libera/#devuan/ Thursday, 2019-06-20

« Wednesday, 2019-06-19 Index Friday, 2019-06-21 »
* Xenguy waits for the vim and firefox-esr updates...01:18
fsmithredXenguy, auto.mirror.devuan.org ascii-security01:19
palinurohi11:07
gnarfacehello palinuro11:12
jaromilhola12:22
jaromilpalinoro: see also #devuan-dev ;^)12:23
jaromilu12:23
xrogaanis deb.devuan.org not good anymore?13:02
fsmithredxrogaan, I know ascii-security hasn't been updating on pkgmaster/deb.devuan13:04
fsmithredis there something else?13:04
xrogaanwell, I wait for the security update too13:04
xrogaanIf the round robin isn't being updated on time, why use it?13:04
fsmithredif you want a security update now (before pkgmaster gets fixed) use auto.mirror.devuan.org13:05
fsmithredthe problem is not with the mirrors updating; it's in amprolla itself13:07
xrogaanI don't know what that is13:07
fsmithredthat's the software that pulls packages from debian repo and devuan repo and merges them into one13:08
fsmithredand for some unknown reason, it's not pulling from stretch security13:08
fsmithredmirrors in deb.devuan.org pull from pkgmaster.devuan.org13:09
fsmithredmirrors in auto.mirror.devuan.org pull from packages.devuan.org which is working correctly13:10
fsmithredsed -i 's/deb.devuan.org/auto.mirror.devuan.org/g' /etc/apt/sources.list && apt update13:11
fsmithredneed to go out - back in 1513:12
xrogaanyes yes13:25
fsmithredxrogaan, all better now?13:37
AEonFyr_Are the dbus security updates suitably devunaised yet? I'm still seeing *deb9u1 vs *devuan2 when listing upgradeable, but it's been some time, so I'm not certain.14:10
fsmithredAEonFyr_, not yet14:16
AEonFyr_k, thanks, will keep them on the backburner.14:17
xrogaanfsmithred: I was just curious about why use auto.mirror. instead of deb.14:24
fsmithredxrogaan, because right now, auto.mirror is working correctly and pkgmaster is not.14:35
xrogaanYes, I got that :P14:37
fsmithredoh, ok14:37
fsmithredseveral people have asked about it because of new ff-esr14:37
AEonFyrBollocks... Seems I had unattended-upgrades automagically installed on one box and it helpfully already installed the faulty dbus packages. Now trying to downgrade to the previous version of libdbus-1-3 wants to remove some rather important looking packages:15:05
AEonFyrThe following packages will be REMOVED:15:06
AEonFyrconsolekit dbus elogind libpam-elogind libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-backend-consolekit-1-0 libpolkit-gobject-1-0 libpolkit-gobject-consolekit-1-0 packagekit packagekit-tools policykit-115:06
AEonFyrhmmm...15:07
AEonFyrShould I just leave evrything as is? Everything still seems to be running ok as far as I can see.15:08
nemospeaking of security updates15:16
nemowhat's up w/ Firefox ESR 60.7.1 ?15:16
nemoit's in debian stable-sec ...15:16
nemobut don't see it in devuan?15:17
fsmithredAEonFyr, are you trying to install the deb package from /var/cache/apt/archives?15:20
fsmithreddpkg --force-downgrade -i <whatever.deb>15:20
fsmithrednemo, pkgmaster is not updating security repo. You can use auto.mirror.devuan.org instead.15:21
AEonFyrfsmithred, yes. Using: sudo apt-get install libdbus-1-3=1.10.22-1+devuan215:22
nemofsmithred: ack15:22
nemothat seems kind of an important omission15:22
fsmithredagreed15:22
nemodeb http://us.deb.devuan.org/merged/ ascii-security main15:23
nemowhich one is that one15:23
fsmithredAEonFyr, using apt-get tries to pull from mirror. Try installing the old archived debs15:23
nemohm. actually that machine is fine15:23
fsmithreddeb.devuan.org is pkgmaster15:23
fsmithredauto.mirror.devuan.org is packages.devuan.org15:23
fsmithredthe latter is working correctly15:24
* AEonFyr consults man dpkg15:24
fsmithreddpkg --force-downgrade -i <whatever.deb>15:25
nemofsmithred: will this be corrected soon?15:25
nemofsmithred: I think all the devuan machines over here are on deb.devuan.org15:25
fsmithredprobably soon15:25
nemook. just, you know, firefox zero-day... kinda scary15:26
nemofsmithred: is there any reason to prefer one over the other in general?15:26
nemolike apart form this is pkgmaster more reliable ?15:26
nemootherwise I'll just switch all the machines15:26
fsmithrednemo, I'm not sure.15:26
nemohm15:26
nemook. well, will wait a bit then15:26
nemo*from this15:27
fsmithredold idea was to retire packages.do, but then it got upgraded to the new amprolla15:27
fsmithrednoscript15:27
nemofsmithred: hm... so I'm currently on the one that is theoretically the one you guys want to actively maintain in the future.15:32
nemoI did seem to remember having been told to use it in setup ☺15:32
fsmithredyes, and on the website, too15:33
nemoaight. well. I use noscript, so does my coworker.15:33
nemobut still. it's a baaaaaaad bug15:33
nemoso hopefully pkgmaster gets fixed soon15:33
nemolike. really easy to exploit and in the wild15:33
AEonFyrfsmithred: thanks a lot, that pushed them back down nicely. :)15:41
AEonFyr.... and to bring this little saga to an end for those of you following this from home: sudo apt-mark hold unattended-upgrades15:53
AEonFyr.... after removing it.16:06
cosurg1Uh, guys. After dbus update I have this file /etc/dbus-1/system.conf inside which I see "<includedir>system.d</includedir>" with comment:18:20
cosurg1Config files are placed here that among other things, punch holes in the above policy for specific services.18:20
cosurg1do we seriously need to "punch holes" for systemd in some policy?18:20
onefangI thought systemd needed a seriously good punching.  B-)18:21
cosurg1yeah. But can we change dbus a little to remove ths crap?18:21
cosurg1Also, there is a very worrisome diff in file /etc/init.d/dbus18:22
cosurg1This was removed:18:23
cosurg1## do not replace machine-id if uptime is larger than GRACETIME18:23
cosurg1MACHINEID=/var/lib/dbus/machine-id18:23
cosurg1GRACETIME=6018:23
cosurg1It basically means, that my machine-id will never change, so that all corporations can track my PC, regardless of how many adblockers I use.18:23
MinceRpunch a systemd-sized hole in systemd and a dbus-sized hole in dbus to fix problems18:23
cosurg1Also, we should simple set a crontab which recreates machin-id daily, e.g. at 4am.18:24
onefangA big enough hole to drive dbus through?18:24
cosurg1anyway. I will do git revert on this crap in /etc18:24
KatolaZcosurg1: you should probably read the whole diff18:26
KatolaZthe dbus package was patched exactly for that reason18:26
KatolaZlook into start_it_up18:26
onefangAre you complaining about the language in a comment?  "punch holes" in this case is fairly standard nomenclature.18:26
KatolaZit calls create_machineid *always*18:26
cosurg1I see that start_it_up() calls create_machineid once.18:26
KatolaZthen18:27
KatolaZplease read the whole diff18:27
cosurg1I would rather have it called more often.18:27
KatolaZ:\18:27
MinceRa big enough hole to ensure none of it remains :>18:27
cosurg1ok.18:27
Akuliwhere is the diff? /me wants to read too18:29
cosurg1I have it in 'git diff' in my /etc18:30
Jjp137cosurg1, is 1.10.28-0+deb9u1 the version of the dbus update you got?18:30
cosurg1interesting.18:31
cosurg1I did a git checkout to restore old files.18:31
cosurg1Then upon KatolaZ's suggestion I redownloaded it, to examine more carefully. And the changes are not there.18:31
cosurg1Now it's only in my xterm's history18:31
* cosurg1 look closer18:31
KatolaZcosurg1: which package are you talking about, exactly?18:32
cosurg1Jjp137: yes, this version dbus_1.10.28-0+deb9u1_amd64.deb18:32
cosurg1dpkg -S init.d/dbus18:32
cosurg1dbus: /etc/init.d/dbus18:32
Jjp137oh yeah for some reason that got into the repo and that version hasn't been touched by Devuan yet18:32
Jjp137otherwise it would probably have some +devuanx in the version number18:33
cosurg1http://janek.kozicki.pl/tmp/dbus-diff.png18:34
cosurg1there you go guys. Have a look.18:34
Akulito me this seems like it creates a new machine-id on reboot?18:38
cosurg1Ah! OK. Yes, this is definitely version dbus_1.10.28-0+deb9u1_amd64.deb18:38
cosurg1The reason for my surprise was that reinstalling this package did no overwrite those files. It apparently assumed that since files are from correct .deb version, thsy don't need overwriting.18:38
cosurg1I copied them over again. And I have this diff back.18:39
Akulii copied the file to /tmp, ran `sudo apt update` and diffed :D18:39
cosurg1just `git init` in /etc, you won't ever regret that.18:39
Akulithat seems like a good idea18:40
onefangOr try etckeeper.18:40
Akulii'm already familiar with git and i don't like spending time on memorizing commands, so i think i'll use that18:40
onefangWhich basically does that, but tracks apt updates.18:40
Akulicosurg1, you need to run git as root for this though?18:40
cosurg1Hm. Yes, actually I do. And you just remineded me, that git has security holes.18:41
Akuli:D18:42
cosurg1However, I only run a small set of my own scripts in there.18:42
cosurg1Ahhhh! It won't ever end.18:42
Akulimaybe i'll do it dumbly and `cp` my /etc somewhere before git initting18:42
cosurg1The security nightmare.18:42
* cosurg1 goes to the forest, light a fire by the river and sleeps beneath the starts. So peaceful!18:42
cosurg1*stars ;)18:43
* cosurg1 goes to the forest, lights a fire by the river and sleeps beneath the stars. So peaceful!18:43
cosurg1Oh. Now it looks good ;>18:43
cosurg1ok, so what is the conclusion?18:43
cosurg1looks like /var/lib/dbus/machine-id was recreated upon reboot anyway? Before and after this update/18:44
cosurg1?18:44
fsmithredif you have the old debs in /var/cache/apt/archives you can downgrade to the devuan versions of dbus dbus-x11 and libdbus-1-318:44
Akulithe init script seems to start dbus and create the machine-id on reboot18:44
cosurg1Ah. I see now. It actually could survive a little bit longer, after the reboot.18:44
cosurg1KatolaZ: thanks!18:44
fsmithredif you don't have the debs, you can still download them if you specify the verion18:44
Akulii downgraded with 'apt install' and the apt log to get the diff myself :)18:46
cosurg1KatolaZ: my apologies.18:52
cosurg1but I am still suspicious about these two new files: /etc/dbus-1/session.conf /etc/dbus-1/system.conf18:53
KatolaZcosurg1: I am not working on Devuan any more, sorry18:55
KatolaZI am sure somebody else can help you18:56
cosurg1:-((((18:56
cosurg1Is that becaue of that april fool's prank?18:56
cosurg1whoa.18:59
cosurg1I'm sorry.19:00
Akulithat's :(19:47
cosurgi?19:48
Akulithat katolaz doesn't work on devuan anymore19:48
cosurgiyeah, he is the only devuan developer I've ever met here. And frankly one of the best people I've met in my life.19:52
onefangThere's other Devuan devs here.19:53
fsmithredcosurgi, I have those directories in my ascii install that hasn't been upgraded lately19:59
fsmithredthe system.d dir is not about systemd. It's just another .d directory for custom configs20:00
golinuxThere are.  But KatolaZ did a lot of support and worked tirelessly on the backend too.  He is greatly missed,20:02
* furrywolf thought the april fools thing was funny20:02
golinuxI so wish he hadn't shot himself in the foot . . .20:02
* Akuli looks up "the april fools thing"20:02
* MinceR thought it was funny as well20:04
system32>>devuan now uses systemd instead of init v20:05
furrywolfhow did he shoot himself in the foot?  all I remember is a bunch of "oh noes, we don't look PROFESSIONAL enough if we let it show that we have a sensor of humor" whining...20:05
system32april 1st joke20:05
system32it can be a very good prank tho20:05
furrywolfno, this one was that all our pages had been moved to gopher.  gopher forever.20:05
Akulihow does that lead into katolaz's quitting :D20:07
furrywolfmaybe next year we should change all the pages to say that isos will only be distributed by avian carrier?  :)20:07
furrywolfAkuli:  some people have no sense of humor.20:08
onefangThat wasn't the problem, the problem was saying that Devuan's web site had been hacked.20:09
Akulidid you have 3 or more different april fool's jokes?20:09
Akulito me, the website hacked thing seems like it could have been real, i mean why couldn't a website get hacked on an april fool's day20:10
onefangThe "hacked" one was also the "gopher" one.20:10
Evilhamsystem32: maybe next year this should be packaged for devuan: https://github.com/reyk/systemd-openbsd20:17
furrywolfor announce that we've been bought by redhat20:20
furrywolfor that, with the assistance of poettering, we're now launching LinuxD, a single pid1 program that provides your entire linux experience.20:23
r3bootthis kind of stuff belongs to #debianfork, cmon20:27
golinuxThank you r3boot20:52
golinuxThe problem that I had with it is that they were lying and pretending that we HAD been hacked.20:54
golinuxNEVER EVER lie to your users about security.  That is NOT a joke.20:55
fsmithredanyone here running kde? If you started with a fresh kde install, are any xfce4 packages installed that you didn't put there?21:14
xrogaanThey keep comming. https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/23:05
xrogaanGAH!23:05
djph"oops"23:07
« Wednesday, 2019-06-19 Index Friday, 2019-06-21 »

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!