this is #debianan IRC-Channel at freenode
(freenode IRC service closed
2021-06-01)
0[00:00:05] <ratrace> perhaps solve one problem at a time?
about asterisks, if that's default installer's encryption
setup, which is cryptsetup initramfs-tools scripts, then yes,
it's showing asterisks. dunno if you can disable that
1[00:00:46] <hendursaga> Well, it wasn't before, when it
wouldn't accept my password, previous install. (See above)
25[00:08:46] <ratrace> I mean there's really not many
options. gnome and sway. KDE's kwin is getting there, and ....
what else is there? xfce has no wayland compositor afaik
52[00:19:00] <ratrace> btw, even if you use the wayland
protocol for gnome/mutter, the system is still going to install,
and use, Xorg. xwayland is needed to run programs that don't
yet work under wayland. that should be transparent tho, but keep in
mind that xorg might still be running
101[00:44:02] <ratrace> what's a firewall for usb ports?
102[00:44:26] <Taserface> a wut
103[00:44:40] <ratrace> the only thing that I can imagine coming
close to that is part of grsec patches, it's no longer freely
available, since kernel 4.9
104[00:45:07] <ratrace> ie. prevention of USB devices from
changing from, say, a mouse, into a keyboard, like
"BadUSB" xploit
111[00:47:12] <kingsley> Maybe I owe you an apology for not
prefacing my question with the explanation that a little-known
security vulnerability is running malware in USB device controllers,
like in thumb drives.
116[00:49:39] <ratrace> I was actually thinking about using an
RPI to plug unknown usb devices into it, instead of my workstations
or servers.
117[00:50:02] <ratrace> like have an actual physical separation
for badusb things
118[00:50:13] <ratrace> airgap'd
119[00:51:31] <koollman> that reminds me of a feature I wanted
to have for a while ... basically disabling usb hotplug, and making
everything 'manual' for each usb device listed
120[00:52:50] <ratrace> look at the usbguard package then, it
does that, you specify rules, which usb ids may connect on which
ports
175[01:15:08] <ratrace> I know in the past amd drivers used to
be... unkind.... to their old models, but I don't think
that's the case now with amdgpu in the kernel
225[01:36:43] <ratrace> weird string, but I guess that is
running on the GPU indeed. now whether something is fully
accelerated, dunno, opengl can run in software what's missing
on the hardware
226[01:37:03] <hendursaga> Yeah I've done a *bit* of OpenGL
coding before
227[01:37:06] <hendursaga> Royal pain
228[01:37:24] <ratrace> right, so you know. but if gnome is
snappy... and that thing IS a hog, then you're damn well
accelerated :)
229[01:37:42] <hendursaga> Anyway, fingers crossed, my system is
finally up and running! Thanks!
230[01:38:04] <hendursaga> And no, it's not snappy, it just
doesn't take 30 seconds to open Konsole :P
259[01:53:05] <ratrace> none whatsoever. I haven't had a
DVD drive since ... 2014?
260[01:53:24] <brachamh> oh? all bluray? or no optical?
261[01:53:29] <ratrace> no optical
262[01:53:34] <brachamh> ah
263[01:53:49] * dvs blinds ratrace
264[01:54:39] <ratrace> brachamh: there was some silly named
library you needed to have installed in order to work with .... copy
protected DVDs
265[01:54:39] <brachamh> i'm trying to transfer my
reasonably extensive dvd library to hard drive to use in emby
266[01:55:11] <brachamh> ratrace: yes, libdvdcss2
267[01:55:14] <brachamh> got it
268[01:55:46] <ratrace> hmm that, yes ... but I was thinking of
libass which is ... related :)
269[01:56:23] <brachamh> handbrake still won't transcode
some discs. installed makemkv which worked for one disc, but now
it's saying the region code is wrong for the disc that is the
sequel to the one i just ripped
274[01:58:02] <ratrace> libass! renders your ass files!
275[01:58:23] <brachamh> just searched it...libass9 library for
SSA/ASS subtitles rendering
276[01:58:28] <ratrace> yeah :)
277[01:59:13] <brachamh> that's what could be causing it to
hang?
278[01:59:21] <ratrace> now let's get that banned like
libweboob. Lib Web Ob.
279[01:59:54] <ratrace> brachamh: no no, that was the silly
named library I remembered in relation to DVDs, but it's
libdvdcss thingy that you _need_ strictly, I misremembered.
280[02:00:02] <brachamh> oh!
281[02:00:07] <brachamh> ok, that makes sense lol
282[02:00:12] <ratrace> it's also illegal in some parts of
the world, so caveat emptor
283[02:00:30] <brachamh> ok. well i have libdvdcss2 already
284[02:00:37] <brachamh> which is why most discs are working so
far
317[02:14:00] <ratrace> try massive VM hosts. can take hour(s)
to fully boot
319[02:14:18] <sney> ok, fine, but that is probably not relevant
in Taserface's case.
320[02:14:29] <ratrace> try large storage solutions hosting zfs
or btrfs with tens of thousands of snapshots, mountpoints, datasets,
.... that can take ages...
321[02:14:42] <ratrace> ah, probably not. I was referring to
"no system" :)
322[02:14:59] <Taserface> I ran mkswap on the swap part (long
story) and I guess the UUID changed
323[02:15:05] <sney> I type too fast to account for every plot
hole. mea culpa.
324[02:15:22] <Taserface> so bootup is like "swap part not
found, please wait 90 secs. And please wait 90 secs again."
353[02:21:43] <sney> zfs is maintained by a team, which would
probably welcome a new member. and it looks like rtorrent's
actual maintainer hasn't uploaded anything since 2015, so there
is clearly room for new volunteer work there too
354[02:21:44] <Taserface> there's a deb right there
<points at repo>
357[02:22:55] <Taserface> where did I get "nobootwait"
from?
358[02:23:00] <ratrace> Taserface: you never replied to my
question. and I'm having a suspicion you have that
"mkswap'ing encrypted swap with random key on boot"
thingy, so every time it has a different uuid .. which is solvable
with partlabels
361[02:23:40] <Taserface> I was temporarily using the part for
something else
362[02:23:53] <Taserface> so it is re-mkswap'd part
363[02:24:49] <sney> SponiX: anyway, I became the hexchat
maintainer for a couple years via using the ssb and uupdate
processes to build it for myself based on debian's old xchat
packages... if you find that the tools are "easy" then
there's room for you to do stuff too
364[02:24:53] <Taserface> (nobootwait appears to be an old flag
that disappeared)
365[02:24:58] <Taserface> (FYI)
366[02:24:59] <ratrace> Taserface: still, consider using
partlabels
367[02:25:08] <Taserface> yeah I just realised I can do that :)
368[02:25:15] <Taserface> then I just have to remember to set
the label
369[02:25:42] <Taserface> at least then I only have myself to
blame
370[02:26:00] <ratrace> should be second nature when you
parted the disk on installation :)
371[02:26:19] <Taserface> that was the debian installer, that
did that
399[02:56:00] <brachamh> hahahaha! so i decided to try the disc
that wouldn't work in a different machine, and what do ya know,
it is transcoding as i type
538[07:03:14] <Sean_McG> hi, is there a channel where I can get
help if I am a beginning packager and am stuck on something?
539[07:04:11] <JackFrost> On the OFTC IRC network yes, if you
plan to package something for Debian's repositories then
#debian-mentors, if it's just for you then #packaging on OFTC.
540[07:04:13] <JackFrost> !oftc
541[07:04:14] <dpkg> OFTC is the Open and Free Technology
Community, a support/collaboration service. They have an IRC
network: irc.oftc.net. You may (or may not) be connected to
OFTC's network.
replaced-url
542[07:04:29] <Sean_McG> ahhhh OK, thanks
543[07:04:50] <Sean_McG> (it is something just for me... for
now, anyhow)
620[08:55:05] <Gertm-> I'm trying to make a fully automated
debian install USB stick but I'm having trouble getting things
exactly right. Does anyone have experience with that?
621[08:56:08] <oxek> anyone know if this security issue
replaced-url
661[09:44:52] <ratrace> oxek: you can easily verify it: a) if it
has a CVE you can look up; b) see which codeset is changed with the
fix, then find if that codeset exists in the tag that corresponds to
version included in debian
694[10:08:27] <ratrace> well lets see if the "fix"
introduced more bugs.....
msgBox.setDetailedText(QObject::tr("Blocked URL:
\"%1\"").arg(url.toString())); ? srsly? using
unsanitized input value? nice.
771[10:36:00] <jelly> it would be a problem if the function was
printf-like and took a format. If it takes a string it's safer.
772[10:36:17] <ratrace> there once existed a SELinux CVE where
the attacker could trigger a denial which in itself wasn't an
issue. only when the admin looked at it with setroubleshoot, where
the actual vuln was, the system could be exploited
773[10:36:41] <ratrace> any external input could be used in any
number of unexpected ways, if bugs exist. never use unsanitized
inputs, ever.
775[10:37:33] <ratrace> similarly there are xss attacks against
web systems that log errors. the vuln is in the part where the admin
looks at the logs through the UI.
776[10:38:22] <oxek> aren't you gonna end up with an
"infinity" problem that the function that sanitizes
untrusted input is actually handling untrusted input?
777[10:38:45] <ratrace> I've just grown an allergy to
unsanitized input use, over the years :)
779[10:39:25] <ratrace> oxek: that wasn't unheard of :)
780[10:39:27] <oxek> I'm the same, just wondering if
there's something I don't know about passing strings into
a QT message box.
781[10:40:43] <ratrace> oxek: strings don't really exist in
C. Even in C++, strings are basically pointers wrapped in a class.
"strings" in C(++) are an unending source of vulns,
history has shown.
787[10:42:35] <ratrace> and to me, it's really insane to
actually log and display to the user, a string you actually found
illegal and are blocking. that's like.... ironic code is
ironic.
788[10:43:33] <oxek> you're right. Thanks for
explaining.
789[10:45:07] <ratrace> and while on offtopic of vulns, we
haven't heard the last of Baron Samedit. new CVEs to follow.
792[10:47:41] <oxek> I've read it a few times that sudo
likely has lots of undiscovered issues
793[10:47:49] <oxek> but what could we replace sudo with?
794[10:47:58] <oxek> it's such an integral piece of any
linux system nowadays
795[10:48:52] <oxek> and I'm definitely not gonna write
code that deals with delegating root privileges.
796[10:49:02] <oxek> probably very few people would want to
write such code
797[10:49:18] <ratrace> see that's the problem these days.
"replace with". NOTHING. any replacement, if written from
scratch, is a pile of NEW bugs, SOME of which are reinvented again
798[10:49:42] <ratrace> what we do need, is fix sudo/broken
code. not rewrite anew. doas and friends are knee jerk reactions
that, ironically, had CVEs of their own. Har har har. Har.
799[10:49:43] <oxek> but replacing stuff means it can be written
in a memory-safe language instead, thus eliminating an entire class
of security bugs
800[10:51:07] <ratrace> new things, new functions can be written
in memory safe langs. for existing code, if it ain't broken,
don't fix it. if it is, fix it, don't rewrite from
scratch, unless the code is really so buggy and broken and it
doesn't matter
801[10:51:16] <ratrace> (sudo ain't in that class, btw)
802[10:54:59] <jelly> would you say openssl was in that class
803[10:55:09] <oxek> sudo should indeed be old enough to not
have any massive issues in it anymore, but openssl would be a good
counterexample
804[10:55:20] <oxek> I don't have anything against sudo
personally
805[10:55:25] <oxek> or openssl
806[10:55:28] <oxek> I use both
807[10:55:29] <jelly> old != sane
808[10:55:50] <oxek> true
809[10:56:06] <jelly> see also: gnupg. screen, probably.
810[10:56:34] <azeem> gnupg is being rewritten in rust by the
sequoia team
811[10:56:34] <ratrace> jelly: probably not. it has been looked
at extensively since 2014, a bunch of CVEs were ferreted out with
all those audits, and openssl is now back to quiescent state.
812[10:56:58] <oxek> makes me wonder why libressl still exists
then
813[10:57:03] <azeem> also, libressl seems to have quieted down
again
814[10:57:05] <azeem> heh
815[10:57:16] <ratrace> oxek: because it's another knee
jerk reaction
816[10:57:23] <jelly> ratrace, it's still horrible.
824[10:59:32] <ratrace> problem with crypto is that even if you
rewrite it in memory-safe langs, the code conceptually is such that
logical bugs could exist that have nothing to do with memory safety.
wrong bit in a wrong place turning sha1024-rust into
sha1-bit-rust-herp-derp-we-borked-it
825[10:59:41] <jelly> polar is a different lib I think
827[11:00:23] <ratrace> let's not forget what debian did to
openssl a buncha years back and reduced the keysize from billions to
64k :) because someone cleaned up code. wasn't memory safety
bug. it was a logical error.
828[11:00:42] <jelly> !dsa1571
829[11:00:42] <dpkg> Due to a weakness in a random number
generator, keys generated after 2006-09-17 (using openssl 0.9.8c-1
and later) need to be regenerated with a newer openssl (at least
0.9.8c-4etch3). See
replaced-url
830[11:01:06] <ratrace> !dsa1571 jokes
831[11:01:07] <dpkg> For some light relief between changing your
keys, see
replaced-url
870[11:22:04] <themill> zfs problems have nothing to do with the
DFSG. There is no clause in the DFSG that says that you can't
do this. Both CDDL and GPL-2 are perfectly fine licences according
to the DFSG.
871[11:23:37] <jelly> but you have to store them separately as
two components, and mix right before use
896[11:32:41] <jelly> TASK [aminvakil.mysql_initial : Change
root user password on first run] ********
897[11:32:41] <jelly> 228
898[11:32:41] <jelly> fatal: [instance]: FAILED! =>
{"censored": "the output has been hidden due to the
fact that 'no_log: true' was specified for this
result", "changed": false}
899[11:32:43] <jelly> 229
900[11:32:55] <jelly> why was I not kicked!
901[11:33:14] <aminvakil> that's because mariadb is not
started i suppose
902[11:33:17] <jelly> aminvakil, ^ that's what seems to
fail
906[11:34:04] <aminvakil> here i just executed "systemctl
start mysqld" and after 15 min it timed out
907[11:34:25] <themill> /kick jelly
908[11:34:49] <aminvakil> in the log you're referring to i
execute "journalctl -n 100 | cat" to see if i can find
anything in journal and i saw mariadb stuck in reloading after it is
installed
909[11:34:52] *** ChanServ sets mode: +o jelly
910[11:34:57] *** jelly was kicked by jelly (jelly)
934[11:56:12] <RoyK> hm... [Tue Feb 9 14:54:03 2021] sd 0:0:1:0:
[sdb] Assuming drive cache: write through <-- Any idea why it
would assume this? it's Dell storage behind vmware
replaced-url
936[11:59:26] <ratrace> the storage driver is reporting
writethrough cache maybe?
937[12:02:29] <ratrace> is *not reporting
938[12:02:41] <koollman> RoyK: basically, it means it could not
find out the disk type when sending a scsi command to find out about
cache. But it's optimistic and decides to use cache through.
It's not a problem
975[12:32:15] <hwm4rgs> gogs is sort of a dead project and it
left a bad taste in my mouth when they wouldn't fix the cookie
XSS vulnerability they had (have?)
1023[13:29:01] <koollman> RoyK: it could be intentional. For
example, it is the mode used for battery-backed units on raid cards.
Since it is assumed the controller takes care of things
without the OS knowledge (so 'direct' writes are
effectively cached by the storage backend doing writeback, thus
additional cache in front would be wasted)
1032[13:37:21] <koollman> RoyK: if it's not performing as
expected, I assume you can ask vmware/dell why it is that way, or if
you're missing some VAAI or some setting on vm disks or vmfs
1038[13:39:29] <oxek> jelly: I'm not familiar with what
spl-dkms is, but it is now a transitional package that depends on
zfs-dkms, which has always been in contrib and not main.
1043[13:40:42] <SanchoPensa> As of late my /boot partition keeps
running out of space, when Debian updates the Kernel, which is why I
am in the process of creating a Live stick, in order to be able to
resize my partitions.
1044[13:41:06] <oxek> SanchoPensa: it's a known issue that
the default size for /boot partition is too small in debian
1045[13:41:20] <phogg> if you used LVM resizing /boot is easy, if
you didn't it's not
1046[13:41:35] <oxek> it will get bigger on new installations of
bullseye (and likely even larger once again when bullseye++ comes
along)
1047[13:41:40] <SanchoPensa> I have just completed copying the
image with gnome-disk-utility to a USB stick.
1048[13:42:03] <SanchoPensa> ist that going to boot, or do I have
to explicitly copy the image with dd?
1049[13:42:27] <oxek> (btw, do we know the name of debian version
after bullseye?)
1050[13:42:44] <SanchoPensa> oxek: phogg: ya well, no worries
there, I know, how to help myself with gparted
1052[13:43:10] <SanchoPensa> problem is, you cannot resize
partitions, while they are mounted, which is, why I need to boot
with a stick
1053[13:43:18] <phogg> s/set/say/
1054[13:43:32] <oxek> phogg: unfortunately I am still banned from
reading the debian wiki :(
1055[13:43:41] <phogg> oxek: how?
1056[13:44:05] <SanchoPensa> oxek: phogg: hehe thanks, guys, but
your answers kinda miss my point...
1057[13:44:06] <oxek> phogg: the wiki bans massive blocks of IP
addresses, and doesn't let people even read. I just get 403
forbidden
1058[13:44:16] <oxek> it's a known issue
1059[13:44:30] <phogg> oxek: well then FYI the answer is bookworm
1060[13:44:40] <SanchoPensa> :D
1061[13:44:46] <oxek> bookworm. Thank you.
1062[13:44:54] <SanchoPensa> :D
1063[13:45:20] <oxek> SanchoPensa: depending on which image you
want to boot, using `dd` or `gnome-disk-utility` will both create a
bootable usb stick.
1064[13:45:59] <oxek> since you're having issues with the
size of /boot, it's likely you left it all at default during
installation, which means it would not be part of LVM
1065[13:46:11] <SanchoPensa> oxek: I used a live image from here:
replaced-url
1066[13:46:40] <SanchoPensa> oxek: thanks a lot, in that case I
will be as audacious as to reboot now... :D
1067[13:46:42] <oxek> SanchoPensa: that should work
1068[13:46:50] <SanchoPensa> nice!
1069[13:46:52] <oxek> before you reboot
1070[13:46:55] <oxek> do you have backups?
1071[13:46:57] <SanchoPensa> yes?
1072[13:47:05] <SanchoPensa> well... sort of...
1073[13:47:10] <oxek> do backups first
1074[13:47:22] <SanchoPensa> I do, however, have my data on a
separate /home partition.
1075[13:47:39] <oxek> you're resizing partitions.
That's how /home can get messed up
1076[13:47:46] <SanchoPensa> So, everything I could potentially
lose is years of configuring my os...
1078[13:48:19] <oxek> so practically many wasted hours of trying
to reconfigure everything back
1079[13:48:26] <oxek> do a backup
1080[13:48:33] <SanchoPensa> oxek: well... I have resized about a
gazillion partitions so far, and it has never happened yet...
1081[13:48:56] <oxek> up to you, I just wanted to state the
official warning
1082[13:49:18] <EdePopede> it always happens the n+1th time :)
1220[15:51:44] <ratrace> actually... I also got a full debian
installation on an external drive which I use for rescuing.
it's a thing I made a few days ago, seems like I forgot I have
it. but before that, I used the ubuntu ISO
1221[15:51:45] <SanchoPensa> ratrace: but in principle to be able
to rescue a system would be the primary purpose of the live stick,
right?
1223[15:52:00] <SanchoPensa> do you think, there is an issue with
the debian live stick version?
1224[15:52:14] <ratrace> SanchoPensa: not necessarily. a
"rescue" environment has all the tools
1225[15:52:39] <ratrace> if you needed to apt install lvm2, then
that's not a suitable rescue env
1226[15:53:02] <SanchoPensa> ratrace: I am btw not really
attempting to rescue the system, since there is nothing wrong with
it. Except the fact, that my /bootpartition runs out of space on
every kernel update...
1227[15:53:15] <ratrace> SanchoPensa: yes, I think there is.
it's also not recommended for installation, something about its
installer being off?
1231[15:54:14] <oxek> if one does not wish to create a
personalized iso (and maintain it), is Grml the best option?
1232[15:54:19] <ratrace> there's dedicated distros for that
(the abovementioned grml, and sysrescuecd), or you can build your
own
1233[15:54:26] <SanchoPensa> ratrace: and your weapon of choice
for that purpose is Ubuntu...?
1234[15:54:39] <ratrace> SanchoPensa: yes but now I have a full
debian installation on an external usb disk
1235[15:55:05] <ratrace> ubuntu live ISO is fully apt-installable
and functional. if you don't wanna bother with a DIY solution,
I'd recommend the 'buntu
1236[15:55:17] <SanchoPensa> oh! that grml comment was for me,
thanks apollo13
1237[15:55:22] <SanchoPensa> never heard of it so far...
1238[15:55:37] <SanchoPensa> i see...
1239[15:55:55] <oxek> I once tried a ubuntu iso for rescue. It
immediately started downloading gigabytes of data to update the
snap applications, ran out of RAM and crashed. It's not
supposed to happen, snap is set to delay updating by 45 days, but
the system time was off by a lot and once fixed, snap started
updating.
1240[15:55:56] <SanchoPensa> what ever happened to
supergrubcd...? :D
1241[15:56:15] <SanchoPensa> lol
1242[15:56:45] <SanchoPensa> Well, I basically don't really
care what to use, as long as it works...
1243[15:56:49] <oxek> whoever thought making it impossible to
disable snap autoupdates should be excommunicated from the community
1248[16:01:09] <oxek> before the buster release, I said that the
default /boot size was too small. But there was no way for me to
reach the relevant people.
1249[16:01:11] <ratrace> oxek: agreed about snapd autoupdates.
the ONE thing that blows the entire framework and tool.
1251[16:02:26] <oxek> ratrace: exactly. snap is really nice with
the enable/disable app, revert, save/restore/forget snapshots, and
so on
1252[16:02:37] <oxek> but the autoupdates by default, with no way
off, kill it for me
1254[16:03:21] <oxek> (you can disable them by
disabling&stopping the snap service and socket, but then you
lose all the actually good things about snap)
1260[16:06:22] <jelly> oxek, there are people inside Canonical
unhappy with that as well, so we'll see how far that gets them
1261[16:06:46] <jelly> lxd as snapd is just icing on the cake
1262[16:07:02] <jelly> beefcake.
1263[16:07:13] <wsky> beefcake!
1264[16:09:12] <oxek> I really like that debian still seems to be
on the side of the users. There was that brief issue with systemd,
but honestly debian had no option than to go with it, because
systemd is everywhere
1292[16:24:37] <istrive> I am struggling to force the system to wait
until the script finishes running BEFORE shutdown... I currently have
the script as a service from systemd but after testing it did not
finish and the system rebooted anyway!
1311[16:30:16] <greycat> We hate it when people answer "what
are you trying to do" with "here is my broken code, you
can just reverse engineer it and try to guess what I wanted it to
do"
1312[16:30:22] <istrive> and I enabled it with a service:
replaced-url
1313[16:30:24] <wsky> i see you're trying to launch vbox on
boot
1314[16:31:08] <istrive> I am trying to shutdown them properly at
reboot/shutdown from host!
1349[16:37:32] <istrive> TY greycat, I will take a look at this
1350[16:38:17] <EdePopede> «I have a service that takes 10
seconds to shut down» - i just hope (and guess) services are
more reliable than GUI crap. (namely modern browsers which may need
minutes to finish after a few days of usage, usually crashing at the
end)
1351[16:38:35] <istrive> I doubt anyone that when asked something
gives a gazillion possibilities as the answer! ;)
1353[16:38:45] <wsky> vbox can run in gui or no
1354[16:39:04] <wsky> any way it will take some time to freeze
the memory
1356[16:39:29] <istrive> the vms are unattended and run in the
background (win svr 2012r2)
1357[16:39:54] <EdePopede> i'm concerned more about
what's running inside it. it's a stack, clean it from top
to bottom. and hope there's not a single layer which just
refuses to die in dignity ;)
1358[16:40:55] <istrive> this is just to shutdown the servers
properly... I don't know why VirtualBox made it so hard...
Hyper-V has a much better handling of this task!
1369[16:44:03] <EdePopede> ah, good to know. anyway, systemd and
termination, i'm not sure about it anymore after the mess
that's left behind after i logout from the desktop session on
the test install of buster on the other pc.
1370[16:44:45] <greycat> EdePopede: if the systemd default
timeout (90 seconds?) is too short, I'm pretty sure you can
supply a longer timeout in your service definition
1372[16:46:03] <EdePopede> greycat: ah thanks, good idea.
it's just a plain installation with everything selected (all
servers, all desktops...) where i'm looking at the different
UIs i can use. no manual system wide changes, and the user profile
is recreated for every run.
1398[17:03:17] <koollman> neilthereildeil: no root device
detected, most likely. You can try adding : rootdelay=30 (or some
larger number), but first make sure you didn't remove stuff
that would have helped find the correct root device
1502[18:38:14] <urk> My employer bought this computer for me so I
can work from home, but they let me choose which one to get. The
screen is amazingly bright. My only gripe is no numeric keypad, but
I knew about that before I got it.
1568[19:20:44] <srged> My canon printer prints out blank pages. I
am using CUPS. What could it be? (the scanner prints out just fine,
so the ink is good)
1588[19:32:45] <greycat> They asked about the desktop environment
because for most people, the tools for setting up wireless
networking come with the desktop. Relatively few people use lower
level stuff, but it exists.
1589[19:32:58] <greycat> !wifi
1590[19:32:58] <dpkg> Support for your wireless LAN device is
dependent on the chipset within. Don't know what you have? Ask
me about <what's my wireless>. Atheros: <atheros>;
Atmel: <atmel>; Broadcom: <broadcom>; Intel:
<intel>; Intersil: <prism>; Marvell: <marvell>;
Ralink: <ralink>; Realtek: <realtek>; TI:
<acx-mac80211>; VIA: <vt665x>; ZyDAS: <zydas>. See
also <crda>, <killswitch>, <wpa>.
replaced-url
1591[19:33:23] <greycat> I believe there's a subpage of
replaced-url
1608[19:36:44] <greycat> Or you plug in an ethernet cable
temporarily.
1609[19:36:48] <ratrace> I think it'd be easier and faster
if you reinstalled from the nonfree firmware iso so you get it set
up by the installer
1610[19:37:20] <jmd> ratrace: I've installed the firmware.
That is not an issue.
1611[19:37:39] <ratrace> otherwise you'd have to hunt down
all the debs and dependency debs and firmware debs and whatnot debs
and sneakernet them in, as greycat suggested
1612[19:38:07] <greycat> is it really not on the installer that
you used?
1613[19:38:08] <ratrace> jmd: what was the installation iso, cd?
dvd? netinst (probs not if you don't have the nets)?
1615[19:38:42] <jmd> It was the netinst dvd image. That is
supposed to magically install everything that is needed.
1616[19:39:12] <greycat> It installs what you request. And I
would be really shocked if network-manager is not on it. Just use
it.
1617[19:39:33] <greycat> If you installed without network, then
it should have set up sources.list to use the installer CD.
1618[19:40:09] <srged> guys, why is my printer printing blank
pages while the scanner works just fine? (PS. toner refilled, led
is blinking. yet the scanner works fine)
1623[19:43:11] <ratrace> srged: probably encrypted, so it's
printing with invisible ink. I mean... you asked THAT kind of
question, you got THAT kind of answer :)
1632[19:48:56] <ratrace> srged: for starters, the printer and
scanner are served by different subsystems, even if they're the
same physical device. one working doesn't mean the other would.
1643[19:58:13] <wsky> it is about dumping the most minimal debian
os to the hdd and possibli fetch some extra stuff from the net
1644[19:58:27] <wsky> possibly*
1645[19:58:36] <jmd> Yeah. But it seems that last step it
doesn't do.
1646[19:58:45] <AlexHMusique> the most minimal installation is
via debootstrap
1647[19:59:16] <wsky> if you want debian offline get the full dvd
set
1648[19:59:37] <ratrace> netinst isn't about installing most
minimal debian, it's about having the most minimal _installer_
that then goes out to fetch the packages online
1649[19:59:42] <jmd> I don't want it offline.
1650[20:00:01] <jmd> ratrace: That's what I thought.
1651[20:00:11] <wsky> then minimal should sound ok
1655[20:01:17] <donavan01> so I'm getting an error when trying to
run apt --fix-broken install. it's hanging on something dealing with
one of the themes, so I really don't care if it ever installs, but it's
causing other things to not process... I tried running dpkg
--force-overwrite but it complains as well. can someone with better
linux know-how look at the errors I'm getting and tell me how to
proceed?
replaced-url
1657[20:02:08] <ratrace> jmd: "amazed that the netinstall
disk won't do that for me" .. I think the installer
assumes that the default setup, which is gnome desktop, suffices to
autoconfigure dhcp with networkmanager, and that's what it
does. it also _does_ setup dhcp for the ethernet, but it
doesn't set up wifi, that's left for the networkmanager
1660[20:02:51] <ratrace> jmd: it also assumes that deviation from
default predicates experience and skill and setting it up using
whatever tool you want. via interfaces(5) like in my paste, via
networkd, via nm(cli), wicd, ...
1662[20:03:24] <ratrace> jmd: and by that does not impose any
default setup
1663[20:04:00] <jmd> Well really I don't care what tool it
uses. I just expected that after running the installer I would have
a working network.
1664[20:04:18] <jmcnaught> donavan01: you have more than one
package containing the same file, which generally does not happen on
Debian and indeed it appears the offending packages are kali or
mxlinux related. If you are using Debian then you should not be
using repos for other distros. If you are not using Debian, then you
will need to find the appropriate channel for your distro.
1672[20:07:55] <ratrace> perhaps. that requires someone to
implement that in the installer. the current state is deemed
sufficient: NM by default for default gnome desktop; the rest assumes
you're skilled enough to deviate, so you'll set it up
yourself.
1675[20:09:05] <donavan01> yeah, I'm running MXlinux, but as with
literally every distro I have tried over the years besides ubuntu
(which I can't stand) and straight Debian (which honestly my linux
skills aren't good enough to just dive into, or at least they weren't
the last time I tried it), I can never find anyone that actually
chats. I was in #linux and was told to come here ... I have
installed other programs from other repos; could this have caused the
issue?
1683[20:10:52] <dpkg> MX Linux is a popular distribution
<based on debian>. It is not supported in #debian. Support is
available on their forum:
replaced-url
1726[20:29:14] <aminvakil> i'm executing systemctl start
mysqld after installing mariadb-server on a clean debian 10
container which also has systemd installed on it
1727[20:29:30] <aminvakil> host is ubuntu 20.04, but i've
also tested ubuntu 18.04 and ubuntu 16.04
1728[20:29:38] <koollman> container. so, host system has apparmor
?
1729[20:29:46] <wsky> have you got the filesystems mounted?
1730[20:29:49] <aminvakil> i'm not sure, maybe?
1731[20:29:56] <koollman> or docker (or whatever you use) has an
apparmor profile, maybe
1732[20:29:58] <aminvakil> wsky: not that i know of
1745[20:31:41] <ratrace> aminvakil: why do you ask about ubuntu
issues in #debian?
1746[20:31:44] <aminvakil> foxide: i should ask this from github
guys then. but what i wanted to be sure from this channel was this
1747[20:31:56] *** Quits: merAzi (~mer@replaced-ip) (Remote host closed the connection)
1748[20:31:58] <foxide> ratrace: He's not. He's having
issues with a buster container.
1749[20:32:00] <ratrace> and what is that paste? I don't see
any errors there
1750[20:32:10] <wsky> yeah, your host os seems to be ubuntu
1751[20:32:11] <ratrace> if there are apparmor denials, then
apparmor IS installed.
1752[20:32:15] <koollman> aminvakil: I have no idea what molecule
is in this context. I assume something on the host side or container
runtime is provoking that error, though
1753[20:32:23] <aminvakil> ratrace: i couldn't understand if
enabling apparmor on host could bring this up
1754[20:32:30] <wsky> and it seems it's an issue of their
1777[20:36:37] <ratrace> aminvakil: if that's a container,
then probably there's no control over the AA policy, and you
can't have one defined from _within_ it afaik
1778[20:37:09] <aminvakil> ratrace: i think i should look and
bother github guys for this issue then
1780[20:37:34] <aminvakil> it seems that apparmor log which
appears in buster container that doesn't have apparmor
installed is coming from ubuntu host which has some apparmor profile
enabled
1781[20:37:40] <ratrace> aminvakil: yeah and if there's AA
policy on the host, it has to account for full paths into the
container, this trail doesn't seem to show it
1782[20:37:42] <aminvakil> if i understood correctly
1784[20:38:09] <ratrace> aminvakil: containers don't run
their own kernels, so any kernel logs from /dev/... are host's
1785[20:38:19] <koollman> aminvakil: correct. (either host-wide
or on the specific container running, without anything
'inside' the container knowing or enabling apparmor)
1829[20:56:08] *** Quits: Mister00X (~quassel@replaced-ip) (Quit: "I'll be back" — Arnold
Schwarzenegger)
1830[20:56:41] <jezebel> i want to statically build a package
1831[20:57:53] <ratrace> I don't know if you can recurse
automatically, or need to install them one by one. just trying to
understand your use case here. which package btw?
1842[21:01:47] <ratrace> jezebel: btw, you're aware of the
reasons amor got dropped from debian? can you work around those
reasons by building it from source?
1843[21:02:08] <jezebel> yeah upstream no longer working on it
1844[21:02:09] <ratrace> mentor: should be just headers, maybe
docs, and that class of files
1845[21:02:27] <ratrace> jezebel: and something something
incompatible with qt5
1846[21:02:33] <jezebel> but a statically linked copy should
work?
1847[21:02:45] <mentor> ratrace: I'm pretty sure that static
libraries get included some of the time
1848[21:03:17] <jezebel> a pure statically linked copy should
only need a compatible kernel?
1849[21:03:28] <ratrace> mentor: static (built binaries) and
libraries are usually contradicting each other; what did you mean to
say?
1851[21:03:59] <mentor> ratrace: I meant what I said
1852[21:04:14] <jezebel> and kernel is 'always'
backwards compatible iiuc ("don't break userspace")
1853[21:04:30] <ratrace> jezebel: depends if, since it's a
GUI app, it can work with qt5, unless you need to statically link
all of Qt ... I don't know the full state of incompatibility
there. try it and see, just before you waste your time, look up why
it was dropped, s'all I'm saying :)
1880[21:11:57] <ratrace> mentor: ie. they don't need the
sources, just -dev which are pulled in by apt install build-deps,
right?
1881[21:12:17] <mentor> Yes
1882[21:12:21] <ratrace> k
1883[21:12:50] <hendursaga> I need help getting my USB WiFi
adapter working, it's a Ralink Technology, Corp. RT2870/RT3070,
is this page what I'm looking for?
replaced-url
1927[21:27:07] <hendursaga> I press the hardware switch and on
GNOME it shows a notification that I (dis/en)abled it but rfkill
doesn't show a difference
1928[21:27:25] <hendursaga> mentor: Interface? It's not
showing up on NetworkManager
1929[21:27:33] <hendursaga> And ip link shows only Ethernet is up
1930[21:27:52] <mentor> hendursaga: Does network manager believe
it is controlling that interface?
1931[21:28:09] <mentor> hendursaga: I.e., managed is yes
1932[21:28:15] <jezebel> networkmanager wont touch anything in
/etc/network/interfaces
1933[21:28:16] <hendursaga> mentor: What do you mean?
1934[21:28:30] <jezebel> or /etc/network/interfaces.d/
1935[21:28:46] <hendursaga> It's not in there jezebel
1936[21:29:12] <hendursaga> mentor: Where do/should I see
managed? ip link?
1937[21:29:29] *** Quits: zapwai (~zapwai@replaced-ip) (Remote host closed the connection)
1938[21:29:32] <ratrace> no,
/etc/NetworkManager/NetworkManager.conf or something like that
1939[21:29:58] <mentor> hendursaga: What does running
'nmcli' say?
1940[21:30:12] <ratrace> I'd first try to get it working
from the command line, wpa_supplicant directly. NM can sometimes
herpderp things up
1941[21:30:24] <jezebel> (assuming you have udev and dbus
installed)
1942[21:30:39] <ratrace> pretty likely assumption with gnome
being there :)
1943[21:31:09] <hendursaga> ratrace: managed=false in that file
1951[21:32:58] <ratrace> hendursaga: weirdly in your last paste,
there's no mention of missing firmware. could it be that THAT
particular module needs none? I somehow doubt that, for ralink....
1953[21:33:35] <mentor> Would network manager pick up new
interfaces without udev and dbus being installed?
1954[21:33:35] <hendursaga> ratrace: The docs say I might need to
blacklist rt2800usb - that module is NOT the one I need, it's
rt2870sta and that ain't showing
1955[21:33:36] <ratrace> hendursaga: so when you say you need
rt2870sta instead of rt2800usb, and that wiki page does list your
usbid .... then perhaps that's what you have to do as the
kernel erroneously loads up rt2800usb.
1956[21:33:48] <ratrace> that = blacklist rt2800usb
1957[21:34:00] <hendursaga> So, how do I blacklist rt2800usb?
1958[21:34:15] <hendursaga> And do I need to blacklist its
dependencies?
1960[21:34:41] <mentor> So network manager believes the interface
to be unavailable
1961[21:34:59] <ratrace> hendursaga: and then rebuild
update-initramfs -u
1962[21:35:00] <hendursaga> ratrace: Is it recursive?
1963[21:35:22] <ratrace> no, but if you blacklist that module,
then modules that depend on this one should fail to load
1964[21:35:44] *** Quits: yans (~yans@replaced-ip) (Remote host closed the connection)
1965[21:35:44] <hendursaga> Also should I backup my initramfs? It
looks important.
1966[21:36:32] <hendursaga> Or is it versioned or...?
1967[21:36:34] <ratrace> hendursaga: you probably have two kernel
versions -- the previous one also has its own initramfs, so you
kinda do have a backup. this, however, should not be something that
would nuke the boot process, and you're not doing it remotely
over the network
1968[21:36:45] <ratrace> you can always rebuild initramfs later
1969[21:36:51] <ratrace> don't worry about it, really.
1971[21:37:22] <hendursaga> ratrace: Why would I have two kernel
versions??! I just installed it yesterday!
1972[21:37:46] <ratrace> ah right .... well, you would next time
there's kernel upgrade. debian, by default, keeps one copy of
previous kernel with its initramfs and config, under /boot
1973[21:38:01] *** debhelper sets mode: +l 1206
1974[21:38:08] <ratrace> wise thing, so you can select the
previous version, if the upgrade somehow borks the boot
1975[21:38:15] <mentor> hendursaga: You only really need to worry
about initramfs if something on your path to mounting your root
filesystem changes
1976[21:38:21] <ratrace> ^^ that
1977[21:38:34] <ratrace> here you're just blacklisting a
wifi module. totally not anything critical for the boot process
1983[21:39:49] <ratrace> hendursaga: once in anywhere from few
days to I think the record I saw was ~130 days in 2019
1984[21:39:52] <wsky> not too often
1985[21:41:01] <hendursaga> I assume it has something to do with
module dependencies..
1986[21:41:25] <ratrace> no I don't think you need to run
that
1987[21:41:56] <ratrace> just add that blacklist, update
initramfs, and reboot. in fact, I think you maybe don't even
need to reboot, but can rmmod and modprobe the correct one after
blacklisting. dunno. try it. or just reboot
1991[21:45:07] <jezebel> dumb question but why is [u]xterm not
picking up my .Xresources in xfce? when i xrdb -q it's shown as
merged in but [u]xterm isn't reflecting this?
2013[21:52:58] <jezebel> when i log in it should be merged
already?
2014[21:53:19] <jezebel> it does get merged i believe, bcause
xrdb -q shows my resources when i log in
2015[21:53:25] <merAzi> about uxterm not picking xresources,
that's because xterm and uxterm use different settings names,
try adding UXTerm*option: to your .Xresources
2016[21:53:28] <jezebel> but xterm doesnt see
2017[21:53:42] <jezebel> yeah i've tried both UXTerm and
XTerm
2018[21:54:03] *** Quits: asymptotically (~asymptoti@replaced-ip) (Remote host closed the connection)
2042[22:02:31] <merAzi> is uxterm detecting the xresources
configuration now?
2043[22:02:54] <hendursaga> Now, it doesn't show up at all.
One issue with the prior config was that the interface had to be
renamed, from wlan0, I believe. Would that have been an issue??
2044[22:03:03] <ratrace> hendursaga: meaning, if you have the
kernel show the device ... welp ... try and configure it
2045[22:03:18] <ratrace> hendursaga: "had to be"? or
you mean the dmesg entry where it's renamed?
2048[22:04:00] <hendursaga> The dmesg entry, from last boot
2049[22:04:08] <ratrace> hendursaga: yah that's normal, udev
changing from kernel's name into a so called
"predictable" name.
2050[22:04:24] <ratrace> hendursaga: so to revert this ... remove
that blacklist line; update-initramfs -u ; reboot
2051[22:04:58] <ratrace> and when you get to see the link, try
configuring it with wpa_supplicant. note that with wifi you have two
OSI layers to configure. the wifi itself, which is lower, and then
when that connects, you get the higher IP layer with dhcp or static
IP
2052[22:05:00] <hendursaga> Could I just comment it out?
2053[22:05:14] <mentor> As opposed to the kernel's somewhat
arbitrary device naming strategy
2054[22:05:15] <ratrace> ie, you can have wpa_supplicant connect
successfully, without the higher one getting an IP, for testing
2055[22:05:21] <ratrace> hendursaga: yes
2056[22:05:47] <ratrace> mentor: actually ... the udev one seems
arbitrary. kernel will always do wlan0 or eth0, and if there's
more, wlan1, eth1, ...
2057[22:06:13] <ratrace> now for $1000 cash, predict the name
hendursaga will get on boot :) no peeking in scrollback :)
2058[22:06:43] <mentor> ratrace: The index assigned by the kernel
is in no way guaranteed
2064[22:07:54] <ratrace> which is what I do, I prefer that. the
"predictable" names can change in some cases when you have
buggy bios/efi/firmware/chipset .. the very same scenario that
prompted the "predictable" naming in the first place.
2065[22:07:55] <mentor> ratrace: No, it is the kernel's
fault; it assigns in the order it enumerates
2066[22:07:55] *** Quits: platvoeten (~platvoete@replaced-ip) (Remote host closed the connection)
2072[22:08:57] <mentor> The kernel doesn't make a guarantee,
and the userspace does its best to work around that
2073[22:09:07] <mentor> That's the situation
2074[22:09:17] <ratrace> I never said that wasn't true,
however the ordering is done by bios
2075[22:09:24] <ratrace> AND to fix it, bind MAC to NIC name.
solved.
2076[22:09:45] <mentor> Yeah, that only works for network
interfaces
2077[22:09:48] <ratrace> you don't need
wlanxnafjsiodpjuf9ouw4q0uwfwa90u43w90tfumw409fu
ewr09t7ue09t34u09te34 crapshit in the name of
"predictability" when the same buggy bios will happily
rename that next boot
2078[22:10:10] <mentor> ratrace: Please refrain from the rhetoric
2079[22:10:17] <ratrace> like ... pull out your GPU, get effed on
reboot with totally new NIC names. there's an issue for just
that on systemd GH
2080[22:10:47] <greycat> mentor: it's not just rhetoric,
though. People have had that problem here before.
2081[22:10:50] <ratrace> which means "predictable"
naming solved NOTHING. just added moar headaches. the proper fix is
binding MAC and NIC name, either via .link or interfaces(5) or
whatever other way is usable
2092[22:14:39] <ratrace> dvs: let me tell you a tale of linux
kernel 5.9 and totally flakked up, renamed, renumbered, regrouped
IOMMU and slot IDs and a workstation failing to boot because of
that. :)
2130[22:30:27] <ratrace> why? to remain in line with the expected
standards. wpasupplicant (the package) installs some systemd
services which can be used as templates with NIC names that then
source exactly those patterns
2132[22:32:13] <pasiz> if using just password auth, what's
the point of creating wpa_supplicant config when nm
2133[22:32:52] <pasiz> does nm forget settings?
2134[22:33:11] <jezebel> nm uses wpasupplicant under the hood for
you
2135[22:33:15] <ratrace> nm uses wpasupplicant's dbus api
2136[22:33:25] <jezebel> yup
2137[22:33:42] <pasiz> so yup, it forgets or what?
2138[22:33:52] <ratrace> ie doesn't care about your config
files. and here, I recommended hendursaga try "manual"
approach, outside NM because NM is ..... flaky.... in some
situations, it's hard to control variables of _what_ exactly is
failing.
2139[22:34:04] <jezebel> if you dont have a gui, you can use
nmtui if you want to be insulated from it all
2140[22:34:05] <ratrace> this way, they can see the OSI layers at
work and where the failure is
2154[22:36:46] <ratrace> that means it works. NM will use
wpasupplicant too, so the question here is ..... what's
NM's problem. referring to "flakey" adjective from
before. eff NM, tho.
2155[22:36:53] <jezebel> then dhclient for your ip address
2156[22:37:03] <hendursaga> Does that require root?
2157[22:37:07] <jezebel> yes
2158[22:37:21] <hendursaga> I had to use ifup so.. aww man
2159[22:37:30] <pasiz> cannot understand how it's flakey...
i use eap-tls on home too, and never have problems
2160[22:37:42] <hendursaga> Maybe if I restart NM would work,
haha
2161[22:37:45] <jezebel> ifup will use /etc/network/interfaces
which tells it to use wpasupplicant and dhclient
2162[22:38:02] <ratrace> if you configure it so
2163[22:38:06] <hendursaga> Is there a way to get WiFi up without
root every time?
2164[22:38:06] <jezebel> true
2165[22:38:45] <ratrace> hendursaga: with the pastebin I showed
you, that approach can work automatically. you plug in the USB
thingy, it connects. you unplug it, it disconnects
2166[22:38:59] <ratrace> thanks to interfaces(5) persistence and
allow-hotplug
2167[22:39:12] <hendursaga> Can? OK, yeah that sounds vaguely
familiar
2168[22:39:29] <ratrace> some say it's even possible to roam
with a static wpa_supplicant config like that and all the hotspots
enumerated and configured. it's all automagick
2169[22:40:03] <ratrace> hendursaga: can yes, and I know it for a
fact. I have that exact setup, where I use a wifi dongle as backup
for eth0. I plug it in, it autoconnects, works. assumes eth0 is down
and routes are off
2170[22:40:23] <ratrace> otherwise you might need some post-up
re-routing magick
2171[22:40:24] <jezebel> fwiw i've had flakey experiences
with nm... i hate the 'deauthenticating by local choice'
message, it doesnt tell you who or what did it
2172[22:40:29] <hendursaga> Cool, cool, now I can fix my
friend's WiFi haha
2173[22:40:47] <dvs> famous last words
2174[22:40:51] <hendursaga> ratrace: Routing? As in?
2175[22:40:51] *** Quits: jmd (~user@replaced-ip) (Remote host closed the connection)
2189[22:43:25] <ratrace> jezebel: bonding eth0 and wifi? the
heresy! :)
2190[22:43:42] <pasiz> not to mention stateful packet filtering
on that kind of network...
2191[22:44:06] <ratrace> eh my iptables rules don't include
-i for that reason :) except where it's -i specific
2192[22:44:50] <hendursaga> And.. victory short lived..
2193[22:44:55] <ratrace> now what
2194[22:45:12] <hendursaga> I shut my laptop case to move to the
spot I wanted to go to without Ethernet, and then device shut off
2195[22:45:24] <hendursaga> I had to do ipdown and then ipup to
bring it back up again
2196[22:45:48] <pasiz> ratrace: does -i do connection tracking
2197[22:46:16] <ratrace> pasiz: it's just a filter criteria
for nic name
2198[22:46:33] <pasiz> but even states doesn't work on
network with legs in multiple subnets
2199[22:46:57] <dvs> hendursaga: That's an ACPI issue, not a
networking issue.
2200[22:46:59] <hendursaga> Also how might I get on another WiFi
network?
2201[22:47:11] <ratrace> well it's assumed that tcp sessions
wont receive packets from different networks, unless you have that
explicitly enabled with bonding
2202[22:47:31] <hendursaga> Just add another entry to
wpa_supplicant?
2203[22:47:35] <jmcnaught> What was wrong with using
NetworkManager?
2204[22:47:38] <ratrace> hendursaga: with this approach? add
another network={} stanza in the wpa supplicant conf
2205[22:48:03] <hendursaga> jmcnaught: No idea
2206[22:48:04] <dvs> and assign a priority
2207[22:48:11] <ratrace> jmcnaught: that's the part that has
to be figured out. NM refused to use the NIC
2232[22:58:17] <greycat> well, it ain't supposed to do that,
so either investigate whether you've got the correct firmware,
drivers, etc. or file a bug report
2233[22:58:47] <queip> greycat: by freeze I mean that gui using
programs stop doing almost anything, and they resume when you are
back in X
2265[23:10:22] <ratrace> dunno. and I don't feel like
changing the VT now to test it :)
2266[23:10:53] <ratrace> I mean it's not something
you'd normally do, change the vt from xorg
2267[23:12:17] <queip> ratrace: administrating from graphical
console of a user is not as secure
2268[23:12:20] <milkt> is this about specific X program or any
program drawing something on X?
2269[23:12:37] <queip> milkt: irc client, torrent client - for 2
things tested
2270[23:12:44] <ratrace> thinking about it now, maybe a
compositor would help
2271[23:13:07] *** Quits: Jerrynicki (~niklas@replaced-ip) (Remote host closed the connection)
2272[23:13:19] <queip> video stack in linux is so
overcomplicated... so how to "get a compositor"? I want
to use xfce for the windows and stuff
2273[23:14:43] <ratrace> I think Compton is recommended these
days for xfce?
2274[23:14:52] <ratrace> ,i compton
2275[23:14:55] <judd> Package compton (x11, optional) in
buster/amd64: compositor for X11, based on xcompmgr. Version:
0.1~beta2+20150922-1; Size: 97.4k; Installed: 264k; Homepage:
replaced-url
2290[23:18:33] <ratrace> I actually don't know this part,
hence asking. because if they do .... then a threat actor able to
execute a RCE as your user can sniff it, xorg or no xorg, because
the devices are ACL'd to you
2337[23:27:26] <jezebel> you could try checking the xorg logs
2338[23:27:39] <queip> jezebel: no errors appear in them during
that time
2339[23:27:50] <ratrace> queip: I think you're
overestimating the value of switching VT for "security"
reasons and are just chasing rainbows
2340[23:28:02] <jezebel> queip… anything in the timestamps
to give you a hint?
2341[23:28:19] <queip> ratrace: what is "over
estimated" in not letting your potentially hacked programs see
you type in root password?
2342[23:28:52] <jezebel> sudo might be your friend
2343[23:29:01] <ratrace> in that potentially hacked programs that
are running as your user can see everything you do, because
they're running as you
2344[23:29:05] <queip> ratrace: with such assumption you can just
add * to wheel and sudoers. asking for root password inside of user
program is security theater mostly
2345[23:29:23] <ratrace> linux security rests on UID separation
but things run as the same UID? without MAC or namespaces, it's
game over
2349[23:29:44] *** Quits: n4dir (~n4dir@replaced-ip) (Remote host closed the connection)
2350[23:29:59] <jezebel> is your root password the same as your
user password? Hmmm
2351[23:30:10] <queip> jezebel: ? of course not
2352[23:30:13] <jezebel> with sudo you type in your user password
2353[23:30:17] <jezebel> not your root password
2354[23:30:59] <jezebel> you prove who you are as a user and you
get certain privileges which are typically associated with root,
controlled by the sudoers file
2355[23:31:22] <jezebel> so you shouldnt be compromising your
root password
2356[23:31:26] <ratrace> my root and user's pass are the
same. because it totally doesn't matter what the root pass is
if I'm a sudoer :)
2357[23:31:41] <queip> if attacker is already running your user,
then intercept entire X windows manager or anything like that, run
own fake sudo-gtk, get user password, then use that password to
become root via sudo
2358[23:31:49] <nkuttler> ratrace: that's entirely wrong,
see man 5 sudoers
2377[23:33:58] <ratrace> so back to what I said .... my root and
my user's pass are the same because I am sudoer with full sudo
-i ability so it completely doesn't matter what root's
pass is
2384[23:34:56] <nkuttler> you can also configure pam if you want
to do such silly things
2385[23:35:05] <ratrace> that's completely different. I was
talking about the ability to use sudo to become full, logged in
root.
2386[23:36:02] <jezebel> queip… feel free to write a pam
module which asks you for your password in tty1 lol
2387[23:36:29] <queip> my use case is that regular user, who runs
X and crap like firefox, can not sudo into root. and then root I
access only by logging into root in separate VT1. The goal is that
when firefox gets exploited via one of million firefox/etc vulns,
they can't log into my other users which are kind of important
for me, like my bitcoin server user
2388[23:37:21] <ratrace> here's a little secret. I run
firefox as its own unprivileged user :) well, at least for untrusted
browsing. and it has an apparmor profile, carefully tailored because
default ff profile is too wide open.
2390[23:38:01] <jezebel> i need to learn about apparmor
2391[23:38:02] *** debhelper sets mode: +l 1192
2392[23:38:02] <ratrace> queip: if your FF gets exploited with
full RCE .... it's basically game over and "we can't
be sure" land.
2393[23:38:05] <ratrace> !ripley method
2394[23:38:06] <dpkg> "I say we take off and nuke the entire
site from orbit. It's the only way to be sure." -- Ellen
Ripley
2395[23:38:08] <queip> jezebel: that is a good idea, but for
thing that need to be root, not just the moment of typing in
password must be done outside of potentially-taken-over X.
Otherwise even if I type in root pass via secure method, as soon as
root shell would be in my infected X session, attacker would inject
keyboard events and type in commands as root
2396[23:38:50] <ratrace> queip: like ... was there a kernel
zeroday privilege escalation that the threat actor just executed
with that full RCE
2397[23:38:51] <jezebel> haha i just watched aliens again the
other weekend :/
2399[23:38:57] <queip> ratrace: I know nothing is perfect, but
still attacker needs an exploit to go from user to root. they
happen too, but it's harder to at same time have both this and
ffox rce
2400[23:38:58] <ratrace> jezebel: :)
2401[23:39:17] <nkuttler> queip: if you own enough bitcoin to
care about such things you should just run it on airgapped hardware
2402[23:39:27] <queip> jezebel: apparmor is toy for kids, mostly
2403[23:39:31] <ratrace> or .... are there still widely unknown
meltdown or spectre bugs so the FF hack doesn't even need an RCE
to take out my secrets
2404[23:39:44] <queip> nkuttler: I do, this is my bitcoin node
for coffee etc ;))
2405[23:39:53] <jezebel> put it in a kvm :D
2406[23:39:55] <nkuttler> basically, anybody with a shell should
be assumed to be root
2411[23:40:21] <queip> well plan for the worst, but at same time
minimize access, which is what is done here
2412[23:40:27] <jmcnaught> From what I understand under Wayland
programs do not share a common input queue (so one program can not
keylog another) except for all the programs that run under XWayland.
2413[23:40:33] <ratrace> nkuttler: exactly. if they can RCE....
you can't know what else they did exploit
2414[23:40:36] <jezebel> nkuttler… there's been a
couple of noteworthy sudo bugs recently that make that assumption
fair :/
2415[23:40:48] <nkuttler> even without sudo
2416[23:40:49] <queip> ratrace: which IME?
2417[23:41:03] <ratrace> queip: the ... THE.... IME?
2418[23:41:08] <queip> ratrace: what is IME?
2419[23:41:13] <jezebel> intel management engine
2420[23:41:17] <ratrace> oooooh.... are you sitting?
2421[23:41:21] <jezebel> hahah
2422[23:41:39] <ratrace> it's...... a full blown....
MINIX.... operating system running in a chip outside the CPU with
total. absolute. control over the hardware.
2423[23:41:41] <jezebel> your processor in the processor, it runs
on minix :D
2424[23:41:46] <queip> yeah there are various CPU and mainboard
exploits, we know
2425[23:41:56] <queip> doesn't mean you should throw away
all security mechanisms everywhere
2426[23:42:25] <ratrace> no no. just saying.... if anyone gets to
your FF and can exec random code? it's game over.
2437[23:44:28] <queip> usecases that ABSOLUTELY must prevent that
I run on offline airgapped computer
2438[23:44:47] <queip> but it's a bit not comfortable, so a
middle level of security is enough for other things
2439[23:45:28] <queip> not sure why it needs explanation that
there are other levels of security between using root password
hunter2 and having all users in sudoers, and between building own
CPU from TTL logic
2440[23:46:24] <ratrace> I know there are. I just think that
_this_ particular case is misaligned.
2442[23:46:39] <ratrace> running as root over another VT because
your FF might be compromised
2443[23:46:41] <queip> compositor didn't help in xfce.
other things to try?
2444[23:47:31] <queip> btw there is no good video card for
debian, one that doesn't need binary blobs to work well, is
there yet? maybe in next decade?
2445[23:47:45] *** randomgry is now known as gry
2446[23:47:56] <queip> hm maybe run everything in damn Xnest, or
firejail X...
2447[23:48:04] <ratrace> doesn't nouveau work withou.... oh
wait, even that has some firmware amirite?
2448[23:48:16] <ratrace> queip: I prefer kvm hypervisor
boundaries
2449[23:48:22] <queip> well, at least nothing that runs "on
cpu" that is closed
2450[23:48:26] <jezebel> kvm is awesome
2451[23:48:42] <ratrace> sure, not absolute, but waaaaaay better
than running trusted, sensitive, and untrusted on the SAME kernel
2453[23:48:46] <jezebel> isnt amd's vega supposed to be more
open?
2454[23:49:02] <queip> jezebel: the virtual machine? it's ok
but you need lots of ram, and it is somewhat cumbersome to switch.
btw, there were kvm breakout to user exploits too (still, it's
an idea)
2455[23:49:45] <ratrace> firejailing X is also misaligned
security. X runs code in ring0. game over. both nvidia and intel (I
haven't been paying attention about AMD) have had vulns in that
same ring, in the past two or so years
2456[23:49:53] <ratrace> intel still does, on haswells if
I'm not mistaken
2457[23:50:10] <queip> only root can change the code that X runs
in ring 0
2458[23:50:20] <queip> so it's still saved on user to root
2459[23:50:31] <ratrace> not true. look at recent nvidia xploits
2471[23:55:07] <ratrace> here's what I do. I run FF as
another user and it's AA enforced. That way it can't
access things it shouldn't even if it exec's arbitrary
code. it can't even access things it shouldn't even if it
becomes root. however ... it can compromise stuff through xorg
exploits, gpu exploits and direct kernel (Syscall) exploits
2472[23:55:17] <queip> AA is mostly a meme btw
2473[23:55:34] <ratrace> so the first level is sufficient for me.
things that I mustn't allow even in the second part, is behind
kvm hypervisor.
2474[23:55:47] <ratrace> the third level of security is airgapped
2475[23:55:54] <ratrace> dunno what is so meme-y about AA
2476[23:56:04] <ratrace> it does its job and does it well.
2477[23:56:04] <queip> grsec was the real deal but due to Linus
and/or Spender(?) having heads stuck in their ego/ass (both
depending on personal views) we don't have anything as good
anymore
2478[23:56:24] *** Quits: dvs (~hibbard@replaced-ip) (Remote host closed the connection)
2479[23:56:25] *** Quits: gry (~test@replaced-ip) (Ping timeout: 240 seconds)
2480[23:56:46] <queip> ratrace: it's a blacklist instead of
a whitelist. it blocks few things with few mechanisms while not
protecting dozens of other avenues of attacks
2481[23:57:04] <ratrace> queip: actually it's a whitelist,
but at specific program/profile level
2482[23:57:12] <queip> grsec was protecting ioports, kmem and
probably that ring0 stuff. aa doesn't do anything like that
2483[23:57:21] <ratrace> ie. it has no concept of selinux strict
security mode where unconfined_t is not allowed
2484[23:57:49] <queip> ratrace: read docs on pax and grsecurity
to realize apparmor lacks 90% of it
2485[23:58:05] <ratrace> aa doesn't do anything like that
but ..... AA ..... is all we got. grsec is paywalled. selinux is too
damn difficult to manage ref policies for, outside of RHEL family
2486[23:58:14] <ratrace> queip: I actually used grsec exclusively
until 4.9 :)
2490[23:58:27] <queip> linux security failed, thx Torv/Spender :/
2491[23:59:07] <ratrace> so for what AA does ... being a path
based MAC? it does it well
2492[23:59:15] <queip> we can probably conclude open source
security failed, nothing does anything like that
2493[23:59:26] <ratrace> it's also growing dbus policing
capabilities, there's caps and there will be more granularity,
they say, with networking in the future releases
2494[23:59:34] <queip> all we can do is put few obstacles on the
way
2495[23:59:40] <Taserface> umm, ioports are already blocked for
non-root users?
2496[23:59:47] <Taserface> same with kmem
2497[23:59:58] <queip> Taserface: pretty sure it was blocked also
from root