Beerbelott | I remember having wondered why packages were not delivered over HTTPS and at the time I got the reply that the GPG signature of the packages themselves was sufficient | 00:01 |
---|---|---|
Beerbelott | packages chain-links pwned :) | 00:02 |
KatolaZ | Beerbelott: even if they were delivered via https, you would have been vulnerable anyway | 00:02 |
KatolaZ | 'cause the bug is in the way "Location" headers are handled by apt | 00:03 |
KatolaZ | and this has nothing to do with https, or lack thereof | 00:03 |
KatolaZ | more details in the CVE | 00:03 |
Beerbelott | KatolaZ: It is said HTTPS would have helped as to forge the redirect the attacked would also need to have his hands on the server's certificate, not merely intercept/tamper with packets on a network (never trust it) | 00:28 |
Beerbelott | There is a dedicated part of the blog post about it: https://justi.cz/security/2019/01/22/apt-rce.html | 00:28 |
Beerbelott | attacker* | 00:32 |
Beerbelott | tl; dr does not solve the core problem, correct, but greatly reduces attack surface | 00:33 |
Beerbelott | it's the same plain old debate HTTP vs HTTPS to me, unless I missed sth? | 00:33 |
drwhite | Hi folks, I'm having serious issues with LibVirt and it having access to things. Even XEN can't do things that it has to. | 00:36 |
drwhite | Is this just an issue because of the security on Devuan? | 00:38 |
drwhite | It's run as root | 00:38 |
rwp | Hello drwhite. I am just another user but what specifically are you having problems with? What issues are you having? | 00:39 |
drwhite | Libvirt can't access the certificate that is there. | 00:40 |
drwhite | virtualbricks can't detect qemu version | 00:40 |
drwhite | qemu can't run with XEN. | 00:40 |
drwhite | Whether admin or not. | 00:40 |
rwp | Those are pretty vague descriptions. | 00:40 |
drwhite | They are just the first things. | 00:41 |
drwhite | and they aren't vague | 00:41 |
drwhite | they are specific. | 00:41 |
drwhite | they are 3 issues | 00:41 |
drwhite | is there anyone that can assist with those issues or any one of them please? | 00:42 |
drwhite | I have no idea what is going on, it should work, but isn't. | 00:42 |
Beerbelott | Correct me if I'm wrong, but I guess rwp would like to know commands and the associated errors? Mb a paste is in order? | 00:43 |
drwhite | First issue, not one that I listed.. This one is related to SPICE using LibVirt... | 00:48 |
drwhite | nable to complete install: 'internal error: unable to execute QEMU command 'set_password': Could not set password' | 00:48 |
drwhite | Traceback (most recent call last): | 00:48 |
drwhite | File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper | 00:48 |
drwhite | callback(asyncjob, *args, **kwargs) | 00:48 |
drwhite | File "/usr/share/virt-manager/virtManager/create.py", line 2288, in _do_async_install | 00:48 |
drwhite | guest.start_install(meter=meter) | 00:48 |
* Jjp137 sighs | 00:48 | |
Beerbelott | I guess he is not coming back ^^ | 00:49 |
Criggie | drwhite: do consider using http://pastebin.com/ or similar, rather than dumping a load of stuff in channel. One line paste is fine, two is marginal, any more than 2 lines absolutely use a pastebin-like service. | 00:50 |
Criggie | Oh he hasn't rejoined yet..... *waits* | 00:50 |
Jjp137 | you should probably say that again when he comes back :p | 00:50 |
Criggie | -grin- I remember the days of auto-rejoin..... | 00:50 |
Criggie | bugger me it's 34 degrees outside. *melt* | 00:51 |
rwp | It's -8C here. And windy today. | 00:52 |
KatolaZ | 34 in which scale? | 00:52 |
Criggie | rwp: every wind can be a tail-wind. | 00:52 |
Criggie | KatolaZ: Celsius AND centigrade. Not that impressive, but hot for here. | 00:53 |
rwp | It was quite a headwind driving home from playing in the snow in the mountains. AWOS reporting 19kts gusting 29kts on the nose. | 00:53 |
KatolaZ | Criggie: you must be in NZ or AUS then | 00:53 |
Criggie | I had to go home last night straight into a 30 km/h headwind at ~30 degrees C. It was hard yakka. | 00:54 |
Criggie | normal commute is 60 minutes - yesterday took 90 | 00:54 |
Criggie | ground speed barely passed 20 km/h and not for long. | 00:54 |
Criggie | I should put an airspeed gauge on my bike. | 00:54 |
golinux | It was over nearly 70 F here today. That's about to change | 01:17 |
golinux | Wrong channel for that discussion though. | 01:18 |
watchcat | "I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https." -- the guy who found CVE-2019-3462, https://justi.cz/security/2019/01/22/apt-rce.html | 02:40 |
buZz | https://deb.devuan.org/ gives interesting results ;) | 02:45 |
g4570n | !ping | 03:46 |
infobot | 1 packet transmitted, 1 packet received, 0.0% packet loss | 03:46 |
Xenguy | !pong | 03:47 |
infobot | ping, or also https://en.wikipedia.org/wiki/First_video_game | 03:47 |
redrick | Criggie: Celsius AND Centigrade? How very trans-temporal of you. ;-> | 09:12 |
redrick | I'm officially-not-really awarding you credit for 50 kph pedalling. Wear it proudly. | 09:17 |
watchcat | is there any way to fix the broken apt without using the broken apt? | 10:14 |
gnarface | wget the package manually then install it with dpkg | 10:15 |
watchcat | that would be perfect. what's the url? | 10:19 |
gnarface | i didn't memorize it | 10:20 |
gnarface | pkgmaster.devuan.org something | 10:20 |
Jjp137 | here's the e-mail sent to DNG: https://lists.dyne.org/lurker/message/20190122.152406.07b05a4c.en.html | 10:21 |
redrick | Jjp137: Beat me to that by a few secs. | 10:23 |
redrick | Well, maybe a minute or so. ;-> | 10:23 |
furrymcgee | are redirections of http://deb.devuan.org/merged logged? | 10:46 |
Wonka | *sigh* Failed to fetch http://deb.devuan.org/merged/pool/DEBIAN/main/c/ca-certificates/ca-certificates_20190110_all.deb: 404 Not Found [IP: 131.188.12.211 80] | 10:46 |
iatrogenic | Hello. I've posted this issue before here but I'll restate. Some fonts were aliased, I installed microsoft fonts and it fixed most but the issue remains for websites that use Helvetica. Are there any missing fonts I have to install or is it just something related to this particular font? | 12:34 |
iatrogenic | https://unix.stackexchange.com/questions/145701/how-do-i-diagnose-a-font-rendering-problem | 12:35 |
iatrogenic | In this link they tell me to just replace it. But if possible, I would rather not alter the intended look of the websites I visit | 12:36 |
iatrogenic | Verdana also seems aliased | 12:36 |
iatrogenic | https://i.imgur.com/mQNIjr3.png | 12:39 |
iatrogenic | Well the first 5 do look the same to me | 12:40 |
Leander | do you want to remove aliasing (and have your fonts look ugly), or do you need to adjust it because they look blurry on your monitor? | 12:51 |
iatrogenic | Leander: They do not look blurry. They (now just Helvetica) look aliased, pixelated. I want them to look smooth | 15:20 |
jonadab | So what you want is to turn anti-aliasing on. | 15:41 |
caioau | Hello, I have devuan on my raspberry pi, and I installed in July and never updated the kernel. Am I using an outdated kernel version? It's running Linux rpi 4.14.44+ #1 Tue Jun 5 20:32:40 CEST 2018 armv6l GNU/Linux Thanks | 16:09 |
_stephen_ | Anyone know off the top of their head how much space is needed to create a mirror? I'm using rsync per https://files.devuan.org/MIRRORS.txt | 17:02 |
KatolaZ | _stephen_: ISO mirror or package mirror? | 17:02 |
_stephen_ | Package mirror | 17:02 |
djph | some 2TB, IIRC for a package mirror. | 17:02 |
_stephen_ | Maybe I should just grab the packages for ascii, then... | 17:03 |
KatolaZ | _stephen_: you are reading the wrong howto if you want to setup a package mirror then | 17:03 |
KatolaZ | that's the howto for ISO mirrors | 17:03 |
_stephen_ | I just noticed that... | 17:03 |
KatolaZ | _stephen_: https://pkgmaster.devuan.org/devuan_mirror_walkthrough.txt | 17:04 |
_stephen_ | Thanks! | 17:04 |
KatolaZ | _stephen_: the package mirror is currently around 20GB | 17:04 |
KatolaZ | the reason is that packages that have not been forked by Devuan come directly from Debian | 17:05 |
KatolaZ | through an appropriate set of rewrites | 17:05 |
_stephen_ | So will I need a debian and a devuan mirror to use it offline? | 17:05 |
KatolaZ | _stephen_: more information in the document I linked | 17:05 |
KatolaZ | if you want to use it offline, then yes | 17:05 |
r3boot | I used to manage some debian package repo's (for debian squeeze). Repo size for amd64 was around 70GB back then | 17:06 |
KatolaZ | a full repo with all archs is far larger than that, tbh | 17:06 |
r3boot | (main+contrib+non-free) | 17:06 |
r3boot | oh, yes, indeed | 17:07 |
r3boot | imho, a safe assumption is to allocate some 100GB per arch/release | 17:07 |
KatolaZ | https://www.debian.org/mirror/size | 17:07 |
KatolaZ | r3boot: it's not enough for i386 or amd64 | 17:07 |
r3boot | oh wow, things grew :O | 17:07 |
KatolaZ | the whole thing is around 3TB for all arch and ports, apparently | 17:08 |
_stephen_ | Damn, this looks kind of involved, I was hoping I could just kick off rsync, serve the directory up via http, and have an offline mirror. | 17:08 |
KatolaZ | no _stephen_ | 17:08 |
KatolaZ | you can't | 17:08 |
KatolaZ | as I explained above | 17:08 |
KatolaZ | you can create a local mirror with debmirror or apt-mirror though | 17:09 |
r3boot | what is iyt | 17:09 |
_stephen_ | Yes, as I'm reading. | 17:09 |
r3boot | *what is it you're trying to achieve _stephen_? | 17:09 |
KatolaZ | I guess I posted some HOWTO on dev1galaxy a few months ago | 17:09 |
_stephen_ | To have packages available on an offline network. | 17:09 |
KatolaZ | (maybe more than that, actually) | 17:09 |
KatolaZ | _stephen_: use debmirror then | 17:09 |
r3boot | .. one setup I used to run had squid in front of the repo's, with caching rules that picked up everything | 17:10 |
r3boot | worked pretty well, but you will need special rules for various special files underneath the repo | 17:11 |
KatolaZ | _stephen_: https://dev1galaxy.org/viewtopic.php?id=1571 | 17:11 |
KatolaZ | but you don't actually need devuan-debmirror | 17:11 |
KatolaZ | just plain debmirror | 17:11 |
KatolaZ | with host=pkgmaster.devuan.org | 17:12 |
KatolaZ | and the appropriate keyring | 17:12 |
KatolaZ | (it's at /usr/share/keyrings/devuan-archive-keyring.gpg) | 17:12 |
KatolaZ | _stephen_: https://dev1galaxy.org/viewtopic.php?pid=7712#p7712 | 17:14 |
KatolaZ | this is actually the most relevant reply I guess | 17:14 |
KatolaZ | _stephen_: but please use $remoteroot="merged" | 17:15 |
_stephen_ | Hm. Apparently you have to spell the config file name correctly. | 17:21 |
work25040 | Hello, I have devuan on my raspberry pi, and I installed in July and never updated the kernel. Am I using an outdated kernel version? It's running Linux rpi 4.14.44+ #1 Tue Jun 5 20:32:40 CEST 2018 armv6l GNU/Linux Thanks | 17:22 |
KatolaZ | work25040: do you have any issue in particular? | 17:24 |
work25040 | Katolaz I don't have any issue, I just find this as strange | 17:42 |
KatolaZ | work25040: what do you find strange? | 17:43 |
work25040 | KatolaZ I've been using it for months and the kernel hasn't been updated once | 17:44 |
KatolaZ | work25040: the kernel will never be updated automatically, unless you have installed the package linux-image-$ARCH | 17:44 |
KatolaZ | and issued an apt-get upgrade | 17:44 |
KatolaZ | I would be surprised of the opposite, i.e., if the kernel was actually changed without me noticing it... :) | 17:45 |
fsmithred | 4.14 sounds like an old backports or testing kernel | 17:45 |
KatolaZ | I think 4.14 is the kernel available in the standard arm images | 17:46 |
fsmithred | oh, maybe | 17:46 |
KatolaZ | but parazyd might remember better | 17:46 |
fsmithred | I'm only seeing amd64 here, but there's 4.17, 4.18 and 4.19 backports kernels showing up | 17:46 |
work25040 | KatolaZ thanks, I will do an apt search linux-image, I found this strange because I used to use raspbian and the kernel updated normally | 17:47 |
parazyd | I have this on my todo | 17:47 |
parazyd | The kernels don't update automatically. | 17:47 |
KatolaZ | work25040: if you want to update the kernel, you should install linux-image-${ARCH} | 17:47 |
parazyd | We'll need a separate repo section for all of the boards so we can build kernels on the CI. | 17:47 |
KatolaZ | e.g., linux-image-armhf | 17:47 |
parazyd | KatolaZ: I'm not sure it'll work out. | 17:48 |
KatolaZ | parazyd: if they have the raspberrypi repo, it should | 17:48 |
KatolaZ | (but I might be wrong) | 17:48 |
parazyd | In theory it should conflict with the existing files. | 17:48 |
KatolaZ | ok | 17:49 |
parazyd | In any case it's something to talk over with you. These days even. | 17:49 |
KatolaZ | ok | 17:49 |
KatolaZ | anytime :) | 17:49 |
parazyd | *nod* | 17:49 |
* KatolaZ nods | 17:49 | |
work25040 | KatolaZ, parazyd Thanks | 17:50 |
* enyc meows | 17:54 | |
DocScrutinizer05 | haha nice! >>How many ad blocks could an ad slinger block if an ad slinger could block blocks?<< | 19:37 |
DocScrutinizer05 | wood pecker would peck wood... | 19:37 |
sixwheeledbeast | could block ads surely? | 20:15 |
DocScrutinizer05 | https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/ | 20:23 |
DocScrutinizer05 | aaand | 20:23 |
DocScrutinizer05 | https://securityboulevard.com/2019/01/wi-fi-chip-firmware-flaws-enable-over-the-air-hacking/ | 20:23 |
* DocScrutinizer05 cringes | 20:25 | |
furrywolf | there's a reason I don't use chrome. | 20:25 |
DocScrutinizer05 | 6 billion(!) WiFi chips using this ThreadX firmware | 20:26 |
DocScrutinizer05 | 6E9 | 20:27 |
furrywolf | this is also a good argument for why any project with a major corporate backer should be frowned upon. | 20:28 |
gnarface | did something bring back the nice font rendering? i'm looking at rendered fonts in firefox-esr today on ceres and something seems to have improved subtly... it seems like there's been a fix to the font rendering quality regression i mentioned some months back | 21:35 |
gnarface | i can't think of anything that might have changed other than basic package updates though | 21:36 |
gnarface | has anyone else noticed this, or am i hallucinating? | 21:37 |
Criggie | redrick: chur :) | 21:47 |
redrick | It's a balmy 17 degrees chez redrick. | 21:48 |
redrick | Good weather for being balmy. | 21:48 |
HumanG33k | and another upgrade for libsystemd0 ^^ | 23:23 |