[gentoo-user] Decoding portage output
Hi all,

Can someone please point me to the doco that decodes the following errors:

**
Calculating dependencies... done!

!!! The ebuild selected to satisfy dev-vcs/git has unmet requirements.
- dev-vcs/git-1.7.8.6 USE=blksha1 cgi curl iconv python threads webdav -cvs -doc -emacs -gtk -perl (-ppcsha1) -subversion -tk -xinetd

  The following REQUIRED_USE flag constraints are unsatisfied:
    cgi? ( perl )

  The above constraints are a subset of the following complete expression:
    cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )

(dependency required by sys-devel/gettext-0.18.1.1-r3[git] [ebuild])
(dependency required by dev-perl/Locale-gettext-1.50.0 [ebuild])
(dependency required by sys-apps/help2man-1.40.10[nls] [ebuild])
(dependency required by sys-devel/automake-1.11.5 [ebuild])
(dependency required by sys-devel/libtool-2.4.2 [ebuild])
(dependency required by app-misc/screen-4.0.3-r5 [ebuild])
(dependency required by @selected [set])
(dependency required by @world [argument])
**

In particular the cgi? ( perl ) part.

Thanks in advance,
Andrew
Re: [gentoo-user] Decoding portage output
On 04.06.2012 10:30, Andrew Lowe wrote:
> Hi all,
>
> Can someone please point me to the doco that decodes the following errors:
>
> **
> Calculating dependencies... done!
>
> !!! The ebuild selected to satisfy dev-vcs/git has unmet requirements.
> - dev-vcs/git-1.7.8.6 USE=blksha1 cgi curl iconv python threads webdav -cvs -doc -emacs -gtk -perl (-ppcsha1) -subversion -tk -xinetd
>
>   The following REQUIRED_USE flag constraints are unsatisfied:
>     cgi? ( perl )
>
>   The above constraints are a subset of the following complete expression:
>     cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )
>
> (dependency required by sys-devel/gettext-0.18.1.1-r3[git] [ebuild])
> (dependency required by dev-perl/Locale-gettext-1.50.0 [ebuild])
> (dependency required by sys-apps/help2man-1.40.10[nls] [ebuild])
> (dependency required by sys-devel/automake-1.11.5 [ebuild])
> (dependency required by sys-devel/libtool-2.4.2 [ebuild])
> (dependency required by app-misc/screen-4.0.3-r5 [ebuild])
> (dependency required by @selected [set])
> (dependency required by @world [argument])
> **
>
> In particular the cgi? ( perl ) part.
>
> Thanks in advance,
> Andrew

To put it simply: if you want to use one of cgi, cvs or subversion, you'll need to activate the perl useflag too (same for webdav and curl, though that dependency is satisfied).

WKR
Hinnerk
[gentoo-user] dracut + UUID : a problem solved
I recently reorganised my HDD to avoid having to use initramfs. Having done so, I still have some spare space on the HDD, which seemed a good place to have a couple of other distros installed in case I want to use Flash (my Gentoo is 64-bit) or show Linux to friends.

Fedora 17 (Xfce) installs easily enough from a USB stick (my recently renewed mobo doesn't seem to be able to boot from CD), but I ran into a couple of bizarre problems whose solution may be of help to others in other situations.

I use Lilo -- it's simple if you're not continually changing the set-up -- and copied Fedora's kernel image + system map + initramfs from the partition where it's installed ( /dev/sda6 ) to /boot . Then I ran into 3 successive problems.

(1) Lilo refused to run, as the Fedora system map file was 'read only'. As root, I tried to 'chmod 644 System...' and was told again it was 'RO'. The only way I could alter its permissions was to boot System Rescue and run 'chmod' there, which worked. This is bizarre.

(2) Lilo refused again, saying there was some limit of 31. This was solved by emerging the testing version of Lilo.

(3) Lilo then succeeded, but Fedora had a kernel panic, not being able to find the root partition. It is using Dracut -- which I've studiously avoided with Gentoo -- that doesn't recognise the traditional 'root=/dev/sda6'. You have to use 'blkid /dev/sda6' to get a lengthy UUID for the device, then replace the 'root=' line in lilo.conf with 'append=root=UUID=blah'.

After all that, Fedora booted properly into the Xfce desktop.

BTW anyone doing this needs to avoid letting Fedora overwrite the MBR -- it asks you and it's easy to forget -- also not to let it set the time : otherwise, you'll have problems when back home in Gentoo.

I also downloaded Mageia 2.0 , but there's a bug in its set-up -- it keeps finding USB devices, the same one over and over -- , so I've given up on it. Hopefully eventually, they'll get things together : I used Mandrake 2000-3 , before I moved to Gentoo.

HTH a few others.

--
SUPPORT ELECTRIC TRANSIT
Philip Webb
Cities Centre, University of Toronto
purslowatchassdotutorontodotca
Re: [gentoo-user] Decoding portage output
On 06/04/12 16:36, Hinnerk van Bruinehsen wrote:
> On 04.06.2012 10:30, Andrew Lowe wrote:
>> Hi all, Can someone please point me to the doco that decodes the following errors:
>> [snip] ... ... ... [snip]
>> Thanks in advance,
>> Andrew
>
> To put it simply: if you want to use one of cgi, cvs or subversion, you'll need to activate the perl useflag too (same for webdav and curl, though that dependency is satisfied).
>
> WKR
> Hinnerk

Hinnerk,

Thanks for the decode, but where did YOU get the knowledge from? I want to understand this, so I don't have to send you an email every time I get one of these and need it decoded ;)

Andrew
Re: [gentoo-user] Decoding portage output
On 04.06.2012 12:50, Andrew Lowe wrote:
> On 06/04/12 16:36, Hinnerk van Bruinehsen wrote:
>> On 04.06.2012 10:30, Andrew Lowe wrote:
>>> Hi all, Can someone please point me to the doco that decodes the following errors:
>>> [snip] ... ... ... [snip]
>> Hinnerk
>
> Hinnerk,
> Thanks for the decode, but where did YOU get the knowledge from? I want to understand this, so I don't have to send you an email every time I get one of these and need it decoded ;)
> Andrew

Ok, I'll try to explain it:

    The following REQUIRED_USE flag constraints are unsatisfied:
      cgi? ( perl )

First: it states that a REQUIRED_USE flag is not set. That means that some functionality depends on a special useflag. The next line states which useflag is the one in question and which useflag it needs: You could interpret "cgi?" as "If cgi is set, then test for the following" and "( perl )" is the flag which is tested.

The rest is simply for more information:

    The above constraints are a subset of the following complete expression:
      cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )

It follows the same syntax, though.

I hope this is helping...

WKR
Hinnerk
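How Portage's message can be checked by hand, as an added example that is not part of any post in this thread and is not Portage's own code: a small Python evaluator that takes the USE line and the REQUIRED_USE expression from the error above and reports which top-level constraints fail. It goes beyond the `flag? ( flag )` form discussed here by also accepting `!flag` and the `||`, `^^` and `??` group operators of the ebuild format; all function names are illustrative.

```python
"""Check a Gentoo REQUIRED_USE expression against the USE flags emerge prints.

Added illustration: the function names are made up for this example and this
is not Portage's implementation.
"""

GROUP_OPS = ("||", "^^", "??")  # any-of, exactly-one-of, at-most-one-of

# Both strings are taken from the emerge output quoted in the thread.
USE_LINE = ('USE="blksha1 cgi curl iconv python threads webdav -cvs -doc '
            '-emacs -gtk -perl (-ppcsha1) -subversion -tk -xinetd"')
REQUIRED_USE = "cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )"


def enabled_flags(use_line):
    """Return the enabled flags from an emerge 'USE=...' line.

    Flags prefixed with '-' are disabled; parentheses, as in '(-ppcsha1)',
    only mark a flag as forced or masked by the profile.
    """
    body = use_line.split("=", 1)[1].strip().strip('"')
    flags = set()
    for tok in body.split():
        tok = tok.strip("()")
        if tok and not tok.startswith("-"):
            flags.add(tok)
    return flags


def parse(tokens, pos=0, depth=0):
    """Parse tokens into (head, children) nodes; children is None for a flag."""
    nodes = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            return nodes, pos + 1
        if tok == "(" or tok in GROUP_OPS or tok.endswith("?"):
            open_at = pos if tok == "(" else pos + 1
            if open_at >= len(tokens) or tokens[open_at] != "(":
                raise ValueError(f"expected '(' after {tok!r}")
            children, pos = parse(tokens, open_at + 1, depth + 1)
            nodes.append((tok, children))
        else:
            nodes.append((tok, None))
            pos += 1
    if depth:
        raise ValueError("missing ')'")
    return nodes, pos


def flag_matches(name, enabled):
    """True if 'flag' is enabled, or, for '!flag', if it is disabled."""
    if name.startswith("!"):
        return name[1:] not in enabled
    return name in enabled


def holds(node, enabled):
    """Evaluate one parsed constraint against the set of enabled flags."""
    head, children = node
    if children is None:
        return flag_matches(head, enabled)
    results = [holds(child, enabled) for child in children]
    if head == "||":
        return any(results)
    if head == "^^":
        return sum(results) == 1
    if head == "??":
        return sum(results) <= 1
    if head == "(":
        return all(results)
    # 'flag? ( ... )': the group only applies while the condition flag matches.
    return not flag_matches(head[:-1], enabled) or all(results)


def render(node):
    """Turn a parsed node back into REQUIRED_USE syntax for reporting."""
    head, children = node
    if children is None:
        return head
    inner = " ".join(render(child) for child in children)
    return f"( {inner} )" if head == "(" else f"{head} ( {inner} )"


def unsatisfied(required_use, enabled):
    """Return the top-level constraints that the enabled flags violate."""
    nodes, _ = parse(required_use.split())
    return [render(node) for node in nodes if not holds(node, enabled)]


if __name__ == "__main__":
    flags = enabled_flags(USE_LINE)
    for constraint in unsatisfied(REQUIRED_USE, flags):
        print("unsatisfied:", constraint)
```

Run against the flags from the original post it reports only `cgi? ( perl )`; adding `perl` to the enabled set clears the list.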
Re: [gentoo-user] Decoding portage output
On 06/04/12 19:15, Hinnerk van Bruinehsen wrote:
> On 04.06.2012 12:50, Andrew Lowe wrote:
>> On 06/04/12 16:36, Hinnerk van Bruinehsen wrote:
>>> On 04.06.2012 10:30, Andrew Lowe wrote:
>>>> Hi all, Can someone please point me to the doco that decodes the following errors:
>>>> [snip] ... ... ... [snip]
>>> Hinnerk
>>
>> Hinnerk,
>> Thanks for the decode, but where did YOU get the knowledge from? I want to understand this, so I don't have to send you an email every time I get one of these and need it decoded ;)
>> Andrew
>
> Ok, I'll try to explain it:
>
>     The following REQUIRED_USE flag constraints are unsatisfied:
>       cgi? ( perl )
>
> First: it states that a REQUIRED_USE flag is not set. That means that some functionality depends on a special useflag. The next line states which useflag is the one in question and which useflag it needs: You could interpret "cgi?" as "If cgi is set, then test for the following" and "( perl )" is the flag which is tested.
>
> The rest is simply for more information:
>
>     The above constraints are a subset of the following complete expression:
>       cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )
>
> It follows the same syntax, though.
>
> I hope this is helping...
>
> WKR
> Hinnerk

What I was looking for is a man page/a wiki page/something in the Gentoo doco pages, but if that's all there is to it, then thanks for the info.

Regards,
Andrew
Re: [gentoo-user] Decoding portage output
On 4 June 2012, at 13:06, Andrew Lowe wrote: ... What I was looking for is a man page/a wiki page/something in the Gentoo doco pages, but if that's all there is to it, then thanks for the info. I would have thought that `man 5 ebuild` covered this, if `man emerge` did not. I don't find these documents light reading, however. Stroller.
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On Saturday 02 Jun 2012 23:50:58 pk wrote:
> On 2012-06-02 22:10, Michael Mol wrote:
>> I expect the chief mechanism is at the manufacturer's end; blacklisted keys get included on shipment.
>
> Makes sense.
>
>> It's also probable that the OS kernel can tell the UEFI BIOS about new keys to blacklist. I expect that'll be a recurring thing in the Monthly batch of security updates Microsoft puts out. (Makes sense, really; if malware is using a key, blacklist that key.)
>
> Yes, would expect something like this. Secure boot supposedly prevents unauthorized firmware, operating systems or UEFI drivers at boot time. So if I interpret this correctly it would mean that if I have, say, an old graphics card with an old firmware (vga bios) I can't use it with secure boot. More interestingly, how is an operating system defined? Does it mean only the kernel itself or does it mean a full-blown OS with init and other supporting software? What does that mean to a source based distro? Also, I would assume a legitimate key would be able to sign pretty much any binary so a key that Fedora uses could be used to sign malware for Windows, which then would be blacklisted by Microsoft... and how is malware defined? Anything that would be detrimental to Microsoft?
>
>> Someone linked to some absolutely terrible stuff being built into Intel's Ivy Bridge...it's plausible it will be possible to deploy
>
> You mean: https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control ?
>
>> blacklist key updates over the network within a couple years.
>
> Well, UEFI already implements remote management: http://www.uefi.org/news/UEFI_Overview.pdf (page 13) ... so implementing an automatic update over the network, preferably via SMM/SMI so that the operating system cannot intervene would be possible already today... and you've lost control of your computer.
>
> I'm putting on my tinfoil hat now and I'm going to pretend it's raining... :-/
>
> Best regards
> Peter K

Can I please join you if you have a spare hat?

On a 3 year old Dell laptop manufactured by the famous and well known Winbond Electronics /sarcasm I see this under lshw:

    *-remoteaccess UNCLAIMED
         vendor: Intel
         physical id: 2
         capabilities: outbound

but have not found a way of interrogating it or in any way accessing it to understand what it is or does ...

Note, this is not a UEFI machine:

    capabilities: smbios-2.6 dmi-2.6 vsyscall32

--
Regards,
Mick
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On Mon, Jun 4, 2012 at 8:48 AM, Mick michaelkintz...@gmail.com wrote: On Saturday 02 Jun 2012 23:50:58 pk wrote: [snip] I'm putting on my tinfoil hat now and I'm going to pretend it's raining... :-/ Can I please join you if you have a spare hat? On a 3 year old Dell laptop manufactured by the famous and well known Winbond Electronics /sarcasm I see this under lshw: *-remoteaccess UNCLAIMED vendor: Intel physical id: 2 capabilities: outbound but have not found a way of interrogating it or in anyway accessing it to understand what it is or does ... Note, this is not a UEFI machine: capabilities: smbios-2.6 dmi-2.6 vsyscall32 What proc? -- :wq
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
From: Michael Mol mike...@gmail.com On Sat, Jun 2, 2012 at 10:04 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com [snip] In theory that's how key signing systems are suppose to work. In practice, they rarely implement the blacklists as they are (i) hard to maintain, and (ii) hard to distribute in an effective manner. Indeed. While Firefox, Chromium, et al check certificate revocation lists, Microsoft doesn't; they distribute them as part of Windows Update. Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers. Honestly, I don't expect SecureBoot to last very long. Either MS and the OEMs will be forced to always allow users to disable it, or they'll be simply drop it - kind of like they did with TPM requirements that were talked about 10 years back and never came to fruition. TPM is still around for organizations which can use them. And, honestly, I've been annoyed that they haven't been widespread, nor easy to pick up in the aftermarket. (They come with a random number generator...just about any HRNG is going to be better than none.) Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. When it was proposed, it was to include SecureBoot and enable secure Internet transactions, etc. None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot. I see something like SecureBoot as being useful in corporate and military security contexts. I don't see it lasting in SOHO environments. Certain environments as you say may find it useful; but then those environments already have very stringent controls over the computers in those environments, often to the inability of people to do their job. [snip] What kind of signature is the bootloader checking, anyway? Regardless of the check, it'll never be sufficient. Sure; ultimately, all DRM solutions get cracked. 
TPM and SecureBoot will by design fail. We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur. Ben
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On Mon, Jun 4, 2012 at 9:33 AM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com On Sat, Jun 2, 2012 at 10:04 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com [snip] In theory that's how key signing systems are suppose to work. In practice, they rarely implement the blacklists as they are (i) hard to maintain, and (ii) hard to distribute in an effective manner. Indeed. While Firefox, Chromium, et al check certificate revocation lists, Microsoft doesn't; they distribute them as part of Windows Update. Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers. Only if the workstation is so configured. (i.e. it's joined to the domain, or has otherwise had configuration placed on it.) It's not just a matter of setting up a caching proxy server and modifying the files before they're delivered. And if you think that's a risk, then consider that your local domain administrator has the ability to push out the organization CA into your system cert store as a trusted CA, and can then go on to create global certs your browser won't complain about. If you don't own the network, don't expect to be able to do things on it that the network administrator doesn't want you to do. At the same time, he can't force (much...see DHCP) configuration onto your machine without your being aware, at least if you're at least somewhat responsible in knowing how configuring your machine works. Honestly, I don't expect SecureBoot to last very long. Either MS and the OEMs will be forced to always allow users to disable it, or they'll be simply drop it - kind of like they did with TPM requirements that were talked about 10 years back and never came to fruition. TPM is still around for organizations which can use them. And, honestly, I've been annoyed that they haven't been widespread, nor easy to pick up in the aftermarket. 
(They come with a random number generator...just about any HRNG is going to be better than none.) Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. No, TPM wasn't originally named Palladium. TPM was the keystore hardware component of a broader system named Palladium. The TPM is just a keystore and a crypto accelerator, both of which are two things valuable to _everybody_. The massive backlash against Palladium is at least part of why even a generally useful hardware component like the TPM never got distributed. Imagine if the floating-point coprocessor was ditched in x86 because people thought it was a conspiracy to induce difficult-to-resolve math precision errors from careless use of floating point arithmetic. The part you're worried about is the curtained memory and hardware lockout, which it sounds like Intel is distributing with vPro. When it was proposed, it was to include SecureBoot and enable secure Internet transactions, etc. None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot. I see something like SecureBoot as being useful in corporate and military security contexts. I don't see it lasting in SOHO environments. Certain environments as you say may find it useful; but then those environments already have very stringent controls over the computers in those environments, often to the inability of people to do their job. The nature of those controls stems at least in part from the ability to use other means to maintain an overall security policy. With more tools comes the ability to be more flexible, allowing people to do more convenient things (such as insert a flash drive or CD into a computer) at lower risk (it'll be more difficult to accidentally boot from that flash drive or CD). 
It's for similar reasons the Linux kernel has support for fine-grained access controls; you can grant additional privileges where needed, and reduce the base set of privileges required. And here's a use case that might seem worthwhile...Say you've got hardware with SecureBoot. Now, you don't run Windows, so you don't care about the UEFI BIOS having Microsoft's key. Instead, you're a Linux guy, and you're very privacy conscious; perhaps you're a security consultant or contractor. Or perhaps you're worried about corporate espionage. Or perhaps you're simply afraid of governments. You can flush Microsoft's key from BIOS and insert your own. Sign your bootloader, kernel and initramfs. Set up your / filesystem to be fully encrypted. And configure things such that if BIOS isn't operating in SecureBoot mode with your key, it won't even mount and decrypt your / filesystem. You've just denied access to any existing forensic tool which would either examine your hard disk or operate as a rootkit. The only thing that's going to get your data is a live inspection of your RAM (tricky! but doable.) or a rubber hose. What kind of signature is the bootloader checking,
[gentoo-user] platform independent GUI for Perl ?
Hi,

I tried wxperl, which failed to compile... What other GUI is recommended to be used for platform independent applications using Perl?

Thank you very much in advance for any help!

Best regards,
mcc
Re: [gentoo-user] platform independent GUI for Perl ?
On Mon, Jun 4, 2012 at 11:54 AM, meino.cra...@gmx.de wrote:
> Hi,
> I tried wxperl, which failed to compile... What other GUI is recommended to be used for platform independent applications using Perl?
> Thank you very much in advance for any help!

Tk has a long history as a cross-platform GUI toolkit, and it has Perl bindings. I'd suggest taking a look at that.

Otherwise, try looking at this as a list of possibilities: http://rosettacode.org/wiki/Window_creation#Perl

--
:wq
Re: [gentoo-user] Decoding portage output
On Mon, 04 Jun 2012 20:06:30 +0800 Andrew Lowe a...@wht.com.au wrote:
> On 06/04/12 19:15, Hinnerk van Bruinehsen wrote:
>> On 04.06.2012 12:50, Andrew Lowe wrote:
>>> On 06/04/12 16:36, Hinnerk van Bruinehsen wrote:
>>>> On 04.06.2012 10:30, Andrew Lowe wrote:
>>>>> Hi all, Can someone please point me to the doco that decodes the following errors:
>>>>> [snip] ... ... ... [snip]
>>>> Hinnerk
>>>
>>> Hinnerk,
>>> Thanks for the decode, but where did YOU get the knowledge from? I want to understand this, so I don't have to send you an email every time I get one of these and need it decoded ;)
>>> Andrew
>>
>> Ok, I'll try to explain it:
>>
>>     The following REQUIRED_USE flag constraints are unsatisfied:
>>       cgi? ( perl )
>>
>> First: it states that a REQUIRED_USE flag is not set. That means that some functionality depends on a special useflag. The next line states which useflag is the one in question and which useflag it needs: You could interpret "cgi?" as "If cgi is set, then test for the following" and "( perl )" is the flag which is tested.
>>
>> The rest is simply for more information:
>>
>>     The above constraints are a subset of the following complete expression:
>>       cgi? ( perl ) cvs? ( perl ) subversion? ( perl ) webdav? ( curl )
>>
>> It follows the same syntax, though.
>>
>> I hope this is helping...
>>
>> WKR
>> Hinnerk
>
> What I was looking for is a man page/a wiki page/something in the Gentoo doco pages, but if that's all there is to it, then thanks for the info.

man 5 ebuild would be the most likely place to start

--
Alan McKinnnon
alan.mckin...@gmail.com
Re: [gentoo-user] platform independent GUI for Perl ?
Michael Mol mike...@gmail.com [12-06-04 18:08]:
> On Mon, Jun 4, 2012 at 11:54 AM, meino.cra...@gmx.de wrote:
>> Hi,
>> I tried wxperl, which failed to compile... What other GUI is recommended to be used for platform independent applications using Perl?
>> Thank you very much in advance for any help!
>
> Tk has a long history as a cross-platform GUI toolkit, and it has Perl bindings. I'd suggest taking a look at that.
>
> Otherwise, try looking at this as a list of possibilities: http://rosettacode.org/wiki/Window_creation#Perl
>
> --
> :wq

Hi Michael,

thank you for your reply and the helpful link!

Best regards,
mcc
Re: [gentoo-user] Distcc advice needed
On Sun, 03 Jun 2012 16:44:19 +0200 Samuraiii samurai.no.d...@gmail.com wrote:
> Hello friends,
> I'm in need of good advice. I have 3 computers running gentoo and want to utilise all of them for distcc compiling - the emerging computer would be every time different. Two machines are amd64 and one is x86 and this appears to be problem. According to http://www.gentoo.org/doc/en/cross-compiling-distcc.xml I need to edit some symlinks and if I'm going to emerge on either amd64 or X86. The problem is that wrapper script which calls c++ gcc g++ with architecture prefix. Is there a workaround so that I do not need to change those symlinks every time I'm going to emerge on different arch?
> Thanks for reply in advance
> S

You are going to need separate toolchains, where afaik there are only two ways to tell them apart. The first is the path you install it in, the other is the binary code itself (and that only tells you they differ, not which one is for a defined arch). So your best choice are those symlinks I'm afraid. However, you can automate this process, maybe eselect can already do that for you, have not checked that yet.
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On 2012-06-04 14:48, Mick wrote: Can I please join you if you have a spare hat? Sure, got lots of (virtual) hats... here's one: ^ (may be a bit small) ;-) On a 3 year old Dell laptop manufactured by the famous and well known Winbond Electronics /sarcasm I see this under lshw: *-remoteaccess UNCLAIMED vendor: Intel physical id: 2 capabilities: outbound but have not found a way of interrogating it or in anyway accessing it to understand what it is or does ... Note, this is not a UEFI machine: capabilities: smbios-2.6 dmi-2.6 vsyscall32 https://en.wikipedia.org/wiki/System_Management_BIOS https://en.wikipedia.org/wiki/Desktop_Management_Interface SMBIOS does support out-of-band management, which may or may not be scary, depending on who's in control of it... https://en.wikipedia.org/wiki/Out-of-band_management If you have an Intel processor in that laptop that supports vPro, I would assume it's a professional laptop, and as such it might make sense (assuming the IT department in your company is in control). Here's an interesting link that describes some of the problems with modern computers (it's an approx 1 hour long video from Google Tech talks, regarding coreboot): https://www.youtube.com/watch?v=X72LgcMpM9k Best regards Peter K
[gentoo-user] wxPython completely on acid ?
Hi,

something really strange happened: I installed wxPython and it compiles fine. I also installed the demo files and additionally tried some examples from the web. Besides the very basic hello world example (which only opens a bare window) the following happens:

There is NO window shown at all. The X-cursor changed to a cross. After terminating with CTRL-C I got an additional file called wx which contains a screenshot of the terminal window from which I started the demo. THAT FILE IS IN PDF-FORMAT!

It seems, something screwed up really bad... What happens here? And how can I fix it?

Thank you very much in advance for any help!

Best regards,
mcc
[gentoo-user] genkernel initramfs and grub2-mkconfig
Hello,

does anybody of you know how to get the grub2-mkconfig script to correctly detect initramfs and set the kernel parameter root= to /dev/ram0 or just don't set the parameter at all.

I'm using genkernel and want to use my generated initramfs, but every time grub2-mkconfig gets called it sets the kernel parameter root= to my root partition and then the initramfs won't get used.

I think manually editing /boot/grub2/grub.cfg and deleting the root= parameter and setting real_root isn't a good choice for long term.

Kind regards,
morlix
Re: [gentoo-user] genkernel initramfs and grub2-mkconfig
On Mon, Jun 4, 2012 at 1:40 PM, morlix mor...@morlix.de wrote:
> Hello,
> does anybody of you know how to get the grub2-mkconfig script to correctly detect initramfs and set the kernel parameter root= to /dev/ram0 or just don't set the parameter at all.
> I'm using genkernel and want to use my generated initramfs, but every time grub2-mkconfig gets called it sets the kernel parameter root= to my root partition and then the initramfs won't get used.
> I think manually editing /boot/grub2/grub.cfg and deleting the root= parameter and setting real_root isn't a good choice for long term.

The default scripts for grub2-mkconfig look for a specific filename for the initramfs, related to the kernel filename. If you look in those scripts, you may be able to modify it to look at your filenames instead.
[gentoo-user] Re: no keyboard on fresh install
Stroller strol...@stellar.eclipse.co.uk writes:
> On 1 June 2012, at 09:33, Harry Putnam wrote:
>> ... I am running thru a kvm switch, but don't really have the option without a fair bit of juggling to try it with everything hooked direct. I have tried plugging a keyboard direct, with no result.
>
> I don't really understand. You can't try direct, you tried direct. Which? KVMs are just flakey sometimes.

Perhaps if you consider that KVM is a switch that controls several components, (keyboard, Video and mouse) it will come to you. You are at liberty to plug a second keyboard into a USB port. I have done that under certain condition in the past and did try that unsuccessfully, as reported, this time.

> As discussed at:
> http://www.gossamer-threads.com/lists/gentoo/user/223068
> http://comments.gmane.org/gmane.linux.gentoo.user/252806

I'm not buying the idea that flakiness rules with KVM. There may be flakiness BUT based on my own experience of yrs of KVM use running gentoo, debian and few tries at a few other distros... always with a kvm, and currently am running debian on one of the other kvm boxes on my current setup. I should be quite a good test case. Someone, not all that bright, nor very competent and yet I've been able to run linux, windows and solaris all on various KVMS for a period of several yrs I'd guess at least 7 yrs. There were problems from time to time but none that prevented me continuing to run with a KVM after a pause, sometimes a good one to get things working.

> I'm inclined to agree with Hinnerk - if the keyboard is recognised by BIOS then it's Linux problem

I hope so too, that would be nice.

> However, if you're having keyboard, video or mouse problems and a KVM is in the chain then you *always* remove it as the first step.

No that is not the case. As indicated in OP, there is NO mouse trouble.

> Don't come to us saying "I have this problem and just to confuse the issue it could be the KVM" (something we're unable to help with), instead say "I originally tried with a KVM, but having removed it, that makes no difference."

I guess you've been elected to the post of Sergeant at arms in my absence. I'm sorry Mr. Sergeant but I guess you'll have to evict me. I will bring whatever I have problems with here and will try to have done some homework and to expound the problem as best I can. Hopefully better on both counts than this go around. Please, Mr. Sergeant, before you high horse yourself even further into a corner, and end up looking even more like a bozo, consider these comments and those below.

---- ---=--- -

Maybe someone, will still read my query and give it some thought. My idea starts with the premise that it ain't the KVM. Because some users are livid as to how faulty KVMS are does not make that the problem here. In this case it would take a fair bit of diddling around to do a direct hook up since the kvm is DVI based and I'd need an adaptor I don't have (other than the one built into the KVM cables). OK

---- ---=--- -

Now this whole problem may have taken care of itself in an unexpected way. My niece, for whom I'm building this machine has informed me today that she really really hates trying to run linux and wants to get on with her work with tools she knows. Exit the gentoo install, enter an old XP disc I'm now trying to install.

I am sorry for the line noise but it still may come to it that I end up bringing that problem here again. Mr Sergeant may get another chance to bristle and show his teeth.
Re: [gentoo-user] genkernel initramfs and grub2-mkconfig
On 04.06.2012 21:10, Paul Hartman wrote: On Mon, Jun 4, 2012 at 1:40 PM, morlix mor...@morlix.de wrote:

Hello, does anybody of you know how to get the grub2-mkconfig script to correctly detect initramfs and set the kernel parameter root= to /dev/ram0 or just don't set the parameter at all. I'm using genkernel and want to use my generated initramfs, but every time grub2-mkconfig gets called it sets the kernel parameter root= to my root partition and then the initramfs won't get used. I think manually editing /boot/grub2/grub.cfg and deleting the root= parameter and setting real_root isn't a good choice for long term.

The default scripts for grub2-mkconfig look for a specific filename for the initramfs, related to the kernel filename. If you look in those scripts, you may be able to modify it to look at your filenames instead.

Paul is right, but you shouldn't need to modify anything. Here's what grub2-mkconfig generates on my machine (first entry only):

    menuentry 'Gentoo GNU/Linux' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-713f1c17-1b9a-4967-ac05-d6a6a9ff60a5' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd0,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 e39917c2-b59e-4447-bcae-39a41c3816a7
        else
          search --no-floppy --fs-uuid --set=root e39917c2-b59e-4447-bcae-39a41c3816a7
        fi
        echo 'Loading Linux x86_64-3.3.5-gentoo ...'
        linux /kernel-genkernel-x86_64-3.3.5-gentoo root=UUID=713f1c17-1b9a-4967-ac05-d6a6a9ff60a5 ro
        echo 'Loading initial ramdisk ...'
        initrd /initramfs-genkernel-x86_64-3.3.5-gentoo
    }

And here are the files in /boot:

    # find /boot/ -name *genkernel*
    /boot/kernel-genkernel-x86_64-3.3.5-gentoo
    /boot/System.map-genkernel-x86_64-3.3.5-gentoo
    /boot/initramfs-genkernel-x86_64-3.3.5-gentoo
    /boot/kernel-genkernel-x86_64-3.3.5-gentoo.old
    /boot/System.map-genkernel-x86_64-3.3.5-gentoo.old
    /boot/initramfs-genkernel-x86_64-3.3.5-gentoo.old

It boots perfectly fine using my initramfs
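The file-name pairing discussed in the message above, as an added example that is not part of the thread and is not GRUB's own script. It assumes the version suffix is whatever follows the kernel name's leading non-digit prefix (consistent with the 'Loading Linux x86_64-3.3.5-gentoo' line in the generated entry); the candidate list and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: model of how a kernel image name is paired with an initramfs.
# Assumption: the candidate names below are modelled on the files in this thread.

# Derive the version suffix: drop the leading non-digit prefix up to its last '-'.
kernel_version() {
    basename "$1" | sed -e 's,^[^0-9]*-,,'
}

# Print the initramfs in the kernel's directory that matches KERNEL, or return 1.
match_initramfs() {
    kdir=$(dirname "$1")
    ver=$(kernel_version "$1")
    alt=$(printf '%s\n' "$ver" | sed -e 's,\.old$,,')   # version without ".old"
    for cand in "initrd.img-$ver" "initrd-$ver.img" "initramfs-$ver.img" \
                "initramfs-genkernel-$ver" "initramfs-genkernel-$alt"; do
        if [ -e "$kdir/$cand" ]; then
            printf '%s\n' "$kdir/$cand"
            return 0
        fi
    done
    return 1
}

# List every kernel in DIR with its initramfs, flagging kernels that have none.
audit_boot_dir() {
    for k in "$1"/vmlinuz-* "$1"/kernel-*; do
        [ -e "$k" ] || continue            # glob matched nothing
        if img=$(match_initramfs "$k"); then
            printf '%s -> %s\n' "$k" "$img"
        else
            printf '%s -> NO INITRAMFS (entry would have no initrd line)\n' "$k"
        fi
    done
}

# Constructed sample /boot: two names from the thread plus one mismatched pair.
demo_dir=$(mktemp -d)
touch "$demo_dir/kernel-genkernel-x86_64-3.3.5-gentoo" \
      "$demo_dir/initramfs-genkernel-x86_64-3.3.5-gentoo" \
      "$demo_dir/kernel-3.3.5-custom" "$demo_dir/my-initramfs.img"
audit_boot_dir "$demo_dir"
rm -rf "$demo_dir"
```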
[gentoo-user] Re: no keyboard on fresh install
Hinnerk van Bruinehsen h.v.bruineh...@fu-berlin.de writes: On 01.06.2012 10:33, Harry Putnam wrote: On a fresh install on older dell P4, I've been unable to get the usb keyboard to respond. It responds at the grub screen, but once past there... no response SNIP Anyone have ideas on this? So your keyboard works within the bios and in grub, but not once the pc is booted? Thanks for your response and yes you have it right. Sounds like a driver-issue to me. You should check the kernel config for usb and hid options. You'll notice, in another post I announced that problem may have been unexpectedly sidestepped. CONFIG_HID and CONFIG_USB_HID especially come to my mind. (Sorry, can't even check that since I'm now trying to install WinXP over that gentoo install) Thanks, when this rolls around again sometime I'll have some idea what to be looking for during kernel build. I'll say though, and as reported in OP, I once had a very similar problem that turned out to be a simple BIOS setting. It was not so simple to find the setting, but still just a matter of enabling or disabling something. I hope I find my old notes soon. I was hoping someone might recognize the problem and be able to remember the bios item[s]
[gentoo-user] GCC 4.7 and LTO: it works
I've emerged system and world with gcc-4.7.0 and LTO. I'm posting from it right now :-) It's a KDE system with 1043 packages installed. I've posted details on how to do this (including info on how to disable LTO for specific packages that don't work with it) here: http://realnc.blogspot.com/2012/06/building-gentoo-linux-with-gcc-47-and.html
Re: [gentoo-user] Re: no keyboard on fresh install
On Mon, Jun 4, 2012 at 3:45 PM, Harry Putnam rea...@newsguy.com wrote: Stroller strol...@stellar.eclipse.co.uk writes: On 1 June 2012, at 09:33, Harry Putnam wrote: ... I am running thru a kvm switch, but don't really have the option without a fair bit of juggling to try it with everything hooked direct. I have tried plugging a keyboard direct, with no result. I don't really understand. You can't try direct, you tried direct. Which? KVMs are just flakey sometimes. Perhaps if you consider that KVM is a switch that controls several components, (keyboard, Video and mouse) it will come to you. Back when my KVM was just a mechanical switch that flipped between A and B, and only switched VGA, a serial port and a mouse, that was true. For years, though, KVMs have tended to man-in-the-middle USB keyboards and intercept key sequences in order to control switching behaviors. Being the man in the middle is _very_ tricky, and it's highly unlikely kvm manufacturers get it perfect. At the very least, it's still intercepting keystrokes, which means that your input is either funkily jittered as it buffers looking for a combo, or it means that your input is incomplete. I'm not saying that the KVM is necessarily the source of your problem. I'm saying it's a far more complex device than you envision it to be. You are at liberty to plug a second keyboard into a USB port. I have done that under certain conditions in the past and did try that unsuccessfully, as reported, this time. Makes sense. As discussed at: http://www.gossamer-threads.com/lists/gentoo/user/223068 http://comments.gmane.org/gmane.linux.gentoo.user/252806 I'm not buying the idea that flakiness rules with KVM. There may be flakiness BUT based on my own experience of yrs of KVM use running gentoo, debian and few tries at a few other distros... always with a kvm, and currently am running debian on one of the other kvm boxes on my current setup. I should be quite a good test case. 
Someone, not all that bright, nor very competent and yet I've been able to run linux, windows and solaris all on various KVMS for a period of several yrs I'd guess at least 7 yrs. There were problems from time to time but none that prevented me continuing to run with a KVM after a pause, sometimes a good one to get things working. I get it. You fancy yourself an expert on KVMs. Do you realize that KVM hardware is liable to be around as diverse as GPS and serial dongle hardware? That's pretty significant. I'm inclined to agree with Hinnerk - if the keyboard is recognised by BIOS then it's Linux problem I hope so too, that would be nice. Seems likely, given that you tried plugging the USB keyboard in directly without the KVM connected to a USB port. (You did, didn't you?) However, if you're having keyboard, video or mouse problems and a KVM is in the chain then you *always* remove it as the first step. No that is not the case. As indicated in OP, there is NO mouse trouble. keyboard, video _or_ mouse problems. And he's been trying to offer you advice on diagnostic procedure. And the advice makes sense at its core; simplify the system as much as possible, then add pieces back until something breaks. The more you grant utmost confidence or assumptions about a component or behavior, the more things boil down to errors you think were impossible. Don't come to us saying I have this problem and just to confuse the issue it could be the KVM (something we're unable to help with), instead say I originally tried with a KVM, but having removed it, that makes no difference. I guess you've been elected to the post of Sergeant at arms in my absence. Here, again, he tried offering you advice on how to present your problem in the clearest way possible, maximally avoiding confusion, and you've only taken offense. [snip irony] --- - ---=--- - Maybe someone, will still read my query and give it some thought. My idea starts with the premise that it ain't the KVM. 
For certainty's sake, have you tried plugging the keyboard in directly without the KVM plugged into the USB port? I don't think it's particularly likely that the problem is the KVM, either, but I do see it as a plausible source of interference if both devices are plugged into separate ports. USB normally handles multiple USB keyboards just fine, but I don't know how your BIOS's 'legacy' support handles it, and there have been rumblings in areas of multi-user workstations lately, so it's plausible things are changing. And, again, there's the potential of the KVM having a faulty implementation of USB HID proxy behavior. Because some users are livid as to how faulty KVMS are does not make that the problem here. (Again, nobody was trying to pin the blame on the KVM, they were trying to verify that the problem _wasn't_ the KVM). In this case it would take a fair bit of diddling around to do a direct hook up
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
From: Michael Mol mike...@gmail.com On Mon, Jun 4, 2012 at 9:33 AM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com On Sat, Jun 2, 2012 at 10:04 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com [snip] In theory that's how key signing systems are supposed to work. In practice, they rarely implement the blacklists as they are (i) hard to maintain, and (ii) hard to distribute in an effective manner. Indeed. While Firefox, Chromium, et al check certificate revocation lists, Microsoft doesn't; they distribute them as part of Windows Update. Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers. Only if the workstation is so configured. (i.e. it's joined to the domain, or has otherwise had configuration placed on it.) It's not just a matter of setting up a caching proxy server and modifying the files before they're delivered. And if you think that's a risk, then consider that your local domain administrator has the ability to push out the organization CA into your system cert store as a trusted CA, and can then go on to create global certs your browser won't complain about. If you don't own the network, don't expect to be able to do things on it that the network administrator doesn't want you to do. At the same time, he can't force (much...see DHCP) configuration onto your machine without your being aware, at least if you're at least somewhat responsible in knowing how configuring your machine works. True. My point was that since Microsoft is using Windows Update to update the CRLs, that the corporate IT departments could decide not to allow the update to go through. Of course, it's their risk if they don't allow it through. Further, they can push out CRLs even if Microsoft doesn't send them. But that's not the concern unless you want your device free of the IT department, and that's a wholly different issue. 
And of course, they can't change the CA on a WinRT device for SecureBoot. Honestly, I don't expect SecureBoot to last very long. Either MS and the OEMs will be forced to always allow users to disable it, or they'll simply drop it - kind of like they did with TPM requirements that were talked about 10 years back and never came to fruition. TPM is still around for organizations which can use them. And, honestly, I've been annoyed that they haven't been widespread, nor easy to pick up in the aftermarket. (They come with a random number generator...just about any HRNG is going to be better than none.) Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. No, TPM wasn't originally named Palladium. TPM was the keystore hardware component of a broader system named Palladium. The TPM is just a keystore and a crypto accelerator, both of which are two things valuable to _everybody_. The massive backlash against Palladium is at least part of why even a generally useful hardware component like the TPM never got distributed. Imagine if the floating-point coprocessor was ditched in x86 because people thought it was a conspiracy to induce difficult-to-resolve math precision errors from careless use of floating point arithmetic. The part you're worried about is the curtained memory and hardware lockout, which it sounds like Intel is distributing with vPro. TPM, SecureBoot, and Palladium are both beasts which need to be removed. When it was proposed, it was to include SecureBoot and enable secure Internet transactions, etc. None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot. I see something like SecureBoot as being useful in corporate and military security contexts. I don't see it lasting in SOHO environments. 
Certain environments as you say may find it useful; but then those environments already have very stringent controls over the computers in those environments, often to the inability of people to do their job. The nature of those controls stems at least in part from the ability to use other means to maintain an overall security policy. With more tools comes the ability to be more flexible, allowing people to do more convenient things (such as insert a flash drive or CD into a computer) at lower risk (it'll be more difficult to accidentally boot from that flash drive or CD). How often do people accidentally boot from the wrong device? It's probably more of an issue for USB devices than floppy/CDs any more, but still. And why destroy people's ability to boot from USB/CD/Floppy? Let's not forget this makes it harder for Gentoo (and numerous other distros and OSes) to go on devices. The user should own and control the device, not a corporate entity (except where said corporate entity purchased the device in the first place). It's for similar reasons the Linux kernel has support for fine-grained access controls; you can grant
Re: [gentoo-user] GCC 4.7 and LTO: it works
On Mon, Jun 4, 2012 at 3:19 PM, Nikos Chantziaras rea...@gmail.com wrote: I've emerged system and world with gcc-4.7.0 and LTO. I'm posting from it right now :-) It's a KDE system with 1043 packages installed. I've posted details on how to do this (including info on how to disable LTO for specific packages that don't work with it) here: http://realnc.blogspot.com/2012/06/building-gentoo-linux-with-gcc-47-and.html Thanks. I'm not sure if I'm ready to recompile world yet, but we'll see where curiosity and boredom lead me. :) I have an older, slower machine that might benefit more from small optimizations. A few questions: Do you have any measure of compile times using lto compared to not using it? Was there any effect on quality of debugging info in the resulting binaries? I thought I read at some point there was no (or bad) debug info with LTO. Maybe I'm thinking about clang, though. Did you use gold or the standard linker?
[gentoo-user] Re: GCC 4.7 and LTO: it works
On 05/06/12 00:21, Paul Hartman wrote: On Mon, Jun 4, 2012 at 3:19 PM, Nikos Chantziaras rea...@gmail.com wrote: I've emerged system and world with gcc-4.7.0 and LTO. I'm posting from it right now :-) It's a KDE system with 1043 packages installed. I've posted details on how to do this (including info on how to disable LTO for specific packages that don't work with it) here: http://realnc.blogspot.com/2012/06/building-gentoo-linux-with-gcc-47-and.html [...] Do you have any measure of compile times using lto compared to not using it? It was pretty obvious without doing any actual measurement: linking is slower with LTO. Large programs even take several minutes for the link step. Was there any effect on quality of debugging info in the resulting binaries? I thought I read at some point there was no (or bad) debug info with LTO. Maybe I'm thinking about clang, though. Didn't notice anything strange yet. But I suspect that this isn't important to begin with; all we need are backtraces. Thorough debugging symbols are not important for emerged packages. Did you use gold or the standard linker? The standard one. I didn't actually think about the importance of this. Does gold work better with LTO?
Re: [gentoo-user] Re: GCC 4.7 and LTO: it works
On Mon, Jun 4, 2012 at 4:39 PM, Nikos Chantziaras rea...@gmail.com wrote: Did you use gold or the standard linker? The standard one. I didn't actually think about the importance of this. Does gold work better with LTO? I don't know much about it, but AFAIK gold is supposed to be several times faster at linking in general, and when using it in combination with gcc+LTO the compiler actually offloads some of the LTO processing to the linker which is supposed to be more efficient. I've never tried it personally, but I just googled and found this mentioned on the GCC site: As an added feature, LTO will take advantage of the plugin feature in gold. This allows the compiler to pick up object files that may have been stored in library archives. To use this feature, you must be using gold as the linker and enable the use of the plugin by compiling with gcc -fuse-linker-plugin. This will shift the responsibility of driving the final stages of compilation from collect2 to gold via the linker plugin. And in gentoo you can switch to gold as explained on the wiki: https://wiki.gentoo.org/wiki/Gold
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On Mon, Jun 4, 2012 at 5:13 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com On Mon, Jun 4, 2012 at 9:33 AM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com On Sat, Jun 2, 2012 at 10:04 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com [snip] Honestly, I don't expect SecureBoot to last very long. Either MS and the OEMs will be forced to always allow users to disable it, or they'll simply drop it - kind of like they did with TPM requirements that were talked about 10 years back and never came to fruition. TPM is still around for organizations which can use them. And, honestly, I've been annoyed that they haven't been widespread, nor easy to pick up in the aftermarket. (They come with a random number generator...just about any HRNG is going to be better than none.) Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. No, TPM wasn't originally named Palladium. TPM was the keystore hardware component of a broader system named Palladium. The TPM is just a keystore and a crypto accelerator, both of which are two things valuable to _everybody_. The massive backlash against Palladium is at least part of why even a generally useful hardware component like the TPM never got distributed. Imagine if the floating-point coprocessor was ditched in x86 because people thought it was a conspiracy to induce difficult-to-resolve math precision errors from careless use of floating point arithmetic. The part you're worried about is the curtained memory and hardware lockout, which it sounds like Intel is distributing with vPro. TPM, SecureBoot, and Palladium are both beasts which need to be removed. I'm still confused by your malice toward the TPM. What part of 'crypto coprocessor' or 'crypto accelerator' doesn't get you thinking about faster SSH and SSL connection setup and data transfers? 
[snip] The nature of those controls stems at least in part from the ability to use other means to maintain an overall security policy. With more tools comes the ability to be more flexible, allowing people to do more convenient things (such as insert a flash drive or CD into a computer) at lower risk (it'll be more difficult to accidentally boot from that flash drive or CD). How often do people accidentally boot from the wrong device? You know how many Linux install flash drives are floating around? What about OS install CDs? A curious artifact of both is that they're left in systems so _frequently_, they're often designed to proceed back to a disk-based boot after a timeout. It's probably more of an issue for USB devices than floppy/CDs any more, but still. The Gentoo 12.1 LiveDVD also has the timeout-and-boot. And it's quite common for people to leave flash drives plugged into systems over boot cycles; it's like a portable 'My Documents' folder. And why destroy people's ability to boot from USB/CD/Floppy? You're not; you can turn off SecureBoot in BIOS, and then boot from USB or CD as normal. Though why you'd boot from a floppy on a system that has SecureBoot, I have no idea. (It's questionable whether systems shipping SecureBoot will even have floppy controllers...) Being able to disable SecureBoot is going to be _critical_ for application of diagnostics, forensics and system repair. And if it comes down to it, you'll likely be able to get those tools signed, too. Let's not forget this makes it harder for Gentoo (and numerous other distros and OSes) to go on devices. Nobody's forgotten that. Now let's not forget how easy it will be to turn SecureBoot off. You're likely to have a harder time getting latest-grade RAM functioning in a brand-new system, what with timings and gang modes to contend with. The user should own and control the device, not a corporate entity (except where said corporate entity purchased the device in the first place). 
Fully concur...and I'm moderately impressed; most people I've seen argue things like this can't make that distinction. It's for similar reasons the Linux kernel has support for fine-grained access controls; you can grant additional privileges where needed, and reduce the base set of privileges required. Linux has fine grain control because that's what's required for Common Criteria, and what the NSA implemented for SELinux. SELinux required it because it was necessary. Linux included SELinux because it's legitimately useful. Anything legitimately useful for someone else to keep you out of their stuff is legitimately useful for you to keep them out of yours. And here's a use case that might seem worthwhile...Say you've got hardware with SecureBoot. Now, you don't run Windows, so you don't care about the UEFI BIOS having Microsoft's key. Instead, you're a Linux guy, and you're very privacy conscious; perhaps you're a security consultant or contractor. Or perhaps you're worried about corporate espionage. Or perhaps you're
[gentoo-user] Re: GCC 4.7 and LTO: it works
On 05/06/12 01:37, Paul Hartman wrote: On Mon, Jun 4, 2012 at 4:39 PM, Nikos Chantziaras rea...@gmail.com wrote: Did you use gold or the standard linker? The standard one. I didn't actually think about the importance of this. Does gold work better with LTO? I don't know much about it, but AFAIK gold is supposed to be several times faster at linking in general, and when using it in combination with gcc+LTO the compiler actually offloads some of the LTO processing to the linker which is supposed to be more efficient. Sounds like it's worth trying, but one thing doesn't look good; Diego's blog is full of articles about Gold breakage: http://blog.flameeyes.eu/tag/gold
Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On Mon, 2012-06-04 at 10:34 -0400, Michael Mol wrote: On Mon, Jun 4, 2012 at 9:33 AM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com On Sat, Jun 2, 2012 at 10:04 PM, BRM bm_witn...@yahoo.com wrote: From: Michael Mol mike...@gmail.com [snip] In theory that's how key signing systems are supposed to work. ... I see something like SecureBoot as being useful in corporate and military security contexts. I don't see it lasting in SOHO environments. ... And here's a use case that might seem worthwhile...Say you've got hardware with SecureBoot. Now, you don't run Windows, so you don't care about the UEFI BIOS having Microsoft's key. Instead, you're a Linux guy, and you're very privacy conscious; perhaps you're a security consultant or contractor. Or perhaps you're worried about corporate espionage. Or perhaps you're simply afraid of governments. You can flush Microsoft's key from BIOS and insert your own. Sign your bootloader, kernel and initramfs. Set up your / filesystem to be fully encrypted. And configure things such that if BIOS isn't operating in SecureBoot mode with your key, it won't even mount and decrypt your / filesystem. You've just denied access to any existing forensic tool which would either examine your hard disk or operate as a rootkit. The only thing that's going to get your data is a live inspection of your RAM (tricky! but doable.) or a rubber hose. ... We have a security researcher at work who specialises in the forensics side - expert witness in court and does data retrieval etc ... I don't think he has had anyone seriously try to hide anything yet, but if the above becomes common in the non-law abiding set, the govt will have it back doored or disappeared (banned from sale or heavily controlled). Think of the children ... which is overused here in Oz comes to mind. Providing tools to strip cell phone data and PC hard disks seems to be a popular/profitable business to be in at the moment :) BillK
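The "don't decrypt unless the firmware is in SecureBoot mode with your key" step from the use case quoted above, as an added example that is not part of any post in this thread. It assumes the Linux efivarfs file layout (a 4-byte attribute word, then the payload); the function names, the pinned-hash parameter and the sample variable contents are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: decide whether to unlock the root volume from the firmware's
# Secure Boot state, read from efivarfs-style files (4 attribute bytes + payload).

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global-variable GUID

# Print the first payload byte of a variable file as a decimal number.
efivar_byte() {
    [ -r "$1" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1                # file shorter than 5 bytes
    printf '%s\n' "$v"
}

# Print the SHA-256 of a variable's payload (attribute word skipped).
efivar_payload_sha256() {
    [ -r "$1" ] || return 1
    tail -c +5 "$1" | sha256sum | cut -d' ' -f1
}

# secure_boot_gate DIR PINNED_PK_SHA256
# Returns 0 only when the firmware enforces Secure Boot with the pinned
# platform key; any non-zero status means "leave the volume locked".
secure_boot_gate() {
    gate_dir=$1
    pinned=$2
    sb=$(efivar_byte "$gate_dir/SecureBoot-$EFI_GLOBAL") || return 2  # no variable
    sm=$(efivar_byte "$gate_dir/SetupMode-$EFI_GLOBAL") || return 2
    [ "$sb" = 1 ] || return 3              # Secure Boot switched off
    [ "$sm" = 0 ] || return 4              # setup mode: no platform key enrolled
    pk=$(efivar_payload_sha256 "$gate_dir/PK-$EFI_GLOBAL") || return 2
    [ "$pk" = "$pinned" ] || return 5      # platform key is not the owner's
    return 0
}

# Write constructed sample variables into DIR: SecureBoot=$2, SetupMode=$3.
# The PK payload is a placeholder string, not a real EFI signature list.
make_sample_vars() {
    printf "\\006\\000\\000\\000\\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SetupMode-$EFI_GLOBAL"
    printf '\047\000\000\000constructed-owner-PK' > "$1/PK-$EFI_GLOBAL"
}

# Demo on constructed data; a real check would read /sys/firmware/efi/efivars.
demo=$(mktemp -d)
make_sample_vars "$demo" 1 0
if secure_boot_gate "$demo" "$(efivar_payload_sha256 "$demo/PK-$EFI_GLOBAL")"; then
    echo "gate passed: unlock may proceed"
else
    echo "gate failed: leave the volume locked"
fi
rm -rf "$demo"
```

A check like this only means something when it runs from the signed initramfs the use case describes: it reports that this initramfs was started under non-enforcing firmware, and does nothing about a replaced initramfs that skips the check.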
[gentoo-user] Re: Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
On 02/06/12 05:26, William Kenworthy wrote: http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html and something I had not considered with the whole idea was even bootable cd's and usb keys for rescue will need the same privileges ... We were chipping our Playstations and XBOXes, now we'll be chipping PCs too. :-/