libera/#devuan/ Sunday, 2018-09-30

AMDmi3KatolaZ_: fetch attampt is performed once in around 3 hours, and out of latest 10 attempts there are 4 or 5 failures00:17
golinuxAMDmi3: It is recommended to use the releasename because Devuan and Debian are not always in sync.00:18
golinuxSo try with jessie rather than oldstable.00:19
AMDmi3golinux: but 403 seem to be a problem anyway. I don't care of synchronization to Debian, it's just that release aliases are more convenient for Repology as I don't need to update them for new releases00:28
VajbI have noticed a strange feature in my devuan mate desktop. When screen is locked and blanked and I press a button. It shows my desktop a while before reverting to login prompt. Is ther a way to prevent my desktop showing?01:03
gnarfaceVajb: hard to say, as i don't use mate, but it could be a compositing issue or a video driver issue in theory... do you have any other place to test it for the same behavior?  maybe on something with a different brand of video card?02:13
DocScrutinizer05parazyd: ping02:14
gnarfaceVajb: oh, if you're using xscreensaver for this, it's probably also worth trying to disable "X damage" and screenshotting the desktop02:15
gnarfacecould be a race condition related to how it caches those02:15
Digiti see that mpv bug i mentioned earlier's been fixed upstream  https://github.com/mpv-player/mpv/issues/589004:36
* man_in_shack waves09:07
man_in_shackeudev package in ceres/unstable is bitching about my kernel09:07
man_in_shackreckons udev "since r198" won't work which is a blatant lie :P09:08
man_in_shackchecked my /proc/config.gz and all the CONFIG_s it's looking for are =y09:09
man_in_shackok09:36
man_in_shackthink i've found a side-effect of removing systemd that's not covered (yet)09:37
man_in_shackgvfs expects /run/user/$UID to exist but this is something normally handled by pam-systemd09:37
man_in_shackhuh09:43
man_in_shackopenrc, why do you think alsa-utils needs networking?09:43
man_in_shackand lm-sensors?09:43
man_in_shackok, haven't tracked down my gvfs-fuse issue10:16
man_in_shackbut creating /run/user/$UID via a pam_exec script, now there's gnupg in there10:18
man_in_shackwelp that was fun10:21
man_in_shacklooks like it was netatalk creating random files again10:22
man_in_shackfucking .AppleDouble files10:22
man_in_shackand gvfsd-fuse is now in ~/.gvfs as it should be10:23
man_in_shackso there's something funky going on with my network boot scripts10:57
man_in_shacklooks like something to do with switching to eudev10:58
man_in_shackcould also be a bios bug11:18
man_in_shackfuuuuun11:18
booyah/trololo.uefi11:24
* man_in_shack agrees with booyah11:48
booyahA:/ Problem? [Yes, No, Abort, Fail, Try Again]11:49
man_in_shackhm11:56
man_in_shacktrying with new initscripts11:56
man_in_shacknope11:57
man_in_shacksomething still confusing the network boot script11:57
man_in_shackinit-system-helpers?12:00
* man_in_shack flails at man_in_shack12:00
DocScrutinizer05parazyd: ping14:58
DocScrutinizer05!seen parazyd14:59
infobotparazyd is currently on #devuan #maemo, last said: 'It can even resize a partition in use.'.14:59
DocScrutinizer05:-S subpar implementation14:59
EHeMThe mirror 37.220.36.58 of us.deb.devuan.org is continues to give 403 Forbidden errors.18:29
EHeM^is^still18:30
golinuxKatolaZ: ^^^18:32
nailyk_matrixhi all. As suggested I set up my source.list with pkgmaster.devuan.org . Right now it is resolving to prod.debian.map.fastly.net. Looks like ipv6 is broken on this host.18:42
EHeMWhere did you see "pkgmaster.devuan.org"?  (it needs to be hunted down and fixed)  Currently you want deb.devuan.org.18:44
nailyk_matrixhere. Someone suggested me to use this18:45
nailyk_matrixsame as in the migration guide: https://devuan.org/os/documentation/dev1fanboy/migrate-to-ascii18:46
golinuxnailyk_matrix: I alerted the maintainer of that guide to make those changes but guess he never did.19:21
golinuxI will try to do it later today.19:21
Humpelstilzchen119:21
nailyk_matrixgolinux: any chance I can do it?19:22
golinuxYou would have to have proper permissions to do so.19:24
golinuxAnd if you have ever looked at the code for the website, you might not be so eager to offer.  It is a veritable hairball.19:25
nailyk_matrixxD Thanks then :)19:25
* EHeM has a feeling #devuan has been telling people to correct the hostname, but missing the step of asking of original information source to correct those.19:25
DocScrutinizer05parazyd: ping19:41
Wonka*sigh* Failed to fetch http://deb.devuan.org/merged/dists/ceres/InRelease: 403  Forbidden [IP: 37.220.36.58 80]20:10
WonkaI mean, anything. But 403??!?20:11
golinuxKatolaZ: ^^^20:35
waydotalso the cert is wrong20:38
Wonkawhat cert?20:38
waydotat deb.devuan.org20:39
waydottls20:39
waydotfor https20:39
Wonkaah. hm. well, "deb https" is not widely spread luckily - integrity of "deb http" is still assured by gpg signature, so why bother.20:47
waydot*shrug* i just used my browser to check what happens ... due to hsts it's a showstopper20:51
gnarfacei think that's a known issue20:54
gnarfaceor at least, people were complaining about https breaking their sources.list file before20:54
gnarfacei forget if it ended up getting blamed on their ISP or amprolla ...20:54
gnarfacebut yea for the most part, the security risk is minimal... it exposes your package selection to eavesdroppers but gpg should protect you from any weaponized man-in-the-middle attacks20:56
gnarfacenow, if you start getting spurious gpg validation errors from those packages... don't ignore/silence them.  it's important to know at that point you ARE under attack by someone stupid/desperate/rich20:57
Wonkaack20:57
gnarfaceusually 2 of 3 of those at once is a bad combination20:58
gnarfaceso far i haven't seen any conclusive proof of this type of persistent attack attempt reported in the wild20:59
gnarfacethe https thing i recall from earlier i think we finally chalked it up to a bug or misconfiguration, i'm just not sure who it got blamed on20:59
golinuxDoes https even work on deb.devuan.org?  I thought it didn't, at least at one time.21:00
gnarfacehmmm. you're right, when that came up it was even before the introduction of deb.devuan.org, so i don't know21:01
fsmithredI think the problem with using https with deb.devuan.org is that not all the mirrors use https, and the round-robin can't select for that.21:07
gnarfacethat would make sense21:07
gnarface right, because some stuff has to come from debian repos21:08
dethaAlso, it appears that not all mirrors actually have a certficate for deb.devuan.org21:08
gnarfaceand if debian doesn't require it, that would break21:08
dethaRandomly putting https://deb.devuan.org in a browser yields: "This server could not prove that it is deb.devuan.org; its security certificate is from sagres.c3sl.ufpr.br."21:09
gnarfaceso that one DOES have https enabled, but it's the wrong key21:14
gnarface*wrong cert21:14
gnarfacewhat a mess21:15
dethaThe tl;dr version: getting https working on a motley crew of mirrors, with no central administration, is hard.21:15
waydotwell ... you could share the key :)21:29
waydotor disable https altogether, if it's not needed21:30
dethaYou will have to. That is not the problem. The problem is to get n administrators to all configure it properly, and to update with a new cert+key when it expires.21:30
dethahttps is not needed. But people do not (want to) understand that, and "waaah, no https, it is unsafe"21:31
waydotso, the problem is getting people who know what they're doing ... same old ...22:17
gnarfacewell, keep in mind that lots of these are probably mirrors for other stuff too22:27
gnarfaceso it might not always be as simple as switching the keys22:27
gnarface*certs22:27
dethaConfigure the web server for SNI, deb.devuan.org serves a devuan cert, other mirrors serve whatever other cert.22:29
gnarfacei think SNI kills support for a bunch of legacy microsoft stuff22:30
gnarfaceIE6 and earlier maybe?22:30
gnarfacemaybe something older than that22:30
dethaSomething like that. Nothing that is still supported by MS in any way22:30
gnarfaceyea nothing that is still supported by microsoft, but likely something that is still serving paying clients somewhere, in bulk22:31
dethaMaybe. But all it kills is the ability to use IE6 to view the devuan part of the mirror.22:32
gnarfacehmmm.  is that all?  i thought it also exposed some incidental MITM vector in the client...22:35
gnarfacelike they'd have to suppress an unsafe warning to keep using it22:36
golinuxnailyk_matrix: I made the changes in git but looks like middleman is broken (again) so not getting to the webpage(s).  Hopefully will be fixed soon.22:36
dethaHeh. If they can use it at all. Pretty sure most sites now don't support https for IE6 anyway, because enabling SSL versions that old give you bad scores on the security scanners22:38
waydotindeed22:38
gnarfaceit might have actually been ie4 and earlier22:38
gnarfacethe notes in the default apache configs at least used to say ...22:38
gnarfaceoh22:38
gnarfaceright, there was that other cipher that was a patent trap...22:39
gnarface*and* insecure22:39
waydotit's supported in ie7 on vista and newer22:39
gnarfacei suppose that's a good argument in favor of enabling it22:40
golinuxnailyk_matrix: The ascii upgrade/update pages are now corrected and on the site.23:30
nailyk_matrixThanks !23:35

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!