Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Saturday 19 Apr 2014 19:41:02 Dale wrote:
> Mick wrote:
>> and look for this info:
>>
>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher: RC4-SHA
>
> I have this little padlock looking thing too. I dug around and found this info:
>
> CN = VeriSign Class 3 Extended Validation SSL SGC CA
> OU = Terms of use at https://www.verisign.com/rpa (c)06
> OU = VeriSign Trust Network
> O = VeriSign, Inc.
> C = US
>
> PKCS #1 RSA Encryption
>
> There is another place with info but it doesn't allow me to highlight it so that I can copy and paste. Hmm.
>
> Anyway, is that reasonable for a bank to use? In case you haven't noticed, I'm not a wealth of info on encryption, just rich in questions. I just know that it is supposed to make things unreadable without a password, pass key or whatever.
>
> This is currently my bank.
>
> http://cadencebank.com/
>
> Since they changed to a card that a lot of stores don't take, that could be changing real soon.

You need to go to the URL that they provide for secure banking, not the home page of their main website. They seem to offer a lot of services under different URLs. Not all of them have the same level of protection. Picking two URLs at random:

The Fluent account login page takes me to:

https://portal.cadencebank.com/consumer/

and openssl s_client tells me:

==
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: AES128-SHA
==

So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital signature is with the AES symmetric cipher with 128bit keys. This is considered safe enough for today. They also use the SHA1 hash which is less secure (if you are paranoid that someone may change the packets payload in flight). Since 2004 it was found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms and NIST has launched a competition for the next secure hash SHA3. However, MD5 and SHA1 are used so widely today it could take a long time for them to disappear.

However, picking up another banking service of theirs I see that they are using RC4 with MD5:

==
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: RC4-MD5
==

RC4 is considered completely broken today, even for Microsoft! :-)

http://en.wikipedia.org/wiki/RC4

The good news is that your bank's servers do not leak any secrets at this moment and it seems they never did (they use SUN servers).

--
Regards,
Mick
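The checks applied by eye to the `openssl s_client` summaries quoted in the message above can be automated. The following is an added example, not part of the original post: it parses that summary block and lists the properties the thread treats as weak. The sample texts are constructed from the quoted output, and the function names are hypothetical.

```python
import re

# Constructed samples: the summaries quoted in the thread, laid out the way
# `openssl s_client` (OpenSSL 1.0.x era) prints them.
SAMPLE_AES128_SHA = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
"""
SAMPLE_RC4_MD5 = SAMPLE_AES128_SHA.replace("AES128-SHA", "RC4-MD5")
SAMPLE_RC4_SHA_NO_RENEG = (
    SAMPLE_AES128_SHA.replace("AES128-SHA", "RC4-SHA")
    .replace("IS supported", "IS NOT supported")
)

FIELDS = {
    "protocol": re.compile(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)", re.M),
    "cipher": re.compile(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)", re.M),
    "key_bits": re.compile(r"^Server public key is (\d+) bit", re.M),
    "reneg": re.compile(r"^Secure Renegotiation (IS NOT|IS) supported", re.M),
    "compression": re.compile(r"^Compression:[ \t]*(\S+)", re.M),
}

OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}


def parse_summary(text):
    """Pull the handshake summary fields out of s_client output."""
    summary = {}
    for name, rx in FIELDS.items():
        match = rx.search(text)
        summary[name] = match.group(1) if match else None
    return summary


def audit(text):
    """Return a list of findings for one s_client summary (empty = none)."""
    s = parse_summary(text)
    if s["protocol"] is None or s["cipher"] is None:
        return ["incomplete output: no SSL-Session protocol/cipher"]
    # s_client prints cipher 0000 when the handshake did not complete.
    if s["cipher"] in ("0000", "(NONE)"):
        return ["no cipher negotiated"]

    findings = []
    if s["protocol"] in OLD_PROTOCOLS:
        findings.append("protocol %s is older than TLSv1.2" % s["protocol"])

    # Assumes OpenSSL's pre-TLS-1.3 suite names: components joined by "-",
    # key exchange first (when not plain RSA) and the MAC last.
    parts = s["cipher"].split("-")
    if "RC4" in parts:
        findings.append("RC4 stream cipher")
    if parts[-1] == "MD5":
        findings.append("MD5 record MAC")
    elif parts[-1] == "SHA":
        findings.append("SHA-1 record MAC")
    if parts[0] not in FORWARD_SECRET_KX:
        findings.append("no forward secrecy (key exchange is not DHE/ECDHE)")

    if s["key_bits"] is not None and int(s["key_bits"]) < 2048:
        findings.append("server key shorter than 2048 bits")
    if s["reneg"] == "IS NOT":
        findings.append("secure renegotiation not supported")
    if s["compression"] not in (None, "NONE"):
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for label, sample in [("AES128-SHA", SAMPLE_AES128_SHA),
                          ("RC4-MD5", SAMPLE_RC4_MD5),
                          ("RC4-SHA", SAMPLE_RC4_SHA_NO_RENEG)]:
        print(label, audit(sample))
```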
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>
> Well, that's an eye-opener and no mistake. I see my bank is rated B overall. Could be worse I suppose. Maybe I should forward the results to them.

Many banks, businesses and public institutions have to cater for the lowest common denominator, or their help lines would be inundated with irate customers being asked to first reboot their MSWindows PC. Until the beginning of April 2014 this would have been a WinXP user with MSIE 8.0. In Europe up to 25% of all PCs are still on WinXP. This counts out anything exotic in encryption capabilities, like ECDHE and ECDSA, because it is only the latest versions of Firefox and Chrome that can use these.

This is the reason that banks also employ some other means of authentication, in addition to your user ID; e.g. they typically ask you to enter a few characters out of your password (different each time), or additional secret data like the name of your favourite teacher, mother's maiden name and the like. Unless someone was recording each and every login of yours with the bank and kept a record of each and every password character you ever typed they may still not be able to login, without locking up the account and triggering an offline replacement of your password.

So I suspect they assume that the Internet connection to their servers should be treated as ahem! less than private and have deployed additional means of at least stopping unauthorised transactions online.

--
Regards,
Mick
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Mick wrote:
> On Saturday 19 Apr 2014 19:41:02 Dale wrote:
>> Mick wrote:
>>> and look for this info:
>>>
>>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher: RC4-SHA
>>
>> I have this little padlock looking thing too. I dug around and found this info:
>>
>> CN = VeriSign Class 3 Extended Validation SSL SGC CA
>> OU = Terms of use at https://www.verisign.com/rpa (c)06
>> OU = VeriSign Trust Network
>> O = VeriSign, Inc.
>> C = US
>>
>> PKCS #1 RSA Encryption
>>
>> There is another place with info but it doesn't allow me to highlight it so that I can copy and paste. Hmm.
>>
>> Anyway, is that reasonable for a bank to use? In case you haven't noticed, I'm not a wealth of info on encryption, just rich in questions. I just know that it is supposed to make things unreadable without a password, pass key or whatever.
>>
>> This is currently my bank.
>>
>> http://cadencebank.com/
>>
>> Since they changed to a card that a lot of stores don't take, that could be changing real soon.
>
> You need to go to the URL that they provide for secure banking, not the home page of their main website. They seem to offer a lot of services under different URLs. Not all of them have the same level of protection. Picking two URLs at random:
>
> The Fluent account login page takes me to:
>
> https://portal.cadencebank.com/consumer/
>
> and openssl s_client tells me:
>
> ==
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher: AES128-SHA
> ==
>
> So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital signature is with the AES symmetric cipher with 128bit keys. This is considered safe enough for today. They also use the SHA1 hash which is less secure (if you are paranoid that someone may change the packets payload in flight). Since 2004 it was found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms and NIST has launched a competition for the next secure hash SHA3. However, MD5 and SHA1 are used so widely today it could take a long time for them to disappear.
>
> However, picking up another banking service of theirs I see that they are using RC4 with MD5:
>
> ==
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher: RC4-MD5
> ==
>
> RC4 is considered completely broken today, even for Microsoft! :-)
>
> http://en.wikipedia.org/wiki/RC4
>
> The good news is that your bank's servers do not leak any secrets at this moment and it seems they never did (they use SUN servers).

Yet. I would rather not be the next customer to have his ID stolen like Target, I think the chain Michaels was stolen in the past couple days but not positive on that yet. That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated. If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well.

picture a thumbs up here

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 20, 2014, at 11:49, Mick michaelkintz...@gmail.com wrote:
> On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
>> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
>>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>>
>> Well, that's an eye-opener and no mistake. I see my bank is rated B overall. Could be worse I suppose. Maybe I should forward the results to them.
>
> Many banks, businesses and public institutions have to cater for the lowest common denominator, or their help lines would be inundated with irate customers being asked to first reboot their MSWindows PC. Until the beginning of April 2014 this would have been a WinXP user with MSIE 8.0. In Europe up to 25% of all PCs are still on WinXP. This counts out anything exotic in encryption capabilities, like ECDHE and ECDSA, because it is only the latest versions of Firefox and Chrome that can use these.

Yes, this is true. Even gentoo doesn't have a stable firefox that supports TLSv1.2 highest security ciphers C030 and C02C (ECDHE-RSA/ECDSA-AES256-GCM-SHA384). But what banks should do they should support the most secure ciphers and sort their cipher lists so that the most secure are at the top. Because what I understood is that browsers will by default use the first cipher in the order the server sent them it supports and not go through the entire list.

A security aware user can of course disable all the bad ciphers he doesn't want to use in his own browser. Now if he tries to connect to a poorly secured site the connection will fail until a common cipher is found. But what is important you will know when you try to make an insecure connection.

> This is the reason that banks also employ some other means of authentication, in addition to your user ID; e.g. they typically ask you to enter a few characters out of your password (different each time), or additional secret data like the name of your favourite teacher, mother's maiden name and the like. Unless someone was recording each and every login of yours with the bank and kept a record of each and every password character you ever typed they may still not be able to login, without locking up the account and triggering an offline replacement of your password.

NSA has this capability. Also I think most of the largest ISPs are capable of doing it. All this requires is enough HD space, private key of any CA enabled x509 certificate and access to any router between you and the bank or DNS poisoning of your computer.

> So I suspect they assume that the Internet connection to their servers should be treated as ahem! less than private and have deployed additional means of at least stopping unauthorised transactions online.

--
-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Sunday 20 Apr 2014 10:21:08 Matti Nykyri wrote:
> On Apr 20, 2014, at 11:49, Mick michaelkintz...@gmail.com wrote:
>> On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
>>> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
>>>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of America uses:
>>>>
>>>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>>>
>>> Well, that's an eye-opener and no mistake. I see my bank is rated B overall. Could be worse I suppose. Maybe I should forward the results to them.
>>
>> Many banks, businesses and public institutions have to cater for the lowest common denominator, or their help lines would be inundated with irate customers being asked to first reboot their MSWindows PC. Until the beginning of April 2014 this would have been a WinXP user with MSIE 8.0. In Europe up to 25% of all PCs are still on WinXP. This counts out anything exotic in encryption capabilities, like ECDHE and ECDSA, because it is only the latest versions of Firefox and Chrome that can use these.
>
> Yes, this is true. Even gentoo doesn't have a stable firefox that supports TLSv1.2 highest security ciphers C030 and C02C (ECDHE-RSA/ECDSA-AES256-GCM-SHA384). But what banks should do they should support the most secure ciphers and sort their cipher lists so that the most secure are at the top. Because what I understood is that browsers will by default use the first cipher in the order the server sent them it supports and not go through the entire list.

I think the browsers go through the list, but agree to support the first server preferred cipher that is also supported by the client, even if it is lower in the list of preferred ciphers on the client:

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

> A security aware user can of course disable all the bad ciphers he doesn't want to use in his own browser. Now if he tries to connect to a poorly secured site the connection will fail until a common cipher is found. But what is important you will know when you try to make an insecure connection.
>
>> This is the reason that banks also employ some other means of authentication, in addition to your user ID; e.g. they typically ask you to enter a few characters out of your password (different each time), or additional secret data like the name of your favourite teacher, mother's maiden name and the like. Unless someone was recording each and every login of yours with the bank and kept a record of each and every password character you ever typed they may still not be able to login, without locking up the account and triggering an offline replacement of your password.
>
> NSA has this capability. Also I think most of the largest ISPs are capable of doing it. All this requires is enough HD space, private key of any CA enabled x509 certificate and access to any router between you and the bank or DNS poisoning of your computer.

In Europe I think that the situation for ISPs capturing data is not settled yet. I seem to recall that Germany and Belgium disputed in court a European Directive (Data Retention Directive 2006) to capture and store users' data. I think that they eventually were forced to implement part of the directive - who needs GDR's STASI these days! :p

In the UK data is kept for 1-2 years, but that is only what they let us know. A few days ago the EU Court of Justice declared the directive invalid/unlawful, but that has been kept quiet in the media.

--
Regards,
Mick
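The cipher-order question discussed in the two messages above can be made concrete with a small model. This is an added example, not part of the original thread: a simplified suite selection that ignores protocol version and certificate type, with constructed cipher lists and a crude strength ranking invented for the illustration. It shows what the server's ordering policy changes, what sorting the server list strongest-first achieves, and how a client that has disabled weak suites gets a visible failure.

```python
def negotiate(client_offer, server_suites, honor_server_order):
    """Return the suite the server selects, or None on handshake failure.

    Both lists are in preference order. With honor_server_order the server
    walks its own list; otherwise it walks the client's list.
    """
    if honor_server_order:
        preferred, other = server_suites, client_offer
    else:
        preferred, other = client_offer, server_suites
    for suite in preferred:
        if suite in other:
            return suite
    return None


def weakness(suite):
    """Sort key for this example only: lower tuples sort first (stronger)."""
    parts = suite.split("-")
    return (
        parts[0] not in ("ECDHE", "DHE"),  # no forward secrecy
        "RC4" in parts,                    # RC4 stream cipher
        parts[-1] == "MD5",                # MD5 MAC
        "GCM" not in parts,                # not an AEAD mode
    )


def without_weak(offer):
    """Client-side hardening: drop RC4 and MD5 suites from the offer."""
    return [s for s in offer
            if "RC4" not in s.split("-") and not s.endswith("-MD5")]


# Constructed lists (not taken from any real server or browser).
SERVER_AS_FOUND = ["RC4-MD5", "RC4-SHA", "AES128-SHA",
                   "ECDHE-RSA-AES256-GCM-SHA384"]
SERVER_SORTED = sorted(SERVER_AS_FOUND, key=weakness)
RC4_ONLY_SERVER = ["RC4-SHA", "RC4-MD5"]
MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA",
                 "RC4-SHA", "RC4-MD5"]
LEGACY_CLIENT = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]


def scenarios():
    """Run the cases discussed in the thread and return the chosen suites."""
    return {
        # Server order honoured, weak suites listed first: modern client
        # still ends up on the server's first choice.
        "server_order_weak_first":
            negotiate(MODERN_CLIENT, SERVER_AS_FOUND, True),
        # Same server, but it follows the client's order instead.
        "client_order":
            negotiate(MODERN_CLIENT, SERVER_AS_FOUND, False),
        # Server list sorted strongest first: modern client gets the best
        # suite, legacy client still connects with what it has.
        "sorted_modern": negotiate(MODERN_CLIENT, SERVER_SORTED, True),
        "sorted_legacy": negotiate(LEGACY_CLIENT, SERVER_SORTED, True),
        # Hardened client against a server with only weak suites: no
        # common suite, so the connection fails instead of degrading.
        "hardened_vs_rc4_only":
            negotiate(without_weak(MODERN_CLIENT), RC4_ONLY_SERVER, True),
    }


if __name__ == "__main__":
    for name, chosen in scenarios().items():
        print(f"{name:26} -> {chosen}")
```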
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Sunday 20 Apr 2014 10:10:42 Dale wrote:
> Mick wrote:
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher: RC4-MD5
>> ==
>>
>> RC4 is considered completely broken today, even for Microsoft! :-)
>>
>> http://en.wikipedia.org/wiki/RC4
>>
>> The good news is that your bank's servers do not leak any secrets at this moment and it seems they never did (they use SUN servers).
>
> Yet. I would rather not be the next customer to have his ID stolen like Target, I think the chain Michaels was stolen in the past couple days but not positive on that yet. That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated. If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well.
>
> picture a thumbs up here

Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.

According to the Netcraft SSL Survey (May 2013) only a third of all web servers out there offer Perfect Forward Secrecy to ensure that even if the encryption keys were to be compromised, previous communications cannot be retrospectively decrypted. Elliptic Curve algorithms are not yet included in many browsers and in any case the security of these in a post-Snowden world should be questionable (well, at least the arbitrarily specified NIST-NSA sponsored curves, which OpenSSL is heavily impregnated with).

What I'm saying is that there may be no perfect banking website out there, because Internet security is screwed up at the moment, but it is always worth looking for a better bet.

--
Regards,
Mick
Re: [gentoo-user] Weird Screen-Overlay problems after update
Walter Dnes waltd...@waltdnes.org [14-04-14 17:23]:
> On Mon, Apr 14, 2014 at 05:20:12AM +0200, meino.cra...@gmx.de wrote
>> was updated and I installed Linux 3.12.17 (vanilla) and recompiled the nvidia-drivers and finally the X11-modules, a really annoying thing happened:
>>
>> When a program uses the screen overlay technique (right word???) to display (mainly) videos (me-tv, flashplayer, Blender while rendering) ANY and everything on any desktop, which has a black background (mutt, urxvt to only name a few) displays the video even if the video application runs on a different desktop. Handling the desktops then becomes a masterpiece of focus and counting ;)
>>
>> I am using openbox, nvidia-drivers, linux 3.12.17 vanilla, me-tv, flashplayer, blender (daily build taken from Blender's buildbot).
>>
>> What can I do to get rid of this effect?
>
> This seems to be a common problem with nvidia video cards using the nvidia binary blobs. I ran into it some time ago. If you don't want to get rid of the nvidia card, try the Nouveau open-source drivers. You won't get all the acceleration that the Nvidia binaries provide, but at least you probably won't get the problems you have now.
>
> --
> Walter Dnes waltd...@waltdnes.org
> I don't run desktop environments; I run useful applications

Hi,

after a reasonable count of up- and downgrades of a handful of software and drivers I sorted out x11-base/xorg-server-1.15.0 that causes the problems. Everything is now at the newest state. After downgrading to x11-base/xorg-server-1.14.5 and its modules everything works fine again.

Only mentioned, everyone else searches here for the same and got the impression it is better to buy a new card / new PC / other OS.

Best regards,
mcc
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 20, 2014, at 15:38, Mick michaelkintz...@gmail.com wrote:
> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>
> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.

This is a problem all Microsoft's customers are facing. I wonder why they don't demand more. I hope this publicity that Snowden and Heartbleed have brought to an average user will change their interests to demand better privacy.

Anyways I just wonder who trusts software whose source code isn't open and reviewed by a large community that don't have a financial interest on you.

> According to the Netcraft SSL Survey (May 2013) only a third of all web servers out there offer Perfect Forward Secrecy to ensure that even if the encryption keys were to be compromised, previous communications cannot be retrospectively decrypted. Elliptic Curve algorithms are not yet included in many browsers and in any case the security of these in a post-Snowden world should be questionable (well, at least the arbitrarily specified NIST-NSA sponsored curves, which OpenSSL is heavily impregnated with).
>
> What I'm saying is that there may be no perfect banking website out there, because Internet security is screwed up at the moment, but it is always worth looking for a better bet.

It is really hard to fight for privacy, because we have large companies and agencies that actively are lobbying politicians and standards for their own personal interests. In order for the security to get better an average user needs to gain an interest in it. This seems unlikely because nowadays everybody is uploading all their secrets to a cloud computing service etc. But I hope this publicity will change it even slowly.

Another thing is that system administrators need to gain more knowledge on securing their services. For that I think this conversation is quite helpful. A lot of people read this list and it can be found by Google. Openssl and gnupg are not very easy to use for someone who doesn't have any knowledge on cryptography. For example openssl will try to use md5 by default even in gentoo if you just try to create x509 cert. And many manual pages are way behind... Newest algorithms are almost never listed there. So you have to truly dig in or ask somebody to find safe and up-to-date answers.

--
-Matti
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
On 20.04.2014 18:40, Matti Nykyri wrote:
> On Apr 20, 2014, at 15:38, Mick michaelkintz...@gmail.com wrote:
>> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>>
>> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.
>
> This is a problem all Microsoft's customers are facing.

Take a look on Linux Distros from 2000 when WinXP has been developed, and you'll see, that the Linux Distros weren't better in this. Same for the time when WinVista was developed, and the same for Win7 and Win8. So don't blame Microsoft for things that they did as good as everybody else did, that would be unfair.

> Anyways I just wonder who trusts software whose source code isn't open and reviewed by a large community that don't have a financial interest on you.

Ouch, wrong argument, really! Nobody in the large opensource community had ever reviewed the heartbeat code in more than two years. This was not a harmless bug in a mostly unused library, it was a really big issue in one of the most used libraries in the world and *nobody* saw it. Has openssl ever been carefully audited? I don't think so and I bet that there are more heartbleed like bugs in openssl. On the other hand schannel (the Windows cryptolib) is regularly audited.

Sorry, but the large opensource community is blind on both eyes, whereas the closed source community is only blind on one eye.

--
Kind Regards, Mit freundlichen Grüssen,
Markus Kohlmeyer

Markus Kohlmeyer
PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55
Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Mick wrote:
> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>> Mick wrote:
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher: RC4-MD5
>>> ==
>>>
>>> RC4 is considered completely broken today, even for Microsoft! :-)
>>>
>>> http://en.wikipedia.org/wiki/RC4
>>>
>>> The good news is that your bank's servers do not leak any secrets at this moment and it seems they never did (they use SUN servers).
>>
>> Yet. I would rather not be the next customer to have his ID stolen like Target, I think the chain Michaels was stolen in the past couple days but not positive on that yet. That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated. If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well.
>>
>> picture a thumbs up here
>
> Just a 1/3 of all websites offer TLSv1.2 at the moment and hardly any public sites offer it as an exclusive encryption protocol, because they would lock out most of their visitors. This is because most browsers do not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the RC4 cipher (since November last year). I understand they are planning to drop SHA-1 next Christmas and have already dropped MD5 because of the Flame malware. This should push many websites to sort out their encryption and SSL certificates and move away from using RC4 and SHA1 or MD5. As I said RC4 has been reverted to by many sites as an immediate if interim defence against the infamous BEAST and Lucky Thirteen attacks.
>
> According to the Netcraft SSL Survey (May 2013) only a third of all web servers out there offer Perfect Forward Secrecy to ensure that even if the encryption keys were to be compromised, previous communications cannot be retrospectively decrypted. Elliptic Curve algorithms are not yet included in many browsers and in any case the security of these in a post-Snowden world should be questionable (well, at least the arbitrarily specified NIST-NSA sponsored curves, which OpenSSL is heavily impregnated with).
>
> What I'm saying is that there may be no perfect banking website out there, because Internet security is screwed up at the moment, but it is always worth looking for a better bet.

Well, my bank only got a C for its grade. For what it costs every month, it should get an A+. I don't have one of those free checking accounts. I pay fees each month for mine. Plus I have already been planning to switch ever since they switched my debit card from Visa to Discover. I'm tired of finding something online or going into a business to buy something and then find out they don't take Discover. It's just a matter of speed of switching that has changed. Basically, just one more nail in the coffin.

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Output of mount and cat /etc/mtab inside install chroot?
On Sat, 19 Apr 2014 13:54:07 +0100 Peter Humphrey pe...@prh.myzen.co.uk wrote:
> On Saturday 19 Apr 2014 07:43:18 Walter Dnes wrote:
>> I've got another thread going called... Strange behaviour with LILO on new install on old laptop. Before I file a bug report, I want to check first whether it's my fault. Can people here do me a favour? If you have a Gentoo install CD or USB key handy, and are willing to reboot, can you please do the following...
>>
>> 1) boot from the install ISO
>> 2) chroot to a running environment
>> 3) list the output from the 2 commands
>>
>> mount
>> cat /etc/mtab
>>
>> I'm getting absolutely no output at all from those 2 commands in the install chroot. That screws up the lilo ebuild install process. I want to check whether blank /etc/mtab is my fault or not.
>
> The installation handbook used to include a command to write /etc/mtab in the chroot by grepping the host mtab

It was part of grub-install, now grub legacy

https://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=1&chap=10#doc_chap4

---
Jan Matějka | Developer
https://gentoo.org | Gentoo Linux
GPG: A33E F5BC A9F6 DAFD 2021 6FB6 3EBF D45B EEB6 CA8B