Re: [gentoo-user] Q: pip requires --user option that doesn't exist?

2017-12-24 Thread Max Zettlmeißl
$ pip install --user awscli
or $ pip2.7 install --user awscli works.

Merry Christmas.


On 24 December 2017 at 21:54, Steven Lembark wrote:
>
> This should have been simple: Install AWS client command line tools.
> Catch: Installing it with AWS' example tells me to use the "--user"
> option, though not why, and supplying --user with or without an
> argument tells me there is no such switch.
>
> I'd prefer not maintaining this stuff as SU, rather set up a group
> with access to the necessary library areas in Python.
>
> $ pip install awscli
> ERROR: (Gentoo) Please run pip with the --user option to avoid breaking 
> python-exec
>
> $ pip --user install awscli
>
> Usage:
>   pip  [options]
>
> no such option: --user
>
> $ pip --user=lembark install awscli
>
> Usage:
>   pip  [options]
>
> no such option: --user
>
> Examining the output from "pip --help" gives me lots of no "--user"
> in the output, which makes sense if there are no users. Using
> "--verbose" didn't tell me anything useful either.
>
> Say I want users in the "adm" group to maintain the Python libs,
> I'll need to ( find  | xargs chgrp adm; find 
> -type d | xargs chmod 02775; find  -type f | xargs
> chmod g+w ).
>
> Q: Where are the python libs stored?
>
> Python itself only tells me:
>
> $ python -V
> Python 3.4.5
>
> not the paths.
>
> Or, for that matter, does anyone know how to avoid the "--user"
> requirement using pip?
>
> thanks
>
> --
> Steven Lembark        1505 National Ave
> Workhorse Computing   Rockford, IL 61103
> lemb...@wrkhors.com   +1 888 359 3508
>



[gentoo-user] Q: pip requires --user option that doesn't exist?

2017-12-24 Thread Steven Lembark

This should have been simple: Install AWS client command line tools.
Catch: Installing it with AWS' example tells me to use the "--user"
option, though not why, and supplying --user with or without an 
argument tells me there is no such switch.

I'd prefer not maintaining this stuff as SU, rather set up a group
with access to the necessary library areas in Python.

$ pip install awscli
ERROR: (Gentoo) Please run pip with the --user option to avoid breaking 
python-exec

$ pip --user install awscli

Usage:   
  pip  [options]

no such option: --user

$ pip --user=lembark install awscli

Usage:   
  pip  [options]

no such option: --user

Examining the output from "pip --help" gives me lots of no "--user"
in the output, which makes sense if there are no users. Using 
"--verbose" didn't tell me anything useful either. 

Say I want users in the "adm" group to maintain the Python libs,
I'll need to ( find  | xargs chgrp adm; find 
-type d | xargs chmod 02775; find  -type f | xargs 
chmod g+w ).

Q: Where are the python libs stored?

Python itself only tells me:

$ python -V
Python 3.4.5

not the paths.

Or, for that matter, does anyone know how to avoid the "--user" 
requirement using pip?

thanks

-- 
Steven Lembark        1505 National Ave
Workhorse Computing   Rockford, IL 61103
lemb...@wrkhors.com   +1 888 359 3508
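
An added example, not part of the original thread: one way to answer "where are the Python libs stored?" is to ask the interpreter through `sysconfig` and `site`, then report the ownership and mode bits that a `chgrp adm` / `chmod 02775` change would alter. The function names and the scratch directory are constructed for illustration.

```python
import os
import site
import stat
import sysconfig
import tempfile


def python_lib_dirs():
    """Directories this interpreter installs packages into and imports from."""
    paths = sysconfig.get_paths()
    dirs = {paths["stdlib"], paths["purelib"], paths["platlib"]}
    # Target of "pip install --user"; it may not exist until first used.
    dirs.add(site.getusersitepackages())
    return sorted(dirs)


def audit_dir(path):
    """Report ownership and the mode bits that decide who can add code here.

    Anyone who can write to a directory on the import path can place a module
    that runs as every user of this interpreter, root included.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": oct(mode),
        "setgid": bool(mode & stat.S_ISGID),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def demo_shared_dir():
    """Constructed sample: a scratch directory given the 02775 mode from the post."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "site-packages")
        os.mkdir(shared)
        os.chmod(shared, 0o2775)
        return audit_dir(shared)


if __name__ == "__main__":
    for d in python_lib_dirs():
        print(audit_dir(d) if os.path.isdir(d) else {"path": d, "missing": True})
    print(demo_shared_dir())
```

Run it with the same interpreter that `pip` uses, since each installed Python version has its own set of directories.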



Re: [gentoo-user] How to harden a system

2017-12-24 Thread taii...@gmx.com
I would also consider purchasing a system with libre firmware and 
without ME/PSP such as:


POWER 9:
TALOS 2 (server/workstation, brand new and very high performance - the 
only brand new hardware that is legitimately libre)


x86-64:
(older, pre-PSP AMD - the best CPUs for C32/G34 are equivalent to one 
FX-8310 for the 8 core or almost two FX-8310 for the 16 core)

KGPE-D16 (server)
KCMA-D8 (workstation)
Lenovo G505S (laptop)

It is truly disturbing to think that someone with an ME exploit could 
hack 80% of the computers on the planet.




Re: [gentoo-user] How to harden a system

2017-12-24 Thread Grant Taylor

On 12/24/2017 02:43 AM, Adam Carter wrote:
> Oh I just noticed that vtv is now default enabled for gcc, so you
> could try;
>
> CXXFLAGS="${CFLAGS} -fvtable-verify=std"
>
> I tried this on earlier gccs, and there was a fair bit of breakage so
> I didn't pursue it. Maybe I'll re-try with 7.2 to see how things have
> progressed.

Would you please elaborate on what types of breakage you saw?

> "security feature that verifies at run time, for every virtual call,
> that the vtable pointer through which the call is made is valid for the
> type of the object, and has not been corrupted or overwritten.  If an
> invalid vtable pointer is detected at run time, an error is reported
> and execution of the program is immediately halted"

I'm extremely new to these types of things and don't truly understand the 
failure mode of things like this.  It sounds like vtable-verify will 
conceptually make things more secure.  But I don't know enough to know 
how likely believed to be perfectly happy code will pass or fail such 
vtable verifications.




--
Grant. . . .
unix || die





Re: [gentoo-user] How to harden a system

2017-12-24 Thread Adam Carter
>
> Lastly, this in /etc/sysctl.conf. SYN cookies is a kernel option. The fin
> timeout cut was to clear out tens of thousands of TIME_WAIT sessions.
> net.ipv4.tcp_fin_timeout = 20
> net.ipv4.tcp_syncookies = 1
>

Oh I just noticed that vtv is now default enabled for gcc, so you could try;
CXXFLAGS="${CFLAGS} -fvtable-verify=std"

I tried this on earlier gccs, and there was a fair bit of breakage so I
didn't pursue it. Maybe I'll re-try with 7.2 to see how things have
progressed.

"security feature that verifies at run time, for every virtual call, that
the vtable pointer through which the call is made is valid for the type of
the object, and has not been corrupted or overwritten.  If an invalid
vtable pointer is detected at run time, an error is reported and
execution of the program is immediately halted"


Re: [gentoo-user] after finally doing my emerge -e world successfully, my regular world update fails

2017-12-24 Thread Adam Carter
>
> Ok, thanks. The system profile warning below had me worried, but from what
> you've said it appears that the warning is generated on an unsophisticated
> check, and in this case is a false positive.
>
> # emerge -pv --depclean sys-apps/openrc net-misc/netifrc sys-apps/sysvinit
>
>
FYI the rebuild of systemd automatically removes sys-apps/sysvinit for you,
which is nice. So it's just;
emerge --depclean sys-apps/openrc net-misc/netifrc
emerge -N systemd

And it's done.


Re: [gentoo-user] after finally doing my emerge -e world successfully, my regular world update fails

2017-12-24 Thread Neil Bothwick
On Sun, 24 Dec 2017 13:11:08 +1100, Adam Carter wrote:

> > > But virtual/service-manager is using openrc. How do i point this to
> > > systemd?  
> >
> > By having systemd installed. A virtual is just a list of packages that
> > provide the functionality needed. As long as one of them is
> > installed, it is happy. If not, it installs the first in the list.
> >  
> 
> Ok, thanks. The system profile warning below had me worried, but from
> what you've said it appears that the warning is generated on an
> unsophisticated check, and in this case is a false positive.
> 
> # emerge -pv --depclean sys-apps/openrc net-misc/netifrc
> sys-apps/sysvinit
> 
> Calculating dependencies... done!
>   sys-apps/sysvinit-2.88-r9 pulled in by:
> sys-apps/systemd-236-r1 requires sys-apps/sysvinit
> 
> >>> Calculating removal order...  
> 
> >>> These are the packages that would be unmerged:  
> 
>  net-misc/netifrc
>     selected: 0.6.0
>    protected: none
>      omitted: none
> 
> 
> !!! 'sys-apps/openrc' (virtual/service-manager) is part of your system
> profile.
> !!! Unmerging it may be damaging to your system.

That's probably because openrc is installed at the top of the list of
deps in the virtual. I saw the same warning and everything is still
working.



-- 
Neil Bothwick

The cow is nothing but a machine which makes grass fit for us people to
eat.




Re: [gentoo-user] 'firmware_install' won't on 4.14.7-gentoo

2017-12-24 Thread Mick
On Sunday, 24 December 2017 04:10:55 GMT Adam Carter wrote:

> > As you can see above there is a marked difference between the firmware
> > built by the two kernels.  In any case, my '/lib/firmware/' path contains:
> > 
> > $ ls -l /lib/firmware/radeon/RV730*
> > -rw-r--r-- 1 root root  5440 Dec 20 17:29 /lib/firmware/radeon/RV730_me.bin
> > -rw-r--r-- 1 root root  3392 Dec 20 17:29 /lib/firmware/radeon/RV730_pfp.bin
> > -rw-r--r-- 1 root root 16684 Dec 20 17:29 /lib/firmware/radeon/RV730_smc.bin
> 
> Earlier I saw
> 
> CONFIG_EXTRA_FIRMWARE="intel-ucode/06-1e-05 radeon/R700_rlc.bin
> radeon/RV730_smc.bin radeon/RV710_uvd.bin"

Yes, other than the Intel microcode I followed the Gentoo Wiki page for my 
graphics card:

https://wiki.gentoo.org/wiki/Radeon

> For radeon/R700_rlc.bin
> $ find /lib/firmware/ -name \*R700\*
> /lib/firmware/radeon/R700_rlc.bin
> 
> For radeon/RV730_smc.bin
> $ find /lib/firmware/ -name \*RV730\*
> /lib/firmware/radeon/RV730_pfp.bin
> /lib/firmware/radeon/RV730_smc.bin
> /lib/firmware/radeon/RV730_me.bin
> 
> For radeon/RV710_uvd.bin
> $ find /lib/firmware/ -name \*RV710\*
> /lib/firmware/radeon/RV710_me.bin
> /lib/firmware/radeon/RV710_pfp.bin
> /lib/firmware/radeon/RV710_smc.bin
> /lib/firmware/radeon/RV710_uvd.bin
> 
> So it looks like you're trying to load firmware from three different
> models.

Yes, this is what the Wiki recommends for RV730.


> Run lspci -v to determine which is correct one, then load all the firmwares
> for that model.

02:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] 
RV730/M96-XT [Mobility Radeon HD 4670] (prog-if 00 [VGA controller])
Subsystem: Dell RV730/M96-XT [Mobility Radeon HD 4670]
Flags: bus master, fast devsel, latency 0, IRQ 29
Memory at d000 (32-bit, prefetchable) [size=256M]
I/O ports at 2000 [size=256]
Memory at cfef (32-bit, non-prefetchable) [size=64K]
[virtual] Expansion ROM at 000c [disabled] [size=128K]
Capabilities: [50] Power Management version 3
Capabilities: [58] Express Legacy Endpoint, MSI 00
Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
Capabilities: [100] Vendor Specific Information: ID=0001 Rev=1 Len=010 

Kernel driver in use: radeon

02:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] RV710/730 HDMI 
Audio [Radeon HD 4000 series]
Subsystem: Dell RV710/730 HDMI Audio [Radeon HD 4000 series]
Flags: bus master, fast devsel, latency 0, IRQ 32
Memory at cfeec000 (32-bit, non-prefetchable) [size=16K]
Capabilities: [50] Power Management version 3
Capabilities: [58] Express Legacy Endpoint, MSI 00
Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
Capabilities: [100] Vendor Specific Information: ID=0001 Rev=1 Len=010 

Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel


It seems the blobs changed.  The firmware_install message confused me by 
making me think this was the cause of not being able to initiate the graphics 
card when I tried to boot the new kernel, rather than the missing blobs.
-- 
Regards,
Mick
