[gentoo-user] gstreamer or ffmeg - that's the question
Hi, the recent upgrade to Gnome 3.12.1 includes app-misc/tracker-1.0 which forces me to decide between gstreamer and ffmpeg. It says The following REQUIRED_USE flag constraints are unsatisfied: at-most-one-of ( gstreamer ffmpeg ) But many packages installed here depend on one of these. What can I do about it and why can't I have both as previously. Many thanks for a hint, Helmut
Re: [gentoo-user] gstreamer or ffmeg - that's the question
On 04/28/2014 01:13 AM, Helmut Jarausch wrote:
> Hi,
> the recent upgrade to Gnome 3.12.1 includes app-misc/tracker-1.0 which forces me to decide between gstreamer and ffmpeg. It says
>
>   The following REQUIRED_USE flag constraints are unsatisfied:
>     at-most-one-of ( gstreamer ffmpeg )
>
> But many packages installed here depend on one of these.
> What can I do about it and why can't I have both as previously.

It's only asking you to choose which to use for app-misc/tracker, not globally. Just change the USE for that individual package.

  echo "app-misc/tracker gstreamer -ffmpeg" >> /etc/portage/package.use/tracker

or

  echo "app-misc/tracker -gstreamer ffmpeg" >> /etc/portage/package.use/tracker
Re: [gentoo-user] gstreamer or ffmeg - that's the question
Many thanks, John, Helmut On 04/28/2014 10:55:40 AM, John Campbell wrote: On 04/28/2014 01:13 AM, Helmut Jarausch wrote: Hi, the recent upgrade to Gnome 3.12.1 includes app-misc/tracker-1.0 which forces me to decide between gstreamer and ffmpeg. It says The following REQUIRED_USE flag constraints are unsatisfied: at-most-one-of ( gstreamer ffmpeg ) But many packages installed here depend on one of these. What can I do about it and why can't I have both as previously. It's only asking you to choose which to use for app-misc/tracker, not globally. Just change the USE for that individual package. echo app-misc/tracker gstreamer -ffmpeg /etc/portage/package.use/tracker or echo app-misc/tracker -gstreamer ffmpeg /etc/portage/package.use/tracker
Re: [gentoo-user] More emerge oddity in chroot
On Thursday 24 Apr 2014 13:57:19 I wrote: So far I've done these things: 1.Wiped the whole system and restored from backup (heavy overkill, but I wanted everything to be in the same, consistent state). 2.Run bad-blocks tests on all partitions (though all but / and /boot are in logical volumes - I don't know to what extent that will have affected the results). ---8 Looking at bad-blocks again, I see from gkrellm that 'mkfs.ext4 -cc -L Atom /dev/vg7/atom' writes the test patterns to both the underlying physical disks, but it only reads back from one of them. -- Regards Peter
[gentoo-user] new install - slim or xdm no fonts username/password
Hi, running slim, I see the gentoo logo with the window to insert username, but I don't see the username password labels. When typing username, I see blank letters. When pressing F1, the username label appears, but the name of the desktop does not. When entering password, again, pressing F1, the password label appears. Again, typing username, I see blank letters. Any help will be appreciated. Regards, Kfir
[gentoo-user] Re: new install - slim or xdm no fonts username/password
On Mon, Apr 28, 2014 at 3:59 PM, Kfir Lavi lavi.k...@gmail.com wrote: Hi, running slim, I see the gentoo logo with the window to insert username, but I don't see the username password labels. When typing username, I see blank letters. When pressing F1, the username label appears, but the name of the desktop does not. When entering password, again, pressing F1, the password label appears. Again, typing username, I see blank letters. Any help will be appreciated. Regards, Kfir Ok, https://bugs.gentoo.org/show_bug.cgi?id=488752 Shows the exact same problem. It seems I need to downgrade xorg-server. Kfir
[gentoo-user] Heartbleed - using openssl-0.9.8y and affected
Which program do I upgrade to fix Heartbleed bug? http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable. I'm using dev-libs/openssl-0.9.8y Why safeweb.norton is triggering my server vulnerable? -- Joseph
Re: [gentoo-user] glibc-2.18 build problem
2014-03-21 23:44 GMT+08:00 Tom Wijsman tom...@gentoo.org: On Fri, 7 Mar 2014 18:43:27 +0800 microcai micro...@fedoraproject.org wrote: I'm having trouble compiling glibc. No matter I tried with binutils 2.23 2.24. or - live version, I got ld internal error in x86_64_relocation . And the same error repeated with glibc-2.18 and glibc-2.19 . Don't know why . The google bring me a old bug report about x86_64_relocation internal error when used conjunction with IFUNC, but that doesn't seems to be related with mine problem. When I first try to update glibc to 2.18, it's fine. but then the attempt to update glibc to 2.18-r1 failed with ld internal error. This error remains with glibc-2.16-r2 and glibc-2.19, regardless of binutils version. Does anyone have had the same problem? Can you file a bug at https://bugs.gentoo.org such that the maintainers are aware of this? That is, only if it is still reproducible today. fixed. it's because of a wired CFLAGS -Bsymblic-functions that I put into make.conf once for testing but forget to remove afterwards. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 09:17, Joseph wrote: Which program do I upgrade to fix Heartbleed bug? http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable. I'm using dev-libs/openssl-0.9.8y Why safeweb.norton is triggering my server vulnerable? I'm using apache-2.2.25 Which file contain setting for: SSLCompression I'm trying to turn it off. -- Joseph
[gentoo-user] virtual problem : how can I unmerge Nano ?
I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me that virtual/editor requires it that @system requires virtual/editor . How can I tell Portage that Vim or Ed satisfy virtual/editor ? -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca
[gentoo-user] HP printing query
140417 Daniel Pielmeier wrote: Philip Webb schrieb am 16.04.2014 01:07: I ran into a problem trying to print yesterday -- solved for now -- , but would like to simplify things for the next occasion. What appears to have happened is that when I updated Hplip + Cups, one of them created a new printer, so that the list now appears as : Deskjet_2510 Automatically setup by HPLIP HP Deskjet 2510 Series hpijs, 3.13.9 Paused - Filter failed Deskjet_2510_2 Deskjet_2510_2 HP Deskjet 2510 Series hpijs, 3.13.9 Idle I had the Vim plug-in 'prtdialog' + Kwrite + LO set to use the former, but needed to change them all to the latter to get the printer to respond. I have removed the auto-configuration [1] of hplip printers done by udev rules. There was an upgrade and an uninstall tool which I have removed as well. These should be done by the user/admin. As mentioned on the wiki page for hplip [2], at every upgrade the recommended action is to delete all print queues and recreate them again either with hp-setup or the cups web interface. [1] *hplip-3.14.3 (07 Mar 2014) 07 Mar 2014; Daniel Pielmeier bil...@gentoo.org +hplip-3.14.3.ebuild: Version bump. This version adds a patch which removes the update and uninstall python scripts as well as the auto-configuration/plug-in installation related stuff from the udev rules. This should fix Gentoo bug #434830 (Upstream bug https://bugs.launchpad.net/hplip/+bug/1080353). [2] https://wiki.gentoo.org/wiki/HPLIP Thanks : this change appears to have eliminated the problem. -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca
Re: [gentoo-user] OpenSP build fails
Ok, pambase/shadow problem solved. I called revdep-rebuild and it found libcairo problem, reemerged it, second revdep-rebuild was clean. There are still problems with compilation of packages mentioned above. 2014-04-27 22:10 GMT+03:00 Stroller strol...@stellar.eclipse.co.uk: On Sun, 27 April 2014, at 8:20 am, Nikita Tropin posixivis...@gmail.com wrote: gcc-config -l: [1] x86_64-pc-linux-gnu-4.6.3 [2] x86_64-pc-linux-gnu-4.7.3 * These are installed: gcc-4.7.3, gcc-4.6.3, clang-3.3. I'm using 4.7.3 and not redefine CC or CXX in make.conf or elsewhere. That's good. gcc-4.7.3 is current, so you should be able to revdep-rebuild and update glibc, paving your way to ncurses and your other failed compiles. But IMO you should get the pam / shadow stuff done, and reboot, first. I found that getting out `pam' flag from `shadow' flags removes block. Is it suitable fix(add `-pam' for `shadow' in package.use)? Or ... As I can understand from bugtracker(https://bugs.gentoo.org/show_bug.cgi?id=412721) I need to: su # For doing administrative tasks while /etc/pam.d/{su,login,passwd} will gone emerge shadow emerge pambase dispatch-conf etc-update PS Thanks Edward, it helps. … IMO you need to address the pambase/shadow block first. They're important packages and the transition is important. I intended to say here that they're important packages and the transition is well documented. I've already linked you pages and pages of information on this update: http://www.google.com/search?q=pambase+shadow+gentoo I *think* that you unmerge one or both packages and then reemerge, but I can't remember for sure. It's also hard to say how safe this will be on a system that's in such disrepair as yours - you might be best to backup the whole system /or build binary packages for everything that's presently installed. If you ignore updates for a year at a time, you're really risking trouble. Stroller. -- Regards, Nikita
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, 28 Apr 2014 10:02:52 -0600 Joseph syscon...@gmail.com wrote:
> On 04/28/14 09:17, Joseph wrote:
>> Which program do I upgrade to fix Heartbleed bug?
>> http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.
>> I'm using dev-libs/openssl-0.9.8y
>> Why safeweb.norton is triggering my server vulnerable?
>
> I'm using apache-2.2.25
> Which file contain setting for: SSLCompression
> I'm trying to turn it off.

Unaffected according to: http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Perhaps all you need to do is restart the Apache service?

--
With kind regards,
Tom Wijsman (TomWij)
Gentoo Developer
E-mail address : tom...@gentoo.org
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 20:13, Tom Wijsman wrote:
> On Mon, 28 Apr 2014 10:02:52 -0600 Joseph syscon...@gmail.com wrote:
>> On 04/28/14 09:17, Joseph wrote:
>>> Which program do I upgrade to fix Heartbleed bug?
>>> http://safeweb.norton.com/heartbleed/ is showing me my server is vulnerable.
>>> I'm using dev-libs/openssl-0.9.8y
>>> Why safeweb.norton is triggering my server vulnerable?
>>
>> I'm using apache-2.2.25
>> Which file contain setting for: SSLCompression
>> I'm trying to turn it off.
>
> Unaffected according to: http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
> Perhaps all you need to do is restart the Apache service?
>
> --
> With kind regards,
> Tom Wijsman (TomWij)
> Gentoo Developer
> E-mail address : tom...@gentoo.org
> GPG Public Key : 6D34E57D
> GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D

No, I was wrong. I had both versions installed: 0.9.8y and 1.0.1f, and the one that was in use was the buggy one: 1.0.1f
I recompiled 1.0.1f without tls-heartbeat and the problem is solved.

  dev-libs/openssl
    Available versions: (0.9.8) 0.9.8y (0)1.0.0j 1.0.1f {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib}
    Installed versions: 0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)

But what puzzles me is when I downgraded it to 1.0.0j (unaffected version) I could not restart apache. I was getting an error:

  /etc/init.d/apache2 restart
   * apache2 has detected an error in your setup:
  apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method
   * ERROR: apache2 failed to stop

--
Joseph
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote: But what puzzle me is when I downgraded it to 1.0.0j (uneffected version) I could not restart apache. I was getting an error: /etc/init.d/apache2 restart * apache2 has detected an error in your setup: apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: undefined symbol: TLSv1_1_client_method * ERROR: apache2 failed to stop When you *downgrade* a shared library, you generally need to rebuild all programs which are linked against that library. The newer library version may provide additional symbols which would be missing from the older version of the library. That's what that undefined symbol error is about.
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote: No, I was wrong. I had both version istalled: 0.9.8y and 1.0.1f and the one that was in use was buggy one: 1.0.1f I recompile 1.0.1f without tls-heartbeat and the problem is solved. Why not run emerge --sync and upgrade to 1.0.1g?
[gentoo-user] apache disable 40bit encryption
How do I disable apache 40bit encryption connection to my server? Is there a way to limit the connection to min 128-bit? -- Joseph
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/14 14:54, Mike Gilbert wrote: On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote: No, I was wrong. I had both version istalled: 0.9.8y and 1.0.1f and the one that was in use was buggy one: 1.0.1f I recompile 1.0.1f without tls-heartbeat and the problem is solved. Why not run emerge --sync and upgrade to 1.0.1g? This is my running server so I try to upgrade backup first before upgrading main server. I recompiled 1.0.1f without tls-heartbeat and it solved the problem. -- Joseph
Re: [gentoo-user] virtual problem : how can I unmerge Nano ?
On 04/28/2014 07:32 AM, Philip Webb wrote:
> I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me that virtual/editor requires it that @system requires virtual/editor .
> How can I tell Portage that Vim or Ed satisfy virtual/editor ?

Have you tried:

  $ emerge -C app-editors/nano && emerge app-editors/vim virtual/editor

Dan
Re: [gentoo-user] virtual problem : how can I unmerge Nano ?
On Monday 28 Apr 2014 15:32:22 Philip Webb wrote: I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me that virtual/editor requires it that @system requires virtual/editor . How can I tell Portage that Vim or Ed satisfy virtual/editor ? I think if you set your /etc/env.d/99editor to the application you want (not nano, in your case) then portage should not bother you again - but could be wrong. This was discussed many moons ago in this list, but my memory is not what it used to be. :p -- Regards, Mick
Re: [gentoo-user] virtual problem : how can I unmerge Nano ?
On Mon, Apr 28, 2014 at 10:32:22AM -0400, Philip Webb wrote:
> I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me that virtual/editor requires it that @system requires virtual/editor .
> How can I tell Portage that Vim or Ed satisfy virtual/editor ?
>
> --
> ,, SUPPORT     ___//___,             Philip Webb
> ELECTRIC      /] [] [] [] [] []|     Cities Centre, University of Toronto
> TRANSIT       `-O--O---'             purslowatchassdotutorontodotca

You can set your editor of choice with eselect:

  eselect editor list
  eselect editor set $(editor_of_choice)

Usually nano can be removed with emerge --depclean, but it might be included in your world file.

  emerge --deselect nano

should remove it from your world file too :)

--
greetings
Michael Mair-Keimberger
Re: [gentoo-user] virtual problem : how can I unmerge Nano ?
Philip Webb wrote: I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me that virtual/editor requires it that @system requires virtual/editor . How can I tell Portage that Vim or Ed satisfy virtual/editor ? As Mick said, it has been a while. I think if you emerge the editor you want and change any config files that need to be changed then portage will let you unmerge nano. If I recall correctly, once some other editor is installed that will satisfy the virtual then it should let you unmerge the others without complaining. On this one tho, there may be a config that needs to be edited as well. I would search for any mention of nano in /etc and change anything that shows up containing it. Hope that helps. They do get confusing at times. Dale :-) :-) -- I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] ssh authkeys log invalid
On 04/21/2014 08:02 PM, thegeezer wrote:
> Hi all,
> i was looking up the gentoo wiki on fail2ban [1] to have it look at its own log file fail2ban.log in order to block repeat offenders for longer as abuse@offender doesn't really seem to help these days.
> then i saw a warning saying fail2ban not blocking all requests which i followed to github [2] which has a paste of his logfiles [3]
> now this i commented at github saying it looks similar to something i discovered when trying to setup authkeys on ssh - namely invalid keys give you no log file entry saying invalid keys
> can anyone tell me if they know how to make the log file entry show that it was an invalid key?
> i only know that it is this from my experience -- when i was using the wrong key or auth keys file had wrong permission i had only similar entries in my logs.
> i did try to find the answer myself at that time but was unable to.
> thanks in advance!
>
> [1] http://wiki.gentoo.org/wiki/Fail2ban
> [2] https://github.com/fail2ban/fail2ban/issues/643
> [3] http://bpaste.net/show/188261/

hey so i've been doing some digging and for openssh to log public key failures you have to set loglevel to minimum of VERBOSE
please see my email to openssh mailing list. [4]

is this something that could be implemented as a gentoo specific patch ? if so how would i go about requesting it ?
i don't know about you all but i'm a little concerned that ssh is not logging bruteforce public keys, they might be harder to crack but if they are invisible in the logs then this could go on silently for a long time.

[4] http://marc.info/?l=openssh-unix-dev&m=139871423503774&w=3
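Once `LogLevel VERBOSE` is set in sshd_config, failed public-key attempts can be counted per source address, as in this added example (not part of the original post or of fail2ban). The log lines are constructed with documentation addresses, and the function name `pubkey_failures` and its threshold argument are assumptions of the example.

```shell
#!/bin/sh
# Added example. Assumes sshd_config contains:  LogLevel VERBOSE
# so that sshd writes "Failed publickey for USER from ADDR port N ssh2".

# pubkey_failures THRESHOLD
# Reads sshd log lines on stdin and prints "ADDRESS COUNT" for every source
# with at least THRESHOLD failed public-key attempts.
pubkey_failures() {
    awk -v limit="${1:-3}" '
    / sshd\[[0-9]+\]: Failed publickey for / {
        # Take the address after the LAST "from" on the line, so that a
        # user name chosen by the client (even "from") cannot shift it.
        for (i = NF - 1; i > 0; i--)
            if ($i == "from") { count[$(i + 1)]++; break }
    }
    END {
        for (ip in count)
            if (count[ip] >= limit) print ip, count[ip]
    }' | sort
}

# Constructed sample log: three key failures from one address (one of them
# with the user name "from"), one failure followed by success from another.
sample_log() {
    cat <<'EOF'
Apr 28 20:41:02 host sshd[4121]: Failed publickey for root from 203.0.113.7 port 51234 ssh2
Apr 28 20:41:03 host sshd[4121]: Failed publickey for root from 203.0.113.7 port 51234 ssh2
Apr 28 20:41:05 host sshd[4125]: Failed publickey for invalid user from from 203.0.113.7 port 51240 ssh2
Apr 28 20:41:09 host sshd[4130]: Failed publickey for joe from 198.51.100.20 port 40022 ssh2
Apr 28 20:41:10 host sshd[4130]: Accepted publickey for joe from 198.51.100.20 port 40022 ssh2
Apr 28 20:42:00 host sshd[4140]: Connection closed by 203.0.113.7 [preauth]
EOF
}

# Report sources with three or more failed key attempts in the sample.
sample_log | pubkey_failures 3
```

On a live system the same function can be fed the sshd log file instead of `sample_log`; where that file lives depends on the syslog configuration.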
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On Mon, 28 April 2014, at 8:09 pm, Joseph syscon...@gmail.com wrote: On 04/28/14 14:54, Mike Gilbert wrote: On Mon, Apr 28, 2014 at 2:34 PM, Joseph syscon...@gmail.com wrote: No, I was wrong. I had both version istalled: 0.9.8y and 1.0.1f and the one that was in use was buggy one: 1.0.1f I recompile 1.0.1f without tls-heartbeat and the problem is solved. Why not run emerge --sync and upgrade to 1.0.1g? This is my running server so I try to upgrade backup first before upgrading main server. I recompiled 1.0.1f without tls-heartbeat and it solved the problem. If you don't want to emerge --sync (and by implication update everything), you can download the ebuild for just this package and put it in /usr/local/portage http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/openssl/openssl-1.0.1g.ebuild Stroller.
Re: [gentoo-user] using eclipse with java
On Thu, Apr 17 2014, Tom Wijsman wrote: On Thu, 17 Apr 2014 18:20:12 -0400 gottl...@nyu.edu wrote: When I did an emerge --pretend eclipse-sdk I received a note that a recent binary is in the java-overlay. Is that what you would recommend? I have used layman in the past for gnome. Yes, the binary one in the java overlay works here; I recommend that. I get almost immediate segfaults. I type eclipse-bin-7.2 It is basically empty (no projects). I start a new project called crash I then expand the project, select src, right click and say new class I call the class Crash and it give a correct skeleton I go to the blank line above public class Crash { and start to type import java.util.scanner I get as far as import java. then it pops up a window with completions and segfaults. It is quite repeatable. This happens on a fresh install of eclipse-bin. Any advice? Should I look for a binary on the eclipse site? thanks, allan
Re: [gentoo-user] ssh authkeys log invalid
On Monday 28 Apr 2014 20:54:18 thegeezer wrote: On 04/21/2014 08:02 PM, thegeezer wrote: Hi all, i was looking up the gentoo wiki on fail2ban [1] to have it look at it's own log file fail2ban.log in order to block repeat offenders for longer as abuse@offender doesn't really seem to help these days. then i saw a warning saying fail2ban not blocking all requests which i followed to github [2] wihch has a paste of his logfiles [3] now this i commented at github saying it looks similar to something i discovered when trying to setup authkeys on ssh - namely invalid keys give you no log file entry saying invalid keys can anyone tell me if they know how to make the log file entry show that it was an invalid key? i only know that it is this from my experience -- when i was using the wrong key or auth keys file had wrong permission i had only similar entries in my logs. i did try to find the answer myself at that time but was unable to. thanks in advance! [1] http://wiki.gentoo.org/wiki/Fail2ban [2] https://github.com/fail2ban/fail2ban/issues/643 [3] http://bpaste.net/show/188261/ hey so i've been doing some digging and for openssh to log public key failures you have to set loglevel to minimum of VERBOSE please see my email to openssh mailing list. [4] is this something that could be implemented as a gentoo specific patch ? if so how would i go about requesting it ? i don't know about you all but i'm a little concerned that ssh is not logging bruteforce public keys, they might be harder to crack but if they are invisible in the logs then this could go on silently for a long time. [4] http://marc.info/?l=openssh-unix-devm=139871423503774w=3 At the very least when one emerges fail2ban there should be an elog message informing/warning of the required modifications to the associated applications' config files, like ssh, to enable fail2ban to do its filtering. 
You can raise a bug for it at: https://bugs.gentoo.org/ -- Regards, Mick
Re: [gentoo-user] apache disable 40bit encryption
On Monday 28 Apr 2014 19:56:24 Joseph wrote: How do I disable apache 40bit encryption connection to my server? Is there a way to limit the connection to min 128-bit? http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite https://bettercrypto.org/static/applied-crypto-hardening.pdf -- Regards, Mick signature.asc Description: This is a digitally signed message part.
[gentoo-user] Using USB key as real $HOME and possible encryption?
I want to set up my notebook for use whilst travelling. I intend to have an innocuous /home/waltdnes partition on the notebook, and have the real $HOME (a copy of my desktop machine's $HOME) on a 128 gigabyte USB key. When I want to access it, I'll mount the USB key over /home/waltdnes. That protects against the notebook being lost/stolen.

The next question is how do I guard the data on the USB key. I'm looking at using cryptsetup to encrypt the USB key. Some interesting stuff on Google... http://sleepyhead.de/howto/?href=cryptpart shows how to use cryptsetup with and without LUKS.

dm-crypt without LUKS

  # cryptsetup -y create sdc1 /dev/sdc1   # or any other partition like /dev/loop0
  # dmsetup ls                            # check it, will display: sdc1 (254, 0)
  # mkfs.ext3 /dev/mapper/sdc1            # This is done only the first time!
  # mount -t ext3 /dev/mapper/sdc1 /mnt
  # umount /mnt/
  # cryptsetup remove sdc1                # Detach the encrypted partition

Do exactly the same (without the mkfs part!) to re-attach the partition. If the password is not correct, the mount command will fail. In this case simply remove the map sdc1 (cryptsetup remove sdc1) and create it again.

I did a --pretend emerge of cryptsetup, and I see that it pulls in lvm2 as a dependency, presumably to enable the /dev/mapper/* entries. Any comments on whether I'm better off with or without LUKS? I also intend to use ext2, because I understand that a journalling fs is murder on USB keys.

--
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] apache disable 40bit encryption
On 04/28/14 21:38, Mick wrote:
> On Monday 28 Apr 2014 19:56:24 Joseph wrote:
>> How do I disable apache 40bit encryption connection to my server?
>> Is there a way to limit the connection to min 128-bit?
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
> https://bettercrypto.org/static/applied-crypto-hardening.pdf
>
> --
> Regards,
> Mick

I've tried various combinations in my: 00_default_ssl_vhost.conf

  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

But openssl ciphers -v still lists:

  EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA Enc=DES(56) Mac=SHA1
  EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS Enc=DES(56) Mac=SHA1
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA Enc=DES(56) Mac=SHA1
  EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS Enc=DES(40) Mac=SHA1 export
  EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5  export
  EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5  export

My default in 00_default_ssl_vhost.conf was:

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

--
Joseph
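`openssl ciphers -v` run without an argument prints the OpenSSL library's default list; to see what an `SSLCipherSuite` string selects, the string has to be passed as the argument. The following added example (not from the original post) filters such a listing for export-grade, unencrypted or sub-128-bit ciphers. The function names and the sample, which is built from lines of the listing above plus two constructed lines, are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag weak entries in `openssl ciphers -v` output.
# Line format, as in the listing above:
#   NAME PROTO Kx=... Au=... Enc=ALG(BITS) Mac=... [export]

# weak_ciphers [MIN_BITS]
# Reads `openssl ciphers -v` lines on stdin and prints "NAME REASON" for each
# cipher that is export-grade, has no encryption, or has a key under MIN_BITS.
weak_ciphers() {
    awk -v min="${1:-128}" '
    {
        enc = ""; reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5)   # e.g. "DES(56)" or "None"
            if ($i == "export") reason = "export"
        }
        if (enc == "") next                         # not a cipher line
        bits = 0
        if (match(enc, /\([0-9]+\)/))
            bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
        if (reason == "" && enc ~ /^None/) reason = "no-encryption"
        if (reason == "" && bits < min)    reason = bits "-bit"
        if (reason != "") print $1, reason
    }'
}

# audit_cipher_string 'STRING' [MIN_BITS]
# Expands an Apache SSLCipherSuite string with the local OpenSSL build and
# filters the result, e.g.:
#   audit_cipher_string 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT'
audit_cipher_string() {
    openssl ciphers -v "$1" | weak_ciphers "${2:-128}"
}

# Sample input: four lines from the listing in the post, plus an AES line and
# a NULL line constructed for this example.
sample_listing() {
    cat <<'EOF'
AES128-SHA              SSLv3 Kx=RSA      Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA Enc=DES(56)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA Enc=DES(56)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA Enc=DES(40)  Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)  Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA Enc=None     Mac=SHA1
EOF
}

# Everything except AES128-SHA is reported.
sample_listing | weak_ciphers 128
```

The result depends on the OpenSSL build doing the expansion, so `audit_cipher_string` should be run on the server whose Apache is being configured.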
Re: [gentoo-user] using eclipse with java
On Mon, 28 Apr 2014 16:08:18 -0400 gottl...@nyu.edu wrote: I get almost immediate segfaults. I type eclipse-bin-7.2 It is basically empty (no projects). I start a new project called crash I then expand the project, select src, right click and say new class I call the class Crash and it give a correct skeleton I go to the blank line above public class Crash { and start to type import java.util.scanner I get as far as import java. then it pops up a window with completions and segfaults. It is quite repeatable. This happens on a fresh install of eclipse-bin. Eclipse SDK 4.2 works here; strange that it doesn't for you, it might be some incompatibility perhaps with one or another library. Given that it is binary I'm unsure if this can be debugged... Any advice? Should I look for a binary on the eclipse site? Yes, try one from the Eclipse site and put it in /opt/ (create symlinks in /usr/local/bin/); there is 4.3 there, I think we need to bump to that in the Java overlay at some point as 4.2 is getting somewhat old. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Heartbleed - using openssl-0.9.8y and affected
On 04/28/2014 12:02 PM, Joseph wrote:
> I'm using apache-2.2.25
> Which file contain setting for: SSLCompression
> I'm trying to turn it off.

It's on by default in apache-2.2. Place the following somewhere in 40_mod_ssl.conf, between <IfModule ssl_module> and </IfModule>:

  # Disable CRIME attack (off by default in apache-2.4)
  SSLCompression off
Re: [gentoo-user] More emerge oddity in chroot - SOLVED
On Monday 28 Apr 2014 13:32:05 I wrote: On Thursday 24 Apr 2014 13:57:19 I wrote: So far I've done these things: 1. Wiped the whole system and restored from backup (heavy overkill, but I wanted everything to be in the same, consistent state). 2. Run bad-blocks tests on all partitions (though all but / and /boot are in logical volumes - I don't know to what extent that will have affected the results). ---8 Looking at bad-blocks again, I see from gkrellm that 'mkfs.ext4 -cc -L Atom /dev/vg7/atom' writes the test patterns to both the underlying physical disks, but it only reads back from one of them ... so it isn't much use on a virtual disk. Well, that was a long weekend. The symptoms grew stranger and stranger, until I eventually discovered a problem with IRQ 16. /proc/interrupts includes this line: 16: 0 302525 0 0 IO-APIC-fasteoi ehci_hcd:usb1, nouveau The source file /usr/src/linux/kernel/irq/spurious.c says: /* * If 99,900 of the previous 100,000 interrupts have not been handled * then assume that the IRQ is stuck in some manner. Drop a diagnostic * and try to turn the IRQ off. * * (The other 100-of-100,000 interrupts may have been a correctly * functioning device sharing an IRQ with the failing one) */ ...and suggests booting with irqpoll. So I added irqpoll to the kernel command line. It seemed to make no difference at the time, but I haven't had any recurrence in the last two days. I see though that, according to gkrellm, I have core temps of 52 - 56C and the graphics card shows 59C. That shouldn't be hot enough to start raising spurious interrupts: the nVidia web site says to expect around 105C as a limit. Perhaps I should find a different slot for the Quadro FX580 card, to separate it from the usb interface. So, many hours and much rebuilding later, I've installed a new chroot for the Atom and it seems to be working as expected. 
Actually, I reinstalled the entire system to be safe, including re-creating the physical and logical volumes on the two SATA disks. The question still remaining is what caused millions of spurious interrupts over a period of a week or so and then subsided. This is an Asus P7P55D motherboard (http://www.asus.com/Motherboards/P7P55D/). -- Regards Peter
Re: [gentoo-user] using eclipse with java
On Mon, Apr 28 2014, Tom Wijsman wrote: On Mon, 28 Apr 2014 16:08:18 -0400 gottl...@nyu.edu wrote: I get almost immediate segfaults. I type eclipse-bin-7.2 It is basically empty (no projects). I start a new project called crash I then expand the project, select src, right click and say new class I call the class Crash and it give a correct skeleton I go to the blank line above public class Crash { and start to type import java.util.scanner I get as far as import java. then it pops up a window with completions and segfaults. It is quite repeatable. This happens on a fresh install of eclipse-bin. Eclipse SDK 4.2 works here; strange that it doesn't for you, it might be some incompatibility perhaps with one or another library. Given that it is binary I'm unsure if this can be debugged... Any advice? Should I look for a binary on the eclipse site? Yes, try one from the Eclipse site and put it in /opt/ (create symlinks in /usr/local/bin/); there is 4.3 there, I think we need to bump to that in the Java overlay at some point as 4.2 is getting somewhat old. The one from the Eclipse is *MUCH* better. It works. Thanks, allan
Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
On 04/28/2014 04:57 PM, Walter Dnes wrote:
> I want to set up my notebook for use whilst travelling. I intend to have an innocuous /home/waltdnes partition on the notebook, and have the real $HOME (a copy of my desktop machine's $HOME) on a 128 gigabyte USB key. When I want to access it, I'll mount the USB key over /home/waltdnes. That protects against the notebook being lost/stolen.
>
> The next question is how do I guard the data on the USB key. I'm looking at using cryptsetup to encrypt the USB key. Some interesting stuff on Google... http://sleepyhead.de/howto/?href=cryptpart shows how to use cryptsetup with and without LUKS.
>
> dm-crypt without LUKS
>
>   # cryptsetup -y create sdc1 /dev/sdc1   # or any other partition like /dev/loop0
>   # dmsetup ls                            # check it, will display: sdc1 (254, 0)
>   # mkfs.ext3 /dev/mapper/sdc1            # This is done only the first time!
>   # mount -t ext3 /dev/mapper/sdc1 /mnt
>   # umount /mnt/
>   # cryptsetup remove sdc1                # Detach the encrypted partition
>
> Do exactly the same (without the mkfs part!) to re-attach the partition. If the password is not correct, the mount command will fail. In this case simply remove the map sdc1 (cryptsetup remove sdc1) and create it again.
>
> I did a --pretend emerge of cryptsetup, and I see that it pulls in lvm2 as a dependency, presumably to enable the /dev/mapper/* entries. Any comments on whether I'm better off with or without LUKS? I also intend to use ext2, because I understand that a journalling fs is murder on USB keys.

I suggest with LUKS. Also I suggest using ext4 and disabling the journal (mkfs.ext4 -O ^has_journal). Gentoo has some pretty good init scripts for dmcrypt that you can use to mount your usb key when ready, check it out in /etc/conf.d/dmcrypt.
-Zero
Re: [gentoo-user] virtual problem : how can I unmerge Nano ?
140428 Michael Mair-Keimberger wrote: On Mon, Apr 28, 2014 at 10:32:22AM -0400, Philip Webb wrote: I never use Nano -- Vim or Ed are available in a raw terminal -- would like to unmerge it, but Portage tells me virtual/editor requires it @system requires virtual/editor . You can set your editor of choice with eselect: eselect editor list eselect editor set $(editor_of_choice) I've done that, but it doesn't alter Portage behaviour. Usually nano can be removed with emerge --depclean Yes, I can do 'emerge -C nano', but that is brute force deprecated. I've checked 'man portage' 'man emerge' the virtual/editor ebuild. Acc to 'man portage' it sb possible to tell the virtual to accept Vim or Ed via /etc/make.profiles - /usr/portage/profiles/default/linux/amd64/13.0 by adding a file 'virtuals' w a line 'virtual/editortabapp-editors/vim', but this has no effect. The ebuild has a long list of possible editors, incl Vim Ed Nano, but nothing singling out Nano, so Portage must be getting its instruction from somewhere else. Does anyone have better info ? -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca