarkably audacious (and frankly rude) considering all the time > people are spending to help you. ... And if you don't want this sort of > on-line > discourse, why did you post on the list at all? is your "English" sense of "over-politeness" capable of sensing vandalism caused by having you post texts with low information content, or irrelevant info, to people's inboxes? (rhetorical)
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On 8/28/20 1:20 PM, Dale wrote: Jack wrote: On 8/28/20 12:33 PM, james wrote: On 8/27/20 10:11 PM, Dale wrote: james wrote: Gentoo, https://blogs.gentoo.org/mgorny/2020/08/25/is-an-umbrella-organization-a-good-choice-for-gentoo/ Surely some of the business/legal savvy folks want to "chime in" on Sir Gorny's proposal? I just read this on 'hacker news' It just sounds like mostly a lack of fund raising to operate? James There's several issues that lead to this.� For ages, the financial books were not kept up to date.� From what I recall, some paperwork was lost which made it difficult to impossible to do the needed IRS filings.� Things on that part seemed to snowball from there.� In the past few years or so, that has been dealt with and from what I've read, it is now up to date and they are trying to get back in good standing with the IRS and other Govt entities.� I think I read where most of the hard work as already been done, just needs time to kick in.� It isn't hard to get into that situation, it just takes one year with a mistake to trigger bad things.� It takes a lot of work to get it cleared up tho.� All of us should be grateful to the ones who put in the hard work to get that taken care of.� I'm sure it took a lot of effort and time to get that done.� I'm sure it was boring as heck to do as well.� Some of us would likely have no hair left. Another issue, not many want to run the foundation.� The devs mostly want to write code.� They aren't to much interested in running the foundation part of it.� A few do because it is needed and they do their best, some even go far beyond that, but they really want to write code.� That's what developers came to Gentoo for after all. Since there is two different bodies that run Gentoo in different ways, it further reduces the number of people wanting to do the job.� The foundation part is from my understanding, bureaucratic paperwork.� Who wants to do that for free?� There's not many. Basically, if you run for a position on the foundation, it's good odds you get it because usually just enough run to fill the open spots.� I often wonder, do they draw straws to pick people to run just so things keep chugging along??� LOL Then there is the costs.� It costs to deal with all the paperwork and filings.� There's state filings as well as federal.� Missing either of those can cause trouble for the other and also get expensive and time consuming to correct.� Again, very few want to deal with it.� The few that do likely do it because Gentoo needs it not because they are jumping up and down wanting to do it.� It's what keeps Gentoo going. It's cheaper to join some other group like has been talked about for years and let them take a percentage of the money and them as professionals handle all that nasty paperwork and filings. My personal opinion.� I'm still leaning to keep Gentoo as it is but I'm not the one doing all the boring work either.� My concern, Gentoo joins some group and it ends badly for Gentoo.� Maybe they screw up something and that puts Gentoo and maybe everyone else in the group in jeopardy with govt entities or lawsuits.� On the other hand, if Gentoo doesn't have the right people, they could do the same thing to themselves.� The people who do run for those seats do try their best even if something goes wrong.� Thing is, it doesn't take much to run afoul of govt entities or trigger a lawsuit. Gentoo has been lucky in that regard.� There is no easy answer to this.� Either way has advantages.� Same can be said for disadvantages as well. I'm sure there is more that isn't known to the public and I'm sure some things are escaping my mind at the moment.� Either way, whatever keeps Gentoo going and successful, that is what needs to be done.� Since I don't have a crystal ball, I'm not sure which is best long term. Now someone add more to this.� ;-) Dale :-)� :-) The referenced article says this: "Right now we�re already relying on a CPA to handle our filings. For a commercial company (we are one now), the cost is $1500 a year." Seems way too high. I pay $500/yr for a C corp here in Florida; a firm that that is "outstanding" with the US IRS. "If we wanted to go for proper non-profit, the estimated cost is between $2000 and $3000 a year." Still seems way to high. With Gentoo, we can use Any state, so why not move the home to a low cost state? Many corps use Delaware, just for that reason. I think most of those listed numbers are not just the official filing fees, but include paying a CPA to do the filings.� While certified CPA is not required to do any of those filings, I suspect it is now that way because historically, the volunteer who was supposed to do it didn't.� Paying someone does seem excessively expensive, but you know it will get done, and if not, you have some legal
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
Jack wrote: > On 8/28/20 12:33 PM, james wrote: >> On 8/27/20 10:11 PM, Dale wrote: >>> james wrote: Gentoo, https://blogs.gentoo.org/mgorny/2020/08/25/is-an-umbrella-organization-a-good-choice-for-gentoo/ Surely some of the business/legal savvy folks want to "chime in" on Sir Gorny's proposal? I just read this on 'hacker news' It just sounds like mostly a lack of fund raising to operate? James >>> >>> >>> There's several issues that lead to this.� For ages, the financial >>> books were not kept up to date.� From what I recall, some >>> paperwork was lost which made it difficult to impossible to do the >>> needed IRS filings. Things on that part seemed to snowball from >>> there.� In the past few years or so, that has been dealt with and >>> from what I've read, it is now up to date and they are trying to get >>> back in good standing with the IRS and other Govt entities.� I >>> think I read where most of the hard work as already been done, just >>> needs time to kick in.� It isn't hard to get into that situation, >>> it just takes one year with a mistake to trigger bad things.� It >>> takes a lot of work to get it cleared up tho.� All of us should be >>> grateful to the ones who put in the hard work to get that taken care >>> of.� I'm sure it took a lot of effort and time to get that >>> done.� I'm sure it was boring as heck to do as well.� Some of us >>> would likely have no hair left. >>> >>> Another issue, not many want to run the foundation.� The devs >>> mostly want to write code.� They aren't to much interested in >>> running the foundation part of it.� A few do because it is needed >>> and they do their best, some even go far beyond that, but they >>> really want to write code. That's what developers came to Gentoo >>> for after all. Since there is two different bodies that run Gentoo >>> in different ways, it further reduces the number of people wanting >>> to do the job.� The foundation part is from my understanding, >>> bureaucratic paperwork.� Who wants to do that for free?� There's >>> not many. Basically, if you run for a position on the foundation, >>> it's good odds you get it because usually just enough run to fill >>> the open spots.� I often wonder, do they draw straws to pick >>> people to run just so things keep chugging along??� LOL >>> >>> Then there is the costs.� It costs to deal with all the paperwork >>> and filings.� There's state filings as well as federal.� Missing >>> either of those can cause trouble for the other and also get >>> expensive and time consuming to correct.� Again, very few want to >>> deal with it.� The few that do likely do it because Gentoo needs >>> it not because they are jumping up and down wanting to do it.� >>> It's what keeps Gentoo going. It's cheaper to join some other group >>> like has been talked about for years and let them take a percentage >>> of the money and them as professionals handle all that nasty >>> paperwork and filings. >>> >>> My personal opinion.� I'm still leaning to keep Gentoo as it is >>> but I'm not the one doing all the boring work either.� My concern, >>> Gentoo joins some group and it ends badly for Gentoo.� Maybe they >>> screw up something and that puts Gentoo and maybe everyone else in >>> the group in jeopardy with govt entities or lawsuits.� On the >>> other hand, if Gentoo doesn't have the right people, they could do >>> the same thing to themselves.� The people who do run for those >>> seats do try their best even if something goes wrong.� Thing is, >>> it doesn't take much to run afoul of govt entities or trigger a >>> lawsuit. Gentoo has been lucky in that regard. There is no easy >>> answer to this.� Either way has advantages.� Same can be said >>> for disadvantages as well. >>> >>> I'm sure there is more that isn't known to the public and I'm sure >>> some things are escaping my mind at the moment.� Either way, >>> whatever keeps Gentoo going and successful, that is what needs to be >>> done.� Since I don't have a crystal ball, I'm not sure which is >>> best long term. >>> >>> Now someone add more to this.� ;-) >>> >>> Dale >>> >>> :-)� :-) >> >> The referenced article says this: >> >> "Right now we�re already relying on a CPA to handle our filings. >> For a commercial company (we are one now), the cost is $1500 a year." >> >> Seems way too high. I pay $500/yr for a C corp here in Florida; a >> firm that that is "outstanding" with the US IRS. >> >> >> "If we wanted to go for proper non-profit, the estimated cost is >> between $2000 and $3000 a year." >> >> >> Still seems way to high. With Gentoo, we can use Any state, so why >> not move the home to a low cost state? >> >> Many corps use Delaware, just for that reason. > I think most of those listed numbers are not just the official filing > fees, but include paying a CPA to do the filings.
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On 8/28/20 12:33 PM, james wrote: On 8/27/20 10:11 PM, Dale wrote: james wrote: Gentoo, https://blogs.gentoo.org/mgorny/2020/08/25/is-an-umbrella-organization-a-good-choice-for-gentoo/ Surely some of the business/legal savvy folks want to "chime in" on Sir Gorny's proposal? I just read this on 'hacker news' It just sounds like mostly a lack of fund raising to operate? James There's several issues that lead to this.� For ages, the financial books were not kept up to date.� From what I recall, some paperwork was lost which made it difficult to impossible to do the needed IRS filings. Things on that part seemed to snowball from there.� In the past few years or so, that has been dealt with and from what I've read, it is now up to date and they are trying to get back in good standing with the IRS and other Govt entities.� I think I read where most of the hard work as already been done, just needs time to kick in.� It isn't hard to get into that situation, it just takes one year with a mistake to trigger bad things.� It takes a lot of work to get it cleared up tho.� All of us should be grateful to the ones who put in the hard work to get that taken care of.� I'm sure it took a lot of effort and time to get that done.� I'm sure it was boring as heck to do as well.� Some of us would likely have no hair left. Another issue, not many want to run the foundation.� The devs mostly want to write code.� They aren't to much interested in running the foundation part of it.� A few do because it is needed and they do their best, some even go far beyond that, but they really want to write code. That's what developers came to Gentoo for after all. Since there is two different bodies that run Gentoo in different ways, it further reduces the number of people wanting to do the job.� The foundation part is from my understanding, bureaucratic paperwork.� Who wants to do that for free?� There's not many. Basically, if you run for a position on the foundation, it's good odds you get it because usually just enough run to fill the open spots.� I often wonder, do they draw straws to pick people to run just so things keep chugging along??� LOL Then there is the costs.� It costs to deal with all the paperwork and filings.� There's state filings as well as federal.� Missing either of those can cause trouble for the other and also get expensive and time consuming to correct.� Again, very few want to deal with it.� The few that do likely do it because Gentoo needs it not because they are jumping up and down wanting to do it.� It's what keeps Gentoo going. It's cheaper to join some other group like has been talked about for years and let them take a percentage of the money and them as professionals handle all that nasty paperwork and filings. My personal opinion.� I'm still leaning to keep Gentoo as it is but I'm not the one doing all the boring work either.� My concern, Gentoo joins some group and it ends badly for Gentoo.� Maybe they screw up something and that puts Gentoo and maybe everyone else in the group in jeopardy with govt entities or lawsuits.� On the other hand, if Gentoo doesn't have the right people, they could do the same thing to themselves.� The people who do run for those seats do try their best even if something goes wrong.� Thing is, it doesn't take much to run afoul of govt entities or trigger a lawsuit. Gentoo has been lucky in that regard. There is no easy answer to this.� Either way has advantages.� Same can be said for disadvantages as well. I'm sure there is more that isn't known to the public and I'm sure some things are escaping my mind at the moment.� Either way, whatever keeps Gentoo going and successful, that is what needs to be done.� Since I don't have a crystal ball, I'm not sure which is best long term. Now someone add more to this.� ;-) Dale :-)� :-) The referenced article says this: "Right now we�re already relying on a CPA to handle our filings. For a commercial company (we are one now), the cost is $1500 a year." Seems way too high. I pay $500/yr for a C corp here in Florida; a firm that that is "outstanding" with the US IRS. "If we wanted to go for proper non-profit, the estimated cost is between $2000 and $3000 a year." Still seems way to high. With Gentoo, we can use Any state, so why not move the home to a low cost state? Many corps use Delaware, just for that reason. I think most of those listed numbers are not just the official filing fees, but include paying a CPA to do the filings. While certified CPA is not required to do any of those filings, I suspect it is now that way because historically, the volunteer who was supposed to do it didn't. Paying someone does seem excessively expensive, but you know it will get done, and if not, you have some legal recourse. "If we were to pass full accounting to an
Re: [gentoo-user] Gentoo Council vs Umbrella Corp ?
On 8/27/20 10:11 PM, Dale wrote: james wrote: Gentoo, https://blogs.gentoo.org/mgorny/2020/08/25/is-an-umbrella-organization-a-good-choice-for-gentoo/ Surely some of the business/legal savvy folks want to "chime in" on Sir Gorny's proposal? I just read this on 'hacker news' It just sounds like mostly a lack of fund raising to operate? James There's several issues that lead to this.� For ages, the financial books were not kept up to date.� From what I recall, some paperwork was lost which made it difficult to impossible to do the needed IRS filings. Things on that part seemed to snowball from there.� In the past few years or so, that has been dealt with and from what I've read, it is now up to date and they are trying to get back in good standing with the IRS and other Govt entities.� I think I read where most of the hard work as already been done, just needs time to kick in.� It isn't hard to get into that situation, it just takes one year with a mistake to trigger bad things.� It takes a lot of work to get it cleared up tho.� All of us should be grateful to the ones who put in the hard work to get that taken care of.� I'm sure it took a lot of effort and time to get that done.� I'm sure it was boring as heck to do as well.� Some of us would likely have no hair left. Another issue, not many want to run the foundation.� The devs mostly want to write code.� They aren't to much interested in running the foundation part of it.� A few do because it is needed and they do their best, some even go far beyond that, but they really want to write code. That's what developers came to Gentoo for after all. Since there is two different bodies that run Gentoo in different ways, it further reduces the number of people wanting to do the job.� The foundation part is from my understanding, bureaucratic paperwork.� Who wants to do that for free?� There's not many. Basically, if you run for a position on the foundation, it's good odds you get it because usually just enough run to fill the open spots.� I often wonder, do they draw straws to pick people to run just so things keep chugging along??� LOL Then there is the costs.� It costs to deal with all the paperwork and filings.� There's state filings as well as federal.� Missing either of those can cause trouble for the other and also get expensive and time consuming to correct.� Again, very few want to deal with it.� The few that do likely do it because Gentoo needs it not because they are jumping up and down wanting to do it.� It's what keeps Gentoo going. It's cheaper to join some other group like has been talked about for years and let them take a percentage of the money and them as professionals handle all that nasty paperwork and filings. My personal opinion.� I'm still leaning to keep Gentoo as it is but I'm not the one doing all the boring work either.� My concern, Gentoo joins some group and it ends badly for Gentoo.� Maybe they screw up something and that puts Gentoo and maybe everyone else in the group in jeopardy with govt entities or lawsuits.� On the other hand, if Gentoo doesn't have the right people, they could do the same thing to themselves.� The people who do run for those seats do try their best even if something goes wrong.� Thing is, it doesn't take much to run afoul of govt entities or trigger a lawsuit. Gentoo has been lucky in that regard. There is no easy answer to this.� Either way has advantages.� Same can be said for disadvantages as well. I'm sure there is more that isn't known to the public and I'm sure some things are escaping my mind at the moment.� Either way, whatever keeps Gentoo going and successful, that is what needs to be done.� Since I don't have a crystal ball, I'm not sure which is best long term. Now someone add more to this.� ;-) Dale :-)� :-) The referenced article says this: "Right now we�re already relying on a CPA to handle our filings. For a commercial company (we are one now), the cost is $1500 a year." Seems way too high. I pay $500/yr for a C corp here in Florida; a firm that that is "outstanding" with the US IRS. "If we wanted to go for proper non-profit, the estimated cost is between $2000 and $3000 a year." Still seems way to high. With Gentoo, we can use Any state, so why not move the home to a low cost state? Many corps use Delaware, just for that reason. "If we were to pass full accounting to an external company, the rough estimate I�ve been given by Trustees is $2400. So once our volunteer bookkeeper retires, we�re talking of around $4000 + larger taxes for a corporation, or $4500 to $5500 + very little taxes for a non-profit." Again, these numbers are WAY TOO HIGH. Shop around! Many states are way less expensive. Ok so ask why don't I volunteer? I've been using gentoo, since 2002. I have made many enemies, because of my views on
[gentoo-user] Can root verify user is secure?
I noticed some strange behavior recently which has since gone away. >From a security standpoint, if root is hacked I suppose there's no way to know, but if not can I use root to determine whether my user is still secure?
Re: [gentoo-user] new mail protocol rfc (was Re: tips on running a mail server in a cheap vps provider run but not-so-trusty admins?)
On Friday, 28 August 2020 01:30:58 BST Ashley Dixon wrote: > I can't really comment on LaTeX, because I've never really used it; from > the small snippets I've seen, I just assume it's TeX with a hell of a lot > of useful macros. I've always just stuck to TeX, with a copy of the > TeXBook handy. I used LaTeX for a time in the mid-80s. From what I remember, you're right about the macros, but they're a big enough addition to lift the language from assembler to a 'proper' symbolic language - Coral, say, or Fortran. Speaking metaphorically, that is. -- Regards, Peter.
