Re: [gentoo-user] PORTAGE_COMPRESS
On 02.04.2014 14:27, Douglas J Hunley wrote:

I was reviewing my Portage settings yesterday and I noticed that I have PORTAGE_COMPRESS set (to bzip2, the default) on both of my servers and it occurred to me that both of these servers have filesystems that support compression (btrfs on one, zfs on the other). So I'm wondering if it still makes sense to have PORTAGE_COMPRESS set or if I should unset it and just let the fs-level compression handle it. Portage is already slow, why have it take the time to do this when the fs does it better and transparently? Thoughts on the matter?

I think you have a good point disabling portage compression, but I wanted to correct one statement: Decompression in the kernel takes as much time as decompression in userspace - if it's the same algorithm. The differences here are:

* creation of an additional process (bz[ip2, cat]), negligible compared to the cpu time compression takes
* bz[ip2, cat] runs in user space (safer) vs in kernel space (risky)
* different [de]compression algorithm (fs usually uses weaker but faster compression algorithms like lz4, lzo or gz)
* different [de]compression setting (portage uses -9, kernel at best -6 - the difference in the resulting file size is small, but the difference in used cpu time is high)

For me two things decide the question:

* Assuming you write more man pages than you read, and disk space is not an issue, a weaker compression ratio to save cpu time makes sense.
* If you have compression _already_ on for the fs, then compressing textual data before storing it on that fs is a waste of cpu time: For example LZ4 will detect already compressed data (compression ratio 12.5%), abort compression and store the file uncompressed. That's nice, but it means that it has already compressed some blocks, before it could measure it - wasting cpu time.
Greetings, Daniel -- Get my PGP key at: * http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0x837FB8B5BB9D4887 * $ gpg --recv-keys --keyserver keyserver.ubuntu.com 0xBB9D4887
[gentoo-user] Honeypot distro?
My company ended up with several 'ancient' HP ProLiant G4 servers. We're thinking of setting up honeypots there. Although I know Gentoo is perfectly capable of becoming a honeypot, we currently prefer something... less involving in deployment :-D Now, since this mailing list unarguably contains the 'creme de la creme' of Linux users in the world... maybe you can help me in choosing a honeypot distro? I've been looking at several, such as ADHD or Stratagem or Honeydrive, also stalwarts such as BackTrack ... but I still can't make up my mind yet. TIA! Rgds, -- FdS Pandu E Poluan ~ IT Optimizer ~ • LOPSA Member #15248 • Blog : http://pandu.poluan.info/blog/ • Linked-In : http://id.linkedin.com/in/pepoluan
Re: [gentoo-user] Honeypot distro?
Gentoo.
Re: [gentoo-user] How to appoint python version for a package
On Thu, 3 Apr 2014 13:15:59 +0800 林守磊 linxiu...@gmail.com wrote:

@all I found that it is a bug in package pygments-1.6_p20140324, and I downgraded to 1.6-r1. Problem solved!

@Tom that means pygments-1.6_p20140324 does not support python3_2, thank you a lot

Indeed. Bugs appear to have been filed about this:

https://bugs.gentoo.org/show_bug.cgi?id=470962
https://bugs.gentoo.org/show_bug.cgi?id=489198

-- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
[gentoo-user] converting openrc's dmesg to systemd service file
I'm sure this is way more trivial than I'm making it out to be, but how in the world would one convert /etc/init.d/dmesg to a systemd service file? Is there a good online pointer about building service files? -- Douglas J Hunley (doug.hun...@gmail.com) Twitter: @hunleyd Web: douglasjhunley.com G+: http://google.com/+DouglasHunley
Re: [gentoo-user] my gnome-shell break
Did you try deleting ~/. *? Sometimes simple things like those help. Take a backup first. Sorry for top post, sent from mobile. On 03-Apr-2014 6:48 am, 林守磊 linxiu...@gmail.com wrote: Hi all I use gnome-shell-3.10.4-r1 some problem happen when I upgrade from 3.8, such as wall-picture disappeared, word of clock break attached my screenshotsPortage 2.2.10 (default/linux/amd64/13.0/desktop/gnome, gcc-4.8.2, glibc-2.19, 3.13.5-gentoo-shelley x86_64) = System Settings = System uname: Linux-3.13.5-gentoo-shelley-x86_64-Intel-R-_Core-TM-_i5_CPU_M_480_@ _2.67GHz-with-gentoo-2.2 KiB Mem: 7970940 total, 4488632 free KiB Swap:2097148 total, 2097148 free Timestamp of tree: Wed, 02 Apr 2014 21:45:01 + ld GNU ld (GNU Binutils) 2.24 app-shells/bash: 4.2_p46 dev-java/java-config: 2.2.0 dev-lang/python: 2.6.9, 2.7.6, 3.2.5-r3, 3.3.5, 3.4.0 dev-util/cmake: 2.8.12.2 dev-util/pkgconfig: 0.28-r1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.11.6, 1.14.1 sys-devel/binutils: 2.24-r2 sys-devel/gcc:4.5.4, 4.8.2 sys-devel/gcc-config: 1.8 sys-devel/libtool:2.4.2 sys-devel/make: 4.0-r1 sys-kernel/linux-headers: 3.14 (virtual/os-headers) sys-libs/glibc: 2.19 Repositories: gentoo x-portage gentoo-zh sublime-text ACCEPT_KEYWORDS=amd64 ~amd64 ACCEPT_LICENSE=* -@EULA CBUILD=x86_64-pc-linux-gnu CFLAGS=-march=native -O2 -pipe CHOST=x86_64-pc-linux-gnu CONFIG_PROTECT=/etc /usr/share/gnupg/qualified.txt CONFIG_PROTECT_MASK=/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c CXXFLAGS=-march=native -O2 -pipe DISTDIR=/usr/portage/distfiles FCFLAGS=-O2 -pipe FEATURES=assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict 
unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync FFLAGS=-O2 -pipe GENTOO_MIRRORS=http://mirrors.aliyun.com/gentoo/ http://mirrors.163.com/gentoo/; LANG=en_US.utf8 LC_ALL=en_US.utf8 LDFLAGS=-Wl,-O1 -Wl,--as-needed MAKEOPTS=-j5 PKGDIR=/usr/portage/packages PORTAGE_CONFIGROOT=/ PORTAGE_RSYNC_OPTS=--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages PORTAGE_TMPDIR=/var/tmp PORTDIR=/usr/portage PORTDIR_OVERLAY=/usr/local/portage /var/lib/layman/gentoo-zh /var/lib/layman/sublime-text SYNC=rsync://mirrors.163.com/gentoo-portage USE=X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdda cdr cli colord consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emboss encode evo exif fam firefox flac fortran gdbm gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk iconv introspection jpeg lcms ldap libnotify libsecret mad mmx mng modules mp3 mp4 mpeg multilib nautilus ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt3support qt4 readline sdl session socialweb spell sse sse2 sse3 ssl startup-notification svg systemd tcpd tiff truetype udev udisks unicode upower usb utf vim-syntax vorbis wxwidgets x264 xcb xinerama xml xv xvid zlib ABI_X86=64 ALSA_CARDS=ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci APACHE2_MODULES=authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic 
negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias CALLIGRA_FEATURES=kexi words flow plan sheets stage tables krita karbon braindump author CAMERAS=ptp2 COLLECTD_PLUGINS=df interface irq load memory rrdtool swap syslog DRACUT_MODULES=lvm ELIBC=glibc GPSD_PROTOCOLS=ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx GRUB_PLATFORMS=pc INPUT_DEVICES=keyboard mouse evdev KERNEL=linux LCD_DEVICES=bayrad cfontz cfontz633 glk hd44780 lb216
[gentoo-user] Self-signed certificate Apache
Hello list, Almost there now... After receiving help from Mick K and the list (thanks again!) I've now some idea of what I'm doing. I've installed OwnCloud to be served over SSL. I've followed the instructions here[1] to create a self-signed certificate, which is in two files: cloud.crt and cloud.key. I put both of those under /etc/apache2/private. I ignored the vague references to intermediate files. The command I gave was: # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key -out cloud.crt Now when I start Apache I get this warning, twice: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) Is this to be expected, or is anyone visiting (none expected though) likely to think I'm masquerading as a certification authority? [1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html -- Regards Peter
Re: [gentoo-user] Self-signed certificate Apache
On 03/04/2014 16:24, Peter Humphrey wrote:

Hello list, Almost there now... After receiving help from Mick K and the list (thanks again!) I've now some idea of what I'm doing. I've installed OwnCloud to be served over SSL. I've followed the instructions here[1] to create a self-signed certificate, which is in two files: cloud.crt and cloud.key. I put both of those under /etc/apache2/private. I ignored the vague references to intermediate files. The command I gave was:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key -out cloud.crt

Now when I start Apache I get this warning, twice:

RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Is this to be expected, or is anyone visiting (none expected though) likely to think I'm masquerading as a certification authority?

[1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html

What you've done works but you didn't do it the way Apache thinks these things work. You created a signing cert that is to be used to sign other certs, but instead used it as your SSL cert. Apache thinks this is unusual enough to warrant a log entry.

To be truthful you don't want to do it that way if only because it's contrary to what other pros expect you to have done. Third comment in this blog post gives excellent advice on how to do it better:

http://www.turnkeylinux.org/forum/support/20121228/rsa-server-certificate-ca-certificate-error

-- Alan McKinnon alan.mckin...@gmail.com
Re: [gentoo-user] Kworker use 80% of CPU
Hi everybody, and thank you all! Excuse me, I did not answer for a long time. The problem is fixed for now. I delete all old kernels initrd and configs. The only question now is: why just upgrade to new kernel don't fix it. For new kernel it should use default config, shouldn't it?

Best regards, Клочков Глеб

2014-03-21 14:31 GMT+04:00 Volker Armin Hemmann volkerar...@googlemail.com:

On 20.03.2014 11:24, Tom Wijsman wrote:

On Thu, 20 Mar 2014 11:39:58 +0400 Gleb Klochkov glebiu...@gmail.com wrote:

Tom, thank you for your answer.

$ dmesg http://bpaste.net/show/187533/

There this can be seen:

[ 18.074574] [drm] Wrong MCH_SSKPD value: 0x16040307
[ 18.074575] [drm] This can cause pipe underruns and display issues.
[ 18.074575] [drm] Please upgrade your BIOS to fix this.
[ 18.148162] [drm] GMBUS [i915 gmbus vga] timed out, falling back to bit banging on pin 2

Above your messages seem interesting; some expected value is wrong, it also times out on a bus and then goes to use a pin instead. Not sure how much of this is intended, but try to upgrade your BIOS as suggested.

$ cat /proc/interrupts http://bpaste.net/show/187537/

So, that would be this:

8: 63 0 0 0 IO-APIC-edge rtc0

Hmm, nothing about it in the dmesg; also, 63 seems low (on my system, however, it's only 1 as I think my system uses something different). You can try a different timer using this kernel parameter:

clocksource=hpet

Another note-worthy thing:

9: 699799454 0 0 0 IO-APIC-fasteoi acpi

That there are ~700 million ACPI interrupts seems abnormally high; maybe the count is off by one, and 8 refers to 9? On my system, that's been running for a while by now, it's only at ~6000 (six thousand).
uptime 11:29:37 up 49 days, 15:48, 16 users, load average: 0,38, 0,31, 0,39 8: 0 0 0 48 IO-APIC-edge rtc0 9: 0 0 0 0 IO-APIC-fasteoi acpi Changing the ACPI related kernel parameters to try to get it supported differently might be one thing to do here; other than that, it might be something going on with the hardware (try disconnecting things?) so the BIOS upgrade is certainly of interest. Try the BIOS upgrade first, then play around with the parameters; if things don't work out, I suggest you look for support on one of the Linux kernel mailing lists (perhaps acpi-devel*). Good luck. * https://lists.sourceforge.net/lists/listinfo/acpi-devel imho he should first use a recent VANILLA kernel. 2.12 or 2.13. And build a config without all that unneeded garbage. Also increase the dmesg buffer. Most interesting stuff is missing.
Re: [gentoo-user] Kworker use 80% of CPU
On 03/04/2014 17:20, Gleb Klochkov wrote:

Hi everybody, and thank you all! Excuse me, I did not answer for a long time. The problem is fixed for now. I delete all old kernels initrd and configs. The only question now is: why just upgrade to new kernel don't fix it. For new kernel it should use default config, shouldn't it?

Please don't top post. It messes with people's mail apps.

The kernel is self-contained. You can have 1 or 100 kernels in /boot, the only one that applies is the one you booted with. The other 99 have exactly zero influence over the one that is running.

The config settings the kernel is built with are whatever you told it to use. If you don't run *config at all, then the default settings are used. If it builds and runs, then it built and ran. The default config is nothing special, it's just a config.

So that's not it, and it's not some magic influence. Most likely you had stuff mixed up in /boot and the image you booted from is not the one you thought you booted from. Or the initrd is out of sync. Something like that - it will be human error.

I'll say it again because it is important - there is no magic interaction between kernel images and you can have as many as you want.

There's another possibility: some userspace app on your system was the real problem and you updated it meanwhile, fixing things. You also deleted old kernels and now wrongly think that is what fixed it.

Best regards, Клочков Глеб

2014-03-21 14:31 GMT+04:00 Volker Armin Hemmann volkerar...@googlemail.com:

On 20.03.2014 11:24, Tom Wijsman wrote:

On Thu, 20 Mar 2014 11:39:58 +0400 Gleb Klochkov glebiu...@gmail.com wrote:

Tom, thank you for your answer.

$ dmesg http://bpaste.net/show/187533/

There this can be seen:

[ 18.074574] [drm] Wrong MCH_SSKPD value: 0x16040307
[ 18.074575] [drm] This can cause pipe underruns and display issues.
[ 18.074575] [drm] Please upgrade your BIOS to fix this.
[ 18.148162] [drm] GMBUS [i915 gmbus vga] timed out, falling back to bit banging on pin 2 Above your messages seem interesting; some expected value is wrong, it also times out on a bus and then goes to use a pin instead. Not sure how much of this is intended, but try to upgrade your BIOS as suggested. $ cat /proc/interrupts http://bpaste.net/show/187537/ So, that would be this: 8: 63 0 0 0 IO-APIC-edge rtc0 Hmm, nothing about it in the dmesg; also, 63 seems low (on my system, however, it's only 1 as I think my system uses something different). You can try a different timer using this kernel parameter: clocksource=hpet Another note-worthy thing: 9: 699799454 0 0 0 IO-APIC-fasteoi acpi That there are ~700 million ACPI interrupts seems abnormally high; maybe the count is off by one, and 8 refers to 9? On my system, that's been running for a while by now, it's only at ~6000 (six thousand). uptime 11:29:37 up 49 days, 15:48, 16 users, load average: 0,38, 0,31, 0,39 8: 0 0 0 48 IO-APIC-edge rtc0 9: 0 0 0 0 IO-APIC-fasteoi acpi Changing the ACPI related kernel parameters to try to get it supported differently might be one thing to do here; other than that, it might be something going on with the hardware (try disconnecting things?) so the BIOS upgrade is certainly of interest. Try the BIOS upgrade first, then play around with the parameters; if things don't work out, I suggest you look for support on one of the Linux kernel mailing lists (perhaps acpi-devel*). Good luck. * https://lists.sourceforge.net/lists/listinfo/acpi-devel imho he should first use a recent VANILLA kernel. 2.12 or 2.13. And build a config without all that unneeded garbage. Also increase the dmesg buffer. Most interesting stuff is missing. -- Alan McKinnon alan.mckin...@gmail.com
Re: [gentoo-user] converting openrc's dmesg to systemd service file
On Thu, Apr 3, 2014 at 7:25 AM, Douglas J Hunley doug.hun...@gmail.com wrote:

I'm sure this is way more trivial than I'm making it out to be, but how in the world would one convert /etc/init.d/dmesg to a systemd service file?

Mmmh. Seeing [1], I really don't think that's a *service*. It's the kind of abuse that SysV scripts usually fall into.

What do you want to accomplish? Less output in the console when booting with systemd? Then you can set the quiet *kernel* command line. If you want systemd to be more (or less) verbose, then you can pass it different arguments in the kernel command line; see [2].

Is there a good online pointer about building service files?

The guide in [3] is a start; but I don't think it will help you, since /etc/init.d/dmesg is not a service. It is a hack to control console output behavior jammed into the init system because why not.

Regards.

[1] http://git.overlays.gentoo.org/gitweb/?p=proj/openrc.git;a=blob;f=init.d/dmesg.in;h=5b001fca7542ce7e003af30ca49fdf471efd8871;hb=HEAD
[2] http://www.freedesktop.org/software/systemd/man/systemd.html#Kernel%20Command%20Line
[3] http://0pointer.de/blog/projects/systemd-for-admins-3.html

-- Canek Peláez Valdés Posgrado en Ciencia e Ingeniería de la Computación Universidad Nacional Autónoma de México
Re: [gentoo-user] converting openrc's dmesg to systemd service file
On 03/04/2014 17:35, Canek Peláez Valdés wrote:

On Thu, Apr 3, 2014 at 7:25 AM, Douglas J Hunley doug.hun...@gmail.com wrote:

I'm sure this is way more trivial than I'm making it out to be, but how in the world would one convert /etc/init.d/dmesg to a systemd service file?

Mmmh. Seeing [1], I really don't think that's a *service*. It's the kind of abuse that SysV scripts usually fall into.

What do you want to accomplish? Less output in the console when booting with systemd? Then you can set the quiet *kernel* command line. If you want systemd to be more (or less) verbose, then you can pass it different arguments in the kernel command line; see [2].

Is there a good online pointer about building service files?

The guide in [3] is a start; but I don't think it will help you, since /etc/init.d/dmesg is not a service. It is a hack to control console output behavior jammed into the init system because why not.

Regards.

[1] http://git.overlays.gentoo.org/gitweb/?p=proj/openrc.git;a=blob;f=init.d/dmesg.in;h=5b001fca7542ce7e003af30ca49fdf471efd8871;hb=HEAD
[2] http://www.freedesktop.org/software/systemd/man/systemd.html#Kernel%20Command%20Line
[3] http://0pointer.de/blog/projects/systemd-for-admins-3.html

Let's be fair to SysV init though. This is not a hack in the true sense of the word as SysV doesn't impose the concept of a service as such. It's more of a $DO_STUFF_HERE concept, as in:

- start pid 1
- read /etc/inittab
- DO_STUFF_HERE (determined by /etc/rc.d/*)
- run login on consoles

SysV init pays no attention to what the various STUFF might be so they can correctly be anything and are considered to be unmanaged.

Systemd is an effort to categorize things, and to get them consistent, manageable and *managed*. As such, dmesg indeed does not belong with services, but somewhere else.

-- Alan McKinnon alan.mckin...@gmail.com
Re: [gentoo-user] converting openrc's dmesg to systemd service file
On Thu, Apr 3, 2014 at 9:25 AM, Douglas J Hunley doug.hun...@gmail.com wrote:

I'm sure this is way more trivial than I'm making it out to be, but how in the world would one convert /etc/init.d/dmesg to a systemd service file? Is there a good online pointer about building service files?

Rather than create a service, drop a conf file into /etc/sysctl.d/ to set kernel.printk where the first of the four levels is the dmesg_level of /etc/conf.d/dmesg.
Re: [gentoo-user] converting openrc's dmesg to systemd service file
On Thu, Apr 3, 2014 at 1:04 PM, Tom H tomh0...@gmail.com wrote: Rather than create a service, drop a conf file into /etc/sysctl.d/ to set kernel.printk where the first of the four levels is the dmesg_level of /etc/conf.d/dmesg. ah, there it is. trivial. :) thanks! -- Douglas J Hunley (doug.hun...@gmail.com) Twitter: @hunleyd Web: douglasjhunley.com G+: http://google.com/+DouglasHunley
Re: [gentoo-user] Self-signed certificate Apache
On Thursday 03 Apr 2014 15:42:13 Alan McKinnon wrote:

On 03/04/2014 16:24, Peter Humphrey wrote:

Hello list, Almost there now... After receiving help from Mick K and the list (thanks again!) I've now some idea of what I'm doing. I've installed OwnCloud to be served over SSL. I've followed the instructions here[1] to create a self-signed certificate, which is in two files: cloud.crt and cloud.key. I put both of those under /etc/apache2/private. I ignored the vague references to intermediate files. The command I gave was:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key -out cloud.crt

Now when I start Apache I get this warning, twice:

RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Is this to be expected, or is anyone visiting (none expected though) likely to think I'm masquerading as a certification authority?

[1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html

What you've done works but you didn't do it the way Apache thinks these things work. You created a signing cert that is to be used to sign other certs, but instead used it as your SSL cert. Apache thinks this is unusual enough to warrant a log entry.

To be truthful you don't want to do it that way if only because it's contrary to what other pros expect you to have done. Third comment in this blog post gives excellent advice on how to do it better:

http://www.turnkeylinux.org/forum/support/20121228/rsa-server-certificate-ca-certificate-error

As Alan said, you have created a self-signed certificate, which in essence acts as its own Certification Authority (both Issuer and Subject are the same). Every CA root certificate is a self-signed certificate, but they are typically only used to sign other certificates with, intermediate, or end certificates. You configure your client to trust the CA certificate and then it will also trust any certificate signed by it.

If you examine the X509 structure, you will see a field like this:

X509v3 Basic Constraints: CA:TRUE

If it were an intermediate certificate it would say:

X509v3 Basic Constraints: CA:FALSE

This is what your browser is warning you about. Anyone visiting the web page will either abort thinking that there is something dodgy with the server, or click fast on the ignore button on their browser and carry on. In this case they could well fall victim of a man-in-the-middle attack - if they do not check the content of the certificate and assure themselves that they are visiting the domain they intended to visit. Illegitimate certificates would complain in the same manner.

In any case, unless you obtain a certificate which has been signed by a CA that is included in the default browser root CA certificates, random visitors are bound to get a browser warning about the CA that issued the certificate not being recognised as a trusted root CA by the browser. If they are instructed by you to accept said certificate as a trusted root CA in their browser, then the problem will go away as long as they are using the same browser on each visit.

-- Regards, Mick
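Added example, not part of the thread or of the articles it links to: the `openssl req -x509` command quoted above takes its extensions from the stock openssl.cnf, whose `v3_ca` section sets CA:TRUE. The script below issues the same kind of self-signed certificate from an explicit config, once with CA:TRUE and once as a plain server certificate with CA:FALSE, and checks the flag in each result. The host name `cloud.example.test`, the file names and the `[v3_ext]` section name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Host name, file names and the
# [v3_ext] section name are assumptions made for illustration.

# make_cert OUTDIR NAME TRUE|FALSE
# Writes NAME.cnf, NAME.key and NAME.crt into OUTDIR. The last argument
# becomes the basicConstraints CA flag of the self-signed certificate.
make_cert() {
    dir=$1 name=$2 ca=$3
    extra=""
    if [ "$ca" = "FALSE" ]; then
        # Restrict a server certificate to TLS server use.
        extra="keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth"
    fi
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ext
default_md         = sha256
prompt             = no

[dn]
CN = cloud.example.test

[v3_ext]
basicConstraints = critical, CA:$ca
subjectAltName   = DNS:cloud.example.test
$extra
EOF
    # -nodes leaves the key unencrypted, so keep it owner-readable only.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -config "$dir/$name.cnf" \
          -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
}

# cert_is_ca CERT -> exit status 0 if the certificate asserts CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q '^ *CA:TRUE'
}

# Build both variants in a scratch directory and report the flag.
demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" ca-style TRUE
    make_cert "$tmp" leaf FALSE
    for c in ca-style leaf; do
        if cert_is_ca "$tmp/$c.crt"; then
            echo "$c.crt: CA:TRUE  (the case Apache warns about)"
        else
            echo "$c.crt: CA:FALSE (plain server certificate)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Running `cert_is_ca` against an existing file such as cloud.crt shows whether it is the kind of certificate that triggers the Apache warning.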
[gentoo-user] Portage did not remerge dev-perl/XML-Parser after upgrading perl,
Portage did not remerge dev-perl/XML-Parser after I upgraded perl, which causes the new perl to be unable to require XML::Parser. Will revdep-rebuild solve it?
Re: [gentoo-user] Portage did not remerge dev-perl/XML-Parser after upgrading perl,
On 04-Apr-2014 6:55 am, 林守磊 linxiu...@gmail.com wrote:

Portage did not remerge dev-perl/XML-Parser after I upgraded perl, which causes the new perl to be unable to require XML::Parser. Will revdep-rebuild solve it?

perl-cleaner --all
Re: [gentoo-user] my gnome-shell break
What the path of gnome-shell log, maybe some error log can trace the problem PS: I use journal 2014-04-03 21:28 GMT+08:00 Nilesh Govindrajan m...@nileshgr.com: Did you try deleting ~/. *? Sometimes simple things like those help. Take a backup first. Sorry for top post, sent from mobile. On 03-Apr-2014 6:48 am, 林守磊 linxiu...@gmail.com wrote: Hi all I use gnome-shell-3.10.4-r1 some problem happen when I upgrade from 3.8, such as wall-picture disappeared, word of clock break attached my screenshots