libera/#maemo/ Thursday, 2018-06-07

04:13 <jonwil> hmmm, getting newer OpenSSL to work on Maemo QT isn't as easy as I thought. There is a Debian patch for QT4 but that's for 4.8.7, we only have 4.7.4
06:11 <jonwil> I think I got a solution now.
06:30 <Oksana> Sounds nice. Will it help with getting MicroB to work with some of those stubborn websites?
06:33 <jonwil> Nope, this is OpenSSL and QT, not microb-engine
06:33 <jonwil> which uses NSS
06:34 <jonwil> The work to get Firefox 24 going is a different project
06:34 <KotCzarny> i wonder if there is a way to make nss use openssl
06:34 <jonwil> Nope
06:35 <jonwil> Getting FF24 to work is still the best option.
06:35 <jonwil> I need to go back and see about grabbing debug symbols for Firefox 24 on Linux and see if those debug symbols contain any useful info about how FF24 was compiled.
06:35 <jonwil> Official Mozilla FF24 that is
06:36 <KotCzarny> https://rcritten.fedorapeople.org/nss_compat_ossl.html
06:36 <KotCzarny> but that's backwards
06:39 <jonwil> Getting FF24 going will give you more than just TLS 1.2
06:39 <KotCzarny> https://roumenpetrov.info/e_nss/
06:39 <KotCzarny> hmm
06:40 <jonwil> That's an engine to allow OpenSSL to read NSS certificate databases and such
06:41 <jonwil> So that doesn't do anything useful.
06:41 <KotCzarny> uhhum
06:42 <jonwil> trust me when I say getting FF24 going is the best hope for a browser that supports TLS 1.2
06:42 <jonwil> unless you find some weird hacky webkit fork that can be compiled properly on the ancient versions of the libraries the N900 is stuck at
06:48 <Oksana> Firefox 24 does sound nice.
06:57 <jonwil> Getting Fahrplan going again is important to me so I can do transport journey planning when I am out and about :)
06:58 <jonwil> hence why I am putting the effort into OpenSSL and QT
07:05 <Oksana> Nice :-) Would Gtk+ applications be able to use the OpenSSL? Or would it require specific adaptation, like Qt does?
07:06 <KotCzarny> i don't think gtk is the same level of toolkitness as qt
07:06 <KotCzarny> maybe glib has some connectivity functions
07:49 <ceene> jonwil: the QT thing, I did something to it to use openssl1.0
07:50 <ceene> you have that on my repos too
07:51 <ceene> https://github.com/agamez/qt-x11-maemo/commits/RemoveSSL3 this branch should have been merged on maemo's n900, but i think nobody finally did it, even though it was approved
07:51 <ceene> approved or whatever the process is to have patches applied to maemo repos
07:51 <ceene> i don't remember the bureaucracy of that
07:51 <parazyd> jonwil: You do realize FF24 has like, a hundred CVEs?
07:51 <ceene> and also you have https://github.com/agamez/qt-x11-maemo/commits/UpgradeSSL
07:51 <ceene> which does compile against newer openssl
07:52 <ceene> and backports support for new protocols: tlsv1_1, tlsv1_2
07:56 <Maxdamantus> Could always just write some tun-based proxy that everything is routed to.
07:58 <Maxdamantus> Browser just has some self-signed certificate that matches every host, gets routed through the tun proxy, using its old version of OpenSSL, tun proxy then connects to the actual IP address using its newer version of OpenSSL, doing host verification, etc
08:03 <jonwil> GTK doesn't have any networking code at all
08:04 <jonwil> It's just a UI toolkit
08:04 <jonwil> Any GTK app can use OpenSSL 1.1.0h no problems
08:05 <jonwil> The removessl thing is already on the cssu version of QT and already in CSSU
08:06 <jonwil> So nothing needs to happen there
08:08 <jonwil> The upgradessl stuff is for 1.0.x, the debian patch makes everything work for 1.1.0h (much better to use 1.1.0 with less bugs etc than 1.0.x)
08:08 <jonwil> And I see nothing specific that makes it hard to get that going
08:09 <jonwil> As for FF24, I bet the 1.9.2 based microb-engine has a lot of security flaws as well
08:10 <jonwil> I doubt upgrading to FF24 is going to make things any LESS secure
08:10 <parazyd> ¯\_(ツ)_/¯
08:10 <KotCzarny> i just hope it will be usable
08:10 <KotCzarny> not that many exploits would work on n900
08:11 <KotCzarny> ';)
08:13 <ceene> ah, so debian already has patches for qt4+openssl1.1?
08:13 <ceene> didn't know that
08:13 <jonwil> Yes they do
08:14 <ceene> well, so much better then
08:14 <jonwil> They have a patch for OpenSSL 1.1 support on QT 4.8.7 which I need to get going on the QT 4.7.4 we have
08:14 <jonwil> No-one is going to write something that targets an exploit in an ancient version of Firefox that has been fixed for years now, let alone one running on a linux armel target (as opposed to android)
08:15 <jonwil> Not when they can write an exploit for Windoze and get far more machines infected
08:15 <KotCzarny> i suspect even static arm binaries might fail because of old kernel
08:16 <jonwil> I already have the results of compiling the FF24 tree running on my device (so libxul.so etc) with http://conkeror.org/ as the front end.
08:16 <jonwil> So it's definitely working.
08:16 <jonwil> A long way from where I need it to be but it's definitely at least working.
08:17 <jonwil> So we know it's ok in regards to dependencies, kernel, libc, gtk etc
08:17 <ceene> not to be confused with https://konqueror.org/
08:18 <jonwil> I did have to turn off a bunch of stuff though including gstreamer, WebRTC, WebM and a bunch of audio stuff like ogg.
08:18 <jonwil> But other than that it's definitely usable and working :)
08:18 <ceene> i don't think i've ever run any of those things on my pc
08:18 <jonwil> You will have if you are running a recent browser and e.g. accessed YouTube
08:18 <KotCzarny> jonwil, most people need functionality for utility sites
08:19 <KotCzarny> so audio isn't on top of the needed features
08:19 <KotCzarny> and might even be good because it will use fewer resources
08:20 <Maxdamantus> but not in microb/rtcom-messaging-ui, right?
08:20 <KotCzarny> i would like functioning browser, no need for device wide engine
08:22 <Maxdamantus> Can already do that with a debian root (oldstable's xulrunner is also version 24 iirc)
08:26 <jonwil> My end goal is to hopefully replace microb-engine without breaking anything (except possibly support for the piece of garbage known as Flash)
08:29 <jonwil> Although given how slow conkeror was when I tried it, I think I need to see if there are more optimization flags I can turn on (either mozilla config options or compiler/linker flags)
08:29 <KotCzarny> thumb?
08:29 <KotCzarny> ;)
08:29 <jonwil> Anything that doesn't require a new kernel is an option I will consider :)
08:30 <KotCzarny> i think all kernels in any cssu support thumb binaries
08:30 <jonwil> Except that CSSU doesn't install a new kernel
08:31 <jonwil> I have everything from CSSU-testing running on my phone right now and I am still running the stock Nokia kernel
08:31 <Maxdamantus> Nothing should install a new kernel except the user.
08:31 <KotCzarny> ho hum
08:31 <Maxdamantus> but cssu does have custom kernels.
08:32 <jonwil> CSSU-thumb does
08:32 <jonwil> CSSU-devel does
08:32 <jonwil> But cssu-testing and cssu-stable do not
08:33 <jonwil> I know for sure cssu-devel has a custom kernel since I accidentally screwed up my phone by installing the modules for it by mistake without installing the kernel itself (thankfully I ended up finding a solution)
09:40 <sixwheeledbeast^> CSSU -devel is just a repo of random devel packages, it's not a "standard" repo to pull everything from.
09:43 <sixwheeledbeast^> You can install KP or "kernel-cssu" from thumb repo for thumb support.
10:31 <jonwil> Yeah I learned from that mistake pretty quickly and now I know to be more careful in what I install from cssu-devel
15:46 <DocScrutinizer05> wrap the damn browser into a chroot
15:51 <DocScrutinizer05> for messing with repos: http://maemo.cloud-7.de/maemo5/usr/local/sbin/enable-catalogs
15:52 <DocScrutinizer05> even speedyham is a PITA to enable/disable repos
15:54 <DocScrutinizer05> enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs standard    at very least runs unattended, though also several minutes
15:55 <DocScrutinizer05> or
15:56 <DocScrutinizer05> enable-catalogs save tmp&&enable-catalogs all&&apt-get update&&apt-get install foobar-devel;enable-catalogs tmp&&enable-catalogs delete tmp
15:57 <DocScrutinizer05> might make a wrapper out of this, s/foobar-devel/\$1/
16:00 <DocScrutinizer05> install_X_with(){ enable-catalogs save tmp&&enable-catalogs ${2:-all}&&apt-get update&&apt-get install $1;enable-catalogs tmp&&enable-catalogs delete tmp; }
16:01 <DocScrutinizer05> install_X_with foobar-devel allPlusThumb
