26[00:13:41] <teclo-> corey1: well, the best language to start
learning programming is Pascal. The Pascal language was created to
teach people structured programming
27[00:13:53] <greycat> Pbbbbt.
28[00:14:28] <greycat> Esperanto was "created" to be
a universal language for humans, but that doesn't make it the
best one to communicate with humans.
29[00:14:54] <teclo-> evening greycat :)
30[00:15:11] <teclo-> greycat: well Pascal is the best language
to teach people programming
31[00:15:19] <teclo-> I mean, as a first language
32[00:15:33] <greycat> A language that can't even open
files by name?
33[00:15:36] <teclo-> then later, one can learn C or C++ or
Java or Python
34[00:15:59] <greycat> Which means every implementation bolts
on their own unique special-snowflake way to open files,
incompatible with every other pascal...
35[00:16:14] <teclo-> well file management in Pascal is indeed
a problem, Niklaus Wirth didn't make an effort on that
36[00:16:29] <teclo-> greycat: well I was gonna say "It
depends on th eim
37[00:16:34] <teclo-> greycat: well I was gonna say "It
depends on the implementation"
38[00:16:47] <greycat> I'd say Tcl and Pascal are both
excellent first languages, but people will yell if you suggest Tcl
because it's not "popular" enough.
39[00:16:59] *** Quits: epony (epony@replaced-ip) (Remote host closed the connection)
40[00:17:12] <abrotman> teclo-: as someone who learned in
Pascal, I would agree if it were 1990 .. Python is better at this
point
42[00:17:49] <abrotman> Pascal has some interesting features,
but so does Ada .. Neither have much practical use today (Ada more
than Pascal, but still ... )
43[00:17:56] <greycat> sorry, I mistyped there, badly.
44[00:18:00] <greycat> I'd say Tcl and Python are both
excellent first languages, but people will yell if you suggest Tcl
because it's not "popular" enough.
45[00:18:31] <jhutchins> I thought lisp was the one created to
teach programming.
47[00:18:37] <sney> if you're going to start on a language
that isn't used by anything in the real world, you may as well
shoot the moon and lock yourself in a room with SICP for a year
48[00:18:48] <greycat> LISP is a little too academic
49[00:18:53] <jhutchins> teclo-: They know a lot more about
good programming practices than they did when pascal was developed.
59[00:20:20] <abrotman> There are lots of beginner docs for
Python, and it's a reasonably extensible language
60[00:20:28] <greycat> Tcl and Python are both good, both are
in use in the real world, both have an *imperative* syntax which is
how people should start learning....
61[00:20:51] <jhutchins> abrotman: Ever done RPG?
62[00:20:53] <teclo-> well it's better to start leaning an
imperative language
63[00:20:54] *** Quits: gelignite (~gelignite@replaced-ip) (Quit: Stay safe! Stay at home! Stop the chain reaction!)
64[00:20:57] <teclo-> learning*
65[00:21:13] <abrotman> jhutchins: yes, sadly
66[00:21:21] <teclo-> and when you know 2 or 3 imperative
languages, then you can learn functional programming
67[00:21:23] <greycat> Pascal isn't the worst choice, to
be sure.
68[00:21:33] <abrotman> jhutchins: RPG IV. XEDIT is the most
infuriating editor I've ever used
69[00:21:49] * abrotman might still have a book around here somewhere
70[00:21:50] <jhutchins> abrotman: You know it's a
software abstraction of the programming patch boards for card
sorting machines?
71[00:22:04] <abrotman> yeah :(
72[00:22:38] <jhutchins> I thought it was fun, but all I had to
do was pass the course.
108[00:40:12] <H-var> will debian become faster in any way, if I
switch to the testing update channel?
109[00:40:20] <H-var> I have a 2008 PC
110[00:40:33] <n4dir> no
111[00:40:35] <sponix> H-var: nope
112[00:40:48] <H-var> H-var: Yes
113[00:41:04] <H-var> thanks, H-var. That's all I needed to
know.
114[00:41:20] <H-var> np
115[00:41:25] <sney> depends on what programs you're using,
sometimes newer versions have efficiency improvements. but mostly it
will be just as fast as stable
116[00:41:33] <n4dir> without any proof it *seems* to me that
systemd isn't outstanding resource friendly. 2008 should (?)
be able to handle it though, i think
121[00:43:02] <n4dir> i guess you did check if abiword and
claws-mail work any better ? web-browsers are not really with an
alternative, if you want the web as is
122[00:43:17] <n4dir> i use falkon, and it is slightly ! less
resource intensive, it seems
123[00:43:22] <H-var> but I have to say the laptop is flying,
man, even when I have all of them opened simultaneously, 4GB ram,
1.4GHz Celeron
124[00:43:23] <sponix> in general software tends to just get
heavier over time. so I think going to a newer software channel with
the expectation of a software speed-up isn't very realistic
125[00:43:51] <H-var> my ram rarely shows anything close to 40%,
and swap is literally never ever touched
126[00:44:28] <n4dir> get yourself a Pentium 4. Or like that.
Big fun.
127[00:44:38] <greycat> With a 12-year-old PC, upgrading to a
newer release runs the risk of losing video chipset support, in some
cases.
128[00:44:44] <H-var> on the other hand, lol, windows 10 was
constantly crashing due to ram, and on windows 7 I couldn't
open more than 1 tab on firefox, and everything else had to be
closed
129[00:44:54] <H-var> otherwise, firefox would crash all the
time
130[00:45:10] <greycat> Or maybe 12 years isn't quite old
enough to have to worry about that, I dunno.
131[00:45:39] <H-var> I tried sylpheed but the problem I have
with it is that its spam filter sucks
132[00:45:42] <n4dir> i sure had more than one machine that old
or way older. But most of them had intel graphics. That said i
didn't run in any problems
133[00:46:02] <H-var> firefox's anti-spam is amazing, and
super precise
134[00:46:09] <H-var> sorry thunderbird's
135[00:46:14] <n4dir> probably i simply got used to lousy
graphics :-)
147[00:59:22] <H-var> thunderbird is really the best on windows
indeed, but on linux there are some major issues with it, even the
most basic stuff, like the lack of translation packs, or weird bugs
which existed since 2015 (I googled), like for example a bug that
makes you send a letter twice, even though you sent it only once,
etc
148[01:00:09] <H-var> it's kinda just a mess, and feels
more like a lousy windows port than an actual program
149[01:02:32] <sney> a non-enterprise gui email program is kind
of a weird thing in 2020, I wouldn't be surprised if mozilla
dropped it entirely in the next while
150[01:02:42] <H-var> it's really weird to me that linux
has always been the best option when you talk networking, but then
at the same time, it lacks such a basic thing as an advanced mail
client - all of the clients available for free on linux are inferior
to their analogs on windows, and that's just not right man
160[01:10:07] <sney> quadrathoch2: really just that the Average
User who isn't at a business with a built-in IT infrastructure
is usually going to use a web browser for email. standalone
pop3/imap clients have been diminishing in popularity for years.
161[01:10:35] <jmcnaught> Earlier I asked about moving /boot and
/boot/efi from one drive to another. I recreated the two
filesystems, copied the files, updated /etc/fstab, but I was unable
to mount the new ESP at /boot/efi. After a netinst rescue mode boot
I was able to run update-grub in a chroot. Debian is now booting
from the new drive.
162[01:10:44] <derpadmin> sney, which is a shame
163[01:10:59] <H-var> n4dir abiword is interesting, but it lacks
spreadsheets, and other stuff - it's just literally word, and
that's it
164[01:10:59] <sney> I'm sure if/when mozilla drops
thunderbird, someone else will pick it up and maintain it, and ofc
stuff like mutt will always be around, but you know
167[01:12:05] <derpadmin> sney, there is k9 on mobile, I use
kmail on kde (not sure if thunderbird based though)
168[01:12:09] <quadrathoch2> sney, yeah I am still looking
around for a good email client (gui, gtk based). mutt is great, but
for me rather only the backup plan
169[01:12:39] <jmcnaught> evolution?
170[01:13:05] <lnxslck> thunderbird?
171[01:13:30] <quadrathoch2> is evolution a suite (in the
direction of outlook)
172[01:13:36] <quadrathoch2> ?
173[01:13:52] *** Quits: niko (~niko@replaced-ip) (Ping timeout: 615 seconds)
183[01:16:53] <quadrathoch2> and afaik they are using a
nonstandard compliant imap, but can't remember if it still is
184[01:17:55] <H-var> sney I don't have to do anything - on
thunderbird I just entered my login, and then thunderbird put me
through oauth2 process and next moment I was already connected
185[01:18:03] <jmcnaught> rander2: can you make a paste of
"apt policy ruby-http-parser.rb ruby-http-parser ; apt
policy" ?
186[01:21:51] *** Quits: tangarora (~tangarora@replaced-ip) (Remote host closed the connection)
224[01:46:45] <HelloShitty>
[5688:1124/004550.619791:FATAL:setuid_sandbox_host.cc(157)] The SUID
sandbox helper binary was found, but is not configured correctly.
Rather than run without sandboxing I'm aborting now. You need
to make sure that
/home/psysc0rpi0n/Downloads/spark-wallet-0.2.17-linux-x64/chrome-sandbox
is owned by root and has mode 4755.
271[02:25:24] <scrul00se> HelloShitty: If you want to make it
work without giving SUID root to some third-party binary,
there's a workaround for that too
replaced-url
518[07:19:25] <uplime> if I want to specify that an interface in
/etc/network/interfaces should only get an ipv4 address from dhcp,
and not an ipv6 address, is there a directive I can use? I looked on
google, but the closest thing i could find was disabling it via
sysctl
542[07:37:49] *** Joins: conta (Thunderbir@replaced-ip)
543[07:39:59] <sney> uplime: see interfaces(5), if you
don't have 'inet6' specified then ifupdown will not
get you an ipv6 address, via dhcpv6 or anything else. but link-local
stuff still happens in the background.
544[07:40:58] <sney> since squeeze, we're supposed to be
able to disable ipv6 at boot by adding 'ipv6.disable=1' to
the kernel command line. I haven't tried it though.
545[07:46:10] <uplime> ah, that makes sense. link-local is
probably what im seeing then
546[07:46:22] <uplime> i disabled it with the sysctls though so
problem solved anyways
547[07:46:28] <uplime> thanks for the info sney
548[07:48:16] <sney> np
549[07:48:52] *** Quits: psych094 (~Thunderbi@replaced-ip) (Quit: Hope to be back soon! 👋)
573[08:12:21] <tohoyn> I get the following error message:
"dh_autoreconf: error: debhelper compat level specified both in
debian/compat and via build-dependency on debhelper-compat"
even though I have removed debian/compat
574[08:12:43] <tohoyn> I use gbp buildpackage and sbuild
575[08:13:23] *** Quits: ohwowlol (~ohwowlol@replaced-ip) (Remote host closed the connection)
576[08:13:23] <themill> sounds like you've not actually
removed debian/compat
577[08:13:55] <tohoyn> debian/compat is not present in the
directory tree
578[08:14:03] <themill> deleted but not committed perhaps?
579[08:14:12] <tohoyn> and it is not present in the generated
...*.debian.tar.xz
580[08:14:36] <tohoyn> the deletion is committed. I just checked
581[08:15:31] <tohoyn> I'm running the build command again
597[08:29:22] <themill> tohoyn: do you have something in
debian/rules that is specifying the compat? (DH_COMPAT is the
environment variable from memory)
672[10:06:49] <Lope> is there a way to run my systemd service at
shutdown (ExecStop) Before blkdeactivate? is there some proper name
for blkdeactivate? I see blkdeactivate in my verbose previous
shutdown journal
802[11:37:57] <ksk> Rob_Jones: you need to actually make the
directory where you chroot to have all the things needed (tm)
803[11:38:14] <ksk> !chroot
804[11:38:14] <dpkg> To chroot into your Debian system boot to
your Debian install disk/live CD, switch to the other console
(Alt-F2). Mount your root filesystem with "mount -t ext2
/dev/whatever /target" and make /dev, /proc and /sys usable
with "mount --rbind --make-rslave /dev /target/dev ; mount -t
proc none /target/proc ; mount -t sysfs none /target/sys". You
can then chroot into the system with "chroot /target".
810[11:39:22] <Rob_Jones> was gunna say that makes no sense
811[11:39:23] <ksk> If you call chroot(), you change the root
directory ("/") of the processes running from that point
on, meaning /var/projects/public_html becomes / for the user logging
into (s)ftp.
812[11:39:28] <Rob_Jones> but the directory does exist
813[11:40:03] <ksk> this means, that things that normally are
provided by your Debian Linux system (Like the Shell, /bin/sh), and
other stuff(tm), need to be there
814[11:40:05] <Rob_Jones> chroot does sort of work now except i
get this
815[11:40:15] <Rob_Jones> /bin/sh: No such file or directory
816[11:40:37] <ksk> I did read that, and am already responding
to it with my last three postings.
901[12:53:34] <L0aD1nG> I would like to tell you a weird
situation that i ve experienced installing Debian 10 on an old asus
netbook, the bios had not an option about legacy/uefi(i didnt know
if the netbook supports uefi). The bootable usb stick was booting in
both modes mainly in uefi i tried to install it on uefi mode, the
installation was going smoothly until it was arriving in grub
then the installer was crashing and even
902[12:53:36] <L0aD1nG> the netbook was crashing i wasnt able to
power it off via the power button i was unplugging the AC. Finally i
booted it from usb until it gave me bios mode (legacy) and i
installed it.
916[13:04:46] <f-a> not strictly a debian question but…
when I connect to an ssh server, now and then I lose connection. On
my client, my screen freezes and I have to kill the pane, open a new
one, restart ssh
917[13:04:59] <f-a> what is a sensible way to achieve
persistency? tmux on the server machine?
943[13:14:24] <L0aD1nG> now debian is up i am on the terminal
(didnt install any graphics with the installer) and i see that i
miss the ifconfig command...
944[13:14:39] <f-a> oxek: super idea
945[13:15:17] <oxek> f-a: and look up theming for tmux, so that
you get different colors on client & server
947[13:21:25] <rootkea> Hi! I have a question regarding
libinput. I installed Debian 10.6.0 on 3 machines - Dell Inspiron,
Acer Aspire and Lenovo Ideapad and each time I had to copy
/usr/share/X11/xorg.conf.d/40-libinput.conf to /etc/X11/xorg.conf.d/
as suggested here
replaced-url
948[13:21:26] <rootkea> libinput?
949[13:22:20] *** Quits: kreyren (~kreyren@replaced-ip) (Remote host closed the connection)
1027[14:35:41] <EdePopede> just downloaded a pdf i'm afraid
to open. already made qpdfview use 50% right from the start, unable
to kill -15 it (60% RAM instead, and then 70% CPU), had to -9.
pdf2ps also goes mad, at least -15 worked.
1028[14:35:51] <EdePopede> can i extract individual pages at
least somehow?
1045[14:43:34] <EdePopede> i think i'll install
poppler-utils and run some checks on the PDF later, our local trash
calendar is a horror to open already, but this one really tops it.
1048[14:44:18] <shtrb> could it have some JS or network resource
inside it ?
1049[14:44:19] <rootkea> Hi! To fix "user is not in the
sudoers file" I read 2 solutions 1. visudo (editing sudoers
file) 2. add user to sudo group. What's the difference between
these two approaches? Does adding user to sudo group automatically
add "user ALL=(ALL:ALL) ALL" to /etc/sudoers (the first
approach)?
1061[14:47:36] <rootkea> shtrb, So `adduser user sudo` should be
used to fix "user is not in the sudoers file"?
1062[14:47:37] * shtrb just imagined a pdf file that has some JS , with
a client cert to access corporate site, over to some node-js and all
that just for some kind of a fancy form
1065[14:48:41] <EdePopede> they did a good job with their
software downloads/disks over the decades, from 2
"similar" sources this was always my starting point,
i'm really not concerned.
1075[15:01:05] <rootkea> Btw, I see "user ALL=(ALL)
ALL" been recommended many times over and over without any
counter... Guess I need to read man sudoers to understand what does
that line mean exactly and why it shouldn't be preferred over
`adduser user sudo`
1144[15:57:40] <dob1> I don't understand why fail2ban
doesn't send the notification email. I changed mta in jail.conf
to mail because I don't have sendmail but it still doesn't
work
1145[15:57:49] <dob1> I don't find any logs about some
errors
1152[16:02:16] <jelly> dob1: you don't have ANY
/usr/sbin/sendmail installed?
1153[16:02:20] <ahylight> out of curiosity, can a linux username
have a '/' (forward slash) in it?
1154[16:02:41] <dob1> jelly, no
1155[16:02:47] <dob1> ah sbin
1156[16:03:00] <dob1> jelly, I have it
1157[16:03:33] <def_jam> hey do i need to set up resolv.conf when
i have set up my nameservers in /etc/systemd/network/enp233.network
1158[16:04:08] <def_jam> the dns servers in resolv.conf are
different to the ones i chose to use via systemd
1159[16:04:12] <dob1> jelly, but still no mails
1160[16:04:20] <def_jam> i am having problems pinging a name from
user ..yet i can ping it from root
1161[16:04:21] <jelly> dob1: then keep the default value. When an
app says it needs "sendmail" what it actually needs is
/usr/sbin/sendmail command providing a specific API. Doesn't
have to be Sendmail.
1239[17:14:32] <ealfonso> hi. my beep isn't working even as
root: "sudo env -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER -u
SUDO_UID /usr/bin/beep -f 440". I also tried "sudo
modprobe pcspkr" and checked alsamixer beep volume.
1271[17:27:00] <thither> I have an encrypted LVM partition for /.
When I set it up I mistakenly didn't allocate all of the free
disk space to the volume group. Is it possible to resize it? All of
my tools say there's no free space, presumably because
it's encrypted.
1277[17:30:06] <BugHunter1000> Hey guys, I hope that this message
will be taken with the genuine desire to help that it is intended,
but has anyone run "debsecan" recently and seen the
hundreds of vulns in a base install? I was always of the view that
Debian is secure and stable, but this is very concerning to me.
Thanks for your time.
1278[17:30:57] *** Quits: tagomago (~tagomago@replaced-ip) (Remote host closed the connection)
1280[17:32:16] <ratrace> BugHunter1000: that's normal.
expecting no vulns at all, in any distro, is unreasonable
1281[17:32:52] <dob1> no way, I am not able to understand why
fail2ban is not sending the notification mail...
1282[17:33:04] <BugHunter1000> ratrace: I respectfully disagree
that hundreds of cve's in a base install can be considered
normal in any way. Arch for example shows very few with arch-audit.
1283[17:33:11] <ratrace> Debian, like other major distros, does
security best effort, and the priority are RCEs and local priv
escalations. many CVEs are theoretical, hard to exploit or very low
impact, those are treated last
1284[17:33:26] <ratrace> BugHunter1000: you're assuming arch
db is complete
1285[17:33:35] *** Quits: darunesh (~darunesh@replaced-ip) (Remote host closed the connection)
1286[17:33:39] <BugHunter1000> ratrace: do you have a reason to
think the db is broken?
1289[17:34:31] <thither> BugHunter1000: what kind of CVEs are you
seeing that worry you?
1290[17:34:42] <thither> A lot of CVEs are non issues
1291[17:34:51] <ratrace> another thing to consider, debian has to
backport fixes, where arch just bumps a package to newer version,
and by virtue of that, can get the fix faster
1292[17:35:02] <scrul00se> thither: I'm reasonably sure
it's possible, but I wouldn't say it'll be simple
replaced-url
1293[17:35:56] <thither> Thanks
1294[17:36:02] <ratrace> all that said... I stopped considering
Debian as a security-centric distro because indeed it's too
slow in my opinion with some fixes. this especially happens around
release freeze time...
1295[17:36:26] <petn-randall> BugHunter1000: For example,
debsecan shows me ansible-doc is affected by CVE-2020-1736. I'd
say it's not.
1296[17:36:35] <ratrace> for many things, debian's policy to
keep things "stable" is often in direct conflict with
"secure"
1297[17:36:43] <petn-randall> BugHunter1000: The reason is that
debsecan apparently scans by source package, not binary package.
1298[17:37:10] <petn-randall> ratrace: What? That makes zero
sense.
1299[17:37:38] <petn-randall> How are stable and secure
conflicting goals? "secure" is part of being
"stable".
1300[17:37:53] <BugHunter1000> yeah no offense but that sounds
like koolaid to me
1301[17:38:05] <ratrace> because of the way debian achieves this
"stability". or else chromium would'be fixed looong
time ago
1303[17:38:36] <ratrace> ie, cherry picking fixes instead of
doing complete version bumps, which leads to issues and inability to
backport without a lot of work
1304[17:38:58] *** Quits: rany (~rany@replaced-ip) (Remote host closed the connection)
1305[17:39:04] <petn-randall> ratrace: But browsers are the one
thing that regularly *do* get version bumps in stable ...
1306[17:39:16] <ratrace> except chromium
1307[17:39:16] <BugHunter1000> i mean it's nice to have
stuff like firefox esr where you don't mess with anything but
fixes, i agree with that
1317[17:48:04] <ratrace> okay then... how about saddns
(CVE-2020-25705).... still unfixed in debian.... which makes all the
debian servers with a resolver currently open to abuse and dns
poisoning, unless the admins mitigated that by dropping icmp
altogether
1352[18:03:41] <BCMM> petn-randall: what counts as RC?
1353[18:03:58] <sney> sometimes an effective patch isn't
immediately forthcoming, or it only targets the bleeding edge
upstream release and needs work to backport to stable, etc
1354[18:04:08] <sney> it's not an instant drive-thru
transactional thing
1356[18:04:29] <petn-randall> BCMM: "If you set up your
package in a very stupid way, and you trigger this CVE, which
involves users ignoring warning signs and actively participating in
the CVE, then this is a security hole" are CVEs that I'd
count as low.
1357[18:05:36] <BCMM> right, but the unpatched issues in chromium
don't seem like that sort of thing
1358[18:05:47] *** Quits: chipxxx (~androirc@replaced-ip) (Remote host closed the connection)
1359[18:05:55] <petn-randall> BCMM: For example, in ansible
there's a CVE that only affects installations that have their
playbooks world-writeable. But having them world-writeable is a HUGE
security risk in itself, much larger than the CVE. Would you
consider that CVE release-critical?
1360[18:06:04] <petn-randall> *There was
1361[18:06:05] <BCMM> it seems odd to me that it hasn't
simply been removed, but i don't know enough about
debian's processes to understand why that's happening
1362[18:06:08] <petn-randall> I actually fixed that one.
1363[18:06:09] <BugHunter1000> petn-randall: some of the vulns in
debsecan are marked low urgency for that reason, some however, are
not.
1365[18:06:46] <epictetus2> how do i install a newer version of
firefox in buster?
1366[18:07:13] <petn-randall> BugHunter1000: That tool in itself
is not really useful. It doesn't tell you if those CVEs are
remotely exploitable, if they need user interaction, if you need to
configure things in a certain way for the CVE to apply, etc.
1368[18:07:53] <BugHunter1000> petn-randall: what is your
preferred tool for keeping track of the documented, public
vulnerabilities present in your freshly-installed system?
1369[18:08:21] <petn-randall> BugHunter1000: What would help
though is if there would be a flag if it affects default
installations, and then it calls dpkg to check if the default config
is in place.
1370[18:11:12] <dob1> I am trying to identify where is the
problem with fail2ban and its mail report. looking at mail.log there
is nothing so I can assume that it doesn't even try to send the
email, right?
1371[18:11:18] *** Quits: Razva (uid17541@replaced-ip) (Quit: Connection closed for inactivity)
1381[18:13:29] <sney> how does fail2ban do it, with
/usr/bin/sendmail or smtp directly, etc?
1382[18:13:31] <petn-randall> BugHunter1000: I personally leave
it to the security team to keep track of that, they do a much better
job than I do. Sometimes I keep track of high profile CVEs, but
they're usually fixed within a day in Debian.
1383[18:14:09] <epictetus2> how should i go about installing the
latest firefox version on buster?
1384[18:14:20] <ratrace> from snaps or flatpaks
1385[18:14:32] <dob1> sney, in the configuration I have to
configure mta as sendmail
1386[18:14:44] <ratrace> dob1: is the ban logged in fail2ban.log
?
1387[18:14:51] <dob1> ratrace, yes
1388[18:15:02] <petn-randall> BugHunter1000: It's important
to know that every CVE is marked as "open" by default, and
only closed when it's actually fixed. Even if it doesn't
affect default installations, or is only exploitable in combination
with software not in Debian. Because someone might install that
software locally.
1389[18:15:03] <BugHunter1000> petn-randall: so what you're
saying is, debsecan is the best tool available
1392[18:15:40] <petn-randall> BugHunter1000: Other distros might
have different policies, and mark a bug as closed even if
they're just as "vulnerable" as Debian.
1393[18:16:09] <ratrace> dob1: and you've enabled the action
on the jails you want to monitor by mail?
1394[18:16:31] <petn-randall> BugHunter1000: I guess, it really
depends on what your overall goal is.
1395[18:16:40] <ratrace> BugHunter1000: no, it's the worst.
The best you can do is sub to various security mailing lists and
trackers and DIY
1400[18:17:22] <dob1> ratrace, from what I know (and I tested on
an old version of debian) it's enabled by default in jail.conf
you just override this behaviour with jail.local or with conf files
in jail.d
1401[18:18:03] <ratrace> dob1: afaik it's not enabled by
default
1402[18:19:12] <epictetus2> im running stable on my work station.
am i not supposed to do that?
1406[18:20:19] <ratrace> epictetus2: there is no latest firefox
packaged in stable. only firefox-esr. if you want latest, install
via snaps or flatpaks.
1407[18:20:37] <CrystalMath> eww, snaps
1408[18:20:48] <CrystalMath> i prefer the Eric S. Raymond version
of Firefox
1409[18:21:47] <BCMM> epictetus2: FYI the firefox version in
Stable isn't *just* an outdated version. It's the ESR
version.
1410[18:21:58] <ratrace> isn't "outdated" at all
then
1411[18:22:02] <BCMM> epictetus2: so it's missing some newer
features, but is *is* kept up-to-date with security issues
1412[18:22:04] <CrystalMath> i like to call it the Eric S.
Raymond version
1413[18:22:07] <CrystalMath> because ESR :P
1414[18:22:09] <BCMM> ^it *is*
1415[18:22:14] <CrystalMath> (but it really means Extended
Support Release)
1417[18:22:52] <ratrace> outdate = out of date; obsolete ---
oxford dictionary. firefox-esr is neither out of date (it's at
latest ESR version) nor is it obsolete
1418[18:22:55] <BCMM> epictetus2: i know that doesn't help
much if you need a new feature, but i thought i'd mention it in
case you were worried about the security implications of running an
old firefox release
1426[18:27:11] <BCMM> epictetus2: the latest Firefox is going to
be a little bit faster, but the version that's in Stable now
contains the really big performance improvements of the last few
years
1427[18:28:46] <ratrace> dob1: awesome. careful with that tho,
might get an email storm in some cases
1428[18:28:56] <BCMM> (it *was* pretty annoying using Firefox ESR
before Quantum landed in that release channel)
1431[18:29:08] <scrul00se> epictetus2: FWIW, I *think* once
Bullseye gets released, the mozilla.debian.net repo will be back to
having a backport of Firefox "release" for stable
1432[18:29:18] <epictetus2> i see. thanks. i only noticed that my
ublock origin wasnt the latest version. but maybe thats just the
plugin distribution that is late
1439[18:33:48] <netx> FWIW, I eventually gave up on Debian
packages for Firefox and use Flatpak, now that Mozilla supports
Flatpak as a first-class distribution mechanism.
1440[18:33:51] <netx> And I've never relied on Debian
packages for browser extensions -- they just change too rapidly.
1442[18:34:30] <netx> A caveat with Flatpak is that you need to
migrate any .mozilla configuration over, as Flatpak uses its own
configuration under ~/.var
1448[18:38:09] <netx> I actually don't mind it too much, as
it allows me to keep ~/.mozilla/ unpolluted by newer-than-ESR
configuration, in case I feel the need to fall back to the ESR
build.
1449[18:38:26] <netx> But so far that hasn't been the case.
1450[18:39:12] <ratrace> btw you can't reuse the profile
1451[18:39:24] <ratrace> between ESR and non-ESR versions, you
can't reuse profiles
1452[18:40:05] <scrul00se> netx: I'm right there with you on
the extensions. Those I let Firefox handle its own way. Personally I
run testing on my desktop systems, and add unstable sources —
with apt default-release set to testing — so it's
generally pretty painless to have the Firefox package from unstable
1453[18:41:06] <ratrace> that's called a frankendebian in
these circles
1455[18:42:35] <netx> I'm a stable (+ select backports) guy
in almost all respects. If current-Firefox makes it back into
backports (or some other similar mechanism) I'll happily ditch
the Flatpak version.
1459[18:43:05] <scrul00se> ratrace: Hmm. If I'm updating a
web browser manually with apt install -t and aborting if it wants to
pull in a bunch of libs, how Franken- is it really?
1465[18:44:22] <dpkg> When you get random packages from random
repositories, mix multiple releases of Debian, or mix Debian and
derived distributions, you have a mess. There's no way anyone
can support this "distribution of Frankenstein" and
#debian certainly doesn't want to even try. Ask me about
<reinstall>
1467[18:44:57] <netx> scrul00se: a problem I've run into
with that type of setup is that, when you update it today, the deps
changes are reasonable, but when you go to update it tomorrow, it
might try to break everything.
1468[18:45:00] <netx> And then you have to choose between not
updating at all, or manually rolling back everything.
1471[18:46:59] <petn-randall> netx: firefox (non-ESR) will never
make it into backports, because it would first have to migrate to
testing, which it will never do because it can't be supported
over a stable cycle.
1473[18:48:16] <scrul00se> I guess that raises a different
question then: is there a "right" and/or
"supported" way to run Firefox *release* version on Debian
at all?
1480[18:49:23] <scrul00se> Won't result in a bot echo
telling me "There's no way anyone can support this
"distribution of Frankenstein" and #debian certainly
doesn't want to even try. Ask me about <reinstall>"
would be a start ;-)
1482[18:50:04] <netx> Yeah, I'm aware of the issues. My
personal opinion (which I know is not shared by the debian project)
is that for some kinds of apps, like browsers, there is no real
"stable cycle".
1483[18:50:06] <netx> IMO, a "stable web browser" is
about as useful as a "stable time zone definition" b/c
like time zones, the web does not sit still.
1484[18:50:25] <petn-randall> netx: There's already
firefox-esr and that work pretty fine.
1487[18:52:08] <alex11> esr works ok for me now but things start
getting deprecated the longer we go into the esr lifecycle and
debian insists on using the oldest possible esr that's still
supported instead of offering the newer esr
1495[18:55:22] <petn-randall> alex11: You can always upgrade to
newer firefox, but seldomly downgrade.
1496[18:55:33] <scrul00se> petn-randall: But isn't
installing stuff with third-party shell-script installers also
squarely in "Gah! You broke everything and no-one can help
you!" territory? (that is "the way Mozilla offers
it", I think?)
1497[18:55:52] <ratrace> alex11: through a firefox online/cloud
thingy account I think
1498[18:56:14] <petn-randall> scrul00se: Sure, but you still
might get help in here. If you mix stable and unstable, you
definitely won't.
1499[18:56:28] *** RhineDevil^ is now known as RhineDevil
1500[18:57:00] <petn-randall> scrul00se: We definitely support
users trying to get things done in here, we just don't support
ways known to be broken.
1504[18:57:46] <alex11> oh right firefox has the cloud thing,
whatever it's called
1505[18:57:49] <alex11> firefox sync i think
1506[18:58:00] <petn-randall> scrul00se: The upstream firefox
installer doesn't require root, so the possible damage done can
only affect the user's home dir.
1507[18:58:08] <alex11> but who knows, maybe i just stay on esr,
depends how things go
1508[18:58:10] <scrul00se> petn-randall: Huh! I wouldn't
have expected that to be where the line is. Learn something every
day!
1509[18:58:49] <petn-randall> scrul00se: Worst case is you'd
have to delete ~/my_firefox_install/ and start over.
1510[18:58:57] <jmcnaught> At least use firefox-esr until you
actually find some site that's broken.
1515[19:01:11] <ratrace> installing firefox into ~/ is not a good
idea. code should never, except in carefully curated circumstances,
have the ability to modify itself.
1516[19:01:15] *** Quits: chele (~chele@replaced-ip) (Remote host closed the connection)
1520[19:01:49] <alex11> really? that's what i've been
doing... TIL
1521[19:02:02] <ratrace> or more precisely, installing FF (or any
program) as the user that will also run said program, should be
avoided where possible
1526[19:05:27] <petn-randall> I'd also go with /usr/local/,
and belonging to root for most programs. But in the case of firefox
the built-in updater won't work, and requires manual updates.
And IMHO known security holes in FF due to late updating are a
higher risk than user-writeable firefox installation.
1531[19:06:41] <netx> I'm on the fence about this. In a
genuine multi-user environment, sure what ratrace said. But on my
own system, in which I'm the sole user?
1532[19:06:44] <netx> I really only care about the contents under
~ and if a program gets remotely hacked, ~ is exposed to attack
regardless of whether the program can modify itself.
1533[19:07:19] <netx> unless you have apparmor or selinux set up
properly, and that's pretty rare...
1534[19:07:52] <ratrace> petn-randall: it's not like
there's a choice between the two... installing as, say, root
and updating frequently aren't in contradiction
1535[19:08:03] <ratrace> and really if the user is lazy......
just friggin flatpak or snap the thing :)
1536[19:08:37] <ratrace> netx: well I have AppArmor on my firefox
and most of WAN facing programs
1537[19:10:06] <netx> so you're part of the 1 out of 1000
;-) i had it set up on an older system years ago but it was a PITA,
so when I got this system, I never bothered getting it working
1545[19:12:14] <ratrace> yeah hard and in conflict with
convenience. most users prefer convenience
1546[19:12:19] <netx> Pretty much the only thing I really worry
about are my SSH and PGP keys, all of which live only on a Yubikey
and an air-gapped computer.
1550[19:15:31] <alex11> i don't think i have pgp keys and my
ssh keys are chmod 600
1551[19:16:10] <netx> ratrace: Are there any good guides/configs
for Firefox/mutt/etc for AppArmor (bonus if on Debian) nowadays? Or
did you build them yourself by trial and error?
1552[19:16:29] <ratrace> I built them myself
1553[19:16:40] <ratrace> there exists a FF profile in
apparmor-profiles but it's terrible
1554[19:16:58] <netx> :-(
1555[19:17:30] <ratrace> it's not difficult once you
understand the MAC concepts. there are tools that help you build the
profile from denial logs, so it's just a matter of covering all
use cases and tuning.
1556[19:17:37] <alex11> i understand problems in testing/sid for
obvious reasons but i hope the programs/configs in Stable are mostly
sane
1560[19:20:17] <netx> My biggest issue last time I used apparmor
(and also selinux, professionally) was things would fail silently,
and then you'd have to realize it might be a MAC error, and
then dig through audit logs to confirm.
1562[19:20:58] *** Quits: conta (~Thunderbi@replaced-ip) (Quit: conta)
1563[19:21:10] <netx> I'd really love some kind of applet or
notification mechanism that you could install for a specific user
that would alert when (possibly whitelisted) apps encounter MAC
denials.
1572[19:28:56] <netx> (By "install for a specific user"
I mean, you'd need to whitelist a user for it, b/c you
certainly don't want to allow arbitrary users to plumb audit
logs.)
1576[19:33:07] <ratrace> netx: a properly set up system should
have NO audit logs except in case of an actual hax attempt. meaning,
one should monitor them and react to them. my systems produce 0
denial logs, unless I borked policy or there's an actual xploit
going on
1577[19:33:28] <ratrace> unfortunately, SELinux tends to train
people to ignore the myriad of denials stemming from bad or
incomplete policies
1593[19:36:24] <ratrace> well there. ideally there should be an
nvidia profile and a profile transition from FF to nv, but.....
eh.... running proprietary code in ring0 under xorg is kinda making
all this a Security Joke of the Decade.
1595[19:36:54] <ratrace> shtrb: you can also shush a denial if
you want it to remain a denial. just add a "deny"
modifier, explicit denials aren't logged.
1603[19:37:45] <ratrace> deny them and see what happens.
1604[19:38:30] <ratrace> building my own profiles I caught
programs doing terrible things. like wine crap (I run steam under a
custom AA profile, so it's proton/wine thing) tryinna write to
/<somerandom-uuid-looking-file>
1607[19:39:37] <ratrace> steam is a terrible invasionware.
I'm running it as a completely separate user because I
can't be assed to fine tune each game's access into ~/
1608[19:39:44] *** Quits: conta (~Thunderbi@replaced-ip) (Ping timeout: 260 seconds)
1613[19:40:11] <netx> I guess to restate, my biggest problem is
that MAC denials usually fail silently, which means step 1 of
"your program is acting weird" is remembering/recognizing
that it might be a MAC denial. I guess once you've got that
mindset you're good.
1614[19:40:54] <ratrace> right. that happens when a program fails
in a section that doesn't expect failure so it's not loud
about it. frankly, that's a bug in the program.
1617[19:41:50] <netx> yeah, but I'm betting on heat death of
universe happening before programs (in general) being written to
expect failures due to MAC denial :-(
1618[19:41:59] <ratrace> but anyway, you don't need to
"train" yourself to check denials. you should have
monitoring in place and get alerted when there's a denial.
intrusion detection is one of very important parts of the security
onion
1619[19:42:21] <ratrace> netx: the programs don't do
anything special "due to MAC denial"
1620[19:42:45] <ratrace> programs should inspect error state
after _every_ (sys)call that can throw an error, and then handle it.
1626[19:46:21] <ratrace> part of my real time logwatch across
servers. there's also tools like `logwatch` but afaik they
don't work realtime and I'm not sure how easy it is to
write custom metrics
1628[19:48:22] <ratrace> this is just a quick bash whip, I intend
to replace it with a proper journald API python daemon that will do
the real time metrics I'm interested in, and run custom
actions, beside emailing, like saltstack event triggers.
1629[19:48:53] <jelly> isn't "realtime logwatch"
either Splunk if you got good money, or ELK if you got less money?
1635[19:51:13] <jelly> GNU\colossus: okay, needs another letter
in front then
1636[19:51:31] <GNU\colossus> jelly, ELK can also be made to be
really nice :)
1637[19:51:39] <GNU\colossus> the setup at my previous job was
pretty amazing
1638[19:52:05] <GNU\colossus> and nowadays, between elastic
common schema and beats with magical auto-setup, you can get rather
close to that in no time
1639[19:52:13] <jelly> sure, but as with any open source clone,
you trade your hours and sometimes hardware for ease of use
1688[20:40:46] *** Quits: Nokaji (~Nokaji@replaced-ip) (Quit: "... when the freedom they wished for most was
freedom from responsibility then Athens ceased to be free and was
never free again.” ~ Edward Gibbon (1737-1794) - Decline and
Fall of the Roman Empire, 1909)
1725[21:00:02] <timur_davletshin> It's old good dejavu, just
improved.
1726[21:02:52] <jelly> my fonts need to either have a clean
vertical alignment, or give me a 300+ dpi screen. If there's
anything fuzzy my brain can't deal with it and there's
going to be a headache
1727[21:02:53] <timur_davletshin> Ubuntu is fine but it is not
updated for a very long time.
1757[21:14:40] <timur_davletshin> Not sure about terminal, but in
editors it looks weird.
1758[21:14:57] <grondilu> Where is the appropriate place to clone
a github source tree and compile it ? /usr/local/src sounds obvious
to me but it's usually not writable by normal users. Should I
remain in $HOME ?
1759[21:16:17] <nkuttler> grondilu: i use ~/local for the build
and ~/src for the source
1760[21:16:49] *** Quits: ov3rmind (~over0-07@replaced-ip) (Remote host closed the connection)
1767[21:21:44] <timur_davletshin> wrksx, I find Fira's
hinting ugly on lodpi devices (look at those jumping numbers). Hidpi
looks better but not ideal.
1790[21:32:52] <wrksx> timur_davletshin: I feel lucky I
didn't witness that. Hate those standing out numbers. But
thanks for introducing me to the concept of hinting, I knew it was
there without ever having heard of it.
1791[21:33:11] <timur_davletshin> wrksx, Fira Sans btw is no
longer developed. Use FiraGO.
1828[21:46:14] *** Quits: Sigyn (sigyn@replaced-ip) (Quit: i've seen things you people wouldn't believe.
spam bots on fire off the shoulder of sigyn. i watched k-line beams
glitter in the dark near the Tannhäuser Gate. all these moments
will be lost in time, like tears in rain. time to /die)
1870[22:15:41] <Franciman> sney, sorry, can you suggest a source
for learning about kernel
1871[22:15:45] <Franciman> and related stuff?
1872[22:15:55] <sney> !kernel handbook
1873[22:15:55] <dpkg> The Debian Linux Kernel Handbook
replaced-url
1874[22:16:03] <sney> kernel.org has docs as well
1875[22:16:11] <Franciman> thanks
1876[22:16:18] <sney> np
1877[22:16:27] <Franciman> then I wanted to ask, is there an easy
way to rebuild the debian kernel
1878[22:16:33] <Franciman> with other settings?
1879[22:16:34] <sney> the handbook has that
1880[22:16:46] <Franciman> hm ok, thanks
1881[22:17:27] <sney> but last time I did it, the procedure was
basically, copy the config to /usr/src/linux with your changes,
'make oldconfig' then 'make deb-pkg'
1926[22:56:52] <n4dir> i think .profile only gets sourced if you
login in via startx.
1927[22:56:58] <jmcnaught> bash only uses .profile when it is
invoked as a login shell. For regular interactive shells (like
running a terminal emulator, or opening a new tmux window(?), it
only uses .bashrc.
1928[22:57:04] <n4dir> mywiki.wooledge.org has a page about it,
to be sure
1929[22:57:26] <jmcnaught> grondilu: "man bash" the
section titled INVOCATION has more details about this.